Use this procedure to view Cisco EPN Manager server configuration information such as the current server time, kernel version, operating system, hardware information, and so forth.
Cisco EPN Manager prompts you to enter a hostname when you install the server. For a variety of reasons, you may find a mismatch between the hostname configured on the Cisco EPN Manager server and the hostname configured elsewhere. You can resolve this issue without reinstalling Cisco EPN Manager by changing its hostname on the server. To do so:
Step 1 | Open a CLI session with the Cisco EPN Manager server, making sure you enter configure terminal mode. See Connect via CLI. |
Step 2 | Enter the following command:
Cisco_EPN_Manager_Server/admin(config)# hostname newHostName
where newHostName is the hostname you want to assign to the Cisco EPN Manager server. |
Step 3 | Restart the Cisco EPN Manager server using the ncs stop and ncs start commands. |
Step 4 | Check the hostname configured for your SSL server certificate:
|
Administrators can connect to the Cisco EPN Manager server via its command-line interface (CLI). CLI access is required when you need to run commands and processes accessible only via the Cisco EPN Manager CLI. These include commands to start the server, stop it, check on its status, and so on.
Before you begin, make sure you:
For data security, Cisco EPN Manager encrypts data in transit using standard public key cryptography methods and public key infrastructure (PKI). You can obtain more information about these technologies from the internet. Cisco EPN Manager encrypts the data that is exchanged between the following connections:
To secure communication between the web server and web client, use the public key cryptography services that are built in as part of the HTTPS mechanism. For that you need to generate a public key for the Cisco EPN Manager web server, store it on the server, and then share it with the web client. This can be done using the standard PKI certificate mechanism, which not only shares the web server public key with the web client, but also guarantees that the public key belongs to the web server (URL) you are accessing. This prevents any third party from posing as the web server and collecting sensitive information that the web client is sending to the web server. Follow the procedure in Set Up HTTPS to Secure the Connectivity of the Web Server.
These topics provide additional steps you can take to secure the web server:
Cisco recommends that the Cisco EPN Manager web server authenticate web clients using certificate-based authentication. This security hardening procedure is described in Set Up Certificate-Based Authentication for Web Clients.
To secure connectivity between a CLI client and the Cisco EPN Manager CLI interface, refer to the security hardening procedures in Harden the Cisco EPN Manager Server.
To secure connectivity between the Cisco EPN Manager and systems such as AAA and external storage, refer to the recommendations in Harden Your Cisco EPN Manager Storage.
HTTPS operations use a server key that is generated using public key cryptography algorithms, and trust chain certificates that are generated using the server key. These certificates are applied to the Cisco EPN Manager web server. Depending upon how you generated the certificates, you may have to request the client browsers to trust these certificates the first time the browser connects to the web server. The HTTPS mechanism ensures the security of the server machine (which in turn improves security of all other associated systems).
Use one of the following two methods to generate and install the web server certificate (do not use the methods together).
Signing Entity | Description | See:
---|---|---
Self-signed certificates | |
Certificate Authority (CA) signed certificates | A Certificate Authority (CA) generates and issues these certificates. The certificates bind a public key to the name of the entity (for example, a server or device) that is identified in the certificate. You must generate a Certificate Signing Request (CSR) file from the Cisco EPN Manager server, and submit the CSR file (which contains the server key) to the CA. When you receive the certificates, you apply them to the web server. |
The following procedure generates an RSA key and then applies a self-signed certificate with domain information.
Make sure you have the fully qualified domain name (FQDN) of the server. You will need it for this procedure.
Step 1 | Log in to the Cisco EPN Manager server as the Cisco EPN Manager CLI admin user. |
Step 2 | Enter the following command:
ncs key genkey -newdn |
Step 3 | To activate the certificate, restart Cisco EPN Manager. See Stop and Restart Cisco EPN Manager. |
The following topics explain how to generate and apply CA-signed certificates to the Cisco EPN Manager web server. The procedures are slightly different depending on whether or not your deployment is using HA, and if it is using HA, whether or not you are using HA with virtual IP addresses.
You may need to instruct your users to install the Root and Intermediate CA certificates to their browser or OS certificate store. Ask your organization's IT administrator if this is required. Instructions are provided in Add the CA-Signed Root and Intermediate Certificates to a Browser/OS Trust Store.
Deployment Type | Summary of Steps
---|---
Deployment without HA | For deployments without HA, you must request the certificate, import it into your web server, and restart the web server to apply it, as described in these topics:
High availability deployment not using virtual IP addresses | For HA deployments that do not use virtual IPs, you must request separate certificates for the primary and secondary servers and then import the appropriate certificate onto each server. When you restart the servers to apply the certificates, you must restart them in a specific order. The entire procedure is described in these topics:
High availability deployment using virtual IP addresses | For HA deployments that use virtual IPs, you only need to request a single certificate for both servers. You must remove HA on the servers, import the certificate on both servers, and then restart the servers to apply the certificate (you must restart the servers in a specific order). Finally, you reconfigure HA by registering the secondary server on the primary server. The entire procedure is described in these topics:
Your deployment does not use HA
Your deployment uses HA but does not use virtual IP addressing (you will need to perform the following procedure on both servers)
Note | If your deployment uses HA with virtual IP addresses, use the procedure in Request, Import, and Apply a CA-Signed Web Server Certificate—HA With Virtual IP Addresses. |
Make sure SCP is enabled on your machine and all relevant ports are open. This is required so that you can copy files to and from the server.
This topic explains how to import and apply CA-signed web server certificates to a deployment that does not use HA.
You must have the CA-signed certificates you requested using Request a CA-Signed Web Server Certificate. You cannot perform the following procedure until you have received the certificates.
Make sure SCP is enabled on your local machine and all relevant ports are open. This is required so that you can copy files to and from the server.
Step 1 | If you receive only one CER file from the CA, proceed to Step 2. If you receive multiple (chain) certificates, combine (concatenate) them into a single CER file. You will receive three files: the SSL server certificate file, the intermediate CA certificate file, and the root CA server certificate file. |
Step 2 | Copy the CER file from your local machine to the backup repository on the Cisco EPN Manager server. |
Step 3 | As the Cisco EPN Manager CLI admin user, import the CER file:
ncs key importsignedcert CertFilename.cer repository RepoName |
Step 4 | Restart Cisco EPN Manager to activate this certificate. See Stop and Restart Cisco EPN Manager. |
Depending on your deployment, you may need to instruct your users to install the root and intermediate CA certificates to their browser or OS certificate store. See Add the CA-Signed Root and Intermediate Certificates to a Browser/OS Trust Store for more information.
This topic explains how to import and apply CA-signed web server certificates to an HA deployment that is not using virtual IP addresses. (If you have an HA deployment that does use virtual IPs, see Request, Import, and Apply a CA-Signed Web Server Certificate—HA With Virtual IP Addresses.) This procedure is similar to the procedure for a deployment that does not have HA, except that you have to perform the procedure on both the primary server and the secondary server.
Note | When you restart the servers, follow these steps carefully because the servers must be restarted in a specific sequence. |
You must have the CA-signed certificates you requested using Request a CA-Signed Web Server Certificate. You cannot perform the following procedure until you have received the certificates for each server.
Make sure SCP is enabled on your local machine and all relevant ports are open. This is required so that you can copy files to and from the server.
Step 1 | Import the primary certificates onto the primary server. |
Step 2 | Perform the previous step on the secondary server. |
Step 3 | On the secondary server, import the CER file. |
Step 4 | On the primary server, import the CER file. |
Step 5 | On the secondary server, run the following commands: |
Step 6 | On the primary server, run the following commands:
Once all the processes on the primary server are up and running, HA registration is automatically triggered between the secondary and primary servers (and an email is sent to the registered email addresses). This normally completes after a few minutes. |
Step 7 | Verify the HA status on the primary and secondary servers by running the ncs ha status command on both servers. You should see the following: |
Depending on your deployment, you may need to instruct your users to install the root and intermediate CA certificates to their browser or OS certificate store. See Add the CA-Signed Root and Intermediate Certificates to a Browser/OS Trust Store for more information.
If you have a high availability deployment that uses virtual IP addresses, you need to make only one certificate request. When you receive the certificate from the CA, you install the same certificate on both the primary and secondary servers. This is different from HA deployments that do not use virtual IP addressing, where you make two certificate requests and install one certificate on the primary server and the other (different) certificate on the secondary server.
For more information on virtual IPs and HA, see Using Virtual IP Addressing With HA.
Make sure SCP is enabled on your machine and all relevant ports are open. This is required so that you can copy files to and from the server.
Step 1 | Generate a CSR file and private key for the primary and secondary servers. You will install the private key on both servers, and submit the CSR file to a Certificate Authority of your choice. The following example shows how to create these files using openssl in Linux. |
Step 2 | Submit the CSR file to a Certificate Authority of your choice. The CA will send you digitally-signed certificates either in a single file with the name CertFilename.cer, or as a set of multiple files. |
Step 3 | If you receive only one CER file from the CA, proceed to Step 4. If you receive multiple (chain) certificates, combine (concatenate) them into a single CER file. You will receive three files: the SSL server certificate file, the intermediate CA certificate file, and the root CA server certificate file. |
Step 4 | On the primary server, copy the CER file to the backup repository on each server. |
Step 5 | Repeat the previous step on the secondary server. |
Step 6 | On the primary server, as the Cisco EPN Manager CLI admin user, remove the HA settings:
ncs ha remove
Run the ncs ha status command to verify that the HA settings are removed before proceeding to the next step. |
Step 7 | On both the primary and secondary server, import the CER file:
ncs key importsignedcert CertFilename.cer repository RepoName |
Step 8 | Restart the primary and secondary servers. Because they are not yet paired for HA, the order does not matter. See Stop and Restart Cisco EPN Manager. |
Step 9 | Verify the status of the primary and secondary servers by running the ncs status command on both servers. |
Step 10 | Register the secondary server on the primary server for HA. See Register the Secondary Server on the Primary Server. |
Depending on your deployment, you may need to instruct your users to install the root and intermediate CA certificates to their browser or OS certificate store. See Add the CA-Signed Root and Intermediate Certificates to a Browser/OS Trust Store for more information.
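The CSR request in Step 1 and the chain concatenation in Step 3 above (the same concatenation as Step 1 of the non-HA import procedure) can be checked before anything is copied to the server. The following is an added example, not part of Cisco's documentation: it creates a CSR whose subjectAltName covers a virtual-IP name and both servers, then writes the combined CER file only if the chain verifies and the server certificate matches the private key. The host names, file names, SAN list and leaf-first bundle order are assumptions, and the throwaway CA is constructed so the script runs offline.

```bash
#!/bin/sh
# Added example, not Cisco's own script. Host names, file names, the SAN list
# and the leaf-first bundle order are assumptions made for illustration.
# Function bodies use ( ) so variables stay local; "exit" ends the function.

# make_csr KEY CSR CN [SAN...]: new RSA-2048 key plus a CSR whose
# subjectAltName lists CN and every extra DNS name given.
make_csr() (
  key=$1 csr=$2 cn=$3; shift 3
  san="DNS:$cn"
  for name in "$@"; do san="$san,DNS:$name"; done
  umask 077                      # private key readable by its owner only
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
)

# csr_sans CSR: print the DNS names requested in the CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# cert_count FILE: number of PEM certificates in FILE.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# pubkey_hash: SHA-256 of the PEM public key read from stdin.
pubkey_hash() { openssl sha256 | sed 's/.*= *//'; }

# bundle_chain SERVER INTERMEDIATE ROOT KEY OUT: write OUT only if the three
# files form a valid chain and SERVER carries the public key of KEY.
# Exit codes: 1 malformed input, 2 chain broken, 3 key mismatch.
bundle_chain() (
  server=$1 inter=$2 root=$3 key=$4 out=$5
  for f in "$server" "$inter" "$root"; do
    [ "$(cert_count "$f")" = 1 ] ||
      { echo "need exactly one certificate in $f" >&2; exit 1; }
  done
  openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1 ||
    { echo "chain does not verify: wrong file order or wrong CA" >&2; exit 2; }
  [ "$(openssl x509 -in "$server" -noout -pubkey | pubkey_hash)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_hash)" ] ||
    { echo "server certificate does not match private key" >&2; exit 3; }
  # Re-emit each certificate through openssl so a file that lacks a final
  # newline cannot fuse its END line with the next BEGIN line.
  for f in "$server" "$inter" "$root"; do openssl x509 -in "$f"; done > "$out"
)

# make_demo_pki DIR: constructed stand-in for the real CA (throwaway root and
# intermediate) that signs a CSR for one virtual-IP name and two server names.
# The demo CA does not copy the SANs into the certificate; a real CA does.
make_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  make_csr root.key root.csr demo-root-ca || exit 1
  make_csr inter.key inter.csr demo-intermediate-ca || exit 1
  make_csr server.key server.csr epnm-vip.example.com \
    epnm-pri.example.com epnm-sec.example.com || exit 1
  openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile ca.ext -out root.cer 2>/dev/null || exit 1
  openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key \
    -CAcreateserial -days 1 -extfile ca.ext -out inter.cer 2>/dev/null || exit 1
  openssl x509 -req -in server.csr -CA inter.cer -CAkey inter.key \
    -CAcreateserial -days 1 -out server.cer 2>/dev/null
)

# Demo on the constructed PKI; in production the .cer files come from your CA.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" &&
  bundle_chain "$demo_dir/server.cer" "$demo_dir/inter.cer" "$demo_dir/root.cer" \
    "$demo_dir/server.key" "$demo_dir/CertFilename.cer" &&
  echo "CertFilename.cer holds $(cert_count "$demo_dir/CertFilename.cer") certificates"
```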
Ask your organization's IT administrator if your users should install the CA Root and Intermediate CA certificates to their browser or OS certificate store. If not done in situations where it is required, users will see indications on their browsers that the browsers are not trusted.
Depending on your browser type and version, the exact steps for this procedure may be slightly different.
If you are adding the certificates to an Internet Explorer browser, you must have Administrator privileges on your client machine.
Step 1 | For Firefox browsers, follow these steps to import the certificates. |
Step 2 | For Internet Explorer browsers, use the Microsoft Certificate Manager tool to import the certificates. To use this tool, users must have Administrator privileges on their client machine. |
Because many devices use HTTPS to relay device configuration information, HTTPS is enabled by default in Cisco EPN Manager. (HTTP is not used by Cisco EPN Manager and is disabled by default.) If needed, you can change the port for the HTTPS server by following these steps.
Step 1 | Choose , then choose . |
Step 2 | In the HTTPS area, enter the new port number, then click Save. |
Step 3 | Restart Cisco EPN Manager to apply your changes. See Stop and Restart Cisco EPN Manager. |
To view the existing certificates for the Cisco EPN Manager server:
Step 1 | Log in to the Cisco EPN Manager Admin CLI as the admin user. |
Step 2 | To view the list of CA Certificates that exist in the Cisco EPN Manager trust store, enter the following command:
ncs key listcacerts |
Step 3 | To see the complete trust chain for SSL/HTTPS operations, log into the Cisco EPN Manager web GUI using Google Chrome, and use Chrome to view the CA-signed certificate that the server sent to the browser. Chrome will display all the linked certificates in the trust chain. |
Step 1 | Log in to the Cisco EPN Manager server as the admin user. |
Step 2 | Because you will need the certificate short names for the delete command, list the short names of all the CA certificates on the Cisco EPN Manager server:
ncs key listcacerts |
Step 3 | Locate the CA certificate you want to delete and enter the following command:
ncs key deletecacert aliasname
where aliasname is the short name of the CA certificate you want to delete. |
When you connect to the server, use SSH and log in as the admin user. (See User Interfaces, User Types, and How To Transition Between Them for more information.)
Step 1 | Start your SSH session and log in as the Cisco EPN Manager admin user. |
Step 2 | Enter the admin password. The prompt will change to the following:
(admin)
To view a list of the operations the admin user can perform, enter ? at the prompt. To enter admin config mode, enter the following command (note the change in the prompt):
(admin) configure terminal
(config) |
Network Time Protocol (NTP) must be properly synchronized on all devices in your network as well as on the Cisco EPN Manager server. Failure to manage NTP synchronizations across your network can result in anomalous results in Cisco EPN Manager. This includes all Cisco EPN Manager-related servers: any remote FTP servers that you use for Cisco EPN Manager backups, secondary Cisco EPN Manager high-availability servers, and so on.
You specify the default and secondary NTP servers during Cisco EPN Manager server installation. You can also use Cisco EPN Manager’s ntp server command to add to or change the list of NTP servers after installation.
Note | Cisco EPN Manager cannot be configured as an NTP server; it acts as an NTP client only. Up to three NTP servers are allowed. |
Step 1 | Log in to the Cisco EPN Manager server as the admin user and enter config mode. See Establish an SSH Session With the Cisco EPN Manager Server. |
Step 2 | Set up the NTP server using one of the following commands.
ntp server ntp-server-IP ntp-key-id ntp-key
Where: |
Use this procedure to configure proxies for the server and, if configured, its local authentication server. If you use a proxy server as a security barrier between your network and the Internet, you need to configure the proxy settings as shown in the following steps:
Step 1 | Choose , then choose . |
Step 2 | Click the Proxy tab. |
Step 3 | Select the Enable Proxy check box and enter the required information about the server that has connectivity to Cisco.com and will act as the proxy. |
Step 4 | Select the Authentication Proxy check box and enter the proxy server’s user name and password. |
Step 5 | Click Test Connectivity to check the connection to the proxy server. |
Step 6 | Click Save. |
To enable Cisco EPN Manager to send email notifications (for alarms, jobs, reports, and so forth), the system administrator must configure a primary SMTP email server (and, preferably, a secondary email server).
Step 1 | Choose , then choose . |
Step 2 | Under Primary SMTP Server, complete the Hostname/IP, User Name, Password, and Confirm Password fields as appropriate for the email server you want Cisco EPN Manager to use. Enter the IP address of the physical server and the hostname of the primary SMTP server. |
Step 3 | (Optional) Complete the same fields under Secondary SMTP Server. SMTP server username and password. |
Step 4 | Under Sender and Receivers, enter a legitimate email address for Cisco EPN Manager. |
Step 5 | When you are finished, click Save. |
FTP/TFTP/SFTP is used to transfer files between the server and devices for device configuration and software image file management. These protocols are also used in high availability deployments to transfer files to a secondary server. These services are normally enabled by default. If you installed Cisco EPN Manager in FIPS mode, they are disabled by default. If you use this page to enable these services, Cisco EPN Manager will become non-compliant with FIPS.
SFTP is the secure version of the file transfer service and is used by default. FTP is the unsecured version of the file transfer service; TFTP is the simple, unsecured version of the service. If you want to use either FTP or TFTP, you must enable the service after adding the server.
To change the FTP/TFTP/SFTP password, see Change the FTP User Password.
Step 1 | Configure Cisco EPN Manager to use the FTP, TFTP, or SFTP server. |
Step 2 | If you want to use FTP or TFTP, enable it on the Cisco EPN Manager server. |
Step 3 | Restart Cisco EPN Manager to apply your changes. See Stop and Restart Cisco EPN Manager. |
Cisco EPN Manager can use stored Cisco.com credentials (user name and password) to log in to Cisco.com when it performs the following tasks:
Checks for product software updates
Checks for device software image updates
Opens or reviews Cisco support cases
If these settings are not configured, Cisco EPN Manager will prompt users for their credentials when they perform these tasks. To configure a global Cisco.com user name and password:
When you have a message that you want to display to all users before they log in, create a login disclaimer. The text will be displayed on the GUI client login page below the login and password fields.
A Cisco EPN Manager restart is needed in rare cases, such as after a product software upgrade. When you stop the Cisco EPN Manager server, all user sessions are terminated.
ncs stop
ncs start
Note | The default network address is 0.0.0.0, which indicates the entire network. An SNMP credential is defined per network, so only network addresses are allowed. 0.0.0.0 is the SNMP credential default and is used when no specific SNMP credential is defined. You should update the prepopulated SNMP credential with your own SNMP information. |
Step 1 | Choose , then choose . |
Step 2 | (Optional) Select the Trace Display Values check box to display mediation trace-level logging data values that are fetched using SNMP. |
Step 3 | Choose an algorithm from the Backoff Algorithm drop-down list. |
Step 4 | If you do not want to use the timeout and retries specified by the device, configure the following parameters. |
Step 5 | In the Maximum VarBinds per PDU field, enter a number to indicate the largest number of SNMP variable bindings allowed in a request or response PDU. This Maximum VarBinds per PDU field enables you to make necessary changes when you have any failures associated with SNMP. For customers who have issues with PDU fragmentation in their network, this number can be reduced to 50, which typically eliminates the fragmentation. |
Step 6 | Optionally adjust the Maximum Rows per Table. |
Step 7 | Click Save. |
Cisco EPN Manager uses the ftpuser ID to access other servers using FTP. Users with Admin privileges can change the FTP password.
Step 1 | Log in to the Cisco EPN Manager server as the admin user. See Establish an SSH Session With the Cisco EPN Manager Server. |
Step 2 | To change the Cisco EPN Manager server’s FTP password, enter:
ncs password ftpuser username password password |
(admin) ncs password ftpuser FTPuser password FTPUserPassword
Initializing...
Updating FTP password.
This may take a few minutes.
Successfully updated location ftpuser
Cisco EPN Manager uses the root ID to perform special tasks that require root access to the web GUI.
You must know the current web GUI root user password to change it.
Step 1 | Log in to the Cisco EPN Manager Admin CLI as the root user. (For information on the Admin CLI, see User Interfaces and User Types.) |
Step 2 | Enter the following command, where newpassword is the new web GUI root password:
ncs password root password newpassword |
ncs password root password NewWebGUIRootPassword
Password updated for web root password
This topic explains how to recover and reset the admin password on Cisco EPN Manager virtual machines (also known as OVAs).
Before You Begin
Ensure that you have:
Step 1 | At the Cisco EPN Manager OVA server, launch the VMware vSphere client. |
Step 2 | Upload the installation ISO image to the data store on the OVA virtual machine, as follows: |
Step 3 | With the ISO image uploaded to a datastore, make it the default boot image, as follows: |
Step 4 | Follow the steps below to reset a server administrator password: |
Step 5 | Log in with the new admin password. |
The System Monitoring Dashboard provides information about the configuration and performance of the Cisco EPN Manager server. To access the dashboard, choose (your User ID must have administrator privileges to access this dashboard). If you want to customize the dashlets that are displayed in the Overview or Performance tabs, follow the instructions in Add a Predefined Dashlet To a Dashboard.
Dashboard Tab | Description
---|---
Overview | Backup and data purging jobs, Cisco EPN Manager system alarms, and utilization statistics for server CPU, disk, and memory. You can specify different time frames to check this information. To view the server time, kernel version, operating system, hardware information, and so forth, click System Information at the top left of the dashboard to open a field with that information. You can add and delete dashlets from the Overview dashboard.
Performance | Server syslogs and traps, and input/output. You can specify different time frames for this data, and add and remove dashlets from the Performance dashboard.
Admin |
If Cisco EPN Manager is using 80 percent or more of your system resources or the device/interface/flow counts recommended for the size of OVA you have installed, this can negatively impact performance. Make sure the OVA is not exceeding the device, interface, and flow record recommendations given in the installation documentation. They are the maximums for each given OVA size. You can check these from the Admin Dashboard (see Check Cisco EPN Manager Server Health, Jobs, Performance, and API Statistics Using the System Monitoring Dashboard). To respond to space issues, see Manage Server Disk Space Issues.
Step 1 | Log in to the server as the admin user. See Establish an SSH Session With the Cisco EPN Manager Server. |
Step 2 | Enter the following command to compact the application database:
(admin)# ncs cleanup |
Step 3 | When prompted, answer Yes to the deep cleanup option. |
Cisco EPN Manager will trigger alarms indicating that the server is low on disk space at the following thresholds:
If you receive an alert, consider performing the following actions:
Free up existing database space as explained in Compact the Database.
If you are saving backups to a local repository, consider using a remote backup repository. See Configure the NFS Backup Server.
Reduce the retention period for network inventory, performance, reports, and other classes of data as explained in Data Collection and Purging.
Cisco EPN Manager generates internal SNMP traps that indicate potential problems with system components. This includes hardware component failures, high availability state changes, backup status, and so forth. The failure trap is generated as soon as the failure or state change is detected, and a clearing trap is generated if the failure corrects itself. For TCAs (high CPU, memory and disk utilization traps, and so forth), the trap is generated when the threshold is exceeded.
A complete list of server internal SNMP traps is provided in Cisco Evolved Programmable Network Manager Supported Alarms. Cisco EPN Manager sends traps to notification receivers on port 162. This port cannot be customized at present.
You can customize and manage these traps as described in the following topics:
You can customize server internal SNMP traps by adjusting their severity or (for TCAs) thresholds. You can also disable and enable the traps. Server internal SNMP traps are listed in Cisco Evolved Programmable Network Manager Supported Alarms.
Note | Cisco EPN Manager does not send SNMPv2 Inform or SNMPv3 notifications. |
Step 1 | Choose , then choose . |
Step 2 | For each SNMP event you want to configure: |
Step 3 | To save all of your trap changes, click Save (below the table). |
Step 4 | If you want to configure receivers for the server internal SNMP traps, refer to the procedures in the following topics, depending on whether you want to send the information as an email or trap notification. |
Cisco Evolved Programmable Network Manager Supported Alarms provides a complete list of server internal SNMP traps, their probable cause, and recommended actions to remedy the problem. If that document does not provide the information you need, follow this procedure to troubleshoot and get more information about Cisco EPN Manager server issues.
Step 1 | Ping the notification receiver from the Cisco EPN Manager server to ensure that there is connectivity between Cisco EPN Manager and your management application. |
Step 2 | Check if any firewall ACL settings are blocking port 162, and open communications on that port if needed. |
Step 3 | Log in to Cisco EPN Manager with a user ID that has Administrator privileges. Select Administration > Logging and download the log files. Then compare the activity recorded in these log files with the activity you are seeing in your management application:
The messages you see in these logs should match the activity you see in your management application. If you find major differences, open a support case with Cisco Technical Assistance Center (TAC) and attach the suspect log files with your case. See Open a Cisco Support Case. |
By default, users can create Cisco support requests from different parts of the Cisco EPN Manager GUI. If desired, you can configure the sender e-mail address and other e-mail characteristics. If you do not configure them, users can supply the information when they open a case.
If you do not want to allow users to create requests from the GUI client, you can disable that feature.
Step 1 | Choose , then choose . |
Step 2 | Click the Support Request tab. |
Step 3 | Select the type of interaction you prefer: |
Step 4 | Select your technical support provider: |
To help Cisco improve its products, Cisco EPN Manager collects the following data and sends it to Cisco:
Product information—Product type, software version, and installed licenses.
System information—Server operating system and available memory.
Network information—Number and type of devices on your network.
This feature is enabled by default. Data is collected on a daily, weekly, and monthly basis and is posted to a REST URL in the Cisco cloud using HTTPS. Choose , then choose , and: