User Guide for Cisco Digital Media Manager 5.0

Alerts

Shows the total count of email and SNMP notification messages delivered in the past 1 hour. To jump directly to the Alerts page, click View Alerts. To understand the View Alerts page, see Managing Email, SNMP, Alerts, and Notifications.

License Features

Lists software feature module licenses that are installed on your DMM appliance and describes any constraints that these licenses impose.

Status

Summarizes the current state of your Video Portal appliance and of all registered DMPs in your network, assuming that you set up the hardware and installed the separately licensed software features for these device types. This gauge organizes data in these subsections:

•Digital Media Players — Counts the total number of registered DMPs and specifies how many were reachable or unreachable when you loaded this gauge in your browser. To jump directly to the DMP Manager page, click View All DMPs and DMP Groups. To understand DMP grouping and management practices, see Managing and Grouping Your DMPs, page 3-6.

•Video Portal Appliance — Shows you whether your Video Portal appliance¹ was unreachable at any time in the past 1 hour. Counts the number of Video Portal deployments that were pending or completed when you loaded this gauge in your browser. To jump directly to the live HTTP URL of your Video Portal, click Go to Video Portal. To jump directly to the DMM-VPM landing page, click Manage Video Portal. To understand the management and configuration options for desktop video, see Chapter 4, "Managing Desktop Video."

To update the data that this gauge shows, refresh your browser.

System Information

This gauge:

•Tells you the installed release version of your DMM server software.

•Shows free disk space and used disk space on your DMM appliance² and Video Portal³ appliance.

•Tells you whether the most recent replication of data succeeded between your Cisco DMS appliances.

Users Logged In (Past 1 Hour)

Counts the total number of users who logged in to each of your DMS appliances over the past 1 hour. To jump directly to the Users page in DMS-Admin, click View All Users. To understand user account settings and authentication settings for Cisco DMS products, see Managing User Accounts and Authentication Settings.

¹ This DMM release supports your use of only one Video Portal appliance.

² The disk space descriptions for your DMM appliance pertain only to the /dm2 partition where local copies of assets are stored temporarily after you upload them.

³ Even though your Video Portal appliance might report that it has ample free disk space, you should not use it to store video files or any other data except the files that Cisco DMS generates. We do not support any use of your Video Portal appliance as a storage server. Any unsupported data that you store on it will be lost irretrievably each time that you upgrade, restore, or reinstall Cisco software.

1. Work with any preexisting user accounts that you migrated from an earlier Cisco DMS release.

If you upgraded to Cisco DMS 5.0.x from any 4.1.x release on which you had licensed the features for digital signage networks, it is possible that some formerly redundant usernames from your licensed software modules are now unique. This will have occurred if an identical username was configured for use in both DMM-VPM and DMM-DSM. As just one possible example, you might have configured the username admin to work in both of these software modules. Migration during your upgrade will have consolidated all user accounts into DMS-Admin, and any redundant usernames from your preexisting DMM-DSM configuration now have a suffix appended to them. The suffix is exactly: _dsm. So, where this scenario supposes that the twice-used username was admin in Cisco DMS 4.1.x, the two migrated usernames in this newer Cisco DMS release would be:

•admin (for the user account that you migrated from DMM-VPM).

•admin_dsm (for the user account that you migrated from DMM-DSM).

You might now want to assign sufficient access rights and permissions to one of the migrated accounts so that you can delete the other account safely, without disrupting the approvals workflow or other established practices in your organization. In this example scenario, the ideal result might be that you are left with only one user account called admin, whose assigned rights and permissions across all of your installed Cisco DMS products are at least sufficient to manage all suitable features for desktop video and digital signage.

•To understand at a high-level tasks what you must do to assign rights and permissions to user accounts in Cisco DMS 5.0.x, see Task 4.

•To understand what you must do to delete an obsoleted user account that was formerly redundant, see Deleting User Accounts.

2. Create new user accounts. To create user accounts manually for DMM software modules, Video Portal Reports, and your Video Portal, you use DMS-Admin. Any user accounts that you create manually will be in addition to those whose creation you automate by importing user account data from an Active Directory server¹ . To understand how to create user accounts manually, see Configuring User Accounts Manually.

By default, each new user account that you create has the DMS-Admin user role of "Other" until you assign access rights and privileges to it in at least one DMM software module. User accounts are severely limited in their access when they have this user role. See Understanding User Roles in DMS-Admin.

3. Create user groups. To create a new user group, choose Administration > Users > Create Group, and then enter the required values. To save your work, click Save.

4. Assign access rights and permissions.

After you create user accounts, you assign access rights and privileges separately for these users in the DMM software modules that pertain to them. The access rights and privileges that you assign to a user account are always specific to an environment for desktop video or digital signage (the latter of which includes enterprise TV). Therefore, you assign access rights and privileges to users in the individually licensed and separately installed DMM software modules that are applicable per user:

•For desktop video, choose Video Portal > Users > User Accounts. To understand user access settings and permission levels for desktop video, see Chapter 4, "Managing Desktop Video."

•For digital signage or enterprise TV, choose Digital Signage > Settings > User Accounts. To understand user access settings and permission levels in a digital signage network, see Chapter 3, "Managing Digital Signage and Enterprise TV."

5. Assign users to user groups.

When you first create a user account in DMS-Admin, you can associate the account with a user group immediately or you can do so after you assign access rights and permissions to the user.

¹ To learn how to import user accounts from an Active Directory server, see Configuring Authentication Settings.

First Name

This required value might be identical for multiple users.

Last Name

This required value might also be identical for multiple users.

Email Address

The email address to be associated with this user account.

Username

A unique username. The name is unique in the sense that you have not used it as the name for any other user account for any component of Cisco DMS. You must enter the username.

Password

The password for the user account. You must enter a password, then reenter it.

Re-enter password

Active list

Signifies whether the account holder is an active or inactive user of Cisco DMS. Alternatively, signifies whether the account holder is active in your organization.

Company

The agency, corporation, nonprofit organization, or other such institution to be associated with this user account.

Department

The department within the institution.

Phone

The telephone number to be associated with this user account.

Unlabeled check box

Marks the groups to which this user should belong.

Groups column

Shows the group name.

Description column

Optional, brief description of the group and its purpose.

No Authentication

Requires users who log in to authenticate (enter a username and password) against the user account database for DMM, but does not impose any authentication restrictions for access to Video Portal or Video Portal Reports.

Embedded Authentication

Requires users who log in to DMM-DSM, DMM-ETV, DMM-VPM, Video Portal, and Video Portal Reports to authenticate against a user account database that is native to DMM and is independent of every other type of authentication that you might use in your network.

LDAP Authentication

Automatically deletes all user accounts, except the superuser account. Requires future users to authenticate against the user account data from your Active Directory server when they log in to DMM-DSM, DMM-ETV, DMM-VPM, Video Portal Reports, or Video Portal.

Although the user account data originates from your Active Directory server, Cisco DMS does not synchronize (replicate) the data automatically, in real time. Instead, you must resynchronize the user account data whenever you think it is appropriate to do so. You can resynchronize manually or you can schedule synchronizations to recur in the future at intervals that you specify. To learn how to synchronize manually and how to schedule the automated recurrence of synchronizations, see the "Synchronization Mode" row in Table 2-5.

Note Lightweight Directory Access Protocol (LDAP) is a highly complex data model and communications protocol for user authentication. The LDAP features in Cisco DMS are meant for use by qualified and experienced administrators of Microsoft Active Directory. Unless you are an Active Directory and LDAP expert, we recommend that you choose another option than LDAP.

Even though it is possible in Active Directory to use a blank value for a password, Cisco DMS does not allow it. Therefore, when you use LDAP authentication, any user whose Active Directory password is blank will be prevented from logging in to DMM-DSM, DMM-ETV, DMM-VPM, Video Portal, and Video Portal Reports until the password is changed on the Active Directory server. There is no requirement to resynchronize the affected user account in DMS-Admin after you change its password on your Active Directory server.

DMS-Admin synchronizes all user accounts in the Active Directory user base that you specify in a filter, excluding the users whose accounts are marked as disabled on your Active Directory server.

Anonymous

Enables or disables an anonymous LDAP connection between your DMM appliance and your Active Directory server. An anonymous connection is suitable when you want to see or use public information on the Active Directory server. In contrast, if you want to see or use privileged information on your Active Directory server, the server will require you to enter login credentials to prove that you have sufficient access rights. In the latter case, your Active Directory server will reject any attempt to use an anonymous login.

This check box is available to you only if you chose LDAP Authentication.

Host

Enter the routable IP address or DNS-resolvable hostname for the Active Directory server. This field is available to you only if you chose LDAP Authentication.

Port

Enter the TCP port number that your Active Directory server uses for its LDAP communications. This field is available to you only if you chose LDAP Authentication. The Active Directory port number by default is 389 for LDAP communications and 636 for LDAPS (Secure LDAP or LDAP over SSL) communications.

Use SSL Encryption

A check box, by which you enable or disable LDAPS connections between your DMM appliance and your Active Directory server. To enable LDAPS, check the check box; to disable LDAPS, uncheck it. An LDAPS connection is suitable when you want the communications between your DMM appliance and your Active Directory server to be encrypted, so that untrusted third parties are prevented from reading credentials that the servers exchange. This check box is available to you only if you chose LDAP Authentication.

Active Directory Certificate File

The method by which to upload the digital certificate that your Active Directory server uses for LDAPS communications. This field is available to you only if you checked the Use SSL Encryption check box.

The X.509 certificate that you provide must be DER-encoded and can be supplied in binary or printable (Base64) encoding. If you use Base64 encoding,the certificate file must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

To open and use the Upload Certificate File dialog box:

1. Click Upload, then, click Add.

2. Browse to the file on a local volume.

3. Click the filename and press Enter.

4. To save your work and dismiss the dialog box, click OK.

Current Certificate File

Identifies the digital certificate that is installed in DMS-Admin for use during LDAPS communication with your Active Directory server.

Administrator DN

Enter the Active Directory server administrator distinguished name.

This field is available to you only if you chose LDAP Authentication and unchecked the Anonymous check box.

Password

Enter the password that is associated with the Administrator DN.

This field is available to you only if you chose LDAP Authentication and unchecked the Anonymous check box.

Tip If an error message tells you that your Active Directory password is not valid, confirm on your Active Directory server that you have not set the "User must change password at next login" flag. DMS-Admin cannot change your password on an Active Directory server. Instead, you must use the user interface that your Active Directory server provides for that purpose. While this flag is set, you are prevented from logging in to any Cisco DMS component until you have changed your password on the Active Directory server.

Update

Saves and applies your work on the Authentication Mode property sheet.

Cancel

Discards your work on the Authentication Mode property sheet and resets all values to their previous configuration.

Description

Enter a human-readable description for the filter.

User Base DN

Enter the distinguished name of the Active Directory user base that you will search.

Note Never use a filter in which you define the user base at the domain level. As one example, the following filter would be unacceptable: dc=cisco, dc=com. Instead, you should use filters that define the user base at a lower level, like this example does: ou=sanjose, dc=cisco, dc=com.

User Filter

Enter a user filter to limit the number of matching user accounts to import from the user base that you specified.

Add

Adds the filter, exactly as entered, without first validating it.

Validate

Validates the filter to confirm, before you add it, that it will return meaningful results.

Tip If an error message tells you that filter validation failed, confirm on your LDAP server that your filter did not make any reference to an empty organizational unit (OU) container. Filters fail when they point to empty containers.

Clear

Clears all entries from the Define Filters property sheet.

Synchronization

Tip We recommend that you use the Initial synchronization option and the Overwrite synchronization option during off-peak hours only. These synchronization types are CPU-intensive for your DMM appliance and might cause its performance to drop temporarily to an unacceptable level.

One of the following:

•Initial — Runs a one-time synchronization for a new filter that you never synchronized previously.

•Update — Runs an incremental, fast update to find and make up for any differences between user accounts that match your Active Directory filter and your local copy of those user accounts.

•Overwrite — Overwrites your local copy of user accounts that correspond to your Active Directory filter with new copies of those user accounts. In addition, deletes your local copy of each user account that has been deleted from Active Directory since the last time that you ran a synchronization.

•Delete — Deletes your local copy of user accounts that correspond to a defined Active Directory filter and deletes the entry for that filter from DMS-Admin.

Access Rights

One or both of the following:

•VP — When checked, this check box enables login access to your Video Portal for users who match the corresponding Active Directory filter. When you uncheck the check box, those same users are prevented from logging in to your Video Portal.

•VPR — When checked, this check box enables login access to see and use Video Portal Reports for users who match the corresponding Active Directory filter. When you uncheck this check box, those same users are prevented from seeing and using Video Portal Reports.

Update

Submits your selections for the type of synchronization and the scope of access that you chose and configured. Synchronization of the specified type starts immediately.

Cancel

Discards any changes you made to the configuration of behaviors for synchronizations and the scope of access, and resets all entries to their previous values on the LDAP Bookmarks property sheet and the Scheduling property sheet.

Synchronization Mode

Enables one or the other of two possible modes, which are mutually exclusive, to receive updated user account information from your Active Directory server. Click one radio button:

•Manual Synchronization — Mode that requires during each subsequent synchronization of each configured LDAP bookmark that you must choose Administration > Settings > Authentication > Synchronize Users > LDAP Bookmarks; then, click Update. When you choose this mode, you delete any schedule that you configured previously to define automatic synchronizations.

•Automatic Synchronization — Mode that automates and schedules the recurrence of incremental updates of all user accounts that correspond to your defined Active Directory filters in DMS-Admin. As soon as you click this radio button, fields and elements that were hidden from you become available for your use, so that you can complete this required procedure:

1. Click the calendar icon () to choose the start date for synchronization.

2. Choose the hour and minute when synchronization should begin, and then choose either AM or PM as the period.

3. From the Repeat Interval list, choose the interval of recurrence:

–Never — Synchronization will occur one time and will not recur.

–Every Day — Synchronization will recur once every 24 hours, starting at the specified hour and minute.

–Every Week — Synchronization will recur once every 7 days, starting at the specified hour and minute.

–Every Month — Synchronization will recur once each month, starting at the specified hour and minute.

–Custom — Synchronization will recur at the interval you define, starting at the specified hour and minute. Choose whether the interval type is Days, Weeks, or Months. If the interval type is Days, choose a day of the month from 1 to 30. If the interval type is Weeks, choose the day of the week. If the interval type is Months, choose an interval of recurrence from 1 to 6.

4. (Optional) If, in addition to the start date and time that you specified, a one-time synchronization should also start immediately, check the Synchronize users immediately check box. This check box is available to you only if you clicked the Automatic Synchronization radio button.

Update

Submits your selections for the type of synchronization and the scope of access that you chose and configured. Synchronization of the specified type starts immediately.

Cancel

Discards any changes you made to the configuration of behaviors for synchronizations and the scope of access, and resets all entries to their previous values on the LDAP Bookmarks property sheet and the Scheduling property sheet.

DMM Attribute Name

Values that DMS-Admin uses to describe and identify various attributes that it associates with each user account. You cannot change the values in this column. They are for your reference only, to help you enter suitable values (and recognize suitable values when you see them) in the LDAP Attribute Name column and the Values to Use by Default column.

LDAP Attribute Name

Values that your Active Directory server uses — which correspond one-to-one with values in the DMM Attribute Row column — to describe and identify attributes of each user account. In its factory-default configuration, DMS-Admin prepopulates all fields in this column with the most commonplace values that Active Directory servers use for this purpose. If the values for these attributes differ on your Active Directory server or if you prefer to import objects that use other Active Directory attributes, you can edit the values in this column.

Ordinarily, DMS-Admin will not import any user account from your Active Directory server when the value in it is blank for any of these attributes:

•Login User Name — This required value always must be unique.

•First Name — This required value might be identical for multiple users.

•Last Name — This required value might also be identical for multiple users.

However, you can import and synchronize all of the Active Directory user accounts that match your filters, even if some of the user accounts are incomplete because one or more of their attributes have blank values. To prevent these undefined attributes from blocking the import of the user accounts they are meant to describe, you can enter generic values for most attributes in the Values to Use by Default column. DMS-Admin takes the generic values that you enter, and then inserts them automatically where they are needed. Nonetheless, you cannot ever enter a value to use by default for the Login User Name attribute, because each username is unique.

Values to Use by Default

Enter text to insert automatically when the value is blank for the corresponding attribute in an Active Directory user account that you import or synchronize. To ensure that DMS-Admin imports each valid user account that matches a filter, we recommend that you enter values for these attributes:

•First Name

•Last Name

For your convenience, you can also enter values to insert automatically when the values are blank for other attributes — such as Company, Department, or Phone Number — but this is optional.

Note You cannot enter a value to use by default as the Login User Name value.

Reset to Factory Default

Returns all values in the LDAP Attribute Name column to the most commonplace values that Active Directory servers use. If you entered different values manually because the labels for these attributes differ on your Active Directory server or because you prefer to import user accounts that use other Active Directory attributes, DMS-Admin deletes what you entered.

Update

Saves and applies your work in the Manage Attributes property sheet.

1. Configure SNMP server settings for your DMM appliance.

a. Choose Settings > SNMP, and then enter the required values so that your DMM appliance can run or will stop the SNMP server service:

  ·    Server Status — Click the radio button to enable or disable SNMP monitoring.

  ·    Host — The routable IP address or DNS-resolvable hostname of the NMS.

  ·    Port — The number to identify which UDP port is reserved for SNMP traffic.

  ·    Community String — A password that identifies the community of the external SNMP server to which DMS conveys notifications. By default, the entry is public.

b. Click Save.

2. Load both the CISCO-DIGITAL-MEDIA-SYSTEMS-MIB.my file and its corresponding "agent capabilities" file into the MIB browser for your NMS. Manufacturer documentation for your NMS should tell you how to load these files. When your NMS prompts you to enter the SNMP port number for your DMM appliance, use the port number 161.