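Introduction
This document describes the different types of administrator accounts in the BroadWorks Application Server (AS) and the steps to create new accounts.
Background Information
Cisco BroadWorks is an application installed on top of a Linux operating system and can be accessed through multiple interfaces. It therefore comes with several different administrator accounts:
- Root user: the account created during operating system installation. It provides full access to the system and must therefore be used with caution. It is outside the scope of this article; you must apply the guidance provided by your operating system vendor to manage and secure root access. For example, if BroadWorks is installed on top of Red Hat Enterprise Linux (RHEL), you can refer to Red Hat's superuser access documentation.
- BroadWorks administrator (also known as bwadmin): the account used to manage the BroadWorks application and to access it through the command line interface (CLI).
- System administrator: the account used to log in to the BroadWorks application through the web interface.
- Reseller/Enterprise/Service Provider/Group administrator: the account used to manage a specific reseller, enterprise, service provider, or group.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic BroadWorks administration.
- Basic Linux commands.
Components Used
The information in this document is based on BroadWorks AS version R24.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
BroadWorks Administrator
Configure
The initial BroadWorks administrator account is created during BroadWorks installation. To create additional accounts, follow these steps:
Step 1. Log in to the BroadWorks CLI with root credentials.
Step 2. Navigate to the /usr/local/broadworks/bw_base/sbin directory: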
[root@as1 ~]# cd /usr/local/broadworks/bw_base/sbin
Step 3. Run the bwuseradd -h command to list the configuration options:
[root@as1 sbin]# ./bwuseradd -h
Missing argument: role
bwuseradd Version 1.14
USAGE: bwuseradd
<-r, --role BWORKS|BWSUPERADMIN|OPERATOR|VIEWER> [-p, --passwd password] [-d, --default] [-c, --centralized] [-v, --verbose] [-h, --help]
Parameters:
: the new user name
-r, --role : the user assigned role
-p, --passwd : the user password. Enclose the password in single quotes if it contains special characters.
-d, --default : reset passwd
-c, --centralized : for centralized user management
-v, --verbose : run in verbose mode
-h, --help : print this Help
Description: Invokes Unix/ldap commands to create a local/centralized bw user
Example: bwuseradd -r OPERATOR --passwd admin123 admin
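When you create a new account, you must select one of these four roles:
- BWSUPERADMIN: This role has root access to install files. It is used to install and upgrade Cisco BroadWorks.
- BWORKS: This role can start, stop, and make modifications with the CLI or the other tools available on the Cisco BroadWorks server.
- OPERATOR: This role can configure the Cisco BroadWorks configuration files but cannot start or stop Cisco BroadWorks.
- VIEWER: This role can view the current configuration but cannot make any modifications.
For details on the commands used in this section, refer to the UNIX User Account Configuration Guide.
Step 4. Run the bwuseradd command to create the new user: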
[root@as1 sbin]# ./bwuseradd -r BWORKS --passwd bwadmin1 bwadmin1
Changing password for user bwadmin1.
passwd: all authentication tokens updated successfully.
User will be required to change password upon next login
Expiring password for user bwadmin1.
passwd: Success
WARNING: Please make sure this user is created on all servers.
WARNING: Do not forget to run 'config-ssh -createKeys
' for the new user.
Step 5. If the AS is installed in cluster mode, run the same command on the secondary node:
[root@as2 sbin]# ./bwuseradd -r BWORKS --passwd bwadmin1 bwadmin1
Changing password for user bwadmin1.
passwd: all authentication tokens updated successfully.
User will be required to change password upon next login
Expiring password for user bwadmin1.
passwd: Success
WARNING: Please make sure this user is created on all servers.
WARNING: Do not forget to run 'config-ssh -createKeys
' for the new user.
Step 6. Log in as the new user; you are prompted to reset the password:
bwadmin1@as1's password:
You are required to change your password immediately (administrator enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bwadmin1.
Current password:
New password:
Retype new password:
Step 7. Run the bin command to navigate to /usr/local/broadworks/bw_base/bin (on the primary AS):
bwadmin1@as1.mleus.lab$ bin
bwadmin1@as1.mleus.lab$ pwd
/usr/local/broadworks/bw_base/bin
Step 8. Run the config-ssh command to create the key pairs:
bwadmin1@as1.mleus.lab$ ./config-ssh -createKeys bwadmin1@as2
==============================================
==== SSH CONFIGURATION TOOL version 2.2.22 ====
=> Setting default settings <=
Setting 'StrictHostKeyChecking no'
Setting 'ServerAliveInterval 250'
=> DNS Sanity test <=
[###############]
[...............]
Configured: y, Reachable: y, Resolved: y, Required: n.
Using bwadmin1@as1.mleus.lab as local peer name for as1.mleus.lab.
=> DNS OK <=
=> Peer reachability test <=
[###]
[...]
=> Creating SSH keys <=
Creating keys for bwadmin1@as2...
bwadmin1@as2's password:
Generating ecdsa key...
Generating rsa key...
Creating keys for bwadmin1@as1.mleus.lab...
bwadmin1@as1.mleus.lab's password:
Generating ecdsa key...
Generating rsa key...
=> Keying SSH <=
Preparing bwadmin1@as1.mleus.lab for keying...
Cleaning public keys for bwadmin1@as2...
Sharing keys with bwadmin1@as2...
Pushing local public keys...
bwadmin1@as2's password:
Pulling remote public keys...
bwadmin1@as2's password:
Sharing keys with bwadmin1@as2... [done]
=> Fully meshing SSH peers <=
=> Recursing with bwadmin1@as2 <=
Pushing config-ssh script to bwadmin1@as2...
Launching config-ssh on bwadmin1@as2...
=> Setting default settings <=
Adding 'StrictHostKeyChecking no'
Adding 'ServerAliveInterval 250'
=> DNS Sanity test <=
[###############]
[...............]
Configured: y, Reachable: y, Resolved: y, Required: n.
Using bwadmin1@as2.mleus.lab as local peer name for as2.mleus.lab.
=> DNS OK <=
=> Peer reachability test <=
[###]
[...]
=> Keying SSH <=
Preparing bwadmin1@as2.mleus.lab for keying...
Cleaning public keys for bwadmin1@as1.mleus.lab...
Sharing keys with bwadmin1@as1.mleus.lab...
Pushing local public keys...
Pulling remote public keys...
Sharing keys with bwadmin1@as1.mleus.lab... [done]
=> Testing ssh configuration <=
Testing bwadmin1@as2... [done]
==== SSH CONFIGURATION TOOL completed ====
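The config-ssh output above shows the tool setting 'StrictHostKeyChecking no' for the new user, which means ssh does not stop on an unknown or changed peer host key. The shell function below is an added example, not part of the original Cisco document or of BroadWorks; it lists where an OpenSSH client configuration file disables host key checking. The file path ~/.ssh/config and the sample content are assumptions, since the page does not say which file config-ssh writes.

```shell
#!/bin/sh
# Added example: report where an OpenSSH client config disables host key checks.
# Output: <line number>:<scope>:<value>, one line per finding.

audit_host_key_checking() {
    # $1: ssh_config-style file (assumed path for the new user: ~/.ssh/config)
    awk '
    BEGIN { scope = "(global)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)               # drop leading whitespace
        if (line == "" || line ~ /^#/) next    # skip blank lines and comments
        sub(/[ \t]*=[ \t]*/, " ", line)        # accept the "Keyword=value" form
        split(line, f, /[ \t]+/)
        key = tolower(f[1])                    # keywords are case-insensitive
        if (key == "host" || key == "match") { scope = line; next }
        if (key == "stricthostkeychecking") {
            val = tolower(f[2])
            gsub(/"/, "", val)                 # values may be quoted
            if (val == "no" || val == "off")   # "off" is accepted as "no"
                printf "%d:%s:%s\n", NR, scope, val
        }
    }' "$1"
}

# Constructed sample config, not captured from a BroadWorks host.
sample_config() {
    cat <<'EOF'
# constructed sample
StrictHostKeyChecking no
ServerAliveInterval 250

Host as2
    stricthostkeychecking=yes
Host lab-*
    StrictHostKeyChecking = off
EOF
}

# Audit the file given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    audit_host_key_checking "$1"
fi
```

Because ssh uses the first value it obtains for each parameter, a global entry near the top of the file takes precedence over a stricter value in a later Host block.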
Verify
To verify the new user, log in to the CLI with the new credentials and run some basic BroadWorks commands:
bwadmin1@as1.mleus.lab$ bwshowver
AS version Rel_24.0_1.944
Built Sat Jun 6 00:26:50 EDT 2020
- BASE revision 909962
- AS revision 909962
Patching Info:
Active Patches: 701
bwadmin1@as1.mleus.lab$ bwcli
======================================================================
BroadWorks Command Line Interface
Type HELP for more information
======================================================================
AS_CLI>
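System Administrator
Configure
Step 1. Navigate to the login page at https://<AS_FQDN>/ and log in to the AS web interface.
Step 2. Navigate to System > Profile > Administrators.
Step 3. Click the Add button.
Step 4. Fill in all the fields:
There are two administrator types to choose from:
Step 5. Click OK to save the changes.
Verify
Navigate to System > Profile > Administrators and search for the newly created account:
Log out and log back in with the new set of credentials (you are prompted to change the password):
Browse the menus to confirm that all required options are available.
You can also verify the new credentials through the CLI. Open the BroadWorks CLI (BWCLI) and run the login command with the new set of credentials: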
AS_CLI> login webadmin
Password:
webadmin logging in...
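Reseller/Enterprise/Service Provider/Group Administrator
Configure
Step 1. Navigate to the login page at https://<AS_FQDN>/ and log in to the AS web interface.
Step 2. Navigate to System > Profile, then navigate further to Reseller, Enterprises, Service Providers, or Group, depending on the entity for which you create the administrator. A service provider is used in this configuration example, but the configuration is the same for the other entities.
Step 3. Select the service provider to which you want to add the new administrator.
Step 4. Navigate to Profile > Administrators and click the Add button.
Step 5. Fill in all the fields:
There are three administrator types available for a service provider/enterprise (for resellers and groups, there is no type selection):
- Service Provider creates a normal administrator, whose access to the web interface is determined by the policies that you set on the Administrator Policies page.
- Customer creates a customer administrator. Customer administrators only have access to the Group, User, Service Instances, and Change Password pages of their service provider. Customer administrators have access to all group pages, except that access to the Intercept Group page is read-only and there is no access to the Call Capacity page. You can further restrict customer administrator access through the policies that you set on the Administrator Policies page.
- Password Reset Only allows the administrator to modify user passwords only. The administrator has no access to any other pages, data, or commands in the web interface.
Step 6. Click OK to save the changes.
Verify
Navigate to System > Profile > Service Providers or Enterprises and select the entity for which you created the administrator account. Then navigate to Profile > Administrators and search for the newly created administrator:
Log out and log back in with the new set of credentials (you are prompted to change the password):
Browse the menus to confirm that only the settings related to the specific service provider/enterprise are shown.
Add Administrator Accounts with CLI Commands
All web access accounts can also be created with BWCLI commands. This document does not cover this in detail, but the corresponding commands are listed below for reference:
- System administrator: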
AS_CLI/SubscriberMgmt/Administrator> h add
When adding a new administrator to the system, you set the administrator user
ID, access level, first and last names, and password.
Parameters description:
userId : The user ID for the administrator.
type : when set to "system", allows for complete access to the Application
Server CLI and its functions.
When set to "prov", allows only limited access to the Application
Server CLI, specifically functions in the network level only.
readOnly : Cannot configure the system.
attribute: Additional attributes to include through the add command.
lastName : The user's last name.
firstName: The user's first name.
language : Indicates the language to be used for the administrator.
======================================================================
add
, String {2 to 80 characters}
, Choice = {system, prov}
, Choice = {false, true} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Reseller administrator:
AS_CLI/SubscriberMgmt/Reseller/Administrator> h add
This command is used to add a new reseller administrator. When this command is
used, you are prompted for password information.
Parameters description:
resellerId: The ID of the reseller.
userId : The user ID for the reseller administrator.
attribute : Additional attributes to include with the name command.
lastName : This parameter specifies the reseller administrator's last name.
firstName : This parameter specifies the reseller administrator's first name.
language : This parameter specifies the reseller administrator's supported
language.
======================================================================
add
, String {1 to 36 characters}
, String {2 to 80 characters} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Enterprise/Service Provider administrator:
AS_CLI/SubscriberMgmt/ServiceProvider/Administrator> h add
When adding a new service provider administrator to the system, the
corresponding service provider administrator's user ID, first name, and last
names are set. You are prompted for password information.
Parameters description:
svcProviderId: The service provider.
userId : The user ID for the service provider administrator.
adminType : When set to "normal", the service provider administrator has all
standard access rights and privileges.
When set to "customer", the customer administrator only has
access to the Group, User, and Change Password web portal pages.
Also, the customer administrator has no access to Call Capacity
and has read-only access to Intercept Group pages.
When set to "passwordResetOnly", this value allows the service
provider administrator to reset the user's web and portal
password only.
attribute : Additional attributes to include through the add command.
lastName : The service provider administrator's last name.
firstName : The service provider administrator's first name.
language : The service provider's supported language.
======================================================================
add
, String {1 to 30 characters}
, String {2 to 80 characters}
, Choice = {normal, customer, passwordResetOnly} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Group administrator:
AS_CLI/SubscriberMgmt/Group/Administrator> h add
When adding a new group administrator to the system, the corresponding group
name and service provider, and the group administrator's user ID, first name,
and last name are set.
Parameters description:
svcProviderId: The ID of the service provider to whom the group and group
administrator belong.
groupId : The ID of the group to which the administrator belongs.
userId : The user ID for the group administrator.
attribute : Additional attributes to include through the add command.
lastName : The group administrator's last name.
firstName : The group administrator's first name.
language : The supported language for the group administrator.
======================================================================
add
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {2 to 161 characters} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}