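Introduction
This document describes the different types of administrator accounts in the BroadWorks Application Server (AS) and the steps to create new accounts.
Background Information
Cisco BroadWorks is an application installed on top of a Linux operating system and can be accessed through multiple interfaces. It therefore comes with several different administrator accounts:
- Root user: the account created during OS installation. It grants full access to the system, so it must be used with caution. It is outside the scope of this document; you must apply the guidelines provided by your OS vendor to manage and secure root access. For example, if your BroadWorks is installed on top of Red Hat Enterprise Linux (RHEL), you can refer to Red Hat's superuser access documentation.
- BroadWorks administrator (also known as bwadmin): the account used to manage the BroadWorks application and to access it through the command line interface (CLI).
- System administrator: the account used to log in to the BroadWorks application through the web interface.
- Reseller/Enterprise/Service Provider/Group administrator: the account used to manage a specific reseller, enterprise, service provider or group.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic BroadWorks administration.
- Basic Linux commands.
Components Used
The information in this document is based on BroadWorks AS version R24.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
BroadWorks Administrator
Configure
The initial BroadWorks administrator account is created during the BroadWorks installation. To create additional accounts, follow these steps:
Step 1. Log in to the BroadWorks CLI with root credentials.
Step 2. Navigate to the /usr/local/broadworks/bw_base/sbin directory: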
[root@as1 ~]# cd /usr/local/broadworks/bw_base/sbin
Step 3. Run the bwuseradd -h command to list the configuration options:
[root@as1 sbin]# ./bwuseradd –h
Missing argument: role
bwuseradd Version 1.14
USAGE: bwuseradd
<-r, --role BWORKS|BWSUPERADMIN|OPERATOR|VIEWER> [-p, --passwd password] [-d, --default] [-c, --centralized] [-v, --verbose] [-h, --help]
Parameters:
: the new user name
-r, --role : the user assigned role
-p, --passwd : the user password. Enclose the password in single quotes if it contains special characters.
-d, --default : reset passwd
-c, --centralized : for centralized user management
-v, --verbose : run in verbose mode
-h, --help : print this Help
Description: Invokes Unix/ldap commands to create a local/centralized bw user
Example: bwuseradd -r OPERATOR --passwd admin123 admin
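When you create a new account, you must select one of these four roles:
- BWSUPERADMIN: this role has root access to the installation files. It is used to install and upgrade Cisco BroadWorks.
- BWORKS: this role can start, stop and make modifications using the CLI or other tools available on the Cisco BroadWorks server.
- OPERATOR: this role can configure Cisco BroadWorks configuration files, but cannot start or stop Cisco BroadWorks.
- VIEWER: this role can view the current configuration, but cannot make any modifications.
For details on the commands used in this section, refer to the UNIX User Account Configuration Guide.
Step 4. Run the bwuseradd command to create the new user: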
[root@as1 sbin]# ./bwuseradd -r BWORKS --passwd bwadmin1 bwadmin1
Changing password for user bwadmin1.
passwd: all authentication tokens updated successfully.
User will be required to change password upon next login
Expiring password for user bwadmin1.
passwd: Success
WARNING: Please make sure this user is created on all servers.
WARNING: Do not forget to run 'config-ssh -createKeys
' for the new user.
Step 5. If the AS is installed in cluster mode, run the same command on the secondary node:
[root@as2 sbin]# ./bwuseradd -r BWORKS --passwd bwadmin1 bwadmin1
Changing password for user bwadmin1.
passwd: all authentication tokens updated successfully.
User will be required to change password upon next login
Expiring password for user bwadmin1.
passwd: Success
WARNING: Please make sure this user is created on all servers.
WARNING: Do not forget to run 'config-ssh -createKeys
' for the new user.
Step 6. Log in as the new user; you are prompted to reset the password:
bwadmin1@as1's password:
You are required to change your password immediately (administrator enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user bwadmin1.
Current password:
New password:
Retype new password:
Step 7. On the primary AS, run the bin command to navigate to /usr/local/broadworks/bw_base/bin:
bwadmin1@as1.mleus.lab$ bin
bwadmin1@as1.mleus.lab$ pwd
/usr/local/broadworks/bw_base/bin
Step 8. Run the config-ssh command to create the common key pair:
bwadmin1@as1.mleus.lab$ ./config-ssh -createKeys bwadmin1@as2
==============================================
==== SSH CONFIGURATION TOOL version 2.2.22 ====
=> Setting default settings <=
Setting 'StrictHostKeyChecking no'
Setting 'ServerAliveInterval 250'
=> DNS Sanity test <=
[###############]
[...............]
Configured: y, Reachable: y, Resolved: y, Required: n.
Using bwadmin1@as1.mleus.lab as local peer name for as1.mleus.lab.
=> DNS OK <=
=> Peer reachability test <=
[###]
[...]
=> Creating SSH keys <=
Creating keys for bwadmin1@as2...
bwadmin1@as2's password:
Generating ecdsa key...
Generating rsa key...
Creating keys for bwadmin1@as1.mleus.lab...
bwadmin1@as1.mleus.lab's password:
Generating ecdsa key...
Generating rsa key...
=> Keying SSH <=
Preparing bwadmin1@as1.mleus.lab for keying...
Cleaning public keys for bwadmin1@as2...
Sharing keys with bwadmin1@as2...
Pushing local public keys...
bwadmin1@as2's password:
Pulling remote public keys...
bwadmin1@as2's password:
Sharing keys with bwadmin1@as2... [done]
=> Fully meshing SSH peers <=
=> Recursing with bwadmin1@as2 <=
Pushing config-ssh script to bwadmin1@as2...
Launching config-ssh on bwadmin1@as2...
=> Setting default settings <=
Adding 'StrictHostKeyChecking no'
Adding 'ServerAliveInterval 250'
=> DNS Sanity test <=
[###############]
[...............]
Configured: y, Reachable: y, Resolved: y, Required: n.
Using bwadmin1@as2.mleus.lab as local peer name for as2.mleus.lab.
=> DNS OK <=
=> Peer reachability test <=
[###]
[...]
=> Keying SSH <=
Preparing bwadmin1@as2.mleus.lab for keying...
Cleaning public keys for bwadmin1@as1.mleus.lab...
Sharing keys with bwadmin1@as1.mleus.lab...
Pushing local public keys...
Pulling remote public keys...
Sharing keys with bwadmin1@as1.mleus.lab... [done]
=> Testing ssh configuration <=
Testing bwadmin1@as2... [done]
==== SSH CONFIGURATION TOOL completed ====
Verify
To verify the new user, log in to the CLI with the new credentials and run some basic BroadWorks commands:
bwadmin1@as1.mleus.lab$ bwshowver
AS version Rel_24.0_1.944
Built Sat Jun 6 00:26:50 EDT 2020
- BASE revision 909962
- AS revision 909962
Patching Info:
Active Patches: 701
bwadmin1@as1.mleus.lab$ bwcli
======================================================================
BroadWorks Command Line Interface
Type HELP for more information
======================================================================
AS_CLI>
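The checks below are an added example, not part of the original document or of the BroadWorks tooling. `check_account` takes the output of `getent passwd bwadmin1` collected from each node and reports where the account is missing or differs (the Step 4 warning about creating the user on all servers), and `audit_ssh_client` reads `ssh -G <peer>` output to report the StrictHostKeyChecking and ServerAliveInterval values that config-ssh printed in Step 8. The function names, the `node|entry` input format and the sample UIDs and home paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks to run after Steps 4-8. Sample data below is constructed.

# check_account USER
# stdin: one line per node, "node|<output of: getent passwd USER>" (nothing after
# the bar when the node has no such account). Reports nodes where the account is
# missing or where UID:GID:home:shell differ from the first node listed.
check_account() {
  awk -F'|' -v user="$1" '
    $2 == "" { printf "MISSING %s on %s\n", user, $1; bad = 1; next }
    {
      split($2, f, ":")
      key = f[3] ":" f[4] ":" f[6] ":" f[7]
      if (f[1] != user) { printf "WRONG-ENTRY %s on %s\n", f[1], $1; bad = 1 }
      else if (ref == "") { ref = key; refnode = $1 }
      else if (key != ref) {
        printf "MISMATCH %s: %s=%s %s=%s\n", user, refnode, ref, $1, key
        bad = 1
      }
    }
    END { exit bad + 0 }'
}

# audit_ssh_client
# stdin: output of `ssh -G <peer>` run as the new user. With host key checking
# off, the client does not verify the peer host key before connecting. OpenSSH
# may show a disabled check as no, off or false, so all three are treated alike.
audit_ssh_client() {
  awk '
    $1 == "stricthostkeychecking" {
      seen = 1
      if ($2 == "no" || $2 == "off" || $2 == "false") {
        print "HOSTKEY-CHECK-DISABLED stricthostkeychecking=" $2; bad = 1
      } else print "HOSTKEY-CHECK stricthostkeychecking=" $2
    }
    $1 == "serveraliveinterval" { print "KEEPALIVE serveraliveinterval=" $2 }
    END { if (!seen) { print "NO-DATA stricthostkeychecking"; bad = 1 }
          exit bad + 0 }'
}

# Constructed demo input (UIDs and paths are made up for illustration).
printf '%s\n' 'as1|bwadmin1:x:1001:1001::/export/home/bwadmin1:/bin/bash' 'as2|' |
  check_account bwadmin1 || echo "account check: findings above"
printf '%s\n' 'user bwadmin1' 'stricthostkeychecking false' 'serveraliveinterval 250' |
  audit_ssh_client || echo "ssh client audit: findings above"
```

Both functions return a non-zero status when they print a finding, so they can gate a provisioning checklist or a scheduled review job.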
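System Administrator
Configure
Step 1. Navigate to the https://<AS_FQDN>/Login page and log in to the AS web interface.
Step 2. Navigate to System > Profile > Administrators.
Step 3. Click the Add button.
Step 4. Fill in all the fields:
There are two administrator types to choose from:
Step 5. Click OK to save the changes.
Verify
Navigate to System > Profile > Administrators and search for the newly created account:
Log out and log back in with the new credentials (you are prompted to change the password):
Browse the menus to confirm that all required options are available.
You can also verify the new credentials through the CLI. Open the BroadWorks CLI (BWCLI) and run the login command with the new set of credentials: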
AS_CLI> login webadmin
Password:
webadmin logging in...
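Reseller/Enterprise/Service Provider/Group Administrator
Configure
Step 1. Navigate to the https://<AS_FQDN>/Login page and log in to the AS web interface.
Step 2. Navigate to System > Profile and then to Reseller, Enterprises, Service Providers or Group, depending on the entity you want to create an administrator for. A service provider is used in this configuration example, but the configuration is identical for the other entities.
Step 3. Select the service provider to which you want to add the new administrator.
Step 4. Navigate to Profile > Administrators and click the Add button.
Step 5. Fill in all the fields:
There are three administrator types to choose from for a service provider/enterprise (for reseller and group there is no type selection):
- Service Provider creates a normal administrator, who can access the web interface as determined by the policies set on the Administrator Policies page.
- Customer creates a customer administrator. Customer administrators only have access to the Groups, Users, Service Instances and Change Password pages for their service provider. Customer administrators have access to the group pages for all groups, with the exception of read-only access to the Intercept Group page and no access to the Call Capacity page. You can further restrict customer administrator access through policies set on the Administrator Policies page.
- Password Reset Only allows the administrator to modify user passwords only. The administrator has no access to any other pages, data or commands in the web interface.
Step 6. Click OK to save the changes.
Verify
Navigate to System > Profile > Service Providers or Enterprises and select the entity for which you created the administrator account. Then navigate to Profile > Administrators and search for the newly created administrator:
Log out and log back in with the new credentials (you are prompted to change the password):
Browse the menus to confirm that only the settings related to the specific service provider/enterprise are shown.
Add Administrator Accounts with CLI Commands
All web access accounts can also be created through BWCLI commands. This document does not cover this in detail, but the relevant commands are listed here for reference:
- System administrator: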
AS_CLI/SubscriberMgmt/Administrator> h add
When adding a new administrator to the system, you set the administrator user
ID, access level, first and last names, and password.
Parameters description:
userId : The user ID for the administrator.
type : when set to "system", allows for complete access to the Application
Server CLI and its functions.
When set to "prov", allows only limited access to the Application
Server CLI, specifically functions in the network level only.
readOnly : Cannot configure the system.
attribute: Additional attributes to include through the add command.
lastName : The user's last name.
firstName: The user's first name.
language : Indicates the language to be used for the administrator.
======================================================================
add
, String {2 to 80 characters}
, Choice = {system, prov}
, Choice = {false, true} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Reseller administrator:
AS_CLI/SubscriberMgmt/Reseller/Administrator> h add
This command is used to add a new reseller administrator. When this command is
used, you are prompted for password information.
Parameters description:
resellerId: The ID of the reseller.
userId : The user ID for the reseller administrator.
attribute : Additional attributes to include with the name command.
lastName : This parameter specifies the reseller administrator's last name.
firstName : This parameter specifies the reseller administrator's first name.
language : This parameter specifies the reseller administrator's supported
language.
======================================================================
add
, String {1 to 36 characters}
, String {2 to 80 characters} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Enterprise/Service Provider administrator:
AS_CLI/SubscriberMgmt/ServiceProvider/Administrator> h add
When adding a new service provider administrator to the system, the
corresponding service provider administrator's user ID, first name, and last
names are set. You are prompted for password information.
Parameters description:
svcProviderId: The service provider.
userId : The user ID for the service provider administrator.
adminType : When set to "normal", the service provider administrator has all
standard access rights and privileges.
When set to "customer", the customer administrator only has
access to the Group, User, and Change Password web portal pages.
Also, the customer administrator has no access to Call Capacity
and has read-only access to Intercept Group pages.
When set to "passwordResetOnly", this value allows the service
provider administrator to reset the user's web and portal
password only.
attribute : Additional attributes to include through the add command.
lastName : The service provider administrator's last name.
firstName : The service provider administrator's first name.
language : The service provider's supported language.
======================================================================
add
, String {1 to 30 characters}
, String {2 to 80 characters}
, Choice = {normal, customer, passwordResetOnly} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}
- Group administrator:
AS_CLI/SubscriberMgmt/Group/Administrator> h add
When adding a new group administrator to the system, the corresponding group
name and service provider, and the group administrator's user ID, first name,
and last name are set.
Parameters description:
svcProviderId: The ID of the service provider to whom the group and group
administrator belong.
groupId : The ID of the group to which the administrator belongs.
userId : The user ID for the group administrator.
attribute : Additional attributes to include through the add command.
lastName : The group administrator's last name.
firstName : The group administrator's first name.
language : The supported language for the group administrator.
======================================================================
add
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {2 to 161 characters} [
, Multiple Choice = {lastName, firstName, language}]
, String {1 to 30 characters}
, String {1 to 30 characters}
, String {1 to 40 characters}