SINGLE CONNECT

# 2 Single Connect Portal GUI

## 2.3 Managing Devices
Devices can be added to Single Connect manually, via an inventory system, or by importing from an XLSX file. The domain determines which method of integration is used.

### Element Type

In order to create, delete, or edit elements, log in to the Single Connect web GUI and navigate to Device Management > Element Type. Elements can be personalized by adding or editing properties on the "Element Type" screen. To set the properties of an element type, follow the steps below:

1. Navigate to Device Management > Element Type.
2. Click the option button of the element type.
3. Select the "Show Properties" option.
4. Set the preferred properties.

The property keys are listed below with their description and sample value.

- **aaa auth username case sensitive**: If the device type is expected to recognize a case-sensitive username, the property must be set to true. Sample value: `false`
- **cli login password prompt pattern**: Telnet connections behave differently during the authentication process depending on the device; for example, only a password or only a username may be asked for authentication. If only the password is required for authentication, set this parameter. Sample value: `(?i) password[ |>]`
- **cli login username and password prompt pattern**: Telnet connections behave differently during the authentication process depending on the device; for example, only a password or only a username may be asked for authentication. If both the username and password are required for authentication, set this parameter. Sample value: `(?i) username password`
- **cli login username prompt pattern**: Telnet connections behave differently during the authentication process depending on the device; for example, only a password or only a username may be asked for authentication. If only the username is required for authentication, set this parameter. Sample value: `(?i) (username|user|login)[ |>]`
- **discovery commands hostname**: Command to get the hostname during device discovery.
- **discovery commands hostname pattern**: Regex pattern to extract the hostname from the output of the hostname command during device discovery.
- **discovery commands version command**: Command to get the version during discovery.
- **discovery model match regex**: Match word or regex for the output of the version command during device discovery.
- **enforcer terminal behaviour context**: Keeps the actual context on the device and the context in the XML policies synchronized. Alcatel and Cisco can locate deeper contexts when a user enters them sequentially in one command line, whereas Huawei cannot. When a command does not exist in the current context, Huawei and Alcatel look for it in the root context, whereas Cisco does not. Sample value: `alcatel`
- **enforcer terminal behaviour ctrl c**: Keeps the actual context on the device and the context in the XML policies synchronized. Devices behave differently when the user presses Ctrl+C (sample value: `abort`):
  - `do nothing`: does not change the context.
  - `abort`: ignores what the user wrote and does not change the context.
  - `abort and go to root`: changes the context to root.
  - `abort and go to root when no command`: changes the context to root only when the user did not write anything.
- **enforcer terminal behaviour ctrl z**: Keeps the actual context on the device and the context in the XML policies synchronized. Devices behave differently when the user presses Ctrl+Z (sample value: `abort and go to root`):
  - `do nothing`: does not change the context.
  - `abort and go to root`: does not execute the command if the user wrote something, then changes the context to root.
  - `execute and go to root`: executes the command if the user wrote something, then changes the context to root.
- **enforcer terminal behaviour error message pattern**: Used to determine, in the command log entries, whether a command executed successfully or not. The expected failure message returned by the command needs to be defined in this property. Sample value: `(command not found)|(error )`
- **enforcer terminal behaviour exc last line patterns**: Skips command detection, policy enforcement and command logging when the last line matches one of these patterns. Sample values: `(?i)password[ |>]`, `^\s +\s`, `(?i)more\s +`
- **enforcer terminal behaviour has prompt**: If the device type has no prompt such as `#` or `$`, set the value to "false". Sample value: `true`
- **enforcer terminal behaviour prompt pattern**: When the user presses Enter, the system tries to find this pattern in the last line. If it is found, the system treats the rest of the characters as a command. Sample value: `?(>|#|\]|\$)`
- **enforcer terminal behaviour second attempt for prompt**: The action taken when the user presses Enter but the command could not be detected because no prompt was found in the last line. Sometimes, while the user is typing a command, the device may suddenly send messages to the user; the characters of the command may then be mixed with the characters of the message, so the actual command cannot be detected when the user presses Enter. Options (sample value: `try and clean line`):
  - `dont try and clean line`: sends a specific byte series to the device in order to clean the line (guaranteed to cancel the possible command).
  - `dont try and send enter`: sends Enter to the device (may cause the possible command to be executed without policy enforcement and logging).
  - `try and clean line`: sends Tab to the device and waits for a short while; if still no prompt is found in the last line, sends a specific byte series to the device in order to clean the line (guaranteed to cancel the possible command).
  - `try and send enter`: sends Tab to the device and waits for a short while; if still no prompt is found in the last line, sends Enter to the device (may cause the possible command to be executed without policy enforcement and logging).
- **nsso cli delay before enter**: Adjusts the delay time to allow for the possibility of the echo not arriving from the device before the Enter command. Sample value: `100`
- **nsso cli delay between enters**: Sometimes bulk commands that are copied and pasted are not executed completely, or some commands are missed. The reason is that some commands have a response time, and that response time can be longer than expected. By default, Single Connect waits 500 milliseconds after each time the Enter command is echoed from the device. The value can be changed if it is not considered sufficient. Sample value: `500`
- **shell terminal config fixed pty columns**: Some devices send Enter bytes when the command being typed is longer than the window width, which causes problems with command detection. To avoid this, set this property to 0 (or 1, according to the device) in order to force the device to assume an unlimited window width. It can also be used to work with an always-fixed window width, such as 80 columns, even if the user changes the window width of the client application. Sample value: `80`
- **shell terminal config fixed pty lines**: Forces the device to assume an unlimited window height when set to 0 (or 1, according to the device). It can also be used to work with an always-fixed height, such as 24 lines, even if the user changes the window height of the client application. Sample value: `24`
- **shell terminal config local echo**: Must be set to true if the keys typed are not echoed by the device side. Sample value: `false`
- **shell terminal config ssh echo process**: When a performance increase is desired, the value can be set to "with queue". Sample value: `without queue`
- **shell terminal config ssh enable bouncycastle**: Some devices do not support up-to-date encryption techniques. For those devices, setting the value to "false" prevents performance loss.
- **shell terminal config telnet auth failure pattern**: When the values defined in this property are caught after entering the username/password in telnet connections, authentication is considered unsuccessful. Sample value: `(?i) (error|username[ |>]|user[ |>]|login[ |>]|password[ |>])`
- **shell terminal config telnet logon template**: In telnet connections, some devices ask for the username and password at the same time when logging on. For devices with such behavior, this property must be defined. Sample value: `lgi\ op="${username}",pwd="${password}";`

### Manually Adding a Device

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Click the "New Device Discovery" button.
4. Fill out the relevant device's information and save by clicking "Discover and Add".

### Deleting Devices

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Expand the device groups that include the devices to be deleted.
4. Click to select the device.
5. Press the Ctrl or Shift key and click additional devices.
6. Right-click one of the selected devices.
7. Click "Delete Device".
8. Confirm the dialog box.

Note: The "AIOC Device Available Interface Names" parameter must be defined in the System Config Manager in order to select the interface name.

### Maintenance Mode Settings for Devices

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Right-click on the device to switch maintenance mode on.
4. Select the "Schedule Maintenance Time" option.
5. Set the maintenance time and the user authorized during that maintenance time.

Note: Maintenance policy groups only apply to devices at maintenance time. The operations policy group does not apply at maintenance time. See also: Policy Management > Policy Group.

### Defining Device Groups

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Fill out the "Device Group Name" field.
4. Fill out the relevant device group information and save.

### Adding Device Group Properties

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Right-click the device group containing the device of interest and select "Show Properties".
4. On the "Device Group Properties Information" screen, select the required property keys, enter the related values and save.

The property keys and their definitions:

- **globalusername**: The username to use when connecting to all devices covered by the device group. This username must be pre-defined as a user on all devices in the device group.
- **globalpassword**: The password of the globalusername; the password to use when connecting to all devices covered by the device group.
- **globalsshkey**: This property only applies to SSH proxies in Session Manager modules. If connecting to the device with an SSH key is preferred, "globalsshkey" should be defined for the device group.
- **globalsshkeypassphrase**: This property only applies to SSH proxies in Session Manager modules. If the device to be connected to has an SSH passphrase, "globalsshkeypassphrase" should be defined for the device group.
- **globalsecretkey**: This property only applies to the TACACS+ Access Manager module. The secret key to use when authenticating all devices covered by the device group to TACACS+ servers. It is a mandatory property when using the TACACS+ Access Manager.
- **globalenablepassword**: This property only applies to the TACACS+ Access Manager module. Bot/script users need to use a common password for switching to "enable mode" in scripts. The "globalenablepassword" property allows a common password to be set for a device group, to be used when the enable password is prompted for.
- **useasrolegroup**: Some devices can be defined in multiple device groups. In this situation, device authorization can be defined on one device group. The "useasrolegroup" device group property value must be set to "true" for the device group in which authorizations are managed with policy enforcement such as black key/white key.
- **showindevicetree**: When its value is set to "false", the device group cannot be seen in the Device Inventory screen. This property is used together with the "useasrolegroup" property. After devices are authorized with the main device group, this property can be set for the device group; then users cannot see this device group in their device inventory. Users that have the same authorization level as the device group, defined by the group role, can still only see the other device groups.
- **sapmmaillist**: When the following situations occur in SAPM, "sapmmaillist" is notified:
  - when a user retrieves a password for an SAPM account that is in the device group;
  - if an error occurs during resetting the password of an SAPM account that is in the device group;
  - if the password cannot be verified while checking the password of an SAPM account that is in the device group;
  - if a new user is detected on a device that has an SAPM account that is in the device group.
- **addsessionusertouserselection**: This property only applies to SSH/Telnet proxies and RDP/VNC proxies in Session Manager modules. When the "addsessionusertouserselection" property is set to "true" on a device group, users can connect to target devices in the device group with their own username that is used to log in to Single Connect.
- **addmanuallogintouserselection**: This property only applies to SSH/Telnet proxies in Session Manager modules. The default value is "false". When the value is set to "true", the user can enter the device username and password manually.
- **adddevicesshkeytouserselection**: This property only applies to devices that are imported from AWS (Amazon Web Services). If the value is set to "true", connecting to devices with an SSH key is offered as a connection option. This property can be used when the following conditions are met:
  1. The "sshkeyname" and "sshusername" property keys should be defined in the device properties of the preferred devices.
  2. The SSH private key corresponding to the "sshkeyname" in the device property should be defined in the Secret Data Vault.
- **approvalrequiredforconnection**: This property only applies to SSH proxies and RDP proxies in Session Manager modules. When its value is set to "true", managerial approval via e-mail is requested for users to connect to devices in the device group.

### Defining Device Group Realms

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Open the Device Group Realms tab.
4. Pick a device group name from the "Device Group" list on the right, pick a user group name from the "User Group" list on the left, and save.

A new "device realm" has now been created by matching a device group with a user group.

### Auto Device Discovery

Auto device discovery can be used to scan a network subnet or the existing devices in device groups. Some parameters should be added to the related element types to discover devices:

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Element Type.
3. Select an element type to set the required parameters and click the "Options" button, then the "Show Properties" button.
4. Set the following parameters:
   - **discovery commands hostname**: command to get the hostname
   - **discovery commands hostname pattern**: regex to extract the hostname from the output of the hostname command
   - **discovery commands version command**: command to get the version
   - **discovery model match regex**: match word or regex for the output of the version command

A global username/password and/or subnet addresses should be set on the device groups.

Global username/password (to discover a subnet or existing devices):

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Right-click on the device group to be discovered and select "Show Properties".
4. On the "Device Group Properties Information" screen, select "globalusername" and "globalpassword" as the "Property Key", enter the related information, then save each property.

Adding a subnet (to discover a subnet):

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Groups.
3. Right-click on the device group to be discovered and select "Add/Edit Subnet".
4. Set the subnet information and save.

Auto discovery steps:

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Open the Auto Device Discovery tab.
4. Fill out the relevant device discovery information and click Discover.
5. To schedule discovery, fill out the relevant device discovery information and click "Save Scheduler".

The discovery fields:

- **Access Protocol**: Protocol used to discover devices. If the SNMP protocol is selected, the protocol to switch to after discovery should also be selected.
- **Possible Element Types**: Possible element types in the search range. Devices will be matched against these element types.
- **Discover Type**: If "Subnet" is selected, the subnet of the device groups is scanned. If "Existing Devices" is selected, the existing devices in the selected device groups are scanned for changes.
- **Cron Expression**: If the user wants to scan periodically, a cron expression should be entered.

### Active Directory Device Discovery

LDAP or Active Directory devices can be integrated with Single Connect. Some properties must be added from the System Config Manager for the discovery configuration:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Manager.
3. Enter the related configuration parameters.

| Parameter Name | Parameter Value |
|---|---|
| sc device integration ldap url | Mandatory. `ldap://...`, e.g. `ldap://10.20.30.40:389` |
| sc device integration ldap eid 0 | Mandatory |
| sc device integration ldap password 0 | Mandatory |
| sc device integration ldap source name 0 | Mandatory |
| sc device integration ldap root device group 0 | Mandatory |
| sc device integration ldap basedn 0 | Mandatory. `dc= ,dc=`, e.g. `dc=kron,dc=test` |
| sc device integration ldap device group search phrase 0 | Mandatory. e.g. `(cn=cert publishers)` |
| sc device integration ldap device search phrase 0 | Mandatory. e.g. `(objectclass=computer)` |
| sc device integration ldap device ip attribute 0 | Mandatory. `dnshostname` |
| sc device integration ldap device hostname attribute 0 | |
| sc device integration ldap device element type id attribute 0 | |
| sc device integration ldap device access protocol attribute 0 | |
| sc device integration ldap device port attribute 0 | |
| sc device integration ldap device default access protocol 0 | Mandatory. e.g. `rdp` |
| sc device integration ldap device default element type id 0 | Mandatory. e.g. `windows 7` |
| sc device integration ldap device default port 0 | |

Adding devices automatically: a job running periodically on Single Connect synchronizes user groups and devices from Active Directory. This job checks the changes made to Active Directory since it was last run, and updates Single Connect accordingly.

Manually triggering the LDAP sync job:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > Jobs Scheduler.
3. Click "Trigger List".
4. Click the "Trigger as Simple Trigger" link on the "ldapdatacollector" line.

### Bulk Import

Devices can be added to Single Connect in bulk. For this method, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > Bulk Import.
3. Click on the "Download Template" link to create a bulk device list.
4. Fill the downloaded Microsoft Excel file template with the device list and save it on your computer.
5. Select the device list file and click "Upload File". After these steps, the device list is added to the Parse Result section of the Bulk Import screen.
6. Click "Import Devices". The devices are added to the related device group in the Device Inventory.

Rules for filling the bulk import file:

1. IP Address, Hostname, Access Protocol, Element Type ID and Group Name(s) are mandatory fields.
2. One device must be defined per row. If it needs to be defined in multiple device groups, the groups should be separated by a semicolon (;), e.g. `devicegroup1; devicegroup2; devicegroup`.
3. Device group names cannot contain the forward slash character (/).
4. Device group names should be unique.
5. A device group cannot contain both device groups and devices. Only the child group at the bottom of the device group tree can have devices.
6. Parent and child device groups can be added by separating the parent device group from the child group with a forward slash (/) in the "Group Name(s)" field of the file. For example, when adding a device to "childdevicegroup3", the group name field can be filled in any of the following ways:
   - `/parentdevicegroup/childdevicegroup1/childdevicegroup2/childdevicegroup3`
   - `parentdevicegroup/childdevicegroup1/childdevicegroup2/childdevicegroup3`
   - `childdevicegroup1/childdevicegroup2/childdevicegroup3`
   - `childdevicegroup3`
7. If there is a forward slash (/) at the start of the device group path, the first group should be the parent device group. For example, when adding a new device to the current device group "parentdevicegroup/childdevicegroup1/childdevicegroup2/childdevicegroup3", if "/childdevicegroup2/childdevicegroup3" is written in the "Group Name(s)" field, the import operation will fail because "/childdevicegroup2" is not a parent group.
8. The device group path written in the "Group Name(s)" field can contain up to 10 device groups with parent and child relationships, e.g. `dg1/dg2/dg3/dg4/dg5/dg6/dg7/dg8/dg9/dg10`.
9. If the device group path written in the "Group Name(s)" field does not exist in Single Connect, the device group path is created and then the devices are imported into that path.
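As an added example (not from the Single Connect documentation or product), the following Python function checks a "Group Name(s)" cell against bulk import rules 2, 5, 6, 7, 8 and 9 above before an import is attempted, so a malformed sheet can be rejected up front. The inventory of existing groups and the function names are constructed for this example.

```python
MAX_PATH_DEPTH = 10  # rule 8: at most 10 parent/child groups in one path

# Constructed sample inventory (not from the page): full paths of the
# bottom-level device groups that already exist, parent/child joined by "/".
EXISTING_LEAF_GROUPS = {
    "parentdevicegroup/childdevicegroup1/childdevicegroup2/childdevicegroup3",
    "datacenter/rack1",
    "datacenter/rack2",
}


def all_group_paths(leaf_paths):
    """Expand leaf paths into the set of every existing group path."""
    paths = set()
    for leaf in leaf_paths:
        parts = leaf.split("/")
        for i in range(1, len(parts) + 1):
            paths.add("/".join(parts[:i]))
    return paths


def resolve_group_field(field, leaf_paths=EXISTING_LEAF_GROUPS):
    """Resolve one "Group Name(s)" cell into full device group paths.

    Returns a list of (entry, status, detail): status "existing" or "create"
    carries the full path in detail, status "error" carries the reason.
    """
    known = all_group_paths(leaf_paths)
    root_names = {p.split("/")[0] for p in known}
    all_names = {p.split("/")[-1] for p in known}
    results = []
    for entry in (e.strip() for e in field.split(";")):  # rule 2: ";" separates groups
        if not entry:
            continue  # tolerate a trailing ";"
        absolute = entry.startswith("/")
        segments = entry.strip("/").split("/")
        if any(not s for s in segments):
            results.append((entry, "error", "empty group name in path"))
        elif len(segments) > MAX_PATH_DEPTH:
            results.append((entry, "error", "more than %d groups in path" % MAX_PATH_DEPTH))
        elif absolute and segments[0] in all_names and segments[0] not in root_names:
            # rule 7: after a leading "/" the first name must be a parent (root) group
            results.append((entry, "error", "%s is not a parent group" % segments[0]))
        else:
            # rule 6: a relative path may be any tail of the full path, so match by
            # suffix; rule 9: a path that does not exist yet is created on import
            full = next((p for p in known if p.split("/")[-len(segments):] == segments),
                        "/".join(segments))
            if any(p.startswith(full + "/") for p in known):
                # rule 5: only the bottom group of the tree can hold devices
                results.append((entry, "error", "%s has child groups" % full))
            else:
                results.append((entry, "existing" if full in known else "create", full))
    return results
```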
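The prompt pattern, exclusion (exc last line) patterns and error message pattern of the Element Type section above act together at the moment the user presses Enter. The following Python block is an added illustration of that sequence, not Single Connect's own code: its patterns are modelled on the page's sample values, and the prompt pattern is an assumption (the page shows it as `?(>|#|\]|\$)`; a non-greedy `.*?` prefix and a whitespace lookahead are added here so it runs).

```python
import re

# Values modelled on this page's sample values for the "enforcer terminal
# behaviour" properties. PROMPT_PATTERN is an assumption: the prompt is taken
# to be everything up to the first prompt character (> # ] $) that is
# followed by whitespace or the end of the line.
PROMPT_PATTERN = re.compile(r".*?(>|#|\]|\$)(?=\s|$)")
EXC_LAST_LINE_PATTERNS = [re.compile(p) for p in (r"(?i)password[ |>]", r"(?i)more\s+")]
ERROR_MESSAGE_PATTERN = re.compile(r"(command not found)|(error )")


def detect_command(last_line):
    """Apply the page's rules to the last line when the user presses Enter.

    Returns (action, command): "skip" when an exclusion pattern matches (no
    detection, enforcement or logging), "command" with the text after the
    prompt, or "no_prompt" when the "second attempt for prompt" action would run.
    """
    for pattern in EXC_LAST_LINE_PATTERNS:
        if pattern.search(last_line):
            return ("skip", None)
    match = PROMPT_PATTERN.match(last_line)
    if match is None:
        return ("no_prompt", None)
    return ("command", last_line[match.end():].strip())


def command_succeeded(output):
    """The error message pattern decides success or failure in the command log."""
    return ERROR_MESSAGE_PATTERN.search(output) is None


def build_log_entry(last_line, output):
    """Combine prompt detection and the error pattern into one command log entry."""
    action, command = detect_command(last_line)
    if action != "command":
        return {"logged": False, "reason": action}
    return {"logged": True, "command": command,
            "succeeded": command_succeeded(output)}
```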