
Table of Contents

CiscoSecure ACS Database Utilities
Database Import Utility
Database Backup and Restore Utility
Database Maintenance

CiscoSecure ACS Database Utilities


The CiscoSecure ACS provides a utility, CSUtil, that simplifies database management. You can use this utility to import username, password, and group information all at once from a standard text file, to back up your database, and to maintain your database. This appendix contains details on this utility.

Database Import Utility

This section describes how to import a text file into the CiscoSecure User Database. Importing lets you add new users to the database and modify existing users' authentication information. With CSUtil.exe you can add or modify information for many users. If the default location was used during installation, the import utility, CSUtil, is located in the following directory:

C:\Program Files\CiscoSecure ACS v2.0\Utils

Note You can also use the database replication feature to replicate user information from one CiscoSecure ACS to another CiscoSecure ACS. See the section "Database Replication" later in this appendix for more information.


Creating the Text File

You have two options for running the CSUtil program:

Each entry must have the following information on a single line using colons to delimit the fields:


Note If the username does not exist, an error message is returned. Use the ADD keyword in this case.



Note If you do not provide a profile number, the user is added to the default group 0.


Here are examples of the syntax for the import text file:

ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3

Note These entries are case-sensitive. The colons are mandatory delimiters.


Example import text file:

OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:user02:NT::PROFILE:2
ADD:chapuser:CSDB:hello:CHAP:chappw:PROFILE:3
ADD:mary:EXT_NT:CHAP:achappassword
ADD:joe:EXT_SDI:
ADD:vanessa:CSDB:vanessaspassword
ADD:juan:CSDB_UNIX:unixpassword
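
A pre-import check for the file format shown above, as an added Python example (not part of the Cisco documentation or of CSUtil). It recognizes only the keywords that appear in this page's examples and assumes PROFILE:<n> is the last pair on a line; `audit_import` and `keyword_state` are hypothetical names.

```python
# Keyword spellings come only from this page's examples (entries are case-sensitive).
ACTIONS = {"ADD"}
AUTH_TYPES = {"CSDB", "CSDB_UNIX", "NT", "EXT_NT", "EXT_SDI"}

def keyword_state(field, allowed):
    """Classify a keyword field as ok, wrong case, or unknown to this check."""
    if field in allowed:
        return "ok"
    return "wrong case" if field.upper() in allowed else "not in the page's examples"

def audit_import(text):
    """Return (groups, findings): username -> group number, and (line_no, message) pairs."""
    groups, findings, secrets = {}, [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.strip().split(":")
        if f in ([""], ["OFFLINE"]):
            continue
        if len(f) < 3 or not f[1]:
            findings.append((no, "too few colon-delimited fields"))
            continue
        checks = (("action", f[0], ACTIONS), ("auth type", f[2], AUTH_TYPES))
        bad = [(no, f"{name} '{val}': {keyword_state(val, ok)}")
               for name, val, ok in checks if keyword_state(val, ok) != "ok"]
        if bad:
            findings += bad
            continue
        # Assumption drawn from the examples: PROFILE:<n> is always the last pair.
        has_profile = len(f) >= 5 and f[-2].upper() == "PROFILE"
        if has_profile and (f[-2] != "PROFILE" or not f[-1].isdecimal()):
            findings.append((no, "malformed PROFILE pair"))
            continue
        if not has_profile:
            findings.append((no, f"user '{f[1]}' has no PROFILE, lands in default group 0"))
        groups[f[1]] = int(f[-1]) if has_profile else 0
        # Cleartext secrets: a password after CSDB/CSDB_UNIX, or a value after CHAP.
        if (f[2] in ("CSDB", "CSDB_UNIX") and len(f) > 3 and f[3]) or "CHAP" in f[3:-1]:
            secrets += 1
    if secrets:
        findings.append((0, f"{secrets} entries carry cleartext passwords"))
    return groups, findings

# Constructed sample: lines from the page's example plus two deliberately broken ones.
SAMPLE = """OFFLINE
ADD:user01:CSDB:userpassword:PROFILE:1
ADD:mary:EXT_NT:CHAP:achappassword
add:eve:CSDB:evepw:PROFILE:1
ADD:bob:CSDB:bobpw:profile:4"""

print(*audit_import(SAMPLE)[1], sep="\n")
```

Findings with line number 0 apply to the whole file; a file that carries cleartext passwords should be readable only by the administrator running the import and removed once the import is done.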

Importing User Information from a Text File

The following is the list of command arguments used with CSUtil:

CSUtil [-q] [-c] [-d] [-g] [-i file] [-l file] [-m error] [-n] [-x]

CSUtil processes parameters left to right, guaranteeing the order in which they are executed.

Enter the following command after you complete creation of the import text file.

csutil -i filename.txt


Note The database is modified, not destroyed. You should see information scrolling down the screen indicating that the information is being modified or merged with the existing database.


csutil -n -i filename.txt


Note The existing database is reinitialized and the text file is imported.


csutil -g -n -l groups.txt -i import.txt


Caution All user information is destroyed. Group information still exists in the groups.txt file and can be used with the import.txt file to add new users with existing group information. There is no warning when information is overwritten.

Database Backup and Restore Utility

To facilitate backup and restoration of the CiscoSecure ACS's configuration data and database, the CSUtil.exe utility is provided in the CiscoSecure ACS's Utils directory.

CSUtils Backup

To perform a backup of the CiscoSecure ACS user and group data, execute the following instructions from the Windows NT command prompt (DOS window):

Net stop csauth—Stop the CSAuth authentication service to allow backup to take place.

Csutil -d users_and_groups.txt—Back up the users and groups data to a text file called users_and_groups.txt. To back up only the group data, use the command with a -g instead of a -d command switch.

Net start csauth—Restart the CSAuth authentication service.

The users_and_groups.txt file can then be backed up to tape and stored somewhere safe.

To use csutil -b to create a backup file, enter:

csutil -b directoryname

This creates the following files in Utils\SysBackups\directory_name\:

We strongly recommend that you use the CSUTIL.exe utility to construct an automated procedure to perform regular system backups as part of a comprehensive disaster recovery regime.
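
One way to automate the stop, dump and restart sequence described above, as an added Python example (not Cisco's code). It assumes `net` and `csutil` are on the PATH and that exit status 0 means success; `run_cmd` and `backup_users_and_groups` are hypothetical names.

```python
import os
import subprocess


def run_cmd(argv):
    """Run one command; True on exit status 0 (assumed here to mean success)."""
    return subprocess.run(argv).returncode == 0


def backup_users_and_groups(dump_file, run=run_cmd):
    """Stop CSAuth, dump with csutil -d, and restart CSAuth even if the dump fails.

    Returns (dump_ok, service_restarted). Authentication is unavailable between
    the stop and the start, so the restart sits in `finally`.
    """
    if not run(["net", "stop", "csauth"]):
        return False, None  # service state unclear: leave the database alone
    dump_ok = False
    try:
        dump_ok = run(["csutil", "-d", dump_file])
    finally:
        restarted = run(["net", "start", "csauth"])
    # A zero exit status is not proof of a backup: require a non-empty dump file.
    dump_ok = dump_ok and os.path.isfile(dump_file) and os.path.getsize(dump_file) > 0
    return dump_ok, restarted


if __name__ == "__main__":
    ok, restarted = backup_users_and_groups("users_and_groups.txt")
    if not restarted:
        print("CSAuth did not restart: authentication is down")
    print("backup written" if ok else "backup FAILED, keep the previous copy")
```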

CSUtils Restore

To restore from the backup file, execute the following instructions:

Net stop csauth
CSUtil -l users_and_groups.txt
Net start csauth

We strongly recommend that the above procedure is carried out as a part of a general backup regime that includes backups of the Windows NT system Registry using the tools supplied with Windows NT for this purpose. Rapid recovery can then be achieved if a serious system failure occurs.

Database Maintenance

Unexpected database file size growth can cause problems with the database. To avoid these problems, the CiscoSecure ACS allows you to institute a database maintenance schedule that performs a database compaction on a periodic basis. To facilitate this maintenance, a Windows NT batch command file, DB_compact.cmd, is included in the Utils directory of the CiscoSecure ACS.

The VarsDB.MDB file used by the CiscoSecure ACS is based on Microsoft ODBC technology. In common with most RDBMS, ODBC uses a deletion scheme that does not actually remove records from the database when they are deleted—records are simply marked as deleted and do not show up in queries, and so forth. To actually purge the database of the deleted records, a separate process, called compaction, must be run. In small databases with low transaction rates, it is not particularly important to regularly compact the database, because the database will stay a relatively consistent size. In a large database environment with large numbers of deletions, the database file can grow significantly over time. If compaction is not carried out, this can have serious effects on the overall operation of the system.

In order to avoid unexpected and problematic database file size growth, it is prudent to institute a database maintenance regime that performs a database compaction on a periodic basis. In order to facilitate this, an NT batch command file, DB_compact.cmd, is included with the CiscoSecure ACS (in the Utils directory). This file executes the following commands:

Authentication service will be interrupted while these commands execute because the authentication service is stopped.


Note Before you run DB_compact.cmd, back up the CiscoSecure ACS database.


Although DB_compact.cmd should not have any negative effect on the CiscoSecure ACS operation, there is always the possibility with compaction operations that something could go wrong. It is, therefore, always a good idea to perform a database backup prior to executing a database compaction. Then, if something does go wrong during the DB_compact.cmd run, a current backup will be available and service can be restored quickly. See the section "Database Backup and Restore Utility" earlier in this appendix for information on how to back up the CiscoSecure ACS database.


Posted: Tue Jan 21 03:46:22 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.