|
|
This chapter describes how to install the Cisco Subscriber Edge Services Manager (SESM) software and bundled components, including SPE. It includes the following topics:
This section describes prerequisites to installing SESM. It includes the following topics:
This section describes platform requirements for installing the SESM components.
Windows NT Platform Requirements
You must have the following hardware and software to install the SESM software on Windows NT platforms:
Table 3-1 shows RAM and disk space requirements for a single instance of each component in SESM. These requirements are approximately the same on the Sun Solaris and the Windows NT platforms.
| Component Name | Disk Space (MB) | RAM |
|---|---|---|
Jetty server | 1.1 | The Jetty server provides the J2EE application environment in which the NWSP and CDAT applications execute. The application memory needs specified for NWSP and CDAT, below, include Jetty server usage. |
SESM and the NWSP application | 9.1 | RAM requirements increase relative to the number of instances running and the specific load. The following numbers are approximations:
|
RDP | 2.4 | 32 MB. The RDP memory requirements do not expand based on load. RDP never requires more than 32 MB of RAM. |
DESS | 1.9 | N/A |
CDAT | 4.9 | RAM requirements increase proportionally to the number of objects stored in the directory. For most directory sizes, the 64 MB requirements of the operating system (OS) and other system software should be sufficient for heavily populated directories. |
This section describes the SESM requirements regarding the Java Runtime Environment (JRE) and the Java Development Kit (JDK). The section includes the following topics:
On older Solaris platforms, you might need to apply Solaris operating system upgrades (patches). To determine if the machine requires patches, go to the Sun Microsystems Java site and start the process of dowloading the JRE Version 1.2.2. After you log in, you a list of download options appears, including the necessary patches for your operating system version. You should also download the README file, which contains instructions on how to apply the patches.
1. It searches for a JDK Version 1.2.2 that is already installed.
2. Failing that, it searches for a JRE Version 1.2.2 or later that is already installed.
3. Failing that, it installs and uses the bundled JRE Version 1.2.2.
To search for an existing JDK or JRE, the installation program looks in the following locations:
On Windows NT and Solaris, you can explicitly specify the location of a pre-installed JDK or JRE by starting the installation process on a command line and specifying the javahome parameter, as follows:
installImageName -is:javahome location
Where:
If you change the location of the JDK or JRE after installation, make the corresponding change in the following two startup files:
Table 3-2 shows the path names of the startup scripts that you need to change.
| Platform | Generic Startup Script | RDP Startup Script |
|---|---|---|
Solaris | jetty/bin/start.sh | rdp/bin/runrdp.sh |
Windows | jetty\bin\start.cmd | rdp\bin\runrdp.cmd |
http://java.sun.com/products/j2se
On systems that will be used to customize an SESM application, we recommend that you install the JDK before you install SESM. In that way, the SESM installation program uses the JDK in the application startup scripts, rather than a JRE. The JDK is necessary for recompiling the changed JSPs. See the "Recompiling a Customized JSP" section for more information.
If you install the JDK after installing SESM, then you must:
The SESM installation program does not attempt to communicate with SSGs or RADIUS servers. Therefore, SSGs and RADIUS servers do not need to be configured and running for you to install SESM components.
However, you should be prepared to provide correct communication information about those network components during the installation. Otherwise, you must manually edit the configuration files at a later time for the SESM application to work correctly.
The installation program updates configuration files with information that you provide about communicating with SSGs and RADIUS servers. Table 3-5 describes the configuration information that the installation program prompts you for.
If you are installing SESM in DESS mode, the installation program establishes communication with your LDAP directory, if possible.
For communication to occur, perform the following LDAP installation and configuration tasks before you run the SESM installation program:
Step 2 Enable the Allow Clear Text Passwords attribute if your LDAP directory is the NDS eDirectory. An SESM deployment in DESS mode does not work on NDS without the cleartext password attribute enabled.
You can enable the cleartext password attribute in NDS by using the freely downloadable ConsoleOne application from Novell.
The clear text password attribute is a property of the LDAP Group object of a server. The LDAP Group object stores the configuration data for a defined LDAP group within the directory tree. The Allow Clear Text Passwords attribute allows transmission of bind requests that include passwords over nonencrypted connections. By default, only passwords exchanged over SSL connections are encrypted.
See the NDS documentation for more information about the cleartext password option.
Step 3 Create a container in the LDAP hierarchy for SESM data. The container consists of an LDAP organization and organizational unit. For more information about how SESM data is organized in the LDAP object hierarchy, see the Cisco Distributed Administration Tool Guide.
If you intend to load the sample data that comes with CDAT, you might want to name the container to match the contents of the sample data file. Alternatively, you can edit the sample data file before you load it to match the names you use. The sample data uses the following names:
cisco
sesm
Step 4 Create the following administrator accounts. They can be the same accounts, but they do not have to be the same.
If the installation program does not perform these tasks, you must do them at a later time before running an SESM web application or CDAT.
You can install all SESM components together on the same machine (a typical installation), or you can install some components separately in a distributed manner (a custom installation). Table 3-3 describes components that must be installed together on the same machine.
| SESM Mode | Component Dependencies |
|---|---|
RADIUS mode |
|
DESS mode |
|
The installation images for SESM are available from the product CD-ROM or from the Cisco web site. It includes the following topics:
The SESM installation program installs evaluation and licensed versions of SESM:
The license number is important when you are requesting technical support for SESM from Cisco. After installation, you can see your license number and the software version in the licensenum.txt file under the installation directory.
If you purchased a contract that allows you to obtain the SESM software from the Cisco web site, follow these procedures:
Step 2 Click the Login button. Provide your Cisco user ID and password.
To access the Cisco images from the CCO Software Center, you must have a valid Cisco user ID and password. See your Cisco account representative if you need help.
Step 3 Under Service and Support, click Software Center.
Step 4 Click Web Software.
Step 5 Click Cisco Subscriber Edge Services Manager.
Step 6 Download the appropriate image based on the platform you intend to use for hosting the SESM web application.
Copy and uncompress the tar or zip file to a temporary directory. When you uncompress the file, the results are:
Table 3-4 shows the names of the compressed and executable files.
| Platform | Compressed File Name | Executable Installation File Name |
|---|---|---|
Solaris | sesm_sol.tar | sesm_sol.bin |
Windows NT | sesm_win.zip | sesm_win.exe |
This section describes how to install SESM. It includes the following topics:
The installation program writes to parts of the file system or Windows registry that are only accessible to a privileged user. The outcome of the installation is unpredictable if you are not privileged.
Log on as a privileged user as follows:
You can install SESM using the following installation modes:
-console argument on the command line when you execute the installation image. option fileName argument on the command line when you execute the installation image. The following sections provide more details about performing an installation in these modes.
solaris> sesm_sol.bin
C:\> sesm_win.exe
To run in console mode, use the -console option on the command line.
solaris> sesm_sol.bin -console
C:\> sesm_win.exe -console
Examples of the .iss and .properties files are included in the installation download. You must modify both files to match your requirements before you start the installation.
To prepare for silent mode:
 |
Note Before you begin, you might need to obtain write access to the files. |
Step 2 Edit the values for each parameter in the file. Table 3-5 describes each parameter. Save and close the file.
Step 3 To turn on the installation logging feature for a silent mode installation, open the .iss file in any text editor. Remove the first pound sign (#) from the following line:
Step 4 Save and close the file.
To run in silent mode, use the -options option on the command line, as follows:
imageName -options issFileName
Where:
For example:
solaris> sesm_sol.bin -options mysesm.iss
C:\> sesm_win.exe -options mysesm.iss
Table 3-5 describes the installation and configuration parameters that you enter during the installation process. You can use the Value column in the table to record your planned input values.
You can change the value of any configuration parameter later by editing configuration files, as described in Chapter 4. You cannot change the values of the general installation parameters identified in the first part of the table.
| Category | Input Summary | Explanation | Value | ||
|---|---|---|---|---|---|
General installation parameters | Choose the type of installation:
Note Obtain your SESM license number from the License Certificate shipped with the CD-ROM or otherwise provided to you by your Cisco account representative.
The licensenum.txt file in your root installation directory records your license number and the software version number you installed. This information is important when you access Cisco technical support for this product. |
| |||
License agreement | Read the displayed license agreement to ensure that you agree with the terms of the license. You must accept the agreement to proceed with installation. |
| |||
Note You must have write privileges to the installation directory. To specify the installation directory, you can do any of the following:
The default installation directories are:
|
| ||||
General installation parameters (continued) | Select one of the following:
The difference between a demo installation and a typical installation is the contents of the configuration files. In addition, a demo mode installation does not install the DESS component. |
| |||
Specify the port on which the NWSP application's web server will listen for HTTP requests from subscribers. The installation program updates the application startup script to use this value. The displayed default is port 8080. Tips Change this value to 80 if you plan to use captive portal mode. Tips Each web server running on the same machine must listen on its own unique port. If another web server or another instance of the NWSP application is listening on 8080, change this value. The application startup script uses the application port number to derive two other port numbers:
|
| ||||
Choose this option to configure the captive portal application. Note If you do not choose this option, the installation program installs the captive portal application but does not configure it. The captive portal application runs on the same web server with the NWSP application. It captures the original URL that was requested by the subscriber and forwards it to the SESM web application along with the redirect. The SESM web application can then honor the subscriber's originally requested URL after authentication occurs. |
| ||||
Note The following section applies only if you choose the captive portal option in the previous section. | |||||
Enter the host name or IP address for the host of the captive portal application. This installation program installs the captive portal application on the same machine with the NWSP application. |
| ||||
Enter 80, the port number on which the captive portal application's web server will listen. This installation program configures the captive portal application to run in the same J2EE container with the NWSP application. Therefore, the port number must match the port number used for the NWSP port. |
| ||||
Enter the URI of the SESM web application's home page (that is, the page you want the subscriber to see first). The URI is appended to the NWSP host and port entered previously to create the URL to which the captive portal application redirects the subscriber's browser. For example, the URI for the NWSP application is: /decorate/pages/home.jsp
The leading slash is required. Continuing the example, if the NWSP host name is myhost and the NWSP port is 80, the captive portal application would redirect an unauthenticated subscriber to the following URL: myhost:80/decorate/pages/home.jsp
The URI indicates the directory structure of the NWSP application's files within the J2EE container's directory. The URI is location-independent. You can deploy your SESM web application on many host machines, and, although the host and port would change for each host machine, the URI would not change. |
| ||||
Note If you are installing SESM in Demo mode, you are finished with the installation. | |||||
|
Tips You can use a show run command on the SSG host to determine how SSG is configured.
| Specify the port that SSG uses to listen for RADIUS requests from an SESM application. This value must match the value that was configured on the SSG host with the following command: The default value is 1812. |
| |||
Specify the shared secret used for communication between SSG and an SESM application. This value must match the value that was configured on the SSG host with the following command: The default value is |
| ||||
Enter the number of bits that SSG uses for port bundling when the host key feature is enabled. This value must match the value that was configured on the SSG host with the following command: ssg port-map length
The value must be 0 or 4. A value of 0 indicates that the SSG is not using the host key and port bundle mechanism. Note The host key feature is introduced in Cisco IOS Release 12.2(2)B. If you are using an earlier release, use a value of 0 in this field. The default value is 0. |
| ||||
When the port bundle size is 0, you must map SSGs to client subnets. The following category of parameters lets you map one client subnet for one SSG. You must manually edit the configuration file to:
See the "Associating SSGs and Subscriber Requests" section for more information. | |||||
One non-host key SSG | Enter the host name or IP address of the SSG host. |
| |||
Client subnet | Enter one client subnet address handled by this SSG. For example, 177.52.0.0. |
| |||
Enter the mask that can be applied to subscriber IP addresses to derive their subnet. For example, 255.255.0.0. |
| ||||
Note If you are installing SESM in DESS mode, skip the following two categories and continue with the "Directory server information" category. | |||||
SESM to RADIUS server communication | Enter the IP address or the host name of the primary RADIUS server. |
| |||
Primary AAA server port | Enter the port number on the primary RADIUS server host that the RADIUS server listens on. The default is 1812. |
| |||
Enter the IP address or the host name of the secondary RADIUS server. If you are not using a secondary RADIUS server, enter the same value used for the primary server. |
| ||||
Enter the port number on the secondary RADIUS server host that the RADIUS server listens on. If you are not using a secondary RADIUS server, enter the same value used for the primary server. |
| ||||
Enter the shared secret used between the RADIUS server and SESM. If you are using a primary and a secondary server, the shared secret must be the same for both servers. The default value is |
| ||||
Service Password | Enter the password that the SESM application uses to request service and group profiles from RADIUS. This password must match the value that was configured on the SSG host with the following command: ssg service-password password
The service-password value must be the same on all of your SSGs. The default value is |
| |||
Note If you are installing SESM in RADIUS mode, you are finished with the installation. | |||||
Enter the IP address or the host name of the system where the directory server is running. |
| ||||
Enter the port on which the directory server listens. |
| ||||
Enter a user ID that has permissions to extend the directory schema. The default value is cn=admin, ou=sesm, o=cisco. |
| ||||
Directory admin password | Enter the password for the directory administrator. |
| |||
Note The installation program attempts to access the directory server, using the information you just provided. If access is unsuccessful, the installation program displays a window with the header "Warning—Please confirm these options." You should verify the information you entered and also verify that the directory server is currently running. If the directory is not running, you can continue the installation of DESS components by clicking the Ignore button on the warning window. However, if you click Ignore, the installation program can not update the directory for SESM use. You must perform the updates at some later time before running SESM web applications or CDAT. See the "Extending the Directory Schema and Installing Initial RBAC Objects" section for instructions. | |||||
Directory container information | Enter the organization and organizational unit that will hold the SESM service, subscriber, and policy information. Use the following format: ou=orgUnit,o=org
For example, the installation program's default values are: ou=sesm,o=cisco
The above defaults are the values used in the sample data file that comes with CDAT. |
| |||
Enter a user ID that has permissions to access and create objects in the organization and organizational unit named above. Use the following format: cn=userID,ou=orgUnit,o=org
For example, the default values are: cn=admin,ou=sesm,o=cisco
|
| ||||
Directory password | Enter the password associated with the directory user ID. |
| |||
Note The installation program attempts to access the container using the information you just provided. If it is unsuccessful, a warning message appears, as described in the previous note. | |||||
Enter the port number on which the CDAT web server will listen. The default is 8081. |
| ||||
|
Configures RDP to SSG communication | Enter the IP address or host name of the RDP.
|
| |||
Enter the port on which the RDP will listen. The default is 1812. |
| ||||
Enter the shared secret to be used for communication between SSG and RDP. It must be a different value from the shared secret used for RDP to RADIUS communication. The default is |
| ||||
Enter the password that RDP uses to request service profiles from the directory. This password must match the value that was configured on the SSG host with the following command: ssg service-password password
The service-password value must be the same on all of your SSGs. The default value is |
| ||||
Enter the password that SSG uses to request next hop tables from RDP. This password must match the value that was configured on the SSG host with the following command: ssg next-hop download nextHopTableName password
The service-password value must be the same on all of your SSGs. The default is |
| ||||
Choose this option to run RDP in proxy mode. RDP has two modes:
|
| ||||
RDP (continued) | Choose this option if you want SSG to perform automatic connections to services when a subscriber's profile includes the autoconnect attribute. When you choose this option, RDP includes the subscriber's service list and related information in replies to SSG. This service information consumes memory on the SSG host—the node route processor (NRP). Do not choose this option if space is a consideration on the NRPs. Instead, you can configure the SESM application to initiate automatic connections. See the "autoConnect" section for more information. |
| |||
If you choose Proxy mode for RDP, then the installation process prompts you for the following RADIUS server information. | |||||
RDP to RADIUS communication | Enter the IP address or the host name of the primary RADIUS AAA server that you want RDP to communicate with. |
| |||
Enter the port number on the primary RADIUS server host that the RADIUS server listens on. |
| ||||
Enter the IP address or the host name of the secondary RADIUS server. If you are not using a secondary RADIUS server, enter the same value used for the primary server. |
| ||||
Enter the port number on the secondary RADIUS server host that the RADIUS server listens on. If you are not using a secondary RADIUS server, enter the same value used for the primary server. |
| ||||
Enter the shared secret used between RDP and the RADIUS server. The shared secret must be the same for both servers. The default is |
| ||||
The installation program installs the components on your system. When it is finished installing the files, it displays an additional window about modifications to the LDAP directory. | |||||
Choose this option if you want the installation program to apply the DESS schema extensions to the LDAP directory. These extensions include the dess and auth classes and attributes. For more information about the extensions, see the Cisco Distributed Administration Tool Guide. If you do not choose this option, you must extend the directory schema later, before running the SESM application in DESS mode and before logging into CDAT to create objects in the directory. See "Extending the Directory Schema and Installing Initial RBAC Objects" section for more information. Note If you are installing DESS in multiple locations, you only need to extend the schema one time. |
| ||||
Choose this option if you want the installation program to load the top-level RBAC objects. If you do not choose this option, you must install RBAC objects later, before running an SESM application in DESS mode and before logging into CDAT to create objects in the directory. See "Extending the Directory Schema and Installing Initial RBAC Objects" section for more information. Note If you are installing DESS in multiple locations, you only need to extend the schema one time. |
| ||||
The Cisco SESM installation directory contains the following subdirectories and files:
When you install SESM in DESS mode, the installation directory contains the following additional directories:
This section outlines the steps to take after you successfully complete an installation.
Step 2 Add configuration information for additional SSGs, if the host key feature is not used.
The SESM installation program caters to use of a single SSG or multiple SSGs with the host key feature. For multiple SSG support without the host key feature, you must configure the SSG to client subnet mapping. See the "Associating SSGs and Subscriber Requests" section for instructions.
Step 3 Start the NWSP web application with the startNWSP script in the jetty bin directory. See "Running SESM Components" for information about this script.
Step 4 Start a web browser. See the "Supported Browsers" section. Access the NWSP application as described in the "Accessing the NWSP Application" section.
See the "Customizing the NWSP Application" section for information about customizing the NWSP application.
Posted: Wed Jul 24 12:21:45 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.
