This chapter describes how to install the Cisco Subscriber Edge Services Manager (SESM) software and bundled components, including SPE. It includes the following topics:
The installation images for SESM are available from the product CD-ROM or from the Cisco web site. This section includes the following topics:
The SESM installation program installs evaluation and licensed versions of SESM:
The license number is important when you are requesting technical support for SESM from Cisco. After installation, you can see your license number and the software version in the licensenum.txt file under the installation directory.
Step 1 Open a web browser and go to:
Step 2 Click the Login button. Provide your Cisco user ID and password.
To access the Cisco images from the CCO Software Center, you must have a valid Cisco user ID and password. See your Cisco account representative if you need help.
Step 3 Click Technical Support.
Step 4 In the popup menu, click Software Center.
Step 5 Click Web Software.
Step 6 Click Cisco Subscriber Edge Services Manager.
Step 7 Download the appropriate image based on the platform you intend to use for hosting the SESM web application.
Copy and uncompress the tar or zip file to a temporary directory. When you uncompress the file, the results are:
Table 2-1 shows the names of the compressed and executable files.
Platform | Compressed Filename | Executable Installation Filename |
---|---|---|
Solaris | sesm-3.1.x-pkg-sol.tar | sesm_sol.bin |
Linux | sesm-3.1.x-pkg-linux.tar | sesm_linux.bin |
Windows NT | sesm-3.1.x-pkg-win32.zip | sesm_win.exe |
The installation program writes to parts of the file system or Windows registry that are only accessible to a privileged user. The outcome of the installation is unpredictable if you are not privileged.
Log on as a privileged user as follows:
You can install SESM using the following installation modes:
Console mode: Use the -console argument on the command line when you execute the installation image.
Silent mode: Use the -options fileName argument on the command line when you execute the installation image.
The following sections provide more details about performing installations in these modes.
solaris> sesm_sol.bin
C:\> sesm_win.exe
To run in console mode, use the -console option on the command line.
solaris> sesm_sol.bin -console
C:\> sesm_win.exe -console
Examples of the .iss and .properties files are included in the installation download. Before you start the installation, you must modify both files to match your requirements.
To prepare for silent mode:
Step 1 Open the .properties and .iss files in any text editor.
Note Before you begin, you might need to obtain write access to the files.
Step 2 Edit the values for each parameter in the file. Table 2-2 describes each parameter. Save and close the file.
Step 3 To turn on the installation logging feature for a silent mode installation, open the .iss file in any text editor. Remove the first pound sign (#) from the following line:
Step 4 Save and close the file.
To run in silent mode, use the -options option on the command line, as follows:
imageName -options issFileName
Where:
For example:
solaris> sesm_sol.bin -options mysesm.iss
C:\> sesm_win.exe -options mysesm.iss
The -log option on the installation command line turns on the installation logging feature.
solaris> sesm_sol.bin -log location @ALL
C:\> sesm_win.exe -options -log location @ALL
Table 2-2 describes the installation and configuration parameters that you enter during the installation process. You can use the Value column in the table to record your planned input values.
You can change the value of any configuration parameter later by editing configuration files, as described in Chapter 4. You cannot change the values of the general installation parameters identified in the first part of the table.
Category | Field | Explanation | ||
---|---|---|---|---|
General installation parameters | Choose the type of installation:
Note Obtain your SESM license number from the License Certificate shipped with the CD-ROM or otherwise provided to you by your Cisco account representative. If you have not yet received a Certificate, choose one of the Evaluation modes. The licensenum.txt file in your root installation directory records your license number and the software version number you installed. This information is important when you access Cisco technical support for this product. | |||
License agreement | Read the displayed license agreement to ensure that you agree with the terms of the license. You must accept the agreement to proceed with installation. | |||
Note You must have write privileges to the installation directory. To specify the installation directory, you can either: accept the displayed default installation directory, click Browse to find a location, or type the directory name in the box. The default installation directories are:
| ||||
General installation parameters (continued) | Select one of the following:
Demo mode simulates the actions of an SESM deployment in both RADIUS and LDAP modes. It uses a local copy of a Merit RADIUS file to obtain profile information. See the Subscriber Edge Services Manager Solution Guide for more information about installing and using SESM in Demo mode. The difference between a demo installation and a typical installation is the contents of the configuration files. In addition, a demo installation does not install the SPE component. | |||
Web Application Host | Specify the IP address or host name of the host on which the SESM portal applications will run. For Demo mode, you can use the value localhost.
| |||
Specify the port on which the container (the J2EE web server) for the SESM portal applications will listen for HTTP requests from subscribers. The installation program updates the application startup scripts for NWSP, WAP, and PDA to use this value. If you want to run these applications simultaneously, you must edit the start scripts to ensure that each application uses a different port. The displayed default value is port 8080. Tip Each web server running on the same machine must listen on its own unique port. If another web server or another instance of the SESM portal application is listening on 8080, change this value. The application startup script uses the application port number to derive two other port numbers:
application port - 80 + 443
8080 - 80 + 443 = 8443
application port + 100
8080 + 100 = 8180
| ||||
SSG Deployment Option | Check this option if you are deploying SESM for a solution that uses the SSG. When you choose this option, the installation program configures the SESM components to work with one or more SSGs. Uncheck this option if you are deploying SESM for a self care solution that does not require an SSG component. In this case, the installation program does not prompt for any SSG information. The self care solutions require LDAP evaluation or LDAP license installations. | |||
Note If you are installing SESM in Demo mode, you are finished with the installation. | ||||
Tip Use the show run command on the SSG host device to determine how SSG is configured.
| Specify the port that SSG uses to listen for RADIUS requests from an SESM application. This value must match the value that was configured on the SSG host with the following command:
Default: 1812. | |||
Specify the shared secret used for communication between SSG and an SESM application. This value must match the value that was configured on the SSG host with the following command:
Default: | ||||
Enter the number of bits that SSG uses for port bundling when the port-bundle host key feature is enabled. This value must match the value that was configured on the SSG host with the following command: ssg port-map length
We recommend using the value 4. A value of 0 indicates that the SSG is not using the port-bundle host key mechanism. Note The port-bundle host key feature was introduced in Cisco IOS Release 12.2(2)B. If you are using an earlier release, use a value of 0 in this field. Default: 0. | ||||
When the port bundle size is 0, you must map SSGs to client subnets. The following category of parameters lets you map one client subnet for one SSG. You must manually edit the configuration file to:
See the "Associating SSGs with Subscriber Requests" section for more information. | ||||
One non-host key SSG | Enter the host name or IP address of the SSG host. | |||
Enter one client subnet address handled by this SSG. For example, 177.52.0.0. | ||||
Enter the mask that can be applied to subscriber IP addresses to derive their subnet. For example, 255.255.0.0. | ||||
Note If you are installing SESM in LDAP mode, skip the following two categories and continue with the "Directory server information" category later in this table. | ||||
RADIUS server details | Enter the IP address or the host name of the primary RADIUS server. | |||
Primary AAA server port | Enter the port number on the primary RADIUS server host that the RADIUS server listens on. The default is 1812. | |||
Enter the IP address or the host name of the secondary RADIUS server. If you are not using a secondary RADIUS server, enter the same value used for the primary server. | ||||
Enter the port number on the secondary RADIUS server host that the RADIUS server listens on. If you are not using a secondary RADIUS server, enter the same value used for the primary server. | ||||
Enter the shared secret used between the RADIUS server and SESM. If you are using a primary and a secondary server, the shared secret must be the same for both servers. Default: | ||||
Enter the password that the SESM application uses to request service profiles from RADIUS. It must match the service password values used in the service profiles in the RADIUS database. This password must also match the value that was configured on the SSG host with the following command: ssg service-password password
The service-password value must be the same on all of your SSGs. Default: | ||||
Enter the password that the SESM application uses to request service group profiles from RADIUS. It must match the service group password values used in the service group profiles in the RADIUS database. Default: | ||||
Note If you are installing SESM in RADIUS mode, you are finished with the installation of the standard components. If you selected the captive portal solution from the custom installation window, go to the Captive Portal category later in this table. | ||||
Directory server information | Enter the IP address or the host name of the system on which the directory server is running. | |||
Enter the port on which the directory server listens. | ||||
Enter a user ID that has permissions to extend the directory schema. Use cn or uid as appropriate. For example:
cn=admin, ou=sesm, o=cisco
cn=Directory Manager
Note The default configuration by the Sun ONE installation process uses cn for the Directory Manager. See the "Sun ONE and iPlanet Installation and Configuration Requirements" section for more information. | ||||
Enter the password for the directory administrator. This is the password you entered during directory installation and configuration. For example: | ||||
Note The installation program attempts to access the directory server, using the information you provided. If access is unsuccessful, the installation program displays a window with the header "Warning - Please confirm these options." Verify the information you entered and also verify that the directory server is running. If the directory is not running, you can continue the installation of SPE components by clicking the Ignore button on the warning window. However, if you click Ignore, the installation program cannot update the directory for SESM use. You must perform the updates at a later time before you run SESM web applications or CDAT. See the "Extending the Directory Schema and Loading Initial RBAC Objects" section for instructions. | ||||
Directory container information | Enter the organization and organizational unit that will hold the SESM service, subscriber, and policy information. Use the following format: ou=orgUnit,o=org
For example, the installation program's default values are: ou=sesm,o=cisco
The above defaults are the values used in the sample data file that comes with CDAT. | |||
Enter a user ID that has permissions to access and create objects in the organization and organizational unit named above. Use cn or uid as appropriate. For example: cn=admin,ou=sesm,o=cisco
uid=yourAdmin,ou=sesm,o=cisco
| ||||
Enter the password associated with the directory user ID. | ||||
Choose the component in distinguished name (dn) that allows access to the SESM container.
Note The SESM sample data uses cn. If you choose uid, you must edit the sample data before loading it into a Sun ONE or other directory that uses uid. See the "Loading Sample Data" section. | ||||
Note The installation program attempts to access the container using the information you provided. If it is unsuccessful, a warning message appears, as described in the previous note. | ||||
Configures RDP to SSG communication | Enter the IP address or host name on which the RDP will run.
| |||
Enter the port on which the RDP will listen. Default: 1812. | ||||
Enter the shared secret to be used for communication between the SSGs and RDP when the restricted client feature is turned off. This value must match the value configured on the SSG host devices, using the following command: radius-server key SharedSecret
When the restricted client feature is turned off, the shared secret must be the same on all SSGs. When the restricted client feature is turned on, this attribute is ignored. Instead, you configure a specific shared secret for each client (each SSG). See the "RDP MBean" section for more information. The next set of prompts from the installation program lets you choose whether to turn the restricted client feature on or off. Default: | ||||
Enter the password that RDP uses to request service profiles from the directory. This value must match two other configured values: 1. This password must match the value that was configured on the SSG host with the following command: ssg service-password password
2. This value must also match the service password value you entered for the SESM portal. See the SESM "Passwords" section. Default: | ||||
Enter the password that RDP uses to request service group profiles from the directory. This password must match the group password value you entered for the SESM portal. See the SESM "Passwords" section. Default: | ||||
Enter the password that SSG uses to request next hop tables from RDP. This password must match the value that was configured on the SSG host with the following command: ssg next-hop download nextHopTableName password
The service-password value must be the same on all of the SSGs that communicate with this RDP server. Default: | ||||
RDP Options | Choose this option to run RDP in proxy mode. RDP has two modes:
| |||
Choose this option if you want the SSG to perform automatic connections to services when a subscriber's profile includes the autoconnect attribute. When you choose this option, RDP includes the subscriber's service list and related information in replies to SSG. The service information consumes memory on the SSG device. Do not choose this option if space is a consideration on the SSG device. Instead, you can configure the SESM application to initiate automatic connections with the autoConnect attribute in the SESM MBean. See the "SESM MBean" section for more information. | ||||
Choose this option if you want to turn on the RDP restricted client feature, which allows RDP to service requests only from a preconfigured list of clients. The RDP clients are SSGs. If you check this option, the installation program prompts for configuration information for one client. You can add more clients by adding elements to the allowedClients attribute in the RADIUSServerSocket MBean. If you do not check this option, the RDP accepts requests from any client (any SSG). | ||||
If you choose the RDP Proxy mode option, the installation process prompts you for the following RADIUS server information. | ||||
AAA Server Details | Enter the IP address or the host name of the primary AAA server that you want RDP to communicate with. | |||
Enter the port number on the primary RADIUS server host that the RADIUS server listens on. | ||||
Enter the IP address or the host name of the secondary RADIUS server. If you are not using a secondary RADIUS server, enter the same value used for the primary server. | ||||
Secondary port | Enter the port number on the secondary RADIUS server host that the RADIUS server listens on. If you are not using a secondary RADIUS server, enter the same value used for the primary server. | |||
Enter the shared secret used between RDP and the RADIUS server. The shared secret must be the same for both servers. Default: | ||||
If you choose the RDP Add client option, the installation program prompts you for the following information about one RDP client. You can add more clients by adding elements to the allowedClients attribute in the RDPMBean, RADIUSServerSocket component. See the "RDP MBean" section for more information. | ||||
RDP Client | Enter the IP address of the SSG. | |||
Enter the shared secret used for SSG to RDP communication. This value must match the value configured on the SSG, using the following command: radius-server key SharedSecret
| ||||
If you are performing a Custom installation and you check the Captive Portal item, the installation program prompts you for captive portal configuration information. Note The configuration information you enter in the following parameters must match TCP redirect configuration values on the SSG. The easiest way to ensure that values match in both places is to accept all of the default values presented by the installation process. Then configure the SSG based on the example captiveportal/config/ssgconfig.txt file. See "Deploying a Captive Portal Solution," for more information. | ||||
Enter the IP address or host name on which the captive portal solution will run. | ||||
Enter the port number on which the first listener in the captive portal web server will listen. This installation program sets up the captiveportal.jetty.xml file to create seven listeners in the web server, as follows:
Later in this installation procedure, you are prompted for a port number for each of these listeners. The port you enter now is used as the default value for the first listener. Note If you use the same port number for more than one listener, some redirections will not work. Default: 8090 | ||||
Choose this option if you want to install the Message Portal application. The Message Portal application is an example of an SESM portal that provides content for:
For those redirection types, the default URIs displayed later in this installation procedure refer to pages in the Message Portal application. | ||||
If you choose the Message Portal option above, the installation program prompts you for the following information. | ||||
Message Portal Server Configuration | Enter the port number on which the Message Portal web server will listen. The Message Portal web server has one listener. Default: 8085 | |||
Choose this option if you want the Message Portal application to redirect the subscriber to the originally requested URL after the message duration time elapses. If you do not choose this option, the subscriber must enter a URL to leave the message page. Default: true | ||||
Main web server configuration | Host | Enter the host name or IP address of the web server for the NWSP or other application that will respond to:
This value becomes the default value for the serviceportal.host system property in the captiveportal.xml file. | ||
Port | Enter the port number on which the web server named above will listen. This value becomes the default value for the serviceportal.port system property in the captiveportal.xml file. Default: 8080 | |||
Enable | Check this box to configure unauthenticated user redirections. | |||
Enter the port that the web server for the Captive Portal application will listen on for unauthenticated user redirections received from the SSG. The installation program displays the value that you entered earlier in the Captive Portal Port Number field. You can accept this default value. Note You must configure the SSG TCP redirect feature to send unauthenticated user redirections to this port. Default: 8090 | ||||
URL Out: Host URL Out: Port URL Out: URI | These fields define the URL to which browsers are redirected for unauthenticated user redirections. The default values reference the NWSP application.
| |||
Enable | Check this box to configure initial logon redirections. | |||
Enter the port that the Captive Portal web server will listen on for initial logon redirections. Note You must configure the SSG TCP redirect feature to send initial logon redirections to this port. Default: 8091 | ||||
URL Out: Host URL Out: Port URL Out: URI | These fields define the URL to which browsers are redirected for initial logon redirections. The default values reference the Message Portal application.
| |||
The length of time that the Message Portal application waits before attempting to redirect the browser to the user's originally requested URL. Default: 15 | ||||
Advertising Captivation | Enable | Check this box to configure advertising redirections. | ||
Enter the port that the Captive Portal web server will listen on for advertising redirections. Note You must configure the SSG TCP feature to send advertising redirections to this port. Default: 8092 | ||||
URL Out: Host URL Out: Port URL Out: URI | These fields define the URL to which browsers are redirected for advertising redirections. The default values reference the Message Portal application.
| |||
The length of time that the Message Portal application waits before attempting to redirect the browser to the user's originally requested URL. Default: 15 | ||||
Enable | Check this box to configure service redirections, including a default service redirection. | |||
Enter the port that the Captive Portal web server will listen on for default service redirections. Default service redirections are used for services whose address does not belong to the destination network of any of the specific service redirections. Note You must configure the SSG TCP feature to send default service redirections to this port. Default: 8093 | ||||
First Service Redirect Port In Second Service Redirect Port In Third Service Redirect Port In | Enter the ports that the Captive Portal web server will listen on for service redirections for Service1, Service2, and Service3. Note You must configure the SSG TCP feature to send redirections to these ports. Defaults: 8094, 8095, 8096 | |||
URL Out | Enter the URL to which browsers are redirected for any type of service redirection. The default value references the NWSP application, as follows:
This installation program assumes that the same URL is used for all service redirections. You can change this default configuration in the captiveportal.xml file. There is no requirement that all service redirections use the same page, port, or application. | |||
Details for Unconnected Service Redirection | Choose this option if you want the Captive Portal application to pass the service names to the content application that handles service redirections (NWSP in the default configuration). NWSP uses the service name to connect to the service. If you do not check this option, NWSP displays the page specified in the serviceNotGivenURI attribute in nwsp.xml. (The default installation setting for the serviceNotGivenURI attribute is the NWSP status page.) | |||
Redirect Service Names | Provide the service name as specified in the service profile. The default values provided in the installation program match services in the sample data installed with SESM. | |||
CDAT host | Enter the IP address or host name on which the CDAT application will run.
| |||
Enter the port number on which the CDAT web server will listen. The default is 8081. | ||||
Links for CDAT main window | Hosts and port numbers for remote SESM applications | The installation program prompts for host names and port numbers of all applications that you did not install during the current session. It uses this information to configure links on the CDAT main window pointing to the management consoles of these remote SESM applications. To skip the prompts for applications that you have not installed on any system or do not want CDAT to manage, click Next. | ||
The installation program installs the components on your system. When it is finished installing the files, and if it successfully connected to your LDAP directory, it displays the following additional prompts about modifications to the directory. | ||||
LDAP directory modifications | Choose this option if you are installing SESM to run with a new LDAP directory and you want the installation program to apply the SPE schema extensions to the directory. The extensions include the dess and auth classes and attributes. For more information about the extensions, see the Cisco Distributed Administration Tool Guide. If you do not choose this option, you must extend the directory schema later, before running the SESM application in LDAP mode and before logging into CDAT to create objects in the directory. See the "Post-Installation Configuration Tasks" section. Note The schema must be extended for each LDAP directory used in the SESM deployment. If multiple instances of SESM using just one LDAP directory exist, then the schema need only be extended in one of the installs where the SPE component is selected. | |||
Choose this option if you want the installation program to load the top-level RBAC objects. Some initial top-level rules and roles must be created in the directory before an administrator can log into CDAT and create additional objects. If you do not choose this option, you must install RBAC objects later, before running the SESM application in LDAP mode and before logging into CDAT to create objects in the directory. See the "Post-Installation Configuration Tasks" section. Note The RBAC objects must be installed into each LDAP directory used in the SESM deployment. If multiple instances of SESM using just one LDAP directory exist, then the RBAC objects must only be loaded in one of the installs where the SPE component is selected. |
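
Table 2-2 requires every web server on a host to listen on its own port, says each portal start script derives two further ports from the application port, and warns that captive portal redirections fail when listeners share a port. The following check of a planned port layout is an added example, not part of the SESM distribution; the labels are made up for illustration (they are not SESM property names), and it assumes that all listeners run on one host and that the derived ports are bound there as well.

```python
# Added example: port-plan check for the listeners described in Table 2-2.
# Labels are made up for this example; they are not SESM property names.

def derived_ports(app_port):
    """Ports a portal start script derives from its application port,
    using the two formulas given in Table 2-2."""
    return {
        "application port - 80 + 443": app_port - 80 + 443,
        "application port + 100": app_port + 100,
    }


def check_port_plan(portal_apps, other_listeners):
    """Return a list of problems found in a single-host port plan.

    portal_apps: {name: application port} for NWSP, WAP, PDA, ...
    other_listeners: {name: port} for listeners with no derived ports.
    """
    claims = {}  # port -> labels of everything that wants to bind it
    for name, port in portal_apps.items():
        claims.setdefault(port, []).append(name)
        for formula, derived in derived_ports(port).items():
            claims.setdefault(derived, []).append(f"{name} ({formula})")
    for name, port in other_listeners.items():
        claims.setdefault(port, []).append(name)

    problems = []
    for port in sorted(claims):
        labels = ", ".join(claims[port])
        if not 1 <= port <= 65535:
            problems.append(f"port {port} out of range: {labels}")
        if len(claims[port]) > 1:
            problems.append(f"port {port} claimed by: {labels}")
    return problems


# Defaults quoted in Table 2-2 (assumed here to share one host).
DEFAULT_OTHER_LISTENERS = {
    "CDAT": 8081,
    "Message Portal": 8085,
    "Captive Portal: unauthenticated user": 8090,
    "Captive Portal: initial logon": 8091,
    "Captive Portal: advertising": 8092,
    "Captive Portal: default service": 8093,
    "Captive Portal: first service": 8094,
    "Captive Portal: second service": 8095,
    "Captive Portal: third service": 8096,
}

if __name__ == "__main__":
    # Constructed plan: NWSP keeps the default 8080 and WAP is moved to 8180,
    # a port that NWSP's start script already derives (8080 + 100).
    plan = {"NWSP": 8080, "WAP": 8180}
    for problem in check_port_plan(plan, DEFAULT_OTHER_LISTENERS):
        print(problem)
```
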
The Cisco SESM installation directory contains the following subdirectories and files:
This section lists some configuration tasks that might be required after you install SESM applications.
Step 1 Install and configure other software components required for your SESM solution, such as RADIUS servers, LDAP directory, and SSGs.
Step 2 (LDAP mode only) Update the LDAP directory with SPE schema extensions and load initial RBAC objects if you did not allow the installation program to do these tasks. See the "Extending the Directory Schema and Loading Initial RBAC Objects" section.
Step 3 (LDAP mode only) Optionally load sample data into the LDAP directory. See the "Loading Sample Data" section.
Step 4 Add configuration information for additional SSGs, if the SSG port bundle host key feature is not used on the SSGs.
The SESM installation program supports a single SSG, or multiple SSGs that use the host key feature. For multiple SSG support without the host key feature, you must configure the SSG to client subnet mapping. See the "Associating SSGs with Subscriber Requests" section.
Step 5 If you installed the captive portal solution, see the "Additional Configuration Steps" section for instructions on configuring an SSG to work with the installed captive portal features.
Step 6 If you installed the RDP server and turned on the restricted client feature, you might need to add more SSGs to the RDP's client list. The installation program accepts information for one client. See the "Using a Restricted Client List" section.
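
Step 4 and the "One non-host key SSG" fields in Table 2-2 rely on applying a mask to a subscriber IP address to derive the client subnet that identifies its SSG. The following added example (not SESM code, and not the SESM configuration file syntax) checks a planned set of SSG-to-subnet mappings before you enter them; the SSG host names and the second subnet are constructed, and only 177.52.0.0 with mask 255.255.0.0 comes from the table.

```python
import ipaddress

# Constructed sample plan: (SSG host, client subnet, mask). The first subnet
# and mask are the examples from Table 2-2; everything else is made up.
SAMPLE_ROWS = [
    ("ssg1.example", "177.52.0.0", "255.255.0.0"),
    ("ssg2.example", "177.53.0.0", "255.255.0.0"),
]


def build_mappings(rows):
    """Validate (ssg_host, client_subnet, mask) rows and return
    (ssg_host, IPv4Network) pairs. Raises ValueError when the mask is not
    a valid netmask or the subnet address has bits set outside the mask."""
    mappings = []
    for ssg_host, subnet, mask in rows:
        # strict=True rejects e.g. subnet 177.52.1.0 with mask 255.255.0.0
        network = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=True)
        mappings.append((ssg_host, network))
    return mappings


def overlapping(mappings):
    """Pairs of SSG hosts whose client subnets overlap, which would make
    the subscriber-to-SSG association ambiguous."""
    pairs = []
    for i, (host_a, net_a) in enumerate(mappings):
        for host_b, net_b in mappings[i + 1:]:
            if net_a.overlaps(net_b):
                pairs.append((host_a, host_b))
    return pairs


def ssgs_for_subscriber(subscriber_ip, mappings):
    """Apply each mask to the subscriber address and return the SSG hosts
    whose client subnet equals the result. An empty list means no SSG is
    mapped for this subscriber; more than one means the plan is ambiguous."""
    address = int(ipaddress.IPv4Address(subscriber_ip))
    return [
        host for host, network in mappings
        if address & int(network.netmask) == int(network.network_address)
    ]


if __name__ == "__main__":
    plan = build_mappings(SAMPLE_ROWS)
    print("overlaps:", overlapping(plan))
    for ip in ("177.52.14.9", "177.53.200.1", "10.0.0.5"):
        print(ip, "->", ssgs_for_subscriber(ip, plan))
```
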
For information about starting SESM portals and logging on, see "Running SESM Components."
For information about configuring a customized SESM portal application, see the "Configuring a Customized SESM Application" section.
Posted: Fri Oct 18 10:04:01 PDT 2002
All contents are Copyright © 1992-2002 Cisco Systems, Inc. All rights reserved.