Monday, August 15, 2011

TACACS+ Authentication for Cisco Unified Operations Manager 8.X

Cisco Unified Operations Manager (CUOM) supports ACS authentication and authorization. The procedure is similar to integrating CiscoWorks LMS with ACS for TACACS+ authentication. Once CUOM has been successfully integrated with Cisco Secure ACS, Operations Manager, Service Monitor and Common Services are added as Shared Profile Components in ACS, which imports the application tasks and user roles into ACS.

To integrate the Operations Manager server with Cisco Secure ACS, first create a System Identity User on the Operations Manager. Before you create a System Identity User, you need to create a Local User which will later be mapped to the System Identity User. To create a Local User, go to Administration > Server Administration (Common Services) > Security > Local User Setup and click Add to create a new user. Enter the username (say cuomadmin) and a password. Select the Full Authorization radio button so that the user has all privilege rights; authorization can fail for certain tasks in Operations Manager if the user does not have Full Authorization. The next step is to create the System Identity User: choose Administration > Server Administration (Common Services) > System Identity Setup, replace the System Identity Setup username with the local username you created in the previous step (cuomadmin), enter the same password and click Apply.

On the ACS, create an administrator user (cuomadmin) with all privileges in ACS. CUOM registration with ACS can fail if this user does not have administrator privileges. On ACS 4.2, go to User Setup, enter the username (cuomadmin) in the User: box and click Add/Edit. Enter the password for the user and give the user account all privileges. Now add the Operations Manager server as an AAA client on the ACS. For this, go to Network Configuration and click Add Entry. Enter the AAA Client Hostname, AAA Client IP Address (the CUOM IP address) and Shared Secret (say P@ssw0rd), and select TACACS+ (Cisco IOS) from the Authenticate Using drop-down list.

Now on the CUOM, go to Administration > Server Administration (Common Services) > Security > AAA Mode Setup and select the ACS radio button. Enter the ACS IP address and port number 49. If you have multiple ACS servers, enter the secondary and tertiary ACS details as well. In the Login box enter the ACS administrator name and password (you must know the ACS administrator HTTP credentials to register the CUOM with the ACS server). Also enter the ACS Shared Secret (P@ssw0rd) that we created when we added the CUOM as an AAA client in ACS. To register all the installed applications with ACS, select the corresponding check box. Then click Apply, and click OK if the registration is successful. You will now have to restart the CUOM daemon manager for the changes to take effect. On the server CLI, go to NMSROOT\bin (where NMSROOT is the directory where CUOM is installed; the default is C:\Program Files\CSCOpx) and enter the following commands:

net stop crmdmgtd
net start crmdmgtd


If the registration was successful, on the ACS you should see Cisco Unified Operations, Cisco Unified Service Monitor and CiscoWorks Common Services under Shared Profile Components. Here you can edit roles and create custom roles. Create users in ACS with the required privileges. Ensure that the System Identity User in ACS is assigned all roles and that Common Services users have been assigned the proper privileges. Now you can log in to the CUOM with a username defined in ACS.

If you are locked out, or if your ACS admin user does not have enough privileges, you can revert from ACS mode back to local user mode by first shutting down the daemons and then running the following script:

NMSROOT\bin\perl ResetLoginModule.pl

Then restart the daemon.
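The same recovery procedure wrapped as a script, with the daemon manager confirmed stopped before the reset runs and confirmed running afterwards. This is an added example, not from the original post; it assumes the default NMSROOT path and the crmdmgtd service name given earlier, and that ResetLoginModule.pl lives in NMSROOT\bin.

```powershell
# Added example (not from the original post): revert CUOM from ACS mode to local
# login mode. Run from an elevated PowerShell prompt on the CUOM server.
# Assumptions: NMSROOT is the default install path from the post, the daemon
# manager service is crmdmgtd (as in the post's net stop/start commands), and
# ResetLoginModule.pl sits in NMSROOT\bin next to the bundled perl.exe.
param(
    [string]$NmsRoot = 'C:\Program Files\CSCOpx',
    [int]$TimeoutSeconds = 300
)

$service = 'crmdmgtd'
$binDir  = Join-Path $NmsRoot 'bin'
$perl    = Join-Path $binDir 'perl.exe'
$script  = Join-Path $binDir 'ResetLoginModule.pl'

function Wait-ServiceState {
    param([string]$Name, [string]$State, [int]$Timeout)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # WaitForStatus throws a TimeoutException if the state is not reached in time.
    $svc.WaitForStatus($State, [TimeSpan]::FromSeconds($Timeout))
}

if (-not (Test-Path $perl) -or -not (Test-Path $script)) {
    throw "perl.exe or ResetLoginModule.pl not found under $binDir; check NMSROOT"
}

# 1. Stop the daemon manager; the reset must run while the daemons are down.
Write-Host "Stopping $service ..."
Stop-Service -Name $service -ErrorAction Stop
Wait-ServiceState -Name $service -State 'Stopped' -Timeout $TimeoutSeconds

# 2. Reset the login module back to local (Common Services) authentication.
#    Run from NMSROOT\bin, as the post does, in case the script uses relative paths.
Write-Host "Running ResetLoginModule.pl ..."
Push-Location $binDir
try {
    & $perl $script
    if ($LASTEXITCODE -ne 0) {
        throw "ResetLoginModule.pl exited with code $LASTEXITCODE; $service left stopped for inspection"
    }
} finally {
    Pop-Location
}

# 3. Start the daemon manager again and confirm it reaches Running.
Write-Host "Starting $service ..."
Start-Service -Name $service -ErrorAction Stop
Wait-ServiceState -Name $service -State 'Running' -Timeout $TimeoutSeconds
Write-Host "Done. Log in with a local Common Services account and re-check AAA Mode Setup."
```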