This section covers the setup of the Yarngate application.

This section assumes that Yarngate access has been configured and the user can log in to Yarngate using LDAP credentials.

This section assumes that Customers/Clusters/Interfaces have been added either manually via the administration application or via bulk import of Customers/Clusters/Interfaces.

Yarngate Access Profiles and Access rules

Access to the Yarngate application and the various roles is controlled by the Authentication policy that matches LDAP groups to Yarnman Role.

Once a user has access to Yarngate their system access is determined by

Entitlement Group

The entitlement profile defines what systems can be accessed. To access Entitlements Group setup - from Yarngate menu, select Access Rules->Entitlements Group, then select New Entitlement Group. Access can be added using Customers, Clusters or specific interfaces.

Note that the add Customer/Cluster/Interface button needs to be pressed for each entry

Entitlement Group bulk Import

There is an option to bulk import using Excel.

Download the template, set it up as necessary and upload it.

Matching Group

The matching group defines which LDAP groups or users are matched for access.

For access testing you can also add a unique username that can be used with the test access function

Access Profile

The access profile defines the configuration of the access. Note that the screenshot below shows the screen after General Settings has first been saved.

  • CUCM - there is additional template configuration required

  • UCXN - there is additional template configuration required

CUCM Template

CUCM Roles (Custom)
  1. If custom CUCM roles are required they can be created. Go Access Profiles->CUCM Templates->Roles, then select New Role Template

  2. The roles will need to be imported from a test CUCM. Use the latest version of CUCM in scope to import the latest roles - Yarngate handles backward compatibility for roles

  3. Select the interface to import the role

  4. Select the required Roles

CUCM Credential Policy
  1. Create the credential policy with the required settings - Go System Templates → CUCM Templates → Credential Policies, then select New Credential Policy

CUCM Access Control Group
  1. Create the Access Control profile - Go System Templates → CUCM Templates → Access Control Groups, then select New Access Control Group Template

CUCM default Roles

To view the list of system default roles, refer to CUCM System Default roles or run the following command via SSH:

run sql select name from functionrole where isstandard ="t"

Custom role template

Refer to Cisco documentation for the capabilities of the various role resource privileges

Note that Yarngate will assert the role resource privileges to check whether each resource privilege exists in the target system. If it does not exist, that resource privilege will not be used. This permits backwards compatibility with the custom role templates.

It's recommended to use the inbuilt CUCM roles where possible, as using custom roles incurs a slight performance penalty: when creating a session, Yarngate has to check/validate that no changes have been made to the target system(s).

UCXN Templates

Authentication Rule
  1. Create the required Authentication rule - Go System Templates → UCXN Templates → Authentication Rule, then select New Authentication Rule Template

User template

Note that the user template must exist

Access Rule

The access rule links all of the configuration together - Go Access Rules → Rules, then select New Access Rule

Test Access

The test access tool can be used to check what access users have

Note that the User key needs to be defined in matching groups

Configure policies

Policies are a set of checks or parameters that are applied to Caches when they run.

Node Age

This policy is applied to a NodeName discovery. It allows reports to be run on Nodes that have been removed from Yarngate (e.g. the interface) or when a node in a cluster is removed.

The policy defines the number of days before a Node is marked as Inactive, and when the Node is deleted. Below shows the Default

A custom policy can be added by Navigating to Administration > Caching > Policies > Create Policy

Account age

A custom policy can be added by Navigating to Administration > Caching > Policies > Create Policy

Audit Config

An Audit policy is used with the Node Cache and System Audit Check report. Yarngate will collect the audit configuration settings via AXL/SOAP and check these against the policy to validate:

  • audit enabled

  • detailed audit enabled

  • correct audit level (6, informational)

  • being sent to one of the Syslog servers defined (the CUCM audit config can only send to 1 syslog server)

An Audit policy can be added by Navigating to Administration > Caching > Policies > Create Policy

Configure Caches

Nodes

The Node Cache is used to speed up reporting by not needing to continually poll the systems each time a report is run. The Node Cache is populated via entitlement group(s).

Policies are applied to the Node cache to check for Audit configuration settings, and age out deleted or unreachable Nodes as per the Policy.

It is recommended to apply a Schedule to keep the cache up to date, and to run it just before a maintenance window ends, to allow the capture of any new nodes or removals.

Navigate to Administration > Caching > Caches > Create Cache

Apply the Node, Audit Policy and Entitlement group(s) and press save

Once saved navigate back to the new cache, the Add a schedule button will be visible

Add the required details for the schedule with enable toggled at the bottom

Navigate back to the cache to see the status of the Schedule.

To modify or disable the schedule press modify, make the required changes and press save

To modify a schedule, toggle enable to Off and make the required changes; once saved, toggle it to On. The scheduler won't allow a time from the past to be saved.

Subnet Groups

Subnet groups contain either individual hosts or subnets. These are then linked to Subnet Group Lists.

Subnet Lists

Subnet Lists contain 1 or more groups of Subnets. These are applied to robot accounts to validate that Robot accounts are being used from known hosts/systems.

Robot Accounts

Robot accounts are manually entered and assigned to a Subnet List. These will feed into the Robot report.

Exception Report Log is not currently in use and will be removed from view. Leave it blank.
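
The relationship between Subnet Groups, Subnet Lists and Robot Accounts described above can be modelled as follows. This is an added example, not Yarngate code: the dictionary layout, account names, addresses and the check_logins function are all hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed sample data (hypothetical names; not Yarngate's schema).
# A subnet group holds individual hosts and/or subnets.
SUBNET_GROUPS = {
    "provisioning-hosts": ["10.20.30.15", "10.20.30.16"],
    "monitoring-range": ["192.0.2.0/28"],
}
# A subnet list holds one or more subnet groups.
SUBNET_LISTS = {"robots-prod": ["provisioning-hosts", "monitoring-range"]}
# Each robot account is assigned to one subnet list.
ROBOT_ACCOUNTS = {"svc-axl-provision": "robots-prod", "svc-monitor": "robots-prod"}

# Constructed (account, source address) login events.
EVENTS = [
    ("svc-axl-provision", "10.20.30.15"),
    ("svc-axl-provision", "10.20.31.15"),
    ("svc-monitor", "192.0.2.14"),
    ("svc-monitor", "192.0.2.16"),
    ("jsmith", "203.0.113.5"),  # not a robot account, so out of scope
]


def expand_subnet_list(list_name):
    """Flatten a subnet list into network objects."""
    networks = []
    for group in SUBNET_LISTS[list_name]:
        for entry in SUBNET_GROUPS[group]:
            # A bare host becomes a /32; strict=True rejects entries such as
            # 192.0.2.5/28 where host bits are set, surfacing typos early.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def check_logins(events):
    """Return robot-account logins whose source is outside the assigned list."""
    findings = []
    for account, source in events:
        list_name = ROBOT_ACCOUNTS.get(account)
        if list_name is None:
            continue  # only robot accounts are validated here
        addr = ipaddress.ip_address(source)
        if not any(addr in net for net in expand_subnet_list(list_name)):
            findings.append((account, source))
    return findings


if __name__ == "__main__":
    for account, source in check_logins(EVENTS):
        print(f"robot account {account} used from unknown host {source}")
```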

Admin Users

Provides a Cache and history of all Admin user accounts

Reporting

Templates

Templates can be used to perform ongoing ad hoc reports with pre-filled details, or assigned to a Schedule to perform recurring reports.

Navigate to Administration > Reporting > Templates

Select the template type and populate the presets.

To run an ad hoc report, select a Template, then press Create Report From Template.

Refer to the report types below for further detailed information.

Schedules

Reports are created based on a Schedule with the option to send Element counters to winprtg

Robot Accounts

System Audit Check
