Configuring Administration Settings

This chapter describes how to configure networking, system, security, and maintenance settings for the SCC. It includes these topics:

•Configuring networking settings

•Configuring system settings

•Configuring security settings

•Configuring maintenance settings

This chapter assumes that you have installed and performed the initial configuration of the SCC. For details, see the SteelCentral Controller for SteelHead Installation Guide.

Configuring networking settings

This section describes how to modify network settings in the SCC.

Configuring general host settings

You view and modify general host settings in the Administration > Networking: Host Settings page.

The Host Settings page isn’t controlled by the SCC Network role but by the SCC General Settings role. The Host Settings page accepts IPv4 and IPv6 addresses.

When you initially run the installation wizard, you set required network host settings for the SCC. Use these groups of controls on this page only if you require modifications, additional configuration, or want to verify the DNS configuration:

•Name - Modify the hostname only if your deployment requires it.

•DNS Settings - We recommend you use DNS resolution.

•Hosts - If you don’t use DNS resolution, or if the host doesn’t have a DNS entry, you can create a host-IP address resolution map.

•Configure How this Appliance Connects to the Network - Configure proxy addresses for web or FTP proxy access to the SteelHead. You can also create a whitelist of domains allowed to bypass the proxy. Because SteelHead backups to SCC are blocked if a proxy is enabled, this option lets you enter an exception to allow direct SteelHead to SCC communication.

Changing the hostname from IPv4 to IPv6

The SCC uses the SSH and HTTPS to communicate with appliances. The SSH connection is initiated from SCC and merely changing the SCC hostname from the SteelHead will not disconnect and reinitiate the SSH connection.

Explicitly breaking SSH/HTTPS channels

You must explicitly break the SSH and HTTPS channels on the SCC. You can break the channels in any one of these ways:

•The IPv4 channel can be broken by disabling the IPv4 address from the Interface.

•The IPv6 channel can be broken by disabling the IPv6 address from the Interface.

•Rebooting the SCC.

Alternatively, you can also break the SSH/HTTPS channels by:

•running the CLI command no scc enable on the SteelHead.

•specifying the new IP address of SteelHead in the Manage > Appliances: Appliances Pages: Host Settings. For details about change the SteelHead appliance IP address in the SCC, see “Managing host settings” on page 242.

-or-

changing the IP address in SCC in the Host Settings page. For details, see “To modify host settings” on page 77.

This table summarizes the CLI steps to establish the SSH/HTTPS channels.

Appliance conditions	No SSH/HTTPS channels	There is SSH/HTTPS channel already over IPv4	There is SSH/HTTPS channel already over IPv6
SteelHead & SCC reachable over IPv4 and IPv6	To establish an SSH/HTTPS channels: scc hostname <ip-address> scc enable	Until the existing SSH/HTTPS channel is broken explicitly the IPv4 SSH/HTTPS channel will continue to exist. Break the channels using the procedures described above. To reestablish the SSH/HTTPS channels: scc hostname <ip-address> scc enable	Until the existing SSH/HTTPS channel is broken explicitly the IPv6 SSH/HTTPS channel will continue to exist. Break the channels using the procedures described above. To reestablish the SSH/HTTPS channels: scc hostname <ip-address> scc enable
SteelHead & SCC reachable over IPv4 only	To establish the SSH/HTTPS channel over IPv4: scc hostname <ip-address> scc enable	To establish the SSH/HTTPS channel over IPv4: scc hostname <ip-address> scc enable	Not applicable
SteelHead & SCC reachable over IPv6 only	To establish the SSH/HTTPS channel over IPv6: scc hostname <ip-address> scc enable	Not applicable	To establish the SSH/HTTPS channel over IPv6: scc hostname <ip-address> scc enable

To change the hostname

1. Choose Administration > Networking: Host Settings to display the Host Settings page.

2. Under Name, modify the value in the Hostname field.

3. Click Apply to apply your changes to the running configuration.

4. Click Save to Disk to save you settings permanently.

To specify DNS settings

1. Choose Administration > Networking: Host Settings to display the Host Settings page.

2. Under DNS Settings, complete the configuration as described in this table.

Control	Description
Primary DNS Server	Specify the IP address for the primary name server. The IP address can be either IPv4 or IPv6. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Secondary DNS Server	Optionally, specify the IP address for the secondary name server.
Tertiary DNS Server	Optionally, specify the IP address for the tertiary name server.
DNS Domain List	Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.

To modify host settings

This procedure is required when you want to override DNS-provided host information.

1. Choose Administration > Networking: Host Settings to display the Host Settings page.

2. Under Hosts, complete the configuration as described in this table.

Control	Description
Add a New Host	Displays the controls for adding a new host.
IP Address	Specify the IP address, either IPv4 or IPv6, for the host. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Hostname	Specify a hostname.
Add	Adds the host.
Remove Selected	Select the check box next to the name and click Remove Selected.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your changes permanently.

To set a proxy

1. Choose Administration > Networking: Host Settings to display the Host Settings page.

2. Under Configure How this Appliance Connects to the Network, complete the configuration as described in this table.

Control	Description
Enable Proxy Settings	Provides network proxy access to the SteelHead. Enables the SteelHead to use a proxy to contact the Riverbed licensing portal and fetch licenses in a secure environment. You can optionally require user credentials to communicate with the proxy, and you can specify the method used to authenticate and negotiate user credentials. Proxy access is disabled by default. RiOS supports these proxies: Squid, Blue Coat Proxy SG, Microsoft WebSense, and McAfee Web Gateway.
Web/FTP Proxy	Specify the IP address, either IPv4 or IPv6, for the network or FTP proxy. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Port	Optionally, specify the port for the network or FTP proxy. The default port is 1080.
Enable Authentication	Optionally, select to require user credentials for use with network or FTP proxy traffic. Specify these values to authenticate the users: •User Name - Specify a username. •Password - Specify a password. •Authentication Type - Select an authentication method from the drop-down list: –Basic - Authenticates user credentials by requesting a valid username and password. This is the default setting. –NTLM - Authenticates user credentials based on an authentication challenge and response. –Digest - Provides the same functionality as basic authentication; however, digest authentication improves security because the system sends the user credentials across the network as a Message Digest 5 (MD5) hash.
Proxy Whitelist	Optionally, add or remove domains from a proxy whitelist.
Apply	Applies your changes to the running configuration.

3. Click Save to Disk to save your settings permanently.

Configuring base interfaces

You view and modify settings for the appliance primary and auxiliary interfaces in the Networking: Base Interfaces page.

When you initially ran the Configuration wizard, you set required settings for the base interfaces. Only use the controls on this page if you require modifications or additional configuration:

•Primary Interface - On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the appliance management interface. You connect to the primary interface to use the Management Console or the CLI.

•Auxiliary Interface - On the appliance, the auxiliary interface is an optional port you can use to connect the appliance to a non-Riverbed network management device. The IP address for the auxiliary interface must be on a subnet different from the primary interface subnet.

•Main Routing Table - Displays a summary of the main routing table for the appliance. If necessary, you can add static routes that might be required for out-of-path deployments or particular device management subnets.

To modify the configuration for base interfaces

1. Choose Administration > Networking: Base Interfaces to display the Base Interfaces page.

Modifying the base interfaces

2. Under Primary Interface, complete the configuration as described in this table.

Control	Description
Enable Primary Interface	Enables the appliance management interface, which can be used for both managing the SCC and serving data for a server-side out-of-path (OOP) configuration.
Obtain IPv4 Address Automatically	Displays multiple IPv4 values assigned by DHCP server. (A DHCP server must be available so that the system can request the IP address from it.)
Enable IPv4 Dynamic DNS	Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
Specify IPv4 Address Manually	Select this option if you don’t use a DHCP server to set the IPv4 address. Specify these settings: •IPv4 Address - Specify an IP address. •IPv4 Subnet Mask - Specify a subnet mask. •Default IPv4 Gateway - Specify the default gateway IPv4 address. The default gateway must be in the same network as the primary interface. You must set the default gateway for in-path configurations.
Obtain IPv6 Address Automatically	Displays multiple IPv6 values assigned by DHCP server. (A DHCP server must be available so that the system can request the IP address from it.) Note: If you change the primary or aux interface from IPv4 to IPv6 you must restart the httpd service. From the SCC command line, run this command: pm process httpd restart
Enable IPv6 Dynamic DNS	Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
Specify IPv6 Address Manually	Select this option and specify these settings to set an IPv6 address. •IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the interface. •IPv6 Address - Specify a combination of both the IPv6 address and IPv6 prefix. Use this format: <IPv6-address>/<IPv6-prefix>. For example: 210::33/64 •Add a New IPv6 Address - This option allows you to configure multiple IPv6 Addresses to the interface. Use this format: <IPv6-address>/<IPv6-prefix>. New IPv6 addresses are displayed as an entry with this label: IPv6-<address>. •IPv6 Gateway - Specify the gateway IP address. The gateway must be in the same network as the primary interface. To modify an existing IPv6 address, empty the contents of the corresponding text field and click Apply. To delete an existing IPv6 address, update the contents of the corresponding text field and click Apply. Note: If you selected Specify IPv6 Address Manually and assigned multiple IP addresses to your interface, then if you select Obtain IPv6 Address Automatically and click Apply, all the IP address assigned manually will be deleted. Note: If you change the primary or aux interface from IPv4 to IPv6 you must restart the httpd service. From the SCC command line, run this command: pm process httpd restart
MTU	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

3. Under Auxiliary Interface, complete the configuration as described in this table.

Control	Description
Enable Aux Interface	Enables an auxiliary interface, which can be used only for managing the SCC. Typically this is used for device-management networks.
Obtain IPv4 Address Automatically	Displays multiple IPv4 values assigned by DHCP server. (A DHCP server must be available so that the system can request the IP address from it.)
Enable IPv4 Dynamic DNS	Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
Specify IPv4 Address Manually	Select this option if you don’t use a DHCP server to set the IPv4 address. Specify these settings: •IPv4 Address - Specify an IP address. •IPv4 Subnet Mask - Specify a subnet mask.
Obtain IPv6 Address Automatically	Displays multiple IPv6 values assigned by DHCP server. (A DHCP server must be available so that the system can request the IP address from it.) Note: If you change the primary or aux interface from IPv4 to IPv6 you must restart the httpd service. From the SCC command line, run this command: pm process httpd restart
Enable IPv6 Dynamic DNS	Select this option to send the hostname with the DHCP request for registration with Dynamic DNS.
Specify IPv6 Address Manually	Select this option and specify these settings to set an IPv6 address. •IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the interface. •IPv6 Address - Specify a combination of both the IPv6 address and IPv6 prefix. Use this format: <IPv6-address>/<IPv6-prefix>. For example: 210::33/64 •Add a New IPv6 Address - This option allows you to configure multiple IPv6 Addresses to the interface. Use this format: <IPv6-address>/<IPv6-prefix>. New IPv6 addresses are displayed as an entry with this label: IPv6 -<address>. To modify an existing IPv6 address, update the contents of the corresponding text field and click Apply. To delete an existing IPv6 address, empty the contents of the corresponding text field and click Apply. Note: If you selected Specify IPv6 Address Manually and assigned multiple IP addresses to your interface, then if you select Obtain IPv6 Address Automatically and click Apply, all the IP address assigned manually will be deleted. Note: If you change the primary or aux interface from IPv4 to IPv6 you must restart the httpd service. From the SCC command line, run this command: pm process httpd restart
MTU	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

4. Click Save to Disk to save your settings permanently.

To configure routes for IPv4

Under Main IPv4 Routing Table, you can configure a static route for out-of-path deployments or if your device-management network requires static routes. You can add or remove routes from the list as described in this table.

Control	Description
Add a New Route	Displays the controls for adding a new route.
Destination IPv4 Address	Specify the destination IP address for the out-of-path appliance or network management device.
IPv4 Subnet Mask	Specify the subnet mask.
Gateway IPv4 Address	Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you’re configuring.
Interface	Select an interface for the IPv4 route from the drop-down list.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

Click Save to Disk to save your settings permanently.

To configure routes for IPv6

Under Main IPv6 Routing Table, you can configure static routing in the main routing table if your device-management network requires static routes. You can add or remove routes from the list as described in this table.

Control	Description
Add a New Route	Displays the controls for adding a new route.
Destination IPv6 Address	Specify the destination IP address.
IPv6 Prefix	Specify a prefix. The prefix length is from 0 to 128 bits, separated from the address by a forward slash (/).
Gateway IPv6 Address	Specify the IP address for the gateway. The gateway must be in the same network as the primary or auxiliary interface you’re configuring.
Interface	Select an interface for the IPv6 route from the drop-down list.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

Click Save to Disk to save your settings permanently.

Configuring system settings

This section describes how to configure system settings to assist you in system administration. This section includes these topics:

•Setting announcements

•Configuring alarm parameters

•Configuring the date and time

•Configuring monitored ports

•Configuring SNMP basic settings

•Configuring SNMPv3

•Configuring SNMP authentication and access control

•Configuring email notification

•Configuring log settings

•Changing the account password

•Managing configuration files

Setting announcements

You can create or modify a login message or a message of the day. The login message appears in the SCC Login page. The message of the day appears on the Dashboard and when you first log in to the CLI.

To set an announcement

1. Choose Administration > System Settings: Announcements to display the Announcements page.

Setting announcements

2. Use the controls to complete the configuration as described in this table.

Control	Description
Login Message	Type a message in the text box to appear on the Login page.
MOTD	Specify a message in the text box to appear in the Dashboard.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

Configuring alarm parameters

You can set alarms in the Alarms page.

Enabling alarms is optional.

RiOS 7.0 and later use hierarchical alarms. The system groups certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information. As an example, the System Disk Full top-level parent alarm aggregates over multiple partitions. If a specific partition is full, the System Disk Full parent alarm triggers and the Alarm Status report displays more information regarding which partition caused the alarm to trigger.

Disabling a parent alarm disables its children. You can enable a parent alarm and disable any of its child alarms. You can’t enable a child alarm without first enabling its parent.

The children alarms of a disabled parent appear on the Alarm Status report with a suppressed status. Disabled children alarms of an enabled parent appear on the Alarm Status report with a disabled status. For details about alarm status, see “Viewing SCC alarm status reports” on page 382.

When an alarm reaches its rising threshold, it is activated; it is reset when it reaches the lowest or reset threshold. After an alarm is triggered, it isn’t triggered again until it has fallen below the reset threshold.

To set alarm parameters

1. Choose Administration > System Settings: Alarms to display the Alarms page.

Setting alarms

2. Under Enable SCC Alarms, complete the configuration as described in this table.

Control	Description
CPU Utilization	Enables an alarm if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it isn’t triggered again until it has fallen below the reset threshold. By default, this alarm is enabled, with a rising threshold of 90 percent and a reset threshold of 80 percent. •Rising Threshold - Specify the rising threshold. When an alarm reaches the rising threshold, it is activated. The default value is 90 percent. •Reset Threshold - Specify the reset threshold. When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it isn’t triggered again until it has fallen below the reset threshold. The default value is 80 percent.
Disk Full	Enables an alarm if the system partitions (not the RiOS data store) are full or almost full. For example, RiOS monitors the available space on /var, that’s used to hold logs, statistics, system dumps, TCP dumps, and so on. By default, this alarm is enabled. This alarm monitors these system partitions: •Partition "/boot Full" Free Space •Partition "/bootmgr Full" Free Space •Partition "/config Full" Free Space •Partition "/data Full" Free Space •Partition "/scratch Full" Free Space •Partition "/var Full" Free Space
Hardware	Fan Error - Enables an alarm and sends an email notification if a fan is failing or has failed and needs to be replaced. By default, this alarm is enabled. Flash Error - Enables an alarm when the system detects an error with the flash drive hardware. By default, this alarm is enabled. IPMI - Enables an alarm and sends an email notification if an Intelligent Platform Management Interface (IPMI) event is detected (not supported on all appliance models). This alarm triggers when there has been a physical security intrusion. These events trigger this alarm: •Chassis intrusion (physical opening and closing of the appliance case) •Memory errors (correctable or uncorrectable ECC memory errors) •Hard drive faults or predictive failures •Power supply status or predictive failures By default, this alarm is enabled. Memory Error - Enables an alarm and sends an email notification if a memory error is detected: for example, when a system memory stick fails. Power Supply - Enables an alarm and sends an email notification if an inserted power supply cord doesn’t have power, as opposed to a power supply slot with no power supply cord inserted. By default, this alarm is enabled.
Licensing	Enables an alarm and sends an email notification if a license on the SCC is removed, is about to expire, has expired, or is invalid. This alarm triggers if the SCC has no MSPEC license installed for its currently configured model. •Autolicense critical event - This alarm triggers on an appliance when the Riverbed Licensing Portal can’t respond to a license request with valid licenses. •Autolicense information event - This alarm triggers if an information event for autolicense occurs, for example, when the portal returns licenses that are associated with a token that has been used on a different appliance. •Insufficient Appliance Management License(s) - This alarm triggers if the SCC has insufficient license(s). •Invalid License(s) - This alarm triggers if one or more licenses are invalid. •License(s) Expired - This alarm triggers if one or more features have at least one license installed, but all of them are expired. •License(s) Expiring - This alarm triggers if the license for one or more features is going to expire within two weeks. •License(s) Missing - This alarm triggers if one or more licenses are missing. Note: The licenses expiring and licenses expired alarms are triggered per feature. For example, if you install two license keys for a feature, LK1-FOO-xxx (expired) and LK1-FOO-yyy (not expired), the alarms don’t trigger, because the feature has one valid license. By default, this alarm is enabled.
Link Duplex	Enables an alarm and sends an email notification when an interface wasn’t configured for half-duplex negotiation but has negotiated half-duplex mode. Half-duplex significantly limits the optimization service results. The alarm displays which interface is triggering the duplex alarm. •Interface aux Half-Duplex - Select to enable an alarm on this interface. •Interface primary Errors - Select to enable an alarm on this interface. The alarm displays which interface is triggering the duplex alarm. By default, this alarm is enabled.
Link I/O Errors	Enables an alarm and sends an email notification when the link error rate exceeds 0.1 percent while either sending or receiving packets. This threshold is based on the observation that even a small link error rate reduces TCP throughput significantly. A properly configured LAN connection experiences very few errors. •Interface aux Half-Duplex - Select to enable an alarm on this interface. •Interface primary Errors - Select to enable an alarm on this interface. The alarm clears when the rate drops below 0.05 percent. You can change the default alarm thresholds by entering the alarm linkers threshold xxxxx CLI command at the system prompt. For details, see the Riverbed Command-Line Interface Reference Manual. By default, this alarm is enabled.
Link State	Enables an alarm and sends an email notification if an Ethernet link is lost due to a network event. Depending on that link is down, the system can no longer be optimizing and a network outage could occur. •Interface aux Down- Select to enable an alarm on this interface. •Interface primary Down - Select to enable an alarm on this interface. This alarm is often caused by surrounding devices, like routers or switches, interface transitioning. It also accompanies service or system restarts on the appliance. For WAN/LAN interfaces, the alarm triggers if in-path support is enabled for that WAN/LAN pair. By default, this alarm is disabled.
Memory Paging	Enables the memory paging alarm. If 100 pages are swapped every couple of hours, the system is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at https://support.riverbed.com. By default, this alarm is enabled.
Process Dump Creation Error	Enables an alarm that indicates that the system has detected an error while trying to create a process dump. To correct the issue, contact Riverbed Support at https://support.riverbed.com.
SCC Configuration Backup	Enables an alarm when an SCC configuration backup occurs.
SCC External Configuration Backup/Restore	Enables an alarm when an SCC external configuration backup and restore failure occurs.
SCC External Statistics Backup/Restore	Enables an alarm when an SCC statistics backup and restore failure occurs.
Secure Vault	Enables an alarm and sends an email notification if the system encounters a problem with the secure vault: •Secure Vault Locked - Indicates that the secure vault is locked. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked.
SSL	Enables an alarm if an error is detected in your SSL configuration. By default, this alarm is enabled.
Temperature	Enables an alarm when the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the rising alarm is cleared. •Critical Temperature - Enables an alarm and sends an email notification if the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the critical alarm is cleared. The default value for the rising threshold temperature is 70ºC; the default reset threshold temperature is 67ºC. •Warning Temperature - Enables an alarm and sends an email notification if the CPU temperature approaches the rising threshold. When the CPU returns to the reset threshold, the warning alarm is cleared. –Rising Threshold - Specify the rising threshold (ºC). When an alarm reaches the rising threshold, it is activated. The default value is 70ºC. –Reset Threshold - Specify the reset threshold (ºC). When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it isn’t triggered again until it has fallen below the reset threshold. The default value is 67ºC.

3. Under SCC Managed Appliance Alarms, complete the configuration as described in this table.

Control	Description
Appliance too slow to respond	Enables an alarm when the appliance is too slow to respond. By default, this alarm is enabled.
Configuration Change	Enables an alarm when a configuration change is detected. By default, this alarm is enabled.
Duplex Interface	Enables an alarm when the appliance duplex interface is detected.
High Appliance Usage Warning	Enables an alarm when high appliance usage is detected. •Connection Limit Warning - Enables an alarm when a connection limit is detected. By default, this alarm is enabled.
PFS and RSP enabled together	Enables an alarm when PFS and RSP are enabled together. By default, this alarm is enabled.
Time drift	Enables an alarm when time drift is detected. By default, this alarm is enabled.
Too Many Half Open/Closed Connections	Enables an alarm when too many half-opened or half-closed connections are active. By default, this alarm is enabled.
Unmanaged Appliances	You can set these alarms for unmanaged appliances: •Add Unmanaged Peer Exceptions - Select to enable an alarm when the SCC detects unmanaged peers. •Ignore Peer - Select to enable an alarm when a peer is ignored. •Comment - Optionally, specify a comment.
Apply	Applies your settings to the running configuration.

4. Click Save to Disk to save your settings permanently.

To add an unmanaged peer exception

1. Under CMC Managed Appliance Alarms, click + Add Unmanaged Peer Exception to display the controls.

2. Complete the configuration as described in this table.

Control	Description
Ignore Peer	Specify the IP address to suppress the alarm of the peer that’s unmanaged.
Comment	Type a description to help you identify the unmanaged peer.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

Related topic

•Viewing performance details reports

Configuring SNMP basic settings

You configure SNMP basic contact and trap receiver settings to allow events to be reported to an SNMP agent in the SNMP Basic page.

Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The default system configuration doesn’t include SNMP traps.

RiOS 7.0 and later provide support for these SNMP versions:

•SNMPv1

•SNMPv2c

•SNMPv3, that provides authentication through the User-based Security Model (USM).

•View-Based Access Control Mechanism (VACM), that provides richer access control.

•SNMPv3 authentication using AES 128 and DES encryption privacy.

You set the default community string on the SNMP Basic page. To set more than one SNMP community string, see the Riverbed Knowledge Base article S16345 Can I Have More Than One SNMP Community String?

For details about SNMP traps sent to configured servers, see SNMP traps.

To set SNMP Basic parameters

1. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.

Setting SNMP basic

2. Under SNMP Server Settings, complete the configuration as described in this table.

Control	Description
Enable SNMP Traps	Enables event reporting to an SNMP entity.
System Contact	Specify the username for the SNMP contact.
System Location	Specify the physical location of the SNMP system.
Read-Only Community String	Specify a password-like string to identify the read-only community: for example, public. This community string overrides any VACM settings. Community strings can’t contain the pound sign (#).
Apply	Applies your settings to the running configuration.

To add or remove a trap receiver

1. Under Trap Receivers, complete the configuration as described in this table.

Control	Description
Add a New Trap Receiver	Displays the controls to add a new trap receiver.
Receiver	Specify the destination IPv4 or IPv6 address or hostname for the SNMP trap. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Destination Port	Specify the destination port.
Receiver Type	Select SNMPv1, v2c, or v3 (user-based security model).
Remote User	(Appears only when you select v3.) Specify a remote username.
Authentication	(Appears only when you select v3). Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Authentication Protocol	(Appears only when you select v3.) Select an authentication method from the drop-down list: •MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value. •SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Password/Password Confirm	(Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Security Level	(Appears only when you select v3.) Determines whether a single atomic message exchange is authenticated. Select one of these levels from the drop-down list: •No Auth - Doesn’t authenticate packets and doesn’t use privacy. This is the default setting. •Auth - Authenticates packets but doesn’t use privacy. •AuthPriv - Authenticates packets using AES 128 and DES to encrypt messages for privacy. Note: A security level applies to a group, not to an individual user.
Privacy Protocol	(Appears only when you select v3 and AuthPriv.) Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy	(Appears only when you select v3 and AuthPriv.) Select Same as Authentication Key, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication Key.
Privacy Password	(Appears only when you select v3 and Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
MD5/SHA Key	(Appears only when you select v3 and Authentication as Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Privacy MD5/SHA Key	(Appears only when you select v3 and Privacy as Supply a Key.) Specify the privacy authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Community	For v1 or v2 trap receivers, specify the SNMP community name. For example, public or private v3 trap receivers need a remote user with an authentication protocol, a password, and a security level.
Enable Receiver	Select to enable the new trap receiver. Clear to disable the receiver.
Add	Adds a new trap receiver to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.

2. Click Save to Disk to save your settings permanently.

To test an SNMP trap

1. Choose Administration > System Settings: SNMP Basic to display the SNMP Basic page.

2. Under SNMP Trap Test, click Run.

Configuring SNMPv3

SNMPv3 provides additional authentication and access control for message security: for example, you can verify the identity of the SNMP entity (manager or agent) sending the message.

RiOS 7.0 supports SNMPv3 message encryption for increased security.

Using SNMPv3 is more secure than using SNMPv1 or v2; however, it requires more configuration steps to provide the additional security features.

Basic steps

1. Create the SNMP-server users. Users can be authenticated using either a password or a key.

2. Configure SNMP-server views to define which part of the SNMP MIB tree is visible.

3. Configure SNMP-server groups, which map users to views, allowing you to control who can view what SNMP information.

4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request.

To create users for SNMPv3

1. Choose Administration > System Settings: SNMP v3 to display the SNMP v3 page.

Setting SNMPv3

2. Under Users, complete the configuration as described in this table.

Control	Description
Add a New User	Displays the controls to add a new user.
User Name	Specify the username.
Authentication Protocol	Select an authentication method from the drop-down list: •MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value. •SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.
Authentication	Optionally, select either Supply a Password or Supply a Key to use while authenticating users.
Password/Password Confirm	Specify a password. The password must have a minimum of eight characters. Confirm the password in the Password Confirm text box.
Use Privacy Option	Select to use SNMPv3 encryption.
Privacy Protocol	Select either the AES or DES protocol from the drop-down list. AES uses the AES128 algorithm.
Privacy	Select Same as Authentication, Supply a Password, or Supply a Key to use while authenticating users. The default setting is Same as Authentication.
Privacy Password	(Appears only when you select Supply a Password.) Specify a password. The password must have a minimum of eight characters. Confirm the password in the Privacy Password Confirm text box.
Key	(Appears only when you select Supply a Key.) Specify a unique authentication key. The key is an MD5 or SHA-1 digest created using md5sum or sha1sum.
MD5/SHA Key	(Appears only when you select Supply a Key.) Specify a unique authentication key. The key is either a 32-hexadecimal digit MD5 or a 40-hexadecimal digit SHA digest created using md5sum or sha1sum.
Add	Adds the user.
Remove Selected	Select the check box next to the name and click Remove Selected.

3. Click Save to Disk to save your settings permanently.

Configuring SNMP authentication and access control

You configure SNMP ACL contact settings to allow events to be reported to an SNMP agent in the SNMP ACLs page.

The features on this page apply to SNMPv1, v2c, and v3 unless noted otherwise:

•Security Names - Identify an individual user (v1 or v2c only).

•Secure Groups - Identify a security-name, security model by a group, and referred to by a group name.

•Secure Views - Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs: for example, some users have access to critical read/write control data, while some users have access only to read-only data.

•Security Models - A security model identifies the SNMP version associated with a user for the group in which the user resides.

•Secure Access Policies - Defines who gets access to which type of information. An access policy is composed of <group-name, security-model, security-level, read-view-name>.

An access policy is the configurable set of rules, based on which the entity decides how to process a given request.

To set secure usernames

1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.

Setting SNMP ACLs secure names

2. Under Security Names, complete the configuration as described in this table.

Control	Description
Add a New Security Name	Displays the controls to add a security name.
Security Name	Specify a name to identify a requester allowed to issue gets and sets (v1 and v2c only). The specified requester can make changes to the view-based access-control model (VACM) security name configuration. This control doesn’t apply to SNMPv3 queries. To restrict v3 USM users from polling a particular subnet, use the RiOS Management ACL feature, located in the Administration > Security: Management ACL page. Traps for v1 and v2c are independent of the security name.
Community String	Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the SteelHead. Community strings don’t allow printable 7-bit ASCII characters, except for white spaces. Also, the community strings can’t begin with a pound sign (#) or a hyphen (-). If you specify a read-only community string (located in the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this isn’t desired, delete the read-only community string. To create multiple SNMP community strings on a SteelHead, leave the default public community string and then create a second read-only community string with a different security name. You can also delete the default public string and create two new SNMP ACLs with unique names.
Source IP Address and Mask Bits	Specify the host IPv4 or IPv6 address and mask bits to which you permit access using the security name and community string.
Add	Adds the security name.
Remove Selected	Select the check box next to the name and click Remove Selected.

To set secure groups

1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.

Setting SNMP ACLs groups

2. Under Groups, complete the configuration as described in this table.

Control	Description
Add a New Group	Displays the controls to add a new group.
Group Name	Specify a group name.
Security Models and Name Pairs	Click the + and select a security model from the drop-down list: •v1 or v2c - Displays another drop-down list. Select a security name. •v3 (usm) - Displays another drop-down list. Select a user. To add another Security Model and Name pair, click the plus sign (+).
Add	Adds the group name and security model and name pairs.
Remove Selected	Select the check box next to the name and click Remove Selected.

3. Click Save to Disk to save your settings permanently.

To set secure views

1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.

Setting SNMP ACLs views

2. Under Views, complete the configuration as described in this table.

Control	Description
Add a New View	Displays the controls to add a new view.
View Name	Specify a descriptive view name to facilitate administration.
Includes	Specify the Object Identifiers (OIDs) to include in the view, separated by commas. For example, .1.3.6.1.4.1. By default, the view excludes all OIDs. You can specify .iso or any subtree or subtree branch. You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model
Excludes	Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add	Adds the view.
Remove Selected	Select the check box next to the name and click Remove Selected.

To add an access policy

1. Choose Administration > System Settings: SNMP ACLs to display the SNMP ACLs page.

Setting SNMP ACLs access policies

2. Under Access Policies, complete the configuration as described in this table.

Control	Description
Add a New Access Policy	Displays the controls to add a new access policy.
Group Name	Select a group name from the drop-down list.
Security Level	Determines whether a single atomic message exchange is authenticated. Select one of these from the drop-down list: •No Auth - Doesn’t authenticate packets and doesn’t use privacy. This is the default setting. •Auth - Authenticates packets but doesn’t use privacy. •AuthPriv - Authenticates packets using AES or DES to encrypt messages for privacy. A security level applies to a group, not to an individual user.
Read View	Select a view from the drop-down list.
Add	Adds the policy to the policy list.
Remove Selected	Select the check box next to the name and click Remove Selected.

3. Click Save to Disk to save your settings permanently.

Configuring email notification

You can configure email notification for events and failures in the Email page.

By default, email addresses aren’t specified for event and failure notification.

To set event and failure email notification

1. Choose Administration > System Settings: Email to display the Email page.

Setting email notification

2. Under Email Notification, complete the configuration as described in this table.

Control	Description
SMTP Server	Specify the SMTP server. You must have external DNS and external access for SMTP traffic for this feature to function. The SCC doesn’t support IPv6 addresses to specify an SMTP server. For sending email over IPv6, you should specify the hostname of the email server. Note: Make sure you provide a valid SMTP server to ensure that the users you specify receive email notifications for events and failures.
SMTP Port	Specify the port number for the SMTP server. Typically you don’t need to change the default port 25.
Report Events via Email	Select this option to report alarm events through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars. These alarms are events: •Admission control •CPU utilization (rising threshold, reset threshold) •Temperature (rising threshold, reset threshold) •Data store wrap frequency •Domain authentication alert •Network interface duplex errors •Network interface link errors •Fan error •Flash error •Hardware error •IPMI •Licensing •Memory error •Neighbor incompatibility •Network bypass
	•NFSv2/v4 alarm •Non-SSL servers detected on upgrade •Optimization service (general service status, optimization service) •Extended memory paging activity •Secure vault •System disk full •Software version mismatch •Storage profile switch failed •TCP Stop Trigger scan has started •Asymmetric routes •Expiring SSL certificates •SSL peering certificate SCEP automatic reenrollment •Connection forwarding (ACK timeout, failure, lost EOS, lost ERR, keepalive timeout, latency exceeded, read info timeout) •Prepopulation or Proxy File Service •VSP general alarm •Storage profile switch failed •TCP Stop Trigger scan has started •Asymmetric routes •Expiring SSL certificates •SSL peering certificate SCEP automatic reenrollment •Connection forwarding (ACK timeout, failure, lost EOS, lost ERR, keepalive timeout, latency exceeded, read info timeout) •Prepopulation or Proxy File Service •VSP general alarm
Report Failures via Email	Select this option to report alarm failures through email. Specify a list of email addresses to receive the notification messages. Separate addresses by spaces, semicolons, commas, or vertical bars. These alarms are failures: •Data store corruption •System details report •Domain join error •RAID •Optimization service - unexpected halt •Critical temperature •Disk error •SSD wear warning
Override Default Sender’s Address	Select this option to configure the SMTP protocol for outgoing server messages for errors or events. Specify a list of email addresses to receive the notification messages. Separate addresses by commas. You can also configure the outgoing email address sent to the client recipients. The default outgoing address is do-not-reply@hostname.domain. If you don’t specify a domain the default outgoing email is do-not-reply@hostname. You can configure the host and domain settings in the Networking > Networking: Host Settings page.
Report Failures to Technical Support	Select this option to report serious failures such as system crashes to Riverbed Support. We recommend that you activate this feature so that problems are promptly corrected. Note: This option doesn’t automatically report a disk drive failure. In the event of a disk drive failure, contact Riverbed Support at support@riverbed.com.
Apply	Applies your settings to the running configuration.

3. Click Save to save your settings permanently.

Configuring log settings

You set up local and remote logging in the Logging page.

By default, the system rotates each log file every 24 hours or when the file size reaches one Gigabyte uncompressed. You can change this to rotate every week or month and you can rotate files based on size.

The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log # 1, and starts a new current-day log file.

To set up logging

1. Choose Administration > System Settings: Logging to display the Logging page.

Setting logging

2. Under Logging Configuration, complete the configuration as described in this table.

Control	Description
Minimum Severity	Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list: •Emergency - The system is unusable; action must be taken immediately. •Alert - Action must be taken immediately. •Critical - Conditions that affect the functionality of the SteelHead. •Error - Conditions that probably affect the functionality of the SteelHead. •Warning - Conditions that could affect the functionality of the SteelHead, such as authentication failures. •Notice - Normal but significant conditions, such as a configuration change. This is the default setting. •Info - Informational messages that provide general information about system operations. Note: This control applies to the system log only. It doesn’t apply to the user log.
Maximum Number of Log Files	Specify the maximum number of logs to store. The default value is 10.
Lines Per Log Page	Specify the number of lines per log page. The default value is 100.
Rotate Based On	Specifies the rotation option: •Time - Select Day, Week, or Month from the drop-down list. The default setting is Day. •Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB. Note: The log file size is checked at 10-minute intervals. If there is an unusually large amount of logging activity, it is possible for a log file to grow larger than the set disk space limit in that period of time.
Apply	Applies your setting to the running configuration.

To add a remote log server

1. Choose Administration > System Settings: Logging to display the Logging page.

Adding remote log servers

2. Complete the configuration as described in this table.

Control	Description
Add a New Log Server	Displays the controls for configuring new log servers.
Server IP or Hostname	Specify the server IP address. The IP address can be either IPv4 or IPv6. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Minimum Severity	Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list: •Emergency - The system is unusable; action must be taken immediately. •Alert - Action must be taken immediately. •Critical - Conditions that affect the functionality of the SteelHead. •Error - Conditions that probably affect the functionality of the SteelHead. •Warning - Conditions that could affect the functionality of the SteelHead, such as authentication failures. •Notice - Normal but significant conditions, such as a configuration change. This is the default setting. •Info - Informational messages that provide general information about system operations.
Add	Adds the server to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.

To rotate logs

1. Choose Administration > System Settings: Logging to display the Logging page.

2. Under Log Actions, click Rotate Logs. After the logs are rotated, this message appears:

“Logs have been successfully rotated.”

The log file #1 may include data for only a partial day because the logs haven’t completed the current 24-hour period.

Configuring per-process logging

You can filter a log by one or more applications or one or more processes. This is particularly useful when capturing data at a lower severity level where an SCC might not be able to sustain the flow of logging data the service is committing to disk.

To filter a log

1. Choose Administration > System Settings: Logging to display the Logging page.

Per-process logging

2. Under Per-Process Logging, complete the configuration as described in this table.

Control	Description
Add a New Process Logging Filter	Displays the controls for adding a process level logging filter.
Process	Select a process to include in the log from the drop-down list: •alarmd - Alarm control and management. •cifs - CIFS Optimization. •cmcfc - CMC automatic registration utility. •rgp - SCC connector, which handles SCC appliance communication. •rgpd - SCC client daemon, the connection manager. •cli - Command-line interface. •mgmtd - Device control and management, which directs the entire device management system. It handles message passing between various management daemons, managing system configuration and general application of system configuration on the hardware underneath through the Hardware Abstraction Layer Daemon (HALD). •http - HTTP optimization. •hald - Hardware Abstraction Layer Daemon, which handles access to the hardware. •notes - Lotus Notes optimization. •mapi - MAPI optimization. •nfs - NFS optimization. •pm - Process Manager, which handles launching of internal system daemons and keeps them up and running. •sched - Process Scheduler, which handles one-time scheduled events. •virtwrapperd - VSP VMWare interface. •vspd - VSP Watchdog. •statsd - Statistics Collector, which handles queries and storage of system statistics. •wdt - Watchdog Timer, the motherboard watchdog daemon. •webasd - Web Application Process, which handles the web user interface. •domain auth - Windows Domain Authentication.
Minimum Severity	Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of these levels from the drop-down list: •Emergency - The system is unusable; action must be taken immediately. •Alert - Action must be taken immediately. •Critical - Conditions that affect the functionality of the SteelHead. •Error - Conditions that probably affect the functionality of the SteelHead. •Warning - Conditions that could affect the functionality of the SteelHead, such authentication failures. •Notice - Normal but significant conditions, such as a configuration change. •Info - Informational messages that provide general information about system operations.
Add	Adds the filter to the list. The process now logs at the selected severity and higher level.
Remove Selected	Select the check box next to the name and click Remove Selected to remove the filter.

3. Click Save to Disk to save your settings permanently.

Changing the account password

You can change the password in the My Account page.

You must be logged in as the administrator user to change the administrator password.

The My Account page enables you to restore user preferences. User preferences are set for individual users and don’t affect the appliance configuration.

If any user preference settings result in an unsafe state, the SCC can’t display the page.

To change the my account password

1. Choose Administration > System Settings: My Account to display the My Account page.

Setting the account password

2. Under Password, complete the configuration as described in this table.

Control	Description
Change Password	Specify this option to change the password.
New Password	Specify a new password.
Confirm New Password	Confirm the new password.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

User preferences are used to remember the state of the Management Console across sessions on a per-user basis. They don’t affect the configuration of the appliance.

To restore user preferences

1. Under User Preferences, click Restore Defaults.

2. Click Save to Disk to save your settings permanently.

Managing configuration files

You can save, activate, and import configurations in the Configurations page.

Each SCC has an active, running configuration and a written, saved configuration.

When you apply your settings in the SCC, the values are applied to the active running configuration, but the values aren’t written to disk and saved permanently.

When you save your configuration settings, the values are written to disk and saved permanently. They take effect after you restart the RiOS services to which the configuration was pushed.

Each time you save your configuration settings, they’re written to the current running configuration, and a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is backed up to myconfig.bak and myconfig is overwritten with the current configuration settings.

The Configuration Manager is a utility that enables you to save configurations as backups or to activate configuration backups. For detailed information, see the SteelHead User Guide for SteelHead CX.

Some configuration settings require that you to restart the SCC service for the settings to take effect. For details about restarting the appliance service, see “Rebooting and shutting down the SCC” on page 174.

To manage configurations

1. Choose Administration > System Settings: Configurations to display the Configurations page.

Managing configurations

2. Complete the configuration as described in this table.

Control	Description
Current Configuration: <configuration name>	View Running Config - Displays the running configuration settings in a new browser window. Save - Saves settings that have been applied to the running configuration. Revert - Reverts your settings to the running configuration.
Save Current Configuration	Specify a new filename to save settings that have been applied to the running configuration as a new file, and then click Save As.

To import a configuration

1. Choose Administration > System Settings: Configurations to display the Configurations page.

Importing a configuration

2. Complete the configuration as described in this table.

Control	Description
Import a New Configuration	Displays the controls for importing a new configuration.
IP/Hostname	Specify the IP address or hostname of the SteelHead from which you want to import the configuration.
Remote Admin Password	Specify the administrator password for the remote SteelHead.
Remote Config Name	Specify the name of the configuration you want to import from the remote SteelHead.
New Config Name	Specify a new, local configuration name.
Import Shared Data Only	Takes a subset of the configuration settings from the imported configuration and combines them with the current configuration to create a new configuration. Import shared data is enabled by default.
Import	When the Import Shared Data Only check box is selected, activates the imported configuration and makes it the current configuration. This is the default. When the Import Shared Data Only check box isn’t selected, adds the imported configuration to the Configuration list. It doesn’t become the active configuration until you select it from the list and click Activate.
Remove Selected	Select the check box next to the name and click Remove Selected.
To Change Active Configuration	Under Change Active Configuration, select the configuration to activate from the drop-down list and click Activate.

3. Click Save to Disk to save your settings permanently.

Tip: Click the configuration name to display the configuration settings in a new browser window.

To change the active configuration

1. Choose Administration > System Settings: Configurations to display the Configurations page.

2. Under Change Active Configuration, select the configuration from the drop-down list and click Activate.

Configuring security settings

This section describes how to configure security settings in the SCC. This section includes these topics:

•Configuring general security settings

•Configuring SCC security

•Importing a certificate authority

•Importing CAs into the trusted CA store

•Managing user permissions

•Configuring password policy

•Setting RADIUS servers

•Configuring TACACS+ access

•Configuring SAML

•Unlocking the secure vault

•Configuring a management ACL

•Configuring web settings

•Enabling REST API access

Configuring general security settings

You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the General Security Settings page.

Make sure to put the authentication methods in the order in that you want authentication to occur. If authorization fails using the first method, the next method is attempted, and so forth, until all the methods have been attempted.

Tip: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add these attribute to users on the TACACS+ server:
service = rbt-exec {
local-user-name = "monitor"
}
where you replace monitor with admin for write access.

For details about setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.

To set general security settings

1. Choose Administration > Security: General Security Settings to display the General Security Settings page.

Configuring general security settings

2. Under Authentication Methods, complete the configuration as described in this table.

Control	Description
Authentication Methods	Specifies the authentication method. Select an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so on, until all of the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable.	Specifies that the SteelHead falls back to a RADIUS or TACACS+ server only when all other servers don’t respond. This is the default setting. You must select this option if you want a safety account login on AAA servers that are unreachable. When this feature is disabled, the SteelHead doesn’t fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and doesn’t get a response, it returns a server failure.
Safety Account	Creates a safety account so that admin/sys admin users can login to the SCC even if remote authentication servers are unreachable. A safety account increases security and conforms to Defense Information Systems Agency (DISA) requirements. Only the selected safety account will be allowed to login in cases where the AAA server isn’t reachable. (Only one user can be assigned to the safety account.) You can create a system administrator user in the Administrator > Security: User Permissions page. For details, see “Managing user permissions” on page 128.
Safety Account User	Select the user from the drop-down list.
Authorization Policy	Appears only for some Authentication Methods. Optionally, select one of these policies from the drop-down list: •Remote First - Check the remote server first for an authentication policy, and only check locally if the remote server doesn’t have one set. This is the default behavior. •Remote Only - Checks the remote server. •Local Only - Checks the local server. All remote users are mapped to the user specified. Any vendor attributes received by an authentication server are ignored.
Default User	Select the default user from the drop-down box.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

Related topic

•Configuring password policy

Configuring password policy

You can change the password policy and strength in the Password Policy page.

Selecting a password policy

You can choose one of these password policy templates, depending on your security requirements:

•Strong - Sets the password policy to more stringent enforcement settings. Selecting this template automatically prepopulates the password policy with stricter settings commonly required by higher security standards such as for the Department of Defense.

•Basic - Reverts the password policy to its predefined settings so you can customize your policy.

To set a password policy

1. Choose Administration > Security: Password Policy to display the Password Policy page.

Setting a password policy

2. Select the Enable Account Control check box to set a password policy. Enabling account control makes password use mandatory.

Passwords for all users expire as soon as account control is enabled. Account control forces all users to create new passwords that follow the password requirements defined in the password policy. All new passwords are then controlled by the password policy.

The passwords also expire after the number of days specified by the administrator in the Password Policy page. As a consequence of this change, when users try to log in to the Management Console and their password has expired, the Expired Password page asks them to change their password. After they change their password, the system automatically logs them in to the Management Console.

RiOS doesn’t allow empty passwords when account control is enabled.

3. Optionally, select either the Basic or Strong template. When you select the basic template, the system prepopulates the page with the secure settings. Also, the system prompts a user logging into the SteelHead after 60 days to change their password. By default, RiOS locks out a user logging into the SteelHead after 300 days without a password change. After the system locks them out, an administrator must unlock the user account. For details, see “Unlocking an account” on page 139.

4. Under Password Management, complete the configuration as described in this table.

Control	Description
Login Attempts Before Lockout	Specify the maximum number of unsuccessful login attempts before temporarily blocking user access to the SteelHead appliance. The user is prevented from further login attempts when the number is exceeded. The default for the strong security template is 3. The lockout expires after the amount of time specified in Timeout for User Login After Lockout elapses.
Timeout for User Login After Lockout	Specify the amount of time, in seconds, that must elapse before a user can attempt to log in after an account lockout due to unsuccessful login attempts. The default for the strong security template is 300.
Days Before Password Expires	Specify the number of days the current password remains in effect. The default for the strong security template is 60. To set the password expiration to 24 hours, specify 0. To set the password expiration to 48 hours, specify 1. Leave blank to turn off password expiration.
Days to Warn User of an Expiring Password	Specify the number of days the user is warned before the password expires. The default for the strong security template is 7.
Days to Keep Account Active After Password Expires	Specify the number of days the account remains active after the password expires. The default for the strong security template is 305. When the time elapses, RiOS locks the account permanently, preventing any further logins.
Days Between Password Changes	Specify the minimum number of days before which passwords can’t be changed.
Minimum Interval for Password Reuse	Specify the number of password changes allowed before a password can be reused. The default for the strong security template is 5.
Enable Temporary Password Setting	Specify a temporary password to improve security and to conform to Defense Information Systems Agency (DISA) requirements. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, then the password set by Admin/Sys Admin for the new user shall expire on the first log in of the new user. A password expired page will appear for new users after the first login. If a temporary password is set and the Admin/Sys Admin resets the password for the existing user, the password will expire at the first log in after the reset. A password expired page will appear for existing users upon the first login after a password reset.

5. Under Password Characteristics, complete the configuration as described in this table.

Control	Description
Minimum Password Length	Specify the minimum password length. The default for the strong security template is 14 alphanumeric characters.
Minimum Uppercase Characters	Specify the minimum number of uppercase characters required in a password. The default for the strong security template is 1.
Minimum Lowercase Characters	Specify the minimum number of lowercase characters required in a password. The default for the strong security template is 1.
Minimum Numerical Characters	Specify the minimum number of numerical characters required in a password. The default for the strong security template is 1.
Minimum Special Characters	Specify the minimum number of special characters required in a password. The default for the strong security template is 1.
Minimum Character Differences Between Passwords	Specify the minimum number of characters that must be changed between the old and new password. The default for the strong security template is 4.
Maximum Consecutively Repeating Characters	Specify the maximum number of times a character can occur consecutively.
Prevent Dictionary Words	Select to prevent the use of any word that’s found in a dictionary as a password. By default, this control is enabled.
Apply	Applies your settings to the running configuration.

6. Click Save to Disk to save your settings permanently.

Unlocking an account

RiOS temporarily locks out an account after a user exceeds the configured number of login attempts.

Account lockout information appears on the User Permissions page.

When an account is locked out, the lockout ends after one of these events:

•The configured lockout time elapses.

•The administrator unlocks the account. RiOS never locks out administrator accounts.

To unlock an account

1. Log in as an administrator (admin).

2. Choose Administration > Security: User Permissions to display the User Permissions page.

3. Click Clear Login Failure Details.

When the user logs into their account successfully, RiOS resets the login failure count.

Resetting an expired password

RiOS temporarily locks out an account when its password expires. Passwords expire for one of these reasons:

•An administrator enables Account Control.

•The expiration time for a password elapses.

•An administrator disables a user account and then enables it.

•An administrator uses a CLI command to encrypt a password.

After a user password expires, the user must update their password within the number of days specified in Days to Keep Account Active After Password Expires. The default value is 305 days. After the time elapses, RiOS locks the account permanently, preventing any further logins.

To reset the password and unlock the account

1. Log in as an administrator (admin).

2. Choose Administration > Security: User Permissions to display the User Permissions page.

3. Click Clear Login Failure Details.

4. Type and confirm the new password and click Change Password.

Related topic

•Managing user permissions

Setting RADIUS servers

You set RADIUS server authentication in the RADIUS page.

RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional.

Enabling this feature is optional.

To set RADIUS server authentication

1. Choose Administration > Security: RADIUS to display the RADIUS page.

Setting RADIUS and adding RADIUS servers

2. Under Default RADIUS Settings, complete the configuration as described in this table.

Control	Description
Set a Global Default Key	Enables a global server key for the RADIUS server.
Global Key	Specify the global server key.
Confirm Global Key	Confirm the global server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. The default value is 1.
Apply	Applies your settings to the running configuration.

To add a new RADIUS Server

1. Under RADIUS server, complete the configuration as described in this table.

Control	Description
Add a RADIUS Server	Displays the controls to add a RADIUS server.
Hostname or IP Address	Specify the hostname or server IP address. The IP address can be either IPv4 or IPv6. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Authentication Port	Specify the port for the server.
Authentication Type	Select one of these authentication types: •PAP - Password Authentication Protocol (PAP), which validates users before allowing them access to the RADIUS server resources. PAP is the most flexible protocol but is less secure than CHAP. •CHAP - Challenge-Handshake Authentication Protocol (CHAP), which provides better security than PAP. CHAP validates the identity of remote clients by periodically verifying the identity of the client using a three-way handshake. This validation happens at the time of establishing the initial link and might happen again at any time. CHAP bases verification on a user password and transmits an MD5 sum of the password from the client to the server. •MS-CHAPv2 - MS-CHAP is the Microsoft version of CHAP. MS-CHAPv2 is a more secure authentication protocol than PAP or CHAP. (CHAP uses MD5 while MS-CHAPv2 uses MD4 and SHA-1 which might not be FIPS compliant.)
Override the Global Default Key	Overrides the global server key for the server.
	Server Key - Specify the override server key.
	Confirm Server Key - Confirm the override server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default value is 1.
Enabled	Enables the new server.
Add	Adds the RADIUS server to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.

2. Click Save to Disk to save your settings permanently.

To modify RADIUS server settings, click the server IP address in the list of radius servers. Use the Status drop-down list to enable or disable a server in the list.

Configuring TACACS+ access

You set up TACACS+ server authentication in the TACACS+ page.

TACACS+ is an authentication protocol that allows a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system.

Enabling this feature is optional.

For details about configuring RADIUS and TACACS+ servers to accept login requests from the SteelHead, see the SteelHead Deployment Guide.

To set a TACACS+ server

1. Choose Administration > Security: TACACS+ to display the TACACS+ page.

Setting TACACS+ and adding TACACS+ servers

2. Under Default TACACS+ Settings, complete the configuration as described in this table.

Control	Description
Set a Global Default Key	Enables a global server key for the server.
Global Key	Specify the global server key.
Confirm Global Key	Confirms the global server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
Apply	Applies your settings to the running configuration.

To add a TACACS+ server

1. Under TACACS+ Servers, complete the configuration as described in this table.

Control	Description
Add a TACACS+ Server	Displays the controls for adding a TACACS+ server.
Hostname or IP Address	Specify the hostname or server IP address.
Authentication Port	Specify the port for the server. The default value is 49.
Authentication Type	Select either PAP or ASCII as the authentication type. The default value is PAP.
Override the Global Default Key	Specify this option to override the global server key for the server.
Server Key	Specify the override server key.
Confirm Server Key	Confirm the override server key.
Timeout	Specify the time-out period in seconds (1 to 60). The default is 3.
Retries	Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
Enabled	Enables the new server.
Add	Adds the TACACS+ server to the list.
Remove Selected	Select the check box next to the name and click Remove Selected.

2. Click Save to Disk to save your settings permanently.

Related topic

•Configuring general security settings

Configuring SAML

You set up SAML in the Administration > Security: SAML page.

Security Assertion Markup Language (SAML) 2.0 is an XML standard that acts as an authentication interface between a SCC and an identity provider (IdP). You can use the IdP to provide additional requirements for authentication, which can be multi-factor authentication methods such as common access card (CAC) or personal identity verification (PIV).

When an SCC receives a login request, it determines if there is a local login available, and if so, the SCC provides access with the local credential. If SAML is enabled, user authentication through AAA is disabled and the SCC redirects the authentication request to the IdP. The IdP authenticates the user, informs the SCC of the verified identify, and redirects the user to the SCC, which allows access.

SAML authentication process

To enable IdP authentication, you configure the SCC and the IdP with XML metadata that provides detailed appliance identification. The metadata also establishes a trust relationship between the SCC and the IdP.

Administrators must add users to the IdP server to provide them login access, and those users need to correspond to SCC users. You can have one-to-one mapping of users between IdP and SCC, or you can have multiple users on IdP map to a single account on the SCC, such as the admin account. (You have to create individual user accounts on the SCC for one-to-one mapping as the user accounts determine the access permissions.)

You can enable SAML on a single appliance using the SAML page of that appliance (this procedure is an example of how to enable SAML in an SCC), or you can configure SAML in a policy and then push the policy across multiple appliances. For more details on how to configure SAML in a policy, see “Managing SAML” on page 279.

Before you enable SAML on a single appliance or on multiple appliances, you must configure IdP individually for each appliance because the IdP metadata required to enable SAML is unique for each appliance.

You must be logged in as the administrator to enable SAML.SCC

To enable SAML in SCC

1. Choose Administration > Security: SAML to display the SAML page.

Configuring IdP

2. Under Download SteelCentral Controller Metadata, select Download XML to download the SCC metadata in XML format.

The sp_metadata.xml file downloads to your local machine.

3. Configure SCC in your IdP.

Refer to the documentation for your IdP for specific instructions. In general, you complete these steps:

–Log in to the IdP website.

–Upload the metadata from the sp_metadata.xml file and provide any other required details.

–When the configuration is complete, download the IdP metadata.

4. In the SCC Management console, under SAML > IdP Configuration, configure the SAML request and response settings as described in this table.

Control	Description
IdP Metadata	Paste the IdP metadata you copied or received from the IdP website.
Security Settings	Sign Authentication Request - Select this option to have SCC sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by SCC allows the identity provider to verify that all login requests originate from a trusted service provider.
	Requires Signed Assertions - Select if SAML assertions must be signed. Some SAML configurations require signed assertions to improve security.
	Requires Encrypted Assertions - Select this option to indicate to the SAML identity provider that SCC requires encrypted SAML assertion responses. When this option is selected, the identity provider encrypts the assertion section of the SAML responses. Even though all SAML traffic to and from SCC is already encrypted by the use of HTTPS, this option adds another layer of encryption.
Attribute	User Name Attribute - Enter the name of the IdP variable that carries the username of the user. The user name attribute is mandatory and must be sent by your identify provider in the SAML response to align the login with a configured SteelHead account. Default value is samlNameId.
Attribute	Member of Attribute - Enter the name of the IdP variable that carries the role of the user. Default value is memberOf.

5. Click Apply to save your configuration settings.

Validating IdP

6. Under Validate the IdP Configuration, click Validate.

The IdP Validation window appears.

7. Click Go to IdP.

The IdP login page opens.

8. Log in to the IdP website.

The page indicates if your IdP configuration was successful.

9. After successful validation, return to the SAML page in the management console and select the Enable SAML check box and click Apply.

Tip: If the validation status on the SCC page does not update after a successful validation, reload the page to refresh the status.

With SAML enabled, all web login requests are redirected to the IdP.

10. Click Save to Disk to save your settings permanently.

If you make changes to the SAML settings after you validate the IdP configuration, you need to validate again with the new settings and enable SAML again.

Usage Notes

SAML authentications are only available in the Management Console web interface; they are not available through the CLI. Users can log in to a SAML-enabled SCC through the CLI but they are authenticated using the local, RADIUS, or TACACS+ authentication methods. We recommend that you set strong passwords for Riverbed appliances.

Troubleshooting

•If a user who has not been set up in the IdP tries to log in to the SCC, the login fails on the IdP login page. (This failed login is not tracked in the SCC logs.) Log in to SCC through CLI.

•If the user has been set up but their user role has not been defined in the IdP, the login succeeds but the SCC displays an error page (instead of the dashboard). Log in to SCC through CLI.

•If you cannot log in using SAML (for example, if the IdP server is unavailable), you can log in through the CLI and disable SAML using the no aaa saml enable command. Once SAML is disabled, you revert to the previously configured authentication method for the web interface. For command details, see the Riverbed Command-Line Interface Reference Manual.

•If SAML stopped working, in the Administration > Security: SAML page, click Apply. SAML authentication will be disabled for SCC. Then click Validate. The error message displayed can help you identify and fix the problem.

Unlocking the secure vault

You can unlock and change the password for the secure vault in the Secure Vault page.

The secure vault contains sensitive information from your SCC configuration, including SSL private keys and the RiOS data store encryption key. These configuration settings are encrypted on the disk at all times, using AES 256-bit encryption.

Initially the secure vault is keyed with a default password known only to the RiOS software. This enables the system to automatically unlock the vault during system start up. You can change the password, but the secure vault doesn’t automatically unlock upon start up. To optimize SSL connections or to use RiOS data store encryption, the secure vault must be unlocked.

To unlock or change the password of the secure vault

1. Choose Administration > Security: Secure Vault to display the Secure Vault page.

Unlocking the secure vault

2. Under Unlock Secure Vault, complete the configuration as described in this table.

Control	Description
Password	Specify a password and click Unlock Secure Vault. Initially the secure vault is keyed with a default password known only to the RiOS software. This enables the system to automatically unlock the vault during system start up. You can change the password, but the secure vault doesn’t automatically unlock on start up. To optimize SSL connections or to use RiOS data store encryption, you must unlock the secure vault.
Unlock Secure Vault	Unlocks the vault.

3. Under Change Password, complete the configuration as described in this table.

Control	Description
Current Password	Specify the current password. If you’re changing the default password that ships with the product, leave the text box blank.
New Password	Specify a new password for the secure vault.
New Password Confirm	Retype the new password for the secure vault.
Change Password	Changes the password to the new value.

4. Click Save to Disk to save your settings permanently.

Configuring a management ACL

You can secure access to an SCC using an internal management Access Control List (ACL) in the Management ACL page. SCCs are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can:

•restrict access to certain interfaces or protocols of an SCC.

•restrict inbound IP access to an SCC, protecting it from access by hosts that don’t have permission without using a separate device (such as a router or firewall).

•specify which hosts or groups of hosts can access and manage an SCC by IP address, simplifying the integration of SteelHeads into your network.

The management ACL provides these safeguards to prevent accidental disconnection from the SteelHead, the SCC, and the embedded Shark feature:

•It detects the IP address you’re connecting from and displays a warning if you add a rule that denies connections to that address.

•It always allows the default SteelHead ports 7800, 7801, 7810, 7820, and 7850.

•It always allows a previously connected SCC to connect and tracks any changes to the IP address of the SCC to prevent disconnection.

•It converts well-known port and protocol combinations, such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection: for example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.

•It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.

To set up a management ACL

1. Choose Administration > Security: Management ACL to display the Management ACL page.

Configuring management ACL and adding new rules

2. Under Management ACL Settings, complete the configuration as described in this table.

Control	Description
Enable Management ACL	Select this check box to enable the management ACL.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

Adding ACL management rules

The management ACL contains rules that define a match condition for an inbound IP packet. You set a rule to allow or deny access to a matching inbound IP packet. When you add a rule on an SCC, the destination specifies the SCC itself, and the source specifies a remote host.

The ACL rules list contains default rules that allow you to use the management ACL with branch service RiOS features, such as DNS caching. These default rules allow access to certain ports required by these features. The list also includes default rules that allow access to the SCC and the embedded Shark feature.

To add an ACL management rule

1. Under Management ACL Settings, complete the configuration as described in this table.

Control	Description
Add a New Rule	Displays the controls for adding a new ACL rule.
Action	Select one of these rule types from the drop-down list: •Allow - Allows a matching packet access to the SteelHead. This is the default action. •Deny - Denies access to any matching packets.
Service	Optionally, select Specify Protocol, or HTTP, HTTPS, SOAP, SNMP, SSH, Telnet. When specified, the Destination Port is dimmed.
Protocol	(Appears only when Service is set to Specify Protocol.) Optionally, select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Service and Destination Ports are dimmed.
Source Network	Optionally, specify the source subnet of the inbound packet: for example, 1.2.3.0/24.
Destination Port	Optionally, specify the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.
Interface	Optionally, select an interface name from the drop-down list. Select All to specify all interfaces.
Description	Optionally, describe the rule to facilitate administration.
Rule Number	Optionally, select a rule number from the drop-down list. By default, the rule goes to the end of the table (just above the default rule). SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. Note: The default rule, Allow, which allows all remaining traffic from everywhere that hasn’t been selected by another rule, can’t be removed and is always listed last.
Log Packets	Tracks denied packets in the log. By default, packet logging is enabled.
Add	Adds the rule to the list. The Management Console redisplays the Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected	Select the check box next to the name and click Remove Selected.
Move Selected	Moves the selected rules. Click the > next to the desired rule position; the rule moves to the new position.

2. Click Save to Disk to save your settings permanently.

If you add, delete, edit, or move a rule that could disconnect connections to the SCC, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.

Usage notes

•When you change the default port of services, such as SSH, HTTP, HTTPS, on either the client or server-side SCC and create a management ACL rule denying that service, the rule will not work as expected. The SCC on the other end (either server or client) of an in-path deployment doesn’t know that the default service port has changed, and consequently optimizes the packets to that service port. To work-around this problem, add a pass-through rule to the client-side SCC for the management interfaces. The pass-through rule prevents the traffic from coming from the local host when optimized.

•A management ACL rule that denies access from port 20 on the server-side SCC in an out of-path deployment prevents data transfer using active FTP. In this deployment, the FTP server and client can’t establish a data connection because the FTP server initiates the SYN packet and the management rule on the server-side SCC blocks the SYN packet. To work-around this problem:

–use passive FTP instead of active FTP. With passive FTP, the FTP client initiates both connections to the server.

- or -

–add a rule to either allow source port 20 on the server-side SteelHead or allow the IP address of the FTP server.

For detailed information about restoring default rule settings for PPS and RSP, see the SteelHead User Guide for SteelHead CX.

Configuring web settings

You can configure web user interface settings in the Web Settings page.

You can also manage SSL certificates used by the SCC in the Web Settings page:

•View certificate details.

•View certificate in PEM format.

•Replace a signed certificate by importing a certificate and private key or generating a self-signed certificate and new private key.

•Generate a certificate signing request (CSR).

To configure web settings

1. Choose Administration > Security: Web Settings to display the Web Settings page.

Configuring web settings

2. Under Web Settings, complete the configuration as described in this table.

Control	Description
Default Web Login ID	Specify the username that appears in the authentication page. The default value is admin.
Web Inactivity Timeout	Specify the number of idle minutes before time-out. The default value is 15. A value of 0 disables time-out.
Allow Session Timeouts When Viewing Auto-Refreshing Pages	By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear the Allow box to disable the session time-out, remain logged in indefinitely, and automatically refresh the report pages. Note: Disabling this feature poses a security risk.
Apply	Applies your settings to the running configuration.

3. Click Save to Disk to save your settings permanently.

To manage web certificates

1. Choose Administration > Security: Web Settings to display the Web Settings page. The identity certificate details are displayed.

2. Complete the configuration as described in this table.

Control	Description
Issued To/Issued By	Common Name - Specifies the common name of the certificate authority.
	Email - Specifies the organization email.
	Organization - Specifies the organization name (for example, the company).
	Locality - Specifies the city.
	State - Specifies the state.
	Country - Specifies the country.
Validity	Issued On - Specifies the date the certificate was issued.
Validity	Expires On - Specifies the date the certificate expires.
Fingerprint	Specifies the SSL fingerprint.
Key	Type - Specifies the key type.
Key	Size - Specifies the sizes in bytes.

3. To view the certificate in PEM format, under Web Certificate, select the PEM tab. The certificate appears in PEM format.

4. To replace an existing certificate, under Web Certificate, select the Replace tab, and complete the configuration as described in this table.

Control	Description
Import Certificate and Private Key	Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files. You can also use the text box to copy and paste a PEM file. The private key is required regardless of whether you’re adding or updating the certificate.
Certificate	Select the action. •Upload - Browse to the local file in PKCS-12, PEM, or DER formats. •Paste it here (PEM) - Copy and then paste the contents of a PEM file.
Private Key	Select the private key origin. •The Private Key is in a separate file (see below) - You can either upload it or copy and paste it. •This file includes the Certificate and Private Key •The Private Key for this Certificate was created with a CSR generated on this appliance.
Separate Private Key	Select the action: •Upload (PEM or DER formats) - Browse to the local file in PEM or DER formats. •Paste it here (PEM only) - Paste the contents of a PEM file.
Decryption Password	Specify the decryption password, if necessary. Passwords are required for PKCS-12 files, optional for PEM files, and never needed for DER files.
Import Certificate and Key	Imports the certificate and key.
Generate Self-Signed Certificate and New Private Key	Select to generate a new private key and self-signed public certificate.
	Organization Name - Specify the organization name (for example, the company).
	Organization Unit Name - Specify the organization unit name (for example, the section or department).
	Locality - Specify the city.
	State (no abbreviations) - Specify the state.
	Country (2-letter code) - Specify the country (2-letter code only).
	Email Address - Specify the email address of the contact person.
	Validity Period (Days) - Specify how many days the certificate is valid. The default value is 730.
Private Key	Cipher Bits - Select the key length from the drop-down list. The default value is 1024.
Generate Certificate and Key	Generates a private key and CSR.
Apply	Applies your settings to the running configuration.

5. To generate a CSR, under Web Certificate, select the Generate CSR tab and complete the configuration as described in this table.

Control	Description
Common Name (required)	Specify the common name (hostname) of the peer.
Organization Name	Specify the organization name (for example, the company).
Organization Unit Name	Specify the organization unit name (for example, the section or department).
Locality	Specify the city.
State	Specify the state. Don’t abbreviate.
Country (2-letter code)	Specify the country (2-letter code only).
Email Address	Specify the email address of the contact person.
Generate CSR	Generates the Certificate Signing Request.

6. Click Save to Disk to save your settings permanently.

Enabling REST API access

You enable access to the Riverbed REST API in the REST API Access page.

REST (Representational State Transfer) is a framework for API design. REST builds a simple API on top of the HTTP protocol. It is based on generic facilities of the standard HTTP protocol, including the six basic HTTP methods (GET, POST, PUT, DELETE, HEAD, INFO) and the full range of HTTP return codes. You can discover REST APIs by navigating links embedded in the resources provided by the REST API that follow common encoding and formatting practices.

For detailed information about REST API calls, see the SteelHead User Guide for SteelHead CX.

To enable REST API access

1. Choose Administration > Security: REST API Access to display the REST API Access page.

Enabling REST API access

2. Under REST API Access Settings, select the Enable REST API Access check box.

3. Click Apply to apply your settings to the running configuration.

4. Click Save to Disk to save your settings permanently.

Before an appliance can access the REST API, you must generate an access code for the system to use to authenticate access.

To generate the access code

1. Choose Administration > Security: REST API Access to display the REST API Access page.

2. Complete the configuration as described in this table.

Control	Description
Add Access Code	Displays the controls for adding an access code.
Description of Use	Type a description, such as the hostname or IP address of the appliance you’re using.
Generate New Access Code	Generates the new access code. Click Add to add the code to the running configuration. The access code is displayed in the table.
Import New Access Code	Copy and paste an existing access code in the text box.
Add	Adds the access code to the running configuration. The access code is displayed in the table.

3. Click the access code name to expand the page display the access code.

Displaying the REST API access code

4. Copy the access code from the text field into a text editor such as Notepad.

5. To use the access code in an external script, copy the access code copied from the Management Console REST API Access page into the configuration file of your external script.

The script uses the access code to make a call to the appliance/system to request an access token. The appliance/system validates the access code and returns an access token for use by the script. Generally the access token is kept by the script for a session only (defined within your script), but note that the script can make many requests using the same access token. These access tokens have some lifetime—usually around an hour —in which they’re valid. When they expire, the access code must fetch a new access token. The script uses the access token to make REST API calls with the appliance/system.

6. Click Save to Disk to save your settings permanently.

Configuring maintenance settings

This section describes how to manage your system including managing SCC backups, viewing job status, managing licenses, upgrading your software, and shutting down and rebooting the system.

We recommend you back up the SCC before you perform a software upgrade.

This section includes these topics:

•Managing external backups

•Setting daily maintenance window settings

•Displaying scheduled jobs

•Managing licenses

•Upgrading your software

•Rebooting and shutting down the SCC

Managing external backups

You configure external backups to an external file share (CIFS/NFS/SSH) in the External Backups page.

You can configure external backups:

•using a username and password to authenticate the external backup using CIFS or SSH.

•using a hostname or IP address and the remote path using NFS.

•using a Rivest-Shamir-Adleman (RSA) public security key using SSH. Configuring external backups using a public key eliminates the need for password authentication. The public key is generated with 2048-bit encryption.

These types of data are backed up:

•SteelHead configuration information (such as policies and host settings) as configured by the SCC.

•SteelHead statistics (such as traffic summary, connection history and data store cost) as reported by the SCC.

•SCC configuration information (such as networking, system settings and security settings).

This type of backup is distinct from appliance backups that serve an archival purpose for a specific appliance.

If you have greater than 1000 appliances in your deployment, an external backup may take more than three hours.

Some external SCC backups via SSH can partially or completely fail with a particular set of Windows-based SSH servers, yet can succeed without issue with a different set of servers, for example:

•SolarWinds SFTP/SCP server - The backup server configuration works, but the actual backup or restore operations fail with either Error 13 (permission denied) or Error 74 (IO Error).

•WinSSHD - Ensure that the configured SSH server directory is writable by the username that the SCC uses to connect. It isn’t, the server configuration itself doesn’t work.

We recommend that you change the path used for your backups prior to upgrading to SCC 8.5. If a statistics backup has been performed using SCC 8.5 or later against a given backup location, you will not be able to restore statistics from that location to SCC versions prior to SCC 8.5.

Riverbed hasn’t tested or qualified any Windows-based SSH servers. If you have successfully integrated one of these servers in your network, contact Riverbed Support.

Configuring external SCC backups

You can configure the external backups in the External Backup page. For detailed information, see the SteelHead Deployment Guide.

If you have more than 1000 appliances in your deployment, appliance backups may take more than 3 hours.

To configure external backups

1. Choose Administration > Maintenance: External Backup to display the External Backup page.

Configuring external backups

2. Under Backup Server, specify the external location for the backup by completing the configuration as described in this table.

Control	Description
Protocol	Select from the drop-down list the file server protocol for the backup server for storing or retrieving the backup: •CIFS - Specify a domain name, username, and password. •NFS - Specify the hostname or IP address and the remote path. •SSH - Specify a username and password or you can configure a backup using an RSA public key that doesn’t require password authentication. Note: If you back up to an NFS or SSH server and the same backup location is subsequently exposed via CIFS, the backup can fail. If the backups and restores are slow, use CIFS and NFS.
Hostname or IP Address	Specify the hostname or IP address for the backup server.
Remote Path	Specify the directory path on the backup server for the backup file. For example, for CIFS: \<sharename>\<directory>\<directory> or <sharename>/<directory> For example, for NFS: /<mount>/<point>/<directory> For example, for SSH: /<directory>/<directory> Note: The directory must already exist on the backup server.
CIFS Domain (CIFS only)	Specify the CIFS domain. Tip: If the username corresponds to a local account (as opposed to a domain account), this field should contain the NETBIOS name of the backup server.
User Name	Specify a valid username for CIFS or SSH access.
Password	Supply a valid password for CIFS or SSH access.
Password Confirm	Confirm the password for CIFS or SSH access.
Time Limit for Statistics Backup	Specify the time limit, in minutes. The default value is 0.
Disk Space Limit	Specify the disk space limit, in megabytes. The default value is 0.
Total Capacity	Select the drop-down error to view more information. •Available Space - Displays the available space, such as: Available to SCC Data and Reserved for Other SCC. •Used Space - Displays the used space, such as: Used by SCC Configuration Snapshots, Used by Appliance Snapshots, and Used by Statistics. •Used by Other Data - Displays the used by other data information.

3. Click Save to Disk to save your settings permanently.

Configuring external SCC backups using an RSA public key

You can configure external backups in the External Backup page using an RSA public key. Configuring external backups using an RSA public key eliminates the need for password authentication.

To configure external backups using an RSA public key

1. Choose Administration > Maintenance: External Backup to display the External Backup page.

Configuring external backups using an RSA public key

2. Under Backup Server, specify the external location for the backup by completing the configuration as described in this table.

Control	Description
Protocol	Select SSH from the drop-down list. Note: If you back up to an NFS or SSH server and the same backup location is subsequently exposed via CIFS, the backup can fail.
Hostname or IP Address	Specify the hostname or IP address for the backup server.
Remote Path	Specify the directory path on the backup server for the backup file. For example, for SSH: /<directory>/<directory> Note: The directory must already exist on the backup server.
User Name	Specify the username.
SSH Authentication Type	Select Public Key and click Generate Key to generate the public key. The public key is generated in the Public Key text box.
Public Key	After you click Generate Key, the key appears in the text box. Copy the public key to the user’s target machine: for example: /u/administrator/.ssh/authorized_keys
Generate Key	Generates the public key in the Public Key text box.
Time Limit for Statistics Backup	Specify the time limit, in minutes. The default value is 0.
Disk Space Limit	Specify the disk space limit, in megabytes. The default value is 0.
Total Capacity	Select the drop-down error to view more information. •Available Space - Displays the available space, such as: Available to SCC Data and Reserved for Other SCC. •Used Space - Displays the used space, such as: Used by SCC Configuration Snapshots, Used by Appliance Snapshots, and Used by Statistics. •Used by Other Data - Displays the used by other data information.

3. Click Save to Disk to save your settings permanently.

Scheduling external backups

You can schedule external backups for SCC configurations.

To schedule an external backup

1. Under Scheduling, set the options to schedule and statistics backup as described in this table.

Control	Description
Schedule SCC Configuration Backup	Enables the backup of appliance configuration data. Complete these settings: •Start at - Specify the start using this format: yyyy/mm/dd hh:mm:ss •Repeat every - Specify the number of days the SCC configuration backup operation should be repeated. •Maximum SCC Snapshots Retained - Specify the maximum number of SCC snapshots.
Schedule Appliance Snapshots Backup	Enables the backup of appliance snapshots data. You should perform a full backup before you can schedule appliance snapshot backup. Complete these settings: •Start at - Specify the start date using this format: yyyy/mm/dd hh:mm:ss •Repeat every - Specify the number of days for that the SCC snapshot backup operation should be repeated.
Schedule Statistics Backup	Enables the backup of appliance statistic data. Statistics backups are incremental. Complete these settings: •Start at - Specify the start date using this format: yyyy/mm/dd hh:mm:ss •Repeat every - Specify the number of days for that the statistics backup operation should be repeated.
Apply	Applies your changes to the running configuration.

2. Click Save to Disk to save your settings permanently.

Viewing backup operations

You can view the current status of back up operation and perform backup operations in the Backup Operations panel of the External Backup page. You can perform these backup operations on SCC Configurations and snapshots, Appliance snapshots, and statistics.

A backup operation displays these status operations:

•success, <time-stamp>

•running <time-duration>, <percentage-complete>

•failed <time-stamp>

•failed <time-stamp>, last success: <time-stamp>

•idle indicates that there is no backup or restore history. The system doesn’t retain a record of backup and restore statuses from prior to system startup (including reboots).

To perform a backup operation

1. Choose Administration > Maintenance: External Backup to display the External Backup page.

2. Under Backup Operations, select a backup operation from the drop-down list and complete the configuration as described in this table.

Operation	Description
Backup SCC Configuration	Performs a backup of the current SCC configurations. •New Snapshot Name - Specify the new snapshot name in the text box.
Restore SCC Snapshot	Restores the specified SCC snapshot. •Restore Snapshot Name - Select the name from the drop-down list. •Restore Secure Vault - Select to enable the restore secure vault option. •Vault Password - Specify the vault password. Leave blank if using the factory password. •Restore Primary and Aux network interfaces - Select to restore primary and auxiliary network interfaces.
Remove SCC Snapshot	Removes the specified SCC snapshot. •Remove Snapshot Name - Select the snapshot name from the drop-down list.
Backup Appliance Snapshots	Performs a backup of the current appliance snapshot. •Exclude nightly snapshots older than <number> Days - Specify the number of days to be excluded. The default is 0.
Restore Appliance Snapshot	Restores the specified appliance snapshot.
Backup Statistics	Performs a backup of the current SCC statistics.
Restore Statistics	Restores the latest statistics backup.

3. Click Start to begin the operation.

Setting daily maintenance window settings

You can set the time for daily maintenance jobs in the Maintenance Window page. The maintenance window is used for nightly jobs, for example, preventative database maintenance and backups for all appliances.

To set daily maintenance window settings

1. Choose Administration > Maintenance: Maintenance Window to display the Maintenance Window page.

Configuring a maintenance window

2. Complete the configuration as described in this table.

Control	Description
Start Time	Specify the start time for the job. Use this format: hh:mm:ss The duration of Maintenance Window should be at least three hours.
End Time	Specify the end time for the job. Use this format: hh:mm:ss
Apply	Applies your changes to the running configuration.

3. Click Save to Disk to save your settings permanently.

Displaying scheduled jobs

You can view completed, pending, inactive jobs, as well as jobs that were not completed because of an error in the Scheduled Jobs page. You can also delete a job, change its status, or modify its properties.

Jobs are commands that are scheduled to execute at a time you specify.

You can use the Management Console to:

•schedule an appliance reboot or shut down.

•generate multiple TCP trace dumps on a specific date and time.

To schedule all other jobs, you must use the Riverbed CLI.

For details about scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual.

To display job status

1. Choose Administration > Maintenance: Scheduled Jobs to display the Scheduled Jobs page.

Displaying scheduled jobs

2. Click the Job ID number to display details about the job.

3. Optionally, under Details for Job <#>, complete the configuration as described in this table.

Control	Description
Name	Specify a name for the job.
Comment	Specify a comment.
Interval (seconds)	Specify the number of seconds between job recurrences. Specify 0 to run the job one-time only.
Executes on	Specify the start time and end time using the format yyyy/mm/dd hh:mm:ss
Enable/Disable Job	Select the check box to enable the job, clear the check box to disable the job.
Apply Changes	Applies the changes to the current configuration.
Cancel/Remove This Job	Cancels and removes the job.
Execute Now	Runs the job.
Remove Selected Jobs	Select the check box next to the name and click Remove Selected Jobs.

4. Click Save to Disk to save your settings permanently.

Managing licenses

This section describes how to install, update, and remove a license. It also describes how to use flexible licensing to manage model configurations and upgrades.

Licenses can be permanent or temporary. Permanent licenses don’t display an expiration date in their Status column on the Licenses page; temporary licenses display an expiration date in their Status column. For example, evaluation licenses typically expire in 60 days and display a date within that range.

The system warns you two weeks before a license expires by activating the Expiring License alarm. After a license expires, the system activates the Expired License alarm. You can add a license to extend the functionality of expiring licenses. If more than one license exists for a feature, the system uses the license with the latest expiration date.

Managing SCC licenses

You perform all license management and update or remove expired licenses on the appliance in the Licenses page.

For details, see the SteelHead User Guide. For details about hardware platforms that require hardware upgrades, see the Upgrade and Maintenance Guide. For details about installation and configuration, see the SteelHead Installation and Configuration Guide for SteelHead CX.

To install a license

1. Choose Administration > Maintenance: Licenses to display the Licenses page.

Adding licenses

The Licenses page includes a table of licenses with a column showing the date and time the license was installed and the approximate relative time it was installed. The next column shows whether the installation was done manually or automatically.

2. Under Licenses, complete the configuration as described in this table.

Control	Description
Add a New License	Displays the controls to add a new license.
Licenses Text Box	Copy and paste the license key provided by Riverbed Support or Sales into the text box. Separate multiple license keys with a space, Tab, or Enter.
Add	Adds the license.
Fetch Updates Now	Contacts the Riverbed license portal and downloads all applicable licenses for the SteelHead.

3. Click Save to Disk to save your settings permanently.

Removing a license

We recommend that you keep old licenses in case you want to downgrade to an earlier software version; however, in some situations you might want to remove a license.

To remove a license

1. Choose Administration > Maintenance: Licenses to display the Licenses page.

2. Select the license you want to delete.

3. Click Remove Selected.

Upgrading your software

You can upgrade or revert to a backup version of the software in the Software Upgrade page. You can also enable and disable image signature verification, and view and upload image signing certificates. Image verification is enabled by default. We strongly recommend that it remain enabled at all times. Disable this feature only when absolutely necessary.

For more information about image signature verification, see “Image signature verification” on page 22.

The bottom of the page displays the software version history, including the version number and the software installation date.

Software Upgrade page

To find allowed upgrades between RiOS versions and recommended upgrade paths, use the Software Upgrade tool on the Riverbed Support site at https://support.riverbed.com. The tool includes all of the recommended intermediate RiOS versions.

The SCC performs centrally managed software upgrades (immediate or scheduled) on any managed SteelHead. You can schedule upgrades to run immediately or schedule them during early morning maintenance windows, including the ability to schedule appliances reboots separately.

To enable image signature verification

We strongly recommend this feature remain enabled at times.

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

2. Select Image Signature Verification and click Apply.

To disable image signature verification

Disable this feature only when absolutely necessary.

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

2. Deselect Image Signature Verification and click Apply.

To add an image signing certificate

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

2. Expand the Image Signing Certificate section.

3. Select Import.

Import image signing certificate

4. Select a how you want to import your certificate.

–Upload - This method supports uploading certificates in PKCS-12, DER, and PEM formats.

–Paste it here - This method supports only certificates in PEM format.

5. Click Import Image Signing Certificate.

A dialog box appears and displays a warning that the existing certificate will be replaced by the one you are importing.

6. Click Import.

To view the details of an image signing certificate

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

2. Expand the Image Signing Certificate section.

3. Select Details.

To revert the RiOS software version

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

2. Under Software Upgrade, complete the configuration as described in this table.

Control	Description
Switch to Backup Version	Switches to the backup version on the next reboot.
Cancel	Cancels the software version switch on the next reboot.

To upgrade or revert software versions

1. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

Upgrading or reverting RiOS software version

2. Under Software Upgrade, click Switch to Backup Version.

The appliance will revert to the backup version of its RiOS software when restarted. The button label changes to Cancel Version Switch; clicking it will cancel the reversion.

To upgrade the RiOS software version

1. Download the software image from the Riverbed Support site to a location such as your desktop. Optionally, in RiOS 8.5 and later, you can download a delta image directly from the Riverbed Support site to the SCC. The downloaded image includes only the incremental changes. The smaller file size means a faster download and less load on the network. To download a delta image, skip to step 2.

2. Choose Administration > Maintenance: Software Upgrade to display the Software Upgrade page.

3. Under Install Upgrade, complete the configuration as described in this table.

Control	Description
From URL	Select this option and specify the URL. Use one of these formats: http://host/path/to/file https://host/path/to/file ftp://user:password@host/path/to/file scp://user:password@host/path/to/file
From Riverbed Support Site	Click this option and select the target release number from the drop-down list. The system uploads and installs the new image immediately after you click Install. To upload and install the image later, schedule another date or time before you click Install.
From Local File	Select this option and specify the path, or click Browse to go to the local file directory. If you specify a file to upload in the Local File text box, the image is uploaded immediately; however the image is installed and the system is rebooted at the time you specify.
Schedule Upgrade for Later	Schedules the upgrade process. Specify the date and time to run the upgrade: yyyy/mm/dd hh:mm:ss
Install	Click to install the software upgrade on your system, unless you schedule it for later. The software image can be quite large; uploading the image to the appliance and installing it can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes. As the upgrade progresses, status messages appear. After the installation is complete, the system reminds you to reboot the appliance to switch to the new version of the software.
Cancel	Cancels your changes.

4. Choose Administration: Maintenance > Reboot/Shut Down and click Reboot.

The appliance can take a few minutes to reboot. This is normal behavior as the software is configuring the recovery flash device. Don’t press Ctrl+C, unplug, or otherwise shut down the system during this first boot. There is no indication displayed during the system boot that the recovery flash device is being configured.

After the reboot, the Dashboard, Software Upgrade, and Support pages of the Management Console display the RiOS version upgrade.

Related topic

•Displaying scheduled jobs

Rebooting and shutting down the SCC

You can reboot or shut down the system in the Reboot/Shutdown page.

Rebooting the system disrupts existing network connections that are currently proxied through it. Rebooting can take a few minutes.

When you shut down the system, connections are broken and optimization ceases. Shutting down the appliance can take a few minutes.

To restart the system, you must manually turn on the SCC.

Your unsaved configuration changes are lost if the configuration isn’t saved prior to reboot or shutdown.

To reboot or shut down the system

1. Choose Administration > Maintenance: Reboot/Shutdown to display the Reboot/Shutdown page.

Rebooting and shutting down

2. Click Reboot. After you click Reboot, you’re logged out of the system and RiOS reboots.

3. Click Shut Down to shut down the system. After you click Shut Down, the system is turned off. To restart the system, you must manually turn on the SteelHead.

Control	Description
Time Zone	Select a time zone from the drop-down list. The default value is GMT. Note: If you change the time zone, log messages retain the previous time zone until you reboot.
Set Time Manually	Select to set the time manually. Select these options: •Change date - Specify the date in this format: yyyy/mm/dd •Change time - Specify military time in this format: hh:mm:ss
Use NTP Time Synchronization	Select to use NTP time synchronization.
Change Date	Specify the date in this format: yyyy/mm/dd
Change Time	Specify military time in this format: hh:mm:ss
Apply	Applies your settings to the running configuration.

Control	Description
Add a New NTP Server	Displays the controls to add a server.
Hostname or IP Address	Specify the hostname or IP address for the NTP server. You can connect to an NTP public server pool: for example, 0.riverbed.pool.ntp.org. When you add an NTP server pool, the server is selected from a pool of time servers. The IP address can be either IPv4 or IPv6. For IPv6 specify an IP address using this format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You don’t need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282
Version	Select the NTP server version from the drop-down list: 3 or 4.
Enabled/Disabled	Select Enabled from the drop-down list to connect to the NTP server. Select Disabled from the drop-down list to disconnect from the NTP server.
Key ID	Specify the MD5 or SH1 key identifier to use to authenticate the NTP server. The valid range is from 1 to 65534. The key ID must appear on the trusted keys list.
Add	Adds the NTP server to the server list.
Remove Selected	Select the check box next to the name and click Remove Selected.

Control	Description
Add a New NTP Authentication Key	Displays the controls to add an authentication key to the key list. Both trusted and untrusted keys appear on the list.
Key ID	Optionally, specify the secret MD5 or SHA1 key identifier for the NTP server. The valid range is from 1 to 65534.
Key Type	Select the authentication key type: MD5 or SHA1.
Secret	Specify the shared secret. You must configure the same shared secret for both the NTP server and the NTP client. The MD5 shared secret: •is limited to 16 alphanumeric characters or fewer, or exactly 40 characters hexadecimal. •can’t include spaces or pound signs (#) •can’t be empty •is case sensitive The SHA1 shared secret: •is limited to exactly 40 characters hexadecimal •can’t include spaces or pound signs (#) •can’t be empty •is case sensitive The secret appears in the key list as its MD5 or SHA1 hash value.
Add	Adds the authentication key to the trusted keys list.
Remove Selected	Select the check box next to the name and click Remove Selected.

Control	Description
Add Port	Displays the controls to add a new port.
Port Number	Specify the port to be monitored.
Port Description	Specify a description of the type of traffic on the port.
Add	Displays the controls for adding a port.
Remove Selected	Select the check box next to the name and click Remove Selected.

Control	Description
Never	Select to require the current user to log in when the SCC opens.
When logged in as admin	Select to log in as the admin user for the appliance when the SCC opens. Note: The registered user must have administrative privileges.
When logged in as the appliance registered user	Select to log in when the SCC opens using the same name as the registered user to log in to the SCC. For this option to function properly, the SCC login must match the registered user login for the system.

Control	Description
	These settings control the log in information used when the SCC for an individual appliance is accessed directly from the Dashboard of the SCC. These settings control how the URLs are generated for the appliances shown on the Dashboard.
Always use http	Select to always generate the appliance URL using the HTTP protocol.
Always use https	Select to always generate the appliance URL using the HTTPS protocol.
Use https if enabled, otherwise http	Select to generate the appliance URL automatically based on whether the appliance is SSL-enabled (HTTPS) or not (HTTP).
Use the Fully-Qualified Domain Name provided by the appliance	Select to use the fully qualified domain name provided by the appliance. This is the default setting. If the FQDN isn’t obtainable, the registered address will be used. Note: The SCC resolves the FQDN to an IP.
Use the IP Address/Hostname registered with the SCC	Select to use the IP Address/Hostname registered with the SCC.

Control	Description
Use Common Appliance Credentials	Displays the controls for the common administration login. When enabled, the Common Appliance Username/Password is used for all appliance connections. The appliance-specific username/password is ignored
User Name	Enter the username.
Password	Enter the password.
Confirm Password	Confirm the password.

Control	Description
Enable/disable the certificate authority	Select the check box to enable certificate authority. - or - Clear the check box to disable certificate authority.
Cipher bits	Select the key length from the drop-down list. The default value is 2048.
Signing algorithm	Select the signing algorithm from the drop-down list. The default value is SHA256withRSA.
Apply	Applies the settings to the running configuration. After you click Apply, the Certificate Authority tabs are displayed for viewing or replacing the certificate.

Control	Description
Details	Displays the certificate details.
PEM	Displays the certificate in PEM format.
Replace	Displays the controls for replace or generating a CA-Signed certificate.
Import Existing Private Key and CA-Signed Public Certificate (One File in PEM format)	Select this option if the existing private key and CA-signed certificate are located in one file. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or a text box for copying and pasting the key and certificate.
Private Key	The private key is required regardless of whether you’re adding or updating. •Local File - Browse to the local file. •Text - Paste the content of the file. •Decryption Password - Specify the password used to decrypt, if necessary. •Change - Changes the settings.
Import Existing Private Keys and CA-Signed Public Certificate (Two Files in PEM format)	Select this option if the existing private key and CA-signed certificate are located in two files. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or text boxes for copying and pasting the keys and certificates.
Private Key	A private key is optional for existing server configurations. •Private Key Local File - Browse to the local file containing the private key. •Private Key Text - Paste the private key text.
CA-Signed Public Certificate	•LocalCert Text - Paste the content of the certificate text file. •File - Browse to the local file. •Decryption Password - Specify the password used to decrypt, if necessary. •Change - Changes the settings.
Generate New Private Key and Self-Signed Public Certificate	Select this option to generate a new private key and self-signed public certificate. •Cipher Bits - Select the key length from the drop-down list. The default value is 2048. •Common Name - Specify the domain name of the server. •Organization Name - Specify the organization name (for example, the company). •Organization Unit Name - Specify the organization unit name (for example, the section or department). •Locality - Specify the city. •State (no abbreviations) - Specify the state. •Country (2-letter code) - Specify the country (2-letter code only). •Email Address - Specify the email address of the contact person. •Validity Period (Days) - Specify how many days the certificate is valid. •Change - Changes the settings. •Generate New Private Key and Certificate - Generates new private key and certificate.

Control	Description
Optional Local Name	Optionally, specify the name of the trusted CA store.
Local File	Select this option and browse to the local file.
Cert text	Select this option to copy and paste the certificate authority.
Add	Adds the certificate authority to the trusted CA store.

Management Console page	Feature (to configure or change this feature)	Required settings for read permission	Required settings for read/write permission
Manage > Topology: Sites & Networks	Networks	Network Settings Read-Only	Network Settings read/write Policy Push read/write
Manage > Topology: Sites & Networks	Sites	Network Settings Read-Only QoS/Path Selection Read-Only	Network Settings read/write Policy Push read/write QoS/Path Selection read/write
Manage > Applications: App Definitions	Applications	Network Settings Read-Only	Network Settings read/write Policy Push read/write
Manage > Services: Quality of Service	Enable QoS	Network Settings Read-Only	Network Settings read/write QoS/Path Selection read/write Policy Push read/write
	Manage QoS Per Interface	Network Settings Read-Only	Network Settings read/write QoS/Path Selection read/write Policy Push read/write
	QoS Profile	QoS/Path Selection Read-Only	QoS/Path Selection read/write Policy Push read/write
Manage > Services: QoS Profile Details	QoS Profile Name	QoS/Path Selection Read-Only	QoS/Path Selection read/write Policy Push read/write
	QoS Classes	QoS/Path Selection Read-Only	QoS/Path Selection read/write Policy Push read/write
	QoS Rules	QoS/Path Selection Read-Only	Network Settings read/write QoS/Path Selection read/write Policy Push read/write
Manage > Services: Path Selection	Enable Path Selection	Network Settings Read-Only	Network Settings read/write Policy Push read/write
	Path Selection Rules	Network Settings Read-Only QoS/Path Selection Read-Only	Network Settings read/write QoS/Path Selection read/write Policy Push read/write
	Uplink Status	Network Settings Read-Only QoS/Path Selection Read-Only Reports read/write	—
Manage > Topology: Clusters	Interceptor Clusters	Network Settings Read-Only	Interceptor/Cluster Settings read/write Policy Push read/write

Page	Description
SCC Settings	Manages the SCC features: for example, host settings, network settings and reports.
AAA Configurations	Authenticates and authorizes SCC users.

Page	Description
Global	Configures Global group settings.
<group>	Configures the <group> settings.

Control	Description
admin/monitor	Click the right arrow to modify the admin and monitor accounts.
Clear Login Failure Details	Clears the account log in failure details and closes the fields for changing the password.
Change Password	Enables password protection. Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password. When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled. •Password - Specify a password in the text box. •Password Confirm - Retype the new administrator password.
Enable Account	Activates the account. Clear the check box to disable the administrator or monitor account. When enabled, you may make the account the default user for RADIUS and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.
Allow Policy Push for Non-Admin Connected Appliances	Enables administrator users to perform configuration pushes to appliances connected with nonadministrator role-based management users, provided the nonadministrator role-based management users have read/write privileges on the appliance.
Apply	Applies your changes to the running configuration.