Alliance MX 15.2 System Center Administration Guide · Administration Guide Part Number Release 15.2 IPC ... Updates the SysView keystore on the System Center Administrator’s account;

Administration Guide

Part Number Release 15.2IPC777 Commerce DriveFairfield, CT 06825-5500 USAProduced by Technical Publications

DO NOT DISTRIBUTE OR COPY

Note

A sample only for your review.

Alliance MX 15.2 System Center Administration Guide

Chapter 9: Administrative Scripts 275

9 Administrative Scripts

The scripts described in this chapter include those that an System Center administrator uses to manage:• Devices (nodes), including the generation and update of credentials and keys for ESS

IPC system components• Dual interface system failuresFor a description of scripts used by the DAM utilities, see Chapter 10: 15.1 DAM—Node Management (ESS Networks) on page 319.Scripts typically require IP address information for devices on a network. For tips on the many ways that you can obtain this information, see section 9.2 Obtaining IP Address Details on page 278.

In This Chapter9.1 Script List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2779.2 Obtaining IP Address Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2789.3 Generating Credentials and Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279

9.3.1 Generating and Holding Credentials for New ESS Installations . . . . . . . . . . . . . . . . . .2819.3.1.1 Manually Generating Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

9.4 Updating Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2829.5 Forcing a Failover (Redundant Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2839.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance . . . . . . . . . . .284

9.6.1 Managing Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2869.6.1.1 Add Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2889.6.1.2 Delete Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2929.6.1.3 View Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2939.6.1.4 Modify Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297


9.1 Script List 277

9.1 Script ListThe following list includes scripts described in this chapter.

Table 9-1: Administrative Scripts

Script Name Purpose Account Run From More Information

create_keys.exp Generates and stores credentials; also updates devices (ESS servers, SysView, SIPX cards)

Administrator’s account; log in as root (su - rootcsh); run from /usr/sx/db/

Section 9.3 Generating Credentials and Keys on page 279

To generate and store credentials only, add the gen_only argument to the create_keys.exp script


Section 9.3.1.1 Manually Generating Credentials on page 282

./pop_keystore.pl -storepass=password

Updates the SysView keystore on the System Center


Section 9.3.1 Generating and Holding Credentials for New ESS Installations on page 281

nodemgt.pl Opens the DAM menu:• Backup/Restore• Check Availability• Get Logs• Check Version

/usr/sx/db/nodemgt directory

Section 10.1 15.1 Diagnostic, Administration, and Monitoring Main Menu on page 321

max_failover_force In redundant interface systems, this script forces a NIC failover

/usr/sx/db directory using the ipcinstall account

Section 9.5 Forcing a Failover (Redundant Interface) on page 283 and the IQ/MAX Station I&M Guide.

July 2008 IPC Proprietary

286 Chapter 9: Administrative Scripts

• At the syscen:/usr/sx/db> prompt, type kadminui and press RETURN. The Kadmin UI Tool main screen displays (Figure 9-2 on page 286).

• At the Enter Principal Admin name prompt, type ipcinstall press RETURN. This account is loaded by default and may be replaced by a different account name as deemed necessary by the company’s system administrator.

• Type the password and press RETURN. 2 To manage principal user accounts (add, modify, delete, view, import, list all), type 1

and press RETURN. For instructions, see section 9.6.1 Managing Principals on page 286.

3 To manage password policies for principal user accounts (add, modify, delete, view, list all), type 2 and press RETURN. For instructions, see section 9.6.2 Managing Policies on page 305.

Figure 9-2: Kadmin UI Tool (Main Menu)

9.6.1 Managing PrincipalsYou use the Kadmin UI Tool’s Principal Management menu to access the options shown in Figure 9-3 on page 287.

################################################

# #

# kadmin #

# #

# Kadmin UI Tool #

# #

################################################

1. Principal Management

2. Policy Management

E. Exit/Previous menu

Enter choice:

If you are going to use a customized password policy (not the default shown in Figure 9-1 on page 285), be sure to create it before you create or modify a principal user account. See section 9.6.2.1 Create Policy on page 307.


9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance 287

To open kadminui’s principal management option1 Log in to the System Center:

• Open a Command Tool window.• At the syscen:/usr/sx/db> prompt, type kadminui and press RETURN. The

Kadmin UI Tool main screen displays (Figure 9-2 on page 286).• At the Enter Principal Admin name prompt, type ipcinstall press RETURN.• Type the password and press RETURN.

2 To manage principal user accounts, type 1 and press RETURN. For option instructions, see the following sections: • Section 9.6.1.1 Add Principals on page 288 • Section 9.6.1.2 Delete Principal on page 292• Section 9.6.1.3 View Principal on page 293• Section 9.6.1.4 Modify Principal on page 297• Section 9.6.1.5 List Details for All Principal User Accounts on page 299• Section 9.6.1.6 Import Principals From a File on page 302

Figure 9-3: Kadmin Principal Management Menu##########################################################

# #

# Kadmin Principal Management #

# #

# The Options Below Allow you to Manage Kadmin Principal #

# #

##########################################################

1. Add Principals

2. Delete Principal

3. View Principal

4. Modify Principal

5. List All Principal Details

6. Import Principals From a File


Enter choice:



9.6.1.1 Add PrincipalsUse 1. Principal Management > 1. Add Principals to create a single user account for administrator users of the MAXaccess Appliance, the server managing the MAXaccess 1000 feature, and for traders using MAXaccess Soft Turret (see page 284).You can run the 1 Add Principals procedure multiple times or create and use an import file (see page 302).When you view principal details, you will see the full format of a Kerberos principal account name, for example: swhoiswho/syscen.ipc.com. The format is:

Name[/Qualifier[/Qualifier[...]]]@realm

Where: Name is what you enter in kadminui as the Principal Account Name/Qualifier is the host, for example NGST@realm is usually a domain name, for example, @ipc.com

When you create an account, you assign an existing password policy to the account. The system automatically validates the password you enter against the policy you assign to the user name when you create a principal account. If the password does not meet the specified criteria, an error message displays and the account is not created. See section 9.6.1.1.1 About kadminui Passwords on page 290.Examples:• If you create a password that contains the same characters as the user name, then this

error message displays:ERROR: Password is in the password dictionary while creating “username”. Please try again.

• If the policy states there are two character classes, and you enter a password in all lower case characters, then this error message displays:ERROR: Password does not contain enough character classes while creating “username”. Please try again.

To create a principal user account1 Open the Kadmin UI Tool menu:

• Log in to the System Center (Alliance MX 15.2 or higher) and open a Command Tool window.




For a description of the details included in the list, see section 9.6.1.3 View Principal on page 293.

To display a list of all principal accounts and corresponding details1 Open the Kadmin UI Tool menu:



• At the Enter Principal Admin name prompt, type ipcinstall press RETURN.• Type the password and press RETURN.

2 Type 1, Principal Management, and press RETURN. 3 From the Kadmin Principal Management menu (Figure 9-3 on page 287), type 5,

List All Principal Details, and press RETURN.

4 From the Kerberos Principal Management List Principals (Figure 9-9 on page 301) menu, type 1, List all principals, and press RETURN. A list is automatically displayed containing details of each principal.

5 After the last account has displayed, press RETURN to continue.

To interrupt the scrolling of details at any time, press Ctrl+c.

To create a file containing this information, use the File Editor tool. To open the editor window, right click in the Command Tool window and click File Editor. Highlight the principal detail text and use the Copy/Paste keys to add it to the editor window. To save the text file, click File and select Save As.



Figure 9-9: List Principals Menu—Details for all Principal Accounts in a List##########################################################

# #

# Kerberos Principal Management #

# #

# List Principals #

# #

##########################################################

1. List all principals


Enter choice: 1

All principal Details

======================

**K/M**

Principle:K/[email protected] Expiration date: [never]

Last password change: [never]

Password expiration date: [none]

Maximum ticket life: 0 days 10:00:00

Maximum renewable life: 7 days 00:00:00

Last modified: Thu Oct 11 12:08:21 EDT 2007 ([email protected])

Last successful authentication: [never]

Last failed authentication: [never]

Failed password attempts: 0

Numberof keys: 1

Key:vno 1, Triple DES cbc mode with HMAC/sha1, no salt

Attributes:DISALLOW_ALL_TIX

Policy:[none]

....

Press return to continue...



9.6.1.6 Import Principals From a FileYou can create multiple principal user accounts using a comma-separated value formatted file (.CSV). The import file can exist locally or on a thumb drive (providing that you include the full path with the name of the file). The system validates the passwords in the file against criteria of the policy you select during the import process. Only accounts whose password meets the criteria will actually be created during the import and the system identifies which accounts are not created, see Figure 9-11 on page 305. All new accounts in the CSV file receive the same policy.For example, of the accounts shown in Figure 9-10 on page 304, all are created with the default policy, except for principal_account_name3. The password, short, does not contain at least two character classes (lower case, upper case, number, special character symbols, etc.), see Figure 9-11 on page 305. For a complete description on creating passwords, see section 9.6.1.1.1 About kadminui Passwords on page 290.

To create a CSV file of Principal Names and Passwords using Microsoft Excel 1 Open Excel and create a file with the principal names in the first column and the

corresponding passwords in the second column (see Figure 9-10: A Sample Principals Import CSV File on page 304). Passwords cannot be the same as the principal name. Be sure that the passwords comply with an account policy that you created in the procedure To create a new Kerberos account policy on page 307.

2 Save the file as a .CSV file:a Click File > Save As. The Save As dialog box opens. b Navigate to the folder or device where you want to save the file in the Save in field.c Type a name in the File name text box.d Click the Save as type drop-down button, scroll down, and click CSV (MS-DOS)

(*.csv). The file name updates to display .csv at the end of the name.e Click Save.f The .CSV file must be copied to either the System Center’s hard disk or to

removable media, such as a floppy disk or a USB flash drive, and inserted in a drive or USB port on the System Center. This file should not be password protected so that it can be imported. However, you should delete all CSV copies of the file after it is imported.

3 Maintain security of password information in the original worksheet file by hiding the password column and adding password protection to the worksheet:a Click the heading of the column that contains the passwords (typically column B)

to select the column.



b Click Format > Column > Hide to hide the column.c Click Tools > Protection > Protect Sheet. The Protect Sheet dialog box opens. d De-select the Select locked cells and Select unlock cells check boxes in the Allow all

users of this worksheet to list box. Scroll down the list to be sure that none of the check boxes are selected.

e Be sure that the Protect worksheets and contents of locked cells check box is selected.

f Type a password that you will be sure to remember in the Password to unprotect sheet text box. Be careful about the password entered, because there is no way to display the hidden column if you forget the password.

g Click OK. The Confirm Password dialog box opens. h Retype the same password and click OK. At this point you should not be able to

select or do anything in the sheet. i You can save and close the spreadsheet file at this point. You may also password

protect the file by clicking Tools > Options > Security and entering additional passwords to open and modify the file. Be careful about the passwords entered, because there is no way to open or modify the file if you forget the passwords.

To import principal account names and passwords from a CSV file1 Open the Kadmin UI Tool menu:



• At the Enter Principal Admin name prompt, type ipcinstall press RETURN.• Type the password and press RETURN.

2 Type 1, Principal Management, and press RETURN. 3 From the Kadmin Principal Management menu (Figure 9-3 on page 287), type 6,

Import Principals From a File, and press RETURN.4 From the Kerberos Principal Management Add Principals from a CSVs (Figure 9-9 on

page 301) menu, type 1, Add Principal Lists, and press RETURN.5 Type the name of the CSV file if located in current directory (/usr/sx/db which runs

kadminui), or include the full path information if located not in current directory. For example, for a thumb drive, enter /rmdisk/noname/filename.csv.



6 A list of policies displays. Type the number for the policy to apply to each new account and press RETURN. The system displays the creation status for each new account. Error messages are displayed for those accounts that are not created as shown in Figure 9-11 on page 305.

7 To continue, press RETURN.

Figure 9-10: A Sample Principals Import CSV File

Import file created using Microsoft Excel (save as .csv)

Above import file (.csv) viewed in WordPad



Figure 9-11: Add Principals from a CSVs—Example

9.6.2 Managing PoliciesYou use the Kadmin UI Tool’s Policy Management menu to access the options shown in Figure 9-12 on page 307.

##########################################################

# #

# Kerberos Principal Management #

# #

# Add Principals from a CSVs #

# #

##########################################################

1. Add principal lists


Enter choice:1

Enter a CSV file (principal account name, password) or type ‘e’ for Exit: /rmdisk/noname/test.csv

The policy list

===============

1. default

2. custom_policy


Enter one of the polices for all new principals: 2

Principal "principal_account_name1" created.


ERROR : Password does not contain enough character classes while creating "principal_account_name3".




Chapter 10: 15.1 DAM—Node Management (ESS Networks) 319

1015.1 DAM—Node Management (ESS Networks)

You can use Diagnosis, Administration, and Monitoring tools to:• Diagnose the cause or nature of a technical issue• Administer and configuration of appliance and services• Monitor the configuration, status, and run-time state of the MAXaccess Appliance

and services

There are two System Center DAM tools, each utility is unique and serves a different purpose:• 15.1 DAM, see page 321

A menu-driven utility used for node management of ESS networks; available in Alli-ance 15.1 or higher.

• 15.2 DAM, see page 339Script tools used for MAXaccess Appliance management; available in Alliance 15.2 or higher.

! DAM tools are case-sensitive.

Basic and advanced system configuration information generated by the 15.2 DAM scripts can also be viewed and modified in SysView. For more information, see the Alliance 15.2 SysView Guide.


320 Chapter 10: 15.1 DAM—Node Management (ESS Networks)

In This Chapter10.1 15.1 Diagnostic, Administration, and Monitoring Main Menu . . . . . . . . . . . . . . . . . . . . . . .321

10.1.1 Backup File Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32310.1.2 Opening the 15.1 DAM Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32310.1.3 Backup Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32310.1.4 Check Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32610.1.5 Get Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

10.1.5.1 Log File (Archive) Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33210.1.6 Get Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33210.1.7 Restoring ESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335


10.1 15.1 Diagnostic, Administration, and Monitoring Main Menu 321

10.1 15.1 Diagnostic, Administration, and Monitoring Main Menu 15.1 DAM is menu-driven. This utility allows you to manage specific nodes, such as SIPX card, ESS, IQ/MAX, associated with an ESS network and uses ssh and SCP connections with keys. For information on generating keys, see section 9.3 Generating Credentials and Keys on page 279. Using the DAM menu, the system executes the following scripts for each of the node types, SyC, ESS, and SIPX card.

Table 10-1: 15.1 DAM Scripts and Service Availability by Node

Node – Script Name1 Backup Restore Check Availability

Get Version

Get Logs

System CenterGet Version script – /usr/local/bin/ckversionGet Logs script – /usr/sx/db/nodemgt/getLogs/damlogs.pl

X X

ESSBackup/Restore script – /opt/ipc/ess/sbin/essbkres.bashGet Version script – /usr/local/SipProxy/getVersion.plGet Logs script – /usr/local/SipProxy/getLogs.pl

X X X X X

SIPXCheck Availability script – /opt/sipx/bin/checkAvailabilityGet Version script – /opt/sipx/bin/getVersionGet Logs script – /opt/sipx/bin/retrieveLogs

X X X

IQMAXGet Logs script – /opt/apollo/tools/max_turret_dump_logs

X



Figure 10-1: 15.1 Diagnostic, Administration, and Monitoring Main Menu

The submenus associated with the DAM menu dynamically change because they depend upon the services of the specific system; therefore, the menu selections that display on your system may be different from those in this chapter. For example, if you type 2, Check Availability, and you do not see an SIPX option, then there is not an active SIPX card in your network.Each DAM main menu selection allows you to choose a single node, a range, or all the devices in the system from a Selection Menu. For an example, see Figure 10-2.

Figure 10-2: Backup Services, Selection Menu

1. Script names/locations are provided as a general reference only; use the DAM Main menu to perform the action.

####################################################################

# Backup Services #

# Selection Menu #

####################################################################

1. Single device

2. Range of devices

3. All devices

0 Exit/Previous menu

Enter choice:



10.1.1 Backup File LocationAfter a DAM backup is executed, a backup file for each IP address/hostname entered is written to a .tar file at the following location:

/var/dam/backups/xxx.xx.xxx.xx/xxx.xx.xxx.xx.tar

Where xxx.xx.xxx.xx is the IP address or hostname of the ESS server selected for back up. If there is an existing backup file it is automatically overwritten.

10.1.2 Opening the 15.1 DAM MenuTo open the DAM menu, use the nodemgt.pl script.

To open the DAM menu1 Using an administrator’s account, log into a System Center. For instructions, see

section 1.2.5 Log in to the Alliance MX System Center on page 10.2 Open a Command Tool window and navigate to the /usr/sx/db/nodemgt directory:

a Right-click the desktop to open the Installer window and click Windows > Command Tool. A Command Tool window opens and the current directory is /usr/sx/db.

b Type cd nodemgt and press RETURN. 3 Run the script that opens the DAM Main menu (Figure 10-1 on page 322) by typing

nodemgt.pl and pressing RETURN.

10.1.3 Backup Services

Use the 1 Backup option of the DAM utility to back up node configuration and database information.

!Backing up a server includes its credentials. Do not generate new credentials before restoring an existing backup because it will fail—the existing backup was created with different credentials. Always back up a server after generating new credentials from the System Center to be sure that you have a valid backup.

You should always perform a system backup whenever keys are generated so that the credentials remain in sync.



To backup ESS network files1 You must know the IP addresses or hostnames of the servers you want to back up,

unless you choose to back up all ESS servers. For more information, see section 9.2 Obtaining IP Address Details on page 278.

2 From the DAM Main menu (see section 10.1.2 Opening the 15.1 DAM Menu on page 323), type 1 Backup, and press RETURN. The Backup Services Main menu displays (Figure 10-3 on page 324).

Figure 10-3: Backup Services Main Menu

3 Type the number of the service for backup and press RETURN. The Backup Services Selection Menu displays (Figure 10-4 on page 325).

Selections that display here depend on the setup of the network.



Figure 10-4: Backup Services, Selection Menu

4 On the Selection Menu, type the number and press RETURN to choose to back up the ESS database of one, some, or all ESS servers in the System Center’s server farm. If you enter 3, you are not asked to enter IP address information.• Use 1, Single device to backup a single node (ESS servers). You are prompted to

enter the IP address or hostname. Output similar to the following displays:Enter IP address or Hostname:159.63.77.166/usr/X11R6/bin/xauth: creating new authority file /home/ipcs-vcsa/.Xauthority'unknown': I need something more specific.Operation completed successfully.Please press return to continue...

• Use 2, Range of devices to backup a range of nodes. You are prompted to enter the first IP address or hostname, then the IP address of the ending node (in ascending order).

• Use 3, All devices to back up all nodes. With this option, you are not prompted to enter IP address information of the servers you want to back up.

5 At the Operation completed successfully prompt, press RETURN. The main menu displays (Figure 10-3 on page 324).

The backup file is successfully created even though this statement displays in the output: 'unknown': I need something more specific.

####################################################################

# Backup Services #

# Selection Menu #

####################################################################

1. Single device

2. Range of devices

3. All devices

0 Exit/Previous menu

Enter choice:



• 3, All devices to restore all nodes. With this option, you are not prompted to enter IP address information.

6 The System Center automatically restarts. Backup files are restored when Operation completed successfully displays.

If there are different credentials in the backup file than there are on the System Center and ESS server, then the following error displays: error 2026 - SSL connection error. Contact IPC Global Support for assistance with this error.


Chapter 11: 15.2 DAM: MAXaccess Appliance Management 339

1115.2 DAM: MAXaccess Appliance Management

You can use DAM tools to:• Diagnose the cause or nature of a technical issue• Administer and configuration of appliance and services• Monitor the configuration, status, and run-time state of the MAXaccess Appliance

and services

There are two System Center DAM tools, each utility is unique and serves a different purpose:• 15.1 DAM, see page 319

A menu-driven utility used for node management of ESS networks; available in Alli-ance 15.1 or higher.

• 15.2 DAMScript tools used for MAXaccess Appliance management; available in Alliance 15.2 or higher.

! DAM tools are case-sensitive.

Basic and advanced system configuration information generated by the 15.2 DAM scripts can also be viewed and modified in SysView. For more information, see the SysView Guide.


340 Chapter 11: 15.2 DAM: MAXaccess Appliance Management

In This Chapter11.1 15.2 Diagnostic, Administration, and Monitoring Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . .342

11.1.1 Script Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34311.1.2 Script Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346

11.1.2.1 Kerberos Accounts and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34811.1.3 Script Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

11.1.3.1 Standard Command Line Options for the Server . . . . . . . . . . . . . . . . . . . . . . .34911.1.4 Running Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35611.1.5 Execution Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358

11.1.5.1 Resolving Permission Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35911.1.5.2 Verify Script Permissions on the System Center . . . . . . . . . . . . . . . . . . . . . . . .361

11.1.6 Getting Script Help Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36211.2 Diagnosis with 15.2 DAM Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .363

11.2.1 Platform and Service Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36411.2.1.1 Check Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36511.2.1.2 Obtaining Internal State Information with -d (Dump State) . . . . . . . . . . . . . . .36511.2.1.3 Verify Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38011.2.1.4 Check Versions—MAXaccess 1000 and DAM tools . . . . . . . . . . . . . . . . . . . . .381

11.2.2 Logging Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38211.2.3 Resolving Common MAXaccess Soft Turret Issues . . . . . . . . . . . . . . . . . . . . . . . . . . .38411.2.4 Common Kerberos with System Center DAM Components . . . . . . . . . . . . . . . . . . . . .386

11.2.4.1 kinit and Ticket Expired Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38711.2.4.2 kdc-propagate.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38911.2.4.3 klist and kdestroy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38911.2.4.4 echo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39011.2.4.5 ifconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

11.3 appl_network.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39111.4 appl_platform.sh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39111.5 application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39211.6 callhistory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39311.7 callhistoryp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39411.8 discoverdam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39411.9 ha . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39511.10 ipcngstall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39611.11 kclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397

!To access 15.2 DAM script utilities, you must be either assigned a Kerberos principal account ID, have access to an account name and password, or create an account. For more information, see section 9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance on page 284).



11.1 15.2 Diagnostic, Administration, and Monitoring Scripts15.2 DAM is a script-driven architecture utility (dam-run.sh) that resides and supports the MAXaccess Appliance. Each application daemon has a corresponding DAM command line tool for accessing its DAM functions. The DAM scripts are accessed through the Kerberizer utility from the System Center. The Kerberizer utility is a Kerberos-enabled client/server infrastructure that allows a command line residing on the appliance server to be invoked from System Center using special account security, see section 11.1.2.1 Kerberos Accounts and Security on page 348.With the 15.2 DAM scripts, you can perform these tasks such as these:• Check the service name and version (-N, -v)• Check the service for details on configuration, status, runtime, and logging (-f, -c, -s,

-d, -l, -L)• Start, stop, and restart the all the services at once (-S, -H, -R)

This topic provides the basics about the 15.2 DAM tools and how you use them, in addition to a detailed description of each script:• 11.1.1 Script Summary on page 343

Lists each 15.2 DAM script and its purpose.• 11.1.2 Script Locations on page 346

Describes the DAM architecture and where you can access the DAM scripts. • 11.1.3 Script Syntax on page 348

Describes the format you must follow for all the scripts.• 11.1.4 Running Scripts on page 356

Includes procedures on how to execute a 15.2 DAM script locally or remotely.• 11.1.5 Execution Errors on page 358

Describes errors you may encounter when executing a 15.2 DAM command.• 11.1.6 Getting Script Help Online on page 362

You can view up-to-date help at any time.

For a detailed description of all available options (switch arguments), see Table 11-3: 15.2 DAM Standard Command Line Options for the Server on page 353


11.1 15.2 Diagnostic, Administration, and Monitoring Scripts 343

11.1.1 Script SummaryTable 11-1 describes the 15.2 DAM scripts and directs you to a list of available options.All 15.2 DAM hooks are located on the System Center under /opt/ipc/dam/bin>. The following scripts must be run from this directory location, see section 11.1.2 Script Locations on page 346.For command line syntax to run the commands, see section 11.1.3 Script Syntax on page 348.

Table 11-1: 15.2 DAM Script (/opt/ipc/dam/bin) Descriptions1

Script Tool Name and Comments

appl_network.sh DAM Network ToolUse to view network configuration information (status, version). For available options, see page 391.

appl_platform.sh DAM Platform ToolUse to view platform configuration information (status, version). For available options, see page 391.

application Application DaemonA 15.2 DAM hook used to check the application daemon running on the MAXaccess Appliance. For available options, see page 392.

callhistory NGST callhistoryd DaemonIQ/MAX service for the Call History pane in the soft turret. Use to display information about the Call History application. For available options, see page 393.

callhistoryp NGST callhistorypd Daemon IQ/MAX service for the Call History pane in the soft turret (with no true persistence). Use to display information about database access by the callhistory application/daemon. For available options, see page 394.

discoverdam Dam Discover ToolUse to view a list of available services on the MAXaccess Appliance; you cannot tell from this list which services are actually running. For available options, see page 394.

ha Load Balancing and FailoverUse to stop and restart clusters (for load balancing and redundancy). For available options, see page 395.



11.1.2 Script Locations15.2 DAM is accessed remotely using HTTP and all remote access is authenticated by Kerberos (Figure 11-1 on page 347). There are three ways to access the 15.2 DAM tools:• Remotely at the System Center console (or any facility that can access the console)

using a Command Line window.• Over the Internet using SysView.

SysView provides access to these DAM functions: download logs, configuration, sta-tus, start/stop, and reboot of the box. For more information, see the Alliance 15.2 Sys-View User Guide.

• From the appliance server itself.Locally at the target server, you can use the Command Line window (only when a SyC shell is possible).

usaged.sh IPC-NGST Usage DaemonThis script (usage daemon) is called by the 15.2 DAM tool when processing command line requests and gathers usage statistics (aggregate sums on a session basis for speaker use, UI collapse, callback type). For available options, see page 408.

whoiswho IPC MAXaccess 1000 whoiswho DaemonUsed for Kerberos authentication (TRID/PIN) and authorization (logon) of soft turret connections. You can use it to manage servers remotely on MAXaccess Appliance. For available options, see page 409.

whoiswho_syc IPC MAXaccess 1000 whoiswho DaemonUse to manage servers on the System Center directly. The whoiswho_syc service (on the Master server) is local to the System Center, so you do not need to include remote appliance directions in the script command line (see Figure 11-55). For available options, see page 410.

1. These reserved scripts also reside in the /opt/ipc/dam/bin location: dam-run-sudo.sh, dam-run.sh, kerberosAuthentication.sh, and notify_appliance_group_config.sh.

Table 11-1: 15.2 DAM Script (/opt/ipc/dam/bin) Descriptions1 (continued)

Script Tool Name and Comments

By default, the MAXaccess Appliance does not allow remote access using a shell utility (.ssh). Contact Professional Services for more information.



Figure 11-1: System Center and MAXaccess Appliance 15.2 DAM File Locations

Scripts located on the System Center (/opt/ipc/dam/bin) have “dam hooks” that allow you to use the same set of commands on the appliance (/opt/ipc/lib/dam). For a list of commands, see section 11.1.1 Script Summary on page 343.Because all appliance management DAM operations are authenticated using the single authority, Kerberos, you must enter these credentials as part of the script command (first you authenticate to the System Center, then you authenticate to the soft turret server).

Hooks:/opt/ipc/dam/bin/dam-run-sudo.sh/opt/ipc/dam/bin/dam-run.sh

Kclient:/opt/ipc/dam/bin/kclient



11.1.2.1 Kerberos Accounts and SecurityBecause 15.2 DAM is accessed remotely using HTTP and all remote access is authenticated by Kerberos, you must have both a Kerberos account (see section 9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance on page 284) and an operating system account to access 15.2 DAM utilities from the command line.To access 15.2 DAM information in SysView (for example, Tools > Application Server > Advanced), you need both the Kerberos account and a SysView account that has System Operator and/or System Administrator 2 roles assigned to it. The System Operator role allows access to basic configuration information for routine maintenance; System Administrator 2 role allows access to advanced system configuration information.

11.1.3 Script SyntaxTo execute any 15.2 DAM script command, use this format at the syscen:/opt/ipc/dam/bin> prompt (or /opt/ipc/bin/dam location if running on the appliance):

script_name -s server -l local_principal -r remote_principal -o [available_options]

Where:• script_name

Is the command (script or tool) to be executed, see Table 11-1 on page 343. Option-ally you can include ./ before the command to run the command from the current directory.

• -l Is the switch that precedes the name of the local principal.

• local_principalIs the local Kerberos principal that identifies who you are. For example, ipcin-stall. To create a Kerberos account, see section 9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance on page 284.

Before you can execute 15.2 DAM scripts, you will need to create a Principal account (or have access to an account name and password). For more information, see section 9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance on page 284.



• -r Is the switch that precedes the name of the remote principal of the service.

• remote_principal Is the fixed full name of the remote principal to the server you are interested in. It always has this format: dam/[FQDN] where FQDN is the Fully Qualified Domain Name. For example: dam/ngst4.ipc.com

• available_options Is the task option, see Table 11-3 on page 353.

In the online help, you will see [-a local_principal_cache_file], this is an option reserved for SysView. For script services that are local to the System Center, for example, portallocationService.sh or whoiswho_syc, you do not need to include the remote appliance pointer information; the syntax for those scripts is simply the dam command name and the option(s). For example, syscen:/opt/ipc/dam/bin>./whoiswho_syc -h.

11.1.3.1 Standard Command Line Options for the ServerTable 11-3: 15.2 DAM Standard Command Line Options for the Server contains a general list of options (a.k.a. script switches or arguments) you can use with most of the 15.2 DAM script commands. If an option is not applicable to a target, the DAM utility returns a message stating that the option is not supported for the target or returns a list of applicable options.

The scripts can also be run if the -r remote_principal and -l local_principal components are reversed. For example, both of these entries run successfully:proxy -s ngst11.ipc.com -r dam/ngst11.ipc.com -l ipcinstall -o -h

proxy -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -h

Before you run a script, you can use the -h help option with any DAM command to see the script usage format and options information. See this instruction: To see the execution format for any script on page 363.

Examples are not provided for each script option output because the content depends on what is actually applicable to the combination of tool, service, network condition, etc.For example, running the -v (version) option for the whoiswho tool returns ImageName, LongName, and Version information; whereas appl_network.sh only returns version number information.



Table 11-2: 15.2 DAM Script Options Summary identifies which options are not available (X) for each script. The logtool script has its own set of options.

Table 11-2: 15.2 DAM Script Options Summary 123

1. X = Option is available for the 15.2 DAM script.

Script N v c p g F s d l L f S H R I r

appl_network.sh X X X X X X X X X X

appl_platform.sh X X X X X X X X X

application X X X X X X X X X X

callhistory X X X X X

callhistoryp X X X X X

discoverdam X X X X

ha X X X X X X X X X X

ipcngstall X X X X X

kclient4 X X X

license5 X X X X X X X X X X

licenseService.sh X X X X X X X X

logtool6 X X X

ngsttele X X X X X X X X

persistence X X X X X X X X

portallocatorService.sh X X X X X X X X X

proxy X X X X X X X

usaged.sh7 X X X X X X X

whoiswho X X X X X X X X

whoiswho_syc X X X X X X X X X



2. -h option applies to all scripts.3. Option descriptions:

-h, --help Prints this help text-N, --name Prints the display name of the target daemon-v, --version Prints the version info of the target daemonFor logtool, -v is --level=LEVEL(S); Restrict log entries to those at the given level(s). Separate levels by commas to search multiple levels at once (e.g., level,info,crit)-c, --config Prints the runtime configuration of the target daemon-p,--put-config=CONFIG_DIRECTIVES Apply CONFIG_DIRECTIVES to the target-g, --get-config Get config_directives from the target-F, --config-files Prints a list of all configuration files used by the target daemon-s, --status Prints the status of the target daemon-d, --dump-state Prints the instance information of the target daemon-l,--log-level=LOG_LEVEL Set the logging level of the target to LOG_LEVEL-L, --log-file Prints the logfiles written to by the target daemon-f, --format <arg> Specifies the output format (text only supported)-S, --start Start the target daemon-H, --stop Stop the target daemon-R, --restart Restart the target daemon-r <args> Allows turning on and off flags for a specific instance (only arg allowed if using)For portallocatorService.sh,-r is for -- reloading the cacheFor whoiswho_syc, -r is for -- reloading the cache from databaseFor more information, see Table 11-3: 15.2 DAM Standard Command Line Options for the Server on page 353.

4. kclient allows these options: -h, --help; Display this message-v, --version; Display the program version-e, --error; Expect error information to be sent from kserver-c --cache; specifies an alternate credential cache file-o --outformat; Kerberos message format for sent request, plain, safe, priv-i --informat; Kerberos message format for response, plain, safe, priv-l --localprinc; local Kerberos principal-r --remoteprinc; remote Kerberos principal-k --keytab; use keytab to authenticate local principle-g --getfile; echo to stdout the file named by this option-p --putfile; copy from stdin to the file named by this option-u --url; url to which the message is sent-t --timeout; time in seconds to wait for response, default=30

5. license includes -u | --in-use; prints the current license usage



6. logtool has additional options, the complete list is:-h, --help; Display this message.-l, --list; List all targets.-L, --list-available; List only those targets that have log files.-c, --config-file=PXTH Read target configuration from the given file. This option may be omitted to discover targets dynamically through the DAM infrastructure.-g, --get=TARGET(S) Retrieve logs for the given target(s).-t, --tar; Output results in a compressed tar archive.-A, --all-targets; Retrieve logs for all available targets.-a, --all-rotations; For each target, retrieve logs from all rotations.-E, --error-file; Output any errors to a file with the given name. The file will be created in /tmp. If -t is also used, the error file will be returned in the compressed tar archive.-k, --keyword=KEYWORD; Restrict log entries to those containing KEYWORD-b, --begin-date=DATE; Restrict log entries to those occurring on or after DATE (mm-dd-yyyy-HH:MM:SS:tz format, where tz is offset in minutes from UTC)-e, --end-date=DATE; Restrict log entries to those occurring before or on DATE (mm-dd-yyyy-HH:MM:SS:tz format, where tz is offset in minutes from UTC)-v, --level=LEVEL(S); Restrict log entries to those at the given level(s). Separate levels by commas to search multiple levels at once (e.g., level,info,crit)

7. usage.d also includes these options:-D, --debug; Starts the target in debug mode, only valid on target start up-C, --config-file; Uses this configuration file when starting the target, only valid on target start up-u, --in-use Not supported.



Table 11-3: 15.2 DAM Standard Command Line Options for the Server

Option Function Description1

-c --config Returns the runtime configuration of the target. This is not the contents of any configuration file, this is the target’s own idea of what it’s runtime configuration is. This includes any and all runtime configurable parameters, whether explicitly set by a configuration file, command line option or environment variable, etc or not, as in the case of a default value. This is not a dump of internal state. The purpose of this script is to identify cases where a given configuration file says one thing, but the target thinks another. To this end, the output contains the pathname of any configuration files used. Script example output for whoiswho:authtype=1

credentialcache=/tmp/whoiswho.cc

damport=3500

heartbeatinterval=60

kerberos=true

keytab=/etc/opt/ipc/ngst/cwhoiswho.keytab

localservicename=cwhoiswho

masterhostname=syscen.ipc.com

masterport=4000

masteruri=http://syscen.ipc.com:80/whoswhoProxy/WhosWhoProxy

mode=slave

msgtype=1

recvtimeout=30

remoteservicename=swhoiswho

slavehostname=ngst11.ipc.com

slaveport=3000

Script example output for callhistoryp:multicastaddress=230.0.0.1bindaddress=127.0.0.1port=9999daemon=true



-d --dump-state This switch is optional; it does not apply to every script.Displays significant internal state information of the target. The type of information displayed depends on the target and is helpful in diagnosing field problems. For example, the significant internal state of telephony might include information such this as LACs, TRID, current call states, etc. You would likely see timer list details. See section 11.2.1.2 Obtaining Internal State Information with -d (Dump State) on page 365.

-F --format The option argument specifies the output format, the default for all tools is text. Defined formats can be text, html, xml and json. The -h (help) option list all formats that the tool supports.

-f --config-files Returns a list of all configuration files upon which the target relies.

-g --get-config Returns the current configuration as the same format of string as the -p option. This option is used to support a remote configuration tool that understands the configuration of the target. This switch is optional; it does not apply to every script.

-h --help Displays online help for the DAM tool. The help description includes standard options (common to most DAM tools) and their supported arguments. When an option is not implemented or applicable to a tool, either:• Online help notes that the option is not supported.• When the option is used, a message displays stating the option is not

supported.

-H --stop Stop (halt) the target if it is currently running. This switch applies only to ipcngstall.

Table 11-3: 15.2 DAM Standard Command Line Options for the Server (continued)

Option Function Description1



When a DAM command executes successfully, the following message appears above the output:

{“short_error”:”success”,”long_error”:”Success”}

For execution errors, see section 11.1.5 Execution Errors on page 358 and section 11.2.4.1 kinit and Ticket Expired Errors on page 387.

To run a 15.2 DAM script locally1 Open a Command Tool window. At the prompt, type cd /opt/ipc/dam/bin and

press RETURN.

2 Type the name of the script and provide authentication and switch information according to the script’s usage rules. For a list of script names, see section 11.1.1 Script Summary on page 343. For a discussion of the script syntax, see section 11.1.3 Script Syntax on page 348.

3 Press RETURN. For an example of the whoiswho script execution and output, see Figure 11-2. For script services that are local to the System Center, for example, licenseService.sh, portallocationService.sh, or whoiswho_syc, you do not need to include the remote appliance pointer information; For example: syscen:/opt/ipc/dam/bin>./whoiswho_syc -h

When the script output exceeds the length of the terminal window, break up the output by page using |more. For example, when running the application script when there are soft turret users logged in, see section 11.5 application on page 392.

The BASH shell tool (http://www.gnu.org/software/bash/) is helpful when running the 15.2 DAM scripts because it allows you to easily manipulate the entered text. For example, to copy and paste, highlight the displayed text and select the up arrow. To clear an entire line, select the down arrow. To edit character by character, use the right arrow, left arrow, and Backspace keys.You can also create a text file of the standard DAM commands for a site and copy and paste from there into the command line window. At that point, you can just change the option.

When running 15.2 DAM on the appliance, use this directory location: /opt/ipc/lib/dam.

http://www.gnu.org/software/bash/



Figure 11-2: whoiswho Script Execution and Output

To run a 15.2 DAM script remotely1 From a terminal emulator application window, at the syscen$> type

su - rmtinstall and press RETURN. Type the password and press RETURN again.

For a discussion of the script syntax, see section 11.1.3 Script Syntax on page 348.2 Press RETURN.

11.1.5 Execution ErrorsA DAM command execution can fail for reasons other than network connection failures:• Command syntax—For more a complete description of syntax formatting, see section

11.1.3 Script Syntax on page 349.

If your Windows PC does not have a terminal emulator application installed, you can download a free version of PuTTY from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/

syscen:/opt/ipc/dam/bin> ./whoiswho -s ngst4.ipc.com -l ipcinstall -r dam/ngst4.ipc.com -o -c

{"short_error":"success","long_error":"Success"}

credentialcache=/tmp/whoiswho.cc

damport=3500

heartbeatinterval=60

kerberos=true

keytab=/etc/opt/ipc/ngst/cwhoiswho.keytab

localservicename=cwhoiswho

masterhostname=syscen.ipc.com

masterport=4000

masteruri=http://syscen.ipc.com:80/whoswhoProxy/WhosWhoProxy

mode=slave

recvtimeout=30

remoteservicename=swhoiswho

slavehostname=ngst4.ipc.com

slaveport=3000

syscen:/opt/ipc/dam/bin>

http://www.chiark.greenend.org.uk/~sgtatham/putty/



• Some options are either not available yet for a DAM tool or will not be supported. In this case, a “not-supported” error message displays:syscen%./whoiswho -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -l{"short_error":"success","long_error":"Success"}log-level is not supported

• Has the correct script syntax was entered? Have you defined the local and remote principals properly in the command? While you can switch the order in the command, you must use the correct argument with each. -r is for the remote principal (Kerberos) and -l is for the local principal (dam/FQDN). In the following example, the wrong argument was used for the local principal (-r instead of -l), and a “remote principal error” was returned.:syscen:/opt/ipc/dam/bin> discoverdam -s ngst12.ipc.com -r ipcin-stall -l dam/ngst12.ipc.com -o -hinvalid remote principal specified, must include hostname{"short_error":"kclient","long_error":"remote principal error"}syscen:/opt/ipc/dam/bin>

• To reduce the amount of typing and potential for a typographic errors—IPC servers do include the BASH shell (allows copy and paste), so you can use that tool if you are familiar with it. See 11.1.4 Running Scripts on page 356.

• Test environmentsIf you are running the scripts remotely on a Windows PC, for example, in a test environment where the DNS is not routing, does the hosts file (C:\WIN-DOWS\system32\drivers\etc\hosts) file contains the IP address to host name mapping?

• General execution errorWhen you encounter an “curl_easy_perform” error, try running the command again.syscen:/usr/sx/db> logtool -s ngstll.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -herror sending request: Couldn't resolve host name{"short_error":"kclient","long_error":"curl_easy_perform"}

11.1.5.1 Resolving Permission ErrorsBecause of the Kerberizer’s additional security, you can encounter permission errors when running DAM utilities. • See Figure 11-3: Ticket Expiration Error on page 360 and section 11.2.4.1 kinit and

Ticket Expired Errors on page 387.



• See Figure 11-4: Incorrect Kerberos Principal on page 360• Root-level privilege errors

While many DAM tools don’t require a root-level privilege, there some commands where you’ll see a permission denied error because you must be a root-level user, for example, start ("-S"), stop ("-H") and restart ("-R") options. For sample output, see Figure 11-5: Exited with status 1 Error and Solution on page 361. To verify permissions on the System Center, see this instruction: Verify Script Permis-sions on the System Center on page 361.

Figure 11-3: Ticket Expiration Error

Figure 11-4: Incorrect Kerberos Principal

DAM Output:syscen% ./whoiswho -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -h{"short_error":"kclient","long_error":"krb5_get_credentials: Ticket expired"}

Solution:syscen% kinit -p ipcinstallPassword for [email protected]:

DAM Output:syscen% ./whoiswho -s ngst12.ipc.com -l ipcinstall -r dam/ngst12.ipc.com -o -nlocal principal not in credential cache : ipcinstalldo you need to run kinit?{"short_error":"kclient","long_error":"local principal not in cache"}syscen%

Solution:syscen% kinit -p ipcinstallPassword for [email protected]:



Figure 11-5: Exited with status 1 Error and Solution

11.1.5.2 Verify Script Permissions on the System CenterWhen you encounter a permissions error, you may need to verify that a root-level privilege account is not required.

To verify script permissions on the System CenterAt the syscen:/opt/ipc/dam/bin> prompt, type ls -lsa and press RETURN. The list of scripts with permissions displays, see Figure 11-6 on page 362.

DAM Output:syscen% ./whoiswho -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -R{"short_error":"kserver","long_error":"kserver:Child process whoiswho -R exited with status: 1"}sh: /etc/init.d/whoiswhod: Permission denied

Solution:syscen% ./ipcngstall -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o [status|start|stop|restart]

syscen% ./ipcngstall -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o status{"short_error":"success","long_error":"Success"}ngstteled (pid 27755 24348 24304 23980) is running...[ OK ]persistenceGrpLdrd (pid 27768 24349 24306 23982) is running...[ OK ]applicationd (pid 27777 24352 24307 23984) is running...[ OK ]callhistoryd (pid 27789 24351 24309 23983) is running...[ OK ]callhistorypd (pid 27801 24353 24308 23985) is running...[ OK ]whoiswhod (pid 27809) is running...[ OK ]licensed (pid 27818) is running...[ OK ]proxy (pid 27826 3394) is running...[ OK ]



Figure 11-6: System Center 15.2 DAM Script Permissions

11.1.6 Getting Script Help OnlineYou can obtain script usage details online at any time in a Command Tool window just by including the -h or -- help options with the script name. The general format is:

syscen:/opt/ipc/dam/bin> ls -lsa

total 788

2 drwxr-xr-x 2 root other 1024 Jun 20 17:24 ./

2 drwxr-xr-x 3 root other 512 Jun 20 17:22 ../

2 lrwxrwxrwx 1 root root 15 Jun 20 19:08 appl_network.sh-> dam-run-sudo.sh*

2 lrwxrwxrwx 1 root root 15 Jun 20 19:08 appl_platform.sh-> dam-run-sudo.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 application -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 callhistory -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 callhistoryp -> dam-run.sh*

4 -rwxr-xr-x 1 root root 1457 Apr 9 13:40 dam-run-sudo.sh*

4 -rwxr-xr-x 1 root root 1603 May 28 14:07 dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 discoverdam -> dam-run.sh*

2 lrwxrwxrwx 1 root root 15 Jun 20 19:08 ha -> dam-run-sudo.sh*

2 lrwxrwxrwx 1 root root 15 Jun 20 19:08 ipcngstall -> dam-run-sudo.sh*

148 -rwxr-xr-x 1 root other 74988 Jun 20 12:35 kclient*

2 -rwxr-xr-x 1 root other 33 Jun 20 16:05 kerberosAuthentication.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 license -> dam-run.sh*

14 -rwxr-xr-x 1 root root 6315 Jun 20 16:05 licenseService.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 logtool -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 ngsttele -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 notify_appliance_group_config.sh -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 persistence -> dam-run.sh*

14 -rwxr-xr-x 1 root root 6625 Apr 30 09:54 portallocatorService.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 proxy -> dam-run.sh*

22 -rwxr-xr-x 1 root root 10910 Apr 11 13:20 rcfe_tool.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 usaged.sh -> dam-run.sh*

2 lrwxrwxrwx 1 root root 10 Jun 20 19:08 whoiswho -> dam-run.sh*

544 -rwxr-xr-x 1 root root 268820 Jun 20 12:36 whoiswho_syc*



11.2 Diagnosis with 15.2 DAM Tools 363

./script_name -h (or ./script_name for System Center hooks)

To see the execution format for any script1 Open a Command Tool window (either locally or remotely).2 At the syscen: prompt, type cd /opt/ipc/dam/bin and press RETURN.

3 Type ./ and the name of the script, for example, ./whoiswho. For a list of script names, see section 11.1.1 Script Summary on page 343.

4 Type -h (or -- help) option after the script name and press RETURN. The system returns help (format and option details). Each 15.2 DAM tool script description includes a sample output of the available online help. For example, see Figure 11-32: appl_network.sh Option Help Descriptions on page 391.

If you omit the option, a missing parameter prompt is returned along with usage information for the command (see Figure 11-7). Follow the structure provided when writing the command for execution.

Figure 11-7: Obtaining Usage Details (whoiswho Example)

11.2 Diagnosis with 15.2 DAM Tools15.2 DAM tools can be used as platform and service tools, see page 364, and logging tools, see page 382.• 11.2.3 Resolving Common MAXaccess Soft Turret Issues on page 384

A description of how 15.2 DAM is used for platform, service, and logging, in addition to other helpful troubleshooting commands.

When running 15.2 DAM on the appliance, use this directory location: /opt/ipc/lib/dam

syscen:/opt/ipc/dam/bin> ./whoiswho

Missing parameter

usage: whoiswho -s server -r remote_principal [ -a local_principal_cache_file | -l local_principal] [ -o whoiswho options]


-a local_principal_cache_file is reserved for internal use by SysView



• 11.2.4 Common Kerberos with System Center DAM Components on page 386 Describes other UNIX commands that you can use in conjunction with DAM tools to diagnose a MAXaccess Appliance system.• klist, see section 11.2.4.3 klist and kdestroy on page 389• Kinit, see section 11.2.4.1 kinit and Ticket Expired Errors on page 387• echo, see section 11.2.4.4 echo on page 390• kclient, see section 11.11 kclient on page 397• ifconfig, see section 11.2.4.5 ifconfig on page 390• logtool, see section 11.2.2 Logging Tools on page 382

For a description of each script, sample uses, and a summary of which switches are available for it, see the individual script descriptions starting with section 11.3 appl_network.sh on page 391. Several of the scripts allow the -d, dump, option which can be used for obtaining internal state information on the system, see page 365.When working with the MAXaccess Appliance and Kerberos, keep the following information in mind:• Kerberos is sensitive to time differences. System clocks on devices using Kerberos

(appliances and System Center) must be synchronized to within five minutes of one another or authentication fails. Using NTP ensures this synchronization of time. If you need to adjust the time on the System Center, see section 2.3 Changing the System Center Date, Time, or Time Zone on page 54.

• DNS name resolution is required (both forward and backward).• Hostname/Domainname or IP address changes require you to re-register.• Tickets expire if a connection remains open for longer than 24 hours, see 11.2.4.1 kinit

and Ticket Expired Errors on page 387.

11.2.1 Platform and Service ToolsYou can use 15.2 DAM tools to verify service and platform information, start, stop, and restart the targets and perform service neutral tasks such as checking the target name, version, and configuration. Basic tasks include:

When the Kerberizer, a System Center wrapper, is not functioning, you cannot access 15.2 DAM commands using SysView or the System Center to troubleshoot the system. Contact Professional Services for additional instructions.



• Starting and stopping targets—use the appl_platform.sh and ipcngstall tools.• Restarting targets—use appl_network.sh and ha tools. • Verifying services are running—For example, to verify that the license service is

running or not, use the license tool. See section 11.2.1.3 Verify Licenses on page 380.

11.2.1.1 Check ServicesYou can verify that all services are running using SysView or the 15.2 DAM tool, ipcngstall.

To see the status of all daemons using ipcngstall1 At the Command Window prompt, syscen:/usr/sx/db>, type cd /opt/ipc/dam/bin

and press RETURN.2 Type ./ipcngstall -s FQDN -l ipcinstall -r dam/FQDN -o -s, where

FQDN is the fully qualified domain name, and -s is the status option. For example:syscen%./ipcngstall -s ngstha1.ipc.com -r dam/ngstha1.ipc.com -o -s

For the sample output, see Figure 11-41: ipcngstall Sample Output for Status on page 396.

To stop an start all the services1 Run the ipcngstall command with the -H stop option2 Execute the command again using the -S, start option.

11.2.1.2 Obtaining Internal State Information with -d (Dump State)The dump state option (-d) returns significant internal state information of the target. The type of information displayed depends on the target and is helpful in diagnosing field problems.

The following sample dump state outputs are for general information only.• appl_network.sh, see page 367 and page 368• appl_platform_sh, see page 368• application, see page 368• ha, see page 371

The dump state option does not apply to: callhistory, callhistoryp, discoverdam, ipcngstall, kclient, licenseServer.sh, logtool, and portallocatorService.sh.



• license, see page 372, page 373, and page 374• ngsttele, see page 374• persistence, see page 374• proxy, see page 374• whoiswho, see page 377• whoiswho_syc, see page 379• usaged.sh, see page 375 and page 376



Figure 11-8: appl_network.sh Dump State, Sample Output (part 1 of 2)



Figure 11-9: appl_network.sh Dump State, Sample Output (part 2 of 2)

Figure 11-10: appl_platform.sh Dump State Sample Output

Figure 11-11: application Dump State Sample Output (no soft turret users online)

syscen:/opt/ipc/dam/bin> application -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -d


MAXaccess 1000 AppsGroupLeader: INTERNAL STATE REPORT

Number of running sessions: 0

Highest session id: 0




Figure 11-12: application Dump State Sample Output, a soft turret user online, page 1 of 2syscen:/opt/ipc/dam/bin> application -s ngst11.ipc.com -l ipcinstall -r

dam/ngst11.ipc.com -o -d|more


MAXaccess 1000 AppsGroupLeader: INTERNAL STATE REPORT

Number of running sessions: 1

Highest session id: 304

My list of current sessions below:

Session: 295, PID: 19680, State: CHILD_FORKED

Start Internal State Dump for Session 295 Pid 19680

Login State: Logged IN

Force Login: YES

TRID: 105

Password: 105

Initialized: YES

Lock State: Unlocked

Link State: UP

Telephony State: UP

Apps State: Ready(3 of 3)

Application: CallManager

Selected side: LEFT

Title:READY

First line:Ready

Second line:

Privacy:OFF

Conference:OFF

Callback information below

Selecting callback:OFF

Right side Title:DIALTONE LINE

Right side First line:HANDSET

Right side Second line:912033397004

Use |more for page breaks



Figure 11-13: application Dump State Sample Output, a soft turret user online, page 2 of 2 INITIATED: 0

RECEIVED: 0

MISSED: 0

The Initiated Call History records are listed as follows:

The Received Call History records are listed as follows:

The Missed Call History records are listed as follows:

Application: Speakers

A total of 0 speaker channels have been assigned

-------Selected Speaker Channels-----------

Speaker State Information

-------------Speaker Grid Info-TOP LEFT-------------

Assigned Channel Index: -1

No Speaker Channel Assigned!

-------------Speaker Grid Info-TOP RIGHT------------



-------------Speaker Grid Info-BOTTOM LEFT----------



-------------Speaker Grid Info-BOTTOM RIGHTt--------



--More--Application: Directory: FavoritesButtonRecordList

Offset Button Record at float 1 dump: Module: "FAVORITE"

Visual Identity: "FEATURE_DISABLED"

Top Icon: ""

Bottom Icon: ""

The output continues to show a Button Record dump for all keys.

Use |more for page breaks



Figure 11-14: ha Dump State Sample Output

Cluster information:

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Scheduler Flags

-> RemoteAddress:Port Forward Weight ActiveConn InActConn

TCP 10.204.156.216:http wlc persistent 60 mask 255.255.255.240

-> ngstha1.ipc.com:http Local 1 0 0

-> ngstha3.ipc.com:http Route 1 0 0

Connection information:

IPVS connection entries

pro expire state source virtual destination

Connection statistics:

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes

-> RemoteAddress:Port

TCP 10.204.156.216:http 0 0 0 0 0

-> ngstha1.ipc.com:http 0 0 0 0 0

-> ngstha3.ipc.com:http 0 0 0 0 0

LVS sync daemon state:

master sync daemon (mcast=eth0, syncid=0)



Figure 11-15: license Dump State Sample Output (Part 1 of 3)In this example, three appliances are in the cluster (Ngst7a, Ngst7b, and Ngst7c). There are four active sessions: one on ngst7a and Ngst7b and two on Ngst7c.License –d from system center command prompt

License information:

Product='NGST'; Feature='58000156 License NGST Concurrent Sessions';

Total licenses=10; In Use (total across all LSDs)=4;

Usage by LSD:LSD id 0 (Myself : ngst7c.ipc.com) uses 2 licenses

LSD id 1 (ngst7a.ipc.com) uses 1 licenses

LSD id 2 (ngst7b.ipc.com) uses 1 licenses

End license information


Product='NGST';






Here are the licenses that I have : pairs are (product, feature)

License id: 9303('NGST','') ('NGST','58000156 License NGST Concurrent Sessions')

License id: 13399('NGST','') ('NGST','58000156 License NGST Concurrent Sessions')

License –d on Ngst7a

LicenseCacheController, Time[Thu May 22 09:09:00 2008]




Usage by LSD:LSD id 0 (Myself : ngst7a.ipc.com) uses 1 licenses


LSD id 2 (ngst7c.ipc.com) uses 2 licenses


Usage by LSD:LSD id 0 (Myself : ngst7a.ipc.com) uses 1 licenses





License id: 10277

('NGST','') ('NGST','58000156 License NGST Concurrent Sessions')



Figure 11-16: license Dump State Sample Output (Part 2 of 3)

License –d on Ngst7b





Usage by LSD:LSD id 0 (Myself : ngst7b.ipc.com) uses 1 licenses





Product='NGST';


Usage by LSD:LSD id 0 (Myself : ngst7b.ipc.com) uses 1 licenses





License id: 15339


License –d on Ngst7c










Product='NGST';








Figure 11-17: license Dump State Sample Output (Part 3 of 3)

Figure 11-18: ngsttele Dump State Sample Output

Figure 11-19: persistence Dump State Sample Output

Figure 11-20: proxy Dump State Sample Output


License id: 9303


License id: 13399




Figure 11-21: usaged.sh Dump State Sample Output (Page 1 of 2)syscen:/opt/ipc/dam/bin> usaged.sh -s ngst11.ipc.com -l ipcinstall -r

dam/ngst11.ipc.com -o -d


config address=0x9aa8450

pipe address=0x9aa8c48

stats address=0x9aa8968

bus address=0x9aa8e50

fdin=4

fdout=-1

fdcb=5

debug=NO

fdin_name=/var/opt/ipc/ngst/usaged/usaged.in

fdout_name=/var/opt/ipc/ngst/usaged/usaged.out

stats_filename=/var/opt/ipc/ngst/usaged/usage.log

mcastaddress=230.0.0.1

mcastport=9999

baddress=127.0.0.1

bport=9999

fdin_name=/var/opt/ipc/ngst/usaged/usaged.in

fdout_name=/var/opt/ipc/ngst/usaged/usaged.out

fdin=4

fdout=-1

mcastaddress=230.0.0.1

mcastport=9999

bindaddress=127.0.0.1

bindport=9999

fd=5

filename=/var/opt/ipc/ngst/usaged/usage.log

Name=

Value=1

Sessions=1

Name=1280X1024

Value=106

Sessions=106

Name=1400X1050

Value=12



Figure 11-22: usaged.sh Dump State Sample Output (Page 2 of 2)

Sessions=12

Name=COLLAPSE_COUNT

Value=0

Sessions=136

Name=EXPLORER6

Value=8

Sessions=8

Name=EXPLORER7

Value=93

Sessions=93

Name=FIREFOX1.5

Value=14

Sessions=14

Name=FIREFOX2

Value=3

Sessions=3

Name=INCALL

Value=105

Sessions=105

Name=MANUAL

Value=22

Sessions=22

Name=OUTCALL

Value=8

Sessions=8

Name=SPEAKER_CLICKED_COUNT

Value=8

Sessions=136




Figure 11-23: whoiswho Dump State Sample Output (page 1 of 2)

syscen:/opt/ipc/dam/bin> whoiswho -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -d


6001/ipc/6001/6001; 6002/ipc/6002/6002; 6003/ipc/6003/6003; 6004/ipc/6004/6004; 6005/ipc/6005/6005


6011/ipc/6011/6011; 6012/ipc/6012/6012; andy1/ipc/111/111; joan1/ipc/105/105; joe1/ipc/120/120

joe2/ipc/121/121; joe3/ipc/122/122; joe4/ipc/123/123; joe5/ipc/124/124; joe6/ipc/125/125

kathy1/ipc/110/100; london1/ipc/101/1011; london2/ipc/102/102; london3/ipc/103/103; mike1/ipc/108/108

mike2/ipc/109/109; mike3/ipc/126/126; mike4/ipc/127/127; mike5/ipc/128/128; mike6/ipc/129/129

mike/ipc/130/130; steve1/ipc/115/115; steve2/ipc/116/116; steve3/ipc/117/117; steve4/ipc/118/118

steve5/ipc/119/119; test/ipc/12/12; uitester600/ipc/600/600; uitester601/ipc/601/601; uitester602/ipc/602/602

uitester603/ipc/603/603; uitester604/ipc/604/604; uitester605/ipc/605/605; uitester606/ipc/606/606; uitester607/ipc/607/607












Figure 11-24: whoiswho Dump State Sample Output (page 2 of 2)










uitester698/ipc/698/698; uitester699/ipc/699/699; user104/ipc/104/104; user106/ipc/106/106; user107/ipc/107/107

user112/ipc/112/112; user113/ipc/113/113; user114/ipc/114/114

Total Trid = 143




Figure 11-25: whoiswho_sys Dump State Sample Output (page 1 of 2)syscen:/opt/ipc/dam/bin> whoiswho_syc -d



6011/ipc/6011/6011; 6012/ipc/6012/6012; andy1/ipc/111/111; joan1/ipc/105/105; joe1/ipc/120/120

joe2/ipc/121/121; joe3/ipc/122/122; joe4/ipc/123/123; joe5/ipc/124/124; joe6/ipc/125/125

kathy1/ipc/110/100; london1/ipc/101/1011; london2/ipc/102/102; london3/ipc/103/103; mike1/ipc/108/108

mike2/ipc/109/109; mike3/ipc/126/126; mike4/ipc/127/127; mike5/ipc/128/128; mike6/ipc/129/129

mike/ipc/130/130; steve1/ipc/115/115; steve2/ipc/116/116; steve3/ipc/117/117; steve4/ipc/118/118

steve5/ipc/119/119; test/ipc/12/12; uitester600/ipc/600/600; uitester601/ipc/601/601; uitester602/ipc/602/602












uitester658/ipc/658/658; uitester659/ipc/659/659; uitester660/ipc/660/660; i 661/i /661/661 i 662/i /662/662



Figure 11-26: whoiswho_sys Dump State Sample Output (page 2 of 2)

11.2.1.3 Verify LicensesYou can verify license usage using any of these methods:• Run the 15.2 DAM script, license.• In SysView, use Tools > Licenses > View Licenses.• In SysView, run the Soft Turret Trader Connection report (Soft Turret > Soft Turret Port

Reports).

To verify license information using 15.2 DAM Tools1 Using a DAM command, first verify that the daemon is running. Execute either with

the ipcngstall -s command or the license -s command using standard DAM syntax:

Usage: /opt/ipc/dam/bin/[dam_hook] -s [ngst IP or FQDN] -l local_principal -r dam/[ngst_FQDN] –o [DAM switch]where:dam_hook command

uitester661/ipc/661/661; uitester662/ipc/662/662








uitester698/ipc/698/698; uitester699/ipc/699/699; user104/ipc/104/104; user106/ipc/106/106; user107/ipc/107/107

user112/ipc/112/112; user113/ipc/113/113; user114/ipc/114/114

Total Trid = 143




-s: 159.63.79.242 or ngst11.ipc.com-l: kerberos principal identifying the user (e.g. ipcinstall)-r: kerberos principal used by remote kserver; always in the format of dam/[ngst_FQDN] (e.g. dam/ngst11.ipc.com)-o: DAM switches supported

Example:On the ngst11.ipc.com appliance, at the syscen:/opt/ipc/dam/bin> prompt, type: license -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -s

• If the service is not running, restart the service by typing ipcngstall -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -R

2 If the service is running, execute the license command with -u, the use option. The output displays how many licenses are in use and how many are available.Example:On the ngst11.ipc.com appliance, at the syscen:/opt/ipc/dam/bin> prompt, type: license -s ngst11.ipc.com -l ipcinstall -r dam/ngst11.ipc.com -o -u

11.2.1.4 Check Versions—MAXaccess 1000 and DAM toolsYou can check the software version either using the MAXaccess Soft Turret (after logon, select the Options key), or running the proxy 15.2 DAM command with the -c (configuration) option.

To determine the software version using proxy1 At the Command Window prompt, syscen:/usr/sx/db>, type cd /opt/ipc/dam/bin

and press RETURN.2 Type ./proxy -s FQDN -l ipcinstall -r dam/FQDN -o -s, where FQDN is

the fully qualified domain name, and -s is the status option. For example:syscen%./proxy -s ngstha1.ipc.com -r dam/ngstha1.ipc.com -o -c

To determine DAM hook usage and version output, use -v optionFor example, to determine the version information of the whoiswho daemon:

syscen% /opt/ipc/dam/bin/whoiswho –s ngst11.ipc.com –l ipcinstall –r dam/ngst11.ipc.com –o –v

You can also see licence information using the -d dump status output, see Figure 11-15: license Dump State Sample Output (Part 1 of 3) on page 372.




ImageName=/opt/ipc/whoiswho/bin/whoiswhodLongName=IPC MAXaccess 1000 whoiswho DaemonVersion=1.0.0

11.2.2 Logging ToolsOptions are used in conjunction with the logtool to list available logging targets, retrieve logs for the given target(s), specify output in tar format and retrieve logs at the given logging level. You must be a root user to view kserver logs.

Log files on the MAXaccess Application are stored in /var/log/. Logs on the System Center are located in /usr/tomcat5/logs. For example:

syscen:/usr/tomcat5/logs> ls./ sysconfig.log.2 whoiswhoproxy.log.4../ whoiswhoproxy.log whoiswhoproxy.log.5license.log whoiswhoproxy.log.1 whoiswhoproxy.log.6portallocator.log whoiswhoproxy.log.10 whoiswhoproxy.log.7sysconfig.log whoiswhoproxy.log.2 whoiswhoproxy.log.8sysconfig.log.1 whoiswhoproxy.log.3 whoiswhoproxy.log.9

To view contents of a log file, use tail -f. For example:syscen/usr/tomcat5/logs> tail -f /usr/tomcat5/logs/sysconfig.log

Rotation rules apply to DAM logs (overwrite every 10th log) as described in section 4.2.1.2 Log File Rotation on page 89.Use the logtool (section 11.14 logtool on page 401) command to generate a list of logs and search them for key words, see Figure 11-27 on page 383.

SysView provides a user-friendly interface for downloading and viewing soft turret log tools in Soft Turret > Appliance. See the SysView Guide for instructions.



Figure 11-27: Logtool -l Option Example (List of Logs)

In the following example, Figure 11-28, the logtool searched within the multiple levels (crit, warning, error) for a particular key word (trid=0).

syscen:/opt/ipc/dam/bin> logtool -s ngst12.ipc.com -l ipcinstall -r dam/ngst12.ipc.com -o -l


appl_network.sh (None)

appl_platform.sh (None)

application SYSLOG:/LOG_LOCAL3:NGSTAppsGroupLeader

callhistory SYSLOG:/LOG_LOCAL3:callhistoryd

callhistoryp SYSLOG:/LOG_LOCAL3:callhistorypd

enableSSH.sh (None)

ha

SYSLOG:/local6:ipcha, IPC HA logs

SYSLOG:/local6:heartbeat, heartbeat logs

SYSLOG:/local6:ldirectord, ldirectord logs

SYSLOG:/local6:mon, mon logs

license SYSLOG:/LOG_LOCAL5:licensed

ngsttele SYSLOG:/LOG_LOCAL0:ngsttele

persistence SYSLOG:/LOG_LOCAL1:persistence

platform_mond_tool (None)

proxy SYSLOG:/LOG_LOCAL4:proxy

rcfe_tool.sh (None)

setapacheport.sh (None)

usaged.sh

SYSLOG:/LOG_LOCAL3:usaged

FILE://var/opt/ipc/ngst/usaged/usage.log

DAM script input

Successful Output



Figure 11-28: Logtool Search (multiple levels, key word is trid=0)

11.2.3 Resolving Common MAXaccess Soft Turret IssuesGeneral monitoring of the logs and system status with the logtool script (section 11.2.2 Logging Tools on page 382) and SysView provide valuable information for solving product issues. In addition to log monitoring, Table 11-4 lists several 15.2 DAM scripts that can be used to help target a resolution for MAXaccess Soft Turret issues. For a list of Alliance 15.2 alarms related to MAXaccess 1000, see the Advanced System Center Reference Manual, alarms 467 through 688.

syscen% /opt/ipc/dam/bin/logtool -s ngst11.ipc.com -r dam/ngst11.ipc.com -l ipcinstall -o "-g proxy -v crit,warning,error -k trid=0"Wed 05 07 2008 -04:00 19:18:36 [local4] [crit] ngst11 proxy[18528]: (sid=0, trid=0) sessionmgr.cpp session_shutdown 332 Session-Mgr::session_shutdown not implemented, broken session is 85Thu 05 08 2008 -04:00 12:36:04 [local4] [crit] ngst11 proxy[18528]: (sid=0, trid=0) sessionmgr.cpp session_shutdown 332 Session-Mgr::session_shutdown not implemented, broken session is 97Thu 05 08 2008 -04:00 13:12:18 [local4] [warning] ngst11 proxy[18528]: (sid=0, trid=0) ipclicenseimpl.cpp ~LicenseServiceImpl 615 ERROR: There were 8 more calls to getLicense than calls to putLicense. This is a strong indication of a programming error in the use of Licensing APIsThu 05 08 2008 -04:00 13:12:22 [local4] [warning] ngst11 proxy(worker)[5447]: (sid=0, trid=0) config.cpp readConfigFromDNS 445 Warning: I can't find any DNS/TXT records for _ipclicense-WarnLevel

DAM script input

Output



Table 11-4: 15.2 DAM Scripts or Tasks for MAXaccess 1000 Issues

Issue Script or Task Description

Cannot open the MAXaccess Soft Turret.

• Use ipcngstall to check status of services.

• Use the echo command to see that the Kerberizer is working, if it isn’t, then the Apache service is not operating, see page 390.

• Verify that the URL is not an IP.• Was the URL typed correctly?• Was the IE security certificate

installed? For instructions, see the MAXaccess Soft Turret User’s Guide.

After entering MAXaccess Soft Turret logon credentials, the Logon window continues to display.

• Use proxy, see page 407 to search for authentication failures. Use whoiswho, see page 409 to see if the TRID is valid or not mapped for soft turret.

In a proxy log, a non-valid TRID = 0.

MAXaccess Soft Turret does not log on.

• Use ngsttele, see page 404 to check services or use SysView’s Appliance View page.

• Use license and licenseService.sh, see page 399 and page 400.

MAXaccess Soft Turret cannot log on while services are loading.

If you can log into the MAXaccess Soft Turret, but have a port issue.

• Use portallocatorService.sh, see page 406.

• In SysView, run the Soft Turret Trader Connection report (Soft Turret > Soft Turret Port Reports) for TRIDs on dedicated ports or run the whoiswho script to verify the TRID is valid.



11.2.4 Common Kerberos with System Center DAM ComponentsMIT Kerberos (v1.6.3) tools can be used with DAM components for diagnosis.

• MAXaccess Soft Turret buttons do not display.

• Upon log on, the soft turret continues to display: Downloading Profile...

• The MAXaccess Soft Turret suddenly looses connection and closes.

• Use persistence, see page 405. This can indicate loss of connection from a station card failure (a RAD station card is taken out). This message displays in the persistence log: backroom link is down and the 290 alarm displays.To determine the card LAC, use SysView to view the Trader Logon report, then the station port details (Soft Turret > View Station Port > Config).

• MAXaccess Soft Turret suddenly logs out.

• Monitor TRIDs and ports.

• Use ngsttele, see page 404. Use ngsttele status (-s) to determine if telephony is running.

MAXaccess Soft Turret displays license error message during logon.

• Use license and licenseService.sh, see page 399 and page 400.

See 11.2.1.3 Verify Licenses on page 380.

History pane issues. • Use callhistory and callhistoryp.

The Speaker Selection pane is grayed out so that visible speakers cannot be assigned, and this error message displays: Speaker Selection Error, No available audio source!

Use SysView:• Determine TRID station LAC. In

SysView, run the Trader Logon to Soft Turret report (Reports > Soft Turret Port Reports).

• Change the port configuration to Hard Turret using SysView (Soft Turret > Port Config > Port Based).

The soft turret user accessed a dedicated port with no speaker channel. To correct the issue, in the Port Allocation Rules table, set all the ports with zero (0) speaker channels to Hard Turret and use the reuse allocation mode.

Table 11-4: 15.2 DAM Scripts or Tasks for MAXaccess 1000 Issues (continued)

Issue Script or Task Description



• /usr/sx/db>kadminui, see section 9.6 Kadmin UI and Principal Account Management for the MAXaccess Appliance on page 284

• /usr/local/bin>kinit, see section 11.2.4.1 kinit and Ticket Expired Errors on page 387• /usr/sx/db>kdc-propogate.sh, see section 11.2.4.2 kdc-propagate.sh on page 389The configuration file is located here: /etc/krb5.conf

11.2.4.1 kinit and Ticket Expired ErrorsYou can run the kinit command anytime you encounter this error message:"long_error":"krb5_get_credentials: Ticket expired

This command is used primarily by SysView to authenticate a Kerberos account and create a cached ticket for the session. Tickets expire when a connection stays open for 24 hours.

To run kinit and create a new ticket1 From the Command line, type kinit and press RETURN.2 Enter the account password and press RETURN.If you choose to run the command without including the account name, then kinit assumes the account last logged in. For example:

syscen:/opt/ipc/dam/bin> kinit -p ipcinstallPassword for [email protected]:

To avoid encountering ticket expiration errors, open a new window each time you want to run a DAM command.



Figure 11-29: kinit Option Help Descriptions

syscen:/opt/ipc/dam/bin> kinit -h

kinit: illegal option -- h

Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time]

[-r renewable_life] [-f | -F] [-p | -P] [-a | -A]

[-v] [-R] [-k [-t keytab_file]] [-c cachename]

[-S service_name][-X <attribute>[=<value>]] [principal]

options: valid with Kerberos:

-5 Kerberos 5 (available)

-4 Kerberos 4 (available)

(Default behavior is to try Kerberos 5)

-V verbose Either 4 or 5

-l lifetime Either 4 or 5

-s start time 5

-r renewable lifetime 5

-f forwardable 5

-F not forwardable 5

-p proxiable 5

-P not proxiable 5

-a include addresses 5

-A do not include addresses 5

-v validate 5

-R renew 5, or both 5 and 4

-k use keytab 5, or both 5 and 4

-t filename of keytab to use 5, or both 5 and 4

-c Kerberos 5 cache name 5

-S service 5, or both 5 and 4

-X <attribute>[=<value>] 5



11.2.4.2 kdc-propagate.shUse this script to send a read-only version of security data from the master KDC to the slave KDC so that authorizations can occur. This script obtains a list of NGST servers, exports a read-only version into a temporary file, then performs the propagation. If no problems are returned, (for example, Problem dumping database, Problem retrieving slave names, Problem running kprop for <servername>), then the propagation was successful.To run this script, follow the script name with the realm (e.g., IPC.COM). In order to push out changes to the IPC KDC, run the script as root.

Figure 11-30: kdc-propogate.sh Syntax

11.2.4.3 klist and kdestroyUse the klist command to view a list of active Kerberos tickets. For ticket information, see 11.2.4.1 kinit and Ticket Expired Errors on page 387. You can run this command without any options (see Figure 11-31). Whenever you use the kinit command, you create a ticket. If you want to clear all tickets, run the kdestroy command.

syscen:/opt/ipc/dam/bin> kdc-propagate.sh -h

usage: 4 [-r realm]

Documents

Alliance MX 15.2 System Center Administration Guide · Administration Guide Part Number Release 15.2 IPC ... Updates the SysView keystore on the System Center Administrator’s account;