ACS 5.3 Software Developer's Guide

Software Developers Guide for Cisco Secure Access Control System 5.
3
September 2011
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
Text Part Number: OL-22972-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Software Developers Guide for Cisco Secure Access Control System 5.3 2011 Cisco Systems, Inc. All rights reserved.
C O N T E N T S
Preface
vii vii vii
Audience Conventions
How This Guide Is Organized

iii-viii ix ix
Documentation Updates Related Documentation
Obtaining Documentation and Submitting a Service Request

1
CHAPTER
Overview
1-1 1-2
Understanding Web Services Understanding WSDL Understanding WADL

2
1-3 1-3
CHAPTER
Using the UCP Web Service
2-1 2-2
Understanding the Methods in the UCP Web Service User Authentication 2-2 User Change Password 2-3 Using the WSDL File 2-4 Downloading the WSDL File 2-4 UCP WSDL File 2-4 Request and Response Schemas 2-7 User Authentication Request 2-7 User Authentication Response 2-7 User Change Password Request 2-7 User Change Password Response 2-7 Working with the UCP Web Service Sample Client Code 2-8
3
2-7
CHAPTER
Using the Monitoring and Report Viewer Web Services Understanding the Methods in the Viewer Web Services Get Version 3-2 Get Authentication Status By Date 3-3 Get Authentication Status By Time Unit 3-3
3-1 3-2
Software Developers Guide for Cisco Secure Access Control System 5.3 OL-22972-01
iii
Contents
Get Failure Reasons 3-4 Get RADIUS Accounting 3-4 Get API Version 3-5 Understanding the WSDL Files 3-5 Downloading the WSDL Files 3-6 Viewer WSDL Files 3-6 Integrating the Viewer Web Services with Your Application Working with the Viewer Web Services 3-10 Required Files 3-10 Supported SOAP Clients 3-11 Connecting to the Viewer Web Services 3-11 Sample Client Code 3-12
4
3-9
CHAPTER
Using the Configuration Web Services Supported Configuration Objects Identity Groups 4-2 Attribute Info 4-3 Group Associations 4-3 Query Object 4-3 Filtering 4-3 Sorting 4-4 Paging 4-5 Request Structure 4-5 URL Path 4-5 HTTP Methods 4-6 Response Structure 4-7 HTTP Status Codes 4-7 ACS REST Result 4-8 Returned Objects 4-9 WADL File Schema File Sample Code
4-9 4-9 4-10 4-1
4-1
CHAPTER
Using the Scripting Interface
5-1
Understanding Import and Export in ACS 5-2 Importing ACS Objects Through the CLI 5-2 Exporting ACS Objects Through the CLI 5-3 Viewing the Status of Import and Export Processes
5-4
Software Developers Guide for Cisco Secure Access Control System 5.3
iv
OL-22972-01
Contents
Terminating Import and Export Processes Supported ACS Objects

5-5
5-5
Creating Import Files 5-7 Downloading the Template from the Web Interface 5-7 Understanding the CSV Templates 5-8 Creating the Import File 5-9 Adding Records to the ACS Internal Store 5-9 Updating the Records in the ACS Internal Store 5-10 Deleting Records from the ACS Internal Store 5-10 Using Shell Scripts to Perform Bulk Operations Sample Shell Script 5-11
A
5-11
APPENDIX
Monitoring and Report Viewer Database Schema Configuring a Remote Database in ACS
A-1
A-1
Understanding the Monitoring and Report Viewer Database Schema Raw Tables A-3 Aggregated Tables A-3 Microsoft SQL Server Schema A-4 Oracle Schema A-24
INDEX
A-2
Contents
vi
OL-22972-01
Preface
Welcome to the Software Developer Guide for the Cisco Secure Access Control System 5.3! This document provides details about the interfaces that Cisco Secure Access Control System (ACS) offers that you can use to interact with external customer-developed applications. This includes several web services for application access and scriptable access for bulk provisioning using the command-line interface (CLI). It also allows you to create a replica of the Monitoring and Troubleshooting database for application development.
Audience
This guide is intended for software engineers and programmers who create custom applications to interact with ACS. The software engineers and programmers must be familiar with:

Web Services Description Language (WSDL) File Web Application Description Language (WADL) File Web Services Tools REST Services Tools
How This Guide Is Organized

Table 1 describes the contents of each chapter in this document.
Table 1 Organization
Chapter/ Appendix 1
Title Overview
Description Provides an overview of the ACS 5.3 features in the form of web services. It also gives CLI commands that you can use in your custom applications to interact with ACS. Describes the User Change Password web service, the methods that it provides, and how you can use it in your application.
vii
Preface Conventions
Table 1
Organization (continued)
Chapter/ Appendix 3
Title Using the Monitoring and Report Viewer Web Services
Description Describes the web services that the Monitoring and Report Viewer component of ACS provides, and it also explains how to use these web services in your application. Describes the Configuration Web Services, the CRUD methods that it provides, and explains how to use it in your application. Describes the scripting interface that ACS provides. This interface allows you to perform bulk create, update, and delete operations on various ACS objects. Provides the Monitoring and Report Viewer database schema that allows you to create custom reporting applications.
Using the Configuration Web Services Using the Scripting Interface
Monitoring and Report Viewer Database Schema
Conventions
Table 2 describes the conventions followed in this document.
Table 2 Conventions
Convention bold font italic font [ ] {x | y | z } [x|y|z] string

courier
Description Commands and keywords. Variables for which you supply values. Keywords or arguments that appear within square brackets are optional. A choice of required keywords appears in braces separated by vertical bars. You must select one. Optional alternative keywords are grouped in brackets separated by vertical bars. Nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
font font
Examples of information displayed on the screen. Examples of information you must enter. Nonprinting characters, such as passwords, appear in angle brackets. Default responses to system prompts appear in square brackets. An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
bold courier
< > [ ] !, #
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
viii
OL-22972-01
Preface Conventions
Timesaver
Means the described action saves time. You can save time by performing the action described in the paragraph.
Documentation Updates
Table 3 Updates to the Software Developers Guide for the Cisco Secure Access Control System 5.3
Date 10/03/2011
Description Cisco Secure Access Control System Release 5.3.
Related Documentation
Table 4 lists a set of related technical documentation available on Cisco.com. To find end-user documentation for all products on Cisco.com, go to: http://www.cisco.com/go/techdocs
Note
We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 4 Product Documentation
Document Title Release Notes for the Cisco Secure Access Control System 5.3 User Guide for Cisco Secure Access Control Sytem, 5.3 Migration Guide for the Cisco Secure Access Control System 5.3 CLI Reference Guide for the Cisco Secure Access Control System 5.3 Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3 Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.3
Available Formats http://www.cisco.com/en/US/products/ps9911/ prod_release_notes_list.html http://www.cisco.com/en/US/products/ps9911/ products_user_guide_list.html http://www.cisco.com/en/US/products/ps9911/ prod_installation_guides_list.html http://www.cisco.com/en/US/products/ps9911/ prod_command_reference_list.html http://www.cisco.com/en/US/products/ps9911/ prod_installation_guides_list.html http://www.cisco.com/en/US/products/ps9911/ products_device_support_tables_list.html
Regulatory Compliance and Safety Information http://www.cisco.com/en/US/docs/net_mgmt/ for Cisco Identity Services Engine, Cisco 1121 cisco_secure_access_control_system/5.1/ Secure Access Control System, Cisco NAC regulatory/compliance/csacsrcsi.html Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler
ix
Preface Conventions
Table 4
Product Documentation (continued)
Document Title
Available Formats
License and Documentation Guide for the Cisco http://www.cisco.com/en/US/products/ps9911/ Secure Access Control System 5.3 products_documentation_roadmaps_list.html Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3 http://www.cisco.com/en/US/products/ps9911/ products_licensing_information_listing.html
Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
OL-22972-01
CH A P T E R
Overview
The Cisco Secure Access Control System (ACS) is a policy-based access control system and an integration point for network access control and identity management. ACS 5.3 provides web services and command-line interface (CLI) commands that allow software developers and system integrators to programmatically access some ACS features and functions. ACS 5.3 also enables you to access to the Monitoring and Report Viewer database that you can use to create custom applications to monitor and troubleshoot ACS. You can use these web service and CLI commands to:

Integrate external applications directly with ACS. View and modify the information stored in ACS.
The User Change Password (UCP) web service allows users, defined in the ACS internal database, to first authenticate and then change their own password. ACS exposes the UCP web service to allow you to create custom web-based applications that you can deploy in your enterprise. The Monitoring and Report Viewer web services allow you to create custom applications to track and troubleshoot events in ACS. ACS REST web services allows you to manage the entities such as users and user groups only on your own management applications and use ACS PI to transfer these entities into ACS. This allows you to define these entities and use them on your own systems and on ACS. The scripting interface in ACS allows you to perform create, read, update, and delete (CRUD) operations on ACS objects. You can create an automated shell script to perform bulk operations. ACS allows you to export data from the Monitoring and Report Viewer database. You can use this data to create custom reporting applications. Appendix A, Monitoring and Report Viewer Database Schema in this document contains the Monitoring and Report Viewer database schema to help you create your custom application. ACS 5.3 provides:
UCP web service to perform the following operations:

Authenticate User Change User Password
Monitoring and Report Viewer web services that provide:

Monitoring and Report Viewer version Monitoring and Report Viewer web services version Authentication status of a user by date Authentication status of a user by time
1-1
Chapter 1 Understanding Web Services
Overview
A list of records that give the reasons for failures A list of RADIUS accounting records
Configuration web services to perform the following operations:

Create, read, update and delete objects, including creating and removing any associations to the
objects
Get a list of objects of the same type (For example, a list of all Users) Retrieve associated objects, including filtering capabilities Execute queries
CLI commands to perform bulk operations on ACS objects for the following functions:
Import Export
You can perform bulk operations on the following ACS objectsusers, hosts, network devices, identity groups, network device groups (NDGs), downloadable access control lists (DACLs), and command sets. Before you begin to use the ACS web services and CLI commands in scripts, you must have a working knowledge of:

Web Services Description Language (WSDL) File Web Application Description Language (WADL) File Web Services Tools Understanding Web Services, page 1-2 Understanding WSDL, page 1-3
This chapter contains the following sections:

Understanding Web Services

Web services are a subset of web-based applications that use the XML protocol to exchange data between the client and the server. Web services use:

Hypertext Transfer Protocol Secure (HTTPS)Transports messages between client applications and the web service server. Simple Object Access Protocol (SOAP)Encodes messages in a common XML format so that they can be understood at either end (web service consumer and web service server) of a network connection. SOAP standardizes the format of the requests to the web service server. Any client application can interface with the ACS web server using SOAP over HTTPS. WSDL fileDescribes the web service, its location, and its operations. ACS 5.3 exposes the following WSDL files:
UCP WSDL Monitoring and Report Viewer WSDL
Representational State Transfer (REST)REST is a software architecture style for distributed systems. ACS Configuration web services are built using the REST architecture. This service provides a uniform set of operations for all resources.
1-2
OL-22972-01
Chapter 1
Overview Understanding WSDL
RESTful web services typically map the four main HTTP methods; POST, GET, PUT, and DELETE to common operations; that is, create, retrieve, update, and delete, respectively.
WADL fileDescribes the REST interface. This includes description of objects and methods for the REST interface.
Understanding WSDL
The Web Services Definition Language (WSDL) is an XML format that describes network services as a collection of ports that operate on messages. WSDL is extensible to allow the description of endpoints and their messages, regardless of the message formats or network protocols that you use. For more information on WSDL documentation and software downloads, refer to the World Wide Web Consortium website.
Note
You can use any third-party applications to transform your WSDL file.
Understanding WADL
The Web Application Description Language (WADL) file describes REST Interface schema (object structure), HTTP methods, and URLs that are available for each object to invoke REST request. The WADL files are designed to provide a machine processable description of HTTP based web applications. They are supplemented with XML schema for XML based data formats. ACS also provides XSD files that describe the objects structure. You can generate object classes out of XSD files, using third party tools.
1-3
Chapter 1 Understanding WADL
Overview
1-4
OL-22972-01
CH A P T E R

This chapter describes the environment that you must set up to use the User Change Password (UCP) web service and explains how you can use it. The UCP web service allows you to authenticate an internal user and change the internal user password. You can use this web service interface to integrate ACS with your in-house portals and allow users in your organization to change their own passwords. The UCP web service allows only the users in your organization to change their passwords. They can do so on the primary or secondary ACS servers. The UCP web service compares the new password that you provide with the password policy that is configured in ACS for users. If the new password conforms to the defined criteria, your new password takes effect. After your password is changed on the primary ACS server, ACS replicates it to all the secondary ACS servers. The Monitoring and Report Viewer provides a User_Change_Password_Audit report that is available under the ACS Instance catalog. You can generate this report to track all changes made to user passwords in the internal database, including the changes made through the UCP web service. You can use this report to monitor usage and failed authentications.
Enabling the Web Interface on ACS CLI
You must enable the web interface on ACS before you can use the UCP web service. To enable the web interface on ACS, from the ACS CLI, enter:
acs config-web-interface ucp enable
For more information on the acs config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/ reference/cli_app_a.html#wp1887278.
Viewing the Status of the Web Interface from ACS CLI
To view the status of the web interface, from the ACS CLI, enter:
show acs-config-web-interface
For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1890877. This following sections describe how to use the UCP web service:

Understanding the Methods in the UCP Web Service, page 2-2 Using the WSDL File, page 2-4 Working with the UCP Web Service, page 2-7
2-1
Chapter 2 Understanding the Methods in the UCP Web Service
Understanding the Methods in the UCP Web Service

The UCP web service comprises the following methods:

User Authentication, page 2-2 User Change Password, page 2-3
User Authentication
The User Authentication method authenticates a user against an internal database.
Input Parameters

Username Password
Purpose
Use the authenticateUser method for applications that require a two-step procedure to change a user password. For example, a ACS user interface application that prompts the user to change the password, does it in two steps:
1. 2.
It authenticates the user It changes the user password.
To change a password:
Step 1
Connect to the UCP web application A login page appears.
Step 2
Enter the username and password. The authenticateUserweb service function is invoked. If your credentials match the data in the ACS internal store, your authentication succeeds.
Note
This method does not perform any change and does not authorize you to perform any task. You use this method only to verify if the password is correct. However, after a successful authentication, you can move to the change password page to use the User Change Password method.
Output Parameters
The response from the User Authentication method could be one of the following:

Authentication Succeeded Authentication Failed
Exceptions
This method displays an error message if:

The authentication fails due to incorrect username or password. The user is disabled.
2-2
OL-22972-01
Chapter 2
Using the UCP Web Service Understanding the Methods in the UCP Web Service
A web service connection error occurs, such as network disconnection or request timeout error. A system failure occurs, such as the database being down and unavailable.
User Change Password

The User Change Password method authenticates a user against an internal database and changes the user password.
Input Parameters

Username Current password New password
Purpose
Use the changeUserPassword method for applications that require a single-step procedure to change the user password. Changing a user password is normally a two-step procedure. The first step is to authenticate the user and the second step is to change the user password. The changeUserPassword method allows you to combine the two steps into one. A script or a single-page web application is an example of applications that require a single-step procedure to change the user password. To change a password:
Step 1
Connect to the UCP web application A login page appears.
Step 2
Enter the username and password. The authenticateUser web service function is invoked. If authentication succeeds, the web service compares the new password against the password policy that is configured in ACS. If your new password meets the defined criteria, the changeUserPassword web service function is invoked to change your password.
Output Parameters
The response from the User Change Password method could be one of the following:

Operation Succeeded Operation Failed
Exceptions
This method displays an error if:

The authentication fails because of an incorrect username or password. The user is disabled. The password change operation fails because the password does not conform to the password complexity rules defined in ACS.
2-3
Chapter 2 Using the WSDL File
A web service connection error occurs, such as network disconnection or request timeout error. A system failure occurs, such as the database being down and unavailable.
Using the WSDL File

This section describes the WSDL file and the request and response schemas for the User Authentication and User Change Password methods. This section contains:

Downloading the WSDL File, page 2-4 UCP WSDL File, page 2-4 Request and Response Schemas, page 2-7
Downloading the WSDL File

To download the WSDL file from the ACS 5.3 web interface:
Step 1 Step 2 Step 3 Step 4 Step 5
Log into the ACS 5.3 web interface. Choose System Administration > Downloads > User Change Password. Click UCP WSDL to view the UCP WSDL file. Copy the WSDL file to your local hard drive. Click UCP web application example to download a sample web application and save it to your local hard drive.
UCP WSDL File

The WSDL file is an XML document that describes the web services and the operations that the web services expose. The UCP WSDL is given below:
<?xml version="1.0" encoding="UTF-8"?>     <definitions name="changepass" targetNamespace="http://www.cisco.com/changepass.service" xmlns:tns="http://www.cisco.com/changepass.service" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:MIME="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:DIME="http://schemas.xmlsoap.org/ws/2002/04/dime/wsdl/" xmlns:WSDL="http://schemas.xmlsoap.org/wsdl/" xmlns="http://schemas.xmlsoap.org/wsdl/"> <WSDL:documentation> Copyright (c) 2009 Cisco Systems, Inc.
2-4
OL-22972-01
Chapter 2
Using the UCP Web Service Using the WSDL File
ACS5.1 WSDL Service Interface for change password This WSDL document defines the publication API calls for changing user password. </WSDL:documentation>
<xsd:types> <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.cisco.com/changepass.service">
<xsd:simpleType name="UserNameType"> <xsd:restriction base="string"> <xsd:minLength value="1" /> </xsd:restriction> </xsd:simpleType> <xsd:element name="usernameType" type="tns:UserNameType" /> <xsd:simpleType name="PasswordType"> <xsd:restriction base="string"> <xsd:minLength value="1" /> </xsd:restriction> </xsd:simpleType> <xsd:element name="passwordType" type="tns:PasswordType" /> <xsd:simpleType name="StatusCodeType"> <xsd:restriction base="string"> <xsd:enumeration value="success" /> <xsd:enumeration value="failure" /> </xsd:restriction> </xsd:simpleType> <xsd:element name="ResponseType"> <xsd:complexType> <xsd:attribute name="status" type="tns:StatusCodeType" use="required" /> <xsd:sequence> <xsd:element name="errorMessage" type="xsd:string" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:schema> </xsd:types> <message name="AuthUserRequest"> <part name="user_name" element="tns:usernameType" /> <part name="password" element="tns:passwordType" /> </message> <message name="AuthUserResponse"> <part name="authUserResponse" element="tns:ResponseType" /> </message> <message name="ChangeUserPassRequest"> <part name="user_name" element="tns:usernameType" /> <part name="old_password" element="tns:passwordType" /> <part name="new_password" element="tns:passwordType" /> </message>
2-5
Chapter 2 Using the WSDL File
<message name="ChangeUserPassResponse"> <part name="changeUserPassResponse" element="tns:ResponseType" /> </message> <WSDL:portType name="ChangePassword"> <operation name="authenticateUser"> <input message="tns:AuthUserRequest" name="authUserRequest" /> <output message="tns:AuthUserResponse" name="authUserResponse" /> </operation> <operation name="changeUserPass"> <input message="tns:ChangeUserPassRequest" name="changeUserPassRequest" /> <output message="tns:ChangeUserPassResponse" name="changeUserPassResponse" /> </operation> </WSDL:portType> <WSDL:binding name="changePassSoapBinding" type="tns:ChangePassword"> <SOAP:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" /> <!-This is the SOAP binding for the Change Password publish operations. --> <WSDL:operation name="authenticateUser"> <SOAP:operation soapAction="" /> <input> <SOAP:body use="literal" /> </input> <output> <SOAP:body use="literal" /> </output> </WSDL:operation> <WSDL:operation name="changeUserPass"> <SOAP:operation soapAction="" /> <input> <SOAP:body use="literal" /> </input> <output> <SOAP:body use="literal" /> </output> </WSDL:operation> </WSDL:binding> <WSDL:service name="changepassword"> <documentation> ACS5.1 Programmatic Interface Service Definitions </documentation> <port name="changepassword" binding="tns:changePassSoapBinding"> <SOAP:address location="https://localhost:8080/PI/services/changepass/" /> </port> </WSDL:service> </definitions>
2-6
OL-22972-01
Chapter 2
Using the UCP Web Service Working with the UCP Web Service
Request and Response Schemas

This section lists the request and response schemas of the User Authentication and User Change Password methods. This section contains the following schema:

User Authentication Request, page 2-7 User Authentication Response, page 2-7 User Change Password Request, page 2-7 User Change Password Response, page 2-7
User Authentication Request

<message name="AuthUserRequest"> <part name="user_name" element="changepass:usernameType" /> <part name="password" element="changepass:passwordType" /> </message>
User Authentication Response

<message name="AuthUserResponse"> <part name="authUserResponse" element="changepass:ResponseType" /> </message>
User Change Password Request

<message name="ChangeUserPassRequest"> <part name="user_name" element="changepass:usernameType" /> <part name="current_password" element="changepass:passwordType" /> <part name="new_password" element="changepass:passwordType" /> </message>
User Change Password Response

<message name="ChangeUserPassResponse"> <part name="changeUserPassResponse" element="changepass:ResponseType" /> </message>
Working with the UCP Web Service

You can create custom web-based applications to enable users to change their own password for your enterprise. This section describes how you can run a sample application that is developed using Python and provides the sample client code. The ACS web interface provides a downloadable package that consists of:

Python SOAP libraries for Linux and Windows Python script ReadMeContains installation instructions
2-7
Chapter 2 Working with the UCP Web Service
To download this package:

Step 1 Step 2
Log into the ACS 5.3 web interface. Choose System Administration > Downloads > Scripts. The Sample Python Scripts page appears. Click Python Script for Using the User Change Password Web Service. Save the .zip file to your local hard disk.
Step 3 Step 4
Sample Client Code shows a sample.zip file. This file contains a .war file. You have to deploy this .war file within a web server, such as Tomcat. This example allows your application to communicate with ACS through the UCP web service.
Note
The Cisco Technical Assistance Center (TAC) supports only the default Python Script. TAC does not offer any support for modified scripts.
Sample Client Code

from SOAPpy import SOAPProxy # Get the ACS host / IP host = raw_input('Please enter ACS host name or IP address:\n') targetUrl = 'https://' + host + '/PI/services/UCP/' server = SOAPProxy(targetUrl, 'UCP') # Get the username username = raw_input('Please enter user name:\n') # Get the old password oldPassword = raw_input('Please enter old password:\n') # Get the new password newPassword = raw_input('Please enter new password:\n') # Call the changeUserPassword with the given input ans = server.changeUserPass(username, oldPassword, newPassword) # Password changing failed if ans.status == 'failure': print '\nFailure:' # Print all failure reasons for err in ans.errors: print err else: # Password was changed successfully print 'Success'
Note
You must have Python software to run this script.
2-8
OL-22972-01
CH A P T E R
Using the Monitoring and Report Viewer Web Services

This chapter describes the environment that you must set up to use the web services provided by the Monitoring and Report Viewer component of ACS 5.3. Hereafter this is referred to as Viewer web services. You can use these web services to create custom applications for tracking and troubleshooting ACS events. The Viewer web services comprise the following methods:

getVersion()Returns the version of the Monitoring and Report Viewer server. getAuthenticationStatusByDate()Returns the authentication status of a user by date. getAuthenticationStatusByTimeUnit()Returns the authentication status of a user by time. getFailureReasons()Returns a list of reasons for failure. getRadiusAccounting()Returns a list of RADIUS accounting records. getAPIVersion()Returns the version of the Viewer web services.
Enabling the Web Interface on ACS CLI
You must enable the web interface on ACS before you can use the Viewer web services. To enable the web interface on ACS, from the ACS CLI, enter:
acs config web-interface view enable
For more information on the acs config web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1887278.
Viewing the Status of the Web Interface from ACS CLI
For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1890877. The following sections describe how to use the Monitoring and Report Viewer web services:

Understanding the Methods in the Viewer Web Services, page 3-2 Understanding the WSDL Files, page 3-5 Integrating the Viewer Web Services with Your Application, page 3-9 Working with the Viewer Web Services, page 3-10
3-1
Chapter 3 Understanding the Methods in the Viewer Web Services
Understanding the Methods in the Viewer Web Services

This section describes the methods that are available in the Viewer web services:

Get Version, page 3-2 Get Authentication Status By Date, page 3-3 Get Authentication Status By Time Unit, page 3-3 Get Failure Reasons, page 3-4 Get RADIUS Accounting, page 3-4 Get API Version, page 3-5
Table 3-1 describes the classes that are used in the Viewer web services.
Table 3-1 Viewer Web Services Class Information
Class ACSViewWebServices UserContext AuthenticationParam AuthenticationStatus AccountingParam AccountingStatus AccountingDetail ACSViewNBException
Description Contains all web services that a client views in the client applications. Contains the ACS username and the user password, which the Monitoring and Report Viewer server uses to authenticate the user. Encapsulates the authentication query parameters, based on which records are queried and returned to you. Contains the Authentication Status record that is the query output received from ACS. Encapsulates the accounting query parameters, based on which records are queried and returned to you. Contains the Accounting Status record that is the query output received from ACS. Contains a list of attribute values that comprise the query output received from ACS. Contains the errors that the Monitoring and Report Viewer displays for any issues with the web services.
Note
The Monitoring and Report Viewer places all web service classes in the com.cisco.acsview.nbapi package.
Get Version
Input Parameter
userCtx(Required) User context object

Purpose
Use the getVersion method to view the version of the Monitoring and Report Viewer that is installed on your ACS server. You can enter this command in the CLI to call this web service to view the Monitoring and Report Viewer version.
3-2
OL-22972-01
Chapter 3
Using the Monitoring and Report Viewer Web Services Understanding the Methods in the Viewer Web Services
Output Parameters
Version of the Monitoring and Report Viewer server.

Exception

The user is invalid The input is invalid The ACS instance is not running as the Monitoring and Report Viewer server
Get Authentication Status By Date

Input Parameters

userCtx(Required) User context object authParam(Required) AuthenticationParam object startDate(Required) The date from which you want the authentication status endDate(Required) The date until which you want the authentication status
Purpose
Use the getAuthenticationStatusByDate method to view a users authentication status, arranged chronologically by date, for a specific period.
Output Parameter
Authentication status of the user, arranged chronologically by date, for the specified period.
Exception
This method displays an error if the:

User context value is entered but passed as null Username and password are entered but passed as null Date value is entered but passed as null
Get Authentication Status By Time Unit

Input Parameters

userCtx(Required) User context object authParam(Required) AuthenticationParam object lastX(Required) The time until which you need the authentication status timeUnit(Required) Time unit, specified in minutes, hours, or days
Purpose
Use the getAuthenticationStatusByTimeUnit method to view a users authentication status, arranged chronologically by time, for a specific period.
3-3
Chapter 3 Understanding the Methods in the Viewer Web Services
Output Parameter
A list of the users authentication status, arranged chronologically by time, for a specific period.
Exception
This method displays an error if the:

User context value is entered but passed as null Username and password are entered but passed as null Date value is entered but passed as null
Get Failure Reasons

Input Parameter

Purpose
Use the getFailureReasons method to obtain a list of records that contain failure reasons.
Output Parameters
List of records that contain failure reasons.

Exception
This method displays an error if the user credentials are invalid.
Get RADIUS Accounting

Input Parameters

userCtx(Required) User context object acctParam(Required) Accounting search parameters; valid values for matchOperator are valueLIKE, valueEQ, valueNE, valueGE, valueLE, valueGT, valueLT, attrEQ, valueIN, valueINNOT. The equation takes any one of the following forms:
AttributeName, MatchArgument, MatchOp=[ valueLIKE | valueEQ | valueNE | valueGE |
valueLE | valueGT | valueLT | attrEQ]

AttributeName, MultipleValueMatchArgument, MatchOp=[ valueIN | valueINNOT ]
Attribute NameAs defined by standard RADIUS/Cisco A-V pair names. Attribute names are not case sensitive. However, the values are case sensitive. valueLIKELooks for wildcard match (%). For example, %foo%. valueEQLooks for an exact match. valueNEPerforms a value not equal to comparison. valueGEPerforms greater than or equal to comparison. valueLEPerforms lesser than or equal to comparison. valueGTPerforms a greater than comparison. valueLTPerforms a lesser than comparison.
3-4
OL-22972-01
Chapter 3
Using the Monitoring and Report Viewer Web Services Understanding the WSDL Files
attrEQCompares a given attribute with another attribute; returns true or false. valueINMultiple values are allowed for matchOperator valueIN. valueINNOTMultiple values are not allowed for matchOperator valueINNOT.

returnAttributes(Required) List of return attributes requested. startDate(Required) Date from which you want the RADIUS accounting records. endDate(Required) Date until which you want the RADIUS accounting records.
Purpose
Use the getRADIUSAccounting method to obtain a list of RADIUS accounting records.

Output Parameters
List of RADIUS accounting records.

Exception

User credentials are invalid The acctParam parameter contains invalid values for matchOperator The acctParam parameter contains invalid value for matchValues A database select error occurs
Get API Version

Input Parameter

Purpose
Use the getAPIVersion method to obtain the version of the Viewer web services.
Output Parameter
Version of the Viewer web services.

Exception
This method displays an error if an authentication failure occurs.
Understanding the WSDL Files

This section describes the WSDL files, the location from which you can download them, the class files, and the queries that you can use in the Viewer web services. This section contains the following:

Downloading the WSDL Files, page 3-6 Viewer WSDL Files, page 3-6 Integrating the Viewer Web Services with Your Application, page 3-9
3-5
Chapter 3 Understanding the WSDL Files
Downloading the WSDL Files

You can download the WSDL files from the following location: https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl, where ip address or hostname is the IP address or hostname of your ACS server.
Viewer WSDL Files

WSDL is an XML document that describes a web service, the location of the service, and operations that the service exposes:
<definitions name="ACSViewWebServicesService" targetNamespace="http://nbapi.acsview.cisco.com/jaws" xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://nbapi.acsview.cisco.com/jaws" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <types> <schema elementFormDefault="qualified" targetNamespace="http://nbapi.acsview.cisco.com/jaws" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:soap11-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://nbapi.acsview.cisco.com/jaws" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <complexType name="getFailureReasons"> <sequence> <element name="userCtx" nillable="true" type="tns:UserContext"/> </sequence> </complexType> <complexType name="getAuthenticationStatusByDate"> <sequence> <element name="userCtx" nillable="true" type="tns:UserContext"/> <element name="authParam" nillable="true" type="tns:AuthenticationParam"/> <element name="startDate" nillable="true" type="dateTime"/> <element name="endDate" nillable="true" type="dateTime"/> </sequence> </complexType> <complexType name="getAuthenticationStatusByDateResponse"> <sequence> <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:AuthenticationStatus"/> </sequence> </complexType> <complexType name="getAuthenticationStatusByTimeUnit"> <sequence> <element name="userCtx" nillable="true" type="tns:UserContext"/> <element name="authParam1" nillable="true" type="tns:AuthenticationParam"/> <element name="lastX" type="int"/> <element name="timeUnit" nillable="true" type="string"/> </sequence> </complexType> <complexType name="getVersion"> <sequence> <element name="userCtx" nillable="true" type="tns:UserContext"/> </sequence> </complexType> <complexType name="ACSViewNBException"> <sequence> <element name="message" nillable="true" type="string"/> </sequence>
3-6
OL-22972-01
Chapter 3
</complexType> <complexType name="FailureReason"> <sequence> <element name="authenFailureCode" nillable="true" type="string"/> <element name="possibleRootCause" nillable="true" type="string"/> <element name="resolution" nillable="true" type="string"/> </sequence> </complexType> <complexType name="AuthenticationParam"> <sequence> <element name="AAAClient" nillable="true" type="string"/> <element name="clientIPAddress" nillable="true" type="string"/> <element name="clientMACAddress" nillable="true" type="string"/> <element name="userName" nillable="true" type="string"/> </sequence> </complexType> <complexType name="AuthenticationStatus"> <sequence> <element name="authStatus" nillable="true" type="string"/> <element name="date" nillable="true" type="dateTime"/> <element name="errorCode" nillable="true" type="string"/> <element maxOccurs="unbounded" minOccurs="0" name="moreDetails" nillable="true" type="string"/> </sequence> </complexType> <complexType name="getAuthenticationStatusByTimeUnitResponse"> <sequence> <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:AuthenticationStatus"/> </sequence> </complexType> <complexType name="getVersionResponse"> <sequence> <element name="result" nillable="true" type="string"/> </sequence> </complexType> <complexType name="getFailureReasonsResponse"> <sequence> <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:FailureReason"/> </sequence> </complexType> <complexType name="UserContext"> <sequence> <element name="password" nillable="true" type="string"/> <element name="userName" nillable="true" type="string"/> </sequence> </complexType> <element name="getAuthenticationStatusByDate" type="tns:getAuthenticationStatusByDate"/> <element name="getAuthenticationStatusByDateResponse" type="tns:getAuthenticationStatusByDateResponse"/> <element name="getAuthenticationStatusByTimeUnit" type="tns:getAuthenticationStatusByTimeUnit"/> <element name="getAuthenticationStatusByTimeUnitResponse" type="tns:getAuthenticationStatusByTimeUnitResponse"/> <element name="getVersion" type="tns:getVersion"/> <element name="ACSViewNBException" type="tns:ACSViewNBException"/> <element name="getVersionResponse" type="tns:getVersionResponse"/> <element name="getFailureReasons" type="tns:getFailureReasons"/> <element name="getFailureReasonsResponse" type="tns:getFailureReasonsResponse"/> </schema> </types> <message name="ACSViewNBException">
3-7
Chapter 3 Understanding the WSDL Files
<part element="tns:ACSViewNBException" name="ACSViewNBException"/> </message> <message name="ACSViewWebServices_getAuthenticationStatusByDate"> <part element="tns:getAuthenticationStatusByDate" name="parameters"/> </message> <message name="ACSViewWebServices_getAuthenticationStatusByTimeUnitResponse"> <part element="tns:getAuthenticationStatusByTimeUnitResponse" name="result"/> </message> <message name="ACSViewWebServices_getAuthenticationStatusByDateResponse"> <part element="tns:getAuthenticationStatusByDateResponse" name="result"/> </message> <message name="ACSViewWebServices_getVersionResponse"> <part element="tns:getVersionResponse" name="result"/> </message> <message name="ACSViewWebServices_getAuthenticationStatusByTimeUnit"> <part element="tns:getAuthenticationStatusByTimeUnit" name="parameters"/> </message> <message name="ACSViewWebServices_getVersion"> <part element="tns:getVersion" name="parameters"/> </message> <message name="ACSViewWebServices_getFailureReasons"> <part element="tns:getFailureReasons" name="parameters"/> </message> <message name="ACSViewWebServices_getFailureReasonsResponse"> <part element="tns:getFailureReasonsResponse" name="result"/> </message> <portType name="ACSViewWebServices"> <operation name="getAuthenticationStatusByDate"> <input message="tns:ACSViewWebServices_getAuthenticationStatusByDate"/> <output message="tns:ACSViewWebServices_getAuthenticationStatusByDateResponse"/> <fault message="tns:ACSViewNBException" name="ACSViewNBException"/> </operation> <operation name="getAuthenticationStatusByTimeUnit"> <input message="tns:ACSViewWebServices_getAuthenticationStatusByTimeUnit"/> <output message="tns:ACSViewWebServices_getAuthenticationStatusByTimeUnitResponse"/> <fault message="tns:ACSViewNBException" name="ACSViewNBException"/> </operation> <operation name="getVersion"> <input message="tns:ACSViewWebServices_getVersion"/> <output message="tns:ACSViewWebServices_getVersionResponse"/> <fault message="tns:ACSViewNBException" name="ACSViewNBException"/> </operation> <operation name="getFailureReasons"> <input message="tns:ACSViewWebServices_getFailureReasons"/> <output message="tns:ACSViewWebServices_getFailureReasonsResponse"/> <fault message="tns:ACSViewNBException" name="ACSViewNBException"/> </operation> </portType> <binding name="ACSViewWebServicesBinding" type="tns:ACSViewWebServices"> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> <operation name="getAuthenticationStatusByDate"> <soap:operation soapAction=""/> <input> <soap:body use="literal"/> </input> <output> <soap:body use="literal"/> </output> <fault name="ACSViewNBException"> <soap:fault name="ACSViewNBException" use="literal"/> </fault> </operation> <operation name="getAuthenticationStatusByTimeUnit"> <soap:operation soapAction=""/>
3-8
OL-22972-01
Chapter 3
<input> <soap:body use="literal"/> </input> <output> <soap:body use="literal"/> </output> <fault name="ACSViewNBException"> <soap:fault name="ACSViewNBException" use="literal"/> </fault> </operation> <operation name="getVersion"> <soap:operation soapAction=""/> <input> <soap:body use="literal"/> </input> <output> <soap:body use="literal"/> </output> <fault name="ACSViewNBException"> <soap:fault name="ACSViewNBException" use="literal"/> </fault> </operation> <operation name="getFailureReasons"> <soap:operation soapAction=""/> <input> <soap:body use="literal"/> </input> <output> <soap:body use="literal"/> </output> <fault name="ACSViewNBException"> <soap:fault name="ACSViewNBException" use="literal"/> </fault> </operation> </binding> <service name="ACSViewWebServicesService"> <port binding="tns:ACSViewWebServicesBinding" name="ACSViewWebServices"> <soap:address location="http://localhost:8080/ACSViewWebServices/ACSViewWebServices"/> </port> </service> </definitions>
Integrating the Viewer Web Services with Your Application

This section explains how to integrate the Viewer web services with your application. To integrate your code with a Viewer web service and to ensure that you get a response after you invoke the web service:
Step 1
Obtain the certificate from the server to create the client certificate:
a.
Verify the deployed web services from: https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.
b. c.
Click View Certificate and go to the Details tab. Click Copy to File.
3-9
Chapter 3 Working with the Viewer Web Services
d. e. f. g.
In the welcome window, click Next. In the Export File Format window, select DER encoded binary X.509(.CER), then click Next. In the File to Export window, enter the filename and click Next. In the Completing the Certificate Export Wizard window, click Finish. A copy of the certificate is saved in your local system as server.cer.
h.
Import the server certificate and store it as client.ks (the Client Certificate) using the following command:
keytool -import -file server.cer -keystore client.ks
Step 2
Verify the deployed Viewer web services from: https://IPaddress(or)HostName /ACSViewWebServices/ACSViewWebServices?wsdl For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.
Step 3
View the source and copy the WSDL file to your local system using: soap:address location='https://acsview-cars1:443/ACSViewWebServices/ACSViewWebServices'/ For more information on the WSDL files, see Understanding the WSDL Files, page 3-5. Download the JAX-WS 2.0 libraries from the Sun Microsystems website. To view the information related to your artifacts, enter the wsimport -keep command at: https://IPAddress:443/ACSViewWebServ/ACSViewWebServices?wsdl Include all the libraries in your location. Write the client code. Compile and run the client code.
Step 4 Step 5
Step 6 Step 7
Working with the Viewer Web Services

This section provides sample client code in Java. The requirements that this section describes apply only if you use Java as the client-side conversion tool. This section contains:

Required Files, page 3-10 Supported SOAP Clients, page 3-11 Sample Client Code, page 3-12
Required Files
To use Java (JAX-WS) 2.0 as the client-side conversion tool, you need the following JAR files. You can download the .jar files and the related tools from the Sun Microsystems website:

activation.jar FastInfoset.jar http.jar jaxb-api.jar
3-10
OL-22972-01
Chapter 3
Using the Monitoring and Report Viewer Web Services Working with the Viewer Web Services
jaxb-impl.jar jaxb-xjc.jar jaxws-api.jar jaxws-rt.jar jaxws-tools.jar jsr173_api.jar jsr181-api.jar jsr250-api.jar resolver.jar saaj-api.jar saaj-impl.jar sjsxp.jar
Supported SOAP Clients

The supported SOAP clients include:

Apache JAX-WS
Connecting to the Viewer Web Services

To connect to the Viewer Web Services:
Step 1
Verify the deployed Viewer Web Services from: https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.
Step 2
Right click and select View Source/View Page Source option to view the source information. The source information appears in a pop-up dialog box. Save the source information with the name ACSViewWebServices.wsdl on your local directory; <SERVICE_HOME>. Execute the following command to create the class files:
wsimport <SERVICE_HOME>/ACSViewWebServices.wsdl -d <SERVICE_HOME>
Step 3 Step 4
3-11
Step 5
Copy the Sample Client Code section on page 3-12 and save it as Client.java in <SERVICE_HOME> and compile it with the following command
javac -cp <SERVICE_HOME> <SERVICE_HOME>/Client.java -d <SERVICE_HOME>
This compiles the client code and places the package in the <SERVICE_HOME> directory.
Step 6
To run the Client code, execute the following command

java -cp <SERVICE_HOME> com.cisco.acsview.nbapi.jaws.Client.
Note
The above mentioned steps are done in Java 1.6.0_25. JAVA_HOME is java installed directory, and the "path" environment variable should be added with the value <JAVA_HOME>/bin.
Sample Client Code

This section provides sample client code for the Viewer web services.
package com.cisco.acsview.nbapi.jaws; import import import import import import import import import import import import import import import java.util.Calendar; java.util.GregorianCalendar; java.util.ArrayList; java.util.List; java.util.Iterator; com.sun.org.apache.xerces.internal.jaxp.datatype.XMLGregorianCalendarImpl; javax.xml.datatype.XMLGregorianCalendar; javax.xml.datatype.DatatypeFactory; java.security.cert.X509Certificate; javax.net.ssl.HostnameVerifier; javax.net.ssl.HttpsURLConnection; javax.net.ssl.SSLContext; javax.net.ssl.SSLSession; javax.net.ssl.TrustManager; javax.net.ssl.X509TrustManager;
public class Client { private static void install() throws Exception { // Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { // Trust always } public void checkServerTrusted(X509Certificate[] certs, String authType) { // Trust always
3-12
OL-22972-01
Chapter 3
} } }; // Install the all-trusting trust manager SSLContext sc = SSLContext.getInstance("SSL"); // Create empty HostnameVerifier HostnameVerifier hv = new HostnameVerifier() { public boolean verify(String arg0, SSLSession arg1) { return true; } }; sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier(hv); } public static void install1() throws Exception { // Bypass hostname verification. HttpsURLConnection.setDefaultHostnameVerifier( new HostnameVerifier() { public boolean verify(String arg0, SSLSession arg1) { return true; } }); } public static void main(String args[]) { try { install(); ACSViewWebServicesService serviceObj = new ACSViewWebServicesService(); ACSViewWebServices service = serviceObj.getACSViewWebServices(); UserContext userCtx = new UserContext(); userCtx.setUserName("acsadmin"); userCtx.setPassword("Acs5.1"); getVersion(service,userCtx); getAPIVersion(service,userCtx); getAuthBydate(service,userCtx); getAuthByTime(service,userCtx); getRadiusAccounting(service,userCtx); getFailureReasons(service,userCtx); } catch (Exception ex) { ex.printStackTrace(); } }
/** * getVersion provide the application version */ public static void getVersion(ACSViewWebServices service, UserContext userCtx) { try {
3-13
String result = service.getVersion(userCtx); System.out.println("-------------------------*** Application Version ***-------------------------"+"\n"); System.out.println("Application Version : "+result); System.out.println("----------------------------------------------------------------------------"+"\n"); } catch(Exception e) { e.printStackTrace(); } } /** *getAuthByDate provides the data of the authentication success/failure between the specified date range */ private static void getAuthBydate(ACSViewWebServices service, UserContext userCtx) { try { System.out.println("-------------------------*** Authentication Status by Date Starts ***-------------------------"+"\n"); AuthenticationParam authParam = new AuthenticationParam(); /** *** The following Attributes are optional. ** If the parameters are not set, method will return all the authentications success/failure between the specified date range. ** The Data will be filtered based on the attribute set which is falling under the specified date range. ** The attributes set are exactly matched for filtering,ie., only the data which is matching the below attributes and with in the specified date range are retrived. */ authParam.setAAAClient("MyClient"); authParam.setClientIPAddress("10.77.241.203"); authParam.setClientMACAddress("ABAC00019E05"); authParam.setUserName("user1"); /******* Optional Attributes Ends **************/ DatatypeFactory datatypeFactory = DatatypeFactory.newInstance(); GregorianCalendar gc1 = newGregorianCalendar(2011, Calendar.AUGUST, 4); XMLGregorianCalendar startDate = datatypeFactory.newXMLGregorianCalendar(gc1).normalize(); GregorianCalendar gc2 = newGregorianCalendar(2011, Calendar.AUGUST, 6); XMLGregorianCalendar endDate = datatypeFactory.newXMLGregorianCalendar(gc2).normalize(); java.util.List authStatusArray = service.getAuthenticationStatusByDate(userCtx,authParam, startDate, endDate); System.out.println("No of Records Retrieved : "+authStatusArray.size()); for(int i=0; i<authStatusArray.size();i++) { System.out.println("*************** Authentication Status : "+(i+1)+" ***************"); AuthenticationStatus status = (AuthenticationStatus)authStatusArray.get(i); java.util.List sarray = status.getMoreDetails(); System.out.println(sarray.get(0) +" :: "+sarray.get(1)); for(int j=0;j<sarray.size();j++) { System.out.println(sarray.get(j)+" :: "+sarray.get(++j)); } System.out.println("******************************************************************"); } System.out.println("-------------------------*** Authentication Status by
3-14
OL-22972-01
Chapter 3
Date Ends ***-------------------------"+"\n"); } catch (Exception ex) { ex.printStackTrace(); } } /** * getAuthByTime provides the data of the authentication success/failure in the specified time. * Time can be provided in Minutes, Hours or Days */ private static void getAuthByTime(ACSViewWebServices service, UserContext userCtx) { try { System.out.println("-------------------------*** Authentication Status by Time Starts ***-------------------------"+"\n"); AuthenticationParam authParam = new AuthenticationParam(); /** *** The following Attributes are optional. ** If the parameters are not set method will return all the authentications success/failure between the specified date range. ** The Data will be filtered based on the attribute set which is falling under the specified date range. ** The attributes set are exactly matched for filtering,ie., only the data which is matching the below attributes and with in the specified date range are retrived. */ authParam.setAAAClient("MyClient"); authParam.setClientIPAddress("10.77.241.203"); authParam.setClientMACAddress("ABAC00019E05"); authParam.setUserName("user1"); /******* Optional Attributes Ends **************/ java.util.List authStatusArray = service.getAuthenticationStatusByTimeUnit(userCtx,authParam, 20, "Hours"); System.out.println("No of Records Retrieved : " + authStatusArray.size()); for(int i=0; i<authStatusArray.size();i++) { System.out.println("*************** Authentication Status : "+(i+1)+" ***************"); AuthenticationStatus status = (AuthenticationStatus)authStatusArray.get(i); java.util.List sarray = status.getMoreDetails(); System.out.println(sarray.get(0) +" :: "+sarray.get(1)); for(int j=0;j<sarray.size();j++) { System.out.println(sarray.get(j)+" :: "+sarray.get(++j)); } System.out.println("******************************************************************"); } System.out.println("-------------------------*** Authentication Status by Time Ends ***-------------------------"+"\n"); } catch (Exception ex) { ex.printStackTrace(); } } /** ** getAPIVersion provides the application API Version */
3-15
public static void getAPIVersion(ACSViewWebServices service, UserContext userCtx) { try { System.out.println("-------------------------*** API Version ***-------------------------"+"\n"); String apiresult = service.getAPIVersion(userCtx); System.out.println("API Version : "+apiresult); System.out.println("----------------------------------------------------------------------------"+"\n"); } catch(Exception ex) { ex.printStackTrace(); } } /** ** getFailureReasons provide the Failure Code, Possible Root Cause and Resolution */ public static void getFailureReasons(ACSViewWebServices service, UserContext userCtx) { try { // Get Failure reason - Example System.out.println("-------------------------*** Failure Reasons Starts ***-------------------------"+"\n"); List result1 = service.getFailureReasons(userCtx); System.out.println("Failure reasons list is : " + result1.size()); for (int i=0;i<result1.size() ;i++ ) { System.out.println("Authentication Failure Code : "+((FailureReason)result1.get(i)).getAuthenFailureCode()); System.out.println("Possible Root Cause : "+((FailureReason)result1.get(i)).getPossibleRootCause()); System.out.println("Resolution : "+((FailureReason)result1.get(i)).getResolution()); } System.out.println("-------------------------*** Failure Reasons Ends ***-------------------------"+"\n"); } catch(Exception ex) { ex.printStackTrace(); } } /** ** getRadiusAccounting provides the accounting details between the specified date range. */ public static void getRadiusAccounting(ACSViewWebServices service, UserContext userCtx) { try { System.out.println("-------------------------*** Radius Accounting Starts ***-------------------------"+"\n"); List acctParam = new ArrayList(); AccountingParam acParam = new AccountingParam(); List valList = acParam.getMatchValues(); valList.add("11");
3-16
OL-22972-01
Chapter 3
acParam.setAttributeName("cisco-h323-disconnect-cause/h323-disconnect-cause"); acParam.setMatchOperator("valueINNOT"); acctParam.add(acParam); List returnAttributes = new ArrayList(); returnAttributes.add("cisco-h323-disconnect-cause/h323-disconnect-cause"); DatatypeFactory datatypeFactory = DatatypeFactory.newInstance(); GregorianCalendar gc1 = newGregorianCalendar(2011, Calendar.AUGUST, 5); XMLGregorianCalendar startDate = datatypeFactory.newXMLGregorianCalendar(gc1).normalize(); GregorianCalendar gc2 = newGregorianCalendar(2011, Calendar.AUGUST, 7); XMLGregorianCalendar endDate = datatypeFactory.newXMLGregorianCalendar(gc2).normalize(); AccountingStatus acctStatus = service.getRadiusAccounting(userCtx,acctParam, startDate, endDate, returnAttributes); List attrNames = acctStatus.getAttrNames(); for(int x=0 ; x<attrNames.size() ; x++) { System.out.println("Attribute Names : "+attrNames.get(x)); } List acctDetailsList = (ArrayList)acctStatus.getAcctDetails(); Iterator detailIterator = acctDetailsList.iterator(); while(detailIterator.hasNext()) { AccountingDetail acctDetailObj = (AccountingDetail)detailIterator.next(); List acctDetails = (List)acctDetailObj.getAttrValues(); for (int i=0;i<acctDetails.size() ;i++ ) { System.out.println("Attribute Details : "+acctDetails.get(i)); } } System.out.println("-------------------------*** Radius Accounting Ends ***-------------------------"+"\n"); } catch(Exception e) { e.printStackTrace(); } } }
3-17
3-18
OL-22972-01
CH A P T E R
Using the Configuration Web Services

This chapter describes the environment that you must set up to use the Configuration web service and explains how to use it. The Configuration web services are implemented as REST interfaces over HTTPS. There is no HTTP support. Configuring REST web services are available on all ACS servers in the deployment, but only the ACS primary instance provides the full service that supports read and write operations. Secondary ACS instances provide read only access to the configuration data. The Monitoring and Report Viewer displays the messages and audit logs for all REST activities.
Enabling the REST Web Interface on ACS CLI
You must enable the web interface on ACS before you can use the REST web service. To enable the web interface on ACS, from the ACS CLI, enter:
acs config-web-interface rest enable
For more information on the acs config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1887278.
Viewing the Status of the REST Web Interface from ACS CLI
For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1890877. Application that interacts with ACS configuration REST service may use any administrator account to authenticate to the REST service. Authorization for the used account should be set to allow all activities done by the REST client.
Supported Configuration Objects

The Rest PI in ACS provides services for configuring ACS and it is organized for each configuration feature. In ACS 5.3, the following two subsets of the ACS configuration are supported.

Common configuration objects Identity configuration objects
Table 4-1 lists the supported configuration objects.
4-1
Chapter 4 Supported Configuration Objects
Table 4-1
Supported Configuration Objects
Feature Common
Main Supported Classes Attribute Info
Comments Also known as dynamic attributes or AV pair. Attribute Info is composed within Protocol User. Supports Get method only. Supports getall method only. It allows to find the ACS instance that serve as primary and the ACS instance that provide Monitoring and Troubleshooting Viewer.
ACS Version Service Location
Error Message
Supports getall method only. It allows to retrieve all ACS message codes and message texts that are used on the REST Interface.
Identity
Protocol User Identity Group
Full CRUD (Create, Read, Update, and Delete) and query support. Full CRUD and query support. Query is used to retrieve subgroups of a specific node. The list of users for each group is fetched by querying on the users.
This section contains:

Identity Groups, page 4-2 Attribute Info, page 4-3 Group Associations, page 4-3
Identity Groups
Identity Group object is used to manipulate nodes on the Identity Group hierarchy. The group name defines the full path of the node within the hierarchy. When you add a new node, you should be aware that the name of the node (which includes the full path) specifies where in the hierarchy the node should be attached. For example:

All Groups:CDO:PMBU All Groups:CDO All Groups:CDO:PMBU:ACS-Dev
Note
You must create the upper level hierarchy (parent node) and then create the leaf node.
For example: To create the hierarchy, All Groups:US:WDC; we must create All Groups:US and then go ahead creating the next level in hierarchy.
In order to retrieve child of certain group you can set a filter asstart with All groups:CDO.
4-2
OL-22972-01
Chapter 4
Using the Configuration Web Services Query Object
Attribute Info
The AttributeInfo structure is an array of pairs of attribute names and attribute values. The attribute name refers to the user dictionary, where the definition of the attribute, such as value type, can be found. The value of the attribute must conform with the dictionary definition. The following is an example of JAVA representation for a user that has two attributes:
User user = new User(); user.setDescription(description); user.setPassword(password); user.setName(userName); user.setAttributeInfo(new AttributeInfo[]{ new AttributeInfo("Department","Dev"), new AttributeInfo("Clock","10 Nov 2008 12:12:34") });
Group Associations
The REST Interface schema shows the association of the user to the Identity group, as a group name property on the user object. Here is an example of associating user to an identity group:
User user = new User(); user.setIdenityGroupName("IdentityGroup:All Groups:Foo"); user.setDescription(description); user.setPassword(password); user.setName(userName);
Query Object
The REST Interface schema exposes a query object to define criteria and other query parameters. The query object is used for users and identity groups. The query object includes parameters that apply to:

Filtering, page 4-3 Sorting, page 4-4 Paging, page 4-5
Filtering
You can use the query object to retrieve a filtered result set. You can filter users or identity groups, based on the following criteria:
Simple condition Includes property name, operation, and value. For example, name STARTS_WITH "A". The following operations are supported for filtering:

CONTAINS DOES_NOT_CONTAIN ENDS_WITH
4-3
Chapter 4 Query Object
EQUALS NOT_EMPTY NOT_EQUALS STARTS_WITH
And condition Includes set of simple conditions. All simple condition must be evaluated to be True in order for the and condition to be matched.
Here is the XML based example for the And filter.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com"> <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="ns2:AndFilter"> <simpleFilters> <propertyName>name</propertyName> <operation>STARTS_WITH</operation> <value>user</value> </simpleFilters> <simpleFilters> <propertyName>name</propertyName> <operation>ENDS_WITH</operation> <value>1</value> </simpleFilters> </criteria> <numberOfItemsInPage>100</numberOfItemsInPage> <startPageNumber>1</startPageNumber> </ns2:query>
Here is a Java based example for the And filter:

Query query = new Query(); query.setStartPageNumber(1); query.setNumberOfItemsInPage(100); SimpleFilter simpleFilter = new SimpleFilter(); simpleFilter.setOperation(FilterOperation.STARTS_WITH); simpleFilter.setPropertyName("name"); simpleFilter.setValue("user"); SimpleFilter simpleFilter1 = new SimpleFilter(); simpleFilter1.setOperation(FilterOperation.ENDS_WITH); simpleFilter1.setPropertyName("name"); simpleFilter1.setValue("1"); AndFilter andFilter = new AndFilter(); andFilter.setSimpleFilters(new SimpleFilter[] { simpleFilter, simpleFilter1 }); query.setCriteria(andFilter);
Sorting
You can use the query object to sort the results. You can sort based on the following criteria:

One property to sort by Direction of sorting (Ascending/Descending)
4-4
OL-22972-01
Chapter 4
Using the Configuration Web Services Request Structure
Paging
You can set the query object with the following paging parameters:

Page number, which is the requested page Number of objects in a page
Paging is stateless. That is, the required page is calculated from scratch for every request. This means that paging could skip objects or return them twice, in case objects were added or deleted concurrently.
Request Structure
ACS REST request is composed of:

URL HTTP method ContentIncludes ACS objects if applicable to the requested method. The ACS objects are represented in XML.
URL Path
URL includes:

Service name: Rest Package name: Identity or Common Object Type: User, Identity Group, and so on Object Identifier are valid with GET and DELETE methods Operation name is required for operations other than CRUD such as query.
Table 4-2 lists the URLs for each object.

Object Identifiers
Objects are identified by name or by object ID. Basic object key is the object name. You can also use Object ID for GET and Delete method. For POST and PUT, the method gets the object itself that includes the identifiers. You can specify identifier on the URL in the following ways:

Name as the key Rest/{package}/{ObjectType}/name/{name} Object ID as the key Rest//{package}/{ObjectType}/id/{id} For single instance per object type, no key is required For
URL Summary Table
example: REST/common/ACSVersion
Table 4-2
Object ACS Version Service Location Error Message
URL ../Rest/Common/ACSVersion ../Rest/Common/ServiceLocation ../Rest/Common/ErrorMessage
Comment Single object exists
4-5
Chapter 4 Request Structure
Table 4-2
URL Summary Table (continued)
Object User Identity Group
URL ../Rest/Identity/User/.. ../Rest/Identity/IdentityGroup/..
Comment For some methods, there is additional data on the URL. SeeTable 4-3 For some methods, there is additional data on the URL. SeeTable 4-3
HTTP Methods
HTTP methods are mapped to configuration operations (CRUD - Create, Read, Update, and Delete). The common intrinsic methods are not specified within the URL, and are determined by the HTTP request method. In other cases, you need to add the configuration operation into the URL. HTTP methods are mapped to ACS operations:

HTTP GETView an object or multiple objects HTTP POSTCreate a new object HTTP DELETEDelete a object HTTP PUTUpdate an existing object. PUT is also used to invoke extrinsic methods (other than CRUD).
When HTTP PUT method is used for operations other than CRUD, the URL specifies the required operation. This is also used to distinguish the message from PUT method for update. The keyword op is included in the URL as follows: Rest/{package}/{ObjectType}/op/{operation} For example, /Rest/Identity/IdentityGroup/op/query Table 4-3 describes the primary ACS REST methods and their mapping to HTTP messages.
Table 4-3 HTTP Method Summary
Function getAll getByName
HTTP Method GET GET
URL /{ObjectType}
Request content None
Response on Success Collection of Objects An Object
/{ObjectType}/name None / {name}1 /{ObjectType}/id/{i d} /{ObjectType} None Object

Note
getById create
GET POST
An Object Rest Response Result, which includes Object ID. Rest Result
For create, the Object ID property should not be set.
delete
DELETE
/{ObjectType}/name None / {name}1
4-6
OL-22972-01
Chapter 4
Using the Configuration Web Services Response Structure
Table 4-3
HTTP Method Summary (continued)
Function delete update2 Query
HTTP Method DELETE PUT PUT
URL /{ObjectType}/ id/{id} /{ObjectType}
Request content None Object
Response on Success Rest Result Rest Result List of Objects
/{ObjectType}/op/qu QueryObject ery
1. Names in the URL are full names. ACS REST services does not support wildcards or regular expressions. 2. Update method replaces the entire object with the object provided in the request body, with the exception of sensitive properties.
Note
For the responses on failure, seeACS REST Result.
Response Structure
The response to Rest request is a standard HTTP response that includes HTTP status code and other data returned by web servers. In addition, the response can include the ACS Rest Result object or ACS configuration objects according to the type of request. You should check the HTTP status code to know the type of objects expected in the response body.

For 4xx HTTPS status codes except for 401 and 404, REST result Object is returned. For 5xx status codesother than 500, the message content includes a text that describe the server error. For 500 HTTP status code, REST result is returned. For 200 and 201 HTTP status code, objects per the specific method or object type is returned. For 204 HTTP status code, no object is returned.
HTTP Status Codes

ACS returns the following types of status codes:

2xx for success 4xx for client errors 5xx for server errors 1xx 3xx
ACS does not return the following types of status codes:

The HTTP status code is returned within the HTTP response headers as well as within the REST result object. Table 4-4 lists the HTTP status codes that are returned by ACS.
4-7
Chapter 4 Response Structure
Table 4-4
Usage of HTTP Status Codes
Status Code Message 200 204 400 Ok OK with no content Bad Request
Usage in ACS Successful Get, create and query Successful delete and update
Comment No data is returned in the response body.
Request errors: Object The request contains bad syntax validation failure, XML or cannot be executed. syntax error, and other error For example, if you try to create in request message an object with a name that already exists, the object validation fails. Detailed reasons can be found in the REST result object.
401
Unauthorized
Authentication Failure/ Time outs
Similar to 403 error, but specifically for use when authentication failed or credentials are not available. The request was valid, but the server refuses to respond to it. Unlike a 401 error, authenticating will make no difference. Also, this error is displayed when an non-read request was send to a secondary instance.
403
Forbidden
ACS is a secondary and can not fulfill the request or operation is not allowed per administrator authorizations.
404
Not Found
For cases where the URL is wrong or the REST Service is not enabled. A resource is not available anymore A request was made for an object that does not exist. For example, deleting an object that does not exist.
410
Gone
500
Internal Server Error
For any Server error that has no specific HTTP Code.
ACS REST Result

The HTTP response for a REST request includes either requested objects or REST result object, see Table 4-3 for details. ACS result includes:

HTTP status code HTTP status text ACS message code ACS message
4-8
OL-22972-01
Chapter 4
Using the Configuration Web Services WADL File
Object ID for successful CREATE method
Returned Objects
ACS returns objects for GET method and for query operation. The type of returned object is determined by the request URL. When a GET method returns multiple objects, these are included in the response. If the returned list is too long, you should use filtering or paging options.
WADL File
The WADL files contain the object structure (schema) and the methods for every object. The WADL files are mainly documentation aids. You cannot generate client applications using WADL files. The WADL file structure is according to W3C specification. For more information, see http://www.w3.org/Submission/wadl/ To download the WADL files:
Step 1 Step 2
From the ACS user interface, go to System Administration > Downloads > Rest Service Under ACS Rest Service WADL files, click Common or Identity and save the files to your local drive.
Schema File
ACS is shipped with three XSD files that describe the structure of the objects supported on ACS 5.3 REST interfaces. The three XSD files are:
Common.xsd, that describes the following objects:

Version AttributeInfo Error Message ResultResult, RestCreateResult BaseObject Service Location Status RestCommonOperationType
4-9
Chapter 4 Sample Code
Identity.xsd, that describes the following objects:

Users IdentityGroup
Query.xsd, that describes the structure of query objects.
You can download the schema files in the same way as you download the WADL files. You can use the schema with available tools such as JAXB to generate schema classes. You can develop HTTP client or use any third party HTTP client code and integrate it with the schema classes generated from the XSD files.
Note
It is highly recommended to generate REST client classes from the XSD files than coding XML or creating it manually.
Sample Code
ACS provides sample code for client application to help you develop an application that interacts with ACS REST Interface. The sample code can be downloaded in the same way as WADL and schema files. The sample code is based on Apache HTTP Client http://hc.apache.org/httpcomponents-client-ga/index.html and JAVA code generated by JAXB (xjc command) with the help of the XSD files. It includes sample codes for:

Get ACS Version Get all users Get All Service Locations Get Filtered list of Users Get list of Error messages Get User by ID and by name Create, Delete, Update user Create, Delete, and Update identity group Get IdentityGroup by name or ID Get sub-tree of IdentityGroups Get all Users of an Identity Group
4-10
OL-22972-01
CH A P T E R

This chapter describes the scripting interface that ACS 5.3 provides to perform bulk operations on ACS objects using the Import and Export features. ACS provides the import and export functionalities through the web interface (graphical user interface) as well as the CLI. ACS exposes these functionalities through the CLI to enable you to create custom shell scripts for bulk operations on ACS objects. The import-data command allows you to:

Add ACS objects Update ACS objects Delete ACS objects
The import and export functionalities in ACS 5.3 allow you to perform bulk operations such as Create, Update, and Delete on ACS objects and provide a migration path for customers migrating from ACS 4.x releases to ACS 5.3. You can integrate ACS with any of your repositories and import data into ACS through automated scripts, using the Import and Export features. You can also encrypt the .csv file before you transfer the file for additional security, or, optionally, use Secure File Transfer Protocol (SFTP). You can create a scheduled command that looks for a file with a fixed name in the repository to perform bulk operations. This option provides the functionality that was available in ACS 4.x releases. ACS processes the import and export requests in a queue. Only one process can run at a time. When you use the ACS web interface for importing and exporting, you cannot manually control the queue. ACS processes the queue in sequence. However, you can use the CLI to manage the import and export processes in ACS. The ACS CLI allows you to view the status of the queue and terminate the processes that are in the queue. This chapter contains the following sections:

Understanding Import and Export in ACS, page 5-2 Supported ACS Objects, page 5-5 Creating Import Files, page 5-7 Using Shell Scripts to Perform Bulk Operations, page 5-11
5-1
Chapter 5 Understanding Import and Export in ACS
Understanding Import and Export in ACS

You can use the import functionality in ACS to add, update, or delete multiple ACS objects at the same time. ACS uses a comma-separated values (CSV) file to perform these bulk operations. This .csv file is called an import file. ACS provides a separate .csv template for Add, Update, and Delete operations for each ACS object. The first record in the .csv file is the header record from the template that contains column (field) names. You must download these templates from the ACS web interface. The header record from the template must be included in the first row of any .csv file that you import. You cannot use the same template to import all ACS objects. You must download the template that is designed for each ACS object and use the corresponding template while importing the objects. You can use the export functionality to create a .csv file that contains all the records of a particular object type that are available in the ACS internal store. You must have CLI administrator-level access to perform import and export operations. Additionally:

To import ACS configuration data, you need CRUD permissions for the specific configuration object. To export data to a remote repository, you need read permission for the specific configuration object. Importing ACS Objects Through the CLI, page 5-2 Exporting ACS Objects Through the CLI, page 5-3 Viewing the Status of Import and Export Processes, page 5-4 Terminating Import and Export Processes, page 5-5
This section contains:

Importing ACS Objects Through the CLI

You can import ACS objects from the ACS Configuration mode. You use the import-data command to perform the Import operation. This command takes the following arguments:

Name of the remote repository where the import file resides. See Creating Import Files, page 5-7, for information on how to create the import file. Name of the import file. Type of ACS object that the import file contains.
ACS obtains the .csv file from the remote repository and processes the file. You can query ACS for the status of the import process using the import-export-status command. After the import process is complete, ACS generates a status file in the remote repository that includes any errors that ACS identified during this process. For additional security during the import process, you have the option of encrypting the import file and using a secured remote repository for the import operation. Also, the import process sometimes can run into errors. You can specify whether you want to terminate the import process or continue it until it is complete.
Note
If you choose to use a secured remote repository for import, you must specify SFTP as the repository value.
5-2
OL-22972-01
Chapter 5
Using the Scripting Interface Understanding Import and Export in ACS
For example, to add internal user records to an existing identity store, from the ACS CLI, enter:
import-data add user {full | none | only-sec-repo | only-sec-files}
repository file-name result-file-name {abort-on-error secret-phrase
| cont-on-error}
Syntax Description
repositoryName of the remote repository from which to import the ACS objects, in this case, the internal users. file-nameName of the import file in the remote repository. result-file-nameName of the file that contains the results of the import operation. This file is available in the remote repository when the import process completes or is terminated.
abort-on-errorAborts
the import operation if an error occurs during the import process.
cont-on-errorIgnores any errors that occur during the import process and continues to import the rest
of the object.
fullEncrypts the import file using the GNU Privacy Guard (GPG) encryption mechanism and uses secured remote repository to import the file. If you specify the security type as full, you must specify SFTP as the repository value. noneNeither
encrypts the import file nor uses the secured remote repository for import.
secret phraseProvide full
the secret phrase to decrypt the import file. If you specify the security type as or only-sec-files, you must specify the secret phrase. the secured remote repository to import the file. If you specify the security type you must specify SFTP as the repository value. the import file using GPG encryption mechanism.
only-sec-repoUses
as
only-sec-repo,
only-sec-files Encrypts
For more information on the import-data command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/ command/reference/cli_app_a.html#wp1893385.
Exporting ACS Objects Through the CLI

You can export a list of ACS objects in a .csv file from ACS to your local drive. You can perform this operation from the ACS Configuration mode, using the export-data command. This command takes the following arguments:

Object type to be exported. Name of the remote repository to which the .csv file should be downloaded after the export process is complete.
When ACS processes your export request, you can enter a command to query the progress of the export. After the export process is complete, the .csv file that is available in your remote repository should contain all the object records that exist in the ACS internal store.
Note
When you export ACS objects through the web interface, use the available filters to export a subset of the records. For additional security during the export process, you have the option of encrypting the export file and using a secured remote repository for the export operation.
5-3
Chapter 5 Understanding Import and Export in ACS
Note
If you choose to use a secured remote repository for export, you must specify SFTP as the repository value. For example, to export internal user records, from the ACS CLI, enter:
export-data user only-sec-files}
repository file-name result-file-name secret-phrase
{full | none | only-sec-repo |
Syntax Description
repositoryName of the remote repository to which to export the ACS objects, in this case, the internal users. file-nameName of the export file in the remote repository. result-file-nameName of the file that contains the results of the export operation. This file is available in the remote repository when the export process completes.
fullEncrypts the export file using the GPG encryption mechanism and uses secured remote repository
to export the file. If you specify the security type as full, you must specify SFTP as the repository value.
noneNeither
encrypts the export file nor uses the secured remote repository for export.
secret phraseProvide full
a secret phrase to encrypt the export file. If you specify the security type as or only-sec-files, you must specify the secret phrase.
only-sec-repoUses the secured remote repository to export the file. If you specify the security type as only-sec-repo, you must specify SFTP as the repository value. only-sec-filesEncrypts
the export file using GPG encryption mechanism.
For more information on the export-data command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/refer ence/cli_app_a.html#wp1893300.
Viewing the Status of Import and Export Processes

You can view the status of the import and export processes in ACS using the import-export-status command. Use this command to view the status of running import and export processes and to verify whether there are any pending processes. You must run the import-export-status command from the ACS Configuration mode. Any user, irrespective of role, can issue this command.
import-export-status
{current | all | id id }
Syntax Description
currentDisplays the status of the currently running processes. allDisplays the status of all the import and export processes, including any pending processes. idDisplays the import or export status, based on a particular process that is specified by the process ID. For more information on the import-export-status command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/refer ence/cli_app_a.html#wp1893573.
5-4
OL-22972-01
Chapter 5
Using the Scripting Interface Supported ACS Objects
Terminating Import and Export Processes

You can use the import-export-abort command to terminate all import and export processes,or process that are currently running or queued. You must run the import-export-abort command from the ACS Configuration mode. Only the super administrator can simultaneously terminate a running process and all pending import and export processes. However, a user who owns a particular import or export process can terminate that particular process by using the process ID, or by stopping the process when it is running.
import-export-abort
{running | all | id id}
Syntax Description
currentAborts any import or export process that is running currently. allAborts all the import and export processes in the queue. idAborts the import or export process, based on the process ID that you specify. For more information on the import-export-abort command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/refer ence/cli_app_a.html#wp1893490.
Supported ACS Objects

While ACS 5.3 allows you to perform bulk operations (Add, Update, Delete) on ACS objects using the import functionality, you cannot import all ACS objects. The import functionality in ACS 5.3 supports the following ACS objects:

Users Hosts Network Devices Identity Groups NDGs Downloadable ACLs Command Sets
Table 5-1 lists the ACS objects, their properties, and the property data types.
Table 5-1 ACS Objects Property Names and Data Types
Property Name
Object Type: User
Property Data Type (Required in create, edit, and delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Required in create) Boolean. (Required in create) Boolean. (Required in create) String. Maximum length is 32 characters. Not available in Export.
Username Description Enabled Change Password Password
5-5
Chapter 5 Supported ACS Objects
Table 5-1
ACS Objects Property Names and Data Types (continued)
Property Name Enable Password User Identity Group List of attributes

Object Type: Hosts
Property Data Type (Optional) String. Maximum length is 32 characters. (Optional) String. Maximum length is 256 characters. (Optional) String and other data types. (Required in create, edit, delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Optional) Boolean. (Optional) String. Maximum length is 256 characters. (Optional) String. (Required in create, edit, delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Required in create) String. (Required in create) Boolean. (Optional) String. Maximum length is 32 characters. (Required in create) Boolean. (Optional) String. Maximum length is 32 characters. (Optional) Boolean. (Optional) Boolean. (Required in create) Boolean. (Optional) String. Maximum length is 32 characters. (Optional) Boolean. (Optional) String. Maximum length is 32 characters. (Optional) Integer. (Optional) Integer. (Optional) Integer. (Optional) Integer. (Optional) String. (Required in create, edit, delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Required in create, edit, delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Required in create, edit, delete) String. Maximum length is 64 characters.
MAC address Description Enabled Host Identity Group List of attributes Name Description Subnet Support RADIUS RADIUS secret Support TACACS TACACS secret Single connect Legacy TACACS Support CTS CTS Identity CTS trusted Password sgACLTTL peerAZNTTL envDataTTL Session timeout List of NDG names Name Description
Object Type: NDG
Object Type: Network Device
Object Type: Identity Group
Name Description Name
Object Type: Downloadable ACLs
5-6
OL-22972-01
Chapter 5
Using the Scripting Interface Creating Import Files
Table 5-1
ACS Objects Property Names and Data Types (continued)
Property Name Description Content Name Description Commands (in the form of grant:command:arg uments)
Property Data Type (Optional) String. Maximum length is 1024 characters. (Required in create, edit, delete) String. Maximum length is 1024 characters. (Required in create, edit, delete) String. Maximum length is 64 characters. (Optional) String. Maximum length is 1024 characters. (Optional) String.
Note
Object Type: Command Set
This is a list with semicolons used as separators (:) between the values that you supply for grant.
Fields that are optional can be left empty and ACS substitutes the default values for those fields. For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if TrustSec is enabled, all related configuration fields are set to default values.
Creating Import Files

This section describes how to create the .csv file for performing bulk operations on ACS objects. You can download the appropriate template for each of the objects. This section contains the following:

Downloading the Template from the Web Interface, page 5-7 Understanding the CSV Templates, page 5-8 Creating the Import File, page 5-9
Downloading the Template from the Web Interface

Before you can create the import file, you must download the import file templates from the ACS web interface. To download the import file templates for adding internal users:
Step 1 Step 2
Log into the ACS 5.3 web interface. Choose Users and Identity Stores > Internal Identity Stores > Users . The Users page appears. Click File Operations. The File Operations wizard appears. Choose any one of the following:

Step 3
Step 4
AddAdds users to the existing list. This option does not modify the existing list. Instead, it performs an append operation. UpdateUpdates the existing internal user list.
5-7
Chapter 5 Creating Import Files
Step 5
DeleteDeletes the list of users in the import file from the internal identity store.
Click Next. The Template page appears. Click Download Add Template. Click Save to save the template to your local disk.
Step 6 Step 7
The following list gives you the location from which you can get the appropriate template for each of the objects:

UserUsers and Identity Stores > Internal Identity Stores > Users HostsUsers and Identity Stores > Internal Identity Stores > Hosts Network DeviceNetwork Resources > Network Devices and AAA Clients Identity GroupUsers and Identity Stores > Identity Groups NDG
LocationNetwork Resources > Network Device Groups > Location Device TypeNetwork Resources > Network Device Groups > Device Type
Downloadable ACLsPolicy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs Command Set Policy Elements > Authorization and Permissions > Device Administration > Command Sets
Follow the procedure described in this section to download the appropriate template for your object.
Understanding the CSV Templates

You can open your CSV template in Microsoft Excel or any other spreadsheet application and save the template to your local disk as a .csv file. The .csv template contains a header row that lists the properties of the corresponding ACS object. For example, the internal user Add template contains the fields described in Table 5-2:
Table 5-2 Internal User Add Template
Header Field name:String(64):Required description:String(1024) enabled:Boolean(true,false):Required changePassword:Boolean(true,false): Required password:String(32):Required enablePassword:String(32) UserIdentityGroup:String(256)
Description Username of the user. Description of the user. Boolean field that indicates whether the user must be enabled or disabled. Boolean field that indicates whether the user must change password on first login. Password of the user. Enable password of the user. Identity group to which the user belongs.
All the user attributes that you have specified would appear here.
5-8
OL-22972-01
Chapter 5
Using the Scripting Interface Creating Import Files
Each row of the .csv file corresponds to one internal user record. You must enter the values into the .csv file and save it before you can import the users into ACS. See Creating the Import File, page 5-9 for more information on how to create the import file. This example is based on the internal user Add template. For the other ACS object templates, the header row contains the properties described in Table 5-1 for that object.
Creating the Import File

After you download the import file template to your local disk, enter the records that you want to import into ACS in the format specified in the template. After you enter all records into the .csv file, you can proceed with the import function. The import process involves the following:

Adding Records to the ACS Internal Store, page 5-9 Updating the Records in the ACS Internal Store, page 5-10 Deleting Records from the ACS Internal Store, page 5-10
Adding Records to the ACS Internal Store

When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in which the records in the .csv file are added to the list that exists in ACS. To add internal user records to the Add template:
Step 1 Step 2 Step 3
Download the internal user Add template. See Downloading the Template from the Web Interface, page 5-7 for more information. Open the internal user Add template in Microsoft Excel or any other spreadsheet application. See Table 5-1 for a description of the fields in the header row of the template. Enter the internal user information. Each row of the .csv template corresponds to one user record. Figure 5-1 Figure 5-1 shows a sample Add Users import file.
Figure 5-1
Add Users Import File
Step 4
Save the add users import file to your local disk.
5-9
Chapter 5 Creating Import Files
Updating the Records in the ACS Internal Store

When you update the records in the ACS store, the import process overwrites the existing records in the internal store with the records from the .csv file. This operation replaces the records that exist in ACS with the records from the .csv files. The Update operation is similar to the Add operation except for one additional column that you can add to the Update templates. The Update template can contain an Updated Name column for internal users and other ACS objects, and an Updated MAC address column for the internal hosts. The name shown in the Updated Name column replaces the name in the ACS identity store. Instead of downloading the update template for each of the ACS objects, you can use the export file of that object, retain the header row, and update the data to create your updated .csv file. To add an updated name or MAC address to the ACS objects, you must download and use the particular update template. Also, for the NDGs, the export template contains only the NDG name, so in order to update any other property, you must download and use the NDG update template. Figure 5-2 shows a sample import file that updates existing user records.
Figure 5-2 Update UsersImport File
Note
The second column, Updated name, is the additional column that you can add to the Update template. Also, the password value and the enabled password value are not mandatory in the case of an update operation for the user object.
Deleting Records from the ACS Internal Store

You can use this option to delete a subset of records from the ACS internal store. The records that are present in the .csv file that you import are deleted from the ACS internal store. The Delete template contains only the key column to identify the records that must be deleted. For example, to delete a set of internal users from the ACS internal identity store, download the internal user Delete template and add the list of users that you want to delete to this Import file. Figure 5-3 shows a sample Import file that deletes internal user records.
Timesaver
To delete all users, you can export all users and then use the export file as your import file to delete users.
5-10
OL-22972-01
Chapter 5
Using the Scripting Interface Using Shell Scripts to Perform Bulk Operations
Figure 5-3
Delete Users Import File
Using Shell Scripts to Perform Bulk Operations

You can write custom shell scripts that use the import and export CLI commands to perform bulk operations. The ACS web interface provides a sample Python script. To download this sample script:
Step 1 Step 2
Log into the ACS web interface. Choose System Administration > Downloads > Scripts. The downloadable package consists of:

Python module, Pexpect Python script ReadMeContains installation instructions
Note
You must have Python software to run this script.
Sample Shell Script

import pexpect # Create connection to a specific IP using 'admin' username connector = pexpect.spawn('ssh [email protected]') connector.expect('.ssword:*') # Enter password connector.sendline('defaultPass') connector.expect('.$') # Defining a repository that point to the localdisc connector.sendline('configure') connector.expect('.$') connector.sendline('repository localRepo') connector.expect('.$') connector.sendline('url disk:/') connector.expect('.$') connector.sendline('exit') connector.expect('.$') connector.sendline('exit') connector.expect('.$')
5-11
Chapter 5 Using Shell Scripts to Perform Bulk Operations
# Saving the repository connector.sendline('write memory') connector.expect('.$') # Going into acs-config mode connector.sendline('acs-config') connector.expect('.ername:*') # Enter acs admin username connector.sendline('acsadmin') connector.expect('.ssword:*') # Enter acs admin password connector.sendline('1111') connector.expect('.config-acs*') connector.sendline('import-data add device local device.csv device_res.csv cont-on-error none') # Performing the import command connector.expect('.$') # Exit acs-config mode connector.sendline('exit') connector.expect('.$') # Exit ssh mode connector.sendline('exit')
5-12
OL-22972-01
A P P E N D I X

ACS allows you to export data from the Viewer database to a Microsoft Active Directory (AD) or an Oracle System ID (SID) in a remote server. This feature allows you to create custom reporting applications that meet your specific needs. For example, you can export the data from the Viewer database to your remote database on another server that contains your customized reporting application. To export data, you must first configure a remote database in ACS. This appendix describes how to configure a remote database and the tables in the Monitoring and Report Viewer database. This appendix provides the Monitoring and Report Viewer database schema for both Microsoft SQL server and Oracle SID. The following topics are included:

Configuring a Remote Database in ACS, page A-1 Understanding the Monitoring and Report Viewer Database Schema, page A-2
Microsoft SQL Server Schema, page A-4 Oracle Schema, page A-24
Configuring a Remote Database in ACS

You can configure a remote database to which ACS exports the Monitoring and Report Viewer data at specified intervals. You can schedule the export job to be run once every 1, 2, 4, 6, 8, 12, or 24 hours. You can create custom reporting applications that interact with this remote database. ACS supports the following databases:

Oracle SQL Developer Microsoft SQL Server 2005
To configure a remote database:

Step 1 Step 2
Log into the ACS web interface. From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings. The Remote Database Settings Page appears as described in Table A-1.
A-1
Appendix A Understanding the Monitoring and Report Viewer Database Schema
Table A-1
Remote Database Settings Page
Option Publish to Remote Database Server Port Username Password Publish data every n hours Database Type
Description Check the check box for ACS to export data to the remote database periodically. By default, ACS exports data to the remote database every 4 hours. Enter the DNS name or the IP address of the remote database. Enter the port number of the remote database. Enter the username for remote database access. Enter the password for remote database access. Choose a time interval from the drop-down list box for ACS to export data at the specified interval. Valid options are 1, 2, 4, 6, 8, 12, and 24 hours. The type of remote database that you want to configure:

Click the Microsoft Database radio button to configure a Microsoft database and enter the name of the remote database. Click the Oracle SID radio button to configure an Oracle database and enter the system identifier for the Oracle database.
Step 3
Click Submit to configure the remote database. To view the status of your export job in the Scheduler, from the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Scheduler.
Understanding the Monitoring and Report Viewer Database Schema

The Monitoring and Report Viewer collects data for:

Accounting AAA Audit
Note
The tables that contain AAA diagnostics, system diagnostics, and administrative audit data are not exported. The Viewer database contains raw and aggregated tables. This section contains the following topics:

Raw Tables, page A-3 Aggregated Tables, page A-3 Microsoft SQL Server Schema, page A-4 Oracle Schema, page A-24
A-2
OL-22972-01
Appendix A
Monitoring and Report Viewer Database Schema Understanding the Monitoring and Report Viewer Database Schema
Raw Tables
The raw tables contain individual records. The Monitoring and Report Viewer aggregates the records in the raw tables and stores the aggregated data in aggregated tables. The passed and failed bit fields in the raw tables are not encoded and are represented as 1s and 0s.
Aggregated Tables
The aggregated tables contain a count of passed and failed authentications for various data combinations. For example, for a user User1, from identity group A, with NAD B, and access policy C, the Monitoring and Report Viewer computes the passed and failed counts on a daily basis and stores it in the monthly tables.
Monthly Tables
The daily count of passed and failed authentications for various data combinations are stored in the monthly tables.
Yearly Tables
At the end of every month, the Monitoring and Report Viewer computes the passed and failed counts for that month and stores them in the yearly tables. You can choose to work with individual records from the raw tables or you can get the counts directly from these aggregated tables. In the aggregated tables, passed and failed counts are available for various data combinations. The Passed, Failed, TotalResponseTime, and MaxResponseTime fields are not part of any data combination. The total response time is computed in milliseconds for both passed and failed authentications. The day field in the month tables is set to date only and does not include the time. Table A-2 provides a list of tables, a brief description, and a list of aggregated tables.
Table A-2 Monitoring and Report Viewer Database Schema
Purpose
Accounting
Table TACACS Accounting (acstacacsaccounting) RADIUS Accounting (acsradiusaccounting)
Description TACACS SessionStart and stop, watchdog process, and rejected session information. RADIUS SessionStart, stop, and update information. TACACSPassed authentications and failed attempts.
Aggregated Tables acstacacsaccountingmonth acstacacsaccountingyear acsradiusaccountingmonth acsradiusaccountingyear acstacacsauthenticationmonth acstacacsauthenticationyear
AAA Audit
TACACS Authentication (acstacacsauthentication) TACACS Authorization (acstacacsauthorization)
TACACS device acstacacsauthorizationmonth administrationCommand and acstacacsauthorizationyear session authorization passed and failed attempts. RADIUSPassed authentications and failed attempts. acsradiusauthenticationmonth acsradiusauthenticationyear
RADIUS Authentication (acsradiusauthentication)
A-3
Microsoft SQL Server Schema

The Monitoring and Report Viewer database in Microsoft SQL Server contains the acstacacsauthentication tables: The acstacacsauthentication table contains the fields described in Table A-3.
acstacacsauthentication
Table A-3 acstacacsauthentication Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore AuthenticationMethod AuthenType NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups Response PriviligeLevel FailureReason ADDomain AuthenMethod GroupMappingPolicyMatchedR IdentityPolicyMatchedRule QueryIdentityStores RemoteAddress SelectedAuthenticationIdenti SelectedQueryIdentityStores Service AVPair
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text text varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text
A-4
OL-22972-01
Appendix A
Table A-3
acstacacsauthentication Table (continued)
Column ExecutionSteps OtherAttributes SelectedShellProfile AuthorizationExceptionPolicyMa ResponseTime Passed Failed

acstacacsauthenticationmonth
Table A-4
Data Type text text varchar(500) varchar(500) integer bit bit
acstacacsauthenticationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy UserName IdentityStore NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups FailureReason ADDomain UseCase Passed Failed TotalResponseTime MaxResponseTime
Data Type integer smalldatetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text varchar(500) varchar(500) varchar(500) integer integer integer integer
A-5
acstacacsauthenticationyear
Table A-5 acstacacsauthenticationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy UserName IdentityStore NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups FailureReason ADDomain UseCase Passed Failed TotalResponseTime MaxResponseTime
acsradiusauthentication
Table A-6
Data Type integer varchar(10) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text varchar(500) varchar(500) varchar(500) integer integer integer integer
acsradiusauthentication Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500)
A-6
OL-22972-01
Appendix A
Table A-6
acsradiusauthentication Table (continued)
Column AuthenticationMethod NetworkDeviceName IdentityGroup NetworkDeviceGroups Response CallingStationID NASPort ServiceType AuditSessionID CTSSecurityGroup FailureReason UseCase ExecutionSteps FramedIPAddress NASIdentifier NASIPAddress NASPortId CiscoAVPair ADDomain RadiusResponse ACSUserName RadiusUserName NACRole NACPolicyCompliance NACUsername NACPostureToken NACRadiusIsUserAuthenticated SelectedPostureServer SelectedIdentityStore AuthenticationIdentityStore AuthorizationExceptionPolicyMa ExternalPolicyServerMatchedRul GroupMappingPolicyMatchedRule IdentityPolicyMatchedRule NASPortType QueryIdentityStores
Data Type varchar(500) varchar(500) text text text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(4000) varchar(500) varchar(500) varchar(500) varchar(500) text varchar(500) text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500)
A-7
Table A-6
Column SelectedAuthorizationProfiles SelectedExceptionAuthorization SelectedQueryIdentityStores EapAuthentication EapTunnel TunnelDetails CiscoH323Attributes CiscoSSGAttributes OtherAttributes ResponseTime NADFailure Passed Failed
acsradiusauthenticationmonth
Table A-7
Data Type varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text text text integer bit bit bit
acsradiusauthenticationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore NetworkDeviceName IdentityGroup NetworkDeviceGroups CallingStationID FailureReason NASIdentifier NASIPAddress ADDomain UseCase SelectedAuthorizationProfiles
Data Type integer smalldatetime varchar(500) varchar(10) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(500) text text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500)
A-8
OL-22972-01
Appendix A
Table A-7
acsradiusauthenticationmonth Table (continued)
Column CTSSecurityGroup Passed Failed TotalResponseTime MaxResponseTime constraint ASA1234 primary key (ID)
acsradiusauthenticationyear
Table A-8
Data Type varchar(500) integer integer integer integer integer
acsradiusauthenticationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore NetworkDeviceName IdentityGroup NetworkDeviceGroups CallingStationID FailureReason NASIdentifier NASIPAddress ADDomain UseCase
Data Type integer varchar(10) varchar(500) varchar(10) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(500) text text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500)
SelectedAuthorizationProfilesCTSSecurityGro varchar(500) up Passed Failed TotalResponseTime MaxResponseTime integer integer integer integer
A-9
acstacacsauthorization
Table A-9 acstacacsauthorization Table
Column ID ACSTIMESTAMP ACSViewTIMESTAMP ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName Response NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups AuthenMethod AuthorizationExceptionPolicyMa AuthorReplyStatus FailureReason GroupMappingPolicyMatchedRule IdentityPolicyMatchedRule QueryIdentityStores RemoteAddress SelectedAuthorizationProfiles SelectedExceptionAuthorization AVPair ExecutionSteps OtherAttributes
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) text varchar(500) text varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text text
A-10
OL-22972-01
Appendix A
Table A-9
acstacacsauthorization Table (continued)
Column AuthenType IdentityStore ADDomain SelectedIdentityStore SelectedQueryIdentityStore ResponseTime Passed Failed

acstacacsauthorizationmonth
Table A-10
Data Type varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) integer bit bit
acstacacsauthorizationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups TotalResponseTime Passed Failed
Data Type integer smalldatetime varchar(500) varchar(10) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text integer integer integer
A-11
acstacacsauthorizationyear
Table A-11 acstacacsauthorizationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups TotalResponseTime Passed Failed
acstacacsaccounting
Table A-12 acstacacsaccounting Table
Data Type integer varchar(10) varchar(500) varchar(10) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text text integer integer integer
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService UserName
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500)
A-12
OL-22972-01
Appendix A
Table A-12
acstacacsaccounting Table (continued)
Column RemoteAddress AcctRequestFlags AuthenMethod ServiceType Service NetworkDeviceName Port NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet ServerMsg ServiceArgument AVPair AcctInputPackets AcctOutputPackets AcctTerminateCause AcctSessionTime AcctSessionId ExecutionSteps Response OtherAttributes ResponseTime Started Stopped SessionKey
acstacacsaccountingmonth
Table A-13
Data Type varchar(500) varchar(10) varchar(20) varchar(20) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) text numeric(11) numeric(11) varchar(500) numeric(11) varchar(500) text text text integer smallint smallint varchar(500)
acstacacsaccountingmonth Table
Column ID Day ACSServer MessageCode AccessService
Data Type integer smalldatetime varchar(500) varchar(10) varchar(500)
A-13
Table A-13
acstacacsaccountingmonth Table (continued)
Column UserName RemoteAddress Service NetworkDeviceName NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acstacacsaccountingyear
Table A-14
Data Type varchar(500) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(10) varchar(500) integer bigint numeric(11) integer bigint bigint numeric(11) integer integer
acstacacsaccountingyear Table
Column ID Month ACSServer MessageCode AccessService UserName RemoteAddress Service NetworkDeviceName NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet
Data Type integer varchar(10) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500) varchar(10) varchar(500)
A-14
OL-22972-01
Appendix A
Table A-14
acstacacsaccountingyear Table (continued)
Column Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsradiusaccounting
Table A-15 acsradiusaccounting Table
Data Type integer bigint numeric(11) integer bigint bigint numeric(11) integer integer
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID UserName CallingStationID AcctSessionId AcctStatusType AcctSessionTime ServiceType FramedProtocol AcctInputOctets AcctOutputOctets AcctInputPackets AcctOutputPackets FramedIPAddress NASPort NASIPAddress CiscoAVPair Class AcctTerminateCause
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(20) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text varchar(500) varchar(500)
A-15
Table A-15
acsradiusaccounting Table (continued)
Column AccessService AuditSessionID AcctMultiSessionID AcctAuthentic TerminationAction SessionTimeout IdleTimeout AcctInterimInterval AcctDelayTime EventTimestamp NASIdentifier NASPortId AcctTunnelConnection AcctTunnelPacketLost NetworkDeviceName NetworkDeviceGroups ServiceSelectionPolicy IdentityStore ADDomain IdentityGroup AuthorizationPolicy FailureReason SecurityGroup TunnelDetails CiscoH323SetupTime CiscoH323ConnectTime CiscoH323DisconnectTime CiscoH323Attributes CiscoSSGAttributes ExecutionSteps OtherAttributes ResponseTime Started Stopped SessionKey
Data Type varchar(500) varchar(500) varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) text datetime datetime datetime text text text text integer smallint smallint varchar(500)
A-16
OL-22972-01
Appendix A
acsradiusaccountingmonth
Table A-16 acsradiusaccountingmonth Table
Column ID Day ACSServer MessageCode AccessService UserName CallingStationID AcctTerminateCause TerminationAction NASIdentifier NASIPAddress NetworkDeviceName NetworkDeviceGroups IdentityStore ADDomain IdentityGroup AuthorizationPolicy AcctStatusType FramedIPAddress Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsradiusaccountingyear
Table A-17
Data Type integer smalldatetime varchar(500) varchar(10) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) integer bigint numeric(11) integer bigint bigint numeric(11) integer integer
acsradiusaccountingyear Table
Column ID Month
Data Type integer varchar(10)
A-17
Table A-17
acsradiusaccountingyear Table (continued)
Column ACSServer MessageCode AccessService UserName CallingStationID AcctTerminateCause TerminationAction NASIdentifier NASIPAddress NetworkDeviceName NetworkDeviceGroups IdentityStore ADDomain IdentityGroup AuthorizationPolicy AcctStatusType FramedIPAddress Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsaaadiagnostics
Table A-18 acsaaadiagnostics Table
Data Type varchar(500) varchar(10) varchar(500) varchar(500) varchar(255) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) varchar(500) integer bigint numeric(11) integer bigint bigint numeric(11) integer integer
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode MessageSeverity
Data Type integer datetime datetime varchar(500) varchar(10) varchar(10)
A-18
OL-22972-01
Appendix A
Table A-18
acsaaadiagnostics Table
Column ACSSessionID Category DiagnosticInfo

acsadministratorlogin
Table A-19
Data Type varchar(500) varchar(500) text
acsadministratorlogin Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode AdminName AdminIPAddress AdminSession AdminInterface

acsconfigurationchanges
Table A-20
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(100) varchar(100) varchar(10)
acsconfigurationchanges Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode AdminName AdminIPAddress AdminSession AdminInterface ObjectType ObjectName RequestedOperation OperationMessageText ConfigChangeData HostID
Data Type integer datetime datetime varchar(500) varchar(10) varchar(500) varchar(100) varchar(100) varchar(10) varchar(500) varchar(500) varchar(100) varchar(1000) text varchar(100)
A-19
Table A-20
acsconfigurationchanges Table (continued)
Column RequestResponseType FailureFlag Details OperatorName UserAdminFlag AccountName DeviceIP IdentityStoreName ChangePasswordMethod AuditPasswordType ObjectID AppliedToACSInstance LocalMode
acslogcollectionfailures
Table A-21
Data Type varchar(10) varchar(10) varchar(1000) varchar(500) varchar(10) varchar(500) varchar(15) varchar(500) varchar(10) varchar(10) varchar(100) varchar(500) bit
acslogcollectionfailures Table
Column ID ACSViewTimestamp ACSServer ACSLoggingCategory Error

acsmessagecatalog
Table A-22
Data Type integer datetime varchar(500) varchar(100) text
acsmessagecatalog Table
Column ID MESSAGECODE MESSAGECLASS MESSAGETEXT
Data Type integer integer varchar(100) text
A-20
OL-22972-01
Appendix A
acsprocessstatus
Table A-23 acsprocessstatus Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode NodeId NodeName Role DatabaseProc Management Runtime Adclient ViewDatabase ViewCollector ViewJobManager ViewAlertManager ViewLogProcessor
acssystemstatus
Table A-24
Data Type integer datetime datetime varchar(500) varchar(10) smallint varchar(500) varchar(100) bit bit bit bit bit bit bit bit bit
acssystemstatus Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode CPUUtilization NetworkUtilizationRcvd NetworkUtilizationSent MemoryUtilization DiskIOUtilization DiskSpaceUtilizationRoot DiskSpaceUtilizationAltRoot DiskSpaceUtilizationBoot
Data Type integer datetime datetime varchar(500) varchar(10) decimal(5,2) integer integer decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2)
A-21
Table A-24
acssystemstatus Table (continued)
Column DiskSpaceUtilizationHome DiskSpaceUtilizationLocaldisk DiskSpaceUtilizationOpt DiskSpaceUtilizationRecovery DiskSpaceUtilizationStoredconf DiskSpaceUtilizationStoreddata DiskSpaceUtilizationTmp DiskSpaceUtilizationRuntime AverageRadiusRequestLatency AverageTacacsRequestLatency DeltaRadiusRequestCount DeltaTacacsRequestCount
acssystemdiagnostics
Table A-25
Data Type decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) integer integer integer integer
acssystemdiagnostics Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode MessageSeverity Category DiagnosticInfo

acsviewnetflowaggregation
Table A-26
Data Type integer datetime datetime varchar(500) varchar(10) varchar(10) varchar(100) text
acsviewnetflowaggregation Table
Column ID ACSViewTimestamp SourceUsername SourceAddress SourcePort DestinationUsername DestinationAddress
Data Type integer datetime varchar(500) varchar(15) varchar(50) varchar(500) varchar(15)
A-22
OL-22972-01
Appendix A
Table A-26
Column DestinationPort SGTName SGTValue DGTName DGTValue NASIPAddress Protocol ACLDrops

checkpointday
Table A-27
Data Type varchar(50) varchar(100) integer varchar(100) integer varchar(15) varchar(50) integer
checkpointday Table
Column ID Type Timestamp AuditSessionID ACSServer ACSSessionID NASIP EndpointMAC EndpointIP UserName VLAN dACL AuthenticationType InterfaceName Reason
nadaaastatus
Table A-28 nadaaastatus Table
Data Type integer smallint datetime varchar(100) varchar(100) varchar(100) varchar(41) varchar(100) varchar(41) varchar(500) varchar(100) varchar(100) varchar(500) varchar(100) varchar(500)
Column ID Timestamp Alive ACSServer
Data Type integer datetime bit varchar(100)
A-23
Table A-28
nadaaastatus Table
Column NASIP DeviceGroups
Data Type varchar(100) text
Oracle Schema
The Monitoring and Report Viewer database in AD contains the following tables:
acstacacsauthentication
Table A-29 acstacacsauthentication Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore AuthenticationMethod AuthenType NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups Response PriviligeLevel FailureReason ADDomain AuthenMethod GroupMappingPolicyMatchedR IdentityPolicyMatchedRule QueryIdentityStores RemoteAddress
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500)
A-24
OL-22972-01
Appendix A
Table A-29
acstacacsauthentication Table (continued)
Column SelectedAuthenticationIdenti SelectedQueryIdentityStores Service AVPair ExecutionSteps OtherAttributes SelectedShellProfile ResponseTime Passed Failed
acstacacsauthenticationmonth
Table A-30
Data Type varchar2(500) varchar2(500) varchar2(500) clob clob clob varchar2(500) integer smallint smallint
AuthorizationExceptionPolicyMa varchar2(500)
acstacacsauthenticationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy UserName IdentityStore NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups FailureReason ADDomain UseCase Passed Failed TotalResponseTime MaxResponseTime
Data Type integer date varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob varchar2(500) varchar2(500) varchar2(500) integer integer integer integer
A-25
acstacacsauthenticationyear
Table A-31 acstacacsauthenticationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy UserName IdentityStore NetworkDeviceName DeviceIPAddress IdentityGroup NetworkDeviceGroups FailureReason ADDomain UseCase Passed Failed TotalResponseTime MaxResponseTime
acsradiusauthentication
Table A-32
Data Type integer varchar2(10) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob varchar2(500) varchar2(500) varchar2(500) integer integer integer integer
acsradiusauthentication Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500)
A-26
OL-22972-01
Appendix A
Table A-32
Column AuthenticationMethod NetworkDeviceName IdentityGroup NetworkDeviceGroups Response CallingStationID NASPort ServiceType AuditSessionID CTSSecurityGroup FailureReason UseCase ExecutionSteps FramedIPAddress NASIdentifier NASIPAddress NASPortId CiscoAVPair ADDomain RadiusResponse ACSUserName RadiusUserName NACRole NACPolicyCompliance NACUsername NACPostureToken NACRadiusIsUserAuthenticated SelectedPostureServer SelectedIdentityStore AuthenticationIdentityStore AuthorizationExceptionPolicyMa ExternalPolicyServerMatchedRul GroupMappingPolicyMatchedRule IdentityPolicyMatchedRule NASPortType QueryIdentityStores
Data Type varchar2(500) varchar2(500) clob clob clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500)
A-27
Table A-32
Column SelectedAuthorizationProfiles SelectedExceptionAuthorization SelectedQueryIdentityStores EapAuthentication EapTunnel TunnelDetails CiscoH323Attributes CiscoSSGAttributes OtherAttributes ResponseTime NADFailure Passed Failed
acsradiusauthenticationmonth
Table A-33
Data Type varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob clob clob integer smallint integer integer
acsradiusauthenticationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore NetworkDeviceName IdentityGroup NetworkDeviceGroups CallingStationID FailureReason NASIdentifier NASIPAddress ADDomain UseCase SelectedAuthorizationProfiles
Data Type integer date varchar2(500) varchar2(10) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) clob clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500)
A-28
OL-22972-01
Appendix A
Table A-33
acsradiusauthenticationmonth Table (continued)
Column CTSSecurityGroup Passed Failed TotalResponseTime MaxResponseTime

acsradiusauthenticationyear
Table A-34
Data Type varchar2(500) integer integer integer integer
acsradiusauthenticationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName IdentityStore NetworkDeviceName IdentityGroup NetworkDeviceGroups CallingStationID FailureReason NASIdentifier NASIPAddress ADDomain UseCase SelectedAuthorizationProfiles CTSSecurityGroup Passed Failed TotalResponseTime MaxResponseTime
Data Type integer varchar2(10) varchar2(500) varchar2(10) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) clob clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) integer integer integer integer
A-29
acstacacsauthorization
Table A-35 acstacacsauthorization Table
Column ID ACSTIMESTAMP ACSViewTIMESTAMP ACSServer MessageCode ACSSessionID AccessService ServiceSelectionPolicy AuthorizationPolicy UserName Response NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups AuthenMethod AuthorizationExceptionPolicyMa AuthorReplyStatus FailureReason GroupMappingPolicyMatchedRule IdentityPolicyMatchedRule QueryIdentityStores RemoteAddress SelectedAuthorizationProfiles SelectedExceptionAuthorization AVPair ExecutionSteps OtherAttributes
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) clob varchar2(500) varchar2(500) varchar(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob clob
A-30
OL-22972-01
Appendix A
Table A-35
acstacacsauthorization Table (continued)
Column AuthenType IdentityStore ADDomain SelectedIdentityStore SelectedQueryIdentityStore ResponseTime Passed Failed

acstacacsauthorizationmonth
Table A-36
Data Type varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) integer small int smallint
acstacacsauthorizationmonth Table
Column ID Day ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups TotalResponseTime Passed Failed
Data Type integer date varchar2(500) varchar2(10) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob integer integer integer
A-31
acstacacsauthorizationyear
Table A-37 acstacacsauthorizationyear Table
Column ID Month ACSServer MessageCode AccessService ServiceSelectionPolicy AuthorizationPolicy UserName NetworkDeviceName DeviceIPAddress PriviligeLevel CmdSet MatchedCommandSet SelectedShellProfile SelectedCommandSet AuthorizationFailureReason FailedShellAttribute IdentityGroup NetworkDeviceGroups TotalResponseTime Passed Failed
acstacacsaccounting
Table A-38
Data Type integer varchar2(10) varchar2(500) varchar2(10) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob clob integer integer integer
acstacacsaccounting Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID AccessService UserName
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500)
A-32
OL-22972-01
Appendix A
Table A-38
acstacacsaccounting Table (continued)
Column RemoteAddress AcctRequestFlags AuthenMethod ServiceType Service NetworkDeviceName Port NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet ServerMsg ServiceArgument AVPair AcctInputPackets AcctOutputPackets AcctTerminateCause AcctSessionTime AcctSessionId ExecutionSteps Response OtherAttributes ResponseTime Started Stopped SessionKey
acstacacsaccountingmonth
Table A-39
Data Type varchar2(500) varchar2(10) varchar2(20) varchar2(20) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) clob number(6) number(6) varchar2(500) number(6) varchar2(500) clob clob clob integer smallint smallint varchar2(500)
acstacacsaccountingmonth Table
Column ID Day ACSServer MessageCode AccessService
Data Type integer date varchar2(500) varchar2(10) varchar2(500)
A-33
Table A-39
acstacacsaccountingmonth Table (continued)
Column UserName RemoteAddress Service NetworkDeviceName NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acstacacsaccountingyear
Table A-40
Data Type varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(10) varchar2(500) integer number(20) number(6) integer number(20) number(20) number(6) integer integer
acstacacsaccountingyear Table
Column ID Month ACSServer MessageCode AccessService UserName RemoteAddress Service NetworkDeviceName NetworkDeviceGroups DeviceIPAddress SourceIPAddress PrivilegeLevel CmdSet
Data Type integer varchar2(10) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500) varchar2(10) varchar2(500)
A-34
OL-22972-01
Appendix A
Table A-40
acstacacsaccountingyear Table (continued)
Column Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsradiusaccounting
Table A-41
Data Type integer number(20) number(6) integer number(20) number(20) number(6) integer integer
acsradiusaccounting Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode ACSSessionID UserName CallingStationID AcctSessionId AcctStatusType AcctSessionTime ServiceType FramedProtocol AcctInputOctets AcctOutputOctets AcctInputPackets AcctOutputPackets FramedIPAddress NASPort NASIPAddress CiscoAVPair Class AcctTerminateCause
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(20) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob varchar2(500) varchar2(500)
A-35
Table A-41
acsradiusaccounting Table (continued)
Column AccessService AuditSessionID AcctMultiSessionID AcctAuthentic TerminationAction SessionTimeout IdleTimeout AcctInterimInterval AcctDelayTime EventTimestamp NASIdentifier NASPortId AcctTunnelConnection AcctTunnelPacketLost NetworkDeviceName NetworkDeviceGroups ServiceSelectionPolicy IdentityStore ADDomain IdentityGroup AuthorizationPolicy FailureReason SecurityGroup TunnelDetails CiscoH323SetupTime CiscoH323ConnectTime CiscoH323DisconnectTime CiscoH323Attributes CiscoSSGAttributes ExecutionSteps OtherAttributes ResponseTime Started Stopped SessionKey
Data Type varchar2(500) varchar2(500) varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) clob timestamp timestamp timestamp clob clob clob clob integer integer integer varchar2(500)
A-36
OL-22972-01
Appendix A
acsradiusaccountingmonth
Table A-42 acsradiusaccountingmonth Table
Column ID Day ACSServer MessageCode AccessService UserName CallingStationID AcctTerminateCause TerminationAction NASIdentifier NASIPAddress NetworkDeviceName NetworkDeviceGroups IdentityStore ADDomain IdentityGroup AuthorizationPolicy AcctStatusType FramedIPAddress Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsradiusaccountingyear
Table A-43
Data Type integer date varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) integer number(20) number(6) integer number(20) number(20) number(6) integer integer
acsradiusaccountingyear Table
Column ID Month
Data Type integer varchar2(10)
A-37
Table A-43
acsradiusaccountingyear Table (continued)
Column ACSServer MessageCode AccessService UserName CallingStationID AcctTerminateCause TerminationAction NASIdentifier NASIPAddress NetworkDeviceName NetworkDeviceGroups IdentityStore ADDomain IdentityGroup AuthorizationPolicy AcctStatusType FramedIPAddress Count TotalResponseTime MaxResponseTime Active Throughput TotalSessionTime MaxSessionTime Started Stopped
acsaaadiagnostics
Table A-44
Data Type varchar2(500) varchar2(10) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) varchar2(500) integer number(20) number(6) integer number(20) number(20) number(6) integer integer
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode MessageSeverity
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(10)
A-38
OL-22972-01
Appendix A
Table A-44
Column ACSSessionID Category DiagnosticInfo

acsadministratorlogin
Table A-45
Data Type varchar2(500) varchar2(500) clob
acsadministratorlogin Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode AdminName AdminIPAddress AdminSession AdminInterface

acsconfigurationchanges
Table A-46
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(100) varchar2(100) varchar2(10)
acsconfigurationchanges Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode AdminName AdminIPAddress AdminSession AdminInterface ObjectType ObjectName RequestedOperation OperationMessageText ConfigChangeData HostID
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(500) varchar2(100) varchar2(100) varchar2(10) varchar2(500) varchar2(500) varchar2(100) varchar2(1000) clob varchar2(100)
A-39
Table A-46
acsconfigurationchanges Table (continued)
Column RequestResponseType FailureFlag Details OperatorName UserAdminFlag AccountName DeviceIP IdentityStoreName ChangePasswordMethod AuditPasswordType ObjectID AppliedToACSInstance LocalMode
acslogcollectionfailures
Table A-47
Data Type varchar2(10) varchar2(10) varchar2(1000) varchar2(500) varchar2(10) varchar2(500) varchar2(15) varchar2(500) varchar2(10) varchar2(10) varchar2(100) varchar2(500) smallint
acslogcollectionfailures Table
Column ID ACSViewTimestamp ACSServer ACSLoggingCategory Error

acsmessagecatalog
Table A-48
Data Type integer timestamp varchar2(500) varchar2(100) clob
acsmessagecatalog Table
Column ID MESSAGECODE MESSAGECLASS MESSAGETEXT
Data Type smallint integer varchar2(100) clob
A-40
OL-22972-01
Appendix A
acsprocessstatus
Table A-49 acsprocessstatus Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode NodeId NodeName Role DatabaseProc Management Runtime Adclient ViewDatabase ViewCollector ViewJobManager ViewAlertManager ViewLogProcessor
acssystemstatus
Table A-50
Data Type integer timestamp timestamp varchar2(500) varchar2(10) smallint varchar2(500) varchar2(100) smallint smallint smallint smallint smallint smallint smallint smallint smallintRuntimeRuntime
acssystemstatus Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode CPUUtilization NetworkUtilizationRcvd NetworkUtilizationSent MemoryUtilization DiskIOUtilization DiskSpaceUtilizationRoot DiskSpaceUtilizationAltRoot DiskSpaceUtilizationBoot
Data Type integer timestamp timestamp varchar2(500) varchar2(10) decimal(5,2) integer integer decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2)
A-41
Table A-50
acssystemstatus Table (continued)
Column DiskSpaceUtilizationHome DiskSpaceUtilizationLocaldisk DiskSpaceUtilizationOpt DiskSpaceUtilizationRecovery DiskSpaceUtilizationStoredconf DiskSpaceUtilizationStoreddata DiskSpaceUtilizationTmp DiskSpaceUtilizationRuntime AverageRadiusRequestLatency AverageTacacsRequestLatency DeltaRadiusRequestCount DeltaTacacsRequestCount
acssystemdiagnostics
Table A-51
Data Type decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) decimal(5,2) integer integer integer integer
acssystemdiagnostics Table
Column ID ACSTimestamp ACSViewTimestamp ACSServer MessageCode MessageSeverity Category DiagnosticInfo

acsviewnetflowaggregation
Table A-52
Data Type integer timestamp timestamp varchar2(500) varchar2(10) varchar2(10) varchar2(100) clob
Column ID ACSTimestamp SourceUsername SourceAddress SourcePort DestinationUsername DestinationAddress
Data Type integer timestamp varchar2(500) varchar2(15) varchar2(50) varchar2(500) varchar2(15)
A-42
OL-22972-01
Appendix A
Table A-52
acsviewnetflowaggregation Table (continued)
Column DestinationPort SGTName SGTValue DGTName DGTValue NASIPAddress Protocol ACLDrops

checkpointday
Table A-53 checkpointday Table
Data Type varchar2(50) varchar2(100) integer varchar2(100) integer varchar2(15) varchar2(50) integer
Column ID Type Timestamp AuditSessionID ACSServer ACSSessionID NASIP EndpointMAC EndpointIP UserName VLAN dACL AuthenticationType InterfaceName Reason
nadaaastatus
Table A-54 nadaaastatus Table
Data Type integer number(5) timestamp varchar2(100) varchar2(100) varchar2(100) varchar2(41) varchar2(100) varchar2(41) varchar2(500) varchar2(100) varchar2(100) varchar2(500) varchar2(100) varchar2(500)
Column ID Timestamp Alive ACSServer
Data Type integer timestamp smallint varchar2(100)
A-43
Table A-54
nadaaastatus Table
Column NASIP DeviceGroups
Data Type varchar2(100) clob
A-44
OL-22972-01
I N D EX
E
exporting monitoring & report viewer data
A-1
U
ucp sample script
2-7
I
import and export aborting processes creating import files csv templates sample scripts
5-8 5-11 5-5 5-4 5-5 5-7
UCP web service downloading WSDL file methods WSDL

2-2 2-8 2-4
sample code
2-4
using the scripting interface
5-1
supported objects viewing processes
W
web interface
M
monitoring & report viewer database schema WSDL file
3-6 A-2
enabling web services WSDL file UCP
2-1, 4-1 1-2 1-3 3-6
monitoring and report viewer

2-4
monitoring and report Viewer monitoring and report viewer integrating viewer web services sample code web services
3-12 3-2 3-9
P
performing bulk operations
5-2
R
remote database
A-1
IN-1
Index
IN-2
OL-22972-01

ACS 5.3 Software Developer's Guide

Uploaded by

Copyright:

Available Formats

ACS 5.3 Software Developer's Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACS 5.3 Software Developer's Guide

Uploaded by

Copyright:

Available Formats

What is the purpose of this document?

What is the purpose of this document?

What are some of the main web services discussed in this document?

What are some of the main web services discussed in this document?

Software Developers Guide for Cisco Secure Access Control System 5.

Text Part Number: OL-22972-01

How This Guide Is Organized

Documentation Updates Related Documentation

Obtaining Documentation and Submitting a Service Request

Understanding Web Services Understanding WSDL Understanding WADL

Using the UCP Web Service

Using the Scripting Interface

Terminating Import and Export Processes Supported ACS Objects

How This Guide Is Organized

Using the UCP Web Service

Title Using the Monitoring and Report Viewer Web Services

Using the Configuration Web Services Using the Scripting Interface

Monitoring and Report Viewer Database Schema

Convention bold font italic font [ ] {x | y | z } [x|y|z] string

Description Cisco Secure Access Control System Release 5.3.

Product Documentation (continued)

Obtaining Documentation and Submitting a Service Request

UCP web service to perform the following operations:

Monitoring and Report Viewer web services that provide:

Chapter 1 Understanding Web Services

Configuration web services to perform the following operations:

This chapter contains the following sections:

Understanding Web Services

Overview Understanding WSDL

Chapter 1 Understanding WADL

Using the UCP Web Service

Chapter 2 Understanding the Methods in the UCP Web Service

Using the UCP Web Service

Understanding the Methods in the UCP Web Service

User Authentication, page 2-2 User Change Password, page 2-3

It authenticates the user It changes the user password.

Connect to the UCP web application A login page appears.

Authentication Succeeded Authentication Failed

This method displays an error message if:

User Change Password

Username Current password New password

Connect to the UCP web application A login page appears.

Operation Succeeded Operation Failed

This method displays an error if:

Chapter 2 Using the WSDL File

Using the UCP Web Service

Using the WSDL File

Downloading the WSDL File

UCP WSDL File

Using the UCP Web Service Using the WSDL File

<xsd:types> <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.cisco.com/changepass.service">

Chapter 2 Using the WSDL File

Using the UCP Web Service

Request and Response Schemas

User Authentication Request

User Authentication Response

User Change Password Request

User Change Password Response

Working with the UCP Web Service

Chapter 2 Working with the UCP Web Service