Software Developer’s Guide for Cisco Secure Access Control System 5.3
September 2011

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-22972-01


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Software Developer’s Guide for Cisco Secure Access Control System 5.3 © 2011 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface vii
  Audience vii
  How This Guide Is Organized vii
  Conventions viii
  Documentation Updates ix
  Related Documentation ix
  Obtaining Documentation and Submitting a Service Request x

CHAPTER 1 Overview 1-1
  Understanding Web Services 1-2
  Understanding WSDL 1-3
  Understanding WADL 1-3

CHAPTER 2 Using the UCP Web Service 2-1
  Understanding the Methods in the UCP Web Service 2-2
  User Authentication 2-2
  User Change Password 2-3
  Using the WSDL File 2-4
  Downloading the WSDL File 2-4
  UCP WSDL File 2-4
  Request and Response Schemas 2-7
  User Authentication Request 2-7
  User Authentication Response 2-7
  User Change Password Request 2-7
  User Change Password Response 2-7
  Working with the UCP Web Service 2-7
  Sample Client Code 2-8

CHAPTER 3 Using the Monitoring and Report Viewer Web Services 3-1
  Understanding the Methods in the Viewer Web Services 3-2
  Get Version 3-2
  Get Authentication Status By Date 3-3
  Get Authentication Status By Time Unit 3-3
  Get Failure Reasons 3-4
  Get RADIUS Accounting 3-4
  Get API Version 3-5
  Understanding the WSDL Files 3-5
  Downloading the WSDL Files 3-6
  Viewer WSDL Files 3-6
  Integrating the Viewer Web Services with Your Application 3-9
  Working with the Viewer Web Services 3-10
  Required Files 3-10
  Supported SOAP Clients 3-11
  Connecting to the Viewer Web Services 3-11
  Sample Client Code 3-12

CHAPTER 4 Using the Configuration Web Services 4-1
  Supported Configuration Objects 4-1
  Identity Groups 4-2
  Attribute Info 4-3
  Group Associations 4-3
  Query Object 4-3
  Filtering 4-3
  Sorting 4-4
  Paging 4-5
  Request Structure 4-5
  URL Path 4-5
  HTTP Methods 4-6
  Response Structure 4-7
  HTTP Status Codes 4-7
  ACS REST Result 4-8
  Returned Objects 4-9
  WADL File 4-9
  Schema File 4-9
  Sample Code 4-10

CHAPTER 5 Using the Scripting Interface 5-1
  Understanding Import and Export in ACS 5-2
  Importing ACS Objects Through the CLI 5-2
  Exporting ACS Objects Through the CLI 5-3
  Viewing the Status of Import and Export Processes 5-4
  Terminating Import and Export Processes 5-5
  Supported ACS Objects 5-5
  Creating Import Files 5-7
  Downloading the Template from the Web Interface 5-7
  Understanding the CSV Templates 5-8
  Creating the Import File 5-9
  Adding Records to the ACS Internal Store 5-9
  Updating the Records in the ACS Internal Store 5-10
  Deleting Records from the ACS Internal Store 5-10
  Using Shell Scripts to Perform Bulk Operations 5-11
  Sample Shell Script 5-11

APPENDIX A Monitoring and Report Viewer Database Schema A-1
  Configuring a Remote Database in ACS A-1
  Understanding the Monitoring and Report Viewer Database Schema A-2
  Raw Tables A-3
  Aggregated Tables A-3
  Microsoft SQL Server Schema A-4
  Oracle Schema A-24

INDEX


Preface

Welcome to the Software Developer Guide for the Cisco Secure Access Control System 5.3!

This document provides details about the interfaces that Cisco Secure Access Control System (ACS) offers that you can use to interact with external customer-developed applications.

This includes several web services for application access and scriptable access for bulk provisioning using the command-line interface (CLI). It also allows you to create a replica of the Monitoring and Troubleshooting database for application development.

Audience

This guide is intended for software engineers and programmers who create custom applications to interact with ACS. The software engineers and programmers must be familiar with:

• Web Services Description Language (WSDL) File

• Web Application Description Language (WADL) File

• Web Services Tools

• REST Services Tools

How This Guide Is Organized

Table 1 describes the contents of each chapter in this document.

Table 1 Organization

Chapter/Appendix | Title | Description
1 | Overview | Provides an overview of the ACS 5.3 features in the form of web services. It also gives CLI commands that you can use in your custom applications to interact with ACS.
2 | Using the UCP Web Service | Describes the User Change Password web service, the methods that it provides, and how you can use it in your application.
3 | Using the Monitoring and Report Viewer Web Services | Describes the web services that the Monitoring and Report Viewer component of ACS provides, and explains how to use these web services in your application.
4 | Using the Configuration Web Services | Describes the Configuration Web Services and the CRUD methods that they provide, and explains how to use them in your application.
5 | Using the Scripting Interface | Describes the scripting interface that ACS provides. This interface allows you to perform bulk create, update, and delete operations on various ACS objects.
A | Monitoring and Report Viewer Database Schema | Provides the Monitoring and Report Viewer database schema that allows you to create custom reporting applications.

Conventions

Table 2 describes the conventions followed in this document.

Table 2 Conventions

Convention | Description
bold font | Commands and keywords.
italic font | Variables for which you supply values.
[ ] | Keywords or arguments that appear within square brackets are optional.
{x | y | z } | A choice of required keywords appears in braces separated by vertical bars. You must select one.
[ x | y | z ] | Optional alternative keywords are grouped in brackets separated by vertical bars.
string | Nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font | Examples of information displayed on the screen.
bold courier font | Examples of information you must enter.
< > | Nonprinting characters, such as passwords, appear in angle brackets.
[ ] | Default responses to system prompts appear in square brackets.
!, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Documentation Updates

Table 3 Updates to the Software Developer’s Guide for the Cisco Secure Access Control System 5.3

Date | Description
10/03/2011 | Cisco Secure Access Control System Release 5.3.

Related Documentation

Table 4 lists a set of related technical documentation available on Cisco.com. To find end-user documentation for all products on Cisco.com, go to:

http://www.cisco.com/go/techdocs

Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.

Table 4 Product Documentation

Document Title | Available Formats
Release Notes for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/prod_release_notes_list.html
User Guide for Cisco Secure Access Control System, 5.3 | http://www.cisco.com/en/US/products/ps9911/products_user_guide_list.html
Migration Guide for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html
CLI Reference Guide for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/prod_command_reference_list.html
Installation and Upgrade Guide for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/prod_installation_guides_list.html
Supported and Interoperable Devices and Softwares for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/products_device_support_tables_list.html
Regulatory Compliance and Safety Information for Cisco Identity Services Engine, Cisco 1121 Secure Access Control System, Cisco NAC Appliance, Cisco NAC Guest Server, and Cisco NAC Profiler | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/regulatory/compliance/csacsrcsi.html
License and Documentation Guide for the Cisco Secure Access Control System 5.3 | http://www.cisco.com/en/US/products/ps9911/products_documentation_roadmaps_list.html
Open Source and Third Party Licenses used in Cisco Secure Access Control System, 5.3 | http://www.cisco.com/en/US/products/ps9911/products_licensing_information_listing.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CHAPTER 1

Overview

The Cisco Secure Access Control System (ACS) is a policy-based access control system and an integration point for network access control and identity management.

ACS 5.3 provides web services and command-line interface (CLI) commands that allow software developers and system integrators to programmatically access some ACS features and functions. ACS 5.3 also enables you to access the Monitoring and Report Viewer database, which you can use to create custom applications to monitor and troubleshoot ACS.

You can use these web services and CLI commands to:

• Integrate external applications directly with ACS.

• View and modify the information stored in ACS.

The User Change Password (UCP) web service allows users, defined in the ACS internal database, to first authenticate and then change their own password. ACS exposes the UCP web service to allow you to create custom web-based applications that you can deploy in your enterprise.

The Monitoring and Report Viewer web services allow you to create custom applications to track and troubleshoot events in ACS.

The ACS REST web services allow you to manage entities such as users and user groups in your own management applications and to use the ACS programmatic interface (PI) to transfer these entities into ACS. This lets you define these entities and use them both on your own systems and in ACS.

The scripting interface in ACS allows you to perform create, read, update, and delete (CRUD) operations on ACS objects. You can create an automated shell script to perform bulk operations.

ACS allows you to export data from the Monitoring and Report Viewer database. You can use this data to create custom reporting applications. Appendix A, “Monitoring and Report Viewer Database Schema” in this document contains the Monitoring and Report Viewer database schema to help you create your custom application.

ACS 5.3 provides:

• UCP web service to perform the following operations:

– Authenticate User

– Change User Password

• Monitoring and Report Viewer web services that provide:

– Monitoring and Report Viewer version

– Monitoring and Report Viewer web services version

– Authentication status of a user by date

– Authentication status of a user by time


– A list of records that give the reasons for failures

– A list of RADIUS accounting records

• Configuration web services to perform the following operations:

– Create, read, update and delete objects, including creating and removing any associations to the objects

– Get a list of objects of the same type (For example, a list of all Users)

– Retrieve associated objects, including filtering capabilities

– Execute queries

• CLI commands to perform bulk operations on ACS objects for the following functions:

– Import

– Export

You can perform bulk operations on the following ACS objects—users, hosts, network devices, identity groups, network device groups (NDGs), downloadable access control lists (DACLs), and command sets.

Before you begin to use the ACS web services and CLI commands in scripts, you must have a working knowledge of:

• Web Services Description Language (WSDL) File

• Web Application Description Language (WADL) File

• Web Services Tools

This chapter contains the following sections:

• Understanding Web Services, page 1-2

• Understanding WSDL, page 1-3

• Understanding WADL, page 1-3

Understanding Web Services

Web services are a subset of web-based applications that use the XML protocol to exchange data between the client and the server. Web services use:

• Hypertext Transfer Protocol Secure (HTTPS)—Transports messages between client applications and the web service server.

• Simple Object Access Protocol (SOAP)—Encodes messages in a common XML format so that they can be understood at either end (web service consumer and web service server) of a network connection. SOAP standardizes the format of the requests to the web service server. Any client application can interface with the ACS web server using SOAP over HTTPS.

• WSDL file—Describes the web service, its location, and its operations. ACS 5.3 exposes the following WSDL files:

– UCP WSDL

– Monitoring and Report Viewer WSDL

• Representational State Transfer (REST)—REST is a software architecture style for distributed systems. ACS Configuration web services are built using the REST architecture. This service provides a uniform set of operations for all resources.

RESTful web services typically map the four main HTTP methods (POST, GET, PUT, and DELETE) to the common operations create, retrieve, update, and delete, respectively.

• WADL file—Describes the REST interface. This includes description of objects and methods for the REST interface.

Understanding WSDL

The Web Services Definition Language (WSDL) is an XML format that describes network services as a collection of ports that operate on messages. WSDL is extensible to allow the description of endpoints and their messages, regardless of the message formats or network protocols that you use.

For more information on WSDL documentation and software downloads, refer to the World Wide Web Consortium website.

Note You can use any third-party applications to transform your WSDL file.

Understanding WADL

The Web Application Description Language (WADL) file describes the REST interface schema (object structure), the HTTP methods, and the URLs that are available for invoking REST requests on each object.

The WADL files are designed to provide a machine-processable description of HTTP-based web applications. They are supplemented with XML schema for XML-based data formats. ACS also provides XSD files that describe the object structure. You can generate object classes from the XSD files using third-party tools.

CHAPTER 2

Using the UCP Web Service

This chapter describes the environment that you must set up to use the User Change Password (UCP) web service and explains how you can use it.

The UCP web service allows you to authenticate an internal user and change the internal user password. You can use this web service interface to integrate ACS with your in-house portals and allow users in your organization to change their own passwords.

The UCP web service allows only the users in your organization to change their passwords. They can do so on the primary or secondary ACS servers.

The UCP web service compares the new password that you provide with the password policy that is configured in ACS for users. If the new password conforms to the defined criteria, your new password takes effect. After your password is changed on the primary ACS server, ACS replicates it to all the secondary ACS servers.

The Monitoring and Report Viewer provides a User_Change_Password_Audit report that is available under the ACS Instance catalog. You can generate this report to track all changes made to user passwords in the internal database, including the changes made through the UCP web service. You can use this report to monitor usage and failed authentications.

Enabling the Web Interface on ACS CLI

You must enable the web interface on ACS before you can use the UCP web service. To enable the web interface on ACS, from the ACS CLI, enter:

acs config-web-interface ucp enable

For more information on the acs config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1887278.

Viewing the Status of the Web Interface from ACS CLI

To view the status of the web interface, from the ACS CLI, enter:

show acs-config-web-interface

For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1890877.

The following sections describe how to use the UCP web service:

• Understanding the Methods in the UCP Web Service, page 2-2

• Using the WSDL File, page 2-4

• Working with the UCP Web Service, page 2-7

Understanding the Methods in the UCP Web Service

The UCP web service comprises the following methods:

• User Authentication, page 2-2

• User Change Password, page 2-3

User Authentication

The User Authentication method authenticates a user against an internal database.

Input Parameters

• Username

• Password

Purpose

Use the authenticateUser method for applications that require a two-step procedure to change a user password. For example, an ACS user interface application that prompts the user to change the password does so in two steps:

1. It authenticates the user

2. It changes the user password.

To change a password:

Step 1 Connect to the UCP web application

A login page appears.

Step 2 Enter the username and password.

The authenticateUser web service function is invoked. If your credentials match the data in the ACS internal store, your authentication succeeds.

Note This method does not perform any change and does not authorize you to perform any task. You use this method only to verify if the password is correct. However, after a successful authentication, you can move to the change password page to use the User Change Password method.

Output Parameters

The response from the User Authentication method could be one of the following:

• Authentication Succeeded

• Authentication Failed

Exceptions

This method displays an error message if:

• The authentication fails due to incorrect username or password.

• The user is disabled.


• A web service connection error occurs, such as network disconnection or request timeout error.

• A system failure occurs, such as the database being down and unavailable.

User Change Password

The User Change Password method authenticates a user against an internal database and changes the user password.

Input Parameters

• Username

• Current password

• New password

Purpose

Use the changeUserPassword method for applications that require a single-step procedure to change the user password. Changing a user password is normally a two-step procedure. The first step is to authenticate the user and the second step is to change the user password.

The changeUserPassword method allows you to combine the two steps into one. A script or a single-page web application is an example of applications that require a single-step procedure to change the user password.

To change a password:

Step 1 Connect to the UCP web application

A login page appears.

Step 2 Enter the username and password.

The authenticateUser web service function is invoked.

If authentication succeeds, the web service compares the new password against the password policy that is configured in ACS.

If your new password meets the defined criteria, the changeUserPassword web service function is invoked to change your password.

Output Parameters

The response from the User Change Password method could be one of the following:

• Operation Succeeded

• Operation Failed

Exceptions

This method displays an error if:

• The authentication fails because of an incorrect username or password.

• The user is disabled.

• The password change operation fails because the password does not conform to the password complexity rules defined in ACS.


• A web service connection error occurs, such as network disconnection or request timeout error.

• A system failure occurs, such as the database being down and unavailable.

Using the WSDL File

This section describes the WSDL file and the request and response schemas for the User Authentication and User Change Password methods. This section contains:

• Downloading the WSDL File, page 2-4

• UCP WSDL File, page 2-4

• Request and Response Schemas, page 2-7

Downloading the WSDL File

To download the WSDL file from the ACS 5.3 web interface:

Step 1 Log into the ACS 5.3 web interface.

Step 2 Choose System Administration > Downloads > User Change Password.

Step 3 Click UCP WSDL to view the UCP WSDL file.

Step 4 Copy the WSDL file to your local hard drive.

Step 5 Click UCP web application example to download a sample web application and save it to your local hard drive.

UCP WSDL File

The WSDL file is an XML document that describes the web services and the operations that the web services expose. The UCP WSDL is given below:

<?xml version="1.0" encoding="UTF-8"?>
<!--**************************************************-->
<!-- Copyright (c) 2009 Cisco Systems, Inc.-->
<!-- All rights reserved.-->
<!--**************************************************-->
<definitions name="changepass"
    targetNamespace="http://www.cisco.com/changepass.service"
    xmlns:tns="http://www.cisco.com/changepass.service"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:MIME="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:DIME="http://schemas.xmlsoap.org/ws/2002/04/dime/wsdl/"
    xmlns:WSDL="http://schemas.xmlsoap.org/wsdl/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">

  <WSDL:documentation>Copyright (c) 2009 Cisco Systems, Inc.
    ACS5.1 WSDL Service Interface for change password
    This WSDL document defines the publication API calls for changing user password.</WSDL:documentation>

  <xsd:types>
    <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="http://www.cisco.com/changepass.service">

      <xsd:simpleType name="UserNameType">
        <xsd:restriction base="string">
          <xsd:minLength value="1" />
        </xsd:restriction>
      </xsd:simpleType>
      <xsd:element name="usernameType" type="tns:UserNameType" />

      <xsd:simpleType name="PasswordType">
        <xsd:restriction base="string">
          <xsd:minLength value="1" />
        </xsd:restriction>
      </xsd:simpleType>
      <xsd:element name="passwordType" type="tns:PasswordType" />

      <xsd:simpleType name="StatusCodeType">
        <xsd:restriction base="string">
          <xsd:enumeration value="success" />
          <xsd:enumeration value="failure" />
        </xsd:restriction>
      </xsd:simpleType>

      <xsd:element name="ResponseType">
        <xsd:complexType>
          <xsd:attribute name="status" type="tns:StatusCodeType" use="required" />
          <xsd:sequence>
            <xsd:element name="errorMessage" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </xsd:types>

  <message name="AuthUserRequest">
    <part name="user_name" element="tns:usernameType" />
    <part name="password" element="tns:passwordType" />
  </message>
  <message name="AuthUserResponse">
    <part name="authUserResponse" element="tns:ResponseType" />
  </message>
  <message name="ChangeUserPassRequest">
    <part name="user_name" element="tns:usernameType" />
    <part name="old_password" element="tns:passwordType" />
    <part name="new_password" element="tns:passwordType" />
  </message>
  <message name="ChangeUserPassResponse">
    <part name="changeUserPassResponse" element="tns:ResponseType" />
  </message>

  <WSDL:portType name="ChangePassword">
    <operation name="authenticateUser">
      <input message="tns:AuthUserRequest" name="authUserRequest" />
      <output message="tns:AuthUserResponse" name="authUserResponse" />
    </operation>
    <operation name="changeUserPass">
      <input message="tns:ChangeUserPassRequest" name="changeUserPassRequest" />
      <output message="tns:ChangeUserPassResponse" name="changeUserPassResponse" />
    </operation>
  </WSDL:portType>

  <WSDL:binding name="changePassSoapBinding" type="tns:ChangePassword">
    <SOAP:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
    <!--This is the SOAP binding for the Change Password publish operations.-->
    <WSDL:operation name="authenticateUser">
      <SOAP:operation soapAction="" />
      <input><SOAP:body use="literal" /></input>
      <output><SOAP:body use="literal" /></output>
    </WSDL:operation>
    <WSDL:operation name="changeUserPass">
      <SOAP:operation soapAction="" />
      <input><SOAP:body use="literal" /></input>
      <output><SOAP:body use="literal" /></output>
    </WSDL:operation>
  </WSDL:binding>

  <WSDL:service name="changepassword">
    <documentation>ACS5.1 Programmatic Interface Service Definitions</documentation>
    <port name="changepassword" binding="tns:changePassSoapBinding">
      <SOAP:address location="https://localhost:8080/PI/services/changepass/" />
    </port>
  </WSDL:service>

</definitions>

Request and Response Schemas

This section lists the request and response schemas of the User Authentication and User Change Password methods. This section contains the following schemas:

• User Authentication Request, page 2-7

• User Authentication Response, page 2-7

• User Change Password Request, page 2-7

• User Change Password Response, page 2-7

User Authentication Request

<message name="AuthUserRequest"><part name="user_name" element="changepass:usernameType" /><part name="password" element="changepass:passwordType" /></message>

User Authentication Response

<message name="AuthUserResponse">
  <part name="authUserResponse" element="changepass:ResponseType" />
</message>

User Change Password Request

<message name="ChangeUserPassRequest">
  <part name="user_name" element="changepass:usernameType" />
  <part name="current_password" element="changepass:passwordType" />
  <part name="new_password" element="changepass:passwordType" />
</message>

User Change Password Response

<message name="ChangeUserPassResponse">
  <part name="changeUserPassResponse" element="changepass:ResponseType" />
</message>

Working with the UCP Web Service

You can create custom web-based applications to enable users to change their own password for your enterprise. This section describes how you can run a sample application that is developed using Python and provides the sample client code.

The ACS web interface provides a downloadable package that consists of:

• Python SOAP libraries for Linux and Windows

• Python script

• ReadMe—Contains installation instructions


To download this package:

Step 1 Log into the ACS 5.3 web interface.

Step 2 Choose System Administration > Downloads > Scripts.

The Sample Python Scripts page appears.

Step 3 Click Python Script for Using the User Change Password Web Service.

Step 4 Save the .zip file to your local hard disk.

Sample Client Code shows the contents of the sample .zip file. This file contains a .war file, which you must deploy in a web server such as Tomcat. The example allows your application to communicate with ACS through the UCP web service.

Note The Cisco Technical Assistance Center (TAC) supports only the default Python Script. TAC does not offer any support for modified scripts.

Sample Client Code

from SOAPpy import SOAPProxy

# Get the ACS host / IP
host = raw_input('Please enter ACS host name or IP address:\n')
targetUrl = 'https://' + host + '/PI/services/UCP/'

server = SOAPProxy(targetUrl, 'UCP')

# Get the username
username = raw_input('Please enter user name:\n')

# Get the old password (raw_input echoes what is typed; getpass.getpass() would not)
oldPassword = raw_input('Please enter old password:\n')

# Get the new password
newPassword = raw_input('Please enter new password:\n')

# Call changeUserPass with the given input
ans = server.changeUserPass(username, oldPassword, newPassword)

# Password change failed
if ans.status == 'failure':
    print '\nFailure:'
    # Print all failure reasons
    for err in ans.errors:
        print err
else:
    # Password was changed successfully
    print 'Success'

Note You must have Python software to run this script.


Chapter 3

Using the Monitoring and Report Viewer Web Services

This chapter describes the environment that you must set up to use the web services provided by the Monitoring and Report Viewer component of ACS 5.3. Hereafter this is referred to as Viewer web services. You can use these web services to create custom applications for tracking and troubleshooting ACS events.

The Viewer web services comprise the following methods:

• getVersion()—Returns the version of the Monitoring and Report Viewer server.

• getAuthenticationStatusByDate()—Returns the authentication status of a user by date.

• getAuthenticationStatusByTimeUnit()—Returns the authentication status of a user by time.

• getFailureReasons()—Returns a list of reasons for failure.

• getRadiusAccounting()—Returns a list of RADIUS accounting records.

• getAPIVersion()—Returns the version of the Viewer web services.

Enabling the Web Interface on ACS CLI

You must enable the web interface on ACS before you can use the Viewer web services. To enable the web interface on ACS, from the ACS CLI, enter:

acs config web-interface view enable

For more information on the acs config web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1887278.

Viewing the Status of the Web Interface from ACS CLI

To view the status of the web interface, from the ACS CLI, enter:

show acs-config-web-interface

For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1890877.

The following sections describe how to use the Monitoring and Report Viewer web services:

• Understanding the Methods in the Viewer Web Services, page 3-2

• Understanding the WSDL Files, page 3-5

• Integrating the Viewer Web Services with Your Application, page 3-9

• Working with the Viewer Web Services, page 3-10


Understanding the Methods in the Viewer Web Services

This section describes the methods that are available in the Viewer web services:

• Get Version, page 3-2

• Get Authentication Status By Date, page 3-3

• Get Authentication Status By Time Unit, page 3-3

• Get Failure Reasons, page 3-4

• Get RADIUS Accounting, page 3-4

• Get API Version, page 3-5

Table 3-1 describes the classes that are used in the Viewer web services.

Note The Monitoring and Report Viewer places all web service classes in the com.cisco.acsview.nbapi package.

Table 3-1 Viewer Web Services Class Information

Class                 Description

ACSViewWebServices    Contains all web services that a client views in the client applications.

UserContext           Contains the ACS username and the user password, which the Monitoring and Report Viewer server uses to authenticate the user.

AuthenticationParam   Encapsulates the authentication query parameters, based on which records are queried and returned to you.

AuthenticationStatus  Contains the Authentication Status record that is the query output received from ACS.

AccountingParam       Encapsulates the accounting query parameters, based on which records are queried and returned to you.

AccountingStatus      Contains the Accounting Status record that is the query output received from ACS.

AccountingDetail      Contains a list of attribute values that comprise the query output received from ACS.

ACSViewNBException    Contains the errors that the Monitoring and Report Viewer displays for any issues with the web services.

Get Version

Input Parameter

userCtx—(Required) User context object

Purpose

Use the getVersion method to view the version of the Monitoring and Report Viewer that is installed on your ACS server. You can enter this command in the CLI to call this web service to view the Monitoring and Report Viewer version.


Output Parameters

Version of the Monitoring and Report Viewer server.

Exception

This method displays an error if:

• The user is invalid

• The input is invalid

• The ACS instance is not running as the Monitoring and Report Viewer server

Get Authentication Status By Date

Input Parameters

• userCtx—(Required) User context object

• authParam—(Required) AuthenticationParam object

• startDate—(Required) The date from which you want the authentication status

• endDate—(Required) The date until which you want the authentication status

Purpose

Use the getAuthenticationStatusByDate method to view a user’s authentication status, arranged chronologically by date, for a specific period.

Output Parameter

Authentication status of the user, arranged chronologically by date, for the specified period.

Exception

This method displays an error if the:

• User context value is entered but passed as null

• Username and password are entered but passed as null

• Date value is entered but passed as null

Get Authentication Status By Time Unit

Input Parameters

• userCtx—(Required) User context object

• authParam—(Required) AuthenticationParam object

• lastX—(Required) The time until which you need the authentication status

• timeUnit—(Required) Time unit, specified in minutes, hours, or days

Purpose

Use the getAuthenticationStatusByTimeUnit method to view a user’s authentication status, arranged chronologically by time, for a specific period.


Output Parameter

A list of the user’s authentication status, arranged chronologically by time, for a specific period.

Exception

This method displays an error if the:

• User context value is entered but passed as null

• Username and password are entered but passed as null

• Date value is entered but passed as null

Get Failure Reasons

Input Parameter

userCtx—(Required) User context object

Purpose

Use the getFailureReasons method to obtain a list of records that contain failure reasons.

Output Parameters

List of records that contain failure reasons.

Exception

This method displays an error if the user credentials are invalid.

Get RADIUS Accounting

Input Parameters

• userCtx—(Required) User context object

• acctParam—(Required) Accounting search parameters; valid values for matchOperator are valueLIKE, valueEQ, valueNE, valueGE, valueLE, valueGT, valueLT, attrEQ, valueIN, valueINNOT. The equation takes any one of the following forms:

– AttributeName, MatchArgument, MatchOp=[ valueLIKE | valueEQ | valueNE | valueGE | valueLE | valueGT | valueLT | attrEQ]

– AttributeName, MultipleValueMatchArgument, MatchOp=[ valueIN | valueINNOT ]

Attribute Name—As defined by standard RADIUS/Cisco A-V pair names. Attribute names are not case sensitive. However, the values are case sensitive.

valueLIKE—Looks for wildcard match (%). For example, %foo%.

valueEQ—Looks for an exact match.

valueNE—Performs a value not equal to comparison.

valueGE—Performs greater than or equal to comparison.

valueLE—Performs lesser than or equal to comparison.

valueGT—Performs a greater than comparison.

valueLT—Performs a lesser than comparison.


attrEQ—Compares a given attribute with another attribute; returns true or false.

valueIN—Multiple values are allowed for matchOperator valueIN.

valueINNOT—Multiple values are not allowed for matchOperator valueINNOT.

• returnAttributes—(Required) List of return attributes requested.

• startDate—(Required) Date from which you want the RADIUS accounting records.

• endDate—(Required) Date until which you want the RADIUS accounting records.

Purpose

Use the getRADIUSAccounting method to obtain a list of RADIUS accounting records.

Output Parameters

List of RADIUS accounting records.

Exception

This method displays an error if:

• User credentials are invalid

• The acctParam parameter contains invalid values for matchOperator

• The acctParam parameter contains invalid value for matchValues

• A database select error occurs

Get API Version

Input Parameter

userCtx—(Required) User context object

Purpose

Use the getAPIVersion method to obtain the version of the Viewer web services.

Output Parameter

Version of the Viewer web services.

Exception

This method displays an error if an authentication failure occurs.

Understanding the WSDL Files

This section describes the WSDL files, the location from which you can download them, the class files, and the queries that you can use in the Viewer web services. This section contains the following:

• Downloading the WSDL Files, page 3-6

• Viewer WSDL Files, page 3-6

• Integrating the Viewer Web Services with Your Application, page 3-9


Downloading the WSDL Files

You can download the WSDL files from the following location:

https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl, where ip address or hostname is the IP address or hostname of your ACS server.

Viewer WSDL Files

WSDL is an XML document that describes a web service, the location of the service, and operations that the service exposes:

<definitions name="ACSViewWebServicesService"
    targetNamespace="http://nbapi.acsview.cisco.com/jaws"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://nbapi.acsview.cisco.com/jaws"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types>
    <schema elementFormDefault="qualified"
        targetNamespace="http://nbapi.acsview.cisco.com/jaws"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:soap11-enc="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:tns="http://nbapi.acsview.cisco.com/jaws"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <complexType name="getFailureReasons">
        <sequence>
          <element name="userCtx" nillable="true" type="tns:UserContext"/>
        </sequence>
      </complexType>
      <complexType name="getAuthenticationStatusByDate">
        <sequence>
          <element name="userCtx" nillable="true" type="tns:UserContext"/>
          <element name="authParam" nillable="true" type="tns:AuthenticationParam"/>
          <element name="startDate" nillable="true" type="dateTime"/>
          <element name="endDate" nillable="true" type="dateTime"/>
        </sequence>
      </complexType>
      <complexType name="getAuthenticationStatusByDateResponse">
        <sequence>
          <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:AuthenticationStatus"/>
        </sequence>
      </complexType>
      <complexType name="getAuthenticationStatusByTimeUnit">
        <sequence>
          <element name="userCtx" nillable="true" type="tns:UserContext"/>
          <element name="authParam1" nillable="true" type="tns:AuthenticationParam"/>
          <element name="lastX" type="int"/>
          <element name="timeUnit" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <complexType name="getVersion">
        <sequence>
          <element name="userCtx" nillable="true" type="tns:UserContext"/>
        </sequence>
      </complexType>
      <complexType name="ACSViewNBException">
        <sequence>
          <element name="message" nillable="true" type="string"/>
        </sequence>


      </complexType>
      <complexType name="FailureReason">
        <sequence>
          <element name="authenFailureCode" nillable="true" type="string"/>
          <element name="possibleRootCause" nillable="true" type="string"/>
          <element name="resolution" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <complexType name="AuthenticationParam">
        <sequence>
          <element name="AAAClient" nillable="true" type="string"/>
          <element name="clientIPAddress" nillable="true" type="string"/>
          <element name="clientMACAddress" nillable="true" type="string"/>
          <element name="userName" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <complexType name="AuthenticationStatus">
        <sequence>
          <element name="authStatus" nillable="true" type="string"/>
          <element name="date" nillable="true" type="dateTime"/>
          <element name="errorCode" nillable="true" type="string"/>
          <element maxOccurs="unbounded" minOccurs="0" name="moreDetails" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <complexType name="getAuthenticationStatusByTimeUnitResponse">
        <sequence>
          <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:AuthenticationStatus"/>
        </sequence>
      </complexType>
      <complexType name="getVersionResponse">
        <sequence>
          <element name="result" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <complexType name="getFailureReasonsResponse">
        <sequence>
          <element maxOccurs="unbounded" minOccurs="0" name="result" nillable="true" type="tns:FailureReason"/>
        </sequence>
      </complexType>
      <complexType name="UserContext">
        <sequence>
          <element name="password" nillable="true" type="string"/>
          <element name="userName" nillable="true" type="string"/>
        </sequence>
      </complexType>
      <element name="getAuthenticationStatusByDate" type="tns:getAuthenticationStatusByDate"/>
      <element name="getAuthenticationStatusByDateResponse" type="tns:getAuthenticationStatusByDateResponse"/>
      <element name="getAuthenticationStatusByTimeUnit" type="tns:getAuthenticationStatusByTimeUnit"/>
      <element name="getAuthenticationStatusByTimeUnitResponse" type="tns:getAuthenticationStatusByTimeUnitResponse"/>
      <element name="getVersion" type="tns:getVersion"/>
      <element name="ACSViewNBException" type="tns:ACSViewNBException"/>
      <element name="getVersionResponse" type="tns:getVersionResponse"/>
      <element name="getFailureReasons" type="tns:getFailureReasons"/>
      <element name="getFailureReasonsResponse" type="tns:getFailureReasonsResponse"/>
    </schema>
  </types>
  <message name="ACSViewNBException">


    <part element="tns:ACSViewNBException" name="ACSViewNBException"/>
  </message>
  <message name="ACSViewWebServices_getAuthenticationStatusByDate">
    <part element="tns:getAuthenticationStatusByDate" name="parameters"/>
  </message>
  <message name="ACSViewWebServices_getAuthenticationStatusByTimeUnitResponse">
    <part element="tns:getAuthenticationStatusByTimeUnitResponse" name="result"/>
  </message>
  <message name="ACSViewWebServices_getAuthenticationStatusByDateResponse">
    <part element="tns:getAuthenticationStatusByDateResponse" name="result"/>
  </message>
  <message name="ACSViewWebServices_getVersionResponse">
    <part element="tns:getVersionResponse" name="result"/>
  </message>
  <message name="ACSViewWebServices_getAuthenticationStatusByTimeUnit">
    <part element="tns:getAuthenticationStatusByTimeUnit" name="parameters"/>
  </message>
  <message name="ACSViewWebServices_getVersion">
    <part element="tns:getVersion" name="parameters"/>
  </message>
  <message name="ACSViewWebServices_getFailureReasons">
    <part element="tns:getFailureReasons" name="parameters"/>
  </message>
  <message name="ACSViewWebServices_getFailureReasonsResponse">
    <part element="tns:getFailureReasonsResponse" name="result"/>
  </message>
  <portType name="ACSViewWebServices">
    <operation name="getAuthenticationStatusByDate">
      <input message="tns:ACSViewWebServices_getAuthenticationStatusByDate"/>
      <output message="tns:ACSViewWebServices_getAuthenticationStatusByDateResponse"/>
      <fault message="tns:ACSViewNBException" name="ACSViewNBException"/>
    </operation>
    <operation name="getAuthenticationStatusByTimeUnit">
      <input message="tns:ACSViewWebServices_getAuthenticationStatusByTimeUnit"/>
      <output message="tns:ACSViewWebServices_getAuthenticationStatusByTimeUnitResponse"/>
      <fault message="tns:ACSViewNBException" name="ACSViewNBException"/>
    </operation>
    <operation name="getVersion">
      <input message="tns:ACSViewWebServices_getVersion"/>
      <output message="tns:ACSViewWebServices_getVersionResponse"/>
      <fault message="tns:ACSViewNBException" name="ACSViewNBException"/>
    </operation>
    <operation name="getFailureReasons">
      <input message="tns:ACSViewWebServices_getFailureReasons"/>
      <output message="tns:ACSViewWebServices_getFailureReasonsResponse"/>
      <fault message="tns:ACSViewNBException" name="ACSViewNBException"/>
    </operation>
  </portType>
  <binding name="ACSViewWebServicesBinding" type="tns:ACSViewWebServices">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getAuthenticationStatusByDate">
      <soap:operation soapAction=""/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
      <fault name="ACSViewNBException">
        <soap:fault name="ACSViewNBException" use="literal"/>
      </fault>
    </operation>
    <operation name="getAuthenticationStatusByTimeUnit">
      <soap:operation soapAction=""/>


      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
      <fault name="ACSViewNBException">
        <soap:fault name="ACSViewNBException" use="literal"/>
      </fault>
    </operation>
    <operation name="getVersion">
      <soap:operation soapAction=""/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
      <fault name="ACSViewNBException">
        <soap:fault name="ACSViewNBException" use="literal"/>
      </fault>
    </operation>
    <operation name="getFailureReasons">
      <soap:operation soapAction=""/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
      <fault name="ACSViewNBException">
        <soap:fault name="ACSViewNBException" use="literal"/>
      </fault>
    </operation>
  </binding>
  <service name="ACSViewWebServicesService">
    <port binding="tns:ACSViewWebServicesBinding" name="ACSViewWebServices">
      <soap:address location="http://localhost:8080/ACSViewWebServices/ACSViewWebServices"/>
    </port>
  </service>
</definitions>

Integrating the Viewer Web Services with Your Application

This section explains how to integrate the Viewer web services with your application.

To integrate your code with a Viewer web service and to ensure that you get a response after you invoke the web service:

Step 1 Obtain the certificate from the server to create the client certificate:

a. Verify the deployed web services from:

https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl

For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.

b. Click View Certificate and go to the Details tab.

c. Click Copy to File.


d. In the welcome window, click Next.

e. In the Export File Format window, select DER encoded binary X.509(.CER), then click Next.

f. In the File to Export window, enter the filename and click Next.

g. In the Completing the Certificate Export Wizard window, click Finish.

A copy of the certificate is saved in your local system as server.cer.

h. Import the server certificate and store it as client.ks (the Client Certificate) using the following command:

keytool -import -file server.cer -keystore client.ks

Step 2 Verify the deployed Viewer web services from:

https://IPaddress(or)HostName/ACSViewWebServices/ACSViewWebServices?wsdl

For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.

Step 3 View the source and copy the WSDL file to your local system using:

<soap:address location="https://acsview-cars1:443/ACSViewWebServices/ACSViewWebServices"/>

For more information on the WSDL files, see Understanding the WSDL Files, page 3-5.

Step 4 Download the JAX-WS 2.0 libraries from the Sun Microsystems website.

Step 5 To view the information related to your artifacts, enter the wsimport -keep command at: https://IPAddress:443/ACSViewWebServ/ACSViewWebServices?wsdl

Include all the libraries in your location.

Step 6 Write the client code.

Step 7 Compile and run the client code.
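Step 1 exports the ACS server certificate but the procedure does not show a client that actually pins its trust to it. The following is an added Python 3 example, not code from this guide or from Cisco, that does so for the getVersion operation (the same call a Java client written in Step 6, or by the "Connecting to the Viewer Web Services" procedure later in this chapter, makes first): it builds the document/literal request from the WSDL shown above, verifies the ACS server only against the exported certificate (server.cer converted from DER to a PEM file whose path you supply), and turns the declared ACSViewNBException fault into a Python exception. The host, credentials, PEM path and the two sample responses are constructed placeholders.

```python
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces from the Viewer WSDL: the SOAP 1.1 envelope and the service's targetNamespace.
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_API = "http://nbapi.acsview.cisco.com/jaws"
ET.register_namespace("soapenv", NS_SOAP)
ET.register_namespace("jaws", NS_API)


class ACSViewNBException(Exception):
    """The fault every Viewer operation declares in the WSDL, surfaced as an exception."""


def build_get_version(user_name, password):
    """Build the document/literal getVersion request.

    Child order follows the WSDL's UserContext sequence: password, then userName.
    """
    envelope = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(envelope, f"{{{NS_SOAP}}}Body")
    operation = ET.SubElement(body, f"{{{NS_API}}}getVersion")
    user_ctx = ET.SubElement(operation, f"{{{NS_API}}}userCtx")
    ET.SubElement(user_ctx, f"{{{NS_API}}}password").text = password
    ET.SubElement(user_ctx, f"{{{NS_API}}}userName").text = user_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_get_version_response(raw_xml):
    """Return the text of getVersionResponse/result, or raise on a SOAP Fault."""
    body = ET.fromstring(raw_xml).find(f"{{{NS_SOAP}}}Body")
    if body is None:
        raise ValueError("response has no SOAP Body")
    fault = body.find(f"{{{NS_SOAP}}}Fault")
    if fault is not None:
        # With use="literal" the fault detail carries the ACSViewNBException element,
        # whose only child is <message> (see the schema in the WSDL above).
        message = fault.find(f"detail/{{{NS_API}}}ACSViewNBException/{{{NS_API}}}message")
        text = message.text if message is not None else fault.findtext("faultstring")
        raise ACSViewNBException(text or "unspecified ACSViewNBException")
    result = body.find(f"{{{NS_API}}}getVersionResponse/{{{NS_API}}}result")
    if result is None:
        raise ValueError("response has neither getVersionResponse/result nor a Fault")
    return result.text or ""


def make_tls_context(ca_pem_path):
    """Trust only the certificate exported from ACS in Step 1.

    server.cer is DER-encoded; convert it once with
        openssl x509 -inform DER -in server.cer -out server.pem
    Chain validation and host-name checking both stay enabled.
    """
    context = ssl.create_default_context(cafile=ca_pem_path)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    return context


def get_version(host, user_name, password, ca_pem_path):
    """POST the getVersion request to the service path from the WSDL and return the version."""
    url = f"https://{host}/ACSViewWebServices/ACSViewWebServices"
    request = urllib.request.Request(
        url,
        data=build_get_version(user_name, password),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, context=make_tls_context(ca_pem_path)) as response:
            raw = response.read()
    except urllib.error.HTTPError as err:
        raw = err.read()  # SOAP 1.1 faults normally arrive as HTTP 500 with a Fault body
    return parse_get_version_response(raw)


# Constructed sample responses (not captured from a real ACS) to exercise the parser offline.
SAMPLE_VERSION_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getVersionResponse xmlns:ns="http://nbapi.acsview.cisco.com/jaws">
      <ns:result>5.3</ns:result>
    </ns:getVersionResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server</faultcode>
      <faultstring>Invalid user credentials</faultstring>
      <detail>
        <ns:ACSViewNBException xmlns:ns="http://nbapi.acsview.cisco.com/jaws">
          <ns:message>Invalid user credentials</ns:message>
        </ns:ACSViewNBException>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(parse_get_version_response(SAMPLE_VERSION_RESPONSE))
    # Live call against a real server (placeholders):
    # print(get_version("acs.example.net", "acsadmin", "<password>", "server.pem"))
```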

Working with the Viewer Web Services

This section provides sample client code in Java. The requirements that this section describes apply only if you use Java as the client-side conversion tool. This section contains:

• Required Files, page 3-10

• Supported SOAP Clients, page 3-11

• Sample Client Code, page 3-12

Required Files

To use Java (JAX-WS) 2.0 as the client-side conversion tool, you need the following JAR files. You can download the .jar files and the related tools from the Sun Microsystems website:

• activation.jar

• FastInfoset.jar

• http.jar

• jaxb-api.jar


• jaxb-impl.jar

• jaxb-xjc.jar

• jaxws-api.jar

• jaxws-rt.jar

• jaxws-tools.jar

• jsr173_api.jar

• jsr181-api.jar

• jsr250-api.jar

• resolver.jar

• saaj-api.jar

• saaj-impl.jar

• sjsxp.jar

Supported SOAP Clients

The supported SOAP clients include:

• Apache

• JAX-WS

Connecting to the Viewer Web Services

To connect to the Viewer Web Services:

Step 1 Verify the deployed Viewer Web Services from:

https://ip address or hostname/ACSViewWebServices/ACSViewWebServices?wsdl

For more information on the web services, see Understanding the Methods in the Viewer Web Services, page 3-2.

Step 2 Right click and select View Source/View Page Source option to view the source information.

The source information appears in a pop-up dialog box.

Step 3 Save the source information as ACSViewWebServices.wsdl in your local directory, <SERVICE_HOME>.

Step 4 Execute the following command to create the class files:

wsimport <SERVICE_HOME>/ACSViewWebServices.wsdl -d <SERVICE_HOME>


Step 5 Copy the “Sample Client Code” section on page 3-12, save it as Client.java in <SERVICE_HOME>, and compile it with the following command:

javac -cp <SERVICE_HOME> <SERVICE_HOME>/Client.java -d <SERVICE_HOME>

This compiles the client code and places the package in the <SERVICE_HOME> directory.

Step 6 To run the client code, execute the following command:

java -cp <SERVICE_HOME> com.cisco.acsview.nbapi.jaws.Client

Note The steps above were carried out with Java 1.6.0_25. JAVA_HOME is the Java installation directory, and <JAVA_HOME>/bin must be added to the "path" environment variable.

Sample Client Code

This section provides sample client code for the Viewer web services.

package com.cisco.acsview.nbapi.jaws;

import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.ArrayList;
import java.util.List;
import java.util.Iterator;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.datatype.DatatypeFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class Client {

    private static void install() throws Exception {
        // Create a trust manager that does not validate certificate chains.
        // This accepts any server certificate, so the client cannot tell a spoofed
        // server from the real ACS; the client.ks keystore built in Step 1 is not used here.
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }

                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                    // Trust always
                }

                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                    // Trust always
                }
            }
        };

        // Install the all-trusting trust manager
        SSLContext sc = SSLContext.getInstance("SSL");
        // Create an empty HostnameVerifier that accepts every host name
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        };
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
    }

    public static void install1() throws Exception {
        // Bypass hostname verification only; the certificate chain is still validated.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        });
    }

    public static void main(String args[]) {
        try {
            install();
            ACSViewWebServicesService serviceObj = new ACSViewWebServicesService();
            ACSViewWebServices service = serviceObj.getACSViewWebServices();
            UserContext userCtx = new UserContext();
            userCtx.setUserName("acsadmin");
            userCtx.setPassword("Acs5.1");
            getVersion(service, userCtx);
            getAPIVersion(service, userCtx);
            getAuthBydate(service, userCtx);
            getAuthByTime(service, userCtx);
            getRadiusAccounting(service, userCtx);
            getFailureReasons(service, userCtx);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /**
     * getVersion provides the application version
     */
    public static void getVersion(ACSViewWebServices service, UserContext userCtx) {
        try {
            String result = service.getVersion(userCtx);
            System.out.println("-------------------------*** Application Version ***-------------------------" + "\n");
            System.out.println("Application Version : " + result);
            System.out.println("-----------------------------------------------------------------------------" + "\n");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * getAuthByDate provides the data of the authentication success/failure between
     * the specified date range
     */
    private static void getAuthBydate(ACSViewWebServices service, UserContext userCtx) {
        try {
            System.out.println("-------------------------*** Authentication Status by Date Starts ***-------------------------" + "\n");
            AuthenticationParam authParam = new AuthenticationParam();
            /*
             * The following attributes are optional.
             * If the parameters are not set, the method returns all the authentication
             * successes/failures between the specified date range.
             * The data is filtered based on the attributes set that fall within the
             * specified date range.
             * The attributes set are exactly matched for filtering, i.e., only the data
             * that matches the attributes below and lies within the specified date range
             * is retrieved.
             */
            authParam.setAAAClient("MyClient");
            authParam.setClientIPAddress("10.77.241.203");
            authParam.setClientMACAddress("ABAC00019E05");
            authParam.setUserName("user1");
            /******* Optional Attributes End **************/
            DatatypeFactory datatypeFactory = DatatypeFactory.newInstance();
            GregorianCalendar gc1 = new GregorianCalendar(2011, Calendar.AUGUST, 4);
            XMLGregorianCalendar startDate = datatypeFactory.newXMLGregorianCalendar(gc1).normalize();
            GregorianCalendar gc2 = new GregorianCalendar(2011, Calendar.AUGUST, 6);
            XMLGregorianCalendar endDate = datatypeFactory.newXMLGregorianCalendar(gc2).normalize();
            java.util.List authStatusArray = service.getAuthenticationStatusByDate(userCtx, authParam, startDate, endDate);
            System.out.println("No of Records Retrieved : " + authStatusArray.size());
            for (int i = 0; i < authStatusArray.size(); i++) {
                System.out.println("*************** Authentication Status : " + (i + 1) + " ***************");
                AuthenticationStatus status = (AuthenticationStatus) authStatusArray.get(i);
                java.util.List sarray = status.getMoreDetails();
                System.out.println(sarray.get(0) + " :: " + sarray.get(1));
                // moreDetails holds name/value pairs; step by two so an odd-length list
                // cannot run past the end
                for (int j = 0; j + 1 < sarray.size(); j += 2) {
                    System.out.println(sarray.get(j) + " :: " + sarray.get(j + 1));
                }
                System.out.println("******************************************************************");
            }
            System.out.println("-------------------------*** Authentication Status by Date Ends ***-------------------------" + "\n");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /**
     * getAuthByTime provides the data of the authentication success/failure in the
     * specified time.
     * Time can be provided in Minutes, Hours or Days
     */
    private static void getAuthByTime(ACSViewWebServices service, UserContext userCtx) {
        try {
            System.out.println("-------------------------*** Authentication Status by Time Starts ***-------------------------" + "\n");
            AuthenticationParam authParam = new AuthenticationParam();
            /*
             * The following attributes are optional.
             * If the parameters are not set, the method returns all the authentication
             * successes/failures within the specified time span.
             * The data is filtered based on the attributes set that fall within the
             * specified time span.
             * The attributes set are exactly matched for filtering, i.e., only the data
             * that matches the attributes below and lies within the specified time span
             * is retrieved.
             */
            authParam.setAAAClient("MyClient");
            authParam.setClientIPAddress("10.77.241.203");
            authParam.setClientMACAddress("ABAC00019E05");
            authParam.setUserName("user1");
            /******* Optional Attributes End **************/
            // Last 20 hours; timeUnit may be Minutes, Hours or Days
            java.util.List authStatusArray = service.getAuthenticationStatusByTimeUnit(userCtx, authParam, 20, "Hours");
            System.out.println("No of Records Retrieved : " + authStatusArray.size());
            for (int i = 0; i < authStatusArray.size(); i++) {
                System.out.println("*************** Authentication Status : " + (i + 1) + " ***************");
                AuthenticationStatus status = (AuthenticationStatus) authStatusArray.get(i);
                java.util.List sarray = status.getMoreDetails();
                System.out.println(sarray.get(0) + " :: " + sarray.get(1));
                // moreDetails holds name/value pairs; step by two so an odd-length list
                // cannot run past the end
                for (int j = 0; j + 1 < sarray.size(); j += 2) {
                    System.out.println(sarray.get(j) + " :: " + sarray.get(j + 1));
                }
                System.out.println("******************************************************************");
            }
            System.out.println("-------------------------*** Authentication Status by Time Ends ***-------------------------" + "\n");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

/**
 * getAPIVersion provides the application API version.
 */
public static void getAPIVersion(ACSViewWebServices service, UserContext userCtx) {
    try {
        System.out.println("-------------------------*** API Version ***-------------------------" + "\n");
        String apiresult = service.getAPIVersion(userCtx);
        System.out.println("API Version : " + apiresult);
        System.out.println("-----------------------------------------------------------------------------" + "\n");
    } catch (Exception ex) {
        ex.printStackTrace();
    }
}

/**
 * getFailureReasons provides the failure code, possible root cause and resolution.
 */
public static void getFailureReasons(ACSViewWebServices service, UserContext userCtx) {
    try {
        // Get failure reasons - example
        System.out.println("-------------------------*** Failure Reasons Starts ***-------------------------" + "\n");
        List result1 = service.getFailureReasons(userCtx);
        System.out.println("Failure reasons list is : " + result1.size());
        for (int i = 0; i < result1.size(); i++) {
            FailureReason reason = (FailureReason) result1.get(i);
            System.out.println("Authentication Failure Code :" + reason.getAuthenFailureCode());
            System.out.println("Possible Root Cause :" + reason.getPossibleRootCause());
            System.out.println("Resolution :" + reason.getResolution());
        }
        System.out.println("-------------------------*** Failure Reasons Ends ***-------------------------" + "\n");
    } catch (Exception ex) {
        ex.printStackTrace();
    }
}

/**
 * getRadiusAccounting provides the accounting details between the specified date range.
 */
public static void getRadiusAccounting(ACSViewWebServices service, UserContext userCtx) {
    try {
        System.out.println("-------------------------*** Radius Accounting Starts ***-------------------------" + "\n");
        // Match records whose h323-disconnect-cause is NOT in the value list {"11"}.
        List acctParam = new ArrayList();
        AccountingParam acParam = new AccountingParam();
        List valList = acParam.getMatchValues();
        valList.add("11");
        acParam.setAttributeName("cisco-h323-disconnect-cause/h323-disconnect-cause");
        acParam.setMatchOperator("valueINNOT");
        acctParam.add(acParam);
        // Attributes to return for every matching accounting record.
        List returnAttributes = new ArrayList();
        returnAttributes.add("cisco-h323-disconnect-cause/h323-disconnect-cause");
        DatatypeFactory datatypeFactory = DatatypeFactory.newInstance();
        GregorianCalendar gc1 = new GregorianCalendar(2011, Calendar.AUGUST, 5);
        XMLGregorianCalendar startDate = datatypeFactory.newXMLGregorianCalendar(gc1).normalize();
        GregorianCalendar gc2 = new GregorianCalendar(2011, Calendar.AUGUST, 7);
        XMLGregorianCalendar endDate = datatypeFactory.newXMLGregorianCalendar(gc2).normalize();
        AccountingStatus acctStatus = service.getRadiusAccounting(userCtx, acctParam, startDate, endDate, returnAttributes);
        List attrNames = acctStatus.getAttrNames();
        for (int x = 0; x < attrNames.size(); x++) {
            System.out.println("Attribute Names : " + attrNames.get(x));
        }
        List acctDetailsList = (ArrayList) acctStatus.getAcctDetails();
        Iterator detailIterator = acctDetailsList.iterator();
        while (detailIterator.hasNext()) {
            AccountingDetail acctDetailObj = (AccountingDetail) detailIterator.next();
            List acctDetails = (List) acctDetailObj.getAttrValues();
            for (int i = 0; i < acctDetails.size(); i++) {
                System.out.println("Attribute Details : " + acctDetails.get(i));
            }
        }
        System.out.println("-------------------------*** Radius Accounting Ends ***-------------------------" + "\n");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
} // end of the sample client class

Chapter 4

Using the Configuration Web Services

This chapter describes the environment that you must set up to use the Configuration web service and explains how to use it.

The Configuration web services are implemented as REST interfaces over HTTPS. There is no HTTP support.

The configuration REST web services are available on all ACS servers in the deployment, but only the ACS primary instance provides the full service with read and write operations. Secondary ACS instances provide read-only access to the configuration data; a write request sent to a secondary is refused with HTTP 403.

The Monitoring and Report Viewer displays the messages and audit logs for all REST activities.

Enabling the REST Web Interface on ACS CLI

You must enable the web interface on ACS before you can use the REST web service. To enable the web interface on ACS, from the ACS CLI, enter:

acs config-web-interface rest enable

For more information on the acs config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1887278.

Viewing the Status of the REST Web Interface from ACS CLI

To view the status of the web interface, from the ACS CLI, enter:

show acs-config-web-interface

For more information on the show acs-config-web-interface command, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1890877.

An application that interacts with the ACS configuration REST service can authenticate with any administrator account. The authorization of that account must allow every activity the REST client performs, and should allow no more than that: a client that only reads configuration does not need an account that can change it.

Supported Configuration Objects

The REST API in ACS provides services for configuring ACS and is organized by configuration feature. In ACS 5.3, the following two subsets of the ACS configuration are supported:

• Common configuration objects

• Identity configuration objects

Table 4-1 lists the supported configuration objects.


This section contains:

• Identity Groups, page 4-2

• Attribute Info, page 4-3

• Group Associations, page 4-3

Identity Groups

The Identity Group object is used to manipulate nodes in the Identity Group hierarchy. The group name defines the full path of the node within the hierarchy. When you add a new node, be aware that the name of the node (which includes the full path) specifies where in the hierarchy the node is attached. For example:

• All Groups:CDO:PMBU

• All Groups:CDO

• All Groups:CDO:PMBU:ACS-Dev

Note You must create the upper level of the hierarchy (the parent node) before you create the leaf node. For example, to create the hierarchy All Groups:US:WDC, you must first create All Groups:US and then create the next level of the hierarchy.

To retrieve the children of a given group, set a query filter on the group name of the form STARTS_WITH "All Groups:CDO".

Table 4-1 Supported Configuration Objects

Feature: Common

• Attribute Info: Also known as dynamic attributes or AV pairs. Attribute Info is composed within Protocol User.

• ACS Version: Supports the get method only.

• Service Location: Supports the getall method only. It finds the ACS instance that serves as primary and the ACS instance that provides the Monitoring and Troubleshooting Viewer.

• Error Message: Supports the getall method only. It retrieves all ACS message codes and message texts that are used on the REST interface.

Feature: Identity

• Protocol User: Full CRUD (Create, Read, Update, and Delete) and query support.

• Identity Group: Full CRUD and query support. Query is used to retrieve the subgroups of a specific node. The list of users for each group is fetched by querying on the users.


Attribute Info

The AttributeInfo structure is an array of pairs of attribute names and attribute values.

The attribute name refers to the user dictionary, where the definition of the attribute, such as value type, can be found. The value of the attribute must conform with the dictionary definition.

The following is an example of JAVA representation for a user that has two attributes:

User user = new User();
user.setDescription(description);
user.setPassword(password);
user.setName(userName);
user.setAttributeInfo(new AttributeInfo[] {
    new AttributeInfo("Department", "Dev"),
    new AttributeInfo("Clock", "10 Nov 2008 12:12:34")
});

Group Associations

The REST interface schema shows the association of the user to the identity group as a group name property on the user object.

Here is an example of associating user to an identity group:

User user = new User();
user.setIdentityGroupName("IdentityGroup:All Groups:Foo");
user.setDescription(description);
user.setPassword(password);
user.setName(userName);

Query Object

The REST interface schema exposes a query object to define criteria and other query parameters. The query object is used for users and identity groups.

The query object includes parameters that apply to:

• Filtering, page 4-3

• Sorting, page 4-4

• Paging, page 4-5

Filtering

You can use the query object to retrieve a filtered result set. You can filter users or identity groups based on the following criteria:

• Simple condition— Includes property name, operation, and value. For example, name STARTS_WITH "A".

The following operations are supported for filtering:

• CONTAINS

• DOES_NOT_CONTAIN

• ENDS_WITH


• EQUALS

• NOT_EMPTY

• NOT_EQUALS

• STARTS_WITH

• And condition— Includes a set of simple conditions. All simple conditions must evaluate to true for the And condition to match.

Here is the XML based example for the “And” filter.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
  <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:AndFilter">
    <simpleFilters>
      <propertyName>name</propertyName>
      <operation>STARTS_WITH</operation>
      <value>user</value>
    </simpleFilters>
    <simpleFilters>
      <propertyName>name</propertyName>
      <operation>ENDS_WITH</operation>
      <value>1</value>
    </simpleFilters>
  </criteria>
  <numberOfItemsInPage>100</numberOfItemsInPage>
  <startPageNumber>1</startPageNumber>
</ns2:query>

Here is a Java based example for the ‘And’ filter:

Query query = new Query();
query.setStartPageNumber(1);
query.setNumberOfItemsInPage(100);

SimpleFilter simpleFilter = new SimpleFilter();
simpleFilter.setOperation(FilterOperation.STARTS_WITH);
simpleFilter.setPropertyName("name");
simpleFilter.setValue("user");

SimpleFilter simpleFilter1 = new SimpleFilter();
simpleFilter1.setOperation(FilterOperation.ENDS_WITH);
simpleFilter1.setPropertyName("name");
simpleFilter1.setValue("1");

AndFilter andFilter = new AndFilter();
andFilter.setSimpleFilters(new SimpleFilter[] { simpleFilter, simpleFilter1 });

query.setCriteria(andFilter);

Sorting

You can use the query object to sort the results. You can sort based on the following criteria:

• One property to sort by

• Direction of sorting (Ascending/Descending)


Paging

You can set the query object with the following paging parameters:

• Page number, which is the requested page

• Number of objects in a page

Paging is stateless. That is, the required page is calculated from scratch for every request. This means that paging could skip objects or return them twice, in case objects were added or deleted concurrently.

Request Structure

An ACS REST request is composed of:

• URL

• HTTP method

• Content—Includes ACS objects if applicable to the requested method. The ACS objects are represented in XML.

URL Path

The URL includes:

• Service name: Rest

• Package name: Identity or Common

• Object Type: User, Identity Group, and so on

• Object identifier, which is valid with the GET and DELETE methods

• Operation name is required for operations other than CRUD such as query.

Table 4-2 lists the URLs for each object.

Object Identifiers

Objects are identified by name or by object ID. Basic object key is the object name. You can also use Object ID for GET and Delete method. For POST and PUT, the method gets the object itself that includes the identifiers.

You can specify identifier on the URL in the following ways:

• Name as the key — Rest/{package}/{ObjectType}/name/{name}

• Object ID as the key — Rest/{package}/{ObjectType}/id/{id}

• For a single instance per object type, no key is required — For example: Rest/Common/ACSVersion

Table 4-2 URL Summary Table

Object             URL                              Comment
ACS Version        ../Rest/Common/ACSVersion        Single object exists
Service Location   ../Rest/Common/ServiceLocation   —
Error Message      ../Rest/Common/ErrorMessage      —


HTTP Methods

HTTP methods are mapped to configuration operations (CRUD: Create, Read, Update, and Delete).

The common intrinsic methods are not specified within the URL, and are determined by the HTTP request method. In other cases, you need to add the configuration operation into the URL. HTTP methods are mapped to ACS operations:

• HTTP GET—View an object or multiple objects

• HTTP POST—Create a new object

• HTTP DELETE—Delete an object

• HTTP PUT—Update an existing object. PUT is also used to invoke extrinsic methods (other than CRUD).

When HTTP PUT method is used for operations other than CRUD, the URL specifies the required operation. This is also used to distinguish the message from PUT method for update. The keyword “op” is included in the URL as follows:

Rest/{package}/{ObjectType}/op/{operation}

For example, /Rest/Identity/IdentityGroup/op/query

Table 4-3 describes the primary ACS REST methods and their mapping to HTTP messages.

Table 4-2 URL Summary Table (continued)

Object           URL                                 Comment
User             ../Rest/Identity/User/...           For some methods, there is additional data on the URL. See Table 4-3.
Identity Group   ../Rest/Identity/IdentityGroup/...  For some methods, there is additional data on the URL. See Table 4-3.

Table 4-3 HTTP Method Summary

Function    HTTP Method   URL                            Request content   Response on Success
getAll      GET           /{ObjectType}                  None              Collection of objects
getByName   GET           /{ObjectType}/name/{name} (1)  None              An object
getById     GET           /{ObjectType}/id/{id}          None              An object
create      POST          /{ObjectType}                  Object            REST result, which includes the object ID
delete      DELETE        /{ObjectType}/name/{name} (1)  None              REST result

Note For create, the Object ID property should not be set.


Note For the responses on failure, see ACS REST Result.

Response Structure

The response to a REST request is a standard HTTP response that includes the HTTP status code and other data returned by web servers. In addition, the response can include the ACS REST result object or ACS configuration objects, according to the type of request.

You should check the HTTP status code to know the type of objects expected in the response body.

• For 4xx HTTP status codes except 401 and 404, a REST result object is returned.

• For 5xx status codes other than 500, the message content is text that describes the server error.

• For 500 HTTP status code, REST result is returned.

• For 200 and 201 HTTP status code, objects per the specific method or object type is returned.

• For 204 HTTP status code, no object is returned.

HTTP Status Codes

ACS returns the following types of status codes:

• 2xx for success

• 4xx for client errors

• 5xx for server errors

ACS does not return the following types of status codes:

• 1xx

• 3xx

The HTTP status code is returned within the HTTP response headers as well as within the REST result object.

Table 4-4 lists the HTTP status codes that are returned by ACS.

Table 4-3 HTTP Method Summary (continued)

Function    HTTP Method   URL                            Request content   Response on Success
delete      DELETE        /{ObjectType}/id/{id}          None              REST result
update (2)  PUT           /{ObjectType}                  Object            REST result
query       PUT           /{ObjectType}/op/query         Query object      List of objects

1. Names in the URL are full names. ACS REST services do not support wildcards or regular expressions.

2. The update method replaces the entire object with the object provided in the request body, with the exception of sensitive properties.


ACS REST Result

The HTTP response for a REST request includes either the requested objects or a REST result object; see Table 4-3 for details. The ACS result includes:

• HTTP status code

• HTTP status text

• ACS message code

• ACS message

Table 4-4 Usage of HTTP Status Codes

200 OK
  Usage in ACS: successful get, create and query.

204 OK with no content
  Usage in ACS: successful delete and update.
  Comment: no data is returned in the response body.

400 Bad Request
  Usage in ACS: request errors: object validation failure, XML syntax error, and other errors in the request message.
  Comment: the request contains bad syntax or cannot be executed. For example, if you try to create an object with a name that already exists, the object validation fails. Detailed reasons can be found in the REST result object.

401 Unauthorized
  Usage in ACS: authentication failure or time-out.
  Comment: similar to 403, but specifically for use when authentication failed or credentials are not available.

403 Forbidden
  Usage in ACS: ACS is a secondary and cannot fulfill the request, or the operation is not allowed per the administrator's authorizations.
  Comment: the request was valid, but the server refuses to respond to it. Unlike 401, authenticating will make no difference. This error is also returned when a non-read request is sent to a secondary instance.

404 Not Found
  Usage in ACS: the URL is wrong or the REST service is not enabled.

410 Gone
  Usage in ACS: a resource is no longer available.
  Comment: a request was made for an object that does not exist, for example, deleting an object that does not exist.

500 Internal Server Error
  Usage in ACS: any server error that has no specific HTTP code.
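The response rules above (which statuses carry a REST result object, which carry configuration objects, which carry only text) and the status-code table, turned into a small response interpreter. This is an added example, not Cisco's sample code. The element names in the constructed SAMPLE_403 body are an assumption; the real ones come from Common.xsd (RestResult and RestCreateResult), and the parser does not depend on them because it collects every leaf element by local name.

```python
"""Interpret ACS 5.3 REST responses using the guide's status-code rules.
Added example, not Cisco's code. SAMPLE_403 is a constructed body with
assumed element names; parse_rest_result works with whatever Common.xsd uses."""
from xml.etree import ElementTree as ET

WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample of a REST result for a write sent to a secondary instance.
SAMPLE_403 = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<restResult>"                                   # assumed element names
    "<httpCode>403</httpCode>"
    "<httpText>Forbidden</httpText>"
    "<acsMessageCode>00000</acsMessageCode>"         # placeholder, not a real ACS code
    "<acsMessage>Write operations are allowed on the primary instance only.</acsMessage>"
    "</restResult>"
)


def expected_body(status):
    """Body type per the guide's Response Structure section."""
    if status in (200, 201):
        return "objects"
    if status == 204:
        return "none"
    if status == 500 or (400 <= status <= 499 and status not in (401, 404)):
        return "rest_result"
    if status in (401, 404):
        return "opaque"          # guide: no REST result object for these two
    if 501 <= status <= 599:
        return "text"            # server error described in the message text
    raise ValueError(f"HTTP {status}: ACS returns only 2xx, 4xx and 5xx")


def parse_rest_result(body):
    """Collect every leaf element of a REST result by local name (namespace-agnostic)."""
    fields = {}
    for el in ET.fromstring(body).iter():
        if len(el) == 0 and el.text and el.text.strip():
            fields[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return fields


def interpret(method, status, body=""):
    """Return what the client should do next for a (method, status, body) triple."""
    kind = expected_body(status)
    outcome = {"status": status, "body": kind, "action": "ok"}
    if kind == "rest_result":
        outcome["result"] = parse_rest_result(body)   # detailed reason lives here
    if status == 401:
        outcome["action"] = "reauthenticate"          # bad/absent credentials or time-out
    elif status == 403 and method in WRITE_METHODS:
        # Either the target is a secondary (read-only) or the admin role lacks the
        # right; the REST result message tells which. Writes belong on the primary.
        outcome["action"] = "write_refused_check_primary_and_role"
    elif status == 403:
        outcome["action"] = "check_admin_role"
    elif status == 404:
        outcome["action"] = "check_url_or_enable_rest"   # acs config-web-interface rest enable
    elif status == 410:
        outcome["action"] = "object_does_not_exist"
    elif status == 400:
        outcome["action"] = "fix_request"             # validation or XML syntax error
    elif status >= 500:
        outcome["action"] = "report_server_error"
    return outcome


if __name__ == "__main__":
    print(interpret("PUT", 403, SAMPLE_403))
```

expected_body raises for 1xx and 3xx because ACS never sends them; a client that sees a redirect is almost certainly talking to something other than the ACS REST service, and following it would send the administrator credentials elsewhere.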


For a successful create method, the ACS REST result also includes the Object ID.

Returned Objects

ACS returns objects for the GET method and for the query operation. The type of returned object is determined by the request URL.

When a GET method returns multiple objects, these are included in the response. If the returned list is too long, you should use filtering or paging options.

WADL File

The WADL files contain the object structure (schema) and the methods for every object.

The WADL files are mainly documentation aids. You cannot generate client applications using WADL files.

The WADL file structure is according to W3C specification. For more information, see http://www.w3.org/Submission/wadl/

To download the WADL files:

Step 1 From the ACS user interface, go to System Administration > Downloads > Rest Service

Step 2 Under ACS Rest Service WADL files, click Common or Identity and save the files to your local drive.

Schema File

ACS is shipped with three XSD files that describe the structure of the objects supported on the ACS 5.3 REST interfaces.

The three XSD files are:

• Common.xsd, that describes the following objects:

– Version

– AttributeInfo

– Error Message

– RestResult, RestCreateResult

– BaseObject

– Service Location

– Status

– RestCommonOperationType


• Identity.xsd, that describes the following objects:

– Users

– IdentityGroup

• Query.xsd, that describes the structure of query objects.

You can download the schema files in the same way as you download the WADL files. You can use the schema with available tools such as JAXB to generate schema classes.

You can develop HTTP client or use any third party HTTP client code and integrate it with the schema classes generated from the XSD files.

Note It is highly recommended that you generate the REST client classes from the XSD files rather than coding or creating the XML manually.

Sample Code

ACS provides sample code for a client application to help you develop an application that interacts with the ACS REST interface. The sample code can be downloaded in the same way as the WADL and schema files.

The sample code is based on Apache HTTP Client http://hc.apache.org/httpcomponents-client-ga/index.html and JAVA code generated by JAXB (xjc command) with the help of the XSD files. It includes sample codes for:

• Get ACS Version

• Get all users

• Get All Service Locations

• Get Filtered list of Users

• Get list of Error messages

• Get User by ID and by name

• Create, Delete, Update user

• Create, Delete, and Update identity group

• Get IdentityGroup by name or ID

• Get sub-tree of IdentityGroups

• Get all Users of an Identity Group

Chapter 5

Using the Scripting Interface

This chapter describes the scripting interface that ACS 5.3 provides to perform bulk operations on ACS objects using the Import and Export features.

ACS provides the import and export functionalities through the web interface (graphical user interface) as well as the CLI. ACS exposes these functionalities through the CLI to enable you to create custom shell scripts for bulk operations on ACS objects. The import-data command allows you to:

• Add ACS objects

• Update ACS objects

• Delete ACS objects

The import and export functionalities in ACS 5.3 allow you to perform bulk operations such as Create, Update, and Delete on ACS objects and provide a migration path for customers migrating from ACS 4.x releases to ACS 5.3.

You can integrate ACS with any of your repositories and import data into ACS through automated scripts, using the Import and Export features. You can also encrypt the .csv file before you transfer the file for additional security, or, optionally, use Secure File Transfer Protocol (SFTP).

You can create a scheduled command that looks for a file with a fixed name in the repository to perform bulk operations. This option provides the functionality that was available in ACS 4.x releases.

ACS processes the import and export requests in a queue. Only one process can run at a time. When you use the ACS web interface for importing and exporting, you cannot manually control the queue.

ACS processes the queue in sequence. However, you can use the CLI to manage the import and export processes in ACS. The ACS CLI allows you to view the status of the queue and terminate the processes that are in the queue.

This chapter contains the following sections:

• Understanding Import and Export in ACS, page 5-2

• Supported ACS Objects, page 5-5

• Creating Import Files, page 5-7

• Using Shell Scripts to Perform Bulk Operations, page 5-11


Understanding Import and Export in ACS

You can use the import functionality in ACS to add, update, or delete multiple ACS objects at the same time. ACS uses a comma-separated values (CSV) file to perform these bulk operations. This .csv file is called an import file.

ACS provides a separate .csv template for Add, Update, and Delete operations for each ACS object. The first record in the .csv file is the header record from the template that contains column (field) names. You must download these templates from the ACS web interface. The header record from the template must be included in the first row of any .csv file that you import.

You cannot use the same template to import all ACS objects. You must download the template that is designed for each ACS object and use the corresponding template while importing the objects.

You can use the export functionality to create a .csv file that contains all the records of a particular object type that are available in the ACS internal store.

You must have CLI administrator-level access to perform import and export operations. Additionally:

• To import ACS configuration data, you need CRUD permissions for the specific configuration object.

• To export data to a remote repository, you need read permission for the specific configuration object.

This section contains:

• Importing ACS Objects Through the CLI, page 5-2

• Exporting ACS Objects Through the CLI, page 5-3

• Viewing the Status of Import and Export Processes, page 5-4

• Terminating Import and Export Processes, page 5-5

Importing ACS Objects Through the CLI

You can import ACS objects from the ACS Configuration mode. You use the import-data command to perform the import operation. This command takes the following arguments:

• Name of the remote repository where the import file resides. See Creating Import Files, page 5-7, for information on how to create the import file.

• Name of the import file.

• Type of ACS object that the import file contains.

ACS obtains the .csv file from the remote repository and processes the file. You can query ACS for the status of the import process using the import-export-status command. After the import process is complete, ACS generates a status file in the remote repository that includes any errors that ACS identified during this process.

For additional security during the import process, you have the option of encrypting the import file and using a secured remote repository for the import operation.

Also, the import process sometimes can run into errors. You can specify whether you want to terminate the import process or continue it until it is complete.

Note If you choose to use a secured remote repository for import, you must specify SFTP as the repository value.


For example, to add internal user records to an existing identity store, from the ACS CLI, enter:

import-data add user repository file-name result-file-name {abort-on-error | cont-on-error} {full | none | only-sec-repo | only-sec-files} secret-phrase

Syntax Description

repository—Name of the remote repository from which to import the ACS objects, in this case, the internal users.

file-name—Name of the import file in the remote repository.

result-file-name—Name of the file that contains the results of the import operation. This file is available in the remote repository when the import process completes or is terminated.

abort-on-error—Aborts the import operation if an error occurs during the import process.

cont-on-error—Ignores any errors that occur during the import process and continues to import the rest of the objects.

full—Encrypts the import file using the GNU Privacy Guard (GPG) encryption mechanism and uses secured remote repository to import the file. If you specify the security type as full, you must specify SFTP as the repository value.

none—Neither encrypts the import file nor uses the secured remote repository for import.

secret-phrase—The secret phrase used to decrypt the import file. If you specify the security type as full or only-sec-files, you must specify the secret phrase.

only-sec-repo—Uses the secured remote repository to import the file. If you specify the security type as only-sec-repo, you must specify SFTP as the repository value.

only-sec-files—Encrypts the import file using GPG encryption mechanism.

For more information on the import-data command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893385.

Exporting ACS Objects Through the CLI

You can export a list of ACS objects as a .csv file from ACS to a remote repository. You perform this operation from the ACS Configuration mode, using the export-data command. This command takes the following arguments:

• Object type to be exported.

• Name of the remote repository to which the .csv file should be downloaded after the export process is complete.

While ACS processes your export request, you can enter a command to query the progress of the export. After the export process is complete, the .csv file in your remote repository contains all the object records of that type that exist in the ACS internal store.

Note When you export ACS objects through the web interface, use the available filters to export a subset of the records.

For additional security during the export process, you have the option of encrypting the export file and using a secured remote repository for the export operation.

5-3Software Developer’s Guide for Cisco Secure Access Control System 5.3

OL-22972-01

Page 54: ACS 5.3 Software Developer's Guide

Chapter 5 Using the Scripting Interface Understanding Import and Export in ACS

Note If you choose to use a secured remote repository for export, you must specify SFTP as the repository value.

For example, to export internal user records, from the ACS CLI, enter:

export-data user repository file-name result-file-name {full | none | only-sec-repo | only-sec-files} secret-phrase

Syntax Description

repository—Name of the remote repository to which to export the ACS objects, in this case, the internal users.

file-name—Name of the export file in the remote repository.

result-file-name—Name of the file that contains the results of the export operation. This file is available in the remote repository when the export process completes.

full—Encrypts the export file using the GPG encryption mechanism and uses a secured remote repository to export the file. If you specify the security type as full, you must specify SFTP as the repository value.

none—Neither encrypts the export file nor uses the secured remote repository for export.

secret-phrase—The secret phrase used to encrypt the export file. If you specify the security type as full or only-sec-files, you must specify the secret phrase.

only-sec-repo—Uses the secured remote repository to export the file. If you specify the security type as only-sec-repo, you must specify SFTP as the repository value.

only-sec-files—Encrypts the export file using the GPG encryption mechanism, without requiring a secured remote repository.

For more information on the export-data command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893300.
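The import-data and export-data syntax above carries two rules that are easy to get wrong in a script: full and only-sec-repo need an SFTP repository, and full and only-sec-files need a secret phrase. The following Python is an added example, not code from this guide or from Cisco, that assembles both command lines and checks those rules before anything is typed into the CLI. The function names, the repository_protocol parameter (the URL scheme of the repository, for example sftp or disk) and the whitespace-free token check are this example's own; the argument order is the one shown in the syntax descriptions.

```python
import re

SECURITY_TYPES = ("full", "none", "only-sec-repo", "only-sec-files")
ERROR_MODES = ("abort-on-error", "cont-on-error")
OPERATIONS = ("add", "update", "delete")

# CLI arguments are whitespace separated: a repository or file name containing
# spaces, quotes or control characters would be parsed as extra arguments.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9._:/-]+$")


def _check_token(label, value):
    if not value or not _TOKEN_RE.match(value):
        return [f"{label} {value!r} contains characters that are not safe in a CLI argument"]
    return []


def check_security_options(repository_protocol, security, secret_phrase):
    """Return the list of rule violations for the security-type arguments."""
    problems = []
    if security not in SECURITY_TYPES:
        return [f"security type must be one of {SECURITY_TYPES}, got {security!r}"]
    # full and only-sec-repo use the secured remote repository, which must be SFTP
    if security in ("full", "only-sec-repo") and repository_protocol.lower() != "sftp":
        problems.append(f"security type {security} requires an SFTP repository, not {repository_protocol}")
    # full and only-sec-files encrypt the file with GPG and therefore need the secret phrase
    if security in ("full", "only-sec-files"):
        if not secret_phrase:
            problems.append(f"security type {security} requires a secret phrase")
        else:
            problems.extend(_check_token("secret phrase", secret_phrase))
    elif secret_phrase:
        problems.append(f"security type {security} does not take a secret phrase")
    return problems


def _check_names(object_type, repository, file_name, result_file_name):
    problems = []
    for label, value in (("object type", object_type), ("repository", repository),
                         ("file name", file_name), ("result file name", result_file_name)):
        problems.extend(_check_token(label, value))
    return problems


def build_export_command(object_type, repository, repository_protocol, file_name,
                         result_file_name, security="none", secret_phrase=None):
    """export-data object repository file-name result-file-name security [secret-phrase]"""
    problems = _check_names(object_type, repository, file_name, result_file_name)
    problems += check_security_options(repository_protocol, security, secret_phrase)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["export-data", object_type, repository, file_name, result_file_name, security]
    if secret_phrase:
        parts.append(secret_phrase)
    return " ".join(parts)


def build_import_command(operation, object_type, repository, repository_protocol, file_name,
                         result_file_name, error_mode="abort-on-error", security="none",
                         secret_phrase=None):
    """import-data {add|update|delete} object repository file-name result-file-name
    {abort-on-error|cont-on-error} security [secret-phrase]"""
    problems = []
    if operation not in OPERATIONS:
        problems.append(f"operation must be one of {OPERATIONS}, got {operation!r}")
    if error_mode not in ERROR_MODES:
        problems.append(f"error mode must be one of {ERROR_MODES}, got {error_mode!r}")
    problems += _check_names(object_type, repository, file_name, result_file_name)
    problems += check_security_options(repository_protocol, security, secret_phrase)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["import-data", operation, object_type, repository, file_name,
             result_file_name, error_mode, security]
    if secret_phrase:
        parts.append(secret_phrase)
    return " ".join(parts)


if __name__ == "__main__":
    # Same command as the sample script later in this chapter, built with the checks applied
    print(build_import_command("add", "device", "localRepo", "disk",
                               "device.csv", "device_res.csv", "cont-on-error", "none"))
```

abort-on-error is the default here because a partially applied bulk update of network devices or users is harder to reason about afterwards than a rejected file; use cont-on-error deliberately, and read the result file either way.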

Viewing the Status of Import and Export Processes

You can view the status of the import and export processes in ACS using the import-export-status command. Use this command to view the status of running import and export processes and to verify whether there are any pending processes.

You must run the import-export-status command from the ACS Configuration mode. Any user, irrespective of role, can issue this command.

import-export-status {current | all | id id}

Syntax Description

current—Displays the status of the currently running processes.

all—Displays the status of all the import and export processes, including any pending processes.

id id—Displays the status of the import or export process that has the specified process ID.

For more information on the import-export-status command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893573.


Terminating Import and Export Processes

You can use the import-export-abort command to terminate all import and export processes, or a single process that is currently running or queued. You must run the import-export-abort command from the ACS Configuration mode.

Only the super administrator can simultaneously terminate a running process and all pending import and export processes. However, a user who owns a particular import or export process can terminate that particular process by using the process ID, or by stopping the process when it is running.

import-export-abort {running | all | id id}

Syntax Description

running—Aborts any import or export process that is currently running.

all—Aborts all the import and export processes in the queue.

id id—Aborts the import or export process that has the process ID that you specify.

For more information on the import-export-abort command, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/command/reference/cli_app_a.html#wp1893490.

Supported ACS Objects

While ACS 5.3 allows you to perform bulk operations (Add, Update, Delete) on ACS objects using the import functionality, you cannot import all ACS objects. The import functionality in ACS 5.3 supports the following ACS objects:

• Users

• Hosts

• Network Devices

• Identity Groups

• NDGs

• Downloadable ACLs

• Command Sets

Table 5-1 lists the ACS objects, their properties, and the property data types.

Table 5-1 ACS Objects – Property Names and Data Types

Property Name Property Data Type

Object Type: User

Username (Required in create, edit, and delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Enabled (Required in create) Boolean.

Change Password (Required in create) Boolean.

Password (Required in create) String. Maximum length is 32 characters. Not available in Export.


Enable Password (Optional) String. Maximum length is 32 characters.

User Identity Group (Optional) String. Maximum length is 256 characters.

List of attributes (Optional) String and other data types.

Object Type: Hosts

MAC address (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Enabled (Optional) Boolean.

Host Identity Group (Optional) String. Maximum length is 256 characters.

List of attributes (Optional) String.

Object Type: Network Device

Name (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Subnet (Required in create) String.

Support RADIUS (Required in create) Boolean.

RADIUS secret (Optional) String. Maximum length is 32 characters.

Support TACACS (Required in create) Boolean.

TACACS secret (Optional) String. Maximum length is 32 characters.

Single connect (Optional) Boolean.

Legacy TACACS (Optional) Boolean.

Support CTS (Required in create) Boolean.

CTS Identity (Optional) String. Maximum length is 32 characters.

CTS trusted (Optional) Boolean.

Password (Optional) String. Maximum length is 32 characters.

sgACLTTL (Optional) Integer.

peerAZNTTL (Optional) Integer.

envDataTTL (Optional) Integer.

Session timeout (Optional) Integer.

List of NDG names (Optional) String.

Object Type: Identity Group

Name (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Object Type: NDG

Name (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Object Type: Downloadable ACLs

Name (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Content (Required in create, edit, delete) String. Maximum length is 1024 characters.

Object Type: Command Set

Name (Required in create, edit, delete) String. Maximum length is 64 characters.

Description (Optional) String. Maximum length is 1024 characters.

Commands (in the form of grant:command:arguments) (Optional) String.

Note This is a list with semicolons used as separators (:) between the values that you supply for grant.

Fields that are optional can be left empty and ACS substitutes the default values for those fields.

For example, when fields that are related to a hierarchy are left blank, ACS assigns the value of the root node in the hierarchy. For network devices, if TrustSec is enabled, all related configuration fields are set to default values.

Creating Import Files

This section describes how to create the .csv file for performing bulk operations on ACS objects. You can download the appropriate template for each of the objects. This section contains the following:

• Downloading the Template from the Web Interface, page 5-7

• Understanding the CSV Templates, page 5-8

• Creating the Import File, page 5-9

Downloading the Template from the Web Interface

Before you can create the import file, you must download the import file templates from the ACS web interface.

To download the import file templates for adding internal users:

Step 1 Log into the ACS 5.3 web interface.

Step 2 Choose Users and Identity Stores > Internal Identity Stores > Users.

The Users page appears.

Step 3 Click File Operations.

The File Operations wizard appears.

Step 4 Choose any one of the following:

• Add—Adds users to the existing list. This option does not modify the existing list. Instead, it performs an append operation.

• Update—Updates the existing internal user list.


• Delete—Deletes the list of users in the import file from the internal identity store.

Step 5 Click Next.

The Template page appears.

Step 6 Click Download Add Template.

Step 7 Click Save to save the template to your local disk.

The following list gives you the location from which you can get the appropriate template for each of the objects:

• User—Users and Identity Stores > Internal Identity Stores > Users

• Hosts—Users and Identity Stores > Internal Identity Stores > Hosts

• Network Device—Network Resources > Network Devices and AAA Clients

• Identity Group—Users and Identity Stores > Identity Groups

• NDG

– Location—Network Resources > Network Device Groups > Location

– Device Type—Network Resources > Network Device Groups > Device Type

• Downloadable ACLs—Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs

• Command Set—Policy Elements > Authorization and Permissions > Device Administration > Command Sets

Follow the procedure described in this section to download the appropriate template for your object.

Understanding the CSV Templates

You can open your CSV template in Microsoft Excel or any other spreadsheet application and save the template to your local disk as a .csv file. The .csv template contains a header row that lists the properties of the corresponding ACS object.

For example, the internal user Add template contains the fields described in Table 5-2:

Table 5-2 Internal User Add Template

Header Field Description

name:String(64):Required Username of the user.

description:String(1024) Description of the user.

enabled:Boolean(true,false):Required Boolean field that indicates whether the user must be enabled or disabled.

changePassword:Boolean(true,false):Required Boolean field that indicates whether the user must change the password on first login.

password:String(32):Required Password of the user.

enablePassword:String(32) Enable password of the user.

UserIdentityGroup:String(256) Identity group to which the user belongs.

All the user attributes that you have specified would appear here.


Each row of the .csv file corresponds to one internal user record. You must enter the values into the .csv file and save it before you can import the users into ACS. See Creating the Import File, page 5-9 for more information on how to create the import file.

This example is based on the internal user Add template. For the other ACS object templates, the header row contains the properties described in Table 5-1 for that object.

Creating the Import File

After you download the import file template to your local disk, enter the records that you want to import into ACS in the format specified in the template. After you enter all records into the .csv file, you can proceed with the import function. The import process involves the following:

• Adding Records to the ACS Internal Store, page 5-9

• Updating the Records in the ACS Internal Store, page 5-10

• Deleting Records from the ACS Internal Store, page 5-10

Adding Records to the ACS Internal Store

When you add records to the ACS internal store, you add the records to the existing list. This is an append operation, in which the records in the .csv file are added to the list that exists in ACS.

To add internal user records to the Add template:

Step 1 Download the internal user Add template. See Downloading the Template from the Web Interface, page 5-7 for more information.

Step 2 Open the internal user Add template in Microsoft Excel or any other spreadsheet application. See Table 5-1 for a description of the fields in the header row of the template.

Step 3 Enter the internal user information. Each row of the .csv template corresponds to one user record.

Figure 5-1 shows a sample Add Users import file.

Figure 5-1 Add Users – Import File

Step 4 Save the add users import file to your local disk.


Updating the Records in the ACS Internal Store

When you update the records in the ACS store, the import process overwrites the existing records in the internal store with the records from the .csv file. This operation replaces the records that exist in ACS with the records from the .csv files.

The Update operation is similar to the Add operation except for one additional column that you can add to the Update templates.

The Update template can contain an Updated Name column for internal users and other ACS objects, and an Updated MAC address column for the internal hosts. The name shown in the Updated Name column replaces the name in the ACS identity store.

Instead of downloading the update template for each of the ACS objects, you can use the export file of that object, retain the header row, and update the data to create your updated .csv file.

To add an updated name or MAC address to the ACS objects, you must download and use the particular update template. Also, for the NDGs, the export template contains only the NDG name, so in order to update any other property, you must download and use the NDG update template.

Figure 5-2 shows a sample import file that updates existing user records.

Figure 5-2 Update Users–Import File

Note The second column, Updated name, is the additional column that you can add to the Update template. Also, the password value and the enabled password value are not mandatory in the case of an update operation for the user object.

Deleting Records from the ACS Internal Store

You can use this option to delete a subset of records from the ACS internal store. The records that are present in the .csv file that you import are deleted from the ACS internal store. The Delete template contains only the key column to identify the records that must be deleted.

For example, to delete a set of internal users from the ACS internal identity store, download the internal user Delete template and add the list of users that you want to delete to this Import file. Figure 5-3 shows a sample Import file that deletes internal user records.

Timesaver To delete all users, you can export all users and then use the export file as your import file to delete users.


Figure 5-3 Delete Users – Import File

Using Shell Scripts to Perform Bulk Operations

You can write custom shell scripts that use the import and export CLI commands to perform bulk operations. The ACS web interface provides a sample Python script. To download this sample script:

Step 1 Log into the ACS web interface.

Step 2 Choose System Administration > Downloads > Scripts.

The downloadable package consists of:

• Python module, Pexpect

• Python script

• ReadMe—Contains installation instructions

Note You must have Python software to run this script.

Sample Shell Script

import pexpect

# Create connection to a specific IP using 'admin' username
# (ACS_IP_ADDRESS is a placeholder for the address of your ACS server)
connector = pexpect.spawn('ssh admin@ACS_IP_ADDRESS')
connector.expect('.ssword:*')
# Enter password
connector.sendline('defaultPass')
connector.expect('.$')
# Defining a repository that points to the local disk
connector.sendline('configure')
connector.expect('.$')
connector.sendline('repository localRepo')
connector.expect('.$')
connector.sendline('url disk:/')
connector.expect('.$')
connector.sendline('exit')
connector.expect('.$')
connector.sendline('exit')
connector.expect('.$')
# Saving the repository
connector.sendline('write memory')
connector.expect('.$')
# Going into acs-config mode
connector.sendline('acs-config')
connector.expect('.ername:*')
# Enter acs admin username
connector.sendline('acsadmin')
connector.expect('.ssword:*')
# Enter acs admin password
connector.sendline('1111')
connector.expect('.config-acs*')
# Performing the import command; the repository argument must be the
# repository defined above
connector.sendline('import-data add device localRepo device.csv device_res.csv cont-on-error none')
connector.expect('.$')
# Exit acs-config mode
connector.sendline('exit')
connector.expect('.$')
# Exit ssh mode
connector.sendline('exit')

Appendix A Monitoring and Report Viewer Database Schema

ACS allows you to export data from the Viewer database to a Microsoft Active Directory (AD) or an Oracle System ID (SID) in a remote server. This feature allows you to create custom reporting applications that meet your specific needs.

For example, you can export the data from the Viewer database to your remote database on another server that contains your customized reporting application. To export data, you must first configure a remote database in ACS.

This appendix describes how to configure a remote database and the tables in the Monitoring and Report Viewer database. This appendix provides the Monitoring and Report Viewer database schema for both Microsoft SQL server and Oracle SID.

The following topics are included:

• Configuring a Remote Database in ACS, page A-1

• Understanding the Monitoring and Report Viewer Database Schema, page A-2

– Microsoft SQL Server Schema, page A-4

– Oracle Schema, page A-24

Configuring a Remote Database in ACS

You can configure a remote database to which ACS exports the Monitoring and Report Viewer data at specified intervals. You can schedule the export job to be run once every 1, 2, 4, 6, 8, 12, or 24 hours.

You can create custom reporting applications that interact with this remote database. ACS supports the following databases:

• Oracle SQL Developer

• Microsoft SQL Server 2005

To configure a remote database:

Step 1 Log into the ACS web interface.

Step 2 From the Monitoring and Report Viewer, choose Monitoring Configuration > System Configuration > Remote Database Settings.

The Remote Database Settings Page appears as described in Table A-1.


Step 3 Click Submit to configure the remote database.

To view the status of your export job in the Scheduler, from the Monitoring and Report Viewer, select Monitoring Configuration > System Operations > Scheduler.

Understanding the Monitoring and Report Viewer Database Schema

The Monitoring and Report Viewer collects data for:

• Accounting

• AAA Audit

Note The tables that contain AAA diagnostics, system diagnostics, and administrative audit data are not exported.

The Viewer database contains raw and aggregated tables. This section contains the following topics:

• Raw Tables, page A-3

• Aggregated Tables, page A-3

• Microsoft SQL Server Schema, page A-4

• Oracle Schema, page A-24

Table A-1 Remote Database Settings Page

Option Description

Publish to Remote Database Check the check box for ACS to export data to the remote database periodically. By default, ACS exports data to the remote database every 4 hours.

Server Enter the DNS name or the IP address of the remote database.

Port Enter the port number of the remote database.

Username Enter the username for remote database access.

Password Enter the password for remote database access.

Publish data every n hours Choose a time interval from the drop-down list box for ACS to export data at the specified interval. Valid options are 1, 2, 4, 6, 8, 12, and 24 hours.

Database Type The type of remote database that you want to configure:

• Click the Microsoft Database radio button to configure a Microsoft database and enter the name of the remote database.

• Click the Oracle SID radio button to configure an Oracle database and enter the system identifier for the Oracle database.


Raw Tables

The raw tables contain individual records. The Monitoring and Report Viewer aggregates the records in the raw tables and stores the aggregated data in aggregated tables. The passed and failed bit fields in the raw tables are not encoded and are represented as 1s and 0s.

Aggregated Tables

The aggregated tables contain a count of passed and failed authentications for various data combinations. For example, for a user User1, from identity group A, with NAD B, and access policy C, the Monitoring and Report Viewer computes the passed and failed counts on a daily basis and stores them in the monthly tables.

Monthly Tables

The daily counts of passed and failed authentications for the various data combinations are stored in the monthly tables.

Yearly Tables

At the end of every month, the Monitoring and Report Viewer computes the passed and failed counts for that month and stores them in the yearly tables.

You can choose to work with individual records from the raw tables or you can get the counts directly from these aggregated tables. In the aggregated tables, passed and failed counts are available for various data combinations.

The Passed, Failed, TotalResponseTime, and MaxResponseTime fields are not part of any data combination. The total response time is computed in milliseconds for both passed and failed authentications. The day field in the month tables is set to date only and does not include the time.
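The roll-up described above is easier to reason about when you can see which columns form a "data combination" and which are computed. The following Python is an added example, not the Viewer's own aggregation code and not from this guide: it takes constructed raw TACACS authentication records (a subset of the Table A-3 columns), produces rows in the shape of acstacacsauthenticationmonth (Table A-4) with Day reduced to the date, and then rolls those up into the shape of acstacacsauthenticationyear (Table A-5). The combination columns are the non-counter columns of Table A-4; the "YYYY-MM" text used for Month is this example's assumption, since the guide only gives its type (varchar(10)), and the sample records and their values are constructed.

```python
from datetime import datetime

# Non-counter columns of acstacacsauthenticationmonth (Table A-4). Day is derived
# from the timestamp; the four COUNTERS are computed, not part of any combination.
COMBINATION_COLUMNS = (
    "ACSServer", "MessageCode", "AccessService", "ServiceSelectionPolicy", "UserName",
    "IdentityStore", "NetworkDeviceName", "DeviceIPAddress", "IdentityGroup",
    "NetworkDeviceGroups", "FailureReason", "ADDomain", "UseCase",
)
COUNTERS = ("Passed", "Failed", "TotalResponseTime", "MaxResponseTime")


def _raw(timestamp, user, passed, response_ms, reason=""):
    """Constructed raw acstacacsauthentication record (subset of Table A-3 columns)."""
    return {
        "ACSTimestamp": timestamp, "ACSServer": "acs-primary",
        "MessageCode": "5200" if passed else "5400",  # constructed sample codes
        "AccessService": "Default Device Admin", "ServiceSelectionPolicy": "Service Selection Rules",
        "UserName": user, "IdentityStore": "Internal Users", "NetworkDeviceName": "core-sw1",
        "DeviceIPAddress": "192.0.2.10", "IdentityGroup": "All Groups:NetOps",
        "NetworkDeviceGroups": "All Locations:HQ", "FailureReason": reason, "ADDomain": "",
        "UseCase": "", "ResponseTime": response_ms,
        "Passed": 1 if passed else 0, "Failed": 0 if passed else 1,  # raw bit fields: 1s and 0s
    }


# Constructed sample: five TACACS authentications over two days
RAW_TACACS_AUTH = [
    _raw("2011-09-05 08:01:12", "alice", True, 12),
    _raw("2011-09-05 17:45:03", "alice", True, 30),
    _raw("2011-09-05 18:02:40", "alice", False, 8, reason="Wrong password"),
    _raw("2011-09-06 09:10:00", "alice", True, 20),
    _raw("2011-09-06 09:12:00", "bob", True, 15),
]


def _accumulate(bucket, passed, failed, total_rt, max_rt):
    bucket["Passed"] += passed
    bucket["Failed"] += failed
    bucket["TotalResponseTime"] += total_rt  # passed and failed both contribute, in ms
    bucket["MaxResponseTime"] = max(bucket["MaxResponseTime"], max_rt)


def aggregate_month(raw_rows):
    """Raw records -> one row per (Day, data combination): the monthly-table shape."""
    buckets = {}
    for r in raw_rows:
        # Day holds the date only; the time of day is dropped
        day = datetime.strptime(r["ACSTimestamp"], "%Y-%m-%d %H:%M:%S").date()
        key = (day,) + tuple(r[c] for c in COMBINATION_COLUMNS)
        bucket = buckets.setdefault(key, dict.fromkeys(COUNTERS, 0))
        _accumulate(bucket, r["Passed"], r["Failed"], r["ResponseTime"], r["ResponseTime"])
    return [dict(Day=key[0], **dict(zip(COMBINATION_COLUMNS, key[1:])), **counts)
            for key, counts in sorted(buckets.items())]


def aggregate_year(month_rows):
    """Monthly rows -> one row per (Month, data combination): the yearly-table shape."""
    buckets = {}
    for r in month_rows:
        key = (r["Day"].strftime("%Y-%m"),) + tuple(r[c] for c in COMBINATION_COLUMNS)
        bucket = buckets.setdefault(key, dict.fromkeys(COUNTERS, 0))
        _accumulate(bucket, r["Passed"], r["Failed"], r["TotalResponseTime"], r["MaxResponseTime"])
    return [dict(Month=key[0], **dict(zip(COMBINATION_COLUMNS, key[1:])), **counts)
            for key, counts in sorted(buckets.items())]


if __name__ == "__main__":
    for row in aggregate_year(aggregate_month(RAW_TACACS_AUTH)):
        print(row["Month"], row["UserName"], row["FailureReason"] or "-",
              row["Passed"], row["Failed"], row["TotalResponseTime"], row["MaxResponseTime"])
```

Note that a failed attempt lands in a different combination from the passed ones because FailureReason (and here MessageCode) differs, which is why a reporting query that wants "failures per user per day" must group on UserName and Day and sum Failed across the remaining columns rather than read one row.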

Table A-2 provides a list of tables, a brief description, and a list of aggregated tables.

Table A-2 Monitoring and Report Viewer Database Schema

Purpose: Accounting

Table: TACACS Accounting (acstacacsaccounting)
Description: TACACS Session—Start and stop, watchdog process, and rejected session information.
Aggregated Tables: acstacacsaccountingmonth, acstacacsaccountingyear

Table: RADIUS Accounting (acsradiusaccounting)
Description: RADIUS Session—Start, stop, and update information.
Aggregated Tables: acsradiusaccountingmonth, acsradiusaccountingyear

Purpose: AAA Audit

Table: TACACS Authentication (acstacacsauthentication)
Description: TACACS—Passed authentications and failed attempts.
Aggregated Tables: acstacacsauthenticationmonth, acstacacsauthenticationyear

Table: TACACS Authorization (acstacacsauthorization)
Description: TACACS device administration—Command and session authorization passed and failed attempts.
Aggregated Tables: acstacacsauthorizationmonth, acstacacsauthorizationyear

Table: RADIUS Authentication (acsradiusauthentication)
Description: RADIUS—Passed authentications and failed attempts.
Aggregated Tables: acsradiusauthenticationmonth, acsradiusauthenticationyear


Microsoft SQL Server Schema

The Monitoring and Report Viewer database in Microsoft SQL Server contains the acstacacsauthentication tables:

The acstacacsauthentication table contains the fields described in Table A-3.

acstacacsauthentication

Table A-3 acstacacsauthentication Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

ACSSessionID varchar(500)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

IdentityStore varchar(500)

AuthenticationMethod varchar(500)

AuthenType varchar(500)

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

IdentityGroup text

NetworkDeviceGroups text

Response text

PriviligeLevel varchar(10)

FailureReason varchar(500)

ADDomain varchar(500)

AuthenMethod varchar(500)

GroupMappingPolicyMatchedR varchar(500)

IdentityPolicyMatchedRule varchar(500)

QueryIdentityStores varchar(500)

RemoteAddress varchar(500)

SelectedAuthenticationIdenti varchar(500)

SelectedQueryIdentityStores varchar(500)

Service varchar(500)

AVPair text

ExecutionSteps text

OtherAttributes text

SelectedShellProfile varchar(500)

AuthorizationExceptionPolicyMa varchar(500)

ResponseTime integer

Passed bit

Failed bit

acstacacsauthenticationmonth

Table A-4 acstacacsauthenticationmonth Table

Column Data Type

ID integer

Day smalldatetime

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

UserName varchar(500)

IdentityStore varchar(500)

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

IdentityGroup text

NetworkDeviceGroups text

FailureReason varchar(500)

ADDomain varchar(500)

UseCase varchar(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer

acstacacsauthenticationyear

Table A-5 acstacacsauthenticationyear Table

Column Data Type

ID integer

Month varchar(10)

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

UserName varchar(500)

IdentityStore varchar(500)

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

IdentityGroup text

NetworkDeviceGroups text

FailureReason varchar(500)

ADDomain varchar(500)

UseCase varchar(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer

acsradiusauthentication

Table A-6 acsradiusauthentication Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

ACSSessionID varchar(500)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

IdentityStore varchar(500)


AuthenticationMethod varchar(500)

NetworkDeviceName varchar(500)

IdentityGroup text

NetworkDeviceGroups text

Response text

CallingStationID varchar(500)

NASPort varchar(500)

ServiceType varchar(500)

AuditSessionID varchar(500)

CTSSecurityGroup varchar(500)

FailureReason varchar(500)

UseCase varchar(500)

ExecutionSteps varchar(4000)

FramedIPAddress varchar(500)

NASIdentifier varchar(500)

NASIPAddress varchar(500)

NASPortId varchar(500)

CiscoAVPair text

ADDomain varchar(500)

RadiusResponse text

ACSUserName varchar(500)

RadiusUserName varchar(500)

NACRole varchar(500)

NACPolicyCompliance varchar(500)

NACUsername varchar(500)

NACPostureToken varchar(500)

NACRadiusIsUserAuthenticated varchar(10)

SelectedPostureServer varchar(500)

SelectedIdentityStore varchar(500)

AuthenticationIdentityStore varchar(500)

AuthorizationExceptionPolicyMa varchar(500)

ExternalPolicyServerMatchedRul varchar(500)

GroupMappingPolicyMatchedRule varchar(500)

IdentityPolicyMatchedRule varchar(500)

NASPortType varchar(500)

QueryIdentityStores varchar(500)

SelectedAuthorizationProfiles varchar(500)

SelectedExceptionAuthorization varchar(500)

SelectedQueryIdentityStores varchar(500)

EapAuthentication varchar(500)

EapTunnel varchar(500)

TunnelDetails text

CiscoH323Attributes text

CiscoSSGAttributes text

OtherAttributes text

ResponseTime integer

NADFailure bit

Passed bit

Failed bit

acsradiusauthenticationmonth

Table A-7 acsradiusauthenticationmonth Table

Column Data Type

ID integer

Day smalldatetime

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

IdentityStore varchar(500)

NetworkDeviceName varchar(500)

IdentityGroup text

NetworkDeviceGroups text

CallingStationID varchar(500)

FailureReason varchar(500)

NASIdentifier varchar(500)

NASIPAddress varchar(500)

ADDomain varchar(500)

UseCase varchar(500)

SelectedAuthorizationProfiles varchar(500)

CTSSecurityGroup varchar(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer

constraint ASA1234 primary key (ID) integer

acsradiusauthenticationyear

Table A-8 acsradiusauthenticationyear Table

Column Data Type

ID integer

Month varchar(10)

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

IdentityStore varchar(500)

NetworkDeviceName varchar(500)

IdentityGroup text

NetworkDeviceGroups text

CallingStationID varchar(500)

FailureReason varchar(500)

NASIdentifier varchar(500)

NASIPAddress varchar(500)

ADDomain varchar(500)

UseCase varchar(500)

SelectedAuthorizationProfiles varchar(500)

CTSSecurityGroup varchar(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer


acstacacsauthorization

Table A-9 acstacacsauthorization Table

Column Data Type

ID integer

ACSTIMESTAMP datetime

ACSViewTIMESTAMP datetime

ACSServer varchar(500)

MessageCode varchar(10)

ACSSessionID varchar(500)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

Response text

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

PriviligeLevel varchar(10)

CmdSet varchar(500)

MatchedCommandSet varchar(500)

SelectedShellProfile varchar(500)

SelectedCommandSet varchar(500)

AuthorizationFailureReason varchar(500)

FailedShellAttribute varchar(500)

IdentityGroup text

NetworkDeviceGroups text

AuthenMethod varchar(500)

AuthorizationExceptionPolicyMa varchar(500)

AuthorReplyStatus varchar(500)

FailureReason varchar(500)

GroupMappingPolicyMatchedRule varchar(500)

IdentityPolicyMatchedRule varchar(500)

QueryIdentityStores varchar(500)

RemoteAddress varchar(500)

SelectedAuthorizationProfiles varchar(500)

SelectedExceptionAuthorization varchar(500)

AVPair text

ExecutionSteps text

OtherAttributes text

AuthenType varchar(500)

IdentityStore varchar(500)

ADDomain varchar(500)

SelectedIdentityStore varchar(500)

SelectedQueryIdentityStore varchar(500)

ResponseTime integer

Passed bit

Failed bit

acstacacsauthorizationmonth

Table A-10 acstacacsauthorizationmonth Table

Column Data Type

ID integer

Day smalldatetime

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

PriviligeLevel varchar(10)

CmdSet varchar(500)

MatchedCommandSet varchar(500)

SelectedShellProfile varchar(500)

SelectedCommandSet varchar(500)

AuthorizationFailureReason varchar(500)

FailedShellAttribute varchar(500)

IdentityGroup text

NetworkDeviceGroups text

TotalResponseTime integer

Passed integer

Failed integer


acstacacsauthorizationyear

acstacacsaccounting

Table A-11 acstacacsauthorizationyear Table

Column Data Type

ID integer

Month varchar(10)

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

ServiceSelectionPolicy varchar(500)

AuthorizationPolicy text

UserName varchar(500)

NetworkDeviceName varchar(500)

DeviceIPAddress varchar(500)

PriviligeLevel varchar(10)

CmdSet varchar(500)

MatchedCommandSet varchar(500)

SelectedShellProfile varchar(500)

SelectedCommandSet varchar(500)

AuthorizationFailureReason varchar(500)

FailedShellAttribute varchar(500)

IdentityGroup text

NetworkDeviceGroups text

TotalResponseTime integer

Passed integer

Failed integer

Table A-12 acstacacsaccounting Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

ACSSessionID varchar(500)

AccessService varchar(500)

UserName varchar(500)

RemoteAddress varchar(500)

AcctRequestFlags varchar(10)

AuthenMethod varchar(20)

ServiceType varchar(20)

Service varchar(500)

NetworkDeviceName varchar(500)

Port varchar(500)

NetworkDeviceGroups text

DeviceIPAddress varchar(500)

SourceIPAddress varchar(500)

PrivilegeLevel varchar(10)

CmdSet varchar(500)

ServerMsg varchar(500)

ServiceArgument varchar(500)

AVPair text

AcctInputPackets numeric(11)

AcctOutputPackets numeric(11)

AcctTerminateCause varchar(500)

AcctSessionTime numeric(11)

AcctSessionId varchar(500)

ExecutionSteps text

Response text

OtherAttributes text

ResponseTime integer

Started smallint

Stopped smallint

SessionKey varchar(500)

acstacacsaccountingmonth

Table A-13 acstacacsaccountingmonth Table

Column Data Type

ID integer

Day smalldatetime

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

UserName varchar(500)

RemoteAddress varchar(500)

Service varchar(500)

NetworkDeviceName varchar(500)

NetworkDeviceGroups text

DeviceIPAddress varchar(500)

SourceIPAddress varchar(500)

PrivilegeLevel varchar(10)

CmdSet varchar(500)

Count integer

TotalResponseTime bigint

MaxResponseTime numeric(11)

Active integer

Throughput bigint

TotalSessionTime bigint

MaxSessionTime numeric(11)

Started integer

Stopped integer

acstacacsaccountingyear

Table A-14 acstacacsaccountingyear Table

Column Data Type

ID integer

Month varchar(10)

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

UserName varchar(500)

RemoteAddress varchar(500)

Service varchar(500)

NetworkDeviceName varchar(500)

NetworkDeviceGroups text

DeviceIPAddress varchar(500)

SourceIPAddress varchar(500)

PrivilegeLevel varchar(10)

CmdSet varchar(500)

Count integer

TotalResponseTime bigint

MaxResponseTime numeric(11)

Active integer

Throughput bigint

TotalSessionTime bigint

MaxSessionTime numeric(11)

Started integer

Stopped integer

acsradiusaccounting

Table A-15 acsradiusaccounting Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

ACSSessionID varchar(500)

UserName varchar(500)

CallingStationID varchar(500)

AcctSessionId varchar(500)

AcctStatusType varchar(500)

AcctSessionTime varchar(500)

ServiceType varchar(20)

FramedProtocol varchar(500)

AcctInputOctets varchar(500)

AcctOutputOctets varchar(500)

AcctInputPackets varchar(500)

AcctOutputPackets varchar(500)

FramedIPAddress varchar(500)

NASPort varchar(500)

NASIPAddress varchar(500)

CiscoAVPair text

Class varchar(500)

AcctTerminateCause varchar(500)


AccessService varchar(500)

AuditSessionID varchar(500)

AcctMultiSessionID varchar(500)

AcctAuthentic varchar(10)

TerminationAction varchar(500)

SessionTimeout varchar(500)

IdleTimeout varchar(500)

AcctInterimInterval varchar(500)

AcctDelayTime varchar(500)

EventTimestamp varchar(500)

NASIdentifier varchar(500)

NASPortId varchar(500)

AcctTunnelConnection varchar(500)

AcctTunnelPacketLost varchar(500)

NetworkDeviceName varchar(500)

NetworkDeviceGroups varchar(500)

ServiceSelectionPolicy varchar(500)

IdentityStore varchar(500)

ADDomain varchar(500)

IdentityGroup varchar(500)

AuthorizationPolicy varchar(500)

FailureReason varchar(500)

SecurityGroup varchar(500)

TunnelDetails text

CiscoH323SetupTime datetime

CiscoH323ConnectTime datetime

CiscoH323DisconnectTime datetime

CiscoH323Attributes text

CiscoSSGAttributes text

ExecutionSteps text

OtherAttributes text

ResponseTime integer

Started smallint

Stopped smallint

SessionKey varchar(500)


acsradiusaccountingmonth

acsradiusaccountingyear

Table A-16 acsradiusaccountingmonth Table

Column Data Type

ID integer

Day smalldatetime

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

UserName varchar(500)

CallingStationID varchar(500)

AcctTerminateCause varchar(500)

TerminationAction varchar(500)

NASIdentifier varchar(500)

NASIPAddress varchar(500)

NetworkDeviceName varchar(500)

NetworkDeviceGroups varchar(500)

IdentityStore varchar(500)

ADDomain varchar(500)

IdentityGroup varchar(500)

AuthorizationPolicy varchar(500)

AcctStatusType varchar(500)

FramedIPAddress varchar(500)

Count integer

TotalResponseTime bigint

MaxResponseTime numeric(11)

Active integer

Throughput bigint

TotalSessionTime bigint

MaxSessionTime numeric(11)

Started integer

Stopped integer

Table A-17 acsradiusaccountingyear Table

Column Data Type

ID integer

Month varchar(10)

ACSServer varchar(500)

MessageCode varchar(10)

AccessService varchar(500)

UserName varchar(500)

CallingStationID varchar(255)

AcctTerminateCause varchar(500)

TerminationAction varchar(500)

NASIdentifier varchar(500)

NASIPAddress varchar(500)

NetworkDeviceName varchar(500)

NetworkDeviceGroups varchar(500)

IdentityStore varchar(500)

ADDomain varchar(500)

IdentityGroup varchar(500)

AuthorizationPolicy varchar(500)

AcctStatusType varchar(500)

FramedIPAddress varchar(500)

Count integer

TotalResponseTime bigint

MaxResponseTime numeric(11)

Active integer

Throughput bigint

TotalSessionTime bigint

MaxSessionTime numeric(11)

Started integer

Stopped integer

acsaaadiagnostics

Table A-18 acsaaadiagnostics Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

MessageSeverity varchar(10)

ACSSessionID varchar(500)

Category varchar(500)

DiagnosticInfo text

acsadministratorlogin

Table A-19 acsadministratorlogin Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

AdminName varchar(500)

AdminIPAddress varchar(100)

AdminSession varchar(100)

AdminInterface varchar(10)

acsconfigurationchanges

Table A-20 acsconfigurationchanges Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

AdminName varchar(500)

AdminIPAddress varchar(100)

AdminSession varchar(100)

AdminInterface varchar(10)

ObjectType varchar(500)

ObjectName varchar(500)

RequestedOperation varchar(100)

OperationMessageText varchar(1000)

ConfigChangeData text

HostID varchar(100)

RequestResponseType varchar(10)

FailureFlag varchar(10)

Details varchar(1000)

OperatorName varchar(500)

UserAdminFlag varchar(10)

AccountName varchar(500)

DeviceIP varchar(15)

IdentityStoreName varchar(500)

ChangePasswordMethod varchar(10)

AuditPasswordType varchar(10)

ObjectID varchar(100)

AppliedToACSInstance varchar(500)

LocalMode bit

acslogcollectionfailures

Table A-21 acslogcollectionfailures Table

Column Data Type

ID integer

ACSViewTimestamp datetime

ACSServer varchar(500)

ACSLoggingCategory varchar(100)

Error text

acsmessagecatalog

Table A-22 acsmessagecatalog Table

Column Data Type

ID integer

MESSAGECODE integer

MESSAGECLASS varchar(100)

MESSAGETEXT text


acsprocessstatus

acssystemstatus

Table A-23 acsprocessstatus Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

NodeId smallint

NodeName varchar(500)

Role varchar(100)

DatabaseProc bit

Management bit

Runtime bit

Adclient bit

ViewDatabase bit

ViewCollector bit

ViewJobManager bit

ViewAlertManager bit

ViewLogProcessor bit

Table A-24 acssystemstatus Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

CPUUtilization decimal(5,2)

NetworkUtilizationRcvd integer

NetworkUtilizationSent integer

MemoryUtilization decimal(5,2)

DiskIOUtilization decimal(5,2)

DiskSpaceUtilizationRoot decimal(5,2)

DiskSpaceUtilizationAltRoot decimal(5,2)

DiskSpaceUtilizationBoot decimal(5,2)

DiskSpaceUtilizationHome decimal(5,2)

DiskSpaceUtilizationLocaldisk decimal(5,2)

DiskSpaceUtilizationOpt decimal(5,2)

DiskSpaceUtilizationRecovery decimal(5,2)

DiskSpaceUtilizationStoredconf decimal(5,2)

DiskSpaceUtilizationStoreddata decimal(5,2)

DiskSpaceUtilizationTmp decimal(5,2)

DiskSpaceUtilizationRuntime decimal(5,2)

AverageRadiusRequestLatency integer

AverageTacacsRequestLatency integer

DeltaRadiusRequestCount integer

DeltaTacacsRequestCount integer

acssystemdiagnostics

Table A-25 acssystemdiagnostics Table

Column Data Type

ID integer

ACSTimestamp datetime

ACSViewTimestamp datetime

ACSServer varchar(500)

MessageCode varchar(10)

MessageSeverity varchar(10)

Category varchar(100)

DiagnosticInfo text

acsviewnetflowaggregation

Table A-26 acsviewnetflowaggregation Table

Column Data Type

ID integer

ACSViewTimestamp datetime

SourceUsername varchar(500)

SourceAddress varchar(15)

SourcePort varchar(50)

DestinationUsername varchar(500)

DestinationAddress varchar(15)

DestinationPort varchar(50)

SGTName varchar(100)

SGTValue integer

DGTName varchar(100)

DGTValue integer

NASIPAddress varchar(15)

Protocol varchar(50)

ACLDrops integer

checkpointday

Table A-27 checkpointday Table

Column Data Type

ID integer

Type smallint

Timestamp datetime

AuditSessionID varchar(100)

ACSServer varchar(100)

ACSSessionID varchar(100)

NASIP varchar(41)

EndpointMAC varchar(100)

EndpointIP varchar(41)

UserName varchar(500)

VLAN varchar(100)

dACL varchar(100)

AuthenticationType varchar(500)

InterfaceName varchar(100)

Reason varchar(500)

nadaaastatus

Table A-28 nadaaastatus Table

Column Data Type

ID integer

Timestamp datetime

Alive bit

ACSServer varchar(100)

NASIP varchar(100)

DeviceGroups text

Oracle Schema

The Monitoring and Report Viewer database in AD contains the following tables:

acstacacsauthentication

Table A-29 acstacacsauthentication Table

Column Data Type

ID integer

ACSTimestamp timestamp

ACSViewTimestamp timestamp

ACSServer varchar2(500)

MessageCode varchar2(10)

ACSSessionID varchar2(500)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

IdentityStore varchar2(500)

AuthenticationMethod varchar2(500)

AuthenType varchar2(500)

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

Response clob

PriviligeLevel varchar2(500)

FailureReason varchar2(500)

ADDomain varchar2(500)

AuthenMethod varchar2(500)

GroupMappingPolicyMatchedR varchar2(500)

IdentityPolicyMatchedRule varchar2(500)

QueryIdentityStores varchar2(500)

RemoteAddress varchar2(500)

SelectedAuthenticationIdenti varchar2(500)

SelectedQueryIdentityStores varchar2(500)

Service varchar2(500)

AVPair clob

ExecutionSteps clob

OtherAttributes clob

SelectedShellProfile varchar2(500)

AuthorizationExceptionPolicyMa varchar2(500)

ResponseTime integer

Passed smallint

Failed smallint

acstacacsauthenticationmonth

Table A-30 acstacacsauthenticationmonth Table

Column Data Type

ID integer

Day date

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

UserName varchar2(500)

IdentityStore varchar2(500)

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

FailureReason varchar2(500)

ADDomain varchar2(500)

UseCase varchar2(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer


acstacacsauthenticationyear

acsradiusauthentication

Table A-31 acstacacsauthenticationyear Table

Column Data Type

ID integer

Month varchar2(10)

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

UserName varchar2(500)

IdentityStore varchar2(500)

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

FailureReason varchar2(500)

ADDomain varchar2(500)

UseCase varchar2(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer

Table A-32 acsradiusauthentication Table

Column Data Type

ID integer

ACSTimestamp timestamp

ACSViewTimestamp timestamp

ACSServer varchar2(500)

MessageCode varchar2(10)

ACSSessionID varchar2(500)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

IdentityStore varchar2(500)


AuthenticationMethod varchar2(500)

NetworkDeviceName varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

Response clob

CallingStationID varchar2(500)

NASPort varchar2(500)

ServiceType varchar2(500)

AuditSessionID varchar2(500)

CTSSecurityGroup varchar2(500)

FailureReason varchar2(500)

UseCase varchar2(500)

ExecutionSteps clob

FramedIPAddress varchar2(500)

NASIdentifier varchar2(500)

NASIPAddress varchar2(500)

NASPortId varchar2(500)

CiscoAVPair clob

ADDomain varchar2(500)

RadiusResponse clob

ACSUserName varchar2(500)

RadiusUserName varchar2(500)

NACRole varchar2(500)

NACPolicyCompliance varchar2(500)

NACUsername varchar2(500)

NACPostureToken varchar2(500)

NACRadiusIsUserAuthenticated varchar2(500)

SelectedPostureServer varchar2(500)

SelectedIdentityStore varchar2(500)

AuthenticationIdentityStore varchar2(500)

AuthorizationExceptionPolicyMa varchar2(500)

ExternalPolicyServerMatchedRul varchar2(500)

GroupMappingPolicyMatchedRule varchar2(500)

IdentityPolicyMatchedRule varchar2(500)

NASPortType varchar2(500)

QueryIdentityStores varchar2(500)

SelectedAuthorizationProfiles varchar2(500)

SelectedExceptionAuthorization varchar2(500)

SelectedQueryIdentityStores varchar2(500)

EapAuthentication varchar2(500)

EapTunnel varchar2(500)

TunnelDetails clob

CiscoH323Attributes clob

CiscoSSGAttributes clob

OtherAttributes clob

ResponseTime integer

NADFailure smallint

Passed integer

Failed integer

acsradiusauthenticationmonth

Table A-33 acsradiusauthenticationmonth Table

Column Data Type

ID integer

Day date

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

IdentityStore varchar2(500)

NetworkDeviceName varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

CallingStationID varchar2(500)

FailureReason varchar2(500)

NASIdentifier varchar2(500)

NASIPAddress varchar2(500)

ADDomain varchar2(500)

UseCase varchar2(500)

SelectedAuthorizationProfiles varchar2(500)

CTSSecurityGroup varchar2(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer

acsradiusauthenticationyear

Table A-34 acsradiusauthenticationyear Table

Column Data Type

ID integer

Month varchar2(10)

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

IdentityStore varchar2(500)

NetworkDeviceName varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

CallingStationID varchar2(500)

FailureReason varchar2(500)

NASIdentifier varchar2(500)

NASIPAddress varchar2(500)

ADDomain varchar2(500)

UseCase varchar2(500)

SelectedAuthorizationProfiles varchar2(500)

CTSSecurityGroup varchar2(500)

Passed integer

Failed integer

TotalResponseTime integer

MaxResponseTime integer


acstacacsauthorization

Table A-35 acstacacsauthorization Table

Column Data Type

ID integer

ACSTIMESTAMP timestamp

ACSViewTIMESTAMP timestamp

ACSServer varchar2(500)

MessageCode varchar2(10)

ACSSessionID varchar2(500)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

Response clob

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

PriviligeLevel varchar(10)

CmdSet varchar2(500)

MatchedCommandSet varchar2(500)

SelectedShellProfile varchar2(500)

SelectedCommandSet varchar2(500)

AuthorizationFailureReason varchar2(500)

FailedShellAttribute varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

AuthenMethod varchar2(500)

AuthorizationExceptionPolicyMa varchar2(500)

AuthorReplyStatus varchar2(500)

FailureReason varchar2(500)

GroupMappingPolicyMatchedRule varchar2(500)

IdentityPolicyMatchedRule varchar2(500)

QueryIdentityStores varchar2(500)

RemoteAddress varchar2(500)

SelectedAuthorizationProfiles varchar2(500)

SelectedExceptionAuthorization varchar2(500)

AVPair clob

ExecutionSteps clob

OtherAttributes clob

AuthenType varchar2(500)

IdentityStore varchar2(500)

ADDomain varchar2(500)

SelectedIdentityStore varchar2(500)

SelectedQueryIdentityStore varchar2(500)

ResponseTime integer

Passed smallint

Failed smallint

acstacacsauthorizationmonth

Table A-36 acstacacsauthorizationmonth Table

Column Data Type

ID integer

Day date

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

PriviligeLevel varchar2(10)

CmdSet varchar2(500)

MatchedCommandSet varchar2(500)

SelectedShellProfile varchar2(500)

SelectedCommandSet varchar2(500)

AuthorizationFailureReason varchar2(500)

FailedShellAttribute varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

TotalResponseTime integer

Passed integer

Failed integer


acstacacsauthorizationyear

acstacacsaccounting

Table A-37 acstacacsauthorizationyear Table

Column Data Type

ID integer

Month varchar2(10)

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

ServiceSelectionPolicy varchar2(500)

AuthorizationPolicy clob

UserName varchar2(500)

NetworkDeviceName varchar2(500)

DeviceIPAddress varchar2(500)

PriviligeLevel varchar2(10)

CmdSet varchar2(500)

MatchedCommandSet varchar2(500)

SelectedShellProfile varchar2(500)

SelectedCommandSet varchar2(500)

AuthorizationFailureReason varchar2(500)

FailedShellAttribute varchar2(500)

IdentityGroup clob

NetworkDeviceGroups clob

TotalResponseTime integer

Passed integer

Failed integer

Table A-38 acstacacsaccounting Table

Column Data Type

ID integer

ACSTimestamp timestamp

ACSViewTimestamp timestamp

ACSServer varchar2(500)

MessageCode varchar2(10)

ACSSessionID varchar2(500)

AccessService varchar2(500)

UserName varchar2(500)

RemoteAddress varchar2(500)

AcctRequestFlags varchar2(10)

AuthenMethod varchar2(20)

ServiceType varchar2(20)

Service varchar2(500)

NetworkDeviceName varchar2(500)

Port varchar2(500)

NetworkDeviceGroups clob

DeviceIPAddress varchar2(500)

SourceIPAddress varchar2(500)

PrivilegeLevel varchar2(10)

CmdSet varchar2(500)

ServerMsg varchar2(500)

ServiceArgument varchar2(500)

AVPair clob

AcctInputPackets number(6)

AcctOutputPackets number(6)

AcctTerminateCause varchar2(500)

AcctSessionTime number(6)

AcctSessionId varchar2(500)

ExecutionSteps clob

Response clob

OtherAttributes clob

ResponseTime integer

Started smallint

Stopped smallint

SessionKey varchar2(500)

acstacacsaccountingmonth

Table A-39 acstacacsaccountingmonth Table

Column Data Type

ID integer

Day date

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

UserName varchar2(500)

RemoteAddress varchar2(500)

Service varchar2(500)

NetworkDeviceName varchar2(500)

NetworkDeviceGroups clob

DeviceIPAddress varchar2(500)

SourceIPAddress varchar2(500)

PrivilegeLevel varchar2(10)

CmdSet varchar2(500)

Count integer

TotalResponseTime number(20)

MaxResponseTime number(6)

Active integer

Throughput number(20)

TotalSessionTime number(20)

MaxSessionTime number(6)

Started integer

Stopped integer

acstacacsaccountingyear

Table A-40 acstacacsaccountingyear Table

Column Data Type

ID integer

Month varchar2(10)

ACSServer varchar2(500)

MessageCode varchar2(10)

AccessService varchar2(500)

UserName varchar2(500)

RemoteAddress varchar2(500)

Service varchar2(500)

NetworkDeviceName varchar2(500)

NetworkDeviceGroups clob

DeviceIPAddress varchar2(500)

SourceIPAddress varchar2(500)

PrivilegeLevel varchar2(10)

CmdSet varchar2(500)

Count integer

TotalResponseTime number(20)

MaxResponseTime number(6)

Active integer

Throughput number(20)

TotalSessionTime number(20)

MaxSessionTime number(6)

Started integer

Stopped integer

acsradiusaccounting

Table A-41 acsradiusaccounting Table

Column Data Type

ID integer

ACSTimestamp timestamp

ACSViewTimestamp timestamp

ACSServer varchar2(500)

MessageCode varchar2(10)

ACSSessionID varchar2(500)

UserName varchar2(500)

CallingStationID varchar2(500)

AcctSessionId varchar2(500)

AcctStatusType varchar2(500)

AcctSessionTime varchar2(500)

ServiceType varchar2(20)

FramedProtocol varchar2(500)

AcctInputOctets varchar2(500)

AcctOutputOctets varchar2(500)

AcctInputPackets varchar2(500)

AcctOutputPackets varchar2(500)

FramedIPAddress varchar2(500)

NASPort varchar2(500)

NASIPAddress varchar2(500)

CiscoAVPair clob

Class varchar2(500)

AcctTerminateCause varchar2(500)


AccessService varchar2(500)

AuditSessionID varchar2(500)

AcctMultiSessionID varchar2(500)

AcctAuthentic varchar2(10)

TerminationAction varchar2(500)

SessionTimeout varchar2(500)

IdleTimeout varchar2(500)

AcctInterimInterval varchar2(500)

AcctDelayTime varchar2(500)

EventTimestamp varchar2(500)

NASIdentifier varchar2(500)

NASPortId varchar2(500)

AcctTunnelConnection varchar2(500)

AcctTunnelPacketLost varchar2(500)

NetworkDeviceName varchar2(500)

NetworkDeviceGroups varchar2(500)

ServiceSelectionPolicy varchar2(500)

IdentityStore varchar2(500)

ADDomain varchar2(500)

IdentityGroup varchar2(500)

AuthorizationPolicy varchar2(500)

FailureReason varchar2(500)

SecurityGroup varchar2(500)

TunnelDetails clob

CiscoH323SetupTime timestamp

CiscoH323ConnectTime timestamp

CiscoH323DisconnectTime timestamp

CiscoH323Attributes clob

CiscoSSGAttributes clob

ExecutionSteps clob

OtherAttributes clob

ResponseTime integer

Started integer

Stopped integer

SessionKey varchar2(500)

Table A-41 acsradiusaccounting Table (continued)

Column Data Type
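Once the acsradiusaccounting table (Table A-41) has been exported to a remote database, the most useful security query over it is the one that finds sessions a NAS reported as started but never reported as stopped: those are the sessions whose authorization state may still be live on the device long after the user is gone. The following is an added example and is not code from this guide or from ACS. It assumes that the export lands in a SQL database (an in-memory SQLite copy of a subset of Table A-41, using the guide's column names and types, stands in for it), that AcctStatusType holds the RADIUS Acct-Status-Type value as text ("Start", "Interim-Update", "Stop"), and that a session is identified by the pair (NASIPAddress, AcctSessionId); all rows are constructed test data.

```python
"""Stale RADIUS session report over an exported acsradiusaccounting table.

Added example; not code from the ACS guide or from ACS itself. Assumptions the
page does not state: an in-memory SQLite copy of a subset of Table A-41 stands
in for the remote database (column names and types are the guide's);
AcctStatusType carries the RADIUS Acct-Status-Type value as text ("Start",
"Interim-Update", "Stop"); a session is identified by (NASIPAddress,
AcctSessionId). Every row inserted below is constructed test data.
"""
import sqlite3
from datetime import datetime, timedelta

# Subset of Table A-41 acsradiusaccounting, with the guide's column names/types.
SCHEMA = """
CREATE TABLE acsradiusaccounting (
    ID                 integer,
    ACSTimestamp       timestamp,
    ACSServer          varchar2(500),
    UserName           varchar2(500),
    CallingStationID   varchar2(500),
    AcctSessionId      varchar2(500),
    AcctStatusType     varchar2(500),
    AcctSessionTime    varchar2(500),
    FramedIPAddress    varchar2(500),
    NASIPAddress       varchar2(500),
    AcctTerminateCause varchar2(500)
)"""

# Fixed reference time so the report is reproducible (constructed).
NOW = datetime(2011, 9, 15, 12, 0, 0)


def iso(ts):
    """Store timestamps as ISO text: it sorts and compares correctly in SQLite."""
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db():
    """Constructed records: a closed session, a session with only interim
    updates, a fresh session, and an AcctSessionId reused on another NAS."""
    def ago(hours):
        return iso(NOW - timedelta(hours=hours))

    rows = [
        (1, ago(2),   "acs01", "alice", "00-11-22-33-44-55", "0000A1", "Start",          "0",     "10.1.1.10", "10.0.0.1", None),
        (2, ago(1.5), "acs01", "alice", "00-11-22-33-44-55", "0000A1", "Stop",           "1800",  "10.1.1.10", "10.0.0.1", "User-Request"),
        (3, ago(10),  "acs01", "bob",   "00-11-22-33-44-66", "0000B2", "Start",          "0",     "10.1.1.11", "10.0.0.1", None),
        (4, ago(5),   "acs01", "bob",   "00-11-22-33-44-66", "0000B2", "Interim-Update", "18000", "10.1.1.11", "10.0.0.1", None),
        (5, ago(1),   "acs01", "carol", "00-11-22-33-44-77", "0000C3", "Start",          "0",     "10.1.1.12", "10.0.0.2", None),
        # Same AcctSessionId as bob's but on a different NAS: its Stop must not close bob's session.
        (6, ago(9),   "acs02", "erin",  "00-11-22-33-44-88", "0000B2", "Start",          "0",     "10.1.1.13", "10.0.0.2", None),
        (7, ago(8.5), "acs02", "erin",  "00-11-22-33-44-88", "0000B2", "Stop",           "1800",  "10.1.1.13", "10.0.0.2", "Lost-Carrier"),
    ]
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO acsradiusaccounting VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    return conn


# A Start older than :cutoff with no Stop for the same (NAS, AcctSessionId) pair.
STALE_OPEN_SESSIONS = """
SELECT s.UserName, s.NASIPAddress, s.AcctSessionId, s.FramedIPAddress,
       s.ACSTimestamp AS started,
       (SELECT MAX(u.ACSTimestamp) FROM acsradiusaccounting u
         WHERE u.NASIPAddress = s.NASIPAddress
           AND u.AcctSessionId = s.AcctSessionId) AS last_seen
  FROM acsradiusaccounting s
 WHERE s.AcctStatusType = 'Start'
   AND s.ACSTimestamp < :cutoff
   AND NOT EXISTS (SELECT 1 FROM acsradiusaccounting e
                    WHERE e.NASIPAddress = s.NASIPAddress
                      AND e.AcctSessionId = s.AcctSessionId
                      AND e.AcctStatusType = 'Stop')
 ORDER BY s.ACSTimestamp"""


def stale_open_sessions(conn, now=NOW, max_age_hours=8):
    """Return open sessions that started more than max_age_hours before now."""
    cutoff = iso(now - timedelta(hours=max_age_hours))
    return [dict(r) for r in conn.execute(STALE_OPEN_SESSIONS, {"cutoff": cutoff})]


if __name__ == "__main__":
    for r in stale_open_sessions(build_sample_db()):
        print(f'{r["UserName"]} on NAS {r["NASIPAddress"]} session {r["AcctSessionId"]}: '
              f'started {r["started"]}, last accounting record {r["last_seen"]}')
```

Keying the NOT EXISTS on both NASIPAddress and AcctSessionId matters: Acct-Session-Id is only unique per NAS, so a Stop from one device must never be allowed to close a session on another. The age threshold keeps normal long sessions out of the report; tune it to the site's Session-Timeout.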


Table A-42 acsradiusaccountingmonth Table

Column               Data Type
ID                   integer
Day                  date
ACSServer            varchar2(500)
MessageCode          varchar2(10)
AccessService        varchar2(500)
UserName             varchar2(500)
CallingStationID     varchar2(500)
AcctTerminateCause   varchar2(500)
TerminationAction    varchar2(500)
NASIdentifier        varchar2(500)
NASIPAddress         varchar2(500)
NetworkDeviceName    varchar2(500)
NetworkDeviceGroups  varchar2(500)
IdentityStore        varchar2(500)
ADDomain             varchar2(500)
IdentityGroup        varchar2(500)
AuthorizationPolicy  varchar2(500)
AcctStatusType       varchar2(500)
FramedIPAddress      varchar2(500)
Count                integer
TotalResponseTime    number(20)
MaxResponseTime      number(6)
Active               integer
Throughput           number(20)
TotalSessionTime     number(20)
MaxSessionTime       number(6)
Started              integer
Stopped              integer

Table A-43 acsradiusaccountingyear Table

Column               Data Type
ID                   integer
Month                varchar2(10)
ACSServer            varchar2(500)
MessageCode          varchar2(10)
AccessService        varchar2(500)
UserName             varchar2(500)
CallingStationID     varchar2(500)
AcctTerminateCause   varchar2(500)
TerminationAction    varchar2(500)
NASIdentifier        varchar2(500)
NASIPAddress         varchar2(500)
NetworkDeviceName    varchar2(500)
NetworkDeviceGroups  varchar2(500)
IdentityStore        varchar2(500)
ADDomain             varchar2(500)
IdentityGroup        varchar2(500)
AuthorizationPolicy  varchar2(500)
AcctStatusType       varchar2(500)
FramedIPAddress      varchar2(500)
Count                integer
TotalResponseTime    number(20)
MaxResponseTime      number(6)
Active               integer
Throughput           number(20)
TotalSessionTime     number(20)
MaxSessionTime       number(6)
Started              integer
Stopped              integer

Table A-44 acsaaadiagnostics Table

Column            Data Type
ID                integer
ACSTimestamp      timestamp
ACSViewTimestamp  timestamp
ACSServer         varchar2(500)
MessageCode       varchar2(10)
MessageSeverity   varchar2(10)
ACSSessionID      varchar2(500)
Category          varchar2(500)
DiagnosticInfo    clob

Table A-45 acsadministratorlogin Table

Column            Data Type
ID                integer
ACSTimestamp      timestamp
ACSViewTimestamp  timestamp
ACSServer         varchar2(500)
MessageCode       varchar2(10)
AdminName         varchar2(500)
AdminIPAddress    varchar2(100)
AdminSession      varchar2(100)
AdminInterface    varchar2(10)

Table A-46 acsconfigurationchanges Table

Column                 Data Type
ID                     integer
ACSTimestamp           timestamp
ACSViewTimestamp       timestamp
ACSServer              varchar2(500)
MessageCode            varchar2(10)
AdminName              varchar2(500)
AdminIPAddress         varchar2(100)
AdminSession           varchar2(100)
AdminInterface         varchar2(10)
ObjectType             varchar2(500)
ObjectName             varchar2(500)
RequestedOperation     varchar2(100)
OperationMessageText   varchar2(1000)
ConfigChangeData       clob
HostID                 varchar2(100)
RequestResponseType    varchar2(10)
FailureFlag            varchar2(10)
Details                varchar2(1000)
OperatorName           varchar2(500)
UserAdminFlag          varchar2(10)
AccountName            varchar2(500)
DeviceIP               varchar2(15)
IdentityStoreName      varchar2(500)
ChangePasswordMethod   varchar2(10)
AuditPasswordType      varchar2(10)
ObjectID               varchar2(100)
AppliedToACSInstance   varchar2(500)
LocalMode              smallint
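Tables A-45 (acsadministratorlogin) and A-46 (acsconfigurationchanges) share the AdminName, AdminIPAddress, AdminSession and AdminInterface columns, which is what makes an exported copy useful for audit review: every configuration change can be tied back to the administrator login it was made under, and the two records can be checked against each other. The following is an added example and is not code from this guide or from ACS. It assumes an in-memory SQLite copy of a subset of both tables (column names and types are the guide's) in place of the remote database, that AdminSession is the value linking a change to its login, that AdminIPAddress is the source address of the administrative session, and that administrators are expected to connect from a 10.10.0.0/24 management network; all rows, ObjectType and RequestedOperation strings included, are constructed.

```python
"""Configuration-change review over exported acsadministratorlogin and
acsconfigurationchanges tables.

Added example; not code from the ACS guide or from ACS itself. Assumptions the
page does not state: an in-memory SQLite copy of a subset of Tables A-45 and
A-46 stands in for the remote database (column names and types are the
guide's); AdminSession ties a configuration change to the administrator login
that made it; AdminIPAddress is the source address of that administrative
session; administrators are expected to come from 10.10.0.0/24. Every row is
constructed, and the ObjectType / RequestedOperation strings are illustrative,
not ACS's own values.
"""
import ipaddress
import sqlite3

# Subsets of Tables A-45 and A-46, with the guide's column names/types.
SCHEMA = """
CREATE TABLE acsadministratorlogin (
    ID             integer,
    ACSTimestamp   timestamp,
    ACSServer      varchar2(500),
    AdminName      varchar2(500),
    AdminIPAddress varchar2(100),
    AdminSession   varchar2(100),
    AdminInterface varchar2(10)
);
CREATE TABLE acsconfigurationchanges (
    ID                 integer,
    ACSTimestamp       timestamp,
    ACSServer          varchar2(500),
    AdminName          varchar2(500),
    AdminIPAddress     varchar2(100),
    AdminSession       varchar2(100),
    AdminInterface     varchar2(10),
    ObjectType         varchar2(500),
    ObjectName         varchar2(500),
    RequestedOperation varchar2(100)
);
"""

NO_LOGIN = "no acsadministratorlogin record for this AdminSession"
IP_MISMATCH = "AdminIPAddress differs from the address in the login record"
OUTSIDE_NET = "AdminIPAddress is outside the management network"


def build_sample_db():
    """Constructed data: two clean changes, one whose source address changed
    mid-session and left the management network, one with no login record."""
    logins = [
        (1, "2011-09-15 09:00:00", "acs01", "admin1", "10.10.0.5", "S-1", "GUI"),
        (2, "2011-09-15 09:30:00", "acs01", "admin2", "10.10.0.9", "S-2", "GUI"),
    ]
    changes = [
        (1, "2011-09-15 09:05:00", "acs01", "admin1", "10.10.0.5",   "S-1", "GUI", "Network Device",       "core-sw1",             "UPDATE"),
        (2, "2011-09-15 09:40:00", "acs01", "admin2", "10.10.0.9",   "S-2", "GUI", "Internal User",        "svc-backup",           "CREATE"),
        (3, "2011-09-15 10:15:00", "acs01", "admin2", "203.0.113.7", "S-2", "GUI", "Access Service",       "Default Device Admin", "UPDATE"),
        (4, "2011-09-15 10:50:00", "acs01", "admin3", "10.10.0.12",  "S-9", "CLI", "Authorization Policy", "Device Admin Policy",  "DELETE"),
    ]
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO acsadministratorlogin VALUES (?,?,?,?,?,?,?)", logins)
    conn.executemany("INSERT INTO acsconfigurationchanges VALUES (?,?,?,?,?,?,?,?,?,?)", changes)
    return conn


# Every change, with the address of the login it claims to belong to (NULL if none).
CHANGES_WITH_LOGIN = """
SELECT c.ID, c.ACSTimestamp, c.AdminName, c.AdminIPAddress, c.AdminSession,
       c.ObjectType, c.ObjectName, c.RequestedOperation,
       l.AdminIPAddress AS LoginIPAddress
  FROM acsconfigurationchanges c
  LEFT JOIN acsadministratorlogin l ON l.AdminSession = c.AdminSession
 ORDER BY c.ACSTimestamp, c.ID"""


def review_changes(conn, mgmt_net="10.10.0.0/24"):
    """Flag changes with no login record, a source address that differs from
    the login's, or a source address outside mgmt_net."""
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for r in conn.execute(CHANGES_WITH_LOGIN):
        reasons = []
        if r["LoginIPAddress"] is None:
            reasons.append(NO_LOGIN)
        elif r["LoginIPAddress"] != r["AdminIPAddress"]:
            reasons.append(IP_MISMATCH)
        if ipaddress.ip_address(r["AdminIPAddress"]) not in net:
            reasons.append(OUTSIDE_NET)
        if reasons:
            findings.append({
                "ID": r["ID"],
                "when": r["ACSTimestamp"],
                "AdminName": r["AdminName"],
                "change": f'{r["RequestedOperation"]} {r["ObjectType"]} "{r["ObjectName"]}"',
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_changes(build_sample_db()):
        print(f'{f["when"]} {f["AdminName"]}: {f["change"]} -> {"; ".join(f["reasons"])}')
```

A change row whose AdminSession has no login row, or whose AdminIPAddress does not match the login's, is worth a look before anything else in the export: either the login category was not being collected (check acslogcollectionfailures, Table A-47) or the session is being driven from somewhere the administrator did not log in from.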

Table A-47 acslogcollectionfailures Table

Column              Data Type
ID                  integer
ACSViewTimestamp    timestamp
ACSServer           varchar2(500)
ACSLoggingCategory  varchar2(100)
Error               clob

Table A-48 acsmessagecatalog Table

Column        Data Type
ID            smallint
MESSAGECODE   integer
MESSAGECLASS  varchar2(100)
MESSAGETEXT   clob


Table A-49 acsprocessstatus Table

Column            Data Type
ID                integer
ACSTimestamp      timestamp
ACSViewTimestamp  timestamp
ACSServer         varchar2(500)
MessageCode       varchar2(10)
NodeId            smallint
NodeName          varchar2(500)
Role              varchar2(100)
DatabaseProc      smallint
Management        smallint
Runtime           smallint
Adclient          smallint
ViewDatabase      smallint
ViewCollector     smallint
ViewJobManager    smallint
ViewAlertManager  smallint
ViewLogProcessor  smallint

Table A-50 acssystemstatus Table

Column                          Data Type
ID                              integer
ACSTimestamp                    timestamp
ACSViewTimestamp                timestamp
ACSServer                       varchar2(500)
MessageCode                     varchar2(10)
CPUUtilization                  decimal(5,2)
NetworkUtilizationRcvd          integer
NetworkUtilizationSent          integer
MemoryUtilization               decimal(5,2)
DiskIOUtilization               decimal(5,2)
DiskSpaceUtilizationRoot        decimal(5,2)
DiskSpaceUtilizationAltRoot     decimal(5,2)
DiskSpaceUtilizationBoot        decimal(5,2)
DiskSpaceUtilizationHome        decimal(5,2)
DiskSpaceUtilizationLocaldisk   decimal(5,2)
DiskSpaceUtilizationOpt         decimal(5,2)
DiskSpaceUtilizationRecovery    decimal(5,2)
DiskSpaceUtilizationStoredconf  decimal(5,2)
DiskSpaceUtilizationStoreddata  decimal(5,2)
DiskSpaceUtilizationTmp         decimal(5,2)
DiskSpaceUtilizationRuntime     decimal(5,2)
AverageRadiusRequestLatency     integer
AverageTacacsRequestLatency     integer
DeltaRadiusRequestCount         integer
DeltaTacacsRequestCount         integer

Table A-51 acssystemdiagnostics Table

Column            Data Type
ID                integer
ACSTimestamp      timestamp
ACSViewTimestamp  timestamp
ACSServer         varchar2(500)
MessageCode       varchar2(10)
MessageSeverity   varchar2(10)
Category          varchar2(100)
DiagnosticInfo    clob

Table A-52 acsviewnetflowaggregation Table

Column               Data Type
ID                   integer
ACSTimestamp         timestamp
SourceUsername       varchar2(500)
SourceAddress        varchar2(15)
SourcePort           varchar2(50)
DestinationUsername  varchar2(500)
DestinationAddress   varchar2(15)
DestinationPort      varchar2(50)
SGTName              varchar2(100)
SGTValue             integer
DGTName              varchar2(100)
DGTValue             integer
NASIPAddress         varchar2(15)
Protocol             varchar2(50)
ACLDrops             integer

Table A-53 checkpointday Table

Column              Data Type
ID                  integer
Type                number(5)
Timestamp           timestamp
AuditSessionID      varchar2(100)
ACSServer           varchar2(100)
ACSSessionID        varchar2(100)
NASIP               varchar2(41)
EndpointMAC         varchar2(100)
EndpointIP          varchar2(41)
UserName            varchar2(500)
VLAN                varchar2(100)
dACL                varchar2(100)
AuthenticationType  varchar2(500)
InterfaceName       varchar2(100)
Reason              varchar2(500)

Table A-54 nadaaastatus Table

Column        Data Type
ID            integer
Timestamp     timestamp
Alive         smallint
ACSServer     varchar2(100)
NASIP         varchar2(100)
DeviceGroups  clob


INDEX

E
exporting monitoring and report viewer data  A-1

I
import and export
    aborting processes  5-5
    creating import files  5-7
    csv templates  5-8
    sample scripts  5-11
    supported objects  5-5
    viewing processes  5-4

M
monitoring and report viewer
    database schema  A-2
    integrating viewer web services  3-9
    sample code  3-12
    web services  3-2
    WSDL file  3-6

P
performing bulk operations  5-2

R
remote database  A-1

U
UCP
    sample script  2-7
UCP web service
    downloading WSDL file  2-4
    methods  2-2
    sample code  2-8
    WSDL  2-4
using the scripting interface  5-1

W
web interface
    enabling  2-1, 4-1
web services  1-2
WSDL file  1-3
    monitoring and report viewer  3-6
    UCP  2-4