User Manual KCA ( PDF 1181 MB)
Contents
1. The following is a description of the KCA system components and their functions.
   Hardware components
   Client PC: A Windows-based computer running a Java-enabled web browser. The user logs into the KCA web site, is authenticated, and is presented with a list of all accessible channels. When the user selects a channel, he is transferred to the appropriate Kaveman switch that the selected channel is attached to and given appropriate control of that channel using the JView applet.
   KCA Bridge running on IIS Web Server: An IIS web server providing a common entry point for the complete system with a single Universal Resource Locator (URL). When a user logs on to the system, the authentication process begins. The IIS bridge retrieves a list of accessible channels from Active Directory services based on user group permissions and presents them to the user. Each accessible channel is presented as a unique URL.
   2004 Digital V6 Corp. All rights reserved.
   Active Directory Server: A Windows 2000/2003 domain controller running Active Directory Services. This server stores all the Kaveman switches, channel objects and user data information that the Administrator has created and put in the Active Directory.
   Kaveman: Digital V6 Kaveman Switch with attached servers.
   Software components
   Software installations on the IIS Server and the Domain Controller must be performed in order
2. Figure 2-2: Stopping the default web site
   To configure the new web site
   After creating the new web site, you must configure it to run Kaveman Centralized Access.
   1. Right-click the Kaveman Centralized Access web site and select Properties.
   2. On the Documents tab, ensure Enable default content page (Enable Default Document on Windows 2000) is checked and that Default.asp is the only file selected.
   Figure 2-3: Configuring the KCA web site
   3. On the Directory Securit
3. To upload the files to Kaveman
   1. Rename Kavemankey.pem to Kavemankey.key.
   2. On the Kaveman, use the Web interface Flash File System to delete previous certificates and keys from Kaveman file system.
   3. Copy the new Kaveman.crt and Kaveman.key to file system of Kaveman unit.
   4. Reboot the Kaveman.
   To create the Root certificate
   1. On the Domain Controller, open a web browser and enter http://iis2000/certsrv to access the certsrv web site.
   2. Select "Retrieve the CA certificate or certificate revocation list" and click Next.
   3. Select a certificate from the CA Certificate list.
   4. Click Download CA certificate.
   5. Save the certificate.
   To get the IIS Server to trust Kaveman
   1. Copy the Root certificate to the IIS Server.
   2. Open Internet Explorer.
   3. Click Tools > Internet Options.
   4. On the Content tab, click the Certificates button.
   5. On the Trusted Root Certification Authorities tab, click the Import button.
   6. Follow the instructions in the Certificate Import Wizard.
   USING THE KCA SNAP-IN
   How it Works
   The KCA Snap-in uses existing user accounts to assign privileges. When a user group is added to the Active Directory using the Users and Computers Snap-in, the group becomes available to the KCA Snap-in for the Select Groups dialog. By combining user groups and channel groups, administrators ar
4. Enter http://localhost/kvmconfig.asp in the address bar. When prompted, log in to the kvmconfig web page as administrator or another account configured in Active Directory. The following form appears.
   Figure 2-6: Configuring the KCA Bridge (KCA Bridge and TimeSync Configuration Page). The form reads: "Enter the passphrase here. Remember, this is the same passphrase as the one used in the Kaveman snap-in console." and "Enter the account name and password here for the Active Directory Network Access Account, which is going to be used to read Active Directory contents." Fields: Passphrase, Account Name (addemo\administrator in the screenshot), Account Password, Confirm Password.
   4. Enter the required information.
   5. Click Submit. The following page is generated.
   Figure 2-7: Code generated by KCA Bridge configuration
5. Notepad.
   To execute the timesync.vbs script
   1. From a DOS prompt, go to C:\Program Files\DigitalV6\KavemanIIS.
   2. Enter the following command: cscript timesync.vbs
   Each time the script is run, the results will be appended to the tslog.txt file.
   To configure a Kaveman Access Manager Account
   1. Invoke the OSD menu and scroll to the Security settings.
   2. Enter the KCA Access Manager Account and password information.
   3. Ensure this account is used every time a new Kaveman object is created (see To identify the Access Manager on page 20).
   To enable Cookies on the IIS Bridge (Windows 2003 Server)
   1. Log into the bridge machine using the Active Directory Network Access Account.
   2. Open Internet Explorer.
   3. Click Tools > Internet Options.
   4. On the Security tab, select Trusted sites and click the Sites button.
   5. Add the Kaveman name to the list of trusted sites.
   Using SSL to Encrypt the Link Between the IIS Server and Kaveman
   The Kaveman Centralized Access system requires a Secure Sockets Layer (SSL) connection between the IIS Server and the Kaveman unit. This requires an SSL certificate and a private key to be created and copied to each Kaveman that the IIS Server will be accessing. Windows Certificate Services must be installed on the Domain Controller if you are using Windows 2000. The following steps create a certificate and private
6. To install the Active Directory schema Snap-in
   If the schema Snap-in application is not installed on your Domain Controller, you can install it by doing the following:
   1. Open a DOS window.
   2. Type regsvr32 schmmgmt.dll and press Enter.
   3. Type mmc /a and press Enter.
   4. Add the Active Directory Schema Snap-in.
   To run the KCA Snap-in
   1. Click Start > Programs > Administrative Tools > KCA Snap-in.
   The Snap-in MMC starts and displays the first Kaveman Container object under the root DC object. The administrator can now begin adding new Kaveman objects to the container. Every Kaveman object will have the appropriate number of channels automatically created. For more information on adding and managing Kaveman-related objects, please see Using the KCA Snap-In on page 17.
   To configure DNS entries for each Kaveman
   Open the DNS service MMC on the Domain Controller and, for each new Kaveman unit to be created, enter a DNS entry for that Kaveman and associate the appropriate IP address with it. Configure that IP address on the Kaveman unit.
   Software Installation on the IIS Server
   To install the KCA software on the IIS server
   1. On the IIS Server, run setup.exe from the IIS directory on the Kaveman Centralized Access installation CD-ROM.
   2. Follow the on-screen instructions, entering the Product Key where required. All software components, including DLLs, will be copied and registered. The default target directory is C:\Progra
7. Figure 2-7 (KCA Bridge and TimeSync Configuration Page, generated output). The page reports "Success: TimeSync configuration. Please paste the following contents (all text between the horizontal lines) into C:\Program Files\DigitalV6\KavemanIIS\tsconfig.txt", followed by the generated text block, and "Success: Bridge Configuration. Please paste the following contents (all text between the horizontal lines) into C:\Program Files\DigitalV6\KavemanIIS\config.asp", followed by a generated block that declares IISKey, AccountName, IISPassword and CommonKey.
   To save the tsconfig.txt file
   1. Open C:\Program Files\DigitalV6\KavemanIIS\tsconfig.txt in Notepad.
   2. Copy the tsconfig.txt text block to the file and save.
   To save the config.asp file
   1. Open C:\Program Files\DigitalV6\KavemanIIS\config.asp in Notepad.
   2. Copy the config.asp text block to the file and save.
   If either tsconfig.txt or config.asp is not generated automatically, create them using
8. key.
   Preparing the Domain Controller
   1. From the Control Panel, double-click Add/Remove Programs.
   2. Click Add/Remove Windows Components.
   3. Install Internet Information Services (IIS).
   4. After IIS is loaded, install Certificate Services. Select Enterprise root CA as the Certification Authority type and add the company and server information when prompted.
   To download the OpenSSL for Windows toolkit into the Domain Controller
   1. Go to http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7/openssl.zip
   2. Open the file or save it to your local system.
   3. Extract the contents of the zipped file to C:\openssl.
   To create a certificate config file
   1. Go to C:\Program Files\DigitalV6\Kaveman\openssl.
   2. Copy the contents of this folder to C:\openssl.
   3. Customize the contents to suit your needs.
   The following is the contents of the sample file openssl.cnf. The bold fields can be customized.
      [ req ]
      default_bits = 1024
      default_keyfile = privkey.pem
      distinguished_name = req_distinguished_name

      [ req_distinguished_name ]
      countryName = CA
      countryName_default = CA
      countryName_min = 2
      countryName_max = 2
      stateOrProvinceName = Ontario
      stateOrProvinceName_default = Ontario
      localityName = Markham
      localityName_default = Markham
      organizationName = DV6
      organizationName_default = DV6
      organizationName_max = 64
      organizationalU
9. privileges on all enabled channels of a Kaveman | group different privileges on each channel of a Kaveman
   Users must know which Kaveman unit to log into before controlling a channel to assign privileges | KCA gives users a convenient, comprehensive list of all their enabled channels in a virtual giant Kaveman
   KCA System Overview
   The following diagram depicts the major components required for the KCA system. This diagram displays Kaveman 16 units; however, the layout works equally well with Kaveman 1 and Kaveman 8 units.
   Figure 1-1: KCA system overview. Diagram labels: Domain Controller running Active Directory Services; access Active Directory using ADSI; IIS Server running KCA Bridge (ASP); Client PC running Web browser; Ethernet Hub/Switch; Kaveman units with attached servers.
   KCA System Components
10. to all Kaveman units with a domain
   Provides users with centralized access to all Kaveman channels within a domain
   • A single point of entry is provided via web interface (KCA Web Site).
   • User logs into web server and is given access only to permitted channels.
   • The user is redirected to the appropriate Kaveman and channel when a link on the web interface is selected.
   Provides administrators with centralized access management for all channels
   • Using the KCA Snap-in, an administrator can assign users/groups specific control over any channels within the entire system. The following access rights can be configured for each user group:
      • Full Control: User Group has full control over a channel.
      • No Power: User Group has full control except for power control.
      • View Only: User Group has no mouse/keyboard/power control.
   • Channels can be grouped logically as well as by their respective Kaveman unit when assigning access rights.
   Provides administrators with centralized management of all Kaveman units
   • Administrators can manage any Kaveman directly from the KCA web interface.
   • The following special features are available and can be performed on all Kaveman units:
      • Synchronize Date and Time: a script that can be executed to automatically synchronize date and time on all Kaveman units within network.
      • Synchronize Channel Names: a function on the KCA web site to synch
11. 2. Select the channels you want to grant access to. Click Select All to select all the channels for that Kaveman, or use Shift- or CTRL-click to select specific channels.
   Note: A channel group can span multiple Kaveman units.
   Step 2: Select user groups
   1. Select the Groups/User names in Pane 2 that you want to apply to the selected channels. To add more user groups to a channel group, select the channel group and click the Add button. On the Select Groups dialog box, double-click the groups you want to add and click OK.
   Note: If the user or group does not appear in the list, type the name in the lower panel.
   Figure 3-7: Selecting user groups to assign to channels
12. 2. Grant full access to Wendy on the web servers channel groups on both Kaveman units.
   Figure 3-9: Editing permissions example, Kaveman units. Callouts: Select the webservers logical group and then select both of the available channels. Next, add Wendy to the Groups/User field. Allow Wendy full access with no restrictions.
   3. Grant view access to Wendy on the database servers channel groups on both Kaveman units.
   Wendy can now log in and view all the channels to which she has access. In this example she has only four channels on two Kaveman units, but in practice she could have any number of channels, grouped and condensed into channel logical groups accessed by scroll bar.
   Callouts: Select the databaseservers group to which Wendy will have limited access. The user sees her User ID here. Channel logical groups are opened to show channel names, access levels and Kaveman units. Users click
13. Kaveman Centralized Access (KCA) User Manual. Part Number 950 0029, Revision 03.
   Copyright 2004 Digital V6 Corp. All rights reserved. Digital V6, Kaveman, Kaveman 1, Kaveman 8 and Kaveman 16 are trademarks of Digital V6 Corp. Windows, Windows 98, Windows 2000, Windows NT, Windows ME and Windows XP are trademarks of Microsoft Corporation. Silicon Graphics and IRIX are trademarks of Silicon Graphics, Inc. Linux is a registered trademark of Linus Torvalds. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage or retrieval system, for any purpose, without the express written permission of Digital V6 Corp.
   Contents
      KCA Benefits
      KCA System Components
      Software Components
      Software Installation and Configuration
      Hardware Requirements
      Software Installation on the Domain Controller
      To install the KCA software on th
14. ase64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
   • Paste the clipboard contents into the request field of the page.
   • Select Web Server from the Certificate Template drop-down.
   4. Click Submit.
   Figure 2-8: Submitting a Certificate Request
   5. Select Base 64 encoded and click Download CA certificate.
   6. Save the certificate to C:\Openssl\Kaveman.crt. Select All Files as the Save as type to preserve the .crt extension.
15. ation
   Figure 2-5: Application Pool Identities (Windows 2003). The DefaultAppPool Properties dialog, Identity tab, shows the application pool identity options: Predefined (Network Service) and Configurable (User name IWAM_KVM2003, Password).
   10. Start the Kaveman Centralized Access web site if it is not already running.
   To set the Active Server Page for Windows 2003 servers
   1. Select Web Service Extensions and change the Active Server Page from Prohibited to Allowed.
   KCA Bridge Configuration
   Before a user can successfully log into the IIS Server, the KCA system must be configured. The configuration file, config.asp, will be created and saved in the same directory as the default.asp. The following information will be required:
   • Passphrase
   • Account name
   • Account password
   Passphrase
   The passphrase is used to encrypt and decrypt the Kaveman Access Manager Account password. The account name and password is stored in the Active Directory for each Kaveman object. When a Kaveman object is created (see Using the KCA Snap-In on page 17), the administrator is prompted for this passphrase. The same passphrase must be used in the configuration screen and in the Snap-in screens. Using this passphrase, the Snap-in will encrypt the Kaveman Access Manager Account password and write it into the Kaveman object. This account allows the IIS Se
16. e Domain Controller
      To make the Kaveman.ldf file
      To modify the schema
      To change the schema master
      To install the Active Directory schema Snap-in
      To run the KCA Snap-in
      To configure DNS entries for each Kaveman
      Software Installation on the IIS Server
      To install the KCA software on the IIS server
      Creating a New Web Site
      To create a new web site
      To configure the new web site
      To set the Active Server Page for Windows 2003 Servers
      KCA Bridge Configuration
      KCA Date and Time Synchronization
      To open the kvmconfig web page
      To save the tsconfig.txt file
      To save the config.asp file
      To execute the timesync.vbs script
      To configure a Kaveman Access Manager Account
      To enable Cookies on the IIS Bridge (Windows 2003 Server)
      Using SSL to Encrypt the Link Between the IIS Server and Kaveman
      Preparing the Domain Controller
      To download the OpenSSL for Windows t
17. e able to make quick and accurate changes to channel privileges. The KCA Snap-in further empowers administrators by using DNS. Administrators simply specify the DNS host name of the Kaveman in the Kaveman object itself.
   Definitions
   Table 3-1: KCA Snap-in definitions
   Administrator: One or more people who use the KCA Snap-in to centrally set up and maintain Kaveman KVM Switch Units, including assignment of their IP addresses, naming of access managers, and assignment of Kaveman channels (servers).
   KCA Access Manager Account: The new Kaveman account type, Access Manager, is added to Disabled and Normal. It is required by IIS to log into Kaveman and create a session on behalf of a user.
   User or End User: Programmers and others who must have access to or control of a channel in order to maintain or install software, data, etc. on a target server.
   KCA Snap-in: A proprietary Microsoft Management Console (MMC) that allows easy management and creation of Kaveman-related objects in the Active Directory tree. This chapter describes how to use this Snap-in interface.
   Three Easy Steps to Setting up Kaveman Channels
   Administrators must complete three steps to set up Kaveman KVM switches and channel groups:
   • Create Kaveman objects
   • Create channel groups
   • Assign user privileges to channel groups
   These three steps are described below, including a simple setup example. The steps and example assume you are using KCA with one or more Kave
18. Editing Permissions
   When you create new groups, you will need to edit their permissions and restrictions to certain channels. The Permission dialog box lets you associate channel groups with user groups.
   Note: The Active Directory standard Snap-in, Users and Computers, lists all the domain's user groups and properties.
   To edit permissions
   1. Click the Edit Permissions icon to get the Permission dialog box, which is shown below with sequence numbers (1, 2, 3) indicating the order of selection.
   Figure 3-6: Editing Kaveman permissions. Callouts: You can select by Kaveman or by group. Click to add more users/groups. ALLOW must be enabled for users to have any access. 1: Select the channels. 2: Select the groups or users for the channels. 3: Choose the permissions for the channels, then click Apply or OK.
   Step 1: Select channels
   1. Select the Kaveman or Logical Group from the drop-down list
19. for the KCA system to function. Please refer to Software Installation and Configuration on page 5 for more information.
   The current version of KCA only supports single-domain environments. The DC, IIS, Kaveman and Clients must belong to the same domain.
   To access Kaveman Administrator Functions on the KCA web site, you must log in as administrator.
   SOFTWARE INSTALLATION AND CONFIGURATION
   Hardware Requirements
   The following two Windows-based systems are required for KCA:
   • Windows 2000 or Windows 2003 Domain Controller with Active Directory Services and DNS
   • Windows 2000 or Windows 2003 server with IIS services (referred to as the IIS Server)
   Both machines must be on the same domain, or the IIS Server will be unable to search the Directory Tree when a user logs on. There is a separate software installation for each machine.
   Software Installation on the Domain Controller
   To install the KCA software on the Domain Controller
   1. On the Domain Controller, run setup.exe from the DC directory of the Kaveman Centralized Access installation CD-ROM.
   2. Follow the on-screen instructions, entering the Product Key where required. All software components, including DLLs, will be copied and registered. The default target directory is C:\Program Files\DigitalV6\Kaveman. Set the option for Every One to use this application.
   To make the Kaveman.ldf file
   1. After successfully installi
20. m Files\DigitalV6\KavemanIIS. Set the option for Every One to use this application.
   Creating a New Web Site
   After the software has been installed on both the Domain Controller and the IIS Server, the next stage is to create and configure the KCA web site.
   To create a new web site
   1. Open the Internet Information Services (IIS) Manager.
   2. Right-click Web Site and select New > Web Site. For Windows 2000 Server, right-click the machine name and select New > Web Site.
   Figure 2-1: Creating a new web site
   3. Follow the instructions in the Web Site Creation Wizard, ensuring you include the following:
      • web site description: Kaveman Centralized Access
      • IP address for the web site: IP address of the IIS
      • path to the home directory
      • disable the "allow anonymous access to the web site" box
      • ensure Read and Run Scripts are enabled
   4. Click Finish when done.
   5. On the IIS Manager, right-click Default Web Site and select Stop
21. Step 3: Select permissions
   1. In the Permission field, check the Allow box. If you do not check the Allow box, the group has no access to the channels.
   2. Check either No Power and View Only, or No Power, to restrict the access rights of the group if necessary.
   3. Click Apply to save the changes and continue editing permissions, or click OK to save and exit the Permissions dialog box.
   Summary
   Table 3-2: Summary of Editing Actions
   Action | Result
   Highlight a user group | Left Pane 1 turns from dark to grey; permissions check boxes get updated
   Select two or more user groups | The user group with lesser privileges imposes them on the other group
   Override permissions | Could allow Control privileges to a View-only group
   Clear permissions boxes | The specified user group will be removed from the specified channels
   A Simple Example
   The objective of this example is to create two Kaveman units that each have one web server channel and one database channel. You want to assign a user, Wendy, full access to the web server channels and only view access to the database channels.
   1. Create two Kaveman units, K16demo1 and K16demo2, and two channel groups, database servers and web servers, as shown in the screen below.
   Figure 3-8: Creating Kaveman objects example
22. man 16 units.
   Creating Kaveman Objects
   You, the administrator, have a list of Kaveman IP addresses that were locally assigned to each Kaveman, making them all accessible remotely in a single domain that we will call addemo2.com. You should also have, or create, a predefined set of users and groups. One of the user IDs on each Kaveman has to have privileges of an Access Manager. You could use a root account for all Kaveman units, but an alternative is to log in to each Kaveman and assign an access manager for KCA.
   To create a Kaveman object
   1. Click Start > Programs > Administrative Tools > KCA Snap-in to access the KCA Snap-in screen. The screen displays our initial domain (DC=addemo2,DC=com) and a Kaveman Container, the beginnings of a tree.
   Figure 3-1: Kaveman Snap-in screen
   2. Right-click the Kaveman Container and click New > Kaveman. This container holds all Kaveman-related objects and can also contain other Kaveman containers.
   Figure 3-2: Creating a new Kaveman object
23. 7. If you click No, or if this is the first Kaveman object being created, enter the following information when prompted:
      • Passphrase
      • Kaveman account name
      • Password for this Kaveman
   8. Once the Kaveman object has been created, you can rename the 16 channels by right-clicking them and choosing Rename.
   To identify the Access Manager
   1. Right-click the new object and click Properties.
   2. On the Advanced tab, ensure the Access manager account is listed as the Access ID. You can change the password and passphrase from the Advanced tab.
   For more information about setting up the Access Manager account, see To configure a Kaveman Access Manager Account on page 12.
   Grouping Channels
   1. Right-click the container and click New > Group.
   2. Enter the Group Name and Description when prompted.
   3. In the directory tree, right-click the new group icon and click Properties.
   4. On the Members tab, click the Add button.
   5. On the Select Channels dialog box, choose the Kaveman you want from the Select Kaveman drop-down list.
   6. Using Shift- or CTRL-click, select the channels you want to assign to this group.
   7. Click Add.
   8. Click OK > OK to close the screens and save your changes.
   Figure 3-5: Grouping channels
24. ng Kaveman Centralized Access to the Domain Controller, click Start > Programs > DigitalV6 > KCA > ldifmake.exe. This creates the Kaveman.ldf file containing all schema changes (new classes and properties) that are required to support Kaveman Centralized Access. Running this program does not modify the schema; it only creates the LDF file.
   To modify the schema
   1. On the Domain Controller, open a DOS window.
   2. Navigate to C:\Program Files\DigitalV6\Kaveman and verify that the Kaveman.ldf file exists. If not, go to To make the Kaveman.ldf file on page 5.
   3. Enter the following DOS command: ldifde -i -f Kaveman.ldf -v
   This will modify the schema by adding all Digital V6 classes and properties.
   Warning: Running this command modifies the existing schema in your Active Directory. Performing a system backup is highly recommended prior to changing the schema.
   To change the schema master
   If an error occurs during the schema modification process, you may need to change the schema master to allow modifications to be made on the controller.
   To change the schema master
   1. Open the schema mmc.
   2. Right-click Active Directory Schema.
   3. Select Operations Master.
   4. Enable the box "The schema may be modified on this controller".
   5. Go to To make the Kaveman.ldf file on page 5. The schema should correctly import all new classes and properties with no errors.
25. nitName = IT Department
    organizationalUnitName_default = IT Department
    organizationalUnitName_max = 64
    commonName = Kaveman16
    commonName_default = Kaveman16
    commonName_max = 64
    emailAddress = support@digitalv6.com
    emailAddress_default = support@digitalv6.com
    emailAddress_max = 40
The commonName should include the full DNS Host Name, e.g. K16demo1.addemo.com.

To create a Certificate Signing Request
1. From a DOS prompt, go to C:\OPENSSL.
2. Enter the following command:
    create.bat
This batch file performs the following actions:
    openssl req -config openssl.cnf -newkey rsa:1024 -nodes -keyout Kavemankey.pem -keyform PEM -out Kavemanreq.pem -outform PEM
During this process you will be prompted with a list of options. Press Enter to use the default settings you assigned in the openssl.cnf file.
The files Kavemankey.pem and Kavemanreq.pem have been created and stored in C:\openssl.

To submit a Certificate Request
1. On the Domain Controller, copy the contents of Kavemanreq.pem to the clipboard.
2. Open a web browser and enter http://Name of the Domain Controller machine/certsrv (i.e. http://iis2000/certsrv) to access the certsrv web site.
3. When prompted, do the following:
- Login using administrator rights
- Select Request a Certificate
- Select Advanced request
- Select Submit a certificate using a b
27. on a channel name link to directly connect to the Kaveman and then to the channel.
[Figure 3-10: Editing permissions example (database servers). Callouts: "You must Allow Wendy access." "You can restrict Wendy to limited channel privileges."]
[Figure 3-11: KCA Web Interface Welcome screen. The screen reports that user Wendy has access to 4 channels and lists them by logical group, with columns Channel Name (click to control), Channel Number, Channel Access and Kaveman Unit.]

Channel Privilege Report
Automatic seeking and reporting of channel mappings is a major benefit of KCA and Active Direc
29. re deployed to control a number of servers, a centralized user authentication and permission control system means convenience and easy administration of all Kaveman switches. Using Microsoft Active Directory Services, the KCA (Kaveman Centralized Access) system allows administrators to easily configure access permissions for every channel attached to each Kaveman unit on a network. The system allows centralized access to all channels through a single point of entry, namely a web interface (KCA Web Site). A user logs into the KCA Web Site configured by the administrator on an IIS Server, is authenticated, and is then presented with a list of channels he has access to, regardless of what Kaveman unit(s) these channels are physically attached to. The entire set of channels attached to all Kaveman units is viewed as being attached to a single virtual Kaveman with up to hundreds of channels.
For an overview of Microsoft Active Directory, please visit http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp

KCA System Features
Stores all user access configuration in Active Directory Tree
- Benefit from existing Microsoft Active Directory Services running on any Windows 2000/2003 Server and store all pertinent data
- Administrator can use custom KCA Snap-in Console to create Kaveman-related objects within the directory tree
Reference existing users and groups in a tree and assign individual access rights to channels attached
30. ronize channel names on all Kaveman units with the names given in the Active Directory server
- Upgrade firmware: a function on the KCA web site to upgrade firmware on all Kaveman units found in Active Directory
Provides administrators with session termination capability
- Allows administrator to take control of a channel a user is controlling by terminating his session at any time
- Users can lock a channel in Java Viewer and prevent other users from viewing/controlling that channel (except in above case)
- Users can see who is currently viewing the channel they are now controlling
- Administrators can set timeouts for JView and VNC to terminate inactive sessions
- A Kill Session Link is available on the User Activity web page

KCA Benefits
The purpose of Kaveman Centralized Access (KCA) Snap-in is to give administrators a central location to create Kaveman objects for each unit on the network and to configure user access to Kaveman channels. By combining user groups and channel groups, you can make quick and accurate changes to channel privileges.

Table 1-1: KCA Benefits
Kaveman without Active Directory | Kaveman Centralized Access
System administrator must log in to each Kaveman switch to set access to each channel | System administrator has a central point of access (Active Directory) to configure access by all users
System administrator must assign a user the same user | System administrator can assign a user or
31. rver to log into the Kaveman and create a special session for use only by the logged-in user each time. The user is given authorized access rights to the selected channel.

Account name: The Account Name is used exclusively by the IIS Bridge when searching the Active Directory for a user's channel permissions when a user logs into the IIS Server. For security, set the Kaveman Container security tab to allow read access only to this account. Enter the Active Directory Network Access Account name using both a domain and user name, e.g. addemo\administrator.
Account password: This is the password for the network account used to read Active Directory.

KCA Date and Time Synchronization
During the Bridge configuration process you will also be able to configure the date and time synchronization feature available on all Kaveman units. The KCA system includes a script called timesync.vbs, found on the IIS Server at C:\Program Files\Digitalv6\KavemanIIS. This script synchronizes the date and time of all Kaveman units found in the Active Directory tree of the root domain. This script can be run manually, or automatically using the Windows Scheduled Tasks system tool. The date and time is synchronized with the date and time of the IIS Server executing the script.

To open the kvmconfig web page
1. Log into the IIS Server and open a web browser
32. tory. Users are able to find all their channel privileges in one place, updated regularly, with maximum accuracy and with no added administrative workload. Hundreds of Kaveman units are compressed into one huge virtual Kaveman with seamless access. While the virtual Kaveman appears to attach the user through the IIS Web server, the load on this server is actually much reduced by attaching users directly from the target Kaveman, with no detour through IIS.

Appendix A: CONTACT INFORMATION
Kaveman products are manufactured and supported by Digital V6 Corp.
Corporate Headquarters: Digital V6 Corp, 3993 14th Avenue, Markham, Ontario L3R 4Z6, Canada
http://www.digitalv6.com
Phone: 1 905 513 3109
Toll free: 1 866 922 2333
Fax: 1 905 513 3111
General Inquiries: info@digitalv6.com
Support: support@digitalv6.com
Sales Inquiries: sales@digitalv6.com
33. INTRODUCTION
Background
A Digital V6 Kaveman is a KVM switch that allows up to 6 remote users access to and control of any of the attached servers using a common browser over a TCP/IP network. Currently, each Kaveman unit is designed to work as a stand-alone KVM switch with a separate internal database for user authentication and permission control. Administrators can configure specific access levels for every user for all attached channels within the switch. In an environment where multiple Kaveman switches a
34. 3. On the New Kaveman dialog box, enter the following information:
- Kaveman type: select the Kaveman type from the drop-down list.
- Kaveman Name: a meaningful name within your network environment. Avoiding embedded blanks, underscores and dashes may reduce typing errors later on. Case is ignored.
- DNSHostName: this field is automatically populated with the Kaveman name and the domain to which the Active Directory and KCA are applied, e.g. KCAtest.addemo.com, where KCAtest is the Kaveman Name and addemo2.com is the domain.
- Description: a description of the Kaveman object you are creating.
[Figure 3-3: New Kaveman dialog box]
4. Click OK.
5. The next dialog box asks if you want to copy an existing Kaveman account object and password. If there are no existing accounts, you will not see this dialog box.
6. If you click Yes, select the Kaveman object you want to copy from the list on the Select Kaveman dialog box and click OK to finish the object creation.
[Figure 3-4: Selecting Kaveman properties (Select Kaveman dialog box)]
35. y tab, click the Authentication and access control Edit button.
4. Disable the Anonymous access check box if it is checked.
5. In the Authenticated access panel, check only Basic Authentication and enter the Default domain, e.g. addemo.com. In Windows 2000, click the Edit button to enter the Default domain.
[Figure 2-4: Authenticating the KCA web site. Authentication Methods dialog with "Enable anonymous access" unchecked, only "Basic authentication (password is sent in clear text)" checked, and Default domain set to addemo.com.]
6. For Windows 2000 only: on the Home Directory tab, set Application Protection to Low (IIS Process).
7. Click OK to save your changes and return to the IIS Manager.
8. For Windows 2003 only: right-click DefaultAppPool in the Application Pools folder and select Properties.
9. On the Identity tab, choose Predefined and select Network Service from the list.