Frequently Asked Questions


General Product Information

What is ManageEngine Network Configuration Manager?

ManageEngine Network Configuration Manager is a comprehensive Network Change and Configuration Management (NCCM) solution that enables the Network Administrator to efficiently and effortlessly manage the configurations of Network Devices. Network Configuration Manager offers multi-vendor network device configuration, continuous monitoring of configuration changes, notifications on respective changes, detailed operation audit and trails, examining device configurations for compliance to a defined set of policies and standards, real-time compliance status reporting, easy and safe recovery to trusted configurations, automation of configuration tasks and insightful reporting. For more details, click here.

What does Network Configuration Manager do?

Network Configuration Manager can manage network devices such as switches, routers, firewalls, wireless access points and integrated access devices from multiple vendors such as Cisco, HP, Nortel, Force10, D-Link, Juniper, NetScreen, NETGEAR, Dell, 3Com, Foundry, Fortinet, ADTRAN, Enterasys, Huawei, Extreme, Proxim, Aruba and Blue Coat. It discovers network devices, builds up an inventory database and allows IT administrators to take control of configuring the devices from a central console. The web-based administrator console provides the user interface to perform all the configuration operations. Additionally, it can be accessed from anywhere using any standard web browser.

Can Network Configuration Manager Manage the Configurations of Cisco Devices?

Yes, Network Configuration Manager can manage the configurations of Cisco devices. Cisco router configuration, Cisco switch configuration and Cisco firewall configuration can be done using Network Configuration Manager. Apart from Cisco devices, Network Configuration Manager can be used to manage the configurations of switches, routers, firewalls, wireless access points and integrated access devices from other vendors such as HP, 3Com, Foundry, FortiGate and NetScreen.

Can Network Configuration Manager be used to manage router configuration / switch configuration / firewall configuration?

Yes, Network Configuration Manager can be used to manage router configuration, switch configuration and firewall configuration from multiple vendors such as Cisco, HP, 3Com, Foundry, FortiGate and NetScreen.

What are the devices supported by Network Configuration Manager?

Network Configuration Manager at present supports switches, routers, firewalls, wireless access points and integrated access devices. For new device support, send your request.

What are the vendors supported by Network Configuration Manager?

Network Configuration Manager at present supports Cisco, HP, Nortel, Force10, D-Link, Juniper, NetScreen, NETGEAR, Dell, 3Com, Foundry, Fortinet, ADTRAN, Enterasys, Huawei, Extreme, Proxim, Aruba and Blue Coat. For new vendor support, send your request.

Is Network Configuration Manager available for evaluation or direct purchasing?

Network Configuration Manager is available for both evaluation and direct purchase. Please contact our sales team at +1-888-720-9500 or email sales@manageengine.com

Do I need any prerequisite software to be installed before using Network Configuration Manager?

There is no prerequisite software installation required to use Network Configuration Manager. MySQL, TFTP server and Syslog server are bundled with the product itself. If you want to receive change management notifications via email, you need to configure an external SMTP server (optional).

What is the Licensing Policy for Network Configuration Manager?

Professional Evaluation Edition - download valid for 30 days, capable of supporting a maximum of 50 devices. Free support would be offered during evaluation.

Professional Edition - Licensing based on the number of devices for which support is needed. Priority support would be offered. For more information or to get a license, contact sales@manageengine.com

Free Edition - download valid forever, capable of supporting a maximum of two devices.

Do I have to reinstall Network Configuration Manager when moving to the Professional Edition?

No. You need not reinstall or shut down the server. You just need to enter the new license file in the "Register" link present in the top right corner of the Network Configuration Manager web interface.

What are the browser versions supported by Network Configuration Manager?

Web Interface requires one of the following browsers** to be installed in the system:

  • IE 7 and above (on Windows)
  • Firefox 2.0 and above (on Windows and Linux)

** Network Configuration Manager is optimized for 1024 x 768 resolution and above

What are the System Configuration Requirements for Network Configuration Manager?

Refer to the information available in the System Requirements section.

Logging in to the Web Interface

I forgot the password to login to Web Interface

You can get a new password for an account using the Login Name and Email Id of that account (the Email Id should match the one that was configured for the user earlier).

  • Click 'Forgot Password?' link in the login screen
  • Provide the Login Name in the text field
  • Provide the Email Id configured for the service
  • The password will be mailed to your mail account
  • Use that auto generated password for logging into the service which you can choose to change later on

How do I change the password of my login account?

Login to the Network Configuration Manager Web Interface

Users with admin privileges can change their Login Password through the 'Edit Account Settings' functionality of "Admin" Tab. Ordinary users (that is, users who do not have admin privileges) can change their Login Password through the 'Edit Account Settings' functionality present in left-hand side of "Home" Page.

To Change Login Password,

  • click "Admin" tab >> "Change Password"
  • enter the old password
  • enter new password
  • confirm the new password
  • click "Save"
  • password is now reset

Inventory (Devices)

What is Config Conflict and how to resolve it?

A configuration conflict occurs when there is a difference between the startup and running configuration of your device. NCM will indicate a conflict by showing "Conflict Detected" status in the "Config Conflict" column of device list. You can click the status to see the difference between two configurations. This can have a huge impact if something goes wrong and you want to reset the device. The device will always start with the Startup Configuration after reset and all the changes made in running configuration will be lost. To resolve this conflict, or to sync the running and startup configuration, please follow the steps given below:
  • Please select one or more devices from the list in Inventory.
  • Click on the three horizontal dots (more options) in the top right corner of the page.
  • Click on "Sync Configuration".

What is Compliance Status?

A set of rules can be defined for the configuration of any device. A rule can state, for example, that a particular keyword or line(s) must or must not be present in a particular configuration. One or more of these rules can be combined into a Compliance policy, and these policies can then be associated with a particular device or a group of devices. If a device configuration violates the associated rules, NCM will show a compliance violation for that device. To resolve the compliance status, change the device configuration accordingly. Alternatively, if a remediation configlet is associated with the rule, you can choose to execute it to make the required changes to the configuration automatically.
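The rule model described above (a pattern that must or must not appear, grouped into a policy and checked against a device configuration) can be sketched as follows. This is an added example, not NCM's own code; the rule names, patterns and the sample configuration are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str           # regex tested against each configuration line
    must_be_present: bool  # True: a match is required; False: a match is forbidden


@dataclass(frozen=True)
class Violation:
    rule: str
    line_no: Optional[int]  # None when a required line is missing
    detail: str


def check_rule(rule: Rule, config_lines: List[str]) -> List[Violation]:
    """Evaluate one must / must-not rule against the configuration lines."""
    regex = re.compile(rule.pattern)
    hits = [(no, line) for no, line in enumerate(config_lines, start=1)
            if regex.search(line)]
    if rule.must_be_present:
        if hits:
            return []
        return [Violation(rule.name, None, "no line matches " + rule.pattern)]
    # Forbidden content: report every offending line so it can be remediated.
    return [Violation(rule.name, no, line.strip()) for no, line in hits]


def check_policy(policy: List[Rule], config_text: str) -> List[Violation]:
    """A policy is a list of rules; an empty result means the device complies."""
    lines = config_text.splitlines()
    violations: List[Violation] = []
    for rule in policy:
        violations.extend(check_rule(rule, lines))
    return violations


# Hypothetical policy: names and patterns are assumptions for this example.
BASELINE_POLICY = [
    Rule("password-encryption-enabled", r"^service password-encryption\s*$", True),
    Rule("no-default-snmp-community", r"^snmp-server community (public|private)\b", False),
    Rule("no-telnet-on-vty", r"^\s*transport input\b.*\btelnet\b", False),
    Rule("syslog-host-configured", r"^logging host \S+", True),
]

# Constructed running configuration (IOS-like syntax, documentation addresses).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw-01
service password-encryption
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
 login local
"""

if __name__ == "__main__":
    for v in check_policy(BASELINE_POLICY, SAMPLE_RUNNING_CONFIG):
        where = f"line {v.line_no}" if v.line_no else "missing"
        print(f"{v.rule}: {where}: {v.detail}")
```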

What is Baseline Conflict and How to resolve it?

If there is any difference between the baseline configuration and the running configuration of your device, NCM will consider that as a baseline running conflict. This will be shown as "Conflict Detected" status in the "Baseline Conflict" column of device list. To resolve such conflict you need to label your running configuration as baseline configuration. To do that please follow the steps given below:
  • Click on the device that has the baseline-running conflict. This will open the device details page.
  • Check the Current Version and the Baseline version in front of Running Config header.
  • Click on the "Current Version" to see the configuration details.
  • In configuration details page click the More Option Icon
  • Click on "Set as Baseline". This will change the status back to "In Sync".

What is the impact of Baseline Conflict?

Unlike Startup Running conflict, there won't be any major impact if the Baseline Running conflict is ignored. Baseline configurations are just the well-known labelled configuration. The conflict status shows you the changes made from that well-known configuration till date. If you consider your current running configuration as well set and want to save it as baseline you can choose to do that. Please click here to see how to do that.

Why is the credential icon grayed out in the device list?

The credential icon in the device list indicates whether the credentials for a particular device are provided or not. If the credential icon is grayed out, there are no credentials associated with the device and you won't be able to take a backup of the device. To know more on how to provide credentials to a device, please click here

Can I apply the same credentials to multiple devices?

Yes, the same set of credentials can be provided to any number of devices. Please click here to see how to provide credentials to a set of devices at a time. You can also choose to create a device group with a set of devices and then apply the credential to that group from Device Group page in inventory. Also if you find yourself using the same credentials multiple times, please save those credentials as a credential profile, and next time while applying the credential just select the profile and NCM will fill all the necessary details.

What happens if I unmanage a device? 

If a device is in the unmanaged state, you won't be able to perform any important operations like Configuration Backup, Upload Config, Automatic Change Detection, Sync Configuration, Compliance Management or Change Management etc. Any schedule that contains the unmanaged device won't perform the scheduled task for the said device, even if the schedule was created when the device was in the managed state.

Discovery

I have my devices listed in a text file. Can I import them to the inventory of Network Configuration Manager?

Network Configuration Manager provides the option to import devices from a text file and add them to the inventory. To import devices from a text file, Network Configuration Manager requires that the entries in the file conform to a specific format. For more details, refer to the section on "Device Addition" in help documentation.

Can I apply same set of credentials to multiple devices as a bulk operation?

Yes. You can apply the same set of credentials 'as they are' to multiple devices. In such cases, to avoid the cumbersome task of entering the credentials for each device separately, Network Configuration Manager offers the flexibility of creating common credentials and sharing them among multiple devices. This is called a 'Credential Profile'. For more details, click here.

What happens when existing devices are rediscovered?

If a device is already discovered and added to NCM successfully there won't be any effect if you run the same profile again and try to discover the device again.
In case the device was not added during first discovery due to some reason, and now it satisfies all the conditions to be added then the device will be added to NCM successfully.
 
Why are devices discovered as unknown devices, or why are reachable devices not added to NCM?

A device will be shown as unknown in the discovery notification and won't be added to NCM if any of the following conditions is met:
  • Device is not reachable: Make sure the device is up and running and is reachable via ping.
  • SNMP is not enabled: NCM can discover only SNMP enabled devices, so make sure that SNMP is enabled for the device.
  • Wrong credentials: Make sure the selected credential profile applies to the device you are trying to discover.
  • SysObjectID not present in NCM: If none of the above criteria applies to the device you are trying to discover, check the list of SysObjectIDs supported by NCM under Settings > NCM > SysObjectID Finder. Click on Add, provide the device IP address and other required information, and click Next. NCM will find the SysObjectID for the device and you can assign it to the appropriate device template.

You can get more information about adding SysObjectIDs and their usage here. If you are still having trouble discovering your device(s), please contact the NCM support team.
 
Where can I find and edit all the added discovery profiles?

  • Go to Settings > Discovery > Discovery Reports
  • There you can see the list of all the discovery profiles created earlier.
  • You can click on any profile to edit it.
  • You can also delete the profile by clicking on the bin icon for the respective row.

Can I reschedule the already added profile?
 
Yes, to reschedule a profile, use the following guidelines:
  • Go to Settings > Discovery > Discovery Reports
  • Click on the profile you want to reschedule, this will open the edit discovery page, at the bottom of the page, expand the schedule section and edit the parameters as required.
  • Click Save to save the changes.

Where can I view/edit the credential profiles for discovery?
 
To view/edit any credential profile use the following steps:
  • Go to Settings > Discovery > Credentials
  • All the available credentials will be displayed under SNMP tab.
  • You can click on any of the credential to open the edit wizard.
  • You can also delete a particular credential by clicking the bin icon.

Is there any report where I can check the status of previous discoveries?
 
Yes, you can always check details such as the number of devices added or deleted, or the time it took to discover all the devices, under Settings > Discovery > Discovery Reports > Select Reports from the top right corner.
 
Can I choose multiple credential profiles while creating a discovery profile?
 
Yes, there is no restriction on the number of credential selection, so you can select as many credentials as you like.

Credential

What should be done if the protocol needed is not listed for the chosen Device(s)?
 
After adding the device, while applying the credentials, if you don't find the protocol that you need, listed in the apply credential slide, then it means the Device Template used to add the device, does not support that particular protocol. To resolve the issue please contact ncm-support team and we will create a new device template for you, which can then be used to get the desired results.

What is the purpose of additional credentials for a device?
 
The additional credentials option can be used to provide the following additional details:
  • TFTP/SCP Server Public IP: When the device is present outside the private network (i.e. when the private IP of Network Configuration Manager is not reachable for the device), this parameter can be used to provide the public IP of the Network Configuration Manager server (NAT'ed IP of Network Configuration Manager). This IP will be used in Configuration backup via TFTP / SCP. If you have not chosen any TFTP or SCP protocol, this field can be ignored.
  • Telnet/SSH Port: By default, NCM uses port number 23 for Telnet protocols and 22 for SSH protocols; you can change this field to use a different port. The change will be effective only for the selected device.
  • Login Prompt: The text/symbol that appears on the console to get the typed login name is referred to as the login prompt. For example, in "Username@", '@' is the login prompt. Another example is "Login:", where ':' is the login prompt. These prompts are pre-defined in the device's settings, and while applying the credential one shall provide the exact prompts for NCM to access the device properly.
  • Password Prompt: The text displayed on the console when asking for the password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in the device's settings, and while applying the credential one shall provide the exact prompts for NCM to access the device properly.
  • Enable User Prompt: The text displayed on the console when asking for Enable UserName. For example, in "Username@", '@' is the login prompt. Another example is "Login:", where ':' is the login prompt. These prompts are pre-defined in the device's settings, and while applying the credential one shall provide the exact prompts for NCM to access the device properly.
  • Enable Password Prompt: The text displayed on the console when asking for password. For example, "Password:" has ':' as the password prompt. These prompts are pre-defined in the device's settings, and while applying the credential one shall provide the exact prompts for NCM to access the device properly.

What is "Prompt" in Credentials?
 
Prompt is a text/symbol that appears on the console after successfully logging into a device. Please refer to the image given below for more details.
 
In the image given above, after providing the correct username and password the device name is shown with '#' symbol which is the indicator that the user can now enter commands to use the device. That '#' symbol is the prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in device's settings and while applying the credential one shall provide the exact prompts for NCM to access the device properly.

What is "Enable Prompt" in Credentials?
 
Enable Prompt is a text/symbol that appears on the console after you have successfully entered the enable mode of the device. Please refer to the image given below for more details.

In the image given above, after providing the correct username and password and executing the 'enable' command, the user is in enable mode and the device name is shown with the '#' symbol, which is the indicator that the user can now execute commands in enable mode. That '#' symbol is the enable prompt in this case, and shall be provided while applying the credentials. These prompts are pre-defined in the device's settings, and while applying the credential one shall provide the exact prompts for NCM to access the device properly.

What is the difference between Telnet and Telnet-TFTP protocol in credentials?
 
Telnet-TFTP has one advantage over the Telnet protocol: it allows you to do file transfers. Any operation that relies on a file transfer will not work with the Telnet protocol but will work with Telnet-TFTP. One such important operation is uploading a configuration to the device.

What is the difference between SSH and SSH-TFTP / SSH-SCP protocol in credentials?
 
SSH-TFTP and SSH-SCP protocols allow file transfers for various operations like uploading a configuration to the device. These operations can't be performed with SSH protocol. SSH-SCP is a more secure protocol than SSH-TFTP.

What is a Credential Profile?
 
A credential profile is a set of credentials that can be saved and used later to apply credentials to a particular device or to a group of devices at a time. Following are some of the benefits of creating a credential profile:
  • It eases the process of applying credentials to multiple devices at a time.
  • You can name common credentials, to make them easily identifiable.
  • You won't have to provide every single parameter multiple times for devices that are using same credentials.
  • If any parameter for accessing multiple devices is changed and all those devices are associated with a single credential profile, then you can simply edit the credential profile instead of changing credentials for each device one by one.

What to do if Enable Username and password are not configured?
 
If your device doesn't use any username or password for entering the enable mode, you can simply configure the "Enable Prompt" value in credentials and ignore the "Enable Username" and "Enable Password" fields.

What to do if Enable Username is configured without a password?
 
If your device is configured to use only a username to enter enable mode and not the password, please provide the "Enable Username" and "Enable Prompt" while applying credential and you can provide any dummy value in the "Enable Password" field.

Can we have multiple values for prompts?
 
Yes, multiple values in the form of a regular expression can be provided for prompts while applying credentials. NCM will determine the appropriate prompt value from the ones provided in the regular expression.

Can we have one profile for SNMP/SSH/Telnet protocols?
 
Yes, multiple protocols can be included and configured in a single credential profile. Please click here to know more on how to create a credential profile. Once the profile is configured with multiple protocols, you can use it to apply the credentials, and while applying credentials you can select the appropriate protocol for that particular device or set of devices.

How do I change the credentials for a single device that is associated with a credential profile along with other devices?

When credentials are applied to multiple devices using a credential profile, it is easy to edit the credential profile to edit credentials for all the associated devices. But if you want to change the credentials for a single device out of that set, you will have to remove the association with the credential profile first. Please follow the steps given below to change the credentials for a single device associated with a credential profile along with other devices.
  • Click on the credential icon for the said device from device list. Alternatively you can select the device and click on the 3 horizontal dots on top right and click on "Apply Credentials".
  • Select the desired protocol
  • Select "---Select---" option from "Use Credential Profile" dropdown to disassociate the device from the credential profile
  • Make the necessary changes to credential parameters.
  • Click on Save.

SysObjectID

What is a SysObjectID?
 
SysOID or System Object ID is an id provided to all the SNMP agents. This ID is used by Network Management systems like NCM to automatically detect the monitoring capabilities of the given device and some other useful information about the device.

What is the use of SysOID in NCM?
 
NCM uses SysOID for mainly 2 operations as described below:
 
Discovery: To add a device in NCM, it must be associated with one of the device templates available in NCM, and during discovery NCM uses the device's SysOID to determine the appropriate template for the given device.

EOL/EOS Information: NCM also determines the EOL (End of Life) and EOS (End of Sale) dates for a particular device based on its SysOID. This information can also be gathered using the Series and Model of the device, but it may not be accurate. So please keep the SysOID mapping updated for your devices under Settings > NCM > Device SysOID Mapping page.

Where can I find the manually added SysOIDs?
 
You can find all the manually added SysOIDs under Settings > NCM > SysObjectID Finder > Click on Custom on the top right corner.

Can I edit/delete the already added SysOID?
 
You can't edit the default SysOIDs present in NCM but you can always edit or delete the SysOIDs which are added manually. To edit SysOIDs please follow the steps given below:
  • Go To Settings > NCM > SysObjectID Finder
  • Click on Custom in the top right corner
  • Click on the SysOID entry you want to edit
  • Provide the new device template, series and model information (latter two are optional)
  • Click save
  • You can also delete a particular entry by clicking the bin icon given in front of it 
 
 
Can I update SysOID for a whole group of devices?
 
Yes, you can update SysOIDs group wise.
Please select the 'Select Device Group option' under Update SysOID page and select the group you want to update from the given drop down. Only public groups will be shown in the drop down, so make sure the group you are trying to update is marked public.
Alternatively you can select multiple devices from the given list of devices.  

I have triggered the update option from Update SysOID page but still I can't see the SysOID mapping in Device SysOID Mapping page.
 
Updating SysOIDs may take several minutes depending on the number of devices and the number of SNMP profiles you have selected. So please wait for some time, and if you still don't see the SysOIDs updated in the mapping table, please make sure you have chosen the right SNMP profiles to update the information. Also make sure that the devices you are trying to update the information for are SNMP enabled.
 
If none of the above mentioned troubleshooting methods works for you, kindly contact the NCM support team and we will be happy to help you. 
 
While adding new SysOID after providing the device hostname/IP address, system is not proceeding to next step
 
Please make sure the device is reachable and also the SNMP is enabled for the device.
Also make sure the credentials provided to find the SysOID are correct.
If any of the reasons mentioned above is the root cause for your issue, then you will receive an error message after the timeout exceeds.
If this information doesn't help and you are still facing the issue in finding SysOID, feel free to contact NCM support team, we will be happy to help you.
 

Device Template

What is a device template?
 
Device Template is a set of configurations, which contains some device specific commands to enable NCM to perform backups and other device specific actions on a particular device.
NCM comes bundled with over 200 device templates which in turn supports over 4000 devices.
You can also add custom device templates according to your requirements to manage additional devices, or a new device template can be requested from NCM support team. 
 
What information does one need to know before creating / editing a device template?

Try to gather the following information about your device before you try to edit/create a device template:
 
Mandatory:
  • Command to disable pagination in the devices.
  • Command to fetch the startup configuration. (Only if the device supports startup configuration)
  • Command to fetch the running configuration.
  • Command sequence to fetch the configuration using Telnet or SSH.
  • Command sequence to show the configuration version information.
 
Optional:
  • Command to enter configuration mode on the device.
  • Command to exit configuration mode.
  • Command sequence to upload configuration using Telnet or SSH.
  • Command sequence to commit a configuration change on the device. 
 
What are the command template variables used by NCM?
 
Following is the list of all the command template variables used by NCM in device templates:
 
Variable                            Description
${UserInput:tftp_server_address}    IP Address of TFTP Server which can be found under Settings > NCM > Server Settings > TFTP Server
${UserInput:file_name}              Filename to save the configuration on TFTP or SCP server
${UserInput:HostIpAddress}          IP Address of Syslog Server which can be found under Settings > NCM > Server Settings > Syslog Server
${UserInput:LoggingLevel}           Syslog level on or above which
${UserInput:scp_server_address}     IP Address of SCP Server which can be found under Settings > NCM > Server Settings > SCP Server
${UserInput:scp_username}           SCP server username
${UserInput:scp_password}           SCP server password
 
  
Note: Not all commands are supported on device.
 
 
What are some of the best practices while creating/editing a device template?
 
Please go through the following best practices:
  • Try to check multiple device templates to get a hang of all the appropriate command syntax.
  • Gather all the information required for your device template. 
  • Find out whether you need to use any pre-command or command variable while creating/editing the device template, if yes what are they and where to use them.
  • Try to create a device template tweaking existing device templates instead of going for a completely new device template from scratch.
  • Always make a backup copy of a device template before modifying it.

Inventory & Change Detection

How does Network Configuration Manager help me in keeping track of configuration changes?

One of the ways to detect configuration changes in a device is by monitoring syslog messages. Many devices generate syslog messages whenever their configuration undergoes a change. By listening to these messages, it is possible to detect any configuration change in the device. This comes in handy for administrators to keep track of the changes being made and to detect any unauthorized changes.

Network Configuration Manager leverages this change notification feature of devices to provide real-time change detection and tracking. A syslog server comes in-built with Network Configuration Manager. It occupies port 514.

Besides the real-time change detection, configuration changes could also be tracked through scheduled, periodic backup of device configuration. For more details refer to the section "Configuration Change Detection" in help documentation.
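The syslog-based change detection described above can be illustrated with a small parser that picks configuration-change messages out of received syslog lines and flags changes made by unexpected users or from unexpected hosts. This is an added example, not NCM's own code; it assumes Cisco IOS-style %SYS-5-CONFIG_I messages (other vendors use different formats), and the sample records and allowlists are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Cisco IOS-style change notification, e.g.
# "%SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.10)"
CONFIG_CHANGE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<origin>\S+)"
    r"(?: by (?P<user>\S+))?"
    r"(?: on (?P<line>\S+))?"
    r"(?: \((?P<source>[0-9a-fA-F.:]+)\))?"
)


@dataclass(frozen=True)
class ChangeEvent:
    device: str            # address the syslog message was received from
    user: Optional[str]    # account named in the message, if any
    source: Optional[str]  # remote address of the session, if any
    authorized: bool
    reason: str


def parse_change(device: str, message: str,
                 allowed_users: Set[str],
                 allowed_sources: Set[str]) -> Optional[ChangeEvent]:
    """Return a ChangeEvent for a config-change message, None for anything else."""
    match = CONFIG_CHANGE.search(message)
    if match is None:
        return None
    user, source = match.group("user"), match.group("source")
    reasons = []
    if user not in allowed_users:
        reasons.append("user not in allowlist")
    if source is not None and source not in allowed_sources:
        reasons.append("session not from a management host")
    return ChangeEvent(device, user, source, not reasons,
                       "; ".join(reasons) or "ok")


def detect_changes(records: Iterable[Tuple[str, str]],
                   allowed_users: Set[str],
                   allowed_sources: Set[str]) -> List[ChangeEvent]:
    """records are (sender address, raw syslog line) pairs, as a UDP 514 listener would see them."""
    events = []
    for device, message in records:
        event = parse_change(device, message, allowed_users, allowed_sources)
        if event is not None:
            events.append(event)
    return events


# Constructed allowlists and syslog records (documentation address ranges).
ALLOWED_USERS = {"netops"}
ALLOWED_SOURCES = {"198.51.100.10"}
SAMPLE_RECORDS = [
    ("192.0.2.1", "<189>101: Jan 12 10:15:02.113: %SYS-5-CONFIG_I: "
                  "Configured from console by netops on vty0 (198.51.100.10)"),
    ("192.0.2.1", "<187>102: Jan 12 10:16:40.001: %LINK-3-UPDOWN: "
                  "Interface GigabitEthernet0/1, changed state to up"),
    ("192.0.2.2", "<189>77: Jan 12 23:41:09.532: %SYS-5-CONFIG_I: "
                  "Configured from console by tempuser on vty1 (203.0.113.77)"),
    ("192.0.2.3", "<189>12: Jan 13 02:05:55.900: %SYS-5-CONFIG_I: "
                  "Configured from console by console"),
]

if __name__ == "__main__":
    for e in detect_changes(SAMPLE_RECORDS, ALLOWED_USERS, ALLOWED_SOURCES):
        status = "authorized" if e.authorized else "REVIEW"
        print(f"{e.device} user={e.user} source={e.source} {status} ({e.reason})")
```

A flagged event is a prompt to pull the device's current configuration and compare it with the last known-good version, which is the follow-up step the backup-based tracking above provides.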

Reports

Can I receive automatically generated reports on Device Configuration in my mailbox?

Yes, Network Configuration Manager provides option to mail reports to email IDs. You can schedule reports to be generated at any point of time and reports will be mailed to your email ID.

Can Network Configuration Manager generate email alerts?

Yes, Network Configuration Manager can be configured to send email alerts whenever a configuration change occurs. For more details refer to the section "Change Management" in help documentation.

Does Network Configuration Manager maintain historical data about Device Configuration?

Yes, it maintains historical data of device configuration. The historical data is available in the device properties page of each device. For more details refer to the section "Device Configuration Details" in help documentation.

Security Aspects

How much security does Network Configuration Manager offer to my configuration?

Network Configuration Manager offers a good level of security to your configuration, as all the configuration information retrieved from devices is encrypted and stored in the DB. Device credential information is also encrypted and stored in the DB.

Can we install our own SSL certificate? How?

Yes, you can install your own SSL certificates in Network Configuration Manager. Please follow the steps below to do that:

If you are using keytool utilities for certificate generation

Network Configuration Manager runs as an HTTPS service. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, on first-time startup, it creates a self-signed certificate. This self-signed certificate will not be trusted by user browsers. Thus, while connecting to Network Configuration Manager, you need to manually verify the certificate information and the hostname of the Network Configuration Manager server carefully and force the browser to accept the certificate.

To make the Network Configuration Manager server identify itself correctly to the web browser and the user:

  • you need to obtain a new signed certificate from a CA for the Network Configuration Manager host or
  • you can configure an existing certificate obtained from a CA with wild-card principal support for the Network Configuration Manager host

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake

  • Go to <Network Configuration Manager_Home>/jre/bin folder
  • Execute the command: ./keytool -genkey -alias "Network Configuration Manager" -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of_days> -keystore <keystore_filename>
  • The command will prompt you to enter details about you and your organization:
    1. For the 'first and the last name' enter the FQDN of the server running Network Configuration Manager
    2. For other fields enter the relevant information
    3. <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key and <no_of_days> is the validity of the key pair in number of days, from the day it was created
  • This will create a keystore file named <keystore_filename> in the same folder, with the generated key pair

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step.

  • Go to <Network Configuration Manager_Home>/jre/bin folder
  • Execute the command: keytool -certreq -keyalg RSA -alias "Network Configuration Manager" -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename>
    • Note that the <csr_filename> that you choose should have the .csr extension. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the last step
  • This will create a CSR file named <csr_filename> in the same folder

Step 3: Submit the CSR to a Certificate Authority (CA) to obtain a CA-signed certificate

  • Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation or website for details on submitting CSRs. This will involve a cost to be paid to the CA
  • This process usually takes a few days, and you will be returned your signed SSL certificate and the CA's certificate as .cer files
  • Save them both in the <Network Configuration Manager_Home>/jre/bin folder

Step 4: Import the CA-signed certificate to the Network Configuration Manager server

  • Import your SSL certificate into your keystore
  • Go to <Network Configuration Manager_Home>/jre/bin folder
  • Execute the command: keytool -import -alias "Network Configuration Manager" -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_certificate>
  • <your_ssl_certificate> is the certificate you obtained from the CA, a .cer file saved in the previous step. The <privatekey_password>, <keystore_password> and <keystore_filename> are the ones used in the previous steps
  • Now copy the <keystore_filename> to the <Network Configuration Manager_Home>/conf folder

Step 5: Finally, configure the Network Configuration Manager server to use the keystore with your SSL certificate

  • Go to <Network Configuration Manager_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
  • Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "RGV2aWNlRXhwZXJ0". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
  • Restart the Network Configuration Manager server and connect through the web browser. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!

Note 1: Tomcat by default accepts only the JKS (Java Key Store) and PKCS #12 format keystores. If the keystore is in PKCS #12 format, include the following option in the server.xml file along with the keystore name:

keystoreType="PKCS12"

This tells Tomcat that the format is PKCS12. Restart the server after this change.

To configure an existing SSL certificate with wild-card support:

  • Go to <Network Configuration Manager_Home>/conf folder
  • Open the file server.xml
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one belonging to the existing wild-card certificate.
  • Also search for the entry 'keystorePass' (which will in fact be next to keystoreFile), which will have the default value set to "RGV2aWNlRXhwZXJ0". Change the value to "<keystore_password>" where <keystore_password> is the one used to protect the existing wild-card certificate keystore.
  • Restart the Network Configuration Manager server and connect through the web browser. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!

Note 2: Please refer to your CA's documentation for more details and troubleshooting

If you are using OpenSSL / Microsoft Utilities

Follow these steps to use your own certificates:

  • Generate the certificate signing request and generate the certificate using MS CA, as you did before (or use the cert generated before). DO NOT use the one generated using keytool
  • This procedure has been tested with Base64-encoded certs, so use the same
  • Download OpenSSL from http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8e.exe and install it on your system
  • After install, go to the OpenSSL\bin folder
  • Copy the private key (generated with your CSR), your certificate and the root certificate into this bin folder
  • Run this command on the command prompt: openssl pkcs12 -export -in <cert_file>.cer -inkey <private_key>.key -out <keystore_file>.p12 -name "Network Configuration Manager" -CAfile <root_cert_file>.cer -caname "Network Configuration Manager" -chain, where
  1. cert_file is the certificate with the .cer extension
  2. private_key is the private key file with a .key extension
  3. keystore_file is the keystore that will be generated with a .p12 or .pfx extension
  4. root_cert_file is the root certificate with a .cer extension
  5. provide the extension for all the file entries on the command line
  • When prompted for password, enter 'RGV2aWNlRXhwZXJ0'
  • This will generate the keystore file <keystore_file>.p12 in the same folder
  • Copy this file to <Network Configuration Manager_Install_Folder>\conf folder
  • Move to <Network Configuration Manager_Install_Folder>\conf folder
  • Open the file server.xml and make the following changes
  • Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_file>.p12"
  • Make sure the entry for 'keystorePass' is set to "RGV2aWNlRXhwZXJ0"
  • Add a new entry keystoreType="PKCS12" next to the keystorePass entry
  • Save the server.xml file
  • Restart the Network Configuration Manager server and connect through the web browser. If you are able to view the Network Configuration Manager login console without any warning from the browser, you have successfully installed your SSL certificate in Network Configuration Manager!
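An added check, not part of the product or its documentation: after editing server.xml by either procedure above (keytool or OpenSSL), this Python function reads the connector's keystoreFile, keystorePass and keystoreType attributes and reports leftover default values, a PKCS #12 keystore without its type, and typographic quotes that can arrive when an attribute is pasted from a web page. The function name, the sample connector and the ncm.p12 file name are assumptions; a missing keystoreType is treated as JKS, as Note 1 implies.

```python
import xml.etree.ElementTree as ET

# Default values quoted in the steps above.
DEFAULT_FILE = "conf/server.keystore"
DEFAULT_PASS = "RGV2aWNlRXhwZXJ0"
# Typographic quotes that arrive when attributes are pasted from a web page.
TYPOGRAPHIC = "\u201c\u201d\u2033"


def audit_server_xml(text):
    """Return findings for every Connector that sets keystoreFile."""
    # Typographic quotes make the file malformed, so report them by line first.
    bad = [f"line {n}: typographic quotes in a keystore attribute"
           for n, line in enumerate(text.splitlines(), 1)
           if "keystore" in line and any(q in line for q in TYPOGRAPHIC)]
    if bad:
        return bad
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = [c for c in root.iter("Connector") if c.get("keystoreFile")]
    if not connectors:
        return ["no Connector with a keystoreFile attribute"]
    findings = []
    for conn in connectors:
        path = conn.get("keystoreFile")
        # Assumption: an absent keystoreType means JKS, as Note 1 implies.
        ktype = conn.get("keystoreType", "JKS").upper()
        # Assumption: the file extension reflects the keystore format.
        is_p12 = path.lower().endswith((".p12", ".pfx"))
        if path == DEFAULT_FILE:
            findings.append("keystoreFile is still the default keystore")
        if conn.get("keystorePass") == DEFAULT_PASS:
            findings.append("keystorePass is the documented default")
        if is_p12 and ktype != "PKCS12":
            findings.append('PKCS #12 keystore without keystoreType="PKCS12"')
        if ktype == "PKCS12" and not is_p12:
            findings.append("keystoreType is PKCS12 but the file is not .p12/.pfx")
    return findings


# Constructed sample: the connector as the OpenSSL steps leave it
# (ncm.p12 is a hypothetical keystore name, port 443 is a sample value).
SAMPLE = """<Server><Service>
  <Connector port="443" SSLEnabled="true" keystoreFile="conf/ncm.p12"
             keystorePass="RGV2aWNlRXhwZXJ0" keystoreType="PKCS12"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE):
        print(finding)
```

Following the OpenSSL steps leaves keystorePass at the documented default, so that finding is expected there; the private key in the .p12 file is then protected only by access controls on the conf folder.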

I want to prevent unauthorized configuration changes to my core devices.

You can make use of the 'Change Management' feature of Network Configuration Manager. For more details, refer to the section "Configuration Change Management" in the help documentation.

Miscellaneous

I have enabled syslog-based change detection for my device. But the product does not seem to detect any configuration changes.

Configuration change messages will be generated only at certain logging levels. So check whether the logging level in the device is set to one of the values listed in the "Syslog Config for Change Detection" - logging level drop-down. Also, ensure that the syslog server is running and that the syslog port (514) is free for Network Configuration Manager's use.

Has Network Configuration Manager been reviewed by any independent reviewers?

Yes. Network Configuration Manager has been reviewed by the following magazines/reviewers:

  • SC Magazine, the world's longest running monthly publication focusing on information security, has reviewed Network Configuration Manager.
  • 3d2f, a web portal featuring reviews on software products, has reviewed Network Configuration Manager. Report available here.