
Configuring CLI Authentication for PKI User Authentication

Authorized users can use the NNMi command line interface (CLI) to configure NNMi settings without having to navigate the NNMi console.

Public Key Infrastructure (PKI) user authentication depends on client-side operating system and web browser settings to perform user authentication. Therefore, CLI sessions cannot use PKI user authentication, because the commands run outside the web browser environment. To enable CLI authentication as a non-root user, you can give authorized users read access to the following file (root users already have read access to this file):

Windows: %NnmDataDir%\nmsas\NNM\conf\props\nms-users.properties

Linux: $NnmDataDir/nmsas/NNM/conf/props/nms-users.properties

This file contains the encrypted password for the NNMi “system” user. Any user who can read this file can invoke CLI commands as the “system” user.

Note Windows users who log on as a member of the Administrators group already have read access to the nms-users.properties file, so no further configuration is necessary for Windows users who belong to the Administrators group. For more information about configuring security, see the NNMi help.

Read access to the nms-users.properties file can be achieved using the normal Linux chmod command. However, it is recommended to configure operating system-based Access Control Lists (ACLs) to provide fine-grained access control to this file. For more information, see Setting ACLs to Enable Non-Root Users to Run CLI Commands.

Setting ACLs to Enable Non-Root Users to Run CLI Commands

ACL commands differ widely among operating systems, and among file system types on the same operating system. In addition, you might need to configure the operating system to enable ACLs; for example, by adding the acl mount option (,acl) to the relevant entry in /etc/fstab on Linux.

This section provides an example using Linux (RHEL and SuSE) ACL commands with ext3 and ext4 file systems. If you are using a different file system type or operating system, see your operating system ACL documentation for more information.

This example gives the operating system user user1 read permission for the nms-users.properties file.

Note When setting ACL permissions, specify the complete set of permissions for the given file. The provided permissions overwrite the previous permissions.

Grant permission

  1. Query the current ACLs using the following command:

    chacl -l nms-users.properties

    The output will look something like the following:

    nms-users.properties [u::rw-,u:user2:r--,u:user3:r--,g::r--,m::r--,o::---]
  2. Append the new permission (,u:user1:r--) to the list output in the square brackets ([ ]), and run the following command:

    chacl <results from within square brackets in the ACL list>,u:user1:r-- nms-users.properties

Note ACLs provide user-level control, group-level control, or both. You could also create a Linux group, for example nnmiadm, and then grant that group read access to the nms-users.properties file. Adding Linux users to or removing them from that group then grants or removes access to the nms-users.properties file, and with it the ability to run CLI commands as the “system” user.

Caution Use caution when setting ACLs: incorrect settings that remove permissions from the nmsproc user or the nmsgrp group can cause NNMi to stop functioning.

List ACLs

Run the following command:

chacl -l nms-users.properties

Remove permission

  1. Query the current ACLs using the following command:

    chacl -l nms-users.properties
  2. Identify the entry for the user you want to remove (user1) and delete it from the list: ,u:user1:r--
  3. Paste the rest of the ACL listing into the chacl command:

    chacl <list results minus user1> nms-users.properties
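Both the grant and the remove procedures above come down to the same operation: take the bracketed list that chacl -l prints, add or drop one u:name:r-- entry, and hand the complete list back to chacl, because chacl replaces the whole ACL rather than merging. The following shell functions, added here as an example and not part of the NNMi documentation, do that list editing from a captured chacl -l line and refuse to apply a list that has lost its owner (u::), group (g::), mask (m::) or other (o::) entries, which is the mistake the caution above warns about. The sample chacl -l output is constructed; chacl is assumed to be on PATH, and the file path is whatever $NnmDataDir resolves to on your system.

```shell
#!/bin/sh
# Added example (not NNMi's own code): edit the ACL list printed by `chacl -l`
# and re-apply it in full. Assumes the Linux chacl command from the page.

# Extract the bracketed ACL list from one line of `chacl -l` output.
# Input:  'nms-users.properties [u::rw-,u:user2:r--,g::r--,m::r--,o::---]'
# Output: 'u::rw-,u:user2:r--,g::r--,m::r--,o::---'
acl_list() {  # $1 = one line of chacl -l output
    printf '%s\n' "$1" | sed -n 's/^.*\[\(.*\)\]$/\1/p'
}

# Append a read-only entry for a user, unless that user already has one.
acl_add_user() {  # $1 = acl list, $2 = username
    case ",$1," in
        *",u:$2:"*) printf '%s\n' "$1" ;;          # already listed: unchanged
        *)          printf '%s,u:%s:r--\n' "$1" "$2" ;;
    esac
}

# Drop the entry for one named user, keeping every other entry in order.
acl_remove_user() {  # $1 = acl list, $2 = username
    out=""
    oldifs=$IFS; IFS=,
    for entry in $1; do
        case "$entry" in
            "u:$2:"*) ;;                            # the entry being removed
            *) out="${out:+$out,}$entry" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# Sanity check: the owner, owning-group, mask and other entries must all
# survive the edit, or the nmsproc/nmsgrp access NNMi relies on is lost.
acl_has_base_entries() {  # $1 = acl list
    case ",$1," in
        *",u::"*",g::"*",m::"*",o::"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply a complete list with chacl, but only after the sanity check passes.
apply_acl() {  # $1 = file path, $2 = complete acl list
    acl_has_base_entries "$2" || {
        printf 'refusing to apply ACL without base entries: %s\n' "$2" >&2
        return 1
    }
    chacl "$2" "$1"
}

# Usage (constructed; $NnmDataDir is the NNMi data directory):
#   f="$NnmDataDir/nmsas/NNM/conf/props/nms-users.properties"
#   current=$(acl_list "$(chacl -l "$f")")
#   apply_acl "$f" "$(acl_add_user "$current" user1)"      # grant
#   apply_acl "$f" "$(acl_remove_user "$current" user1)"   # remove
```

Because every call goes through apply_acl, a typo that drops g:: or m:: is caught before chacl runs instead of after NNMi stops working; the same functions serve the group-based variant by passing a g:nnmiadm:r-- entry through acl_add_user's pattern, if you extend it that way.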

Note Each of the directories in the nms-users.properties file path must be accessible. Normally the permission for these folders is very restrictive, preventing access. This path includes the following directories:

  • $NnmDataDir/nmsas
  • $NnmDataDir/nmsas/NNM
  • $NnmDataDir/nmsas/NNM/conf
  • $NnmDataDir/nmsas/NNM/conf/props

You can also use ACLs on these folders, or regular Linux chmod, to grant “search” access (the execute bit; for example, mode 0711) to “other”.
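A read ACL on nms-users.properties is useless if any directory above it is not searchable, and the error a user sees is the same "permission denied" either way. The function below, added here as an example and not part of the NNMi documentation, walks the directories between the file and a top directory and reports each one that "other" cannot search (the chmod route described above); a directory that carries an ACL instead, shown by the "+" that ls -ld prints on Linux, is flagged for a manual chacl -l check because the mode bits alone cannot tell whether the intended user was granted search access. The paths are assumptions; $NnmDataDir is the NNMi data directory.

```shell
#!/bin/sh
# Added example (not NNMi's own code): check that every directory between a
# file and a top directory is searchable by "other", using only ls -ld.

# Report ancestors of $1, up to but not including $2, that are not confirmed
# searchable by "other". Returns 0 when all are, 1 otherwise.
check_path_searchable() {  # $1 = file path, $2 = top directory (default /)
    dir=$(dirname "$1")
    top=${2:-/}
    rc=0
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        line=$(ls -ld "$dir")
        bits=$(printf '%s\n' "$line" | cut -c1-10)   # e.g. drwx--x--x
        extra=$(printf '%s\n' "$line" | cut -c11)    # '+' when an ACL is set
        case "$bits" in
            *x|*t) ;;                                # other has search access
            *)
                if [ "$extra" = "+" ]; then
                    printf 'ACL present, verify with chacl -l: %s (%s)\n' "$dir" "$bits"
                else
                    printf 'not searchable by other: %s (%s)\n' "$dir" "$bits"
                fi
                rc=1
                ;;
        esac
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (paths assumed): stop at $NnmDataDir, since the directories listed
# in the note above are the ones below it.
# check_path_searchable "$NnmDataDir/nmsas/NNM/conf/props/nms-users.properties" "$NnmDataDir"
```

Run it as root after granting the file ACL: an empty report and exit status 0 means a non-root user can reach the file, while any reported directory is the one to fix with chmod o+x or a directory ACL.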

Note Running the nnmrestore.ovpl command to restore from an NNMi backup overwrites the existing ACLs. In this case, after restoring NNMi, recreate and apply your ACLs manually using the procedure for adding users to ACLs described earlier in this section.

Note In an application failover or high availability (HA) environment, you must set ACLs on both nodes manually by logging onto the primary node, running the appropriate ACL commands, and then repeating the process on the secondary node.

Note In a Global Network Management (GNM) environment, each separate node might have its own ACLs with different users. For example, a user that has CLI access on a regional manager may not have CLI access on the global manager.