The initial communication between Entuity and a device is through Telnet and SSH, using a command line access credential set specified in Entuity. All required executables are included in the package and installed in the appropriate location.
However, configuration retrieval is through a separate transfer mechanism, using FTP, SCP, SFTP or TFTP. The mechanism details are specified through a step definition in the task.
- the Entuity server must be running the transfer server.
- although you can use multiple types of transfer servers at the same time, they must all use the same transfer directory.
- TFTP and FTP: these use the root directory. When the TFTP/FTP client accesses the server, you can only access the transfer server's root directory and its subdirectories.
- SFTP and SCP: you cannot set the root directory when using these. When you access the server, you must reach the desired location using the absolute path, specified fully from the root directory of the Entuity server. You can restrict an SFTP/SCP user's access to the desired transfer directory only by changing the user's access privileges in the operating system. Therefore, you cannot use 'copy run scp://10.0.0.1/configname'; instead you have to use 'copy run scp://10.0.0.1/abs/path/to/trans/dir/configname'.
- the transfer directory must be the same as that set during configure. The transfer directory can be changed in entuity\etc\entuity.cfg, wherein other transfer settings can also be edited.
Note, Cisco IOS has an option to specify FTP credentials as a part of device configuration. If FTP credentials were configured as a part of the configuration, the default retrieval script will use them instead of those specified in entuity.cfg.
If you are using SSH: CLI, SCP, and SFTP transfer methods are secure.
If you are using Telnet: SCP and SFTP transfer methods are secure. On newer devices, Cisco can encrypt passwords in the configuration using hashing algorithms (currently Types 8 and 9 are considered secure). Other password types are easily reversible and no longer considered secure.
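The Python example below is added here and is not part of Entuity or its documentation. It scans a retrieved IOS configuration for stored credentials and flags every one whose type is not 8 or 9, following the statement above. The sample configuration is constructed, and the names audit_config and CRED_RE are assumptions of this example.

```python
import re

# Types the text above names as currently secure; anything else is flagged.
SECURE_TYPES = {"8", "9"}

# Matches "enable secret 5 <hash>", "username bob password 7 <str>",
# "ip ftp password <str>" and bare " password 7 <str>" lines under "line ...".
# A missing type digit means the value is stored as type 0 (clear text).
CRED_RE = re.compile(
    r"^\s*(?:(?P<ctx>enable|username\s+\S+(?:\s+privilege\s+\d+)?|ip ftp)\s+)?"
    r"(?P<kw>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

def audit_config(text):
    """Return (line_no, context, type, verdict) for each stored credential.

    The credential value itself is never returned, so the report can be
    shared without leaking the secret or its hash.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"
        ctx = " ".join((m.group("ctx") or "line").split())
        verdict = "ok" if ptype in SECURE_TYPES else "weak"
        findings.append((line_no, f"{ctx} {m.group('kw')}", ptype, verdict))
    return findings

# Constructed sample configuration; hashes and strings are placeholders.
SAMPLE = """\
hostname R837
enable secret 9 $9$constructedsalt$constructedhash
username admin privilege 15 secret 5 $1$constructed$hash
username backup password 7 0000000000
ip ftp username EYEAccess
ip ftp password EYEPassword
line vty 0 4
 password 7 0000000000
"""

if __name__ == "__main__":
    for line_no, ctx, ptype, verdict in audit_config(SAMPLE):
        print(f"line {line_no}: {ctx} (type {ptype}) -> {verdict}")
```

Running the audit over each retrieved configuration in the transfer directory shows which devices still store credentials that anyone able to read the file, or the Telnet/FTP/TFTP traffic that carried it, could recover.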
To retrieve configurations with TFTP servers:
Before you can use configuration management, a transfer server must be configured and running. Configuration management can be used with any TFTP server.
In Linux environments, consult with your system administrator on a suitable TFTP server. In Windows environments, the Entuity ISO image includes a suitable open source TFTP server, OpenTFTPServer. OpenTFTPServer is not installed by Entuity configure.
Note, TFTP does not have an authentication mechanism, and the configuration files require global read and write permissions. Placing the TFTP root directory under the web root is a security risk, and Entuity advises against doing this. FTP is also not encrypted, and its files are transferred in clear text.
To set up OpenTFTPServer:
- Install the TFTP server to the same machine as the Entuity server. From entuity_home\integ\TFTPServer, double click on TFTPServerMTInstallerv1.61.exe.
- Through the wizard, specify the location of the TFTP server, and click Next.
- The Installer will then display the GNU General Public License. Click Next to accept the license terms and install the server. The installer will then display the install complete dialog.
- Configure the TFTP server.
  - Navigate to the TFTP server folder and edit TFTPServerMT.ini:
    - in the [HOME] section, set the directory to which the TFTP server does the initial saving of the configuration file. The TFTP root directory must be the same as the Transfer Directory defined through configure. You can verify or change it under the tftpHome key specified in entuity\etc\entuity.cfg (by default, entuity\cm_transfer).
    - in the [TFTP-OPTIONS] section, set the file operation permissions to allow writing to these folders.
Please see this article for examples of TFTP server configurations.
To set up an FTP server:
Entuity configuration management does not include an FTP server, but works with the leading FTP servers, e.g. Microsoft IIS FTP (Windows), vsftpd (Linux).
Requirements when using an FTP server:
- it must be configured to place device configurations in the same transfer directory as specified during configure.
- it must have full access rights to the directory.
- when you have a running FTP server on the Entuity server machine, you must ensure each device from which you want to receive configuration can access the FTP server.
To preconfigure Cisco devices for FTP access:
Before you use FTP on devices that require command line delivery of credentials, you can configure the device. For example, an optimal configuration on IOS would be:
R837(config)#ip ftp username EYEAccess
R837(config)#ip ftp password EYEPassword
To manage FTP access to non-Cisco devices:
FTP server credentials are specified through the lcm section of entuity.cfg, and apply to non-Cisco devices. The default settings are:
- [lcm] is the section name.
- FTPUsername identifies the FTP server account, by default anonymous.
- FTPPassword identifies the account password, by default EYE.
Required transfer server settings:
Entuity supports any third-party TFTP, FTP, SCP and SFTP servers. However, Entuity configuration management does not check that the transfer server is running before attempting a retrieval. If the server is not running, the retrieval fails and Entuity raises CM Running Configuration Retrieval Failed and CM Startup Configuration Retrieval Failed events.
The required transfer server settings are as follows:
The TFTP root directory must be the same as the Transfer Directory defined through configure. You can verify or change it under the tftpHome key specified in entuity\etc\entuity.cfg (by default entuity\cm_transfer).
The FTP root directory must be the same as the Transfer Directory defined through configure. You can verify or change it under the tftpHome key specified in entuity\etc\entuity.cfg (by default entuity\cm_transfer). The associated user must have read, write and change privileges in the location specified under the tftpHome key in entuity.cfg.
SCP and SFTP:
The user account that is used to transfer configuration files to the SCP or SFTP server must have read, write and change privileges in the location specified under the tftpHome key in entuity.cfg.