Cisco Unified Communications Domain Manager 11.5(3 ... · Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide First Published: 2017-11-09 Last Modified:

Cisco Unified Communications Domain Manager 11.5(3) Planningand Install GuideFirst Published: 2017-11-09

Last Modified: 2018-04-20

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITEDWARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain versionof the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDINGANYOTHERWARRANTYHEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS"WITH ALL FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OFMERCHANTABILITY, FITNESS FORA PARTICULAR PURPOSEANDNONINFRINGEMENTORARISING FROMACOURSEOFDEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, networktopology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentionaland coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnershiprelationship between Cisco and any other company. (1721R)

© 2018 Cisco Systems, Inc. All rights reserved.

https://www.cisco.com/go/trademarks

https://www.cisco.com/go/trademarks

C O N T E N T S

P r e f a c e Cisco Unified CDM Planning and Install Guide Change History vii

Cisco Unified CDM Planning and Install Guide Change History vii

P A R T I Planning 1

C H A P T E R 1 Deployment Topologies 3

Deployment Topologies 3

Multinode Cluster with Unified Nodes 4

Clustering Considerations 6

Cisco Unified Communications Domain Manager 10.x/11.5(x) Redundancy and Disaster

Recovery 6

Capacity Considerations 7

C H A P T E R 2 Hierarchy 9

Understanding Hierarchy 9

Navigating the Hierarchy 10

Manage the Hierarchy Structure 10

C H A P T E R 3 Multi-tenancy within Cisco Unified Communications Domain Manager 11

Data Partitioning 11

Parent-Child Relationships 12

Data Access 12

Security 12

C H A P T E R 4 Authentication Management 15

User Authentication 15

Credential Policies 15

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide iii

Field Reference for Data/CredentialPolicy 17

Standard Users and Sign-in 22

LDAP Users and Sign-in 23

SSO Users and Login 23

C H A P T E R 5 Entitlement Management 25

Entitlement 25

Entitlement Enforcement 26

C H A P T E R 6 IOS Device Features 29

IOS Device Features 29

IOS Device Transaction Strategy 31

IOS Command Builders and Commands 31

C H A P T E R 7 Upgrade Planning 33

API Compatibility 33

Default Schema Upgrade Issues 33

P A R T I I Install 35

C H A P T E R 8 Prepare to Install 37

Installation Prerequisites 37

Multinode Cluster Hardware Specifications 37

Standalone Hardware Specification 38

Browser Compatibility for CUCDM 39

C H A P T E R 9 Install Cisco Unified Communications Domain Manager 43

Multinode Installation 43

Standalone Installation 47

Create Virtual Machines from OVA Files 48

View Installation and Upgrade Transactions 52

C H A P T E R 1 0 Upgrade Cisco Unified Communications Domain Manager 53

Upgrade a Multinode Environment 53

Upgrade a Standalone Environment 57

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guideiv

Contents

Cancel Running Imports 60

Audit Template Customizations 61

View Template Customization Audit Reports 61

Turn off Scheduled Imports 62

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide v

Contents

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guidevi

Contents

Cisco Unified CDM Planning and Install GuideChange History

• Cisco Unified CDM Planning and Install Guide Change History, page vii

Cisco Unified CDM Planning and Install Guide Change HistoryDescriptionSectionDate

Updated the procedure and added noteon using Self-service web proxies.

Multinode InstallationApril, 2018

Updated information on converting thedatabase to WiredTiger storage engine.

Upgrade a Multinode EnvironmentApril, 2018

Updated note on template installationand upgrade.

Standalone InstallationApril, 2018

Updated information on converting thedatabase to WiredTiger storage engine.

Upgrade a Standalone EnvironmentApril, 2018

Updated note on visibility for Provideradministrator’s view.

Data AccessApril, 2018

Updated the commands to disable TLS1.1 and below.

Create Virtual Machines from OVAFiles, on page 48

April, 2018

Updated the browser compatibilityinformation for Unified CDM.

Browser Compatibility for CUCDM,on page 39

April, 2018

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide vii

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guideviii

Cisco Unified CDM Planning and Install Guide Change HistoryCisco Unified CDM Planning and Install Guide Change History

P A R T IPlanning• Deployment Topologies, page 3

• Hierarchy, page 9

• Multi-tenancy within Cisco Unified Communications Domain Manager, page 11

• Authentication Management, page 15

• Entitlement Management, page 25

• IOS Device Features, page 29

• Upgrade Planning, page 33

C H A P T E R 1Deployment Topologies

• Deployment Topologies, page 3

• Multinode Cluster with Unified Nodes, page 4

• Clustering Considerations, page 6

• Cisco Unified Communications Domain Manager 10.x/11.5(x) Redundancy and Disaster Recovery,page 6

• Capacity Considerations, page 7

Deployment TopologiesCisco Unified Communications Domain Manager 10.x/11.5(x) is deployed either as a single node, or as acluster of multiple nodes with High Availability (HA) and Disaster Recovery (DR) qualities.

Each node can be assigned one or more of the following functional roles:

WebProxy

load balancing across multiple application roles

Standalone

combines the Application and Database roles for use in a nonclustered environment

Unified

similar to the Standalone role combining Application and Database roles, but clustered with other nodesto provide HA and DR capabilities

The nginx web server is installed on theWebProxy, Standalone, and Unified node, but is configured differentlyfor each role.

In a clustered environment containing multiple Unified nodes, a load balancing function is required to offerHA (High Availability providing failover between redundant roles). Either an external third-party load balancer(not recommended) or one or more WebProxy nodes can provide the load balancing function.

The following deployment topologies are defined:

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide 3

Test or Small Production

a single Standalone node with Application and Database roles combined

Production with Unified nodes

a clustered six node system consisting of:

• 4 Unified nodes (each with combined Application and Database roles)

• 2 WebProxy nodes to provide load balancing. The two WebProxy nodes can be omitted if anexternal load balancer is available.

Cisco supports deployment of either the WebProxy node or a DNS load balancer. Here are someconsiderations in choosing a WebProxy node vs. DNS:

• The Proxy takes load off the Unified node to deliver static content (HTML/JAVA scripts). Whenusing DNS or a third-party load balancer, the Unified node has to process this information.

• DNS does not know the state of the Unified node.

• TheWebProxy detects if a Unified node is down or corrupt. In this case, theWebProxy will selectthe next Unified node in a round robin scheme.

Cisco recommends that you run no more than two Unified nodes and oneWebProxy node on a physical server(VMware server). Cisco also recommends that the disk subsystems be unique for each Unified node.

Multinode Cluster with Unified NodesThe recommended multinode deployment using Unified nodes has the following characteristics:

• Four or six Unified nodes - each node combining Application and Database roles - are clustered andsplit over two geographically disparate locations.

• Two Web Proxy nodes to provide High Availability that ensure an Application role failure is gracefullyhandled. It may be omitted if an external load balancer is available.

•Web Proxy and Unified nodes can be contained in separate firewalled networks.

• Database synchronization takes places between all Database roles, thus offering Disaster Recovery, andHigh Availability.

• All nodes in the cluster are active.

Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide4

Multinode Cluster with Unified Nodes

Primary and fall-back Secondary Database servers can be configured manually.

Figure 1: A Graphical Representation of a Recommended Multinode Cluster

WebProxies can be configured to load balance across two or four Unified nodes.Note

In a Non-Geo Redundant configuration, four Unified Nodes and one Proxy Node are configured at one DataCenter. All the four Unified Nodes are active and one of the four Unified Nodes will be designated as Primaryand will function to write to the internal database and to sync any changes across the other three UnifiedNodes. The subsequent figure illustrates the Non-Geo Redundant Multi-Node Cluster deployment.

Geo Redundant Multi-Node Cluster Active-Active Deployment

In a Geo-Redundant configuration, two Unified Nodes and one Web Proxy Node are configured at each DataCenter. One of the four Unified Nodes will be designated as Primary and will function to write to the internaldatabase and to sync any changes across the other three Unified Nodes. The maximum supported latency is20 ms Round Trip Time (RTT).The subsequent figure illustrates the Geo Redundant Multi-Node ClusterActive-Active deployment.


Multinode Cluster with Unified Nodes

Clustering ConsiderationsThe cluster contains multiple nodes that can be contained in separate firewalled networks.

Open network ports on firewalls to allow internode communication. Port requirements are described in thePlatform Guide.

All communication between nodes is encrypted.

PortsNode type

22 (SSH and SFTP), 80 (HTTP), 161 and 162 (SNMP), 443 and 8443 (HTTPS)WebProxy

22 (SSH and SFTP), 80 (HTTP), 161 and 162 (SNMP), 443 and 8443 (HTTPS), 27019,27020, and 27030 (database)

Unified

• 22/SSH is used for remote administration.

• 80 and 443 are used for the web server.

• 161 and 162 are used for sending and receiving SNMP.

• 8443 is used for intercluster communication.

• 27019, 27020, and 27030 are used for database queries and replication.

Cisco Unified Communications Domain Manager 10.x/11.5(x) Redundancy andDisaster Recovery

High Availability (HA) is an approach to IT system design and configuration that ensures Cisco UnifiedCommunications Domain Manager 10.x/11.5(x) is operational and accessible during a specified timeframe.High Availability is achieved using redundant hardware and resources. Cisco recommends the use of twophysical data centers, where the primary site contains three VMs and the secondary site contains three VMs.If there is a failure, an automatic failover to the secondary DR (Disaster Recovery) site takes place.

Web server proxy nodes perform load-balancing between application roles, so that load is distributed. Duringprovisioning, the web server proxy is provided with all the IP addresses of the application nodes. The webserver software then does load balancing among these nodes, according to its configuration. If a node fails torespond in a set time, the proxy sends the transaction to another node. If an Application role is lost, theWebProxy transparently bypasses the faulty Application role.

The proxy web server that is configured to be located in the primary site normally load balances to the twounified nodes in the primary site. The proxy web server falls back to the two nodes in the Disaster Recoverysite if the nodes in the primary site are down. The web proxy nodes in the secondary site defaults load balancingto the two unified nodes configured for the secondary site.

Data is replicated between unified node roles, and role failure is recoverable. Data replication is done usingthe database replication facility. Automatic failover between unified node roles occurs while there is greaterthan 50% unified node role availability. Once there is insufficient role availability, the systemmust be manuallyreprovisioned.


Clustering Considerations

HA can be increased by adding nodes to the cluster. Application performance and availability can be increasedby adding more application role servers.

Backups can be scheduled to run automatically across the cluster. Backups include application data,configuration, and software. Backups can take place to both local disk and remote network location. Everynode upgrade includes a snapshot backup which allows any upgrade to be rolled back.

Capacity ConsiderationsFor capacity considerations, see the Cisco Hosted Collaboration Solution, Capacity Planning Guide.


Capacity Considerations


Capacity Considerations

C H A P T E R 2Hierarchy

• Understanding Hierarchy, page 9

• Navigating the Hierarchy, page 10

• Manage the Hierarchy Structure, page 10

Understanding HierarchyIt is important to understand hierarchy used in Cisco Unified Communications Domain Manager 10.(x) orlater to successfully provide collaboration services for users.

Hierarchy levels are used to organize configuration tasks and control scoping visibility.

There are four standard hierarchy levels:

• Provider

• Reseller (optional)

• Customer

• Site

The order of the hierarchy is maintained. Provider is the top level of the hierarchy. Reseller is beneath Provider,but is optional. Customer is beneath Provider or Reseller. Site is beneath Customer.

Intermediate nodes can be created between the standard hierarchy nodes to provide logical grouping of lowerhierarchy nodes. For instance, the Provider could create intermediate nodes to group Customers by industry,or a Customer could create intermediate nodes to group Sites by region.

Each hierarchy node, standard and intermediate, can have one or more administrators to manage that nodeand the hierarchy beneath that node. The administrator's scope does not include other nodes at the same level.Thus, an administrator for Customer A can see Customer A and Customer A's sites, but cannot see CustomerB or Customer B's Sites.

Administrators at the standard levels have dedicated menu layouts, according to the role assigned when thenode is created. So the Provider administrator's menu layout is not the same as a Customer administrator'smenu layout.

The four standard hierarchy nodes are automatically synchronized with the HCM-F hierarchy. Site nodes aremapped to Locations in HCM-F.


Navigating the HierarchyNavigate through the hierarchy by using the hierarchy bar at the top of the page. Each hierarchy node selectionfrom the bar that is a parent node may further enable a drop-down list to select its child node.

Use the tree icon on the hierarchy bar at the top of the page to show a tree view of the entire hierarchy. Choosea hierarchy node on the tree to navigate to the node.

The hierarchy level to which an object belongs is indicated in a list view of the objects in the Hierarchy column.The hierarchy is indicated in a dot notation in theformat<System>.<Provider>.<Reseller>.<Customer>.<Site>, for examplesys.hcs.VS-P1.VS-OB.GenCorp.GenCorp-EMEA.GenCorp-London.

Manage the Hierarchy StructureHierarchy levels are created and deleted by adding and deleting Providers, Resellers, Customers, Sites, andIntermediate nodes. Permissions for these operations are available to administrators that are configured athigher levels in the hierarchy. For example, Provider administrators have permission to create and deleteResellers; both Provider and Reseller administrators have permission to create and delete Customers; etc.These operations are available from the Provider Management, Reseller Management, CustomerManagement, and Site Management menu items. Note that the Provider Management menu item is onlyavailable to the built-in hcsadmin account.

Each business entity that is created (Provider, Reseller, Customer, Site) will create a new node in the hierarchythat will appear in the hierarchy bar at the top of the Cisco Unified Communications Domain Manager userinterface. New intermediate nodes can be created between the standard nodes using theHierarchyManagementmenu item. Deleting both standard hierarchy nodes and intermediate nodes is done with a special cascadedelete page available in each of the Hierarchy Management menu items. For example: Site Management> Delete Site, Customer Management > Delete Customer, and Hierarchy Management > DeleteIntermediate Node.


Navigating the Hierarchy

C H A P T E R 3Multi-tenancy within Cisco UnifiedCommunications Domain Manager

• Data Partitioning, page 11

• Parent-Child Relationships, page 12

• Data Access, page 12

• Security, page 12

Data PartitioningData in the multitenant system is "partitioned" by a means of fully configurable hierarchy nodes.

The system canmodel the hierarchical nature of various businesses and manage the allocation of infrastructure.This infrastructure includes network devices, users, and other entities in the system. Hierarchy rules can beapplied to various models in the system including creating hierarchy nodes, hierarchy node types (for example:provider, reseller, customer).

Devolved administration is enabled by creating administrators with different roles for different types ofhierarchy nodes. For example:

• An administrator is responsible for the setup of the overall system.

• Provider administrators own and manage infrastructure and define services available to resellers orcustomers.

• Resellers offer the infrastructure and services to customers or enterprises.

• Customers and enterprises are grouped into various groupings.

• Groupings such as divisions or branches belong to customers.

• Physical locations hold users and phones.

• Users consume services and manage their own configurable settings.

The flexible mechanism is used to define as many levels as needed. Hierarchy node instances of differenttypes can be created and the required business rules can be defined.


Parent-Child RelationshipsAll entities in the system reside at a specific hierarchy and the data displayed is within the scope of the specifiedhierarchy. Every entity in the system - including users, device models, and network components - has a parenthierarchy defined. A user is for example provisioned with a specific hierarchy node in a parent-childrelationship. Usernames must be unique within a specific hierarchy.

The hierarchy at which an entity resides is always displayed in the list view of the item. For example, to seeat which hierarchy users are defined in the system, sign in to the system as a provider, reseller, customer, orsite administrator and navigate to User Management > Users. The resulting list view shows the hierarchy atwhich each user resides. Furthermore, the users displayed are scoped by the setting of the hierarchy bar at thetop of the UI. Only users that reside at the current setting of the hierarchy bar and below are displayed in thelist view.

Data AccessData security in the system is achieved by data partitioning and user roles. With data partitioning, the systemensures that administrative users who access the system can only view and perform operations on instancesof entities that are provisioned at their parent hierarchy, that is at the same hierarchy level as they are or atsub-trees of that hierarchy. The system restricts access to resources based on user’s parent hierarchy and thisrestriction is enforced in API middleware for every operation that is requested. This partitioning is enforcedacross the various system interfaces, for example loaders, API, and the GUI.

When an administrator navigates to a particular hierarchy and views a list of model instances, there maybe instances visible that were created at a higher level. For example, a Provider administrator’s view ofthe list of menu layouts may show instances created above the Provider’s hierarchy.This visibility is required for a Field Display Policy that can be cloned at a lower level. It does not altera user’s modify permissions on model instances created at higher hierarchies. Conversely, a Provideradministrator who inspects the list at a hierarchy level below the provider level can modify instancescreated at the provider’s hierarchyA setting Visible at Lower Hierarchy is enabled when the model is designed. It is available for Data,Domain, and Relation definitions. For Relations, the setting overrides the setting in any related models.

Note

The access profile is used to define a user’s role, the permissions to the specific entities that the user can see,and the method the user can use to interact with these entries. The permissions include details of each entitytype in the system, and the relevant privileges related to that entity type.

The data partitioning determines the hierarchy of the specific instances that the user interacts; while the roleand access profile assigned to the user determines the operations that can be performed on these instances.

SecurityFor detailed information on security profiles in Cisco Unified Communications Domain Manager 8.1(x), seeDeployment Guide for Cisco Unified Communications Domain Manager 8.1(5).

The system defaults to a self-signed web certificate.

• A unique web certificate can be copied onto the host using scp or system download.


Parent-Child Relationships

• The web certificate is installed using web cert add <certificate file>.

• Custom private certificate and the Subject AlternativeName (SAN) generated certificate setup is supportedwith the command: web cert add_san <filename>. See

The Subject Alternate Name (SAN) certificate signing request is not supported in Unified CDM forauthenticating Unified CDM servers own SAN cerificates or web proxy servers using a different name orIP address.

Note

SSH keys are used for SFTP, passwordless SSH, and SCP.

• Keys can be created using keys createkey.

• The public key copied to a remote host using keys sendkey <user@host>.

• A host can be authorized for incoming connections using keys add <host>.

The system uses an internal repository to check whether security package updates are available.

More repositories can be added with:

security repos add <repo-name> <url> <distro> <section> <categories>

For example, security repos mymirror add http://archive.ubuntu.com/ubuntu/ precise-updates mainuniverse multiverse

In order to check whether there are security updates available, use:

security check

The system can be updated using:

security update


Security


Security

C H A P T E R 4Authentication Management

• User Authentication, page 15

• Credential Policies, page 15

• Field Reference for Data/CredentialPolicy, page 17

• Standard Users and Sign-in, page 22

• LDAP Users and Sign-in, page 23

• SSO Users and Login, page 23

User AuthenticationWhen signing in to the user interfaces, the credentials of the user can be authenticated based on user credentialsin:

• The internal system database

• An LDAP-based external authentication server

• A SAML-based identity management server

Administrator users are users that are able to sign in to the administrator interface. Presence of an administratorinterface means that a system user instance exists.

Subscribers are system users that have, and are linked to, user accounts in one or more UC applications.Subscriber management supports the management of UC application user accounts that in turn may also beconfigured for local, LDAP or SAML authentication.

API users are system users that connect directly to Cisco Unified Communications Domain Manager10.x/11.5(x) using the API. The system controls access to its service through HTTP basic authentication. Thetechnique is defined in section 11.1 of RFC1945.

Credential PoliciesCisco Unified Communications Domain Manager helps secure user accounts by authenticating user sign-incredentials before allowing system access. Administrators can specify settings for, among other things, failed


sign-in attempts, lockout durations, password reset questions, and so on. The number of questions in thePassword Reset Question Pool must be equal to (or more than) the number set in the Number of QuestionsAsked During Password Reset field. Collectively, these rules form a credential policy, which can be appliedat any hierarchy level, and determine user sign-in behavior at that specific level.

A credential policy is not mandatory at specific levels in the hierarchy. However, a default credential policyis provided at the sys.hcs level. Administrators at lower levels can copy and edit this default policy if necessary.Administrators can also save it at their own hierarchy level so that it can be applied to the associated users atthat level. If the administrators at the various levels do not create a credential policy at their level, it is inheritedfrom the closest level above them. If a Provider Administrator has defined a credential policy, but a CustomerAdministrator has not, the customer automatically inherits the credential policy from the Provider. A differentcredential policy can also be defined for each user.

For each administrator user where IP address throttling (sign-in Limiting per Source) is required, manuallycreate and assign a credential policy. The credential policy must have IP address, and username and emailthrottling enabled.

The credential policy can be used to manage such password features as:

• The number of days from the date of creation for which a password can not be reused. The default is15.

• The number of character changes (inserts, removals, or replacements) that a password should have froma previous password. The default is 0 (disabled).

• The number of days within which a user’s password cannot be changed. The default set to 0, whichmeans that this re-use option is disabled.

The number of days can be set from 1 to a maximum value of 365 days (24 hour units from the activationtime). This Minimum Password Age value only applies:

• to users changing their own password

• to users if an administrator resets or changes of the user’s password, and does not enable the ChangePassword on Next Login option for the user.

In other words, if an administrator resets or changes the user’s password, and enables the user’s ChangePassword on Next Login option, the value is not affected.

The default credential policy is defined at the sys.hcs level.

Credential Policies are not applicable for SSO authenticated users. For LDAP Synched users, only thesession timeouts are applicable.

Note

See "Assign a Credential Policy to a User" in the UserManagement Chapter of Cisco Unified CommunicationsDomain Manager 10.6(3) Maintain and Operate Guide for information on how to configure a credentialpolicy for a specific user and "Credential Policies Rate Limiting" in the Troubleshooting User Access chapterof Cisco Unified Communications Domain Manager Version 10.6(3) Troubleshooting Guide for more detailson rate limiting of failed login attempts.

The table below illustrates the conditions that credential policy rules apply:


Credential Policies

Data/Credential PolicyData/User

User Specific PasswordValidation

Generic Password Validation

MinimumPassword Age(days)

NumberofDifferentPasswordCharacters

Password ReuseTime Limit

Minimum PasswordLength

ChangePassword onNext Login

Condition

not appliednotapplied

appliedappliedN/AAdmin changesuser’s password

not appliedappliedappliedappliedEnabledUser changesown password

appliedappliedappliedappliedDisabledUser changesown password

Field Reference for Data/CredentialPolicyTable 1:

Name

nameField Name

Credential policy nameDescription

StringType

Idle Session Timeout (minutes)

idle_session_timeoutField Name

Defines the number of minutes a session will remainactive in case there is no activity in the session.

Description

IntegerType

20Default

Absolute Session Timeout (minutes)

absolute_session_timeoutField Name


Field Reference for Data/CredentialPolicy

Name

Defines the maximum number of minutes a sessioncan be active. A value of 0 disables absolute sessiontimeout.

Description

IntegerType

1440Default

Password Expires (months) *

password_expiresField Name

The interval at which the password expires, in months.Description

StringType

6Default

[”Never Expire”, “3”, “4”, “5”, “6”, “7”, “8”, “9”, “10”,“11”, “12”]

Choices

User Must Change Password on First Login

change_password_on_first_loginField Name

Indicates that users must be forced to changepassword on the first login

Description

BooleanType

Lock Duration (minutes)

failed_login_lock_durationField Name

The number of minutes that a user account must belocked for after the failed password attempts havereached the threshold.

Description

IntegerType

30Default

Disable Failed Login Limiting per User

disable_failed_login_limiting_per_userField Name

Disable failed login limiting per user.Description



Name

BooleanType

Disable Failed Login User Account

disable_failed_login_user_accountField Name

Enabling this field will result in user account beingdisabled if failed login attempt reaches ‘Failed LoginCount per User’within ‘Reset Failed Login Count perUser (minutes)’. This field is disabled by default.

Description

BooleanType

Failed Login Count per User

failed_login_count_per_userField Name

The maximum number of failed login attempts for agiven user. This is also referred to as the burst size.

Description

IntegerType

20Default

Reset Failed Login Count per User (minutes)

reset_failed_login_count_per_userField Name

The number of minutes before the counter is reset forfailed login attempts for a given user. This is typicallythe interval within which a single failure is permitted,also referred to as the permitted longterm rate offailure.

Description

IntegerType

5Default

Disable Failed Login Limiting per Source

disable_failed_login_limiting_per_sourceField Name

Disable failed login limiting per source.Description

BooleanType

Failed Login Count per Source



Name

failed_login_count_per_sourceField Name

The maximum number of failed login attempts for agiven source IP address. This is also referred to asthe burst size.

Description

IntegerType

10Default

Reset Failed Login Count per Source (minutes)

reset_failed_login_count_per_sourceField Name

The number of minutes before the counter is reset forfailed login attempts for a given source. This istypically the interval within which a single failure ispermitted, also referred to as the permitted long-termrate of failure.

Description

IntegerType

10Default

Number of Questions Asked During PasswordReset

password_reset_questions_numberField Name

Determines the number of questions asked during apassword reset. The number should be less than orequal to number of entries in Reset Question Pool ifcustom question are not allowed

Description

IntegerDefault

Password Reset Question Pool

password_reset_questions.password_reset_questions.[n]Field Name

List of question fromwhich password reset questionsare drawn.

Description

ArrayType

Password Reuse Time Limit

password_reuse_time_limitField Name



Name

Period (number of days) from time of creation forwhich a password can not be reused. Defaults to 15days. Only values between 0-365 (inclusive) areallowed. A 0 (zero) value means that password reusetime limit does not apply.

Description

IntegerType

15Default

Minimum Password Length

minimum_password_lengthField Name

Minimum length (number of characters) for password.Description

IntegerType

8Default

Enable Password Complexity Validation

enable_password_complexity_validationField Name

Enable password complexity validation, defaults toFalse.When set to True, passwords shall be validatedagainst the password complexity rules.

Description

BooleanType

Inactive days before disabling user account

inactive_days_before_disabling_userField Name

The number of days a user can be inactive beforedisabling the account. With a value of 0 no checksare done.

Description

IntegerType

Session Login Limit Per User

session_login_limit_per_userField Name

The maximum number of concurrent login sessionspermitted for a user. A zero (0) value means that userlogin sessions should not be restricted.

Description



Name

IntegerType

Number of Different Password Characters

num_different_password_charactersField Name

The minimum number of character changes (inserts,removals, or replacements) required between the oldand new passwords.

Description

IntegerType

Minimum Password Age (days)

minimum_password_ageField Name

The number of days within which a user cannotchange their password. A zero (0) value means thatpassword age validation is disabled.

Description

IntegerType

Standard Users and Sign-inWhen creating a system user that uses the standard authorizationmethod, the password is stored in the internalsystem database. Cisco Unified Communications Domain Manager 10.x/11.5(x) uses the PBKDF2 algorithmwith an SHA256 hash, a key stretching mechanism recommended by the National Institute of StandardsTechnology (NIST), Computer Security Resource Center (CSRC).

When signing in as a standard user, go to the URL:

http://{hostname}/login

A sign-in page theme can be applied to the sign-in page during the log in process by adding the suffix'?theme={theme_name} where {theme_name} is an available theme. For example:http://{hostname}/login/?theme=default

When signing in, the username can be entered in either of the following formats:

{username}@hierarchy or {email address}

The hierarchy is in dot notation and corresponds with the hierarchy to which the user belongs. The hierarchylevel is the level at which the user is created.

The hierarchy on the log in form is prefixed with sys.

For example: [email protected]


Standard Users and Sign-in

LDAP Users and Sign-inWhen creating a system user using the LDAP authorization method, specify the LDAP server and the LDAPusername. The LDAP username corresponds to the sign-in Attribute Name specified in the LDAP networkconnection.

When signing in as an LDAP user, go to the URL:

http://{host name}/login

Regardless of the sign-in Attribute Name specified in the LDAP network connection, the user email addresscan be used to log in.

When signing in with LDAP credentials, the username is in the format:

{user ID}[@hierarchy]

Note:

• @hierarchy is not required when the user ID corresponds to the user's email address.

• {user ID} corresponds to the sign-in attribute name (for example email address, user principal name,sAMaccountName). The sign-in attribute name is configured in the Authentication attribute of the LDAPdevice connection associated with this hierarchy.

• The hierarchy is in dot notation and corresponds with the hierarchy to which the user belongs. Thehierarchy level is the level at which the user is created.

SSO Users and LoginWhen creating a system user using the SSO authorization method, the SSO Identity Provider must be specifiedand the SSO username.

When signing in as an SSO user, go to the URL:

http://{host name}/sso/{SSO login URI}/login

For example:

http://host.Agency1.CustomerA.com/sso/CustomerA/Agency1/login

This URL format also applies to self-service users.

Log in using the relevant SSO identity provider credentials.


LDAP Users and Sign-in


SSO Users and Login

C H A P T E R 5Entitlement Management

• Entitlement, page 25

• Entitlement Enforcement, page 26

EntitlementCisco Unified Communications DomainManager Entitlement represents the set of rules surrounding the suiteof services and devices (and their number) available for particular subscribers. For instance, one customermay specify that end users may only have voice service with a maximum of two devices, one being a flavorof IP set, and the other being an analog set. Another customer may configure their end users to have bothvoice and voicemail services, with a maximum of ten devices limited to SIP sets. Both of these are valid rulesets intended to govern their respective users' service or device set.

There are four principal Cisco Unified Communications DomainManager models fromwhich the entitlementrule sets are built:

• Device Types

• Device Groups

• Entitlement Catalogs

• Entitlement Profiles

Device Types

Device types represent the suite of physical devices which may be grouped into device groups for subsequententitlement purposes. These device types should mirror the supported product types available on the CiscoUnified Communications Manager.

The device type data model is prepopulated with a snapshot of current product types; however, the provideradministrator can add, as well as update or remove, additional device types, if needed.

Device Groups

A device group is a subset of device types. Device groups are not necessarily discrete; that is, different devicegroups may share specific device types.


Provider administrators can add, delete, and update device groups. Reseller and customer administrators canonly view device groups.

Entitlement Catalogs

An entitlement catalog specifies supported device groups and available services (broad categories offunctionality) for a particular hierarchy. The services which are available to be selected in an entitlementcatalog are as follows: Voice, Voicemail, Presence, Extension Mobility, Single Number Reach, WebEx, andCMR. Entitlement catalogs also set the maximum allowed number of total devices and the maximum allowednumber of devices in each device group within the catalog.

If entitlement is to be used, an entitlement catalog must exist at the Provider hierarchy node. No more thanone entitlement catalog may exist at any given hierarchy node. The entitlement catalog at a particular hierarchynode restricts the device groups, device counts, and services which are available to entitlement profiles at orbelow that node in the hierarchy. No entitlement profile may exceed the restrictions imposed by its associatedentitlement catalog. Similarly, an entitlement catalog at a particular hierarchy imposes limitations on anysubsequent entitlement catalogs beneath it in the hierarchy structure. No entitlement catalog created deeperin the hierarchy structure may exceed the restrictions specified in a higher entitlement catalog.

Provider administrators can add, update, and delete entitlement catalogs at their hierarchy level and below.Reseller and customer administrators can only view entitlement catalogs.

Entitlement Profiles

Entitlement profiles establish the set of services, device groups, and device limits to which an end user maysubscribe. No entitlement profile may exceed the specifications dictated by the hierarchy-associated entitlementcatalog. An entitlement profile may not exist at a particular hierarchy node unless an entitlement catalog existsat or above the entitlement profile's hierarchy node.

Unlike entitlement catalogs, there may be multiple entitlement profiles at a given hierarchy node. Each ofthese entitlement profiles must have a unique name within the hierarchy. Additionally, no device type mayappear in more than one device group within a given entitlement profile.

Entitlement profiles can be assigned to users when users are synched from Cisco Unified CommunicationsManager or from LDAP, or when users are added or modified in Cisco Unified Communications DomainManager via Subscriber Management and User Management.

One entitlement profile at a given hierarchy node can be designated as the default entitlement profile. Thedefault entitlement profile is applied to any users at or below the hierarchy node, if those users are not explicitlyassigned another entitlement profile.

Provider administrators can add, update, and delete entitlement profiles at their hierarchy level and below.Reseller and customer administrators can only view entitlement profiles.

Entitlement Enforcement

Service Levels

The following table shows the impact to a user when a service is disabled in the entitlement profile appliedto the user.



An entitlement profile can be explicitly assigned to a user, or implicitly applied if an entitlement profileis designated as the default entitlement profile in a hierarchy node at or above the user's hierarchy node.

Note

ResultService disabled

Adding a phone to a user in Subscriber Management fails. For an existing user with a phonewith this profile (where voice is disabled), the update of the user from "SubscriberManagement"fails, unless the existing phones for the user are dissociated.

Voice

Adding Voicemail to a user in SubscriberManagement fails. For an existing user with Voicemail,updates in Subscriber Management fail after an entitlement profile with Voicemail disabled isapplied to the user.

Voicemail

Enabling Cisco Unified Communications Manager IM and Presence Service for a user inSubscriberManagement fails. For an existing user with Cisco Unified CommunicationsManagerIM and Presence Service enabled, updates in Subscriber Management fail after an entitlementprofile with Presence disabled is applied to the user.

Presence

Adding Extension Mobility to a user in Subscriber Management fails. For an existing user withExtension Mobility, updates in Subscriber Management fail after an entitlement profile withExtension Mobility disabled is applied to the user.

Extension Mobility

For a new user, adding Single Number Reach in SubscriberManagement fails, and for an existinguser with Enable Mobility checked, adding Single Number Reach fails after an entitlementprofile with Single Number Reach disabled is applied to the user.

Single Number Reach

Adding or assigningWebEx feature to the subscriber fails, if this field is disabled. For an existingsubscriber if you enable WebEx and an entitlement profile with "WebEx disabled" is applied,the update operation fails.

WebEx

Adding or assigning CMR feature to the subscriber fails, if this field is disabled. For an existingsubscriber if you enable CMR and entitlement profile with " CMR disabled is applied", theupdate operation fails.

CMR

Device Groups

A user to whom an entitlement profile is applied is limited to devices in the device groups assigned in theentitlement profile. Adding a Phone to a user in Subscriber Management fails if the added Phone is not in adevice group assigned to the entitlement profile applied to the user.

Device Limits

A user to whom an entitlement profile is applied is subject to the following device limits set in the entitlementprofile:

• Total number of devices

• Total number of devices in a device group

Adding a Phone to a user in Subscriber Management fails if the total number of devices limit or the totalnumber of devices in a device group limit is exceeded.



Transaction Log

The transaction log messages contain detailed information that can be used to determine what entitlementprofile limitation caused an action to fail.



C H A P T E R 6IOS Device Features

• IOS Device Features, page 29

IOS Device FeaturesCisco Unified CDM 10.6(2) introduced two new IOS Device features:

• Local Break Out (LBO)

• Analog Gateway

Both features coordinate configuration between Cisco Unified CM, HCM-F, and an IOS gateway devicedeployed on the customer's premises. New menu items, bulk loaders, and APIs have been introduced toconfigure LBO and Analog Gateways.

For additional information on Local Break Out, see Cisco Hosted Collaboration Solution, Release 11.5 DialPlan Management Guide for Cisco Unified Communications Domain Manager, Release 10.(x)/11.5(x).

Both LBO and Analog Gateway use a device type called an IOS Device. This device represents a physicalIOS router or gateway that can support either SIP Local Gateway functionality or AnalogGateway functionality.The IOS Device must be configured first, which syncs the device to HCM-F as a Customer Equipment object,and to Prime Collaboration Assurance if configured. Once the IOSDevice is configured, a SIP Local Gatewayor an Analog Gateway can be configured.

Note • In Cisco Unified CDM version 10.6(2) and later, H.323 gateway capability is not supported for LBO.

• Analog Gateway supports only VG-series gateways.

• Analog Gateway supports SCCP andMGCP protocols. For provisioning details, see the IOS DeviceManagement section of Cisco Unified Communications Domain Manager, Maintain and OperateGuide available at https://www.cisco.com/c/en/us/support/unified-communications/hosted-collaboration-solution-version-11-5/model.html#~tab-component-documentation.

Configure the IOS Device and SIP Local Gateway at the customer hierarchy node. Configure the AnalogGateway at a site hierarchy node. A customer can have multiple IOS Devices, but each IOS Device can have


https://www.cisco.com/c/en/us/support/unified-communications/hosted-collaboration-solution-version-11-5/model.html#~tab-component-documentation

https://www.cisco.com/c/en/us/support/unified-communications/hosted-collaboration-solution-version-11-5/model.html#~tab-component-documentation

only one SIP Local Gateway or one Analog Gateway. IOS Devices cannot be shared across customers. AnIOS Device can be shared across sites.

Figure 2: IOS Device, SIP Local Gateway, and Analog Gateway

IOS commands are generated for the associated IOS device because of the following:

• An IOS Device is created.

• An Analog Gateway is created.

• A SIP Local Gateway is created.

• A SIP Local Gateway is associated with a Site.

The configuration is also pushed to HCM-F and Cisco Unified CM as needed. The following table shows theconfiguration created for each object.

IOS CommandsCUCM ConfigurationHCM-F ConfigurationCUCDM ConfigurationObject

Commands for settingVoIP service and codecpreferences

NoneA new CustomerEquipment instance iscreated in SDR for thecustomer

A new IOS data model iscreated

IOS Device

Analog gatewaycommands

The correspondinggateway device isconfigured includingports, endpoints, andphone devices

NoneA new Analog gatewaydata model is created

Analog Gateway

SIP gateway, dial peer,and translation rulecommands.

NoneNoneA new SIP gateway datamodel is created to storeconfiguration derivedfrom the SIP trunk

SIP Local Gateway


IOS Device Features

IOS CommandsCUCM ConfigurationHCM-F ConfigurationCUCDM ConfigurationObject

Translation rules for areacodes and DN to E164associations.

Local Break Out dialplan configuration

NoneSeveral data models arecreated to track theassociation

Associate SIP LocalGateway to Site

For more information about generated IOS commands for analog MGCP and SCCP gateway, see the IOSDevice Management section of Cisco Unified Communications Domain Manager, Maintain and OperateGuide.

IOS Device Transaction StrategyIOS device configuration changes on Cisco Unified CDM are pushed to HCM-F and Cisco Unified CM aspart of the transaction. The transaction succeeds once the API calls to HCM-F and Cisco Unified CM aresuccessful. If the API call to HCM-F or Cisco Unified CM fails, the transaction fails and is rolled back.

However, the strategy for managing IOS commands is different. Rather than attempting to keep the IOS devicein lock-step with the commands generated in Cisco Unified CDM, the generated IOS commands are storedin Cisco Unified CDM. An administrator can access the IOS commands and copy and paste them into theIOS device CLI. Thus, the IOS device is loosely coupled to Cisco Unified CDM. This method avoids networkaccess problems resulting from IOS devices being in the customer's network rather than in the provider's datacenter.

IOS commands generated by multiple configuration activities can be consolidated into a single window. Twomethods an administrator can use are:

• Copy and paste generated IOS commands to the IOS device CLI after each configuration activity.

• Do several configuration activities, consolidate the generated commands, and copy and paste theconsolidated commands to the IOS device CLI.

IOS Command Builders and CommandsThe IOS commands generated for each IOS configuration activity are customizable at any level of the hierarchydown to site. Cisco Unified CDM comes with a full working set of IOS commands, but service providers,resellers, and customers can tailor those commands to their specific requirements. The IOS commands to begenerated for each operation (for instance AddIOSDevice) are stored in a component called an IOS CommandBuilder.

The IOS commands in the command builder contain variables to include data that can change for eachinvocation of the builder. For example, the IP address of the Dial Peer created differs for each SIP LocalGateway depending on the SIP trunk assigned. The IP address is represented as a variable (pwf.PBXIP) inthe command builder. When the AddSipLocalGateway event triggers the builder, the variable is replaced withthe actual IP address in the resulting set of commands. Here's a snippet of the dial peer command builder:dial-peer voice {{pwf.INTLACCESSPREFIX}} voiptranslation-profile outgoing VOIPOUT80 {{pwf.PREFERENCE}}voice-class codec 1service dsappvoice-class sip options-keepalive up-interval 120 down-interval 60 retry 2session target {{pwf.PBXIP}}destination-pattern .Tsession protocol sipv2The items in bold are the variables that are substituted with real values when the command builder is triggered.


IOS Device Features

The following diagram shows the sequence that occurs when an operation such as adding an IOS device isexecuted on CUCDM:

Figure 3: IOS Device Workflow

A configuration activity can generate multiple events. Every event can have one or more command buildersassociated with it. See Cisco Unified Communications Domain Manager, Release 11.5(1) Maintain andOperate Guide for details about triggered events and default command builders. To generate new IOS commandswithout changing an existing command builder, clone the existing command builder and associate the newcommand builder to the same event.

Command Builder Scope

Command builders can also be cloned andmodified at the provider, reseller, customer, or intermediate hierarchynode, again depending on the scope desired. For example, if the service provider wants to apply a specificcustomization to all customers, clone and modify the IOS Command Builders at the provider hierarchy node.If a specific customer has a unique change required, clone and modify the command builder at the customerhierarchy node.

IOS Command Consolidation and Regeneration

Tomake copying IOS commands easier, CiscoUnified CDMhas a tool to consolidate IOS commands generatedby multiple events into one contiguous list.

To pick up changes in variables that are used when building IOS commands, Cisco Unified CDM comes witha tool to manually regenerate IOS commands. IOS commands are also automatically regenerated when theEnable Command Builder switch is turned on for a SIP Local Gateway or Analog Gateway.


IOS Device Features

C H A P T E R 7Upgrade Planning

• API Compatibility, page 33

• Default Schema Upgrade Issues, page 33

API CompatibilityIn general, APIs are backwards compatible from CiscoUnified CommunicationsDomainManager 10.x/11.5(x)to Cisco Unified Communications Domain Manager 10.1(2) . However, you should check the Cisco UnifiedCommunications Domain Manager, Release 11.5(1) API Reference Guide for any non-compatible changes,and plan updates to clients impacted by non-compatible changes.

Default Schema Upgrade Issues



Default Schema Upgrade Issues

P A R T IIInstall• Prepare to Install, page 37

• Install Cisco Unified Communications Domain Manager, page 43

• Upgrade Cisco Unified Communications Domain Manager, page 53

C H A P T E R 8Prepare to Install

• Installation Prerequisites, page 37

• Multinode Cluster Hardware Specifications, page 37

• Standalone Hardware Specification, page 38

• Browser Compatibility for CUCDM, page 39

Installation PrerequisitesInstall Cisco Unified Communications DomainManager (Unified CDM) in the same domain as Cisco HostedCollaboration Mediation Fulfillment.

Before installation, consider the prerequisites described in this section.

• HCM-F services are activated and running.

• Network connectivity is available betweenUnified CDMnodes and the HCM-F, UC application servers,and WebEx servers.

Multinode Cluster Hardware SpecificationsThe Virtual Machine Requirements table identifies the resource requirements for a multinode cluster of fourUnified Nodes and two Web Proxy nodes.

For complete details on fundamental concepts and requirements of virtual machines within the HCSsolution, see Cisco HCS Virtual Machine Requirements document.

Note

For deployments where the total number of users is expected to exceed 100,000, configure 16 GB of RAMfor each Unified node, in this case the VM Memory and Reservation must also be raised to 16 GB. Thememory allocation for the Web Proxy nodes does not change.

Note


http://www.cisco.com/c/en/us/support/unified-communications/hosted-collaboration-solution-hcs/tsd-products-support-series-home.html

Table 2: Virtual Machine Requirements

NetworkDiskCPUMemoryVM LevelQuantityNode Type

1 Gbpsminimum

370 GB partitioned as follows:

• 20 GB for OS

• 50 GB for application

• 50 GB for compressed backups

• 250 GB for database

4vCPU @ 2 GHz8 GBVMware 5.1 orlater

4 or 6dependingon thespecificconfiguration

Unified

1 Gbpsminimum


• 20 GB for OS


• 50 GB for compressed backups

• 250 GB for database

4vCPU @ 2 GHz16 GB(If thetotalnumberof usersis morethan100,000)

VMware 5.1 orlater

4 or 6dependingon thespecificconfiguration

Unified

1 Gbpsminimum


• 20 GB for OS


2vCPU @ 2 GHz4 GBVMware 5.1 orlater

2Web Proxy

The size of the database storage partition supports the maximum deployment size for the release. Furtherincrease in the size of the partition is not required when new customers are on-boarded.

Configure the disk requirements on the VMware GUI Resources tab, where a disk can be created. Performthis task after importing the OVA but before booting the system.

Standalone Hardware SpecificationVirtual machine requirements are specified in the following table.


Standalone Hardware Specification

NetworkDiskCPUMemoryVMQuantityPurpose

1 Gbit/s minimum180 GB partitioned asfollows:

• 20 GB for OS

• 50 GB forapplication

• 50 GB forcompressedbackups

• 60 GB for databasestorage

4vCPU @ 2 GHz8 GB>= VMware4.1

1Standalonenode

The Database storage partition is sized at the initial installation to support the maximum deployment size forthe release. Further increase in the size of the partition is not required as new customers are on-boarded.

For the disk requirements, the disk should be set up on the VMware GUI Resources tab where a disk can becreated. Perform this task after the OVA import but prior to the boot of the system.

Browser Compatibility for CUCDMThe following table describes web browser compatibility for Cisco Unified Communications DomainManagerwithin Cisco Hosted Collaboration Solution.

Table 3: Legend

DefinitionSymbol and Abbreviation

Browser not supported✖

Browser supported✔

Microsoft Internet ExplorerIE

Mozilla FirefoxMF

Google ChromeGC

Apple SafariAS

Extended Support ReleaseESR


Browser Compatibility for CUCDM

Cisco Unified Communications Domain Manager 8.1(x) Browser Compatibility Tables

Table 4: Cisco Unified Communications Domain Manager 8.1(x) Windows Browser Compatibility

GC34

GC29

GC25

GC 8MF28.0

MF23

MF20.x

MF17.xESR

MF10.x

MF9.x

MF8.x

MF4.x

MF3.x

IE11

IE10

IE 9IE 8OperatingSystem

HCSRelease

Windows7

HCS8.x

Windows8

✔✔✔✔Windows7

HCS9.x

Windows8

✔✖✖✔✖✖✖✖✖✖✖✔✔✖✖Windows7

HCS10.x

✔✖✖✖✖✖Windows8

✔✔✔WindowsXP

For CUCDM 8.1.9 ER1, the following browsers have been tested manually:

•Windows 7- Chrome 51, Firefox 46, IE10, IE11

•Windows 10 - Chrome 60, Edge 38, Firefox 54, IE11

Table 5: Cisco Unified Communications Domain Manager 8.1(x) MacOS X Browser Compatibility

GC 34GC 22MF 28MF 23MF17.xESR

MF11.x

MF10.x

MF 4.xAS 6.xAS 5.xAS 4.xOperating SystemHCS Release

OS X 10.8(Mountain Lion)

HCS 8.x

OS X 10.9(Mavericks)

OS X 10.8(Mountain Lion)

HCS 9.x

OS X 10.9(Mavericks)



GC 34GC 22MF 28MF 23MF17.xESR

MF11.x

MF10.x

MF 4.xAS 6.xAS 5.xAS 4.xOperating SystemHCS Release

✔✔(nESR)

✔OS X 10.8(Mountain Lion)

HCS 10.x

✔✔OS X 10.8.5(Mountain Lion)

✔OS X 10.9(Mavericks)

Cisco Unified Communications Domain Manager 10.x Browser Compatibility Tables

Table 6: Cisco Unified Communications Domain Manager 10.x Windows Compatibility

GC 34GC 29GC 25GC 8MF 20.xMF10.x

MF 9.xMF 4.xMF 3.xIE 11IE 10IE 9IE 8OperatingSystem

HCSRelease

✔✔ (MF28)

✔ seeNote

✔ seeNote

Windows7

HCS10.x

✔Windows8

✔✔ (MF23)

✔ (MF17)

WindowsXP

IE 10 and IE 11 running on Windows 7 require adjustments to the browser's SSL/TLS settings to workwith HCS 10.x:

Note

1 Access Tools > Internet Options.

2 Select the Advanced tab.

3 Scroll to the Security heading.

4 • For IE 10, locate and check Use TLS 1.0, and uncheck Use SSL3 if checked.

• For IE 11, locate and check both Use TLS 1.0 and Use TLS 1.2.

5 Click Apply, then OK.

If TSL1.2 does not work, check Use SSL3 and Use TLS 1.2 on both IE 10 and IE 11.

For CUCDM 11.5(3), the following browsers are tested manually:



Table 7:

SafariIEFirefoxEdgeChromeOS \ Browser

N/AN/A584664Windows 7

N/A11584664Windows 10

N/AN/A58N/A64Ubuntu 16

N/AN/A58N/A64Mac OSX10.12.1

Table 8: Cisco Unified Communications Domain Manager 10.x MacOS X Browser Compatibility

GC 34GC 22MF 20.xMF 11.xMF 10.xMF 4.xAS 6.xAS 5.xAS 4.xOperating SystemHCS Release

✔(OS X10.8.5)

✔(MF 23)✔ (MF17)

✔OS X 10.8(Mountain Lion)

HCS 10.x

✔✔(MF 28)OS X 10.8.5(Mountain Lion)

✔OS X 10.9(Mavericks)



C H A P T E R 9Install Cisco Unified Communications DomainManager

• Multinode Installation, page 43

• Standalone Installation, page 47

• Create Virtual Machines from OVA Files, page 48

• View Installation and Upgrade Transactions, page 52

Multinode InstallationInstall a multinode consisting of either four or six Unified instances of Cisco Unified Communications DomainManager (Unified CDM) 10.x+ and two WebProxy instances.

• AWebProxy node installs only the front-end web server, with the ability to distribute load amongmultiple middleware nodes.

• A Unified node consists of the Application and Database roles on one node. For geo-redundancy, thereare two or four Unified nodes in the Primary Site and two Unified nodes in the Disaster Recovery (DR)Site in active-active setup.

Cisco Hosted Collaboration Solution supports three configurations of Cisco Unified CommunicationsDomain Manager 10.x+. These configurations provide the service provider with options for scale andGeo-Redundancy support.

Geo-Redundancy(Y/N)

Supported Scale (#Subscribers)

Number of ProxyNodes

Number of UnifiedNodes

Configuration

NA20,00001StandaloneCUCDM

Yes(Active-Active)

200,00024Multi-NodeCUCDM (acrossData Centers)

Yes(Active-Passive)

200,00026


Geo-Redundancy(Y/N)

Supported Scale (#Subscribers)

Number of ProxyNodes

Number of UnifiedNodes

Configuration

No200,00024Multi-NodeCUCDM (OneData Center)

Note • For geo-redundant Multinode Cluster deployment with six Unified Nodes, there are four Unifiednodes in the Primary Site and two Unified nodes in the Disaster Recovery (DR) Site in active-standbysetup.

• Installation of the template and upgrade takes approximately two hours. You can follow the progresson the GUI transaction list.

Before You Begin

If you received the product on DVD, extract the Unified CDM ISO to get the platform-install ISO and theUnified CDM template file.

If you selected electronic software delivery, use the link that you received to download the product ISO file.Mount the Unified CDM ISO to get the platform-install ISO and the Unified CDM template file.

Optionally, download or extract language pack template files to support languages other than English.

Procedure

Step 1 Install the WebProxy instances.For each WebProxy instance, create a new VM using the platform-install OVA. Use the instructions shownin Create Virtual Machines from OVA Files, on page 48. For role, select (3) WebProxy. Specify theappropriate data center (Primary/DR site) for each WebProxy instance.

Step 2 Install the Unified instances.For each Unified instance, create a new VM using the platform-install OVA. Use the instructions shown inCreate Virtual Machines from OVA Files, on page 48. For role, select (2) Unified. Specify the appropriatedata center (Primary/DR Site) for each Unified instance.

The following Unified nodes are required in the cluster:

• One Unified node as the Primary node at the Primary site

• One Unified node as the Secondary node at the Primary site

For six Unified Node Multi Cluster deployment there are three Unified node as the Secondary nodeat the Primary site

Note

• Two Unified nodes as the Secondary nodes at the DR site

Step 3 Install VMware tools on each node.a) In vSphere, right-click the name of the appropriate VM.


Multinode Installation

b) Select Guest > Install/Upgrade VMware Tools.If you are prompted to disconnect the mounted CD-ROM, click Yes.

c) Log in to each node and run the app install vmware command.d) Verify by executing the app list command.

Step 4 Prepare each node to be added to the cluster. On each WebProxy and Unified node, except for the primaryUnified node, run the cluster prepnode command.

Step 5 Add nodes to the cluster.a) Log in to the primary Unified node.b) Add the Unified and WebProxy nodes to the cluster with the cluster add <ip_addr> command.c) Verify the list of nodes in the cluster with the cluster list command.

Step 6 Add the network domain.a) Configure the domain with the cluster run all network domain <domain_name> command.b) Verify the configured network domain with the cluster run all network domain command.

Each node shows the domain that you configured.c) Verify the DNS configuration with the cluster run all network dns command.

Each node responds with the DNS server address.d) Attempt to contact each node in the cluster with the cluster run all diag ping <hostname> command.e) (Optional) Shut down all the nodes with the cluster run all system shutdown command. Take a snapshot

of each node. Restart each node.

Step 7 Configure the cluster.a) Provide a weight for each database server with the database weight add <database_ip> <priority>

command.Use weights of 40, 30, 20, and 10 for the four Unified nodes and weights of 60, 50, 40, 30, 20, and 10 forthe six Unified nodes. The higher the value, the more priority.

For Multinode Cluster deployment with four Unified Nodes in a geo-redundant system containing twodata center infrastructures in two physical locations the following weights are used:

• Specify a weight of 40 for the Primary node at the Primary site

• Specify a weight of 30 for the Secondary node at the Primary site

• Specify weights of 20 and 10 for the Secondary nodes at the DR site

For Multinode Cluster deployment with six Unified Nodes in a geo-redundant system containing two datacenter infrastructures in two physical locations the following weights are used:

• Specify a weight of 60 for the Primary node at the Primary site




• Specify weights of 20 and 10 for the Secondary nodes at the DR site

For information on web weight used for Web Proxy node, refer Cisco Unified CommunicationsDomain Manager Best Practices Guide.

Note

b) Select a Primary Unified node and set it up as the Primary Unified node with the following command:cluster provision primary <IP address of primary database node>.



Allow approximately 2 hours for the operation to complete for two WebProxy and four Unified nodes.

If no primary node exists, you are prompted to select a node to be the primary node.

c) When provisioning is complete, verify the status of the cluster with the cluster status command.If a service is down, run the cluster run <node_ip> app start command to restart the service.

d) (Optional) If required, set the web weights configurations (Active-Active, Active-Standby, Standalone).From the primary Unified node, run the required web weight commands for the Web Proxy nodes. SeeMulti Data Center Deployments in the Cisco Unified Communications Domain Manager Best PracticesGuide for detailed information.

e) (Optional) If required, enable or disable Self-service or admin web services on the web proxy nodes. Thismay be required for security purposes.The commands must be run on the relevant web proxy node. It isnot recommended to run the commands on a standalone system, but only on a cluster. The commands willautomatically reconfigure and restart the nginx process, which results in some downtime. Request URLsto a disabled service will redirect the user to the active service.

• To disable or enable admin or Self-service web services on the web proxy node: use web servicedisable <selfservice|admin> or web service enable <selfservice|admin> command.

• To list web services on the web proxy node: use the web service list command.

f) (Optional) Shut down all the nodes gracefully, snapshot and restart:

1 From the selected primary Unified node, run cluster run notme system shutdown.

2 From the selected primary Unified node, run system shutdown.

3 Take a VMWare snapshot of each node and then remove any previous snapshot.

4 Restart each node.

Step 8 Initialize the database and clear all data with the voss cleardown command on the primary database node.Step 9 Import the template.

a) Copy the template file to the primary Unified node with the scp <template_file>platform@<unified_node_ip_address>:media command.

b) Log in to the primary Unified node and import the template with the app templatemedia/<template_file>command.The following message appears: Services have been restarted. Please ignore anyother messages to restart services.The template upgrade automatically restarts necessaryapplications.

c) When prompted to set the sysadmin password, provide and confirm a password.d) When prompted to set the hcsadmin password, provide and confirm a password.

Step 10 Review the output from the app template command and confirm that the message Script/opt/platform/admin/home/template_xxxxxx/install_script completedsuccessfully appears.

• If there are no errors indicated, make a backup or snapshot.

• If there was an error, the install script has stopped with a failure message listing the problem. Resolvethe problem and retry the installation.

Step 11 (For Cisco Unified CDM 10.6(1) only) Install the Macro_Update.template file on secondary Unified nodes.



a) Upload the newMacro_Update.template file to themedia directory on the Unified CDM server via SFTP.

1 From the VM console, enter sftp platform@<cucdm10 hostname>.

2 Enter cd media.

3 Enter put Macro_Update_xx.template.

b) Enter the following command: app template media/Macro_Update_xx.template.The template installs on each secondary node in less than a minute.

Step 12 Check for needed security updates by running the cluster run all security check command on the primarynode.If at least one update is required for any node, run the cluster run all security update command on theprimary node.After the security update is successful, reboot the cluster with the cluster run all system reboot command.If a node does not properly reboot but the console shows that all processes have terminated, you can manuallyreboot the node without any system corruption.

Step 13 (Optional) Install language templates for languages other than English.a) Copy the language template file to any Unified node with the scp <language_template_file>

platform@<unified_node_ip_address>:./media command.b) Log in to the Unified node and install the template with the app templatemedia/<language_template_file>

command.

Example:For example, to install French, app template media/CUCDMLanguagePack_fr-fr.template.

Standalone Installation

Before You Begin

If you received the product on DVD, extract the platform-install OVA and template files from the ISO file.

If you selected electronic software delivery, use the link that you received to download the product ISO file.Mount the ISO and extract the platform-install OVA and the template file.

Installation of the template and upgrade takes approximately two hours. You can follow the progress onthe GUI transaction list.

Note

Procedure

Step 1 Create a new VM using the platform-install OVA.


Standalone Installation

Use the instructions shown in Create Virtual Machines from OVA Files, on page 48. When prompted for arole, select Standalone.

Step 2 After the system has rebooted, sign-in as the platform user.Step 3 Issue the system provision command.Step 4 Initialize the database and clear all data with the voss cleardown command.Step 5 Issue the network domain <your_domain> command.Step 6 Issue the security update command.Step 7 Issue the system reboot command.Step 8 Import the Unified CDM template.

a) Use SFTP to transfer the template file to the platform user's media directory server.

1 Execute the sftp command to access the platform account on the Unified CDM server, e.g., sftpplatform@<CUCDMserver>/password

2 Navigate to the media directory and transfer the template file using the put command:sftp> cd mediasftp> put CUCDM.template

b) Install the template with the app template media/<template_file> command.The following message appears: Services have been restarted. Please ignore anyother messages to restart services.The template upgrade automatically restarts necessaryapplications.

c) When prompted to set the sysadmin password, provide and confirm a password.d) When prompted to set the hcsadmin password, provide and confirm a password.

Step 9 Review the output from the app template command and confirm that the message Script/opt/platform/admin/home/template_xxxxxx/install_script completedsuccessfully appears.

• If there are no errors indicated, make a backup or snapshot.

• If there was an error, the install script has stopped with a failure message listing the problem. Resolvethe problem and retry the installation.

Step 10 Issue the system reboot command.Step 11 Install VMware tools:

a) In vSphere, right-click the name of the appropriate VM.b) Select Guest > Install/Upgrade VMware Tools.

If you are prompted to disconnect the mounted CD-ROM, click Yes.

c) Log in to the node and run the app install vmware command.

Create Virtual Machines from OVA FilesYou can import the OVA file into VMware vCenter Server. One OVA file is used to deploy all the functionalroles. You choose the specific role when the installation wizard is run.


Create Virtual Machines from OVA Files

Procedure

Step 1 Sign in to vSphere to access the ESXi Host.Step 2 Choose File > Deploy OVF Template.Step 3 Choose Source, browse to the location of the .ova file, and click Next.Step 4 On the Name and Location page, enter a Name for this server.Step 5 On the Deployment Configuration page, select the appropriate node type.Step 6 Choose the resource pool in which to locate the VM.Step 7 Choose the data store you want to use to deploy the new VM.Step 8 On the Disk Format page, choose Thick provisioned Eager Zeroed format for the virtual disk format.

In production environments, "thick provisioning" is mandatory. Thick provisioned Lazy Zero is alsosupported, but Thin provisioned is not supported.

Note

Step 9 On the Network Mapping, choose your network on which this VM will reside.Step 10 Do not select Power on after deployment.Step 11 On the Ready to Complete page, click Finish to start the deployment.Step 12 After the VM is created, verify the memory, CPU, and disk settings against the requirements shown in

Multinode Cluster Hardware Specifications, on page 37.Step 13 Power on the VM.Step 14 Select the following options in the installation wizard:

DescriptionOptionname

Option

The IP address of the server.IP1

The network mask for the server.netmask2

The IP address of the network gateway.gateway3

The DNS server is optional. Ensure that the DNS server is capable of looking up allhostnames referred to, including NTP server and remote backup locations.

DNS4

The NTP server is mandatory to ensure that time keeping is accurate and synchronizedamong nodes in the same cluster.

NTP5

The hostname, not the fully qualified domain name (FQDN).hostname6

• AWebProxy role installs only the front-end web server together with ability todistribute load among multiple middleware nodes.

• AnApplication node is the main transaction processing engine and includes a webserver which can operate by itself, or route transactions from a web node.

• A Database node provides persistent storage of data.

• A Standalone node consists of the Web, Application, and Database roles on onenode.

• AUnified node consists of theWeb, Application, and Database roles on one node.On installation, the system needs to be clustered with other nodes and the clusterprovisioned.

role7



DescriptionOptionname

Option

The system's geographic location (data center name, city, country that a customer canuse to identify the system location). You cannot change this setting once set.

datacenter

8

Platform passwordmust be at least eight characters long andmust contain both uppercaseand lowercase letters and at least one numeric or special character.

platformpassword

9

Enable or disable FIPS compliant Cisco Unified CDM. If FIPS is enabled on a system,all install scripts and templates are encrypted and decrypted using FIPS 140-2 complaintencryption algorithms. Once enabled, FIPS mode cannot be disabled.

fipsmode

10

See the list of roles below the table.role11

Enable boot loader configuration password. See the example below the table.bootpassword

12

Completes the installation configuration and installs Cisco Unified CommunicationsDomain Manager.

install13

The default security protocol for the web server is TLSv1.2. To disable TLSv1.1 and below, see the CiscoUnified Communications Domain Manager 11.5(3) Maintain and Operate Guide for detailed information.

If fips mode is selected upon installation, the system is enabled for adherence to Federal InformationProcessing Standards (FIPS). If fips mode is not selected upon installation, it can be enabled from the commandline interface using the system fips enable command.

The following roles are available:

• AWebProxy role installs only the front-end web server together with ability to distribute load amongmultiple middleware nodes.

• An Application node is the main transaction processing engine and includes a web server which canoperate by itself, or route transactions from a web node.

• A Database node provides persistent storage of data.

• A Standalone node consists of the Web, Application and Database roles on a single node.

• A Unified node consists of the Web, Application and Database roles on a single node. On installation,the system needs to be clustered with other nodes and the cluster provisioned.

Password protection can be enabled on the Unified CDM boot loader configuration from theIinstall Wizardupon first install and also from the CLI. The console example below shows the output:

(1) ip (199.29.21.89)(2) netmask (255.255.255.0(3) gateway (199.29.21.1)(4) dns (199.29.88.56)(5) ntp (199.29.88.56)(6) boot password (disabled)(7) hostname (atlantic)(8) role (UNDEFINED)(9) data centre (earth)(10) platform password (UNDEFINED)



(11) fips mode (disabled)Select option ? 6Valid passwords must contain:at least one lower- and one upper-case letter,at least one numeric digitand a special character eg. !#@$%&^*Password: Please enter platform user password:Please re-enter passwordPassword:NOTE: The system boot password is now set for user platform.

When the boot password is set, the wizard will show this:

(6) boot password (*****)

For multi-node installations, also refer to the topic on Clustering the System. Detailed configuration can beapplied from the Command Line Interface (CLI). Use network help or network for details. For example,domain can be configured using network domain add <domain-name>. For a geo-redundantdeployment, the data center information is equivalent to the location information.

Once all details are entered, installation will commence.When installation is complete, the systemwill reboot.

Log in to the platform and run the following command from the CLI:

• For a fresh install: voss cleardown (confirm at the prompt). Note that this command removes anydata from the database.

• For an existing installation: voss upgrade_db on one of the application nodes.

Security updates that are a part of the installation are installed automatically. For a system upgrade, however,run security update to apply all the latest security updates. A system notification upon completion willinstruct the user to reboot. This should always be done, because some critical updates on a system layerrequires this action to be completed for the security patches to take affect. For a cluster, if a node does notproperly reboot but the console shows all processes have terminated, you canmanually reboot the node withoutany system corruption.

The system is ready for use.

The login message would for example looks the same as the following:

Last login: Wed Nov 2 11:12:45 UTC 2016 from oigumbor-m-thwh.visionoss.int on pts/6Last failed login: Wed Nov 2 11:19:53 UTC 2016 from riza-dell-laptop.visionoss.int onssh:nottyThere were 2 failed login attempts since the last successful login.host: dev-test, role: webproxy,application,database, load: 0.21, USERS: 3date: 2016-11-02 11:19:57 +00:00, up: 14:19network: 172.29.253.14, ntp: 172.29.1.15HEALTH: NOT MONITOREDdatabase: 31GbWEB CERT EXPIRED AT: 2016-01-19 07:58:44Failed logins: 2 since Wed Nov 02 11:19:53 2016 from riza-dell-laptop.visionoss.intmail - local mail management keys - ssh/sftp credentials

network - network management backup - manage backupsvoss - voss management tools log - manage system logs

database - database management notify - notifications controlschedule - scheduling commands selfservice - selfservice managementdiag - system diagnostic tools system - system administrationsnmp - snmp configuration user - manage users

cluster - cluster management drives - manage disk drives



web - web server management app - manage applicationssecurity - security update tools

The application: upmessage indicates the application status. If the message is NOT PROVISIONED,then for a standalone installation, the system provision command can be run. This command, however,runs automatically during the standalone installation.

If the user failed to log in prior to a successful login, the count, date and origin of the attempts are shown asFailed logins. A successful login resets this login count.

After provisioning, if the admin or Self-Service GUI needs to be disabled on the web proxy nodes for securitypurposes, run the command on the relevant web proxy node:

web service disable <selfservice|admin>

If needed, the web service can be enabled again by:

web service enable <selfservice|admin>

These commands will automatically reconfigure and restart the nginx process, so will include some downtime.Request URLs to the disabled service will redirect the user to the active service. It is not recommended to runthese commands on a standalone configuration.

When the installation of the OVA is complete, a sign-in prompt for the platform user is displayed.

What to Do Next

Return to Multinode Installation, on page 43 or Standalone Installation, on page 47 to complete the overallinstallation procedure.

View Installation and Upgrade TransactionsUse this procedure to view transactions from a Cisco Unified CDM installation or upgrade.

Procedure

Step 1 Log in as the sysadmin administrator.Step 2 Select Administration Menu > Transactions.Step 3 To view details on a transaction, click the transaction.


View Installation and Upgrade Transactions

C H A P T E R 10Upgrade Cisco Unified Communications DomainManager

• Upgrade a Multinode Environment, page 53

• Upgrade a Standalone Environment, page 57

• Cancel Running Imports, page 60

• Audit Template Customizations, page 61

• View Template Customization Audit Reports, page 61

• Turn off Scheduled Imports, page 62

Upgrade a Multinode Environment

Before You Begin

• Log in to the user interface and notedown the information in the About > Extended Version. Thisinformation is useful to troubleshoot issues during an upgrade.

• Create a new backup using the platform command-line interface. You can back up the cluster, or backup each node individually.


You can reduce the time for upgrade by performing backup activities before the upgrademaintenance window. You can also reduce the time for upgrade and backup by runningnode upgrades in parallel (a process that includes a backup). Use the following CLIcommand:

cluster upgrade media/platform-install-1.x.x-x.iso fast

If reducing the length of time for the upgrade is a primary consideration, you can useVMware snapshots for your backup. Consider the following when using VMwaresnapshots for your backup:

Note

• Cisco cannot guarantee that a VMware snapshot can be used to successfully restoreUnified CDM or any Cisco HCS Management application. If you cannot restorethe application from a snapshot, your only recourse is to reinstall the application.

•When the backup is complete and you do not need the VMware snapshot for restoreactivities, delete the snapshot immediately to preserve LUN space.

For more information about the risks of using VMware snapshots, see the “Backup andRestore” chapter in the Cisco Hosted Collaboration Solution, Maintain and OperateGuide.

• Turn off any scheduled imports. See Turn off Scheduled Imports, on page 62.

• Check for running imports. Either wait for them to complete or cancel them. See Cancel Running Imports,on page 60.

• Run template customization audits at the sys and sys.hcs hierarchy levels. View the audit reports toverify that all template customizations are as expected. See Audit Template Customizations, on page61.

•When you upgrade to Cisco Unified CDM 11.5.2, you must convert the database to the WiredTigerstorage engine.


Procedure

Step 1 Use SFTP to transfer the upgrade .iso file to the platform user's media folder on the primary Unified node.a) sftp platform@<unified_node_hostname>b) cd media



c) put <upgrade_iso_file>

Step 2 On the primary Unified node, verify the .iso image with the ls -l media command.Step 3 On the primary Unified node, run the cluster upgrade media/<platform-xxx.iso> command to upgrade the

cluster.Step 4 After the upgrade is complete, verify the cluster status with the cluster status and cluster run all diag health

commands.Step 5 Run the cluster run all security update command to complete all the security updates.Step 6 Run the notme system reboot command on the primary Unified node, followed by the system reboot

command. This process takes some time as all services must be stopped.Step 7 Run the database config command on all database nodes to identify the storage engine type:

• If the output on a node shows storageEngine: mmapv1 (for Cisco Unified CDM11.5.2 or earlier release),follow steps to Convert to WiredTiger.

• If the output on a node shows storageEngine: WiredTiger (for Cisco Unified CDM 11.5.3 or laterrelease), skip the Convert to WiredTiger step.

Step 8 Convert to WiredTiger storage engine type (if necessary):

1 Run the cluster run all system shutdown command to reboot all the nodes. This process takes time asall services must be stopped.

2 Create a VMWare snapshot for all the unified servers, to revert the systems if there is a database engineconversion error.

3 Boot all the systems in VMWare.

4 Run the cluster run application app stop voss-deviceapi command to stop transactions from beingscheduled.

5 Log into the non-primary nodes and run the database convert_to_wiredtiger command on each node.Wait until the conversion completes.

6 Log into primary unified node, and run the database convert_to_wiredtiger command and wait until itcompletes successfully.

7 Run the database config command and ensure that the storage engine for all database nodes showsasstorageEngine: WiredTiger.

8 Run the cluster run application app start voss-deviceapi command.

Step 9 Run the cluster run all system shutdown command to reboot all the nodes. This process takes some time asall services must be stopped.

Step 10 On the primary Unified node, run the voss upgrade_db command.Step 11 Use SFTP to transfer the upgrade template file to the platform user's media folder on the primary Unified

node.a) sftp platform@<unified_node_hostname>b) cd media



c) put <upgrade_template_file>

Step 12 On the primary Unified node, run the ls -l media command to verify the template file.Step 13 On the primary Unified node, run the app template media/<CUCDM-xxx.template> command. It is

recommended to run this command on the VMWare console, not SSH.The following message appears:Running the DB-query to find the current environment's existing solution ˓→deploymentconfig...

The template upgrade automatically detects the deployment mode: “Enterprise”, “Provider with HCM-F” or“Provider without HCM-F”.Verify that the following message also displays:

Cleaning up any existing tdkadmin account (to prevent upgrade-issues, and ˓→for your

security).… ..

tdkadmin has been successfully removed

Python functions are deployed.

System artifacts are imported.

A message displays according to the selected deployment type:

"Importing EnterpriseOverlay.json"

"Importing ProviderOverlay_Hcmf.json ..."

"Importing ProviderOverlay_Decoupled.json ..."

When prompted to set the admin password, provide and confirm a password.

The template installation automatically restarts the necessary applications. If a cluster is detected, the installationpropagates changes throughout the cluster.

Step 14 After the Unified CDM template gets installed successfully, execute the following commands:a) Run the cluster run application voss get_extra_functions_version -c command.b) Run the cluster run all security check command to show, if any security updates are available in the

console.c) If there are security updates available after running the cluster run all security check command, run the

cluster run all security update command to complete all the security updates.d) After the Security update is completed, check the status of the clusters by running the cluster

statuscommand.e) Reboot all the nodes by running the cluster run all system reboot command.f) Ensure the nodes are up by running the app status command.

Step 15 Review the output from the app template command and confirm that the upgrade message appears:

Deployment summary of PREVIOUS template solution (i.e. BEFORE upgrade):-----------------------------------------------------------------------Product: [PRODUCT]Version: [PREVIOUS PRODUCT RELEASE]Iteration-version: [PREVIOUS ITERATION]Platform-version: [PREVIOUS PLATFORM VERSION]followed by updated product and version details:Deployment summary of UPDATED template solution (i.e. current values after˓→installation):



-------------------------------------------------------------------------------˓→----------Product: [PRODUCT]Version: [UPDATED PRODUCT RELEASE]Iteration-version: [UPDATED ITERATION]Platform-version: [UPDATED PLATFORM VERSION]

• If no errors are indicated, make a backup or snapshot.

• For an unsupported upgrade path, the install script stops with the message: Upgrade failed dueto unsupported upgrade path. Please log in as sysadmin and seeTransaction logs for more detail. You can restore to the backup or revert to the VMsnapshot made before the upgrade.

• If there are errors for another reason, the install script stops with a failure message that indicates theproblem. Resolve the problem, revert to the snapshot made before the upgrade, and retry the installation.

Step 16 Run the voss post-upgrade-migrations command. Run this command on a single node of a cluster.Data migrations that are not critical to the system operation can have significant execution time at scale. Theseoperations are performed after the primary upgrade, to allow the migration to proceed while the system is inuse; thus limiting the upgrade windows.

A transaction is queued on Unified CDM and its progress is displayed as it executes.

Upgrade a Standalone Environment

Before You Begin

• Log in to the user interface and notedown the information in the About > Extended Version. Thisinformation is useful to troubleshoot issues during an upgrade.

• Create a new backup using the platform CLI.



You can reduce the time for upgrade by performing backup activities before the upgrademaintenance window. You can also reduce the time for upgrade and backup by runningnode upgrades in parallel (a process that includes a backup).

If reducing the length of time for the upgrade is a primary consideration, you can useVMware snapshots for your backup. Consider the following when using VMwaresnapshots for your backup:

Note

• Cisco cannot guarantee that a VMware snapshot can be used to successfully restoreUnified CDM or any Cisco HCS management application. If you cannot restorethe application from a snapshot, your only recourse is to reinstall the application.

•When the backup is complete and you do not need the VMware snapshot for restoreactivities, delete the snapshot immediately to preserve LUN space.

For more information about the risks of using VMware snapshots, see the “Backup andRestore” chapter in the Cisco Hosted Collaboration Solution, Maintain and OperateGuide.

• Turn off any scheduled imports. See Turn off Scheduled Imports, on page 62.

• Check for running imports. Either wait for them to complete or cancel them. See Cancel Running Imports,on page 60.

• Run template customization audits at the sys and sys.hcs hierarchy levels. View the audit reports toverify that all template customizations are as expected. See Audit Template Customizations, on page61.

•When you upgrade to Cisco Unified CDM 11.5.2, you must convert the database to the WiredTigerstorage engine.


Procedure

Step 1 Use SFTP to transfer the upgrade .iso file to the platform user's media folder on the server.a) sftp platform@<cucdm_server_hostname>b) cd mediac) put <upgrade_platform_iso>

Step 2 Log in to the server CLI as platform user.Step 3 Run the app upgrade media/<upgrade_iso_file> command.

The upgrade may fail, if a backup is created when there is lack of space. This can be prevented by runningapp upgrade media/<upgrade_iso_file> backup none command.

Step 4 Run the security update command.Step 5 Run the system shutdown command. Since all services must be stopped, this takes some time.Step 6 Run the database config command on all database nodes to identify the storage engine type:



• If the output on a node shows storageEngine: mmapv1 (for Cisco Unified CDM11.5.2 or earlier release),follow steps to Convert to WiredTiger.

• If the output on a node shows storageEngine: WiredTiger (for Cisco Unified CDM 11.5.3 or laterrelease), skip the Convert to WiredTiger step.

Step 7 Convert to WiredTiger storage engine type (if necessary):

1 Reboot the node. Run the system shutdown command. Since all services must be stopped, this takes sometime.

2 Create a VMWare snapshot for all the unified servers, to revert the systems if there is a database engineconversion error.

3 Boot all the systems in VMWare.

4 Run app stop voss-deviceapi to stop transactions from being scheduled.

5 Log into the node and run the database convert_to_wiredtiger command on each node. Wait until theconversion completes.

6 Run the database config command and ensure that the storage engine for all database nodes shows asstorageEngine: WiredTiger.

7 Run the app start voss-deviceapi command.

Step 8 Run the voss upgrade_db command.Step 9 Run the system reboot command. Since all services must be stopped, this takes some time.Step 10 Use SFTP to transfer the upgrade template file to the platform user's media folder on the server:

a) sftp platform@<cucdm_server_hostname>b) cd mediac) put <upgrade_template_file>

Step 11 Upgrade the template with the app template media/<template_file> command. It is recommended to runthis command on the VMWare console, not SSH.The following message appears:Running the DB-query to find the current environment's existing solution ˓→deploymentconfig...

The template upgrade automatically detects the deployment mode: “Enterprise”, “Provider with HCM-F” or“Provider without HCM-F”.Verify that the following message also displays:

Cleaning up any existing tdkadmin account (to prevent upgrade-issues, and ˓→for your

security).… ..

tdkadmin has been successfully removed

Python functions are deployed.

System artifacts are imported.

A message displays according to the selected deployment type:

"Importing EnterpriseOverlay.json"

"Importing ProviderOverlay_Hcmf.json ..."



"Importing ProviderOverlay_Decoupled.json ..."

When prompted to set the admin password, provide and confirm a password.

The template installation automatically restarts the necessary applications. If a cluster is detected, the installationpropagates changes throughout the cluster.

Step 12 Review the output from the app template command and confirm that the upgrade message appears:

Version: [PREVIOUS PRODUCT RELEASE]Iteration-version: [PREVIOUS ITERATION]Platform-version: [PREVIOUS PLATFORM VERSION]followed by updated product and version details:Deployment summary of UPDATED template solution (i.e. current values after˓→installation):-------------------------------------------------------------------------------˓→----------Product: [PRODUCT]Version: [UPDATED PRODUCT RELEASE]Iteration-version: [UPDATED ITERATION]Platform-version: [UPDATED PLATFORM VERSION]

• If no errors are indicated, make a backup or snapshot.

• For an unsupported upgrade path, the install script stops with the message: Upgrade failed dueto unsupported upgrade path. Please log in as sysadmin and seeTransaction logs for more detail. You can restore to the backup or revert to the VMsnapshot made before the upgrade.

• If there are errors for another reason, the install script stops with a failure message that indicates theproblem. Resolve the problem, revert to the snapshot made before the upgrade, and retry the installation.

Step 13 Run the system reboot command.Step 14 Run the voss post-upgrade-migrations command. Run this command on a single node of a cluster.

Data migrations that are not critical to the system operation can have significant execution time at scale. Theseoperations are performed after the primary upgrade, to allow the migration to proceed while the system is inuse; thus limiting the upgrade windows.

A transaction is queued on Unified CDM and its progress is displayed as it executes.

What to Do Next

• Log in to the user interface as hcsadmin and verify the upgrade by selectingAbout >ExtendedVersion.If your web browser cannot open the user interface, clear your browser cache before trying to open theinterface again.

• Reactivate any scheduled imports that you turned off before upgrading.

Cancel Running ImportsCancel running imports to reduce load on the system and improve upgrade performance.


Cancel Running Imports

Procedure

Step 1 Log in as [email protected] 2 Select Administration Tools > Transaction to view Transactions.Step 3 Hover over the Action heading, then click the search icon.Step 4 In the Search String field, type Import and hit enter.

Import jobs are displayed.Step 5 Look for jobs that have Status of "Processing" and either wait for them to complete or cancel them.Step 6 To cancel a job, click the job, then click the Cancel button.

Audit Template CustomizationsYou can run the template customization audit tool on a selected hierarchy node to identify template definitionsand instances that were not delivered in the standard template packages during an installation or upgrade.

The audit report includes custommodel schema definitions as well as data, domain, and view instances createdon the hierarchy node as a result of workflow execution.

Use the report to verify that there are no unexpected instances at the specified hierarchy node.

Procedure

Step 1 Log in as hcsadmin, provider, reseller, or customer administrator.Step 2 Set the hierarchy path to the level from which you want to run your audit.

From a given hierarchy node, you can audit customized templates at the node, and at nodes directly above orbelow the node in the hierarchy tree.

Step 3 Select Administration Tools > Reports > Audit Template Customization.Step 4 Select the hierarchy node for which you want to audit customized templates.Step 5 Click Save.

What to Do Next

View the audit report. See View Template Customization Audit Reports, on page 61.

View Template Customization Audit Reports

Procedure

Step 1 Log in as hcsadmin, provider, reseller, or customer administrator.Step 2 Select Administration Tools > Reports > Template Customization Reports.


Audit Template Customizations

A list of template customization audit reports is displayed.Step 3 Click a report to view the details.

The message field shows howmany customized templates were found at the hierarchy node. The details fieldslists the model type and instance of each customized template.

Turn off Scheduled ImportsTurn off scheduled imports to reduce load on the system and improve upgrade performance.

Procedure

Step 1 Log in as [email protected] 2 Select Administration Tools > Scheduling to view scheduled jobs.Step 3 Click each scheduled job. On the Base tab, uncheck the Activate check box.


Turn off Scheduled Imports

Documents

Cisco Unified Communications Domain Manager 11.5(3 ... · Cisco Unified Communications Domain Manager 11.5(3) Planning and Install Guide First Published: 2017-11-09 Last Modified: