Junos Pulse Secure Access Service. DMI Solutions Guide. Release 7.1. Published: 2011-01-31

Juniper Networks, Inc.
North Mathilda Avenue
Sunnyvale, California

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos Pulse Mobile Security Gateway Setup Guide
Copyright 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
Preliminary

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as "Juniper"), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").

2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. "Software" also includes updates, upgrades and new releases of such software. "Embedded Software" means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any 'locked' or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.

12. Commercial Computer Software. The Software is "commercial computer software" and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS through , FAR , FAR (b)(2), FAR , or FAR (ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License ("GPL") or the GNU Library General Public License ("LGPL")), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at and a copy of the LGPL at .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Juniper Networks, Inc. 5

Table of Contents

Introduction ... 8
Related Information ... 8
Inbound DMI ... 9
Host System and Logical Systems ... 9
Device Specific RPCs
    create-logical-system
    delete-logical-system
    get-user-stats
    get-failed-login-count
    get-role-count
    get-resource-profile-count
    get-vlan-throughput
    get-ivs-throughput
    get-rollback-partition-information
    validate-custom-expression
    get-active-users
    disable-all-users
    enable-all-users
    delete-active-sessions
    refresh-roles
    add-certificate
    get-certificate-info
    get-staged-package-information
IVE Schema
Sample Code
    Get DMI Agent Configuration
    Configure DMI Agent
    Get Client Types
    Add Client Type
    Get Network Configuration
    Configure Network Settings
    Create a Realm
    Create a Realm in Logical System
    Delete a Realm
    Create a Role in Logical System
    Delete a Role
    Create a Resource Profile
    Create a Resource Profile in Logical System
    Delete a Resource Profile
    Create a Resource Policy
    Create a Resource Policy in Logical System
    Delete a Resource Policy
    Create a Web Bookmark for a Role
    Create a Web Bookmark for a Role in Logical System
    Delete a Web Bookmark for a Role
    Get Syslog Events
    Configure License Client Settings
Error conditions
References

Introduction

The Device Management Interface (DMI) is an XML-RPC-based protocol used to manage Juniper devices. The protocol allows administrators and third-party applications to configure and manage Juniper devices, bypassing their native interfaces. The Juniper Secure Access product, with IVE version 6.4, is compliant with the DMI v1.3 specification. Readers of this document are urged to read the DMI specification before using this guide.

IMPORTANT: This feature is geared toward service providers. Juniper Networks Technical Support does not offer developer support for this feature. If you require assistance, contact your Juniper Networks account team.

DMI clients can be stand-alone applications, or can be embedded in larger applications, such as network management solutions and service provider OSSs. DMI clients can connect to the IVE in one of two ways: inbound and outbound. An inbound connection is initiated into the device by the client, while an outbound connection is initiated by the device into an always-available application hosting a DMI client. Juniper's NSM product uses the outbound connection. The DMI inbound and outbound connection features in the IVE enable the IVE administrator to connect to and manage the system without having to use the browser as the administrator's interface to the IVE.

IVE version 6.3 supported the outbound connection type. 6.4 introduces support for the inbound connection type. With the new inbound DMI feature, the administrator can now connect to the IVE using an SSH secure shell Command Line Interface (CLI) to manage the device. The IVE can also be managed by integrating any SSH-aware, NETCONF-supporting application [1] by programming the application to comply with DMI version 1.3. More information about DMI is available in the DMI specification document [2].

This document serves as a reference guide for achieving the following tasks in IVE:
Configuring the inbound DMI agent
Issuing RPC requests to retrieve the configuration of the device
Issuing RPC requests to configure the device
Issuing RPC requests to receive real-time logs and alerts from the device
Issuing IVE-specific RPCs to get state parameter data from the device
Issuing RPC requests for software image management
Issuing RPC requests to back up/restore device configuration

Related Information

In addition to this guide, the following should be referred to while administering the IVE using an inbound DMI connection.

DMI specification document [2]: The specification document for the Juniper-wide Device Management Interface.
IVE Schema: The XML configuration schema of the IVE. More information about the schema is available later in this document.
Juniper Update repository: The repository contains the common schema of all DMI-compliant devices and the main configuration schema of the IVE. For each release of the product, the schema is updated in the repository. More information about the repository can be found in the relevant section of the DMI specification document.
RFC 4741: NETCONF Configuration Protocol [1]: The protocol specification RFC document of NETCONF, the protocol that is used extensively by DMI.

Inbound DMI

The inbound DMI connection is available to the administrator of the root IVS in the IVE. The base license for the IVE makes the DMI Agent configuration option available. Once the base license is installed, the DMI agent in the IVE can be configured in the DMI Agent page under the Configuration menu. The page can be used to configure both the inbound and the outbound DMI agent. To enable the inbound DMI agent, the following needs to be configured:
The network interface on which the inbound agent should be enabled
The TCP port on which the inbound agent should accept connections
The administrator realm to be used for authenticating the inbound DMI users

While the internal interface is available for all SA devices, the management interface is available for inbound DMI on the SA6000 and SA6500 devices. The TCP port needs to be a valid value between 1 and 65535, and it is important that the configured port is not used by any other process in the IVE. It is recommended that either the default value or a value higher than 1024 be used for the TCP port. The default choice for the interface is the internal interface and the default value for the TCP port is 22.

DMI uses the SSH protocol for communication [1]. To connect to the IVE using an inbound connection, the standard SSH shell [2] can be used as the command line interface. For a better user experience, a simple client can be built around the standard SSH client. Since DMI uses the NETCONF protocol, the netconf channel needs to be specified as a parameter in the ssh command when connecting to the IVE inbound. The following command invokes ssh to connect to the IVE's inbound DMI agent:

ssh -l <user> <ip address> -p <port> -s netconf

The -s parameter tells the ssh server to use the netconf channel (the netconf SSH subsystem) for this connection. DMI relies on the NETCONF protocol for managing device configurations. After the user is authenticated, the IVE responds with its system capability string to the client. The SSH client displays this to the user. At this point, the user can execute RPC commands to configure, manage and get information from the IVE. The standard schema for the RPCs and the schema for the RPC replies are elaborated in the DMI specification document. To close the inbound session, the close-session RPC can be used. More information about the close-session RPC is available in section 7.8 of the NETCONF Configuration Protocol RFC [1].

Host System and Logical Systems

For DMI purposes, the root IVS system is called the host system and virtual systems are called logical systems. The connection is said to be either in the host system context or in the logical system context. Some RPCs are available in both contexts, while others are available only in the host system context. The following table lists the standard (i.e., non-product-specific) DMI RPCs and the contexts in which they are available.

DMI RPC                              Host System    Logical System
get-system-information
get-cluster-information
get-hardware-inventory
get-software-inventory
get-license-inventory
edit-config
get-config
get-alarm-information
get-syslog-events
set-logical-system
clear-logical-system
get-configuration-information
get-logical-system-information
request-package-add
request-reboot
backup
restore

The DMI specification document describes the schema for the standard DMI RPCs and their replies. The Sample Code section contains examples of some of the RPCs listed in the table.

Device Specific RPCs

DMI also allows products to define their own non-standard RPCs, called device-specific RPCs. IVE makes use of this option and supports a set of Remote Procedure Calls that are specific only to IVE. These are mainly used for getting runtime state information from the IVE. The table below contains the list of device-specific RPCs of IVE and the context in which the calls are available.

IVE specific RPC                     Host System    Logical System
create-logical-system
delete-logical-system
get-user-stats
get-failed-login-count
get-role-count
get-resource-profile-count
get-vlan-throughput
get-ivs-throughput
validate-custom-expression
get-active-users
disable-all-users
enable-all-users
refresh-roles
delete-active-sessions
add-certificate
get-certificate-info
get-rollback-partition-information
get-staged-package-information

The following subsections elaborate these IVE-specific RPCs, outline the schema for the requests and the replies, and illustrate each of the calls with examples.

create-logical-system

The create-logical-system RPC is used to create a new IVS. This RPC can be issued only in the Root IVS context.

12 Schema for RPC <!-- create-logical-system --> <xs:complextype name="create-logical-system"> <dmi:rpc-info> <name>create Logical System</name> <avail> <matches> <match> <operational-mode>logicalsystems</operational-mode> <value>false</value> </match> <match> <value>true</value> </match> </matches> </avail> This command creates a new logical system <rpc-reply-tag>create-logical-system-reply</rpcreply-tag> </dmi:rpc-info> <xs:sequence> <xs:element name="name" type="xs:string"> <dmi:param-info> <name>logical System Name</name> The name of the logical system to create </dmi:param-info> <xs:element name="description" type="xs:string" minoccurs="0"> <dmi:param-info> <name>logical System Description</name> The detail description of the logical system Juniper Networks, Inc. 12

13 </dmi:param-info> <xs:element name="enabled" type="xs:boolean"> <dmi:param-info> <name>enabled</name> The enable/disable state of the logical system. </dmi:param-info> <xs:element name="initial-configuration" type="xs:string"> <dmi:param-info> <name>logical System Initial configuration</name> Initialize the IVS using the default configuration or copy the configuration from an existing IVS. Specify the name of an existing logical system, or "- Default Config -" </dmi:param-info> <xs:element name="admin-username" type="xs:string" minoccurs="0"> <dmi:param-info> <name>logical System Admin Username</name> The default admin username for the logical system </dmi:param-info> <xs:element name="admin-password" type="xs:string" minoccurs="0"> Juniper Networks, Inc. 13

14 <dmi:param-info> <name>logical System Admin Password</name> The default admin password for the logical system </dmi:param-info> <xs:element name="minimum-guaranteed-users" type="xs:int"> <dmi:param-info> <name>minimum Guaranteed Users</name> The number of concurrent user logins </dmi:param-info> <xs:element name="burstable-maximum-users" type="xs:int"> <dmi:param-info> <name>burstable Maximum Users</name> The maximum concurrent user logins during peak time </dmi:param-info> <xs:element name="total-maximum-bandwidth" type="xs:int" minoccurs="0"> <dmi:param-info> <name>total Maximum Bandwidth</name> The maximum bandwidth available to this logical system </dmi:param-info> Juniper Networks, Inc. 14

15 <xs:element name="nc-maximum-bandwidth" type="xs:int" minoccurs="0"> <dmi:param-info> <name>nc Maximum Bandwidth</name> The maximum bandwidth available to Network Connect in this logical system </dmi:param-info> <xs:element name="vlans"> <dmi:param-info> <name>vlans</name> VLANs available to this logical system </dmi:param-info> <xs:complextype> <xs:sequence> <xs:choice minoccurs="1" maxoccurs="unbounded"> <xs:element name="vlan" minoccurs="1" maxoccurs="unbounded"> <dmi:param-info> <name>vlan</name> Selected VLAN </dmi:param-info> </xsd:annotation> </xs:choice> </xs:sequence> </xs:complextype> <xs:element name="default-vlan" type="xs:string"> Juniper Networks, Inc. 15

16 <dmi:param-info> <name>default VLAN</name> The default VLAN in this logical system </dmi:param-info> <xs:element name="sign-in-url-prefix" type="xs:string" minoccurs="0"> <dmi:param-info> <name>sign-in URL Prefix</name> The sign-in URL prefix used for logical system sign-in </dmi:param-info> <xs:element name="internal-interface-virtual-ports" minoccurs="0"> <dmi:param-info> <name>virtual Ports (Internal Interface)</name> The virtual port on internal interface used for logical system sign-in </dmi:param-info> <xs:complextype> <xs:sequence> <xs:choice minoccurs="0" maxoccurs="unbounded"> <xs:element name="internal-interface-virtualport" minoccurs="0" maxoccurs="unbounded"> <dmi:param-info> <name>virtual Port</name> Selected virtual port Juniper Networks, Inc. 16

17 </dmi:param-info> </xsd:annotation> </xs:choice> </xs:sequence> </xs:complextype> <xs:element name="external-interface-virtual-ports" minoccurs="0"> <dmi:param-info> <name>virtual Ports (External Interface)</name> The virtual port on external interface used for logical system sign-in </dmi:param-info> <xs:complextype> <xs:sequence> <xs:choice minoccurs="0" maxoccurs="unbounded"> <xs:element name="external-interface-virtualport" minoccurs="0" maxoccurs="unbounded"> <dmi:param-info> <name>virtual Port</name> Selected virtual port </dmi:param-info> </xsd:annotation> </xs:choice> </xs:sequence> </xs:complextype> <xs:element name="nc-ip-pools" minoccurs="0"> <dmi:param-info> <name>nc IP Ranges</name> Network Connect Connection Profile IP Juniper Networks, Inc. 17

18 address pools are restricted to the IP ranges listed here </dmi:param-info> <xs:complextype> <xs:sequence> <xs:choice minoccurs="0" maxoccurs="unbounded"> <xs:element name="nc-ip-pool" minoccurs="0" maxoccurs="unbounded"> <dmi:param-info> <name>nc IP Range</name> Network Connect connection profile IP address pool </dmi:param-info> </xsd:annotation> </xs:choice> </xs:sequence> </xs:complextype> </xs:sequence> </xs:complextype> Schema for RPC-REPLY <!-- logical-system-rpc-reply --> <xs:complextype name="logical-system-rpc-reply"> <dmi:rpc-reply-info> Reply to the create-logical-system and deletelogical-system RPCs <rpc-list> <rpc-tag>create-logical-system</rpc-tag> <rpc-tag>delete-logical-system</rpc-tag> </rpc-list> </dmi:rpc-reply-info> Juniper Networks, Inc. 18
  <xs:choice>
    <xs:element name="ok">
      <name>OK</name>
      <desc>Success return</desc>
      <xs:complexType/> <!-- empty element -->
    <xs:element name="rpc-error">
      <name>RPC Error</name>
      <desc>Error return</desc>
      <xs:complexType>
        <xs:sequence>
          <xs:element name="error-type">
            <name>Error Type</name>
            <desc>Error Type</desc>
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:enumeration value="transport"/>
                <xs:enumeration value="rpc"/>
                <xs:enumeration value="protocol"/>
                <xs:enumeration value="application"/>
              </xs:restriction>
            </xs:simpleType>
          <xs:element name="error-tag">
            <name>Error Tag</name>
            <desc>The reason for the error</desc>
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:enumeration value="in-use"/>
                <xs:enumeration value="invalid-value"/>
                <xs:enumeration value="too-big"/>
                <xs:enumeration value="missing-attribute"/>
                <xs:enumeration value="bad-attribute"/>
                <xs:enumeration value="unknown-attribute"/>
                <xs:enumeration value="missing-element"/>
                <xs:enumeration value="bad-element"/>
                <xs:enumeration value="unknown-element"/>
                <xs:enumeration value="unknown-namespace"/>
                <xs:enumeration value="access-denied"/>
                <xs:enumeration value="lock-denied"/>
                <xs:enumeration value="resource-denied"/>
                <xs:enumeration value="rollback-failed"/>
                <xs:enumeration value="data-exists"/>
                <xs:enumeration value="data-missing"/>
                <xs:enumeration value="operation-not-supported"/>
                <xs:enumeration value="operation-failed"/>
                <xs:enumeration value="partial-operation"/>
              </xs:restriction>
            </xs:simpleType>
          <xs:element name="error-severity">
            <name>Error Severity</name>
            <desc>Error Severity</desc>
            <xs:simpleType>
              <xs:restriction base="xs:string">
                <xs:enumeration value="error"/>
                <xs:enumeration value="warning"/>
              </xs:restriction>
            </xs:simpleType>
        </xs:sequence>
      </xs:complexType>
  </xs:choice>
</xs:complexType>

The error-type, error-tag and error-severity values above are the standard NETCONF rpc-error vocabulary, so a generic NETCONF client can classify a DMI failure (for example access-denied, lock-denied or data-exists) without product-specific code.

The following is an example of creating a new logical system, passing only the mandatory parameters of the RPC. The XML creates a logical system with the default configuration and sets Internal Port as the default VLAN for the newly created IVS.

Example for RPC

<rpc message-id='101' xmlns='urn:ietf:params:xml:ns:netconf:base:1.0'>
  <create-logical-system>
    <name>test</name>
    <initial-configuration>- Default Config -</initial-configuration>
    <enabled>true</enabled>
    <minimum-guaranteed-users>3</minimum-guaranteed-users>
    <burstable-maximum-users>4</burstable-maximum-users>
    <vlans>
      <vlan>Internal Port</vlan>
    </vlans>
    <default-vlan>Internal Port</default-vlan>
  </create-logical-system>
</rpc>

If the RPC succeeds, the following reply is received. On error, the rpc-error element in the reply explains why the command failed.

Example for RPC-REPLY

<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>

An example of the same RPC with all parameters passed is given below. It assumes that the virtual ports and the NC IP pools are already configured in the IVE; without them the command fails. This RPC creates an IVS with its configuration copied from the Root IVS. Note that admin-password is carried as literal text inside the RPC body, so it is protected only by the DMI session transport; treat the value shown as a placeholder for a test environment and change it once the IVS exists.

Example for RPC

<rpc message-id='101' xmlns='urn:ietf:params:xml:ns:netconf:base:1.0'>
  <create-logical-system>
    <name>test</name>
    <initial-configuration>root</initial-configuration>
    <enabled>true</enabled>
    <admin-username>admin</admin-username>
    <admin-password>dana123</admin-password>
    <minimum-guaranteed-users>3</minimum-guaranteed-users>
    <burstable-maximum-users>4</burstable-maximum-users>
    <vlans>
      <vlan>Internal Port</vlan>
    </vlans>
    <default-vlan>Internal Port</default-vlan>
    <internal-virtual-ports>
      <internal-virtual-port>int_vp1</internal-virtual-port>
      <internal-virtual-port>int_vp2</internal-virtual-port>
    </internal-virtual-ports>
    <nc-ip-pools>
      <nc-ip-pool> </nc-ip-pool>
      <nc-ip-pool> </nc-ip-pool>
    </nc-ip-pools>
  </create-logical-system>
</rpc>

Note that the element names used for the virtual ports in this example (internal-virtual-ports, internal-virtual-port) differ from those in the RPC schema (internal-interface-virtual-ports, internal-interface-virtual-port); validate requests against the schema file shipped with your release.

delete-logical-system

The delete-logical-system RPC, as the name implies, deletes an IVS from the IVE. The command takes the name of the IVS as its only parameter.

Schema for the RPC

<!-- delete-logical-system -->
<xs:complexType name="delete-logical-system">
  <dmi:rpc-info>
    <name>Delete Logical System</name>
    <avail>
      <matches>
        <match>
          <operational-mode>logicalsystems</operational-mode>
          <value>false</value>
        </match>
        <match>
          <value>true</value>
        </match>
      </matches>
    </avail>
    This command deletes an existing logical system
    <rpc-reply-tag>delete-logical-system-reply</rpc-reply-tag>
  </dmi:rpc-info>
  <xs:sequence>
    <xs:element name="name" type="xs:string">
      <dmi:param-info>
        <name>Logical System Name</name>
        The name of the logical system to delete
      </dmi:param-info>
  </xs:sequence>
</xs:complexType>

The delete-logical-system RPC takes the name of the IVS as its parameter and, if an IVS with that name exists, deletes it from the IVE.

Example for RPC

<rpc message-id='101' xmlns='urn:ietf:params:xml:ns:netconf:base:1.0'>
  <delete-logical-system>
    <name>test</name>
  </delete-logical-system>
</rpc>

If the RPC succeeds, the following reply is received.

Example for RPC-REPLY

<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>

get-user-stats

The get-user-stats RPC retrieves the number of users currently signed in to the IVE, together with the minimum and maximum user counts over the last 24-hour interval. Optionally, the RPC takes a parameter that resets the data after it is retrieved. The call can be executed in both the host-system context and the logical-system context, and the returned data applies to the IVS in which it is executed.

Schema for RPC

<!-- get-user-stats -->
<xs:complexType name="get-user-stats">
  <dmi:rpc-info>
    <name>Get user statistics</name>
    This command returns AllocatedUserCount, CurrentUserCount, MaxUsersin24Hrs and MinUsersin24Hrs
    <rpc-reply-tag>user-stats</rpc-reply-tag>
  </dmi:rpc-info>
  <xs:sequence>
    <xs:element name="reset" type="xs:boolean" minOccurs="0">
      <dmi:param-info>
        <name>Reset Stats</name>
        This governs the resetting of the statistics data. By default, the data is not reset.
      </dmi:param-info>
  </xs:sequence>
</xs:complexType>

As shown in the schema below, the IVE sends back the following data:

- Total number of allocated users
- Total number of current users
- Maximum number of active users in the last 24-hour period
- Minimum number of active users in the last 24-hour period

Schema for RPC-REPLY

<!-- user-stats -->
<xs:complexType name="user-stats">
  <dmi:rpc-reply-info>
    User Statistics
    <rpc-list>
      <rpc-tag>get-user-stats</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="allocated-user-count" type="xs:string">
      <name>Allocated User Count</name>
      <desc>The Allocated User Count for the logical system</desc>
    <xs:element name="current-user-count" type="xs:string">
      <name>Current user count</name>
      <desc>The number of users logged in currently</desc>
    <xs:element name="max-active-user-count-24hrs" type="xs:string">
      <name>Max active user count in the last 24 Hrs</name>
      <desc>The Max active user count for a 24 Hrs moving window</desc>
    <xs:element name="min-active-user-count-24hrs" type="xs:string">
      <name>Min active user count in the last 24 Hrs</name>
      <desc>The Min active user count for a 24 Hrs moving window</desc>
  </xs:sequence>
</xs:complexType>

An example of the get-user-stats RPC call and its reply is rendered below.

Example for RPC

<rpc message-id="12">
  <get-user-stats/>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <user-stats>
    <allocated-user-count>10</allocated-user-count>
    <current-user-count>3</current-user-count>
    <max-active-user-count-24hrs>2</max-active-user-count-24hrs>
    <min-active-user-count-24hrs>0</min-active-user-count-24hrs>
  </user-stats>
</rpc-reply>

get-failed-login-count

The get-failed-login-count RPC retrieves the number of login failures in the last 24-hour interval, split into logins refused because the number of users exceeded the allowed limit and logins refused because authentication failed. Like get-user-stats, it takes the optional reset parameter.

Schema for the RPC

<!-- get-failed-login-count -->
<xs:complexType name="get-failed-login-count">
  <dmi:rpc-info>
    <name>Get failed login count for Authentication failure and Exceeded user</name>
    This command returns the number of logins refused due to exceeding allowed limits and due to authentication failure (24 hour moving window)
    <rpc-reply-tag>failed-login-count</rpc-reply-tag>
  </dmi:rpc-info>
  <xs:sequence>
    <xs:element name="reset" type="xs:boolean" minOccurs="0">
      <dmi:param-info>
        <name>Reset Stats</name>
        This governs the resetting of the statistics data. By default, the data is not reset.
      </dmi:param-info>
  </xs:sequence>
</xs:complexType>

Schema for RPC-REPLY

<!-- failed-login-count -->
<xs:complexType name="failed-login-count">
  <dmi:rpc-reply-info>
    Failed Login statistics Info
    <rpc-list>
      <rpc-tag>get-failed-login-count</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="exceeded-user-count" type="xs:string">
      <name>Number of login failures due to exceeded login user limit</name>
      <desc>The number of user logins refused due to exceeded user count.</desc>
    <xs:element name="failed-auth-count" type="xs:string">
      <name>Number of login failures due to authentication failure</name>
      <desc>The number of user logins refused due to authentication failure.</desc>
  </xs:sequence>
</xs:complexType>

An example of the get-failed-login-count RPC and its response is given below.

Example for RPC

<rpc message-id="12">
  <get-failed-login-count/>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <failed-login-count>
    <exceeded-user-count>2</exceeded-user-count>
    <failed-auth-count>4</failed-auth-count>
  </failed-login-count>
</rpc-reply>

get-role-count

The get-role-count RPC retrieves the number of administrative roles and user roles defined in the IVS. It can be executed in both the host-system and the logical-system context, and the reply contains the counts for the IVS currently selected.

Schema for RPC

<!-- get-role-count -->
<xs:complexType name="get-role-count">
  <dmi:rpc-info>
    <name>Get the roles count</name>
    This command returns the admin and user role count.
    <rpc-reply-tag>role-count</rpc-reply-tag>
  </dmi:rpc-info>
</xs:complexType>

Schema for RPC-REPLY

<!-- role-count -->
<xs:complexType name="role-count">
  <dmi:rpc-reply-info>
    Number of roles configured
    <rpc-list>
      <rpc-tag>get-role-count</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="admin-role-count" type="xs:string">
      <name>Admin roles Count</name>
      <desc>The total number of admin roles configured for the logical system</desc>
    <xs:element name="user-role-count" type="xs:string">
      <name>User roles Count</name>
      <desc>The total number of user roles configured for the logical system</desc>
  </xs:sequence>
</xs:complexType>

An example of the RPC and its reply follows.

Example for RPC

<rpc message-id="12">
  <get-role-count/>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <role-count>
    <admin-role-count>2</admin-role-count>
    <user-role-count>1</user-role-count>
  </role-count>
</rpc-reply>

get-resource-profile-count

The number of resource profiles in the IVS can be retrieved with the get-resource-profile-count RPC. The schema for the RPC and its reply follows.

Schema for the RPC

<!-- get-resource-profile-count -->
<xs:complexType name="get-resource-profile-count">
  <dmi:rpc-info>
    <name>Get the resource profile count</name>
    This command returns the number of resource profiles in the logical system.
    <rpc-reply-tag>resource-profile-count</rpc-reply-tag>
  </dmi:rpc-info>
</xs:complexType>

Schema for RPC-REPLY

<!-- resource-profile-count -->
<xs:complexType name="resource-profile-count">
  <dmi:rpc-reply-info>
    Number of resource profiles configured.
    <rpc-list>
      <rpc-tag>get-resource-profile-count</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="profile-count" type="xs:string">
      <name>Resource profile Count</name>
      <desc>The total number of resource profiles configured for the logical system</desc>
  </xs:sequence>
</xs:complexType>

An example of the RPC request and its response is rendered below.

Example for RPC

<rpc message-id="12">
  <get-resource-profile-count/>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <resource-profile-count>
    <profile-count>20</profile-count>
  </resource-profile-count>
</rpc-reply>

get-vlan-throughput

The throughput of a specific VLAN can be retrieved with the get-vlan-throughput RPC. The reply reports the VLAN's throughput in bytes. The schema for the RPC and its reply is given below.

Schema for the RPC

<!-- get-vlan-throughput -->
<xs:complexType name="get-vlan-throughput">
  <dmi:rpc-info>
    <name>Get VLAN Throughput</name>
    This command returns the throughput for the VLAN ID sent as parameter
    <rpc-reply-tag>vlan-throughput</rpc-reply-tag>
  </dmi:rpc-info>
  <xs:sequence>
    <xs:element name="vlanid" type="xs:string">
      <dmi:param-info>
        <name>VLAN ID</name>
        The ID of the VLAN whose throughput is required. The values should be in the range Indicated the internal interface.
        </description>
      </dmi:param-info>
    <xs:element name="reset" type="xs:boolean" minOccurs="0">
      <dmi:param-info>
        <name>Reset Stats</name>
        This governs the resetting of the statistics data. By default, the data is not reset.
      </dmi:param-info>
  </xs:sequence>
</xs:complexType>

Schema for RPC-REPLY

<!-- vlan-throughput -->
<xs:complexType name="vlan-throughput">
  <dmi:rpc-reply-info>
    VLAN throughput information
    <rpc-list>
      <rpc-tag>get-vlan-throughput</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="max-throughput" type="xs:string">
      <name>Maximum throughput over the last 24 Hrs</name>
      <desc>Maximum throughput over the last 24 Hrs</desc>
    <xs:element name="min-throughput" type="xs:string">
      <name>Minimum throughput over the last 24 Hrs</name>
      <desc>Minimum throughput over the last 24 Hrs</desc>
    <xs:element name="avg-throughput" type="xs:string">
      <name>Average throughput over the last 24 Hrs</name>
      <desc>Average throughput over the last 24 Hrs</desc>
  </xs:sequence>
</xs:complexType>

An example of the RPC and its response is given below.

Example for RPC

<rpc message-id="12">
  <get-vlan-throughput>
    <vlanid>0</vlanid>
  </get-vlan-throughput>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <vlan-throughput>
    <max-throughput> </max-throughput>
    <min-throughput>0</min-throughput>
    <avg-throughput> </avg-throughput>
  </vlan-throughput>
</rpc-reply>

get-ivs-throughput

A variation on retrieving throughput from the IVE is to retrieve the value for a given IVS. If multiple VLANs are assigned to an IVS, the throughput returned is the consolidated value over all the VLANs of that IVS. The RPC also takes the reset parameter, which if set resets the current throughput values. The schema for the RPC and its reply follows.

Schema for the RPC

<!-- get-throughput -->
<xs:complexType name="get-throughput">
  <dmi:rpc-info>
    <name>Get throughput for the logical system</name>
    This command returns the consolidated throughput for all the VLANs of a logical system
    <rpc-reply-tag>ivs-throughput</rpc-reply-tag>
  </dmi:rpc-info>
  <xs:sequence>
    <xs:element name="reset" type="xs:boolean" minOccurs="0">
      <dmi:param-info>
        <name>Reset Stats</name>
        This governs the resetting of the statistics data. By default, the data is not reset.
      </dmi:param-info>
  </xs:sequence>
</xs:complexType>

Schema for RPC-REPLY

<!-- ivs-throughput -->
<xs:complexType name="ivs-throughput">
  <dmi:rpc-reply-info>
    IVS throughput information
    <rpc-list>
      <rpc-tag>get-throughput</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="max-throughput" type="xs:string">
      <name>Maximum throughput over the last 24 Hrs</name>
      <desc>Maximum throughput over the last 24 Hrs</desc>
    <xs:element name="min-throughput" type="xs:string">
      <name>Minimum throughput over the last 24 Hrs</name>
      <desc>Minimum throughput over the last 24 Hrs</desc>
    <xs:element name="avg-throughput" type="xs:string">
      <name>Average throughput over the last 24 Hrs</name>
      <desc>Average throughput over the last 24 Hrs</desc>
  </xs:sequence>
</xs:complexType>

An example of the RPC and its response is rendered below. Note that the schema above names the RPC get-throughput and defines only the optional reset parameter, whereas this example calls get-ivs-throughput with a name parameter; check the schema file shipped with your release before relying on either form.

Example for RPC

<rpc message-id="12">
  <get-ivs-throughput>
    <name>test</name>
  </get-ivs-throughput>
</rpc>

Example for RPC-REPLY

<rpc-reply message-id="12" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ivs-throughput>
    <max-throughput> </max-throughput>
    <min-throughput>0</min-throughput>
    <avg-throughput> </avg-throughput>
  </ivs-throughput>
</rpc-reply>
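The following is an added example and not part of the Juniper guide: a small Python helper that builds the create-logical-system and delete-logical-system RPCs described earlier, checks that a reply carries the request's message-id, maps an rpc-error reply onto the error-type, error-tag and error-severity fields of the logical-system-rpc-reply schema, and turns get-user-stats and get-failed-login-count replies into operator findings. How the XML reaches the IVE (the DMI session itself) is out of scope. The sample replies are constructed from the values shown in the examples on this page; the default-VLAN check, the assess() function and its capacity and authentication-failure thresholds are assumptions of this example, not documented device behaviour.

```python
# Added example for this guide's DMI RPCs; not Juniper code. Transport is out of
# scope: the functions only build request XML and interpret reply XML offline.
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


class DmiRpcError(Exception):
    """An <rpc-error> reply, carrying the three fields of the logical-system-rpc-reply schema."""

    def __init__(self, error_type, error_tag, severity):
        super().__init__(f"{severity}: {error_type}/{error_tag}")
        self.error_type, self.error_tag, self.severity = error_type, error_tag, severity


def _append(parent, tag, value):
    """Append <tag> under parent: dicts nest, lists repeat the tag, bools become true/false."""
    if isinstance(value, list):
        for item in value:
            _append(parent, tag, item)
        return
    child = ET.SubElement(parent, tag)
    if isinstance(value, dict):
        for sub_tag, sub_value in value.items():
            _append(child, sub_tag, sub_value)
    elif isinstance(value, bool):
        child.text = "true" if value else "false"
    elif value is not None:
        child.text = str(value)


def build_rpc(message_id, operation, params=None):
    """Serialize <rpc message-id="..."><operation>...</operation></rpc> in the NETCONF base namespace."""
    rpc = ET.Element("rpc", {"message-id": str(message_id), "xmlns": NETCONF_NS})
    _append(rpc, operation, params or {})
    return ET.tostring(rpc, encoding="unicode")


def create_logical_system(message_id, name, vlans, default_vlan, min_users, max_users,
                          initial_configuration="- Default Config -", admin=None,
                          internal_virtual_ports=(), nc_ip_pools=()):
    """Build create-logical-system in the element order used by the guide's examples."""
    if default_vlan not in vlans:  # client-side check (assumption): the default must be an assigned VLAN
        raise ValueError("default-vlan must be one of the VLANs assigned to the logical system")
    params = {"name": name, "initial-configuration": initial_configuration, "enabled": True}
    if admin:  # (username, password); the password travels as literal text in the RPC body
        params["admin-username"], params["admin-password"] = admin
    params.update({"minimum-guaranteed-users": min_users, "burstable-maximum-users": max_users,
                   "vlans": {"vlan": list(vlans)}, "default-vlan": default_vlan})
    if internal_virtual_ports:
        params["internal-virtual-ports"] = {"internal-virtual-port": list(internal_virtual_ports)}
    if nc_ip_pools:
        params["nc-ip-pools"] = {"nc-ip-pool": list(nc_ip_pools)}
    return build_rpc(message_id, "create-logical-system", params)


def delete_logical_system(message_id, name):
    return build_rpc(message_id, "delete-logical-system", {"name": name})


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace ElementTree prefixes onto tags


def parse_reply(reply_xml, expected_message_id):
    """Return the payload element (None for <ok/>); raise DmiRpcError for <rpc-error>."""
    root = ET.fromstring(reply_xml)
    if _local(root.tag) != "rpc-reply" or len(root) == 0:
        raise ValueError("not a well-formed rpc-reply")
    if root.get("message-id") != str(expected_message_id):  # replies are correlated only by this attribute
        raise ValueError("message-id mismatch: reply does not belong to this request")
    payload = root[0]
    kind = _local(payload.tag)
    if kind == "ok":
        return None
    if kind == "rpc-error":
        f = {_local(c.tag): (c.text or "").strip() for c in payload}
        raise DmiRpcError(f.get("error-type"), f.get("error-tag"), f.get("error-severity"))
    return payload


def counters(payload):
    """Flatten a statistics payload such as <user-stats> into {element-name: int}."""
    return {_local(c.tag): int((c.text or "0").strip()) for c in payload}


def assess(user_stats, failed_logins, capacity_warn=0.8, auth_failure_warn=50):
    """Operator findings from get-user-stats and get-failed-login-count counters.
    Both thresholds are assumptions of this example, not device defaults."""
    findings = []
    allocated = user_stats["allocated-user-count"]
    peak = max(user_stats["current-user-count"], user_stats["max-active-user-count-24hrs"])
    if allocated and peak / allocated >= capacity_warn:
        findings.append(f"peak {peak} of {allocated} allocated users ({peak / allocated:.0%})")
    if failed_logins["exceeded-user-count"]:
        findings.append(f"{failed_logins['exceeded-user-count']} logins refused: user limit exceeded")
    if failed_logins["failed-auth-count"] >= auth_failure_warn:
        findings.append(f"{failed_logins['failed-auth-count']} authentication failures in 24h")
    return findings


# Constructed replies using the values from this guide's examples.
USER_STATS_REPLY = (f'<rpc-reply message-id="12" xmlns="{NETCONF_NS}"><user-stats>'
                    '<allocated-user-count>10</allocated-user-count><current-user-count>3</current-user-count>'
                    '<max-active-user-count-24hrs>2</max-active-user-count-24hrs>'
                    '<min-active-user-count-24hrs>0</min-active-user-count-24hrs></user-stats></rpc-reply>')
FAILED_LOGIN_REPLY = (f'<rpc-reply message-id="12" xmlns="{NETCONF_NS}"><failed-login-count>'
                      '<exceeded-user-count>2</exceeded-user-count><failed-auth-count>4</failed-auth-count>'
                      '</failed-login-count></rpc-reply>')
```

Usage: `parse_reply(USER_STATS_REPLY, 12)` returns the `<user-stats>` element, `counters()` turns it into integers, and `assess(counters(...), counters(parse_reply(FAILED_LOGIN_REPLY, 12)))` reports the two refused logins from the example; a `DmiRpcError` from `parse_reply` carries the error-tag (for example `data-exists` when a logical system of that name already exists) so the caller can decide whether to retry, rename or stop. The message-id check is deliberate: DMI replies are tied to requests only by that attribute, so a stale or mismatched reply must not be read as the answer to the current request.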

get-rollback-partition-information

The get-rollback-partition-information RPC retrieves the device's rollback version information, such as the OS name, OS version and OS build number.

Schema for RPC

<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="
  <!-- get-rollback-partition-information -->
  <xs:complexType name="get-rollback-partition-information">
    <dmi:rpc-info>
      <name>Get Rollback Partition Information</name>
      This command returns the IVE's rollback partition information
      <rpc-reply-tag>rollback-partition-information</rpc-reply-tag>
    </dmi:rpc-info>
  </xs:complexType>
</xs:schema>

Schema for RPC-REPLY

<xs:complexType name="rollback-partition-information">
  <dmi:rpc-reply-info>
    Rollback Software Image Information
    <rpc-list>
      <rpc-tag>get-rollback-partition-information</rpc-tag>
    </rpc-list>
  </dmi:rpc-reply-info>
  <xs:sequence>
    <xs:element name="os-name" type="xs:string">