Applies To:Show Versions
- 2.2 PTF-02, 2.2 PTF-01, 2.2.0
ITCMconsole Command Line Interface
The ITCMconsole command line interface adds new functionality to the GLOBAL-SITE Controller. With these new commands you have an even greater ability to configure and run the controller.
This chapter lists the various ITCMconsole commands, including syntax requirements and functional descriptions. Table 6.1 outlines the conventions used in the command line syntax.
Using the ITCMconsole
To run the ITCMconsole, you have to be logged in as the root user. You can use the ITCMconsole in two ways, batch mode and interactive mode. For batch mode, if you are at the command prompt, and you know the entire command, you can type it out in a string (starting with ITCMconsole) on one line and then press the Enter key. For interactive mode, you have to be inside the ITCMconsole shell, which you open by typing ITCMconsole at the command prompt and pressing the Enter key. Interactive mode is very useful if you are unsure of the exact syntax of the commands, or if you want to see the online help for the commands. You use interactive mode by pressing the Enter key after each command, which allows the system to query you as to what you would like to type next.
For example, the interactive process shown in Figure 6.1 gets the same results as this string:
ITCMconsole user logadmin enable
Figure 6.1 Sample interactive mode for the ITCMconsole
[root@user /root]# ITCMconsole
Press ? for help at any time
Press Ctrl-U to clear the line
root Modify root user account
support Modify the support user account
logadmin Modify FTP user account
gsite Modify gsite user account
disable Disable the FTP user (logadmin)
enable Enable the FTP user (logadmin)
password Change the password for the FTP user (logadmin)
ITCMconsole___FCKpd___0gt;user logadmin enable
Logadmin account enabled
In interactive mode, you can use auto-complete (also known as tabbed complete). If you type the first few letters of a command and press the Tab key, the command completes itself without your having to type the entire command.
Ctrl + U clears all the text in front of the ITCMconsole prompt. Ctrl + X breaks you out of an interactive command prompt and returns you to the ITCMconsole prompt. The quit command closes the ITCMconsole shell.
We present the commands and examples in this chapter assuming that you are using interactive mode. If you are using batch mode, you need to preface each command with the prefix ITCMconsole. For example, to use the command show user in batch mode, you type:
ITCMconsole show user
Tip: You can type ITCMconsole or gsconfig to open the ITCMconsole command line interface.
The following lists in alphabetical order the individual ITCMconsole commands, with a concise definition, and a page reference where you can find the detailed description.
Displays the ITCMconsole commands or subcommands for that level and the online help for those commands.
Configures the access control list (ACL).
Configures default and user-defined alerts.
Sets the current date and time.
Sets a new, unique GLOBAL-SITE identifier.
Provides tools used to configure LDAP.
Checks if there is a valid license for the product.
Configures the network settings.
Configures outbound transfer rate limiting.
Reboots the machine.
Configures system services and daemons.
Shows details of the system.
Configures the system time zone.
Modifies system user accounts.
Configures the webserver.
Creates/modifies/deletes web users.
Allows/denies/sets priority for tcp wrappers.
The ? command displays the list of commands or subcommands and the corresponding online help for each.
To see the list of initial commands, at the ITCMconsole prompt, type:
Figure 6.2 demonstrates the results when you type alert ?.
Figure 6.2 Example of subcommand list text
raise Raise a named alert with optional data
add Add an alert with an associated action
delete Delete an alert and its associated action
modify Modify an existing alert
named_action Add/Delete/Modify a named action for alerts
setting Configure default settings for alerts
Figure 6.3 demonstrates the results when you type alert raise ?.
Figure 6.3 Example of command help text
ITCMconsole___FCKpd___2gt;alert raise ?
Raise a named alert with optional data.
Usage: alert raise [name][args]
[name] is the name of the alert and
[args] are any action overrides in the form of setting=value pairs.
Whether overrides are used depends on which actions are configured.
Available settings are:
description (used for trap messages and email subject lines)
toaddress (override for To: address field for email actions)
fromaddress (override for email From: address field)
attachment (file name for overriding email attachment field)
body (default body text for email actions)
command (overrides command to run for exec actions)
The access control list (ACL) tells the operating system what access rights each user has for a particular object. The .acl file is /config/default.acl.
Working with the default.acl file
You should only edit the /config/default.acl file if you understand the rules associated with it. Using the acl command, you can check the file syntax and migrate the default.acl file to the LDAP database. To see a sample ACL file, go to /config/sample1.acl.
To check the syntax of the acl file
If you modify the default.acl file, you should check the syntax of your changes. To do this, type:
To migrate the default.acl file to the LDAP database, type:
show alert [all | named | action | setting]
alert raise [name][args]
alert add [name][action][args]
alert delete [name]
alert modify add_action [name][action][args]
alert modify delete_action [name][action_name]
alert named_action add [action_name][subaction][args]
alert named_action delete [action name]
alert named_action add_subaction [name][subaction][args]
alert named_action delete_subaction [name][subaction]
alert setting add [variable=value]
alert setting delete [name]
You use the alert command to configure default alerts (see Default alerts, on page 7-3 ) and user-defined alerts (see Creating user-defined alerts, on page 7-4 ). Most default alerts have SNMP trap information associated with them. Alerts with OIDs can be triggered by specific events (see Figure 6.4 for a complete list of the default alerts and their triggers). For more specific information see Chapter 7, SNMP, MIBs, Traps, and Alerts .
To view all the alerts, actions, and global settings use the show alert all command.
Creating actions and subactions
User-defined alerts are made up of actions and/or subactions. Default alerts can be modified to use actions and/or subactions. Actions and subactions use one of the following: exec, email, or named_action. Actions and subactions tell the alert what to do when it triggers. Description is a required field and should be used to describe the triggering event for an alert.
Use exec when you want to run a command when the alert triggers. Commands run as root when triggered. The exec command requires a command to run when an alert triggers.
Use email when you want to send email notification of an event (modifying a default alert) or when you raise an alert. The email command requires a To address and may have one or more of the following:
- additional To addresses
You can add as many addresses as you want. Separate each address with a semi-colon (;).
- From address
The address you want to appear in the email From box. This variable is optional, press the Enter key to choose the default [none].
The text you want to appear in the body of the email. This variable optional, press the Enter key to choose the default [none].
The file name of any attachment you want sent with the email alert. This variable is optional, press the Enter key to choose the default [none].
The text for the subject line of the email.
A named_action groups together a set of email, exec, or other named_actions into a single entity. Once you create a named_action, you can reuse it in any number of alerts just by adding its name to the alert. If you need to use the same action more than once, then using a named_action is the most efficient way to do this.
Initially the named_action is created with a single subaction. Additional subactions may be added once the named_action has been created. The information you need to create a named_action depends on the type of subaction you use: email or exec, and the args you use (if any). Global settings provide values for any variables (args) that you do not give a value to. You use the following command to create a named_action.
alert named_action add [action_name][subaction][args]
Creating user-defined alerts
From the ITCMconsole, you can create your own user-defined alerts using the alert commands. User-defined alerts are not triggered by an event, they can however be issued by using the alert raise command. (If you want to send an alert based on an event, you need to modify a default alert. See Default alerts, on page 7-3 .) User-defined alerts do not have an OID and therefore cannot be used to send SNMP traps.
The show alert all command displays both default alerts and user-defined alerts. The main information that you need is the name of the alert and then only if you plan on modifying it in some way. You can also see what named actions or subactions you have assigned to an alert. You need the named_action (or subaction) if you wanted to change or delete it.
To create or modify a user-defined alert
- From the ITCMconsole, type:
- At the prompt for Alert name, type a name for the alert.
- Choose to add either a named_action, email, or exec as your action.
· A named_action is an user-defined action that you created previously. (Please see named_action, on page 6-7 for information on creating a named_action.) At the prompt, type the name of the named_action you created.
· An email action sends an email for the alert. At the prompt, type email (see email, on page 6-6 for more information). The steps that follow ask you for the to address, from address, body text, and if you want to add an attachment, the attachment name.
· An exec action runs scripts or executables for the alert (see exec, on page 6-6 for more information). At the prompt, type exec. The steps that follows asks you for a command to execute when the alert triggers and for a description of the alert.
Modifying default alerts
You can add or delete user-defined actions to the default alerts, but you cannot delete default alerts, change the name of the default alerts, or change the OID. Actions can be either named_action, email, or exec. For example, upon successful publication of a site, the snmpd sends the GLOBALSITE.globalsiteTrapPublicationSucceeded trap "Publication succeeded" to the destination IP address. You can modify the default alert and add an email action that sends mail to additional people, to inform them of the successful publication as well.
/*DESCRIPTION*/ "A disk drive has failed."
/*DESCRIPTION*/ "There is not enough memory to complete an operation."
/*DESCRIPTION*/ "The CPU usage exceeds its threshold."
/*DESCRIPTION*/ "The data disk is full."
/*DESCRIPTION*/ "The configuration disk is full."
/*DESCRIPTION*/ "Publication succeeded."
/*DESCRIPTION*/ "Publication failed."
/*DESCRIPTION*/ "There is no new version of this publication."
To modify a default alert
To modify a default alert, you first need to know the name of that alert. Default alert names can be fairly long and must be typed accurately. You can also find the names of the default alerts in the GLOBAL-SITE MIB, which can be accessed from the GLOBAL-SITE Controller home screen or from the Documentation section of the product CD splash screen.
Tip: If you are accessing the GLOBAL-SITE Controller from an SSH application, and this application allows you to copy and paste, we recommend you do so.
- To get the name of the alert from the ITCMconsole, type:
show alert all
- If possible copy the name of the alert you want to modify.
- From the ITCMconsole, type:
alert modify add_action
- At the prompt for Alert name paste or type the name of the alert.
- Choose to add either a named_action, email, or exec as your action.
· A named_action is an user-defined action that you created previously. (Please see exec, on page 6-6 for information on creating a named_action.) At the prompt, type the name of the named_action.
· An email action sends an email when the alert triggers (please see email, on page 6-6 for more information). At the prompt, type email. The steps that follow ask you for the to address, from address, description (subject line), body text, and if you want to add an attachment, the attachment name.
· An exec action runs scripts or executables for the alert (please see exec, on page 6-6 ). At the prompt, type exec. The steps that follows asks you for a command to execute when the alert triggers and a description of the alert.
Changing global settings
There are six global settings that you can assign a value to. These global settings become the default values in the alerts or actions you create. When you use the global settings you do not have to retype the same information over and over for each alert or action you create. If you leave a global setting without a value, the setting is ignored.
The global settings are:
used for default alert messages and email subject lines
the To address box for email actions
the From address box for email actions
the file name for the email attachment
the default body text for email actions
the command to run for exec actions
To set the global settings
Changing or setting the global settings requires that you know the name of the setting you want to change. The names are listed here, but you can also find them by typing:
alert setting add ?
Then, to change a setting, you type:
alert setting add [setting name]
For example, to change or set the description variable, type:
alert setting add description This is a GLOBAL-SITE alert.
When the setting changes, you see a confirmation message.
Warning: You are not given any warning if you are overwriting a global setting that you already gave a default value. Use the show alert all command to see any set global settings.
Overriding global settings
You use [args] to override the global settings within an individual alert, named_action, or sub_action. For example, if you create a new alert, named globalsite_action and you want to override the toaddress global setting, you type:
alert add globalsite_action email firstname.lastname@example.org
The date command allows you to reset the date and time ( using a 24 hour clock) on your machine. The format for the date command is: [MMDDhhmm[[CC]YY][.ss]].
Setting the date and time
You set the date and time using the following system:
- MM is the two-digit month number
- DD is the two-digit date
- hh is the two-digit hour (24 hour clock)
- mm is the two-digit minute
- CCYY (optional) is the four-digit year
- .ss (optional) is for seconds (0 - 61)
So to set the clock for October 10, 2001 at 4 p.m., you could type:
The GLOBAL-SITE identifier is a unique, pre-assigned numeric identifier provided by your vendor that distinguishes one GLOBAL-SITE from all others.
A host name must already be set prior to running this command.
The gs_identifier command resets the GLOBAL-SITE identifier on the controller. The identifier can be any integer, but it does not accept letters or special characters.
To show the current GLOBAL-SITE identifier, type:
Warning: If you change the GLOBAL-SITE identifier on a controller, you must update its gs_identifier information on all the GLOBAL-SITE Controllers that use that controller as a distributor. This is done from the web-based user interface from the Distributor List screen.
show ldap | host | admin | status
ldap sethost <hostname>
ldap setpassword <password> <password>
ldap checkhost [<hostname> [<userdn> <password>]]
ldap installhost <LDAP admin dn> <LDAP admin pwd>
This group of commands configures the LDAP server. The GLOBAL-SITE Controller uses the LDAP server for iControl and web user authentication purposes.
Running the LDAP server
To allow the LDAP server to start when you reboot the computer, type:
If you do not want the LDAP server to start when you reboot the computer, type:
To start or stop the LDAP server, type:
Administering the LDAP server
The command ldap setpassword modifies the LDAP root password.
You can change the LDAP host used for authentication with the ldap sethost command.
Checking the host name for the LDAP server
The ldap checkhost command shows whether the host has an LDAP server available for authentication. You can use the fully qualified domain name or the IP address as the <hostname> variable.
To see if a login is valid on the LDAP server, you can add the <userdn> and <password> pair to the command. The <userdn> must be a distinguished name, for example, cn=Manager,dc=f5,dc=com. To find the userdn for the local LDAP server, type:
show ldap admin
Changing the IP address of the controller
If for some reason you need to change the IP address for the GLOBAL-SITE Controller, you need to run the following command after you make the change:
ldap installhost <AdminDN> <LDAP admin password>
Changing the LDAP server
If you change the LDAP server you use for authentication, you need to stop and restart the CORBA daemon using the service corba stop and service corba start commands. For information on the CORBA daemon, see service, on page 6-28 of this chapter. Changes to the LDAP server are any of the following:
- remote host to local host
- local host to remote host
- remote host to a different remote host
To change from a remote LDAP server to a local LDAP server
If your controller currently points to a remote LDAP server and you need to set up a local LDAP server, use the following script. Note that when you type the new LDAP admin password, you are creating a new administrator password for the local LDAP server.
/usr/local/bin/setuplocalldap.sh <new LDAP admin password>
To change from a local LDAP server to a remote LDAP server
If your controller currently has an LDAP server, and you want to change to a remote server that is already set up, use the following script:
/usr/local/bin/useremoteldap.sh <hostname> <remote LDAP admin password>
To change from one remote LDAP server to a different remote LDAP server
If your controller currently points to one remote LDAP server and you want to change it to another remote LDAP server, use the following two commands:
ldap sethost <hostname>
ldap installhost <cn=manager,dc=f5,dc=com> <remote server's ldap admin pwd>
Checking status on the LDAP server
To see if the LDAP server is enabled and running, type:
show ldap status
To see what the host name is for the LDAP server, type:
show ldap host
license [check] <product>
Use license check to see if you are licensed for the product you purchased. Type:
If you are properly licensed, the response reads: Authorized for GLOBAL-SITE. If you are not authorized, please contact support to get a valid license key.
show netinet [config | dns | domains | hostname | defaultrouter | interfaces]
netinet defaultrouter <router> | none
netinet dns <dns> | none
netinet domains <domains> | none
netinet ntp <ntp server> | none
netinet hostname <host name>
netinet interface [add_sub | remove_sub | eth0 | eth1]
The netinet command configures your network devices. You first configured these devices during the First-Time Boot utility. Use this command to make any changes to the configuration of those devices.
For all netinet commands except the netinet ntp command, you need to reboot for your changes to take effect. To reboot, type reboot from the ITCMconsole. For netinet ntp, you need to stop and restart the NTP daemon for your changes to take effect. At the ITCMconsole, type the following to stop and restart the NTP daemon:
service ntpd stop
service ntpd start
Configuring network devices
Table 6.2 lists the devices you can configure with the netinet command.
Set the default router for the system. Use netinet defaultrouter none to clear the current settings for the default router.
Set the DNS for the system. Use netinet dns none to clear the current settings for DNS.
Set the search domains for the system. Use netinet domains none to clear the current settings for the domains.
Set the NTP server for the system. Use netinet ntp none to clear the current settings for the NTP.
Set the host name for the system.
With normal use of the controller, you should never need this command. If for some reason you change your host name manually (without using the netinet hostname command), use netinet hostsfile to synchronize software with the current host name.
Configure the network interface(s). See Configuring interfaces, on page 6-19 for more information on the netinet interface command.
Use the netinet route command to add, delete, or move static routes. In some network environments you need additional network routes besides the default route. This is common when the GLOBAL-SITE Controller uses multiple network interfaces, or the physical placement of the controller is in a multi-homed network. To add static routes, use the following command:
netinet route add <INTERFACE> <IP NETWORK> <IP NETMASK> <GATEWAY>
This example instructs the controller to forward all packets with a destination IP address inside the 192.168.12.0 network to the router at 192.168.11.254.
netinet route add eth0 192.168.12.0 255.255.255.0 192.168.11.254
In order for the newly added network route to take effect, you must reboot the GLOBAL-SITE Controller.
Warning: Be aware that changing the host name on a GLOBAL-SITE Controller resets the host name in the GLOBAL-SITE database. If you use this controller in conjunction with other GLOBAL-SITE Controllers, you need to update these controllers with the new host name of the changed controller.
You can change a variety values on the interface using the netinet interface <interface> command. Table 6.3 lists these values.
NIC negotiation is the setting of the duplex mode for the network interface card (NIC). You set the duplex during the First-Time Boot utility, but if you change or add a NIC, you need to reset the duplex mode.
To set the duplex mode for an interface
- You need to choose which interface you want to configure. To display a list of available interfaces, from the ITCMconsole command line, type:
- From the new prompt, type the name of interface you want to configure.
- From the new prompt, type duplex.
The ITCMconsole displays a list of available duplex modes.
- From the list of available duplex modes, type the corresponding number for the mode you want to use.
You get a confirmation of what mode you set.
Viewing your configuration
You can view your entire current configuration or the configuration of your network devices using the show netinet command. For example, to see, the entire configuration, type:
show netinet config
The display looks like Figure 6.4 .
Sample output for show netinet config
interface=eth0 ip=192.168.11.240 netmask=255.255.255.0
interface=eth1 ip=0.0.0.0 netmask=0.0.0.0
Changing the host name of the controller
You may need to change the host name of the controller, for instance if you move it from a test environment into production.
To change the host name of the controller
To change the host name for the GLOBAL-SITE Controller, type the following command:
netinet hostname <hostname>
show ratelimit [aggregate | classes | class | stats | status]
ratelimit aggregate [max | set| clear]
ratelimit custom [add | delete | modify | promote | demote]
The GLOBAL-SITE Controller regulates available Internet connection bandwidth with aggregate and custom rate limiting. If publication delivery degrades server performance, you can use the controller's rate limiting capability to slow down its output to particular servers and at particular times of day. This allows you to better manage available bandwidth and meet your traffic needs.
Warning: The GLOBAL-SITE Controller cannot limit the rate at which it receives data from clients and servers. It can only limit the rate at which it sends data to clients and servers.
Note: When both aggregate and custom rate limiting are in use at the same time, the custom rates take priority over the aggregate limit, although each individual custom class is limited to the aggregate limit.
Configuring aggregate rate limiting
To configure aggregate rate limiting, you need to know what type of network interface card (NIC) you have in your machine. If you opted to purchase the Gigabit NIC, that interface has a total capacity of 1000 Mbps. The standard NIC is 100 Mbps.
To set or modify the maximum possible bandwidth
Maximum bandwidth is set at installation time. If you are using rate limiting, maximum bandwidth must be modified if a new device is added or if the interface is connected to a hub that is slower than 100 Mbps. (If you are not using rate limiting, the setting for maximum possible bandwidth has no bearing on traffic flow.) The only valid values for maximum possible bandwidth are: 10, 100, and 1000. The command is:
ratelimit aggregate max <interface> <max value>
For example, to set the maximum bandwidth to 1000, on the eth0 interface, type:
ratelimit aggregate max eth0 1000
To add an aggregate rate limit to an interface
Use the ratelimit aggregate set command to add an aggregate rate limit to an interface. The command is:
ratelimit aggregate set <interface> <Mbps>
For example, to set a rate limit of 20 (on a 100 Mbps NIC), type:
ratelimit aggregate set eth0 20
To clear an aggregate rate limit
The clear command removes an aggregate rate limit from an interface. You only need to provide the interface name with the command, not the rate limit. The command is:
ratelimit aggregate clear <interface>
For example, to clear the rate limit from interface eth0, type:
ratelimit aggregate clear eth0
Configuring custom rate limiting
You use custom rate limiting to limit response data for protocols that use known ports, such as HTTP, when responding to clients. From the ITCMconsole, you can create or delete custom rate limit classes. These rate limit classes allow rate limiting based on specified characteristics of the outbound IP packets, such as source and destination IP addresses and ports.
To add a custom rate limit class
Custom rate limit classes have several variables which you can use to further limit traffic across the interface. If you choose not to use these variables to limit traffic rates, you opt out of using them. The command is:
ratelimit custom add <class name> <interface> <limit in Mbps> <non-optional variable(s)> [optional variables]
Configuring custom rate limiting involves three types of variables, required, non-optional (meaning you have to use at least one), and optional.
- From the ITCMconsole command prompt, type:
ratelimit custom add
- At the Class name prompt, type a name for the class.
- At the Interface prompt, type which interface you would like this class to be on.
- Enter the limit in Mbps that you want to use.
- For the non-optional variables, you must enter one or more IP addresses or ports. At the appropriate prompt, type a destination or source IP address, and/or a destination or source port for this class. The default is any, but you cannot have any for all the non-optional values. You must enter at least one actual IP address or port.
- Choose the relative priority for this class. The default is 5. The system uses priority to give one class a priority over another class when sending packets. It does not resolve filtering conflicts (see To promote or demote a class, on page 6-25 for more information on class order). Filtering traffic into classes is done in the order the classes appear in the show ratelimit classes list.
You can use priority as a quality of service tool in that you can give one class a higher priority than another, and that gives the customer with the higher priority more bandwidth than another customer.
- Type y or n to choose which optional variables you want to use. See Table 6.5 for the optional variables and their descriptions. If you do not want to use optional variables, type n for each of the options presented.
To modify a rate limit class
You can modify any of the rate limit variables using the following command:
ratelimit custom modify
The interactive mode asks you for: class name, the variable to modify, and then it displays the variable and asks for a new value. If you are unsure of the variable name or value, type:
show ratelimit class <class name>
You can use this command change the priority of a class.
ratelimit custom modify prior <number 1 - 8>
To promote or demote a class
You use the promote or demote commands to move a particular rate limit class up or down in the list of classes. Ranking the classes allows you to choose in what order traffic hits the filters, thereby controlling how the controller filters that traffic. This is important when a particular set of traffic may match multiple rules, such as an HTTP rule and a rule for traffic to a particular client. To see the order that the classes are in, type:
show ratelimit classes
If you decide you want to move a rate limit class so that it filters packets before another rate limit class, you use the following command:
ratelimit custom [promote | demote] <class name>
This command promotes (or demotes) a rate limit class by increments of one. If you want to move a class more than one spot up or down, you need to run this command again.
Viewing rate limit statistics
You use the show ratelimit command to view statistics for rate limits. You can view the statistics for aggregate rate limits by typing:
show ratelimit stats aggregate <interface>
You can view the statistics for a particular rate limit class by typing:
show ratelimit stats <class name>
Using the batch mode to create custom rate limits
If you choose to create custom rate limits in the batch mode (starting at the system prompt and starting each line with gsconfig) you need the short-hand names for the variables. See Table 6.6 for the shorthand variable name and its definition. Following is the usage of the commands for batch mode:
gsconfig ratelimit custom add <class> <interface> <limit in Mbsp> <non-optional variable(s)> <optional variables>
For example, to set a time-based rate limit for HTTP response traffic (port 8080), that is 100 Mbps by default, but 10 Mbps from 8:00 a.m. to 5:00 p.m., type:
gsconfig ratelimit custom add http_filter eth0 10 sport=8080 hours=8:00-17:00@100
The reboot command reboots the GLOBAL-SITE Controller immediately once you press the Enter key. You are not given any confirmation notice.
show <service name>
service alertd [enable | disable | start | stop]
service big3d [enable | disable | start | stop]
service corba [disable | dualmode | enable | ip | passphrase | start | stop]
service ITCMgswatch [enable | disable | start | stop]
service ntpd [enable | disable | start | stop]
service snmpd [enable | disable | start | stop | traps]
service sshd [enable | disable | start | stop]
service telnet [enable | disable]
service ftpd [enable | disable]
Use the service command to configure services on the GLOBAL-SITE Controller.
[enable | disable | start | stop]
You can enable and disable all services using the service enable | disable command. For FTP and Telnet, enable and disable also start and stop the service. You can also start and stop all other services with the service start | stop command.
Start the service now. On reboot, the GLOBAL-SITE Controller restarts the service only if it is enabled.
Stop the service now. On reboot, the GLOBAL-SITE Controller restarts the service only if it is enabled.
The service does not start now (except for FTP and Telnet). On reboot, the GLOBAL-SITE Controller starts the service.
The service does not stop now (except for FTP and Telnet). On reboot, the GLOBAL-SITE Controller does not start the service.
Table 6.7 lists the services that are configurable with the service command and what they are for.
The alert daemon watches for specified events and takes any appropriate actions associated with alerts when those events occur. If you stop alertd, no actions (email, exec, or traps) trigger for events configured in alert.conf.
The big3d daemon answers 3-DNS system queries. The 3-DNS uses big3d to collect information about the network path between the BIG-IP and the client requesting a connection. The daemon collects performance data, and returns the data to the requesting 3-DNS. The 3-DNS uses the path information for its own dynamic load balancing.
The CORBA daemon provides the iControl portal service. See the section Configuring the CORBA service, on page 6-29 for more information.
ITCMgswatch is a system event monitor. It detects events such as excessive CPU usage, excessive memory usage, and low configuration and data disk capacity. It uses thresholds and timeouts to determine when alerts will be sent for each of the items.
ntpd is used to configure the NTP daemon. The NTPd automatically updates the system time from and NTP (Network Time Protocol) server.
With this command, you configure the SNMPd and the SNMP trap community, destination, and port. See SNMP agent, on page 7-1 for more information on SNMP.
When running, the SSH daemon provides secure remote access to your controller.
Telnet allows non-secure access to your controller. You enable or disable Telnet with the service telnet command.
When enabled ftpd permits FTP access to the controller.
Configuring the CORBA service
The CORBA daemon provides the iControl portal service on a GLOBAL-SITE Controller. It is enabled by default so that the GLOBAL-SITE Controller can be an application-aware appliance on the CDN. If you stop the CORBA daemon, other products or iControl client programs cannot communicate with the GLOBAL-SITE Controller. Table 6.8 lists the available service corba commands and their use.
Displaying service status
Use the show command to see the status of the various services.
- show alertd [config | status]
- show big3d [config | status]
- show corba [config | dualmode | ip | port | status]
- show ftpd
- show ITCMgswatch [config | status]
- show ntpd [status | config | server]
- show snmpd [config | status | trap]
- show sshd [config | status]
- show telnet
The show command displays different kinds of information depending on what command it is paired with. You can see configuration information, status, and statistics. Using the show ? command lists the subcommands for the show command.
Using the show command
Use the show command to display pertinent information about a system in the GLOBAL-SITE Controller. The show command syntax is displayed in the syntax summary box at the start of each section of this chapter with four exceptions: acl, license, reboot, and stats.
The show command can also be paired with commands that do not appear as first level commands. For example, to configure FTPd you type service ftpd enable. However, to see if FTP is enabled, you type: show ftpd.
Viewing the software version
The show version command displays the version of the GLOBAL-SITE Controller you are running. It displays:
- Product name and version number.
- Build number
- Crypto Edition, which indicates that the unit is encrypted
- The machine ID number
The timezone command lets you set the timezone for the controller.
Setting the time zone
If you do not know the specific name of a time zone that you want to set, use the timezone config command. This command steps you through setting the time zone and you set it by selecting a country and city (for example America, Los Angeles). To get a list of actual time zones, use the timezone options command, which displays a complete list of time zones.
To set the time zone using country and city
- At the ITCMconsole prompt, type timezone config.
A display of countries with pre-assigned numbers appears.
- Type the assigned number by the country you want and press Enter.
A display of cities with pre-assigned numbers appears.
- Type the assigned number by the city you want and press Enter.
- Type Y to confirm the time zone you selected, or type N if the time zone is not correct. Accepting the time zone here sets the new time zone for the controller. Rejecting the time zone (typing N) returns you to the ITCMconsole prompt.
To set the time zone using a time zone name
- At the ITCMconsole prompt, type timezone options.
A list of all available named time zones appears.
- Find the time zone you want to use and note it so that you can type it exactly as it appears.
- Once you find the time zone you want to use, you can either use
Ctrl + X to escape to the ITCMconsole command prompt, or you can continue paging through the list until you come to the prompt.
- At the ITCMconsole prompt, type, timezone config <timezone>. For example to set the time zone for Los Angeles, California, you type:
timezone config US/Pacific
show user [root | support | logadmin | gsite]
user root [password]
user support [enable | disable | password]
user logadmin [enable | disable | password]
user gsite [enable | disable | password]
The user command lets you set passwords for the system accounts: root, support, logadmin, and gsite. You can also enable or disable any of those accounts except for root. The root account is always enabled. System user accounts are not the same as webuser accounts (see webuser, on page 6-36 ). System user accounts have access to the internal configurations of the controller and the command line.
Configuring user accounts
Warning: If you use regular command syntax to specify a password, the GLOBAL-SITE Controller command line displays the password on-screen, in clear text, and logs the password in the operating system history file. If you interactively specify a password, it does not appear on-screen or in the history file.
The root account is for managing command line access.
The support account manages technical support access.
The logadmin account configures the FTP log file access user account.
The gsite user is the system user on the GLOBAL-SITE Controller.
show webserver [allow | config | port | status]
webserver allow <IP address(es)> | all
webserver cert (same as FTBU)
The webserver command configures the Apache webserver for the web-based user interface.
Configuring the webserver
You can configure your webserver using the webserver commands on Table 6.9, on page 6-35 .
webuser add icontrol <username> <password> <password>
webuser delete icontrol <username>
webuser icontrol [enable | disable | admin | regular]
The webuser command creates iControl interface accounts. (Please see iControl documentation for more information on iControl and the iControl SDK.) To create web user accounts for the GLOBAL-SITE Controller, please use the Add User page on the web-based user interface. See the online help for that page for more information.
You create a user account using the webuser command in that you create one user/password pair for the Apache web server (to access the GLOBAL-SITE Controller) and for the iControl interface.
To add a user with access to the iControl interface
- From the ITCMconsole, type:
webuser add icontrol
- At the Username prompt, type the user name you want to assign.
- At the Password prompt, type the password for the user account. Passwords must be between 6 and 15 characters long. The interactive mode masks the password on the screen.
- Confirm the password at the Confirm Password prompt.
When you complete this process you receive confirmation.
Migrating htpasswd contents to the LDAP server
Warning: The webuser migrate command runs automatically when you upgrade from an earlier version of the GLOBAL-SITE Controller. You should never need to run it again.
The webuser migrate command migrates the contents of .htpasswd to the LDAP server. You need to use this command if you upgraded from an earlier version of the GLOBAL-SITE Controller that did not use LDAP authentication.
Configuring LDAP users
Use the webuser icontrol command to configure LDAP users. Once you create a user, you can enable or disable the user as an LDAP user, give the user LDAP administrative privileges, or return a user to regular LDAP privileges. Following is a procedure for giving LDAP administrative privileges, but you can use it for any of the webuser icontrol commands.
To give a user administrative privileges
Prior to giving a user account administrative privileges, the user account must already exist in the database.
- From the ITCMconsole, type:
webuser icontrol admin
- At the User to give LDAP Administrator privileges prompt, type the user name.
The system confirms that the user now has administrative privileges.
show wrapper [in.telenetd | big3d | slapd | sshd]
wrapper allow <service> <string>
wrapper allow_append <service> <string>
The wrapper command sets the permissions for access to services that are listed in the etc/hosts.allow file. By default those services are: in.telenetd, big3d, slapd, and sshd.
You can set access permission for in.telenetd, big3d, slapd, and sshd with the wrapper command. Once you have set permissions, if you use the wrapper allow command, you overwrite existing permissions. Instead, use wrapper allow_append to append new permissions to the original string in the etc/hosts.allow file.
To set access permission
To set permission for specific IP addresses, type:
wrapper allow slapd 192.168.0.0
To set permission for all users, type:
wrapper allow slapd all