
Removing TMS Users from a VCS Local Authentication Database when removing TMS Provisioning Extensions

Chris Swinney
Level 5

Hey All,

 

TMS - 14.3.2

TMSPE - 1.1

VCS - x8.2.1

 

I'm sure I have read this somewhere, but after a few hours of searching I haven't come across the answer again.

We have some VCS's that were used with TMSPE in order to effectively populate the Local Authentication Database. I'm changing the way in which we authenticate remote users and as such have removed the provision option key from the VCS. However, the TMS users still populate the Local Authentication Database on the VCS and they cannot be manually removed.

Is it possible to remove these users, or do I have to reset the VCS then reapply a system backup?

 

Cheers,

Chris

9 Replies

Wayne DeNardi
VIP Alumni

Might be a dumb question, but have you done a "reboot" (a "restart" won't work) on your VCS after removing the provisioning option key?

If you don't want to do the full reboot, you could try stopping and restarting the provisioning and opends services:

  1. log in as root
  2. /etc/init.d/S77provisioning stop
  3. wait a minute or two
  4. /etc/init.d/S76opends stop
  5. /etc/init.d/S76opends start
  6. /etc/init.d/S77provisioning start

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

 


Hi Wayne,

 

Unfortunately, this is one of the first things I did :(

I do like the pointers for shutting down and restarting the Provisioning services though - it might come in handy at some point.

 

Cheers,

Chris

Maybe a "tmsagent_destroy_and_purge_data" will help kill them (and all the rest of the provisioning and FindMe data on the VCS - note it will also reset the LDAP and replication passwords to factory defaults).

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.


Hi Wayne,

I think this might be part of the answer, but as I have removed the Provisioning licensing key, I just get back a response that the directory doesn't exist (I think this works for TMSPE as well as TMS Agent, doesn't it?).

Something is creeping back into my head that I need to add in the Provisioning option key, disable it, run the command then remove the key, but I can't be sure. To make matters worse, I can't find the key at this moment in time. Will have to wait till next week.

Cheers,

 

Chris

As an addition to above, the error received when running a "tmsagent_destroy_and_purge_data" is:

/bin/tmsagent_destroy_and_purge_data: line 41: /etc/init.d/opends: No such file or directory

Which I suppose I should expect as I don't think OpenDS is used anymore with TMSPE.

In addition, I noted that the 'SIP Routes' are still visible on the VCS's whose provisioning key has been removed. These can, of course, be removed manually using the "xCommand SIPRouteDelete x" command.

I wonder what other remnants might be left over on a VCS once the provisioning license has been removed and what is the best way to clean this up?

OK, more info. A factory reset (keeping things like IP, SSL keys, password etc.) does finally get rid of the provisioned data in the local database; however, restoring from a backup puts all the information back in the DB again.

I can't believe that by removing the provisioning option, that there isn't some kind of clean-up!

 

Does anyone know of a way to manually edit the local database file, or where it might be located (via WinSCP)? I don't really want to re-configure the whole VCS again from scratch with over 30 zones, search rules, transforms etc etc.

OK - after a bit of snooping in the backup files, I found all the relevant information hiding in the "clusterdb.backup" file, however, along with a whole bunch of other useful stuff such as the IP Tables firewall config, and other system info.

As it doesn't look as though it is easily editable (in Notepad++), my first thought was to remove the file completely and try a restore (I'm mucking around with spare VCS's here and with a backup taken ;)), but then I thought I would have a scan of the commands in root on the VCS. Pressing 'TAB' at the root prompt brings up a veritable treasure trove of commands and eye spy with my little eye, a whole bunch of commands to do with 'clusterdb'.

One that caught my eye (on a similar theme to above) was "clusterdb_destroy_and_purge_data.sh", so I thought I'd give this a whirl. Bingo, the TMS provisioned data had gone, but so too had some pretty useful info, such as:

  • Most things in the System menu, but not too difficult to restore, such as DNS server, NTP server, SNMP info, Auto protection etc
  • BIG Gotcha, the IP gateway was removed, so don't reboot until at least this is put back in place.
  • IP Table Firewalls info (This is probably the most painful to re-configure - I really wish there was a simple way to extract and copy these between devices)
  • All local database users used for traversal zone info removed.
  • Another Gotcha: Option Keys - managed to "extract" these from the backup file (search for "optionKeyConfiguration") - these have to be re-added after a reboot, but it's easier to grab them before you run the above command
  • Admin password reset to default
  • SIP domains
  • Delegated Credential Checking

 

But all other configuration remains unaffected, or so it would appear.

This might not be a Cisco recommended practice, but hey, that's what we do, right?

 

Looks like running a "clusterdb_dump_data_to_csv.sh" prior to the purge will copy the relevant info into "/mnt/harddisk/persistent/clusterdb/upgrade" in a more easy-to-read format, although there ends up being a lot of files.

P.S., you still need to manually delete the SIP Routes, otherwise phone book lookups won't work.

Login to the console via SSH on Admin, and use

xconfiguration SIP Routes

To show the SIP routes. Chances are there are at least a couple relating to Phone book services that point to the localhost (127.0.0.1) for these services and are a hangover from provisioning being installed. You need to delete these Routes so that phone book queries get routed through search rules.

Use

xcommand SIPRouteDelete x

Where x is the route you want to delete.

 

I "think" this now means that your VCS has provisioning fully removed yet kept "most" of the underlying config.

Conab Admin
Level 1

Hi buddy,

To remove the TMS users deleted from TMS in VCS you need to perform a full synchronization.

You need to log in to your VCS system and go to System / TMS Provisioning Extension Services

Then click on Perform full synchronization at the end of the page.

Works for me!

 
