Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
Bookmark
|
Subscribe
|
6568
Views
6
Helpful
13
Comments

UCSD Custom Enhanced SSH (Credential Policy)

Alejandro Madurga Ainoza
Cisco Employee
Cisco Employee

‎01-07-2015 07:40 AM - edited ‎03-01-2019 06:32 AM

Task NameCustom SSH
Description

Custom SSH with enhancements

Prerequisites
  1. Tested on 5.1
  2. Tested on 6.0.1.0
CategoryWorkflow
Components
User Inputs
  1. Account Name
  2. IP address
  3. Commands to exectue
  4. Undo Commands
Output
  1. SSH_STDOUT
  2. SSH_STDERR
  3. SSH_EXITCODE

1  Custom SSH Task

1.1 Introduction

The OOTB SSH command execution custom task have some limitations that made the real usage almost impossible. To avoid this limitations the following Custom SSH task has been created.

1.2  OOTB SSH Limitations

1.2.1  IP Address and Hostname

An IP address is mandatory due Input type. Most of the time the customer are askin to use an IP or a Hostname. The custom task allows that.

1.2.2  Credentials

The username and password has to be entered on the SSH, with the Custom SSH it takes the credentials from the Credentials Policy, this make easier the maintenance and usage of the flows, because most of the time the Customer changes the admin credentials for security reasons. This Custom SSH uses the credentials from the policy, if the  credentials are changed there is no need to change the credentials on the workflows.

1.2.3  Finish execution of each command

The OOTB SSH does not wait for each command to be finished, it launch the command and finish without result waiting. This Custom SSH will wait for the finish of each command.

1.2.4  STDOUT and STDERR

The custom SSH will get all the STDOUT and STDERR from all the commands executed on the SSH.

1.2.5  Highest Return Code

The custom SSH will return the highest return code of all commands, so you will be able to check if the execution was successful or not.

1.2.6  Rollback

The custom SSH includes an option for the rollback, using the same features explained above.


1.3  Usage

1.3.1  Import the custom task using the portal

First import the custom tasks from the portal using the standard procedure:

  1. Extract the file on the Appendix A to your local computer
  2. Log in into the UCSD portal
  3. Go to Policies --> Orchestration

  

  1. Select Import
  2. Select the file extracted from the document and click Upload
  3. Click OK
  4. Check that the custom task is selected
  5. Click Import

  1. After finishing the import go to Custom Workflows Tasks tab



  2. Check the existence of the Custom SSH Task.


1.3.2  Using Custom Task

To be able to execute the task the following inputs has to be filled.

The Undo Commands are optional, so if you don’t enter undo commands then the task will not generate any rollback task.

Task Inputs

Input

Description

Mappable To Type

Mandatory

Account Name

gen_text_input

Y

IP Address

gen_text_input

Y

Commands to execute

gen_text_input

Y

Undo Commands

gen_text_input

The Account Name Input has to match the Credential Name for the credential Policy.

To create a credential policy:

  1. Go to  Policies > Physical Infrastructure Policies > Credential Policies

  1. Click on Add


  2. Enter the information for the Credentials



  • The Policy Name should match the Account Name on the task Input.
  1. Click  Submit
  2. The Custom Task Flow will use the Username, Password and Port for the connection.

Task Outputs

Output

Description

Type

SSH_STDOUT

SSH_STDOUT

gen_text_input

SSH_STDERR

SSH_STDERR

gen_text_input

SSH_EXITCODE

SSH_EXITCODE

gen_text_input

Just tested and created new workflow on UCSD 6.0.1.0:

Used a Nexus Cred policy

Screen Shot 2017-01-18 at 10.17.31 AM.png

Did not change the original task. 

Labels:
Custom_SSH_v3.wfdx.zip
SSHwithCredPol6010V2.wfdx.zip
Comments
Damien Gouju
Cisco Employee
Cisco Employee
‎02-25-2015 09:17 AM

Hi Alex,

I'm running UCSD 5.2.0.1. In this release, the credential policy needs to be of a type of infrastructure component and not as generic as it was in your example.

Which credential policy should be used for your task?

Thanks!!

Alejandro Madurga Ainoza
Cisco Employee
Cisco Employee
‎03-17-2015 01:51 PM

You are right, the credential type should be network device. I need to invest some time to fine tune the 5.2 version.

manuel.strauch
Level 1
Level 1
‎04-08-2016 05:57 AM

Hi Alex,

is there any option to add my User Inputs as a variable in the SSH script?

e.g. I need to setup a VLAN on a N5K as Fabricpath. So I want to reach this with a SSH script which simply sets up my newly created VLAN in "mode fabricpath".

You or someone have any idea how I can achieve this?

Thanks in advance!

Alejandro Madurga Ainoza
Cisco Employee
Cisco Employee
‎04-08-2016 06:02 AM

You can add variables to any task using the ${variablename} format.

That only works with workflow defined variables, for variables coming from other tasks on the workflow it should be like:

${TASKNAME.OUTPUTNAME}

so your script look like:

mode fabbricpath ${mytaskname.myoutputname}

manuel.strauch
Level 1
Level 1
‎04-08-2016 06:12 AM

Hi!

Thanks for the really quick reply.

That was obviously too easy for you

Now it works - thank you very much!

Orf Gelbrich
Cisco Employee
Cisco Employee
‎04-08-2016 07:16 AM

Nothing but a thing. Let me know if you need any other help.

Orf Gelbrich
Cisco Employee
Cisco Employee
‎04-08-2016 07:17 AM

I have a Asa example on the community site take a look at that. Thx.

manuel.strauch
Level 1
Level 1
‎04-08-2016 08:42 AM

For the SSH Part all is looking fine now. I would have had a question about UCSD and UCS, but I dont want to Hijack this thread... where should I place it correctly?

Orf Gelbrich
Cisco Employee
Cisco Employee
‎04-08-2016 08:57 AM

Ogelbric@cisco.com

-

Orf Gelbrich

Check out UCS Director Workflow INDEX<https://communities.cisco.com/docs/DOC-56419> on Cisco Communities Site

bjorntoresvinningen
Level 1
Level 1
‎01-18-2017 01:37 AM

I've been using this task for å long time, and its really great.

But now after UCSD upgrade to 6.x it stoppet working, giving the following error in the log

Jan 18, 2017 08:53:20 UTC Error occured at line # 49

Jan 18, 2017 08:53:20 UTC [Line#49] throw e;

Jan 18, 2017 08:53:20 UTC Task: getF5ActiveVCMP (custom_Custom SSH) failed with error - com.maverick.ssh.SshException: com.maverick.ssh.SshException in <eval> at line number 49 at column number 21, selectedContext=<None>

Jan 18, 2017 08:53:20 UTC Task #3 (getF5ActiveVCMP (custom_Custom SSH)) failed after 5 seconds

Any idea what might be wrong ?

I've test with both ipv4 and ipv6 devices,

Orf Gelbrich
Cisco Employee
Cisco Employee
‎01-18-2017 08:22 AM

Just tested on UCSD 6.0.1.0 and it works.  Did not change the custom task at all. Only added workflow around it.

bjorntoresvinningen
Level 1
Level 1
‎01-18-2017 12:59 PM

I found the error. For some odd reason my F5 credential policy had changed from port 22 to port 443.

Not sure if this happened during the upgrade, or if some other technician have been trying to do something, and not been aware of what they changed (most likely the last is the answer).

Anyway, Putting it back to port 22, and the problem was solved.

Thanks for testing Orf.

Orf Gelbrich
Cisco Employee
Cisco Employee
‎01-18-2017 01:19 PM

I have a ticket in place to be able to create cred pol. for new devices vs. hijacking existing ones.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
Discussions
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Top