Tuesday, December 03, 2019

AWS EC2 WinSCP SCP su root

To copy files to Amazon Linux via WinSCP using SCP as root:
  1. Open WinSCP | New Session
  2. Set File protocol: SCP
  3. Set Host name:
  4. Set Advanced | Environment | SCP/Shell: sudo su -

You can now authenticate as ec2-user with your private key, or perhaps with a password if you allow that, and copy files to directories requiring root access.

Monday, December 02, 2019

CUCM SQL user CTI control device

To find the devices that a particular user has control of, where for example the user ID is rmaslanka1:

  • run sql select enduser.userid, device.name from enduser,device,enduserdevicemap where enduserdevicemap.fkenduser=enduser.pkid and enduserdevicemap.fkdevice=device.pkid and enduser.userid = 'rmaslanka1'


To find the users that have control of a particular device, where for example the device name is SEPAAAABBBBCCC:

  • run sql select enduser.userid, device.name from enduser,device,enduserdevicemap where enduserdevicemap.fkenduser=enduser.pkid and enduserdevicemap.fkdevice=device.pkid and device.name = 'SEPAAAABBBBCCC'

Sunday, December 01, 2019

Create an AWS EC2 based SFTP server

Create a server in AWS Management Console:
  1. Navigate to Services | Compute | EC2
  2. Pick a region from the upper right drop-down
    • Remember: EC2 is a per-region service. Instances will be deployed in the region selected.
  3. Choose Launch Instance and then optionally select the Free tier only checkbox.
  4. Choose Amazon Linux 2 AMI (HVM), SSD Volume Type.
  5. Choose the t2.micro instance and then Next: Configure Instance Details
  6. Keep all the options default assuming Number of Instances is 1 and choose Next: Add Storage
  7. Keep the default 8 GB General Purpose SSD (gp2) and choose Next: Add Tags
    • Remember: the 12 month free tier provides 30 GB of EBS storage, combined over any combination of General Purpose (SSD) or Magnetic Disks
  8. Add tags as desired and choose Next: Configure Security Group
    • Tags are key value pairs you define to assist with management as your AWS environment grows.
    • A simple but useful tag example might be Name : OpenSSHserver01
  9. Choose Create a new security group, name it WebDMZ or something appropriate. The idea is that we are controlling access to this server from the Internet. Choose Review and Launch
    • One rule needs to allow SSH over TCP port 22, from Anywhere or, preferably, from a specific source IP if possible.
  10. Review the options and choose Launch
  11. When prompted, choose an existing keypair or create a new one. If creating a new one, download the keypair to a known location. Choose Launch Instances.
  12. Choose View Instances and monitor progress.
  13. When the Instance State changes to running you can test remote access.
Test remote access:
  1. In the AWS Console, copy the IPv4 Public Address to your clipboard.
  2. If you created a new keypair, in Windows run PuTTYgen.
  3. Choose Load and point to the .pem file you downloaded previously. You may have to change the file type to All Files *.* to find it. Then choose Save private key to use it in PuTTY. Name and save it somewhere appropriate.
  4. Open PuTTY, expand SSH and choose Auth.
  5. Browse to the new private key you just saved.
  6. Choose Session, paste the IPv4 Public Address into Host Name (or IP Address)
  7. When prompted for a user name, enter ec2-user
  8. It would be a good idea to run sudo yum update to apply any available updates.
Change server remote access from keypair to user / password authentication:
  1. Set a password for ec2-user via sudo passwd ec2-user
  2. Open sshd_config file via sudo nano ../../etc/ssh/sshd_config
  3. Change PasswordAuthentication no to PasswordAuthentication yes
  4. Restart the SSH service via sudo service sshd restart
  5. Test access via SFTP using username / password authentication (I personally use the WinSCP client)
  6. Test CRUD access by copying and deleting a file in the /home/ec2-user folder
Create a CHROOT jail for SFTP user(s):
  1. Create a new user group via sudo groupadd sftponly where sftponly is your group name
  2. Add a new user and prevent SSH login via /bin/false via sudo useradd -g sftponly -s /bin/false -m -d /home/sftpuser sftpuser where sftpuser is the username
    1. If the user already exists, modify it appropriately via sudo usermod -G sftponly -s /bin/false sftpuser
  3. Set the new user password via sudo passwd sftpuser
  4. Change the permissions on the user's home directory. Make root the owner, essentially disabling write access for the new user; sshd refuses to chroot into a directory unless it is owned by root and not writable by group or others. Run:
    1. sudo chown root /home/sftpuser
    2. sudo chmod 755 /home/sftpuser
  5. Create a home sub-directory that the new user can use, here sftpfolder. Run:
    1. sudo mkdir /home/sftpuser/sftpfolder
    2. sudo chmod 755 /home/sftpuser/sftpfolder
    3. sudo chown sftpuser:sftponly /home/sftpuser/sftpfolder
  6. Configure SSH via sudo nano ../../etc/ssh/sshd_config
  7. Change the sftp subsystem. Change the subsystem sftp /usr/lib/openssh/sftp-server line to subsystem sftp internal-sftp
  8. Add information re: the sftponly group to the SSH configuration. Add the following to the end of the sshd_config file:
    • Match Group sftponly
      • ChrootDirectory %h
      • ForceCommand internal-sftp
      • AllowTcpForwarding no
      • X11Forwarding no
  9. Restart SSH via service sshd restart
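The nine steps above, assembled into one script. This is an added example written for this post, not the author's commands; it assumes the same names as the post (group sftponly, home directory /home/<user> with a writable sftpfolder inside it, /etc/ssh/sshd_config) and an Amazon Linux 2 host where sshd is a systemd service. The two things it adds to the steps are the ownership and mode check that sshd itself applies to a ChrootDirectory, and a configuration syntax test before the restart.

```bash
#!/usr/bin/env bash
# Added example, not the blog author's script: the chroot-only SFTP account
# procedure as an idempotent script for Amazon Linux 2. Run as root:
#   sudo ./sftp_chroot.sh --apply sftpuser [sftpfolder]
# With no arguments it only defines the functions.
set -euo pipefail

SFTP_GROUP="${SFTP_GROUP:-sftponly}"              # group name from the post
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# The Match block from step 8, rendered for one group. Pure function: no side effects.
render_match_block() {
  printf 'Match Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n' "$1"
}

# sshd refuses a ChrootDirectory unless it (and every parent) is owned by root
# and not writable by group or others; getting this wrong is the usual cause of
# "bad ownership or modes for chroot directory" in /var/log/secure.
# Returns 0 when the directory passes, 1 otherwise.
check_chroot_dir() {
  local dir="$1" owner mode
  owner=$(stat -c '%U' "$dir")
  mode=$(stat -c '%a' "$dir")
  mode=${mode#"${mode%???}"}            # keep the last three octal digits (ugo)
  [ "$owner" = "root" ] || return 1
  case "$mode" in
    ?[2367]?|??[2367]) return 1 ;;      # group or other write bit set
  esac
  return 0
}

# Steps 1-5: group, shell-less user, root-owned home, user-owned subdirectory.
create_sftp_user() {
  local user="$1" subdir="${2:-sftpfolder}" home
  home="/home/$user"
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  if id "$user" >/dev/null 2>&1; then
    usermod -G "$SFTP_GROUP" -s /bin/false "$user"
  else
    useradd -g "$SFTP_GROUP" -s /bin/false -m -d "$home" "$user"
  fi
  chown root:root "$home"
  chmod 755 "$home"
  mkdir -p "$home/$subdir"
  chown "$user:$SFTP_GROUP" "$home/$subdir"
  chmod 755 "$home/$subdir"
  check_chroot_dir "$home" || { echo "$home has unsafe ownership or mode for a chroot" >&2; return 1; }
}

# Steps 6-9: switch the subsystem to internal-sftp, append the Match block once,
# and validate the file before restarting so a typo cannot lock you out of SSH.
configure_sshd() {
  cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
  # Replaces whatever sftp-server path the distribution shipped.
  sed -i -E 's|^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]].*|Subsystem sftp internal-sftp|I' "$SSHD_CONFIG"
  grep -qi "^Match Group $SFTP_GROUP\$" "$SSHD_CONFIG" || render_match_block "$SFTP_GROUP" >>"$SSHD_CONFIG"
  /usr/sbin/sshd -t -f "$SSHD_CONFIG"   # syntax check; a failure here stops the script before the restart
  systemctl restart sshd
}

if [ "${1:-}" = "--apply" ]; then
  create_sftp_user "${2:?usage: $0 --apply <user> [subdir]}" "${3:-sftpfolder}"
  configure_sshd
fi
```

On Amazon Linux 2 the stock subsystem line reads Subsystem sftp /usr/libexec/openssh/sftp-server (the /usr/lib/openssh path in step 7 is where Debian and Ubuntu put it); the sed expression replaces either. If sshd -t reports an error the restart is skipped, the running daemon keeps its loaded configuration, and the timestamped backup lets you roll the file back.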

Wednesday, September 18, 2019

Cisco CP-8800-A-KEM

Running sip88xx.12-5-1SR3-74 on 8851 phones and installing the 28-button CP-8800-A-KEM.

NOTES:

  • You must enable One Column Display on the device it's connected to or the CP-8800-A-KEM will light but will not register.
  • If the Line Mode is set to the default Session Line Mode the KEM button configuration actually begins on button 6, even though the device Add on Module(s) numbering starts at 11.
  • If the device Line Mode is set to Enhanced Line Mode, the KEM button configuration begins on button 11 as indicated in the Add on Module field.
  • Custom wallpaper normally deployed on the phones gets mangled on the KEM.

Sunday, September 01, 2019

Cisco Unity Connection add delete contacts via CUPI example

This is a sample of how to add and / or delete contacts in the Unity Connection database using the CUPI interface.
This was created using Python 3.6.2 and Cisco Unity Connection 12.5.

This script was created after finding Extension was a required field in the Unity Connection BAT process and needs to be unique, creating challenges in environments where single DNs may need multiple names associated with them.

Ultimately I found the Extension field in the BAT file can simply be left blank.

With that, I would suggest using the built in Unity Connection BAT process to manage contacts when possible.
Unity Connection provides the ability to add contacts manually and via the Bulk Administration tool GUI, but there are some limitations.
When adding Unity Connection contacts manually, only the Alias (unique) and the DisplayName are required. When adding Unity Connection contacts via Bulk Administration, an Alias (unique) and an Extension (unique) are required. A problem arises when you only want to leverage Unity Connection contacts as additional directory entries, and where you might have multiple names or spellings for the same transfer destination.
Manually, you can add as many contacts as you require with variations of DisplayNames, all using the same TransferNumber, as the TransferNumber does not need to be unique. If you are managing thousands of DisplayName variations though (full names vs. acronyms vs. friendly names, etc.), manual entry is likely not acceptable.
Since BAT requires a unique Extension, if you enter it accurately you are still required to enter a TransferNumber, but now need to leverage multiple AlternateNames per contact to deal with name variations. This is undesirable as contact AlternateNames are not easily searchable via the GUI, and additionally User and Contact names can't be managed separately if the extensions are the same.
For example, you may need to manage directory entries for the President of the United States. Several years ago, the user BObama may have had extension 1111. This year, user DTrump may have the extension 1111. You might have historically had a directory entry (contact) with DisplayName POTUS with extension 1111. You might want a second directory entry (contact) with DisplayName P O T U S with extension 1111. You cannot add either contact with BAT, as a user already has that extension number. You can use AlternateNames in the User, but when you delete and add a new user every four years, you need to remember to re-add all the associated alternate names, which aren't searchable. If you choose to manage those more permanent AlternateNames in a contact and via BAT, you now need to create a bogus unique Extension for the contact and again manage unsearchable AlternateNames. If you want to be able to search for the AlternateNames, you need to BAT multiple contacts with multiple bogus Extensions and use the DisplayName in each instead.
None of this is perfect.
The CUC CUPI interface allows for bulk contact additions and deletions where Extension is not required.
This sample assumes your BAT file columns will be Alias, DisplayName, FirstName, LastName, TransferEnabled, TransferExtension and saved in UTF-8 format without BOM.
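The column layout just described, turned into a bulk add / delete script. This is an added example written for this post, not the author's Python script or the gist; it drives the CUPI contacts resource (/vmrest/contacts) with curl using the six field names listed above. Assumptions beyond the post: CUPI's JSON representation with Accept / Content-Type headers, the query=(alias is <value>) lookup syntax for resolving an alias to an ObjectId, and placeholder values for the server host and admin account.

```bash
#!/usr/bin/env bash
# Added example (not the blog author's script): bulk add or delete Unity
# Connection contacts over CUPI from a CSV with the header row
#   Alias,DisplayName,FirstName,LastName,TransferEnabled,TransferExtension
# Usage: CUC_PASS=... ./cupi_contacts.sh add contacts.csv
#        CUC_PASS=... ./cupi_contacts.sh delete contacts.csv
set -euo pipefail

CUC_HOST="${CUC_HOST:-cuc.example.com}"   # placeholder: your Unity Connection server
CUC_USER="${CUC_USER:-cupiadmin}"          # placeholder: an administrator account with CUPI access
CUC_PASS="${CUC_PASS:-}"                   # read from the environment; consider --netrc-file on shared hosts
CUC_CA="${CUC_CA:-}"                       # optional CA bundle that issued the server's TLS certificate

# JSON body for one contact. Attribute names are the CUPI contact fields named
# in the post; values are assumed to contain no double quotes (BAT-style CSV).
contact_json() {
  printf '{"Alias":"%s","DisplayName":"%s","FirstName":"%s","LastName":"%s","TransferEnabled":"%s","TransferExtension":"%s"}' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# One CUPI call: cupi <METHOD> <path under /vmrest/> [json body]
cupi() {
  local method="$1" path="$2" body="${3:-}"
  local -a opts=(-sS --fail -u "$CUC_USER:$CUC_PASS"
                 -H 'Accept: application/json' -H 'Content-Type: application/json')
  if [ -n "$CUC_CA" ]; then opts+=(--cacert "$CUC_CA"); fi
  if [ -n "$body" ]; then opts+=(--data "$body"); fi
  curl "${opts[@]}" -X "$method" "https://$CUC_HOST/vmrest/$path"
}

# Pull the first ObjectId out of a CUPI JSON response (empty string if none).
objectid_from_json() {
  grep -o '"ObjectId":"[^"]*"' | awk -F'"' 'NR==1 {print $4}' || true
}

add_contact() { cupi POST contacts "$(contact_json "$@")"; }

# Contacts are deleted by ObjectId, so resolve the alias first. The alias is
# assumed URL-safe (letters, digits, dots, underscores), as BAT aliases usually are.
delete_contact() {
  local alias="$1" id
  id=$(cupi GET "contacts?query=(alias%20is%20$alias)" | objectid_from_json)
  if [ -z "$id" ]; then
    echo "no contact with alias $alias" >&2
    return 1
  fi
  cupi DELETE "contacts/$id"
}

# Walk the CSV: skip the header row, strip CR from Windows line endings,
# and apply the action to every row that has an alias.
process_csv() {
  local action="$1" file="$2" alias display first last tenabled text
  tail -n +2 "$file" | tr -d '\r' | while IFS=, read -r alias display first last tenabled text; do
    [ -n "$alias" ] || continue
    case "$action" in
      add)    add_contact "$alias" "$display" "$first" "$last" "$tenabled" "$text" ;;
      delete) delete_contact "$alias" ;;
      *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
  done
}

if [ $# -eq 2 ]; then
  process_csv "$1" "$2"
fi
```

Because the CSV carries no Extension column, the POTUS and P O T U S entries from the example above can both be loaded with TransferExtension 1111 and no collision with the user who holds that extension. curl's --fail turns any CUPI error status into a non-zero exit, and set -e then stops the run at the first failed row rather than silently skipping it.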

You can find my Github repository here: https://github.com/raymaslanka/Cisco-UCXN-CUPI-add-delete-contacts, or gist here:

Tuesday, July 16, 2019

Cisco CUACA Attendant Console Advanced Notes

Replication Issue:

Installing CUACA version 12.0.4.20-14 on Windows 2012 R2, SQL 2016 and using the CUACA High Availability (Resilient Installations) option.

I was presented with "Licensing information on publisher and subscriber servers is not in sync. Please validate replication configuration." after applying the correct Server, Sessions and Resilient Server licenses on the publisher. Attempting to install replication via the CUACA GUI Replication drop-down was a miserable failure. A good visual of the steps required can be found here regardless: https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-attendant-console-advanced/200513-Installation-of-Replication-for-CUAC-Adv.html

Hostnames and FQDNS resolved, SQL servers were installed correctly, firewall exceptions were in order, sa passwords checked, administrator rights to servers were good, prerequisites were verified a dozen times, CUACA uninstalled and reinstalled with new DBs, etc. etc.

TAC finally found and supplied a DLL that needed to be replaced. See CSCvp67232. The DLL is DBComponent.dll, the modified date on the fixed version is Thursday, May 23, 2019, 5:12:26 AM and it belongs in C:\Program Files (x86)\Cisco\Utilities\DB Component and C:\Program Files (x86)\Cisco\Attendant Admin\Web\Application\Bin.

Cool.  Replication still doesn't work. 

TAC insisted it was a firewall issue after they were unable to telnet to a port the servers were not listening on. That's not how that works, but you should probably double check yours anyway.

Ultimately I found a MS Application Error on the 2012 subscriber server in the cascading mess of errors indicating the local MS DTC detected that the MS DTC on has the same unique identity as the local subscriber server.  The error text indicates the servers were likely cloned in an unsupported method. This is not unlikely in this particular environment.

There is a brief reference to this in the latest troubleshooting guide but the link to Microsoft's website is broken and you do not need to reinstall CUAC.

The fix is running 'msdtc -uninstall' and 'msdtc -install' from a command line running as administrator on the subscriber server, reboot everything, uninstall and reinstall CUACA Replication and enjoy your day.

MS DTC error message

CUCM Synchronization Issue:

When defining a device to use as a template for CUAC Queue Devices, the Owner User ID on the CUCM template device appears to need a value. If the Owner is left Anonymous in CUCM you will find an error code 9100 Function Parameter error in the CUCM Sync Report when the process is complete. If you are lucky enough to be syncing lots of devices and impatient when running the report, you might catch a better description of the culprit before it finishes.

Not a helpful description

Now this... this is a helpful description.


Transfer to voicemail:

In CUACA User Configuration | General Properties the Maximum internal device digit length needs to be long enough to include the DN length plus the voicemail prefix defined in the client under Options | Dialing. For example, if you are using +E.164 DNs and a prefix of 12345, your internal device digit length needs to be 18.



Tuesday, June 11, 2019

Find CUCM users that are LDAP inactive

Option 1: SQL via CUCM CLI

Note: status of 2 is inactive, 1 is active, and 0 is local

run sql select count(*) from enduser where status=2

run sql select userid, firstname, lastname from enduser where status=2

Option 2: simple lookup on newer CUCM versions

Note: not sure when this option was introduced

Find user where Is disabled local user