Cisco Secure Access Control System (ACS) 5.2 and User Change Password (UCP)
As the ACS evolved, one of its lesser-known features has also evolved significantly: User Change Password (UCP). If you ran Cisco Secure Access Control Server version 4.x, 3.x or earlier and only needed the local ACS database for user account management, you are familiar with it. It is a service that lets users change their account password through a GUI-based interactive interface (for both ACS 4.x and ACS 5.x) or from the CLI of their operating system (only for ACS 5.x).
The User Change Password (UCP) service allows users defined in the ACS internal database to first authenticate themselves and then change their own password. This service can help the IT staff by reducing the number of password-change requests. A permanent link or tool can be provided to users to facilitate their own password change.
The UCP service available in ACS 5.x can be used to create custom web-based applications that can be deployed in an enterprise’s internal or external web portals, so that users can change their password as self-help.
In this article I will cover UCP under two main sections.
- UCP through HTTP(S).
- UCP through Command Line.
UCP through HTTP(S)
To enable password change through the GUI for ACS local database users, we broadly need to follow these steps:
- Enable UCP ACS web interface on ACS.
- Configure a web server to serve the UCP GUI interface.
We will use the following, in addition to ACS:
- Ubuntu 10.04.1 LTS
- Apache Tomcat 6.0.24 (to serve JSP pages)
Let us begin with configuring UCP through HTTP(S):
1. Get the required files to deploy on the web server from ACS. Navigate to System Administration > Downloads > User Change Password > UCP web application example, as shown in figure 1. ACS will ask you to save the ‘UCP.war’ file. Save it.
2. Install and start the Tomcat service.
3. Place the files extracted from ‘UCP.war’ in step 1 under /var/lib/tomcat6/webapps/ROOT.
4. Enable the UCP web interface on ACS.
5. Check the UCP GUI page to ensure that password change is working over HTTP.
6. Enable SSL on the UCP GUI.
Each step is detailed below.
Step 2 (install and start Tomcat):
export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk/
sudo aptitude install tomcat6 tomcat6-admin tomcat6-common
sudo /etc/init.d/tomcat6 start
or
sudo service tomcat6 start
Step 3 (deploy the extracted files):
$ ls /var/lib/tomcat6/webapps/ROOT/
cisco_logo.JPG  index.jsp  META-INF  WEB-INF
$
Step 4 (enable the UCP web interface on ACS):
acs52/admin# show acs-config-web-interface
migration interface is enabled
ucp interface is disabled
view interface is enabled
acs52/admin#
acs52/admin# acs config-web-interface ucp enable
acs52/admin# show acs-config-web-interface
migration interface is enabled
ucp interface is enabled
view interface is enabled
acs52/admin#
Step 5 (check the UCP GUI over HTTP): access the Tomcat server using any browser, at http://<tomcat-server-ip>:8080.
You should see output as shown in figure 2.
Now, ensure that password change works. Use any account in the ACS local database and try to change its password through the UCP GUI interface, as shown in figure 3 and figure 4.
If you enter a wrong password, you will see the page shown in figure 5.
Step 6 (enable SSL on the UCP GUI): create a certificate keystore by executing the following command:
/usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA
Where /usr/lib/jvm/java-1.6.0-openjdk is my JAVA_HOME (refer to step 2).
The keystore is created under your home directory; for example, for user ‘pbanga’ it would be /home/pbanga/.keystore.
Create a backup of default server.xml file:
~$ sudo cp /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig
Locate the following code in the server.xml file and uncomment it.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
Now add the keystore we created above to the connector, as follows:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/pbanga/.keystore" />
Restart the Tomcat 6 service:
~$ sudo service tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6    [ OK ]
 * Starting Tomcat servlet engine tomcat6    [ OK ]
At this stage, if you launch a web browser at https://<tomcat-server-ip>:8443, you should be able to establish a secure connection as shown in figure 6.
It is also good practice to add automatic redirection, so that anyone who connects over HTTP is redirected to HTTPS automatically.
To enable automatic redirection we need to make a change in the file /var/lib/tomcat6/conf/web.xml.
Put the code below under </welcome-file-list> and right above </web-app>.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Now restart Tomcat 6 service.
~$ sudo service tomcat6 restart
 * Stopping Tomcat servlet engine tomcat6    [ OK ]
 * Starting Tomcat servlet engine tomcat6    [ OK ]
~$
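The following is an added example and not part of the article or of Cisco's UCP kit: a small POSIX shell audit that checks a Tomcat 6 conf directory for the two settings configured above (an active HTTPS connector that names a keystore in server.xml, and a CONFIDENTIAL transport-guarantee on /* in web.xml), ignoring anything still commented out. It assumes awk, tr and grep -o are available; the sample files it writes, including the /home/user/.keystore path, are constructed for an offline dry run.

```shell
#!/bin/sh
# Added example (not from the article or the Cisco UCP kit): audit a Tomcat 6
# conf directory for the two hardening steps above. Commented-out XML is
# ignored, so a stock server.xml whose 8443 connector still sits inside
# <!-- --> fails the check. Assumes POSIX sh, awk, tr and grep -o.

# Print an XML file with every <!-- ... --> block removed (multi-line safe).
strip_xml_comments() {
    awk '{ b = b $0 "\n" } END {
        while ((i = index(b, "<!--")) > 0 && (j = index(substr(b, i), "-->")) > 0)
            b = substr(b, 1, i - 1) substr(b, i + j + 2)
        printf "%s", b }' "$1"
}

# 0 if server.xml has a live <Connector SSLEnabled="true" ... keystoreFile="...">.
has_ssl_connector() {
    strip_xml_comments "$1/server.xml" | tr '\n' ' ' |
        grep -o '<Connector[^>]*>' | grep 'SSLEnabled="true"' |
        grep -q 'keystoreFile="[^"]\{1,\}"'
}

# 0 if web.xml has a security-constraint covering /* with CONFIDENTIAL transport.
forces_https() {
    strip_xml_comments "$1/web.xml" | awk '
        /<security-constraint>/ { inc = 1; all = 0; conf = 0 }
        inc && /<url-pattern>\/\*<\/url-pattern>/ { all = 1 }
        inc && /<transport-guarantee>CONFIDENTIAL</ { conf = 1 }
        /<\/security-constraint>/ { if (all && conf) ok = 1; inc = 0 }
        END { exit ok ? 0 : 1 }'
}

# Run both checks; returns 0 only when both pass.
audit_tomcat_conf() {
    has_ssl_connector "$1" || { echo "FAIL: no active HTTPS connector with keystoreFile"; return 1; }
    forces_https "$1" || { echo "FAIL: no CONFIDENTIAL transport-guarantee on /*"; return 1; }
    echo "OK: $1 serves UCP over HTTPS only"
}

# Constructed (hardened) sample conf directory for an offline dry run.
write_sample_conf() {
    mkdir -p "$1"
    printf '%s\n' '<Server><Service><!-- <Connector port="8009" protocol="AJP/1.3" /> -->' \
        '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"' \
        '  secure="true" keystoreFile="/home/user/.keystore" /></Service></Server>' > "$1/server.xml"
    printf '%s\n' '<web-app><security-constraint><web-resource-collection>' \
        '<url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint>' \
        '<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>' \
        '</security-constraint></web-app>' > "$1/web.xml"
}
```

Run it against /var/lib/tomcat6/conf after the restart; a stock install fails both checks until the connector is uncommented with a keystore and the security-constraint is added.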