
Cisco Secure Access Control System (ACS) 5.2 and User Change Password (UCP)

Contents

  1. UCP through HTTP(S)
  2. UCP through Command Line
  3. Summary
  4. Resources

Article Description

This article teaches you how to use the User Change Password (UCP) service in Cisco ACS to allow users defined in the ACS internal database to first authenticate themselves and then change their own password.

From the author of

AAA Identity Management Security

As ACS has evolved, one of its lesser-known features has evolved significantly along with it: User Change Password (UCP). If you ran Cisco Secure Access Control Server version 4.x, 3.x or earlier and only required the local ACS database for user account management, then you are already familiar with it. UCP is a service that lets users change their account password through a GUI-based interactive interface (both ACS 4.x and ACS 5.x) or from the CLI of their operating system (ACS 5.x only).

The User Change Password (UCP) service allows users defined in the ACS internal database to first authenticate themselves and then change their own password. This service can reduce the number of password-change requests that reach IT staff: a permanent link or tool can be provided to users so that they change their own passwords.

The UCP service available in ACS 5.x can also be used to build custom web-based applications that are deployed on an enterprise’s internal or external web portals, so that users change their passwords as self-service.

In this article I will cover UCP under two main sections:

  • UCP through HTTP(S).
  • UCP through Command Line.

UCP through HTTP(S)

To enable password change through the GUI for ACS local database users, broadly we need to follow these steps:

  • Enable the UCP web interface on ACS.
  • Configure a web server to serve the UCP GUI.

We will use the following, in addition to ACS:

  • Ubuntu 10.04.1 LTS
  • Apache Tomcat 6.0.24 (to serve the JSP pages)

Let us begin with configuring UCP through HTTP(S):

  1. Get the required files to deploy on the web server from ACS. Navigate to System Administration > Downloads > User Change Password > UCP web application example, as shown in figure 1. ACS will ask you to save the ‘UCP.war’ file. Save it.
  2. Install and start the Tomcat service:

    export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk/
    sudo aptitude install tomcat6 tomcat6-admin tomcat6-common
    sudo /etc/init.d/tomcat6 start

    or

    sudo service tomcat6 start

  3. Place the files extracted from ‘UCP.war’ (step 1) under /var/lib/tomcat6/webapps/ROOT:

    $ ls /var/lib/tomcat6/webapps/ROOT/
    cisco_logo.JPG index.jsp META-INF WEB-INF
    $

  4. Enable the UCP web interface on ACS:

    acs52/admin# show acs-config-web-interface
    migration interface is enabled
    ucp interface is disabled
    view interface is enabled
    acs52/admin#
    acs52/admin# acs config-web-interface ucp enable
    acs52/admin# show acs-config-web-interface
    migration interface is enabled
    ucp interface is enabled
    view interface is enabled
    acs52/admin#

  5. Check the UCP GUI page to ensure that password change works over HTTP. Access the Tomcat server from any browser at http://<tomcat-server-ip>:8080.

    You should see the output shown in figure 2.

    Now ensure that password change works. Use any account in the ACS local database and try to change its password through the UCP GUI, as shown in figure 3 and figure 4.

    If you enter a wrong password, you will see the page shown in figure 5.

  6. Enable SSL on the UCP GUI. Create a certificate keystore by executing the following command:

    /usr/lib/jvm/java-1.6.0-openjdk/bin/keytool -genkey -alias tomcat -keyalg RSA

    where /usr/lib/jvm/java-1.6.0-openjdk is my JAVA_HOME (refer to step 2).

    The keystore is created under your home directory; for example, for user ‘pbanga’ it would be /home/pbanga/.keystore.

    Create a backup of the default server.xml file:

    ~$ sudo cp /var/lib/tomcat6/conf/server.xml /var/lib/tomcat6/conf/server.xml.orig

    Locate the following code in the server.xml file and uncomment it.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS" />

    Now add the keystore that we created above:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS" keystoreFile="/home/pbanga/.keystore" />

    Tomcat assumes the keystore password is its default, changeit; if you entered a different password in keytool, also add keystorePass="<your password>" to this connector, otherwise Tomcat cannot open the keystore and the 8443 connector will fail to start.

    Restart the Tomcat 6 service:

    ~$ sudo service tomcat6 restart
    * Stopping Tomcat servlet engine tomcat6      [ OK ]
    * Starting Tomcat servlet engine tomcat6      [ OK ]

    At this stage, if you open https://<tomcat-server-ip>:8443 in a web browser, you should be able to establish a secure connection as shown in figure 6.

    It is also good to add automatic redirection, so that anyone who tries to use HTTP is redirected to an HTTPS connection automatically.

    To enable automatic redirection we need to make a change in the file /var/lib/tomcat6/conf/web.xml.

    Put the code below after </welcome-file-list> and right above </web-app>.

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>

    Now restart the Tomcat 6 service.

    ~$ sudo service tomcat6 restart
     * Stopping Tomcat servlet engine tomcat6     [ OK ]
     * Starting Tomcat servlet engine tomcat6     [ OK ]
    ~$
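As an added example (not from the article, Cisco or the Tomcat project), the following Python script checks a Tomcat 6 server.xml and web.xml for the two settings the procedure above depends on: an SSL-enabled connector that points at a keystore and whose plain HTTP sibling redirects to it, and a security-constraint that forces CONFIDENTIAL transport on /*. The two XML fragments embedded in it are constructed samples shaped like the edited files; on a real host pass the contents of /var/lib/tomcat6/conf/server.xml and web.xml instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments shaped like the article's edited files (not a real server's config).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" keystoreFile="/home/pbanga/.keystore" />
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection><web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """'{namespace}name' -> 'name'; Tomcat's web.xml declares a default namespace."""
    return tag.rsplit("}", 1)[-1]

def check_server_xml(text):
    """Return a list of problems with the Connectors; an empty list means OK."""
    conns = list(ET.fromstring(text).iter("Connector"))
    ssl = [c for c in conns if c.get("SSLEnabled") == "true"]
    problems = [] if ssl else ['no Connector with SSLEnabled="true"']
    for c in ssl:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            problems.append("port %s: needs scheme=https and secure=true" % c.get("port"))
        if not c.get("keystoreFile"):
            problems.append("port %s: keystoreFile not set" % c.get("port"))
    # A CONFIDENTIAL constraint redirects to the plain connector's redirectPort,
    # so that port has to belong to one of the SSL connectors.
    ssl_ports = {c.get("port") for c in ssl}
    for c in conns:
        if c not in ssl and c.get("redirectPort") not in ssl_ports:
            problems.append("port %s: redirectPort is not an SSL port" % c.get("port"))
    return problems

def check_web_xml(text):
    """True if some security-constraint forces CONFIDENTIAL transport on /*."""
    for sc in ET.fromstring(text).iter():
        if local(sc.tag) == "security-constraint":
            pairs = {(local(e.tag), (e.text or "").strip()) for e in sc.iter()}
            if ("url-pattern", "/*") in pairs and ("transport-guarantee", "CONFIDENTIAL") in pairs:
                return True
    return False
```

Against the still-commented-out default connector, check_server_xml reports the missing SSL connector and the dangling redirectPort; against a web.xml without the constraint, check_web_xml returns False.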