This guide covers basic configuration for adding new nodes, providing access credentials and checking operation.

There is an advanced configuration guide which then covers compliance management, creating support for new operating systems.

Steps

Prerequisites

opConfig installed and setup
Understanding of opConfig terms and operation refer to

Configure access: Adding Credential Sets, Managing Credential Sets

Credentials for all connections made by opConfig are configurable from the opConfig GUI ONLY. Before anything else you need to create sets of credentials to access you devices. At this point in time, opConfig supports only Telnet and SSH, and for SSH only password-based authentication is supported.

Select the menu "System", then "Edit Credential Sets". Credential sets can be shared by any number of nodes.

Each credential set has to have a unique name, by which it is referenced in the nodes' connection settings. The description field is self-explanatory and optional.

A credential set has to specify a User Name property, which is used when logging in to the nodes the set applies to. At this time, opConfig supports only password-based authentication at the node, and the Password property of the credential set establishes the primary password for this user name.

SSH Key-based authentication

SSH Key-based authentication is supported from version 3.0.2. Considerations:

A key with no passphrase is needed.
The key needs to be added to the device.
The key needs to be set in RFC4716 format.

As a key example configuration:

opConfig > opConfig adding nodes and credentials > Screen Shot 2020-03-23 at 3.11.40 pm.png

Unprivileged user

Some commands cannot be performed by an unprivileged user, which is why opConfig also supports elevating the privileges on demand. To control this, a credential set can optionally include a Superuser/Privileged/Enable Password. Depending on the node's platform and personality, different mechanisms will be used to gain increased privileges:

On Cisco IOS devices, this password is used with the enable command.
With personality bash (the default for Unix-like systems), the command sudo is used to become the superuser. Sudo therefore needs to be installed and configured on such nodes, and the User Name in question needs to be authorized for sudo.

Naturally not all commands require elevated privileges; see the section on Command Sets for how to determine and configure those.

Please note that the Credential Set editing dialogs never show existing passwords (or their legth or existence); You can only overwrite password entries. All credential sets are stored in the database in encrypted form.

Adding or Modifying Nodes

To tell opConfig to run commands for a node it needs to be told about the node's existence and what properties the node has (e.g. what platform, what OS, what credential set, what protocol to use to contact the node ). Adding a node for opConfig can be done using the GUI or the command line tools opconfig-cli.pl and opnode_admin.pl. You can add node information manually to opConfig, or you can import node's info from NMIS or OpenAudit.

opConfig can connect to any node (and run commands for it) as long as it has valid connection settings for it (and as long as it is not disabled for opConfig).

Add a node Using the GUI

Add or Import

Import is only available for opConfig version prior to 4.0.0. opConfig versions >= 4.0.0 share that information in the database.

System menu
- Edit Nodes.
  - "Import new Nodes from NMIS" or "Add Node" - These let you create new node records either automatically or manually.

If you successfully import the node from NMIS you should only need to add the credential set and the transport protocol (which are in the connection tab). Import generally works for "Linix" like devices and for Cisco devices. For all other device types you simply need to add some details by hand. You will see what configuration you MUST still add displayed as part of the "Edit Node" screen.

The problem reports are fairly self-explanatory (and clickable).

The following is a breakdown on the information opConfig uses about the device.

General TAB - This is generic information about the device and is the information imported from NMIS / OpenAudit. Only the host entry needs to be correct here, and it must be a usable FQDN or IP address the rest is informational only.
Connection TAB - To connect to a node, opConfig needs to know some information about it
1. Personality this is the CLI Parsing to use to enable the issuing of commands e.g. line endings, prompts etc. The Personality includes information about the prompts, line-ending conventions etc. a node is subject to; for example, the 'ios' personality handles understanding the > prompt and "enable" command and "bash" understands shell prompts. The personalities supported are available in the drop down.
2. CredentialSet - NOT automatic and needs to be set - authentication and authorization in the form of the access credential set created earlier.
3. Transport (Telnet or SSH) - NOT automatic and needs to be set Also note this cannot get flagged as not being changed in the Configuration Problems window so do check it.
OS info TAB - Once connected to a node we need to know the OS and maybe version, subversion, platform in use to select the right commands to issue and how to parse the command results. This where COMMAND SETS ("command_sets.nmis" file) that opConfig uses, makes association between the OS and maybe a version and maybe a major release or train and the command to issue and how to parse it.
1. These fields should be automatically populated if your device was discovered by NMIS or OpenAudit and if they are Cisco IOS or Linux devices
2. The OS field and potentially the version and other fields must match the 'os' => and any 'version' => fields in the command_sets.nmis file.
3. See the command sets section later and have a look in the file if you want to know what os and version fields will work. If the import did not get results you can try the following: for Cisco IOS typically if you put OS as "IOS" and version as "12.2" you will get results and Linux OSs use just OS as "Linux"

Once you have added the device you will either need to wait for the polling cycles to complete per your cron Schedule or use command line tools below to determine results.

Import (and discovery) from the Command Line

opConfig CLI tools are found in /usr/local/omk/bin

Simply run opconfig-cli.pl without options to see a brief usage of help.

opconfig-cli.pl can import nodes from NMIS, to import you'd run

opconfig-cli.pl act=import_from_nmis
##optionally you can limit it to the names of known nodes with an argument of nodes=
opconfig-cli.pl act=import_from_nmis nodes=nodeX,nodeY

If you have already setup credential sets, then you can let opConfig guess which to use for your node using

opconfig-cli.pl act=discover node=TheNewNodeName

If none of the Transport+Credential Set combinations work for the node, opconfig-cli.pl will print an error message.

Checking operation

opConfig 4 Troubleshooting

Extend and customise with advanced configuration

opConfig 4 User Manual

You may also want to use visual panels to communicate related information, tips or things users need to be aware of.