System Commands

The Policy Manager command line interface (CLI) includes the following system commands:

system admin-password-reset


system boot-image

system cleanup

system create-api-client

system export-endpoints-csv

system factory-reset

system gen-recovery-key

system gen-support-key

system install-image

system morph-vm

system patch-rollback

system refresh-license

system refresh-network

system reset-server-certificate

system restart

system shutdown

system sso-reset

system start-rasession

system status-rasession

system terminate-rasession

system update

system upgrade

system admin-password-reset

Resets the admin password for the Policy Manager WebUI back to the default setting.

system apps-access-reset

Use the system apps-access-reset command to reset the access control restrictions for Policy Manager.

Syntax

system apps-access-reset

Example

The following example resets the access control restrictions for Policy Manager:

[appadmin]# system apps-access-reset

Policy Manager application access is restored

system boot-image

Use the system boot-image command to set system boot image control options.

Syntax

system boot-image [-l] [-a <version>]

The following table describes the required and optional parameters for the system boot-image command:

Table 1: Boot-Image Command Parameters

Flag/Parameter    Description
-l                Lists the boot images installed on the system.
-a <version>      Sets the active boot image version in A.B.C.D syntax. This field is optional.

Example

The following example lists the boot images installed on the system:

[appadmin]# system boot-image -l

system cleanup

Use the system cleanup command to perform a system cleanup operation that purges the following records:

System and application log files

Past authentication records

Audit records

Expired guest accounts

Past auto and manual backups

Stored reports

Syntax

system cleanup <num_days>

The following table describes the required parameter for the system cleanup command:

Table 2: System Cleanup Command Parameter

Flag/Parameter    Description
<num_days>        The cleanup interval, that is, the number of days of data to retain. This field is mandatory.

Example

The following example performs a system cleanup operation that retains records for four days:

[appadmin]# system cleanup 4


********************************************************

* *

* WARNING: This command will perform system cleanup *

* operation that will result in purging of: *

* [*] system and application log files *

* [*] past authentication records *

* [*] audit records *

* [*] expired guest accounts *

* [*] past auto and manual backups *

* [*] stored reports etc... *

* *

********************************************************

Are you sure you want to continue? [y|n]: y

INFO - Starting system cleanup

INFO - Purging diagnostic dumps

INFO - Detected empty core directory

INFO - Performing system cleanup tasks

INFO - Purging platform logs

INFO - Purging application logs

INFO - Performing database cleanup tasks

INFO - Completed system cleanup

system create-api-client

Use the system create-api-client command to create a new API (Application Programming Interface) client.

Syntax

system create-api-client <Client_ID> <Client_Secret>

Example

The following example creates an API client and specifies the client ID and client secret:

[appadmin]#system create-api-client Win.139 college52

system export-endpoints-csv

Use the system export-endpoints-csv command to export endpoints and endpoint profile details to a zip file that can be downloaded from the Admin UI under Administration > Server Manager > Local Shared Folders (Backup files).

When using an XML file to export a very large number of endpoints (> 250 K), performance is sometimes degraded, or the user interface hangs and out-of-memory error messages are logged. Although exporting CSV files through the CLI is still supported, users should be aware that importing ZIP files that contain CSV files of endpoints and endpoint profiles is not currently allowed through either the CLI or the user interface (UI).

system factory-reset

The system factory-reset command restores a Policy Manager hardware appliance to factory defaults. This command is available only to the appadmin user on a physical appliance. It is not available on a virtual machine.

The system factory-reset command is inherently destructive, as it wipes out data, including any licenses on the current partition and any backups currently stored on the server. Hence, the user should create data backups outside of the target Policy Manager server before running this command. This command is not available on Policy Manager installations hosted on a cloud services platform such as Amazon Web Services (AWS) or Azure.

The system factory-reset command essentially consists of two operations:

Resets all Policy Manager configurations in the current partition only, including Policy Manager server settings, all ClearPass Guest, Onboard and extensions, Active Directory domain settings, NTP settings, hostname, network settings, and date, time, and password settings.

Cleans and resets Policy Manager logs and configuration files, including those for Policy Manager Guest.

When running the system factory-reset in a Policy Manager cluster:

If the current server is a publisher, running this command will drop it from the cluster. The standby publisher then becomes the publisher.

If the current server is a subscriber node, it will be dropped from the cluster, and will become a stand-alone node.

After successful configuration and reboot, you will be presented with the bootstrap configuration screen, where you will have to reset all the Policy Manager parameters.

Example

The following example restores a Policy Manager hardware appliance to factory defaults:

[appadmin]# system factory-reset

system gen-recovery-key

Use the system gen-recovery-key command to generate the recovery key for the Policy Manager server.

Example

The following example generates the recovery key for the system:

[appadmin]# system gen-recovery-key

Recovery key='04U22FsdGVkX318To8NDW4ayzi6Q17Lz3KA417DW5y+2A2ZvGj41c='

system gen-support-key

The system gen-support-key command uses the Support Engineer's email ID and outputs a token. The Support Engineer uses this token to generate a password for a Policy Manager server. With this password, the Support Engineer gains privileged access to the Policy Manager server.

Syntax

system gen-support-key

Example

The following example generates the support key for the system:

[appadmin]#system gen-support-key

system gen-support-key

Support key='01U2FsdGVkX1+/WS9jZKQajERyzXhM8mF6zAKrzxrHvaM='

system install-image

The system install-image command installs a fresh image of the major product version specified in the second partition of a Policy Manager hardware appliance.

This command is available only for the appadmin user on a physical appliance. It is not available on a virtual machine.

The system install-image command is supported for Policy Manager versions prior to 6.7 as well as versions 6.7 and above. This command is not available on Policy Manager installations hosted on a cloud services platform such as Amazon Web Services (AWS) or Azure.

After successful execution of the system install-image command, the system will reboot and you will return to the installed image.

After successful configuration and reboot, you will be presented with the bootstrap configuration screen, where you will have to reset all the ClearPass parameters.


Any data present in the second partition prior to the execution of the system install-image command will be wiped out. Also, no licensing information from where the command is executed is carried forward.

You can apply the system install-image command in the following ways:

Table 3: System Install-Image Command Methods

System install-image Method                          Description
system install-image http(s)://hostname/<filename>   Installs the Policy Manager image through HTTP or HTTPS.
system install-image user@hostname:/<filename>       Installs the image through SCP (Secure Copy Protocol).
system install-image <filename>                      Installs the image imported to the Policy Manager server and available locally (offline install-image).

Example

[appadmin]#system install-image CPPM-x86_64-6.X.Y.Z-<any-image>.signed.tar

X.Y.Z stands for a specific patch release version.

<any-image> stands for the description of the patch.

signed.tar is common nomenclature for all types of updates.

system morph-vm

Use the system morph-vm command to convert an evaluation virtual machine (VM) to a production virtual machine. With this command, licenses still need to be installed after the morph operation is completed.

When you use the system morph-vm CLI command in Policy Manager 6.7 or later to morph a virtual appliance (VA) to a larger size, all the licenses are deleted. This issue does not affect configuration data. After the upgrade, contact Aruba's Technical Assistance Center (TAC) to have the licenses activated again.

To convert an evaluation virtual machine to a production virtual machine:

1. Determine the type of the appliance to which you want to morph your evaluation virtual machine.

2. Procure the license for the target virtual appliance.

3. Shut down the virtual machine.

4. Determine the required capacity of an additional hard disk and attach it to the target virtual appliance.

5. Adjust the CPU and memory settings for the evaluation virtual machine to match the target virtual appliance.

6. Boot the virtual machine.

7. Execute the system morph-vm command. The configuration data from the evaluation virtual machine will migrate to the newly-attached disk. The node will reboot as a virtual machine of the selected appliance model.

8. Log in to the user interface and enter the permanent license. The evaluation virtual machine is now a production virtual machine. The licenses present on the system before running the system morph-vm command will be retained.

Syntax

system morph-vm <C1000V | C2000V | C3000V>

The following table describes the parameters for the system morph-vm command:

Table 4: System Morph-VM Command

Flag/Parameter    Description
<vm-version>      The Policy Manager virtual appliance model to morph to. The following options are available: C1000V, C2000V, C3000V. This field is mandatory.

Example

The following example converts an evaluation virtual machine to a production C3000V virtual appliance:

[appadmin]# system morph-vm C3000V

system patch-rollback

The system patch-rollback command allows a user with appadmin credentials to revert to the most recent installed version of Policy Manager. For example, if a Policy Manager system is at 6.9.1 and cumulative update 6.9.x is applied, Policy Manager can be reverted to 6.9.1 through the system patch-rollback command.

This command can also be used if there is a problem that occurs after the patch update process—for example, if an issue is identified in production that was not identified during testing, resulting in a degradation of capabilities.

Before using this command to revert from 6.9.x to 6.9.0, you must first download the 6.9.0_source-rollback-package from the Software Updates page and install it (see Software Updates).

Important Points

When issuing the system patch-rollback command, keep in mind the following points:

Patch-rollback is supported only for Policy Manager versions 6.7 and above.

The system patch-rollback command reverts only the most recently installed cumulative patch update within the major version. After the cumulative patch is reverted, the user will be in the patch version that was installed prior to the patch update.


The system patch-rollback command cannot be used after an upgrade to revert to an earlier major version.

Although you can only roll back to the last version that was installed, if multiple hotfix patches are included within the cumulative patch version you are rolling back from, then you can roll back multiple hotfix patches, one at a time, to a specific hotfix within the current version. To roll back to the previously installed version, you must first roll back each intervening hotfix patch.

As best practice, users should always back up all data before proceeding with an update.

This command can also be used at the cluster level. In this case, system patch-rollback must be run individually on each appliance in the cluster within 24 hours after the rollback in order to maintain the cluster status. For patch rollback across a cluster, the appadmin user must go to each Policy Manager server in the cluster to roll back the last applied patch.

Any custom skins that are installed in the current version are retained after the rollback to the earlier version.

System rollback events are logged in the Event Viewer.

Syntax

system patch-rollback

Example

[appadmin]# system patch-rollback

****************************************************************************************

* WARNING: This command is recommended to be executed from local console unless otherwise instructed by TAC *

* Execution through SSH console may result in system instability. *

*

* WARNING: This command will undo software changes done by the currently installed patch. Configuration

* changes should not be affected by this action.

* As a best practice, please be sure to back-up this system before starting the operation.

*

* Are you sure you want to continue? y

*******************************************************************************************

INFO: Preparing for rollback

INFO: 2018022-clearpass-6.8-updates-2 will be rolled back

INFO: This will take a few minutes to complete. Please wait.

INFO: Running pre-rollback scripts

INFO: Executing rollback

INFO: Running post-rollback scripts

INFO: Please reboot now for the changes to take effect.

*******************************************************************************************

For example, if Policy Manager has been installed in the order 6.9.0 > 6.9.1 > 6.9.2, when the appadmin user executes the system patch-rollback command, the system would revert to a time just before Policy Manager 6.9.2 was installed.

If, in this example, the installed 6.9.2 patch added rpm-X, deleted rpm-Y, and updated rpm-Z to version rpm-Z+1, then system patch-rollback deletes rpm-X, adds rpm-Y, and restores rpm-Z.

Also note that if, for example, a system was at 6.9.0 and cumulative update 6.9.3 is applied, the system can only be reverted to 6.9.0 because that was the last installed version. It cannot be reverted to 6.9.2.
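The rpm-X / rpm-Y / rpm-Z description above, and the rule that a rollback only ever lands on the version installed immediately before the current one, as an added shell example; this is not ClearPass code, and the package manifests and install histories are constructed inputs:

```shell
#!/bin/sh
# Added example, not ClearPass code: derive the actions a patch rollback must
# take from the package manifests recorded before and after a cumulative patch,
# and pick the version a single rollback lands on from the install history.
# Manifests are constructed here as "name version" lines, one package per line.

# Constructed manifest before the 6.9.2 patch was applied.
BEFORE_MANIFEST='rpm-A 1.0
rpm-Y 2.3
rpm-Z 4.1'

# Constructed manifest after the patch: rpm-X added, rpm-Y removed, rpm-Z updated.
AFTER_MANIFEST='rpm-A 1.0
rpm-X 1.7
rpm-Z 4.2'

# rollback_actions "<before manifest>" "<after manifest>"
# Prints one line per action needed to return to the "before" state, sorted:
#   delete <pkg>                  the patch added it, so rollback removes it
#   add <pkg> <ver>               the patch removed it, so rollback reinstalls it
#   restore <pkg> <new> -> <old>  the patch changed its version, so rollback restores it
rollback_actions() {
    {
        printf '%s\n' "$1" | sed 's/^/B /'
        printf '%s\n' "$2" | sed 's/^/A /'
    } | awk '
        $1 == "B" { before[$2] = $3; next }
        $1 == "A" { after[$2]  = $3; next }
        END {
            for (p in after)  if (!(p in before)) print "delete " p
            for (p in before) if (!(p in after))  print "add " p " " before[p]
            for (p in before) if ((p in after) && before[p] != after[p])
                print "restore " p " " after[p] " -> " before[p]
        }' | LC_ALL=C sort
}

# rollback_target "<install history, oldest first>"
# Prints the version one system patch-rollback returns to: the version installed
# immediately before the current one, never an older one that was skipped over.
rollback_target() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $(NF - 1) }'
}

# Stand-alone demonstration.
echo "Rollback actions for the constructed 6.9.2 patch:"
rollback_actions "$BEFORE_MANIFEST" "$AFTER_MANIFEST"
echo "6.9.0 > 6.9.1 > 6.9.2 rolls back to: $(rollback_target '6.9.0 6.9.1 6.9.2')"
echo "6.9.0 > 6.9.3 rolls back to:         $(rollback_target '6.9.0 6.9.3')"
```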


For more information, refer to the "After You Update: Performing a Patch Rollback" section in the most recent version of the ClearPass 6.9 Release Notes.


The system patch-rollback command also removes any configuration and database changes that were done as part of post-installation during the patch update.

system refresh-license

Use the system refresh-license command to refresh the license count information.

Syntax

system refresh-license

Example

The following example refreshes the license count information:

[appadmin]# system refresh-license

INFO: Refreshing license count information

INFO: Successfully refreshed license count information

system refresh-network

Use the system refresh-network command to refresh newly added or removed network adapters in Policy Manager so that they are reflected in the system. This command also enforces network adapter ordering: it associates the lowest-order MAC (Media Access Control) address with eth0, the next higher-order MAC address with eth1, and so on. Ensure that you have a console session available.

The system refresh-network command is useful when you bring up a virtual machine without one or more of the network interface cards (NICs) and you then add them at a later stage. This command is required when you delete NICs and add them back into the system (VMware ESXi may generate new MAC addresses as a result).

For the network refresh to take effect, you must reboot the Policy Manager server.


Using this command may result in loss of network connectivity.

Syntax

system refresh-network

This command includes no additional parameters.
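The adapter ordering rule described above, and the reason a re-added NIC can cost you connectivity, as an added shell example; this is not ClearPass code, and the MAC addresses are constructed values, not taken from any real appliance:

```shell
#!/bin/sh
# Added example, not ClearPass code: apply the ordering rule documented for
# system refresh-network (lowest MAC address becomes eth0, the next higher eth1,
# and so on) to a constructed set of adapter MAC addresses, and show how the
# whole mapping can shift when a NIC is removed and re-added with a new MAC.

# Constructed MAC addresses as a hypervisor might expose them, in discovery order.
MACS_ORIGINAL='00:50:56:9a:3c:10
00:50:56:9a:1f:02
00:50:56:9a:2b:77'

# Same VM after the adapter 00:50:56:9a:1f:02 was deleted and re-added; the
# hypervisor generated a new address for it (constructed value).
MACS_AFTER_READD='00:50:56:9a:3c:10
00:50:56:9a:4e:05
00:50:56:9a:2b:77'

# assign_interfaces "<mac list>"
# Prints "ethN mac" lines. Lower-casing plus fixed-width colon-separated octets
# make a byte-wise sort identical to numeric order on the 48-bit address.
assign_interfaces() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | LC_ALL=C sort | awk '{ print "eth" (NR - 1), $1 }'
}

# mapping_changes "<mac list before>" "<mac list after>"
# Prints "ethN: old -> new" for every interface name whose MAC address differs
# between the two refreshes; an empty result means the mapping is stable.
mapping_changes() {
    {
        assign_interfaces "$1" | sed 's/^/B /'
        assign_interfaces "$2" | sed 's/^/A /'
    } | awk '
        $1 == "B" { before[$2] = $3; next }
        $1 == "A" { if (before[$2] != $3) print $2 ": " before[$2] " -> " $3 }'
}

# Stand-alone demonstration: every ethN moves, including eth0, which is why the
# documentation asks for a console session before running the command.
echo "Mapping at first boot:"
assign_interfaces "$MACS_ORIGINAL"
echo "Changes after the NIC was re-added and system refresh-network ran again:"
mapping_changes "$MACS_ORIGINAL" "$MACS_AFTER_READD"
```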

system reset-server-certificate

Use the system reset-server-certificate command to reset the HTTP server certificate, the RADIUS/EAP server certificate, or both.

After executing the command, the Policy Manager services are restarted to reflect the changes.

Syntax

system reset-server-certificate

Example

The following example resets the HTTP, RADIUS/EAP, and RadSec server certificates:

[appadmin]# system reset-server-certificate

******************************************************************

* *

* WARNING: When the command is completed Policy Manager services *

* are restarted to reflect the changes. *

* *

******************************************************************

Continue? [y|n]: y

0: Reset Http and Radius/EAP Server Certificates

1: Reset Radius/EAP Server Certificate

2: Reset Http Server Certificate

3: Reset RadSec Server Certificate

4: Quit

Updating the server certificate...

Updating of server certificate complete

system restart

Use the system restart command to restart the system.


Executing this command shuts down all running applications and reboots the system.

Syntax

system restart

Example

The following example restarts the system with a confirmation before proceeding:

[appadmin]# system restart

system restart

*********************************************************

* WARNING: This command will shut down all applications *

* and reboot the system *

********************************************************

Are you sure you want to continue? [y|Y]: y

system shutdown

Use the system shutdown command to shut down the current Policy Manager server.


Executing this command shuts down all running applications and powers off the system.

Syntax

system shutdown

Example

The following example shuts down the system with a confirmation before proceeding:

[appadmin]# system shutdown

********************************************************

* WARNING: This command will shut down all applications *

* and power off the system *

********************************************************

Are you sure you want to continue? [y|Y]: y

system sso-reset

Use the system sso-reset command to reset the Single Sign-On (SSO) configuration.

Syntax

system sso-reset

system start-rasession

Use the system start-rasession command to start a Remote Assistance (RA) session.

Syntax

system start-rasession [duration_hours | duration_mins | contact_id | cppm_server_ip]

The following table describes the parameters for the system start-rasession command:

Table 5: System Start Remote Assistance Session Command Parameters

Parameter         Action/Description
duration_hours    Specify the session duration in hours. You can specify values from 0 to 12.
duration_mins     Specify the session duration in minutes. You can specify values from 0 to 59.
contact_id        Enter the username ID part of the Aruba TAC (Technical Assistance Center) or Engineering contact.
cppm_server_ip    Specify the Policy Manager server IP address.

system status-rasession

Use the system status-rasession command to view the status of a Remote Assistance session.

Syntax

system status-rasession <session_id>

Example

The following example displays the status of a Remote Assistance session 3001:

[appadmin]# system status-rasession 3001

system terminate-rasession

Use the system terminate-rasession command to terminate a running Remote Assistance session.

Syntax

system terminate-rasession <session_id>

Example

The following example terminates a running Remote Assistance session 3001:

[appadmin]# system terminate-rasession 3001

system update

The system update command provides options to manage system patch updates.

Syntax

system update [-i [-f] <user@hostname:/<filename> | http://hostname/<filename>>]

system update [-f]

system update [-l]

The following table describes the required and optional parameters for the system update command:

Table 6: System Update Command Parameters

Flag/Parameter                                               Description
-i user@hostname:/<filename> | http://hostname/<filename>    Installs the specified patch on the system. This field is optional.
-f                                                           Reinstalls the patch in the event of a problem with the initial installation attempt. This field is optional.
-l                                                           Lists the patches installed on the system. This field is optional.

This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.

Example

The following example of the system update command will reinstall the patch if necessary and list the patches currently installed on the Policy Manager server:

[appadmin]# system update -f -l

system upgrade

The system upgrade command upgrades the system. This command provides you with the following system upgrade options:

From a Linux server

From a Web server

Performing an offline upgrade

Syntax

Upgrading from a Linux server

system upgrade user@hostname:/<filepath> [-w] [-l] [-L]

See Example 1: Upgrading from a Linux Server.

Upgrading from a Web server

system upgrade http://hostname/<filepath> [-w] [-l] [-L]

See Example 2: Upgrading from a Web Server.

Performing an offline upgrade

system upgrade <filepath> [-w] [-l] [-L]

See Example 3: Performing an Offline Upgrade.

Table 7: System Upgrade Command Parameters

Flag/Parameter    Description
-w                Restores the last (one) week of Access Tracker records after the upgrade.
-l                Restores all Access Tracker records from this version.
-L                Does not back up or restore Access Tracker records from this version.
<filepath>        Enter the file path using the syntax shown in the examples below. This field is mandatory.

This command supports Secure Copy (SCP), HTTPS, HTTP, and local uploads.


If none of these system upgrade command options are specified, Access Tracker records are backed up, but they are not restored by default.

Example 1: Upgrading from a Linux Server

To upgrade the Policy Manager image from a Linux server:

1. Upload the upgrade image to a Linux server.

2. Use the following syntax to upload the upgrade image:

system upgrade user@hostname:/<filepath> [-w] [-l] [-L]

For example:

[appadmin]# system upgrade admin@sun.us.arubanetworks

Example 2: Upgrading from a Web Server

To upgrade the Policy Manager image from a Web server:

1. Upload the upgrade image to a Web server.

2. Use the following syntax to upload the upgrade image:

system upgrade http://hostname/<filepath> [-w] [-l] [-L]

For example:

[appadmin]# system upgrade http://sun.us.arubanetworks.com/downloads/PolicyManager-x86-64-upgrade-71.tgz

Example 3: Performing an Offline Upgrade

To perform an offline upgrade:

1. Log in to the Aruba Support Center and select the Download Software tab.

2. Navigate to the ClearPass > Policy Manager > Current Release folder > Upgrade folder.

The Upgrade page opens.

3. In the Description/Remarks section, click the link for the appropriate upgrade.

The upgrade file is uploaded to your local system.

4. Navigate to the Policy Manager Software Updates page at Administration > Agents and Software Updates > Software Updates.

5. In the Firmware & Patch Updates section of the Software Updates page, click the Import Updates button.

The Import from File dialog opens.

6. Browse to the location of the upgrade file on your system, then click Import.

The selected upgrade file is uploaded to the Policy Manager.

7. Log in to the Policy Manager command line interface (CLI) with the following user name: appadmin.

8. Initiate the upgrade process by entering the following command:

system upgrade <filepath> [-w] [-l] [-L]

For example:

[appadmin]# system upgrade CPPM-upgradeimage.bin

9. After the upgrade process is complete, restart the machine by issuing the following command in the CLI:

system restart

The Policy Manager restarts and boots up to the most recent version of Policy Manager.