Blue Coat® Systems Director
Command Line Interface Reference
Version SGME 6.1.x

© 2015 Blue Coat Systems, Inc. All rights reserved.

Americas: Blue Coat Systems, Inc.
384 Santa Trinita Avenue
Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

Document Number: 231-03037
Document Revision: SGME 6.1.x 07/2015

Contents

Chapter 1: Introduction
    Audience for this Document
    Organization of this Document
    Content Filtering Policy and Role-Based Access
    Document Conventions
    Conventions and Global Concepts
        Command Modes
        General Conventions
        Global CLI Response Conventions
        URL Syntax
    Related Blue Coat Documentation

Chapter 2: Standard and Enable Mode Commands
    Standard Mode Commands
    Content Filtering Policy Commands
        >cli
        >enable
        >exit
        >help
        >no
        >ping
        >show
        >slogin
        >standby
        >tcpdump
        >traceroute
        >upgrade-package
    Enable Mode Commands
        #archive
        #clear
        #cli
        #configure
        #content
        #debug
        #device
        #disable
        #exit
        #file
        #help
        #job
        #line-vty
        #monitoring
        #no
        #ping
        #push-policy
        #reload
        #remote-config
        #show
        #slogin
        #ssl
        #standby
        #tcpdump upload url
        #traceroute
        #write

Chapter 3: Configuration Mode Commands
    Content Filtering Policy Commands
        (config) #aaa authentication login default
        (config) #abort-on-errors
        (config) #access-list access_list_name
        (config) #archive
        (config) #arp
        (config) #banner
        (config) #cdn
        (config) #clear
        (config) #cli
        (config) #clock
        (config) #configuration
        (config) #content options
        (config) #content url-list
        (config) #continue-on-errors
        (config) #debug
        (config) #device device_id
        (config) #device-acl
        (config) #dmc request-timeout
        (config) #dmc timeout
        (config) #exit
        (config) #file
        (config) #folder folder_id
        (config) #group group_id
        (config) #help
        (config) #hostname
        (config) #interface interface_number
        (config) #ip
        (config) #job job_id
        (config) #lcd
        (config) #license
        (config) #login-banner
        (config) #line-vty
        (config) #logging
        (config) #mail-config
        (config) #mc-migration
        (config) #monitoring
        (config) #no
        (config) #ntp
        (config) #ntpdate
        (config) #ping
        (config) #push-policy
        (config) #ldap-server
        (config) #radius-server
        (config) #reload
        (config) #remote-config
        (config) #require-config-lock enable
        (config) #restore-db userdb
        (config) #role
        (config) #role-substitution-variable
        (config) #show
        (config) #slogin
        (config) #snmp-server
        (config) #ssh
        (config) #ssl
        (config) #standby
        (config) #tacacs-server
        (config) #tcpdump
        (config) #telnet-management
        (config) #traceroute
        (config) #upgrade-package
        (config) #username

Appendix A: Commands Available to Delegated Users
    Standard Mode Commands Available for Delegated Users
    Enable Mode Commands Available for Delegated Users
    Configure Mode Commands Available for Delegated Users

Appendix B: Third-Party Copyright Notices

Chapter 1: Introduction

This document describes all of the commands offered in the Blue Coat® Director Command-Line Interface (CLI). First, the terms and conventions used throughout this document are described. Then the commands are listed along with syntax and descriptions of their functionality.

Audience for this Document

This reference guide is written for system administrators and experienced users who are familiar with network configuration.
Blue Coat assumes that you have a functional network topology, that you and your Blue Coat Sales representative have determined the correct number and placement of the Director appliances, and that those appliances have been installed in an equipment rack and at least minimally configured as outlined in the Quick Start Guide shipped with your Blue Coat Director appliance.

Organization of this Document

This document contains the following chapters:

Chapter 1 – Introduction
    The organization of this document; conventions used; descriptions of the CLI modes; and instructions for saving your configuration.

Chapter 2 – Standard and Enable Mode Commands
    All of the standard mode commands, including syntax and examples, in alphabetical order. All of the enable mode commands (except for the configuration mode commands, which are described in Chapter 3), including syntax and examples, in alphabetical order.

Chapter 3 – Configuration Mode Commands
    The configuration mode commands are the most used and most elaborate of all of the CLI commands.

For better readability, each command heading in the command reference chapters is preceded by the appropriate prompt.

Content Filtering Policy and Role-Based Access

SGME 5.5 introduces role-based access to the Director Management Console and command line for the first time. Role-based access is used for content filtering policy, which is discussed in more detail in the Blue Coat Director Configuration and Management Guide.

The following table summarizes the impact of this change:

User                              Description
sadmin                            The sadmin user, introduced in SGME 5.5, can execute any command in this book.
                                  sadmin has the following unique capabilities:
                                  • Can create delegated users
                                  • Can create user groups
                                  • Can associate delegated users with user groups
                                  • Can associate user groups with devices (or custom groups)
                                  • Can associate Content Policy overlays with devices (or custom groups)
admin or any privilege 15 user    admin and sadmin can both:
                                  • Create Content Policy overlays
                                  • Create and provide values for substitution variables used in content filtering policy
delegated user                    Create content filtering policy allow lists and block lists and push those lists to devices assigned by sadmin.
                                  In addition, because delegated users have privilege level 10, they can execute any commands listed in Appendix A: "Commands Available to Delegated Users".

Throughout this book, commands that are restricted to particular users are noted. An example follows:

    (config) # username username {role {role_name} user-group user_group_name}

    This command is used with content filtering policy. This command is available for the sadmin user only.

    Creates a locally authenticated delegated user and specifies a role and user group name for the user.

For example, the following commands:

    director (config) # username FinAdmin password director
    director (config) # username FinAdmin role delegated-admin user-group Finance_policy

create a delegated user named FinAdmin with password director and associate the user with the group Finance_policy.

Document Conventions

The following table lists the typographical and CLI syntax conventions used in this manual.

Table 1–1 Document conventions

Convention              Description
Italics                 The first use of a new or Blue Coat-proprietary term.
Monospaced font         Command-line text that will appear on your administrator workstation.
Monospaced italics      A command-line variable that should be substituted with a literal name or value pertaining to the appropriate facet of your network system.
Monospaced boldface     A literal command that should be entered as shown.
{ }                     One of the parameters enclosed within the braces must be supplied.
[ ]                     Optional parameters.
|                       Separates required or optional parameters.

Conventions and Global Concepts

This section describes various conventions and global concepts that are used throughout this document.

Case-Insensitivity

Commands and parameters are case-insensitive. All string comparisons are case-insensitive unless otherwise specified. However, the case of characters in strings that are stored persistently is preserved.

Command Abbreviation

You can abbreviate commands, provided you supply enough characters to make the command unambiguous. For example:

    # configure terminal

can be shortened to:

    # conf t

Using Spaces in Parameters

Spaces cannot be used in parameter values unless the entire value is enclosed in double quotation marks.

Correct:

    (config) # group "Group of Groups"

Incorrect:

    (config) # group Group of Groups

Illegal and Escaped Characters

The colon (:) and question mark (?) characters cannot be used in entry fields or parameter values unless you perform the following tasks:

❐ If you use a colon character in a field or parameter (for example, in a URL), either enclose the entire URL in double quotation marks or escape it by preceding it with a / character. Examples of using a colon character in a URL:

    http/://www.example.com
    "http://www.example.com"

❐ To use a question mark in a field or parameter (for example, in a URL), first enter cli help disable, which causes Director to ignore the question mark character.

Command Modes

Director has the following command modes:

❐ Standard, which is the mode when you first log in to Director. This mode allows you to monitor Director without making changes.

❐ Enable, which provides more advanced control than standard mode. However, enable mode commands do not allow you to make permanent changes to Director’s configuration.
  Initially, enable mode does not require a password; however, Blue Coat strongly recommends you set an enable mode password.

❐ Configuration, which enables you to configure the Director appliance and devices connected to it.

The command prompt changes to reflect the mode you are using:

Prompt          Mode
>               Standard, which enables you to set basic settings. Standard mode does not require a password. After you log in to Director, you start with standard mode.
#               Enable, which enables you to set more advanced settings. By default, enable mode does not require a password but Blue Coat recommends you create a password. From standard mode, enter enable to start enable mode.
(config) #      Configuration, which enables you to configure the Director appliance. From enable mode, enter configure to start configuration mode.

For More Information

For more information, see one of the following:

❐ Standard mode commands: “Standard Mode Commands” on page 15
❐ Enable mode commands: “Enable Mode Commands” on page 31
❐ Configuration mode commands: Chapter 3: "Configuration Mode Commands"

General Conventions

Following are possible results if you enter more parameters than are allowed for a particular command:

❐ The command could have no effect and you will receive an error message and some usage help. This is true of most commands, unless otherwise noted.

❐ The surplus parameters could be ignored and the valid part of the command will be executed. This is the case for some no commands. This behavior is implemented to make it easier for users to negate commands that they have in their cut and paste buffer, such as from the output of show configuration.

Global CLI Response Conventions

The responses printed by the CLI will follow certain conventions, detailed below.

❐ If the response is an error, there will be one or more lines that begin with %. These lines will contain user-printable strings explaining the error.
  The cli print-message-codes command allows you to print error codes along with each error message.

❐ The last line printed will always be the prompt for the next command from the user. Initially, it will be hostname >, where hostname is the fully-qualified host name of Director. If no host name is defined, the prompt is director >. In enable mode the prompt is hostname #, and in configuration mode it is hostname (config) #. When entering a submode, the word config is suffixed by another string, as documented in the command description. The prompt can also be overridden by the cli prompt-override command.

❐ Successful changes to system state usually have no response at all. As a general rule, the only commands that have a response are those that were queries, or commands that resulted in an error.

❐ If you type an incomplete command, for example, show, the response will look like:

    % Type 'show ?' for help.

❐ If you type an ambiguous command, for example, e, the response will look like:

    % Ambiguous command 'e'.
    % Type 'e?' for a list of possibilities.

❐ If you type an unrecognized command, for example, cle, the response will look like:

    % Unrecognized command 'cle'.
    % Type '?' for help.

  Note that this can occur after valid commands, such as conf tu:

    % Unrecognized command 'tu'
    % Type 'conf ?' for help.

URL Syntax

All commands that accept a URL as a download source or upload destination follow the same conventions. This includes content management commands with urls-from and regexes-from arguments, because Director downloads a file list from the supplied URL.

All such URLs are formatted as:

    protocol://host/path

The SCP protocol must use the format:

    scp://host/path

For FTP, a URL such as:

    ftp://host/path

specifies a relative path, and a URL such as:

    ftp://host/path

specifies an absolute path. If path is a directory, it must end with a / character.

The following protocols are generally supported:

❐ HTTP
❐ HTTPS (not supported for all commands)
❐ FTP
❐ SCP (not supported for all commands)

When specifying HTTP or HTTPS for uploading, a PUT operation is performed. For SCP, note that this URL syntax is different from what is accepted by the UNIX scp command. When you use the file protocol, the path specifies an absolute path on the local file system.

For specifying user names and passwords, all commands that accept a URL allow the following optional parameters after the URL (except for the content management commands urls-from and regexes-from):

    [username username [password password]]

If no user name or password is specified, the file will be uploaded or downloaded anonymously. If a user name is specified without a password, the user will be prompted for a password, which will not be echoed back. If the protocol is SCP, a user name must be specified.

FTP and SCP URLs can specify absolute or relative paths (relative to the home directory of the specified user). A URL such as:

    ftp://host/path

specifies a relative path, and a URL such as:

    ftp://host/path

specifies an absolute path. This is consistent with what many other Internet applications support, even though it does not conform with the appropriate RFCs.

When specifying an upload destination URL, the last part of the URL can specify the name of an existing directory on the target. For all protocols except SCP, the URL must end with a trailing slash to indicate that the last part is a directory.
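
The URL, credential and quoting rules in this chapter can be applied mechanically before a command is sent to Director. The Python below is an added example, not Blue Coat code: quote_param, expand_destination and build_upload are hypothetical helper names, and refusing an embedded double quote is an assumption because the manual does not describe one. It leaves the password parameter out so that Director prompts for the password without echo and the password never appears in the command text.

```python
"""Apply the manual's URL and quoting rules before sending an upload command.

Added illustration; helper names are hypothetical, not a Blue Coat API.
"""
from urllib.parse import urlsplit

# Protocols the URL Syntax section lists as generally supported.
PROTOCOLS = {"http", "https", "ftp", "scp"}


class UrlRuleError(ValueError):
    """The request breaks a rule stated in the manual."""


def quote_param(value):
    """Quote values with spaces or colons (Illegal and Escaped Characters)."""
    if '"' in value:
        # Assumption: the manual gives no way to embed a double quote, so refuse.
        raise UrlRuleError("parameter contains a double quotation mark")
    return f'"{value}"' if (" " in value or ":" in value) else value


def expand_destination(url, filename):
    """Return the full target URL when the destination is a directory.

    A trailing slash marks a directory; the manual's example shows the
    uploaded file keeping its own name inside it.
    """
    return url + filename if url.endswith("/") else url


def build_upload(command, filename, url, username=None):
    """Return the CLI lines to type, in order, for one upload.

    No password is placed on the command line: with a user name and no
    password, Director prompts for the password without echoing it.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in PROTOCOLS or not parts.netloc or not parts.path:
        raise UrlRuleError("URL must look like protocol://host/path")
    if scheme == "scp" and not username:
        raise UrlRuleError("SCP requires a user name")

    line = f"{command} {quote_param(filename)} {quote_param(url)}"
    if username:
        line += f" username {quote_param(username)}"

    # A '?' anywhere in the line invokes help unless help is disabled first.
    if "?" in line:
        return ["cli help disable", line, "no cli help disable"]
    return [line]


if __name__ == "__main__":
    for cmd in build_upload("debug upload dump", "mydump.tgz",
                            "scp://host/path1/", username="backup"):
        print(cmd)
```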

For example, with a directory as the upload destination, the command:

    debug upload dump mydump.tgz ftp://host/path1/path2/

is equivalent to:

    debug upload dump mydump.tgz ftp://host/path1/path2/mydump.tgz

Related Blue Coat Documentation

❐ Blue Coat Director Configuration and Management Guide
❐ Blue Coat Director Getting Started Guide
❐ ProxySG Appliance Configuration and Management Guide Suite
❐ Blue Coat Director API Reference Guide

Chapter 2: Standard and Enable Mode Commands

This chapter describes and provides examples for the standard and enable mode CLI commands.

Standard Mode Commands

Standard mode is the default mode when you first log on. From Standard mode, you can view but you cannot change configuration settings. In contrast to Enable mode, this mode cannot be password-protected. Standard mode has a short list of commands.

Important: For a description of the help command and instructions on using the CLI help, see “>help” on page 20.

The Standard mode prompt is a greater-than sign; for example:

    director > traceroute host

Content Filtering Policy Commands

Enable mode includes certain commands related to content filtering policy, which is new in SGME 5.5. For more information, see “Content Filtering Policy and Role-Based Access” on page 7.

> cli

Synopsis

Changes the CLI's treatment of modes. This command is also available in enable and configuration modes.

Syntax

    > cli {capture file filename | help disable | print-message-codes | prompt-override string | raw-input | watch {config-changes {enable | disable} | console-logging {enable | disable} | health-changes {enable | disable} | partner-changes {enable | disable}}}

Subcommands

> cli capture file filename
    Captures CLI output to a file in your home directory, specifying the name of the file to which to capture. The capture applies only to the current session and is automatically terminated when the administrator logs out.
    The capture file remains, but capture is not automatically enabled for subsequent command line sessions.

    When capturing is enabled, the following is captured:
    • The command line and ? when a help query is made
    • The results of any help queries
    • The prompt and full command entered when you press Enter
    • The response to any commands entered

    Command completions are not captured; in other words, none of the following output is captured:
    • resulting from pressing the Tab key
    • extending the command line
    • reprinting the command prompt
    • printing the list of possible completions

    filename is created in the user’s home directory, which is under:

        /local/userfiles/username

    If filename already exists, the output is appended to it. The file remains open for write until any of the following conditions is met:
    • you enter no cli capture
    • you leave the CLI (which includes running the "xyzzy" command)
    • you specify a different filename

> cli help disable
    The help system is normally invoked with the '?' key. The command cli help disable disables the help system, and you must then type out help to access the help system. To re-enable the help system, use the command no cli help disable.

    This option applies only to the current session and is not persistent across sessions.

    Note: You must enter cli help disable before entering a command (such as a URL) that includes a question mark. In other words, any command in which you enter a question mark character (?) fails unless you enter cli help disable first.

> cli print-message-codes
    Print error codes along with each error message. Not every error has an associated code but codes can be useful to help Blue Coat Support troubleshoot an issue. Examples follow:
    • (No message codes)
          % Operation failed.
    • (With message codes)
          % (code 17) Operation failed.
Note: This command applies only to the current session; it does not persist among sessions or apply to other administrators who are logged in to Director at the same time.

> cli prompt-override prompt_string

Changes the prompt from its default behavior (the hostname, followed by punctuation and words to indicate what command mode you are in) to display a single prompt all the time. This option applies only to the current session and is not persistent across sessions.

> cli raw-input

Enters raw input mode (help, completion, and command line editing would be disabled for this session).

> cli watch {config-changes | console-logging | health-changes | partner-changes} {enable | disable}

Enables you to watch (or not watch) changes to configuration, console log messages, health change notifications, or partner change notifications. When you enable change notification, the first line of the message is:

    % Configuration changed.

For example, the following command disables console log messages during the session:

    cli watch console-logging disable

Note: This setting is not stored in persistent storage; it applies only to the current command line session.

Example

    director > cli help disable
    director > ?
    % (code 2) Unrecognized command '?'.
    % (code 53) Type 'help' for help.

> enable

Synopsis

Use this command to enter enable mode. Enable mode commands enable you to view and change your configuration settings. In some configurations, you must provide a password.

Syntax

    > enable

This changes the prompt to the enable prompt after you enter the enable password:

    Enable Password:
    director #

The enable command does not have any parameters or subcommands.

Note: To exit enable mode, enter disable.

Example

    director > enable
    Enable Password:******
    director #

> exit

Synopsis

Use this command to exit the command line. This command will close some SSH applications, such as putty.
Syntax

    > exit

The exit command does not have any parameters or subcommands.

Example

    director > exit

> help

Synopsis

Lists all top-level commands currently available. This command is helpful for those with small terminal screens for whom the list of commands shown by '?' scrolls off the screen. This command also provides information about how to use the help feature.

Syntax

    > help

The help command does not have any parameters or subcommands.

Example

    director > help
    Commands currently available:
    cli no tcpdump help standby exit slogin enable show upgrade-package ping traceroute

    Help may be requested at any point in a command by typing a question mark '?'.
    1. For a list of available commands with full descriptions, type '?' by itself at the prompt.
    2. For help completing a parameter or command, type '?' anywhere in the line.
    For example:
    's?' will list all commands beginning with 's'.
    'show ?' will list all possible parameters to the 'show' command.

> no

Synopsis

Use this command to negate certain options related to CLI commands, content, and devices.

Syntax

    > no {cli options}

Subcommands

> no cli options

> no cli capture

Disables capturing of CLI output to a file.

> no cli help disable

The command no cli help disable re-enables the help system so that typing the command '?' will give help on completing the line.

> no cli print-message-codes

Do not print error codes along with each error message.

Note: This command applies only to the current session; it does not persist among sessions or apply to other administrators who are logged in to Director at the same time. For examples, see “>cli” on page 16.

> no cli prompt-override

Removes the CLI prompt override.

> no cli raw-input

Disables raw input mode (help, completion, and command line editing would be re-enabled).
Example

    director > no cli print-message-codes
    director >

> ping

Synopsis

Use this command to send ICMP echo request packets. This command is also available in enable and configuration modes.

Syntax

    > ping [-c count] [-i delay] [-s packet-size] host [program_options]

-c count specifies how many ping packets to send. Without this parameter, ping continues until you press Control+C.
-i delay specifies the delay, in seconds, between ping packets.
-s packet_size specifies the size of ping packets, in bytes.
host specifies the host for which you want to send ICMP echo request packets.

> ping program_options

The ping command supports standard UNIX options. For a list of available options, enter ping by itself.

Example

    director > ping -c 2 10.25.36.47
    PING 10.25.36.47 (10.25.36.47): 56 data bytes
    64 bytes from 10.25.36.47: icmp_seq=0 ttl=255 time=0.202 ms
    64 bytes from 10.25.36.47: icmp_seq=1 ttl=255 time=0.214 ms
    ----10.25.36.47 PING Statistics----
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.202/0.208/0.214/0.008 ms

> show

Synopsis

Use this command to display running system information.

Syntax

    > show [subcommands]

Subcommands

> show arp
Displays content of the running ARP cache.

> show arp [configured]
Displays static ARP entries configured on this system.

> show arp [statistics]
Displays ARP statistics.

> show clock
Displays system time, date, and timezone.

> show devices <device-id>
Displays information about devices added or registered.

> show file systems
Displays information about files on this system.

> show groups <groups id>
Displays information about groups on this system.

> show hosts
Displays DNS-related information.

> show interfaces [ether-0] [lo]
Displays information about configured interfaces or the specified interface.

> show ip
Displays IP statistics.

> show ip default-gateway [configured]
Displays the running default (the default-gateway command) or configured default (the default-gateway configured command) gateway.

> show ip default-gateway-v6
Displays the IPv6 address configured as the default gateway.

> show ip icmp
Displays Internet Control Message Protocol (ICMP) statistics.

> show ip igmp
Displays Internet Group Management Protocol (IGMP) statistics.

> show ip route [configured]
Displays routing information. The route command displays the dynamic routes currently in use, and the route configured command displays any static routes configured for this system.

> show ip tcp [conns | listeners]
show ip tcp displays TCP statistics. show ip tcp conns displays information about active TCP connections. show ip tcp listeners displays information about configured TCP listen ports.

> show ip udp [conns]
The udp command displays UDP statistics and the udp conns command displays UDP connection information.

> show ldap-server
Displays your LDAP server configuration.

> show license
Displays the license installed on the Blue Coat Director.

> show logging
Displays logging settings, including audit logging information.

> show login-banner
Displays the login banner displayed for access to the Director Management Console.

> show monitoring
Displays device health monitoring information.

> show monitoring alerts [all | alert-id | device device_id | group group_id | severity [all | warning | disconnected | critical] | state [all | active | inactive] | status [all | acknowledged | unacknowledged]]
Displays alerts information. For example, the following command displays alerts with the severity of disconnected:

    show monitoring alerts severity disconnected

> show monitoring health [all | device device_id | group group_id | summary]
Displays health of a group or device.

> show monitoring statistics [device device_id]
Displays device statistics.

> show platform
Displays the hardware platform type (for example, 510).

> show privilege
Displays current user privilege level. Privilege levels are expressed as an integer between 1 (low) and 15 (high). To set a user’s privilege level, see “(config) #username” on page 208.

> show require-config-lock
Displays whether a configuration lock is enabled or disabled. For more information about configuration locks, refer to Appendix A, Administering Director, in the Blue Coat Director Configuration and Management Guide.

> show standby-settings
Displays the standby (Director redundancy) settings.

> show status
Displays status of this machine.

> show tcpdump
Displays tcpdump.

> show telnet-management
Displays the configuration of the Telnet server.

> show upgrade-package
Displays information about installed software packages on the appliance.

> show version [detail]
The version command displays normal system version information and the version detail command displays full version information in a compact format.

Example

    director > show privilege
    Currently logged in as admin
    Your current privilege level is 1
    Your maximum allowed privilege level is 15

> slogin

Synopsis

Opens an SSH connection to a remote host. When you are finished, type the command exit to return to the Director CLI. This command is also available in enable and configuration modes.

The slogin command supports password authentication only. RSA authentication is not supported.

Important: When the slogin command is run from configuration mode, it will release the configuration lock so that you do not lock out other users during the slogin session.

Syntax

    > slogin [-l username] hostname [program_options]

Subcommands

> slogin -l username
Enter a user name to log in to the remote host.

> slogin hostname
Opens the SSH connection to the host.

> slogin [program_options]
Specifies optional parameters passed to the standard UNIX slogin program. For a list of potential program options, enter slogin by itself or look at slogin man pages.

Example

    director > slogin -l admin 10.25.36.47
    admin@10.25.36.47's password:
    10.25.36.47 - Blue Coat SGOS>

> standby

Synopsis

Configures the Director’s standby configuration.

The Director standby feature is designed to minimize Director service disruptions caused by network outage, disaster, or Director failure. When standby is deployed, the Director configuration is mirrored to a second Director whose only function is to take over for the first Director if a failure occurs.

Normally, only one Director is active in a standby pair; the active Director is the only Director that performs configuration and monitoring tasks. The active Director mirrors its configuration and state data to the partner Director, which does not allow administrative access so that synchronization can be maintained between the two Directors.

Syntax

    > standby {make-active | make-primary partner_ip password | make-secondary partner_ip username | make-standalone}

Subcommands

> standby make-active
Makes this Director active. You use the active Director for all Director tasks, including remote administration using overlays, profiles, jobs, and so on. The normal state of the primary Director is active.

> standby make-primary secondary_ip-address password
Makes this Director the primary appliance in a standby pair. The primary Director performs all day-to-day Director operations. All changes on the primary Director are propagated to the secondary Director by means of the sync utility running over SSH. The primary Director continually executes SSH commands on the secondary Director to verify connectivity. When you execute the make-primary command, the Director reboots.

> standby make-secondary primary_ip-address password
Makes this Director the secondary appliance in a standby pair. The secondary Director takes over for the primary Director when a failure occurs. The normal state of the secondary Director is reserve, which means it cannot perform any monitoring or configuration operations and will not accept Management Console connections. If you configure the secondary Director to be active, it performs all functions previously performed by the primary Director. When you execute the make-secondary command, Director reboots.

To access the secondary Director, you must log in with the standbyuser user name.

> standby make-standalone
Takes the Director out of the standby pair. This is the factory default state of Director. A standalone Director cannot participate in a standby pair until an administrator changes its identity to primary or secondary. When you execute the make-standalone command, Director reboots.

Example

    director > standby make-primary 192.168.0.2 thunder

> tcpdump

Synopsis

Starts tcpdump in the background with the program option parameters provided. If tcpdump was already running, this starts another instance (presumably with parameters that pass through a disjoint set of packets, otherwise some will be printed twice). Control returns to the user immediately, and packets are printed as they arrive.

Important: If you do not specifically exclude packets between Director and the host you are connecting from, an infinite feedback loop results because printing packets generates SSH/telnet traffic, which generates more packets.

This command is also available in enable and configuration modes.

Syntax

    > tcpdump {filter options | start | stop}

Subcommands

> tcpdump filter options
With no options specified, captures all packets.
options is a standard set of UNIX tcpdump options (with the exception of -D, -k, -R, and -U, which are not supported for Director). For more information about filtering options, see the tcpdump man page.

> tcpdump start
Starts tcpdump.

> tcpdump stop
Stops tcpdump.

Example

    director > tcpdump -i ether-0 -c 3
    director > tcpdump start
    tcpdump: listening on ether-0
    director > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
    director > tcpdump stop

> traceroute

Synopsis

Determines the route packets take to a destination. The command executes until the entire route to the host is traced, or until you press Control+C. This command is also available in enable and configuration modes.

Syntax

    > traceroute host

Subcommands

None.

Example

    director > traceroute 172.16.45.142
     1:  172.16.45.141 (172.16.45.141)    0.362ms pmtu 1500
     1:  172.16.45.142 (172.16.45.142)    0.837ms reached
         Resume: pmtu 1500 hops 1 back 1

> upgrade-package

Synopsis

Enables you to roll back to the previously installed software version.

Subcommands

> upgrade-package rollback
Enables you to roll back to the previously installed system image. After you roll back, Director reboots. If there is no package to which to roll back, the following message displays:

    No previously installed package available for rollback.

To upgrade a Director 510, see “(config) #upgrade-package” on page 206.

Enable Mode Commands

Enable mode provides a robust set of commands that enable you to view, manage, and change Director settings for features such as managing jobs, device records, or user privileges.

Important: The enable mode subcommand configure, referred to as configuration mode, enables you to manage the Director features. See Chapter 3: "Configuration Mode Commands" for detailed information about this command and its subcommands.
To access enable mode:

From standard mode, enter enable, as follows:

    director > enable
    Password:********
    director #

By default, an enable mode password is not required. Press <Enter> to go in to enable mode. If a login password is configured, you must re-enter the password or passcode that is registered on your local, RADIUS/SecurID, TACACS or LDAP authentication domain.

# archive

Synopsis

Use this command to manipulate Director backups (that is, archives) on this Director appliance.

Note: Director does not archive its IP addresses so an archive taken on one Director appliance can be restored on another Director appliance without changing the target Director’s IP addresses.

Syntax

    # archive {{all | config | device-backup | event-log | job-report} {create [archive_name url [username username password password] | key keyname]} | delete archive_name | move archive_name_old archive_name_new | fetch {archive_name url [username username password password]} | upload {archive_name} url [username username password password]}} | {delete key keyname | generate key keyname | input key keyname {show | no-show}}

Subcommands

See one of the following sections:
• “Specifying What to Archive”
• “Working With Archive Keys” on page 33
• “Creating, Encrypting, and Uploading an Archive” on page 34
• “Creating an Archive and Optionally Encrypting It” on page 34
• “Deleting or Renaming Archives” on page 35
• “Fetching an Archive” on page 35
• “Uploading an Archive” on page 35

Specifying What to Archive

The following subcommands specify the scope of the archive:

• all—Includes configuration, event log, device backup, and job report backup data.

  Note: The following configuration settings are not preserved when you create an archive:
  ❐ Director’s IP addresses
  ❐ SNMP (after restoring the archive, SNMP will be disabled and SNMP contact information reverts to its default values)
  ❐ NTP

• config—Includes the Director configuration files only.
  This archive includes the device settings, network settings, profiles, overlays, and scheduled job data.

• device-backup—Archives all device backups.

• event-log—Includes event log data only stored in /var/log/messages. Director components generate these syslog entries during runtime. The archive event-log includes all of the /var/log/ files and log files in the /local/log/ directory.

• job-report—Includes job report data only. Job reports list the job commands as well as errors that are encountered.

Working With Archive Keys

An archive key is an RSA public-private key pair that can be used to encrypt the archive on this Director appliance. To restore a Director archive on an appliance other than the one for which it was created, you import the key pair on the other appliance. Creating archive keys is optional but is highly recommended.

Use the following subcommands to work with archive keys:

• generate key keyname

  Generates an RSA key pair and stores it on this Director as keyname. Director ships with an archive key named default that you do not need to generate.

  After generating the key, if you want to restore this archive on a different Director appliance, you must use the following command to display the key:

      director # show archive key keyname
      Enter pass phrase here:

  Entering show archive key ? displays the available archive keys on this Director appliance. The key’s passphrase is the user name of the user who created the passphrase. To add that key to the target Director appliance, use input key keyname command.

  Note: The following error indicates you do not have the appropriate privilege to use this command:

      % Error while generating key "test2"

  Only the Director admin user can use this command.

• input key keyname [show | no-show]

  Reads the RSA key pair and imports it in this Director appliance. Use this command before you restore an archive that was created on another Director appliance.
  In other words, if the key for the archive is not stored on this Director appliance, use this command to import the key on this Director before you restore the archive.

  The show or no-show attributes can be used to make the key viewable or nonviewable with the show archive key keyname command.

  If the input key is encrypted, you must enter the decryption passphrase. The passphrase is the user name of the user who created the key. Note that a zero length passphrase is not valid.

• delete key keyname

  Deletes keyname from this Director.

Creating, Encrypting, and Uploading an Archive

To create an archive, encrypt it with an archive key, and upload the archive to an external server, use the following syntax:

    director (config)# archive {all | config | device-backup | event-log | job-report} {upload current url [username username password password] {key keyname}

For the meaning of the all, config, device-backup, event-log, and job-report parameters, see “Specifying What to Archive” on page 32.

Prerequisite: Creating and uploading an archive requires the archive file be encrypted with an existing encryption key. For more information about generating an archive key, see “Working With Archive Keys” on page 33.

The upload current parameters are required to create and upload the archive file to an external server in one step. current is a reserved archive name that can be used only for this purpose. The current archive is temporary; after the archive is uploaded, it is deleted from Director.

For information about valid URL syntax, see “URL Syntax” on page 12.

An example follows:

    director# archive all upload current scp://192.168.0.50/director/ username director password bluecoat key default

The command creates an archive file, encrypts it using the default key, and uploads it to an external server using the SCP protocol, storing the archive in a directory named director.
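The archive commands take the external server's password as a plain command-line parameter, and cli capture records the prompt and full command entered into a file under /local/userfiles/username. The following added example (not part of the original reference or of Director itself) masks those values in a copy of a capture file and flags transfers over unencrypted schemes. The function and rule names are hypothetical, the sample session is constructed, and the second argument of standby make-primary and make-secondary is assumed to be a secret, as the subcommand descriptions state.

```python
import re
from dataclasses import dataclass

# Constructed sample of a `cli capture` file. Addresses, user names and
# secrets are made up; the command shapes follow the syntax on this page.
SAMPLE_CAPTURE = """\
director > enable
director # archive all upload current scp://192.0.2.50/director/ username backup password S3cret! key default
director # archive all fetch a.tgz ftp://192.0.2.50/a.tgz username backup password S3cret!
director > standby make-primary 192.0.2.2 thunder
director # show archive key mykey
director > ping -c 2 192.0.2.47
"""

MASK = "********"

# `... username <name> password <value>` as used by archive create/fetch/upload.
KEYWORD_PASSWORD = re.compile(r"(\bpassword[ \t]+)(\S+)")
# `standby make-primary|make-secondary <partner_ip> <secret>` (positional secret;
# treating the make-secondary argument as sensitive is an assumption).
STANDBY_SECRET = re.compile(
    r"(\bstandby[ \t]+make-(?:primary|secondary)[ \t]+\S+[ \t]+)(\S+)"
)
# Transfer URLs whose scheme sends credentials and data unencrypted.
CLEARTEXT_URL = re.compile(r"\b(ftp|http)://")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str  # never contains the secret itself


def redact_capture(text):
    """Return (redacted_text, findings) for the contents of a capture file.

    Rules run on every line rather than only on lines that start with a
    recognised prompt, because `cli prompt-override` can change the prompt.
    """
    findings = []
    out = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line, hits = KEYWORD_PASSWORD.subn(lambda m: m.group(1) + MASK, line)
        if hits:
            findings.append(
                Finding(line_no, "inline-password", f"{hits} value(s) masked")
            )
        line, hits = STANDBY_SECRET.subn(lambda m: m.group(1) + MASK, line)
        if hits:
            findings.append(
                Finding(line_no, "standby-password", "partner secret masked")
            )
        for match in CLEARTEXT_URL.finditer(line):
            findings.append(
                Finding(line_no, "cleartext-transport", match.group(1) + "://")
            )
        out.append(line)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, findings


if __name__ == "__main__":
    redacted, found = redact_capture(SAMPLE_CAPTURE)
    print(redacted)
    for item in found:
        print(f"line {item.line_no}: {item.kind} ({item.detail})")
```

Run it over a copy of the capture file before the file is attached to a support case or stored off the appliance; a password that appears in a finding has already been written to disk in clear text and is a candidate for rotation.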

Creating an Archive and Optionally Encrypting It

To create an archive, encrypt it with an archive key, and optionally upload the archive to an external server, use the following syntax:

    director (config)# archive {all | config | device-backup | event-log | job-report} {create [archive_name url [username username password password] | [key keyname]}

For the meaning of the all, config, device-backup, event-log, and job-report parameters, see “Specifying What to Archive” on page 32.

For information about valid URL syntax, see “URL Syntax” on page 12. The username and password parameters are required only if the external server requires authentication.

If you omit archive_name, the archive is created with a name like the following:

    sgmearchive-director-all-2008.12.03-004256.tgz

Note: archive_name cannot include space characters.

To encrypt the archive, you must use the key parameter. Before encrypting an archive, you must generate an RSA public-private key pair as discussed in “Working With Archive Keys” on page 33.

An example follows:

    director (config)# archive all create director_510_sgme5.4_12-0208.tgz key default

This command creates an archive named director_510_sgme5.4_12-0208.tgz and encrypts it with the key named default.

Deleting or Renaming Archives

To rename or delete an existing archive, you must specify the name of the archive. Examples follow:

    director # archive all delete sgme_5.4.1.1_510.tgz
    director # archive device-backup move sgme_5.4.1.1_backups.tgz sgme_5.4.1.1_backups_old.tgz

Fetching an Archive

Fetching an archive downloads it from an external server to this Director. To restore the archive on Director, you must use the configuration mode command discussed in “Restoring an Archive” on page 102.
Command syntax follows:

    director # archive {all | config | device-backup | event-log | job-report} fetch {archive_name url [username username password password]}

For the meaning of the all, config, device-backup, event-log, and job-report parameters, see “Specifying What to Archive” on page 32.

The archive_name parameter is required and it specifies the name of the archive file to store on this Director appliance. url must also contain the archive file name if there is more than one archive in the directory specified by url. If archive_name and the file name in url are different, archive_name specifies the name of the archive that is stored on this Director.

The username and password parameters must be used only if the external server requires authentication. For information about valid URL syntax, see “URL Syntax” on page 12.

For example,

    director # archive all fetch sgme_5.4.1.1_510.tgz ftp://192.168.0.50/director-5.4.1.1-36821-3192.tgz username director password bluecoat

This example fetches an archive named director-5.4.1.1-36821-3192.tgz from the FTP server 192.168.0.50/ and stores it on Director as sgme_5.4.1.1_510.tgz.

After fetching the archive, you must perform the following tasks:
• If the archive was encrypted using a key that is not stored on this Director appliance, you must input the key as discussed in “Working With Archive Keys” on page 33.
• To restore (that is, install) the archive on this Director appliance, you must use the configuration mode command discussed in “Restoring an Archive” on page 102.

Uploading an Archive

To upload an archive to an external server, use the following command:

    director # archive {all | config | device-backup | event-log | job-report} upload {archive_name url [username username password password]}

For the meaning of the all, config, device-backup, event-log, and job-report parameters, see “Specifying What to Archive” on page 32.
archive_name must match the name of a previously saved archive on this Director. To display archive names, enter one of the following commands:

    director (config)# archive {all | config | device-backup | event-log | job-report} upload ?
    director (config)# show archive {all | config | device-backup | event-log | job-report}

url can optionally specify a different archive file name to store on url. The username and password parameters must be used only if the external server requires authentication. For information about valid URL syntax, see “URL Syntax” on page 12.

For example,

    director # archive all upload sgme_5.4.1.1_12-5-08.tgz ftp://198.162.0.50/director-5.4.1.1.tgz username director password bluecoat

This example uploads an archive named sgme_5.4.1.1_12-5-08.tgz to the FTP server 198.162.0.50 and stores it on the server as director-5.4.1.1.tgz.

Example

The following example shows how to create an archive on the source Director, upload it to an FTP server, and install it on the target Director. The source and target Directors can be the same Director appliance or different Director appliances.

• Generate the key (source Director)

      director # archive generate key mykey
      director # show archive key mykey

  When prompted, enter a passphrase for the private key. Copy the entire key to a text editor application; you will need it later.

• Switch to configuration mode (source Director)

      director # configuration terminal
      director (config)#

• Create the archive (source Director)

      director (config) # archive all create sgme_5.4.1.1_04-01-09.tgz
      director (config) # archive config upload ftp://192.168.0.2/uploads/sgme/sgme_5.4.1.1_04-01-09.tgz username director password bluecoat

• Input the archive key (target Director)

      director # archive input key mykey show

  Input the private key you copied earlier and, when prompted, enter the private key’s pass phrase.

• Switch to configuration mode (target Director)

      director # configuration terminal
      director (config)#

• Fetch and install the archive (target Director)

      director (config)# archive config fetch sgme_5.4.1.1_04-01-09 ftp://192.168.0.2/sgme_5.3.1.2_08-04-08.tgz username director password bluecoat
      director (config)# archive config restore sgme_5.4.1.1_04-01-09 key mykey

# clear

Synopsis

This command clears specified options. This command is also available in configuration mode.

Syntax

    # clear [subcommands]

Subcommands

# clear arp statistics
Clears runtime information for the ARP protocol.

# clear arp-cache
Clears the contents of the ARP cache.

# clear ip

# clear ip all statistics
Clears runtime statistics for all IP protocols.

# clear ip icmp statistics
Clears runtime statistics for ICMP protocols.

# clear ip igmp statistics
Clears runtime statistics for IGMP protocols.

# clear ip statistics
Clears the runtime statistics for IP protocols.

# clear ip tcp statistics
Clears runtime statistics for TCP protocols.

# clear ip udp statistics
Clears runtime statistics for UDP protocols.

Example

    director # clear arp statistics

# cli

Synopsis

Sets CLI options. This command is also available in standard and configuration modes. For information, see “>cli” on page 16.

# configure

Synopsis

Starts configuration mode, which enables you to manage the Director features. See Chapter 3: "Configuration Mode Commands" for detailed information about this command.

# content

Synopsis

Issues content management commands, which enable you to pre-populate the object cache on selected devices with the content you specify. You specify content by URL, and content commands also enable you to prioritize, delete, query, and revalidate those URLs.
In addition, URLs can be specified individually, by URL list, or by regular expressions.

You can optionally place text files containing URL lists and regular expressions on a Web server to which Director and the devices have access. Subcommands that use urls-from can be used to distribute, query, revalidate, or delete content on devices using these text files.

For example, suppose you place a text file containing a regular expression list of URLs on a Web server at URL http://www.example.com/private/list-of-urls.txt. Use the content distribute urls-from command to cause devices to get the content list from list-of-urls.txt at that URL; use content revalidate urls-from to validate the URLs; or use content delete urls-from to delete content listed in list-of-urls.txt from devices. (Other variations are discussed in this section; the preceding are examples only and not a complete list.)

Similarly, you can create a URL list specified by a unique identifier and use the URL list to distribute, query, revalidate, or delete content on devices.

This command is also available in configuration mode.

Syntax

    # content subcommands

Subcommands

This section discusses the following subcommands:
• “cancel command” on page 41
• “delete” on page 42
• “distribute” on page 43
• “[no] content priority one-time” on page 43
• “content query” on page 44
• “regex-list” on page 47
• “revalidate” on page 47

Note: For a discussion of the options subcommand, see “(config) #content options” on page 111.

cancel command

Cancels currently executing content commands.

    # content cancel command {{all | {command_id {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version} | all}

To cancel all currently executing content commands on all devices and groups, enter:

    # content cancel command all

To cancel a particular command ID currently executing on all devices and groups, enter:

    # content cancel command command_id all

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # content cancel command 1 group ?
    <group ID>
    Austin AustinDev AustinDevGroup1 Sunnyvale SunnyvaleDev SunnyvaleQA

delete

Deletes content from the object cache of specified devices based on whether the content matches URLs or regular expression.

    # content delete {{regex url_regex | regexes-from url | regex-list regex-list_id | url-list url_list_id | urls-from url | url url} {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}}

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # remote-config clear-byte-cache model ?
    <model ID>
    200-B 200-C

Examples:

• To delete content based on a regular expression:

      # content delete regex url_regex {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

  Deletes content from the object cache of specified devices based on a regular expression.

• To delete content from the object cache of specified devices by regular expressions in a text file stored at url. (The URL you specify must be reachable by Director and the devices you specify.
The URL must also specify the full path to the text file as well as the text file name.):

# content delete regexes-from url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To delete content from the object cache of specified devices, where the content is specified by url. In other words, this command deletes one piece of content:

# content delete url url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

distribute

Adds (that is, pre-populates) the object cache of specified devices with content specified by URL or regular expression.

Note: The content distribute command replaces the deprecated content pull command.

# content distribute {{url url | url-list url_list_id | urls-from url} {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}}

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # content distribute url-list CEOUpdate model ?
<model ID>
200-B
200-C

Examples:

• To pre-populate the object cache of specified devices with content specified by url. In other words, this command adds one piece of content to the object cache.

# content distribute url url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To pre-populate the object cache of specified devices with content specified by URLs in a URL list:

# content distribute url-list list_id {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To pre-populate the object cache of specified devices where the content is specified by URLs listed in a text file stored at url. (The URL you specify must be reachable by Director and the devices you specify.
The URL must also specify the full path to the text file as well as the text file name.)

# content distribute urls-from url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

[no] content priority one-time

Prioritizes content commands by URL or regular expression. The one-time parameter means that the command is forgotten after it completes; in other words, content priority returns to its previous value. Preceding the command with the optional no parameter removes the URL prioritization. Priority levels range from 0 (lowest) to 7 (highest).

Prioritization does the following:
• Pre-populates important content first so devices cache high priority content before lower priority content.
• In the event devices purge their object cache, makes sure that higher priority content is purged after lower priority content. A device purges its object cache for a variety of reasons, including low available disk space.

# [no] content priority one-time {{priority#_0-7 regex-list regexlist_id | regexes-from url | urls-from url | url-list url_list_id} {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}}

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # content priority one-time 7 regexes-from https://myserver.example.com/regexes/regexes.txt model ?
<model ID>
200-B
200-C

Examples:

• To set the priority for objects specified by a regular expression list on the specified set of devices:

# [no] content priority one-time priority#_0-7 regex-list regexlist_id {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To set the priority for objects specified by URLs listed in a text file stored at url.
(The URL you specify must be reachable by Director and the devices you specify. The URL must also specify the full path to the text file as well as the text file name.)

# [no] content priority one-time priority#_0-7 regexes-from url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To set the priority for objects in a specified URL list object on the specified set of devices:

# [no] content priority one-time priority#_0-7 url-list url_list_id {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

content query

Returns information about the contents of devices’ object cache. Options include verbosity of the returned information, and filtering by a variety of parameters.

The content query commands can return the following levels of detail:
• concise
• detail
• summary

# content query {{command {command_id {concise | detail | summary} [status {all | failed | issued | pending | remaining | successful}]} | {{in-progress {detail | summary}} | {{info {concise | detail | summary} {url url | urls-from url | url-list list}} | {liveness device device_id} | {{outstanding {all | regex regex | regex-list list_id | regexes-from url | url url | url-list list_id | urls-from url} addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}}

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # content query in-progress detail os-version ?
<os-version>
5.3.1.11
5.4.2.1

• content query command

# content query {{command {command_id {concise | detail | summary}} [status {all | failed | issued | pending | remaining | successful}]}

Queries devices for information on the objects they are storing and displays concise execution status of content commands for the specified command ID.

The concise parameter provides the execution status for the specified command and other information, such as the command name, the start time and possibly the end time.

The detail command provides additional information about the specified command ID. The format of the output for the detail command depends on the type of command (that is, output for the content distribute command is different than that for the content cancel command).

For the detail and summary commands, it is possible to filter the output based on a device or group ID. It is also possible to further filter the output to display only successful, failed, remaining, pending, or issued device commands.

The definition of the successful and failed commands is specific to each command. For the content distribute, delete, and revalidate commands, a command is successful if it could be delivered to the device. For content query commands, a command is successful if the content is present in the device’s object cache.

Example:

# content query command CEO_Update09 detail status pending

• content query in-progress

# content query {{in-progress {detail | summary} addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}}

Displays detailed or summary information about distributes and revalidates in progress on the specified set of devices. The detail parameter displays the complete list of URLs being distributed and revalidated. The summary parameter displays only the number of URLs being distributed and revalidated.
• content query info

# content query info {concise | detail | summary} {url url | urls-from url | url-list list} {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Runs the show content command for the specified URLs, and displays the results for the devices specified.

The concise, detail, and summary parameters determine the level of information returned:
• concise displays counters for number of URLs whose content is in the object cache of specified devices, and does not include content in-progress.
• detail displays each URL with the complete response from the device.
• summary displays only the status of each URL.

The following information applies to the concise, detail, and summary parameters:
• url displays query results for content specified by a particular URL.
• url-list displays query results for content specified in a URL list.
• urls-from displays query results for content specified by URLs listed in a text file stored at url. (The URL you specify must be reachable by Director and the devices you specify. The URL must also specify the full path to the text file as well as the text file name.)
• addr-device ip_address_or_hostname queries a particular device specified by its IP address or host name.
• all queries all known devices.
• device device_id queries a particular device specified by its ID.
• group group_id queries a group of devices.

• content query liveness

# content query liveness device device_id

Displays liveness information for the specified device ID.

• content query outstanding

# content query {outstanding {all | regex regex | regex-list list_id | regexes-from url | url url | url-list list_id | urls-from url} addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Displays information about all incomplete content management commands on the specified set of devices.
Example:

# content query outstanding urls-from url all

Displays information about incomplete content management commands for content specified by URLs listed in a text file stored at url. (The URL you specify must be reachable by Director and the devices you specify. The URL must also specify the full path to the text file as well as the text file name.)

• content query status

# content query status {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Displays the status of specified devices.

regex-list

Enables you to input a regular expression list. When you are finished, press Control+D to save the list or Control+C to cancel without saving the list.

# content regex-list regex_list_id input

revalidate

Revalidates content in the specified devices’ object cache.

# content revalidate {{regex regex | regex-list list_id | regexes-from url | url url | url-list list_id | urls-from url {addr-device ip_address_or_hostname} {all | device device_id | group group_id | model model | os-version sgos_version}}

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # content query in-progress detail os-version ?
<os-version>
5.3.1.11
5.4.1.2

Examples:

• To revalidate objects specified by regular expression on the specified set of devices:

# content revalidate regex url_regex {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To revalidate a single object on the specified set of devices:

# content revalidate url url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

• To revalidate objects specified by URLs listed in a text file stored at url. (The URL you specify must be reachable by Director and the devices you specify.
The URL must also specify the full path to the text file as well as the text file name.)

# content revalidate urls-from url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

# debug

Synopsis

System debugging information and commands.

Syntax

# debug [subcommands]

Subcommands

# debug dump

# debug dump delete filename
Deletes the specified dump file from the system.

# debug dump generate
Generates a debugging dump file.

# debug dump move old_filename new_filename
Renames the old dump file name to the new dump file name.

# debug dump upload filename url
Uploads the specified debugging dump file to a remote URL in one of the formats discussed in “URL Syntax” on page 12. If the path ends with a directory name, it must end with “/” (a forward slash).

Example

director # debug dump generate
Generating debugging dump...
Dump file successfully written to sgmeinfo-cjd-d2-2004.04.23-163334.tgz

# device

Synopsis

Use this command to reconnect to a device with which you have lost the connection.

Syntax

# device [subcommands]

Subcommands

# device device_id reconnect
Drops the existing connection and reinitiates connection to the specified device.

Example

director # device 10.25.36.47 reconnect

# disable

Synopsis

Exits enable mode and returns you to standard mode.

Syntax

# disable

The disable command does not have any parameters or subcommands.

Example

director # disable
director >

# exit

Synopsis

Exits the system. If you want to exit enable mode and return to standard mode, use the Enable mode command disable.

Syntax

# exit

The exit command does not have any parameters or subcommands.

Example

director # exit
Connection closed by foreign host.
# file

Synopsis

This command manages text files created with commands such as cli capture. This command is also available in configuration mode.

Syntax

# file [subcommands]

Subcommands

# file text-file

# file text-file delete filename
Deletes the specified text file from the system.

# file text-file move filename
Renames the old file name to the new file name.

# file text-file upload filename url
Uploads the specified text file to a remote URL in one of the URL formats discussed in “URL Syntax” on page 12. If the path ends with a directory name, it must end with “/” (a forward slash).

Example

director # file text-file move myfile.txt yourfile.txt

# help

Synopsis

Lists all top-level commands currently available. This command is also available in standard and configuration modes. See “>help” on page 20 for more information.

# job

Synopsis

This command allows you to immediately execute or cancel a specified job, or immediately update the status of all jobs.

Syntax

# job [subcommands]

Subcommands

# job job_id

# job job_id cancel
Immediately cancels all running instances of the specified job.

# job job_id execute
Immediately executes the commands in the specified job.

# job update-status
This command starts an immediate poll on outstanding jobs, bypassing the timeout to get immediate status without waiting for the polling timeout.

Example

director # job 2004Apr23112257PDT cancel

# line-vty

Synopsis

This command sets the number of screen lines. If the number of lines to output is greater than the screen size, the CLI output handler pauses output by displaying the --More-- prompt. The default value of screen size is 24. Press the Enter key to display more lines one by one, the space bar to display another group of screen lines, or enter q or Control+C to end further displays.
If the number of lines is set to 0 (zero), then paging is disabled.

Important: This is a per-session variable and it is not saved to the configuration database.

Syntax

# line-vty length number
Specifies the number of screen lines that will display. Set to 0 (zero) to disable paging.

Example

director # line-vty length 0

# monitoring

Synopsis

Refreshes the health monitoring statistics for one or more devices; and generates health reports and Performance Analysis reports for devices and e-mails those reports.

Syntax

director # monitoring {refresh health-state {all | device device_id | group group_id}} | {generate-report {health | performance} subcommands}}}

Refreshes the health monitoring statistics of all devices, devices specified by device ID, or all devices in a specified group.

More options are available in configuration mode as discussed in “(config) #monitoring” on page 150.

Subcommands

This section discusses the following subcommands:
• “generate-report health”
• “generate-report performance”
• “refresh health-state”

generate-report health

director# monitoring generate-report health {{all | device device_id | group group_id | model model | os-version sgos_version} {Last-Hour | Last-Day | Last-Week | Last-Month | Last-Year} {mail {From: email_address_list | To: email_address_list | Cc: email_address_list | BCC: email_address_list}} [username username | password password]

Generates and e-mails health reports for specified devices.

• Specify the devices for which to generate and e-mail reports using the parameters:

{all | device device_id | group group_id | model model | os-version sgos_version}

To get valid values for parameters other than all, enter the parameter followed by the question mark character. For example, to get valid values for os-version groups, enter:

director (config) # monitoring generate-report health os-version ?
• Specify the period of time over which to average report values using the parameters:

{Last-Hour | Last-Day | Last-Week | Last-Month | Last-Year}

• Specify e-mail parameters as discussed in the following table:

E-mail parameter | Description
From: | Enter one e-mail address to appear on the From line in the e-mail. Reports are also returned to this address if the e-mail fails to deliver. E-mail addresses must be in the format name@domain. For example, bob.smith@example.com
To: | Enter one or more e-mail addresses to which to send the reports.
Cc: | Enter one or more e-mail addresses to copy on the report e-mail.
BCC: | Enter one or more e-mail addresses to blind copy on the report e-mail.
username | If the SMTP server requires authentication, enter a valid user name.
password | Enter the user’s password.

Note: To set up the SMTP server, see “(config) #mail-config” on page 147.

The following example shows how to generate health reports for all devices in the SGOS 5.4.1.1 OS Version group, compiled over the last day, to two users. The SMTP server requires authentication from the user named email.user@example.com.

director# monitoring generate-report health os-version 5.4.1.1 Last-Day mail From: director.user@bluecoat.com To: john.doe@example.com,jane.doe@example.com username email.user@example.com password bluecoat

generate-report performance

Generates and e-mails performance analysis reports for specified devices.

director# monitoring generate-report performance {{all | device device_id | group group_id | model model | os-version sgos_version} {Last-Hour | Last-Day | Last-Week | Last-Month | Last-Year} {Bytes | Kilo-Bytes | Mega-Bytes | Giga-Bytes} {mail {From: email_address_list | To: email_address_list | Cc: email_address_list | Bcc: email_address_list}} [username username | password password]

Generates and e-mails performance reports for specified devices.
• Specify the devices for which to generate and e-mail reports using the parameters:

{all | device device_id | group group_id | model model | os-version sgos_version}

To get valid values for parameters other than all, enter the parameter followed by the question mark character. For example, to get valid values for os-version groups, enter:

director # monitoring generate-report health os-version ?

• Specify the period of time over which to average report values using the parameters:

{Last-Hour | Last-Day | Last-Week | Last-Month | Last-Year}

• Specify e-mail parameters as discussed in the following table:

E-mail parameter | Description
From: | Enter one e-mail address to appear on the From line in the e-mail. Reports are also returned to this address if the e-mail fails to deliver. E-mail addresses must be in the format name@domain. For example, bob.smith@example.com
To: | Enter one or more e-mail addresses to which to send the reports.
Cc: | Enter one or more e-mail addresses to copy on the report e-mail.
BCC: | Enter one or more e-mail addresses to blind copy on the report e-mail.
username | If the SMTP server requires authentication, enter a valid user name.
password | Enter the user’s password.

Note: To set up the SMTP server, see “(config) #mail-config” on page 147.

The following example shows how to generate performance reports for all devices in the SGOS 5.4.1.1 OS Version group, compiled over the last day in units of MB, to two users. The SMTP server requires authentication from the user named email.user@example.com.
director# monitoring generate-report performance os-version 5.4.1.1 Last-Day Mega-Bytes mail From: director.user@bluecoat.com To: john.doe@example.com,jane.doe@example.com username email.user@example.com password bluecoat

refresh health-state

director# monitoring refresh health-state {all | device device_id | group group_id}

Refreshes the health monitoring statistics of all devices, devices specified by device ID, or all devices in a specified group.

# no

Synopsis

This command negates specified options.

Syntax

# no subcommands

Subcommands

# no cli

# no cli capture
Disables capturing of CLI output to a file.

# no cli help disable
The command no cli help disable re-enables the help system so that typing the command '?' will give help on completing the line.

# no cli print-message-codes
Specifies not to print error codes along with each error message.

# no cli prompt-override
Removes the CLI prompt override.

# no cli raw-input
Disables raw input mode (help, completion, and command line editing would be re-enabled).

# no content priority one-time
For syntax, see “[no] content priority one-time” on page 43.

# no session session-ip username username
Kills the Management Console session running on the specified IP address and user name. Entering no session ? displays the list of currently logged-in users and the IP addresses used by Director Management Console sessions.

Example

director # no session 192.168.0.2 username admin

# ping

Synopsis

Sends ICMP echo request packets. This command is also available in standard and configuration modes. See “>ping” on page 22 for more information.

# push-policy

Synopsis

This command is related to content filtering policy. This command is available to delegated users. If admin, sadmin, or another privilege 15 user runs the command, an error is displayed.
This command is intended to be used by delegated users because the user must be a member of a user group that is associated with a device or custom group. In addition, the device or custom group with which the user is associated must be associated with a Content Policy overlay.

Before a delegated user can use this command, the sadmin user must perform all of the following tasks:
• Create delegated users
• Create delegated user groups and associate users with user groups
• Create Content Policy overlays
• Associate a Content Policy overlay with devices or a custom group
• Associate user groups with devices or custom groups

For more information about content filtering policy commands and role-based access, see “Content Filtering Policy and Role-Based Access” on page 7.

Syntax

# push-policy {device device_id | group custom_group_name | central}

Subcommands

# push-policy device device_id
Pushes content filtering policy defined in the associated Content Policy overlay and URL/category allow lists and block lists to the specified device_id.

# push-policy group custom_group_name
Pushes content filtering policy defined in the associated Content Policy overlay and URL/category allow lists and block lists to the custom group named custom_group_name.

Note: Content filtering policy cannot be pushed to System groups, such as All, Model groups, or OS Version groups.

# push-policy central
Writes a central policy file on the specified location in user-group configurations. This command only works on user-groups using a central policy file.

# reload

Synopsis

This command allows you to reboot or shut down this machine. This command is also available in Configuration mode.

Syntax

# reload [halt [force] | force]

Subcommands

# reload
With no optional subcommands, reboots this machine, but warns you if there are outstanding configuration changes.
Blue Coat strongly recommends using the write memory command before the reload command to avoid losing pending configuration changes. For more information, see “#write” on page 92.

# reload force
Reboots the appliance, discarding any pending configuration changes. To apply pending configuration changes, use the write memory command (see “#write” on page 92).

# reload halt [force]
Shuts down the appliance.
halt shuts down the appliance.
halt force shuts down this machine even if there are outstanding configuration changes. These changes will then be lost. To apply pending configuration changes, use the write memory command (see “#write” on page 92).

Example

director # reload halt force

# remote-config

Synopsis

Configures and manages remote devices. More options are available in configure mode as discussed in “(config) #remote-config” on page 176.

Syntax

# remote-config subcommands

Subcommands

This command has the following subcommands:
• “backup restore device”
• “clear-byte-cache”
• “clear-dns-cache”
• “clear-object-cache”
• “diff”
• “download-system url”
• “execute”
• “license-key update”
• “overlay”
• “profile”
• “reboot”
• “reconnect”
• “validate-system version”

backup restore device

# remote-config backup restore device device_id backup_id

Restores a backup to a device.

clear-byte-cache

# remote-config clear-byte-cache {all | device device_id | group group_id | model model | os-version sgos_version}

This command enables you to clear the byte cache on single devices, all devices, or groups of devices.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config clear-byte-cache model ?
<model ID>
200-B
200-C

clear-dns-cache

# remote-config clear-dns-cache {all | device device_id | group group_id | model model | os-version sgos_version}

This command enables you to clear the DNS cache on single devices, all devices, or groups of devices.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config clear-dns-cache model ?
<model ID>
200-B
200-C

clear-object-cache

# remote-config clear-object-cache {all | device device_id | group group_id | model model | os-version sgos_version}

This command enables you to clear the object cache on single devices, all devices, or groups of devices.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config clear-object-cache group ?
<group ID>
Austin
AustinDev
AustinDevGroup1
Sunnyvale
SunnyvaleDev
SunnyvaleQA

diff

# remote-config diff [context | unified] {{backups first_device_id first_backup_id second_device_id second_backup_id} | {overlays first_overlay_id second_overlay_id} | {profiles first_profile_id second_profile_id}}

Compares backups, overlays, or profiles using a diff utility and formats the output in one of the following ways:
• context format uses an identification line for each file, containing the filename and modification date.
• unified (default) uses plus and minus signs to indicate differences: each line that occurs only in the left file is preceded by a minus sign, each line that occurs only in the right file is preceded by a plus sign, and common lines are preceded by a space.

download-system url

# remote-config download-system url url {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Downloads a system image to a device or group of devices.
To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config download-system url https://myserver.example.com/sgos os-version ?
<os-version>
5.3.1.3
5.4.1.1

execute

# remote-config execute {{addr-device ip_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version} {command command | disable-health | enable-health | input [errors-only]}}

This command enables you to execute various commands on single devices, all devices, or groups of devices. If you use the input subcommand, you can execute commands in bulk.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config execute os-version ?
<os-version>
5.3.1.11
5.4.1.2

Note: To get help for commands you can execute, you must first designate a device using remote-config help device device_id as discussed in “help device” on page 179.

Enables you to perform the following operations on a single configured device, all configured devices, or a group of configured devices:

command command executes a single command. To run enable mode commands on a device, you must use the input parameter.

enable-health enables health monitoring on the devices.

disable-health disables health monitoring on the devices.

input [errors-only] runs a set of commands. After you enter remote-config execute followed by input, type the set of commands to execute on the specified devices, followed by Control+D to save the commands or Control+C to cancel without running the commands. The optional errors-only parameter causes only errors to display.

Notes:
• For enable and configuration mode commands to complete successfully, the devices must be configured with the correct enable mode password.
To set the enable mode password on a device, use the following command as discussed in “(config) #device device_id” on page 115:

(config device device_id) # enable-password enablepassword

• Commands execute in the device’s configuration mode by default. To run enable mode commands on a device, you must use the input parameter and enter the commands in the format shown:

exit
commands
config t

For example, to run commands that cause all devices to display their version and bandwidth gains, enter the following:

director # remote-config execute all input
Enter your commands now. Press Ctrl-D to finish, Ctrl-C to abort.
exit
show version
show bandwidth-gain
config t
(Press Control+D)

To run the same commands but display only error messages, enter the following:

director # remote-config execute all input errors-only
Enter your commands now. Press Ctrl-D to finish, Ctrl-C to abort.
exit
show version
show bandwidth-gain
config t
(Press Control+D)

license-key update

# remote-config license-key update {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}} [errors-only | username web_power_username password web_power_password]

Updates the license-key for a device or group of devices, displaying only device errors. You can optionally update the BlueTouch Online user name and password used to upgrade the devices’ license key.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

director # remote-config license-key update os-version ?
<os-version>
5.3.1.11
5.4.1.2

Note: The BlueTouch Online user name and password are not validated. They are used only if the license must be fetched from BlueTouch Online. (BlueTouch Online was previously referred to as WebPower.)
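The monitoring generate-report and remote-config license-key update commands, and enable-password in device configuration mode, take their secret as a plain command argument, so any saved session text that records the typed command lines also records the secret. The following Python is an added example, not Blue Coat code: it masks those arguments before such text is shared. The sample session, the device ID Dev142, the user name bto.user, the quoted-value handling and the assumption that the text contains the typed commands are all constructed for illustration.

```python
import re

# Prompt shapes that appear in this reference: "director # ", "director# ",
# "director (config) # ", "(config device device_id) # ", "# ", "director > ".
PROMPT = re.compile(r"^\s*(?:[\w.-]+\s*)?(?:\([^)]*\)\s*)?[#>]\s+")

# Keywords after which the documented syntax places a secret:
#   ... [username username | password password]       (monitoring generate-report)
#   ... username web_power_username password web_power_password (license-key update)
#   (config device device_id) # enable-password enablepassword
# The double-quoted alternative is an assumption, made so that a quoted value
# containing spaces is masked whole rather than only up to the first space.
SECRET_ARG = re.compile(
    r'(?<!\S)(?P<kw>enable-password|password)(?P<gap>\s+)(?P<val>"[^"]*"|\S+)',
    re.IGNORECASE,
)
MASK = "<redacted>"


def redact_command(command):
    """Mask secret arguments in one command; return (text, keywords_hit)."""
    hits = []

    def _mask(match):
        if match.group("val") == "?":  # context-help query, no secret typed
            return match.group(0)
        hits.append(match.group("kw").lower())
        return match.group("kw") + match.group("gap") + MASK

    return SECRET_ARG.sub(_mask, command), hits


def redact_transcript(text, every_line_is_command=False):
    """Redact saved session text.

    Only lines that start with a CLI prompt are treated as commands, so
    command output is left untouched. Pass every_line_is_command=True for
    text typed into "remote-config execute ... input", where the commands
    carry no prompt. Returns (redacted_text, findings); findings is a list
    of (line_number, keyword) that tells you which secrets were exposed.
    """
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        prompt = PROMPT.match(line)
        if prompt or every_line_is_command:
            start = prompt.end() if prompt else 0
            body, hits = redact_command(line[start:])
            line = line[:start] + body
            findings.extend((number, kw) for kw in hits)
        out.append(line)
    return "\n".join(out), findings


# Constructed sample session. Line 1 is the health-report example from this
# reference; lines 2 and 3 follow the documented syntax with made-up values.
SAMPLE = """\
director# monitoring generate-report health os-version 5.4.1.1 Last-Day mail From: director.user@bluecoat.com To: john.doe@example.com,jane.doe@example.com username email.user@example.com password bluecoat
director # remote-config license-key update all username bto.user password "two words"
director (config device Dev142) # enable-password Constructed-Enable-Pw
director # debug dump generate
Dump file successfully written to sgmeinfo-cjd-d2-2004.04.23-163334.tgz
status line that mentions password policy (not a command)
"""

if __name__ == "__main__":
    redacted, findings = redact_transcript(SAMPLE)
    print(redacted)
    for line_number, keyword in findings:
        print(f"line {line_number}: masked value after '{keyword}'")
```

Every finding marks a credential that was typed in clear text; masking the copy does not change the fact that the original file still holds it.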
overlay

# remote-config overlay overlay_id execute {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version} [errors-only]

Executes the specified overlay against the specified device or group of devices, optionally displaying only errors.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # remote-config overlay 210Basic execute os-version ?
    <os-version> 5.3.1.11 5.4.1.2

Note: Usually, a profile or overlay displays results for all devices in a group when the profile or overlay is executed on a group of devices under a banner similar to:

    +-------------------------------------------
    | Output for device "name"
    +-------------------------------------------

However, if the group has no substitution variables defined for it but some of the devices in the group have substitution variables defined for them, profile or overlay execution displays errors for the devices without substitution variables and it displays the result of the command execution for devices with substitution variables. The error displays as follows:

    Error: The device <name> does not have a value for the required substitution variable variable-name.

profile

# remote-config profile profile_id execute {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version} [errors-only]

Executes the specified profile against the specified device or group of devices, optionally displaying only errors.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # remote-config profile 510Edge execute os-version ?
    <os-version> 5.3.1.11 5.4.1.2

reboot

# remote-config reboot {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Reboots the given device or group of devices. The command waits until all the specified devices have finished rebooting before returning. This command can therefore be used, for example, in schedules when you need to reboot a device between two other commands.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # remote-config reboot device ?
    <device ID> Dev142 QA143

reconnect

# remote-config reconnect {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Reconnects the given device or group of devices. This command does not wait for the reconnect process to complete before returning. It just initiates the reconnect process.

To get valid values for the addr-device, device, group, model, or os-version subcommands, enter ? for the value. For example:

    director # remote-config reconnect device ?
    <device ID> Dev142 QA143

validate-system version

# remote-config validate-system version version {addr-device ip_address_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}

Validates the image version of a certain device or group of devices. The version is validated for all digits you enter. For example, the following command succeeds for all devices running SGOS 5.x:

    # remote-config validate-system version 5 all

However, the following command fails if any device is not running SGOS 5.3.0.6:

    # remote-config validate-system version 5.3.0.6 all

Example

    director # remote-config backup restore device 10.25.36.47 bu2

# show

Synopsis

Use this command to display running system information.
Syntax

# show subcommands

Subcommands

This section discusses the following subcommands:

• aaa authentication login
• access-lists
• archive
• arp
• banner
• category-list
• cli
• clock
• configuration
• content
• debug dumps
• device-hierarchy
• devices
• dmc timeout
• file
• folder-hierarchy
• folders
• groups
• hosts
• interfaces
• ip
• jobs
• jobs-detailed
• lcd
• ldap-server
• license
• line-vty
• list-settings
• mail-config
• monitoring alerts
• ntp
• platform
• privilege
• radius
• remote-config
• require-config-lock
• role
• role-hierarchy
• role-substitution-variable
• running-config
• sessions
• snmp
• special-groups
• ssh
• standby-settings
• status
• syslog
• tacacs
• tcpdump
• telnet-management
• upgrade-package
• user-group
• usernames
• version
• #slogin

aaa authentication login

# show aaa authentication login

Displays the list of login authentication methods.

access-lists

# show access-lists

Displays the contents of current access lists.

archive

# show archive

# show archive all [archive_name]

Displays a specified saved Director archive. If an archive_name is not specified, a list of archives will be displayed.
# show archive config [archive_name]

Displays a specified saved config archive. If an archive_name is not specified, a list of archives will be displayed.

# show archive device-backup [archive_name]

Displays a specified device archive. If an archive_name is not specified, a list of archives will be displayed followed by the available space for backups.

# show archive event-log [archive_name]

Displays a specified saved event-log archive. If an archive_name is not specified, a list of archives will be displayed followed by the available space for log files.

# show archive job-report [archive_name]

Displays a specified saved job-report archive. If an archive_name is not specified, a list of archives will be displayed followed by the available space for job reports.

# show archive key key_name

Displays a specified archive key. A pass phrase must be entered to display the key. Using ? as the key name displays the list of keys currently on this Director appliance. The pass phrase is the name of the user who created the key.

# show archive keys

Displays the names (but not values) of existing archive keys.

arp

# show arp [configured | statistics]

Without optional arguments, displays the contents of the system’s running Address Resolution Protocol (ARP) cache. The optional configured parameter displays the list of static ARP entries that were configured with the arp command. The optional statistics parameter displays ARP statistics.

banner

# show banner

Displays the current banner. For example,

    director (config) # show banner
    Copyright (c) 1997-2010, Blue Coat Systems, Inc.
    Welcome to SG-ME 5.5.1.1 #45678 2010.04.06-013904

certificate-signing-request

# show certificate-signing-request

Displays the certificate signing request.

category-list

# show category-list

For admin and super-admin users this displays all the categories from the master category list. For the delegated users it displays the categories associated with them.
If the categories are not associated with a particular delegated user, and the categories are associated with all the users in the user group, those categories are displayed. For information about categories, see KB article 1567 and the Blue Coat WebFilter URL Categories data sheet.

cli

# show cli-timeout

Displays the CLI timeout configured on the appliance. The default value is 900 seconds (15 minutes).

clock

# show clock

Displays the current system time, date, and timezone.

configuration

# show configuration [files filename | lock-holder | options subcommands | revision | running]

Without any optional parameters, the show configuration command displays commands that can be used to re-create this Director’s configuration.

# show configuration files [filename]

Displays a list of the names of all configuration files on the system, or, if you specify a filename, displays the contents of the specified configuration file's saved state.

# show configuration lock-holder

Displays identity and idle time of the holder of the write lock for this node.

# show configuration options {exclude-devices | exclude-jobs | exclude-priorities | exclude-groups}

exclude-devices displays the Director’s configuration without commands related to device configuration.

exclude-jobs displays the Director’s configuration without commands related to job configuration.

exclude-priorities displays the Director’s configuration without commands related to content priority configuration.

exclude-groups displays the Director’s configuration without commands related to group configuration.

# show configuration revision

Displays versioning information for the active configuration file.

# show configuration running [options {exclude-devices | exclude-jobs | exclude-priorities | exclude-groups}]

Without the options parameter, displays the running configuration of this Director. This is different from Director’s saved configuration, which is displayed by the show configuration command.
The running configuration includes any configuration changes that have been made but not yet saved. Use the following guidelines:

• Director Management Console: Any configuration changes made using the Director Management Console are saved only after you exit the Management Console. Until then, the changes are part of Director’s running configuration.
• Command line: Configuration changes are saved only after you enter the write memory command. Until then, the changes are part of Director’s running configuration.

exclude-devices displays the Director’s running configuration without commands related to device configuration.

exclude-jobs displays the Director’s running configuration without commands related to job configuration.

exclude-priorities displays the Director’s running configuration without commands related to content priority configuration.

exclude-groups displays the Director’s running configuration without commands related to group configuration.

content

# show content

# show content options

Displays content management options.

# show content regex-list [list_id]

Displays a summary of the regular expression list or, with the optional list_id parameter, displays information about a particular regular expression ID.

# show content url-list [list_id]

Displays a summary of the URL expression list or, with the optional list_id parameter, displays information about a particular URL ID.

debug dumps

# show debug dumps

Displays a list of the dump files saved on the system followed by the space available for dump files.

device-hierarchy

# show device-hierarchy

Displays the hierarchy of groups and devices, including device group assignments and groups that are nested in other groups.

devices

# show devices

Displays all top-level devices.
# show devices [device_id | {device_id substitution-variable}]

Displays detailed information about the specified device; that is, its address, name, comment, Web configuration port, protocol, authtype, simple authentication info (username and password), model, SGOS version, and RSA authentication information (user name, client user name and identity, and known host key).

Entering a device ID and the optional substitution-variable parameter displays all substitution variables defined for that device and inherited from groups to which the device belongs (in other words, the group hierarchy to which the device belongs). For example,

    director # show devices Dev142 substitution-variable
    Substitution-Variable:SNMPContact Value:user@example.com Device:Dev142
    Substitution-Variable:DNS Value:172.16.36.10 Group:Austin
    Substitution-Variable:SNMPContact Value:user@example.com Group:AustinDev
    Substitution-Variable:DNSAlt Value:10.107.4.77 Group:Sunnyvale

This example shows that the device Dev142 has one substitution variable defined for it, and two other variables (DNS and DNSAlt) that it inherits from groups to which it belongs.

# show devices max-supported

Displays the maximum number of devices supported by your Director appliance.

# show devices state [configured | connected | disconnected | not-registered | registered]

Without an optional parameter, displays the state of all devices that were added to this Director. Add one of the optional arguments to display the state of certain devices (for example, the configured parameter displays the state of configured devices only).

# show devices versions

Displays the device versions supported by Director. Only major and minor numbers are displayed for the versions supported. Complete version strings are displayed for versions that are not supported.

dmc request-timeout

# show dmc request-timeout

Displays the timeout period set for requests made in Director Management Console.
(Available in SGME 6.1.8.1 and later)

dmc timeout

# show dmc timeout

Displays the timeout period set for Director Management Console sessions.

file

# show file

# show file systems

Displays a list of valid file systems for the local machine. Each is shown with the following: their filename; full capacity; amount of remaining free space; miscellaneous flags; and type, which is either image (can hold software images) or var (where all machine-specific information is kept: logs, configurations, home directories, etc.).

# show file text-files [filename]

Displays the contents of a text file, using the UNIX less command. If no filename is specified, a list of files is displayed. Common keystrokes used with the less command:

• Up and Down arrow keys to move up or down one line at a time
• <space> to move down a page
• b to move up a page
• > to move to the end
• / followed by a search string and <cr> to do a forward search
• < to move to the beginning
• ? followed by a search string and <cr> to do a backward search
• n to find next occurrence of search string in same direction as last search
• q to quit

folder-hierarchy

# show folder-hierarchy

Displays the hierarchy of folders for profiles, overlays, jobs, and content collections.

folders

# show folders [folder_id]

With no optional parameter, displays information about all configured folders. By specifying an optional folder_id, displays information about the specified folder. Displayed information includes folder ID, friendly name, parent and child folders, overlays, profiles, jobs, regular expression lists, URL lists, and jobs.

groups

# show groups [group_id | {group_id substitution-variable}]

Displays information about the specified group. This includes its group ID, friendly name, comment, its parent's group ID (if it is not a top-level group), a list of all its devices (ID only) and a list of all its subgroups (ID only).
If the named group does not exist, an error is given. If no group is specified, a list of all groups (their ID and friendly name only) is displayed.

Entering a group ID and the optional substitution-variable parameter displays all substitution variables defined for that group and inherited from other groups. For example,

    director # show groups AustinDev substitution-variable
    Substitution-Variable:SNMPContact Value:user@example.com Group:AustinDev
    Substitution-Variable:DNS Value:172.16.36.10 Group:Austin

This example shows that the group AustinDev has one substitution variable defined for it and it inherits one variable (DNS) from a parent group.

For more information about substitution variables, see the Blue Coat Director Configuration and Management Guide.

hosts

# show hosts

Displays DNS-related information: a list of all name servers, a list of all domain names, a list of all static-hostname to IP-address mappings, and the hostname of the local machine. The name servers and domain names are listed in the order in which they will be tried.

interfaces

# show interfaces

Displays all of the information for all interfaces.

# show interfaces [interface_number]

Displays all of the information about the specified interface.

# show interfaces [configured interface_number]

Displays the values that can be set by the user with their configured values.

ip

# show ip

Displays IP-specific information for all interfaces.

# show ip [access-lists]

Displays IP access-list information.

# show ip [default-gateway [configured]]

Displays the running default (the default-gateway command) or configured default (the default-gateway configured command) gateway.

# show ip [default-gateway-v6 [configured]]

Displays the running default IPv6 (the default-gateway command) or configured default IPv6 (the default-gateway configured command) gateway.

# show ip icmp

Displays ICMP statistics.

# show ip igmp

Displays IGMP statistics.
# show ip [interface [interface_number] | [configured [interface_number]]]

The interface command displays running IP-related state of all interfaces; the interface interface_number command displays running IP-related state of the specified interface; the interface configured command displays the configured IP-related state of all network interfaces; and the interface configured interface_number command displays the configured IP-related state of the specified network interface.

# show ip [route [configured]]

Displays routing information. The route command displays the dynamic routes currently in use, and the route configured command displays the static IP routes that have been configured for this system.

# show ip [tcp [conns | listeners]]

The tcp command displays TCP statistics, the tcp conns command displays TCP connection information, and the tcp listeners command displays TCP listener information.

# show ip [udp [conns]]

The udp command displays UDP statistics and the udp conns command displays UDP connection information.

jobs

# show jobs [job_id {commands | date-time-pairs | execution subcommands | status | time-of-day | substitution-variables | validate}]

With no job_id specified, the command displays a list of all jobs. Optional parameters follow:

# show jobs job_id
    Displays the properties of the specified job, including the recipient and sender addresses for e-mail notification, the schedule type, the job type, and next run time if configured.

# show jobs job_id commands
    Displays commands associated with this job.

# show jobs job_id date-time-pairs
    Displays date-time pairs associated with this job.

# show jobs job_id execution {ids | last}
    Displays execution details. ids displays a list of all saved execution reports for this job and last displays details for the last (that is, most recent) execution of this job.

# show jobs job_id status
    Displays the current status of this job.
# show jobs job_id time-of-day
    Displays time-of-day settings for this job.

# show jobs job_id substitution-variables
    Displays any substitution variables defined for profiles or overlays pushed by this job.

# show jobs job_id validate
    Validates substitution variables for profiles or overlays pushed by this job.

An example follows:

    director # show jobs Job1 validate
    overlay:SG210Basic device:Dev142
    % Conflicts found, unable to apply the substitution variables.
    Target-Device:Dev142
    Substitution-Variable:DNS
    Value:10.107.4.77 Group:Sunnyvale
    Value:10.107.4.60 Group:AustinDev

In this example, a job named Job1 pushes a profile named SG210Basic that has a substitution variable conflict. The variable DNS is defined in two places with different values; as a result, the job will fail to execute.

For more information about resolving substitution variable conflicts, see the Blue Coat Director Configuration and Management Guide.

jobs-detailed

# show jobs-detailed [n-days]

Without the optional parameter, displays detailed information about all configured jobs. Information includes job ID, friendly name, comment, whether the job is enabled, scheduling type, and job type. With the optional n-days parameter, displays information about jobs executed in the last n number of days.

lcd

# show lcd

Displays the LCD panel settings PIN. A value of 0000 means that no PIN is set. To set the front panel LCD PIN, see “(config) #lcd” on page 141.

ldap-server

# show ldap-server

Displays the LDAP server(s) details, if configured.

license

# show license

Displays the validity of the currently installed license on your Blue Coat Director.

line-vty

# show line-vty

Displays the current number of screen lines.

list-settings

# show list-settings

Displays the list settings for the logged in user.
If the list settings are not set for the user, the list settings are inherited from the user-group the delegated user belongs to. This command is available to delegated users only.

# show logging

Displays all configuration parameters associated with logging: the list of SCP servers; the logging trap level; and the console log level.

mail-config

# show mail-config

Displays SMTP mail configuration parameters for e-mailing health reports and Performance Analysis Reports.

monitoring alerts

# show monitoring alerts {[device device_id [metric subcommands]] | [group group_id] [metric subcommands]] | {metric subcommands} |[severity {all | warning | critical | disconnected}] | [all | active | inactive] | [all | acknowledged | unacknowledged] | [days number_of_days]}

This command displays alerts with a specific metric, severity, state, status, range for number of days; optionally, for a device or for a group. You must specify a metric to view and you can optionally filter the results by severity, state, status, and number of days.
metric subcommands follow:

• adn-connection-status: Application Delivery Network alerts based on connection status
• adn-manager-status: Application Delivery Network connection status indicates whether or not the device is connected to the ADN network and, if it is connected, what its status is (for example, approved, pending, and so on)
• cpu-utilization: Indicates when CPU utilization has crossed the threshold limit
• device-connection: Indicates whether Director has lost or re-established a connection with a device
• disk-status: Displays the status of disks
• health-check-status: Indicates when a device’s health checks have crossed a threshold
• interface-utilization: Display alerts when the traffic on the interface approaches maximum bandwidth
• license-expiration: Display alerts of impending license expiration
• license-utilization: Display alerts for licenses that have user limits, and monitors the number of users
• memory-pressure: (SGOS 5.2 and earlier) Display alerts when memory resources become limited, causing new connections to be delayed
• memory-utilization: (SGOS 5.3 and later) Display alerts when memory resources become limited, causing new connections to be delayed
• sensor: Indicates problems detected by device sensors (for example, motherboard over-temperature)

Note: The alerts displayed by a particular device are SGOS version-dependent. Director displays only the alerts that are supported by the version of SGOS the device runs.

Examples:

    director # show monitoring alerts metric all severity warning

This example displays alerts for all metrics filtered by severity.

    director # show monitoring alerts group AustinDev metric health-check-status severity all active unacknowledged days 30

This example displays only acknowledged, active health-check-status alerts for the group AustinDev, of all severities, that have occurred in the last 30 days.
ntp

# show ntp

Displays Network Time Protocol (NTP) configuration: the current list of NTP servers, their version numbers, and whether they are marked as preferred. Also indicates whether NTP is enabled.

Note: Version 3 is hardcoded into the configuration database when the management node is created. When the NTP server is up, the correct version is returned.

platform

# show platform

Displays your Director appliance’s hardware type (for example, 510).

privilege

# show privilege

Displays the current user's privilege level, both current and maximum. The current level will reflect only what mode the user is in (standard, enable, or configuration); the maximum level will be whatever is configured as the maximum privilege level for that username.

radius

# show radius

Displays all RADIUS server configuration settings.

remote-config

# show remote-config

# show remote-config backups [device_id [backup_id]]

Displays the given backups available for all the devices on the system. If you specify a device ID, only the given backups available for this device are displayed. If you specify a device ID and a backup ID, the contents of the specified backup are displayed.

# show remote-config help

Displays the device used for command line completion and help.

# show remote-config license-key username

Displays the BlueTouch Online user name, if any, entered when applying a license upgrade to a device. (BlueTouch Online was previously referred to as WebPower.)

# show remote-config overlays [{overlay_id | substitution-variables | {validate | all | device device_id | group group_id | model model_number | os-version sgos_version} substitution-variable}]

Displays a summary of overlays. If you specify overlay_id, this command displays the comment, friendly name, and list of commands for the specified overlay.
If you specify overlay_id and the optional substitution-variable parameter, the names of any substitution variables defined for that overlay display.

If you specify overlay_id and the optional validate parameter, the names of any substitution variables defined for that overlay display. To get valid values for the device, group, model, or os-version parameters, enter ? for the value.

An example validation follows:

    director # show remote-config overlays SG210Basic validate all substitution-variable
    % Conflicts found, unable to apply the substitution variables.
    Target-Device:Dev142
    Substitution-Variable:DNS
    Value:10.107.4.77 Group:Sunnyvale
    Value:10.107.4.60 Group:AustinDev
    Valid Substitution Variables:
    Target-Device:QA143
    Substitution-Variable:DNS
    Value:10.107.4.77 Group:Sunnyvale

This example validates substitution variables in the overlay 210Basic for all devices. One conflict was found; for more information about resolving substitution variable conflicts, see the Blue Coat Director Configuration and Management Guide.

# show remote-config profiles [{profile_id | substitution-variables | {validate | all | device device_id | group group_id | model model | os-version sgos_version} substitution-variable}]

Displays a list of all the profiles in the system, and their comments. If you specify profile_id, this command displays the contents of the given profile, along with its comment and friendly name.

If you specify profile_id and the optional substitution-variable parameter, the names of any substitution variables defined for that profile display.

If you specify profile_id and the optional validate parameter, the names of any substitution variables defined for that profile display. To get valid values for the device, group, model, or os-version parameters, enter ? for the value.
An example validation follows:

    director # show remote-config profiles Basic210Config validate all substitution-variable
    % Conflicts found, unable to apply the substitution variables.
    Target-Device:Dev142
    Substitution-Variable:DNS
    Value:10.107.4.77 Group:Sunnyvale
    Value:10.107.4.60 Group:AustinDev
    Valid Substitution Variables:
    Target-Device:QA143
    Substitution-Variable:DNS
    Value:10.107.4.77 Group:Sunnyvale

This example validates substitution variables in the profile Basic210Config for all devices. One conflict was found; for more information about resolving substitution variable conflicts, see the Blue Coat Director Configuration and Management Guide.

require-config-lock

# show require-config-lock

Displays current configuration lock mode. By default, the require configuration lock mode is disabled.

role

# show role delegated-admin user-groups

This command is used for content filtering policy. This command is available for the sadmin, admin, and privilege 15 users.

Displays the list of user groups. For example,

    director # show role delegated-admin user-groups
    unassigned Fin_policy HR_policy

# show role delegated-admin user-groups policy-file-association

Displays the user group associated with central policy file.

# show role delegated-admin user-group user-group-name {all | user username } list-settings

Displays the list settings of the delegated users.

# show role delegated-admin user-group user-group-name {all | user username } categories

Displays the categories assigned to the users. The all option displays the categories of the user group level. If categories are not set for the user, the categories are inherited from the user-group the delegated user belongs to.

role-hierarchy

# show role-hierarchy

This command is used for content filtering policy. This command is available for the sadmin, admin, and all privilege 15 users.

Displays the hierarchy of user groups (used for content filtering policy).
For example,

    # show role-hierarchy
    delegated-admin: unassigned Finance_policy HR_policy

role-substitution-variable

# show role-substitution-variable {device device_id | group custom_group_name}

This command is used for content filtering policy. This command is available for the sadmin, admin, delegated-admin, and all privilege 15 users.

Displays the substitution variables defined for the specified device or custom group.

# show role-substitution-variable user-group user-group-name

Displays the substitution variables for a user group.

running-config

# show running-config [brief | options {exclude-devices | exclude-jobs | exclude-priorities | exclude-groups}]

With no optional parameters or with the optional brief parameter, displays commands required to configure Director to its currently running state.

options subcommands filter output by excluding information from devices, jobs, priorities, and groups.

sessions

# show sessions

Displays information about active Management Console sessions. Information includes user name, IP address from which the Management Console is being run, whether the user acquired the configuration lock, session ID, and last activity.

snmp

# show snmp [traps]

Displays SNMP configuration information. The snmp traps command displays a list of the MIBs in Director and whether their traps are disabled or enabled.

special-groups

# show special-groups

Displays all model and SGOS version groups. For example:

    director # show special-groups
    Device:Dev142 Parent:200-C Parent:5.3.1.11
    Device:QA143 Parent:200-B Parent:5.4.1.2

The command displays groups and devices in the following order:

• Devices in custom groups and for each device, which model and operating system group it belongs to.
• Model groups and each device in each model group.
• Operating system groups and each device in each operating system group.

ssh

# show ssh

# show ssh client

Displays all SSH client settings.
# show ssh client [authorized-keys [user username] | identity [user username] | knownhosts [user username]]

Without an optional parameter, the command displays user identities, user known hosts, and user authorized public keys.

# show ssh client [authorized-keys [user username]]

Displays RSA authorized public keys for all users or for the specified user.

# show ssh client [identity [user username]]

Displays known host identities for all users or for the specified user.

# show ssh client [knownhosts [user username]]

Displays known host public keys for all users or for the specified user.

# show ssh server [hostkey | knownhosts]

Without an optional argument, the command displays all SSH server information.

# show ssh server [hostkey]

Displays the host public keys.

# show ssh server [knownhosts]

Displays all known host public keys.

standby-settings

# show standby-settings

Displays the standby pair settings for the Director. This includes the identity of the primary and secondary. For more information, see Chapter 12, Configuring Director Redundancy, in the Blue Coat Director Configuration and Management Guide.

status

# show status

Displays general Director status information. This includes hardware installed (number of disks, amount of memory, number of CPUs), system uptime, and CPU load.

syslog

# show syslog [archived number]

Using the command without the optional parameter enters an interactive mode where you can scroll through the current system logs using the same keys the UNIX less command uses. The common ones are:

• Up and Down arrow keys to move up or down one line at a time
• <space> to move down a page
• b to move up a page
• > to move to the end
• / followed by a search string and <cr> to do a forward search
• < to move to the beginning
• ?
followed by a search string and <cr> to do a backward search
• n to find next occurrence of search string in same direction as last search
• q to quit
# show syslog [archived number]
Used without an archive number, the command displays the list of numbers of syslog archives. Entering an archive number displays the corresponding log message.

tacacs
# show tacacs
Displays all TACACS+ server configuration settings.

tcpdump
# show tcpdump
Displays tcpdump output.

telnet-management
# show telnet-management
Displays whether or not Telnet logins are enabled, and displays options related to the Telnet server.

upgrade-package
# show upgrade-package
Displays the list of installed software packages.

user-group
# show user-group user_group_name objects
This command is used for content filtering policy. This command is available for the sadmin, admin, delegated-admin, and all privilege 15 users.
Displays objects associated with the specified user group name.
For example, to display the objects associated with the user group named Finance_policy:
director # show user-group Finance_policy objects
Policy-type: local central Policy path: content policy overlay: Send sg-commands: disable http username: http password: Associated Usernames: FinAdmin Assoc-Device:Dev143 Name:SunnyvaleDev Address:192.168.0.143 PolicyTemplate:FinancePolicyOverlay
Following is an explanation of the example:
• Associated Usernames displays the delegated users who are members of this user group
• Assoc-Device displays the device IDs of all devices associated with the user group
• Name is the friendly name of each device
• Address displays the device’s IP address
• PolicyTemplate displays the names of the Policy templates associated with the device.

usernames
# show usernames [username]
Displays a list of all usernames of all the users in the system. The privilege level is listed for each username.
If a username is specified, the information is shown only for that user. Note that this list does not reflect who is currently logged in.

version
# show version [detail]
Displays version information for the software installed on the local machine and also includes Director’s hardware serial number. If you use the version detail command, the output contains a few more fields, and is shown in a more compact format.

# slogin
Synopsis
Opens an SSH connection to a remote host. When you are finished, type the command exit to return to the Director CLI. This command is also available in Standard and Configuration mode. For information, see “>slogin” on page 26.
Important: When the slogin command is run from Configuration mode, it will release the configuration lock so that you do not lock out other users during the slogin session.

# ssl
(Introduced in SGME 6.1.9.1) Configure security settings on the Director appliance. For more information on the subcommands, see “(config) #ssl” on page 198.

# standby
Configures the Director’s standby configuration. The Director standby feature is designed to minimize Director service disruptions caused by network outage, disaster, or Director failure. When standby is deployed, the Director configuration is mirrored to a second Director whose only function is to take over for the first Director if a failure occurs. For information, see “>standby” on page 27.

# tcpdump upload url
Synopsis
Displays IP packets on the wire. This command is also available in standard and configuration modes.
Syntax
# tcpdump upload url
Upload a tcpdump file to an external server. url must be in one of the formats discussed in “URL Syntax” on page 12.
For information about other options available with tcpdump, see “>tcpdump” on page 29.
Example
# tcpdump upload ftp://192.168.0.2/uploads/
# tcpdump upload ftp://192.168.0.2/uploads/tcpdump.txt

# traceroute
Synopsis
Determines the route packets take to a destination. This command is also available in standard and configuration modes. For information, see “>traceroute” on page 30.

# write
Synopsis
Writes running configuration to persistent storage, making the changes permanent. This command is also available in configuration mode.
Syntax
# write memory
Writes running configuration to persistent storage. To make settings permanent (that is, permanent across multiple sessions with multiple administrators), you must use this command.
Example
director # write memory

Chapter 3: Configuration Mode Commands
With the configure command you can attempt to acquire a write lock on the configuration state of this Director. If you succeed, you enter Configuration mode. This affects which set of commands is available. The word config is inserted into the prompt to the left of the trailing # character.
Syntax
configure terminal [force]
If you fail to acquire a write lock (because someone else had the lock), you will see an error message containing information about the current lock holder. The full output will look similar to the following example:
director # configure terminal
% Lock is currently owned by:
Username: admin
Remote address: 10.25.36.47
Last active: 2004/04/28 07:29:05
Note that active here means making configuration changes, rather than any keystrokes in the CLI.
If the force option is specified, the Director will break the lock of anyone else who has it, instead of failing. The other client will be notified asynchronously that it has lost the lock. After the lock is broken, the breaker automatically acquires the lock.

Content Filtering Policy Commands
Configuration mode includes certain commands related to content filtering policy, which is new in SGME 5.5.
For more information, see “Content Filtering Policy and Role-Based Access” on page 7.

(config) # aaa authentication login default
Synopsis
Director enables you to use the following authentication schemes for user access to Director:
• LDAP: Supports authentication and authorization. You can configure all new LDAP users to have privilege level 15 access, if needed. For more information, see “(config) #ldap-server” on page 167.
• RADIUS: Supports authentication and authorization. For more information, see “(config) #radius-server” on page 172.
Important: To use RADIUS authentication, you must specify a shared secret (also referred to as a key) when you configure the RADIUS server in Director.
• TACACS: Supports authentication only. All users authenticated by TACACS have privilege level 15 access. For more information, see “(config) #tacacs-server” on page 201.
• Local: Supports authentication and authorization. For more information, see “(config) #username” on page 208.
The aaa authentication login default command enables you to use any combination of the preceding mechanisms to authenticate and authorize users. Use the aaa authentication login default command to determine the order in which the repositories are searched. Local authentication must always be searched.
For example, suppose your company has RADIUS and TACACS servers to authenticate and authorize users. When a user named joe.jones logs in to Director, you can configure Director to search for joe.jones in RADIUS, TACACS, and local user repositories.
The following command causes Director to first search RADIUS; if joe.jones is not found, Director searches TACACS; if joe.jones is not found, Director searches its local repository; and if joe.jones is not found, Director denies the login attempt:
(config) # aaa authentication login default radius tacacs local
If you have only a RADIUS server to authenticate and authorize users, use the following command:
(config) # aaa authentication login default radius local
Note that local must always be in the list.
Syntax
(config) # aaa authentication login default {local | radius | tacacs} subcommands
Subcommands
(config) # aaa authentication login default local {radius [tacacs+]| tacacs+ [radius]}
Configures default authentication for login using the local password file.
(config) # aaa authentication login default radius {local [tacacs+] | tacacs+ [local]}
Configures default authentication for login using a RADIUS server. Although both combinations of the local command are listed as optional, you must choose at least one of them so that local is present somewhere in the list.
(config) # aaa authentication login default tacacs+ {local [radius]| radius [local]}
Configures default authentication for login using a TACACS+ server. Although both combinations of the local command are listed as optional, you must choose at least one of them so that local is present somewhere in the list.
Example
director (config) # aaa authentication login default tacacs+ local radius

(config) # abort-on-errors
Causes a job to stop executing if errors are encountered. This command should not be used in the command line; the command is used only by the Management Console and is listed here for completeness.

(config) # access-list access_list_name
Synopsis
Use this command to create or edit access list settings.
Most of the commands in this submode are also available by entering the configuration command access-list access_list_name.
An access list is consumed by an access group; in other words, an access list sets up the list of access rules for an interface (for example, to deny TCP requests from a particular network). The access list is associated with a particular interface using an access group. For more information about access groups, see “(config) #interface interface_number” on page 133.
Syntax
(config) # [no] access-list access_list_name
This changes the prompt to:
director (config acl access_list_name) #
Following is a general discussion of the command syntax. This information applies to all access-list commands.
Prefacing this command with the optional no command removes the access list.

access-list Actions
Possible actions are as follows:
• deny—The specified packets are dropped.
• permit—The specified packets are allowed.
• reject—The specified packets are dropped and Director returns an error code to the sender of the packet, or responds with an ICMP unreachable message, depending on whether matching is done on outbound or inbound traffic, respectively.

Protocol
Enables you to selectively permit, deny, or reject traffic from the following IP protocols (transport layer and below only):
• All protocols (use the ip subcommand to specify all protocols)
• tcp
• udp
• icmp (including ICMP types)
You have the option of including ICMP message type as part of the filter. Omitting the ICMP type means you match all ICMP message types. To do this, enter icmp icmp_type for the protocol, where icmp_type is defined as follows:
• 0 (echo-reply)
• 3 (unreachable)
• 4 (source-quench)
• 5 (redirect)
• 8 (echo)

Source and Destination
Source and destination addresses can be used to selectively permit, reject, or deny protocol traffic to and from source and destination addresses and address wildcards.
Specify the source address first in the following format: source_ip_address wildcard_mask. Together, they specify a network address range used to match packets.
source_ip_address is the IP address of the source. wildcard_mask is the opposite of a subnet mask for source_ip_address.
For example, if source_ip_address is 10.1.1.0, its subnet mask would be a Class C (24-bit) mask of 255.255.255.0. wildcard_mask for this source_ip_address is 0.0.0.255.

Port Number Matching
This information applies to the UDP and TCP protocols only. UDP and TCP access lists enable you to use port numbers as part of the access list filter. Omitting the port number means the filter applies to all ports. You can also use one of the following operators:
• gt (greater than)
• lt (less than)
• == (equal to)
• != (not equal to)
• range—destination port range, specified as the lower port number, space, and the higher port number
For example, range 5000 6000

Subcommands
This section discusses the following subcommands:
• “comment”
• “deny” on page 99
• “exit” on page 99
• “help” on page 99
• “permit” on page 99
• “reject” on page 100
• “show access-lists” on page 100

comment
(config acl access_list_name) # [no] comment comment
Enter an optional description for this access list.
Prefacing this command with the optional no command removes the comment from the access list.

deny
(config acl access_list_name) # [no] deny ip_protocol any {any | destination_ip_address wildcard_mask | host ip_address} [log]
Drops packets using the specified IP protocol from any source address. To drop packets for all IP protocols, enter ip for ip_protocol.
For more information, including information about the ICMP protocol, source and destination addresses, and port number matching for TCP and UDP protocols, see “Subcommands” on page 98.
Prefacing this command with the optional no command removes the deny rule.
(config acl access_list_name) # deny ip_protocol source_ip_address wildcard_mask {any | destination_ip_address destination_wildcard | host ip_address} [log]
Drops packets using the specified IP protocol from a specified source address.
(config acl access_list_name) # deny ip_protocol host ip_address {any | destination_ip_address wildcard_mask | host ip_address} [log]
Drops the packet for the host source address for the specified IP protocol.
After you set up an access list, you must associate it with a Director interface using an access group as discussed in “(config) #interface interface_number” on page 133.

exit
(config acl access_list_name) # exit
Exits the access-list submode and returns to configuration mode.

help
(config acl access_list_name) # help
Displays help for subcommands.

permit
(config acl access_list_name) # [no] permit ip_protocol
(config acl access_list_name) # permit ip_protocol any {any | destination_ip_address destination_wildcard | host ip_address} [log]
Passes the packet through for any source address for the specified IP protocol. To pass the packet through for all IP protocols, enter ip for ip_protocol.
For more information, including information about the ICMP protocol, source and destination addresses, and port number matching for TCP and UDP protocols, see “Subcommands” on page 98.
Prefacing this command with the optional no command removes the permit rule.
(config acl access_list_name) # permit ip_protocol source_ip_address source_wildcard {any | destination_ip_address destination_wildcard | host ip_address} [log]
Passes the packet through for the specified source address.
(config acl access_list_name) # permit ip_protocol host ip_address {any | destination_ip_address destination_wildcard | host} [log]
Passes the packet through for the host source address for the specified IP protocol.
After you set up an access list, you must associate it with a Director interface using an access group as discussed in “(config) #interface interface_number” on page 133.

reject
(config acl access_list_name) # [no] reject ip_protocol
(config acl access_list_name) # reject ip_protocol any {any | destination_ip_address destination_wildcard | host ip_address} [log]
Either returns an error code to the sender of the packet or responds with an ICMP unreachable message, depending on whether matching is done on outbound or inbound traffic, respectively, for any source address for the specified IP protocol.
For more information, including information about the ICMP protocol, source and destination addresses, and port number matching for TCP and UDP protocols, see “Subcommands” on page 98.
Prefacing this command with the optional no command removes the reject rule.
(config acl access_list_name) # reject ip_protocol source_ip_address source_wildcard {any | destination_ip_address destination_wildcard | host ip_address} [log]
Either returns an error code to the sender of the packet or responds with an ICMP unreachable message, depending on whether matching is done on outbound or inbound traffic, respectively, for the specified source address for the specified IP protocol.
(config acl access_list_name) # reject ip_protocol host ip_address {any | destination_ip_address destination_wildcard | host} [log]
Either returns an error code to the sender of the packet or responds with an ICMP unreachable message, depending on whether matching is done on outbound or inbound traffic, respectively, for the host source address for the specified IP protocol.
After you set up an access list, you must associate it with a Director interface using an access group as discussed in “(config) #interface interface_number” on page 133.

show access-lists
(config acl access_list_name) # show access-lists
Displays information about configured access lists.
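The matching rules described in this section (wildcard masks, the ip keyword for all protocols, and the gt, lt, ==, != and range port operators), as an added Python example that is not part of the Blue Coat reference: it parses rule lines laid out like this section's show access-lists example output and evaluates packets against them. Assumptions: rules are checked in index order and the first match decides, port operators compare the destination port, and range is inclusive; the names Rule, parse_rules, wildcard_span and evaluate are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two rule lines from this section's
# "show access-lists" example output.
SAMPLE_RULES = """\
0: deny 0.0.0.0 255.255.255.255 10.107.0.62 0.0.0.0 ip log
1: deny 10.107.0.62 0.0.255.255 192.168.0.11 0.0.255.255 udp gt 5000
"""

PORT_OPS = {"gt", "lt", "==", "!=", "range"}


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address (or mask) as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Rule:
    index: int
    action: str                      # deny, permit or reject
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    protocol: str                    # ip, tcp, udp or icmp
    port_op: Optional[str] = None
    ports: Tuple[int, ...] = ()
    log: bool = False


def parse_rule(line: str) -> Rule:
    """Parse 'N: action src src_wild dst dst_wild protocol [op port...] [log]'."""
    tok = line.split()
    if len(tok) < 7 or not tok[0].endswith(":"):
        raise ValueError(f"unrecognized rule line: {line!r}")
    rest = tok[7:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    port_op, ports = None, ()
    if rest:
        port_op, ports = rest[0], tuple(int(p) for p in rest[1:])
        wanted = 2 if port_op == "range" else 1
        # Port matching applies to the TCP and UDP protocols only.
        if (port_op not in PORT_OPS or len(ports) != wanted
                or tok[6] not in ("tcp", "udp")):
            raise ValueError(f"bad port match in: {line!r}")
    return Rule(int(tok[0][:-1]), tok[1], to_int(tok[2]), to_int(tok[3]),
                to_int(tok[4]), to_int(tok[5]), tok[6], port_op, ports, log)


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Bits set in the wildcard mask are ignored; all others must be equal."""
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def wildcard_span(base: str, wild: str) -> Tuple[str, str]:
    """Lowest and highest address that a base/wildcard pair matches."""
    b, w = to_int(base), to_int(wild)
    low, high = b & ~w & 0xFFFFFFFF, b | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def port_match(rule: Rule, dport: Optional[int]) -> bool:
    if rule.port_op is None:
        return True                  # no port given: filter applies to all ports
    if dport is None:
        return False
    p = rule.ports
    return {"gt": dport > p[0], "lt": dport < p[0], "==": dport == p[0],
            "!=": dport != p[0], "range": p[0] <= dport <= p[-1]}[rule.port_op]


def evaluate(rules: List[Rule], protocol: str, src: str, dst: str,
             dport: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Return (action, rule index) of the first matching rule, or None.

    First-match ordering is an assumption; the page does not state it.
    """
    s, d = to_int(src), to_int(dst)
    for r in rules:
        if (r.protocol in ("ip", protocol)
                and wildcard_match(s, r.src, r.src_wild)
                and wildcard_match(d, r.dst, r.dst_wild)
                and port_match(r, dport)):
            return r.action, r.index
    return None


if __name__ == "__main__":
    acl = parse_rules(SAMPLE_RULES)
    print(wildcard_span("10.107.0.62", "0.0.255.255"))
    print(evaluate(acl, "udp", "10.107.200.9", "192.168.77.1", 6000))
```

Running wildcard_span on the example rule's source pair shows that 10.107.0.62 with wildcard 0.0.255.255 covers every address from 10.107.0.0 through 10.107.255.255, not only the single host, which is worth checking before a rule is bound to an interface.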
Example
director (config acl bc) # deny udp 10.107.0.62 0.0.255.255 192.168.0.11 0.0.255.255 gt 5000
director (config acl bc) # show access-lists
Access-list bc, type "filter"
0: deny 0.0.0.0 255.255.255.255 10.107.0.62 0.0.0.0 ip log
1: deny 10.107.0.62 0.0.255.255 192.168.0.11 0.0.255.255 udp gt 5000

(config) # archive
Synopsis
Manipulates archives on this system. With the exception of the restore subcommand, this command is also available in enable mode. See “#archive” on page 32 for information.
Note: Director does not archive its IP addresses so an archive taken on one Director appliance can be restored on another Director appliance without changing the target Director’s IP addresses.
Syntax
Restoring an Archive
To restore an archive (that is, to install an archive located on this Director appliance), use the following command:
director (config)# archive {all | config | device-backup | event-log | job-report} restore archive_name [key keyname]
Prerequisites: Before restoring an archive, you must perform all of the following tasks:
• Fetch the archive to this Director. For more information, see “Fetching an Archive” on page 35.
• If the archive was encrypted with a key that is not already stored on this Director, you must input the archive key.
For the meaning of the all, config, device-backup, event-log, and job-report parameters, see “Specifying What to Archive” on page 32.
archive_name must match the name of a previously saved archive on this Director. To display archive names, enter one of the following commands:
director (config)# archive {all | config | device-backup | event-log | job-report} restore ?
director (config)# show archive {all | config | device-backup | event-log | job-report}
If the archive was encrypted with an archive key, you must enter a value for the key parameter.
For example,
director (config)# archive all restore sgmearchive-director-all2008.12.03-004256.tgz key mykey

(config) # arp
Synopsis
Adds a permanent entry to the Address Resolution Protocol (ARP) cache or sets parameters for ARP.
Syntax
(config) # arp subcommands
Subcommands
(config) # arp ip_address MAC_address
Adds a permanent (static) entry to the ARP cache.
(config) # arp timeout seconds
Sets the ARP cache timeout value in seconds. The default value is 14400 seconds (4 hours).
Example
director (config) # arp timeout 28800

(config) # banner
Synopsis
Changes the banner displayed on an SSH command session and serial console. The default banner is similar to the following:
Copyright (c) 1997-2009, Blue Coat Systems, Inc.
Welcome to SG-ME 6.1.1.1 #45678 2012.01.05-013904
For configuring a banner for the Director Management Console, see “(config) #login-banner” on page 143.
Syntax
(config) # banner input banner-text
The input parameter enables you to enter banner text. After input, enter the banner text, ending with Control+D.
Subcommands
There are no subcommands of this command.
Example
director (config) # banner input
Enter your banner now. Press Ctrl-D when finished, or Ctrl-C to abort.
Welcome to Director for Example Corp.
Director is running SGME 6.1 build 76543
director (config) # show banner
Welcome to Director for Example Corp.
Director is running SGME 6.1 build 76543

(config) # cdn
Synopsis
This command has been deprecated; use “(config) #content options” on page 111 instead.

(config) # clear
Synopsis
Clears certain options. This command is also available in enable mode. See “#clear” on page 38 for information.

(config) # cli
Synopsis
Sets Command Line Interface (CLI) options.
Syntax
(config) # cli [subcommands]
Subcommands
(config) # cli sg-cli-timeout #h #m #s
Sets the amount of time of user inactivity before the administrator is logged out of the command line session on the ProxySG appliance. The timeout applies to standard, enable, and configuration mode sessions. The default value is 1440 minutes.
This setting applies to all users and is persistent across sessions (provided you use the write memory command as discussed in “#write” on page 92). It is only read when an administrator logs in, so if multiple administrators are logged in when the timeout is changed, it will immediately affect only the administrator who made the change. The others will be affected the next time they log in.
(config) # show sg-cli-timeout
Display the timeout period set for CLI sessions on the ProxySG appliance.
(config) # cli timeout #h #m #s
Sets the amount of time of user inactivity before the administrator is logged out of the command line session. The timeout applies to standard, enable, and configuration mode sessions.
This setting applies to all users and is persistent across sessions (provided you use the write memory command as discussed in “#write” on page 92). It is only read when an administrator logs in, so if multiple administrators are logged in when the timeout is changed, it will immediately affect only the administrator who made the change. The others will be affected the next time they log in.
(config) # show cli timeout
Display the timeout period set for CLI sessions.
The other subcommands for this command are discussed in “>cli” on page 16.
Example
director (config) # cli timeout 2h 30m

(config) # clock
Synopsis
Use this command to set the current system time, and optionally also the date. This command is not available if a local NTP server is running. Note that, unlike most configuration commands, this command does not wait for a write memory command to be committed to persistent storage.
Syntax
(config) # clock [subcommands]
Subcommands
(config) # clock set hh:mm[:ss] [yyyy/mm/dd]
Sets the time and, optionally, the date.
(config) # clock timezone continent country [state_or_province] city
Sets the local timezone. A state or province is required for some countries (for example, United States and Canada), but not for others (for example, Europe, Australia).
Examples
director (config) # clock timezone america united_states california los_angeles
director (config) # clock set 12:20:45 2012/07/30

(config) # configuration
Synopsis
Manipulates configuration files.
A configuration includes the following:
• Director’s network configuration (IP address, DNS servers, and so on)
• Profiles, overlays, jobs, groups, and devices
• Objects associated with profiles, overlays, jobs, and groups (for example, substitution variables, URL lists, regular expression lists, and so on)
The following are not included in a configuration:
• Alerts
• SNMP (after restoring the archive, SNMP will be disabled and SNMP contact information reverts to its default values)
• NTP
Note: Configurations are stored on Director; they are not archived.
Syntax
director (config) # configuration {delete {filename | initial} | destroy-old-files | move {{source_filename | initial} destination_filename} | new filename [keep-console] | restore-factory-defaults | restore-sgme4-files | revert | switch-to {filename | initial} | write [to filename]}
Subcommands
(config) # configuration delete {filename | initial}
Deletes either the specified configuration file or the initial configuration. Deleting the currently-active file is not permitted.
(config) # configuration destroy-old-files
Destroys old configuration files. This precludes downgrades.
(config) # configuration move {source_filename | initial} destination_filename
Moves the specified configuration file from the first filename or the initial configuration to the destination file name.
This command can also be used to rename a file.
(config) # configuration new filename [keep-console]
Create a new configuration file. The optional keep-console command preserves the current network settings.
(config) # configuration restore-factory-defaults
Restore the configuration back to factory defaults. Use this command only if necessary; for example, if errors prevent you from using Director. You can also use it to reset Director to defaults after testing Director in your deployment. After using this command, Director reboots.
(config) # configuration restore-sgme4-files
Use this command only if you downgrade from SGME 5.3.x to SGME 4.2.2.1 to restore the SGME 4.2.2.1 configuration files.
(config) # configuration revert
Reverts the running state of the system back to the last-saved state.
(config) # configuration switch-to {filename | initial}
Discards the currently-running configuration and makes active the specified configuration. Subsequent configuration saves (using configuration write or write memory) will be written to this configuration.
Note: Changing configurations affects all users connected to Director using the command line, the Management Console, and the serial console.
(config) # configuration write [to filename]
Commits all changes requested to persistent storage. Before this command is executed, all changes are held only in memory, and are not committed, and thus would be lost on a reboot. If the to filename option is used, the configuration is saved to a new configuration file, which then becomes the active configuration, to which all subsequent calls to the configuration write command will save.
This command is the same as “#write” on page 92.
Example
director (config) # configuration switch-to fn-2

(config) # content options
Synopsis
Enables you to set performance options for content jobs.
For related commands, see:
• “(config) #content url-list” on page 112
• “#content” on page 41
Syntax
director (config)# content options {throttle delay delay_sec num-commands integer | timeout {completed-cmds seconds | outstanding-cmds seconds}}
Sets options to manipulate the number of content commands that complete per unit time, where delay_sec is the number of minutes to delay between sending batches of content, integer is the number of content commands to send in one batch, and seconds is the number of seconds to wait for commands to complete.
Defaults follow:
• Outstanding commands timeout: 10,800 seconds (that is, three hours)
• Completed commands timeout: 3,600 seconds (that is, one hour)
• Number of commands in a batch: 25
• Length of time between batches of commands: 10 seconds
Note: Older ProxySG models—such as the SG200—might not function properly if the throttle options are changed from their defaults (25 commands every 10 seconds). On these older models—because of slower processors and smaller amounts of RAM—you should expect to process a maximum of 400,000 URLs.
The commands that are the equivalent of Director defaults follow:
director (config) # content options throttle delay 10 num-commands 25
director (config) # content options timeout completed-cmds 3600
director (config) # content options timeout outstanding-cmds 10800

(config) # content url-list
Synopsis
Enables you to manipulate URL list objects.
For related commands, see:
• “#content” on page 41
• “(config) #content options” on page 111
Syntax
director (config)# content url-list list_id {comment comment | create | name name | input}
Subcommands
director (config)# content url-list list_id comment comment
Adds an optional comment to the URL list object.
director (config)# content url-list list_id create
Creates a URL list object with unique identifier list_id.
director (config)# content url-list list_id name name
Adds a “friendly” name to this URL list object.
director (config)# content url-list input
Enables you to input a URL list. Put each URL on a separate line. When you’re finished, press Control+D to save the list or Control+C to cancel without saving the list.
Note: Every URL must start with the protocol (also referred to as the schema); for example, http://. URLs that start with www. or a similar prefix are not valid and will result in job execution failure.

(config) # continue-on-errors
Causes a job to continue executing if errors are encountered. This command should not be used in the command line; the command is used only by the Management Console and is listed here for completeness.

(config) # debug
Synopsis
System debugging information and commands. This command is also available in enable mode. See “#debug” on page 48 for information about this command.

(config) # device device_id
Synopsis
This command manages device records, creating a record with the specified device ID if one did not previously exist. Most of the commands in this submode are also available by entering the configuration command device device_id.

Common Authentication Commands
For Director to connect to a device, you must enter the following commands at minimum:
(config device device_id) # address hostname_or_ip_address
(config device device_id) # enable-password enable-password
(config device device_id) # web-config port port_number
(config device device_id) # protocol sshv2 port port_number
This command is required only if you use a port other than the default, 22.
(config device device_id) # front-panel-pin pin
This command is required only if a front panel PIN is set on the device.

Commands for SSH Simple Authentication
SSH Simple authentication means Director uses an unencrypted user name and password to authenticate itself with the device. Because the user name and password are not encrypted, Blue Coat strongly recommends you use SSH-RSA authentication as discussed in the next section.
For Director to authenticate itself with a device non-securely using SSH Simple authentication, you must enter the following commands in addition to the commands discussed in “Common Authentication Commands” on page 115:
(config device device_id) # auth simple password password
(config device device_id) # auth simple username username

Commands for SSH-RSA Authentication
For a device to authenticate securely with Director using SSH-RSA, you have the following options:
• Add the device using SSH Simple authentication and upload keyrings to the device to change it to SSH-RSA
The commands required to perform these tasks are discussed in this section.
• Register the device with Director, which adds it and causes it to authenticate using SSH-RSA in one step
This is discussed in Chapter 4, Registering Devices, in the Blue Coat Director Configuration and Management Guide.
SSH-RSA communication authenticates Director with devices using a secure channel and private/public key cryptography. To authenticate, Director uses a reserved user name director and a keyring stored on the device.
For Director to use SSH-RSA authentication, you must enter the following commands in addition to the commands discussed in “Common Authentication Commands” on page 115:
(config device device_id) # auth simple username username
(config device device_id) # auth simple password password
The auth simple username and auth simple password commands are required for Director to use the device’s CLI to set up SSH-RSA authentication.
(config device device_id) # auth rsa username director
This reserved user name is required for Director to authenticate the device.
(config device device_id) # auth rsa key {copy device_id sshv1 | generate sshv2}
This command gives you the choice of copying a keyring from another device or generating a new keyring for the device.
(config device device_id) # pushkey sshv2
(config device device_id) # authtype rsa

Syntax
(config) # device device_id
This changes the prompt to:
(config device device_id) #

Note: The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.

Subcommands
See one of the following sections:
• “address” on page 117
• “auth rsa” on page 117
• “authtype” on page 117
• “comment” on page 118
• “create” on page 118
• “dnsname” on page 118
• “enable-password” on page 118
• “exit” on page 118
• “front-panel-pin” on page 118
• “help” on page 118
• “dipv6address” on page 118
• “name” on page 118
• “no” on page 118
• “overlay” on page 119
• “protocol” on page 119
• “pushkey” on page 119
• “pushpassword” on page 119
• “reconnect” on page 119
• “serial-console-password” on page 120
• “serial-number” on page 120
• “state” on page 120
• “substitution-variable” on page 120
• “web-config port” on page 120

address
(config device device_id) # address hostname_or_ip_address
Sets the IPv4 address of this device. To set the IPv6 address on the device, see “dipv6address” on page 118.

auth rsa
(config device device_id) # auth rsa {key {copy device_id sshv2} | {generate sshv2} | knownhost key sshv2}

(config device device_id) # auth rsa key copy device_id2 sshv2
Sets the SSH-RSA key pair for connections to this device to be a copy of the key used for device_id2. This command does not change any settings for device_id2, so any future changes to the key for device_id2 will not automatically be copied to this device.

(config device device_id) # auth rsa key generate sshv2
Creates an SSH-RSA private key for the device.

(config device device_id) # auth rsa knownhost key sshv2 key_length exponent key
Specifies or changes the known host public key for this device.

(config device device_id) # auth rsa username director
Sets the username that will be used to log in to a device if authtype is set to rsa.
Important: The user name must be director or connection to Director will fail.

(config device device_id) # auth simple {password password | username username}
Sets the password that Director uses to log in to a device if the authtype command is set to simple.
Important: For Director to connect to the device, you must supply both a user name and a password. For example, if the device’s user name is admin and the password is bluecoat, enter the following commands:
(config device device_id) # auth simple password bluecoat
(config device device_id) # auth simple username admin

authtype
(config device device_id) # authtype [rsa | simple]
Sets the type of authentication used to connect to a specified device. simple is standard username/password authentication. rsa is available only if the protocol is sshv2 (that is, SSH-RSA).

comment
(config device device_id) # comment comment
Associates a comment with the device record.

create
(config device device_id) # create
Creates a new device record. Equivalent to the following command:
director (config) # device device_id create

dnsname
(config device device_id) # dnsname name
Enter the hostname for this device. This option allows you to use a human-readable name instead of a dotted IP address to access the device.

enable-password
(config device device_id) # enable-password enable-password
Sets the password used to access enable mode on this device.

exit
(config device device_id) # exit
Exits device submode and returns to configuration mode.

front-panel-pin
(config device device_id) # front-panel-pin pin
Specifies the front panel PIN for this device.

help
(config device device_id) # help
Displays help information.

dipv6address
(config device device_id) # ipv6address hostname_or_ip_address
Sets the IPv6 address of this device.

name
(config device device_id) # name friendly-name
Assigns a friendly name to this device.

no
(config device device_id) # no subcommands

(config device device_id) # no address
(config device device_id) # no ipv6address hostname_or_ip_address
Removes the IP address or hostname from this device.

(config device device_id) # no auth rsa {key sshv2 | knownhost key sshv2 | username}
Removes parameters for RSA device authorization.

(config device device_id) # no auth simple {password | username}
Removes parameters for simple device authorization.

(config device device_id) # no authtype
Resets the device authorization type to the default.

(config device device_id) # no comment
Removes the comment from this device.

(config device device_id) # no dnsname
Removes the hostname configured on this device.

(config device device_id) # no enable-password
Clears the enable password from this device record.

(config device device_id) # no front-panel-pin
Clears the front panel PIN from this device record.

(config device device_id) # no name
Removes the friendly name from this device.

(config device device_id) # no protocol
Resets the protocol for this device to its default, which is telnet.

(config device device_id) # no web-config port
Resets the port for the Web configuration interface on this device to the default, which is 8082.

overlay
director (config device device_id) # overlay content_policy_overlay_id
This command is used with content filtering policy. This command is available for the sadmin user only.
Associates the indicated Content Policy overlay with the device.
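
The following added example (not part of the Blue Coat reference and not Blue Coat code) audits device records against the rules stated in this section: the device ID limits, telnet as the protocol default, rsa being available only with sshv2, and the reserved user name director. It assumes the records are available as text in the one-line form device device_id subcommand; the sample records, addresses, and finding labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device ID rules from this section: at most 250 characters, none of { } < > ( ) # $
FORBIDDEN_ID_CHARS = set("{}<>()#$")
MAX_ID_LEN = 250

# Constructed sample input (assumption): device records in the one-line
# configuration form "device <device_id> <subcommand ...>".
SAMPLE_CONFIG = """\
device edge-01 address 192.0.2.10
device edge-01 protocol sshv2 port 22
device edge-01 auth rsa username director
device edge-01 authtype rsa
device edge-02 address 192.0.2.11
device edge-02 auth simple username admin
device edge-02 authtype simple
device lab#3 address 192.0.2.12
device lab#3 protocol sshv2 port 2222
device lab#3 auth rsa username admin
device lab#3 authtype rsa
"""


@dataclass
class DeviceRecord:
    device_id: str
    protocol: str = "telnet"            # this section: the protocol default is telnet
    authtype: Optional[str] = None      # the default authtype is not stated here
    rsa_username: Optional[str] = None


def parse_records(text: str) -> Dict[str, DeviceRecord]:
    """Collect the security-relevant settings of each device record."""
    records: Dict[str, DeviceRecord] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "device":
            continue
        rec = records.setdefault(parts[1], DeviceRecord(parts[1]))
        sub = parts[2:]
        if sub[0] == "protocol" and len(sub) >= 2:
            rec.protocol = sub[1]
        elif sub[0] == "authtype" and len(sub) >= 2:
            rec.authtype = sub[1]
        elif sub[:3] == ["auth", "rsa", "username"] and len(sub) >= 4:
            rec.rsa_username = sub[3]
    return records


def audit(rec: DeviceRecord) -> List[str]:
    """Return finding labels (hypothetical names) for one device record."""
    findings: List[str] = []
    if len(rec.device_id) > MAX_ID_LEN:
        findings.append("id-too-long")
    bad = sorted(FORBIDDEN_ID_CHARS & set(rec.device_id))
    if bad:
        findings.append("id-forbidden-chars:" + "".join(bad))
    if rec.protocol != "sshv2":
        # No "protocol sshv2" line means the record stays on the telnet default.
        findings.append("protocol-not-sshv2:" + rec.protocol)
    if rec.authtype == "simple":
        # SSH Simple sends an unencrypted user name and password.
        findings.append("authtype-simple")
    elif rec.authtype is None:
        findings.append("authtype-unset")
    elif rec.authtype == "rsa":
        if rec.protocol != "sshv2":
            findings.append("rsa-requires-sshv2")
        if rec.rsa_username != "director":
            # The user name must be director or the connection fails.
            findings.append("rsa-username-not-director")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    return {dev: audit(rec) for dev, rec in parse_records(text).items()}


if __name__ == "__main__":
    for dev, findings in audit_config(SAMPLE_CONFIG).items():
        print(dev, "OK" if not findings else ", ".join(findings))
```

A record with no authtype line is reported as authtype-unset rather than judged, because this section does not say what the default authentication type is.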

protocol
(config device device_id) # protocol sshv2 port port_number
Connect to this device using RSA-SSH on port_number. The default port number is 22.

pushkey
(config device device_id) # pushkey sshv2
Logs into the device and adds Director’s RSA-SSH public key to its authorized key list.

pushpassword
(config device device_id) # pushpassword {enable-password password | front-panel-pin pin | password password}
Sets the enable password, front panel PIN, and login password on this device and device record.

reconnect
(config device device_id) # reconnect
Drops the existing connection and reinitiates connection to the device.

serial-console-password
(config device device_id) # serial-console-password password
Specifies the password to secure serial console on this device.

serial-number
(config device device_id) # serial-number serial#
Sets the hardware serial number of this device.

state
(config device device_id) # state {configured | not-registered | registered}
Sets the state of this device as one of the following:
• configured means the device is being managed by Director and has already been configured using a profile or overlay.
• not-registered means the device is not yet managed by Director because it has not been registered.
• registered means the device has been added to or registered with Director.

substitution-variable
(config device device_id) # substitution-variable name input
Creates a substitution variable of name for this device. The input subcommand enables you to enter a value for the substitution variable. After input, enter the value of the substitution variable, ending with Control+D.
For more information about substitution variables, see Chapter 11, Managing Substitution Variables, in the Blue Coat Director Configuration and Management Guide.
A substitution variable name can be a maximum of 64 characters in length, alphanumeric characters only.
If there are any spaces, reserved characters, or special characters, errors occur. Reserved characters for SGOS include ? (question mark—reserved for command help) or % (percent—reserved for errors). In addition, * (asterisk) is a special character and cannot be used in a substitution variable.
Note: To create substitution variables for use with content filtering policy, see “(config) #role-substitution-variable” on page 189 instead.

web-config port
(config device device_id) # web-config port port_number
Sets the device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console.

(config) # device-acl
Synopsis
Associates a device or a custom group with a user group. Delegated users in this user group can push block lists and allow lists to these devices or groups.
This command is used with content filtering policy. This command is available for the sadmin user only. For more information about content filtering policy commands, see “Content Filtering Policy and Role-Based Access” on page 7.

Syntax
director (config) # [no] device-acl role delegated-admin user-group user_group_name {device device_id | group custom_group_name}
For example, the following command associates the user group Finance_policy with the custom group DevAustin:
director (config) # device-acl role delegated-admin user-group Finance_policy group DevAustin
Preceding the command with the optional no subcommand disassociates the device or custom group from the user group.

Related Commands
• To create a user group,
  director (config) # role delegated-admin user-group group_name
  For more information, see “(config) #role” on page 187
• To create a delegated user authorized locally,
  director (config) # username username role delegated-admin
• To create a delegated user authorized by RADIUS,
  director (config) # username username auth-type radius
• To associate delegated users with a user group,
  director (config) # username username role delegated-admin usergroup group_name
  See “(config) #username” on page 208.
• To create a Content Policy overlay,
  director (config) # remote-config overlay overlay_id policy_type enable
  director (config) # remote-config overlay overlay_id
  director (config remote-config overlay "overlay_id") # input
  For more information, see “overlay” on page 179.
• To associate a Content Policy overlay with a device,
  director (config) # device device_id overlay content_policy_overlay_name
  For more information, see “(config) #device device_id” on page 115
• To create substitution variables,
  director (config) # [no] role-substitution-variable variable_name {device device_id | group group_name} input
  For more information, see “(config) #role-substitution-variable” on page 189

(config) # dmc request-timeout
Synopsis
Configures the length of time that requests made in Director Management Console can be inactive before the request times out. (Introduced in SGME 6.1.8.1)

Syntax
(config) # dmc request-timeout <number_of_seconds>
where <number_of_seconds> is an integer greater than 30

Subcommands
There are no subcommands for this command.

Example
Set the request timeout to be 31 seconds and then verify the setting using the #show command.
(config) # dmc request-timeout 31
(config) # show dmc request-timeout
DMC request timeout: 31

(config) # dmc timeout
Synopsis
Configures the length of time the Director Management Console can be inactive before the session is closed.

Syntax
(config) # dmc timeout time

Subcommands
(config) # no dmc timeout
Resets the timeout period for Director Management Console sessions to the default timeout of 15 minutes.

(config) # show dmc timeout
Displays the timeout period set for Director Management Console sessions.

(config) # exit
Synopsis
This command allows you to exit configuration mode and return to enable mode.

Syntax
(config) # exit
The exit command does not have any parameters or subcommands.

Example
director (config) # exit
director #

(config) # file
Manipulates files on this system. This command is also available in enable mode.

(config) # folder folder_id
Synopsis
This command enables you to add jobs, profiles, overlays, regular expression lists, and URL lists to folders; and enables you to nest folders. Like the device command, entering folder folder_id starts folder mode.

Syntax
(config) # folder folder_id subcommands
Entering folder folder_id changes the prompt to the following:
director (config folder folder_id) #

Subcommands
This section discusses the following topics:
• “Folder Submode Commands”
• “Negating Folder Commands” on page 128

Folder Submode Commands
director (config folder folder_id) # [no] comment comment
Adds a comment to the folder. Preceding the command with the optional no parameter removes the selected comment, or without the optional comment parameter, removes all comments from the folder.

director (config folder folder_id) # create
Creates the folder.

director (config folder folder_id) # exit
Returns to configuration mode.

director (config folder folder_id) # help
Displays help for subcommands.

director (config folder folder_id) # job job_id
Includes the specified Job ID in this folder.

director (config folder folder_id) # [no] name name
Gives the folder a friendly name. Preceding the command with the optional no parameter removes the folder’s friendly name.

director (config folder folder_id) # overlay overlay_id
Copies the specified overlay to this folder.

director (config folder folder_id) # [no] parent folder_id
Specifies the parent of this folder; in other words, makes this folder the child of folder_id.
Preceding the command with the optional no parameter removes the parent folder from this folder, meaning this folder becomes a top-level folder.

director (config folder folder_id) # profile profile_id
Copies the specified profile to this folder.

director (config folder folder_id) # regex-list list_id
Copies the specified regular expression list to this folder.

director (config folder folder_id) # url-list list_id
Copies the specified URL list to this folder.

Negating Folder Commands
This section discusses how to negate certain folder commands. To negate these commands, you must be in configuration mode and not in folder submode. If you are currently in folder submode, enter exit to return to configuration mode as shown in the following example:
director (config folder "MyFolder") # exit
director (config) #

Command syntax follows:
director (config) # no folder folder_id [comment | job job_id | name | overlay overlay_id | parent | profile profile_id | regex-list list_id | url-list list_id]
With no optional parameter, deletes the specified folder. The contents of the folder, if any, remain in other folders or, if this was the only folder, move to the Unassigned folder.
Other options follow:

(config) # no folder folder_id comment
Deletes the folder’s comment.

(config) # no folder folder_id job job_id
Deletes the specified job from the folder but does not delete the job itself.

(config) # no folder folder_id name
Deletes the folder’s friendly name.

(config) # no folder folder_id overlay overlay_id
Deletes the specified overlay from the folder but does not delete the overlay itself.

(config) # no folder folder_id parent
Removes parent folders from this folder, making this folder a top-level folder.

(config) # no folder folder_id profile profile_id
Deletes the specified profile from the folder but does not delete the profile itself.

(config) # no folder folder_id regex-list list_id
Deletes the specified regular expression list from the folder but does not delete the list itself.

(config) # no folder folder_id url-list list_id
Deletes the specified URL list from the folder but does not delete the list itself.

(config) # group group_id
Synopsis
This command allows you to manage groups of devices. Most of the commands in this submode are also available by entering the configuration command group group_id.

Syntax
(config) # group group_id
This changes the prompt to:
director (config group group_id) #

Subcommands
(config group “group_id”) # [no] comment comment
Sets the comment associated with a group. This can be used to hold longer, more detailed information than the friendly name. Unlike the friendly name, the comment is shown only when information about this group is specifically requested.
Preceding the command with the optional no parameter removes the comment from this group.

(config group group_id) # create
Creates a top-level group with this name.

(config group “group_id”) # [no] device device_id
Adds a device to this group. Preceding the command with the optional no parameter removes a device from this group but does not delete the device itself.

(config group group_id) # exit
Exits group submode and returns to configuration mode.

(config group group_id) # help
Displays help information.

(config group group_id) # name friendly_name
Sets the friendly name associated with a group. If the group already had a name, the old name is overwritten.

(config group group_id) # [no] parent parent_group_id
Makes this group a child of another group. Preceding the command with the optional no parameter makes this group a top-level group.

(config group group_id) # [no] substitution-variable name [input variable_value]
Adds a substitution variable to a custom group or a system group.
The input command loads the value of the substitution variable into Director. Enter the entire contents of the variable value, ending with Control+D.
Preceding this command with the optional no parameter removes the substitution variable from the group. The input parameter is not valid if the command is preceded by no.
For more information about substitution variables, see the Blue Coat Director Configuration and Management Guide.

Example
director (config) # group g1
director (config group “g1”) # device 10.25.36.47

(config) # help
Lists all top-level commands currently available. This command is also available in Standard and Enable modes. See “>help” on page 20 for more information.

(config) # hostname
Synopsis
Sets this machine’s hostname.

Syntax
(config) # hostname hostname
Sets Director’s host name. When you change the host name, the prompts of all logged in clients are changed as soon as you press another key.
Important: Make sure your DNS servers can resolve the host name you enter to Director’s IP address.

Example
director (config) # hostname Director_2
director_2 (config) #

(config) # interface interface_number
Synopsis
The commands in this submode allow you to configure the specified interface.

Syntax
(config) # interface interface_number
This changes the prompt to:
director (config interface interface_number) #

Subcommands
See one of the following sections:
• “Configuring an Interface”
• “Binding an Access List to an Interface” on page 134
• “Other Commands” on page 134

Configuring an Interface
This section discusses how to configure an interface’s duplex, IP address, and speed settings; and how to disable an interface.

(config interface interface_number) # [no] duplex {half | full | auto}
Sets the duplex for this interface. Preceding the command with the optional no parameter removes the duplex setting.

(config interface interface_number) # [no] ip address ip_address netmask
Sets the IP address and netmask on this interface. Preceding the command with the optional no parameter removes the IP address.
To set an interface’s default gateway and DNS servers, see “(config) #ip” on page 135.

(config interface interface_number) # [no] ipv6address ip_address netmask
Sets the IPv6 address and netmask on this interface. Preceding the command with the optional no parameter removes the IP address.
To set an interface’s default gateway and DNS servers, see “(config) #ip” on page 135.

(config interface interface_number) # [no] shutdown
Disables this interface. Preceding the command with the optional no parameter enables the interface.

(config interface interface_number) # [no] speed {10 | 100 | 1000 | auto}
Sets the speed for this interface. Note that if the speed command is set to auto, duplex is also automatically set to auto. Preceding the command with the optional no parameter restores the default auto setting.

Binding an Access List to an Interface
This section discusses how to bind an existing access list to an interface. An access list has no effect until it is bound to an interface. For more information about access lists, see “(config) #access-list access_list_name” on page 97.

(config interface interface_number) # ip {access-group access_list_name {in | out}}
Sets an access list to be associated with inbound or outbound traffic on an interface. A check is done to verify that the access list exists and is of type filter.
The following example binds an access list named permitOne to interface ether-0 to filter inbound traffic.
director (config interface ether-0) # ip access-group permitOne in

Other Commands
(config interface interface_number) # exit
Exits interface submode and returns to configuration mode.

(config interface interface_number) # help
Displays help information.

(config interface interface_number) # show
Displays system information as discussed in “(config) #show” on page 191.
Entering show interfaces displays the list of interfaces along with configuration information (for example, IP address, speed, and duplex) and statistics (for example, number of packets received and number of bytes received).

(config) # ip
Synopsis
Configures IP protocol settings, including default gateway, static routing, and detailed IP protocol options.

Syntax
(config) # [no] ip {subcommands}

Subcommands
(config) # [no] ip access-list {list_name | extended list_name}
Entering ip access-list list_name changes to access-list submode (see “(config) #access-list access_list_name” on page 97).

(config) # [no] ip default-gateway ip_address
Sets Director’s default gateway.

(config) # [no] ip default-gateway-v6 ip_address
Sets Director’s default IPv6 gateway.

(config) # [no] ip domain-list domain_name
Adds a domain name to the DNS suffix list. This list is used to complete unqualified host names. Do not include a leading period character in domain_name. The specified domain name is added to the bottom of the list. If the domain you enter was already in the list, this command has no effect.

(config) # [no] ip host hostname ip_address
Adds a static mapping between a host name and an IP address.
Note that multiple IPs for a single hostname are possible.

(config) # [no] ip icmp rate-limit milliseconds
Limits the rate at which ICMP errors are generated to at most one every millisecond. You can enter a range from 0 to 60000.

(config) # [no] ip name-server ip_address
Adds a DNS server to the list of DNS servers used to resolve names. The DNS server specified is put at the bottom of the list. If it was already in the list, this command has no effect. You can add both IPv4 and IPv6 DNS servers.

(config) # [no] ip route network_prefix netmask gateway_address
Adds an entry to the static routing table. For example, to add a static route for IP addresses 192.0.0.0 through 192.0.0.254 to the static routing table of an appliance whose IP address is 192.10.29.1, enter the following command:
(config) # ip route 192.0.0.0 /24 192.10.29.1

(config) # [no] ip tcp {path-mtu-discovery | selective-ack | syncookies | sync-rexmits value | timestamp | unsync-rexmits value | window-size size}
Sets various TCP protocol parameters. Prefacing this command with the optional no command sets the parameter back to its default. The parameters are as follows:

path-mtu-discovery
Enables TCP path-Maximum Transmission Unit (MTU) discovery. For more information about path MTU discovery, see RFC 1191.

selective-ack
Enables the use of the selective-acknowledgement (SACK) TCP option. This might increase WAN throughput when the peer also uses this option. This option is enabled by default. For more information, see RFC 2018.

syn-cookies
Enables the SYN-cookie mechanism as a defense against SYN-flood attacks. This option is disabled by default. For more information, see this discussion of SYN cookies.

sync-rexmits value
Sets the number of retransmits while in an unsynchronized state. If this number of retransmissions is reached, the connection will be dropped. value must be between 1 and 100. The default value is 3.

timestamp
Enables the use of the timestamp option, which can improve performance by allowing finer-grained estimates of round-trip time. It can also aid in error detection on connections with large window sizes. This feature is enabled by default.

unsync-rexmits value
Sets the number of retransmits while in a connected state before dropping the connection. value must be between 1 and 100. The default value is 12.

window-size size
Sets the receive window size in bytes that will be advertised in TCP connection setup. size must be in the range from 1024 to 1073725440. The default value is 16Kb. For more information, see RFC 1323.

Example
director (config) # ip icmp rate-limit 5000

(config) # job job_id
Synopsis
The commands in this submode allow you to manage jobs. Most of the commands in this submode are also available by entering the Configuration command job job_id.

Syntax
(config) # job job_id
This changes the prompt to:
(config job job_id) #

Note: The job ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.

Subcommands
• “cancel” on page 137
• “commands-type” on page 137
• “comment” on page 138
• “create” on page 138
• “date-time-pairs” on page 138
• “disable” on page 138
• “execute” on page 138
• “exit” on page 138
• “help” on page 138
• “input” on page 138
• “name” on page 139
• “no” on page 139
• “saved-executions” on page 139
• “time-of-day” on page 139
• “type” on page 140

cancel
(config job job_id) # cancel
Cancels the currently running job_id.

commands-type
(config job job_id) # commands-type {configuration | content | other}
Sets the job type as configuration, content, or other and determines how the job displays in the Jobs tab page of the Management Console.
For example, if you use the following command:
(config job MyJob) # commands-type content
When you log in to the Management Console and click the Jobs tab, the job displays if you click either Content Jobs or All from the Show list in the Job Library section.

comment
(config job job_id) comment comment
Assigns a comment to this job.

create
(config job job_id) create
Creates an empty job.

date-time-pairs
(config job job_id) date-time-pairs yyyy/mm/dd hh:mm[:ss]
Configures the parameters for the date-time-pairs job type.

disable
(config job job_id) disable
Disables this job.

email
(config job job_id) email {from-address e-mail address | to-address one or more e-mail addresses}
Specifies sender and recipient e-mail addresses for notifications for the job. You can specify multiple recipients by entering the e-mail addresses as comma-separated values.
Because using this command overwrites any previous entries, it might be more efficient to maintain the addresses in the Director Management Console. Alternatively, you could keep a comma-separated list of addresses in a text file and copy and paste it into the CLI when you need to add or remove recipients.
Note: Blue Coat recommends that you double-check the e-mail addresses before entering them. The CLI does not validate your entries.

execute
(config job job_id) execute
Immediately executes the commands in this job.

exit
(config job job_id) exit
Exits job submode and returns to configuration mode.

help
(config job job_id) help
Displays help information.

input
(config job job_id) input job-contents
Enter the commands to execute in the job. When you are finished, press Control+D to save the job or Control+C to cancel without saving any commands.

name
(config job job_id) name friendly_name
Sets the friendly name associated with this job.
Although the friendly name cannot be used in place of a Job ID when a Job ID is required in a command, the friendly name identifies the job in the Management Console.

no
(config job job_id) no [subcommands]
The no command negates the following job configuration settings:

(config job job_id) no comment
Removes all comments from this job.

(config job job_id) no date-time-pairs {all | yyyy/mm/dd hh:mm[:ss]}
Specifying a particular date-time pair removes only that date-time pair from the job, or use the all parameter to remove all date-time pairs.

(config job job_id) no disable
Enables this job.

(config job job_id) no execution {all | id execution_id}
Deletes either all reports for this job or deletes the job report with the specified execution ID.

(config job job_id) no name
Removes the friendly name from this job.

(config job job_id) no saved-executions
Resets the number of saved job reports to unlimited. In other words, this command will never cause old job reports to be deleted.

(config job job_id) no time-of-day {absolute {start | stop} | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time {all | hh:mm[:ss]}
Removes certain job start/stop/repeat time parameters from this job.

saved-executions
(config job job_id) saved-executions number_of_reports [force]
Sets the number of job reports to save for this job. To save an unlimited number of reports, enter 0.
If Director produces a new report for this job and the total saved reports are greater than this value, the oldest job report is deleted. Reports are deleted in order of oldest to newest.
You cannot set the value to be less than the existing number of reports unless you use the force option. If you use the force option and the value is set to be less than the current number of saved reports, reports are deleted until they total the new value.

time-of-day
(config job job_id) time-of-day {absolute {start | stop} yyyy/mm/dd hh:mm[:ss] | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time hh:mm[:ss]}
Sets start/stop/repeat times for this job.

type
(config job job_id) type {date-time-pairs | time-of-day}
Selects the type of time specification to be used for this job:
• date-time-pairs means the job runs at the dates and times you specify. Recurrence options are not available; in other words, the job runs only at the dates and times you specify.
  For more information about configuring date-time pairs, see “(config job job_id) date-time-pairs yyyy/mm/dd hh:mm[:ss]” on page 138.
• time-of-day means the job runs at the times and days of the week you specify; in other words, recurrence is supported.
  For more information about configuring time-of-day options, see “(config job job_id) time-of-day {absolute {start | stop} yyyy/mm/dd hh:mm[:ss] | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time hh:mm[:ss]}” on page 139.

Example
director (config) # job j1
director (config job j1) # type date-time-pairs

(config) # lcd
Synopsis
Sets the LCD panel PIN.

Syntax
(config) # lcd pin 4_digit_pin_number
Sets the PIN for accessing the LCD panel.

Example
director (config) # lcd pin 2331

(config) # license
Synopsis
Allows you to import a license file into the Blue Coat Director. A valid license is required to manage the devices in your network.

Syntax
(config) # license {input | passphrase}

Subcommands
(config) # license input
The input parameter enables you to copy and paste the contents of your license file. You will be prompted to enter the passphrase you entered when generating the license file on the Blue Coat Licensing Portal. This passphrase is required to decrypt the license file and complete the license installation. Enter Control+D when finished.

(config) # license passphrase passphrase
Enter the passphrase you entered when generating the license file on the Blue Coat Licensing Portal. If the passphrase includes spaces, enclose the passphrase within quotation marks.

(config) # show license
Displays the license that you have installed.

Example
(config) # license input
Enter pass phrase here:XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enter your license file contents now. Press Ctrl-D when finished, or Ctrl-C to abort.
uynffeu645837ty8utngnm 4yr943rnftv8anv9inv......
(config) # license passphrase "life is good"
(config) # show license
Serial number:0000290001
Component name: Director 6
License type: Try and Buy
Expiration date: 2012-01-24
Expired: No
Days left: 42
Max device count: 300
Actual device count:113

(config) # login-banner

Synopsis
Allows you to configure a login banner that displays when users access the Director Management Console. Input login banner text in the English language only; support for any other language has not been tested. For configuring a banner for SSH or serial console access, see “(config) #banner” on page 104.

Syntax
(config) # [no] login-banner {acceptance-required | enable | fetch-logo | input | logo-url}

Subcommands
(config) # login-banner acceptance-required
Mandates that users must accept the login banner prior to accessing the Director Management Console. Users who decline the banner are not permitted access to the Management Console.

(config) # login-banner enable
Enables the login banner. The text that you entered is displayed on login.

(config) # login-banner fetch-logo url
Allows you to enter an FTP server or an HTTP server URL from which the Director can fetch a logo for the login banner. The image formats supported are jpg, jpeg, gif, png, and bmp.

(config) # login-banner logo-url url
Sets the logo for the login banner.

(config) # login-banner input <enter> banner-text
The input parameter enables you to enter banner text.
Enter the banner text, and press Control+D when finished.

(config) # show login-banner
Displays the login banner that you have configured.

Example
director (config) # login-banner fetch-logo ftp://10.125.38.21/Common/companylogo.jpg
director (config) # login-banner logo-url ftp://10.125.38.21/Common/companylogo.jpg

(config) # line-vty

Synopsis
Configures the number of lines visible on a terminal session. The default is 24. This command is also available in Enable mode. See “#line-vty” on page 55 for information.

(config) # logging

Synopsis
Configures audit and console logging. Provided you specify an external server that uses the Secure Copy Protocol (SCP), audit logs are transferred from Director’s /var/logs/messages directory to the /local/logs/scplogs directory using a cron job. Another cron job transfers logs from /local/logs/scplogs to the external server, after which the /local/logs/scplogs directory is cleared. You also have the option of transferring logs and clearing the directory manually.

Details about audit logging follow:
• Stored in subdirectories of /local/logs/scplogs (for example, the contents of backup jobs are stored in /local/logs/scplogs/backups).
• Event logs, stored in the /var/log/messages file, are transferred every hour to the /local/logs/scplogs/messages directory using a cron job.
• A cron job runs every five minutes to transfer audit logs from subdirectories of /local/logs/scplogs to an external server using the Secure Copy Protocol (SCP), if a server is configured.
• After the files are transferred, the logs are deleted; however, if no external server is specified, no transfer takes place.
• After the contents of the audit log directory reach 1GB in size, the overflow policy is enacted.
The overflow policy can be set to delete the oldest log files first (the default), to disable commands that trigger audit logging, or to stop creating new audit log files.

Syntax
(config) # logging subcommands

Subcommands
(config) # logging hostname_or_ip_address
Sends logging data to the specified external server. The server must support the SCP protocol.

(config) # logging console {emerg | alert | crit | err | warning | notice | notice_minor}
Sets the level at which messages are sent to console sessions. emerg results in the fewest log messages being sent to the console; notice_minor (the default) results in the most log messages.

(config) # logging dump-contents {clear | overflow-policy {delete | stop-logging | stop-processing} | url scp_server_url}
where scp_server_url is in the format scp://ip_or_hostname/path
Moves log messages to the SCP server specified by the url subcommand with the following options:

(config) # logging dump-contents clear
Clears (that is, deletes) the log messages in Director’s /local/logs/scplogs directory. Use this command only after moving the log files to an external server.

(config) # logging dump-contents overflow-policy {delete | stop-logging | stop-processing}
Sets policy to apply when the /local/logs/scplogs directory has 1GB or less available space as one of the following:
delete: Deletes the oldest files first.
stop-logging: Stops logging until the /local/logs/scplogs directory has more than 1GB of available space.
stop-processing: Stops processing any commands that trigger audit logging.

(config) # logging local {warning | notice | notice_minor}
Sets the level at which messages are saved locally.

(config) # logging trap {emerg | alert | crit | err | warning | notice | notice_minor}
Sets the level at which messages are sent to syslog servers. emerg results in the fewest log messages being sent to syslog servers; notice_minor results in the most log messages.
Trap messages for Director events are limited to startup, shutdown, and standby events. Standby events are discussed in the Blue Coat Director Configuration and Management Guide.

Example
director (config) # logging console warning

(config) # mail-config

Synopsis
Specify an outgoing Simple Mail Transfer Protocol (SMTP) server to e-mail the following types of information:
• Performance analysis reports
Includes bandwidth savings, effective throughput, and acceleration information available for proxies.
• Health reports
Enables you to monitor CPU and memory usage of devices.
• Activate user accounts with LDAP authentication
For more information about these reports, see the Blue Coat Director Configuration and Management Guide.

Syntax and Subcommands
director (config) # [no] mail-config {smtp_server_host-or-ip listen_port} [auth {enable | disable}] {user-credentials [username username password password]}
Preceding the command with the optional no parameter removes the specified mail configuration.

Parameter: Description

smtp_server_host-or-ip: SMTP server’s fully qualified host name or IP address. Guidelines for Simple Mail Transfer Protocol (SMTP) servers follow:
• You can specify an SMTP mail server by either a fully qualified host name or IP address.
Make sure the SMTP server meets all of the following availability requirements:
• It must be reachable by Director
• It must be capable of sending e-mails to all addresses you specify
In other words, you can choose either a corporate server or an external, publicly reachable SMTP server provided the server meets the preceding requirements.
• SSL and Transport Layer Security (TLS) encryption are not supported
• User name/password authentication is supported

port: specifies the SMTP server’s listen port

auth: (optional) determines whether or not the SMTP server requires user name and password authentication.
The following example configures Director to use the server smtp.example.com that listens on port 55 and specifies the server requires authentication:
director (config) # mail-config smtp.example.com 55 auth enable

Note: Changes you make to the SMTP server configuration with this command do not automatically display in the Management Console. To view the new parameters, close and restart the Management Console as discussed in the Blue Coat Director Configuration and Management Guide.

Related Command
To set up the report e-mails and specify the user name and password (if any) for SMTP server authentication, see “generate-report health” on page 56 or “generate-report performance” on page 57.

(config) # mc-migration

Synopsis
(Introduced in SGME 6.1.18.1) Generate a metadata file containing all of the devices managed in Director, and then use the metadata to import the devices to Blue Coat Management Center.

Syntax
(config) # mc-migration [subcommands]

Subcommands
This section discusses the following subcommands:

delete
(config) # mc-migration delete <file>
where <file> is the name of the metadata file.
Delete an existing metadata file.

generate
(config) # mc-migration generate
Generate a metadata file including all managed devices. The metadata is encrypted and compressed in a tgz.gpg file, for example, SGME-Director-to-MCMigration-2015.03.13-154907.tgz.gpg. The CLI prompts you to enter a passphrase. Enter a passphrase consisting of at least four characters and press the ENTER key. Be sure to record the passphrase; you need it to import the devices to Management Center.

upload
(config) # mc-migration upload <file> <server> [username username]
where:
• <file> is the name of the metadata file.
• <server> is the hostname or IP address of an external server:
http://<hostname[:port]>/<path and filename>
ftp://<hostname>/<path and filename>
scp://<hostname>//<path and filename>
Upload the metadata file to your external server.
When you type this subcommand, the CLI prompts you to enter a passphrase.

Additional Information
For information on importing devices and other features in Management Center, refer to documentation at:
https://bto.bluecoat.com/documentation/All-Documents/Management%20Center

(config) # monitoring

Synopsis
Health monitoring commands that maintain the health status of all the devices managed by Director. It also keeps track of all the alerts sent by a device and allows these alerts to be managed by a Director administrator. Additional parameters are available in enable mode as discussed in “#monitoring” on page 56. To view alert metrics you set up with these commands, see Chapter 10, Monitoring Devices, in the Blue Coat Director Configuration and Management Guide.

Subcommands
director (config) # monitoring {{alerts {acknowledge {alert alert_id | all | device device_id | group group_id | input alert_ids}} | {add-comment alert alert_id comment comment} | {delete {alert alert_id | all | device device_id | group group_id | input alert_ids}} | {unacknowledge {alert alert_id | all | device device_id | group group_id} | input alert_ids}} | {diagnose {device-state subcommands | standby-state subcommands}}

This section discusses the following subcommands:
• “alerts” on page 150
• “db reset” on page 151
• “diagnose” on page 151

alerts
The alerts subcommand enables you to acknowledge alerts, add comments to alerts, delete alerts, and unacknowledge alerts.
director (config) # monitoring alerts {acknowledge {alert alert_id | all | device device_id | group group_id | input input}} | add-comment alert alert_id comment comment} | {delete {alert alert_id | all | device device_id | group group_id} | input input}} | {unacknowledge {alert alert_id | all | device device_id | group group_id | input alert_ids}}}

director (config) # monitoring alerts acknowledge {alert alert_id | all | device device_id | group group_id | input alert_ids}
Sets the status of alerts to acknowledge for a single alert_id, all alerts, for a particular device_id or for all devices in a group_id. To acknowledge, unacknowledge, or delete several alerts at one time, use the input command to specify the alert IDs. An example follows:
director (config) # monitoring alerts delete input
Enter your alert id now.Press Ctrl-D when finished, or Ctrl-C to abort.

director (config) # monitoring alerts add-comment alert alert_id comment comment
Adds an optional comment (up to 512 bytes in length) to a particular alert_id.

director (config) # monitoring alerts delete {alert alert_id | all | device device_id | group group_id | input list_of_ids}
Deletes a single alert_id, all alerts in the system, all alerts for a particular device_id, or all alerts for all devices in a group_id. Using the optional input parameter enables you to enter a list of IDs to delete. When you are finished, press Control+D to delete the alerts or Control+C to cancel without deleting any alerts.

director (config) # monitoring alerts unacknowledge {alert alert_id | all | device device_id | group group_id}
Sets the status of alerts to unacknowledge for a single alert_id, all alerts, for a particular device_id or for all devices in a group_id.

db reset
director (config) # monitoring db reset
Use to reset the database only if advised to do so by Blue Coat Support.

diagnose
director (config) # monitoring diagnose {device-state {added | auto-registered | auto-registered-failed | connected | critical | deleted | disconnected | ok | warning} | {job-state {finished | started}}{standby-state {forced-active | forced-primary | forced-secondary | forced-standalone | partner-invalid | partner-lost | partner-regained | partner-valid | primary-inactive | secondary-reserve | sync-failed | sync-regained}}
Diagnostic command that sends a trap to SNMP trapsinks (that is, the host names or IP addresses to which SNMP traps are sent). When this trap is sent, the varbinds (that is, variable bindings) in the body of the trap have the following fixed values that cannot be changed:
sgHostname = "0.0.0.0"
sgSerialNumber = "0000000000"
sgDeviceId = "test-SG-id"
sgDeviceName = "test-SG-name"

Discussion of the subcommands follows:

director (config) # monitoring diagnose device-state {added | auto-registered | auto-registered-failed}
These commands apply to adding or registering devices (that is, ProxySG appliances) with Director as discussed in the Blue Coat Director Configuration and Management Guide.

director (config) # monitoring diagnose device-state {connected | critical | deleted | disconnected | ok | warning}
These commands apply to the state of devices managed by Director (for example, disconnected means a device is not reachable from Director).

director (config) # monitoring diagnose job-state {finished | started}
These commands apply to the state of Director jobs. For example, when a job finishes, the job-state-finished trap sends a notification message.

director (config) # monitoring diagnose standby-state {forced-active | forced-primary | forced-secondary | forced-standalone | partner-invalid | partner-lost | partner-regained | partner-valid | primary-inactive | secondary-reserve | sync-failed | sync-regained}
These commands apply only to two redundant Director 510 appliances configured as primary and secondary. This is also referred to as Director standby. For more information about standby, refer to Chapter 12, Configuring Director Redundancy, in the Blue Coat Director Configuration and Management Guide.

(config) # no

Synopsis
Negates certain configuration options.

Syntax
(config) # no [subcommands]

Subcommands
This section discusses the following subcommands:
• “access-list” on page 154
• “arp” on page 154
• “cli” on page 154
• “clock” on page 154
• “content” on page 154
• “device” on page 155
• “enable” on page 156
• “folder” on page 156
• “group” on page 156
• “hostname” on page 156
• “interface” on page 156
• “ip” on page 157
• “job” on page 157
• “lcd pin” on page 158
• “logging” on page 158
• “ntp” on page 158
• “radius-server” on page 159
• “remote-config” on page 159
• “require-config-lock enable” on page 160
• “session” on page 160
• “snmp-server” on page 160
• “ssh” on page 161
• “ssl” on page 161
• “tacacs-server” on page 161
• “telnet-management” on page 162
• “username” on page 162

access-list
For a complete discussion of access-list commands, including no commands, see “(config) #access-list access_list_name” on page 97.

arp
(config) # no arp {ip_address | timeout}
Removes a permanent entry from the ARP cache or resets the ARP-cache timeout.

cli
(config) # no cli subcommands

(config) # no cli capture
Disables capturing of CLI output to a file.

(config) # no cli help disable
Reenables the help system.

(config) # no cli print-message-codes
Specifies not to print error codes along with each error message.

(config) # no cli prompt-override
Removes the CLI prompt override.

(config) # no cli raw-input
Disables Raw Input mode (help, completion, and command line editing would be reenabled).

(config) # no cli timeout
Resets the command line timeout to the default. For more information about the command line timeout, see “(config) #cli” on page 107.

clock
(config) # no clock timezone
Resets the local time zone to Coordinated Universal Time (UTC).

content
(config) # no content [subcommands]

(config) # no content options timeout {completed-cmds | outstanding-cmds}
Resets the timeout for completed or in-progress (outstanding) content management commands to the default value.

(config) # no content priority one-time options
For syntax, see “[no] content priority one-time” on page 43.

(config) # no regex-list list_id [comment | name]
Deletes the specified regular expression list. The optional comment and name subcommands delete only the optional comment from the regular expression list or the list’s “friendly” name.

(config) # no url-list list_id [comment | name]
Deletes the specified URL list. The optional comment and name subcommands delete only the optional comment from the URL list or the list’s “friendly” name.

device
(config) # no device device_id [address | auth {rsa {key sshv2 | knownhost key sshv2 | username} | simple {username | password}} | authtype | comment | enable-password | name | protocol sshv2 port | serial-console-password | serial-number | substitution-variable name1 name2 ... namen | web-config port]
With no optional parameter specified, removes the specified device, meaning it will no longer be managed by Director. Optional parameters follow:

(config) # no device device_id address
Removes the IP address or host name from the specified device record.

(config) # no device device_id auth {rsa {key sshv2 | knownhost key sshv2 | username} | simple {username | password}}
Negates certain device authorization parameters for the specified device record (but not from the device itself). Examples follow:

(config) # no device device_id auth rsa key sshv2
deletes RSA keys from the device record. This command can be used only with devices that use the SSH-RSA protocol to authenticate with Director.

(config) # no device device_id auth rsa knownhost key sshv2
deletes public keys from the device record. This command can be used only with devices that use the SSH-RSA protocol to authenticate with Director.

(config) # no device device_id auth simple username
deletes the user name for the record of a device that uses simple authentication with Director.

(config) # no device device_id authtype
Sets the device’s authentication type to simple.

(config) # no device device_id comment
Removes the comment from the device record.

(config) # no device device_id enable-password
Removes the device’s enable password.

(config) # no device device_id name
Removes the device’s friendly name.

(config) # no device device_id overlay overlay_id
Removes the specified overlay from the device.

(config) # no device device_id protocol sshv2 port
Sets the port used for SSH v2 communication with the device to its default, port 22.

(config) # no device device_id serial-console-password
Removes the serial console password from the device record. To set the serial console password to a different value, use the following command discussed in “(config) #device device_id” on page 115:
(config device device_id) # serial-console-password password

(config) # no device device_id serial-number
Removes the hardware serial console password from the device record.
Because a hardware serial number is required to register and manage a device, you must supply a new serial number as discussed in “(config) #device device_id” on page 115.

(config) # no device device_id substitution-variable name1 name2 ... namen
Removes the indicated substitution variables from the device record.

(config) # no device device_id web-config port
Removes from the device record the port used to access the device’s Management Console. Because a port is required to register and manage a device, you must enter a new port using the following command, as discussed in “(config) #device device_id” on page 115:
(config device device_id) # web-config port port_number

enable
(config) # no enable password
Removes the device’s enable password.

folder
See “Negating Folder Commands” on page 128.

group
See “(config) #group group_id” on page 129.

hostname
(config) # no hostname
Removes Director's host name.

interface
(config) # no interface interface_number [duplex | ip {access-group {in | out} | address [ip_address netmask]} | shutdown | speed]
With no optional parameters, removes all configuration information for the specified interface; if the specified interface is dynamic (for example, a bridge interface) the interface is completely removed from the system.

(config) # no interface interface_number [duplex]
Resets the duplex for the specified interface to its default.

(config) # no interface interface_number [ip {access-group {in | out} | address [ip_address netmask]}]
Either removes an access group from the specified interface or removes all IP addresses or the specified IP address and netmask from the specified interface. For example, the following command removes all IP addresses from an interface:
(config) # no interface interface_number ip address

(config) # no interface interface_number [shutdown]
Re-enables this interface.

(config) # no interface interface_number [speed]
Resets the speed of this interface to its default, which is auto.

ip
(config) # no ip [subcommands]

(config) # no ip default-gateway
Removes the default gateway.

(config) # no ip domain-list domain_name
Removes the specified domain name.

(config) # no ip host hostname ip_address
Removes a static host mapping.

(config) # no ip icmp rate-limit
Resets the parameters for ICMP to the default values.

(config) # no ip name-server ip_address
Removes a DNS server.

(config) # no ip route network_prefix netmask [gateway-address gateway_ip_address]
Either removes all entries or removes the specified gateway IP address from the static routing table.

(config) # no ip tcp {path-mtu-discovery | selective-ack | syncookies | sync-rexmits | timestamp | unsync-rexmits | window-size}
Resets parameters for TCP, as follows:
• the path-mtu-discovery command disables path MTU discovery
• the selective-ack command disables selective ACKs
• the syn-cookies command disables the SYN-cookie mechanism
• the sync-rexmits command resets the number of retransmissions in the connected state to the default
• the timestamp command disables TCP timestamps
• the unsync-rexmits command resets the number of retransmissions in the unconnected state to the default
• the window-size command resets the TCP window size to the default

job
(config) # no job job_id
Removes the specified job.

(config) # no job job_id [comment]
Removes the comment from this job.

(config) # no job job_id [date-time-pairs yyyy/mm/dd hh:mm[:ss]]
Negates certain parameters for the date-time-pairs job type for the specified job.

(config) # no job job_id [disable]
Enables the specified job.

(config) # no job job_id [execution {all | execution_id}]
Either deletes all reports for the specified job or deletes a job report with the specified execution ID for the specified job.

(config) # no job job_id [name]
Removes the friendly name from the specified job.

(config) # no job job_id [saved-executions]
Makes the number of saved job reports unlimited.

(config) # no job job_id [time-of-day {absolute {start | stop} | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time time hh:mm[:ss]}]
The absolute command removes start and end dates/times for the job specified, the day command removes a day on which the specified job executes, and the time command removes a time on which the specified job executes.

lcd pin
(config) # no lcd pin
Resets the PIN for accessing the LCD panel to its default.

logging
(config) # no logging

(config) # no logging hostname_or_ip_address
Removes a syslog daemon server from the list of servers to which log messages are sent.

(config) # no logging console
Disables most console logging.

(config) # no logging dump-contents
Stops audit logs from being transferred to the external server.

(config) # no logging local
Disables all local logging.

(config) # no logging trap
Disables logging to external servers.

ntp
(config) # no ntp

(config) # no ntp enable
Disables NTP on this machine.

(config) # no ntp peer hostname_or_ip_address [prefer | version]
Removes the NTP peer specified, specifies not to prefer the NTP peer specified over others (the prefer option), or resets the expected NTP version for the NTP peer specified to the default (the version option).

(config) # no ntp server hostname_or_ip_address [prefer | version]
Removes the NTP server specified, specifies not to prefer the NTP server specified over others (the prefer option), or resets the expected NTP version for the NTP server specified to the default (the version option).

radius-server
(config) # no radius-server

(config) # no radius-server host hostname_or_ip_address [acctport | auth-port | key | request-stype | response-stype | retransmit | timeout]
Negates the RADIUS parameters for the specified hostname or IP address.

(config) # no radius-server key
Disables the authentication and encryption key for RADIUS servers.

(config) # no radius-server request-stype
Resets global RADIUS server request service-type to the default.

(config) # no radius-server response-stype
Resets global RADIUS server response service-type to the default.

(config) # no radius-server retransmit
Specifies not to retry RADIUS servers before declaring failure.

(config) # no radius-server timeout
Resets global RADIUS server timeout to the default.

remote-config
(config) # no remote-config

(config) # no remote-config backup un-pinned
Removes all un-pinned backups from all ProxySG on the management node.

(config) # no remote-config backup device device_id backup_id [comment | name | pin]
You can delete the specified backup, remove the backup’s comment (the comment option), remove the backup’s friendly name (the name option), or enable the backup to be automatically rotated out (the pin option).

(config) # no remote-config help device
Disables using a device for command completion and help.

(config) # no remote-config license-key
Deletes the BlueTouch Online user name and password, if any, entered when you upgraded a device license. (BlueTouch Online was previously referred to as WebPower.)

(config) # no remote-config overlay overlay_id [command sequence_number | comment | name]
You can remove the specified overlay, remove the specified command from the specified overlay (the command option), remove the comment string from the specified overlay (the comment option), or remove the friendly name from the specified overlay (the name option).

(config) # no remote-config profile profile_id [command sequence_number | comment | name]
You can remove the specified profile, remove the specified command from the specified profile (the command option), remove the comment string from the specified profile (the comment option), or remove the friendly name from the specified profile (the name option).

require-config-lock enable
(config) # no require-config-lock enable
Disables the explicit configuration lock. It sets the configuration in the user interface to implicitly acquire the configuration lock, as required, to make changes to the configuration settings. The Acquire Lock button does not display on the user interface when the CLI is set to no require-config-lock enable.

session
(config) # no session session-ip username username
Kills the Management Console session running on the specified IP address and user name. This command ends the session immediately, causing the user to lose any work in progress but not yet saved. Entering no session ? displays the list of currently logged-in users and the IP addresses used by Director Management Console sessions. Because you can run a maximum of five Management Console sessions at one time, use this command to log off Management Console users to permit another user to log in.

snmp-server
(config) # no snmp-server

(config) # no snmp-server community
Resets the community name to the default (public) on this node.

(config) # no snmp-server contact
Clears the SNMP contact string on this node.

(config) # no snmp-server enable [authtraps | inform | traps]
Disables the SNMP server, or, if you enter one of the command options, either disables receiving of SNMP authorization traps or disables sending of SNMP informs or traps on this node. SNMP traps are limited to Director startup and shutdown events.

(config) # no snmp-server host hostname
Stops sending SNMP notifications to a host.

(config) # no snmp-server inform default-community
Resets the default community name used to send SNMP informs to hosts without a community string override to its default (public).

(config) # no snmp-server location
Clears the SNMP location string on this node.

(config) # no snmp-server traps default-community
Resets the default community name to use for sending traps to its default.

(config) # no snmp-server traps default-version
Resets the default version to use for sending traps to its default.

ssh
(config) # no ssh

(config) # no ssh client user username authorized-key rsakey {all | sshv1 key_length exponent key | sshv2 key}
Removes either all known host public keys for the specified user account or removes an SSHv1 or SSHv2 authorized key for this user account.

(config) # no ssh client user username known-host hostname_or_ip_address
Removes a known host public key for the specified user.

(config) # no ssh server auth {allowpassword | allowrsa | permitemptypassword}
allowpassword: Disallows users from authenticating using a password.
allowrsa: Disallows users from authenticating using RSA.
permitemptypassword: This setting prevents Director from sending requests to the RADIUS server without a password. Use this command if users receive account locked out errors attempting to log in to a Director appliance. For more information, see “ssh server” on page 196.
Note: This command persists across Director reboots.

(config) # no ssh server enable {sshv1 | sshv2}
Disables either the SSHv1 server or the SSHv2 server on this machine.

(config) # no ssh server hostkey rsakey {sshv1 | sshv2}
Deletes the RSA host key either for SSHv1 or SSHv2.

(config) # no ssh server knownhost hostname_or_ip_address
Removes known host entries.

ssl
(config) # no ssl

(config) # no ssl registration-password
Clears the registration password.

tacacs-server
(config) # no tacacs-server [subcommands]

(config) # no tacacs-server host hostname [key | port | single-connection | timeout]
Either removes this host from the list of TACACS servers or, if you specify an option, does one of the following for the specified host: the key command removes the key override, the port command resets the port to the default, the single-connection command disables Single Connection mode, and the timeout command removes the timeout override.

(config) # no tacacs-server key
Resets the key to the default.

(config) # no tacacs-server timeout
Resets the communication timeout to the default.

telnet-management
(config) # no telnet-management {args | enable}
Prevents sending Telnet arguments to the server (args parameter) or disables the use of the Telnet server (enable parameter).

username
(config) # no username username
Removes the specified user account from the system.

(config) # no username username [password]
Specifies not to require a password for the specified user to log in.

(config) # no username username [privilege]
Resets the specified user’s privilege level to the default (15), which is the maximum value.

Example
director (config) # no ssh server auth allowpassword

(config) # ntp

Synopsis
Enables and disables the ntpd (NTP daemon) and Network Time Protocol (NTP) settings.

Syntax
(config) # [no] ntp enable
Enables NTP on Director. Preceding the command with the optional no subcommand disables NTP. Also see “(config) #ntpdate” on page 164.

(config) # ntp peer ip_address_or_hostname [prefer | version version_number]
Either adds an NTP peer or changes the settings for the specified NTP peer.

(config) # ntp server [prefer | version version_number]
Either adds an NTP server or changes the settings for the specified NTP server.
Example
director (config) # ntp enable

(config) # ntpdate

Synopsis
Sets the system clock from a remote NTP server.

Syntax
(config) # ntpdate ip_address_or_hostname
Sets the system clock from a specified NTP server.

Differences between this command and ntp include:
• ntpdate synchronizes the clock with an NTP server one time whereas ntp starts and stops the ntpd service, and the ntpd keeps Director’s clock in synchronization constantly.
• ntp has an algorithm that calculates and fixes the drift in your server's clock, whereas ntpdate does not keep any state to perform this service for you so will not provide the same kind of accuracy.
• If Director’s clock is inaccurate by several hours, and you are using ntp, you should restart Director. On restart, ntp uses ntpdate to reset the system clock.

Important: Do not use ntpdate if the ntpd is running. Doing so can result in unpredictable performance. Instead, use the reload command to restart Director as discussed in “(config) #reload” on page 175.

For more information, see one of the following articles. Note that the Director ntp and ntpdate commands do not support optional command-line switches discussed in these articles. Director’s commands support only the parameters discussed in this book.
• Compare NTP and NTPDATE—ServerFault
• Sample NTPDATE man page

Because the system time is not stored in the configuration file, this command does not wait for a write memory command to be committed to persistent storage.

Example
director (config) # ntpdate 10.25.36.47

(config) # ping

Synopsis
Sends ICMP echo request packets. This command is also available in Standard and Configuration modes. See “>ping” on page 22 for more information.

(config) # push-policy

Synopsis
See “#push-policy” on page 61.
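The no forms described earlier in this chapter for ssh server, telnet-management, username and snmp-server inform each turn off or reset a management-access setting. The following Python check is an added example, not part of the Blue Coat documentation: it replays a saved list of configuration commands in order and reports which of those settings are still in effect at the end. It assumes one command per line (with or without the prompt), that the positive form of each command is the no form without the leading no, and that username name password ... sets a password; the sample input is constructed.

```python
import re

# Strips an optional "director (config) # " style prompt from a pasted line.
PROMPT = re.compile(r"^\s*\S*\s*\(config[^)]*\)\s*#\s*")

# Constructed sample input (not captured from a real appliance).
SAMPLE_CONFIG = """\
director (config) # ssh server enable sshv1
director (config) # ssh server enable sshv2
director (config) # ssh server auth allowpassword
director (config) # ssh server auth permitemptypassword
director (config) # no ssh server enable sshv1
director (config) # no ssh server auth allowpassword
director (config) # telnet-management enable
director (config) # no username alice password
director (config) # no username bob password
director (config) # no username bob
director (config) # no snmp-server inform default-community
"""


def audit(config_text):
    """Replay the commands in order and return the findings still in effect."""
    sshv1 = False
    auth = {"allowpassword": False, "permitemptypassword": False}
    telnet = False
    inform_community = None      # None means the input never mentions it
    passwordless = set()         # accounts left without a required password

    for raw in config_text.splitlines():
        tokens = PROMPT.sub("", raw, count=1).split()
        negated = bool(tokens) and tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if not tokens:
            continue

        if tokens[:3] == ["ssh", "server", "enable"] and tokens[3:4] == ["sshv1"]:
            sshv1 = not negated
        elif tokens[:3] == ["ssh", "server", "auth"] and tokens[3:4] and tokens[3] in auth:
            auth[tokens[3]] = not negated
        elif tokens[:2] == ["telnet-management", "enable"]:
            telnet = not negated
        elif tokens[0] == "username" and len(tokens) >= 2:
            name, rest = tokens[1], tokens[2:]
            if negated and not rest:
                passwordless.discard(name)      # account removed entirely
            elif negated and rest[0] == "password":
                passwordless.add(name)          # password no longer required
            elif not negated and rest[:1] == ["password"]:
                passwordless.discard(name)      # assumed positive form: password set
        elif tokens[:3] == ["snmp-server", "inform", "default-community"]:
            if negated:
                inform_community = "public"     # documented default after reset
            elif len(tokens) > 3:
                inform_community = tokens[3]

    findings = []
    if sshv1:
        findings.append("ssh-v1-enabled")
    if auth["allowpassword"]:
        findings.append("ssh-password-auth")
    if auth["permitemptypassword"]:
        findings.append("ssh-empty-password")
    if telnet:
        findings.append("telnet-enabled")
    if inform_community == "public":
        findings.append("snmp-inform-community-public")
    findings += [f"passwordless-user:{user}" for user in sorted(passwordless)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Because later commands override earlier ones, the sample reports neither SSHv1 nor the bob account: both are undone further down the list.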
(config) # ldap-server

Synopsis
Configures your LDAP server settings.

Director enables you to use the following authentication schemes for user access to Director:
• LDAP: Supports authentication to an AD server. Authorization is defined locally on the Blue Coat Director.
• RADIUS: Supports authentication and authorization.
• TACACS: Supports authentication only. All users authenticated by TACACS have privilege level 15 access. For more information, see “(config) #tacacs-server” on page 201.
• Local: Supports authentication and authorization. For more information, see “(config) #username” on page 208.

To use a combination of the preceding authentication and authorization mechanisms, see “(config) #aaa authentication login default” on page 94.

Syntax
(config) # ldap-server {{admin-mail email_address} | anonymous {enable |disable} | bind-password bind_password | bind-username bind_username | ca-certificate input certificate_details | default-admin-privilege {enable | disable} | distinguished-name Base_DN | primary-server hostname port port_number | alternate-server hostname port port_number | referrals {enable | disable} | ssl {enable | disable} | test-ldap | timeout nnh nnm nns | username username userprincipalname userprincipalname | version {2 | 3}}

(config) # no ldap-server {admin-mail | bind-password | bind-username | ca-certificate | distinguished-name | primary-server {port} | alternate-server {port} | timeout nnh nnm nns | username username userprincipalname userprincipalname}
Removes the LDAP configuration for the specified attribute.

(config) # test-ldap-configuration username username password password
Tests your LDAP configuration, see “test-ldap” on page 170.
Subcommands
See one of the following sections for more information:
• “admin-mail” on page 168
• “anonymous” on page 168
• “bind-password” on page 168
• “bind-username” on page 168
• “ca-certificate” on page 168
• “default admin-privilege” on page 168
• “distinguished-name” on page 169
• “primary-server” on page 169
• “alternate-server” on page 169
• “referrals” on page 169
• “ssl” on page 169
• “timeout” on page 169
• “username” on page 169
• “version” on page 170

admin-mail
(config) # ldap-server admin-mail email-address
Sets the email address for contacting the administrator when a new LDAP user logs in to the appliance.

anonymous
(config) # ldap-server anonymous {enable |disable}
Enables or disables an anonymous bind connection to the LDAP server. If enabled, you do not need to enter the bind username and bind password for querying the LDAP server.

bind-password
(config) # ldap-server bind-password bind_password
Sets the password that allows you to bind to the LDAP server for authenticating users.

bind-username
(config) # ldap-server bind-username bind_username
Sets the username that allows you to bind to the LDAP server for authenticating users. Specify the domain for the bind user account. For example: Domain\Administrator
This user should have permissions to start querying for users starting at the Base DN and then through each node in the subsequent hierarchy that you have set up on your directory server.

ca-certificate
(config) # ldap-server ca-certificate input certificate_details Ctrl D when done
Allows you to import the SSL certificate required to set up secure LDAP. To enable trust between the LDAP server and the Director, you must import the trusted root certificate signed by the issuing Certificate Authority in to the Director.
default admin-privilege
director (config) # ldap-server default-admin-privilege {enable | disable}
Sets the default access privilege for all new LDAP users to privilege 15 access on the Director.

distinguished-name
director (config) # ldap-server distinguished-name Base DN
Sets the Distinguished Name (DN) that uniquely identifies each entry on a global level. The Base DN is a concatenation of the directory tree structure; it defines the tree in the LDAP directory that contains the users you wish to authenticate, and it serves as the starting point for the search.

primary-server
director (config) # ldap-server primary-server ip_address or hostname port port number
Sets the IP address and port, or hostname for the primary LDAP server. For simple LDAP the default port is 389; for secure LDAP the default port is 636.
Note: For secure LDAP, you must specify the hostname. Use the common name (CN) defined in your CA certificate as the hostname for your AD server. If you do not enter the same hostname, authentication will fail because the Director will be unable to connect with the server.

alternate-server
director (config) # ldap-server alternate-server ip_address or hostname port port number
Sets the IP address and port, or hostname for the alternate LDAP server.

referrals
director (config) # ldap-server referrals {enable | disable}
Enables or disables LDAP referrals; LDAP referral is only supported on LDAPv3. When you enable referral, if the configured LDAP server does not contain the directory information for authenticating the user, the LDAP server can return a referral to another server. The Blue Coat Director can follow the referral to authenticate the user.

ssl
director (config) # ldap-server ssl {enable | disable}
Enables or disables secure LDAP or LDAP over SSL.
timeout
director (config) # ldap-server timeout nnh nnm nns
where nn is number, h is hour, m is min, s is sec
Determines the length of time that the Blue Coat Director waits for a response from the LDAP server. When this value is reached, the Director closes the connection to the server. The default value is 120 seconds.

username
director (config) # ldap-server username username userprincipalname userprincipalname
Allows you to add the specified username to the Blue Coat Director. The userprincipalname is a user attribute that is specified in the Active Directory server; this attribute uniquely identifies a user across multiple domains and in AD it is typically the name of a user in an e-mail address format.
By default, when a user attempts to log in to the Director, an account with the username is created. You must enable the account to allow access to the user.
To enable a user account:
director (config) # ldap-server username username userprincipalname userprincipalname enable

version
director (config) # ldap-server version {2 | 3}
Defines the LDAP version to use for communicating with the LDAP server.

test-ldap
director (config) # test-ldap-configuration username username password password
Validates your LDAP configuration. The Test LDAP button performs the following checks:
• Verifies that the Blue Coat Director can connect to the configured primary and alternate AD server's IP address and port. This test includes these things, if configured.
    • DNS name resolution.
    • Connectivity test to the primary and alternate hosts.
    • Ability to connect over SSL using the certificate details provided.
• Verifies that the Blue Coat Director is able to authenticate the user against the AD server. This check validates that the Blue Coat Director can complete either of the following:
    • Perform an anonymous bind
    • Use the bind credentials defined in your settings to query the Base DN.
Note: If you have configured both a primary and an alternate server, the authentication validation is performed only against the primary server; the alternate server is used for authentication only if the primary server is unavailable. To explicitly test the settings for the alternate server, you must replace the IP address and port for your primary server with those of the alternate server, or temporarily block access to the primary AD server.

Example:
director (config) # test-ldap-configuration username <need username in the format that the admin must enter here> password test
Server Connection:
Primary Server: Ok
Alternate Server: Ok
Authentication:
User authentication: Failed
Reason: the AD server could not authenticate the user because the password is incorrect.

(config) # radius-server

Synopsis
Configures RADIUS server settings.

Director enables you to use the following authentication schemes for user access to Director:
• LDAP: Support authentication to an AD server. Authorization is defined locally on the Blue Coat Director. For more information, see “(config) #ldap-server” on page 167.
• RADIUS: Supports authentication and authorization.
• TACACS: Supports authentication only. All users authenticated by TACACS have privilege level 15 access. For more information, see “(config) #tacacs-server” on page 201.
• Local: Supports authentication and authorization. For more information, see “(config) #username” on page 208.

To use a combination of the preceding authentication and authorization mechanisms, see “(config) #aaa authentication login default” on page 94.
Syntax
(config) # radius-server {{host hostname_or_ip_address} | key shared_key}} [[auth-port port_number | acct-port port_number | request-stype type | response-stype type | retransmit number_of_tries | timeout #h #m #s]]

Subcommands
See one of the following sections for more information:
• “host” on page 172
• “key” on page 173
• “acct-port” on page 173
• “auth-port” on page 173
• “request-stype” on page 173
• “response-stype” on page 173
• “retransmit” on page 173
• “timeout” on page 173

host
(config) # radius-server host hostname_or_ip_address key shared_key
Adds the specified host to the list of RADIUS hosts using required subcommands only. When you specify a RADIUS server, you must also specify a shared key—either explicitly with the key subcommand or by specifying a default key as shown in the following subcommand.

key
(config) # radius-server key shared_key
Specifies a default shared key to be used if you add a RADIUS server without the key subcommand.

acct-port
(config) # radius-server host hostname_or_ip_address key shared_key [acct-port port_number]
Sets the port number to use for accounting requests to the specified RADIUS host.

auth-port
(config) # radius-server host hostname_or_ip_address key shared_key [auth-port port_number]
Sets the port number to use for authorization requests to the specified RADIUS host.

request-stype
(config) # radius-server host hostname_or_ip_address key shared_key [request-stype request_stype_1-11]
Sets the global RADIUS-host communication request service-type. Can be overridden on a per-host basis. The service-type specified is used in the request packet sent to the RADIUS host. If you specify this subcommand without specifying a RADIUS server, it is used as a default value if you add a RADIUS server without the request-stype subcommand.
response-stype
(config) # radius-server host hostname_or_ip_address key shared_key [response-stype response_stype_1-11]
Sets the global RADIUS-host communication response service-type to privilege-level mapping with all RADIUS hosts. Can be overridden on a per-host basis. The service-type is expected in the RADIUS-host response. If a match is found, the mapping privilege-level provided is used for the user logging in. If you specify this subcommand without specifying a RADIUS server, it is used as a default value if you add a RADIUS server without the response-stype subcommand.

retransmit
(config) # radius-server host hostname_or_ip_address key shared_key [retransmit number_of_tries]
Sets the number of times the node will retry this RADIUS host before giving up. To disable retransmission for this host, set it to 0 (zero). If you specify this subcommand without specifying a RADIUS server, it is used as a default value if you add a RADIUS server without the retransmit subcommand.

timeout
(config) # radius-server host hostname_or_ip_address key shared_key [timeout #h #m #s]
Sets the timeout on communication with all RADIUS hosts in the form nh nm ns, where n is a number and h, m, and s set the hour, minute and second. You can enter one, two, or all three time parameters. Can be overridden on a per-host basis. If you specify this subcommand without specifying a RADIUS server, it is used as a default value if you add a RADIUS server without the timeout subcommand.

(config) # reload

Synopsis
Reboots or shuts down this machine. This command is also available in enable mode. See “#reload” on page 62 for more information.

(config) # remote-config

Synopsis
This command allows you to configure and manage remote devices.
Syntax
(config) # remote-config subcommands

Subcommands
This section discusses the following subcommands:
• “associate-overlay” on page 176
• “associate-profile” on page 176
• “backup” on page 176
• “clear-byte-cache” on page 178
• “clear-dns-cache” on page 178
• “clear-object-cache” on page 178
• “diff” on page 178
• “dissociate-overlay” on page 178
• “dissociate-profile” on page 178
• “download-system url” on page 178
• “execute” on page 179
• “help device” on page 179
• “license-key” on page 179
• “overlay” on page 179
• “profile” on page 181
• “reboot” on page 182
• “reconnect” on page 183
• “validate-system version” on page 183

associate-overlay
(config) # remote-config associate-overlay <overlay_id> <type device | group> <device_id | group_id>
(Introduced in SGME 6.1.10.1) Associate an overlay to device or group of devices.

associate-profile
(config) # remote-config associate-profile <profile_id> <type device | group> <device_id | group_id>
(Introduced in SGME 6.1.10.1) Associate a profile to device or group of devices.

backup
(config) # remote-config backup
Changes the prompt to (config remote-config backup)

(config remote-config backup) # addr-device ip_address_or_hostname | addr6-device ip_address
Takes a snapshot of the configuration for the specified device address. If necessary, removes the oldest backup to make room for this newest one.

(config remote-config backup) # all
Takes a snapshot of the configuration for all devices. If necessary, removes the oldest backup to make room for this newest one.

(config remote-config backup) # [no] device device_id [backup_id {comment backup_comment | name backup_name | pin}]
Takes a snapshot of the configuration for the specified device. If necessary, removes the oldest backup to make room for this newest one. Prefacing the command with no removes the indicated device backup.
The optional commands add a comment or friendly name for the specified device backup, or promote the specified automatic backup to permanent status, meaning this backup will not be automatically removed when old backups are deleted. The system will not allow you to pin the last unpinned backup slot. The final slot must be reserved for automatic backups.

(config remote-config backup) # exit
Exits backup submode and returns to configuration mode.

(config remote-config backup) # group group_id
Takes a snapshot of the configuration for the specified group of devices. If necessary, removes the oldest backup to make room for this newest one.

(config remote-config backup) # help
Displays help information.

(config remote-config backup) # model model
Takes a snapshot of the configuration for all devices with the specified appliance model. To display a list of valid models, enter model ?. If necessary, the command removes the oldest backup to make room for this newest one.

(config remote-config backup) # no un-pinned
Deletes all backups that are not pinned.

(config remote-config backup) # options max-backups max_backups_value
Master count of total automated backups allowed per device. If max_backups_value is less than the number of automated backups currently saved for any given device, warning messages display and max_backups_value is automatically set to the lowest possible value. For example, if a device already has seven backups, and you try to set max-backups to 5, it will instead be set to 7. The same check is made to make sure a given device will not end up with all its possible backups pinned. For example, if a device has five pinned backups, and you try to set max-backups to 5, it will instead be set to 6.

(config remote-config backup) # restore device device_id backup_id
Restores the specified backup to the specified device.
(config remote-config backup) # os-version sgos_version
Takes a snapshot of the configuration for all devices with the specified SGOS version. To display a list of valid versions, enter os-version ?. If necessary, the command removes the oldest backup to make room for this newest one.

clear-byte-cache
(config) # remote-config clear-byte-cache {all | device device_id | group | group_id | model model | os-version sgos_version}
Clears the byte cache on all devices, a specific device, or on a group of devices.

clear-dns-cache
(config) # remote-config clear-dns-cache {all | device device_id | group | group_id | model model | os-version sgos_version}
Clears the DNS cache on all devices, a specific device, or on a group of devices.

clear-object-cache
(config) # remote-config clear-object-cache {all | device device_id | group | group_id | model model | os-version sgos_version}
Clears the object cache on all devices, a specific device, or on a group of devices.

diff
Compares backups, overlays, or profiles using a diff utility and formats the output in one of the following ways:
• context format uses an identification line for each file, containing the filename and modification date.
• unified (default) uses plus and minus signs to indicate differences: each line that occurs only in the left file is preceded by a minus sign, each line that occurs only in the right file is preceded by a plus sign, and common lines are preceded by a space.
This command is discussed in “#remote-config” on page 63.

dissociate-overlay
(config) # remote-config dissociate-overlay <overlay_id> <type device | group> <device_id | group_id>
(Introduced in SGME 6.1.10.1) Dissociate an overlay from a device or group of devices.

dissociate-profile
(config) # remote-config dissociate-profile <profile_id> <type device | group> <device_id | group_id>
(Introduced in SGME 6.1.10.1) Dissociate a profile from a device or group of devices.
download-system url
This command is discussed in “#remote-config” on page 63.

execute
This command is discussed in “#remote-config” on page 63.

help device
(config) # remote-config help device device_id
Sets the specified device to be the designated device for command completion help. When the user needs help while constructing an SGOS command, the Director will communicate with this device to retrieve command help and to complete help commands. If this value is not set, a message displays if you attempt to access device help.

license-key
This command is discussed in “#remote-config” on page 63.

overlay
(config) # remote-config overlay overlay_id [comment | copy new_overlay_id | create | execute subcommands | input | name name | policy_type {enable | disable} | reference {device device_id | url url} | policy_type {enable | disable} | refresh [device device_id | url url]]
To enter overlay submode, enter (config) # remote-config overlay overlay_id

(config remote-config overlay overlay_id) # comment overlay_comment
Assigns a comment string to this overlay.

(config remote-config overlay overlay_id) # copy new_overlay_id
Copies the entered overlay.

(config remote-config overlay overlay_id) # create
Creates a new overlay with this ID.

(config remote-config overlay overlay_id) # execute

(config remote-config overlay overlay_id) # execute addr-device ip_address_or_hostname | model model | os-version sgos_version [errors-only]
Executes the overlay on the device with the specified address. The errors-only option specifies to display only errors. These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config overlay overlay_id) # execute all [errors-only]
Executes the overlay on all groups and devices. The errors-only option specifies to display only errors.
These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config overlay overlay_id) # execute device device_id
Executes the overlay on the specified device. The errors-only option specifies to display only errors. These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config overlay overlay_id) # execute group group_id
Executes the overlay on the specified group of devices. The errors-only option specifies to display only errors. These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config overlay overlay_id) # execute {model model | os-version sgos_version group_id}
Executes the overlay on devices of the specified model or running the specified version of SGOS. The errors-only option specifies to display only errors. These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config overlay overlay_id) # exit
Exits overlay submode and returns to configuration mode.

(config remote-config overlay overlay_id) # help
Displays help information.

(config remote-config overlay overlay_id) # input
This command loads an overlay into the Director. Enter the entire contents of the overlay, ending with Control+D. The commands you enter replace the entire overlay.
Be careful when using the input command that you do not include any device-specific commands that could destabilize the Director's connection to the device, such as setting the device's IP address.

(config remote-config overlay overlay_id) # name name
Sets the friendly name associated with an overlay. If the overlay already had a name, the old one is overwritten.

(config remote-config overlay overlay_id) # no {comment | name | reference}
Removes from the overlay its comment, friendly name, or reference device.

(config remote-config overlay overlay_id) # policy_type {enable | disable}
This command is used with content filtering policy. This command is available for the sadmin, admin, and all privilege 15 users.
The enable subcommand creates a Content Policy overlay. That is, the overlay has manual settings that make it usable with content filtering policy.
The disable subcommand changes the overlay type to be a normal overlay, and not the content policy overlay.

(config remote-config overlay overlay_id)# reference {device device_id | url}
This command determines the reference device or URL for the overlay. The reference is used to get refreshables and, if you specify a reference device, to start the Management Console viewer to add configurable settings for the overlay.

(config remote-config overlay overlay_id) # reference device device_id
Sets the reference device to device_id. Refreshables are fetched from this device ID and the device’s Management Console viewer can be used to get configurable settings.

(config remote-config overlay overlay_id) # reference url url_id
Sets the reference to a URL. Refreshables for the overlay are stored in a text file at this URL.

(config remote-config overlay overlay_id) # refresh [device device_id | url url]

(config remote-config overlay overlay_id) # refresh
Fetches refreshables for the overlay from the reference.
(config remote-config overlay overlay_id) # refresh device device_id
Fetches refreshables for the overlay from a device.

(config remote-config overlay overlay_id) # refresh url url
Fetches refreshables for the overlay from a URL.

profile
(config) # remote-config profile profile_id [comment | copy new_profile_id | create | execute subcommands | input | name name | reference {device device_id | url url} | refresh [device device_id | url url]]
To enter profile submode, enter (config) # remote-config profile profile_id

(config remote-config profile profile_id) # comment
Adds a comment to this profile.

(config remote-config profile profile_id) # copy new_profile_id
Copies this profile.

(config remote-config profile profile_id) # create
Creates a new profile with this profile ID.

(config remote-config profile profile_id) # execute {addr-device ip_address_or_hostname | all | device device_id | group group_id model model | os-version sgos_version} [errors-only]
Pushes out a profile to the specified device, group of devices; or to devices of the specified model or running the specified version of SGOS. This will make the configuration on the device be exactly that of the profile; that is, the devices' configurations are reset, and then the configuration commands in the profile are applied.
The errors-only option specifies to display only errors. These errors could be Director errors or errors the device generates executing the commands. Device-generated errors display the % (percent) character on the beginning of a line of device output.

(config remote-config profile profile_id) # exit
Exits profile submode and returns to configuration mode.

(config remote-config profile profile_id) # help
Displays help information.

(config remote-config profile profile_id) # input
This command loads a profile into Director. Enter the entire contents of the profile, ending with Control+D. The commands you enter replace the entire profile.
Be careful when using the input command that you do not include any device-specific commands that could destabilize Director's connection to the device, such as setting the device's IP address.

(config remote-config profile profile_id) # name name
Assigns a friendly name to this profile.

(config remote-config profile profile_id) # no {comment | name | reference}
Removes from the profile its comment, friendly name, or reference device.

(config remote-config profile profile_id) # reference

(config remote-config profile profile_id) # reference device device_id
Sets the reference-device to a device.

(config remote-config profile profile_id) # reference url url_id
Sets the reference-url to a URL.

(config remote-config profile profile_id) # refresh [device device_id | url url]
This command determines the reference device or URL for the profile. The reference is used to get profile data. If you specify a URL, profile data is stored in a text file at this URL.

(config remote-config profile profile_id) # refresh
Fetches the overlay from the reference.

(config remote-config profile profile_id) # refresh device device_id
Fetches the profile data from a device.

(config remote-config profile profile_id) # refresh url url
Fetches the profile data from a URL, where url is in one of the formats discussed in “URL Syntax” on page 12.

reboot
(config) # remote-config reboot [addr-device ip_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version]

(config) # remote-config reboot addr-device ip_or_hostname
Reboots the device with the specified IP address or hostname.

(config) # remote-config reboot all
Reboots all known devices.

(config) # remote-config reboot device device_id
Reboots the specified device.

(config) # remote-config reboot group group_id
Reboots all devices in the specified group.
(config) # remote-config reboot {model model | os-version sgos_version}
Reboots all devices of the specified model or that run the specified version of SGOS.

reconnect
(config) # remote-config reconnect {addr-device ip_or_hostname | all | device device_id | group group_id | model model | os-version sgos_version}
Reconnects to devices specified as follows:

(config) # remote-config reconnect addr-device ip_or_hostname
Reconnects to a specific device at the specified host name or IP address.

(config) # remote-config reconnect all
Reconnects to all known devices.

(config) # remote-config reconnect device device_id
Reconnects to a specific device_id.

(config) # remote-config reconnect group group_id
Reconnects to all devices in group_id.

(config) # remote-config reconnect {model model | os-version sgos_version}
Reconnects to all devices of the specified model or that run the specified version of SGOS.

validate-system version
(config) # remote-config validate-system version version {addr-device ip_address_or_hostname | all | device device_id | group group_id model model | os-version sgos_version}
Validates the image version of a certain device or group of devices.

Example
director (config) # remote-config backup restore device 10.25.36.47 bu2director
director (config) # remote-config backup addr6-device 2001:5c0:9168::161
Backup complete for device "82". ID 82-2012.03.05-124232

(config) # require-config-lock enable

Synopsis
Requires Management Console users to explicitly acquire the configuration lock before making changes to Director’s running configuration. This command causes the Acquire Lock button to display in the Director Management Console.
To release the configuration lock, enter no require-config-lock enable as discussed in “(config) #require-config-lock enable” on page 185.
When you release the configuration lock, any changes you made to Director’s configuration are committed.
To show the current state of the configuration lock enter show require-config-lock as discussed in “(config) #require-config-lock enable” on page 185.
For more information, see the discussion of configuration changes in Appendix A, Administering Director, in the Blue Coat Director Configuration and Management Guide.

(config) # restore-db userdb

Synopsis
This command is related to content filtering policy. This command is available for the sadmin user only and should be used only when advised to do so by Blue Coat Support.
Enables you to restore the user database (which contains information about the associations between delegated users, user groups, and Content Policy overlays). However, it does not restore the devices, groups, or user groups themselves. Backups are made automatically once a day.

Syntax
director (config) # restore-db userdb backup_name
Restores the daily backup you select. For example,
director (config) # restore-db userdb userdb-backup-Wed

(config) # role

Synopsis
Creates a user group for use with content filtering policy. This command is available to the sadmin user only. Users associated with this group can apply content filtering policy to devices or custom groups also associated with the user groups.
For more information about content filtering policy commands, see “Content Filtering Policy and Role-Based Access” on page 7.

Syntax
director (config) # role delegated-admin user-group user_group_name
Creates the specified user group. The user group name can be a maximum of 45 alphanumeric characters in length.
Related Commands

• To create a delegated user authorized locally,
  director (config) # username username role delegated-admin
• To create a delegated user authorized by RADIUS,
  director (config) # username username auth-type radius

User Groups

• To associate delegated users with a user group,
  director (config) # username username role delegated-admin user-group group_name
  See “(config) #username” on page 208.
• To associate a user group with a device or with a custom group,
  director (config) # [no] device-acl role delegated-admin user-group user_group_name {device device_id | group custom_group_name}
  For more information, see “(config) #device-acl” on page 121.
• To set the policy type for a user-group to local,
  director (config) # role delegated-admin user-group user_group_name set-policy-type local
• To set the policy type for a user-group to central,
  director (config) # role delegated-admin user-group user_group_name set-policy-type central central_file_path username username password password
• To set whether changes to the central policy file are automatically or manually sent to the devices,
  director (config) # role delegated-admin user-group user_group_name set-policy-type central send-sg-commands {enable | disable}

Overlays

• To create a Content Policy overlay,
  director (config) # remote-config overlay overlay_id policy_type enable
  director (config) # remote-config overlay overlay_id
  director (config remote-config overlay "overlay_id") # input
  For more information, see “overlay” on page 179.
• To associate a content policy overlay with a user group,
  director (config) # role delegated-admin user-group user_group_name overlay content_policy_overlay_name
• To disassociate an overlay from a user group,
  director (config) # no role delegated-admin user-group user_group_name overlay
• To associate a Content Policy overlay with a device,
  director (config) # device device_id overlay content_policy_overlay_name
  For more information, see “(config) #device device_id” on page 115.

Substitution Variables

• To create substitution variables,
  director (config) # [no] role-substitution-variable variable_name {device device_id | group group_name} input
  For more information, see “(config) #role-substitution-variable” on page 189.

List Settings

• To enable or disable the list settings for the delegated users,
  director (config) # role delegated-admin user-group user_group_name {all | user user_name} list-settings {allow_urls|block_urls|allow_categories|block_categories} {enable|disable}
  The all option can be used to apply the settings for all the users in the user group.

Categories

• To associate a set of categories to the delegated user from the master category list,
  director (config) # role delegated-admin user-group user_group_name {all | user user_name} categories input
  The all option can be used to apply the settings for all the users in the user group.

(config) # role-substitution-variable

Synopsis

Enables you to define substitution variables and values for use with content filtering policy for selected devices. This command is used with content filtering policy.

If the target is a device or group, only a delegated user can run the command. If non-delegated users try to execute these commands, an error occurs.

If the target is a user-group, this command is available for the delegated and non-delegated users. When executed, substitution variables are created with the prefix of user-group.
These substitution variables are common to all users that belong to a particular user group. Any user belonging to the same user group can create, edit, view, and delete those substitution variables.

Syntax and Subcommands

director (config) # [no] role-substitution-variable variable_name {device device_id | group group_name} input
Creates a substitution variable named variable_name for the specified device ID. Use the input subcommand to specify a value for the substitution variable. Prefacing the command with the optional no parameter removes the specified substitution variable.

If a delegated user runs the command, variable_name is prefixed with the name of the user’s user group.

If admin, sadmin, or another privilege 15 user runs the command and the target type is user-group, the group is not added to the start of the substitution variable name because these users do not belong to delegated user groups. The substitution variable is created with the user-group-name as a prefix.

If admin, sadmin, or another privilege 15 user runs the command and the target type is device or group, the command will not execute. See “(config) #device device_id” on page 115 or “(config) #group group_id” on page 129 instead.

For example,

director (config) # role-substitution-variable HR_policy_url_blocklist device QA142 input
For non-delegated admin normal substitution variable will be created.
Enter your value now. Press Ctrl-D when finished, or Ctrl-C to abort.
www.example.com^D

Related Commands

• To create a user group,
  director (config) # role delegated-admin user-group group_name
  For more information, see “(config) #role” on page 187.
• To create a delegated user authorized locally,
  director (config) # username username role delegated-admin
• To create a delegated user authorized by RADIUS,
  director (config) # username username auth-type radius
• To associate delegated users with a user group,
  director (config) # username username role delegated-admin user-group group_name
  See “(config) #username” on page 208.
• To create a Content Policy overlay,
  director (config) # remote-config overlay overlay_id policy_type enable
  director (config) # remote-config overlay overlay_id
  director (config remote-config overlay "overlay_id") # input
  For more information, see “overlay” on page 179.
• To associate a Content Policy overlay with a device,
  director (config) # device device_id overlay content_policy_overlay_name
  For more information, see “(config) #device device_id” on page 115.
• To input values to the substitution variables of a user group,
  director (config) # role-substitution-variable {allow_urls | block_urls | allow_categories | block_categories} user-group user-group-name input
• To remove substitution variables from a user group,
  director (config) # no role-substitution-variable {allow_urls | block_urls | allow_categories | block_categories} user-group user-group-name

(config) # show

Synopsis

Displays running system information. This command is also available in enable mode. See “#show” on page 69 for information.

All subcommands of the show command are discussed in “#show” on page 69 except show ssl, which is discussed in the following section.

Subcommands

director (config) # show categories-list
For admin and super-admin users this displays all the categories from the master category list.
For the delegated users it displays the categories associated with them. If the categories are not associated to particular delegated user, and the categories are associated to all the users in the usergroup, those categories are displayed.

director (config) # show devices <device_id> associated-overlays
(Introduced in SGME 6.1.10.1) Show associated overlays for this device.

director (config) # show devices <device_id> associated-profiles
(Introduced in SGME 6.1.10.1) Show associated profiles for this device.

director (config) # show dmc timeout
Display the timeout period set for Director Management Console sessions.

director (config) # show groups <group_id> associated-overlays
(Introduced in SGME 6.1.10.1) Show associated overlays for this group.

director (config) # show groups <group_id> associated-profiles
(Introduced in SGME 6.1.10.1) Show associated profiles for this group.

director (config) # show list-settings
Displays the list settings for the logged in user. If the list settings are not set for the user, the list settings are inherited from the user-group the delegated user belongs to.

director (config) # show role delegated-admin user-groups policyfile-association
Displays the user group associated with central policy file.

director (config) # show role delegated-admin user-group usergroup-name {all | user username} list-settings
Displays the list settings of the delegated users.

director (config) # show role delegated-admin user-group usergroup-name {all | user username} categories
Displays the categories assigned to the users. The all option displays the categories of the user group level. If categories are not set for the user, the categories are inherited from the user-group the delegated user belongs to.

director (config) # show role-substitution-variable user-group user-group-name
Displays the substitution variables for a user group.
director (config) # show ssl

director (config) # show ssl appliance-certificate
Displays the Director’s appliance certificate.

director (config) # show ssl appliance-certificate-request
Displays the request for the Director’s appliance certificate or creates one if it did not already exist.

(config) # slogin

Synopsis

Opens an SSH connection to a remote host. When you are finished, type the command exit to return to the Director command line. This command is also available in standard and enable modes. See “>slogin” on page 26 for information.

Important: When the slogin command is run from configuration mode, it will release the configuration lock so that you do not lock out other users during the slogin session.

(config) # snmp-server

Synopsis

Configures Simple Network Management Protocol (SNMP) server options. For general information about SNMP, see RFC 2578, RFC 3411, RFC 1901, and RFC 1157.

Syntax

(config) # snmp-server {community community_name | contact contact_string | enable [authtraps | inform | traps] | host hostname {inform community_string | version version community_string} | location location_string | traps {default-community | default-version | device-state | job-state | standby-state}}

Subcommands

(config) # snmp-server community community_name
Sets the SNMP server community name on this node. By default, Director has no SNMP community name. The community name must be an alphanumeric string of up to 16 characters in length; special characters like underscore (_), asterisk (*), pound (#), and so on are not supported.

(config) # snmp-server contact contact_string
Sets the SNMP contact string on this node.

(config) # snmp-server enable [authtraps | inform | traps]
Without an optional parameter, enables the SNMP server on this node.
Following is a description of optional parameters:

(config) # snmp-server enable authtraps
Enables receiving authorization traps on this node.

(config) # snmp-server enable inform
Enables sending of SNMP informs on this node. Unlike a trap, an inform message is confirmed (that is, a response message is sent back).

(config) # snmp-server enable traps
Enables sending of SNMP traps on this node. SNMP traps are limited to Director startup and shutdown events.

(config) # snmp-server host hostname inform community_string
Adds a host to the list of hosts to which to send SNMP informs.

(config) # snmp-server host hostname traps {community_string | version version_1_or_2c community_string}
Adds a host to the list of hosts to which to send SNMP traps. If a version number is specified, the version number overrides the default settings of the traps version (which is 2c).

(config) # snmp-server inform default-community community_name
Changes the community used to send SNMP informs to hosts that do not have a community string override.

(config) # snmp-server location location_string
Sets the SNMP location string on this node.

(config) # snmp-server traps [default-community | default-version | device-state | job-state | standby-state]
Sets the following SNMP trap options:

(config) # snmp-server traps default-community community-name
Sets the default community name to use.

(config) # snmp-server traps default-version version
Sets the default version to use.

(config) # snmp-server traps device-state [added | all | auto-registered | auto-registered failed | connected | critical | deleted | disconnected | ok | warning] enable
Enables device-state traps.

(config) # snmp-server traps job-state [all | finished | started] enable
Enables job-state traps.
(config) # snmp-server traps standby-state [all | forced-active | forced-primary | forced-secondary | forced-standalone | partner-invalid | partner-lost | partner-regained | partner-valid | primary-inactive | secondary-reserve | sync-failed | sync-regained] enable
Enables standby-state traps.

Example

director (config) # snmp-server enable inform

(config) # ssh

Synopsis

Manipulates Secure Shell (SSH) settings that you use to log in to a remote host from Director (ssh client) or that you use to log in to Director remotely using an SSH application (ssh server).

Syntax

(config) # ssh {client subcommands | server subcommands}

Subcommands

The ssh command has the following subcommands:
• “ssh client” on page 196
• “ssh server” on page 196

ssh client

Sets options to be used when you log in to a remote host from Director using the slogin command as discussed in “>slogin” on page 26.

(config) # ssh client user username {authorized-key rsakey {sshv1 key_length exponent key [comment] | sshv2 key} | knownhost hostname_or_ip_address rsakey key_length exponent key}

(config) # ssh client user username authorized-key rsakey {sshv1 key_length exponent key [comment] | sshv2 key}
Adds to the list of RSA public keys that can be used to log in to the specified user's account.
Note: You cannot assign an RSA key to a disabled user account.

(config) # ssh client user username knownhost hostname_or_ip_address rsakey key_length exponent key
Specifies a known host with its public key for the specified user account.

ssh server

Sets options to be used when you log in to Director using an SSH application.

(config) # ssh server auth {allowpassword | allowrsa | permitemptypassword}
allowpassword enables users to log in to a remote host using a password.
allowrsa enables users to log in to a remote host using RSA encryption.
permitemptypassword (default setting) allows Director to send empty passwords for TACACS, LDAP, and local user accounts.
RADIUS is an exception; to prevent account lock-out errors, the Director does not send empty passwords to the RADIUS servers.

director (config) # no ssh server auth permitemptypassword
Allows you to change the default behavior and disallow an empty password. For a local user account, when you disallow an empty password, users will be required to create a password for authenticating access to the Director.

For RADIUS you cannot configure Director to send empty passwords. The default option is no ssh server auth permitemptypassword; it cannot be modified.

Note: These commands are persistent across Director reboots.

(config) # ssh server enable {sshv1 | sshv2}
Enables you to log in to Director remotely using either SSHv1 or SSHv2. To disable access using SSH, use the no ssh server enable {sshv1 | sshv2} command.

(config) # ssh server hostkey rsakey generate {sshv1 [key_size] | sshv2}
Regenerates either the SSHv1 or SSHv2 RSA host key. If the key size of the SSHv1 host key is not specified, the default of 1024 bits is used.

(config) # ssh server knownhost hostname_or_ip_address rsakey key_length exponent key
Specifies a listing of a known host with its public key.

Example

director (config) # ssh server hostkey rsakey generate sshv2

(config) # ssl

Synopsis

Manipulates Secure Sockets Layer (SSL) settings.

Syntax

(config) # ssl {disable | enable | legacy-renegotiation-enable | legacy-renegotiation-disable | registration-password password}

Subcommands

(config) # ssl disable
(Introduced in SGME 6.1.9.1) Disable SSLv2 protocol communication to Director.

(config) # ssl enable
(Introduced in SGME 6.1.9.1) Enable SSLv2 protocol communication to Director. SSLv2 is disabled by default.

Important: To ensure that your SSLv2 setting remains enabled after a reboot, use the #write memory command to write running configuration to persistent storage. For more information, see “#write” on page 92.
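The remote-access settings documented in this chapter (ssh server, ssl, telnet-management, and username ... nopassword) can be checked offline against a saved command file. The following Python audit is an added example, not part of the Blue Coat reference; the rule names and the sample input are constructed. It assumes the input is text in this chapter's command syntax (for example captured show configuration output or a provisioning script), and it flags SSHv1 and Telnet only when they are explicitly enabled, because this page does not state their defaults.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    detail: str


# (command, state key, value when entered, value when prefixed with "no").
# None means that form is not documented on this page, so it is ignored.
TOGGLES = [
    ("ssh server enable sshv1", "sshv1", True, False),
    ("ssl enable", "sslv2", True, None),
    ("ssl disable", "sslv2", False, None),
    ("ssl legacy-renegotiation-enable", "legacy_reneg", True, None),
    ("ssl legacy-renegotiation-disable", "legacy_reneg", False, None),
    ("telnet-management enable", "telnet", True, False),
    ("ssh server auth permitemptypassword", "empty_pw", True, False),
]

# Defaults stated on the page: SSLv2 off, legacy renegotiation off,
# permitemptypassword on. The SSHv1 and Telnet defaults are assumptions (off).
DEFAULTS = {"sshv1": False, "sslv2": False, "legacy_reneg": False,
            "telnet": False, "empty_pw": True}

MESSAGES = [
    ("sshv1", "SSHV1_ENABLED", "ssh server enable sshv1 is set"),
    ("sslv2", "SSLV2_ENABLED", "ssl enable turns on SSLv2"),
    ("legacy_reneg", "LEGACY_RENEGOTIATION", "legacy SSL renegotiation is allowed"),
    ("telnet", "TELNET_ENABLED", "telnet-management enable is set"),
    ("empty_pw", "EMPTY_PASSWORD_PERMITTED",
     "permitemptypassword is in effect; add 'no ssh server auth permitemptypassword'"),
]

PROMPT_RE = re.compile(r"^.*\(config\)\s*#\s*")  # strips a pasted CLI prompt
USER_RE = re.compile(r"^username (\S+)(?: (.+))?$")


def audit(config_text):
    """Return a list of Findings for a block of Director config-mode commands."""
    state = dict(DEFAULTS)
    users = {}  # name -> {"pw": None | "none" | "cleartext" | "encrypted", "disabled": bool}
    for raw in config_text.splitlines():
        line = " ".join(PROMPT_RE.sub("", raw).split())
        if not line:
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        for text, key, on, off in TOGGLES:
            value = off if negated else on
            if cmd == text and value is not None:
                state[key] = value  # later lines override earlier ones
        match = USER_RE.match(cmd)
        if not match:
            continue
        name, args = match.group(1), (match.group(2) or "").split()
        if negated:
            if not args:  # "no username X" removes the account
                users.pop(name, None)
            continue
        acct = users.setdefault(name, {"pw": None, "disabled": False})
        if args[:1] == ["nopassword"]:
            acct["pw"] = "none"
        elif args[:1] == ["password"] and len(args) >= 2:
            # "password 7 <value>" is the stored form; anything else is clear text.
            acct["pw"] = "encrypted" if args[1] == "7" and len(args) > 2 else "cleartext"
        elif args[:1] == ["disable"]:
            acct["disabled"] = True

    findings = [Finding(rule, detail) for key, rule, detail in MESSAGES if state[key]]
    for name, acct in sorted(users.items()):
        if acct["disabled"]:
            continue  # a disabled account cannot log in with local authentication
        if acct["pw"] == "none":
            findings.append(Finding("USER_NOPASSWORD", name))
        elif acct["pw"] == "cleartext":
            findings.append(Finding("USER_CLEARTEXT_PASSWORD", name))
    return findings


# Constructed sample input (not taken from a real appliance).
SAMPLE_CONFIG = """\
ssh server enable sshv1
ssh server enable sshv2
no ssh server enable sshv1
ssl enable
ssl legacy-renegotiation-enable
telnet-management enable
username admin password 7 KW25kt7gvYupk
username kiosk nopassword
username temp nopassword
username temp disable
username ops password 0 ExamplePass1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding.rule}: {finding.detail}")
```

An empty input still reports EMPTY_PASSWORD_PERMITTED, because permitemptypassword is the default until no ssh server auth permitemptypassword is entered.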
(config) # ssl gencsr bits <number_of_bits> passphrase <passphrase> signing-attributes <list_of_attributes>
(Introduced in SGME 6.1.12.1) Generate a certificate signing request (CSR) and a new private key, which overrides any existing private key. Then, submit the CSR to the certificate authority (CA) to generate a public key.

The number of bits must be a minimum of 2048 bits.
The passphrase must be a minimum of four characters to a maximum of 20.
Separate attributes to add into the certificate signing request fields with a semi-colon (;), for example:
“C=CA;CN=bluecoat.com;OU=Director”

To load the key, run (config) # ssl load-private-key.

(config) # ssl install-certificate public
(Introduced in SGME 6.1.12.1) Install the public certificate on the Director appliance. When you enter this command, the CLI displays the following:

Enter public certificate contents now. Press Ctrl-D when finished, or Ctrl-C to abort.

(config) # ssl legacy-renegotiation-enable
Enables SSL renegotiation with SSL clients. Use this command if you would like to allow backward compatibility for older Web browsers. Use caution when enabling SSL renegotiation with legacy clients, because the Director permits a less secure option that may expose your network to security vulnerabilities.

(config) # ssl legacy-renegotiation-disable
This is the default setting. This option forces the Director to renegotiate the session credentials only with an SSL client, such as a Web browser, that adheres to the security requirements of the SSL handshake. It disallows SSL renegotiation with legacy SSL clients that do not comply with the security requirements of the SSL handshake.

(config) # ssl load-private-key
(Introduced in SGME 6.1.12.1) Load the private key. You must have generated the key using the (config) # ssl gencsr command.
(config) # ssl registration-password password
Sets the registration password for ProxySG authentication for models that do not support appliance certificates.

To determine if your appliance supports appliance certificates, use one of the following commands. Each command returns the device certificate if it exists:

• Command that returns an error if the device does not have an appliance certificate:
  (config) # remote-config execute {addr-device ip_address_or_hostname | device device_id input errors-only}
  exit
  show ssl certificate appliance-key
  config t
• Command that returns the device certificate if it exists:
  (config) # remote-config execute {addr-device ip_address_or_hostname | device device_id input [errors-only]}
  exit
  show ssl ssl-device-profile bluecoat-appliance-certificate
  config t

You must press Control+D after the command to send it to the device. For more information, see “execute” on page 179.

(config) # ssl delete {all-certificates | public-certificate}
(Introduced in SGME 6.1.12.1) Delete the installed private key, the public certificate, and CSR certificates; or delete only the public certificate.

Example

director (config) # ssl registration-password ?
******
director (config) # ssl registration-password test
director (config) #

(config) # standby

Synopsis

Configures the Director’s standby configuration. The Director standby feature is designed to minimize Director service disruptions caused by network outage, disaster, or Director failure. When standby is deployed, the Director configuration is mirrored to a second Director whose only function is to take over for the first Director if a failure occurs. For information, see “>standby” on page 27.

(config) # tacacs-server

Synopsis

Configures Terminal Access Controller Access-Control System (TACACS) servers.
Director enables you to use the following authentication schemes for user access to Director:

• LDAP: Supports authentication to an AD server. Authorization is defined locally on the Blue Coat Director. For more information, see “(config) #ldap-server” on page 167.
• RADIUS: Supports authentication and authorization. For more information, see “(config) #radius-server” on page 172.
• TACACS: Supports authentication only. All users authenticated by TACACS have privilege level 15 access.
• Local: Supports authentication and authorization. For more information, see “(config) #username” on page 208.

For more information about using multiple authentication schemes, see “(config) #aaa authentication login default” on page 94.

Syntax

(config) # tacacs-server {host hostname {key keyname | port port | single-connection | timeout #h #m #s} | key password | timeout #h #m #s}

Subcommands

(config) # tacacs-server host hostname
Adds this host to the list of TACACS servers.

(config) # tacacs-server host hostname key password
Sets the authentication and encryption key used for communications with this TACACS server.

(config) # tacacs-server host hostname port port_number
Sets the default port number to use for TACACS+ requests to the specified host.

(config) # tacacs-server host hostname single-connection
Enables single connection mode, where the original TCP connection is held open for multiple TACACS sessions, instead of reopening a new one every time.

(config) # tacacs-server host hostname timeout #h #m #s
Sets the timeout for communication with this TACACS server. Format the time as the number of hours, followed by the number of minutes, followed by the number of seconds.
For example, the following command sets the timeout at four hours and one minute:

(config) # tacacs-server host hostname timeout 4h 1m 0s

(config) # tacacs-server key password
Sets the authentication and encryption key used for communications with this TACACS server.

(config) # tacacs-server timeout #h #m #s
Sets the timeout on communication with this TACACS server. Format the time as the number of hours, followed by the number of minutes, followed by the number of seconds. For example, the following command sets the timeout at four hours and one minute:

(config) # tacacs-server timeout 4h 1m 0s

Example

director (config) # tacacs-server timeout 2h 30m

(config) # tcpdump

Synopsis

This command is also available in standard and enable modes. For information, see “>tcpdump” on page 29.

(config) # telnet-management

Synopsis

Configures a Telnet server to be used to communicate with Director.

Note: Because Telnet is not secure, Director recommends you not enable the Telnet server. Instead, always connect to Director securely using SSH-RSA as discussed in the Blue Coat Director Configuration and Management Guide.

Syntax

(config) # telnet-management args args
Sets command line arguments to pass to the Telnet server.

(config) # [no] telnet-management enable
Enables the Telnet server on this Director appliance. Preceding the command with no disables the Telnet server.

Example

director (config) # telnet-management enable

(config) # traceroute

Synopsis

Determines the route packets take to a destination. This command is also available in standard and enable modes. For information, see “>traceroute” on page 30.

(config) # upgrade-package

Synopsis

Enables you to upgrade to or to roll back from a Director upgrade image.
Syntax

director (config) # upgrade-package {delete filename | fetch remote_url [username username password password] | install filename | rollback | verify filename}

Note: To display the filename list, use the show upgrade-package command.

Director 510 enables you to install, delete, verify, or roll back to one filename at a time. For example, if you initially installed SGME 4.2.2.1, upgrade to SGME 5.2.2.1 and later upgrade to SGME 5.3.1.2, you can roll back to or delete the SGME 5.2.2.1 image only.

Each upgrade-package subcommand is discussed as follows:

director (config) # upgrade-package delete filename
Deletes the upgrade image specified by filename. You should delete upgrade images only after verifying the upgrade to the current version. After deleting an upgrade image, that image is not available for rollback.

director (config) # upgrade-package fetch remote_url [username username password password]
Validates and fetches the upgrade image from an external server using a remote_url formatted as follows:

• https://<hostname[:port]>/<path and filename>
• http://<hostname[:port]>/<path and filename>
• ftp://<hostname>/<path and filename>
• scp://<hostname>/<path and filename>

The following is an example of the upgrade package on an external server:
http://your_server/SGME/Director-6.1.3-99635

The following is an example of the download URL for the upgrade package on BTO:
https://bto.bluecoat.com/download/direct/4536183438735678802733092383907

Specifying a username and password in the URL is not supported.

For more information about getting an upgrade image, see the Director Release Notes or Chapter 15, Upgrading Director, in the Blue Coat Director Configuration and Management Guide.

director (config) # upgrade-package install filename
Installs the upgrade package you previously fetched using upgrade-package fetch. When the upgrade package is installed, the previous SGME image is repackaged and made available for rollback.
director (config) # upgrade-package rollback filename
Rolls back to the previous SGME image. To downgrade to SGME 6.1.2.x, first issue the upgrade-package fetch command, and then issue the upgrade-package rollback command. For example:

director (config) # upgrade-package verify filename
Verifies the integrity of the upgrade package. The upgrade-package fetch command verifies the package when it is fetched from the external server, so this command is useful if you did not use the upgrade-package fetch to retrieve the package.

(config) # username

Synopsis

Manages local user and delegated user accounts. Every command beginning with username creates a user account with that name if one did not already exist. In addition, the actions specific to the command entered are performed. Note that all of these commands pertain only to local user accounts.

Director enables you to use the following authentication schemes for user access to Director:

• LDAP: Supports authentication to an AD server. Authorization is defined locally on the Blue Coat Director. For more information, see “(config) #ldap-server” on page 167.
• RADIUS: Supports authentication and authorization. For more information, see “(config) #radius-server” on page 172.
• TACACS: Supports authentication only. All users authenticated by TACACS have privilege level 15 access. For more information, see “(config) #tacacs-server” on page 201.
• Local: Supports authentication and authorization. The username command manages local authentication and authorization.

To use a combination of the preceding authentication and authorization mechanisms, see “(config) #aaa authentication login default” on page 94.

Syntax

(config) # username subcommands

Director has the following built-in user accounts:

• sadmin: The administrator for content filtering policy. sadmin has certain privileges that admin and other privilege 15 users do not have.
  For details, see the Blue Coat Director Configuration and Management Guide.
• admin: The default administrator account with privilege level 15. The admin account cannot be disabled.
• monitor: The default user monitor account with privilege level 15.

Subcommands

(config) # [no] username username
Creates a user with the specified user name. Until a password is set for this account, it is disabled.

Preceding the command with the optional no parameter removes the user from Director. If the user is authenticated using RADIUS, the command does not prevent the RADIUS user from logging in to Director.

See one of the following sections for more information:
• “auth-type radius” on page 209
• “disable” on page 209
• “password | nopassword” on page 209
• “privilege” on page 210
• “role” on page 210

auth-type radius

(config) # [no] username username auth-type radius
This command is used with content filtering policy. This command is available for the sadmin user only.

Creates a delegated user that is authenticated by RADIUS.

Important: To authenticate users in RADIUS, you must specify a key (that is, shared secret) and you must set up the user in the RADIUS server for Callback NAS Prompt. To set up the RADIUS server with Director, see “(config) #radius-server” on page 172.

Preceding the command with the optional no subcommand disassociates the user from user groups, devices, and custom groups with which it was associated previously. The no subcommand does not delete any user groups or devices that are associated with the user, however. Finally, the user can still log in to Director provided RADIUS is enabled for authentication.

To create a delegated user that is authenticated locally, see “role” on page 210.

disable

(config) # username username disable
Disables the account so the user cannot log in using local authentication. You cannot disable admin or sadmin.
password | nopassword

(config) # username username nopassword
Specifies that no password is required for this user to log in (and the user can log in without being prompted for a password).

(config) # username username password {cleartext_password | 0 cleartext_password | 7 encrypted_password}
Sets the password as follows:

• Enter a password without the optional 0 or 7 subcommands, or enter the optional 0 subcommand, for the password to be clear text.
• To Base64-encrypt the password, perform the following tasks:
  1. Enter (config) # username username password cleartext_password
  2. Enter director (config) # show configuration
  3. Look for output similar to the following:
     username admin password 7 KW25kt7gvYupk
     In this example, KW25kt7gvYupk is the password in Base64-encrypted form.
  4. Enter (config) # username username password 7 encrypted_password

privilege

(config) # username username privilege {1 | 7 | 15}
Sets the user’s maximum privilege level. All users log in at level 1. If the maximum privilege level is 1, the enable command is not allowed and results in an error. If the maximum privilege level is 7, the enable command will succeed, but the configure command is not allowed, and results in an error.

If a user's privilege level is changed while they are logged in, it takes effect immediately. If it is lowered, the system will force the user out of modes they are no longer allowed to be in; if it is raised, the user can immediately access the newly available modes.

Be aware that any user with privilege 15 can make any change to the system, including changing other users' accounts.

role

(config) # [no] username username {role {role_name | delegated-admin} user-group user_group_name}
This command is used with content filtering policy. This command is available for the sadmin user only.

Creates a locally authenticated delegated user and specifies a role and user group name for the user.
For example, the following commands:

director (config) # username FinAdmin password director
director (config) # username FinAdmin role delegated-admin user-group Finance_policy

create a delegated user named FinAdmin with password director and associate the user with the group Finance_policy.

To authenticate the delegated user with RADIUS instead, see “auth-type radius” on page 209.

Preceding the command with the optional no command disassociates the user from the role. If the user is authenticated using RADIUS, the command does not prevent the RADIUS user from logging in but it does disassociate the user from user groups.

Related Commands for Content Filtering Policy

• To create a user group,
  director (config) # role delegated-admin user-group group_name
  For more information, see “(config) #role” on page 187.
• To create a Content Policy overlay,
  director (config) # remote-config overlay overlay_id policy_type enable
  director (config) # remote-config overlay overlay_id
  director (config remote-config overlay "overlay_id") # input
  For more information, see “overlay” on page 179.
• To associate a Content Policy overlay with a device,
  director (config) # device device_id overlay content_policy_overlay_name
  For more information, see “(config) #device device_id” on page 115.
• To create substitution variables,
  director (config) # [no] role-substitution-variable variable_name {device device_id | group group_name | user-group user-group-name} input
  For more information, see “(config) #role-substitution-variable” on page 189.

Appendix A: Commands Available to Delegated Users

The commands discussed in this appendix are available to Director delegated users, although some subcommands of these commands are not available. Director delegated users have a privilege level 10, so they can execute more commands than a privilege level 7 user.
Because delegated users are assumed to not be familiar with Director commands, you might consider requiring delegated users to access Director using the Management Console only. Director does not provide a way to lock users out of the command line.

Standard Mode Commands Available for Delegated Users

The following standard mode commands are available to delegated users:

cli
enable
exit
help
no
ping
show
tcpdump
traceroute

Enable Mode Commands Available for Delegated Users

The following enable mode commands are available to delegated users:

cli
configure
disable
exit
help
line-vty
no
ping
push-policy
reload
show
tcpdump
traceroute
write

Configure Mode Commands Available for Delegated Users

The following configure mode commands are available to delegated users:

cli
enable
exit
help
line-vty
no
ping
push-policy
reload
require-config-lock
role-substitution-variable
show
ssl
tcpdump
traceroute
write

Appendix B: Third-Party Copyright Notices

Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below. The following lists the copyright notices for:

Jpam 0.5

Apache Software License 2.0

General information: Copyright 2007 © The Apache Software Foundation

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

Definitions. "'License' shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "'Licensor' shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "'Legal Entity' shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity.
For the purposes of this definition, 'control' means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "'You' (or 'Your') shall mean an individual or Legal Entity exercising permissions granted by this License. "'Source' form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "'Object' form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "'Work' shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "'Derivative Works' shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "'Contribution' shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. 
For the purposes of this definition, 'submitted' means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as 'Not a Contribution.' "'Contributor' shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, nonexclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, nonexclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. 
If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: 1.You must give any other recipients of the Work or Derivative Works a copy of this License; and 2.You must cause any modified files to carry prominent notices stating that You changed the files; and 3.You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and 4.If the Work includes a 'NOTICE' text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. 
You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. Limitation of Liability.
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. 
NTP 3.5

Copyright (c) University of Delaware 1992-2011 Permission to use, copy, modify, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appears in all copies and that both the copyright notice and this permission notice appear in supporting documentation, and that the name University of Delaware not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The University of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is" without express or implied warranty.

Tomcat

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work. "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. 
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. 
Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. Java JRE SUN MICROSYSTEMS, INC. ("SUN") IS WILLING TO LICENSE THIS SPECIFICATION TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. PLEASE READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY. BY DOWNLOADING THIS SPECIFICATION, YOU ACCEPT THE TERMS AND CONDITIONS OF THE AGREEMENT. Specification: JAVA PLATFORM, STANDARD EDITION ("Specification") Version: 6 Status: Final Release Release: December 7, 2006 Copyright 2006 SUN MICROSYSTEMS, INC. 4150 Network Circle, Santa Clara, California 95054, U.S.A All rights reserved. LIMITED LICENSE GRANTS 1. License for Evaluation Purposes. 
Sun hereby grants you a fully-paid, non-exclusive, non-transferable, worldwide, limited license (without the right to sublicense), under Sun's applicable intellectual property rights to view, download, use and reproduce the Specification only for the purpose of internal evaluation. This includes (i) developing applications intended to run on an implementation of the Specification, provided that such applications do not themselves implement any portion(s) of the Specification, and (ii) discussing the Specification with any third party; and (iii) excerpting brief portions of the Specification in oral or written communications which discuss the Specification provided that such excerpts do not in the aggregate constitute a significant portion of the Specification. 2. License for the Distribution of Compliant Implementations. Sun also grants you a perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license (without the right to sublicense) under any applicable copyrights or, subject to the provisions of subsection 4 below, patent rights it may have covering the Specification to create and/or distribute an Independent Implementation of the Specification that: (a) fully implements the Specification including all its required interfaces and functionality; (b) does not modify, subset, superset or otherwise extend the Licensor Name Space, or include any public or protected packages, classes, Java interfaces, fields or methods within the Licensor Name Space other than those required/authorized by the Specification or Specifications being implemented; and (c) passes the Technology Compatibility Kit (including satisfying the requirements of the applicable TCK Users Guide) for such Specification ("Compliant Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside its scope.
No license is granted hereunder for any other purpose (including, for example, modifying the Specification, other than to the extent of your fair use rights, or distributing the Specification to third parties). Also, no right, title, or interest in or to any trademarks, service marks, or trade names of Sun or Sun's licensors is granted hereunder. Java, and Javarelated logos, marks and names are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. 3. Pass-through Conditions. You need not include limitations (a)-(c) from the previous paragraph or any other particular "pass through" requirements in any license You grant concerning the use of your Independent Implementation or products derived from it. However, except with respect to Independent Implementations (and products derived from them) that satisfy limitations (a)-(c) from the previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any licenses under Sun's applicable intellectual property rights; nor (b) authorize your licensees to make any claims concerning their implementation's compliance with the Specification in question. 4. Reciprocity Concerning Patent Licenses. a. With respect to any patent claims covered by the license granted under subparagraph 2 above that would be infringed by all technically feasible implementations of the Specification, such license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party seeking it from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent rights which are or would be infringed by all technically feasible implementations of the Specification to develop, distribute and use a Compliant Implementation. b. 
With respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2, whether or not their infringement can be avoided in a technically feasible manner when implementing the Specification, such license shall terminate with respect to such claims if You initiate a claim against Sun that it has, in the course of performing its responsibilities as the Specification Lead, induced any other entity to infringe Your patent rights. c. Also with respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2 above, where the infringement of such claims can be avoided in a technically feasible manner when implementing the Specification such license, with respect to such claims, shall terminate if You initiate a claim against Sun that its making, having made, using, offering to sell, selling or importing a Compliant Implementation infringes Your patent rights. 5. Definitions. For the purposes of this Agreement: "Independent Implementation" shall mean an implementation of the Specification that neither derives from any of Sun's source code or binary code materials nor, except with an appropriate and separate license from Sun, includes any of Sun's source code or binary code materials; "Licensor Name Space" shall mean the public class or interface declarations whose names begin with "java", "javax", "com.sun" or their equivalents in any subsequent naming convention adopted by Sun through the Java Community Process, or any recognized successors or replacements thereof; and "Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide provided by Sun which corresponds to the Specification and that was available either (i) from Sun's 120 days before the first release of Your Independent Implementation that allows its use for commercial purposes, or (ii) more recently than 120 days from such release but against which You elect to test Your implementation of the Specification. 
This Agreement will terminate immediately without notice from Sun if you breach the Agreement or act outside the scope of the licenses granted above. DISCLAIMER OF WARRANTIES THE SPECIFICATION IS PROVIDED "AS IS". SUN MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE CONTENTS OF THE SPECIFICATION ARE SUITABLE FOR ANY PURPOSE. This document does not represent any commitment to release or implement any portion of the Specification in any product. In addition, the Specification could include technical inaccuracies or typographical errors. LIMITATION OF LIABILITY TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION, LOST REVENUE, PROFITS OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED IN ANY WAY TO YOUR HAVING, IMPELEMENTING OR OTHERWISE USING USING THE SPECIFICATION, EVEN IF SUN AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You will indemnify, hold harmless, and defend Sun and its licensors from any claims arising or resulting from: (i) your use of the Specification; (ii) the use or distribution of your Java application, applet and/or implementation; and/or (iii) any claims that later versions or releases of any Specification furnished to you are incompatible with the Specification provided to you under this license. RESTRICTED RIGHTS LEGEND U.S. Government: If this Specification is being acquired by or on behalf of the U.S. Government or by a U.S. 
Government prime contractor or subcontractor (at any tier), then the Government's rights in the Software and accompanying documentation shall be only as set forth in this license; this is in accordance with 48 C.F.R. 227.7201 through 227.7202-4 (for Department of Defense (DoD) acquisitions) and with 48 C.F.R. 2.101 and 12.212 (for non-DoD acquisitions). REPORT If you provide Sun with any comments or suggestions concerning the Specification ("Feedback"), you hereby: (i) agree that such Feedback is provided on a non-proprietary and non-confidential basis, and (ii) grant Sun a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable license, with the right to sublicense through multiple levels of sublicensees, to incorporate, disclose, and use without limitation the Feedback for any purpose. GENERAL TERMS Any action related to this Agreement will be governed by California law and controlling U.S. federal law. The U.N. Convention for the International Sale of Goods and the choice of law rules of any jurisdiction will not apply. The Specification is subject to U.S. export control laws and may be subject to export or import regulations in other countries. Licensee agrees to comply strictly with all such laws and regulations and acknowledges that it has the responsibility to obtain such licenses to export, re-export or import as may be required after delivery to Licensee. This Agreement is the parties' entire agreement relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, conditions, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification to this Agreement will be binding, unless in writing and signed by an authorized representative of each party. Rev.
April, 2006 PostgreSQL is released under the BSD license. PostgreSQL Database Management System (formerly known as Postgres, then as Postgres95) Portions Copyright (c) 1996-2008, The PostgreSQL Global Development Group Portions Copyright (c) 1994, The Regents of the University of California Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies. IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. JDOM.jar Copyright (C) 2000-2004 Jason Hunter & Brett McLaughlin. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the documentation and/or other materials provided with the distribution. 3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. 
For written permission, please contact request@jdom.org. 4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM Project Management request@jdom.org. In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an acknowledgement equivalent to the following: "This product includes software developed by the JDOM Project (http://www.jdom.org/)." Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Jason Hunter <jhunter@jdom.org> and Brett McLaughlin <brett@jdom.org>. For more information on the JDOM Project, please see http://www.jdom.org. JFreeChart JFreeChart is a free (LGPL) chart library for the Java(tm) platform. BPF Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display the following acknowledgement: This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. DES Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly. EXPAT Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Finjan Software Copyright (c) 2003 Finjan Software, Inc. All rights reserved. Flowerfire Copyright (c) 1996-2002 Greg Ferrar ISODE ISODE 8.0 NOTICE Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's Manual for the full terms of this agreement. 4BSD/ISODE SMP NOTICE Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-README. UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd. MD5 RSA Data Security, Inc. MD5 Message-Digest Algorithm Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. 
"THE BEER-WARE LICENSE" (Revision 42): <phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp Microsoft Windows Media Streaming Copyright (c) 2003 Microsoft Corporation. All rights reserved. OpenLDAP Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. http://www.openldap.org/software/release/license.html The OpenLDAP Public License Version 2.7, 7 September 2001 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. OpenSSH Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved This file is part of the OpenSSH software. The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that. OpenSSH contains no GPL code. 1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell". [Tatu continues] However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my direct control.
As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see below for details. [However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed from OpenSSH, i.e., - RSA is no longer included, found in the OpenSSL library - IDEA is no longer included, its use is deprecated - DES is now external, in the OpenSSL library - GMP is no longer used, and instead we call BN code from OpenSSL - Zlib is now external, in a library - The make-ssh-known-hosts script is no longer included - TSS has been removed - MD5 is now external, in the OpenSSL library - RC4 support has been replaced with ARC4 support from OpenSSL - Blowfish is now external, in the OpenSSL library [The licence continues] Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto". The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf. NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license. Cryptographic attack detector for ssh - source code Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE. Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com> 3) ssh-keygen was contributed by David Mazieres under a BSD-style license. Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact. 
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license: @version 3.0 (December 2000) Optimised ANSI C code for the Rijndael cipher (now AES) @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> @author Paulo Barreto <paulo.barreto@terra.com.br> This code is hereby placed in the public domain. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code. Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders: Markus Friedl Theo de Raadt Niels Provos Dug Song Aaron Campbell Damien Miller Kevin Steves Daniel Kouril Wesley Griffin Per Allansson Nils Nordman Simon Wilkinson Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. OpenSSL Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. http://www.openssl.org/about/ OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <mailto:eay@cryptsoft.com> and Tim J. Hudson <mailto:tjh@cryptsoft.com>. The OpenSSL toolkit is licensed under a Apache-style license which basically means that you are free to get and use it for commercial and non-commercial purposes. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.] 
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Written by: Philip Hazel <ph10@cam.ac.uk> Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions: 1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ PHAOS SSLava and SSLavaThin Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved. The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE. PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES. RealSystem The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved. SNMP Copyright (C) 1992-2001 by SNMP Research, Incorporated. This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by SNMP Research, Incorporated. Restricted Rights Legend: Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in similar clauses in the NASA FAR Supplement and other corresponding governmental regulations. PROPRIETARY NOTICE This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying, redistribution or other use of this work is prohibited. 
The above notice of copyright on this source code product does not indicate any actual or intended publication of such source code. STLport Copyright (c) 1999, 2000 Boris Fomitchev This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with the above copyright notice. The code has been modified. Copyright (c) 1994 Hewlett-Packard Company Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc. Copyright (c) 1997 Moscow Center for SPARC Technology Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. SmartFilter Copyright (c) 2003 Secure Computing Corporation. All rights reserved. SurfControl Copyright (c) 2003 SurfControl, Inc. All rights reserved. Symantec AntiVirus Scan Engine Copyright (c) 2003 Symantec Corporation. All rights reserved. TCPIP Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source. Their copyright header follows: Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Trend Micro Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved. unixsocket -------------Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. 
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. 
Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. 
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. 
Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. 
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. 
Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

zlib Copyright (c) 2003 by the Open Source Initiative This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and others All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

PHP COPYRIGHTS

The PHP License, version 3.01 Copyright (c) 1999 - 2006 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. 
You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP software, freely available from <http://www.php.net/software/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>.

ZEND COPYRIGHTS

The Zend Engine License, version 2.00 Copyright (c) 1999-2002 Zend Technologies Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names "Zend" and "Zend Engine" must not be used to endorse or promote products derived from this software without prior permission from Zend Technologies Ltd. For written permission, please contact license@zend.com. 4. Zend Technologies Ltd. may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by Zend Technologies Ltd. No one other than Zend Technologies Ltd. has the right to modify the terms applicable to covered code created under this License. 5. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes the Zend Engine, freely available at http://www.zend.com" 6. All advertising materials mentioning features or use of this software must display the following acknowledgment: "The Zend Engine is freely available at http://www.zend.com" THIS SOFTWARE IS PROVIDED BY ZEND TECHNOLOGIES LTD. ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZEND TECHNOLOGIES LTD. 
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

TSRM COPYRIGHTS

TSRM (Thread Safe Resource Manager) license. Copyright (c) 1999, 2000, Andi Gutmans, Sascha Schumann, Zeev Suraski. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Neither name of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

REGEX COPYRIGHTS

Regex. Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved. 
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following restrictions: 1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. 2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the documentation. 3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits must appear in the documentation. 4. This notice may not be removed or altered. libgd COPYRIGHTS libgd Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 by Cold Spring Harbor Laboratory. Funded under Grant P41RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000 Philip Warner. Portions relating to PNG copyright 1999, 2000 Greg Roelofs. Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com). Portions relating to JPEG and to color quantization copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande. 
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.1, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

mail.jar

Sun Microsystems, Inc. ("Sun") ENTITLEMENT for SOFTWARE Permitted Uses: 1. You may reproduce and use the Software for Individual, Commercial, or Research and Instructional Use for the purposes of designing, developing, testing, and running Your applets and application ("Programs"). 2. 
Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software's documentation, You may reproduce and distribute portions of Software identified as a redistributable in the documentation ("Redistributable"), provided that: (a) you distribute Redistributable complete and unmodified and only bundled as part of Your Programs, (b) your Programs add significant and primary functionality to the Redistributable, (c) you distribute Redistributable for the sole purpose of running your Programs, (d) you do not distribute additional software intended to replace any component(s) of the Redistributable, (e) you do not remove or alter any proprietary legends or notices contained in or on the Redistributable. (f) you only distribute the Redistributable subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement, and (g) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all Programs and/or Redistributable. 3. Java Technology Restrictions. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention designation. B. Sun Microsystems, Inc. ("Sun") SOFTWARE LICENSE AGREEMENT READ THE TERMS OF THIS AGREEMENT ("AGREEMENT") CAREFULLY BEFORE OPENING SOFTWARE MEDIA PACKAGE. BY OPENING SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. 
IF YOU ARE ACCESSING SOFTWARE ELECTRONICALLY, INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF SOFTWARE IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" (OR "EXIT") BUTTON AT THE END OF THIS AGREEMENT. IF YOU HAVE SEPARATELY AGREED TO LICENSE TERMS ("MASTER TERMS") FOR YOUR LICENSE TO THIS SOFTWARE, THEN SECTIONS 1-5 OF THIS AGREEMENT ("SUPPLEMENTAL LICENSE TERMS") SHALL SUPPLEMENT AND SUPERSEDE THE MASTER TERMS IN RELATION TO THIS SOFTWARE. 1. Definitions. (a) "Entitlement" means the collective set of applicable documents authorized by Sun evidencing your obligation to pay associated fees (if any) for the license, associated Services, and the authorized scope of use of Software under this Agreement. (b) "Licensed Unit" means the unit of measure by which your use of Software and/or Service is licensed, as described in your Entitlement. (c) "Permitted Use" means the licensed Software use(s) authorized in this Agreement as specified in your Entitlement. The Permitted Use for any bundled Sun software not specified in your Entitlement will be evaluation use as provided in Section 3. (d) "Service" means the service(s) that Sun or its delegate will provide, if any, as selected in your Entitlement and as further described in the applicable service listings at www.sun.com/service/servicelist. (e) "Software" means the Sun software described in your Entitlement. Also, certain software may be included for evaluation use under Section 3. (f) "You" and "Your" means the individual or legal entity specified in the Entitlement, or for evaluation purposes, the entity performing the evaluation. 2. License Grant and Entitlement. Subject to the terms of your Entitlement, Sun grants you a nonexclusive, nontransferable limited license to use Software for its Permitted Use for the license term. 
Your Entitlement will specify (a) Software licensed, (b) the Permitted Use, (c) the license term, and (d) the Licensed Units. Additionally, if your Entitlement includes Services, then it will also specify the (e) Service and (f) service term. If your rights to Software or Services are limited in duration and the date such rights begin is other than the purchase date, your Entitlement will provide that beginning date(s). The Entitlement may be delivered to you in various ways depending on the manner in which you obtain Software and Services, for example, the Entitlement may be provided in your receipt, invoice or your contract with Sun or authorized Sun reseller. It may also be in electronic format if you download Software. 3. Permitted Use. As selected in your Entitlement, one or more of the following Permitted Uses will apply to your use of Software. Unless you have an Entitlement that expressly permits it, you may not use Software for any of the other Permitted Uses. If you don't have an Entitlement, or if your Entitlement doesn't cover additional software delivered to you, then such software is for your Evaluation Use. (a) Evaluation Use. You may evaluate Software internally for a period of 90 days from your first use. (b) Research and Instructional Use. You may use Software internally to design, develop and test, and also to provide instruction on such uses. (c) Individual Use. You may use Software internally for personal, individual use. (d) Commercial Use. You may use Software internally for your own commercial purposes. (e) Service Provider Use. You may make Software functionality accessible (but not by providing Software itself or through outsourcing services) to your end users in an extranet deployment, but not to your affiliated companies or to government agencies. 4. Licensed Units. Your Permitted Use is limited to the number of Licensed Units stated in your Entitlement. If you require additional Licensed Units, you will need additional Entitlement(s). 5. 
Restrictions. (a) The copies of Software provided to you under this Agreement are licensed, not sold, to you by Sun. Sun reserves all rights not expressly granted. (b) You may make a single archival copy of Software, but otherwise may not copy, modify, or distribute Software. However if the Sun documentation accompanying Software lists specific portions of Software, such as header files, class libraries, reference source code, and/or redistributable files, that may be handled differently, you may do so only as provided in the Sun documentation. (c) You may not rent, lease, lend or encumber Software. (d) Unless enforcement is prohibited by applicable law, you may not decompile, or reverse engineer Software. (e) The terms and conditions of this Agreement will apply to any Software updates, provided to you at Sun's discretion, that replace and/or supplement the original Software, unless such update contains a separate license. (f) You may not publish or provide the results of any benchmark or comparison tests run on Software to any third party without the prior written consent of Sun. (g) Software is confidential and copyrighted. (h) Unless otherwise specified, if Software is delivered with embedded or bundled software that enables functionality of Software, you may not use such software on a stand-alone basis or use any portion of such software to interoperate with any program(s) other than Software. (i) Software may contain programs that perform automated collection of system data and/or automated software updating services. System data collected through such programs may be used by Sun, its subcontractors, and its service delivery partners for the purpose of providing you with remote system services and/or improving Sun's software and systems. 
(j) Software is not designed, licensed or intended for use in the design, construction, operation or maintenance of any nuclear facility and Sun and its licensors disclaim any express or implied warranty of fitness for such uses. (k) No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement. 6. Term and Termination. The license and service term are set forth in your Entitlement(s). Your rights under this Agreement will terminate immediately without notice from Sun if you materially breach it or take any action in derogation of Sun's and/or its licensors' rights to Software. Sun may terminate this Agreement should any Software become, or in Sun's reasonable opinion likely to become, the subject of a claim of intellectual property infringement or trade secret misappropriation. Upon termination, you will cease use of, and destroy, Software and confirm compliance in writing to Sun. Sections 1, 5, 6, 7, and 9-15 will survive termination of the Agreement. 7. Java Compatibility and Open Source. Software may contain Java technology. You may not create additional classes to, or modifications of, the Java technology, except under compatibility requirements available under a separate agreement available at www.java.net. Sun supports and benefits from the global community of open source developers, and thanks the community for its important contributions and open standards-based technology, which Sun has adopted into many of its products. Please note that portions of Software may be provided with notices and open source licenses from such communities and third parties that govern the use of those portions, and any licenses granted hereunder do not alter any rights and obligations you may have under such open source licenses, however, the disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all Software in this distribution. 8. Limited Warranty. 
Sun warrants to you that for a period of 90 days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. Some states do not allow limitations on certain implied warranties, so the above may not apply to you. This limited warranty gives you specific legal rights. You may have others, which vary from state to state. 9. Disclaimer of Warranty. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. 10. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. Some states do not allow the exclusion of incidental or consequential damages, so some of the terms above may not be applicable to you. 11. Export Regulations. All Software, documents, technical data, and any other materials delivered under this Agreement are subject to U.S. 
export control laws and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws and regulations and acknowledge that you have the responsibility to obtain any licenses to export, re-export, or import as may be required after delivery to you. 12. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions). 13. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply. 14. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate. 15. Integration. This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.

iText

MOZILLA PUBLIC LICENSE Version 1.1 1. Definitions. 1.0.1. 
"Commercial Use" means distribution or otherwise making the Covered Code available to a third party. 1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications. 1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor. 1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof. 1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data. 1.5. "Executable" means Covered Code in any form other than Source Code. 1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A. 1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License. 1.8. "License" means this document. 1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and all of the rights conveyed herein. 1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is: A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications. B. Any new file that contains any part of the Original Code or previous Modifications. 1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License. 1.10.1. 
"Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor. 1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or dearchiving software is widely available for no charge. 1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. Source Code License. 2.1. The Initial Developer Grant. 
The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims: (a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and (b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or portions thereof). (c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License. (d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices. 2.2. Contributor Grant. 
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license (a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger Work; and (b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination). (c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code. (d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor. 3. Distribution Obligations. 3.1. Application of License. The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. 
The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the additional rights described in Section 3.5. 3.2. Availability of Source Code. Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available; and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available, or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party. 3.3. Description of Modifications. You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code. 3.4. Intellectual Property Matters (a) Third Party Claims. 
If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained. (b) Contributor APIs. If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the LEGAL file. (c) Representations. Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License. 3.5. Required Notices. You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. 
You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear than any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer. 3.6. Distribution of Executable Versions. You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You alone, not by the Initial Developer or any Contributor. 
You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer. 3.7. Larger Works. You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code. 4. Inability to Comply Due to Statute or Regulation. If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Application of this License. This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code. 6. Versions of the License. 6.1. New Versions. Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a distinguishing version number. 6.2. Effect of New Versions. Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. 
No one other than Netscape has the right to modify the terms applicable to Covered Code created under this License. 6.3. Derivative Works. If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.) 7. DISCLAIMER OF WARRANTY. COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. 8. TERMINATION. 8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. 
Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive. 8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that: (a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above. (b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications made by that Participant. 8.3. 
If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license. 8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or any distributor hereunder prior to termination shall survive termination. 9. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. 10. U.S. GOVERNMENT END USERS. The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 
12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein. 11. MISCELLANEOUS. This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License. 12. RESPONSIBILITY FOR CLAIMS. As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability. 13. MULTIPLE-LICENSED CODE. Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". 
"Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A.