Product Documentation


Dec 18, 2015

Answers to frequently asked questions about Command Center are available in the following categories:


Q: How do I verify that Command Center service has started properly?

A: To verify that the Command Center service has started properly, you can do one of the following:

  • Windows operating system: In Window Service console, see the status of the service.
  • Linux: Use the /int.d/NSCCService status command to verify that the service has started.
  • You can also check the status of the service in the logs/wrapper.log file. Verify that the following log entry is present at the end of the file "Please connect to web client using port <port number>."

Q:Which are the weak ciphers in Command Center and how do I remove these weak ciphers from Command Center?

A: TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA are the weak ciphers configured by default on Command Center. Because of these weak ciphers, the Command Center login page fails to load.

To remove these ciphers from a standalone Command Center

  1. Stop the Command Center service.
  2. Remove these ciphers from the following files:
    • <CC_Homel>/apache/tomcat/conf/backup/server.xml
    • <CC_Home>/conf/ transportProvider.conf
  3. Start the command center service.

To remove these ciphers from a Command Center HA pair

  1. Stop the Command Center service on the secondary node and then stop the Command Center service on the primary node.
  2. Remove these ciphers from the following files on both the primary and secondary node:
    • <CC_Homel>/apache/tomcat/conf/backup/server.xml
    • <CC_Home>/conf/ transportProvider.conf
  3. Start the Command Center service on the primary node and the start the Command Center service on the secondary node.

Q: I am not able to connect to the Command Center client. What are the possible causes ?

Possible Cause: Command Center service has not started properly.

Action: Check to see if the Command Center service is started. If not, start the service.


Possible Cause: You have not presented valid root-user credentials.

Action: Provide the correct credentials. If the error occurs even with the correct credentials, shut down the server and check the securitydbData.XML file. If it is empty, reinitialize the database.


Possible Cause: If the PostgreSQL service has not started, the Command Center service does not start.

Action: In wrapper.log file, if you see a " PostgreSQL doesn't start in timely fashion" entry, start the PostgreSOL service first and then start the Command Center server.


Possible Cause: To access the Command Center client, you are using Internet Explorer with compatibility mode enabled.

Action: Disable compatibility mode, and then access the client.


Other possible causes :

  • You are using host name that contains an underscore special character.

  • The Command Center client is running with a NATed IP address.

  • The Firewall is blocking the ports required by Command Center. If the firewall is enabled, disable it or unblock the ports needed for communication with the client.

  • The connection to the database has been lost. To check, view the log entry in the logs/wrapper.log file.

  • The host name used to access the Command Center server does not resolve to the Command Center IP address.

  • The browser cache was not cleared after an upgrade.

  • The port you are using to access the client has been modified from the default (Https 8443 or Http 9090).



Q: I am not able to access the user interface of the secondary Command Center over port 8443.

A: You can only access the primary Command Center through the GUI when configured in HA mode. The secondary Command Center only monitors the state and is not accessible through GUI.



Q: Can Command Center be monitored through any SNMP Manger?

A: Yes, since Command Center behaves as an SNMP agent on port 8161, any SNMP manager can contact Command Center through this port. Command Center can be monitored by loading NS-CC-MIB, which is in the <CC_Home>/mibs folder on any SNMP manager.


Q: Do I need to add Command Center agent as a trap destination on the devices managed by Command Center agent ?

A: No. Command Center server adds its IP address as a trap destination in the discovered devices. Command Center Agent does not add itself as a trap destination but only does the performance data collection, syslog, and entity monitoring. Traps are still handled by the Command Center server.



Q: How do I change the default ports used by Command Center ?

A: You can change the default port (8443 or 9090) to any standard TCP port by modifying the Server Port details in the Administration > Settings > Access Settings window. The changes in access settings are effective only after a restart.


Q: Can I back up and restore data?

A: You can do a data backup and restore only on a Command Center appliance.


Q: Is a license required for evaluation-mode installation of the software version of command center?

A: No.


Q: I am not able to log on to the Command Center server. Where can I view the current Command Center version?

A: You can find the version information in the <CCHome>/conf/AboutDialogProps.xml file.

Q: Which Oracle JDBC driver version does Citrix Command Center use?

A: Command Center uses Oracle JDBC Driver version



Q: What databases does Command Center support?

A: For detailed information about supported databases, see


Q: Does Command Center support any database resiliency solution, such as mirroring, or any other replication methods that I can consider implementing?

A: You can replicate a MySQL database in Command Center. Use Command Center in an HA setup with MySQL two-way replication.


Q: How do I migrate from one type of database to another? 

A: To migrate from one type of database to another, for example from MS SQL to Oracle:

  1. Stop Command Center.
  2. Migrate the database (for example, from MS SQL to Oracle) with the help of your database administrator.
  3. In the <CCHome>\bin\ directory, execute the database_switch.bat (Windows) or (Linux) script. Include an argument identifying the new database.


    <CCHome> \bin\database_switch.bat ORACLE
    <CCHome> \bin\ sh ORACLE

  4. Open the <CCHOME>\classes\hbnlib\hibernate.cfg.xml file in a text editor and, under <!--For Using Oracle DB , Uncomment the below tags -->, edit the following line to specify the host name, port number, and connection string of the new database:

    <property name="connection.url">jdbc:oracle:thin:@HOST_NAME:PORT_NUMBER:CONNECT_STRING</property>


    <property name="connection.url">jdbc:oracle:thin:@</property>

  5. In the <CCHome>\bin\admintools directory, execute the EncryptPassword script and specify the user name, current password, and the new password to get the encrypted password for the new password that you specified. 

    On a Windows system, enter the following command:
    <CCHome>\bin\admintools EncryptPassword.bat root rootpassword newpassword

    On a Linux operating system, enter the following command:
    <CCHome>\bin\admintools sh root rootpassword newpassword


    <CCHome>\bin\admintools EncryptPassword.bat root public Password123

    <CCHome>\bin\admintools sh root public Password123

    The system returns the encrypted version of the new password. For example:

  6. In the hibernate.cfg.xml file, under <!--For Using Oracle DB , Uncomment the below tags -->, copy the new encrypted password to the property name line. For example:

    <property name="connection.encryptedpassword">e8063X6</property>
  7. Save the changes.
  8. Restart Command Center and verify that it is using the new database.
Q: When Command Center is installed in "Evaluation" mode, what is the default DB size allocated to it?
A: For installation in "Evaluation" mode, there is no DB size limit for the internal DB. It depends on the available storage space of the system that the user installs on.
Q: When Command Center is installed in "Typical" mode, can we install the packaged PostgreSQL DB?
A: We do not recommend the usage of PostgreSQL DB in a production deployment.

Q:Can I configure ciphers on Command Center?

A: Yes, you can configure ciphers on Command Center.

A Command Center server or an appliance ships with a set of predefined ciphers. The default ciphers which are supported by Command Center are:


To use ciphers other than the predefined cipher, you have to explicitly define them in the server.xml and transportProvider.conf files.

To configure a cipher
  1. Open server.xml file located in the path <CC_HOME>\apache\tomcat\conf\backup, and include one or more ciphers as follows:


    Figure 1. Server.xml

  2. Open transportProvider.conf file located in the path CC_HOME>\conf, and include one or more ciphers as follows:


    Figure 2. TransportProvider.conf

Installation & Setup

Updated: 2013-07-03

Q: After installing the latest version of Command Center 5.0, I do not see the Start option under Windows Start > Programs > Command Center options. How do I start the Command Center server?

A: The Command Center server is installed and service is started automatically when you install Command Center version 5.0. You can directly access the Command Center server from the web browser by typing either of the following in the address field:




  • ComputerName is the fully qualified domain name (FQDN), host name, or IP address of the Command Center server.
  • PortNumber is the port that the Command Center client and server use to communicate with each other. The default port number for HTTP is 9090, and for HTTPS it is 8443.


Q: Where do I view the installation log statements for Command Center version 5.0 or later ?

A: If installation is successful, for either Windows or Linux, the path to the logs is:
  • :<CC_HOME>\ _Citrix Command Center_installation\Logs

    If you cancel the installation before the installation starts, or some error occurs during the pre-installation steps, the location depends on whether you are running windows or Linux.

  • Windows:


  • Linux:



Q: After installing Command Center, I am unable to start it properly. Where do I look for the log statements regarding startup and shutdown?

A: A Look for the wrapper.log file in the <CCHome>/logs directory. The information in this log file includes the log statements regarding startup and shutdown. If you do not find the wrapper.log file in logs directory, check for the file in <CCHOME> directory.
Note: These logs are created only when you run Command Center as a service.


Q: After moving the MS SQL database to a new host, how to point the Command Center server to the new host?

A: The procedure to point Command Center server to new host:
  1. In the <CCHOME>/classes/hbnlib/ hibernate.cfg.xml file search for the following line:

    <property name="connection.url">jdbc:sqlserver://<dbserver IP>:1433;databaseName=<database name>/property>

  2. Replace the existing database server IP address with the IP address or DNS name of the new database host, and replace existing database name with new database.
  3. If you have changed the encrypted password for the database, do the following:
    • To obtain the encrypted password, run the command

      EncryptPassword.bat file available under <CCHOME>/bin/admintools directory.

      The usage is shown below:

      "Usage : EncryptPassword UserName Password EncryptPassword"

      "UserName - CC UserName with admin privileges, say root"

      "Password - Password of the User"

      "EncryptPassword - The password to be encrypted."


      <CCHome>\bin\admintools>EncryptPassword.bat root public mynewpassword

      Encrypted Password for password "mynewpassword" is: ceMv9Me6gF5h6Cn1

    • In the < CCHOME>/classes/hbnlib/ hibernate.cfg.xml file copy the new encrypted.

      The usage is shown below:

      <property name="connection.driver_class"></property>

      <property name="connection.url">jdbc:sqlserver://;databaseName=CCDB</property>

      <property name="connection.username">yourdbusername</property>

      <property name="connection.encryptedpassword"> ceMv9Me6gF5h6Cn1</property>

      <property name="dialect">org.hibernate.dialect.SQLServerDialect</property>

      <property name="databasename">MSSQL</property>
      Note: The password is copied to the tag with property name - "connection.encryptedpassword".
  4. Restart the Command Center server for the changes to take effect.
Note: The above procedure only points Command Center server to the new database host. To migrate the data to the new host, use the tools provided by MS SQL. For more information about the MS SQL data migration, refer to the MS SQL documentation.


Q: How can I change MSSQL database ports for Command Center ?

  1. Stop the Command Center service.
  2. Edit the <cc_home>/classes/hbnlib/hibernate.cfg.xml to change the port details.
    For example, to specify the port number as 1443:


Q: The Postgres database server does not start in a timely fashion. What can I do?

A: For Windows: From the Windows Service Manager, start the PostgresForCommandCenter service. Verify that the service has started, and then start the Command Center service.

If the Postgres service does not start, go to <CCHOME>/pgsql/startup-scripts and execute the following scripts to reinstall Postgres service:
  • UninstallPostgres.bat
  • CreatePostgresUser.bat
  • InstallPostgres.bat

For Linux: In /<CC_home>/pgsql/startup-scripts directory and run the following scripts:

  • su ccpostgres
  • sh
  • sh

If the Postgres database does not start even after restarting the service, check if the Zlib libraries are installed on the Linux system.

Note: Reinstalling the Postgres service does not result in any loss of data.



Updated: 2013-06-26

Q: Why am I getting a "User not authorized" message when I log on?

A: This message appears if you belongs to a group to which no permissions are assigned. Generally, a users created on the fly in an external authentication server faces this issue. To resolve the issue, the administrator has to log on to the authentication server and assign the user to a proper group.


Q: Can I control the list of tasks that are visible to the user in Command Center?

A: Yes, you can use the Custom View Scope feature in Command Center.


Q: Why am I not able to see all the groups when I use the Browse option of Add Group after choosing external Authentication?

A: The Active Directory server always returns 1000 records at a time. You can directly key in the group name in the field instead of using Browse and select option.


Q: After a force failover, why am I not able to log on if external authentication is set as RADIUS in a Command Center HA setup?

A: You have to log on to Command Center as a local user with Admin privileges and change the Client IP address to the current Command Center server IP address (which was the secondary IP address before the forced failover).


Q: Which are the wildcard characters supported in Custom View Scope?

A: Command Center supports '%' wildcard character for contains case only.


Q: What Active Directory versions does Command Center support?

A: Windows 2008, Windows 2008R2, and Windows 2012.


Q: How can I do a factory reset of root user authorization?

A: Run the following script:



Q: Does Command Center support secure LDAP?



Q: Can users belonging to a subdomain log on to Command Center?

A: Yes. Subdomain users can log on to Command Center if subdomain LDAP is configured.


Citrix Network

Q: NetScaler discovery is failing for one particular device. What could be the cause?

A: For successful NetScaler discovery, the SNMP Manager list must be empty or Command Center must be listed as one of the SNMP Managers. Verify the SNMP Managers configured on the device.


Q: Is it possible to view the device label as a host name or system name instead of as an IP Address?

A: Yes. In Administration > Server Settings change the Device Label value to display the System Name/Host Name.


Q: Which IP address should I use to discover an SDX device?

A: Use the SVM IP address to discover the SDX device in Command Center.


Q: When I discover a CloudBridge Advanced Platform by using the SVM IP address, the CloudBridge instances on the CloudBridge Advanced Platform are not discovered in Command Center?

A: Only the CloudBridge accelerators on a CloudBridge Advanced Platform are discovered.


Q: Are NAT, SNIP, and MIP based discovery of NetScaler devices supported in Command Center?

A: Yes. But SNIP and MIP cannot be used for the discovery of a device configured in HA mode.


Q: I changed the credentials of my device; do I have to change the credentials in Command Center also?

A: Yes, you have to update the credentials in the device profile that is used to discover that device. After you update the profile, you have to rediscover the device.


Q: How can I back up the configuration files, such as ns.conf, for a device?

A: Command Center backs up the NetScaler configuration(ns.conf, the certificates, and so on) the first time the device is discovered and at regular intervals. By Default, the archive interval is 12 hours. You can back up the configuration files on demand from the page that lists the properties of that device.


Q: Where is the ns.conf file located on my Command Center ?

A: The file is located on the database as a plain text.



Q: I am trying to discover a NetScaler device with SNMP v3 profile and the discovery fails with the following error message: Problem in finding device HA Mode for this device. For input string: " " . What should I do?

A: On the NetScaler device, in the SNMP v3 view, verify if you have set the subtree value to 1. If it is not set to 1, then clear the SNMP v3 configuration (SNMP view, SNMP group, and SNMP user) from the NetScaler device. Delete the device from Command Center and re-discover.




Q: I am not able to view the configuration change history for a device.

A: Check the "Configuration Changes Duration" value you have configured. You may not be able to view the history as there may not be any configuration changes in specified duration.


Q: Can I export and mail the change management reports ?

A: Yes, you can use the Schedule option of Audit policies to schedule export and mailing of the reports.





Updated: 2014-08-27

Q: Why is the "Send Mail" action not working?

Possible Cause : The mail server credentials might be incorrect or mail server might not be accessible from Command Center.

Action : Check the mail server credentials and verify that the mail server is accessible from command center server. If the mail server credentials are not correct, edit the settings in Administration > Mail Server Settings .

You can refer to the exception logged under logs > stderr file.

Example of log entry for this exception:

Exception while sending mail notification. Sending failed; 
nested exception is: 
class javax.mail.MessagingException: Could not connect to SMTP host:, port: 25; 
nested exception is: Connection refused: connect 
Invalid HostName or Port, unable to connect the mail server 

Possible Cause : The Events/Alarms fields are not configured correctly.

Action: Check if Event/Alarm fields are configured correctly. The Message field, should match or be a part of the message of any incoming Event/Alarm.

Example of log entry for this exception:

Failed Object, Message.


Q: Can I keep a historical log of SNMP alarms and events in Command Center ?

A: Currently, only 10000 events are displayed, due to user-interface restrictions, but, by default, the events/alarms from the past 6 months are stored in the database.


Q: Command Center is not receiving the traps sent by a device. What are the possible causes?

A: The possible reasons for not receiving traps could be:

  • If you enable firewall on Command Center server, it does not receive the traps

  • SNMP port is being used by some other application in the Command Center server system.

  • Event triggers are set to suppress the action.

  • Custom View Scope is set for the device.

  • Triggers are set with incorrect message fields.

  • Triggers have alarm age set to a high value.

  • If Command Center is installed on a Linux server, the iptable configuration might cause filtering of SNMP packets.

  • Traps from unmanaged devices are not processed by Command Center.

  • The default Trap port has been changed by the administrator under Administration > Settings > Trap Forward Settings.


Q: Do I need to specifically enable SNMP on Command Center? if yes, how can I do so?

A: You need not enable SNMP. It is already running on port 8161. When the Command Center service is running, Command Center behaves as an SNMP agent on port 8161, and any SNMP manager can contact Command Center through this port.


Q: Can I set triggers for all of the devices?

A: Yes. In theAdd Filters window, leave the Devices field empty. All the devices discovered are then selected.


Q: Alarm Triggers actions are not being initiated for the generic category of alarms.

A: Since Alarms are not updated for generic traps, such as reboot, you have to manually clear the alarm to reenable the alarm trigger action, or you have to create triggers for the generic category of events.


Q: Syslogs and AppFirewall reports are not generated. What are the possible causes?

  • Syslog settings on the NetScaler are not properly configured for Command Center to receive the syslog messages.
  • Syslog port 514 is occupied by other application.
  • AppFirewall related syslogs are not generated for the ICA type for a specified time period.


Q: Since all traps are sent to both the Command Center agent and the main Command Center, does the Command Center agent ignore these or are they sent to the database through the SQL connection?

A: Traps are handled only by the Command Center server, which adds its IP address as a trap destination on the NetScaler device during NetScaler device discovery.


Q: How can I customize the purge interval?

A: You can specify the interval at which Command Center should purge syslog data. By default, Command Center stores syslog messages for the last 90 days. To customize the purge interval, navigate to Administration > Server Settingsand specify the number of days in theSyslog Clean interval (in days) field. Only the records older than the number of days that you specify are purged. For example, if you specify as 45 days, Command Center purges syslog messages that are older than 45 days.

Q: I am able to view unwanted IPs in Failure Objects.

A: The unwanted IP addresses are from AppFirewall Client IP. Create a filter to suppress AppFirewall alarms.


Q: Is it possible to export data from Command Center for Syslogs, Appfirewall and AGEE logs?

A: No.


Q: Why am I not able to receive the SNMP traps from the device?

A: If the wrapper.log file contains the following entry: "WARNING : Traps cannot be received on port : 162", failure to receive the traps could have the following possible causes:

Possible Cause1 : If any other SNMP trap service is running on port 162, which is receiving the traps, Command Center might not be able to receive the SNMP traps.

Action :
  • In case of Windows, check to see if SNMP is running and, if so, stop it. Then stop the Command Center service. Check the output of netstat using the following command in the command prompt:
    C:netstat -ano| find "162"
    Sample Output:
    TCP              LISTENING       1892 
      UDP    [::]:162            *:*                    6340 ) 
    If you see " UDP [::]:162 *:*" in the output, it confirms that the port 162 is being used by some other application.
  • Check to see if the traps are being logged in the CC FaultOut logs under logs/fault.
  • If the traps are being logged, check to see if any filter action (for example, a suppress action) is configured, or if the user has configured any custom view scope.
  • In case of Linux, check to see if SNMP packets are being filtered because of iptable configuration. In this case, tcpdump still shows that the packets are reaching their destination.

Possible Cause 2: Traps from unmanaged devices are not processed by Command Center.

Action: Check if to see if the trap destination and port are correctly configured on the device.


Q: Why am I not able to view the old events?

A: Explanation: By default, Command Center does not display the entire database. The default is a maximum 10,000 events, no older than 6 months.

Possible Cause 1: Command Center displays only 10,000 events in client GUI.

Action: You can change this setting by modifying the value of the EVENT_WINDOW_SIZE parameter in the NmsProcessesBE.conf file, which is in the <CC_HOME>/conf directory.

Possible Cause 2: Events older than 6 months are deleted.

Action : By default, the interval for cleaning the events is 6 months. You can change the interval by modifying the value of the CLEAN_EVENT_INTERVAL parameter in NmsProcessesBE.conf file, which is in the <CC_HOME>/conf.


Q: I am not able to view "Available Failed Objects" for a particular trap category. How do I troubleshoot the problem?

A: Explanation: When Command Center receives a trap, the failed objects become persistent in the Command Center database. The "Available Failed Objects" popup window displays that data.

Possible Cause: If Command Center has not received a trap for that category even once, you cannot see any failed objects for that particular trap.

Action: You can edit the field manually

Sample Events/Alarms:

For an entity-related event/alarm,(entityup/down, entityNameChanged, or entityofs), configure the failed object in the event/alarm trigger:

failedobject = $vserver_name OR $service_name OR $interface_name

For a Threshold event/alarm

failedobject = $counterName:$instance

  • Rx Average bandwidth(bits/sec):LO/1
  • Vserver current client connections:CC_Vsvr(




Q: When I generate a report, I encounter a "No Data to Chart" message.

A: Possible Cause 1: Counters for polling are disabled.

Action: Check to see if you have enabled the counter for polling in the Configure Polled Counters interface. If you have enabled it, clear the Exclude Zero Values check box for that polled counter, and then see if the report is generated.


Check the PerformanceErr file to see if there are any error messages logged for the particular counter and device. Some of the common error messages are: Error: "Invalid instance… Dropping packet for instance with value."

Explanation : This error is generally observed in Command Center version 3.x.

Action : Upgrade to 4.0 should take care of this. Error: "Request timed Out".

Explanation : This error appears when SNMP requests to the device are timing out.

Action : You can check the network connectivity and verify the accuracy of SNMP credentials in the device profile. Error: "Could not poll… No such object in this MIB".

Explanation : This error occurs when a particular version of the device does not support the counter for which the report is being generated.


Q: The Command Center graphs and values from the NetScaler device do not match.

A: A rate-counter value is calculated as the difference between two successive poll values divided by poll interval. The graphs plotted with these counters do not match with the exact values collected from the device.


Command Center Appliance

Updated: 2013-06-26

Q: Can Command Center appliances be monitored through any other SNMP Manager?

A: Yes, Command Center Appliance can be monitored by loading Command Center appliance MIB NS-CC-MIB onto any SNMP Manager. The MIB, which is in the <CC_Home>/mibs directory, currently supports only the CC appliance host name object. Contact and Location are not supported.

Note that the Command Center agent does not add itself as a trap destination; it does only performance data collection, syslog, and entity monitoring. Traps are still handled by Command Center server.



Q: Is there a process for configuring SNMP traps on a Command Center appliance?

A: No. Users cannot configure SNMP traps on a Command Center appliance.


Q: Is evaluation license supported for Command Center appliance ?

A: Yes, it is supported from Command Center version 5.0, build 35.11 onwards.