Admin Console Probe Guide for Hub

About This Guide
Related Documentation
Platform Compatibility
Setting up a Tunnel
  Controlling the Ports Assigned to Tunnels
  Creating Tunnel Access Lists
Creating a Static Route to a Hub
Creating Hub-to-Hub Queues
  About UIM Queues
  Reserved UIM Subject IDs
Controlling the Hub's Connectivity Behavior
Checking the Status of Other Hubs
Modifying the Log File Settings
hub
Advanced
  SSL
  Tunnel Settings
Hub List
Name Services
Queue List
Robot List
Tunnel
  1 - Tunnel Server
  2 - Tunnel Client
  3 - Tunnel Access List
Configuration Cannot be Retrieved
Queue Always Contains Messages
Viewing the Log File
The CA UIM hub serves as the communication center for a group of robots. A hub binds
robots into a logical group with the hub as the central connection point. Hubs are
commonly set up based on physical constraints (such as a lab, floor, or building) or by
service functions (such as development). A hub can also connect other hubs into a
hierarchy of hubs.
Architecturally, a hub is a robot that gains its management capabilities through the
presence of the hub probe. By configuring this probe, you can modify how the hub
handles the following UIM services.
■ Message distribution: All messages generated by robots are routed through the
  hub, which either forwards the messages to other hubs or dispatches them to local
  subscribers (users and probes).
■ Name service: The hub translates /domain/hub/robot/probe addresses into the IP
  address and port registered by the service on start-up so that applications can
  connect to the service, using TCP/IP.
■ Authorization. The hub handles logins to the domain.
■ Authentication. The hub authenticates requests and user access rights to probes
  and Infrastructure (hub, robot, and spooler).
■ Tunneling. Hub-to-hub tunnels enable secure communication from one site to
  another site, much like a VPN.
Note: You also can configure the hub probe with Infrastructure Manager.
This guide explains how to use Admin Console to view and modify configuration for the
hub probe. It is written for the CA Unified Infrastructure Management Administrator.
See also:
■ Documentation for other versions of the hub probe
■ The Release Notes for the hub probe
■ User documentation for Admin Console
For compatibility information, refer to the:
■ Support Matrix for Nimsoft Probes: platform support for individual probes
■ Nimsoft Compatibility Support Matrix: platform and database compatibility for
  primary Nimsoft components
In the Admin Console hub configuration GUI, you can:
■ Set up tunnel servers and tunnel clients (see page 8)
■ Control the ports assigned to tunnels (see page 10), which is recommended if the
  hub will have more than one tunnel client
■ Create tunnel access lists (see page 10) to restrict access to a tunnel
■ Create hub-to-hub queues (see page 12)
■ Control the hub's connectivity behavior (see page 15)
■ Check the status of other hubs (see page 15)
■ Modify the log file settings (see page 16)
To open the hub configuration GUI:
1. In the Admin Console navigation tree, expand a hub and select its robot.
2. Click the arrow next to the hub probe and select Configure.
Note the following:
■ When you click Save, all modifications are written to the configuration file and the
  hub probe uses the new configuration. The hub process does not restart.
■ To restart the process, Deactivate and then Activate the hub probe.
Follow these steps to set up a tunnel between two hubs.
Important: If your tunnel server will have multiple tunnel clients, you can control the
port assignments instead of letting the hub assign them based on the configuration for
the controller probe. To control them, follow the steps in Controlling the Ports Assigned
to Tunnels (see page 10) before you create client certificates.
Note: Fields marked with an asterisk are required.
1. Ensure that both hubs appear in the Admin Console navigation pane. If either does
   not, create a static route to the hub (see page 11).
2. Determine which hub will be the tunnel server.
   Recommendation: Because the tunnel server uses a fair amount of computing
   power, designate the system with the lower load as the tunnel server. If a central
   hub will have several remote hubs attached to it, make the remote hubs the tunnel
   servers so that each remote hub only adds a small amount of overhead to the
   central hub.
3. Activate tunneling on the tunnel server:
   a. In Admin Console, expand the hub that will be the tunnel server, then open its
      hub probe in the configuration GUI.
   b. Select the Tunnel node. Check Tunnel Active and click Save.
   Note: Enabling tunneling is a one-time task. If tunneling is enabled, it cannot be
   disabled.
4. Set up the tunnel server:
   a. Navigate to 1 - Tunnel Server.
   b. In Tunnel Server CA Initialization:
      – Enter information about your organization.
      – Create a password to be used to establish trust between the tunnel server
        and its clients.
   c. Select Actions > Perform Tunnel Server CA Initialization. The CA certificate
      appears in the tunnel client certificate list.
   d. Modify Tunnel Server Settings (optional):
      – Set Server Port to any available port (default is 48003).
      – Increase the Security Setting as desired.
5. Create the tunnel client certificate:
   a. In Tunnel Client Certificate Entry:
      – Enter the organization information.
      – Enter the password that you created when you initialized the tunnel
        server.
      – Specify how long the certificate will be active.
   b. Select Actions > Create Client Certificate. The certificate appears in the tunnel
      client certificate list.
6. Set up the tunnel client:
   a. Copy all of the text in the Certificate field (below the Tunnel Client Certificate
      List) and close the GUI.
   b. In Admin Console, expand the hub that will be the tunnel client and open its
      hub probe.
   c. Navigate to Tunnel, check Tunnel Active, and click Save.
   d. Reopen the GUI and navigate to 2 - Tunnel Client.
   e. Under Tunnel Client Certificates Config, click New. In the fields that appear:
      – Leave Certificate ID blank.
      – Server is the tunnel server's IP address.
      – If your environment uses NAT (network address translation), disable Check
        Server Common Name Value.
        Note: When this option is enabled, the tunnel server must verify that the
        tunnel is coming from the IP address specified in the certificate. IP address
        mapping requires that this be disabled in NAT-ed environments. However,
        CA recommends you leave this option enabled in all other cases.
      – Optional: Enter a Description.
      – Enter the Password you created for the tunnel server.
      – Optional: modify the Keep Alive setting.
      – In the Certificate field, paste the text you copied from the tunnel server.
   f. Click Save at the top of the page.
7. If you created a static route to a hub that is now connected to the message bus by a
   tunnel, you must delete the static route:
   a. Expand the hub from which you configured the static route, then open its hub
      probe in the configuration GUI.
   b. Navigate to Name Services and remove the static route.
Important! This must be done to ensure that all UIM data flows through the secure
tunnel and not through the static route.
The tunnel is now active.
If your tunnel server will have more than one tunnel client and you want to control the
port assignments, perform the following steps on the tunnel server before you create
client certificates.
Important: This configuration is recommended for advanced users only. Contact
Support if you need assistance.
1. In Admin Console, expand the hub that will be the tunnel server. Open its hub
   probe in the configuration GUI and navigate to Advanced > Tunnel Settings.
2. In Tunnel Advanced Settings:
   ■ Enable Ignore Controller First Probe Port.
   ■ Specify the First Tunnel Port, the port to be used by the first tunnel you set up.
     For each additional tunnel, the tunnel server increments the number and
     assigns that port to the tunnel client. The client keeps that port as long as the
     hub is running. Note the following:
     – The server does not keep track of disconnected clients. If a tunnel client is
       connected to the server, this number increments, even if a previously used
       port becomes available. However, if there are no active clients, the
       counter resets.
     – If you plan to configure more than one tunnel, we recommend you specify
       the first port. Make sure you do NOT use the port range that the controller
       probe uses.
     – If this field is blank, the operating system assigns random ports.
3. Click Save.
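The port-assignment rules above determine how wide a firewall rule for the tunnel server has to be. The following Python model is an added example, not CA code: it replays a constructed connect/disconnect sequence against those rules and checks the resulting ports against a controller probe range and a firewall range. The class and function names and all port numbers are assumptions, as is treating a reconnecting client as a new client.

```python
from dataclasses import dataclass, field


@dataclass
class TunnelPortModel:
    """Simplified model of the documented counter; not the hub's own code."""
    first_tunnel_port: int
    active: dict = field(default_factory=dict)  # client name -> assigned port
    next_port: int = 0

    def __post_init__(self):
        self.next_port = self.first_tunnel_port

    def connect(self, client):
        # Assumption: a client that is still connected keeps its port.
        if client in self.active:
            return self.active[client]
        port = self.next_port
        self.next_port += 1  # the number increments for each additional tunnel
        self.active[client] = port
        return port

    def disconnect(self, client):
        # Disconnected clients are not tracked, so a freed port is not handed
        # out again while any other client is still connected.
        self.active.pop(client, None)
        if not self.active:
            self.next_port = self.first_tunnel_port  # no active clients: reset


def replay(first_tunnel_port, events):
    """Replay (action, client) events and return the ports handed out, in order."""
    model = TunnelPortModel(first_tunnel_port)
    assigned = []
    for action, client in events:
        if action == "connect":
            assigned.append(model.connect(client))
        elif action == "disconnect":
            model.disconnect(client)
        else:
            raise ValueError(f"unknown action: {action}")
    return assigned


def required_range(first_tunnel_port, events):
    """Lowest and highest port the event sequence needs, or None if none."""
    assigned = replay(first_tunnel_port, events)
    return (min(assigned), max(assigned)) if assigned else None


def overlaps(a, b):
    """True if two inclusive (low, high) port ranges share any port."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_plan(first_tunnel_port, events, controller_range, firewall_range):
    """Return a list of problems with a planned First Tunnel Port value."""
    needed = required_range(first_tunnel_port, events)
    problems = []
    if needed is None:
        return problems
    if overlaps(needed, controller_range):
        problems.append("overlaps controller probe port range")
    if needed[0] < firewall_range[0] or needed[1] > firewall_range[1]:
        problems.append("firewall range too narrow")
    return problems


# Constructed sample data: three tunnel clients, one of which reconnects twice
# while the other two stay connected.
EVENTS = [
    ("connect", "site-a"), ("connect", "site-b"), ("connect", "site-c"),
    ("disconnect", "site-b"), ("connect", "site-b"),
    ("disconnect", "site-b"), ("connect", "site-b"),
]
CONTROLLER_RANGE = (48000, 48099)  # assumed range used by the controller probe
FIRST_TUNNEL_PORT = 48500          # assumed First Tunnel Port value

if __name__ == "__main__":
    print("ports handed out:", replay(FIRST_TUNNEL_PORT, EVENTS))
    print("range needed:", required_range(FIRST_TUNNEL_PORT, EVENTS))
    # A rule sized for "three clients" is too narrow once one client reconnects.
    print(check_plan(FIRST_TUNNEL_PORT, EVENTS, CONTROLLER_RANGE, (48500, 48502)))
```

In this model three clients end up needing five consecutive ports, so a firewall rule sized to the number of clients alone would block the reconnecting tunnel.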
By default, all UIM requests and messages can be routed over the tunnel and dispatched
on the other side. This routing is transparent.
A tunnel Access List lets you restrict the access privileges for UIM users, addresses and
commands. The Access List is created on the tunnel client hub.
Recommendation: Use Infrastructure Manager to create these lists. Tunnel access lists
created with the Admin Console hub configuration GUI may have issues. Refer to Access
List in the Infrastructure Manager hub configuration guide for details.
If a hub does not appear in the Admin Console navigation pane, you can create a static
route to it. Follow these steps.
1. In Admin Console, expand the primary hub, then open its hub probe in the
   configuration GUI.
2. Navigate to Name Services.
3. In Static Hub List Entry:
   ■ Leave Active and Synchronize checked.
   ■ Enter the IP address of the secondary hub.
4. Select Actions > Create Static Hub.
5. Close the configuration GUI.
6. Verify that the secondary hub appears in the navigation pane.
If you have any secondary hubs in your deployment, you must create queues so that
messages from those hubs can reach the primary hub. You will create:
■ Attach queues on all secondary hubs. These queues collect messages.
■ Corresponding get queues on any intermediary secondary hubs and on the primary
  hub. These queues get the messages from the attach queues.
You can either create one attach queue with the wildcard (*) subject to collect all
messages, or create separate queues for different messages or groups of messages. To
learn more, refer to About UIM Queues (see page 13).
Follow these steps:
1. In Admin Console, expand the hub, open the hub probe configuration GUI, and
   navigate to Queue List.
2. In the Queue List Configuration table, click New.
3. In the fields below the table, specify the required information. Some fields are
   specific to the type of queue being created.
   ■ Queue Name: Enter a unique and descriptive name.
     Recommendation: for usability, use a name similar or identical to the subject.
   ■ Active: Leave checked if you want the queue to be active immediately.
   ■ Type: Select attach, get, or post.
     Note: The remaining fields in this area are active if they are required for the
     selected type.
   ■ Subject (attach or post queues): Select the subject. Note that:
     – If the subject is asterisk (*), the queue holds all subjects.
     – If the desired subject is not listed, enter it in the Queue List Entry Subject
       to Add field, then select Actions > Add Subject to List.
   ■ Hub Address (get queues): Address for the hub that has the corresponding
     attach queue.
   ■ Remote Queue Name (get queues): Name of the corresponding attach queue.
   ■ If desired, enter a Bulk Size, which specifies how many messages can be
     transferred simultaneously (in one bulk). The only time you need to change this
     value from '<default>' is when you see that the queue grows and never shrinks
     to zero (see Subscribers Queues on the Status tab). This indicates that the hub
     has problems delivering the messages to the target hub fast enough. The
     reason for this behavior could be that the number of QoS messages delivered
     to the hub from the robots has increased a lot (see the Statistics button on the
     General tab) or that the latency is too high and slows down the deliveries (see
     Response Check, right-clicking a hub in the hubs list).
UIM components use queues to pass messages. Messages are placed into queues based
on their Subject ID, which classifies every UIM message. Most queues are created
automatically during installation (when hub-to-robot communication is set up) or
deployment (during which some probes create the queues they require).
Hub-to-hub queues must be created manually. If you have any secondary hubs in your
deployment, you must create queues so that those hubs can communicate with the
primary hub.
You can create three types of queues:
■ An Attach queue collects messages (based on subject) for forwarding to another
  hub.
■ A Post queue sends a stream of messages (based on subject) directly to a
  destination hub.
■ A Get queue retrieves messages collected by an attach queue on another hub.
An attach or post queue's subject attribute determines which messages are directed to
the queue:
■ The wildcard (*) subject collects all messages in one queue.
■ Queues can collect messages for more than one subject. Add a new subject with all
  desired subjects separated by commas (for example, alarms, alarms2).
Note: A number of subjects are reserved for use by UIM components. They are listed in
Reserved UIM Subject IDs (see page 13).
Keep in mind that queues are first-in-first-out lists, which means messages in a wildcard
queue are not prioritized based on subject. If a hub transfers thousands of messages
each second, a critical alarm message might have to wait behind less urgent QoS
messages.
Recommendation: In a high-volume environment, create separate queues for important
subjects, such as alarm, or for subjects that will create many messages. Create one
multiple-subject queue for all subjects that are not critical.
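The effect of this recommendation can be modelled in a few lines. The following Python code is an added example, not part of the product: it applies the subject rules above (wildcard, comma-separated subject lists) to a constructed message stream and counts how many transfers of Bulk Size messages pass before one alarm leaves a first-in-first-out queue. The queue names, the message dictionaries, and the assumptions that a message is placed in every queue whose subject matches and that each queue is drained independently are illustrative.

```python
from collections import deque


def subject_matches(queue_subject, message_subject):
    """Apply the queue subject rules: '*' takes everything, commas list subjects."""
    if queue_subject.strip() == "*":
        return True
    wanted = {s.strip() for s in queue_subject.split(",") if s.strip()}
    return message_subject in wanted


def fill_queues(queue_config, messages):
    """Place each message, in arrival order, in every queue whose subject matches.

    queue_config maps a queue name to its subject field (assumed layout).
    """
    queues = {name: deque() for name in queue_config}
    for msg in messages:
        for name, subject in queue_config.items():
            if subject_matches(subject, msg["subject"]):
                queues[name].append(msg)
    return queues


def transfers_until_delivered(queue, msg_id, bulk_size):
    """Number of bulk transfers needed before msg_id has left a FIFO queue."""
    for position, msg in enumerate(queue):
        if msg["id"] == msg_id:
            return position // bulk_size + 1
    return None  # message is not in this queue


def alarm_delay(queue_config, messages, msg_id, bulk_size):
    """Map each queue that holds msg_id to the transfer in which it is sent."""
    result = {}
    for name, queue in fill_queues(queue_config, messages).items():
        transfers = transfers_until_delivered(queue, msg_id, bulk_size)
        if transfers is not None:
            result[name] = transfers
    return result


# Constructed sample stream: 1000 QoS messages, then one alarm, then more QoS.
MESSAGES = (
    [{"id": f"qos-{i}", "subject": "QOS_MESSAGE"} for i in range(1000)]
    + [{"id": "critical-1", "subject": "alarm"}]
    + [{"id": f"qos-late-{i}", "subject": "QOS_MESSAGE"} for i in range(50)]
)

# One wildcard queue versus a dedicated alarm queue plus one multiple-subject
# queue for the less critical subjects (queue names are assumptions).
WILDCARD = {"all": "*"}
SPLIT = {
    "alarm": "alarm",
    "bulk": "QOS_MESSAGE, QOS_DEFINITION, audit, probe_discovery",
}

if __name__ == "__main__":
    print("wildcard queue:", alarm_delay(WILDCARD, MESSAGES, "critical-1", 100))
    print("separate queues:", alarm_delay(SPLIT, MESSAGES, "critical-1", 100))
```

With a bulk size of 100 the alarm leaves the wildcard queue in the eleventh transfer, but leaves a dedicated alarm queue in the first.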
The following table shows the subjects used by UIM components, the types of messages
that use them, and the component that generates them. All messages with the same
subject should also have identical data structures.
Subject | Used by | Generated by
alarm | Alarm messages |
alarm2 | Enriched alarm messages |
alarm_new | Alarm message whose footprint is not previously recorded |
alarm_update | Alarm message whose footprint already exists |
alarm_close | Message sent when a client closes (acknowledges) an alarm and removes it from the currently active alarms |
alarm_assign | Message sent when a client closes (acknowledges) an alarm and removes it from the currently active alarms |
alarm_stats | statistical event messages generated by the NAS probe that contain severity level summary information for all open alarms |
audit | Audit messages: probe package distributions, activations, etc. | audit probe
probe_discovery | device information | discovery probes
QOS_BASELINE | messages containing baseline data points for QoS metrics |
QOS_DEFINITION | message that specifies a QoS definition |
QOS_MESSAGE | All QoS messages |
When you install a hub, the way it connects with other hubs is determined by default
values that are sufficient for most hubs. However, you may want to adjust a hub's
connectivity settings to meet the needs of your deployment or to improve performance.
For example:
■ Hub Settings control the hub's request timeout, update interval and login mode.
■ Robot Settings specify the alarm sent for events that occur on robots connected to
  the hub.
■ Queue Settings control the behavior and size of queues.
■ Broadcast Configuration settings specify whether and where the hub lets other
  hubs know it is active.
■ Lockout Configuration settings let you avoid leaving the system vulnerable to
  brute-force password guessing.
To modify the connectivity behavior:
1. In Admin Console, open the hub probe in the configuration GUI and navigate to
   Advanced.
2. Modify the settings as needed. Refer to Advanced (see page 21) for details on the
   settings.
3. Click Save at the top of the page.
To check the status of another hub within your domain, follow these steps:
1. In Admin Console, open the hub configuration GUI for any hub in the domain.
2. Navigate to Hub List.
3. In the table that shows the status and other information for all hubs in the domain,
   select the hub you want to check.
4. Click Actions and choose the desired command:
   – Alive Check to view the status of the selected hub.
   – Response Check to view the response time (connect - reconnect, no transfer)
     between your hub and the one selected in the list.
   – Transfer Check to transfer data from your hub to the selected hub and view the
     transfer rate.
All UIM probes maintain log files. By default, the log file records:
■ Only messages classified as 0 - Fatal. This keeps a minimal amount of data.
■ Up to 1024 KB of data.
If you are troubleshooting or debugging, you may want to view the hub's activity in
more detail or keep more data in the log file. To do this:
1. In Admin Console, open the hub probe in the configuration GUI and navigate to the
   hub node.
2. In General Configuration, set the log level and file size as desired.
3. Activate the changes. Either:
   ■ Click Actions > Set In-Memory Log Level. This applies the changes without
     restarting the probe, but does not retain the changes when the probe is
     restarted. This lets you view the hub's current activity in more detail.
   ■ Click Save at the top of the page. This restarts the hub and retains new settings.
While most hubs perform their tasks sufficiently with little or no interaction from the
administrator, you can modify various configuration settings for better performance and
usability.
Tunnels
■ Caching the SSL sessions can significantly speed up the server/client connection
  time.
■ If a non-functioning tunnel will significantly impact your operations, increase the
  level of alarm sent if a connection is lost or cannot be made.
These settings are found on the Advanced > Tunnel Settings (see page 24) node in the
Admin Console hub configuration GUI.
Queues
■ If the size of a get or post queue never shrinks to zero or if it always has many
  messages, increase the Bulk Size on the queue. This allows the hub to transfer
  multiple messages in one packet.
This section describes the configuration information and options available through the
Admin Console hub configuration GUI. The navigation pane organizes hub configuration
into the following nodes:
■ hub (see page 20)
■ Advanced (see page 21)
  – SSL (see page 23)
  – Tunnel Settings (see page 24)
■ Hub List (see page 25)
■ Name Services (see page 26)
■ Queue List (see page 27)
■ Robot List (see page 28)
■ Tunnel (see page 28)
  – 1 - Tunnel Server (see page 29)
  – 2 - Tunnel Client (see page 31)
  – 3 - Tunnel Access List (see page 32)
To access the hub configuration interface, select the hub's robot in the Admin Console
navigation pane. In the Probes list, click the arrow to the left of the hub probe and
select Configure.
Navigation: hub
This section lets you view information about the hub and adjust log file settings.
Probe Information
This section displays the probe name, start time, version and vendor.
Hub Information
This section displays the hub name, domain, IP address, hub address
(/domain/hub_name/robot_name/hub), and uptime data.
License Information
This section displays details about the license used for the hub's robot; the total
number of licenses and the number available are also shown. An invalid
license stops the message flow from the hub to its subscribers (mostly service
probes) and prevents the robot spoolers from uploading their messages.
General Configuration
This section lets you modify log file settings.
■ Log Level specifies the level of alarm information saved in the log file. 0 - Fatal
  (default) logs the least; 5 - Trace logs all alarms.
  Recommendation: Log as little as possible during normal operation to reduce
  disk consumption. Increase the level when debugging.
■ Log Size controls the amount of data retained in the log file (in KB, default is
  1024). Large log files can cause performance issues, so use caution
  when changing this size.
One command is available.
■ Actions > Set In-Memory Log Level makes changes to the log file settings take
  effect immediately without restarting the hub, which lets you view more detail
  about the hub's current activity. The settings are retained until the hub
  restarts.
Navigation: hub > Advanced
This section allows you to control the hub's connectivity behavior.
Hub Settings
This section controls how the hub communicates.
■ Hub Request Timeout specifies how long the hub waits for a response from
  other hubs. Default: 30 seconds.
■ Hub Update Interval specifies how often the hub sends its messages to the
  other hubs. Default: 600 seconds.
■ Origin identifies the sender for data sent by the probes. It is used when reports
  are generated. This field obtains the origin from the controller probe
  configuration. If the origin is not specified there, this field is blank and the
  hub name is used.
■ Disable IP Validation turns off the IP address validation the hub does for all
  computers sending requests to its probes. It is typically used when using NAT
  (Network Address Translation).
■ Login Mode provides three options:
  – Normal (default) allows logins from any robot connected to the hub.
  – Local Machine Only allows logins only from the computer hosting the hub.
    Attempts from any other robot connected to the hub are refused.
  – No Login disables all logins to the hub.
Broadcast Configuration
This section controls whether and where the hub lets other hubs know it is active.
■ Broadcast On (default) enables the hub to broadcast its status.
■ Broadcast Address is the IP address on which the hub broadcasts. Default is
  255.255.255.255 (the default broadcast address for any local network).
Lockout Configuration
This section controls the lockout settings for the hub to avoid leaving the system
vulnerable to brute-force password guessing.
■ Login Failure Count specifies the number of attempts from a single IP address.
■ Lockout Time specifies the number of seconds that must pass before a user can
  attempt to log in after a failure.
Robot Settings
This section controls the alarm settings for events that occur on all robots
connected to the hub.
■ Inactive Robot Alarm Severity specifies the level of warning sent when a robot
  fails to respond.
■ Audit Settings for Robots lets you turn auditing on or off for all of the hub's
  robots, or allow each robot to use its own settings.
  Note: Auditing records important events, such as starting and stopping the
  robot.
■ Audit Once per User
Queue Settings
This section controls the behavior and size of queues.
■ Reconnect Interval is the number of seconds between a disconnected hub's
  attempts to reconnect (default is 180).
■ Disconnect Passive Queues specifies how long a queue can be passive (receive
  no messages) before being disconnected (default is 180).
■ Post Reply Timeout specifies how long a hub waits for a reply to a message. A
  timeout occurs if no response is received within this interval.
■ Alarm Queue Size is the size of the queue file on the hub. An alarm is sent if
  the queue exceeds this threshold (default is 10 MB).
Navigation: hub > Advanced > SSL
This section lets you configure a hub to use SSL.
SSL
This section lets you configure SSL settings. This configuration must be done on all
hubs that require SSL.
■ Login Mode provides three options:
  – Normal (login allowed) lets only UIM users log in to the hub.
  – Compatibility Mode (recommended) is mixed SSL/Normal mode. The
    system checks for SSL compatibility. If SSL compatibility does not exist, the
    system uses the UIM login.
  – SSL Only lets the hub communicate only with components that support
    SSL.
    Important: This mode significantly reduces traffic bandwidth and
    performance. Also note that some probes (particularly older ones) do not
    support SSL. Mixing different versions of UIM components is not possible
    with the SSL Only mode.
    Note: SSL settings for UIM components are controlled by each component's
    hub. The hub propagates SSL settings to the robots; the robots then
    propagate the settings to the probes.
■ Cypher Type specifies the cipher suite used by the OpenSSL library.
Navigation: hub > Advanced > Tunnel Settings
This section lets you control the behavior of the hub's tunnels.
Tunnel Advanced Settings
These settings control how tunnels connect.
■ Ignore Controller First Probe Port controls how tunnel ports are assigned.
  – Enabled: the hub uses the First Tunnel Port setting (recommended if the
    hub will have more than one tunnel server).
  – Disabled: the tunnel is assigned the port number specified as First Probe
    Port in the controller probe configuration.
■ First Tunnel Port specifies the port to be used by the first tunnel you set up.
  For each additional tunnel, the tunnel server increments the number and
  assigns that port to the tunnel client. The client keeps that port as long as the
  hub is running. Note the following:
  – The server does not keep track of disconnected clients. If a tunnel client is
    connected to the server, this number increments, even if a previously used
    port becomes available. However, if there are no active clients, the
    counter resets.
  – If you plan to configure more than one tunnel, we recommend you specify
    the first port. Make sure you do NOT use the port range that the controller
    probe uses.
  – If this field is blank, the operating system assigns random ports.
■ Hang Timeout (in seconds, default is 120) specifies the interval between
  automatic tunnel restart attempts. The tunnel server continuously checks the
  status of its tunnels. If a tunnel does not respond, the hub attempts to restart
  it. If it does not respond within the time specified, it attempts another restart,
  and will continue to do so until the tunnel is active.
Tunnel SSL Session Cache
These settings control SSL caching.
■ Use Client Cache / Use Server Cache enables caching of SSL sessions, which
  allows previous session credentials to be used. Enabling both options
  significantly speeds up the server/client connection time.
■ Server Cache Timeout (in seconds) specifies how long the cached sessions are
  valid for reuse by the client. Default is 7200 (2 hours).
■ Server Cache Size specifies how much data is stored in the cache. Default is
  1024 KB.
Navigation: hub > Hub List
This section lists all the hubs within a UIM domain, displays information about them,
and lets you check their status.
Hub List
This section displays the following information about each hub:
■ Domain
■ Name
■ Status
■ Version of the hub probe
■ Last Updated, date and time when the hub probe was last restarted
■ IP address
■ Port
Three commands let you check the status of other hubs:
■ Actions > Alive Check checks the status of the selected hub.
■ Actions > Response Check checks the response time (connect - reconnect, no
  transfer) between your hub and the one selected in the list.
■ Actions > Transfer Check transfers data from your hub to the one selected in
  the list and checks the transfer rate.
Navigation: hub > Name Services
This section lets you ensure hubs separated by firewalls or routers can discover each
other and that hubs in a NAT environment can return requests.
Static Hub List Entry
This section lets you enter information for the static route.
■ Active: enable to ensure the route is active upon creation.
■ Synchronize: enable to ensure the hub sends status information to the static
  hub.
■ Hostname/IP of the static hub.
One command is available.
■ Actions > Create Static Hub sets up the static route.
Static Hub List
This section displays the hubs to which there is a static route from the hub being
configured.
■ Active indicates the route is active.
■ Synchronize indicates the hub is sending status information to the static hub.
■ Name, IP, Domain, and Robot Name identify the static hub.
One command is available.
■ Actions > Remove Static Hub removes the selected static hub.
Network Aliases
In a NAT environment, network aliases let the hub know the appropriate return
address for requests from remote hubs.
■ From Address is the address from which the remote hub sends requests.
■ To Address is the address to which the responses should be sent.
Navigation: hub > Queue List
This section lets you create hub-to-hub queues.
Queue List Entry
This section lets you add a new queue subject.
■ Subject To Add lets you specify the new subject.
  Note: Some subjects are reserved for use by UIM probes. See Reserved UIM Subject IDs (see page 13).
One command is available.
■ Actions > Add Subject To List adds a queue subject immediately so it can be used in a new queue.
Queue List Configuration
This section lets you enter information for new queues or view the configuration of
existing queues. Some fields are specific to the type of queue being created.
■ New and Delete let you add and delete queues.
■ Queue Name is the name of the queue being created.
■ Active shows the queue status.
■ Type specifies the type of queue being created: attach, post or get.
■ Hub Address (get queues) is the UIM address of the hub that has the corresponding attach queue.
■ Subject (attach or post queues) specifies the type(s) of messages to collect in the queue.
■ Remote Queue Name (get queues) is the name of the corresponding attach queue.
■ Remote Queue List (get queues) displays available attach queues found in the domain.
■ Bulk Size specifies the number of messages to be transferred in one package.
Navigation: hub > Robot List
This section lists all the robots controlled by the hub, displays information about them,
and lets you restart them.
Robot List
This section displays the following information about each robot.
■ Name
■ Status
■ IP address
■ Version of the robot probes
■ OS version and information
Two commands are available.
■ Actions > Alive Check checks the status of the selected robot.
■ Actions > Restart restarts the selected robot.
Navigation: hub > Tunnel
This section enables tunneling on a tunnel server or tunnel client. This must be done
once on each hub that will have a tunnel.
Tunnel Activation
■ Tunnel Active: Check this option and then click Save to enable tunneling.
Navigation: hub > 1 - Tunnel Server
This section lets you configure a hub to be a tunnel server.
Certificate Authority (CA) Initialization
This section lets you designate a hub as a Certificate Authority.
Note: This is a one-time task. After it has been done, this section will display Tunnel
Server CA Is Initialized.
Server Settings
This section shows the tunnel server's status.
■ Active indicates the tunnel is running.
■ Tunnel Server Status shows whether the tunnel is running or stopped (change the status with the Actions commands).
■ Common Name is the IP address of the tunnel server.
■ Expiration Days shows the date the tunnel expires.
■ Server Port is the port the tunnel server will use to transfer data (default is 48003).
■ Security Setting specifies the encryption level used for tunneled packets:
  – NONE: No encryption but uses authentication. Fast but not very secure.
  – LOW: Fast but not very secure encryption and authentication.
  – MEDIUM: Slow but secure encryption and authentication.
  – HIGH: Slow but very secure encryption and authentication.
  – CUSTOM: Slowest but most secure encryption and authentication.
■ Custom Cipher * is specified when the Security Setting is Custom.
CA Certificates
This section lets you create the CA certificates, which give the hub the authority to
issue client certificates.
■ Organization Name, Organization Unit Name, and Email Address identify the issuing entity.
■ Country Name, State or Province Name, and Locality Name are the location of the receiving entity.
■ Common Name is the IPV4 or IPV6 address (hexadecimal format) for the tunnel server hub.
■ Beginning Date and Ending Date specify when the certificate is valid.
Client Certificate Configuration
This section lets you create client certificates.
Note: Every tunnel client that will connect with the tunnel server requires a unique
client certificate.
■ Organization Name, Organization Unit Name, and Email Address identify the receiving entity.
■ Country Name, State or Province Name, and Locality Name are the location of the receiving entity.
■ Common Name is the IPV4 or IPV6 address (hexadecimal format) for the tunnel client hub.
  Note: The tunnel client hub must be active when the certificate is created.
■ Password lets you specify the password that will allow the tunnel client hub to access the tunnel server.
■ Beginning Date and Ending Date show when the certificate is valid.
■ Certificate * displays the client certificate text, which must be copied to the tunnel client hub configuration.
One command is available.
■ Actions > Create Tunnel Server Client Certificate creates the certificate.
Client Certificate List
This section lists your client certificates.
■ New and Delete let you add and delete certificates.
■ Rows in the table display information about the certificates.
■ Fields below the table display details for the selected certificate.
■ Certificate * displays the certificate text, which must be copied and pasted into the tunnel client hub configuration.
Navigation: hub > Tunnel > 2 - Tunnel Client
This section lets you configure a hub to be a tunnel client.
Client Certificate Configuration
This section lets you add, delete and view tunnel client certificates.
■ New and Delete add and delete tunnel client certificates.
■ Certificate ID is the number assigned to the certificate.
■ Active shows the certificate status.
■ Server * specifies the IP address of the tunnel server hub.
■ Server Port * specifies the port to be used for tunneled data.
■ Check Server 'Common Name' Value makes the tunnel server verify that the tunnel is coming from the IP address specified in the client certificate. IP address mapping requires that this be disabled in NAT environments. However, CA recommends you leave this option enabled in all other cases.
■ Description lets you describe the tunnel.
■ Password * is the password that was defined when the tunnel client certificate was created.
■ Keep Alive (in seconds) specifies the interval at which small data packets are sent. This is to allow for firewall connection disruption on idle connections.
■ Certificate * is where you paste the client certificate text (which was created on the tunnel server hub).
Navigation: hub > Tunnel > Tunnel Access List
This section lets you restrict the access privileges for UIM users, addresses and
commands.
Recommendation: Due to issues with tunnel access lists created with this release of the
Admin Console hub configuration GUI, CA recommends you use Infrastructure Manager
to create these lists. Refer to Access List in the Infrastructure Manager hub
configuration guide for details.
Tunnel Access List
This section lets you create tunnel access lists.
■ New and Delete let you create or delete an access list.
■ Source IP * is the IP address of the tunnel server, or the wildcard character (*).
■ Destination Address * is the address of the target hub, robot or probe.
■ Probe Command is the specific command you want to allow or deny. To find the command set, click the icon next to the hub probe and select Probe Utility.
■ User * to whom you want to allow or deny access (regular expression is allowed).
■ Mode * These settings let you specify the access mode.
  – ACCEPT access for the specified user, command or probe.
  – DENY access for the specified user, command or probe.
  – LOG all requests through the tunnel with information recorded when the access list is processed.
    Note: This is normally used for debugging purposes when testing commands against targets before setting them up as accept or deny rules. The result can be viewed in the hub log file before your deny or accept rules.
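The tunnel server, tunnel client and tunnel access list settings described above can be reviewed together once they are written down. The following is an added example, not code from CA or from the hub probe: the key names mirror the GUI labels, while the dict layout, the nat flag, the severity labels and the sample values are assumptions made for illustration.

```python
# Added example. Key names mirror the GUI labels in this guide; the dict layout
# is an assumption for illustration, not the hub's configuration file format.
WEAK_LEVELS = {"NONE", "LOW"}  # both are described in the guide as "not very secure"


def audit_tunnel_settings(cfg):
    """Return (severity, message) findings for one hub's tunnel settings."""
    findings = []

    server = cfg.get("tunnel_server") or {}
    level = str(server.get("security_setting", "")).upper()
    if level in WEAK_LEVELS:
        findings.append(("high", f"Security Setting is {level}"))
    elif level == "CUSTOM" and not server.get("custom_cipher"):
        findings.append(("high", "Security Setting is CUSTOM but Custom Cipher is empty"))

    for client in cfg.get("tunnel_clients", []):
        # The guide allows disabling the Common Name check only for NAT mapping.
        checked = client.get("check_server_common_name", True)
        if not checked and not client.get("nat", False):
            findings.append(("medium", f"certificate {client.get('certificate_id')}: "
                             "Check Server 'Common Name' Value is disabled outside NAT"))

    for n, rule in enumerate(cfg.get("access_list", []), start=1):
        mode = str(rule.get("mode", "")).upper()
        if mode == "ACCEPT" and rule.get("source_ip") == "*":
            findings.append(("review", f"access rule {n}: ACCEPT with wildcard Source IP"))
        elif mode == "LOG":
            findings.append(("review", f"access rule {n}: LOG rule left in place"))
    return findings


# Constructed sample settings (addresses are documentation ranges).
SAMPLE = {
    "tunnel_server": {"security_setting": "LOW", "server_port": 48003},
    "tunnel_clients": [
        {"certificate_id": 1, "check_server_common_name": False, "nat": False},
        {"certificate_id": 2, "check_server_common_name": False, "nat": True},
    ],
    "access_list": [
        {"source_ip": "*", "destination": "/dom/hub1/robot1", "user": ".*", "mode": "ACCEPT"},
        {"source_ip": "192.0.2.10", "destination": "/dom/hub1/robot1", "user": "operator", "mode": "LOG"},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_tunnel_settings(SAMPLE):
        print(f"[{severity}] {message}")
```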
Troubleshooting topics:
■ Configuration Cannot be Retrieved
■ Queue Always Contains Messages
■ Viewing the Log File
If your problem is not addressed here:
■ Look for a solution or ask other users for help on the CA UIM Community Forum.
■ Contact Support.
■ Send us feedback with the "rate this page" link below. We will strive to include a solution in the next release of this document.
Problem: You see Error: Configuration was unable to be retrieved when you try to open the hub configuration GUI.
Solution: Deploy the mpse probe to the hub. The mpse probe contains all available
probe configuration GUIs accessed through Admin Console.
1. Click Archive above the navigation pane.
2. In the navigation pane, check the box next to the target robot.
3. Locate the mpse probe in your local archive and check the box next to it.
4. At the top of the probe list, click Deploy.
5. Click Infrastructure.
Problem: Queue size is never zero.
If a queue never shrinks to zero or if it always has many messages in the queue, the hub
is not able to deliver the messages to the target hub fast enough. This could be because
the number of QoS messages delivered to the hub from the robots has significantly
increased or because the latency is too high and slows down the deliveries.
Solutions:
■ If the queue collects messages for one subject, increase the bulk size of the queue so that messages are transferred in bulk.
■ If it is a wildcard or multiple-subject queue, you can create separate queues for different subjects.
Advanced users may find it helpful to view the log file. Click the icon next to the hub
probe and select View Log. You also can modify the log file settings (see page 16) so that
it retains more data for troubleshooting.