Admin Console Probe Guide for Hub
advertisement
About This Guide .......................................................................................................................................................... 5 Related Documentation ............................................................................................................................................... 5 Platform Compatibility ................................................................................................................................................. 6 Setting up a Tunnel ...................................................................................................................................................... 8 Controlling the Ports Assigned to Tunnels .......................................................................................................... 10 Creating Tunnel Access Lists ............................................................................................................................... 10 Creating a Static Route to a Hub ................................................................................................................................ 11 Creating Hub-to-Hub Queues ..................................................................................................................................... 12 About UIM Queues ............................................................................................................................................. 13 Reserved UIM Subject IDs ................................................................................................................................... 14 Controlling the Hub's Connectivity Behavior ............................................................................................................. 15 Checking the Status of Other Hubs ............................................................................................................................ 15 Modifying the Log File Settings .................................................................................................................................. 16 hub ............................................................................................................................................................................. 20 Advanced .................................................................................................................................................................... 21 SSL ....................................................................................................................................................................... 23 Tunnel Settings.................................................................................................................................................... 24 Hub List....................................................................................................................................................................... 25 Name Services ............................................................................................................................................................ 26 Queue List .................................................................................................................................................................. 27 Robot List ................................................................................................................................................................... 28 Tunnel ........................................................................................................................................................................ 28 1 - Tunnel Server ................................................................................................................................................. 29 2 - Tunnel Client .................................................................................................................................................. 31 3 - Tunnel Access List .......................................................................................................................................... 32 Configuration Cannot be Retrieved............................................................................................................................ 33 Queue Always Contains Messages ............................................................................................................................. 34 Viewing the Log File ................................................................................................................................................... 34 The CA UIM hub serves as the communication center for a group of robots. A hub binds robots into a logical group with the hub as the central connection point. Hubs are commonly set up based on physical constraints (such as a lab, floor, or building) or by service functions (such as development). A hub can also connect other hubs into a hierarchy of hubs. Architecturally, a hub is a robot that gains its management capabilities through the presence of the hub probe. By configuring this probe, you can modify how the hub handles the following UIM services. ■ Message distribution: All messages generated by robots are routed through the hub, which either forwards the messages to other hubs or dispatches them to local subscribers (users and probes). ■ Name service: The hub translates /domain/hub/robot/probe addresses into the IP address and port registered by the service on start-up so that applications can connect to the service, using TCP/IP. ■ Authorization. The hub handles logins to the domain. ■ Authentication. The hub authenticates requests and user access rights to probes and Infrastructure (hub, robot, and spooler). ■ Tunneling. Hub-to-hub tunnels enable secure communication from one site to another site, much like a VPN. Note: You also can configure the hub probe with Infrastructure Manager. This guide explains how to use Admin Console to view and modify configuration for the hub probe. It is written for the CA Unified Infrastructure Management Administrator. See also: ■ Documentation for other versions of the hub probe ■ The Release Notes for the hub probe ■ User documentation for Admin Console For compatibility information, refer to the: ■ Support Matrix for Nimsoft Probes — platform support for individual probes ■ Nimsoft Compatibility Support Matrix — platform and database compatibility for primary Nimsoft components In the Admin Console hub configuration GUI, you can: ■ Set up tunnel servers and tunnel clients (see page 8) ■ Control the ports assigned to tunnels (see page 10), which is recommended if the hub will have more than one tunnel client ■ Create tunnel access lists (see page 10) to restrict access to a tunnel ■ Create hub-to-hub queues (see page 12) ■ Control the hub's connectivity behavior (see page 15) ■ Check the status of other hubs (see page 15) ■ Modify the log file settings (see page 16) To open the hub configuration GUI: 1. In the Admin Console navigation tree, expand a hub and select its robot. 2. Click the arrow next to the hub probe and select Configure. Note the following: ■ When you click Save, all modifications are written to the configuration file and the hub probe uses the new configuration. The hub process does not restart. ■ To restart the process, Deactivate and then Activate the hub probe. Follow these steps to set up a tunnel between two hubs. Important: If your tunnel server will have multiple tunnel clients, you can control the port assignments instead of letting the hub assign them based on the configuration for the controller probe. To control them, follow the steps in Controlling the Ports Assigned to Tunnels (see page 10) before you create client certificates. Note: Fields marked with an asterisk are required. 1. Ensure that both hubs appear in the Admin Console navigation pane. If either does not, create a static route to the hub (see page 11). 2. Determine which hub will be the tunnel server. Recommendation: Because the tunnel server uses a fair amount of computing power, designate the system with the lower load as the tunnel server. If a central hub will have several remote hubs attached to it, make the remote hubs the tunnel servers so that each remote hub only adds a small amount of overhead to the central hub. 3. Activate tunneling on the tunnel server: a. In Admin Console, expand the hub that will be the tunnel server, then open its hub probe in the configuration GUI. b. Select the Tunnel node. Check Tunnel Active and click Save. Note: Enabling tunneling is a one-time task. If tunneling is enabled, it cannot be disabled. 4. Set up the tunnel server: a. Navigate to 1 - Tunnel Server. b. In Tunnel Server CA Initialization: – Enter information about your organization. – Create a password to be used to establish trust between the tunnel server and its clients. c. Select Actions > Perform Tunnel Server CA Initialization. The CA certificate appears in the tunnel client certificate list. d. Modify Tunnel Server Settings (optional): – Set Server Port to any available port (default is 48003). – Increase the Security Setting as desired. 5. Create the tunnel client certificate: a. b. 6. In Tunnel Client Certificate Entry: – Enter the organization information. – Enter the password that you created when you initialized the tunnel server. – Specify how long the certificate will be active. Select Actions > Create Client Certificate. The certificate appears in the tunnel client certificate list. Set up the tunnel client: a. Copy all of the text in the Certificate field (below the Tunnel Client Certificate List) and close the GUI. b. In Admin Console, expand the hub that will be the tunnel client and open its hub probe. c. Navigate to Tunnel, check Tunnel Active, and click Save. d. Reopen the GUI and navigate to 2 - Tunnel Client. e. Under Tunnel Client Certificates Config, click New. In the fields that appear: – Leave Certificate ID blank. – Server is the tunnel server's IP address. – If your environment uses NAT (network address translation), disable Check Server Common Name Value. Note: When this option is enabled, the tunnel server must verify that the tunnel is coming from the IP address specified in the certificate. IP address mapping requires that this be disabled in NAT-ed environments. However, CA recommends you leave this option enabled in all other cases. f. 7. – Optional: Enter a Description. – Enter the Password you created for the tunnel server. – Optional: modify the Keep Alive setting. – In the Certificate field, paste the text you copied from the tunnel server. Click Save at the top of the page. If you created a static route to a hub that is now connected to the message bus by a tunnel, you must delete the static route: g. Expand the hub from which you configured the static route, then open its hub probe in the configuration GUI. h. Navigate to Name Services and remove the static route. Important! This must be done to ensure that all UIM data flows through the secure tunnel and not through the static route. The tunnel is now active. If your tunnel server will have more than one tunnel client and you want to control the port assignments, perform the following steps on the tunnel server before you create client certificates. Important: This configuration is recommended for advanced users only. Contact Support if you need assistance. 1. In Admin Console, expand the hub that will be the tunnel server. Open its hub probe in the configuration GUI and navigate to Advanced > Tunnel Settings. 2. In Tunnel Advanced Settings: 3. ■ Enable Ignore Controller First Probe Port. ■ Specify the First Tunnel Port, the port to be used by the first tunnel you set up. For each additional tunnel, the tunnel server increments the number and assigns that port to the tunnel client. The client keeps that port as long as the hub is running. Note the following: – The server does not keep track of disconnected clients. If a tunnel client is connected to the server, this number increments, even if a previously used port becomes available. However, if there are no active clients, the counter resets. – If you plan to configure more than one tunnel, we recommend you specify the first port. Make sure you do NOT use the port range that the controller probe uses. – If this field is blank, the operating system assigns random ports. – Make sure you do NOT use the port range that the controller probe uses. Click Save. By default, all UIM requests and messages can be routed over the tunnel and dispatched on the other side. This routing is transparent. A tunnel Access List lets you restrict the access privileges for UIM users, addresses and commands. The Access List is created on the tunnel client hub. Recommendation: Use Infrastructure Manager to create these lists. Tunnel access lists created with the Admin Console hub configuration GUI may have issues. Refer to Access List in the Infrastructure Manager hub configuration guide for details. If a hub does not appear in the Admin Console navigation pane, you can create a static route to it. Follow these steps. 1. In Admin Console, expand the primary hub, then open its hub probe in the configuration GUI. 2. Navigate to Name Services. 3. In Static Hub List Entry: ■ Leave Active and Synchronize checked. ■ Enter the IP address of the secondary hub. 4. Select Actions > Create Static Hub. 5. Close the configuration GUI. 6. Verify that the secondary hub appears in the navigation pane. If you have any secondary hubs in your deployment, you must create queues so that messages from those hubs can reach the primary hub. You will create: ■ Attach queues on all secondary hubs. These queues collect messages. ■ Corresponding get queues on any intermediary secondary hubs and on the primary hub. These queues get the messages from the attach queues. You can either create one attach queue with the wildcard (*) subject to collect all messages, or create separate queues for different messages or groups of messages. To learn more, refer to About UIM Queues (see page 13). Follow these steps: 1. In Admin Console, expand the hub, open the hub probe configuration GUI, and navigate to Queue List. 2. In the Queue List Configuration table, click New. 3. In the fields below the table, specify the required information. Some fields are specific to the type of queue being created. ■ Queue Name: Enter a unique and descriptive name. Recommendation: for usability, use a name similar or identical to the subject. ■ Active: Leave checked if you want to queue to be active immediately. ■ Type: Select attach, get, or post. Note: The remaining fields in this area are active if they are required for the selected type. ■ Subject (attach or post queues): Select the subject. Note that: – If the subject is asterisk (*), the queue holds all subjects. – If the desired subject is not listed, enter it in the Queue List Entry Subject to Add field, then select Actions > Add Subject to List. ■ Hub Address (get queues): Address for the hub that has the corresponding attach queue. ■ Remote Queue Name (get queues), which is the corresponding attach queue. – If desired, enter a Bulk Size, which specifies how many messages can be transferred simultaneously (in one bulk). The only time you need to change this value from '<default>' is when you see that the queue grows and never shrinks to zero (see Subscribers Queues on the Status tab). This indicates that the hub has problems delivering the messages to the target hub fast enough. The reason for this behavior could be that the number of QoS messages delivered to the hub from the robots has increased a lot (See Statistics button on the General tab) or that the latency is too high and slows down the deliveries (See Response Check, right-clicking a hub in the hubs list). UIM components use queues to pass messages. Messages are placed into queues based on their Subject ID, which classifies every UIM message. Most queues are created automatically during installation (when hub-to-robot communication is set up) or deployment (during which some probes create the queues they require). Hub-to-hub queues must be created manually. If you have any secondary hubs in your deployment, you must create queues so that those hubs can communicate with the primary hub. You can create three types of queues: ■ An Attach queue collects messages (based on subject) for forwarding to another hub. ■ A Post queue sends a stream of messages (based on subject) directly to a destination hub. ■ A Get queue retrieves messages collected by an attach queue on another hub. An attach or post queue's subject attribute determines which messages are directed to the queue: ■ The wildcard (*) subject collects all messages in one queue. ■ Queues can collect messages for more than one subject. Add a new subject with all desired subjects separated by commas (for example, alarms, alarms2). Note: A number of subjects are reserved for use by UIM components. They are listed in Reserved UIM Subject IDs (see page 13). Keep in mind that queues are first-in-first-out lists, which means messages in a wildcard queue are not prioritized based on subject. If a hub transfers thousands of messages each second, a critical alarm message might have to wait behind less urgent QoS messages. Recommendation: In a high-volume environment, create separate queues for important subjects, such as alarm, or for subjects that will create many messages. Create one multiple-subject queue for all subjects that are not critical. The following table shows the subjects used by UIM components, the types of messages that use them, and the component that generates them. All messages with the same subject should also have identical data structures. Subject Used by Generated by alarm Alarm messages alarm2 Enriched alarm messages alarm_new Alarm message whose footprint is not previously recorded alarm_update Alarm message whose footprint already exists alarm_close Message sent when a client closes (acknowledges) an alarm and removes it from the currently active alarms alarm_assign Message sent when a client closes (acknowledges) an alarm and removes it from the currently active alarms alarm_stats statistical event messages generated by the NAS probe that contain severity level summary information for all open alarms audit Audit messages: probe package distributions, activations, etc. audit probe probe_discovery device information discovery probes QOS_BASELINE messages containing baseline data points for QoS metrics QOS_DEFINITION message that specifies a QoS definition QOS_MESSAGE All QoS messages When you install a hub, the way it connects with other hubs is determined by default values that are sufficient for most hubs. However, you may want to adjust a hub's connectivity settings to meet the needs of your deployment or to improve performance. For example: ■ Hub Settings control the hub's request timeout, update interval and login mode. ■ Robot Settings specify the alarm sent for events that occur on robots connected to the hub. ■ Queue Settings control the behavior and size of queues. ■ Broadcast Configuration settings specify whether and where the hub lets other hubs know it is active. ■ Lockout Configuration settings let you avoid leaving the system vulnerable to brute-force password guessing. To modify the connectivity behavior: 1. In Admin Console, open the hub probe in the configuration GUI and navigate to Advanced. 2. Modify the settings as needed. Refer to Advanced (see page 21) for details on the settings. 3. Click Save at the top of the page. To check the status of another hub within your domain, follow these steps: 1. In Admin Console, open the hub configuration GUI for any hub in the domain. 2. Navigate to Hub List. 3. In the table that shows the status and other information for all hubs in the domain, select the hub you want to check. 4. Click Actions and choose the desired command: – Alive Check to view the status of the selected hub. – Response Check to view the response time (connect - reconnect, no transfer) between your hub and the one selected in the list. – Transfer Check to transfer data from your hub to the selected hub and view the transfer rate. All UIM probes maintain log files. By default, the log file records: ■ Only messages classified as 0 - Fatal. This keeps a minimal amount of data. ■ Up to 1024 KB of data. If you are troubleshooting or debugging, you may want to view the hub's activity in more detail or keep more data in the log file. To do this: 1. In Admin Console, open the hub probe in the configuration GUI and navigate to the hub node. 2. In General Configuration, set the log level and file size as desired. 3. Activate the changes. Either: ■ Click Actions > Set In-Memory Log Level. This applies the changes without restarting the probe, but does not retain the changes when the probe is restarted. This lets you view the hub's current activity in more detail. ■ Click Save at the top of the page. This restarts the hub and retains new settings. While most hubs perform their tasks sufficiently with little or no interaction from the administrator, you can modify various configuration settings for better performance and usability. Tunnels ■ Caching the SSL sessions can significantly speed up the server/client connection time. ■ If a non-functioning tunnel will significantly impact your operations, increase the level of alarm sent if a connection is lost or cannot be made. These settings are found on the Advanced > Tunnel Settings (see page 24) node in the Admin Console hub configuration GUI. Queues ■ If the size of a get or post queue never shrinks to zero or if it always has many messages, increase the Bulk Size on the queue. This allows the hub to transfer multiple messages in one packet. This section describes the configuration information and options available through the Admin Console hub configuration GUI. The navigation pane organizes hub configuration into the following nodes: ■ hub (see page 20) ■ Advanced (see page 21) SSL (see page 23) Tunnel Settings (see page 24) ■ Hub List (see page 25) ■ Name Services (see page 26) ■ Queue List (see page 27) ■ Robot List (see page 28) ■ Tunnel (see page 28) 1 - Tunnel Server (see page 29) 2 - Tunnel Client (see page 31) 3 - Tunnel Access List (see page 32) To access the hub configuration interface, select the hub's robot in the Admin Console navigation pane. In the Probes list, click the arrow to the left of the hub probe and select Configure. Navigation: hub This section lets you view information about the hub and adjust log file settings. Probe Information This section displays the probe name, start time, version and vendor. Hub Information This section displays the hub name, domain, IP address, hub address (/domain/hub_name/robot_name/hub), and uptime data. License Information This section displays details about the license used for the hub's robot is displayed; the total number of licenses and the number available is also shown. An invalid license stops the message flow from the hub to its subscribers (mostly service probes) and prevents the robot spoolers from uploading their messages. General Configuration This section lets you modify log file settings. ■ Log Level specifies the level of alarm information saved in the log file. 0 - Fatal (default) logs the least; 5 - Trace logs all alarms. Recommendation: Log as little as possible during normal operation to reduce disk consumption. Increase the level when debugging. ■ Log Size controls the amount of data retained in the log file (in KB, default is 1024). Large log files can cause performance issues, therefore use caution when changing this size. One command is available. ■ Actions > Set In-Memory Log Level makes changes to the log file settings take effect immediately without restarting the hub, which lets you view more detail about the hub's current activity. The settings are retained until the hub restarts. Navigation: hub > Advanced This section allows you to control the hub's connectivity behavior. Hub Settings This section controls how the hub communicates. ■ Hub Request Timeout specifies how long the hub waits for a response from other hubs. Default: 30 seconds. ■ Hub Update Interval specifies how often the hub sends its messages to the other hubs. Default: 600 seconds. ■ Origin identifies the sender for data sent by the probes. It is used when reports are generated. This field obtains the origin from the controller probe configuration. This field is blank if the origin is not specified in the controller, and the hub name is used. The origin is specified in the Controller probe configuration. ■ Disable IP Validation turns off the IP address validation the hub does for all computers sending requests to its probes. It is typically used when using NAT (Network Address Translation). ■ Login Mode provides three options: – Normal (default) allows logins from any robot connected to the hub. – Local Machine Only allows logins only from the computer hosting the hub. Attempts from any other robot connected to the hub are refused. – No Login disables all logins to the hub. Broadcast Configuration This section controls whether and where the hub lets other hubs know it is active. ■ Broadcast On (default) enables the hub to broadcast its status. ■ Broadcast Address is the IP address on which the hub broadcasts. Default is 255.255.255.255 (the default broadcast address for any local network). Lockout Configuration This section controls the lockout settings for the hub to avoid leaving the system vulnerable to brute-force password guessing. ■ Login Failure Count specifies the number of attempts from a single IP address. ■ Lockout Time specifies the number of seconds that must pass before a user can attempt to log in after a failure. Robot Settings This section controls the alarm settings for events that occur on all robots connected to the hub. ■ Inactive Robot Alarm Severity specifies the level or warning sent when a robot fails to respond. ■ Audit Settings for Robots lets you turn auditing on or off for all of the hub's robots, or allow each robot to use its own settings. ■ Note: Auditing records important events, such as starting and stopping the robot. ■ Audit Once per User Queue Settings This section controls the behavior and size of queues. ■ Reconnect Interval is the number of seconds between a disconnected hub's attempts to reconnect (default is 180). ■ Disconnect Passive Queues specifies how long a queue can be passive (receive no messages) before being disconnected (default is 180). ■ Post Reply Timeout specifies how long a hub waits for a reply to a message. A timeout occurs if no response is received within this interval. ■ Alarm Queue Size is the size of the queue file on the hub. An alarm is sent if the queue exceeds this threshold (default is 10 MB) Navigation: hub > Advanced > SSL This section lets you configure a hub to use SSL. SSL This section lets you configure SSL settings. This configuration must be done on all hubs that require SSL. ■ Login Mode provides three options: – Normal (login allowed) lets only UIM users log in to the hub. – Compatibility Mode (recommended) is mixed SSL/Normal mode. The system checks for SSL compatibility. If SSL compatibility does not exist, the system uses the UIM login. – SSL Only lets the hub communicate only with components that support SSL. Important: This mode significantly reduces traffic bandwidth and performance. Also note that some probes (particularly older ones) do not support SSL. Mixing different versions of UIM components is not possible with the SSL Only mode. Note: SSL settings for UIM components are controlled each component's hub. The hub propagates SSL settings to the robots; the robots then propagate the settings to the probes. ■ Cypher Type specifies the Cypher Suite used by that the OpenSSL library. Navigation: hub > Advanced > Tunnel Settings This section let you control the behavior of the hub's tunnels. Tunnel Advanced Settings These settings control how tunnels connect. ■ ■ ■ Ignore Controller First Probe Port controls how tunnel ports are assigned. – Enabled: the hub uses the First Tunnel Port setting (recommended if the hub will have more than one tunnel server). – Disabled: the tunnel is assigned the port number specified as First Probe Port in the controller probe configuration. First Tunnel Port specifies the port to be used by the first tunnel you set up. For each additional tunnel, the tunnel server increments the number and assigns that port to the tunnel client. The client keeps that port as long as the hub is running. Note the following: – The server does not keep track of disconnected clients. If a tunnel client is connected to the server, this number increments, even if a previously used port becomes available. However, if there are no active clients, the counter resets. – If you plan to configure more than one tunnel, we recommend you specify the first port. Make sure you do NOT use the port range that the controller probe uses. – If this field is blank, the operating system assigns random ports. Hang Timeout (in seconds, default is 120) specifies the interval between automatic tunnel restart attempts. The tunnel server continuously checks the status of its tunnels. If a tunnel does not respond, the hub attempts to restart it. If it does not respond within the time specified, it attempts another restart, and will continue to do so until the tunnel is active. Tunnel SSL Session Cache These settings control SSL caching. ■ Use Client Cache / Use Server Cache enables caching of SSL sessions, which allows previous session credentials to be used. Enabling both options significantly speeds up the server/client connection time. ■ Server Cache Timeout (in seconds) specifies how long the cached sessions are valid for reuse by the client. Default is 7200 (2 hours). ■ Server Cache Size specifies how much data is stored in the cache. Default is 1024 KB. Navigation: hub > Hub List This section lists all the hubs within a UIM domain, displays information about them, and lets you check their status. Hub List This section displays the following information about each hub: ■ Domain ■ Name ■ Status ■ Version of the hub probe ■ Last Updated, date and time when the hub probe was last restarted ■ IP address ■ Port Three commands let you check the status of other hubs: ■ Actions > Alive Check checks the status of the selected hub. ■ Actions > Response Check checks the response time (connect - reconnect, no transfer) between your hub and the one selected in the list. ■ Actions > Transfer Check transfers data from your hub to the one selected in the list and checks the transfer rate. Navigation: hub > Name Services This section lets you ensure hubs separated by firewalls or routers can discover each other and that hubs in a NAT environment can return requests. Static Hub List Entry This section lets you enter information for the static route. ■ Active: enable to ensure the route is active upon creation. ■ Synchronize: enable to ensure the hub sends status information to the static hub. ■ Hostname/IP of the static hub. One command is available. ■ Actions > Create Static Hub sets up the static route. Static Hub List This section displays the hubs to which there is a static route from the hub being configured. ■ Active indicates he route is active. ■ Synchronize indicates the hub is sending status information to the static hub. ■ Name, IP, Domain, and Robot Name identify the static hub. One command is available. ■ Actions > Remove Static Hub removes the selected static hub. Network Aliases In a NAT environment, network aliases let the hub know the appropriate return address for requests from remote hubs. ■ From Address is the address from which the remote hub sends requests. ■ To Address is the address to which the responses should be sent. Navigation: hub > Queue List This section lets you create hub-to-hub queues. Queue List Entry This section lets you add a new queue subject. ■ Subject To Add lets you specify the new subject. Note: Some subjects are reserved for use by UIM probes. See Reserved UIM Subject IDs (see page 13). One command is available. ■ Actions > Add Subject To List adds a queue subject immediately so it can be used in a new queue. Queue List Configuration This section lets you enter information for new queues or view the configuration of existing queues. Some fields are specific to the type of queue being created. ■ New and Delete let you add and delete queues. ■ Queue Name is the name of the queue being created. ■ Active shows the queue status. ■ Type specifies the type of queue being created: attach, post or get. ■ Hub Address (get queues) is the UIM address of the hub that has the corresponding attach queue. ■ Subject (attach or post queues) specifies the type(s) of messages to collect in the queue. ■ Remote Queue Name (get queues) is the name of the corresponding attach queue. ■ Remote Queue List (get queues) displays available attach queues found in the domain. ■ Bulk Size specifies the number of messages to be transferred in one package. Navigation: hub > Robot List This section lists all the robots controlled by the hub, displays information about them, and lets you restart them. Robot List This section displays the following information about each robot. ■ Name ■ Status ■ IP address ■ Version of the robot probes ■ OS version and information Two commands are available. ■ Actions > Alive Check checks the status of the selected robot. ■ Actions > Restart restarts the selected robot. Navigation: hub > Tunnel This section enables tunneling on a tunnel server or tunnel client. This must be done once on each hub that will have a tunnel. Tunnel Activation ■ Tunnel Active: Check this option and then click Save to enable tunneling. Navigation: hub > 1 - Tunnel Server This section lets you configure a hub to be a tunnel server. Certificate Authority (CA) Initialization This section lets you designate a hub as a Certificate Authority. Note: This is a one-time task. After it has been done, this section will display Tunnel Server CA Is Initialized. Server Settings This section shows the tunnel server's status. ■ Active indicates the tunnel is running. ■ Tunnel Server Status shows whether the tunnel is running or stopped (change the status with the Actions commands). ■ Common Name is the IP address of the tunnel server. ■ Expiration Days shows the date the tunnel expires. ■ Server Port is the port the tunnel server will use to transfer data (default is 48003). ■ Security Setting specifies the encryption level used for tunneled packets: ■ – NONE: No encryption but uses authentication. Fast but not very secure. – LOW: Fast but not very secure encryption and authentication. – MEDIUM: Slow but secure encryption and authentication. – HIGH: Slow but very secure encryption and authentication. – CUSTOM: Slowest but most secure encryption and authentication. Custom Cipher * is specified when the Security Setting is Custom. CA Certificates This section lets you create the CA certificates, which give the hub the authority to issue client certificates. ■ Organization Name, Organization Unit Name, and Email Address identify the issuing entity. ■ Country Name, State or Province Name, and Locality Name are the location of the receiving entity. ■ Common Name is the IPV4 or IPV6 address (hexadecimal format) for the tunnel server hub. ■ Beginning Date and Ending Date specify when the certificate is valid. Client Certificate Configuration This section lets you create client certificates. Note: Every tunnel client that will connect with the tunnel server requires a unique client certificate. ■ Organization Name, Organization Unit Name, and Email Address identify the receiving entity. ■ Country Name, State or Province Name, and Locality Name are the location of the receiving entity. ■ Common Name is the IPV4 or IPV6 address (hexadecimal format) for the tunnel client hub. Note: The tunnel client hub must be active when the certificate is created. ■ Password lets you specify the password that will allow the tunnel client hub to access the tunnel server. ■ Beginning Date and Ending Date show when the certificate is valid. ■ Certificate * displays the client certificate text, which must be copied to the tunnel client hub configuration. One command is available. ■ Actions > Create Tunnel Server Client Certificate creates the certificate. Client Certificate List This section lists your client certificates. ■ New and Delete let you add and delete certificates. ■ Rows in the table display information about the certificates. ■ Fields below the table display details for the selected certificate. ■ Certificate * displays the certificate text, which must be copied and pasted into the tunnel client hub configuration. Navigation: hub > Tunnel > 2 - Tunnel Client This section lets you configure a hub to be a tunnel client. Client Certificate Configuration This section lets you add, delete and view tunnel client certificates. ■ New and Delete add and delete tunnel client certificates. ■ Certificate ID is the number assigned to the certificate. ■ Active shows the certificate status. ■ Server * specifies the IP address of the tunnel server hub. ■ Server Port * specifies the port to be used for tunneled data. ■ Check Server 'Common Name' Value makes the tunnel server verify that the tunnel is coming from the IP address specified in the client certificate. IP address mapping requires that this be disabled in NAT environments. However, CA recommends you leave this option enabled in all other cases. ■ Description lets you describe the tunnel. ■ Password * is the password that was defined when the tunnel client certificate was created. ■ Keep Alive (in seconds) specifies the interval at which small data packets are sent. This is to allow for firewall connection disruption on idle connections. ■ Certificate * is where you paste the client certificate text (which was created on the tunnel server hub). Navigation: hub > Tunnel > Tunnel Access List This section lets you restrict the access privileges for UIM users, addresses and commands. Recommendation: Due to issues with tunnel access lists created with this release of the Admin Console hub configuration GUI, CA recommends you use Infrastructure Manager to create these lists. Refer to Access List in the Infrastructure Manager hub configuration guide for details. Tunnel Access List This section lets you create tunnel access lists. ■ New and Delete let you create or delete an access list. ■ Source IP * is the IP address of the tunnel server, or the wildcard character (*). ■ Destination Address * is the address of the target hub, robot or probe. ■ Probe Command is the specific command you want to allow or deny. To find the command set, click the icon next to the hub probe and select Probe Utility. ■ User * to whom you want to allow or deny access (regular expression is allowed). ■ Mode * These settings let you specify the access mode. – ACCEPT access for the specified user, command or probe. – DENY access for the specified user, command or probe. – LOG all requests through the tunnel with information recorded when the access list is processed. Note: This is normally used for debugging purposes when testing commands against targets before setting them up as accept or deny rules. The result can be viewed in the hub log file before your deny or accept rules. Troubleshooting topics: Configuration Cannot be Retrieved (see page 33) Queue Always Contains Messages (see page 34) Viewing the Log File (see page 34) If your problem is not addressed here: ■ Look for a solution or ask other users for help on the CA UIM Community Forum. ■ Contact Support. ■ Send us feedback with the "rate this page" link below. We will strive to include a solution in the next release of this document. Problem: You see Error: Configuration was unable to be retrieved hen you try to open the hub configuration GUI. Solution: Deploy the mpse probe to the hub. The mpse probe contains all available probe configuration GUIs accessed through Admin Console. 1. Click Archive above the navigation pane. 2. In the navigation pane, check the box next to the target robot. 3. Locate the mpse probe in your local archive and check the box next to it. 4. At the top of the probe list, click Deploy. 5. Click Infrastructure. Problem: Queue size is never zero. If a queue never shrinks to zero or if it always has many messages in the queue, the hub is not able to deliver the messages to the target hub fast enough. This could be because that the number of QoS messages delivered to the hub from the robots has significantly increased or that the latency is too high and slows down the deliveries. Solutions: ■ If the queue collects messages for one subject, increase the bulk size of the queue so that messages are transferred in bulk. ■ If it is a wildcard or multiple-subject queue, you can create separate queues for different subjects. Advanced users may find it helpful to view the log file. Click the icon next to the hub probe and select View Log. You also can modify the log file settings (see page 16) so that it retains more data for troubleshooting.
