Download NAS Server - HP Software Education Services

Opsware Network Automation
System
Module 1
Course Introduction
© 2007
2006 Opsware Inc. All rights reserved. Proprietary and confidential.
Welcome
 Introductions
 Facilities
 Course Objectives
 Course Outline
 Daily Agenda
 Lab Exercises
 Course Survey
Facilities
 Break and lunch rooms
 Restrooms
 Telephones and e-mail
 Fire and emergency procedures
Course Objectives
Upon completion of this two-part course, participants
will be able to:
Install, configure, test, utilize, and maintain the
Opsware Network Automation System and supporting
applications
Course Outline
 Module 1: Course Introduction
 Module 2: NAS Installation and Planning
 Module 3: User Management, Access, and
Authorization
 Module 4: Workflows
 Module 5: NAS APIs
 Module 6: Managing Server Health
 Module 7: Administrative Settings
 Module 8: Administrative Troubleshooting
Daily Agenda
Day 1
 Module 1: 09:00 – 09:15
 Module 2: 09:15 – 10:15
 Module 3: 10:30 – 11:15
 Module 4: 11:15 – 12:00
 Lunch Break: 12:00 – 13:00
 Module 5: 13:00 – 14:00
 Module 6: 14:00 – 14:45
 Module 7: 15:00 – 16:00
 Module 8: 16:00 – 17:00
Lab Exercises
 There are lab exercises in this course.
Thank you for attending
 Please fill out the surveys…
Opsware Network
Automation System
Module 2
Installation and Planning
Module Objectives
At the conclusion of this module, you should be able
to:
 Identify the implementation requirements for
installing the NAS system, including the:
– Software requirements
– Database requirements
– Hardware requirements
– Network requirements
 Explain the NAS implementation best practices.
Software Requirements
 Operating Systems
– Microsoft Windows 2000 Server (SP2 or better)
– Microsoft Windows 2003 Server (SP1 or better)
– Sun Solaris 9 (8/04 or higher)
– Sun Solaris 10
– Redhat Linux Advanced Server 3 update 2
– SUSE Enterprise Linux 9
 Database
– MySQL 3.23 (Ships with the product)
– Microsoft SQL Server 2000 (SP2 or better)
– Microsoft SQL Server 2005 (SP1 or better)
– Oracle 9i Release 2
– Oracle 10g Release 2
 Browsers
– Internet Explorer 6.0 (SP1 or better)
– Firefox 1.0
– Mozilla 1.7.x
Minimum Hardware Requirements
 Processor
– 2 GHz Pentium 4 or better (Windows/Linux)
– 1.2 GHz or better UltraSPARC III
 RAM
(Windows/Linux)
– 1 GB (recommended)
(Solaris)
– 1 GB (minimum)
– 2 GB (recommended)
 Disk
– 20 GB (application data)
– 100 GB (database data)
Supported Protocols and Ports
Protocol                 Port (Windows)   Port (Solaris)   Use
SSH (TCP)                22               22, 8022         Opsware NAS to network devices (22); SSH client to NAS proxy (22 or 8022)
SCP (TCP)                22               22               Opsware NAS server to network devices
telnet (TCP)             23               23, 8023         Opsware NAS server to network devices; telnet client to NAS proxy (23 or 8023)
rlogin (TCP)             513              513              Opsware NAS server to network devices
TFTP (UDP)               69               69               Network devices to Opsware NAS server
FTP (TCP)                20, 21           20, 21           Opsware NAS server to network devices
SNMP (UDP)               161              161              Opsware NAS server to network devices
SNMP trap (UDP)          162              162              Opsware NAS server to NMS
syslog (UDP)             514              514              Network devices to Opsware NAS server
JNDI                     1099             1099             AAA server to Opsware NAS server
RMI                      4444             4444             AAA server to Opsware NAS server. APIs also use RMI
HTTPS                    443              443              Secured URL connections
HTTP redirect to HTTPS   80               80               Redirect to HTTPS
Disk and Database Considerations
 The majority of disk utilization by NAS is with the storage of
configuration data in the database.
 The database can either be installed on the same host as NAS
or on a different host. Disk space considerations for both NAS
and the database should be considered separately.
 The database size depends largely on the stability and size of
the customer environment.
– As the number of managed nodes increases, the database size increases
linearly.
– The number of changes per device per day in a customer environment
will dictate how much data must be kept in the database.
– The number of days/months/years historical data required by the
customer will dictate how much data must be kept in the database.
Network Requirements
 Every network management application creates an additional
load on the network to provide management.
 Opsware Network Automation creates network load when
managing network devices because:
– Obtaining the configuration requires transmission of that configuration
over the network.
– Detecting configuration changes requires the receipt of events/messages
over the network.
– Recording management information in the database requires database
transactions.
– Integration with other management applications requires the exchange of
management information over the network.
Application Scalability
 Processing Power
 Memory Utilization
 Disk Requirements
 Network Requirements & Impact
Processing Power
 Opsware Network Automation functions are contained in
scheduled tasks.
 Each task acts as an independent process, and is executed
according to the scheduler.
 The number of concurrent tasks is directly proportional to the
processing required.
Memory Utilization
 Opsware Network Automation is made up of multiple
component applications.
– NAS Management Engine
– NAS TFTP Server
– NAS Syslog Server
 Each component application has specific memory
requirements.
 Each task has specific memory requirements.
Impact of Network on High Availability Deployment
 HA deployments increase the amount of network traffic for
management, as sources of data must be duplicated (syslog, SNMP
traps).
 HA database topologies can create a large network overhead
depending upon the complexity of the deployment.
 HA typically requires duplication of syslog messaging and SNMP
traps.
 HA typically requires additional traffic to monitor/maintain the HA
configuration itself (synchronization, replication, and so on)
Using Multimaster for Redundancy
[Figure: multimaster deployment diagram. Labels: Realm: Primary Network (10.1.0.0/16); Realm: Overlap Network (10.1.2.0/24); Realm: Subsidiary (10.1.0.0/16); Opsware Gateway (three); NAS Core1, NAS Core2 and NAS Core3, joined by Multimaster links. Captions: "Two NAS cores in primary network for HA and disaster recovery"; "Separate NAS core to provide local management and UI for subsidiary"; "Emergency failover and recovery handled by cores on the primary network".]
Installation Procedures
 License Files
 Installing on Windows/Linux
 Installing on Solaris
 Setting up Admin Settings
 Adding Devices
Obtaining a License
 Support will generate a license file using the license generation
server.
 Data needed to generate a license:
– Customer name
– Customer contact Information
– Phone number
– E-mail address
– Product and version number
– Expiration date (used for evaluations)
– Node Count
License Files
 NAS will not start up without a valid license file.
 NAS has (4) registered events regarding license file management:
– License Almost Exceeded
– License Almost Expired
– License Exceeded
– License Expired
 License files should be considered confidential information and
should not exist in public/non-secured locations.
Installing on Windows
 On Windows:
– Verify the IIS is not running as a service – if it is running, stop the service
and make sure the startup is set to manual.
– If using MySQL locally make sure that the DB is started and running.
– If using MS SQL obtain SA password from DBA.
– Double-click the setup.exe file
X11 Server Requirements for Unix Installs
 Opsware Network Automation has a GUI installer. For UNIX
installations, this means that either local X11 services or the
availability of an X11 server is required to complete the
installation.
 http://www.pexus.com/ (Freeware X11 Server)
– X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that
can be used to connect to host systems running UNIX, LINUX, IBM AIX,
HP-UX, Sun Solaris, or any other operating system that supports X
Windows System, in a LAN environment or from a home PC connecting
to office LAN via a Virtual Private Network (VPN).
– This release is based off X11R6.5.1 release of X Window System from
the Open Group.
 Can use VNC
Port Conflicts
 The NAS installer will not complete if there are any port conflicts.
 Common Conflicts are:
– Syslog (UDP 514)
– HTTP (TCP 80 or 443)
– TFTP (UDP 69)
– Telnet/SSH (TCP 22/23)
On Solaris and Linux, use the following to:
 Track down currently listening ports
netstat -an | grep "LISTEN"
 Check for active services in the inetd.conf file
grep -v "^#" /etc/inetd.conf
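A pre-install check for the common conflicts listed above, as an added example that is not part of the course material. It assumes the Linux net-tools `netstat -an` output format and runs on a constructed sample; it also shows that UDP sockets carry no LISTEN state, so filtering on "LISTEN" alone does not reveal a syslog (UDP 514) or TFTP (UDP 69) conflict.

```python
import re

# Ports named under "Common Conflicts" on the slide above.
NAS_PORTS = {
    ("udp", 514): "Syslog",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTP",
    ("udp", 69): "TFTP",
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
}

# Assumed format: Linux net-tools `netstat -an` (Proto Recv-Q Send-Q Local Foreign State).
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S*)"
)

# Constructed sample output, not captured from a real host.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.10:22            10.1.2.136:40112        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def bound_sockets(netstat_output):
    """Return {(proto, port)} for sockets bound and waiting for inbound traffic."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, unix sockets, blank lines
        proto = m["proto"]
        # TCP listeners are marked LISTEN. UDP is connectionless and has no
        # such state; an unconnected UDP socket shows a wildcard remote address.
        if proto == "tcp" and m["state"] != "LISTEN":
            continue
        if proto == "udp" and not m["remote"].endswith(":*"):
            continue
        port = m["local"].rsplit(":", 1)[1]
        if port.isdigit():
            found.add((proto, int(port)))
    return found


def nas_port_conflicts(netstat_output):
    """Return sorted [(proto, port, nas_use)] for NAS ports already taken."""
    in_use = bound_sockets(netstat_output)
    return sorted((p, n, NAS_PORTS[(p, n)]) for (p, n) in in_use if (p, n) in NAS_PORTS)


def grep_listen_view(netstat_output):
    """Lines that `netstat -an | grep "LISTEN"` would print."""
    return [line for line in netstat_output.splitlines() if "LISTEN" in line]


if __name__ == "__main__":
    for proto, port, use in nas_port_conflicts(SAMPLE):
        print(f"conflict: {proto.upper()} {port} is already bound (NAS needs it for {use})")
    print(f"grep LISTEN would have shown {len(grep_listen_view(SAMPLE))} lines, none of them UDP")
```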
Installing on Solaris and Linux
 Log into the server as root. Other acceptable alternatives to root:
– "su -", "sudo" (example: "sudo bash"), "Login: root"
– MySQL must be running as root
 Set up the display to point to the X11 server:
root@gohan:/export/spare/home/aquilter$ export DISPLAY=10.1.2.136:0.0
root@gohan:/export/spare/tc$ set | grep DISPLAY
DISPLAY=10.1.2.136:0.0
 Set the setup.bin file to be executable:
root@gohan:/export/spare/tc$ chmod +x setup.bin
Installing on Solaris and Linux (cont’d)
 Turn off Syslog Listener:
Edit /etc/rc2.d/S74syslog and change
/usr/sbin/syslogd >/dev/msglog 2>&1 &
to
/usr/sbin/syslogd -t >/dev/msglog 2>&1 &
(-t disables the syslogd UDP port to turn off logging of remote messages.)
Then restart syslog with /etc/init.d/syslog stop, then /etc/init.d/syslog start
Review Questions
1. What is the minimum system memory required to support NAS on a Windows platform?
a. 256 MB
b. 512 MB
c. 768 MB
d. 1024 MB (1 GB)
2. What is the recommended minimum disk space for application data?
a. 25 GB
b. 5 GB
c. 10 GB
d. 20 GB
3. What is the recommended minimum disk space for database data?
a. 90 GB
b. 80 GB
c. 100 GB
d. 120 GB
4. What is the minimum version of MySQL supported?
a. MySQL 1.5
b. MySQL 3.3
c. MySQL 3.23.55
d. MySQL 1.7
Review Question - Answers
1. What is the minimum system memory required to support NAS on a Windows platform?
a. 256 MB
b. 512 MB
c. 768 MB
d. 1024 MB (1 GB)
2. What is the recommended minimum disk space for application data?
a. 25 GB
b. 5 GB
c. 10 GB
d. 20 GB
3. What is the recommended minimum disk space for database data?
a. 90 GB
b. 80 GB
c. 100 GB
d. 120 GB
4. What is the minimum version of MySQL supported?
a. MySQL 1.5
b. MySQL 3.3
c. MySQL 3.23.55
d. MySQL 1.7
Syslog Messaging
 NAS relies on syslog messaging to perform dynamic change
detection.
 Syslog messages can quickly become an unmanageable
behavior.
– During a failure, there are bursts of large amounts of messages (up to 10-15
messages/second per device).
– Each message is carried in an IP packet, and averages between 50-100
bytes.
Example
 The failure of one PVC in a large frame-relay network (1000 branch
sites) with 5 devices at each branch can cause an immediate burst of
messages from 5000 devices.
 This could cause up to 60 MB of aggregate burst data funneled
directly towards the NAS Syslog Server
Disk – Core Applications
 The Opsware Network
Automation installation root
is the rendition directory.
 The jre directory contains the
application configuration
files.
 The server directory contains
the application code, drivers,
TFTP root, and log files.
NAS Directory Structure
./rendition/
    ./addins
    ./client
    ./content
    ./docs
    ./jre
    ./resource
    ./server
        ./lib/drivers
        ./ext/tftp/tftpdroot
        ./log
    ./Uninstaller
Driver Directory (./rendition/server/lib/drivers)
Driver Content
 Driver Packages
 Driver Temporary Files
 Driver and File System
Interactions
– On-demand virus scanning
– Orphaned temporary files
Log Directory (./rendition/server/log)
 NAS logging files
 jboss_wrapper
– Location of troubleshooting
logging
 tftp_wrapper
 syslog_wrapper
Database Connectivity
 Each task will result in a database operation.
– Query (searches, policy compliance, etc.)
– Insert (add devices, add scripts, etc.)
– Update (edit devices, edit configuration, etc.)
 Each database operation results in network traffic
approximately equal to the payload of the associated task.
– Size of configuration data, diagnostic data, etc.
– Size of search results
– Size of edit operations
Review Questions
1. What is the relationship between memory usage and the number of tasks?
2. True or False - The NAS driver packages are located in ./rendition/lib/drivers.
3. Why would you install NAS and a database on the same server? (Check all that apply.)
a. Lower cost
b. Single point of failure
c. Reduction in network traffic
d. NAS has its own system
4. You plan for Syslog messaging, because… (Check all that apply.)
a. NAS relies on syslog for change detection.
b. Syslog messages can become unmanageable.
c. Syslog bursts take 2-5 messages per second per device.
d. Syslog uses IP packets that average between 50-100 bytes.
Review Questions - Answers
1. What is the relationship between memory usage and the number of tasks?
The amount of memory is directly proportional to the number of
tasks, and memory increases with number of tasks.
2. True or False - The NAS driver packages are located in ./rendition/server/lib/drivers.
3. Why would you install NAS and a database on the same server?
a. Lower cost
b. Single point of failure
c. Reduction in network traffic
d. NAS has its own system
4. You plan for Syslog messaging, because…
a. NAS relies on syslog for change detection.
b. Syslog messages can become unmanageable.
c. Syslog bursts take 2-5 messages per second per device.
d. Syslog uses IP packets that average between 50-100 bytes.
Environments
 Each environment is different.
– Device platforms
– Business practices
– Network protocols
 Each user will worry about different aspects of the
implementation.
– System
– Application
– Network
– Database
Device Access Methods
 Opsware Network Automation gains access to network devices
in several ways:
– Direct CLI
– Telnet, SSH, and/or via a Console Server
– Indirect CLI
– NAT, Bastion Host
– SNMP
 Opsware Network Automation accesses files located on network
devices in several ways:
– TFTP, FTP, SCP
Getting Around Firewalls
NAT Service
Bastion Host Information
Console Servers
Overlapping IP Address Management
Core 2 will manage the
remote Site (Overlap 1) via
the Gateway mesh
User Authentication Services
NAS provides integration with various external
authentication services.
– Windows ActiveDirectory
– TACACS
– SecurID
– Radius
Windows ActiveDirectory
 Integration with AD allows
authentication into the Web
and the CLI interface of NAS
to be controlled by AD.
 A Domain Admin user and a
Domain Controller are
required.
 You can specify individual
users or user groups.
TACACS
 TACACS+ is a Cisco proprietary AAA service (CiscoSecure™)
aka ACS or CiscoSecure.
 Integration with TACACS+ allows authentication into the Web
and CLI interface of NAS to be controlled by TACACS.
 TACACS+ can also be used to access network devices.
RSA SecurID™
 RSA SecurID™ is a secure one-time password (OTP) AAA
service often used in conjunction with TACACS.
 Integration with RSA SecurID allows authentication into the
Web and CLI interfaces of NAS.
 SecurID can also be used to access network devices.
Syslog Messaging
 Change Detection
– Syslog messages are used to determine when a change has occurred on a
managed device.
– Syslog message patterns are used to match messages received with
messages known to signify changes.
– When a message matches any of the patterns, a corresponding snapshot
operation is scheduled.
 Change Attribution
– Syslog messages contain information that can be used to identify the
source of the configuration change.
– When a snapshot operation is scheduled, the resultant change is
attributed to the user identified in the syslog message.
– Change attribution also occurs on operations scheduled while using NAS
interfaces
Direct Logging
 Direct logging occurs when
the network devices are
configured to log messages
directly to the NAS Syslog
Server.
 Direct logging results in the
most messages directed at
the NAS Syslog Server.
 Note the NAS does not store
syslog messages and cannot
act as a relay to other
servers.
Default Syslog Patterns
(regular expressions):
SYS-6-CFG_CHG
SYS-5-CONFIG
SYS-5-RESTART
SYS-5-SYS_RESET
SYS-5-RELOAD
\*\*added\*\*
apache:.*POST
\*\*defined\*\*
\*\*deleted\*\*
login:
apache:.*command=
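The change detection and change attribution flow described above, run against the default patterns, as an added example that is not NAS code. The sample packets are constructed; the "by <user> on <line>" attribution regex and the choice to keep one pending snapshot per device are assumptions of this example.

```python
import re

# Default NAS syslog patterns, copied from the slide (regular expressions).
DEFAULT_PATTERNS = [
    r"SYS-6-CFG_CHG", r"SYS-5-CONFIG", r"SYS-5-RESTART", r"SYS-5-SYS_RESET",
    r"SYS-5-RELOAD", r"\*\*added\*\*", r"apache:.*POST", r"\*\*defined\*\*",
    r"\*\*deleted\*\*", r"login:", r"apache:.*command=",
]
COMPILED = [re.compile(p) for p in DEFAULT_PATTERNS]

# RFC 3164 packet layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Assumption: the user appears as "by <user> on <line>", as in Cisco IOS
# style messages. Other vendors need their own attribution pattern.
USER_RE = re.compile(r"\bby (?P<user>\S+) on \S+")

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    "<189>Jan  5 10:15:01 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.2.50)",
    "<189>Jan  5 10:15:02 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.2.50)",
    "<187>Jan  5 10:15:03 rtr2 %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "<190>Jan  5 10:15:04 sw7 %SYS-6-CFG_CHG: Module 1 block changed by SNMP",
    # Relayed without an RFC 3164 header: the originating device is lost.
    "%SYS-5-CONFIG_I: Configured from console by root on vty1 (10.1.2.51)",
]


def process(packet):
    """Return a snapshot request for one packet, or None if it is dropped."""
    m = RFC3164_RE.match(packet)
    if not m or int(m["pri"]) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    hit = next((p.pattern for p in COMPILED if p.search(m["msg"])), None)
    if hit is None:
        return None  # not a change signal; the message is not stored
    user = USER_RE.search(m["msg"])
    return {
        "device": m["host"],
        "pattern": hit,
        "user": user["user"] if user else None,  # None: change cannot be attributed
    }


def schedule_snapshots(packets):
    """Collapse a burst into one pending snapshot per device (example's choice)."""
    pending = {}
    for packet in packets:
        req = process(packet)
        if req and req["device"] not in pending:
            pending[req["device"]] = req
    return list(pending.values())


if __name__ == "__main__":
    for req in schedule_snapshots(SAMPLE_PACKETS):
        who = req["user"] or "unknown user"
        print(f"snapshot {req['device']}: matched {req['pattern']!r}, attributed to {who}")
```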
Relay
 The Syslog relay is the forwarding of syslog messages from
one server to another.
 Most customer environments will have an existing syslog
architecture.
 Syslog is not a guaranteed delivery protocol.
 Syslog relay doubles the chance that syslog messages will be
lost while in transit.
RFC 3164 Compliance Requirement
 RFC 3164 covers the Syslog protocol.
 NAS Syslog Server supports relay only from RFC compliant
syslog servers.
 NAS provides a way to work around this issue:
– NAS SyslogReaderClient
 Commonly seen RFC Compliant syslog servers:
– Syslog-NG
– Kiwi Syslog
 Commonly seen non-RFC compliant syslog servers:
– CiscoWorks™
– Solaris syslogd
RFC Compliant Syslog servers:
 Syslog-NG
– http://www.balabit.com/products/syslog_ng/
 Kiwi Syslog Daemon
– http://www.kiwisyslog.com/syslog-info.php
 Syslog-NG or Kiwi Syslog can enhance performance of the
NAS Syslog Server by filtering syslog messages that the NAS
Syslog Server does require.
 Support for the above products is provided by the respective
vendors.
SyslogReaderClient
 The NAS SyslogReaderClient is a small component of NAS that
is installed on a target syslog server (Solaris).
 The NAS SyslogReaderClient maintains its own syslog
message patterns.
 The NAS SyslogReaderClient watches the local syslog
messages, and forwards matching messages to the NAS
Management Engine directly.
Review Questions
1. Name two of the three methods for getting around firewalls?
a. __________
b. _________
2. Where is the NAS SyslogReaderClient installed?
a. NAS syslog server
b. Target syslog server
c. NAS syslog client
d. Target syslog client
3. What is the definition of a syslog relay?
Review Questions - Answers
1. Name two of the three methods for getting around firewalls?
a. NAT
b. BASTION Host
c. Console server
2. Where is the NAS SyslogReaderClient installed?
a. NAS syslog server
b. Target syslog server
c. NAS syslog client
d. Target syslog client
3. What is the definition of a syslog relay?
a. Syslog message forwarding mechanism (Responses may vary.)
Additional Installation Topics
 API
 Integration
 Custom Fields
 Security
 Miscellaneous
– NAS Tools
– Database Migration
– AAA Agent
– Customer Banner
API
 The API exists in Java, Perl and SOAP flavors.
 The API allows for scripts to be executed from “home-grown”
or other external systems to perform operations on or
using NAS data.
 The API encapsulates core NAS functions for use by other
systems.
Integration and Extensibility
 The functionality of any network management application is
maximized by its capability to inter-operate with other network
management applications.
 NAS provides a flexible integration architecture through
various integration points that include:
– NAS Connectors
– Custom Data Fields
– CLI Interface
– API
Integrating with NAS
 With Connectors:
– NAS Connectors are installable components that directly integrate with
other network management applications.
– The NAS Management Engine will receive management information
through the connector component directly.
– The NAS Management Engine will forward management information to
the target system using syslog, SNMP traps, and/or other custom
mechanisms.
 Without Connectors:
– Many customer environments have “home-grown” solutions that they do
not want to discard.
– Many customer environments have specific pain-points that can be
creatively solved through integration.
– Many customer environments have a large library of scripts that they trust
and do not want to eliminate.
Custom Data Fields
 NAS includes eight custom data fields per table for user customization.
– Device Configuration & Diagnostics
– Devices
– Device Blades/Modules
– Device Interfaces
– Device Groups
– Users
– Tasks
– Telnet/SSH Sessions
 Custom data fields are viewable/settable from the WebUI.
 Custom data fields are viewable/settable from the CLI/API.
 Custom data fields are searchable.
Securing Opsware Network Automation
 NAS will be given privileged information to maintain
management of network devices.
– SNMP read/write community strings
– Device Access Credentials
– Possibly including security devices themselves
– Topological information
– Available networks, available ports, wireless keys
– Security specific information
– Access control lists, allowed hosts
Addressing Security Issues
 TFTP (RFC 1350)
– TFTP, no user name and password used
 Clear-Text Protocols (Telnet , SNMP)
 Virus Scanning
– On-demand virus scanning impacts NAS performance
NAS Tools
 NAS Tools allow the NAS Administrator to:
– Change database connection information
– Save device passwords to file
 Database changes are not common, but are required for
some situations.
 Export of the device passwords is a mechanism to assist in
the cold storage of password information.
NAS Database Migration
 The database migration tool was created to support a
database platform change.
– Example: If customers wanted to migrate from a MySQL database
to an Oracle database for their ONA implementation.
– The tool includes support for MySQL to MySQL, where each
database may exist on a different host.
 The tool has found a strong use case in migrating
application data from QA/Test environments into
Production environments.
NAS AAAReaderClient
 NAS AAAReaderClient is similar to the NAS
SyslogReaderClient.
– Instead of watching a local syslog file, the AAAReaderClient watches a
local AAA service log file.
 NAS AAAReaderClient provides the change detection and
change attribution features similar to the SyslogReaderClient.
– The difference is that the source of the change information is the AAA
service (TACACS or other).
Customer Banner
 Located in <default install
directory>\resource
 File is called
customer_banner.html
– Can contain plain text or html
Installation Best Practices
 Guidelines to follow that will lead to a successful implementation
– Initial Configuration - Take the time to configure the system before turning it over
to the users.
– Administrative
– Password Selection
– Device Access Methods
– Configure Syslog
– Polling and Diagnostics Tasks
– Database Pruning Parameters
– Server Monitoring
– Event Notification & Response Rules
– Device Password Rules
– Scaled Import - Perform a scaled import of devices to catch problems early
across a broad range of customer devices.
– Task Scheduling - Use the capabilities of the scheduling engine to minimize
customer perception of failed tasks.
– Peak Traffic Impact Analysis - Ensure that the customer is aware of the effect
this application is going to have on their network.
Guidelines for Password Rules
 Avoid password rules that apply to the system group
“Inventory”
 Order password rules from most widely used to
least widely used.
 Use the device group, IP range, and host name
limiters to be as accurate as possible.
Nortel Specific
 Some common configuration
settings that should be
reviewed for Nortel
installations are summarized
on the right.
 Nortel devices will also
experience some
performance benefits if you
increase the timeout to two
minutes using an access
variable.
 Administrative Settings
– Flash Storage Space
– Flash Low Event
– Flash Low Threshold
– Nortel BayRS MIB/OS Versions
 Event Notification &
Response Rules
– Compress Flash Storage when
available space detected to be
low
Scaling Import
 It is important to scale the import of network devices.
– 5% of device count initially imported
– 15% of device count imported next
– 35% of device count imported next
– 100% of device count (full deployment)
 There are a lot of variables involved in the initial load of devices
into a management application; reducing the set of devices to
troubleshoot will reduce the amount of time to full-deployment.
Scaling Import (cont’d)
 Guidelines
– Pick a set of devices that covers each of the device
families in the customer environment for the initial load; this will
allow support to get a heads up on any device issues that may
occur at this site.
– Do not move forward to the next phase until all devices have had a
successful snapshot or a support ticket for the issue has been
generated.
– Test increasingly advanced features at each phase.
1. Discovery, Snapshot
2. Change Detection
3. Command Scripts, Diagnostics
4. Policy Manager, ACL Manager, Software Center
Task Scheduling
 Stagger large polling tasks
by device groups.
– Try to keep the system busy
at a consistent rate.
– Try to avoid a huge queue of
pending tasks.
 Use the Retry Count and
Retry Interval on devices that
have intermittent
success/failures.
– Baystack switches, or WAN
connected routers may fall
into this category.
Change Windows
 It is critical to be aware of the change control process and
how NAS will interact with it.
– Common change processes schedule applications for windows
of time to operate; if this is the case, schedule all operations to
occur during this time.
– This situation may affect real-time change detection; be aware
that real-time change detection will perform operations outside
of the change window if this feature is enabled.
– Pay attention to the pending and running task queues during
the importation phases; if the amount of time required to
complete a “full pass” is longer than the assigned change
window, the application will have to be tuned/configured to
meet the change control process.
Module Summary
In this module, you learned to:
 Identify the implementation requirements for installing the
NAS system.
– Hardware requirements
– Software requirements
– Browser requirements
– Database requirements
– Operating system requirements
– Network requirements
 Explain the NAS implementation best practices.
Opsware Network
Automation System
Module 3
Authorizing User Access
Module Objectives
At the conclusion of this module, you should be able to:
 Plan for users, access and authorization.
 Differentiate between roles and permissions.
 Create user accounts and user groups.
 Edit user accounts.
 Add users to user groups.
 Create Views and Partitions
 Add Users, User Groups, Devices & Device Groups to
partitions.
User Accounts Basics
 Users
 Logged on Users
 New User
 User Groups
 New User Groups
 User Roles and Permission
Users
 Properties
– Login name
– First name
– Last name
– E-mail address
 Actions
– Edit
– Delete
– Permissions
– Configuration Changes
Viewing All Users
To view all users, select Admin -> Users.
Creating New Users
The required fields are username and password. However, each user should belong to a group.
New User Form – User Information
New User Form – Authentication Requirements
Viewing Logged on Users
 Properties
– User Name
– User Host
– Last Access Time
User Groups
 Limited Access User
– Limited Access Command permissions
 Power User
– Power Command, All Scripts permissions
– All Tasks except change admin and user settings
 Full Access User
– Full Access Command, All Scripts permissions
– All Tasks but only to a single device at a time and no recurring tasks
 Administrator
– Administrator Command permissions
User Group and Roles
Group | Roles
Limited Access User | Limited Access (Command Permission)
Full Access User | Full Access (Command Permission); All Scripts (Script Permission); All Devices (Modify Device Permission)
Power User | Power (Command Permission); All Scripts (Script Permission); All Devices (Modify Device Permission)
Administrator | Administrator (Command Permission)
New User Group and Permissions
From the Admin menu, select the New User Group menu item to invoke the new user group window.
Enter the name of the group.
Select which roles to grant the group.
New User Group and Permissions cont’d
Assign members to the User Group.
Adding Users to User Group
 Admin -> Users.
 Edit.
 Add User Group.
 Save.
Viewing User Groups
Select the group, drill down for details, select an action and modify the group properties.
User Roles and Permissions
Users are granted access permissions based on their roles.
Only the system administrator or a user with similar permissions can modify permissions for all users.
Creating User Roles – Command Permission
Creating User Roles – Modify Device Permission
Creating User Roles – Script Permission
Creating User Roles – View Partition Permission
Viewing User Permission Summary Page
1. From the Admin menu, select the User Roles & Permission menu item.
2. Identify the User Group.
3. Click on Permissions.
4. View Permissions for the following:
• Administrator
• Power User
• Limited Access User
• Full Access User
Views and Partitions
 Use Views & Partitions to control visibility of devices, device groups, users and user groups.
 Ability to partition:
– Devices & Device Groups
– Users & User Groups
 Create User Roles for each type.
– Assign these Roles to a User Group.
Views – Devices & Device Groups
 Devices & Device Groups
– Once Devices & Device Groups has been selected, all partitions under this view inherit this property.
– Create partitions that hold the devices.
Views – Devices & Device Groups
 Device Groups
– Can be set to a particular partition.
 Devices
– Can assign an individual device to a partition.
Views – Users & User Groups
 Users & User Groups
– Once Users & User Groups has been selected, all partitions under this view inherit this property.
– Create partitions for the different User filtering you want to accomplish.
– These partitions are technically device groups, but have no devices in them.
Views – Users
 Users
– Assign them to the correct partition in the Users View.
– Assign the correct User Group (which has the correct View Partition Permission).
Views – User Groups
 User Groups
– Assign them to the correct partition in the Users View.
– Can assign multiple partitions.
– This enables you to use User Groups to control view access to Users and Devices.
Auto-created Users
 NAS automatically creates additional users by change detection.
 For example:
– NAS notices that username “tim” logged into a network device directly.
– Username “tim” does not currently exist in NAS.
– NAS automatically creates a new username “tim_auto” (with no permissions).
 When no particular username is used, NAS might use one of the other attributes (e.g. IP of the telnet client that the person is using) to create a new user (192.168_auto).
Review Questions
1. How would you display the users on the Opsware NAS server?
2. Which two of the following are not required fields when creating a user account?
A. Login Name
B. Street Address
C. Password
D. E-mail Address
3. List three user roles.
4. List three types of permissions granted to a user.
Review Questions - Answers
1. How would you display the users on the Opsware NAS server? Admin->Users
2. Which two of the following are not required fields when creating a user account?
A. Login name
B. Street address
C. Password
D. E-mail address
3. List three user roles. Limited, Full, Power
4. List three types of permissions granted to a user. Command, Script, Modify
Module Summary
In this module, you learned how to:
 Differentiate between roles and permissions.
 Create user accounts.
 Edit user accounts.
 Add users to user groups.
Lab Exercise
Managing Users, Access & Authentication
Opsware Network Automation System
Module 4
Workflows
Module Objectives
At the conclusion of this module, you should be able to:
 Explain the workflow process
 Create, edit and run workflows
Workflow Overview
 Process manager for network configuration (change control)
 Benefits
– Ensures that network changes are completed based on pre-defined policies.
– Ensures the correct sequence of policy process completion.
– Ensures that appropriate people approve policies.
 Workflow Wizard
– Aids with the easy setup of tasks.
 Process flow
– Project
– Originator
– Approver (approved, not approved, suspended, override)
– FYI recipients
Workflow Process
Eight-step Approach
1. Start Setup Wizard.
2. Enable Workflow.
3. Manage approval rules. Create a new rule or modify existing rules.
4. Originator setup. Define the user who has process origination permissions.
5. Set up tasks. Determine which tasks to include in the process.
6. Set up the device group. Identify which device group to use for workflow.
7. Set up approver. Note: the originator cannot approve tasks.
8. Identify FYI users (originator need not be added). Save workflow.
Creating a Workflow – Steps 1-2
Step 1: Start Setup Wizard
Step 2: Enable Workflow
Admin -> Workflow Setup
Creating a Workflow – Steps 3-5
Step 3: Create New Approval Rules or Modify Existing Rules.
Step 4: Set up Originator.
Step 5: Create Tasks for Approval.
Creating a Workflow – Steps 6 & 7
Step 6: Set up device group to use for workflow.
Step 7: Set up the list of approvers.
Check here if no approvers required.
Creating a Workflow – Step 8
Step 8: Identify FYI Users. Save Workflow.
Managing Workflow Approval Rules
Delete a rule
Decrease priority
Increase priority
GUI changes with Workflow Enabled
Note that tasks specified in the Workflow Rule cannot be performed for this device without an approval unless Override Approval permission has been granted.
Review Questions
1. What is a workflow?
2. True or False. The originator can override an approval.
3. How many approvers are needed to approve a task?
A) 1
B) 2
C) It depends on setup
4. True or False. Approval overrides can be flagged and system administrator can be notified.
Review Questions - Answers
1. What is a workflow? Process manager (Answers may vary.)
2. True or False. The originator can override an approval. True, if the approver is not available and no verification is required.
3. How many approvers are needed to approve a task?
A) 1
B) 2
C) It depends on setup
Only 1 (A) approver is needed.
4. True or False. Approval overrides can be flagged and system administrator can be notified. True
Module Summary
In this module, you learned to:
 Explain the workflow process
 Create, edit and run workflows
Lab Exercise
Managing Workflows
Opsware Network Automation System
Module 5
NAS APIs
Module Objectives
At the conclusion of this module, you should be able to:
 Explain the NAS API architecture.
 Understand the structure of APIs.
 Create simple Java / Perl code based on the NAS API.
 Understand how to use Web Services API (WSAPI) with NAS.
NAS API
 API enables scripts to be executed from “homegrown” or other external systems to perform operations on NAS data.
 API encapsulates core NAS functions for use by other systems.
 API exists in Java and Perl flavors as well as a SOAP interface.
NAS API Architecture
[Figure: NAS API architecture diagram. Labels: Perl API, Java API, RMI, NAS Client, NAS Server, Mgmt Engine, Syslog Svr, TFTP Svr, DB]
Installing NAS API
Installing Perl API Packages
 Install the NAS client if the API program runs remotely from the NAS server.
 Install the packages (Windows, UNIX).
 In Windows, run the <installdir>\rendition\client\sdk\setup_perl.bat script.
 In UNIX, perform the following steps:
1. Install Perl packages.
2. Set install directory and path.
3. Use the make command to complete the install.
Installing Perl API Manually
 Avoid this, if at all possible.
 Install Java SDK 1.4.2.
– It has to be 1.4.2, not 1.4.1 or 1.5.
– It can be any of 1.4.2_01 through 1.4.2_06.
– Java RMI serialization is inconsistent across releases.
– Install bcprov-jdk14-119.jar into $JAVA_HOME/jre/lib/ext/.
 Install Perl packages.
– Use Inline-Java 0.33.
– The later version doesn’t support an option used by NAS API.
Testing the API for Perl - Example
#!/usr/bin/perl
use strict;
use TrueControlAPI;

# Sample lab credentials; replace with an account on your NAS server.
my $username = "jb";
my $password = "asdf";
my $TrueControlHost = "localhost";

# Open an API session to the NAS server on port 1099.
true_open($username, $password, "$TrueControlHost:1099");

# Run a CLI command through the API and print the first row of the result.
my $res = true_exec("show user -u $username");
my $resultset = $res->getResultSet();
if ($resultset->next()) {
    print(true_getValue($resultset, "UserID"), "\n");
    print(true_getValue($resultset, "FirstName"), "\n");
    print(true_getValue($resultset, "LastName"), "\n");
    print(true_getValue($resultset, "EmailAddress"), "\n");
    print(true_getValue($resultset, "CreateDate"), "\n");
    print(true_getValue($resultset, "PrivilegeLevel"), "\n");
    print(true_getValue($resultset, "AaaUserName"), "\n");
}
true_close();
Installing Java API Packages
 Windows Installation
– Java Runtime Environment c:<install directory>
– NAS Client JAR <install directory>/client
– Libraries <install directory>/jre/lib/ext
 UNIX Installation
– UNIX installation consists of libraries, archives, configuration files, and APIs.
– Library JARs are located in <install directory>/jre/lib/ext.
– NAS API JAR is located in <install directory>/jre/client/NASclient.jar.
– Configuration files are located in <install directory>/jre.
Testing the API for Java - Example
package com.rendition.api.examples;

import com.rendition.api.*;

class Example0 {
    // Sample lab credentials; replace with an account on your NAS server.
    private static String username = "admin";
    private static String password = "rendition";
    private static String hostname = "localhost";

    public static void main(String args[]) {
        System.out.println("Starting Example0");
        Session session = new Session();
        try {
            // Open and close a session to confirm the API can reach the server.
            session.open(username, password, hostname);
            System.out.println("Session connectivity verified");
            session.close();
        }
        catch (RenditionAPIException e) {
            System.err.println(e);
        }
    }
}
Scripting with NAS API
Run script in API
 Create and run in one command
 Can ask for user input in Perl or Java
 Specify mode
 Specify a single device or groups of devices
 Set schedule
Using Perl API in Advanced Scripts
 Advanced Scripts can be in Perl.
 Advanced Scripts can use Perl API.
 Install Perl API on NAS Server host.
 Server Install includes C:\Rendition\client directory
– No need to install NAS Client.
 Admin Settings -> Server -> Advanced Scripting
– Set Path to Interpreter to the location where Perl is installed (typically C:\Perl\bin).
Advanced Scripts Device Variables
 $tc_device_id$ – The NAS internal device identifier
 $tc_device_hostname$ – The host name of the device
 $tc_device_ip$ – The primary IP address of the device
 $tc_device_desc$ – Device description
 $tc_device_fqdn$ – Device Fully Qualified Domain Name (FQDN)
 $tc_device_vendor$ – Device vendor
 $tc_device_model$ – Device model
 $tc_device_softwareversion$ – Device software version
 $tc_device_type$ – Device type
 $tc_device_serialnumber$ – Device serial number
 $tc_device_assettag$ – Device asset tag field
 $tc_device_location$ – Device location
 $tc_device_lastaccess$ – When NAS last accessed the device
 $tc_device_custom_XXX$ – XXX is the custom field API name
 $tc_device_username$ – User name for regular device access
 $tc_device_password$ – Password for regular device access
Additional Advanced Script Device Variables
 $tc_device_enable_username$ – User name for privileged-mode device access
 $tc_device_enable_password$ – Password for privileged-mode device access
 $tc_device_snmp_ro$ – SNMP read-only string (password)
 $tc_device_snmp_rw$ – SNMP read-write string (password)
 $tc_device_port_count$ – Device port count
 $tc_device_port_name_list$ – Device port name list
 $tc_device_port_status_list$ – Device port status list
 $tc_device_port_description_list$ – Device port description list
 $tc_device_port_ip_list$ – The primary IP on each port
 $tc_device_port_ip_mask_list$ – The IP netmasks for the primary IP on each port
 $UserName$ – Opsware Network Automation username of the user who scheduled the script task
 $Password$ – Opsware Network Automation password of the user
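Several of the variables listed above carry credentials. As an added example (not part of the course material or of NAS), the following reviewer's check reports which credential-bearing variables a script body references and flags lines where one reaches an output statement, either directly or through a script variable it was assigned to. The sample script, the function names and the list of output keywords are assumptions made for the illustration.

```python
import re

# Variables from the tables above that are described as passwords or
# SNMP community strings.
SECRET_VARS = {
    "tc_device_password",
    "tc_device_enable_password",
    "tc_device_snmp_ro",
    "tc_device_snmp_rw",
    "Password",
}

# Assumption: keywords that write to output or a log in Perl or shell scripts.
OUTPUT_CALL = re.compile(r"\b(print|printf|say|echo|warn|die|logger|syslog)\b")

# A leading assignment such as: my $pass = ...  (but not == or =~)
ASSIGN = re.compile(r"(?:my\s+)?\$(\w+)\s*=(?![=~])")

# Constructed sample script, written only to exercise the check.
SAMPLE_SCRIPT = """#!/usr/bin/perl
my $host = "$tc_device_ip$";
my $user = "$tc_device_username$";
my $pass = "$tc_device_password$";
print "connecting to $host as $user\\n";
print "debug: enable secret is $tc_device_enable_password$\\n";
system("snmpget", "-v2c", "-c", "$tc_device_snmp_ro$", $host, "sysDescr.0");
warn "login failed for $user with $pass\\n" if $?;
"""


def audit_script(body):
    """Return (line number, secret variable, kind) findings for a script body.

    kind is "reference" when the variable is only used, "output" when it sits
    on a line that writes output, and "output via $name" when a script
    variable assigned from it is written out later.
    """
    findings = []
    tainted = {}  # script variable name -> secret variable it was set from
    for lineno, line in enumerate(body.splitlines(), start=1):
        writes_output = bool(OUTPUT_CALL.search(line))
        direct = [v for v in sorted(SECRET_VARS) if "$" + v + "$" in line]
        for var in direct:
            kind = "output" if writes_output else "reference"
            findings.append((lineno, var, kind))
        assigned = ASSIGN.match(line.strip())
        if assigned and direct:
            # One-hop tracking: remember which script variable holds the secret.
            tainted[assigned.group(1)] = direct[0]
        elif writes_output:
            for name, source in tainted.items():
                if re.search(r"\$" + re.escape(name) + r"\b", line):
                    findings.append((lineno, source, "output via $" + name))
    return findings


def exposures(findings):
    """Keep only the findings where a secret reaches an output statement."""
    return [f for f in findings if f[2] != "reference"]


if __name__ == "__main__":
    for lineno, var, kind in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {var} ({kind})")
```
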
Custom NAS Extensions
 A combination of
– Event Rules
– Advanced Scripts
– API
 Allows a broad range of extensions
– Remediation on Policy Failure
– Integration with external systems
– Things we haven’t thought of
API Scripting – Details & Examples
Result Object
 Contains:
– String ReturnStatus
– Boolean Succeeded
– String Text
– ResultSet ResultSet
– String StackTrace
Return Status
 Example values:
– 200 OK: Generic Succeeded
– 503 Operation Failed: Device with Host name 'foo' not found.
 Java: String status = result.getReturnStatus();
 Perl: my $status = $result->getReturnStatus();
Succeeded
 Example values:
– True
– False
 Java: if (result.getSucceeded()) { … }
 Perl: if ($result->getSucceeded()) { … }
 It is a good practice to always check this! It makes your code more robust.
Text (ResultText)
 Commands that return text:
– show config
– show diagnostic
– show session
 Java: String text = result.getText();
 Perl: my $text = $result->getText();
 Not always set! Not all commands return text.
ResultSet Manipulation
 Commands that return a table in the CLI return a ResultSet in the API.
ONA>list access -host Fred
200 OK: Generic Succeeded
+----+--------------+-------------------------+
| ID | Display Name | Create Date             |
+----+--------------+-------------------------+
| 80 |              | 2004-05-10 14:57:41.207 |
| 85 |              | 2005-02-23 19:47:16.1   |
| 90 |              | 2005-04-15 11:06:43.287 |
| 91 |              | 2005-04-15 11:07:12.81  |
| 92 |              | 2005-04-15 11:12:52.867 |
| 95 |              | 2005-04-19 10:20:04.413 |
+----+--------------+-------------------------+
ResultSet in Java
Session s = new Session();
s.open(s_username, s_password);
Result result = s.exec("show access -host " + host);
System.out.println("ID\tName\tDate");
// Walk every row of the table the command returned.
ResultSet rs = result.getResultSet();
while (rs.next()) {
    int id = rs.getInt("DeviceAccessLogID");
    String name = rs.getString("DisplayName");
    Date date = rs.getTimestamp("CreateDate");
    System.out.println("" + id + "\t" + name + "\t" + date);
}
ResultSet in Perl
true_open($username, $password, "$TrueControlHost:1099");
my $result = true_exec("show access -ip $ip");
print "ID\tName\tDate\n";
# Walk every row of the table the command returned.
my $rs = $result->getResultSet();
while ($rs->next()) {
    my $id   = true_getValue($rs, "DeviceAccessLogID");
    my $name = true_getValue($rs, "DisplayName");
    my $date = true_getValue($rs, "CreateDate");
    print "$id\t$name\t$date\n";
}
true_close();
true_getValue() in Perl
 Perl is dynamically typed.
 Can do $rs->getInt("DeviceID").
– Requires more work.
– Error prone - Should add exception handling.
Column Names
 Column Names are different in CLI and API.
 API Column Names reflect the SQL Schema.
 Schema is documented in the Java API Guide only. So you'll need the Java API even if you are only using Perl.
Custom Data
 NAS provides for custom data fields for the following:
– Device Configuration & Diagnostics
– Devices
– Device Blades/Modules
– Device Interfaces
– Device Groups
– Users
– Tasks
– Telnet/SSH Sessions
 You can configure eight fields per Object.
– UI uses configurable names.
– API uses schema column names.
Error Handling in Perl API
eval {
    ... # Code that may generate exceptions
};
if ($@) {
    # Handle a specific Java exception raised through the API.
    if (caught("com.rendition.api.ResultSetException")) {
        ...
    }
}
Direct SQL Scripting
 Avoid this if at all possible; use it only when there's something missing from the API.
 You can access the NAS database directly from Perl or Java, if you have the database user name and password.
Direct SQL in Perl - Example
use DBI;   # DBI loads the MySQL driver named in the DSN
$dbhost = "localhost";
$dbname = "<database name>";   # placeholder: the slide does not give the database name
$dbuser = "foo";
$dbpass = "foo";
# Double quotes so that $dbname and $dbhost are interpolated into the DSN.
$conn = DBI->connect("DBI:mysql:$dbname;host=$dbhost", $dbuser, $dbpass);
print "User ID\tName\n";
$rs = executeSql("select UserID,UserName from RN_USER");
while ($row = $rs->fetchrow_hashref()) {
    my $id = $row->{UserID};
    my $name = $row->{UserName};
    print "$id\t$name\n";
}
$rs->finish();
Direct SQL in Perl (cont’d)
$rs = executeSql("select count(*) from RN_DEVICE");
@row = $rs->fetchrow_array;
$count = $row[0];
print "Device count is $count\n";
$rs->finish();
$conn->disconnect();
exit;

# Prepare and execute a statement on the open connection; return the handle.
sub executeSql {
    $sql = $_[0];
    my $query = $conn->prepare($sql) || die $conn->errstr;
    $query->execute();
    return $query;
}
Direct SQL in Java - Example
import java.sql.*;
...
Connection conn = null;
try {
    Class.forName("org.gjt.mm.mysql.Driver");
    String dsn = "jdbc:mysql://" + dbhost + "/" + dbname;
    conn = DriverManager.getConnection(dsn, dbuser, dbpass);
    int groupID = getGroupID(conn, group);
    ...
}
finally {
    close(conn);
}
Direct SQL in Java (cont’d)
private int getGroupID(Connection conn, String group) throws Exception {
    // Bind the group name as a parameter instead of concatenating it into the SQL text.
    PreparedStatement stmt = conn.prepareStatement(
        "select DeviceGroupID from RN_DEVICE_GROUP where DeviceGroupName = ?");
    ResultSet rs = null;
    try {
        stmt.setString(1, group);
        rs = stmt.executeQuery();
        if (!rs.next())
            throw new Exception("No Device Group named " + group);
        return rs.getInt("DeviceGroupID");
    }
    finally {
        close(rs);
        close(stmt);
    }
}
Direct SQL in Java (cont’d)
private void close(Connection conn) {
    try {
        if (conn != null) conn.close();
    }
    catch (SQLException ex) {
        // Nothing more to do if the close itself fails.
    }
}
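The group lookup in getGroupID takes a device group name from the caller, so how that name reaches the SQL text matters. As an added example (not code from the course or from Opsware), the following runs the same lookup against a constructed in-memory SQLite table named like the page's RN_DEVICE_GROUP and compares a query assembled by string concatenation with one that binds the name as a parameter. The function names and sample rows are assumptions made for the illustration; JDBC's PreparedStatement and DBI placeholders provide the same binding.

```python
import sqlite3

# Constructed sample rows; the table and column names follow the page's
# RN_DEVICE_GROUP example, the data is invented for this illustration.
SAMPLE_GROUPS = [
    (1, "Inventory"),
    (2, "Core Routers"),
    (3, "O'Hare Branch"),
]


def make_db():
    """Build an in-memory stand-in for the NAS database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table RN_DEVICE_GROUP ("
        "DeviceGroupID integer primary key, DeviceGroupName text)"
    )
    conn.executemany("insert into RN_DEVICE_GROUP values (?, ?)", SAMPLE_GROUPS)
    return conn


def get_group_id_concat(conn, group):
    """Lookup built by string concatenation: the group name becomes SQL text."""
    query = (
        "select DeviceGroupID from RN_DEVICE_GROUP where "
        "DeviceGroupName = '" + group + "'"
    )
    row = conn.execute(query).fetchone()
    if row is None:
        raise LookupError("No Device Group named " + group)
    return row[0]


def get_group_id_bound(conn, group):
    """Lookup with a bound parameter: the group name is only ever data."""
    row = conn.execute(
        "select DeviceGroupID from RN_DEVICE_GROUP where DeviceGroupName = ?",
        (group,),
    ).fetchone()
    if row is None:
        raise LookupError("No Device Group named " + group)
    return row[0]


def compare(conn, group):
    """Run both lookups and report each outcome as an id or an error name."""
    results = {}
    lookups = (("concat", get_group_id_concat), ("bound", get_group_id_bound))
    for label, fn in lookups:
        try:
            results[label] = fn(conn, group)
        except (LookupError, sqlite3.Error) as exc:
            results[label] = type(exc).__name__
    return results


if __name__ == "__main__":
    db = make_db()
    # A plain name, a legitimate name containing a quote, and a name whose
    # quote changes the meaning of the concatenated query.
    for name in ("Core Routers", "O'Hare Branch", "nope' or '1'='1"):
        print(repr(name), compare(db, name))
```

The concatenated form breaks on a legitimate name that contains an apostrophe and returns a group for a name that does not exist; the bound form handles both correctly.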
Java Message Services Connector
• This provides a JMS interface to the NAS API.
• A JMS Text Message contains SOAP (XML) Envelopes.
[Figure: JMS connector diagram. Labels: Data, Event, “Syslog”, JMS, Opsware Network Automation, SOAP XML, .java, JMS Server, JMS connector]
Using SOAP Web Services API in Other Programming Languages
• SOAP API can be used in any language, not necessarily with JMS.
• The following is an example using SOAP API in a Perl script.
use SOAP::Lite;

# Build a SOAP client for the NAS web services endpoint.
# Note: this endpoint is plain HTTP, so the login credentials are sent unencrypted.
my $soap = SOAP::Lite
    -> uri('http://opsware.com/nas/')
    -> readable(1)
    -> proxy('http://jbrennan0:8080/soap/');

my $name = SOAP::Data->name('{http://opsware.com/nas/}username')->prefix('nas');
my $pass = SOAP::Data->name('{http://opsware.com/nas/}password')->prefix('nas');
my $host = SOAP::Data->name('{http://opsware.com/nas/}host')->prefix('nas');

# Log in and print the result returned by the server.
print $soap
    -> login($name->value("jd"),
             $pass->value("asdf"),
             $host->value("localhost:1099"))
    -> result;
Module Summary
In this module, you learned to:
 Explain the NAS API architecture.
 Understand the structure of APIs.
 Create simple Java / Perl code based on the NAS API.
 Understand how to use Web Services API (WSAPI) with NAS.
Opsware Network Automation System
Module 6
Managing Server Health
Module Objectives
At the conclusion of this module, you should be able to:
 Check the server status with the built-in NAS monitoring tools
 Explain data pruning tasks
 Configure and use Event Notification & Response Rules
Server Monitoring Overview
 Why monitor the server?
To avoid:
– Error messages
– Poor performance
 How do you monitor server health?
– Opsware NAS tools
– Other available system monitoring tools
Default Server Monitoring Settings
The following settings are enabled by default:
 ConfigMonitor
 DatabaseDataMonitor
 DatabaseMonitor
 DiskMonitor
 HTTPMonitor
 LDAPMonitor
 MemoryMonitor
 RMIMonitor
 RunExternalTaskMonitor
 SMTPMonitor
 SSHMonitor
 SyslogMonitor
 TelnetMonitor
 TFTPMonitor
Configuring the Server for Monitoring
• Admin -> Administrative Settings -> Server Monitoring
• Verify Enable Server Monitoring state.
• Verify Delay values.
• Verify Delay Between Monitoring Runs.
• Verify other parameters.
Viewing System Status
Viewing System Detail Status - Examples
[Screenshots: Server Configuration, Database Configuration]
Viewing System Detail Status – Examples cont’d
The memory and disk monitor tasks provide detail status reports on the available system memory and disk space respectively.
[Screenshots: Memory, Disk]
Data Pruning Overview
 Configured by system administrator
 Pruning removes obsolete configuration files except:
– Devices with only one configuration
– Current configurations
– Configurations scheduled for deployment
 Pruning also removes other obsolete data
Configuring for Database Pruning
 Configurations
 Diagnostics
 Events
 Tasks
 Sessions
 Log files
 Topology Data
 Diagram files
Running Data Pruning - Example
Review Questions
1. List four of the server monitoring tools.
A. ______
B. _______
C.__________
D.__________
2. Why would you monitor server health?
3. List two of the functions of data pruning.
Review Questions - Answers
1. List four of the server monitoring tools.
A. DiskMonitor
B. LDAPMonitor
C. MemoryMonitor
D. HTTPMonitor
2. Why would you monitor server health?
1. To minimize error messages
2. To avoid poor performance
3. List two of the functions of data pruning.
1. Removes obsolete configuration files.
2. Removes obsolete events.
Event Notification and Response Rules
Event Notification Overview
 Several operations in Opsware NAS generate events.
 Event types
– Device access failure
– User login
 Events are stored in the database.
 Event rules can trigger other events or tasks.
 Event rules trigger on:
– Event type (one or more per event rule)
– Time window (e.g., 9 a.m. – 5 p.m.)
– Device groups
Configuring for Event Notification
• Over 16 pre-packaged notification rules
• Inactive rules marked with a # sign
• Edit or delete a rule based on requirements
Creating an Event Notification & Response Rule
Editing a Response Rule – Example
Review Questions
1. Which of the following is not true for event rules?
A. Event rules trigger on event type.
B. Event rules trigger on device groups.
C. Event rules trigger on time windows.
D. Event rules trigger on task name.
2. Which of the following is not an event type?
A. User Name
B. User Deleted
C. User Login
D. User Message
Review Questions - Answers
1. Which of the following is not true for event rules?
A. Event rules trigger on event type.
B. Event rules trigger on device groups.
C. Event rules trigger on time windows.
D. Event rules trigger on task name.
2. Which of the following is not an event type?
A. User Name
B. User Deleted
C. User Login
D. User Message
Module Summary
In this module, you learned how to:
 Check server status with the following Opsware NAS tools.
– E-mail Notification
– Configuration Monitoring
– Database Data Monitoring
– Disk Monitoring
– HTTP Monitoring
– LDAP Monitoring
– Memory Monitoring
 Explain data pruning tasks
 Configure and use Event Notification Rules
Lab Exercise
Managing Event Notification and Response Rules
Opsware Network Automation System
Module 7
Administrative Settings
Module Objectives
At the conclusion of this module, you should be able to:
 Explain the NAS server administrative settings
 Properly configure and manage the NAS server administrative settings
Administrative Settings Overview
 Configuration Management
 Device Access
 Server
 Workflow
 User Interface
 Telnet/SSH
 Reporting
 External Authentication
 Server Monitoring
Configuration Management – Change Detection
Settings
181
© 2007 Opsware Inc. All rights reserved. Proprietary and confidential.
Configuration Management – Change User
Identification Settings
182
© 2007 Opsware Inc. All rights reserved. Proprietary and confidential.
Configuration Management – Startup/Running,
ACL’s, and Policy Settings
183
© 2007 Opsware Inc. All rights reserved. Proprietary and confidential.
Configuration Management – Pre & Post Task Snapshots
184
© 2007 Opsware Inc. All rights reserved. Proprietary and confidential.
Configuration Management – Diagnostics, Flash Storage,
Boot Detection
185
© 2007 Opsware Inc. All rights reserved. Proprietary and confidential.
Device Access – Device Connection Methods
Device Access – Detect Network and Bastion Host Settings
Device Access – SecurID and Task Credentials Settings
Device Access – Nortel Discovery and Gateway Mesh Settings
Server Settings – TFTP & Email, Tasks, and Syslog
Server Settings – Device Import & IP Reassignment
Server Settings – DNS Resolution, Auditing, DB Pruning
Other Settings include:
Advanced Scripting
Event Filtering
Workflow Settings
User Interface Settings – Security, Date Display, and Menu Customization
User Interface Settings – Config Comparison, Software Center, Templates and Script window settings
User Interface Settings – Device Selector & Misc
Telnet/SSH Settings
Telnet/SSH Settings – Device SSO, Telnet Client & Server
Telnet/SSH Settings – SSH Settings
Reporting Settings
Reporting Settings – cont’d
Reporting Settings – Single View, Diagramming, and Other Reporting Settings
User Authentication Settings
User Authentication Settings – cont’d
Server Monitoring Settings
Starting and Stopping System Events
The NAS system start/stop services consist of:
• A Management Engine
• A TFTP Server
• A Syslog Server
• Content (Drivers, Content)
Review Questions
1. List five of the Opsware NAS administrative settings.
Review Questions - Answers
1. List five of the Opsware NAS administrative settings.
– Configuration Management
– Device Access
– Server
– Workflow
– User Interface
– Telnet/SSH
– Reporting
– External Authentication
– Server Monitoring
Module Summary
In this module, you learned how to:
 Configure the NAS server for operations.
Opsware Network
Automation System
Module 8
Administrative Troubleshooting
Module Objectives
At the conclusion of this module, you should be able to:
 Identify NAS-related problems.
 Diagnose NAS-related problems.
 Isolate NAS-related problems.
 Resolve NAS-related problems.
 Locate additional references and support materials
– Contacting Opsware Support
– Reporting a problem
– Knowledge Base
– Class registration
– Documentation
– The Opsware Network (TON)
Steps for Reporting Problems to Support
 Specify the location of the log file, if appropriate.
 Specify the hardware and OS platform.
 Provide a detailed description of the problem (exact error message).
 Include customer contact information.
 Capture a trace (if requested).
Categories of NAS Problems
 Operating system problems
– Solaris
– Windows
 NAS-specific problems
– Installation
– Operation (device not found, access denied, invalid user name, and so on)
 Network device problems
– Mis-configured devices
– Bad interfaces
– Incorrect version of OS, firmware, and so on
General Installation Problems (all platforms)
 Verify all the prerequisites
 Problems during Setup program execution
– Bound port issues (80, 443, 1099, etc.)
– Not enough disk space
General Installation Problems (cont’d)
 Database Issues during Install
– Can you telnet to the database IP Address & port number?
– Can you connect to the database using the root username & password?
– Can the root / SA account create new databases in the server?
– Is the database server set up correctly?
Installation on Solaris & Linux
 Verify all the prerequisites
 Issues during Setup program launch
– "There is not enough space to install, please choose another directory"
– No X-Windows specified
 Problems during Setup program execution
X Window example
Installation on Windows
 Verify all the prerequisites
 Issues during Setup program launch
 Problems during Setup program execution
 Close the loop to ensure successful install
Install Failure Logs
 Check /Rendition/Opsware_Network_Automation_InstallLog.log for Fatal errors
 Reference Fatal errors in the 2nd log file, located in /Rendition/Server/log
 Determine the problem and reinstall both the application and the database (if MySQL)
Login Problems
 The Opsware Network Automation system’s web login screen won’t load
– Check the TrueControl Management Service
 License and Password Errors
 I get a Server Error when I try to log in
Configure Logging Level
Debug Level
 99-Fatal
 75-Server Error (default)
 50-Warning
 25-Info
 10-Debug
 0-Trace
logging.rcx file
 Logging is controlled by the config file <installdir>/jre/logging.rcx
 A pair of options for each area of functionality
 For example:
<option name="log/DataConnection">System.out</option>
<option name="log/DataConnection/level">0</option>
<option name="log/Discover">System.out</option>
<option name="log/Discover/level">0</option>
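An added example, not part of the course material: a Python sketch that reads option pairs like the ones on the logging.rcx slide and lists the areas whose level is below the default of 75, to confirm which logs are still turned up after troubleshooting. The `<options>` wrapper element, the `log/ExampleArea` entry, and treating a missing level as the default are assumptions.

```python
import xml.etree.ElementTree as ET

# Level names from the course's "Debug Level" slide.
LEVEL_NAMES = {99: "Fatal", 75: "Server Error", 50: "Warning",
               25: "Info", 10: "Debug", 0: "Trace"}
DEFAULT_LEVEL = 75  # the slide marks 75 (Server Error) as the default

# Constructed sample: the two option pairs shown on the slide plus one
# made-up area at the default level. The <options> wrapper is an assumption.
SAMPLE_RCX = """<options>
<option name="log/DataConnection">System.out
</option><option name="log/DataConnection/level">0</option>
<option name="log/Discover">System.out
</option><option name="log/Discover/level">0</option>
<option name="log/ExampleArea">System.out</option>
<option name="log/ExampleArea/level">75</option>
</options>"""


def parse_logging_options(xml_text):
    """Return {area: {"target": str, "level": int}} from option pairs."""
    areas = {}
    for opt in ET.fromstring(xml_text).iter("option"):
        name = opt.get("name", "")
        if not name.startswith("log/"):
            continue
        value = (opt.text or "").strip()  # tolerate line breaks in the value
        if name.endswith("/level"):
            area = name[len("log/"):-len("/level")]
            areas.setdefault(area, {})["level"] = int(value)
        else:
            area = name[len("log/"):]
            areas.setdefault(area, {})["target"] = value
    return areas


def verbose_areas(areas, threshold=DEFAULT_LEVEL):
    """List (area, level name) for areas logging below the threshold."""
    out = []
    for area, cfg in sorted(areas.items()):
        level = cfg.get("level", DEFAULT_LEVEL)  # assumption: missing = default
        if level < threshold:
            out.append((area, LEVEL_NAMES.get(level, str(level))))
    return out


if __name__ == "__main__":
    for area, level in verbose_areas(parse_logging_options(SAMPLE_RCX)):
        print(f"{area}: {level} (turned up for troubleshooting)")
```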
Archive Log files
 <Installdir>\server\ext\jboss\server\default\log\server.log
 Logfile rollover
– Size based
– Time based
– Edit <installdir>\server\ext\jboss\server\default\conf\log4j.xml
 Change the following:
from
<!-- Rollover at midnight each day -->
<param name="DatePattern" value="'.'yyyy-MM-dd"/>
<!-- Rollover at the top of each hour
<param name="DatePattern" value="'.'yyyy-MM-dd-HH"/> -->
to
<!-- Rollover at midnight each day
<param name="DatePattern" value="'.'yyyy-MM-dd"/> -->
<!-- Rollover at the top of each hour -->
<param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>
 In Admin Setting, click Save to reload the new settings.
Sending Log Files
Admin-> Troubleshooting-> Send Troubleshooting Info
Reading the Server.log File
 Make sure the correct logs are turned up (troubleshooting).
 Server.log located in <rendition dir>/server/ext/jboss/server/default/log
 Key areas to focus on
 Using a utility to help view the log
Loading devices
 Installation succeeded and ready to load devices
 Set yourself up for success
1. Turn up discovery & dataconnection logs
2. Test that send troubleshooting email works
3. Disable notification for initial configuration up to prevent email floods.
Notification Failures
 Problem – Unable to send e-mail notification, syslog, or SNMP alerts.
 Symptom – No event notification messages or ability to send e-mail.
 Recommended actions
– Run the SMTP monitor and get results.
– Send a test e-mail to admin.
– Set the event and debug log to debug and rerun the task.
Additional Resources and Information
 Contacting Opsware Support
– www.opsware.com
– Reporting a problem
– Knowledge Base
– Registering for a class
NAS Documentation online
Using The Opsware Network (TON)
The NAS TON Solutions
The NAS TON Solutions include:
SNMP Extensions
Interface Manager (CatOS)
Dynamic Groups Rev 1&2
Interface Manager (IOS)
Historical Alerts
Syntax Checker (IOS)
Advanced Script Boiler Plate (IOS)
The NAS TON Extensions
The NAS TON Extensions include:
Security Alert Service
Before & After Report
Field Extensions Pack
PDF Reports
The NAS TON Integrations
The NAS TON Integrations include:
Checkpoint HTML Viewer
Review Questions
1. What 2 levels of logging are most useful for troubleshooting device discovery and snapshots?
2. What steps would you take to check access permission?
3. What is the location of the jboss_wrapper.log?
4. What steps would you take to change the logging level?
5. How would you test to see if NAS can send out emails?
6. What are the three major components of TON?
Review Questions - Answers
1. What 2 levels of logging are most useful for troubleshooting device discovery and snapshots?
   1. Discover
   2. DataConnection
2. What steps would you take to check access permission?
   1. Check for the legal username.
   2. Check for the password.
   3. Other steps
3. What is the location of the jboss_wrapper.log?
   1. /Rendition/server/log
4. What steps would you take to change the logging level?
   1. Admin-> Troubleshooting. Select the option you want and select the logging level from the drop down menu.
5. How would you test to see if NAS can send out emails?
   1. From Admin-> Troubleshooting, in the upper right hand corner, click on the “Send Test Email to Admin User” link.
6. What are the three major components of TON?
   1. Solutions
   2. Extensions
   3. Integrations
Module Summary
In this module, you learned to:
 Identify NAS-related problems.
 Diagnose NAS-related problems.
 Isolate NAS-related problems.
 Resolve NAS-related problems.
 Locate additional references and support materials
– Contacting Opsware Support
– Reporting a problem
– Knowledge Base
– Class registration
– Documentation
– The Opsware Network (TON)