Opsware Network Automation System
Module 1: Course Introduction
© 2007 2006 Opsware Inc. All rights reserved. Proprietary and confidential.

Welcome
Introductions
Facilities
Course Objectives
Course Outline
Daily Agenda
Lab Exercises
Course Survey

Facilities
Break and lunch rooms
Restrooms
Telephones and e-mail
Fire and emergency procedures

Course Objectives
Upon completion of this two-part course, participants will be able to:
Install, configure, test, utilize, and maintain the Opsware Network Automation System and supporting applications.

Course Outline
Module 1: Course Introduction
Module 2: NAS Installation and Planning
Module 3: User Management, Access, and Authorization
Module 4: Workflows
Module 5: NAS APIs
Module 6: Managing Server Health
Module 7: Administrative Settings
Module 8: Administrative Troubleshooting

Daily Agenda
Day 1
Module 1: 09:00 – 09:15
Module 2: 09:15 – 10:15
Module 3: 10:30 – 11:15
Module 4: 11:15 – 12:00
Lunch Break: 12:00 – 13:00
Module 5: 13:00 – 14:00
Module 6: 14:00 – 14:45
Module 7: 15:00 – 16:00
Module 8: 16:00 – 17:00

Lab Exercises
There are lab exercises in this course.

Thank you for attending
Please fill out the surveys…

Opsware Network Automation System
Module 2: Installation and Planning
Module Objectives
At the conclusion of this module, you should be able to:
Identify the implementation requirements for installing the NAS system, including the:
– Software requirements
– Database requirements
– Hardware requirements
– Network requirements
Explain the NAS implementation best practices.

Software Requirements
Operating Systems
– Microsoft Windows 2000 Server (SP2 or better)
– Microsoft Windows 2003 Server (SP1 or better)
– Sun Solaris 9 (8/04 or higher)
– Sun Solaris 10
– Redhat Linux Advanced Server 3 update 2
– SUSE Enterprise Linux 9
Database
– MySQL 3.23 (Ships with the product)
– Microsoft SQL Server 2000 (SP2 or better)
– Microsoft SQL Server 2005 (SP1 or better)
– Oracle 9i Release 2
– Oracle 10g Release 2
Browsers
– Internet Explorer 6.0 (SP1 or better)
– Firefox 1.0
– Mozilla 1.7.x

Minimum Hardware Requirements
Processor
– 2 GHz Pentium 4 or better (Windows/Linux)
– 1.2 GHz or better UltraSPARC III
RAM
– 1 GB (recommended) (Windows/Linux)
– 1 GB (minimum), 2 GB (recommended) (Solaris)
Disk
– 20 GB (application data)
– 100 GB (database data)
Supported Protocols and Ports
Protocol | Port (Windows) | Port (Solaris) | Use
SSH (TCP) | 22 | 22, 8022 | Opsware NAS to network devices (22); SSH client to NAS proxy (22 or 8022)
SCP (TCP) | 22 | 22 | Opsware NAS server to network devices
telnet (TCP) | 23 | 23, 8023 | Opsware NAS server to network devices; telnet client to NAS proxy (23 or 8023)
rlogin (TCP) | 513 | 513 | Opsware NAS server to network devices
TFTP (UDP) | 69 | 69 | Network devices to Opsware NAS server
FTP (TCP) | 20, 21 | 20, 21 | Opsware NAS server to network devices
SNMP (UDP) | 161 | 161 | Opsware NAS server to network devices
SNMP trap (UDP) | 162 | 162 | Opsware NAS server to NMS
syslog (UDP) | 514 | 514 | Network devices to Opsware NAS server
JNDI | 1099 | 1099 | AAA server to Opsware NAS server
RMI | 4444 | 4444 | AAA server to Opsware NAS server. APIs also use RMI
HTTPS | 443 | 443 | Secured URL connections
HTTP redirect to HTTPS | 80 | 80 | Redirect to HTTPS

Disk and Database Considerations
The majority of disk utilization by NAS is the storage of configuration data in the database.
The database can be installed either on the same host as NAS or on a different host. Disk space for NAS and for the database should be planned separately.
The database size depends largely on the stability and size of the customer environment.
– As the number of managed nodes increases, the database size increases linearly.
– The number of changes per device per day in a customer environment will dictate how much data must be kept in the database.
– The number of days/months/years of historical data required by the customer will dictate how much data must be kept in the database.

Network Requirements
Every network management application creates an additional load on the network to provide management.
Opsware Network Automation creates network load when managing network devices because:
– Obtaining the configuration requires transmission of that configuration over the network.
– Detecting configuration changes requires the receipt of events/messages over the network.
– Recording management information in the database requires database transactions.
– Integration with other management applications requires the exchange of management information over the network.

Application Scalability
Processing Power
Memory Utilization
Disk Requirements
Network Requirements & Impact

Processing Power
Opsware Network Automation functions are contained in scheduled tasks.
Each task acts as an independent process, and is executed according to the scheduler.
The number of concurrent tasks is directly proportional to the processing required.

Memory Utilization
Opsware Network Automation is made up of multiple component applications.
– NAS Management Engine
– NAS TFTP Server
– NAS Syslog Server
Each component application has specific memory requirements.
Each task has specific memory requirements.

Impact of Network on High Availability Deployment
HA deployments increase the amount of network traffic for management, as sources of data must be duplicated (syslog, SNMP traps).
HA database topologies can create a large network overhead depending upon the complexity of the deployment.
HA typically requires duplication of syslog messaging and SNMP traps.
HA typically requires additional traffic to monitor/maintain the HA configuration itself (synchronization, replication, and so on).
Using Multimaster for Redundancy
[Figure: Multimaster topology diagram with three realms, Primary Network (10.1.0.0/16), Overlap Network (10.1.2.0/24) and Subsidiary (10.1.0.0/16), connected through Opsware Gateways, with NAS Core1, NAS Core2 and NAS Core3 linked by Multimaster.]
Callouts:
– Two NAS cores in primary network for HA and disaster recovery
– Separate NAS core to provide local management and UI for subsidiary
– Emergency failover and recovery handled by cores on the primary network

Installation Procedures
License Files
Installing on Windows/Linux
Installing on Solaris
Setting up Admin Settings
Adding Devices

Obtaining a License
Support will generate a license file using the license generation server.
Data needed to generate a license:
– Customer name
– Customer contact information
– Phone number
– E-mail address
– Product and version number
– Expiration date (used for evaluations)
– Node count

License Files
NAS will not start up without a valid license file.
NAS has four registered events regarding license file management:
– License Almost Exceeded
– License Almost Expired
– License Exceeded
– License Expired
License files should be considered confidential information and should not exist in public/non-secured locations.

Installing on Windows
On Windows:
– Verify that IIS is not running as a service; if it is running, stop the service and make sure the startup type is set to manual.
– If using MySQL locally, make sure that the DB is started and running.
– If using MS SQL, obtain the SA password from the DBA.
– Double-click the setup.exe file.

X11 Server Requirements for Unix Installs
Opsware Network Automation has a GUI installer.
For UNIX installations, this means that either local X11 services or the availability of an X11 server is required to complete the installation.
http://www.pexus.com/ (Freeware X11 Server)
– X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX, HP-UX, Sun Solaris, or any other operating system that supports the X Window System, in a LAN environment or from a home PC connecting to the office LAN via a Virtual Private Network (VPN).
– This release is based on the X11R6.5.1 release of the X Window System from the Open Group.
Can use VNC.

Port Conflicts
The NAS installer will not complete if there are any port conflicts.
Common conflicts are:
– Syslog (UDP 514)
– HTTP (TCP 80 or 443)
– TFTP (UDP 69)
– Telnet/SSH (TCP 22/23)
On Solaris and Linux, use the commands below to:
Track down currently listening ports:
    netstat -an | grep "LISTEN"
Check for active services in the inetd.conf file:
    grep -v "^#" /etc/inetd.conf

Installing on Solaris and Linux
Log into the server as root. Other acceptable alternatives to root:
– "su -"
– "sudo ", example: "sudo bash"
– "Login: root"
– MySQL must be running as root.
Set up the DISPLAY to point to the X11 server:
    root@gohan:/export/spare/home/aquilter$ export DISPLAY=10.1.2.136:0.0
    root@gohan:/export/spare/tc$ set | grep DISPLAY
    DISPLAY=10.1.2.136:0.0
Set the setup.bin file to be executable:
    root@gohan:/export/spare/tc$ chmod +x setup.bin

Installing on Solaris and Linux (cont'd)
Turn off the Syslog listener:
Edit /etc/rc2.d/S74syslog and change
    /usr/sbin/syslogd >/dev/msglog 2>&1 &
to
    /usr/sbin/syslogd -t >/dev/msglog 2>&1 &
(-t disables the syslogd UDP port, turning off logging of remote messages.)
Then restart syslog with /etc/init.d/syslog stop followed by /etc/init.d/syslog start.

Review Questions
1. What is the minimum system memory required to support NAS on a Windows platform?
   a. 256 MB
   b. 512 MB
   c. 768 MB
   d. 1024 MB (1 GB)
2. What is the recommended minimum disk space for application data?
   a. 25 GB
   b. 5 GB
   c. 10 GB
   d. 20 GB
3. What is the recommended minimum disk space for database data?
   a. 90 GB
   b. 80 GB
   c. 100 GB
   d. 120 GB
4. What is the minimum version of MySQL supported?
   a. MySQL 1.5
   b. MySQL 3.3
   c. MySQL 3.23.55
   d. MySQL 1.7

Review Questions - Answers
1. What is the minimum system memory required to support NAS on a Windows platform?
   a. 256 MB
   b. 512 MB
   c. 768 MB
   d. 1024 MB (1 GB)
2. What is the recommended minimum disk space for application data?
   a. 25 GB
   b. 5 GB
   c. 10 GB
   d. 20 GB
3. What is the recommended minimum disk space for database data?
   a. 90 GB
   b. 80 GB
   c. 100 GB
   d. 120 GB
4. What is the minimum version of MySQL supported?
   a. MySQL 1.5
   b. MySQL 3.3
   c. MySQL 3.23.55
   d. MySQL 1.7

Syslog Messaging
NAS relies on syslog messaging to perform dynamic change detection.
Syslog message volume can quickly become unmanageable.
– During a failure, there are bursts of large amounts of messages (up to 10-15 messages/second per device).
– Each message is carried in an IP packet, and averages between 50-100 bytes.
Example
The failure of one PVC in a large frame-relay network (1000 branch sites) with 5 devices at each branch can cause an immediate burst of messages from 5000 devices. This could cause up to 60 MB of aggregate burst data funneled directly towards the NAS Syslog Server.
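Returning to the Port Conflicts slide: the two shell checks it lists can be folded into one pre-install script. The Python below is an added example, not part of the Opsware course material or product. It parses Linux-style `netstat -an` output and an inetd.conf (both constructed samples embedded in the script) and intersects the result with the inbound ports NAS needs from the Supported Protocols and Ports slide. The inetd service-to-port map and the Linux column layout are assumptions made here; Solaris netstat prints a different layout.

```python
"""Pre-install port conflict check for a NAS host (added example; not part of
the Opsware course material).

Replays the two manual checks from the Port Conflicts slide against
constructed samples: parse `netstat -an` output for bound sockets, parse
/etc/inetd.conf for active services, then intersect with the ports NAS
must own. Assumes Linux-style netstat columns (Solaris prints a different
layout); the service-to-port map for inetd entries is an assumption too.
"""

# Inbound ports NAS needs on its own host, from the Supported Protocols and
# Ports slide (outbound-only protocols such as SNMP, FTP and SCP are omitted).
NAS_LISTENERS = {
    ("udp", 514): "syslog from network devices",
    ("udp", 69): "TFTP from network devices",
    ("tcp", 22): "SSH client to NAS proxy",
    ("tcp", 8022): "SSH client to NAS proxy (Solaris alternate)",
    ("tcp", 23): "telnet client to NAS proxy",
    ("tcp", 8023): "telnet client to NAS proxy (Solaris alternate)",
    ("tcp", 80): "HTTP redirect to HTTPS",
    ("tcp", 443): "HTTPS web UI",
    ("tcp", 1099): "JNDI from AAA server",
    ("tcp", 4444): "RMI from AAA server and APIs",
}

# Well-known ports for inetd services that commonly collide with NAS
# (assumed mapping; 'shell' is rsh on TCP 514, not the UDP syslog port).
INETD_SERVICE_PORTS = {
    "tftp": ("udp", 69),
    "telnet": ("tcp", 23),
    "ftp": ("tcp", 21),
    "login": ("tcp", 513),
    "shell": ("tcp", 514),
}

# Constructed sample of `netstat -an` on a Linux host that already runs
# sshd, a web server and a syslog daemon.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.10:443           10.1.2.136:51234        ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed sample of /etc/inetd.conf: telnet is commented out, tftp is active.
SAMPLE_INETD = """\
# inetd.conf (constructed sample)
#telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
tftp     dgram   udp  wait    root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
"""


def bound_sockets(netstat_output):
    """Return {(proto, port): local_address} for TCP sockets in LISTEN state
    and for every bound UDP socket (UDP lines carry no State column)."""
    bound = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]          # tcp6/udp6 fold into tcp/udp
        local = fields[3]
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue                   # ESTABLISHED/TIME_WAIT do not hold the port
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            bound[(proto, int(port))] = local
    return bound


def inetd_services(inetd_conf):
    """Return {(proto, port): service} for uncommented inetd.conf entries,
    the same filter as `grep -v "^#" /etc/inetd.conf`."""
    active = {}
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in INETD_SERVICE_PORTS:
            active[INETD_SERVICE_PORTS[service]] = service
    return active


def find_conflicts(netstat_output, inetd_conf):
    """Map each NAS port that is already in use to what is holding it."""
    in_use = {key: f"socket bound on {addr}"
              for key, addr in bound_sockets(netstat_output).items()}
    for key, service in inetd_services(inetd_conf).items():
        in_use.setdefault(key, f"inetd service '{service}'")
    return {key: in_use[key] for key in NAS_LISTENERS if key in in_use}


if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_NETSTAT, SAMPLE_INETD)
    for (proto, port), holder in conflicts.items():
        print(f"{proto}/{port:<5} needed for {NAS_LISTENERS[(proto, port)]}: {holder}")
    if conflicts:
        print("Resolve these before running the NAS installer.")
```

Note that `grep "LISTEN"` only reports TCP listeners: UDP sockets such as syslog 514 and TFTP 69 show no state column, which is why the parser counts every bound UDP socket as in use instead of relying on the LISTEN filter, and why the slide's separate inetd.conf check matters for a TFTP daemon that inetd starts on demand.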
Disk – Core Applications
The Opsware Network Automation installation root is the rendition directory.
The jre directory contains the application configuration files.
The server directory contains the application code, drivers, TFTP root, and log files.

NAS Directory Structure
./rendition/
  ./addins
  ./client
  ./content
  ./docs
  ./jre
  ./resource
  ./server
    ./lib/drivers
    ./ext/tftp/tftpdroot
    ./log
  ./Uninstaller

Driver Directory (./rendition/server/lib/drivers)
Driver Content
Driver Packages
Driver Temporary Files
Driver and File System Interactions
– On-demand virus scanning
– Orphaned temporary files

Log Directory (./rendition/server/log)
NAS logging files
jboss_wrapper – Location of troubleshooting logging
tftp_wrapper
syslog_wrapper

Database Connectivity
Each task will result in a database operation.
– Query (searches, policy compliance, etc.)
– Insert (add devices, add scripts, etc.)
– Update (edit devices, edit configuration, etc.)
Each database operation results in network traffic approximately equal to the payload of the associated task.
– Size of configuration data, diagnostic data, etc.
– Size of search results
– Size of edit operations

Review Questions
1. What is the relationship between memory usage and the number of tasks?
2. True or False - The NAS driver packages are located in ./rendition/lib/drivers.
3. Why would you install NAS and a database on the same server? (Check all that apply.)
   a. Lower cost
   b. Single point of failure
   c. Reduction in network traffic
   d. NAS has its own system
4. You plan for Syslog messaging, because… (Check all that apply.)
   a. NAS relies on syslog for change detection.
   b. Syslog messages can become unmanageable.
   c. Syslog bursts take 2-5 messages per second per device.
   d. Syslog uses IP packets that average between 50-100 bytes.

Review Questions - Answers
1. What is the relationship between memory usage and the number of tasks?
   The amount of memory is directly proportional to the number of tasks, and memory increases with the number of tasks.
2. True or False - The NAS driver packages are located in ./rendition/server/lib/drivers.
3. Why would you install NAS and a database on the same server?
   a. Lower cost
   b. Single point of failure
   c. Reduction in network traffic
   d. NAS has its own system
4. You plan for Syslog messaging, because…
   a. NAS relies on syslog for change detection.
   b. Syslog messages can become unmanageable.
   c. Syslog bursts take 2-5 messages per second per device.
   d. Syslog uses IP packets that average between 50-100 bytes.

Environments
Each environment is different.
– Device platforms
– Business practices
– Network protocols
Each user will worry about different aspects of the implementation.
– System
– Application
– Network
– Database

Device Access Methods
Opsware Network Automation gains access to network devices in several ways:
– Direct CLI: Telnet, SSH, and/or via a Console Server
– Indirect CLI: NAT, Bastion Host
– SNMP
Opsware Network Automation accesses files located on network devices in several ways:
– TFTP, FTP, SCP

Getting Around Firewalls
NAT Service
Bastion Host Information
Console Servers

Overlapping IP Address Management
Core 2 will manage the remote site (Overlap 1) via the Gateway mesh.
User Authentication Services
NAS provides integration with various external authentication services.
– Windows Active Directory
– TACACS
– SecurID
– RADIUS

Windows Active Directory
Integration with AD allows authentication into the Web and the CLI interface of NAS to be controlled by AD.
A Domain Admin user and a Domain Controller are required.
You can specify individual users or user groups.

TACACS
TACACS+ is a Cisco proprietary AAA service (CiscoSecure™), aka ACS or CiscoSecure.
Integration with TACACS+ allows authentication into the Web and CLI interface of NAS to be controlled by TACACS.
TACACS+ can also be used to access network devices.

RSA SecurID™
RSA SecurID™ is a secure one-time password (OTP) AAA service often used in conjunction with TACACS.
Integration with RSA SecurID allows authentication into the Web and CLI interfaces of NAS.
SecurID can also be used to access network devices.

Syslog Messaging
Change Detection
– Syslog messages are used to determine when a change has occurred on a managed device.
– Syslog message patterns are used to match messages received with messages known to signify changes.
– When a message matches any of the patterns, a corresponding snapshot operation is scheduled.
Change Attribution
– Syslog messages contain information that can be used to identify the source of the configuration change.
– When a snapshot operation is scheduled, the resultant change is attributed to the user identified in the syslog message.
– Change attribution also occurs on operations scheduled while using NAS interfaces.
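The detection and attribution steps on the Syslog Messaging slide, as an added example that is not part of the course material or the NAS product: the script parses RFC 3164 framed lines, matches the message body against the deck's Default Syslog Patterns (listed on a later slide), schedules one snapshot per matching message and attributes it to the user named in the message. The sample lines, the Cisco-style "by USER" attribution rule and the treatment of lines without a `<PRI>` header as dropped are assumptions made here.

```python
"""Syslog-driven change detection and attribution (added example; not
Opsware code). Implements the flow described on the Syslog Messaging slide:
parse an RFC 3164 line, match the message against the deck's default
syslog patterns, schedule one snapshot per match and attribute it to the
user named in the message. Lines that are not RFC 3164 framed are counted
and dropped, mirroring the NAS Syslog Server's relay requirement.
"""
import re
from collections import namedtuple

# The deck's "Default Syslog Patterns" list, compiled as regular expressions.
DEFAULT_PATTERNS = [re.compile(p) for p in (
    r"SYS-6-CFG_CHG", r"SYS-5-CONFIG", r"SYS-5-RESTART", r"SYS-5-SYS_RESET",
    r"SYS-5-RELOAD", r"\*\*added\*\*", r"apache:.*POST", r"\*\*defined\*\*",
    r"\*\*deleted\*\*", r"login:", r"apache:.*command=",
)]

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG, PRI = facility*8 + severity.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Assumed attribution rule: Cisco IOS config messages read "... by USER ...".
# The deck says messages identify the source but does not give a format.
ATTRIBUTION = re.compile(r"\bby (?P<user>[^\s(]+)")

Snapshot = namedtuple("Snapshot", "device user facility severity pattern")


def parse_rfc3164(line):
    """Return a dict with facility, severity, host and msg, or None if the
    line is not RFC 3164 framed (no <PRI>, bad timestamp, PRI out of range)."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # facility 0..23, severity 0..7
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m["host"], "msg": m["msg"]}


def detect_changes(lines, patterns=DEFAULT_PATTERNS):
    """Return (scheduled snapshots, number of non-compliant lines dropped)."""
    scheduled, dropped = [], 0
    for line in lines:
        rec = parse_rfc3164(line)
        if rec is None:
            dropped += 1
            continue
        for pat in patterns:
            if pat.search(rec["msg"]):
                who = ATTRIBUTION.search(rec["msg"])
                scheduled.append(Snapshot(rec["host"], who["user"] if who else None,
                                          rec["facility"], rec["severity"], pat.pattern))
                break                   # first matching pattern schedules the snapshot
    return scheduled, dropped


# Constructed sample feed: two Cisco config events, one noise message, one
# web-UI POST, and one line a non-compliant relay forwarded without <PRI>.
SAMPLE_LINES = [
    "<189>Mar 12 14:03:11 core-rtr-1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.1.2.136)",
    "<190>Mar 12 14:03:12 core-rtr-1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.2.10 started",
    "<189>Mar 12 14:05:40 dist-sw-2 %SYS-5-RELOAD: Reload requested by ops on vty1",
    "<30>Mar 12 14:06:01 nms-host apache: 10.1.2.5 - - POST /config/apply HTTP/1.1",
    "Mar 12 14:07:00 legacy-relay %SYS-5-CONFIG_I: Configured from console by root",
]

if __name__ == "__main__":
    snaps, dropped = detect_changes(SAMPLE_LINES)
    for s in snaps:
        print(f"snapshot {s.device}: matched {s.pattern!r}, attributed to {s.user}")
    print(f"{dropped} non-RFC-3164 line(s) dropped")
```

The last sample line is the shape a non-compliant relay produces, a message forwarded without its `<PRI>` header, which is the RFC 3164 problem the later SyslogReaderClient slide works around by reading the target server's local log instead. The `login:` pattern also matches far more than configuration events, so filtering upstream (the Syslog-NG or Kiwi approach the deck mentions) keeps the snapshot queue from filling with non-changes.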
Direct Logging
Direct logging occurs when the network devices are configured to log messages directly to the NAS Syslog Server.
Direct logging results in the most messages directed at the NAS Syslog Server.
Note that NAS does not store syslog messages and cannot act as a relay to other servers.

Default Syslog Patterns (regular expressions):
SYS-6-CFG_CHG
SYS-5-CONFIG
SYS-5-RESTART
SYS-5-SYS_RESET
SYS-5-RELOAD
\*\*added\*\*
apache:.*POST
\*\*defined\*\*
\*\*deleted\*\*
login:
apache:.*command=

Relay
A syslog relay is the forwarding of syslog messages from one server to another.
Most customer environments will have an existing syslog architecture.
Syslog is not a guaranteed delivery protocol.
Syslog relay doubles the chance that syslog messages will be lost while in transit.

RFC 3164 Compliance Requirement
RFC 3164 covers the Syslog protocol.
The NAS Syslog Server supports relay only from RFC compliant syslog servers.
NAS provides a way to work around this issue:
– NAS SyslogReaderClient
Commonly seen RFC compliant syslog servers:
– Syslog-NG
– Kiwi Syslog
Commonly seen non-RFC compliant syslog servers:
– CiscoWorks™
– Solaris syslogd

RFC Compliant Syslog Servers
Syslog-NG – http://www.balabit.com/products/syslog_ng/
Kiwi Syslog Daemon – http://www.kiwisyslog.com/syslog-info.php
Syslog-NG or Kiwi Syslog can enhance performance of the NAS Syslog Server by filtering out syslog messages that the NAS Syslog Server does not require.
Support for the above products is provided by the respective vendors.

SyslogReaderClient
The NAS SyslogReaderClient is a small component of NAS that is installed on a target syslog server (Solaris).
The NAS SyslogReaderClient maintains its own syslog message patterns.
The NAS SyslogReaderClient watches the local syslog messages, and forwards matching messages to the NAS Management Engine directly.

Review Questions
1. Name two of the three methods for getting around firewalls.
   a. __________
   b. _________
2. Where is the NAS SyslogReaderClient installed?
   a. NAS syslog server
   b. Target syslog server
   c. NAS syslog client
   d. Target syslog client
3. What is the definition of a syslog relay?

Review Questions - Answers
1. Name two of the three methods for getting around firewalls.
   a. NAT
   b. Bastion Host
   c. Console server
2. Where is the NAS SyslogReaderClient installed?
   a. NAS syslog server
   b. Target syslog server
   c. NAS syslog client
   d. Target syslog client
3. What is the definition of a syslog relay?
   a. Syslog message forwarding mechanism (Responses may vary.)

Additional Installation Topics
API Integration
Custom Fields
Security
Miscellaneous
– NAS Tools
– Database Migration
– AAA Agent
– Customer Banner

API
The API exists in Java, Perl and SOAP flavors.
The API allows scripts to be executed from “home-grown” or other external systems to perform operations on or using NAS data.
The API encapsulates core NAS functions for use by other systems.

Integration and Extensibility
The functionality of any network management application is maximized by its capability to inter-operate with other network management applications.
NAS provides a flexible integration architecture through various integration points that include:
– NAS Connectors
– Custom Data Fields
– CLI Interface
– API

Integrating with NAS
With Connectors:
– NAS Connectors are installable components that directly integrate with other network management applications.
– The NAS Management Engine will receive management information through the connector component directly.
– The NAS Management Engine will forward management information to the target system using syslog, SNMP traps, and/or other custom mechanisms.
Without Connectors:
– Many customer environments have “home-grown” solutions that they do not want to discard.
– Many customer environments have specific pain-points that can be creatively solved through integration.
– Many customer environments have a large library of scripts that they trust and do not want to eliminate.

Custom Data Fields
NAS includes eight custom data fields per table for user customization.
– Device Configuration & Diagnostics
– Devices
– Device Blades/Modules
– Device Interfaces
– Device Groups
– Users
– Tasks
– Telnet/SSH Sessions
Custom data fields are viewable/settable from the WebUI.
Custom data fields are viewable/settable from the CLI/API.
Custom data fields are searchable.

Securing Opsware Network Automation
NAS will be given privileged information to maintain management of network devices.
– SNMP read/write community strings
– Device access credentials, possibly including those of security devices themselves
– Topological information: available networks, available ports, wireless keys
– Security-specific information: access control lists, allowed hosts

Addressing Security Issues
TFTP (RFC 1350)
– TFTP uses no user name and password.
Clear-text protocols (Telnet, SNMP)
Virus scanning
– On-demand virus scanning impacts NAS performance.
NAS Tools
NAS Tools allow the NAS Administrator to:
– Change database connection information
– Save device passwords to file
Database changes are not common, but are required for some situations.
Export of the device passwords is a mechanism to assist in the cold storage of password information.

NAS Database Migration
The database migration tool was created to support a database platform change.
– Example: customers who want to migrate from a MySQL database to an Oracle database for their ONA implementation.
– The tool includes support for MySQL to MySQL, where each database may exist on a different host.
The tool has found a strong use case in migrating application data from QA/Test environments into Production environments.

NAS AAAReaderClient
NAS AAAReaderClient is similar to the NAS SyslogReaderClient.
– Instead of watching a local syslog file, the AAAReaderClient watches a local AAA service log file.
NAS AAAReaderClient provides change detection and change attribution features similar to the SyslogReaderClient.
– The difference is that the source of the change information is the AAA service (TACACS or other).

Customer Banner
Located in <default install directory>\resource
The file is called customer_banner.html
– Can contain plain text or HTML

Installation Best Practices
Guidelines to follow that will lead to a successful implementation:
– Initial Configuration - Take the time to configure the system before turning it over to the users.
  – Administrative
  – Password Selection
  – Device Access Methods
  – Configure Syslog
  – Polling and Diagnostics Tasks
  – Database Pruning Parameters
  – Server Monitoring
  – Event Notification & Response Rules
  – Device Password Rules
– Scaled Import - Perform a scaled import of devices to catch problems early across a broad range of customer devices.
– Task Scheduling - Use the capabilities of the scheduling engine to minimize customer perception of failed tasks.
– Peak Traffic Impact Analysis - Ensure that the customer is aware of the effect this application is going to have on their network.

Guidelines for Password Rules
Avoid password rules that apply to the system group “Inventory”.
Order password rules from most widely used to least widely used.
Use the device group, IP range, and host name limiters to be as accurate as possible.

Nortel Specific
Some common configuration settings that should be reviewed for Nortel installations are summarized below.
Nortel devices will also experience some performance benefits if you increase the timeout to two minutes using an access variable.
Administrative Settings
– Flash Storage Space
– Flash Low Event
– Flash Low Threshold
– Nortel BayRS MIB/OS Versions
Event Notification & Response Rules
– Compress Flash Storage when available space is detected to be low

Scaling Import
It is important to scale the import of network devices.
– 5% of device count imported initially
– 15% of device count imported next
– 35% of device count imported next
– 100% of device count (full deployment)
There are a lot of variables involved in the initial load of devices into a management application; reducing the set of devices to troubleshoot will reduce the amount of time to full deployment.
Scaling Import (cont'd)
Guidelines
– Pick a set of devices that covers each of the respective device families in the customer environment for the initial load; this will allow support to get a heads-up on any device issues that may occur at this site.
– Do not move forward to the next phase until all devices have had a successful snapshot or a support ticket for the issue has been generated.
– Test increasingly advanced features at each phase:
  1. Discovery, Snapshot
  2. Change Detection
  3. Command Scripts, Diagnostics
  4. Policy Manager, ACL Manager, Software Center

Task Scheduling
Stagger large polling tasks by device groups.
– Try to keep the system busy at a consistent rate.
– Try to avoid a huge queue of pending tasks.
Use the Retry Count and Retry Interval on devices that have intermittent successes/failures.
– BayStack switches or WAN-connected routers may fall into this category.

Change Windows
It is critical to be aware of the change control process and how NAS will interact with it.
– Common change processes schedule applications for windows of time to operate; if this is the case, schedule all operations to occur during this time.
– This situation may affect real-time change detection; be aware that real-time change detection will perform operations outside of the change window if this feature is enabled.
– Pay attention to the pending and running task queues during the import phases; if the amount of time required to complete a “full pass” is longer than the assigned change window, the application will have to be tuned/configured to meet the change control process.

Module Summary
In this module, you learned to:
Identify the implementation requirements for installing the NAS system.
– Hardware requirements
– Software requirements
– Browser requirements
– Database requirements
– Operating system requirements
– Network requirements
Explain the NAS implementation best practices.

Opsware Network Automation System
Module 3: Authorizing User Access

Module Objectives
At the conclusion of this module, you should be able to:
Plan for users, access and authorization.
Differentiate between roles and permissions.
Create user accounts and user groups.
Edit user accounts.
Add users to user groups.
Create Views and Partitions.
Add Users, User Groups, Devices & Device Groups to partitions.

User Accounts Basics
Users
Logged on Users
New User
User Groups
New User Groups
User Roles and Permissions

Users
Properties
– Login name
– First name
– Last name
– E-mail address
Actions
– Edit
– Delete
– Permissions
– Configuration Changes

Viewing All Users
To view all users, select Admin > Users.

Creating New Users
The required fields are username and password.
However, a user should belong to a group.

New User Form – User Information

New User Form – Authentication Requirements

Viewing Logged on Users
Properties
– User Name
– User Host
– Last Access Time
User Groups
• Limited Access User
  – Limited Access Command permissions
• Full Access User
  – Full Access Command and All Scripts permissions
  – All tasks, but only on a single device at a time and no recurring tasks
• Power User
  – Power Command and All Scripts permissions
  – All tasks except changing admin and user settings
• Administrator
  – Administrator Command permissions

User Groups and Roles
– Limited Access User: Limited Access (Command Permission)
– Full Access User: Full Access (Command Permission); All Scripts (Script Permission); All Devices (Modify Device Permission)
– Power User: Power (Command Permission); All Scripts (Script Permission); All Devices (Modify Device Permission)
– Administrator: Administrator (Command Permission)

New User Group and Permissions
From the Admin menu, select the New User Group menu item to open the new user group window. Enter the name of the group, then select which roles to grant the group.

New User Group and Permissions (cont'd)
Assign members to the user group.

Adding Users to a User Group
Admin > Users > Edit > Add User Group > Save.

Viewing User Groups
Select the group, drill down for details, select an action and modify the group properties.

User Roles and Permissions
Users are granted access permissions based on their roles. Only the system administrator, or a user with equivalent permissions, can modify the permissions of other users.

Creating User Roles – Command Permission
Creating User Roles – Modify Device Permission

Creating User Roles – Script Permission

Creating User Roles – View Partition Permission

Viewing the User Permission Summary Page
1. From the Admin menu, select the User Roles & Permissions menu item.
2. Identify the user group.
3. Click Permissions.
4. View the permissions for the following groups:
   • Administrator
   • Power User
   • Limited Access User
   • Full Access User

Views and Partitions
• Use Views & Partitions to control the visibility of devices, device groups, users and user groups.
• You can partition:
  – Devices & Device Groups
  – Users & User Groups
• Create a User Role (View Partition Permission) for each partition, and assign these roles to a user group.

Views – Devices & Device Groups
Devices & Device Groups
– Once the Devices & Device Groups view has been selected, all partitions under this view inherit this property.
– Create partitions that hold the devices.

Views – Devices & Device Groups (cont'd)
Device Groups
– Can be assigned to a particular partition.
Devices
– An individual device can be assigned to a partition.

Views – Users & User Groups
Users & User Groups
– Once the Users & User Groups view has been selected, all partitions under this view inherit this property.
– Create partitions for the different user filtering you want to accomplish.
– These partitions are technically device groups, but contain no devices.
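The slides above describe four permission types (Command, Script, Modify Device, View Partition) that are bundled into roles, granted to user groups, and combined with partitions to decide what a user can see and do. The following is an added example, not Opsware code, that models that composition so the interaction is explicit: visibility through a partition is checked first, then the command level, then script and modify-device rights. The ordering of the command levels (Limited Access < Full Access < Power < Administrator), the "View Datacenter"/"View Branch" roles and all users, groups and devices are constructed for the example.

```python
"""Roles, permissions and view partitions composed into one access check.

Added example, not Opsware code: it models the role types on these slides
(Command, Script, Modify Device and View Partition permissions), the ordering
of the command levels (assumed here to be Limited Access < Full Access <
Power < Administrator) and constructed users, groups and devices."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

COMMAND_LEVELS = ["Limited Access", "Full Access", "Power", "Administrator"]


@dataclass(frozen=True)
class Role:
    name: str
    command: Optional[str] = None                   # Command Permission level
    all_scripts: bool = False                       # Script Permission
    all_devices: bool = False                       # Modify Device Permission
    view_partitions: FrozenSet[str] = frozenset()   # View Partition Permission


@dataclass
class UserGroup:
    name: str
    roles: List[Role]


@dataclass
class User:
    login: str
    groups: List[UserGroup] = field(default_factory=list)


@dataclass(frozen=True)
class Device:
    hostname: str
    partition: str


@dataclass(frozen=True)
class Operation:
    name: str
    min_command_level: str
    runs_script: bool = False
    modifies_device: bool = False


def effective_permissions(user: User):
    """Union of everything granted by every role of every group the user is in.
    Returns (highest command level index, all_scripts, all_devices, partitions)."""
    level, scripts, devices, partitions = -1, False, False, set()
    for group in user.groups:
        for role in group.roles:
            if role.command is not None:
                level = max(level, COMMAND_LEVELS.index(role.command))
            scripts = scripts or role.all_scripts
            devices = devices or role.all_devices
            partitions |= role.view_partitions
    return level, scripts, devices, partitions


def authorize(user: User, op: Operation, device: Device) -> Tuple[bool, str]:
    """Visibility first: a device outside the user's view partitions is
    invisible, whatever command level the user holds."""
    level, scripts, devices, partitions = effective_permissions(user)
    if device.partition not in partitions:
        return False, "device not visible in user's partitions"
    if level < COMMAND_LEVELS.index(op.min_command_level):
        return False, f"requires {op.min_command_level} command permission"
    if op.runs_script and not scripts:
        return False, "no script permission"
    if op.modifies_device and not devices:
        return False, "no modify device permission"
    return True, "ok"


# Roles from the slide table plus one view role per partition (constructed).
LIMITED = Role("Limited Access", command="Limited Access")
POWER = Role("Power", command="Power")
ALL_SCRIPTS = Role("All Scripts", all_scripts=True)
ALL_DEVICES = Role("All Devices", all_devices=True)
VIEW_DC = Role("View Datacenter", view_partitions=frozenset({"Datacenter"}))
VIEW_BRANCH = Role("View Branch", view_partitions=frozenset({"Branch"}))

LIMITED_GROUP = UserGroup("Limited Access User", [LIMITED, VIEW_DC])
POWER_GROUP = UserGroup("Power User", [POWER, ALL_SCRIPTS, ALL_DEVICES, VIEW_DC, VIEW_BRANCH])
POWER_NO_SCRIPTS = UserGroup("Power (no scripts)", [POWER, VIEW_DC])

TIM = User("tim", [LIMITED_GROUP])
JB = User("jb", [POWER_GROUP])
OPS = User("ops", [POWER_NO_SCRIPTS])
DC_ROUTER = Device("dc-core-1", "Datacenter")
BRANCH_SWITCH = Device("br-sw-7", "Branch")

SHOW_CONFIG = Operation("show config", "Limited Access")
RUN_SCRIPT = Operation("run command script", "Power", runs_script=True)
DEPLOY_CONFIG = Operation("deploy config", "Full Access", modifies_device=True)

if __name__ == "__main__":
    for user in (TIM, JB, OPS):
        for op in (SHOW_CONFIG, RUN_SCRIPT, DEPLOY_CONFIG):
            for dev in (DC_ROUTER, BRANCH_SWITCH):
                print(user.login, op.name, dev.hostname, authorize(user, op, dev))
```

The check order matters: reporting "requires Power command permission" for a device the user is not allowed to see would confirm that the device exists, so the partition test comes first.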
Views – Users
Users
– Assign each user to the correct partition in the Users view.
– Assign the correct user group (one whose roles carry the matching View Partition Permission).

Views – User Groups
User Groups
– Assign them to the correct partition in the Users view.
– A user group can be assigned to multiple partitions.
– This lets you use user groups to control which users and devices a user can see.

Auto-created Users
NAS automatically creates additional users through change detection. For example:
– NAS notices that the username "tim" logged into a network device directly.
– The username "tim" does not currently exist in NAS.
– NAS automatically creates a new user "tim_auto" with no permissions.
When no particular username is available, NAS may use another attribute (for example the IP address of the telnet client the person is using) to name the new user, e.g. "192.168_auto".
These accounts carry no permissions; they exist to attribute detected changes to a user, so review them periodically rather than granting them access.

Review Questions
1. How would you display the users on the Opsware NAS server?
2. Which two of the following are not required fields when creating a user account?
   A. Login Name
   B. Street Address
   C. Password
   D. E-mail Address
3. List three user roles.
4. List three types of permissions granted to a user.

Review Questions – Answers
1. Admin > Users.
2. B (Street Address) and D (E-mail Address); only login name and password are required.
3. Limited, Full, Power.
4. Command, Script, Modify Device.

Module Summary
In this module, you learned how to:
• Differentiate between roles and permissions.
• Create user accounts.
• Edit user accounts.
• Add users to user groups.

Lab Exercise
Managing Users, Access & Authentication

Opsware Network Automation System
Module 4: Workflows

Module Objectives
At the conclusion of this module, you should be able to:
• Explain the workflow process.
• Create, edit and run workflows.

Workflow Overview
Process manager for network configuration (change control).
Benefits
– Ensures that network changes are completed according to pre-defined policies.
– Ensures the correct sequence of policy process completion.
– Ensures that the appropriate people approve changes.
Workflow Wizard
– Aids the easy setup of tasks.
Process flow
– Project
– Originator
– Approver (approved, not approved, suspended, override)
– FYI recipients

Workflow Process: Eight-step Approach
1. Start the Setup Wizard.
2. Enable Workflow.
3. Manage approval rules: create a new rule or modify existing rules.
4. Originator setup: define the users who have process origination permissions.
5. Set up tasks: determine which tasks are included in the process.
6. Set up the device group: identify which device group the workflow applies to.
7. Set up approvers. Note that the originator cannot approve their own tasks.
8. Identify FYI users (the originator need not be added). Save the workflow.

Creating a Workflow – Steps 1-2
Step 1: Start the Setup Wizard.
Step 2: Enable Workflow (Admin > Workflow Setup).

Creating a Workflow – Steps 3-5
Step 3: Create new approval rules or modify existing rules.
Step 4: Set up the originator.
Step 5: Create the tasks that require approval.

Creating a Workflow – Steps 6 & 7
Step 6: Set up the device group to use for the workflow.
Step 7: Set up the list of approvers. Check the box here if no approvers are required.

Creating a Workflow – Step 8
Step 8: Identify FYI users. Save the workflow.

Managing Workflow Approval Rules
Actions on a rule: delete the rule, decrease its priority, increase its priority.

GUI Changes with Workflow Enabled
Note that tasks specified in a workflow rule cannot be performed on a covered device without an approval, unless the user has been granted the Override Approval permission.

Review Questions
1. What is a workflow?
2. True or False: the originator can override an approval.
3. How many approvers are needed to approve a task?
   A) 1
   B) 2
   C) It depends on the setup
4. True or False: approval overrides can be flagged and the system administrator can be notified.

Review Questions – Answers
1. A process manager for network change control (answers may vary).
2. True, if the approver is not available and no verification is required.
3. A) Only one approver is needed.
4. True.

Module Summary
In this module, you learned to:
• Explain the workflow process.
• Create, edit and run workflows.
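The eight steps and the review answers above describe the rules of the approval process: a rule matches a task type on a device group, names approvers and FYI users, the originator cannot approve their own task, one approval is enough, and an override requires the Override Approval permission and should be flagged to an administrator. The following added example, not Opsware code, implements those rules as a small state machine so the separation of duties can be exercised; the rule names, users and task types are constructed.

```python
"""Workflow approval state machine.

Added example, not Opsware code: it models the rules on these slides (a rule
matches on task type and device group and names approvers and FYI users; the
originator cannot approve their own task; one approver is enough; overriding
an approval requires the Override Approval permission and is recorded so an
administrator can be notified). Rule contents and users are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ApprovalRule:
    name: str
    priority: int                     # lower number is evaluated first
    task_types: FrozenSet[str]
    device_group: str
    approvers: FrozenSet[str]
    fyi_users: FrozenSet[str] = frozenset()


@dataclass
class Task:
    task_type: str
    device_group: str
    originator: str
    state: str = "pending"            # pending / approved / not approved / suspended / overridden
    rule: Optional[ApprovalRule] = None
    audit: List[str] = field(default_factory=list)

    def may_run(self) -> bool:
        return self.state in ("approved", "overridden")


class Workflow:
    def __init__(self, rules: List[ApprovalRule], override_permission: FrozenSet[str]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.override_permission = override_permission   # users holding Override Approval
        self.notifications: List[str] = []

    def matching_rule(self, task_type: str, device_group: str) -> Optional[ApprovalRule]:
        for rule in self.rules:
            if task_type in rule.task_types and rule.device_group == device_group:
                return rule
        return None

    def submit(self, task_type: str, device_group: str, originator: str) -> Task:
        task = Task(task_type, device_group, originator)
        task.rule = self.matching_rule(task_type, device_group)
        if task.rule is None:
            task.state = "approved"   # no rule covers it: runs as it did before workflow was enabled
            task.audit.append(f"{originator}: no approval rule, runs immediately")
        else:
            for user in task.rule.fyi_users:
                self.notifications.append(f"FYI {user}: {task_type} on {device_group} awaits approval")
        return task

    def decide(self, task: Task, approver: str, decision: str) -> None:
        """One approver is enough, but never the originator and only a named approver."""
        if task.rule is None or task.state != "pending":
            raise ValueError("task is not awaiting approval")
        if approver == task.originator:
            raise PermissionError("originator cannot approve their own task")
        if approver not in task.rule.approvers:
            raise PermissionError(f"{approver} is not an approver for rule {task.rule.name}")
        if decision not in ("approved", "not approved", "suspended"):
            raise ValueError("unknown decision")
        task.state = decision
        task.audit.append(f"{approver}: {decision}")

    def override(self, task: Task, user: str) -> None:
        """Override Approval bypasses the approvers; it is audited and the
        administrator is notified, which is what makes the bypass reviewable."""
        if user not in self.override_permission:
            raise PermissionError(f"{user} lacks Override Approval permission")
        task.state = "overridden"
        task.audit.append(f"{user}: approval overridden")
        self.notifications.append(
            f"ADMIN: {user} overrode approval for {task.task_type} on {task.device_group}")


# Constructed rule: config deployment and scripts on core routers need NOC approval.
RULES = [
    ApprovalRule("core-deploy", priority=1,
                 task_types=frozenset({"deploy config", "run command script"}),
                 device_group="Core Routers",
                 approvers=frozenset({"alice", "bob"}),
                 fyi_users=frozenset({"noc"})),
]

if __name__ == "__main__":
    wf = Workflow(RULES, override_permission=frozenset({"admin"}))
    t = wf.submit("deploy config", "Core Routers", "tim")
    wf.decide(t, "alice", "approved")
    print(t.state, t.audit, wf.notifications)
```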
Lab Exercise
Managing Workflows

Opsware Network Automation System
Module 5: NAS APIs

Module Objectives
At the conclusion of this module, you should be able to:
• Explain the NAS API architecture.
• Understand the structure of the APIs.
• Create simple Java or Perl code based on the NAS API.
• Understand how to use the Web Services API (WSAPI) with NAS.

NAS API
• The API enables scripts run from "homegrown" or other external systems to perform operations on NAS data.
• The API encapsulates core NAS functions for use by other systems.
• The API exists in Java and Perl flavours, as well as a SOAP interface.

NAS API Architecture
(Diagram.) The Perl API and the Java API run in the NAS Client and talk to the Management Engine on the NAS Server over RMI; the server also hosts the Syslog server, the TFTP server and the database (DB).

Installing the NAS API

Installing Perl API Packages
• Install the NAS client if the API program runs remotely from the NAS server.
• Install the packages (Windows, UNIX).
  – On Windows, run the <installdir>\rendition\client\sdk\setup_perl.bat script.
  – On UNIX, perform the following steps:
    1. Install the Perl packages.
    2. Set the install directory and path.
    3. Use the make command to complete the install.

Installing the Perl API Manually
Avoid this if at all possible.
• Install Java SDK 1.4.2.
  – It has to be 1.4.2, not 1.4.1 or 1.5.
  – It can be any of 1.4.2_01 through 1.4.2_06.
  – Java RMI serialization is inconsistent across releases.
  – Install bcprov-jdk14-119.jar into $JAVA_HOME/jre/lib/ext/.
• Install the Perl packages.
  – Use Inline-Java 0.33.
  – Later versions do not support an option used by the NAS API.
Both the JDK release and the Bouncy Castle build pinned here are long out of support; keep any host that still has to run them isolated from untrusted networks.
Testing the API for Perl – Example

    #!/usr/bin/perl
    use strict;
    use TrueControlAPI;

    my $username        = "jb";
    my $password        = "asdf";
    my $TrueControlHost = "localhost";

    # Open an RMI session to the NAS server (port 1099) and run a CLI command.
    true_open($username, $password, "$TrueControlHost:1099");
    my $res       = true_exec("show user -u $username");
    my $resultset = $res->getResultSet();

    # The command returns one row; read its columns by API (schema) column name.
    if ($resultset->next()) {
        print(true_getValue($resultset, "UserID"),         "\n");
        print(true_getValue($resultset, "FirstName"),      "\n");
        print(true_getValue($resultset, "LastName"),       "\n");
        print(true_getValue($resultset, "EmailAddress"),   "\n");
        print(true_getValue($resultset, "CreateDate"),     "\n");
        print(true_getValue($resultset, "PrivilegeLevel"), "\n");
        print(true_getValue($resultset, "AaaUserName"),    "\n");
    }
    true_close();

The credentials above are placeholders. Do not leave real NAS credentials hard-coded in scripts; anyone who can read the script can use the API with that user's permissions.

Installing Java API Packages
Windows installation
– Java Runtime Environment: c:\<install directory>
– NAS Client JAR: <install directory>\client
– Libraries: <install directory>\jre\lib\ext
UNIX installation
– The UNIX installation consists of libraries, archives, configuration files and APIs.
– Library JARs are located in <install directory>/jre/lib/ext.
– The NAS API JAR is located in <install directory>/jre/client/NASclient.jar.
– Configuration files are located in <install directory>/jre.

Testing the API for Java – Example

    package com.rendition.api.examples;

    import com.rendition.api.*;

    class Example0 {
        private static String username = "admin";
        private static String password = "rendition";
        private static String hostname = "localhost";

        public static void main(String args[]) {
            System.out.println("Starting Example0");
            Session session = new Session();
            try {
                // Open an API session, confirm it works, then close it.
                session.open(username, password, hostname);
                System.out.println("Session connectivity verified");
                session.close();
            } catch (RenditionAPIException e) {
                System.err.println(e);
            }
        }
    }

As with the Perl example, replace the placeholder credentials; never compile the administrator password into a class file.
Scripting with the NAS API

Running a Script via the API
• Create and run in one command.
• Can prompt for user input in Perl or Java.
• Specify the mode.
• Specify a single device or groups of devices.
• Set the schedule.

Using the Perl API in Advanced Scripts
• Advanced Scripts can be written in Perl.
• Advanced Scripts can use the Perl API.
• Install the Perl API on the NAS Server host.
  – The server install includes the C:\Rendition\client directory, so there is no need to install the NAS Client.
• Admin Settings > Server > Advanced Scripting
  – Set Path to Interpreter to the location where Perl is installed (typically C:\Perl\bin).

Advanced Script Device Variables
– $tc_device_id$ – The NAS internal device identifier
– $tc_device_hostname$ – The host name of the device
– $tc_device_ip$ – The primary IP address of the device
– $tc_device_desc$ – Device description
– $tc_device_fqdn$ – Device Fully Qualified Domain Name (FQDN)
– $tc_device_vendor$ – Device vendor
– $tc_device_model$ – Device model
– $tc_device_softwareversion$ – Device software version
– $tc_device_type$ – Device type
– $tc_device_serialnumber$ – Device serial number
– $tc_device_assettag$ – Device asset tag field
– $tc_device_location$ – Device location
– $tc_device_lastaccess$ – When NAS last accessed the device
– $tc_device_custom_XXX$ – XXX is the custom field API name
– $tc_device_username$ – User name for regular device access
– $tc_device_password$ – Password for regular device access
Additional Advanced Script Device Variables
– $tc_device_enable_username$ – User name for privileged-mode device access
– $tc_device_enable_password$ – Password for privileged-mode device access
– $tc_device_snmp_ro$ – SNMP read-only community string (password)
– $tc_device_snmp_rw$ – SNMP read-write community string (password)
– $tc_device_port_count$ – Device port count
– $tc_device_port_name_list$ – Device port name list
– $tc_device_port_status_list$ – Device port status list
– $tc_device_port_description_list$ – Device port description list
– $tc_device_port_ip_list$ – The primary IP on each port
– $tc_device_port_ip_mask_list$ – The IP netmasks for the primary IP on each port
– $UserName$ – Opsware Network Automation username of the user who scheduled the script task
– $Password$ – Opsware Network Automation password of that user
The credential variables are substituted into the script text in clear form. Do not echo them, write them to the task output, or pass them on a command line where other users could read them from the process list.

Custom NAS Extensions
A combination of
– Event Rules
– Advanced Scripts
– API
allows a broad range of extensions:
– Remediation on policy failure
– Integration with external systems
– Things we haven't thought of

API Scripting – Details & Examples

Result Object
Contains:
– String ReturnStatus
– Boolean Succeeded
– String Text
– ResultSet ResultSet
– String StackTrace

Return Status
Example values:
– 200 OK: Generic Succeeded
– 503 Operation Failed: Device with Host name 'foo' not found.
Java:
    String status = result.getReturnStatus();
Perl:
    my $status = $result->getReturnStatus();

Succeeded
Example values: True, False
Java:
    if (result.getSucceeded()) { ... }
Perl:
    if ($result->getSucceeded()) { ... }
It is good practice to always check this; it makes your code more robust.
Text (ResultText)
Commands that return text:
– show config
– show diagnostic
– show session
Java:
    String text = result.getText();
Perl:
    my $text = $result->getText();
Not always set: not all commands return text.

ResultSet Manipulation
Commands that return a table in the CLI return a ResultSet in the API.

    ONA>list access -host Fred
    200 OK: Generic Succeeded
    +----+--------------+-------------------------+
    | ID | Display Name | Create Date             |
    +----+--------------+-------------------------+
    | 80 |              | 2004-05-10 14:57:41.207 |
    | 85 |              | 2005-02-23 19:47:16.1   |
    | 90 |              | 2005-04-15 11:06:43.287 |
    | 91 |              | 2005-04-15 11:07:12.81  |
    | 92 |              | 2005-04-15 11:12:52.867 |
    | 95 |              | 2005-04-19 10:20:04.413 |
    +----+--------------+-------------------------+

ResultSet in Java

    import com.rendition.api.*;
    import java.util.Date;
    ...
    Session s = new Session();
    s.open(s_username, s_password);
    Result result = s.exec("show access -host " + host);
    // Check Succeeded before touching the ResultSet (see the Succeeded slide).
    if (result.getSucceeded()) {
        System.out.println("ID\tName\tDate");
        ResultSet rs = result.getResultSet();
        while (rs.next()) {
            int id      = rs.getInt("DeviceAccessLogID");
            String name = rs.getString("DisplayName");
            Date date   = rs.getTimestamp("CreateDate");
            System.out.println("" + id + "\t" + name + "\t" + date);
        }
    }
    s.close();

ResultSet in Perl

    true_open($username, $password, "$TrueControlHost:1099");
    my $result = true_exec("show access -ip $ip");
    print "ID\tName\tDate\n";
    my $rs = $result->getResultSet();
    # Loop rather than a single if: the access log holds one row per session.
    while ($rs->next()) {
        my $id   = true_getValue($rs, "DeviceAccessLogID");
        my $name = true_getValue($rs, "DisplayName");
        my $date = true_getValue($rs, "CreateDate");
        print "$id\t$name\t$date\n";
    }
    true_close();

true_getValue() in Perl
Perl is dynamically typed. You can call $rs->getInt("DeviceID") directly, but that:
– requires more work;
– is error prone: you should add exception handling.

Column Names
• Column names are different in the CLI and the API.
• API column names reflect the SQL schema.
• The schema is documented in the Java API Guide only, so you will need the Java API Guide even if you are only using Perl.

Custom Data
NAS provides custom data fields for the following:
– Device Configuration & Diagnostics
– Devices
– Device Blades/Modules
– Device Interfaces
– Device Groups
– Users
– Tasks
– Telnet/SSH Sessions
You can configure eight fields per object.
– The UI uses the configurable names.
– The API uses the schema column names.

Error Handling in the Perl API

    eval {
        ...   # Code that may generate exceptions
    };
    if ($@) {
        if (caught("com.rendition.api.ResultSetException")) {
            ...
        }
    }

Direct SQL Scripting
Avoid this if at all possible; use it only when something is missing from the API.
You can access the NAS database directly from Perl or Java if you have the database user name and password.
Direct access bypasses the NAS permission model and partitions, and the database credentials then live in your script; protect such scripts as you would the administrator account.

Direct SQL in Perl – Example

    use DBI;

    my $dbhost = "localhost";
    my $dbname = "nas";      # placeholder: the NAS database name (not given on the original slide)
    my $dbuser = "foo";
    my $dbpass = "foo";

    # Double quotes so $dbname and $dbhost are interpolated into the DSN.
    my $conn = DBI->connect("DBI:mysql:$dbname;host=$dbhost", $dbuser, $dbpass)
        or die $DBI::errstr;

    print "User ID\tName\n";
    my $rs = executeSql("select UserID,UserName from RN_USER");
    while (my $row = $rs->fetchrow_hashref()) {
        my $id   = $row->{UserID};
        my $name = $row->{UserName};
        print "$id\t$name\n";
    }
    $rs->finish();
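Direct SQL puts query construction in your hands, and the usual mistake is to build the WHERE clause by string concatenation. The following added example, not Opsware code, uses an in-memory sqlite3 database with a constructed RN_DEVICE_GROUP table (only the two column names from these slides are assumed) as a stand-in for the NAS MySQL schema, and contrasts a concatenated lookup of a device group ID with a parameterised one: the same input that leaks every row from the first version matches nothing in the second, and a legitimate name containing an apostrophe breaks only the first.

```python
"""Direct SQL: concatenated vs parameterised lookup of a device group ID.

Added example, not Opsware code. It uses an in-memory sqlite3 database with a
constructed RN_DEVICE_GROUP table as a stand-in for the NAS MySQL schema
(only the two column names from the slides are assumed)."""
import sqlite3
from typing import Dict, List


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table RN_DEVICE_GROUP "
                 "(DeviceGroupID integer primary key, DeviceGroupName text)")
    conn.executemany("insert into RN_DEVICE_GROUP values (?, ?)",
                     [(1, "Core Routers"), (2, "Branch Switches")])
    return conn


def group_ids_concat(conn: sqlite3.Connection, group: str) -> List[int]:
    """The pattern to avoid: the caller-supplied name becomes part of the SQL
    text, so quotes in it change the statement instead of being data."""
    query = ("select DeviceGroupID from RN_DEVICE_GROUP where DeviceGroupName = '"
             + group + "'")
    return [row[0] for row in conn.execute(query)]


def group_ids_param(conn: sqlite3.Connection, group: str) -> List[int]:
    """Bound parameter: the driver passes the name separately, so it is only
    ever compared, never parsed as SQL."""
    query = "select DeviceGroupID from RN_DEVICE_GROUP where DeviceGroupName = ?"
    return [row[0] for row in conn.execute(query, (group,))]


# A constructed name that turns the WHERE clause into a tautology.
TAUTOLOGY = "nonexistent' or '1'='1"


def demo() -> Dict[str, object]:
    conn = setup_db()
    result: Dict[str, object] = {
        "concat_normal": group_ids_concat(conn, "Core Routers"),
        "param_normal": group_ids_param(conn, "Core Routers"),
        "concat_payload": group_ids_concat(conn, TAUTOLOGY),   # every row leaks
        "param_payload": group_ids_param(conn, TAUTOLOGY),     # nothing matches
    }
    try:
        group_ids_concat(conn, "O'Brien Lab")   # a legitimate apostrophe breaks the query
        result["concat_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        result["concat_apostrophe"] = "syntax error"
    result["param_apostrophe"] = group_ids_param(conn, "O'Brien Lab")
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The same distinction applies to DBI (`$conn->prepare("... = ?")` then `execute($group)`) and to JDBC (`PreparedStatement` with `setString`); the placeholder syntax differs by driver, the principle does not.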
Direct SQL in Perl (cont'd)

    $rs = executeSql("select count(*) from RN_DEVICE");
    my @row = $rs->fetchrow_array;
    my $count = $row[0];
    print "Device count is $count\n";
    $rs->finish();
    $conn->disconnect();
    exit;

    sub executeSql {
        my ($sql) = @_;
        my $query = $conn->prepare($sql) or die $conn->errstr;
        $query->execute() or die $query->errstr;
        return $query;
    }

Direct SQL in Java – Example

    import java.sql.*;
    ...
    Connection conn = null;
    try {
        Class.forName("org.gjt.mm.mysql.Driver");
        String dsn = "jdbc:mysql://" + dbhost + "/" + dbname;
        conn = DriverManager.getConnection(dsn, dbuser, dbpass);
        int groupID = getGroupID(conn, group);
        ...
    } finally {
        close(conn);
    }

Direct SQL in Java (cont'd)
Bind the group name as a query parameter. Concatenating it into the SQL string breaks on names that contain a quote and lets whoever controls the name rewrite the query.

    private int getGroupID(Connection conn, String group) throws SQLException {
        String query = "select DeviceGroupID from RN_DEVICE_GROUP "
                     + "where DeviceGroupName = ?";
        PreparedStatement stmt = conn.prepareStatement(query);
        ResultSet rs = null;
        try {
            stmt.setString(1, group);
            rs = stmt.executeQuery();
            if (!rs.next())
                throw new SQLException("No Device Group named " + group);
            return rs.getInt("DeviceGroupID");
        } finally {
            close(rs);
            close(stmt);
        }
    }

Direct SQL in Java (cont'd)

    private void close(Connection conn) {
        try { if (conn != null) conn.close(); } catch (SQLException ex) { }
    }
    private void close(Statement stmt) {
        try { if (stmt != null) stmt.close(); } catch (SQLException ex) { }
    }
    private void close(ResultSet rs) {
        try { if (rs != null) rs.close(); } catch (SQLException ex) { }
    }

Java Message Service Connector
• Provides a JMS interface to the NAS API.
• A JMS text message contains SOAP (XML) envelopes.
(Diagram.) A data event, such as a syslog message, is passed as a JMS message through the JMS server to the JMS connector, which hands the SOAP/XML payload to Opsware Network Automation.

Using the SOAP Web Services API in Other Programming Languages
• The SOAP API can be used from any language; JMS is not required.
• The following is an example using the SOAP API from a Perl script.
    use SOAP::Lite;

    # The SOAP endpoint. A plain http:// proxy sends the NAS username and
    # password in clear text; use an https:// URL in production.
    my $soap = SOAP::Lite
        -> uri('http://opsware.com/nas/')
        -> readable(1)
        -> proxy('http://jbrennan0:8080/soap/');

    my $name = SOAP::Data->name('{http://opsware.com/nas/}username')->prefix('nas');
    my $pass = SOAP::Data->name('{http://opsware.com/nas/}password')->prefix('nas');
    my $host = SOAP::Data->name('{http://opsware.com/nas/}host')->prefix('nas');

    print $soap
        -> login($name->value("jd"), $pass->value("asdf"), $host->value("localhost:1099"))
        -> result;

Module Summary
In this module, you learned to:
• Explain the NAS API architecture.
• Understand the structure of the APIs.
• Create simple Java or Perl code based on the NAS API.
• Understand how to use the Web Services API (WSAPI) with NAS.

Opsware Network Automation System
Module 6: Managing Server Health

Module Objectives
At the conclusion of this module, you should be able to:
• Check the server status with the built-in NAS monitoring tools.
• Explain data pruning tasks.
• Configure and use Event Notification & Response Rules.

Server Monitoring Overview
Why monitor the server? To avoid:
– Error messages
– Poor performance
How do you monitor server health?
– Opsware NAS tools
– Other available system monitoring tools

Default Server Monitoring Settings
The following monitors are enabled by default:
– ConfigMonitor
– DatabaseDataMonitor
– DatabaseMonitor
– DiskMonitor
– HTTPMonitor
– LDAPMonitor
– MemoryMonitor
– RMIMonitor
– RunExternalTaskMonitor
– SMTPMonitor
– SSHMonitor
– SyslogMonitor
– TelnetMonitor
– TFTPMonitor

Configuring the Server for Monitoring
• Admin > Administrative Settings > Server Monitoring
• Verify the Enable Server Monitoring state.
• Verify the delay values, including Delay Between Monitoring Runs.
• Verify the other parameters.

Viewing System Status

Viewing System Detail Status – Examples
Server Configuration; Database Configuration.

Viewing System Detail Status – Examples (cont'd)
Memory: the memory and disk monitor tasks provide detailed status reports on the available system memory and disk space respectively.

Disk Data Pruning Overview
• Configured by the system administrator.
• Pruning removes obsolete configuration files, except:
  – the only configuration a device has
  – current configurations
  – configurations scheduled for deployment
• Pruning also removes other obsolete data.

Configuring Database Pruning
Data types that can be pruned:
– Configurations
– Diagnostics
– Events
– Tasks
– Sessions
– Log files
– Topology data
– Diagram files
Prune events, sessions and log files only after they have been exported to whatever system you rely on for audit and investigation; once pruned they are gone from NAS.

Running Data Pruning – Example

Review Questions
1. List four of the server monitoring tools.
2. Why would you monitor server health?
3. List two of the functions of data pruning.

Review Questions – Answers
1. For example: DiskMonitor, LDAPMonitor, MemoryMonitor, HTTPMonitor.
2. To minimize error messages and to avoid poor performance.
3.
List two of the functions of data pruning: it removes obsolete configuration files, and it removes obsolete events.

Event Notification and Response Rules

Event Notification Overview
• Several operations in Opsware NAS generate events. Example event types:
  – Device access failure
  – User login
• Events are stored in the database.
• Event rules can trigger other events or tasks.
• Event rules trigger on:
  – Event type (one or more per event rule)
  – Time window (e.g. 9 a.m. to 5 p.m.)
  – Device groups

Configuring Event Notification
• Over 16 pre-packaged notification rules.
• Inactive rules are marked with a # sign.
• Edit or delete rules according to your requirements.

Creating an Event Notification & Response Rule

Editing a Response Rule – Example

Review Questions
1. Which of the following is not true for event rules?
   A. Event rules trigger on event type.
   B. Event rules trigger on device groups.
   C. Event rules trigger on time windows.
   D. Event rules trigger on task name.
2. Which of the following is not an event type?
   A. User Name
   B. User Deleted
   C. User Login
   D. User Message

Review Questions – Answers
1. D. Event rules trigger on event type, device group and time window, not on task name.
2. A. "User Name" is a user attribute, not an event type.
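The overview above gives the three things an event rule triggers on (event type, time window, device group) and notes that inactive rules are marked with a # sign. The following added example, not Opsware code, implements that matching so the edge cases are visible: a window such as 17:00 to 09:00 wraps midnight, a user event carries no device group, and a rule whose name starts with # never fires. Rules, events and actions are constructed for the example.

```python
"""Event rule matching on event type, time window and device group.

Added example, not Opsware code: the rule fields mirror the three triggers on
these slides, the "#" prefix marks a rule inactive as the slides describe, and
all rules, events and actions are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Event:
    event_type: str
    when: datetime
    device_group: Optional[str] = None   # user events such as "User Login" have no device
    detail: str = ""


@dataclass(frozen=True)
class EventRule:
    name: str
    event_types: FrozenSet[str]
    window_start: time
    window_end: time
    device_groups: FrozenSet[str] = frozenset()   # empty: any group, or no device at all
    action: str = "e-mail"

    @property
    def active(self) -> bool:
        return not self.name.startswith("#")


def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive start, exclusive end. A window with start > end wraps
    midnight, so 17:00-09:00 means 'outside business hours'."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def matching_rules(rules: List[EventRule], event: Event) -> List[EventRule]:
    hits = []
    for rule in rules:
        if not rule.active:
            continue
        if event.event_type not in rule.event_types:
            continue
        if not in_window(event.when.time(), rule.window_start, rule.window_end):
            continue
        if rule.device_groups and event.device_group not in rule.device_groups:
            continue
        hits.append(rule)
    return hits


def actions_for(rules: List[EventRule], event: Event) -> List[str]:
    """The responses a rule engine would fire for this event, in rule order."""
    return [f"{r.action} ({r.name})" for r in matching_rules(rules, event)]


ALL_DAY = (time(0, 0), time(23, 59, 59))

RULES = [
    EventRule("after-hours access failure", frozenset({"Device Access Failure"}),
              time(17, 0), time(9, 0), action="page on-call"),
    EventRule("datacenter access failure", frozenset({"Device Access Failure"}),
              *ALL_DAY, frozenset({"Datacenter"}), action="e-mail NOC"),
    EventRule("#user login (disabled)", frozenset({"User Login"}),
              *ALL_DAY, action="e-mail security"),
]

# Constructed events.
EVENTS = [
    Event("Device Access Failure", datetime(2007, 6, 1, 2, 15), "Datacenter", "dc-core-1 auth failed"),
    Event("Device Access Failure", datetime(2007, 6, 1, 11, 30), "Branch", "br-sw-7 timeout"),
    Event("User Login", datetime(2007, 6, 1, 11, 31), None, "tim"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.event_type, ev.when.time(), ev.device_group, "->", actions_for(RULES, ev))
```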
Module Summary
In this module, you learned how to:
• Check server status with the following Opsware NAS tools:
  – E-mail notification
  – Configuration monitoring
  – Database data monitoring
  – Disk monitoring
  – HTTP monitoring
  – LDAP monitoring
  – Memory monitoring
• Explain data pruning tasks.
• Configure and use Event Notification Rules.

Lab Exercise
Managing Event Notification and Response Rules

Opsware Network Automation System
Module 7: Administrative Settings

Module Objectives
At the conclusion of this module, you should be able to:
• Explain the NAS server administrative settings.
• Properly configure and manage the NAS server administrative settings.

Administrative Settings Overview
– Configuration Management
– Device Access
– Server
– Workflow
– User Interface
– Telnet/SSH
– Reporting
– External Authentication
– Server Monitoring

Configuration Management – Change Detection Settings
Configuration Management – Change User Identification Settings
Configuration Management – Startup/Running, ACLs, and Policy Settings
Configuration Management – Pre & Post Task Snapshots
Configuration Management – Diagnostics, Flash Storage, Boot Detection
Device Access – Device Connection Methods
Device Access – Detect Network and Bastion Host Settings
Device Access – SecurID and Task Credentials Settings
Device Access – Nortel Discovery and Gateway Mesh Settings
Server Settings – TFTP & E-mail, Tasks, and Syslog
Server Settings – Device Import & IP Reassignment
Server Settings – DNS Resolution, Auditing, DB Pruning
  Other settings include: Advanced Scripting, Event Filtering
Workflow Settings
User Interface Settings – Security, Date Display, and Menu Customization
User Interface Settings – Config Comparison, Software Center, Templates and Script Window Settings
User Interface Settings – Device Selector & Misc.
Telnet/SSH Settings
Telnet/SSH Settings – Device SSO, Telnet Client & Server
Telnet/SSH Settings – SSH Settings
Reporting Settings
Reporting Settings (cont'd)
Reporting Settings – Single View, Diagramming, and Other Reporting Settings (slide 202)

User Authentication Settings (slide 203)

User Authentication Settings – cont'd (slide 204)

Server Monitoring Settings (slide 205)

Starting and Stopping System Events (slide 206)
The NAS system start/stop services consist of:
• A Management Engine
• A TFTP Server
• A Syslog Server
• Content (Drivers, Content)

Review Questions (slide 207)
1. List five of the Opsware NAS administrative settings.

Review Questions – Answers (slide 208)
1. List five of the Opsware NAS administrative settings.
   – Configuration Management
   – Device Access
   – Server
   – Workflow
   – User Interface
   – Telnet/SSH
   – Reporting
   – External Authentication
   – Server Monitoring

Module Summary (slide 209)
In this module, you learned how to:
– Configure the NAS server for operations.

Opsware Network Automation System
Module 8: Administrative Troubleshooting

Module Objectives (slide 211)
At the conclusion of this module, you should be able to:
– Identify NAS-related problems.
– Diagnose NAS-related problems.
– Isolate NAS-related problems.
– Resolve NAS-related problems.
– Locate additional references and support materials
  – Contacting Opsware Support
  – Reporting a problem
  – Knowledge Base
  – Class registration
  – Documentation
  – The Opsware Network (TON)
Steps for Reporting Problems to Support (slide 212)
– Specify the location of the log file, if appropriate.
– Specify the hardware and OS platform.
– Provide a detailed description of the problem (exact error message).
– Include customer contact information.
– Capture a trace (if requested).

Categories of NAS Problems (slide 213)
– Operating system problems
  – Solaris
  – Windows
– NAS-specific problems
  – Installation
  – Operation (device not found, access denied, invalid user name, and so on)
– Network device problems
  – Misconfigured devices
  – Bad interfaces
  – Incorrect version of OS, firmware, and so on

General Installation Problems (all platforms) (slide 214)
– Verify all the prerequisites
– Problems during Setup program execution
  – Bound port issues (80, 443, 1099, etc.)
  – Not enough disk space

General Installation Problems (cont'd) (slide 215)
Database issues during install:
– Can you telnet to the database IP address & port number?
– Can you connect to the database using the root username & password?
– Can the root / SA account create new databases in the server?
– Is the database server set up correctly?

Installation on Solaris & Linux (slide 216)
– Verify all the prerequisites
– Issues during Setup program launch
  – "There is not enough space to install, please choose another directory"
  – No X-Windows specified
– Problems during Setup program execution

X Window example (slide 217)

Installation on Windows (slide 218)
– Verify all the prerequisites
– Issues during Setup program launch
– Problems during Setup program execution
– Close the loop to ensure successful install
Install Failure Logs (slide 219)
– Check /Rendition/Opsware_Network_Automation_InstallLog.log for Fatal errors
– Reference Fatal errors in the 2nd log file located in /Rendition/Server/log
– Determine the problem and reinstall both application and database (if MySQL)

Login Problems (slide 220)
– The Opsware Network Automation system's web login screen won't load
  – Check the TrueControl Management Service
– License and Password Errors
– I get a Server Error when I try to log in

Configure Logging Level (slide 221)

Debug Level (slide 222)
– 99 – Fatal
– 75 – Server Error (default)
– 50 – Warning
– 25 – Info
– 10 – Debug
– 0 – Trace

logging.rcx file (slide 223)
Logging is controlled by the config file <installdir>/jre/logging.rcx
A pair of options for each area of functionality. For example:

    <option name="log/DataConnection">System.out</option>
    <option name="log/DataConnection/level">0</option>
    <option name="log/Discover">System.out</option>
    <option name="log/Discover/level">0</option>

Archive Log Files (slide 224)
<Installdir>\server\ext\jboss\server\default\log\server.log
Logfile rollover:
– Size based
– Time based – edit <installdir>\server\ext\jboss\server\default\conf\log4j.xml
Change the following, from:

    <!-- Rollover at midnight each day -->
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <!-- Rollover at the top of each hour
    <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>
    -->

to:

    <!-- Rollover at midnight each day
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    -->
    <!-- Rollover at the top of each hour -->
    <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>

In Admin Settings, click Save to reload the new settings.
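As an added example (not from the Opsware course material), the script below parses logging.rcx-style option pairs like the ones shown on the logging.rcx slide into per-area levels, names them using the Debug Level scale (99 Fatal down to 0 Trace, default 75), flags areas still turned up below the default so they can be put back after troubleshooting, and rewrites one area's level. The sample file content and the area names other than DataConnection and Discover are constructed for the example.

```python
import re

# Numeric levels as listed on the Debug Level slide; 75 (Server Error) is the default.
LEVEL_NAMES = {99: "Fatal", 75: "Server Error", 50: "Warning", 25: "Info", 10: "Debug", 0: "Trace"}
DEFAULT_LEVEL = 75

# Constructed sample in the shape the slide shows: a target option and a level option per area.
SAMPLE_RCX = """
<option name="log/DataConnection">System.out</option>
<option name="log/DataConnection/level">0</option>
<option name="log/Discover">System.out</option>
<option name="log/Discover/level">0</option>
<option name="log/Syslog">System.out</option>
<option name="log/Syslog/level">75</option>
"""

# Matches either member of a pair: log/<Area> (target) or log/<Area>/level (numeric level).
OPTION_RE = re.compile(r'<option name="log/([^"/]+)(/level)?">\s*([^<]*?)\s*</option>')


def parse_rcx(text):
    """Return {area: {"target": str|None, "level": int}} from logging.rcx option pairs."""
    areas = {}
    for area, is_level, value in OPTION_RE.findall(text):
        entry = areas.setdefault(area, {"target": None, "level": DEFAULT_LEVEL})
        if is_level:
            entry["level"] = int(value)
        else:
            entry["target"] = value
    return areas


def level_name(level):
    """Map a numeric level to its name from the Debug Level slide, or 'Unknown'."""
    return LEVEL_NAMES.get(level, "Unknown")


def turned_up_areas(areas):
    """Areas logging more verbosely than the default, e.g. left at Trace after troubleshooting."""
    return sorted(a for a, e in areas.items() if e["level"] < DEFAULT_LEVEL)


def set_level(text, area, level):
    """Rewrite the level option for one area (appending it if absent) and return the new text."""
    if level not in LEVEL_NAMES:
        raise ValueError(f"unknown level {level}")
    pattern = re.compile(rf'(<option name="log/{re.escape(area)}/level">)\s*\d+\s*(</option>)')
    new_text, count = pattern.subn(rf'\g<1>{level}\g<2>', text)
    if count == 0:
        new_text = text.rstrip("\n") + f'\n<option name="log/{area}/level">{level}</option>\n'
    return new_text
```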
Sending Log Files (slide 225)
Admin > Troubleshooting > Send Troubleshooting Info

Reading the Server.log File (slide 226)
– Make sure the correct logs are turned up (troubleshooting).
– Server.log is located in <rendition dir>/server/ext/jboss/server/default/log
– Key areas to focus on
– Using a utility to help view the log

Loading Devices (slide 227)
Installation succeeded and ready to load devices. Set yourself up for success:
1. Turn up discovery & dataconnection logs
2. Test that send troubleshooting email works
3. Disable notification for initial configuration to prevent email floods.

Notification Failures (slide 228)
Problem
– Unable to send e-mail notification, syslog, or SNMP alerts.
Symptom
– No event notification messages or ability to send e-mail.
Recommended actions
– Run the SMTP monitor and get results.
– Send a test e-mail to admin.
– Set the event and debug log to debug and rerun the task.

Additional Resources and Information (slide 229)
Contacting Opsware Support
– www.opsware.com
– Reporting a problem
– Knowledge Base
– Registering for a class

NAS Documentation online (slide 230)

Using The Opsware Network (TON) (slide 231)

The NAS TON Solutions (slide 232)
The NAS TON Solutions include:
– SNMP Extensions
– Interface Manager (CatOS)
– Dynamic Groups Rev 1&2
– Interface Manager (IOS)
– Historical Alerts
– Syntax Checker (IOS)
– Advanced Script Boiler Plate (IOS)
The NAS TON Extensions (slide 233)
The NAS TON Extensions include:
– Security Alert Service
– Before & After Report
– Field Extensions Pack
– PDF Reports

The NAS TON Integrations (slide 234)
The NAS TON Integrations include:
– Checkpoint HTML Viewer

Review Questions (slide 235)
1. What 2 levels of logging are most useful for troubleshooting device discovery and snapshots?
2. What steps would you take to check access permission?
3. What is the location of the jboss_wrapper.log?
4. What steps would you take to change the logging level?
5. How would you test to see if NAS can send out emails?
6. What are the three major components of TON?

Review Questions – Answers (slide 236)
1. What 2 levels of logging are most useful for troubleshooting device discovery and snapshots?
   1. Discover
   2. DataConnection
2. What steps would you take to check access permission?
   1. Check for the legal username.
   2. Check for the password.
   3. Other steps
3. What is the location of the jboss_wrapper.log?
   1. /Rendition/server/log
4. What steps would you take to change the logging level?
   1. Admin -> Troubleshooting. Select the option you want and select the logging level from the drop-down menu.
5. How would you test to see if NAS can send out emails?
   1. From Admin -> Troubleshooting, in the upper right hand corner, click on the "Send Test Email to Admin User" link.
6. What are the three major components of TON?
   1. Solutions
   2. Extensions
   3. Integrations

Module Summary (slide 237)
In this module, you learned to:
– Identify NAS-related problems.
– Diagnose NAS-related problems.
– Isolate NAS-related problems.
– Resolve NAS-related problems.
– Locate additional references and support materials
  – Contacting Opsware Support
  – Reporting a problem
  – Knowledge Base
  – Class registration
  – Documentation
  – The Opsware Network (TON)