SevOne NMS Implementation Guide

Multi-Peer Implementations

The Cluster Manager provides an Integration tab to enable you to build your cluster and to add new appliances as peers into an existing cluster. Please refer to section Build Your SevOne NMS Cluster below for details.

Change Password

1. In the Old Password field, enter your current password.

2. In the New Password field, enter your new password.

3. In the Confirm Password field, enter your new password a second time.

User Settings

1. In the Given name field, enter the name to display next to the word Welcome on the Welcome Dashboard.

2. In the Surname field, enter the surname to appear next to the given name on the navigation bar.

3. In the Email Address field, enter the email address to which SevOne NMS sends you alerts and reports.

4. Select the Admin notifications check box to subscribe to email receipt of Admin Notifications.

User Time

1. Click the Date Format drop-down and select the date format to use by default.

2. Click the Time Zone drop-down and select a time zone. This is the time zone that appears as the default for the graphs and reports you create. If a time zone does not appear in the list, you can add time zones on the Cluster Manager > Cluster Settings tab.

3. Select the Startup Check check box if you want SevOne NMS to verify that the time zone for the application is the same as the time zone for the browser.

4. Click the Week starts on drop-down and select the start day of the week. Options are Saturday, Sunday, Monday, or Default to Cluster Settings (where it picks the day set in Cluster Manager > Cluster Settings > General subtab).

   The value set in Cluster Manager > Cluster Settings > General > Week starts on field overwrites any user specified setting when reports are mailed. For example,
   Cluster Manager > Cluster Settings > General > Week starts on is set to Sunday .
   Administration > My Preferences > Week starts on is set to Monday .
   When reports are mailed, it will choose the day set in Cluster Manager (Sunday as shown in this example) as the week's start day.

Localization

1. Click the Language drop-down and select a language. This option appears when you select the Enable Localization check box on the Cluster Manager > Cluster Settings > General subtab. Localization is a work in progress beta feature.

2. Click Save.

Welcome

The Welcome page on the Startup Wizard provides a link to howto.sevone.com which is a great source to help you get started.

Scan Subnets

The Scan Subnets wizard page enables you to create IP address ranges to scan your network for items that can be pinged.

Each IP address range assigns devices to the peer on which you are logged on, creates devices, checks SNMP, and groups devices into a device group with the name you give to the IP address range. All subnets are scanned one time upon click of the Finish button. The entries you make on this wizard page are duplicated on the Discovery Manager Watched Subnets tab. The Device Manager displays the devices from which data is polled.

1. Click Add Subnet to add a row to the list.

2. In the Subnet Name field, enter the name of the subnet block.

3. In the Start IP Address field, enter the low end of the IP address range.

4. In the End IP Address field, enter the high end of the IP address range.

5. Click Update to add the subnet to the list to watch.

6. Repeat the previous steps to create additional subnets.

7. Click Next.

Technologies

When you enable devices to send data to SevOne NMS, default settings enable you to monitor the many technologies on the devices you add to SevOne NMS. SNMP and VMware require you to enter some information about your network and the Technologies wizard page enables you to get started.

Discovery

The Discovery wizard page enables you to set the time for SevOne NMS to perform the daily Automatic Discovery process and to define the email server that SevOne NMS uses to email reports and alerts.

Discovery is the process to query and update information about the devices that are in SevOne NMS. Device discovery creates new objects in SevOne NMS, updates existing objects, and ultimately deactivates and deletes unused objects.

• Manual Discovery - The Manual Device discovery process runs every two minutes to scan the devices in SevOne NMS that you mark for discovery

• Automatic Discovery - The Automatic Discovery process tests the various plugins/technologies you configure for each device and updates the device's current state.

You define the Automatic Discovery time for each peer in the cluster on the Cluster Manager > Peer Settings tab.

1. Click the Run the Automatic Discovery daily at drop-down and select the time to run the Automatic Discovery process.

2. Click the second drop-down and select the time zone.

User Access

The User Access page enables you to add users who are to be members of the Administrators user role. You must define the email server before you can add Administrator role users. You add all other users with any other user role on the User Role Manager.

Each user can update their user settings, except username, on the Preferences page.

1. Click Add User to add a row to the list.

2. In the Username field, enter the name for the user to enter into the Username field on the Login page. After you save the user information, you cannot edit the Username.

3. In the Given Name field, enter the given name to display.

4. In the Surname field, enter the surname to display.

5. In the Email Address field, enter the email address where you want SevOne NMS to send emails to the user.

6. Click Update to save the user credentials. SevOne NMS sends an email to the user with the user's log on credentials.

7. Click Finish to start the scan of any subnets you define on the Scan Subnets wizard page and to display the Setup is Complete wizard page.

Setup is Complete

The Setup is Complete wizard page provides links to additional workflows to help you get started.

• Click Create Device Groups to navigate to the Device Groups page where you segment the devices in your network for user access, reports, and alerts.

• Click Manage User Access & Authentication to navigate to the User Manager page where you manage user information, credentials, and user role assignments.

• Click Create & View Reports to navigate to the Report Manager page that provides access to the workflows that enable you to combine and customize several graphs, tables, and other individual reports into a single easy to retrieve report.

Click Monitor Discovery Process to navigate to the Welcome Dashboard.

Hot Standby Appliance

When you add the vPAS as a Hot Standby Appliance (HSA) you must contact SevOne Support via phone or go to IBM SevOne Support customer portal to ensure that the Hot Standby Appliance is appropriately implemented.

New Appliance/vPAS to Add a Peer to an Existing Cluster

When you receive a new appliance/vPAS that you want to add to an existing cluster, perform the following steps. The SevOne NMS Cluster Manager > Integration tab enable you to add this appliance as a new peer to your SevOne cluster.

• All data on this peer/appliance will be deleted.

• You need to know the name of this peer (appears in the cluster hierarchy on the left side of the SevOne NMS Cluster Manager). The peer name is defined when you perform the steps in the SevOne NMS Installation Guide and you can change the peer name from the peer level on the Cluster Manager.

• You need to know the IP address of this appliance (appears in the cluster hierarchy on the left side of the SevOne NMS Cluster Manager). You define the IP address when you perform the steps in the SevOne NMS Installation Guide.

• You need to know the temporary integration password of the peer/appliance (appears besides the countdown timer). For example, Your appliance is currently in INCORPORATE mode. Your temporary password is 0fdf318beaed7e6e. You have 9:23 remaining until incorporate mode is turned off.

• You need to be able to access the Cluster Manager on a peer that is already in the cluster to which you intend to add this appliance.

• If you do not complete the steps within ten minutes, you must start again at step 2. Click Allow Peering … to queue this peer/appliance for peering within the following ten minutes.

Perform the following steps to add this appliance to an existing SevOne cluster.

1. SevOne NMS: From the Startup Wizard on the new appliance, select the Add this appliance to an existing SevOne NMS Cluster option and click Next to access the Cluster Manager > Integration tab.

2. Click Allow Peering on the new appliance.

3. SevOne NMS: Log on to a peer that already exists in the destination SevOne NMS cluster.

4. SevOne NMS: Click the Administration menu, select Cluster Manager, and then select the Peers tab.
   SevOne NMS: Click Settings and select Cluster Management.

5. Click Add Peer to display a pop-up.

6. Enter the Peer Name, IP Address, and temporary integration password of the new peer/appliance.

7. On the pop-up, click Add Peer.

   • All data on the peer/appliance you are adding is deleted.

   • Do not do anything on the peer you are adding until a Success message appears on the peer on which you click Add Peer.

   • You can continue working and performing business as usual on all peers that are already in the cluster.

   • The new peer appears on the Peers tab in the destination cluster with a status message. Click Refresh to update the status.

   • The new peer appears in the cluster hierarchy on the left.

8. After the Success message appears on the peer in the destination cluster, you can go to the peer you just added and the entire cluster hierarchy to which you added the peer should appear on the left.

9. SevOne NMS: You can use the Device Mover to move devices to the new peer.

If the integration fails, Click View Failed Logs on the SevOne NMS Peers tab on the peer that is in the destination cluster to display a log of the integration messages.

Click Clear Failed to remove failed attempts from the list. Failed attempts are not automatically removed from the list which enables you to navigate away from the Peers tab during the integration.

New Appliances in a New Multi Peer SevOne NMS Implementation

When you receive multiple PAS appliances/vPASs and you plan to create a brand new SevOne NMS cluster, there are two approaches.

Cluster Manager, Appliance Level, Appliance Settings For Common Criteria

The Cluster Manager enables you to implement Common Criteria mode for a single peer SevOne NMS implementation. Perform the following steps to enable the appliance to meet Common Criteria security standards.

1. Log on to SevOne NMS via HTTPS.

2. Click the Administration menu and select Cluster Manager to display the Cluster Manager.

3. In the cluster hierarchy, click next to a peer then click <appliance IP address> to display the appliance level information on the Appliance Overview tab.

4. Select the Appliance Settings tab.

5. Select the Enable Common Criteria check box.

6. Click Save to display a confirmation message pop-up.

7. Click OK on the pop-up to display another confirmation pop-up that informs you that a restart is required to enable Common Criteria mode.

8. Click OK on the second confirmation pop-up to start the Common Criteria enable process and to restart the appliance. If you click Cancel, the common Criteria enable process starts but remains incomplete until after the appliance is restarted.

9. Watch the status messages as the system checks and adjusts settings to meet Common Criteria standards. The page displays green check marks to display the status of the Common Criteria mode success.

   If you did not click OK to restart the appliance, you must restart the appliance before the Common Criteria mode is enabled.

10. Click Save. A Date and Time subtab appears to enable you to define the appliance system date and time for Common Criteria.

11. Select the Date and Time subtab.

12. In the Date and Time field, enter the system time for the appliance.

13. Click Save to save the Date and Time settings.

Other Common Criteria Considerations

The Cluster Manager at the cluster level provides security settings that enforce password standards. On the Cluster Settings tab, the Security subtab enables you to define security settings.

1. In the Inactivity Timeout field, enter the number of minutes a user can remain inactive before SevOne NMS automatically logs the user out of the application (between 5 and 86400). The default is 30. You can override this setting for each individual user from the User Manager.

2. Select the Enable Hard Timeout check box to enable hard timeout for all users in the cluster with the exception of the admin user. Enable the check box to allow you to enter the number of minutes in Hard Timeout field the user can remain alive before SevOne NMS automatically logs them out of the application. The default value is 30 minutes. Hard Timeout field can range between 5 minute to 86400 minutes (60 days).

3. In the Minimum Password Length field, enter the number of characters users must have in their password (between 0 and 99). The default is 0. Enter 0 (zero) to disable this feature.

4. In the Enforce Password History field, enter the number of password changes a user must make before they can repeat a password (between 0 and 999). The default is 0.

5. In the Minimum Password Age field enter the number of days a user must wait between password changes (between 0 and 999). The default is 0. This feature prevents users from circumventing Password History enforcement. Enter 0 (zero) to disable this feature.

6. In the Password Change Notification field, enter the number of days to wait after a password change before a user receives a password change notification (between 0 and 999). The default is 0. Enter 0 (zero) to disable this feature.

7. In the Maximum Password Age field, enter the number of days a user account can remain enabled before the user must change their password (between 0 and 999). The default is 0. Enter 0 (zero) to disable this feature.

8. Select the Mask Read Community String check box to mask Read Community Strings on user interfaces. Write Community Strings are masked by default.

9. Select the Require Strong Passwords check box to enforce the complexity of user passwords. If you select this check box, passwords must contain at least one special character !@#$%^&*=+_?<>/~()-[{]}|\;:", and at least two of the following three types of characters: lowercase letters, UPPERCASE letters, and numbers. In addition, passwords cannot contain more than two of a given type of character in succession (upper and lowercase letters count as the same type). An example of a valid password: 8s0h43o@7!o&p3. If your current password does not meet this requirement, you will be forced to change the password at the next log on.

10. Select the Require Strong Passwords for mysql users check box to enforce the complexity of MySQL user passwords. If you select this check box, minimum length of the MySQL password must be at least 14 symbols long, contain at least one special character +-_@[]:,.%, at least one number, at least one UPPERCASE letter, and at least one lowercase letter. The valid characters are a-z, A-Z, 0-9, +-_@[]:,.%. The invalid characters are *$!#^;&. An example of a valid password: 8s0H43o@7]o%p3. Current MySQL passwords that do not meet this requirement will be changed to a random, compliant password.

    By selecting the check box, the following warning message will appear. Please read the warning message and proceed with caution.
    

    Select No to make no changes.

    Select Yes will require a restart of the MySQL database and services of each peer. Click on Save button to apply the changes. This action may result in you intermittently losing access to SevOne NMS User Interface as the MySQL services are being restarted. Depending on the cluster and load per appliance, times will vary.

    Log in to the SevOne NMS via the Command Line Interface (CLI) as user root to check the progress of the restart of mysqld services. Execute the command below.

    Check mysqld services restart progress

    $ SevOne-peer-do "supervisorctl status mysqld mysqld2"

    Example: View status of MySQL services

    $ SevOne-peer-do "supervisorctl status mysqld mysqld2"
    --- Gathering peer list...
    --- Running command on 10.168.116.40...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 14358, uptime 0:00:12
    mysqld2 STARTING
    Connection to 10.168.116.40 closed.
    [ OKAY ]
    --- Running command on 10.168.117.67...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 5043, uptime 1:21:47
    mysqld2 RUNNING pid 5085, uptime 1:21:36
    Connection to 10.168.117.67 closed.
    [ OKAY ]
    --- Running command on 10.168.118.17...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 17089, uptime 1:20:49
    mysqld2 RUNNING pid 17206, uptime 1:20:35
    Connection to 10.168.118.17 closed.
    [ OKAY ]
    --- Running command on 10.168.117.30...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 16234, uptime 1:19:51
    mysqld2 RUNNING pid 16355, uptime 1:19:36
    Connection to 10.168.117.30 closed.
    [ OKAY ]

    The processes are seen in transition between RUNNING and STARTING but you have to wait until all the peers have the mysqld and mysqld2 services in RUNNING state and the uptime is seen as close to the current time. The ones highlighted in red have still not restarted and are yet to be processed - the process is performed one peer at a time.

    Example: Completion of MySQL services after restart on all appliances

    $ SevOne-peer-do "supervisorctl status mysqld mysqld2"
    --- Gathering peer list...
    --- Running command on 10.168.116.40...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 14731, uptime 0:04:35
    mysqld2 RUNNING pid 14873, uptime 0:04:13
    Connection to 10.168.116.40 closed.
    [ OKAY ]
    --- Running command on 10.168.117.67...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 22565, uptime 0:02:58
    mysqld2 RUNNING pid 22800, uptime 0:02:43
    Connection to 10.168.117.67 closed.
    [ OKAY ]
    --- Running command on 10.168.118.17...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 9207, uptime 0:01:54
    mysqld2 RUNNING pid 9267, uptime 0:01:33
    Connection to 10.168.118.17 closed.
    [ OKAY ]
    --- Running command on 10.168.117.30...
    Authorized uses only. All activity may be monitored and reported.
    mysqld RUNNING pid 7949, uptime 0:00:38
    mysqld2 RUNNING pid 7996, uptime 0:00:23
    Connection to 10.168.117.30 closed.
    [ OKAY ]

    This indicates that the setting for Require Strong Passwords for mysql users is now enabled.

    If the password was not already set for the MySQL user, or if the existing password did not meet the secure complexity requirements, then SevOne NMS will automatically set a password that meets these requirements, but the actual password may not be known to the user. In such cases, you can optionally change the password and meet the complexity requirements. Please refer to SevOne Data Platform Security Guide, section Change MySQL User Credentials for details on how to change the MySQL user credentials.

11. Select the Allow Forcelogin check box to enable SevOne NMS integration with other software applications via the Forcelogin script.

12. Select the Force Same Origin Policy check box to prevent SevOne NMS from being loaded outside of the current domain. This includes portals and the use of the force login script to load SevOne NMS into an iframe from where a malicious user could log a user's activity. Note: If you clear this check box, the application security is lowered in a way that can prevent SevOne NMS from passing specific security scans.

13. Select the Rest API Validate Certificates check box to enforce REST API to validate the certificates of the other appliances when calling their REST API services.

14. Select the Require HTTPS check box to require a secure connection for all dynamic content. You must log on via HTTPS to enable this check box.

15. Select the Allow insecure code in Simple attachment check box for SevOne NMS administrators to allow/disallow usage of custom code in the Simple attachments.

16. Enable render graph security option, when unchecked, allows the administrator to share the exact URL (for example, http://<SevOne NMS IP address>/doms/graphs/renderGraph.php?is[]=1%3A7983%3A471642%3A834&timespan=Today) of the report with a user who has more restrictive (reduced) permissions. The user can enter the exact URL in the browser to view the entire contents of the report. However, for security reasons, it is highly recommended that this option is always checked to prevent users with more restrictive (reduced) permissions from crafting the URL to view a report.

17. In the Account Lockout section:

    1. In the Disable Inactive Users field, enter the number of days a user can go without logging on before their account is disabled (between 0 and 999). The default is 0. Enter 0 (zero) to disable this feature, so that inactive users will never be disabled.

       Note: This setting does not affect the Guest users you define on the Authentication Settings page for LDAP, TACACS, and RADIUS; nor does it affect the “admin” user.

    2. In the Threshold field, enter the number of incorrect log on attempts a user can make (within the Counter Reset time span) before the account is locked. Enter 0 (zero) to disable this feature. Note: When you set this to anything other than 0 (zero), log on becomes dependent upon validation from the cluster leader peer. If the cluster leader peer is not accessible from a peer on which a user attempts to log on, access to the application will not be available. The minimum value is 0 attempts and the maximum value is 99999 attempts.

    3. If you enter a number in the Threshold field, in the Counter Reset field, enter the number of minutes during which the user enters an incorrect user name and password combination before the account is locked. Set this to 0 (zero) to disable this feature. Example: Enter 3 as the Threshold and 2 as the Counter Reset. If the user incorrectly enters their user name and password combination three times in a two minute time span, the account is locked for the number of minutes you enter in the Duration field. The minimum value is 0 minutes and the maximum value is 99999 minutes.

    4. If you enter a number in the Threshold field, in the Duration field, enter the number of minutes for the account to be locked after the Threshold/Counter Reset combination is exceeded (between 0 - minimum value and 99999 - maximum value). The default is 0.

18. Click Save to save the Security settings.