IBM Network Performance Insight 1.1.1 Document Revision R2E1 Configuring Network Performance Insight IBM
Note Before you use this information and the product it supports, read the information in Notices on page 43. This edition applies to version _1_, release _1_, modification _1_ of _IBM Network Performance Insight and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation 2015, 2016. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents Configuring Network Performance Insight............... v Intended audience............ v Organization.............. v Network Performance Insight overview..... v Service Management Connect........ vii Network Performance Insight technical training.. vii Support information........... vii Conventions used in this publication..... viii Typeface conventions.......... viii Chapter 1. Introduction........ 1 Chapter 2. Configure npi.conf file settings............... 3 Editing default settings in a configuration file... 3 Controlling Network Performance Insight system 5 Configuring the Network Performance Insight for communicating with Jazz for Service Management.. 6 Configuring NCIM database connectivity..... 8 Configuring the OMNIbus Standard Input probe to work with Network Performance Insight.... 10 Chapter 3. Configure Jazz for Service Management portal......... 13 Logging in to the Dashboard Application Services Hub portal.............. 13 Starting Jazz for Service Management application servers............... 14 Stopping Jazz for Service Management application servers........... 14 Common directory locations for Jazz for Service Management............. 15 Groups and users............ 18 Creating users and groups in a repository... 18 Granting roles to npiadmin user....... 19 Single sign-on............. 19 Configuring single sign-on on the Jazz for Service Management server........ 20 Configuring the SSL communication for integration 22 Generating the SSL certificate for Network Performance Insight system........ 22 Exporting SSL personal certificate for Network Performance Insight system........ 23 Copying Jazz for Service Management root certificate to Network Performance Insight... 24 Adding the root certificate to your browser... 25 Adding the root certificate to JRE keystore on your desktop............. 26 Adding the LDAP user registry as a federated repository............... 26 Configuring Network Performance Insight console integration on Jazz for Service Management... 28 Appendix A. Starting Jazz for Service Management application servers... 31 Appendix B. Stopping Jazz for Service Management application servers... 33 Appendix C. Common directory locations for Jazz for Service Management............ 35 Appendix D. service npi command reference.............. 39 Appendix E. npid command reference 41 Notices.............. 43 Trademarks.............. 45 Terms and conditions for product documentation.. 46 Copyright IBM Corp. 2015, 2016 iii
iv Configuring Network Performance Insight
Configuring Network Performance Insight Intended audience Organization You can configure IBM Network Performance Insight, Version 1.1.1 and its integration services through user interface console and command line interface. You can also administer and manage application security and single sign-on from Dashboard Application Services Hub portal. Related information: Configuring network discovery on Tivoli Network Manager The audience who are network administrator or operations specialist responsible forconfiguring the Network Performance Insight product suite on an enterprise network. To install Network Performance Insight successfully, you must have a thorough understanding of the following subjects: v Network Performance Insight 1.1.1 system v Basic principles of network protocols and network management v Flow concepts v RHEL Administration v Jazz for Service Management Read this summary to help you find the information that you need. v Chapter 1, Introduction, on page 1 v Chapter 2, Configure npi.conf file settings, on page 3 v Chapter 3, Configure Jazz for Service Management portal, on page 13 Network Performance Insight overview IBM Network Performance Insight is a flow-based network traffic performance monitoring system. Network Performance Insight provides comprehensive, flexible, and scalable traffic data management with visualization and reporting to support complex, multi-vendor, multi-technology networks. It offers a range of dashboard views with robust security features that are designed to meet the needs of executive management and converging network and IT operations teams. Network Performance Insight offers near real-time and interactive view on the traffic data that helps in reduced network repair times and optimized network performance. Network Performance Insight provides IBM Netcool Operations Insight with network performance monitoring capabilities to address modern network management challenges around application-oriented, software-defined-networks in the enterprise data centers and intranet. Copyright IBM Corp. 2015, 2016 v
The following diagram shows how data is flowing through the various components in Network Performance Insight: The flow records that are sent by the configured flow exporters are collected by Collector, and sent to Inventory or Analytics component based on the information that they contain. Analytics component performs flow data aggregation. These results are then stored in Network Performance Insight database. Additionally, you can enable or disable the processing of flow records on each flow interface on Dashboard Application Services Hub portal. The dashboards provide up-to-date actionable information to provide an insight into network problems and streamline root cause analysis. The data from the Storage component can be queried to display the results on Network Health Dashboard or OMNIbus Web GUI from Active Event List or Event Viewer. You must integrate Network Performance Insight with IBM Tivoli Network Manager and Tivoli Netcool/OMNIbus components of IBM Netcool Operations Insight to take advantage of its network topology views and fault management capabilities. Network Performance Insight includes the following documents: v Release summary v Quick Start Guide v Installing Network Performance Insight v Configuring Network Performance Insight v Integrating with Netcool Operations Insight vi Configuring Network Performance Insight
v Getting Started with Network Performance Insight v Troubleshooting Network Performance Insight v References v Technical notes Related information: Service Management Connect IBM Network Performance Insight on IBM Knowledge Center Connect, learn, and share with Service Management professionals: product support technical experts who provide their perspectives and expertise. Access Network and Service Assurance community at https://www.ibm.com/ developerworks/servicemanagement/nsa/index.html. Use Service Management Connect in the following ways: v Become involved with transparent development, an ongoing, open engagement between other users and IBM developers of Tivoli products. You can access early designs, sprint demonstrations, product roadmaps, and prerelease code. v Connect one-on-one with the experts to collaborate and network about Tivoli and the Network and Service Assurance community. v Read blogs to benefit from the expertise and experience of others. v Use wikis and forums to collaborate with the broader user community. Related information: IBM Network Performance Insight community on developerworks Network Performance Insight technical training Support information For Tivoli technical training information, see the following Network Performance Insight Training website at https://tnpmsupport.persistentsys.com/ updated_trainings. If you have a problem with your IBM Software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: Online Access the IBM Software Support site at http://www.ibm.com/software/ support/probsub.html. IBM Support Assistant The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM Software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to http://www.ibm.com/software/ support/isa. Troubleshooting Guide For more information about resolving problems, see the problem determination information for this product. Configuring Network Performance Insight vii
Conventions used in this publication Several conventions are used in this publication for special terms, actions, commands, and paths that are dependent on your operating system. Typeface conventions This publication uses the following typeface conventions: Bold Italic Monospace Bold monospace v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) v Keywords and parameters in text v Citations (examples: titles of publications, diskettes, and CDs) v Words defined in text (example: a nonswitched line is called a point-to-point line) v Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.") v New terms in text (except in a definition list): a view is a frame in a workspace that contains data. v Variables and values you must provide:... where myname represents... v Examples and code examples v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options v Command names, and names of macros and utilities that you can type as commands v Environment variable names in text v Keywords v Parameter names in text: API structure parameters, command parameters and arguments, and configuration parameters v Process names v Registry variable names in text v Script names viii Configuring Network Performance Insight
Chapter 1. Introduction Requires simple configuration settings. Network Performance Insight collects data from the monitored flow-enabled devices. The processed and aggregated data can be viewed from the Network Health Dashboard after integration with IBM Tivoli Network Manager. This version has minimal system requirements for the large data that it can manage. Important: Summary. Before you configure Network Performance Insight, read the Release Network Performance Insight, v1.1.1 integrates with IBM Tivoli Network Manager and IBM Tivoli Netcool/OMNIbus components of IBM Netcool Operations Insight 1.4. For Network Performance Insight to be fully functional and for traffic data to be available on Jazz for Service Management, you must perform the following configurations: v Configure Network Performance Insight configuration file. Create and edit the Network Performance Insight configuration file npi.conf. v Configure the Jazz for Service Management portal where Network Performance Insight is federated for visualization of traffic data and events from Network Health Dashboard. Configure Dashboard Application Services Hub to access the federated Network Performance Insight user interfaces that are available through Network Health Dashboard. v Configure your network discovery by using the following tools available in Tivoli Network Manager GUI: Discovery Configuration Wizard to perform initial discoveries. Discovery Configuration GUI to perform subsequent discoveries. v Configure the launch-in-context Traffic Details dashboards from Active Event List or Event Viewer on Dashboard Application Services Hub. For more information, see Configuring integration with Tivoli Netcool/OMNIbus in Integrating Network Performance Insight. Related information: Configuring network discovery on Tivoli Network Manager Copyright IBM Corp. 2015, 2016 1
2 Configuring Network Performance Insight
Chapter 2. Configure npi.conf file settings npi.conf file settings. The npi.conf file settings must be updated in the following scenarios: v To override the default Network Performance Insight settings. v To configure the communication between Network Performance Insight and Jazz for Service Management. v To configure the connectivity to Tivoli Network Manager to access the Network Connectivity and Inventory Model (NCIM) database that contains the topology data and the Network Manager reports. Note: The NCIM database is a relational database that consolidates topology data discovered by Network Manager. (OSI layers 1, 2 and 3). v To configure the OMNIbus Standard Input probe for event processing in Network Performance Insight. Editing default settings in a configuration file Typically, the npi.conf file must be configured to override some default settings. Procedure 1. Create or edit npi.conf file in Notepad or similar application and add the lines according to your requirement. Configure NetFlow data collection 2. To change the default listener port, add the comma-separated list of socket addresses with in square brackets to the npi.conf file: collector.flow.udp.ports= ["socketaddress1", "socketaddress2",...] The default UDP listener port for any IP address is 4379. Currently, only UDP is supported. Note: Socket address is a form of ipaddress:portnumber where ipaddress is optional. For example, <10.1.2.3>:4390, 4990 3. To black list flow exporter IP addresses, add the following lines to npi.conf file: collector.flow.exporter.blacklist = ["ipaddress1", "ipaddress2",...] Add the comma-separated list of IP addresses in square brackets. The flow data from these exporters in the list is blocked from further processing. Configure logging 4. To specify the retention period for the historical log files, add the following lines to npi.conf file: logging.history = nn Where nn is an integer value. Note: The default value is 10. A new npi.log file is created everyday and the log file that is created on the previous day is renamed to npi- Copyright IBM Corp. 2015, 2016 3
<mm_dd_yyyy>.log. This setting determines how many days these log files are maintained in the <NPI_Home>/log directory. 5. To configure the log level for the error messages that are logged in npi.log file, add the following lines to npi.conf file: logging.level = {INFO WARN ERROR ALL OFF} If you do not set any values, the default logging level is INFO. After you restart the Network Performance Insight server, the logging level that you entered becomes the default logging level. If you set the logging level as OFF, the logging is disabled. Table 1. Log level rules for different options Logging level INFO WARN ERROR ALL OFF INFO YES NO NO YES NO WARN YES YES NO YES NO ERROR YES YES YES YES NO Configure DNS server 6. To set or edit the DNS server details, add the following lines to npi.conf file: dns.server.address= "<DNS_Server_IP_Add>" dns.server.port= <DNS_Server_Port_Number> The default DNS server port number is 53. Typically, if you do not set the DNS server IP address setting in npi.conf, it looks for nameserver setting in /etc/resolv.conf file during DNS lookup and resolution. If the nameserver setting is not there in this file, then it defaults to localhost. Configure the networking timeouts for DNS resolution 7. To set or edit the networking timeouts for resiliency in DNS resolution, add the following lines to npi.conf file: Setting Default value Description dns.network.initiationn.timeout 30 seconds The maximum amount of time the DNS Service waits in Disconnected state before it attempts to connect to the DNS Server. dns.network.connection.timeout 10 seconds The maximum amount of time the DNS Service waits in Connecting state for the networking layer to respond that the connection is established. dns.network.acknowledgement.timeout 5 seconds The maximum amount of time the DNS Service waits in Waiting state for the networking layer to respond with an acknowledgment that the outbound packet is written to the operating system/networking buffers. 4 Configuring Network Performance Insight
Setting Default value Description dns.network.disconnect.timeout 5 seconds The maximum amount of time the DNS Service waits in Disconnecting state before it resets and moves to Disconnected state to close the connection. Configuring backup snapshots count 8. To specify the maximum number of backup snapshots, add the following lines to npi.conf file: storage.maxbackupsnapshotcount = n Where n is an integer value. Note: The default value is 7. The backup procedure maintains a total of 7 backup snapshots at any point in the <NPI_Home>/work/backup-snapshot directory. Next steps 9. Save the npi.conf file in the <NPI_Home>/conf directory. 10. Restart the system. For more information, see Controlling Network Performance Insight system in Installing Network Performance Insight. Controlling Network Performance Insight system Commands to control the Network Performance Insight application processes. About this task You can control the system that is running Network Performance Insight in the following ways: v Use the service npi command options v Use the npid command options v Use the chkconfig utility to disable the npi service. Procedure v Run the service npi command to start, stop, and restart Network Performance Insight by using the following commands:./ service npi Usage: {start stop restart kill status version help} For more information, see service npi command reference in Command Line Interface. v Run the npid command to start, stop, and restart Network Performance Insight by using the following commands: cd <NPI_Home>/bin./npid Usage: {start stop restart kill status version help} For more information, see npid command reference in Command Line Interface. v Disable the npi service in runlevels 2, 3, 4, and 5 by using the chkconfig command with the following option: chkconfig service npi off Chapter 2. Configure npi.conf file settings 5
npid command reference Usage for the npid command. Run the npid command to start, stop, and restart Network Performance Insight. Location <NPI_Home>/bin NPI_Home is the location where Network Performance Insight is installed. For example, /opt/ibm/npi. Syntax npid {start stop restart kill status version help} Parameters start Starts Network Performance Insight application. stop Stops Network Performance Insight application. restart Stops and starts Network Performance Insight application. kill Kills the Network Performance Insight application process by using the command kill -9. status Checks if Network Performance Insight process is running when you use the command ps -eaf. version Shows the version of Network Performance Insight that is installed. help Displays the usage for npid command. Configuring the Network Performance Insight for communicating with Jazz for Service Management This configuration in npi.conf file helps Network Performance Insight server to communicate with the server where Jazz for Service Management is installed. About this task You can use the template file npi-dash.template that is available in <NPI_Home>/conf folder. 6 Configuring Network Performance Insight
Procedure 1. Create or edit npi.conf file and enter the following details: Table 2. Configurations for Network Performance Insight Property Description Recommended value https.port https.keystore.file https.keystore.password https.key.password security.dash.hostname security.dash.port security.dash.username Secure port on which Network Performance Insight application console can be accessed Full path for the keystore file that stores SSL certificate that is used by Network Performance Insight. Password for SSL keystore that is used by Network Performance Insight. Password for SSL Key that is used by Network Performance Insight Full DNS name for Jazz for Service Management server. If this parameter is left blank, Network Performance Insight integration with Netcool Operations Insight does not work. This entry must be added before you start Dashboard Application Services Hub for the first time. HTTPS port on which Jazz for Service Management server communicates. Administrator user name for Jazz for Service Management 9443 conf/security/ security.keystore WebAS Note: Use the encrypted password. To encrypt, follow the steps in Encrypting Object Server password in Integrating with Tivoli/Netcool OMNIbus. WebAS Note: Use the encrypted password. To encrypt, follow the steps in Encrypting Object Server password in Integrating with Tivoli/Netcool OMNIbus. <myserver.ibm.com> The default Dashboard Application Services Hub HTTPS port is 16311. Copy Dashboard Application Services Hub root signer certificate file by using the name WebSphereCACert.pem to <NPI_Home>/conf/security folder. Without this file, Network Performance Insight cannot connect to Dashboard Application Services Hub secure port. smadmin Chapter 2. Configure npi.conf file settings 7
Table 2. Configurations for Network Performance Insight (continued) Property Description Recommended value security.dash.password security.dash.domain Password for Jazz for Service Management administrator user. This password can be encrypted. Domain name of the server. This entry must be added before you start Dashboard Application Services Hub for the first time. smadmin Note: Use the encrypted password. To encrypt, follow the steps in Encrypting Object Server password in Integrating with Tivoli/Netcool OMNIbus..ibm.com Example entries: https.port=9443 https.keystore.file= conf/security/security.keystore https.keystore.password= 86qTwzkzrq3gJcKwGbIHlQ== https.key.password= 86qTwzkzrq3gJcKwGbIHlQ== security.dash.hostname= <myserver.ibm.com> security.dash.port=16311 security.dash.username= smadmin security.dash.password= UZceWXqtBVIrfu50FfWVmg== security.dash.domain=.your-domain.com 2. Save this file to <NPI_home>/conf directory. <NPI_home> is where Network Performance Insight is installed. For example, /opt/ibm/npi. 3. Restart your system. Configuring NCIM database connectivity This configuration helps to federate IBM Tivoli Network Manager NCIM Topology database that can be hosted on Oracle or IBM DB2 database into Network Performance Insight storage. Before you begin Make sure that the following conditions are met before you connect the NCIM database: v Install and configure the latest version of Tivoli Network Manager. v Install either IBM DB2 or Oracle database to host the NCIM topology database, configure an instance, and create a database before Network Manager is installed. v Install the Network Manager. During installation, the NCIM topology database is installed on the database that you created in the previous step. v Your Oracle or DB2 instance is up and running. v Compatible JDBC driver to connect to IBM DB2 database for Tivoli Network Manager is used. For more information, see DB2 JDBC Driver Versions and Downloads. v is used. ojdbc6-11gr2.jar that is available in the <NPI_Home>/lib directory 8 Configuring Network Performance Insight
About this task Modify the Network Performance Insight npi.conf configuration file in <NPI_Home>/conf folder. You can use the template file npi-itnm.template that is available in <NPI_Home>/conf folder. Procedure 1. Open the npi.conf file from <NPI_Home>/conf folder. 2. Add the following settings for NCIM database connectivity: itnm.host = <myserver.ibm.com> itnm.platform = "database-platform-type" itnm.port = <database_port_number> itnm.username = "<user_name>" itnm.password = "<password>" itnm.database = "NCIM" Where: Table 3. Configurations for NCIM database connectivity Property Description Default value itnm.host itnm.platform Hostname where Tivoli Network Manager is running. Supported database for NCIM <myserver.ibm.com> DB2 Oracle itnm.port Port number where NCIM database is running. Note: By default, it is DB2. Typical default values: 1521 itnm.username itnm.password Valid user name that is used to log in to NCIM database. Valid password to log in to NCIM database. 50000 db2inst1 or oracle based on the database that NCIM is supported on. Based on the database that NCIM is supported on: db2inst1 itnm.database Tivoli Network Manager topology database oracle NCIM Chapter 2. Configure npi.conf file settings 9
Configuring the OMNIbus Standard Input probe to work with Network Performance Insight Modify the Network Performance Insight npi.conf configuration file in <NPI_Home>/conf folder. Before you begin v Configure the host name resolution to resolve omnihost to the actual host name where Tivoli Netcool/OMNIbus is installed. Add an alias entry in the /etc/hosts file as follows: <IP_Address> <fully_qualified_host_name> <alias> For example, 192.0.2.0 <myserver.ibm.com> omnihost v Ensure that you have the following 32-bit Linux operating system libraries. lib32z1 lib32ncurses5 lib32bz2-1.0 libstdc++6 lib32stdc++6 Note: The Standard Input probe is a 32-bit application and requires some 32-bit libraries to work on a 64-bit environment. About this task The Standard Input probe is bundled with Network Performance Insight and is installed along with it. This probe works with minimal or no configuration settings. If you want to change the ready for immediate deployment settings, you can change the following settings by using the template file npi-noi.template that is available in <NPI_Home>/conf folder: Note: Change or add these settings only when recommended by IBM Support Professional. Procedure 1. Open the npi.conf file from <NPI_Home>/conf folder. 2. Add the following setting for Tivoli Netcool/OMNIbus Standard Input (STDIN) probe to send events to OMNIbus: event.netcool.home = "<netcool_installation_directory>" event.netcool.omnibus.home = "<omnibus_installation_directory>" event.netcool.omnibus.temp = "<temp_directory_for_log_files>" event.netcool.omnibus.stdin.args = "<additional_probe_command_line_args>" event.netcool.omnibus.stdin.props = "<omnibus_stdin_probe_properties_file_location>" event.netcool.omnibus.stdin.rules = "<omnibus-stdin-probe-rules-file_location>" Where Table 4. Configurations for OMNIbus REST APIs Property Description Default value event.netcool.home Root installation directory for your Netcool products NCHOME $NCHOME defaults to /opt/ibm/tivoli/netcool. 10 Configuring Network Performance Insight
Table 4. Configurations for OMNIbus REST APIs (continued) Property Description Default value event.netcool.omnibus.home Root OMNIbus Installation directory NCHOME/omnibus event.netcool.omnibus.temp event.netcool.omnibus.stdin.args Temp directory where the log files are located You can configure the STDIN probe to log at other levels (for ex, DEBUG), and to a different log location by specifying this setting in the npi.conf file. Anything that is specified in this setting is passed directly on the command line to the STDIN probe at startup. <NPI_HOME>/probe/omnibus/var -messagelevel INFO -messagelog /var/tmp/stdin.probe.debug.log Or -messagelevel DEBUG -raw event.netcool.omnibus.stdin.props STDIN probe properties file location <NPI_HOME>/probe/omnibus/ probes/linux2x86/stdin.props event.netcool.omnibus.stdin.rules STDIN probe rules file location <NPI_HOME>/probe/omnibus/ probes/linux2x86/stdin.rules Note: By default, the Event Service processor that starts the STDIN probe configures the probe to log to the /opt/ibm/npi/probe/omnibus/var/ stdin.probe.log file. Chapter 2. Configure npi.conf file settings 11
12 Configuring Network Performance Insight
Chapter 3. Configure Jazz for Service Management portal Jazz for Service Management must be set up for Network Performance Insight federation to work correctly and you can access the web-based visualizations. Perform the following tasks: v Configure Network Performance Insight console integrations. v Create the users and assign roles in the user repository. v Configure single sign-on. v Configure SSL for integration with Network Performance Insight. Logging in to the Dashboard Application Services Hub portal Depending upon your organization s deployment, you can access the reporting interface through Dashboard Application Services Hub. Procedure v Access the reporting interface from Dashboard Application Services Hub as follows: 1. Open a web browser and enter the following URL for the Jazz for Service Management UI and reporting server: https://host.domain:port/dash_context_root For example: https://<myserver.ibm.com>:16311/ibm/console Where: host.domain is the fully qualified host name or IP address of the Jazz for Service Management UI and reporting server. When single sign-on (SSO) is enabled, ensure that you use the fully qualified host name in the URL of the Jazz for Service Management reporting and UI server. SSO requires that the browser pass LTPA cookies to the Jazz for Service Management application server, and these cookies contain the fully qualified host name. port is the secure HTTP port number that was specified during installation. The default value is 16311. /DASH_context_root is the context root for the console that was specified during installation. The default value is /ibm/console. 2. Enter the user ID and password in the Dashboard Application Services Hub login page. Click Log in. 3. The Dashboard Application Services Hub Welcome page opens. Note: Console Integration icon is available only after you complete the task Configuring Network Performance Insight console integration on Jazz for Service Management that is available in Configuring Network Performance Insight. Click Console Integration icon ( ) on the navigation bar and select the dashboard of your choice under System Configuration. Copyright IBM Corp. 2015, 2016 13
v Click Incident ( ) on the navigation bar and select Network Health Dashboard under Network Availability. Starting Jazz for Service Management application servers You can start any Jazz for Service Management virtualization and reporting servers by using the IBM WebSphere startserver command. You might need to restart the application server after you complete a configuration task for an integration service, or after you stop the application server for maintenance. About this task The same procedure applies to any Jazz for Service Management application server. Procedure 1. On the relevant Jazz for Service Management server, open a command window. 2. Change to the JazzSM_WAS_Profile/bin directory. The default location for <JazzSM_WAS_Profile> is /opt/ibm/jazzsm/profile. 3. Run the following command: AIX Linux./startServer.sh server_name Where server_name Enter the name of the application server that was specified when the application server profile was created. For example, server1. Stopping Jazz for Service Management application servers You can stop any Jazz for Service Management application server by using the IBM WebSphere stopserver command. You might need to restart the application server after you complete a configuration task for an integration service, or stop the application server for maintenance. To start the server again, use the startserver command. Procedure 1. On the relevant Jazz for Service Management server, open a command window. 2. Change to the JazzSM_WAS_Profile/bin directory. The default location for <JazzSM_WAS_Profile> is /opt/ibm/jazzsm/profile. 3. Run the following command: AIX Linux./stopServer.sh <server_name> -username <WAS_admin_user_name> -password <WAS_admin_password> Where server_name Enter the name of the application server that was specified when the application server profile was created. For example, server1. 14 Configuring Network Performance Insight
WAS_admin_user_name The default user name is smadmin. WAS_admin_password This is the password that is specified at the time of installation. Example stopserver.sh server1 -username smadmin -password jazzsmpwd Common directory locations for Jazz for Service Management Jazz for Service Management topics use path name variables for paths to common directories, for example, home directories. Jazz for Service Management home directory The JazzSM_HOME variable describes the location where Jazz for Service Management is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm v Non-root user installations: <user_home_directory>ibm/jazzsm Jazz for Service Management profile directory The JazzSM_WAS_Profile variable describes the location of the application server profile that is used for Jazz for Service Management. This location is in the /profile subdirectory of the Jazz for Service Management home directory. AIX Linux v Root user installations: /opt/ibm/jazzsm/profile v Non-root user installations: <user_home_directory>ibm/jazzsm/profile Jazz for Service Management profile name The JazzSM_Profile_Name variable refers to the name assigned to the WebSphere Application Server profile for Jazz for Service Management. The default name is JazzSMProfile. Installation images home directory The Install_Imgs_Home variable describes the common root directory that contains the extracted contents of the installation images depending on the installation scenario. Full installation IBM DB2, IBM WebSphere Application Server. Attention: You must extract the contents of the installation media for this software to the same common root directory, otherwise the full installation displays error messages for missing software. Custom installation IBM WebSphere Application Server, if you do not want to use an existing installation. Chapter 3. Configure Jazz for Service Management portal 15
Note: It is not necessary to extract the contents of the installation media for this software to the same common root directory, but it is preferable to maintain all extracted installation media in a central location. Jazz for Service Management installation images home directory The JazzSM_Image_Home variable describes the common root directory in which the Jazz for Service Management is extracted. It contains the launchpad, IBM Installation Manager, IBM Prerequisite Scanner, the Installation Manager repository with the software packages for the integration services except Tivoli Common Reporting. Tip: Ensure that the path to the JazzSM_Image_Home directory does not contain any spaces or special characters, otherwise the launchpad does not start. IBM DB2 home The DB2_HOME variable describes the location where IBM DB2 is installed. This location is specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/db2 v Non-root user installations: $HOME/sqllib $HOME represents the non-root user's home directory. WebSphere Application Server home directory The WAS_HOME variable describes the location where WebSphere Application Server is installed. This location is specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/websphere/appserver v Non-root user installations: <user_home_directory>ibm/websphere/appserver Administration Services home directory The ADMIN_HOME variable describes the location where Administration Services is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm/admin v Non-root user installations: /home/nonrootuser_name/ibm/jazzsm/admin Administration Services UI home directory The ADMINUI_HOME variable describes the location where Administration Services UI is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm/adminui v Non-root user installations: /home/nonrootuser_name/ibm/jazzsm/adminui 16 Configuring Network Performance Insight
Registry Services home directory The REGISTRY_HOME variable describes the location where Registry Services is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm/registry v Non-root user installations: /home/nonrootuser_name/ibm/jazzsm/registry Security Services home directory The SECURITY_HOME variable describes the location where Security Services is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm/security v Non-root user installations: /home/nonrootuser_name/ibm/jazzsm/security Dashboard Application Services Hub home directory The DASH_HOME variable describes the location where Dashboard Application Services Hub is installed. This location can be specified during installation. If not specified, the following default locations are used: AIX Linux v Root user installations: /opt/ibm/jazzsm/ui v Non-root user installations: <user_home_directory>ibm/jazzsm/ui Dashboard Application Services Hub profile directory The DASH_Profile variable describes the location of the application server profile that is used for Dashboard Application Services Hub. This location is in the/profiles subdirectory of the Jazz for Service Management home directory. AIX Linux v Root user installations: /opt/ibm/jazzsm/profile v Non-root user installations: <user_home_directory>ibm/jazzsm/profile Full installation log directory The Simple_install_log_dir directory into which general and offering specific logs are created during full installation: AIX Linux v On UNIX systems: $HOME/jazzsm_launchpad/logs/ IBM Prerequisite Scanner installation directory The ips_root directory that contains the contents of the extracted Prerequisite Scanner platform package. If not specified, the default locations are used: Linux v On UNIX systems: Install_Imgs_Home/PrereqScanner/UNIX_Linux Related information: Common directory locations AIX Chapter 3. Configure Jazz for Service Management portal 17
Groups and users All the required users and groups must be set up on the system before integration. Create the following groups on the user repository that is used by the Jazz for Service Management server: v npiuser v npiadministrator v ConsoleUser v ConsoleAdmin v WriteAdmin v ReadAdmin v manager-gui v manager-script v manager-jmx v manager-status A user who has access to all event management tasks that includes menu creation and tool creation must exist. If such a user does not exist, then create an appropriate user. Ensure that the user is assigned to a group npiadministrator or Netcool_OMNIbus_User and user role as ncw_admin or ncw_user. Create the following users: v npiadmin Must be a part of all the groups that are created earlier. v npiuser Must be a part of the ConsoleUser and npiuser groups that are created earlier. Creating users and groups in a repository Security relies on users and user groups. You define the groups to which the users belong in the application server. For this purpose, you can configure a federated repository as a user registry or WebSphere Application Server-based repository. Procedure 1. Log in to Jazz for Service Management server. See Logging in to the Dashboard Application Services Hub portal on page 13. 2. Expand Console Settings > WebSphere Administrative Console. 3. Click Launch WebSphere Administrative Console. 4. In the side pane, open Users and Groups > Manage Groups. 5. Click Create. 6. Create all the groups that are specified in Groups and users. 7. Click Close. On the Manage Groups page, the table shows the existing groups. 8. In the side pane, open Users and Groups > Manage Users. 9. Click Create. 10. Create all the users that are specified in Groups and users. 11. Assign this new user to a group. a. Click Group Membership. 18 Configuring Network Performance Insight
Single sign-on b. On the Group Membership page, click Search. c. In the Available column, select a group and click Add. d. Click Close. e. Restart your application server. What to do next Alternatively you can use LDAP user registry, see Adding the LDAP user registry as a federated repository on page 26. Granting roles to npiadmin user Console users are granted access to resources based on the role to which they have been assigned. Procedure 1. Log in to Dashboard Application Services Hub portal as admin user. By default, smadmin. 2. In the navigation pane, select Console Settings > User Roles. 3. To assign a role to a user, click Search. A list of available users is displayed. 4. Click npiadmin user from the User ID column. A list of available roles for the selected user is displayed on a new page. Those roles that are currently associated with the selected user are checked. 5. Select all the roles and assign to npiadmin user. This grants all the Dashboard Application Services Hub roles to npiadmin user. 6. Click Save. What to do next Log off from Dashboard Application Services Hub and log in again to ensure all the privileges that include admin privileges are available to the npiadmin user. Related tasks: Creating users and groups in a repository on page 18 Security relies on users and user groups. You define the groups to which the users belong in the application server. For this purpose, you can configure a federated repository as a user registry or WebSphere Application Server-based repository. The single sign-on (SSO) capability in Tivoli products means that you can log on to one Tivoli application, and then start other Tivoli web-based or web-enabled applications without having to reenter your user credentials. The repository for the user IDs can be the Tivoli Netcool/OMNIbus ObjectServer or a Lightweight Directory Access Protocol (LDAP) registry. A user logs on to one of the participating applications, at which time their credentials are authenticated at a central repository. With the credentials authenticated to a central location, the user can then start from one application to another to view related data or perform actions. Single sign-on can be achieved between applications that are deployed to Dashboard Application Services Hub servers on multiple machines. Chapter 3. Configure Jazz for Service Management portal 19
Single sign-on capabilities require that the participating products use Lightweight Third Party Authentication (LTPA) as the authentication mechanism. When SSO is enabled, a cookie is created containing the LTPA token and inserted into the HTTP response. When the user accesses other web resources (portlets) in any other application server process in the same Domain Name Service (DNS) domain, the cookie is sent with the request. The LTPA token is then extracted from the cookie and validated. If the request is between different cells of application servers, you must share the LTPA keys and the user registry between the cells for SSO to work. The realm names on each system in the SSO domain are case-sensitive and must match exactly. Configuring single sign-on on the Jazz for Service Management server Use these instructions to establish single sign-on support and configure a federated repository. Before you begin Configuring SSO is a prerequisite to integrating products that are deployed on multiple servers. All Jazz for Service Management server instances must point to the central user registry (such as a Lightweight Directory Access Protocol server). About this task To configure Global Security to enable SSO, follow these steps: Procedure 1. Log in to Jazz for Service Management server as admin user. See Logging in to the Dashboard Application Services Hub portal on page 13. 2. In the navigation pane, click Console Settings > Websphere Administrative Console and click Launch Websphere administrative console. 3. In the WebSphere Application Server administrative console navigation pane, click Security > Global security. 4. In the Administrative Security section, select the Enable administrative security check box. 5. In the Application Security section, select the Enable application security check box. 6. In the Authentication section, expand Web and SIP security and click Single sign-on (SSO). 7. Click Enabled option if the SSO is disabled. 8. Click Requires SSL if all the requests are expected to use HTTPS. 9. Enter the fully qualified domain names in the Domain name field where SSO is effective. For example,.ibm.com If the domain name is not fully qualified, the Jazz for Service Management Server does not set a domain name value for the LtpaToken cookie and SSO is valid only for the server that created the cookie. Single sign-on feature is necessary for different components of Netcool Operations Insight to interact 20 Configuring Network Performance Insight
with each other. For SSO to work across the Tivoli applications, their application servers must be installed in same domain (use the same domain name). 10. Set the LTPA V2 Cookie name to LtpaToken2. 11. Optional: Enable the Interoperability Mode option if you want to support SSO connections in WebSphere Application Server version 5.1.1 or later to interoperate with previous versions of the application server. 12. Select the Web inbound security attribute propagation check box to propagate information from the first login application server to the other application servers. 13. Clear the Set security cookies to HTTPOnly to help prevent cross-site scripting attacks check box. 14. Click OK to save your changes. 15. Stop and restart all the Jazz for Service Management server instances. What to do next When you start Jazz for Service Management, you must use a URL in the format protocol://host.domain:port /*. If you do not use a fully qualified domain name, Jazz for Service Management cannot use SSO between Tivoli products. The configured single sign-on uses SSO tokens that are set in HTTP cookies to carry authenticated sessions. By default, these cookies expire after 120 minutes. To change this value, follow these steps: 1. In the WebSphere Application Server administrative console navigation pane, click Security > Global security. 2. In the Authentication section, click LTPA. 3. Change the LTPA timeout value to a different value. This value must be greater than the Cache timeout. The credentials expire after the specified period you might have to revalidate your credentials. Related tasks: Stopping Jazz for Service Management application servers on page 14 You can stop any Jazz for Service Management application server by using the IBM WebSphere stopserver command. You might need to restart the application server after you complete a configuration task for an integration service, or stop the application server for maintenance. To start the server again, use the startserver command. Starting Jazz for Service Management application servers on page 14 You can start any Jazz for Service Management virtualization and reporting servers by using the IBM WebSphere startserver command. You might need to restart the application server after you complete a configuration task for an integration service, or after you stop the application server for maintenance. Related information: Configuring Jazz for Service Management for SSO Chapter 3. Configure Jazz for Service Management portal 21
Configuring the SSL communication for integration The Secure Sockets Layer (SSL) protocol provides secure communications between remote server processes or endpoints. SSL security can be used for establishing communications inbound to and outbound from an endpoint. To establish secure communications, a certificate and an SSL configuration must be specified for the endpoint. Before you begin Configure SSL communication after you install Network Performance Insight. About this task You must configure the SSL one time only. If you are reinstalling or upgrading Network Performance Insight, back up the /opt/ibm/npi/conf/security folder from previous installation and restore it in new installation. Follow these steps to complete the SSL configuration for the integration of Network Performance Insight with Tivoli Netcool/OMNIbus. Generating the SSL certificate for Network Performance Insight system SSL uses digital certificates for key exchange and authentication. When a client initiates an SSL connection, the server presents the client with a certificate that is signed by a Certificate Authority (CA). A CA is a trusted party that guarantees the identity of the certificate and its creator. The server certificate contains the identity of the server, the public key, and the digital signature of the certificate issuer. Procedure 1. Log in to the Jazz for Service Management server as admin user. See Logging in to the Dashboard Application Services Hub portal on page 13. 2. Expand Console Settings > WebSphere Administrative Console. 3. Click Launch WebSphere Administrative Console. 4. Expand Security and select SSL certificate and key management > Keystores and certificates > NodeDefaultKeyStore. 5. Click Personal certificates from the Additional Properties section. 6. Select Chained Certificate from the Create list. A chained personal certificate is a personal certificate that is created by using another certificate's private key to sign it. Provide the following mandatory details as needed: Option Description Suggested value Alias Root certificate used to sign the certificate Specifies the alias name to identify the certificate in the keystore and is used to label the certificate object. Specifies the personal certificate in the keystore that is used to create the chained personal certificate NPI root 22 Configuring Network Performance Insight