
Nimsoft Monitor hub Guide - Nimsoft Library


Nimsoft® Monitor hub Guide v5.4 series


Legal Notices

Copyright © 2012, Nimsoft Corporation

Warranty

The material contained in this document is provided "as is," and is subject to being changed, without notice, in future editions. Further, to the maximum extent permitted by applicable law, Nimsoft Corporation disclaims all warranties, either express or implied, with regard to this manual and any information contained herein, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Nimsoft Corporation shall not be liable for errors or for incidental or consequential damages in connection with the furnishing, use, or performance of this document or of any information contained herein. Should Nimsoft Corporation and the user have a separate written agreement with warranty terms covering the material in this document that conflict with these terms, the warranty terms in the separate agreement shall control.

Technology Licenses

The hardware and/or software described in this document are furnished under a license and may be used or copied only in accordance with the terms of such license.

No part of this manual may be reproduced in any form or by any means (including electronic storage and retrieval or translation into a foreign language) without prior agreement and written consent from Nimsoft Corporation as governed by United States and international copyright laws.

Restricted Rights Legend

If software is for use in the performance of a U.S. Government prime contract or subcontract, Software is delivered and licensed as "Commercial computer software" as defined in DFAR 252.227-7014 (June 1995), or as a "commercial item" as defined in FAR 2.101(a) or as "Restricted computer software" as defined in FAR 52.227-19 (June 1987) or any equivalent agency regulation or contract clause. Use, duplication or disclosure of Software is subject to Nimsoft Corporation’s standard commercial license terms, and non-DOD Departments and Agencies of the U.S. Government will receive no greater than Restricted Rights as defined in FAR 52.227-19(c)(1-2) (June 1987). U.S. Government users will receive no greater than Limited Rights as defined in FAR 52.227-14 (June 1987) or DFAR 252.227-7015 (b)(2) (November 1995), as applicable in any technical data.

Trademarks

Adobe®, Acrobat®, Acrobat Reader®, and Acrobat Exchange® are registered trademarks of Adobe Systems Incorporated.
Intel® and Pentium® are U.S. registered trademarks of Intel Corporation.
Java(TM) is a U.S. trademark of Sun Microsystems, Inc.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
Netscape(TM) is a U.S. trademark of Netscape Communications Corporation.
Oracle® is a U.S. registered trademark of Oracle Corporation, Redwood City, California.
UNIX® is a registered trademark of the Open Group.


Contact Nimsoft

For your convenience, Nimsoft provides a single site where you can access information about Nimsoft products.

At http://support.nimsoft.com/, you can access the following:

■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ Nimsoft Support policies and guidelines
■ Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about Nimsoft product documentation, you can send a message to support@nimsoft.com.


Contents

Chapter 1: hub 5.4
    hub General Overview
    hub Configuration
        The General tab
        The Hubs tab
        The Robots tab
        The Name Services tab
        The Queues tab
        The Tunnels tab
        The Status tab
    Advanced Configuration Settings
Glossary


Chapter 1: hub 5.4

This description applies to hub version 5.4x.

This section contains the following topics:

■ Documentation Changes
■ hub General Overview
■ hub Configuration
■ Advanced Configuration Settings


Documentation Changes

This table describes the version history for this document.

Version: 5.4x
Date: October 2011
What's New?: Initial Release

hub General Overview

The Hub is the communication central for a group of Robots. It is essentially a service process controlled by the Robot, and its purpose and mission is to bind other Robots into a logical group with the Hub as the central connection point. Therefore, it is quite common to set up a Hub with regard to physical constraints (such as a department floor or building, a lab, etc.) or by service functions (such as Development Robots).

A Hub also has the functionality to connect other Hubs into a hierarchy of Hubs.

Note: It is recommended that at least two Hubs be installed on the same Domain and network to ensure you have a backup of the user/security data.

A Hub should never be installed on a DHCP client.

The Hub is responsible for the following Nimsoft services:

■ Message distribution
  All messages generated on the Robots are routed through the Hub, and the Hub decides how to handle the messages; some are forwarded to other hubs and others are dispatched to local subscribers, both users and probes.
■ Name service
  Translate Nimsoft addresses of the form /domain/hub/robot/probe into the IP address and port registered by the service on start-up so that applications can connect to the service, using TCP/IP.
■ Authorization
  Handle login on the Domain.
■ Authentication
  Authenticate requests and user access rights to probes and Infrastructure (Hub, Robot and Spooler).
■ Tunnel
  Tunnel Nimsoft requests from one site to another site, much like a VPN for Nimsoft.


hub Configuration

The Hub may be configured by double-clicking the Hub element in the Infrastructure Manager application (or right-clicking + Configure). This will bring up the configuration program.

The General tab

Fields and their descriptions:

Hub information: This information is vital and instructs/reflects the actual name of the Hub and its Domain. A Domain is a way to group a number of Hubs together. All Hubs within a Domain exchange naming information amongst them.

Hub name: The name of this Hub.
Domain: The name of the Domain this Hub belongs to.
Hub IP: The IP address of this Hub.
Hub address: The address of this hub on the format ////Hub.
Version: The version number and distribution date of the Hub software.
Uptime: Displays for how long the Hub probe has been running since the last time it was started.
Modify (button): Clicking this button opens the Edit Hub Address dialog, enabling you to edit the address parameters. Note that the Hub will restart the controller if you modify these parameters.


License information: The Hub maintains a license system used by all of the Robots connected to the specific Hub. An invalid license causes the message flow from the Hub to its subscribers (mostly service probes) to stop. It will also deny the various Robot Spoolers to upload their messages as long as the license key is invalid. In short, things stop working! The license key is built using various fields such as the ones described below.

Licenses used: The number of robots currently connected to this Hub, and the number of robots the license allows.
Expire date: When the Nimsoft license expires. Asterisk (*) means an unlimited license.
Owner: Displays the owner of the license.
Modify (button): Clicking this button opens the Edit License dialog. The dialog has a window containing the license key for this Hub. License keys must be provided from Nimsoft and typed in exactly as specified.

Log settings: This section of the Setup tab is dedicated to configuring the logging facilities.

Log-level: Sets the level of details written to the logfile. Log as little as possible during normal operation to reduce disk consumption, and increase the level of detail when debugging.
Log Size: The default size of the log file is 100 KB. This field allows you to change the size of the log file according to your needs.

Login settings for the Hub:

■ Normal (login allowed): Allows normal login on the HUB. That means that it is possible to log on the hub from any robot.
■ Local machine only: Allows normal login on the HUB if attempting to log in from the computer hosting the Hub. Attempts to log in from other robots are refused.
■ No login: Disables login – it is not possible to log on the Hub when this option is checked.

Advanced:

Enable tunneling: Enables the Tunnel tab, where you can define tunnels. If you later uncheck this option (and click the Apply button), all defined tunnels will be stopped.
Disable IP validation: When a computer sends a request to a probe, the computer's IP address is validated. The Disable IP validation option disables this validation. The option is typically used when using NAT (Network Address Translation). See Setting up a Tunnel in a NATed network.
Statistics (button): Opens the Statistics window, displaying traffic statistics for the Hub for the selected period. The graph shows the number of messages sent and received per minute, in addition to the number of requests. The Period field below the graph lets you specify a period. Clicking the Get button, the values for the specified period will be displayed in the graph.


Monitor (button): Opens the Monitor window, displaying the current Hub traffic (see description below the table).
View Log (button): Clicking this button opens the Log Viewer window, which will display the contents from the hub’s log-file. See also the log settings above, giving you the possibility to set the level of detail for the logging facility.

The Log Viewer window includes a menu line with the following options:

■ Save
  Giving you the possibility to save the file or to print the contents of the file.
■ Edit
  Offers copy and find functionality.
■ Actions
  The possibility to limit the output in the window to display the most current contents only.
  The possibility to start/stop the log viewer.
  The possibility to specify a piece of text to be highlighted, and/or that the date field is highlighted from the moment you select the action Date Highlight.

Checking the traffic statistics

Clicking the Statistics button in the lower right corner of the Hub GUI opens the Statistics window.


This enables you to study the total traffic managed by the Hub:

■ Requests per minute
■ Sent messages per minute
■ Received messages per minute

The information found here is important to avoid bottlenecks and to tune your Nimsoft system.

The calendar functionality at the bottom of the window lets you specify a specific period (maximum 30 days back in time).

Using the hub monitor

Clicking the Monitor button in the lower right corner of the Hub GUI opens the Monitor window. This enables you to study the message flow through the Hub.


The Monitor window contains three tool buttons, letting you select between three different views:

■ Traffic
■ Sniffer
■ Tunnel

Traffic

Clicking the Traffic button, the Monitor shows a graph, presenting:

■ The number of messages sent and received per second.
■ The number of requests per second.


Two lists appear at the bottom of the window:

■ Subscribers, listing the permanent queues defined under the Queues tab.
■ Subjects, listing all subjects defined for the different queues.

Sniffer

Clicking the Sniffer button opens a new view. Using the Sniffer filter, you may study the messages received from a specific probe, a specific robot or messages containing a specific subject.

Clicking the Start button, the window will list all messages matching your filtering criteria with the most recent message first in the list.


Selecting a message in the list opens a callout containing vital information about the message, such as QoS name, QoS source and target, the time the sample was recorded, the sample value etc.

Tunnel

Clicking the Tunnel button opens a new view. Clicking the Start button, the window will start listing all accesses performed through the different active tunnels defined.

Each entry in the list contains the following information:

■ The name of the client that executed the command (IP address and port number).
■ The start and stop time for the transfer.
■ The total time used by the request through the tunnel (both directions).
■ The Nimsoft address that the command was sent to.
■ The last command issued during the message transfer.
■ The number of bytes sent and received during the session.


Hub Advanced Settings

Clicking the Settings button in the General tab of hub GUI opens the Hub Advanced Settings dialog.

The Hub Advanced Settings has the following three tabs:

General

Broadcast On: Selecting this option turns the Nimsoft discovery broadcast on/off. You may specify a broadcast address on which the Hub broadcasts (tells all other Hubs that it is alive). The default broadcast address is 255.255.255.255.


Hub Settings

Hub Request Timeout: The Hub communicates with the other hubs on the Nimsoft. This is the timeout value for this request. Default is 30 seconds.
Hub Update Interval: The interval at which the Hub sends status information to the other hubs on the Nimsoft. Default is 600 seconds.

Queue Settings

Reconnect Interval: Queues that have been disconnected (see below) will be reconnected at the interval specified here. Default is 180 seconds.
Disconnect passive queues: Queues that have been passive (no messages) will be disconnected after the number of seconds specified in this field. Default is 180 seconds.
Post Reply Timeout: If the hub posts a message and does not get a reply within the specified number of seconds, a timeout will occur.
Alarm on queue size: Specify a number that will be used to calculate the size of the queue file (in Mebibytes) on the hub, beyond which an alarm will be raised. By default, this value is 10. This means, if the size of the queue file on the disk increases beyond 10 * 1024 * 1024 = 10485760 bytes (also known as 10 mebibyte (MiB)), the alarm will be raised.

Origin

QoS data from probes are tagged with a name to identify the origin of the data. The Setup > Advanced section in the Controller GUI lets you specify an origin name, and this name will be used to identify the origin of the data. If leaving this field blank, the Hub name will be used. Specifying another origin name in this field, you can override the default Hub name.


Lock out time

To avoid leaving the system vulnerable to brute-force password guessing, the Hub implements extra security measures.

If a user has "Lock After Fails" consecutive login failures or there are "Lock After Fails" consecutive login failures from an IP address, the system will not permit new login attempts until "Lock Out Time" seconds have passed.

It should be noted that these changes are not persistent, that is, they do not survive a Hub Stop and Start.

SSL

SSL settings are specific to each Hub. You need to repeat the procedure below for every Hub requiring SSL.

Normal: Nimsoft only. This is the default mode.
Compatibility Mode: Mixed SSL/Nimsoft mode. The system checks for SSL compatibility. If there is no SSL compatibility, the system uses Nimsoft. This is the recommended mode.


SSL Only: The Hub will only communicate with components using SSL. The Hub will propagate the SSL settings to the robots, which in turn propagate the settings to the probes.

On selecting the SSL Only option, the following warning message appears. Click OK to confirm.

Important: Using SSL will significantly reduce traffic bandwidth and performance. At this point some probes do not support SSL.

If you run a Hub in SSL Only mode, the older components will not be able to talk to the new Nimsoft components. So mixing different versions of NMS is not possible if you, for some reason, want to use the SSL Only mode.

LDAP

The LDAP tab provides two options: Direct LDAP and Nimsoft Proxy Hub.


Direct LDAP

Selecting this option, the HUB can be configured to forward login requests to an LDAP server. This makes it possible to log on to the Nimsoft consoles as an LDAP user. Using ACLs (Access Control Lists), defined in the Infrastructure Manager, users belonging to different groups in LDAP can be assigned different permissions in Nimsoft.

Note: Direct LDAP is only available on Linux and Windows hubs, due to the availability of the LDAP library the hub uses. So native LDAP is not supported on Solaris.

The parameters:

Server Name: The HUB can be configured to point to a specific LDAP server, using IP address or host name. A Lookup button lets you test the communication. Note that you may specify multiple servers in this field, each separated with a space. The first entry will act as a primary server, while the others act as secondary servers (taking over if the primary server goes down). Note that logins may take more time if a secondary server has taken over.

Server Type: Choose an LDAP server type. Currently two server types are supported: Active Directory and eDirectory.

Authentication Sequence: This option lets you specify whether the hub should try LDAP login or Nimsoft Login first when a user logs in. For example, if you select Nimsoft > LDAP, the hub tries the given credentials as a Nimsoft user first and, if that does not succeed, passes them on to the LDAP server.

Use SSL: Tick this option if you want to use SSL during LDAP communication. Most LDAP servers are configured to use SSL.

User and Password: You must specify a user name and a password to be used by the HUB when accessing the LDAP server to retrieve information. In Active Directory, the user can be specified as an ordinary user name (as shown on the illustration above). In eDirectory, the user must be specified as a path to the user in LDAP on the format CN=yyy,O=xxx, where CN is the user name and O is the organization.

Group Container (DN): Specify a group container in LDAP to define where in the LDAP structure to search for groups. Clicking the Test button lets you check if the container is valid.

User Container (DN): Finally specify a user container in LDAP to define more specifically where in the LDAP structure to search for users.


Nimsoft Proxy Hub

This option allows you to specify a Nimsoft probe address for a given hub you wish to login through.

Proxy Hub: The drop down list is empty by default. Click the Refresh icon next to the drop down list to perform a "gethubs" probe request on the hub you are configuring, which will populate the drop down list with the hubs it knows about.

Proxy Retries: Specify the number of retries to perform in case of communication errors (network errors).

Authentication Sequence: This option lets you specify whether the hub should try LDAP login or Nimsoft Login first when a user logs in. For example, if you select Nimsoft > LDAP, the hub tries the given credentials as a Nimsoft user first and, if that does not succeed, passes them on to the LDAP server.

Proxy Timeout: Specify the time (in seconds per attempt) after which the proxy will be timed out.

Note: Nimsoft Proxy hub functionality is platform independent and is available in hubs 5.41 and later.
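The lock-out rule described under "Lock out time" in the Hub Advanced Settings can be modeled as below. This is an added example, not Nimsoft's code: the class and method names are hypothetical, the addresses and user names are constructed, and clearing the counters on a successful login is an assumption about what "consecutive" means.

```python
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    fails: int = 0              # consecutive failures recorded for this key
    locked_until: float = 0.0   # clock value at which the lock-out ends


class LoginLockout:
    """Lock-out tracker with one counter per user name and one per source IP.

    State lives only in this object's dict, so it is lost when the process
    restarts, matching the non-persistent behaviour the guide describes.
    """

    def __init__(self, lock_after_fails, lock_out_time, clock=time.monotonic):
        if lock_after_fails < 1 or lock_out_time <= 0:
            raise ValueError("lock_after_fails >= 1 and lock_out_time > 0 required")
        self.lock_after_fails = lock_after_fails
        self.lock_out_time = lock_out_time
        self._clock = clock
        self._entries = {}      # ("user", name) or ("ip", addr) -> _Entry

    def is_locked(self, user, ip):
        """True while either the user name or the source IP is locked out."""
        now = self._clock()
        for key in (("user", user), ("ip", ip)):
            entry = self._entries.get(key)
            if entry is not None and entry.locked_until > now:
                return True
        return False

    def attempt(self, user, ip, verify):
        """Return "locked", "ok" or "denied".

        verify is a zero-argument callable that checks the credentials. It is
        not called while a lock is active, so a locked-out client learns
        nothing about whether its guess was right.
        """
        if self.is_locked(user, ip):
            return "locked"
        keys = (("user", user), ("ip", ip))
        if verify():
            # Assumption: "consecutive" means a success clears both counters.
            for key in keys:
                self._entries.pop(key, None)
            return "ok"
        now = self._clock()
        for key in keys:
            entry = self._entries.setdefault(key, _Entry())
            entry.fails += 1
            if entry.fails >= self.lock_after_fails:
                entry.locked_until = now + self.lock_out_time
                entry.fails = 0     # start a fresh count once the lock expires
        return "denied"


def demo():
    """Constructed scenario: one source tries three different user names."""
    t = [0.0]                   # fake clock so the run is repeatable
    guard = LoginLockout(lock_after_fails=3, lock_out_time=60, clock=lambda: t[0])
    wrong, right = (lambda: False), (lambda: True)
    results = [guard.attempt(u, "192.0.2.10", wrong)
               for u in ("alice", "bob", "carol")]
    results.append(guard.attempt("dave", "192.0.2.10", right))     # IP is locked
    results.append(guard.attempt("alice", "198.51.100.7", right))  # one fail only
    t[0] = 60.0                                                    # lock expired
    results.append(guard.attempt("dave", "192.0.2.10", right))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the per-IP counter is independent of the user name, guesses spread over many accounts from one address still trip the lock, while a user with a single failure can log in from another address.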


The Hubs tab


This tab lists all known Hubs, and the information in the list is displayed with different colors:

■ Hubs within the same Domain as the Hub you are currently logged on have a blue color.
■ A hub that has not checked in lately has a red color, meaning that the Hub probably is currently not running.
■ All others are black.

The list contains the following information about each of the Hubs:

■ The Domain the Hub is attached to.
■ The Hub’s name.
■ The Hub’s software version.
■ The last time the Hubs were updated.
■ The Hub’s IP address and port number.

Indicators

Each of the hubs in the list also has an indicator with the following color codes:

■ Green
  The Hub is running.
■ Red
  The Hub is currently not running.
■ Yellow
  The status for this Hub is unknown (your Hub does not know if the Hub with the yellow indicator is running or not).

Right-clicking in the window opens a small menu with four options:

■ Alive Check
  Rechecks the status of the selected Hub.
■ Response Check
  Checks the response time (connect – reconnect, no transfer) between your Hub and the one selected in the list.
■ Transfer Check
  Transfers data from your Hub to the one selected in the list and checks the transfer rate.
■ Remove
  Removes the selected Hub from the Hubs address list. The Hub may show up later if it is running.

The Robots tab


The Robot tab lists all Robots controlled by the Hub, including the following information about each of the Robots:

■ The Robot’s name.
■ The Robot’s type (Regular or Passive mode).
■ The Robot’s IP address.
■ The Robot’s software version.
■ When the Robot was created.
■ The last time the Robot was updated.
■ Which Operating system the Robot is running.

Inactive Robot setup

In addition, the tab contains a drop-down list, where you can set the severity level of the alarm issued if one of the Robots in the list becomes unavailable.

Right-clicking in the window opens a small menu with three options:

■ Restart
  Restarts the selected Robot.
■ Check
  Checks the selected Robot.
■ Remove
  Removes the selected Robot from the Hubs address list. The Robot may show up later if it is running.
■ Add Passive Robot
  Opens the dialog for adding a passive Robot.
■ Edit Passive Robot
  Opens the dialog for editing the selected passive Robot.
■ Remove Passive Robot
  Removes the selected passive Robot. If the Robot has been changed to Regular mode, the Robot will automatically be re-added to the list.


The Name Services tab

A Hub knows the IP address and port number of all probes started by the Robots that it controls. The Robots are responsible for reporting all changes in configuration and probe state to their Hub. When a client (GUI or probe) wants to send a request to a probe, it must first ask the local Hub for the address. If the target probe is on another Hub, the request is forwarded to that Hub. The client can continue with the request to the probe if the name-lookup succeeds.

Static Hubs

The Hubs discover each other by sending out broadcast (UDP) messages. Hubs separated by routers and firewalls are normally unable to discover other Hubs by this mechanism. You may, however, configure the Hub with a static route to these Hubs.


Note the Synchronize option in the New Static Hub dialog.

If this option is not checked, your Hub will not send status info to the static hub. Your Hub will still receive status info from the static Hub, unless you disable the Synchronize option on that Hub as well.

This is typically used in order to reduce network traffic when your network runs on a telephone line or ISDN.

NOTE: Do not use Static Hubs if setting up a tunnel!

Network Alias

Set up Network Alias in order to tell the local Hub the return address on requests from a remote NATed Hub.

■ On Hub A, you must set up the From address and the To address for Hub B.
■ On Hub B, you must set up the From address and the To address for Hub A.

When Hub B sends a request to Hub A, the request will contain Hub B’s From address. Hub A then knows that Hub B’s To address must be used when returning a request to Hub B.
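The name lookup and Network Alias behaviour described above, as a simplified in-process model. This is an added example, not Nimsoft code: the class, method names, host names, IP addresses and port numbers are all constructed for illustration, and forwarding is modeled as a direct call to the peer Hub object.

```python
import re

# /domain/hub/robot/probe, the address form given in the guide.
_ADDRESS = re.compile(r"^/([^/\s]+)/([^/\s]+)/([^/\s]+)/([^/\s]+)$")


def parse_address(address):
    """Split a Nimsoft address into (domain, hub, robot, probe)."""
    match = _ADDRESS.match(address)
    if match is None:
        raise ValueError("not a /domain/hub/robot/probe address: %r" % (address,))
    return match.groups()


class HubNameService:
    """Name table of one Hub (hypothetical model)."""

    def __init__(self, domain, name):
        self.domain, self.name = domain, name
        self._probes = {}    # (robot, probe) -> (ip, port), reported by the Robots
        self._peers = {}     # (domain, hub) -> HubNameService of another Hub
        self._aliases = {}   # From address of a NATed Hub -> its To address

    def register(self, robot, probe, ip, port):
        """A Robot reports that one of its probes has started."""
        self._probes[(robot, probe)] = (ip, port)

    def unregister(self, robot, probe):
        """A Robot reports that a probe has stopped."""
        self._probes.pop((robot, probe), None)

    def add_peer(self, hub):
        self._peers[(hub.domain, hub.name)] = hub

    def add_alias(self, from_addr, to_addr):
        self._aliases[from_addr] = to_addr

    def lookup(self, address, forwarded=False):
        """Return (ip, port) for the probe, or None if the lookup fails."""
        domain, hub, robot, probe = parse_address(address)
        if (domain, hub) == (self.domain, self.name):
            return self._probes.get((robot, probe))
        if forwarded:
            return None      # a forwarded lookup is answered locally or not at all
        peer = self._peers.get((domain, hub))
        return peer.lookup(address, forwarded=True) if peer else None

    def return_address(self, request_from):
        """Address to reply to: the alias To address if one is configured."""
        return self._aliases.get(request_from, request_from)


if __name__ == "__main__":
    hub_a = HubNameService("Lab", "hub-a")
    hub_b = HubNameService("Lab", "hub-b")
    hub_a.add_peer(hub_b)
    hub_b.register("web01", "cdm", "10.1.2.3", 48010)
    print(hub_a.lookup("/Lab/hub-b/web01/cdm"))     # forwarded to hub-b
    hub_a.add_alias("10.1.0.1", "203.0.113.20")     # Hub B's From -> To
    print(hub_a.return_address("10.1.0.1"))
```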


The Queues tab

This tab lists all defined message queues.

Clicking one of them (or clicking the Edit button) opens the queue dialog box, enabling you to view or edit the queue properties. Clicking the New button lets you define new queues.


In short, a queue is a holding area for messages passing through the Hub. The queues may be temporary or they may be defined as permanent queues. The permanent queues will survive a Hub restart and are meant for service probes that need to pick up all messages regardless of whether the service probe is running or not. The temporary queue, on the other hand, is cleared during restarts (typically for events to GUIs, such as the Infrastructure Manager).

Permanent queues are most often tagged with a descriptive name related to the task they are connected to. E.g., the permanent queue called NAS is attached to the NAS (Nimsoft Alarm Server). It is possible to set up a permanent queue from one Hub to another by defining it as a post type queue with the full Nimsoft Address of the other Hub. All queues defined under the Queues tab are permanent queues.

■ Post queue, sends a directed stream of messages to the destination hub.
■ Attach queue, creates a permanent queue for any client to attach to.
■ Get queue, gets messages from a permanent attach queue on another hub.

The queue defined below (called get-hub-4) is defined as a get queue, getting messages from the queue xprone-attach defined on the hub /HubTest/wm-hub-4/vm-hub-4/hub.

Fields and their descriptions:

Active: Selecting the Activate option activates the queue. This will also be reflected in the queue list under the Queues tab. Note that you may also activate/deactivate the queues in the list.
Name: A unique and descriptive name of the queue. The parameter is optional.


Type: Type of queue (one of the following three types):

■ Post queue
  Sends a directed stream of messages to the destination hub.
■ Attach queue
  Creates a permanent queue for any client to attach to.
■ Get queue
  Gets messages from a permanent queue on another hub.

Address: The Nimsoft address of the source or target hub, applies for get and post queues only. Can be selected from the drop-down list.


Queue/Subject: This field is named Queue if a get queue is defined. This defines a queue on another hub to get messages from.

The field is named Subject if an attach or a post queue is defined. Only messages with the specified subject will be directed into the queue. * means all subjects.

All Nimsoft messages contain a Subject ID. This is a text string classifying the message for all components on the Nimsoft, allowing them to subscribe to some messages and ignore others. All messages with the same subject should also have identical data structure.

■ alarm
  Alarm messages sent by probes are messages with the subject alarm.
■ alarm_new
  When an alarm message is received and its footprint is not previously recorded, an alarm_new message is generated.
■ alarm_update
  When an alarm message is received and its footprint already exists, an alarm_update message is generated.
■ alarm_close
  Whenever a client closes (acknowledges) an alarm it will be removed from the currently active alarms, and an alarm_close message will be generated.
■ alarm_assign
  Whenever a client closes (acknowledges) an alarm it will be removed from the currently active alarms, and an alarm_assign message will be generated.
■ alarm_stats
  The NAS will generate statistical event messages, alarm_stats, containing the summary information (on severity level) for all open alarms.
■ QOS_DEFINITION
  When a QoS definition is defined, a QOS_DEFINITION message is generated.
■ QOS_MESSAGE
  QoS messages sent will have the subject "QOS_MESSAGE".

Example: To send all alarm messages to another Hub, you should create a queue, type post and subject alarm.


Bulk size: The parameter defines how many messages should be transferred simultaneously (in one bulk). The only time you need to change this value from '' is when you see that the queue grows and never shrinks to zero (see Subscribers Queues on the Status tab). This indicates that the Hub has problems delivering the messages to the target Hub fast enough. The reason for this behaviour could be that the number of QoS messages delivered to the Hub from the Robots has increased a lot (see the Statistics button on the General tab) or that the latency is too high and slows down the deliveries (see Response Check, right-clicking a Hub in the Hubs list).


The Tunnels tab

Note: This tab will be disabled unless the Enable Tunnelling option is checked on the General tab of the Hub configuration GUI.

Most companies today have one or more firewalls in their network, both internally between different networks and externally against a DMZ or Internet. Network administrators are often reluctant to open a firewall for a lot of IP addresses and ports in order to make it possible for Management applications to work. This makes it difficult to administrate and monitor the whole network from a central location.

The solution is to set up a tunnel between two Hubs that are separated by a Firewall. The Tunnel sets up a VPN-like (Virtual Private Network) connection between the two Hubs and enables all Nimsoft requests and messages to be routed over the Tunnel and dispatched on the other side. This routing will be transparent to all the users within Nimsoft. The only requirement for setting up a Tunnel is that one of the Firewalls opens for connection to the target Hub on one port.

Security is the main issue when opening a Firewall for external connections. The Tunnel is implemented using the SSL (Secure Socket Layer) protocol, which is the most widely deployed security protocol today (e.g., it is the protocol behind Secure HTTP (HTTPS)). The security is handled in two ways: certificates to authenticate the Client and encryption to secure the network traffic (e.g. over Internet).

Authorization and Authentication

The tunnel provides authorization and authentication by using certificates. Both the Client and the Server need valid certificates issued by the same CA (Certificate Authority) in order to set up a connection. In the case of setting up a tunnel, the machine receiving the connection (the Server) is its own CA and will only accept certificates issued by itself.

Encryption

The encryption settings span from None to High. No encryption means that the traffic is still authenticated and is therefore recommended for Tunnels within LANs and WANs. You should be careful when selecting a higher encryption level since this will be more resource intensive for the machines at both ends of the tunnel.

NOTE: Do not use Static Hubs if setting up a tunnel!


Field: Server Configuration tab

Configuration tasks under this tab are for the server (listening) side of the tunnel.

Field: Active

Checking this option activates the tunnel server.

Field: Common name

The IP address of the Hub computer on the server side.

Field: Expire date

When the server certificate expires.

Field: Port

The port that the tunnel server is listening on. This is the port that you have to open in your router or firewall for incoming connections.

Field: Security settings

Can be set to one of the predefined settings: None, Low, Medium or High, or you can select Custom, where you define your own security setting. For custom definition, see http://www.openssl.org/docs/apps/ciphers.html

Note: High gives the highest degree of encryption, but slows the data traffic a lot. Normally None will be sufficient, where data is not encrypted, but still authenticated.

Field: Start/Stop button

Starts or stops the tunnel server.

Field: Server button

Show the server certificate.

Field: CA button

Show the CA certificate.


Field: New button

Clicking this button opens the Client Certificate Setup dialog. Here you can create certificates for the clients to whom you will open access. When creating the certificate, you must set a password. This password, the certificate (encrypted text) and the server’s port number must be sent to the client site.

Field: Delete button

Clicking this button deletes the selected client certificate.

Field: View button

Show the selected client certificate.

Field: Client Configuration tab

The configuration tasks under this tab are for the client (connecting) side of the tunnel.


The fields in the window are:

Server: The tunnel server’s IP address.

Port: The tunnel server’s port number.

Heartbeat: Keep-alive message interval.

Description: The description of the tunnel connection.

Field: New button

Opens the New Tunnel Connection dialog. Here you create a new Tunnel connection to the server that has generated the certificate.

Active: Activates the defined tunnel connection.

Check Server CommonName: Uncheck this option to disable the Server IP address check on connection (see Setting up a Tunnel in a NATed Network).

Description: Give a short description of the tunnel connection in this field.

Server IP: The IP address of the server on the server end of the tunnel.

Password: The password you have received with your certificate from the server side.

Server Port: The communication port on the server on the server side.

Keep-alive interval: Small data packets are sent at the specified interval to prevent the firewall from cutting idle connections.

Certificate: The field in which you paste the received certificate.

Field: Edit button

To be used when you want to edit the selected server connection.

Field: Delete button

To be used when you want to delete the selected server connection.

Field: Certificate button

Show the selected client certificate.

Access List


This tab allows you to set access rules for the tunnels defined. By default, all Nimsoft requests and messages can be routed over the Tunnel and dispatched on the other side. This routing will be transparent to all the users within Nimsoft.

Using the Access List, you can define a set of rules restricting the access privileges for defined Nimsoft Addresses/Commands/Users. The Access List must be defined on the Hub on the target side of the tunnel. Also, see the description below this table.

Field: Edit Rule

Use this field to define the access rules. You can select between three different types of rules:

Accept, enabling access for the specified Nimsoft Address/Command/User. Gives a rule to give access to a Nimsoft component (target, such as a probe, robot or hub) to execute one or more specific commands for one or more users.

Deny, denying access for the specified Nimsoft Address/Command/User. Gives a rule to deny access to a Nimsoft component (target, such as a probe, robot or hub) to execute one or more specific commands for one or more users.

Log, logging all requests through the tunnel with information recorded when the access list is being processed. This is normally used for debugging purposes when testing commands against targets before setting them up as access or deny rules. The result can be viewed in the hub log file before your deny or accept rules.

Three criteria are used when defining rules, and a rule is triggered only when all three criteria match:

Name, which is the name of a Hub, Robot or a Probe. These are listed in the Navigation Pane of the Infrastructure Manager.

Command, if you want to specify a specific command to allow or deny. The command-set varies from probe to probe. Right-clicking a probe and selecting CTRL+P opens the Probe utility window where you can find the command-set for the probe.

User, allowing or denying access for specific users.

Note that regular expressions are allowed.

Field: Add

Clicking this button adds the current contents of the Rule fields into the list of rules (a new rule will be added).

Field: Modify

You can modify a defined rule by selecting a rule in the list of rules, editing the Rule fields and then clicking the Modify button.

Field: Remove

Clicking this button deletes the selected rule.


Field: Move Up / Move Down

Use these buttons to change the order of the rules in the list. Note that the order of the rules defined is very important. The first rule in the list will be processed first, and the processing will stop on the first rule that matches all three criteria.

Field: Advanced tab

This tab contains three tunnel related alarm messages:

- Client could not Connect to Server
- Server has Disconnected from Client
- Client has Disconnected from Server

You are allowed to override the default severity settings for the alarm messages (or turn them off). Note that modifications do not take effect until the Hub is restarted.

Field: Ignore first probe port settings from controller

It is not necessary to select this option if only one tunnel is defined, as this tunnel will automatically be assigned the port number specified as First probe port number on the Setup > Advanced tab on the controller probe.

If more than one tunnel is defined, you should select this option, and the option First Tunnel Port (see below) will be activated.

Field: First Tunnel Port

If more than one tunnel is defined (see above), you should specify the first port in the range of ports to be used by the tunnels (do NOT use the same range as the controller's first probe port; see above). If this field is left blank, random ports will be assigned by the operating system.

Clients will be assigned ports from the configured port range and will keep that port as long as the hub is running.

Servers assign ports from the configured port number, adding 1 for each new client connection. The server does not know how many clients will connect and keeps no state on clients that have disconnected, and must therefore use the next port that it knows is available. From hub version 3.53, the hub resets the counter and starts all over if there are no active clients.

Field: Tunnel is Hanging Timeout

The hub continuously checks if one or more of the active tunnels are hanging. No new connections can be established through tunnels that are hanging.

If one or more tunnels are hanging, the hub attempts to restart the tunnel(s). If this does not succeed, the hub performs a restart after the specified number of seconds.


Field: Default Client Connection Pool Size

This setting lets you control the size of the tunnel session pool. The session pool is symmetric, meaning inbound and outbound connections have separate pools of the same size. So setting the value to 30 will create 60 connections between the client and the server.

The default is 5, which is sufficient if you only use the tunnel for Nimsoft management, but if you are running Enterprise Console or some other application and are fetching data through the tunnel you should turn the value up.

The optimal value on Windows is about 30. If the value is set too high, the performance has a tendency to drop.

Field: SSL Session Cache

Use Server Cache: Enable caching of SSL Sessions (reuse previous session credentials). This will speed up the connection time between the client and the server a lot, assuming the client has enabled 'Use Client Cache'.

Server Cache Timeout: Defines how long the cached sessions are valid for reuse by the client.

Server Cache Size: Defines how many sessions can be stored in the cache. When the cache is full, the oldest sessions will be thrown out when new connections are established.

Use Client Cache: Enable caching of SSL Sessions (reuse previous session credentials if still valid).


Using the Access List tab

Note the Access List tab, allowing you to set access rules for the tunnels defined. A Tunnel sets up a VPN-like (Virtual Private Network) connection between two Hubs separated by a firewall. By default, all Nimsoft requests and messages can be routed over the Tunnel and dispatched on the other side. This routing will be transparent to all the users within Nimsoft.

Using the Access List, you can define a set of rules restricting the access privileges for defined Nimsoft Addresses/Commands/User combinations. The Access List must be defined on the Hub on the target side of the tunnel.

Note that you may use regular expressions when defining the access rules.

Note: The order of the rules defined is very important. In the example below, the administrator user on all nodes will be able to access the target Hub through the tunnel (according to the first rule defined), while all other users are denied access.

If you swap the two rules, placing the Deny rule first, all users, including administrator, are denied access.

Note that the default action when no rule matches is Deny.
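The ordering rule described above, as an added Python model that is not Nimsoft's code: it evaluates Accept and Deny rules top to bottom, stops at the first rule matching all three criteria, and falls back to Deny. The rule fields are treated as Python regular expressions matched against the whole value (an assumption, since the hub's own pattern dialect is not specified here); the addresses, command and user names are constructed samples, and Log rules are left out.

```python
import re
from dataclasses import dataclass

CATCH_ALL = ".*"  # assumed pattern meaning "match anything"


@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "deny"
    name: str     # pattern for the Hub, Robot or Probe name
    command: str  # pattern for the command
    user: str     # pattern for the user


def evaluate(rules, name, command, user):
    """Return (action, index of the deciding rule, or None for the default)."""
    for index, rule in enumerate(rules):
        if (re.fullmatch(rule.name, name)
                and re.fullmatch(rule.command, command)
                and re.fullmatch(rule.user, user)):
            return rule.action, index   # first full match wins, processing stops
    return "deny", None                 # no rule matched: default action is Deny


def unreachable_rules(rules):
    """Indexes of rules placed after a rule that matches every request."""
    for index, rule in enumerate(rules):
        if (rule.name, rule.command, rule.user) == (CATCH_ALL,) * 3:
            return list(range(index + 1, len(rules)))
    return []


# Constructed rule list in the restrictive style: accept administrator
# on all nodes, then deny everyone else.
ADMIN_ONLY = [
    Rule("accept", CATCH_ALL, CATCH_ALL, "administrator"),
    Rule("deny", CATCH_ALL, CATCH_ALL, CATCH_ALL),
]
# The same two rules with the Deny rule placed first.
SWAPPED = list(reversed(ADMIN_ONLY))

# Constructed requests: (target address, command, user).
REQUESTS = [
    ("/dom/hub1/robot1/controller", "get_info", "administrator"),
    ("/dom/hub1/robot1/controller", "get_info", "operator"),
]

if __name__ == "__main__":
    for label, rules in (("accept first", ADMIN_ONLY), ("deny first", SWAPPED)):
        print(label, "- unreachable rules:", unreachable_rules(rules))
        for request in REQUESTS:
            print("   ", request, "->", evaluate(rules, *request))
```

Running `unreachable_rules` over a list before applying it flags rules that can never fire because a catch-all rule sits above them.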


Click the Apply button to activate the list when finished.

Tip: Note the two different approaches when setting up access lists:

■ When making a restrictive list, start with a few Accept rules, and finally make a Deny rule denying access for all others.
■ When making a less restrictive list, start with a few Deny rules, and finally make an Accept rule, giving access for all others.

Setting up a CA

Click the Active option on the Server Configuration tab to open the Certificate Authority Setup dialog.

Here you define the Certificate Authority (CA), on which all the Client Certificates you are going to define are based. It also generates the Server Certificate, using the information defined in the CA (Organization, password etc.):

Who (Optional): Organization, Organization unit and e-mail address of your organization.

Where (Optional): Country, state and community of your organization.

Authentication:

Common Name: The name of the CA.

Expire days: For how long the CA is valid.

Password: Password for the authentication.

If you click the CA button after the certificate is created, it is disabled and read-only.


The Status tab

This tab contains various status information about the queues, subjects and tunnels defined.

Field: Subscribers/Queues

This tab displays a list with status information on all subscribers/Queues on this Hub. The fields in the list are:

Name: The name of the queue.

Type: The subscriber type.

Queued: The number of messages that are currently waiting to be transferred. Unless you use message spooling, this number should be 0 in normal operation as long as the subscriber is alive.

Sent: The number of messages sent.

Subject/Queue: Name of the queue or subject that the subscriber subscribes to.

ID: An identifier for the connected probe or program.

Established: The date and time when the Hub was connected to the subscriber.

Address: The address of the subscriber.

Connection: The address of the subscriber’s network connection.

Field: Subjects

The Subjects tab shows a count of all messages that have been transferred since the last (re)start, grouped by the subject-ID.


Field: Tunnel Status

The upper list shows all tunnels that the Hub is running. The fields in the list are:

Peer Hub: The IP-address of the tunnel’s peer.

Started: The initial tunnel connection time.

Last: The time of the last connection through the tunnel.

Connection stats (ms): This column shows the statistics for the minimum/average/maximum time taken to set up the tunnel connection. A low minimum value could indicate a low bandwidth. A high minimum value and a high average value could indicate packet loss.

Connections: The number of connections made.

Traffic in/out: The amount of data received/sent through the tunnel.

If you click one of the tunnels, all its connections will be shown in the lower list. The fields in the list are:

State: The state of the connection (idle or active).

Started: When the connection was started.

Last: The time of the last transfer.

In: Amount of data received.

Out: Amount of data sent.

Address: The Nimsoft address of the target of the request.

Command: The command executed on the target of the connection.


Field: Tunnel statistics

This tab lists some tunnel statistics, such as Server start time, when the last connection was received and some SSL statistics. The statistics can be seen for the server or for each of the clients (can be selected from the drop-down list).

Setting up a tunnel

Decide in which direction the connection should be made. This decides which side should be set up as a Server in the Tunnel configuration.

Note: The Tunnel Client refers to the machine that initiates the setup of the tunnel. The Tunnel Server refers to the machine that accepts the attempt to set up the tunnel.

The following tasks must be performed in order to establish a tunnel:

On the server side:

■ The server must be configured as a Certificate Authority in order to be allowed to issue certificates. This is done by clicking the Active option on the Server Configuration tab (see figure below). A server certificate will also automatically be created.
■ A client certificate must be created.

On the client side:

■ The client certificate must be installed on the client side.

On the Hub on the Server side:

Setting up the Server

1. Open the hub configuration tool on the Hub computer by double-clicking the Hub Probe in Infrastructure Manager. Check the Enable Tunnelling option on the General tab.
2. Go to the Tunnels > Server Configuration tab and check the Active option.


The Certificate Authority (CA) Setup dialog appears.


Fill in organization and address information, give the CA a name, select a password and specify expire days (number of days before the server certificate expires). Click the OK button to finish this dialog.

The CA and the Server Certificate are now generated.

3. Select one of the predefined security settings None, Low, Medium or High, or you can select Custom, where you define your own security setting. For a custom definition, see http://www.openssl.org/docs/apps/ciphers.html.
4. Click the Apply button in order to start the Server.


Creating Client certificate(s)

1. Click the New button in the Issued Certificates field. The Client Certificate dialog appears.


Fill in organization and address information, fill in the IP-address of the hub on the client side in the Common name field (note that regular expressions or pattern matching may be used), select a password and specify expire days (number of days before the client certificate expires). Click the OK button.

2. Click the View button in the Issued Certificates field, and the Certificate Information dialog pops up. Click the Copy button, and the certificate is now copied to the clipboard. Now, open up a text editor (such as Notepad) and paste the certificate into a new blank file. Save the file to a floppy, USB, or network drive where the Tunnel client can access it. Exit Notepad and click the OK button to exit the Certificate Information dialog box.
3. Click the Apply button and click on Yes when asked to restart the probe.

On the Hub on the Client side:

1. Open the hub configuration tool on the Hub computer by double-clicking the Hub Probe in Infrastructure Manager. Check the Enable Tunnelling option on the General tab.
2. Go to the Tunnels > Client Configuration tab.
3. Click the New button, and the New Tunnel Connection dialog pops up.


4. Fill in the IP address of the Hub on the server side, the password used when generating the certificate, and copy the Certificate from the file into the Certificate field. Ensure that the Active Tunnel option is checked and click the OK button to close the dialog.
5. Click the Apply button to activate the Client.

The Tunnel should now be up and running!

Setting up a Tunnel in a NATed network

Networks that use NAT (Network Address Translation) affect how a Tunnel is configured. Some of the possibilities are described in the three scenarios below.

You should be aware that when a Tunnel is configured, it replaces the Static Hub and NAT setup in the Hub configuration.

Client address is NATed

The Client certificate must be issued to (CommonName) the IP address that is visible to the Server, in this case 10.2.1.111, not 193.71.55.111.

Server address is NATed


The Client must uncheck the ‘Check Server CommonName’ option in the Tunnel Client Setup Window. The reason for this is that the Server certificate has 10.1.1.1 as CommonName, not 202.1.1.1, which is what the Client sees.

Server and Client addresses are NATed

Combine the two methods described above. The Client certificate must be issued to (CommonName) the IP address that is visible to the Server (10.2.1.111) and the Client must uncheck the ‘Check Server CommonName’ option in the Tunnel Client Setup Window.

Advanced Configuration Settings

The following configuration settings can be used to solve the problems described below. This is done by defining the parameters as keys in the Hub Raw Configuration tool, launched by + right-clicking the Hub in the Infrastructure Manager and selecting Raw Configure. The keys must be defined in the hub section.


When the hub has too many subscriptions/queues, the performance of the hub can decrease. The following parameters can be used to raise an alarm if this happens.

subscriber_max_threshold
Specify the number of subscribers before sending an alarm.

subscriber_max_severity
Specify the severity of the alarm above.

The following parameters can be set to raise an alarm when a queue in the hub starts growing.

queue_growth_severity
Specify the severity of the queue growth alarm.

queue_growth_size
Specify the size of the queue growth alarm.

queue_connect_severity
Specify the severity of queue connect failures.

The following parameters can be set to force the restart of the hub if any tunnel is hanging and is not able to reconnect.

tunnel_hang_timeout
Specify the time before a tunnel is flagged as hanging.

tunnel_hang_retries
Specify the number of times the tunnel will try to reconnect before the hub is restarted.

The httpd probe provides a simple http (Hyper Text Transfer Protocol Daemon) server that can be used to share information across the intranet.

Advanced LDAP Configuration

Keys in the /LDAP/server section

Below you will find three keys that may be added to the HUB configuration file if you do not want to use the default parameters. These keys will be read by the Hub LDAP engine, and will have an impact on how the Hub communicates with the LDAP protocol.

use_ssl


If you want to use SSL, you don’t need to add this key. This key accepts the two strings: yes or no. Default is yes if the key is not supplied. This instructs the Hub LDAP library to turn on / off SSL during LDAP communication. A valid SSL certificate must be installed on your LDAP server.

Ports that will be used are 389 for normal LDAP connection, 636 for SSL connections. Currently, these cannot be changed.

Timeout

This key accepts a numerical value indicating the number of seconds to spend on each LDAP operation, whether it be searching or binding (authentication) operations. The default value is 10 seconds if the key is not provided.

codepage

This key will allow the user to change which codepage to use when translating characters from UTF-8 encoding to ANSI, which is what the Hub and all other Nimsoft parts use internally. Text is coming from the LDAP library as UTF-8 encoded characters. Since Nimsoft products do not have true Unicode support, the Hub attempts to translate all characters into ANSI using this codepage.

If you do not want to use the default codepages (see below), you must add this key.

On Windows platforms, the codepage must be a number representing the codepage you wish to use. See this page for a list of codepages: http://msdn.microsoft.com/en-us/library/ms776446(VS.85).aspx

On Windows, the Hub LDAP library will use the MultiByteToWideChar and WideCharToMultiByte functions to translate to and from ANSI/UTF-8. These functions take a codepage as a parameter.

On all other platforms, the Hub LDAP library will use iconv functions. Ref: http://www.gnu.org/software/libiconv/

The codepage key is not shipped with the Hub configuration file. The default value if none is specified is:

codepage value   OS        Description
28591            WINDOWS   ISO 8859-1 Latin 1; Western European (ISO)
ISO-8859-1       UNIX      ISO 8859-1 Latin 1; Western European (ISO)


On Windows platforms, it is a numerical value.

On Linux, it is a text string which can be passed into the iconv_open function.


Glossary
