
Page 1: Secure Domain Manager - ehealth-spectrum.ca.comehealth-spectrum.ca.com/support/secure/products/Spectrum_Doc/spec... · This software and/or user documentation is/are provided with

Secure Domain Manager

User Guide

Document 5171


Notice

Copyright Notice

Copyright © 2002-present by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability Disclaimer

Aprisma Management Technologies, Inc. (“Aprisma”) reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made.

The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information

SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to:

http://www.aprisma.com/support/secure/manuals/trademark-list.htm

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to [email protected]; we will do our best to help.

Restricted Rights Notice

(Applicable to licenses to the United States government only.) This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer

Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information

Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA

Phone: 603.334.2100
U.S. toll-free: 877.468.1448
Web site: http://www.aprisma.com

Contents

Preface (page 5)
  Organization (page 5)
  Text Conventions (page 6)
  Document Feedback (page 6)
  SPECTRUM OneClick documentation set (page 7)

Chapter 1: Introduction (page 9)
  Managing Highly Secure Network Environments (page 9)
  Operating SPECTRUM in a Highly Secure Network Environment (page 10)
  The Benefits of Working with Secure Domain Manager (page 11)
  How Secure Domain Manager Works (page 11)
  What’s Next (page 12)

Chapter 2: Installing and Configuring Secure Domain Manager (page 15)
  Installation Files (page 15)
  Installing the SDConnector Process (page 16)
  Launching the SDConnector Process (page 17)
    Command Line Options for SDConnector (page 17)
  Configuring and Launching the SDManager (page 18)
    Configuring SDManager to Launch Automatically (page 18)
    Command Line Options for SDManager (page 21)
  Creating an SDM Configuration (page 22)
  Configuring SNMP Trap Handling (page 23)
  What’s Next (page 24)

Chapter 3: Using Secure Domain Manager with OneClick (page 25)
  Importing the SDM Configuration File in OneClick (page 25)
  Modeling the Hosts Running SDConnectors in OneClick (page 26)
  Modeling the Devices in Remote Network Regions in OneClick (page 26)
    Using OneClick Create Model by IP (page 27)
    Using OneClick Discovery (page 28)
    Modeling Results (page 29)
  Searches in OneClick (page 29)
  Pinging Devices Located Behind a Firewall in OneClick (page 29)
  Secure Domain Manager Model Information (page 30)
  SDConnector Model Information (page 31)
    Secure Domain Connector Information (page 32)

Chapter 4: Using Secure Domain Manager with SpectroGRAPH (page 33)
  Importing the SDM Configuration File in SpectroGRAPH (page 33)
  Modeling the Hosts Running SDConnectors in SpectroGRAPH (page 34)
  Modeling the Devices in Remote Network Regions in SpectroGRAPH (page 34)
  Pinging Devices Located Behind a Firewall in SpectroGRAPH (page 35)
  Using JMib Tools (page 35)

Chapter 5: SPECTRUM Fault Isolation in the SDM Environment (page 37)
  Model SDConnectors as Host_Devices or Pingables (page 37)
  SDConnectors as a Bridge between Regions (page 37)

Appendix A: Using Secure Domain Manager with iAgent (page 39)

Appendix B: Configuring a Custom SDManager Listening Port (page 41)

Index (page 43)


Preface

This guide is intended for users and administrators of the Secure Domain Manager application.

Organization

This guide is organized as follows:

• Chapter 1, “Introduction,” on page 9 describes how Secure Domain Manager operates.

• Chapter 2, “Installing and Configuring Secure Domain Manager,” on page 15 provides instructions on how to install and configure the Secure Domain Manager application.

• Chapter 3, “Using Secure Domain Manager with OneClick,” on page 25 provides instructions on using Secure Domain Manager with the OneClick interface.

• Chapter 4, “Using Secure Domain Manager with SpectroGRAPH,” on page 33 provides instructions on using Secure Domain Manager with the SpectroGRAPH interface.

• Chapter 5, “SPECTRUM Fault Isolation in the SDM Environment,” on page 37 provides information on setting up Secure Domain Manager in a way that leverages SPECTRUM fault isolation capabilities.

• Appendix A, “Using Secure Domain Manager with iAgent,” on page 39 describes how to resolve problems running iAgent and Secure Domain Manager on the same host.

• Appendix B, “Configuring a Custom SDManager Listening Port,” on page 41 describes how to change the SDManager port on which SDConnector listens for traps.


Text Conventions

The following text conventions are used in this document:

Element: Variables (The user supplies a value for the variable.)
Convention Used: Courier and Italic in angle brackets (<>)
Example: Type the following: DISPLAY=<workstation name>:0.0 export display

Element: The directory where you installed SPECTRUM (The user supplies a value for the variable.)
Convention Used: <$SPECROOT>
Example: Navigate to: <$SPECROOT>/app-defaults

Element: Solaris and Windows directory paths
Convention Used: Unless otherwise noted, directory paths are common to both operating systems, with the exception that slashes (/) should be used in Solaris paths, and backslashes (\) should be used in Windows paths.
Example: <$SPECROOT>/app-defaults on Solaris is equivalent to <$SPECROOT>\app-defaults on Windows.

Element: On-screen text
Convention Used: Courier
Example: The following line displays: path=”/audit”

Element: User-typed text
Convention Used: Courier
Example: Type the following path name: C:\ABC\lib\db

Element: Cross-references
Convention Used: Underlined and hypertext-blue
Example: See “Document Feedback” on page 6.

Element: References to SPECTRUM documents (title and number)
Convention Used: Italic
Example: OneClick Console User Guide (5130)

Document Feedback

Please send feedback regarding SPECTRUM documents to the following e-mail address:

[email protected]

Thank you for helping us improve our documentation.

SPECTRUM OneClick documentation set

The SPECTRUM OneClick documentation set and other SPECTRUM documentation is available online at:

http://www.aprisma.com/support/secure/manuals/

Use this site to download the latest documentation updates and additions. To log on to the OneClick Documentation site, you must supply your contract number and license number.

The following table lists and describes documents in the SPECTRUM OneClick core documentation set:

OneClick Installation Guide (5142): Describes how to install and set up SPECTRUM OneClick.

OneClick Administration Guide (5166): Describes how to manage SPECTRUM OneClick.

OneClick Console User Guide (5130): Describes how to work with OneClick basic features.

Modeling Your IT Infrastructure: Describes how to define and manage models of your infrastructure in OneClick.

Software Release Notice (SRN): Provides late-breaking information not included in the SPECTRUM manuals. We recommend that you review this document before working with SPECTRUM. Typically, the SRN provides information about the latest changes, fixes, known issues, and work-arounds. You can access the SRN from the SPECTRUM product CD or from the SPECTRUM documentation web site.


Chapter 1: Introduction

Managing Highly Secure Network Environments

Firewalls provide much needed security to many network environments. In some network environments, multiple management regions are set up and separated from each other by firewalls. Figure 1-1 illustrates this network environment. Region A is the central region. Regions B and C are remote regions that are connected directly to the central region. Region D is not connected directly to the central region; instead, it is reached through multiple firewall hops.

Figure 1-1: A Highly Secure Network Environment (figure not reproduced; its labels mark the firewalls separating the network regions)

Operating SPECTRUM in a Highly Secure Network Environment

Because of security issues with SNMP and SNMPv2, network administrators often block SNMP traffic from crossing the firewall by blocking User Datagram Protocol (UDP) ports 161 and 162. Because SNMP is not allowed to traverse these network regions, managing a network with multiple regions is very difficult. Ideally, network administrators would like to open a single “hole” between only two, well-defined hosts in each firewall to allow secure management traffic to flow. Before the release of SPECTRUM’s Secure Domain Manager, using this single “hole” for network management was not possible.

In order for SPECTRUM to manage a highly secure network environment without Secure Domain Manager, network administrators deploy separate SpectroSERVER management/correlation engines in each of the network regions where most of the network elements managed by SPECTRUM are located.

For example, in the network shown in Figure 1-1, region A would contain the main SpectroSERVER, the SpectroGRAPH client application, the OneClick web server, and the SANM-enabled AlarmNotifier for alarm forwarding. Regions B and C would each contain a SpectroSERVER responsible for managing the devices in that region. The network administrator would configure the firewalls between region A and the adjacent regions to allow SPECTRUM server and client connections to be made between regions.

This configuration can cause redundant alarms when a network outage spans network elements that are located in both region A and region B or C. To minimize this problem, network administrators can choose to create “proxy models” on the SpectroSERVER in region A for each device that is managed by a SpectroSERVER in region B or C. The network administrator would create a proxy model for each physical connection that exists between devices in the adjacent regions and devices in the central region. The “real” model would exist on the region B and C SpectroSERVERs. The proxy models would be identical to the “real” models, but they would be configured not to poll the device with SNMP regularly, and the central SpectroSERVER would not receive SNMP traps from the devices.

However, in this scenario SNMP traffic between the regions is still essential. The central SpectroSERVER located in region A must send SNMP requests to the devices in regions B and C during the modeling phase. It may also need to send SNMP requests if there is a network outage that involves the proxied devices. Therefore, network administrators must configure the firewalls between the central SpectroSERVER and the adjacent regions to allow these SNMP requests to the devices for which the central SpectroSERVER has shadow/proxy models.

As you can see, this proxy model solution results in significant configuration effort to create these proxy models within the central SpectroSERVER.

The Benefits of Working with Secure Domain Manager

SPECTRUM’s Secure Domain Manager enhances SPECTRUM’s SNMPv3 management, allowing SPECTRUM to communicate with all SNMP devices (SNMPv1, SNMPv2, and SNMPv3) through a firewall. Secure Domain Manager facilitates the communication between the network regions, enabling you to securely send/receive SNMP and ICMP requests to devices located behind firewalls in other network regions. Using this mechanism, SPECTRUM can communicate without the restrictions discussed in “Operating SPECTRUM in a Highly Secure Network Environment” on page 10.

Important: To maintain optimal SpectroSERVER (SS) modeling capacity, we recommend that the SS/SDM installation has two CPUs, with one dedicated to the SpectroSERVER, and the other dedicated to servicing SDManager functions as described in “Configuring and Launching the SDManager” on page 18. SpectroSERVER modeling capacity is reduced by 40% if SDManager and SS are required to share a single processor to manage infrastructure elements. We also recommend having a host machine dedicated solely to running each SDConnector process as described in “Installing the SDConnector Process” on page 16.

How Secure Domain Manager Works

Secure Domain Manager consists of a local process that runs on the SpectroSERVER, called SDManager, and one or more remote proxies called SDConnectors. The SDConnectors replace the SpectroSERVERs in remote network regions (from Figure 1-1, regions B, C, and D), and each runs on a host machine located in its remote region. Figure 1-2 shows the network illustrated in Figure 1-1 with Secure Domain Manager deployed.


Figure 1-2: A Highly Secure Network Environment Using SDM

When the central SpectroSERVER located in region A must communicate with devices located in remote regions, the SpectroSERVER sends the requests to the SDManager. The SDManager converts the request from SNMP to XML and sends the data to the SDConnector located in the same region as the device. If the SDManager and SDConnector(s) have been configured to run with SSL, the XML data is encrypted and sent through the firewall to the SDConnector using SSL over TCP. When the SDConnector receives the data, it converts the information back to SNMP and sends it to the appropriate device. Devices that are located in regions that traverse more than one firewall such as region D are also manageable using this solution. To enable this communication, you must open a hole in each firewall. This hole must allow a well-known pair of hosts in adjacent regions to communicate via TCP.

Note: Devices located in the same region as the SpectroSERVER (region A) are managed without Secure Domain Manager using SNMP. The SpectroGRAPH, OneClick console, SANM-enabled AlarmNotifier, and any other SPECTRUM client applications will only connect to the single remaining SpectroSERVER within the central region.

What’s Next

Now that you understand the architectural components of Secure Domain Manager, you are ready to configure Secure Domain Manager and use either OneClick or SpectroGRAPH to manage its operation. Note that OneClick is the primary interface for configuring and running Secure Domain Manager.


Only a subset of the Secure Domain Manager functionality is provided in the SpectroGRAPH interface. The following chapters discuss how to configure and operate Secure Domain Manager:

• “Installing and Configuring Secure Domain Manager” on page 15: This chapter explains how Secure Domain Manager is installed and guides you through configuring Secure Domain Manger to suit the needs of your network environment.

• “Using Secure Domain Manager with OneClick” on page 25: If you are working in the OneClick environment, read this chapter to understand how to manage Secure Domain Manager using that interface.

• “Using Secure Domain Manager with SpectroGRAPH” on page 33: If you are working in the SpectroGRAPH environment, read this chapter to understand how to manage Secure Domain Manager using that interface.

• “SPECTRUM Fault Isolation in the SDM Environment” on page 37: This chapter explains how to model SDConnectors in a way that fully leverages SPECTRUM fault isolation capabilities.


Chapter 2: Installing and Configuring Secure Domain Manager

This chapter explains the elements of Secure Domain Manager that are installed on your machine and discusses how to configure these elements to run on the SpectroSERVER and remote hosts on your network.

Installation Files

If you have purchased the SPECTRUM Secure Domain Manager, the SPECTRUM installation process will install its components on the SpectroSERVER in the <$SPECROOT>/SDM directory. This directory contains the following files and subdirectories:

• Logs — This is a directory that contains output logs that are generated when you import a configuration file to the SpectroSERVER. Details of the work performed, including any errors that occur, are contained in the log file.

• README — This file provides an overview of Secure Domain Manager.

• Windows Executables

- SDManager.exe — The Windows executable that runs the SDManager process on the SpectroSERVER. You will configure this process to start automatically.

- SDConnector.exe.w32 — The Windows executable that runs the SDConnector process. You will copy this executable to host machines in network regions separated from the SpectroSERVER by a firewall.

• Solaris Executables

- SDManager — The 32-bit Solaris executable that runs the SDManager process on the SpectroSERVER. You will configure this process to start automatically.

- SDConnector.so132 — The 32-bit Solaris executable that runs the SDConnector process. You will copy this process to host machines in network regions separated from the SpectroSERVER by a firewall.


• srconf — This directory stores the SRI configuration files and the SSL certificates. Secure Domain Manager uses the following certificates for SSL connections between SDManager and remote SDConnectors.

- snmpricacert.pem — Master CA

- dsspmastercert.pem — SDManager CA

- dsspremotecert.pem — SDConnector CA

• sdm_config.xml.template — You use this template file as a basis for the SDM configuration file.

The following sections explain how to use these files to configure the Secure Domain Manager in your network environment.

Installing the SDConnector Process

In order for Secure Domain Manager to enable SPECTRUM to communicate across a firewall, there must be an SDConnector process running on a host machine in each network region separated from the SpectroSERVER by a firewall (see Figure 1-2: A Highly Secure Network Environment Using SDM on page 12). It is recommended that you have a host machine dedicated solely to running each SDConnector process.

Note: SDConnector installation system requirements are the same as those for SpectroSERVER-only installations (except for the special requirements for multiple disk configuration). See the SPECTRUM Installation Guide (5136) for details.

The following instructions explain how to place a copy of the SDConnector process on a host machine.

1. Create a directory for the SDConnector process on the host machine. You can choose any name for this directory.

2. Copy the SDConnector from the <$SPECROOT>/SDM directory on the SpectroSERVER to the directory you have created on the host machine.

3. Copy the contents of the entire <$SPECROOT>/SDM/srconf directory to the c:\etc directory (c:\etc\srconf\mgr). The srconf directory contains, among other things, the certificates needed for SSL security.

Note: If you want to put the srconf directory in a location other than the etc directory, you must set the SR_MGR_CONF_DIR variable in the environment in which you are running the SDConnector. SR_MGR_CONF_DIR must be set to the directory in which the srconf\mgr directory exists, e.g., d:\SPECTRUM\SDConnectorInstall\srconf\mgr.

4. To install SDConnector as a Windows service, run SDConnector with the -install option. Installing as a Windows service is optional. When installed as a Windows service, the service’s default name is “SNMP BRASS Remote extension”. The -svcname option can be used to specify a different service name. We recommend using “SPECTRUM SDConnector Service” as the service name.

See “Command Line Options for SDConnector” on page 17 for more information.

Launching the SDConnector Process

You launch the SDConnector process from the command line of the host machine using the following syntax:

Unix

<SDConnectorInstallDir> SDConnector <appropriate command line options>

Windows

<SDConnectorInstallDir> SDConnector.exe <appropriate command line options>

Command Line Options for SDConnector

Table 2-1 lists command line options that allow you to run the SDConnector to support various network configurations and varying levels of security.

Table 2-1: Command Line Options for the SDConnector

-connect ip:[port]
Establish a connection to the SDManager running at IP address <ip> and port <port>. If <port> is not specified, 6844 is assumed. An SDConnector can be connected to arbitrarily many SDManagers.

-accept ip:[port]
Listen for connections from an SDManager running on a host at address <ip>, at local port number <port>. If -accept is specified, connections must originate from an IP address specified in an -accept option; otherwise connect attempts will be disregarded. Specifying -listen (see below) overrides this behavior.

Note: In both cases, the address range for which requests are to pass through this SDConnector must be specified at the SDManager command line.

An SDConnector can be connected to arbitrarily many SDManagers.

-listen [port]
By default, the SDConnector listens at port 6844 for connection requests from any SDManager. However, if any -connect or -accept options are specified, then the SDConnector no longer listens by default. A port specified in a -listen option trumps a port specified in an -accept option. That is to say, if a port is specified in a -listen option, there will be no verification done of the source IP address for that port.

-nosecure
Secure Sockets Layer (SSL) is enabled by default. The -nosecure option disables the SSL functionality. If the -nosecure option is used before any -remoteconnect or -remoteaccept entries, SSL is disabled for all connections. Otherwise, you can specify the -nosecure option after each -remoteconnect / -remoteaccept entry and it will pertain just to that entry.

If SSL security is requested, the data stream is encrypted, and mutual cryptographic authentication is enforced. If either the SDManager or the SDConnector requests security, then security is mandatory on that connection.

-certdir dir
Look in the directory specified by dir for the application certificate and private key and the certificate authority certificate. If not specified, the default location will be used (/etc/srconf/mgr on Unix systems or c:\etc\srconf\mgr on Microsoft Windows systems). The certificate and password files will not be accessed if the -nosecure option is specified.

Page 18: Secure Domain Manager - ehealth-spectrum.ca.comehealth-spectrum.ca.com/support/secure/products/Spectrum_Doc/spec... · This software and/or user documentation is/are provided with

18 Secure Domain Manager User Guide

Chapter 2: Installing and Configuring Secure Domain Manager

Configuring and Launching the SDManagerFor Secure Domain Manager to enable SPECTRUM to communicate across a firewall, the SDManager process must be running on the SpectroSERVER machine in the main network region (see Figure 1-2 on page 12). It is recommended that you run Secure Domain Manager on a dual-CPU machine, with one CPU dedicated to the SpectroSERVER, and the other dedicated to the SDManager process.

Configuring SDManager to Launch Automatically

You can create a configuration that enables SDManager to launch automatically with the SpectroSERVER. To do this you will need to update the Secure Domain Manager idb file (SDM.idb). SPECTRUM’s processd uses idb files to start SPECTRUM processes and applications automatically. To edit the idb file:

1. Go to the <$SPECROOT>/lib/SDPM/partslist directory and locate the SDM.idb file.

2. Open the file using a text editor. Figure 2-1 shows an example file.

-privpassword pw SPECTRUM assumes that the private key for the application certificate is stored encrypted (password protected). If the default certificates supplied with the SDM product are used, -privpassword need not be supplied. Otherwise, supply the private key password here. If the password contains spaces, enclose it in quotation marks (").

Unix only option:

-d Do not daemonize. Ordinarily the SDConnector starts automatically as a daemon. Note that checks that fail after daemonization (for example, the location and readability of the certificate files) are not reported on the command line, only in the log file. The log file is named rbrassd.log and is written to /tmp unless the log directory is overridden with the SR_LOG_DIR environment variable.

Windows only options:

-install Install SDConnector as a Windows service. Any options specified after -install are saved and passed to SDConnector when the service starts. When installed as a Windows service, the service's default name is "SNMP BRASS Remote extension". Use the -svcname option to specify a different service name. We recommend using "SPECTRUM SDConnector Service" as the service name.

-remove Uninstall a previously installed SDConnector service.

-start Start the previously installed SDConnector service.

-stop Stop the previously started SDConnector service.

-install, -remove, -start, and -stop must be the first option on the SDConnector command line to take effect.

Table 2-1: Command Line Options for the SDConnector (Continued)

Option Description


Figure 2-1: The SDM.idb File

3. Add the options that configure SDManager for your environment to the end of this file. The complete option set is explained in “Command Line Options for SDManager” on page 21. The following is a typical series of options used to launch the SDManager. Note that -nosecure disables both encryption and mutual certificate authentication on the affected connection(s), so management traffic (SNMP requests and responses, including any community strings) crosses the firewall in cleartext; omit it, or apply it only to specific -remoteconnect entries, wherever that path is not otherwise protected.

-nosecure

-remoteconnect <ip address of SDConnector>

-remoterange <ip range of devices to be managed with SDM>

Note: Use a separate -remoterange <ip range> option for each subnet you want to manage, and place each -remoterange after the -remoteconnect entry for the SDConnector that serves that subnet.

4. (If you are upgrading to SDManager from SNMPv3 proxy) Copy customization configurations for SPECTRUM’s SNMPv3 proxy to SDManager.

If you are upgrading from SPECTRUM’s SNMPv3 proxy to SDManager, the upgrade process saves customized configuration files. You can restore the configurations after the upgrade:

• The SV3P_idb_SDM_user_migrate file is saved to the <$SPECROOT>/lib/SDPM/partslist directory. This was the SNMPv3 idb file used to launch the SNMPv3 functionality. If you customized this file in any way, copy the customizations to the SDM.idb file. You can delete the SV3P_idb_SDM_user_migrate file after you have restored the customizations.

• The srconf.SV3P_user_migrate directory is saved to the <$SPECROOT>/SDM directory. This directory contains SRI configuration files and the SSL certificates. If you customized the directory content and want to restore those settings, copy the customizations to the active <$SPECROOT>/SDM/srconf directory. You can delete the srconf.SV3P_user_migrate directory after you have restored the customizations.

Figure 2-1 (SDM.idb contents):

# Processd Install Ticket for Secure Domain Manager
PARTNAME;SDM;
APPNAME;Secure Domain Manager;
WORKPATH;$SPECROOT/SDM;
LOGNAMEPATH;$WORKPATH/SDManager.OUT;
ADMINPRIVS;y;
AUTORESTART;y;
AUTOBOOTSTART;y;
#STATEBASED;N;
NUMPROCS;1;    // one per host
RETRYTIMEOUT;0;
TICKETUSER;<user>;
RETRYMAX;0;
STARTPRIORITY;10;
SERVERPROCESS;Y;
ENV;SR_MGR_CONF_DIR=$WORKPATH/srconf/mgr;
ENV;SR_AGT_CONF_DIR=$WORKPATH/srconf/agt;
ARGV;$WORKPATH/SDManager<CSEXE> -c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle;


5. Stop and restart processd using the following instructions:

Unix

a. Log on as Root.

b. Navigate to SPECTRUM’s /lib/SDPM directory.

c. Stop processd by entering the following command:

processd.pl stop

d. Ensure that all SPECTRUM processes are shut down (otherwise problems with the SpectroSERVER may result).

e. Remove all entries in SPECTRUM’s /lib/SDPM/runtime directory.

f. Restart processd by entering the following command:

processd.pl start

Windows

a. Make sure you are logged on as a member of the Spectrum Users group.

b. Open a Command Prompt.

c. In the Command Prompt window, navigate to SPECTRUM’s /lib/SDPM directory.

d. Stop processd by entering the following command:

perl processd.pl stop

e. Restart processd by entering the following command:

perl processd.pl start

Note: On Windows 2000/NT, the processd.pl <start/stop> commands also stop and start the SPECTRUM processes that run as NT services, i.e. ICMPd, MySQL, and VisiBroker.

For more information on .idb files and processd, see the Distributed SpectroSERVER (2770) guide.

Note: For information on trap-storm handling options you can specify in the SDM.idb file, see “Configuring SNMP Trap Handling” on page 23.


Command Line Options for SDManager

Table 2-2 lists the command-line options that can be used when starting the SDManager process. When you edit the SDM.idb file, choose the appropriate options from this table to launch SDManager. Note that if you used the -nosecure option to launch one or more SDConnector processes, you must specify the same -nosecure option after the corresponding -remoteconnect/-remoteaccept entry on the SDManager command line, or specify -nosecure before all -remoteconnect/-remoteaccept entries to disable SSL for every connection.

Table 2-2: Command Line Options for SDManager

Option Description

-remoteconnect (-remc) ip[:port]

Establish a connection to the SDConnector running at IP address <ip> and port <port>. If <port> is not specified, 6844 is assumed.

-remoteaccept (-rema) ip[:port]

Listen on local port <port> for a connection from an SDConnector running on the host at address <ip>.

-remoterange (-remr) ip[/masklen]

Send SNMP/ICMP requests destined for ip/masklen to the most recently specified -remoteconnect or -remoteaccept. ip is a subnet address and masklen is the number of bits in the subnet mask. For example, if you specify a remoterange of 10.1.1.0/24, any SNMP or ICMP request seen by the SDManager for a target in that subnet (10.1.1.1 through 10.1.1.254) is sent to the SDConnector named in the most recently specified -remoteaccept or -remoteconnect argument.

If used, this option must be specified after a -remoteconnect or -remoteaccept option.

An SDManager can connect to arbitrarily many SDConnectors. If overlapping address ranges are provided, the SDConnector associated with the last specified matching range receives the packet.

-dropunconnected (-du) If an SNMP or ICMP request is to be sent to an SDConnector that is not currently connected, the request is dropped. The SDManager client receives a timeout notification.

-nosecure Secure Sockets Layer (SSL) is enabled by default. The -nosecure option disables SSL. If -nosecure appears before any -remoteconnect or -remoteaccept entry, SSL is disabled for all connections. Otherwise, place -nosecure after an individual -remoteconnect or -remoteaccept entry and it applies only to that entry.

If SSL is in effect, the data stream is encrypted and mutual certificate-based authentication is enforced. If either the SDManager or the SDConnector requests security, security is mandatory on that connection, so both ends must be configured consistently.

-certdir dir Look in the directory dir for the application certificate and private key, and for the certificate authority (CA) certificate. If not specified, the default location is used (/etc/srconf/mgr on Unix systems or c:\etc\srconf\mgr on Microsoft Windows systems). The certificate and password files are not accessed if -nosecure is specified.

-privpassword pw SPECTRUM assumes that the private key for the application certificate is stored encrypted (password protected). If the default certificates supplied with the SDM product are used, -privpassword need not be supplied. Otherwise, supply the private key password here. If the password contains spaces, enclose it in quotation marks ("). Two cautions: the password is visible to anyone who can read the SDM.idb file or list the process's command line, so restrict access to that file; and the default certificates are shared by every installation of the product, so mutual authentication only identifies your own SDConnectors once you replace them with certificates issued by your own CA.
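The following is an added example, not code from the guide or from Secure Domain Manager itself: a small Python interpreter for the routing options in Table 2-2. It applies the stated rules (a -remoterange binds to the most recently specified -remoteconnect/-remoteaccept, the last matching range wins when ranges overlap, -nosecure is global before the first peer entry and per-entry after one, -dropunconnected drops requests for peers that are not connected) so that the option list you plan to put in SDM.idb can be checked before SDManager is launched. It assumes the default port 6844 also applies to -remoteaccept, leaves the behaviour without -dropunconnected as a placeholder because the table does not describe it, and its data structures and function names are its own.

```python
"""Added example, not part of the Secure Domain Manager guide or product."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_PORT = 6844  # documented default for -remoteconnect; assumed here for -remoteaccept too


@dataclass
class Peer:
    mode: str            # "connect" (-remoteconnect) or "accept" (-remoteaccept)
    ip: str
    port: int
    secure: bool = True  # SSL with mutual authentication unless -nosecure applies


@dataclass
class SDManagerConfig:
    peers: List[Peer] = field(default_factory=list)
    # (network, peer) in command-line order; the last match wins on overlap
    routes: List[Tuple[ipaddress.IPv4Network, Peer]] = field(default_factory=list)
    drop_unconnected: bool = False
    secure_default: bool = True


def _parse_endpoint(spec: str) -> Tuple[str, int]:
    host, sep, port = spec.partition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return host, int(port) if sep else DEFAULT_PORT


def parse_sdmanager_args(cmdline: str) -> SDManagerConfig:
    """Apply the Table 2-2 option semantics to an SDManager argument string."""
    cfg = SDManagerConfig()
    args = shlex.split(cmdline)
    current: Optional[Peer] = None
    i = 0
    while i < len(args):
        opt = args[i]
        if opt in ("-remoteconnect", "-remc", "-remoteaccept", "-rema"):
            mode = "connect" if opt in ("-remoteconnect", "-remc") else "accept"
            ip, port = _parse_endpoint(args[i + 1])
            current = Peer(mode, ip, port, secure=cfg.secure_default)
            cfg.peers.append(current)
            i += 2
        elif opt in ("-remoterange", "-remr"):
            if current is None:
                raise ValueError("-remoterange must follow -remoteconnect/-remoteaccept")
            spec = args[i + 1]
            net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
            cfg.routes.append((net, current))
            i += 2
        elif opt == "-nosecure":
            if current is None:
                cfg.secure_default = False  # before any peer entry: all connections
            else:
                current.secure = False      # after a peer entry: that entry only
            i += 1
        elif opt in ("-dropunconnected", "-du"):
            cfg.drop_unconnected = True
            i += 1
        else:
            i += 1  # -listen, -trapport, -c64 and so on are not routing options
    return cfg


def route_for(cfg: SDManagerConfig, target: str) -> Optional[Peer]:
    """Return the SDConnector that carries a request for target, or None."""
    addr = ipaddress.ip_address(target)
    chosen = None
    for net, peer in cfg.routes:
        if addr in net:
            chosen = peer  # keep going: a later overlapping range overrides
    return chosen


def dispatch(cfg: SDManagerConfig, target: str, connected) -> str:
    """Outcome for one request, given the set of (ip, port) peers currently up."""
    peer = route_for(cfg, target)
    if peer is None:
        return "no-route"
    if (peer.ip, peer.port) not in connected:
        # "held" is this example's placeholder; the guide only documents the -du case
        return "dropped" if cfg.drop_unconnected else "held"
    return f"sent via {peer.ip}:{peer.port} ({'ssl' if peer.secure else 'plain'})"


# Constructed sample: the options from the SDM.idb ARGV line plus two
# SDConnectors using the addresses from the sdm_config.xml sample entries.
SAMPLE_ARGV = (
    "-c64 -d -secpack -listen 4747 -trapport 4748 -du -notrap_throttle "
    "-remoteconnect 192.168.166.33 -remoterange 10.254.13.0/24 "
    "-remoteconnect 1.2.3.4:6844 -nosecure -remoterange 10.253.9.0/28 "
    "-remoterange 10.254.13.128/25"
)

if __name__ == "__main__":
    cfg = parse_sdmanager_args(SAMPLE_ARGV)
    for target in ("10.254.13.5", "10.254.13.200", "10.253.9.3", "10.1.1.1"):
        print(target, "->", dispatch(cfg, target, {("192.168.166.33", 6844)}))
```

Run it against the ARGV line you intend to install and look for two things: a target that lands on an unexpected connector because a later -remoterange overlaps an earlier one, and a peer marked plain when you meant the connection to be protected.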


Creating an SDM Configuration

When you install Secure Domain Manager, the installation program creates a file called <$SPECROOT>/SDM/sdm_config.xml.template. You use this template file to create your SDM configuration file, which reflects the setup of your network.

The configuration file must contain an entry for each remote host running the SDConnector process. The entry must specify the IP address of the host and the IP ranges that the host services.

The following instructions explain how to create the configuration file:

1. Copy <$SPECROOT>/SDM/sdm_config.xml.template to a file named sdm_config.xml.

2. Open sdm_config.xml using a text editor.

3. Find the root XML element for this file: <distributed-brass-config>. All of the entries that you make must be within the root element, i.e., after the <distributed-brass-config> tag and before the </distributed-brass-config> tag.

4. Cut the following lines from the file; they are sample entries. Paste them into a separate text file to use as a syntax reference.

<remote-server addr="192.168.166.33" >

<remote-range subnet="10.254.13.0" bits="24" />

...

</remote-server>

<remote-server addr="1.2.3.4" >

<remote-range subnet="10.253.9.0" bits="28" />

<remote-range subnet="10.253.10.0" bits="30" />

...

</remote-server>

...

<remote-server addr="5.6.7.8" />

5. Using the syntax shown in the sample entries, create an entry for each remote host running the SDConnector and the IP range(s) it manages. For example, if you have a remote host 192.168.45.23 that manages the IP ranges 10.253.78.0/24 and 10.253.79.0/24, you would create the following entry:

<remote-server addr="192.168.45.23" >

<remote-range subnet="10.253.78.0" bits="24" />

<remote-range subnet="10.253.79.0" bits="24" />

</remote-server>


The IP address of the remote host is entered as the value of the addr attribute in the <remote-server> element. Each IP address range that the remote host manages is entered as the value of the subnet attribute in a <remote-range> element. Use the bits attribute in each <remote-range> element to enter the number of bits in the remote range’s subnet mask.

6. Repeat step 5 until you have created an entry for each remote host. Once you have created all of the appropriate entries, save the configuration file.

7. Once you have saved the configuration file, you must import it using OneClick or SpectroGRAPH. You can find instructions on performing this import in “Using Secure Domain Manager with OneClick” on page 25 or “Using Secure Domain Manager with SpectroGRAPH” on page 33.
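As an added example (this is not the guide's or the product's code), the following Python builds an sdm_config.xml in the element layout shown in step 4 and checks an existing file before you import it, since a syntax error otherwise only shows up in the SDM log after a failed import. The checks beyond well-formedness (each addr is a valid IPv4 address, each subnet is the network address for its bits value, no range is claimed by two connectors) are this example's own; the product's import may apply different rules.

```python
"""Added example, not part of the Secure Domain Manager guide or product."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ROOT_TAG = "distributed-brass-config"


def build_sdm_config(servers: Dict[str, List[Tuple[str, int]]]) -> str:
    """servers maps an SDConnector host address to its (subnet, bits) ranges."""
    root = ET.Element(ROOT_TAG)
    for addr, ranges in servers.items():
        ipaddress.IPv4Address(addr)  # rejects a typo such as 192.168.451.23
        srv = ET.SubElement(root, "remote-server", addr=addr)
        for subnet, bits in ranges:
            # strict mode: host bits must be zero, so 10.253.9.1/28 is refused
            ipaddress.IPv4Network(f"{subnet}/{bits}")
            ET.SubElement(srv, "remote-range", subnet=subnet, bits=str(bits))
    return ET.tostring(root, encoding="unicode")


def validate_sdm_config(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks importable."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != ROOT_TAG:
        problems.append(f"root element is <{root.tag}>, expected <{ROOT_TAG}>")
    seen: List[Tuple[ipaddress.IPv4Network, str]] = []  # (network, connector addr)
    for srv in root.iter("remote-server"):
        addr = srv.get("addr")
        try:
            ipaddress.IPv4Address(addr)
        except (ValueError, TypeError):
            problems.append(f"remote-server addr={addr!r} is not a valid IPv4 address")
        for rng in srv.findall("remote-range"):
            subnet, bits = rng.get("subnet"), rng.get("bits")
            try:
                net = ipaddress.IPv4Network(f"{subnet}/{bits}")
            except (ValueError, TypeError):
                problems.append(f"remote-range subnet={subnet!r} bits={bits!r} on {addr} is invalid")
                continue
            for other_net, other_addr in seen:
                if other_addr != addr and net.overlaps(other_net):
                    problems.append(f"{net} on {addr} overlaps {other_net} on {other_addr}")
            seen.append((net, addr))
    return problems


# Constructed sample using the addresses from the guide's sample entries.
SAMPLE_SERVERS = {
    "192.168.166.33": [("10.254.13.0", 24)],
    "1.2.3.4": [("10.253.9.0", 28), ("10.253.10.0", 30)],
    "5.6.7.8": [],
}

if __name__ == "__main__":
    text = build_sdm_config(SAMPLE_SERVERS)
    print(text)
    print("problems:", validate_sdm_config(text))
```

The overlap check matters because the configuration file, unlike the SDManager command line, has no documented "last one wins" rule; a subnet listed under two connectors is better caught here than debugged from VNM.out later.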

Configuring SNMP Trap Handling

You can selectively configure trap handling (trap filtering) for the SDManager (in the SDM.idb file) and for each SDConnector (on the command line or in a script) using the options described in Table 2-3. Alternatively, you can configure trap handling from a single point, the SpectroSERVER, by disabling trap handling on all Secure Domain Manager components; the SpectroSERVER then receives all traps from the regions where SDConnectors are installed. Under some circumstances, however, you might want to configure trap handling on some SDConnectors and not on others, or on the SDManager only. Note that trap handling configured on Secure Domain Manager components overrides the SpectroSERVER’s trap handling configuration, because traps dropped by the SDManager or an SDConnector never reach the SpectroSERVER. How you configure these options depends entirely on your requirements.

When trap handling is configured on the SDManager, it automatically filters incoming SNMP traps from an agent that generates more than a predefined number of traps per second (the -stormrate num option; the default is 10). The number of seconds for which SNMP traps from that agent are then dropped is the storm time (the -stormtime num_sec option; the default is 300). In other words, once incoming traps from an agent exceed the storm rate, the SDManager throttles the agent by dropping its traps for the number of seconds specified by the storm time.

Table 2-3: Command Line Options for Trap Handling

Option Description

-notrap_throttle Prevents SDManager from performing notification throttling. This option appears in the SDManager command line (SDM.idb file) by default. This option allows the SpectroSERVER to handle trap storms itself.

-stormrate num Sets the storm rate: the number of notifications per second from a single agent above which the SDManager starts filtering that agent’s notifications. The default is 10. This option has no effect if -notrap_throttle is included in the SDM.idb file or in the SDConnector start-up command.

-stormtime num_sec Sets the storm time: the length of time, in seconds, for which the SDManager drops notifications from an agent that has exceeded the storm rate. The default is 300. This option has no effect if -notrap_throttle is included in the SDM.idb file or in the SDConnector start-up command.
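The following is an added example, not the product's code: a Python model of the throttling behaviour described for -stormrate and -stormtime, using the Table 2-3 defaults (10 notifications per second, 300 seconds). Traps from one agent are counted over a one-second sliding window keyed by the agent's address; once the count exceeds the storm rate, everything from that agent is dropped until the storm time has elapsed. The page does not describe the product's internal algorithm, so the windowing and bookkeeping here are this example's own, and the trap arrivals are constructed with plain float timestamps so the run is repeatable offline.

```python
"""Added example, not part of the Secure Domain Manager guide or product."""
from collections import deque
from typing import Dict, Iterable, Tuple


class TrapThrottle:
    def __init__(self, stormrate: int = 10, stormtime: float = 300.0, enabled: bool = True):
        self.stormrate = stormrate
        self.stormtime = stormtime
        self.enabled = enabled                      # False models -notrap_throttle
        self._window: Dict[str, deque] = {}         # agent -> arrival times in the last second
        self._muted_until: Dict[str, float] = {}    # agent -> time when dropping ends

    def accept(self, agent: str, now: float) -> bool:
        """True if a trap from agent arriving at time now is forwarded."""
        if not self.enabled:
            return True
        until = self._muted_until.get(agent)
        if until is not None:
            if now < until:
                return False                # still inside the storm time: drop
            del self._muted_until[agent]    # storm time over; start counting again
        window = self._window.setdefault(agent, deque())
        window.append(now)
        while now - window[0] >= 1.0:       # keep only arrivals from the last second
            window.popleft()
        if len(window) > self.stormrate:
            self._muted_until[agent] = now + self.stormtime
            del self._window[agent]
            return False                    # the trap that tipped the rate is dropped too
        return True


def replay(throttle: TrapThrottle,
           traps: Iterable[Tuple[float, str]]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Feed (time, agent) arrivals in time order; return per-agent forwarded and dropped counts."""
    forwarded: Dict[str, int] = {}
    dropped: Dict[str, int] = {}
    for when, agent in sorted(traps):
        forwarded.setdefault(agent, 0)
        dropped.setdefault(agent, 0)
        if throttle.accept(agent, when):
            forwarded[agent] += 1
        else:
            dropped[agent] += 1
    return forwarded, dropped


# Constructed sample: 10.254.13.7 bursts 15 traps in under half a second and
# sends one more about 300 s later; 10.254.13.8 sends one trap per second.
SAMPLE_TRAPS = (
    [(i * 0.03, "10.254.13.7") for i in range(15)]
    + [(301.0, "10.254.13.7")]
    + [(0.5, "10.254.13.8"), (1.5, "10.254.13.8"), (2.5, "10.254.13.8")]
)

if __name__ == "__main__":
    fwd, drop = replay(TrapThrottle(), SAMPLE_TRAPS)
    print("throttled:", fwd, drop)
    fwd, drop = replay(TrapThrottle(enabled=False), SAMPLE_TRAPS)
    print("-notrap_throttle:", fwd, drop)
```

Two consequences worth noticing in the replay: the eleventh trap in the burst is itself dropped, not just the ones after it, and a well-behaved agent on the same SDConnector is unaffected because the window is per agent, which is what makes dropping at the SDManager (rather than at the SpectroSERVER) an acceptable place to absorb a storm.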


What’s Next

Once you have configured and launched the SDManager and SDConnector processes, you are ready to model and manage the remote connections using either OneClick or SpectroGRAPH. The following chapters explain how to work with each of these interfaces:

• “Using Secure Domain Manager with OneClick” on page 25

• “Using Secure Domain Manager with SpectroGRAPH” on page 33

For information on modeling SDConnectors in a way that fully leverages SPECTRUM fault isolation capabilities, see “SPECTRUM Fault Isolation in the SDM Environment” on page 37.


Chapter 3: Using Secure Domain Manager with OneClick

This chapter explains how to set up the OneClick environment to use the Secure Domain Manager.

Importing the SDM Configuration File in OneClick

Before you can begin using OneClick with the Secure Domain Manager, you must import the configuration file you created in “Creating an SDM Configuration” on page 22.

To import the configuration file:

1. Open the OneClick Console and choose Secure Domain Manager in the Navigation Panel as shown in Figure 3-1.

Figure 3-1: Navigation Panel

2. Choose the Information tab in the Component Detail panel.


3. Open the Configuration menu to display the options shown in Figure 3-2.

Figure 3-2: Importing the Configuration

4. Click the Import button.

5. Once the configuration file has imported correctly, the Secure Domain Manager Status in the Configuration menu will be Enabled.

Note: If your configuration file does not import correctly, you may have a syntax error in your file. SPECTRUM will report this error in an output log. Check the <$SPECROOT>/SDM/logs directory for an output log and check the <$SPECROOT>/SS/VNM.out file for error messages. Once you have corrected the syntax error, repeat the import process to correctly import the configuration. The previous XML configuration will remain in effect until the configuration is imported without errors.

Modeling the Hosts Running SDConnectors in OneClick

Once you have imported the configuration, you must begin the modeling process by modeling the host machines running the SDConnector process. Using OneClick’s Model by Type option, you can choose from three different model types to model the host machines:

• If the host machine is running an SNMP agent, you can use the Host_Device model type.

• If the host machine only supports ICMP, you can use the Pingable model type.

If you use either the Host_Device or Pingable model type, you will be able to monitor the status of the host machine, i.e. whether it is up or down.

• You can also choose to model the host machine using the SDConnectorProcess model type. This model type does not allow you to manage the device status (up or down), but does allow you to see the host machine represented in the OneClick Secure Domain Manager model hierarchy and gives you access to the views discussed in “SDConnector Model Information” on page 31.

Modeling the Devices in Remote Network Regions in OneClick

Once you have modeled the SDConnector machines, you must model the network elements that you are managing through a firewall. You can place the modeled elements anywhere in the topology view; they do not have to be placed in a specific container hierarchy. Once you successfully model the devices, SPECTRUM can communicate with them via the SDConnector process.

These network elements can be modeled using OneClick’s Create Model By IP or Discovery functions. The following sections give you instructions on using each of these functions to model the devices in the remote network regions.


Using OneClick Create Model by IP

You can use the OneClick Create Model By IP option to manually model each of the devices located behind your firewall(s). Repeat the following procedure for each device.

Note: For complete instructions on modeling devices in OneClick, see the Modeling Your IT Infrastructure (5167) guide.

1. From the Topology view, choose the Model by IP icon to bring up the Model by IP dialog (Figure 3-3).

2. Enter the IP address of the device you want to model.

3. In the Secure Domain Manager Options section, choose the appropriate level of SNMP.

4. Click the Exists in Secure Domain checkbox to enable it. Note that this option is not available unless you have imported the sdm_config.xml configuration file.

5. Choose the IP address of the host running the SDConnector in the network region for the device you are modeling.

6. Click OK.

Figure 3-3: Using Create Model By IP


Using OneClick Discovery

You can use OneClick Discovery to discover and model all devices in a network region with an SDConnector host. Using the procedure outlined below, specify the IP address of the host machine running the SDConnector and Discovery will communicate with the devices via the SDManager and SDConnector processes.

Only one SDConnector can be used for each discovery.

1. From the OneClick Tools menu, launch Discovery.

2. Complete the Discovery Configuration as appropriate for the network region you are modeling. See the Modeling Your IT Infrastructure (5167) guide for complete instructions on using Discovery.

3. Choose the Advanced Options button to bring up the Advanced Options dialog (Figure 3-4).

Figure 3-4: Advanced Discovery Options

4. From the Secure Domain Address field, choose the IP address of the host running the SDConnector in this network region. The Secure Domain Address field will not be enabled unless you have imported the sdm_config.xml configuration file.

5. Click OK to return to the Discovery Configuration.


6. Choose the Discover button to complete the Discovery.

Note: If you have already modeled the host machine running a remote SDConnector process using the SDConnectorProcess model, and you perform a discovery on the network region where the host exists, discovery may create an additional model of the host using the Host_Device or Pingable model. You can delete this duplicate model once it has been created or you can filter this model out of the discovery result set before it is created.

Modeling Results

Once you have finished modeling your devices either via Discovery or manual modeling, you will find all of the devices listed in the Secure Domain Connector Device Table of its corresponding SDConnector host icon. See “SDConnector Model Information” on page 31 for a complete explanation.

Searches in OneClick

There are several built-in searches provided with Secure Domain Manager. To access these searches, go to the OneClick Locator tab and choose Secure Domain Manager Searches. The searches shown in Figure 3-5 are available.

Figure 3-5: Secure Domain Manager Searches

Pinging Devices Located Behind a Firewall in OneClick

You can use the Ping menu option to ping devices located behind a firewall. Note that a successful ping will not display the number of bytes returned by the pinged device. The following example shows the result of a ping request:

Secure reply from 10.254.1.5: icmp_seq=4. time =140. ms

Instead of:

64 bytes from 10.254.1.5: icmp_seq=4. time =140. ms


Secure Domain Manager Model Information

The Secure Domain Manager model’s Information tab, located in the Component Detail panel (Figure 3-6), provides information about the configuration of Secure Domain Manager in your network environment.

The General Information section provides standard information about the Secure Domain Manager model.

The Configuration section is used to import the Secure Domain Manager Configuration (see “Importing the SDM Configuration File in OneClick” on page 25)

The Secure Domain Connector Host process list shows all of the host machines currently running SDConnector processes in remote network regions.

Figure 3-6: Secure Domain Manager Information


SDConnector Model Information

The Secure Domain Connector model’s Information tab, located in the Component Detail panel (Figure 3-7), provides information about the configuration of the Secure Domain Connector in your network environment.

The General Information and Modeling Information sections provide the standard OneClick information about the device model.

Figure 3-7: SDConnector Information


Secure Domain Connector Information

The Secure Domain Connector section provides two sub-sections, IP Range List (Figure 3-8) and Device Table (Figure 3-9).

The IP Range List shows the IP ranges of the devices that use the selected Secure Domain Connector (SDConnector) to communicate with SPECTRUM.

Figure 3-8: IP Range List

The Device Table lists all of the devices managed by the selected Secure Domain Manager Connector (SDConnector).

Figure 3-9: Device Table


Chapter 4: Using Secure Domain Manager with SpectroGRAPH

This chapter explains how to set up the SpectroGRAPH environment to use the Secure Domain Manager.

Importing the SDM Configuration File in SpectroGRAPH

Before you can begin using SpectroGRAPH with the Secure Domain Manager, you must import the configuration file you created in “Creating an SDM Configuration” on page 22.

To import the configuration file:

1. Select the VNM icon and choose Configuration from the Icon Subviews menu.

2. In the Configure/Landscape section of the Landscape Configuration dialog, choose Secure Domain Manager and click OK to launch the Secure Domain Manager Information view shown in Figure 4-1.

3. Click Import New SDM Configuration to import your configuration.

4. Once your configuration has been successfully imported, the Secure Domain Manager Status will read Enabled.

Note: If your configuration file does not import correctly, you may have a syntax error in your file. SPECTRUM will report this error in an output log. Check the <$SPECROOT>/SDM/logs directory for an output log and check the <$SPECROOT>/SS/VNM.out file for error messages. Once you have corrected the syntax error, repeat the import process to correctly import the configuration. The previous XML configuration will remain in effect until the configuration is imported without errors.


Figure 4-1: Secure Domain Manager Information View

Modeling the Hosts Running SDConnectors in SpectroGRAPH

Once you have imported the configuration, you must begin the modeling process by modeling the host machines running the SDConnector process. Using SpectroGRAPH’s Model by Type option, you can choose from three different model types to model the host machines:

• If the host machine is running an SNMP agent, you can use the Host_Device model type.

• If the host machine only supports ICMP, you can use the Pingable model type.

If you use either the Host_Device or Pingable model type, you will be able to monitor the status of the host machine, i.e. whether it is up or down.

• You can also choose to model the host machine using the SDConnectorProcess model type. This model type does not allow you to manage the device status (up or down).

Note: See “SPECTRUM Fault Isolation in the SDM Environment” on page 37 for modeling recommendations on how to leverage SPECTRUM fault isolation capabilities.

Modeling the Devices in Remote Network Regions in SpectroGRAPH

After you have modeled the SDConnector host machine(s), you must model the network elements that you are managing through a firewall. Once you successfully model the devices, SPECTRUM can communicate via the SDConnector process.


These network elements can be modeled using SpectroGRAPH’s Model by Type or Model by IP functions. As you model each network element, SPECTRUM will automatically detect the host machine and SDConnector process used to communicate through the firewall.

Pinging Devices Located Behind a Firewall in SpectroGRAPH

You can ping devices located behind a firewall using SpectroGRAPH’s Ping Through Server. To invoke the Ping Through Server command, in the Topology view click the model of the device you would like to ping and select Icon Subviews > Utilities > Ping Through Server. Note that a successful ping will not display the number of bytes returned by the pinged device. The following example shows the result of a ping request:

Secure reply from 10.254.1.5: icmp_seq=4. time =140. ms

Instead of:

64 bytes from 10.254.1.5: icmp_seq=4. time =140. ms

Using JMib Tools

If you are working with JMib Tools and the Secure Domain Manager is installed on the landscape from which JMib Tools was launched, you can choose an SDConnector host IP address to use for device communication. The Secure Domain Manager automatically populates JMib Tools with the list of SDConnector host IP addresses configured in the SPECTRUM database. When you launch JMib Tools from a device icon, the device’s IP address and SDConnector address (if any) are automatically selected (Figure 4-2) and displayed in the Criteria for Contacting Device section of the Browser window. All of the JMib Tools charting functionality also uses the selected SDConnector.

If Secure Domain Manager is not installed on the machine running JMib Tools, the SDConnector option box is not displayed. The only exception is when the SpectroSERVER is not running on that machine, i.e. the machine is a SpectroGRAPH-only machine. In this case the SDConnector option box is displayed, but a popup dialog reports that it could not be determined whether SDM is installed.

For more information on using JMib Tools, see the JMib Tools (1426) guide.

Figure 4-2: JMib Tools Browser


Chapter 5: SPECTRUM Fault Isolation in the SDM Environment

This chapter describes the preferred method for modeling SDConnectors to leverage SPECTRUM’s fault isolation capabilities.

Model SDConnectors as Host_Devices or Pingables

When you model SDConnectors, as described in “Modeling the Hosts Running SDConnectors in OneClick” on page 26 and “Modeling the Hosts Running SDConnectors in SpectroGRAPH” on page 34, you can choose one of the following model types:

• SDConnectorProcess

• Host_Device

• Pingable

We recommend that you model the SDConnector host as a Host_Device or Pingable model type so that SPECTRUM's fault isolation works correctly if a remote SDConnector process goes down or the connection to it is lost. SPECTRUM can then isolate the cause of the outage to the SDConnector host model, virtually eliminating unresolved fault alarms.

SDConnectors as a Bridge between Regions

Although the SDConnector host is most likely connected to a switch on the “edge” of a region’s network, logically it is the bridge between the two regions and must be modeled accordingly. Therefore place the SDConnector host model between the two devices that route traffic between the local and remote regions (Figure 5-1).


Figure 5-1: SDConnector as a Host_Device Model


Appendix A: Using Secure Domain Manager with iAgent

You may experience difficulties when trying to run SPECTRUM’s iAgent and the Secure Domain Manager on the same host machine. This problem exists because the SDManager process and the brassd process run by the iAgent application are essentially the same program. Because of this, both attempt to bind the same ports: the SNMP trap port (162) and the asynchronous (6842) and synchronous (6843) BRASS client ports.

In SPECTRUM version 7.1 SP3 and later, SPECTRUM's ICMPd process uses ports 6842 and 6843 to establish communication with SDManager. If the iAgent process is started before SDManager, iAgent binds the necessary ports and SDManager cannot. When ICMPd then connects to those ports, it is actually connecting to the iAgent process instead of SDManager, which causes unpredictable behavior in ICMPd.

To resolve this problem, configure SDManager to run in place of the iAgent brassd process; both applications can then run without conflict.

1. Stop the brassd process.

• In the Windows environment this process runs as a service called SNMP BRASS Management Multiplexer Agent. Open Windows Services on your machine and stop this service.

• In the Unix environment, use the kill command to stop the brassd process.

2. Configure iAgent to run even if the brassd process is not started.

In the Windows Services console, open the Properties view of the SNMP BRASS Management Multiplexer Agent service and set the Startup Type to Manual.

In the Unix environment, edit the ciagent file in /opt/Snmpri/CIAgent or /usr/local/Snmpri/CIAgent (whichever is the installation directory on your system) so that the BrassServer start and stop lines are commented out, as follows:

startprocs()
{
    if [ "$1" = "full" ] ; then
        $snmpridir/startscripts/EmanateMaster start
        $snmpridir/startscripts/Mib2agt start
        # $snmpridir/startscripts/BrassServer start

...and...

stopprocs()
{
    if [ "$1" = "full" ] ; then
        $snmpridir/startscripts/EmanateMaster stop
        $snmpridir/startscripts/Mib2agt stop
        # $snmpridir/startscripts/BrassServer stop

In the Unix environment you must also remove the rc.d soft link that points to /opt/Snmpri/startscripts/BrassServer to fully disable startup of the iAgent brassd on reboot.

3. Stop and restart SDManager: go to the $SPECROOT/lib/SDPM directory and restart the SPECTRUM processd with the following commands:

./processd.pl stop

./processd.pl start

4. Stop and restart the iAgent processes to ensure that brassd does not start up.

• In the Windows environment, run shutdown.bat and then startup.bat.

• In the Unix environment, run ciagent -fullstop and then ciagent -fullstart.
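The script below is an added example and is not part of the Secure Domain Manager guide or of the iAgent product. It gives you a way to confirm, between step 1 and step 3 above, that brassd has actually released the three contested ports before processd starts SDManager. It parses listener lines in the layout printed by Linux netstat -anp (a constructed sample is embedded; Solaris netstat does not print process IDs, and on Windows netstat -ano uses a different column layout, so adapt the awk field numbers there). The port list and the check that the owning process name ends in SDManager are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the SDM guide: report which process holds each of the
# ports that SDManager and iAgent's brassd both try to bind.
# Assumption: input lines follow the Linux "netstat -anp" layout, where column 4
# is "<addr>:<port>" and the last column is "<pid>/<name>".

SDM_PORTS="162 6842 6843"   # trap port, async and sync BRASS client ports

# Constructed sample output (illustration only): brassd still holds 162 and
# 6842, so a freshly started SDManager only obtained 6843.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:162             0.0.0.0:*                           2217/brassd
tcp        0      0 0.0.0.0:6842            0.0.0.0:*               LISTEN      2217/brassd
tcp        0      0 0.0.0.0:6843            0.0.0.0:*               LISTEN      3104/SDManager
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      981/sshd'

# sdm_port_owners NETSTAT_TEXT: print "<port> <pid>/<name>" for every SDM port
# that has a listener, or "<port> free" when nothing is bound to it.
sdm_port_owners() {
    input=$1
    for p in $SDM_PORTS; do
        owner=$(printf '%s\n' "$input" | awk -v port="$p" '
            $4 ~ (":" port "$") { print $NF; exit }')
        if [ -n "$owner" ]; then
            printf '%s %s\n' "$p" "$owner"
        else
            printf '%s free\n' "$p"
        fi
    done
}

# sdm_conflicts NETSTAT_TEXT: return 0 if every SDM port is free or held by
# SDManager; otherwise print the offending ports and return 1.
sdm_conflicts() {
    sdm_port_owners "$1" | awk '
        $2 != "free" && $2 !~ /SDManager$/ { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run against the constructed sample. On a live host use:
#   sdm_conflicts "$(netstat -anp 2>/dev/null)"
sdm_port_owners "$SAMPLE_NETSTAT"
if sdm_conflicts "$SAMPLE_NETSTAT" >/dev/null; then
    echo "SDM ports clear"
else
    echo "brassd still holds SDM ports: complete step 1 before step 3"
fi
```

Run the check after stopping brassd and again after the processd restart; a port reported as free or owned by SDManager is the expected state, and any other owner means ICMPd will be talking to the wrong process.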


Appendix B: Configuring a Custom SDManager Listening Port

Under some circumstances, the remote domain where the SDConnector is deployed might also be managed by another management entity that is listening on port 162. It might then be necessary to configure the SDConnector to listen on a different port, so that the devices it manages send traps and updates to that port. Because the SDConnector receives this configuration from the SDManager, the SDManager must be configured to listen on the custom port.

Procedure

To change the listening port:

1. Configure SDManager to listen for traps on the custom port. Port 11162 is used as the example throughout this procedure.

Add the following line to $SPECROOT/lib/SDPM/partslist/SDM.idb immediately after the existing ENV lines:

ENV;SR_TRAP_TEST_PORT=11162;

The SDConnector now listens for traps on port 11162, as configured for the SDManager to which it connects.

2. Change the port that SDManager uses to forward SNMP traps to SpectroSERVER from 4748 to 162 in the following files:

$SPECROOT/lib/SDPM/partslist/SDM.idb

Change the -trapport 4748 argument to -trapport 162.

/etc/services (Solaris)

C:\WINNT\system32\drivers\etc\services (Windows 2000)

C:\WINDOWS\system32\drivers\etc\services (Windows XP)

Change sr-unmtrap 4748/udp to sr-unmtrap 162/udp.

3. Make the following change in $SPECROOT/SS/.vnmrc.

Change brass_trap_port=4748 to brass_trap_port=162.


4. Stop SpectroSERVER, and then stop processd to shut down SDManager.

5. Restart processd, and then restart SpectroSERVER.
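The script below is an added example, not part of the Secure Domain Manager guide, for verifying the edits of steps 1 through 3 before the restart in steps 4 and 5. The four values have to agree: SR_TRAP_TEST_PORT is the custom listen port, while the -trapport argument, the sr-unmtrap services entry and brass_trap_port must all carry the same forwarding port. The file paths are parameters, so the check runs equally against the live files or against copies; the sample files it writes are constructed for illustration, and the lines surrounding the ENV line and the -trapport argument in the sample SDM.idb are not the real file format. One caveat the procedure does not spell out: on Unix, 162/udp is a privileged port, so whichever process is expected to bind it after step 2 must run with the privilege to do so.

```shell
#!/bin/sh
# Added example, not from the SDM guide: check that the trap-port settings
# changed in Appendix B agree with one another before restarting SpectroSERVER.

# Each helper prints the port found in one file (nothing if the setting is absent).
idb_listen_port() { sed -n 's/^ENV;SR_TRAP_TEST_PORT=\([0-9]*\);.*/\1/p' "$1" | head -n 1; }
idb_trapport()    { sed -n 's/.*-trapport \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1; }
services_port()   { awk '$1 == "sr-unmtrap" { split($2, a, "/"); print a[1]; exit }' "$1"; }
vnmrc_port()      { sed -n 's/^brass_trap_port=\([0-9]*\).*/\1/p' "$1" | head -n 1; }

# check_sdm_trap_ports SDM.idb SERVICES VNMRC LISTEN_PORT FORWARD_PORT
# Prints one line per setting; returns 0 only if all four match the expected
# values (the listen port from step 1, the forwarding port from steps 2 and 3).
check_sdm_trap_ports() {
    idb=$1; svc=$2; vnmrc=$3; want_listen=$4; want_fwd=$5
    rc=0
    for pair in "SR_TRAP_TEST_PORT:$(idb_listen_port "$idb"):$want_listen" \
                "-trapport:$(idb_trapport "$idb"):$want_fwd" \
                "sr-unmtrap:$(services_port "$svc"):$want_fwd" \
                "brass_trap_port:$(vnmrc_port "$vnmrc"):$want_fwd"; do
        name=${pair%%:*}; rest=${pair#*:}
        got=${rest%%:*}; want=${rest#*:}
        if [ "$got" = "$want" ]; then
            printf 'ok   %s=%s\n' "$name" "$got"
        else
            printf 'FAIL %s=%s (expected %s)\n' "$name" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# write_sample_files DIR: constructed sample files showing the state after
# steps 1-3. Only the ENV line and the -trapport argument come from the guide;
# the rest of the SDM.idb content is illustrative, not the real format.
write_sample_files() {
    printf 'ENV;SR_TRAP_TEST_PORT=11162;\nSDManager -trapport 162\n' >"$1/SDM.idb"
    printf 'sr-unmtrap\t162/udp\n' >"$1/services"
    printf 'brass_trap_port=162\n' >"$1/.vnmrc"
}

# Stand-alone run: a consistent set, then the same set with .vnmrc left at 4748.
# Against a live install, pass $SPECROOT/lib/SDPM/partslist/SDM.idb,
# /etc/services and $SPECROOT/SS/.vnmrc instead.
sample=$(mktemp -d)
write_sample_files "$sample"
check_sdm_trap_ports "$sample/SDM.idb" "$sample/services" "$sample/.vnmrc" 11162 162
printf 'brass_trap_port=4748\n' >"$sample/.vnmrc"
check_sdm_trap_ports "$sample/SDM.idb" "$sample/services" "$sample/.vnmrc" 11162 162 \
    || echo "settings disagree: fix them before steps 4 and 5"
rm -rf "$sample"
```

A FAIL line identifies the single file that was skipped or mistyped, which is the usual cause when traps from the remote region stop arriving after this change.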


Index

A
Accept, connection requests from SDManager 17
AlarmNotifier, in a secure environment 10
Alarms
    forwarding 10
    redundant 10
Automatic SDManager start 18

B
brassd application 39

C
Certificates, SSL connections between SDManager and SDConnectors
    dsspmastercert.pem 16
    dsspremotecert.pem 16
    snmpricacert.pem 16
    srconf directory 16
Command line options
    SDConnector 17
    SDManager 21
Configuration file
    configuring remote hosts 22
    import error log, OneClick 26
    import error log, SpectroGRAPH 33
    importing, OneClick 25
    importing, SpectroGRAPH 33
CPU requirement 11, 16, 18
Create Model by IP 26, 27
Custom configurations, restoring after upgrade 19
Custom SDManager listening port 41

D
Device Table 32
Discovery 26, 28
dsspmastercert.pem 16
dsspremotecert.pem 16

F
Fault isolation 37
Firewalls 9

H
Host_Device 26, 29, 34
Host_Device model type 37

I
iAgent, conflicts with SDManager 39
ICMP 26, 34
ICMPd 20, 39
idb file 18
Installation
    files and directories 15
    SDConnector 16
IP Range List 32

J
JMib Tools 35


M
Management regions 9
Model by IP 35
Model by Type 26, 35
Modeling
    devices in remote regions 26, 34
    host running SDConnectors 26
    recommended model types 37

N
notrap throttle 23

O
OneClick
    import configuration file 26
    modeling SDConnector host 26
    searches 29
    Secure Domain Manager on 25
Output logs 15

P
Ping Through Server command 35
Ping, devices behind firewall 29, 35
Pingable 26, 29, 34
Pingable model type 37
Private password 18, 21
processd, stop and start 20
Processor requirement 11, 16, 18

R
Remote hosts, configuring 22
Remote proxies 11

S
SDConnector 15, 16, 26
    accepting connection requests from SDManager 17
    command line options 17
    connection to the SDManager 17
    disable start as daemon option 18
    host machine requirement 16
    installation 16
    launching 17
    listening for connection requests from SDManager 17
    model information 31
    modeling hosts, OneClick 26
    modeling hosts, SpectroGRAPH 34
    remote proxies 11
SDConnector.exe 15
SDConnectorProcess model type 26
SDM.idb 18
sdm_config.xml.template 16, 22
SDManager 11, 15
    automatic start 18
    certificates and password files 21
    command line options 21
    connection to the SDConnector 21
    dropped SNMP and ICMP requests 21
    launching 18
    listen for SDConnector connections 21
    model information 30
    searches 29
SDManager.exe 15
Searches 29
Secure Socket Layers (SSL)
    certificate and password files 17
    disable 17
    enabling 17
SNMP to XML conversion 12
SNMP traps, managing 23
    notrap throttle 23
    stormrate num 23
    stormtime num sec 23
snmpricacert.pem 16
SNMPv3 proxy, upgrade to SDManager 19
SpectroGRAPH
    import configuration file 33
    modelling SDConnector host machines 34
srconf 16
srconf.SV3P_user_migrate 19
stormrate num 23
stormtime num sec 23
SV3P_idb_SDM_user_migrate 19

U
Upgrading to SDManager from SNMPv3 proxy 19

X
XML 12