Hub IM GUI Reference

To access the Infrastructure Manager hub configuration GUI, select the hub then either:
  • Right-click the hub and select Configure.
  • Expand the robot, and double-click the hub probe.
This article describes the tabs, fields, and options available in the Infrastructure Manager hub configuration GUI.
This article is for probe versions 7.9 or later. 
General Tab
The General tab contains basic hub information:
  • Hub information
    • Hub name
    • Domain - to which the hub belongs
    • Hub IP address
    • Hub address - UIM format: /domain/hub_name/robot_name/hub
    • Version - number and distribution date of the hub probe
    • Uptime - length of time from the last restart
    • Modify - open Edit Hub Address. Edit the hub name and the domain name. If these parameters are modified, the hub controller probe restarts.
  • License information - A hub maintains the licenses for all the connected robots.
    • When the license is invalid:
      • The message flow from the hub to the service probes and other subscribers stops
      • The messages from the robot spoolers stop
    • The license key contains the following fields:
      • Licenses in use - the number of robots that are connected to the hub, and the number of robots the license allows.
      • Expire date - when the license expires. An asterisk (*) indicates an unlimited license.
      • Owner - the owner of the license
    • Modify - open Edit License. License keys are provided by CA and must be entered exactly.
  • Log in Settings for this hub
    • Normal (login allowed) - allow users to log in to the hub from any robot.
    • Local machine only - allow normal logins from the hub server. Attempts to log in from remote robots are refused.
    • No login - disable local or remote login to the hub.
  • Log Level - specify the level of detail that is written to the log file. To reduce the disk usage, log at a low level. Increase the logging level for debugging.
  • Log Size - the size of the log file. Default, 1024 KB
  • Advanced - view and configure advanced options for the hub
    • Enable tunneling - activate the Tunnel configuration tab. To disable tunnels, clear the option, and click Apply.
    • Disable IP validation - use this option with Network Address Translation (NAT). See, Setting up a Tunnel in a NAT Environment.
    • Statistics - display the traffic statistics for the hub for the previous 12 hours.
      The graph shows the number of messages that are sent and received per minute, and the number of requests. Specify a time period in the Period section. Click Get to update the values.
      See, Checking Traffic Statistics.
    • Monitor - display the current hub traffic. See, Monitoring the Message Flow.
    • View Log - display the contents of the hub log file. Use the log settings to set the level of detail. The Log Viewer window contains:
      • File - save or print the file
      • Edit - copy the contents and search in the log file
      • Actions - limit the output in the window, and highlight text or dates within the log file
      • Start and Stop - start and stop the log file updates
    • Settings - open Hub Advanced Settings. See, Hub Advanced Settings.
Hub Advanced Settings
General,  Settings
The Hub Advanced Settings dialog contains three sections:
Hub Advanced Settings (2)
  • The Broadcast On section is not applicable for secure hub (9.10S).
  • The SSL tab is not applicable for secure hub (9.10S).
General Advanced Settings
The General tab:
  • Broadcast On - Hubs use a UDP broadcast to tell other hubs that they are alive. Use the option to turn the broadcast on and off. You can specify the hub broadcast address. Default, 255.255.255.255
    The Broadcast On section is not applicable for secure hub (9.10S).
  • Hub Settings
    • Hub Request Timeout - the timeout value for hub communication requests. Default, 30 seconds
    • Hub Update Interval - the interval at which the hub sends status information to the other hubs. Default, 600 seconds
  • Queue Settings
    • Reconnect Interval - the interval at which a disconnected queue is reconnected. Default, 180 seconds
    • Disconnect passive queues - the interval at which passive queues (no messages) are disconnected. Default, 180 seconds
    • Post Reply Timeout - the length of time a hub waits for a reply to a message. If no response is received within this interval, a timeout occurs.
    • Alarm on queue size - the size of the queue file (in MB) on the hub. If the queue exceeds this threshold, an alarm is sent. Default, 10 MB
  • Lock Out Time
    The hub implements extra security measures to avoid leaving the system vulnerable to brute-force password guessing.
    If the number of consecutive login failures from a user or an IP address reaches the Lock After Fails value, login is blocked until the Lock Out Time expires.
    These changes are not persistent. The changes do not survive a hub restart.
  • Origin - where a message comes from. QoS messages from probes are tagged with a name to identify the origin of the data. By default, the origin is the name of the parent hub of the probe.
  • To override the origin value:
    • Change the value. The new value is used for hub-managed QoS messages.
    • Set the origin at the robot level. Use Setup, Advanced in the controller configuration GUI.
  • Audit Settings for Robots - specify the recording of important events, such as starting and stopping the robot. The setting is used for all hub robots. Select one of the following options:
    • Override: audit off
    • Override: audit on
    • Use audit settings from robot
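The Lock Out Time behaviour described above, modelled as an added example (this is not hub code and not taken from the product). It assumes a successful login ends a run of consecutive failures; the user names and IP addresses are constructed.

```python
from collections import defaultdict


class LockoutTracker:
    """Block a user or an IP address after `lock_after_fails` consecutive
    login failures, until `lock_out_time` seconds have passed."""

    def __init__(self, lock_after_fails, lock_out_time):
        self.lock_after_fails = lock_after_fails
        self.lock_out_time = lock_out_time
        self.fails = defaultdict(int)  # key -> consecutive failures
        self.locked_until = {}         # key -> unlock time, kept in memory only

    @staticmethod
    def _keys(user, ip):
        # Failures are counted per user and per source IP, independently.
        return (("user", user), ("ip", ip))

    def is_locked(self, user, ip, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(user, ip))

    def attempt(self, user, ip, ok, now):
        """Record one login attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_locked(user, ip, now):
            return "blocked"
        for key in self._keys(user, ip):
            if ok:
                self.fails[key] = 0  # assumption: success ends the run
                continue
            self.fails[key] += 1
            if self.fails[key] >= self.lock_after_fails:
                self.locked_until[key] = now + self.lock_out_time
                self.fails[key] = 0
        return "ok" if ok else "failed"


def demo():
    """Constructed sequence: one source IP fails against three different users."""
    tracker = LockoutTracker(lock_after_fails=3, lock_out_time=60)
    src = "198.51.100.7"  # constructed address
    out = [tracker.attempt(u, src, False, now=t)
           for t, u in enumerate(["alice", "bob", "carol"])]
    # The IP is now locked even though no single user reached the threshold.
    out.append(tracker.attempt("dave", src, True, now=10))
    # The same user from another address is unaffected.
    out.append(tracker.attempt("dave", "203.0.113.9", True, now=10))
    # Once the Lock Out Time has expired, the first address may log in again.
    out.append(tracker.attempt("dave", src, True, now=62))
    # A restart is modelled by a new tracker: no lock state carries over.
    out.append(LockoutTracker(3, 60).is_locked("dave", src, now=10))
    return out
```

Because the lock state is not persistent, a hub restart clears active lockouts, so repeated failures that straddle a restart are worth reviewing in the hub log.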
SSL Advanced Settings
Hub, Settings, SSL
The SSL tab is not applicable for secure hub (9.10S).
Use the SSL tab to configure the hub SSL mode. The SSL mode specifies the communication mode for hub-managed components. The SSL mode is primarily used for robot-to-hub communication. When hubs are not connected by tunnels, the SSL mode controls hub-to-hub communications.
The hub controls SSL settings for UIM components. The hub propagates SSL settings to the robots. The robots propagate SSL settings to the probes. SSL settings are specific to each hub. Set the SSL mode on each hub.
Note: Hub v7.80 supports the TLS protocol by using TLS cipher suites for tunnels between hubs, and hub-to-robot SSL settings.
  • To restrict tunnel communication to TLS cipher suites, upgrade the hubs to v7.80. Select a cipher suite that resolves to TLS.
  • To use TLS with hubs that are at v7.71 and earlier, use a cipher suite resolving to TLS and SSLv3.
  • To use a TLS cipher suite for hub-to-robot SSL settings, use a cipher suite resolving to TLS and SSLv3.
Restart the tunnel server and tunnel clients when:
  • The tunnel server cipher suite is changed
  • The tunnel server hub is reverted to a prior release and the tunnel clients are using a TLS cipher suite
  • Mode provides three options:
    • Normal: SSL mode 0 — Unencrypted. The OpenSSL transport layer is not used.
    • Compatibility mode: SSL mode 1 — The hub and robot can communicate without encryption or with OpenSSL encryption. Components first attempt to use SSL. If a request is not acknowledged, the component sends unencrypted requests, so encryption is not guaranteed in this mode.
    • SSL Only: SSL mode 2 — OpenSSL encryption only
  • Cipher Type specifies the Cipher Suite that is used by the OpenSSL library.
LDAP Advanced Settings
Configuration options for LDAP:
  • Direct LDAP
    Configure the hub to forward login requests to an LDAP server. Users log in to the UIM console with LDAP credentials. Users belonging to different groups in LDAP can be assigned to different UIM Access Control Lists (ACLs).
    Due to the limited availability of the LDAP library, Direct LDAP is only available on Linux and Windows hubs. Native LDAP is not supported on Solaris.
    LDAP authentication includes:
    • Server Name - Configure the hub to point to a specific LDAP server, using IP address or host name. Use Lookup to test the communication. If you use a nonstandard port for the hub, use hostname:port to specify the LDAP server.
      You can specify multiple LDAP servers in this field. Separate each server with a space. The first entry is the primary LDAP server. More entries are secondary servers, which are used when the primary server is unavailable. If a nonprimary server is used, logins can take more time.
    • Server Type - two LDAP server types are supported: Active Directory and eDirectory
    • Authentication Sequence - the hub authentication sequence. If you select Nimsoft, LDAP, the user is verified against Nimsoft user credentials first. If verification fails, the hub attempts to verify using the LDAP server.
    • Use SSL - use SSL for LDAP communication. Most LDAP servers are configured to use SSL.
    • User and Password - the user name and password that is needed for querying the LDAP server
      • Active Directory - the user is specified as an ordinary user name
      • eDirectory - the user is specified as a path to the user in the format CN=yyy,O=xxx. CN is the user name, and O is the organization.
    • Group Container (DN) - a group container in LDAP which defines where, in the LDAP hierarchy, to search for groups. Click Test to verify that the container is valid.
    • User Container (DN) - a user container in LDAP which defines more specifically where to search for users in the LDAP structure.
    • Nimsoft Proxy Hub - The hub can be configured to specify a UIM probe address for login.
    • Proxy Hub - The drop-down list is empty by default. Click Refresh next to the drop-down list to perform a gethubs probe request on the hub. The drop-down list is populated with a list of known hubs.
    • Proxy Retries - the number of retries to perform when there are communication errors.
    • Authentication Sequence - if you select Nimsoft, LDAP, the user is verified against Nimsoft user credentials first. If the authentication fails, the hub tries to verify the credentials using LDAP server credentials.
    • Proxy Timeout - the time (in seconds) before the proxy is timed out.
Hubs Tab
The hubs tab lists all the known hubs, and displays information in different colors.
  • Blue - The hub is in the same domain as the hub you are currently logged in to.
  • Black - The hub is outside the current domain.
  • Red - The hub status is unknown. Typically, red is displayed when the hub is not running.
The Hubs tab
The hub list contains the following information about each hub:
  • Status indicator:
    • Green - running
    • Red - not running
    • Yellow - status unknown
  • Domain
  • Hub name
  • Version of the hub probe
  • Updated: shows when the hub was last updated
  • IP address for the hub
  • Port number for the hub
Right-clicking in the window displays four options:
  • Alive Check rechecks the status of the selected hub.
  • Response Check checks the response time (connect - reconnect, no transfer) between your hub and the one selected in the list.
  • Transfer Check transfers data from your hub to the selected hub, then checks the transfer rate.
  • Remove removes the selected hub from the hubs address list. If the hub is running, it can appear later.
Robots Tab
The Robot tab lets you set the alarm level for robots and displays robot information.
  • Inactive Robot Setup - If one of the robots that are listed is unavailable, set the severity level of the alarm that is issued.
  • Registered Robots displays the following information for each robot:
    • Name
    • Type - regular or passive
    • IP address
    • Version of the robot software
    • Created - when the robot was installed
    • Last Update - when the software was last updated
    • Operating system of the robot host system
The Robots tab
Right-click in the window to open a menu with the following options:
  • Restart - reread the configuration file for the selected robot
    • The robot is not restarted. If you change the robot configuration, restart the robot.
  • Check - checks the communication with the selected robot
  • Remove - the selected active or passive robot is removed from the list. An active robot can show up later because active robots periodically request that the hub add them to the Registered Robots list.
  • Add Passive Robot - open the dialog to add a passive robot
Name Services Tab
The Name Services tab is renamed to Network Aliases for secure hub (9.10S). Therefore, the Static Hubs section is not applicable for secure hub (9.10S).
A hub knows the IP address and port number of the probes started by the robots that it controls. The robots are responsible for reporting configuration changes and probe state to the hub. When a client sends a request to a probe, it asks the local hub for the address. If the target probe is on another hub, the request is forwarded to that hub. If the name lookup succeeds, the client sends the request to the probe.
  • Static Hubs
    The hubs discover each other by sending out broadcast (UDP) messages. Hubs that are separated by routers and firewalls are typically unable to discover other hubs with UDP. In this situation, you can configure a static route to the hubs.
    The Name Services tab
    Note the Synchronize option in the New Static Hub dialog. If the synchronize option is selected, the parent hub sends status information to the static hub. The parent hub receives status information from the static hub, unless you also disable the Synchronize option on the static hub. You can disable the synchronize option to reduce network traffic.
    Do not connect hubs with both a tunnel and a static route. In some situations, data is transmitted over the insecure static route rather than over the secure tunnel. If you create a tunnel between two hubs, delete any existing static routes.
  • Network Alias - the return address of a remote NAT hub
    • On hub A, set up the From address and the To address for hub B.
    • On hub B, set up the From address and the To address for hub A.
    When hub B sends a request to hub A, the request contains the hub B From address. Hub A uses the hub B To address to return a request to hub B.
Queues Tab
The Queues tab lists the defined message queues.
  • Queues that are automatically created
  • Queues that you manually create
For example, to send alarms from a nonprimary hub to the primary hub, create an attach queue, nas, with the subject alarm to forward alarms.
To edit a message queue, double-click the message queue, or select the message queue and click Edit.
To define a new queue, click New.
The Queues tab
A queue is a holding area for messages passing through the hub. Queues are temporary or permanent:
  • Permanent queue - content survives a hub restart
    • Permanent queues are used by service probes to receive all messages. If the service probe is not running, the messages are held in the queue. When the probe starts, the messages are delivered.
  • Temporary queue - content is cleared during restarts
    • Temporary queues are typically used for events that are sent to management consoles.
All queues that are defined on the Queues tab are permanent queues. Permanent queues have a name that is related to their purpose. The permanent queue, NAS, is attached to the Nimsoft Alarm Server (NAS).
You can create a permanent queue between two hubs. Define the queue as a post type queue. Use the full UIM address of the other hub.
  • A Post queue sends a directed stream of messages to the destination hub.
  • An Attach queue creates a permanent queue for a client Get queue to attach to.
  • A Get queue receives messages from a permanent Attach queue on another hub.
For example, the following queue, named get-hub-4, is defined as a Get queue.
  • get-hub-4 receives messages from the Attach queue xprone-attach
  • xprone-attach is defined on the remote hub /HubTest/wm-hub-4/vm-hub-4/hub.
The Queues tab (2)
The New Queue dialog contains the following fields:
  • Active - Select this option to activate the queue. The active state is reflected in the queue list under the Queues tab. You can activate and deactivate queues using the queue list.
  • Name (Required) - a unique and descriptive identifier for the queue.
  • Type (Required)
    • Post - send a directed stream of messages to the destination hub
    • Attach - a permanent queue that a remote get queue attaches to
    • Get - receives messages from a remote attach queue
  • Address - the UIM address of the source or target hub
    • Get and post queues only
    • Select the UIM address from the drop-down list
  • Queue (Applies to get queues) - specify the remote attach queue to receive messages from
  • Subject (Applies to attach or post queues) - specify the message subjects to send to the queue
    • Use an asterisk (*) as the subject to send all the messages
All UIM messages contain a Subject ID that classifies the message on the message bus. Components use Subject IDs to subscribe to some messages and ignore others. All messages with the same Subject ID have the same data structure.
Tunnels Tab
Select the Enable Tunneling option on the hub, General tab to enable the Tunnels tab.
  • Authorization and Authentication
    Tunnels use certificates to provide authorization and authentication. The client and the server require valid certificates from the same Certificate Authority (CA). The tunnel server is the CA, and only accepts certificates it issues.
  • Security Settings
    Use security settings to specify the level of encryption for a tunnel. The encryption settings range from None to Custom. When None is selected, the traffic is authenticated, and is not encrypted. No encryption is safe for tunnels within LANs and WANs. Higher encryption levels require greater resources.
Delete existing static hubs in Name Services when you are using tunnels.
The Tunnels tab
The tunnels tab contains four sections:
Server Configuration
Use the server configuration tab to configure the listening side of a tunnel.
  • Active - activate the tunnel server
    • When Active is selected, the Certificate Authority Setup dialog opens. See, Setting up a Tunnel.
  • Common name - the IP address of the tunnel server hub
  • Expire date - the date the server certificate expires
  • Port - the port that the tunnel server is listening on. Open this port in your router or firewall for incoming connections.
  • Security settings - select None, Low, Medium, High, or Custom. Use the Custom setting to define the security protocol. See,
  • Start and Stop - start and stop the tunnel server
  • Server - display the server details and the server certificate
  • CA - display the CA details and CA certificate
  • New - open the Client Certificate Setup dialog. You can create certificates for the clients you open for access. Supply a certificate password. The client requires the password, the certificate (encrypted text), and the server port number.
  • Delete - delete the selected client certificate
  • View - display the selected client certificate
Client Configuration
Use the client configuration tab to configure the connecting side of a tunnel.
  • Server - tunnel server IP address or hostname
  • Port - tunnel server port number
  • Heartbeat - keep-alive message interval
  • Description - description of the tunnel connection
  • New - open New Tunnel Connection. You can create a new tunnel connection to the server that has generated the certificate.
    • Active Tunnel - activate the tunnel connection
    • Check Server CommonName - Clear this option to disable the Server IP address verification (see, Setting up a Tunnel in a NAT Environment).
    • Description - description of the tunnel connection
    • Server - IP address of the tunnel server
    • Password - the password that you received with the server certificate
    • Server Port - the server communication port. Default, 48003
    • Keep-alive interval - small data packets are sent at the specified interval
    • Certificate - paste the client certificate in this field. See, Creating Client Certificates for more information.
  • Edit - edit the selected server connection
  • Delete - delete the selected server connection
  • Certificate - display the selected client certificate
Access List
By default, all requests and messages are routed through the tunnel. The routing is transparent to CA UIM users.
Use the Access List to set access rules for tunnels. Define the rules to restrict the access privileges for UIM addresses, commands, and users. Access Lists are defined on the tunnel client hub.
Access list rules:
  • Accept rules enable access. Set up rules to grant access to probes, robots, and hubs, and to execute specific commands for users.
  • Deny rules disallow access for the specified addresses, commands, or users.
  • Log rules log all requests through the tunnel. Use log rules for testing. View the results in the hub log file.
  • Use Edit Rule to add, modify, or delete access rules. Access rules consist of four criteria. When all four criteria are met, the rule is triggered.
    • Source IP is the name of the source hub, robot, or probe.
    • Destination Address is the address of the target hub, robot, or probe.
    • Probe Command is the specific command to allow or deny. The command set varies by probe. To view a command set, open the Probe Utility.
    • User is the user to allow or deny access.
    Note: Regular expressions are allowed.
  • The rules table displays the rules that you have created. The order of the rules is important. The first rule in the list is processed first. Processing stops on the first rule that matches all four criteria.
    Use the Move Up and Move Down buttons to change the order of the rules in the list.
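Why rule order matters in the Access List, as an added example (a model of the documented first-match behaviour, not the hub's own code). It assumes each regular expression must match the whole field; the addresses, the user names and the command constructed_restart are constructed, and gethubs is the probe request named earlier on this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "accept", "deny" or "log"
    source: str       # regex over the source hub, robot, or probe
    destination: str  # regex over the target address
    command: str      # regex over the probe command
    user: str         # regex over the user name

    def matches(self, req):
        # A rule is triggered only when all four criteria are met.
        # Assumption: a pattern must match the whole field.
        pairs = ((self.source, req["source"]),
                 (self.destination, req["destination"]),
                 (self.command, req["command"]),
                 (self.user, req["user"]))
        return all(re.fullmatch(p, v) for p, v in pairs)


def evaluate(rules, req):
    """Return (action, index) of the first matching rule, top to bottom."""
    for index, rule in enumerate(rules):
        if rule.matches(req):
            return rule.action, index
    return "default", None  # no rule fired


def unreached(rules, requests):
    """Indexes of rules that no request in the sample ever triggers."""
    hit = {evaluate(rules, r)[1] for r in requests}
    return [i for i in range(len(rules)) if i not in hit]


# Constructed rules: a broad accept for one user and a narrow deny.
ACCEPT_ADMIN = Rule("accept", ".*", ".*", ".*", "administrator")
DENY_RESTART = Rule("deny", ".*", "/Corp/hub-b/.*", "constructed_restart", ".*")

BROAD_FIRST = [ACCEPT_ADMIN, DENY_RESTART]
SPECIFIC_FIRST = [DENY_RESTART, ACCEPT_ADMIN]

# Constructed sample requests passing through the tunnel.
HUB_B_PROBE = "/Corp/hub-b/robot-1/controller"
REQUESTS = [
    {"source": "hub-a", "destination": HUB_B_PROBE,
     "command": "constructed_restart", "user": "administrator"},
    {"source": "hub-a", "destination": HUB_B_PROBE,
     "command": "gethubs", "user": "administrator"},
    {"source": "hub-a", "destination": HUB_B_PROBE,
     "command": "gethubs", "user": "operator1"},
]

if __name__ == "__main__":
    for name, rules in (("broad first", BROAD_FIRST),
                        ("specific first", SPECIFIC_FIRST)):
        print(name, [evaluate(rules, r) for r in REQUESTS],
              "unreached:", unreached(rules, REQUESTS))
```

With the broad accept on top, the deny rule is never reached for administrator; moving it up with Move Up changes the outcome for the same request.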
Advanced
Use the advanced tab to assign the first tunnel port, establish the hang timeout, and configure the SSL session cache.
  • Ignore first probe port settings from controller
    The first tunnel is automatically assigned the port number in First Probe Port Number on the Setup, Advanced tab in the controller configuration.
    If more than one tunnel is defined, select this option to enable the First Tunnel Port field.
  • First Tunnel Port
    For more than one tunnel, you can specify the first port in the range of ports to be used.
    When this field is blank, the operating system assigns random ports.
    Clients are assigned ports from the configured port range, and keep the port as long as the hub is running.
    Servers assign ports from the configured port number and increase for each new client connection. If there are no active clients, the hub resets the counter.
  • Tunnel is Hanging Timeout
    The hub continuously checks if one or more of the active tunnels are hanging. No new connections can be established through tunnels that are hanging.
    If a tunnel is hanging, the hub attempts to restart the tunnel. If the restart fails, the hub performs a restart after the specified number of seconds.
  • SSL Session Cache
    • Use Server Cache enables caching of SSL sessions, and reuse of session credentials. If Use Client Cache is enabled on the client, Use Server Cache speeds up the connection time.
    • Server Cache Timeout defines how long the cached sessions are valid for reuse by the client.
    • Server Cache Size defines how many sessions can be stored in the cache. When the cache is full, the oldest sessions are deleted as new connections are established.
    • Use Client Cache enables caching of SSL sessions on the client hub.
Status Tab
This tab contains four subsections that provide status information about the queues, subjects, and tunnels you have defined.
  • Subscribers/Queues displays a list with status information about all subscribers and queues on the hub. You can view the messages that the hub forwards. Use the status to assist with debugging and load monitoring for the hub. The fields in the list are:
    • Name of the queue
    • Type of subscriber
    • Queued shows the number of messages waiting to be transferred. If you do not use spooling, this number is typically 0, for as long as the subscriber is alive.
    • Sent shows the number of sent messages
    • Bulk Size is the maximum number of messages that are sent at once
    • Subject/Queue is the name of the queue or subject that the subscriber subscribes to
    • ID for the connected probe or program
    • Established shows when the hub connected to the subscriber
    • Address of the subscriber
    • Connection is the address of the subscriber network connection
  • Subjects - a count of messages by subject from the last restart
  • Tunnel Status displays two windows. The upper window, which shows all tunnels that the hub is running, provides this information:
    • Peer Hub is the IP address or hostname of the tunnel peer
    • Started shows the initial tunnel connection time
    • Last shows the time of the last connection through the tunnel
    • Connection stats (ms) are the statistics for the time that is taken to set up the tunnel connection
      • A low minimum value can indicate a low bandwidth
      • A high minimum value and a high average value can indicate packet loss
    • Connections shows the number of connections made
    • Traffic in/out shows the amount of data that is received and sent through the tunnel
    When you select a tunnel in the upper window, the connections appear in the lower window:
    • State of the connection (idle or active)
    • Start time of the connection
    • Last transfer time
    • In and Out show the amount of data that is received or sent
    • Address is the hostname of the target of the request
    • Command specifies the command that is executed on the target of the connection
  • Tunnel Statistics has statistics on SSL and on various events (such as server start time and when the last connection was received). Use the drop-down list to select the server or client to view.