Hub IM GUI Reference
To access the Infrastructure Manager hub configuration GUI, select the hub then either:
- Right-click the hub and select Configure.
- Expand the robot, and double-click the hub probe.
This article describes the tabs, fields, and options available in the Infrastructure Manager hub configuration GUI.
This article is for probe versions 7.9 or later.
The General tab contains basic hub information:
- Hub information
- Hub name
- Domain- to which the hub belongs
- Hub IP address
- Hub address- UIM format: /domain/hub_name/robot_name/hub
- Version- number and distribution date of the hub probe
- Uptime- length of time from the last restart
- Modify- open Edit Hub Address. Edit the hub name and the domain name. If these parameters are modified, the hub controller probe restarts.
- License information- A hub maintains the licenses for all the connected robots.
- When the license is invalid:
- The message flow from the hub to the service probes and other subscribers stops
- The messages from the robot spoolers stop
- The license key contains the following fields:
- Licenses in use- the number of robots that are connected to the hub, and the number of robots the license allows.
- Expire date- when the license expires. An asterisk (*) indicates an unlimited license.
- Owner- The owner of the license
- Modify- open Edit License. License keys are provided by CA and must be entered exactly.
- Log in Settings for this hub
- Normal (login allowed)- allow users to log in to the hub from any robot.
- Local machine only- allow normal logins from the hub server. Attempts to log in from remote robots are refused.
- No login- disable local or remote login to the hub.
- Log Level- specify the level of detail that is written to the log file. To reduce the disk usage, log at a low level. Increase the logging level for debugging.
- Log Size- the size of the log file. Default, 1024 KB
- Advanced- view and configure advanced options for the hub
- Enable tunneling- activate the Tunnel configuration tab. To disable tunnels, clear the option, and click Apply.
- Disable IP validation- use this option with Network Address Translation (NAT). See, Setting up a Tunnel in a NAT Environment.
- Statistics- display the traffic statistics for the hub for the previous 12 hours. The graph shows the number of messages that are sent and received per minute, and the number of requests. Specify a time period in the Period section. Click Get to update the values. See, Checking Traffic Statistics.
- Monitor- display the current hub traffic. See, Monitoring the Message Flow.
- View Log- display the contents of the hub log file. Use the log settings to set the level of detail. The Log Viewer window contains:
- File- save or print the file
- Edit- copy the contents and search in the log file
- Actions- limit the output in the window, and highlight text or dates within the log file
- Start and Stop- start and stop the log file updates
- Settings- open Hub Advanced Settings. See, Hub Advanced Settings.
Hub Advanced Settings
The Hub Advanced Settings dialog contains three sections:
- The Broadcast On section is not applicable for secure hub (9.10S).
- The SSL tab is not applicable for secure hub (9.10S).
General Advanced Settings
- Broadcast On- Hubs use a UDP broadcast to tell other hubs that they are alive. Use the option to turn the broadcast on and off. You can specify the hub broadcast address. Default, 255.255.255.255. The Broadcast On section is not applicable for secure hub (9.10S).
- Hub Settings
- Hub Request Timeout- the timeout value for hub communication requests. Default, 30 seconds
- Hub Update Interval- the interval at which the hub sends status information to the other hubs. Default, 600 seconds
- Queue Settings
- Reconnect Interval- the interval at which a disconnected queue is reconnected. Default, 180 seconds
- Disconnect passive queues- the interval at which passive queues (no messages) are disconnected. Default, 180 seconds
- Post Reply Timeout- the length of time a hub waits for a reply to a message. If no response is received within this interval, a timeout occurs.
- Alarm on queue size- the size of the queue file (in MB) on the hub. If the queue exceeds this threshold, an alarm is sent. Default, 10 MB
- Lock Out Time- The hub implements extra security measures to avoid leaving the system vulnerable to brute-force password guessing. If the number of consecutive login failures from a user or an IP address reaches the Lock After Fails value, login is blocked until the Lock Out Time expires. These changes are not persistent. The changes do not survive a hub restart.
- Origin- where a message comes from. QoS messages from probes are tagged with a name to identify the origin of the data. By default, the origin is the name of the parent hub of the probe.
- To override the origin value:
- Change the value. The new value is used for hub-managed QoS messages.
- Set the origin at the robot level. Use Setup, Advanced in the controller configuration GUI.
- Audit Settings for Robots- specify the recording of important events, such as starting and stopping the robot. The setting is used for all hub robots. Select one of the following options:
- Override: audit off
- Override: audit on
- Use audit settings from robot
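The lockout behaviour described under Lock Out Time, replayed over a constructed login sequence. This is an added example, not CA UIM code. It assumes the hub keeps one consecutive-failure counter per user and one per source IP, that a successful login resets both, and that Lock Out Time is in seconds.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutTracker:
    lock_after_fails: int   # the "Lock After Fails" value
    lock_out_time: float    # the "Lock Out Time" value (assumed seconds)
    fails: dict = field(default_factory=dict)         # key -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # key -> unlock timestamp

    @staticmethod
    def _keys(user, ip):
        # Failures are counted "from a user or an IP address": track both.
        return (("user", user), ("ip", ip))

    def attempt(self, user, ip, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        keys = self._keys(user, ip)
        if any(self.locked_until.get(k, 0) > now for k in keys):
            return "blocked"            # refused before the password is checked
        for k in keys:
            if password_ok:
                self.fails.pop(k, None)  # assumption: success ends the run
            else:
                self.fails[k] = self.fails.get(k, 0) + 1
                if self.fails[k] >= self.lock_after_fails:
                    self.locked_until[k] = now + self.lock_out_time
                    self.fails[k] = 0
        return "ok" if password_ok else "failed"


# Constructed events: (time in seconds, user, source IP, password correct?)
EVENTS = [
    # One source trying many accounts: the per-IP counter trips.
    (0, "alice", "203.0.113.7", False),
    (1, "bob", "203.0.113.7", False),
    (2, "carol", "203.0.113.7", False),
    (3, "dave", "203.0.113.7", True),      # correct password, but IP is locked
    # Many sources trying one account: the per-user counter trips.
    (10, "admin", "198.51.100.1", False),
    (11, "admin", "198.51.100.2", False),
    (12, "admin", "198.51.100.3", False),
    (13, "admin", "192.0.2.10", True),     # the real admin is locked out too
    (312, "admin", "192.0.2.10", True),    # lock set at t=12 has expired
]


def replay(events, lock_after_fails=3, lock_out_time=300):
    """Run the events through a fresh tracker and return each outcome."""
    tracker = LockoutTracker(lock_after_fails, lock_out_time)
    return [tracker.attempt(u, ip, ok, now) for now, u, ip, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

The second group of events shows the operational cost of per-user lockout: failures from unrelated addresses lock the legitimate user out for the full Lock Out Time.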
SSL Advanced Settings
Hub, Settings, SSL
The SSL tab is not applicable for secure hub (9.10S).
Use the SSL tab to configure the hub SSL mode. The SSL mode specifies the communication mode for hub-managed components. The SSL mode is primarily used for robot-to-hub communication. When hubs are not connected by tunnels, the SSL mode controls hub-to-hub communications.
The hub controls SSL settings for UIM components. The hub propagates SSL settings to the robots. The robots propagate SSL settings to the probes. SSL settings are specific to each hub. Set the SSL mode on each hub.
Note: Hub v7.80 supports the TLS protocol by using TLS cipher suites for tunnels between hubs, and hub-to-robot SSL settings.
- To restrict tunnel communication to TLS cipher suites, upgrade the hubs to v7.80. Select a cipher suite that resolves to TLS.
- To use TLS with hubs that are at v7.71 and earlier, use a cipher suite resolving to TLS and SSLv3.
- To use a TLS cipher suite for hub-to-robot SSL settings, use a cipher suite resolving to TLS and SSLv3.
Restart the tunnel server and tunnel clients when:
- The tunnel server cipher suite is changed
- The tunnel server hub is reverted to a prior release and the tunnel clients are using a TLS cipher suite
- Mode provides three options:
- Normal (SSL mode 0)- Unencrypted. The OpenSSL transport layer is not used.
- Compatibility mode (SSL mode 1)- The hub and robot can communicate without encryption or with OpenSSL encryption. Components first attempt to use SSL. If a request is not acknowledged, the component sends unencrypted requests.
- SSL Only (SSL mode 2)- OpenSSL encryption only
- Cipher Type specifies the Cipher Suite that is used by the OpenSSL library.
LDAP Advanced Settings
Configuration options for LDAP:
- Direct LDAP- Configure the hub to forward login requests to an LDAP server. Users log in to the UIM console with LDAP credentials. Users belonging to different groups in LDAP can be assigned to different UIM Access Control Lists (ACLs). Due to the limited availability of the LDAP library, Direct LDAP is only available on Linux and Windows hubs. Native LDAP is not supported on Solaris. LDAP authentication includes:
- Server Name- Configure the hub to point to a specific LDAP server, using IP address or host name. Use Lookup to test the communication. If you use a nonstandard port for the hub, use hostname:port to specify the LDAP server. You can specify multiple LDAP servers in this field. Separate each server with a space. The first entry is the primary LDAP server. More entries are secondary servers, which are used when the primary server is unavailable. If a nonprimary server is used, logins can take more time.
- Server Type- two LDAP server types are supported: Active Directory and eDirectory
- Authentication Sequence- the hub authentication sequence. If you select Nimsoft, LDAP, the hub verifies Nimsoft user credentials first. If verification fails, the hub attempts to verify using the LDAP server.
- Use SSL- use SSL for LDAP communication. Most LDAP servers are configured to use SSL.
- User and Password- the user name and password that is needed for querying the LDAP server. Active Directory- the user is specified as an ordinary user name. eDirectory- the user is specified as a path to the user in the format CN=yyy,O=xxx. CN is the user name, and O is the organization.
- Group Container (DN)- a group container in LDAP which defines where, in the LDAP hierarchy, to search for groups. Click Test to verify that the container is valid.
- User Container (DN)- a user container in LDAP which defines more specifically where to search for users in the LDAP structure.
- Nimsoft Proxy Hub- The hub can be configured to specify a UIM probe address for login.
- Proxy Hub- The drop-down list is empty by default. Click Refresh next to the drop-down list to perform a gethubs probe request on the hub. The drop-down list is populated with a list of known hubs.
- Proxy Retries- the number of retries to perform when there are communication errors.
- Authentication Sequence- if you select Nimsoft, LDAP, the hub verifies Nimsoft user credentials first. If the authentication fails, the hub tries to verify the credentials using LDAP server credentials.
- Proxy Timeout- the time (in seconds) before the proxy is timed out.
The hubs tab lists all the known hubs, and displays information in different colors.
- Blue- The hub is in the same domain as the hub you are currently logged in to.
- Black- The hub is outside the current domain.
- Red- The hub status is unknown. Typically, red is displayed when the hub is not running.
The hub list contains the following information about each hub:
- Status indicator:
- Green- running
- Red- not running
- Yellow- status unknown
- Version of the hub probe
- Updated: shows when the hub was last updated
- IP address for the hub
- Port number for the hub
Right-clicking in the window displays four options:
- Alive Check rechecks the status of the selected hub.
- Response Check checks the response time (connect - reconnect, no transfer) between your hub and the one selected in the list.
- Transfer Check transfers data from your hub to the selected hub, then checks the transfer rate.
- Remove removes the selected hub from the hubs address list. If the hub is running, it can appear later.
The Robot tab lets you set the alarm level for robots and displays robot information.
Inactive Robot Setup- If one of the robots that are listed is unavailable, set the severity level of the alarm that is issued.
- Registered Robots displays the following information for each robot:
- Type- regular or passive
- Version of the robot software
- Created- when the robot was installed
- Last Update- when the software was last updated
- Operating system of the robot host system
Right-click in the window to open a menu with the following options:
- Restart- reread the configuration file for the selected robot
- The robot is not restarted. If you change the robot configuration, restart the robot.
- Check- checks the communication with the selected robot
- Remove- the selected active or passive robot is removed from the list. An active robot can show up later because active robots periodically request that the hub add them to the Registered Robots list.
- Add Passive Robot- open the dialog to add a passive robot
Name Services Tab
The Name Services tab is renamed to Network Aliases for secure hub (9.10S). Therefore, the Static Hubs section is not applicable for secure hub (9.10S).
A hub knows the IP address and port number of the probes started by the robots that it controls. The robots are responsible for reporting configuration changes and probe state to the hub. When a client sends a request to a probe, it asks the local hub for the address. If the target probe is on another hub, the request is forwarded to that hub. If the name lookup succeeds, the client sends the request to the probe.
- Static Hubs- The hubs discover each other by sending out broadcast (UDP) messages. Hubs that are separated by routers and firewalls are typically unable to discover other hubs with UDP. In this situation, you can configure a static route to the hubs. Note the Synchronize option in the New Static Hub dialog. If the synchronize option is selected, the parent hub sends status information to the static hub. The parent hub receives status information from the static hub, unless you also disable the Synchronize option on the static hub. You can disable the synchronize option to reduce network traffic. Do not connect hubs with both a tunnel and a static route. In some situations, data is transmitted over the insecure static route rather than over the secure tunnel. If you create a tunnel between two hubs, delete any existing static routes.
- Network Alias- the return address of a remote NAT hub
When hub B sends a request to hub A, the request contains the hub B From address. Hub A uses the hub B To address to return a request to hub B.
- On hub A, set up the From address and the To address for hub B.
- On hub B, set up the From address and the To address for hub A.
The Queues tab lists the defined message queues.
- Queues that are automatically created
- Queues that you manually create
For example, to send alarms from a nonprimary hub to the primary hub, create an attach queue, nas, with the subject alarm to forward alarms.
To edit a message queue, double-click the message queue, or select the message queue and click
To define a new queue, click
A queue is a holding area for messages passing through the hub. Queues are
- Permanent queue- content survives a hub restart
- Permanent queues are used by service probes to receive all messages. If the service probe is not running, the messages are held in the queue. When the probe starts, the messages are delivered.
- Temporary queue- content is cleared during restarts
- Temporary queues are typically used for events that are sent to management consoles.
All queues that are defined on the Queues tab are permanent queues. Permanent queues have a name that is related to their purpose. The permanent queue, NAS, is attached to the Nimsoft Alarm Server (NAS).
You can create a permanent queue between two hubs. Define the queue as a post type queue. Use the full UIM address of the other hub.
- A Post queue sends a directed stream of messages to the destination hub.
- An Attach queue creates a permanent queue for a client Get queue to attach to.
- A Get queue receives messages from a permanent Attach queue on another hub.
For example, the following queue, named get-hub-4, is defined as a
- get-hub-4 receives messages from the Attach queue xprone-attach
- xprone-attach is defined on the remote hub /HubTest/wm-hub-4/vm-hub-4/hub.
The New Queue dialog contains the following fields:
- Active- Select this option to activate the queue. The active state is reflected in the queue list under the Queues tab. You can activate and deactivate queues using the queue list.
- Name (Required)- a unique and descriptive identifier for the queue.
- Post- send a directed stream of messages to the destination hub
- Attach- a permanent queue that a remote get queue attaches to
- Get- receives messages from a remote attach queue
- Address- the UIM address of the source or target hub
- Get and post queues only
- Select the UIM address from the drop-down list
- Queue (Applies to get queues)- specify the remote attach queue to receive messages from
- Subject (Applies to attach or post queues)- specify the message subjects to send to the queue
- Use an asterisk (*) as the subject to send all the messages
All UIM messages contain a Subject ID that classifies the message on the message bus. Components use Subject IDs to subscribe to some messages and ignore others. All messages with the same Subject ID have the same data structure.
Enable Tunneling option on the hub, General tab to enable the
- Authorization and Authentication- Tunnels use certificates to provide authorization and authentication. The client and the server require valid certificates from the same Certificate Authority (CA). The tunnel server is the CA, and only accepts certificates it issues.
- Security Settings- Use security settings to specify the level of encryption for a tunnel. The encryption settings range from None to Custom. When None is selected, the traffic is authenticated, and is not encrypted. No encryption is safe for tunnels within LANs and WANs. Higher encryption levels require greater resources.
Delete existing static hubs in Name Services when you are using tunnels.
The tunnels tab contains four sections:
Use the server configuration tab to configure the listening side of a tunnel.
- Active- activate the tunnel server
- When Active is selected, the Certificate Authority Setup dialog opens. See, Setting up a Tunnel.
- Common name- the IP address of the tunnel server hub
- Expire date- the date the server certificate expires
- Port- the port that the tunnel server is listening on. Open this port in your router or firewall for incoming connections.
- Security settings- select None, Low, Medium, High, or Custom. Use the Custom setting to define the security protocol. See,
- Start and Stop- start and stop the tunnel server
- Server- display the server details and the server certificate
- CA- display the CA details and CA certificate
- New- open the Client Certificate Setup dialog. You can create certificates for the clients you open for access. Supply a certificate password. The client requires the password, the certificate (encrypted text), and the server port number.
- Delete- delete the selected client certificate
- View- display the selected client certificate
Use the client configuration tab to configure the connecting side of a tunnel.
- Server- tunnel server IP address or hostname
- Port- tunnel server port number
- Heartbeat- Keep-alive message interval
- Description- description of the tunnel connection
- New- Open New Tunnel Connection. You can create a new tunnel connection to the server that has generated the certificate.
- Active Tunnel- Activate the tunnel connection
- Check Server CommonName- Clear this option to disable the Server IP address verification (see, Setting up a Tunnel in a NAT Environment).
- Description- description of the tunnel connection
- Server- IP address of the tunnel server
- Password- the password that you received with the server certificate
- Server Port- the server communication port. Default, 48003
- Keep-alive interval- small data packets are sent at the specified interval
- Certificate- paste the client certificate in this field. See, Creating Client Certificates for more information.
- Edit- edit the selected server connection
- Delete- delete the selected server connection
- Certificate- display the selected client certificate
By default, all requests and messages are routed through the tunnel. The routing is transparent to CA UIM users.
Use the Access List to set access rules for tunnels. Define the rules to restrict the access privileges for UIM addresses, commands, and users. Access Lists are defined on the tunnel client hub.
Access list rules:
- Accept rules enable access. Set up rules to grant access to probes, robots, and hubs, and to execute specific commands for users.
- Deny rules disallow access for the specified addresses, commands, or users.
- Log rules log all requests through the tunnel. Use log rules for testing. View the results in the hub log file.
- Use Edit Rule to add, modify, or delete access rules. Access rules consist of four criteria. When all four criteria are met, the rule is triggered.
Note: Regular expressions are allowed.
- Source IP is the name of the source hub, robot, or probe.
- Destination Address is the address of the target hub, robot, or probe.
- Probe Command is the specific command to allow or deny. The command set varies by probe. To view a command set, open the Probe Utility.
- User is the user to allow or deny access.
- The rules table displays the rules that you have created. The order of the rules is important. The first rule in the list is processed first. Processing stops on the first rule that matches all four criteria. Use the Move Up and Move Down buttons to change the order of the rules in the list.
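Why rule order matters, shown as a first-match evaluator over the four criteria. This is an added example, not CA UIM code. The domain, hub, user, and command names are constructed, except gethubs, which the page mentions. Whole-string regex matching and an accept default when no rule matches are assumptions, and Log rules are left out.

```python
import re
from typing import NamedTuple


class Rule(NamedTuple):
    action: str       # "accept" or "deny"
    source: str       # regex for the source hub, robot, or probe name
    destination: str  # regex for the target UIM address
    command: str      # regex for the probe command
    user: str         # regex for the user


class Request(NamedTuple):
    source: str
    destination: str
    command: str
    user: str


def decide(rules, req, default="accept"):
    """Return (action, index) of the first rule matching all four criteria."""
    for i, rule in enumerate(rules):
        patterns = (rule.source, rule.destination, rule.command, rule.user)
        # Assumption: a pattern must match the whole field, not a substring.
        if all(re.fullmatch(p, v) for p, v in zip(patterns, req)):
            return rule.action, i      # processing stops on the first match
    return default, None               # assumption: unmatched traffic passes


# Constructed rule table, in the order it would appear in the rules list.
RULES = [
    Rule("accept", ".*", "/ExampleDomain/.*", ".*", "administrator"),
    Rule("deny", ".*", "/ExampleDomain/hub-b/.*", "example_restart", ".*"),
    Rule("accept", ".*", ".*", "gethubs", ".*"),
    Rule("deny", ".*", ".*", ".*", ".*"),
]
# The same rules after using Move Up on the hub-b deny rule.
REORDERED = [RULES[1], RULES[0], RULES[2], RULES[3]]

HUB_B = "/ExampleDomain/hub-b/robot1/hub"
ADMIN_RESTART = Request("hub-a", HUB_B, "example_restart", "administrator")
OP_RESTART = Request("hub-a", HUB_B, "example_restart", "operator")
OP_GETHUBS = Request("hub-a", HUB_B, "gethubs", "operator")
OP_OTHER = Request("hub-a", HUB_B, "example_other", "operator")

if __name__ == "__main__":
    for name, table in (("original", RULES), ("reordered", REORDERED)):
        for req in (ADMIN_RESTART, OP_RESTART, OP_GETHUBS, OP_OTHER):
            print(name, req.user, req.command, "->", decide(table, req))
```

In the original order the broad administrator accept rule wins before the hub-b deny rule is reached, so the deny never applies to that user. Moving the deny rule above it changes the outcome for the same request.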
Use the advanced tab to assign the first tunnel port, establish the hang timeout, and configure the SSL session cache.
- Ignore first probe port settings from controller- The first tunnel is automatically assigned the port number in First Probe Port Number on the Setup, Advanced tab in the controller configuration. If more than one tunnel is defined, select this option to enable the First Tunnel Port field.
- First Tunnel Port- For more than one tunnel, you can specify the first port in the range of ports to be used. When this field is blank, the operating system assigns random ports. Clients are assigned ports from the configured port range, and keep the port as long as the hub is running. Servers assign ports from the configured port number and increase for each new client connection. If there are no active clients, the hub resets the counter.
- Tunnel is Hanging Timeout- The hub continuously checks if one or more of the active tunnels are hanging. No new connections can be established through tunnels that are hanging. If a tunnel is hanging, the hub attempts to restart the tunnel. If the restart fails, the hub performs a restart after the specified number of seconds.
- SSL Session Cache
- Use Server Cache enables caching of SSL sessions, and reuse of session credentials. If Use Client Cache is enabled on the client, Use Server Cache speeds up the connection time.
- Server Cache Timeout defines how long the cached sessions are valid for reuse by the client.
- Server Cache Size defines how many sessions can be stored in the cache. When the cache is full, the oldest sessions are deleted as new connections are established.
- Use Client Cache enables caching of SSL sessions on the client hub.
This tab contains four subsections that provide status information about the queues, subjects, and tunnels you have defined.
- Subscribers/Queues displays a list with status information about all subscribers and queues on the hub. You can view the messages that the hub forwards. Use the status to assist with debugging and load monitoring for the hub. The fields in the list are:
- Name of the queue
- Type of subscriber
- Queued shows the number of messages waiting to be transferred. If you do not use spooling, this number is typically 0, for as long as the subscriber is alive.
- Sent shows the number of sent messages
- Bulk Size is the maximum number of messages that are sent at once
- Subject/Queue is the name of the queue or subject that the subscriber subscribes to
- ID for the connected probe or program
- Established shows when the hub connected to the subscriber
- Address of the subscriber
- Connection is the address of the subscriber network connection
- Subjects- a count of messages by subject from the last restart
- Tunnel Status displays two windows. The upper window, which shows all tunnels that the hub is running, provides this information:
- Peer Hub is the IP address or hostname of the tunnel peer
- Started shows the initial tunnel connection time
- Last shows the time of the last connection through the tunnel
- Connection stats (ms) are the statistics for the time that is taken to set up the tunnel connection
- A low minimum value can indicate a low bandwidth
- A high minimum value and a high average value can indicate packet loss
- Connections shows the number of connections made
- Traffic in/out shows the amount of data that is received and sent through the tunnel
- State of the connection (idle or active)
- Start time of the connection
- Last transfer time
- In and Out show the amount of data that is received or sent
- Address is the hostname of the target of the request
- Command specifies the command that is executed on the target of the connection
- Tunnel Statistics has statistics on SSL and on various events (such as server start time and when the last connection was received). Use the drop-down list to select the server or client to view.