nfa_inventory AC Configuration

Prerequisites
Prior to deploying the nfa_inventory probe, review the following points:
  • You are running CA Unified Infrastructure Management (CA UIM) 8.4 or later.
  • You are running CA Network Flow Analysis (CA NFA) 9.3.3 or later.
  • The nq_services probe v1.2 is installed on the same hub as trellis (to support multi-tenancy in CA NFA).
  • The SNMP Collector v2.1 or above is installed.
  • The robot on which the nfa_inventory probe is deployed has HTTP access (port 80/TCP) to the CA NFA console, or HTTPS access on the port you configure if you enable Use SSL.
  • The wasp probe on the UMP host has http access (port 80/TCP) to the CA NFA console.
  • The current versions of CA NFA, UDM, Discovery Server, and wasp probe must all be in the same CA UIM domain.
Configuration Overview
v1.2 nfa_inventory Configuration
At a high level, configuring the probe consists of the following actions:
  1. Configure routers to send NetFlow to CA NFA.
  2. Configure the nfa_inventory probe to connect to the CA NFA console (by specifying its hostname or IP address).
  3. Configure snmpcollector so that all snmpcollector instances and CA NFA have the same origin.
  4. Configure Single Sign-On (SSO) for USM and CA NFA.
Configure Probe Connections
After you install the probe, you must configure the probe setup using the CA UIM admin console.
  1. In the Add NFA Console dialog, complete the following fields:
    • NFA Console Name - The name of the CA NFA console.
    • NFA Console Hostname or IP Address - The hostname or IP address of the CA NFA console. If you enable SSL, ensure that the NFA Console Hostname matches the common name (CN) on the self-signed certificate; otherwise hostname verification fails and the probe cannot connect.
    • Alarm Message - The severity of the alarm sent to CA UIM if the probe encounters an error communicating with CA NFA.
    • Active - Whether the probe is active.
    • Port - The port on which to connect to the NFA server.
    • Use SSL - Connects to the NFA server over HTTPS. Before you enable this option, ensure that you have imported the self-signed certificate that the NFA console generates.
  2. Click Submit. Click Save, then click Reload.
  3. If the nfa_inventory probe is on a hub other than the wasp hub, add the /ump_common/nfa_inventory key to the wasp configuration using Raw Configure in the Admin Console. Set the value of the nfa_inventory key to the bus address of the nfa_inventory probe, in the form /domain/hub/robot/nfa_inventory.
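The SSL caveat in step 1 (the configured NFA Console Hostname must match the console's self-signed certificate, and that certificate must be imported first) is easiest to verify before touching the probe. The following script is an added example for this page, not part of the nfa_inventory probe or any CA tool: it trusts only the exported console certificate, connects, and reports separately whether the certificate is untrusted (not yet imported) or whether the name you plan to configure does not match it. NFA_HOST, NFA_PORT and CA_FILE are assumed values to replace with your own.

```python
"""Diagnose the 'NFA Console Hostname' / certificate CN requirement.

Added example for this page; it is not part of the nfa_inventory probe or
any CA tool. Assumed inputs: NFA_HOST is the value you will type into
'NFA Console Hostname or IP Address', NFA_PORT is the HTTPS port from the
'Port' field, and CA_FILE is the self-signed certificate exported from the
NFA console (the file you import before enabling 'Use SSL').
"""
import socket
import ssl

NFA_HOST = "nfa-console.example.net"    # assumption: configured console hostname
NFA_PORT = 443                          # assumption: HTTPS port of the NFA console
CA_FILE = "nfa_console_selfsigned.pem"  # assumption: exported self-signed certificate (PEM)


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; only a leftmost '*' label is a wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return (ok, reason) for a certificate in ssl.getpeercert() dict form.

    subjectAltName entries take precedence; the subject CN is consulted only
    when the certificate carries no DNS SAN at all, which is how standard
    verifiers behave. A CN that differs from the configured hostname is
    exactly the mismatch the configuration page warns about.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if hostname in ip_names:
        return True, "matched SAN IP %s" % hostname
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, "matched SAN DNS %s" % name
        return False, "no SAN DNS entry matches %s (certificate has %s)" % (hostname, dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns and _dns_match(cns[0], hostname):
        return True, "matched CN %s (certificate has no SAN)" % cns[0]
    return False, "CN %s does not match %s" % (cns[0] if cns else None, hostname)


def check_console(host=NFA_HOST, port=NFA_PORT, ca_file=CA_FILE):
    """Connect trusting only ca_file, and tell 'not trusted' apart from 'name mismatch'."""
    try:
        ctx = ssl.create_default_context(cafile=ca_file)   # trust only the exported certificate
        ctx.check_hostname = False                          # name check is done below, with a precise reason
        ctx.verify_mode = ssl.CERT_REQUIRED                 # the chain must still validate against ca_file
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return hostname_matches(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted by %s; import the console certificate first (%s)" % (ca_file, exc)
    except OSError as exc:   # socket errors, and a missing ca_file
        return False, "cannot complete TLS to %s:%d (%s)" % (host, port, exc)


if __name__ == "__main__":
    ok, reason = check_console()
    print(("OK" if ok else "FAIL") + " - " + reason)
```

Run it from the robot that will host the probe so the network path tested is the one the probe uses. A "certificate not trusted" result means the import step has not been done; a "CN ... does not match" result means the name in the NFA Console Hostname field must be changed to the one in the certificate (or the certificate reissued), and no amount of trust-store work will fix it.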
Configure snmpcollector
To avoid duplicate devices in USM, the discovery_agent, snmpcollector, and nfa_inventory probes must either:
  • Be installed on the same robot, or
  • Be installed on robots that belong to the same origin.
If they are installed on separate robots, verify that they share the same origin as follows:
  1. In Infrastructure Manager, double-click the hub that you want to copy the origin from (the hub with snmpcollector).
  2. On the General tab, in the Advanced area, click Settings.
  3. Copy the contents of the Origin field.
  4. Click OK to close the Hub Advanced Settings dialog box.
  5. In Infrastructure Manager, double-click the hub where nfa_inventory is installed.
  6. On the General tab, in the Advanced area, click Settings.
  7. Paste the origin that you copied from the snmpcollector hub into the Origin field.
  8. Click OK.
Configure Single Sign-On (SSO) for USM and CA NFA
To facilitate SSO, the nfa_inventory probe sends inventory to CA UIM every 15 minutes.
  • If you have SSO without LDAP or SAML2, create the same users in CA NFA as exist in the USM portal.
  • If you have LDAP only (no SAML2), configure CA NFA and USM to use the same LDAP server.
  • If you have SAML2, configure CA NFA and USM to use the same SAML2 provider.
Implement CA NFA SAML2 Support
  1. Log in to the CA NFA console server.
  2. Open <drive>:\CA\NFA\Portal\SSO\webapps\sso\configuration\saml.properties with a text editor.
  3. Add the following entries (where ip is the IP address of the CA NFA console and hostname is the hostname of the CA NFA console server):
     saml.sp.metadata.hostname=<ip/hostname>
     saml.sp.metadata.entityId=<ip/hostname>
     saml.sp.metadata.organizationName=<org_name>
     saml.sp.metadata.contactPerson=<contact_person>
     saml.sp.metadata.email=<email_address>
  4. Save the saml.properties file.
  5. Run the SSO configuration tool, ssoConfig.exe, from a CA NFA server command prompt:
    a. <drive>:\CA\NFA\Portal\SSO\bin\ssoConfig.exe
      i. Enter 2 for CA Network Flow Analysis.
      ii. Enter 2 for SAML2 Authentication.
      iii. Enter 2 for Local Override.
      iv. Enter 2 for Clone Default User Accounts. Change the value to user.
      v. Enter 4 for SAML2 Auto-Reauthentication Enabled. Change the value to 1.
      vi. Enter 5 for SAML2 Auto-Reauthentication Time Period. Change the value to 5.
      vii. Enter 6 for SAML2 IDP Session Timeout. Change the value to 10.
      viii. Enter b to go back.
      ix. Enter b to go back again.
      x. Enter 6 to Export SAML2 Service Provider Metadata. Provide a valid path and file name. The file type must be xml, for example: c:\temp\saml2SPmetadata.xml
      xi. Enter q to quit the SSO configuration tool.
    b. Send the metadata file that you saved in step 5.a.x to your SAML2 service provider.
    c. Open <drive>:\CA\NFA\Portal\SSO\webapps\sso\configuration\saml.properties with a text editor.
      i. Update the saml.idp.metadata.file property with the full path and file name of the metadata xml file you created in step 5.a.x.
      ii. Update the saml.idp.sessionTimeout property with the IDP session timeout value you selected in step 5.a.vii (10).
    d. Save the saml.properties file.
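The procedure above edits saml.properties twice by hand, and the usual failures are a placeholder such as <ip/hostname> left in place, a sessionTimeout that does not match the value chosen in ssoConfig, or a metadata path that does not point at a readable .xml file. The following script is an added example for this page, not a CA tool: it reads a saml.properties file, checks the entries the procedure touches, and parses the referenced metadata file. It assumes saml.properties uses the Java properties layout (key=value, '#' comment lines) and that the metadata file is standard SAML 2.0 metadata with an EntityDescriptor root; the sample properties and metadata in the demo are constructed, not taken from a real deployment.

```python
"""Sanity-check the saml.properties edits from the SAML2 procedure above.

Added example for this page, not a CA tool. Assumes Java properties layout
(key=value, '#'/'!' comments) and SAML 2.0 metadata with an EntityDescriptor
root. The sample properties and metadata below are constructed for the demo.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REQUIRED_SP_KEYS = (
    "saml.sp.metadata.hostname",
    "saml.sp.metadata.entityId",
    "saml.sp.metadata.organizationName",
    "saml.sp.metadata.contactPerson",
    "saml.sp.metadata.email",
)
EXPECTED_SESSION_TIMEOUT = 10   # SAML2 IDP Session Timeout chosen in ssoConfig (step 5.a.vii)


def parse_properties(text):
    """Minimal java.util.Properties-style reader: first '=' or ':' separates key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_metadata_file(path):
    """The exported file must be .xml, exist, and be an EntityDescriptor with an entityID."""
    if not path.lower().endswith(".xml"):
        return ["saml.idp.metadata.file must name an .xml file: %s" % path]
    if not os.path.isfile(path):
        return ["metadata file not found: %s" % path]
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return ["metadata file is not well-formed XML: %s" % exc]
    if root.tag != "{%s}EntityDescriptor" % SAML_MD_NS:
        return ["metadata root is %s, expected EntityDescriptor in %s" % (root.tag, SAML_MD_NS)]
    if not root.get("entityID"):
        return ["EntityDescriptor has no entityID attribute"]
    return []


def validate_saml_properties(text, expected_timeout=EXPECTED_SESSION_TIMEOUT):
    """Return a list of problems; an empty list means the edits look consistent."""
    props, problems = parse_properties(text), []
    for key in REQUIRED_SP_KEYS:
        value = props.get(key, "")
        if not value or value.startswith("<"):
            problems.append("%s is missing or still holds a <placeholder>" % key)
        elif key.endswith(".email") and "@" not in value:
            problems.append("%s does not look like an e-mail address: %s" % (key, value))
    timeout = props.get("saml.idp.sessionTimeout", "")
    if not timeout.isdigit() or int(timeout) != expected_timeout:
        problems.append("saml.idp.sessionTimeout=%r, expected %d (value chosen in ssoConfig)"
                        % (timeout, expected_timeout))
    md_path = props.get("saml.idp.metadata.file", "")
    if not md_path:
        problems.append("saml.idp.metadata.file is not set")
    else:
        if "\\" in md_path and "\\\\" not in md_path:
            # java.util.Properties treats a lone backslash as an escape (\t is a tab);
            # write Windows paths with doubled backslashes or forward slashes.
            problems.append("saml.idp.metadata.file contains single backslashes: %s" % md_path)
        problems.extend(check_metadata_file(md_path))
    return problems


SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="nfa-console.example.net">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def demo():
    """Constructed sample: a correct property set and one with two typical mistakes."""
    md_path = os.path.join(tempfile.mkdtemp(), "saml2SPmetadata.xml").replace("\\", "/")
    with open(md_path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_METADATA)
    good = ("# constructed sample, not a real CA NFA file\n"
            "saml.sp.metadata.hostname=nfa-console.example.net\n"
            "saml.sp.metadata.entityId=nfa-console.example.net\n"
            "saml.sp.metadata.organizationName=Example Corp\n"
            "saml.sp.metadata.contactPerson=NOC\n"
            "saml.sp.metadata.email=noc@example.net\n"
            "saml.idp.metadata.file=%s\n"
            "saml.idp.sessionTimeout=10\n") % md_path
    bad = (good.replace("saml.idp.sessionTimeout=10", "saml.idp.sessionTimeout=30")
               .replace("noc@example.net", "<email_address>"))
    return validate_saml_properties(good), validate_saml_properties(bad)


if __name__ == "__main__":
    for label, problems in zip(("good", "bad"), demo()):
        print(label, problems or "no problems found")
```

To check a real file, pass its contents to validate_saml_properties and run it on the NFA console server so the metadata path resolves there. The single-backslash warning applies only if the file is loaded with java.util.Properties semantics; it is flagged rather than assumed fatal because the page does not state how CA NFA reads the file.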
Multi-tenancy for CA NFA
Origin enrichment is implemented in CA UIM to enable multi-tenancy in CA NFA. Previously, only bus users could drill out from CA UIM to CA NFA. With nfa_inventory probe v1.3, both bus users and account contact users can drill out to CA NFA based on the rights granted to them in CA UIM. The nfa_inventory probe updates CA NFA with information obtained from CA UIM. All users must have ACL permissions to drill out to CA NFA.
  • For each CA UIM account, CA NFA creates a permission set.
  • CA NFA permission sets have access to interface groups.
  • Interface groups correspond to a unique CA UIM origin in the CA UIM account.
  • For each CA UIM ACL, a corresponding CA NFA role is created with rights that correspond to the CA UIM ACL permissions.
    • CA UIM adds the CA NFA rights that are prefixed with
      NFA
      to facilitate the mapping.
  • CA NFA user accounts are created which correspond to CA UIM account contact users. The CA NFA user account has access to the CA NFA permission set corresponding to the CA UIM account.
  • A CA NFA role is created which corresponds to the CA UIM ACLs.
  • Note that bus users have access to all tenants in CA NFA.
The following parameters can be modified using Raw Configure (in the Admin Console):
  • interfaceMappingDelay - the time in minutes after an inventory update to perform the mapping of interface groups to origins. The minimum value is 1, the maximum value is 15, and the default value is 5.
  • interfaceMappingBatchSize - The number of interfaces to request origins for in a batch. The minimum value is 1, the maximum value is 20000, and the default value is 1000.
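Both Raw Configure edits on this page, the /ump_common/nfa_inventory bus address added to wasp in the Configure Probe Connections step and the two interfaceMapping* keys above, are easy to mistype and are only validated at runtime. The following script is an added example for this page, not CA code: it parses the configuration text, checks that the nfa_inventory key is a bus address of the form /domain/hub/robot/nfa_inventory, and range-checks the mapping keys against the documented limits. It assumes the '<section>' / 'key = value' layout that UIM probe .cfg files use, and that the mapping keys sit in the probe's <setup> section (the page does not say which section); both sample configurations are constructed for the demo.

```python
"""Check the nfa_inventory Raw Configure keys described on this page.

Added example, not CA code. Assumes the '<section>' / 'key = value' layout
of UIM probe .cfg files and that the mapping keys live under <setup> (the
page does not name the section). The sample configurations are constructed.
"""
import re

# /domain/hub/robot/nfa_inventory: three non-empty path components then the probe name
BUS_ADDRESS = re.compile(r"^/[^/\s]+/[^/\s]+/[^/\s]+/nfa_inventory$")
LIMITS = {  # key -> (minimum, maximum, default) as documented for Raw Configure
    "interfaceMappingDelay": (1, 15, 5),
    "interfaceMappingBatchSize": (1, 20000, 1000),
}


def parse_cfg(text):
    """Parse nested '<section>' blocks into {'/section/.../key': value}."""
    result, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</") and line.endswith(">"):
            if not stack or stack[-1] != line[2:-1]:
                raise ValueError("unbalanced close tag: %s" % line)
            stack.pop()
        elif line.startswith("<") and line.endswith(">"):
            stack.append(line[1:-1])
        elif "=" in line:
            key, _, value = line.partition("=")
            result["/" + "/".join(stack + [key.strip()])] = value.strip()
        else:
            raise ValueError("unrecognised line: %s" % line)
    if stack:
        raise ValueError("unclosed section(s): %s" % stack)
    return result


def check_wasp(cfg):
    """On a non-wasp hub, wasp must carry the probe's bus address under /ump_common."""
    addr = cfg.get("/ump_common/nfa_inventory")
    if addr is None:
        return ["wasp: /ump_common/nfa_inventory is not set"]
    if not BUS_ADDRESS.match(addr):
        return ["wasp: %r is not of the form /domain/hub/robot/nfa_inventory" % addr]
    return []


def mapping_settings(cfg, section="/setup"):
    """Resolve the two mapping keys to ints, applying the documented defaults when absent."""
    settings = {name: default for name, (_, _, default) in LIMITS.items()}
    for name in LIMITS:
        value = cfg.get("%s/%s" % (section, name))
        if value is not None and value.lstrip("-").isdigit():
            settings[name] = int(value)
    return settings


def check_nfa_inventory(cfg, section="/setup"):
    """Flag mapping values outside the documented ranges."""
    problems = []
    for name, (lo, hi, _default) in LIMITS.items():
        value = cfg.get("%s/%s" % (section, name))
        if value is None:
            continue
        if not value.lstrip("-").isdigit() or not lo <= int(value) <= hi:
            problems.append("nfa_inventory: %s=%r outside %d..%d" % (name, value, lo, hi))
    return problems


WASP_CFG = """<ump_common>
   nfa_inventory = /uim-domain/primary-hub/nfa-robot/nfa_inventory
</ump_common>
"""

NFA_INVENTORY_CFG = """<setup>
   loglevel = 1
   interfaceMappingDelay = 5
   interfaceMappingBatchSize = 50000
</setup>
"""


def demo():
    """Run both checks over the constructed samples; returns the list of problems."""
    return check_wasp(parse_cfg(WASP_CFG)) + check_nfa_inventory(parse_cfg(NFA_INVENTORY_CFG))


if __name__ == "__main__":
    print("\n".join(demo()) or "all nfa_inventory raw-configure values are within range")
```

If Raw Configure shows the mapping keys in a different section, pass that section path to check_nfa_inventory and mapping_settings; the range limits and defaults are the ones stated above.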
View CA NFA Interface Information in UMP
  1. From the UMP user interface, click a device that is sending NetFlow information to CA NFA.
  2. Click Interfaces.
  3. Select an interface from which the device is receiving NetFlow information.
  4. Select a graph or table of CA NFA information:
    • Stacked Protocol Trend - In
    • Stacked Protocol Trend - Out
    • Top Hosts
    • Top Conversations
  5. Position the mouse near the top right-hand corner of the table or graph you selected; the drill-out icon appears. Click the drill-out icon to be redirected to CA NFA.
    • When Single Sign-On (SSO) is configured properly, you are not prompted to log in to CA NFA.
To access advanced information about the interface, click the Advanced tab on the UMP interface page. The following tables and graphs are sourced from CA NFA:
  • Stacked ToS Trend - In
  • Stacked ToS Trend - Out
  • Top Hosts per ToS
  • Top Conversations per ToS
When you drill out from UMP to one of the CA NFA Type of Service (ToS) tables (Top Hosts per ToS or Top Conversations per ToS), you are redirected to the CA NFA ToS page. The CA NFA ToS page lists the different ToS names under the ToS Summary Table. Click a ToS name to access a page showing all of the graphs and tables for that ToS name.