
4.1 Properties settings

This section discusses IBM Tivoli Business Service Manager properties settings.

The IBM Tivoli Business Service Manager properties settings files are stored in $NCHOME/etc/rad. The files have the extension .props. The files discussed are:

• RAD_sla.props: Contains various settings regarding IBM Tivoli Business Service Manager status processing.

• RAD_server.props: Contains the server processing settings for IBM Tivoli Business Service Manager.

• RAD_av.props: Contains settings for the IBM Tivoli Business Service Manager Web interface.

• RAD_policylogger.props: Contains settings for the IBM Tivoli Netcool/Impact policies processing.

• log4j.properties: Contains logging settings for some IBM Tivoli Business Service Manager components.

There are several specialized settings that may need to be adjusted when managing an IBM Tivoli Business Service Manager environment. Table 4-1 lists some of the common changes.

Table 4-1 Property file changes

Purpose File Parameter (for a large service model)

RAD_sla.props impact.sla.maxesdapolicytimesecs=6000

4.2 Maintenance schedule

We discuss the maintenance schedule in the following sections:

• 4.2.1, “Create and edit maintenance schedule”

• 4.2.2, “Deleting a maintenance schedule”

• 4.2.3, “Refresh interval”

4.2.1 Create and edit maintenance schedule

You can edit maintenance schedules using the GUI by performing the following steps:

1. Go to the IBM Tivoli Business Service Manager GUI, select Service Administration, and select a service. Click the Edit Service tab, as shown in Figure 4-1.

Figure 4-1 Service instance

2. Click New..., and the window shown in Figure 4-2 opens.

Figure 4-2 Schedule window

3. Enter a unique schedule name into the Schedule Name box, and select whether you want to set a recurring schedule or an absolute schedule. This example uses a Recurring Time Window, as shown in Figure 4-3.

Figure 4-3 Schedule Recurring Time Window

4. You could also create a New Absolute Time Window, as shown in Figure 4-4.

Figure 4-4 Absolute Time Window

5. Click OK to save the new schedule. The schedule is now available in the Maintenance Schedule drop-down menu.

Figure 4-5 View of the maintenance schedule menu

6. Select the schedule and save the instance.

4.2.2 Deleting a maintenance schedule

If you want to delete a maintenance schedule, you must edit the scheduleTime.xml file, which is found under $NCHOME/guifoundation/webapps/sla/xml/scheduleTime.xml, and is shown in Example 4-1. Delete the lines between the timeWindowDefinition tags and restart the IBM Tivoli Business Service Manager server.

Example 4-1 Office_Hours entry in the ScheduleTime.xml file

<timeWindowDefinition name = "Office_Hours">
  <timeWindowCombo>
    <timeWindow>Monday 06:00 PM - 10:40 PM</timeWindow>
    <timeWindow>02 Jun 2009 10:44 PM - 02 Jun 2009 11:44 PM</timeWindow>
  </timeWindowCombo>
</timeWindowDefinition>

4.2.3 Refresh interval

The service tree refresh interval controls how frequently the IBM Tivoli Business Service Manager console requests an automatic service tree update from the IBM Tivoli Business Service Manager server. If every client connected to the IBM Tivoli Business Service Manager server is requesting a refresh update every 60 seconds, this could impact the server’s performance when there are a large number of consoles. To help mitigate this impact, you can increase the interval between refreshes. You can also set the refresh rate for other types of service objects in the Service Navigation window, as described in this section.

The RAD_sla.props file under the $NCHOME/etc/rad directory contains properties that set a static refresh rate for the following service object trees in the Service Navigation panel:

• Service Tree

• Template Tree

• Service Component Repository (SCR)

• Urgent services panel

Table 4-2 lists the refresh properties.

Table 4-2 Refresh properties for service objects

Property name                             Description                                          Default
impact.sla.servicetree.refreshinterval    Service Tree refresh interval                        60
impact.sla.scr.refreshinterval            Service Component Repository Tree refresh interval   300
impact.sla.templatetree.refreshinterval   Template Tree refresh interval                       60
impact.sla.hotlist.refreshinterval        Urgent services list refresh interval                30

4.3 SSL configuration

To secure your communications, you can set up SSL communication between different components of IBM Tivoli Business Service Manager, such as Security Manager, IBM Tivoli Netcool/OMNIbus, and IBM Tivoli Netcool GUI Foundation.

You can set up SSL by performing these steps:

1. Create a directory that will hold all of the key store and certificate files. We choose to use the $NCHOME/security/ssl directory on the Security Manager server.

2. Generate certificates for the Security Manager server using the keytool command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -genkey -alias sm_svr -keyalg RSA -keypass tbsmadmin -storepass tbsmadmin -keystore keystore.jks

The result of the command is shown in Example 4-2.

Example 4-2 Creating a certificate

What is your first and last name?
[Unknown]: TBSM User
What is the name of your organizational unit?
[Unknown]: IBM ITSO
What is the name of your organization?
[Unknown]: IBM
What is the name of your City or Locality?
[Unknown]: Raleigh
What is the name of your State or Province?
[Unknown]: NC
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US correct?
(type "yes" or "no") [no]: yes

3. Export the generated certificates to a certificate file using the keytool command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -export -alias sm_svr -file sm_svr.cer -keystore keystore.jks

The result of the command is shown in Example 4-3.

Example 4-3 Entering a password

Enter keystore password: tbsmadmin
Certificate stored in file <sm_svr.cer>

4. Import the certificate into a certificate store using the keytool command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -import -v -trustcacerts -alias sm_svr -file sm_svr.cer -keystore cacerts.jks -keypass tbsmadmin -storepass tbsmadmin

The result of the command is shown in Example 4-4.

Example 4-4 Importing a certificate

Owner: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Issuer: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Serial number: 4a2b8d5a
Valid from: Sun Jun 07 11:50:18 CEST 2009 until: Sat Sep 05 11:50:18 CEST 2009
Certificate fingerprints:
MD5: 4F:2F:C6:80:5C:EF:FA:8A:70:47:FE:03:4D:3A:D0:FF
SHA1: BD:38:2D:4A:75:06:5B:A4:4C:CC:60:53:C4:7D:EE:07:4E:4A:47:30
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts.jks]

5. Generate the Security Manager Client certificate by running the following command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -genkey -alias sm_clnt -keyalg RSA -keypass tbsmadmin -storepass tbsmadmin -keystore clntks.jks

The result of the command is shown in Example 4-5.

Example 4-5 Generate certificates

What is your first and last name?
[Unknown]: TBSM User
What is the name of your organizational unit?
[Unknown]: IBM ITSO
What is the name of your organization?
[Unknown]: IBM
What is the name of your City or Locality?
[Unknown]: Raleigh
What is the name of your State or Province?
[Unknown]: NC
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US correct?
(type "yes" or "no") [no]: yes

6. Export the generated certificates to a certificate file by running the following command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -export -alias sm_clnt -file sm_clnt.cer -keystore clntks.jks

The result of this command is shown in Example 4-6.

Example 4-6 Keystore password

Enter keystore password: tbsmadmin
Certificate stored in file <sm_clnt.cer>

7. Import the certificate into a certificate store by running the following command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -import -v -trustcacerts -alias sm_clnt -file sm_clnt.cer -keystore cacerts.jks -keypass tbsmadmin -storepass tbsmadmin

The result of the command is shown in Example 4-7.

Example 4-7 Importing certificates

Owner: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Issuer: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Serial number: 4a2b8d5a
Valid from: Sun Jun 07 12:20:31 CEST 2009 until: Sat Sep 05 12:20:31 CEST 2009
Certificate fingerprints:
MD5: 4F:2F:C6:80:5C:EF:FA:8A:70:47:FE:03:4D:3A:D0:FF
SHA1: BD:38:2D:4A:75:06:5B:A4:4C:CC:60:53:C4:7D:EE:07:4E:4A:47:30
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts.jks]

8. Configure the security manager server:

a. Configure the Security Manager SM_server.props file under $NCHOME/security/etc. You may want to create a backup copy of the file.

b. Find the encrypted password for the string tbsmadmin (the password selected in the previous steps) using the ncsm_crypt command. Issue the command $NCHOME/security/bin/ncsm_crypt tbsmadmin.

c. Edit the SM_server.props file and add the entries shown in Example 4-8.

Use the encrypted hexadecimal string from step b.

Example 4-8 SM_server.props

security.protocol=https

d. Configure the SM_servletservice.props file under $NCHOME/security/etc.

You may want to create a backup copy of the file.

Note: To list the contents of cacerts.jks, keystore.jks, and clntks.jks, use the following command:

$NCHOME/platform/<arch>/<java_version>/bin/keytool -v -list -storepass changeit -keypass changeit -keystore cacerts.jks

The file cacerts.jks should have two entries (sm_svr and sm_clnt), and the other two should have one entry each.

e. Edit the SM_servletservice.props file and update and enable the entries, as shown in Example 4-9.

Example 4-9 SM_servletservice.props

impact.http.ssl.enable=true
impact.ssl.keystore=/opt/IBM/Netcool/security/ssl/keystore.jks
impact.ssl.keypass=873308F43BA47FC5516E16D38ABF73F04032BBB7FB34F4F47BBC70377D6C169E
# On AIX, uncomment the following line
#impact.ssl.algorithm=IbmX509

f. Configure the runtime definition:

• In UNIX, edit $NCHOME/security/platform/<platformtype>/runtime_def_14 and add the option -Djavax.net.ssl.trustStore=/opt/IBM/Netcool/security/ssl/cacerts.jks to the VM_FLAGS parameter.

• In Windows, run REGEDIT and go to the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NCSMServer\Parameters. Define a new String value called JVM Option Number n, where n is the next number for the list of JVM options. Assign the -Djavax.net.ssl.trustStore=C:\IBM\Netcool\security\etc\ssl\cacerts.jks value to the entry.

9. In the IBM Tivoli Netcool GUI Foundation, perform the following changes:

a. Configure the server.props file under $NCHOME/etc/sm so that there are two versions for easy switching. Edit and add the information shown in Example 4-10.

Example 4-10 server.props

#added for SSL connectivity

b. Configure the RAD_server.props file under $NCHOME/etc/rad so that there are two versions for easy switching. Edit the RAD_server.props file and add the section shown in Example 4-11.

Example 4-11 RAD_server.props

c. Configure the server.xml file under $NCHOME/guifoundation/conf, so that there are two versions for easy switching. Edit the server.xml file and change the entries to the ones shown in Example 4-12.

Example 4-12 Server.xml

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="8443"

d. Ensure that the SSL versions of the configuration files are active and restart the Security Manager. The files are SM_server.props, SM_servletservice.props, and runtime_def_14 (UNIX).

e. Ensure that the SSL versions of the configuration files (server.props, RAD_server.props, and server.xml) have gone into effect on the IBM Tivoli Business Service Manager GUI Foundation server. Restart the GUI Foundation server.
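The following is an added example, not part of the original guide: it parses the text printed by the keytool -v -list command from the Note in step 8 and reports expected aliases that are missing and certificates that are expired or close to expiry. The certificates in Examples 4-4 and 4-7 are valid for only 90 days (7 June to 5 September 2009), which is keytool's default when -validity is not given, so the SSL links stop validating after that date unless the certificates are regenerated. The listing layout, the function names, and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout keytool prints for `-v -list`; the field
# values are copied from Examples 4-4 and 4-7 (fingerprint lines omitted).
SAMPLE_LISTING = """\
Alias name: sm_svr
Owner: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Issuer: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Valid from: Sun Jun 07 11:50:18 CEST 2009 until: Sat Sep 05 11:50:18 CEST 2009

Alias name: sm_clnt
Owner: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Issuer: CN=TBSM User, OU=IBM ITSO, O=IBM, L=Raleigh, ST=NC, C=US
Valid from: Sun Jun 07 12:20:31 CEST 2009 until: Sat Sep 05 12:20:31 CEST 2009
"""

FIELD = re.compile(r"^(Alias name|Owner|Issuer): (.*)$")
VALID = re.compile(r"^Valid from: (.+?) until: (.+)$")

def parse_date(text):
    # "Sun Jun 07 11:50:18 CEST 2009": drop weekday and zone name before parsing.
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:]), "%b %d %H:%M:%S %Y")

def parse_entries(listing):
    """Return one dict per 'Alias name:' block in the listing."""
    entries = []
    for line in map(str.strip, listing.splitlines()):
        field, valid = FIELD.match(line), VALID.match(line)
        if field and field.group(1) == "Alias name":
            entries.append({"alias": field.group(2)})
        elif field and entries:
            entries[-1][field.group(1).lower()] = field.group(2)
        elif valid and entries:
            entries[-1]["from"], entries[-1]["until"] = map(parse_date, valid.groups())
    return entries

def audit(listing, expected_aliases, today, warn_days=30):
    """List missing aliases and certificates that are expired or expiring."""
    entries = parse_entries(listing)
    present = {e["alias"] for e in entries}
    findings = [f"{a}: missing" for a in expected_aliases if a not in present]
    for e in entries:
        if "until" not in e:
            findings.append(f"{e['alias']}: no validity period found")
            continue
        lifetime = (e["until"] - e["from"]).days
        days_left = (e["until"] - today).total_seconds() / 86400
        if days_left < 0:
            findings.append(f"{e['alias']}: expired {e['until']:%Y-%m-%d}")
        elif days_left <= warn_days:
            findings.append(f"{e['alias']}: expires in {int(days_left)} days "
                            f"(issued for {lifetime} days)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING, ["sm_svr", "sm_clnt"], datetime(2009, 8, 20)):
        print(finding)
```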

4.4 Security settings

Security in IBM Tivoli Business Service Manager is managed through users and groups. The users and groups are given specific role(s) to perform their day-to-day jobs. The existing IBM Tivoli Business Service Manager roles are shown in Table 4-3.

Table 4-3 Security roles

Role name                      Description
GUI Foundation user            Required for all users to use the Web interface
GUI Foundation read only       IBM Tivoli Netcool GUI Foundation roles
GUI Foundation read write
GUI Foundation Administrator
RAD User                       Required for all IBM Tivoli Business Service Manager users
RAD View Raw Events            Required to view the ObjectServer event list
RAD View AEL/LWEL              Required to work with AEL or LEL
RAD Template Admin             Roles for template objects
RAD Create Template
RAD Edit Template
RAD View Template
RAD Instance Admin             Roles for instances
RAD Create Instance
RAD Edit Instance
RAD View Instance
RAD View Impact GUI            Access to IBM Tivoli Netcool/Impact GUI
RAD SLA Chart View             SLA chart view
RAD DataSource Admin           Roles for data sources
RAD Create DataSource
RAD Edit DataSource
RAD View DataSource

Roles in Table 4-3 can be assigned directly to the users or given to a user for an individual object. Administrator access is needed to delete an object; for example, to delete a service instance, you need the RAD - Instance Admin role.

In the hierarchy of service instances, the following situations apply:

• The view and edit roles for instances apply to the child instances; however, they cannot view or edit events that originated from the child instances.

• The view and edit roles must be applied to the top level instances. Applying the view or edit roles to an instance that does not appear in the top level would not allow the user to see the instance.

Given an existing service instance and an existing user or group, you can add security permissions to the service instance so that access to view or edit it is restricted. Perform the following steps:

1. Open the Service Administration window, as shown in Figure 4-6.

Figure 4-6 Service Administration

Table 4-3 Security roles (continued)

Role name                      Description
RAD DataFetcher Admin          Roles for data fetchers
RAD Create DataFetcher
RAD Edit DataFetcher
RAD View DataFetcher
RAD Read Only User             Assigned to the RADReadOnly group for all users that require read-only access to IBM Tivoli Business Service Manager

2. Edit the service instance, as shown in Figure 4-7.

Figure 4-7 Service instance

3. Click the Security tab, as shown in Figure 4-8. It shows the roles that are available for each user.

Figure 4-8 Security tab

4. Select the users or groups and their privileges, as shown in Figure 4-9.

Figure 4-9 User ID privileges

5. Save the service instance.

4.5 Data sources

Data sources are needed to provide additional information and metrics for a given service object. Assuming that the data source already exists, the following procedure creates a new data source mapping that allows external information to be presented and can affect the status of services in a service model. Perform the following steps:

1. Log in to IBM Tivoli Business Service Manager, switch to Service Administration window, and click the Data tab, as shown in Figure 4-10.

Figure 4-10 Data source

2. Click the button and enter a unique name for the data source, the relational database type, and its connectivity. The database types are:

– ObjectServer

– DB2

– Oracle

– Informix®

– Sybase

– PostgreSQL

– MySQL™

– MS-SQL

The window for the PostgreSQL database is shown in Figure 4-11.

Figure 4-11 Data source

The required settings for other databases are described in Table 4-4. The common required parameters are:

– Data Source Name: The name to identify the data source, which can be anything except ObjectServer

– User name (and its password): The authentication to access the database

– Hostname: The host name or IP address where the database resides

– Port: The specific port from which the database accepts a network connection

Table 4-4 Data sources properties

3. Test the data source connectivity by using the Test Connection button.

4. Click the Save button and the data source should appear in the data sources list, as shown in Figure 4-12.

Figure 4-12 New data source created

SQL type     Property    Description
DB2          Database    DB2 database name
DB2          JDBC type   Whether to use JDBC type 4 or type 2
Oracle       SID         System identifier for the Oracle database instance
Informix     Server      Informix server instance name
Informix     Database    Informix database name
Sybase       Database    Sybase database name
PostgreSQL   Database    PostgreSQL database name
MySQL        Database    MySQL database name
MS-SQL       Database    Microsoft SQL server database name

4.6 Data fetcher

To create a new data fetcher, perform the following steps:

1. Log in to IBM Tivoli Business Service Manager and switch to the Service Administration window.

2. Click the Data Fetcher tab, as shown in Figure 4-13.

Figure 4-13 Data Fetcher tab

3. Click the New button and enter a unique name for the data fetcher. The data fetcher uses the data source created in 4.5, “Data sources”; select the data source from the drop-down menu. Enter the expression for the SQL query and set up a query interval, as shown in Figure 4-14.

Figure 4-14 Data fetcher query

Some of the data fetcher options shown in Figure 4-14 are:

– The fetch frequency can be determined as a daily fetch at a predefined time or calculated dynamically based on the previous fetch performance.

The dynamic interval is calculated from:

• The previous fetch time multiplied by the interval multiplier.

• If the result is smaller than the minimum interval, the next fetch will be after the minimum interval.

• If the result is larger than the maximum interval, the next fetch will be after the maximum interval.

To use a specific interval, you can set the minimum and maximum interval to that same number.

– In the data fetcher window, you can add an expression to optimize the data search. Without an expression, the fetched data is compared with the previously fetched records to make sure that only unprocessed records are loaded, which is inefficient. The expression lets the last record from the previous fetch be used to add a WHERE clause to the SQL query and so optimize the fetch. A good candidate is a time stamp or identity column, which ensures that newly fetched data is not a duplicate. The last value is represented by a variable enclosed in __ (two underscores). For example, to make sure that the value of a key column is larger than the previous one, the expression would be key > '__key__'.

4. Click the View button and you can preview the collected data, as shown in Figure 4-15. The data is retrieved using the database query engine component of IBM Tivoli Business Service Manager.

Figure 4-15 Query results

5. The data fetcher will appear in the Data Fetcher list, as shown in Figure 4-16.

Figure 4-16 New data fetcher

The data fetcher’s status will appear. Our data fetcher is running and has no errors, as indicated by the green button. The buttons beside the data fetcher are:

– On Demand fetch: Immediately get the data (run the data fetcher query).

– See log: Perform troubleshooting on the data fetcher and SQL query result (the log file is $NCHOME/log/RAD_<data fetcher name>.log).

– Disable data fetcher: Stops the fetch operation.

– Delete the data fetcher.
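The following is an added example, not code from the product or the original guide: it simulates the dynamic interval rule and the __column__ expression described in step 3, using an in-memory SQLite table. The table, column and function names, the time units, and the behaviour of the first fetch (no WHERE clause) are assumptions made for the illustration.

```python
import re
import sqlite3

def next_interval(prev_fetch, multiplier, minimum, maximum):
    """Dynamic interval: previous fetch time x multiplier, clamped to [minimum, maximum]."""
    return min(max(prev_fetch * multiplier, minimum), maximum)

def expand(expression, last_row):
    """Fill each __column__ placeholder with that column's value from the last fetched row."""
    def value(match):
        # Double any single quote so a fetched value cannot end the SQL literal early.
        return str(last_row[match.group(1)]).replace("'", "''")
    return re.sub(r"__(\w+?)__", value, expression)

def fetch(conn, query, expression, last_row):
    """Run one fetch; with no previous row the whole table is read (assumed first-run behaviour)."""
    if last_row is not None:
        query += " WHERE " + expand(expression, last_row)
    return conn.execute(query + " ORDER BY event_time").fetchall()

def demo():
    """Three fetch cycles over a constructed table; returns what each cycle loaded."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows addressable by column name
    conn.execute("CREATE TABLE tickets (event_time TEXT, service TEXT, open_tickets INTEGER)")
    insert = "INSERT INTO tickets VALUES (?, ?, ?)"
    conn.executemany(insert, [  # constructed sample rows
        ("2009-06-07 10:00:00", "OnlineBanking", 2),
        ("2009-06-07 10:05:00", "Payroll", 0),
        ("2009-06-07 10:10:00", "OnlineBanking", 5),
    ])
    query, expression = "SELECT * FROM tickets", "event_time > '__event_time__'"
    first = fetch(conn, query, expression, None)
    conn.execute(insert, ("2009-06-07 10:15:00", "Mail", 1))
    second = fetch(conn, query, expression, first[-1])   # only the row added since
    third = fetch(conn, query, expression, second[-1])   # nothing new to load
    return [tuple(r) for r in first], [tuple(r) for r in second], [tuple(r) for r in third]

if __name__ == "__main__":
    for cycle in demo():
        print(cycle)
    print(next_interval(20, 10, 60, 300))
```

Setting the minimum and maximum to the same number, as the text notes, makes next_interval return that number for any previous fetch time.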

4.7 Service templates and service instance

This section discusses the service templates and service instances.

4.7.1 Service template

Service templates provide a skeleton for defining service instance objects. Configuring a service template lets service objects be created by the auto-discovery rules and defined according to the template. The service model is then shown based on the template that it inherits.

To create a service template, perform the following steps:

1. Log in to IBM Tivoli Business Service Manager and switch to the Service Administration window.

2. Select the Templates tab and click the New button.

3. Enter the template settings using a unique template name, as shown in Figure 4-17.

Figure 4-17 Edit Template tab

4. From the templates, you can create the rules that would apply to the current
