SolutionPack for EMC Network Configuration Manager 2.0.3 Summary Sheet – Service Assurance Suite 9.4

Table of Contents

Overview

Learn to install and configure the SolutionPack for EMC Network Configuration Manager (NCM). This SolutionPack, available with the EMC M&R version 6.5uX platform, provides a wide spectrum of reports for NCM Application Servers and Device Servers.

It enables you to quickly determine the inventory and assets, compliance, jobs and all changes being made to any NCM Application, Device, or Combo Server.

Back to Top

Technical specifications

SolutionPack version

2.0.3

Compatible EMC M&R versions

6.5u3 and later

Compatible NCM version

NCM 9.4, Patch 1 and later

Data collection methods

SQL collector

XML collector

Remote Shell collector

Main reports

Change Detail Report
Provides information about configuration change details over a period and lists the differences in configuration between revisions. The msa-user login credentials to NCM EDAA (EMC Data Access API) are required to retrieve and view configuration differences from devices managed by NCM.
Job Reporting
Provides count, distribution, approval and status information about Active and Historical jobs available in NCM. In the reports, you can drill down on Job Status, Tasks, or Actions to view detailed information.
Deployment Topology
Provides information about different Application Servers. Each Application server node displays details about associated Database and Device Servers.
Sites
Provides device-specific information for each site.
Views
Provides device-specific information for each view.
Certificate Monitoring Report
Provides detailed information about certificates, the hosts where they reside, and certificate expiration dates (end dates). These certificates govern the communication between the Application Server and Device Server and between the User Interface and Application Server. You must renew certificates before they expire or NCM will stop functioning.
Change Reports
Provides information about results for Change Approvals, Hardware Changes, Devices with Cut-through and External Changes, Configuration changes, and User changes. In the reports, you can drill down to view detailed information about individual devices, configuration differences with the job and approvers, users who created revisions, and so on.
Device Compliance Reports
Provides information about device compliance in Summary, By Network, By Sites, By Views, and Estate Overview reports.
Standard Compliance Reports
Provides information about PCI DSS 1.1, PCI DSS 1.2, PCI DSS 2.0, DISA STIG 1.1 Compliance Standards available in NCM. In the reports, you can drill down on Policies, Standards, and Tests to view detailed information.

Back to Top

Where to find the latest SolutionPack software

Install the latest core software update for your product suite. SolutionPacks distributed with core software have a 30-day free evaluation period. If you plan to use the software longer than 30 days, you must install a SolutionPack license before the trial period ends.

This 30-day free evaluation only applies to new installations and is not available for upgraded installations. If you upgrade the core software and want to try a new SolutionPack, you must request a license for that SolutionPack by completing a Support Request (SR) form, which is available on the EMC Online Support website at http://support.emc.com.

Back to Top

Installing the SolutionPack for EMC Network Configuration Manager

To view data from Network Configuration Manager, install the SolutionPack for EMC Network Configuration Manager in the EMC M&R platform.

Before you begin

Procedure

  1. Log in to the EMC M&R server with root privileges.
    For example, http://Frontend-hostname:58080/APG
  2. Select Administration.
  3. Select Centralized Management in the Administration tree.
  4. Select SOLUTIONPACK CENTER.
  5. Select the EMC Network Configuration Manager in the Browse and Install SolutionPacks screen.
  6. Read the summary information and click Install.
  7. Select the components to install.
    1. Accept the default name, emc-ncm, in the Instance name field.
    2. Select the EMC M&R server that will host the data collector in the Data collection list box.
    3. Select the EMC M&R server to host the reports in the Reports list box.
    4. Click Next.
  8. Accept the default values for the Data Collection and Alerting on Data Collection panes.
  9. Select the NCM server version in the NCM Version drop-down field in the Server Configuration pane.
  10. Select Device server or Combo Server in the NCM Server Type drop-down field and complete the fields depending on your deployment:
    Deployment Provide information for the following fields
    Device Server Select Device server in the NCM Server Type drop-down field.
    • Fully qualified System IP address or host name
    • System root user account and password
    • NCM System administrator user name (for example, sysadmin) and password. The NCM System credentials are required for certificate monitoring reports.
    Distributed deployment Select Combo Server for a distributed NCM server in the NCM Server Type drop-down field.

    For the Application Server,

    • Fully qualified System IP address or host name
    • System root user account and password
    • NCM System administrator user name (for example, sysadmin) and password. The NCM System credentials are required for certificate monitoring reports.

    To collect Database Server information, you also need:

    • NCM database IP address or host name
    • NCM database port number or accept the default port 5435
    • NCM database name in EMC M&R in the NCM instance name field or accept the default name
    • NCM database password

    Use the + icon to add one or more Device or Combo Servers.

    Application Server Select Combo Server in the NCM Server Type drop-down field.

    Complete the fields for the Application Server and Database Server as described for a distributed deployment.

  11. Optional, select the Configure collector advanced settings checkbox to configure the polling interval for data collection and also to configure the collection of different types of data, or accept the defaults.
    1. Set the polling interval from 300 to 2678400 seconds in the Polling period for DB and System data collection field or accept the default 900.
      The M&R polling interval determines the frequency of data collection. For example, the default 900 means that once in every 15 minutes, polling occurs and new raw values are collected.
    2. If you do not want the data to be collected, clear the selected checkbox for Compliance data, Jobs data, or Inventory data. The latest data collection will not occur for or be updated in:
      • Compliance reports like Standard Compliance Reports, Device Compliance Reports
      • Jobs reports like Active Job Report and Historical Job Reports
      • All inventory-related reports like database, interface reports
  12. Click Next on the Data Collection pane.
  13. In the Reports section, select the gateway and the administration web-service instance or accept the default values.
  14. Select Install to install the SolutionPack.

After you finish

Allow four to five polling cycles to pass before viewing reports.

Back to Top

Setting the IP address of the EMC M&R server

After you install the SolutionPack for EMC Network Configuration Manager, you must configure the IP address of the EMC M&R server in the NCM Application Server. If the EMC M&R IP address was already set during the NCM installation, skip this task.

Procedure

Follow these steps to set the IP address of the EMC M&R server in the NCM Application Server:
Operating system Steps
Linux
  1. Open the <Product directory>/db/controldb/data/pg_hba.conf file for editing.
  2. Add this line at the end of the pg_hba.conf file: host all all <EMC M&R IP address>/32 md5
  3. Save and exit the pg_hba.conf file.
  4. Type service controldb restart to restart the controldb service.
Windows
  1. Open the <Product directory>/db/controldb/data/pg_hba.conf file for editing.
  2. Add this line at the end of the pg_hba.conf file: host all all <EMC M&R IP address>/32 md5
  3. Save and exit the pg_hba.conf file.
  4. Navigate to Start > Administrative Tools > Services > NCM_Controldb to restart the controldb service.
Back to Top

Setting the collector heap memory size in the EMC M&R UI

Use the EMC M&R UI to set the collector heap memory size to run the SolutionPack reports. Since the SolutionPack for EMC Network Configuration Manager collects data from a large number of devices, you may need to increase the collector heap memory to a suitable level.

Before you begin

To determine the collector heap memory size for a network, use the latest ViPR SRM Deployment Planner (for example, ViPR SRM 3.6 SP2):

  1. Download the ViPR SRM Deployment Planner from the EMC Online Support website.
  2. For additional details about determining configuration size, refer to ViPR SRM Performance and Scalability Guidelines or EMC Service Assurance Suite SolutionPack Performance and Scalability Guidelines available on the EMC Online Support website.

Procedure

  1. Log in to EMC M&R with root privileges.
    For example, http://Frontend-hostname:58080/APG
  2. Go to Administration > Centralized Management > Logical Overview > Collecting > Collector-Manager::emc-ncm-<host-id>
  3. Expand Configuration Files.
  4. Scroll to the conf/unix-services.properties file or the conf/win-services.properties file.
  5. Edit the conf/unix-services.properties or conf/win-services.properties file by setting the collector heap memory value in the memory.max parameter.
    Set the value based on the Planner tool sizing information.
  6. Click Save.
  7. Click Restart in the Service Status pane to restart the collector-manager service.
Back to Top

Configuring Certificate Monitoring reports with NCM server running 9.4.0.1

Additional steps are required for the Certificate Monitoring reports to work on the NCM server running version 9.4 Patch 1 software. You must add the certificate from the voyencessl.keystore file in the NCM server to the keystore file in the EMC M&R server. If not, the logs show a certificate and communication error and the Certificate Monitoring reports are empty.

Before you begin

Install version 9.4 patch 1 software on the NCM server.

You do not need this procedure if you have installed the SolutionPack for Network Configuration Manager (NCM) version 2.0.3 and have installed NCM server 9.4 Patch 2. Instead, follow the instructions for Configuring Certificate Monitoring reports with NCM server running 9.4.0.2

Procedure

  1. Log in to the NCM host and run the command:
    #source /etc/voyence.conf
  2. Run the command as one line:
    $JAVA_HOME/bin/keytool -export -keystore $VOYENCE_HOME/conf/voyencessl.keystore -alias selfsigned -file <filename1>
  3. When prompted for a password, leave it blank and click Enter.
  4. Run the command as one line:
    $JAVA_HOME/bin/keytool -export -keystore $VOYENCE_HOME/conf/voyencessl.keystore -alias selfsigned-ip -file <filename2>
  5. When prompted for a password, leave it blank and click Enter.
  6. Copy <filename1> and <filename2> from the NCM server to the EMC M&R server.
  7. On the EMC M&R server, run:
    <EMC M&R_JAVA LOC>/bin/keytool -import -keystore <EMC M&R_JAVA LOC>/lib/security/cacerts -file <path/filename1> -alias selfsigned1
    Examples of <EMC M&R_JAVA LOC> are /opt/APG/Java/Sun-JRE/8.0u25 for Linux and C:\Program Files\APG\Java\Sun-JRE\8.0u25 for Windows.
  8. Type changeit for the password.
  9. Run the command:
    <EMC M&R_JAVA_LOC>/bin/keytool -import -keystore <EMC M&R_JAVA LOC>/lib/security/cacerts -file <path/filename2> -alias selfsigned2
  10. Type changeit for the password.
  11. Go to the <EMC_M&R_install>/bin directory and run the following command to restart all of the services:
    ./manage-modules service restart all
Back to Top

Configuring Certificate Monitoring reports with NCM server running 9.4.0.2

Additional steps are required for the Certificate Monitoring reports to work on the NCM server running version 9.4 Patch 2 software. These steps are required for accessing the WS API in NCM used by the Certificate Monitoring reports. Otherwise, the logs show certificate and communication errors and the Certificate Monitoring reports are empty.

Before you begin

Install version 9.4 patch 2 software on the NCM server. If you are using a third-party certificate, follow the procedures in

Configuring Certificate Monitoring reports with NCM server running 9.4.0.2 - third-party certificate installed

Procedure

  1. Log in to the NCM host and copy "$VOYENCE_HOME/conf/bundle.p12" to the EMC M&R destination machine where the WS API client is configured (for example, /opt).
  2. On the destination machine, type the following command as one line and press Enter:
    $APG_HOME/Java/Sun-JRE/8.0u31/bin>keytool -changealias -keystore "/opt/bundle.p12" -alias 1 -destalias newalias -storetype pkcs12
  3. Enter the keystore password.
    Type the PassPhrase entered during the NCM server installation.
  4. On the destination machine, type the following command as one line and press Enter.
     $JAVA_HOME/bin>keytool -importkeystore -srckeystore "/opt/bundle.p12" -destkeystore "$APG_HOME/Java/Sun-JRE/8.0u31/lib/security/cacerts" -srcstoretype pkcs12
  5. Enter the destination keystore password: changeit
  6. Enter the source keystore password.
    Type the PassPhrase entered during the NCM server installation.
    These results should display:
    Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled.
  7. Go to the <EMC_M&R_install>/bin directory and run the following command to restart all of the services:
    ./manage-modules service restart all
    The following exception message should no longer display in the collector logs (APG/Collecting/Collector-Manager/emc-ncm/logs):
    javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException: PKIX path building
    failed: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested
    target at
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Back to Top

Configuring Certificate Monitoring reports with NCM server running 9.4.0.2 - third-party certificate installed

Additional steps are required for the Certificate Monitoring reports to work on the NCM server running version 9.4 Patch 2 software. These steps are required for accessing the WS API in NCM used by the Certificate Monitoring reports. Otherwise, the logs show certificate and communication errors and the Certificate Monitoring reports are empty.

Before you begin

Install version 9.4 patch 2 software on the NCM server. If you are not using a third-party certificate, follow the procedures in

Configuring Certificate Monitoring reports with NCM server running 9.4.0.2

Procedure

  1. Log in to the NCM host and copy "$VOYENCE_HOME/conf/server.p12" to the EMC M&R destination machine where the WS API client is configured (for example, /opt).
    server.p12 will be generated when installing the third-party certificate using the SSL utility for NCM 9.4.0.2.
  2. On the destination machine, type the following command as one line and press Enter:
    $APG_HOME/Java/Sun-JRE/8.0u31/bin>keytool -changealias -keystore "/opt/server.p12" -alias 1 -destalias newalias -storetype pkcs12
  3. Enter the keystore password.
    Use the same password given during certificate installation.
  4. On the destination machine, type the following command as one line and press Enter.
     $JAVA_HOME/bin>keytool -importkeystore -srckeystore "/opt/server.p12" -destkeystore "$APG_HOME/Java/Sun-JRE/8.0u31/lib/security/cacerts" -srcstoretype pkcs12
  5. Enter the EMC M&R destination keystore password: changeit
  6. Enter the source keystore password.
    Use the source keystore password given during certificate installation.
    These results should display:
    Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled.
  7. Go to the <EMC_M&R_install>/bin directory and run the following command to restart all of the services:
    ./manage-modules service restart all
    The following exception message should no longer display in the collector logs (APG/Collecting/Collector-Manager/emc-ncm/logs):
    javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException: PKIX path building
    failed: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested
    target at
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Back to Top

Configuring access to Change Detail Reports

The first time you attempt to view a Change Detail Report, you will see a certificate warning message. To resolve the message and view the report, you need to accept the certificate and authenticate the msa-user account credentials to the NCM EDAA server. Depending on your browser, perform the steps in these troubleshooting topics to configure access to all Change Detail Reports:

The Change Detail Reports contain the configuration differences and audit trails for devices managed by NCM. These reports require access to an external URL. The external web application is hosted on the NCM EDAA (also called MSA) Tomcat server in your NCM deployment. The default user name is msa-user and the default password is sysadmin. To allow authentication to this application, a CAS authentication server is deployed along with ncm-msa service. When you try to access the Change Detail Reports, the UI prompts you for the username and password.

If needed, use this procedure to change the NCM EDAA password: Changing the NCM EDAA password to access Change Detail Reports

Back to Top

Changing the NCM EDAA password to access Change Detail Reports

To change the NCM EDAA password, you must do so from the NCM server where the NCM EDAA Tomcat server resides. For a distributed NCM server deployment, you need to change the password in the Application Server host.

Procedure

  1. Run [Product_directory]/tools/password-change.pl.
  2. Select the option [C]hange Single Password.
  3. Select msa-user from the list of users and enter the new password.
  4. Restart the vcmaster service by typing:
    service vcmaster restart
Back to Top

Confirming report creation

After you install a SolutionPack, you can view its reports.

To view the reports:

Procedure

  1. Go to User Interface > Report Library.
  2. Click the SolutionPack to view its reports.

Results

It may take up to an hour to display all relevant information in these reports.

Back to Top

Troubleshooting

Report display problems

Back to Top

Troubleshooting Change Detail Report certificate errors in Chrome

A certificate error displays when connecting to the Change Detail Report from EMC M&R in the SolutionPack for EMC Network Configuration Manager.

Note Image
Firefox is the recommended browser for viewing reports in the EMC M&R SolutionPack. If the problems with Chrome persist, try using a different browser.

The steps may vary slightly depending on your browser version.

Procedure

  1. On the report that generates the SSL error message, right-click and select View frame source.
  2. In the View Frame Source tab, click Advanced.
  3. Click Proceed to <Server name/IP address>.
  4. Wait for the content to load.
  5. Go back to the report, right-click and select Reload frame.
  6. In the EMC Smarts Network Configuration Manager authentication pane, log in to the NCM EMC Data Access API (EDAA) with the msa-user account credentials (defaults: msa-user/sysadmin).
    The report displays in the frame.
Back to Top

Troubleshooting Change Detail Report certificate errors in Firefox

A certificate error displays when connecting to the Change Detail Report from EMC M&R in the SolutionPack for EMC Network Configuration Manager.

The steps may vary slightly depending on your browser version.

Procedure

  1. On the report that generates the This Connection is Untrusted error message, right-click and select This Frame > Open Frame in New Tab.
  2. Click I understand the Risks.
  3. Click Add Exception.
  4. Click Confirm Security Exception.
  5. Go back to the report, right-click and select This Frame > Reload Frame.
  6. In the EMC Smarts Network Configuration Manager authentication pane, log in to the NCM EMC Data Access API (EDAA) with the msa-user account credentials (defaults: msa-user/sysadmin).
    The report displays in the frame.
Back to Top

Troubleshooting Change Detail Report certificate errors in Internet Explorer

A certificate error displays when connecting to the Change Detail Report from EMC M&R in the SolutionPack for EMC Network Configuration Manager.

Note Image
Firefox is the recommended browser for viewing reports in the EMC M&R SolutionPack. If the problems with Internet Explorer persist, try using a different browser.

The steps may vary slightly depending on your browser version.

Procedure

  1. On the report that generates the Content was blocked error message, click Show Content.
  2. Click Proceed to the Page.
  3. Click the certificate error and select View Certificate.
  4. Follow the prompts to save the certificate under Trusted Root Certificates.
  5. Log in to the EMC M&R server (defaults: admin/changeme).
  6. Go back to the report.
  7. In the EMC Smarts Network Configuration Manager authentication pane, log in to the NCM EMC Data Access API (EDAA) with the msa-user account credentials (defaults: msa-user/sysadmin).
    The report displays in the frame.
Back to Top

What to do if data does not appear in any reports

Procedure

  1. After the completion of at least three collection cycles, verify if data is populating into the reports. If there is still no data in the reports, continue to the next step.
  2. Run the scheduled task to import data into reports. If there is still no data in the reports, continue to the next step.
  3. To view the log files for errors, go to Centralized Management and click Logical Overview > Collecting > Collector-Manager::<instance name> > Log Files.
Back to Top

Running a scheduled task to import data into reports

After you push a new configuration into a collector, a scheduled task runs and populates the reports with new data. You can manually run the scheduled task to import the data more quickly.

Before you begin

Allow at least three polling cycles to pass before manually running the scheduled task.

Procedure

  1. Click Administration.
  2. Click Centralized Management.
  3. Expand Scheduled Tasks.
  4. Click Database.
  5. Select the import-properties-Default task.
  6. Click Run Now.
  7. Confirm success in running the task in the Last Result and Last Result Time columns.
Back to Top

What to do if data does not appear in some reports

Procedure

  1. Run the scheduled task to import data into reports. If there is still no data in the reports, continue to step 2.
  2. Search for the metric in the database.
  3. To view the log files for errors, go to Centralized Management and click Logical Overview > Collecting > Collector-Manager::<instance name> > Log Files.
Back to Top

Searching for metrics in the database

You can verify that a metric is being collected and used for reporting when you search and find the metric in the database.

Procedure

  1. Go to the Administration page.
  2. Under Modules, click Management of Database Metrics.
  3. On the Metric Selection page, create the filter, type the number of results, and select the properties to display for the metric.
    For example, to list up to 100 results of the Capacity metric with the properties of device and IP, type name=='Capacity' in the Filter field, 100 in the Maximum results field, and select device and IP for the Properties to show.
  4. Click Query.
    A list of the metric results appears. If nothing displays, the metric is not being collected.
Back to Top

Viewing collector errors in the Collector-Manager log files

Review the Collector-Manager log files to troubleshoot problems with data collection.

Procedure

  1. Click Administration.
  2. Click Centralized Management > Logical Overview.
  3. Expand Collecting.
  4. Click the Collector-Manager for your collector instance.
    Collector-Manager::<Collector-Manager instance> - <host_ID>
  5. Expand Log Files and click the View File icon to review the error messages.
Back to Top

Troubleshooting a broken connection between NCM and EMC M&R

You can analyze the SolutionPack for EMC Network Configuration Manager logs in EMC M&R to troubleshoot a broken connection.

Procedure

  1. Log in to the EMC M&R server.
  2. Go to the /opt/APG/Collecting/Collector-Manager/<ncm_instance_name>/logs directory to view the log files.
    For Linux, navigate to your emc-ncm instance and check the log files, /opt/APG/Collecting/Collector-Manager/<emc-ncm-instance-name>/logs/collecting-0-0.log
    For Windows, navigate to C:\Program Files\APG\Collecting\Collector-Manager\<emc-ncm-instance-name>\logs\collecting-0-0.log
Back to Top