
PATROL Central Operator Web Edition

Getting Started

Supporting
- PATROL Central Web Edition 7.8.10
- PATROL Central Operator Web Edition 7.8.10
- PATROL Central Administration Web Edition 7.8.10
December 2010

www.bmc.com

Contacting BMC Software


You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information about the company, its products, corporate offices, special events, and career opportunities.

United States and Canada


Address: BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA
Telephone: 713 918 8800 or 800 841 2031
Fax: 713 918 8000

Outside United States and Canada


Telephone: (01) 713 918 8800
Fax: (01) 713 918 8000

Copyright 2010 BMC Software, Inc. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. UNIX is the registered trademark of The Open Group in the US and other countries. The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User License agreement for the product and to the proprietary and restricted rights notices included in the product documentation.

Restricted rights legend


U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2101 CITYWEST BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address.

Customer support
You can obtain technical support by using the BMC Software Customer Support website or by contacting Customer Support by telephone or e-mail. To expedite your inquiry, see Before contacting BMC.

Support website
You can obtain technical support from BMC 24 hours a day, 7 days a week at http://www.bmc.com/support. From this website, you can
- read overviews about support services and programs that BMC offers
- find the most current information about BMC products
- search a database for issues similar to yours and possible solutions
- order or download product documentation
- download products and maintenance
- report an issue or ask a question
- subscribe to receive proactive e-mail alerts when new product notices are released
- find worldwide BMC support center locations and contact information, including e-mail addresses, fax numbers, and telephone numbers

Support by telephone or e-mail


In the United States and Canada, if you need technical support and do not have access to the web, call 800 537 1813 or send an e-mail message to customer_support@bmc.com. (In the subject line, enter SupID:<yourSupportContractID>, such as SupID:12345). Outside the United States and Canada, contact your local support center for assistance.

Before contacting BMC


Have the following information available so that Customer Support can begin working on your issue immediately:
- product information
  - product name
  - product version (release number)
  - license number and password (trial or permanent)
- operating system and environment information
  - machine type
  - operating system type, version, and service pack or other maintenance level such as PUT or PTF
  - system hardware configuration
  - serial numbers
  - related software (database, application, and communication) including type, version, and service pack or maintenance level
- sequence of events leading to the issue
- commands and options that you used
- messages received (and the time and date that you received them)
  - product error messages
  - messages from the operating system, such as file system full
  - messages from related software

Contents

Chapter 1  Components and capabilities
- Components of the console
- PATROL Central
- PATROL Central Operator
- PATROL Central Administration
- PATROL Central Operator features
- How the console fits into PATROL
- Related documentation
- Accessing online Help
- Where to go from here

Chapter 2  Installing PATROL Central console
- Determining which components to install
- Verifying system requirements
- System requirements
- PATROL environment
- Firewall configuration information
- Considerations for determining which Web server to use
- Determining how to install products
- About the installation utility
- About the Distribution Server
- Required information for installing PATROL Central Operator Web Edition
- Installation directory
- PATROL 3.x product directory
- Web server
- Root login and password (UNIX only)
- PATROL Console Server
- Web server user name and group (Apache and Tomcat only)
- Certificate information (IIS only)
- Certificate information (Apache and Tomcat only)
- RTSERVERS variable
- Security information
- Tomcat shutdown port
- Apache-Tomcat protocol version 13 port (IIS and Apache only)
- Prerequisites for installing PATROL Central Operator Web Edition on IIS 7 and 7.5
- ISAPI Extensions for IIS on Windows Server
- Enabling IIS to run 32-bit and 64-bit PATROL Central Operator Web Edition
- Configuring application pool on IIS 7 and 7.5
- Configuring the generic error page on IIS
- Setting SSL port on IIS 7 and 7.5
- Web server HTTP and HTTPS ports
- IIS Web site instance (IIS only)
- Trimming Apache Web server log files (Apache only)
- Installation worksheets
- General worksheet
- Worksheet for IIS web server
- Worksheet for Apache web server
- Worksheet for Tomcat standalone web server
- Upgrading versus first-time installation
- Installation procedures
- Installing PATROL Central Operator on Windows
- Installing PATROL Central Operator on UNIX
- Directory structure
- Backing up and restoring PATROL Central and Console modules
- Where to go from here

Chapter 3  Monitoring your enterprise with PATROL Central Operator
- Web browser requirements
- Solaris OS patches
- About the Java plug-in
- About accepting the certificate
- Using Internet Explorer version 6 on Windows 2003
- Setting up your monitoring environment
- Accessing PATROL Central
- The PATROL Central console infrastructure
- Accessing PATROL Central Operator
- Setting a console timeout value
- Customizing the splash screen
- Creating Your Management Profile
- Connecting to a PATROL Console Server and selecting a management profile
- Adding managed systems
- Loading PATROL KMs
- Viewing object information
- Licensing information
- Viewing active user statistics
- Viewing blackout information
- Where to go from here

Chapter 4  Administering users of PATROL Central Operator
- About accounts and groups in the PATROL environment
- About accounts
- About groups and users
- About managed system groups
- General considerations for setting up users and groups
- Example steps for setting up user accounts and groups
- Example steps for setting up managed system groups
- Example steps for setting up managed system groups to avoid account lockouts
- About PATROL Central Administration
- Starting PATROL Central Administration and connecting to a PATROL Console Server
- Administering aliases and impersonations
- About the user authentication process
- Example scenario for a single account for all managed systems
- Example scenario for different accounts according to location
- Example scenario for different accounts according to application
- Example scenario for a single account for all managed systems but one
- Example scenario for restricted and privileged accounts on several managed systems
- Administering rights and permissions
- About assigning rights and permissions
- Predefined groups on the PATROL Console Server
- Rights used in PATROL Central Operator
- Permissions used in PATROL Central Operator
- Using access control lists to manage permissions
- Rights and permissions for special users
- How predefined rights and permissions determine group roles
- Using the predefined groups
- Example scenario for granting rights
- Example scenario for simple sharing of management profiles
- Example scenario for advanced sharing of management profiles
- Using ACLs
- About the ACL evaluation process
- Using ACLs on managed system groups
- Using ACLs on KM products
- Using ACLs on menu commands

Chapter 5  Configuring the PATROL Central Console environment
- Starting and stopping related programs
- Starting and stopping the RTserver
- Starting and stopping the PATROL Agent
- Starting and stopping the PATROL Console Server
- Managing services on Windows
- Starting and stopping PATROL Central Operator Web Edition
- Starting and stopping PATROL Central Operator Web Edition on Windows
- Starting and stopping PATROL Central Operator Web Edition on UNIX
- Verifying the installation and execution of the Web server and related components
- Changing Tomcat standalone Web server ports
- Changing Apache web server ports
- Changing IIS web server ports
- Changing the Java plug-in version after installation
- Where to go from here

Chapter 6  Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x
- Compatibility and functionality
- PATROL Agent compatibility
- KM compatibility
- Developer functionality
- Differences between PATROL 3.x Consoles and PATROL Central Operator
- Communications with managed systems
- Session and desktop files versus management profiles
- Terminology
- User administration
- User names and passwords for managed systems
- Computer name and port number versus managed system name
- Event types
- Overrides versus customizations
- State change actions
- KM version arbitration
- Chart history
- Location of task icons
- KM in the PATROL object namespace
- Running menu commands and InfoBox commands
- Migrating console information from PATROL Console for Windows or PATROL Console for UNIX

Appendix A  Troubleshooting PATROL Central Operator
- Common problems
- Installation problems
- Web server problems
- General usage problems
- Gathering diagnostic information
- Where to find diagnostic information
- Installation logs
- Web server logs
- Client logs
- Checking which PATROL Central ports are in use on UNIX
- Obtaining version, system, and contact information
- Dealing with web server issues

Appendix B  Enhancing web server security
- The Apache web server: keystore password, certificates, and modes
- About the keystore password and the Apache policy file
- Replacing the self-signed certificate
- About attended and unattended modes for the Apache web server

Appendix C  Modifying initialization settings after installation
- The startup configuration file
- About modifying the startup configuration file
- What you may modify in the startup.cfg file

Appendix D  Environment variables

Index

Figures
- PATROL Central Operator and the PATROL architecture single-cloud configuration
- PATROL Central Operator and the PATROL architecture multi-cloud configuration
- Hierarchy of objects in PATROL Central Administration

Tables
- Components to install
- User accounts and groups on PATROL Console Server and managed systems
- Example scenarios for managing access
- Predefined PATROL groups on the PATROL Console Server
- Predefined right assignments
- Permissions for management profiles
- Permissions for managed systems
- Permissions for managed system groups
- Permissions for KMs
- Abilities of members of the predefined groups
- Terminology differences between PATROL 3.x Consoles and PATROL Central Operator
- Event types for PATROL 3.x consoles versus PATROL Central Operator
- Summary of where to find diagnostic information

Chapter 1

Components and capabilities

This chapter provides an overview of PATROL Central Operator Web Edition. This chapter contains the following topics:
- Components of the console
- PATROL Central
- PATROL Central Operator
- PATROL Central Administration
- PATROL Central Operator features
- How the console fits into PATROL
- Related documentation
- Accessing online Help
- Where to go from here

Components of the console


The console for PATROL Central Operator Web Edition provides the graphical interface and supporting applications that you use to monitor systems managed by PATROL. This console includes the following components:
- PATROL Central Web Edition (PATROL Central) is a console that hosts console modules, which provide additional functionality.
- PATROL Central Operator Web Edition (PATROL Central Operator) is a console module for PATROL Central. It provides the majority of the functionality for monitoring PATROL.
- PATROL Central Administration Web Edition (PATROL Central Administration) is a console module for PATROL Central. It provides administration of user access to PATROL.

PATROL Central
The Web Edition of PATROL Central provides a single, consistent, web-based interface for the functionality provided by console modules, such as PATROL Central Operator and PATROL Central Administration. The Web Edition of PATROL Central and its console modules are installed on a centralized computer shared by multiple users who access PATROL Central using a web browser. The user must load individual console modules to use their functionality.

PATROL Central Operator


PATROL Central Operator is the console module for the PATROL Central console that you use to monitor PATROL. You can use PATROL Central Operator to
- view the state of your distributed environment
- select which managed systems and applications you want to monitor
- view all the monitored resources in your distributed environment as icons or in lists
- organize your monitoring environment with shortcuts, custom views, folders, and charts
- run predefined and user-defined commands and tasks on managed systems
- customize select properties of PATROL objects, such as the alarm ranges of parameters
- view, acknowledge, close, and delete PATROL events
- query for PATROL objects, based on object type and state
- run commands when a monitored resource changes state
- retrieve and delete historical data
- view active user statistics

NOTE
PATROL developer functionality is not supported by PATROL Central Operator. For development functionality, you must use the PATROL Console for Microsoft Windows or PATROL Console for UNIX in developer mode.

PATROL Central Administration


PATROL Central Administration is the console module for the PATROL Central console that you use to administer user access to PATROL. You can use PATROL Central Administration to
- retrieve and work with any group or user that is known to the PATROL Console Server to which you connect
- configure the alias and impersonation tables that allow users to connect to managed systems on which they do not have accounts
- define impersonation tables that are global to all members of a managed system group
- assign rights, which control access to console functionality, to groups and users
- allow and deny access to specific objects in PATROL for groups and users
- use managed system groups to manage ACLs on all managed systems in the group


PATROL Central Operator features


The Web Edition of PATROL Central Operator is a cross-platform, Web-based console for use with the PATROL 7.x architecture. You can use it to monitor and manage an entire enterprise-wide information system or a collection of workstations, server computers, and single computers.

PATROL 7.x architecture


PATROL Central Operator is part of the PATROL 7.x architecture. It communicates with PATROL Agents through the Real Time server (RTserver) and the PATROL Console Server. The PATROL Console Server acts as a centralized repository for storing PATROL Central Operator data in management profiles and serves as a midlevel tier to deliver data from managed systems to PATROL Central Operator, thereby reducing network traffic. For more information about PATROL Console Server and RTserver, see the PATROL Console Server and RTserver Getting Started.

System monitoring and managing


From PATROL Central Operator, you can view the state of resources, such as managed systems, applications, and parameters that are managed by PATROL. You can also perform basic PATROL operator console functions on those objects, such as parameter customizations, event management, managed system queries, and KM commands.

Custom views
You can create custom views in your management profile. A custom view is a single window that can display multiple objects. For example, you can create a custom view to display the charts of several parameters together.

How the console fits into PATROL


The Web Edition of PATROL Central provides an integrated Web-based interface for its console modules. Both the console infrastructure and console modules are installed on the Web server.


Like other consoles for PATROL, the PATROL Central console (with the PATROL Central Operator and PATROL Central Administration console modules) provides a window into your PATROL environment. Unlike older consoles for PATROL, it does not communicate directly with managed systems. Instead, the console uses a three-tier architecture:

- the managed system tier (PATROL managed nodes)
  This tier includes the PATROL Agent.
- the common services tier (mid-level)
  This tier includes PATROL Central Web Edition as well as the PATROL Console Server and RTserver, which provide for shared communications and centralized administration.
- the console systems tier (end-user consoles, viewers, utilities)
  This tier includes the web browser clients that connect to PATROL Central Web Edition, as well as any PATROL Central Windows consoles.

Figure 1 on page 20 and Figure 2 on page 21 show the relationship between the Web Edition of PATROL Central console and other PATROL infrastructure components. Almost all of the information that you view in the console ultimately comes from the individual managed systems. However, all communication between the console and the managed systems is facilitated by the PATROL Console Server and Real-Time Server (RTserver) cloud.

NOTE
For a more complete understanding of PATROL architecture, see the PATROL Fundamentals online Help. For more information about how the Web Edition of PATROL Central compares to other consoles for PATROL, see the document Choosing a PATROL Console.

Chapter 1

Components and capabilities


Figure 1. PATROL Central Operator and the PATROL architecture: single-cloud configuration

[Diagram: Console Systems (Web browser); Common Services (PATROL Central Web Edition with PATROL Central Operator, PATROL Central Administration, and other console modules; RTserver cloud; PATROL Console Server); Managed Systems (PATROL Agents, all supported versions; install PATROL solutions (KMs) on each system). PATROL products and solutions may require additional files installed throughout the infrastructure.]


Figure 2. PATROL Central Operator and the PATROL architecture: multi-cloud configuration

[Diagram: Console Systems (Web browser); Common Services (PATROL Central Web Edition with PATROL Central Operator, PATROL Central Administration, and other console modules; PATROL Console Server); several RTserver clouds; Managed Systems (several groups of PATROL Agents, all supported versions; install PATROL solutions (KMs) on each system). PATROL products and solutions may require additional files installed throughout the infrastructure.]

Related documentation
PATROL Central, PATROL Central Operator, and PATROL Central Administration are supported by the following documents:
- PATROL Central Operator Web Edition Getting Started Guide
- PATROL Central Operator Web Edition Release Notes
- PATROL Central Web Edition online Help
- PATROL Central Operator Web Edition online Help
- PATROL Central Administration Web Edition online Help
- PATROL Fundamentals online Help
- PATROL Installation Reference Manual
- PATROL Console Server and RTserver Getting Started Guide
- PATROL Security Release Notes
- PATROL Security User Guide
- PATROL Console Migration Tool Release Notes
- PATROL Central Console Comparison technical bulletin
- PATROL Central Infrastructure Best Practices Guide

Like most BMC Software documentation, this book and the documents listed above are available in printed and online formats. Visit the BMC Software Customer Support page at http://www.bmc.com/support_home to request additional printed books or to view online books and notices (such as release notes and technical bulletins). Some product shipments also include the online books on a documentation CD.

NOTE
Online books are formatted as Portable Document Format (PDF) or HTML files. To view, print, or copy PDF books, use the free Acrobat Reader from Adobe Systems. If your product installation does not install the reader, you can obtain the reader at http://www.adobe.com.

Accessing online Help


Online Help provides detailed instructions on how to use the PATROL Central console, PATROL Central Operator, and PATROL Central Administration. It also provides reference information on Knowledge Modules (KMs). The following table describes a variety of methods for accessing online Help.


| For help with this topic | Do this |
|---|---|
| the PATROL Central Console | 1. From the main menu, choose Help => Help Topics. 2. In the Contents tab, select PATROL Central. |
| individual console modules, such as PATROL Central Operator or PATROL Central Administration | In the upper-right corner of the PATROL Central interface, click the Help icon and choose the topics for PATROL Central Operator or PATROL Central Administration. |
| dialog boxes | Click the Help button on the dialog box that you want help on. |
| fields in a dialog box | Perform one of the following actions: 1. Select the field and press F1. 2. Click the question mark in the corner of the dialog box, then click the field. 3. Right-click the field. |
| menu and toolbar commands | Perform one of the following actions: 1. Select the field and press F1. 2. Click the Help button on the PATROL Central toolbar, then click the menu or toolbar command. |
| PATROL Central and console module pages, including fields | In the toolbar area, click the page help icon. |
| PATROL Knowledge Modules | In the upper-right corner of the PATROL Central interface, click the Help icon and choose PATROL KM Help. |
| application instances and classes | In the tree view area, right-click the application instance or class and choose Help. |
| parameters | In the tree view area, right-click the parameter and choose Help. |

Where to go from here


| For information about this topic | See |
|---|---|
| installing PATROL Central Operator | Chapter 2, Installing PATROL Central console and the PATROL Installation Reference Manual |
| monitoring and managing with PATROL Central Operator | Chapter 3, Monitoring your enterprise with PATROL Central Operator |
| setting up accounts and groups, administrating aliases, impersonations, rights, and permissions | Chapter 4, Administering users of PATROL Central Operator |
| configuring other PATROL programs and computers to work with PATROL Central Operator and running the Web server | Chapter 5, Configuring the PATROL Central Console environment |
| using both PATROL 3.x console and PATROL Central Operator, or moving from a PATROL 3.x console | Chapter 6, Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x |
| troubleshooting issues related to installing and configuring PATROL Central Operator, Web server problems, and general usage | Chapter A, Troubleshooting PATROL Central Operator |
| enhancing security for the Apache Web server | Appendix B, Enhancing web server security |
| modifying initialization settings | Appendix C, Modifying initialization settings after installation |
| using environment variables | Appendix D, Environment variables |

Chapter 2

Installing PATROL Central console


This chapter provides information that you need to install the PATROL Central console, including the PATROL Central Operator and PATROL Central Administration console modules. For more information about how to run the installation program and the differences between types of installations, see the PATROL Installation Reference Manual.

This chapter contains the following topics:

- Determining which components to install
- Verifying system requirements
- System requirements
- PATROL environment
- Firewall configuration information
- Considerations for determining which Web server to use
- Determining how to install products
- About the installation utility
- About the Distribution Server
- Required information for installing PATROL Central Operator Web Edition
- Installation directory
- PATROL 3.x product directory
- Web server
- Root login and password (UNIX only)
- PATROL Console Server
- Web server user name and group (Apache and Tomcat only)
- Certificate information (IIS only)
- Certificate information (Apache and Tomcat only)
- RTSERVERS variable
- Security information
- Tomcat shutdown port
- Apache-Tomcat protocol version 13 port (IIS and Apache only)
- Prerequisites for installing PATROL Central Operator Web Edition on IIS 7 and 7.5
- ISAPI Extensions for IIS on Windows Server
- Enabling IIS to run 32-bit and 64-bit PATROL Central Operator Web Edition
- Configuring application pool on IIS 7 and 7.5
- Configuring the generic error page on IIS
- Setting SSL port on IIS 7 and 7.5
- Web server HTTP and HTTPS ports
- IIS Web site instance (IIS only)
- Trimming Apache Web server log files (Apache only)
- Installation worksheets
- General worksheet
- Worksheet for IIS web server
- Worksheet for Apache web server
- Worksheet for Tomcat standalone web server
- Upgrading versus first-time installation
- Installation procedures
- Installing PATROL Central Operator on Windows
- Installing PATROL Central Operator on UNIX
- Directory structure
- Backing up and restoring PATROL Central and Console modules
- Where to go from here

Determining which components to install


Table 1 lists components that must be installed as part of the console.

Table 1. Components to install

| Component | Comments |
|---|---|
| PATROL Central | This component provides the console in which you launch console modules, such as PATROL Central Operator and PATROL Central Administration. It is automatically installed when you install a console module. |
| PATROL Central Operator | This is the primary component of PATROL Central Operator. It is a console module for PATROL Central. |
| PATROL Central Administration | This component provides administration of user access to PATROL. It is a console module for PATROL Central. |

Verifying system requirements


Before you install the console, ensure that the system requirements documented in the PATROL Central Operator Web Edition Release Notes have been met. These requirements include the requirements for installing PATROL Central, including both the PATROL Central Operator and PATROL Central Administration console modules.

System requirements
The PATROL Central Operator Web Edition Release Notes lists the system requirements for PATROL Central Operator Web Edition. For more information about requirements for different profile sizes, see the PATROL Central Infrastructure Best Practices Guide. You do not need to install any PATROL Central Operator components on client computers. For requirements for client computers, see Web browser requirements on page 66.

Scalability guidelines
Use the following guidelines to determine how many PATROL Central Web servers to use.

- Implement one PATROL Central Web server for each location.
- Implement one PATROL Central Web server for approximately every 15 or 20 Web browser clients. This number varies, depending on what the Web browser clients are used for and the performance burden being placed on the Web server.

TIP
For best performance, especially in a large environment, install PATROL Central and its console modules on a dedicated computer. For information on scalability considerations, see the PATROL Central Infrastructure Best Practices Guide.

PATROL environment
You must have a PATROL environment that includes the following components:
- PATROL Agent (all supported versions) installed on managed systems
- PATROL KMs
- PATROL Console Server 7.7.00 or later
- RTserver 6.8.20 or later

You can install the console before installing these components; however, you cannot use the console until all the components are installed. You do not have to install these components on the same computer where you install PATROL Central Operator Web Edition.

The size of your environment and the number of concurrent users determine the number of PATROL Console Servers and RTservers you need.

For more information on installing PATROL Console Server and RTserver, see the PATROL Console Server and RTserver Getting Started. For more information on sizing and planning your installation environment, see the PATROL Central Infrastructure Best Practices Guide. For more information on installing the PATROL Agent and PATROL KMs, see the getting started guide for the KM or Solution you are installing.

Firewall configuration information


For information about using firewalls in your PATROL environment, see the PATROL Central Infrastructure Best Practices Guide.

Considerations for determining which Web server to use


The PATROL Central console infrastructure requires a Web server.
| Platform | Available web servers |
|---|---|
| Windows | IIS version 6.0 (32-bit and 64-bit) for Windows 2003, version 7.0 (32-bit and 64-bit) for Windows 2008, or version 7.5 (64-bit) for Windows 2008 R2, with Tomcat servlet container |
| Windows | Tomcat version 6.0.26 standalone (not recommended for production environments) |
| UNIX | Apache version 2.2.6 with Tomcat servlet container |
| UNIX | Tomcat version 6.0.26 standalone (not recommended for production environments) |

WARNING
Do not install Tomcat 6.0.26 in standalone mode with PATROL Central Operator - Web Edition version 7.7.00 or later if you are going to install PATROL End-to-End Response Timer. Tomcat prevents PATROL End-to-End Response Timer from working correctly. Instead, install PATROL Central Operator - Web Edition with IIS or Apache integration.

About the Tomcat servlet container


The Tomcat servlet container is installed and used with PATROL Central, regardless of the Web server that you choose. This servlet container runs Java code for PATROL Central.

IIS Web server with Tomcat servlet container (Windows)


If you choose to integrate with Microsoft Internet Information Services (IIS), IIS must already be installed on the computer on which you want to install PATROL Central. The Tomcat servlet container will be installed and used when you install PATROL Central. The installation will add a virtual directory and an ISAPI filter, both named PATROLCentralWebEdition, to the selected IIS Web Site instance. The ISAPI filter redirects execution of Java pages to the Tomcat servlet container.

IIS must be configured to support HTTPS. For specific instructions, consult your IIS documentation. As part of the process, you configure IIS with either a self-signed or a trusted root certificate from a certificate authority. The certificate is required to enable Secure Sockets Layer (SSL) for the Web server. For more information about certificates, see About certificates on page 31. For more information about obtaining and installing a certificate, see Certificate information (IIS only) on page 35.

Apache Web server with Tomcat servlet container (UNIX)


If you choose to integrate with Apache version 2.2.6, both Apache and the Tomcat servlet container will be installed and used with PATROL Central. A new instance of Apache will be installed, even if there already is an instance of Apache on the computer. If there will be multiple Web servers on the computer, you must make certain that they do not use conflicting ports. For more information, see Web server HTTP and HTTPS ports on page 46. A self-signed certificate is created for you, using information that you enter during the install. However, this certificate is not signed by a trusted root. You might want to replace it with a certificate from a certificate authority. For more information about the information you must provide for the certificate, see Certificate information (Apache and Tomcat only) on page 36.

TIP
For more information about Apache, see the Apache HTTP Server Web site at http://httpd.apache.org or the Apache documentation installed with Apache at http://hostname:port/manual, where hostname is the name of the server, and port is its HTTP port.

Tomcat standalone Web server (Windows or UNIX)


If you choose to use the Tomcat standalone Web server, then Tomcat, including the Tomcat servlet container, will be installed and used with PATROL Central. A new instance of Tomcat will be installed, even if there already is an instance of Tomcat on the computer. If there will be multiple Web servers on the computer, you must make certain that they do not use conflicting ports. For more information, see Web server HTTP and HTTPS ports on page 46. A self-signed certificate is created for you, using information that you enter during the install. This certificate is sufficient for use in a test environment. For more information about the information you must provide for the certificate, see Certificate information (Apache and Tomcat only) on page 36.

NOTE
Good practice recommends that the Tomcat standalone Web server not be used in production environments. The Tomcat standalone Web server is more commonly used as a development server.

TIP
For more information about Tomcat, see the Tomcat Project Web site at http://tomcat.apache.org/ or the Tomcat documentation installed with Tomcat at http://hostname:port/tomcat-docs, where hostname is the name of the server, and port is its HTTP port.

About certificates
A Web server requires a digital certificate, which identifies the source of online transactions. This certificate is contained in a keystore for the Web server. Which Web server you use and the level of security you want determine the type of certificate you use. A certificate can be self-signed or provided by a certificate authority. A self-signed certificate provides encryption, which assures the confidentiality of the data across the network, but a certificate provided by a certificate authority provides the browser user with more confidence that the server delivering the certificate is authentic. A certificate authority, also referred to as the certificate signing authority, is a trusted public or private organization that signs certificates using a private key unique to their organization. A certificate is validated by a hierarchy of certificate authorities that approve the certificate. This process is called a chain of trust. The final certificate authority in the chain is called the trusted root certificate authority or trusted root. Web browsers maintain a list of trusted certificate authorities. Not all certificate authorities are listed in a web browser. The list of trusted certificate authorities can differ between browsers and browser versions. Certificates also contain the name of the Web site to ensure that they are not arbitrarily moved. The Web browser will notify the user if the Web site in the certificate does not match the URL being viewed.

Determining how to install products


The products and components covered in this document were designed to be installed by using the BMC Software installation utility or the Distribution Server.

About the installation utility


The BMC Software installation utility runs in a Web browser. You can use the installation utility to perform a local installation or uninstallation. The installation utility includes the following features. For more information, see the PATROL Installation Reference Manual.
- You can install to remote computers in your environment by creating an installable product image that can be transferred to and installed locally on those computers.
- You can install to a computer that does not have a Web browser by launching the installation utility from a command line and specifying the -serveronly command line option. This option starts the installation Perl HTTP server on the computer that does not have a browser, and you can then connect to that server using a browser on another computer.

Details for installing products locally are included in this chapter. For details about creating, distributing, and installing installable images, see the PATROL Installation Reference Manual.

About the Distribution Server


The Distribution Server is a BMC Software product for distributing products from a central server to multiple computers. PATROL Central Operator Web Edition is supported by the Distribution Server. For details about using the Distribution Server, see the Distribution Server Getting Started. If you choose to use the Distribution Server, you will need the same product-specific information that is used for installing products locally with the installation utility.

Required information for installing PATROL Central Operator Web Edition


You need to know the information in this section before installing PATROL Central Operator Web Edition.

Installation directory
The base installation directory is the location where you will install all products that you select. Additional directories will be created under the base installation directory. The installation directory must be the same installation directory that is used by other BMC Software products, such as the PATROL Agent or PATROL Console Server, on the same computer. The default installation directory on Windows is homedrive:\Program Files\BMC Software. The default installation directory on UNIX is /opt/bmc. This directory is stored as the $BMC_ROOT (UNIX) or %BMC_ROOT% (Windows) environment variable.

NOTE
All BMC Software products installed on the same computer must share the same installation directory because the products share the BMC_ROOT environment variable.

NOTE
The installation program creates a sub-directory for PATROL Central under the base installation directory. On Windows, the sub-directory is WebCentral. On UNIX, the subdirectory is webcentral. The installation program creates an OpenSSL binary in the installation directory. This OpenSSL binary needs to be handled manually whenever you upgrade or remove Apache web server.

PATROL 3.x product directory


For an installation on a computer without any existing PATROL 3.x products, the PATROL 3.x product directory is located under the main installation directory. PATROL 3.x products are installed to this directory.

The default for this directory is Patrol3. If there are PATROL 3.x products installed in a different directory, you must specify that directory as the PATROL 3.x product directory.

Web server
You must select which Web server to use. For more information, see Considerations for determining which Web server to use on page 29.

Root login and password (UNIX only)


On UNIX, you must specify the Root login name and password.

PATROL Console Server


Both the PATROL Central console infrastructure and individual console modules use PATROL Console Servers. A PATROL Console Server can serve different purposes for PATROL Central and each console module.
- PATROL Central uses a PATROL Console Server as a security server to authenticate users. Only users who have accounts known to that PATROL Console Server can use PATROL Central or any of its console modules.
- Individual console modules can use the same PATROL Console Server as PATROL Central or additional PATROL Console Servers, depending on the console module. For example, in PATROL Central Operator, users can open management profiles on the PATROL Console Server used by PATROL Central or other PATROL Console Servers.

You specify the PATROL Console Server for PATROL Central during the install of PATROL Central. For information about changing this PATROL Console Server after installation, see Appendix C, Modifying initialization settings after installation.

TIP
You identify a PATROL Console Server by name. By default, this name is the host name of the PATROL Console Server; however, a different name can be specified when starting the PATROL Console Server. Do not use the IP address.

You can use additional PATROL Console Servers with individual console modules by including them in the RTserver cloud. For more information, see the PATROL Console Server and RTserver Getting Started. For more information about setting up user accounts on PATROL Console Servers, see General considerations for setting up users and groups on page 88. For more information about the role of the PATROL Console Server, see the PATROL Console Server and RTserver Getting Started.

Web server user name and group (Apache and Tomcat only)
Before you install PATROL Central, you must create an operating system account for the Web server. If you have already installed BMC Software products and created a base installation directory, BMC Software recommends you use the same account to install PATROL Central Web Edition. The installation will ask you for the user name for the account. You must ensure that the account used for installation has write permissions in the base installation directory. On UNIX, you must also be logged on as this account when you run the install. On UNIX, you must also create an operating system group for the Web server account, and the account should belong to only this Web server group for security purposes. The installation will also ask you for the group name. Additionally, the installation will ask you for the HTTPD user name and group. These are used to run the HTTPD child daemons and to protect the files. The HTTPD user name and group must be the same as the user name and group you are using to install PATROL Central Operator Web Edition.

Certificate information (IIS only)


If you choose to integrate with IIS, you must have a self-signed certificate or a trusted root certificate from a certificate authority. The certificate is required to enable Secure Sockets Layer (SSL) for the Web server. For more information, see About certificates on page 31. The general process for obtaining and installing a certificate from a certificate authority for IIS is as follows. For detailed instructions about using IIS, refer to the documentation for that product.

1. Use Admin Tools => Internet Services Manager to create a Certificate Signing Request (CSR).

NOTE
When creating the CSR, you must specify a bit length of 1024. This will make the certificate more secure.

IIS creates a CSR in the format filename.txt, and stores it on your system in the specified directory. A typical CSR is shown below:


2. Send the CSR text to the certificate authority. Several certificate authority vendors allow you to copy and paste the CSR text to their Web sites. The certificate authority typically generates a signed certificate in the format filename.cer.

3. Obtain the signed certificate from the certificate authority vendor. Several certificate authority vendors allow you to download the signed certificate from their Web sites.

4. Use Internet Services Manager to install the signed certificate.

Certificate information (Apache and Tomcat only)


You must provide the following information for the self-signed certificate created during the installation.

NOTE
Commas in any of the fields will be converted to spaces. Commas are used internally as delimiters by the certificate generation tool.

| Field | Description |
|---|---|
| keystore password | This is the password used to protect the keystore and the certificate. It must be at least eight characters for the Apache Web server or six characters for the Tomcat standalone Web server. |
| server domain name | This is the name of the Web server, as it will be specified in the URL for accessing the PATROL Central Web site. The Web browser will compare the server domain name in the certificate to the URL used to access the Web server. If they differ, a warning will be displayed by the browser. |
| organization name and organizational unit name | These fields identify your organization. |
| city, state, and country | These fields identify the location of your organization. |

NOTE
If you choose the Tomcat standalone Web server, due to limitations of the Web server implementation, the keystore password is stored unencrypted in the Tomcat server.xml file. Although this file can be read by only the Web server account, it is vulnerable if that account is compromised. Although BMC Software is not aware of such a vulnerability at present, we recommend that a non-sensitive password be used. BMC Software also recommends that you do not add sensitive certificates to the Tomcat keystore in the event that the password is discovered. The site-specific, self-signed certificate deployed during the product installation is usually sufficient.

RTSERVERS variable
PATROL Central Operator and PATROL Central Administration use the RTSERVERS variable specified during the installation to connect to an RTserver. The format of the RTSERVERS variable is tcp:host:port, in which host is the computer with the RTserver and port is the port number that the RTserver is using. The default value of the RTSERVERS variable is tcp:localhost:2059.


You can use the default value for the RTSERVERS variable if there is an RTserver on the same computer as the console and the RTserver uses the default port of 2059. However, you must update the RTSERVERS variable in the following cases:
- If you install the console on a different computer from the RTserver, you must specify the host name of the RTserver computer in the RTSERVERS variable.
- If the RTserver uses a port number other than 2059, you must specify that port number in the RTSERVERS variable.

You must modify the RTSERVERS variable with the correct host name and port number, unless there is a local RTserver for PATROL Central Operator to use. The RTSERVERS variable can be modified by editing the startup.cfg file. See Appendix C, Modifying initialization settings after installation for more information about changing the startup.cfg file. For more information, see the PATROL Console Server and RTserver Getting Started.

Security information
You must set the level of security that you want to use. The recommended level is Basic Security, the default. For more information, see the PATROL Security Release Notes and PATROL Security User Guide.

Tomcat shutdown port


The Tomcat servlet container listens for termination messages on the shutdown port. The port does not need to be visible outside the Web server; however, no other applications can use this port. The default port is 8005. For information about changing this value after installation, see Changing Web server ports after installation on page 137 and Appendix C, Modifying initialization settings after installation.


Apache-Tomcat protocol version 13 port (IIS and Apache only)


The Apache-Tomcat protocol version 13 port is used by the IIS and Apache Web servers to communicate with the Tomcat servlet container. The port does not need to be visible outside the Web server; however, no other applications can use this port. The default port is 8009. For information about changing this value after installation, see Changing Web server ports after installation on page 137 and Appendix C, Modifying initialization settings after installation.
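The keystore password NOTE and the two port sections above (Tomcat shutdown port, Apache-Tomcat protocol version 13 port) all concern settings held in the Tomcat server.xml file. The following Python audit is an added example, not BMC code: it runs over a constructed server.xml modelled on a stock Tomcat 6 file and assumes a UNIX installation with POSIX file permissions. The finding names, sample values and helper names are hypothetical.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample modelled on a stock Tomcat 6 server.xml (not the product's file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" keystoreFile="conf/example.keystore"
               keystorePass="example-only"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""


def audit_server_xml(path):
    """Return a sorted list of findings for one Tomcat server.xml."""
    findings = set()
    root = ET.parse(path).getroot()

    # Shutdown port: Tomcat stops when it receives the shutdown string there,
    # so the stock string should be replaced with a site-specific one.
    shutdown_port = root.get("port", "8005")
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.add("default-shutdown-command:" + shutdown_port)

    ports = [shutdown_port]
    password_present = False
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port:
            ports.append(port)
        if conn.get("keystorePass") is not None:
            password_present = True
        # The AJP 13 port does not need to be visible outside the Web server,
        # so a connector without a loopback "address" is reported.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" in protocol.lower() and conn.get("address") not in LOOPBACK:
            findings.add("ajp-not-loopback:" + (port or "?"))

    # No two listeners in the file may share a port.
    for port in set(ports):
        if ports.count(port) > 1:
            findings.add("duplicate-port:" + port)

    # The keystore password sits in this file in cleartext, so the file must
    # be accessible to the Web server account (the owner) only.
    if password_present:
        findings.add("keystore-password-in-cleartext")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.add("server-xml-accessible-beyond-owner")

    return sorted(findings)


def write_sample(directory, text=SAMPLE_SERVER_XML, mode=0o644):
    """Write a constructed server.xml into directory and set its mode."""
    path = os.path.join(directory, "server.xml")
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_server_xml(write_sample(tmp)):
            print(finding)
```

On Windows the permission bits returned by os.stat do not reflect the file ACL, so review the ACL of server.xml there instead.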

Prerequisites for installing PATROL Central Operator Web Edition on IIS 7 and 7.5
Apart from the default role services of IIS 7, you must install the following IIS 7 and 7.5 role services before installing PATROL Central Operator Web Edition.

Common HTTP Features
- HTTP redirection

Application Development
- ISAPI extensions
- ISAPI filters

Management Tools
- IIS 6 Management Compatibility

Security
- Client certificate mapping authentication
- IIS Client certificate mapping authentication

NOTE
To run PATROL Central Operator Web Edition on IIS 7 and 7.5, ISAPI.dll must be enabled.

ISAPI Extensions for IIS on Windows Server


You cannot run the PATROL Central Operator - Web Edition on Windows Server unless the IIS ISAPI filter is added.

To add the ISAPI filter on Windows Server 2003


You can add the ISAPI filter in the IIS Manager by completing the following steps:

1 Launch the IIS Manager by choosing Start => Programs => Administrative Tools => Internet Information Services (IIS) Manager.
2 Navigate to the server that has the web server running.
3 In the left pane of the IIS Manager window, expand the web server host and select Web Service Extensions.
4 Click Add new Web service extension.
5 In Extension name, enter a name (for example, ISAPI filter).
6 In Required files, click Add and browse to the following file:
  %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
7 Select Set extension status to Allowed.
8 Click OK.

To add the ISAPI filter on Windows Server 2008 and 2008 R2

The IIS ISAPI filter is necessary to run the PATROL Central Operator - Web Edition on Windows Server 2008 and 2008 R2. You can add the ISAPI filter in the IIS Manager by completing the following steps:


1. Select Internet Information Services (IIS) Manager.
2. Click the Server name.
3. Double-click ISAPI and CGI Restrictions.
4. On the left pane, select Add to add a new ISAPI restriction.
5. For the ISAPI or CGI Path, browse to the following file:
   - For Windows 2008 (32-bit): %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
   - For Windows 2008 (64-bit) and Windows 2008 R2 (64-bit): %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
6. Enter a description (for example, ISAPI filter).
7. Select the Allow extension path to execute check box.
8. Click OK.
9. Select Default Web Site and click Handler Mappings.
10. Enable ISAPI-dll.
11. Click OK.

Enabling IIS to run 32-bit and 64-bit PATROL Central Operator Web Edition
By default, on a Microsoft Windows 64-bit operating system, PATROL Central Operator Web Edition 7.8.10 and later uses the 64-bit ISAPI dll. To run PATROL Central Operator Web Edition 7.8.10, you must perform one of the following steps:
- Configure IIS on a Microsoft Windows 32-bit operating system and use the 32-bit ISAPI dll. (You must perform this operation for PATROL Central Operator - Web Edition versions earlier than 7.8.10.)
- Configure IIS on a Microsoft Windows 64-bit operating system.

If any other service is running on 32-bit IIS, then you can perform one of the following options:
- Run PATROL Central Operator - Web Edition on 32-bit IIS.
- Stop the services and perform the steps mentioned in To enable IIS to run PATROL Central Operator Web Edition.

To enable IIS to run PATROL Central Operator Web Edition

1 Open a command prompt and navigate to the %systemdrive%\Inetpub\AdminScripts directory.
2 Type the following command:
  (if you are running IIS in 32-bit mode)
  cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 "true"
  (if you are running IIS in 64-bit mode)
  cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 "false"
3 Press Enter.
4 Stop and restart the IIS service.
5 Verify that IIS is running in the appropriate mode.
6 Verify that IIS shows the default IIS page.
7 Install the PATROL Central Operator Web Edition product.
8 (for Microsoft Windows 2003) Ensure that the following steps are performed before starting PATROL Central Operator - Web Edition:
  A Right-click the Default Web Site icon and select properties.
  B Under ISAPI filters tab, select PATROLCentralWebEdition filter, click Edit and browse to the following file:
    (if you are running IIS in 32-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
    (if you are running IIS in 64-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
  C Click OK.
  D Click OK.
  E Right-click PATROLCentralWeb edition and select properties.
  F In the Virtual Directory tab, for the Local path, browse to the following file:


    (if you are running IIS in 32-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
    (if you are running IIS in 64-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
  G Click OK.
  H Click OK.
9 (for Microsoft Windows 2008 and 2008 R2) Ensure that the following steps are performed before starting PATROL Central Operator - Web Edition:
  A Click the Server name.
  B Double-click ISAPI and CGI Restrictions.
  C On the left pane, select Add to add a new ISAPI restriction.
  D For the ISAPI or CGI Path, browse to the following file:
    (if you are running IIS in 32-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
    (if you are running IIS in 64-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
  E Enter a description (for example, ISAPI filter).
  F Select the Allow extension path to execute check box.
  G Click OK.
  H Click ISAPI filters.
  I Select PATROLCentralWebEdition filter, click Edit and browse to the following file:
    (if you are running IIS in 32-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
    (if you are running IIS in 64-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
  J Click OK.
  K Click OK.


  L In the left pane of the IIS Manager window, right-click the Default Web Site icon and select properties.
  M Under ISAPI filters tab, select PATROLCentralWebEdition filter, click Edit, and ensure that the path is
    (if you are running IIS in 32-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win32\isapi_redirect.dll
    (if you are running IIS in 64-bit mode) %BMC_ROOT%\WebCentral\apache-tomcat\bin\win64\isapi_redirect.dll
  N Change the application pool settings according to the steps mentioned in Configuring application pool on IIS 7 and 7.5 on page 44.

Configuring application pool on IIS 7 and 7.5


You must set the 32-bit application pool to True if IIS is running on a 32-bit operating system. You must set the 32-bit application pool to False if IIS is running on a 64-bit operating system.

To configure a default (32-bit) application pool for 32-bit applications


1. Launch the IIS Manager by choosing Start => Programs => Administrative Tools => Internet Information Services (IIS) Manager.
2. In the left pane of the IIS Manager window, expand the web server host to view the Application Pools icon.
3. Click the Application Pools icon to view the Application Pools page.
4. Right-click Default Application Pool and select Advanced Settings.
5. In the Advanced Settings dialog box, set Enable 32-bit Applications to True.
6. Click OK.

To configure a 64-bit application pool for 64-bit applications


1. Launch the IIS Manager by choosing Start => Programs => Administrative Tools => Internet Information Services (IIS) Manager.
2. In the left pane of the IIS Manager window, expand the web server host to view the Application Pools icon.
3. Click the Application Pools icon to view the Application Pools page.
4. Right-click Default Application Pool and select Advanced Settings.
5. In the Advanced Settings dialog box, set Enable 32-bit Applications to False.
6. Click OK.

Configuring the generic error page on IIS


1. Navigate to Start => Settings => Control Panel => Administrative Tools => Internet Information Services.
2. Open Internet Information Services and click the tree to find PATROL Central Web Edition.
3. Right-click PCWEB and select Properties.
4. Select Custom Errors.
5. Select the HTTP error for which you want to set a specific error page.
6. For example, to change the 404 error page, select 404.
7. Click Edit Properties and select File from the drop-down list.
8. Type the absolute path of your customized error page.
9. Alternatively, click Browse to locate the file on your computer's hard drive (for example, %PATROL_HOME%\WebCentral\apache-tomcat\webapps\patrol\Error_Page.html).
10. Click OK.
11. Restart the IIS server.

Setting SSL port on IIS 7 and 7.5


After adding the web server certificate to IIS 7 and 7.5, specify SSL port bindings by using the following steps:

1. Launch the IIS Manager by choosing Start => Programs => Administrative Tools => Internet Information Services (IIS) Manager.
2. In the left pane of the IIS Manager window, expand the Sites folder under the local computer to display the Default Web Site icon.
3. Double-click the Default Web Site icon to expand and display web sites.
4. Under Actions, click Bindings.
5. In the Site Bindings dialog box, click Add.
6. In the Add Site Binding dialog box, select Type as https, enter port (default is 443) and select the Server Certificate from the SSL certificate.
7. Click OK.

Web server HTTP and HTTPS ports


The Web server uses these ports for insecure (HTTP) and secure (HTTPS) communications. If there will be multiple Web servers on the computer, make sure that each Web server uses a different set of ports. If a port is already in use when you run the install, the install will prompt you to specify a different port. The default HTTP port is 80. The default HTTPS port is 443. If you do not use the default HTTP port, users will have to include the port number in the URL for accessing the PATROL Central Web site. For example, if the Web server myserver is using port 8080, view the URL http://myserver:8080/patrol/. For information about changing the HTTPS port after installation, see Changing Web server ports after installation on page 137 and Appendix C, Modifying initialization settings after installation.

IIS Web site instance (IIS only)


IIS can support multiple Web site instances. The install retrieves the list of Web site instances from the IIS metabase. Each Web site instance is identified by both its name and its instance number. You must select which instance you want to use with PATROL Central. The default is the default Web site.


Trimming Apache Web server log files (Apache only)


The Apache Web server log files can grow considerably over the course of time. For example, each image load request is logged. The installation installs a utility that truncates the log files for the Apache Web server while the Web server is running, so that they do not grow without limit. This utility can be run periodically as a job in the root crontab. You can choose the maximum log file size. The same maximum size is applied to each log file. The default value is 20 MB. You can choose whether the installer automatically adds the job to the root crontab. If you choose not to add the job to the root crontab, you can add the job manually and adjust the job schedule. For more information, see Apache web server logs on page 176.

Installation worksheets
Use these worksheets to record information for your installation. Complete both the general worksheet and the worksheet for your Web server.

Worksheet                                       Page
General worksheet                               page 48
Worksheet for IIS web server                    page 49
Worksheet for Apache web server                 page 49
Worksheet for Tomcat standalone web server      page 50


General worksheet
Computer name:

Which console modules do you want to run on this computer?
- PATROL Central Operator
- PATROL Central Administration

Which Web server do you want to use?
- IIS (Windows)
- Apache (UNIX)
- Tomcat standalone (Windows or UNIX)

Information for computers without PATROL 3.x products
Where do you want to install BMC Software products? The default is C:\Program Files\BMC Software or /opt/bmc (UNIX).

Information for computers with PATROL 3.x products
Where are the PATROL 3.x products installed? This will determine where you install new products.
If there is a PATROL Agent installed, what is its port number?

Security information
What security level do you want to use? The default is basic.
- basic
- level 1
- level 2
- level 3
- level 4

PATROL Console Server information
What is the name of the PATROL Console Server to use to authenticate users for PATROL Central? (Typically, the name of the PATROL Console Server is the hostname of the computer where the PATROL Console Server is installed.)

Tomcat Servlet container Information
What is the shutdown port for the Tomcat servlet container? The default is 8005.

RTserver information
What is the name of the RTserver computer to use? The default is localhost.
What is the port number for the RTserver to use? The default is 2059.


Worksheet for IIS web server


IIS web server
Do you have a certificate? (required)
What is the IIS Web Site Instance?

IIS ports
What is the HTTP port? The default is 80.
What is the HTTPS port? The default is 443.
What is the AJP 13 port? The default is 8009.
What is the Shutdown port? The default is 8005.

Worksheet for Apache web server


Apache ports
What is the HTTP port? The default is 80.
What is the HTTPS port? The default is 443.
What is the AJP 13 port? The default is 8009.
What is the Shutdown port? The default is 8005.

Apache user name and group
What is the root login name and password? ****
What is the Apache HTTPD user name?
The HTTPD user name and group must be the same as the user name and group you are using to install PATROL Central Operator Web Edition.
What is the Apache HTTPD group?

Apache log maintenance
What is the maximum size for log files? The default is 20 MB.
Do you want to automatically add the job to crontab? The default is yes. yes / no

Apache certificate information
What is the keystore password? ****
What is the server domain name?
What is the organization name?
What is the organizational unit name?
What is the city?
What is the state?
What is the country?

Worksheet for Tomcat standalone web server


Tomcat user name and group
What is the root login name and password? (UNIX only) ****
What is the Tomcat user name?
The Tomcat user name and group must be the same as the user name and group you are using to install PATROL Central Operator Web Edition.
What is the Tomcat user group? (UNIX only)

Tomcat port
What is the HTTP port? The default is 80.
What is the HTTPS port? The default is 443.
What is the Shutdown port? The default is 8005.

Tomcat certificate information
What is the keystore password? ****
What is the server domain name?
What is the organization name?
What is the organizational unit name?
What is the city?
What is the state?
What is the country?

WARNING
Do not install Tomcat 6.0.26 in standalone mode with PATROL Central Operator - Web Edition version 7.7.00 or later if you are going to install PATROL End-to-End Response Timer. Tomcat prevents PATROL End-to-End Response Timer from working correctly. Instead, install PATROL Central Operator - Web Edition with IIS or Apache integration.


Upgrading versus first-time installation


When upgrading from a previous version of PATROL Central Web Edition to 7.8.10 or later, the installation utility will automatically detect a previous install and migrate the following files:
- startup.cfg
- Internal datastore

Upgrading from a previous version of PATROL Central Operator Web Edition automatically disables the following console modules:
- PATROL Central Operator
- PATROL Central Administration
- PATROL End-to-End Response Timer
- PATROL Central Alerts

Upgrading to PATROL Central Operator Web Edition version creates a backup of the entire WebCentral directory, and migrates data from PATROL Central Operator and PATROL Central Administration to the new PATROL Central Web Edition installation. However, upgrading PATROL Central Operator Web Edition does not migrate data for PATROL Central Alerts or PATROL ETE. You must upgrade to new versions of PATROL Central Alerts or PATROL ETE. For more information, see Backing up and restoring PATROL Central and Console modules on page 63. When upgrading PATROL Central Operator Web Edition to 7.8.10 or later, the following user preferences are migrated to the new version. Additionally, you will have the opportunity to change port numbers and names used for the PATROL Console Server, RTserver, and Web servers.

Location of information: My Home => Preferences
Information migrated:
- First Name
- Last Name
- E-mail
- Initial Tab
- Applet Style

Location of information: My Home => Admin Options => General
Information migrated:
- Default Initial Tab
- Default Refresh Interval
- Default Message Timeout
- Max Number of Sessions

Location of information: My Home => Admin Options => Console Server
Information migrated:
- Default Console Server
- Default Management Profile

Location of information: My Home => Admin Options => Managed system Query
Information migrated:
- Maximum Number of Rows Allowed
- Query Results Lifespan

Migrating a customized PATROL Central sub-directory


When you installed PATROL Central Operator Web Edition version 7.1.0x, the installation allowed you to customize the name of the PATROL Central sub-directory. When you upgrade to PATROL Central Operator Web Edition 7.7.00 or later, the installation will prompt you for the name of the customized PATROL Central sub-directory. PATROL Central Operator will create a backup of the directory and migrate the data to the directory named with the respective version number. For PATROL Central Operator Web Edition 7.7.00 or later, the PATROL Central sub-directory name is WebCentral on Windows and webcentral on UNIX. You cannot customize the PATROL Central sub-directory name in 7.7.00 or later versions.

To upgrade PATROL Central Web Edition to version 7.5.x

1 Create a backup of your existing PATROL Central installation. See Backing up and restoring PATROL Central and Console modules on page 63 for more information.
1 Ensure that all users are logged off of PATROL Central Web Edition.
2 Shut down the Web server by stopping the PATROL Central Web Edition service. For more information, see Starting and stopping PATROL Central Operator Web Edition on page 132.
3 If the Web server, PATROL Console Server, and RTserver are installed in the same %BMC_ROOT% or $BMC_ROOT directory, you must shut down the Console Server and RTserver. For more information, see Starting and stopping the RTserver on page 128, and Starting and stopping the PATROL Console Server on page 130.
4 Run the installation program.
  For more information, see Installing PATROL Central Operator on Windows on page 53, or Installing PATROL Central Operator on UNIX on page 57.


NOTE
During installation of PATROL Central Operator, you may see references to aborted packages or components in the installation utility status page and the log files. This happens when the installation utility encounters components that have already been installed on the target computer. The message does not indicate a problem with the product installation. Entries in the log files will indicate that the package or component was skipped because it was already installed.

Installation procedures
These procedures describe how to perform a local installation of PATROL Central, including PATROL Central Operator and PATROL Central Administration, on Windows and UNIX.

Installing PATROL Central Operator on Windows


This task describes how to install PATROL Central Operator, including all the components listed in Table 1 on page 27, on Windows. If you install other products or components from a product CD at the same time as PATROL Central Operator Web Edition, you might be asked for additional configuration information for those products or components. For more information about the installation utility, see About the installation utility on page 32.

Before you begin


The following requirements must be met before you can run the installation:
- The computer must meet the requirements stated in System requirements on page 27.
- You must know the required information for the installation process.
- If a PATROL Console Server, RTserver, or PATROL Agent are on the computer, they must be stopped. For more information, see Starting and stopping related programs on page 128.
- You must be logged on using an account in the Administrators group so that you can install software and modify user rights.
- All of the ports to be used by the Web server are available.
- If you use pop-up blocker software to prevent pop-up windows from being displayed in your Web browser, you must temporarily disable the software on the computer on which you want to install PATROL Central Operator Web Edition to run the installation utility. The procedures and requirements for disabling pop-up blocker software vary depending on the software that you are using. Consult the documentation provided with the pop-up blocker software for instructions.

BMC Software recommends having PATROL Console Server and RTserver installed in your environment (not necessarily the same computer) before you install the console. The installation procedures for the IIS and Tomcat Web servers are slightly different.

Procedure                                                                             Page
Install PATROL Central Operator on Windows with IIS                                   page 54
Install PATROL Central Operator on Windows with the Tomcat standalone Web server      page 56

To Install PATROL Central Operator on Windows with IIS

1 Confirm that IIS is properly installed and running. Check whether the bit mode of running IIS is 32 bit or 64 bit.
2 Insert the product CD into the CD drive and run setup.exe. Then click Next to start the installation program.
3 Review the license agreement. If you accept it, choose Accept. Then click Next.
4 On the Select Installation Option page, choose Install products on this computer now. Then click Next. For more information about creating an installable image, see the PATROL Installation Reference Manual.
5 On the Specify Installation Directory page, specify the location where you want to install BMC products. Then click Next.

NOTE
All BMC Software products installed on the same computer must share the same installation directory because the products share the BMC_ROOT environment variable.

For more information about the installation directory, see Installation directory on page 33.


6 On the Select Products and Components to Install page, expand the PATROL Central Web Edition folder and then select both PATROL Central Operator - Web Edition for Windows and PATROL Central Web Edition - Core Components for Windows.

7 On the Select Web Server for Windows Platforms page, select Microsoft IIS. Then click Next.
8 On the Configure PATROL Central - Web Edition page, specify the name of the PATROL Console Server to be used as the security server. Then click Next.
9 Specify the shutdown port number of the Tomcat servlet container. Also select whether you want to start the Tomcat servlet container as a service (listed as a Windows service named PATROL Central-WebEdition) after the installation. Then click Next.

WARNING
If you do not select to start the Tomcat servlet container as a service, the PATROL Central-WebEdition service will not appear in the list of services located in the Windows Services dialog.

NOTE
The Tomcat servlet container is installed and used with PATROL Central, regardless of the Web server that you choose. This servlet container runs Java code for PATROL Central.

For more information about the shutdown port number, see Tomcat shutdown port on page 38.

10 On the Configure PATROL Central - Web Edition page, specify the name of the PATROL Console Server to be used as the security server. Then click Next.
11 On the Select Level of Security page, specify the level of security that you want and whether or not you want to overwrite your existing security configuration. For more information, see the PATROL Console Server on page 34 and the PATROL Security User Guide. Then click Next.
12 If you specify the Advanced security options option on the Select Level of Security page, the Select Advanced Level of Security page appears to allow you to specify the advanced level of security. See the PATROL Security User Guide for more information about the security options.
13 Specify the AJP 13 port and the port that is used by Microsoft IIS for HTTPS connections. Then choose the Web site instance to use. Then click Next.


For more information, see Apache-Tomcat protocol version 13 port (IIS and Apache only) on page 39, ISAPI Extensions for IIS on Windows Server on page 40, and IIS Web site instance (IIS only) on page 46.

14 On the RTSERVERS Variable Properties page, specify the RTserver to use.
   For more information, see RTSERVERS variable on page 37.
15 On the Review Selections and Install page, review your product selections and configuration information. Click Back to make changes or click Start Install to complete the installation.
16 Watch the Installation Status page to verify that the installation process completes successfully. When the installation is complete, click Next.
17 On the SUCCESS page, if you want to review the installation log file, click View Log File. When you are done, click Finish.

To Install PATROL Central Operator on Windows with the Tomcat standalone Web server

NOTE
Good practice recommends that the Tomcat standalone Web server not be used in production environments. The Tomcat standalone Web server is more commonly used as a development server.

1 Complete Step 1 through step 7 of To Install PATROL Central Operator on Windows with IIS on page 54.
2 On the Configure PATROL Central - Web Edition page, specify the name of the PATROL Console Server to be used as the security server. Then click Next.
3 On the Select Web Server for Windows Platforms page, select Apache Tomcat v6.0.26. Then click Next.
4 On the Select Level of Security page, specify the level of security that you want and whether or not you want to overwrite your existing security configuration. For more information, see the PATROL Console Server on page 34 and the PATROL Security User Guide. Then click Next.
5 If you specify the Advanced security options option on the Select Level of Security page, the Select Advanced Level of Security page appears to allow you to specify the advanced level of security. See the PATROL Security User Guide for more information about the security options.


6 On the Configure PATROL Central - Web Edition for Tomcat Standalone page, specify the Tomcat user name and group and the port numbers for HTTP and HTTPS connections. Then click Next.
7 On the Configure PATROL Central - Web Edition Tomcat Certificate page, complete the fields for the Tomcat certificate.
8 On the RTSERVERS Variable Properties page, enter the variable for the RTServer, using the format protocol:hostname:port.
9 On the Review Selections and Install page, review your product selections and configuration information. Click Back to make changes or click Start Install to complete the installation.
10 Watch the Installation Status page to verify that the installation process completes successfully. When the installation is complete, click Next.
11 On the SUCCESS page, if you want to review the installation log file, click View Log File. When you are done, click Finish.

Installing PATROL Central Operator on UNIX


This task describes how to install PATROL Central Operator, including all the components listed in Table 1 on page 27, on UNIX. If you install other products or components from a product CD at the same time as PATROL Central Operator Web Edition, you might be asked for additional configuration information for those products or components. For more information about the installation utility, see About the installation utility on page 32.

Before you begin


The following requirements must be met before you can run the installation.
- The computer must meet the requirements stated in System requirements on page 27.
- You are logged on using the Web server account. For more information, see Web server user name and group (Apache and Tomcat only) on page 35.
- All of the ports to be used by the Web server are available.
- If a PATROL Console Server, RTserver, or PATROL Agent are on the computer, they are stopped. For more information, see Starting and stopping related programs on page 128.

BMC Software recommends having PATROL Console Server and RTserver installed in your environment (not necessarily on the same computer) before installing PATROL Central Operator. The installation procedures for the Apache and Tomcat Web servers are slightly different.

Procedure                                                                      Page
Install PATROL Central Operator on UNIX with Apache                            page 58
Install PATROL Central Operator on UNIX with the Tomcat standalone Web server  page 60

To Install PATROL Central Operator on UNIX with Apache

1 Insert the product CD into the CD drive, mount the CD drive, and run setup.sh.
Then click Next to start the installation program.

2 Review the license agreement. If you accept it, choose Accept. Then click Next.

3 On the Select Installation Option page, choose Install products on this computer now.
Then click Next. For more information about creating an installable image, see the PATROL Installation Reference Manual.

4 On the Specify Installation Directory page, specify the location where you want to
install BMC Software products. Then click Next. For more information about the installation directory, see Installation directory on page 33.

5 On the Select Products and Components to Install page, expand the PATROL Central Web Edition folder and then select PATROL Central Operator - Web Edition for platform or PATROL Central Web Edition - Core Components for platform, or both.

6 On the Select Web Server for UNIX Platforms page, choose Apache v2.2.6 as the Web
server. Then click Next.

7 On the Provide the System Root Account Properties page, type the Root login name
and password. Then click Next. For more information, see Root login and password (UNIX only) on page 34.

8 On the Configure PATROL Central - Web Edition page, specify the name of the
PATROL Console Server to be used as the security server. Then click Next.

9 In the Configure PATROL Central - Web Edition Tomcat page, specify the shutdown
port number on which the Tomcat servlet container will listen for termination messages and whether or not you want to start the Tomcat service automatically after the installation. For more information, see Tomcat shutdown port on page 38.

10 On the Select Level of Security page, select the level of security that you want to use.
Then click Next. For more information, see Security information on page 38.

11 If you chose the Advanced security options, complete the security information.
Then click Next. For more information, see Security information on page 38.

12 In the Configure PATROL Central - Web Edition Tomcat logs, specify the size for
the Tomcat log file. In the Configure PATROL Central - Web Edition Tomcat/Apache Integration page, specify the AJP 13 as the port number. On the Configure Apache Certificate page, complete the fields for the Apache certificate. On the Apache HTTP Server Parameters page, specify the HTTPD user name and group and the port numbers for HTTP and HTTPS connections. Then click Next.

13 If a PATROL Agent was previously installed on the system to which you are
installing, on the Confirm BMC Product Startup Information page, you can provide the Agent port number and whether you want it to be restarted automatically.

14 On the RTSERVERS Variable Properties page, specify the RTserver to use. Then
click Next. For more information, see RTSERVERS variable on page 37.

15 On the Review Selections and Install page, review your product selections and
configuration information. Click Back to make changes or click Start Install to complete the installation.

16 Watch the Installation Status page to verify that the installation process completes
successfully. When the installation is complete, click Next.

17 On the SUCCESS page, if you want to review the installation log file, click View Log
File. When you are done, click Finish.

To install PATROL Central Operator on UNIX with the Tomcat standalone Web server

NOTE
Good practice recommends that the Tomcat standalone Web server not be used in production environments. The Tomcat standalone Web server is more commonly used as a development server.

1 Complete step 1 through step 5 of To Install PATROL Central Operator on UNIX with Apache on page 58.

2 On the Select Web Server for UNIX Platforms page, choose Apache Tomcat v6.0.26.
Then click Next.

3 On the Provide the System Root Account Properties page, type the Root login name
and password. Then click Next. For more information, see Root login and password (UNIX only) on page 34.

4 On the Configure PATROL Central - Web Edition page, specify the name of the
PATROL Console Server to be used as the security server. Then click Next.

5 In the Configure PATROL Central - Web Edition Tomcat page, specify the shutdown
port number on which the Tomcat servlet container will listen for termination messages and whether or not you want to start the Tomcat service automatically after the installation. In the Configure PATROL Central - Web Edition Tomcat logs, specify the size for the Tomcat log file. For more information, see Tomcat shutdown port on page 38.

6 On the Select Level of Security page, select the level of security that you want to use.
Then click Next. For more information, see Security information on page 38.

7 If you chose the Advanced security options, complete the security information.
Then click Next. For more information, see Security information on page 38.

8 On the Configure PATROL Central - Web Edition for Tomcat Standalone page, specify
the Tomcat user name and group and the port numbers for HTTP and HTTPS connections. Then click Next.

The Tomcat user name and group must be the same as the user name and group of the operating system account you are using to install PATROL Central Operator Web Edition. For more information, see Web server user name and group (Apache and Tomcat only) on page 35 and Web server HTTP and HTTPS ports on page 46.

9 On the Configure PATROL Central - Web Edition Tomcat Certificate page, specify the
self-signed certificate information. Then click Next. For more information, see Certificate information (Apache and Tomcat only) on page 36.

10 On the RTSERVERS Variable Properties page, specify the RTserver to use. Then
click Next. For more information, see RTSERVERS variable on page 37.

11 On the Review Selections and Install page, review your product selections and
configuration information. Click Back to make changes or click Start Install to complete the installation.

12 Watch the Installation Status page to verify that the installation process completes
successfully. When the installation is complete, click Next.

13 On the SUCCESS page, if you want to review the installation log file, click View Log
File. When you are done, click Finish.

Directory structure
The following table describes the directories used by PATROL Central.

Directory
    Description

%BMC_ROOT% (Windows)
$BMC_ROOT (UNIX)
    This directory is where BMC Software products are installed. The BMC_ROOT environment variable is shared by all PATROL Central components that are installed on the same computer.

%BMC_ROOT%\common (Windows)
$BMC_ROOT/common (UNIX)
    This directory contains common components that are shared by multiple PATROL 7.x products, such as security files.

%BMC_ROOT%\Install (Windows)
$BMC_ROOT/Install (UNIX)
    This directory contains information about which components and products are installed.

%BMC_ROOT%\Uninstall (Windows)
$BMC_ROOT/Uninstall (UNIX)
    This directory contains files for uninstalling components and products.

%BMC_ROOT%\WebCentral (Windows)
$BMC_ROOT/webcentral (UNIX)
    This directory is where PATROL Central is installed.

%BMC_ROOT%\WebCentral\apache-tomcat (Windows)
$BMC_ROOT/webcentral/apache-tomcat (UNIX)
    This directory is where the Tomcat servlet container (and Tomcat Web server) are installed.

%BMC_ROOT%\WebCentral\apache-tomcat\bin (Windows)
$BMC_ROOT/webcentral/apache-tomcat/bin (UNIX)
    This directory contains binary files.

%BMC_ROOT%\WebCentral\apache-tomcat\logs (Windows)
$BMC_ROOT/webcentral/apache-tomcat/logs (UNIX)
    This directory contains Tomcat log files.

%BMC_ROOT%\WebCentral\apache-tomcat\webapps\patrol\WEB-INF (Windows)
$BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF (UNIX)
    This directory contains configuration files.

%BMC_ROOT%\WebCentral\apache-tomcat\conf (Windows)
$BMC_ROOT/webcentral/apache-tomcat/conf (UNIX)
    This directory contains configuration files.

%BMC_ROOT%\WebCentral\apache-tomcat\webapps\patrol\WEB-INF\log (Windows)
$BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/log (UNIX)
    This directory contains PATROL Central Web Edition log files.

Backing up and restoring PATROL Central and Console modules


PATROL Central and the PATROL Central Operator and PATROL Central Administration console modules maintain preferences and administrative settings in a datastore. To back up the datastore, back up the following files in the $BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF directory:
- wc.backup
- wc.data
- wc.properties
- wc.script

The PATROL Central Operator and PATROL Central Administration console modules also store data on the PATROL Console Server. For information about the data stored on PATROL Console Server, see the PATROL Console Server and RTserver Getting Started.

To restore PATROL Central and the PATROL Central Operator and PATROL Central Administration console modules, reinstall them, and then replace the datastore files with the backed-up versions.

WARNING
When restoring PATROL Central and the PATROL Central Operator and PATROL Central Administration console modules, reinstall all of the console modules that were originally installed, and only those console modules. If you reinstall a different set of console modules, and then restore the datastore files, the PATROL Central Web page will not display the correct tabs. You can install or uninstall other console modules after restoring the datastore files.

TIP
To make reinstalling easier, record the answers to installation questions on the installation worksheets. See Installation worksheets on page 47. Also record any changes made to the startup configuration file. See Appendix C, Modifying initialization settings after installation.

Where to go from here


Before you can monitor and manage with PATROL Central Operator, other PATROL programs, computers, and the Web server must be running and configured to work with PATROL Central Operator. For more information, see Chapter 5, Configuring the PATROL Central Console environment.

Chapter 3 Monitoring your enterprise with PATROL Central Operator

This chapter contains information for monitoring your enterprise with the Web Edition of PATROL Central Operator.

NOTE
Before you can use PATROL Central Operator, several related programs in the PATROL environment must be running. Usually these programs are running by default; however, if they are not, see Starting and stopping related programs on page 128.

This chapter contains the following topics:

Web browser requirements
Solaris OS patches
About the Java plug-in
About accepting the certificate
Using Internet Explorer version 6 on Windows 2003
Setting up your monitoring environment
Accessing PATROL Central
The PATROL Central console infrastructure
Accessing PATROL Central Operator
Setting a console timeout value
Customizing the splash screen
Creating Your Management Profile
Connecting to a PATROL Console Server and selecting a management profile
Adding managed systems
Loading PATROL KMs
Viewing object information
Licensing information
Viewing active user statistics
Viewing blackout information
Where to go from here

Web browser requirements


You do not need to install any PATROL components on client computers. Users access PATROL Central and its console modules through a Web browser on the client computer. Ensure that you use one of the Web browsers listed in the PATROL Central Operator Web Edition Release Notes. The Web browser must also use Java plug-in (JRE) version 1.6.0_20 or later, installed on the client computer. PATROL Central Operator was certified using JRE; see About the Java plug-in on page 66 for more information. Using versions other than those listed in the Web browser requirements table may cause problems in PATROL Central Operator.

Solaris OS patches
The latest patches for Solaris must also be installed, including the J2SE patch cluster for your version of Solaris. These patches can be retrieved from the Solaris maintenance Web site at http://sunsolve.sun.com.

WARNING
The patches are necessary to address multiple problems that can range from subtle usage problems to crashes.

About the Java plug-in


PATROL Central requires at least Java plug-in (JRE) version 1.6.0_20 installed on the client computer. You can change the JRE version, but using versions other than those listed in the Web Browser Requirements table on page 66 may cause problems in PATROL Central Operator. The Java plug-in is used to implement dynamic client-side features such as live state updates and charts.

About installing the Java plug-in


The Java plug-in must be installed on the client computer in order to use PATROL Central.

On Internet Explorer, if the Java plug-in is not already installed on the client computer when you first access the PATROL Central Web site, PATROL Central will attempt to automatically download JRE version 1.6.0_20 from the Web server and install it. If it cannot be automatically downloaded, a page with a link for downloading it from the Web server is displayed.

On UNIX, if the Java plug-in is not installed, a page with a link for downloading JRE version 1.6.0_20 from the Web server is displayed.

TIP
If you must manually install the Java plug-in, click the link to download the Java plug-in and follow the instructions on the page to ensure that you install the appropriate version for PATROL Central.

Avoiding conflicts with other desktop applications


Some of your desktop applications might use a different version of the Java plug-in from the version used by PATROL Central, which can cause problems if each application does not use its corresponding version of the Java plug-in. For example, if an existing application uses an older version of the Java plug-in, you might experience problems with that application after you install the Java plug-in for PATROL Central. Similarly, if you later install an application that uses a different version of the Java plug-in from PATROL Central, you might experience problems with PATROL Central.

Avoiding conflicts when using Internet Explorer


To avoid these problems when using Internet Explorer, perform the following steps:

1 From the Internet Explorer menu, choose Tools => Internet Options.

2 Click the Advanced tab.

3 Scroll to the Java (Sun) section.

4 Clear the Use Java 2 v1.6.0_20 for <applet> (requires restart) check box.

5 Click OK.

About accepting the certificate


Internet Explorer, Mozilla, and Firefox contain a list of prominent certificate authorities. If the certificate on the Web server is not signed by one of these certificate authorities, or another certificate authority known to the Web browser on the client computer, the Web browser will notify you when you access the PATROL Central Web page. For example, if the Web server uses the default self-signed certificate on Apache, the Web browser will notify you. You must accept the certificate in order to use PATROL Central. You can accept the certificate for all sessions by installing the certificate or you can choose to accept it for just the current session. If you install the certificate, you will not be prompted to accept the certificate again. How you accept or install the certificate depends on the Web browser.

Using Internet Explorer version 6 on Windows 2003


If you are using IE 6 on a Windows 2003 machine, after you enter the PATROL Central Operator URL, IE will display a blank web page. This is caused by Windows 2003 applying a high security level by default. For more information, see The PATROL Central web page is blank on Internet Explorer on page 171.

Setting up your monitoring environment


To begin monitoring your environment with PATROL Central Operator, you must complete the following process:

1. Start and log on to the PATROL Central console infrastructure.
2. Connect to the PATROL Console Server and select or create a management profile.
3. Add the managed systems that you want to monitor.
4. Load the PATROL KMs that you want to monitor.

TIP
If you currently use the PATROL Console for Windows or the PATROL Console for UNIX, see Chapter 6, Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x for a list of differences between the PATROL 3.x architecture and the PATROL 7.x architecture.

Accessing PATROL Central


This task describes how to access PATROL Central by using your Web browser.

To access PATROL Central

1 Start your Web browser application.

2 In the Address or Location field, enter the following URL, where hostname is typically the name of the computer on which the Web server for PATROL Central is running.

http://hostname/patrol

If the Web server is not using the default port for HTTP, include the port number in the URL. For example, if the Web server myserver is using port 8080, view the URL http://myserver:8080/patrol.

If the Java plug-in is not installed on the client computer, see About the Java plug-in on page 66 for more information.

If the Web browser notifies you that it does not recognize the certificate for the Web server, see About accepting the certificate on page 68 for more information.

You are prompted to log on to your security server.

3 Type your user name and password for the security server and click OK.
The home page for PATROL Central is displayed.

The PATROL Central console infrastructure


The interface provided by the Web Edition of the PATROL Central is composed of the major areas in the following table:

Area
    Description

navigation area
    The navigation area is located at the top of the PATROL Central interface. The navigation area is composed of the console module tabs, subtabs, and toolbar items. For each console module installed, one or more tabs, representing an area of functionality, are added to the navigation area.

list or tree view area
    The list or tree view area is located on the left side of the PATROL Central interface. This area may display a list or tree view of objects.

results area
    The results area is typically located on the right side of the PATROL Central interface. The results area displays information as you browse the tabs or select objects from the list or tree view area.

status area
    The status area is located on the lower right corner of the PATROL Central interface. The status area provides information about your connection to PATROL Console Servers, RTservers, and system messages from PATROL Central Operator, as well as other console modules.

Accessing PATROL Central Operator


This task describes how to access PATROL Central Operator.

Before you begin


You must have accessed PATROL Central and logged on to your security server. See page 69.

To access PATROL Central Operator


In the navigation area, click the Operator tab. The PATROL Central Operator general tasks page is displayed. If this is the first time that you have accessed PATROL Central Operator, the Open Management Profile wizard is displayed. The wizard will help you to connect to a PATROL Console Server, and to choose an existing management profile or set up a new one. For more information, see Connecting to a PATROL Console Server and selecting a management profile on page 73. The next time you access PATROL Central Operator, the last management profile that you used will automatically be opened. At any time, you can navigate from within PATROL Central Operator back to the General Tasks page by clicking the General Tasks icon in the navigation area.

Setting a console timeout value


The PATROL Central console keeps track of the activities of the connected console server. The console provides a timeout function that you can use to help manage the console server instances and improve security. The PATROL Central console timeout monitors requests made to the console server, and if you do not interact with it for a specified period, the PATROL Central console disconnects from the console server and displays a message that says that the system was disconnected or that the connection with the console server timed out. The PATROL Central Administration console module can connect to different console servers with different timeout values, and it handles each console server according to its own setting.

To set a timeout value

1 Stop the PATROL Console Server.

2 Open the acfg_cserver_ConsoleServerID.mof file, located in the
%PATROL_ROOT%\config\cserver directory on the computer where the console server is installed.

3 Locate the sessionIdleTimeout variable: //sessionIdleTimeout=0;.

4 Delete the comment tag (//) preceding the sessionIdleTimeout variable.

5 Assign a timeout value in milliseconds to the sessionIdleTimeout variable (for
example, sessionIdleTimeout = 15000 sets a 15-second timeout).

6 Save and close the file.

7 Restart the PATROL Console Server.

NOTE
If the timeout value is not specified or is set to zero, it is treated as no timeout.
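
The following check is an added example, not part of the BMC documentation: it reads the text of an acfg_cserver_ConsoleServerID.mof file and reports whether a session idle timeout is actually in effect, treating a missing, commented-out, or zero value as no timeout, as the NOTE above states. The line syntax is assumed to be only what the procedure shows (//sessionIdleTimeout=0; and sessionIdleTimeout = 15000); the function names, the sample text, the text encoding, and the 15-minute policy ceiling are assumptions made for the illustration.

```python
import re
import sys
from pathlib import Path

# Matches the one setting the procedure edits. Assumed syntax, taken from the
# two forms shown in the procedure: "//sessionIdleTimeout=0;" (commented out)
# and "sessionIdleTimeout = 15000" (active, value in milliseconds).
_SETTING = re.compile(
    r"^\s*(?P<comment>//)?\s*sessionIdleTimeout\s*=\s*(?P<value>\d+)"
    r"\s*;?\s*(?://.*)?$"
)


def effective_timeout_ms(mof_text):
    """Return the active sessionIdleTimeout in milliseconds, or None.

    None means no idle timeout is enforced: the variable is absent,
    still commented out, or set to zero.
    """
    active = None
    for line in mof_text.splitlines():
        match = _SETTING.match(line)
        if match is None or match.group("comment"):
            continue  # unrelated line, or the setting is still commented out
        # Assumption: if the setting appears more than once, the last one wins.
        active = int(match.group("value"))
    if not active:
        return None
    return active


def audit(mof_text, max_ms=15 * 60 * 1000):
    """Classify the setting; max_ms is a hypothetical site policy ceiling."""
    timeout = effective_timeout_ms(mof_text)
    if timeout is None:
        return "FAIL: no idle timeout (missing, commented out, or zero)"
    if timeout > max_ms:
        return f"WARN: idle timeout {timeout} ms exceeds policy ceiling {max_ms} ms"
    if timeout < 60_000:
        # A value entered in seconds or minutes by mistake ends up here.
        return f"WARN: idle timeout {timeout} ms is under one minute; confirm the unit"
    return f"OK: idle timeout {timeout} ms"


# Constructed sample contents, not taken from a real console server.
SAMPLE_DEFAULT = """\
// constructed sample
//sessionIdleTimeout=0;
"""
SAMPLE_SET = "sessionIdleTimeout = 900000;\n"

if __name__ == "__main__":
    # Usage: python check_timeout.py <path to acfg_cserver_ConsoleServerID.mof>
    # Assumption: the file is plain ASCII or UTF-8 text.
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_DEFAULT
    print(audit(text))
```

Run it after step 6 and before restarting the console server, so that a setting left commented out is caught before it goes into service.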

Customizing the splash screen


You can display your company logo and associated proprietary information on the PATROL Central console and its components. To do so, you customize the splash screen, as described in the following procedure.

NOTE
You can use a customized splash screen only in English versions of the product.

To customize and display your splash screen

1 In the %BMC_ROOT%\webcentral\apache-tomcat\webapps\patrol\images
directory, create a folder for your local language (for example, for US English, the folder should be en_US).

2 In the local-language folder, create and save a GIF file named custom_splash.gif.
The complete directory structure is as follows:
%BMC_ROOT%\webcentral\apache-tomcat\webapps\patrol\images\en_US\custom_splash.gif

NOTE
For the graphic file, BMC recommends that you specify a width of 1300 pixels and a height of 1300 pixels. The folder name (en_US) and graphic file name (custom_splash.gif) are case sensitive.

Creating Your Management Profile


A management profile is a view of your PATROL environment that is stored on the PATROL Console Server and accessed by using PATROL Central Operator. A management profile contains the following information:
- any managed systems (PATROL Agents) that you have added
- any Knowledge Modules (KMs) that you have loaded
- other miscellaneous preferences and settings

Any changes you make to your management profile are saved automatically as you make them. You do not need to manually save changes to your management profile.

Once you select a management profile, that management profile will be opened by default the next time you start PATROL Central Operator on the same computer. Because management profiles are stored on the PATROL Console Server, you can access your management profile from any computer that is running PATROL Central Operator by connecting to the same PATROL Console Server.

This section contains the following topics:

Topic                                                                      Reference
Connecting to a PATROL Console Server and selecting a management profile   page 73
Adding managed systems                                                     page 74
Loading PATROL KMs                                                         page 76

NOTE
If you use the PATROL Console for Windows, the PATROL Console for UNIX, or both, a management profile contains information similar to a desktop file. For more information, see Chapter 6, Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x.

Connecting to a PATROL Console Server and selecting a management profile


This procedure describes how to run the Open Management Profile wizard to connect to a PATROL Console Server and to create or select a management profile. The first time that you access PATROL Central Operator, the Open Management Profile wizard is displayed for you to specify which PATROL Console Server and management profile you want to use. The next time that you start PATROL Central Operator, it will automatically connect to the last PATROL Console Server and management profile that you used. You can also change PATROL Console Servers or management profiles at any time.

Before you begin


You must have performed the following tasks.

1. Accessed PATROL Central. See page 69.
2. Accessed the PATROL Central Operator General Tasks page. See page 70.

To run the Open Management Profile wizard

1 On the PATROL Central Operator General Tasks page, click Open Management Profile.

The Console Server Service Name page of the Open Management Profile wizard is displayed.

2 From the Service Name drop-down list, choose the PATROL Console Server to use.
Then click Next.

3 The Management Profile Name page of the Open Management Profile wizard is
displayed.

4 Perform one of the following actions:

- Type a name for a new management profile and click Next.
- Select an existing management profile and click Next.

NOTE
If you select an existing management profile that is currently opened by another user in read-write mode, you can choose to open it as read-only. If you open it as read-only, you will not be able to make any changes, such as adding managed systems or loading KMs, or save temporary changes permanently. If you have the right to create a new profile, you can save the changes made in a read-only profile by using the Save Management Profile As option. However, you can create temporary objects such as folders, charts, custom views, and shortcuts in a read-only management profile. This feature is controlled by the Allow user to make temporary changes in read-only profile access right of PATROL Console Server. For more information about read-only management profiles, see the PATROL Central Operator Web Edition online Help.

5 Click Finish.
PATROL Central Operator connects to the PATROL Console Server and opens the management profile.

Adding managed systems


This procedure describes how to add managed systems to your management profile by using the Add Managed Systems wizard. After you connect to a PATROL Console Server, you must specify which managed systems (computers running the PATROL Agent software) you want to monitor. You can also add new managed systems at any time.

Before you begin


You must have performed the following tasks.

1. Accessed PATROL Central. See page 69.
2. Accessed the PATROL Central Operator General Tasks page. See page 70.
3. Connected to the PATROL Console Server and selected a management profile. See page 73.

To add managed systems

1 On the PATROL Central Operator General Tasks page, click Add Managed Systems.
The Selecting Managed Systems page of the Add Managed Systems wizard is displayed.

TIP
To select multiple managed systems, hold down the Ctrl key, and click each item you want to select. To select a range of managed systems, click the first one, then hold down the Shift key as you click the last one in the range. To select all managed systems, press Ctrl+a.

2 From the list of discovered systems, choose the systems that you want to monitor.

3 (optional) To filter the managed systems that are displayed, type a filter in the box
below the list and click Apply Filter.

NOTE
The filter does not support a wildcard search.

4 Specify whether you want to automatically load any preloaded knowledge modules. Then click Next.

NOTE
Depending on how user accounts are set up on the PATROL Console Server and the individual managed systems, you might be prompted for a username and password for some managed systems. For more information, see General considerations for setting up users and groups on page 88.

A confirmation page is displayed.

5 Click Finish to close the wizard.



The managed systems are displayed in the tree view and added to your management profile.

Loading PATROL KMs


This procedure describes how to load KMs by using the Load Knowledge Modules wizard. You do not need to use this wizard if all of the following conditions apply:
- The managed system is configured for preloaded KMs.
- You only want to see the KMs that are preloaded on the PATROL Agent.
- The Load Knowledge Modules Marked as Preloaded on Selected Managed Systems option in the Managed System Selection page of the Add Managed Systems wizard is enabled for the managed system in the management profile.

Before you begin


You must have performed the following tasks.
1. Accessed PATROL Central. See page 69.
2. Accessed the PATROL Central Operator General Tasks page. See page 70.
3. Connected to the PATROL Console Server and selected a management profile. See page 73.
4. Added the managed systems that you want to monitor. See page 74.

To load KM(s)

1 On the PATROL Central Operator General Tasks page, click Load Knowledge Modules.

The Selecting Managed Systems page of the Loading Knowledge Modules wizard is displayed.

2 From the list of available managed systems, select the managed systems on which to load PATROL KMs. Then click Next.

3 The list of available KMs is displayed.

4 Select the PATROL KMs that you want to load. Then click Next.

A confirmation message is displayed.

5 Click Finish to close the wizard.


Any PATROL KMs that were not already loaded on their respective managed systems are loaded. The PATROL KMs are displayed in the tree view area and added to your management profile.

Viewing object information


You can view the following information:
- Licensing information on page 77
- Viewing active user statistics on page 77
- Viewing blackout information on page 79

Licensing information
BMC Software now provides a utility to help you track product usage and maintain product license compliance in your environment. If you have already installed version 7.7.00 of PATROL Central Operator - Web Edition, the utility is available. To use the reporting utility, see Viewing active user statistics on page 77.

Viewing active user statistics


This procedure describes how to view the statistics of active users using the Active User Statistics feature.

TIP
If the Read and Write permissions for a profile are revoked for a particular user, then the user cannot view the details of the sessions using that profile in the View Active User Statistics and View Management Profile Statistics dialog boxes. However, the user can view the number of concurrent sessions using that profile.


Before you begin


You must have performed the following tasks:
1. Accessed PATROL Central. See page 69.
2. Accessed the PATROL Central Operator General Tasks page. See page 70.
3. Connected to the PATROL Console Server and selected a management profile. See page 73.

To view active user statistics

1 On the PATROL Central Operator General Tasks page, click Active User Statistic.
The Active User Statistics page is displayed. The Active User Statistics page contains the following read-only fields:

| Field | Description |
|---|---|
| Console Server Name | name of the Console Server |
| Concurrent Sessions | number of current PATROL Central Operator users who have a profile open |
| Maximum Concurrent Sessions Allowed | maximum number of concurrent PATROL Central Operator connections allowed as defined in the Console Server. The value of this field is set by the Console Server configuration variable Acfg 7 1 0 Console Server::maxProfilesOpen. |
| Maximum Concurrent Sessions Observed | maximum number of concurrent PATROL Central Operator connections observed |

NOTE
The information displayed in the Active User Statistics page is configured by the Console Server. The user statistics are displayed only if the PATROL Central Operator uses the Console Server 7.7.00 or later and the management profile is not opened in a read-only mode. If the PATROL Central Operator connects to a Console Server 7.7.00 or earlier, the fields on the Active User Statistics page show the value 'Unavailable' and the Reset button is inactive.

2 To reset the value of the Maximum Concurrent Sessions Observed field to the value of the Concurrent Sessions field, click Reset.


NOTE
By default, only the users belonging to the patadm group can use the reset feature for the Maximum Concurrent Sessions Observed field. The reset feature is controlled by the access right Allow reset of Maximum Number of Concurrent Console Sessions.

Viewing blackout information


You can view blackouts for various PATROL objects such as parameters, application instances, or application classes using the PATROL Central Operator console. To configure a blackout you need to use any one of the following utilities:
- pconfig
- wpconfig for Microsoft Windows
- xpconfig for UNIX
- PATROL Configuration Manager

For more information about setting and configuring blackouts, refer to the BMC PATROL Agent Reference Manual.

NOTE
You will be able to view the blackout icons only for those objects for which blackout has been applied after you started the PATROL Central Operator.

This procedure describes how to view the blackout information.

To view blackout information


1. Right-click the PATROL object (parameter, application instance, or application class) for which blackout is applied.
2. Click InfoBox.
3. You can view Blackout Message, Blackout Start Time, and Blackout Remaining Duration.
   - Blackout Message: the INFO_MSG that was set when the blackout was configured. This message is used for the BlackoutStart and BlackoutStop events.
   - Blackout Start Time: shown in mm-dd-yyyy hh:min format.
   - Blackout Remaining Duration: the time left for the object in blackout state.


If blackout is not set or if the blackout is over, these fields are blank in the InfoBox of the particular object.

NOTE
You must use PATROL Agent 3.8.00 or later for blackout support.

You must consider the following points:


- If Console Server or RTServer is restarted while a blackout is running, expect a delay before the blackout icon changes and the blackout information is populated.

- If blackout is applied at the parent level, the state change is propagated downward: child objects show the parent icon, but blackout information is displayed at the parent level only. For example, if blackout is applied at an application instance, all parameters under this application instance have the same icon (blackout state) as that application instance, but blackout information (Blackout Message, Blackout Start Time, and Blackout Remaining Duration) is displayed only in the InfoBox of the application instance. For parameters, the InfoBox does not show any Blackout Message, and Blackout Remaining Duration is displayed as 0h 0m 0s.

- Child object blackout has precedence over parent object blackout. For example, if TYPE_ALARM blackout is applied to an application instance and TYPE_COLLECTION blackout is applied to one of the parameters of the same application instance, the parameter displays the icon for TYPE_COLLECTION blackout.

- For some blackout types (for example, TYPE_ALARM and TYPE_EVENT), the blackout icon might be removed even though the blackout is still active, depending on the change in state of the object. Although the icon is changed, the blackout information can still be viewed from the InfoBox.

NOTE
If a blackout is present at the parent level (for example, application instance), the same blackout also applies to its child objects (parameters). You can confirm this from the InfoBox, which has the blackout information. If any blackout is set for __ANYAPPL__, this becomes visible where some application instances are shown in blackout but the parameters do not show the blackout icon. In this case, the blackout information can be confirmed from the parent blackout information.


Where to go from here


| For information about this topic | See |
|---|---|
| monitoring with PATROL Central Operator | PATROL Central Operator Web Edition online Help |
| using the PATROL Central console infrastructure | PATROL Central Web Edition online Help |
| administering users | PATROL Central Administration Web Edition online Help |
| how PATROL works | PATROL Fundamentals online Help |
| using both PATROL 3.x and PATROL Central Operator, or moving from a PATROL 3.x console | Chapter 6, Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x |


Chapter 4

Administering users of PATROL Central Operator

The PATROL architecture requires that you set up operating system user accounts and groups for the PATROL Console Server and managed systems. This chapter contains the following topics:

About accounts and groups in the PATROL environment (page 85)
About accounts (page 86)
About groups and users (page 86)
About managed system groups (page 87)
General considerations for setting up users and groups (page 88)
Example steps for setting up user accounts and groups (page 89)
Example steps for setting up managed system groups (page 90)
Example steps for setting up managed system groups to avoid account lockouts (page 91)
About PATROL Central Administration (page 92)
Starting PATROL Central Administration and connecting to a PATROL Console Server (page 93)
Administering aliases and impersonations (page 93)
About the user authentication process (page 94)
Example scenario for a single account for all managed systems (page 95)
Example scenario for different accounts according to location (page 96)
Example scenario for different accounts according to application (page 98)
Example scenario for a single account for all managed systems but one (page 99)
Example scenario for restricted and privileged accounts on several managed systems (page 100)
Administering rights and permissions (page 101)
About assigning rights and permissions (page 102)
Predefined groups on the PATROL Console Server (page 103)
Rights used in PATROL Central Operator (page 104)
Permissions used in PATROL Central Operator (page 106)
Using access control lists to manage permissions (page 106)
Rights and permissions for special users (page 109)
How predefined rights and permissions determine group roles (page 110)
Using the predefined groups (page 111)
Example scenario for granting rights (page 112)
Example scenario for simple sharing of management profiles (page 114)
Example scenario for advanced sharing of management profiles (page 116)
Using ACLs (page 119)
About the ACL evaluation process (page 119)
Using ACLs on managed system groups (page 121)
Using ACLs on KM products (page 122)
Using ACLs on menu commands (page 124)


About accounts and groups in the PATROL environment


The PATROL architecture uses operating system groups and users on the PATROL Console Server and managed systems for the following:
- establishing the user's identity throughout PATROL (authentication and impersonation). For more information, see Administering aliases and impersonations on page 93.

- controlling which functionality users can access (rights) and which objects users can access (permissions). For more information, see Administering rights and permissions on page 101.

- identifying the groups to which the user belongs. For more information, see About accounts on page 86.

- identifying managed system groups that contain a collection of managed host systems. For more information, see About managed system groups on page 87.

Table 2 shows how user accounts and groups are used on different computers.

Table 2 User accounts and groups on PATROL Console Server and managed systems

| Computer | User accounts | Groups |
|---|---|---|
| PATROL Central Web Edition | User accounts on a specified PATROL Console Server are used to control who can log on to PATROL Central Web Edition and who can perform administration functions. | Groups on a specified PATROL Console Server are used to control who can log on to PATROL Central Web Edition and who can perform administration functions. |
| PATROL Console Server | User accounts on the PATROL Console Server are used to control rights and permissions and to identify users. | User groups on the PATROL Console Server are used to control rights and permissions. Managed system groups define collections of host systems to manage rights, permissions, impersonation tables, and access control lists (ACLs) on a group basis. |
| Managed System | User accounts on managed systems are used to identify users. | not used |


About accounts
When a user connects to the PATROL Console Server from a console, the user logs on with an operating system account that the PATROL Console Server knows. The PATROL Console Server uses the operating system account to identify the user, the groups to which the user belongs, the PATROL rights and permissions the user has, and the accounts used to authenticate the user with each managed system in a given profile. The PATROL Console Server passes on the user account information or an alias to a user account to the managed system groups so that the managed systems can also identify the user. The user account can be a local or domain account. You set up user accounts in the operating system for each computer. You set up the impersonation table for aliases in the PATROL Console Server with PATROL Central Administration. For more information, see About PATROL Central Administration on page 92.

About groups and users


The PATROL Console Server uses groups to control the rights and permissions of the users who belong to a group. The PATROL Console Server may also use groups to determine the accounts used to authenticate the user with each managed system in a given profile. All users inherit permissions from the group to which they belong. Administrators can use groups in the following manner.

- Administrators can grant all members of a group a permission. However, individual members can be denied the permission, even though the permission is granted to the group.
- Administrators can grant additional permissions to individual group members provided the group to which the user belongs is not denied those permissions.
- Administrators can deny all members of a group a permission. If a group is denied a permission, individual members cannot be granted the permission by any other means.
- Administrators can define the same accounts used to authenticate the user with one or more managed systems for all members of a particular group.


About managed system groups


To facilitate the management of numerous host systems, especially in large-scale environments, you can group collections of host systems into managed system groups. This optional feature enables PATROL Console Server to manage the permissions and impersonation tables entries for these managed systems on a group basis.

TIP
Note that managed system groups are groups of managed systems that you define using PATROL Central Operator Web Edition. These groups are different from the groups of users discussed in About groups and users on page 86, which are defined by the operating system that hosts the PATROL Console Server.

The following guidelines apply to using managed system groups:


- There are no restrictions on the number of
  - managed system groups you can create
  - managed systems you can assign to a managed system group
  - groups to which individual managed systems may belong.

- You cannot nest managed system groups.

- Read and write permissions control access to managed system group configuration and definition tasks; write permission controls who may modify managed system group definitions.

- You can assign read and write permissions to the top-level managed system group container to apply to all managed system groups and to the individual managed system group objects. The more specific permission supersedes the more general. For example, if a server in a managed system group has individually specified permissions, the permissions for the individual managed system prevail over the permissions for the managed system group.

- You do not have to make changes to the impersonation table or rights defined for the group when you add or remove managed systems from a managed system group or rename a group.

- In setting up an impersonation table, specify the name of the managed system group in place of the managed-node service name. Because the entries in an impersonation table are evaluated in a top-down order, you should arrange the order of these entries based on your needs.


General considerations for setting up users and groups


You can use various strategies for setting up user accounts and groups on the PATROL Console Server and managed systems. How you set them up depends on how you answer the following questions:
- Do you want to use local accounts or domain accounts? If you use domain accounts that are known to both the PATROL Console Server and managed systems, you do not have to use the impersonation table. If you use local accounts for managed systems, you might have to create aliases to those accounts in the impersonation table in the PATROL Console Server.

- Do you want to create multiple accounts in the operating system for each managed system? If you want multiple users to share the same account on a managed system, you can create aliases to that account in the impersonation table in the PATROL Console Server.

- Do you want users to be able to access managed systems that they do not have accounts on? If so, you will have to set up user accounts on the managed systems and then create aliases to them in the impersonation table in the PATROL Console Server.

- Do you administer a large environment and prefer to manage impersonations, aliases, rights, permissions, and ACLs for a collection of host systems instead of managing these tasks on a host-by-host basis? If so, you should set up managed system groups. You can then apply aliases, rights, permissions, and ACLs to a managed system group which contains the host systems that belong to the managed system group.


Example steps for setting up user accounts and groups


The following steps describe one method of setting up user accounts and groups:

1. In the operating system of the PATROL Console Server, create an account for each user and add each account to the appropriate group or groups listed in Predefined groups on the PATROL Console Server on page 103. These user accounts can be local accounts or domain accounts.
2. In the operating system of each managed system, create one or more operating system accounts for use by PATROL.
3. (optional) In PATROL Central Administration, set up the impersonation table to provide alias accounts on the PATROL Console Server to accounts on the managed systems. If you do not set up the impersonation table, you will have to manually enter a user name and password for each managed system as you connect to it.
4. (optional) Create management profiles in PATROL Central Operator and share them with other users by using PATROL Central Administration. Depending on the group membership of individual users, you might have to manually share management profiles with some users.

TIP
If you use multiple PATROL Console Servers, set up the impersonation table on each PATROL Console Server separately. Only the impersonation table on the corresponding PATROL Console Server is used. For example, suppose a user logs on to PATROL Central with an account on the PATROL Console Server used by PATROL Central, then, in PATROL Central Operator, opens a management profile on a different PATROL Console Server. When the user tries to access a managed system in the management profile, the impersonation table on only the second PATROL Console Server is used.


Example steps for setting up managed system groups


The following steps describe one method of setting up managed system groups:

1. In PATROL Central Administration, create one or more managed system groups by using one of the following methods.
   A. Access the Managed System Groups tree view by clicking Administration => Managed System Groups tabs. Right-click the Managed System Groups folder and select Create Managed System Group to launch the Add Managed System Group wizard.
   B. Access the Managed System Group results pane by clicking Administration => Managed System Groups tabs. Click the Create Managed System Group button to launch the Add Managed System Group wizard.
2. Complete the Add Managed System Group wizard to select the available managed systems that you want to add to the managed system group.
3. (optional) In PATROL Central Administration, set up the impersonation table to provide alias accounts for the managed system groups.
4. (optional) Create ACLs that you can use to control the managed system groups or managed systems within a group. ACLs are used to determine if a user has permission to see a particular host or a particular Knowledge Module (KM) on a host. (The default permissions for a managed system group grant read access to all users.)
5. (optional) Use the ACLs to tailor permissions for managed system groups. For example, you can
   - exclude some groups from seeing certain servers
   - restrict a particular user from a specific machine in a group
   - limit a particular user to just one specific machine in a group


Example steps for setting up managed system groups to avoid account lockouts
A lockout scenario occurs when a user has the same user name and different passwords for different domains and the host systems in the domains are part of a management profile. During the authentication process, the PATROL Console Server sends the first set of credentials (user name and password) to all managed systems, resulting in account lockouts on other domains where the password is not valid.

The following steps describe the required configuration settings to avoid possible account lockout scenarios:

1. Start the PATROL Console Server with the mlmAuthOrder variable set to 2. To set the mlmAuthOrder variable to 2, navigate to the <PATROL ROOT>/config/cserver directory and edit the acfg_cserver_<cserver id>.mof file.

2. On the computer hosting PATROL Central Web, make the following changes in the $BMC_HOME/webcentral/apache-tomcat/webapps/patrol/WEB-INF/wc.script file:

   Replace
   INSERT INTO NAMEDVALUE VALUES(8,'__global__',10,'com.bmc.webconsole.core.allowasyncauthentication','false',13)
   with
   INSERT INTO NAMEDVALUE VALUES(8,'__global__',10,'com.bmc.webconsole.core.allowasyncauthentication','true',13)

3. On the computer hosting PATROL Central Web, make the following changes in the $BMC_HOME/webcentral/apache-tomcat/webapps/patrol/WEB-INF/core/register.xml file:

   Replace
   <namedValue id="com.bmc.webconsole.core.allowAsyncAuthentication" value="false">
   with
   <namedValue id="com.bmc.webconsole.core.allowAsyncAuthentication" value="true">

4. In PATROL Central Administration, set up a Managed System Group with a name that begins with the DOMAIN_ prefix, followed by the domain name. You can add managed systems from that domain to create a managed system group. For information about managed system groups, see Example steps for setting up managed system groups on page 90. For example, for the SRV1 domain, you can specify the name of the Managed System Group as DOMAIN_SRV1.


NOTE
The DOMAIN_ prefix of a Managed System Group is case-sensitive. A managed system group with the DOMAIN_ prefix restricts successfully authenticated credentials to only those managed systems which are members of that particular managed system group, hence avoiding the account lockout issue.

Ensure that all entries in the impersonation table of the PATROL Console Server are valid.

WARNING
To avoid account lockouts, the managed system group is created based on the domain. Consider an example wherein a managed system outside the domain is added to the managed system group that already contains n number of managed systems. If the first authentication pop-up comes for the managed system outside the domain, it results in n number of popups, one for each managed system in the managed system group. Hence, you need to be cautious while adding managed systems to the managed system group.
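
A check for the settings in steps 2 to 4 of the lockout procedure, as an added example (not part of the original guide and not BMC code). It assumes the two files contain the lines in the form quoted in those steps; the function names and sample contents are constructed, and mlmAuthOrder is not checked because the guide does not show the .mof syntax.

```python
# Added audit for steps 2-4 of the lockout procedure. Not BMC code: function
# names and sample file contents are constructed from the lines quoted there.
import re

KEY = "com.bmc.webconsole.core.allowasyncauthentication"  # compared case-insensitively
PREFIX = "DOMAIN_"                                         # case-sensitive per the NOTE

# wc.script row: INSERT INTO NAMEDVALUE VALUES(8,'__global__',10,'<key>','<value>',13)
WC_ROW = re.compile(
    r"INSERT\s+INTO\s+NAMEDVALUE\s+VALUES\s*\(\s*\d+\s*,\s*'[^']*'\s*,\s*\d+\s*,"
    r"\s*'(?P<key>[^']*)'\s*,\s*'(?P<value>[^']*)'\s*,\s*\d+\s*\)",
    re.IGNORECASE,
)
# register.xml element: <namedValue id="<key>" value="<value>">
XML_TAG = re.compile(r'<namedValue\b([^>]*)>', re.IGNORECASE)
XML_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def wc_script_value(text):
    """Value of the async-authentication row, or None if absent or mis-quoted."""
    for row in WC_ROW.finditer(text):
        if row.group("key").lower() == KEY:
            return row.group("value")
    return None


def register_xml_value(text):
    """Value of the async-authentication element, or None if absent or mis-quoted."""
    for tag in XML_TAG.finditer(text):
        attrs = dict(XML_ATTR.findall(tag.group(1)))
        if attrs.get("id", "").lower() == KEY:
            return attrs.get("value")
    return None


def audit(wc_script, register_xml, group_names):
    """Return a list of findings; an empty list means steps 2-4 look complete."""
    findings = []
    for source, value in (("wc.script", wc_script_value(wc_script)),
                          ("register.xml", register_xml_value(register_xml))):
        if value is None:
            findings.append(f"{source}: setting missing or malformed")
        elif value != "true":
            findings.append(f"{source}: value is {value!r}, expected 'true'")
    for name in group_names:
        # A prefix such as domain_ or Domain_ does not get the DOMAIN_ behaviour.
        if name.upper().startswith(PREFIX) and not name.startswith(PREFIX):
            findings.append(f"group {name!r}: prefix must be written exactly as {PREFIX}")
    if not any(name.startswith(PREFIX) for name in group_names):
        findings.append("no managed system group with the DOMAIN_ prefix")
    return findings


# Constructed sample contents, in the form quoted in steps 2 and 3.
WC_BEFORE = ("INSERT INTO NAMEDVALUE VALUES(8,'__global__',10,"
             "'com.bmc.webconsole.core.allowasyncauthentication','false',13)")
WC_AFTER = WC_BEFORE.replace("'false'", "'true'")
XML_BEFORE = '<namedValue id="com.bmc.webconsole.core.allowAsyncAuthentication" value="false">'
XML_AFTER = XML_BEFORE.replace('"false"', '"true"')
XML_MISQUOTED = XML_BEFORE.replace('"false"', 'true"')  # opening quote lost while editing

if __name__ == "__main__":
    for label, args in (("before", (WC_BEFORE, XML_BEFORE, ["domain_srv1"])),
                        ("after", (WC_AFTER, XML_AFTER, ["DOMAIN_SRV1"])),
                        ("misquoted", (WC_AFTER, XML_MISQUOTED, ["DOMAIN_SRV1"]))):
        print(label, audit(*args))
```

A value edited in only one of the two files, or a quote dropped during the edit, is reported as a finding rather than passing silently.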

About PATROL Central Administration


PATROL Central Administration is a console module that works within the PATROL Central console to control user access to PATROL. You use PATROL Central Administration in the following cases:
- You want to set up impersonation tables so that users do not have to enter account information for managed systems. For more information, see Administering aliases and impersonations on page 93.

- You want to control rights and permissions using groups other than the predefined groups, or the default rights and permissions for those groups do not fit your needs. For more information, see Administering rights and permissions on page 101.

- You want to place collections of managed systems in managed system groups to define impersonation tables that are global to all members of a managed system group and to manage ACLs for all managed systems in that group. For more information, see Example scenario for a single account for all managed systems but one on page 99.


Starting PATROL Central Administration and connecting to a PATROL Console Server


This procedure describes how to start the Web Edition of PATROL Central Administration and connect to a PATROL Console Server.

To start PATROL Central Administration

1 Start the PATROL Central console.
See Accessing PATROL Central on page 69.

2 Click the Administration tab in the PATROL Central Web Edition banner area.

To connect PATROL Central Administration to a PATROL Console Server

From the Service drop-down list, select the PATROL Console Server to which you want to connect.

Administering aliases and impersonations


The PATROL architecture uses operating system accounts on each managed system and an impersonation table in the PATROL Console Server to control access to each managed system. Accounts can be local accounts or domain accounts. Users can access a managed system only in the following situations:
- The user logs on to the PATROL Console Server with a domain account that is also known to the managed system.
- The user logs on to the PATROL Console Server with a local account, and the managed system has an account with an identical user name and password.
- The user has an account on the managed system and enters the user name and password when connecting to the managed system.
- The impersonation table in the PATROL Console Server is set up to provide an alias for the user to a user account on the managed system.
- The impersonation table in the PATROL Console Server is set up to provide an alias for the managed system group to which the user belongs.


The user can connect to any managed system if the impersonation table in the PATROL Console Server is set up to provide an alias for the managed system group to which the user belongs and the user is not otherwise restricted from connecting to the managed system.

You set up user accounts in the operating system for the managed system. You set up user accounts and groups in the operating system for the PATROL Console Server. You set up the impersonation table in the PATROL Console Server with PATROL Central Administration. You created one or more optional managed system groups to administer aliases and impersonation for the managed host systems in the groups. For more information, see the PATROL Central Administration online Help.

About the user authentication process


The process of establishing a user's identity to PATROL is called authentication. Each PATROL program that you access in PATROL's layered architecture must authenticate your identity. For example, when you use PATROL Central Operator, both the PATROL Console Server and the PATROL Agent must authenticate your identity. A PATROL program, such as PATROL Console Server or PATROL Agent, can only authenticate users with valid operating system user accounts that it recognizes.

How Impersonation Tables Work


To allow a user to access PATROL Agents that do not recognize the user's account, the PATROL Console Server provides PATROL Agents with account information on behalf of the user. If a PATROL Agent does not recognize the original account of the user, the PATROL Console Server consults an impersonation table that maps users or a managed system group to alias accounts that are recognized by PATROL Agents. The PATROL Console Server then provides the PATROL Agent with the alias account that is configured for the user or the managed system group.

For example, the authentication process for a user of PATROL Central Operator is as follows:

1. First, the user logs on to the PATROL Console Server, providing an account known to the PATROL Console Server. The PATROL Console Server authenticates this account. This account is the console account.
2. The PATROL Console Server provides the PATROL Agent with the user's account. If the PATROL Agent recognizes the user's account, the authentication process is successfully completed.


3. If the PATROL Agent does not recognize the console account, the PATROL Console Server consults its impersonation table for an alias account for the user or the user group to which the user belongs. The impersonation table lookup is based on the PATROL Agent's name and managed system group membership.
4. If there is an alias account for the user or managed system group to which the user belongs, the PATROL Console Server provides it to the PATROL Agent. If the PATROL Agent recognizes the alias account, the authentication process is successfully completed.
5. If there is no alias account, or if the PATROL Agent does not recognize the alias account, the user is prompted for an account to use.
6. If the PATROL Agent recognizes the account the user enters, the authentication process is successfully completed. Otherwise, the user cannot access the PATROL Agent.

The process outlined illustrates the default impersonation process. You can configure the order in which accounts are selected for impersonation. For more information about configuring the account order for authenticating to PATROL Agents, see the PATROL Console Server and RTserver Getting Started guide.

Table 3 lists the example scenarios provided for managing access.

Table 3   Example scenarios for managing access

| To manage access for this topic | See the example |
|---|---|
| A single account for all managed systems | page 95 |
| Different accounts according to location | page 96 |
| Different accounts according to application | page 98 |
| A single account for all managed systems but one | page 99 |
| Restricted and privileged accounts on several managed systems | page 100 |

Example scenario for a single account for all managed systems


This example describes a solution to granting all PATROL users access to all managed systems, when those managed systems use the same user name and password.


NOTE
This example scenario provides the general tasks. For detailed instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
You have several managed systems that all have a local account with the same user name and password. You want all users to be able to access all of the managed systems.

Solution
1. Create a single alias for the local account.

| Alias | User name | Password |
|---|---|---|
| patrol_all | patrol | **** |

2. Add a single row in the impersonation table, using wildcards for the user and the service name.

| User/Group | User/Group name | Service type | Service name | Alias |
|---|---|---|---|---|
| User | * | Managed System | * | patrol_all |

NOTE
- You can still control which users and groups can access specific managed systems by setting permissions for those managed systems.
- Alternatively, you can create a managed system group and add all of the systems to the managed system group.

Example scenario for different accounts according to location


This example describes a solution to granting all PATROL users access to all managed systems, when different managed systems have different user names and passwords, according to location.


NOTE
This example scenario provides the general tasks. For detailed instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
You have several managed systems in different locations. You create a managed system group for each location such that each managed system group contains all of the managed systems in that location. All of the managed systems have a local account with the same user name. However, each location uses a different password. You want all users to be able to access all of the managed systems.

Solution
1. Create an alias for each user name and password combination.

| Alias | User name | Password |
|---|---|---|
| patrol_location_1 | patrol | **** |
| patrol_location_2 | patrol | **** |

2. Add a row in the impersonation table for each location, using pattern matching on the service name.

| User/Group | User/Group name | Service type | Service name | Alias |
|---|---|---|---|---|
| User | * | Managed System Group | LOCATION1 | patrol_location_1 |
| User | * | Managed System Group | LOCATION2 | patrol_location_2 |

NOTE
You can still control which users and groups can access specific managed systems by setting permissions for those managed systems.


Example scenario for different accounts according to application


This example describes a solution to granting all PATROL users access to all managed systems, when different managed systems use different accounts for different applications.

NOTE
This example scenario provides the general tasks. For detailed instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
You have several managed systems that host five different applications. You create a managed system group for each application such that each managed system group contains all of the managed systems with that application. All of the managed systems with the same application use the same account. The accounts for two of the applications happen to be the same. The accounts for the other three applications are different. You want all users to be able to access all of the managed systems.

Solution
1. Create four aliases, one for each unique user name and password combination.

| Alias | User name | Password |
|---|---|---|
| patrol_app1_and_app2 | patrol | **** |
| patrol_app3 | patrol | **** |
| patrol_app4 | patrol | **** |
| patrol_app5 | patrol | **** |

2. Add a row in the impersonation table for each application, using the corresponding managed system group name.

| User/Group | User/Group name | Service type | Service name | Alias |
|---|---|---|---|---|
| User | * | Managed System Group | APPLCATION1 | patrol_app1_and_app2 |
| User | * | Managed System Group | APPLCATION2 | patrol_app1_and_app2 |
| User | * | Managed System Group | APPLCATION3 | patrol_app3 |
| User | * | Managed System Group | APPLCATION4 | patrol_app4 |
| User | * | Managed System Group | APPLCATION5 | patrol_app5 |

NOTE
- You can also use pattern matching to combine rows for app1 and app2.
- You can still control which users and groups can access specific managed systems by setting permissions for those managed systems.

Example scenario for a single account for all managed systems but one
This example describes a solution to granting all PATROL users access to all managed systems, when all managed systems have the same user name and password, except one.

NOTE
This example scenario provides the general tasks. For step-by-step instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
You have several managed systems. All of the managed systems have a local account with the same user name and password, except for one special system. You want only one special user to be able to access the special system. You want all users, including the special user, to be able to access all of the other managed systems.


Solution
1. Create two aliases: one for the account on the special system, and another for the shared user name and password.

| Alias | User name | Password |
|---|---|---|
| patrol_special | patrolspecial | **** |
| patrol_regular | patrol | **** |

2. Add two rows to the impersonation table: one for the special managed system, and another for all the other managed systems.

| User/Group | User/Group name | Service type | Service name | Alias |
|---|---|---|---|---|
| User | SpecialUser | Managed System | SpecialAgent | patrol_special |
| User | * | Managed System | * | patrol_regular |

Make sure that the row for the special user is before the row for all users. Otherwise, the PATROL Console Server will find the alias patrol_regular, and never use the patrol_special alias.

NOTE
Instead of controlling access to the special managed system in the impersonation table, you can apply the alias to all users and control which users and groups can access the special managed system by setting permissions for it.
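
The default account order from "How Impersonation Tables Work" and the row-ordering caveat in this scenario can be checked with a small model. This Python code is an added example, not BMC code: it assumes top-down first-match evaluation and glob-style patterns (fnmatch), reduces "the agent recognizes the account" to a name check, and the names OtherAgent and alice are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Row:
    kind: str           # "User" or "Group"
    name: str           # user or group name, or a pattern such as "*"
    service_type: str   # "Managed System" or "Managed System Group"
    service_name: str   # agent or managed system group name, or a pattern
    alias: str


def row_matches(row, user, user_groups, agent, agent_groups):
    who = [user] if row.kind == "User" else user_groups
    where = [agent] if row.service_type == "Managed System" else agent_groups
    return (any(fnmatchcase(w, row.name) for w in who)
            and any(fnmatchcase(w, row.service_name) for w in where))


def find_alias(table, user, user_groups, agent, agent_groups):
    """Top-down scan; the first matching row decides (assumed semantics)."""
    for row in table:
        if row_matches(row, user, user_groups, agent, agent_groups):
            return row.alias
    return None


def authenticate(table, aliases, agent_accounts, user, user_groups,
                 agent, agent_groups, prompted=None):
    """Default order from the page: console account, alias, then prompt."""
    if user in agent_accounts:                                          # step 2
        return ("console account", user)
    alias = find_alias(table, user, user_groups, agent, agent_groups)   # step 3
    if alias is not None and aliases[alias] in agent_accounts:          # step 4
        return ("alias " + alias, aliases[alias])
    if prompted is not None and prompted in agent_accounts:             # steps 5-6
        return ("prompted account", prompted)
    return ("no access", None)


def _covers(earlier, later):
    # Conservative: "*" covers everything; otherwise the later value must be
    # a literal (no wildcard characters) that the earlier pattern matches.
    if earlier == "*" or earlier == later:
        return True
    return not any(c in later for c in "*?[") and fnmatchcase(later, earlier)


def shadowed_rows(table):
    """Indexes of rows that can never be selected because an earlier row
    already matches every user and service they match."""
    hidden = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            who = ((earlier.kind == "User" and earlier.name == "*")
                   or (earlier.kind == later.kind
                       and _covers(earlier.name, later.name)))
            where = ((earlier.service_type == "Managed System"
                      and earlier.service_name == "*")
                     or (earlier.service_type == later.service_type
                         and _covers(earlier.service_name, later.service_name)))
            if who and where:
                hidden.append(i)
                break
    return hidden


# Aliases and rows from the scenario above.
ALIASES = {"patrol_special": "patrolspecial", "patrol_regular": "patrol"}
SPECIAL = Row("User", "SpecialUser", "Managed System", "SpecialAgent", "patrol_special")
REGULAR = Row("User", "*", "Managed System", "*", "patrol_regular")
GOOD_ORDER = [SPECIAL, REGULAR]
BAD_ORDER = [REGULAR, SPECIAL]
# Constructed: the accounts each agent recognizes.
AGENT_ACCOUNTS = {"SpecialAgent": {"patrolspecial"}, "OtherAgent": {"patrol"}}


def demo(table, user, agent, prompted=None):
    return authenticate(table, ALIASES, AGENT_ACCOUNTS[agent],
                        user, [], agent, [], prompted)


if __name__ == "__main__":
    for label, table in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, demo(table, "SpecialUser", "SpecialAgent"),
              "shadowed rows:", shadowed_rows(table))
```

Running `shadowed_rows` over an exported copy of the table before applying it flags rows that a broader earlier row makes unreachable.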

Example scenario for restricted and privileged accounts on several managed systems
This example describes a solution to granting PATROL users in one group access to one account on all managed systems and PATROL users in other groups access to another account on all managed systems, when all managed systems have two types of accounts: a restricted account and a privileged account.

NOTE
This example scenario provides the general tasks. For step-by-step instructions for a specific task, see the PATROL Central Administration online Help.


Scenario
You have several managed systems. All of the managed systems have two types of accounts: a restricted account and a privileged account. You want only users in the patadm group to connect to the managed systems using the privileged account, and you want users in the patop, patpop, and patwatch groups to connect to the managed systems using the restricted account.

Solution
1. Create two aliases: one for the restricted account, and another for the privileged account.

| Alias | User name | Password |
|---|---|---|
| patrol_restricted | patrolrestricted | **** |
| patrol_privileged | patrolprivileged | **** |

2. Add four rows to the impersonation table: one for each group.

| User/Group | User/Group name | Service type | Service name | Alias |
|---|---|---|---|---|
| Group | patadm | Managed System | * | patrol_privileged |
| Group | patop | Managed System | * | patrol_restricted |
| Group | patpop | Managed System | * | patrol_restricted |
| Group | patwatch | Managed System | * | patrol_restricted |

NOTE
Instead of controlling access to the special managed system in the impersonation table, you can apply the alias to all users and control which users and groups can access the special managed system by setting permissions for it.

Administering rights and permissions


NOTE
The terminology for rights and privileges has changed in this release. The term rights in previous releases has been replaced with permissions in this release. The term privileges in previous releases has been replaced with rights in this release.


The PATROL architecture uses operating system user accounts and groups on the PATROL Console Server to control rights and permissions for PATROL. A right allows a user to access specific console functionality. A permission allows a user to access specific PATROL objects. It is the combination of rights and permissions that determines what any user can accomplish or access in the PATROL world. A PATROL user cannot access functionality or objects without both the appropriate rights and permissions.

You administer rights and permissions by using PATROL Central Administration. However, the information is stored on the PATROL Console Server.

Types of permissions for managed systems are as follows:

- Read permission allows you to view objects under the KM or load the KM, if you have the associated rights. Administrators who want to restrict users to specific host groups can remove the read permissions on managed systems.
- Write permission allows you to add or remove agents to or from a managed system.
- Create permission allows you to add a managed system to a domain by creating a domain member object as a child of a domain object.
- Destroy permission allows you to remove a managed system from a domain by deleting the corresponding domain member object.
- Subscribe permission allows you to connect to an agent.

About assigning rights and permissions


There are four basic methods of assigning rights and permissions to a user:
- In the operating system for the PATROL Console Server, put the user into an existing group that already has the desired rights and permissions. This method is usually the easiest method. The existing group can be one of the predefined groups (see "Predefined groups on the PATROL Console Server" on page 103) or a group that has been previously assigned specific rights and permissions.
- Use PATROL Central Administration to assign the desired rights and permissions to a new or existing group. Then, in the operating system for the PATROL Console Server, put the user into that group.


- Use PATROL Central Administration to create managed system groups that assign the desired rights and permissions to all managed systems that are in the group. Use this option to facilitate management of many managed systems in a large-scale environment.
- Use PATROL Central Administration to assign the user the desired rights and permissions directly.

NOTE
- Accounts can be local accounts or domain accounts.
- Users inherit the rights and permissions of the groups to which they belong, including nested groups. Usually, it is easier to add users to the appropriate groups in the operating system than to administer rights and permissions directly.
- Managed systems inherit the rights and permissions of the managed system groups to which they belong.
- The entire list of potential KM products installed on the Console Server is listed under Managed System Groups, even though the precise KM Product may not have been loaded onto any agent in a managed system group. This allows you to preconfigure rights on a particular managed system group prior to deploying the KM product to that managed system group.

For more information about using PATROL Central Administration, see the PATROL Central Administration online Help.

Predefined groups on the PATROL Console Server


The PATROL Console Server installation process includes the creation of the operating system groups listed in the table below. These predefined groups are initially assigned PATROL rights and permissions according to a typical set of roles that apply to PATROL users. These groups are created as a convenience for PATROL security administrators.

Table 4   Predefined PATROL groups on the PATROL Console Server

| Group | Description |
|---|---|
| patop | standard PATROL operators |
| patpop | power operators |
| patwatch | operators who can only watch console objects |
| patadm | standard PATROL administrators |
| patscadm | PATROL administrators who can configure security in the PATROL Central Administration console module |


Rights used in PATROL Central Operator


Rights are used to protect console functionality. Table 5 lists the rights relating to PATROL Central Operator that are assigned to the predefined PATROL groups during installation of the PATROL Console Server. Note that other rights that do not relate to PATROL Central Operator might also be assigned to the PATROL groups.

Table 5   Predefined right assignments

Group columns: patadm, patpop, patop, patwatch, patscadm (the x marks that assign each right to a group are not recoverable here)

Assigned right

- Ability to access the extended namespace (e.g. access remote members namespace) via the domain-be
- Ability to run commands on remote agents
- Ability to start domain-wide operations
- Acknowledge event
- Add, delete, connect and disconnect managed systems
- Administer PATROL Central Web Edition
- Alerts: create views for active alerts (b)
- Alerts: setup connections to PEM server (b)
- Alerts: view and operate active alerts (b)
- Allow Maximum Computers per Profile (c)
- Allow the owner of the Management Profile to assign/modify the ACL for that profile (c)
- Allow the user to initiate online backups (c)
- Allow the user to query all events w/o limiting to loaded Knowledge Modules
- Clear parameter history
- Close event
- Create and destroy management profile
- Create, modify and delete state-change actions
- Create, modify and destroy event filters
- Create, modify and destroy managed system query filters
- Create, modify and destroy user-defined objects (d)
- Delete event
- Display event manager window
- Display managed system query window
- End-to-End: administer (e)
- End-to-End: view and operate (e)
- Execute admin KM commands
- Execute commands in system output window
- Execute KM commands
- Force closing of the management profile that is in use
- Load and unload KM packages
- Log on
- Override attributes of KM objects
- Read contents of system output window
- Set debug level
- Shutdown
- Snooze all objects
- Update, suspend and resume parameter executions
- Allow reset of Maximum Number of Concurrent Console Sessions (f)
- Allow operators to save managed-node credentials in the impersonation table
- Allow the user to make temporary changes to read-only profiles (g)
- Set default account for the service (c)

Footnotes:

a. This right is available if you use PATROL Central Operator Web Edition.
b. This right is available if you use PATROL Central Alerts Web Edition.
c. This right is introduced in version 7.5.00 of PATROL Console Server.
d. User-defined objects include folders, charts, custom views, and shortcuts to other objects.
e. This right only applies if you use PATROL End-to-End Response Timer.
f. This right is introduced in version 7.7.00 of PATROL Console Server.
g. This right is introduced in version 7.7.50 of PATROL Console Server.


Permissions used in PATROL Central Operator


Permissions are used to control access to objects. Objects are arranged under the Permissions folder in PATROL Central Administration according to the following hierarchy:

Figure 3   Hierarchy of objects in PATROL Central Administration

- Knowledge Modules
    - PATROL KM name
- Managed System Groups
    - managed system group name
        - KM name
- Managed Systems
    - managed system name
        - KM name
- Management Profiles
    - management profile name

ACLs on the objects in the hierarchy determine which groups and users have which access permissions for which objects. For more information about how permissions are inherited and wildcard objects, see the PATROL Central Administration online Help.

Using access control lists to manage permissions


This example illustrates how the entries in an ACL are used to determine whether a permission is granted or denied. The following table is a simplified version of the ACL view in the user interface.

| User or group | Permission | Setting | Description |
|---|---|---|---|
| GroupA | read | deny | All members of the group are denied the read permission, even if it is allowed for a different group or a specific member. |
| GroupB | read | allow | All members of the group are allowed the read permission. It is granted, unless it is otherwise denied. |
| User1 | read | allow | The user is allowed the read permission. It is granted unless it is denied to a group or managed system group to which the user belongs. |
| User2 | read | deny | The user is denied the read permission, even if it is allowed for the group or managed system group to which the user belongs. |
| User3 | read | inherit from group | The user inherits permissions from the groups to which the user belongs. |

Assuming that users belong to the groups listed below, the following table shows whether the permission is granted or denied for each user.

| User | Group membership | Permission granted or denied | Reason |
|---|---|---|---|
| User1 | GroupA | denied | Although the permission is allowed for the user, it is explicitly denied to the group. |
| User2 | GroupB | denied | Although the permission is allowed for the group, it is explicitly denied to the user. |
| User3 | GroupA and GroupB | denied | Although the permission is allowed for one group, it is explicitly denied to the other group. |
| User4 | none | denied | The user does not belong to a group for which the permission is allowed. |
| User5 | GroupB | granted | The permission is allowed to the group and not denied to the user or any other groups to which the user belongs. |
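
The deny-overrides-allow rule in the two tables above can be expressed as a short evaluator. This Python code is an added example, not BMC code: the ACL and memberships are the ones in the tables, while GroupC, User6, and the assumption that a deny on a group also reaches members of groups nested in it are constructed for illustration.

```python
ALLOW, DENY, INHERIT = "allow", "deny", "inherit from group"


def expand_groups(direct, nested_in):
    """Direct groups plus every group they are nested in, transitively."""
    seen, todo = set(), list(direct)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(nested_in.get(group, ()))
    return seen


def evaluate(acl, user, direct_groups, nested_in=None):
    """Return (granted, reason) for one permission on one object."""
    groups = expand_groups(direct_groups, nested_in or {})
    user_setting = acl.get(user, INHERIT)
    denying = sorted(g for g in groups if acl.get(g) == DENY)
    allowing = sorted(g for g in groups if acl.get(g) == ALLOW)
    # Any explicit deny wins, whether it is set on the user or on a group.
    if user_setting == DENY:
        return False, "explicitly denied to the user"
    if denying:
        return False, "explicitly denied to group " + ", ".join(denying)
    # Without a deny, one allow (user or group) is enough.
    if user_setting == ALLOW:
        return True, "allowed to the user"
    if allowing:
        return True, "allowed to group " + ", ".join(allowing)
    return False, "no allow entry applies"


def ineffective_allows(acl, membership, nested_in=None):
    """Users whose explicit allow never takes effect because a deny overrides it."""
    return sorted(user for user, groups in membership.items()
                  if acl.get(user) == ALLOW
                  and not evaluate(acl, user, groups, nested_in)[0])


# ACL and memberships from the tables above.
ACL = {"GroupA": DENY, "GroupB": ALLOW,
       "User1": ALLOW, "User2": DENY, "User3": INHERIT}
MEMBERSHIP = {"User1": ["GroupA"], "User2": ["GroupB"],
              "User3": ["GroupA", "GroupB"], "User4": [], "User5": ["GroupB"]}
# Constructed: GroupC is nested in GroupA, and User6 belongs only to GroupC.
NESTED_IN = {"GroupC": ["GroupA"]}


def outcomes():
    return {user: evaluate(ACL, user, groups)[0]
            for user, groups in MEMBERSHIP.items()}


if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        print(user, evaluate(ACL, user, groups))
    print("allow entries with no effect:", ineffective_allows(ACL, MEMBERSHIP))
```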

What permissions mean for different objects


Table 6 on page 107, Table 7, Table 8, and Table 9 on page 108 describe how permissions apply to management profiles, managed systems, managed system groups, and KMs.

Table 6   Permissions for management profiles

| Read permission | Write permission | Description |
|---|---|---|
| Allowed | Allowed | Users can open the management profile as read-only or for read/write. Users can also delete the management profile or force it closed, if they have the associated rights. |
| Allowed | Denied | Users can open the management profile as read-only, but not for read/write. |
| Denied | N/A | Users cannot open the management profile. |


Table 7   Permissions for managed systems

| Read permission | Description |
|---|---|
| Allowed | Users can view the managed system and add it to a management profile, if they have the associated rights. |
| Denied | Users cannot add the managed system to a management profile. If a management profile already contains the managed system, the managed system is displayed as unreachable. |

Table 8   Permissions for managed system groups

| Read permission | Description |
|---|---|
| Allowed | Users can view objects under the KM or load the KM, if they have the associated rights. Administrators who want to restrict users to specific host groups can remove the read permissions on managed system groups. |
| Denied | Users cannot load the KM. If a management profile already contains the KM, objects under that KM are not displayed. |

Table 9   Permissions for KMs

| Read permission | Description |
|---|---|
| Allowed | Users can view objects under the KM or load the KM, if they have the associated rights. |
| Denied | Users cannot load the KM. If a management profile already contains the KM, objects under that KM are not displayed. |

However, a management profile to which an operating system group is not assigned will disappear from the Administration view following the next PATROL Console Server logon. Also, when a management profile to which an operating system group is assigned is deleted, you must restart the PATROL Console Server.


Predefined permissions for management profiles


One predefined ACL is created on the PATROL\Management Profiles folder at the installation of the PATROL Console Server. This ACL is used to restrict access to management profiles used in PATROL Central Operator and is used by all management profiles by default. This ACL grants the following permissions:
- All members of the patadm group are granted both the read and write permissions.
- All members of the patpop and patscadm groups are granted the read permission.

Predefined permissions for managed systems, managed system groups, and KMs
No ACLs are created for managed systems, managed system groups, or KMs at the installation of the PATROL Console Server, so all groups and users have all permissions for them. However, users still need to be able to authenticate to the managed systems in order to gain access (see Administering aliases and impersonations on page 93).

Rights and permissions for special users


There are two exceptions that the PATROL Console Server makes when determining who has what rights and permissions.
- The user who creates an object, such as a management profile, is considered the owner of the object and always has full permissions to it, regardless of any ACLs that indicate differently. The owner of a management profile also has the ability to grant access to that profile from within PATROL Console Server without having patscadm rights. (However, the owner of an object still needs the appropriate rights to perform a specific action on the object.)
- The PATROL Console Server account, which is specified when the PATROL Console Server is installed, always has all rights and permissions. Even if this account is removed from all groups and all rights and permissions are revoked from it in PATROL Central Administration, it still has full access.


How predefined rights and permissions determine group roles


PATROL security administrators allow or deny rights in ACLs for objects. By default, only one ACL is created at installation of the PATROL Console Server. This ACL serves to restrict access to management profiles used in PATROL Central Operator. It exists in the PATROL\Management Profiles folder, as seen in PATROL Central Administration. Table 10 describes how the predefined permissions and rights affect the default abilities of the members of the predefined PATROL groups.

Table 10   Abilities of members of the predefined groups

patadm

Access to management profiles: Members of this group can create, view, modify, and delete management profiles created by any user. When choosing a management profile in PATROL Central Operator, a patadm member can see all the management profiles stored on the PATROL Console Server. Admin users can also configure the read permission for users and managed system groups for KM products and the applications and instances for the KM product.

Comments: Users in this group are the PATROL administrators. These users have rights to do everything, from executing admin KM commands to shutting down the PATROL Console Server. However, these users cannot use PATROL Central Administration unless they are also members of patscadm or log on as the PATROL Console Server account (see "Rights and permissions for special users" on page 109).

patpop

Access to management profiles: Members of this group can create, view, modify, and delete their own management profiles. They can also open, in read-only mode, management profiles created by other users. When choosing a management profile in PATROL Central Operator, a patpop member can see all the management profiles stored on the PATROL Console Server.

Comments: Users in this group are capable of doing almost as much as a PATROL administrator. In general, anyone who needs to manage all management profiles or solve problems that do not require shutting down the PATROL Console Server or running admin KM commands belongs in this group. For example, a DBA who not only needs to monitor databases, but also would like to run commands from the system output window and set up appropriate state change actions should be placed in this group.

patop

Access to management profiles: Members of this group can create, view, modify, and delete their own management profiles. However, they cannot access management profiles created by other users. When choosing a management profile in PATROL Central Operator, a patop member can see only the management profiles that he or she created.

Comments: Users in this group are ordinary operators with no administrative abilities. They can create and use their own management profiles, event filters, and managed system queries. However, they cannot modify parameter execution, close events, modify state change actions, or execute commands in the system output window.

patwatch

Access to management profiles: Members of this group cannot create, open, modify, or delete any management profiles. When prompted to choose a management profile in PATROL Central Operator, a patwatch member will not see any management profiles on the PATROL Console Server, except those for which access has been specifically granted.

Comments: Users in this group are highly restricted. They cannot even open a management profile until specifically granted access by a PATROL security administrator using PATROL Central Administration. Once they do have access to a management profile, they can only view objects and events. For example, suppose a member of patadm sets up a management profile for a patwatch member to view. A member of patscadm would have to use PATROL Central Administration to create an ACL on the management profile that grants read access to the patwatch group.

patscadm

Access to management profiles: Members of this group cannot create, modify, or delete any management profiles. However, they can open, in read-only mode, any management profile created by any user. When choosing a management profile in PATROL Central Operator, a patscadm member can see all the management profiles stored on the PATROL Console Server.

Comments: Users in the patscadm group have only the permissions and rights to use PATROL Central Administration. Although users could assign the group additional permissions and rights, it is better practice to add the users to other groups, such as patadm, instead.

Using the predefined groups


If the roles set up by the predefined groups are sufficient for the PATROL security administrators, they can simply add the operating system users to the predefined groups. In this scenario, users can belong to multiple PATROL groups; however, they must belong to at least one of the predefined groups to use PATROL.


If the roles set up by the predefined groups are not sufficient for the PATROL security administrators, they can modify or delete the rights and permissions associated with these groups as they see fit. They can also assign rights and permissions to other operating system groups or users as needed. Individuals must still have the appropriate rights and permissions to use PATROL, either by belonging to a group with the rights and permissions, or by having the rights and permissions directly. For more information on assigning rights and permissions, see the PATROL Central Administration Help.

Example scenario for granting rights


This example describes several different solutions to granting additional rights to users.

NOTE
This example scenario provides the general tasks. For step-by-step instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
Most of the PATROL operators are in the patop group, since the predefined rights and permissions for that group are the closest match for what they need to do. However, they also need to have full control over PATROL events, but members of patop cannot close or delete events by default.

Solution 1: Modifying the patop group


The PATROL security administrator uses PATROL Central Administration to grant the required extra rights to the patop group.

Solution 2: Granting rights individually


The PATROL security administrator uses PATROL Central Administration to grant the required extra rights to each individual user who needs them. This method is not recommended in organizations with many users or high turnover. If any users are added to or removed from patop in the future, the PATROL security administrator will also have to modify the rights individually.


Solution 3: Replacing the patop group


1. The PATROL security administrator creates a new group in the operating system, such as pateventops.
2. Then the PATROL security administrator uses PATROL Central Administration to assign this new group the same rights and permissions as the patop group, plus the additional event rights.
3. Finally, the PATROL security administrator moves the users from the patop group to the new pateventops group in the operating system.
4. Since the patop group is no longer used, it can be removed.

Solution 4: Adding a new group (variation 1)


1. The PATROL security administrator creates a new group in the operating system, such as patevents.
2. Then the PATROL security administrator uses PATROL Central Administration to assign this new group only the additional event rights.
3. Finally, the PATROL security administrator adds the users from the patop group to the new patevents group in the operating system, so that they are members of both groups.

Because the users are members of both groups, they have all the necessary rights. The rights from both groups are additive. Note that users should not be members of only the patevents group, or they will not have the other necessary rights and permissions to use PATROL.

Solution 5: Adding a new group (variation 2)


1. The PATROL security administrator creates a new group in the operating system, such as pateventsops, and makes it a nested member of the patop group.
2. Then the PATROL security administrator uses PATROL Central Administration to assign this new group only the additional event rights.
3. Finally, the PATROL security administrator moves the users from the patop group to the new pateventsops group in the operating system.

Because the pateventsops group is a nested member of the patop group, its members have all the rights and permissions of the patop group, as well as the additional event rights. Users can be members of the pateventsops group, without being members of the patop group directly. However, because the patop group is still used, it should not be removed.
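The additive and nested group behavior in Solutions 4 and 5 can be checked before users are moved; the following is an added example, not BMC code, that computes each user's effective rights and reports anyone left without a required right. The right names and the user names alice, bob, and carol are constructed placeholders, since the page only states that patop lacks the rights to close or delete events.

```python
# Added illustration, not part of PATROL. Right names are constructed placeholders.
BASE_RIGHTS = frozenset({"console.use", "event.view"})    # stand-in for patop's predefined rights
EVENT_RIGHTS = frozenset({"event.close", "event.delete"})  # the extra event rights operators need
REQUIRED = BASE_RIGHTS | EVENT_RIGHTS


def effective_groups(user_groups, nested_in):
    """Return every group a user belongs to, directly or through nesting.

    nested_in maps a group to the groups it is a nested member of.
    The seen set also protects against circular nesting.
    """
    seen, stack = set(), list(user_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(nested_in.get(group, ()))
    return seen


def effective_rights(user_groups, group_rights, nested_in):
    """Rights are additive: the union of the rights of every effective group."""
    rights = set()
    for group in effective_groups(user_groups, nested_in):
        rights |= group_rights.get(group, set())
    return rights


def audit(scenario, required=REQUIRED):
    """Map each user who lacks a required right to the set of missing rights."""
    gaps = {}
    for user, groups in scenario["users"].items():
        have = effective_rights(groups, scenario["group_rights"], scenario["nested_in"])
        missing = required - have
        if missing:
            gaps[user] = missing
    return gaps


# Solution 4: patevents holds only the event rights, so users must be in both groups.
SOLUTION_4 = {
    "group_rights": {"patop": BASE_RIGHTS, "patevents": EVENT_RIGHTS},
    "nested_in": {},
    "users": {
        "alice": {"patop", "patevents"},  # set up as the procedure describes
        "bob": {"patevents"},             # the case the text warns against
        "carol": {"patop"},               # not yet added to patevents
    },
}

# Solution 5: pateventsops is a nested member of patop, so one membership is enough.
SOLUTION_5 = {
    "group_rights": {"patop": BASE_RIGHTS, "pateventsops": EVENT_RIGHTS},
    "nested_in": {"pateventsops": {"patop"}},
    "users": {
        "alice": {"pateventsops"},  # moved to the new group
        "carol": {"patop"},         # not yet moved
    },
}

if __name__ == "__main__":
    for name, scenario in (("Solution 4", SOLUTION_4), ("Solution 5", SOLUTION_5)):
        for user, missing in sorted(audit(scenario).items()):
            print(f"{name}: {user} is missing {sorted(missing)}")
```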

Solution 6: Granting rights across a managed system group


1. The PATROL security administrator creates a managed system group such as patmsgeventops.
2. The PATROL security administrator adds the managed systems whose users need the additional event rights to the patmsgeventops managed system group.
3. The PATROL security administrator uses PATROL Central Administration to assign this new managed system group only the additional event rights.
4. The users in the patop group will have their predefined rights and permissions and the additional rights assigned to members on the patmsgeventops managed system group.

This method is recommended if the patop users on many managed systems in a large-scale environment need these additional rights.

Example scenario for simple sharing of management profiles


This example describes a solution to sharing different management profiles with different users.

NOTE
This example scenario provides the general tasks. For step instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
An organization needs to monitor computers in two different locations: location_A and location_B. One set of contractors takes shifts watching the computers in location_A, and another set of contractors takes shifts watching the computers in location_B. There is a single PATROL administrator for all locations.

Creating management profiles


The PATROL administrator creates two management profiles: one for location_A and another for location_B. Each management profile contains just the computers and KMs for its location. All of the contractors for location_A will use the management profile for location_A. All of the contractors for location_B will use the management profile for location_B.

Creating users and groups on the PATROL Console Server


The PATROL administrator creates two user groups on the PATROL Console Server: one for location_A and another for location_B. He puts both of the new groups in the predefined patop group. The PATROL administrator also creates user accounts for each of the contractors. He puts each new account in the appropriate group for that contractor's location.

Setting permissions for the management profiles


The PATROL administrator creates an ACL for the management profile for location_A. In the ACL, he duplicates the permissions in the ACL on the PATROL/Management Profiles folder. Then, he also allows members of the location_A group to have read access.
             Permissions
Group        Read                  Write
location_A   allow                 inherit from group
location_B   inherit from group    inherit from group
patadm       allow                 allow
patpop       allow                 inherit from group
patop        inherit from group    inherit from group
patwatch     inherit from group    inherit from group
patscadm     allow                 inherit from group

The PATROL administrator repeats the process for the management profile for location_B, except that he allows members of the location_B group to have read access.

Summary
Each contractor can log on to the PATROL Console Server and open the management profile for his or her location, but not the management profile for the other location, through his or her membership in the groups for the locations. Each contractor has the basic rights to perform most non-administrative console functionality through his or her nested membership in the patop group.

Example scenario for advanced sharing of management profiles


This example describes a solution to sharing different management profiles with different users.

NOTE
This example scenario provides the general tasks. For step instructions for a specific task, see the PATROL Central Administration online Help.

Scenario
An organization needs to monitor four computers. Two of them are database servers (DB1 and DB2), and two are mail servers (Mail1 and Mail2). There are a total of five users to monitor these systems:
User   Role for database servers                                   Role for mail servers
John   PATROL administrator & administrator for database servers   PATROL administrator
Jill   John's backup                                               administrator for mail servers
Jim    operator for database servers                               none
Jane   none                                                        operator for mail servers
Jack   none                                                        intern for mail servers

Adding users to the predefined groups


After installation of the PATROL Console Server is complete, John decides that the predefined groups fit the roles for his users. He places the users in the predefined groups in the operating system as follows, based on their roles:

116

Book Title

Example scenario for advanced sharing of management profiles

User   Groups
John   patadm, patscadm
Jill   patpop, patscadm
Jim    patop
Jane   patop
Jack   patwatch

Setting up and sharing a management profile for the database servers


As the administrator for the database servers, John wants to set up a management profile for monitoring the database servers. As a member of patadm, John has the rights and permissions to set up a management profile. He uses PATROL Central Operator to create a management profile called Databases for the database servers. He adds the database servers (DB1 and DB2), loads the appropriate PATROL Knowledge Modules (KMs), and creates some custom views, event filters, and managed system queries.

By default, the ACL on the PATROL/Management Profiles folder controls who has access to the Databases management profile, because the management profile does not have its own ACL. The management profile inherits the ACL of the PATROL/Management Profiles folder. According to that ACL, members of patpop and patscadm, such as Jill, can open the management profile in read-only mode. Members of patadm, and the owner John, have full access to it. No one else has access to the management profile.

John wants Jim to be able to open the management profile in read-only mode. (Although Jim could create his own management profile, John wants him to use the same one as everyone else.) John wants everyone else to maintain the same access that they currently have.

To change the access to the management profile, John uses PATROL Central Administration to create an ACL for the Databases management profile. Creating an ACL for the Databases management profile means that the ACL on the PATROL/Management Profiles folder is no longer inherited. So, all permissions for the Databases management profile must be specified in the ACL for the Databases management profile.

In the ACL for the Databases management profile, John duplicates the permissions in the ACL on the PATROL/Management Profiles folder. Then John also allows Jim to have read access to the Databases management profile in the ACL.

The following table summarizes who has access to the management profile and why.

User / Group       Access                  Reason
John (user)        full (read and write)   owner & membership in patadm
Jill (user)        read                    membership in patpop group
Jim (user)         read                    allowed in ACL
patadm (group)     full (read and write)   allowed in ACL
patpop (group)     read                    allowed in ACL
patscadm (group)   read                    allowed in ACL

Setting up and sharing a management profile for the mail servers


As the administrator for the mail servers, Jill wants to set up a management profile for monitoring the mail servers. As a member of patpop, Jill has the rights and permissions to set up a management profile. She uses PATROL Central Operator to create a management profile called Mail for the mail servers. She adds the mail servers (Mail1 and Mail2), loads the appropriate PATROL Knowledge Modules (KMs), and creates some custom views, event filters, and managed system queries.

As with the Databases management profile, by default, the Mail management profile inherits the ACL on the PATROL/Management Profiles folder. According to that ACL, members of patpop and patscadm can open the management profile in read-only mode. Members of patadm (such as John), and the owner Jill, have full access to it. No one else has access to the management profile.

Jill wants Jane and the interns, such as Jack, in the patwatch group to be able to open the management profile in read-only mode. (Although Jane could create her own management profile, Jill wants her to use the same one as everyone else.) Jill wants everyone else to maintain the same access that they currently have.

As John created an ACL for the Databases management profile, Jill uses PATROL Central Administration to create an ACL for the Mail management profile. In the ACL for the Mail management profile, Jill duplicates the permissions in the ACL on the PATROL/Management Profiles folder. Then Jill also allows Jane and the patwatch group to have read access to the Mail management profile in the ACL.

The following table summarizes who has access to the management profile and why.
User / Group       Access                  Reason
John (user)        full (read and write)   membership in patadm
Jill (user)        full (read and write)   owner and membership in patpop group
Jane (user)        read                    allowed in ACL
Jack (user)        read                    membership in patwatch group
patadm (group)     full (read and write)   allowed in ACL
patpop (group)     read                    allowed in ACL
patwatch (group)   read                    allowed in ACL
patscadm (group)   read                    allowed in ACL
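Because a profile ACL replaces the inherited folder ACL instead of adding to it, forgetting to duplicate the folder permissions silently removes access; the following added example (not BMC code) reproduces the Databases and Mail access tables and reports who would lose access under an incomplete ACL. It assumes only what the scenario states: the folder ACL entries, the group memberships, and that the profile owner keeps full access.

```python
# Added illustration of the Databases and Mail scenarios; not PATROL code.
# ACL on the PATROL/Management Profiles folder, as the scenario describes it.
FOLDER_ACL = {"patadm": {"read", "write"}, "patpop": {"read"}, "patscadm": {"read"}}

# Group membership from the scenario's table of users and predefined groups.
MEMBERSHIP = {
    "John": {"patadm", "patscadm"},
    "Jill": {"patpop", "patscadm"},
    "Jim": {"patop"},
    "Jane": {"patop"},
    "Jack": {"patwatch"},
}
RANK = {"none": 0, "read": 1, "full": 2}


def effective_acl(profile_acl=None):
    """A profile with its own ACL no longer inherits anything from the folder."""
    return FOLDER_ACL if profile_acl is None else profile_acl


def access(user, owner, acl):
    """Return 'full', 'read' or 'none' for one user on one management profile."""
    if user == owner:  # the scenario gives the owner full access
        return "full"
    perms = set()
    for principal in {user} | MEMBERSHIP[user]:
        perms |= acl.get(principal, set())
    if {"read", "write"} <= perms:
        return "full"
    return "read" if "read" in perms else "none"


def access_table(owner, profile_acl=None):
    """Access of every user, with the inherited folder ACL or a profile ACL."""
    acl = effective_acl(profile_acl)
    return {user: access(user, owner, acl) for user in MEMBERSHIP}


def lost_access(owner, profile_acl):
    """Users whose access drops when the profile gets its own ACL: (before, after)."""
    before, after = access_table(owner), access_table(owner, profile_acl)
    return {
        user: (before[user], after[user])
        for user in MEMBERSHIP
        if RANK[after[user]] < RANK[before[user]]
    }


# ACLs as the scenario builds them: folder permissions duplicated, then the additions.
DATABASES_ACL = {**FOLDER_ACL, "Jim": {"read"}}
MAIL_ACL = {**FOLDER_ACL, "Jane": {"read"}, "patwatch": {"read"}}

# The mistake to avoid: only the new entries, without the duplicated folder permissions.
DATABASES_INCOMPLETE = {"Jim": {"read"}}
MAIL_INCOMPLETE = {"Jane": {"read"}, "patwatch": {"read"}}

if __name__ == "__main__":
    print("Databases:", access_table("John", DATABASES_ACL))
    print("Mail:", access_table("Jill", MAIL_ACL))
    print("Lost (Databases, incomplete ACL):", lost_access("John", DATABASES_INCOMPLETE))
    print("Lost (Mail, incomplete ACL):", lost_access("Jill", MAIL_INCOMPLETE))
```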

Using ACLs
The following examples show how you can use ACLs to control permissions for

- managed system groups
- KMs
- users

About the ACL evaluation process


The high-level evaluation process for using ACLs is as follows:

1. When a user attempts to open a management profile, the PATROL Console Server decides whether the user is allowed to open the management profile and in what mode (read/write or read-only).
2. The PATROL Console Server evaluates the managed systems in the management profile and determines which managed systems the user is allowed to see.
3. For each managed system the user is allowed to see, the PATROL Console Server determines which KM products and application classes the user is allowed to see.
4. For each KM application the user is allowed to see, the PATROL Console Server determines which menu items the user is allowed to see.

Evaluation process for ACLs on managed systems


The PATROL Console Server enforces the following evaluation process when evaluating ACLs for individual managed systems:

1. The PATROL Console Server first checks whether the user is allowed to access the managed system by looking for an ACL on /PATROL/Managed Systems/managedSystemName.
2. The PATROL Console Server then checks whether the user is allowed to access any of the managed system groups that contain the managed system by looking for an ACL on all values of /PATROL/Managed System Groups/managedSystemGroupName, where managedSystemGroupName contains the managed system in question.

NOTE
The user does not need access to all managed system groups that contain the PATROL Agent. If the user has access to at least one of the managed system groups that contain the PATROL Agent, then the PATROL Console Server passes the check. This check only fails if the user is denied access to all managed system groups that contain the PATROL Agent.

3. If the managed system is not a member of any managed system group, then the PATROL Console Server checks for an ACL on /PATROL/Managed System Groups.

If any of the checks fail, the PATROL Console Server does not perform any of the remaining evaluation checks, and the user is not allowed access to the managed system.

NOTE
The default ACLs shipped with PATROL Console Server 7.7.00 and later versions include an ACL on /PATROL/Managed System Groups which allows all users to see all PATROL Agents. As an administrator, you can choose to remove this default ACL if you wish to restrict users to only PATROL Agents defined in specific management profiles.

Evaluation process for ACLs on KM products


If there are ACLs on the same KM product in more than one place, the PATROL Console Server enforces the following evaluation process when evaluating ACLs based on KM products:

1. The PATROL Console Server first checks whether the user is allowed to access the KM product by looking for an ACL on /PATROL/Knowledge Modules/kmProductName.
2. The PATROL Console Server then checks whether the user is allowed to access the KM product on any of the managed system groups that contain the managed system by looking for an ACL on /PATROL/Managed System Groups/managedSystemGroupName/kmProductName.

NOTE
The user does not need access to the KM product on all managed system groups. If the user has access to the KM product for at least one of the managed system groups that contains the PATROL Agent, then the PATROL Console Server passes the check. This check only fails if the user is denied access to all managed system groups that contain the PATROL Agent and the KM product.

3. If the user is allowed access to the KM product, then the PATROL Console Server evaluates access for individual application classes on the managed system by looking for ACLs on /PATROL/Managed Systems/managedSystemName/applicationClassName.

NOTE
The entire evaluation process only applies to KM products that have been developed according to the BMC Software KM certification guidelines. If the KM was not developed in accordance with these guidelines, then only step 3 in the evaluation process is performed since only certified KMs include the necessary information to associate individual application classes with KM product names.
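The two evaluation orders above, for managed systems and for KM products, written as an added model (not PATROL Console Server code) that shows the any-one-group rule, the effect of removing the default ACL on /PATROL/Managed System Groups, and the step-3-only path for KMs that are not certified. The model assumes that an object without its own ACL inherits the nearest ancestor's ACL, that a Denied entry outranks an Allow entry, and that a user with no matching entry has no access; the sample ACLs, system names, the admin1 account, and the application class name are constructed.

```python
# Added model of the evaluation order described above; not PATROL Console Server code.
MS = "/PATROL/Managed Systems"
MSG = "/PATROL/Managed System Groups"
KM = "/PATROL/Knowledge Modules"
ALL_USERS = "*"  # constructed stand-in for an ACL entry that covers all users


def read_allowed(acls, path, principals):
    """Resolve Read on path for a set of user and group names (model assumptions apply)."""
    while path:
        acl = acls.get(path)
        if acl is not None:
            hits = [v for who, v in acl.items() if who == ALL_USERS or who in principals]
            return bool(hits) and "deny" not in hits
        path = path.rpartition("/")[0]  # no ACL here: fall back to the parent object
    return False  # no ACL found anywhere on the way up


def can_see_system(acls, groups_of, system, principals):
    """Checks 1 to 3 for a managed system; the first failed check ends the evaluation."""
    if not read_allowed(acls, f"{MS}/{system}", principals):
        return False
    groups = groups_of.get(system, [])
    if groups:  # access to one containing group is enough
        return any(read_allowed(acls, f"{MSG}/{g}", principals) for g in groups)
    return read_allowed(acls, MSG, principals)  # system belongs to no group


def can_see_app_class(acls, groups_of, system, product, app_class, principals, certified=True):
    """KM checks; a KM that is not certified is evaluated on step 3 only."""
    if certified:
        if not read_allowed(acls, f"{KM}/{product}", principals):
            return False
        groups = groups_of.get(system, [])
        # The page does not cover a system in no group here; this model skips step 2 then.
        if groups and not any(
            read_allowed(acls, f"{MSG}/{g}/{product}", principals) for g in groups
        ):
            return False
    return read_allowed(acls, f"{MS}/{system}/{app_class}", principals)


# Constructed sample data.
GROUPS_OF = {"db1": ["prod", "test"], "db2": ["prod"], "mail1": []}
ACLS = {
    MS: {ALL_USERS: "allow"},
    MSG: {ALL_USERS: "allow"},  # the default ACL the NOTE above describes
    KM: {ALL_USERS: "allow"},
    f"{MSG}/prod": {"patop": "deny", "patadm": "allow"},
    f"{KM}/PATROL Perform Wizard": {"csop2": "allow"},
}
CSOP1 = {"csop1", "patop"}
CSOP2 = {"csop2", "patop"}
ADMIN = {"admin1", "patadm"}  # constructed administrator account


def visible_systems(acls, principals):
    """Managed systems from GROUPS_OF that the principals are allowed to see."""
    return sorted(s for s in GROUPS_OF if can_see_system(acls, GROUPS_OF, s, principals))


def without_default_group_acl(acls):
    """Copy of acls with the default ACL on /PATROL/Managed System Groups removed."""
    return {path: acl for path, acl in acls.items() if path != MSG}


if __name__ == "__main__":
    print("csop1, default ACLs:", visible_systems(ACLS, CSOP1))
    restricted = without_default_group_acl(ACLS)
    print("csop1, default group ACL removed:", visible_systems(restricted, CSOP1))
    print("admin1, default group ACL removed:", visible_systems(restricted, ADMIN))
```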

Using ACLs on managed system groups


The default permissions on managed system groups grant read access to all users. As an administrator, you may want to remove the Read permission to restrict operators to specific managed system groups.

Before you begin


The following example shows how the administrator, csscadm, can use an ACL to remove the Read permission from certain managed system groups for certain operators.

To set permissions for a managed system group in an access control list

1 Start PATROL Central.
2 Connect to the Console Server using the csscadm account.
3 In the navigation area, select the Administration tab and Permissions subtab.
4 Expand the Managed Systems group folder and select the subfolder for the managed system group for which you want to set permissions.
5 In the results pane, remove any existing access control list by selecting Inherit permissions from parent object.
6 Select Allow or deny permissions to the following groups and users.
7 Click Add Groups... and locate the group for which you want to deny Read permission.
8 Click OK. The user group is added to the list in the results pane.
9 In the results pane, select the user group you just added and select Denied from the Read dropdown menu.
10 Click Apply Changes.

Using ACLs on KM products


You can use ACLs to grant or deny permissions on the basis of a complete KM product, not just an application class of the KM product. For example, a PATROL Console Server administrator can designate the users who can load the PATROL KM for Microsoft Windows Operating System product or the PATROL KM for UNIX product, rather than using ACLs only to set permissions on application classes of those particular products.

Before you begin


The following example shows how the administrator, csscadm, can use an ACL to give one named user permission to see the PATROL Performance Monitor Wizard KM. This example assumes the PATROL Performance Monitor Wizard KM is installed on the Console Server 7.5 or later version computer and that two users, csop1 and csop2, are active users.

To set permissions for a Knowledge Module in an access control list

1 Start PATROL Central.
2 Load the Operator console module, and connect to the Console Server using the csscadm account.
3 Use the management profile you created in the previous scenario for Using ACLs on menu commands on page 124.
4 Load the Administration console module and connect to the Console Server using the csscadm account.
5 In the navigation area, select the Administration tab and Permissions subtab.
6 Expand the Knowledge Module group folder and click the PATROL Perform Wizard folder to open the Permissions for PATROL Knowledge Module for Perform Wizard results pane.

NOTE
The KM products displayed in the navigation tree are based on the KM resource files that have been installed on the PATROL Console Server using the Common Services option. If you have not installed KM products on the PATROL Console Server using the Common Services option, then you will not see any KM products listed in the navigation pane. When you install the KM product, make sure you select the Common Services option in the Select System Roles page of the installation.

7 In the results pane, remove any existing access control list by selecting Inherit permissions from parent object.
8 Click Add Users... and locate the csop2 user. (Do not select csop1.)
9 Select the csop2 user to add it to the list of users to be added.
10 Click OK to add the user.
11 In the Permissions for PATROL Knowledge Module for Perform Wizard results pane, select Allow from the Read dropdown menu.
12 Click Apply Changes.


With this setting, only csop2 will see the Performance Perfmon Wizard and the WMI Wizard, which are components of the PATROL Perform Wizard KM. All other users will not be able to see the wizards.

Using ACLs on menu commands


You can use ACLs to grant or deny permissions to a user or a group of users to invoke a menu command for a specific KM application instance. For example, a user may have permission to execute a certain menu command on a test system instance but not on the production system instance running on the same managed system computer.

NOTE
Some KMs define menu items that appear on the computer object in a management profile. For PATROL Agent versions earlier than 3.6.50, there is no way to restrict access to these menu items with ACLs on KM products. Starting with PATROL Agents 3.6.50 or later, users who do not have access to a particular KM product will not see that product's menu items on computer objects in a management profile.

Before you begin


The following example shows how the administrator, csscadm, can use an ACL to deny one named user permission to use the Create New Object menu command but still make the menu command available to another user. This example assumes the KM products of interest are installed on the Console Server 7.5 or later version computer and that two users, csop1 and csop2, are active users.

To set menu permissions in an access control list

1 Start PATROL Central.
2 Load the Operator console module, and connect to the Console Server using the csscadm account.
3 If a management profile has not yet been created, create management profile profile1 and load the KM products, such as NT_LOAD.kml.
4 Load the Administration console module and connect to the Console Server using the csscadm account.
5 In the navigation area, select the Administration tab and Permissions subtab.
  You will see the Knowledge Module, Managed System Groups, and Managed Systems folders. These are all the objects in which a menu command ACL can be created.
6 In the navigation tree, expand the Managed Systems folder.
7 Expand a managed system folder, such as PATROL_AGENT_agent1_3181, and locate a KM, such as NT_SERVICES, on which you want to set permissions for menu commands.
8 Right-click the NT_SERVICES folder, choose Add object not listed, and type __menus__.
  Note: use double underscores before and after menus. The __menus__ folder is created under NT_SERVICES.
9 Right-click the __menus__ folder, choose Add object not listed, and type Configure Service Monitoring, which is the menu command to which you are denying all users access. The Configure Service Monitoring folder is now created under __menus__.
10 Click the Configure Service Monitoring folder to bring up the Permissions results pane.
11 Click Add Users... and locate the csop1 user. (Do not select csop2.)
12 Select the csop1 user to add it to the list of users to be added.
13 Click OK to add the user.
14 In the Permissions results pane, select Denied from the Read dropdown menu.
15 Click Apply Changes.

With this setting, csop1 and any other regular Console Server user will not be able to use the Configure Service Monitoring menu command on PATROL Agent agent1. Only csop2 will have access to this menu command on agent1. With this setting, when the user for csop1 account connects to agent1, the Configure Service Monitoring command will not be available on the Knowledge Module Commands menu. However, when the user for csop2 account connects to agent1, the command will be available.

Chapter 5

Configuring the PATROL Central Console environment

This chapter provides information for PATROL administrators about configuring the PATROL environment for PATROL Central Operator and starting programs, including the Web server. This chapter discusses the following topics:

Starting and stopping related programs
Starting and stopping the RTserver
Starting and stopping the PATROL Agent
Starting and stopping the PATROL Console Server
Managing services on Windows
Starting and stopping PATROL Central Operator Web Edition
Starting and stopping PATROL Central Operator Web Edition on Windows
Starting and stopping PATROL Central Operator Web Edition on UNIX
Verifying the installation and execution of the Web server and related components
Changing Web server ports after installation
Changing Tomcat standalone Web server ports
Changing Apache web server ports
Changing IIS web server ports
Changing the Java plug-in version after installation
Where to go from here

Starting and stopping related programs


This section contains the basic steps for starting and stopping the following related programs in the PATROL 7.x architecture and verifying that they are running:

- RTserver
- PATROL Agent
- PATROL Console Server

Starting and stopping the RTserver


By default, the RTserver is started automatically as a service when you install it. However, you can start it manually. This task describes how to start the RTserver on both Windows and UNIX and verify that it is running.

NOTE
For more information on starting the RTserver, see the PATROL Console Server and RTserver Getting Started.

Execution of RTserver on Windows


Start, stop, or verify the execution of the SmartSockets RTserver service. For more information, see Managing services on Windows on page 131.

To manually start the RTserver on UNIX

1 Change to the $BMC_ROOT/common/smartsockets directory.
2 Enter the following command:
    ./start_rtserver.sh

To verify that RTserver is running on UNIX

1 Enter the following command:
    ps -ef | grep rtserver
2 Look for the rtserver process.

To stop RTserver on UNIX

1 Change to the $BMC_ROOT/common/smartsockets directory.
2 Enter the following command:
    ./stop_rtserver.sh

Starting and stopping the PATROL Agent


By default, the PATROL Agent is started automatically as a service when you install it. However, you can start it manually. This task describes how to start the PATROL Agent on both Windows and UNIX and verify that it is running.

NOTE
For more information on starting the PATROL Agent, see the PATROL Agent Reference Manual. You must enable the PATROL Agent to communicate with the RTserver before you can use PATROL Central Operator to monitor it. For more information, see PATROL Console Server and RTserver Getting Started.

Execution of the PATROL Agent on Windows


Start, stop, or verify the execution of the PatrolAgent service. For more information, see Managing services on Windows on page 131.

To manually start the PATROL Agent on UNIX

1 Change to the $BMC_ROOT/Patrol3 directory.
2 Enter the following command:
    ./PatrolAgent

To verify that the PATROL Agent is running on UNIX

1 Enter the following command:
    ps -ef | grep PatrolAgent
2 Look for the PatrolAgent process.

To stop the PATROL Agent on UNIX

1 Type the following at the command line:
    ps -ef | grep PatrolAgent
2 Identify the process ID number of the PATROL Agent that you would like to shut down from the list.
3 Type the following command, where process_ID_number is the process ID number of the PATROL Agent.
    kill process_ID_number

Starting and stopping the PATROL Console Server


By default, the PATROL Console Server is started automatically as a service when you install it. However, you can start it manually. This task describes how to start PATROL Console Server on both Windows and UNIX and verify that it is running.

NOTE
For more information on starting PATROL Console Server, see the PATROL Console Server and RTserver Getting Started.

Execution of the PATROL Console Server on Windows


Start, stop, or verify the execution of the PATROL Console Server service. For more information, see Managing services on Windows on page 131.

To manually start the PATROL Console Server on UNIX

1 Change to the $PATROL_ROOT directory.
2 Enter the following command:
    ./start_cserver.sh

To verify that PATROL Console Server is running on UNIX

1 Enter the following:
    ps -ef | grep cserver
2 Look for the cserver process.

To stop the PATROL Console Server on UNIX

1 Change to the $PATROL_ROOT directory.
2 Enter the following command:
    ./stop_cserver.sh

Managing services on Windows


On Windows, you use the Services dialog box to start, stop, and verify the execution of services.

To open the Services dialog box on Windows 2003

1 For Windows 2003, choose Start => Control Panel => Administrative Tools.
2 Click the Services icon.

To open the Services dialog box on Windows 2008 and 2008 R2

1 For Windows 2008 and 2008 R2, choose Start => Administrative Tools.
2 Click the Services icon.

To start a service

1 Open the Services dialog box.
2 Select the name of the service.
3 Choose Action => Properties, then click Start.

To verify that a service is running

1 Open the Services dialog box.
2 Look at the status of the service.

To stop a service

1 Open the Services dialog box.
2 Select the name of the service.
3 Choose Action => Properties, then click Stop.

Starting and stopping PATROL Central Operator Web Edition


This section contains the basic steps for starting, stopping, and verifying the execution of PATROL Central Operator Web Edition, the Web servers, and the Tomcat servlet container. The procedure to start and stop PATROL Central Operator Web Edition will depend on the following choices:
- the operating system on the computer where PATROL Central Operator Web Edition resides
- the web server with which you integrate PATROL Central Operator Web Edition
- if you are using Windows, whether you elected during installation to start the Tomcat servlet container as a service

NOTE
These procedures refer to the webcentral sub-directory of $BMC_ROOT. This directory is WebCentral on Windows, and webcentral on UNIX. For more information, see Installation directory on page 33.

Starting and stopping PATROL Central Operator Web Edition on Windows


This task describes how to start PATROL Central Operator Web Edition on Windows when installed with the IIS or Tomcat standalone Web servers. When installing PATROL Central Operator Web Edition on Windows, you can elect to either start the Tomcat servlet container as a service, or to start it manually. When starting PATROL Central Web Edition, the Web server and the Tomcat servlet container are also started.

Starting and stopping PATROL Central Operator Web Edition when installed with IIS
This task describes how to start PATROL Central Operator Web Edition and the Tomcat servlet container. You must start the Tomcat servlet container and IIS separately.

To start PATROL Central Operator if you installed it as a service


When you installed PATROL Central Operator, if you did not elect to start the Tomcat servlet container as a service, the PATROLCentral-WebEdition service will not appear in the list of services located in the Windows Services dialog. If the PATROLCentral-WebEdition service does not appear in the list of services, you can manually start the Tomcat servlet container. Start, stop, or verify the execution of the PATROLCentral-WebEdition service. For more information, see Managing services on Windows on page 131.

To manually start PATROL Central Operator if you installed it as a command line application
Run %BMC_ROOT%\WebCentral\apache-tomcat\bin\pwcstart.bat.

To start IIS
For information on starting, stopping, and verifying the execution of IIS, see the documentation for that product.

Starting and stopping PATROL Central Operator Web Edition when installed with Tomcat standalone on Windows
This task describes how to start PATROL Central Operator Web Edition, the Tomcat standalone Web server, and the Tomcat servlet container on Windows. You run the Tomcat standalone Web server and Tomcat servlet container together.

To start PATROL Central Operator if you installed it as a service


When you installed PATROL Central Operator Web Edition, if you did not elect to start the Tomcat servlet container as a service, the PATROLCentral-WebEdition service will not appear in the list of services located in the Windows Services dialog. If the PATROLCentral-WebEdition service does not appear in the list of services, you can manually start the Tomcat servlet container. Start, stop, or verify the execution of the PATROLCentral-WebEdition service. For more information, see Managing services on Windows on page 131.

To manually start PATROL Central Operator if you installed it as a command line application
Run %BMC_ROOT%\WebCentral\apache-tomcat\bin\pwcstart.bat.

NOTE
By default, the service type for the PATROLCentral Web Edition service is Automatic. However, if you changed it to Manual during other PATROL component installation, the service is restarted regardless of the service type.

Starting and stopping PATROL Central Operator Web Edition on UNIX


This task describes how to start PATROL Central Operator Web Edition on UNIX when installed with the Apache or Tomcat standalone Web servers. Starting PATROL Central Operator Web Edition will also start the Web server, and the Tomcat servlet container.


Starting and stopping PATROL Central Operator Web Edition when installed with Apache or Tomcat standalone
You control the execution of PATROL Central Operator Web Edition, the Apache or Tomcat standalone Web servers, and the Tomcat servlet container together. This task describes how to start and stop them.

To start or stop PATROL Central Operator on UNIX

1 Change to the root user.

2 Change to the $BMC_ROOT/webcentral/bin directory.

3 Enter the ./pwcctl command, followed by the appropriate command line option from the table below.

| Option | Description |
| --- | --- |
| start | This option starts the Web server. |
| stop | This option stops the Web server. |
| status | This option checks the status of the ports used by the Web server. |

Verifying the installation and execution of the Web server and related components
You can verify that the Web Server, Tomcat servlet container, RTserver, and PATROL Console Server are running by viewing the URLs in the table below. In the URL to view, hostname is the name of the Web site. Typically, this is the name of the computer on which the Web server for PATROL Central is running. If the Web server is not using the default port for HTTP, include the port number in the URL. For example, if the Web server myserver is using port 8080, view the URL http://myserver:8080.
| What to verify | URL to view | Comments |
| --- | --- | --- |
| Is the Web server running? | http://hostname | If the default page for the Web server is displayed, the Web server is running. |
| Is HTTPS active for the Web server? | https://hostname | If the default page for the Web server is displayed, HTTPS is active. |
| Is the Tomcat servlet container running? | http://hostname/patrol | If the PATROL Central page is displayed, the Tomcat servlet container is running. |
| Are the RTserver and PATROL Console Server available? | | Check the RTserver and PATROL Console Server status by clicking the expand button on the login dialog. |


Changing Web server ports after installation

There are many reasons why you may want to change the default port numbers after installation. You may want to change the Web server port numbers because of possible firewall restrictions, or because an existing web server already uses the PATROL Central Operator default Web server ports. This section provides instructions to change the IIS, Apache, and Tomcat standalone Web server port numbers after installation of PATROL Central Operator Web Edition. In all cases, the Tomcat servlet container is installed and used with the Web servers. For more information about the default Web server ports that are used by PATROL Central Operator Web Edition, see Required information for installing PATROL Central Operator Web Edition on page 33.

Before you begin


- Ensure all users are logged off of PATROL Central Web Edition.
- Shut down PATROL Central Web Edition. For more information, see Starting and stopping PATROL Central Operator Web Edition on page 132.

Changing Tomcat standalone Web server ports


If you are using the Tomcat standalone Web server, then Tomcat, including the Tomcat servlet container, is installed and used with PATROL Central Operator Web Edition. For more information about running PATROL Central Operator with Tomcat standalone, see Considerations for determining which Web server to use on page 29. You must complete the following steps and change port numbers in the following files:

- shut down PATROL Central
- change the pwcctl file
- change the server.xml file
- change the startup.cfg file
- restart PATROL Central

To shut down PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.

To change the pwcctl File


You must be logged in as the user who installed PATROL Central Web Edition. If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the pwcctl file, which is located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/bin/pwcctl

2 Open the pwcctl file.

3 Change the HTTP_PORT value from the default port number value (shown as 80 in the following example) to the new port number.

4 Change the HTTPS_PORT value (shown as 443 in the following example) to the new port number.

5 Change the SHUTDOWN_PORT value (shown as 8005 in the following example) to the new port number.

HTTP_PORT=80
HTTPS_PORT=443
SHUTDOWN_PORT=8005

To change the server.xml file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the server.xml file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/conf/server.xml

2 Open the server.xml file.

3 Change the Shutdown value (shown as 8005 in the following example) from the default to the new port number.

<Server port="8005" shutdown="SHUTDOWN" debug="0">
...
...

4 Change the non-SSL HTTP Connector value (shown as 80 in the following example) to the new port number.

5 Change the redirect port value (shown as 443 in the following example) from the default to the new port number.

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="80" minProcessors="5" maxProcessors="75"
    enableLookups="true" redirectPort="443"
    acceptCount="100" debug="0" connectionTimeout="20000"
    useURIValidationHack="false" disableUploadTimeout="true"/>

6 Change the SSL HTTP Connector value (shown as 443 in the following example) to the new port number.

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">

To change the startup.cfg File


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the startup.cfg file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/startup.cfg

2 Open the startup.cfg file.

3 Change the httpsPort value from the default port number value (shown as 443 in the following example) to the new port number.

#
# HTTPS Port
#
# This is the port used for HTTPS by the web server, whether it be IIS,
# Apache, Tomcat standalone, or another server. The port is communicated
# to the browser so that it can use HTTPS for secure communication.
#

httpsPort=443

For more information about the startup.cfg file, see Appendix C, Modifying initialization settings after installation.


To restart PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.

Changing Apache web server ports


If you are using the Apache Web server, both Apache and the Tomcat servlet container are installed and used with PATROL Central Operator Web Edition. For more information about running PATROL Central Operator with Apache, see Considerations for determining which Web server to use on page 29. You must complete the following steps and change port numbers in the following files:

- shut down PATROL Central
- change the pwcctl.sh file
- change the workers.properties file
- change the server.xml file
- change the startup.cfg file
- change the httpd.conf file
- restart PATROL Central

To shut down PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.

To change the pwcctl file


You must be logged in as the user who installed PATROL Central Web Edition. If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the pwcctl file located in the following directory:

$BMC_ROOT/webcentral/bin/pwcctl

2 Open the pwcctl file.

3 Change the HTTP_PORT value from the default port number value (shown as 80 in the following example) to the new port number.

4 Change the HTTPS_PORT value (shown as 443 in the following example) to the new port number.

5 Change the AJP13_PORT value (shown as 8009 in the following example) to the new port number.

6 Change the SHUTDOWN_PORT value (shown as 8005 in the following example) to the new port number.

HTTP_PORT=80
HTTPS_PORT=443
AJP13_PORT=8009
SHUTDOWN_PORT=8005

To change the workers.properties file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the workers.properties file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/conf/workers.properties

2 Open the workers.properties file.

3 Change the worker.ajp13.port value (shown as 8009 in the following example) to the new port number.

# Defining a worker named ajp13 and of type ajp13
# Note that the name and the type do not have to
# match.
#
worker.ajp13.port=8009

To change the server.xml file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the server.xml file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/conf/server.xml

2 Open the server.xml file.

3 Change the Shutdown value (shown as 8005 in the following example) from the default to the new port number.

<Server port="8005" shutdown="SHUTDOWN" debug="0">
...
...

4 Change the AJP Connector value (shown as 8009 in the following example) to the new port number.

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
    port="8009" minProcessors="5" maxProcessors="75"
    acceptCount="10" debug="0"/>

To change the startup.cfg file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the startup.cfg file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/startup.cfg

2 Open the startup.cfg file.

3 Change the httpsPort value from the default port number value (shown as 443 in the following example) to the new port number.

#
# HTTPS Port
#
# This is the port used for HTTPS by the web server, whether it be IIS,
# Apache, Tomcat standalone, or another server. The port is communicated
# to the browser so that it can use HTTPS for secure communication.
#

httpsPort=443

For more information about the startup.cfg file, see Appendix C, Modifying initialization settings after installation.


To change the httpd.conf file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the httpd.conf file located in the following directory:

$BMC_ROOT/common/apache/apache.2/operating_system/conf

In the directory above, operating_system represents the operating system on which Apache is installed. For example, if Apache is installed on Linux, the directory is $BMC_ROOT/common/apache/apache.2/linux-2-4-x86-nptl/conf.

2 Open the httpd.conf file.

3 Change the HTTPD value (shown as 80 in the following example) from the default to the new port number.

# Port: The port to which the standalone server
# listens. For ports < 1023, you will need httpd to
# be run as root initially.
#
Port 80

4 Change the SSL HTTP value (shown as 80 in the following example) to the new port number.

5 Change the SSL HTTPS value (shown as 443 in the following example) to the new port number.

##
## SSL Support
##
## When we also provide SSL we have to listen to the standard HTTP port (see above) and to the HTTPS port

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

6 Change the SSL VirtualHost _default_ value (shown as 443 in the following example) to the new port number.

## SSL Virtual Host Context
<VirtualHost _default_:443>


To restart PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.

Changing IIS web server ports


If you are using the IIS Web server, both IIS and the Tomcat servlet container are installed and used with PATROL Central Operator Web Edition. For more information about running PATROL Central Operator with IIS, see Considerations for determining which Web server to use on page 29. Use Internet Services Manager to change the port values in IIS. For information about changing the default web server ports in IIS, see the documentation for that product. You must complete the following steps and change port numbers in the following files:

- shut down PATROL Central
- change port numbers in IIS
- change the workers.properties file
- change the server.xml file
- change the startup.cfg file
- restart PATROL Central

To shut down PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.

To change port numbers in IIS


Use Internet Services Manager to change the port values in IIS. For information about changing the default web server ports in IIS, see the documentation for that product.

To change the workers.properties file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the workers.properties file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/conf/workers.properties

2 Open the workers.properties file.

3 Change the worker.ajp13.port value (shown as 8009 in the following example) to the new port number.

# Defining a worker named ajp13 and of type ajp13
# Note that the name and the type do not have to
# match.
#
worker.ajp13.port=8009

To change the server.xml file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the server.xml file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/conf/server.xml

2 Open the server.xml file.

3 Change the Shutdown value (shown as 8005 in the following example) from the default to the new port number.

<Server port="8005" shutdown="SHUTDOWN" debug="0">
...
...

4 Change the non-SSL HTTP Connector value (shown as 80 in the following example) to the new port number.

5 Change the redirect port value (shown as 443 in the following example) from the default to the new port number.

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="80" minProcessors="5" maxProcessors="75"
    enableLookups="true" redirectPort="443"
    acceptCount="100" debug="0" connectionTimeout="20000"
    useURIValidationHack="false" disableUploadTimeout="true"/>

6 Change the SSL HTTP Connector value (shown as 443 in the following example) to the new port number.

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">

7 Change the AJP Connector value (shown as 8009 in the following example) to the new port number.

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
    port="8009" minProcessors="5" maxProcessors="75"
    acceptCount="10" debug="0"/>

To change the startup.cfg file


If you change the port number values in this file, make sure you change the value to match it in the other files listed in this procedure.

1 Back up the startup.cfg file located in the following directory:

$BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/startup.cfg

2 Open the startup.cfg file.

3 Change the httpsPort value from the default port number value (shown as 443 in the following example) to the new port number.

#
# HTTPS Port
#
# This is the port used for HTTPS by the web server, whether it be IIS,
# Apache, Tomcat standalone, or another server. The port is communicated
# to the browser so that it can use HTTPS for secure communication.
#

httpsPort=443

For more information about the startup.cfg file, see Appendix C, Modifying initialization settings after installation.


To restart PATROL Central Web Edition


For instructions, see Starting and stopping PATROL Central Operator Web Edition on page 132.
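
The Tomcat standalone, Apache, and IIS procedures above all require that a changed port carry the same value in every file. The following is an added example, not part of the BMC documentation or product: it reads whichever of those files are supplied and reports each port whose value differs between them. The sample file contents, the role names (http, https, ajp, shutdown), and the rule used to classify Listen lines are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Which KEY=value setting in which file carries which port role
# (setting names are the ones shown in the procedures above).
KEY_ROLES = {
    "pwcctl": {"HTTP_PORT": "http", "HTTPS_PORT": "https",
               "AJP13_PORT": "ajp", "SHUTDOWN_PORT": "shutdown"},
    "workers.properties": {"worker.ajp13.port": "ajp"},
    "startup.cfg": {"httpsPort": "https"},
}


def _assignments(text):
    """Return numeric KEY=value settings; lines starting with '#' never match."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w.]*)\s*=\s*(\d+)\s*$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def collect_ports(files):
    """files maps a file name to its text. Returns {role: {source: port}}."""
    seen = {}

    def note(role, source, port):
        if port is not None:
            seen.setdefault(role, {})[source] = int(port)

    for name, keys in KEY_ROLES.items():
        values = _assignments(files.get(name, ""))
        for key, role in keys.items():
            note(role, f"{name}:{key}", values.get(key))

    if "server.xml" in files:
        root = ET.fromstring(files["server.xml"])
        note("shutdown", "server.xml:Server port", root.get("port"))
        for conn in root.iter("Connector"):
            if "Ajp13Connector" in conn.get("className", ""):
                note("ajp", "server.xml:AJP Connector port", conn.get("port"))
            elif conn.get("scheme") == "https":
                note("https", "server.xml:SSL Connector port", conn.get("port"))
            else:
                note("http", "server.xml:HTTP Connector port", conn.get("port"))
                note("https", "server.xml:HTTP Connector redirectPort",
                     conn.get("redirectPort"))

    if "httpd.conf" in files:
        conf = re.sub(r"(?m)^\s*#.*$", "", files["httpd.conf"])  # drop comment lines
        port = re.search(r"(?mi)^\s*Port\s+(\d+)\s*$", conf)
        vhost = re.search(r"(?i)<VirtualHost\s+_default_:(\d+)\s*>", conf)
        if port:
            note("http", "httpd.conf:Port", port.group(1))
        if vhost:
            note("https", "httpd.conf:VirtualHost _default_", vhost.group(1))
        # Assumed rule: the Listen that equals the SSL virtual host port is the
        # HTTPS listener; every other Listen is compared against the HTTP port.
        for p in re.findall(r"(?mi)^\s*Listen\s+(?:\S+:)?(\d+)\s*$", conf):
            role = "https" if vhost and p == vhost.group(1) else "http"
            note(role, f"httpd.conf:Listen {p}", p)
    return seen


def find_mismatches(files):
    """Roles whose port differs between files, with every place it was read from."""
    return {role: sources for role, sources in collect_ports(files).items()
            if len(set(sources.values())) > 1}


# Constructed sample (Apache layout): HTTPS was moved to 8443 and AJP to 8109,
# but startup.cfg and workers.properties still hold the default values.
SAMPLE = {
    "pwcctl": "HTTP_PORT=80\nHTTPS_PORT=8443\nAJP13_PORT=8109\nSHUTDOWN_PORT=8005\n",
    "workers.properties": "# Defining a worker named ajp13\nworker.ajp13.port=8009\n",
    "server.xml": """<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="sample">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8109"
               minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"/>
  </Service>
</Server>""",
    "startup.cfg": "# HTTPS Port\nhttpsPort=443\n",
    "httpd.conf": ("# Port 80 is the default\nPort 80\n<IfDefine SSL>\nListen 80\n"
                   "Listen 8443\n</IfDefine>\n<VirtualHost _default_:8443>\n"
                   "</VirtualHost>\n"),
}

if __name__ == "__main__":
    for role, sources in find_mismatches(SAMPLE).items():
        print(f"{role} port is inconsistent:")
        for source, value in sorted(sources.items()):
            print(f"  {source} = {value}")
```

To run it against an installation, read the files from the directories named in the procedures into the dictionary in place of SAMPLE; an empty result means every port it found agrees across the files supplied.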

Changing the Java plug-in version after installation


PATROL Central Operator Web Edition version 7.8.10 is installed and certified with JRE 1.6.0_20 and supports any higher version. Multiple versions of the JRE can coexist on the same client computer. This task describes how to change the JRE on the client computer after installation. For more information, see About the Java plug-in on page 66.

NOTE
Using versions other than those listed in the Web Browser Requirements table on page 66 may cause problems in PATROL Central Operator.

WARNING
You can change the JRE version on the client computer only. Do not change the JRE version on the computer where you have installed PATROL Central Web Edition.

To change Java plug-in version on Windows

1 Download the desired version of the JRE from the following URL:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

2 Download and follow the instructions provided on the JRE download page to install the new JRE.

3 Close all browser windows.

4 Open the Windows Control Panel by selecting Start => Settings => Control Panel.

5 Double-click the Java Plug-in icon to open the Java Control Panel.


6 From the Advanced tab, select the desired JRE version from the Java Runtime Environment drop down list. The default is the last JRE version installed.

7 Select Apply, and close the Java Console.

To change Java plug-in version on RedHat Linux

1 Download the desired version of the JRE from the following URL:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

2 Download and follow the instructions provided on the JRE download page to install the new JRE.

3 Execute the following commands.

chmod +x j2re-<version>-linux-i586.bin
./j2re-<version>-linux-i586.bin

4 Close all browser windows.

5 Log in as root and change the directory to MOZILLA_HOME/plugins or FIREFOX_HOME/plugins.

6 Check for either a link to the libjavaplugin_oji.so library or whether the library file exists in the plugins directory.

A If a link to the libjavaplugin_oji.so library already exists in the directory, remove the link using the following command:

rm libjavaplugin_oji.so

B If the libjavaplugin_oji.so library file resides in the plugins directory, back up the library using the following command:

mv libjavaplugin_oji.so bak_libjavaplugin_oji.so

7 Create a soft link to the new plug-in using the following command:

ln -s <JRE>/plugin/i386/ns610-gcc32/libjavaplugin_oji.so libjavaplugin_oji.so


To change Java plug-in version on UNIX

1 Download the desired version of the JRE from the following URL:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

2 Download and follow the instructions provided on the JRE download page to install the new JRE.

3 Execute the following commands:

chmod +x j2re-<version>-solaris*.sh
./j2re-<version>-solaris*.sh

4 Close all browser windows.

5 Log in as root and change the directory to MOZILLA_HOME/plugins or FIREFOX_HOME/plugins.

6 Check for either a link to the libjavaplugin_oji.so library or whether the library file exists in the plugins directory.

A If a link to the libjavaplugin_oji.so library already exists in the directory, remove the link using the following command:

rm libjavaplugin_oji.so

B If the libjavaplugin_oji.so library file resides in the plugins directory, back up the library using the following command:

mv libjavaplugin_oji.so bak_libjavaplugin_oji.so

7 Create a soft link to the new plug-in using the following command:

ln -s <JRE>/plugin/sparc/ns610/libjavaplugin_oji.so libjavaplugin_oji.so

Where to go from here


| For information about this topic | See |
| --- | --- |
| monitoring and managing with PATROL Central Operator | Chapter 3, Monitoring your enterprise with PATROL Central Operator |
| using both PATROL 3.x console and PATROL Central Operator, or moving from a PATROL 3.x console | Chapter 6, Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x |


Chapter 6

Information for users of PATROL Console for Microsoft Windows 3.x or PATROL Console for UNIX 3.x

This chapter contains information for PATROL Central console users who are familiar with, or will also use, a 3.x version of PATROL Console for Microsoft Windows or PATROL Console for UNIX.

NOTE
A PATROL 3.x console refers to a 3.x version of PATROL Console for Microsoft Windows or PATROL Console for UNIX. Also, because most of the information related to moving from a PATROL 3.x console applies to both the Windows and Web Editions of PATROL Central Operator, this chapter addresses both editions. Unless otherwise noted, the information in this chapter applies to both the Windows and Web Editions of PATROL Central Operator.

This chapter contains the following topics:

- Compatibility and functionality
  - PATROL Agent compatibility
  - KM compatibility
  - Developer functionality
- Differences between PATROL 3.x Consoles and PATROL Central Operator
  - Communications with managed systems
  - Session and desktop files versus management profiles
  - Terminology
  - User administration
  - User names and passwords for managed systems
  - Computer name and port number versus managed system name
  - Event types
  - Overrides versus customizations
  - State change actions
  - KM version arbitration
  - Chart history
  - Location of task icons
  - KM in the PATROL object namespace
  - Running menu commands and InfoBox commands
  - Migrating console information from PATROL Console for Windows or PATROL Console for UNIX


Compatibility and functionality


This section describes important facts that you need to know before moving from a PATROL 3.x console to PATROL Central Operator.

TIP
You can use both PATROL 3.x consoles and PATROL Central in the same PATROL environment.

PATROL Agent compatibility


To use PATROL Central Operator, you must use the three tier architecture for PATROL, which requires any supported version of PATROL Agent.

KM compatibility
PATROL Central Operator is compatible with currently supported KMs. You can continue to use the same KMs that you used with a PATROL 3.x console. However, if a KM requires files (such as online Help, icons or executable files) on the PATROL Console Server or the console computer, features that use those files will not work until the files are installed in the appropriate locations. Also, menu commands that contain %MODES%local are disabled in the Web Edition of PATROL Central Operator because it is not possible to run an external command on the local machine which is hosting the web browser.

Developer functionality
The PATROL Central console currently has no console module with KM developer functionality. To develop new KMs or make major changes to a KM, continue using a PATROL 3.x console. There are also several methods for customizing parameter thresholds and alarm ranges. For example, you can use the PATROL Knowledge Module for Event Management to customize the KMs and then use PATROL Configuration Manager to apply those changes to multiple PATROL Agents, or you can customize KM objects and multiple instances of a parameter in PATROL Central Operator Microsoft Windows Edition. For more information about the PATROL KM for Event Management and PATROL Configuration Manager, see the PATROL Knowledge Module for Event Management User Guide and the PATROL Configuration Manager User Guide. For more information on customizing KM objects in PATROL Central Operator Microsoft Windows Edition, see the online Help.

Differences between PATROL 3.x Consoles and PATROL Central Operator


This section describes the primary differences between PATROL Console for Microsoft Windows and PATROL Console for UNIX (PATROL 3.x consoles) and PATROL Central Operator. Many of the differences arise because the PATROL 3.x consoles and PATROL Central Operator use different infrastructure architectures. For a description of the PATROL architecture, see the PATROL Fundamentals online Help.

| Difference | Reference |
| --- | --- |
| Communications with managed systems | page 155 |
| Session and desktop files versus management profiles | page 155 |
| Terminology | page 155 |
| User administration | page 156 |
| User names and passwords for managed systems | page 156 |
| Computer name and port number versus managed system name | page 156 |
| Event types | page 157 |
| Overrides versus customizations | page 157 |
| State change actions | page 157 |
| KM version arbitration | page 158 |
| Chart history | page 158 |
| Location of task icons | page 158 |
| KM in the PATROL object namespace | page 158 |
| Running menu commands and InfoBox commands | page 159 |
| Migrating console information from PATROL Console for Windows or PATROL Console for UNIX | page 159 |


Communications with managed systems


PATROL 3.x consoles communicate directly with managed systems. PATROL Central Operator uses an RTserver cloud and PATROL Console Server to communicate with managed systems.

Session and desktop files versus management profiles


PATROL 3.x consoles store console information, such as which managed systems and PATROL KMs are loaded, in session and desktop files. These files are stored on the console computer and can be accessed from only that computer. PATROL Central Operator stores console information in a management profile on the PATROL Console Server. A management profile can be accessed from any installation of PATROL Central Operator with access to that PATROL Console Server. Also, changes to your management profile are saved automatically as you make them. For instructions on migrating a desktop file to a management profile, see PATROL Console Migration Tool Release Notes.

Terminology
Table 11 lists terms that are different between PATROL 3.x consoles and PATROL Central Operator.

Table 11 Terminology differences between PATROL 3.x Consoles and PATROL Central Operator

| PATROL 3.x consoles term | PATROL Central Operator term | Comments |
| --- | --- | --- |
| agent, host | managed system | A managed system is a computer that is running the PATROL Agent software. |
| agent query | managed system query | This change corresponds to the change from agent to managed system. |
| alarm (state) | critical (state) | The alarm state in PATROL 3.x architecture is the critical state in PATROL 7.x architecture. However, the term alarm is still used when referring to undesirable situations without indicating a specific object state, as in alarm ranges, snoozing an alarm, or responding to an alarm. |
| QuickQuery | Simple Managed System Query | This change corresponds to the change from agent to managed system. |

User administration
For PATROL 3.x consoles, a user's access to functionality is controlled by the patrol.conf and ptrlroles.txt files and by the ptrldev and patroldev groups, as well as the mode of the console (developer or operator). For PATROL Central Operator, a user's access to functionality is controlled by rights and permissions set for groups and users in PATROL Central Administration.

User names and passwords for managed systems


For PATROL 3.x consoles, user names and passwords for managed systems are stored on the console computer in the desktop and session files. After you enter the account information once, you do not have to enter it again when you open that desktop or session. However, if you use a different console, you must re-enter the account information. For PATROL Central Operator, user names and passwords for managed systems are not stored in the management profile (the corresponding item for a desktop or session file). If you enter account information in PATROL Central Operator, it is not remembered the next time you open the PATROL Central Operator console. However, an administrator can set up aliases and impersonations on the PATROL Console Server using PATROL Central Administration. If the aliases and impersonations are set up correctly, you can open any management profile without being challenged for account information.

Computer name and port number versus managed system name


When specifying a managed system (computer) in PATROL 3.x consoles, you provide both a computer name and a port number as two fields. When specifying a managed system in PATROL Central Operator, you select the managed system name. By default, the name of a managed system is a combination of the computer name and the port number that the PATROL Agent uses. For example, if the computer name is starfish and the PATROL Agent is running on the default port of 3181, then the name of the managed system is starfish_3181.

Event types
Table 12 lists the event types in PATROL 3.x consoles and the equivalent event types in PATROL Central Operator.

Table 12 Event types for PATROL 3.x consoles versus PATROL Central Operator

Event type in PATROL 3.x consoles: info, state change, error, warning, alarm
Event type in PATROL Central Operator: info, warning, critical

Overrides versus customizations


In PATROL 3.x consoles, changes that you make to an object, such as changes to the alarm ranges of a parameter, are called overrides. In PATROL Central Operator, these changes are called customizations. For more information, see the PATROL Agent Reference Manual and the PATROL Central Operator Microsoft Windows Edition online Help.

State change actions


A state change action is a set of commands that are executed on the console (or PATROL Console Server) computer when an object changes state. In PATROL 3.x consoles, a state change action is stored as part of a PATROL KM and is executed on only the console computer. State change actions can be defined globally and locally at the managed system and application instance levels. In the Windows Edition of PATROL Central Operator, state change actions are stored in the management profile. State change actions can be defined for any parameter, application instance, application class, managed system, and folder; but they cannot be defined globally. First, you save the actual commands as an action method. Then you assign action methods to individual objects and states. State change actions can execute on either the console computer or the PATROL Console Server. They are executed only when the corresponding management profile is open. State change actions stored in a PATROL KM are not executed in PATROL Central Operator.

KM version arbitration
For PATROL 3.x consoles, KMs are stored on both the managed system running the PATROL Agent and on the console computer. How the PATROL Agent and PATROL 3.x console reconcile different versions of a single KM is called KM version arbitration. For specific information on KM version arbitration, see PATROL Console for Unix User Guide or PATROL Console for Microsoft Windows Unix User Guide, Volume 1.

Chart history
In PATROL 3.x consoles, history is shown in a separate window from the main chart. In PATROL Central Operator, history is shown in the same window as the chart. You do not have to open a separate window to view historical data. The title of the chart displays the current history range.

Location of task icons


In PATROL 3.x consoles, icons for tasks are shown at the same level of the hierarchy as the object from which the task was run. In PATROL Central Operator, icons for tasks are all shown under the Tasks folder.

KM in the PATROL object namespace


For PATROL 3.x consoles, the PATROL object namespace includes three levels: application class, application instance, and parameter. For PATROL Central Operator, the PATROL object namespace now includes a level for the KM. This level is above the application class level in the hierarchy. For a supported version of PATROL Agent, the KM level is automatically created for each loaded application class. The name of the KM is the same as the name of the corresponding application class. For example, in the runtime path of the Windows Operating System object, rt/NT_OS/NT_OS/NT_OS, the first NT_OS refers to the KM, the second NT_OS refers to the application class, and the third NT_OS refers to the application instance.

This KM level is displayed in InfoBoxes (the runtime path item) and Event Manager (the event origin attribute). It is used in managed system queries and event filters. However, it is not displayed in the navigation pane and is not supported in PSL statements. When referring to a PATROL object in PSL commands, you must continue to use its PATROL 3.x path without the KM level.

Running menu commands and InfoBox commands


In PATROL 3.x consoles, menu commands and InfoBox commands are stored in the KM on the console computer. When the user selects a menu command or opens an InfoBox, the console prompts the user for the value of any console macros, and determines where the command should be run: on the console or the PATROL Agent. Then the console either sends the command to the PATROL Agent for execution or executes the command itself. The PATROL Agent does not use the menu commands or InfoBox commands in its own copy of the KM. For PATROL Central Operator, menu commands and InfoBox commands are still stored in the KM. However, since the KM no longer exists on the console, the menu commands and InfoBox commands in the PATROL Agent are used. Also, local menu commands are disabled in the Web Edition of PATROL Central Operator. When the user selects a menu command or opens an InfoBox, the PATROL Agent tells the console to prompt the user for the value of any console macros and determines where the command should be run. Then the PATROL Agent either executes the command or sends it to the console for execution, if appropriate.

Migrating console information from PATROL Console for Windows or PATROL Console for UNIX
You can migrate console information from PATROL Console for Windows and PATROL Console for UNIX to a management profile for PATROL Central Operator. After you migrate the console information to a management profile, you can then use the management profile with the Web Edition of PATROL Central Operator. See the PATROL Console Migration Tool Release Notes for more information about how to migrate console information.

Appendix A

Troubleshooting PATROL Central Operator

This appendix provides troubleshooting information on installing and configuring PATROL Central, PATROL Central Operator, and PATROL Central Administration. For more troubleshooting information, see the PATROL Central Operator Web Edition online Help, PATROL Console Server and RTserver Getting Started, and PATROL Installation Reference Manual. This appendix contains the following topics:
- Common problems
- Installation problems
- Web server problems
- General usage problems
- Gathering diagnostic information
- Where to find diagnostic information
- Installation logs
- Web server logs
- Client logs
- Checking which PATROL Central ports are in use on UNIX
- Obtaining version, system, and contact information
- Dealing with web server issues

Common problems
This section contains troubleshooting information for the following common problems.
- Installation problems
- Web server problems
- General usage problems

Installation problems
This section describes known issues and workarounds for issues that can occur when installing PATROL products.

References to aborted packages or components during installation


During installation of PATROL Central Operator, you may see references to aborted packages or components in the installation utility status page and the log files. This happens when the installation utility encounters components that have already been installed on the target computer. The message does not indicate a problem with the product installation. Entries in the log files will indicate that the package or component was skipped because it was already installed.

Installing additional console module on UNIX


If you install additional console modules after you have installed the Web server and the installation utility detects port conflicts during the installation, you must stop the Web server and the servlet container to complete the installation.

Exiting applications and stopping processes on Windows


Before installing or uninstalling PATROL Central on Windows, exit all applications, and ensure that the following processes are not running:
- any Java processes (Java.exe and Javaw.exe)
- the Service Control Manager
- the Internet Services Manager (if you choose to integrate with IIS)

Uninstalling products on Windows platforms


Problem: When you uninstall all PATROL products, the installation utility does not remove all product files.

Solution: You must perform an additional task using specific control files after you uninstall all products to remove the remaining product files. For more information, see the PATROL Installation Reference Manual.

Uninstalling products on UNIX platforms


Problem: On UNIX, uninstalling PATROL Central does not remove the $BMC_ROOT/webcentral/bin directory.

Solution: Manually remove the directory and files after the uninstall completes or stop the Web server before uninstalling.

Uninstalling PATROL KM Help files or console module


If you uninstall a console module or PATROL KM Help files, you must restart the Web server and the servlet container after the uninstall.

Uninstalling products on UNIX platforms


Problem: It is not possible to completely remove the Operator module during uninstall of PATROL Central Operator - Web Edition.

Solution: No workaround.

Web server problems


This section contains troubleshooting information for the following problems.

Web server may not release all ports after PATROL Central is stopped on UNIX platforms
Problem: Using the ./pwcctl stop command to shut down PATROL Central may not release all the ports for the Tomcat or Apache processes.

Solution: Perform the following steps as root:

1 Wait approximately 30 seconds, then enter the following command to see if the ports have been released:
./pwcctl status

2 If the ports have not been released, enter the following commands to get the process ids for the processes associated with the open ports:
ps -elf | grep java
ps -elf | grep httpd

3 Terminate the processes found in step 2 by entering the following command:
kill process id

The web server will not start


You are not able to access PATROL Central by using your Web browser.
Explanation: Some of the required ports are not available. For example, if you have just stopped the Web server, it might not have released the ports yet.
Solution: Make sure that no processes are using the ports. See Checking which PATROL Central ports are in use on UNIX on page 178. If you just stopped the Web server, wait for it to release the ports.

Explanation: The Tomcat servlet container or Tomcat Web server was terminated incorrectly or ran out of disk space, causing the wc.* files in the WEB-INF directory to be set to zero length.
Solution: Copy the files from the $BMC_ROOT/webcentral/apachetomcat/webapps/patrol/WEB-INF/backup directory to the $BMC_ROOT/webcentral/apachetomcat/webapps/patrol/WEB-INF directory.
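The restore described above can be limited to the files that are actually damaged. The following is an added example, not part of the BMC documentation: it replaces only zero-length wc.* files, and only when the backup copy exists and is not itself empty, so intact files and their current settings are left alone. The function name and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not BMC code.
# restore_wc_files WEBINF_DIR
#   WEBINF_DIR is the WEB-INF directory that holds the wc.* files and a
#   backup/ subdirectory, as described in the text above.
# For each zero-length wc.* file, copy the same-named file from backup/.
# Prints one line per empty file: "restored NAME" or "no-backup NAME".
# Returns 1 if any empty file could not be restored, otherwise 0.
restore_wc_files() {
    webinf=$1
    rc=0
    for f in "$webinf"/wc.*; do
        [ -f "$f" ] || continue      # glob matched nothing, or not a regular file
        [ -s "$f" ] && continue      # file has content: leave it untouched
        name=${f##*/}
        if [ -s "$webinf/backup/$name" ]; then
            # -p keeps the mode and timestamps of the backup copy
            cp -p "$webinf/backup/$name" "$f" && echo "restored $name"
        else
            # backup missing or also zero length: report instead of copying
            echo "no-backup $name"
            rc=1
        fi
    done
    return $rc
}
```

Call it with the WEB-INF path from the solution above, for example restore_wc_files "$BMC_ROOT/webcentral/apachetomcat/webapps/patrol/WEB-INF", and free disk space first if a full disk caused the truncation.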

Saving user preferences on Windows web servers


Problem: User preferences are saved using the current user account. In PATROL Central, the account name is case sensitive, so the same Windows account may have multiple preferences defined, depending on the case of the account name that you used to log on to PATROL Central.

Solution: Enter the account name the same way each time you log on to PATROL Central.

On Solaris, the web server dies at startup


Problem: The latest Solaris patches are not applied.

Solution: Apply the latest patches for Solaris. See the PATROL Central Operator Web Edition Release Notes for information about Solaris patches.

General usage problems


This section contains troubleshooting information for problems that may occur while using PATROL Central Operator Web Edition.

Dragging a user-defined chart or folder to a gauge, text, or stoplight parameter


Problem: If you drag a user-defined chart or folder to a gauge, text, or stoplight parameter, the chart or folder disappears. You cannot recover the user-defined chart or folder.

Solution: Do not drag a user-defined chart or folder to a gauge, text, or stoplight parameter.

Suspending parameter through attribute setting in Customizations dialog box


Problem: If you suspend a parameter by selecting the Suspend attribute in the Customizations dialog box, you cannot use the Task => Resume menu command to resume the parameter.

Solution: Suspend and resume the parameter by right-clicking it and choosing Task => Suspend or Resume.

Event Manager default filter does not work properly if Event Manager taskpad is open
Problem: If you specify an event filter as the default filter, then load a different filter and close the Event Manager while the Event Manager taskpad is displayed, the Event Manager will access events from the current filter instead of the default filter.

Solution: Ensure that the Event Manager taskpad page is not displayed before you access the default event filter.

Event Filter Properties dialog box text entry field does not work properly
Problem: On the Event Filter Properties dialog box, the Limit number of events displayed per Managed System text entry field does not work properly. If you type a new value into the field, the new value is not accepted. Instead, the default value is retained.

Solution: Use the spin control to specify a new value.

Parameters for multi-line charts do not display properly in custom views


Problem: If you create a multi-line chart outside of a custom view, and you add the chart object to a custom view, the chart parameter list does not display correctly. Viewing the chart after it is created displays the parameters correctly.

Solution: To see the correct parameter list for the multi-line chart, add the parameters to the chart within the Custom View wizard.

Dragging and dropping parameters into custom view objects within the tree view
Problem: You cannot drag and drop a parameter into a custom view object within a tree view. The symbol is not displayed when you attempt to perform this action.

Solution: Do not drag and drop parameters into the custom view object within the tree view. Instead, in the tree view area, right-click the custom view object and choose Edit to add parameters to the custom view.

Creating custom views with similar multi-line charts


Problem: If you create a custom view with multi-line charts and two cells within the view have the same parameter names, the second cell will not display any data.

Solution: Change the default title of the multi-line chart in one of the cells so that the names are unique for each cell.

Graphs autoscale within a custom view


Problem: If you create a custom view and add a graph to the view, the Y axis will autoscale based on the minimum and maximum values for the data displayed in the graph but no data is lost.

Solution: No workaround

Selection of rows is not persistent for managed system query


Problem: When you execute a managed system query and the query returns more than one page of results, if you select objects on one page, then click Next or Back, the objects will no longer be selected.

Solution: Perform one of the following actions:
- Set the default number of lines per page so that the results are displayed on one page.
- For each page in the results pane, add the results to a folder or chart.

For more information, see the PATROL Central Operator Web Edition Help.

Exporting charts and graphs is not supported


Problem: You cannot export charts and graphs as images or copy them to the clipboard to use in other applications.

Solution: Double click the title of the chart or graph to open it in a separate window and create a screen capture of the window; for example, on Windows platforms, use Alt + Print Scrn. You can then paste the image into a document or image editor.

Incorrect profile name is displayed in the Open Management Profile wizard


Problem: When you use the Open Management Profile wizard to change to a new management profile, the previous profile name is still displayed on the Finish page of the wizard.

Solution: Click Back then Next to display the new profile name.

After initial connection to a management profile or on start-up of PATROL Central Operator, text parameters and gauges are not immediately displayed in custom views
Problem: If you create a custom view and add a text parameter or gauge, when you open a management profile or log off and log back on to PATROL Central Operator and open the custom view, the items are not immediately displayed.

Solution: No workaround

Shortcuts to parameters cannot be added to custom views


Problem: A shortcut to a parameter will not be visible while creating a custom view in the Create Custom View wizard.

Solution: Add the parameter itself to the custom view, instead of the shortcut.

Adding a disconnected managed system to a folder


Problem: You cannot add a disconnected managed system to a folder from the Query results page.

Solution: Make sure that the managed system is connected before adding it to the folder or move the specified managed system from the tree view to the folder.

Changes to a managed system query are not recognized immediately


Problem: When you edit a query from the Managed System Query Results page, you must load the query again to view the changes. If you attempt to edit the query again before reloading it, your changes will not be present.

Solution: Reload the query after making changes.

Multiple objects with the same name


Problem: You can have multiple objects (shortcuts, folders, custom views, and charts) with the same name at the same level of the hierarchy in a management profile. For example, if two managed systems have the same parameter, you can create shortcuts to each instance of the parameter, then move the shortcuts to the same folder. You can copy an item of the same name to another level of the hierarchy. The copied item will not overwrite or be prepended or appended to the existing item. Each item is unique.

Solution: No workaround

Adding objects from the managed system query results page to a folder or chart
Problem: You cannot add objects from the Managed System Query Results page to a user-defined folder or chart that is not directly under the PATROL Main Map. User-defined folders and charts that are not directly under the PATROL Main Map are not displayed in the list of existing folders and charts.

Solution: Move the folder or chart directly under the PATROL Main Map, add the object to the folder or chart, then move the folder or chart back to its original location. You can also drag a single object in the tree view area to the folder or chart.

Output for a task being redirected to the system output window


Problem: Normally the output from a task, such as a task started from a KM command or a user initiated PSL or OS task, is displayed in the window for the task. However, if two tasks are running and you delete the first task, any future output for the second task is redirected to the system output window. This issue is most visible when the task takes a long time to execute, the task is interactive, or you repeat the task.

Solution: If the output for a task is missing from its task window, look in the system output window. You can also avoid this issue by waiting for all tasks to complete before deleting any of them.

Granting write access to management profiles


Problem: If you use PATROL Central Administration to grant the write right for a management profile to a group or user that does not have the Create and destroy management profile right, those users cannot open that management profile for read/write (versus read-only). If those users attempt to open the management profile for read/write, all users become locked out of the management profile until the PATROL Console Server is restarted. By default, only the patadm, patpop, and patop groups have the Create and destroy management profile right.

Solution: If you use PATROL Central Administration to allow the write right for a management profile to a group or user, also make sure that the group or user has the Create and destroy management profile right. If users are locked out of a management profile due to this issue, restart the PATROL Console Server to unlock it.

Deleting aliases in impersonation tables


Problem: You can delete an alias even though it has been added to an impersonation table. The impersonation connected to that alias will not work.

Solution: Recreate the alias or remove the entry from the impersonation table.

Multiple sessions of PATROL Central Administration


Problem: PATROL Central Administration retrieves its data from the PATROL Console Server. If there are multiple sessions of PATROL Central Administration connected to the same PATROL Console Server, changes made in one session are not automatically reflected in the other sessions.

Solution: To see changes made in other sessions, reload the page.

Shortcut keys and function keys are not supported


Problem: Browser-defined shortcut keys and function keys are not supported in this release.

Solution: Do not use shortcut or function keys.

The PATROL Central web page is not available


The following conditions may cause the PATROL Central Web page to be unavailable.
Explanation: The Web server is not running.
Solution: Start the Web server (IIS, Apache, or Tomcat standalone). For IIS, you must also start the Tomcat servlet container separately. For more information see Starting and stopping PATROL Central Operator Web Edition on page 132.

Explanation: The Web server is using a different port from the default.
Solution: Inform users to include the port number in the URL. For example, if the Web server myserver is using port 8080, view the URL http://myserver:8080.

Explanation: On IIS, the security certificate is not properly installed or it has expired.
Solution: Install a valid security certificate. For more information, see Certificate information (IIS only) on page 35.

The PATROL Central web page is blank on Internet Explorer


Problem: If you are using IE 6 on a Windows 2003 machine, after you enter the PATROL Central Operator URL, IE may display a blank web page. This is caused by Windows 2003 applying a high security level by default.

Solution: You can solve this problem by using either of these two methods:

To add the PATROL Central Operator URL to the trusted sites list in IE
- From the IE Tools menu, select Internet Options => Security.
- Select Trusted Sites and click Add.
- Add the PATROL Central Operator URL to the list of trusted sites and click OK.

To set the security level for trusted sites
- From the IE Tools menu, select Internet Options => Security.
- Select Trusted Sites and move the slider down for a lower level of security.

The RTserver or PATROL Console Server is not responding


The following conditions may cause a lack of response from the RTserver or PATROL Console Server.
Explanation: The RTserver or PATROL Console Server is not running.
Solution: Make sure that the RTserver and PATROL Console Server are running. For more information, see the PATROL Console Server and RTserver Getting Started. If you must start the RTserver, wait for PATROL Central to recognize that the RTserver has been started.

Explanation: PATROL Central might not be using the correct RTserver or PATROL Console Server.
Solution: Make sure that PATROL Central is using the correct RTserver and PATROL Console Server and that their names are typed correctly. Note that the name of the PATROL Console Server might not match the host name. For more information, see the Appendix C, Modifying initialization settings after installation.

Explanation: PATROL Central might be using a different RTserver from the PATROL Console Server.
Solution: Make sure that PATROL Central and PATROL Console Server are using the same RTserver. For more information, see Appendix C, Modifying initialization settings after installation and PATROL Console Server and RTserver Getting Started.

Explanation: The PATROL Console Server might not be available on the network.
Solution: To determine if the PATROL Console Server computer is available on the network, ping the host name of the computer. Note that the name of the PATROL Console Server is its host name by default; however, a different name can be specified when starting the PATROL Console Server. Also ensure that the RTserver computer and the PATROL Console Server computer can both reach each other on the network.

Explanation: The RTserver might not be available on the network.
Solution: To determine if the RTserver is available on the network, telnet to the RTserver on the appropriate port. Also ensure that the RTserver computer and the Web server computer can both reach each other on the network.

Users cannot log on


The following conditions may prevent users from logging on to Product Short.
Explanation: HTTPS is not active.
Solution: Make sure that HTTPS is active by trying to access https://hostname:port, where hostname is the name of the server, and port is its HTTPS port. If you are using IIS, make sure that PATROL Central is using the correct HTTPS port for IIS. For more information about setting the HTTPS port, see the Appendix C, Modifying initialization settings after installation.

Explanation: The user did not accept the certificate for the Web server.
Solution: Inform the user to restart the Web browser and accept the certificate when accessing the PATROL Central Web site.

Explanation: The PATROL Console Server is too busy processing requests from other computers to process the log on request. (The Failed to log on to Console Server. Operation Timed Out error message is issued.)
Solution: Inform users to try to log on again.

Explanation: The user might be using an incorrect user name or password.
Solution: Inform the user to use a user name and password for an operating system or domain account on the PATROL Console Server.

Explanation: The user might not have the necessary rights.
Solution: Grant the necessary rights to the user by placing the user account in the appropriate group on the PATROL Console Server.

User is unable to log on to a second PATROL Console Server from a management profile
Problem: The user receives the error message, "Authentication to the console server failed, cancelled, or timed out. Please click Back to try again or Cancel to exit..." when trying to log on to a second PATROL Console Server from a management profile.

Solution: Use one of the following methods to display the authentication dialog box.
- Move the dialog box with the error message. The authentication dialog box will appear right after it.
- Click Back, select the second PATROL Console Server again, and click Next. The Service Authentication dialog box appears so that you can log on to the second PATROL Console Server.

Users cannot add a managed system


The following conditions may prevent you from adding a managed system group.
Explanation: The PATROL Agent software on the managed system might not be running, or it might not be using the correct RTserver.
Solution: Make sure the PATROL Agent software is running on the managed system and using the correct host name and port number for the RTserver. For more information, see the PATROL Agent Reference Manual and PATROL Console Server and RTserver Getting Started.

Explanation: The PATROL Agent software on the managed system might be a version previous to version 3.5.
Solution: Make sure the PATROL Agent software is one of the supported versions. For more information, see the PATROL Agent Reference Manual.

Explanation: The management profile might be read-only.
Solution: Inform the user to use a management profile that is not read-only.

Explanation: The user might not have the necessary rights.
Solution: Grant the necessary rights to the user by placing the user account in the appropriate group on the PATROL Console Server.

Users are prompted to log on to a managed system


Problem: The managed system does not recognize the user as a valid user.

Solution: Set up the impersonation table for the user in PATROL Central Administration. The user can also log on to the managed system with an account on that system.


No online Help exists for a specific KM


The following conditions may cause the online Help to be unavailable.
Explanation: The online Help for that KM is not installed with PATROL Central Operator.
Solution: If you are running a PATROL Console Server prior to version 7.2.36, make sure you install the appropriate online Help with the PATROL Central Operator whenever you install a new KM on a managed system.

Explanation: There is no online Help for that KM.
Solution: No action required.

PATROL Central does not prompt for password in attended mode


Problem: On UNIX, at security level 4, attended mode, PATROL Central does not prompt for the keystore location or password when it is started.

Solution: The startup script uses 'su -' to pass the Tomcat user's environment to the Tomcat process. This includes the X11 variables necessary to display a dialog box. Set your default shell, as specified in /etc/passwd, to /bin/sh. If you use a different shell, such as ksh or bash, the environment is not passed, so X11 is not available to the Tomcat process.

Gathering diagnostic information


This section contains information on gathering diagnostic information for PATROL Central Operator.

Where to find diagnostic information


The following table lists locations where you can find diagnostic information for problems with PATROL Central Operator.


Table 13 Summary of where to find diagnostic information

Type: Installation
Location: %USERPROFILE%\Application Data\BMCinstall\ (Windows); home_directory/BMCinstall (UNIX)
Description: See Installation logs on page 175.

Type: Web server
Location: Various locations
Description: See Web server logs on page 175.

Type: Client
Location: Various locations
Description: See Client logs on page 178.

Type: Local Events
Location: The System Messages dialog box accessed by clicking the message icon at the bottom of the PATROL Central window
Description: By default, the Web Edition of PATROL Central and the console modules, such as PATROL Central Operator, log events in the System Messages dialog box accessible from the status area of the PATROL Central window. These local events are best used for initial diagnosing.

Installation logs
One log file is created each time the installer is run. The name of the log file is a combination of the computer name and a time stamp. The location of the file depends on the operating system.
- On Windows, the log file is located in the %USERPROFILE%\Application Data\BMCinstall\ directory.
- On UNIX, the log file is located in the home_directory/BMCinstall/ directory.

For example, the log file for user patrol on the Windows 2003 server PATROL_1 is located in the C:\Documents and Settings\patrol\Application Data\BMCinstall directory. The name of the log file is PATROL_1-1005340189.log.

Web server logs


Which Web server logs you have depends on the Web server. All Web servers will have Tomcat servlet container logs.

NOTE
This section refers to the webcentral sub-directory of $BMC_ROOT. This directory is WebCentral on Windows, and webcentral on UNIX. For more information, see Installation directory on page 33.


IIS web server logs


The IIS Web server maintains log files and also places messages in the Windows Event log. The logs for IIS are located in the system_dir\LogFiles\w3svcl\ directory. These logs are most useful for monitoring HTTP requests.

Apache web server logs


The Apache Web server maintains the log files in the $BMC_ROOT/common/apache/apache.2/httpd/OS/logs/ directory. The error_log file contains information about port conflicts and startup problems. The Apache Web server log files can grow considerably over the course of time. For example, each image load request is logged. The installation installs a utility to truncate the log files for the Apache Web server while the Web server is running, so that they do not grow without limit. The utility consists of the following files:
- the /etc/patrol.d/apache/bmctrimlog executable utility
- the /etc/patrol.d/apache/bmctrimlog.conf text configuration file

This utility can be run periodically as a job in the root crontab. If you chose to automatically add the job to the root crontab in the installation, the following line is added, which runs the utility every hour on the half-hour.
30 * * * * /etc/patrol.d/apache/bmctrimlog

If you chose not to add the job to the root crontab, you can add the job manually and adjust the job schedule. For more information about cron and crontab, see their man pages on your system.

To fine-tune the log file management, edit the bmctrimlog.conf file. For example, you can set different maximum sizes for each log file. See the comments in the configuration file for more information.

Tomcat web server and servlet container logs


The following logs in the $BMC_ROOT/webcentral/apache-tomcat/logs directory reflect the state of the Tomcat servlet container and its integration with the Web server.


Web server: all
File: localhost_log.year-month-date.txt (a)
Description: standard output log file for Tomcat Web server

Web server: all
File: localhost_examples_log.year-month-date.txt (a)
Description: example Web applications log file

Web server: all
File: localhost_access_log.year-month-date.txt (a)
Description: access log file for Tomcat Web server

Web server: IIS
File: isapi.log
Description: This file contains messages created by the Apache Tomcat Protocol 13 (AJP13) ISAPI filter.

Web server: Apache
File: mod_jk.log
Description: This file contains messages created by the Apache Tomcat Protocol 13 (AJP13) Apache module.

Web server: Apache and Tomcat standalone (UNIX)
File: jvm.stdout
Description: This file contains the standard output of the Tomcat java process. It is usually the most useful log to look at initially.

Web server: IIS and Tomcat Standalone (Windows)
File: stdout.log
Description: This file contains the Tomcat java process standard output messages when Tomcat is run as a service. If Tomcat is run from a command window, all output is sent to that window.

Web server: IIS and Tomcat Standalone (Windows)
File: stderr.log
Description: This file contains the Tomcat java process standard error output messages when Tomcat is run as a service. If Tomcat is run from a command window, all output is sent to that window.

(a) The level of verbosity in these logs is controlled by settings in the $BMC_ROOT/webcentral/apache-tomcat/conf/server.xml file.

The following logs in the $BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/log/ directory contain information for the Tomcat servlet container.

File: jcosjni.log (a)
Description: log file for jcosjni

File: pwc1.log (a), pwc2.log, pwc3.log, pwc4.log, pwc5.log
Description: These files are error log files for PATROL Central. The log pwc1.log is always the most recent.

(a) The level of verbosity in these logs is controlled by the $BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF/globalDebug.cfg file.


On Windows, if you run the Tomcat Web server as a service, it also places messages into the Windows Event log.

Client logs
The location of client logs depends on the platform of the client.

Windows client logs


On Windows, the Java plug-in also has its own error messages and trace file. To view error messages related to the Java plug-in, double-click the java console icon in the system tray. On Windows 2003, the Java plug-in trace file is saved to the Document and Settings\username\Application Data\Sun\Java\Deployment\log\plugin150_08.trace file.

UNIX client logs


On UNIX, the Java plug-in trace log contains trace output from the plug-in. It is contained in the home directory of the user. The typical file name is plugin142_07.trace.

Checking which PATROL Central ports are in use on UNIX


This task describes how to check whether the ports used by the PATROL Central Web server are in use on UNIX.

To check which ports are in use on UNIX

1 Change to the root user.

2 In a command window, change to the $BMC_ROOT/webcentral/bin directory.

3 Enter the following command:

./pwcctl status


Obtaining version, system, and contact information


This task describes how to obtain version, system, and contact information for PATROL Central.

To obtain version, system and contact information

1 Start your Web browser and log on to PATROL Central.

2 In the navigation area, click the Home tab, then the About sub-tab.

3 Click one of the following links in the list area:

- Version Information
- System Information
- Contact Information

Dealing with web server issues


For assistance with Web server issues, see the documentation for your Web server.
Web server: IIS
Documentation: See the IIS documentation.

Web server: Apache
Documentation: See the following:
- the Apache documentation installed with Apache at http://hostname:port/manual, where hostname is the name of the server, and port is its HTTP port.
- the Apache HTTP Server Web site at http://httpd.apache.org.

Web server: Tomcat standalone
Documentation: See the following:
- the Tomcat documentation installed with Tomcat at http://hostname:port/tomcat-docs, where hostname is the name of the server, and port is its HTTP port.
- the Tomcat Project Web site at http://tomcat.apache.org/

NOTE
The documentation for the Web server and the documentation for PATROL Central differ in some areas, for example, in how you start the Web server. In these cases, follow the documentation for PATROL Central.


Appendix B Enhancing web server security

Historically, Web servers have been vulnerable to back-door attacks. Unusual URLs, combined with weaknesses in the handling of them, may allow unauthorized users to execute commands on behalf of the Web server account. This section discusses optional tasks that you can do to minimize potential damage.

The Apache web server: keystore password, certificates, and modes
    About the keystore password and the Apache policy file
    Replacing the self-signed certificate
    About attended and unattended modes for the Apache web server


The Apache web server: keystore password, certificates, and modes


This section discusses how the keystore password is saved and the implications of this implementation. It also explains how to replace the self-signed certificate and use the attended and unattended modes.

About the keystore password and the Apache policy file


Apache needs the password for the keystore when it starts up so that it can access its keystore containing its private key. This private key is used together with the corresponding certificate to perform encrypted communications. You specify the keystore password in the installation. By default, this password is stored encrypted in the /etc/patrol.d/security_policy_v3.0/site.plc policy file. Apache is configured to automatically retrieve the password from this policy file.

NOTE
Apache operates outside the PATROL Security context. The site.plc policy file is used only to store and retrieve the keystore password. Other information stored in the file is not used. For more information about policy files, see the PATROL Security User Guide.

If you obtain a new certificate from a certificate authority, you might also have to generate a new private key and keystore. If the new keystore is protected by a different password from the one specified in the installation, you must also update the Apache policy file.

Replacing the self-signed certificate


This task describes how to replace the self-signed certificate created at installation with a certificate from a certificate authority.

1 Obtain the certificate from a certificate authority.

2 Install the new certificate.
See your certificate authority for detailed instructions.

3 If the certificate uses a private key with a different password from the previous keystore password, use the plc_password utility to update the password for the site.plc policy file to the new password.

NOTE
The plc_password utility is documented in the PATROL Security User Guide.

4 Restart the Apache Web server.

About attended and unattended modes for the Apache web server
By default, Apache runs in unattended mode. It automatically retrieves the keystore password from the Apache policy file. However, you can configure it for attended mode. In attended mode, an administrator must manually enter the keystore password when starting Apache, and the Apache policy file is no longer used.

The keystore password for starting Apache is specified during the installation. It is not the default password specified in the PATROL Security User Guide.

To convert Apache to attended mode, use the SSLPassPhraseDialog directive in the httpd.conf file. For more information, see the SSL documentation included with the Apache documentation at http://hostname:port/manual/mod/mod_ssl, where hostname is the name of the server, and port is its HTTP port.

Do not use the plc_password utility that is documented in the PATROL Security User Guide to switch Apache to unattended or attended mode. That method does not apply to starting the Apache Web server.
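The following check is an added example, not part of the BMC documentation or product. It reads an httpd.conf and reports which mode the SSLPassPhraseDialog directive selects, and for unattended mode whether the helper program could be altered by other accounts. It assumes mod_ssl's documented values (builtin prompts the operator, exec: or | runs a program); the helper path and the sample fragments are constructed placeholders.

```python
import os
import re
import stat

# Constructed httpd.conf fragments. The helper path is a placeholder, not a BMC path.
UNATTENDED_CONF = """\
SSLEngine on
SSLPassPhraseDialog exec:/path/to/passphrase-helper
"""
ATTENDED_CONF = """\
SSLEngine on
# SSLPassPhraseDialog exec:/path/to/passphrase-helper
SSLPassPhraseDialog builtin
"""

# Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*SSLPassPhraseDialog\s+(\S.*?)\s*$", re.IGNORECASE)


def passphrase_dialog(conf_text):
    """Return (mode, helper) for the effective SSLPassPhraseDialog value.

    mode is "attended" for builtin (the operator types the pass phrase at
    startup) and "unattended" for exec: or | (a program supplies it).
    Included files are not followed; the last occurrence is taken as effective.
    """
    value = "builtin"  # mod_ssl's default when the directive is absent
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        match = DIRECTIVE.match(line)
        if match:
            value = match.group(1).strip('"')
    if value.lower() == "builtin":
        return "attended", None
    if value.lower().startswith("exec:"):
        return "unattended", value[len("exec:"):]
    if value.startswith("|"):
        parts = value[1:].split()
        return "unattended", parts[0] if parts else ""
    return "unknown", value


def helper_findings(path):
    """List reasons the pass-phrase helper could fail or be tampered with."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return ["helper not found, so Apache cannot obtain the pass phrase"]
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("helper is not a regular file")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Whoever can rewrite the helper controls what runs at Apache startup.
        findings.append("helper is writable by group or others")
    return findings


def audit(conf_text):
    """Summarize the start-up mode and, for unattended mode, the helper checks."""
    mode, helper = passphrase_dialog(conf_text)
    findings = helper_findings(helper) if mode == "unattended" else []
    return {"mode": mode, "helper": helper, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("unattended", UNATTENDED_CONF), ("attended", ATTENDED_CONF)):
        print(name, audit(conf))
```

Run it against the real httpd.conf text by passing the file contents to audit(); a result of "attended" means Apache will wait for an operator at every restart.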


Appendix C Modifying initialization settings after installation

You configure initialization settings during the installation of PATROL Central Operator. However, you can change some of those settings after installation by editing the startup configuration file. This appendix discusses the following topics:

The startup configuration file
    About modifying the startup configuration file
    What you may modify in the startup.cfg file


The startup configuration file


The startup configuration file, startup.cfg, resides in $BMC_ROOT/webcentral/apache-tomcat/webapps/patrol/WEB-INF.

NOTE
This path refers to the webcentral sub-directory of $BMC_ROOT. This directory is WebCentral on Windows, and webcentral on UNIX. For more information, see Installation directory on page 33.

About modifying the startup configuration file


The startup configuration file is a flat text file. When you modify the file, observe the following rules:
- Place each assignment statement alone on a single line.
- Each assignment statement must be of the format token = value with no commas, semi-colons, or other special characters.
- Precede any comments with a # in the first position of the line.

NOTE
You must restart the Tomcat servlet container for any changes to the startup configuration file to take effect. For the Apache and Tomcat standalone servers, this also involves restarting the Web server.


What you may modify in the startup.cfg file


The following table lists the entries in the startup configuration file that you may modify.

Entry: RTserver
Description: This entry specifies the RTserver to use. For more information, see RTSERVERS variable on page 37.

Entry: securityService
Description: This entry specifies the PATROL Console Server that is used as a security server for PATROL Central. For more information, see PATROL Console Server on page 34.

Entry: httpsPort
Description: This entry specifies the HTTPS port for the Web server. For more information, see Web server HTTP and HTTPS ports on page 46 or ISAPI Extensions for IIS on Windows Server on page 40.

Entry: cacheLoginCredentials
Description: This entry is used to cache users' login credentials as the default login credentials. If you set the caching flag in the startup.cfg file, the next time you log in to a PATROL Console Server using PATROL Central Operator Web Edition, your login credentials are cached as the default. This means that when you log in to PATROL Central Operator, your user name and password credentials are saved. If you try to open a management profile on a different PATROL Console Server, and if your credentials are valid for the new console server, PATROL Central Operator will not prompt you to enter your login user name and password. To cache login credentials, stop the PATROL Central Operator Web Edition process, open the startup.cfg file, and remove the comment character from the first position in the cacheLoginCredentials line. You must be running the PATROL Console version 7.7.00 or above to use this functionality.

TIP
If you used the installation worksheets (See Installation worksheets on page 47), record any changes to these entries on the worksheets.

WARNING
Do not modify any other settings in the startup configuration file. They are for use by BMC Software technical support only.
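The following change-control check is an added example, not part of the BMC documentation or product. It compares an edited startup.cfg with the installed copy, applies the editing rules listed above (only the comma and semicolon are checked as special characters), separates changes to the four modifiable entries from changes to any other entry, and reports whether credential caching has been switched on. Both sample files, all values in them, and the entry name supportOnlySetting are constructed placeholders.

```python
import re

# Entries the table above lists as modifiable; all others are support-only.
MODIFIABLE = {"RTserver", "securityService", "httpsPort", "cacheLoginCredentials"}
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

# Constructed samples. Values are placeholders; supportOnlySetting is a made-up entry.
BASELINE = """\
# startup.cfg (constructed sample)
RTserver = rtserver-a.example.com
securityService = consoleserver.example.com
httpsPort = 443
#cacheLoginCredentials = true
supportOnlySetting = 1
"""
EDITED = """\
# startup.cfg (constructed sample)
RTserver = rtserver-b.example.com
securityService = consoleserver.example.com
httpsPort = 8443;
cacheLoginCredentials = true
supportOnlySetting = 2
 # note added by operator
"""


def parse(text):
    """Return (entries, problems): active token/value pairs and rule violations."""
    entries, problems = {}, []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line, or a comment with '#' in the first position
        if line.lstrip().startswith("#"):
            problems.append((number, "comment marker is not in the first position"))
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            problems.append((number, "line is not of the form token = value"))
            continue
        token, value = match.groups()
        if re.search(r"[,;]", value):
            problems.append((number, "value contains a comma or semicolon"))
        entries[token] = value
    return entries, problems


def review(baseline_text, edited_text):
    """Compare an edited startup.cfg with the installed baseline."""
    before, _ = parse(baseline_text)
    after, problems = parse(edited_text)
    changed = sorted(
        token for token in before.keys() | after.keys()
        if before.get(token) != after.get(token)
    )
    return {
        "syntax_problems": problems,
        "allowed_changes": [t for t in changed if t in MODIFIABLE],
        "unsupported_changes": [t for t in changed if t not in MODIFIABLE],
        # An uncommented cacheLoginCredentials line means saved credentials are
        # reused when a profile is opened on another PATROL Console Server.
        "credential_caching_enabled": "cacheLoginCredentials" in after,
    }


if __name__ == "__main__":
    for key, value in review(BASELINE, EDITED).items():
        print(f"{key}: {value}")
```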


Appendix D Environment variables

This appendix lists the environment variables used by PATROL Central Operator. The values of these variables are assigned at installation.

Environment variable: BMC_ROOT
How variable is used: points to the location where BMC Software products are installed. This directory is stored as the $BMC_ROOT or %BMC_ROOT% environment variable, depending on whether the operating system is UNIX or Windows respectively.

Environment variable: PATROL_ROOT
How variable is used: points to the location where PATROL 7.x components, including PATROL Central Operator, are installed. This directory is stored as the $PATROL_ROOT or %PATROL_ROOT% environment variable, depending on whether the operating system is UNIX or Windows respectively.

The BMC_ROOT environment variable is shared by all PATROL Central components that are installed on the same computer.



Third-Party Product Terms


The following terms apply to third-party products that are included with or in a BMC Software product as described in the BMC Software, Inc., License Agreement that is applicable to the BMC Software product.

The Apache Software License, Version 1.1


This product includes the Apache software product found at www.apache.org and the Apache software product is distributed to us pursuant to the following terms and conditions:

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution if any, must include the following acknowledgement: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgement may appear in the software itself, if and wherever such third-party acknowledgement normally appear.

4. The names "Apache", and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org.

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name without prior written permission of the Apache Group.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Hypersonic SQL Group License


Copyright (c) 2001-2002, The HSQL Development Group All rights reserved.

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer, including earlier license statements (above) and comply with all above license conditions.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution, including earlier license statements (above) and comply with all above license conditions.

Neither the name of the HSQL Development Group nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HSQL DEVELOPMENT GROUP, HSQLDB.ORG, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Metakit License


The following X/MIT-style license applies to all files in the Metakit distribution:

Copyright (c) 1996-2005 Jean-Claude Wippler

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Sun Microsystems, Inc. Binary Code License Agreement


1. LICENSE TO USE. Sun grants you a non-exclusive and non-transferable license for the internal use only of the accompanying software and documentation and any error corrections provided by Sun (collectively "Software"), by the number of users and the class of computer hardware for which the corresponding fee has been paid.

2. RESTRICTIONS. Software is confidential and copyrighted. Title to Software and all associated intellectual property rights is retained by Sun and/or its licensors. Except as specifically authorized in any Supplemental License Terms, you may not make copies of Software, other than a single copy of Software for archival purposes. Unless enforcement is prohibited by applicable law, you may not modify, decompile, or reverse engineer Software. Licensee acknowledges that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses. No right, title or interest in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.

3. LIMITED WARRANTY. Sun warrants to you that for a period of ninety (90) days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software.

4. DISCLAIMER OF WARRANTY. UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

5. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose.

6. Termination. This Agreement is effective until terminated. You may terminate this Agreement at any time by destroying all copies of Software. This Agreement will terminate immediately without notice from Sun if you fail to comply with any provision of this Agreement. Upon Termination, you must destroy all copies of Software.

7. Export Regulations. All Software and technical data delivered under this Agreement are subject to US export control laws and may be subject to export or import regulations in other countries. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain such licenses to export, re-export, or import as may be required after delivery to you.

8. U.S. Government Restricted Rights. If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201 through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).

9. Governing Law. Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply.

10. Severability. If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would frustrate the intent of the parties, in which case this Agreement will immediately terminate.

11. Integration. This Agreement is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.

JAVA(TM) INTERFACE CLASSES JAVA API FOR XML-BASED RPC API CLASS FILES, VERSION 1.1 SUPPLEMENTAL LICENSE TERMS

These supplemental license terms ("Supplemental Terms") add to or modify the terms of the Binary Code License Agreement (collectively, the "Agreement"). Capitalized terms not defined in these Supplemental Terms shall have the same meanings ascribed to them in the Agreement. These Supplemental Terms shall supersede any inconsistent or conflicting terms in the Agreement, or in any license contained within the Software.

1. Software Internal Use and Development License Grant. Subject to the terms and conditions of this Agreement, including, but not limited to Section 3 (Java(TM) Technology Restrictions) of these Supplemental Terms, Sun grants you a non-exclusive, non-transferable, limited license to reproduce internally and use internally the binary form of the Software, complete and unmodified, for the sole purpose of designing, developing and testing your Java applets and applications ("Programs").

2. License to Distribute Software. In addition to the license granted in Section 1 (Software Internal Use and Development License Grant) of these Supplemental Terms, subject to the terms and conditions of this Agreement, including but not limited to Section 3 (Java Technology Restrictions), Sun grants you a non-exclusive, non-transferable, limited license to reproduce and distribute the Software in binary form only, provided that you (i) distribute the Software complete and unmodified and only bundled as part of your Programs, (ii) do not distribute additional software intended to replace any component(s) of the Software, (iii) do not remove or alter any proprietary legends or notices contained in the Software, (iv) only distribute the Software subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement, and (v) agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses.

3. Java Technology Restrictions. You may not modify the Java Platform Interface ("JPI", identified as classes contained within the "java" package or any subpackages of the "java" package), by creating additional classes within the JPI or otherwise causing the addition to or modification of the classes in the JPI. In the event that you create an additional class and associated API(s) which (i) extends the functionality of the Java Platform, and (ii) is exposed to third party software developers for the purpose of developing additional software which invokes such additional API, you must promptly publish broadly an accurate specification for such API for free use by all developers. You may not create, or authorize your licensees to create additional classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention designation.

4. Trademarks and Logos. You acknowledge and agree as between you and Sun that Sun owns the SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET trademarks and all SUN, SOLARIS, JAVA, JINI, FORTE, and iPLANET-related trademarks, service marks, logos and other brand designations ("Sun Marks"), and you agree to comply with the Sun Trademark and Logo Usage Requirements currently located at http://www.sun.com/policies/trademarks. Any use you make of the Sun Marks inures to Sun's benefit.

5. Source Code. Software may contain source code that is provided solely for reference purposes pursuant to the terms of this Agreement. Source code may not be redistributed unless expressly provided for in this Agreement.

6. Termination for Infringement. Either party may terminate this Agreement immediately should any Software become, or in either party's opinion be likely to become, the subject of a claim of infringement of any intellectual property right.

For inquiries please contact: Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 (LFI# 136499/Form ID# 011801)

zlib.h
This BMC product includes the zlib software product and is distributed to us pursuant to the following terms and conditions:

Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
