Академический Документы
Профессиональный Документы
Культура Документы
Version 7.2
Version 7.2
This edition applies to version 7, release 2, modification 0 of IBM Tivoli Application Dependency Discovery
Manager (product number 5724-N55) and to all subsequent releases and modifications until otherwise indicated in
new editions.
© Copyright International Business Machines Corporation 2006, 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
About this information
The purpose of this PDF document is to provide the related topics from the IBM®
Tivoli® Application Dependency Discovery Manager information center in a
printable format.
The IBM Tivoli Application Dependency Discovery Manager Troubleshooting Guide and
the troubleshooting topics in the information center include information on the
following items:
v How to identify the source of a software problem
v How to gather diagnostic information, and what information to gather
v Where to get fixes
v Which knowledge bases to search
v How to contact IBM Support
When using the Windows® command line, replace $variable with %variable% for
environment variables, and replace each forward slash (/) with a backslash (\) in
directory paths.
If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
COLLATION_HOME directory
The COLLATION_HOME directory is the directory where TADDM is installed
plus the dist subdirectory.
On operating systems such as AIX® or Linux®, the default location for installing
TADDM is the /opt/IBM/cmdb directory. Therefore, in this case, the
$COLLATION_HOME directory is /opt/IBM/cmdb/dist.
On Windows operating systems, the default location for installing TADDM is the
c:\IBM\cmdb directory. Therefore, in this case, the %COLLATION_HOME%
directory is c:\IBM\cmdb\dist.
iv Administrator's Guide
Contents
About this information . . . . . . . . iii Windows Management Instrumentation (WMI)
Terms used in this information . . . . . . . . iii dependency . . . . . . . . . . . . . 30
Conventions used in this information . . . . . . iv Configuring a federated data source in the TADDM
Operating system-dependent variables and paths iv server . . . . . . . . . . . . . . . . 31
COLLATION_HOME directory . . . . . . . iv Accessing federated data sources using the Domain
Manager . . . . . . . . . . . . . . . 32
Chapter 1. Architecture overview . . . . 1 Backing up data . . . . . . . . . . . . . 33
Restoring data . . . . . . . . . . . . . 33
TADDM server . . . . . . . . . . . . . 2
TADDM Enterprise Domain Server . . . . . . . 3
Chapter 4. Configuring your
Chapter 2. Security overview . . . . . . 5 environment for discovery . . . . . . 35
Permissions. . . . . . . . . . . . . . . 5 Discovery overview . . . . . . . . . . . 35
Enabling data-level security . . . . . . . . 5 Discovery profiles . . . . . . . . . . . . 36
Access collections. . . . . . . . . . . . . 6 Configuring for Level 1 discovery . . . . . . . 37
Creating an access collection . . . . . . . . 6 Configuring for Level 2 discovery . . . . . . . 38
Editing an access collection . . . . . . . . 6 Configuring target computer systems . . . . . 38
Deleting an access collection . . . . . . . . 7 Creating the service account . . . . . . . . 40
Roles . . . . . . . . . . . . . . . . . 7 Secure Shell protocol overview . . . . . . . 41
Creating a role. . . . . . . . . . . . . 8 Configuring System p and System i . . . . . 42
Deleting a role . . . . . . . . . . . . . 8 Configuring for Level 3 discovery . . . . . . . 43
Editing a role . . . . . . . . . . . . . 8 Configuring Web and application servers for
Users . . . . . . . . . . . . . . . . . 9 discovery . . . . . . . . . . . . . . 43
Creating a user . . . . . . . . . . . . 9 Configuring the Microsoft Exchange server . . . 45
Changing a user . . . . . . . . . . . . 9 Configuring VMware servers . . . . . . . 45
Deleting a user . . . . . . . . . . . . 10 Database set up for discovery . . . . . . . 46
User groups . . . . . . . . . . . . . . 10
Creating a user group . . . . . . . . . . 10 Chapter 5. Creating a Discovery Library
Changing a user group . . . . . . . . . 11 store . . . . . . . . . . . . . . . 49
Deleting a user group . . . . . . . . . . 11 Discovery Library Adapters . . . . . . . . . 50
Encryption . . . . . . . . . . . . . . 12 IdML schema . . . . . . . . . . . . . 50
FIPS compliance . . . . . . . . . . . . . 12
Resetting security policies . . . . . . . . . 13 Chapter 6. Tuning guidelines . . . . . 53
Security for the TADDM Enterprise Domain Server 14
Windows operating system tuning. . . . . . . 53
Configuring for LDAP . . . . . . . . . . . 15
Network tuning . . . . . . . . . . . . . 53
Configuring for WebSphere federated repositories 16
Database tuning . . . . . . . . . . . . . 53
Configuring the TADDM server for WebSphere
Both DB2 and Oracle database tuning . . . . . 53
federated repositories . . . . . . . . . . 16
DB2 database tuning . . . . . . . . . . . 54
Configuring for Microsoft Active Directory . . . 18
Oracle database tuning . . . . . . . . . . 57
Securing the authentication channel . . . . . 19
Database performance tuning . . . . . . . . 59
Discovery parameters tuning . . . . . . . . 60
Chapter 3. TADDM set up . . . . . . . 21 Bulk load parameters tuning . . . . . . . . 61
Prerequisites for starting the Product Console . . . 21 IBM parameters tuning for Java Virtual Machine
Deploying the Product Console . . . . . . . . 22 (JVM) . . . . . . . . . . . . . . . . 61
Checking server status. . . . . . . . . . . 23 Sun Java Virtual Machine (JVM) parameters tuning 63
Configuring firewalls between the Product Console Java console GUI Java Virtual Machine (JVM)
and the TADDM server . . . . . . . . . . 23 settings tuning . . . . . . . . . . . . . 63
Configuring firewalls between the Enterprise
Domain Server and the TADDM server . . . . . 24 Chapter 7. Populating the database . . 65
Starting the TADDM server . . . . . . . . . 25
Stopping the TADDM server . . . . . . . . 26
Testing server status . . . . . . . . . . . 27 Chapter 8. Database maintenance . . . 69
Windows setup . . . . . . . . . . . . . 28 Deleting old database records . . . . . . . . 69
Configuring Bitvise WinSSHD . . . . . . . 29 Optimizing DB2 for z/OS performance . . . . . 71
Configuring the Cygwin SSH daemon . . . . 30
Chapter 9. Log file overview . . . . . 73
© Copyright IBM Corp. 2006, 2009 v
Setting the maximum size and maximum number of Viewing bar charts that graph memory usage
IBM log files . . . . . . . . . . . . . . 73 for individual services . . . . . . . . . 107
Suggestions for searching logs . . . . . . . . 74 Viewing the circular gauge chart that graphs
processor usage . . . . . . . . . . . 107
Chapter 10. Server properties in the Viewing circular gauge charts that graph
collation.properties file . . . . . . . 75 processor usage for individual services . . . . 107
Viewing table summary of system availability 108
Properties that you should not change . . . . . 75
Viewing configuration items . . . . . . . . 108
API port settings . . . . . . . . . . . . 76
Viewing total number of configuration item
Commands that might require elevated privilege . . 76
changes in the past week . . . . . . . . 108
Database settings . . . . . . . . . . . . 78
Viewing totals for configuration items . . . . 109
Discovery settings . . . . . . . . . . . . 79
Viewing plot chart of configuration items . . . 109
DNS lookup customization settings . . . . . . 81
Working with the table summary of situation
GUI JVM memory settings . . . . . . . . . 82
events . . . . . . . . . . . . . . . 109
GUI port settings . . . . . . . . . . . . 83
Jini settings . . . . . . . . . . . . . . 83
LDAP settings . . . . . . . . . . . . . 84 Chapter 12. Integration with other
Logging settings . . . . . . . . . . . . . 85 Tivoli products . . . . . . . . . . . 111
Operating system settings . . . . . . . . . 86 Configuring for launch in context. . . . . . . 111
Performance settings . . . . . . . . . . . 86 Views that you can launch from other Tivoli
Reconciliation settings . . . . . . . . . . . 87 applications . . . . . . . . . . . . . 111
Reporting and graph settings . . . . . . . . 88 Specifying the URL to launch TADDM views 111
Secure Shell (SSH) settings . . . . . . . . . 88 Sending change events to external systems . . . 114
Security settings . . . . . . . . . . . . . 89 Configuring TADDM . . . . . . . . . . 114
Sensor settings . . . . . . . . . . . . . 90 Configuring IBM Tivoli Netcool/OMNIbus . . 115
Startup settings . . . . . . . . . . . . . 94 Configuring IBM Tivoli Enterprise Console . . 115
Topology builder settings . . . . . . . . . . 95 Configuring an IBM Tivoli Monitoring data
Topology manager settings . . . . . . . . . 95 provider . . . . . . . . . . . . . . 116
View manager settings. . . . . . . . . . . 96 Creating configuration change situations in IBM
XML performance settings . . . . . . . . . 98 Tivoli Monitoring . . . . . . . . . . . 118
Creating detail links in configuration change
Chapter 11. Self-monitoring tool event reports in IBM Tivoli Monitoring . . . . 118
overview . . . . . . . . . . . . . . 99 Configuring change events for a business
system . . . . . . . . . . . . . . 121
Viewing availability data . . . . . . . . . . 99
Integration with IBM Tivoli Business Service
Viewing error messages . . . . . . . . . 100
Manager . . . . . . . . . . . . . . . 121
Viewing services . . . . . . . . . . . 100
Integration with IBM Tivoli Monitoring . . . . 122
Working with non-operational processes . . . 100
IBM Tivoli Monitoring sensor . . . . . . . 122
Viewing errors . . . . . . . . . . . . . 102
IBM Tivoli Monitoring DLA . . . . . . . 123
Viewing performance data . . . . . . . . . 103
Monitoring Coverage report . . . . . . . 123
Viewing the table summary of response times 103
Change events . . . . . . . . . . . . 124
Viewing the bar chart of current response times 104
Self-monitoring tool . . . . . . . . . . 124
Viewing the plot chart of response times . . . 104
Launch in context . . . . . . . . . . . 124
Working with the table summary of situation
Tivoli Directory Integrator . . . . . . . . . 125
events . . . . . . . . . . . . . . . 104
Viewing the infrastructure data . . . . . . . 106
Viewing the bar chart that graphs an Appendix. Notices . . . . . . . . . 127
information summary . . . . . . . . . 107 Trademarks . . . . . . . . . . . . . . 128
vi Administrator's Guide
Chapter 1. Architecture overview
The Tivoli Application Dependency Discovery Manager (TADDM) provides
automated application dependency mapping and configuration auditing.
For TADDM to deliver the mapping and auditing, it depends on the discovery of
information. Discovery is a multithreaded process and usually occurs on multiple
targets simultaneously. The discovery process produces cross-tier dependency
maps and topological views. The following scenario describes some of the features
of TADDM:
1. The agent-free discovery engine instructs and coordinates the sensors to
determine and collect the identity, attributes, and settings of each application,
system, and network component.
2. The configuration data, dependencies, and change history are stored in the
database, and the topologies are stored in a cache on the TADDM server.
3. The discovered data is displayed as runtime, cross-tier application topologies.
4. TADDM generates reports and additional topological views of the information
stored in the database.
The job of the sensor is to discover configuration items, create model objects, and
persist the model objects to the database. The sensors use protocols that are
specific to the resources that they are designed to discover, for example, JMX,
SNMP, CDP, SSH, and SQL. When possible, a secure connection is used between
the TADDM server and the targets to be discovered. .
Computer system sensors, for example, emulate a user logging into the target and
running standard operating system commands, the output of which are returned to
the TADDM server. The TADDM server analyzes the data returned by the sensors.
Through the analysis, the target resource and the relationships to it are identified.
Enterprize
Domain
Server
Database
TADDM server
A domain is a logical subset of the infrastructure of a company or other
organization. Domains can delineate organizational, functional, or geographical
boundaries. One TADDM server is deployed per domain to discover domain
applications and their supporting infrastructure, configurations, and dependencies.
A single TADDM server can also be referred to as a TADDM Domain Server.
When you use TADDM servers, you use the Product Console and Domain
Manager to set up and view TADDM data. The Product Console is a graphical
Java based application that you use to set up and customize discoveries and view
and analyze configuration information that is collected. The Domain Manager is a
graphical Web application that you use to view enterprise-wide information. You
also use the Domain Manager to administer security.
TADDM is structured to scale to large data centers. A single TADDM server can
support approximately 10 000 physical servers. You can tune TADDM operating
characteristics (for example, discovery engine thread counts and discovery sensor
2 Administrator's Guide
time-outs) and increase the TADDM server or TADDM database resources (for
example, memory and processor) to achieve increased support for infrastructure
discovery and storage.
The TADDM Enterprise Domain Manager synchronizes data from multiple local
TADDM server instances to provide a single, enterprise-wide repository of
information.
The Domain Manager also provides a Web application to administer the local
domain servers and to view the data. It has a query and reporting user interface
(UI) that you can customize and share across the TADDM Enterprise Domain
Manager.
Use the TADDM Domain Manager to add new TADDM Domain Servers and to
view individual domain discovery information.
The following list summarizes the functionality of the TADDM Enterprise Domain
Server:
v Maintains change history
v Provides bulk load and import capabilities
v Provides cross-domain query capability
v Supports a common security framework across domains
v Provides the same API for access to data across domains
The TADDM Enterprise Domain Server does not provide support for the following
items:
v Discovery
v Domains cannot belong to more than one TADDM Enterprise Domain Server
v Nesting of the TADDM Enterprise Domain Server
Permissions
A permission authorizes the user to perform an action or access a specific
configuration item.
Permissions are aggregated into roles, and users are granted permissions by
assigning them roles that have those permissions.
When the product is installed, data-level security is disabled by default, giving all
users Read and Update permissions for any configuration item.
Access collections
An access collection is a set of configuration items that is managed collectively for
security purposes.
Access collections are used to limit the scope of a role. The role applies only to the
access collections that you specify when assigning the role to a user.
Before creating an access collection, run a discovery to ensure that the database of
configuration items is up-to-date.
Before editing an access collection, run a discovery to ensure that the database of
configuration items is up-to-date.
6 Administrator's Guide
About this task
Roles
A role is a set of permissions that can be assigned to a user. Assigning a role
confers specific access capabilities.
You can create additional roles to assign other combinations of permissions. Some
useful suggested combinations are as follows:
Read Permission to read objects in assigned access collections. This is suitable for
an operator role.
Read + Update
Permission to read and update objects in assigned access collections.
Read + Update + Admin
Permission to read and update objects in assigned access collections, and to
create users, roles, and permissions.
When you assign a role to a user, you must specify one or more access collections
for that role. This limits the scope of the role to only those access collections that
are appropriate for that user.
For example, Sarah is responsible for the NT servers and workstations of your
company, so you assign her the supervisor role over an access collection that
contains those systems. Jim is responsible for the Linux systems, so you assign him
the supervisor role for an access collection that contains them. Both users perform
exactly the same operations, and thus are assigned the same role, but have access
to different resources.
If you are using an Enterprise Domain Server and you want to create a role, you
must create the role for each TADDM domain, and then synchronize them with the
Enterprise Domain Server.
Creating a role
If the predefined roles are not sufficient for your needs, you can create a new one
with the permissions that you choose.
Deleting a role
You can delete a role that is no longer needed.
Editing a role
You can edit a role to set its permissions.
8 Administrator's Guide
About this task
Users
In the context of security, a user is a person who is given access to configuration
items.
Users are created in the Domain Manager. User access to configuration items is
defined by the roles and access collections that you assign to that user. You can
change these assignments at any time.
Creating a user
When the file-based registry is used for user management, you can create a new
user and assign roles to that user.
Changing a user
When the file-based registry is used for user management, you can change the
information for an existing user.
In addition to changing the user details (email address, password, and session
timeout), you can also change the access permissions by assigning different roles
and access collections.
Deleting a user
When the file-based registry is used for user management, you can delete a user
that you created.
User groups
In the context of security, a user group consists of several users who have the same
roles or permissions.
User groups are created in the Domain Manager. User group access to
configuration items is defined by the roles and access collections that you assign to
that user group. You can change these assignments at any time.
10 Administrator's Guide
About this task
In addition to adding or removing users in a user group, you can also change the
access permissions by assigning different roles and access collections.
TADDM uses the AES 128 algorithm from the FIPS-compliant IBMJCEFIPS security
provider to encrypt the following items:
v Passwords, including entries in collation.properties and userdata.xml.
v Access list entries stored in the database.
When you install TADDM, an encryption key is generated and passwords are
encrypted using this new encryption key. When migrating to TADDM 7.2 from a
previous release, an encryption key is generated and any existing passwords and
access list entries are migrated to use this new encryption key.
Note: To avoid data loss, keep a backup copy of the encryption key in a separate
location so that it can be restored if a problem occurs with the original copy.
For example:
./changekey.sh /opt/IBM/cmdb/dist administrator taddm
FIPS compliance
You can configure TADDM to operate in a mode that uses FIPS-compliant
algorithms for encryption by setting the FIPSMode property to true in
collation.properties.
When in FIPS mode, TADDM uses the following FIPS 140-2 approved
cryptographic providers:
v IBMJCEFIPS (certificate 376)
v IBMJSSEFIPS (certificate 409)
For more information about certificates 376 and 409, see the National Institute of
Standards and Technology (NIST) Web site, http://csrc.nist.gov/cryptval/140-1/
1401val2004.htm.
FIPS mode can be used with the following types of TADDM discoveries:
v Level 1 discoveries where the TADDM server and discovered systems are any
TADDM-supported platforms.
12 Administrator's Guide
v Level 2 discoveries where the TADDM server is Windows based and Windows
Management Instrumentation (WMI) is used to discover Windows platforms.
v Level 1 and Level 2 discoveries through IBM Tivoli Monitoring, using the
ITMScopeSensor, discovering systems managed by IBM Tivoli Monitoring. The
TADDM server can run on any supported TADDM platform.
Other TADDM discovery types are not supported.
Important: Resetting security policies requires that you delete and recreate all
users, so it should be used with caution.
The security policies are stored in two files. The files are used to initialize the
security policies. The following files are the current working versions:
v AuthorizationPolicy.xml
v AuthorizationRoles.xml
The files are located in different directories depending on which operating system
you are using:
v For the supported Linux, Solaris, AIX, and Linux on System z operating systems,
the files are located in the $COLLATION_HOME/var/policy directory.
v For the supported Windows operating systems, the files are located in the
%COLLATION_HOME%\var\policy directory.
After the security policies are initialized, these files are renamed and stored in the
same directory. The following files have been renamed:
v AuthorizationPolicy.backup.xml
v AuthorizationRoles.backup.xml
Default versions of the files, containing the supplied security policies, are also
located in the same directory. The following files are the default versions:
v DefaultPolicy.xml
v DefaultRoles.xml
If you are using the TADDM file-based registry and a TADDM domain is added to
a TADDM Enterprise Domain Server, you must re-create in the TADDM Enterprise
Domain Server any users that already exist in a domain, including assigned roles
and access that is granted to access collections. If you are using a Lightweight
Directory Access Protocol (LDAP) or WebSphere Federated Repositories user
registry, you must add to the TADDM Enterprise Domain Server the authorization
for any users that access TADDM.
When you add a domain to the TADDM Enterprise Domain Server, authentication
and authorization for the new domain is delegated to the TADDM Enterprise
Domain Server.
Logins to the domain are processed at the TADDM Enterprise Domain Server. In
addition, security manager method calls are processed by the TADDM Enterprise
Domain Server.
The following list summarizes other security information that you need to know to
configure your TADDM Enterprise Domain Server:
v For TADDM to function properly, the TADDM Enterprise Domain Server must
be running. A TADDM domain delegates security operations to the TADDM
Enterprise Domain Server, and this delegation is updated every 2.5 minutes. If 5
minutes pass and this delegation is not updated, the TADDM domain no longer
delegates security operations and proceeds as if no TADDM Enterprise Domain
Server is present. In this situation, TADDM UIs must be restarted to re-establish
the sessions with the Enterprise Domain Server.
v In each of the following situations, a TADDM UI must be restarted to
re-establish sessions with the correct Enterprise Domain Server:
– The domain in which the UI is running is added to an Enterprise Domain
Manager.
– The UI is opened in a domain while that domain is connected to an
Enterprise Domain Manager, but the Enterprise Domain Manager later
becomes unavailable, such as during a restart of the Enterprise Domain
Server or when network problems occur.
v Roles, permissions, and access collections that are stored in the TADDM server
are synchronized from the domain to the TADDM Enterprise Domain Server.
User to role mappings are not synchronized.
v Roles that you created for the domain can be used by the TADDM Enterprise
Domain Server after these objects are synchronized from the domain to the
Enterprise Domain Server.
v Users are not synchronized to the TADDM Enterprise Domain Server.
14 Administrator's Guide
v A central user registry, such as LDAP or a WebSphere Federated Repositories
registry, is the preferred method of authentication for the TADDM Enterprise
Domain Server. Using a central user registry, user passwords are stored in one
location.
v To use Microsoft® Active Directory as the authentication method for TADDM,
you need to configure TADDM to use WebSphere federated repositories and
then configure WebSphere federated repositories to use Active Directory.
v Access collections cannot span domains.
v Synchronization works from the domain to the TADDM Enterprise Domain
Server. Objects that are created in the TADDM Enterprise Domain Server are not
propagated to the domain.
v Create and populate access collections at the domain, and synchronize with the
TADDM Enterprise Domain Server.
v Create roles at the domain, and synchronize with the TADDM Enterprise
Domain Server.
v Authorize users at the TADDM Enterprise Domain Server to provide access to
access collections from multiple domains.
If you have an LDAP registry, you can use the users that are defined in the LDAP
registry without defining new users by configuring for LDAP. When you configure
for LDAP, you must create a user named administrator in your LDAP registry. This
administrator user is allowed to configure access to TADDM and grant other users
access to TADDM objects and services.
To configure an external LDAP server for user authentication, set the following
security-related properties in the collations.properties file:
v com.collation.security.usermanagementmodule
v com.collation.security.auth.ldapAuthenticationEnabled
v com.collation.security.auth.ldapHostName
v com.collation.security.auth.ldapPortNumber
v com.collation.security.auth.ldapBaseDN
v com.collation.security.auth.ldapUserObjectClass
v com.collation.security.auth.ldapUIDNamingAttribute
v com.collation.security.auth.ldapGroupObjectClass
v com.collation.security.auth.ldapGroupNamingAttribute
v com.collation.security.auth.ldapGroupMemberAttribute
v com.collation.security.auth.ldapBindDN
v com.collation.security.auth.ldapBindPassword
If your user registry is Active Directory, you must configure TADDM to use
federated repositories. You must configure TADDM to use WebSphere federated
repositories if you use other Tivoli products in your environment, and you require
single sign-on between TADDM and any of the following products:
v IBM Tivoli Change and Configuration Management Database (CCMDB) 7.1, or
later
v IBM Tivoli Business Service Manager 4.2, or later
v any other Tivoli integrated portal-based application
When configuring for WebSphere federated repositories, you must create a user
named administrator in your federated repositories registry. This administrator user
can configure access and grant other users access to objects and services.
16 Administrator's Guide
v vmm: for a user registry that uses the federated repositories of WebSphere
Application Server
For example, in the $COLLATION_HOME/etc/collation.properties file:
com.collation.security.usermanagementmodule=vmm
3. Specify the WebSphere host name and port in the collation.properties file.
For example:
com.collation.security.auth.websphereHost=localhost
com.collation.security.auth.webspherePort=2809
If you are manually configuring TADDM to use WebSphere federated
repositories, there is a configuration consideration:
v When specifying the WebSphere port in the collations.properties file, use
the following property: com.collation.security.auth.webspherePort. The
WebSphere port should be the bootstrap port for the WebSphere server. For
WebSphere Application Server and the embedded version of WebSphere
Application Server, the default port is 2809. For WebSphere Application
Server Network Deployment, which IBM Tivoli CCMDB uses, the default
port is 9809.
4. Specify the WebSphere administrator user name and password in the
collation.properties file. For example:
com.collation.security.auth.VMMAdminUsername=administrator
com.collation.security.auth.VMMAdminPassword=password
5. Make the following change to the authentication services configuration file:
v For the Linux, Solaris, AIX, and Linux on System z operating systems, the
file is located in the following path: $COLLATION_HOME/etc/
ibmessclientauthncfg.properties.
v For the Windows operating systems, the file is located in the following
path: %COLLATION_HOME%\etc\ibmessclientauthncfg.properties.
In the authnServiceURL property, substitute the fully qualified domain name of
the system your WebSphere instance is installed on and the HTTP port of the
WebSphere instance.
# This is the URL for the Authentication Service
authnServiceURL=http://localhost:9080/TokenService/services/Trust
6. Copy the WebSphere orb.properties and iwsorbutil.jar files into the JRE
used by your TADDM installation. For example in a TADDM Linux
installation, do the following:
a. Copy dist/lib/websphere/6.1/orb.properties to dist/external/
jdk-1.5.0-Linux-i686/jre/lib/.
b. Copy dist/lib/websphere/6.1/iwsorbutil.jar to dist/external/
jdk-1.5.0-Linux-i686/jre/lib/ext/.
7. Specify the WebSphere host name and port in the sas.client.props file:
v For the Linux, Solaris, AIX, and Linux on System z operating systems, file is
located in the following path: $COLLATION_HOME/etc/sas.client.props.
v For the Windows operating systems, file is located in the following path:
%COLLATION_HOME%\etc\sas.client.props, for example:
com.ibm.CORBA.securityServerHost=host1.austin.ibm.com
com.ibm.CORBA.securityServerPort=2809
Important: There are security configurations for Tivoli CCMDB that allow groups
and group memberships to be created and maintained in the Maximo®
user and group applications.
When Tivoli CCMDB is configured for this, TADDM uses its own,
separate repository from Tivoli CCMDB. Users must be created in both
Tivoli CCMDB/Maximo and TADDM.
You can use the users defined in an Active Directory registry, without defining
new users, by configuring TADDM to use WebSphere federated repositories and
then configuring WebSphere federated repositories for Active Directory.
When you configure for Active Directory, you must create a user named
administrator in the Active Directory registry. This administrator user is allowed to
configure access to TADDM and grant other users access to TADDM objects and
services.
18 Administrator's Guide
For more information on configuring TADDM for WebSphere federated
repositories, see “Configuring the TADDM server for WebSphere federated
repositories” on page 16.
2. Configure WebSphere federated repositories for Microsoft Active Directory.
For more information on configuring supported entity types in a federated
repository configuration, see the section called Configuring supported entity
types in a federated repository configuration in the WebSphere Application
Server Information Center.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/
com.ibm.websphere.nd.doc/info/ae/ae/twim_entitytypes.html
There are two mechanisms by which you can secure communications between an
authentication client and an authentication service:
v SSL
v Client authentication
To configure for SSL between the authentication client and the authentication
server, complete the following steps:
1. In WebSphere, navigate to SSL certificate and key mgmt → Manage endpoint
security configurations → Node1 → Key stores and certificates →
NodeDefaultTrustStore → Signer certificates
2. Export the WebSphere signer certificates to files (for example, signer1.cert and
signer2.cert).
3. Create a truststore and import the WebSphere signer certificates as follows:
C:\eWAS\java\bin>keytool -genkey -alias truststore -keystore truststore.jks
C:\eWAS\java\bin>keytool -import -trustcacerts -alias default
-file signer1.cert -keystore truststore.jks
C:\eWAS\java\bin>keytool -import -trustcacerts -alias dummyserversigner
-file signer2.cert -keystore truststore.jks
4. Copy the truststore.jks file to the TADDM directory. Include the truststore
password and location in the $COLLATION_HOME/collation.properties entries:
com.collation.security.auth.ESSClientTrustStore=/dist/etc/truststore.jks
com.collation.security.auth.ESSClientTrustPwd=password
After WebSphere application security is enabled, you can add the role called
TrustClientRole to the WebSphere administrator user that you specified during the
TADDM installation. This provides added security for the authentication service by
restricting the users that can authenticate to the authentication service to only
those with the TrustClientRole.
20 Administrator's Guide
Chapter 3. TADDM set up
When you set up Tivoli Application Dependency Discovery Manager (TADDM),
you need to meet prerequisites for starting the Product Console, configuring
firewalls, and starting the server.
During the set up, you might also have to stop the server, or need to back up and
restore files. Instructions for completing these tasks are provided in this section.
The Product Console must be run from a system that has the IBM Java 2 Platform
Standard Edition 5.0 or 6.0 available. Attempting to launch and run TADDM with
an unsupported JRE can produce unsatisfactory results.
To determine if you have the correct version of the Java platform, enter the
following command:
java -version
If the Java version is not IBM 1.5 or IBM 1.6, install the Java source from the
TADDM installation media. Instructions are listed below for each type of system
that you are using to run the TADDM Product Console.
v For Windows systems, complete the following steps:
1. Close all open browser windows.
2. From the TADDM installation DVD, copy the TADDM/ibm-java/windows/ibm-
java2–jre-version–win-i386.exe file to the system that you are using to log
into the TADDM Java Client.
3. Run the executable file to install the JRE on the system.
v For Solaris systems, complete the following steps:
1. Close all open browser windows.
2. From the TADDM installation DVD, copy the TADDM/collation/solaris.zip
file to the system that you are using to log into the TADDM Java Client.
3. Extract the dist/external/jdk/jdk-version–SunOS-sparc.zip file from the
solaris.zip file.
4. Extract the jdk-version–SunOS-sparc.zip file.
5. Configure the application type of your browser for ’JNLP File’ (Java Network
Launch Protocol) with the Java Web Start Launcher found in the
jdk-version–SunOS-sparc\jre\bin\javaws directory.
v For AIX systems, complete the following steps:
1. Close all open browser windows.
2. From the TADDM installation DVD, copy the TADDM/collation/aix.zip file
to the system you are using to log into the TADDM Java Client.
22 Administrator's Guide
http://system.company.com:9430
2. Provide users with their user name and password.
3. Specify whether users should use Secure Sockets Layer (SSL).
In cases where SSL is being used, instruct users to save a trust store for the
TADDM server by following the instructions on the Product Console
Installation and Start page. For more information, refer to the Tivoli Application
Dependency Discovery Manager Installation Guide.
Important: You should use SSL for all communication between the Product
Console and the TADDM server.
4. Users need to have the correct version of Java installed on the system that they
are using to view the Product Console.
5. Supply users with the IBM Tivoli Application Dependency Discovery Manager
User’s Guide, which includes information about how to install and start the
Product Console.
Open a Web browser and enter the URL and port number of the system where you
installed the TADDM server.
For example, you could enter something similar to the following URL:
http://system.company.com:9430
A window opens and the Administrator console is displayed on the page. It lists
the components of the TADDM server and their status.
Confirm that the computer running the Product Console is able to establish
connections to the TADDM server on the configured ports.
Table 1 lists the default ports. If you specified different ports during installation,
you must open the ports that you specified.
Table 1. Port configuration
Default port Protocol Use
9430 TCP Initial Web page and
Administrator Console -
Non-SSL
9431 TCP Initial Web page and
Administrator Console over
SSL
9433 TCP RMI Naming Service
9434 TCP Required only for SSL
communication
If all the default ports and the ports that you specified during installation are open
and the Product Console responds with the message of server is not running
when you log in, the TADDM server might be requesting that the client connect to
the wrong location. Complete the following steps:
1. Verify that the host identifies itself as its fully qualified host name.
2. Verify that the forward and reverse DNS mappings for the fully-qualified host
name match.
If this is not possible or practical, override the host name returned to the client
with an IP address. To override the host name returned to the client, change the
following property in the collation.properties file, for example:
com.collation.clientproxy.rmi.server.hostname=192.168.253.128
Table 2 describes the firewall ports you need to open on the Enterprise Domain
Server to enable communication between the Enterprise Domain Server and the
TADDM server.
Table 2. Communication ports used by the firewall
Default
port Description Direction
4160 The port used for communicating unicast discovery Outgoing
information. It is the listening port of the TADDM
database.
9430 The port used for communicating HTTP information. Outgoing
9433 The port used for communicating naming service Outgoing
information.
9435 The port used for communicating RMI information. Outgoing
9540 The port used for communicating security manager Outgoing
information in an enterprise environment.
9550 The port used for communicating topology manager Outgoing
information in an enterprise environment.
19430 The port used for communicating topology manager Outgoing
information.
19431 The port used for communicating change manager Outgoing
information.
19432 The port used for communicating API server information. Outgoing
24 Administrator's Guide
Table 2. Communication ports used by the firewall (continued)
Default
port Description Direction
19433 The port used for communicating user registry Incoming
information.
19434 The port used for communicating reports server Outgoing
information.
19435 The port used for communicating with the Enterprise Outgoing
Domain Server.
In addition, the default Enterprise Domain Server port value of 19435 is set in
$COLLATION_HOME/external/gigaspaces-4.1/policy/reggie.config.
import net.jini.jeri.tcp.TcpServerEndpoint;
import net.jini.jeri.BasicJeriExporter;
import net.jini.jeri.BasicILFactory;
com.sun.jini.reggie {
initialMemberGroups = new String[] { "${INITIAL_LOOKUP_GROUP}" };
persistenceDirectory = "${REGGIE_LOG_FILE}";
Important: A local or remote database server must be started and running before
the TADDM server is started. The TADDM server cannot initialize or
run properly if the database is not available.
Note: On a Windows Server 2008 system with User Account Control turned on,
open the command prompt window with administrator privileges. You
can do this by right-clicking on the Command Prompt icon and then
clicking Run as administrator.
3. Go to the directory where you installed the TADDM server.
4. Use one of the following commands to run the stop script:
v For Linux, Solaris, AIX, and Linux on System z operating systems:
$COLLATION_HOME/bin/control stop
v For Windows operating systems:
%COLLATION_HOME%\bin\control.bat stop
If you installed the TADDM server with root privileges, you can manually stop
the TADDM server by running the following script:
/etc/init.d/collation stop
26 Administrator's Guide
What to do next
Some sensors run in their own special Java Virtual Machine (JVM). When running
a discovery, if you use the control script (./control stop) to stop TADDM, you
might need to manually stop these additional JVMs, which are called local anchors.
If you do not stop the local anchors, unexpected behavior can result. For example,
there might be degraded performance of certain discoveries.
To verify that the process for the local anchor is no longer running, enter the
following command:
% ps -ef |grep -i anchor
This command identifies any local anchor processes that are running. The output
looks like the following code example:
coll 23751 0.0 0.0 6136 428 ? S Jun02 0:00 /bin/sh
local-anchor.sh 8494 <more information here>
After running the command, verify that the process stopped by running the
following command:
% ps -ef |grep -i anchor
TADDM: Running
--------------------------------
Doing a direct discovery requires an SSH server on each Windows target computer.
In addition, direct discovery using SSH requires the .NET 1.1 Framework on each
Windows target. .NET Framework 1.1 is not installed by default on Windows
Server 2000.
The following two properties in the collation.properties file control how Windows
discovery decides whether to use a gateway or SSH to discovery a particular
Windows target.
v com.collation.AllowPrivateGateways=true
The AllowPrivateGateways property controls whether a Windows computer
system can be discovered directly using SSH. If this property is false, then only
Gateway-based discovery can be used.
v com.collation.PreferWindowsSSHOverGateway=false
The PreferWindowsSSHOverGateway property controls which type of discovery
to use if a Windows computer system supports SSH. That is, even if a Windows
computer system supports SSH, this property (when false) uses Gateway-based
discovery. The PreferWindowsSSHOverGateway property is ignored if the
AllowPrivateGateways property is false.
By default, TADDM is configured, based on the default values of these two
properties, com.collation.AllowPrivateGateway and
com.collation.PreferWindowsSSHOverGateway, to only use Gateway-based
discovery.
Whether you use a Windows Gateway with WMI or direct connect with SSH, the
information that is retrieved is identical. You need to decide which method is best
suited for your environment. The following list identifies some things you need to
consider when making this decision:
28 Administrator's Guide
There are prerequisites for discovery using a gateway and WMI:
1. Requires a dedicated Windows Server 2003 computer system to serve as the
gateway.
2. The gateway should be in the same firewall zone as the Windows computers to
be discovered.
3. You must install a supported version of an SSH server on the gateway
computer system.
4. The gateway uses remote WMI to discovery each Windows target. In addition,
a WMI Provider is automatically deployed to each Windows target computer
system during the discovery initialization. The WMI Provider is used to
discover data not included in the core WMI. Enable WMI on the Windows
target computer system to be discovered. By default, on most Windows 2000
and later systems, WMI is enabled.
Note: TADDM supports Bitvise WinSSHD 4.06 through 4.28 and 5.09 or later. If
you use TADDM with a different version of Bitvise, problems might occur.
For gateway-based discovery, the Cygwin SSH daemon must be installed on the
gateway system; for direct SSH discovery, the daemon must be installed on each
Windows system. Your Cygwin installation must include the following packages:
v From the admin category: cygrunsrv (version 1.17–1 or later).
v From the net category: opensshd (version 4.6p 1–1 or later).
30 Administrator's Guide
If the WMI service is restarted, all WMI dependent services that were running
before the restart are also restarted. These restarts are controlled by the following
collation.properties settings:
com.collation.RestartWmiOnAutoDeploy=false
com.collation.RestartWmiOnAutoDeploy.1.2.3.4=false
Restart WMI if a WMI error is encountered during AutoDeploy of the
TADDM WMI Provider.
com.collation.RestartWmiOnFailure=false
com.collation.RestartWmiOnFailure.1.2.3.4=false
Restart WMI if a WMI error is encountered (except during AutoDeploy).
Note: The default value for WMI restart is false. Setting these values to true may
provide more reliable Windows discovery. This must be weighed against the
potential negative impact of a WMI service temporarily being stopped and
restarted.
You can use a text editor to edit an XML file which defines for TADDM how to
locate, connect and authenticate to the remote data source. After the federation
information is defined and the TADDM server restarted, the federated data can be
accessed using the custom query function found in the TADDM Product Console.
If it becomes necessary to federate with federated data sources that are not
accessed using JDBC, then a more advanced federation configuration is needed.
Use the Websphere Federation Server to federate with the non-JDBC data sources.
Important: Ensure that the federated data source that you are configuring is
started and available.
The following example illustrates how to add federated tables using the
lightweight federation capability which is built into TADDM:
1. Navigate to the following directory:
v For Linux, Solaris, AIX, and Linux on System z operating systems,
$COLLATION_HOME/etc/cdm/adapters
v For Windows operating systems, %COLLATION_HOME%\etc\cdm\adapters
2. Copy the existing views.xml file to a backup file. If you need to restore the
original file, use the backup file.
Important:
v Even though the views.xml file contains the comments ″DO NOT
EDIT THIS FILE″, it is safe to edit this file when you have a
backup copy.
To access your federated data source data through the Custom Query item in the
Domain Manager, complete the following steps:
1. Log in to the Domain Manager.
2. From the Analytics tab, select Custom Query.
3. From the Custom Query pane, in the DataSource list, part of the Component
Type section, perform the following steps:
Important: The list of federated data sources in the DataSource list should be
the views that you added to the views.xml file.
a. Select localhost as the TADDM component from which to query. The
Component list is populated with the components that are associated with
localhost.
b. In the Component list, select the component to query from the localhost
DataSource and click Add. The selected component is added to the input
box on the right side of the Component Type section.
c. Select externalAdapter as the federated data source component with which
to federate. The Component list is populated with the components that are
associated with externalAdapter DataSource.
d. In the Component list, select the federated data source component to
federate with from the externalAdapter DataSource and click Add. The
selected component is added to the input box on the right side of the
Component Type section.
4. In the Attributes section of the Custom Query pane, create a query that joins
the TADDM table data with the federated data source data.
32 Administrator's Guide
Important: Any time a join is performed with an federated data source, the
federated data source must be located on the right hand side of the
query. Only the local TADDM components can be specified on the
left hand side of the query.
5. To see the report results, click Run Query.
What to do next
For more information on running queries, see Creating a custom query report in
IBM Tivoli Application Dependency Discovery Manager User’s Guide.
Backing up data
Back up your data on a regular basis so you can recover from a system failure.
To back up files for the TADDM server, save all the files in the directory where
you installed the TADDM server:
v For Linux, Solaris, AIX, and Linux on System z operating systems, the default
path to the directory is /opt/IBM.
v For Windows operating systems, the default path to the directory is C:\opt\IBM.
What to do next
To backup the database files, use the documentation provided by the database
vendor.
Restoring data
Following a system failure, you can restore the configuration, data, and database
files. As a result, you can resume operation from the point of the last backup prior
to the failure.
If the database is affected by the system failure, restore the database files using the
documentation from the database vendor.
34 Administrator's Guide
Chapter 4. Configuring your environment for discovery
Complete these steps to optimize the information that TADDM gathers from your
environment during discoveries.
The specific configuration tasks required depend upon the level of discovery you
need to support in your environment.
What to do next
In addition to configuring your environment for discovery, you must also complete
any required TADDM sensor setup and access list configuration.
For information about how to run a discovery, including defining a scope and
setting a schedule, refer to the Tivoli Application Dependency Discovery Manager
User’s Guide.
Discovery overview
Discovery is a multilevel process that collects configuration information about the
IT infrastructure, including deployed software components, physical servers,
network devices, virtual LANs, and host data that is used in the runtime
environment.
Discovery profiles
You can control what is discovered by using discovery profiles.
By selecting the appropriate profile, you can control the depth of discovery, or
discovery level. There are four discovery profiles. Three of them correspond to
discovery levels, and one is a utilization profile:
Level 1
Level 1 discovery (also called a ″credential-less″ discovery) discovers basic
information about the active computer systems in the environment. This
level of discovery uses the Stack Scan sensor and does not require any
operating-system or application credentials.
Level 1 discovery is very shallow and captures only the host name,
operating system, IP address, fully qualified domain name, and Media
Access control (MAC) address of each discovered interface. (MAC address
discovery is limited to Linux on System z and Windows systems). Level 1
discovery does not discover subnets; for any discovered IP interfaces that
do not belong to an existing subnet discovered during Level 2 or Level 3
discovery, new subnets are created based on the value of the
com.collation.IpNetworkAssignmentAgent.defaultNetmask property in
the collation.properties configuration file.
Level 2
Level 2 discovery captures detailed information about the active computer
systems in the environment, including operating-system details and
shallow application information (depending on the value of the
com.collation.internalTemplatesEnabled property in the
collation.properties configuration file). This level of discovery requires
operating-system credentials.
Level 2 discovery captures application names, as well as computer systems
and ports associated with each running application. If an application has
established a TCP/IP connection to another application, this is captured as
a dependency.
36 Administrator's Guide
Level 3
Level 3 discovery captures information about the entire application
infrastructure, including physical servers, network devices, virtual LANs,
host configuration, deployed software components, application
configuration, and host data used in the environment. This level of
discovery requires application operating-system and application
credentials.
Utilization discovery
Utilization discovery captures utilization information for the host system.
To run a utilization discovery, you must have computer system credentials.
Note: Level 2 and Level 3 discoveries capture more detailed information than
Level 1 discoveries. Therefore, if objects created during a Level 2 or Level 3
discovery match objects previously created by a Level 1 discovery, the Level
1 objects are replaced by the newly created objects. This causes the object
GUIDs to change, so in general, Level 1 data should not be used for
integration with other products.
For detailed information on discovery profiles, see Best practices for Discovery
Profiles and User Scenarios on the TADDM wiki at http://www.ibm.com/
developerworks/wikis/display/tivoliaddm/A+Flexible+Approach+to+Discovery
For instructions about how to use discovery profiles, see the section on Using
discovery profiles in the Tivoli Application Dependency Discovery Manager User’s Guide.
Related tasks
“Configuring for Level 1 discovery”
Some minimal configuration is required for Level 1 discovery (credential-less
discovery), which scans the TCP/IP stack to gather basic information about active
computer systems.
“Configuring for Level 2 discovery” on page 38
In addition to the requirements for Level 1 discovery, Level 2 discovery requires
additional configuration to support discovery of detailed host configuration
information.
“Configuring for Level 3 discovery” on page 43
In addition to the requirements for Level 2 discovery, Level 3 discovery requires
additional configuration to support discovery of application configuration and host
data.
Level 1 discovery uses the Stack Scan sensor. For detailed information about Nmap
and the Stack Scan sensor, see the “Stack Scan sensor” topic in the TADDM Sensor
Reference.
For Level 1 discovery, you must configure the network devices in your
environment that you want the TADDM server to discover. To do this, complete
the following steps:
1. Depending on your SNMP version, record the following information for use
with the TADDM server:
v For SNMP V1 and V2: record the SNMP MIB2 GET COMMUNITY string.
v For SNMP V3: record the SNMP user name and password.
2. Assign permission for MIB2 System, IP, Interfaces, and Extended Interfaces.
Related concepts
“Discovery overview” on page 35
Discovery is a multilevel process that collects configuration information about the
IT infrastructure, including deployed software components, physical servers,
network devices, virtual LANs, and host data that is used in the runtime
environment.
“Discovery profiles” on page 36
You can control what is discovered by using discovery profiles.
The following list shows the minimum requirements that apply to the target
computer systems that you want TADDM to discover:
Secure Shell (SSH)
You can use either OpenSSH, or the vendor-supplied version of SSH that
comes with the operating system. For more information on Windows
operating systems, see “Windows Management Instrumentation (WMI)
dependency” on page 30.
LiSt Open Files (lsof)
To provide complete information on dependencies, install the LiSt Open
Files (lsof) program on all target computer systems according to the
requirements in Table 3 on page 39.
38 Administrator's Guide
Table 3. Requirements for running the lsof program
Operating Requirement for running lsof
system program Where to obtain the lsof program
AIX One of the following v http://ftp.unicamp.br/pub/unix-tools/
requirements must be met: lsof/binaries/aix/
v The setuid (set user ID) access v http://www.ibm.com/developerworks/
right flag must be set for the aix/library/au-lsof.html
lsof program file.
v http://www-03.ibm.com/systems/p/
v The user must be in the system os/aix/linux/toolbox/download.html
and sys groups, which allow
v http://www.bullfreeware.com/
read access to the /dev/mem and
/dev/kmem files.
v The user must use the sudo
command to run the lsof
program.
HPUX One of the following v http://hpux.connect.org.uk/hppd/cgi-
requirements must be met: bin/search?package=&term=/lsof
v The setuid (set user ID) access v http://www.ibm.com/developerworks/
right flag must be set for the aix/library/au-lsof.html
lsof program file.
.
v The user must use the sudo
command to run the lsof
program.
Linux One of the following v http://rhn.redhat.com
requirements must be met:
v The setuid (set user ID) access
right flag must be set for the
lsof program file.
v The user must use the sudo
command to run the lsof
program.
Solaris One of the following v http://sunfreeware.com
requirements must be met:
v The user must be in the sys
group.
v The setgid (set group ID)
access right flag must be set for
the lsof program file.
v The user must use the sudo
command to run the lsof
program.
Tru64 One of the following Refer to the Open Source disc provided
requirements must be met: with the operating system
v The setuid (set user ID) access
right flag must be set for the
lsof program file.
v The user must use the sudo
command to run the lsof
program. For TADDM, the
Tru64 dop command does not
serve the same function that
the sudo command does.
SUNWscpu
(Solaris environment only)
To provide complete information on processes, install the SUNWscpu
(Source Compatibility) package.
For other commands that use sudo, see “Commands that might require elevated
privilege” on page 76.
Related reference
“Commands that might require elevated privilege” on page 76
These properties specify the operating system commands used by TADDM that
might require elevated privilege, root or superuser, to run on the target system.
To simplify the discovery setup, create the same service account on each target
computer system that you want to discover. The service account must allow access
to all resources on the target computer system that TADDM needs to discover.
TADDM requires read-only access to the target computer system. A service account
with non-root privilege can be used. However, some operating system commands
used during discovery might require elevated privilege, root or superuser, in order
to run on the target computer system. There are a couple different strategies that
you can use to allow this elevated privilege. For more information on elevated
privilege, see “Commands that might require elevated privilege” on page 76.
Complete one of the following procedures to create a service account on the target
computer system:
1. For a Linux, Solaris, AIX, and Linux for System z operating system, assume
that the service account name is coll and use the following commands to create
the service account:
# mkdir -p /export/home/coll
# useradd -d /export/home/coll -s /bin/sh \
-c "Service Account" -m coll
# chown -R coll /export/home/coll
2. For a Windows computer system, create a service account that is a member of
the local administrator’s group. This account can be a local account or a
domain account. Because TADDM relies on WMI for discovery, the account
must have access to all WMI objects on the local computer. The service account
must be created on the Windows Gateway and all target Windows computer
systems.
40 Administrator's Guide
Related reference
“Commands that might require elevated privilege” on page 76
These properties specify the operating system commands used by TADDM that
might require elevated privilege, root or superuser, to run on the target system.
Although you can use any of the authentication methods, the SSH2 key-based
login is preferred. The server automatically tries each method in the order listed
previously and uses the first method that works successfully. The TADDM server
then uses the same method with that host for the entire discovery run.
Depending on the version of SSH that you are using, SSH key-based login uses the
keys shown in Table 4:
Table 4. SSH keys
SSH Version/Algorithm Private Key Public Key
Openssh/SSH2/RSA $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa.pub
Openssh/SSH2/DSA $HOME/.ssh/id_dsa $HOME/.ssh/id_dsa.pub
Openssh/SSH1/RSA $HOME/.ssh/identity $HOME/.ssh/identity.pub
Commercial/SSH2/RSA $HOME/.ssh2/id_dss_1024_a $HOME/.ssh2/id_dss_1024_a
.pub
You can also generate a public/private key pair using OpenSSH, version 2. To
generate a public/private key pair using an SSH program other than OpenSSH or
another version of OpenSSH, refer to the SSH documentation. To generate a
public/private key pair using OpenSSH, version 2, complete the following steps:
1. Log in as the owner of the TADDM server.
2. To generate the SSH key, enter the following command:
$ ssh-keygen -t rsa
Accept the command defaults. TADDM supports key pairs with or without a
passphrase
3. On each target computer system where you want to allow for a key-based
login, insert the contents of the id_rsa.pub file into the $HOME/.ssh/
authorized_keys file for the service account. Certain SSH2 implementations
generate the keys in a directory other than $HOME/.ssh. If your SSH
implementation generates the keys in a different directory or with a different
name, copy, link, or move the private key file to the $HOME/.ssh/id_rsa or
$HOME/.ssh/id_dsa directory, depending on the algorithm.
Before you use the Product Console, ensure that all services that are listed under
the Administrator’s Console on the TADDM Launch page have started.
Start the Product Console with Establish a secure (SSL) session option selected
before you set up the access list. This option encrypts all data, including access list
user names and passwords, before the data is transmitted between the Product
Console and the TADDM server.
To set up password authentication with Secure Shell (SSH), complete the following
steps:
1. Start the Product Console. Select the Establish a secure (SSL) session check
box.
2. Add a new access list entry and specify the login name and password. See the
section on Adding a new access list entry in the TADDM User’s Guide for
details.
TADDM discovers the management console using SSH. The discovery scope must
include the IP address of the management console and the Access List must
include an entry of type Computer System with the proper credentials (user name
and password) specified.
In addition to the user credentials, the discovery user must be defined on the
management console with the following minimal permissions:
v Hardware Management Console (HMC)
42 Administrator's Guide
– For an HMC management console, a user based on the hmcoperator role is
needed. For example, create a new role called taddmViewOnly based on the
hmcoperator role. In addition, the following command line tasks must be
assigned to the new role:
Managed System
Needed to use the lshwres and lssyscfg commands
Logical Partition
Needed to use the lshwres, lssyscfg, and viosvrcmd commands.
HMC Configuration
Needed to use the lshmc comand.
v Integrated Virtualization Manager (IVM).
For an IVM management console, a user with the View Only role is needed.
Level 3 discovery uses the Citrix server sensor. For detailed information about the
Citrix server sensor, see the “Citrix server sensor” topic in the TADDM Sensor
Reference.
Related concepts
“Discovery overview” on page 35
Discovery is a multilevel process that collects configuration information about the
IT infrastructure, including deployed software components, physical servers,
network devices, virtual LANs, and host data that is used in the runtime
environment.
“Discovery profiles” on page 36
You can control what is discovered by using discovery profiles.
This section provides the steps for configuring Web and application servers.
The Microsoft IIS server does not require configuration. There are no access
requirements. The user account that is already established on the host is sufficient.
For the Apache Web server, ensure that the TADDM server has read permission to
the Apache configuration files, such as the httpd.conf file.
For the Sun iPlanet Web server, ensure that the TADDM server has read
permission to the iPlanet configuration files.
For Lotus® Domino® servers, ensure that the following requirements of the
TADDM software are met in order to access Domino servers:
v The IIOP server must be running on at least one Domino server for each
Domino domain.
44 Administrator's Guide
v <OracleAppServerHome>/j2ee
v <OracleAppServerHome>/j2ee/home
v <OracleAppServerHome>/opmn
v <OracleAppServerHome>/opmn/lib, where an example of
<OracleAppServerHome> is /home/oracle/product/10.1.3/OracleAS_1
If the Windows service ID for the TADDM service account has sufficient
permissions to discover a Microsoft Exchange server, the sensor will use the
Windows service ID and a separate Microsoft Exchange server access list entry is
not required.
If the Windows service ID for the TADDM service account does not have sufficient
permissions to discover a Microsoft Exchange server, you must complete the
following steps to create a separate Microsoft Exchange server access list:
1. In the Functions pane of the Product Console, click Discovery → Access List to
display the Access List pane.
2. Click Add to display the Access Details pane.
3. In the Component Type list, select Messaging Servers.
4. In the Vendor list, select Microsoft Exchange Server.
5. Click OK. The updated information is displayed in the Access List pane.
To configure VMware servers, versions 2.5x and 3.0 for discovery, set the read-only
permissions for the non-root TADDM service account in the VMware ESX console.
46 Administrator's Guide
3) Enter the Name, User Name, and Password.
d. Click OK to save your information. The Access List pane is displayed with
the new information.
Use the following command to create a Sybase user that is a member of sa-role.
sp_role "grant",sa_role,IBM
Ensure that the Sybase IQ user is a member of DBA. If the Sybase IQ user is not a
member of DBA, the Sybase IQ database-specific information cannot be found.
Typically, the Discovery Library store is located on the TADDM server. If you do
not set up the Discovery Library store on the TADDM server, then you must make
sure the TADDM bulk load program that runs on the TADDM server can access
the Discovery Library store. If using a remote system for the store, there is no
requirement as to the particular computer or operating system that acts as the
Discovery Library store. The computer that hosts the Discovery Library store does
not need to be exclusive. Other applications can run on the same computer that
hosts the Discovery Library store. Each Discovery Library Adapter writes XML
files that contain resource information in a particular XML format called the
Identity Markup Language, or IDML. Any XML file that is written in the IDML
format is commonly referred to as a book. For information on the IDML
specification and additional details on the Discovery Library store, refer to the
Discovery Library Adapter Developer’s Guide.
If you are creating a Discovery Library store and want to set up a TADDM
Domain Database to contain Discovery Library Adapter books, a local drive on the
TADDM Domain Server can be the networked Discovery Library store. This
directory should be defined in the following file on the TADDM Domain Server
where the data is loaded:
v For Linux, Solaris, AIX, and Linux on System z operating systems:
$COLLATION_HOME/etc/bulkload.properties
v For Windows operating systems: %COLLATION_HOME%\etc\bulkload.properties
If you have multiple TADDM Domain Servers, configure the correct bulk loader
program to access the corresponding shared directory. The bulk loader does not
delete XML files from the Discovery Library store. You must maintain the files in
the discovery library store and ensure that there is enough disk space on the server
for the files in the directory. If new XML files are added to the directory frequently,
you should regularly clean up the directory.
If you have a TADDM Enterprise Domain Database environment, you must choose
from the following options:
v If the scope of books matches exactly with each TADDM Domain Server, load
each book into the matching TADDM Domain Server.
v If the scope of books do not match exactly with each TADDM Domain Server,
load all books into the TADDM Enterprise Domain Server.
You can see the Tivoli collection of books that can load the TADDM database with
data from other Tivoli products on the IBM Tivoli Open Process Automation
Library (OPAL) Web site at: http://catalog.lotus.com/wps/portal/tccmd.
DLAs are specific to a particular product, because each product has a distinct
method of accessing the resources from the environment. The configuration and
installation of a DLA is different for every application. A typical DLA is installed
on a system that has access to the data of a particular application. For example, the
DLA for IBM Tivoli Monitoring is installed on a computer that has access to the
IBM Tivoli Monitoring enterprise management system database. All DLAs are run
using the command-line interface and can be scheduled to run using any type of
scheduling program in your environment (for example, cron).
You can create a DLA to extract information from existing products or databases in
your environment. For more information on how to create a Discovery Library
Adapter, refer to the Discovery Library Adapter Developer’s Guide.
IdML schema
The discovery library uses an XML specification called Identification Markup
Language (IdML) to enable data collection. Access to the IdML code is provided
through the discovery library adapters.
50 Administrator's Guide
The XML Schema Definition (XSD) describes the operations that are necessary to
take data about resource and relationship instances from an author and instantiate
it into the repository of a reader. This schema defines the operations that occur on
instances of resources and relationships. To facilitate future model versions and
updates, this schema references an external schema, the Common Data Model, to
define the resource and relationships. All files that are in the Discovery Library
conform to the IdML schema. Books in the Discovery Library that do not validate
against the IdML schema are in error and cannot be used by readers. TADDM is
an example of a reader.
The IdML schema is designed to separate the operations from the model
specification to enable the schema to handle updates to the model specification
without changing the IdML schema. The TADDM reader treats the individual
elements within the operations as a transaction.
There are some differences between IdML files and TADDM XML files. The
following table summarizes the differences.
Table 6. Differences between IdML books and TADDM XML files
IdML books TADDM XML files
IdML is a standard that supports objects TADDM XML files is an application format
defined in the Common Data Model. ACLs, that supports objects defined in the
users, scopes, and schedules are not Common Data Model and TADDM. ACLs,
supported. users, scopes, and schedules are supported.
Operation codes include delta (default), and There are no operation codes. The delta
refresh. behavior is the default.
In-file MSS information is supported. MSS information can be provided through
the command line.
Relationships have to be defined explicitly. Implicit relationships can and must also be
defined.
XML objects are not nested. XML objects are nested.
Virtual, relative IDs are supported. Relative IDs are not supported. Real
Relationships can link configuration items objectGUID is supported. Relationships must
defined with relative IDs. link configuration items identified with
GUID or naming attributes.
Network tuning
The following is a summary guideline for tuning the network:
The network can influence the overall performance of your application, but usually
exposes itself when there is a delay in the following situations:
v The time between when a client system sends a request to the server and when
the server receives this request.
v The time between when the server system sends data back to the client system
and the client system receives the data.
After a system is implemented, the network should be monitored, to assure that its
bandwidth is not being consumed more than 50%.
Database tuning
Tuning the database is critical to the efficient operation of any computer system.
The default database configurations that are provided with the product are
sufficient for proof of concept, proof of technology, and small pilot
implementations of TADDM.
If your organization does not have the skills available to monitor and tune your
database systems, consider contacting IBM Support or another vendor for resources
to perform this important task.
For more information on both DB2 and Oracle database tuning, refer to Database
Performance Tuning on AIX at http://www.redbooks.ibm.com/redbooks/pdfs/
sg245511.pdf.
54 Administrator's Guide
command on your database tables before there is data in them results in
the catalog statistics reflecting 0 rows in the tables. This generally causes
the DB2 optimizer to perform table scans when accessing the tables, and
to not use the available indexes, resulting in poor performance.
b. The DB2 product provides functions to automate database maintenance
using database configuration parameters. You need to evaluate the use of
these parameters in your environment to determine if they fit into your
database maintenance process. In a typical production environment, you
want to control when database maintenance activities occur (for example,
database maintenance activities are typically performed during off-peak
hours to prevent major problems with the database).
The following list describes some of the database configuration
parameters:
– Automatic maintenance (AUTO_MAINT): This parameter is the
parent of all the other automatic maintenance database configuration
parameters (auto_db_backup, auto_tbl_maint, auto_runstats,
auto_stats_prof, auto_prof_upd, and auto_reorg). When this parameter
is disabled, all of its child parameters are also disabled, but their
settings, as recorded in the database configuration file, do not change.
When this parent parameter is enabled, recorded values for its child
parameters take effect. In this way, automatic maintenance can be
enabled or disabled globally.
- The default for DB2 V8 is OFF.
- The default for DB2 V9 is ON.
- (Important) Set this parameter to OFF until you populate your
database tables as previously explained.
UPDATE db cfg for dbname using AUTO_MAINT OFF
– Automatic table maintenance (AUTO_TBL_MAINT): This parameter is
the parent of all table maintenance parameters (auto_runstats,
auto_stats_prof, auto_prof_upd, and auto_reorg). When this parameter
is disabled, all of its child parameters are also disabled, but their
settings, as recorded in the database configuration file, do not change.
When this parent parameter is enabled, recorded values for its child
parameters take effect. In this way, table maintenance can be enabled
or disabled globally.
– Automatic runstats (AUTO_RUNSTATS): This automated table
maintenance parameter enables or disables automatic table runstats
operations for a database. A runstats policy (a defined set of rules or
guidelines) can be used to specify the automated behavior. To be
enabled, this parameter must be set to ON, and its parent parameters
must also be enabled.
c. There is a program in the /dist/bin directory called gen_db_stats.jy.
This program outputs the database commands for either an Oracle or
DB2 database to update the statistics on the TADDM tables. The
following example shows how the program is used:
1) Run the following command:
cd TADDM_install_dir/dist/bin
2) Run the following command, where tmpdir is a directory where this
file can be created:
./gen_db_stats.jy > tmpdir/TADDM_table_stats.sql
3) Copy the file to the database server and run the following command:
db2-tvf tmpdir/TADDM_table_stats.sql
56 Administrator's Guide
The following list includes important DB2 database configuration parameters
that might need to be adjusted, depending on data volumes, usage, and
deployment configuration:
v DBHEAP
v NUM_IOCLEANERS
v NUM_IOSERVERS
v LOCKLIST
3. The following list includes important DB2 database manager parameters that
might need to be adjusted, depending on data volumes, usage, and deployment
configuration:
v ASLHEAPSZ
v INTRA_PARALLEL
v QUERY_HEAP_SZ
v RQRIOBLK
4. Set the following DB2 Registry Variables:
v DB2_PARALLEL_IO
This enables parallel I/O operations.
This is applicable only if your table space containers and hardware are
configured appropriately.
v DB2NTNOCACHE=ON - (Windows only)
v DB2_USE_ALTERNATE_PAGE_CLEANING
5. Database logs:
v Tune the Log File Size (logfilsiz) database configuration parameter so that
you are not creating excessive log files.
v Use Log Retain logging to ensure recoverability of your database.
v Mirror your log files to ensure availability of your database system.
v Modify the size of the database configuration Log Buffer parameter
(logbufsz) based on the volume of activity. This parameter specifies the
amount of the database heap to use as a buffer for log records before writing
these records to disk. Buffering the log records results in more efficient
logging file I/O because the log records are written to disk less frequently,
and more log records are written at a time.
6. Modify the PREFETCHSIZE on the table spaces based on the following
formula. An ideal size is a multiple of the extent size, the number of physical
disks under each container (if a RAID device is used) and the number of table
space containers. The extent size should be fairly small, with a good value
being in the range of 8 - 32 pages. For example, for a table space on a RAID
device with 5 physical disks, 1 container (suggested for RAID devices) and an
EXTENTSIZE of 32, the PREFETCHSIZE should be set to 160 (32 x 5 x 1).
For more information on DB2 database tuning, refer to Database Performance Tuning
on AIX at http://www.redbooks.ibm.com/redbooks/pdfs/sg245511.pdf, Relational
Database Design and Performance Tuning for DB2 Database Servers at
http://catalog.lotus.com/wps/portal/topal/details?catalog.label=1TW10EC02, and
DB2 UDB Version 8 Product Manuals at http://www-01.ibm.com/support/
docview.wss?rs=71&uid=swg27009554.
RUNSTATS command
You can update DB2 statistics using the RUNSTATS command. You should run the
command after any task significantly changes database contents, for example, after
a discovery or bulk load.
In general, you should run the RUNSTATS command once a week. This task can
be completed manually, or using the DB2 facility to automatically enable the
RUNSTATS command.
There is sample script that you can use to enable the RUNSTATS command. You
can use the sample provided to design your own production scripts. Using a
production script that you develop, you can automate the process so that the
RUNSTATS command runs on all of the TADDM database tables with one
command.
For Linux, Solaris, AIX, and Linux on System z operating systems, the example
script is located in the following path: $COLLATION_HOME/bin/
runstatus_db2_catalog.sql
For Windows operating systems, the example script is located in the following
path: %COLLATION_HOME%\bin\runstatus_db2_catalog.sql
The following commands are an example of how you can run the example script:
su - db2 instance owner
db2 connect to cmdb
db2 -stf runstats_db2_catalog.sql
You should develop your own production script to run the RUNSTATS command
for your environment at an appropriate frequency to ensure good database
performance.
Query optimizer
The DB2 query optimizer benefits from having recent statistics for the TADDM
tables. For example, the query optimizer can help estimate how much buffer pool
is available at run time.
For Linux, Solaris, AIX, and Linux on System z operating systems, the example
script is located in the following path: TADDM_install_dir/dist/bin/
gen_db_stats.jy
For Windows operating systems, the example script is located in the following
path: TADDM_install_dir\dist\bin\gen_db_stats.jy
The following commands are an example of how you can run the script:
cd TADDM_install_dir/dist/bin
./gen_db_stats.jy >tmpdir/TADDM_table_stats.sql
When these command have completed, copy the file to the database server and
run the following command:
DB2: db2 -tvf
xOracle: sqlplus
Related tasks
Chapter 8, “Database maintenance,” on page 69
To avoid performance problems, perform database maintenance tasks on a regular
basis.
The two major areas for tuning are attribute discovery rate and storage.
v Attribute discovery rate: This is the area with the most potential for tuning. In
this file, the property with the most impact on performance is the number of
discovery worker threads.
– #Max number of discovery worker threads
com.collation.discover.dwcount=16
By observing a discovery run and comparing the number of in progress sensors
that are in the started stage versus the number of in progress sensors in the
discovered or storing stages, an assessment can be made on whether attribute
discovery is faster or slower than attribute storage for a particular environment.
As with all changes to the collation.properties file, the server must be
restarted for the change to take effect.
v Storage: Storage of the discovery results is the discovery performance bottleneck,
if the number of sensors in the storing state is approximately the value of the
property:
– com.collation.discover.observer.topopumpcount
This property is the number of parallel storage threads. It is one of the main
settings for controlling discovery storage performance and must be adjusted
carefully.
60 Administrator's Guide
For more information on discovery parameters tuning, refer to Tuning Discovery
Performance at http://catalog.lotus.com/wps/portal/topal/
details?catalog.label=1TW10CC0G.
Fragmentation of the Java heap can occur as the number of objects that are
processed increases. There are a number of parameters that you can set to help
reduce fragmentation in the heap.
v A kCluster is an area of storage that is used exclusively for class blocks. It is
large enough to hold 1280 entries. Each class block is 256 bytes long. This
default value is usually too small and can lead to fragmentation of the heap. Set
the kCluster parameter, -Xk, as follows to help reduce fragmentation of the
There are a few additional parameters that can be set that affect Java performance.
To change an existing JVM option to a different value, edit one of the following
files:
v <TADDM_install_dir>/dist/deploy-tomcat/ROOT/WEB-INF/cmdb-context.xml file
v If eCMDB is in use, edit the <TADDM_install_dir>/dist/deploytomcat/ROOT/WEB-
INF/ecmdb-context.xml file.
To edit one of these files to change the settings for one of the TADDM services,
first find the service in the file. The following is an example of the beginning of a
service definition in the XML file:
<bean id="Discover"
class='com.collation.platform.jini.ServiceLifecycle"initmethod="start"
destroy-method="stop">
<property name="serviceName">
<value>Discover</value>
</property>
Within the definition, there are some elements and attributes that control the JVM
arguments. For example:
<property name="jvmArgs">
<value>-Xms8M;-Xmx512M;
-Djava.nio.channels.spi.SelectorProvider=sun.nio.ch.PollSelectorProvider
</value>
</property>
The JVM arguments can be set as a semicolon separated list in the following
element:
<property name="jvmArgs"><value>
62 Administrator's Guide
Sun Java Virtual Machine (JVM) parameters tuning
When using the Sun JVM, make the following changes:
v Implement these changes in the collation.properties file by adding entries in
the JVM Vendor Specific Settings section. For example, to implement these
changes for the Topology server, add the following line:
com.collation.Topology.jvmargs.sun=-XX:+MaxPermSize=128M -XX:+DisableExplicitGC
-X:+UseConcMarkSweepGC -XX:+HeapDumpOnOutOfMemoryError
Note: These guidelines are based on the number of server equivalents (SEs) in
your environment. A server equivalent is a representative unit of Information
Technology (IT) infrastructure, defined as a computer system (with standard
configurations; operating system, network interfaces, storage interfaces)
installed with server software, such as a database (such as DB2 or Oracle), a
Web server (such as Apache or IPlanet) or an application server (such as
WebSphere or WebLogic). An SE also accounts for network, storage and
other subsystems that provide services to the optimal functioning of the
server. Each SE consists of a number of Configuration Items (CIs).
v Small environment (fewer than 1000 SEs):
– com.collation.gui.initial.heap.size=128m
– com.collation.gui.max.heap.size=512m
v Medium environment (1000–2500 SEs):
– com.collation.gui.initial.heap.size=256m
– com.collation.gui.max.heap.size=268m
v Large environment (2500–5000 SEs):
– com.collation.gui.initial.heap.size=512m
– com.collation.gui.max.heap.size=1024m
Important: For more information on scopes and how to set them, see the
section on Setting the discovery scope in the IBM Tivoli Application
Dependency Discovery Manager User’s Guide.
2. Determines if there is a method of establishing a session to the IP device. Tries
to establish a TCP connection on several ports (including 22 and 135) in order
to determine how best to proceed in discovering the host.
3. Tries to establish an SSH connection using credentials from the access list, if an
SSH port was open.
a. Access list entries of type computer system or windows computer system are
tried from the access list, in sequence, until an entry works or the list is
exhausted.
b. If a WMI port was open, an SSH connection is established with a gateway
computer system (provided one can be found for the target). Access list
You can globally disable a sensor even if the sensor has been enabled by a profile.
You can also globally enable a sensor and allow the setting in the profile to work.
For example, if a sensor is globally enabled and the profile enables the sensor, the
sensor runs. If the sensor is globally enabled, but disabled in the profile, the sensor
does not run when the aforementioned profile is selected for discovery.
For the global enabling (and disabling) to work for sensors that have an osgi
directory (/opt/IBM/cmdb/dist/osgi/plugins), the AgentConfigurations in the osgi
directory need to be changed.
For example, for the Db2Sensor, look for these paths to the files:
v /opt/IBM/cmdb/dist/osgi/plugins/
com.ibm.cdb.discover.sensor.app.db.db2_7.1.0/Db2Sensor.xml
v /opt/IBM/cmdb/dist/osgi/plugins/
com.ibm.cdb.discover.sensor.app.db.db2windows_7.1.0/Db2WindowsSensor.xml
When editing the XML files, to enable the sensor, set enabled to true. To disable the
sensor, set enabled to false.
For sensors that do not use the osgi/plugin directory, the configuration
information is stored in the sensor configuration XML file, in the
etc/discover-sensors directory.
Sensor logging
Important: If you do not set this property to true, default logging for all sensors is
put into the $COLLATION_HOME/log/services/DiscoveryManager.log file.
This property separates the logs into the following directory structure:
v $COLLATION_HOME/log/sensors/<runid>/sensorName-IP.log for example:
sensors/20070621131259/SessionSensor-10.199.21.104.log
Important:
v The runid option includes the date of the discovery run and the log
file name includes the sensor name and IP address of the target.
66 Administrator's Guide
v When using this option, the logs are not automatically cleared. This
must be done manually, if required.
To free storage space in TADDM databases, use SQL queries to remove old data
manually from the change_history_table. The following command is an example of
such an SQL query, where the integer 1225515600000 represents the date, 1
November 2008, expressed in the same format as that returned by the
System.currentTimeMillis() Java method, or a number equal to the difference,
measured in milliseconds, between the current time and midnight, 1 January 1970
UTC:
DELETE FROM CHANGE_HISTORY_TABLE
WHERE PERSIST_TIME < 1225515600000 (this is the Java time stamp)
} catch (ParseException e)
{System.out.println("Exception :"+e); }
}
}
In general, remove data that is older than 4 - 6 weeks, but you can adapt this
timeline to the specific change history requirements of your scenario.
Understanding how you use the change history data within your scenario is the
key to determining the right time frame for removing data from the change history
table. For example, if you are using change history data for problem determination
and you want to investigate problems that occurred 5 weeks ago, keep at least 5
weeks of data in change_history_table.
Change history data is also used by other applications. Tivoli Business Service
Manager (TBSM), for example, uses change history records to determine which
data to import from a TADDM installation. Synchronize TBSM more frequently
than the number of weeks of change history data maintained in the change history
table. For example, if you synchronize TBSM weekly, maintain more than one week
of change history data in the TADDM change history table. In other words, make
sure that the period of time between application synchronizations is shorter than
period of time for which you have change history data.
In a single domain TADDM installation, you can make data maintenance decisions
based solely on the data needs for that one TADDM domain. However, with an
enterprise scale configuration, additional considerations apply. You must
coordinate the removal of change history data between the different TADDM
domain databases and the TADDM Enterprise Domain Database, and you need to
remove the data from each individual TADDM Domain Database and from the
TADDM Enterprise Domain Database.
Remove data at the TADDM domain level first, and then remove data at the
enterprise level. Best practice is to maintain the same number of weeks of change
history data in all TADDM Domain Databases. The period for which change
history data is kept in the TADDM Enterprise Domain Database can vary from the
period for which such data is kept at the individual TADDM Domain Databases,
based on needs. After you determine a time frame for data removal that meets the
specific needs of your configuration scenario, it is best to perform the actual
removal of the data just after the occurrence of a synchronization between the
TADDM Domain Databases and the TADDM Enterprise Domain Database.
70 Administrator's Guide
Optimizing DB2 for z/OS performance
Perform these database maintenance steps to avoid performance issues with a DB2
for z/OS® database.
1. Use the Product Console to run a discovery. This populates the domain
database with data.
2. Stop the TADDM server.
3. Generate and run the RUNSTATS control statement for each new database. The
following example assumes the databases are named CMDBA and CMDBB:
SELECT DISTINCT 'RUNSTATS TABLESPACE '||DBNAME||'.'!!TSNAME!!' INDEX(ALL)
SHRLEVEL REFERENCE' FROM SYSIBM.SYSTABLES
WHERE DBNAME IN ('CMDBA', 'CMDBB') ORDER BY 1;
4. Immediately after RUNSTATS is complete, generate and run the UPDATE
control statement for each new database. Run the following statements for the
schemas corresponding to both the primary user ID and the archive user ID:
select
'UPDATE SYSIBM.SYSINDEXES SET FIRSTKEYCARDF=FULLKEYCARDF WHERE NAME =
'||''''||CAST(RTRIM(name) AS VARCHAR(40))||''''||' AND CREATOR =
'||''''||CAST(RTRIM(creator) AS VARCHAR(40))||''''||' AND TBNAME =
'||''''||CAST(RTRIM(tbname) AS VARCHAR(40))||''''||' AND TBCREATOR =
'||''''||CAST(RTRIM(tbcreator) AS VARCHAR(40))||''''||';'
from sysibm.sysindexes a
where tbcreator = 'SYSADM'
AND NAME IN
(SELECT IXNAME
FROM SYSIBM.SYSKEYS B
WHERE A.CREATOR = B.IXCREATOR
AND A.NAME = B.IXNAME
AND COLNAME = 'PK__JDOIDX');
select
'UPDATE SYSIBM.SYSCOLUMNS SET COLCARDF=(SELECT FULLKEYCARDF FROM
SYSIBM.SYSINDEXES WHERE NAME = '||''''||CAST(RTRIM(name)
AS VARCHAR(40))||''''||' AND CREATOR = '||''''||CAST(RTRIM(creator)
AS VARCHAR(40))||''''||' AND TBNAME = '||''''||CAST(RTRIM(tbname)
AS VARCHAR(40))||''''||' AND TBCREATOR = '||''''||CAST(RTRIM(tbcreator)
AS VARCHAR(40))||''''||') WHERE NAME = '||''''||'PK__JDOIDX'||''''||'
AND TBNAME = '||''''||CAST(RTRIM(tbname) AS VARCHAR(40))||''''||'
AND TBCREATOR = '||''''||CAST(RTRIM(tbcreator) AS VARCHAR(40))||''''||';'
from sysibm.sysindexes a
where tbcreator = 'SYSADM'
AND NAME IN
(SELECT IXNAME
FROM SYSIBM.SYSKEYS B
WHERE A.CREATOR = B.IXCREATOR
AND A.NAME = B.IXNAME
AND COLNAME = 'PK__JDOIDX');
72 Administrator's Guide
Chapter 9. Log file overview
The TADDM server creates log files about its operation. This information is helpful
when troubleshooting problems.
You can set the maximum number of log files that the TADDM server creates and
the maximum size of each log file. When the maximum size of a log file is reached,
the TADDM server automatically copies the log file to a new file name with a
unique extension and creates a new log file.
For example, assuming that the maximum number of log files is four, when the
current log file reaches its maximum size, the TADDM server manages the older
log files in the following way:
v The logfile.3 file overwrites logfile.4.
v The logfile.2 file overwrites logfile.3.
v The logfile.1 overwrites logfile.2.
v The logfile file overwrites logfile.1.
v A new logfile is created.
The TADDM server stores log files in the $COLLATION_HOME/log directory, where
COLLATION_HOME is the path where you installed the TADDM server.
Setting the maximum size and maximum number of IBM log files
You can set the maximum number and size of each log file that TADDM creates.
To customize the size and number of log files, complete the following steps:
1. Open the collation.properties file, which is located in the following
directory:
v For Linux, Solaris, AIX, and Linux on System z operating systems,
$COLLATION_HOME/etc
v For Windows operating systems, %COLLATION_HOME%\etc
2. To specify the maximum size of each log file, edit the following property:
com.collation.log.filesize
The default value is 20 MB. You can enter the number of bytes directly, or by
specifying the number of kilobytes or megabytes using KB and MB respectively.
The following examples are valid log file size values:
v 1000000
v 512 KB
v 10 MB
3. To specify the maximum number of log files, edit the following property:
com.collation.log.filecount
The default value is 5.
4. Save and close the collation.properties file.
The changes in the log file settings automatically take effect as a result of
dynamic logging. For more information on dynamic logging, see the IBM
TivoliApplication Dependency Discovery Manager Troubleshooting Guide.
The following list provides suggestions for finding and searching log files:
v In the following directory, the log file names all have lowercase letters (for
example, logfile.log):
– For Linux, Solaris, AIX, and Linux on System z operating systems,
$COLLATION_HOME/log
– For Windows operating systems, %COLLATION_HOME%\log
v In the following directory, the log file names all use the ″mixed case″ convention
(for example, logFile.log):
– For Linux, Solaris, AIX, and Linux on System z operating systems,
$COLLATION_HOME/log/services
– For Windows operating systems, %COLLATION_HOME%\log\services
v For Linux, Solaris, AIX, and Linux on System z operating systems, use the less,
grep, and vi commands for searching logs.
v If you installed Cygwin, you can use the less, grep, and vi command on
Windows systems.
v Start at the end of the file and search backwards.
v Filter the DiscoverManager.log file using the following methods:
– The DiscoverManager.log file can be large. To work with this file:
- Break the file into pieces using the split command, available on UNIX
platforms.
- Use the grep command to look for specific strings, and pipe the results into
another file.
– If the result is verbose and you want additional filtering, use Target or
Thread.
– If you are reviewing the entire file, start by finding the target and sensor that
you are working with. For example, search for IpDeviceSensor-9.3.5.184.
After you search for the target and sensor, use the Find-next function for the
Thread ID. For example, DiscoverWorker-10.
– If you are searching a filtered log and find something you are looking for,
note the time stamp. For example, 2007-08-29 21:42:16,747. Look at the
complete log for the lines near that time stamp.
74 Administrator's Guide
Chapter 10. Server properties in the collation.properties file
The collation.properties file contains properties for the TADDM server, and you
can edit some of these properties.
A non-scoped property means that you cannot restrict the parameters of a property
to be specific to an object. For example, com.collation.ignorepropertyscopes is a
non-scoped property. Another example of a non-scoped property is
com.collation.discover.agent.OracleAgent.searchWindowsRegistry. The default
value is true. You can scope this property by appending either an IP address or a
scope set name to the property statement.
v To append an IP address (129.42.56.212), change the property as follows:
com.collation.discover.agent.OracleAgent.searchWindowsRegistry.129.42.56.212=true
v To append a scope set named scope1, change the property as follows:
com.collation.discover.agent.OracleAgent.searchWindowsRegistry.scope1=true
The following list identifies some of the properties that you should not change:
com.collation.version
Identifies the product version.
com.collation.branch
Identifies the branch of code.
com.collation.buildnumber
Identifies the build number. This number is set by the build process.
com.collation.oalbuildnumber
Identifies the build number for another build process.
com.collation.debugsocketsenabled
This flag is used by IBM Software Support when debugging.
com.collation.debug.optimizeitdir
The path indicates where the Borland OptimizeIt program is installed.
You can edit the properties for API port settings. When you make changes to the
file, you must save the file and restart the server for the change to take effect.
Typically, sudo is used on UNIX and Linux systems to provide privilege escalation.
The following alternatives can be used instead of sudo:
v Enable the setuid access right on the target executable
v Add the discovery service account to the group associated with the target
executable
v Use root for the discovery service account (not preferred)
For each property, sudo can be configured globally, meaning to run the command
with sudo on every operating system target, or restricted to a specific IP address or
scope set.
Important: On each target system for which privilege escalation is needed, sudo
must be configured with the NOPASSWD option. Otherwise, your
discovery hangs until sudo times out.
76 Administrator's Guide
com.collation.discover.agent.command.hastatus.Linux=sudo /opt/VRTSvcs/bin/
hastatus
com.collation.discover.agent.command.haclus.Linux=sudo /opt/VRTSvcs/bin/haclus
com.collation.discover.agent.command.hasys.Linux=sudo /opt/VRTSvcs/bin/hasys
com.collation.discover.agent.command.hares.Linux=sudo /opt/VRTSvcs/bin/hares
com.collation.discover.agent.command.hagrp.Linux=sudo /opt/VRTSvcs/bin/hagrp
com.collation.discover.agent.command.hatype.Linux=sudo /opt/VRTSvcs/bin/hatype
com.collation.discover.agent.command.hauser.Linux=sudo /opt/VRTSvcs/bin/hauser
v These properties are needed to discover Veritas Cluster components.
v To execute these commands without sudo, the TADDM service account
must be a member of the Veritas Admin Group on the target.
com.collation.discover.agent.command.vxdisk=vxdisk
com.collation.discover.agent.command.vxdg=vxdg
com.collation.discover.agent.command.vxprint=vxprint
com.collation.discover.agent.command.vxlicrep=vxlicrep
com.collation.discover.agent.command.vxupgrade=vxupgrade
v These properties discover Veritas standard storage information plus
additional Veritas specific information like disk group, Veritas volumes,
plexes, and subdisks.
com.collation.platform.os.command.ps.SunOS=/usr/ucb/ps axww
com.collation.platform.os.command.psEnv.SunOS=/usr/ucb/ps axwweee
com.collation.platform.os.command.psParent.SunOS=ps -elf -o ruser,pid,ppid,comm
com.collation.platform.os.command.psUsers.SunOS=/usr/ucb/ps auxw
v These properties are needed to discover process information on Solaris
systems.
com.collation.discover.agent.command.lsof.Vmnix=lsof
com.collation.discover.agent.command.lsof.Linux=lsof
com.collation.discover.agent.command.lsof.SunOS.1.2.3.4=sudo lsof
com.collation.discover.agent.command.lsof.Linux.1.2.3.4=sudo lsof
v These properties are needed to discover process/port information.
com.collation.discover.agent.command.dmidecode.Linux=dmidecode
com.collation.discover.agent.command.dmidecode.Linux.1.2.3.4=sudo dmidecode
v These properties are needed to discover manufacturer, model, and serial
number on Linux systems.
com.collation.discover.agent.command.cat.SunOS=cat
com.collation.discover.agent.command.cat.SunOS.1.2.3.4=sudo cat
v This property is used to discover configuration information for a
CheckPoint firewall on Solaris systems.
com.collation.discover.agent.command.interfacesettings.SunOS=sudo ndd
com.collation.discover.agent.command.interfacesettings.Linux=sudo mii-tool
com.collation.discover.agent.command.interfacesettings.SunOS.1.2.3.4=sudo ndd
com.collation.discover.agent.command.interfacesettings.Linux.1.2.3.5=sudo mii-tool
Database settings
The database passwords for both the database user and archive user are stored in
the $COLLATION_HOME/etc/collation.properties file.
Use the following properties to change the passwords on the TADDM server:
com.collation.db.password=password
com.collation.db.archive.password=password
78 Administrator's Guide
To encrypt passwords in the collation.properties file, you must first edit the
database user, or archive the user password using clear text, or both. Then, stop
the TADDM server, and run the encryptprops.sh file or encryptprops.bin file
(located in the $COLLATION_HOME/bin directory). This script encrypts the passwords.
Restart the TADDM server, and the passwords are encrypted in the
collation.properties file.
Discovery settings
You can edit the properties for discovery. When you make changes to the file, you
must save the file and restart the server for the change to take effect.
The following list identifies extra details for the properties for discovery:
com.collation.discover.agent.exchange.command.timeout=600000
Specifies the timeout for the Exchange Server sensor. The default timeout is
600000 milliseconds, which is 10 minutes. If you change the default, make
sure that you specify an integer.
com.collation.discover.agent.usePMACNamingRule=false
Specifies whether to include the primary MAC address as one of the
ComputerSystem naming rules. The default is false, meaning that the
primary MAC address is not to be used as a naming rule. A computer
system can usually be identified by other characteristics like IP address,
manufacturer, model, and serial number. In the majority of environments,
the primary MAC address naming rule is not needed. Also note that the
primary MAC address naming rule is deprecated. Contact IBM support
before setting this property to true.
com.collation.discover.anchor.forceDeployment=true
Specifies if all anchors for the discovered scope are to be deployed during
discovery startup. Valid values are true and false. The default is true. If you
change the default to false, anchors are deployed only if any IP address
from the scope cannot be pinged, or if port 22 cannot be reached on any of
the discovered IP addresses.
com.collation.discover.anchor.lazyDeployment=false
Specifies if files should be copied during anchor deployment, or when
sensor requiring the files is going to be launched. In both cases only
different files are copied. Valid values are true and false. The default is false.
The following example provide some insight to how this property affects
TADDM functionality:
The WebSphere Application Server sensor has dependencies in the
dist/lib/websphere directory that take 130 MB. If the flag is set to false,
this data is copied to the target host when the anchor is deployed. If the
flag is set to true, the data is copied when the WebSphere Application
Server sensor is about to be run on the anchor. If no WebSphere
Application Server sensor is run through the anchor, 130 MB is not sent to
the remote host.
com.collation.discover.DefaultAgentTimeout=600000
Specifies the default timeout for sensors in milliseconds, which is 10
minutes.
The default for all sensors is 10 minutes. The default can be changed. It
can also be specified by individual sensors.
For example,
com.collation.discover.agent.OracleAgent.timeout=1800000
com.collation.gui.showRunningDiscHistory=true
This property can affect the speed at which the user interface is displayed
when a discovery is running. Valid values are true, false, and prompt. The
default is true.
When true is specified, the discovery history events are retrieved. When
false is specified, the discovery history events are not retrieved, and, as a
result, the user interface can be displayed faster when a discovery is
running. When prompt is specified, a prompt asks the user if the discovery
history events should be retrieved.
com.collation.IpNetworkAssignmentAgent.defaultNetmask=ip_start-ip_end/
netmask[, ...]
This property defines how IP addresses discovered during a Level 1
discovery are assigned to generated subnets. A Level 1 discovery does not
discover subnets; instead, IpNetwork objects are generated to contain any
interfaces that are not associated with an existing subnet discovered during
a Level 2 or Level 3 discovery. This configuration property defines which
IpNetwork objects should be created, and how many nodes each subnet
should contain. (It also applies to any interface discovered during a Level 2
or Level 3 discovery that for any reason cannot be assigned to a discovered
subnet.)
The value for this property consists of a single line containing one or more
entries separated by commas. Each entry describes an IP address range in
IPv4 dotted decimal format, along with a subnet mask specified as an
integer between 8 and 31. Discovered interfaces in the specified range are
then placed in created subnets no larger than the size specified by the
subnet mask.
For example, the following value defines two subnet address ranges with
different subnet masks:
9.0.0.0-9.127.255.255/23, 9.128.0.0-9.255.255.255/24
The specified address ranges can overlap. If a discovered IP address
matches more than one defined range, it is assigned to the first matching
subnet as they are listed in the property value.
After you create or change this configuration property and restart the
TADDM server, any subsequent Level 1 discoveries use the defined
subnets. To reassign existing IpInterface objects in the TADDM database,
go to the $COLLATION_HOME/bin directory and run one of the following
commands:
v adjustL1Networks.sh (Linux and UNIX systems)
v adjustL1Networks.bat (Windows systems)
Note: If the value is not specified correctly then the appropriate messages
are displayed only when running the command line utility
adjustL1Networks.sh (Linux and UNIX systems) or
adjustL1Networks.bat (Windows systems). Otherwise the messages
80 Administrator's Guide
are placed in the TopologyBuilder.log file in the
$COLLATION_HOME/log/services directory.
This script reassigns all IpInterface objects discovered during Level 1
discoveries to the appropriate subnets as described in the configuration
property. Any generated IpNetwork object that contains no interfaces is
then deleted from the database. After the script completes, the TADDM
interface might show multiple notifications of changed components
because of the modified objects. You can clear these notifications by
refreshing the window.
Note: Before you use this command, make sure the TADDM server is
running, and that no discovery or bulk load operation is currently in
progress. This script is not supported on the Enterprise Domain
Server.
com.collation.rediscoveryEnabled=false
Valid values are true and false. The default is false. Change the value to true
to enable the rediscovery function. In addition to enabling the rediscovery
function, setting the property to true also ensures information is stored
during the rediscovery.
com.collation.ChangeManager.port=19431
Specifies the firewall port used by the change manager.
The following list identifies extra details for DNS lookup customization settings:
com.collation.platform.os.disableDNSLookups=false
Valid values are true or false. The default is false. If you change the property
to true, name lookups (for example, JAVA and DNS) are disabled for the
TADDM server.
com.collation.platform.os.disableRemoteHostDNSLookups=false
Valid values are true or false. The default is false. If you change the property
to true, name lookups (DNS only) are disabled on remote discovered hosts.
This property forces all name lookups to occur on the TADDM server.
com.collation.platform.os.disableRemoteInterfaceFQDNLookups=true
Valid values are true or false. The default is true. If you change the property
to false, you enable the remote lookup of Internet Protocol (IP) interface
names. Performance can decline if this property is set to true.
com.collation.platform.os.forceDNSLookupForFqdn.1.2.3.4=true
This command specifies whether you should use DNS lookup for
fully-qualified domain names. Valid values are true or false. A value of true
means to use DNS. A value of false means that you should use the Java
Application Program Interface (API) to lookup names as per Network File
System (NFS) and Network Information Service (NIS) settings on the host.
com.collation.platform.os.cacheTTLSuccessfulNameLookups=60
This command is specified in the java.security file to indicate the caching
policy for successful name lookups from the name service. The value is
The following list identifies the default settings in the collation.properties file for
the GUI JVM memory settings:
com.collation.gui.initial.heap.size=128m
Initial heap size for the TADDM user interface.
com.collation.gui.max.heap.size=512m
Maximum heap size for the TADDM user interface.
These settings are appropriate for a small TADDM Domain. For the purposes of
sizing, the following categories of TADDM servers are used (based on server
equivalents):
v Small: up to 1000 server equivalents
v Medium: 1000 - 2500 server equivalents
v Large: 2500 - 5000 server equivalents
Increasing these values for medium and large environments improve performance
for some GUI operations. Some views do not complete properly if there is not
sufficient memory available to TADDM at the time of the action.
82 Administrator's Guide
com.collation.gui.initial.heap.size=256m
com.collation.gui.max.heap.size=768m
The following list identifies extra details for GUI port settings:
com.collation.tomcatshutdownport=9436
This port is used for the Tomcat shutdown command.
com.collation.webport=9430
The HTTP port is used without SSL.
com.collation.websslport=9431
The HTTPS port is used with SSL.
com.collation.commport=9435
The RMI data port to use without SSL.
com.collation.commsslport=9434
The RMI data port to use with SSL.
com.collation.rmiport=9433
The naming service RMI registry port.
com.collation.jndiport=9432
The naming service JNDI lookup port.
Jini settings
The properties for Jini settings must be an integer value.
The LDAP server host name, port number, base distinguished name, bind
distinguished name, and password (required for password-based authentication)
are configurable in the collation.properties file. You can also configure the
specific naming attribute that can be searched for to match the user ID (UID).
The following list identifies some of the properties that you use to configure
LDAP:
com.collation.security.usermanagementmodule=ldap
This property defines the user management module used by the TADDM
server. The valid values are:
v file: for a file-based user registry. This is the default value.
v ldap: for an LDAP user registry
v vmm: for a user registry that uses the federated repositories of
WebSphere Application Server
com.collation.security.auth.ldapAuthenticationEnabled=true
This property defines whether LDAP authentication has been enabled.
com.collation.security.auth.ldapHostName=ldap.ibm.com
This property defines the host name for the LDAP server.
com.collation.security.auth.ldapPortNumber=389
This property defines the port for the LDAP server.
com.collation.security.auth.ldapBaseDN=ou=People,dc=ibm,dc=com
This property defines the LDAP Base Distinguished Name (DN). The
LDAP Base Distinguished Name is the starting point for all LDAP
searches.
com.collation.security.auth.ldapUserObjectClass=person
This property defines the name of the class used to represent users in
LDAP.
com.collation.security.auth.ldapUIDNamingAttribute=cn
This property defines the name of the attribute used for naming users in
LDAP.
com.collation.security.auth.ldapGroupObjectClass=groupofuniquenames
This property defines the class used to represent user groups in LDAP.
84 Administrator's Guide
com.collation.security.auth.ldapGroupNamingAttribute=cn
This property defines the name of the attribute used for naming groups in
LDAP.
com.collation.security.auth.ldapGroupMemberAttribute=uniquemember
This property defines the name of the attribute used to contain the
members of a group in LDAP.
com.collation.security.auth.ldapBindDN=uid=ruser,dc=ibm,dc=com
If simple authentication is used, this property defines the user ID that is
used to authenticate to LDAP.
Important:
v If a value for com.collation.security.ldapBindDN is not
supplied or if the property is commented out,
v an anonymous connection to LDAP is attempted. The
following example shows how the property can be
commented out with the number sign (#):
#com.collation.security.auth.ldapBindDN=uid=ruser,
dc=ibm,dc=com
v If a value is specified for
com.collation.security.auth.ldapBindDN, simple
authentication is used and
v a value for com.collation.security.auth.ldapBindPassword
must also be specified.
com.collation.security.auth.ldapBindPassword=ruser
If simple authentication is used, this property defines the user password
that is used to authenticate to LDAP.
Related tasks
“Configuring for LDAP” on page 15
You can configure an external LDAP server for user authentication.
Logging settings
You can edit the properties for logging. When you make changes to the file, you
must save the file and restart the server for the change to take effect.
The following list identifies extra details about some of the properties that control
logging settings:
com.collation.log.level=INFO
Sets the log level. The default is INFO. The following list identifies other
valid options:
v FATAL
v ERROR
v WARNING
v INFO
v DEBUG (Setting the DEBUG option decreases system performance.)
v TRACE (Setting the TRACE option causes passwords to be logged.)
If com.collation.deploy.dynamic.logging.enabled=true, you do not have to
restart the TADDM server after the logging level is changed. If
com.collation.deploy.dynamic.logging.enabled=false, you must restart the
TADDM server after the logging level is changed.
See the Logging settings section of the IBM Tivoli Application Dependency Discovery
Manager Troubleshooting Guide for more information on the following topics:
v JVMs for which you can set logging locally
v Logging levels
Performance settings
This product is tuned for a 2 processor, 4 GB system. If you have more processors
or memory, you can change the thread settings in the collation.properties file.
86 Administrator's Guide
There is no formula that you can use to determine the optimal values for these
thread counts. Optimal values depend on how sparse your subnets are and how
the firewalls are configured. Here are a few general guidelines:
1. If all of the processors are not saturated during a discovery run, you should
increase the dwcount by a few threads and try again. If you increase this
thread count when your processors are saturated, the sensors start to timeout
and you do not receive complete discover results.
2. If you increase the dwcount by a few threads and continue not to get increased
CPU usage, bump the sccount by 1 and try again.
3. Do not change the ascount.
The following list identifies extra details for the properties for performance:
com.collation.discover.dwcount=16
This property defines how many discover worker thread can be running
simultaneously. It must be an integer value. The default is 16.
com.collation.discover.sccount=2
This property specifies the number of ″seed″ creator threads that are
created. It must be an integer value. The default is 2.
com.collation.discover.ascount=1
This property specifies the number of agent selector threads that are
created. It must be an integer value. The default is 1. Do not change this
property.
com.collation.discover.observer.topopumpcount=16
This property specifies the number of database ″writer″ threads that are
created. These threads are used for persisting discovery results into the
TADDM database. It must be an integer value. The default is 16.
Reconciliation settings
Set the com.collation.reconciliation.enablenewfeatures and the
com.collation.reconciliation.enablepriority properties in the collation.properties
file to true to enable merging, reconciliation plug-ins, and attribute prioritization
features.
If you change the values for these properties, you must restart the server.
The reconciliation features are designed so that you can turn them off in your
environment. For example, you can turn them off if you encounter problems you
suspect are related to the features. For more information about reconciliation and
prioritization, see the Understanding reconciliation and prioritization section in the
IBM Tivoli Application Dependency Discovery Manager User’s Guide.
The following list identifies extra details about some of the properties that control
reporting settings and graphs:
com.collation.domain.pdfreport.enabled=false
Valid values are true or false. The default is false. If you set the value to
true, you can save the Domain Manager reports in the PDF file. This
setting works only for the English language locale.
com.collation.gui.doNotShowGraphs=Business Applications,Application
Infrastructure,Physical Infrastructure
Use this property to not display graphs in the Java user interface. There are
three valid values that you can enter: Business Applications, Application
Infrastructure, and Physical Infrastructure. If you enter more than one value,
use a comma to separate the entries.
com.collation.ReportsServer.port=19434
Specifies the firewall port used by the reports server.
The following list identifies extra details for properties that control SSH settings:
com.collation.SshLogInput=false
Valid values are true or false. The default is false. If you set the value to
true, SSH input is logged.
com.collation.SshPort=22
It must be an integer value. This setting indicates the port the server uses
for all SSH connections.
com.collation.SshSessionCommandTimeout=120000
Must be an integer value. This value indicates the time (in milliseconds)
that is allowed for the SSH command to run. If this property is used from
an agent, the setting for this property should be a lesser value than the
setting for the AgentRunnerTimeout property to be effective.
88 Administrator's Guide
com.collation.SshSessionCopyTimeout=360000
It must be an integer value. This value indicates the time (in milliseconds)
that is allowed to copy a file to a remote system.
com.collation.SshSessionIdleTimeout=240000
It must be an integer value. This value indicates the time (in milliseconds)
that an SSH session can remain inactive.
com.collation.SshSessionInitTimeout=60000
It must be an integer value. This value indicates the time (in milliseconds)
that is allowed to initialize an SSH connection. This time setting should be
a lesser value than all other SSH timeouts.
com.collation.SshWeirdReauthErrorList=Permission denied
This property allows for the retry of the user name and password pairs
that have previously worked during discovery runs. The property is
needed because Windows systems randomly deny valid login attempts.
The property needs to have the Permission denied setting. Do not change
this setting.
com.collation.TaddmToolUseSshInput=false
Valid values are true or false. The default is false. If you set the value to
true, the SSH input is used instead of command line options.
com.collation.WmiInstallProviderTimeout=240000
It must be an integer value. This value indicates the time (in milliseconds)
that is allowed to wait for the WMI InstallProvider script to run.
Security settings
Use these properties to control security settings.
The following list identifies extra details for properties that control security
settings:
com.collation.security.privatetruststore=true
Valid values are true or false. The default is true.
com.collation.security.enablesslforconsole=true
Valid values are true or false. The default is true.
com.collation.security.enabledatalevelsecurity=false
Valid values are true or false. The default is false. To restrict access to
collections of TADDM objects by user or user group, set this value to true.
com.collation.security.enforceSSL=false
Valid values are true or false. The default is false. To disable non-secure
connections and force the use of SSL connections, set this flag to true.
com.collation.security.FIPSMode=false
Valid values are true or false. The default is false. To configure TADDM to
use FIPS-compliant algorithms for encryption, set this flag to true.
com.collation.security.usermanagementmodule=file
There are three options for this property:
v file: for a TADDM file-based user registry
v ldap: for an LDAP user registry
v vmm: for a user registry that uses the federated repositories of
WebSphere Application Server
The default is file.
Sensor settings
Use these properties to control sensor settings.
The following list identifies extra details for properties that control sensor settings:
com.collation.agent.weblogic.protocols=t3,http
By default, this property is disabled and the T3 protocol is used. If you
uncomment this property, you can specify the list of protocols to be used
for the WebLogic sensors. The default property, T3, is used if the property
is disabled or removed from the collation.properties file.
You can add protocols to the entry and separate entries with a comma. For
example:
com.collation.agent.weblogic.protocols=t3,http
The T3 protocol is the first protocol that is tried. If this protocol fails, the
HTTP protocol is used. If you want to use the HTTP protocol to connect to
a WebLogic server instance, you must enable HTTP tunneling for that
instance using the WebLogic console.
The only valid values are t3 and http. If you code an incorrect value, such
as a value with typographical errors, the WebLogic server cannot process
the request properly and might stop.
com.collation.AllowPrivateGateways=true
This property is used by the WindowsComputerSystemSensor sensor.
Valid values are true or false. The default is true. The default allows SSH
connections to Windows systems not listed in the gateway.properties file.
com.collation.discover.agent.Db2WindowsAgent.sshSessionCommandTimeout
=300000
This property is the Windows DB2 discover sensor (Db2WindowsSensor)
command timeout.
It must be an integer value. This value indicates the maximum amount of
time (in milliseconds) that the sensor has to complete.
90 Administrator's Guide
To be effective, the value specified for this property should be greater than
the SshSesssionCommandTimeout property and less than the
DefaultAgentTimeout property. If needed, you can change the
SshSesssionCommandTimeout and DefaultAgentTimeout properties.
The com.collation.SshSessionCommandTimeout property controls the time
needed for the SSH connection and run command on the Windows
gateway.
If this Db2WindowsSensor command timeout property is a lesser value
than the com.collation.SshSessionCommandTimout property, the
com.collation.SshSessionCommandTimout value is used.
Because the Db2WindowsSensor sensor can stop before it finishes
collecting information, the value of the
com.collation.disocver.DefaultAgentTimeout property should be greater
than this Db2WindowsSensor command timeout property.
com.collation.discover.agent.OracleAgent.connectionThreadTimeout=10000
This property is used by the OracleSensor sensor.
It must be an integer value. This value indicates the maximum amount of
time (in milliseconds) allowed to pass before the database connection task
times out. This property is used to control the use of Connector threads
that prevent hung JDBC connections from hanging the sensor. Use with the
com.collation.discover.agent.OracleAgent.useConnectorThreads property.
com.collation.discover.agent.OracleAgent.registrySearchRegexes
=ORA_([^_]+)_AUTOSTART
This property is used by the OracleSensor sensor.
This regular expression property can be a semicolon separated list of
regular expressions applied to Windows registry key names to extract SID
candidates. Extracting the same SID multiple times is not a problem. The
SID is discovered only once.
com.collation.discover.agent.OracleAgent.searchWindowsRegistry=true
This property is used by the OracleSensor sensor. This is a scoped
property.
Valid values are true or false. The default is true. If you change the value
to false, you search the Windows registry keys for Oracle SIDs. You can
append an IP address to make the behavior dependent on the host being
discovered.
com.collation.discover.agent.OracleAgent.suppressPorts
This property is used by the OracleSensor sensor.
This regular expression property can be a comma (,) separated list of ports.
This property stops the connection to ports on the listener.
com.collation.discover.agent.OracleAgent.suppressSIDs
This property is used by the OracleSensor sensor.
This regular expression property can be a comma (,) separated list of SIDs.
This property stops the discovery of SIDs.
com.collation.discover.agent.OracleAgent.useConnectorThreads=true
This property is used by the OracleSensor sensor.
Valid values are true or false. The default is true. This property is used to
control the use of Connector threads that prevent hung JDBC connections
92 Administrator's Guide
property to false, the custom application server seeds for internal
templates is created only when the deep sensor corresponding to the
application fails.
With this feature enabled, the internal templates TADDM uses to start
sensors are used instead to launch CustomAppServerSensors which creates
Objects in TADDM representing the application running on the target.
These CustomAppServerSensors require no credentials. In this discovery
mode, because template matching is only intended to launch a sensor with
a high probability that the sensor being launched is the correct sensor for
the running application, TADDM creates ″generic″ application server types,
such as WebServer and J2EEServer, instead of the more specific types that a
sensor would create, such as ApacheServer or WebSphereServer. The
objectType attribute will be set to the ″best match″ type of the running
application software. Note that if a credentialed sensor and a custom
server both run for the same target during one or more discoveries, the
following limitations apply:
1. Given the different nature of the data discovered without credentials,
objects created by this feature might not reconcile with L3 sensor
created artifacts.
2. Credential free discovery does not create specific classes. For example,
httpd might be Apache or another Web server, and therefore, in
credential-free mode, are only classified as HTTP Servers.
com.collation.oracleapp.root.dir=lib/oracleapp
This property is used by the OracleAppSensor sensor.
If you do not want to discover the Oracle Application Server, ignore this
property. If you want to discover the Oracle Application Server, use this
property to specify the location of the Oracle Application Server root
directory for the TADDM server. An absolute directory path can be
specified. If you use a relative directory path, it must be relative to the
$COLLATION_HOME directory. This directory and all subdirectories must be
accessible to the use under which the TADDM server runs. Oracle
Application Server libraries must be available on the TADDM server under
this directory.
com.collation.platform.os.ignoreLoopbackProcesses=true
Valid values are true and false. The default is true. Do not change this
default. You must set this property to true if you want to discover an
Oracle Application Server or the WebLogic sensors. For example, if the
WeblogicServerVersionSensor sensor tries to start using a local host
address, this property must be set to true.
com.collation.discovery.engine.allow.pooling.local.anchors=true
This property allows multiple sensors that require local anchors to share a
single Java virtual machine (JVM). If this flag is set to false, each sensor
runs in its own JVM. For performance reasons, it is preferred this property
is set to true. Only the WebLogic sensor uses this property.
com.collation.pingagent.ports=xx,yy, ...
By default, this property is used by the PingSensor sensor. It is not defined
in the collation.properties file and has to be manually defined if needed.
Valid values are non-negative, numerical.
To override the default set of ports that the Ping sensor attempts to use,
add this property to the collation.properties file and specify the port
Startup settings
Use these properties to determine whether TADDM monitors server startup.
If enabled, the restartwatcher will monitor the TADDM startup process so that the
TADDM server will restart if it does not start within a certain defined time frame.
The restartwatcher checks for the following conditions:
v All but one of the services has reached started state
v One or more of the services is in stopped state and at least one service has
started
If these conditions persist for a configurable period of time, a restart is requested.
The restartwatcher turns off after the server has started so that it will not interfere
with the service restart configuration options.
94 Administrator's Guide
default value is 240, and the minimum value is 60. Slower systems should
use longer delay times to allow for longer service start times.
The following list identifies extra details for properties that control topology
builder settings:
com.collation.synchronizer.enableTopologyBuild=true
Valid values are true and false. The default is true.
The topology builder runs automatically after a synchronization is
complete. If you set this property to false, topology build does not run
automatically after the synchronization completes. This is most commonly
used if you synchronize from several TADDM servers and manually run
topology build after all of the synchronizations are complete.
com.collation.topobuilder.RuntimeGcUnknownServerRetentionSpan
This property specifies how long (in days) to keep unknown processes. The
default value is 5, and the maximum value is 14. Unknown processes
determine when custom server templates are needed, however, without
regular clean up, the number of unknown processes can build up over
time. This might cause topology performance issues. The following item is
not removed by this processing:
v zOS Address Spaces
The following list identifies extra details for properties that control topology
manager settings:
com.ibm.JdoQuery.FetchBatchSize=50
The batch size is a configurable property and corresponds to the
kodo.FetchBatchSize property. This property represents the number of
rows to fetch at a time when scrolling through a result set of a query run.
The default is 50 rows.
com.collation.topomgr.securityCheck=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.topomgr.optimisticTransaction=false
Valid values are true or false. The default is false. Do not change this setting.
com.collation.topomgr.lockManager=pessimistic
This property is used only if the
com.collation.topomgr.optimisticTransaction property is set to false. Do not
change this setting.
com.collation.topomgr.readLockLevel=read
This property is used to configure kodo.ReadLockLevel. Do not change this
setting.
com.collation.topomgr.writeLockLevel=write
This property is used to configure kodo.WriteLockLevel. Do not change
this setting.
Chapter 10. Server properties in the collation.properties file 95
com.collation.topomgr.lockTimeout=-1
This property is used to configure kodo.LockTimeout. Do not change this
setting.
com.collation.topomgr.isolationLevel=default
This property is used to set kodo.jdbc.TransactionIsolation. Do not change
this setting.
com.collation.topomgr.generateExplicitRelationship=false
Valid value is false. Do not change the this value. This attribute has been
deprecated.
com.collation.TopologyManager.port=19430
Specifies the firewall port used by the topology manager.
The following list identifies extra details for properties that control view manager
settings:
com.collation.view.cache.optimization.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, view caching is disabled. In general, do not change this setting. If you
change this setting, every request for a view means that the view must be
built and performance can be affected.
An example scenario where caching might be turned off temporarily is
when a number of data loads, object creations, modifications, deletions,
and discovery runs are being planned, and a higher priority is placed on
getting the data in before viewing the data. In this scenario, disabling the
cache prevents the cache from being constantly rebuilt in response to
changes.
com.collation.view.cache.disk=true
Valid values are true or false. The default is true. If you change the value to
false, memory caching is used. Disk caching should always be used in large
environments to avoid out of memory errors.
com.collation.view.cache.disk.path=var/viewmgr
This value identifies the directory of the view cache. The default is
var/viewmgr. If you want to change this value, the path you set has to be a
relative path from the $COLLATION_HOME property.
com.collation.view.maxnodes=500
Must be an integer value. When viewing a topology graph in the Product
Console, this property identifies the maximum number of nodes allowed.
The default is 500.
com.collation.view.accesscontrol.enabled=false
Valid values are true or false. The default is false. If you change the value to
true, the views are ACL aware. If the views are ACL aware, you want a
user that is logged in to view only objects that the user has access to.
When access control for views is enabled, no view caching is enabled.
Performance for large view is affected.
96 Administrator's Guide
com.collation.view.prebuildcache.treeview.physical.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, the Navigation Tree for physical infrastructure is not prebuilt into the
cache. Do not change this setting.
com.collation.view.prebuildcache.treeview.components.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, the Navigation Tree for software components tree is not prebuilt into
the cache. Do not change this setting.
com.collation.view.prebuildcache.treeview.application.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, the Navigation Tree for applications tree is not prebuilt into the cache.
Do not change this setting.
com.collation.view.prebuildcache.treeview.bizservice.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, the Navigation Tree for business services tree is not prebuilt into the
cache. Do not change this setting.
com.collation.view.prebuildcache.graph.appinfrastructure.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, Application Software Infrastructure Topology is not prebuilt into the
cache. If you change the value to false, update the
com.collation.gui.doNotShowGraphs property to not display this graph.
com.collation.view.prebuildcache.graph.physicalinfrastructure.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, Physical Infrastructure Topology is not prebuilt in to the cache. If you
change the value to false, update the com.collation.gui.doNotShowGraphs
property to not display this graph.
com.collation.view.prebuildcache.graph.bizapp.enabled=true
Valid values are true or false. The default is true. If you change the value to
false, Business Application Topology is not prebuilt in to the cache. If you
change the value to false, update the com.collation.gui.doNotShowGraphs
property to not display this graph.
com.collation.view.prebuildcache.treeview.define.application.enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.view.prebuildcache.treeview.define.bizservice.enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.view.prebuildcache.treeview.define.appserver.enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.view.prebuildcache.treeview.define.appserverclusters.enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.view.prebuildcache.treeview.define.appserverhosts.enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.view.prebuildcache.treeview.define.appserverclusterserviceshosts.
enabled=true
Valid values are true or false. The default is true. Do not change this setting.
com.collation.change.event.damping.interval.secs=10
It must be an integer value. This value indicates the time interval, in
seconds, that should lapse before the view is rebuilt. When the view is
rebuilt, the change of events is posted.
The following list identifies extra details for properties that control XML
performance settings:
com.collation.platform.xml.gcEnabled=false
Valid values are true or false. The default is false. Do not change the value
to true.
com.collation.platform.xml.showLeafLastMtime=false
Valid values are true or false. The default is false. If you set the value to
true, the last time a leaf object (a configuration item that is not going to be
displayed in the XML because it is too deep in the query) that was
changed is displayed. Displaying the attribute takes time and affects
performance. Instead of changing the value to true, you can increase the
depth of the query.
98 Administrator's Guide
Chapter 11. Self-monitoring tool overview
The TADDM self-monitoring tool provides detailed tracking of performance and
availability of the TADDM server and its component processes. You can view
errors that TADDM has discovered by using the tool with the summaries of
configuration item data that is stored in the database. Before you can use this tool,
you must have IBM Tivoli Monitoring 6.1, or later, installed in your environment.
The self-monitoring tool is instrumented with IBM Tivoli Monitoring 6.1, which
provides visualization of collected availability and performance data. Based on the
data provided by the self-monitoring tool, administrators can create reflexive
actions to counteract availability degradation.
To view the availability data provided by the self-monitoring tool, complete the
following steps:
1. Start the Tivoli Enterprise Portal Server user interface.
2. Go to the IBM Tivoli Monitoring Navigator Physical view. This is the initial
view of the Navigator Physical view:
Enterprise
Operating Platform
The Operating Platform is one or more of the following systems:
v AIX systems
v Linux systems
v Solaris systems
v Windows systems
3. Select the Enterprise icon.
4. Right-click Enterprise, then click Workspace → Tivoli Application Dependency
Discovery Manager Availability. The corresponding workspace opens. The
workspace includes the following information:
v A table that provides a time stamp and message abstract for error messages.
v A table of services with corresponding states.
v A table of processes that are not operational.
v A table that provides database status. The table lists the IBM Tivoli
Monitoring Version 6.x, database agents that monitor the TADDM database
in that host.
5. Click the workspace icon, , next to the Status cell, to load the default
workspace for the database agent. When you load the workspace, you can see
performance metrics for the database.
6. (Optional) To sort the columns of the tables in the workspace, click the column
header. For example, in the Error Messages table, click the LocalTimeStamp
Viewing services
The self-monitoring tool provides services that are related to system availability.
Acknowledged
The event is acknowledged.
Deleted
The situation is deleted.
Problem
The situation is in a problem state.
Expired
The acknowledgement of the event is expired and the event remains
open.
Opened
The situation is running and is now true, which opens an event.
Closed
The situation is running, was true, but is now false.
Reopened
The acknowledgement was removed before it expired, and the event is
still open (reopened).
Started
The situation is started.
- Filter Critical
Click the icon to display only Critical events.
- Filter Warning
Click the icon to display only Warning events.
- Filter Informational
Click the icon to display only Information events.
- Filter Open
Click the icon to display only Open events, including any events that were
reopened (acknowledgement removed) or whose acknowledgement
expired.
- Filter Acknowledged
Click the icon to display only Acknowledged events.
- Console Pause
A workspace control you can use to pause the automatic refresh. Click the
icon to stop automatic refresh temporarily. You can manually refresh the
workspace if you want. Click the Resume Refresh button ( ) to refresh
the workspace and resume automatic refresh.
Following the list of icons, there is text that provides details about filters that are
applied to the contents of the table. For the latest information about changing the
filters, refer to the IBM Tivoli Monitoring User’s Guide.
Viewing errors
The self-monitoring tool provides information about errors that hinder availability
and threaten the system health.
When viewing availability data, there is a table of error messages. To restore the
health of the systems, you need to resolve these errors.
To view the errors that need to be resolved for TADDM, complete the following
steps:
1. Start the Tivoli Enterprise Portal Server user interface.
2. Go to the IBM Tivoli Monitoring Navigator Physical view. This is the initial
view of the Navigator Physical view:
Enterprise
Operating Platform
The Operating Platform is one or more of the following systems:
v AIX systems
v Linux systems
v Solaris systems
v Windows systems
3. Select Enterprise.
4. Right-click Enterprise, then click Workspace → Tivoli Application Dependency
Discovery Manager Health. The corresponding workspace opens and includes
a table of error messages. The table includes the following two columns of
information:
LocalTimeStamp
The time at the portal client when the status of the situation changes.
ErrorMessage
The text of the error message that includes the date and the time
associated with the message.
The table of response times that is provided by the self-monitoring tool includes
four columns of information:
LocalTimeStamp
The time at the portal client when the status of the situation changes.
RealTime
The total amount of time, in seconds, used to complete the transaction.
UserTime
The amount of user processing time, in seconds, used to complete the
transaction.
SystemTime
The amount of system processing time, in seconds, used to complete the
transaction.
The bar chart with current response time graphs includes the following
information:
RealTime
The total amount of time, in seconds, used to complete the transaction.
UserTime
The amount of user processing time, in seconds, used to complete the
transaction.
SystemTime
The amount of system processing time, in seconds, used to complete the
transaction.
The plot chart of response time graph includes the following information:
RealTime
The total amount of time, in seconds, used to complete the transaction.
UserTime
The amount of user processing time, in seconds, used to complete the
transaction.
SystemTime
The amount of system processing time, in seconds, used to complete the
transaction.
The x-axis of the chart graphs the time in 10-second increments. For example, if
data collection begins at 10:22:35 (hh:mm:ss), there are entries along the x-axis for
10:22:35, 10:22:45, and 10:22:55.
- Filter Critical
Click the icon to display only Critical events.
- Filter Warning
Click the icon to display only Warning events.
- Filter Informational
Click the icon to display only Information events.
- Filter Open
Click the icon to display only Open events, including any events that were
reopened (acknowledgement removed) or whose acknowledgement
expired.
- Filter Stopped
Click the icon to display only Stopped situations.
- Filter Problem
Click the icon to display only Problem situations. These are situations that
are in error for some reason.
- Console Pause
A workspace control that you can use to pause the automatic refresh. Click
the icon to stop automatic refresh temporarily. You can manually refresh
the workspace if you want. Click the Resume Refresh button ( ) to
refresh the workspace and to resume automatic refresh.
Following the list of icons, there is text that provides details about filters that are
applied to the contents of the table. For the latest information about changing the
filters, refer to the IBM Tivoli Monitoring User’s Guide.
The self-monitoring tool provides charts and tables with statistics related to the
resource infrastructure. To view infrastructure data, complete the following steps:
1. Start the Tivoli Enterprise Portal Server user interface.
2. Go to the IBM Tivoli Monitoring Navigator Physical view. This is the initial
view of the Navigator Physical view:
Enterprise
Operating Platform
The Operating Platform is one or more of the following systems:
v AIX systems
v Linux systems
v Solaris systems
v Windows systems
3. Select Enterprise.
4. Right-click the Enterprise icon, then click one of the following options:
v For Linux servers: Workspace → Tivoli Application Dependency Discovery
Manager Infrastructure - Linux
v For AIX and Solaris servers: Workspace → Tivoli Application Dependency
Discovery Manager Infrastructure - UNIX
The selected workspace opens. The workspace includes the following
information:
v A bar chart that graphs a summary of system memory usage
v Bar charts that graph the memory usage for individual services
v A circular gauge chart that graphs the processing usage for the system
v Circular gauge charts that graph the processing usage for individual services
The self-monitoring tool provides a bar chart that graphs a summary of system
information. The bar chart with the summary of system information graphs the
following items:
Total Memory (MB)
The total amount of memory available for the resource.
Memory Used (MB)
The amount of memory currently used by the resource.
Memory Free (MB)
The amount of memory not currently used and available for use by the
resource.
The circular gauge chart shows the proportional amount of processing that is being
used. The number displayed below the circular gauge indicates the exact
percentage displayed in the chart.
The circular gauge chart shows the proportional amount of processing that is being
used. The number displayed below the circular gauge indicates the exact
percentage displayed in the chart.
To view the configuration items tracked by the self-monitoring tool, complete the
following steps:
1. Start the Tivoli Enterprise Portal Server user interface.
2. Go to the IBM Tivoli Monitoring Navigator Physical view. This is the initial
view of the Navigator Physical view:
Enterprise
Operating Platform
The Operating Platform is one or more of the following systems:
v AIX systems
v Linux systems
v Solaris systems
v Windows systems
3. Click the Enterprise icon.
4. Right-click the Enterprise icon, then click Workspace → Tivoli Application
Dependency Discovery Manager Configuration Items The workspace opens.
The workspace includes the following information:
v A bar chart that provides the total number of configuration item changes in
the past week
v A bar chart that provides the totals for major configuration items, including,
system items, application items, network items, and storage items
v A plot chart that displays trends over time and among configuration items
v A table with a summary of situation events
5. (Optional) To sort the columns of the tables in the workspace, click the column
header. For example, in the Situation Events Console table, click the
LocalTimestamp column header to sort the messages by the time stamp. If the
messages are already sorted by time stamp, the sort order (ascending or
descending) is reversed.
The bar chart indicates the total number of configuration item changes over the
last seven days. The x-axis of the chart indicates the quantity.
The x-axis of the chart indicates the time in 10-second increments. For example, if
data collection begins at 10:22:35 (hh:mm:ss), there are entries along the x-axis for
10:22:35, 10:22:45, and 10:22:55. The y-axis of the chart indicates the quantity of
items.
- Filter Critical
Click the icon to display only Critical events.
- Filter Warning
Click the icon to display only Warning events.
- Filter Informational
Click the icon to display only Information events.
- Filter Open
Click the icon to display only Open events, including any events that were
reopened (acknowledgement removed) or whose acknowledgement
expired.
- Filter Acknowledged
Click the icon to display only Acknowledged events.
- Filter Stopped
Click the icon to display only Stopped situations.
- Filter Problem
Click the icon to display only Problem situations. These are situations that
are in error for some reason.
- Console Pause
A workspace control that you can use to pause the automatic refresh. Click
the icon to stop automatic refresh temporarily. You can manually refresh
the workspace if you want. Click the Resume Refresh button ( ) to
refresh the workspace and to resume automatic refresh.
Following the list of icons, there is text that provides details about filters that are
applied to the contents of the table. For the latest information about changing the
filters, refer to the IBM Tivoli Monitoring User’s Guide.
110 Administrator's Guide
Chapter 12. Integration with other Tivoli products
For extended capabilities in managing your IT environment, you can integrate the
Tivoli Application Dependency Discovery Manager (TADDM) with other Tivoli
products, including IBM Tivoli Business Service Manager, IBM Tivoli Monitoring,
and event management systems such as IBM Tivoli Enterprise Console® and IBM
Tivoli Netcool/OMNIbus.
In the Product Console and Domain Manager views, you can see more information
for the following component groupings:
v Application infrastructure
v Physical infrastructure
v Business applications
v Collections
v Business services
If both the TADDM server and the application from which TADDM is being
launched are not configured for a single sign-on, a sign-on window is shown.
Before you can view additional information in either the Product Console or the
Domain Manager, you must provide a user name and password.
The following list describes the valid values for each variable in the URL format:
Protocol
The Web protocol to use. Valid values are http or https.
TADDMHostname
The host name for the TADDM server to which you are launching.
TADDMPort
The port number for the TADDM server to which you are launching. The
default value is 9430.
The following examples show how to specify the URL to launch TADDM views:
URL for launching the Product Console, specifying only a GUID
http://home.taddm.com:9430/cdm/servlet/LICServlet?guid=BA2842345F693855A3165A4B5F0D8BDE
URL for launching the Product Console, specifying only a graph name
http://home.taddm.com:9430/cdm/servlet/LICServlet?graph=businessapplications
URL for launching the Product Console, specifying a graph name with GUID
http://home.taddm.com:9430/cdm/servlet/LICServlet?graph=app_software
&guid=213l3jlk120bksdf
URL for launching the Product Console to display the change history view, with
the change history starting 20 days prior to the current date
http://home.taddm.com:9430/cdm/servlet/LICServlet?guid=BA2842345F693855A3165A4B5F0D8BDE
&view=changehistory&days_previous=20
Important: You must only use credentials as part of the URL for launching
in context if you are using a trusted connection because the
user name and password are not encrypted.
To send change events from TADDM, you must have one or more of the following
event-handling systems installed:
v IBM Tivoli Monitoring 6.2.1 Fixpack 2, or later
v IBM Tivoli Enterprise Console version 3.9, or later
v IBM TivoliNetcool/OMNIbus 7.1, or later, including the Event Integration
Framework (EIF) Probe
If you want to send events to IBM Tivoli Netcool/OMNIbus 7.1 and IBM Tivoli
Enterprise Console 3.9 simultaneously, IBM Tivoli Enterprise Console should have
Fix Pack 7, or later, installed. If Fix Pack 6, or earlier, is installed, additional
configuration must be performed.
When a discovery completes, TADDM checks for changes to items being tracked
by external event-handling systems. If any are detected, they are sent, using EIF,
directly to IBM Tivoli Netcool/OMNIbus and/or IBM Tivoli Enterprise Console,
and to IBM Tivoli Monitoring using the Universal Agent.
IBM Tivoli Netcool/OMNIbus and IBM Tivoli Enterprise Console servers process
received events according to their internal rules and display them.
Configuring TADDM
To send change events, you must configure TADDM with information about the
event-handling systems to which you want to send change events.
To enable the sending of change event information, complete the following steps:
1. To enable change events, in the $COLLATION_HOME/etc/collation.properties
file, set the following property: com.ibm.cdb.omp.changeevent.enabled=true
2. To configure which resources are tracked for changes and to which
event-handling systems the events are sent, edit the $COLLATION_HOME/etc/
If you want to send events to IBM Tivoli Netcool/OMNIbus 7.1 and IBM Tivoli
Enterprise Console 3.9 simultaneously, IBM Tivoli Enterprise Console 3.9 Fix Pack
7 or later must be installed. If Fix Pack 6 or earlier is installed, you must use two
instances of the event module script (changeevents.sh on UNIX operating systems
or changeevents.bat on Windows operating systems), with each one loading a
separate EIF JAR file.
The default behavior in IBM Tivoli Netcool/OMNIbus versions prior to Version 7.3
is for all events from an event module to be combined into a single event, with the
Count attribute set to display the number of events that are contained in the
combined event. To modify this behavior, complete the following steps:
1. On the TADDM server, open the following file for editing:
$COLLATION_HOME/etc/omnibus.eif.properties
2. Set the following TADDMEvent_Slot properties property values:
TADDMEvent_Slot_sub_source=$TADDM_GUID
TADDMEvent_Slot_origin=$TADDM_OBJECT_NAME
TADDMEvent_Slot_hostname=$TADDM_OBJECT_NAME
TADDMEvent_Slot_msg='$TADDM_HOST $TADDM_PORT
$TADDM_CLASS_NAME $TADDM_OBJECT_NAME
$TADDM_ATTRIBUTE_NAME
$TADDM_CHANGE_TYPE $TADDM_GUID'
IBM Tivoli Enterprise Console event classes define each type of event. You can
define a TADDM event class if you do not want to use the generic TEC_Notice
class. To define a customized event class, complete the following steps:
1. Using BAROC notation, define a customized event class for TADDM change
events.
TEC_CLASS: TADDMEventClass ISA TEC_Notice
DEFINES {
TADDMEvent_Slot_TADDM_HOST: STRING;
TADDMEvent_Slot_TADDM_PORT: STRING;
TADDMEvent_Slot_TADDM_GUID: STRING;
TADDMEvent_Slot_TADDM_OBJECT_NAME: STRING;
TADDMEvent_Slot_TADDM_CHANGE_TYPE: STRING;
TADDMEvent_Slot_TADDM_CHANGE_TIME: STRING;
TADDMEvent_Slot_TADDM_CLASS_NAME: STRING;
TADDMEvent_Slot_TADDM_ATTRIBUTE_NAME: STRING;
TADDMEvent_Slot_TADDM_OLD_VALUE: STRING;
TADDMEvent_Slot_TADDM_NEW_VALUE: STRING;
severity: default = CRITICAL;
};
END
2. Import the event class into IBM Tivoli Enterprise Console. For information
about how to do this, see the IBM Tivoli Enterprise Console Rule Developer’s
Guide.
3. Update $COLLATION_HOME/tec.eif.properties to reflect the new event class.
To configure an IBM Tivoli Monitoring data provider, complete the following steps:
1. If you are running the Universal Agent on a Windows machine, complete the
following steps:
a. On the Windows machine where the Universal Agent is installed, click Start
→ IBM Tivoli Monitoring → Manage Tivoli Monitoring Services.
b. Right-click the Universal Agent and click Reconfigure.
c. In each of the two Agent Advanced Configuration windows, click OK.
d. To update the Universal Agent initialization file, click Yes. The KUMENV
file is opened in the system text editor.
e. Set the KUMA_STARTUP_DP value to POST:
KUMA_STARTUP_DP=POST
Note: Ensure that you spell the file name, KUMPOST, with uppercase letters,
as shown here.
l. Open a Windows command prompt and navigate to the %ITM_HOME%\TMAITM6
folder.
m. Run the KUMPCON.exe program to validate and import the KUMPOST metafile.
n. In the Manage Tivoli Monitoring Services window, right-click the Universal
Agent, and select Recycle.
2. If you are running the Universal Agent on a UNIX or Linux machine, complete
the following steps:
a. Reconfigure the universal agent using the following command:
itmcmd config – A um
When you are prompted for the data provider, enter POST.
b. In the $ITM_HOME/config directory, make a backup copy of the um.config
file, and then add the following entries to the original copy of the file:
# TADDM POST DP Parameters
KUMP_POST_DP_PORT=7575
KUMP_POST_GROUP_NAME=TADDM
KUMP_POST_APPL_TTL=14400
c. In the $ITM_HOME/interp/um/metafiles directory, create a text file. Enter the
following information in the file:
//APPl CONFIGCHANGE
//NAME dpPost E 3600
//ATTRIBUTES ';'
Post_Time T 16 Caption{Time}
Post_Origin D 32 Caption{Origination}
Post_Ack_Stamp D 28 Caption{Event time stamp}
Comp_Type D 512 Caption{Component type}
Comp_Name D 512 Caption{Component name}
Comp_Guid D 512 Caption{Component GUID}
Change_Type D 512 Caption{Change type}
Chg_Det_Time D 512 Caption{Change detection time}
Chg_Attr D 512 Caption{Changed attribute}
Srv_Addr D 512 Caption{TADDM server}
d. Save the file as KUMPOST.
Results
When configuration change events are received, their component name is checked.
If the component name matches that of the component you have specified in the
situation formula, the configured situation is triggered.
The hoursback parameter specifies the number of hours for which change
events are displayed. For example, setting hoursback to 6 displays all
change events in the previous six hours.
c. In the Location field of the second of the browser panes, type the URL of
the Object Details view in TADDM. When you have typed the URL, do not
press Enter.
http://$taddm_server$:$taddm_port$/cdm/servlet/LICServlet?console=web
&guid=$taddm_guid$
d. To save the new workspace, click File → Save.
To configure the workspace if you are using IBM Tivoli Monitoring 6.2.1, or
later, complete the following steps:
a. Configure the workspace to have one navigator pane and two browser
panes.
b. Click Edit → Properties.
c. In the Browser pane, select the first instance of Getting Started.
d. In the Style pane, select Use Provided Location.
e. Click OK.
f. In the Location field of one of the browser panes, type the URL of the
Change History view in TADDM. When you have typed the URL, do not
press Enter.
http://$taddm_server$:$taddm_port$/cdm/servlet/LICServlet?
view=changehistory&hoursback=10000&console=web&guid=$taddm_guid$
The hoursback parameter specifies the number of hours for which change
events are displayed. For example, setting hoursback to 6 displays all
change events in the previous six hours.
If you have active events in your change event report, a link icon is displayed next
to each table row. To move to the target workspace, click the link icon and select
Show Details. In the table row, values are substituted for symbols. In the
workspace, the Change History and Object Details panels are launched in context.
By default, TADDM does not indicate a business system as changed if one of the
computers it depends on has changed. To enable the sending of change events for
business systems, complete the following steps:
1. Open $COLLATION_HOME/etc/propagationserver.xml in an appropriate editor.
2. In the Computer System section, for the application and business system
relationship elements, set the value of the enabled attribute to true. For
example:
<relationship enabled="true" source="sys.ComputerSystem" attribute="groups"
target="app.Application" targetAttribute="true"
collectionType="app.FunctionalGroup" radius="1"/>
The explicitrel.sh script takes one optional parameter. There are three options
for specifying the parameter:
v If the parameter is not supplied, the program runs in delta mode. In delta mode,
explicit relationships are created only from the data that was added since the
last time the program ran.
If you need to generate explicit relationship data, but do not need to call methods
programmatically, you can run the included explicitrel.sh (explicitrel.bat)
script from the command line.
For the following tasks that you might need to do, the integration capabilities that
you should use are listed.
Table 7. User tasks with corresponding integration capabilities to use
Task Integration capabilities to use
Gain insight into availability by viewing the v “IBM Tivoli Monitoring sensor”
operating system settings, application
v “Launch in context” on page 124
settings, and change history of systems that
are monitored by IBM Tivoli Monitoring.
Ensure that operating systems and IBM DB2 v “IBM Tivoli Monitoring sensor”
databases that are discovered by TADDM
v “Monitoring Coverage report” on page
are monitored for availability.
123
View the availability and performance of v “IBM Tivoli Monitoring DLA” on page
systems that are discovered by TADDM. 123
v “Monitoring Coverage report” on page
123
Monitor a business application for v “IBM Tivoli Monitoring sensor”
configuration changes.
v “Change events” on page 124
v “Launch in context” on page 124
Monitor the availability of TADDM. v “Self-monitoring tool” on page 124
TADDM leverages the Tivoli Monitoring infrastructure in the following two ways:
v By obtaining the list of Tivoli Monitoring endpoints from the Tivoli Enterprise
Portal Server
v By using the Tivoli Monitoring infrastructure to run the CLI commands for the
IBM Tivoli Monitoring sensor on discovery targets and to capture the output of
those commands
The “IBM Tivoli Monitoring sensor” topic in the IBM Tivoli Application Dependency
Discovery Manager Sensor Reference describes the details of configuring the Tivoli
Monitoring sensor and contains troubleshooting information for any known
problems that might occur when deploying or using the sensor.
Instructions for running the DLA are included in the IBM Tivoli Monitoring 6.2.1
documentation that is available at http://publib.boulder.ibm.com/infocenter/
tivihelp/v15r1/index.jsp?topic=/com.ibm.itm.doc_6.2.1/main_win305.htm.
For information about loading the DLA-exported data into TADDM, see the
information about the bulk load program in the IBM Tivoli Application Dependency
Discovery Manager User’s Guide.
For information on troubleshooting the DLA, see “IBM Tivoli Monitoring DLA
problems ” in the IBM Tivoli Application Dependency Discovery Manager
Troubleshooting Guide.
Level 1 discovery using the IBM Tivoli Monitoring sensor enables the Monitoring
Coverage Summary of the Monitoring Coverage report. Loading the IBM Tivoli
Monitoring discovery library adapter (DLA) enables both the Monitoring Coverage
Summary and the Management Software System sections of the Monitoring
Coverage report.
Also see the information about the Monitoring Coverage pane in the IBM Tivoli
Application Dependency Discovery Manager User’s Guide.
Change events
You can configure TADDM to notify IBM Tivoli Monitoring when a change to a
discovered resource is detected.
“Sending change events to external systems” on page 114
You can configure TADDM to notify an external event-handling system when a
change to a discovered resource is detected.
“Configuring TADDM” on page 114
To send change events, you must configure TADDM with information about the
event-handling systems to which you want to send change events.
“Configuring an IBM Tivoli Monitoring data provider” on page 116
You can configure the Universal Agent initialization file to define a new data
provider.
“Configuring change events for a business system” on page 121
You can use the change event functionality to send a change event whenever a
business system is changed.
Self-monitoring tool
The self-monitoring tool of the Tivoli Application Dependency Discovery Manager
(TADDM) provides detailed tracking of performance and availability of the
TADDM server and its component processes. The self-monitoring tool is
instrumented with IBM Tivoli Monitoring 6.x.
Table 8. Topics that contain more information about the self-monitoring tool
Information Location of information
Overview Chapter 11, “Self-monitoring tool overview,” on page
99
Installation instructions, including Installation Guide, “Installing the self-monitoring tool”
troubleshooting the installation of
the tool
Troubleshooting problems during Troubleshooting Guide, “Self-monitoring tool problems”
use of the tool
Launch in context
With launch in context, you can view Tivoli Application Dependency Discovery
Manager (TADDM) data within the Tivoli Enterprise Portal views of IBM Tivoli
Monitoring.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information in softcopy form, the photographs and color
illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at http://www.ibm.com/legal/copytrade.shtml .
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA