Important

   

This version of the product has reached end of support. The documentation is available for your convenience.

Managing system parameters

System-wide parameters are centrally administered in the Edit System Parameters page. You can open the Edit System Parameters page by navigating to Admin > System Admin > System Parameters.

If a parameter is not checked, the feature is disabled. When you change a setting and click Save, the changes take effect immediately.

The system parameters are listed by their subsection.

Starting with version 8.9.01, the parameters in all these sections (except the External Integrations section) are present on the Details tab. The parameters in the External Integrations section are moved to a separate tab, External Integrations.

Security section (local mode user authentication)

The local mode user authentication portion of the Security section has the following parameters:

  • Disable inactive accounts after: (Optional) Select to disable user accounts after the specified number of days of inactivity. A user account is disabled in the system only when the user tries to log on after the defined inactivity period. Default is 90 days. Range is 5 to 90 days.
  • Require Users to Change Passwords After: (Optional) Select to specify the maximum age of user passwords; once a password is as old as the specified number of days, the user must change it at the next logon. Default is 90 days. Range is 14 to 90 days.
  • Prohibit Users from Reusing Last: (Optional) Select to specify how many entries are kept in each user's password history, which contains the N most recent passwords. When users change their password, they are not allowed to reuse any password that appears in their history. Default is 10. Range is from 1 to 10 passwords.
  • Minimum Password Length: Specify the minimum number of characters in a password; longer passwords are usually more secure. Range is from 6 to 255 characters.
  • Cannot Share User Name String: (Optional) Select to force passwords to be more secure by not allowing passwords and user names to share the same character strings. A change to this parameter is enforced at the next password change, not on existing passwords.
  • Must Contain a Lower-Case Letter: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one lower-case letter.
  • Must Contain an Upper-Case Letter: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one upper-case letter.
  • Must Contain a Number: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one decimal digit.
  • Must Contain a Special Character: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one special character.
  • Timeout User Session After: Specify when to automatically terminate a user session after the specified minutes of inactivity. Default is 30 minutes. Range is 10 to 720 minutes. A change to this parameter affects new logons only, not any user already logged on.
  • Timeout Telnet/SSH Sessions After: (Optional) Select to specify when to automatically terminate an interactive Telnet/SSH session after the specified minutes of inactivity. Range is 2 to 720 minutes. When not checked, Telnet/SSH sessions use the Timeout User Session After parameter. A change to this parameter affects new Telnet/SSH sessions only, not any session already open. The timeout applies only to the GUI-based popup window; it does not apply to sessions opened via the SSH proxy. The SSH proxy uses only the Timeout User Session After parameter.
  • Enable Rule Set Access Control Lists: (Optional) Select to restrict rule sets for view/edit/delete rights by user roles.
  • Enable Template Access Control Lists: (Optional) Select to restrict templates for view/edit/delete rights by user roles.
  • Disable Auto Device Security Profile: (Optional) Select to disable the Auto Device Security Profile.
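How the local-mode password rules above combine at a password change, shown as an added example that is not BMC code. The field names, the special-character set, the substring reading of Cannot Share User Name String, and the salted-hash password history are assumptions; the ranges are the ones documented on this page.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


@dataclass
class PasswordPolicy:
    # Field names are hypothetical; each mirrors one parameter in the list above.
    min_length: int                  # Minimum Password Length
    history_size: int = 10           # Prohibit Users from Reusing Last
    no_shared_username: bool = True  # Cannot Share User Name String
    need_lower: bool = True          # Must Contain a Lower-Case Letter
    need_upper: bool = True          # Must Contain an Upper-Case Letter
    need_digit: bool = True          # Must Contain a Number
    need_special: bool = True        # Must Contain a Special Character

    def __post_init__(self):
        # Ranges as documented on this page.
        if not 6 <= self.min_length <= 255:
            raise ValueError("Minimum Password Length range is 6 to 255")
        if not 1 <= self.history_size <= 10:
            raise ValueError("password history range is 1 to 10")


def _digest(password, salt):
    # The history keeps salted PBKDF2 digests, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def violations(policy, username, password, history):
    """Return the names of the rules the candidate breaks (empty list = accepted)."""
    found = []
    if len(password) < policy.min_length:
        found.append("Minimum Password Length")
    classes = [
        (policy.need_lower, string.ascii_lowercase, "Must Contain a Lower-Case Letter"),
        (policy.need_upper, string.ascii_uppercase, "Must Contain an Upper-Case Letter"),
        (policy.need_digit, string.digits, "Must Contain a Number"),
        # Assumption: "special character" means ASCII punctuation.
        (policy.need_special, string.punctuation, "Must Contain a Special Character"),
    ]
    for enabled, alphabet, rule in classes:
        if enabled and not any(ch in alphabet for ch in password):
            found.append(rule)
    if policy.no_shared_username and username:
        # Assumption: case-insensitive containment in either direction.
        user, cand = username.lower(), password.lower()
        if user in cand or cand in user:
            found.append("Cannot Share User Name String")
    # Only the N most recent entries count as history.
    recent = history[-policy.history_size:]
    if any(hmac.compare_digest(_digest(password, salt), stored)
           for salt, stored in recent):
        found.append("Prohibit Users from Reusing Last")
    return found


def change_password(policy, username, password, history):
    """Check the candidate; on success record it and trim the history to N entries."""
    broken = violations(policy, username, password, history)
    if not broken:
        salt = os.urandom(16)
        history.append((salt, _digest(password, salt)))
        del history[:-policy.history_size]
    return broken
```
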



Security section (external mode user authentication)

The external user authentication (Microsoft Active Directory, OpenLDAP, RADIUS, or TACACS+) portion of the Security section has the following parameters:

  • Disable inactive accounts after: (Optional) Select to disable a local user account after the specified number of days of inactivity. A user account is disabled in the system only when the user tries to log on after the defined inactivity period. Default is 90 days. Range is 5 to 90 days.
  • Automatically Add New Users As: (Optional) Select to specify a default role for new users. If a user authenticates against Active Directory, OpenLDAP, RADIUS, or TACACS+ and the user account does not exist in the TrueSight Network Automation system, you can elect to automatically create the account in the TrueSight Network Automation system for the selected role. If this feature is disabled, a user whose account does not exist in the TrueSight Network Automation system cannot log on. Default is disabled.
  • Timeout User Session After: Specify when to automatically terminate a user session after the specified minutes of inactivity. Default is 30 minutes. Range is 10 to 720 minutes. A change to this parameter affects new logons only, not any user already logged on.
  • Timeout Telnet/SSH Sessions After: (Optional) Select to specify when to automatically terminate an interactive Telnet/SSH session after the specified minutes of inactivity. Range is 2 to 720 minutes. When not checked, Telnet/SSH sessions use the Timeout User Session After parameter. A change to this parameter affects new Telnet/SSH sessions only, not any session already open. The timeout applies only to the GUI-based popup window; it does not apply to sessions opened via the SSH proxy. The SSH proxy uses only the Timeout User Session After parameter.
  • Enable Static Group Access Control Lists: (Optional) Select to allow fine-grained access control to groups and devices within groups. This access must be set up on the Network tab. See Managing static groups.
  • Enable Rule Set Access Control Lists: (Optional) Select to restrict rule sets for view/edit/delete rights by user roles.
  • Enable Template Access Control Lists: (Optional) Select to restrict templates for view/edit/delete rights by user roles.
  • Disable Auto Device Security Profile: (Optional) Select to disable the Auto Device Security Profile.


Site section

The Site section has the following parameters:

  • Site URL: Specify the URL of the site, up to 255 characters.
  • Site Name: (Optional) Specify the site name, up to 40 characters. This name is displayed in the upper right of the web user interface.
    If the Site Name field is left blank, the default is the TrueSight Network Automation application server host name and IP address separated by a slash ( / ) symbol.
  • Site Description: (Optional) Specify a plain-language description of the site, up to 255 characters.
    This parameter initially is blank. You can change it to any meaningful description.


Network section

The Network section has the following parameters:

  • SMTP Gateway: Specify the host name or IP address of the mail server for routing email notifications. If SMTP is not running on the server, you must change this value to a valid SMTP server for email notifications to work.
  • From Email Address: Specify the From address for email messages generated by TrueSight Network Automation, including job approvals, policy notifications, and emailed reports. The default is postmaster@localhost.
  • Reply to Email Address: Specify the Reply To address for email messages generated by TrueSight Network Automation, including job approvals, policy notifications, and emailed reports. The default is postmaster@localhost.


Device section

The Device section has the following parameters:

  • Timeout for Establishing Connection: Specify the timeout, in seconds, when trying to connect to a device to perform a configuration operation. Default is 60 seconds. Range is 15 to 1800 seconds.
  • Timeout for Re-establishing Connection After a Reboot: Specify the timeout, in seconds, when trying to re-establish a connection following a reboot. Default is 480 seconds. Range is 60 to 3600 seconds.
  • Timeout for Script File Transfers: Specify the timeout, in seconds, when waiting for a response to a device Snapshot, Deploy to Stored, or Deploy to Active action. Default is 120 seconds. Range is 5 to 1800 seconds.
  • Timeout for Image File Transfers: Specify the timeout, in seconds, to wait for an image file transfer to complete. Default is 420 seconds (that is, 7 minutes). Range is 5 to 172800 seconds. Some recommendations when establishing the system-wide timeout for image file transfers:
    • The larger the image, the longer the timeout should be. If you plan to transfer images as large as 45MB, the timeout should be no less than 900 seconds (that is, 15 minutes).
    • If you have stacked switches, you must allow time for the master to load all its switches; multiply the normal expected timeout by the number of stacked switches.
    • The speed of the network between the server and the device affects how long file transfers can take. You should account for your slowest WAN connection.
  • Device Action Login Stagger: Specify the time, in seconds, that TrueSight Network Automation should pause between device accesses, while starting up a span action on a realm, group, or multiple devices. This reduces the risk of overwhelming a shared external authentication server at the beginning of the span action with too many concurrent device login requests. By staggering the logins, the authentication server is better able to service all the requests and the span action is more likely to succeed. Default value of this parameter is 1. Range is 0 to 60, where 0 disables the stagger.
  • Number of Devices Displayed By SSH Proxy When Press Tab: (Optional) Specify the number of entries that must be displayed by the SSH Proxy when the Tab key is used for auto-completion of device names. Default is 10. Range is 10 to 250 entries.
  • Include Debug Trace in Communication Transcripts: Select to enable logging of low-level debug statements in the job transcripts for all device command/response interactions. For security purposes, login passwords are shown as {HIDDEN} in the transcript. When this parameter is enabled, span actions run slower. Therefore, enable this parameter only as directed by BMC technical support. When enabled, additional lines starting with the prefix DEBUG: are added to the transcript output, corresponding to the processing details of each <prompt>, <command>, and <response> XML tag from the device adapter being executed. You can override the value of this parameter on a per-job basis. For more information, see Creating a generic job.

    Warning

    Include Debug Trace in Communication Transcripts is a debug tool. BMC recommends that you enable it only when you are actively troubleshooting a device interaction issue. Leaving this setting on over long periods greatly increases the size of the TrueSight Network Automation database.

  • Retry Using Auto on Login Failures: (Optional) Select to have TrueSight Network Automation revert to Auto in an attempt to find a working access mode (for example, Telnet, SSH2) or DSP should a failure occur during device log on.
  • Perform Compliance Violations Check after Any Span Actions: (Optional) Select to have TrueSight Network Automation audit the compliance of configuration changes against a device's assigned and enabled rule sets for each span action. At any time, you can also audit a network span for compliance to assigned rule sets using the Network > Refresh Device Status action.
  • Perform Configuration Attribute Profiling after Any Span Actions: (Optional) Select to have TrueSight Network Automation match the Running configuration file against assigned Configuration Attribute Profiles for each span action to update the device inventory and perform required auto-grouping. At any time, you can also force profiling a network span based on assigned profiles using the Network > Refresh Device Status action.


Job section

The Job section has the following parameters:

  • Source of Device Login Username/Password for Jobs: Specify whether TrueSight Network Automation should use the device's assigned Device Security Profile (DSP) or require the user to enter the device's user name and password when a job (for example, Deploy to Active or Deploy OS Image) is submitted.

    Note

    All Snapshot jobs and policy jobs use DSP regardless of whether other credentials are provided or not.

  • Enable Job Approval for Actions: (Optional) Select to enable job approval for all actions requiring network operations and/or BMC Remedy Change Management approvals. You also must define the job approval types, including BMC Remedy Change Management approval, under Admin > Job Approval Types. Job approvals are not required for these passive actions: Snapshot, Assign Target, Log Event, Send Email, Send Trap. You can set a tag (requiresApproval) in a Custom Action script designating if approval is required.
  • Require User to Enter Change ID for Jobs: (Optional) Select to require the user to make an entry in the Change ID field on the job when the job contains one or more of the selected span actions.

Note

When BMC Remedy Change Management is enabled, be sure you require an entry in the Change ID field for all actions that are subject to BMC Remedy Change Management approval.


Other components 

The Other components section has the following parameters:

  • Perform Daily Rule Activation/Deactivation At: Specify the time at which the system should automatically find violations in newly activated compliance rules and clear violations in newly deactivated compliance rules. Default is 12:00 midnight.
  • Default Violation Severity For New Rules (new in 8.9.04.001): Define the default severity that is displayed in the Violation Severity list and is therefore assigned to a new rule when you add it via the Add Rule page. By default, Info is displayed in the list and assigned to a new rule.

Purging section 

The Purging section has the following parameters:

  • Purge Events After: Specify how many days of events are stored before purging events. Default is 90 days. Range is 7 to 366 days.
  • Purge Completed Jobs After: Specify how many days before deleting a completed job. Default is 90 days. Range is 7 to 366 days. Note that the job's creation date/time is the base for computing its age.
  • Separately Purge User-Initiated Jobs After: (Optional) Select to specify how many days before deleting a completed job that was initiated by a user. Default is not to use a separate age for these jobs. Range is 7 to 366 days.
    When this parameter is enabled, jobs that were originated by a user are purged using this age; jobs originated by a policy or by the TrueSight Network Automation system are purged using the value in the Purge Completed Jobs After parameter. When this field is disabled (the default setting), all jobs purge using the value in the Purge Completed Jobs After parameter.
  • Purge Dormant Policies After: Specify how many days before deleting a dormant policy. Default is 90 days. Range is 30 to 366 days.
  • Purge Generated Reports After: Specify how many days before a stored report or stored exported report is deleted (based on its completion date and time), to help reduce stale report data. Default is 1 day. Range is 1 to 14 days.

Note

If you set the values of these parameters to the maximum value (366 days), you might face performance issues because a large number of events, jobs, or policies will be stored before they are purged.


Export and import section

The Export/Import section has the following parameters:

  • Exported Configuration Filename: (Optional) Specify the default export file name for each configuration file.
    Options for specifying the configuration file name:

    Parameter               Description
    ${device.name}          Name field from the device record
    ${device.host}          Host Name/IP Address field from the device record
    ${config.timestamp}     Date/Time of the selected configuration to export
    ${config.trail}         Append Running or Startup to the file name
    ${localhostAddress}     Local host IP address
    ${localhostFullName}    Local host full name
    ${localhostName}        Local host name

    Example: ${device.name}:${config.timestamp}.cfg generates the filename:
    ATL-cisco1720-01: 07/21/05 15:29:31.cfg

  • Zipped Exported Configuration Filename: (Optional) Specify the .zip file name.
    Options for specifying the .zip file name:

    Parameter               Description
    ${config.trail}         Append Running or Startup to the file name
    ${current.date}         Current date
    ${current.time}         Current time
    ${localhostAddress}     Local host IP address
    ${localhostFullName}    Local host full name
    ${localhostName}        Local host name

  • Maximum Number of Details in Exported Reports: (Optional) When exporting a Summary report that includes Details, this is the maximum number of records for which details should be included in the exported report. This parameter is used to control the overall size of the report and memory usage in the TrueSight Network Automation system. For example, if you export with Details a Change Summary Report with 150 rows in the table, details for only the first 100 records are included in the exported report. By default, details for only the first 100 records are included. Range is 1 to 9999 detail records.
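An added example (not product code) that expands the ${...} placeholders listed for Exported Configuration Filename and Zipped Exported Configuration Filename, then replaces characters that are unsafe in file names, such as the ':' and '/' in the sample output above. Treating each placeholder list as exhaustive and the sanitizing step itself are assumptions; the page does not describe how the product handles such characters, and the function names are hypothetical.

```python
import re

# Placeholder names as listed on this page for each file name parameter.
CONFIG_PLACEHOLDERS = frozenset({
    "device.name", "device.host", "config.timestamp", "config.trail",
    "localhostAddress", "localhostFullName", "localhostName",
})
ZIP_PLACEHOLDERS = frozenset({
    "config.trail", "current.date", "current.time",
    "localhostAddress", "localhostFullName", "localhostName",
})

_TOKEN = re.compile(r"\$\{([^}]*)\}")
# Path separators, characters reserved on common file systems, and ASCII
# control characters.
_UNSAFE = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def expand(template, values, allowed=CONFIG_PLACEHOLDERS):
    """Substitute ${name} tokens, rejecting names outside the allowed set."""
    def substitute(match):
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"unknown placeholder: ${{{name}}}")
        if name not in values:
            raise ValueError(f"no value supplied for ${{{name}}}")
        return str(values[name])
    return _TOKEN.sub(substitute, template)


def safe_filename(name, replacement="_"):
    """Replace unsafe characters and refuse empty or dot-only results."""
    cleaned = _UNSAFE.sub(replacement, name).strip(" .")
    if not cleaned:
        raise ValueError("file name is empty after sanitizing")
    return cleaned


def export_filename(template, values, allowed=CONFIG_PLACEHOLDERS):
    """Expand the template, then sanitize the whole result as a single name."""
    return safe_filename(expand(template, values, allowed))


if __name__ == "__main__":
    # Values taken from the page's sample output; the dict itself is constructed.
    sample = {
        "device.name": "ATL-cisco1720-01",
        "config.timestamp": "07/21/05 15:29:31",
    }
    print(export_filename("${device.name}:${config.timestamp}.cfg", sample))
```

Sanitizing the expanded result as a whole, rather than only the template, matters because values such as the device name and timestamp are substituted after the administrator saves the setting.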


Auto-grouping section

The Auto-Grouping section has the following parameters:

  • Vendor Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by vendor. If this option is enabled, specify the auto-group prefix. For example, using Vendor as the prefix for auto-grouping by vendor results in auto-groups named as follows: Vendor.Cisco, Vendor.Extreme, Vendor.Foundry, and so on.
  • Device Type Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by device type. If this option is enabled, specify the auto-group prefix.
  • Device Category Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by device category. If this option is enabled, specify the auto-group prefix.
  • Model Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by device model. If this option is enabled, specify the auto-group prefix.
  • OS Image Name Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by OS Image name. If this option is enabled, specify the auto-group prefix.
  • OS Major/Minor Release Auto Grouping, Using Prefix: (Optional) Select to enable auto-grouping by OS major or minor release. If this option is enabled, specify the auto-group prefix.

Note

When you disable any auto-grouping parameter, the devices in that auto-group are no longer members of that group. However, the emptied auto-groups are not deleted automatically from the realms unless you stop and then start the web server service. At system startup, TrueSight Network Automation automatically deletes any empty unreferenced auto-groups. If an auto-group is in use, it is not deleted.


Tracking the auto-grouping process state by events


The following events are triggered to indicate the state of the auto-grouping process:

  • Component side effects queued for execution
  • Device side effects started; caused by system parameters change
  • Component side effects completed

Recommendation

For large databases (5K+ devices), BMC recommends that you add auto-groups one at a time and wait for the completion event between the addition of groups. If the completion event does not appear in 24 hours, disable, and then reenable the auto-group.


External integrations section

Note

Starting with version 8.9.01, the parameters in this section have been moved to a separate tab, External Integrations.

The External Integrations section has the following parameters:

  • Enable Web Services Registry Integration: (Optional) Selecting this option does the following:

    • Registers the TrueSight Network Automation web services in the Web Service registry. This enables other web service based integrations (such as a customized web services client) to dynamically obtain endpoint information for those services from the registry.
    • TrueSight Network Automation dynamically obtains endpoint information from the registry for other systems that integrate using web services, such as BMC Atrium CMDB and TrueSight Orchestration.

      Note

      The web services registry is installed as part of the BMC Atrium Core installer version 7.6.

    • Web services base URL: The base URL for registry web services in the format: protocol://hostname:port/uddi/services.
      For example, http://myregistry:8080/uddi/services would be the base URL if http://myregistry:8080/uddi/services/inquiry?wsdl is a WSDL URL.
    • User name: The user name for accessing the web services registry. This user must have permission to add and delete registered web services.
    • Password: The password associated with the above user name for accessing the registry.
    • Confirm Password: Confirm the password for accessing the registry.
    • Optional Service Registration Information: Select this option if you want to add additional details that are associated with TrueSight Network Automation web services registered in the web services registry.
      • Description: Description of the server
      • Geography: Region or location of the server
      • Organization: Organization or business unit that owns the server
      • Quality of Service: These optional details are typically used for disambiguation if a site has deployed multiple TrueSight Network Automation application servers. For example, Geography can be used to identify which region an application server manages.
        Any client programs written to consume TrueSight Network Automation web services can use the optional details to route their web service requests to the appropriate application server.
  • Enable TrueSight Orchestration Integration: (Optional) Select to enable integration with TrueSight Orchestration.

    • Web Service Endpoint URL (Required only if you have not enabled the web services registry integration): Specify the endpoint URL of your TrueSight Orchestration web service in the following format: protocol://hostName:port/baocdp/orca?wsdl
      For example, http://myserver:8080/baocdp/orca?wsdl.
    • User name: The user name for accessing the TrueSight Orchestration system. User must have privileges to run the associated TrueSight Network Automation workflows.
    • Password: The password associated with the above user name for accessing the TrueSight Orchestration system.
    • Confirm Password: Confirm the password for accessing the TrueSight Orchestration system.
    • Grid Name: Name of the TrueSight Orchestration grid on which the TrueSight Network Automation workflows are running.
    • Enable Continuous Compliance for Network Automation: (Optional) Select to enable integration with the BMC Remedy ITSM continuous compliance workflows.
      • Remedy Username for Jobs created by Policies: User name assigned to the Requested By field in the Remedy change ticket for jobs that were created by a non-user (for example, the system or a policy). Auto-Remediate policies that require Remedy approval use this Remedy user name when TrueSight Orchestration creates a change ticket.
  • Enable CMDB Integration: Select this option to enable device imports from BMC Atrium CMDB:

    • Web Service Endpoint URL: (Required only if you have not enabled the web services registry integration) Enter the endpoint URL of the BMC Atrium CMDB web service in the form: http://<AtriumWebServicesServer>:<Port>/cmdbws/server/cmdbws or https://<AtriumWebServicesServer>:<port>/cmdbws/server/cmdbws.

      Example

      http://cmdb-server:8080/cmdbws/server/cmdbws

    • Username: The user name for accessing BMC Atrium CMDB.
    • Password: The password associated with the above username for accessing the web services registry.
    • Confirm Password: Confirm the password for accessing BMC Atrium CMDB.
  • Enable OAuth Integration (new in 8.9.04): (Optional) Select this option if you want to enable Single Sign-On (SSO) authentication for non-GUI based interfaces, such as REST APIs, SOAP services, and SSH Proxy.

    Note

    For information about the prerequisites needed to support SSO for non-GUI based interfaces, see Supporting SSO for non-GUI based interfaces.

    Enter values for the following parameters, which you can obtain from the IdP server after registering TrueSight Network Automation on the IdP server as an OAuth application: 

    • Token Service Endpoint URL: The URL for authenticating TrueSight Network Automation users to an OAuth server when the users log into the system via non-interactive means (SSH proxy or web services). For example, https://myserver.ssoview.com/oauth2/default/v1/token.
    • Client ID: The client ID, a public identifier for applications, is created when TrueSight Network Automation is registered with OAuth. For example, 0oaxy254GryAFtz.
    • Client Secret: The client secret, a secret known only to the applications and the authorization servers, is created when TrueSight Network Automation is registered with OAuth. For example, 8vrwTWvw5Wtu8Sunt.
    • Scope: One or more scope values indicating which parts of a user's account the application can access. For example, offline_access.
    • Perform One-Time Validation of OAuth Parameters: Select this option if you want to validate the OAuth server information.

      • Temporary Username: User name that you want to authenticate. This user name is not stored in the database; it is used only for validation. For example, jjacob@try.com.
      • Temporary Password: Password for the temporary user. This password is not stored in the database; it is used only for validation.


Related topic

Configuring system-wide attributes
