Managing system parameters
System-wide parameters are centrally administered in the System Parameters page (Edit System Parameters in 20.02 and earlier versions). To view the system parameters, go to Admin > System Admin > System Parameters.
To edit a system parameter, click Edit on the System Parameters page, change its value, and click Save.
If a parameter is not checked, the feature is disabled. When you change a setting and click Save, the changes take effect immediately.
The system parameters are listed by their subsection.
Security section (local mode user authentication)
The local mode user authentication portion of the Security section has the following parameters:
- Disable Inactive User Accounts: (Optional) Select to disable user accounts after a specified number of days of inactivity. A user account is disabled in the system only when the user tries to log on after the defined inactivity period. Default is 90 days. Range is 5 to 90 days.
- Enable Requiring Users to Change Passwords After: (Optional) Select to specify the maximum age of user passwords; once a password reaches the specified age in days, the user needs to change it on the next logon. Default is 90 days. Range is 14 to 90 days.
- Enable Prohibiting Users from Reusing Last Passwords: (Optional) Select to specify how many entries are in each user's password history, which contains the N most recent passwords. When a user changes their password, they cannot reuse any password that appears in their history. Default is 10. Range is from 1 to 10 passwords.
- Minimum Password Length: Specify the minimum number of characters in a password; longer passwords are usually more secure. Range is from 6 to 255 characters.
- Increased Password Strength:
- Password Cannot Share User Name String: (Optional) Select to force passwords to be more secure by not allowing passwords and user names to share the same character strings. A change to this parameter is enforced at the next password change, not on existing passwords.
- Password Must Contain a Lower-Case Letter: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one lower case letter.
- Password Must Contain an Upper-Case Letter: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one upper case letter.
- Password Must Contain a Number: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one decimal digit.
- Password Must Contain a Special Character: (Optional) Select to force passwords to be more secure by ensuring that the password includes at least one special character.
- Timeout User Sessions After Minutes: Specify when to automatically terminate a user session after the specified minutes of inactivity. Default is 30 minutes. Range is 10 to 720 minutes. A change to this parameter affects new logons only, not any user already logged on.
- Enable Timeout for Telnet/SSH Sessions: (Optional) Select to specify when to automatically terminate an interactive Telnet/SSH Session after the specified minutes of inactivity. Range is 2 to 720 minutes. When not checked, Telnet/SSH Sessions use the Timeout User Session After parameter. A change to this parameter affects new Telnet/SSH Sessions only, not any session already open. The timeout applies only to the GUI-based popup window; it does not apply to sessions opened via the SSH proxy. The SSH proxy uses only the Timeout User Sessions After parameter.
- Access Control Lists:
- Enable Static Group Access Control Lists: (Optional) Select to allow fine-grained access control to groups and devices within groups. This access must be set up on the Network tab. See Managing static groups.
- Enable Rule Set Access Control Lists: (Optional) Select to restrict rule sets for view/edit/delete rights by user roles.
- Enable Template Access Control Lists: (Optional) Select to restrict templates for view/edit/delete rights by user roles.
- Disable Auto Device Security Profile: (Optional) Select to disable the Auto Device Security Profile.
Security section (external mode user authentication)
The external user authentication (Microsoft Active Directory, OpenLDAP, RADIUS, or TACACS+) portion of the Security section has the following parameters:
- Disable Inactive User Accounts: (Optional) Select to disable a local user account after a specified number of days of inactivity. A user account is disabled in the system only when the user tries to log on after the defined inactivity period. Default is 90 days. Range is 5 to 90 days.
- Automatically Add New Users As: (Optional) Select to specify a default role for new users. If a user authenticates to an Active Directory, OpenLDAP, RADIUS, or TACACS+ server and the user account does not exist in the TrueSight Network Automation system, you can elect to automatically create the account in the Network Automation system for the selected role. If this feature is disabled, a user without an existing account cannot log on. Default is disabled.
- Timeout User Session After Minutes: Specify when to automatically terminate a user session after the specified minutes of inactivity. Default is 30 minutes. Range is 10 to 720 minutes. A change to this parameter affects new logons only, not any user already logged on.
- Enable Timeout for Telnet/SSH Sessions After: (Optional) Select to specify when to automatically terminate an interactive Telnet/SSH Session after the specified minutes of inactivity. Range is 2 to 720 minutes. When not checked, Telnet/SSH Sessions use the Timeout User Session After parameter. A change to this parameter affects new Telnet/SSH Sessions only, not any session already open. The timeout applies only to the GUI-based popup window; it does not apply to sessions opened via the SSH proxy. The SSH proxy uses only the Timeout User Sessions After parameter.
- Access Control Lists
- Enable Static Group Access Control Lists: (Optional) Select to allow fine-grained access control to groups and devices within groups. This access must be set up on the Network tab. See Managing static groups.
- Enable Rule Set Access Control Lists: (Optional) Select to restrict rule sets for view/edit/delete rights by user roles.
- Enable Template Access Control Lists: (Optional) Select to restrict templates for view/edit/delete rights by user roles.
- Disable Auto Device Security Profile: (Optional) Select to disable the Auto Device Security Profile.
Site section
The Site section has the following parameters:
- Site URL: Specify the URL of the site, up to 255 characters.
- Site Name: (Optional) Specify the site name, up to 40 characters. This name is displayed in the upper right of the web user interface.
If the Site Name field is left blank, the default is the Network Automation application server host name and IP address separated by a slash ( / ) symbol.
- Site Description: (Optional) Specify a plain-language description of the site, up to 255 characters.
This parameter initially is blank. You can change it to any meaningful description.
Network section
The Network section has the following parameters:
- SMTP Gateway: Specify the host name or IP address of the mail server for routing email notifications. If SMTP is not running on the server, you must change this value to a valid SMTP server for email notifications to work.
- SMTP Server Port: Specify the port number of the mail server. The default value is 25.
- Encryption Type: Select one of the following options to specify whether email notifications need to be encrypted if the mail server supports encryption:
- No Encryption
- SSL/TLS
- StartTLS
- Enable SMTP Server Authentication: Select this option and specify the user name and password, in case authentication is required by the SMTP mail server:
- SMTP Server Username
- SMTP Server Password
- From Email Address: Specify the From address for email messages generated by Network Automation, including job approvals, policy notifications, and emailed reports. The default is postmaster@localhost.
- Reply To Email Address: Specify the Reply To address for email messages generated by Network Automation, including job approvals, policy notifications, and emailed reports. The default is postmaster@localhost.
Device section
The Device section has the following parameters:
- Timeout in Seconds for Establishing Device Connection: Specify the timeout, in seconds, when trying to connect to a device to perform a configuration operation. Default is 60 seconds. Range is 15 to 1800 seconds.
- Timeout in Seconds for Re-Establishing Device Connection After a Reboot: Specify the timeout, in seconds, when trying to re-establish a connection following a reboot. Default is 480 seconds. Range is 60 to 3600 seconds.
- Timeout in Seconds for Device Script File Transfers: Specify the timeout, in seconds, when waiting for a response to a device Snapshot, Deploy to Stored, or Deploy to Active action. Default is 120 seconds. Range is 5 to 1800 seconds.
- Timeout in Seconds for Device OS Image File Transfers: Specify the timeout, in seconds, to wait for an image file transfer to complete. Default is 420 seconds (that is, 7 minutes). Range is 5 to 172800 seconds. Some recommendations when establishing the system-wide timeout for image file transfers:
- The larger the image, the longer the timeout should be. If you plan to transfer images as large as 45MB, the timeout should be no less than 900 seconds (that is, 15 minutes).
- If you have stacked switches, you must allow time for the master to load all its switches; multiply the normal expected timeout by the number of stacked switches.
- The speed of the network between the server and the device affects how long file transfers can take. You should account for your slowest WAN connection.
- Device Action Login Stagger: Specify the time, in seconds, that Network Automation should pause between device accesses, while starting up a span action on a realm, group, or multiple devices. This reduces the risk of overwhelming a shared external authentication server at the beginning of the span action with too many concurrent device login requests. By staggering the logins, the authentication server is better able to service all the requests and the span action is more likely to succeed. Default value of this parameter is 1. Range is 0 to 60, where 0 disables the stagger.
- Number of Devices Displayed By SSH Proxy When Press Tab: (Optional) Specify the number of entries that must be displayed by the SSH Proxy when the Tab key is used for auto-completion of device names. Default is 10. Range is 10 to 250 entries.
- Enable Debug Trace in Device Communication Transcripts: Select to enable logging of low-level debug statements in the job transcripts for all device command/response interactions. For security purposes, login passwords are shown as {HIDDEN} in the transcript. When this parameter is enabled, span actions run slower. Therefore, enable this parameter only as directed by BMC technical support. When enabled, additional lines starting with the prefix DEBUG: are added to the transcript output corresponding to the processing details of each <prompt>, <command>, and <response> XML tag from the device adapter being executed. You can override the value of this parameter on a per-job basis. For more information, see Creating a generic job.
- Enable Retry Using Auto on Device Login Failures: (Optional) Select to have Network Automation revert to Auto in an attempt to find a working access mode (for example, Telnet, SSH2) or DSP should a failure occur during device log on.
- Perform Compliance Violation Check After Any Span Actions: (Optional) Select to have Network Automation audit the compliance of configuration changes against a device's assigned and enabled rule sets for each span action. At any time, you can also audit a network span for compliance to assigned rule sets using the Network > Refresh Device Status action.
- Perform Configuration Attribute Profiling After Any Span Actions: (Optional) Select to have Network Automation match the Running configuration file against assigned Configuration Attribute Profiles for each span action to update the device inventory and perform required auto-grouping. At any time, you can also force profiling a network span based on assigned profiles using the Network > Refresh Device Status action.
- (Applicable only for versions 20.02 and 20.02.01) Use Secondary NAT Address For Devices: (Optional) Select to use the secondary NAT address instead of the primary NAT address to be used by the device to access the device agent or proxy file server. If secondary NAT address is disabled, primary NAT address is used. Starting from version 20.02.02, this parameter can be configured at the device agent level.
- Enable Event Logging for the Successful Snapshot Action After a Failure: (Optional) Select to log an event when a snapshot action succeeds after failing as part of a previous job run. The Events page shows an Info type of event when the snapshot action succeeds. By default, this parameter is disabled.
Job section
The Job section has the following parameters:
- Use Device Security Profile as Source of Device Login Username/Password for Jobs: Specify whether Network Automation should use the device's assigned Device Security Profile (DSP) or require the user to enter the device's user name and password when a job (for example, Deploy to Active or Deploy OS Image) is submitted.
- Enable Job Approval for Selected Actions: (Optional) Select to enable job approval for all actions requiring network operations and/or BMC Remedy Change Management approvals. You also must define the job approval types, including BMC Remedy Change Management approval, under Admin > Job Approval Types. Job approvals are not required for these passive actions: Snapshot, Assign Target, Log Event, Send Email, Send Trap. You can set a tag (requiresApproval) in a Custom Action script designating if approval is required.
- Enable Requiring User to Enter Change ID for Jobs: (Optional) Select to require the user to make an entry in the Change ID field on the job when the job contains one or more of the selected span actions.
Other components
The Other components section has the following parameters:
- Daily Rule Activation/Deactivation Hour: Specify the time at which the system should automatically find violations in newly activated compliance rules and clear violations in newly deactivated compliance rules. Default is 12:00 midnight.
- Default Violation Severity For New Rules: Define the default severity to be displayed in the Violation Severity list, hence to be assigned to a new rule when adding it via the Add Rule page. By default, Info is displayed in the list and assigned to a new rule.
- Display Discrepancy and Compliance Violation Details Dashboard: Select to display the Discrepancy and Compliance Violation Details dashboard on the Dashboard page. By default, this option is not selected and the dashboard does not appear on the Dashboard page.
Purging section
The Purging section has the following parameters:
- Purge Events After: Specify how many days of events are stored before purging events. Default is 90 days. Range is 7 to 366 days.
- Purge Completed Jobs After: Specify how many days before deleting a completed job. Default is 90 days. Range is 7 to 366 days. Note that the job's creation date/time is the base for computing its age.
- Enable Separate Purge of User-Initiated Jobs After: (Optional) Select to specify how many days before deleting a completed job that was initiated by a user. Default is not to use a separate age for these jobs. Range is 7 to 366 days.
When this parameter is enabled, jobs that were originated by a user are purged using this age; jobs originated by a policy or by the Network Automation system are purged using the value in the Purge Completed Jobs After parameter. When this field is disabled (the default setting), all jobs purge using the value in the Purge Completed Jobs After parameter.
- Purge Dormant Policies After: Specify how many days before deleting a dormant policy. Default is 90 days. Range is 30 to 366 days.
- Purge Generated Reports After: Specify how many days before a stored report or stored exported report is deleted (based on its completion date and time), to help reduce stale report data. Default is 1 day. Range is 1 to 14 days.
Export and import section
The Export/Import section has the following parameters:
- Exported Configuration Filename: (Optional) Specify the default export file name for each configuration file.
Options for specifying the configuration file name:
Example: ${device.name}:{config.timestamp}.cfg generates the filename:
ATL-cisco1720-01: 07/21/05 15:29:31.cfg
- Zipped Exported Configuration Filename: (Optional) Specify the .zip file name.
Options for specifying the .zip file name:
- Maximum Number of Details in Exported Reports: (Optional) When exporting a Summary report that includes Details, this is the maximum number of records for which details should be included in the exported report. This parameter is used to control the overall size of the report and memory usage in the Network Automation system. For example, if you export with Details a Change Summary Report with 150 rows in the table, details for only the first 100 records are included in the exported report. By default, details for only 100 records are included. Range is 1 to 9999 detail records.
- Enable OS Image Filename Filtering: (Optional) Specify whether to restrict OS image files to those that meet file naming criteria. When enabled, you must enter one or more regular expressions for matching on the file names. Then, choose to match as a whitelist (where a file name must match at least one of the entered regular expressions in order to be accepted) or a blacklist (where a file name must not match any of the regular expressions in order to be accepted). For example, to restrict OS image files to those with a .bin extension, enable filtering, choose Whitelist, and enter .*\.bin into the patterns. The file name matching is case insensitive. When this parameter is enabled, the filtering affects the images you can save into the OS image library and the image files you can deploy via the Deploy OS Image action.
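The whitelist and blacklist behaviour described above, modelled as an added example (not BMC code) so that candidate patterns can be checked against sample file names before they are entered. It assumes a pattern must match the whole file name and uses Python's re module as a stand-in for the product's regex engine, neither of which the page states; the function names and sample file names are constructed for illustration.

```python
import re

WHITELIST = "whitelist"
BLACKLIST = "blacklist"


def filename_accepted(filename, patterns, mode, whole_name=True):
    """Return True if the filter would accept `filename`.

    whitelist: the name must match at least one pattern.
    blacklist: the name must not match any pattern.
    Matching is case insensitive, as the page states.
    whole_name=True is an assumption (pattern must cover the entire name);
    whole_name=False models substring matching for comparison.
    """
    if mode not in (WHITELIST, BLACKLIST):
        raise ValueError(f"unknown mode: {mode!r}")
    if not patterns:
        raise ValueError("filtering requires one or more patterns")
    try:
        compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    except re.error as exc:
        raise ValueError(f"invalid regular expression: {exc}") from exc
    if whole_name:
        hit = any(c.fullmatch(filename) for c in compiled)
    else:
        hit = any(c.search(filename) for c in compiled)
    return hit if mode == WHITELIST else not hit


def review_patterns(patterns, mode, samples):
    """Map each sample name to (whole-name verdict, substring verdict).

    A name whose two verdicts differ shows that the pattern relies on
    whole-name matching and should be anchored explicitly or tightened.
    """
    return {
        name: (
            filename_accepted(name, patterns, mode, whole_name=True),
            filename_accepted(name, patterns, mode, whole_name=False),
        )
        for name in samples
    }


# Constructed sample file names (not taken from the page).
SAMPLES = [
    "c2960-lanbasek9-mz.150-2.SE11.bin",  # ordinary image name
    "C2960-LANBASEK9-MZ.150-2.SE11.BIN",  # same name in upper case
    "c2960-lanbasek9-mz.bin.old",         # .bin is not the final extension
    "notes.txt",                          # not an image at all
]

if __name__ == "__main__":
    # The page's own example: whitelist with the pattern .*\.bin
    report = review_patterns([r".*\.bin"], WHITELIST, SAMPLES)
    for name, (whole, sub) in report.items():
        flag = "  <-- verdicts differ" if whole != sub else ""
        print(f"{name:36} whole-name={whole!s:5} substring={sub!s:5}{flag}")
```

If the two verdicts differ for a name that must be rejected, tighten the pattern (for example, by anchoring the extension) and confirm the result in the product itself.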
Auto-grouping section
The Auto-Grouping section has the following parameters:
- Enable Vendor Auto-Grouping: (Optional) Select to enable auto-grouping by vendor. If this option is enabled, specify the auto-group prefix. For example, using Vendor as the prefix for auto-grouping by vendor results in auto-groups named as follows: Vendor.Cisco, Vendor.Extreme, Vendor.Foundry, and so on.
- Enable Device Type Auto-Grouping: (Optional) Select to enable auto-grouping by device type. If this option is enabled, specify the auto-group prefix.
- Enable Device Category Auto-Grouping: (Optional) Select to enable auto-grouping by device category. If this option is enabled, specify the auto-group prefix.
- Enable Model Auto-Grouping: (Optional) Select to enable auto-grouping by device model. If this option is enabled, specify the auto-group prefix.
- Enable OS Image Name Auto-Grouping: (Optional) Select to enable auto-grouping by OS Image name. If this option is enabled, specify the auto-group prefix.
- Enable OS Major/Minor Release Auto-Grouping: (Optional) Select to enable auto-grouping by OS major or minor release. If this option is enabled, specify the auto-group prefix.
Tracking the auto-grouping process state by events
The following events are triggered to indicate the state of the auto-grouping process:
- Component side effects queued for execution
- Device side effects started; caused by system parameters change
- Component side effects completed
External integrations section
The External Integrations section has the following parameters:
- Enable Web Services Registry Integration: (Optional) Selecting this option does the following:
- Registers the TrueSight Network Automation web services in the Web Service registry. This enables other web service based integrations (such as a customized web services client) to dynamically obtain endpoint information for those services from the registry.
- Network Automation dynamically obtains endpoint information from the registry for other systems that integrate using web services, such as BMC Atrium CMDB and TrueSight Orchestration.
- Web Services Registry Base URL: The base URL for registry web services in the format: protocol://hostname:port/uddi/services.
For example, http://myregistry:8080/uddi/services would be the base URL if http://myregistry:8080/uddi/services/inquiry?wsdl is a WSDL URL.
- Web Services Registry Username: The user name for accessing the web services registry. This user must have permission to add and delete registered web services.
- Web Services Registry Password: The password associated with the above user name for accessing the registry.
- Web Services Registry Confirm Password: Confirm the password for accessing the registry.
- Enable Optional Service Registration Information: Select this option if you want to add additional details that are associated with TrueSight Network Automation web services registered in the web services registry.
- Web Services Registry Description: Description of the server
- Web Services Registry Geography: Region or location of the server
- Web Services Registry Organization: Organization or business unit that owns the server
- Web Services Registry Quality of Service
These optional details are typically used for disambiguation if a site has deployed multiple TrueSight Network Automation application servers. For example, Geography can be used to identify which region an application server manages.
Any client programs written to consume TrueSight Network Automation web services can use the optional details to route their web service requests to the appropriate application server.
- Enable TrueSight Orchestration Integration: (Optional) Select to enable integration with TrueSight Orchestration.
- Web Services Registry Endpoint URL (Required only if you have not enabled the web services registry integration): Specify the endpoint URL of your TrueSight Orchestration web service in the following format: protocol://hostName:port/baocdp/orca?wsdl
For example, http://myserver:8080/baocdp/orca?wsdl.
- TrueSight Orchestration User Name: The user name for accessing the TrueSight Orchestration system. The user must have privileges to run the associated Network Automation workflows.
- TrueSight Orchestration Password: The password associated with the above user name for accessing the TrueSight Orchestration system.
- TrueSight Orchestration Confirm Password: Confirm the password for accessing the TrueSight Orchestration system.
- TrueSight Orchestration Grid Name: Name of the TrueSight Orchestration grid on which the Network Automation workflows are running.
- Enable Continuous Compliance for Network Automation: (Optional) Select to enable integration with the BMC Remedy ITSM continuous compliance workflows.
- External Change Manager Username for Jobs Created by Policies: User name assigned to the Requested By field in the Remedy change ticket for jobs that were created by a non-user (for example, the system or a policy). Auto-Remediate policies that require Remedy approval use this Remedy user name when TrueSight Orchestration creates a change ticket.
- Web Services Registry Endpoint URL (Required only if you have not enabled the web services registry integration): Specify the endpoint URL of your TrueSight Orchestration web service in the following format: protocol://hostName:port/baocdp/orca?wsdl
- Enable CMDB Integration: Select this option to enable device imports from BMC Atrium CMDB:
- Web Services Registry Endpoint URL: (Required only if you have not enabled the web services registry integration) Enter the endpoint URL of the BMC Atrium CMDB web service in the form: http://<AtriumWebServicesServer>:<Port>/cmdbws/server/cmdbws or https://<AtriumWebServicesServer>:<port>/cmdbws/server/cmdbws.
- CMDB Username: The user name for accessing BMC Atrium CMDB.
- CMDB Password: The password associated with the above username for accessing the web services registry.
- CMDB Confirm Password: Confirm the password for accessing BMC Atrium CMDB.
- Enable OAuth Integration: (Optional) Select this option if you want to enable SAML 2.0 authentication for non-GUI based interfaces, such as REST APIs, SOAP services, and SSH Proxy.
Enter values for the following parameters, which you can obtain from the IdP server after registering TrueSight Network Automation on the IdP server as an OAuth application:
- Token Service Endpoint URL: The URL for authenticating TrueSight Network Automation users to an OAuth server when the users log into the system via non-interactive means (SSH proxy or web services). For example, https://myserver.ssoview.com/oauth2/default/v1/token.
- Client ID: The client ID, a public identifier for applications, is created when TrueSight Network Automation is registered with OAuth. For example, .0oaxy254GryAFtz
- Client Secret: The client secret, a secret known only to the applications and the authorization servers, is created when TrueSight Network Automation is registered with OAuth. For example, 8vrwTWvw5Wtu8Sunt.
- Scope: One or more scope values indicating which parts of a user's account the application can access. For example, offline_access.
- Perform One-Time Validation of OAuth Parameters: Select this option if you want to validate the OAuth server information.
- Temporary Username: User name for which you want to authenticate. This user name is not stored in the database. It is used only for validation. For example, jjacob@try.com.
- Temporary Password: Password for the temporary user. This password is not stored in the database. It is used only for validation.