3.1 Orchestration Server Object

The highest object in the Explorer Tree is the Orchestration Server Object, sometimes called the Grid Server object because it represents the Orchestration Server acting as the holding place for all of the information used to manage objects for a single computing grid.

The Orchestration Console is version aware. When the console launches or when server discovery is manually run, the console recognizes both current Orchestration Server installations and old installations of discovered servers and displays their icons accordingly. This visual cue helps you to recognize when older Orchestration Servers need to be upgraded.

Figure 3-1 Current and “Old” Server Objects

The tool tip for an Orchestration Server lists its RMI configuration, its IP address, the directory location where the server instance was installed, and its exact version number.

The icons to the right of a current Orchestration Server represent its policies, either those added by default upon server install and configuration, or those added later. A drop-down menu of all associated policies is opened when you right-click a policy icon. From there, you can select a policy to open in the Policy Editor. For more information about policies, see Section 12.1, Policy Object.

When selected, the Server object exposes four tabs where you can further configure its attributes. Further information about these tabs is available in the following sections:

3.1.1 The Orchestration Server Info/Configuration Page

The page that opens under the Info/Configuration tab includes several collapsible sections on the page where you can configure the general information and attributes of the server.

Server/Cluster Panel

If you are using this server in a High Availability environment, the information in this section is populated as a result of the configuration you managed during the High Availability installation. The following items are included in the section:

Server Version: A non-editable field that lists the version of this server in the form <major>.<minor>.<point>.<build_number>. This is the data for the matrix.version fact.

Is Master Server: A check box that is selected if the server is the Master Server in a High Availability cluster configuration.

Master Server Address: Set this value when the Orchestration Server participates in a High Availability cluster.

External Cluster Address: Set this value when the Orchestration Server participates in a High Availability cluster.

Cluster Addresses: Shows the hostname or IP addresses associated with an Orchestration Server when it is in a High Availability configuration.

The button opens the Attribute Element Values dialog box, where you can add, remove, or reorder addresses (element values) in an array of address choices.

For more information about using Cloud Manager Orchestration components in a High Availability environment, see the NetIQ Cloud Manager 2.1.5 Orchestration Server High Availability Configuration Guide.

Data Grid Configuration Panel

This section of the Info/Configuration tab allows for advanced configuration of datagrid related tuning parameters. The properties on the page and their descriptions are listed below.

Data Grid Root: The location of the Orchestration Server datagrid in the file system. For example, you might change this location to use a different file system mount point (recommended when there is considerable datagrid I/O).

Cleanup Interval: The interval at which the Orchestration Server scans User job history files on the datagrid. Job history files older than the owning user’s job history retention time limit (user.datagrid.maxhistory) are deleted.

Cleanup Interval Enabled: Select this check box to set a flag to enable periodic job history cleanup checking. Deselect it to disable the checking.

Default Multicast Rate: Sets the default data rate in bytes per second for multicast operations in which the client has not explicitly set a rate for a particular file transfer.

Max Multicast Rate: The maximum data rate (in bytes per second) that a client can specify for a multicast file transfer.

Selected Interfaces: The interfaces on which multicast file transfers are to be sent. This allows an administrator to limit multicast traffic to specific interfaces (that is, the interfaces where the agents are connected). You can add or delete interfaces by clicking the button.

Available Interfaces: Lists the network interfaces that are available on the local machine for multicasting.

The property is read-only and is provided for your information.

Multicast Metrics Subpanel: This panel lets you monitor multicast data transfer, including:

  • Total Packets Sent: The total number of multicast data packets sent by the file multicaster since the last reset of the counters.

  • Total Packets Resent: The total number of multicast packets resent because of errors since the last counter reset.

  • Total Resend Rate: The total packet resend rate as a percentage since the last counter reset.

  • Current Packets Sent: The total number of multicast packets sent during the current or most recent multicast file transfer.

  • Current Packets Resent: The total number of multicast packets resent because of errors, corruption, or loss during the current or most recent multicast file transfer.

  • Current Resend Rate: The packet resend rate as a percentage of packets sent since the start of the current or most recent multicast file transfer.

  • Current File Size: The file size in bytes for the current or most recent multicast file transfer.

  • Current Bytes Sent: The number of bytes sent so far in the current or most recent multicast file transfer.

  • Current Percent Complete: The completion percentage of the current or most recent multicast file transfer.

  • Skipped (Sparse) Bytes: The number of bytes skipped because of long runs of zeros. These “holes” are skipped in order to reduce file transfer time for large sparse files like VM images.

  • Current Receiver Count: The number of recipient agents for the current or most recent multicast file transfer.

  • Current File Name: The name of the file transferred in the current or most recent multicast file transfer.

The data list includes a check box that is selected if the current multicast transfer is finished. It also includes a Reset Stats button that you can click to clear all of the metrics in order to begin monitoring multicast statistics from a new point in time.

Security/TLS Configuration Panel

This section lets you configure TLS or SSL data encryption for both user and agent connections. There are four different levels of encryption that can be set for both users and nodes. These are described below. The properties in this section also let you configure the TCP/IP socket listener address and port for TLS connections.

TLS On Agent: Allows the encryption level to be set to one of four values, as described (in order of security level) below:

  • Forbid TLS for agents: Only unencrypted connections are allowed for nodes (that is, agents) authenticating to this server. If the agent attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden because of legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on the agents: default to falling back to unencrypted: Specifies that the server defaults to unencrypted communication, but the agent can optionally enable encryption.

    This is the default setting for the Orchestration Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on the agents; default to TLS encrypted if not configured encrypted: The server defaults to using encryption, but the agent can optionally disable encryption.

  • Make TLS mandatory on the agents: The Orchestration Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the node (that is, an agent) and the server is protected from tampering or interception.

TLS On Client: This setting allows the encryption level to be set to one of four values, as described (in order of security level) below.

  • Forbid TLS for clients: Only unencrypted connections are allowed for users of this server. If the user or client attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden because of legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on clients; default to falling back to unencrypted: This level specifies that the server defaults to unencrypted communication, but that the user can optionally enable encryption.

    This is the default setting for the Orchestration Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on agents; default to TLS encrypted if not configured encrypted: The server defaults to using encryption, but the user can optionally disable encryption.

  • Make TLS mandatory on the clients: The Orchestration Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the user’s client programs and the server is protected from tampering or interception.

TLS Address: The port number and optional bind address for incoming encrypted connections from users and nodes. The format is hostname:port. For example, 10.10.10.10:8101 causes the server to accept only TLS connections on the address 10.10.10.10 on port 8101. If “*” is used as the hostname, then the Orchestration Server listens on all available network interfaces. The default is *:8101, which causes the Orchestration Server to listen for encrypted sessions on all available interfaces on the system.

Agent/User Session Configuration Panel

When nodes (agents) and users log on to the Orchestration Server, they establish a session context that is used to manage the state of the messaging connection between client and server. This session can be revoked by the administrator, and it can also expire if the connection exceeds its maximum lifetime or idle timeout.

Agent Session Lifetime: The maximum number of seconds that an agent’s session can last before the agent is disconnected and must re-authenticate with the server. A value of -1 means “forever.”

Agent Session Timeout: The idle timeout for agents. If an agent connection remains idle with no message traffic in either direction for this time period (in seconds), the session times out, and the agent is disconnected and must reauthenticate when it is ready to communicate with the server again.

Socket Keeps Agent Sessions Alive: Select this check box to set a flag that causes the server and agent to maintain a keepalive ping in order to detect hung/stalled network connections. This allows the agent to recover from hung connections and to transparently reconnect with the server.

User Session Lifetime: The maximum number of seconds that a user’s session can last before the user is required to re-authenticate with the server. A value of -1 means “forever.”

User Session Timeout: The idle timeout (in seconds) for user sessions. If a user’s session encounters no message traffic or requests in either direction for this amount of time, any connection with user software is closed and the session expires. At this point, the user must re-authenticate.

Socket Keeps User Sessions Alive: Select this check box to set a flag that causes the server and user client to maintain a keepalive ping in order to detect hung/stalled network connections. This allows the agent to recover from hung connections and to transparently reconnect with the server. This setting applies only in situations where you are using custom user client software or certain subcommands of the zos command line utility to maintain a persistent connection.

Audit Database Configuration Panel

This section of the Info/Configuration page lets you configure the connection to a relational database that uses a deployed JDBC driver and connection properties. The PostgreSQL driver is deployed by default.

JDBC Driver Name: Specifies the Java class for the driver.

JDBC Library: Specifies the deployed library that contains the driver.

JDBC Connection URL: Specifies the driver-dependent connection string.

Database Username: Specifies the username for database authentication.

Database Password: Specifies the password to be used for database authentication.

Is Connected: Indicates that the driver is successfully connected.

Connect (button): Click to connect through the current connection settings.

Disconnect (button): Click to disconnect the current connection.

Clear Queue (button): Clear queued records that have not yet been written to the database.

Sentinel Server Configuration Panel

This section of the Info/Configuration page lets you configure the values needed to connect to a deployed Novell Sentinel Event Source Server, where logging events from the Orchestration Server are collected, parsed, and mapped for prioritization and subsequent administrator analysis.

For information about setting up a Sentinel Collector Server in your Orchestration Server environment, see Integrating the Orchestration Server with a Sentinel Collector in the NetIQ Cloud Manager 2.1.5 Orchestration Administrator Reference.

The following fields are available in the Sentinel Server Configuration panel:

Server Hostname: Specify the hostname of the Sentinel Event Source Server where log messages are to be sent.

Server Port Number: Specify the port number on the Sentinel Event Source Server where the Orchestration Server should make its SSL connection.

Is Connected: Selected when the connection between the Orchestration Server and the Sentinel Event Source Server is established.

Log Channels: Lists the log channels from which log messages are to sent to the Sentinel server.

Connect (button): Click to connect to the Sentinel Event Source Server. When the SSL connection is made, the Orchestration Server begins to send its log messages to Sentinel.

Disconnect (button): Click to disconnect the Orchestration Server from the Sentinel server. When the connection ends, log messages are no longer sent to the Sentinel server.

Configure (button): Click to open the Sentinel Log Parameters dialog box. In this dialog box, you can map a log level to one or more log channels. These log channels send log messages to the Sentinel server.

For more information about Orchestration Server log levels, see Orchestration Server Log Levels Mapped to Sentinel Log Levels in the NetIQ Cloud Manager 2.1.5 Orchestration Administrator Reference.

NOTE:To select multiple log channels, press Ctrl while selecting the log channel options you want. You can select only one log level at a time for mapping log channels.

The following table shows the log channels you can choose and the Orchestration Server actions that prompt sending a log message through this channel.

Table 3-1 Log Channels and the Occasions for Sending Messages Through Each

Log Channel Name in the Orchestration Console (Sentinel Server Configuration Panel)

When Are Messages Sent to This Channel?

ActionStatusManager

  • When the status of a Grid action is updated.

Audit

  • When the Grid interacts with the audit database.

  • AuthLDAP
  • AuthZOS
  • AuthenticationManager
  • On grid-wide authentication events.

Broker

  • On job execution.

    • start

    • cancel

  • Event Manager
  • JobManager
  • NodeManager
  • UserManager
  • repositoryManager
  • vbridgeManager
  • vdiskManager
  • vnicManager
  • When a Grid object of the corresponding type is created, deleted, or its health changes to a bad state.

GroupManager

  • When a member is added/removed in a Group.

JobScheduler

  • When the job schedule or the job trigger deployment/undeployment.

MBeanServer

  • When internal Grid Resources are updated.

PolicyManager

  • On policy creation/deletion.

  • On policy association/disassociation with any Grid object.

Sentinel

  • When the Grid interacts with a Novell Sentinel server.

SessionManager

  • On user or Resource login/logout.

VmManager

  • When actions are performed on VMs (provision, migrate, shutdown, clone, etc.). This could be initiated automatically or manually.

  • When authorization fails during VM operation.

  • When provisioning job fails.

computedFact

  • When computed facts are created or updated or deleted.

  • deployer/computedFact
  • deployer/event
  • deployer/facility
  • deployer/jdlLibrary
  • deployer/job
  • deployer/library
  • deployer/metric
  • deployer/policy
  • deployer/properties
  • deployer/schedule
  • deployer/service
  • deployer/trigger
  • deployer/xml
  • When a corresponding resource is deployed to or undeployed from the Grid.

Job Limits Panel

The facts in this section of the page are used in the default constraints to help protect the Orchestration Server from denial-of-service attacks or badly written jobs that might otherwise get stuck in the server queue, consume resources, and cause adverse server performance.

The following fields are available in the job.limits panel:

max.active.jobs: Sets a global default limit on the number of active jobs.

The Orchestration Server uses this value in the start constraint and does not allow more than this number of jobs (including child jobs) to be actively running at the same time. Jobs that exceed this number might be queued. See max.queued.jobs.

max.queued.jobs: Sets a global default limit on the number of queued jobs.

This value is similar to max.active.jobs but it is used in the accept constraint to limit the number of jobs in a queue waiting to be started. Therefore, the maximum jobs that can be present on an Orchestration Server is max.active.jobs + max.queued.jobs. New jobs are not accepted by the server if they exceed this total.

job.finishing.timeout: Sets a global default limit on the timeout for job completion.

This value represents the number of seconds that the Orchestration Server allows a job to execute its job_cancelled_event() (if defined) before forcibly canceling the job. This prevents jobs from potentially hanging during cancellation.

3.1.2 Orchestration Server Authentication Page

The Authentication tab opens a page with several collapsible sections where you can configure various methods for authenticating both users and resources to the Orchestration Server.

Resources Panel

The resources in a Orchestration Server grid are actually Orchestration Agents that authenticate or “register” with the Orchestration Server.

Auto Register Agents: Select this check box if you want the Orchestration Server to automatically register agents when they first connect to the Orchestration Server.

Auto Upgrade Agents: This check box is already selected if you chose to enable the automatic upgrade of Orchestration Agents that communicate with your Orchestration Server. If you did not select this option during upgrade configuration, the check box is not selected.

If you select this check box, the associated Orchestration Agents are upgraded at intervals over a period of approximately five minutes. The upgrade happens without administrator approval.

If you deselect this check box at any time before or during the automatic upgrade, the upgrade process stops. Any agents that are not upgraded continue to be identified as “OLD” and are not useable with the newly upgraded server.

Users Panel

Only authenticated users can log into the Orchestration Server. As an administrator, you can configure this authentication to use an internal user database or to externally authenticate users through an LDAP server.

Auto Register Users: Select this check box if you want the Orchestration Server to automatically register users when they first connect to the Orchestration Server.

Enable LDAP Subpanel

Depending on the selections you make in this subpanel, the following settings are displayed:

Enable LDAP (Check Box): Select this check box if you want the Orchestration Server to authenticate users externally by using an LDAP server. Additional LDAP-related configuration fields are displayed when you select the check box:

Administrators: The Administrators list specifies the group names whose membership includes Orchestration Server administrators as returned by the specified authentication provider. You can add groups to this list by clicking the button to open an array editor dialog box, which allows groups to be added, removed, and reordered. A group must be in the format <provider>:<group|groupnocase>:<groupname>, where the <provider> is either ZOS or LDAP. For example, adding LDAP:groupnocase:XyZ allows users reported by the LDAP server as members of a group xyz, or XYZ, xYz, etc. to authenticate as an administrator. To enforce to case-sensitive matching, use LDAP:group:XyZ instead. Non-case-sensitive matching is needed for Active Directory servers.

Server Type: This drop-down list lets you specify which authentication provider you want to use: Active Directory Service or Generic LDAP Directory Service.

  • If you select Active Directory Service, specify the values in the Settings subpanel only.

  • If you select Generic LDAP Directory Service, specify the values in the Settings subpanel (except Advanced settings) and the values in the Generic Settings subpanel.

Settings Subpanel: Set the values in this subpanel for the ADS authentication provider.

  • Directory Name: The name of the Active Directory Service server.

  • Servers: A list of strings containing server:port entries for a list of servers to be used.

    Each entry can be of one of three forms:

    • <hostname>

    • <hostname>:<port>

    • <hostname>:<port>:<sslport>

    In all cases, <hostname> is a resolvable DNS name or an IP address. If SSL or TLS is in use, the hostname must exactly match the name on the ADS server SSL certificate.

    You can modify this list by clicking the button to open an Attribute Element Values dialog box, where you can add, remove, or change the order of server names.

  • Advanced: The settings in this subpanel are for more selective ADS authentication.

    • SSL: If the accompanying Start TLS check box is not selected and if the ADS server’s SSL certificate has been installed on the Orchestration Server JVM, this option securely connects to the ADS server through SSL encryption.

      The older LDAP protocol (ldaps://) is used for the connection.

    • Start TLS: Selecting this option immediately promotes the connection to SSL encryption by bypassing the older protocol in favor of the LDAPv3 Start TLS extended operation on the non-SSL LDAP port. To use this option, the ADS server’s SSL certificate must be installed on the JVM of the Orchestration Server.

    • Query Account: The account name that is to be used for querying group information on authenticated users.

    • Query Password: The clear text password used to authenticate the query account on the LDAP server.

Generic Settings Subpanel: When you select Generic LDAP Directory Service as the Server Type, the following additional fields are displayed:

  • Base Domain Name: The Root DN of the LDAP server’s directory tree. This must be obtained by the administrator, and is usually in the form of dc=adsroot,dc=novell,dc=com.

  • User Attribute: The attribute on a user’s entry that identifies his or her login account name. For ADS servers, this attribute is sAMAccountName.

  • User Filter: The name of the filter to be used in the lookup for the user’s LDAP distinguished name.

    For ADS, this prefix is cn=Users.

  • User Prefix: The prefix used to define the LDAP subtree within the BaseDN tree that contains user accounts. If you leave this property blank, the Orchestration Server uses the BaseDN.

  • Group Attribute: Specifies the attribute of a group entry describing the login name of that group.

  • Group Filter: A filter to be used in the lookup for group memberships on some LDAP schemas. The filter can use either ${USER_NAME} or ${USER_DN} to substitute that value. For example: memberUid=${USER_NAME}.

  • Group Prefix: The prefix used to define the LDAP subtree within the BaseDN tree that contains group accounts.

    This field is not used for Active Directory authentication.

  • Group DNA Attribute: The directory root where all queries for a user’s group memberships (stored as a list of “member of” attributes on the user’s entry on an ADS server) are to occur.

  • Nested DNA Attribute: The attribute of a group entry where subgroups can be queried.

Authentication Page

As a data center administrator, you often have to provide credentials and certificates as you interact with the different hypervisor technologies, such as the Amazon EC2 or vSphere technologies. The Orchestration Server lets you store this data in a centralized, secure (no clear text passwords are accessible) location in its Credential Manager.

NOTE:The Cloud Manager Orchestration Server uses Triple DES password-based encryption in its Credential Manager to encrypt stored credentials and certificates.

The Credential Manager requires information from the Authentication page of the Orchestration Server object in the Orchestration Console, The page includes the following sections:

Stored Credentials Panel

The Stored Credentials panel displays a list of names of credential sets that you have created. You can create additional credentials if you select Add Credential and fill in the following fields:

  • Name: (Required) The name that you want to use to refer to this credential set.

  • User: (Required) The username with rights to administer objects in this grid.

  • Secret/Password: (Required) The password that authenticates the user.

  • Type: (Optional) A user-defined string that lets similar credentials be put into a category or group. For example, you might have a “type” of credential for the amazon-ec2 provisioning adapter and another type for the vsphere provisioning adapter.

Stored Credentials Password: (Conditional) If you want to change the password element of your stored credentials, click Change and enter the new password.

This password is used to encrypt the stored passwords. By default the password is CHANGE_THIS_PASSPHRASE. We recommend that you select a new password to use for encrypting stored passwords.

Stored Certificates Panel

In order to trust certificates not signed by well-known certificate authorities, the Orchestration Server lets you store certificates that are trusted by Java.

NOTE:Public/Private key pairs can be stored as certificates. This is useful if you need to manage amazon- ec2 key pairs.

The Stored Certificates panel displays a list of stored certificates. These certificates are not mapped to anything other than the name or identifier that you assign. They are not stored in a trust store, but their PEM-encoded representation is encrypted and stored alongside the credentials referred to above. Trust stores are generated on demand and are available to the Orchestration Agents.

Currently, this functionality is used only by the Orchestration vsphere provisioning adapter.

You can create additional trust stores if you select Add Certificate and fill in the following fields:

Identifier: (Required) The name that you want to use to refer to this trust store.

Location: (Required) Where the certificate should be obtained. This can be either a file (one that you can browse to find on the local machine), or an HTTPS server.

Select Browse if you want to select an existing a PEM-encoded certificate file from the local machine.

If you want to provide the actual URL for the certificate, open the drop-down list, select HTTPS, then enter the URL. The HTTPS server address can be entered as:

https://your.server.name

or as

your.server.name

or as

https://your.server.name:<sslport>

With this address, the Orchestration Server retrieves the public server certificate from the server and then stores it in a secure location.

Group: (Optional) A user-defined string used for grouping related certificates. For example, you might have a grouping called “vsphere” when you are managing resources in a multiple-vSphere Server environment.

3.1.3 Orchestration Server Policies Page

The Policies tab opens a page that contains a policy viewer for each of the policies associated with the Server object.

NOTE:You can edit a policy by right-clicking a policy icon, selecting Edit Policy, and clicking the Save button.

3.1.4 Orchestration Server Constraints/Facts Page

The Constraints/Facts tab opens a page that shows all of the effective constraints and facts for the Server object. The Server object has an associated set of facts and constraints that define its properties. By building, deploying, and running jobs on the Orchestration Server, you can individually change the functionality of any system resource by managing an object’s facts and constraints. The Orchestration Server assigns default values to each of the component facts, although they can be changed at any time by the administrator, unless they are read-only. Facts that have mode r/o have read-only values, which can be viewed by using the pencil icon, but changes cannot be made.