8.1 Using NetIQ iMonitor

NetIQ iMonitor provides cross-platform monitoring and diagnostic capability to all servers in your eDirectory tree. This utility lets you monitor your servers from any location on your network where a Web browser is available.

iMonitor lets you look at the eDirectory environment in depth on a partition, replica, or server basis. You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking.

iMonitor provides a Web-based alternative or replacement for many of the traditional server-based NetIQ eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair. Because of this, iMonitor’s features are primarily server focused, meaning that they focus on the health of individual eDirectory agents (running instances of the directory service) rather than the entire eDirectory tree.

iMonitor provides the following features:

  • eDirectory health summary

    • Synchronization information

    • Known servers

    • Agent configuration

  • eDirectory health checks

  • Hyperlinked DS Trace

  • Agent configuration

  • Agent activity and verb statistics

  • Reports

  • Agent information

  • Error information

  • Object/schema browser

  • NetIQ Identity Manager monitor

  • Search

  • Partition list

  • Agent process status

  • Background process schedule

  • DSRepair

  • Connection monitor

The information you can view in iMonitor is based on the following factors:

  • The identity you have established

    Your identity's eDirectory rights are applied to every request you make in iMonitor. For example, you must log in as the Administrator of the server or a console operator on the server where you are trying to access the DSRepair page.

  • The eDirectory agent version you are monitoring

    Newer versions of NDS and eDirectory will have features and options that older versions do not.

The information you view in iMonitor immediately shows what is happening on your server.

This section gives information on the following topics:

  • Section 8.1.1, System Requirements

  • Section 8.1.2, Accessing iMonitor

  • Section 8.1.3, iMonitor Architecture

  • Section 8.1.4, iMonitor Features

8.1.1 System Requirements

To use iMonitor you need

  • NetIQ eDirectory 8.7.1 or later

  • A supported Web browser, including Microsoft Internet Explorer or Firefox

Platforms

The iMonitor utility runs on the following platforms:

  • Windows 2000 and 2003 Server (No SSL)

  • Linux

For Windows, iMonitor loads automatically when eDirectory runs. On Linux, iMonitor can be loaded using the ndsimonitor -l command. It can also be loaded automatically by adding [ndsimonitor] in the /etc/opt/novell/eDirectory/conf/ndsimon.conf file before starting the eDirectory Server.

The iMonitor utility runs on the following Web browsers:

  • Microsoft IE 10 & above

  • Firefox 40 & above

eDirectory Versions That Can Be Monitored

You can use iMonitor to monitor the following versions of NDS and eDirectory:

  • All versions of NDS and eDirectory for Windows

  • All versions of NDS and eDirectory for Linux

8.1.2 Accessing iMonitor

  1. Ensure that the iMonitor executable is running on the eDirectory server.

  2. Open your Web browser.

  3. In the address (URL) field, enter

    http://server's_TCPIP_address:httpstack_port/nds

    for example:

    http://137.65.135.150:8028/nds

    DNS names can be used anywhere a server's IP or IPX address or distinguished name could be used in iMonitor. For example, when you have configured DNS, then

    http://prv-gromit.provo.novell.com/nds?server=prv-igloo.provo.novell.com

    is equivalent to

    http://prv-gromit.provo.novell.com/nds?server=IP_or_IPX address

    or

    http://prv-gromit.provo.novell.com/nds?server=/cn=prv-igloo,ou=ds,ou=dev,o=novell,t=novell_inc

    If an eDirectory HTTPS stack is available, use iMonitor through HTTPS. Over plain HTTP, the credentials you enter in the next step and every page iMonitor returns cross the network in cleartext.

  4. Specify a user name, context, and password, for example cn=admin.o=novell

    To have access to all of the features, log in as Administrator with the fully distinguished name, or as an administrator equivalent.

  5. Click Login.

8.1.3 iMonitor Architecture

Anatomy of an iMonitor Page

Each iMonitor page is divided into four frames or sections: the Navigator frame, the Assistant frame, the Data frame, and the Replica frame.

Figure 8-1 iMonitor Frames

Navigator Frame: Located across the top of the page. This frame shows the server name where the data is being read from, your identity, and the icons you can click to link to other screens, including online help, login, server portal, and other iMonitor pages.

Assistant Frame: Located at the left side of the page. This frame contains additional navigational aids, such as links to other pages, items that help you navigate data in the Data frame, or other items to assist you with obtaining or interpreting the data on a given page.

Data Frame: Shows the detailed information about your servers that you request by clicking one of the links listed above. This is the only frame you will see if your Web browser does not support frames.

Replica Frame: Lets you determine which replica you are currently viewing and provides links to view the same information from another replica or server’s point of view. This frame appears only when you view pages where another replica of the requested data exists or where another replica might have a different view of the information being presented in the Data frame.

Modes of Operation

NetIQ iMonitor can be used in two different modes of operation: Direct mode and Proxy mode. No configuration changes are necessary to move between these modes. NetIQ iMonitor automatically moves between these modes, but you should understand them in order to successfully and easily navigate the eDirectory tree.

Figure 8-2 Modes of Operation

Direct Mode: Use this mode when your Web browser is pointed directly at an address or DNS name on a machine running the iMonitor executable and reading information only on that machine's local eDirectory DIB.

Some iMonitor features are server-centric and are available only to the iMonitor running on that machine. These features use local API sets that cannot be accessed remotely. Server-centric features in iMonitor include the DSTrace, DSRepair, and Background Process Schedule pages. When using Direct mode, all iMonitor features will be available on that machine.

Key features of Direct mode:

  • Full server-centric feature set

  • Reduced network bandwidth (faster access)

  • Access by proxy still available for all versions of eDirectory

Proxy Mode: Use this mode when your Web browser is pointed at an iMonitor running on one machine, but is gathering information from another machine. Because iMonitor uses traditional eDirectory non-server-centric protocols for non-server-centric features, all previous versions of eDirectory beginning with NDS 6.x can be monitored and diagnosed. However, server-centric features use APIs that cannot be accessed remotely.

If you are in Proxy mode and want to switch to Direct mode for a different server, you can do so as long as the server has a version of eDirectory in which iMonitor has shipped. If the server you are gathering information on by proxy has iMonitor running, you will see an additional icon button in the Navigator frame. When you move the mouse pointer over the icon, you will see a link to the remote iMonitor on the remote server. If the server you are gathering information on by proxy is an earlier version of eDirectory, no additional icon is shown and you will always need to gather information on that server by proxy until it is upgraded to a version of eDirectory that includes iMonitor.

Key features of Proxy mode:

  • Not every server in the tree must be running iMonitor in order to use most iMonitor features

  • Only one server must be upgraded

  • There is a single point of access for dial-in

  • You can access iMonitor over a slower speed link while iMonitor accesses eDirectory information over higher speed links

  • Previous NDS version information is accessible

  • Server-centric features are available only where iMonitor is installed

iMonitor Features Available on Every Page

You can link to the Agent Summary, Agent Information, Agent Configuration, Trace Configuration, DSRepair, Reports, and Search pages from any iMonitor page by using the icons in the Navigator frame. You can also log in or link to the NetIQ Support Web page from any iMonitor page.

Login/Logout: The Login button is available if you are not logged in. A Logout button, which closes your browser window, is displayed if you are logged in. Unless all browser windows are closed, your iMonitor session remains open, and you will not need to log in again; on a shared workstation, close every browser window when you finish so that the next user does not inherit your identity. You can see your login status on any page by looking at Identity in the Navigator frame.

Support Connection Link: The NetIQ logo in the upper right corner is a link to the NetIQ Support Connection Web page. This provides a direct link to the NetIQ Web site for current server patch kits, updates, and product-specific support.

Configuration Files

Configuration files are included with iMonitor to allow you to change or set default behavior or values in the utility.

The configuration files are text files containing configuration parameter tags together with their desired values. These files are located in the same directory as the iMonitor executable (which is usually in the same location as the NetIQ eDirectory executables) on Windows, and under /etc/opt/novell/eDirectory/conf on Linux.

ndsimon

The ndsimon configuration file lets you modify trace file settings, control access to the server, set the maximum number of objects to be displayed when listing a container or displaying search results, and specify the number of minutes of inactivity allowed before a connection is logged out.

Server     Configuration File
Windows    install directory\novell\NDS\ndsimon.ini
Linux      /etc/opt/novell/eDirectory/conf/ndsimon.conf

There are two groups of parameters that you can set in the ndsimon configuration file.

  • Parameters that apply to how the iMonitor executable itself runs

    When the iMonitor executable loads, it attempts to listen on the traditional HTTP port 80. If that port is in use, it backs off to port 8008. If that port is also in use, iMonitor backs off again, increasing the port by 2 (8010, 8012, and so on) up to 8078.

    Where SSL is configured and available, a similar bind pattern is attempted. First, port 81 is tried, and then 8009, 8011, 8013, etc.

    This allows iMonitor to coexist with a Web server running on the same server. However, on some platforms, iMonitor might load before the installed Web server does, or you might want iMonitor to bind to a port of your choice. Both regular and SSL ports can be configured using the HttpPort and the HttpsPort parameters respectively.
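    The back-off sequence above, together with the URL forms from Accessing iMonitor, as an added Python example (not NetIQ code). It lists the ports an iMonitor listener can land on, builds the /nds URLs, and reads ss -ltn style output to show where a listener actually bound and whether it faces every interface. The ss output is constructed, and the SSL ceiling of 8079 is an assumption the page does not state.

```python
"""Added example, not NetIQ code: where an iMonitor listener can land, the URL
forms used to reach it, and a check of where it actually bound.

Assumptions not taken from the page: the SSL back-off ends at 8079 (one above
the cleartext ceiling), and the `ss -ltn` output below is constructed.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Address forms meaning "every interface" in ss/netstat output.
ANY_ADDR = {"0.0.0.0", "*", "::", "[::]"}


def candidate_ports(ssl: bool = False) -> List[int]:
    """Bind order from the ndsimon section: 80 (81 for SSL), then 8008 (8009),
    then two higher each step up to 8078 (8079 for SSL, assumed)."""
    offset = 1 if ssl else 0
    return [80 + offset] + list(range(8008 + offset, 8078 + offset + 1, 2))


def imonitor_url(host: str, port: int, ssl: bool = False,
                 target: Optional[str] = None) -> str:
    """URL for the iMonitor at host:port. `target` (DNS name, IP address, or
    distinguished name) selects another server to read by proxy."""
    url = f"{'https' if ssl else 'http'}://{host}:{port}/nds"
    if target:
        url += "?server=" + quote(target, safe="/=,")
    return url


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """(local address, port) for every LISTEN row of `ss -ltn` text."""
    found: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            found.append((addr, int(port)))
    return found


def locate_imonitor(listeners: List[Tuple[str, int]]) -> Dict[str, List[Dict]]:
    """Listeners on either back-off sequence, flagged when bound to every
    interface. 80 and 81 are shared with ordinary web servers, so a hit there
    is only a candidate until you fetch /nds from it."""
    result: Dict[str, List[Dict]] = {"http": [], "https": []}
    for scheme, ssl in (("http", False), ("https", True)):
        wanted = set(candidate_ports(ssl))
        for addr, port in listeners:
            if port in wanted:
                result[scheme].append({
                    "addr": addr,
                    "port": port,
                    "all_interfaces": addr in ANY_ADDR,
                    "shared_with_web": port in (80, 81),
                })
    return result


# Constructed `ss -ltn` output: one cleartext hit on 8010 facing every
# interface, one SSL hit on 8011 bound to loopback, and port 80 held by
# something that may or may not be iMonitor.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8010         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8011       0.0.0.0:*
LISTEN  0       128     *:389                *:*
LISTEN  0       128     [::]:80              [::]:*
"""

if __name__ == "__main__":
    hits = locate_imonitor(parse_listeners(SAMPLE_SS))
    for scheme, entries in hits.items():
        for e in entries:
            print(scheme, imonitor_url(e["addr"], e["port"], scheme == "https"),
                  "ALL INTERFACES" if e["all_interfaces"] else "local only",
                  "(shared web port)" if e["shared_with_web"] else "")
```

    Run it against real ss -ltn output to confirm iMonitor is listening where you expect; a cleartext listener bound to every interface is the case to avoid when credentials are entered over it.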

  • Parameters that apply to specific features or pages

    The configuration file that ships with iMonitor contains samples of the parameters that can be modified. These parameters are preceded by a pound sign (#). This indicates that they are commented out or not used when iMonitor parses the configuration file. For the shipping configuration file, iMonitor uses all internally bound default values for these parameters. To enable any of these parameters or to add any parameters, simply delete the # character from the beginning of the line.

ndsimonhealth

The ndsimonhealth configuration file lets you modify default settings for the Agent Health page. You can enable or disable Agent Health options, set reporting levels and ranges for options, and set server reporting levels.

Server     Configuration File
Windows    install directory\novell\NDS\ndsimonhealth.ini
Linux      /etc/opt/novell/eDirectory/conf/ndsimonhealth.conf

There are three types of options you can set in the ndsimonhealth configuration file.

  • Enable/disable only options

    To disable an option, remove the pound sign (#) from in front of the option and replace any levels listed after the colon (:) with OFF. To set reporting levels of these options, remove the # character from in front of the option and add a reporting level after the colon. Valid levels are WARN, MARGINAL, and SUSPECT. For these options, you can input only one reporting level.

  • General options that take a range of settings

    These options can be enabled and disabled or have their reporting level set, as well as the ranges for those reporting levels.

    To set the reporting level for any of these options, use the option name followed by -active: and the reporting levels you want. For example, to set time_delta active, add the following line to the configuration file:

    time_delta-active: WARN

    To set time_delta inactive, add the following line to the configuration file:

    time_delta-active: OFF

    When entering ranges, the range you specify is the range of values for which that reporting level is not displayed; a value outside the range triggers the level.

    See the time_delta example below for an example of how to set an option to be active for all three reporting levels and how to set the ranges. In this example, anything not in the range -2 to 2 is at least marginal, anything not in the range -5 to 5 is at least suspect, and anything not in the range -10 to 10 is a warning.

    time_delta-active: WARN | SUSPECT | MARGINAL
    time_delta-Min_Warn:      -10
    time_delta-Min_Suspect:    -5
    time_delta-Min_Marginal:   -2
    time_delta-Max_Marginal:    2
    time_delta-Max_Suspect:     5
    time_delta-Max_Warn:        10

    For help on any of these options, enter the following URL in iMonitor:

    http://XXX.XXX.XXX.XXX:PORT/nds/help?hbase=/nds/health/OPTION_NAME

    XXX.XXX.XXX.XXX:PORT is the IP address and port where iMonitor can be reached, and OPTION_NAME is the name of the option you want help on (for example, time_delta).

    To view the currently set levels and ranges, use your browser to go to the health page that contains the option you are interested in, then add the following to the end of the URL line in the browser:

    &op=setup

  • Options that need custom or complex settings

    There are three different server reporting levels that can be set:

    • WARN detects servers running a version of eDirectory that should be upgraded as soon as possible.

    • SUSPECT detects servers running a version of eDirectory that should be noted for upgrade.

    • MARGINAL detects servers running a version of eDirectory that is not current.

    These options set the reporting level if the server version falls within the specified range.
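    The range semantics above, as an added Python example (not NetIQ code): it parses ndsimonhealth-style option lines, checks that the six range bounds nest in the right order, and classifies a measured value (for time_delta, the server time difference in seconds) into the most severe active level. The configuration excerpt is constructed in the file's style, not a shipped ndsimonhealth.conf.

```python
"""Added example, not NetIQ code: parse ndsimonhealth-style option lines and
apply the range semantics described above to a measured value.

The excerpt below is constructed in the file's style; it is not a shipped
ndsimonhealth.conf.
"""
import re
from typing import Dict, Optional, Set

# Least to most severe, so the last match wins in classify().
LEVELS = ("MARGINAL", "SUSPECT", "WARN")

SAMPLE_CONF = """\
# commented lines are ignored, exactly as iMonitor ignores them
#time_delta-active: WARN
time_delta-active: WARN | SUSPECT | MARGINAL
time_delta-Min_Warn:      -10
time_delta-Min_Suspect:    -5
time_delta-Min_Marginal:   -2
time_delta-Max_Marginal:    2
time_delta-Max_Suspect:     5
time_delta-Max_Warn:        10
"""

_LINE = re.compile(r"^([A-Za-z0-9_]+)-([A-Za-z_]+)\s*:\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """{option: {key: value}} with keys lower-cased ('active', 'min_warn', ...)."""
    conf: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            option, key, value = m.groups()
            conf.setdefault(option, {})[key.lower()] = value
    return conf


def active_levels(opt: Dict[str, str]) -> Set[str]:
    """Levels enabled by 'OPTION-active'; OFF or absent means none."""
    raw = opt.get("active", "OFF").upper()
    if raw == "OFF":
        return set()
    return {lvl.strip() for lvl in raw.split("|") if lvl.strip()}


def ranges_nested(opt: Dict[str, str]) -> bool:
    """A misordered range misreports silently, so verify
    Min_Warn <= Min_Suspect <= Min_Marginal <= Max_Marginal <= Max_Suspect <= Max_Warn."""
    keys = ("min_warn", "min_suspect", "min_marginal",
            "max_marginal", "max_suspect", "max_warn")
    try:
        vals = [float(opt[k]) for k in keys]
    except KeyError:
        return False
    return all(a <= b for a, b in zip(vals, vals[1:]))


def classify(opt: Dict[str, str], value: float) -> Optional[str]:
    """Most severe active level whose 'do not report' range excludes value,
    or None when value lies inside every active range."""
    worst = None
    for lvl in LEVELS:
        if lvl not in active_levels(opt):
            continue
        lo, hi = opt.get(f"min_{lvl.lower()}"), opt.get(f"max_{lvl.lower()}")
        if lo is None or hi is None:
            continue  # enable/disable-only option: no range to apply
        if not (float(lo) <= value <= float(hi)):
            worst = lvl
    return worst


if __name__ == "__main__":
    td = parse_conf(SAMPLE_CONF)["time_delta"]
    print("ranges nested:", ranges_nested(td))
    for delta in (0, 3, -7, 12):
        print(f"time_delta={delta:+d}s ->", classify(td, delta))
```

    With the constructed ranges, a delta of 3 seconds reports MARGINAL, -7 reports SUSPECT, 12 reports WARN, and anything within 2 seconds reports nothing, which is the reading the sentence about ranges describes.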

8.1.4 iMonitor Features

This section provides brief descriptions of iMonitor features.

Online help is provided in each section of iMonitor for more detailed information about each feature and function.

Viewing eDirectory Server Health

From the Agent Summary page, you can view the health of your eDirectory servers, including synchronization information, agent process status, and the total servers known to your database.

  1. In iMonitor, click the Agent Summary button.

  2. Choose from the following options:

    Agent Synchronization Summary lets you view the number and types of replicas you have and the length of time since they have been successfully synchronized. You can also view the number of errors for each replica type. If there is only one replica or partition to view, the heading is Partition Synchronization Status.

    If the Agent Synchronization Summary doesn’t appear, there are no replicas you can view based on your identity.

    Servers Known to Database Totals lets you view the type and count of servers known to your database, and whether they are up or down.

    Agent Process Status Totals lets you view the status of the background processes that run on an agent without administrator intervention. When there is a problem or a piece of information to report, a status is recorded. The table grows or shrinks depending on the number of recorded statuses.

Viewing Partition Synchronization Status

From the Agent Synchronization page you can view the synchronization status of your partitions. You can filter the information by selecting from the options listed in the Assistant frame on the left side of the page.

  1. In iMonitor, click Agent Synchronization in the Assistant frame.

  2. Choose from the following options:

    Partition Synchronization Status lets you view the partition, number of errors, last successful synchronization, and maximum ring delta.

    Partition lets you view the links to each partition's Replica Synchronization page.

    Last Successful Sync lets you view the amount of time since all replicas of an individual partition were successfully able to synchronize from the server.

    Maximum Ring Delta shows the amount of data that might not be successfully synchronized to all the replicas in the ring. For example, if a user has changed his login script within the past 30 minutes, and the maximum ring delta has a 45-minute allocation, the user's login might not be successfully synchronized, and he might get the previous login script when he attempts to log in. If, however, the user changed his login script more than 45 minutes ago, he should get the new login script consistently from all replicas.

    If Unknown is listed under Maximum Ring Delta, it means the transitive synchronized vector is inconsistent and the maximum ring delta cannot be calculated due to replica/partition operations occurring, or some other problem.

Viewing Obituary Process Status and Change Cache Count

To view the obituary process status and the change cache count of a given partition, navigate to the partition root object of that partition. Data is displayed for three different types of obituaries:

  • OBIT_DEAD: created when an object is deleted.

  • OBIT_NEWRDN: created when an object is renamed.

  • OBIT_MOVED: created when an object is moved from one location to another.

When the objects are processed, they can be in four different distinct states. They move from ISSUED state to PURGEABLE state, then finally get purged. Following are the four distinct states:

  • ISSUED

  • NOTIFIED

  • OK_TO_PURGE

  • PURGEABLE

There are 12 different distinct combinations for a given object. Following are the distinct combinations:

  • OBIT_DEAD_ISSUED

  • OBIT_DEAD_NOTIFIED

  • OBIT_DEAD_OK_TO_PURGE

  • OBIT_DEAD_PURGEABLE

  • OBIT_NEWRDN_ISSUED

  • OBIT_NEWRDN_NOTIFIED

  • OBIT_NEWRDN_OK_TO_PURGE

  • OBIT_NEWRDN_PURGEABLE

  • OBIT_MOVED_ISSUED

  • OBIT_MOVED_NOTIFIED

  • OBIT_MOVED_OK_TO_PURGE

  • OBIT_MOVED_PURGEABLE

A number is displayed against each of these combinations, which denotes the total number of objects that are in a particular state at the end of the last obituary processing cycle.

The change cache count displays the number of objects present in the change cache of the partition in the current server. The following figure shows the obit count and the change cache count for a particular partition root object of that partition.

Figure 8-3 Obit and Change Cache Count Information
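The twelve counters above, as an added Python example (not NetIQ code): it builds the type/state combinations in processing order, reads two count snapshots taken one obituary processing cycle apart, totals what has not yet reached PURGEABLE, and points at pre-PURGEABLE counters that did not move between the two cycles. The 'NAME: count' snapshot format and the numbers in it are constructed for the example; iMonitor presents the same counts in a table on the partition root object page.

```python
"""Added example, not NetIQ code: compare two obituary count snapshots taken
at consecutive obituary processing cycles.

The 'NAME: count' text format and the sample numbers are constructed; the
counter names are the twelve combinations iMonitor displays.
"""
from itertools import product
from typing import Dict, List, Tuple

OBIT_TYPES = ("OBIT_DEAD", "OBIT_NEWRDN", "OBIT_MOVED")
# Processing order: an obituary moves ISSUED -> NOTIFIED -> OK_TO_PURGE -> PURGEABLE.
OBIT_STATES = ("ISSUED", "NOTIFIED", "OK_TO_PURGE", "PURGEABLE")


def obit_counters() -> List[str]:
    """The 12 type/state combinations, in the order iMonitor lists them."""
    return [f"{t}_{s}" for t, s in product(OBIT_TYPES, OBIT_STATES)]


def parse_snapshot(text: str) -> Tuple[Dict[str, int], int]:
    """(counter -> count, change cache count). Counters absent from the text
    read as 0; an unknown counter name is an error rather than silently ignored."""
    counts = {name: 0 for name in obit_counters()}
    change_cache = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not value.isdigit():
            continue
        if name == "Change Cache Count":
            change_cache = int(value)
        elif name in counts:
            counts[name] = int(value)
        else:
            raise ValueError(f"unknown counter {name!r}")
    return counts, change_cache


def pending_by_type(counts: Dict[str, int]) -> Dict[str, int]:
    """Obituaries per type that have not yet reached PURGEABLE."""
    return {t: sum(counts[f"{t}_{s}"] for s in OBIT_STATES if s != "PURGEABLE")
            for t in OBIT_TYPES}


def unchanged(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Pre-PURGEABLE counters with the same non-zero value in both snapshots:
    obituaries that made no progress across a whole processing cycle."""
    return {name: after[name] for name in obit_counters()
            if not name.endswith("_PURGEABLE") and before[name] == after[name] != 0}


# Constructed snapshots one cycle apart. Only non-zero counters are listed.
BEFORE = """\
OBIT_DEAD_ISSUED: 3
OBIT_DEAD_NOTIFIED: 1
OBIT_DEAD_PURGEABLE: 2
OBIT_MOVED_NOTIFIED: 4
Change Cache Count: 9
"""
AFTER = """\
OBIT_DEAD_NOTIFIED: 2
OBIT_DEAD_OK_TO_PURGE: 1
OBIT_MOVED_NOTIFIED: 4
Change Cache Count: 5
"""

if __name__ == "__main__":
    b, cache_b = parse_snapshot(BEFORE)
    a, cache_a = parse_snapshot(AFTER)
    print("pending before:", pending_by_type(b), "change cache:", cache_b)
    print("pending after: ", pending_by_type(a), "change cache:", cache_a)
    print("no progress:   ", unchanged(b, a))
```

In the constructed data the OBIT_DEAD counters move between cycles while OBIT_MOVED_NOTIFIED stays at 4; a counter that holds a non-zero value across cycles like that is the one to investigate on the Agent Process Status page.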

Viewing Server Connection Information

From the Agent Information page you can view the connection information for your server.

  1. In iMonitor, click Agent Information in the Assistant frame.

  2. Choose from the following options:

    Ping Info shows that iMonitor has attempted an IP ping to the set of addresses being advertised for the server. Success is as indicated.

    DNS Name shows that iMonitor has attempted to do an address reversal on IP addresses supported by the server and is indicating the associated DNS name.

    Depending on the transport, configuration, and platform you are running on, you might not see this information.

    Connection Information lets you view connection information for the server, including the server referral, time delta, Root Most Master, and replica depth.

    Depending on the transport, configuration, and platform you are running on, you might not see this information.

    Server Referral lets you view the set of addresses by which your server can be reached.

    Time Synchronized indicates that synthetic or future time is not being used unless a replica's last-issued time stamp is greater than the current time.

    eDirectory believes time is synchronized well enough to issue time stamps based on the server's current time. The time synchronization protocol might or might not currently be in a synchronized state.

    Time Delta lets you view the difference in time between iMonitor and the remote server in seconds. A negative integer indicates that iMonitor's time is ahead of the server's time. A positive integer indicates that iMonitor's time is behind the server's time.

    Root Most Master indicates whether the server's rootmost replica (the one highest in, or closest to the root of, the naming tree) is a master replica.

    Replica Depth lets you view the depth of the rootmost replica (the number of levels between the rootmost replica and the root of the tree).

Viewing Known Servers

From the Known Servers List, you can view the list of servers known to the database of the source server. You can filter the list to show all servers known to the database or to show all servers in the replica ring. If a server has an icon next to it, the server participates in a replica ring.

  1. In iMonitor, click Known Servers in the Assistant frame.

  2. Choose from the following options:

    Entry ID lists the identifier on the local server for an object. Entry IDs cannot be used across servers.

    NDS Revision lists the eDirectory build number or version being cached or stored on the server that you are communicating with.

    Status shows whether the server is up, down, or unknown. If the status shows as unknown, this means that this server has never needed to communicate with the server being shown as unknown.

    Last Updated shows the last time this server attempted to communicate with the server and found out it was down. If this column is not showing, all servers are currently up.

Viewing Replica Information

From the Partitions page, you can view information about the replicas on the server you are communicating with. You can filter the page by selecting from the options in the Assistant frame on the left side of the page.

Server Partition Information lets you view information about the server's partition, including the entry ID, replica state, purge time, and last modification time.

Partition lets you view information about the partition Tree object on the server.

Purge Time indicates the time when you can remove previously deleted data from the database because all replicas have seen the deletion.

Last Modification Time lets you view the last-issued time stamp of data written to the database for the replica. This lets you see if time is in the future and if synthetic time is being used.

Replica Synchronization lets you view the Replica Synchronization Summary page that refers to the partition. The Replica Synchronization page shows information about the partition synchronization status and replica status. You can also view lists of partitions and replicas.

Controlling and Configuring the DS Agent

From the Agent Configuration page, you can control and configure the DS Agent. The functionality you have on this page will depend on the rights of the current identity and the version of eDirectory you are looking at.

  1. In iMonitor, click the Agent Configuration button.

  2. Choose from the following options:

    • Agent Information lets you view the connection information for your server.

    • Partitions lets you view the replicas on the server you are communicating with.

    • Replication Filters lets you view the replication filters configured for the specified eDirectory agent. NDS eDirectory 8.5 (build version 85.xx) was the first eDirectory version to implement a feature known as Filtered Replicas. See Filtered Replicas for more information on what Filtered Replicas are, why they are used, and how to configure them.

    • Agent Triggers initiate certain background processes. These triggers are equivalent to using the SET DSTRACE=*option command.

    • Background Process Settings modify the interval at which certain background processes run. These settings are equivalent to the SET DSTRACE=!option command.

    • Agent Synchronization lets you disable or enable inbound or outbound synchronization. You can specify in hours the amount of time you want synchronization disabled.

    • Database Cache lets you configure the amount of database cache used by the DS database engine. Various cache statistics are also provided to assist you in determining whether you have an appropriate amount of cache available. Having an inadequate amount of cache might severely impact your system’s performance.

    • Login Settings allows you to specify whether eDirectory updates login attributes when users log in. The following options control how eDirectory responds when a user logs in:

      • Login Update Delay specifies the amount of time (in seconds) between updates. For example, if one or more users log in during the delay, eDirectory adds any changes to a queue. When the delay is over, eDirectory applies all queued changes.

      • Login Update Disable Interval specifies an interval of time (in seconds) during which the login attributes for a specific user will not be updated. A typical interval is 3600 seconds (1 hour). For example, when a user logs in for the first time at 8:00 AM, eDirectory updates attributes, and the interval starts. If the user logs in again before 9:00 AM, eDirectory does not update the attributes. The default is 0, which means no disable interval is set. Because a login inside the interval leaves the login attributes untouched, do not treat Login Time or similar attributes as a complete record of a user's logins when a disable interval is set.

Configuring Trace Settings

To access information on the Trace Configuration page, you must be the equivalent of Administrator of the server or a console operator. You are prompted to enter your user name and password so your credentials can be verified before you can access information on this page.

From the Trace Configuration page, you can set trace settings. NetIQ iMonitor's DSTrace is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access this feature on another server, you must switch to the iMonitor running on that server.

  1. In iMonitor, click the Trace Configuration button.

  2. Choose from the following options:

    • Update lets you submit changes to Trace Options and Trace Line Prefixes. If DSTrace is off, click Trace On to turn it on. If DSTrace is already on, click Update to submit changes to the current trace.

    • Trace On/Off turns DSTrace on or off. The button text changes based on the current DSTrace state. If DSTrace is on, the button text will read Trace Off. Clicking it toggles DSTrace between off and on. When DSTrace is off, clicking Trace On is equivalent to clicking Update.

    • Trace Line Prefixes lets you choose which pieces of data are added to the beginning of any trace line.

    • DS Trace Options apply to the events on the local DS Agent where the trace is initiated. The options show errors, potential problems, and other information about eDirectory on your local server. Turning on DS Trace options can increase CPU utilization and might reduce your system’s performance. Therefore, DS Trace should generally be used for diagnostic purposes, not as a standard practice. These options are a more convenient equivalent of the SET DSTRACE=+option command.

    • Event Configuration lists the eDirectory and NMAS event options you can enable or disable for monitoring in DSTrace. The event system generates events for local activities such as adding objects, deleting objects, and modifying attribute values. For each type of event, a structure is returned that contains information specific to that type of event.

    • Trace History lets you view a list of previous trace runs. Each previous trace log is identified by the period of time during which the trace data was being gathered.

    • Trace Triggers let you view the trace flags that must be set in order to display the specified DS Agent information in DSTrace. These triggers might write large quantities of information to trace. Generally, we recommend that these triggers be enabled only when instructed by NetIQ Support.

  3. Click Trace On to turn DS Trace on and submit any changes.

  4. Click the Trace button or Trace Live to view DS Trace in iMonitor.

Viewing Process Status Information

From the Agent Process Status page, you can view background process status errors and more information about each error that occurred. You can filter the information on this page by selecting from the options listed in the Assistant frame on the left side of the page.

In iMonitor, click Agent Process Status in the Assistant frame. Background process statuses that are currently reported include the following:

  • Schema synchronization

  • Obituary processing

  • External reference/DRL

  • Limber

  • Repair

Viewing Agent Activity

From the Agent Activity page, you can determine traffic patterns and potential system bottlenecks. You can use this page to view the verbs and requests that are currently being handled by eDirectory. You can also see which of those requests are attempting to obtain DIB locks in order to write to the database and how many of those requests are waiting to obtain a DIB lock.

If you are viewing a server running NetIQ eDirectory 8.6 or later, you will also see a list of partitions and the servers that participate in the replica ring with the server specified in the Navigator frame. With the introduction of NetIQ eDirectory 8.6, synchronization is no longer single threaded. Any eDirectory 8.6 or later server might send outbound synchronization for multiple partitions simultaneously to one or more replication partners. For this reason, the synchronization activity page was created so you can more easily monitor this parallel synchronization strategy.

  1. In iMonitor, click Agent Activity in the Assistant frame.

  2. Choose from the following options:

    • Verb Activity and Statistics lets you view a running count of all verbs called and requests made since eDirectory was last initialized. This page also shows how many of those requests are currently active and the minimum, maximum, and average times (shown in milliseconds) that it takes to process those requests.

    • Synchronization Current and Schedule lists different times that inbound and outbound synchronization occurred. If inbound or outbound synchronization is currently taking place, you see an icon indicating that the process is active, when that cycle was started, and which server it is occurring with.

      If inbound and outbound synchronization is disabled, you see an icon indicating that fact and when it is scheduled to be re-enabled. For outbound synchronization, the next scheduled time is also shown.

    • Events lets you view a list of the currently active events, statistics for event handlers and a summary of event statistics, and the current event rights functions that have been called.

    • Background Process Schedule lets you view the background processes that are scheduled, what their current state is, and when they are scheduled to run again.

Viewing Traffic Patterns

From the Verb Statistics page, you can determine traffic patterns and potential system bottlenecks. You can use this page to view a running count of all verbs called and requests made since eDirectory was last initialized. This page also shows how many of those requests are currently active and the minimum, maximum, and average times (in milliseconds) it takes to process those requests. Background process, bindery, and standard eDirectory requests are tracked.

If you view this page on an older version of eDirectory, you might not see as much information as if you are running eDirectory 8.5 or later.

Viewing Background Processes

From the Background Process Schedule page, you can view the background processes that are scheduled, what their current state is, and when they are scheduled to run again. NetIQ iMonitor's Background Process Schedule is a server-centric feature. That is, it can only be viewed on a server where iMonitor is running. If you need to access the background process schedule on another server, you must switch to the iMonitor running on that server. As you upgrade more servers to eDirectory 8.5 or later versions, iMonitor's server-centric features will be more available to you. Other server-centric features include the DSTrace and DSRepair pages.

To access information on the Background Process Schedule page, you must be the equivalent of Administrator of the server or a console operator. You are prompted to log in so your credentials can be verified before you can access information on this page.

Configuring Background Processes

To decrease how long background process cycles run, administrators can configure one of the following Background Process Delay Settings policies on the Background Process Settings window in iMonitor:

  • CPU

  • Hard Limit

  • Purger Delay

To configure the background process:

  1. Log into iMonitor.

  2. Go to Agent Configuration > Background process settings.

  3. Scroll down to the Background Process Delay Settings section and set the delay interval to any value from 0 through 100 milliseconds.

    By default, the Hard Limit policy is enabled with all the three processes sleeping for 100 milliseconds.

    or

    Select the CPU Policy and configure as appropriate.

    By default, the Maximum CPU utilization % parameter is set to 80% and Maximum Delay Limit is set to 100 milliseconds.

  4. In the Purger Interval field, enter the delay interval.

    By default, it is set to 30 minutes. You can change it depending on your requirement.

Viewing eDirectory Server Errors

From the Error Index page, you can view information about the errors found on your eDirectory servers. The errors are separated into two fields: eDirectory-specific errors and other errors that might be of interest. Each error listed is hyperlinked to a description that contains an explanation, possible cause, and troubleshooting actions.

  1. In iMonitor, click Error Index in the Assistant frame.

    From the Error Index page you can link to the latest NetIQ documentation on errors, technical information, and white papers.

Viewing DSRepair Information

From the DSRepair page, you can view problems and back up or clean up your DIB sets. NetIQ iMonitor's DSRepair is a server-centric feature. That is, it can be initiated only on a server where iMonitor is running. If you need to access the DSRepair information on another server, you must switch to the iMonitor running on that server. As you upgrade more servers to later versions of eDirectory, iMonitor's server-centric features will be more available to you. Other server-centric features include the DSTrace and Background Process Schedule pages.

To access information on this page, you must be the equivalent of Administrator of the server or a console operator. You are prompted to log in so your credentials can be verified before you can access information on this page.

  1. In iMonitor, click DSRepair.

  2. Choose from the following options:

    • Downloads lets you retrieve repair-related files from the file server. You cannot access dsrepair.log while the DSRepair utility is running, or while a repair you initiated from the DSRepair page in iMonitor is still in progress.

    • Delete Old DIB Sets lets you delete an old DIB set by clicking the red X.

      WARNING: This action is irreversible. When you select this option, the old DIB set is purged from the file system.

    • DS Repair Advanced Switches lets you fix problems, check for problems, or create a backup of your database. You will not need to enter information in the Support Options field unless you are directed to do so by NetIQ Support.

  3. Click Start Repair to run DS Repair on this server.

Viewing Agent Health Information

From the Agent Health page, you can view health information about the specified eDirectory agent and the partitions and replica rings it participates in.

  1. In iMonitor, click Agent Health in the Assistant frame.

  2. Click the links to view detailed information.

Browsing Objects in Your Tree

From the Browse page, you can browse any object in your tree. The Navigation bar at the top of the page lets you know what server the object you are viewing is on, and the path to the object. The Replica frame on the left of the page lets you view or access the same object on any real partition. Click any underlined object on the page to view more information about an object. You can also click any portion of the name in the Navigator frame to browse up the tree.

The information displayed on this page depends on the eDirectory rights you are logged in with, the type of object you are browsing, and the version of NDS or eDirectory you are running. This page displays XRef objects if you are logged in with Supervisor rights. You can use the replica list to jump to a real copy of the replica. If you are browsing for objects in dynamic groups, the time stamp will not be displayed for the dynamic members.

Replica Synchronization displays the synchronization status of the replica that contains this object.

Entry Synchronization shows which attributes need to be synchronized from this server’s point of view.

Connection Information indicates where iMonitor got the information for this object.

Entry Information displays the names, flags, base class, modification time stamp, and summary of connection information for the object.

Send Entry to All Replicas resends this entry’s attributes to all other replicas. This process could take some time if the object has many attribute values. This does not make all other copies of the object identical. It simply allows the other replicas to reconsider each attribute.

Send All (visible only if the object being browsed is a partition root and the Advanced Mode Option is enabled) resends all entries in this partition to all the servers holding replicas of the partition. This does not make all copies of the objects being sent identical. It simply allows the other replicas to reconsider each object and its attributes.

Viewing Entries for Synchronization or Purging

From the Change Cache page, you can view a list of entries that this server needs to consider for synchronization or purging. This option is available only if the server you are accessing is running eDirectory 8.6 or later and the object you are viewing is a partition root. You must have Supervisor rights to the eDirectory server to view this page.

Entry Synchronization lets you determine why an entry needs to be synchronized.

NOTE: iMonitor only lists a limited number of objects in the Change Cache page. If you want to view all objects in the change cache, either for a specific partition or for all partitions on a server, you can run a Change Cache Dump Report in the Reports page. See Configuring and Viewing Reports for more information about configuring and running reports in iMonitor.

Viewing NetIQ Identity Manager Details

From the DirXML Summary page, you can view a list of any DirXML drivers running on your server, the status of each driver, any pending associations, and driver details.

  1. In iMonitor, click DirXML Summary.

  2. Choose from the following options:

    Status displays the current state of the specified driver. Possible states include stopped, starting, running, shut down, pending, and getting schema.

    Start Option displays the current startup option specified for the selected driver.

    Pending displays the number of associations that have not yet been made.

    Driver Details Icon displays subscriber and publisher details, XML rules, filters, and pending association lists for DirXML drivers running on your server. Details on the first 50 pending objects are also displayed on this page. The XML rule details provided on this page can be used to determine what to look for in the pending objects to allow their creation to proceed for the specified DirXML driver.

Viewing the Synchronization Status of a Replica

From the Replica Synchronization page, you can view the synchronization status of a replica.

  1. In iMonitor, click Agent Synchronization in the Assistant frame.

  2. Click Replica Synchronization for the partition you want to view.

  3. Use the links on this page and in the navigation bar on the left to access other partitions and jump through your replica ring.

Configuring and Viewing Reports

From the Reports page, you can view and delete reports run directly on this server. Some reports might take a long time to run and can be resource intensive.

Scheduled reports run without authenticating as a user, using the [Public] identity. Any reports you run directly are run as your identity. All report data is stored on the server from which you run the report. iMonitor stores report data in the following directories by default, depending on the operating system:

Platform   Directory
Windows    C:\Novell\NDS\ndsimon\dsreports\
Linux      /var/opt/novell/eDirectory/data/dsreports

The Report Config page lets you view a list of preconfigured, custom, and scheduled reports. Use this page to modify and run reports and to create custom reports for iMonitor pages. The following table lists preconfigured reports included with iMonitor.

Report               Description
Server Information   Walks the entire tree, communicates with every NCP server it can find, and reports any errors it finds. Use this report to diagnose time synchronization and limber problems, or to find out if the current server is able to communicate with all other servers from this server’s perspective. If selected in the Configuration page, this server can also generate NDS Agent Health information for every server in the tree.
Obituary Listing     Lists all obituaries on this server.
Object Statistics    Evaluates the objects in a given scope, then generates lists of objects matching the requested criteria. These criteria include such things as future time, unknown objects, renamed objects, counts of base classes, containers, aliases, and external references.
Change Cache Dump    Lists all the objects in the change cache for the selected partition or for all partitions on the server. This report also generates an XML dump of the objects in the change cache, along with attributes and values that need to be synchronized across servers. The report provides information for analyzing all objects in the change cache.
                     NOTE: iMonitor stores change cache dumps in the same directory as the actual Change Cache Dump Report, as listed in the previous table.
Service Advertising  Lists all directories and servers known to the current server through SLP or SAP.
Agent Health         Gathers health information for the current server.
Value Count          Generates a list of objects having attributes whose value count exceeds a value you specify.

Viewing and Deleting Reports

  1. In iMonitor, click Reports.

  2. Click the Delete Report icon to delete a report, or the View Report icon to view a report.

Running a Report

  1. In iMonitor, click Reports > Report Config.

  2. Click the Run Report icon to run a report.

Configuring or Scheduling a Report

  1. In iMonitor, click Reports > Report Config.

  2. Click the Configure Report icon to configure and schedule a report.

  3. Select any options you want, then click Save Defaults to save the options you selected.

  4. (Optional) Configure the report to run either periodically or at a later time.

    1. Specify a frequency, start time, and start day.

    2. Click Schedule.

  5. Click Run Report to start the report.

Creating a Custom Report

Custom reports let you launch any iMonitor page as a report.

  1. In iMonitor, click Reports > Report Config.

  2. In the Runable Report list, click the Configure Report icon next to Custom Reports.

  3. Enter a name for the report, then enter the URL for the iMonitor page you want to launch as a report.

    When running a custom report, enter the URL as follows:

    /nds/required page

  4. In the Saved reports field, specify the number of versions of the report you want to keep or retain.

  5. (Optional) Click Save to save the report.

  6. (Optional) Configure the report to run either periodically or at a later time.

    1. Specify a frequency, start time, and start day.

    2. Click Schedule.

  7. Click Run Report to start the report.

Viewing Schema, Class, and Attribute Definitions

From the Schema page, you can view your schema, class, and attribute definitions. You can view the schema that is loaded on your tree, with any extensions that have been made, and information specific to your particular schema, such as any changes or extensions you’ve made to the schema.

  1. In iMonitor, click Schema in the Assistant frame.

  2. Choose from the following options:

    Synchronization List lists the servers that this server will synchronize with. This option is available only for servers running NDS eDirectory 8.5 or later. You must have Supervisor rights on the server to view this information.

    Schema Root displays information about the schema replica closest to the root of the tree in this context.

    Each eDirectory server stores a replica of the schema in its entirety. The schema replica is stored separately from the partitions that contain directory objects. Changes to any one schema replica are propagated to the other replicas. You can perform modifications to the schema only through a server that stores a writable replica of the root partition. Servers storing read-only replicas of the root partition can read but not modify schema information.

    Attribute Definitions lists the name of each attribute, the syntax that the attribute value will be in, and the constraints that the attribute operates under. Use the navigation frame on the left to browse for and access individual attributes.

    Class Definitions lists the name of each class, its rules, and its attributes. Use the navigation frame on the left to browse for and access individual attributes.

Searching for Objects

From the Search page, you can search objects based on a variety of query options and filters. The search query options and filters are grouped in two levels of search request forms: basic and advanced. The basic search request form is designed for average users of eDirectory and simple searches. The advanced search request form is designed for advanced users and complicated searches. Currently, only server-level search is supported.

All the search options and filters in the four sections are conjunctive. Blank fields (except the Relative Distinguished Name) will be ignored. Use the Ctrl key to deselect an item or select more than one item on the multilists. Deselected multilists will also be ignored.

  1. In NetIQ iMonitor, click Search.

  2. Choose from the following options:

    • Scope Options lets you specify the scope of the search.

    • Entry Filters lets you specify search query filters related to the entry information.

    • Attribute and Value Filters lets you specify search query filters related to the attributes and values.

    • Display Options lets you specify options which control the display format of the search results.

      NOTE: The Display Options settings are only available if you click Advanced to view all Advanced Search options.

  3. Click the Help button at the bottom of the search request form to see brief help information added to the form itself.

    Click Reload or Refresh to clear the help information.

Using the Stream Viewer

From the Stream Viewer page, you can view the current stream in any of the following formats:

  • Plain text

  • HTML

  • GIF

  • JPEG

  • BMP

  • WAV

  • Hex Dump

  • Other

If you have stream attributes that you consistently want to view in a particular format, you can use the Stream Viewer to select default display settings.

NDS Stream Attribute Setup changes the default display format for streams in your browser. It is up to your browser to display the stream correctly, so it might not always apply the settings you have selected.

You must be authenticated to the server to apply any changes you have made to the default settings. Your changes are stored in streams.ini (for Windows servers) or streams.conf (for Linux servers), so you can also edit the default settings manually.

Clone DIB Set

This option creates a complete DIB fileset duplicate of an eDirectory database stored on a single server (the source server). The DIB Clone must be taken from the source server that holds all the master replicas in the tree. The clone can then be placed on another server (the target server). When the target server initiates eDirectory, it loads the DIB fileset, contacts the master replica of the server object, resolves its name, then synchronizes any changes to the DIB fileset made after the clone was created.

The clone of an eDirectory DIB set should only be placed on a server running the same operating system as the server the clone was created on. For example, if you want to restore a cloned DIB fileset to a Linux server, create the clone on a Linux server and not on a Windows server.

Although the back end for this feature was shipped with eDirectory 8.7, it was not supported until eDirectory 8.7.1 running iMonitor 2.4 or later. This option does not apply to any version of NetIQ eDirectory or NDS prior to 8.7.

Figure 8-4 Clone DIB Set Page in iMonitor


Clone DIB Set Use Cases

Clone DIB Set provides the following use cases:

  • Create a new server with partitions already in an “on” state.

    Advantages include the following:

    • All servers in the ring do not need to be up and running to add a new server to the replica ring.

    • A new server will automatically have all partitions with no synchronization necessary.

    • Quicker up time.

  • Disaster recovery

    Advantages:

    • Only need one copy of the partition to succeed.

    • Less down time on large servers with multiple partitions.

    Disadvantages:

    • Must have at least one good copy of the partitions in question.

    • Won't handle any SSL or security backups.

    • Does not handle the file system.

  • Backup and restore

    Advantages:

    • Quicker up time, especially on large scale databases.

    Disadvantages:

    • Only adds core eDirectory. LDAP, SNMP, SSL, etc. are not installed or configured.

    • Will not get the latest changes. Only a snapshot is taken. Roll forward logs are not executed.

    Because of the listed disadvantages, we do not recommend using Clone DIB Set for backup and restore purposes.

Creating a Clone

A clone DIB fileset can be created with the originating server either online or offline. The offline method requires eDirectory to be brought down. In the online mode, eDirectory is up and not locked.

WARNING: Do not use the Dibclone utility on an Identity Management server to clone another server, because this generates unnecessary TAO files on the cloned server.

Online Method

  1. Load the ndsclone module on the source server.

    Platform   Command or Tool
    Windows    In NDSCons.exe, select dsclone.dll, then click Start.
    Linux      Add an ndsclone entry to the ndsmodules.conf file, then use the http://IP address:port/dhost page to load the Directory Clone Agent.

    NOTE: The ndsclone module can also be loaded using the ndstrace -c "load ndsclone" command.

  2. Disable the inbound sync from iMonitor agent configuration page before starting the clone DIB process on the source server.

  3. Create the clone DIB fileset.

    1. Run Clone DIB Configuration in iMonitor.

      Click Agent Configuration > Clone DIB Set > Create New Clone.

    2. Specify the fully qualified name of the target server and the file path where the cloned DIB files will be placed, then check the Create Clone Object and the Clone DIB Online boxes.

      The NCP Server name (Clone Object) of the target server must match the target server name.

    3. Click Submit.

      The NDS Clone object is created and the DIB fileset is copied to the specified destination.

  4. Install and configure eDirectory on the target server and bring down the server.

  5. Copy the DIB directory containing the cloned DIB fileset to the target server.

    Additionally, on Linux systems, copy the /etc/opt/novell/eDirectory/conf/nds.conf file from the source server to the target server and update the following references so that they point to the target server:

    • Change the IP address in the following parameters:

      • n4u.server.interfaces

      • http.server.interfaces

      • https.server.interfaces

    • Set the n4u.nds.server-name parameter to the NCP Server Name created in step 3b.

    • Set the n4u.nds.preferred-server parameter to the preferred server name. Usually the host name of the target server is used as the preferred server name.

  6. Remove the nicisdi.key from /var/opt/novell/nici/0 and /var/opt/novell/nici/0/backup on the target server.

  7. Now start the target server and run the ndsconfig upgrade command.

    NOTE: On Windows, you need to run the EConfig.ps1 command to upgrade the eDirectory server using the silent installer. While upgrading, you need to specify the tree name, server name, and admin credentials of the cloned DIB in the upgrade.ni response file. You must also specify the existing server IP, that is, the IP of other servers in the tree. For more information, see Unattended Upgrade of eDirectory on Windows in the NetIQ eDirectory Installation Guide.

  8. Ensure that the master replica of the target Server object is available and running eDirectory. When eDirectory initializes on the target server, it communicates with the master replica, where the final naming of the target server is resolved.

  9. Make sure that the replica attribute value of the target server is synched with all the servers. Once the attribute changes are available on all servers, reenable the inbound sync on the source server. The inbound sync can be enabled either through the iMonitor agent configuration page or through DSTrace.

  10. To complete the eDirectory configuration, see Completing the eDirectory Configuration.

Offline Method
  1. Create the clone DIB fileset.

    1. Run Clone DIB Configuration in iMonitor.

      Click Agent Configuration > Clone DIB Set > Create New Clone.

    2. Specify the fully qualified name of the target server, check the Create Clone Object box, then uncheck the Clone DIB Online box.

      The NCP Server name of the target server must match the target server name.

    3. Click Submit.

      The NDS clone object is created, the DIB is locked in the source server, and an error reports that eDirectory is locked.

  2. Install and configure eDirectory on the target server and bring down the server.

  3. Manually copy the *.nds, nds*, and nds.rfl/*.* files from the source server’s DIB directory to a destination or media on the target server that is convenient for moving the set into the target server's DIB directory. Additionally, on Linux systems, transfer the /etc/opt/novell/eDirectory/conf/nds.conf file to the target server and update the following references so that they point to the target server:

    • Change the IP address in the following parameters:

      • n4u.server.interfaces

      • http.server.interfaces

      • https.server.interfaces

    • Set the n4u.nds.server-name parameter to the NCP Server Name created in step 1b.

    • Set the n4u.nds.preferred-server parameter to the preferred server name. Usually the host name of the target server is used as the preferred server name.

  4. Remove the nicisdi.key from /var/opt/novell/nici/0 and /var/opt/novell/nici/0/backup on the target server.

  5. Export the NDSD_DISABLE_INBOUND=Y environment variable and then start ndsd, which disables inbound sync on the source server.

  6. Restart eDirectory on the source server.

    If eDirectory is restarted on the source server before the files are copied, this clone is invalid. The new NCP Server object must then be deleted and the clone must be recreated.

  7. Now start the target server and run the ndsconfig upgrade command.

    NOTE: On Windows, you need to run the eDirectory Setup file. You also need to select and log in to the eDirectory tree while the Setup file is running in order to upgrade your eDirectory server.

  8. Make sure that the replica attribute value of the target server is synched with all the servers. Once the attribute changes are available on all servers, reenable the inbound sync on the source server. The inbound sync can be enabled either through the iMonitor agent configuration page or through DSTrace.

  9. Install eDirectory and start the server on the target server, with the DIB directory containing the cloned DIB fileset.

    Ensure that the master replica of the new target Server object is available and running eDirectory. When eDirectory initializes on the target server, it communicates with the master replica, where the final naming of the target server is resolved.

  10. To complete the eDirectory configuration, see Completing the eDirectory Configuration.
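The nds.conf edits required in Online Method step 5 and Offline Method step 3, as an added example that is not part of the NetIQ documentation or tooling: a shell function that rewrites a copied nds.conf for the target server. The parameter names are the ones listed in those steps; the key=value line layout, the address@port form of the interface values, and all sample values are assumptions.

```sh
#!/bin/sh
# Added example, not NetIQ tooling: rewrite the references in a copied nds.conf
# so that they point to the clone target (Online Method step 5, Offline Method
# step 3). Parameter names come from the procedure; the "key=value" line layout,
# the "address@port" interface value form and every sample value are assumptions.

# rewrite_nds_conf SRC DST TARGET_IP TARGET_NCP_SERVER_NAME TARGET_PREFERRED_SERVER
# Writes DST from SRC with the three interface parameters re-addressed (ports kept),
# the NCP server name and the preferred server replaced. Other lines pass through.
rewrite_nds_conf() {
    awk -v ip="$3" -v ncp="$4" -v pref="$5" '
        BEGIN { FS = "="; OFS = "=" }
        # comments and blank lines pass through untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            key = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = substr($0, index($0, "=") + 1)   # a value may itself contain "="
        }
        key == "n4u.server.interfaces" || key == "http.server.interfaces" ||
        key == "https.server.interfaces" {
            # each comma-separated entry is address@port (assumed): keep the port, swap the address
            n = split(val, part, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                port = ""
                at = index(part[i], "@")
                if (at > 0) port = substr(part[i], at)
                out = out (i > 1 ? "," : "") ip port
            }
            print key, out; next
        }
        key == "n4u.nds.server-name"      { print key, ncp;  seen[key] = 1; next }
        key == "n4u.nds.preferred-server" { print key, pref; seen[key] = 1; next }
        { print }
        END {
            # append the name parameters when the source file did not carry them
            if (!("n4u.nds.server-name" in seen))      print "n4u.nds.server-name", ncp
            if (!("n4u.nds.preferred-server" in seen)) print "n4u.nds.preferred-server", pref
        }
    ' "$1" > "$2"
}

# nds_conf_get FILE KEY: print the value of KEY (first occurrence), empty if absent.
nds_conf_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, index($0, "=") + 1); exit }' "$1"
}

# Demonstration on a constructed source nds.conf (sample values, not a real server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/nds.conf.source" <<'EOF'
# constructed sample nds.conf
n4u.base.tree-name=LAB-TREE
n4u.server.interfaces=10.0.0.5@524
http.server.interfaces=10.0.0.5@8028
https.server.interfaces=10.0.0.5@8030
n4u.nds.server-name=CN=SRC-SERVER.O=lab
n4u.nds.preferred-server=src-server
EOF
rewrite_nds_conf "$demo_dir/nds.conf.source" "$demo_dir/nds.conf.target" \
    10.0.0.9 "CN=CLONE-SERVER.O=lab" clone-server
cat "$demo_dir/nds.conf.target"
rm -rf "$demo_dir"
```

Run it against the copied file, then compare the result with the original before placing it in /etc/opt/novell/eDirectory/conf on the target.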

Completing the eDirectory Configuration

SDIKEY

  1. Bring down eDirectory on the target server.

  2. Move or rename the nicisdi.key files on the file system of the target server:

    Platform   Location
    Windows    C:\Windows\SysWOW64\novell\nici\nicisdi.key
    Linux      /var/opt/novell/nici/0/nicisdi.key
               /var/opt/novell/nici/0/backup/nicisdi.key

  3. Start eDirectory on the target server.

Configuring SAS, LDAP, HTTP, and SNMP Services

Linux: You can configure SAS, LDAP, SNMP, and HTTP services in one operation by entering the following command at the command line:

ndsconfig upgrade [-a admin FDN]

Windows: Run the eDirectory installer and complete the configuration of SAS, LDAP, SNMP, and HTTP services.

After completing the configuration, HTTP listens on ports 80 and 443 by default. eDirectory stores the HTTP port configuration on the HTTP server object. If required, you can change the port configuration as an administrator user.

To configure the services individually, refer to the following tables:

SAS

Platform   Command or Tool
Windows    Create the SAS Service object and certificates by using iManager.

LDAP

Platform   Command or Tool
Windows    Create the LDAP Server and Group objects by using iManager.

SNMP

Platform   Command or Tool
Windows    rundll32 snmpinst, snmpinst -c createobj -a userFDN -p password -h hostname_or_IP_address

8.1.5 Ensuring Secure iMonitor Operations

Securing access to your iMonitor environment involves the following protective steps:

  1. Use a firewall and provide VPN access (this also applies to NetIQ iManager and any other Web-based service that should have restricted access).

  2. Whether a firewall is in place or not, limit the type of access allowed through iMonitor to further protect against Denial of Service (DoS) attacks.

    Although substantial efforts have been made to ensure that iMonitor validates the data it receives via URL requests, it is nearly impossible to guarantee that every conceivable invalid input is rejected. To reduce the risk of DoS attacks via invalid URLs, there are three levels of access that can be controlled through iMonitor’s configuration file using the LockMask: option.

    Access Level   Description
    0              Require no authentication before iMonitor processes URLs. In this case, the eDirectory rights of the [Public] identity are applied to any request, and information displayed by iMonitor is restricted to the rights of the [Public] user. However, because no authentication is required to send URLs to iMonitor, iMonitor might be vulnerable to DoS attacks that are based on sending garbage in the URL.
    1 (Default)    Before iMonitor processes URLs, require successful authentication as some eDirectory identity. In this case, the eDirectory rights of that identity are applied to any request and are, therefore, restricted by those rights. The same DoS vulnerability as level 0 exists, except the attack must be launched by someone who has actually authenticated to the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users when it is configured in this state.
    2              Before iMonitor processes URLs, require successful authentication as an eDirectory identity that has supervisor equivalency on the server that iMonitor is authenticating to. The same DoS vulnerability as level 1 exists, except the attack must now be launched by someone who has actually authenticated as a supervisor of the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users and non-supervisor authenticated users when it is configured in this state.

    Level 1 is the default because many administrators do not have supervisory access to every server in the tree but might need to use the iMonitor service on a server that their servers interact with.

    NOTE: There are several features of iMonitor, such as Repair and Trace, that require supervisor equivalency to access regardless of the LockMask setting.
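As an added example (not NetIQ code or configuration), the following shell functions read the effective LockMask level from a copy of iMonitor's configuration file, flag anything below the supervisor-only level 2, and write a corrected copy. The three levels and the default of 1 are the ones documented above; the "LockMask: N" line layout and the Linux path /etc/opt/novell/eDirectory/conf/ndsimon.conf are assumptions.

```sh
#!/bin/sh
# Added example, not part of the NetIQ documentation: audit and set the LockMask:
# option in iMonitor's configuration file. Levels 0, 1 and 2 and the default of 1
# are as documented; the "LockMask: N" line layout and the Linux path
# /etc/opt/novell/eDirectory/conf/ndsimon.conf are assumptions.

# imonitor_lockmask FILE: print the effective level. The last uncommented
# LockMask line wins; an absent option means the documented default, 1.
imonitor_lockmask() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($0) ~ /^[[:space:]]*lockmask:/ {
            v = $0
            sub(/^[^:]*:[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            lvl = v
        }
        END { if (lvl == "") lvl = 1; print lvl }
    ' "$1"
}

# imonitor_lockmask_check FILE MIN: succeed when the effective level is a known
# level (0, 1 or 2) and at least MIN; use MIN=2 to require supervisor-only access.
imonitor_lockmask_check() {
    lvl=$(imonitor_lockmask "$1")
    case $lvl in 0|1|2) ;; *) return 1 ;; esac
    [ "$lvl" -ge "$2" ]
}

# imonitor_lockmask_set SRC DST LEVEL: copy SRC to DST with exactly one
# "LockMask: LEVEL" line; commented copies are left alone, duplicates dropped.
imonitor_lockmask_set() {
    awk -v lvl="$3" '
        /^[[:space:]]*#/ { print; next }
        tolower($0) ~ /^[[:space:]]*lockmask:/ {
            if (!done) { print "LockMask: " lvl; done = 1 }
            next
        }
        { print }
        END { if (!done) print "LockMask: " lvl }
    ' "$1" > "$2"
}

# Demonstration against a constructed configuration (not a real server's file).
demo=$(mktemp -d)
printf '%s\n' '# constructed ndsimon.conf' 'LockMask: 0' > "$demo/ndsimon.conf"
printf 'before: level %s\n' "$(imonitor_lockmask "$demo/ndsimon.conf")"
if ! imonitor_lockmask_check "$demo/ndsimon.conf" 2; then
    imonitor_lockmask_set "$demo/ndsimon.conf" "$demo/ndsimon.conf.new" 2
    printf 'after:  level %s\n' "$(imonitor_lockmask "$demo/ndsimon.conf.new")"
fi
rm -rf "$demo"
```

Because level 1 is the default, a file with no LockMask line at all is reported as level 1, so the check fails on a pristine configuration as well as on an explicit level 0.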

8.1.6 Configuring HTTP Server Object

An eDirectory installation creates an HTTP server object. The default configuration for HTTP Services is located in the directory on this object. However, you can modify the default configuration by using NetIQ iManager. The HTTP server object represents server-specific configuration data.

The following are the attributes on the HTTP server object:

  • httpDefaultTLSPort: Indicates the secure port on which the HTTP server listens.

  • httpDefaultClearPort: Indicates the clear text port on which the HTTP server listens.

  • httpAuthRequiresTLS: Indicates whether requests coming through the clear text port must be redirected to the secure port.

  • httpTraceLevel: Indicates the debug level of HTTP server in DSTrace.

  • httpKeyMaterialObject: Holds the DN of the certificate object that the HTTP server uses when handling secure connections. To configure iMonitor interfaces in Suite B mode, enable the desired Suite B mode by setting the value of httpBindRestrictions to that mode, then associate an appropriate ECDSA server certificate with httpKeyMaterialObject. By default, httpKeyMaterialObject is set to use the RSA certificate.

  • httpSessionTimeout: Indicates the timeout of the HTTP sessions. The default value is 900 seconds.

  • httpKeepAliveRequestTimeout: Indicates the keep alive timeout of each HTTP request. The default value is 15 seconds.

  • httpRequestTimeout: Indicates the timeout of each HTTP request. The default value is 300 seconds.

  • httpIOBufferSize: Indicates the input and output buffer size of the HTTP server. The default value is 8192 bytes.

  • httpThreadsPerCPU: Indicates the number of HTTP threads to be spawned per CPU. The default value is 2 threads.

  • httpHostServerDN: Holds the DN of the NCP server object with which the HTTP server object is associated.

  • httpBindRestrictions: Allows you to set the cipher encryption level.

    • RSA: You can use the following values to restrict the cipher usage:

      • 0 - accept HIGH, MEDIUM, LOW and EXPORT ciphers

      • 1 - accept HIGH, MEDIUM, and LOW ciphers only

      • 2 - accept HIGH and MEDIUM ciphers only

      • 3 - accept HIGH ciphers only

      The default value is 3.

    • ECDSA 256: You can use the following value to restrict the cipher usage:

      • 4 - allows a 128-bit cipher or a 256-bit cipher

    • ECDSA 384: You can use the following values to restrict the cipher usage:

      • 5 - allows a 128-bit cipher or a 256-bit cipher

      • 6 - allows a 256-bit cipher

    For ECDSA certificates, eDirectory allows only Suite B ciphers.

    To configure LDAP and httpstk interfaces in Suite B mode, log in to iManager with administrator rights and enable one of the Suite B modes and then associate an appropriate ECDSA server certificate to these interfaces. You need to do this for every eDirectory server using the server's LDAP and httpstk configuration objects such as ldapServer and httpServer. Before turning on Suite B mode, ensure that all LDAP clients, LDAP browsers, and web browsers in the eDirectory environment support TLS 1.2 and EC certificates.

8.1.7 Setting HTTP Stack Parameters Using ndsconfig

The following are the HTTP stack parameters using ndsconfig:

  • http.server.interfaces: Holds the clear text interface at which the HTTP server listens. This is set during a new instance configuration by ndsconfig.

  • http.server.request-io-buffer-size: Indicates the input and output buffer size of the HTTP server. The default value is 8192 bytes.

  • http.server.request_timeout-seconds: Indicates the timeout of each HTTP request. The default value is 300 seconds.

  • http.server.keep-timeout-seconds: Indicates the keep alive timeout of each HTTP request. The default value is 15 seconds.

  • http.server.threads-per-processor: Indicates the number of HTTP threads to be spawned per CPU. The default value is 2 threads.

  • http.server.session-exp-seconds: Indicates the timeout of the HTTP sessions. The default value is 900 seconds.

  • http.server.trace-level: Indicates the debugging level of HTTP stack in DSTrace. The default level is 2.

  • http.server.clear-port: Indicates the clear text port at which HTTP server listens.

  • http.server.tls-port: Indicates the secure port at which the HTTP server listens.

  • http.server.auth-req-tls: Indicates whether requests coming through the clear text port must be redirected to the secure port.

  • https.server.interfaces: Holds the secure interface at which the HTTP server listens. This is set during new instance configuration by ndsconfig.

  • https.server.cached-cert-dn: Holds the DN of the certificate object, which the HTTP server needs to use while handling the secure connection.
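An added example, not NetIQ tooling: a shell audit that compares captured ndsconfig get output for the parameters above against hardened values and emits the ndsconfig set commands that would correct the drift. The parameter names and defaults are the ones listed above; the key=value line layout of captured ndsconfig get output is an assumption, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not part of the NetIQ documentation: compare the HTTP stack
# parameters of an instance with the values a hardened iMonitor exposure wants
# and print the ndsconfig set commands that would correct the drift. Parameter
# names and defaults are the documented ones; the "key=value" line layout of
# captured `ndsconfig get` output is an assumption, and the sample is constructed.

# One rule per line: parameter, comparison (eq = must equal, le = must not
# exceed), value. auth-req-tls=1 sends clear-text requests to the TLS port;
# the timeouts and trace level are capped at the documented defaults.
HTTP_STACK_RULES='
http.server.auth-req-tls eq 1
http.server.session-exp-seconds le 900
http.server.request_timeout-seconds le 300
http.server.keep-timeout-seconds le 15
http.server.trace-level le 2
'

# ndscfg_value FILE KEY: value of KEY in a file holding captured ndsconfig get output.
ndscfg_value() {
    awk -F= -v k="$2" '$1 == k { print substr($0, index($0, "=") + 1); exit }' "$1"
}

# http_stack_drift FILE: print one "ndsconfig set key=value" line per rule that
# the captured configuration violates; succeed only when nothing drifts.
http_stack_drift() {
    drift=0
    while read -r key op want; do
        [ -n "$key" ] || continue
        have=$(ndscfg_value "$1" "$key")
        ok=no
        case $op in
            eq) [ "$have" = "$want" ] && ok=yes ;;
            le) [ -n "$have" ] && [ "$have" -le "$want" ] 2>/dev/null && ok=yes ;;
        esac
        if [ "$ok" = no ]; then
            printf 'ndsconfig set %s=%s   # current: %s\n' "$key" "$want" "${have:-<unset>}"
            drift=1
        fi
    done <<EOF
$HTTP_STACK_RULES
EOF
    return $drift
}

# Demonstration on constructed output (not real ndsconfig get output).
demo=$(mktemp)
printf '%s\n' 'http.server.interfaces=10.0.0.5@8028' 'http.server.auth-req-tls=0' \
    'http.server.session-exp-seconds=3600' 'http.server.request_timeout-seconds=300' \
    'http.server.keep-timeout-seconds=15' 'http.server.trace-level=5' > "$demo"
http_stack_drift "$demo" || echo "drift found: review the commands above before applying them"
rm -f "$demo"
```

On a real server, capture the output to a file first and review the printed commands before running them, since a lower session or request timeout also affects legitimate iMonitor users.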