Configuring Hawk WebConsole

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 2 Configuring TIBCO Hawk Components : Configuring Hawk WebConsole

Configuring Hawk WebConsole

The following sections explain various configurations for TIBCO Hawk WebConsole.

Web Server for Hawk WebConsole

By default, TIBCO Hawk installer bundles Apache Tomcat 7.0 web server and deploys TIBCO Hawk WebConsole web-application in it. All the required libraries for TIBCO DataGrid and persistence are already available at appropriate locations.

If you want to use a different standalone Tomcat server to deploy TIBCO Hawk WebConsole, you need to follow these manual steps:

1.

Copy HAWK_HOME/webconsole/hawkwebconsole.war to <CATALINA_HOME>/webapps/.

2.

If TIBCO DataGrid is used as the transport, copy the jar (as-common.jar) to the lib folder of Tomcat (<CATALINA_HOME>/lib)

3.

If H2 database is used, copy H2 driver jar (h2*.jar) to the lib folder of Tomcat (<CATALINA_HOME>/lib).

4.

If TIBCO Rendezvous is used as the transport, copy the following JAR to the lib folder of Tomcat (<CATALINA_HOME>/lib):

−

RV_HOME/lib/tibrvj.jar

5.

If TIBCO Enterprise Message Service is used as the transport, copy the following JARs to lib folder of Tomcat (<CATALINA_HOME>/lib):

−

EMS_HOME/lib/tibrvjms.jar

−

EMS_HOME/lib/tibjms.jar

−

EMS_HOME/lib/TIBCrypt.jar

−

EMS_HOME/lib/jms.jar (in case of EMS 6.3) or EMS_HOME/lib/jms-2.0.jar (in case of EMS 8.0)

6.

Make sure that TIBCO DataGrid, TIBCO EMS (when required) and TIBCO Rendezvous shared libraries are in

−

PATH (Windows)

−

LD_LIBRARY_PATH (Linux, Solaris)

−

SHLIB_PATH (HP-UX)

−

LIBPATH (AIX)

−

DYLD_LIBRARY_PATH (MacOS)

If you want to use any web server other than Tomcat, then you need to copy the above mentioned libraries (JAR/WAR) into appropriate locations specific to the web server.

Basic Configurations

Hawk Domain and Transport

TIBCO Hawk WebConsole can monitor multiple domains configured for different or same transports.

The monitored domain names must be unique within and across different transport types.

TIBCO Hawk WebConsole can monitor multiple transports at the same time. Each of those transports supports multiple domain configurations.

Domain Transport Configuration File (DomainTransportCfg.xml)

The configuration file used to configure the domains is specified in web.xml under the 'main_servlet' definition.

<init-param>

     <param-name>domain_config_file</param-name>

     <param-value>/DomainTransportCfg.xml</param-value>

</init-param>

This file DomainTransportCfg.xml is available in the HAWK_HOME/webconsole/tomcat/webapps/hawkwebconsole/WEB-INF/conf folder.

It follows the xml schema defined as per DomainTransportCfg.xsd as explained in TIBCO Hawk WebConsole User’s Guide. Also, refer to the following examples on how to configure Hawk Domains and their respective transports. One or more Hawk domains can be managed. You require one DomainTransport section per managed domain as follows.

For example, the configuration for RV transport domain (default) is as follows:



<hk:DomainTransport>

<hk:HawkDomainName>default</hk:HawkDomainName>

<hk:Transport>

<hk:RVTransportCfg>

<hk:service>7474</hk:service>

<hk:network></hk:network>

<hk:daemon>tcp:7474</hk:daemon>

</hk:RVTransportCfg>

</hk:Transport>

<hk:SecurityPolicy></hk:SecurityPolicy>

</hk:DomainTransport>

Configuring Security for Any Domain

Configure a security policy for each domain independently using the <hk:SecurityPolicy> as shown in the preceding section. For more Information on Security Configuration, refer to Chapter 4, TIBCO Hawk Security Model.

The security policy of a domain is an optional tag. If the <hk:SecurityPolicy> tag is not present in the Domain configuration or is empty, the domain is initialized with no security policy.

Persistence Mode

The WebConsole Server may or may not be configured to use a database. Persistence mode enabled refers to when a database is used for configuration and storage. The WebConsole Server uses the persistence mode by default. You can disable the persistence mode in web.xml. Depending on the selected mode, different aspects of the web applications are configured differently. The following sections cover these configuration options.

The persistence mode can be enabled or disabled in web.xml as shown:





<context-param>

<param-name>persistence_mode</param-name>

<param-value>false</param-value>

</context-param>

Persistence Mode Enabled Settings

With persistence mode enabled, you can save/restore configuration objects and user created dashboards across multiple sessions.

The above functionality is not available when the persistence mode is disabled.

TIBCO Hawk bundles a H2 database (http://www.h2database.com) for data persistence. You may choose to connect to an external database that is JDBC compliant

Configuring an External Database

1.

Define database resource in the hawkwebconsole web application's META-INF/context.xml as follows:

<Context>



<Resource name="jdbc/hawkdb"

factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"

type="javax.sql.DataSource"

url="jdbc:h2:tcp://localhost/~/hawk"

driverClassName="org.h2.Driver"

username="sa"

password=""

maxActive="100"

maxIdle="20"

initialSize ="10"

defaultAutoCommit ="false"

removeAbandoned="true"

removeAbandonedTimeout="60"

logAbandoned="true"/>

</Context>

2.

Define the resource reference in its web.xml as follows:

<resource-ref>

<description>Hawk Database Connection</description>

<res-ref-name>jdbc/hawkdb</res-ref-name>

<res-type>javax.sql.DataSource</res-type>

<res-auth>Container</res-auth>

</resource-ref>

Hawk WebConsole Users

Hawk WebConsole can be configured to authenticate Hawk users against the following types of user repositories and these authentication types need to be set in the following section of web.xml.



<context-param>

<param-name>auth_type</param-name>

<param-value>FILE</param-value>

</context-param>

Default auth_type is FILE, that is, File based user repository is used.

Database (RDBMS) based User Repository

In the DATABASE based configuration, the users and passwords are stored in the database.

To use this configuration, change auth_mode to DATABASE in web.xml:

<context-param>

<param-name>auth_type</param-name>

<param-value>DATABASE</param-value>

</context-param>

To use auth_type as DATABASE, make sure persistence mode is enabled and Database configuration is done appropriately.

The user authentication information is stored in a table called hawk_users.

For example, to add a new user (admin/admin), Administrator needs to run the following SQL script:

INSERT INTO hawk_users (user_name, password) VALUES ('admin', 'admin');

OR

INSERT INTO hawk_users (user_name, password) VALUES ('admin', '232f297a57a5a743894a0e4a801fc3');

The password can be in plain text or MD5 hashed.

LDAP Based User Repository

In the LDAP based configuration, the users and passwords are stored in LDAP/AD.

To use this configuration, change auth_mode to LDAP in web.xml:

<context-param>

<param-name>auth_type</param-name>

<param-value>LDAP</param-value>

</context-param>

Configure LDAP properties in web.xml:



<context-param>

<param-name>ldap_host</param-name>

<param-value>10.97.107.21</param-value>

</context-param>

<context-param>



<param-name>ldap_port</param-name>

<param-value>389</param-value>

</context-param>

<context-param>

<param-name>ldap_adminDN</param-name>

<param-value>CN=eric,CN=Users,DC=pmqa,DC=com</param-value>

</context-param>

<context-param>

<param-name>ldap_admin_password</param-name>

<param-value>Search123</param-value>

</context-param>

<context-param>

<param-name>ldap_baseDN</param-name>

<param-value>DC=pmqa,DC=com</param-value>

</context-param>

<context-param>



<param-name>ldap_uid_attr</param-name>

<param-value>cn</param-value>

</context-param>

<context-param>



<param-name>ldap_object_class</param-name>

<param-value>*</param-value>

</context-param>

File Based User Repository

In the File based configuration, the users and passwords are stored in the hawkusers.xml file. To configure file based authentication:

1.

Change the auth_mode to FILE in web.xml as follows:

<context-param>

<param-name>auth_type</param-name>

<param-value>FILE</param-value>

</context-param>

2.

Configure the hawkusers.xml file as follows:



<context-param>

<param-name>hawk_users_file</param-name>

<param-value>/hawk_users.xml</param-value>

</context-param>

Store the Hawk users file in the location HAWK_HOME\webconsole\tomcat\webapps\WEB-INF\conf. It has the following format:

<user username="<username>" password="<MD5 hashed password or Plain text password>" roles="<user role>"/>

Logging

WebConsole uses log4j for application logging. By default, the WebConsole logs are generated under CONFIG_FOLDER/logs/hawkwebconsole.log.

You can modify the default log4j config file WEB-INF/conf/log4j_webconsole.properties or use your own properties file.

You can configure the location of logs using the log4j.appender.RFileApp.File property in the log4j config file (WEB-INF/conf/log4j_webconsole.properties).

For example, the default location of logs is as follows:

log4j.appender.RFileApp.File=C:/ProgramData/HK510v11/tibco/cfgmgmt/hawk/logs/hawkwebconsole.log

You can specify your properties file location in the WEB-INF/web.xml file as follows:

<context-param>

      <param-name>log4j_config_file</param-name>

      <param-value>/log4j_webconsole.properties</param-value>

</context-param>

By default, Tomcat server logs are generated at HAWK_HOME/webconsole/logs.

Authorization

Perform the filtering of agents in the WebServer layer. When enabled, authenticated users can be authorized to access specific domains or agents.

By default, users have access to all configured domains and agents.

To configure the filtering of domains and agents in the User Agent Config file, use one of the following ways:

•

Use a File Path: add the following entry in web.xml under the 'main_servlet' definition.

<init-param>

<param-name>user_agent_config_file</param-name>

<param-value>/hawk_user_agent_cfg.txt</param-value>

</init-param>

•

Use a URL: an example of configuring domain filtering with a URL is as follows:

<init-param>

<param-name>user_agent_config_file</param-name>

<param-value>http://<hostname:port>/hawkusers/hawk_user_agent_cfg.

txt</param-value>

</init-param>

Example of hawk_user_agent_cfg.txt is as follows:

# This file is used by agent running with "COM.TIBCO.hawk.security.trusted.Trusted" security model.

#

#

# Explanation of Settings:

#

# This file provides authorization or filter level for node/agent for WebConsole application.

# This doesn't include microagent and methods level authorization, even if the microagent and methods are defined, then those will be ignored.

# The node column can have a node/agent name or "agent dns domain" or "agent:dns:domain" format.

# Wild card * is supported in both user and node column.

# Access restrictions can be defined for an user by starting record with !

# In case of any conflict in grant and restriction, the restriction will have the precedence.

# Examples

# 1. admin will have access to all agents/nodes and domains

# 2. user1 will have access to agent1 under domain1 with dns dns1.

# 3. user2 will have access to all agents/nodes under domain domain2 and any dns.

# 4. user3 will have access to agent3 if agent3 doesn't belong to domain3

#

# File format:

#

# user node

# access

# &

# restrictions

#

admin *

user1 "agent1 dns1 domain1"

user2 "* * domain2"

user3 agent3

!user3 "* * domain3"

Enabling SSL Authentication for Hawk WebConsole

The WebConsole is hosted inside the Tomcat web container, thus, enable the SSL for the Tomcat Web container to enable the SSL for WebConsole. Follow the steps mentioned in the Tomcat documentation at the following URL to configure SSL in the Tomcat Web container:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Alternatively, you can also follow these steps to quickly enable SSL over HTTP for the Tomcat Web container:

1.

Open the command prompt and navigate to the JDK Installation folder.

2.

Run the following command to create a keystore file to store the server's private key and self-signed certificate:

JAVA_HOME\bin\keytool -genkey -alias tomcat -keyalg RSA

3.

When prompted, specify the password string, for example, "hawkwebconsole". The password could be any string, the same password needs to be specified in the server.xml configuration file (see step 6).

4.

When prompted, specify general information about the certificate, such as company, contact name, and so on. This information helps users to validate the authenticity of the certificate, as this information is displayed to users who attempt to access a secure page in your application.

The .keystore file with the Certificate is created in the same JDK installation folder.

5.

Now, browse to the configuration folder of Hawk WebConsole and open server.xml for editing.

HAWK_HOME/webconsole/tomcat/conf/server.xml

6.

Enter the following information under the Catalina service tag <Service name="Catalina">:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"

port="8443" maxThreads="200"

scheme="https" secure="true" SSLEnabled="true"

keystoreFile="<path of .keystore file>"

keystorePass="hawkwebconsole"

clientAuth="false" sslProtocol="TLS"/>

7.

Save the file and restart Hawk WebConsole.

To verify, type the URL "https://localhost:8443/hawkwebconsole/" in a web browser and press Enter. Web browser should display Hawk WebConsole.

Agent Inventory

The WebConsole Server maintains a record of all newly discovered agents.

•

Upon restart of the WebConsole Server, these agents status initially appears as "Offline"

•

During the discovery process, if an agent is discovered, the status changes to "Alive".

If persistence mode is enabled, the agent information is saved in the configured database.

If persistence mode is disabled, the agent information is saved in an xml file, which does not require any configuration. By default, the application stores the agent information under <CATALINA_HOME>/AppData/hawk_agents.xml.

It is possible to bootstrap the application with a predefined set of Hawk Agents by directly adding entries to this file or to the corresponding table in the database.

Global User Preferences

The user preferences at global level can be configured in the WebConsole Server. These preferences are applicable across all users.

The following example shows how the depth of alert/subscription caches in the browser (default=1000) can be set in web.xml:





<context-param>

<param-name>browser_item_cache_max</param-name>

<param-value>1000</param-value>

</context-param>

HeatMap Update Frequency

The rendering frequency of heatmaps in Hawk WebConsole can be controlled using the following parameters in web.xml:

heatmap_update_type — Specifies if the heatmap can be updated automatically or at the specified time interval. Set the value to one of the following:

−

auto —Updates heatmap automatically for optimal performance

−

timer— Gives control to specify the rendering rate using the parameter "heatmap_render_rate"

−

heatmap_render_rate— Specifies how often the heatmap is updated. Default value 10 seconds. The minimum value is 5 seconds.

Change Notifications

All configuration object changes made via the WebConsole UI are propagated to all connected user sessions. However, the changes made through Hawk Display or any other mechanism is not notified.

Versioning

When the persistence mode is enabled, the objects that are local to a user (that is, the objects that are not yet deployed to an agent) are versioned.

A version check is performed when you try to save a local object. The save operation succeeds only if the version is the latest. Otherwise, you get an exception that asks you to refresh your copy. It can happen only if the same user logs in from two sessions.

For agent deployed objects or common objects, versioning is not maintained. This is because Agents do not support versioning and version based deployment of configuration objects.

WebConsole User Session Persistence

By default, the session persistence is disabled for WebConsole application with Tomcat restart. You can enable or disable the session persistence with Tomcat restart for Hawk WebConsole application. It is configurable in tomcat/webapps/hawkwebconsole/META-INF/context.xml.

To enable session persistent, comment out the below entry in context.xml:

<Manager pathname="" />

The above configuration for user session persistence is specific to Tomcat. If you are deploying Hawk WebConsole on any other web server, follow equivalent steps for that web server.