Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 2 TIBCO Hawk Component Configurations : Hawk WebConsole Configurations

Hawk WebConsole Configurations
The following sections explain various configurations for TIBCO Hawk WebConsole.
Web Server for Hawk WebConsole
By default, the TIBCO Hawk installer bundles the Apache Tomcat 7.0 web server and deploys the TIBCO Hawk WebConsole web application in it.
If you want to use a different standalone Tomcat server to deploy TIBCO Hawk WebConsole, you need to follow these manual steps:
1.
Copy HAWK_HOME/webconsole/hawkwebconsole.war to <CATALINA_HOME>/webapps/.
2.
If H2 database is used, copy H2 driver jar (h2*.jar) to the lib folder of Tomcat (<CATALINA_HOME>/lib).
3.
If TIBCO Rendezvous is used as the transport, copy the following JAR to the lib folder of Tomcat (<CATALINA_HOME>/lib):
RV_HOME/lib/tibrvj.jar
4.
EMS_HOME/lib/tibrvjms.jar
EMS_HOME/lib/tibjms.jar
EMS_HOME/lib/tibcrypt.jar
EMS_HOME/lib/jms.jar (in case of EMS 6.3) or EMS_HOME/lib/jms-2.0.jar (in case of EMS 8.0)
5.
PATH (Windows)
LD_LIBRARY_PATH (Linux, Solaris)
LIBPATH (AIX)
Basic Configurations
Hawk Domain and Transport
TIBCO Hawk WebConsole can monitor multiple domains configured for different or same transports.
TIBCO Hawk WebConsole can monitor multiple transports at the same time. Each of those transports supports multiple domain configurations.
Domain Transport Configuration File (DomainTransportCfg.xml)
The configuration file used to configure the domains is specified in web.xml under the 'main_servlet' definition.
<init-param>
     <param-name>domain_config_file</param-name>
     <param-value>/DomainTransportCfg.xml</param-value>
</init-param>
The DomainTransportCfg.xml file is available in the HAWK_HOME/webconsole/tomcat/webapps/hawkwebconsole/WEB-INF/conf folder.
It follows the XML schema defined in DomainTransportCfg.xsd. See the examples in the DomainTransportCfg.xml file for information on how to configure Hawk domains and their respective transports. One or more Hawk domains can be managed, and each managed domain requires its own DomainTransport section. Uncomment and configure the DomainTransport section for the transport that you want to use, and comment out all other DomainTransport sections.
For example, the configuration for RV transport domain is as follows:

 
<!-- RV transport domain-->
<hk:DomainTransport>
<hk:HawkDomainName>default</hk:HawkDomainName>
<hk:Transport>
<hk:RVTransportCfg>
<hk:service>7474</hk:service>
<hk:network></hk:network>
<hk:daemon>tcp:7474</hk:daemon>
</hk:RVTransportCfg>
</hk:Transport>
<hk:SecurityPolicy></hk:SecurityPolicy>
</hk:DomainTransport>
Configuring Security for Any Domain
Configure a security policy for each domain independently using the <hk:SecurityPolicy> tag, as shown in the preceding section. For more information on security configuration, refer to Chapter 4, TIBCO Hawk Security Model.
The <hk:SecurityPolicy> tag is optional. If it is not present in the domain configuration or is empty, the domain is initialized with no security policy.
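Because a missing or empty <hk:SecurityPolicy> tag silently leaves a domain without a security policy, it is worth checking the file before deployment. The following check is an added example, not TIBCO code; the root element name, the namespace URI, and the non-empty policy value in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Root element name and namespace URI are placeholders;
# the DomainTransport layout follows the RV example on this page.
SAMPLE = """<hk:DomainTransportCfg xmlns:hk="urn:example:placeholder">
  <hk:DomainTransport>
    <hk:HawkDomainName>default</hk:HawkDomainName>
    <hk:Transport><hk:RVTransportCfg>
      <hk:service>7474</hk:service><hk:network></hk:network>
      <hk:daemon>tcp:7474</hk:daemon>
    </hk:RVTransportCfg></hk:Transport>
    <hk:SecurityPolicy></hk:SecurityPolicy>
  </hk:DomainTransport>
  <hk:DomainTransport>
    <hk:HawkDomainName>prod</hk:HawkDomainName>
    <hk:Transport><hk:RVTransportCfg>
      <hk:service>7475</hk:service><hk:network></hk:network>
      <hk:daemon>tcp:7475</hk:daemon>
    </hk:RVTransportCfg></hk:Transport>
    <hk:SecurityPolicy>placeholder.policy.Class</hk:SecurityPolicy>
  </hk:DomainTransport>
  <!-- Commented-out sections are skipped by the parser, as the product intends. -->
  <hk:DomainTransport>
    <hk:HawkDomainName>lab</hk:HawkDomainName>
  </hk:DomainTransport>
</hk:DomainTransportCfg>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def domains_without_policy(xml_text):
    """List domain names whose SecurityPolicy tag is absent or empty."""
    unsecured = []
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) != "DomainTransport":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in element}
        if not fields.get("SecurityPolicy"):
            unsecured.append(fields.get("HawkDomainName", "<unnamed>"))
    return unsecured
```

Run it against the deployed DomainTransportCfg.xml by passing the file contents to domains_without_policy().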
Persistence Mode
The WebConsole Server may or may not be configured to use a database. Persistence mode enabled refers to when a database is used for configuration and storage. The WebConsole Server uses the persistence mode by default. You can disable the persistence mode in web.xml. Depending on the selected mode, different aspects of the web applications are configured differently. The following sections cover these configuration options.
The persistence mode can be enabled or disabled in web.xml as shown:
<!-- Hawk webconsole persistence mode -->
<!-- Accepted values are either true or false, default value is true-->
<context-param>
<param-name>persistence_mode</param-name>
<param-value>false</param-value>
</context-param>
Persistence Mode Enabled Settings
With persistence mode enabled, you can save/restore configuration objects and user created dashboards across multiple sessions.
TIBCO Hawk bundles an H2 database (http://www.h2database.com) for data persistence. You may choose to connect to an external database that is JDBC compliant.
Configuring an External Database
1.
<Context>
<!-- Configure Hawk Database resource for Persistence mode-->
<Resource name="jdbc/hawkdb"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
type="javax.sql.DataSource"
url="jdbc:h2:tcp://localhost/~/hawk"
driverClassName="org.h2.Driver"
username="sa"
password=""
maxActive="100"
maxIdle="20"
initialSize ="10"
defaultAutoCommit ="false"
removeAbandoned="true"
removeAbandonedTimeout="60"
logAbandoned="true"/>
</Context>
2.
<resource-ref>
<description>Hawk Database Connection</description>
<res-ref-name>jdbc/hawkdb</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
Hawk WebConsole Users
Hawk WebConsole can be configured to authenticate Hawk users against the following types of user repositories. Set the authentication type in the following section of web.xml.
<!-- Hawk Users Authentication provider type, supported types are FILE or LDAP or DATABASE -->
<context-param>
<param-name>auth_type</param-name>
<param-value>FILE</param-value>
</context-param>
 
The default auth_type is FILE; that is, the file-based user repository is used.
Database (RDBMS) based User Repository
In the DATABASE based configuration, the users and passwords are stored in the database.
To use this configuration, change auth_type to DATABASE in web.xml:
<context-param>
<param-name>auth_type</param-name>
<param-value>DATABASE</param-value>
</context-param>
To use DATABASE as the auth_type, make sure that persistence mode is enabled and that the database is configured appropriately.
The user authentication information is stored in a table called hawk_users.
For example, to add a new user (admin/admin), the administrator needs to run the following SQL script:
INSERT INTO hawk_users (user_name, password) VALUES ('admin', 'admin');
OR
INSERT INTO hawk_users (user_name, password) VALUES ('admin', '232f297a57a5a743894a0e4a801fc3');
LDAP Based User Repository
In the LDAP based configuration, the users and passwords are stored in LDAP/AD.
To use this configuration, change auth_type to LDAP in web.xml:
<context-param>
<param-name>auth_type</param-name>
<param-value>LDAP</param-value>
</context-param>
 
Configure LDAP properties in web.xml:
<!-- If authentication type is LDAP, configure LDAP properties -->
<context-param>
<param-name>ldap_host</param-name>
<param-value>10.97.107.21</param-value>
</context-param>
<context-param>
<!--If not configured, default port 389-->
<param-name>ldap_port</param-name>
<param-value>389</param-value>
</context-param>
<context-param>
<param-name>ldap_adminDN</param-name>
<param-value>CN=eric,CN=Users,DC=pmqa,DC=com</param-value>
</context-param>
<context-param>
<param-name>ldap_admin_password</param-name>
<param-value>Search123</param-value>
</context-param>
<context-param>
<param-name>ldap_baseDN</param-name>
<param-value>DC=pmqa,DC=com</param-value>
</context-param>
<context-param>
<!--If not configured, default value is 'uid'-->
<param-name>ldap_uid_attr</param-name>
<param-value>cn</param-value>
</context-param>
<context-param>
<!--If not configured, default value is '*' -->
<param-name>ldap_object_class</param-name>
<param-value>*</param-value>
</context-param>
File Based User Repository
In the File based configuration, the users and passwords are stored in the hawkusers.xml file. To configure file based authentication:
1.
Change the auth_type to FILE in web.xml as follows:
<context-param>
<param-name>auth_type</param-name>
<param-value>FILE</param-value>
</context-param>
2.
Configure the hawkusers.xml file as follows:
<!-- Hawk Users file for FILE based authentication -->
<context-param>
<param-name>hawk_users_file</param-name>
<param-value>/hawk_users.xml</param-value>
</context-param>
Store the Hawk users file in the location HAWK_HOME\webconsole\tomcat\webapps\WEB-INF\conf. It has the following format:
<user username="<username>" password="<MD5 hashed password or Plain text password>" roles="<user role>"/>
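Since the password attribute accepts either an MD5 hash or plain text, the users file is worth auditing for entries stored in plain text, left empty, or set to the user name (as in the admin/admin example earlier on this page). The following audit is an added example, not part of the product; the <users> root element, the role names, and hashing over UTF-8 bytes are assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample. Only the <user .../> attribute layout comes from this page;
# the <users> root element and the role names are assumptions.
SAMPLE = """<users>
  <user username="admin" password="21232f297a57a5a743894a0e4a801fc3" roles="admin"/>
  <user username="ops" password="Summer2024" roles="operator"/>
  <user username="guest" password="" roles="viewer"/>
</users>"""

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")


def audit_users(xml_text):
    """Return one (username, storage, password_is_username) tuple per <user>."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        if not password:
            storage = "empty"
        elif MD5_HEX.fullmatch(password):
            storage = "md5"
        else:
            storage = "plaintext"
        # Assumption: the stored hash is hex MD5 over the UTF-8 bytes.
        name_md5 = hashlib.md5(name.encode("utf-8")).hexdigest()
        trivial = bool(password) and (
            password == name or password.lower() == name_md5
        )
        findings.append((name, storage, trivial))
    return findings


def needs_attention(xml_text):
    """User names whose entry is empty, plain text, or equal to the user name."""
    return [n for n, storage, trivial in audit_users(xml_text)
            if storage != "md5" or trivial]
```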
Logging
WebConsole uses log4j for application logging. By default, the WebConsole logs are generated under CONFIG_FOLDER/logs/hawkwebconsole.log.
You can modify the default log4j config file WEB-INF/conf/log4j_webconsole.properties or use your own properties file.
You can configure the location of logs using the log4j.appender.RFileApp.File property in the log4j config file (WEB-INF/conf/log4j_webconsole.properties).
For example, the default location of logs is as follows:
log4j.appender.RFileApp.File=C:/ProgramData/HK510v11/tibco/cfgmgmt/hawk/logs/hawkwebconsole.log
You can specify your properties file location in the WEB-INF/web.xml file as follows:
<context-param>
      <param-name>log4j_config_file</param-name>
      <param-value>/log4j_webconsole.properties</param-value>
</context-param>
By default, Tomcat server logs are generated at HAWK_HOME/webconsole/logs.
Authorization
Perform the filtering of agents in the Web Server layer. When enabled, authenticated users can be authorized to access specific domains or agents.
By default, users have access to all configured domains and agents.
To configure the filtering of domains and agents in the User Agent Config file, use one of the following ways:
Use a File Path: add the following entry in web.xml under the 'main_servlet' definition.
<init-param>
<param-name>user_agent_config_file</param-name>
<param-value>/hawk_user_agent_cfg.txt</param-value>
</init-param>
<init-param>
<param-name>user_agent_config_file</param-name>
<param-value>http://<hostname:port>/hawkusers/hawk_user_agent_cfg.txt</param-value>
</init-param>
Example of hawk_user_agent_cfg.txt is as follows:

 
# This file is used by agent running with "COM.TIBCO.hawk.security.trusted.Trusted" security model.
#
#
# Explanation of Settings:
#
# This file provides authorization or filter level for node/agent for WebConsole application.
# This doesn't include microagent and methods level authorization, even if the microagent and methods are defined, then those are ignored.
# The node column can have a node/agent name or "agent dns domain" or "agent:dns:domain" format.
# Wild card * is supported in both user and node column.
# Access restrictions can be defined for an user by starting record with !
# In case of any conflict in grant and restriction, the restriction has the precedence.
# Examples
# 1. admin has access to all agents/nodes and domains
# 2. user1 has access to agent1 under domain1 with dns dns1.
# 3. user2 has access to all agents/nodes under domain domain2 and any dns.
# 4. user3 has access to agent3 if agent3 doesn't belong to domain3
#
# File format:
#
# user node
# access
# &
# restrictions
#
admin *
user1 "agent1 dns1 domain1"
user2 "* * domain2"
user3 agent3
!user3 "* * domain3"
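The grant and restriction rules described in the file's comments can be checked offline before a file is deployed. The following evaluator is an added example, not the product's matcher: it assumes case-sensitive matching, that a bare node name applies to any dns and domain, and that a user with no matching grant line is denied.

```python
import re
import shlex

# Constructed input: the rule lines from the example file on this page.
SAMPLE = '''\
admin *
user1 "agent1 dns1 domain1"
user2 "* * domain2"
user3 agent3
!user3 "* * domain3"
'''


def parse_rules(text):
    """Return (grants, denies); each rule is (user_pattern, (agent, dns, domain))."""
    grants, denies = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, node = shlex.split(line)           # keeps the quoted node column whole
        parts = node.replace(":", " ").split()   # "agent dns domain" or "agent:dns:domain"
        if len(parts) not in (1, 3):
            raise ValueError("bad node column: %r" % node)
        pattern = tuple(parts + ["*", "*"])[:3]  # bare node name: any dns, any domain
        (denies if user.startswith("!") else grants).append((user.lstrip("!"), pattern))
    return grants, denies


def _match(pattern, value):
    """Only '*' is a wildcard; every other character is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _hits(rules, user, node):
    return any(_match(u, user) and all(map(_match, pat, node)) for u, pat in rules)


def is_allowed(rules, user, agent, dns, domain):
    """A grant is required, and any matching restriction overrides it."""
    grants, denies = rules
    node = (agent, dns, domain)
    return _hits(grants, user, node) and not _hits(denies, user, node)


RULES = parse_rules(SAMPLE)
```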

 
Enabling SSL Authentication for Hawk WebConsole
The WebConsole is hosted inside the Tomcat web container, so enabling SSL for the Tomcat web container enables SSL for WebConsole. Follow the steps in the Tomcat documentation at the following URL to configure SSL in the Tomcat web container:
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Alternatively, you can also follow these steps to quickly enable SSL over HTTP for the Tomcat Web container:
1.
2.
JAVA_HOME\bin\keytool -genkey -alias tomcat -keyalg RSA
3.
4.
The .keystore file with the Certificate is created in the same JDK installation folder.
5.
HAWK_HOME/webconsole/tomcat/conf/server.xml
6.
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<path of .keystore file>"
keystorePass="hawkwebconsole"
clientAuth="false" sslProtocol="TLS"/>
7.
To verify, type the URL "https://localhost:8443/hawkwebconsole/" in a web browser and press Enter. The web browser should display Hawk WebConsole.
Agent Inventory
The WebConsole Server maintains a record of all newly discovered agents.
If persistence mode is enabled, the agent information is saved in the configured database.
If persistence mode is disabled, the agent information is saved in an xml file, which does not require any configuration. By default, the application stores the agent information under <CATALINA_HOME>/AppData/hawk_agents.xml.
It is possible to bootstrap the application with a predefined set of Hawk Agents by directly adding entries to this file or to the corresponding table in the database.
Global User Preferences
The user preferences at global level can be configured in the WebConsole Server. These preferences are applicable across all users.
The following example shows how the depth of alert/subscription caches in the browser (default=1000) can be set in web.xml:
<!-- Configure the Max limit of the items (Alerts/subscription)to be cached on browser -->
<!-- If not configured, the default limit is 1000 -->
<context-param>
<param-name>browser_item_cache_max</param-name>
<param-value>1000</param-value>
</context-param>
Heat Map Update Frequency
The rendering frequency of heat maps in Hawk WebConsole can be controlled using the following parameters in web.xml:
heatmap_update_type — Specifies whether the heatmap is updated automatically or at a specified time interval. Set the value to one of the following:
auto — Updates the heatmap automatically for optimal performance.
timer — Gives control to specify the rendering rate using the parameter "heatmap_render_rate".
heatmap_render_rate — Specifies how often the heatmap is updated. The default value is 10 seconds. The minimum value is 5 seconds.
Change Notifications
All configuration object changes made via the WebConsole UI are propagated to all connected user sessions. However, changes made through Hawk Display or any other mechanism are not notified.
Versioning
When the persistence mode is enabled, the objects that are local to a user (that is, the objects that are not yet deployed to an agent) are versioned.
A version check is performed when you try to save a local object. The save operation succeeds only if the version is the latest. Otherwise, you get an exception that asks you to refresh your copy. This can happen only if the same user logs in from two sessions.
For agent deployed objects or common objects, versioning is not maintained. This is because Agents do not support versioning and version based deployment of configuration objects.
WebConsole User Session Persistence
By default, session persistence across Tomcat restarts is disabled for the WebConsole application. You can enable or disable it in tomcat/webapps/hawkwebconsole/META-INF/context.xml.
To enable session persistence, comment out the following entry in context.xml:
<Manager pathname="" />
