Configuring the probe and gateway services

The Agile Service Manager probe and gateway containers are installed together with the other core components. Once you have configured these, Agile Service Manager can display resource information generated from Netcool/OMNIbus events.

Before you begin

Probe and gateway configuration overview:
You stop the probe and gateway, and restart Agile Service Manager, after each step:
  1. You apply the $ASM_HOME/integrations/omnibus/*.sql files to the Object Server(s).
  2. You configure your ObjectServer(s) in the $ASM_HOME/intergations/omnibus/omni.dat file (do not add the gateway to this file).
  3. Optionally, you add ObjectServer usernames and passwords.
  4. Optionally, you add an ObjectServer certificate for TLS.
This topic describes these probe and gateway configuration steps in more detail.

The Agile Service Manager integration with an existing Netcool/OMNIbus system requires updates to the schema and automation (triggers) of that system. Agile Service Manager ships with a sample configuration, which a Netcool/OMNIbus administrator can reference to update their system.

The Agile Service Manager integration also requires connectivity information about the Netcool/OMNIbus system, which the Netcool/OMNIbus administrator should provide.

Important: To configure the probe and gateway services, the Agile Service Manager and Netcool/OMNIbus administrators should work together.
Remember: You configure the deployed probe and gateway services after installing the core Agile Service Manager containers (including the probe and gateway containers), but before starting the Agile Service Manager services.
Upgrade note: If you are running an existing Agile Service Manager deployment and have already configured earlier versions of the Event Observer, the XML Gateway and the Netcool/OMNIbus probe for Message Bus, and you intend to use the new services, you should perform the following prerequisite steps:
Prerequisite steps before upgrading the probe:
De-register the probe event sink (while the topology service is running): 
$ASM_HOME/bin/topology_service_probe_deregister.sh --all
Stop and remove the currently configured HTTP probe.
Prerequisite steps before upgrading the gateway:
Stop and remove the currently configured HTTP gateway.
Prerequisite step before upgrading the Event Observer
The Event Observer has been replaced with the new Agile Service Manager status service.
The upgrade process replaces the observer with the status service automatically, and no additional steps are required.

About this task

The probe service receives status from Agile Service Manager, and generates corresponding events in the Netcool/OMNIbus Event Viewer. These events are then fed back to Agile Service Manager via the gateway service, which updates the Agile Service Manager status via the status service with the eventId.

The following diagram depicts how the probe and gateway services work together with the Agile Service Manager status service to keep the event status between Agile Service Manager and Netcool/OMNIbus synchronized.
Specifically, this diagram shows how the data flow from Agile Service Manager status generates Netcool/OMNIbus events. When Netcool/OMNIbus is the source of events, however, the data flow from the Event Observer to the topology service not only updates the status eventId with ServerName/ServerSerial, but generates the status itself.
Restriction: Agile Service Manager is not compatible with the model of multiple ObjectServer pairs in OCP.
The following nco tools are deployed with the gateway container, and are exposed as container scripts in the $ASM_HOME/bin directory. These tools accept the -h or -help options.
nco_aes_crypt.sh
You use this tool to encrypt the ObjectServer username and password.
Important: You have to configure the username and password for the probe and gateway only if the ObjectServer is running in secure mode. See the related link to the Netcool/OMNIbus documentation for more information.
Encryption requires a key file, as named by NOI_KEY_FILE in the $ASM_HOME/integrations/omnibus/secure.env file.
nco_keygen.sh
You use this tool to generate a key file for encrypted usernames and passwords.
The key file is named by NOI_KEY_FILE in the $ASM_HOME/integrations/omnibus/secure.env file and is generated in the $ASM_HOME/security directory.
nco_ping.sh and nco_sql.sh
You use these tools to check access to a given ObjectServer; that is, to check connection status and verify TLS configuration.
The nco_sql.sh tool can also be used to perform SQL queries or apply schemas and trigger changes.
Both tools require the $ASM_HOME/integrations/omnibus/omni.dat file, and, if TLS is configured, the $ASM_HOME/integrations/omnibus/secure.env file.
Examples:
$ nco_ping.sh NCOMS
Thu Sep 17 10:02:57 UTC 2020 No Object Server CA certificate configured for connection to the Object Server
Pinging NCOMS
NCO_PING: Server available.
$ nco_sql.sh -server NCOMS -u asm
Thu Sep 17 10:06:44 UTC 2020 No Object Server CA certificate configured for connection to the Object Server
Accessing NCOMS as user asm
Password:
1> select count(*) from alerts.status;
2> go
 COUNT( * )
 -----------
        3449

(1 row affected)
1> exit
The following configuration files define the connection with Netcool/OMNIbus:
omni.dat
Netcool/OMNIbus connections data file (contains configuration examples)
$ASM_HOME/integrations/omnibus/omni.dat
G_ASM.props
Gateway properties file
$ASM_HOME/integrations/omnibus/kafka/gateway/G_ASM.props
probe.props
Probe properties file
$ASM_HOME/integrations/omnibus/kafka/probe/probe.props
secure.env
Additional secure configuration file (optional)
$ASM_HOME/integrations/omnibus/secure.env
Important: After changing any of the configuration files in the $ASM_HOME/integrations/omnibus directory, you must restart the probe and gateway services before your changes take effect.
Tip: You can use the included test scripts to generate a test event.

Procedure

Configure target ObjectServer schema and triggers

  1. Perform the following updates to the target Netcool/OMNIbus ObjectServers.
    Remember: Work with the Netcool/OMNIbus administrator to apply these changes.
    1. Set the sub-second clearance mechanism.
      Sub-second clearance mechanism
      This mechanism allows the correct clearance of event updates that occur in the same second.
      A new field is added to the alerts.status schema, which works in conjunction with the core Netcool/OMNIbus field @LastOccurrence; @LastOccurrenceUSec.
      This mechanism is set via the Agile Service Manager probe rules file and referred to in an updated generic clear trigger.
    2. Define the Agile Service Manager status events clearance.
      Agile Service Manager specific clearance
      A new Netcool/OMNIbus SQL trigger handles the specific clearance of Agile Service Manager status events.
    Note:
    Examples of these updates are provided with Agile Service Manager and are located in the $ASM_HOME/integrations/omnibus directory.
    asm-alert-fields.sql
    Defines two new fields:
    LastOccurrenceUSec
    Allows sub-second clearing
    AsmStatusId
    Stores the topology service status ID
    Without these fields, the probe and gateway services cannot connect.
    asm-trigger.sql
    Clears up events generated by Agile Service Manager when resources are deleted.
    These events will not be cleared if this trigger has not been applied.
    updated-generic-clear.sql
    Updates generic_clear automation to allow sub-second clearing.
    Warning: The sample updates supplied with Agile Service Manager should not be applied to an existing Netcool/OMNIbus deployment without a review by the Netcool/OMNIbus administrator, as they overwrite core Netcool/OMNIbus functions, which may have been customized in an existing Netcool/OMNIbus system. In this case the Netcool/OMNIbus administrator may need to develop custom updates for this integration.
    Hybrid scenario tip: If Agile Service Manager is deployed on OCP and connecting to an existing Netcool/OMNIbus or NOI system, you can obtain the sample SQL files via the following steps:
    1. Log into the OCP system.
    2. Extract the asm-trigger.sql file:
      oc get configmap asm-noi-gateway-config -o jsonpath="{.data.asm-trigger\.sql}" > asm-trigger.sql
    3. Extract the 'updated-generic-clear.sql file:
      oc get configmap asm-noi-gateway-config -o jsonpath="{.data.updated-generic-clear\.sql }" > updated-generic-clear.sql
    4. Recreate asm-alert-fields.sql:
      echo -e "alter table alerts.status add column AsmStatusId varchar(64);\nalter table alerts.status add column LastOccurrenceUSec int;\ngo\n" > asm-alert-fields.sql
    High availability scenario guidelines: When integrating Agile Service Manager with an existing multi-tiered ObjectServer HA (High Availability) deployment, apply the asm-alert-fields.sql, asm-trigger.sql, and updated-generic-clear.sql scripts to all servers. These scripts are available in $ASM_HOME/integrations/omnibus folder.
    The following example assumes a scenario with two HA aggregation servers and two HA collection servers (the gateway communicating with the aggregation layer and the probe communicating with the collection layer).
    asm-alert-fields.sql
    Apply this script to all ObjectServers.
    This script defines the new LastOccurrenceUSec and AsmStatusId fields, and all gateways synching between ObjectServers must copy these new fields.
    asm-trigger.sql
    Apply this script to both the collection and aggregation layers.
    Both layers require the asm_extra_deduplication trigger deployed by this script to pass data through from observer to probe to collection to aggregation).
    updated-generic-clear.sql
    Apply this script to both the collection and aggregation layers.
    This script updates generic_clear automation and is needed at both collection and aggregation layer to allow sub-second raising and clearing of events from Agile Service Manager observers.

Configure connectivity to the target ObjectServer(s)

Note: Completing this section of the procedure (step 2) is sufficient to create a connection to a single, unsecured ObjectServer. Its location should be provided by the Netcool/OMNIbus administrator.

  1. Define the ObjectServer to which the probe and gateway services connect.
    Important: The default file paths in the probe and gateway properties files should not be altered. These fixed paths identify the files within the containers mounted in the $ASM_HOME/etc configuration files, and do not correspond to the paths on the Agile Service Manager host.
    1. Identify the ObjectServer to which the probe and gateway services connect.
      The ObjectServers must be identified in the $ASM_HOME/integrations/omnibus/omni.dat file. This location is fixed and will be mounted into the nasm-noi-probe and nasm-noi-gateway containers. In the following omni.dat sample a single ObjectServer is identified called 'AGG_P'.
      [AGG_P]
{
   Primary:    1.2.3.4    4100
}
      Further ObjectServers may be configured in this file, for example to support failover or multi-tier systems. See the related link to the Netcool/OMNIbus documentation for more information on editing omni.dat files.
    2. Configure the probe service to connect to the identified ObjectServer.
      The probe service is configured in the $ASM_HOME/integrations/omnibus/kafka/probe/probe.props file. This location is fixed and will be mounted into the nasm-noi-probe container. In the following probe.props sample the ObjectServer is specified by the 'Server' property, and must match the ObjectServer identified in the omni.dat file in the previous step, which in this example is 'AGG_P'.
      Server                          : 'AGG_P'
    3. Configure the gateway service to connect to the identified ObjectServer.
      The gateway service is configured in the $ASM_HOME/integrations/omnibus/kafka/gateway/G_ASM.props file. This location is fixed and will be mounted into the nasm-noi-gateway container. In the following G_ASM.props sample the ObjectServer is specified by the 'Gate.Reader.Server' property, and must match the ObjectServer identified in the omni.dat file.
      Gate.Reader.Server              : 'AGG_P'

Encrypt username and password

Remember: Completing this section of the procedure (steps three to six) is required only if you require ObjectServer authentication, that is, only if the ObjectServer is running in secure mode. For more information see the Running the ObjectServer in secure mode topic in the Netcool/OMNIbus documentation.

  1. Use the nco_keygen.sh tool to generate a key file.
    For example:
    $ASM_HOME/bin/nco_keygen.sh 
Generating key file $ASM_HOME/security/noi_keyfile
  2. Encrypt the username and password using the generated key.
    In this example, the username and password are both asm:
    $ASM_HOME/bin/nco_aes_crypt.sh asm
    Example encrypted output:
    @44:9nx51SfAdcPhyQlmqcqL0OqHanR/wQUnZy943YI+TrQ=@
  3. Add the encrypted username and password to the gateway property file:

    $ASM_HOME/integrations/omnibus/kafka/gateway/G_ASM.props 
    Gate.Reader.Server              : ‘AGG_P'
ConfigCryptoAlg                 : 'AES_FIPS'
ConfigKeyFile                   : '$NCHOME/omnibus/asm/$NOI_KEY_FILE'
Gate.Reader.Username            : '@44:9nx51SfAdcPhyQlmqcqL0OqHanR/wQUnZy943YI+TrQ=@'
Gate.Reader.Password            : '@44:9nx51SfAdcPhyQlmqcqL0OqHanR/wQUnZy943YI+TrQ=@'
  4. Add the encrypted username and password to the probe property file:

    $ASM_HOME/integrations/omnibus/kafka/probe/probe.props
    Server                          : ‘AGG_P'
ConfigCryptoAlg                 : 'AES_FIPS'
ConfigKeyFile                   : '$NCHOME/omnibus/asm/$NOI_KEY_FILE'
AuthUserName                    : '@44:9nx51SfAdcPhyQlmqcqL0OqHanR/wQUnZy943YI+TrQ=@'
AuthPassword                    : '@44:9nx51SfAdcPhyQlmqcqL0OqHanR/wQUnZy943YI+TrQ=@'

Define ObjectServer TLS

Note: Completing this section of the procedure (steps seven and eight) is required only if you require secure TLS communication with the ObjectServer.

  1. Define the Object Server CA certificate by ensuring the following:
    1. The CA certificate file must exist (or copied to) in the $ASM_HOME/security directory.
      Example: 
      cp <previous_location>/aCaCert.crt $ASM_HOME/security/aCaCert.crt
    2. The file is named by NOI_CA_CERTIFICATE in the $ASM_HOME/integrations/omnibus/secure.env file. 
      NOI_CA_CERTIFICATE=aCaCert.crt
  2. Add TLS settings to the configuration files.
    omni.dat
    Required
    [AGG_P]
{
    Primary:    noi-omnibus  ssl  4100
}
    G_ASM.props
    Some configurations may require the gateway Gate.Reader.CommonNames property, 
    Gate.Reader.Server              : ‘AGG_P'
#Gate.Reader.CommonNames        : May be required
    probe.props
    Some configurations may require the probe SSLServerCommonName property.
    Server                          : ‘AGG_P'
#SSLServerCommonName            : May be required
  3. Required: After changing any of the configuration files in the $ASM_HOME/integrations/omnibus directory, you have to restart the probe and gateway services before your changes take effect.

Results

The gateway service is ready to supply Netcool/OMNIbus event data to the Agile Service Manager topology service, and the probe service is ready to receive status from Agile Service Manager, and then pass it on to the Netcool/OMNIbus Event Viewer.
Troubleshooting:

If the probe runs, but the gateway continually restarts, this may be due to the Kafka topic that is required by the gateway not having been created yet.

The topic will be created at startup by the status service (for Agile Service Manager Version 1.1.8 or later), or by the Event Observer (for Agile Service Manager Version 1.1.7 or earlier).

The gateway service will continue to restart until the topic becomes available.

Example

The omni.dat file contains configuration examples:
# Example omni.dat file. Copy your own omni.dat file in here, and configure the 
# probe and gateway to connect to the appropriate object servers in their props files:
#
# - $ASM_HOME/integrations/omnibus/kafka/probe/probe.props 
# - $ASM_HOME/integrations/omnibus/kafka/gateway/G_ASM.props 
#
[AGG_P]
{
    Primary:    noi-omnibus    4100
}

#
# Example failover pair config. The gateway and probe properties would require:
#
# - Probe
# Server: 'AGG_V'
#
# - Gateway
# Gate.Reader.Server: 'AGG_V'
#
[AGG_V]
{
    Primary:    primary-host.example.com    4100
    Backup:     backup-host.example.com     4100
}


#
# Example of connecting the probe and gateway to different layers of a multi-tiered architecture. 
# The gateway and probe properties would require:
#
# - Probe
# Server: 'COL_P'
#
# - Gateway
# Gate.Reader.Server: 'AGG_P'
#
[AGG_P]
{
    Primary:    aggregation-layer-host.example.com    4100
}

[COL_P]
{
    Primary:    collection-layer-host.example.com    4100
}

#
# Example TLS config. The gateway and probe properties could use:
#
# - Probe
# Server: 'TLS_AGG_P'
#
# - Gateway
# Gate.Reader.Server: 'TLS_AGG_P'
#
# or can make use of the gateway Gate.Reader.CommonNames and probe SSLServerCommonName 
# properties
#
# The Object Server CA certificate or key database file + password must be configured 
# in $ASM_HOME/integrations/omnibus/secure.env
#
[TLS_AGG_P]
{
    Primary:    tls-host.example.com  ssl  4100
}
Remember: After changing any Netcool/OMNibus configuration files, such as the omni.dat file as described in this example, you have to restart the probe and gateway services before your changes take effect.

What to do next

Next, you start Agile Service Manager.

Advanced Configuration: A Netcool/OMNIbus administrator can further configure the probe and gateway services by applying custom rules and mapping. Probe and gateway configuration is accessible here:
  • To improve performance and prevent unnecessary events from being displayed in the topology viewer, you can filter out events. You can also pass additional alerts.status fields to Agile Service Manager.
  • Use the following gateway configuration files to apply advanced configuration:
    ${ASM_HOME}/integrations/omnibus/kafka/gateway/row_filter.def
    ${ASM_HOME}/integrations/omnibus/kafka/gateway/field_filter.map
  • Probe rules transform the input into events suitable for the Netcool/OMNIbus alerts.status table. The name of the file must be given as a probe property or command line option (which in this example is 'probe.rules').
  • Use (or copy and edit) the supplied sample probe rules file.
  • Use the following probe configuration file to apply advanced configuration:
    ${ASM_HOME}/integrations/omnibus/kafka/probe/probe.rules

You can review the probe and gateway log files (asm_probe.log and gateway.log). See the related links for more information.

Generating a test event: To validate the probe and gateway configuration, you can use the following test scripts (included in the $ASM_HOME/bin directory). This script creates a resource with status, which then generates an event in the Netcool/OMNIbus ObjectServer via the probe service, which in turn updates the status in Agile Service Manager via the gateway service. 
nco_test_create.sh
nco_test_verify.sh
nco_test_delete.sh
You can print the help text for each of these scripts using the -h command line option.