Managing golden configurations
A 'golden' configuration is a configuration version that you can use in compliance management as a known valid master version to compare device SmartModel configurations against. You use a golden configuration to generate compliance evaluation XPaths (by associating the configuration's device with a compliance definition) for running against a target device's configuration.
Before you start
You must have 'Golden Configuration Management' user authority in order to create a golden configuration.
About golden configurations
- Globally available golden configurations
- A Golden Configuration that is globally available to all devices, and can be used for compliance-checking the configurations of other devices.
- Device-specific golden configurations
- A Golden Configuration that is locally available (to its own devices only), and restricted to compliance-checking against its own devices' current configuration.
Globally available golden configurations (option 1)
Golden configurations that are globally available for compliance checking are typically used where an ideal device configuration has been verified, and can then be used to compliance-check other target device configurations in the network. This ideal device configuration can be modified with regular expressions in order to allow for expected differences between the golden and target configurations. The modified golden configuration can be loaded into Netcool Configuration Manager using the file-based access method in the Resource Access Document.
With this option, you create a golden configuration compliance definition, which points to a device with a golden configuration. Compliance evaluations are then automatically created based on the commands specified in the golden configuration. These evaluations can be run against other devices by including the compliance definition in compliance rules, policies or processes.
In cases where a range of values is acceptable, you can edit the golden configuration to provide a regular expression, and evaluations are treated as failures only if the values found in the compared configurations do not satisfy the regular expression in the golden configuration.
If an imported configuration contains regex, it has an initial status of 'has regex'. If it does not contain regex, it has an initial status of 'false'.
- Example scenario
- You start with a text file of native configuration settings derived from multiple real device configurations with similar VTMOS.
The only supported mechanism for creating/updating configurations containing golden configuration regular expressions is to add the regular expressions to the golden configuration outside Netcool Configuration Manager, before importing the configurations using the 'file based access' method delivered in the Drivers 20 release. See the Drivers 20 documentation for more information.
Currently, the 'file based access' method does not support Alcatel OLT devices.
Only Alcatel and Cisco devices are supported for golden configurations with the regex syntax outlined below. Juniper JUNOS supports the older syntax. See the note below for more information.
With Alcatel routers and switches, the content of fields with regular expressions must be surrounded by double quotes.
- Only a SmartModel configuration can be marked as a golden configuration.
- Only target devices with SmartModel configurations can be validated using a golden configuration.
- (Even though the regular expression mark-up shown in the examples here can be defined in the native configuration, the evaluations generated are SmartModel-based).
Configurations that contain regular expressions are subject to the following restrictions:
- SmartModel-related right-click actions, such as for 'Edit' of configuration, are disabled, both at the configuration and network resource level (if it is the current configuration).
- Showing 'Modelled View' differences is not supported.
- Command Set Application is not supported.
- The 'Re-discover' action is not available.
- The 'Trigger Config Backup' action is not available.
You can annotate textual command argument values in the native configuration with specific regular expression (regex) mark-up in order to affect the compliance evaluation XPaths that are generated.
- regex content
- A valid regular expression syntax
- valid value
- An example valid value for the argument.
- @@@(valid value)@<regex content>@@@
- The compliance evaluation XPath generated matches a single occurrence of the same command in the target configuration, where the target command's argument values satisfy the regular expression supplied in regex content.
- @@@(valid value).@regex content@@@ (non Juniper JUNOS-based network devices)
- The compliance evaluation XPath generated matches multiple occurrences of the same command in the target configuration where the target command's argument values satisfy the regular expression supplied in regex content. When a match is found it also validates that any children in the golden configuration under the command with the regex are the same in the target configuration.
- @@@(valid value)P@<regex content>@@@
- The compliance evaluation XPath generated matches multiple occurrences of the same command in the target configuration where the target command's argument values satisfy the regular expression supplied in regex content, such as @@@(uplink)@P@uplink.*@@@ to match a text value starting with 'uplink'. When a match is found it will also validate that any siblings in the golden configuration structure under the parent of the command with the regex are the same in the target configuration.
For the two multiple occurrence regex items described above, any non regex argument values at the same or higher level in a command (relative to the argument with the regex) will be ignored when generating an evaluation; that is, the regex will be the only filter. For example, in the '@@@(valid value)P@' mark-up configuration example, the '0/0/0' argument on the xe interfaces will be ignored when creating an evaluation filtering on the description field starting with 'uplink'. The example valid value is removed during the XML generation process.
- The 'P@' mark-up will behave the same as the '.@' mark-up does for non-Juniper JUNOS configurations. This is to allow for differences in how Juniper JUNOS arguments are modeled.
- See the note below for more information.
- Multi-line textual fields, such as ‘banner motd’ argument values
- Juniper JUNOS golden configurations
The older format options are:
- @@@regex content@@@
- @@@.@regex content@@@
- @@@P@regex content@@@
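Because regular expressions have to be added outside Netcool Configuration Manager before import, a pre-import check of the annotated text file is useful. The following is an added example, not IBM code: it parses the three '(valid value)' mark-up forms described above and reports annotations whose regex does not compile or whose example value does not satisfy its own regex. It assumes Python's `re` dialect, assumes Alcatel quoting means double quotes directly around the mark-up, and treats the older JUNOS forms as out of scope; `lint_golden` and the sample configuration are constructed for illustration.

```python
import re

# Assumed grammar, taken from the three forms this page lists:
#   @@@(valid value)@regex@@@    single occurrence
#   @@@(valid value).@regex@@@   multiple occurrences, children validated
#   @@@(valid value)P@regex@@@   multiple occurrences, siblings validated
# The '@P@' spelling of the page's 'uplink' example is accepted as well.
MARKUP = re.compile(
    r"@@@\((?P<valid>[^)]*)\)(?:@?(?P<mode>[.P])@|@)(?P<regex>.+?)@@@")
MODES = {None: "single", ".": "multi-children", "P": "multi-siblings"}

def lint_golden(text, alcatel=False):
    """Return (annotations, problems) for a native golden configuration."""
    annotations, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        matches = list(MARKUP.finditer(line))
        if "@@@" in line and not matches:
            problems.append((lineno, "no '(valid value)': older or malformed mark-up"))
        for m in matches:
            valid, pattern = m["valid"], m["regex"]
            annotations.append((lineno, MODES[m["mode"]], valid, pattern))
            try:
                compiled = re.compile(pattern)  # assumption: Python re dialect
            except re.error as exc:
                problems.append((lineno, f"invalid regex: {exc}"))
                continue
            if not compiled.fullmatch(valid):
                problems.append((lineno, "example value fails its own regex"))
            # Assumption: "surrounded by double quotes" means quotes directly
            # around the whole mark-up.
            quoted = (line[:m.start()].endswith('"')
                      and line[m.end():].startswith('"'))
            if alcatel and not quoted:
                problems.append((lineno, "Alcatel: field needs double quotes"))
    return annotations, problems

# Constructed sample, not a real device configuration.
SAMPLE = """hostname @@@(core-rtr-01)@core-rtr-[0-9]+@@@
interface xe 0/0/0
 description @@@(uplink)P@uplink.*@@@
 mtu @@@(9000).@9[0-9{3}@@@
snmp community @@@(public)@private.*@@@
ntp server @@@10.0.0.1@@@
"""

if __name__ == "__main__":
    found, issues = lint_golden(SAMPLE)
    for item in found + issues:
        print(item)
```

A single-occurrence regex that itself begins with `P@` or `.@` would be read as a multiple-occurrence marker by this parser, so such patterns need manual review.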
Device-specific golden configurations (option 2)
Device-specific golden configurations are locally available and restricted to own devices. They would typically be used where a particular configuration version for a device contains the set of commands for the device that are not expected to be altered.
Compliance checks between the device-specific configuration and the current configuration for a device can be configured by marking a configuration version as ‘device-specific’, and including its device in the scope of a compliance process that contains one of two new ‘device-specific’ pre-defined compliance definitions. (See Creating compliance definitions using a 'device-specific' golden configuration).
Device-specific compliance definitions do not specify any evaluations. Evaluations are generated when a compliance process or policy is running (based on the current and device golden configurations of the target device). There are fields within a configuration that would be expected to be different between configuration versions (such as a timestamp or password value). These types of fields are identified in the Driver schema for the device (the field will have a ‘NonComparable’ attribute). A new XML file is now delivered with the Drivers in order to support the ‘NonComparable’ checking. If the file is not present then an updated driver will have to be installed.
To set a configuration
Any configuration containing the '@@@' mark-up initially has a value of 'has regex' in the Golden column after import. This value can be modified by the actions below, and once it has been set to one of the states below it will not subsequently revert at any stage to 'has regex'.
- Select the Resource Browser in the navigation tree.
- Search for the SmartModel device you want to view.
- Click the Configuration tab, then right-click the selected configuration.
- Select the Make Golden option. A window opens displaying the details for the selected configuration, and a radio button to select one of the following compliance execution scopes for the configuration:
- Configuration is available to other devices
- Configuration is restricted to this device (device-specific)
If a configuration is already golden, the Make Golden option is disabled.
You can type a description of the change in the Configuration description field. The maximum number of characters is 1,000. The description is shown in the Description column of the Summary table. The Description column is not displayed by default.
- Click Finish to complete the procedure.
The selected configuration is now marked as golden by displaying one of the following statuses:
- golden without regex
- If the scope is available to other devices and the configuration does not contain regex.
- golden
- If the scope is available to other devices and the configuration contains regex.
- device-specific without regex
- If the scope is restricted to this device and the configuration does not contain regex.
- device-specific
- If the scope is restricted to this device and the configuration contains regex.
Also, the configuration icon will have a gold mark in the top right corner. If another configuration for the device was already marked with one of the above four states, then that configuration is now unmarked, and has one of the following values in the Golden column:
- previous golden without regex
- If the scope is available to other devices and the configuration does not contain regex.
- previous golden
- If the scope is available to other devices and the configuration contains regex.
- previous device-specific without regex
- If the scope is restricted to this device and the configuration does not contain regex.
- previous device-specific
- If the scope is restricted to this device and the configuration contains regex.
To remove a golden configuration
You can remove the 'golden' status from a configuration, unless the associated device is included in a compliance golden definition.
- Select the Resource Browser in the navigation tree.
- Search for the device you want to view.
- Click the Configuration tab, then right-click the selected configuration. It will have the status of 'golden' or 'golden without regex' in the Golden column, and the configuration icon will have a gold mark in the top right corner.
- Select the Undo Golden option. A window displays the details for the selected configuration.
- Click Finish to complete the procedure.
Possible values for the Golden state
The following table shows all allowed values for the Golden state. A configuration cannot move from one column to another. States can only change within the same column.
Action | Configuration contains regex | Configuration does not contain regex |
---|---|---|
Initial import | has regex | false |
Mark golden | golden | golden without regex |
Unmark golden | previous golden | previous golden without regex |
Mark device specific | device specific | device specific without regex |
Unmark device specific | previous device specific | previous device specific without regex |