
In document MINISTERIO DE EDUCACIÓN (pages 55-82)

1 How can I restrict a user to see only one console (Operations/Service Mgmt/Enterprise)?

The options ‘Enable Operations Console Access Controls’ and ‘Allow EC Display’ under the General tab, and ‘Enable SLO Access Controls’ under the SLO tab, can be used to grant or restrict access to only one console.

2 How can I disable the HTTP interface and run BMC ProactiveNet over HTTPS interface?

To disable the HTTP interface, edit the Apache configuration file httpd.conf and remove the entries for port 80.

3 How can I set up BMC ProactiveNet to use PAM (Pluggable Authentication Modules) to access computer level credentials?

This feature is not available in the current BMC ProactiveNet release.

4 How can I configure the HTML headers to display "Internal FR" label on top of each page?

This is only partially supported. You can only change the logo and/or navigation bar on the HTML page. For details, refer to the "Customize logo on the Operations Console" topic.

5 How can I disable the default Pronto account?

To disable the default pronto account, simply delete the account after creating a new account with Administrative privileges.

6 Where does BMC ProactiveNet store user names and passwords?

User names and passwords are stored in the database on BMC ProactiveNet Server. All passwords are kept in encrypted format.

7 Are user names and passwords accessible via regular database access?

Database access to user name and password information is available only to database users with administrative privileges.

8 How to change the BMC ProactiveNet password policy?

The following entries in the pronet.conf file can be used to set password strength:

pronet.login.minLength=6
pronet.login.maxLength=15
pronet.login.numericChars=1

9 Where is the HTTPS/SSL private key stored on BMC ProactiveNet Server?

This information is stored in a file under /usr/pw/apache/conf/, which can be read only by the 'root' user (the BMC ProactiveNet install user). Refer to the Troubleshooting section for details on working with these keys.

10 How can I print user activity lists?

To view user activity on BMC ProactiveNet, print Access.log (located in the usr/pw/pronto/logs directory). These files record information related to user logons, logouts, and logon failures.

11 Does BMC ProactiveNet automatically lock user accounts after a certain number of failed logon attempts?

BMC ProactiveNet does not lock the user account. However, all logon failures are recorded in ProactiveNet.log. To lock such accounts, you can write a script to delete the account based on the log file entries.
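
One way to write the script suggested in the answer above, as an added example that is not BMC-supplied code. The log line layout ("Logon failed for user <name> from <address>") is an assumption constructed for illustration, since this page does not show the real ProactiveNet.log format; the script reports the accounts rather than deleting them.

```shell
#!/bin/sh
# Added example: report users with repeated logon failures.
# ASSUMPTION: the "Logon failed for user <name> from <address>" layout is
# constructed; adapt the pattern to the real ProactiveNet.log entries.

# failed_logons LOGFILE THRESHOLD
# Prints "user failures source1,source2" for each user at or above THRESHOLD.
failed_logons() {
    awk -v limit="$2" '
        /Logon failed for user/ {
            user = ""; src = ""
            for (i = 1; i < NF; i++) {
                if ($i == "user") user = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            if (user == "") next
            count[user]++
            # Remember each distinct source address once per user.
            if (src != "" && !((user, src) in seen)) {
                seen[user, src] = 1
                srcs[user] = (srcs[user] == "" ? src : srcs[user] "," src)
            }
        }
        END {
            for (u in count)
                if (count[u] >= limit) print u, count[u], srcs[u]
        }
    ' "$1" | sort
}

# Constructed sample input (not real product output).
sample_log() {
    cat <<'EOF'
2009-03-02 10:01:11 INFO Logon succeeded for user admin from 10.0.0.5
2009-03-02 10:02:40 WARN Logon failed for user jdoe from 10.0.0.9
2009-03-02 10:02:44 WARN Logon failed for user jdoe from 10.0.0.9
2009-03-02 10:03:02 WARN Logon failed for user jdoe from 10.0.0.12
2009-03-02 10:05:30 WARN Logon failed for user admin from 10.0.0.5
2009-03-02 10:06:00 INFO Logon succeeded for user jdoe from 10.0.0.9
EOF
}

# Demo: users with three or more failures in the sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
failed_logons "$demo_log" 3
rm -f "$demo_log"
```

Run it from cron against the live log and review the listed accounts before disabling or deleting any of them.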

12 How to restrict the agent so that it will only receive connections from a specific IP address?

Use the following property in pronet.conf:

pronet.apps.agent.authorizedcontrolleraddress=<ipaddress>

13 How to configure agent controller to present a specific IP Address to an agent if server has more than one NIC?

pronet.apps.agentcontroller.useIPForAgentConnection=<ipaddress>

If the server computer has more than one IP address (more than one NIC), set this property to the IP address that the agent controller will present when connecting to the agent.

14 Does BMC ProactiveNet automatically log out users after a certain period of inactivity?

By default, inactive users are logged out of the Operations Console after 24 hours. However, BMC ProactiveNet can be customized globally for all users. Use the property pronet.html.globalsession.timeout in the pronet.conf file located in the usr/pw/pronto/conf directory to configure this value.

If you change this property, ensure that you set the same logout period in the Tomcat configuration file /usr/pw/tomcat/conf/web.xml (line 321).

<session-config>
<session-timeout>1440</session-timeout>
</session-config>

Restart the httpd process by running the command 'pw p r httpd'.

Note

On restarting the httpd process, all users will be logged out.

15 What encryption method is used for storing password information used by BMC ProactiveNet monitors?

Passwords used by BMC ProactiveNet monitors are protected by Passphrase Based Encryption (PBE) as defined in PKCS#5 version 2.0. This encryption is applied to passwords stored in the BMC ProactiveNet Server database that may be used by a monitor to execute a transaction that requires user authentication.

16 How can I configure BMC ProactiveNet Server to run as non-root?

Run the script 'configNonRoot' to configure an installed BMC ProactiveNet Server to run as a non-root user.

The script prompts for the new HTTP and HTTPS ports to be used by Apache server and performs necessary changes. However, it is important that the initial installation be performed by 'root' user. After conversion to non-root, upgrades can be performed by a non-root user. The Apache and Tomcat components of the server run as user 'nobody'. After running this utility, however, they will run as the designated user.

Note

The server after being changed to run as non-root will have the following limitations:

■ Web interface can no longer be accessed on ports 80 or 443; instead, you must choose alternate ports above 1024 -- you will be prompted for these ports when you run the conversion program "configNonRoot". You can also choose the alternate ports by editing the file /usr/pw/apache/conf/httpd.conf

■ You cannot revert the ownership once you change it to non-root.

■ The local agent also experiences its own limitations in monitoring. More details on this are provided later in this section.

Example

To make BMC ProactiveNet Server run as user "john":

# csh
# source /usr/pronto/bin/.tmcsh
# configNonRoot john

Follow the instructions to make BMC ProactiveNet Server run as user "john". The same configNonRoot command can also be run to switch BMC ProactiveNet Server from one non-root user to another non-root user.

BMC ProactiveNet Server running as a non-root user can be upgraded either by the same non-root user or by root. If upgraded by the same non-root user, the same HTTP(S) ports will be used by the Apache Web Server during upgrade.

When BMC ProactiveNet Agent - Linux is run as non-root, the following limitations are applicable:

—Process monitor will not collect data for certain attributes (such as # file descriptors), if process being monitored does not belong to the same user as the agent.

—Ping or Traceroute monitors cannot be run, since these require creation of raw socket (requires root privileges). However, these utilities can be executed from the command line by non-root users only because the sticky bit is set, allowing them to run as root no matter who executes them.

—Log File monitor will not work if the user running the agent does not have read privileges on the log files. The workaround is to assign Read privileges on the particular log file to "all" or to a particular group.

—Disk Performance Monitor will not work since root privileges are required to read the device files.

17 For enhanced security, the Apache server can be configured to accept only SSL v3 requests. To accomplish this, add the following entry to the Apache configuration file httpd-ssl.conf, just above the directive SSLEngine on:

SSLProtocol +SSLv3

SSL communication between BMC ProactiveNet Server and BMC ProactiveNet Agents

1 Does BMC ProactiveNet include its keystore files as part of the agent and server SSL communication?

Yes, BMC ProactiveNet provides its own keystore files (pnserver.ks and pnagent.ks) as part of the Agent and Server SSL communication. The keystore files are stored under:

BMC ProactiveNet Server: /usr/pw/pronto/conf

BMC ProactiveNet Agent: <Agent Install Directory>/pw/pronto/conf

These files are only available to the root user for Read and Write.
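
A check for the file permissions described above, as an added example that is not BMC-supplied code. It assumes the .ks_pass file should be as restricted as the keystores, and the expected owner is passed in by the caller.

```shell
#!/bin/sh
# Added example: confirm keystore files are private to their owner.
# ASSUMPTION: .ks_pass is checked too because it holds the keystore password.

# check_private FILE [OWNER]
# Returns 0 if FILE gives group and other no access (and is owned by OWNER,
# when given); otherwise prints one finding per problem and returns 1.
check_private() {
    file=$1; want_owner=${2:-}; rc=0
    [ -e "$file" ] || { echo "MISSING $file"; return 1; }
    # ls -ld prints the mode string first and the owner third.
    set -- $(ls -ld "$file")
    mode=$1; owner=$3
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s\n' "$mode" | cut -c5-10)" != "------" ]; then
        echo "LOOSE $file mode=$mode"; rc=1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "OWNER $file owner=$owner expected=$want_owner"; rc=1
    fi
    return $rc
}

# audit_keystores CONF_DIR [OWNER]
# Checks every *.ks file and .ks_pass in CONF_DIR; returns 1 on any finding.
audit_keystores() {
    conf_dir=$1; expect=${2:-}; bad=0
    for f in "$conf_dir"/*.ks "$conf_dir"/.ks_pass; do
        [ -e "$f" ] || continue
        check_private "$f" "$expect" || bad=1
    done
    return $bad
}

# Usage on a server, with the location given above:
#   audit_keystores /usr/pw/pronto/conf root
```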

2 Can you replace this keystore certificate with another one?

Yes, you can replace this keystore certificate with your own self-signed certificate.

3 How can I replace the keystore certificate with my own self-signed one?

To replace the BMC ProactiveNet certificate:

a Create a new keystore and self-signed certificate with corresponding public/private keys.

keytool -genkey -alias agent_<name> -keyalg RSA -validity 365 -keystore agent_<name>.ks

This is the keystore that BMC ProactiveNet Agent uses.

1 Examine the keystore. Notice the entry type is keyEntry, which means that this entry has a private key associated with it.

keytool -list -v -keystore agent_<name>.ks

2 Export and examine the self-signed certificate.

keytool -export -alias agent_<name> -keystore agent_<name>.ks -rfc -file agent_<name>.cer

3 Import the certificate into a new truststore.

keytool -import -alias agent_<name>cert -file agent_<name>.cer -keystore pnserver.ks

4 Examine the truststore. Note that the entry trustedCertEntry has been created.

keytool -list -v -keystore pnserver.ks

keytool -export -alias pnca -keystore pnserver.ks -rfc -file pnserver.cer
keytool -import -alias pnca -file pnserver.cer -keystore agent_<name>.ks

5 Copy agent_<name>.ks to the respective pronto/conf directory of the remote agent computer.

6 Change the following entry in the pronet.conf of the remote agent computer.

pronet.apps.ipc.ssl.context.agent.keystore.filename=pronto/conf/agent_<name>.ks

7 Change the following entry in the .ks_pass file present in pronet/conf/ directory of the remote computer.

pronet.apps.ipc.ssl.context.agent.keystore.passwd=<password provided during creation of agent_<name>.ks>

8 Restart BMC ProactiveNet Agent using ./startremotepw multiple from the agent's pronto/bin directory.

SSL communication between the agent and agent controller must be successful.
