3.1 The Orchestrate Server Object

The highest object in the Explorer Tree is the Orchestrate Server Object, sometimes called the “grid server” object because it represents the PlateSpin Orchestrate Server acting as the holding place for all of the information used to manage objects for a single computing grid.

The PlateSpin Orchestrate Development Client is “version aware.” When the Orchestrate Development Client is launched or when server discovery is manually run, the client recognizes both current PlateSpin Orchestrate installations and old installations of discovered servers and displays their icons accordingly. This visual cue helps you to recognize when older Orchestrate Servers need to be upgraded.

Figure 3-1 Current and “Old” Server Objects

The tooltip for an Orchestrate Server lists its RMI configuration, its IP address, the directory location where the server instance was installed, and its exact version number.

The icons to the right of a current Orchestrate Server represent its policies, either those added by default upon server install and configuration, or those added later. A drop-down menu of all associated policies is opened when you right-click a policy icon. From there, you can select a policy to open in the Policy Editor. For more information about policies, see Section 12.1, The Policy Object.

When selected, the Server Object exposes four tabs where you can further configure its attributes. Further information about these tabs is available in the following sections:

3.1.1 The Orchestrate Server Info/Configuration Page

The page that opens under the Info/Configuration tab includes several collapsible sections where you can configure the general information and attributes of the server.

The Server/Cluster Panel

If you are using this server in a High Availability environment, the information in this section is populated as a result of the configuration you managed during the High Availability installation. The following items are included in the section:

Server Version: A non-editable field that lists the version of this server in the form <major>.<minor>.<point>.<build_number>. This is the data for the fact “matrix.version”.

Is Master Server: A check box that is selected only when this server is the Master Server in a High Availability cluster configuration.

Master Server Address: Set this value when the Orchestrate Server participates in a High Availability cluster.

External Cluster Address: Set this value when the Orchestrate Server participates in a High Availability cluster.

Cluster Addresses: Shows the hostnames or IP addresses associated with an Orchestrate Server when it is in a High Availability configuration.

The button opens the Attribute Element Values dialog box, where you can add, remove, or reorder addresses (element values) in an array of address choices.

For more information about using PlateSpin Orchestrate in a High Availability environment, see the PlateSpin Orchestrate 2.5 High Availability Configuration Guide.

The Data Grid Configuration Panel

This section of the Info/Configuration tab allows for advanced configuration of datagrid related tuning parameters. The properties on the page and their descriptions are listed below.

Data Grid Root: The location of the PlateSpin Orchestrate datagrid in the file system. For example, you might change this location to use a different file system mount point (recommended when there is considerable datagrid I/O).

Cleanup Interval: The interval at which the Orchestrate Server scans User job history files on the datagrid. Job history files older than the owning user’s job history retention time limit (user.datagrid.maxhistory) are deleted.

Cleanup Interval Enabled: Select this check box to set a flag to enable periodic job history cleanup checking. Deselect to disable the checking.

Default Multicast Rate: Sets the default data rate in bytes per second for multicast operations in which the client has not explicitly set a rate for a particular file transfer.

Max Multicast Rate: The maximum data rate (in bytes per second) that a client can specify for a multicast file transfer.

Selected Interfaces: The interfaces on which multicast file transfers are to be sent. This allows an administrator to limit multicast traffic to specific interfaces (that is, the interfaces where the agents are connected). You can add or delete interfaces by clicking the button.

Available Interfaces: Lists the network interfaces that are available on the local machine for multicasting.

NOTE: This property is read-only and is provided for your information.

The Multicast Metrics Subpanel: This panel lets you monitor multicast data transfer, including:

  • Total Packets Sent: The total number of multicast data packets sent by the file multicaster since the last reset of the counters.

  • Total Packets Resent: The total number of multicast packets resent because of errors since the last counter reset.

  • Total Resend Rate: The total packet resend rate as a percentage since the last counter reset.

  • Current Packets Sent: The total number of multicast packets sent during the current or most recent multicast file transfer.

  • Current Packets Resent: The total number of multicast packets resent because of errors, corruption, or loss during the current or most recent multicast file transfer.

  • Current Resend Rate: The packet resend rate as a percentage of packets sent since the start of the current or most recent multicast file transfer.

  • Current File Size: The file size in bytes for the current or most recent multicast file transfer.

  • Current Bytes Sent: The number of bytes sent so far in the current or most recent multicast file transfer.

  • Current Percent Complete: The completion percentage of the current or most recent multicast file transfer.

  • Skipped (Sparse) Bytes: The number of bytes skipped because of long runs of zeros. These “holes” are skipped in order to reduce file transfer time for large sparse files like VM images.

  • Current Receiver Count: The number of recipient agents for the current or most recent multicast file transfer.

  • Current File Name: The name of the file transferred in the current or most recent multicast file transfer.

The data list includes a check box that is selected if the current multicast transfer is finished. It also includes a Reset Stats button that you can select to clear all of the metrics in order to begin monitoring multicast statistics from a new point in time.

The Security/TLS Configuration Panel

This section lets you configure TLS or SSL data encryption for both user and agent connections. There are four different levels of encryption that can be set for both users and nodes. These are described below. The properties in this section also let you configure the TCP/IP socket listener address and port for TLS connections.

TLS On Agent: Allows the encryption level to be set to one of four values, as described (in order of security level) below:

  • Forbid TLS for agents: Only unencrypted connections are allowed for nodes (that is, agents) authenticating to this server. If the agent attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden because of legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on the agents; default to falling back to unencrypted: Specifies that the server defaults to unencrypted communication, but the agent can optionally enable encryption.

    This is the default setting for the Orchestrate Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on the agents; default to TLS encrypted if not configured encrypted: The server defaults to using encryption, but the agent can optionally disable encryption.

  • Make TLS mandatory on the agents: The Orchestrate Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the node (that is, an agent) and the server is protected from tampering or interception.

TLS On Client: This setting allows the encryption level to be set to one of four values, as described (in order of security level) below.

  • Forbid TLS for clients: Only unencrypted connections are allowed for users of this server. If the user or client attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden because of legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on clients; default to falling back to unencrypted: This level specifies that the server defaults to unencrypted communication, but that the user can optionally enable encryption.

    This is the default setting for the Orchestrate Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on clients; default to TLS encrypted if not configured encrypted: The server defaults to using encryption, but the user can optionally disable encryption.

  • Make TLS mandatory on the clients: The Orchestrate Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the user’s client programs and the server is protected from tampering or interception.

TLS Address: The port number and optional bind address for incoming encrypted connections from users and nodes. The format is hostname:port. For example, 10.10.10.10:8101 causes the server to accept only TLS connections on the address 10.10.10.10 on port 8101. If “*” is used as the hostname, then the Orchestrate Server listens on all available network interfaces. The default is *:8101, which causes the Orchestrate Server to listen for encrypted sessions on all available interfaces on the system.
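The four encryption levels and the TLS Address format above, as an added model (not Orchestrate code) that predicts which agents or clients would end up on plaintext or be locked out before the level is raised. Assumptions not stated on the page: a peer whose TLS setting is unset (None) takes the server default; under “Forbid” a peer that insists on TLS is rejected; under “Make TLS mandatory” a peer with TLS explicitly disabled is rejected.

```python
# Added illustration of the TLS On Agent / TLS On Client levels and the
# TLS Address field. Not product code; the None/unset handling is an assumption.

FORBID, ALLOW_DEFAULT_PLAIN, ALLOW_DEFAULT_TLS, MANDATORY = range(4)
LEVEL_NAMES = {
    FORBID: "Forbid TLS",
    ALLOW_DEFAULT_PLAIN: "Allow TLS; default to falling back to unencrypted",
    ALLOW_DEFAULT_TLS: "Allow TLS; default to TLS encrypted if not configured",
    MANDATORY: "Make TLS mandatory",
}


def parse_tls_address(value):
    """Parse 'hostname:port' as entered in the TLS Address field.

    '*' as the hostname means the server listens on every interface
    (the documented default is *:8101)."""
    host, sep, port = value.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected hostname:port, got {value!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"host": host, "port": port, "all_interfaces": host == "*"}


def negotiate(server_level, peer_tls):
    """Outcome of one connection attempt: 'tls', 'plain' or 'rejected'.

    peer_tls is True when the agent/client enables TLS, False when it
    explicitly disables it, None when it is not configured (assumption:
    an unconfigured peer follows the server default)."""
    if server_level == FORBID:
        return "rejected" if peer_tls is True else "plain"
    if server_level == MANDATORY:
        return "rejected" if peer_tls is False else "tls"
    if peer_tls is None:  # the two "Allow" levels differ only in their default
        return "tls" if server_level == ALLOW_DEFAULT_TLS else "plain"
    return "tls" if peer_tls else "plain"


def plan_level_change(peers, new_level):
    """Group peer names by outcome under new_level.

    peers maps a peer name to its peer_tls setting. The 'plain' and 'rejected'
    lists are what must be fixed before the level is actually raised."""
    outcome = {"tls": [], "plain": [], "rejected": []}
    for name in sorted(peers):
        outcome[negotiate(new_level, peers[name])].append(name)
    return outcome


if __name__ == "__main__":
    # Constructed inventory of agents; the names are placeholders.
    agents = {"agent-a": None, "agent-b": False, "agent-c": True}
    for level in (ALLOW_DEFAULT_PLAIN, MANDATORY):
        print(LEVEL_NAMES[level], plan_level_change(agents, level))
    print(parse_tls_address("*:8101"))
```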

The Agent/User Session Configuration Panel

When nodes (agents) and users log on to the Orchestrate Server, they establish a session context that is used to manage the state of the messaging connection between client and server. This session can be revoked by the administrator, and it can also expire if the connection exceeds its maximum lifetime or idle timeout.

Agent Session Lifetime: The maximum number of seconds that an agent’s session can last before the agent is disconnected and must re-authenticate with the server. A value of -1 means “forever.”

Agent Session Timeout: The idle timeout for agents. If an agent connection remains idle with no message traffic in either direction for this time period (in seconds), the session times out, and the agent is disconnected and must reauthenticate when it is ready to communicate with the server again.

Socket Keeps Agent Sessions Alive: Select this check box to set a flag that causes the server and agent to maintain a keep-alive ping in order to detect hung or stalled network connections. This allows the agent to recover from hung connections and to transparently reconnect with the server.

User Session Lifetime: The maximum number of seconds that a user’s session can last before the user is required to re-authenticate with the server. A value of -1 means “forever.”

User Session Timeout: The idle timeout (in seconds) for user sessions. If a user’s session encounters no message traffic or requests in either direction for this time period, any connection with user software is closed and the session expires. At this point, the user must re-authenticate.

Socket Keeps User Sessions Alive: Select this check box to set a flag that causes the server and user client to maintain a keep-alive ping in order to detect hung or stalled network connections. This allows the user client to recover from hung connections and to transparently reconnect with the server. This setting applies only in situations where you are using custom user client software or certain subcommands of the zos command line utility to maintain a persistent connection.

The Audit Database Configuration Panel

This section of the Info/Configuration page lets you configure the connection to a relational database that uses a deployed JDBC driver and connection properties. The PostgreSQL driver is deployed by default.

JDBC Driver Name: Specifies the Java class for the driver.

JDBC Library: Specifies the deployed library that contains the driver.

JDBC Connection URL: Specifies the driver-dependent connection string.

Database Username: Specifies the username for database authentication.

Database Password: Specifies the password to be used for database authentication.

Is Connected: Indicates that the driver is successfully connected.

Connect (button): Click to connect through the current connection settings.

Disconnect (button): Click to disconnect the current connection.

Clear Queue (button): Clear queued records that have not yet been written to the database.

The Sentinel Server Configuration Panel

This section of the Info/Configuration page lets you configure the values needed to connect to a deployed Novell Sentinel Event Source Server, where logging events from PlateSpin Orchestrate are collected, parsed, and mapped for prioritization and subsequent administrator analysis.

For information about setting up a Sentinel Collector Server in your PlateSpin Orchestrate environment, see Integrating PlateSpin Orchestrate with a Sentinel Collector in the PlateSpin Orchestrate 2.5 Installation and Configuration Guide.

The following fields are available in the Sentinel Server Configuration panel:

Server Hostname: Specify the hostname of the Sentinel Event Source Server where log messages are to be sent.

Server Port Number: Specify the port number on the Sentinel Event Source Server where the PlateSpin Orchestrate Server should make its SSL connection.

Is Connected: Selected when the connection between the PlateSpin Orchestrate Server and the Sentinel Event Source Server is established.

Log Channels: Lists the log channels from which log messages are to be sent to the Sentinel server.

Connect (button): Click to connect to the Sentinel Event Source Server. When the SSL connection is made, PlateSpin Orchestrate begins to send its log messages to Sentinel.

Disconnect (button): Click to disconnect the PlateSpin Orchestrate Server from the Sentinel server. When the connection ends, log messages are no longer sent to the Sentinel server.

Configure (button): Click to open the Sentinel Log Parameters dialog box. In this dialog box, you can map a log level to one or more log channels. These log channels send log messages to the Sentinel server.

For more information about PlateSpin Orchestrate log levels, see PlateSpin Orchestrate Log Levels Mapped to Sentinel Log Levels in the PlateSpin Orchestrate 2.5 Installation and Configuration Guide.

NOTE: To select multiple log channels, press Ctrl while selecting the log channel options you want. You can select only one log level at a time for mapping log channels.

The following table shows some of the log channels you can choose from and the PlateSpin Orchestrate actions that trigger sending a log message through this channel.

Table 3-1 Log Channels and the Occasions for Sending Messages Through Each

Log Channel Name in the Development Client (Sentinel Server Configuration Panel)

When Are Messages Sent to This Channel?

ActionStatusManager

  • When the status of a Grid action is updated

Audit

  • When the Grid interacts with the audit database

AuthLDAP, AuthZOS, AuthenticationManager

  • Grid-wide authentication events

Broker

  • Job execution

    • start

    • cancel

Event Manager, JobManager, NodeManager, UserManager, repositoryManager, vbridgeManager, vdiskManager, vnicManager

  • When a Grid object of the corresponding type is created, deleted, or its health changes to a bad state

GroupManager

  • When a member is added to or removed from a Group

JobScheduler

  • Job schedule or job trigger deployment/undeployment

MBeanServer

  • When internal Grid Resources are updated

PolicyManager

  • Policy creation/deletion

  • Policy association/disassociation with any Grid object

Sentinel

  • When the Grid interacts with a Novell Sentinel server

SessionManager

  • User or Resource login/logout

VmManager

  • Actions are performed on VMs (provision, migrate, shutdown, clone, etc.). These can be initiated automatically or manually by a user.

  • Authorization fails during a VM operation

  • When a provisioning job fails

computedFact

  • When computed facts are created, updated, or deleted

deployer/computedFact, deployer/event, deployer/facility, deployer/jdlLibrary, deployer/job, deployer/library, deployer/metric, deployer/policy, deployer/properties, deployer/schedule, deployer/service, deployer/trigger, deployer/xml

  • When a corresponding resource is deployed to or undeployed from the Grid

The Job Limits Panel

The facts in this section of the page are used in the default constraints to help protect the Orchestrate Server from denial-of-service attacks or badly written jobs that might otherwise get stuck in the server queue, consume resources, and cause adverse server performance.

The following fields are available in the job.limits panel:

max.active.jobs: Sets a global default limit on the number of active jobs.

The Orchestrate Server uses this value in the start constraint and does not allow more than this number of jobs (including child jobs) to be actively running at the same time. Jobs that exceed this number might be queued. See max.queued.jobs, below.

max.queued.jobs: Sets a global default limit on the number of queued jobs.

This value is similar to max.active.jobs but it is used in the accept constraint and limits the number of jobs sitting in a queue waiting to be started. Therefore, the maximum number of jobs that can be present on an Orchestrate Server is max.active.jobs + max.queued.jobs. New jobs are not accepted by the server if they would exceed this total.

job.finishing.timeout: Sets a global default limit on the timeout for job completion.

This value represents the number of seconds that the Orchestrate Server allows a job to execute its job_cancelled_event() (if defined) before forcibly canceling the job. This prevents jobs from potentially hanging during cancellation.
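The three job.limits facts as an added model (not the server's own scheduler) of how the accept constraint, the start constraint and the finishing timeout interact: jobs run while max.active.jobs allows, queue while max.queued.jobs allows, and are rejected beyond the sum. Child jobs are submitted through the same path so they count toward max.active.jobs; the exact bookkeeping is an assumption for illustration.

```python
# Added illustration of the job.limits facts. The two-step admission and the
# counters are an assumption about how the server applies these facts.

from dataclasses import dataclass, field


@dataclass
class JobLimits:
    max_active_jobs: int        # start constraint: running jobs, child jobs included
    max_queued_jobs: int        # accept constraint: jobs waiting to start
    job_finishing_timeout: int  # seconds allowed for job_cancelled_event()


@dataclass
class Scheduler:
    limits: JobLimits
    active: list = field(default_factory=list)
    queued: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def submit(self, job_id):
        """Apply the start constraint, then the accept constraint.

        Returns 'running', 'queued' or 'rejected'. A job is rejected only when
        max.active.jobs + max.queued.jobs jobs are already present, which is
        what keeps a flood of submissions from consuming the server."""
        if len(self.active) < self.limits.max_active_jobs:
            self.active.append(job_id)
            return "running"
        if len(self.queued) < self.limits.max_queued_jobs:
            self.queued.append(job_id)
            return "queued"
        self.rejected.append(job_id)
        return "rejected"

    def spawn_child(self, parent_id, child_id):
        """Child jobs go through the same start constraint as their parent."""
        if parent_id not in self.active:
            raise ValueError(f"{parent_id!r} is not running")
        return self.submit(child_id)

    def finish(self, job_id):
        """A running job ends and the oldest queued job takes its slot."""
        self.active.remove(job_id)
        if self.queued:
            self.active.append(self.queued.pop(0))

    def cancel_deadline(self, cancel_requested_at):
        """Instant at which a job still inside job_cancelled_event() is forcibly
        cancelled: the cancel time plus job.finishing.timeout seconds."""
        return cancel_requested_at + self.limits.job_finishing_timeout


if __name__ == "__main__":
    # Constructed limits and job names for demonstration only.
    s = Scheduler(JobLimits(max_active_jobs=2, max_queued_jobs=3, job_finishing_timeout=30))
    for i in range(7):
        print(f"job{i}", s.submit(f"job{i}"))
    s.finish("job0")
    print("active", s.active, "queued", s.queued, "rejected", s.rejected)
```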

3.1.2 The Orchestrate Server Authentication Page

The Authentication tab opens a page with several collapsible sections where you can configure various methods for authenticating both users and resources to the PlateSpin Orchestrate Server.

The Resources Panel

The resources in a PlateSpin Orchestrate grid are actually PlateSpin Orchestrate Agents that authenticate or “register” with the PlateSpin Orchestrate Server.

Auto Register Agents: Select this check box if you want the PlateSpin Orchestrate Server to automatically register agents when they first connect to the Orchestrate Server.

The Users Panel

Only authenticated users can log into the PlateSpin Orchestrate Server. As an administrator, you can configure this authentication to use an internal user database or to externally authenticate users through an LDAP server.

Auto Register Users: Select this check box if you want the PlateSpin Orchestrate Server to automatically register users when they first connect to the Orchestrate Server.

The Enable LDAP Subpanel

Depending on the selections you make in this subpanel, the following settings are displayed:

The Enable LDAP Check Box: Select this check box if you want the Orchestrate Server to authenticate users externally by using an LDAP server. Additional LDAP-related configuration fields are displayed when you select the check box:

Administrators

The Administrators list specifies the group names whose membership includes PlateSpin Orchestrate administrators as returned by the specified authentication provider. You can add groups to this list by clicking the button to open an array editor dialog box, which allows groups to be added, removed, and reordered. A group must be in the format <provider>:<group|groupnocase>:<groupname>, where <provider> is either ZOS or LDAP. For example, adding LDAP:groupnocase:XyZ allows users reported by the LDAP server as members of a group xyz, XYZ, xYz, etc. to authenticate as an administrator. To enforce case-sensitive matching, use LDAP:group:XyZ instead. Case-insensitive matching is needed for Active Directory servers.

Active Directory Service Settings

If you select Active Directory Service in the Server Type drop-down list, the following settings are available:

Directory Name: The name of the Active Directory Service server.

Servers: A list of server:port strings naming the servers to be used.

Each entry can be of one of three forms:

  • <hostname>

  • <hostname>:<port>

  • <hostname>:<port>:<sslport>

In all cases, <hostname> is a resolvable DNS name or an IP address. If SSL or TLS is in use, the hostname must exactly match the name on the ADS server SSL certificate.

You can modify this list by clicking the button to open an Attribute Element Values dialog box, where you can add, remove, or change the order of server names.

Advanced: The settings in this section are for more selective ADS authentication.

  • SSL: If the accompanying Start TLS check box is not selected and if the ADS server’s SSL certificate has been installed on the PlateSpin Orchestrate Server JVM, this option securely connects to the ADS server through SSL encryption.

    The older LDAP protocol (ldaps://) is used for the connection.

  • Start TLS: Selecting this option immediately promotes the connection to SSL encryption by bypassing the older protocol in favor of the LDAPv3 Start TLS extended operation on the non-SSL LDAP port. To use this option, the ADS server’s SSL certificate must be installed on the JVM of the PlateSpin Orchestrate Server.

  • Query Account: The account name that is to be used for querying group information on authenticated users.

  • Query Password: The clear text password used to authenticate the query account on the LDAP server.
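The Administrators entry format and the Servers entry forms described above, as an added example (not Orchestrate code) of how a membership check honours the group versus groupnocase distinction and how the one-, two- and three-part server entries split. No default ports are assumed: a part that is absent stays None.

```python
# Added illustration of the <provider>:<group|groupnocase>:<groupname> and
# <hostname>[:<port>[:<sslport>]] formats. Not the product's own parser.

from dataclasses import dataclass

PROVIDERS = {"ZOS", "LDAP"}
MODES = {"group", "groupnocase"}


@dataclass(frozen=True)
class AdminGroup:
    provider: str
    case_sensitive: bool
    name: str


def parse_admin_group(spec):
    """Parse one Administrators entry; only the first two colons split it,
    so a group name that itself contains ':' is preserved."""
    parts = spec.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"expected <provider>:<group|groupnocase>:<groupname>: {spec!r}")
    provider, mode, name = parts
    if provider not in PROVIDERS:
        raise ValueError(f"provider must be ZOS or LDAP: {spec!r}")
    if mode not in MODES:
        raise ValueError(f"mode must be group or groupnocase: {spec!r}")
    if not name:
        raise ValueError(f"empty group name: {spec!r}")
    return AdminGroup(provider, mode == "group", name)


def is_administrator(admin_specs, provider, reported_groups):
    """True if a group the provider reported for the user matches an entry for
    that provider. groupnocase compares case-insensitively, which is what an
    Active Directory server needs; group requires an exact match."""
    for spec in admin_specs:
        entry = parse_admin_group(spec)
        if entry.provider != provider:
            continue
        for group in reported_groups:
            if entry.case_sensitive:
                matched = group == entry.name
            else:
                matched = group.casefold() == entry.name.casefold()
            if matched:
                return True
    return False


def parse_server_entry(entry):
    """Split <hostname>, <hostname>:<port> or <hostname>:<port>:<sslport>."""
    parts = entry.strip().split(":")
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"expected <hostname>[:<port>[:<sslport>]]: {entry!r}")
    port = int(parts[1]) if len(parts) > 1 else None
    sslport = int(parts[2]) if len(parts) > 2 else None
    return {"host": parts[0], "port": port, "sslport": sslport}


if __name__ == "__main__":
    # Constructed entries; the group and host names are placeholders.
    admins = ["LDAP:groupnocase:XyZ", "ZOS:group:zosadmin"]
    print(is_administrator(admins, "LDAP", ["users", "xYz"]))   # True
    print(is_administrator(admins, "LDAP", ["zosadmin"]))       # False: wrong provider
    print(parse_server_entry("ad1.example.test:389:636"))
```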

Generic Settings

When you select Generic LDAP Directory Service as the Server Type, the following additional settings are displayed:

Base Domain Name: The Root DN of the LDAP server’s directory tree. This must be obtained by the administrator, and is usually in the form of dc=adsroot,dc=novell,dc=com.

User Attribute: The attribute on a user’s entry that identifies his or her login account name. For ADS servers, this attribute is sAMAccountName.

User Filter: The name of the filter to be used in the lookup for the user’s LDAP distinguished name.

User Prefix: The prefix used to define the LDAP subtree within the BaseDN tree that contains user accounts. If you leave this property blank, the Orchestrate Server uses the BaseDN. For ADS, this prefix is cn=Users.

Group Attribute: Specifies the attribute of a group entry describing the login name of that group.

Group Filter: A filter to be used in the lookup for group memberships on some LDAP schemas. The filter can use either ${USER_NAME} or ${USER_DN} to substitute that value. For example: memberUid=${USER_NAME}.

Group Prefix: The prefix used to define the LDAP subtree within the BaseDN tree that contains group accounts. Not used for Active Directory authentication.

Group DNA Attribute: The directory root where all queries for a user’s group memberships (stored as a list of “member of” attributes on the user’s entry on an ADS server) are to occur.

Nested DNA Attribute: The attribute of a group entry where subgroups can be queried.

The Credential Manager

As a data center administrator, you often have to provide credentials and certificates as you interact with different hypervisor technologies, the Amazon EC2 and vSphere technologies in particular. PlateSpin Orchestrate lets you store this data in a centralized, secure (no cleartext passwords are accessible) location, its Credential Manager.

NOTE: PlateSpin Orchestrate uses TripleDES password-based encryption in its Credential Manager to encrypt stored credentials and certificates.

The Credential Manager, located in the Authentication page of the Orchestrate Server Grid object in the Development Client, includes the following sections:

The Stored Credentials Panel

The Stored Credentials panel displays a list of names of credential sets that you have created. You can create additional credentials if you select Add Credential and fill in the following fields:

Name: (Required) The name that you want to use to refer to this credential set.

User: (Required) The username with rights to administer objects in this grid.

Secret/Password: (Required) The password that authenticates the user.

Type: (Optional) A user-defined string that lets similar credentials be put into a category or group. For example, you might have a “type” of credential for the amazon-ec2 provisioning adapter and another type for the vsphere provisioning adapter.

Stored Credentials Password: (Conditional) If you want to change the password element of your stored credentials, click Change and enter the new password.

This password is stored as a fact on the Matrix grid object. In the Fact Editor, the fact is listed as matrix.credential.manager.passphrase. It is used to encrypt the stored passwords. By default the password is CHANGE_THIS_PASSWORD. We recommend that you select a new password to use for encrypting stored passwords.

The Stored Certificates Panel

In order to trust certificates not signed by well known certificate authorities, PlateSpin Orchestrate lets you store certificates that are trusted by Java.

NOTE: Public/Private key pairs can be stored as certificates. This is useful if you need to manage amazon-ec2 key pairs.

The Stored Certificates panel displays a list of stored certificates. These certificates are not mapped to anything other than the name or identifier that you assign. They are not stored in a trust store, but their PEM-encoded representation is encrypted and stored alongside the credentials referred to above. Trust stores are generated on demand and are available to the Orchestrate Agents.

Currently (Orchestrate version 2.5), this functionality is used only by the Orchestrate vsphere provisioning adapter.

You can create additional trust stores if you select Add Certificate and fill in the following fields:

Identifier: (Required) The name that you want to use to refer to this trust store.

Location: (Required) Where the certificate should be obtained. This can be either a file (which you can browse to find on the local machine) or an HTTPS server.

Select Browse if you want to select an existing PEM-encoded certificate file from the local machine.

If you want to provide the actual URL for the certificate, open the drop-down list, select HTTPS, then enter the URL. The HTTPS server address can be entered as:

https://your.server.name

or as

your.server.name

or as

https://your.server.name:<sslport>

With this address, Orchestrate retrieves the public server certificate from the server and then stores it in a secure location.
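The three HTTPS address forms above, as an added example (not Orchestrate code) that normalizes them to a host and port, retrieves the server's public certificate as PEM the way the Location field does, and computes a SHA-256 fingerprint to compare out of band before the certificate is trusted and stored. It also accepts a bare name:port, going slightly beyond the three forms. Assumptions: port 443 when no <sslport> is given; the PEM constant at the end is a constructed stand-in, not a real certificate.

```python
# Added illustration of retrieving a server certificate from the HTTPS address
# forms accepted by the Location field. Not the product's own code.

import base64
import hashlib
import ssl
from urllib.parse import urlsplit

DEFAULT_SSL_PORT = 443  # assumption: used when the address carries no <sslport>


def normalize_https_location(value, default_port=DEFAULT_SSL_PORT):
    """Return (host, port) for https://name, name, or https://name:<sslport>."""
    text = value.strip()
    if "://" in text:
        parts = urlsplit(text)
        if parts.scheme.lower() != "https" or not parts.hostname:
            raise ValueError(f"not an https:// location: {value!r}")
        return parts.hostname, (parts.port or default_port)
    host, _, port = text.partition(":")
    if not host:
        raise ValueError(f"empty hostname: {value!r}")
    return host, (int(port) if port else default_port)


def fetch_server_certificate_pem(value):
    """Retrieve the certificate the server presents, as PEM.

    Nothing is validated here: this is trust-on-first-use, so the fingerprint
    must be checked against one obtained out of band before storing it."""
    host, port = normalize_https_location(value)
    return ssl.get_server_certificate((host, port))


def pem_to_der(pem):
    """Decode the PEM framing to the raw DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem)


def certificate_fingerprint(pem):
    """SHA-256 fingerprint of the DER encoding, colon-separated upper-case hex
    (the form most certificate viewers display for comparison)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in so the decoding and fingerprint helpers run offline.
# Its body is the bytes b"not a real cert", not an X.509 structure.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"not a real cert").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    for address in ("https://your.server.name", "your.server.name",
                    "https://your.server.name:8443"):
        print(address, "->", normalize_https_location(address))
    print(certificate_fingerprint(CONSTRUCTED_PEM))
```

For a live server, `certificate_fingerprint(fetch_server_certificate_pem("https://your.server.name:8443"))` gives the value to compare with the one the server's administrator reports.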

Group: (Optional) A user-defined string used for grouping related certificates. For example, you might have a grouping called “vsphere” when you are managing resources in a multiple-vSphere Server environment.

3.1.3 The Orchestrate Server Policies Page

The Policies tab opens a page that contains a policy viewer for each of the policies associated with the Server Object.

NOTE: You can edit a policy by right-clicking a policy icon, selecting Edit Policy, and clicking the save icon.

3.1.4 The Orchestrate Server Constraints/Facts Page

The Constraints/Facts tab opens a page that shows all of the effective constraints and facts for the Server object. The Server object has an associated set of facts and constraints that define its properties. By building, deploying, and running jobs on the PlateSpin Orchestrate Server, you can individually change the functionality of any system resource by managing an object’s facts and constraints. The Orchestrate Server assigns default values to each of the component facts, although they can be changed at any time by the administrator, unless they are read-only. Facts with mode r/o have read-only values, which can be viewed by using the pencil icon, but changes cannot be made.