The VendorN Ltd OneDDI product (OneDDI) is a centralised software application which hosts several modules. The Vision module provides long-term access to DNS activity history. The ReDNS module allows service owners to control their DNS records. The IPMeye module provides centralised remote power management and console access using the IPMI protocol. The SerialEyes module provides centralised remote physical serial port access via non-dedicated hardware.
This document details all the features provided by the OneDDI Web User Interface (WebUI).
The OneDDI WebUI is provided by the OneDDI server. By default the application is available using HTTPS using TCP port 443 and can be accessed using the following URL:
https://<ip-address-or-hostname>
Once the WebUI has initially loaded the Login page will be displayed.
NOTE If replication has been configured by an administrator, and the instance being connected to is not an active peer, the user will be redirected to the active peer as per the replication configuration.
Above the login form on the Login page a configurable Message of the Day (MOTD) will be displayed.
Below the MOTD the login form will be displayed, where a username and password can be entered to login.
A product administrator will confirm the credentials to use when accessing the WebUI. Once these have been entered, and authentication was successful, the first licensed module the user has permissions to access will be displayed.
NOTE If a specific WebUI page has been requested that page will be displayed following successful login.
After successful login to the first licensed module the user has permissions to access will be displayed. At the top of each page a menu bar will be displayed. This will have links to the main features of the application, and menu containing product help and the production administration links.
The menu bar is mostly self-explanatory, the product is generally split into the following areas:
Displayed furthest to the right in the menu bar will be a user action menu containing links for Change my password, Access API guide, Access user guide, Access support, and Logout. Refer to the Change My Password section for details on the Change my password dialog.
Below the menu bar the page content area is displayed, this will be different for each page. The remaining sections in this document detail all of the pages and features available in the WebUI.
The Change my password dialog can be accessed by selecting the Change my password link displayed in the user action menu displayed in the top menu bar.
Each user can change their own password using the Change my password dialog once authenticated.
The following fields are displayed in this page:
OneDDI is configured with a password complexity policy. A description of the currently configured policy will be displayed. The following is the default policy description:
Password must be at least 8 characters and contain at least 1 upper case letter, 1 lower case letter, 1 number and 1 of '!@#$%^&*'
Upon clicking the SAVE button the password will be changed immediately.
DNS activity history for devices can be viewed in the Vision / History / Devices page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the DEVICES tab.
The Vision / History / Devices page will display a table of all devices ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each device:
A search control is displayed to the top right of the table. The value which can be entered in the search control is dependant on which search filter type is selected as follows - the filter type can be changed by clicking it and selecting a different one from the dropdown menu displayed:
Device IP/network
- IP address, network or partial IP address, if a partial IP address is specified without a network length the length will be inferred from the provided IP address part, i.e. 192.168
will result in 192.168.0.0/16
and 192.168.68.0
will result in 192.168.68.0/32
Query name ends with
- If a device has made a DNS query which ends in the specified string the device will be included in the resultQuery name equals
- If a device has made a DNS query which exactly equals the specified string the device will be included in the resultQuery name matches domain
- If a device has made a DNS query which ends in the specified domain the device will be included in the result, e.g. test.com
matches www.test.com
but not exampletest.com
Record data equals
- If a device has made a DNS query which pointed to a record (including a CNAME chain) where the record data exactly equals the specified string the device will be included in the resultNOTE All searching is case-insensitive.
To the right of the search control is a filter icon. When clicked an EDIT FILTER dialog is displayed where more search options can be specified. In this dialog a Field, Filter type and value must be specified. Additionally, the Filter mode dropdown can be used to invert the filter. When multiple filters are specified an implicit logical AND is applied and all filters must match for an item to be displayed. Additionally, items can be filtered by network view and device group using the headers of these columns in the table.
The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.
The button SAVE SEARCH will be displayed to the top left of the table unless viewing a saved search, in which case the DUPLICATE SEARCH and SAVE CHANGES buttons will be displayed. Upon clicking the SAVE SEARCH or DUPLICATE SEARCH buttons the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.
If viewing a saved search and the search configuration has been changed the SAVE CHANGES button will be enabled. Upon clicking this button, the Save configuration changes dialog will be displayed, simply click the SAVE button to save the changes.
The link VIEW DEVICE will be displayed to the right of each device. Upon clicking this link the View Device page will be displayed for the device. See the Vision / History / Devices / View Device section for details on this page and viewing devices.
The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE DEVICE HISTORY DATABASE TO CSV links will be displayed.
Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE DEVICE HISTORY DATABASE TO CSV link all devices in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:
|
characterDetailed information about a devices DNS activity history can be accessed by clicking the VIEW DEVICE link displayed to the right of a device under the Vision / History / Devices page.
The View device page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the device:
The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.
The DNS map context will display the devices network view, device group and IP address at the top. Below this the following is displayed for the device:
Below this a chart is displayed which identifies the queries by hour for the device for the last 24 hours.
Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The QUERIES tab contains a list of all the unique queries ever seen for the device, this tab contains the same table data as the Vision / History / Queries page. The SIBLING DEVICES tab contains a list of devices which are on the same /24
network - this can be adjusted to a network of a different size - this tab contains the same table data as the Vision / History / Devices page. The DNS SERVERS tab contains a list of the DNS servers the device has been seen on.
DNS activity history for queries can be viewed in the Vision / History / Queries page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the QUERIES tab.
The Vision / History / Queries page will display a table of all queries ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each query:
A search control is displayed to the top right of the table. The value which can be entered in the search control is dependant on which search filter type is selected as follows - the filter type can be changed by clicking it and selecting a different one from the dropdown menu displayed:
Query name ends with
- If a queries name ends with the specified string it will be included in the resultQuery name equals
- If a queries name exactly equals the specified string it will be included in the resultQuery name matches domain
- If a queries name ends in the specified domain it will be included in the result, e.g. test.com
matches www.test.com
but not exampletest.com
Record data equals
- If a queries name pointed to a record (including via a CNAME chain) where the record data exactly equals the specified string the query will be included in the resultNOTE All searching is case-insensitive.
To the right of the search control is a filter icon. When clicked an EDIT FILTER dialog is displayed where more search options can be specified. In this dialog a Field, Filter type and value must be specified. Additionally, the Filter mode dropdown can be used to invert the filter. When multiple filters are specified an implicit logical AND is applied and all filters must match for an item to be displayed.
The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.
The button SAVE SEARCH will be displayed to the top left of the table unless viewing a saved search, in which case the DUPLICATE SEARCH and SAVE CHANGES buttons will be displayed. Upon clicking the SAVE SEARCH or DUPLICATE SEARCH buttons the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.
If viewing a saved search and the search configuration has been changed the SAVE CHANGES button will be enabled. Upon clicking this button, the Save configuration changes dialog will be displayed, simply click the SAVE button to save the changes.
The link VIEW QUERY will be displayed to the right of each query. Upon clicking this link the View Query page will be displayed for the query. See the Vision / History / Queries / View Query section for details on this page and viewing queries.
The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE QUERY HISTORY DATABASE TO CSV links will be displayed.
Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE QUERY HISTORY DATABASE TO CSV link all queries in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:
|
character|
character|
characterDetailed information about a queries DNS activity history can be accessed by clicking the VIEW QUERY link displayed to the right of a query under the Vision / History / Queries page.
The View query page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the query:
The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.
The DNS map context will display the queries name at the top. Below this the following is displayed for the query:
Below this a chart is displayed which identifies the queries by hour for the query for the last 24 hours.
Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The DEVICES tab contains a list of all devices which have directly looked up the query name, this tab contains the same data as the Vision / History / Devices page. The RECORDS tab contains a list of all records the query name directly resolves to, this tab contains the same data as the Vision / History / Records page. The QUERY TYPES tab contains a list of the query types seen for the query along with the response codes seen for them. The RESPONSE CODES tab contains a list of the response codes seen for a query along with the query types seen for them. The DNS SERVERS tab contains a list of the DNS servers the record has been seen on.
DNS activity history for records can be viewed in the Vision / History / Records page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the RECORDS tab.
The Vision / History / Records page will display a table of all records ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each record:
A search control is displayed to the top right of the table. The value which can be entered in the search control is dependant on which search filter type is selected as follows - the filter type can be changed by clicking it and selecting a different one from the dropdown menu displayed:
Record name ends with
- If a records name ends with the specified string it will be included in the resultRecord name equals
- If a records name exactly equals the specified string it will be included in the resultRecord name matches domain
- If a records name ends in the specified domain it will be included in the result, e.g. test.com
matches www.test.com
but not exampletest.com
Record data ends with
- If a records data ends with the specified string it will be included in the resultRecord data equals
- If a records data exactly equals the specified string it will be included in the resultRecord data matches domain
- If a records data ends in the specified domain it will be included in the result, e.g. test.com
matches www.test.com
but not exampletest.com
Record data matches IP/network
- If a records type is A
or AAAA
and its data matches an IP address, network or partial IP address it will be included in the result, if a partial IP address is specified without a network length the length will be inferred from the provided IP address part, i.e. 192.168
will result in 192.168.0.0/16
and 192.168.68.0
will result in 192.168.68.0/32
NOTE All searching is case-insensitive.
To the right of the search control is a filter icon. When clicked an EDIT FILTER dialog is displayed where more search options can be specified. In this dialog a Field, Filter type and value must be specified. Additionally, the Filter mode dropdown can be used to invert the filter. When multiple filters are specified an implicit logical AND is applied and all filters must match for an item to be displayed.
The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.
The button SAVE SEARCH will be displayed to the top left of the table unless viewing a saved search, in which case the DUPLICATE SEARCH and SAVE CHANGES buttons will be displayed. Upon clicking the SAVE SEARCH or DUPLICATE SEARCH buttons the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.
If viewing a saved search and the search configuration has been changed the SAVE CHANGES button will be enabled. Upon clicking this button, the Save configuration changes dialog will be displayed, simply click the SAVE button to save the changes.
The link VIEW RECORD will be displayed to the right of each record. Upon clicking this link the View Record page will be displayed for the record. See the Vision / History / Records / View Records section for details on this page and viewing records.
The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE RECORD HISTORY DATABASE TO CSV links will be displayed.
Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE RECORD HISTORY DATABASE TO CSV link all records in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:
|
characterDetailed information about a records DNS activity history can be accessed by clicking the VIEW RECORD link displayed to the right of a record under the Vision / History / Records page.
The View record page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the record:
The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.
The DNS map context will display the records name, class, type and data at the top. Below this the following is displayed for the record:
Below this a chart is displayed which identifies the queries by hour for the record for the last 24 hours.
Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The QUERIES tab contains a list of all queries which resolved to the record - this includes queries which resolved via other records like CNAME chains, this tab contains the same data as the Vision / History / Queries page. The DEVICES tab contains a list of all devices which have looked up a query which resolved to the record - this includes queries which resolved via other records like CNAME chains, this tab contains the same data as the Vision / History / Devices page. The SIBLING RECORDS tab contains a list of all records which have the same record name, this tab contains the same data as the Vision / History / Records page. The DNS SERVERS tab contains a list of the DNS servers the record has been seen on.
Global DNS activity events can be viewed under the Vision / Events / Global Events page by clicking the Vision link displayed in the top menu bar, selecting the Events link displayed in the dropdown menu and clicking the GLOBAL EVENTS tab.
The Vision / Events / Global Events page will display a table of the latest global events (up to 100,000 by default). The following columns are displayed in the table for each event:
15 minutes ago
, hovering over the timestamp will display the ISO timestamp of the event, e.g. 2024-01-01T00:00:00Z
new-domain
or new-ipv4
new-domain
a second-level DNS domain, for new-ipv4
a dotted quad IPv4 address and for new-ipv6
an IPv6 address in compressed formA search control is displayed to the top right of the table. Values in the search field will be matched against the event target, related device IP or related query name fields. Additionally, events can be filtered by event type using the header of the event type column in the table.
The link VIEW LIVE QUERIES is displayed to the right of each event. Upon clicking this link the Vision / Live Queries page will be displayed with a filter pre-applied to identify DNS activity relating to the event.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all audit entries will be exported to a CSV file and downloaded. The CSV file will contain the same fields as the table.
Device group DNS activity events can be viewed under the Vision / Events / Device Group Events page by clicking the Vision link displayed in the top menu bar, selecting the Events link displayed in the dropdown menu and clicking the DEVICE GROUP EVENTS tab.
The Vision / Events / Device Group Events page will display a table of the latest device group events (up to 100,000 by default). The following columns are displayed in the table for each event:
15 minutes ago
, hovering over the timestamp will display the ISO timestamp of the event, e.g. 2024-01-01T00:00:00Z
new-domain
or new-ipv4
new-domain
a second-level DNS domain, for new-ipv4
a dotted quad IPv4 address and for new-ipv6
an IPv6 address in compressed formA search control is displayed to the top right of the table. Values in the search field will be matched against the event target, related device IP or related query name fields. Additionally, events can be filtered by network view, device group and event type using the headers of these columns in the table.
The link VIEW LIVE QUERIES is displayed to the right of each event. Upon clicking this link the Vision / Live Queries page will be displayed with a filter pre-applied to identify DNS activity relating to the event.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all audit entries will be exported to a CSV file and downloaded. The CSV file will contain the same fields as the table.
The latest DNS queries and responses processed by all OneDDI sensors can be viewed in the Vision / Live Queries page by clicking the Vision link displayed in the top menu bar and selecting the Live Queries link displayed in the dropdown menu.
NOTE DNS queries and responses are currently ordered in the table by the time at which they were received from DNS servers. Users cannot assume that messages are in time order, especially when comparing between DNS servers.
The Vision / Live Queries page will display a table of the latest DNS queries and responses processed by all OneDDI sensors. The following columns are displayed in the table for each DNS query and response seen:
Q
followed by recursive
or iterative
depending on if this is a recursirve query and the IP address the DNS query was sent to, else this is a response, in which case R
followed by the response code and the number of response records in the responseA search control is displayed to the top right of the table. The value which can be entered in the search control is dependant on which search filter type is selected as follows - the filter type can be changed by clicking it and selecting a different one from the dropdown menu displayed:
FQDN contains
- Activity is searched by looking for DNS messages where the query name or response record name contains the specified stringFQDN equals
- Activity is searched by looking for DNS messages where the query name or response record name equals the specified stringIP equals
- Activity is searched by looking for DNS messages where the IP address of the related device or response record data for A or AAAA records equals the specified IPv4 or IPv6 addressIP matches network
- Activity is searched by looking for DNS messages where the IP address of the related device or response record data for A or AAAA records falls within the specified networkNOTE All searching is case-insensitive.
To the right of the search control is a filter icon. When clicked an EDIT FILTER dialog is displayed where more search options can be specified. In this dialog a Field, Filter type and value must be specified. Additionally, the Filter mode dropdown can be used to invert the filter. When multiple filters are specified an implicit logical AND is applied and all filters must match for an item to be displayed. Additionally, items can be filtered by network view and device group using the headers of these columns in the table.
The latest DNS query dataset is high dynamic and can change very quickly. Instead of paging controls a LOAD MORE ITEMS link is displayed to the bottom of the table. This allows more pages of results to be loaded without the user losing their point in time and possibly losing the current results.
The button SAVE SEARCH will be displayed to the top left of the table unless viewing a saved search, in which case the DUPLICATE SEARCH and SAVE CHANGES buttons will be displayed. Upon clicking the SAVE SEARCH or DUPLICATE SEARCH buttons the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.
If viewing a saved search and the search configuration has been changed the SAVE CHANGES button will be enabled. Upon clicking this button, the Save configuration changes dialog will be displayed, simply click the SAVE button to save the changes.
Displayed to the right of each item is an expand toggle icon. When click a panel is expanded below the item to show more details. The following is displayed in this panel:
query
or response
doh
(DNS over HTTP), dot
(DNS over TLS), tcp
or udp
yes
if the recursion desired flag was set in the DNS message, else no
The link EXPORT DISPLAYED TO CSV will be displayed to the top left of the table. Upon clicking this link all items will be exported to a CSV file and downloaded, with the resulting file having the following fields:
query
or response
doh
(DNS over HTTP), dot
(DNS over TLS), tcp
or udp
Saved searches are viewed and managed under the Vision / Saved Searches page.
The Vision / Saved Searches page will display a table of all defined saved searches. If the logged in user has been assigned permissions to manage saved searches then all saved searches, even ones not owned by the user will be displayed, otherwise only ones owned by the user or shared by other users will be displayed.
The following columns are displayed in the table for each saved search:
device-history
, query-history
, record-history
or live-queries
A search control is displayed to the top right of the table. Values in the search field will be matched against a saved searches name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of saved searches, and to control how many are displayed in a single page.
The button ADD A SAVED SEARCH will be displayed to the top left of the table. If a user has NOT been assigned permission to manage saved searches, this button will be disabled. Upon clicking this button, the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.
The link VIEW DATA will be displayed to the right of each saved search. Upon clicking this link the Vision / History / [history type] page will be displayed for the search type with the saved search configuration applied.
Upon hovering over a row in the table edit saved search and delete saved search buttons will be displayed to the left. If the logged in user is not the owner of a search or the user has NOT been assigned permission to manage saved searches the edit saved search and delete saved search buttons will be disabled.
Upon clicking the edit saved search button, the Edit saved search dialog will be displayed. See the Vision / Saved Searches / Edit a Saved Search section for details on this dialog and editing a saved search.
Upon clicking the delete saved search button the Delete saved search dialog will be displayed. See the Vision / Saved Searches / Delete a Saved Search section for details on this dialog and deleting a saved search.
Saved searches are added using the Add a saved search dialog. This can be accessed by clicking the ADD A SAVED SEARCH button displayed in the Vision / Saved Searches page, the DUPLICATE SEARCH when viewing the data for an existing saved search, or SAVE SEARCH when viewing the Vision / History / [history type] page.
This dialog contains the following inputs:
device-history
, query-history
, record-history
or live-queries
Once all required attributes have been specified the ADD button will be enabled, and once clicked the saved search will be added.
Saved searches are edited using the Edit a saved search dialog. This can be accessed by clicking the ADD A SAVED SEARCH button displayed in the Vision / Saved Searches page, the DUPLICATE SEARCH when viewing the data for an existing saved search, or SAVE SEARCH when viewing the Vision / History / [history type] page.
This dialog contains the following inputs:
device-history
, query-history
, record-history
or live-queries
Click the SAVE button to save changes to the saved search.
NOTE This is a destructive operation which cannot be undone.
Saved searches are deleted using the Delete saved search dialog. This can be accessed by clicking the delete saved search button displayed to the left when hovering over a saved search in the Vision / Saved Searches page. If a user has NOT been assigned permission to manage saved searches, this button will be disabled.
The delete dialog prompts whether the saved search should be deleted. Note that no data is deleted, only the saved search and its configuration.
Click the DELETE button to confirm the saved search should be deleted, after which the saved search will be deleted.
Device groups are viewed and managed under the Vision / Device Groups page by clicking the Vision link displayed in the top menu bar and selecting the Device Groups link displayed in the dropdown menu.
A device group is a set of networks which identify a set of related devices and the configuration for event montoring, history tracking and activity forwarding for the DNS messages to and from those devices.
Devices can overlap, in this case the device group with the most specific network will be used. A device group cannot contain the same network and length as one configured on another device group in the same network view. To configure a single host on a device group configure a /32
network for the IP address.
A default device group does not have any networks configured. Any device not found to be covered by the networks configured on other device groups for the same network view will be associated with the default device group (if configured).
There is no requirement to create device groups for every part of the network. Device groups are a way to prioritise certain networks and devices. Most customers will create a default device group and then a handful of device groups for critical networks and devices.
The Vision / Device Groups page will display a table of all defined device groups.
The following columns are displayed in the table for each device group:
A search control is displayed to the top right of the table. Values in the search field will be matched against a device groups name or configured networks.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of device groups, and to control how many are displayed in a single page.
The button ADD A DEVICE GROUP will be displayed to the top left of the table. Upon clicking this button, the Add Device Grouup dialog will be displayed. See the Vision / Device Groups / Add a Device Group section for details on this dialog and adding device groups.
Upon hovering over a row in the table edit device group and delete device group buttons will be displayed to the left.
Upon clicking the edit device group button, the Edit device group dialog will be displayed. See the Vision / Device Groups / Edit a Device Group section for details on this dialog and editing a device groups.
Upon clicking the delete device group button, the Delete device group dialog will be displayed. See the Vision / Device Groups / Delete a Device Group section for details on this dialog and deleting a device group.
Device groups are added using the Add a device group dialog. This can be accessed by clicking the ADD A DEVICE GROUP button displayed in the Vision / Device Groups page.
This dialog contains several tabs. The DEVICE GROUP tab contains the following inputs:
192.168.68.0/24
, devices failling within the networks will be associated with the device groupThe EVENT MONITORING tab contains the following inputs:
If the Select to activate DNS activity monitoring for devices matching this device group is selected then DNS activity events will be created for devices matching the device group. Supported event types are as follows:
New domain
- Look for second-level domains not seen before in the query name or response record name fields of DNS messagesNew IPv4 address
- Look for IP addresses not seen before in response records of DNS messagesNew IPv6 address
- Look for IP addresses not seen before in response records of DNS messagesThe following options are available for each type:
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for event monitoring.
The HISTORY TRACKING tab contains a single input for Select to activate DNS activity tracking for devices matching this device group. If selected, DNS activity history will be tracked for devices matching the device group. This will include devices, queries and records and the queries made by the devices.
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity tracking.
The ACTIVITY FORWARDING tab will contains the following inputs:
If the Select to activate DNS activity forwarding for devices matching this device group is selected then DNS messages will be forward to a sensors configured SIEM connector for devices matching the device group. In this case the remaining options in this tab will be enabled.
DNS activity can be forwarded in a non-aggregated or aggregated way.
In the non-aggregated way every DNS message (i.e. both queries and responses) will be forwarded. In this case the Forward all DNS query and response messages parameter will be selected. While the all DNS messages will be forward, the Select to use the same format as aggregated DNS query and response messages parameter can be used to forward these messages using the same format as the aggregated way. This allows the messages to be viewed and used alongside the aggregated messages.
In the aggregated way DNS messages are tracked as “aggregation sessions” where each DNS query and response is uniquely identified and tracked over a window of time, with updates being sent to a sensors SIEM connector after each aggregation update interval. Several parameters are used to determine how aggregation sessions are tracked as follows:
device
, in which case an aggregation session is maintained on a per device basis (i.e. if two devices, even from the same device group, perform the same query this is two sessions), or device-group
, in which case an aggregation session is maintained on a per device group basis (i.e. if two devices from the same device group perform the same query this is one session), if device-group
is selected the following two options can be used to maintain access to per device statistics:
In both non-aggregated and aggregated cases, the format of the messages is dictated by the SIEM connector, i.e. using either csv
or json
(example messages can be accessed when adding/editing SIEM connectors).
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity forwarding.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the device group will be added.
Device groups are edited using the Edit Device Group dialog. This can be accessed by clicking the edit device group button displayed to the left when hovering over a device group in the Vision / Device Groups page.
This dialog contains several tabs. The DEVICE GROUP tab contains the following inputs:
192.168.68.0/24
, devices failling within the networks will be associated with the device groupThe EVENT MONITORING tab contains the following inputs:
If the Select to activate DNS activity monitoring for devices matching this device group is selected then DNS activity events will be created for devices matching the device group. Supported event types are as follows:
New domain
- Look for second-level domains not seen before in the query name or response record name fields of DNS messagesNew IPv4 address
- Look for IP addresses not seen before in response records of DNS messagesNew IPv6 address
- Look for IP addresses not seen before in response records of DNS messagesThe following options are available for each type:
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for event monitoring.
The HISTORY TRACKING tab contains a single input for Select to activate DNS activity tracking for devices matching this device group. If selected, DNS activity history will be tracked for devices matching the device group. This will include devices, queries and records and the queries made by the devices.
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity tracking.
The ACTIVITY FORWARDING tab will contains the following inputs:
If the Select to activate DNS activity forwarding for devices matching this device group is selected then DNS messages will be forward to a sensors configured SIEM connector for devices matching the device group. In this case the remaining options in this tab will be enabled.
DNS activity can be forwarded in a non-aggregated or aggregated way.
In the non-aggregated way every DNS message (i.e. both queries and responses) will be forwarded. In this case the Forward all DNS query and response messages parameter will be selected. While the all DNS messages will be forward, the Select to use the same format as aggregated DNS query and response messages parameter can be used to forward these messages using the same format as the aggregated way. This allows the messages to be viewed and used alongside the aggregated messages.
In the aggregated way DNS messages are tracked as “aggregation sessions” where each DNS query and response is uniquely identified and tracked over a window of time, with updates being sent to a sensors SIEM connector after each aggregation update interval. Several parameters are used to determine how aggregation sessions are tracked as follows:
device
, in which case an aggregation session is maintained on a per device basis (i.e. if two devices, even from the same device group, perform the same query this is two sessions), or device-group
, in which case an aggregation session is maintained on a per device group basis (i.e. if two devices from the same device group perform the same query this is one session), if device-group
is selected the following two options can be used to maintain access to per device statistics:
In both non-aggregated and aggregated cases, the format of the messages is dictated by the SIEM connector, i.e. using either csv
or json
(example messages can be accessed when adding/editing SIEM connectors).
A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity forwarding.
Click the SAVE button to save changes to the device group.
NOTE This is a destructive operation which cannot be undone.
Device groups are deleted using the Delete Device Group dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a device group in the Vision / Device Groups page.
The delete dialog prompts whether the device group should be deleted.
Click the DELETE button to confirm the device group should be deleted, after which the device group will be deleted.
Sensors are viewed and managed under the Vision / Network / Sensors page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the SENSORS tab.
The Vision / Network / Sensors page will display a table of all defined sensors.
The following columns are displayed in the table for each sensor:
A search control is displayed to the top right of the table. Values in the search field will be matched against a sensors name or IP address.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of sensors, and to control how many are displayed in a single page.
The button ADD A SENSOR will be displayed to the top left of the table. Upon clicking this button, the Add Sensor dialog will be displayed. See the Vision / Network / Sensors / Add a Sensor section for details on this dialog and adding sensors.
The button SYNCHRONISE SENSORS will be displayed to the top left of the table. Upon clicking this button, the Synchronise Sensors dialog will be displayed. See the Vision / Network / Sensors / Synchronise Sensors section for details on this dialog and synchronising sensors.
The link VIEW ACTIVITY UPDATE HISTORY will also be displayed to the top left of the table. Upon clicking this link, the Activity update history page will be displayed. See the Vision / Network / Sensors / View Activity Update History section for details on this page.
The link VIEW SENSOR will be displayed to the right of each sensor. Upon clicking this link the View sensor page will be displayed for the sensor. See the Vision / Network / Sensors / View Sensor section for details on this page and viewing sensors.
Upon hovering over a row in the table edit sensor, delete sensor and synchronise sensor buttons will be displayed to the left.
Upon clicking the edit sensor button, the Edit Sensor dialog will be displayed. See the Vision / Network / Sensors / Edit a Sensor section for details on this dialog and editing a sensor.
Upon clicking the delete sensor button, the Delete Sensor dialog will be displayed. See the Vision / Network / Sensors / Delete a Sensor section for details on this dialog and deleting a sensor.
Upon clicking the synchronise sensor button, the Synchronise Sensors dialog will be displayed but for the one sensor. See the Vision / Network / Sensors / Synchronise Sensors section for details on this dialog and synchronising a sensor.
Sensors are synchronised using the Synchronise sensor dialog.
To synchronise a single sensor, this can be accessed by clicking the synchronise button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page, or displayed to the right of a sensors name at the top of the Vision / Network / Sensors / View Sensor page.
To synchronise all sensors, this can be accessed by clicking the SYNCHRONISE SENSORS button displayed at the top left of the sensors table in the Vision / Network / Sensors page.
Sensors collect data for a network view which is assigned when adding or editing network views or sensors. Network views, device groups and other data is automatically synchronised with sensors when they are modified.
This dialog is used to force a check to be performed so that a sensor will verify they have an up to date copy of their cached data, synchronising it if it has changed.
Click the SYNCHRONISE NOW button to confirm the sensor/sensors should be synchronised, after which a request to synchronise will be made and the dialog closed. The synchronisation process will continue in the background. If there are any issues with this process, details can be accessed in the View Sensor page.
The activity update history for all sensors can be viewed under the Activity Update History page by clicking the VIEW ACTIVITY UPDATE HISTORY link displayed at the top left of the sensors table in the Vision / Network / Sensors page.
Sensors track DNS activity history and periodically saves this data to files, queueing them to be sent to the OneDDI Master server. The OneDDI Master server then downloads the activity history update files and processes the updates into its Vision Database. Each file downloaded is recorded in the activity update history. If there is an error in processing a file it will be displayed in this table.
NOTE When viewing activity update history some numbers may not seem to correlate. For example, a file may contain 1000 items but have 500 added and only 400 updated items. Likewise, when added together the added plus updated numbers may be higher than the number of items in the file. This is expected since the OneDDI Master may decide not to perform certain updates, or perform additional updates, depending on the other contents of the file or the existing items already in the Vision Database.
The following columns are displayed in the table for each activity update file:
2 hours ago
, hovering over this field will result in a tooltip being displayed which shows the date and time in ISO formatA search control is displayed to the top right of the table. Values in the search field will be matched against a files ID or processing status.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of activity update files, and to control how many are displayed in a single page.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all activity update files will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:
processing
, error
or complete
Sensors are added using the Add a Sensor dialog. This can be accessed by clicking the ADD A SENSOR button displayed in the Vision / Network / Sensors page.
The Add a Sensor dialog displays a four step wizard which guides a user through adding a sensor. Before a sensor can be added its unique connection key must be obtained. This key is stored in the /opt/oneddi-sensor/config/http-connection.key
file once the sensor has been installed. When the sensor is added to the OneDDI user interface this connection key will be changed automatically.
Step 1 in the dialog, the Start page, provides a brief overview of what will be performed to add a sensor.
Click the NEXT button to continue to step 2, the Configure page. In this page the Name, IP address and Port used to communicate with the sensor must be specified. An optional Network view can be selected, which can also be configured later when editing sensors and network views, can also be specified along with a SIEM connector the sensor should use to forward DNS activity messages if configured to do so on device groups.
Click the NEXT button to continue to step 3, the Verify page. In this page the Connector key obtained during sensor installation must be specified. Once specified, click the VERIFY CONFIGURATION button to verify communication with the sensor and the connection key. Once successful, the ADD and ADD & VIEW buttons will be enabled.
Click the ADD and ADD & VIEW button to add the sensor after which the dialog will close.
Detailed information about sensor health can be accessed by clicking the VIEW SENSOR link displayed to the right of a sensors name under the Vision / Network / Sensors page.
The View sensor page is divided into several sections.
At the top of the View sensor page the name, IP address, port and connection status of the sensor is displayed. Additionally, edit sensor, delete sensor and synchronise sensor buttons will be displayed to the right.
The SUMMARY section provides several icons indicating the health of several sensor communication points. When an icon is coloured green the item is healthy, when it is coloured red the item is unhealthy and a message will be displayed to indicate the problem. The following items are displayed:
The SENSOR LOG section displays a table containing (by default) the most recent 10,000 log messages generated by the sensor.
The following columns are displayed in the table for each service:
info
, warn
or error
A search control is displayed to the top right of the table. Values in the search field will be matched against a log messages level, source or message.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of log messages, and to control how many are displayed in a single page.
The link EXPORT TO CSV will be displayed to the top of the left of the log message table. Upon clicking this link all sensor log messages will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:
info
, warn
or error
The activity update queue for a sensor can be viewed under the Activity Update Queue page by clicking the VIEW ACTIVITY UPDATE QUEUE link displayed under the SUMMARY section in the Vision / Network / Sensors / View Sensor page.
Sensors track DNS activity history and periodically saves this data to files, queueing them to be sent to the OneDDI Master server. The acivity update queue contains all files waiting to be collected by the OneDDI Master server.
The following columns are displayed in the table for each activity update file:
A search control is displayed to the top right of the table. Values in the search field will be matched against a files ID.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of activity update files, and to control how many are displayed in a single page.
Sensors are edited using the Edit Sensor dialog. This can be accessed by clicking the edit sensor button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page.
This dialog contains several tabs. The SENSOR tab contains the following inputs:
The CONNECTION tab contains the following inputs:
Click the SAVE button to save changes to the sensor.
NOTE This is a destructive operation which cannot be undone. History and event data is not affected when deleting sensors.
Sensors are deleted using the Delete sensor dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page, or displayed to the right of a sensors name at the top of the Vision / Network / Sensors / View Sensor page.
The delete dialog prompts whether the sensor should be deleted.
Click the DELETE button to confirm the sensor should be deleted, after which the sensor will be deleted.
Network views are viewed and managed under the Vision / Network / Network views page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the NETWORK VIEWS tab.
The Vision / Network / Network views page will display a table of all defined network views.
The following columns are displayed in the table for each network view:
A search control is displayed to the top right of the table. Values in the search field will be matched against a network views name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of network views, and to control how many are displayed in a single page.
The button ADD A NETWORK VIEW will be displayed to the top left of the table. Upon clicking this button, the Add Network View dialog will be displayed. See the Vision / Network / Network Views / Add a Network View section for details on this dialog and adding network views.
Upon hovering over a row in the table edit network view and delete network view button will be displayed to the left.
Upon clicking the edit network view button, the Edit Network view dialog will be displayed. See the Vision / Network / Network Views / Edit a Network view section for details on this dialog and editing a network view.
Upon clicking the delete network view button, the Delete Network view dialog will be displayed. See the Vision / Network / Network Views / Delete a Network View section for details on this dialog and deleting a network view.
Network views are added using the Add a network view dialog. This can be accessed by clicking the ADD A NETWORK VIEW button displayed in the Vision / Network / Network Views page.
This dialog contains following inputs:
Once all required attributes have been specified the ADD button will be enabled, and once clicked the network view will be added.
Network views are edited using the Edit network view dialog. This can be accessed by clicking the edit network view button displayed to the left when hovering over a network view in the Vision / Network / Network Views page.
This dialog contains following inputs:
Click the SAVE button to save changes to the network view.
NOTE This is a destructive operation which cannot be undone. History and event data related to the network view will not be accessible once it has been deleted.
Network views are deleted using the Delete network view dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a network view in the Vision / Network / Network Views page.
The delete dialog prompts whether the network view should be deleted.
Click the DELETE button to confirm the network view should be deleted, after which the network view will be deleted.
DNS servers are viewed and managed under the Vision / Network / DNS servers page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the DNS SERVERS tab.
The Vision / Network / DNS servers page will display a table of all defined DNS servers.
The following columns are displayed in the table for each DNS server:
A search control is displayed to the top right of the table. Values in the search field will be matched against a DNS servers name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of DNS servers, and to control how many are displayed in a single page.
The button ADD A DNS SERVER will be displayed to the top left of the table. Upon clicking this button, the Add DNS Server dialog will be displayed. See the Vision / Network / DNS Servers / Add a DNS Server section for details on this dialog and adding DNS servers.
Upon hovering over a row in the table edit DNS server and delete DNS server button will be displayed to the left.
Upon clicking the edit DNS server button, the Edit DNS server dialog will be displayed. See the Vision / Network / DNS Servers / Edit a DNS server section for details on this dialog and editing a DNS server.
Upon clicking the delete DNS server button, the Delete DNS server dialog will be displayed. See the Vision / Network / DNS Servers / Delete a DNS Server section for details on this dialog and deleting a DNS server.
DNS servers are added using the Add a DNS server dialog. This can be accessed by clicking the ADD A DNS SERVER button displayed in the Vision / Network / DNS Servers page.
This dialog contains several tabs. The DNS SERVER tab contains the following inputs:
The DATA COLLECTION tab contains the following inputs:
bind-syslog
bluecat-http
dnstap
efficient-ip-syslog
infoblox-data-connector
infoblox-syslog
windows-agent
- There are no additional parameters for this methodOnce all required attributes have been specified the ADD button will be enabled, and once clicked the DNS server will be added.
DNS servers are edited using the Edit DNS server dialog. This can be accessed by clicking the edit DNS server button displayed to the left when hovering over a DNS server in the Vision / Network / DNS Servers page.
This dialog contains several tabs. The DNS SERVER tab contains the following inputs:
The DATA COLLECTION tab contains the following inputs:
bind-syslog
bluecat-http
dnstap
efficient-ip-syslog
infoblox-data-connector
infoblox-syslog
windows-agent
- There are no additional parameters for this methodClick the SAVE button to save changes to the DNS server.
NOTE This is a destructive operation which cannot be undone. History and event data related to the DNS server will not be accessible once it has been deleted.
DNS servers are deleted using the Delete DNS server dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a DNS server in the Vision / Network / DNS Servers page.
The delete dialog prompts whether the DNS server should be deleted.
Click the DELETE button to confirm the DNS server should be deleted, after which the DNS server will be deleted.
SIEM connectors are viewed and managed under the Vision / Network / SIEM connectors page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the SIEM CONNECTORS tab.
The Vision / Network / SIEM connectors page will display a table of all defined SIEM connectors.
The following columns are displayed in the table for each SIEM connector:
csv
or json
A search control is displayed to the top right of the table. Values in the search field will be matched against a SIEM connectors name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of SIEM connectors, and to control how many are displayed in a single page.
The button ADD A SIEM CONNECTOR will be displayed to the top left of the table. Upon clicking this button, the Add SIEM Connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Add a SIEM Connector section for details on this dialog and adding SIEM connectors.
Upon hovering over a row in the table edit SIEM connector and delete SIEM connector buttons will be displayed to the left.
Upon clicking the edit SIEM connector button, the Edit SIEM connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Edit a SIEM Connector section for details on this dialog and editing a SIEM connector.
Upon clicking the delete SIEM connector button, the Delete SIEM connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Delete a SIEM Connector section for details on this dialog and deleting a SIEM connector.
SIEM connectors are added using the Add a SIEM connector dialog. This can be accessed by clicking the ADD A SIEM CONNECTOR button displayed in the Vision / Network / SIEM Connectors page.
This dialog contains several tabs. The SIEM CONNECTOR tab contains the following inputs:
csv
or json
, click the DOWNLOAD EXAMPLE MESSAGES button to see the format of each of these messagesThe TARGETS tab contains inputs to specify targets to send messages. At least one target IP address and TCP port must be specified, optionally selecting Select to use TLS to use TLS when connecting. Use the ADD ANOTHER TARGET button to add more targets.
The SENSORS tab is where the sensors assigned to the SIEM connector can be selected by clicking the EDIT SELECTED SENSORS button.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the SIEM connector will be added.
SIEM connectors are edited using the Edit SIEM connector dialog. This can be accessed by clicking the edit SIEM connector button displayed to the left when hovering over a SIEM connector in the Vision / Network / SIEM Connectors page.
This dialog contains several tabs. The SIEM CONNECTOR tab contains the following inputs:
csv
or json
, click the DOWNLOAD EXAMPLE MESSAGES button to see the format of each of these messagesThe TARGETS tab contains inputs to specify targets to send messages. At least one target IP address and TCP port must be specified, optionally selecting Select to use TLS to use TLS when connecting. Use the ADD ANOTHER TARGET button to add more targets.
The SENSORS tab is where the sensors assigned to the SIEM connector can be selected by clicking the EDIT SELECTED SENSORS button.
Click the SAVE button to save changes to the SIEM connector.
NOTE This is a destructive operation which cannot be undone.
SIEM connectors are deleted using the Delete SIEM connector dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a SIEM connector in the Vision / Network / SIEM Connectors page.
The delete dialog prompts whether the SIEM connector should be deleted.
Click the DELETE button to confirm the SIEM connector should be deleted, after which the SIEM connector will be deleted.
Services are viewed and managed under the ReDNS / Services page by clicking the ReDNS link displayed in the top menu bar and clicking the Services link.
The ReDNS / Services page will display a table of all defined services.
The following columns are displayed in the table for each service:
www.vendorn.com
Internal Infoblox Grid
A search control is displayed to the top right of the table. Values in the search field will be matched against a services Service FQDN, DNS view, description or active records. Additionally, services can be filtered by service group using the header of the service group column in the table.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.
The button ADD A SERVICE will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services, this button will be disabled. Upon clicking this button, the Add a service dialog will be displayed. See the ReDNS / Services / Add a Service section for details on this dialog and adding services.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all services will be exported to a CSV file and downloaded. See the ReDNS / Services / Export to CSV section for details on exporting services.
The link VIEW SERVICE will be displayed to the right of each service. Upon clicking this link the View service page will be displayed for the service. See the ReDNS / Services / View service section for details on this page and viewing services.
Upon hovering over a row in the table edit service, delete service and edit service permissions buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services the edit service and delete service buttons will be disabled, and the edit service permissions button is replaced with a view service permissions button.
Upon clicking the edit service button, the Edit service dialog will be displayed. See the ReDNS / Services / Edit a Service section for details on this dialog and editing a service.
Upon clicking the delete service button the Delete service dialog will be displayed. See the ReDNS / Services / Delete a Service section for details on this dialog and deleting a service.
Upon clicking the view or edit service permissions button the Edit service permissions or View service permissions dialog will be displayed depending on whether a user has been assigned permissions to manage services. See the ReDNS / Services / Services Permissions section for details on this dialog and service permissions.
Services are added using the Add a service dialog. This can be accessed by clicking the ADD A SERVICE button displayed in the ReDNS / Services page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
This dialog contains the following inputs:
default
www.vendorn.com
Once all required attributes have been specified the ADD button will be enabled, and once clicked the service will be added.
Service are imported using the Import service records dialog. This can be accessed by clicking the IMPORT SERVICE RECORDS button displayed in the ReDNS / Service Records page. If the currently authenticated user NOT been assigned permission to manage services this button will be disabled.
During import, when a service record is added, if the service specified for the service record does not exist it will be automatically created before the service record is added. This means that a service record must be imported to be able to import a service.
See the ReDNS / Service Records / Import Service Records section for more details on this dialog and importing service records.
Services are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / Services page. Upon clicking this link all services will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:
svc1.vendorn.com
.Internal Grid
.default
Public service
Service permissions are viewed and edited using the View service permissions and Edit service permissions dialogs. These can be accessed by clicking the view service permissions or edit service permissions buttons displayed to the left when hovering over a service in the ReDNS / Service page, or displayed to the right of a services Service FQDN at the top of the View service page. If the currently authenticated user has NOT been assigned permission to manage services the view service permissions button will be accessible otherwise the edit service permissions button will be accessible.
The View service permissions dialog displays all the groups which are permitted to swap the active service records for as service.
Note that this permission does not allow management of the service. A user must be associated with a group which has the manage-services
permission assigned to be able to manage services. Permissions assigned at the service level are to swap the active service records of a service only, which includes changing service TTL’s.
The Edit service permissions dialog also displays all the groups which are permitted to swap the active service records for as service. Additionally, an EDIT SELECTED GROUPS button is displayed to permit selecting and deselecting which groups should be assigned the permission, after which the SAVE button can be used to save the selected permissions.
Detailed information about a service and its service record state can be accessed by clicking the VIEW SERVICE link displayed to the right of a service under the ReDNS / Services and ReDNS / Service Records pages.
The View service page is divided into multiple sections.
At the top of the View service page the services Service FQDN, Infoblox connector, Infoblox DNS view, service group and description are displayed. Additionally, an edit service, delete service and edit service permissions buttons will be displayed to the right. If the currently authenticated user has NOT been assigned permission to manage services the edit service and delete service buttons will be disabled, and the view service permissions button will be displayed in place of the edit service permissions button.
The SERVICE STATUS section displays how many of the services configured service records are active, and when the service was last actioned - i.e. the last time service records were swapped or service TTL’s changed. A SWAP ACTIVE SERVICE RECORDS button is displayed to the bottom of the panel. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Upon clicking this button, the Swap active service records dialog will be displayed. See the ReDNS / Services / Swap Active Service Records section for details on this dialog and swapping the active service records for a service. A VIEW SWAP HISTORY link will also be displayed to the bottom of the panel, when clicked the Swap history page will be displayed for the service. See the ReDNS / Services / Swap History section for details on this page. If no swap has occurred yet, then No data available
will be displayed in the panel.
The BCP JOBS section displays a list of BCP jobs which have the service configured. Displayed to the right of each BCP job is a VIEW BCP JOB link, and when clicked the View BCP job page will be displayed for a BCP job. See the View BCP job page for details on this page.
The SERVICE RECORDS section displays a table containing the service records configured for the service and whether they are currently active in the underlying platform.
The following columns are displayed in the table for each service:
a-record
or cname-record
1 hour
, hovering over the field displays the number TTL in seconds, if the service record is configured not to override the DNS zone default TTL this will be the string Use DNS zone default
When a service record is active the service FQDN will be displayed to the left of the service record in the table in green. This is to indicate the service FQDN currently resolves to the service records specified target.
A search control is displayed to the top right of the table. Values in the search field will be matched against a service records record type or target.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of service records, and to control how many are displayed in a single page.
The button ADD A SERVICE RECORD will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services this button will be disabled. Upon clicking this button, the Add a service record dialog will be displayed. See the ReDNS / Services / Add a Service Record section for details on this dialog and adding service records.
The button CHECK SERVICE HEALTH will also be displayed to the top left of the table. Upon clicking this button, the Check service health dialog will be displayed. See the ReDNS / Services / Check Service Health section for details on this dialog and performing service health checks.
The button CHANGE SERVICE TTL’S will also be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Upon clicking this button, the Change service TTL’s dialog will be displayed. See the ReDNS / Services / Change Service TTL’s section for details on this dialog and changing service TTL’s.
Upon hovering over a row in the table edit service record and delete service record buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services these buttons will be disabled.
Upon clicking the edit service record button, the Edit service record dialog will be displayed. See the ReDNS / Services / Edit a Service Record section for details on this dialog and editing a service record.
Upon clicking the delete service record button the Delete service record dialog will be displayed. See the ReDNS / Services / Delete a Service Record section for details on this dialog and deleting a service record.
Services records are added using the Add a service record dialog. This can be accessed by clicking the ADD A SERVICE RECORD button displayed in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, this button will be disabled.
This dialog contains several tabs. The RECORD tab contains the following inputs:
a-record
- Use a DNS A resource record in the underlying platform to manage the service recordcname-record
- Use a DNS CNAME resource record in the underlying platform to manage the service recordhost-alias
- Use an alias on a host object in the underlying platform to manage the service recordhost-object
- Use a host object in the underlying platform to manage the service recorda-record
the IP address must be specified, when the record is active the Service FQDN will resolve to the value specifiedcname-record
a Fully Qualified Domain Name must be specified, when the service record is active the Service FQDN will resolve to the value specifiedhost-alias
the Fully Qualified Domain Name of the host object must be specified, when the service record is active the Service FQDN will resolve to the value specifiedhost-object
the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specified, when the record is active the Service FQDN will resolve to the value specifieda-record
this field is displayed, if selected, the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action fieldCreate the record when it is active and delete when in-active
from the underlying platform, or to Rename the record when in-active to a specified in-active FQDN
in the underlying platformRename the record when in-active to a specified in-active FQDN
this field will be enabled and required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not activeThe TTL tab contains the following inputs:
0
to 2147483647
can be specified, this field will be disabled unless the Select to override the DNS zone default TTL field is selectedOnce all required attributes have been specified the ADD button will be enabled, and once clicked the service record will be added.
Service records are edited using the Edit service record dialog. This can be accessed by clicking the edit service record button displayed to the left when hovering over a service record in the ReDNS / Services / View service page for a service. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
This dialog contains several tabs. The RECORD tab contains the following inputs:
a-record
- Use a DNS A resource record in the underlying platform to manage the service recordcname-record
- Use a DNS CNAME resource record in the underlying platform to manage the service recordhost-alias
- Use an alias on a host object in the underlying platform to manage the service recordhost-object
- Use a host object in the underlying platform to manage the service recorda-record
the IP address must be specified, when the record is active the Service FQDN will resolve to the value specifiedcname-record
a Fully Qualified Domain Name must be specified, when the service record is active the Service FQDN will resolve to the value specifiedhost-alias
the Fully Qualified Domain Name of the host object must be specified, when the service record is active the Service FQDN will resolve to the value specifiedhost-object
the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specified, when the record is active the Service FQDN will resolve to the value specifieda-record
this field is displayed, if selected, the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action fieldCreate the record when it is active and delete when in-active
from the underlying platform, or to Rename the record when in-active to a specified in-active FQDN
in the underlying platformRename the record when in-active to a specified in-active FQDN
this field will be enabled and required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not activeThe TTL tab contains the following inputs:
0
to 2147483647
can be specified, this field will be disabled unless the Select to override the DNS zone default TTL field is selectedClick the SAVE button to save changes to the service record.
NOTE This is a destructive operation which cannot be undone.
Service records are deleted using the Delete service record dialog. This can be accessed by clicking the delete service record button displayed to the left when hovering over a service record in the ReDNS / Services / View service page for a service. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
The delete dialog prompts whether the service record should be deleted.
Click the DELETE button to confirm the service record should be deleted, after which the service record will be deleted.
The health of a service and its configured service records can be checked using the Check service health dialog. This can be accessed by clicking the CHECK SERVICE HEALTH button displayed in the ReDNS / Services / View service page for a service.
During a service health check the underlying platform will be queried to understand the current state of the service and its service records. The service health check will attempt to identify issues which would prevent the successful swap of any of the configured service records. The service health check will also attempt to identify service records not configured in OneDDI.
Click the START SERVICE HEALTH CHECK button to perform the health check.
A progress bar is displayed and updated as the health check progresses. As issues are identified they will be displayed. Once the health check is complete, if no errors were found the progress bar will be coloured green and indicate that no issues were found. Otherwise the progress bar will be coloured red and indicate at least one issue was found.
For each issue found either an amber triangle or a red warning circle is displayed. Amber should be addressed, but they would not prevent the service from being successfully swapped. Red items are likely to prevent a service from being swapped successfully, and should be addressed.
Each issue identifies an issue with either one of the configured service records for a service, or the services Service FQDN itself. The exact item is displayed along with details of the issue. The following is an example issue:
In the above error an issue was identified with the service record which is configured with the record type of a-record
and the target IP address of 1.1.1.1.
. The service record is marked as active in OneDDI, but when consulting the underlying Infoblox platform no A record could be found for the Service FQDN of svc1.vendorn.com
which resolved to 1.1.1.1
.
This issue would prevent a successful swap of the service and would have to be addressed.
The TTL’s for all service records for a service can be changed using the Change service TTL’s dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S button displayed in the SERVICE RECORDS panel in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to change service TTL’s.
The Change service TTL’s dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress.
Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration. Two radio button options are presented, one must be selected. The first Configure all service records to use the following TTL
allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL
results in the existing TTL configuration being removed and the service records inheriting the DNS zone defaults TTL.
Once the new TTL configuration has been specified the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform to change service TTL’s. A table is displayed consisting of one row per service record, with the following columns:
Record type
- The record type for the service recordTarget
- A Fully Qualified Domain Name or IP address depending on what record type the service record is configured forNew TTL
- The TTL which the service record will be reconfigured to use, e.g. 1 hour
, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service record is configured to use the DNS zone default TTL this will be the string Use DNS zone default
Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service record it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all service records in this case. Otherwise, if not selected, the TTL change will stop at the first error.
Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.
During the TTL change each action is processed and a progress bar updated. Once complete, if the TTL change was successful the progress bar will turn green and indicate the TTL change completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the service records actioned and the outcome. If an error occurred actioning a service record the error will be displayed in the results table alongside the corresponding service record.
Once the TTL change is complete click the CLOSE button to close the dialog.
The active service records for a service can be swapped using the Swap active service records dialog. This can be accessed by clicking the SWAP ACTIVE SERVICE RECORDS button displayed in the SERVICE STATUS panel in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled.
The Swap active service records dialog displays a three step wizard which guides a user through selecting which service records should be active, reviewing the changes which will be made, and then executing each change while displaying progress.
Upon entering the wizard step 1, the Edit service records page, is displayed. This step can be used to select which service records should be active following the swap. The step is prepopulated with the service records currently active for the service. An EDIT SELECTED SERVICE RECORDS button is displayed to the bottom, which can be used to add and remove selected service records from the list.
Once the require service records have been selected the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform during the swap. A table is displayed with the following columns:
Action
- Either activate
indicating the service record is added or renamed so that the Service FQDN resolves to the service record following the swap, deactivate
indicating the service record is deleted or renamed so that the Service FQDN no longer resolves to the service record following the swap, or unchanged
indicating the service is already active and does not require activatingRecord type
- The record type for the service recordTarget
- A Fully Qualified Domain Name or IP address depending on what record type the service record is configured forSwap action
- A summary of what record will be added/renamed during the swap of the service recordOnce the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service record it should not prevent the swap from running to completion, attempting to swap all records. Otherwise, if not selected, the swap will stop at the first error.
Once a comment has been entered in the required Comment field the SWAP NOW button can be clicked after which step 3, the Process actions page will be displayed and the swap will start.
During the swap each action is processed and a progress bar updated. Once complete, if the swap was successful the progress bar will turn green and indicate the swap completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the service records actioned and the outcome. If an error occurred actioning a service record the error will be displayed in the results table alongside the corresponding service record.
Once the swap is complete click the CLOSE button to close the dialog.
The swap history for a service can be viewed under the Swap history page by clicking the VIEW SWAP HISTORY link displayed in the SERVICE STATUS panel in the ReDNS / Services / View service page for a service.
Each time a service record is activated or deactivated a swap audit event is recorded and associated with the service. In addition when service TTL’s are changed an audit event is also recorded. The Swap history page displays a table of the audit events for a specific service.
The following columns are displayed in the table for each audit event:
2 hours ago
, hovering over this field will result in a tooltip being displayed which shows the date and time in ISO formatactivate
, deactivate
or change-ttl
depending on what the audit event is for1 hour
, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service record is configured not to override the DNS zone default TTL at the time the service record was swapped this will be the string Use DNS zone default
Create marketplace.internal -> 1.1.1.1
or Change TTL for marketplace.internal -> 2.2.2.2
A search control is displayed to the top right of the table. Values in the search field will be matched against all displayed fields excluding the timestamp field.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of swap audit events, and to control how many are displayed in a single page.
Services are edited using the Edit service dialog. This can be accessed by clicking the edit service button displayed to the left when hovering over a service in the ReDNS / Services page, or displayed to the right of a service’s FQDN at the top of the ReDNS / Services / View service page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
This dialog contains the following inputs:
default
www.vendorn.com
Click the SAVE button to save changes to the service.
NOTE This is a destructive operation which cannot be undone.
Services are deleted using the Delete service dialog. This can be accessed by clicking the delete service button displayed to the left when hovering over a service in the ReDNS / Services page, or displayed to the right of a service’s FQDN at the top of the ReDNS / Services / View service page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
The delete dialog prompts whether the service should be deleted.
Click the DELETE button to confirm the service should be deleted, after which the service will be deleted.
Services records are viewed and managed under the ReDNS / Services / View service page by clicking the VIEW SERVICE link displayed to the right of a service in the ReDNS / Services page, or under the ReDNS / Service Records which can be accessed by clicking the ReDNS link in the top menu bar and clicking the Services records link.
The ReDNS / Service Records page will display a table of all defined services.
The following columns are displayed in the table for each service record:
www.vendorn.com
, for the service the service record relates toInternal Infoblox Grid
A search control is displayed to the top right of the table. Values in the search field will be matched against a services Service FQDN, DNS view, record type or target. Additionally, services records can be filtered by service group using the header of the service group column in the table.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.
The button IMPORT SERVICE RECORDS will be displayed to the top of the left of the table. If the currently authenticated user has NOT been assigned permission to manage services this button will be disabled. Upon clicking this button, the Import service records dialog will be displayed. See the ReDNS / Service records / Import Service Records section for details on this dialog and importing service records.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link, all service records will be exported to a CSV file and downloaded. See the ReDNS / Services Records / Export to CSV section for details on exporting service records.
The link VIEW SERVICE will be displayed to the right of each service record. Upon clicking this link, the View service page will be displayed for the service the service record relates to. See the ReDNS / Services / View service section for details on this page and viewing services.
Upon hovering over a row in the table edit service record, and delete service record buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services, the edit service record and delete service record buttons will be disabled.
Upon clicking the edit service record button, the Edit service record dialog will be displayed. See the ReDNS / Services / Edit a Service Record section for details on this dialog and editing a service record.
Upon clicking the delete service record button, the Delete service record dialog will be displayed. See the ReDNS / Services / Delete a Service Record section for details on this dialog and deleting a service record.
Service records are imported using the Import service records dialog. This can be accessed by clicking the IMPORT SERVICE RECORDS button displayed in the ReDNS / Service Records page, which can be accessed by clicking the ReDNS link in the top menu bar and clicking the Services records link. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.
Services are also imported using the Import service records dialog. During import, when a service record is added, if the service specified for the service record does not exist it will be automatically created before the service record is added. This means that a service record must be imported to be able to import a service.
In this dialog a CSV import file must be specified which contains the service records to be imported. The CSV import file should define one service record per line using the following fields:
FQDN,Connector,DNS view,Service group,Description,Record type,Target,Override zone TTL,TTL,Swap action,In-active FQDN,Is active
The FQDN
, Connector
, Service group
, DNS view
and Description
fields identify the corresponding service the service record is to be associated with. If the service already exists, the Service group
and Description
fields can be left blank. If the service does not yet exist it will be automatically created during import, therefore the first instance of the service in the CSV import file should have a value in the Service group
and Description
fields to set the service group and description for the automatically created service.
The remaining fields are required as follows:
a-record
- Use a DNS A resource record in the underlying platform to manage the service recordcname-record
- Use a DNS CNAME resource record in the underlying platform to manage the service recordhost-alias
- Use an alias on a host object in the underlying platform to manage the service recordhost-object
- Use a host object in the underlying platform to manage the service recorda-record
the IP address must be specified, if the Record type was specified as cname-record
a Fully Qualified Domain Name must be specified, if the Record type was specified as host-alias
the Fully Qualified Domain Name of the host object must be specified, if the Record type was specified as host-object
the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specifieda-record
, specify yes
if the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action fieldyes
to use the value specified in the TTL field for the DNS service records TTL, or no
to use the DNS zones default TTLyes
then this field is ignored, otherwise specify the TTL in seconds for the DNS service recorddelete
the service record from the underling platform when it is in-active (later adding again when it is made active), or whether to retain the service record but rename it to the specified In-active FQDN by specifying rename
for this fielddelete
this field will be ignored, otherwise the field is required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not activeyes
if the service is in an active state in the underlying platform, i.e. the service FQDN currently resolves to the target specified and is using the specified Record typeIf the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.
An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.
Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure an existing service record for the specified record type and target does not already exist. If an existing service record is found an error will be displayed.
Once successfully verified the IMPORT button can be clicked. Once clicked all service records will be added along with any services which are to be automatically created.
Service records are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / Service Records page. Upon clicking this link all service records for all services will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:
svc1.vendorn.com
.Internal Grid
.default
Network Apps
Public service
a-record
, cname-record
, host-alias
or host-object
yes
to indicate the TTL field contains the TTL used for the service record, or no
to indicate the DNS zone default TTL will be used for the service recordyes
this field contains the TTL used for the service record, otherwise this field contains the value 0
delete
to indicate service records are added and deleted when they are made active and in-active, or rename
to indicate service records are renamed from and to the Fully Qualified Domain Name specified in the In-active FQDN field when they are made active and in-activerename
this field contains the Fully Qualified Domain Name used by the service record when it is in-activeyes
to indicate the services Fully Qualified Domain Name currently resolves to the service record, otherwise this field will be no
Note when exporting service records, when a service has more than one service record the service will appear multiple times, once for each line - which will contain a service record.
BCP jobs are viewed and managed under the ReDNS / BCP Jobs page by clicking the ReDNS link displayed in the top menu bar and clicking the BCP jobs link.
The ReDNS / BCP Jobs page will display a table of all defined BCP jobs.
The following columns are displayed in the table for each BCP job:
A search control is displayed to the top right of the table. Values in the search field will be matched against the name and service groups fields.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of BCP jobs, and to control how many are displayed in a single page.
The button ADD A BCP JOB will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage BCP jobs, this button will be disabled. Upon clicking this button, the Add a BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Add a BCP Job section for details on this dialog and adding BCP jobs.
The link VIEW BCP JOB will be displayed to the right of each BCP job. Upon clicking this link the View BCP job page will be displayed for the BCP job. See the ReDNS / BCP Jobs / View BCP Job section for details on this page and viewing BCP jobs.
Upon hovering over a row in the table edit BCP job and delete BCP job buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage BCP jobs the edit BCP job and delete BCP job buttons will be disabled.
Upon clicking the edit BCP job button, the Edit BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Edit a BCP Job section for details on this dialog and editing a BCP job.
Upon clicking the delete BCP job button the Delete BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Delete a BCP Job section for details on this dialog and deleting a BCP job.
BCP jobs are added using the Add a BCP job dialog. This can be accessed by clicking the ADD A BCP JOB button displayed in the ReDNS / BCP Jobs page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.
This dialog contains the following inputs:
Once all required attributes have been specified the ADD button will be enabled, and once clicked the BCP job will be added.
Detailed information about a BCP job, its configuration and its progress can be accessed by clicking the VIEW BCP JOB link displayed to the right of a BCP job under the ReDNS / BCP jobs page.
The View BCP job page is divided into multiple sections.
At the top of the View BCP job page the BCP jobs name, no. services associated to the BCP job, and the failover/failback configuration status of all associated services are displayed. Additionally, an edit BCP job and delete BCP job button is be displayed to the right of the BCP job name. If the currently authenticated user has NOT been assigned permission to manage BCP jobs the edit BCP job and delete BCP job button will be disabled.
The PROGRESS section displays the progress for each action which will be performed for the BCP job for all services. If the BCP job has been configured to include a pre/post BCP TTL change action the progress section is divided into four sections, one for the pre-BCP TTL change, one for failover, one for failback and one for post-BCP TTL change. Otherwise the progress section is divided into two sections, one for failover and one for failback. In both cases each section displays a progress indicator of which services have had the related action completed.
The SERVICES section displays a table containing the services added to the BCP job, along with the progress for each BCP action for each service.
The following columns are displayed in the table for each service:
For the progress column, if an action has not yet been completed it can be clicked to display the Mark action as completed dialog. See the ReDNS / BCP Jobs / Mark BCP Action as Complete section for more details on skipping an action by marking it as already completed.
A search control is displayed to the top right of the table. Values in the search field will be matched against the service FQDN, DNS view, failover service records and the failback service records fields.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.
The button ADD SERVICES will be displayed to the top left of the table. Upon clicking this button, the Add BCP job services dialog will be displayed. See the ReDNS / BCP Jobs / Add BCP Job Services section for details on this dialog and adding services to a BCP job.
Upon hovering over a row in the table a configure service for failover and failback button will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to configure the service for failover and failback for the BCP job. Upon clicking this button, the Configure service for BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Configure a Service for Failover and Failback section for details on this dialog.
A checkbox is displayed to the left of each row in the services table. This can be used to select multiple services. Once at least one service is selected the ACTION SERVICES button displayed to the top of the table will be enabled. This menu contains actions to perform for BCP events, and to manage services. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the checkbox for the service will be disabled. Either permission is required to perform any of the actions under the ACTION SERVICES menu.
The DELETE SERVICES link under the MANAGE SERVICES section in the ACTION SERVICES menu can be used to delete services from the BCP job. Clicking this link will result in the Delete BCP job services dialog being displayed. See the ReDNS / BCP Jobs / Delete BCP Job Services section for details on this dialog.
The CHECK SERVICE HEALTH link under the MANAGE SERVICES section in the ACTION SERVICES menu can be used to check the health of services associated with the BCP job. Clicking this link will result in the Check service health dialog being displayed. See the ReDNS / BCP Jobs / Check Service Health section for details on this dialog.
The CHANGE SERVICE TTL’S link under the PRE-BCP ACTIONS section in the ACTION SERVICES menu can be used to change the TTL’s of one or more services, for example to reduce the TTL’s ahead of a planned BCP event. Clicking this link will result in the Change service TTL’s (pre-BCP) dialog being displayed. See the ReDNS / BCP Jobs / Change Service TTL’s (pre-BCP) section for details on this dialog. This link will be disabled if the failover action has been completed for one of the selected services already.
The FAILOVER SERVICES link under the BCP ACTIONS section in the ACTION SERVICES menu can be used to failover one or more services. Clicking this link will result in the Failover services dialog being displayed. See the ReDNS / BCP Jobs / Failover Services section for details on this dialog. This link will be disabled if the failover action has been completed for one of the selected services already.
The FAILBACK SERVICES link under the BCP ACTIONS section in the ACTION SERVICES menu can be used to failback one or more services. Clicking this link will result in the Failback services dialog being displayed. See the ReDNS / BCP Jobs / Failback Services section for details on this dialog. This link will be disabled if the failback action has been completed for one of the selected services already, or the failover action has not been completed for one of the selected services yet.
The CHANGE SERVICE TTL’S link under the POST-BCP ACTIONS_ section in the ACTION SERVICES menu can be used to change the TTL’s of one or more services, for example to increase the TTL’s following a planned BCP event. Clicking this link will result in the Change service TTL’s (post-BCP) dialog being displayed. See the ReDNS / BCP Jobs / Change Service TTL’s (post-BCP) section for details on this dialog. This link will be disabled if the failover action has not yet been completed for one of the selected services.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all services assigned to the BCP job will be exported to a CSV file and downloaded. See the ReDNS / BCP Jobs / Export to CSV section for details on exporting services.
Services are added to a BCP job using the Add BCP job services dialog. This can be accessed by clicking the ADD SERVICES button displayed in the View BCP job page for a BCP job.
This dialog will display a table of available services. Available services are ones which are not currently associated with the BCP job, and services the currently authenticated user has permissions to swap (either the currently authenticated user is part of a group with permissions to manage services, or is associated with a group that is specified in the services permissions).
The following columns are displayed in the table:
A search control is displayed to the top of the table. Values in the search field will be matched against a services Service FQDN or DNS view. Additionally, services can be filtered by service group using the header of the service group column in the table.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.
A checkbox is displayed to the left of each service, the checkbox of the services which should be added to the BCP job should be checked, then the ADD button should be clicked, after which the services will be added to the BCP job.
Services are deleted from a BCP job by clicking the DELETE SERVICES link under the MANAGE SERVICES section of the ACTION SERVICES menu displayed in the SERVICES panel in the View BCP job page for a BCP job, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to perform health checks for a service using this feature.
The Delete BCP job services dialog will display a table of the services which are to be deleted from the BCP job. The following columns are displayed in the table:
Click the DELETE to delete the services from the BCP job, after which the services will be deleted from the BCP job.
Services are configured for failover and failback using the Configure service for BCP job dialog. This can be accessed by clicking the configure button displayed to the left when hovering over a service in the View BCP job page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to configure the service for failover and failback.
This dialog contains two tabs. The FAILOVER SERVICE RECORDS tab contains the service records which should be made active when the failover action is performed for the service. The EDIT SELECTED SERVICE RECORDS button can be used to add or remove service records from the list.
The FAILBACK SERVICE RECORDS tab contains the service records which should be made active when the failback action is performed for the service. The EDIT SELECTED SERVICE RECORDS button can be used to add or remove service records from the list.
Click the SAVE button to save changes to the failover and failback configuration.
Services can be imported to a BCP job using the Import BCP job services dialog. This can be accessed by clicking the IMPORT SERVICES button displayed in the View BCP Job page.
In this dialog a CSV import file must be specified which contains the services to be imported to the BCP job. The CSV import file should define one services per line using the following fields:
FQDN,Connector,DNS view,Service group,Failover service records,Failback service records
All fields are required, excluding the service group field which is included to be compatible with the BCP job service CSV export format, as follows:
If the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.
An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.
Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure the services and service records specified exist and that the services don’t already exist on the BCP job. If an issue is identified an error will be displayed.
Once successfully verified the IMPORT button can be clicked. Once clicked all services will be added to the BCP job.
The services associated with a BCP job are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / BCP jobs / View BCP job_ page. Upon clicking this link all services associated with the BCP job will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:
The health of multiple services can be changed using the Check search health dialog. This can be accessed by clicking the CHECK SERVICE HEALTH link under the MANAGE SERVICES section of the ACTION SERVICES menu displayed in the SERVICES panel in the View BCP job page for a BCP job, once the services checkbox has been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to perform health checks for a service using this feature.
During a service health check the underlying platform will be queried to understand the current state of a service. The service health check will attempt to identify issues which would prevent the successful swap of any of the configured service records for each service.
Click the START SERVICE HEALTH CHECK button to perform the health check.
A progress bar is displayed and updated as the health check progresses. As issues are identified they will be displayed. Once the health check is complete, if no errors were found the progress bar will be coloured green and indicate that no issues were found. Otherwise the progress bar will be coloured red and indicate at least one issue was found.
A table will be also be displayed listing all the services which will be checked, with the following columns:
Service FQDN
- The services Fully Qualified Domain NameConnector
- The connector the service is associated withDNS view
- The DNS view the service is configured withStatus
- If no issues were identified complete
will be displayed, otherwise failed with error: At least one issue has been detected!
will be displayed and an toggle expand icon will be displayed which once clicked will display the errors identified for a serviceFor each issue found either an amber triangle or a red warning circle is displayed. Amber should be addressed, but they would not prevent the service from being successfully swapped. Red items are likely to prevent a service from being swapped successfully, and should be addressed.
Each issue identifies an issue with either one of the configured service records for a service, or the services Service FQDN itself. The exact item is displayed along with details of the issue. The following is an example issue:
In the above error an issue was identified with the service record which is configured with the record type of a-record
and the target IP address of 1.1.1.1.
. The service record is marked as active in OneDDI, but when consulting the underlying Infoblox platform no A record could be found for the Service FQDN of svc1.vendorn.com
which resolved to 1.1.1.1
.
This issue would prevent a successful swap of the service and would have to be addressed.
Before the failover action is completed for one or more services the TTL’s for the services can be changed using the Change service TTL’s (pre-BCP) dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S link under the PRE-BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to change service TTL’s.
The Change service TTL’s (pre-BCP) dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress.
Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration. Two radio button options are presented, one must be selected. The first Configure all services to use the following TTL
allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL
results in the existing TTL configuration being removed and the services inheriting the DNS zone defaults TTL.
Once the new TTL configuration has been specified the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform to change service TTL’s. A table is displayed consisting of one row per service, with the following columns:
Service FQDN
- The services Fully Qualified Domain NameConnector
- The connector the service is associated withDNS view
- The DNS view the service is configured withNew TTL
- The TTL which the service will be reconfigured to use, e.g.
1 hour
, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service is configured to use the DNS zone default TTL this will be the string Use DNS zone default
Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all services in this case. Otherwise, if not selected, the TTL change will stop at the first error.
Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.
During the TTL change each action is processed and a progress bar updated. Once complete, if the TTL change was successful the progress bar will turn green and indicate the TTL change completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the services actioned and the outcome. If an error occurred actioning a service the error will be displayed in the results table alongside the corresponding service.
Once the TTL change is complete click the CLOSE button to close the dialog.
The failover action can be completed for one or more services using the Failover services dialog. This can be accessed by clicking the FAILOVER SERVICES link under the BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If failover has already been completed for one of the selected services this link will be disabled. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to failover services.
The Failover services dialog displays a two step wizard which allows a user to review the changes which will be made, and then executing each change while displaying progress.
Upon entering the wizard step 1, the Review actions page, is displayed. This page presents which services the failover action will be performed for. A table is displayed consisting of one row per service, with the following columns:
Service FQDN
- The services Fully Qualified Domain NameConnector
- The connector the service is associated withDNS view
- The DNS view the service is configured withService group
- The service group associated with the serviceOnce the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the failover from running to completion, an attempt will be made to failover all services in this case. Otherwise, if not selected, failover will stop at the first error.
Once a comment has been entered in the required Comment field the FAILOVER NOW button can be clicked after which step 2, the Process actions page will be displayed and failover will start.
During failover each action is processed and a progress bar updated. Once complete, if failover was successful the progress bar will turn green and indicate the failover completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the services actioned and the outcome. If an error occurred actioning a service the error will be displayed in the results table alongside the corresponding service.
Once failover is complete click the CLOSE button to close the dialog.
The failback action can be completed for one or more services using the Failback services dialog. This can be accessed by clicking the FAILBACK SERVICES link under the BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If failover has NOT yet been completed for one of the selected services this link will be disabled. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to failback services.
The Failback services dialog displays a two step wizard which allows a user to review the changes which will be made, and then executing each change while displaying progress.
Upon entering the wizard step 1, the Review actions page, is displayed. This page presents which services the failback action will be performed for. A table is displayed consisting of one row per service, with the following columns:
Service FQDN
- The services Fully Qualified Domain NameConnector
- The connector the service is associated withDNS view
- The DNS view the service is configured withService group
- The service group associated with the serviceOnce the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the failback from running to completion, an attempt will be made to failback all services in this case. Otherwise, if not selected, failback will stop at the first error.
Once a comment has been entered in the required Comment field the FAILBACK NOW button can be clicked after which step 2, the Process actions page will be displayed and failback will start.
During failback each action is processed and a progress bar updated. Once complete, if failback was successful the progress bar will turn green and indicate the failback completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the services actioned and the outcome. If an error occurred actioning a service the error will be displayed in the results table alongside the corresponding service.
Once failback is complete click the CLOSE button to close the dialog.
Once the failover action has been completed for one or more services the TTL’s for the services can be changed using the Change service TTL’s (post-BCP) dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S link under the POST-BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to change service TTL’s.
The Change service TTL’s (post-BCP) dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress. Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration.
Before the new TTL configuration can be specified one of two radio buttons need to be selected. The Revert service TTL's to their previous values where possible
can be selected to indicate that the TTL’s in use by each service before they were changed using the change service TTL’s pre-BCP action should be used. Otherwise, to specify that all services must use a specified TTL, ignoring any TTL they may have been configured before failover, by selecting the Ignore the previous TTL values for all selected services and use the TTL configuration below
. If none of the selected services have had their TTL’s changed before failover, these two radio buttons will not be displayed.
Two radio button options are then presented to specify new TTL configuration, one must be selected. The first Configure all services to use the following TTL
allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL
results in the existing TTL configuration being removed and the services inheriting the DNS zone defaults TTL.
Once the new TTL configuration has been specified the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform to change service TTL’s. A table is displayed consisting of one row per service, with thefollowing columns:
Service FQDN
- The services Fully Qualified Domain NameConnector
- The connector the service is associated withDNS view
- The DNS view the service is configured withNew TTL
- The TTL which the service will be reconfigured to use, e.g.
1 hour
, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service is configured to use the DNS zone default TTL this will be the string Use DNS zone default
, if it was specified to use previous TTL’s if available in step 1, and the a previous TTL is available, the TTL will be displayed along with (previous TTL)
, i.e. an hour (previous TTL)
Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all services in this case. Otherwise, if not selected, the TTL change will stop at the first error.
Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.
During the TTL change each action is processed and a progress bar updated. Once complete, if the TTL change was successful the progress bar will turn green and indicate the TTL change completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.
A results table will also be displayed containing all the services actioned and the outcome. If an error occurred actioning a service the error will be displayed in the results table alongside the corresponding service.
Once the TTL change is complete click the CLOSE button to close the dialog.
A specific BCP action for a specific service can be skipped and mark as completed using the Mark action as completed dialog. This can be accessed by clicking the specific action icon displayed in the progress column for the service in the View BCP job page. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to mark BCP actions as complete for a service.
The mark complete dialog prompts whether the specified BCP action should be marked as completed for the service.
Click the APPLY button to confirm the specified BCP action should be marked as completed for the service, after which it will be marked as completed.
NOTE This is a destructive operation which cannot be undone.
BCP jobs can be reused. The current progress for a fully, or partially, completed BCP job can be reset using the Reset BCP job progress dialog. This can be accessed by clicking the reset BCP job progress button displayed to the right of a BCP job name at the top of the ReDNS / BCP Jobs / View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.
The reset progress dialog prompts whether BCP job progress should be reset.
Click the RESET button to confirm BCP job progress should be reset, after which BCP job progress will be reset.
BCP jobs are edited using the Edit BCP job dialog. This can be accessed by clicking the edit BCP job button displayed to the left when hovering over a service in the ReDNS / BCP jobs page, or displayed to the right of a BCP job name at the top of the View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.
This dialog contains the following inputs:
Click the SAVE button to save changes to the BCP.
NOTE This is a destructive operation which cannot be undone.
BCP jobs are deleted using the Delete BCP job dialog. This can be accessed by clicking the delete BCP job button displayed to the left when hovering over a BCP job in the ReDNS / BCP Jobs page, or displayed to the right of a BCP jobs name at the top of the ReDNS / BCP jobs / View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.
The delete dialog prompts whether the BCP job should be deleted.
Click the DELETE button to confirm the BCP job should be deleted, after which the BCP job will be deleted.
Connectors are viewed and managed under the ReDNS / Connectors page by clicking the ReDNS link displayed in the top menu bar and selecting the Connectors link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to manage or view connectors they will not be permitted access to this page.
The ReDNS / Connectors page will display a table of all defined connectors.
OneDDI supports connectors for the BlueCat Address Manager and Infoblox NIOS DDI platforms. An Infoblox connector manages the data for one Infoblox NIOS Grid. A BlueCat connector manages the data for one Configuration within one BlueCat Address Manager. Where data must be managed for two Configurations in a single BlueCat Address Manager instance then two BlueCat connectors must be created.
The following columns are displayed in the table for each connector:
bluecat
or infoblox
second host not configured
will be displayed in the second field, the management server currently being used (based on the configuration of the connector) will be highlighted in greenA search control is displayed to the top right of the table. Values in the search field will be matched against a connectors name or any of the key/value configuration items.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of connectors, and to control how many are displayed in a single page.
The button ADD A CONNECTOR will be displayed to the top left of the table. Upon clicking this button, the Add Connector dialog will be displayed. See the ReDNS / Connectors / Add a Connector section for details on this dialog and adding connectors.
Upon hovering over a row in the table edit connector and delete connector buttons will be displayed to the left.
Upon clicking the edit connector button, the Edit connector dialog will be displayed. See the ReDNS / Connectors / Edit a Connector section for details on this dialog and editing a connector.
Upon clicking the delete connector button, the Delete connector dialog will be displayed. See the ReDNS / Connectors / Delete a Connector section for details on this dialog and deleting a connector.
Connectors are added using the Add a connector dialog. This can be accessed by clicking the ADD A CONNECTOR button displayed in the ReDNS / Connectors page.
This dialog contains several tabs. The CONNECTOR tab contains the following inputs:
bluecat
or infoblox
depending on the required typegm.vendorn.com
gmc.vendorn.com
2.10
.443
Once all required attributes have been specified the TEST CONNECTIVITY button will be enabled, and once clicked some data is acquired from the first management server, and second management server if specified to verify network connector. The results from each check will be displayed.
The CREDENTIALS tab contains the following inputs:
NOTE For Infoblox, the specified user must have permission to read/write A records, CNAME records, Hosts and their Aliases. Additionally, the user must also have permission to read/write all IPv4 networks (this permission is required to manage the previous object types using the Infoblox API).
NOTE For BlueCat, the specified user must have read permission to the DNS views and DNS zones for which services will be managed, and full access to be able to create and delete Generic, Alias and Host Records. Additionally, the user must have the appropriate permissions so that changes are dynamically updated on DNS servers.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the connector will be added.
Connectors are edited using the Edit connector dialog. This can be accessed by clicking the edit connector button displayed to the left when hovering over a connector in the ReDNS / Connectors page.
This dialog contains several tabs. The CONNECTOR tab contains the following inputs:
bluecat
or infoblox
depending on the required typegm.vendorn.com
gmc.vendorn.com
2.10
.443
Once all required attributes have been specified the TEST CONNECTIVITY button will be enabled, and once clicked some data is acquired from the first management server, and second management server if specified to verify network connector. The results from each check will be displayed.
The CREDENTIALS tab contains the following inputs:
NOTE For Infoblox, the specified user must have permission to read/write A records, CNAME records, Hosts and their Aliases. Additionally, the user must also have permission to read/write all IPv4 networks (this permission is required to manage the previous object types using the Infoblox API).
NOTE For BlueCat, the specified user must have read permission to the DNS views and DNS zones for which services will be managed, and full access to be able to create and delete Generic, Alias and Host Records. Additionally, the user must have the appropriate permissions so that changes are dynamically updated on DNS servers.
Click the SAVE button to save changes to the connector.
NOTE This is a destructive operation which cannot be undone.
Connectors are deleted using the Delete Connector dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a connector in the ReDNS / Connectors page.
The delete dialog prompts whether the connector should be deleted.
Click the DELETE button to confirm the connector should be deleted, after which the connector will be deleted.
Devices are viewed and managed under the IPMeye page by clicking the IPMeye link displayed in the top menu bar.
The IPMeye page will display a table of all defined devices.
The following columns are displayed in the table for each device:
ibdevice1
10.0.0.1
623
A search control is displayed to the top right of the table. Values in the search field will be matched against a devices name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of devices, and to control how many are displayed in a single page.
The button ADD A DEVICE will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage devices this button will be disabled. Upon clicking this button, the Add a device dialog will be displayed. See the IPMeye / Add a Device section for details on this dialog and adding devices.
The button IMPORT DEVICES will be displayed to the top of the left of the table. If the currently authenticated user has NOT been assigned permission to manage devices this button will be disabled. Upon clicking this button, the Import devices dialog will be displayed. See the IPMeye / Import Devices section for details on this dialog and importing devices.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link, all devices will be exported to a CSV file and downloaded. See the IPMeye / Export to CSV section for details on exporting devices.
The link IPMI CONSOLE will be displayed to the right of each device. Upon clicking this link, the IPMI console page will be displayed for the device. See the IPMeye / IPMI Console section for details on this page and viewing a devices console.
If a SerialEyes module license is installed, the link SERIAL CONSOLE will be displayed to the right of each device. Upon clicking this link, the SerialEyes page will be displayed with the IP address and port fields populated from the device. See the SerialEyes / Connect to a Device section for details on this page.
Upon hovering over a row in the table edit device and delete device buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage devices these buttons will be disabled.
Upon clicking the edit device button the Edit device dialog will be displayed. See the IPMeye / Edit a Device section for details on this dialog and editing a device.
Upon clicking the delete device button the Delete device dialog will be displayed. See the IPMeye / Delete a Device section for details on this dialog and deleting a device.
Devices are added using the Add a device dialog. This can be accessed by clicking the ADD A DEVICE button displayed in the IPMeye page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.
This dialog contains the following inputs:
10.0.0.1
623
Once all required attributes have been specified the ADD button will be enabled, and once clicked the device will be added.
Devices are imported using the Import devices dialog. This can be accessed by clicking the IMPORT DEVICES button displayed in the IPMeye page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.
In this dialog a CSV import file must be specified which contains the devices to be imported. The CSV import file should define one device per line using the following fields:
Name,IP address,Port,IPMI username,IPMI password
The IPMI username and IPMI password fields are optional, and if not specified users will be prompted for IPMI credentials when required. The Port field is also optional, and if not specified the default IPMI port 623
will be used.
If the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.
An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.
Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure an existing device using the same name or IP address does not already exist. If an existing device is found an error will be displayed.
Once successfully verified the IMPORT button can be clicked. Once clicked all devices will be added.
Devices are exported to CSV using the EXPORT TO CSV link displayed in the IPMeye page.
Upon clicking this link all devices are exported to CSV and downloaded, with the resulting CSV file having the following fields:
Name
- Name of the device, i.e. device1
.IP address
- IP address used to connect to the device, i.e. 10.0.0.1
.Port
- IPMI port to use to connect to the device, i.e. 623
.A devices IPMI console can be accessed by clicking the IPMI CONSOLE link displayed to the right of a device under the IPMeye page.
Devices can be pre-configured with IPMI credentials so that OneDDI users do not have to obtain and work with IPMI credentials. If a devices IPMI credentials have not been pre-configured the user will be prompted for an IPMI username and password each time the IPMI console page is navigated to.
The IPMI console page is divided into multiple sections.
At the top of the IPMI console page the devices name, IP address, port and its IPMI connection status is displayed. Additionally, an edit device and delete device button will be displayed to the right. If the currently authenticated user has NOT been assigned permission to manage devices these buttons will be disabled.
The SYSTEM POWER section displays the current power status. If system power this field is colour green, otherwise the field is coloured black. A CONTROL POWER button is displayed to the right of the power status. If the currently authenticated user has NOT been assigned permission to control device power this button will be disabled. Upon clicking this button, the Control power dialog will be displayed. See the IPMeye / Control Power section for details on this dialog and controlling device power.
The IPMI COMMANDS section displays the ISSUE AN IPMI COMMAND button. Upon clicking this button, the Issue an IPMI command dialog will be displayed. See the IPMeye / Issue an IPMI Command section for details on this dialog and issuing IPMI commands.
The IPMI CONSOLE section displays the devices serial console. Upon navigating to this page, and no user including the current user is connected to it already, an attempt will automatically be made to connect to the devices serial console. If a user including the current user is already connected to the devices serial console a message will be displayed indicating this, and no attempt will be made to connect to it.
Following a successful connect to the devices serial console the DISCONNECT button will be displayed to the bottom of the serial console. Upon clicking this button the current open connection will be closed.
When not connected to a devices serial console the CONNECT button will be displayed to the bottom of the serial console. Upon clicking this button an attempt will be made to connect to the devices serial console.
A circular download button is displayed to the bottom right of the console. When clicked the content currently displayed in the console will be exported to a text file and downloaded.
Serial console output is displayed in real-time, any text sent to the devices connected serial console will be displayed as it is read. To send input to the serial console, simply enter text as you would in a typical console. If the currently authenticated user has NOT been assigned permission to control the devices IPMI console the user will not be permitted to interact with the console, only view its output.
After a period of inactivity, the connection to the serial console will automatically be closed.
Device power can be controlled using the Control power dialog. This can be accessed by clicking the CONTROL POWER button displayed under the SYSTEM POWER section when viewing a devices console.
One of the following commands can be selected from the Power command input:
power-on
- If system power is off it will be switched on.power-off
- If system power is on it will be switched off - this will result in a loss of power and the installed operating system will NOT be given the opportunity to perform a so called “clean shutdown”.power-reset
- If the system power is on a power-off
style command will first be issued. Next a power-on
style command will be issued.acpi-shutdown
- An ACPI event is issued to the installed operating system after which the operating system should perform a so called “clean shutdown”. This is different to a power-off
command in that the system will maintain power until the operating system has completed the shutdown.Once the desired power command is selected click the SEND COMMAND button, after which the selected command will be issued to the device. Following this it will take up to a minute for the system power to reflect the desired state.
Pre-determined IPMI commands can be issued using the Issue an IPMI command dialog. This can be accessed by clicking the ISSUE AN IPMI COMMAND button displayed under the IPMI COMMANDS section when viewing a devices console.
One of the following commands can be selected from the IPMI command input:
chassis-status
- Display some physical state parameters, e.g. power fault state, drive fault state and fan fault state.system-event-log-list
- Display the Baseboard Management Controllers (BMCs) system event log, this includes items such as power off/down events.sensor-list
- Display all hardware sensors and their current values, e.g. CPU temperature and fan speed.Once the desired IPMI command is selected click the SEND COMMAND button, after which the selected command will be issued to the device. The resulting output will be displayed in the dialog.
Devices are edited using the Edit a device dialog. This can be accessed by clicking the edit device button displayed to the left when hovering over a device in the IPMeye page, or displayed to the right of a devices IP address at the top of the IPMI console page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.
This dialog contains the following inputs:
10.0.0.1
623
Click the SAVE button to save changes to the device.
NOTE This is a destructive operation which cannot be undone.
Devices are deleted using the Delete a device dialog. This can be accessed by clicking the delete device button displayed to the left when hovering over a device in the IPMeye page, or displayed to the right of a devices IP address at the top of the IPMI console page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.
The delete dialog prompts whether the device should be deleted.
Click the DELETE button to confirm the device should be deleted, after which the device will be deleted.
Typically, a physical console server is used when connecting to a device’s physical serial port over the network. The console server would have a permanent physical connection to the device and a specific TCP port reserved such that protocols such as SSH or telnet would be used to connect to the physical console servers IP address using the device specific port. This would then provide access to the device’s physical serial port.
With SerialEyes no permanent physical console connection is required. Instead SerialEyes provides an on-demand connection by using a laptop, a bootable USB drive, and the OneDDI UI. The laptop acts as a secure conduit to OneDDI, allowing only specific users to connect to the devices serial port. A serial cable connects the laptop to a devices physical serial port, the laptop is booted from the USB drive which has the SerialEyes ISO image written to it, and then OneDDI is configured with the IP address and port that SerialEyes is now listening on.
When booting from the SerialEyes bootable USB drive the drive can contain a device specific SerialEyes configuration file which contains, among other items, the IP address on which it should listen for incoming connections. Alternatively, the parameters in the configuration file can be left unset. This will result in SerialEyes prompting for them on each boot. This allows a single USB drive to be used as a utility, along with a laptop, without having to plug the USB drive into another device to copy over a device specific configuration file each time SerialEyes is used.
The IP address used by SerialEyes can be any unused IP address, and is specified at connect time. For convenience, a devices existing IP address could be used, i.e. a management IP address, so long as the device is not using this IP address when SerialEyes is booted.
For example, for devices which support IPMI, the ethernet cable can be removed from the devices IPMI ethernet port and used along with the devices IPMI IP address and port. Once the device has been accessed and configured, the IPMI ethernet cable can be re-plugged back into the devices IPMI ethernet port. This provides seamless experience for deploying new devices, RMA and device re-initialisation scenarios.
SerialEyes uses a UDP port to listen for incoming connections, and by default uses UDP port 623, which is the default IPMI port. The IPMeye module in OneDDI will detect when a SerialEyes instance is using the IPMI IP address configured for a device in OneDDI and will display a status of “SerialEyes instance detected” under the IPMeye page.
To use SerialEyes two resources are required. One is an on-site engineer who has physical access to the device and will physically plug into the device’s physical serial port. The second is a OneDDI user who will access the devices physical serial port remotely using the SerialEyes features in OneDDI and will typically be someone with knowledge of the device and software it runs - i.e. the on-site engineer does not need any product specific knowledge for each device they are connecting SerialEyes to.
Connecting to a device using SerialEyes is accessed under the SerialEyes page by clicking the SerialEyes link displayed in the top menu bar.
When navigating to the SerialEyes page a three-step wizard is displayed which provides guidance on connecting SerialEyes to a device.
If a device was previously connected to and the page reloaded this page will be displayed again, in which case, simply enter the IP address, UDP port and connection key previously specified when creating a SerialEyes configuration file. Then click the VERIFY CONNECTIVITY button to view the devices serial port.
If the on-site engineer will enter SerialEyes configuration parameters when booting SerialEyes from the USB drive (e.g. IP address, UDP port, subnet mask, default gateway and connection key), there is no need to click the CREATE A SERIALEYES CONFIGURATION FILE button. In this case, simply enter the IP address, UDP port and connection key that will be used by SerialEyes.
Otherwise, click the CREATE A SERIALEYES CONFIGURATION FILE button after which the Create a SerialEyes Configuration File dialog will be displayed. In this dialog enter the parameters which will be used by SerialEyes when it is booted and click the CREATE AND DOWNLOAD button. Note that while a default connection key is suggested it is not required to use this key, and in fact the key can be anything the user wishes. However, it is advised that a different key be used each time SerialEyes is booted to improve security.
Next, an on-site engineer should be provided either a SerialEyes configuration file or the IP address, UDP and connection key specified in OneDDI. For the latter, the on-site engineer will also need to know the subnet mask and default gateway which SerialEyes should use on boot.
The on-site engineer should then follow the Connect SerialEyes Guide to use the SerialEyes configuration file, or parameters, to boot SerialEyes using the USB drive and laptop. This guide will identify how the on-site engineer can know that SerialEyes is booted and ready for connections.
Once the on-site engineer has confirmed SerialEyes is ready, click the VERIFY CONNECTIVITY button and after a successful check the SerialEyes / Serial Console page will be displayed.
The Serial console page is displayed following a successful connectivity check by clicking the VERIFY CONNECTIVITY button under the SerialEyes / Connect to Device page.
At the top of the Serial console page the IP address and UDP port used to connect to a device are displayed, along with the serial port connection status.
The SERIAL CONSOLE section displays the devices serial console. Upon navigating to this page, the CONNECT TO SERIAL PORT dialog will be displayed. The desired serial port and parameters should be selected and the CONNECT button clicked.
Following a successful connect to the specified serial port the DISCONNECT button will be displayed to the bottom of the serial console. Upon clicking this button, the serial port will be closed.
When not connected to a devices serial port the CONNECT TO SERIAL PORT button will be displayed to the bottom of the serial console again.
A circular download button is displayed to the bottom right of the console. When clicked the content currently displayed in the console will be exported to a text file and downloaded.
Serial console output is displayed in real-time, any text sent to the devices connected serial port will be displayed as it is read. To send input to the serial port, simply enter text as you would in a typical console. If the currently authenticated user has NOT been assigned permission to control the SerialEyes serial console the user will not be permitted to interact with the console, only view its output.
Users are viewed and managed under the Settings / Users page by clicking the Settings link displayed in the top menu bar and selecting the Users link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to manage or view users they will not be permitted access to this page.
NOTE All users are equal, including the default admin
user. User permissions are determined based on a users’ assigned groups and the permissions configured in all those groups.
The Settings / Users page will display a table of all defined users.
The following columns are displayed in the table for each user:
A search control is displayed to the top right of the table. Values in the search field will be matched against a user’s username.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of users, and to control how many aredisplayed in a single page.
The button ADD A USER will be displayed to the top left of the table. Upon clicking this button, the Add a user dialog will be displayed. See the Settings / Add a User section for details on this dialog and adding users.
Upon hovering over a row in the table edit user and delete user buttons will be displayed to the left.
Upon clicking the edit user button, the Edit user dialog will be displayed. See the Settings / Users / Edit a User section for details on this dialog and editing a user.
Upon clicking the delete user button, the Delete user dialog will be displayed. See the Settings / Users / Delete a User section for details on this dialog and deleting a user.
Users are added using the Add a user dialog. This can be accessed by clicking the ADD A USER button displayed in the Settings / Users page.
This dialog contains several tabs. The USER tab contains the following inputs:
Below these inputs a GROUPS tab will be displayed where groups the user is associated with can be configured. The EDIT SELECTED GROUPS button can used change the current selection.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the user will be added.
Users are edited using the Edit a user dialog. This can be accessed by clicking the edit user button displayed to the left when hovering over n user in the Settings / Users page.
This dialog contains several tabs. The USER tab contains the following inputs:
Below these inputs a GROUPS tab will be displayed where groups the user is associated with can be configured. The EDIT SELECTED GROUPS button can used change the current selection.
Click the SAVE button to save changes to the user.
NOTE This is a destructive operation which cannot be undone.
Users are deleted using the Delete a user dialog. This can be accessed by clicking the delete user button displayed to the left when hovering over a user in the Settings / Users page.
The delete dialog prompts whether the user should be deleted.
Click the DELETE button to confirm the user should be deleted, after which the user will be deleted.
Groups are viewed and managed under the Settings / Groups page by clicking the Settings link displayed in the top menu bar and selecting the Groups link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to manage or view groups they will not be permitted access to this page.
The Settings / Groups page will display a table of all defined groups.
The following columns are displayed in the table for each group:
A search control is displayed to the top right of the table. Values in the search field will be matched against a group’s name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of groups, and to control how many are displayed in a single page.
The button ADD A GROUP will be displayed to the top left of the table. Upon clicking this button, the Add a group dialog will be displayed. See the Settings / Add a Group section for details on this dialog and adding groups.
Upon hovering over a row in the table edit group and delete group buttons will be displayed to the left.
Upon clicking the edit group button, the Edit group dialog will be displayed. See the Settings / Groups / Edit a Group section for details on this dialog and editing a group.
Upon clicking the delete group button, the Delete group dialog will be displayed. See the Settings / Groups / Delete a Group section for details on this dialog and deleting a group.
By default, a group is configured to permit read-only access to every module by using the following permission set:
view-ipmeye
view-redns
view-serialeyes
view-vision
The following is a list of all the permissions which can be assigned to a group:
view-ad-authentication
- Enable read access to AD authentication managementview-audit-log
- Enable read access to the audit logview-groups
- Enable read access to group managementview-license
- Enable read access to license managementview-redundancy
- Enable read access to redundancy managementview-users
- Enable read access to user managementmanage-ad-authentication
- Enable the management of Active Directory authenticationmanage-groups
- Enable the management of groupsmanage-license
- Enable license managementmanage-redundancy
- Enable the management of replication and failovermanage-users
- Enable the management of usersview-vision
- Enable read access to all featuresmanage-device-groups
- Enable read access to device group managementmanage-dns-servers
- Enable read access to DNS server managementmanage-network-views
- Enable read access to network view managementmanage-saved-searches
- Enable read access to saved search managementmanage-sensors
- Enable read access to sensor managementmanage-siem-connectors
- Enable read access to SIEM connector managementview-connectors
- Enable read access to connector managementview-redns
- Enable read access to all featuresmanage-bcp-jobs
- Enable the management of BCP jobsmanage-connectors
- Enable the management of connectorsmanage-services
- Enable the management of servicesview-ipmeye
- Enable read access to thecontrol-device-ipmi-console
- Enable the use of the consolecontrol-device-ipmi-power
- Enable the control of devices powermanage-devices
- Enable the management of devicesview-serialeyes
- Enable read access to all featurescontrol-serialeyes-console
- Enable the use of the consoleGroups are added using the Add a group dialog. This can be accessed by clicking the ADD A GROUP button displayed in the Settings / Groups page.
This dialog contains several tabs. The GROUP tab contains the following inputs:
Using the PERMISSIONS tab, permissions which users associated with the group should inherit can be configured. The EDIT SELECTED PERMISSIONS button can used change the current selection. See the Settings / Groups / Available Permissions section to see what permissions are available.
Using the USERS tab, users which should be associated with the group can be configured. The EDIT SELECTED USERS button can used change the current selection.
Using the SERVICES tab, services which users associated with the group should be permitted to swap the active service records for can be configured. The EDIT SELECTED SERVICES button can used change the current selection.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the group will be added.
Groups are edited using the Edit a group dialog. This can be accessed by clicking the edit group button displayed to the left when hovering over a group in the Settings / Groups page.
This dialog contains several tabs. The GROUP tab contains the following inputs:
Using the PERMISSIONS tab, permissions which users associated with the group should inherit can be configured. The EDIT SELECTED PERMISSIONS button can used change the current selection. See the Settings / Groups / Available Permissions section to see what permissions are available.
Using the USERS tab, users which should be associated with the group can be configured. The EDIT SELECTED USERS button can used change the current selection.
Using the SERVICES tab, services which users associated with the group should be permitted to swap the active service records for can be configured. The EDIT SELECTED SERVICES button can used change the current selection.
Click the SAVE button to save changes to the group.
NOTE This is a destructive operation which cannot be undone.
Groups are deleted using the Delete a group dialog. This can be accessed by clicking the delete group button displayed to the left when hovering over a group in the Settings / Groups page.
The delete dialog prompts whether the group should be deleted.
Click the DELETE button to confirm the group should be deleted, after which the group will be deleted.
The Active Directory (AD) domains used for AD authentication are viewed and managed under the Settings / AD Authentication page by clicking the Settings link displayed in the top menu bar and selecting the_AD Authentication_ link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to manage or view AD authentication, they will not be permitted access to this page.
Once configured, a user from a configured AD domain can access the WebUI by appending the domains DNS name to their username during authentication. For example, the user stephen
in the AD domain vendorn.com
would specify stephen@vendorn.com
for their username at the OneDDI login page.
Following successful authentication, the users’ assigned AD groups will be matched with the names of the groups defined in OneDDI. If at least one group is not matched, then the user will not be permitted to access OneDDI - resulting in an invalid username/password type error.
Once authenticated, and the users’ groups discovered, the user will inherit the permissions from the matched OneDDI groups.
The Settings / AD Authentication page will display a table of all defined AD domains.
The following columns are displayed in the table for each user:
vendorn.com
for the username stephen@vendorn.com
192.168.1.28 192.168.1.29:1234
A search control is displayed to the top right of the table. Values in the search field will be matched against an AD domains DNS name.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of AD domains, and to control how many are displayed in a single page.
The button ADD AN AD DOMAIN will be displayed to the top left of the table. Upon clicking this button, the Add an AD domain dialog will be displayed. See the Settings / AD Authentication / Add an AD domain section for details on this dialog and adding AD domains.
Upon hovering over a row in the table edit AD domain and delete AD domain buttons will be displayed to the left.
Upon clicking the edit AD domain button, the Edit AD domain dialog will be displayed. See the Settings / AD Authentication / Edit an AD domain section for details on this dialog and editing an AD domain.
Upon clicking the delete AD domain button, the Delete AD domain dialog will be displayed. See the Settings / AD Authentication / Delete an AD domain section for details on this dialog and deleting an AD domain.
AD domains are added using the Add an AD domain dialog. This can be accessed by clicking the ADD AN AD DOMAIN button displayed in the Settings / AD Authentication page.
This dialog contains the following inputs:
vendorn.com
for the username stephen@vendorn.com
:<port>
e.g. ad1.internal
or ad2.internal:636
.Once all required attributes have been specified the TEST DOMAIN CONTROLLERS button will be enabled, and once clicked a TLS connection will be opened to each specified DC to verify the connection to each. The results from each check will be displayed.
Once all required attributes have been specified the ADD button will be enabled, and once clicked the AD domain will be added.
AD domains are edited using the Edit an AD Domain dialog. This can be accessed by clicking the edit AD domain button displayed to the left when hovering over an AD domain in the Settings / AD Authentication page.
This dialog contains the following inputs:
vendorn.com
for the username stephen@vendorn.com
:<port>
e.g. ad1.internal
or ad2.internal:636
.Once all required attributes have been specified the TEST DOMAIN CONTROLLERS button will be enabled, and once clicked a TLS connection will be opened toeach specified DC to verify the connection to each. The results from each check will be displayed.
Click the SAVE button to save changes to the AD domain.
NOTE This is a destructive operation which cannot be undone.
AD domains are deleted using the Delete an AD Domain dialog. This can be accessed by clicking the delete AD domain button displayed to the left when hovering over an AD domain in the Settings / AD Authentication page.
The delete dialog prompts whether the AD domain should be deleted.
Click the DELETE button to confirm the AD domain should be deleted, after which the AD domain will be deleted.
Two OneDDI instances are required to form a replication pair. One instance is active and replicates changes to the other standby instance. Once configured a standby instance will connect to its configured peer, the active instance, to receive and apply replication changes to its database.
The entire contents of the OneDDI database is replicated. The OneDDI database is divided into two different databases. The Master Database contains all application data with the exception of the DNS activity history data tracked by the OneDDI Vision module. DNS activity history data is stored in the second database, the Vision Database.
The following items, which are not stored in OneDDI database, are not replicated - these are specific to each OneDDI instance:
/opt/oneddi/config
directory on the OneDDI serverReplication utilises the HTTPS connection already provided by the OneDDI server. The standby peer will connect to the active peer and wait for replication changes, i.e. the connection will remain open and ready for further replication changes.
All changes, regardless of whether the standby peer is connected to the active peer or not, are queued for replication. For the Master Database, if the standby peer is connected, the change is immediately sent to it and removed from the replication change queue. If the standby is not connected, replication changes will remain in the replication queue until the standby next connects to the active peer, after which it will request and process all changes in the replication queue. Changes to the Vision Database are replicated periodically based on a administrator specified frequency.
Replication configuration is stored in the /opt/oneddi/config/replication.json
file on the OneDDI server. On both the active and standby instances this file includes the following:
An encrypted connection key is also found in this file. This key is used by both the active and standby peers to authenticate their communication. This key is sensitive and should not be transferred off the hosts in any way, or even copied out of this file.
In addition to using the connection key to authenticate communication, the peer IP address configured in the above file is used to implement an IP access control list for all replication communication to an instance. Any connections not from the peer IP address configured, or the loopback address 127.0.0.1
, will be automatically closed and rejected.
There are two methods by which replication can be managed. If the active peer is available, the Settings / Redundancy page in the WebUI of the active peer can be used to perform the following:
If the active peer is not available and replication needs to be failed over to the standby peer, or replication must be deconfigured on the standby peer, the replication command must be used. The replication command and its usage are provided under the Redundancy / Replication section in the Admin Guide.
Replication is managed under the Settings / Redundancy page by clicking the Settings link displayed in the top menu bar and selecting the Redundancy link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to view or manage redundancy, they will not be permitted access to this page.
If replication has not been configured the button CONFIGURE REPLICATION will be displayed. Upon clicking this button, the Configure replication dialog will be displayed. See the Settings / Redundancy / Configure Replication section for details on configuring replication.
If replication has been configured four sections of information will be displayed to show replication configuration status and health.
The Configuration section will identify the IP address and HTTPS ports of the active and standby peers. The DECONFIGURE REPLICATION button will also be displayed. Upon clicking this button, the Deconfigure Replication dialog will be displayed. See the Settings / Redundancy / Deconfigure Replication section for details on deconfiguring replication.
The Standby peer status section displays the overall health of the standby peer and if it is processing all replication changes. The FAILOVER TO STANDBY PEER button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Failover to standby peer dialog will be displayed. See the Settings / Redundancy / Failover to Standby Peer section for details on failing over to the standby peer.
The Master database section displays the Master Database health of the standby peer and how many replication changes are queued. The SYNCHRONISE STANDBY PEER MASTER DATABASE button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Synchronise standby peer master database dialog will be displayed. See the Settings / Redundancy / Synchronise Standby Peer Master Database section for details on synchronising the Master Database to standby peer database.
The Vision database section displays the Vision Database health of the standby peer and when a synchronisation will next take place. The SYNCHRONISE STANDBY PEER VISION DATABASE button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Synchronise standby peer vision database dialog will be displayed. See the Settings / Redundancy / Synchronise Standby Peer Vision Database section for details on synchronising the Vision Database to standby peer database.
Replication to another OneDDI instance can be performed using the Configure replication dialog which is accessed by clicking the CONFIGURE REPLICATION button displayed in the Settings / Redundancy page. If replication is already configured this button will not be displayed.
Two OneDDI instances are required to form a replication pair. One instance will be active and will replicate changes to the other standby peer. Both instances should be up and accessible and both should have their OneDDI product licenses installed.
The following actions will be taken to configure replication:
Once configured the standby instance will connect to the active instance to receive replication changes.
The Configure replication dialog displays a six step wizard which guides a user through configuring the active and standby peers, verifying replication can be configured on both, and then executing the required changes to configure replication on both the active and standby peers.
Step 1 in the dialog, the Start page, provides a brief overview of what will be performed to configure replication.
Click the NEXT button to continue to step 2, the Standby peer page. In this page the IP address and HTTPS port of the standby peer must be entered. The IP address can be any configured on the standby peer and the HTTPS port must be the port the WebUI is accessible via. Additionally, once configured, when users access the standby peer they will be redirected to the active peer using the IP address and HTTPS port of the active peer which will be entered in the next step of the wizard. This can be overridden by entering a URL in the Standby redirect URL field.
Click the NEXT button to continue to step 3, the Active peer page. In this page the IP address and HTTPS port of the active peer must be entered. These parameters are used to configure the IP address and HTTPS port the standby peer should use to connect to the active peer. The IP address can be any configured IP address on the active peer and the HTTPS port must be port the WebUI is accessible via. By default, the IP address and port the WebUI is currently being access through will be suggested. Additionally, once configured, when users access the active peer after a failover to the standby peer is performed (mean it is now the standby peer) they will be redirected to the active peer using the IP address and HTTPS port of the standby peer configured in the previous step of the wizard. This can be overridden by entering a URL in the Standby redirect URL field.
Click the NEXT button to continue to step 4, the Configure page. Changes to the OneDDI Master database are replicated between peers in real-time. Due to its potentially large size, and the high volume of updates it can receive, the OneDDI Vision database is periodically synchronised between peers. In this page the frequency with which changes to the Vision Database should replicated to the standby peer is configured.
Click the NEXT button to continue to step 5, the Verify page. In this page the username and password for a user which currently exists on the standby peer must be entered. The specified user must be associated with a group which has the manage-redundancy
permission assigned. The user will be used to verify replication can be configured, that connectivity between the active and standby peers is working (in both directions), and once APPLY NOW is clicked, it will also be used to configure replication on the standby peer. Click the VERIFY CONFIGURATION button to contact to the standby peer and verify replication can be configured. Any errors discovered during verification will be displayed. Once verification is successful the APPLY NOW button will be enabled.
Click the APPLY NOW button to configure replication on both the active and standby peers. After replication has been configured the Configure replication dialog will then be closed.
If replication has been configured, failover to a standby peer can be performed using the Failover to standby peer dialog which is accessed by clicking the FAILOVER TO STANDBY PEER button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.
If failover to a standby peer must be performed when the active peer is not available, i.e. during a disaster recovery scenario, the replication command must be used since the WebUI cannot be accessed on standby instances. In this case refer to the Redundancy / Replication section in the Admin Guide.
The following actions will be taken to failover to the standby peer:
Following failover, the new standby peer will synchronise its database with the new active peer.
To failover to the standby peer simply click the FAILOVER button. Once failover is complete the WebUI is redirected to the newly active peer.
Replication can be deconfigured using the Deconfigure replication dialog which is accessed by clicking the DECONFIGURE REPLICATION button displayed in the Settings / Redundancy page.
If the peer which needs to be deconfigured is the standby peer, the replication command must be used since the WebUI cannot be accessed on standby instances. In this case refer to the Redundancy / Replication section in the Admin Guide.
The following actions will be taken to deconfigure replication:
If the Select to also deconfigure replication on the standby peer select is selected, replication will be deconfigured on the standby peer, otherwise the standby peer will not be deconfigured - this is useful if the standby peer is unreacahable.
Once deconfigured both active and standby peers will be standalone instances and have their own independent copy of the current database.
To deconfigure replication simply click the DECONFIGURE button. Once deconfigured the Deconfigure replication dialog will then be closed.
If replication has been configured, the Master Database for a standby peer can be synchronised on demand using the Synchronise standby peer master database dialog which is accessed by clicking the SYNCHRONISE STANDBY PEER VISION DATABASE button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.
Under exceptional circumstances the standby peer Master Database may become out-of-sync with the active peer. In this case the standby peer will attempt to perform a full Master Database synchronisation itself, but if this fails it can no longer accept replication changes from the active peer, and a message will be displayed under the Master database section in the Settings / Redundancy page indicating an attempt to apply a change failed.
Users can attempt to resolve this problem by synchronising the standby peer’s Master Database. This will overwrite the standby peer Master Database with a copy of the Master Database from the active peer, essentially removing any issues being reported at that point.
To synchronise the peer Master Database simply click the SYNCHRONISE button. The standby peer Master Database will then be synchronised, and once complete, the Synchronise standby peer master database will then be closed.
If replication has been configured, the Vision Database for a standby peer can be synchronised on demand using the Synchronise standby peer vision database dialog which is accessed by clicking the SYNCHRONISE STANDBY PEER VISION DATABASE button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.
Under exceptional circumstances the standby peer Vision Database may become out-of-sync with the active peer. In this case the standby peer will attempt to perform a full Vision Database synchronisation itself, but if this fails it can no longer accept replication changes from the active peer, and a message will be displayed under the Vision database section in the Settings / Redundancy page indicating an attempt to apply a change failed.
Users can attempt to resolve this problem by synchronising the standby peer’s Vision Database. This will overwrite the standby peer Vision Database with a copy of the Vision Database from the active peer, essentially removing any issues being reported at that point.
To synchronise the peer Vision Database simply click the SYNCHRONISE button. The standby peer Vision Database will then be synchronised, and once complete, the Synchronise standby peer vision database will then be closed.
The product license can be viewed under the Settings / License page by clicking the Settings link displayed in the top menu bar and selecting the License link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to manage or view the product license, they will not be permitted access to this page.
A product license has several attributes which specify for example when it was created and to which customer it was issued. Along with these attributes, each license will contain a list of modules which are licensed. Each licensed module has its own valid from and valid to date. This allows customers to evaluate new product modules on their existing installation without it affecting their existing modules.
A complete new license will be issued to add new modules, i.e. only a single license is ever installed with the licensed modules specified by that single license, and this will include any modules being evaluated.
Product licenses are bound to one more IP addresses. When validating a license, the licensed IP addresses will be checked against the locally configured IP addresses and if one is not matched the license will be considered invalid.
If a valid product license has been applied, details of the license will be displayed on the left of this page with the customer the license has been issued to being displayed at the top.
Below the customer name, the following license attributes will be displayed:
c1055315-bb04-4bca-a507-97414e7c8fec
2020-02-01T00:00:00Z / a month ago
192.168.1.12 192.168.1.13
standalone
or enterprise
, enterprise licenses are unrestricted where standalone licenses have the following restrictions:
To the right of the page a list of licensed modules will be displayed in a table. The following columns will be displayed for each licensed module:
vision
2020-02-01T00:00:00Z / a month ago
2020-03-31T23:59:59Z / in a month
Valid
will be displayed, if the license has not yet expired but will expire soon relative to the licensed period, an amber exclamation icon and the text Expires soon
will be displayed, and if the license has expired a red exclamation icon and the text Expired
will be displayedThe button APPLY A LICENSE will be displayed to the bottom of the license detail. Upon clicking this button, the Apply a license dialog will be displayed. See the Settings / Apply a License section for details on this dialog and applying a license.
A product license can be applied using the Apply a license dialog. This can be accessed by clicking the APPLY A LICENSE button displayed in the Settings / Product License page.
This dialog contains the following inputs:
Once all required attributes have been specified click the VERIFY button, after which the license will be verified.
Following successful license verification, the APPLY button will be enabled. Clicking the APPLY button will apply the license and replace the existing product license.
The application audit log can be viewed under the Settings / Audit log page by clicking the Settings link displayed in the top menu bar and selecting the Audit log link displayed in the dropdown menu.
If the currently authenticated user NOT been assigned permission to view the audit log, they will not be permitted access to this page.
All actions performed in the OneDDI WebUI which create side-effects are audited. Audit events are created in the application audit log. In addition, all audit events are recorded to the system log file. Each message uses the following format:
AuditEntry: timestamp=<timestamp> host=<ip-address>:<port> username=<username> action=<action> detail=<json-detail>
The following is an example audit event logged to the system log:
AuditEntry: timestamp=2020-04-01T20:37:29Z host=192.168.68.164:55031 username=stephen action=ConnectDeviceIpmiConsole detail={"id":"953727ab-a2d9-4c11-9370-fb64429a860c","name":"ibdevice1","ipAddress":"86.15.69.51","port":623}
The Settings / Audit log page will display a table of audit events. The following columns are displayed in the table for each event:
ConnectDeviceIpmiConsole
or AddDevice
A search control is displayed to the top right of the table. Values in the search field will be matched against the host, username, action, or detail fields.
Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.
The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all audit entries will be exported to a CSV file and downloaded. The CSV file will contain the same fields as the table.