User Guide

OneDDI 3.7.1

Introduction
Accessing the User Interface
Working with the User Interface
Change My Password
Vision
ReDNS
IPMeye
SerialEyes
Settings

Introduction

The VendorN Ltd OneDDI product (OneDDI) is a centralised software application which hosts several modules. The Vision module provides long-term access to DNS activity history. The ReDNS module allows service owners to control their DNS records. The IPMeye module provides centralised remote power management and console access using the IPMI protocol. The SerialEyes module provides centralised remote physical serial port access via non-dedicated hardware.

This document details all the features provided by the OneDDI Web User Interface (WebUI).

Accessing the User Interface

The OneDDI WebUI is provided by the OneDDI server. By default the application is available using HTTPS using TCP port 443 and can be accessed using the following URL:

https://<ip-address-or-hostname>

Once the WebUI has initially loaded the Login page will be displayed.

NOTE If replication has been configured by an administrator, and the instance being connected to is not an active peer, the user will be redirected to the active peer as per the replication configuration.

Above the login form on the Login page a configurable Message of the Day (MOTD) will be displayed.

Below the MOTD the login form will be displayed, where a username and password can be entered to login.

A product administrator will confirm the credentials to use when accessing the WebUI. Once these have been entered, and authentication was successful, the first licensed module the user has permissions to access will be displayed.

NOTE If a specific WebUI page has been requested that page will be displayed following successful login.

Working with the User Interface

After successful login to the first licensed module the user has permissions to access will be displayed. At the top of each page a menu bar will be displayed. This will have links to the main features of the application, and menu containing product help and the production administration links.

The menu bar is mostly self-explanatory, the product is generally split into the following areas:

Vision - View DNS activity history, events and live DNS queries
ReDNS - Manage services, service records and BCP jobs, and swap records
IPMeye - Manage devices, view device consoles and control power using the IPMI protocol
SerialEyes - Connect to a device’s physical serial port over the network
Settings - Manage users, groups, Active Directory authentication, redundancy, license, and view the OneDDI audit log

Displayed furthest to the right in the menu bar will be a user action menu containing links for Change my password, Access API guide, Access user guide, Access support, and Logout. Refer to the Change My Password section for details on the Change my password dialog.

Below the menu bar the page content area is displayed, this will be different for each page. The remaining sections in this document detail all of the pages and features available in the WebUI.

Change My Password

The Change my password dialog can be accessed by selecting the Change my password link displayed in the user action menu displayed in the top menu bar.

Each user can change their own password using the Change my password dialog once authenticated.

The following fields are displayed in this page:

Current password - For a password to be changed, a user must specify their current password
New password - Specify a new password for the currently authenticated user
Repeat password - Enter the new password again to confirm

OneDDI is configured with a password complexity policy. A description of the currently configured policy will be displayed. The following is the default policy description:

Password must be at least 8 characters and contain at least 1 upper case letter, 1 lower case letter, 1 number and 1 of '!@#$%^&*'

Upon clicking the SAVE button the password will be changed immediately.

Vision

History

Devices

Working with Devices

DNS activity history for devices can be viewed in the Vision / History / Devices page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the DEVICES tab.

The Vision / History / Devices page will display a table of all devices ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each device:

Network view - Name of the network view the DNS server relates to
Device group - Name of device group found to have matched the devices IP address, if no device group was matched this field will be empty
Device IP - IP address of the device, if a DNS server has been defined in Vision with the devices IP address a DNS server icon will be displayed to the right of the device IP address and upon hovering over the icon the name of the matched DNS server(s) will be displayed
Unique queries - Total number of unique queries the device has made
DNS servers - Total number of DNS servers the device has queried, upon hovering over this column a tooltip will be displayed which contains a table of the DNS servers identifying the Name, First seen, Last seen, Seen count and Last 24 hours seen count
First seen - Timestamp the device was first seen
Last seen - Timestamp the device was last seen
Seen count - Total number of queries seen for the device
Last 24 hours seen count - Total number of queries seen for the device in the last 24 hours - a small chart is also displayed to provide a query profile overview which can be compared with other devices

A search control is displayed to the top right of the table. The value which can be entered in the search control is dependant on which search filter type is selected as follows - the filter type can be changed by clicking it and selecting a different one from the dropdown menu displayed:

Device IP/network - IP address, network or partial IP address, if a partial IP address is specified without a network length the length will be inferred from the provided IP address part, i.e. 192.168 will result in 192.168.0.0/16 and 192.168.68.0 will result in 192.168.68.0/32
Query name ends with - If a device has made a DNS query which ends in the specified string the device will be included in the result
Query name equals - If a device has made a DNS query which exactly equals the specified string the device will be included in the result
Query name matches domain - If a device has made a DNS query which ends in the specified domain the device will be included in the result, e.g. test.com matches www.test.com but not exampletest.com
Record data equals - If a device has made a DNS query which pointed to a record (including a CNAME chain) where the record data exactly equals the specified string the device will be included in the result

NOTE All searching is case-insensitive.

To the right of the search control is a filter icon. When clicked an EDIT FILTER dialog is displayed where more search options can be specified. In this dialog a Field, Filter type and value must be specified. Additionally, the Filter mode dropdown can be used to invert the filter. When multiple filters are specified an implicit logical AND is applied and all filters must match for an item to be displayed. Additionally, items can be filtered by network view and device group using the headers of these columns in the table.

The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.

The button SAVE SEARCH will be displayed to the top left of the table unless viewing a saved search, in which case the DUPLICATE SEARCH and SAVE CHANGES buttons will be displayed. Upon clicking the SAVE SEARCH or DUPLICATE SEARCH buttons the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.

If viewing a saved search and the search configuration has been changed the SAVE CHANGES button will be enabled. Upon clicking this button, the Save configuration changes dialog will be displayed, simply click the SAVE button to save the changes.

The link VIEW DEVICE will be displayed to the right of each device. Upon clicking this link the View Device page will be displayed for the device. See the Vision / History / Devices / View Device section for details on this page and viewing devices.

The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE DEVICE HISTORY DATABASE TO CSV links will be displayed.

Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE DEVICE HISTORY DATABASE TO CSV link all devices in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:

Network view - Name of the network view the DNS server relates to
Device group - Name of device group found to have matched the devices IP address, if no device group was matched this field will be empty
Device IP - IP address of the device
Unique queries - Total number of unique queries the device has made
DNS servers - List of each DNS server the device has queried, each DNS server included is separated by a semi-colon and will include the DNS servers name, first seen, last seen, seen count and last 24 hours seen count separated by a | character
First seen - Timestamp the device was first seen
Last seen - Timestamp the device was last seen
Seen count - Total number of queries seen for the device
Last 24 hours seen count - Total number of queries seen for the device in the last 24 hours

View Device

Detailed information about a devices DNS activity history can be accessed by clicking the VIEW DEVICE link displayed to the right of a device under the Vision / History / Devices page.

The View device page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the device:

DNS servers the device has queried - DNS server name, seen count and last 24 hours seen count is displayed
The device - Network view name, device group name, seen count and last 24 hours seen count is displayed
DNS records and queries which resolved to the devices IP address

The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.

The DNS map context will display the devices network view, device group and IP address at the top. Below this the following is displayed for the device:

First seen - Timestamp of when the device was first seen
Last seen - Timestamp of when the device was first seen
Seen count - Total number of queries seen for the device
Unique queries - Total number of unique queries seen for the device

Below this a chart is displayed which identifies the queries by hour for the device for the last 24 hours.

Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The QUERIES tab contains a list of all the unique queries ever seen for the device, this tab contains the same table data as the Vision / History / Queries page. The SIBLING DEVICES tab contains a list of devices which are on the same /24 network - this can be adjusted to a network of a different size - this tab contains the same table data as the Vision / History / Devices page. The DNS SERVERS tab contains a list of the DNS servers the device has been seen on.

Queries

Working with Queries

DNS activity history for queries can be viewed in the Vision / History / Queries page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the QUERIES tab.

The Vision / History / Queries page will display a table of all queries ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each query:

Query name - Name of the query
Query types - Query types ever seen being used to lookup the query name, upon hovering over this column a tooltip will be displayed which contains a table of the query types identifying the Name, First seen, Last seen and Seen count
Response codes - Response codes ever seen in a response to a lookup for the query name, upon hovering over this column a tooltip will be displayed which contains a table of the response codes identifying the Name, First seen, Last seen and Seen count
Unique queries - Total number of unique devices which have looked up the query name
DNS servers - Total number of DNS servers the query has been seen on, upon hovering over this column a tooltip will be displayed which contains a table of the DNS servers identifying the Name, First seen, Last seen, Seen count and Last 24 hours seen count
First seen - Timestamp the query was first seen
Last seen - Timestamp the query was last seen
Seen count - Total number of queries seen for the query
Last 24 hours seen count - Total number of queries seen for the query in the last 24 hours - a small chart is also displayed to provide a query profile overview which can be compared with other queries

Query name ends with - If a queries name ends with the specified string it will be included in the result
Query name equals - If a queries name exactly equals the specified string it will be included in the result
Query name matches domain - If a queries name ends in the specified domain it will be included in the result, e.g. test.com matches www.test.com but not exampletest.com
Record data equals - If a queries name pointed to a record (including via a CNAME chain) where the record data exactly equals the specified string the query will be included in the result

NOTE All searching is case-insensitive.

The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.

The link VIEW QUERY will be displayed to the right of each query. Upon clicking this link the View Query page will be displayed for the query. See the Vision / History / Queries / View Query section for details on this page and viewing queries.

The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE QUERY HISTORY DATABASE TO CSV links will be displayed.

Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE QUERY HISTORY DATABASE TO CSV link all queries in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:

Query name - Name of the query
Query types - List of each query type ever seen being used to lookup the query name, each query type included is separated by a semi-colon and will include the query types name, first seen, last seen and seen count separated by a | character
Response codes - List of each response code ever seen in a response to a lookup for the query name, each response code included is separated by a semi-colon and will include the response codes name, first seen, last seen and seen count separated by a | character
Unique devices - Total number of unique devices which have looked up the query name
DNS servers - List of each DNS server the query has been seen on, each DNS server included is separated by a semi-colon and will include the DNS servers name, first seen, last seen, seen count and last 24 hours seen count separated by a | character
First seen - Timestamp the query was first seen
Last seen - Timestamp the query was last seen
Seen count - Total number of queries seen for the query
Last 24 hours seen count - Total number of queries seen for the query in the last 24 hours

View Queries

Detailed information about a queries DNS activity history can be accessed by clicking the VIEW QUERY link displayed to the right of a query under the Vision / History / Queries page.

The View query page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the query:

The query - Seen count and last 24 hours seen count is displayed
Records which the query resolves to
Other queries relating to the records displayed

The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.

The DNS map context will display the queries name at the top. Below this the following is displayed for the query:

First seen - Timestamp of when the query was first seen
Last seen - Timestamp of when the query was first seen
Seen count - Total number of queries seen for the query
Unique devices - Total number of unique devices seen for the query

Below this a chart is displayed which identifies the queries by hour for the query for the last 24 hours.

Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The DEVICES tab contains a list of all devices which have directly looked up the query name, this tab contains the same data as the Vision / History / Devices page. The RECORDS tab contains a list of all records the query name directly resolves to, this tab contains the same data as the Vision / History / Records page. The QUERY TYPES tab contains a list of the query types seen for the query along with the response codes seen for them. The RESPONSE CODES tab contains a list of the response codes seen for a query along with the query types seen for them. The DNS SERVERS tab contains a list of the DNS servers the record has been seen on.

Records

Working with Records

DNS activity history for records can be viewed in the Vision / History / Records page by clicking the Vision link displayed in the top menu bar, selecting the History link displayed in the dropdown menu and then clicking the RECORDS tab.

The Vision / History / Records page will display a table of all records ever seen by a OneDDI sensor in the DNS activity sent to them by DNS servers. The following columns are displayed in the table for each record:

Record name - Name of the record
Record types - Class and type of the record
Record data - Record data in a readable format
DNS servers - Total number of DNS servers the record has been seen on, upon hovering over this column a tooltip will be displayed which contains a table of the DNS servers identifying the Name, First seen, Last seen, Seen count and Last 24 hours seen count
First seen - Timestamp the record was first seen
Last seen - Timestamp the record was last seen
Seen count - Total number of queries seen for the record
Last 24 hours seen count - Total number of queries seen for the record in the last 24 hours - a small chart is also displayed to provide a query profile overview which can be compared with other records

Record name ends with - If a records name ends with the specified string it will be included in the result
Record name equals - If a records name exactly equals the specified string it will be included in the result
Record name matches domain - If a records name ends in the specified domain it will be included in the result, e.g. test.com matches www.test.com but not exampletest.com
Record data ends with - If a records data ends with the specified string it will be included in the result
Record data equals - If a records data exactly equals the specified string it will be included in the result
Record data matches domain - If a records data ends in the specified domain it will be included in the result, e.g. test.com matches www.test.com but not exampletest.com
Record data matches IP/network - If a records type is A or AAAA and its data matches an IP address, network or partial IP address it will be included in the result, if a partial IP address is specified without a network length the length will be inferred from the provided IP address part, i.e. 192.168 will result in 192.168.0.0/16 and 192.168.68.0 will result in 192.168.68.0/32

NOTE All searching is case-insensitive.

The table can be sorted by most columns clicking the “[asc]” or “[desc]” link displayed next to a column header.

The link VIEW RECORD will be displayed to the right of each record. Upon clicking this link the View Record page will be displayed for the record. See the Vision / History / Records / View Records section for details on this page and viewing records.

The dropdown EXPORT TO CSV will be displayed to the top left of the table. Upon clicking this the EXPORT ALL SEARCH RESULTS TO CSV and EXPORT ENTIRE RECORD HISTORY DATABASE TO CSV links will be displayed.

Upon clicking the EXPORT ALL SEARCH RESULTS TO CSV link all items in the search result will be exported to a CSV file and downloaded. Upon clicking the EXPORT ENTIRE RECORD HISTORY DATABASE TO CSV link all records in the Vision Database will be exported to a CSV file and downloaded regardless of search criteria. In both cases the resulting file will have the following fields:

Record name - Name of the record
Record types - Class and type of the record
Record data - Record data in a readable format
DNS servers - List of each DNS server the record has been seen on, each DNS server included is separated by a semi-colon and will include the DNS servers name, first seen, last seen, seen count and last 24 hours seen count separated by a | character
First seen - Timestamp the record was first seen
Last seen - Timestamp the record was last seen
Seen count - Total number of queries seen for the record
Last 24 hours seen count - Total number of queries seen for the record in the last 24 hours

View Records

Detailed information about a records DNS activity history can be accessed by clicking the VIEW RECORD link displayed to the right of a record under the Vision / History / Records page.

The View record page contains a single DNS map section which is divided into two parts, a DNS map graph part and a DNS map context part. The DNS map graph identifies the following relationships linked to the record:

The record - Seen count and last 24 hours seen count is displayed
Records which link to the record - i.e. CNAME changes
Queries relating to the records displayed

The SHOW HELP button can be used to show detailed help of how to interact with the graph and what is displayed in each DNS map graph.

The DNS map context will display the records name, class, type and data at the top. Below this the following is displayed for the record:

First seen - Timestamp of when the record was first seen
Last seen - Timestamp of when the record was first seen
Seen count - Total number of queries seen for the record

Below this a chart is displayed which identifies the queries by hour for the record for the last 24 hours.

Below the chart several tabs are displayed. For some tabs, more detail can be accessed by clicking the EXPAND VIEW button displayed to the right of the tab names. The QUERIES tab contains a list of all queries which resolved to the record - this includes queries which resolved via other records like CNAME chains, this tab contains the same data as the Vision / History / Queries page. The DEVICES tab contains a list of all devices which have looked up a query which resolved to the record - this includes queries which resolved via other records like CNAME chains, this tab contains the same data as the Vision / History / Devices page. The SIBLING RECORDS tab contains a list of all records which have the same record name, this tab contains the same data as the Vision / History / Records page. The DNS SERVERS tab contains a list of the DNS servers the record has been seen on.

Events

Global Events

Global DNS activity events can be viewed under the Vision / Events / Global Events page by clicking the Vision link displayed in the top menu bar, selecting the Events link displayed in the dropdown menu and clicking the GLOBAL EVENTS tab.

The Vision / Events / Global Events page will display a table of the latest global events (up to 100,000 by default). The following columns are displayed in the table for each event:

Event timestamp - Date and time the event was created, e.g. 15 minutes ago, hovering over the timestamp will display the ISO timestamp of the event, e.g. 2024-01-01T00:00:00Z
Event type - The type of event, e.g. new-domain or new-ipv4
Event target - Dependant on the event type, e.g. for new-domain a second-level DNS domain, for new-ipv4 a dotted quad IPv4 address and for new-ipv6 an IPv6 address in compressed form
Related device IP - IP address of the device for which the event was first seen
Related query name - Query name for which the event was first seen

A search control is displayed to the top right of the table. Values in the search field will be matched against the event target, related device IP or related query name fields. Additionally, events can be filtered by event type using the header of the event type column in the table.

The link VIEW LIVE QUERIES is displayed to the right of each event. Upon clicking this link the Vision / Live Queries page will be displayed with a filter pre-applied to identify DNS activity relating to the event.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all audit entries will be exported to a CSV file and downloaded. The CSV file will contain the same fields as the table.

Device Group Events

Device group DNS activity events can be viewed under the Vision / Events / Device Group Events page by clicking the Vision link displayed in the top menu bar, selecting the Events link displayed in the dropdown menu and clicking the DEVICE GROUP EVENTS tab.

The Vision / Events / Device Group Events page will display a table of the latest device group events (up to 100,000 by default). The following columns are displayed in the table for each event:

Event timestamp - Date and time the event was created, e.g. 15 minutes ago, hovering over the timestamp will display the ISO timestamp of the event, e.g. 2024-01-01T00:00:00Z
Network view - Name of the network view the related device group is associated with
Device group - Name of the device group the event is associated with
Event type - The type of event, e.g. new-domain or new-ipv4
Event target - Dependant on the event type, e.g. for new-domain a second-level DNS domain, for new-ipv4 a dotted quad IPv4 address and for new-ipv6 an IPv6 address in compressed form
Related device IP - IP address of the device for which the event was first seen
Related query name - Query name for which the event was first seen

A search control is displayed to the top right of the table. Values in the search field will be matched against the event target, related device IP or related query name fields. Additionally, events can be filtered by network view, device group and event type using the headers of these columns in the table.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.

Live Queries

The latest DNS queries and responses processed by all OneDDI sensors can be viewed in the Vision / Live Queries page by clicking the Vision link displayed in the top menu bar and selecting the Live Queries link displayed in the dropdown menu.

NOTE DNS queries and responses are currently ordered in the table by the time at which they were received from DNS servers. Users cannot assume that messages are in time order, especially when comparing between DNS servers.

The Vision / Live Queries page will display a table of the latest DNS queries and responses processed by all OneDDI sensors. The following columns are displayed in the table for each DNS query and response seen:

Timestamp - Timestamp the DNS message was received by the DNS server
DNS server - Name of the DNS server the message relates to
Network view - Name of the network view the DNS server relates to
Device group - Name of device group found to have matched the devices IP address, if no device group was matched this field will be empty
Device IP - IP address of the device which sent the DNS query, if a DNS server has been defined in Vision with the devices IP address a DNS server icon will be displayed to the right of the device IP address and upon hovering over the icon the name of the matched DNS server(s) will be displayed
Query name - Query name from the DNS message, a coloured square will be displayed to the left of the query name, each query name with the same query base domain (i.e. the same second-level domain) will have the same colour, the colour assigned is random and can be different across page loads, the coloured square can be used to quickly scan the table for query names for the same query base domain
Query class / type - Query class and type from the DNS message
Message type - If the message is a query, Q followed by recursive or iterative depending on if this is a recursirve query and the IP address the DNS query was sent to, else this is a response, in which case R followed by the response code and the number of response records in the response

FQDN contains - Activity is searched by looking for DNS messages where the query name or response record name contains the specified string
FQDN equals - Activity is searched by looking for DNS messages where the query name or response record name equals the specified string
IP equals - Activity is searched by looking for DNS messages where the IP address of the related device or response record data for A or AAAA records equals the specified IPv4 or IPv6 address
IP matches network - Activity is searched by looking for DNS messages where the IP address of the related device or response record data for A or AAAA records falls within the specified network

NOTE All searching is case-insensitive.

The latest DNS query dataset is high dynamic and can change very quickly. Instead of paging controls a LOAD MORE ITEMS link is displayed to the bottom of the table. This allows more pages of results to be loaded without the user losing their point in time and possibly losing the current results.

Displayed to the right of each item is an expand toggle icon. When click a panel is expanded below the item to show more details. The following is displayed in this panel:

DNS MESSAGE PROPERTIES - The following properties about the DNS query or response:
- Message timestamp - Timestamp in ISO format of when the DNS message was received by the DNS server
- DNS server - Name of the DNS server the activity relates to
- Message type - Either query or response
- Message protocol - One of doh (DNS over HTTP), dot (DNS over TLS), tcp or udp
- Query base domain - Second-level domain, if available, for the query name in the DNS message
- Recursive query - yes if the recursion desired flag was set in the DNS message, else no
RESPONSE RESOURCE RECORDS - A table containing the resource records found in the answer section for DNS query responses

The link EXPORT DISPLAYED TO CSV will be displayed to the top left of the table. Upon clicking this link all items will be exported to a CSV file and downloaded, with the resulting file having the following fields:

Timestamp - Timestamp the DNS message was received by the DNS server
DNS server - Name of the DNS server the message relates to
Network view - Name of the network view the device group relates to, if no device group was matched this field will be empty
Device group - Name of device group found to have matched the devices IP address, if no device group was matched this field will be empty
Device IP - IP address of the device
Server IP_ - IP address the DNS message was sent to
Query name - Query name in the DNS message
Query class - Query class in the DNS message
Query type - Query type in the DNS message
Query base domain - Second-level domain, if available, for the query name in the DNS message
Message type - Either query or response
Message protocol - One of doh (DNS over HTTP), dot (DNS over TLS), tcp or udp
Response code - Response code from the DNS message
Response records - If available, each response record is displayed in this field separated by a semi-colon, each records name, TTL, class, type and data is separated by a space

Saved Searches

Working with Saved Searches

Saved searches are viewed and managed under the Vision / Saved Searches page.

The Vision / Saved Searches page will display a table of all defined saved searches. If the logged in user has been assigned permissions to manage saved searches then all saved searches, even ones not owned by the user will be displayed, otherwise only ones owned by the user or shared by other users will be displayed.

The following columns are displayed in the table for each saved search:

Actions - Several clickable icons are displayed to edit and delete a saved search, the edit and delete icons will be disabled if the logged in user is not the owner of the saved search or the user has not been assigned permissions to manage saved searches
Name - Name assigned to the save search
Search type - One of device-history, query-history, record-history or live-queries
Is shared - If the saved search is shared with other users a green tick icon will be displayed, otherwise a grey block icon will be displayed

A search control is displayed to the top right of the table. Values in the search field will be matched against a saved searches name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of saved searches, and to control how many are displayed in a single page.

The button ADD A SAVED SEARCH will be displayed to the top left of the table. If a user has NOT been assigned permission to manage saved searches, this button will be disabled. Upon clicking this button, the Add a saved search dialog will be displayed. See the Vision / Saved Searches / Add a Saved Search section for details on this dialog and adding saved searches.

The link VIEW DATA will be displayed to the right of each saved search. Upon clicking this link the Vision / History / [history type] page will be displayed for the search type with the saved search configuration applied.

Upon hovering over a row in the table edit saved search and delete saved search buttons will be displayed to the left. If the logged in user is not the owner of a search or the user has NOT been assigned permission to manage saved searches the edit saved search and delete saved search buttons will be disabled.

Upon clicking the edit saved search button, the Edit saved search dialog will be displayed. See the Vision / Saved Searches / Edit a Saved Search section for details on this dialog and editing a saved search.

Upon clicking the delete saved search button the Delete saved search dialog will be displayed. See the Vision / Saved Searches / Delete a Saved Search section for details on this dialog and deleting a saved search.

Add a Saved Search

Saved searches are added using the Add a saved search dialog. This can be accessed by clicking the ADD A SAVED SEARCH button displayed in the Vision / Saved Searches page, the DUPLICATE SEARCH when viewing the data for an existing saved search, or SAVE SEARCH when viewing the Vision / History / [history type] page.

This dialog contains the following inputs:

Name - Name assigned to the search
Search type - One of device-history, query-history, record-history or live-queries
Select to indicate the saved search can be viewed by others - If selected all users will be able to use the saved search, otherwise only the logged in user or users assigned permissions to manage saved searches will be able to use the search

Once all required attributes have been specified the ADD button will be enabled, and once clicked the saved search will be added.

Edit a Saved Search

Saved searches are edited using the Edit a saved search dialog. This can be accessed by clicking the ADD A SAVED SEARCH button displayed in the Vision / Saved Searches page, the DUPLICATE SEARCH when viewing the data for an existing saved search, or SAVE SEARCH when viewing the Vision / History / [history type] page.

This dialog contains the following inputs:

Name - Name assigned to the search
Search type - One of device-history, query-history, record-history or live-queries
Select to indicate the saved search can be viewed by others - If selected all users will be able to use the saved search, otherwise only the logged in user or users assigned permissions to manage saved searches will be able to use the search

Click the SAVE button to save changes to the saved search.

Delete a Saved Search

NOTE This is a destructive operation which cannot be undone.

Saved searches are deleted using the Delete saved search dialog. This can be accessed by clicking the delete saved search button displayed to the left when hovering over a saved search in the Vision / Saved Searches page. If a user has NOT been assigned permission to manage saved searches, this button will be disabled.

The delete dialog prompts whether the saved search should be deleted. Note that no data is deleted, only the saved search and its configuration.

Click the DELETE button to confirm the saved search should be deleted, after which the saved search will be deleted.

Device Groups

Working with Device Groups

Device groups are viewed and managed under the Vision / Device Groups page by clicking the Vision link displayed in the top menu bar and selecting the Device Groups link displayed in the dropdown menu.

A device group is a set of networks which identify a set of related devices and the configuration for event montoring, history tracking and activity forwarding for the DNS messages to and from those devices.

Devices can overlap, in this case the device group with the most specific network will be used. A device group cannot contain the same network and length as one configured on another device group in the same network view. To configure a single host on a device group configure a /32 network for the IP address.

A default device group does not have any networks configured. Any device not found to be covered by the networks configured on other device groups for the same network view will be associated with the default device group (if configured).

There is no requirement to create device groups for every part of the network. Device groups are a way to prioritise certain networks and devices. Most customers will create a default device group and then a handful of device groups for critical networks and devices.

The Vision / Device Groups page will display a table of all defined device groups.

The following columns are displayed in the table for each device group:

Actions - Clickable icons to manage each item
Name - Name used to refer to the device group
Network view - Network view the device group is associated with
Is default - The a device group is the default device group for the network view a green tick will be displayed
No. networks - Number of networks configured on the device group
Event monitoring - If event monitoring is not active a grey block icon will be displayed, otherwise a green tick will be displayed to indicating event monitoring is active and a list of the event types being monitored will be displayed, hovering over an event type will show a tooltip to indicate what is being monitored
History tracking - If history tracking is not active a grey block icon will be displayed, otherwise a green tick will be displayed to indicating history tracking is active
Activity forwarding - If activity forwarding is not active a grey block icon will be displayed, otherwise a green tick will be displayed to indicating activity forwarding is active and a summary of the configuration will be displayed

A search control is displayed to the top right of the table. Values in the search field will be matched against a device groups name or configured networks.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of device groups, and to control how many are displayed in a single page.

The button ADD A DEVICE GROUP will be displayed to the top left of the table. Upon clicking this button, the Add Device Grouup dialog will be displayed. See the Vision / Device Groups / Add a Device Group section for details on this dialog and adding device groups.

Upon hovering over a row in the table edit device group and delete device group buttons will be displayed to the left.

Upon clicking the edit device group button, the Edit device group dialog will be displayed. See the Vision / Device Groups / Edit a Device Group section for details on this dialog and editing a device groups.

Upon clicking the delete device group button, the Delete device group dialog will be displayed. See the Vision / Device Groups / Delete a Device Group section for details on this dialog and deleting a device group.

Add a Device Group

Device groups are added using the Add a device group dialog. This can be accessed by clicking the ADD A DEVICE GROUP button displayed in the Vision / Device Groups page.

This dialog contains several tabs. The DEVICE GROUP tab contains the following inputs:

Name - Used to refer to the device group
Network view - Network view the device group should be associated with
Select to indicate this is the default device group for the specified network view - If selected, any device not matching the networks configured on any other device group assigned to the same network view will be assiociated with this device group
Networks - Comma, space or newline separated list of networks in the format 192.168.68.0/24, devices failling within the networks will be associated with the device group

The EVENT MONITORING tab contains the following inputs:

If the Select to activate DNS activity monitoring for devices matching this device group is selected then DNS activity events will be created for devices matching the device group. Supported event types are as follows:

New domain - Look for second-level domains not seen before in the query name or response record name fields of DNS messages
New IPv4 address - Look for IP addresses not seen before in response records of DNS messages
New IPv6 address - Look for IP addresses not seen before in response records of DNS messages

The following options are available for each type:

Is active - If not selected the event will not be monitored
Device group events - By default the event will be monitored globally, that is for example, if a domain has already been seen by another device group which has the same monitoring enabled it will not create another event, if this property is selected a device group event will also be created if the event has never been seen by any other device in the same device group regardless of the global event status
Send to SIEM - If selected, a message will be sent from the OneDDI Master server to its configured SIEM connector when the event is created

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for event monitoring.

The HISTORY TRACKING tab contains a single input for Select to activate DNS activity tracking for devices matching this device group. If selected, DNS activity history will be tracked for devices matching the device group. This will include devices, queries and records and the queries made by the devices.

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity tracking.

The ACTIVITY FORWARDING tab will contains the following inputs:

If the Select to activate DNS activity forwarding for devices matching this device group is selected then DNS messages will be forward to a sensors configured SIEM connector for devices matching the device group. In this case the remaining options in this tab will be enabled.

DNS activity can be forwarded in a non-aggregated or aggregated way.

In the non-aggregated way every DNS message (i.e. both queries and responses) will be forwarded. In this case the Forward all DNS query and response messages parameter will be selected. While the all DNS messages will be forward, the Select to use the same format as aggregated DNS query and response messages parameter can be used to forward these messages using the same format as the aggregated way. This allows the messages to be viewed and used alongside the aggregated messages.

In the aggregated way DNS messages are tracked as “aggregation sessions” where each DNS query and response is uniquely identified and tracked over a window of time, with updates being sent to a sensors SIEM connector after each aggregation update interval. Several parameters are used to determine how aggregation sessions are tracked as follows:

Aggregation update interval - How often in seconds updates should be sent to a sensors SIEM connector
Select to forward an update at the start of an aggregation session identifying the first DNS message - This option allows updates to be seen in the SIEM as soon as an aggregation session is started, i.e. when a query or response is first seen, if selected an initial aggregation update is sent as soon as the DNS message which caused the session to be created is seen, if not selected, the first update will not be sent to the SIEM until after the aggregation update interval
Aggregation scope - Either device, in which case an aggregation session is maintained on a per device basis (i.e. if two devices, even from the same device group, perform the same query this is two sessions), or device-group, in which case an aggregation session is maintained on a per device group basis (i.e. if two devices from the same device group perform the same query this is one session), if device-group is selected the following two options can be used to maintain access to per device statistics:
- Select to include the number of unique IP addresses a DNS message was seen for - This includes a count in the updates to the SIEM which indicates how many unique IP addresses were seen for the past aggregation window for the query or response
- Select to include the unique IP addresses, and their seen counts, a DNS message was seen for - This includes a list of IP addresses in the updates to the SIEM which indicates each unique IP address seen for the past aggregation window for the query or response and the seen count for each IP address

In both non-aggregated and aggregated cases, the format of the messages is dictated by the SIEM connector, i.e. using either csv or json (example messages can be accessed when adding/editing SIEM connectors).

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity forwarding.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the device group will be added.

Edit a Device Group

Device groups are edited using the Edit Device Group dialog. This can be accessed by clicking the edit device group button displayed to the left when hovering over a device group in the Vision / Device Groups page.

This dialog contains several tabs. The DEVICE GROUP tab contains the following inputs:

Name - Used to refer to the device group
Network view - Network view the device group should be associated with
Select to indicate this is the default device group for the specified network view - If selected, any device not matching the networks configured on any other device group assigned to the same network view will be assiociated with this device group
Networks - Comma, space or newline separated list of networks in the format 192.168.68.0/24, devices failling within the networks will be associated with the device group

The EVENT MONITORING tab contains the following inputs:

New domain - Look for second-level domains not seen before in the query name or response record name fields of DNS messages
New IPv4 address - Look for IP addresses not seen before in response records of DNS messages
New IPv6 address - Look for IP addresses not seen before in response records of DNS messages

The following options are available for each type:

Is active - If not selected the event will not be monitored
Device group events - By default the event will be monitored globally, that is for example, if a domain has already been seen by another device group which has the same monitoring enabled it will not create another event, if this property is selected a device group event will also be created if the event has never been seen by any other device in the same device group regardless of the global event status
Send to SIEM - If selected, a message will be sent from the OneDDI Master server to its configured SIEM connector when the event is created

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for event monitoring.

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity tracking.

The ACTIVITY FORWARDING tab will contains the following inputs:

DNS activity can be forwarded in a non-aggregated or aggregated way.

Aggregation update interval - How often in seconds updates should be sent to a sensors SIEM connector
Select to forward an update at the start of an aggregation session identifying the first DNS message - This option allows updates to be seen in the SIEM as soon as an aggregation session is started, i.e. when a query or response is first seen, if selected an initial aggregation update is sent as soon as the DNS message which caused the session to be created is seen, if not selected, the first update will not be sent to the SIEM until after the aggregation update interval
Aggregation scope - Either device, in which case an aggregation session is maintained on a per device basis (i.e. if two devices, even from the same device group, perform the same query this is two sessions), or device-group, in which case an aggregation session is maintained on a per device group basis (i.e. if two devices from the same device group perform the same query this is one session), if device-group is selected the following two options can be used to maintain access to per device statistics:
- Select to include the number of unique IP addresses a DNS message was seen for - This includes a count in the updates to the SIEM which indicates how many unique IP addresses were seen for the past aggregation window for the query or response
- Select to include the unique IP addresses, and their seen counts, a DNS message was seen for - This includes a list of IP addresses in the updates to the SIEM which indicates each unique IP address seen for the past aggregation window for the query or response and the seen count for each IP address

A DNS message filter can be specified to match DNS messages. If configured, only messages matching the filter will be used for activity forwarding.

Click the SAVE button to save changes to the device group.

Delete a Device Group

NOTE This is a destructive operation which cannot be undone.

Device groups are deleted using the Delete Device Group dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a device group in the Vision / Device Groups page.

The delete dialog prompts whether the device group should be deleted.

Click the DELETE button to confirm the device group should be deleted, after which the device group will be deleted.

Network

Sensors

Working with Sensors

Sensors are viewed and managed under the Vision / Network / Sensors page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the SENSORS tab.

The Vision / Network / Sensors page will display a table of all defined sensors.

The following columns are displayed in the table for each sensor:

Actions - Clickable icons to manage each item
Name - Name used to refer to the sensor
IP address - IP address used to communicate with the sensor
Network view - Name of the network view the sensor is associated with
SIEM connector - Name of the SIEM connector the sensor will use to forward DNS activity messages if it is configured to do so for a device group
Status - If the sensor is not active, a grey tick icon will be displayed along with a message indicating the sensor is not active, otherwise, a green tick or red error icon will be displayed depending on the connectivity status of the sensor, if the sensor status is green then the sensor version will also be displayed

A search control is displayed to the top right of the table. Values in the search field will be matched against a sensors name or IP address.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of sensors, and to control how many are displayed in a single page.

The button ADD A SENSOR will be displayed to the top left of the table. Upon clicking this button, the Add Sensor dialog will be displayed. See the Vision / Network / Sensors / Add a Sensor section for details on this dialog and adding sensors.

The button SYNCHRONISE SENSORS will be displayed to the top left of the table. Upon clicking this button, the Synchronise Sensors dialog will be displayed. See the Vision / Network / Sensors / Synchronise Sensors section for details on this dialog and synchronising sensors.

The link VIEW ACTIVITY UPDATE HISTORY will also be displayed to the top left of the table. Upon clicking this link, the Activity update history page will be displayed. See the Vision / Network / Sensors / View Activity Update History section for details on this page.

The link VIEW SENSOR will be displayed to the right of each sensor. Upon clicking this link the View sensor page will be displayed for the sensor. See the Vision / Network / Sensors / View Sensor section for details on this page and viewing sensors.

Upon hovering over a row in the table edit sensor, delete sensor and synchronise sensor buttons will be displayed to the left.

Upon clicking the edit sensor button, the Edit Sensor dialog will be displayed. See the Vision / Network / Sensors / Edit a Sensor section for details on this dialog and editing a sensor.

Upon clicking the delete sensor button, the Delete Sensor dialog will be displayed. See the Vision / Network / Sensors / Delete a Sensor section for details on this dialog and deleting a sensor.

Upon clicking the synchronise sensor button, the Synchronise Sensors dialog will be displayed but for the one sensor. See the Vision / Network / Sensors / Synchronise Sensors section for details on this dialog and synchronising a sensor.

Synchronise Sensors

Sensors are synchronised using the Synchronise sensor dialog.

To synchronise a single sensor, this can be accessed by clicking the synchronise button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page, or displayed to the right of a sensors name at the top of the Vision / Network / Sensors / View Sensor page.

To synchronise all sensors, this can be accessed by clicking the SYNCHRONISE SENSORS button displayed at the top left of the sensors table in the Vision / Network / Sensors page.

Sensors collect data for a network view which is assigned when adding or editing network views or sensors. Network views, device groups and other data is automatically synchronised with sensors when they are modified.

This dialog is used to force a check to be performed so that a sensor will verify they have an up to date copy of their cached data, synchronising it if it has changed.

Click the SYNCHRONISE NOW button to confirm the sensor/sensors should be synchronised, after which a request to synchronise will be made and the dialog closed. The synchronisation process will continue in the background. If there are any issues with this process, details can be accessed in the View Sensor page.

View Activity Update History

The activity update history for all sensors can be viewed under the Activity Update History page by clicking the VIEW ACTIVITY UPDATE HISTORY link displayed at the top left of the sensors table in the Vision / Network / Sensors page.

Sensors track DNS activity history and periodically saves this data to files, queueing them to be sent to the OneDDI Master server. The OneDDI Master server then downloads the activity history update files and processes the updates into its Vision Database. Each file downloaded is recorded in the activity update history. If there is an error in processing a file it will be displayed in this table.

NOTE When viewing activity update history some numbers may not seem to correlate. For example, a file may contain 1000 items but have 500 added and only 400 updated items. Likewise, when added together the added plus updated numbers may be higher than the number of items in the file. This is expected since the OneDDI Master may decide not to perform certain updates, or perform additional updates, depending on the other contents of the file or the existing items already in the Vision Database.

The following columns are displayed in the table for each activity update file:

Actions - Clickable icons to manage each item
Timestamp - A string specifying when the activity update file was created on the sensor, e.g. 2 hours ago, hovering over this field will result in a tooltip being displayed which shows the date and time in ISO format
ID - A unique ID used to refer to the file
Sensor - Name of the sensor which generated the activity update file
Size - Both compressed and uncompressed size of the file, activity update files are stored and transferred in a compressed form
No. items - Total number of updates in the file
No. processed - Contains the number of items processed from the file
No. added - Contains the number of items processed which resulted in adding a new item to the Vision Database
No. updated - Contains the number of items processed which resulted in updating an existing item in the Vision Database
Processing time - Total number of seconds spent processing the file
Processing status - If the file has not been processed, a grey tick icon along with a message indicaing the file is being processed, otherwise, either a green tick or red error icon is displayed along with a message indicating the processing status of the file

A search control is displayed to the top right of the table. Values in the search field will be matched against a files ID or processing status.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of activity update files, and to control how many are displayed in a single page.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all activity update files will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:

Timestamp - Date and time in ISO format for when the activity update file was created on the sensor
ID - A unique ID used to refer to the file
Sensor - Name of the sensor which generated the activity update file
Compressed size - Compressed size of the file in bytes
Uncompressed size - Uncompressed size of the file in bytes
No. items - Total number of updates in the file
No. processed - Contains the number of items processed from the file
No. added - Contains the number of items processed which resulted in adding a new item to the Vision Database
No. updated - Contains the number of items processed which resulted in updating an existing item in the Vision Database
Processing milliseconds - Total number of milliseconds spent processing the file
Processing state - Either processing, error or complete
Processing message - Message relevant to the processing state of the file

Add a Sensor

Sensors are added using the Add a Sensor dialog. This can be accessed by clicking the ADD A SENSOR button displayed in the Vision / Network / Sensors page.

The Add a Sensor dialog displays a four step wizard which guides a user through adding a sensor. Before a sensor can be added its unique connection key must be obtained. This key is stored in the /opt/oneddi-sensor/config/http-connection.key file once the sensor has been installed. When the sensor is added to the OneDDI user interface this connection key will be changed automatically.

Step 1 in the dialog, the Start page, provides a brief overview of what will be performed to add a sensor.

Click the NEXT button to continue to step 2, the Configure page. In this page the Name, IP address and Port used to communicate with the sensor must be specified. An optional Network view can be selected, which can also be configured later when editing sensors and network views, can also be specified along with a SIEM connector the sensor should use to forward DNS activity messages if configured to do so on device groups.

Click the NEXT button to continue to step 3, the Verify page. In this page the Connector key obtained during sensor installation must be specified. Once specified, click the VERIFY CONFIGURATION button to verify communication with the sensor and the connection key. Once successful, the ADD and ADD & VIEW buttons will be enabled.

Click the ADD and ADD & VIEW button to add the sensor after which the dialog will close.

View Sensor

Detailed information about sensor health can be accessed by clicking the VIEW SENSOR link displayed to the right of a sensors name under the Vision / Network / Sensors page.

The View sensor page is divided into several sections.

At the top of the View sensor page the name, IP address, port and connection status of the sensor is displayed. Additionally, edit sensor, delete sensor and synchronise sensor buttons will be displayed to the right.

The SUMMARY section provides several icons indicating the health of several sensor communication points. When an icon is coloured green the item is healthy, when it is coloured red the item is unhealthy and a message will be displayed to indicate the problem. The following items are displayed:

Network view - Whether a network view is assigned to the sensor, if one is assigned its name will be displayed
Network view synchronised - Last time network view configuration was synchronised with the sensor
Device group synchronised - Last time device group configuration was synchronised with the sensor
DNS servers synchronised - Last time DNS server configuration was synchronised with the sensor
SIEM connectors synchronised - Last time SIEM connector configuration was synchronised with the sensor
Activity update processing status - An indication of whether activity update files are being processed from the sensors queue, the link VIEW ACTIVITY UPDATE QUEUE will be displayed, upon clicking this the DNS activity update queue page will be displayed for the sensor, see the Vision / Network / Sensors / View Activity Update Queue section for more details about this page

The SENSOR LOG section displays a table containing (by default) the most recent 10,000 log messages generated by the sensor.

The following columns are displayed in the table for each service:

Timestamp - Date and time the log message was generated
Level - Either info, warn or error
Source - Name of the sensor component which generated the log message
Message - The log message text

A search control is displayed to the top right of the table. Values in the search field will be matched against a log messages level, source or message.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of log messages, and to control how many are displayed in a single page.

The link EXPORT TO CSV will be displayed to the top of the left of the log message table. Upon clicking this link all sensor log messages will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:

Timestamp - Date and time the log message was generated
Level - Either info, warn or error
Source - Name of the sensor component which generated the log message
Message - The log message text

View Activity Update Queue

The activity update queue for a sensor can be viewed under the Activity Update Queue page by clicking the VIEW ACTIVITY UPDATE QUEUE link displayed under the SUMMARY section in the Vision / Network / Sensors / View Sensor page.

Sensors track DNS activity history and periodically saves this data to files, queueing them to be sent to the OneDDI Master server. The acivity update queue contains all files waiting to be collected by the OneDDI Master server.

The following columns are displayed in the table for each activity update file:

Actions - Clickable icons to manage each item
Timestamp - A timestamp indicating when the activity update file was created
ID - A unique ID used to refer to the file
No. items - Total number of updates in the file
Compressed size - Compressed size of the file
Uncompressed size - Uncompressed size of the file

A search control is displayed to the top right of the table. Values in the search field will be matched against a files ID.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of activity update files, and to control how many are displayed in a single page.

Edit a Sensor

Sensors are edited using the Edit Sensor dialog. This can be accessed by clicking the edit sensor button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page.

This dialog contains several tabs. The SENSOR tab contains the following inputs:

Name - Used to refer to the sensor
Network view - Network view the sensor should be associated with
SIEM connector - The SIEM connector the sensor should use to forward DNS activity messages if it is configured to do so for a device group
Select to make the sensor active - If marked as active the sensor will be used when searching live DNS queries under the Vision / Live queries page and DNS activity history and event udpates will be processed from the sensor, otherwise the OneDDI Master will not connect to the sensor

The CONNECTION tab contains the following inputs:

IP address - IP address used to communicate with the sensor
Port - HTTPS port used to communicate with the sensor
Connection key - Shared secret used to connect with the sensor, if left blank the existing key will not be overwritten

Click the SAVE button to save changes to the sensor.

Delete a Sensor

NOTE This is a destructive operation which cannot be undone. History and event data is not affected when deleting sensors.

Sensors are deleted using the Delete sensor dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a sensor in the Vision / Network / Sensors page, or displayed to the right of a sensors name at the top of the Vision / Network / Sensors / View Sensor page.

The delete dialog prompts whether the sensor should be deleted.

Click the DELETE button to confirm the sensor should be deleted, after which the sensor will be deleted.

Network Views

Working with Network Views

Network views are viewed and managed under the Vision / Network / Network views page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the NETWORK VIEWS tab.

The Vision / Network / Network views page will display a table of all defined network views.

The following columns are displayed in the table for each network view:

Actions - Clickable icons to manage each item
Name - Name used to refer to the network view
No. device groups - Number of devices groups assigned to the network view
No. sensors - Number of sensors assigned to the network view
No. DNS servers - Number of DNS servers assigned to the network view

A search control is displayed to the top right of the table. Values in the search field will be matched against a network views name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of network views, and to control how many are displayed in a single page.

The button ADD A NETWORK VIEW will be displayed to the top left of the table. Upon clicking this button, the Add Network View dialog will be displayed. See the Vision / Network / Network Views / Add a Network View section for details on this dialog and adding network views.

Upon hovering over a row in the table edit network view and delete network view button will be displayed to the left.

Upon clicking the edit network view button, the Edit Network view dialog will be displayed. See the Vision / Network / Network Views / Edit a Network view section for details on this dialog and editing a network view.

Upon clicking the delete network view button, the Delete Network view dialog will be displayed. See the Vision / Network / Network Views / Delete a Network View section for details on this dialog and deleting a network view.

Add a Network View

Network views are added using the Add a network view dialog. This can be accessed by clicking the ADD A NETWORK VIEW button displayed in the Vision / Network / Network Views page.

This dialog contains following inputs:

Name - Used to refer to the network view
Selected sensors - The selected sensors will collect data for the network view, a sensor can only collect data for a single network view, if a sensor is already associated with another network view it must be unassociated before it can be associated with this network view

Once all required attributes have been specified the ADD button will be enabled, and once clicked the network view will be added.

Edit a Network View

Network views are edited using the Edit network view dialog. This can be accessed by clicking the edit network view button displayed to the left when hovering over a network view in the Vision / Network / Network Views page.

This dialog contains following inputs:

Name - Used to refer to the network view
Selected sensors - The selected sensors will collect data for the network view, a sensor can only collect data for a single network view, if a sensor is already associated with another network view it must be unassociated before it can be associated with this network view

Click the SAVE button to save changes to the network view.

Delete a Network View

NOTE This is a destructive operation which cannot be undone. History and event data related to the network view will not be accessible once it has been deleted.

Network views are deleted using the Delete network view dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a network view in the Vision / Network / Network Views page.

The delete dialog prompts whether the network view should be deleted.

Click the DELETE button to confirm the network view should be deleted, after which the network view will be deleted.

DNS Servers

Working with DNS Servers

DNS servers are viewed and managed under the Vision / Network / DNS servers page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the DNS SERVERS tab.

The Vision / Network / DNS servers page will display a table of all defined DNS servers.

The following columns are displayed in the table for each DNS server:

Actions - Clickable icons to manage each item
Name - Name used to refer to the DNS server
Network view - Network view the DNS server is associated with
IP addresses - IP addresses used to identify the DNS server in DNS activity, this is also used as an access control list when a DNS server connectors to a sensor assigned the same network view, i.e. sensors assigned the same network view will permit the DNS server to connect from any of the IP addresses configured here if data collection has been made active
Retired? - If a DNS server has been marked as retired, a retired icon will be displayed in this column
Data collection - If data collection is active, a green tick will be displayed along with the data collection method selected
Data collection status - If data collection is active, the status of data collection is displayed for the DNS server for each active sensor

A search control is displayed to the top right of the table. Values in the search field will be matched against a DNS servers name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of DNS servers, and to control how many are displayed in a single page.

The button ADD A DNS SERVER will be displayed to the top left of the table. Upon clicking this button, the Add DNS Server dialog will be displayed. See the Vision / Network / DNS Servers / Add a DNS Server section for details on this dialog and adding DNS servers.

Upon hovering over a row in the table edit DNS server and delete DNS server button will be displayed to the left.

Upon clicking the edit DNS server button, the Edit DNS server dialog will be displayed. See the Vision / Network / DNS Servers / Edit a DNS server section for details on this dialog and editing a DNS server.

Upon clicking the delete DNS server button, the Delete DNS server dialog will be displayed. See the Vision / Network / DNS Servers / Delete a DNS Server section for details on this dialog and deleting a DNS server.

Add a DNS Server

DNS servers are added using the Add a DNS server dialog. This can be accessed by clicking the ADD A DNS SERVER button displayed in the Vision / Network / DNS Servers page.

This dialog contains several tabs. The DNS SERVER tab contains the following inputs:

Name - Used to refer to the DNS server
Network view - Network view the DNS server should be associated with
IP addresses - Comma separated list of IP addresses configured on the DNS server’s network interfaces, when processing DNS activity data these IP addresses will be used to determine if the activity is inter-DNS server activity, if the DNS server listens on multiple IP addresses but only communicates using one of them then only that one needs to be specified
Select to indicate the DNS server has been retired - If a DNS server has been marked as retired the retired icon will be displayed along side it when viewing some items such as history data, this has no affect on data collection and no data will be deleted

The DATA COLLECTION tab contains the following inputs:

Select to activate data collection for the DNS server - If selected the sensor will permit connections from the DNS server and process DNS activity messages it sends according to the selected data collection method
Data collection method - Select the method which is used to collect DNS activity data for the DNS server, depending on which is selected the following additional configuration parameters are then displayed:
- bind-syslog
  - Select to secure the Syslog connection using TLS - If selected connections from the DNS server will use TLS
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- bluecat-http
  - dnstap message types - A list of the dnstap message types to read DNS activity data from
  - Select to use HTTPS - If selected HTTPS will be used, otherwise plain HTTP will be used
- dnstap
  - dnstap message types - A list of the dnstap message types to read DNS activity data from
- infoblox-data-connector
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- infoblox-syslog
  - Select to secure the Syslog connection using TLS - If selected connections from the DNS server will use TLS
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- windows-agent - There are no additional parameters for this method
Select to ignore inter-DNS server activity - DNS activity can be duplicated when DNS servers forward queries to other DNS servers, if both DNS servers are sending DNS activity data to a OneDDI Sensor this paramter can be used to indicate that the duplicated inter-DNS server activity should not be processed, this is determined by correlating device IP addresses in DNS activity with the IP addresses configured on all DNS servers
Select to use only DNS response activity for data collection - To enhance the performance of data collection a DNS server can be configured to forward only DNS response activity, in this case this paramter can be used so that query names, timestamps and other items are taken from DNS response activity instead of DNS query activity

Once all required attributes have been specified the ADD button will be enabled, and once clicked the DNS server will be added.

Edit a DNS Server

DNS servers are edited using the Edit DNS server dialog. This can be accessed by clicking the edit DNS server button displayed to the left when hovering over a DNS server in the Vision / Network / DNS Servers page.

This dialog contains several tabs. The DNS SERVER tab contains the following inputs:

Name - Used to refer to the DNS server
Network view - Network view the DNS server should be associated with
IP addresses - Comma separated list of IP addresses configured on the DNS server’s network interfaces, when processing DNS activity data these IP addresses will be used to determine if the activity is inter-DNS server activity, if the DNS server listens on multiple IP addresses but only communicates using one of them then only that one needs to be specified
Select to indicate the DNS server has been retired - If a DNS server has been marked as retired the retired icon will be displayed along side it when viewing some items such as history data, this has no affect on data collection and no data will be deleted

The DATA COLLECTION tab contains the following inputs:

Select to activate data collection for the DNS server - If selected the sensor will permit connections from the DNS server and process DNS activity messages it sends according to the selected data collection method
Data collection method - Select the method which is used to collect DNS activity data for the DNS server, depending on which is selected the following additional configuration parameters are then displayed:
- bind-syslog
  - Select to secure the Syslog connection using TLS - If selected connections from the DNS server will use TLS
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- bluecat-http
  - dnstap message types - A list of the dnstap message types to read DNS activity data from
  - Select to use HTTPS - If selected HTTPS will be used, otherwise plain HTTP will be used
- dnstap
  - dnstap message types - A list of the dnstap message types to read DNS activity data from
- infoblox-data-connector
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- infoblox-syslog
  - Select to secure the Syslog connection using TLS - If selected connections from the DNS server will use TLS
  - Timezone - A timezone must be specified due to no timezone information being present in the input data
- windows-agent - There are no additional parameters for this method
Select to ignore inter-DNS server activity - DNS activity can be duplicated when DNS servers forward queries to other DNS servers, if both DNS servers are sending DNS activity data to a OneDDI Sensor this paramter can be used to indicate that the duplicated inter-DNS server activity should not be processed, this is determined by correlating device IP addresses in DNS activity with the IP addresses configured on all DNS servers
Select to use only DNS response activity for data collection - To enhance the performance of data collection a DNS server can be configured to forward only DNS response activity, in this case this paramter can be used so that query names, timestamps and other items are taken from DNS response activity instead of DNS query activity

Click the SAVE button to save changes to the DNS server.

Delete a DNS Server

NOTE This is a destructive operation which cannot be undone. History and event data related to the DNS server will not be accessible once it has been deleted.

DNS servers are deleted using the Delete DNS server dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a DNS server in the Vision / Network / DNS Servers page.

The delete dialog prompts whether the DNS server should be deleted.

Click the DELETE button to confirm the DNS server should be deleted, after which the DNS server will be deleted.

SIEM Connectors

Working with SIEM Connectors

SIEM connectors are viewed and managed under the Vision / Network / SIEM connectors page by clicking the Vision link displayed in the top menu bar, selecting the Network link displayed in the dropdown menu and then selecting the SIEM CONNECTORS tab.

The Vision / Network / SIEM connectors page will display a table of all defined SIEM connectors.

The following columns are displayed in the table for each SIEM connector:

Actions - Clickable icons to manage each item
Name - Name used to refer to the SIEM connector
Used by master - If the SIEM connector is being used by the OneDDI master server there will be a green check in this column, only one SIEM connector can be used by the OneDDI master server
No. sensors - Indicates the number of sensors which have been associated with the SIEM connector
Message format - This will be either csv or json
Targets - A list of the target IP addresses configured for the SIEM connector

A search control is displayed to the top right of the table. Values in the search field will be matched against a SIEM connectors name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of SIEM connectors, and to control how many are displayed in a single page.

The button ADD A SIEM CONNECTOR will be displayed to the top left of the table. Upon clicking this button, the Add SIEM Connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Add a SIEM Connector section for details on this dialog and adding SIEM connectors.

Upon hovering over a row in the table edit SIEM connector and delete SIEM connector buttons will be displayed to the left.

Upon clicking the edit SIEM connector button, the Edit SIEM connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Edit a SIEM Connector section for details on this dialog and editing a SIEM connector.

Upon clicking the delete SIEM connector button, the Delete SIEM connector dialog will be displayed. See the Vision / Network / SIEM Connectors / Delete a SIEM Connector section for details on this dialog and deleting a SIEM connector.

Add a SIEM Connector

SIEM connectors are added using the Add a SIEM connector dialog. This can be accessed by clicking the ADD A SIEM CONNECTOR button displayed in the Vision / Network / SIEM Connectors page.

This dialog contains several tabs. The SIEM CONNECTOR tab contains the following inputs:

Name - Used to refer to the SIEM connector
Message format - Select either csv or json, click the DOWNLOAD EXAMPLE MESSAGES button to see the format of each of these messages
Select if this SIEM connector should be used by the OneDDI master server - If this is selected and it is also selected on another SIEM connector already, it will be unselected on the other SIEM connector

The TARGETS tab contains inputs to specify targets to send messages. At least one target IP address and TCP port must be specified, optionally selecting Select to use TLS to use TLS when connecting. Use the ADD ANOTHER TARGET button to add more targets.

The SENSORS tab is where the sensors assigned to the SIEM connector can be selected by clicking the EDIT SELECTED SENSORS button.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the SIEM connector will be added.

Edit a SIEM Connector

SIEM connectors are edited using the Edit SIEM connector dialog. This can be accessed by clicking the edit SIEM connector button displayed to the left when hovering over a SIEM connector in the Vision / Network / SIEM Connectors page.

This dialog contains several tabs. The SIEM CONNECTOR tab contains the following inputs:

Name - Used to refer to the SIEM connector
Message format - Select either csv or json, click the DOWNLOAD EXAMPLE MESSAGES button to see the format of each of these messages
Select if this SIEM connector should be used by the OneDDI master server - If this is selected and it is also selected on another SIEM connector already, it will be unselected on the other SIEM connector

The SENSORS tab is where the sensors assigned to the SIEM connector can be selected by clicking the EDIT SELECTED SENSORS button.

Click the SAVE button to save changes to the SIEM connector.

Delete a SIEM Connector

NOTE This is a destructive operation which cannot be undone.

SIEM connectors are deleted using the Delete SIEM connector dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a SIEM connector in the Vision / Network / SIEM Connectors page.

The delete dialog prompts whether the SIEM connector should be deleted.

Click the DELETE button to confirm the SIEM connector should be deleted, after which the SIEM connector will be deleted.

ReDNS

Services

Working with Services

Services are viewed and managed under the ReDNS / Services page by clicking the ReDNS link displayed in the top menu bar and clicking the Services link.

The ReDNS / Services page will display a table of all defined services.

The following columns are displayed in the table for each service:

Actions - Clickable icons to manage each item
Service FQDN - The service Fully Qualified Domain Name, e.g. www.vendorn.com
Connector - Name of the underlying platform which hosts the service DNS records, for example Internal Infoblox Grid
DNS view - The DNS view in the underlying platform the DNS service records are managed in
Service group - Assigned service group, this is used to filter for groups of services
Description - A description provided when the service was created
Active records - A list of the target IP addresses and FQDN’s of all service records which are currently active for the service

A search control is displayed to the top right of the table. Values in the search field will be matched against a services Service FQDN, DNS view, description or active records. Additionally, services can be filtered by service group using the header of the service group column in the table.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.

The button ADD A SERVICE will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services, this button will be disabled. Upon clicking this button, the Add a service dialog will be displayed. See the ReDNS / Services / Add a Service section for details on this dialog and adding services.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all services will be exported to a CSV file and downloaded. See the ReDNS / Services / Export to CSV section for details on exporting services.

The link VIEW SERVICE will be displayed to the right of each service. Upon clicking this link the View service page will be displayed for the service. See the ReDNS / Services / View service section for details on this page and viewing services.

Upon hovering over a row in the table edit service, delete service and edit service permissions buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services the edit service and delete service buttons will be disabled, and the edit service permissions button is replaced with a view service permissions button.

Upon clicking the edit service button, the Edit service dialog will be displayed. See the ReDNS / Services / Edit a Service section for details on this dialog and editing a service.

Upon clicking the delete service button the Delete service dialog will be displayed. See the ReDNS / Services / Delete a Service section for details on this dialog and deleting a service.

Upon clicking the view or edit service permissions button the Edit service permissions or View service permissions dialog will be displayed depending on whether a user has been assigned permissions to manage services. See the ReDNS / Services / Services Permissions section for details on this dialog and service permissions.

Add a Service

Services are added using the Add a service dialog. This can be accessed by clicking the ADD A SERVICE button displayed in the ReDNS / Services page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

This dialog contains the following inputs:

Infoblox connector - Select which Infoblox connector which will be used to manage DNS service records, this is required
Infoblox DNS view - Specify the DNS view the DNS service records are to be managed under in the underlying Infoblox platform, this is required, e.g. default
Service FQDN - Specify the Fully Qualified Domain Name for the service, this is the DNS name used to connect to the service, e.g. www.vendorn.com
Service group - An optional service group to associate the service with, this can be used to filter for groups of related services
Description - An optional description for the service

Once all required attributes have been specified the ADD button will be enabled, and once clicked the service will be added.

Import Services

Service are imported using the Import service records dialog. This can be accessed by clicking the IMPORT SERVICE RECORDS button displayed in the ReDNS / Service Records page. If the currently authenticated user NOT been assigned permission to manage services this button will be disabled.

During import, when a service record is added, if the service specified for the service record does not exist it will be automatically created before the service record is added. This means that a service record must be imported to be able to import a service.

See the ReDNS / Service Records / Import Service Records section for more details on this dialog and importing service records.

Export to CSV

Services are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / Services page. Upon clicking this link all services will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:

Service FQDN - Fully Qualified Domain Name of the service, i.e. svc1.vendorn.com.
Connector - Name of the connector the service is associated with, i.e. Internal Grid.
DNS view - The DNS view the DNS service records are managed under, i.e. default
Service group - If associated, the service group associated to the service
Description - Description given to the service, i.e. Public service
Active records - A list of the target IP addresses and FQDN’s of all service records which are currently active for the service

Services Permissions

Service permissions are viewed and edited using the View service permissions and Edit service permissions dialogs. These can be accessed by clicking the view service permissions or edit service permissions buttons displayed to the left when hovering over a service in the ReDNS / Service page, or displayed to the right of a services Service FQDN at the top of the View service page. If the currently authenticated user has NOT been assigned permission to manage services the view service permissions button will be accessible otherwise the edit service permissions button will be accessible.

The View service permissions dialog displays all the groups which are permitted to swap the active service records for as service.

Note that this permission does not allow management of the service. A user must be associated with a group which has the manage-services permission assigned to be able to manage services. Permissions assigned at the service level are to swap the active service records of a service only, which includes changing service TTL’s.

The Edit service permissions dialog also displays all the groups which are permitted to swap the active service records for as service. Additionally, an EDIT SELECTED GROUPS button is displayed to permit selecting and deselecting which groups should be assigned the permission, after which the SAVE button can be used to save the selected permissions.

View Service

Detailed information about a service and its service record state can be accessed by clicking the VIEW SERVICE link displayed to the right of a service under the ReDNS / Services and ReDNS / Service Records pages.

The View service page is divided into multiple sections.

At the top of the View service page the services Service FQDN, Infoblox connector, Infoblox DNS view, service group and description are displayed. Additionally, an edit service, delete service and edit service permissions buttons will be displayed to the right. If the currently authenticated user has NOT been assigned permission to manage services the edit service and delete service buttons will be disabled, and the view service permissions button will be displayed in place of the edit service permissions button.

The SERVICE STATUS section displays how many of the services configured service records are active, and when the service was last actioned - i.e. the last time service records were swapped or service TTL’s changed. A SWAP ACTIVE SERVICE RECORDS button is displayed to the bottom of the panel. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Upon clicking this button, the Swap active service records dialog will be displayed. See the ReDNS / Services / Swap Active Service Records section for details on this dialog and swapping the active service records for a service. A VIEW SWAP HISTORY link will also be displayed to the bottom of the panel, when clicked the Swap history page will be displayed for the service. See the ReDNS / Services / Swap History section for details on this page. If no swap has occurred yet, then No data available will be displayed in the panel.

The BCP JOBS section displays a list of BCP jobs which have the service configured. Displayed to the right of each BCP job is a VIEW BCP JOB link, and when clicked the View BCP job page will be displayed for a BCP job. See the View BCP job page for details on this page.

The SERVICE RECORDS section displays a table containing the service records configured for the service and whether they are currently active in the underlying platform.

The following columns are displayed in the table for each service:

Actions - Clickable icons to manage each item
Record type - The type of DNS record used to manage the service record in the underlying platform, e.g. a-record or cname-record
Target - Depending on the target specified this will be either a Fully Qualified Domain Name or an IP address, this is what the Service FQDN resolves to when the service record is active in the underlying platform
TTL - The TTL to use when managing service records in the underlying platform, this field is summarised into a string, e.g. 1 hour, hovering over the field displays the number TTL in seconds, if the service record is configured not to override the DNS zone default TTL this will be the string Use DNS zone default
Is active - A green tick is displayed when the service is active in the underlying platform, otherwise a grey in-active icon is displayed
Swap action - A summary of what record will be added/renamed during the next swap of the service record

When a service record is active the service FQDN will be displayed to the left of the service record in the table in green. This is to indicate the service FQDN currently resolves to the service records specified target.

A search control is displayed to the top right of the table. Values in the search field will be matched against a service records record type or target.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of service records, and to control how many are displayed in a single page.

The button ADD A SERVICE RECORD will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services this button will be disabled. Upon clicking this button, the Add a service record dialog will be displayed. See the ReDNS / Services / Add a Service Record section for details on this dialog and adding service records.

The button CHECK SERVICE HEALTH will also be displayed to the top left of the table. Upon clicking this button, the Check service health dialog will be displayed. See the ReDNS / Services / Check Service Health section for details on this dialog and performing service health checks.

The button CHANGE SERVICE TTL’S will also be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Upon clicking this button, the Change service TTL’s dialog will be displayed. See the ReDNS / Services / Change Service TTL’s section for details on this dialog and changing service TTL’s.

Upon hovering over a row in the table edit service record and delete service record buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services these buttons will be disabled.

Upon clicking the edit service record button, the Edit service record dialog will be displayed. See the ReDNS / Services / Edit a Service Record section for details on this dialog and editing a service record.

Upon clicking the delete service record button the Delete service record dialog will be displayed. See the ReDNS / Services / Delete a Service Record section for details on this dialog and deleting a service record.

Add a Service Record

Services records are added using the Add a service record dialog. This can be accessed by clicking the ADD A SERVICE RECORD button displayed in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, this button will be disabled.

This dialog contains several tabs. The RECORD tab contains the following inputs:

Record type - Select from one of the following record types:
- a-record - Use a DNS A resource record in the underlying platform to manage the service record
- cname-record - Use a DNS CNAME resource record in the underlying platform to manage the service record
- host-alias - Use an alias on a host object in the underlying platform to manage the service record
- host-object - Use a host object in the underlying platform to manage the service record
Target IP address for the A record - If the Record type was specified as a-record the IP address must be specified, when the record is active the Service FQDN will resolve to the value specified
Target FQDN for the CNAME record - If the Record type was specified as cname-record a Fully Qualified Domain Name must be specified, when the service record is active the Service FQDN will resolve to the value specified
Target FQDN for the host alias - If the Record type was specified as host-alias the Fully Qualified Domain Name of the host object must be specified, when the service record is active the Service FQDN will resolve to the value specified
Target FQDN for the host object - If the Record type was specified as host-object the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specified, when the record is active the Service FQDN will resolve to the value specified
Select to specify that the A records corresponding PTR record is also updated during a swap - When the Record type field is specified as a-record this field is displayed, if selected, the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action field
Select to specify that this record is currently active - Select to specify if the service is in an active state in the underlying platform, i.e. the Service FQDN current resolves to the target specified and is using the specified Record type
Swap action - Select either Create the record when it is active and delete when in-active from the underlying platform, or to Rename the record when in-active to a specified in-active FQDN in the underlying platform
In-active FQDN - If Swap action is specified as Rename the record when in-active to a specified in-active FQDN this field will be enabled and required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not active

The TTL tab contains the following inputs:

Override the DNS zone default TTL - Select to enable the TTL (in seconds) input and specify a TTL for the service record
TTL (in seconds) - Specify a Time To Live for the service record, this is required, numbers in the range of 0 to 2147483647 can be specified, this field will be disabled unless the Select to override the DNS zone default TTL field is selected
Use the DNS zone default TTL - Select to indicate the service record should inherit the DNS zone default TTL

Once all required attributes have been specified the ADD button will be enabled, and once clicked the service record will be added.

Edit a Service Record

Service records are edited using the Edit service record dialog. This can be accessed by clicking the edit service record button displayed to the left when hovering over a service record in the ReDNS / Services / View service page for a service. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

This dialog contains several tabs. The RECORD tab contains the following inputs:

Record type - Select from one of the following record types:
- a-record - Use a DNS A resource record in the underlying platform to manage the service record
- cname-record - Use a DNS CNAME resource record in the underlying platform to manage the service record
- host-alias - Use an alias on a host object in the underlying platform to manage the service record
- host-object - Use a host object in the underlying platform to manage the service record
Target IP address for the A record - If the Record type was specified as a-record the IP address must be specified, when the record is active the Service FQDN will resolve to the value specified
Target FQDN for the CNAME record - If the Record type was specified as cname-record a Fully Qualified Domain Name must be specified, when the service record is active the Service FQDN will resolve to the value specified
Target FQDN for the host alias - If the Record type was specified as host-alias the Fully Qualified Domain Name of the host object must be specified, when the service record is active the Service FQDN will resolve to the value specified
Target FQDN for the host object - If the Record type was specified as host-object the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specified, when the record is active the Service FQDN will resolve to the value specified
Select to specify that the A records corresponding PTR record is also updated during a swap - When the Record type field is specified as a-record this field is displayed, if selected, the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action field
Select to specify that this record is currently active - Select to specify if the service is in an active state in the underlying platform, i.e. the Service FQDN current resolves to the target specified and is using the specified Record type
Swap action - Select either Create the record when it is active and delete when in-active from the underlying platform, or to Rename the record when in-active to a specified in-active FQDN in the underlying platform
In-active FQDN - If Swap action is specified as Rename the record when in-active to a specified in-active FQDN this field will be enabled and required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not active

The TTL tab contains the following inputs:

Override the DNS zone default TTL - Select to enable the TTL (in seconds) input and specify a TTL for the service record
TTL (in seconds) - Specify a Time To Live for the service record, this is required, numbers in the range of 0 to 2147483647 can be specified, this field will be disabled unless the Select to override the DNS zone default TTL field is selected
Use the DNS zone default TTL - Select to indicate the service record should inherit the DNS zone default TTL

Click the SAVE button to save changes to the service record.

Delete a Service Record

NOTE This is a destructive operation which cannot be undone.

Service records are deleted using the Delete service record dialog. This can be accessed by clicking the delete service record button displayed to the left when hovering over a service record in the ReDNS / Services / View service page for a service. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

The delete dialog prompts whether the service record should be deleted.

Click the DELETE button to confirm the service record should be deleted, after which the service record will be deleted.

Check Service Health

The health of a service and its configured service records can be checked using the Check service health dialog. This can be accessed by clicking the CHECK SERVICE HEALTH button displayed in the ReDNS / Services / View service page for a service.

During a service health check the underlying platform will be queried to understand the current state of the service and its service records. The service health check will attempt to identify issues which would prevent the successful swap of any of the configured service records. The service health check will also attempt to identify service records not configured in OneDDI.

Click the START SERVICE HEALTH CHECK button to perform the health check.

A progress bar is displayed and updated as the health check progresses. As issues are identified they will be displayed. Once the health check is complete, if no errors were found the progress bar will be coloured green and indicate that no issues were found. Otherwise the progress bar will be coloured red and indicate at least one issue was found.

For each issue found either an amber triangle or a red warning circle is displayed. Amber should be addressed, but they would not prevent the service from being successfully swapped. Red items are likely to prevent a service from being swapped successfully, and should be addressed.

Each issue identifies an issue with either one of the configured service records for a service, or the services Service FQDN itself. The exact item is displayed along with details of the issue. The following is an example issue:

Item: Service record with record type ‘a-record’ and target ‘1.1.1.1’
Issue: No A record was found in Infoblox for svc1.vendorn.com which points to 1.1.1.1. The service record is set as active in OneDDI but the A record does not exist in Infoblox.

In the above error an issue was identified with the service record which is configured with the record type of a-record and the target IP address of 1.1.1.1.. The service record is marked as active in OneDDI, but when consulting the underlying Infoblox platform no A record could be found for the Service FQDN of svc1.vendorn.com which resolved to 1.1.1.1.

This issue would prevent a successful swap of the service and would have to be addressed.

Change Service TTL’s

The TTL’s for all service records for a service can be changed using the Change service TTL’s dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S button displayed in the SERVICE RECORDS panel in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to change service TTL’s.

The Change service TTL’s dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress.

Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration. Two radio button options are presented, one must be selected. The first Configure all service records to use the following TTL allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL results in the existing TTL configuration being removed and the service records inheriting the DNS zone defaults TTL.

Once the new TTL configuration has been specified the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform to change service TTL’s. A table is displayed consisting of one row per service record, with the following columns:

Record type - The record type for the service record
Target - A Fully Qualified Domain Name or IP address depending on what record type the service record is configured for
New TTL - The TTL which the service record will be reconfigured to use, e.g. 1 hour, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service record is configured to use the DNS zone default TTL this will be the string Use DNS zone default

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service record it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all service records in this case. Otherwise, if not selected, the TTL change will stop at the first error.

Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.

During the TTL change each action is processed and a progress bar updated. Once complete, if the TTL change was successful the progress bar will turn green and indicate the TTL change completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.

A results table will also be displayed containing all the service records actioned and the outcome. If an error occurred actioning a service record the error will be displayed in the results table alongside the corresponding service record.

Once the TTL change is complete click the CLOSE button to close the dialog.

Swap Active Service Records

The active service records for a service can be swapped using the Swap active service records dialog. This can be accessed by clicking the SWAP ACTIVE SERVICE RECORDS button displayed in the SERVICE STATUS panel in the ReDNS / Services / View service page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled.

The Swap active service records dialog displays a three step wizard which guides a user through selecting which service records should be active, reviewing the changes which will be made, and then executing each change while displaying progress.

Upon entering the wizard step 1, the Edit service records page, is displayed. This step can be used to select which service records should be active following the swap. The step is prepopulated with the service records currently active for the service. An EDIT SELECTED SERVICE RECORDS button is displayed to the bottom, which can be used to add and remove selected service records from the list.

Once the require service records have been selected the NEXT button can be clicked to move on to step 2, the Review actions page. This page presents what changes will be made to the underlying platform during the swap. A table is displayed with the following columns:

Action - Either activate indicating the service record is added or renamed so that the Service FQDN resolves to the service record following the swap, deactivate indicating the service record is deleted or renamed so that the Service FQDN no longer resolves to the service record following the swap, or unchanged indicating the service is already active and does not require activating
Record type - The record type for the service record
Target - A Fully Qualified Domain Name or IP address depending on what record type the service record is configured for
Swap action - A summary of what record will be added/renamed during the swap of the service record

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service record it should not prevent the swap from running to completion, attempting to swap all records. Otherwise, if not selected, the swap will stop at the first error.

Once a comment has been entered in the required Comment field the SWAP NOW button can be clicked after which step 3, the Process actions page will be displayed and the swap will start.

During the swap each action is processed and a progress bar updated. Once complete, if the swap was successful the progress bar will turn green and indicate the swap completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.

Once the swap is complete click the CLOSE button to close the dialog.

Swap History

The swap history for a service can be viewed under the Swap history page by clicking the VIEW SWAP HISTORY link displayed in the SERVICE STATUS panel in the ReDNS / Services / View service page for a service.

Each time a service record is activated or deactivated a swap audit event is recorded and associated with the service. In addition when service TTL’s are changed an audit event is also recorded. The Swap history page displays a table of the audit events for a specific service.

The following columns are displayed in the table for each audit event:

Timestamp - A string specifying when the swap occurred, e.g. 2 hours ago, hovering over this field will result in a tooltip being displayed which shows the date and time in ISO format
Username - The name of the user who performed the service record swap
Action - Either activate, deactivate or change-ttl depending on what the audit event is for
Record type - The service records configured record type at the time the swap occurred
Target - The service records configured target at the time the swap occurred
TTL - The service records configured TTL at the time the swap occurred as a string, e.g. 1 hour, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service record is configured not to override the DNS zone default TTL at the time the service record was swapped this will be the string Use DNS zone default
Action summary - Contains a description of the action, e.g. Create marketplace.internal -> 1.1.1.1 or Change TTL for marketplace.internal -> 2.2.2.2
Comment - The comment entered by the user when the swap was performed

A search control is displayed to the top right of the table. Values in the search field will be matched against all displayed fields excluding the timestamp field.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of swap audit events, and to control how many are displayed in a single page.

Edit a Service

Services are edited using the Edit service dialog. This can be accessed by clicking the edit service button displayed to the left when hovering over a service in the ReDNS / Services page, or displayed to the right of a service’s FQDN at the top of the ReDNS / Services / View service page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

This dialog contains the following inputs:

Infoblox connector - Select which Infoblox connector which will be used to manage DNS service records, this is required
Infoblox DNS view - Specify the DNS view the DNS service records are to be managed under in the underlying Infoblox platform, this is required, e.g. default
Service FQDN - Specify the Fully Qualified Domain Name for the service, this is the DNS name used to connect to the service, e.g. www.vendorn.com
Service group - An optional service group to associate the service with, this can be used to filter for groups of related services
Description - An optional description for the service

Click the SAVE button to save changes to the service.

Delete a Service

NOTE This is a destructive operation which cannot be undone.

Services are deleted using the Delete service dialog. This can be accessed by clicking the delete service button displayed to the left when hovering over a service in the ReDNS / Services page, or displayed to the right of a service’s FQDN at the top of the ReDNS / Services / View service page. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

The delete dialog prompts whether the service should be deleted.

Click the DELETE button to confirm the service should be deleted, after which the service will be deleted.

Services Records

Working with Services Records

Services records are viewed and managed under the ReDNS / Services / View service page by clicking the VIEW SERVICE link displayed to the right of a service in the ReDNS / Services page, or under the ReDNS / Service Records which can be accessed by clicking the ReDNS link in the top menu bar and clicking the Services records link.

The ReDNS / Service Records page will display a table of all defined services.

The following columns are displayed in the table for each service record:

Actions - Clickable icons to manage each item
Service FQDN - The Fully Qualified Domain Name, e.g. www.vendorn.com, for the service the service record relates to
Connector - Name of the underlying platform which hosts the service DNS records, for example Internal Infoblox Grid
DNS view - The DNS view in the underlying platform the DNS service records are managed in
Service group - Assigned service group for the service the service record relates to, this is used to filter for groups of services
Record type - The type of DNS record used to manage the service record in the underlying platform, e.g. a-record or cname-record
Target - Depending on the target specified this will be either a Fully Qualified Domain Name or an IP address, this is what the Service FQDN resolves to when the service record is active in the underlying platform
TTL - The TTL to use when managing service records in the underlying platform, this field is summarised into a string, e.g. 1 hour, hovering over the field displays the number TTL in seconds, if the service record is configured not to override the DNS zone default TTL this will be the string Use DNS zone default
Is active - A green tick is displayed when the service is active in the underlying platform, otherwise a grey in-active icon is displayed
Swap action - A summary of what record will be added/renamed during the next swap of the service record

A search control is displayed to the top right of the table. Values in the search field will be matched against a services Service FQDN, DNS view, record type or target. Additionally, services records can be filtered by service group using the header of the service group column in the table.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.

The button IMPORT SERVICE RECORDS will be displayed to the top of the left of the table. If the currently authenticated user has NOT been assigned permission to manage services this button will be disabled. Upon clicking this button, the Import service records dialog will be displayed. See the ReDNS / Service records / Import Service Records section for details on this dialog and importing service records.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link, all service records will be exported to a CSV file and downloaded. See the ReDNS / Services Records / Export to CSV section for details on exporting service records.

The link VIEW SERVICE will be displayed to the right of each service record. Upon clicking this link, the View service page will be displayed for the service the service record relates to. See the ReDNS / Services / View service section for details on this page and viewing services.

Upon hovering over a row in the table edit service record, and delete service record buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services, the edit service record and delete service record buttons will be disabled.

Upon clicking the delete service record button, the Delete service record dialog will be displayed. See the ReDNS / Services / Delete a Service Record section for details on this dialog and deleting a service record.

Import Service Records

Service records are imported using the Import service records dialog. This can be accessed by clicking the IMPORT SERVICE RECORDS button displayed in the ReDNS / Service Records page, which can be accessed by clicking the ReDNS link in the top menu bar and clicking the Services records link. If the currently authenticated user NOT been assigned permission to manage services, this button will be disabled.

Services are also imported using the Import service records dialog. During import, when a service record is added, if the service specified for the service record does not exist it will be automatically created before the service record is added. This means that a service record must be imported to be able to import a service.

In this dialog a CSV import file must be specified which contains the service records to be imported. The CSV import file should define one service record per line using the following fields:

FQDN,Connector,DNS view,Service group,Description,Record type,Target,Override zone TTL,TTL,Swap action,In-active FQDN,Is active

The FQDN, Connector, Service group, DNS view and Description fields identify the corresponding service the service record is to be associated with. If the service already exists, the Service group and Description fields can be left blank. If the service does not yet exist it will be automatically created during import, therefore the first instance of the service in the CSV import file should have a value in the Service group and Description fields to set the service group and description for the automatically created service.

The remaining fields are required as follows:

Record type - Select from one of the following record types:
- a-record - Use a DNS A resource record in the underlying platform to manage the service record
- cname-record - Use a DNS CNAME resource record in the underlying platform to manage the service record
- host-alias - Use an alias on a host object in the underlying platform to manage the service record
- host-object - Use a host object in the underlying platform to manage the service record
Target - If the Record type was specified as a-record the IP address must be specified, if the Record type was specified as cname-record a Fully Qualified Domain Name must be specified, if the Record type was specified as host-alias the Fully Qualified Domain Name of the host object must be specified, if the Record type was specified as host-object the IP address for a host object must be specified, if a host object has multiple IP addresses configured in the underlying platform only one of the configured addresses should be specified
Manage PTR record - This field is ignored unless the Record type field has the value a-record, specify yes if the A records corresponding PTR record will be added, deleted or renamed when the A record is modified depending on what swap action is specified in the Swap action field
Override zone TTL - Specify yes to use the value specified in the TTL field for the DNS service records TTL, or no to use the DNS zones default TTL
TTL - If the Override zone TTL field is not yes then this field is ignored, otherwise specify the TTL in seconds for the DNS service record
Swap action - Specify either to delete the service record from the underling platform when it is in-active (later adding again when it is made active), or whether to retain the service record but rename it to the specified In-active FQDN by specifying rename for this field
In-active FQDN - If Swap action is specified as delete this field will be ignored, otherwise the field is required and must contain the Fully Qualified Domain Name the service record will be renamed to in the underlying platform when it is not active
Is active - Specify yes if the service is in an active state in the underlying platform, i.e. the service FQDN currently resolves to the target specified and is using the specified Record type

If the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.

An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.

Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure an existing service record for the specified record type and target does not already exist. If an existing service record is found an error will be displayed.

Once successfully verified the IMPORT button can be clicked. Once clicked all service records will be added along with any services which are to be automatically created.

Export to CSV

Service records are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / Service Records page. Upon clicking this link all service records for all services will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:

Service FQDN - Fully Qualified Domain Name of the service, i.e. svc1.vendorn.com.
Connector - Name of the connector the service is associated with, i.e. Internal Grid.
DNS view - The DNS view the DNS service records are managed under, i.e. default
Service group - Service group associated with the service, i.e. Network Apps
Description - Description given to the service, i.e. Public service
Record type - Specifies the record type which can be one of a-record, cname-record, host-alias or host-object
Target - Either a Fully Qualified Domain Name or an IP address depending on the value for the Record type field
Override zone TTL - Either yes to indicate the TTL field contains the TTL used for the service record, or no to indicate the DNS zone default TTL will be used for the service record
TTL - If the Override zone TTL field is yes this field contains the TTL used for the service record, otherwise this field contains the value 0
Swap action - Either delete to indicate service records are added and deleted when they are made active and in-active, or rename to indicate service records are renamed from and to the Fully Qualified Domain Name specified in the In-active FQDN field when they are made active and in-active
In-active FQDN - If the Swap action field is rename this field contains the Fully Qualified Domain Name used by the service record when it is in-active
Is active - Either yes to indicate the services Fully Qualified Domain Name currently resolves to the service record, otherwise this field will be no

Note when exporting service records, when a service has more than one service record the service will appear multiple times, once for each line - which will contain a service record.

BCP jobs

Working with BCP Jobs

BCP jobs are viewed and managed under the ReDNS / BCP Jobs page by clicking the ReDNS link displayed in the top menu bar and clicking the BCP jobs link.

The ReDNS / BCP Jobs page will display a table of all defined BCP jobs.

The following columns are displayed in the table for each BCP job:

Actions - Clickable icons to manage each item
Name - Name given to the BCP job
Include TTL change - If the BCP job is planned, and will include pre/post actions to change service TTL’s, this field will include a green tick to indicate this is enabled
No. services - The number of services which have been added to the job
Service groups - A list of all the service groups associated with the services which have been added to the BCP job
Progress - An indicator of the progress of all BCP actions for all services, this includes pre-BCP TTL change, failover, failback and post-BCP TTL change

A search control is displayed to the top right of the table. Values in the search field will be matched against the name and service groups fields.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of BCP jobs, and to control how many are displayed in a single page.

The button ADD A BCP JOB will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage BCP jobs, this button will be disabled. Upon clicking this button, the Add a BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Add a BCP Job section for details on this dialog and adding BCP jobs.

The link VIEW BCP JOB will be displayed to the right of each BCP job. Upon clicking this link the View BCP job page will be displayed for the BCP job. See the ReDNS / BCP Jobs / View BCP Job section for details on this page and viewing BCP jobs.

Upon hovering over a row in the table edit BCP job and delete BCP job buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage BCP jobs the edit BCP job and delete BCP job buttons will be disabled.

Upon clicking the edit BCP job button, the Edit BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Edit a BCP Job section for details on this dialog and editing a BCP job.

Upon clicking the delete BCP job button the Delete BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Delete a BCP Job section for details on this dialog and deleting a BCP job.

Add a BCP Job

BCP jobs are added using the Add a BCP job dialog. This can be accessed by clicking the ADD A BCP JOB button displayed in the ReDNS / BCP Jobs page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.

This dialog contains the following inputs:

Name - The name assigned to the BCP job
Select to include a pre-BCP TTL change action and a post-BCP TTL change action for the BCP job - Select this box to include a pre/post BCP action to change service TTL’s

Once all required attributes have been specified the ADD button will be enabled, and once clicked the BCP job will be added.

View BCP Job

Detailed information about a BCP job, its configuration and its progress can be accessed by clicking the VIEW BCP JOB link displayed to the right of a BCP job under the ReDNS / BCP jobs page.

The View BCP job page is divided into multiple sections.

At the top of the View BCP job page the BCP jobs name, no. services associated to the BCP job, and the failover/failback configuration status of all associated services are displayed. Additionally, an edit BCP job and delete BCP job button is be displayed to the right of the BCP job name. If the currently authenticated user has NOT been assigned permission to manage BCP jobs the edit BCP job and delete BCP job button will be disabled.

The PROGRESS section displays the progress for each action which will be performed for the BCP job for all services. If the BCP job has been configured to include a pre/post BCP TTL change action the progress section is divided into four sections, one for the pre-BCP TTL change, one for failover, one for failback and one for post-BCP TTL change. Otherwise the progress section is divided into two sections, one for failover and one for failback. In both cases each section displays a progress indicator of which services have had the related action completed.

The SERVICES section displays a table containing the services added to the BCP job, along with the progress for each BCP action for each service.

The following columns are displayed in the table for each service:

Actions - Clickable icons to manage each item
Service FQDN - FQDN of the associated service
Connector - Connector the service is associated with
DNS view - DNS view the service is configured with
Service group - Service group associated with the service
Progress - Four coloured icons are displayed to indicate the progress of each BCP action for the service, one for pre-BCP TTL change, one for failover, one for failback and one for post-BCP TTL change, if the BCP job is not configured to include a pre/post BCP TTL change action then only two coloured icons will be displayed, if the action has been completed the icon will be coloured green, other it will be colour grey to indicate it not been completed yet
Failover service records - The list of targets configured on the service records which will be made active then the failover action is completed for the service
Failback service records - The list of targets configured on the service records which will be made active then the failback action is completed for the service

For the progress column, if an action has not yet been completed it can be clicked to display the Mark action as completed dialog. See the ReDNS / BCP Jobs / Mark BCP Action as Complete section for more details on skipping an action by marking it as already completed.

A search control is displayed to the top right of the table. Values in the search field will be matched against the service FQDN, DNS view, failover service records and the failback service records fields.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.

The button ADD SERVICES will be displayed to the top left of the table. Upon clicking this button, the Add BCP job services dialog will be displayed. See the ReDNS / BCP Jobs / Add BCP Job Services section for details on this dialog and adding services to a BCP job.

Upon hovering over a row in the table a configure service for failover and failback button will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to configure the service for failover and failback for the BCP job. Upon clicking this button, the Configure service for BCP job dialog will be displayed. See the ReDNS / BCP Jobs / Configure a Service for Failover and Failback section for details on this dialog.

A checkbox is displayed to the left of each row in the services table. This can be used to select multiple services. Once at least one service is selected the ACTION SERVICES button displayed to the top of the table will be enabled. This menu contains actions to perform for BCP events, and to manage services. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the checkbox for the service will be disabled. Either permission is required to perform any of the actions under the ACTION SERVICES menu.

The DELETE SERVICES link under the MANAGE SERVICES section in the ACTION SERVICES menu can be used to delete services from the BCP job. Clicking this link will result in the Delete BCP job services dialog being displayed. See the ReDNS / BCP Jobs / Delete BCP Job Services section for details on this dialog.

The CHECK SERVICE HEALTH link under the MANAGE SERVICES section in the ACTION SERVICES menu can be used to check the health of services associated with the BCP job. Clicking this link will result in the Check service health dialog being displayed. See the ReDNS / BCP Jobs / Check Service Health section for details on this dialog.

The CHANGE SERVICE TTL’S link under the PRE-BCP ACTIONS section in the ACTION SERVICES menu can be used to change the TTL’s of one or more services, for example to reduce the TTL’s ahead of a planned BCP event. Clicking this link will result in the Change service TTL’s (pre-BCP) dialog being displayed. See the ReDNS / BCP Jobs / Change Service TTL’s (pre-BCP) section for details on this dialog. This link will be disabled if the failover action has been completed for one of the selected services already.

The FAILOVER SERVICES link under the BCP ACTIONS section in the ACTION SERVICES menu can be used to failover one or more services. Clicking this link will result in the Failover services dialog being displayed. See the ReDNS / BCP Jobs / Failover Services section for details on this dialog. This link will be disabled if the failover action has been completed for one of the selected services already.

The FAILBACK SERVICES link under the BCP ACTIONS section in the ACTION SERVICES menu can be used to failback one or more services. Clicking this link will result in the Failback services dialog being displayed. See the ReDNS / BCP Jobs / Failback Services section for details on this dialog. This link will be disabled if the failback action has been completed for one of the selected services already, or the failover action has not been completed for one of the selected services yet.

The CHANGE SERVICE TTL’S link under the POST-BCP ACTIONS_ section in the ACTION SERVICES menu can be used to change the TTL’s of one or more services, for example to increase the TTL’s following a planned BCP event. Clicking this link will result in the Change service TTL’s (post-BCP) dialog being displayed. See the ReDNS / BCP Jobs / Change Service TTL’s (post-BCP) section for details on this dialog. This link will be disabled if the failover action has not yet been completed for one of the selected services.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link all services assigned to the BCP job will be exported to a CSV file and downloaded. See the ReDNS / BCP Jobs / Export to CSV section for details on exporting services.

Add BCP Job Services

Services are added to a BCP job using the Add BCP job services dialog. This can be accessed by clicking the ADD SERVICES button displayed in the View BCP job page for a BCP job.

This dialog will display a table of available services. Available services are ones which are not currently associated with the BCP job, and services the currently authenticated user has permissions to swap (either the currently authenticated user is part of a group with permissions to manage services, or is associated with a group that is specified in the services permissions).

The following columns are displayed in the table:

Service FQDN - FQDN of the associated service
Connector - Connector the service is associated with
DNS view - DNS view the service is configured with
Service group - Service group associated with the service

A search control is displayed to the top of the table. Values in the search field will be matched against a services Service FQDN or DNS view. Additionally, services can be filtered by service group using the header of the service group column in the table.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of services, and to control how many are displayed in a single page.

A checkbox is displayed to the left of each service, the checkbox of the services which should be added to the BCP job should be checked, then the ADD button should be clicked, after which the services will be added to the BCP job.

Delete BCP Job Services

Services are deleted from a BCP job by clicking the DELETE SERVICES link under the MANAGE SERVICES section of the ACTION SERVICES menu displayed in the SERVICES panel in the View BCP job page for a BCP job, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to perform health checks for a service using this feature.

The Delete BCP job services dialog will display a table of the services which are to be deleted from the BCP job. The following columns are displayed in the table:

Service FQDN - FQDN of the associated service
Connector - Connector the service is associated with
DNS view - DNS view the service is configured with
Service group - Service group associated with the service

Click the DELETE to delete the services from the BCP job, after which the services will be deleted from the BCP job.

Configure a Service for Failover and Failback

Services are configured for failover and failback using the Configure service for BCP job dialog. This can be accessed by clicking the configure button displayed to the left when hovering over a service in the View BCP job page for a service. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to configure the service for failover and failback.

This dialog contains two tabs. The FAILOVER SERVICE RECORDS tab contains the service records which should be made active when the failover action is performed for the service. The EDIT SELECTED SERVICE RECORDS button can be used to add or remove service records from the list.

The FAILBACK SERVICE RECORDS tab contains the service records which should be made active when the failback action is performed for the service. The EDIT SELECTED SERVICE RECORDS button can be used to add or remove service records from the list.

Click the SAVE button to save changes to the failover and failback configuration.

Import BCP Job Services

Services can be imported to a BCP job using the Import BCP job services dialog. This can be accessed by clicking the IMPORT SERVICES button displayed in the View BCP Job page.

In this dialog a CSV import file must be specified which contains the services to be imported to the BCP job. The CSV import file should define one services per line using the following fields:

FQDN,Connector,DNS view,Service group,Failover service records,Failback service records

All fields are required, excluding the service group field which is included to be compatible with the BCP job service CSV export format, as follows:

FQDN - Identifies the FQDN of the service which should be added to the BCP job
Connector - Identifies the connector for the service
DNS view - Identifies the DNS view for the service
Service group - This field is ignored, and is included to be compatible with the BCP job service CSV export format
Failover service records - A space separated list of targets which identifies the service records defined on the service which should be made active when the failover action is performed for the service
Failback service records - A space separated list of targets which identifies the service records defined on the service which should be made active when the failback action is performed for the service

If the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.

An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.

Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure the services and service records specified exist and that the services don’t already exist on the BCP job. If an issue is identified an error will be displayed.

Once successfully verified the IMPORT button can be clicked. Once clicked all services will be added to the BCP job.

Export to CSV

The services associated with a BCP job are exported to CSV using the EXPORT TO CSV link displayed in the ReDNS / BCP jobs / View BCP job_ page. Upon clicking this link all services associated with the BCP job will be exported to a CSV file and downloaded, with the resulting CSV file having the following fields:

Service FQDN - FQDN of the associated service
Connector - Connector the service is associated with
DNS view - DNS view the service is configured with
Service group - Service group associated with the service
Failover service records - The list of targets configured on the service records which will be made active then the failover action is completed for the service, multiple targets will be separated with spaces
Failback service records - The list of targets configured on the service records which will be made active then the failback action is completed for the service, multiple targets will be separated with spaces

Check Service Health

The health of multiple services can be changed using the Check search health dialog. This can be accessed by clicking the CHECK SERVICE HEALTH link under the MANAGE SERVICES section of the ACTION SERVICES menu displayed in the SERVICES panel in the View BCP job page for a BCP job, once the services checkbox has been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to perform health checks for a service using this feature.

During a service health check the underlying platform will be queried to understand the current state of a service. The service health check will attempt to identify issues which would prevent the successful swap of any of the configured service records for each service.

Click the START SERVICE HEALTH CHECK button to perform the health check.

A table will be also be displayed listing all the services which will be checked, with the following columns:

Service FQDN - The services Fully Qualified Domain Name
Connector - The connector the service is associated with
DNS view - The DNS view the service is configured with
Status - If no issues were identified complete will be displayed, otherwise failed with error: At least one issue has been detected! will be displayed and an toggle expand icon will be displayed which once clicked will display the errors identified for a service

Item: Service record with record type ‘a-record’ and target ‘1.1.1.1’
Issue: No A record was found in Infoblox for svc1.vendorn.com which points to 1.1.1.1. The service record is set as active in OneDDI but the A record does not exist in Infoblox.

This issue would prevent a successful swap of the service and would have to be addressed.

Change Service TTL’s (pre-BCP)

Before the failover action is completed for one or more services the TTL’s for the services can be changed using the Change service TTL’s (pre-BCP) dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S link under the PRE-BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to change service TTL’s.

The Change service TTL’s (pre-BCP) dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress.

Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration. Two radio button options are presented, one must be selected. The first Configure all services to use the following TTL allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL results in the existing TTL configuration being removed and the services inheriting the DNS zone defaults TTL.

Service FQDN - The services Fully Qualified Domain Name
Connector - The connector the service is associated with
DNS view - The DNS view the service is configured with
New TTL - The TTL which the service will be reconfigured to use, e.g. 1 hour, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service is configured to use the DNS zone default TTL this will be the string Use DNS zone default

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all services in this case. Otherwise, if not selected, the TTL change will stop at the first error.

Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.

A results table will also be displayed containing all the services actioned and the outcome. If an error occurred actioning a service the error will be displayed in the results table alongside the corresponding service.

Once the TTL change is complete click the CLOSE button to close the dialog.

Failover Services

The failover action can be completed for one or more services using the Failover services dialog. This can be accessed by clicking the FAILOVER SERVICES link under the BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If failover has already been completed for one of the selected services this link will be disabled. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to failover services.

The Failover services dialog displays a two step wizard which allows a user to review the changes which will be made, and then executing each change while displaying progress.

Upon entering the wizard step 1, the Review actions page, is displayed. This page presents which services the failover action will be performed for. A table is displayed consisting of one row per service, with the following columns:

Service FQDN - The services Fully Qualified Domain Name
Connector - The connector the service is associated with
DNS view - The DNS view the service is configured with
Service group - The service group associated with the service

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the failover from running to completion, an attempt will be made to failover all services in this case. Otherwise, if not selected, failover will stop at the first error.

Once a comment has been entered in the required Comment field the FAILOVER NOW button can be clicked after which step 2, the Process actions page will be displayed and failover will start.

During failover each action is processed and a progress bar updated. Once complete, if failover was successful the progress bar will turn green and indicate the failover completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.

Once failover is complete click the CLOSE button to close the dialog.

Failback Services

The failback action can be completed for one or more services using the Failback services dialog. This can be accessed by clicking the FAILBACK SERVICES link under the BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If failover has NOT yet been completed for one of the selected services this link will be disabled. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to failback services.

The Failback services dialog displays a two step wizard which allows a user to review the changes which will be made, and then executing each change while displaying progress.

Upon entering the wizard step 1, the Review actions page, is displayed. This page presents which services the failback action will be performed for. A table is displayed consisting of one row per service, with the following columns:

Service FQDN - The services Fully Qualified Domain Name
Connector - The connector the service is associated with
DNS view - The DNS view the service is configured with
Service group - The service group associated with the service

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the failback from running to completion, an attempt will be made to failback all services in this case. Otherwise, if not selected, failback will stop at the first error.

Once a comment has been entered in the required Comment field the FAILBACK NOW button can be clicked after which step 2, the Process actions page will be displayed and failback will start.

During failback each action is processed and a progress bar updated. Once complete, if failback was successful the progress bar will turn green and indicate the failback completed successfully. Otherwise the progress bar will turn red and indicate at least one error occurred.

Once failback is complete click the CLOSE button to close the dialog.

Change Service TTL’s (post-BCP)

Once the failover action has been completed for one or more services the TTL’s for the services can be changed using the Change service TTL’s (post-BCP) dialog. This can be accessed by clicking the CHANGE SERVICE TTL’S link under the POST-BCP ACTIONS section of the ACTION SERVICES menu displayed in the SERVICES panel in the ReDNS / BCP Job / View BCP job page for a service, once the services checkboxes have been checked. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, the services checkbox will not be enabled. Either permission is required to change service TTL’s.

The Change service TTL’s (post-BCP) dialog displays a three step wizard which guides a user through specifying new TTL configuration, reviewing the changes which will be made, and then executing each change while displaying progress. Upon entering the wizard step 1, the New TTL configuration page, is displayed. This step can be used to specify the new TTL configuration.

Before the new TTL configuration can be specified one of two radio buttons need to be selected. The Revert service TTL's to their previous values where possible can be selected to indicate that the TTL’s in use by each service before they were changed using the change service TTL’s pre-BCP action should be used. Otherwise, to specify that all services must use a specified TTL, ignoring any TTL they may have been configured before failover, by selecting the Ignore the previous TTL values for all selected services and use the TTL configuration below. If none of the selected services have had their TTL’s changed before failover, these two radio buttons will not be displayed.

Two radio button options are then presented to specify new TTL configuration, one must be selected. The first Configure all services to use the following TTL allows a TTL to be specified in seconds with several pre-sets provided for quick selection. The second Remove the existing TTL configuration and use the DNS zone default TTL results in the existing TTL configuration being removed and the services inheriting the DNS zone defaults TTL.

Service FQDN - The services Fully Qualified Domain Name
Connector - The connector the service is associated with
DNS view - The DNS view the service is configured with
New TTL - The TTL which the service will be reconfigured to use, e.g. 1 hour, hovering over this field will result in a tooltip being displayed which shows the TTL in seconds, if the service is configured to use the DNS zone default TTL this will be the string Use DNS zone default, if it was specified to use previous TTL’s if available in step 1, and the a previous TTL is available, the TTL will be displayed along with (previous TTL), i.e. an hour (previous TTL)

Once the actions have been reviewed, the select field Select to continue if an error occurs processing an action can be selected to indicate if an error occurs processing a service it should not prevent the TTL changes from running to completion, an attempt will be made to change the TTL’s of all services in this case. Otherwise, if not selected, the TTL change will stop at the first error.

Once a comment has been entered in the required Comment field the CHANGE NOW button can be clicked after which step 3, the Process actions page will be displayed and the TTL change will start.

Once the TTL change is complete click the CLOSE button to close the dialog.

Mark BCP Action as Complete

A specific BCP action for a specific service can be skipped and mark as completed using the Mark action as completed dialog. This can be accessed by clicking the specific action icon displayed in the progress column for the service in the View BCP job page. If the currently authenticated user has NOT been assigned permission to manage services, or is not associated with a group that is specified in the services permissions, this button will be disabled. Either permission is required to mark BCP actions as complete for a service.

The mark complete dialog prompts whether the specified BCP action should be marked as completed for the service.

Click the APPLY button to confirm the specified BCP action should be marked as completed for the service, after which it will be marked as completed.

Reset BCP Job Progress

NOTE This is a destructive operation which cannot be undone.

BCP jobs can be reused. The current progress for a fully, or partially, completed BCP job can be reset using the Reset BCP job progress dialog. This can be accessed by clicking the reset BCP job progress button displayed to the right of a BCP job name at the top of the ReDNS / BCP Jobs / View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.

The reset progress dialog prompts whether BCP job progress should be reset.

Click the RESET button to confirm BCP job progress should be reset, after which BCP job progress will be reset.

Edit a BCP Job

BCP jobs are edited using the Edit BCP job dialog. This can be accessed by clicking the edit BCP job button displayed to the left when hovering over a service in the ReDNS / BCP jobs page, or displayed to the right of a BCP job name at the top of the View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.

This dialog contains the following inputs:

Name - The name assigned to the BCP job
Select to include a pre-BCP TTL change action and a post-BCP TTL change action for the BCP job - Select this box to include a pre/post BCP action to change service TTL’s, this field cannot be changed if one or more BCP job actions have been performed for a service

Click the SAVE button to save changes to the BCP.

Delete a BCP Job

NOTE This is a destructive operation which cannot be undone.

BCP jobs are deleted using the Delete BCP job dialog. This can be accessed by clicking the delete BCP job button displayed to the left when hovering over a BCP job in the ReDNS / BCP Jobs page, or displayed to the right of a BCP jobs name at the top of the ReDNS / BCP jobs / View BCP job page. If the currently authenticated user NOT been assigned permission to manage BCP jobs this button will be disabled.

The delete dialog prompts whether the BCP job should be deleted.

Click the DELETE button to confirm the BCP job should be deleted, after which the BCP job will be deleted.

Connectors

Working with Connectors

Connectors are viewed and managed under the ReDNS / Connectors page by clicking the ReDNS link displayed in the top menu bar and selecting the Connectors link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to manage or view connectors they will not be permitted access to this page.

The ReDNS / Connectors page will display a table of all defined connectors.

OneDDI supports connectors for the BlueCat Address Manager and Infoblox NIOS DDI platforms. An Infoblox connector manages the data for one Infoblox NIOS Grid. A BlueCat connector manages the data for one Configuration within one BlueCat Address Manager. Where data must be managed for two Configurations in a single BlueCat Address Manager instance then two BlueCat connectors must be created.

The following columns are displayed in the table for each connector:

Actions - Clickable icons to manage each item
Name - Name used to refer to the connector
Type - This will be either bluecat or infoblox
Management servers - Two fields are displayed, one for each DDI management server configured, if only one is configured then second host not configured will be displayed in the second field, the management server currently being used (based on the configuration of the connector) will be highlighted in green
Configuration - The following fields will be displayed in this column:
- port - TCP port used to connect to make HTTP requests to the configured management servers
- configuration name - If this connector is a BlueCat connector then the name of the BlueCat Configuration under which data is being managed will be displayed

A search control is displayed to the top right of the table. Values in the search field will be matched against a connectors name or any of the key/value configuration items.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of connectors, and to control how many are displayed in a single page.

The button ADD A CONNECTOR will be displayed to the top left of the table. Upon clicking this button, the Add Connector dialog will be displayed. See the ReDNS / Connectors / Add a Connector section for details on this dialog and adding connectors.

Upon hovering over a row in the table edit connector and delete connector buttons will be displayed to the left.

Upon clicking the edit connector button, the Edit connector dialog will be displayed. See the ReDNS / Connectors / Edit a Connector section for details on this dialog and editing a connector.

Upon clicking the delete connector button, the Delete connector dialog will be displayed. See the ReDNS / Connectors / Delete a Connector section for details on this dialog and deleting a connector.

Add a Connector

Connectors are added using the Add a connector dialog. This can be accessed by clicking the ADD A CONNECTOR button displayed in the ReDNS / Connectors page.

This dialog contains several tabs. The CONNECTOR tab contains the following inputs:

Name - Used to refer to the connector, this is required, there are no restrictions on this field
Connector type - Select either bluecat or infoblox depending on the required type
First management server - IPv4 address or FQDN of an Infoblox Grid Master or active BlueCat Address Manager, this is required, e.g. gm.vendorn.com
Second management server - IPv4 address or FQDN of an Infoblox Grid Master candidate or a standby BlueCat Address Manager, this is optional, e.g. gmc.vendorn.com
Select to use the second management server - If Second management server is specified this field will be enabled, select the item to specify when the Second management server should be used to connect to Infoblox or BlueCat, e.g. because the First management server is offline
API version - This field is displayed for Infoblox connectors, this contains a string specifying the version of the Infoblox API to use, this is required and defaults to 2.10.
Configuration name - Name of the BlueCat Address Manager Configuration under which data will be managed, a connector must be created for each BlueCat Configuration in which OneDDI will manage services regardless if they are on the same BlueCat Address Manager
HTTPS port - The TCP port to use when connecting to Infoblox or BlueCat, this is required and defaults to 443

Once all required attributes have been specified the TEST CONNECTIVITY button will be enabled, and once clicked some data is acquired from the first management server, and second management server if specified to verify network connector. The results from each check will be displayed.

The CREDENTIALS tab contains the following inputs:

Username - Username to use when connecting to Infoblox or BlueCat to read and write data
Password - Password for Username

NOTE For Infoblox, the specified user must have permission to read/write A records, CNAME records, Hosts and their Aliases. Additionally, the user must also have permission to read/write all IPv4 networks (this permission is required to manage the previous object types using the Infoblox API).

NOTE For BlueCat, the specified user must have read permission to the DNS views and DNS zones for which services will be managed, and full access to be able to create and delete Generic, Alias and Host Records. Additionally, the user must have the appropriate permissions so that changes are dynamically updated on DNS servers.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the connector will be added.

Edit a Connector

Connectors are edited using the Edit connector dialog. This can be accessed by clicking the edit connector button displayed to the left when hovering over a connector in the ReDNS / Connectors page.

This dialog contains several tabs. The CONNECTOR tab contains the following inputs:

Name - Used to refer to the connector, this is required, there are no restrictions on this field
Connector type - Select either bluecat or infoblox depending on the required type
First management server - IPv4 address or FQDN of an Infoblox Grid Master or active BlueCat Address Manager, this is required, e.g. gm.vendorn.com
Second management server - IPv4 address or FQDN of an Infoblox Grid Master candidate or a standby BlueCat Address Manager, this is optional, e.g. gmc.vendorn.com
Select to use the second management server - If Second management server is specified this field will be enabled, select the item to specify when the Second management server should be used to connect to Infoblox or BlueCat, e.g. because the First management server is offline
API version - This field is displayed for Infoblox connectors, this contains a string specifying the version of the Infoblox API to use, this is required and defaults to 2.10.
Configuration name - Name of the BlueCat Address Manager Configuration under which data will be managed, a connector must be created for each BlueCat Configuration in which OneDDI will manage services regardless if they are on the same BlueCat Address Manager
HTTPS port - The TCP port to use when connecting to Infoblox or BlueCat, this is required and defaults to 443

The CREDENTIALS tab contains the following inputs:

Username - Username to use when connecting to Infoblox or BlueCat to read and write data
Password - Password for Username

Click the SAVE button to save changes to the connector.

Delete a Connector

NOTE This is a destructive operation which cannot be undone.

Connectors are deleted using the Delete Connector dialog. This can be accessed by clicking the delete button displayed to the left when hovering over a connector in the ReDNS / Connectors page.

The delete dialog prompts whether the connector should be deleted.

Click the DELETE button to confirm the connector should be deleted, after which the connector will be deleted.

IPMeye

Working with Devices

Devices are viewed and managed under the IPMeye page by clicking the IPMeye link displayed in the top menu bar.

The IPMeye page will display a table of all defined devices.

The following columns are displayed in the table for each device:

Actions - Clickable icons to manage each item
Name - Name of the device, e.g. ibdevice1
IP address - IPv4 address for the device, e.g. 10.0.0.1
Port - UDP port to use when communicating with the device using IPMI, i.e. 623
Status - A coloured icon and message indicating the IPMI connection status of the device, OneDDI performs an IPMI ping of each device every 60 seconds, if a IPMI response was received a green icon will be displayed along with the message “IPMI ping successful”, otherwise a red icon will be displayed along with a message indicating the reason for error

A search control is displayed to the top right of the table. Values in the search field will be matched against a devices name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of devices, and to control how many are displayed in a single page.

The button ADD A DEVICE will be displayed to the top left of the table. If the currently authenticated user has NOT been assigned permission to manage devices this button will be disabled. Upon clicking this button, the Add a device dialog will be displayed. See the IPMeye / Add a Device section for details on this dialog and adding devices.

The button IMPORT DEVICES will be displayed to the top of the left of the table. If the currently authenticated user has NOT been assigned permission to manage devices this button will be disabled. Upon clicking this button, the Import devices dialog will be displayed. See the IPMeye / Import Devices section for details on this dialog and importing devices.

The link EXPORT TO CSV will be displayed to the top of the left of the table. Upon clicking this link, all devices will be exported to a CSV file and downloaded. See the IPMeye / Export to CSV section for details on exporting devices.

The link IPMI CONSOLE will be displayed to the right of each device. Upon clicking this link, the IPMI console page will be displayed for the device. See the IPMeye / IPMI Console section for details on this page and viewing a devices console.

If a SerialEyes module license is installed, the link SERIAL CONSOLE will be displayed to the right of each device. Upon clicking this link, the SerialEyes page will be displayed with the IP address and port fields populated from the device. See the SerialEyes / Connect to a Device section for details on this page.

Upon hovering over a row in the table edit device and delete device buttons will be displayed to the left. If the currently authenticated user has NOT been assigned permission to manage devices these buttons will be disabled.

Upon clicking the edit device button the Edit device dialog will be displayed. See the IPMeye / Edit a Device section for details on this dialog and editing a device.

Upon clicking the delete device button the Delete device dialog will be displayed. See the IPMeye / Delete a Device section for details on this dialog and deleting a device.

Add a Device

Devices are added using the Add a device dialog. This can be accessed by clicking the ADD A DEVICE button displayed in the IPMeye page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.

This dialog contains the following inputs:

Name - Name used to refer to the device in OneDDI, this is required, e.g. “ibdevice1”
IP address - IP address used to communicate with the device using the IPMI protocol, this is required, e.g. 10.0.0.1
Port - UDP port to use when communicating with the device using IPMI, this is required, e.g. 623
IPMI username - IPMI operator level username used to communicate with the device using the IPMI protocol, this is optional, if either this or the IPMI password field is not specified users will be prompted for IPMI credentials when required
IPMI password - Password for the user specified in the IPMI username field, this is optional, if either this or the IPMI username field is not specified users will be prompted for IPMI credentials when required

Once all required attributes have been specified the ADD button will be enabled, and once clicked the device will be added.

Import Devices

Devices are imported using the Import devices dialog. This can be accessed by clicking the IMPORT DEVICES button displayed in the IPMeye page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.

In this dialog a CSV import file must be specified which contains the devices to be imported. The CSV import file should define one device per line using the following fields:

Name,IP address,Port,IPMI username,IPMI password

The IPMI username and IPMI password fields are optional, and if not specified users will be prompted for IPMI credentials when required. The Port field is also optional, and if not specified the default IPMI port 623 will be used.

If the CSV import file contains a header row as its first row, ensure the Select to skip the first row in the CSV import file if it contains headers field is selected to ignore the first row.

An example CSV import file can also be downloaded using the DOWNLOAD EXAMPLE CSV IMPORT FILE link which can be used as a starting point for a CSV import.

Once the CSV import file has been specified the VERIFY button can be clicked. A check will be performed to ensure an existing device using the same name or IP address does not already exist. If an existing device is found an error will be displayed.

Once successfully verified the IMPORT button can be clicked. Once clicked all devices will be added.

Export to CSV

Devices are exported to CSV using the EXPORT TO CSV link displayed in the IPMeye page.

Upon clicking this link all devices are exported to CSV and downloaded, with the resulting CSV file having the following fields:

Name - Name of the device, i.e. device1.
IP address - IP address used to connect to the device, i.e. 10.0.0.1.
Port - IPMI port to use to connect to the device, i.e. 623.

IPMI Console

A devices IPMI console can be accessed by clicking the IPMI CONSOLE link displayed to the right of a device under the IPMeye page.

Devices can be pre-configured with IPMI credentials so that OneDDI users do not have to obtain and work with IPMI credentials. If a devices IPMI credentials have not been pre-configured the user will be prompted for an IPMI username and password each time the IPMI console page is navigated to.

The IPMI console page is divided into multiple sections.

At the top of the IPMI console page the devices name, IP address, port and its IPMI connection status is displayed. Additionally, an edit device and delete device button will be displayed to the right. If the currently authenticated user has NOT been assigned permission to manage devices these buttons will be disabled.

The SYSTEM POWER section displays the current power status. If system power this field is colour green, otherwise the field is coloured black. A CONTROL POWER button is displayed to the right of the power status. If the currently authenticated user has NOT been assigned permission to control device power this button will be disabled. Upon clicking this button, the Control power dialog will be displayed. See the IPMeye / Control Power section for details on this dialog and controlling device power.

The IPMI COMMANDS section displays the ISSUE AN IPMI COMMAND button. Upon clicking this button, the Issue an IPMI command dialog will be displayed. See the IPMeye / Issue an IPMI Command section for details on this dialog and issuing IPMI commands.

The IPMI CONSOLE section displays the devices serial console. Upon navigating to this page, and no user including the current user is connected to it already, an attempt will automatically be made to connect to the devices serial console. If a user including the current user is already connected to the devices serial console a message will be displayed indicating this, and no attempt will be made to connect to it.

Following a successful connect to the devices serial console the DISCONNECT button will be displayed to the bottom of the serial console. Upon clicking this button the current open connection will be closed.

When not connected to a devices serial console the CONNECT button will be displayed to the bottom of the serial console. Upon clicking this button an attempt will be made to connect to the devices serial console.

A circular download button is displayed to the bottom right of the console. When clicked the content currently displayed in the console will be exported to a text file and downloaded.

Serial console output is displayed in real-time, any text sent to the devices connected serial console will be displayed as it is read. To send input to the serial console, simply enter text as you would in a typical console. If the currently authenticated user has NOT been assigned permission to control the devices IPMI console the user will not be permitted to interact with the console, only view its output.

After a period of inactivity, the connection to the serial console will automatically be closed.

Control Power

Device power can be controlled using the Control power dialog. This can be accessed by clicking the CONTROL POWER button displayed under the SYSTEM POWER section when viewing a devices console.

One of the following commands can be selected from the Power command input:

power-on - If system power is off it will be switched on.
power-off - If system power is on it will be switched off - this will result in a loss of power and the installed operating system will NOT be given the opportunity to perform a so called “clean shutdown”.
power-reset - If the system power is on a power-off style command will first be issued. Next a power-on style command will be issued.
acpi-shutdown - An ACPI event is issued to the installed operating system after which the operating system should perform a so called “clean shutdown”. This is different to a power-off command in that the system will maintain power until the operating system has completed the shutdown.

Once the desired power command is selected click the SEND COMMAND button, after which the selected command will be issued to the device. Following this it will take up to a minute for the system power to reflect the desired state.

Issue an IPMI Command

Pre-determined IPMI commands can be issued using the Issue an IPMI command dialog. This can be accessed by clicking the ISSUE AN IPMI COMMAND button displayed under the IPMI COMMANDS section when viewing a devices console.

One of the following commands can be selected from the IPMI command input:

chassis-status - Display some physical state parameters, e.g. power fault state, drive fault state and fan fault state.
system-event-log-list - Display the Baseboard Management Controllers (BMCs) system event log, this includes items such as power off/down events.
sensor-list - Display all hardware sensors and their current values, e.g. CPU temperature and fan speed.

Once the desired IPMI command is selected click the SEND COMMAND button, after which the selected command will be issued to the device. The resulting output will be displayed in the dialog.

Edit a Device

Devices are edited using the Edit a device dialog. This can be accessed by clicking the edit device button displayed to the left when hovering over a device in the IPMeye page, or displayed to the right of a devices IP address at the top of the IPMI console page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.

This dialog contains the following inputs:

Name - Name used to refer to the device in OneDDI, this is required, e.g. “ibdevice1”
IP address - IP address used to communicate with the device using the IPMI protocol, this is required, e.g. 10.0.0.1
Port - UDP port to use when communicating with the device using IPMI, this is required, e.g. 623
Delete configured IPMI credentials - A select input displayed if IPMI credentials are configured for the device, enable the select input to clear the credentials, this will result in users be prompted for IPMI credentials when required
IPMI username - IPMI operator level username used to communicate with the device using the IPMI protocol, this is optional, if either this or the IPMI password field is not specified users will be prompted for IPMI credentials when required, if IPMI credentials are already configured leaving the fields blank will leave the existing credentials unchanged
IPMI password - Password for the user specified in the IPMI username field, this is optional, if either this or the IPMI username field is not specified users will be prompted for IPMI credentials when required, if IPMI credentials are already configured leaving the fields blank will leave the existing credentials unchanged

Click the SAVE button to save changes to the device.

Delete a Device

NOTE This is a destructive operation which cannot be undone.

Devices are deleted using the Delete a device dialog. This can be accessed by clicking the delete device button displayed to the left when hovering over a device in the IPMeye page, or displayed to the right of a devices IP address at the top of the IPMI console page. If the currently authenticated user NOT been assigned permission to manage devices this button will be disabled.

The delete dialog prompts whether the device should be deleted.

Click the DELETE button to confirm the device should be deleted, after which the device will be deleted.

SerialEyes

How it Works

Typically, a physical console server is used when connecting to a device’s physical serial port over the network. The console server would have a permanent physical connection to the device and a specific TCP port reserved such that protocols such as SSH or telnet would be used to connect to the physical console servers IP address using the device specific port. This would then provide access to the device’s physical serial port.

With SerialEyes no permanent physical console connection is required. Instead SerialEyes provides an on-demand connection by using a laptop, a bootable USB drive, and the OneDDI UI. The laptop acts as a secure conduit to OneDDI, allowing only specific users to connect to the devices serial port. A serial cable connects the laptop to a devices physical serial port, the laptop is booted from the USB drive which has the SerialEyes ISO image written to it, and then OneDDI is configured with the IP address and port that SerialEyes is now listening on.

When booting from the SerialEyes bootable USB drive the drive can contain a device specific SerialEyes configuration file which contains, among other items, the IP address on which it should listen for incoming connections. Alternatively, the parameters in the configuration file can be left unset. This will result in SerialEyes prompting for them on each boot. This allows a single USB drive to be used as a utility, along with a laptop, without having to plug the USB drive into another device to copy over a device specific configuration file each time SerialEyes is used.

The IP address used by SerialEyes can be any unused IP address, and is specified at connect time. For convenience, a devices existing IP address could be used, i.e. a management IP address, so long as the device is not using this IP address when SerialEyes is booted.

For example, for devices which support IPMI, the ethernet cable can be removed from the devices IPMI ethernet port and used along with the devices IPMI IP address and port. Once the device has been accessed and configured, the IPMI ethernet cable can be re-plugged back into the devices IPMI ethernet port. This provides seamless experience for deploying new devices, RMA and device re-initialisation scenarios.

SerialEyes uses a UDP port to listen for incoming connections, and by default uses UDP port 623, which is the default IPMI port. The IPMeye module in OneDDI will detect when a SerialEyes instance is using the IPMI IP address configured for a device in OneDDI and will display a status of “SerialEyes instance detected” under the IPMeye page.

To use SerialEyes two resources are required. One is an on-site engineer who has physical access to the device and will physically plug into the device’s physical serial port. The second is a OneDDI user who will access the devices physical serial port remotely using the SerialEyes features in OneDDI and will typically be someone with knowledge of the device and software it runs - i.e. the on-site engineer does not need any product specific knowledge for each device they are connecting SerialEyes to.

Connect to Device

Connecting to a device using SerialEyes is accessed under the SerialEyes page by clicking the SerialEyes link displayed in the top menu bar.

When navigating to the SerialEyes page a three-step wizard is displayed which provides guidance on connecting SerialEyes to a device.

If a device was previously connected to and the page reloaded this page will be displayed again, in which case, simply enter the IP address, UDP port and connection key previously specified when creating a SerialEyes configuration file. Then click the VERIFY CONNECTIVITY button to view the devices serial port.

If the on-site engineer will enter SerialEyes configuration parameters when booting SerialEyes from the USB drive (e.g. IP address, UDP port, subnet mask, default gateway and connection key), there is no need to click the CREATE A SERIALEYES CONFIGURATION FILE button. In this case, simply enter the IP address, UDP port and connection key that will be used by SerialEyes.

Otherwise, click the CREATE A SERIALEYES CONFIGURATION FILE button after which the Create a SerialEyes Configuration File dialog will be displayed. In this dialog enter the parameters which will be used by SerialEyes when it is booted and click the CREATE AND DOWNLOAD button. Note that while a default connection key is suggested it is not required to use this key, and in fact the key can be anything the user wishes. However, it is advised that a different key be used each time SerialEyes is booted to improve security.

Next, an on-site engineer should be provided either a SerialEyes configuration file or the IP address, UDP and connection key specified in OneDDI. For the latter, the on-site engineer will also need to know the subnet mask and default gateway which SerialEyes should use on boot.

The on-site engineer should then follow the Connect SerialEyes Guide to use the SerialEyes configuration file, or parameters, to boot SerialEyes using the USB drive and laptop. This guide will identify how the on-site engineer can know that SerialEyes is booted and ready for connections.

Once the on-site engineer has confirmed SerialEyes is ready, click the VERIFY CONNECTIVITY button and after a successful check the SerialEyes / Serial Console page will be displayed.

Serial Console

The Serial console page is displayed following a successful connectivity check by clicking the VERIFY CONNECTIVITY button under the SerialEyes / Connect to Device page.

At the top of the Serial console page the IP address and UDP port used to connect to a device are displayed, along with the serial port connection status.

The SERIAL CONSOLE section displays the devices serial console. Upon navigating to this page, the CONNECT TO SERIAL PORT dialog will be displayed. The desired serial port and parameters should be selected and the CONNECT button clicked.

Following a successful connect to the specified serial port the DISCONNECT button will be displayed to the bottom of the serial console. Upon clicking this button, the serial port will be closed.

When not connected to a devices serial port the CONNECT TO SERIAL PORT button will be displayed to the bottom of the serial console again.

A circular download button is displayed to the bottom right of the console. When clicked the content currently displayed in the console will be exported to a text file and downloaded.

Serial console output is displayed in real-time, any text sent to the devices connected serial port will be displayed as it is read. To send input to the serial port, simply enter text as you would in a typical console. If the currently authenticated user has NOT been assigned permission to control the SerialEyes serial console the user will not be permitted to interact with the console, only view its output.

Settings

Users

Working with Users

Users are viewed and managed under the Settings / Users page by clicking the Settings link displayed in the top menu bar and selecting the Users link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to manage or view users they will not be permitted access to this page.

NOTE All users are equal, including the default admin user. User permissions are determined based on a users’ assigned groups and the permissions configured in all those groups.

The Settings / Users page will display a table of all defined users.

The following columns are displayed in the table for each user:

Actions - Clickable icons to manage each item
Username - Username used to access OneDDI
Is active - If the user is active, i.e. permitted to access the WebUI a tick icon will be displayed, otherwise a disabled icon is displayed

A search control is displayed to the top right of the table. Values in the search field will be matched against a user’s username.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of users, and to control how many aredisplayed in a single page.

The button ADD A USER will be displayed to the top left of the table. Upon clicking this button, the Add a user dialog will be displayed. See the Settings / Add a User section for details on this dialog and adding users.

Upon hovering over a row in the table edit user and delete user buttons will be displayed to the left.

Upon clicking the edit user button, the Edit user dialog will be displayed. See the Settings / Users / Edit a User section for details on this dialog and editing a user.

Upon clicking the delete user button, the Delete user dialog will be displayed. See the Settings / Users / Delete a User section for details on this dialog and deleting a user.

Add a User

Users are added using the Add a user dialog. This can be accessed by clicking the ADD A USER button displayed in the Settings / Users page.

This dialog contains several tabs. The USER tab contains the following inputs:

Username - Username used to access OneDDI, this is required, there are no restrictions on this field
Password - Password for Username, this is required, there are no restrictions on this field
Select to make the user active - If this select input is enabled the user will be permitted to access the WebUI, otherwise they will be in-active and not permitted to access the WebUI

Below these inputs a GROUPS tab will be displayed where groups the user is associated with can be configured. The EDIT SELECTED GROUPS button can used change the current selection.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the user will be added.

Edit a User

Users are edited using the Edit a user dialog. This can be accessed by clicking the edit user button displayed to the left when hovering over n user in the Settings / Users page.

This dialog contains several tabs. The USER tab contains the following inputs:

Username - Username used to access OneDDI, this is required, there are no restrictions on this field
Password - Password for Username, this is optional, there are no restrictions on this field, if this field is left blank the user’s current password is left unchanged
Select to make the user active - If this select input is enabled the user will be permitted to access the WebUI, otherwise they will be in-active and not permitted to access the WebUI

Below these inputs a GROUPS tab will be displayed where groups the user is associated with can be configured. The EDIT SELECTED GROUPS button can used change the current selection.

Click the SAVE button to save changes to the user.

Delete a User

NOTE This is a destructive operation which cannot be undone.

Users are deleted using the Delete a user dialog. This can be accessed by clicking the delete user button displayed to the left when hovering over a user in the Settings / Users page.

The delete dialog prompts whether the user should be deleted.

Click the DELETE button to confirm the user should be deleted, after which the user will be deleted.

Groups

Working with Groups

Groups are viewed and managed under the Settings / Groups page by clicking the Settings link displayed in the top menu bar and selecting the Groups link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to manage or view groups they will not be permitted access to this page.

The Settings / Groups page will display a table of all defined groups.

The following columns are displayed in the table for each group:

Actions - Clickable icons to manage each item
Name - Name used to refer to the group
Permissions - A list of permissions defined for each group

A search control is displayed to the top right of the table. Values in the search field will be matched against a group’s name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of groups, and to control how many are displayed in a single page.

The button ADD A GROUP will be displayed to the top left of the table. Upon clicking this button, the Add a group dialog will be displayed. See the Settings / Add a Group section for details on this dialog and adding groups.

Upon hovering over a row in the table edit group and delete group buttons will be displayed to the left.

Upon clicking the edit group button, the Edit group dialog will be displayed. See the Settings / Groups / Edit a Group section for details on this dialog and editing a group.

Upon clicking the delete group button, the Delete group dialog will be displayed. See the Settings / Groups / Delete a Group section for details on this dialog and deleting a group.

Available Permissions

By default, a group is configured to permit read-only access to every module by using the following permission set:

view-ipmeye
view-redns
view-serialeyes
view-vision

The following is a list of all the permissions which can be assigned to a group:

Global OneDDI application permissions:
- Read access:
  - view-ad-authentication - Enable read access to AD authentication management
  - view-audit-log - Enable read access to the audit log
  - view-groups - Enable read access to group management
  - view-license - Enable read access to license management
  - view-redundancy - Enable read access to redundancy management
  - view-users - Enable read access to user management
- Read/write access:
  - manage-ad-authentication - Enable the management of Active Directory authentication
  - manage-groups - Enable the management of groups
  - manage-license - Enable license management
  - manage-redundancy - Enable the management of replication and failover
  - manage-users - Enable the management of users
Vision module permissions:
- Read access:
  - view-vision - Enable read access to all features
- Read/write access:
  - manage-device-groups - Enable read access to device group management
  - manage-dns-servers - Enable read access to DNS server management
  - manage-network-views - Enable read access to network view management
  - manage-saved-searches - Enable read access to saved search management
  - manage-sensors - Enable read access to sensor management
  - manage-siem-connectors - Enable read access to SIEM connector management
ReDNS module permissions:
- Read access:
  - view-connectors - Enable read access to connector management
  - view-redns - Enable read access to all features
- Read/write access:
  - manage-bcp-jobs - Enable the management of BCP jobs
  - manage-connectors - Enable the management of connectors
  - manage-services - Enable the management of services
IPMeye module permissions:
- Read access:
  - view-ipmeye - Enable read access to the
- Read/write access:
  - control-device-ipmi-console - Enable the use of the console
  - control-device-ipmi-power - Enable the control of devices power
  - manage-devices - Enable the management of devices
SerialEyes module permissions:
- Read access:
  - view-serialeyes - Enable read access to all features
- Read/write access:
  - control-serialeyes-console - Enable the use of the console

Add a Group

Groups are added using the Add a group dialog. This can be accessed by clicking the ADD A GROUP button displayed in the Settings / Groups page.

This dialog contains several tabs. The GROUP tab contains the following inputs:

Name - Name used to refer to the group, this is required, there are no restrictions on this field

Using the PERMISSIONS tab, permissions which users associated with the group should inherit can be configured. The EDIT SELECTED PERMISSIONS button can used change the current selection. See the Settings / Groups / Available Permissions section to see what permissions are available.

Using the USERS tab, users which should be associated with the group can be configured. The EDIT SELECTED USERS button can used change the current selection.

Using the SERVICES tab, services which users associated with the group should be permitted to swap the active service records for can be configured. The EDIT SELECTED SERVICES button can used change the current selection.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the group will be added.

Edit a Group

Groups are edited using the Edit a group dialog. This can be accessed by clicking the edit group button displayed to the left when hovering over a group in the Settings / Groups page.

This dialog contains several tabs. The GROUP tab contains the following inputs:

Name - Name used to refer to the group, this is required, there are no restrictions on this field

Using the USERS tab, users which should be associated with the group can be configured. The EDIT SELECTED USERS button can used change the current selection.

Click the SAVE button to save changes to the group.

Delete a Group

NOTE This is a destructive operation which cannot be undone.

Groups are deleted using the Delete a group dialog. This can be accessed by clicking the delete group button displayed to the left when hovering over a group in the Settings / Groups page.

The delete dialog prompts whether the group should be deleted.

Click the DELETE button to confirm the group should be deleted, after which the group will be deleted.

AD Authentication

Working with AD Domains

The Active Directory (AD) domains used for AD authentication are viewed and managed under the Settings / AD Authentication page by clicking the Settings link displayed in the top menu bar and selecting the_AD Authentication_ link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to manage or view AD authentication, they will not be permitted access to this page.

Once configured, a user from a configured AD domain can access the WebUI by appending the domains DNS name to their username during authentication. For example, the user stephen in the AD domain vendorn.com would specify stephen@vendorn.com for their username at the OneDDI login page.

Following successful authentication, the users’ assigned AD groups will be matched with the names of the groups defined in OneDDI. If at least one group is not matched, then the user will not be permitted to access OneDDI - resulting in an invalid username/password type error.

Once authenticated, and the users’ groups discovered, the user will inherit the permissions from the matched OneDDI groups.

The Settings / AD Authentication page will display a table of all defined AD domains.

The following columns are displayed in the table for each user:

Actions - Clickable icons to manage each item
DNS name - The DNS name for the AD domain, this is the domain users will append to their username for authentication, e.g. vendorn.com for the username stephen@vendorn.com
Domain Controllers - A list of Domain Controllers (DCs) that will be used for authentication, this will be displayed as configured, e.g. 192.168.1.28 192.168.1.29:1234

A search control is displayed to the top right of the table. Values in the search field will be matched against an AD domains DNS name.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of AD domains, and to control how many are displayed in a single page.

The button ADD AN AD DOMAIN will be displayed to the top left of the table. Upon clicking this button, the Add an AD domain dialog will be displayed. See the Settings / AD Authentication / Add an AD domain section for details on this dialog and adding AD domains.

Upon hovering over a row in the table edit AD domain and delete AD domain buttons will be displayed to the left.

Upon clicking the edit AD domain button, the Edit AD domain dialog will be displayed. See the Settings / AD Authentication / Edit an AD domain section for details on this dialog and editing an AD domain.

Upon clicking the delete AD domain button, the Delete AD domain dialog will be displayed. See the Settings / AD Authentication / Delete an AD domain section for details on this dialog and deleting an AD domain.

Add an AD domain

AD domains are added using the Add an AD domain dialog. This can be accessed by clicking the ADD AN AD DOMAIN button displayed in the Settings / AD Authentication page.

This dialog contains the following inputs:

DNS name - The DNS name for the AD domain, this is the domain users will append to their username for authentication, e.g. vendorn.com for the username stephen@vendorn.com
Domain Controllers - Comma separated list of DCs to use for authentication. LDAP over TLS will always be used when connecting to a DC. The default TCP port 636 can be overridden by appending :<port> e.g. ad1.internal or ad2.internal:636.

Once all required attributes have been specified the TEST DOMAIN CONTROLLERS button will be enabled, and once clicked a TLS connection will be opened to each specified DC to verify the connection to each. The results from each check will be displayed.

Once all required attributes have been specified the ADD button will be enabled, and once clicked the AD domain will be added.

Edit an AD Domain

AD domains are edited using the Edit an AD Domain dialog. This can be accessed by clicking the edit AD domain button displayed to the left when hovering over an AD domain in the Settings / AD Authentication page.

This dialog contains the following inputs:

DNS name - The DNS name for the AD domain, this is the domain users will append to their username for authentication, e.g. vendorn.com for the username stephen@vendorn.com
Domain Controllers - Comma separated list of DCs to use for authentication. LDAP over TLS will always be used when connecting to a DC. The default TCP port 636 can be overridden by appending :<port> e.g. ad1.internal or ad2.internal:636.

Once all required attributes have been specified the TEST DOMAIN CONTROLLERS button will be enabled, and once clicked a TLS connection will be opened toeach specified DC to verify the connection to each. The results from each check will be displayed.

Click the SAVE button to save changes to the AD domain.

Delete an AD Domain

NOTE This is a destructive operation which cannot be undone.

AD domains are deleted using the Delete an AD Domain dialog. This can be accessed by clicking the delete AD domain button displayed to the left when hovering over an AD domain in the Settings / AD Authentication page.

The delete dialog prompts whether the AD domain should be deleted.

Click the DELETE button to confirm the AD domain should be deleted, after which the AD domain will be deleted.

Redundancy

Replication Operation & Management

Two OneDDI instances are required to form a replication pair. One instance is active and replicates changes to the other standby instance. Once configured a standby instance will connect to its configured peer, the active instance, to receive and apply replication changes to its database.

The entire contents of the OneDDI database is replicated. The OneDDI database is divided into two different databases. The Master Database contains all application data with the exception of the DNS activity history data tracked by the OneDDI Vision module. DNS activity history data is stored in the second database, the Vision Database.

The following items, which are not stored in OneDDI database, are not replicated - these are specific to each OneDDI instance:

The product license
All configuration files - i.e. all files under the /opt/oneddi/config directory on the OneDDI server

Replication utilises the HTTPS connection already provided by the OneDDI server. The standby peer will connect to the active peer and wait for replication changes, i.e. the connection will remain open and ready for further replication changes.

All changes, regardless of whether the standby peer is connected to the active peer or not, are queued for replication. For the Master Database, if the standby peer is connected, the change is immediately sent to it and removed from the replication change queue. If the standby is not connected, replication changes will remain in the replication queue until the standby next connects to the active peer, after which it will request and process all changes in the replication queue. Changes to the Vision Database are replicated periodically based on a administrator specified frequency.

Replication configuration is stored in the /opt/oneddi/config/replication.json file on the OneDDI server. On both the active and standby instances this file includes the following:

If replication is configured or not
What role the local instance is configured to be, i.e. active or standby
The IP address and port of its peer

An encrypted connection key is also found in this file. This key is used by both the active and standby peers to authenticate their communication. This key is sensitive and should not be transferred off the hosts in any way, or even copied out of this file.

In addition to using the connection key to authenticate communication, the peer IP address configured in the above file is used to implement an IP access control list for all replication communication to an instance. Any connections not from the peer IP address configured, or the loopback address 127.0.0.1, will be automatically closed and rejected.

There are two methods by which replication can be managed. If the active peer is available, the Settings / Redundancy page in the WebUI of the active peer can be used to perform the following:

Configure replication on the active and standby peers - i.e. create a replication relationship between the two
Deconfigure replication on both the active and standby peers - i.e. break the replication relationship between the two making then independent instances
Failover from the active to the standby peer, i.e. switching their roles
Force the standby peer to synchronise it’s database with the active instance
View replication status, i.e. see if the standby peer is connected to the active peer and is processing replication changes

If the active peer is not available and replication needs to be failed over to the standby peer, or replication must be deconfigured on the standby peer, the replication command must be used. The replication command and its usage are provided under the Redundancy / Replication section in the Admin Guide.

Working with Replication

Replication is managed under the Settings / Redundancy page by clicking the Settings link displayed in the top menu bar and selecting the Redundancy link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to view or manage redundancy, they will not be permitted access to this page.

If replication has not been configured the button CONFIGURE REPLICATION will be displayed. Upon clicking this button, the Configure replication dialog will be displayed. See the Settings / Redundancy / Configure Replication section for details on configuring replication.

If replication has been configured four sections of information will be displayed to show replication configuration status and health.

The Configuration section will identify the IP address and HTTPS ports of the active and standby peers. The DECONFIGURE REPLICATION button will also be displayed. Upon clicking this button, the Deconfigure Replication dialog will be displayed. See the Settings / Redundancy / Deconfigure Replication section for details on deconfiguring replication.

The Standby peer status section displays the overall health of the standby peer and if it is processing all replication changes. The FAILOVER TO STANDBY PEER button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Failover to standby peer dialog will be displayed. See the Settings / Redundancy / Failover to Standby Peer section for details on failing over to the standby peer.

The Master database section displays the Master Database health of the standby peer and how many replication changes are queued. The SYNCHRONISE STANDBY PEER MASTER DATABASE button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Synchronise standby peer master database dialog will be displayed. See the Settings / Redundancy / Synchronise Standby Peer Master Database section for details on synchronising the Master Database to standby peer database.

The Vision database section displays the Vision Database health of the standby peer and when a synchronisation will next take place. The SYNCHRONISE STANDBY PEER VISION DATABASE button will be displayed underneath this information. If the standby peer is not connected to the active peer this button will be disabled. Upon clicking this button, the Synchronise standby peer vision database dialog will be displayed. See the Settings / Redundancy / Synchronise Standby Peer Vision Database section for details on synchronising the Vision Database to standby peer database.

Configure Replication

Replication to another OneDDI instance can be performed using the Configure replication dialog which is accessed by clicking the CONFIGURE REPLICATION button displayed in the Settings / Redundancy page. If replication is already configured this button will not be displayed.

Two OneDDI instances are required to form a replication pair. One instance will be active and will replicate changes to the other standby peer. Both instances should be up and accessible and both should have their OneDDI product licenses installed.

The following actions will be taken to configure replication:

Configure the local instance to be the active peer
Configure the standby peer for replication
Force the standby peer to replace its database with a copy of the database from the local instance

Once configured the standby instance will connect to the active instance to receive replication changes.

The Configure replication dialog displays a six step wizard which guides a user through configuring the active and standby peers, verifying replication can be configured on both, and then executing the required changes to configure replication on both the active and standby peers.

Step 1 in the dialog, the Start page, provides a brief overview of what will be performed to configure replication.

Click the NEXT button to continue to step 2, the Standby peer page. In this page the IP address and HTTPS port of the standby peer must be entered. The IP address can be any configured on the standby peer and the HTTPS port must be the port the WebUI is accessible via. Additionally, once configured, when users access the standby peer they will be redirected to the active peer using the IP address and HTTPS port of the active peer which will be entered in the next step of the wizard. This can be overridden by entering a URL in the Standby redirect URL field.

Click the NEXT button to continue to step 3, the Active peer page. In this page the IP address and HTTPS port of the active peer must be entered. These parameters are used to configure the IP address and HTTPS port the standby peer should use to connect to the active peer. The IP address can be any configured IP address on the active peer and the HTTPS port must be port the WebUI is accessible via. By default, the IP address and port the WebUI is currently being access through will be suggested. Additionally, once configured, when users access the active peer after a failover to the standby peer is performed (mean it is now the standby peer) they will be redirected to the active peer using the IP address and HTTPS port of the standby peer configured in the previous step of the wizard. This can be overridden by entering a URL in the Standby redirect URL field.

Click the NEXT button to continue to step 4, the Configure page. Changes to the OneDDI Master database are replicated between peers in real-time. Due to its potentially large size, and the high volume of updates it can receive, the OneDDI Vision database is periodically synchronised between peers. In this page the frequency with which changes to the Vision Database should replicated to the standby peer is configured.

Click the NEXT button to continue to step 5, the Verify page. In this page the username and password for a user which currently exists on the standby peer must be entered. The specified user must be associated with a group which has the manage-redundancy permission assigned. The user will be used to verify replication can be configured, that connectivity between the active and standby peers is working (in both directions), and once APPLY NOW is clicked, it will also be used to configure replication on the standby peer. Click the VERIFY CONFIGURATION button to contact to the standby peer and verify replication can be configured. Any errors discovered during verification will be displayed. Once verification is successful the APPLY NOW button will be enabled.

Click the APPLY NOW button to configure replication on both the active and standby peers. After replication has been configured the Configure replication dialog will then be closed.

Failover to Standby Peer

If replication has been configured, failover to a standby peer can be performed using the Failover to standby peer dialog which is accessed by clicking the FAILOVER TO STANDBY PEER button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.

If failover to a standby peer must be performed when the active peer is not available, i.e. during a disaster recovery scenario, the replication command must be used since the WebUI cannot be accessed on standby instances. In this case refer to the Redundancy / Replication section in the Admin Guide.

The following actions will be taken to failover to the standby peer:

Set the standby peer to be active
Set the active peer to be standby
Redirect logged in users to the new active peer

Following failover, the new standby peer will synchronise its database with the new active peer.

To failover to the standby peer simply click the FAILOVER button. Once failover is complete the WebUI is redirected to the newly active peer.

Deconfigure Replication

Replication can be deconfigured using the Deconfigure replication dialog which is accessed by clicking the DECONFIGURE REPLICATION button displayed in the Settings / Redundancy page.

If the peer which needs to be deconfigured is the standby peer, the replication command must be used since the WebUI cannot be accessed on standby instances. In this case refer to the Redundancy / Replication section in the Admin Guide.

The following actions will be taken to deconfigure replication:

If the Vision module is being used, mark all sensors in the standby peers database as in-active
Deconfigure replication on the standby peer if specified below
Deconfigure replication on the active peer

If the Select to also deconfigure replication on the standby peer select is selected, replication will be deconfigured on the standby peer, otherwise the standby peer will not be deconfigured - this is useful if the standby peer is unreacahable.

Once deconfigured both active and standby peers will be standalone instances and have their own independent copy of the current database.

To deconfigure replication simply click the DECONFIGURE button. Once deconfigured the Deconfigure replication dialog will then be closed.

Synchronise Standby Peer Master Database

If replication has been configured, the Master Database for a standby peer can be synchronised on demand using the Synchronise standby peer master database dialog which is accessed by clicking the SYNCHRONISE STANDBY PEER VISION DATABASE button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.

Under exceptional circumstances the standby peer Master Database may become out-of-sync with the active peer. In this case the standby peer will attempt to perform a full Master Database synchronisation itself, but if this fails it can no longer accept replication changes from the active peer, and a message will be displayed under the Master database section in the Settings / Redundancy page indicating an attempt to apply a change failed.

Users can attempt to resolve this problem by synchronising the standby peer’s Master Database. This will overwrite the standby peer Master Database with a copy of the Master Database from the active peer, essentially removing any issues being reported at that point.

To synchronise the peer Master Database simply click the SYNCHRONISE button. The standby peer Master Database will then be synchronised, and once complete, the Synchronise standby peer master database will then be closed.

Synchronise Standby Peer Vision Database

If replication has been configured, the Vision Database for a standby peer can be synchronised on demand using the Synchronise standby peer vision database dialog which is accessed by clicking the SYNCHRONISE STANDBY PEER VISION DATABASE button displayed in the Settings / Redundancy page. If the standby peer is not connected to the active peer this button will be disabled.

Under exceptional circumstances the standby peer Vision Database may become out-of-sync with the active peer. In this case the standby peer will attempt to perform a full Vision Database synchronisation itself, but if this fails it can no longer accept replication changes from the active peer, and a message will be displayed under the Vision database section in the Settings / Redundancy page indicating an attempt to apply a change failed.

Users can attempt to resolve this problem by synchronising the standby peer’s Vision Database. This will overwrite the standby peer Vision Database with a copy of the Vision Database from the active peer, essentially removing any issues being reported at that point.

To synchronise the peer Vision Database simply click the SYNCHRONISE button. The standby peer Vision Database will then be synchronised, and once complete, the Synchronise standby peer vision database will then be closed.

License

The product license can be viewed under the Settings / License page by clicking the Settings link displayed in the top menu bar and selecting the License link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to manage or view the product license, they will not be permitted access to this page.

A product license has several attributes which specify for example when it was created and to which customer it was issued. Along with these attributes, each license will contain a list of modules which are licensed. Each licensed module has its own valid from and valid to date. This allows customers to evaluate new product modules on their existing installation without it affecting their existing modules.

A complete new license will be issued to add new modules, i.e. only a single license is ever installed with the licensed modules specified by that single license, and this will include any modules being evaluated.

Product licenses are bound to one more IP addresses. When validating a license, the licensed IP addresses will be checked against the locally configured IP addresses and if one is not matched the license will be considered invalid.

If a valid product license has been applied, details of the license will be displayed on the left of this page with the customer the license has been issued to being displayed at the top.

Below the customer name, the following license attributes will be displayed:

License ID - A unique ID associated with the license, e.g. c1055315-bb04-4bca-a507-97414e7c8fec
Created at - The date and time at which the license was created, e.g. 2020-02-01T00:00:00Z / a month ago
Licensed IP addresses - The dotted quad formatted IP addresses which the product license is bound to, e.g. 192.168.1.12 192.168.1.13
License type - This will be either standalone or enterprise, enterprise licenses are unrestricted where standalone licenses have the following restrictions:
- Users can only create one sensor in the Vision module
- Replication cannot be configured or used

To the right of the page a list of licensed modules will be displayed in a table. The following columns will be displayed for each licensed module:

Module - The name of the module, e.g. vision
Valid from - The date and time from which the licensed module can be used, e.g. 2020-02-01T00:00:00Z / a month ago
Valid to - The date and time to which the licensed module can be used, e.g. 2020-03-31T23:59:59Z / in a month
Status - If a license has not yet expired, i.e. the current date and time falls within the Valid from and Valid to fields, a green tick icon and the message Valid will be displayed, if the license has not yet expired but will expire soon relative to the licensed period, an amber exclamation icon and the text Expires soon will be displayed, and if the license has expired a red exclamation icon and the text Expired will be displayed

The button APPLY A LICENSE will be displayed to the bottom of the license detail. Upon clicking this button, the Apply a license dialog will be displayed. See the Settings / Apply a License section for details on this dialog and applying a license.

Apply a License

A product license can be applied using the Apply a license dialog. This can be accessed by clicking the APPLY A LICENSE button displayed in the Settings / Product License page.

This dialog contains the following inputs:

License text - The base64 encoded product license text received from a license request, this is required
Accept the OneDDI End User License Agreement - This select input must be enabled to confirm acceptance of the OneDDI End User License Agreement before the license can be applied

Once all required attributes have been specified click the VERIFY button, after which the license will be verified.

Following successful license verification, the APPLY button will be enabled. Clicking the APPLY button will apply the license and replace the existing product license.

Audit Log

The application audit log can be viewed under the Settings / Audit log page by clicking the Settings link displayed in the top menu bar and selecting the Audit log link displayed in the dropdown menu.

If the currently authenticated user NOT been assigned permission to view the audit log, they will not be permitted access to this page.

All actions performed in the OneDDI WebUI which create side-effects are audited. Audit events are created in the application audit log. In addition, all audit events are recorded to the system log file. Each message uses the following format:

AuditEntry: timestamp=<timestamp> host=<ip-address>:<port> username=<username> action=<action> detail=<json-detail>

The following is an example audit event logged to the system log:

AuditEntry: timestamp=2020-04-01T20:37:29Z host=192.168.68.164:55031 username=stephen action=ConnectDeviceIpmiConsole detail={"id":"953727ab-a2d9-4c11-9370-fb64429a860c","name":"ibdevice1","ipAddress":"86.15.69.51","port":623}

The Settings / Audit log page will display a table of audit events. The following columns are displayed in the table for each event:

Timestamp - Date and time the event was created, next to the times string will be a relative time string
Host - IP address and host from which the HTTP request which triggered the audit entry was received
Username - User who caused the event to be created
Action - What action was being requested, e.g. ConnectDeviceIpmiConsole or AddDevice
Detail - A JSON formatted message detailing the audit event, for example when editing a user, the user’s configuration is logged here, hovering over this field will display a pretty-printed format of this field

A search control is displayed to the top right of the table. Values in the search field will be matched against the host, username, action, or detail fields.

Paging controls are displayed to the bottom right of the table. These can be used to page through the list of events, and to control how many are displayed in a single page.

Contents

User Guide

OneDDI 3.7.1

Introduction

Accessing the User Interface

Working with the User Interface

Change My Password

Vision

History

Devices

Working with Devices

View Device

Queries

Working with Queries

View Queries

Records

Working with Records

View Records

Events

Global Events

Device Group Events

Live Queries

Saved Searches

Working with Saved Searches

Add a Saved Search

Edit a Saved Search

Delete a Saved Search

Device Groups

Working with Device Groups

Add a Device Group

Edit a Device Group

Delete a Device Group

Network

Sensors

Working with Sensors

Synchronise Sensors

View Activity Update History

Add a Sensor

View Sensor

View Activity Update Queue

Edit a Sensor

Delete a Sensor

Network Views

Working with Network Views

Add a Network View

Edit a Network View

Delete a Network View

DNS Servers

Working with DNS Servers

Add a DNS Server

Edit a DNS Server

Delete a DNS Server

SIEM Connectors

Working with SIEM Connectors

Add a SIEM Connector

Edit a SIEM Connector

Delete a SIEM Connector

ReDNS

Services

Working with Services

Add a Service

Import Services

Export to CSV

Services Permissions

View Service

Add a Service Record

Edit a Service Record

Delete a Service Record

Check Service Health

Change Service TTL’s

Swap Active Service Records

Swap History

Edit a Service

Delete a Service

Services Records

Working with Services Records

Import Service Records

Export to CSV

BCP jobs

Working with BCP Jobs