Preparing for configuration
Configuration is the last stage of building the Entuity server. You can run the Configure wizard at any time after server installation to change the configuration, but Entuity must be shut down before doing so.
The Configure wizard is only available on Windows. You can navigate between the pages in the configuration process at any time using the Back and Next buttons. You can re-run configuration by navigating to the Entuity install directory.
Important Notes:
- The Configure wizard requires administrator privileges.
- The Control Panel Services App in Windows must be closed down before running configure, because this app can lock Windows Services such that they cannot be edited.
- Entuity checks the host identifier by running hostident. On Windows environments, this requires the Windows Management Information service to be running.
- If you are configuring Entuity on the server for the first time, a prompt for each directory is displayed if it does not already exist. Click Yes on each confirmation window throughout the configure process to create the new directories.
Running the Configure wizard
When the Entuity Server installation wizard reaches 100%, click Run Configure.
An administrative access permission window is displayed. Click Yes to allow configure to carry out tasks such as installing the required services; otherwise, click No.
Windows Registry Setting
The next page of the Configure wizard, the Windows Registry Setting page, allows you to confirm the server's registry settings. This setting extends the allowable ephemeral port range to the maximum allowed, which is necessary to allow Entuity to communicate with large numbers of devices. Click Next.
If the registry key value MaxUserPort is not set to 0x0000FFFE (65534), you might encounter issues with Entuity system performance.
- Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Type: REG_DWORD
- Value: 0x0000FFFE (65534)
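To confirm the setting after Configure has run, the key, type, and value listed above can be read back without changing anything. This is an added example, not part of the Entuity documentation or tooling; the function name Test-MaxUserPort is hypothetical.

```powershell
# Added example: read-only audit of the MaxUserPort registry value described above.
# Test-MaxUserPort is a hypothetical helper, not an Entuity command.
$path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$name     = 'MaxUserPort'
$expected = 0x0000FFFE          # 65534, the value given on this page

function Test-MaxUserPort {
    $key   = Get-Item -Path $path -ErrorAction Stop

    # GetValue returns the supplied default ($null) when the value is absent.
    $value = $key.GetValue($name, $null)
    if ($null -eq $value) {
        return "$name is not set under $path"
    }

    # The page specifies REG_DWORD; any other kind means the value was created by hand incorrectly.
    $kind = $key.GetValueKind($name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "$name has type $kind, expected REG_DWORD"
    }

    if ($value -ne $expected) {
        return ('{0} is {1} (0x{1:X8}), expected 65534 (0x0000FFFE)' -f $name, $value)
    }
    "$name is REG_DWORD 0x0000FFFE (65534)"
}

Test-MaxUserPort
```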
Choose Config Folders
On the Choose Config Folders page, set the location of the following folders and then click Next:
| Directory | Description |
|---|---|
| Database directory | folder for the Entuity database. By default this is entuity_home/database/data. |
| Database Backup directory | folder for the database backup. By default this is entuity_home/database/backup. |
| Log directory | folder to where Entuity writes all of its associated log files. By default this is entuity_home/log. |
To choose a location other than the default, click Browse under the corresponding installation directory to select a different directory. If you want to clear your custom selection and choose the default, click the Restore Default Location button. Then click Next.
License File Location
On the License File Location page, you can select the license file to use in the Select the license file to use field. By default, this is the 30 day evaluation license: entuity_home/etc/license.30day.eval.dat. Click Browse to select the license file you want to use, and click Next. The Configure wizard validates the license file, which might take 30 seconds. If the license does not exist or is invalid, an error message is displayed.
Note, you can't complete the Entuity configuration without a valid Entuity license.
The License File Location page also displays the host identifier of the Entuity server. The host identifier is required by Entuity to generate a valid license. Entuity checks the host identifier by running hostident. In Windows environments, this requires the Windows Management Information service to be running. If the service is not running, the Configure wizard fails to complete.
Integrated Flow Analyzer
On the Integrated Flow Analyzer page, specify if you want to enable Integrated Flow Analyzer. Integrated Flow Analyzer capability lets you collect and analyze flow records.
Note, you do not need to enable Integrated Flow Analyzer to run Entuity and it can be enabled at a later time.
Select one of the following, and then click Next:
- Yes - configure a server that acts as both a polling and flow collector server (all-in-one Server).
- No - configure a server that acts only as a polling server, also referred to as a Standard Server. This is the default selection.
SurePath Agent
On the next page, SurePath Agent, choose whether to enable the SurePath agent on the server, and click Next:
- Selecting Yes configures the server as both a polling server and a SurePath agent (all-in-one Server).
- Selecting No configures the server as only a polling server (standard Server). This is the default.
Entuity Agent Applications
If you plan to use Entuity Agents to monitor Server devices, Storage devices, or locally monitor the OS of the server the Agent is installed on, select Yes on the Entuity Agent Applications page, and then click Next. Doing so deploys applications that can be used by the Entuity Agents registered to the server.
If you don't plan to use Entuity Agents for monitoring of devices, select No, and then click Next.
Module Selection Panel
On the next page (Module Selection Panel), select which modules you want to use with Entuity, and then click Next.
Note, a number of modules considered optional in earlier versions of Entuity are now enabled by default. See this article for a list of the modules that are enabled by default.
Note, some modules listed on the Module Selection Panel page require additional licensing.
You can select these modules:
- Cisco IP SLA
- Cisco Unified Communications Manager
- Configuration Management
- Green IT Support
- IP Address Management
- QoS Module
Configuration Management
The Configuration Management module is enabled by default in Entuity. From the next page in the wizard, the Configuration Management page, you can determine the details of the Transfer Server. Please see this article for further help and information on setting and running transfer servers in Entuity. If you are not going to use Configuration Management in Entuity, don't make any selections on this page, and click Next.
If you are going to use Configuration Management in Entuity, specify the details of the Transfer Server, and then click Next. In Configuration Monitor, your network devices send configurations to the Transfer Server. Ensure that the Transfer Server IP is an address configured on the Entuity server to which your devices are able to route.
The Transfer Server attributes are as follows:
| Attribute | Description |
|---|---|
| Transfer Server IP Address | Lists the IP addresses on the Entuity server. From this drop-down field, select the IP address you want to use with the TFTP and/or FTP servers used in retrieving device configurations. |
| Transfer Directory | Browse for, and select, the directory on the Entuity server to which the TFTP and/or FTP server writes retrieved device configurations. By default this is entuity_home/cm_transfer. You must separately configure the TFTP or FTP server to use this directory, for example, through the TFTP server initialization file. |
| Archive Directory | Browse for, and select, the device-specific sub-directory on the Entuity server to which successfully retrieved device configurations are moved from the Transfer Directory. By default, this is entuity_home/cm_archive. |
| Firmware Directory | Browse for, and select, the directory on the Entuity server where the firmware repository will be populated. By default this is entuity_home\etc\firmware. |
Note, when Entuity is configured for external authentication, update the [lcm] section of the entuity.cfg file to resolve the error, 'No permission to execute this task', when running Configuration Management (Config Mgmt). Edit the entuity.cfg file to add the specified user as a member of the local admins group:
[lcm]
defaultAdminUser=newAdmin
SMTP Server Configuration
On the next page, SMTP Server Configuration, set up the details for SMTP Server configuration, and then click Next. This SMTP Server configuration enables Entuity to forward events, incidents, and reports in an email.
Note, your email server admin will need to whitelist the IP address of the Entuity server so that it can send emails.
Note, as of Entuity v21.0 GA and Entuity v20.0 P05, email sender domains are validated for accuracy. This means that the ‘emailFrom’ field configured in Entuity must now be valid, and must not contain illegal characters, as defined in RFC 1034.
The SMTP configuration attributes are as follows:
| Attribute | Description |
|---|---|
| SMTP Server Hostname | enter a list of SMTP servers, separated by semi-colons. You can also specify the port number used by servers, e.g: 10.44.2.6;10.44.2.7:25 |
| SMTP Username | username used with the server. When you enter a username, you must also enter a password in the SMTP Password field below. If you do not use a username, you can leave the SMTP Username field blank. |
| SMTP Password | password used with the username entered in the SMTP Username field above. A password is only required when a username is entered above. |
| Show password in plain text | select the check box if you want the SMTP password to be displayed. By default, the password is represented by asterisks. |
| Sender | default sender email address. You can configure spam filter programs to permit emails from this account. The default account name is Entuity@EntuityServer, where 'Entuity' identifies the product and 'EntuityServer' is the hostname of the Entuity server. |
| Subject | default subject line included with any email. When an email is sent, '${eventDescr}' is replaced with the event description and '${eventStr}' is replaced with the object name for which the event was raised. |
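The sender-domain rule in the note above can be pre-checked before entering a Sender value. This added example applies the RFC 1034 preferred name syntax (labels of letters, digits, and hyphens, starting with a letter, at most 63 characters); it is not Entuity's own validation code, and the function name and sample addresses are constructed for illustration.

```powershell
# Added example: check the domain part of a sender address against RFC 1034
# section 3.5 preferred name syntax. Test-SenderDomain is a hypothetical helper;
# Entuity's actual validator may differ in detail.
function Test-SenderDomain {
    param([string]$EmailFrom)

    $parts = $EmailFrom -split '@'
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        return 'address must have exactly one @ with text on both sides'
    }

    $domain = $parts[1].TrimEnd('.')
    # RFC 1034 limits a name to 255 octets on the wire, which is 253 characters as dotted text.
    if ($domain.Length -gt 253) { return 'domain longer than 253 characters' }

    foreach ($label in ($domain -split '\.')) {
        if ($label.Length -lt 1 -or $label.Length -gt 63) {
            return "label '$label' must be 1 to 63 characters"
        }
        # <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
        if ($label -notmatch '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            return "label '$label' contains characters RFC 1034 does not allow"
        }
    }
    'OK'
}

# Constructed sample values: the page's default sender, then two common failures
# (an underscore in a hostname, and a label that starts with a hyphen).
foreach ($sender in 'Entuity@EntuityServer',
                    'alerts@nms_01.example.com',
                    'alerts@-edge.example.com') {
    [pscustomobject]@{ Sender = $sender; Result = Test-SenderDomain $sender }
}
```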
Server Configuration
On the next page, Server Configuration, set up the Entuity server configuration, and then click Next.
The server configuration attributes are as follows:
| Group | Attribute | Description |
|---|---|---|
| Server | Hostname | hostname of the Entuity server. This must be resolvable in DNS. |
| SSL Security Options | Use SSL Communication | select to activate SSL to secure sessions between your Entuity server and browsers using TLS v1.2. This is not mandatory, and is only normally required for highly secure environments. Enter the Certificate File, Private Key, and optionally the CA Certificate file in the fields in this section. Your security team will provide these to you. Entuity recommends that these files are installed in entuity_home/etc. |
| | Certificate File | browse for this file. |
| | Key File | browse for this file. |
| | CA Certificate File (optional) | browse for this file. |
| | Redirect HTTP to HTTPS | select if you want the Entuity web server to automatically redirect wrongly entered HTTP URLs to HTTPS. |
| Database Password | Change Database Root Password | tick to enter a new root password for the database in the field below. You would normally only change the database root password when required by a security team/department. It is recommended to record this setting, because it might be needed by Entuity Support. |
| | Root Password | enter new root password if the above box is ticked. |
| | Re-type Password | reenter new root password. |
| Database Validation | Check and Repair | tick to check and repair the database. This is recommended if you are upgrading or re-running configure. If the Entuity database fails the validation, check that configuration stops. |
| | Quick Check | default. Select when there is an existing database but no mysql.error.log (this is usually the case when running an Entuity upgrade). With this option, configure runs dbcheck -F to run a fast check for tables that were not properly closed. |
| | Full Check | select to run an extended database check. With this option, configure runs dbcheck -E. dbcheck runs a full key lookup for all keys for each row, to ensure that the table is 100% consistent. This check is more thorough and takes longer than the Quick Check. |
Ports Configuration
On the next page, Ports Configuration, choose whether to use default port numbers or custom TCP ports for a number of services, such as the web server and Tomcat. If you choose to modify the port numbers, configure will display additional pages through which you can amend the default TCP port numbers of Entuity processes. configure will warn you if any of these ports are in use and will allow you to select an alternative. Click Next.
If you choose to modify the port numbers, the Configure wizard displays the current list of ports. Port numbers with a green background are valid, while port numbers with a red background indicate a port conflict that requires attention. Enter new port numbers directly into the text field, and click Test to verify the port is available, or click Suggest to identify the next available port number. Excluding Web Port, port numbers must be in the range 1025 to 65535. The port settings are as follows, and once you have specified the port settings click Next:
| Attribute | Description |
|---|---|
| Database Port | IP port on which you want the database server mysql to listen. The default is port 3306. |
| Web Port | IP port on which you want the web server httpd to listen. The defaults are port 80 for non-secure access and port 443 for SSL. |
| Event Request Listener Port | IP port on which you want the event management process to listen for incoming requests to events from subscribed third party integrations. The default is port 19193. |
| Event Receiver Port | IP port on which you want the event management process to listen for incoming requests for events, e.g. system events, trap-based events, syslog events. The default is port 19194. |
| Ticker Port | IP port on which you want the ticker process to monitor its client ports' activity. The default is port 20202. |
| Tomcat Port | IP port used by the Tomcat application server. The default is port 8080. |
| Tomcat Admin Port | IP port used to access and manage the Tomcat application server. The default is port 8005. |
| Flow Port | IP port on which Entuity Integrated Flow Analyzer receives flow information from devices sending NetFlow, NetStream or JFlow packets. This flow collector port is configurable through configure and flowcfg.properties. Entuity IFA collects IPFIX flow data on port 2055 and sFlow data on port 6343. These collector ports are not configurable. Therefore, you must ensure routers using these flow technologies are configured to send data to the appropriate ports, otherwise IFA will not recognize nor collect the data. |
| Flow Management Port | IP port used to manage (e.g. stop) the flow collector process. The default is port 12121. |
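Before opening the Ports Configuration page, the default TCP ports from the table above can be checked against what is already listening on the host, along with the 1025 to 65535 range rule. This is an added example, not part of configure; Test-EntuityPortPlan is a hypothetical name, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example: the port map is copied from the table above; names are hypothetical.
$EntuityPorts = [ordered]@{
    'Database Port'               = 3306
    'Web Port'                    = 80       # 443 when SSL is enabled
    'Event Request Listener Port' = 19193
    'Event Receiver Port'         = 19194
    'Ticker Port'                 = 20202
    'Tomcat Port'                 = 8080
    'Tomcat Admin Port'           = 8005
    'Flow Management Port'        = 12121
}

function Test-EntuityPortPlan {
    param([System.Collections.IDictionary]$Plan)

    # Map each listening TCP port to its owning PID. Keys are cast to [int] so
    # that lookups with [int] ports match (LocalPort is a UInt16).
    $listeners = @{}
    foreach ($c in (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)) {
        $listeners[[int]$c.LocalPort] = $c.OwningProcess
    }

    $seen = @{}
    foreach ($name in $Plan.Keys) {
        $port   = [int]$Plan[$name]
        $issues = @()

        # Page rule: every port except Web Port must be in the range 1025 to 65535.
        if ($name -ne 'Web Port' -and ($port -lt 1025 -or $port -gt 65535)) {
            $issues += 'outside 1025-65535'
        }
        # Two services must not be given the same port.
        if ($seen.ContainsKey($port)) { $issues += "duplicate of $($seen[$port])" }
        $seen[$port] = $name

        if ($listeners.ContainsKey($port)) {
            $proc = Get-Process -Id $listeners[$port] -ErrorAction SilentlyContinue
            $issues += "in use by PID $($listeners[$port]) ($($proc.ProcessName))"
        }

        [pscustomobject]@{
            Service = $name
            Port    = $port
            Status  = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

Test-EntuityPortPlan -Plan $EntuityPorts | Format-Table -AutoSize
```

Run it with Entuity shut down, as required before running configure; otherwise Entuity's own processes are reported as the owners of these ports.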
Message Broker Configuration
On the Message Broker Configuration page, click Next to accept the default user name, password, and port to use with the Message Broker feature.
Alternatively, enter a different user name and password to use with Message Broker, and enter a Message Broker port number. Before clicking Next, verify that the port can be used with Message Broker by clicking Test. If the port is available, the Message Broker Port field is displayed with a green background. If port conflicts exist, the Message Broker Port field is displayed with a red background. You can click Suggest to populate the field with the next available port number.
Summary
The next page is the Summary page. If you are happy with the configuration settings, click Configure. To abandon the configuration, click Cancel. To move back through the Configuration wizard pages and adjust your settings, click Back. Once the configuration is completed, a confirmation message is displayed at the bottom of the screen. Click Finish to close the Configure wizard.
The first time you complete the Entuity configuration, make an initial backup of the server, and then start Entuity.
Note regarding security recommendations:
See this article for security recommendations regarding the default Entuity v19.0 (and below) install configuration.