Skip to content
CA Unified Infrastructure Management Probes
Documentation powered by DocOps

v1.1 nfa_inventory AC Configuration

Last update June 6, 2016

Contents

Prerequisites

Prior to deploying the nfa_inventory probe, be sure the following requirements are met:

  • You are running CA Unified Infrastructure Management (CA UIM) 8.31 or later.
  • You are running CA Network Flow Analysis (CA NFA) 9.3.2 or later.
  • The nq_services probe v1.0 is installed on the same hub as the ugs probe (to support multi-tenancy in CA NFA).
  • The SNMP Collector v2.1 or above is installed.
  • The robot on which the nfa_inventory probe is deployed has http access (port 80/tcp) to the CA NFA console.
  • The wasp probe on the UMP host has http access (port 80/tcp) to the CA NFA console.
  • The current versions of CA NFA, UDM, Discovery Server, and wasp probe must all be in the same CA UIM domain.

Configuration Overview

At a high level, configuring the probe consists of the following actions:

Configuration Steps

  1. Configure routers to send NetFlow to CA NFA.
  2. Configure the nfa_inventory probe to connect to the CA NFA console (by specifying the IP Address).
  3. Configure snmpcollector so that all snmpcollector instances and CA NFA have the same origin.
  4. Configure Single Sign-on (SSO) for USM and CA NFA.

Configure Probe Connections

After you install the probe, you must configure the probe setup using the CA UIM admin console.

  1. In the Add NFA Console dialog, complete the following fields:
    • NFA Console Name - The name of the CA NFA console.
    • NFA Console Hostname or IP Address - The IP Address of the CA NFA console.
    • Alarm Message - The level of alarm message sent to CA UIM if it experiences an error communicating with CA NFA.
    • Active - Whether the probe is active or not.
  2. Click Submit.
  3. If the nfa_inventory probe is on a non-wasp hub, add the /ump_common/nfa_inventory key to the wasp config using Raw Configure in the Admin Console.
    The value of the nfa_inventory key should be the bus address (/domain/hub/robot/nfa_inventory) for the nfa_inventory probe.

Configure Single Sign-on (SSO) for USM and CA NFA

To facilitate SSO, the nfa_inventory probe sends inventory to CA UIM every 15 minutes.

  • If you have SSO without LDAP or SAML2, create the same users in CA NFA as are in the USM portal.
  • If you have LDAP only (no SAML2), configure CA NFA and USM to use the same LDAP server.
  • If you have SAML2, configure CA NFA and USM to use the same SAML2 provider.

Implement CA NFA SAML2 Support

  1. Login to the CA NFA console server.
  2. Open the file <drive>:\CA\NFA\Portal\SSO\webapps\sso\configuration\saml.properties with a text editor.
  3. Add the following entries (where IP is the IP address of the CA NFA console and hostname is the hostname of the CA NFA console server):
    1. saml.sp.metadata.hostname=<ip/hostname>
    2. saml.sp.metadata.entityId=<ip/hostname>
    3. saml.sp.metadata.organizationName=<org_name>
    4. saml.sp.metadata.contactPerfon=<contact_person>
    5. saml.sp.metadata.email=<email_address>
  4. Save the saml.properties file.
  5. Execute the SSO configuration tool, ssoConfig.exe, from a CA NFA server command prompt:
    1. <drive>:\CA\NFA\Portal\SSO\bin\ssoConfig.exe
      1. Click 2 for CA Network Flow Analysis.
      2. Click 2 for SAML2 Authentication.
      3. Click 2 for Local Override.
      4. Enter 2 for Clone Default User Accounts. Change the value to user.
      5. Enter 4 for SAML2 Auto-Reauthentication Enabled. Change the value to 1.
      6. Enter 5 for SAML2 Auto-Reauthentication Time Period. Change the value to 5.
      7. Enter 6 for SAML2 IDP Session Timeout. Change the value to 10.
      8. Enter b to go back.
      9. Enter b to go back again.
      10. Enter 6 to Export SAML2 Service Provider Metadata. Provide a valid path and file name. The file type must be xml, for example:
        1. c:\temp\saml2SPmetadata.xml
      11. Enter q to quit the SSO configuration tool.
    2. Send the metadata file you saved in step 5.a.x to your SAML2 service provider.
    3. Open the file <drive>:\CA\NFA\Portal\SSO\webapps\sso\configuration\saml.properties with a text editor.
      1. Update the saml.idp.metadata.file property with the full path and file name of the metadata xml file you created in step 5.a.x.
      2. Update the saml.idp.sessionTimeout property with the IDP session timeout value you selected in step 5.a.7 (10). 
    4. Save the saml.properties file.

Multi-tenancy for CA NFA

Origin enrichment is implemented in CA UIM to enable multi-tenancy in CA NFA. Previously, only bus users could drill-out from CA UIM to CA NFA. Beginning with nfa_inventory probe v1.1, bus users and account contact users can drill-out to CA NFA based on the rights granted to them in CA UIM. The nfa_inventory probe updates CA NFA based on information obtained from CA UIM. All users must have ACL permissions to drill-out to CA NFA.

  • For each CA UIM account, CA NFA creates a permission set.
  • CA NFA permission sets have access to interface groups.
  • Interface groups correspond to a unique CA UIM origin in the CA UIM account.
  • For each CA UIM ACL, a corresponding CA NFA role is created with rights that correspond to the CA UIM ACL permissions.
    • CA UIM adds the CA NFA rights prefixed with NFA to facilitate the mapping.
  • CA NFA user accounts are created which correspond to CA UIM account contact users. The CA NFA user account has access to the CA NFA permission set corresponding to the CA UIM account.
  • A CA NFA role is created which corresponds to the CA UIM ACLs. 
  • Note that bus users have access to all tenants in CA NFA.

View CA NFA Interface Information in UMP

  1. From the UMP user interface, click on a device that is sending netflow information to CA NFA.
  2. Click Interfaces.
  3. Select an interface that the device is receiving netflow information from.
  4. Select a graph or table of CA NFA information:
    • Stacked Trend - In
    • Stacked Trend - Out
    • Top 5 Hosts
    • Top 5 Conversations
  5. Position the mouse near the top right-hand corner of the table or graph you selected, and the drill-out icon appears. Click the drill-out icon to be redirected to CA NFA.
    • When Single Sign-on (SSO) is configured properly, you will not be prompted to login to CA NFA.

To access advanced information about the interface, click the Advanced tab on the UMP interface page.

The advanced Interface tab provides the following new tables and graphs which are sourced from CA NFA:

  • Stacked ToS Trend - In
  • Stacked ToS Trend - Out
  • Top Host per ToS
  • Top Conversation per ToS

When you drill out from UMP to one of the CA NFA Type of Service (ToS) tables (Top Host per ToS or Top Conversation per ToS), you are redirected to the CA NFA ToS page. The CA NFA ToS page lists the different ToS names under the ToS Summary Table. Click on a ToS name to access a page showing all of the graphs and tables for that ToS name.

Was this helpful?

Please log in to post comments.