Configuration Logged in as Group Manager

Overview

The Group Manager role is responsible for:

  • The configuration of devices that are to be monitored.

  • The day-to-day monitoring of health and statistics down to an individual HSM device level.

Group Managers are able to enroll devices, set group alarm thresholds, and configure group event notifications via email.

Edit Profile page

Both the Administrator and the Group Manager are able to edit their own profiles.

The Edit Profile page is accessed by selecting your User ID located in the upper-right corner of the page.

Edit profile

From this page, you can perform the following actions:

  • Add a description

  • Update the email address

  • Change the password

  • Set the auto-log duration

  • Select a custom date format.

When selecting a custom date format, you can also select: Use Browser Timezone for Exporting Events.

When you select a custom date format, the chosen format is associated with your user ID, so each user can select their preferred format. Once the format has been selected, dates are displayed consistently in that format.

The only date format that will not change is the date in the User ID line, as shown below:

Set custom date
  • Reset the GUI Persistence Profile.

Managed entities

Logged on as a Group Manager, the Configuration tab displays the following:

Group Manager tab

Enrolling devices/entities

To enroll a device/entity, you must be logged on as a Group Manager. For enrolling a device, you must configure SNMPv3 on the device with an authentication algorithm and a privacy algorithm, and use the same algorithms during device enrollment.
  1. Navigate to: Configuration > Managed Entities.

    The Manage Entity Settings page opens.

  2. Select Enroll Managed Entities

    The Entity Enrollment options are displayed.

    You can choose to enroll an entity one at a time or you can use a Batch file. The default is set to enroll a Single Entity.

  3. Select the required Managed Entity Type from the drop-down menu.

  4. Enter Device Details, SNMP Details, and Group Membership details.

    Enter entity details
    Both the Authentication Algorithm and the Privacy Algorithm require a selection from a drop down.
    Client hosts only support AES Privacy Algorithms.
  5. Click Enroll Device to complete the enrollment process:

  6. Select Yes, test connection to test the connection.

    • If you would like to skip the test, select No, skip Test.

    • If you would like to cancel the data that you just entered, select Cancel Changes.

    • If you choose to test your connection and the test is successful, you are returned to the Managed Entities page.

      If you test the connection and the test is not successful, you will receive an error message. Correct the error condition and re-enter the device information.

ATTENTION: Devices/entities can be assigned to multiple groups.

  • A device/entity can be assigned to groups not associated with the current manager role. However, this is a one-way function.

  • In order to make changes or delete a device/entity in a group, the user must be a Group Manager for that group.

  • A device/entity can be associated into multiple groups during enrollment.

  • The same device/entity can be associated to more groups by editing the device.

ATTENTION: All HSMs being monitored must be configured to support SNMPv3 with nShield Monitor.

Option: Enrolling using a batch file

  1. From the Entity Enrollment page, select Batch.

    The Entity Enrollment page opens.

    To see a sample batch file, select Download Sample Batch Enroll File.
  2. Select either Choose File or Download Sample Batch Enroll File.

    • Enrolling multiple devices at one time requires a comma separated variable (CSV) file containing all the device information and SNMP information.

    • You can create a file without passwords, but you still need to leave a space where the passwords would go in the file.

      Devices can be assigned to multiple groups. A device can be assigned to groups not associated with the current manager role. However, this is a one-way function. In order to make changes or delete a device in a group, the user must be the Group Manager. A device can be associated into multiple groups during enrollment. The same device can be associated to more groups by editing the device.

      Device/Entity Batch Entry CSV Fields

      CSV File Field Name             Notes
      ------------------------------  ------------------------------------------------------------
      Group Name                      Required (string) [multiple groups in square brackets]
      Device Host name                Optional if IP address present (string)
      Device IP address               Optional if hostname present (IPv4 address - 123.45.67.89)
      Device Name                     Optional (string)
      Description                     Optional (string)
      Location                        Optional (string - cannot use commas to separate city from state)
      SNMP User Name                  Required (string)
      SNMP Authentication Algorithm   Required (one of [MD5 SHA])
      SNMP Authentication Password    Required (string)
      SNMP Privacy Algorithm          Required (one of [DES AES 3DES AES-192 AES-256])
      SNMP Privacy Password           Required (string)
      SNMP Port                       Optional (string) default is 161
      Device type                     Optional (string)
      Admin Timeout                   Optional (string)
      Stats Timeout                   Optional (string)

    • Each entity must be listed in a single row and all fields must be separated by commas.

    • For the optional fields, if you do not want to specify a value, leave the field blank. Both blank lines and comment lines are ignored.

    • Example with all fields specified:

      Group1, Device1, 192.168.18.101, Device 1, Device description 1,Location 1,User1,SHA,authpassword1,DES,privacypassword1
    • Example with optional fields not specified. Note that those fields are left empty:

      Group2,,192.168.18.102,Device 2, , ,User2,SHA,authpassword2,DES,privacypassword2
  3. After loading the batch file, select Enroll Devices.

  4. Select Yes, test connection to test the connection.

    • If you would like to skip the test, select No, skip Test.

    • If you would like to cancel the data that you just entered, select Cancel Changes.

    • If you choose to test your connection and the test is successful, you are returned to the Device Listing page.

      If you test the connection and the test is not successful, you will receive an error message. Correct the error condition and re-enter the device information.
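
A pre-upload check for the batch file format described above, as an added example that is not part of the nShield Monitor documentation or product. It assumes `#` starts a comment line, treats Group Name as an opaque string, accepts blank passwords as long as the field position is kept, and flags MD5, DES and 3DES as weak by local policy; the key names, `lint_batch` and the Group3/Group4 rows are constructed for illustration.

```python
import csv
import ipaddress

# Column order from the field table above; the key names are this example's own.
FIELDS = ("group host ip name description location snmp_user auth_alg auth_pw "
          "priv_alg priv_pw port device_type admin_timeout stats_timeout").split()
ALLOWED = {"auth_alg": {"MD5", "SHA"},
           "priv_alg": {"DES", "AES", "3DES", "AES-192", "AES-256"}}
WEAK = {"MD5", "DES", "3DES"}  # assumption: local policy, not a product rule

def lint_batch(text):
    """Return (line_no, severity, message) findings for a batch enroll file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):  # '#' comment syntax assumed
            continue
        cells = [c.strip() for c in next(csv.reader([line]))]
        if len(cells) > len(FIELDS):
            findings.append((n, "error", f"{len(cells)} fields, at most {len(FIELDS)} expected"))
        row = dict(zip(FIELDS, cells + [""] * (len(FIELDS) - len(cells))))
        add = lambda sev, msg: findings.append((n, sev, msg))
        for f in ("group", "snmp_user", "auth_alg", "priv_alg"):
            if not row[f]:
                add("error", f"missing required field {f}")
        if not (row["host"] or row["ip"]):
            add("error", "need a hostname or an IPv4 address")
        if row["ip"]:
            try:
                ipaddress.IPv4Address(row["ip"])
            except ValueError:
                add("error", f"bad IPv4 address {row['ip']!r}")
        for f, allowed in ALLOWED.items():
            if row[f] and row[f] not in allowed:
                add("error", f"{f} {row[f]!r} is not one of {sorted(allowed)}")
            elif row[f] in WEAK:
                add("warn", f"{f} {row[f]} is weak; prefer SHA with an AES variant")
        port = row["port"] or "161"  # default port from the field table
        if not (port.isdecimal() and 1 <= int(port) <= 65535):
            add("error", f"bad SNMP port {port!r}")
    return findings

SAMPLE = """\
# constructed sample; the Group1 and Group2 rows are the page's own examples
Group1, Device1, 192.168.18.101, Device 1, Device description 1,Location 1,User1,SHA,authpassword1,DES,privacypassword1

Group2,,192.168.18.102,Device 2, , ,User2,SHA,authpassword2,DES,privacypassword2
Group3,,,Device 3,,,User3,SHA1,,AES-256,,70000
Group4,hsm4.example.test,,Device 4,,Austin, TX,User4,SHA,,AES,
"""
```

Calling `lint_batch(SAMPLE)` returns DES warnings for the two documented example rows and errors for the two constructed rows. The Group4 row shows how a comma inside Location shifts every later column, which surfaces as an invalid authentication algorithm and a missing privacy algorithm.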

Deleting enrolled devices

You can only delete devices from groups for which you have been assigned the manager role. When a device is associated with multiple groups, deleting it from a group removes only its association with that group; the device is not deleted from the other groups it is associated with. A device is deleted from nShield Monitor only when it no longer has an association with any other group.
  1. Navigate to: Configuration > Managed Entities.

  2. Select the checkbox next to the device to be deleted.

    Selecting the checkbox at the header level automatically selects all the devices in the Group.
  3. Select Delete <device>.

Editing enrolled devices

  1. Single click on <device name> of the device to be edited.

    The Edit Device Details page opens.

    The Group Membership window displays two assignments: Member of and Available Group. You are able to toggle membership between the two.
  2. Enter the changes/make your selections.

  3. Select Save Changes.

Starting and stopping device monitoring

  1. Navigate to: Configuration > Managed Entities.

    The Managed Entity Setting page opens.

  2. Select the box associated with the device to have monitoring started/stopped.

    Device monitoring

    New action buttons appear:

    Device monitoring actions
    The Start Monitoring <device> is a toggle with Stop Monitoring <device>. When the device is being monitored, the Stop Monitor option is available. When the device is not being monitored, the Start Monitor option is available.
    All selected devices must be either enrolled or unenrolled for the button to be enabled.
  3. Select <Stop><Start> Monitoring <device/entity>.

Group Alarm Thresholds

The Group Manager role can view and set alarm thresholds.

Group manager role
  1. Navigate to: Configuration > Group Alarm Thresholds.

    The Group Alarm Thresholds page opens:

    Group alarm thresholds
  2. Select the Group that you would like to set.

  3. Use the slide bars to set the thresholds.

  4. Set the values in the nShield High Object Count fields based on your preferences.

  5. Select Save Thresholds.

Alarms must be enabled to receive alerts and must be programmed for each group you wish to see alerts for.

Utilization overload thresholds have two levels:

  • The first level is a Warning Threshold used to generate a Warning Severity Event.

  • The second level is a Critical Threshold used to detect a Critical Severity Event.

When the group utilization overload alarm is enabled, and both thresholds are configured:

  • Every 10 minutes the alert detection will compute the previous 10-minute nShield utilization for each device in the group.

  • If the utilization is over the Critical Threshold, a critical event is generated.

  • If the utilization is less than the Critical Threshold, but over the Warning Threshold, a warning event is generated.

  • Otherwise, there is no alert event.

The Utilization Peak Event provides a warning level threshold if the utilization peaked above a selected percentage during a pre-configured amount of time in minutes.

Both sets of alerts are disabled by default.

Group Event Notification

The group manager role has the capability to view and set group event notification via email.

  1. Navigate to: Configuration > Group Event Notification.

    Group event notification
  2. Select the Group for notification.

    The Notification Warning message displays.

    Notification warning
  3. Select Email Notification Enabled.

  4. Select the alert type.

  5. Select Save Policy.

If a device is enrolled in multiple groups, the Group Manager receives event notification emails for all groups to which the device is enrolled and to which the manager has been assigned the Group Manager role.

Assign SNMP notification policies for groups

Group Managers manage which email addresses are sent notifications when a trap event occurs in the device group. For instructions on how to enable notifications by trap groups, see Assign SNMP Notification Policies for Trap Groups.

To assign Notification Policies for device groups:

  1. Navigate to: Configuration > Group Trap Settings.

  2. In the Group Name column, select the hyperlink of the device group for which you want to configure email notifications.

    Group trap event
  3. Select your preferences for the Group Trap Event policy categories and configure the trap emails for the group.

    Group trap properties
    1. To enable email notification, select the Enable Email Notification Enabled option.

    2. To specify for which trap events to send email notifications, select the relevant options.

    3. Select Save Policy.

      The Group Trap Event Notification page is displayed.

  4. Configure the email notifications.

    1. In the Group Name column, select the link of the group for which you want to configure email notifications.

    2. Add the email addresses to which the notifications should be sent when a trap event occurs. There is no limit on the number of emails that you can add to the list.

    3. Select Save Emails.

Assign SNMP Notification Policies for Trap Groups

Group Managers create, edit, and manage trap groups that contain traps and a list of email addresses where notifications are sent when a trap event occurs.

For instructions on how to enable notifications by device groups, see Assign SNMP notification policies for groups.

To assign notification policies for trap groups:

  1. Navigate to: Configuration > Trap Settings.

    The Trap Configuration page is displayed.

    Trap group configuration
  2. Select Add New Trap Group.

    The Group Details page is displayed.

    Trap group details
  3. Enter a name for the new trap group.

  4. Select traps from the list of Available traps. For traps supported in nShield Monitor, see Support for nCSNMP traps.

  5. Add the email addresses to which the notifications should be sent when a trap event occurs. There is no limit on the number of emails that you can add to the list.

  6. Select Create Group.

    The Trap Configuration page is displayed.