Professional Documents
Culture Documents
Version : 2019.02
PDF Generated on : 14 Jun 2019
SMAX 2019.02
Table of Contents
Administer .. 1Administer CDF .. 2Access Kubernetes API server with a bearer token .. 3Add or remove
machines from a cluster .. 4Manage node labels .. 6Change CDF cluster runlevel .. 7Change the
external access hostname for CDF management portal .. 10Change your password .. 11Customize
kubelet parameters ........ 12Edit the hard eviction thresholds of worker nodes ........ 13Customize DNS entries
.. 14Rebind a PV and PVC .. 15Administer IdM .. 18Manage users .. 22Manage groups .. 25Manage
roles .. 27Add a database user and give permissions .. 28Customize password policy .. 30Customize
the management portal login page .. 31Manage authentication .. 35Use certificate to log into the
management portal .. 37Use SAML credentials to log into the management portal .. 44Use OAuth 2
authentication to log into the management portal .. 48Use LDAP credentials to log into the management
portal with SSL .. 52Manage suite metadata .. 56Modify the CDF external database configuration ..
59Security .. 60Authorization .. 62Back up data for a single-master cluster .. 63Data integrity ..
64Encryption .. 65Installation security recommendations .. 66Network and communication .. 67Shut
down a cluster node ... 83CDF backup, restore and disaster recovery ... 84Back up CDF ... 85Restore CDF
.. 90Disaster recovery .. 100Change external IdM database connection for CDF .. 125Back up and
restore IdM .. 126Change persistent volumes after CDF installation .. 127Set up thin pools after CDF
installation .. 128Rename IdM schema .. 129Administer SMAX .. 130Configure the Service Portal mobile
app .. 131Smart Analytics administration .. 132Scale out DAH server .. 133Update Smart Analytics stop
words and synonyms .. 134Update index weight for the Title and Description fields .. 135Perform a full
reindex for Smart Analytics .. 136Localize SMAX by using Openl10n .. 137Customize the login and logout
pages .. 138Replace the certificate for Service Management Automation .. 139Enable tab completion of
the suite namespace .. 140Retrieve suite truststore password .. 141Sync updated suite component
database passwords .. 142Sync updated sysadmin password .. 143Configure SMAX Security .. 144Take
a snapshot of the suite .. 145Back up and restore .. 146SMA disaster recovery (DR) toolkit .. 147SMAX
backup procedure ..... 148SMAX restoration procedure ..... 150Set up a standby environment for restoration
.. 151Scenario 1: the source environment has completely crashed .. 152Scenario 2: only the cluster
nodes have crashed .. 153Change FQDN .. 154Restart the SMA suite .. 155Restart CDF .. 156Restart
the cluster hosts .... 157Enable a firewall in the suite environment .... 158Enable a firewall after installation
.. 162Change internal integration user password .. 163Administer internal PostgreSQL .. 164Balance
cluster resource usage ...... 165Administer the suite ...... 166Tenants ...... 167How to create and edit a tenant
.. 168Customers .. 171How to create and edit a customer .. 172Accounts .. 173How to create an
account .... 174How to edit an account .... 176Users .... 181How to create a user .... 182How to edit a user
.. 184Suite Administration for shared service providers .. 186License pools .. 187How to create and edit
a license pool .. 188Licenses .. 189How to create and edit a license .. 190Assignments ..
192Configurations .. 193Operation history .. 200Access control .. 201How to create and edit an Access
Control List (ACL) .. 202Change the suite-admin password .. 203Administer Service Management ..
204Studio .. 205Fields .. 206Field properties .. 207Create a field .. 209Edit a field .. 211Calculated
fields ... 212Calculated field templates ... 213Generic relationship fields ... 214Cross-record field mapping
.. 215Mapping records created from a change record .. 216Mapping records created from an incident
record .. 219Mapping records created from a problem record .. 223Mapping records created from a
request record .. 225Mapping records created from a service definition record .. 226Mapping records
created from an idea record .. 227Forms .. 228Forms overview .. 229Form properties .. 238Edit a
form .. 241Processes and Rules .. 244Working with processes .. 245Add a phase in a process ..
SMAX 2019.02
246Add a transition in a process ... 247Move a phase or transition in a process ... 248Studio business rules
.. 249Business rule descriptions and tags .. 250Validation rule examples .. 251Action rule examples ..
252Rendering rule examples .. 253Field selection rule examples .. 254REST Execution .. 255Studio -
use case .. 257Add a business rule .. 258Edit, remove, or disable a business rule .. 259Enrichment
rules .. 260Configuration Comparison .. 261Notifications .. 262Expression Language in notifications ..
263Processing rules in notifications .. 264Direct access to Service Management via email .. 265Set up
direct access to Service Management .. 266Set up notification templates for direct access ..
267Automatic request creation ... 268Direct access to Service Management troubleshooting and limitations
.. 269Disable closed records .. 274Approval definitions .. 275Governance approval .. 276How
Governance Level Approval works .. 277Set up Governance Level Approval .. 278Build an approval
definition .. 279Edit an approval definition .. 280Set up approval plan for a custom record type ..
281Import data .. 282Import Data file format .. 283Create a CSV file with UTF-8 encoding from an Excel
file .. 284Export data .. 285Import translations .. 286Import translated Service Catalog definitions ..
287Import translated articles .. 288Custom actions .. 289SLT settings .. 290Authorization ..
291Create and configure custom application and record type .. 292People .. 293Users and contacts ..
294How to create and delete contacts ....... 298How to assign licenses to users ....... 300Roles ....... 301Groups
.. 308Manage entitlement rules .. 311Entitlement rules use case .. 312Encryption domains .. 313Set
up synchronization with LDAP .. 314Locations .. 316Lists .. 318Routing definitions .. 319Service Portal
Administration .. 320Quick Guide to customizing the Service Portal .. 321Configure Service Portal display
theme settings .. 322Configure Service Portal feature settings .. 323Configure Service Portal
configuration settings .. 325Authorize knowledge handling in the Service Portal .. 326User selections in
the Service Portal .. 327Enable users to edit requests in the Service Portal .. 328Application settings ..
329Virtual agent settings .. 330Smart Analytics settings .. 331Data domain segmentation .. 333Data
domains and entitlement rules .. 334Basic automated procedure .. 335Data domain segmentation – use
case .. 336Assign a Primary data domain to a group or user .. 337Assign permission for a data domain to
a role .. 338Assign a record to a data domain .. 339Impact of data domain segmentation ..
340Categories .. 341Create a category .. 343Edit categories .. 344View categories .. 345MT console
for shared service providers .. 346Dev2Prod - Synchronize your development and production tenants ..
347Debug tool .. 348Sample data .. 349Live Support .. 350Live Support and Chat .. 351Configure
Live Support with CTI .. 352Chat capability for the Service Portal .. 353Enable chat capability for the
Service Portal .. 354Configure support agent anonymity .. 356Location-based Live Support .. 357Create
a white label version of Service Management ........ 358Generate report based on PostgreSQL views ........ 359
SMAX 2019.02
Administer
This section describes administration tasks that the IT Administrator and Suite Administer user roles can perform in
ITOM Container Deployment Foundation (CDF) and Service Management Automation (SMA).
● Administer CDF
● Administer SMAX
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 1
SMAX 2019.02
Administer CDF
To perform administrative tasks in ITOM Container Deployment Foundation (CDF), you must have the Administrator
user role.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 2
SMAX 2019.02
The rows of the csv file list the information of different tokens.
The token authentication is disabled by default. You can enable the token authentication with the following steps.
Note
When working with multiple-master node cluster, you must use the same bear token file for every node.
To use the bearer token authentication via an HTTP request, you must pass the value of the bearer token to the
HTTP header.
Note
The bear token must be in character sequence, using no encoding or quoting. For example: A bear token is
31ada4fd-adec-460c-809a-9e56ceb75269. When putting the bear token to an HTTP header, it shows as below:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 3
SMAX 2019.02
(CDF) Management Portal. From ADMINISTRATION > Nodes, click to add worker node.
6.
Click ADD to deploy the worker node. After a few minutes, click to display the newly added
worker node.
1. From ADMINISTRATION > Nodes, click Delete on the worker node row that you want to delete under the
Operation tab.
2. # Enter the username of the worker node that you want to delete.
3. Choose Password or Key-based as the secret mode.
4. Enter the password or upload a private key file.
5. Click DELETE to confirm the deletion.
Make sure you do not delete any pod while you are adding master nodes and worker nodes or installing the suite,
even when the pod status is "Completed".
For example, you must not delete any pod similar as below:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 4
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 5
SMAX 2019.02
● To assign a label to a node, drag this label from the Predefined Labelsarea to the node you want to add a label
in the Nodes area.
● To unassign a label, in the Nodes area, click [-] next to the label and node.
● To filter the labels, enter the relevant string or keyword in the Labels box in the table header. The labels with
names that include the relevant string are listed.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 6
SMAX 2019.02
Name:
cdfctl - kubectl for CDF
Version:
2019.02
Commands:
runlevel Apply runlevel changes
metadata Apply metadata changes
Global Options:
--help, -h Print this help list
--version, -v Print the version
--follow, -f Specify if the logs should be streamed
3. Run the ./cdfctl.sh to change the cluster runlevel. For example, change the core and demo1 namespace to UP
runlevel with the following command.
./cdfctl.sh runlevel set -l UP -n core,demo1 -f
You can run the ./cdfctl.sh runlevel --help to view the command options.
On your terminal, it displats as below:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 7
SMAX 2019.02
Name:
cdfctl runlevel - Manage runlevels
Version:
2019.02
Commands:
show Show current runlevel
set Apply runlevel changes
list Show supported runlevels
Options:
--level, -l Requested runlevel. One of: DOWN, DB, STANDBY, UP or custom values, -l is mandatory
for set
--namespaces, -n One or more namespaces separated by commas to apply the runlevel
Global Options:
--help, -h Print this help list
--version, -v Print the version
--follow, -f Specify if the logs should be streamed
Examples:
./cdfctl.sh runlevel show
./cdfctl.sh runlevel show -n demo1
./cdfctl.sh runlevel list
./cdfctl.sh runlevel set -l DOWN
./cdfctl.sh -f runlevel set -l UP -n demo1
./cdfctl.sh runlevel set -l UP -n core,demo1 -f
After you have changed the CDF cluster runlevel, the related cluster components will be started or stopped.
● If the runlevel of cluster components are lower than the cluster runlevel, those components will be started.
● If the runlevel of cluster components are higher than the cluster runlevel, those components will be stopped.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 8
SMAX 2019.02
Component Runlevel
idm STANDBY
default-db DB
pg-pool DB
dashboard UP
mng-portal UP
suite-installer-frontend UP
cdf-apiserver STANDBY
suite-db DB
suite-conf UP
pg-backup STANDBY
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 9
SMAX 2019.02
You can change the external access host name for CDF management portal after CDF installation. To change the
external access host name, follow the steps below:
You can also upload a new certificate file and private key file and rootCA file through the command option lines
for Ingress services.
4. Go to Management portal > SUITE > Management > License, and then make sure the license links to the
new FQDN.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 10
SMAX 2019.02
Related topics
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 11
SMAX 2019.02
To modify the default values of the kubelet parameters or to add some customized parameters to the kubelet,
follow these steps:
--cluster-dns=10.11.12.13 \
--cluster-domain=cluster.local. \
--kubeconfig=/opt/kubernetes/ssl/native.kubeconfig \
--hostname-override=shc72v1.hpeswlab.net \
--pod-manifest-path=/opt/kubernetes/runconf \
--node-labels=master=true,role=loadbalancer \
--hairpin-mode=hairpin-veth \
--fail-swap-on=false \
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 12
SMAX 2019.02
1. Log on to the worker node for which you want to edit the eviction threshold.
2. Edit the relevant parameter values in the /usr/lib/systemd/system/kubelet.service file.
Run the following command to open the kubelet.service file.
vim /usr/lib/systemd/system/kubelet.service
You can modify the following default threshold, according to your needs. Then save the kubelet.service.
--eviction-hard=memory.available<200Mi,nodefs.available<5%,imagefs.available<5%
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 13
SMAX 2019.02
You can customize DNS entries after CDF installation. To do that you must modify the DNS entries with DNS hosts
configmap file. Follow the steps below:
dns-hosts-key: |
1.2.3.4 myhost.mydomain.com
1.2.3.5 myhost.mydomain2.com
apiVersion: v1
data:
dns-hosts-key: |
1.2.3.4 myhost.mydomain.com
1.2.3.5 myhost.mydomain.com
kind: ConfigMap
metadata:
creationTimestamp: 2018-10-19T05:28:05Z
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 14
SMAX 2019.02
You need rebind all the PVs and PVCs that are unbound.
Perform the steps below to rebind a PV and PVC:
2. Run the following command to save the output file to a file, for example, /tmp/pv-itom-vol.yaml.
kubectl get pv <pv name> -o yaml > {PV file directory}/{file name}
For example:
kubectl get pv itom-vol -o yaml > /tmp/pv-itom-vol.yaml
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 15
SMAX 2019.02
4. Run the following command to save the output file to a file, for example, /tmp/pv-itom-vol-claim.yaml.
kubectl get pvc <pvc name> -o yaml > {output file dirctory/name}
For example:
kubectl get pvc itom-vol-claim -n core -o yaml > /tmp/pv-itom-vol-claim.yaml
6. Go to the path directory where the pv and pvc yaml files are saved. Run the following command to recreate a
PV.
kubectl create -f <pv file name>
For example:
cd /tmp
kubectl create -f pv-itom-vol.yaml
7. Run the following command to check the PV status. Make sure the PV status is available.
kubectl get pv <pv name>
8. Run the following command to recreate PVC.
kubectl create -f <pvc file name>
For example:kubectl create -f pvc-itom-vol-claim.yaml
9. Run the following command to check the PVC status. Make sure the PVC status is bound.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 16
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 17
SMAX 2019.02
Administer IdM
The IdM Administration provides the identity management services for CDF. It helps to manage users, groups of
each user and the Single sign-on (SSO) to allow users using the same user name and password for multiple
applications.
From ADMINISTRATION > IdM Administration, you can access the IdM Administration page.
Click SYSTEM SETTINGS on the top menu to set the configuration for IdM instance which will apply to all
organizations.
To prolong the IdM request token time, and the management session period, set the Request Token Life Time and
Access Token Lifetime tag respectively.
See the details about the basic system settings in the table below.
String
Display Name Description
Name
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 18
SMAX 2019.02
Keystore Default Key Keystore default key name for SAML and
Name WS-Trust.
SAML
Keystore Default Key Keystore default password for SAML and
Password WS-Trust.
SSO Trusted Domains LWSSO multiple domain configuration. Trusted domains in DNS names.
There is a NEED TO RESTART option after each setting, which shows whether the IdM restart is needed to enable
a new setting. To restart IdM, follow the command below:
kubectl get pod -n core|grep idm|cut -f1 -d" "|xargs kubectl delete pod -n core
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 19
SMAX 2019.02
Note
You can switch to the advanced setting with the top right action button . To switch to
Add Organization
1.
From IdM Administration, click on the top right menu to create an organization.
2. Enter the following information for a new organization:
3. Name, Display Name, Integration User and Password
4. Then click Create.
Delete Organization
1.
From IdM Administration, click on the top right menu to delete the organization.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 20
SMAX 2019.02
2. Click action button on the right top the organization that you want to delete.
3. Click DELETE on the window popped out to confirm the organization delete.
Overview:
Click a organization, the overview tab provides the general information of the organization.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 21
SMAX 2019.02
Manage users
Tip
ITOM Container Deployment Foundation (CDF) supports two user roles (or personas): IT Administrator and Suite
Administrator.
To manage users, click ADMINISTRATION > IdM Administration, click the organization name, then click the
Users tab. This page displays user name, the first authentication date, and the last authentication date.
The user management page lists all users in the organization. You can:
●
Add: Click on the top right menu to add a user. Enter the user name, display name and password. Click Add
Attributes to add user attributes. Then click SAVE.
Search: Enter the user name into the search bar, then click the action button to perform the search.
Note
You can choose whether to enter password for a user. Users with password are IdM internal users. Users without
password are from other authentication flow, such as from LDAP, SAML or JAAS. You can add password to those
users from other authentications to create an internal IdM user with the same user name. To delete an internal
user, you can just delete the password.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 22
SMAX 2019.02
Edit or lock: Click a user name, then click the action button on the top right menu to edit a user.
●
You can:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 23
SMAX 2019.02
Remove: Choose the user you want to delete, then click the action icon on the top right menu, and then
click REMOVE to confirm the deletion.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 24
SMAX 2019.02
Manage groups
To manage groups, click ADMINISTRATION > IdM Administration, click the organization name, then click on
the Group tab. This page displays the group name and the related roles. You can:
●
Add: Click on the top right menu to add a group. Enter the user name, display name and choose the
associated roles from the drop-down box . Then click SAVE. Adding groups helps to manage what roles and
permissions can be assigned to its users.
●
Edit: Choose a group, then click on the top right menu to edit an existing group. You can change the
display name of the group and the associated group rules.
●
Add: Click to add a new group rule. You must enter the following:
❍group name
❍ choose one rule type (LDAP, DATABASE or CALCULATED)
■ For LDAP, you must also enter Group DN and LDAP configuration.
■ For DATABASE, you must enter the associated users.
■ For CALCULATED, you must enter the criteria key, criteria value and choose one match method. Then click
OK.
Choose one combination method.
■ Then click SAVE.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 25
SMAX 2019.02
●
Remove: Click the action button , and then click REMOVE to remove one group
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 26
SMAX 2019.02
Manage roles
To manage roles, click ADMINISTRATION > IdM Administration, click the organization name, then click on the
Roles tab. This page displays the role name, related description and the associated permissions. You can:
●
Add: Click to add a new role. Then enter the role name, role description and the associated permission. Then
click SAVE. Adding roles to a user helps to manage the permissions assigned to users.
●
Edit: Choose a role, then click the action button to edit a group setting. Enter a role name, description of
the role and the associated permission. Click SAVE to save the modification.
●
Remove: Click the action button , and then click REMOVE to remove one role.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 27
SMAX 2019.02
1. To add a new user: from ADMINISTATION > IdM Administration > Users, click the organization. Click
Users, click on the top right menu to add a user. Enter the user name, display name and password. Click
Add Attributes to add user attributes. Then click SAVE.
2. To add the new user to a group via adding group rule:
Click Groups, and then click the group name that you want to add the user into. Click on the top right
menu to edit an existing group. Click under the Associated Group Rules.
Enter the display name for this user. Choose DATABASE as the rule type and enter the new user name in the
Associate users row. Below is an example of adding the new user: test to the Administrators group.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 28
SMAX 2019.02
3. Edit the related permissions via manage the associated roles. Click Roles, choose a role, then click the action
button to edit a group setting. Enter a role name, description of the role and the associated permission.
Click SAVE to save the modification. For example, modify the mngAdminRole.
Note
Groups, roles, and users that are managed in the CDF Management Portal are used for the Management Portal
only. User authentication and authorization for the suite interfaces is managed at the SMA suite side.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 29
SMAX 2019.02
Edit: To edit an existing password policy, change the values for the related parameters. Click SAVE.
Remove: To remove the password policy, click REMOVE.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 30
SMAX 2019.02
You can customize the management portal login page. To customize the management portal login page, you need
to add or edit the related variable values as shown below.
Customization settings
From ADMINISTRATION > IdM Administration > [Organization name] > Customization, the customization
tab allows you to add or edit the generic KeyPair for an organization.
You can click to add more generic key pairs. To modify some generic key pairs, click .
Update the related key pairs according to the related parts shown on the management portal login page in the
figure above.
The table below lists common used generic key paris on the management portal login page.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 31
SMAX 2019.02
Name Description
Family Icon Text Specifies the IdM login icon.
Add Groups Into SSO Cookie Specifies whether enable add groups into SSO cookie.
Add Permissions into SSO Cookie Specifies whether enable add permissions into SSO cookie.
Default Signup Db User Group The default database user group for IDM sign-up users.
Add Roles into SSO Cookie Specifies whether enable add roles into SSO cookie.
Disclaimer Text Specifies whether the portal has the disclaimer text.
Enable Db User Signup Specify whether to enable the database user to sign up into IDM.
Portal Enforce End Date Specifies whether the portal has the enforce end date.
Portal Footer Message Specifies whether the portal has footer message.
Portal Legal Notice URL Specifies whether the portal has legal notice URL.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 32
SMAX 2019.02
Portal Show Confirm Dialog Specifies whether the portal shows the confirm dialog.
Portal Show Legal Notice Specifies whether the portal shows legal notice.
Portal Terms of Use URL Specifies whether the portal terms use URL.
Sign Up Terms Agree Msg Specifies the sign up term agreement message.
To show the messages to a local language, you can add the language suffix from the table below to the key of
Portal Footer Message and Portal Welcome Message. Then add the value in the local language in the value box.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 33
SMAX 2019.02
Language Suffix
Spanish .ar
German .de
English(UK) .en
English(US) .es
French .fr
Italian .it
Japanese .ja
Russian .ru
Swedish .sv
Chinese .zh
Note
To implement the changes for the language localization, you need to log out of the management portal and then
log back into the management portal.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 34
SMAX 2019.02
Manage authentication
You can configure and manage authentication identity servers for the organization. Click to add one of the
following authentication type, then click CREATE to create an new authentication:
● LDAP
● JAAS
● SAML
LDAP: Enter the display name, hostname, port, SSL connection, LDAP attributes, User login settings, and group
settings for the LDAP server. Then click SAVE.
An example:
Display Name: adfsServer1
Hostname: 192.0.2.0
Port: 389
Base DN:dc=adfs,dc=com
User ID(Full DN): cn=adfsadmin,dc=adfs,dc=com
Password: *******
User Name Attributes: mail
User Searchbase: OU=Users
User Search Filter: mail={0}
Search Subtree: [checked]
You can use user name: adfsadmin with password ***** to log into the CDF management portal.
JAAS: Enter display name. login module content, and login module directory. You can choose to select
Reflectable. Then click SAVE.
SAML: Enter the display name, and IDP server URL for the SAML server. Then click SAVE.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 35
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 36
SMAX 2019.02
1. Generate a .pfx file with the User Name Attribute set tp subjectDN. Run the following commands to generate a
username.pfx file.
cd $K8S_HOME/ssl openssl genrsa -out username.key 2048
openssl req -new -key username.key -out username.csr
openssl x509 -req -in username.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out username.crt -
days 500 -sha256
openssl pkcs12 -export -out username.pfx -inkey username.key -in username.crt
Note
Make sure the username is an IdM administrator. Enter the username for Common Name on your terminal. For
example, enter the username for the following part: Common Name (eg, your name or your server's hostname).
Generate a .pfx file with the User Name Attribute set to SAN and the SAN type to UPN with the following steps:
Open your Internet Explorer. From Internet Option > Content > Certificates > Import, import the .pfx file.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 37
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 38
SMAX 2019.02
Note
Make sure the Common Name (CN) in certificate must be the same with the user login name that was configured
in User Login Settings section of LDAP authentication configuration.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 39
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 40
SMAX 2019.02
700px
An example with subjectDN set to SAN and SAN Type set to UPN.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 41
SMAX 2019.02
Add username to administrator group with the following steps. For example, add the username is in Group1 of the
LDAP server.
1. From ADMINISTRATION > IdM Administration, click the organization name > Groups.
2.
Click the Administrators > .
3. Add the group rule from Associated Group Rules > .
4. Choose LDAP for the rule type.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 42
SMAX 2019.02
Go to the CDF management portal login page, and follow the pop-ups to log into the management portal with the
generated certificate.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 43
SMAX 2019.02
To use SAML for the authentication, you need to perform the following steps:
3. Log in to the NFS server. In the example above, the server is: myhost.mycompany.net
Upload the samlKeystore.jks file to <NFS Directory>/suite-install/certificate. Replace <NFS Directory> with
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 44
SMAX 2019.02
the NFS path you get from the previous step. For example: /var/vols/itom/data-volume.
4. Give the samlKeystore.jks file the required permission.
chown <SYSTEM_UID>:<SYSTEM_GID> <NFS Directory>/suite-install/certificate/samlKeystore.jks
chmod 755 <NFS Directory>/suite-install/certificate/samlKeystore.jks
3. Configure the keystore path in IdM.
From ADMINISTRATION > IdM Administration, click the organization. Click SYSTEM SETTINGS on the top
menu and set the following parameters:
❍ Keystore Default Key Name: for example: itom-idm
❍ Keystore Default Key Password: for example,<password for key itom-idm>
❍ Keystore Password: for example, <password for keystore file>
❍ Keystore Path: for example: file:/etc/idm/suite-metadata/certificate/samlKeystore.jks
4. Note
You must restart IdM after updating the keystore path.
In order to enable SAML integration with IDM as SP(Service Provider), You must set up an IDP(Identify Provider)
server for SAML authentication. The IDP server must support SAML2 protocol. The certified IDP servers are:
Take a Microsoft ADFS as the IDP server as an example. For the steps below to configure the ADFS server.
1. Download the IDM SAML metadata as one file. For example, spring_saml_metadata.xml from
https://<external_access_host_FQDN>:5443/idm-service/saml/metadata
2. Import the IDM SAML metadata file to ADFS server and configure the Transform Claim Rule as below:
1. On the ADFS server, click Add Relying Party Trust.
2. Choose a rule type.
3. Configure the claim rule.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 45
SMAX 2019.02
1. From ADMINISTRATION > IdM Administration, click the organization. Click AUTHENTICATION > ,
choose SAML as the authentication type. Click CREATE.
2. Enter the display name for SAML server. Choose one type of the certificate upload method.
IDP Metadata URL: Enter the IDP Metadata URL and upload the certificate. Click UPLOAD to upload the
certificate. Then click SAVE.
IDP Metadata: Click UPLOAD to upload the certificate. Then click SAVE.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 46
SMAX 2019.02
3. Click SAVE.
4. Configure the group rules for the SAML user.
1. From ADMINISTRATION > IdM Administration, click the organization.
2.
Click Groups > Administrator > , click to add a group rule.
1. Enter the management portal URL into your browser, and you will be redirected to the login page of the SAML
IDP login page.
2. Enter your SAML IDP username and password to log in.
3. Then you will be redirected to the CDF management portal.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 47
SMAX 2019.02
To use OAuth2 authentication to log into the management portal, perform the following steps:
From ADMINISTRATION > IdM Administration, click the organization. Click Authentication > ,
choose OAUTH as the authentication type. Click CREATE.
Enter the display name, OAuth type, client ID, client secret, and Base URL for the OAuth setting.
The base URL is the URL provided by the OAuth identity provider. Below is an example:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 48
SMAX 2019.02
2.
From IdM Administration > Customization, click the Authentication Flow > , enter ,oauth2. The
symbol "," is the separator. Click SAVE.
3. Click SYSTEM SETTINGS on the top main menu. Click Advanced to show the advanced settings. Scroll down
to the bottom line and check the IdM Service URL parameter has already been set to a value. The IdM service
URL is: https://<management portal login URL>:5443/idm-service.
Click Roles > . Enter a role name, displayed name, description of the role and the associated
permission. Set the associated permission as IDM_ADMIN. Click SAVE.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 49
SMAX 2019.02
5. (Optional) Add a group and give the associated roles to the group.
Click Groups > . Enter a group name, displayed name and the associated permission. Set the
associated permission as the role name you set in the previous step. For example, Oauth2. Click SAVE.
From the Associated Group Rules row, click . Enter the group name you created in previous step. For
example, Oauth2. Choose CALCULATED as the rule type, AND as the combination strategy.
From the Criteria row, click '. Enter the criteria key and criteria value, choose a match method to add
users to the group. Then click SAVE.
For example, enter username as the criterial key and admin as the criteria value and choose LIKE for the
match method.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 50
SMAX 2019.02
7. Log out of the management portal and then log into the management portal again. The login page will redirect
you to the NetIQ login page. Enter into the username and password and click Next Step to log in. For example,
you can use admin as the username and the related password.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 51
SMAX 2019.02
LDAP settings
The LDAP settings contains parameters for the LDAP server configuration, LDAP attributes, and user login
information.
Setting Description
LDAP Server Settings
Name of the LDAP configuration. This name cannot be changed when you reconfigure
Display Name
the settings.
Port Port of the LDAP server. LDAP servers typically use port 389 or secure port 636.
The Distinguished Name (DN) of the LDAP entity from which you want to start your user
search.
Base DN
Example: CN=Users,DC=obm,DC=example,DC=com
The Distinguished Name (DN) of a user with search privileges on the LDAP directory
server.
User ID (Full DN)
Example: CN=Administrator,CN=Users,DC=example,DC=com
Property that contains the user's email address (specific to the selected LDAP vendor,
for example MS Active Directory).
User Email
Example: mail
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 52
SMAX 2019.02
Any attribute (for example DN or CN) of the user who is the user's manager.
Manager Identifier
Example: manager
Manager Identifier The value of the identifier. For example, if you specified the DN in the Manager Identifier
Value field, enter dn.
Attribute for the user avatar image. You must specify an LDAP record property name
that exists on the LDAP server.
User Avatar
Example: cn
Specifies the priority of the domain controller. The priority determines the order in which
Priority
clients contact a domain controller.
Referral Search Select to follow LDAP referrals to another server that offers the requested information.
User Search Filter Example: (CDFccountName={0}) The user search filter must include the pattern {0},
which is replaced with the user name entered on login. For example,
(&(CDFAccountName={0})(objectClass=user)).
Search Subtree Select to search the subtree below the base DN (including the base DN level).
Group Settings
LDAP pattern to use when searching for a group list and search for which group the user
belongs to.
Group Search Filter
Example: (&(cn=TS-SA-*)(objectClass=group))
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 53
SMAX 2019.02
You can use LDAP credentials to log in to the management portal with SSL protocol. Perform the following steps:
1. Log in to the CDF management portal with admin credentials to add LDAP configuration.
2. From ADMINISTRATION > IdM Administration, then choose an organization.
3. From Authentication, click to add an authentication type. Choose LDAP from the drop-down box.
4. Enter the display name, host name, port, and SSL connection, and then click SAVE.
5. Create a group and configure the group DN. The following configuration is based on the Active Directory LDAP.
1. From the server where you installed Active Directory LDAP, click Start > Windows PowerShell.
2. Copy the following scripts to the open window, then run it. For example, to create a Group DN:
cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com dsadd ou "ou=idmtest,dc=adfs,dc=com"
$groupsuffix=1
foreach ($suffix in $groupsuffix)
{
dsadd group "cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com"
}
$usersuffix=1
foreach ($suffix in $usersuffix)
{
$username="cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com"
$mobileno="186000" +(10000+$suffix).ToString()
$email = "testuser$suffix@idm.com"
cmd /c "dsadd user $username -disabled no -pwd 1Qazxsw2 -mobile $mobileno -email $email -
acctexpires never"
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 54
SMAX 2019.02
Now you can log in to the management portal with LDAP credentials over SSL.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 55
SMAX 2019.02
To view the existing suite versions, click ADMINISTRATION > Metadata. The open page displays the existing
suite versions.
To upload new suite metadata, click to upload a new suite metadata tar file. Select the new metadata
tar file. Choose to check or uncheck the Overwrite option and click OK to upload.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 56
SMAX 2019.02
The newly added suite versions will be displayed on the Manage Metadata page.
If you do not check the Overwrite option, only the suite version files that are not displayed on the current page
will be added. The versions that are listed both on the current page and in the new metadata file will remain
unchanged.
If you check the Overwrite option, it will only overwrite the version files that have the same name. It will not
overwrite the metadata file. The overwrite includes:
● Replace the existing version files displayed on the Manage Metadata page with the version files listed in the
new metadata.
● Add new version files that are listed in the metadata file but not displayed on the Manage Metadata page.
To refresh the suite version list on the Manage Metadata page, click on the top right
menu.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 57
SMAX 2019.02
To delete a version, go to the row where the version you want to delete. Click , and click OK.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 58
SMAX 2019.02
1. Run the $K8S_HOME/bin/updateExternalDbInfo command to modify the configuration. For example, you run
one of the following commands:
updateExternalDbInfo <-t|--dbtype <DB type>> <-u|--user <username>> <-H|--host <DB host>> <-p|--port
<DB port>> <-d|--dbname <DB name>>
updateExternalDbInfo <-t|--dbtype <DB type>> <-u|--user <username>> <-U|--url <DB connection URL>>
In these commands:
❍ -u|--user Sets the external database username.
❍ -H|--host Sets the external database host.
❍ -p|--port Sets the external database port.
❍ -d|--dbname Sets the external database name.
❍ -t|--dbtype Sets the external database type, optional choices are
("EMBEDDED","EXTERNAL_PG","EXTERNAL_ORA"). The database type must be capitalized.
❍ -h|--help Shows the help.
❍ -U|--url Sets the external database connection URL.
2. For Oracle, use the following format: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL = TCP)(HOST =
oracle.host.name)(PORT = 1521)) (CONNECT_DATA = (SERVICE_NAME = oracledb)))"
For PostgreSQL, use the following format:jdbc:postgresql://postgres.host.name:5432/dbname
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 59
SMAX 2019.02
Security
ITOM Container Deployment Foundation (CDF) is a container that integrates with other suites. CDF is written in
Java, JavaScript, and Go.
For more information about typical deployment schemes and options, see Get started.
All of these implementations share the same basic out-of-the-box security configuration options:
● In an out-of-the-box installation, Transport Layer Security/Secure Socket Layer (TLS/SSL) security is enabled
between the browser and the CDF server by default.
● In an out-of-the-box installation, CDF requires users to enter username and password credentials to gain access
to the application.
External authentication
Though CDF cannot inherit users’ information and authorization profiles from an external repository, suite users
can use the industry-standard protocols and tools provided by identification management (IDM) integrated into
CDF to get the users' information and authentication profiles. For example, suite users can configure LDAP or
Single Sign-On provided by IDM to get external authentication profiles.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 60
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 61
SMAX 2019.02
Authorization
Authorization model
Access to ITOM Container Deployment Foundation (CDF) resources is authorized based on the following user
settings:
● User name
● Session and inactivity timer timeouts
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 62
SMAX 2019.02
To back up the data in the data directory for a single-master cluster, run the etcdctl backup command.
For example, you run the following commands:
etcdctl backup \
--data-dir %data_dir% \
--backup-dir %backup_data_dir%
You can also use the etcdctl backup command to back up all the exported folders in the NFS server.
The etcdctl backup command rewrites some metadata contained in the backup (specifically, the node ID and
cluster ID), which means that the node will lose its former identity.
In order to recreate a cluster from the backup, you will need to start a new, single-node cluster. The metadata is
rewritten to prevent the new node from inadvertently being joined to an existing cluster.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 63
SMAX 2019.02
Data integrity
The database server is used as a simple data store and is responsible for all persistent storage. While the database
contains definitions describing business logic, no processing other than create, read, update, and delete (CRUD)
operations in response to requests from ITOM Container Deployment Foundation (CDF) is performed on this tier.
Referential integrity is enforced by the application, thereby protecting transactions. In addition, the database
captures a complete audit log of all changes to data.
The data backup procedure is also an integral part of data integrity. As CDF does not provide native backup
capabilities, please consider the following guidelines:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 64
SMAX 2019.02
Encryption
An IdM server is used for authentication. The IdM server is monitored by a single center policy server, and consists
of a user repository, a policy store, and a web server agent installed over each of the capability's web servers that
communicates with the policy server. The IdM server controls users' access to various organizational resources,
protecting confidential personal and business information from unauthorized users.
For optimal security, we recommend that you either configure a TLS connection between the suite and the IdM
server, or have the suite server and the IdM servers on the same secure internal network segment. Authentication
is performed by the IdM server, and authorization is handled by the capabilities.
ITOM Container Deployment Foundation (CDF) uses TLS/SSL to transmit data between the server and browsers.
To change the default value of the SSL cipher, follow these steps:
1. On the master node, change the ssl-ciphers value in the $K8S_HOME/objectdefs/nginx-ingress.yaml file.
2. Run the following commands to recreate the ingress container:
kubectl delete -f $K8S_HOME/objectdefs/nginx-ingress.yaml
kubectl create -f $K8S_HOME/objectdefs/nginx-ingress.yaml
CDF uses proprietary algorithms to encrypt data that is stored in the database, and uses Micro Focus Identity
Manager (IdM) to manage user passwords.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 65
SMAX 2019.02
For information about supported operating systems, see Support matrix for cloud-based deployment and Support
matrix for on-premises deployment.
By default, the SSH server is configured with a weak cipher and a weak KexAlgorithms on each node. To harden
the SSH server, set the values of KexAlgorithms, Ciphers and MACs in the /etc/ssh/sshd_config file as follows:
● KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
● Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
● MACs hmac-sha2-256
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 66
SMAX 2019.02
Secure topology
ITOM Container Deployment Foundation (CDF) is designed to be part of a secure architecture and to deal with the
security threats to which it could potentially be exposed.
To securely deploy the CDF, we recommend that you use the TLS/SSL communication protocol.
You can specify certificates for ingress service during the CDF installation.
From the page, select your private key, server certificate and root certificate, then click Upload.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 67
SMAX 2019.02
namespace
From the management portal, ADMINISTRATION > Certificate, select certificates and the key files.
Click Update to use the selected certificates and keys.
When these certificates are about to expire, you must renew them.
Note
The renewCert script can only generate a certificate with a validity of 1 year. If you want renew the certificate with
a validity of longer period, perform the steps in Renew certificates after they are expired.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 68
SMAX 2019.02
To renew the certificates before they are expired, follow these steps as root user:
1. Run the following commands to generate new server certificates or client certificates on one master node (first
master node):
cd $K8S_HOME/scripts
./renewCert
2. Enter y to generate new certificates. Your terminal resembles the following:
3. Perform the following steps on the first master node according to whether your cluster nodes have SSH
connection.
❍ When the cluster nodes have SSH connection, perform the following steps.
1. Enter y for the following question:
Do you want to distribute certificates to all the nodes(y/n,Y/N)
y
2. Enter the corresponding number to choose a password mode to connect to the remaining cluster nodes.
Make sure all the remaining cluster nodes use the same user name (root), the same password or the same
private key, or all of them do not need password/key to get connected.
3. Enter the user name and password or private key to connect to the cluster nodes. Then your terminal
resembles the following:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 69
SMAX 2019.02
----------------------------------------
Do you want to restart kube-service for successful nodes(y/n,Y/N)
3. Back up the certificates under $K8S_HOME/ssl/ to some other directory on all cluster nodes.
4. Copy the certificates from <K8S_HOME>/ssl/new-certs of the first master node to the
<K8S_HOME>/ssl of the corresponding nodes manually. Replace <K8S_HOME> with the directory that
you defined in the install.properties file.
1. Run the following commands on the first master node to view the generated certificates under the
<K8S_HOME>/ssl/new-certs.
cd $K8S_HOME/ssl/new-certs
ls -al
Your terminal resembles the following:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 70
SMAX 2019.02
2. Copy the corresponding certificates from the first master nodes to the directory <K8S_HOME>/ssl of
corresponding nodes respectively according to the certificate names manually.
❍ For the first master node, run the following commands on the first master node. Replace <master1>
with the host name or IPv4 address of the first master node.
cp $K8S_HOME/ssl/new-certs/<master1>-server.key $K8S_HOME/ssl/<master1>-server.key
cp $K8S_HOME/ssl/new-certs/<master1>-server.crt $K8S_HOME/ssl/<master1>-server.crt
❍ Copy the <master>-server.key and <master>-server.crt files manually from the first master node to
the renaming corresponding master nodes under <K8S_HOME>/ssl.
For example:
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.crt to node 192.0.2.3 under
<K8S_HOME>/ssl directory.
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.key to node 192.0.2.3 under
<K8S_HOME>/ssl directory.
❍ Copy the <worker>-client.key and <worker>-client.crt files manually from the first master node to
the corresponding worker nodes under <K8S_HOME>/ssl
For example:
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.crt to node 192.0.2.2 under <K8S_HOME>/ssl
directory.
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.key to node 192.0.2.2 under
<K8S_HOME>/ssl directory.
3. Go to the <K8S_HOME>/ssl directory of the each node. Change the certificates names according to
the following rules. You can run the command: mv [old file name] [new file name]to change the
certificate names. Replace the <hostname> with the host name or IPv4 address of the node.
❍ For master nodes, run the following commands:
mv <hostname>-server.crt server.crt
mv <hostname>-server.key server.key
4. Make sure all the certificates are owned by the user whose SYSTEM_USER_ID is specified in the
install.properties file before installation. By default the SYSTEM_USER_ID is 1999. Run the following
command on all cluster nodes to change the certificate owner to SYSTEM_USER_ID.
❍ Run the following command on the master nodes to change the certificates owner:
chown <SYSTEM_USER_ID>:root ca.crt server.crt server.key
❍ Run the following command on the worker nodes to change the certificates owner:
chown <SYSTEM_USER_ID>:root ca.crt client.crt client.crt
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 71
SMAX 2019.02
5. Run the following command on each node one by one to restart kubernets:
/opt/kubernetes/bin/kube-restart.sh
You can also renew certificates with sudo users before they are expired. Take "cdfinstaller" as the sudo user for
example. Make sure the sudo user's uid is the value you defined for parameter SYSTEM_USER_ID in the
install.properties and the sudo user's gid is the value you defined for parameter SYSTEM_GROUP_ID in the
install.properties. By default, the gid and uid are all set to 1999.
Run the following command to check the sudo user uid, gid, and group: id cdfinstaller
You terminal resembles as below:
id cdfinstaller
uid=1999(cdfinstaller) gid=1999(cdfinstaller)
groups=1999(cdfinstaller)
To renew the certificates before they are expired, perform the following steps :
1. The root user must perform the following steps on all master nodes and worker nodes to grant some
permissions to the sudo user.
1. Log on to the node as the root user.
2. Open the /etc/sudoers file with a supported editor and perform the following steps as the root user.
1. Add the following lines to the end of the file:
● Replace <K8S_HOME> with the values defined in install.properties or from a command line. By default,
K8S_HOME>is /opt/kubernetes.
● Replace <username> with the user name of your sudo user.
2. If you need to add additional commands, append them to the Cmnd_Alias CDFINSTALL line.
3. Locate the secure_path line and make sure that the /sbin, /bin, /usr/sbin, and /usr/bin paths are present, as
shown below: Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin By doing this, the sudo user can
execute the showmount, curl, ifconfig and unzip commands when installing CDF.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 72
SMAX 2019.02
The sudoer file might be overwritsulten by the configuration tools, such as puppet, chef, and ansible.
Make sure the sudoer file contains all the configurations that grant the sudo user access.
2. Log into the master node as a sudo user. For example,"cdfinstaller". Run the following command to generate
new certificates on the first master node.
sudo $K8S_HOME/scripts/renewCert
3. Enter y to generate new certificates. Your terminal resembles the following:
sudo $K8S_HOME/scripts/renewCert
Are you sure to continue? (y,Y/n,N):
y
Start to generate certificates
4. Since you are running the renewCert script with sudo user, the generated certificates cannot be distributed to
all cluster nodes automatically due to the limited permissions sudo user has.
Enter n for the following question:
6. Copy the certificates from $K8S_HOME/ssl/new-certs on the first master node to the $K8S_HOME/ssl of the
corresponding nodes manually. Replace <K8S_HOME> with the directory that you defined in the
install.properties file.
1. Run the following commands on the first master node to copy the generated certificates under the
<K8S_HOME>/ssl/new-certs to /tmp.
sudo cp -r $K8S_HOME/ssl/new-certs /tmp
2. Run the following command on the first master node. Replace <SYSTEM_USER_ID> with the value you
defined in the install.properties. By default, it is 1999.
cd /tmp
sudo chown -R <SYSTEM_USER_ID>:root new-certs
ls -al new-certs
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 73
SMAX 2019.02
3. Copy the corresponding certificates from /tmp of the first master node to /tmp of the remaining nodes
respectively according to the certificates names manually.
■ For the first master node, run the following commands on the first master node. Replace <master1> with
the host name or IPv4 address of the first master node.
cp $K8S_HOME/ssl/new-certs/<master1>-server.key /tmp/<master1>-server.key
cp $K8S_HOME/ssl/new-certs/<master1>-server.crt /tmp/<master1>-server.crt
■ Copy the <master>-server.key and <master>-server.crt files manually from the first master node to the
renaming corresponding master nodes under /tmp.
For example:
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.crt to node 192.0.2.3 under /tmp directory.
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.key to node 192.0.2.3 under /tmp directory.
■ Copy the <worker>-client.key and <worker>-client.crt files manually from the first master node to the
corresponding worker nodes under <K8S_HOME>/ssl
For example:
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.crt to node 192.0.2.2 under /tmp directory.
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.key to node 192.0.2.2 under /tmp directory.
4. Go to the /tmp directory of the each node. Change the certificates names according to the following rules.
You can run the command: mv [old file name] [new file name]to change the certificate names. Replace the
<hostname> with the host name or IPv4 address of the node.
■ For master nodes, run the following commands:
mv <hostname>-server.crt server.crt
mv <hostname>-server.key server.key
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 74
SMAX 2019.02
2. Run the following command to change the sudo user's permission of directory $K8S_HOME/SSL. Replace
<SYSTEM_USER_ID> with the value you defined in install.properties. By default, it is 1999.
sudo chown -R <SYSTEM_USER_ID>:root $K8S_HOME/ssl/
To renew certificate for AWS deployment, you must follow the steps below.
Perform the following steps on each master node and worker node as root:
1. Log in to the node and go to $K8S_HOME/ssl directory. Back up all the certificates under the $K8S_HOME/ssl
directory.
For example, run the following commands:
cd $K8S_HOME/ssl
cp -r $K8S_HOME/ssl $K8S_HOME/ssl.bak
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 75
SMAX 2019.02
extfile.cnf
❍ For multiple-master node deployment configured with HA_VIRTUAL_IP for HA and host name for the
HA_VIRTUAL_IP, run the following command:
echo
"subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.defau
lt.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,DNS:<HA_VIRTUAL_IP> " >
extfile.cnf
❍ For multiple-master node deployment with LOAD_BALANCER_HOST for HA and IPv4 address for the
LOAD_BALANCER_HOST, run the following command:
echo
"subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.defau
lt.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,IP:<LOAD_BALANCE_HOST>
" > extfile.cnf
❍ For multiple-master node deployment with LOAD_BALANCER_HOST for HA and host name for the
LOAD_BALANCER_HOST, run the following command:
echo
"subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.defau
lt.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,DNS:<LOAD_BALANCE_HOS
T> " > extfile.cnf
■ Replace <Kubernetes_service_IP> with your service IPv4 of Kubernetes. By default it is 172.17.17.1, unless
you have specified SERVICE_CIDR before you install CDF. You can get your Kubernetes service IPv4 address
by running the command: openssl x509 -in $K8S_HOME/ssl/server.crt -noout -text. The first IP in the field
X509v3 Subject Alternative Name is the Kubernetes service IPv4 address.
■ Replace <NODE_IP> with the IPv4 of the current node.
■ Replace <HOSTNAME> with the hostname of the current node.
■ Replace <HA_VIRTUAL_IP> with the IPv4 address or host name you defined for the parameter
HA_VIRTUAL_IP in the install.properties.
■ Replace <LOAD_BALANCER_HOST> with the IPv4 address or host name you defined for the parameter
LOAD_BALANCER_HOST in the install.properties.
❍
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 76
SMAX 2019.02
Security recommendations
We recommend that you add the following iptable rules on the target server.
Target
Ports Service Direction Note Description
server
Master and NFS server port. All cluster nodes should be
111 NFS Mandatory
worker -> NFS able to access this port.
Master and NFS server port. All the cluster nodes should
NFS 2049 NFS Mandatory
worker -> NFS be able to access this port.
Master and NFS server port. All the cluster nodes should
20048 NFS Mandatory
worker -> NFS be able to access this port.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 77
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 78
SMAX 2019.02
Master and
Kubernete port. All the cluster nodes should
worker ->
10250 Kubernetes Mandatory be able to access this port for internal
Master and
communication.
worker
Master and
Kubernetes port. All the cluster nodes should
worker ->
10251 Kubernetes Mandatory be able to access this port for the internal
Master and
communication.
worker
Master and
Kubernetes port. All the cluster nodes should
worker ->
10252 Kubernetes Mandatory be able to access this port for internal
Master and
communication
worker
Master and
Kubernetes port. All the cluster nodes should
worker ->
10256 Kubernetes Mandatory be able to access this port for internal
Master and
communication.
worker
Master and
API server port. All the cluster nodes should
Master worker ->
8443 Kubernetes Mandatory be able to access this port for the client
and Master and
connection.
worker worker
Master and
worker -> All the nodes should be able to access this
5000 local registry Mandatory
Master and node to communicate with the local registry
worker
Example:
Assume that the cluster nodes are: 192.0.2.0, 192.0.2.1, 192.0.2.0. The master node is: 192.0.2.0.
In this example, to add iptable rules to port 8443 on the master node, you run the following commands on the
master node:
iptables -I INPUT 1 -p tcp -m tcp -s 0.0.0.0/0 --dport 8443 -j DROP
iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 8443 -j ACCEPT
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 79
SMAX 2019.02
Firewall
To open your firewall, the following ports should be available on the target server.
Source Target
Target Protocol Source Servie Description
port port
TCP Master and Access to portmapper for NFS by
* 111 NFS
NFS worker all nodes.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 80
SMAX 2019.02
Client host,
TCP Access to CDF portal by external
master and * 3000 SuiteFronted
Master HTTPS clients and all nodes.
worker
Client host,
TCP Communicate with the local
master and * 5000 Local registry
HTTPS registry.
worker
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 81
SMAX 2019.02
Replace <port_number_to_check> with the port number that you want to check.
For example:
netstat -antp | grep :111
Related topics
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 82
SMAX 2019.02
If you expect the pods on the node that you are going to shut down are drained to other running nodes before you
stop the node, run the following commands to stop Kubernetes:
cd $K8S_HOME/bin
./kube-stop.sh
If you expect the pods on the node that you are going to shut down are not drained to other running nodes before
you stop the node, run the following commands to stop Kubernetes:
cd $K8S_HOME/bin
./kube-stop.sh -u
Note
If the node is stopped for a long period, the pods on this pods will still be drained to other running pods.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 83
SMAX 2019.02
● Back up CDF
● Restore CDF
● Disaster recovery
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 84
SMAX 2019.02
Back up CDF
To restore CDF, you must back up all the related data in advance.
1. Run the following command to get the value of parameter RUNTIME_CDFDATA_HOME from the base-
configmap on any of the master nodes: kubectl get cm base-configmap -n core -o yaml
2. Run the following commands on each cluster node to back up folders and files on all master nodes and worker
nodes:
export RUNTIME_CDFDATA_HOME=<the value>
tar zcvf k8s_service_backup.tar.gz /usr/lib/systemd/system/kube-proxy.service
/usr/lib/systemd/system/kubelet.service /usr/lib/systemd/system/docker-bootstrap.service
/usr/lib/systemd/system/docker-bootstrap.service.d /usr/lib/systemd/system/docker.service
/usr/lib/systemd/system/docker.service.d
● /usr/lib/systemd/system/kubelet.service
● /usr/lib/systemd/system/kube-proxy.service
● /usr/lib/systemd/system/docker.service
● /usr/lib/systemd/system/docker.service.d/http_proxy.conf
● /usr/lib/systemd/system/docker-bootstrap.service
● /usr/lib/systemd/system/docker-bootstrap.service.d/http_proxy.conf
● All files in folder $K8S_HOME/ except $K8S_HOME/data
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 85
SMAX 2019.02
Note
It is recommended to back up the external database frequently according to the business requirements.
If you used external database (PostgreSQL or Oracle) to install CDF, you need to back up the external database.
Refer to the related database manual for the detailed backup steps.
Use database backup tool to back up suite-db database and idm-db database. The tool is located under
${K8S_HOME}/tools/postgres-backup directory, and the logs are in /tmp/postgres_backup.log.
Note
Make sure the backup service is running with the following command: kubectl get pods -n
{suite_namespaces} --show-all | grep backup.
Perform the following steps to on any one of the master nodes to back up suite-db database and idm-db database.
Note
Follow the same steps below to back up suite-db database solely.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 86
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 87
SMAX 2019.02
"default-postgresql-svc.core": {
"status": "SUCCESS"
},
"suite-db-svc.core": {
"status": "SUCCESS"
}
}
},
"status": "SUCCESS"
}
4. Get the backup data directory with the following command: kubectl get pv -n core | grep db-backup-vol
Then your terminal looks like below:
# cd /nfs/db-backup-vol
# cd pg-data-backup/
# ll
total 0
drwxr-x---. 4 1999 1999 35 May 21 14:43 backupd
drwxr-x---. 2 1999 1999 48 May 21 14:15 log
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 88
SMAX 2019.02
Back up the etcd data when etcd is in running status. Perform the following steps on any one of the master nodes.
Back up the base-configmap file on one of your master nodes, run the following command on the master node:
kubectl get cm base-configmap -n core -o json | $K8S_HOME/bin/jq -r .data > $BACKUP_FOLDER/base-
configmap.bak
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 89
SMAX 2019.02
Restore CDF
Restore the CDF installation depending on the scenarios.
When some files are deleted accidentally, you can restore them by copying them back from the backup folder. For
example: If the file $K8S_HOME/scripts/uploadimages.sh is deleted by accident, you can restore it from the backup
folder.
Note
The restored files must have the same owner and permission with the deleted files.
If you used external database (PostgreSQL or Oracle) to install CDF, you need to restore the external database.
Refer to the related database manual for the detailed restore steps.
Note
Follow the same steps below to restore suite-db database solely.
Perform the following steps to restore suite-db database and embedded database (postgreSQL).
1. Ensure that the itom-pg-backup pod and vault are in running status.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 90
SMAX 2019.02
2. Set CDF cluster into STANDBY level with the following command:
${K8S_HOME}/scripts/cdfctl.sh runlevel set -l STANDBY
4. Get the authorization token with the following command. And copy the token. You will be asked to enter the
authorization token later.
./getRestoreToken
7. Run the restore command: ./db_admin.sh restore -l {backup_Location}. Replace the backup_location in the
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 91
SMAX 2019.02
command with the real backup location you got from the previous step. For example: 2018-08-
15T03:32:12.964ZYou will need to input the authorization token again.
For example:
./db_admin.sh restore -l 2018-08-15T03:32:12.964Z [INFO] 2019-01-17 14:19:05 : Start postgres
database restore ... Please input the authorization: OTNhMDJiYjMtZDcwOC00OTM1LThkMjctMjAxYmViZDUyNDNh
[INFO] 2019-01-17 14:19:11 : Restore location: 2018-08-15T06:19:11.501Z
Check the restore status with the following command:./db_admin.sh status -t restore -l {restore_location}
You will need to input the authorization token again.
8. ./db_admin.sh status -t restore -l 2018-08-15T06:19:11.501Z
Note
The parameters listed in the sections below can be found in base-configmap.bak. Run the following command to
get the parameters:
kubectl get cm base-configmap -n core -o json | jq -r .data > base-configmap.bak
● Replace {THIS_NODE} with the full FQDN hostname of the node where you are running commands.
● Replace <Master_Node1>, <Master_Node2>, <Master_Node3> with the full FQDN hostname of the three master
nodes respectively.
Follow the steps below to restore etc data in single-master node deployment environment.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 92
SMAX 2019.02
Follow the steps below to restore the etcd data in multiple-master node deployment environment.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 93
SMAX 2019.02
advertise-peer-urls https://{Master_Node2}:2380
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name {Master_Node3} \ --initial- cluster=
{Master_Node1}=https://{Master_Node1}:2380,{Master_Node2}=https://{Master_Node2}:2380,{M
aster_Node3}=https://{Master_Node3}:2380 \ --initial-cluster-token etcd-cluster-1 --initial-
advertise-peer-urls https://{Master_Node3}:2380
4. Stop etcd container in all the master nodes with the following command:
docker -H unix:///var/run/docker-bootstrap.sock stop etcd_container
5. Move etcdv3 data to ${K8S_HOME}/data/etcd/data with the following commands:
rm -rf {RUNTIME_CDFDATA_HOME}/etcd/data/member (Run this step on all the master nodes one by one)
scp -r {Master_Node1}.etcd/member
root@{Master_Node1}:{RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r {Master_Node2}.etcd/member
root@{Master_Node2}:{RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r {Master_Node3}.etcd/member
root@{Master_Node3}:{RUNTIME_CDFDATA_HOME}/etcd/data/member
6. Change permission of etcd data directory in all the master nodes with the following command:
chown -R {USER_ID}:{GROUP_ID} {RUNTIME_CDFDATA_HOME}/etcd/data
7. Start etcd container in all the master nodes with the following command:
$K8S_HOME/scripts/startEtcd.sh -y
8. Restore flannel data with the following command:
ETCDCTL_API=2 etcdctl -endpoint=https://{THIS_NODE}:4001 -ca-file
${K8S_HOME}/ssl/ca.crt -cert-file ${K8S_HOME}/ssl/server.crt -key-file
${K8S_HOME}/ssl/server.key set /coreos.com/network/config "$(cat flannel.data)"
9. Restart flannel in all the master nodes with the following command:
$K8S_HOME/scripts/startFlannel.sh -y
Troubleshooting
If you failed to start etcd container when trying to restore etcd, perform the following steps to restart etcd
container.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 94
SMAX 2019.02
If you failed to start flannel container when trying to restore flannel, perform the following steps to restart flannel
container.
There are two ways to restore NFS server when a NFS server crashed.
Restore NFS server to the original NFS server and path with the following steps.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 95
SMAX 2019.02
Restore data into a new NFS server with the following steps.
1. Follow the steps below to stop the services that are using the PV you want to change. If there are some
dependent services, you need to stop the dependent services first, and then stop the services that use the
PV you want to change.
1. Search for the services that are using the PV you want to change with the following commands.
cd $K8S_HOME/scripts
./volume_admin.sh search <PV_name>
For example, you wan to change PV: itom-vol.
Your terminal looks like below:
2. Save the Replicas numbers of the services to a secure place. You will need these numbers later.
3. Stop the services that are using the PV according to the service type:
● For the Deployment services, run kubectl scale --replicas=0 deployment/<CONSUME> -n
<NAMESPACE>
4. For example: kubectl scale --replicas=0 deployment/idm-n core
● For the StatefulSet services, run kubectl scale --replicas=0 sts/<CONSUME> -n <NAMESPACE>
5. For example: kubectl scale --replicas=0 sts/demo1-app-api -n demo1
● For ReplicaSet services, run kubectl scale --replicas=0 replicaset/<CONSUME> -n <NAMESPACE>
6. For example: kubectl scale --replicas=0 replicaset/mng-portal-59fc97497f -n core
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 96
SMAX 2019.02
2.
3. Create a new NFS exported volume according to Set up an NFS server.
4. Get the PV details you want to change with the following command:
kubectl get pv
You terminal looks like below:
5. Get the detailed information about the PV with the following command:
kubectl get pv <your pv name> -o yaml
You terminal resembles below:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 97
SMAX 2019.02
apiVersion: v1
kind: PersistentVolumeClaim
name: db-node1-vol
namespace: core
resourceVersion: "1327"
uid: d059c02a-707f-11e8-b28c-005056977856
nfs:
path: /var/vols/itom/dbnode1vol
server: 16.155.194.116
persistentVolumeReclaimPolicy: Retain
status:
phase: Bound
6. Copy the data from the volume you configured for installation to the newly exported volume with the
following command:
cp -rfp <old_Nfs_folder>* <new_Nfs_folder>
For example: cp -rfp /var/vols/itom/demo1/* /var/vols/itom/demo3-backup
7. Run the volume_admin.sh script to change the PV. For example:
./volume_admin.sh reconfigure -v [pv name] -s [nfs server] -p [new nfs path] -t nfs
8. Restart the kubernets services that consume the pv you have changed according to their types:
You need to scale up the corresponding replicas numbers of the related services to the original numbers.
Replace <REPLICAS> with the original replicas numbers.
■ For the Deployment services, run kubectl scale --replicas=<REPLICAS> deployment/<CONSUME> -n
<NAMESPACE>
9. For example: kubectl scale --replicas=2 deployment/idm-n core
■ For the StatefulSet services, run kubectl scale --replicas=<REPLICAS> sts/<CONSUME> -n
<NAMESPACE>
10. For example: kubectl scale --replicas=1 sts/demo1-app-api -n demo1
■ For ReplicaSet services, run kubectl scale --replicas=<REPLICAS> replicaset/<CONSUME> -n
<NAMESPACE>
11. For example: kubectl scale --replicas=1 replicaset/mng-portal-59fc97497f -n core
■ For ReplicationController services, run kubectl scale --replicas=<REPLICAS> rc/<CONSUME> -n
<NAMESPACE>
12. For example: kubectl scale --replicas=1 rc/test -n core
■ Other type of services, run kubectl create -f <PATH>
13. For example: kubectl create -f /opt/kubernetes/objectdefs/yaml_template/output/kube-
registry.yaml
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 98
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 99
SMAX 2019.02
Disaster recovery
When one or multiple worker nodes crashed, all the CDF features could still work normally as the pods in crashed
nodes will be moved to other nodes automatically. You can ignore those crashed worker nodes, and add other
worker nodes through the management portal. You can still see the crashed node when running the command:
kubectl get nodes.
To remove the crashed node from the node list, you can unregister them manually.
When one of the three master nodes crashed, all the services would not be broken. However, the high availability
of the master nodes is lost. To enable high availability, you must add the master node back manually. Make sure
the node you are going to add uses exactly the same IP address and FQDN as the crashed one. Perform the
following steps to add the crashed master node back.
Note
The new extended master node must be installed through the same way as the crashed master node. For
example, if the crashed master node was installed through the IP address, the new extended master node must be
installed through the IP address.
1. Get the parameters below from the base-configmap on any of the the remaining master nodes with the
command: kubectl get cm base-configmap -n core -o yaml
❍ API_SERVER
❍ AUTO_CONFIGURE_FIREWALL
❍ AWS_EIP
❍ AWS_REGION
❍ CLOUD_PROVIDER
❍ DOCKER_HTTP_PROXY
❍ DOCKER_HTTPS_PROXY
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 100
SMAX 2019.02
❍ DOCKER_NO_PROXY
❍ ETCD_ENDPOINT
❍ FAIL_SWAP_ON
❍ FLANNEL_BACKEND_TYPE
❍ DEPLOYMENT_LOG_LOCATION
❍ HA_VIRTUAL_IP
❍ K8S_HOME
❍ KEEPALIVED_NOPREEMPT
❍ KEEPALIVED_VIRTUAL_ROUTER_ID
❍ KUBELET_HOME
❍ LOAD_BALANCER_HOST
❍ MASTER_API_SSL_PORT
❍ MASTER_NODES
❍ POD_CIDR
❍ REGISTRY_ORGNAME
❍ RUNTIME_CDFDATA_HOME
❍ SERVICE_CIDR
❍ SYSTEM_GROUP_ID
❍ SYSTEM_USER_ID
❍ TMP_FOLDER
2. Remove the crashed master node by running ./uninstall.sh or remove the etcd members manually and restart
the node.
❍ When the crashed node still can get started, run the ./uninstall.sh on the master node server.
❍ When the crashed node cannot get started, add a new VM with the same IP or FQDN to install CDF.
Find the crashed etcd member on the the existing nodes and then remove it with the following commands:
#ETCDCTL_API=3 etcdctl --endpoints=https://{HA_VIRTUAL_IP}:4001 --cacert
${K8S_HOME}/ssl/ca.crt --cert ${K8S_HOME}/ssl/server.crt --key ${K8S_HOME}/ssl/server.key
member list # ETCDCTL_API=3 etcdctl --endpoints=https://{HA_VIRTUAL_IP}:4001 --cacert
${K8S_HOME}/ssl/ca.crt --cert ${K8S_HOME}/ssl/server.crt --key ${K8S_HOME}/ssl/server.key
member remove {broken_etcd_member_ID}
3. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 101
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 102
SMAX 2019.02
# lvs -o+seg_monitor
7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [logical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata
bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
} Note
The auto extension parameters for the thin pools: thin_pool_autoextend_threshold and
thin_pool_autoextend_percent are defined in /etc/lvm/profile/docker-thinpool.profile.
thin_pool_autoextend_threshold shows the maximum percentage of the thin pool space that can be
used. thin_pool_autoextend_percent shows the percentage of the thin space that will be extended
within the mounted volume group. Auto extending will only work if the enclosing volume group has
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 103
SMAX 2019.02
space for the volume that is enclosed in it. If the volume group was defined and is completely filled with
logical volumes and has no space to extend. Then, you must make space in the volume group by
adding storage or resizing other logical volumes in the group. To extend a volume group, run the
following command:
vgextend [volume group name] [logical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in the
format:
[volume group name]-[logical volume name]. For example, a VG name is docker and an LV name is
thinpool. Then the thin pool device name is docker-thinpool.
cd /dev/mapper
ll
2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The thin
pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
● For the first master node, specify the path of the THINPOOL_DEVICE parameter in the install.properties
file.
3.
● For the second and third master nodes and all worker nodes, you need to specify the path when adding
the nodes on the installation portal.
4.
5. Generate server certificate files on the one of the remaining master nodes under $K8S_HOME/ssl with the
following commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in FQDN
format and then run the command.
# openssl genrsa -out master.key 4096 # openssl req -new -key master.key -subj "/CN={FQDN
or IP of extended master node }" -out master.csr # echo
"subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER},IP:{IP of extended master
node},DNS:{FQDN of extended master
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 104
SMAX 2019.02
node},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.de
fault.svc.cluster.local" > extfile.cnf # openssl x509 -req -sha256 -in master.csr -CA ca.crt -CAkey
ca.key -CAcreateserial -extfile extfile.cnf -out master.crt -days 365 # rm -f extfile.cnf master.csr
6. Copy pre-check.sh under $K8S_HOME/script from one of the remaining master nodes to the temp folder
{TMP_FOLDER} of the extended master node.
7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from one of
the remaining master nodes to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node that you copied under $K8S_HOME/ssl.
9. Run pre-check.sh script on the extended master node, Replace --virtual-ip {HA_VIRTUAL_IP} with --load-
balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
# sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} --k8s-
home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} --ca-file
{TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key
--network-address {NETWORK_ADDRESS} --flannel-backend-type {FLANNEL_BACKEND_TYPE} --
tmp {TMP_FOLDER} --virtual-ip {HA_VIRTUAL_IP} -l {TMP_FOLDER}/pre-check.log --fail-swap-on
{FAIL_SWAP_ON} --runtime-home {RUNTIME_CDFDATA_HOME} --auto-configure-firewall
{AUTO_CONFIGURE_FIREWALL} --user {nonroot username} --thinpool-device {thinpool-device}
--flannel-iface {ipv4 or interface name}
■ You can add option --user <nonroot username> to use non-root user to extend the node.
■ Add option --thinpool-device <thinpool device> to set up the the thin pools for Docker and Docker
bootstrap directories.
■ Add option --flannel-iface <ipv4 or interface name> to set up multiple network interface.
10.
11. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master node to
the temp folder {TMP_FOLDER} of the extended master node.
12. Untar the CDF build on the extended master node with the following command:
# tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
13. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node
14. Start install master node with the following command, Replace --virtual-ip {HA_VIRTUAL_IP} with --load-
balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} --master-api-
ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt --cert-file
{TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key --k8s-master-ip {API_SERVER}
--extend-masters "{FQDN or IP of extended master node}" --keepalived-nopreempt
{KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} --etcd-endpoint {ETCD_ENDPOINT} --
registry-orgname {REGISTRY_ORGNAME} --system-user-id {SYSTEM_USER_ID} --system-group-
id {SYSTEM_GROUP_ID} --flannel-backend-type {FLANNEL_BACKEND_TYPE} --master-nodes
{MASTER_NODES} --tmp-folder {TMP_FOLDER} --ha-virtual-ip {HA_VIRTUAL_IP} --keepalived-
virtual-router-id {KEEPALIVED_VIRTUAL_ROUTER_ID} --pod-cidr { POD_CIDR } --service-cidr
{SERVICE_CIDR} --fail-swap-on {FAIL_SWAP_ON} --runtime-home {RUNTIME_CDFDATA_HOME} -
-kubelet-home {RUNTIME_CDFDATA_HOME} --deployment-log-location
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 105
SMAX 2019.02
When two of the three master nodes crashed and the third master node runs well, the services could still be
corrupted. However, the data is still there, as one master node still runs well. Follow the steps below to recover the
system manually. Make sure the extended nodes must have exactly the same IPv4 and FQDNs as the crashed
ones.
Note
The newly extended master node must be installed through the same way as the crashed master node. For
example, if the crashed master node was installed through the IP address, the new extended master node must be
installed through the IP address.
1. Store the parameters below from the base-configmap on the remaining master node with the command:
kubectl get cm base-configmap -n core -o yaml before the cluster is crashed.
❍ API_SERVER
❍ AUTO_CONFIGURE_FIREWALL
❍ AWS_EIP
❍ AWS_REGION
❍ CLOUD_PROVIDER
❍ DOCKER_HTTP_PROXY
❍ DOCKER_HTTPS_PROXY
❍ DOCKER_NO_PROXY
❍ ETCD_ENDPOINT
❍ FAIL_SWAP_ON
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 106
SMAX 2019.02
❍ FLANNEL_BACKEND_TYPE
❍ DEPLOYMENT_LOG_LOCATION
❍ HA_VIRTUAL_IP
❍ K8S_HOME
❍ KEEPALIVED_NOPREEMPT
❍ KEEPALIVED_VIRTUAL_ROUTER_ID
❍ KUBELET_HOME
❍ LOAD_BALANCER_HOST
❍ MASTER_API_SSL_PORT
❍ MASTER_NODES
❍ POD_CIDR
❍ REGISTRY_ORGNAME
❍ RUNTIME_CDFDATA_HOME
❍ SERVICE_CIDR
❍ SYSTEM_GROUP_ID
❍ SYSTEM_USER_ID
❍ TMP_FOLDER
2. Add the crashed master nodes back. To do this, log in to the remaining master node, remove the etcd existing
members by force with the following commands:
docker -H unix:///var/run/docker-bootstrap.sock rm -f etcd_container
$K8S_HOME/scripts/startEtcd.sh -y
3. Remove the crashed master nodes by running the ./uninstall.sh on the master node servers and restart the
nodes.
❍ When the crashed nodes are still running, run the ./uninstall.sh on the master node server.
❍ When the crashed nodes are uninstalled, add a new VM with the same IP or FQDN and install CDF.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 107
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 108
SMAX 2019.02
7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [logical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata
bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
} Note
The auto extension parameters for the thin pools: thin_pool_autoextend_threshold and
thin_pool_autoextend_percent are defined in /etc/lvm/profile/docker-thinpool.profile.
thin_pool_autoextend_threshold shows the maximum percentage of the thin pool space that can
be used. thin_pool_autoextend_percent shows the percentage of the thin space that will be
extended within the mounted volume group. Auto extending will only work if the enclosing volume
group has space for the volume that is enclosed in it. If the volume group was defined and is
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 109
SMAX 2019.02
completely filled with logical volumes and has no space to extend. Then, you must make space in
the volume group by adding storage or resizing other logical volumes in the group. To extend a
volume group, run the following command:
vgextend [volume group name] [logical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in the
format:
[volume group name]-[logical volume name]. For example, a VG name is docker and an LV name is
thinpool. Then the thin pool device name is docker-thinpool.
cd /dev/mapper
ll
2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The
thin pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-
thinpool.
❍ For the first master node, specify the path of the THINPOOL_DEVICE parameter in the
install.properties file.
3.
❍ For the second and third master nodes and all worker nodes, you need to specify the path when
adding the nodes on the installation portal.
4.
5. Generate server certificate files on the remaining master node under $K8S_HOME/ssl with the following
commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in FQDN
format and then run the command.
openssl genrsa -out master.key 4096
openssl req -new -key master.key -subj "/CN={FQDN or IP of extended master node}" -out
master.csr
echo "subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER}, IP:{IP of extended
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 110
SMAX 2019.02
6. Copy pre-check.sh under $K8S_HOME/script from the remaining master node to the temp folder
{TMP_FOLDER} of the extended master node.
7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from
existing master node to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node under $K8S_HOME/ssl.
9. Run pre-check.sh script on the extended master node as below, Replace --virtual-ip {HA_VIRTUAL_IP}
with --load-balancer-host {LOAD_BALANCER_HOST} option if you configured
LOAD_BALANCER_HOST:
sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} --
k8s-home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} --ca-
file {TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt --key-file
{TMP_FOLDER}/master.key --network-address {NETWORK_ADDRESS} --flannel-backend-type
{FLANNEL_BACKEND_TYPE} --tmp {TMP_FOLDER} --virtual-ip {HA_VIRTUAL_IP} --fail-swap-on
{FAIL_SWAP_ON} -l {TMP_FOLDER}/pre-check.log --runtime-home
{RUNTIME_CDFDATA_HOME} --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} --user
{nonroot username} --thinpool-device {thinpool-device} --flannel-iface {ipv4 or interface
name}
● You can add option --user <nonroot username> to use non-root user to extend the node.
● Add option --thinpool-device <thinpool device> to set up the the thin pools for Docker and Docker
bootstrap directories.
● Add option --flannel-iface <ipv4 or interface name> to set up multiple network interface.
10. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master
node to the temp folder {TMP_FOLDER} of the extended master node.
11. Untar the CDF build on the extended master node with the following command:
tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
12. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node.
13. Start install master node with the following command, Replace --virtual-ip {HA_VIRTUAL_IP} with --load-
balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} --master-api-
ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt --cert-file
{TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key --k8s-master-ip
{API_SERVER} --extend-masters "{FQDN or IP of the last extended master node}" --
keepalived-nopreempt {KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} --etcd-endpoint
{ETCD_ENDPOINT} --registry-orgname {REGISTRY_ORGNAME} --system-user-id
{SYSTEM_USER_ID} --system-group-id {SYSTEM_GROUP_ID} --flannel-backend-type
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 111
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 112
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 113
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 114
SMAX 2019.02
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in
the format:
[volume group name]-[logical volume name]. For example, a VG name is docker and an LV name is
thinpool. Then the thin pool device name is docker-thinpool.
cd /dev/mapper
ll
2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The
thin pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-
thinpool.
■ For the first master node, specify the path of the THINPOOL_DEVICE parameter in the
install.properties file.
3.
■ For the second and third master nodes and all worker nodes, you need to specify the path when
adding the nodes on the installation portal.
4.
5. Generate server certificate files on the remaining master node under $K8S_HOME/ssl with the
following commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in
FQDN format and then run the command.
openssl genrsa -out master.key 4096
openssl req -new -key master.key -subj "/CN={FQDN or IP of extended master node}" -out
master.csr
echo "subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER}, IP:{IP of extended
master node},DNS:{FQDN of extended master
node},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernet
es.default.svc.cluster.local" > extfile.cnf
openssl x509 -req -sha256 -in master.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile
extfile.cnf -out master.crt -days 365
rm -f extfile.cnf master.csr
6. Copy pre-check.sh under $K8S_HOME/script from the remaining master node to the temp folder
{TMP_FOLDER} of the extended master node.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 115
SMAX 2019.02
7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from
existing master node to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node under $K8S_HOME/ssl.
9. Run pre-check.sh script on the extended master node as below, Replace --virtual-ip {HA_VIRTUAL_IP}
with --load-balancer-host {LOAD_BALANCER_HOST} option if you configured
LOAD_BALANCER_HOST:
sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} --
k8s-home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} --
ca-file {TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt --key-file
{TMP_FOLDER}/master.key --network-address {NETWORK_ADDRESS} --flannel-backend-
type {FLANNEL_BACKEND_TYPE} --tmp {TMP_FOLDER} --virtual-ip {HA_VIRTUAL_IP} --fail-
swap-on {FAIL_SWAP_ON} -l {TMP_FOLDER}/pre-check.log --runtime-home
{RUNTIME_CDFDATA_HOME} --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} --
user {nonroot username} --thinpool-device {thinpool-device} --flannel-iface {ipv4 or
interface name}
❍ You can add option --user <nonroot username> to use non-root user to extend the node.
❍ Add option --thinpool-device <thinpool device> to set up the the thin pools for Docker and Docker
bootstrap directories.
❍ Add option --flannel-iface <ipv4 or interface name> to set up multiple network interface.
10.
11. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master
node to the temp folder {TMP_FOLDER} of the extended master node.
12. Untar the CDF build on the extended master node with the following command:
tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
13. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node.
14. Start installing master node with the following command, Replace --virtual-ip {HA_VIRTUAL_IP} with -
-load-balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} --master-
api-ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt --cert-file
{TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key --k8s-master-ip
{API_SERVER} --extend-masters "{FQDN or IP of the last extended master node}" --
keepalived-nopreempt {KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} --etcd-
endpoint {ETCD_ENDPOINT} --registry-orgname {REGISTRY_ORGNAME} --system-user-id
{SYSTEM_USER_ID} --system-group-id {SYSTEM_GROUP_ID} --flannel-backend-type
{FLANNEL_BACKEND_TYPE} --master-nodes {MASTER_NODES} --tmp-folder
{TMP_FOLDER} --ha-virtual-ip {HA_VIRTUAL_IP} --keepalived-virtual-router-id
{KEEPALIVED_VIRTUAL_ROUTER_ID} --pod-cidr { POD_CIDR } --service-cidr
{SERVICE_CIDR} --fail-swap-on {FAIL_SWAP_ON} --runtime-home
{RUNTIME_CDFDATA_HOME} --kubelet-home {RUNTIME_CDFDATA_HOME} --auto-
configure-firewall {AUTO_CONFIGURE_FIREWALL} --deployment-log-location
{DEPLOYMENT_LOG_LOCATION} --aws-eip {AWS_EIP} --aws-region {AWS_REGION} --
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 116
SMAX 2019.02
Note
Most of the parameters used in the steps below can be found in $BACKUP_FOLDER\base-configmap.bak file.
1. Set a new VM cluster with the same host and configuartion or use the current fresh VM cluster on which CDF
was uninstalled.
2. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 117
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 118
SMAX 2019.02
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [logical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata
bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
} Note
The auto extension parameters for the thin pools: thin_pool_autoextend_threshold and
thin_pool_autoextend_percent are defined in /etc/lvm/profile/docker-thinpool.profile.
thin_pool_autoextend_threshold shows the maximum percentage of the thin pool space that can be
used. thin_pool_autoextend_percent shows the percentage of the thin space that will be extended
within the mounted volume group. Auto extending will only work if the enclosing volume group has
space for the volume that is enclosed in it. If the volume group was defined and is completely filled with
logical volumes and has no space to extend. Then, you must make space in the volume group by
adding storage or resizing other logical volumes in the group. To extend a volume group, run the
following command:
vgextend [volume group name] [logical volume name]
For example:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 119
SMAX 2019.02
2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The thin
pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
● For the first master node, specify the path of the THINPOOL_DEVICE parameter in the install.properties
file.
3.
● For the second and third master nodes and all worker nodes, you need to specify the path when adding
the nodes on the installation portal.
4.
5. Restore NFS with previous server and path.
6. Restore files on three cluster nodes. For example, run the following commands:
copy backup files to /opt/backup folder
tar zxvf /opt/backup/k8s_service_backup.tar.gz -C /
tar zxvf /opt/backup/k8s_backup.tar.gz -C /
export K8S_HOME=<your_K8S_HOME>
export HA_VIRTUAL_IP=<your_HA_VIRTUAL_IP>
export USER_ID=<your_user_ID>
export GROUP_ID=<your_user_group_ID>
export RUNTIME_CDFDATA_HOME=<your_RUNTIME_CDFDATA_HOME>
export REGISTRY_ORGNAME=<your_REGISTRY_ORGNAME>
export SUITE_REGISTRY=<your_SUITE_REGISTRY>
echo "export K8S_HOME=${K8S_HOME}">>/etc/profile
echo "export PATH=\$PATH:\${K8S_HOME}/bin">>/etc/profile
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 120
SMAX 2019.02
8. Load docker-boostrap images on three cluster nodes with the following commands:
systemctl start docker-bootstrap.service
docker -H unix:///var/run/docker-bootstrap.sock load -i ${K8S_HOME}/images/master-
bootstrap-docker-images.tgz
docker -H unix:///var/run/docker-bootstrap.sock load -i ${K8S_HOME}/images/worker-
bootstrap-docker-images.tgz
9. Run the following commands on all the three master nodes to prepare a runtime folder if there is no runtime
folder.
create etcd runtime dir: mkdir -p ${RUNTIME_CDFDATA_HOME}/etcd/data
create kubelet runtime dir: mkdir -p ${RUNTIME_CDFDATA_HOME}/kubelet
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 121
SMAX 2019.02
2. Run the following commands on the master node where you restore the etcdv3 data.
scp -r ${Master_Node1}.etcd/member
root@${Master_Node1}:${RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r ${Master_Node2}.etcd/member
root@${Master_Node2}:${RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r ${Master_Node3}.etcd/member
root@${Master_Node3}:${RUNTIME_CDFDATA_HOME}/etcd/data/member
5. Change permission of etcd data directory on the three master nodes with the following command:
chown -R ${USER_ID}:${GROUP_ID} ${RUNTIME_CDFDATA_HOME}/etcd/data
11. Start docker-boostrap containers on the three master nodes with the following commands:
■ Start ETCD with the following commands:
12. ${K8S_HOME}/scripts/startEtcd.sh -y
■ Restore flannel data on one master node with the following commands:
13. cd {flannel.data backup file directory}
ETCDCTL_API=2 etcdctl -endpoint=https://${Master_Node1}:4001 -ca-file
${K8S_HOME}/ssl/ca.crt -cert-file ${K8S_HOME}/ssl/server.crt -key-file
${K8S_HOME}/ssl/server.key set /coreos.com/network/config "$(cat flannel.data)"
■ Start fannel, vault on the three master node with the following commands:
14. ${K8S_HOME}/scripts/startFlannel.sh -y
${K8S_HOME}/scripts/startVault.sh -y
15. Load Docker images on all the master nodes with the following commands:
systemctl start docker.service
docker load -i ${K8S_HOME}/images/master-main-docker-k8s-images.tgz;
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 122
SMAX 2019.02
16. Retag two Docker images on all the master nodes with the following commands:
source $K8S_HOME/properties/images/images.properties
masterImageList=("$IMAGE_ITOM_CDF_SUITEFRONTEND" "$IMAGE_ITOM_CDF_APISERVER"
"$IMAGE_ITOM_REGISTRY" "$IMAGE_KUBE_REGISTRY_PROXY"
"$IMAGE_KUBERNETES_VAULT_INIT" "$IMAGE_KUBERNETES_VAULT_RENEW"
"$IMAGE_KUBERNETES_VAULT" "$IMAGE_ITOM_BUSYBOX")
registryURL=${SUITE_REGISTRY}
for image in ${masterImageList[*]};do
imageName=${image%:*}
tag=${image#*:}
if [ "$imageName" = "kubernetes-vault-init" -o "$imageName" = "kubernetes-vault-renew"
];then
docker tag "${registryURL}/${imageName}:${tag}"
"${registryURL}/${REGISTRY_ORGNAME}/${imageName}:${tag}"
docker tag "${registryURL}/${imageName}:${tag}" "${registryURL}/${imageName}:0.5.0"
else
docker tag "${registryURL}/${imageName}:${tag}"
"${registryURL}/${REGISTRY_ORGNAME}/${imageName}:${tag}"
fi
done
17. Create /var/lib/kubelet on all the master nodes with the following commands:
rm -rf /var/lib/kubelet
mkdir -p /var/lib/kubelet
19. If you used HA_VIRTUAL_IP, start keepalived container on the three master nodes with the following
commands. (Skip this step if you use load balancer)
${K8S_HOME}/bin/start_lb.sh
20. Start kube-cluster on all master nodes with the following command:
${K8S_HOME}/bin/kube-start.sh
21. Start kube-cluster on all worker nodes with the following command:
${K8S_HOME}/bin/kube-restart.sh
22. Restore PostgreSQL database data.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 123
SMAX 2019.02
Follow the steps below to restore CDF when the master node crashed in single-master node deployment:
Note
Most of the parameters used in the steps below can be found in $BACKUP_FOLDER\base-configmap.bak file.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 124
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 125
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 126
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 127
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 128
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 129
SMAX 2019.02
Administer SMAX
This section describes administration tasks for the Service Management Automation suite.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 130
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 131
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 132
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 133
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 134
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 135
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 136
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 137
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 138
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 139
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 140
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 141
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 142
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 143
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 144
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 145
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 146
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 147
SMAX 2019.02
Use the following procedure to back up your suite data in your production environment (the "source environment").
Backup tasks The following table lists the backup tasks and the roles that should perform them.
Backup task Role Description
The DR toolkit performs the following backup tasks:
▪ Global NFS volume backup
▪ Smart Analytics backup
DR toolkit backup DR toolkit ▪ Backup of suite configuration in the Kubernetes
configmap. Sensitive data stored in Vault is not backed
up. For example, passwords and the LW-SSO encryption
key.
Back up the external databases Back up the external databases for the suite on a regular basis to ensure your
data is safe. For each database, this normally includes a base backup (full backup) and continuous archiving
backups. The following is a list of databases that you need to back up.
Component User name Databases
maas_admin, maas_template, xservices_ems, xservices_mng,
Service Management maas_admin
xservices_rms, and sxdb
ucmdb Note: This assumes that you are using internal CMS (that is,
CMS in the suite) and using external PostgreSQL for it. If you are using
CMS ucmdb
external CMS or using Oracle for internal CMS, back up the database of
external CMS or back up external Oracle for internal CMS.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 148
SMAX 2019.02
/var/vols/itom/itsma/itsma-itsma-smartanalytics/license/idol
/var/vols/itom/itsma/itsma-itsma-smartanalytics/config
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/saw/content1
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/saw/content2
Full
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawarc/content1
IDOL backups are
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawarc/content2
required.
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawmeta/content1
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawmeta/content2
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/stx/agentstore
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/stx/category
▪ Big
disk space
required
▪
When the
size of the
data in each
of
attachment
/var/vols/itom/itsma/itsma-itsma-global/share1 /var/vols/itom/itsma/itsma- folders
itsma-global/share2 (share1 and
Attachments
share2)
becomes
huge,
customers
can
consider
performing
incremental
backups.
/var/vols/itom/itsma/itsma-itsma-global/certificate/imported
Certificates
/var/vols/itom/itsma/itsma-itsma-global/certificate/idm
/var/vols/itom/itsma/itsma-itsma-global/certificate/samlmeta
SAML
/var/vols/itom/itsma/itsma-itsma-global/certificate/ca-trust/samlKeystore.jks
/var/vols/itom/itsma/itsma-itsma-global/data/ucmdb /var/vols/itom/itsma/itsma-
UCMDB itsma-global/certificate/ucmdb /var/vols/itom/itsma/itsma-itsma-
global/license/ucmdb
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 149
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 150
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 151
SMAX 2019.02
ucmdb Note: This assumes that you are using internal CMS (that is,
CMS in the suite) and using external PostgreSQL for it. If you are using
CMS ucmdb
external CMS or using Oracle for internal CMS, restore the database of
external CMS or restore Oracle for internal CMS.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 152
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 153
SMAX 2019.02
Change FQDN
Related topics Replace the certificate for Service Management Automation
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 154
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 155
SMAX 2019.02
Restart CDF
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 156
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 157
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 158
SMAX 2019.02
SMTP
TCP Nodes 25/465/587 smtp SMTP server
Server
Ports for outbound connections In general, the inbound rules above should be good enough in terms of security. If
you have a more strict security policy, you can set outbound rules in your firewall according to the following table.
Role Destination Port Service Description
Protocol
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 159
SMAX 2019.02
TCP Nodes 8201 vault Vault port for peer member connection
External
TCP Database Server database database Access database
port
Step 5: Open the other ports on each master, worker, or NFS server The other ports are those that are not
highlighted in the table of ports for inbound connections. These ports are not for k8s internal communications.
Open the required ports on each master, worker, and NFS server. The following are examples of how to open this
kind of ports on a node.
Note You need to run the firewall-cmd --reload command to make your settings take effect. Example 1: On the
NFS server, enable inbound connections from all nodes to the UDP port 111 Run the following commands:
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 1 IP>" port
protocol="udp" port="111" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 2 IP>" port
protocol="udp" port="111" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 3 IP>" port
protocol="udp" port="111" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<worker 1 IP>" port
protocol="udp" port="111" accept"
...
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<worker n IP>" port
protocol="udp" port="111" accept" Example 2: On a master node, enable inbound connections from each
client host and all k8s nodes to the TCP port 443 If you want to allow any remote machines to access this port, you
can use the following command:
# firewall-cmd --permanent --zone=public --add-port=443/tcp
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 160
SMAX 2019.02
Otherwise, you can use the following commands to restrict inbound connections to the TCP port 443:
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 1 IP>" port
protocol="tcp" port="443" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 2 IP>" port
protocol="tcp" port="443" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<master 3 IP>" port
protocol="tcp" port="443" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<worker 1 IP>" port
protocol="tcp" port="443" accept"
...
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<worker n IP>" port
protocol="tcp" port="443" accept"
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="<IP address of client
host>" port protocol="tcp" port="443" accept"
Step 6: Open the required ports on the PostgreSQL database server and email server Make sure that the required
ports are open. For details, see the table of ports for inbound connections. Step 7: Verify the firewall settings You
can use one of the following commands to check if a port is open on a host (ports 5443 and 22 are used here for
example):
https:
curl -v -k https://<hostname>:5443
http:
curl -v <hostname>:22
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 161
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 162
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 163
SMAX 2019.02
This section describes administration tasks for the maintenance and operation of the internal PostgreSQL database
that is embedded in the SMA suite. Change the DB passwords for PGHA The internal PostgreSQL database server
contains a database for the following suite components: Autopass, IdM, Smart Analytics, Service Management, and
Suite Administration. PostgreSQL High Availability (PGHA) is enforced for these databases. The following table lists
the database names and database owner user names, as well as their related pods (which need a restart once
their db user password is changed).
▪ maas_admin
▪ maas_template
maas_admin ServiceManagement ▪ xservices_ems
▪ xservices_mng
▪ xservices_rms
▪ bo_ats
▪ bo_config
bo_db_user SuiteAdministration
▪ bo_license
▪ bo_user
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 164
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 165
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 166
SMAX 2019.02
Tenants
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 167
SMAX 2019.02
General tab
Field Description
ID Tenant ID.
Tenant environment:
• Prod
• Test
• Staging
Environment
• Poc
• RND
• Unknown
• DR
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 168
SMAX 2019.02
Login type:
• FEDERATION
• LDAP
• DB If you select a default login type, the system will use the specified login type for
Default login
user authentication. However, users can still use other authentication types by modifying the
type
URL to set AUTH=DB/LDAP/SMAL (for example:
https://<External_Access_Host>/saw/ess?TENANTID=xxxxxxxxx&AUTH=SAML). If you keep
this field empty, the system checks the user by trying all the three login types one by one
until a matching user is found.
The account specified for this tenant. Users that belong to this account can access this
Account
tenant.
Tenant admin. Only tenant with a tenant admin specified can be deployed. The tenant
Tenant admin admin receives an email notification after the tenant is deployed successfully.
The tenant admin is assigned the Tenant Admin role in Service Management automatically.
Last update on The last time that the tenant was updated.
The user name of a Service Manager user account with the following privileges:
• "system administrator" security role
Service Manager username
• "RESTful API" capability word
• Unlimited sessions allowed
Service Manager password The password of the Service Manager user account.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 169
SMAX 2019.02
Chat database password The password for the Chat database account.
ActiveMQ username The ActiveMQ username for integration with Microsoft Skye for Business.
Shared service tab (Only available for SMAX tenant) This tab displays tenant's shared service type.
Shared service type Shared service tab
Standard tenant This tab displays the shared service type
Managed tenant This tab displays the shared service type and its provider tenant.
This tab is used to managed the managed tenants and grant user permissions. For more
Provider tenant
information, see Suite Administration for shared service providers.
Tenant status
Status Description
New The tenant status is New after the tenant is created.
In Provision The tenant status is In Provision when the tenant is being deployed.
For a production, DEV, internal, or trial tenant, the tenant status becomes Active
Active
automatically after the tenant is deployed .
The tenant status becomes Inactive automatically after all licenses loaded to this tenant
Inactive
expire, you can also change the tenant status to Inactive manually.
Pending for The tenant status becomes Pending for removal automatically if the tenant
removal deployment fails.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 170
SMAX 2019.02
Customers
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 171
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 172
SMAX 2019.02
Accounts
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 173
SMAX 2019.02
• LDAP: User credentials are stored in LDAP servers. Users with this
authentication type can log in to Service Management tenants that belong to this
account and UCMDB instance using SSO. Go to LDAP for UCMDB tab in
Configurations to configure the LDAP settings.
This field appears only when Enable suite SSO is Yes.
Note To visit UCMDB from Service Management, users except Tenant Admin need
to be assigned with Allows view service modeling permission in Service
Management.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 174
SMAX 2019.02
Specify the login identifier that DB users use as the login user name:
• Login name
• Email Note
• If you select Email, make sure that the email addresses for users (including
DB user login identifier
all authentication types) in this account are unique. Otherwise, unexpected issues
might occur if two users have the same email.
• If you select Email, you cannot change the login identifier to Login name
after the account is created.
Specify the account tier, this can be used for account rating.
• Bronze
Tier • Silver
• Gold
• Platinum
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 175
SMAX 2019.02
Account type:
▪ Presales
▪ Partner
Account Type
▪ Test
▪ External customer
▪ Internal customer
Account tier:
▪ Bronze
Tier ▪ Silver
▪ Gold
▪ Platinum
Complete the LDAP field mappings as described in the following tables. An initial user sync is triggered after a valid
LDAP connection is added. LDAP server settings
Field Description OpenLDAP Example value
Display
Display name of the server.
name
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 176
SMAX 2019.02
• Group
• Organization Unit Normally,
for Group DN start with CN (e.g.
CN=CSAGroups,DC=adfshp,DC=com),
Group DN
select Group as Goup DN Type; For
Type
for Group DN start with OU (e.g.
OU=Accounts,DC=adfshp,DC=com),
select Organization Unit as Goup
DN Type.
-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIQBYAmfwbylVM0jhwYWl7uLjANBgkqhkiG9w0BAQsFADBh
If the Enable SSL checkbox is MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
SSL selected, the SSL public key …………..
public key certificate is required for LDAPS UQ9Qqtb1GX91AJ7i4153TikGgYCdwYkBURD8gSVe8OAco6IfZOYt/TEwii1Ivi1C
connection. qnuUlWpsF1LdQNIdfbW3TSe0BhQa7ifbVIfvPWHYOu3rkg1ZeMo6XRU9B4n5VyJY
RmE=
-----END CERTIFICATE-----
LDAP attributes
OpenLDAP Example
Field Description
value
Mail Email address of the user. mail
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 177
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 178
SMAX 2019.02
When a user logs in, the LDAP directory is queried to find the
user's account. The Search subtree setting controls the depth
of the search under User search base. If you want to search for
Search a matching user in the User search base and all subtrees under
subtree the User search base, make sure the Search subtree checkbox
is selected. If you want to restrict the search for a matching
user to only the User search base, excluding any subtrees,
unselect the Search subtree checkbox.
To bypass the SMAX login page and go directly to the SAML login page You can go directly to the SAML
Login page by appending the AUTH=SAML parameter to the end of the SMAX login page URL.
For example: https://<FQDN>/saw/ess?TENANTID=xxxx&AUTH=SAML To map the attributes between IdP and
BO User The following table shows the attributes mapping between External IdP and BO User.
External IdP Attribute (for reference) BO User Attribute
Login name Name ID
Language language
Location location
Email email
Password Policy tab This tab enables you to configure password policy settings for this account.
Field Description
If this setting is enabled, at least one uppercase letter and one lowercase letter are
Upper and lower case
required.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 179
SMAX 2019.02
Special character If this setting is enabled, at least one special character is required.
If this setting is enabled, users cannot use their previous two passwords when they
History check
change passwords.
If this setting is enabled, the system requires users to change their passwords in a
Expiration check
period of time specified in the Password age (days) field.
Specifies the number of days that a password can be used before a user has to change
Password age (days)
it.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 180
SMAX 2019.02
Users
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 181
SMAX 2019.02
Enter the first name of the user. Less than sign (<) and greater than sign (>) cannot be
First name
used in this field.
Enter the middle name of the user. Less than sign (<) and greater than sign (>) cannot
Middle name
be used in this field.
Enter the last name of the user. Less than sign (<) and greater than sign (>) cannot be
Last name
used in this field.
Enter the full name of the user. Less than sign (<) and greater than sign (>) cannot be
used in this field.
Full name
If no value is entered, the full name is set to the concatenation of first name and last
name.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 182
SMAX 2019.02
This field appears only for a user who is not a suite admin user.
Select the user role:
• Account user: Account user is defined to a specific customer account, this
user can only log in to suite applications such as Service Management.
• Integration user: Integration user is an API user for integration, this user is
defined to a specific customer account.
• Shared service admin: Applicable to provider accounts only.
A shared service admin normally can perform the following tasks in Suite
Administration:
⚬ Manage license and license pool.
⚬ Create and configure accounts and shared service tenants.
⚬ Manage the relationship between shared service agents and shared service
Role tenants.
⚬ Create and manage account user, integration user, shared service admin,
and shared service agent. Shared service admin is assigned with MT Administrator role
in Service Management automatically.
• Shared service agent: Applicable to provider accounts only.
A shared service agent normally can perform the following tasks in Suite Administration:
⚬ Configure managed accounts and tenants assigned to the shared service
agent. To do this, the suite admin user needs to add an Access Control List (ACL) for the
shared service agent first.
⚬ Create and manage account user and integration user. Shared service agent
is assigned with MT Agent role in Service Management automatically. The shared
service agent cannot access the managed Service Management tenant when the
assigned managed tenant is no longer managed by the provider tenant.
The authentication type can only be DB when creating new users via user interface. You
Authentication type can change the authentication type after the user is created. For more information, see
How to edit or delete a user.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 183
SMAX 2019.02
Login name of the user. If the DB user login identifier field is set to Email for this
Login name
account, you do not need to set the Login name field.
ID User ID.
Displays customer UID got from external user repositories such as LDAP, SAML IdP, or
Customer UID other stores.
Applicable to users with LDAP or Federation authentication type only.
Authentication type For information about modifying user authentication type, see Authentication type.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 184
SMAX 2019.02
Last modified time The time that the user was modified.
Status Description
For users created via user interface, the user status is Inactive after the user record is created.
Inactive
Inactive users cannot log in to Service Management Automation.
Active The user status becomes Active automatically when the user changes the password.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 185
SMAX 2019.02
All users who access request data for this managed tenant.
Service Request If role not assigned, then applicable view and/or edit
Manager (recommended) permissions on requests and all related record types (such
as person, group, service) must be assigned to these users.
Managed tenant
All users who access incident data for this managed
Incident Manager tenant. If role not assigned, then applicable view and/or
(recommended) edit permissions on incidents and all related record types
(such as person, group, service) must be assigned to these
users.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 186
SMAX 2019.02
License pools
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 187
SMAX 2019.02
License pool status You can change license pool status between Active and Inactive manually.
Status Description
Active Licenses can be added to an Active license pool.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 188
SMAX 2019.02
Licenses
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 189
SMAX 2019.02
Access type:
▪ Concurrent user: This license is based on the number of simultaneous users
Access type accessing the Service Management.
▪ Named user: Only named user can access Service Management. Tenant admin need
to assign license to users in Service Management.
License edition:
▪ Express: Includes the following Service Management modules:
• Service Portfolio
• Service Catalog
• Time Period
• Service Level
• Vendor
• Change
• Release
• Knowledge
• SACM
• Survey
Edition • Service Request
• Incident
• Problem
• On-Call
▪ Premium: Includes the following Service Management modules besides Express
edition:
• Contract
• Idea & Proposal
• Application Portfolio
• Project & Program
• Software Asset
• Financial
• Procurement
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 190
SMAX 2019.02
Feature version Version get from license file. Only applicable to Production and Evaluation licenses.
License pool Displays the license pool ID if this license is added to a license pool.
License status You can change the license status between Active and Inactive manually when the license is not
added to a license pool.
Status Description
Active Only Active licenses can be added to a license pool.
The license status becomes Retired automatically when the license end date arrives.
Retired ▪ Retired licenses cannot be added to a license pool.
▪ Retired licenses cannot be edited or deleted.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 191
SMAX 2019.02
Assignments
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 192
SMAX 2019.02
Configurations
Configurations management enables you to configure the Service Management Automation suite settings.
Important The suite takes several minutes to restart after you change the configurations. Security tab The
Security tab enables you to configure Lightweight Single Sign-On (LW-SSO) and IdM settings. After installation, the
Security tab contains out-of-the-box values for these settings. Micro Focus recommends that you reconfigure them
with your own values after installation. LW-SSO configuration Lightweight Single Sign-On (LW-SSO) is a Micro
Focus solution that enables a user to log on to one Micro Focus application and gain access to other Micro Focus
applications without being prompted for login credentials. The applications that participate in LW-SSO trust the
initial authentication and require no re-authentication when the user is moving from one application to another.
LW-SSO shares between the applications a token that is signed with the same encryption key that must be
configured in each application. With LW-SSO, once users are logged in to the Service Management Automation
suite, they can access their authorized suite capabilities without re-login. To configure LW-SSO in suite, complete
the following settings.
Field Description
Enter the parent domain of your Service Management Automation installation, all
applications in this domain can participate in LW-SSO. For example, if the suite domain is
Domain
subdomain.domain.com, the domain value should be domain.com; if the suite domain is
sample.subdomain.domain.com, the domain value should be subdomain.domain.com.
A string used for encrypting single sign-on tokens. It must match the encryption string that
is configured in other applications that participate in LW-SSO. For example, UCMDB systems.
Encryption key
The minimum length is 32 characters (letters and numbers). Do not use special characters.
You must modify the Encryption key if you are working on a production environment.
Token
expiration Defines how long (in minutes) an LW-SSO token is valid for. When the specified time has
period elapsed, the LW-SSO token is no longer valid, and a re-login is required.
(minutes)
IdM configuration
Field Description
This is a key for signing IdM tokens when you configure SAML for an "SM integration" tenant. The
Signing key
key must be at least 32 characters long, and contain both letters and numbers.
Email service tab The email service enables the system to send email notifications to any mail server that
supports Simple Mail Transfer Protocol (SMTP) or Exchange Web Services (EWS). Configuring the email service is
mandatory before you can use email related features such as email notifications and survey. To configure the suite
level email service, complete the following settings.
Field Description
Enter the name of the mail server host that is used for sending email notifications. It can
Mail server host
be the IP address, machine name, or DNS name of the mail server.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 193
SMAX 2019.02
Enter the email address identified as email sender. Make sure that this email address is in
Mail from
the allowed reply email list configured in the mail server.
▪ If the mail server requires authentication, turn on this switch and enter the user
Authentication name and password.
required ▪ If the mail server does not require authentication, turn off this switch and keep user
name and password fields blank.
User name Enter the user name of the account used for mail server authentication.
Password Enter the password of the account used for mail server authentication.
If the certificate of your SMTP server is not in the trust store, you need to:
1. On the NFS server, upload the certificate to the <SMA global NFS share
directory>/certificate/source folder.
For example: /var/vols/itom/itsma/itsma-itsma-global/certificate/source.
2. On the master node, restart the itom-bo-config pod and itom-xruntime-
platform pod.
For example:
kubectl get pods -n itsma1 | grep itom-xruntime-platform
itom-xruntime-platform-755f55d699-rg7kk 2/2 Running 0 1h
itom-xruntime-platform-offline-7859f49f78-5qn28 2/2 Running 0 1h
kubectl delete pod -n itsma1 itom-xruntime-platform-755f55d699-rg7kk
kubectl delete pod -n itsma1 itom-xruntime-platform-offline-7859f49f78-5qn28
Enable NTLM (for If your Exchange Server requires domain information for authentication, turn on this switch
EWS only) to enable the Domain field.
Service path (for Enter the EWS service path (for example, EWS/Exchange.asmx) for the full EWS service
EWS only) URL. The full EWS service URL consists of Mail server host and Service path.
Version (for EWS Select the version of Exchange Server. If you are unable to find a match, select the latest
only) version prior to the version of your Exchange Server.
Click Test connection to verify the server connectivity, if the mail server can be connected successfully, click
Save. LDAP for CMS tab This tab includes the LDAP settings that enable LDAP users to log in to the CMS instance
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 194
SMAX 2019.02
and Service Management without re-authentication. Caution The external LDAP server must not contain the
following internal users: sysadmin, admin, UISysadmin, and intgAdmin. The sysadmin user is a super administrator
account, and the rest of the users are used by UCMDB to communicate with the data flow probe, UCMDB Browser,
and Service Management, respectively. LDAP server settings
Field Description OpenLDAP Example value
The fully-qualified domain name (server.domain.com) or IP
Hostname
address of the LDAP server.
Port The port used to connect to the LDAP server (by default, 389). 389
Base distinguished name. The Base DN is the top level of the dc=Service Management
Base DN
LDAP directory that is used as the basis of a search. Automation,dc=com
cn=admin,dc=Service
User ID (Full The fully distinguished name of any user with authentication
Management
DN) rights to the LDAP server.
Automation,dc=com
Password of the User ID. If the LDAP server does not require a
Password User ID or password for authentication, this value can be
omitted.
When a user logs in, the LDAP directory is queried to find the
user's account. The Search subtree setting controls the depth
of the search under User search base. If you want to search for
Search a matching user in the User search base and all subtrees under
subtree the User search base, make sure the Search subtree checkbox
is selected. If you want to restrict the search for a matching
user to only the User search base, excluding any subtrees,
unselect the Search subtree checkbox.
User class Value of objectClass that is used to identify the user. inetOrgPerson
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 195
SMAX 2019.02
User display
The display name of the user. cn
name
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 196
SMAX 2019.02
Group
Description of the group.
description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 197
SMAX 2019.02
Smart Ticket
smarta-stx-agent-svc 9050 Store agents and profiles
Agentstore
Smart Ticket
smarta-stx-category-svc 9020 Support categorize action for Smart Ticket
Category
Smart Ticket DAH smarta-stx-dah-svc 9060 Support query action for Smart Ticket
Note that some action commands only work with certain Smart Analytics components in the suite. Refer to the
following table for detailed descriptions.
Allowed
Action name Action example Description Allowed port
component
Requests
details of all
components.
Check
whether all
components
View Status http://<Host>:<port>/action=GetStatus are up and all <Host>:<ACI_Port>
running;
checks how
many
documents
are in each
database.
Displays a
log of
requests,
including the
date and
time that a
request was
View Action made, the
http://<Host>:<port>/action=GRL&format=xml all <Host>:<ACI_Port>
History client IP
address that
made the
request, and
the internal
thread that
handled the
action.
Checks the
status of dih smarta-<*>-dih-svc:31370
index
View Index
http://<Host>:<port>/action=indexerGetStatus actions in
Status
the Smart
Analytics content <CONTENT_SERVICE>:10010
index queue.
Displays the
View Root root
Category http://<Host>:<port>/action=CategoryGetHierDetails categories category smarta-stx-category-svc:9020
Detail after
training.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 198
SMAX 2019.02
Creates a
backup that
can be used
to restore
content <CONTENT_SERVICE>:10010
the
component’s
state. You
can use this
Back up
http://<Host>:<port>/action=BackupServer&path=/var/backup action for
Component
the Content,
Category,
components.
The backup
category smarta-stx-category-svc:9020
file is stored
in the path
that you
specified.
Restores the
content of a
Restore content
Content http://<Host>:<port>/action=RestoreServer&filename=/var/ backup/***.zip server that content <CONTENT_SERVICE>:10010
Server was
previously
backed up.
Synchronize
and build
the category
Synchronize
http://<Host>:<MainProxyACIPort>/action=CategorySyncCatDRE after you category smarta-stx-category-svc:9020
Category
restore the
Category
component.
Exports all
the index
documents
for a
database
from the
Smart
Analytics dih smarta-<*>-dih-svc:31371
content
server to a
series of
compressed
files in the
defined
backup
Back up http://<Host>:<indexPort>/DREEXPORTIDX?filename=
directory.
Database c:/BackupFolderName/FilePrefix&DatabaseMatch=<Database_name>&HostDetails=true
This action
backs up
individual
databases. If
you want to
backup all
databases
on a content content <CONTENT_SERVICE>:10011
server, use
the action
Backup
Component
as
mentioned
above.
Restores the
index IDX
exported dih smarta-<*>-dih-svc:31371
before. If no
Restore http://<MainProxyHost>:<IndexPort>/DREADD?FileName= DREDbName
Database /var/backup/***.idx&DREDbName=***&CreateDatabase=True is specified,
use the
dbname of content <CONTENT_SERVICE>:10011
the indexed
file.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 199
SMAX 2019.02
Operation history
You can filter the records by job ID or operation type.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 200
SMAX 2019.02
Access control
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 201
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 202
SMAX 2019.02
The suite-admin user's password expires 90 days after the suite installation. When the password has expired, you
are prompted to change the password at login. Each new password takes effect immediately and will expire in 90
days. This means you are required to change the suite-admin user's password every 90 days. You can also change
the password before it expires, using the Change password option available from My Home. Note: If you find
yourself unable to log in to the Suite Administration interface immediately after a password change, it is probably
because the suite-admin user account is locked out (for example, due to too many invalid login attempts). Wait for
90 minutes so that the user account is unlocked, and then retry.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 203
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 204
SMAX 2019.02
Studio
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 205
SMAX 2019.02
Fields
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 206
SMAX 2019.02
Field properties
The first column of the fields table displays indicator tags for the fields:
When you select a field, its properties appear in the right pane.
Property Description
The name of the field. This field is required.
Caution
▪ The name of out-of-the-box fields is always in upper camel case. For example:
Name
ChangeCausedByRequest. You must follow this naming style.
▪ The names of all custom fields must end with _c. This suffix is added
automatically. You do not need to enter it manually.
If selected, the field is a system field. You may not edit a system field.
System Note You may not select this for a custom field.
The label of the field which Service Management displays in the user interface. This field
Multilingual label
is required.
Logical type The field type. This field is required. For more information, see Logical type details.
If selected, a user may sort the field when it appears in a record list by clicking the
Enable sort
column header.
If selected, the field is encrypted and can only be viewed by members of the selected
Encrypted encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and
RICH_TEXT.
Select the encryption domain used for this field. Only appears when Encrypted is
Encryption domain
selected. For more information on encryption domains, see Encryption domains.
If selected, the value entered in the field must be unique. Note If it is a custom field, this
Enforce uniqueness property does not take effect.
Read only If selected, a user may not change the value of the field.
Tooltip The text that appears when you move the pointer over the field.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 207
SMAX 2019.02
The text that appears when the field is empty. You can use this to give instructions or
Placeholder
reminders to users.
15 (LARGE_TEXT, RICH_TEXT,
9,
RICH_TEXT1 Text Up to 1,000,000 No No and COMPLEX_TYPE
10
combined)
COMPLEX_TYPE2 Text 1,000,000 No No
2
IMAGE Text 2,048 No No 40
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 208
SMAX 2019.02
Create a field
Edit the properties as required.
Property Description
The name of the field. This field is required.
Caution
• The name of out-of-the-box fields is always in upper camel case. For example:
Name ChangeCausedByRequest. You must follow this naming style.
• The names of all custom fields must end with _c. This suffix is added
automatically. You do not need to enter it manually.
If selected, the field is a system field. You may not edit a system field.
System Note You may not select this for a custom field.
The label of the field which Service Management displays in the user interface.
Multilingual label
This field is required.
Logical type The field type. This field is required. For more information, see Logical type details.
If selected, a user may sort the field when it appears in a record list by clicking the
Enable sort
column header.
If selected, the field is encrypted and can only be viewed by members of the selected
Encrypted encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and
RICH_TEXT.
Select the encryption domain used for this field. Only appears when Encrypted is
Encryption domain
selected. For more information on encryption domains, see Encryption domains.
Enforce uniqueness If selected, the value entered in the field must be unique.
Read only If selected, a user may not change the value of the field.
Tooltip The text that appears when you move the pointer over the field.
The text that appears when the field is empty. You can use this to give instructions or
Placeholder
reminders to users.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 209
SMAX 2019.02
Opposite label The display label of the relation field on the target record type.
Logical type This property is read only and can only be MANY2MANY.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 210
SMAX 2019.02
Edit a field
To edit the field, make the required changes to the properties in the right pane.
The label of the field which Service Management displays in the user interface.
This field is required.
Multilingual label Note Changes made to the Multilingual label property take effect as soon as you click
outside of the property, before you click Save.
If selected, a user may sort the field when it appears in a record list by clicking the
Enable sort
column header.
If selected, the field is encrypted and can only be viewed by members of the selected
Encrypted encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and
RICH_TEXT.
Select the encryption domain used for this field. Only appears when Encrypted is
Encryption domain
selected. For more information on encryption domains, see Encryption domains.
Enforce uniqueness If selected, the value entered in the field must be unique.
Read only If selected, a user may not change the value of the field.
Tooltip The text that appears when you move the pointer over the field.
The text that appears when the field is empty. You can use this to give instructions or
Placeholder
reminders to users.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 211
SMAX 2019.02
Calculated fields
Note If you have development and production tenants, all configuration changes must be made on the
development tenant. For more information about synchronizing the tenants, see Dev2Prod - How to synchronize
your development and production tenants.
Logical type details
1
Type Description Maximum length Maximum number of fields per record
INTEGER Numeric - integer - 15
BOOLEAN Boolean - 5
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 212
SMAX 2019.02
You use a calculated field template when you add a calculated field to a record type. The following templates are
available:
Template Parameters Description
Integer. Number of times the value of the selected field
changed.
Note If you use this template for a calculated field, when a
new record is created:
Field value changes
field ▪ If the relevant field is then populated, that is counted
count
as a change.
▪ If the relevant field is not populated, it is not counted
as a change until the field is later populated.
Was record in phase phase Boolean. Whether the record was ever in the selected phase.
Was field assigned Boolean. Whether the selected field was ever populated with
field value
with value the specified value.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 213
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 214
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 215
SMAX 2019.02
The following tables list those fields and associations whose contents are, by default, copied to a record created
from a change record. Change record to new change model
Change record field
Remediation plan
Category
Change type
Description
Emergency
Impact
Implementation plan
Owning group
Owner
Risk
Service
Category
Change type
Description
Emergency
Impact
Implementation plan
Owning group
Owner
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 216
SMAX 2019.02
Risk
Service
Data domains
Impact
Owning group
Service
Urgency
Change model
Category
Justification
Scheduled duration
Scheduled DT duration
Service
Urgency
Approvals (section)
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 217
SMAX 2019.02
Service Service
Description Description
Service Service
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 218
SMAX 2019.02
The following tables list those fields and associations whose contents are, by default, copied to a record created
from an incident record. Incident record to new incident model
Incident record field
Assignee
Assignment group
Case exchange
Category
Completion code
Description
First touch
Impact
Knowledge candidate
Location
Owner
Problem candidate
Service
Solution
Status
Title
Urgency
Assignment group
Case exchange
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 219
SMAX 2019.02
Category
Completion code
Description
First touch
Impact
Knowledge candidate
Location
Owner
Problem candidate
Service
Solution
Status
Title
Urgency
Data domains
Description
Impact
Service
Solution
Title
Urgency
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 220
SMAX 2019.02
Description Description
Impact Impact
Service Service
Solution Solution
Title Title
Urgency Urgency
Description Description
Impact Impact
Service Service
Solution Workaround
Title Title
Urgency Urgency
Description Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 221
SMAX 2019.02
Impact Impact
Service Service
Title Title
Urgency Urgency
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 222
SMAX 2019.02
The following tables list those fields and associations whose contents are, by default, copied to a record created
from a problem record. Problem record to new problem template
Problem record field
Category
Deferral code
Estimated cost
Impact
Known error
Owner
Owning group
Priority
Process ID
recorded by
Root cause
Service
Solution
Status
Symptoms
Workaround
Service Service
Solution Description
Symptoms Justification
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 223
SMAX 2019.02
Urgency Urgency
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 224
SMAX 2019.02
The following table list those fields and associations whose contents are, by default, copied to a record created
from a request record. Request record to new incident record
Request record field Incident record field
Category Category
Description Description
Impact Impact
Priority Priority
Requested by Reported by
Service Service
Title Title
Urgency Urgency
Reported by Created by
Description Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 225
SMAX 2019.02
The following tables list those fields and associations whose contents are, by default, copied to a record created
from a service definition record. Service definition record to new article or news record
Change record field Article record field
Description Article Content
Title Title
ID Service
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 226
SMAX 2019.02
The following tables list those fields and associations whose contents are, by default, copied to a record created
from an idea record. Idea record to new proposal record
Idea record field Proposal record field
Title Title
Description Description
Created by Reported by
Description Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 227
SMAX 2019.02
Forms
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 228
SMAX 2019.02
Forms overview
The following table lists the out-of-the-box forms provided for the different modules, with their uses:
Record type Form Module Description
View full details of an actual
Full ActualService form SACM > Actual Services
service.
New ActualService form SACM > Actual Services Define a new actual service.
Full AssetModel form SACM > Asset Models View full details of an asset model.
New AssetModel form SACM > Asset Models Define a new asset model.
Full Brand form Vendor > Brands View full details of a brand.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 229
SMAX 2019.02
changeInvolvedCisForm Change > Involved CIs tab Define CIs involved in the change.
Change > Plan and execute View, edit and create a task plan
changePlan
tab for a change.
Full Company form Vendor > Vendors View full details of a vendor.
Full CostCenter form Financials > Cost Centers View full details of a cost center.
New CostCenter form Financials > Cost Centers Define a new cost center.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 230
SMAX 2019.02
Full CostType form Financials > Cost Types View full details of a cost type.
New CostType form Financials > Cost Types Define a new cost type.
Cost type
Quick preview of a cost type (right
Preview CostType form Financials > Cost Types
pane).
Full Device form SACM > Devices View full details of a device.
Entitlement Rule New EntitlementRule form People >Entitlement Rules Define a new entitlement rule.
Full FixedAsset form Financials > Fixed Assets View full details of a fixed asset.
New FixedAsset form Financials > Fixed Assets Define a new fixed asset.
Fixed asset
Quick preview of a fixed asset
Preview FixedAsset form Financials > Fixed Assets
(right pane).
Service Catalog
Fulfillment Plan New FulfillmentPlan form Define a new fulfillment plan.
> Fulfillment Plans
Full PersonGroup form People > Groups View full details of a group.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 231
SMAX 2019.02
Full Idea form Idea & Proposal < Ideas View full details of an idea.
New Idea form Idea & Proposal < Ideas Define a new idea.
Idea Submission form Idea & Proposal < Ideas Submit an idea in Service Portal.
Full License form Software Asset > Licenses View full details of a license.
New License form Software Asset > Licenses Define a new license.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 232
SMAX 2019.02
Full LicenseType form Software Asset > Types View full details of a license type.
New LicenseType form Software Asset > Types Define a new license type.
License Type
Quick preview of a license type
Preview LicenseType form Software Asset > Types
(right pane).
Full Offering form Service Catalog > Offerings View full details of an offering.
New Offering form Service Catalog > Offerings Define a new offering.
Full Person form People > People View full details of a person.
problemInvolvedCIsForm Problem > Involved CIs tab Define CIs affected by the problem.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 233
SMAX 2019.02
Record Category New ITProcessRecordCategory form Categories Define a new record category.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 234
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 235
SMAX 2019.02
Full Reservation form SACM > Reservations View full details of a reservation.
Service Portfolio
Service Definition New ServiceDefinition form Define a new service definition.
Management
Full Stockroom form SACM > Stock Management View full details of a stockroom.
New Stockroom form SACM > Stock Management Define a new stockroom.
Stockroom
Quick preview of a stockroom
Preview Stockroom form SACM > Stock Management
(right pane).
Full Subscription form SACM > Subscriptions View full details of a subscription.
System Element New SystemElement form SACM > System Elements Define a new system element.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 236
SMAX 2019.02
▪ <modules that
include Approval plans>
approvalNew Define a new approval.
▪ records > Approval
Definition tab
▪ <modules that
include Approval plans>
approvalFull Edit details of an approval.
▪ records > Approval
Definition tab
Full TimePeriodDefinition form Time Period Management View full details of a time period.
New TimePeriodDefinition form Time Period Management Define a new time period.
Time period
Add an exception to a work
timePeriodDefinitionExceptionForm Time Period Management
schedule definition.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 237
SMAX 2019.02
Form properties
Each form may have one or more of the following types of content: Section A section is a part of a form which may
contain one or more fields or associations. A section has a name and an icon allowing you to expand or hide the
section content. The following table details the different section properties.
Property Description
The name of the section.
Name Caution The name of the section must be in upper camel case. For example: GroupData.
Expanded If selected, on loading the form, the user interface displays this section fully expanded.
Hide header If selected, the section is not visible in the user interface.
Field A form may include Service Management fields. The following table details the different field properties.
Property Description
Name The name of the field.
The label of the field that Service Management displays in the user interface. To edit:
Display
▪ Type the name in the box in the right pane.
name
▪ Click the ellipsis button to select a different language.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 238
SMAX 2019.02
The type of editor available for the user to edit the field contents. For the following field types,
Service Management automatically populates this property as follows:
LARGE_TEXT TextArea
ENUM DropDownList
ENUM_SET MultiDropDownList
BOOLEAN CheckBox
ENTITY_LINK EntityPicker
DOUBLE NumericTextBox
PERCENTAGE Percentage
IMAGE Image
For the following field types, you can select the editor type from the drop-down list:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 239
SMAX 2019.02
The width of the space available to type in field contents. Service Management automatically
populates this property based on the field type. The available sizes are:
Size
▪ Medium. A field with a size of medium displays in half the width of the form.
▪ Large. A field with a size of large displays in the whole width of the form.
The order of the field in the contents of the form. A field with an index of 1 is first in the form,
and so on. To change the order of the field:
Index
1. Select the field.
2. Click Move up or Move down (as appropriate) in the right pane.
Start on a
If selected, the user interface displays this field at the start of a new line in the form.
new line
The lowest unit of time displayed for a field using the DurationPicker Editor. For example:
Precision ▪ If you select Minutes, the editor displays days, hours, and minutes.
▪ If you select Hours, the editor displays months, days, and hours.
Association A form may include Service Management associations. An association is a named set of related
records, containing one-to-many or many-to-many relationships. Note You may not edit the properties of an
association in the Form Editor. All the properties are read-only. The following table details the different
association properties.
Property Description
Name The name of the association.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 240
SMAX 2019.02
Edit a form
Edit the properties as required.
Property Description
Name The name of the field.
The label of the field that Service Management displays in the user interface.
Display To edit:
name • Type the name in the box in the right pane.
• Click the ellipsis button to select a different language.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 241
SMAX 2019.02
The type of editor available for the user to edit the field contents.
For the following field types, Service Management automatically populates this property as
follows:
LARGE_TEXT TextArea
ENUM DropDownList
ENUM_SET MultiDropDownList
BOOLEAN CheckBox
ENTITY_LINK EntityPicker
DOUBLE NumericTextBox
PERCENTAGE Percentage
IMAGE Image
For the following field types, you can select the editor type from the drop-down list:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 242
SMAX 2019.02
The width of the space available to type in field contents. Service Management automatically
populates this property based on the field type.
Size The available sizes are:
• Medium. A field with a size of medium displays in half the width of the form.
• Large. A field with a size of large displays in the whole width of the form.
The order of the field in the contents of the form. A field with an index of 1 is first in the form,
and so on.
Index To change the order of the field:
1. Select the field.
2. Click Move up or Move down (as appropriate) in the right pane.
Start on a
If selected, the user interface displays this field at the start of a new line in the form.
new line
The lowest unit of time displayed for a field using the DurationPicker Editor.
For example:
Precision
• If you select Minutes, the editor displays days, hours, and minutes.
• If you select Hours, the editor displays months, days, and hours.
Expanded If selected, on loading the form, the user interface displays this section fully expanded.
Hide header If selected, the section is not visible in the user interface.
Expanded If selected, on loading the form, the user interface displays this section fully expanded.
Hide header If selected, the section is not visible in the user interface.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 243
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 244
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 245
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 246
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 247
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 248
SMAX 2019.02
Process events Rules are defined to be executed in connection with specific events. The event determines when
the rule is executed. In the Rules tab for workflows, processes, metaphases and phases, you can define rules in
connection with the following process events:
Process event Description
The rule is executed before any user changes are applied. Used, for example, to set
Before change
default values.
The rule is executed after the data is updated. Used, for example, to run validation
After change
rules.
The rule is executed after the change is committed. Used, for example, to run
external operations such as sending notifications, updating related records, and so
After applying changes on. The key difference with the After change process event is the order in which
the events are resolved. The order is After change, then changes are committed,
then After applying changes. For more information, see Process events order.
Before removing
The rule is executed before a relationship to another record is removed.
relationship
Before adding
The rule is executed before a relationship to another record is added.
relationship
After adding
The rule is executed after a relationship to another record is added.
relationship
After removing
The rule is executed after a relationship to another record is removed.
relationship
The rule is executed when the Service Level target duration reaches the 0%, 50%,
75%, 90%, or 100% level of the target, as defined by the rule. This process event is
SLT Event relevant for incidents, requests and the customized record types created in Studio
only. For information on defining business rules under the SLT Event process event,
see How to add Service Level Target event business rules.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 249
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 250
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 251
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 252
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 253
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 254
SMAX 2019.02
REST Execution
Execute REST business rule configuration After the On-Premise Bridge Agent is configured with endpoints and
credentials, it is possible to configure and execute the Execute REST business rule. The Execute REST business rule
accepts the following parameters:
Parameter Value
Select an agent ID from the drop-down list. There is one agent for each network domain.
OPB Agent ID Every agent has a default agent ID, but you can override it and use another pre-defined
agent ID.
Select an endpoint from the drop-down list. Every agent has a default endpoint, but you
can override it and use another endpoint of that agent. For example,
OPB Endpoint ID http://www.google.com/mail is the default endpoint for an agent, but the administrator can
configure additional endpoints for the user to select, such as
http://www.google.com/search.
Select the credentials from the drop-down list by their ID. Every endpoint has a default
credentials ID, but you can override it and use another credentials ID of that endpoint. For
Credentials ID
example, the default credentials are user1/pass1 with an ID of 123, but the user wants to
use the credentials tester1/tester1 with the ID of 456 instead.
A dialog box opens with two boxes. For the Header key, enter data as free text. For the
Header value, select one of the following options:
▪ Simple Mode. Enter the required data manually.
Headers ▪ Expression Language. Enter an Expression Language phrase that returns the
required data. Click Add item to add an additional row with boxes for another header. The
REST call request headers provide additional information for the REST call, such as the file
type to be returned.
Enter a field of the current record. Select one of the following options:
▪ Simple Mode. Enter the required field manually.
Output field
▪ Expression Language. Enter an Expression Language phrase that returns the
name
required field. This parameter defines the field where the returned results are stored. For
more information on the available output field types, see the next section.
Enter the prefix text in the box manually. This parameter enables you to set values to be
Task Prefix used in the result fields defined inside a complex type output field. It is not relevant for
textual type output fields.
Click the Expression Language button to toggle between these options. When the button is selected
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 255
SMAX 2019.02
(blue), the field is in Expression Language mode. When it is not selected (white), the field is in Simple mode. For a
full list of Expression Language functions, see Expression Language functions and syntax. Output field types When
selecting the output field, you should select a field of the type that matches the type of results to be returned by
the REST call. The field types are defined for each field in the Fields tab. You can define the output field for the
business rule execution with the following types:
Field type Description
A textual field is defined according to size. The following options are available:
▪ SMALL_TEXT
▪ MEDIUM_TEXT
Textual field ▪ LARGE_TEXT
▪ RICH_TEXT If the defined field size is large enough to contain the full response string, it is
stored in the field as is. If the field size is smaller than the response value, the response value is
truncated to the size of the field.
A user-defined field. You can define the following system fields within the user option to use in
the business rule:
▪ RawOutput_c. A third party response of type string which contains the full JSON
response. Example: {"ExecutionId" : "123", "URL" : "http/:<servername>.port/..."}.
▪ HttpStatusCode_c. A third party HTTP status response of type integer. Example: 400.
To parse the RawOutput_c string, you can define the following custom fields, based on the
above example, to use in the business rule (all of type string):
▪ ExecutionId_c. Parses the execution Id from the raw output string. Example: 123.
▪ URL_c. Parses the URL from the raw output string. Example:
User options
http:/<servername>.port/... Note
▪ Only string result fields are supported in the complex type field (with the exception of the
HttpStatusCode and IsFailed fields).
▪ The custom field name must be identical to the corresponding parameter in the raw
output string (the comparison is case insensitive).
▪ Do not define multiple custom fields with names that differ only by case.
▪ Parameters in the raw output string that contain delimiters are not supported (For
example, vm.name.)
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 256
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 257
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 258
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 259
SMAX 2019.02
Enrichment rules
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 260
SMAX 2019.02
Configuration Comparison
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 261
SMAX 2019.02
Notifications
Select one of the following system notification templates to edit:
Template Description
Used when an authorization code is sent to a user for strong
Authorization code
identity validation
Header and Footer Contains the header and footer that appears in all notifications
New comment added, with anonymous Used when a comment is added, and excludes the IT agent's
agent details name and avatar
Request verification code for encryption Used when a verification code is requested for an encryption
domain domain
Request verification code for strong Used when a verification code is requested for strong identity
identity validation validation
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 262
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 263
SMAX 2019.02
Description Replaces the rule with the avatar for the user identified by the person identifier.
Create URL rule A similar rule creates a URL to reference data. When you embed the URL to the associated record,
the user can easily open that record.
Example <%=create_url(/ess/question/${questionId})%>
Note When you add a URL using the link button, you can edit the text of the link and the URL remains active.
When you add a URL using directly in the text editor, the link cannot be edited. It appears in the message as you
entered it.
Hide record name rule In cases where a user does not have permission to view a record type, this rule hides the
record name from such a user.
Syntax <%=task_parent_name(person Id, entity type, entity Id, entity name)%>
Description Hides the record name if the user does not have permission to view records of that type.
Example
<%=task_parent_name(${:current_recipient.Id},${:entity.ParentEntityType},${:entity.ParentEntityId},${:entity.ParentDisplayLabelKey})%>
Note This rule is intended for use with task notifications only. It is included in such notification templates out-of-
the-box.
Conditional statement rule You can define a rule to display a message only when a condition is satisfied. You can
define a single message, which is displayed only when the condition is true, or two messages, one displayed for a
true condition value and the other for a false condition value.
In Format 1, the message is displayed when the Boolean expression is true. A blank string is
displayed when the Boolean expression is false. In Format 2, the first message is displayed when
Description
the Boolean expression is true. The second message is displayed when the Boolean expression is
false.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 264
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 265
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 266
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 267
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 268
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 269
SMAX 2019.02
The creation of a
request fails
The task to create a because a user does
request via email not have correct
fails. The following permission to create
email notification is a request. By
received: You do not default, the Service
have the necessary Portal User role has
permissions to create permission to create Create the user in Service Management and assign them the
this request via requests. If a user Service Portal User role or the request-creation permission.
email. Please contact cannot create
your system requests, the user
administrator. To may either not be
create a new request, defined in Service
log in to the Service Management or
Portal. does not have the
Service Portal User
role.
Service
The following email Management failed
notification is to process an email If permitted, extend the default token expiration time in the
received: We could action because the email endpoint configuration:
not process this token contained in 1. From the main menu, select Administration >
email because it has the email expired Configuration > Service Portal Settings > Feature
expired. To track or (too many days Settings.
update the request, passed since the 2. In the Specify email validity time frame field, select
log in to the Service user received the the desired time frame.
Portal. email that contains
the action link).
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 270
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 271
SMAX 2019.02
There might be
problems with the
New emails are not
On-Premise Bridge
processed.
email integration
task.
Email integration
tasks run every
30 minutes (at
The integration task
xx:00 and xx:30);
does not start after
therefore, it may None.
configuring the
take up to 30
endpoint.
minutes until the
mail polling task
begins.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 272
SMAX 2019.02
The Enable
request creation
and actions from
email option is not
enabled on the
Requests cannot be Feature Settings
created from inbound page of Service Enable this option.
email. Portal
(Administration >
Configuration >
Service Portal
Settings >
Feature Settings).
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 273
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 274
SMAX 2019.02
Approval definitions
Note Approval definitions are available for article, change, idea, proposal, release, and request record
types.
In some cases, approvals must be granted at certain phases of the workflow before moving on to the next phase.
The following table provides details.
Record type Workflow Phases for approvals Out-of-the-box approval definition name
Article Normal Review Article - Review
The Approval definitions tab is available for the following record types: Article You need to build your own
approval plan. For more information about how to build an approval plan, seeTask plans. Change The approval
phases of the normal and emergency change workflows have pre-defined approval plans. When you create a
change, the approval plan corresponding to the selected change type is selected in the Approval definition field
in the Properties tab for each approval phase:
Change type Approval Phase Built-in approval plan
Approve Plan Normal change - Approve plan
Normal
Approve deployment Normal change - Approve deployment
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 275
SMAX 2019.02
Governance approval
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 276
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 277
SMAX 2019.02
in case of ${entity.Cost>2000}
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 278
SMAX 2019.02
A decision point that uses an Expression Language phrase to determine which path in the approval
Decision
plan to follow.
Joins two or more nodes in the approval plan. Both must be completed before moving on to the next
Join
node in the plan.
To apply the new definition to an approval phase of a Proposal or Request record, select the new approval plan
definition from the drop-down list in the Approval definition field in the following phase:
Record type Approval Phase
Proposal Review
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 279
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 280
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 281
SMAX 2019.02
Import data
The following table displays the different possible statuses for the file import:
Status Description
Not Started Waiting for the server to execute the import job.
All incoming records were processed. There were no failures, but at least one
Finished with warnings
warning.
Finished with failures All incoming records were processed. There was at least one failure.
Success All incoming records were processed without any warnings or errors.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 282
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 283
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 284
SMAX 2019.02
Export data
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 285
SMAX 2019.02
Import translations
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 286
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 287
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 288
SMAX 2019.02
Custom actions
Enter or select the action properties:
Property Description
Name Enter the action name.
Display
Enter the name of the action as it will appear on the action button.
name
If this check box is selected, two hidden fields will be created for this custom action, CustomActionName_c and CustomActionCount_c. The behaviors of these two fields are as
follows:
• When you click this custom action, the value of the CustomActionName_c field is changed to the name of the custom action. This field will be overwritten only when you
click another custom action of the same record type.
• Each time you click this custom action, the value of the CustomActionCount_c field is changed to a random number. These two fields can be utilized when you create
Enable
business rules. For example, you can set a rule with the condition ${current_update.CustomActionCount_c.IsChanged && entity.CustomActionName_c=='<ACTION
workflow
NAME>'}, then the rule will be triggered every time you click the custom action button.
Notes:
• We recommend that you create this type of business rules in the After Change event section.
• The business rule can be set on the Process, Meta-Phase, or Phase level, depending on whether the action is to be always available or only under certain phases.
• The CustomActionName_c and CustomActionCount_c fields cannot be deleted after being created.
Select the position of the action on the record page. The available options are:
Position
• Show as primary. The action appears in the record page toolbar.
in record
• Show as secondary. The action appears in the drop-down menu under More in the record page toolbar.
page
• Do not show. The action does not appear on the record page.
Group in
record Select an action group. The grouped actions are displayed together on the record page.
page
Group in
grid Select an action group. The grouped actions are displayed together on the grid page.
page
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 289
SMAX 2019.02
SLT settings
For each target type, select On to enable the automatic notifications, and select Off to disable them. In the
request record type, the tab displays the following:
Section Targets
• Initial review
Support (IT support requests) • Resolution
• Time in Group
• Fulfillment
Service (IT service requests)
• Time in Group
• Initial review
• Resolution
HR (HR support requests)
• Fulfillment
• Time in Group
ENTITY_LINK Group
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 290
SMAX 2019.02
Authorization
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 291
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 292
SMAX 2019.02
People
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 293
SMAX 2019.02
The Name field is populated by the values entered in the First name and Last name
fields when the person record is created. It can also be edited manually.
Name
Changes made to the First name and Last name fields later, are not reflected in the
Name field.
Gender The gender of the person. Select a value from the drop-down list.
Person type Indicates whether the person is a user or a contact. This field is read-only.
Indicates if the person has VIP status. This field can be used to Indicate to agents that
VIP they are working on a VIP customer. It can also be used in business rules to boost
priorities.
The person's employee status. Select a value from the drop-down list.
The available options are:
⚬ Active
Person status ⚬ Leave of absence
⚬ Retired
⚬ Terminated
⚬ Inactive
The person's UPN. This field is read-only. (It is only editable during creation of a new
person).
Note
⚬ This is the person's primary identifier in Service Management.
User principal name
⚬ When adding people records via Suite Administration, this field is populated
with the login name value from Suite Administration. When adding or editing people
records, this field is mandatory.
Contact information
Field Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 294
SMAX 2019.02
Where the person is located. Select a value from the drop-down list.
Examples:
Location
⚬ France/Paris
⚬ EMEA/Spain/Madrid/M1 To manage locations, see Locations.
A temporary location for the person, for visiting purposes. Select a value from the
Temporary location
drop-down list.
Organizational information
Field Description
The person's employment type. Select a value from the drop-down list.
The available options are:
⚬ Full-time
Employment type ⚬ Part-time
⚬ Contractor
⚬ Internal
⚬ External
Manager The person's manager. Select a value from the drop-down list.
Hire date The person's hire date. Click in the box to display a calendar.
Leave date The person's leave date. Click in the box to display a calendar.
The organizational group of which the person is a member, if any. For functional group
information, see the Group membership section for this person.
Note
Organization
⚬ This field is only relevant for users.
⚬ A user can belong to one organizational group, and one or more functional
groups. For more information about group types, see How to create a group.
Personal preferences
Field Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 295
SMAX 2019.02
Avatar The person's avatar. Click Upload image to select an image for the avatar.
The language of the person's locale. Select a value from the drop-down list.
The default value is English (U.S.). To set the default language for new users to a different value,
Language edit the relevant business rule.
Note When adding or editing people records, this field is mandatory.
System use definitions Note The System use definitions section is only relevant for users.
Field Description
The roles assigned to the user, if any. Click in the box to display a list of available roles.
Role Note A user can have more than one role.
Select the licenses assigned to the user, if any. Click in the box to display a list of
available licenses. For each license, the license type (Premium Named, Express
Named, Premium Concurrent, or Express Concurrent for use with the MT console)
and the license capacity are displayed.
Note
⚬ A user can have more than one license.
License
⚬ An admin user can assign licenses to users. For each license, a yellow icon
is displayed at the top of the page indicating the number of users assigned that license.
The caption next to the icon indicates the total number of users that can be assigned
that license. For example, 25/100 users indicates that 25 users are assigned the
license, out of a total of 100 possible users.
May generate
If selected, the user has permission to generate verification codes for passcodes for
passcode
other users for strong identity validation for approvals.
verification code
Verification code If selected, the user receives an email when any user requests a verification code for
email recipient his passcode to proceed with a task approval using strong identity validation.
Group membership Note The Group membership section is only relevant for users.
Field Description
The functional groups to which the user belongs, if any. To add a group, click Assign
to group and select the required group(s) in the Add groups dialog box. To delete
a group, select the required group and click the Delete button.
Note
<Add/Remove ⚬ A user can belong to one organizational group, and one or more
groups> functional groups.
For more information about group types, see How to create a group.
⚬ After this field is updated, it may take several minutes before the user
can see information entitled to him by the groups to which he belongs. For more
information, see How to manage entitlement rules.
Responsibilities
Field Description
Area of practice The person's area of practice on the system. Select a value from the drop-down list.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 296
SMAX 2019.02
Locations
Field Description
The person's locations of responsibility.
To add a location, do one of the following:
⚬ Click Add, then select a value from the drop-down list.
⚬ Click the list icon ( ) to display the available locations. Select the
<Add/Remove check box for each location that you want to add. Click OK. To filter the record list,
locations> click the Add filter button. For more information, see Filters.
The selected locations appear in yellow. When you save the person, the locations
are added.
To remove a location, select the location and click Remove. The selected members
appear in strikethrough text. When you save the person, the locations are removed.
Users
Field Description
The person can create a request on behalf of the users defined here.
To add a user, do one of the following:
⚬ Click Add, then select a user to add.
⚬ Click the list icon ( ) to display the available users. Select the check
<Add/Remove users> box for each user that you want to add. Click OK. To filter the record list, click the Add
filter button. For more information, see Filters.
The selected users appear in yellow. When you save the person, the users are added.
To remove a user, select the user and click Remove. The selected users appear in
strikethrough text. When you save the person, the users are removed.
Group members
Field Description
The person can create a request on behalf of the members of the groups defined
here.
To add a group, do one of the following:
⚬ Click Add, then select a group to add.
⚬ Click the list icon ( ) to display the available groups. Select the check
<Add/Remove groups> box for each group that you want to add. Click OK. To filter the record list, click the
Add filter button. For more information, see Filters.
The selected groups appear in yellow. When you save the person, the groups are
added.
To remove a group, select the group and click Remove. The selected groups appear
in strikethrough text. When you save the person, the groups are removed.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 297
SMAX 2019.02
The Name field is populated by the values entered in the First name and Last name
Name
fields. It can also be edited manually.
Mobile phone
The person's mobile phone number.
number
Where the person is located. Select a value from the drop-down list.
Examples:
Location
⚬ France/Paris
⚬ EMEA/Spain/Madrid/M1 To manage locations, see Locations.
Organizational information
Field Description
The person's employee type. Select a value from the drop-down list.
The available options are:
⚬ Full-time
Employment type ⚬ Part-time
⚬ Contractor
⚬ Internal
⚬ External
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 298
SMAX 2019.02
Manager The person's manager. Select a value from the drop-down list.
Company The person's company. Select a value from the drop-down list.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 299
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 300
SMAX 2019.02
Roles
General
Permission Description
Log into the application Login rights are the lowest level of permission granted.
Permission to create public reports Create public dashboard reports and charts.
Permission to create public favorite views Save searches as public views and favorites.
Record Type
Permission Description
View Enables you to view records of the selected record type.
Update Enables you to update records of the selected record type in the grid.
Admin Enables you to update the selected record type in the records module.
Comments Enables you to edit or delete any existing comments on records of the selected record type.
Resources
Permission Description
Create Enables you to create resources.
Knowledge Management
Permission Description
Import articles Retrieve articles from external sources.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 301
SMAX 2019.02
Permission Description
Enables a Service Portal user to post questions in the portal. For more information, see
Ask questions
How to authorize knowledge handling in the Service Portal.
Enables a Service Portal user to respond to questions posted in the portal. For more
Answer questions
information, see How to authorize knowledge handling in the Service Portal.
Moderate user Enables the Knowledge Contributor, Knowledge Publisher, or Knowledge Administrator
questions and to respond to questions posted in the Service Portal, and to review answers for
answers relevance or accuracy. For more information, see How to moderate Q&A.
Live Support
Permission Description
In the Service Portal, only a user with this permission can request an online chat. This
Be able to request chat applies in cases where chat support is otherwise available through the chosen
support offering. If a user does not have this permission, the request chat option is not
displayed.
On-Call Schedule
Permission Description
Be able to access on-call Only a user with this permission can view On-Call Schedule Management. If a
schedule user does not have this permission, the feature is not displayed.
Change Management
Permission Description
Only a user with this permission can initiate an emergency
Can create emergency change
change.
Allows access to the change analytics Only a user with this permission can access the change
module analytics module.
Allows configuration of KPI goals and Only a user with this permission can configure KPI goals and
thresholds thresholds.
Approvals
Permission Description
Grant permission to override approvals for the following record types:
⚬ Request
⚬ Change
Override approvals of ⚬ Article
⚬ Idea
⚬ Proposal
⚬ Release
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 302
SMAX 2019.02
Only a user with this permission can implement the advanced record import
Advanced import
method.
Only a user with this permission can view the Service Modeling link if the
Allows view service modeling
Service Management belongs to a suite SSO enabled account.
On-Premise Bridge
Permission Description
Administrator Grant On-Premise Bridge administration rights to the selected role.
Email Integration Access the Service Portal via email, without logging in.
Analysis
Permission Description
Enable management of Hot Topic Analytics Grant permission to manage the stop list in Hot Topic Analytics.
Tasks
Permission Description
Ability to view all tasks Grant permission to view tasks assigned to all people.
Default roles Service Management has pre-configured roles that are consistent with ITIL v3 recommendations and
naming conventions. Service Management also has custom roles to support various users and modules, including
the On-Premise Bridge, MT Console, and Service Portal. You can assign these roles to end users, modify the
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 303
SMAX 2019.02
permissions associated with a role, or make other changes to meet the requirements of your environment.
Role Description
Creates, updates, and deletes optimization records; creates surveys and
Application Analyst
evaluates survey results for application cloudification.
Application Portfolio Assigns roles for the APM module; defines workflows for applications and
Administrator optimizations.
Application Portfolio Manager Creates and updates application portfolios; runs portfolio analysis.
Asset & Configuration Manager Configuration manager for Service Asset and Configuration Management.
Business Intelligence
Customer role for the Business Intelligence integration.
Integration
Change Coordinator Coordinates all requests for changes throughout their lifecycle.
Default user with login and Service Portal permissions to create and view
Default
requests.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 304
SMAX 2019.02
Incident Manager Manages incident resolution and functions as the escalation focal point.
Has full access to all functional modules, including some configuration rights.
IT User
Has read-only access to foundational data.
Manages the multi tenant (MT) environment for a provider tenant. This is the
MT Administrator only user, along with the Tenant Admin, who has permissions to add users
who can access managed customer data.
Manages and is able to access managed customer data. Only users with this
role can be added to the list of users who can view incident or request data
MT Agent
for a managed customer in the Vendor Management > Managed Customer
tab.
Portfolio Manager Analyzes proposals, defines the workflow, and manages business objectives.
Problem Analyst Investigates and resolves assigned problems and known errors.
Problem Manager Manages problem resolution and functions as the escalation focal point.
Owns programs. Can add content and is responsible for managing related
Program Manager
projects together.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 305
SMAX 2019.02
Project Manager Owns projects. Responsible for managing all aspects of a project's success.
Owns project portfolios. Can add content and is responsible for high-level
Project Portfolio Manager
management.
Self-Service Portal
Manages entitlement rules and the Service Portal user experience.
Administrator
Service Portal end user has permissions to view the Services catalog, search
Self-Service Portal User for knowledge articles, submit questions, and respond to questions
submitted.
Manages the Service Request module and functions as the escalation focal
Service Request Manager
point.
Service Request Process Accountable for all service request-related activities. Functions as the
Owner champion, advocate, and design lead of the Service Request module.
Service Request Task Assignee Completes and closes assigned service request tasks.
Software Manager Manages the life cycle of software assets and license optimization.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 306
SMAX 2019.02
Super user role that has permissions for everything in the application. It is
Tenant Admin
recommended to assign only one tenant admin role per tenant system.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 307
SMAX 2019.02
Groups
Select a Group type from the list of available types:
By default, the group record is displayed with the General tab selected. Click the tab you want to edit or view.
Tab Description
Displays general information about the current group. For more information, see Group
General
details.
Displays the groups related to the current group. For more information, see Group details.
Related groups Note Available for functional groups only.
Displays any relevant conversations about the current record. For more information about
Discussions
discussions, see Discussions.
History Displays changes to the selected record. For more information about history, see History.
General
Field Description
Name The name of the group.
The group status. Select Active or Inactive from the drop-down list.
Note
Group status • Inactive groups do not appear in the drop-down list of groups for the Owning
group field in Change and Problem records.
• New groups are defined as Active by default.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 308
SMAX 2019.02
Area of practice The group's area of practice on the system. Select a value from the drop-down list.
Select an external system from the drop-down list if you want to make this group an
External system
external group. For more information about external systems, see External systems.
Displays only when On-Call Schedule Management is enabled. For more information,
Assignment strategy
see How to set up assignment strategy.
Organizational information
Field Description
The ownership of the group. The available options are:
Ownership • Internal
• Supplier
The supplier company denoted by the ownership. Appears only when Supplier is selected as
Company the ownership.
Select a value from the drop-down list.
Group Members
Field Description
Do one of the following:
• Click Add, then select a person to add as a group member.
• Click the list icon ( ) to display the available people. Select the check
box for each person that you want to add as a group member. Click OK. To filter
the record list, click the Add filter button. For more information, see Filters.
The selected people appear in yellow. When you save the group, the group
<Add/Remove group members are added.
members> To remove a group member, select the member and click Remove. The selected
members appear in strikethrough text. When you save the group, the members are
removed.
By default, a group member's ID, name, and email are displayed. To customize the
view, click Columns, select the item to be displayed, and click Add.
Note The added group members automatically inherit the role and domain
assignments associated with the group.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 309
SMAX 2019.02
Encryption
Field Description
The encryption domains to which the group belongs. For more information on encryption
Encryption domains
domains, see Encryption domains.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 310
SMAX 2019.02
Record (entitlement rule) Los Angeles user Palo Alto user Houston user London user
Category Alpha (USA) Y Y Y N
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 311
SMAX 2019.02
Enter a Name for the entitlement rule, and provide a Description. For example:
Field Type
Name San Diego
Enter a Name for the entitlement rule, and provide a Description. For example:
Field Type
Name United States
Add audiences In Service Management, adding an audience to a category or an offering is how you apply
entitlement rules. One method of implementing the present use case is as follows:
Item Audience
Network Connectivity (Category) United States
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 312
SMAX 2019.02
Encryption domains
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 313
SMAX 2019.02
Endpoint name Type a name for the endpoint. Use only Latin letters and spaces.
Running on agent Select the agent (installed in step 1 of the task) from the drop-down list.
Port Enter the number of the port listened to by the LDAP server. The default is 389.
Enter the credentials used to connect to the LDAP server. The full credentials are those
defined as part of the agent to which the endpoint is connected.
Credentials
On the Microsoft Active Directory server, both Distinguished name and username login
are supported. On the Apache DS server, only Distinguished name login is supported.
Select the interval between successive runs of the integration. The default value is 1
Scheduled day.
integration interval For example, if the current sync finishes at 10:00 AM on Monday, and the Scheduled
sync interval is 1 day, the next sync will run at 10:00 AM on Tuesday.
Select this check box to run the sync using SSL encryption.
Note Encryption is supported using TLS v1.1 and TLS v1.2 for Microsoft Windows 2008
Use SSL Encryption
R2 and above only.
Integration configuration
Starting search
The root directory on the LDAP server where the data is stored.
directory
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 314
SMAX 2019.02
The default filter is based on the selected record type (person or group). You can enter a
custom filter to specify the relevant records for the integration.
Example:
To sync all people from groups 1 and 2 only, enter:
Filter
(&(objectClass=person)(&(group=group1)(group=group2))).
To sync all people in either level 1 or level 3,
enter:(&(objectClass=person)(|(level=level1)(level=level3))).
⚬ Source fields. Enter the corresponding fields from LDAP for the mapping.
You can enter the fields in simple text or an Expression Language phrase.
<Field mappings>
Click the Expression Language button to toggle between these options. When
the button is selected (blue), the field is in Expression Language mode. When it is not
selected (white), the field is in Simple mode. For a full list of Expression Language
functions, see Expression Language functions and syntax.
⚬ Mapping condition. Optionally, enter an Expression Language phrase
defining a condition. The mapping applies only when the condition is satisfied. In each
section, three default fields are provided. Click Add field to add additional field
mappings. Click Remove next to any mapping to remove it.
Important You must include mappings for all fields defined as mandatory for the
selected record type.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 315
SMAX 2019.02
Locations
General details
Field Description
The type of location.
Examples: Country; City; Building; Site; Stockroom
Type
Note Location types are provided out-of-the-box with Service Management. To modify this list, contact Support.
Code A code for the location; this is displayed in all places where the location is consumed.
The parent is the location type that is one level above the location's location type.
Locations types have the following hierarchy:
Parent
Examples:
• A region is the parent of a country.
• A building is the parent of floor and a data center.
Address details
Field Description
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 316
SMAX 2019.02
Other details
Field Description
Photo An image of the location. Click Upload image to select an image.
Business hours Business hours of the locations such as sites, stockrooms, and so on.
If selected, the location is active. Only active locations are visible in out-of-the-box forms. You
Active can configure this behavior by disabling the business rule in the Rendering forms section of
the particular form.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 317
SMAX 2019.02
Lists
The following table summarizes the differences between the two types of lists:
Volatile lists Non-volatile lists
Created when defining a user option inside an offering or
model. In Administration > Configuration > Lists, the Created in Administration > Configuration
> Lists.
User options list icon appears next to volatile lists.
There is no limit on how many lists can be created. There is a limit of 20 lists of this type.
Not included in the configuration data transferred by the Included in the configuration data transferred by
Package Manager. the Package Manager.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 318
SMAX 2019.02
Routing definitions
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 319
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 320
SMAX 2019.02
Click to locate the relevant file and upload it for use in the portal.
Logo Note It is recommended that you use an image file that is already being used in your
company's website.
It is highly recommended that you mix and match the different category background styles. The recommended
ratio is 3:2:1 per the details in this table:
Option 1 Option 2
3 solid color tiles using different colors 3 solid color tiles using different colors
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 321
SMAX 2019.02
Click to display a drop-down list of themes. You may select a previously created
Theme selection
When you update a setting, you can click Preview to display the change. The setting is
only previewed and not saved until you click Save. For more information, see Preview
custom theme.
When you have selected a theme other than the default, click More to display the
following options:
▪ Rename - select to rename the theme.
▪ Delete - select to delete the theme.
▪ Enable - select to enable the theme. Only available for selection when the theme
is disabled.
▪ Disable - select to disable the theme. Only available for selection when the
theme is enabled.
▪ Set as default - select to set the theme as the default. Only available for
selection when the theme is enabled.
You can select which part of the Service Portal user interface the theme settings are
Preview custom
theme
previewed on.
Settings tab Area where you define the settings for the theme.
Audience tab Area where you apply entitlement rules to select the audience for a theme.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 322
SMAX 2019.02
A user may only delegate an approval to a user with whom there is a shared
Shared group membership
group membership.
Portal profile page on first login On the Service Portal, there is a profile page for the user to complete. By default,
this displays automatically when the user logs in for the first time. In the Show portal profile page on first
login field, you can disable this by selecting Off. Virtual agent and email integration Configure need for offerings
in requests On the Service Portal, you can configure whether the user can create a request without a matching
offering. This functionality is affected by whether there is a default offering in Service Request Management. Select
the appropriate option in the Request offering on Service Portal request field, as detailed in the following
table. For more information, see Default offering.
Option Description
The user is unable to create a request for which there is no matching offering.
▪ If there is a default offering, a request with no other matching offering is created
with the default offering.
MANDATORY ▪ If there is no default offering, a request with no matching offering generates a
message to refine the request description, so as to find a matching offering. The
message also includes a link to the offerings catalog, allowing the user to search there for
a matching offering.
The user is able to create a request for which there is no matching offering.
▪ If there is no default offering, a request with no matching offering generates a
message to do one of the following:
OPTIONAL (default)
• Refine the request description, so as to find a matching offering.
• Complete the general request form.
▪ If there is a default offering, the request is created with the default offering.
If there is no matching offering, the user is not prompted to refine his search. Instead, he
IGNORE
is directed to complete the general request form.
The user bypasses virtual support. On seeking help, the user goes directly to the default
SKIP
offering page. If there is no default offering, the user goes to the general Help form page.
The default value for this field is Building. For more information, see Public audience. Enable and configure
followers On the Service Portal, the followers function is enabled by default. In the Enable followers field, you can
disable this function by selecting Off. You can configure the feature by limiting followers. The default configuration
allows all users to be followers. Alternatively, you may select one of the following from the Configuration for
followers drop-down:
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 323
SMAX 2019.02
Selection Description
If the user who created the request has an Employment type of External, and
the Company field is not blank, only the following may be followers:
▪ Users who are in the same Company.
▪ Users whose Company field is blank. If a user who created the request has
Same company an Employment type of other than External, only the following may be
followers:
▪ Users whose Company field is blank. Note The field Company is only
displayed and available if the Employment type of the user is External.
Only users in one of the same groups as the user who created the request may be
Shared group membership
followers.
To change the target translation language, select the appropriate value from the drop-down. Enable new request
tracking page There is now a new and improved request tracking page available for use in the Service Portal. By
default, this new page is not displayed. In the Enable new request tracking page field, you can make the new
page the default by selecting On. The new page will automatically become the default in a future release. Enable
read-only display for closed requests By default, having closed requests display as read-only is disabled. In the
Enable read-only display for closed requests field, you can enable this and make all closed requests read-only
by selecting On. Enable entity picker smart suggestions When enabled, certain pickers in the Request
Management forms provide a list of suggested values at the top of the list based on the context of other fields in a
record, such as the text in the Title and Description. Note: This functionality is enabled by default and we do not
recommend that you turn it to Off unless you have specific reasons. Select category page type On the Service
Portal, when a user clicks on a category tile, a page is displayed with three tabbed sections. You can configure the
default section that is displayed. Select the appropriate option in the Category page type field, as detailed in the
following table.
Option Description
A list of items in the following order:
▪ All news items
FEATURED (Out-of-the-box
▪ Recommended offerings
default)
▪ Popular offerings
▪ Articles There may be up to 30 items in this section.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 324
SMAX 2019.02
Select one or more user roles that are allowed to view the customized tab in Service
Roles
Portal.
Request Select the request metaphases. Only requests in the selected metaphases are displayed
metaphases in the customized tab.
Select the predefined list of columns to be displayed in the customized tab. These
Grid columns
columns may include the customized fields that are added to the Request table.
Download or upload an Excel template for the end users to export the record list from
the customized tab in the Self-Service Portal.
▪ Download:
Click this button to download the existing template.
▪ Upload:
Click this button to upload a customized Excel template. The upload file type must be
*.xlsx.
An IT agent can either create a new template or download the default template and
then upload it again after customization. When creating a new template, an IT agent
needs to define the Field Name in the first row on Sheet1, and then prepare some pre-
configured tables or charts on other sheets of the Excel template.
The Field Name must be the value of the Name field in Request meta data definition. To
access the Request meta data, click Administration > Configuration > Studio.
Select Request in the drop-down list, and then switch to the Fields tab.
Excel Template
Note As described in the Grid columns description above, an IT agent can select some
columns to be displayed in the customized tab. Meanwhile, the selected columns must
be defined in the Excel template as well. If an IT agent selects to display some columns
without defining them in the Excel template, the system cannot export the related
columns.
▪ Revert to default:
Click this button to revert to the default template.
In the default template, all fields names are defined based on the out-of-box data. The
default template also provides some pre-configured tables and charts as examples to
help the end users summarize their data and number of requests.
Note
This button activates only after you have uploaded a customized Excel template.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 325
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 326
SMAX 2019.02
Out-of-the-box, Service Management is configured so that when submitting requests, users in the portal are
restricted as to the devices, infrastructure and peripheral assets, and subscriptions they can select, as follows:
Item Those available for selection
▪ User owns, uses, or has a subscription for.
Devices
▪ Subordinates of the user own, use, or have a subscription for.
▪ Of the user.
Subscriptions
▪ Of the subordinates of the user.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 327
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 328
SMAX 2019.02
Application settings
Enable mail configurations Mail configuration is disabled by default. To enable the configurations, select On and
complete the following settings:
Field Description
Mail protocol Select SMTP or EWS as the mail server type.
Enter the name of the mail server host that is used for sending email notifications.
Mail server host
It can be the IP address, machine name, or DNS name of the mail server.
Mail server port Enter the communications port that the mail server uses.
Enter the email address identified as email sender. Make sure that this email
Mail from
address is in the allowed reply email list configured in the mail server.
▪ If the mail server requires authentication, turn on this switch and enter the
user name and password.
Authentication required
▪ If the mail server does not require authentication, turn off this switch and
keep user name and password fields blank.
User name Enter the user name of the account used for mail server authentication.
Password Enter the password of the account used for mail server authentication.
Enable NTLM (for EWS If your Exchange Server requires domain information for authentication, turn on
only) this switch to enable the Domain field.
Domain (for EWS only) Enter the domain of the account used for mail server authentication.
Enter the EWS service path (for example, EWS/Exchange.asmx) for the full EWS
Service path (for EWS
service URL. The full EWS service URL consists of Mail server host and Service
only)
path.
Select the version of Exchange Server. If you are unable to find a match, select the
Version (for EWS only)
latest version prior to the version of your Exchange Server.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 329
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 330
SMAX 2019.02
(Optional) Specify a sample data query, through which you can decide what kind of data that
you want to use as sample data to teach Smart Analytics to build the intelligence out of your
large data volume. By default, the system uses all HR Requests, Service Requests, or Support
Training Request data as training samples. For example, if you set this query to
sample query MATCH{Close}:PHASEID, the system only uses the closed requests as sample data. In this
example, PHASEID is the IDOL field name, and Close is one of its values.
For more information about how to write a training sample query, see the IDOL
documentation at https://www.microfocus.com/documentation/idol/.
(Optional) Specify a query, through which you can decide what kind of value that Smart
Analytics learns for the Predicted field. For example, if you select Offering in the Predicted
field, you can use this query to define which offering items will be learned by training the
sample data. The system will automatically fill the offering items for a new request according
to its issue description.
Predicted field
By default, this query is empty, which means the predicted result will be only be filtered out
query
by the Entitlement Rule (access right defined by system). For example, if you set this query
to NOTMATCH{Inactive}:STATUS, the system will not return Offering with inactive status
when predicting Offering.
For more information about how to write a predicted field query, see the IDOL
documentation at https://www.microfocus.com/documentation/idol/.
Select a content field from the drop-down list. Smart Ticket will predict and automatically fill
Content fields the predicted field for a new request according to the Content fields settings.
In this release, the only option is description.
Specify the fields, through which Smart Ticket can automatically fill the predicted field
Entitlement according to the requestor's permission definitions.
fields In this release, the system automatically defines the entitlement fields according to the
Predicted field settings.
Click the Configurations tab to update the settings. In addition, you can modify the following settings to optimize
the accuracy of auto suggestion. These settings are tradeoffs between training time and accuracy, which means
higher accuracy is achieved at the cost of longer training time. Listed below are some best practices for these
optimization configurations.
Setting Description
The maximum records to be used as the training samples for each value of the
Training Samples
Predicted field.
Per predicted field
Default: 200
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 331
SMAX 2019.02
The percentage of records out of the total source data that are used to test the trained
Test Data Coverage system.
Default: 5
The percentage of records out of the total source data that a predicted value can
cover. The system will analyze distribution of the existing records, arrange predicted
value by request amount in descending order, and then calculate accumulations. Smart
Ticket will automatically fill the Predicted field value from the top till the accumulation
Source Data reaches the defined Source Data Coverage value.
Coverage Normally higher percentage means higher accuracy, but there is a threshold point.
When the training source data percentage exceeds the threshold, the margin
contribution will be lowered remarkably. The out-of-box value for this configuration is
90%, which is a best number tested in the lab.
Default: 90
Smart Search You can customize the following Smart Search settings to pre-define the possible actions based on
your search conditions and results.
Field Description
The default value is false. If you select this check box, Smart Search automatically adds
quotations to the search criteria. Example usage: If you select this check box and then
Enable Phrase
enter mobile phone in the search box, Smart Search will send out search request with the
Queries
query text of “mobile phone” and then displays the results that exactly match the search
criteria on top of the result list.
The default value is false. If you select this check box, Smart Search interprets special
elements as normal characters instead of a query syntax. These elements include asterisks
(*), question mark (?), colon (:), double quotation marks ("), brackets, boolean, and
proximity operators such as AND, NOT, OR, EOR, XOR, NEAR, DNEAR, WNEAR, BEFORE, and
AFTER. Select this check box to disable wildcards, phrase queries, field restrictions and
Ignore certain
boolean operations. Example usage: If you select this check box and then enter mobile AND
special
phone in the search box, Smart Search displays the search results which contain either
characters
mobile or phone. If you clear this check box and then enter mobile AND phone in the search
box, Smart Search displays the search results which contain both mobile and phone.
Note If you select this check box, the system ignores the setting of Enable phrase
queries and does not add quotations to the query text.
Minimum search
The value must between 0 and 100. Negative numbers or any numbers that are greater
result relevance
than 100 are not allowed. Specifies the minimum percentage of the relevance that the
threshold (0-
search results must have to the query.
100)
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 332
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 333
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 334
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 335
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 336
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 337
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 338
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 339
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 340
SMAX 2019.02
Categories
Service Management allows you to create, edit, and manage categories. Categories provide different groupings of
a record for classification. The following table is an example of how a user might organize categories and
subcategories for his organization.
Category Subcategories
▪ Passwords
• New password
• Forgot password
• Reset password
Access (accounts and passwords) ▪ Accounts and identity
• Network access
• Application access
▪ Privileges and permissions
▪ Other
▪ Instant messaging
Communication and collaboration ▪ Virtual meeting rooms
▪ VoIP
▪ Electrical
• Appliance
• Rack
• Main
Fault • UPS
▪ Network
• Communications
• Internet
▪ Other
▪ Hard drive
▪ Memory
Hardware
▪ Failure
▪ Missing or stolen
▪ Performance degradation
• Continuous
Performance
• Intermittent
▪ System or application unresponsive
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 341
SMAX 2019.02
▪ Application client
▪ Application server
▪ Application functionality
▪ Data
Software
• Data or file corrupted
• Data or file incorrect
• Data or file missing
• Storage limit exceeded
▪ Encryption
▪ Virus and malware protection
Security ▪ Intrusion detection
▪ Security breach
▪ Security event
▪ Desktop support
▪ Laptop support
▪ Tablet support
▪ Mobile support
Personal systems
▪ Printing
▪ Storage
▪ Backup and recovery
▪ Other
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 342
SMAX 2019.02
Create a category
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 343
SMAX 2019.02
Edit categories
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 344
SMAX 2019.02
View categories
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 345
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 346
SMAX 2019.02
Form layout
All Source overwrites target.
definitions
Notification
All Source overwrites target.
templates
Note If there is a problem importing any part of the data, an error message is displayed, and the tenant is
restored to the original configuration. The issues that arise are usually related to conflicts between the two
tenants. To view the errors, click the Details link in the error message. An error report opens detailing each of the
problematic issues. If the whole import fails, click the Details link for more information. The import might fail due
to connection issues, timeout, incorrect import file, and so on.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 347
SMAX 2019.02
Debug tool
The following table describes some of the columns in the debug file which provide important information for each
step of the action:
Column name Description
Timestamp The time of the action.
The type of action. For example, Start condition evaluation or End condition
Workflow action
evaluation.
Duration The duration of the action in milliseconds. Only relevant for ending actions.
Process event The process event under which the business rule is defined.
The full path of the location of the business rule (Record type, process, metaphase,
Rule path
phase).
The source of the business rule. It could be a user-defined rule for the record type, or a
system rule, not editable by the user. Alternatively, it could be a rule defined for the
Business rule source
model on which the record is based, such as a rule defined for an offering which runs on
the requests based on that offering.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 348
SMAX 2019.02
Sample data
The data imported as sample data is indistinguishable from data entered into the system. Once the sample data is
deployed, the button in the Sample Data page becomes disabled. The Tenant Admin receives notification via email
when a new tenant is created. This mail includes a link to the Sample Data page where the data can be deployed
onto the new tenant. Caution If you deploy the sample data, it cannot be undeployed. You can delete individual
pieces of data, such as knowledge articles and records, but you cannot reverse the deploy.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 349
SMAX 2019.02
Live Support
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 350
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 351
SMAX 2019.02
Field Description
The name of the field. You may use any of the following:
▪ Any searchable field taken from the person record. The format is user.<field>. For
example, user.FirstName and user.LastName.
<field name> ▪ The phone number taken from the person record. The field name is user.phone.
If the URL includes user.phone, Service Management tries to match the number of the
incoming phone call with the office and mobile phone numbers held in the person records.
▪ The request record ID number. The format is request.Id.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 352
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 353
SMAX 2019.02
Link the correct Support Request SLT set to the SLA in the Default
target sets section
If not already done:
SLT set is correct 1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you created or chose in the Service Level
Management - Service Level target set section.
Check the SLA configuration. You must ensure that the SLA complies with all of the following:
Requirement Action
In the Service Offerings section, ensure the appropriate offerings are
displayed.
Note To add a offering:
1. From the Main menu, go to Plan > Service Catalog >
Offerings.
SLA includes the appropriate
2. Open the offering you want to include in the SLA.
service offerings.
3. Go to the Agreements section.
4. Select the SLA.
5. Click Save on the toolbar.
Link the correct Service Request SLT set to the SLA in the Default
target sets section
If not already done:
SLT set is correct 1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you created or chose in the Service Level
Management - Service Level target set section.
Check the SLA configuration. You must ensure that the SLA complies with all of the following:
Requirement Action
Do one of the following:
• In the Details section, select the Default agreement
option
SLA is the default, or includes the • In the Services section, ensure the appropriate services are
appropriate services displayed
Note To add a service, click Add, then select an actual service to link
to the SLA.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 354
SMAX 2019.02
Link the correct Support Request SLT set to the SLA in the Default
target sets section.
If not already done:
SLT set is correct 1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you set up in the Service Level
Management - Service Level target set section.
Check the SLA configuration. You must ensure that the SLA complies with all of the following:
Requirement Action
Do one of the following:
• In the Details section, select the Default agreement
option
SLA is the default, or includes the • In the Services section, ensure the appropriate services are
appropriate services displayed
Note To add a service, click Add, then select an actual service to link
to the SLA.
Link the correct Support Request SLT set to the SLA in the Default
target sets section.
If not already done:
SLT set is correct 1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you set up in the Service Level
Management - Service Level target set section.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 355
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 356
SMAX 2019.02
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 357
SMAX 2019.02
• Name
• Logo
Service Portal and Service Management
• Agent interface header label
• Agent interface header logo
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 358
SMAX 2019.02
/* Define the grant_view_access() PL/pgSQL function that creates a new PostgreSQL user named user_<tenantid>
(if it does not already exist) and provides it with read-only access to all the views under the schema
view_<tenantid> */
DECLARE
obj RECORD;
u varchar;
s varchar;
BEGIN
FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag in ('CREATE SCHEMA') AND
object_identity ~ 'view_.*$'
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 359
SMAX 2019.02
LOOP
s := obj.object_identity;
END IF;
EXECUTE format('ALTER DEFAULT PRIVILEGES FOR ROLE maas_admin IN SCHEMA %I GRANT SELECT ON TABLES
TO %I', s, u);
END LOOP;
END;
$$ LANGUAGE plpgsql;
/* Create a new event trigger on the ‘CREATE SCHEMA’ statement that invokes the grant_view_access() callback */
ON ddl_command_end
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 360
SMAX 2019.02
creates a new PostgreSQL user named user_<tenantid-new> with the appropriate permissions. At this point, all
you need to do is set a password for this new user and provide it to the tenant owner for reporting purposes:
ALTER USER user_<tenantid-new> PASSWORD ‘<password>’; Note: With the current implementation, due to user
access control limitations in PostgreSQL, the tenant segregation provided by the above users is not complete. Each
user can see only the data in his/her own tenant views, thus completely avoiding data leak between
tenants. However, a user can see the view names of other tenants. In particular, it is possible to see
the tenantids of other tenants in the farm (but no actual data). This is not a security concern since tenant access
still requires full authentication irrespective of knowledge of another tenantid, but can be a privacy concern in the
case of an MSP.
This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 361