
SMAX

Version : 2019.02
PDF Generated on : 14 Jun 2019

Administer

This section describes administration tasks that the IT Administrator and Suite Administrator user roles can perform in
ITOM Container Deployment Foundation (CDF) and Service Management Automation (SMA).

● Administer CDF
● Administer SMAX

This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 1

Administer CDF

To perform administrative tasks in ITOM Container Deployment Foundation (CDF), you must have the Administrator
user role.


Access Kubernetes API server with a bearer token


A bearer token file for accessing the Kubernetes API is a CSV file with at least three columns: token, user name, and
user UID. You can add groups when needed by adding extra columns and double-quoting the group names, for
example, "group1".

Each row of the CSV file describes one token.

Token authentication is disabled by default. To enable it, follow these steps:

1. Run the following commands:
       cd ${K8S_HOME}/runconf
       vim kube-apiserver.yaml
2. Add the specified token directory to the --token-auth-file option line.
   For example: --token-auth-file=<your token directory>/token
3. Restart kubelet with the following commands:
       cd ${K8S_HOME}/bin
       ./kube-restart.sh

Note
When working with a multiple-master-node cluster, you must use the same bearer token file on every node.

To use bearer token authentication in an HTTP request, you must pass the value of the bearer token in the
HTTP header.

Note
The bearer token must be a plain character sequence, with no encoding or quoting. For example, if the bearer token is
31ada4fd-adec-460c-809a-9e56ceb75269, it appears in the HTTP header as follows:

Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
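
The following check of a token file, run before the file is referenced by --token-auth-file, is an added example and not part of the SMAX documentation. The sample rows are constructed; the 32-character minimum, the system:masters check and the owner-only file mode are assumptions of this example, not CDF requirements.

```python
"""Audit a Kubernetes static token file: token,user,uid[,"group1,group2"]."""
import csv
import io
import os
import stat
import string

MIN_TOKEN_LEN = 32  # assumed local policy, not a CDF or Kubernetes limit
# RFC 6750 b64token characters: these go into the header with no quoting or encoding.
HEADER_SAFE = set(string.ascii_letters + string.digits + "-._~+/=")


def audit_token_csv(text):
    """Parse token-file text and return (entries, findings).

    entries:  dicts with token, user, uid and groups.
    findings: (line_number, message) tuples for rows that need attention.
    """
    entries, findings, seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        lineno = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) < 3:
            findings.append((lineno, "needs at least token,user,uid"))
            continue
        token, user, uid = (cell.strip() for cell in row[:3])
        # Group names live in the extra, double-quoted column(s).
        groups = [g.strip() for cell in row[3:] for g in cell.split(",") if g.strip()]
        if not (token and user and uid):
            findings.append((lineno, "empty token, user or uid"))
            continue
        if set(token) - HEADER_SAFE:
            findings.append((lineno, "token needs quoting or encoding in a header"))
        if len(token) < MIN_TOKEN_LEN:
            findings.append((lineno, f"token shorter than {MIN_TOKEN_LEN} characters"))
        if token in seen:
            findings.append((lineno, f"token duplicates line {seen[token]}"))
        seen.setdefault(token, lineno)
        # system:masters is the Kubernetes group with unrestricted API access.
        if "system:masters" in groups:
            findings.append((lineno, f"user {user!r} is in system:masters"))
        entries.append({"token": token, "user": user, "uid": uid, "groups": groups})
    return entries, findings


def file_mode_findings(path):
    """Flag a token file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:o}; restrict it to the owner (600)"]
    return []


def authorization_header(token):
    """Build the header line in the form the page shows."""
    if not token or set(token) - HEADER_SAFE:
        raise ValueError("token must be a plain character sequence")
    return f"Authorization: Bearer {token}"


# Constructed sample rows; the first token is the example value from the page.
SAMPLE = '''\
31ada4fd-adec-460c-809a-9e56ceb75269,alice,1001,"group1"
31ada4fd-adec-460c-809a-9e56ceb75269,bob,1002
changeme,carol,1003,"group1,system:masters"
onlytwo,columns
'''

if __name__ == "__main__":
    parsed, problems = audit_token_csv(SAMPLE)
    for line_number, message in problems:
        print(f"line {line_number}: {message}")
    print(authorization_header(parsed[0]["token"]))
```

The tokens sit in this file in clear text and stay valid until the file is changed and the API server is restarted, so the file mode check matters as much as the row checks.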


Add or remove machines from a cluster


Administrators can add or remove specific machines from an existing Kubernetes cluster.

Add nodes to a cluster


To add more machines to a cluster, install more worker nodes on the ITOM Container Deployment Foundation
(CDF) Management Portal. From ADMINISTRATION > Nodes, click to add a worker node.

1. Choose a type from the drop-down box.
2. Enter the hostname or IPv4 address of the worker node.
   Note
   You can enter the default master node hostname. However, if you want to use a customized hostname, make
   sure the hostname follows one of the hostname rules defined in Host Naming Rules and RFC Documents. The
   hostname must only resolve to an IPv4 address. If it resolves to both an IPv4 address and an IPv6 address,
   contact the IT admin to delete the resolved IPv6 address, or enter the IPv4 address instead.
3. Enter a user name.
4. Choose a password type: Password or Key-based. Then enter the password or upload a private key file.
5. (Optional) Enter the ThinPool Device path and Flannel IFace if you have multiple active network interfaces.
   Note
   You must set up thin pools for every cluster node that needs to use thin pools.
   Caution
   We do not recommend skipping resource checking. Please be aware that skipping resource checking may lead
   to installation failure.
6. Click ADD to deploy the worker node. After a few minutes, click to display the newly added
   worker node.

Remove worker nodes from the management portal


To remove a worker node from the management portal, perform the following steps:

1. From ADMINISTRATION > Nodes, click Delete on the worker node row that you want to delete under the
Operation tab.
2. Enter the username of the worker node that you want to delete.
3. Choose Password or Key-based as the secret mode.
4. Enter the password or upload a private key file.
5. Click DELETE to confirm the deletion.

Make sure you do not delete any pod while you are adding master nodes and worker nodes or installing the suite,
even when the pod status is "Completed".
For example, you must not delete any pod similar to the one below:

NAMESPACE   NAME                         READY   STATUS      RESTARTS   AGE   IP           NODE                    NOMINATED NODE   READINESS GATES
core        cdf-add-node-1555502049787   0/1     Completed   0          8h    192.16.0.1   master1.mycompany.com   <none>           <none>

After the installation, if you use the command kubectl delete pod <pod name> to delete pods in "Completed"
status, all the historical logging information associated with the execution of those pods is deleted as well.

Manage node labels

● To assign a label to a node, drag the label from the Predefined Labels area to the node in the Nodes area
that you want to label.
● To unassign a label, in the Nodes area, click [-] next to the label and node.
● To filter the labels, enter the relevant string or keyword in the Labels box in the table header. The labels with
names that include the relevant string are listed.

Change CDF cluster runlevel


CDF handles service runtime state using the controller annotations. CDF has 4 predefined runlevels. They are:
DOWN, DB, STANDBY, and UP (from low level to high level).

Change the CDF cluster runlevel


Follow the steps below to change the cluster runlevels:

1. Run the following command to go to the cdfctl.sh directory:
       cd ${K8S_HOME}/scripts
2. Run the following command to display the general usage of the script:
       ./cdfctl.sh --help
   Your terminal looks like this:
       [root@shcAliceCOS72v1 scripts]# ./cdfctl.sh --help
       Usage: cdfctl [Global options] Command [command options] [arguments...]

       Name:
         cdfctl - kubectl for CDF

       Version:
         2019.02

       Commands:
         runlevel   Apply runlevel changes
         metadata   Apply metadata changes

       Global Options:
         --help, -h      Print this help list
         --version, -v   Print the version
         --follow, -f    Specify if the logs should be streamed

3. Run ./cdfctl.sh to change the cluster runlevel. For example, change the core and demo1 namespaces to the UP
   runlevel with the following command:
       ./cdfctl.sh runlevel set -l UP -n core,demo1 -f
   You can run ./cdfctl.sh runlevel --help to view the command options.
   Your terminal displays the following:
       [root@shcAliceCOS72v1 scripts]# ./cdfctl.sh runlevel --help
       Usage: cdfctl [Global options] runlevel [Command options] [arguments...]

       Name:
         cdfctl runlevel - Manage runlevels

       Version:
         2019.02

       Commands:
         show   Show current runlevel
         set    Apply runlevel changes
         list   Show supported runlevels

       Options:
         --level, -l        Requested runlevel. One of: DOWN, DB, STANDBY, UP or custom values, -l is mandatory for set
         --namespaces, -n   One or more namespaces separated by commas to apply the runlevel

       Global Options:
         --help, -h      Print this help list
         --version, -v   Print the version
         --follow, -f    Specify if the logs should be streamed

       Examples:
         ./cdfctl.sh runlevel show
         ./cdfctl.sh runlevel show -n demo1
         ./cdfctl.sh runlevel list
         ./cdfctl.sh runlevel set -l DOWN
         ./cdfctl.sh -f runlevel set -l UP -n demo1
         ./cdfctl.sh runlevel set -l UP -n core,demo1 -f

Cluster components will be started or stopped

After you have changed the CDF cluster runlevel, the related cluster components will be started or stopped.

● If the runlevel of a cluster component is lower than the cluster runlevel, that component is started.
● If the runlevel of a cluster component is higher than the cluster runlevel, that component is stopped.

Below are the defined runlevels of the CDF components.

Component                  Runlevel
idm                        STANDBY
default-db                 DB
pg-pool                    DB
dashboard                  UP
mng-portal                 UP
suite-installer-frontend   UP
cdf-apiserver              STANDBY
suite-db                   DB
suite-conf                 UP
pg-backup                  STANDBY

Change the external access hostname for CDF management portal

You can change the external access host name for CDF management portal after CDF installation. To change the
external access host name, follow the steps below:

1. Log in to one of the master nodes.
2. Run the following commands:
       cd <K8S_HOME>/scripts
       ./replaceExternalAccessHost.sh -c <certificate_path> -k <key_path> -n <hostname>
   Where:
   ❍ Replace <certificate_path> with the new certificate path.
   ❍ Replace <key_path> with the new private key path.
   ❍ Replace <hostname> with the new external access host name.
3. To view more options of the command, run:
       ./replaceExternalAccessHost.sh -h
   Your terminal looks like this:
       Usage: ./replaceExternalAccessHost.sh [-c|--cert <path>] [-k|--key <path>] [-n|--host <hostname>]

       -c|--cert       new certificate file.
       -k|--key        new private key file.
       -t|--cacert     new rootCA file.
       -n|--host       new external access host.
       -u|--user       administrator username.
       -p|--password   administrator password.
       -h|--help       show help.

   You can also upload a new certificate file, private key file and rootCA file for Ingress services through the
   command options.
4. Go to Management portal > SUITE > Management > License, and then make sure the license links to the
   new FQDN.

Change your password


To change your password, follow these steps:

1. Click ADMINISTRATION > IdM Administration.
2. Click the organization name, then click the Users tab.
3. Click the specific user in the user list.
4. Click the action button on the top right menu of the user.
5. On the page that opens, scroll down to the USER ATTRIBUTES section and click RESET PASSWORD to reset the
   password.
6. Enter a new password, and confirm the new password.
   The password should meet the password policy if you have set one in the IdM Administration.
7. Click SAVE to save the new password.
8. Click SAVE to save this change.

Related topics

● Customize password policy


Customize kubelet parameters

To modify the default values of the kubelet parameters or to add some customized parameters to the kubelet,
follow these steps:

1. Log on to any of the cluster nodes.
2. Edit or add the parameters in the kubelet.service file in the /usr/lib/systemd/system directory.
   For example, to change the cluster DNS to 10.11.12.13 and set fail-swap-on to false, the kubelet.service file
   looks as follows:

       --cluster-dns=10.11.12.13 \
       --cluster-domain=cluster.local. \
       --kubeconfig=/opt/kubernetes/ssl/native.kubeconfig \
       --hostname-override=shc72v1.hpeswlab.net \
       --pod-manifest-path=/opt/kubernetes/runconf \
       --node-labels=master=true,role=loadbalancer \
       --hairpin-mode=hairpin-veth \
       --fail-swap-on=false \

3. Run the following commands to restart the kubelet:
       systemctl daemon-reload
       systemctl restart kubelet

Edit the hard eviction thresholds of worker nodes


ITOM Container Deployment Foundation (CDF) uses a hard eviction policy for worker nodes. When a hard eviction
threshold is met, Kubernetes ends the pod immediately. The eviction can also delete dead pods, dead containers,
and unused images when the disk space reaches the thresholds.
To edit the hard eviction threshold, follow these steps:

1. Log on to the worker node for which you want to edit the eviction threshold.
2. Edit the relevant parameter values in the /usr/lib/systemd/system/kubelet.service file.
   Run the following command to open the kubelet.service file:
       vim /usr/lib/systemd/system/kubelet.service
   You can modify the following default threshold according to your needs. Then save the kubelet.service file.

       --eviction-hard=memory.available<200Mi,nodefs.available<5%,imagefs.available<5%

3. Run the following commands to enable the new thresholds:
       systemctl daemon-reload
       systemctl restart kubelet
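
To see how an --eviction-hard string is read before the kubelet is restarted, this added example (not part of the SMAX documentation) extracts the flag from kubelet.service text and reports which thresholds a node's figures would breach. The unit-file text, the ExecStart path and the node figures are constructed; only the Ki/Mi/Gi/Ti suffixes and % are handled.

```python
"""Read --eviction-hard from kubelet.service text and evaluate the thresholds."""
import re

# Binary suffixes as in the page's 200Mi; other quantity suffixes are out of scope.
UNITS = {None: 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
THRESHOLD = re.compile(r"([A-Za-z.]+)<(\d+(?:\.\d+)?)(%|[KMGT]i)?")


def flag_value(unit_text, flag):
    """Return the value of --<flag>= in kubelet.service text, or None."""
    # Join the backslash-continued command line before searching it.
    joined = re.sub(r"\\\s*\n", " ", unit_text)
    match = re.search(rf"--{re.escape(flag)}=(\S+)", joined)
    return match.group(1) if match else None


def parse_eviction_hard(value):
    """'memory.available<200Mi,nodefs.available<5%' -> {signal: (kind, amount)}."""
    thresholds = {}
    for item in value.split(","):
        match = THRESHOLD.fullmatch(item.strip())
        if not match:
            raise ValueError(f"malformed threshold: {item!r}")
        signal, number, unit = match.groups()
        if unit == "%":
            thresholds[signal] = ("percent", float(number))
        else:
            thresholds[signal] = ("absolute", float(number) * UNITS[unit])
    return thresholds


def breached(thresholds, stats):
    """Return the signals whose available amount is below its hard threshold.

    stats maps signal -> (available, capacity), both in bytes.
    """
    hits = []
    for signal, (kind, amount) in thresholds.items():
        available, capacity = stats[signal]
        floor = capacity * amount / 100 if kind == "percent" else amount
        if available < floor:
            hits.append(signal)
    return sorted(hits)


# Constructed unit-file excerpt using flags shown on the page.
SAMPLE_UNIT = r"""
[Service]
ExecStart=/usr/bin/kubelet \
  --cluster-dns=10.11.12.13 \
  --fail-swap-on=false \
  --eviction-hard=memory.available<200Mi,nodefs.available<5%,imagefs.available<5%
"""

GI = 2**30
# Constructed node figures: (available bytes, capacity bytes).
SAMPLE_STATS = {
    "memory.available": (150 * 2**20, 16 * GI),
    "nodefs.available": (8 * GI, 100 * GI),
    "imagefs.available": (4 * GI, 100 * GI),
}

if __name__ == "__main__":
    limits = parse_eviction_hard(flag_value(SAMPLE_UNIT, "eviction-hard"))
    print(breached(limits, SAMPLE_STATS))
```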


Customize DNS entries

You can customize DNS entries after CDF installation. To do so, modify the DNS entries in the DNS hosts
configmap file. Follow the steps below:

1. Run the following command to edit the configmap file:
       kubectl edit cm dns-hosts-configmap -n core
   Your terminal looks like this:
       apiVersion: v1
       data:
         dns-hosts-key: ""
       kind: ConfigMap
       metadata:
         creationTimestamp: 2018-10-19T05:28:05Z
         name: dns-hosts-configmap
         namespace: core

2. Update the DNS entries and save the file.
   For example, add the following DNS entries:
       dns-hosts-key: |
         1.2.3.4 myhost.mydomain.com
         1.2.3.5 myhost.mydomain2.com

3. Your terminal looks like this:
       apiVersion: v1
       data:
         dns-hosts-key: |
           1.2.3.4 myhost.mydomain.com
           1.2.3.5 myhost.mydomain2.com
       kind: ConfigMap
       metadata:
         creationTimestamp: 2018-10-19T05:28:05Z

Rebind a PV and PVC

You need to rebind all the PVs and PVCs that are unbound.
Perform the steps below to rebind a PV and PVC:

1. Run the following command to get the detailed PV information:
       kubectl get pv <pv name> -o yaml
   For example: kubectl get pv itom-vol -o yaml
   Your terminal looks like this:
       [root@sh72v1]# kubectl get pv itom-vol -o yaml
       apiVersion: v1
       kind: PersistentVolume
       metadata:
         labels:
           pv_pvc_label: namespacecoreTest
         name: itom-vol
       spec:
         accessModes:
         - ReadWriteMany
         capacity:
           storage: 5Gi
         claimRef:
           apiVersion: v1
           kind: PersistentVolumeClaim
           name: itom-vol-claim
           namespace: core
         nfs:
           path: /var/vols/itom/claim
           server: myhost.mycompany.com
         persistentVolumeReclaimPolicy: Retain

2. Run the following command to save the output to a file, for example, /tmp/pv-itom-vol.yaml:
       kubectl get pv <pv name> -o yaml > {PV file directory}/{file name}
   For example:
       kubectl get pv itom-vol -o yaml > /tmp/pv-itom-vol.yaml

3. Run the following command to get the PVC information:
       kubectl get pvc <pvc name> -o yaml -n <namespace>
   For example: kubectl get pvc itom-vol-claim -o yaml -n core
   Your terminal looks like this:
       apiVersion: v1
       kind: PersistentVolumeClaim
       metadata:
         labels:
           pv_pvc_label: namespacecoreTest
         name: itom-vol-claim
         namespace: core
       spec:
         accessModes:
         - ReadWriteMany
         resources:
           requests:
             storage: 5Gi
         selector:
           matchLabels:
             pv_pvc_label: namespacecoreTest

4. Run the following command to save the output to a file, for example, /tmp/pv-itom-vol-claim.yaml:
       kubectl get pvc <pvc name> -n <namespace> -o yaml > {output file directory/name}
   For example:
       kubectl get pvc itom-vol-claim -n core -o yaml > /tmp/pv-itom-vol-claim.yaml

5. Run the following commands to delete the PV and PVC:
       kubectl delete pvc <pvc name> -n <namespace> --force
       kubectl delete pv <pv name> --force
   For example:
       kubectl delete pvc itom-vol-claim -n core --force
       kubectl delete pv itom-vol --force

6. Go to the directory where the PV and PVC YAML files are saved. Run the following command to recreate the
   PV:
       kubectl create -f <pv file name>
   For example:
       cd /tmp
       kubectl create -f pv-itom-vol.yaml
7. Run the following command to check the PV status. Make sure the PV status is available.
       kubectl get pv <pv name>
8. Run the following command to recreate the PVC:
       kubectl create -f <pvc file name>
   For example:
       kubectl create -f pv-itom-vol-claim.yaml
9. Run the following command to check the PVC status. Make sure the PVC status is bound.
       kubectl get pvc -n <namespace>
10. Run the following command to restart Kubernetes:
       $K8S_HOME/bin/kube-restart.sh

Administer IdM
IdM Administration provides the identity management services for CDF. It helps you manage users and the groups of
each user, and provides single sign-on (SSO), which allows users to use the same user name and password for multiple
applications.
From ADMINISTRATION > IdM Administration, you can access the IdM Administration page.

Click SYSTEM SETTINGS on the top menu to set the configuration for the IdM instance, which applies to all
organizations.
To prolong the IdM request token lifetime and the management session period, set the Request Token Life Time and
Access Token Lifetime tags respectively.
See the details about the basic system settings in the table below.

String Name | Display Name | Description
HPSSO | Initial String | The key for the encryption of the LW-SSO. This is the shared secret of all servers protected by LW-SSO and connected to the same authentication point server. The initial string must be the same for all the servers in the system. The minimum length of the initial string is 32 bits.
HPSSO | Creation Domain | The domain name is required. The HPSSO 1.0 version supports a single domain. All the servers using HPSSO must have the same domain, and the domain should be denoted in this tag.
TOKEN | Encrypted signing key | Keys used to calculate the message digest to validate the message integrity.
TOKEN | Access Token Lifetime | IdM token life time in minutes. Users can change the Access token lifetime to prolong the life time of management portal.
TOKEN | Request Token Life Time | IdM request token life time in minutes.
SAML | Entity Base URL | The entity ID of the IdM's SAML metadata will be based on this URL.
SAML | Keystore Path | Keystore path for SAML and WS-Trust.
SAML | Keystore Default Key Name | Keystore default key name for SAML and WS-Trust.
SAML | Keystore Default Key Password | Keystore default password for SAML and WS-Trust.
SAML | Keystore Password | Keystore password for SAML and WS-Trust.
SAML | Keystore Provider | Keystore provider for SAML and WS-Trust.
SAML | Keystore Type | Keystore type for SAML and WS-Trust.
LDAP | Extended attributes | Properties for LDAP configuration.
LDAP | Nested Group Level | LDAP nested group level.
LWSSO | Creation Domain | The LWSSO creation attribute domain.
LWSSO | Initial String | Key for encryption/decryption of the LWSSO token. This is the shared secret of all servers protected by LWSSO and connected to the same authentication point server. Therefore, it must be identical in all configurations of all servers in the system. By default, users must configure a valid key string that contains at least one number and one letter. The minimum strength is 32 characters.
LWSSO | SSO Trusted Domains | LWSSO multiple domain configuration. Trusted domains in DNS names.

There is a NEED TO RESTART option after each setting, which shows whether an IdM restart is needed to enable
a new setting. To restart IdM, run the following command:
       kubectl get pod -n core|grep idm|cut -f1 -d" "|xargs kubectl delete pod -n core

Note
You can switch to the advanced settings with the action button at the top right. To switch to the basic settings,
drag the action button to basic.

Add Organization

1. From IdM Administration, click on the top right menu to create an organization.
2. Enter the following information for a new organization: Name, Display Name, Integration User and Password.
3. Then click Create.

Delete Organization

1. From IdM Administration, click on the top right menu to delete the organization.
2. Click the action button at the top right of the organization that you want to delete.
3. Click DELETE in the pop-up window to confirm the deletion of the organization.

Overview:

Click an organization. The overview tab provides the general information of the organization.

Manage users
Tip
ITOM Container Deployment Foundation (CDF) supports two user roles (or personas): IT Administrator and Suite
Administrator.

To manage users, click ADMINISTRATION > IdM Administration, click the organization name, then click the
Users tab. This page displays user name, the first authentication date, and the last authentication date.

The user management page lists all users in the organization. You can:


Add: Click on the top right menu to add a user. Enter the user name, display name and password. Click Add
Attributes to add user attributes. Then click SAVE.

Search: Enter the user name into the search bar, then click the action button to perform the search.

Note
You can choose whether to enter a password for a user. Users with a password are IdM internal users. Users without a
password come from another authentication flow, such as LDAP, SAML or JAAS. You can add a password to a user
from another authentication flow to create an internal IdM user with the same user name. To delete an internal
user, you can just delete the password.

Edit or lock: Click a user name, then click the action button on the top right menu to edit a user.

You can:

● Change the display name
● Choose to lock the user
● Add/edit/delete the user attributes

Remove: Choose the user you want to delete, then click the action icon on the top right menu, and then
click REMOVE to confirm the deletion.

Change a user's password

To change a user's password, see the Change your password page.

Manage groups
To manage groups, click ADMINISTRATION > IdM Administration, click the organization name, then click
the Group tab. This page displays the group name and the related roles. You can:

Add: Click on the top right menu to add a group. Enter the user name, display name and choose the
associated roles from the drop-down box. Then click SAVE. Adding groups helps to manage what roles and
permissions can be assigned to its users.

Edit: Choose a group, then click on the top right menu to edit an existing group. You can change the
display name of the group and the associated group rules.

You can manage the associated group roles:

Add: Click to add a new group rule. You must enter the following:
❍ group name
❍ choose one rule type (LDAP, DATABASE or CALCULATED)
  ■ For LDAP, you must also enter Group DN and LDAP configuration.
  ■ For DATABASE, you must enter the associated users.
  ■ For CALCULATED, you must enter the criteria key, criteria value and choose one match method. Then click
    OK.
    Choose one combination method.
  ■ Then click SAVE.

Edit: Click the action button to edit a group rule.

Remove: Click the action button, and then click REMOVE to remove one group rule.

Remove: Click the action button, and then click REMOVE to remove one group.

Manage roles
To manage roles, click ADMINISTRATION > IdM Administration, click the organization name, then click on the
Roles tab. This page displays the role name, related description and the associated permissions. You can:


Add: Click to add a new role. Then enter the role name, role description and the associated permission. Then
click SAVE. Adding roles to a user helps to manage the permissions assigned to users.

Edit: Choose a role, then click the action button to edit a group setting. Enter a role name, description of
the role and the associated permission. Click SAVE to save the modification.


Remove: Click the action button, and then click REMOVE to remove one role.


Add a database user and give permissions


To add a new user and grant permissions to the new user, perform the following steps:

1. To add a new user: from ADMINISTRATION > IdM Administration > Users, click the organization. Click
Users, click on the top right menu to add a user. Enter the user name, display name and password. Click
Add Attributes to add user attributes. Then click SAVE.
2. To add the new user to a group by adding a group rule:

Click Groups, and then click the name of the group that you want to add the user to. Click on the top right
menu to edit an existing group. Click under the Associated Group Rules.
Enter the display name for this user. Choose DATABASE as the rule type and enter the new user name in the
Associate users row. Below is an example of adding the new user test to the Administrators group.


3. Edit the related permissions by managing the associated roles. Click Roles, choose a role, then click the action
button to edit a group setting. Enter a role name, description of the role and the associated permission.
Click SAVE to save the modification. For example, modify the mngAdminRole.

Note
Groups, roles, and users that are managed in the CDF Management Portal are used for the Management Portal
only. User authentication and authorization for the suite interfaces is managed at the SMA suite side.


Customize password policy


You can customize the password policy for your organizations.
Add: Add a password policy if there is no value for the password parameters. Enter the password policy name,
lockout check time, length check time, expiration check time and other check. Then click SAVE.

Edit: To edit an existing password policy, change the values for the related parameters. Click SAVE.
Remove: To remove the password policy, click REMOVE.


Customize the management portal login page

You can customize the management portal login page. To customize the management portal login page, you need
to add or edit the related variable values as shown below.

Customization settings

From ADMINISTRATION > IdM Administration > [Organization name] > Customization, the customization
tab allows you to add or edit the generic KeyPair for an organization.

You can click to add more generic key pairs. To modify some generic key pairs, click .
Update the related key pairs according to the related parts shown on the management portal login page in the
figure above.
The table below lists commonly used generic key pairs on the management portal login page.


| Name | Description |
| --- | --- |
| Family Icon Text | Specifies the IdM login icon. |
| Add Groups Into SSO Cookie | Specifies whether to add groups into the SSO cookie. |
| Add Permissions into SSO Cookie | Specifies whether to add permissions into the SSO cookie. |
| Background Image URL | Specifies the background image URL. |
| Default Signup Db User Group | The default database user group for IDM sign-up users. |
| Add Roles into SSO Cookie | Specifies whether to add roles into the SSO cookie. |
| Disclaimer Text | Specifies whether the portal has the disclaimer text. |
| Enable Db User Signup | Specifies whether to enable the database user to sign up into IDM. |
| Order Recipient Enabled | Specifies whether the recipient is in order. |
| Featured Category | Specifies whether the category is featured. |
| Authentication Flow | Specifies the authentication flow. For example, seeded, database_user, ldap, ad, jaas, aml, cac, and iwa. |
| Languages | Specifies whether the portal supports multiple languages. |
| Portal Title.de | Specifies the portal title in German. |
| Portal Title.en | Specifies the portal title in English. |
| Portal Title.zh-cn | Specifies the portal title in Chinese. |
| Portal End Date Period | Specifies the portal end date. |
| Portal Enforce End Date | Specifies whether the portal has the enforce end date. |
| Portal Footer Message | Specifies whether the portal has a footer message. |
| Portal Legal Notice URL | Specifies whether the portal has a legal notice URL. |
| Portal Show Confirm Dialog | Specifies whether the portal shows the confirm dialog. |
| Portal Show Legal Notice | Specifies whether the portal shows the legal notice. |
| Portal Show Terms Of Use | Specifies whether the portal shows the terms of use. |
| Portal Terms of Use URL | Specifies whether the portal has a terms of use URL. |
| Sign Up Terms URL | Specifies the URL for sign-up terms. |
| Sign Up Instruction | Specifies the sign-up instruction. |
| Sign Up Welcome Msg | Specifies the sign-up welcome message. |
| Sign Up Terms Agree Msg | Specifies the sign-up terms agreement message. |
| Enable Order Recipient | Specifies whether to enable the order recipient. |
| Authentication Flow | Specifies the database authentication flow. |
| Portal Welcome Message | Specifies the portal welcome message. |
| Security Level | Specifies the security level of your metadata. |
| Login Theme | Specifies the login theme. |
| Family Name | Specifies the family name. |
| Theme Name | Specifies the theme name of your metadata. |

You can do the following operations to the KeyPair parameters:

● Add: Click Add to add a new KeyPair parameter.
● Edit: Click the action button to edit a KeyPair parameter. Enter the value of the Key and click Save to save
the modification.
● Remove: Click the action button and then click Remove to remove one KeyPair.

Customization for Localization

To show the messages in a local language, you can add the language suffix from the table below to the key of
Portal Footer Message and Portal Welcome Message. Then add the value in the local language in the value box.


| Language | Suffix |
| --- | --- |
| Spanish | .ar |
| German | .de |
| English(UK) | .en |
| English(US) | .es |
| French | .fr |
| Italian | .it |
| Japanese | .ja |
| Russian | .ru |
| Swedish | .sv |
| Chinese | .zh |

Note
To implement the changes for the language localization, you need to log out of the management portal and then
log back into the management portal.


Manage authentication

You can configure and manage authentication identity servers for the organization. Click to add one of the
following authentication types, then click CREATE to create a new authentication:

● LDAP
● JAAS
● SAML

LDAP: Enter the display name, hostname, port, SSL connection, LDAP attributes, User login settings, and group
settings for the LDAP server. Then click SAVE.
An example:
Display Name: adfsServer1
Hostname: 192.0.2.0
Port: 389
Base DN: dc=adfs,dc=com
User ID(Full DN): cn=adfsadmin,dc=adfs,dc=com
Password: *******
User Name Attributes: mail
User Searchbase: OU=Users
User Search Filter: mail={0}
Search Subtree: [checked]

You can use user name: adfsadmin with password ***** to log into the CDF management portal.
JAAS: Enter the display name, login module content, and login module directory. You can choose to select
Reflectable. Then click SAVE.

SAML: Enter the display name, and IDP server URL for the SAML server. Then click SAVE.


Use certificate to log into the management portal


You can log into the management portal with a certificate. Perform the following tasks to log in with a certificate.

Sign a certificate with CDF CA

1. Generate a .pfx file with the User Name Attribute set to subjectDN. Run the following commands to generate a
username.pfx file.
cd $K8S_HOME/ssl
openssl genrsa -out username.key 2048
openssl req -new -key username.key -out username.csr
openssl x509 -req -in username.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out username.crt -days 500 -sha256
openssl pkcs12 -export -out username.pfx -inkey username.key -in username.crt
Note
Make sure the username is an IdM administrator. Enter the username for Common Name on your terminal. For
example, enter the username for the following part: Common Name (eg, your name or your server's hostname).

Generate a .pfx file with the User Name Attribute set to SAN and the SAN type to UPN with the following steps:

1. Create a file: sanext.conf under /tmp directory.
2. Enter the following lines into the sanext.conf and then save the file. The [SAN] section name is the section that
the -extensions SAN option in the next step reads. For example:
[SAN]
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:<user2>
3. Run the following commands to generate a username.pfx file.
cd $K8S_HOME/ssl
openssl genrsa -out username.key 2048
openssl req -new -key username.key -out username.csr
openssl x509 -req -extfile /tmp/sanext.conf -extensions SAN -days 365 -in username.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out username.crt
openssl pkcs12 -export -out username.pfx -inkey username.key -in username.crt

Import the .pfx file to your browser

Open Internet Explorer. From Internet Options > Content > Certificates > Import, import the .pfx file.


Create LDAP authentication configuration in IdM

1. From ADMINISTRATION > IdM Administration, click an organization.
2. From AUTHENTICATION, click on the top menu.
3. Choose LDAP from the drop-down list, and then click CREATE to set the settings for LDAP server.

Note
Make sure the Common Name (CN) in the certificate is the same as the user login name that was configured
in the User Login Settings section of the LDAP authentication configuration.


Configure the certificate in IdM

1. From ADMINISTRATION > IdM Administration, click the organization name.


2. From AUTHENTICATION > > CERTIFICATE, click CREATE to set up the certificate authentication
settings.
3. Drag the generated .pfx file into the Root Certificate box and then click UPLOAD.

An example with the certificate attribute set to subjectDN.

An example with subjectDN set to SAN and SAN Type set to UPN.


Add a group rule

Add the username to the Administrators group with the following steps. For example, add the username that is in
Group1 of the LDAP server.

1. From ADMINISTRATION > IdM Administration, click the organization name > Groups.
2. Click the Administrators > .
3. Add the group rule from Associated Group Rules > .
4. Choose LDAP for the rule type.


Log in with the generated certificate

Go to the CDF management portal login page, and follow the pop-ups to log into the management portal with the
generated certificate.


Use SAML credentials to log into the management portal

To use SAML for the authentication, you need to perform the following steps:

1. Enable IdM as SAML service provider


2. Configure an IDP server
3. Configure the SAML server settings in IdM
4. Log into the management portal with SAML authentication

Enable IdM as SAML service provider

1. Generate a keystore file.
Below is an example of using Java "keytool" to generate a keystore. Run the following command to generate a
.jks file:
keytool -genkey -alias itom-idm -keypass <password for key itom-idm> -keyalg RSA -keysize 2048 -validity 365 -keystore ./samlKeystore.jks -storepass <password for keystore file> -dname "CN=<external access FQDN>, OU=itom, O=MF, L=SH, ST=SH, C=CN"

2. Upload your samlKeystore.jks file to the persistent volume "itom-vol".
   1. Log in to one of CDF master node servers with SSH.
   2. Run the following command to get the mounted NFS directory.
      kubectl get pv -oyaml itom-vol
      Your terminal output resembles the following:
      ~]# kubectl get pv -oyaml itom-vol
      apiVersion: v1
      kind: PersistentVolume

        nfs:
          path: /var/vols/itom/data-volume
          server: myhost.mycompany.net
        persistentVolumeReclaimPolicy: Retain
        volumeMode: Filesystem

   3. Log in to the NFS server. In the example above, the server is: myhost.mycompany.net
      Upload the samlKeystore.jks file to <NFS Directory>/suite-install/certificate. Replace <NFS Directory> with
      the NFS path you get from the previous step. For example: /var/vols/itom/data-volume.
   4. Give the samlKeystore.jks file the required permission.
      chown <SYSTEM_UID>:<SYSTEM_GID> <NFS Directory>/suite-install/certificate/samlKeystore.jks
      chmod 755 <NFS Directory>/suite-install/certificate/samlKeystore.jks
3. Configure the keystore path in IdM.
From ADMINISTRATION > IdM Administration, click the organization. Click SYSTEM SETTINGS on the top
menu and set the following parameters:
❍ Keystore Default Key Name: for example, itom-idm
❍ Keystore Default Key Password: for example, <password for key itom-idm>
❍ Keystore Password: for example, <password for keystore file>
❍ Keystore Path: for example, file:/etc/idm/suite-metadata/certificate/samlKeystore.jks

Note
You must restart IdM after updating the keystore path.

Configure an IDP server

To enable SAML integration with IDM as the SP (Service Provider), you must set up an IDP (Identity Provider)
server for SAML authentication. The IDP server must support the SAML2 protocol. The certified IDP servers are:

● Microsoft ADFS 3.0 or higher


● Oracle Identity and Access Management 12 or higher
● Ping Federate 9.1 or higher
● Shibboleth 3.2 or higher

The steps below use Microsoft ADFS as the example IDP server. Follow them to configure the ADFS server.

1. Download the IDM SAML metadata as one file. For example, spring_saml_metadata.xml from
https://<external_access_host_FQDN>:5443/idm-service/saml/metadata
2. Import the IDM SAML metadata file to ADFS server and configure the Transform Claim Rule as below:
1. On the ADFS server, click Add Relying Party Trust.
2. Choose a rule type.
3. Configure the claim rule.


Configure the SAML server settings in IdM

1. From ADMINISTRATION > IdM Administration, click the organization. Click AUTHENTICATION > ,
choose SAML as the authentication type. Click CREATE.
2. Enter the display name for SAML server. Choose one type of the certificate upload method.
IDP Metadata URL: Enter the IDP Metadata URL and upload the certificate. Click UPLOAD to upload the
certificate. Then click SAVE.
IDP Metadata: Click UPLOAD to upload the certificate. Then click SAVE.

3. Add saml to IdM authentication flow.
   1. From ADMINISTRATION > IdM Administration, click the organization.
   2. Click Customization > Authentication Flow > , add saml to the value.
   3. Click SAVE.
4. Configure the group rules for the SAML user.
   1. From ADMINISTRATION > IdM Administration, click the organization.
   2. Click Groups > Administrator > , click to add a group rule.

Log into the management portal with SAML authentication

1. Enter the management portal URL into your browser, and you will be redirected to the SAML IDP login page.
2. Enter your SAML IDP username and password to log in.
3. Then you will be redirected to the CDF management portal.


Use OAuth 2 authentication to log into the management portal

To use OAuth2 authentication to log into the management portal, perform the following steps:

1. Create an OAuth authentication.

From ADMINISTRATION > IdM Administration, click the organization. Click Authentication > ,
choose OAUTH as the authentication type. Click CREATE.

Enter the display name, OAuth type, client ID, client secret, and Base URL for the OAuth setting.
The base URL is the URL provided by the OAuth identity provider. Below is an example:


2. From IdM Administration > Customization, click the Authentication Flow > , enter ,oauth2. The
symbol "," is the separator. Click SAVE.
3. Click SYSTEM SETTINGS on the top main menu. Click Advanced to show the advanced settings. Scroll down
to the bottom line and check that the IdM Service URL parameter has already been set to a value. The IdM service
URL is: https://<management portal login URL>:5443/idm-service.

4. (Optional) Add a role and give the role the associated permission.

Click Roles > . Enter a role name, displayed name, description of the role and the associated
permission. Set the associated permission as IDM_ADMIN. Click SAVE.


5. (Optional) Add a group and give the associated roles to the group.

Click Groups > . Enter a group name, displayed name and the associated permission. Set the
associated permission as the role name you set in the previous step. For example, Oauth2. Click SAVE.

6. (Optional) Add associated group rules.

From the Associated Group Rules row, click . Enter the group name you created in previous step. For
example, Oauth2. Choose CALCULATED as the rule type, AND as the combination strategy.

From the Criteria row, click . Enter the criteria key and criteria value, choose a match method to add
users to the group. Then click SAVE.
For example, enter username as the criteria key and admin as the criteria value and choose LIKE for the
match method.


7. Log out of the management portal and then log into the management portal again. The login page will redirect
you to the NetIQ login page. Enter the username and password and click Next Step to log in. For example,
you can use admin as the username and the related password.


Use LDAP credentials to log into the management portal with SSL

LDAP settings

The LDAP settings contain parameters for the LDAP server configuration, LDAP attributes, and user login
information.

LDAP Server Settings

| Setting | Description |
| --- | --- |
| Display Name | Name of the LDAP configuration. This name cannot be changed when you reconfigure the settings. |
| Hostname | Fully-qualified domain name or IP address of the LDAP server. Example: 192.0.2.24 |
| Port | Port of the LDAP server. LDAP servers typically use port 389 or secure port 636. |
| SSL Connection | Select SSL Connection if an LDAPS URL is specified. |
| Base DN | The Distinguished Name (DN) of the LDAP entity from which you want to start your user search. Example: CN=Users,DC=obm,DC=example,DC=com |
| User ID (Full DN) | The Distinguished Name (DN) of a user with search privileges on the LDAP directory server. Example: CN=Administrator,CN=Users,DC=example,DC=com |
| Password | Password of the specified user ID. |

LDAP Server Settings

| Setting | Description |
| --- | --- |
| Full Name | Full name to be included in the user search. Example: cn |
| User Email | Property that contains the user's email address (specific to the selected LDAP vendor, for example MS Active Directory). Example: mail |
| Group Membership | List of comma-separated LDAP attributes to find groups in a user profile. Example: member,uniqueMember |
| Manager Identifier | Any attribute (for example DN or CN) of the user who is the user's manager. Example: manager |
| Manager Identifier Value | The value of the identifier. For example, if you specified the DN in the Manager Identifier field, enter dn. |
| User Avatar | Attribute for the user avatar image. You must specify an LDAP record property name that exists on the LDAP server. Example: cn |
| Priority | Specifies the priority of the domain controller. The priority determines the order in which clients contact a domain controller. |
| Referral Search | Select to follow LDAP referrals to another server that offers the requested information. |

User Login Settings

| Setting | Description |
| --- | --- |
| User Name Attributes | Name of field that contains the user name. Example: CDFAccountName |
| User Searchbase | Parameters to indicate which attributes are to be included in the user search. Example: CN=Users |
| User Search Filter | LDAP pattern to use when searching for a user account. Example: (CDFAccountName={0}) The user search filter must include the pattern {0}, which is replaced with the user name entered on login. For example, (&(CDFAccountName={0})(objectClass=user)). |
| Search Subtree | Select to search the subtree below the base DN (including the base DN level). |

Group Settings

| Setting | Description |
| --- | --- |
| Group Search Base | Parameters to indicate which attributes are to be included in the group search. Example: ou=Groups,dc=example,dc=net |
| Group Search Filter | LDAP pattern to use when searching for a group list and search for which group the user belongs to. Example: (&(cn=TS-SA-*)(objectClass=group)) |
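The User Search Filter row says that {0} is replaced with the user name entered on login. The following is an added example, not IdM's own code, of what that substitution has to look like to be safe: it checks a filter template and escapes the login name per RFC 4515 so that characters such as * ( ) \ stay literal. The function names and the sample login names are constructed; how IdM itself performs the substitution is not described on this page.

```python
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a login name so it can only ever be a literal filter value."""
    # Character-by-character mapping avoids escaping a backslash twice.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_filter_template(template):
    """Return a list of problems found in a User Search Filter template."""
    problems = []
    if "{0}" not in template:
        problems.append("missing {0} placeholder")
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0:
        problems.append("unbalanced parentheses")
    # A wildcard next to the placeholder turns an exact login match into a
    # prefix or substring match, so one typed name could select another user.
    if re.search(r"\*\{0\}|\{0\}\*", template):
        problems.append("wildcard adjacent to {0}")
    return problems


def build_user_filter(template, login_name):
    """Validate the template, then substitute the escaped login name."""
    problems = check_filter_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("{0}", escape_filter_value(login_name))


if __name__ == "__main__":
    # Templates from this page; login names are constructed samples.
    template = "(&(CDFAccountName={0})(objectClass=user))"
    for name in ("jdoe", "doe (ext)", "j*"):
        print(f"{name!r:12} -> {build_user_filter(template, name)}")
    print(build_user_filter("mail={0}", "jdoe@example.com"))
```
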


Use LDAP credentials to log into the management portal with SSL protocol

You can use LDAP credentials to log in to the management portal with SSL protocol. Perform the following steps:

1. Log in to the CDF management portal with admin credentials to add LDAP configuration.
2. From ADMINISTRATION > IdM Administration, then choose an organization.
3. From Authentication, click to add an authentication type. Choose LDAP from the drop-down box.
4. Enter the display name, host name, port, and SSL connection, and then click SAVE.
5. Create a group and configure the group DN. The following configuration is based on the Active Directory LDAP.
1. From the server where you installed Active Directory LDAP, click Start > Windows PowerShell.
2. Copy the following script to the open window, then run it. For example, to create a Group DN:
cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com
# Create the organizational unit that holds the test group and user.
dsadd ou "ou=idmtest,dc=adfs,dc=com"
# Create one group per suffix.
$groupsuffix=1
foreach ($suffix in $groupsuffix)
{
    dsadd group "cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com"
}
# Create one user per suffix, then add it to each matching group.
$usersuffix=1
foreach ($suffix in $usersuffix)
{
    $username="cn=testuser$suffix,ou=idmtest,dc=adfs,dc=com"
    $mobileno="186000" +(10000+$suffix).ToString()
    $email = "testuser$suffix@idm.com"
    cmd /c "dsadd user $username -disabled no -pwd 1Qazxsw2 -mobile $mobileno -email $email -acctexpires never"

    foreach ($currentGroupSuffix in $groupsuffix) {
        if ( ($suffix % $currentGroupSuffix) -eq 0) {
            $groupname="cn=testuser" +$currentGroupSuffix +",ou=idmtest,dc=adfs,dc=com"
            cmd /c "dsmod group $groupname -addmbr $username"
        }
    }
}
6. Configure the Administrators group to add associated group rules. Click SAVE for the group rule.


Now you can log in to the management portal with LDAP credentials over SSL.


Manage suite metadata


To manage suite Metadata, click ADMINISTRATION > Metadata. You can:

● View the existing suite versions


● Upload new suite metadata and overwrite the existing suite versions
● Delete existing suite versions

View the existing suite versions

To view the existing suite versions, click ADMINISTRATION > Metadata. The open page displays the existing
suite versions.

Upload new suite metadata

To upload new suite metadata, click to upload a new suite metadata tar file. Select the new metadata
tar file. Choose to check or uncheck the Overwrite option and click OK to upload.


The newly added suite versions will be displayed on the Manage Metadata page.
If you do not check the Overwrite option, only the suite version files that are not displayed on the current page
will be added. The versions that are listed both on the current page and in the new metadata file will remain
unchanged.
If you check the Overwrite option, it will only overwrite the version files that have the same name. It will not
overwrite the metadata file. The overwrite includes:

● Replace the existing version files displayed on the Manage Metadata page with the version files listed in the
new metadata.
● Add new version files that are listed in the metadata file but not displayed on the Manage Metadata page.

Refresh the suite metadata

To refresh the suite version list on the Manage Metadata page, click on the top right
menu.

Delete existing suite versions


To delete a version, go to the row of the version you want to delete. Click , and click OK.


Modify the CDF external database configuration

To modify the external database configuration, follow these steps:

1. Run the $K8S_HOME/bin/updateExternalDbInfo command to modify the configuration. For example, you run
one of the following commands:
updateExternalDbInfo <-t|--dbtype <DB type>> <-u|--user <username>> <-H|--host <DB host>> <-p|--port <DB port>> <-d|--dbname <DB name>>

updateExternalDbInfo <-t|--dbtype <DB type>> <-u|--user <username>> <-U|--url <DB connection URL>>

In these commands:
❍ -u|--user Sets the external database username.
❍ -H|--host Sets the external database host.
❍ -p|--port Sets the external database port.
❍ -d|--dbname Sets the external database name.
❍ -t|--dbtype Sets the external database type, optional choices are
("EMBEDDED","EXTERNAL_PG","EXTERNAL_ORA"). The database type must be capitalized.
❍ -h|--help Shows the help.
❍ -U|--url Sets the external database connection URL.
2. For Oracle, use the following format: "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL = TCP)(HOST = oracle.host.name)(PORT = 1521)) (CONNECT_DATA = (SERVICE_NAME = oracledb)))"
For PostgreSQL, use the following format: jdbc:postgresql://postgres.host.name:5432/dbname

3. Run the following commands to recreate the IdM pod:

kubectl delete -f $K8S_HOME/objectdefs/idm.yaml

kubectl create -f $K8S_HOME/objectdefs/idm.yaml


Security

Technical system landscape

ITOM Container Deployment Foundation (CDF) is a container that integrates with other suites. CDF is written in
Java, JavaScript, and Go.
For more information about typical deployment schemes and options, see Get started.

Security in CDF configurations

CDF configurations may be deployed in the following three modes:

● Single node mode


● Distributed mode 1 (one master node and multiple worker nodes)
● Distributed mode 2 (multiple master nodes and multiple worker nodes)

All of these implementations share the same basic out-of-the-box security configuration options:

● In an out-of-the-box installation, Transport Layer Security/Secure Socket Layer (TLS/SSL) security is enabled
between the browser and the CDF server by default.
● In an out-of-the-box installation, CDF requires users to enter username and password credentials to gain access
to the application.

External authentication

Though CDF cannot inherit users’ information and authorization profiles from an external repository, suite users
can use the industry-standard protocols and tools provided by identification management (IDM) integrated into
CDF to get the users' information and authentication profiles. For example, suite users can configure LDAP or
Single Sign-On provided by IDM to get external authentication profiles.


Common security considerations

CDF can only be deployed on supported operating systems.

We recommend that you follow vendor-provided best practices and security hardening guides for each of the
third-party components in your CDF deployment. This includes Docker, Kubernetes, Vault, Nginx, and NFS.


Authorization

Authorization model

Access to ITOM Container Deployment Foundation (CDF) resources is authorized based on the following user
settings:

● User name
● Session and inactivity timer timeouts


Back up data for a single-master cluster

To back up the data in the data directory for a single-master cluster, run the etcdctl backup command.
For example, you run the following commands:
etcdctl backup \
--data-dir %data_dir% \
--backup-dir %backup_data_dir%
You can also use the etcdctl backup command to back up all the exported folders in the NFS server.
The etcdctl backup command rewrites some metadata contained in the backup (specifically, the node ID and
cluster ID), which means that the node will lose its former identity.

In order to recreate a cluster from the backup, you will need to start a new, single-node cluster. The metadata is
rewritten to prevent the new node from inadvertently being joined to an existing cluster.


Data integrity

The database server is used as a simple data store and is responsible for all persistent storage. While the database
contains definitions describing business logic, no processing other than create, read, update, and delete (CRUD)
operations in response to requests from ITOM Container Deployment Foundation (CDF) is performed on this tier.
Referential integrity is enforced by the application, thereby protecting transactions. In addition, the database
captures a complete audit log of all changes to data.
The data backup procedure is also an integral part of data integrity. As CDF does not provide native backup
capabilities, please consider the following guidelines:

● Database backup is especially important before critical actions such as upgrades.


● Backup files should be stored according to industry best practices to avoid unauthorized access.
● As database backup can be a resource intensive process, we strongly recommend that you avoid running backup
operations during peak demand times.


Encryption

TLS/SSL data transmission

An IdM server is used for authentication. The IdM server is monitored by a single center policy server, and consists
of a user repository, a policy store, and a web server agent installed over each of the capability's web servers that
communicates with the policy server. The IdM server controls users' access to various organizational resources,
protecting confidential personal and business information from unauthorized users.
For optimal security, we recommend that you either configure a TLS connection between the suite and the IdM
server, or have the suite server and the IdM servers on the same secure internal network segment. Authentication
is performed by the IdM server, and authorization is handled by the capabilities.
ITOM Container Deployment Foundation (CDF) uses TLS/SSL to transmit data between the server and browsers.
To change the default value of the SSL cipher, follow these steps:

1. On the master node, change the ssl-ciphers value in the $K8S_HOME/objectdefs/nginx-ingress.yaml file.
2. Run the following commands to recreate the ingress container:
kubectl delete -f $K8S_HOME/objectdefs/nginx-ingress.yaml
kubectl create -f $K8S_HOME/objectdefs/nginx-ingress.yaml

Encryption of stored database fields

CDF uses proprietary algorithms to encrypt data that is stored in the database, and uses Micro Focus Identity
Manager (IdM) to manage user passwords.


Installation security recommendations

Supported operating systems

For information about supported operating systems, see Support matrix for cloud-based deployment and Support
matrix for on-premises deployment.

Harden SSH on the operating system

By default, the SSH server is configured with a weak cipher and a weak key exchange algorithm (KexAlgorithms) on
each node. To harden the SSH server, set the values of KexAlgorithms, Ciphers and MACs in the
/etc/ssh/sshd_config file as follows:

● KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
● Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
● MACs hmac-sha2-256
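
The following audit script is an added example, not part of the SMAX documentation: it reads an sshd_config file and reports every KexAlgorithms, Ciphers or MACs entry that falls outside the values recommended above. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config file against the values recommended above.

# Allow-lists copied from the recommendation on this page.
ALLOWED_KEX="ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256"
ALLOWED_CIPHERS="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOWED_MACS="hmac-sha2-256"

# Print the value of the first uncommented occurrence of a keyword.
# sshd keeps the first value it reads, keywords are case-insensitive, and
# "Keyword value" and "Keyword=value" are both accepted.
sshd_value() {  # usage: sshd_value <keyword> <file>
  awk -v key="$1" '
    { line = $0; sub(/#.*/, "", line); sub(/=/, " ", line); n = split(line, f, " ") }
    n >= 2 && tolower(f[1]) == tolower(key) { print f[2]; exit }
  ' "$2"
}

# Report every algorithm of one directive that is not in the allow-list.
# A value starting with +, - or ^ edits OpenSSH's default list instead of
# replacing it, so it does not pin the algorithms and is reported as well.
audit_directive() {  # usage: audit_directive <keyword> <allowed-csv> <file>
  local key="$1" allowed="$2" file="$3" value alg rc=0
  value="$(sshd_value "$key" "$file")"
  if [ -z "$value" ]; then
    echo "$key: not set (sshd falls back to its built-in defaults)"
    return 1
  fi
  case "$value" in
    [+^-]*) echo "$key: '$value' modifies the defaults instead of replacing them"
            return 1 ;;
  esac
  local IFS=,
  for alg in $value; do
    case ",$allowed," in
      *",$alg,"*) ;;
      *) echo "$key: '$alg' is not in the recommended list"; rc=1 ;;
    esac
  done
  return $rc
}

# Audit all three directives; returns 0 only if every one of them conforms.
audit_sshd_config() {  # usage: audit_sshd_config <file>
  local file="$1" rc=0
  audit_directive KexAlgorithms "$ALLOWED_KEX" "$file" || rc=1
  audit_directive Ciphers "$ALLOWED_CIPHERS" "$file" || rc=1
  audit_directive MACs "$ALLOWED_MACS" "$file" || rc=1
  return $rc
}

# Constructed sample input: an sshd_config fragment with one weak key exchange
# algorithm, one weak cipher and no MACs line.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sshd_config fragment for this example
Port 22
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group1-sha1
Ciphers aes256-ctr,3des-cbc
EOF
audit_sshd_config "$sample" || echo "sshd_config does not match the recommendation"
rm -f "$sample"
```

On a node, run audit_sshd_config /etc/ssh/sshd_config after editing the file and before restarting the SSH service.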

Database security recommendations

Refer to the PostgreSQL website for PostgreSQL database security solutions.

Application server security recommendations

● Always change the default passwords.


● Always use the minimal possible permissions when installing and running CDF (you must install and run with root
permissions by using the sudo command).


Network and communication

Secure topology

ITOM Container Deployment Foundation (CDF) is designed to be part of a secure architecture and to deal with the
security threats to which it could potentially be exposed.
To securely deploy the CDF, we recommend that you use the TLS/SSL communication protocol.

Import custom certificates for ingress service in core namespace

You can specify certificates for ingress service during the CDF installation.

From the page, select your private key, server certificate and root certificate, then click Upload.

Update the certificates for ingress service in core namespace

From the management portal, ADMINISTRATION > Certificate, select certificates and the key files.
Click Update to use the selected certificates and keys.

Renew the client.crt, client.key, server.crt, and server.key certificates

When these certificates are about to expire, you must renew them.

Note
The renewCert script can only generate a certificate with a validity of 1 year. If you want to renew the certificate
with a longer validity period, perform the steps in Renew certificates after they are expired.


Renew certificates before they are expired with root user

To renew the certificates before they are expired, follow these steps as root user:

1. Run the following commands to generate new server certificates or client certificates on one master node (first
master node):
cd $K8S_HOME/scripts
./renewCert
2. Enter y to generate new certificates. Your terminal resembles the following:

[root@shv1 scripts]# ./renewCert
Are you sure to continue? (y,Y/n,N):
y
Start to generate certificates
Generate certificates successfully
-----------------------------------------

3. Perform the following steps on the first master node according to whether your cluster nodes have SSH
connection.
❍ When the cluster nodes have SSH connection, perform the following steps.
1. Enter y for the following question:
Do you want to distribute certificates to all the nodes(y/n,Y/N)
y

2. Enter the corresponding number to choose a password mode to connect to the remaining cluster nodes.
Make sure all the remaining cluster nodes use the same user name (root), the same password or the same
private key, or all of them do not need password/key to get connected.

3. Enter the user name and password or private key to connect to the cluster nodes. Then your terminal
resembles the following:

Please input node user for 192.0.2.0
root
Please input node password for 192.0.2.0
Connecting...
[Successful connection nodes]:
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4

Start to distribute certificates
Distribute certificates to 192.0.2.1 successfully
Distribute certificates to 192.0.2.2 successfully
Distribute certificates to 192.0.2.3 successfully
Distribute certificates to 192.0.2.4 successfully
[Successful distribution nodes]:
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.4

----------------------------------------
Do you want to restart kube-service for successful nodes(y/n,Y/N)

4. Enter y to restart the kube-service.


❍ When your nodes do not have SSH connection, perform the following steps:
1. Enter n for the following question:

Do you want to distribute certificates to all the nodes(y/n,Y/N)

2. Your terminal resembles the following:

Do you want to distribute certificates to all the nodes(y/n,Y/N)


n

Finished! You can distribute the certificates under /opt/kubernetes/ssl/new-certs manually.


After that, please run /opt/kubernetes/bin/kube-restart.sh one each node one by one to make the
certificates take effect.

3. Back up the certificates under $K8S_HOME/ssl/ to some other directory on all cluster nodes.
4. Copy the certificates from <K8S_HOME>/ssl/new-certs of the first master node to the
<K8S_HOME>/ssl of the corresponding nodes manually. Replace <K8S_HOME> with the directory that
you defined in the install.properties file.
1. Run the following commands on the first master node to view the generated certificates under the
<K8S_HOME>/ssl/new-certs.
cd $K8S_HOME/ssl/new-certs
ls -al
Your terminal resembles the following:

-r-------- 1 root root 1631 Mar 18 00:33 192.0.2.1-server.crt
-r-------- 1 root root 1679 Mar 18 00:33 192.0.2.1-server.key
-r-------- 1 root root 1460 Mar 18 00:33 192.0.2.2-client.crt
-r-------- 1 root root 1675 Mar 18 00:33 192.0.2.2-client.key
-r-------- 1 root root 1627 Mar 18 00:33 192.0.2.3-server.crt
-r-------- 1 root root 1675 Mar 18 00:33 192.0.2.3-server.key
-r-------- 1 root root 1679 Mar 18 00:33 192.0.2.4-server.crt
-r-------- 1 root root 1675 Mar 18 00:33 192.0.2.4-server.key

2. Manually copy the corresponding certificates from the first master node to the <K8S_HOME>/ssl directory of the
corresponding nodes, according to the certificate names.
❍ For the first master node, run the following commands on the first master node. Replace <master1>
with the host name or IPv4 address of the first master node.
cp $K8S_HOME/ssl/new-certs/<master1>-server.key $K8S_HOME/ssl/<master1>-server.key
cp $K8S_HOME/ssl/new-certs/<master1>-server.crt $K8S_HOME/ssl/<master1>-server.crt
❍ Copy the <master>-server.key and <master>-server.crt files manually from the first master node to
the remaining corresponding master nodes under <K8S_HOME>/ssl.
For example:
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.crt to node 192.0.2.3 under
<K8S_HOME>/ssl directory.
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.key to node 192.0.2.3 under
<K8S_HOME>/ssl directory.
❍ Copy the <worker>-client.key and <worker>-client.crt files manually from the first master node to
the corresponding worker nodes under <K8S_HOME>/ssl
For example:
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.crt to node 192.0.2.2 under <K8S_HOME>/ssl
directory.
■ Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.key to node 192.0.2.2 under
<K8S_HOME>/ssl directory.
3. Go to the <K8S_HOME>/ssl directory of each node. Change the certificate names according to
the following rules. You can run the command mv [old file name] [new file name] to change the
certificate names. Replace <hostname> with the host name or IPv4 address of the node.
❍ For master nodes, run the following commands:
mv <hostname>-server.crt server.crt
mv <hostname>-server.key server.key

❍ For worker nodes, run the following commands:


mv <hostname>-client.crt client.crt
mv <hostname>-client.key client.key

4. Make sure all the certificates are owned by the user whose SYSTEM_USER_ID is specified in the
install.properties file before installation. By default the SYSTEM_USER_ID is 1999. Run the following
command on all cluster nodes to change the certificate owner to SYSTEM_USER_ID.
❍ Run the following command on the master nodes to change the certificates owner:
chown <SYSTEM_USER_ID>:root ca.crt server.crt server.key

❍ Run the following command on the worker nodes to change the certificates owner:
chown <SYSTEM_USER_ID>:root ca.crt client.crt client.key


5. Run the following command on each node one by one to restart Kubernetes:
/opt/kubernetes/bin/kube-restart.sh

Renew certificates before they are expired with sudo user

You can also renew certificates with sudo users before they are expired. Take "cdfinstaller" as the sudo user for
example. Make sure the sudo user's uid is the value you defined for parameter SYSTEM_USER_ID in the
install.properties and the sudo user's gid is the value you defined for parameter SYSTEM_GROUP_ID in the
install.properties. By default, the gid and uid are all set to 1999.
Run the following command to check the sudo user's uid, gid, and group: id cdfinstaller
Your terminal resembles the following:

id cdfinstaller
uid=1999(cdfinstaller) gid=1999(cdfinstaller)
groups=1999(cdfinstaller)
To renew the certificates before they are expired, perform the following steps:

1. The root user must perform the following steps on all master nodes and worker nodes to grant some
permissions to the sudo user.
1. Log on to the node as the root user.
2. Open the /etc/sudoers file with a supported editor and perform the following steps as the root user.
1. Add the following lines to the end of the file:

Cmnd_Alias CDFINSTALL = <K8S_HOME>/bin/kube-stop.sh, <K8S_HOME>/bin/kube-restart.sh, <K8S_HOME>/scripts/renewCert, /bin/cp, /usr/bin/kubectl, /usr/bin/docker, /usr/bin/mkdir, /bin/rm, /bin/su, /bin/chmod, /bin/tar, /bin/mv, /usr/bin/cp
<username> ALL=NOPASSWD: CDFINSTALL
Defaults:<username> !requiretty
Defaults:cdfinstaller env_keep += "K8S_HOME", !requiretty
Defaults:root !requiretty

● Replace <K8S_HOME> with the value defined in install.properties or from a command line. By default,
<K8S_HOME> is /opt/kubernetes.
● Replace <username> with the user name of your sudo user.

2. If you need to add additional commands, append them to the Cmnd_Alias CDFINSTALL line.
3. Locate the secure_path line and make sure that the /sbin, /bin, /usr/sbin, and /usr/bin paths are present, as
shown below:
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
By doing this, the sudo user can execute the showmount, curl, ifconfig and unzip commands when installing CDF.

The sudoers file might be overwritten by configuration tools, such as Puppet, Chef, and Ansible.
Make sure the sudoers file contains all the configurations that grant the sudo user access.
2. Log in to the master node as a sudo user, for example "cdfinstaller". Run the following command to generate
new certificates on the first master node.
sudo $K8S_HOME/scripts/renewCert
3. Enter y to generate new certificates. Your terminal resembles the following:

sudo $K8S_HOME/scripts/renewCert
Are you sure to continue? (y,Y/n,N):
y
Start to generate certificates
Generate certificates successfully
-----------------------------------------
Do you want to distribute certificates to all the nodes(y/n,Y/N)

4. Since you are running the renewCert script with sudo user, the generated certificates cannot be distributed to
all cluster nodes automatically due to the limited permissions sudo user has.
Enter n for the following question:

Do you want to distribute certificates to all the nodes(y/n,Y/N)

5. Your terminal resembles the following:

Do you want to distribute certificates to all the nodes(y/n,Y/N)


n

Finished! You can distribute the certificates under /opt/kubernetes/ssl/new-certs manually.


After that, please run /opt/kubernetes/bin/kube-restart.sh one each node one by one to make the certificates
take effect.

6. Copy the certificates from $K8S_HOME/ssl/new-certs on the first master node to the $K8S_HOME/ssl of the
corresponding nodes manually. Replace <K8S_HOME> with the directory that you defined in the
install.properties file.
1. Run the following commands on the first master node to copy the generated certificates under the
<K8S_HOME>/ssl/new-certs to /tmp.
sudo cp -r $K8S_HOME/ssl/new-certs /tmp

2. Run the following command on the first master node. Replace <SYSTEM_USER_ID> with the value you
defined in the install.properties. By default, it is 1999.
cd /tmp
sudo chown -R <SYSTEM_USER_ID>:root new-certs
ls -al new-certs


Your terminal resembles the following:

-r-------- 1 1999 root 1631 Mar 18 00:33 192.0.2.1-server.crt
-r-------- 1 1999 root 1679 Mar 18 00:33 192.0.2.1-server.key
-r-------- 1 1999 root 1460 Mar 18 00:33 192.0.2.2-client.crt
-r-------- 1 1999 root 1675 Mar 18 00:33 192.0.2.2-client.key
-r-------- 1 1999 root 1627 Mar 18 00:33 192.0.2.3-server.crt
-r-------- 1 1999 root 1675 Mar 18 00:33 192.0.2.3-server.key
-r-------- 1 1999 root 1679 Mar 18 00:33 192.0.2.4-server.crt
-r-------- 1 1999 root 1675 Mar 18 00:33 192.0.2.4-server.key

3. Copy the corresponding certificates from /tmp of the first master node to /tmp of the remaining nodes
respectively according to the certificates names manually.
■ For the first master node, run the following commands on the first master node. Replace <master1> with
the host name or IPv4 address of the first master node.
cp $K8S_HOME/ssl/new-certs/<master1>-server.key /tmp/<master1>-server.key
cp $K8S_HOME/ssl/new-certs/<master1>-server.crt /tmp/<master1>-server.crt
■ Copy the <master>-server.key and <master>-server.crt files manually from the first master node to the
remaining corresponding master nodes under /tmp.
For example:
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.crt to node 192.0.2.3 under /tmp directory.
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.3-server.key to node 192.0.2.3 under /tmp directory.
■ Copy the <worker>-client.key and <worker>-client.crt files manually from the first master node to the
corresponding worker nodes under <K8S_HOME>/ssl
For example:
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.crt to node 192.0.2.2 under /tmp directory.
● Copy <K8S_HOME>/ssl/new-certs/192.0.2.2-client.key to node 192.0.2.2 under /tmp directory.
4. Go to the /tmp directory of each node. Change the certificate names according to the following rules.
You can run the command mv [old file name] [new file name] to change the certificate names. Replace
<hostname> with the host name or IPv4 address of the node.
■ For master nodes, run the following commands:
mv <hostname>-server.crt server.crt
mv <hostname>-server.key server.key

■ For worker nodes, run the following commands:


mv <hostname>-client.crt client.crt
mv <hostname>-client.key client.key

5. Run the following commands on all the cluster nodes.


1. Run the following commands to stop the Kubernetes service.
cd /tmp
sudo $K8S_HOME/bin/kube-stop.sh


2. Run the following command to change the sudo user's permission on the directory $K8S_HOME/ssl. Replace
<SYSTEM_USER_ID> with the value you defined in install.properties. By default, it is 1999.
sudo chown -R <SYSTEM_USER_ID>:root $K8S_HOME/ssl/

3. Back up the certificates under $K8S_HOME/ssl/ to some other directory.


4. Copy the newly generated certificates from /tmp to $K8S_HOME/ssl/.
5. Run the following command to restore the previous $K8S_HOME/ssl/ directory permission. Replace
<SYSTEM_USER_ID> with the value you defined in install.properties. By default, it is 1999.
sudo chown -R <SYSTEM_USER_ID>:root $K8S_HOME/ssl/
6. After you have updated the certificates on all cluster nodes, run the following command on each node one by
one:
sudo $K8S_HOME/bin/kube-restart.sh

Renew certificates after they are expired as root user

To renew certificate for AWS deployment, you must follow the steps below.
Perform the following steps on each master node and worker node as root:

1. Log in to the node and go to $K8S_HOME/ssl directory. Back up all the certificates under the $K8S_HOME/ssl
directory.
For example, run the following commands:
cd $K8S_HOME/ssl
cp -r $K8S_HOME/ssl $K8S_HOME/ssl.bak

2. Run the following command according to your node type:


For master nodes:
openssl req -new -key server.key -subj "/CN=<HOSTNAME>" -out server.csr
For worker nodes:
openssl req -new -key client.key -subj "/CN=<HOSTNAME>" -out client.csr
Replace <HOSTNAME> with the host name of the current node.
3. Run the following command according to your deployment mode.
❍ For single-master node deployment:
echo "subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>" > extfile.cnf
❍ For multiple-master node deployment configured with HA_VIRTUAL_IP for HA and IPv4 address for the
HA_VIRTUAL_IP, run the following command:
echo "subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,IP:<HA_VIRTUAL_IP>" > extfile.cnf


❍ For multiple-master node deployment configured with HA_VIRTUAL_IP for HA and host name for the
HA_VIRTUAL_IP, run the following command:
echo "subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,DNS:<HA_VIRTUAL_IP>" > extfile.cnf

❍ For multiple-master node deployment with LOAD_BALANCER_HOST for HA and IPv4 address for the
LOAD_BALANCER_HOST, run the following command:
echo "subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,IP:<LOAD_BALANCER_HOST>" > extfile.cnf

❍ For multiple-master node deployment with LOAD_BALANCER_HOST for HA and host name for the
LOAD_BALANCER_HOST, run the following command:
echo "subjectAltName=IP:<Kubernetes_service_IP>,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:<NODE_IP>,DNS:<HOSTNAME>,DNS:<LOAD_BALANCER_HOST>" > extfile.cnf

■ Replace <Kubernetes_service_IP> with your service IPv4 of Kubernetes. By default it is 172.17.17.1, unless
you have specified SERVICE_CIDR before you install CDF. You can get your Kubernetes service IPv4 address
by running the command: openssl x509 -in $K8S_HOME/ssl/server.crt -noout -text. The first IP in the field
X509v3 Subject Alternative Name is the Kubernetes service IPv4 address.
■ Replace <NODE_IP> with the IPv4 of the current node.
■ Replace <HOSTNAME> with the hostname of the current node.
■ Replace <HA_VIRTUAL_IP> with the IPv4 address or host name you defined for the parameter
HA_VIRTUAL_IP in the install.properties.
■ Replace <LOAD_BALANCER_HOST> with the IPv4 address or host name you defined for the parameter
LOAD_BALANCER_HOST in the install.properties.

4. Perform the following steps according to the node type:


❍ For master nodes, run the following command:
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf \
-out server.crt -days <validity period>
For example:
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf \
-out server.crt -days 3650
❍ For worker nodes:
■ Copy ca.key from the $K8S_HOME/ssl directory of any master node to all the worker nodes.
■ Run the following command:
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf \
-out client.crt -days <validity period>
For example:
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf \
-out client.crt -days 3650
❍ Replace the <validity period> with your new certificate validity period in the unit of days. For example, if you
want to renew the certificate with a validity of 10 years, replace <validity period> with 3650.
5. Make sure that the certificates include ca.crt, server.crt and server.key (master nodes) or ca.crt, client.crt and
client.key (worker nodes), and that all the certificates are owned by the user whose SYSTEM_USER_ID is specified
in the install.properties file before installation. The default SYSTEM_USER_ID is 1999. You can run the following
command to change the owner.
❍ For master nodes: chown <SYSTEM_USER_ID>:root ca.crt server.crt server.key
❍ For worker nodes: chown <SYSTEM_USER_ID>:root ca.crt client.crt client.key
6. Run the following command to restart kube-service.
$K8S_HOME/bin/kube-restart.sh
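
The script below is an added example, not part of the SMAX documentation: it builds the extfile.cnf line from step 3 for any of the deployment modes, choosing the IP: or DNS: prefix for the HA endpoint automatically, and lists the SAN entries that a renewed certificate is missing. The function names, the host name master1.example.com, the address 192.0.2.10 and the sample certificate text are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: build and verify the subjectAltName list used in step 3.

# Return 0 if the argument is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
  local IFS=. octet count=0
  case "$1" in *[!0-9.]*|""|.*|*.|*..*) return 1 ;; esac
  for octet in $1; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
  done
  [ "$count" -eq 4 ]
}

# Print the extfile.cnf line for a node certificate.
# usage: build_san <service_ip> <node_ip> <hostname> [<ha_endpoint>]
# <ha_endpoint> is the HA_VIRTUAL_IP or LOAD_BALANCER_HOST value; omit it for
# a single-master deployment. An IPv4 value gets the IP: prefix, a host name
# gets DNS:, which is the distinction the four multiple-master variants make.
build_san() {
  local service_ip="$1" node_ip="$2" host="$3" ha="${4:-}" san
  is_ipv4 "$service_ip" || { echo "service IP is not IPv4: $service_ip" >&2; return 1; }
  is_ipv4 "$node_ip" || { echo "node IP is not IPv4: $node_ip" >&2; return 1; }
  san="IP:$service_ip,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc"
  san="$san,DNS:kubernetes.default.svc.cluster.local,IP:$node_ip,DNS:$host"
  if [ -n "$ha" ]; then
    if is_ipv4 "$ha"; then san="$san,IP:$ha"; else san="$san,DNS:$ha"; fi
  fi
  printf 'subjectAltName=%s\n' "$san"
}

# List every entry of an extfile line that is absent from the output of
# "openssl x509 -noout -text". openssl prints IP entries as "IP Address:<ip>".
# usage: missing_sans <extfile_line> <cert_text>; returns 1 if any is missing
missing_sans() {
  local entries="${1#subjectAltName=}" cert_sans entry want rc=0
  cert_sans="$(printf '%s\n' "$2" | awk '
    /X509v3 Subject Alternative Name/ { getline; gsub(/[ \t]/, ""); print; exit }')"
  local IFS=,
  for entry in $entries; do
    case "$entry" in
      IP:*) want="IPAddress:${entry#IP:}" ;;
      *)    want="$entry" ;;
    esac
    case ",$cert_sans," in
      *",$want,"*) ;;
      *) echo "$entry"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: the relevant part of "openssl x509 -noout -text" output
# for a certificate that was renewed without the HA virtual IP.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:172.17.17.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:192.0.2.1, DNS:master1.example.com'

expected="$(build_san 172.17.17.1 192.0.2.1 master1.example.com 192.0.2.10)"
echo "$expected"
echo "SAN entries missing from the certificate:"
missing_sans "$expected" "$SAMPLE_CERT_TEXT" || true
```

On a node, pass the output of openssl x509 -in server.crt -noout -text as the second argument of missing_sans before you restart kube-service.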

Security recommendations

We recommend that you add the following iptables rules on the target server.

Target server | Ports | Service | Direction | Note | Description
NFS | 111 | NFS | Master and worker -> NFS | Mandatory | NFS server port. All cluster nodes should be able to access this port.
NFS | 2049 | NFS | Master and worker -> NFS | Mandatory | NFS server port. All the cluster nodes should be able to access this port.
NFS | 20048 | NFS | Master and worker -> NFS | Mandatory | NFS server port. All the cluster nodes should be able to access this port.
Master | 2380 | Etcd | Master <-> Master | Mandatory | Etcd service port. All the master nodes should be able to access this port for the etcd cluster communication.
Master | 4001 | Etcd | Master and worker -> Master | Mandatory | Etcd service port. All the cluster nodes should be able to access this port for the client connection.
Master | 8200 | Vault | Master and worker -> Master | Mandatory | Vault port. All the cluster nodes should be able to access this port for the client connection.
Master | 8201 | Vault | Master and worker -> Master | Mandatory | Vault port. All the cluster nodes should be able to access this port for peer member connection.
Master and worker | 10250 | Kubernetes | Master and worker -> Master and worker | Mandatory | Kubernetes port. All the cluster nodes should be able to access this port for internal communication.
Master and worker | 10251 | Kubernetes | Master and worker -> Master and worker | Mandatory | Kubernetes port. All the cluster nodes should be able to access this port for the internal communication.
Master and worker | 10252 | Kubernetes | Master and worker -> Master and worker | Mandatory | Kubernetes port. All the cluster nodes should be able to access this port for internal communication.
Master and worker | 10256 | Kubernetes | Master and worker -> Master and worker | Mandatory | Kubernetes port. All the cluster nodes should be able to access this port for internal communication.
Master and worker | 8443 | Kubernetes | Master and worker -> Master and worker | Mandatory | API server port. All the cluster nodes should be able to access this port for the client connection.
Master and worker | 5443 | MngPortal | All clients -> Ingress node | Mandatory | The port is exposed on ingress node. All clients should be able to access this port.
Master and worker | 5444 | MngPortal | All clients -> Ingress node | Mandatory | The port is exposed on ingress node. All nodes should be able to access this port when using 2-way certificate authentication.
Master and worker | 5000 | local registry | Master and worker -> Master and worker | Mandatory | All the nodes should be able to access this node to communicate with the local registry.
Master and worker | 3000 | SuiteFronted | All clients -> Ingress Node | Mandatory | The port is exposed on the ingress node. All clients should be able to access this port.
Master and worker | 8472 | Kubernetes | Master and worker -> Master and worker | Optional | All cluster nodes should be able to access this port. This port is for communication between worker nodes and master nodes when you have configured the parameter FLANNEL_BACKEND_TYPE to vxlan.

Example:
Assume that the cluster nodes are: 192.0.2.0, 192.0.2.1, 192.0.2.2. The master node is: 192.0.2.0.
In this example, to add iptables rules for port 8443 on the master node, you run the following commands on the
master node:
iptables -I INPUT 1 -p tcp -m tcp -s 0.0.0.0/0 --dport 8443 -j DROP
iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 8443 -j ACCEPT
iptables -I INPUT 1 -p tcp -s 192.0.2.0 --dport 8443 -j ACCEPT
iptables -I INPUT 1 -p tcp -s 192.0.2.1 --dport 8443 -j ACCEPT
iptables -I INPUT 1 -p tcp -s 192.0.2.2 --dport 8443 -j ACCEPT
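
The following added example (not part of the SMAX documentation) generates the commands above for any port and node list and models how -I INPUT 1 orders the chain, which shows why the DROP rule has to be run first. The function names and the address 198.51.100.7 are constructed; the model tracks only the source and target of each rule, not the protocol or port.

```shell
#!/usr/bin/env bash
# Added example: generate the per-port rules and check their resulting order.

# Print the iptables commands that restrict <port> to localhost and the listed
# nodes. The DROP rule is printed first: every command inserts at position 1,
# so the rule that is run first ends up last in the chain.
emit_port_rules() {  # usage: emit_port_rules <port> <node_ip>...
  local port="$1" ip
  shift
  echo "iptables -I INPUT 1 -p tcp -m tcp -s 0.0.0.0/0 --dport $port -j DROP"
  for ip in 127.0.0.1 "$@"; do
    echo "iptables -I INPUT 1 -p tcp -s $ip --dport $port -j ACCEPT"
  done
}

# Model "-I INPUT 1" for commands read from stdin: each new rule is placed
# above the rules inserted before it. Prints "<source> <target>" per rule,
# top of the chain first.
resulting_chain() {
  awk '{
    src = ""; tgt = ""
    for (i = 1; i < NF; i++) {
      if ($i == "-s") src = $(i + 1)
      if ($i == "-j") tgt = $(i + 1)
    }
    chain = src " " tgt "\n" chain
  } END { printf "%s", chain }'
}

# Print the verdict for a packet from <source_ip>: the target of the first
# rule, from the top, whose source matches (0.0.0.0/0 matches any source).
verdict() {  # usage: verdict <source_ip>  (chain on stdin)
  awk -v ip="$1" '
    $1 == ip || $1 == "0.0.0.0/0" { print $2; found = 1; exit }
    END { if (!found) print "POLICY" }'
}

# The node list from the example above, and a constructed outside address.
rules="$(emit_port_rules 8443 192.0.2.0 192.0.2.1 192.0.2.2)"
printf '%s\n' "$rules"
echo "Resulting chain, top first:"
printf '%s\n' "$rules" | resulting_chain
echo "192.0.2.1    -> $(printf '%s\n' "$rules" | resulting_chain | verdict 192.0.2.1)"
echo "198.51.100.7 -> $(printf '%s\n' "$rules" | resulting_chain | verdict 198.51.100.7)"
```

If the DROP command is run after the ACCEPT commands instead, it lands at the top of the chain and the cluster nodes lose access to the port as well.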

Firewall

To open your firewall, the following ports should be available on the target server.

Target | Protocol | Source | Source port | Target port | Service | Description
NFS | TCP NFS | Master and worker | * | 111 | NFS | Access to portmapper for NFS by all nodes.
NFS | UDP NFS | Master and worker | * | 111 | NFS | Access to portmapper for NFS by all nodes.
NFS | TCP NFS | Master and worker | * | 2049 | NFS | Access to NFS server by all nodes.
NFS | TCP NFS | Master and worker | * | 20048 | NFS | Access to portmapper for NFS by all nodes.
Master | TCP HTTPS | Master | * | 2380 | Etcd | Etcd service port for etcd cluster communication
Master | TCP HTTPS | Master and worker | * | 4001 | Etcd | Etcd service port for etcd cluster communication from client.
Master | TCP HTTPS | Master | * | 8200 | Vault | Access to Vault port for client connection by all nodes.
Master | TCP HTTPS | Master | * | 8201 | Vault | Access to Vault port for client connection by all nodes.
Master | TCP HTTPS | Master | * | 8443 | Kubernetes | Access to API server port for client connection by all nodes.
Master | TCP HTTPS | Client host, master and worker | * | 3000 | SuiteFronted | Access to CDF portal by external clients and all nodes.
Master | TCP HTTPS | Client host, master and worker | * | 5000 | Local registry | Communicate with the local registry.
Master | TCP HTTPS | Client host, master and worker | * | 5443 | CDF Management Portal | Access to CDF management portal by external clients and cluster nodes.
Master | TCP HTTPS | Client host, master and worker | * | 5444 | CDF Management Portal | Access to CDF management portal by external clients and cluster nodes using 2-way certificate authentication.
Master and worker | TCP HTTPS | Masters | * | 8472 | Kubernetes | Kubernetes port for internal communication
Master and worker | TCP HTTPS | Master and worker | * | 10250 | Kubernetes | Kubernetes port for internal communication
Master and worker | TCP HTTPS | Master and worker | * | 10251 | Kubernetes | Kubernetes port for internal communication
Master and worker | TCP HTTPS | Master and worker | * | 10252 | Kubernetes | Kubernetes port for internal communication
Master and worker | TCP HTTPS | Master and worker | * | 10256 | Kubernetes | Kubernetes port for internal communication
TBD | TCP HTTPS | Master | * | TBD | TBD | During installation, need outbound access to download docker images - depends on method of download.

To check whether a port is in use, run the following command:
netstat -antp | grep <port_number_to_check>
Replace <port_number_to_check> with the port number that you want to check.
For example:
netstat -antp | grep :111

Related topics

Enable a firewall in the suite environment


Shut down a cluster node

Pods drained to other nodes

If you expect the pods on the node that you are going to shut down to be drained to other running nodes before
you stop the node, run the following commands to stop Kubernetes:
cd $K8S_HOME/bin
./kube-stop.sh

Pods not drained to other nodes

If you expect the pods on the node that you are going to shut down not to be drained to other running nodes
before you stop the node, run the following commands to stop Kubernetes:
cd $K8S_HOME/bin
./kube-stop.sh -u

Note
If the node is stopped for a long period, the pods on this node will still be drained to other running nodes.


CDF backup, restore and disaster recovery

● Back up CDF
● Restore CDF
● Disaster recovery


Back up CDF

Back up CDF installation files

To restore CDF, you must back up all the related data in advance.

1. Run the following command to get the value of parameter RUNTIME_CDFDATA_HOME from the base-configmap on any
of the master nodes:
kubectl get cm base-configmap -n core -o yaml
2. Run the following commands on each cluster node to back up folders and files on all master nodes and worker
nodes:
export RUNTIME_CDFDATA_HOME=<the value>
tar zcvf k8s_service_backup.tar.gz /usr/lib/systemd/system/kube-proxy.service /usr/lib/systemd/system/kubelet.service /usr/lib/systemd/system/docker-bootstrap.service /usr/lib/systemd/system/docker-bootstrap.service.d /usr/lib/systemd/system/docker.service /usr/lib/systemd/system/docker.service.d
tar zcvf k8s_backup.tar.gz ${K8S_HOME} --exclude ${RUNTIME_CDFDATA_HOME} --exclude data/docker-bootstrap --exclude data/docker --exclude log --exclude data/etcd/data/member --exclude data/fluentd
cp ~/.kube/config kube-config

Files and folders that have been backed up include:

● /usr/lib/systemd/system/kubelet.service
● /usr/lib/systemd/system/kube-proxy.service
● /usr/lib/systemd/system/docker.service
● /usr/lib/systemd/system/docker.service.d/http_proxy.conf
● /usr/lib/systemd/system/docker-bootstrap.service
● /usr/lib/systemd/system/docker-bootstrap.service.d/http_proxy.conf
● All files in folder $K8S_HOME/ except $K8S_HOME/data


Back up CDF database data

Back up the external database with the following steps:

Note
It is recommended to back up the external database frequently according to the business requirements.

Back up external database

If you used an external database (PostgreSQL or Oracle) to install CDF, you need to back up the external database.
Refer to the related database manual for the detailed backup steps.

Back up suite-db and idm-db (default PostgreSQL)

Use the database backup tool to back up the suite-db database and the idm-db database. The tool is located in the
${K8S_HOME}/tools/postgres-backup directory, and the logs are in /tmp/postgres_backup.log.

Note
Make sure the backup service is running with the following command:
kubectl get pods -n {suite_namespaces} --show-all | grep backup

Perform the following steps on any one of the master nodes to back up the suite-db database and the idm-db database.

Note
Follow the same steps below to back up only the suite-db database.

1. Go to the database backup directory with the following command:
cd ${K8S_HOME}/tools/postgres-backup
Get the authorization token with the following command, and copy the token. You will be asked to enter this token
later.
./getRestoreToken
2. Run the following command to back up the database. You will be asked to enter the authorization token.
./db_admin.sh backup
Your screen looks like below:


/opt/kubernetes/tools/postgres-backup> ./db_admin.sh backup


[INFO] 2018-08-15 13:38:31 : Start postgres database backup ...
Please input the authorization: OTZmMGVlMmYtMThmZi00NDg2LTk1NjgtMWFmMTUwZTdiMmJi
[INFO] 2018-08-15 13:38:43 : Backup location: 2018-08-15T05:38:43.686Z

3. Run the following command to check the backup status.


./db_admin.sh status -l {backup location} -t backup
For example: ./db_admin.sh status -l 2018-08-15T05:38:43.686Z -t backup
You will be asked to input the authorization. Your terminal looks like below:

[root@apitestsingle postgres-backup]# cd ${K8S_HOME}/tools/postgres-backup


[root@apitestsingle postgres-backup]# ./getRestoreToken
Authorizatoin is : MWRkYWI0OWUtYWY3MC00OTRlLTlmN2ItZTk5NThkYTBkMWI2
[root@apitestsingle postgres-backup]# ./db_admin.sh backup
[INFO] 2018-08-15 16:21:51 : Start postgres database backup ...
Please input the authorization: MWRkYWI0OWUtYWY3MC00OTRlLTlmN2ItZTk5NThkYTBkMWI2
[INFO] 2018-08-15 16:21:58 : Backup location: 2018-08-15T05:38:43.686Z
[root@apitestsingle postgres-backup]# ./db_admin.sh status -l 2018-07-17T08:22:27.634Z -t backup
[INFO] 2018-08-15 16:28:45 : Fetching database backup/restore status ...
Please input the authorization: MWRkYWI0OWUtYWY3MC00OTRlLTlmN2ItZTk5NThkYTBkMWI2
[INFO] 2018-08-15 16:28:51 :
{
"_links": {
"self": {
"href": "/backupd/api/v1/backups/2018-08-15T05:38:43.686Z",
"class": "entity"
},
"restore": {
"href": "/backupd/api/v1/backups/2018-08-15T05:38:43.686Z/restore",
"title": "restore",
"class": "entity"
}
},
"version": "1",
"user": "admin",
"mode": "full",
"applications": {
"itom-demo": {
"postgres-svc.demo1": {
"status": "SUCCESS"
}
},
"itom-core": {


"default-postgresql-svc.core": {
"status": "SUCCESS"
},
"suite-db-svc.core": {
"status": "SUCCESS"
}
}
},
"status": "SUCCESS"
}

4. Get the backup data directory with the following command: kubectl get pv -n core | grep db-backup-vol
Then your terminal looks like below:

# kubectl get pv -n core | grep db-backup-vol
demo-XXXXX-db-backup-vol 1Mi RWX Retain Bound demo1/db-backup-vol 1h
kubectl get pv demo-XXXXX-db-backup-vol -n core -o json | $K8S_HOME/bin/jq -r .spec.nfs.server
yourNFS.mycomany.com
kubectl get pv demo-XXXXX-db-backup-vol -n core -o json | $K8S_HOME/bin/jq -r .spec.nfs.path
/nfs/db-backup-vol

5. In the example, the backup path is /nfs/db-backup-vol. The server is myhost.mycomany.com.


6. Get the log folder with the following commands:
cd <backup directory>
cd pg-data-backup
ll
Your terminal looks like below:

# cd /nfs/db-backup-vol
# cd pg-data-backup/
# ll
total 0
drwxr-x---. 4 1999 1999 35 May 21 14:43 backupd
drwxr-x---. 2 1999 1999 48 May 21 14:15 log


Back up etcd data

Back up the etcd data when etcd is in running status. Perform the following steps on any one of the master nodes.

1. Run the following command to back up etcdv3 data.
ETCDCTL_API=3 etcdctl --endpoints https://{ETCD_ENDPOINT}:4001 --cacert ${K8S_HOME}/ssl/ca.crt --cert ${K8S_HOME}/ssl/server.crt --key ${K8S_HOME}/ssl/server.key snapshot save snapshot.db
2. Run the following command to back up the flannel data.
ETCDCTL_API=2 etcdctl -endpoint https://{ETCD_ENDPOINT}:4001 -ca-file ${K8S_HOME}/ssl/ca.crt -cert-file ${K8S_HOME}/ssl/server.crt -key-file ${K8S_HOME}/ssl/server.key get /coreos.com/network/config > flannel.data

Back up data in exported NFS folders

Back up the NFS exported core volume. For example: /var/vols/itom/core.

Back up base-configmap on master node

To back up the base-configmap on one of your master nodes, run the following command on the master node:
kubectl get cm base-configmap -n core -o json | $K8S_HOME/bin/jq -r .data > $BACKUP_FOLDER/base-configmap.bak
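An added example, not part of the CDF tooling: kube-config holds cluster credentials and snapshot.db holds the etcd contents, including Kubernetes Secrets, so the backup set should be complete, readable only by its owner, and checked for changes before it is used for a restore. The file names are the ones produced by the steps above; collecting them in one directory, the MANIFEST.sha256 file and the function names are assumptions.

```shell
#!/bin/sh
# Artifacts written by the backup steps on this page, collected in one
# directory (that layout is an assumption of this example).
BACKUP_FILES="k8s_service_backup.tar.gz k8s_backup.tar.gz kube-config snapshot.db flannel.data base-configmap.bak"

# sha256_of FILE: print the SHA-256 digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# seal_backup DIR: fail if an expected artifact is missing or empty, restrict
# permissions to the owner, then record every digest in DIR/MANIFEST.sha256.
seal_backup() {
    dir=$1
    for f in $BACKUP_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done
    chmod 700 "$dir"
    : > "$dir/MANIFEST.sha256"
    for f in $BACKUP_FILES; do
        chmod 600 "$dir/$f"
        printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$dir/MANIFEST.sha256"
    done
    chmod 600 "$dir/MANIFEST.sha256"
}

# verify_backup DIR: recompute every digest before a restore. Prints
# "MISMATCH <name>" for each file that changed or disappeared and returns
# non-zero if there was any.
verify_backup() {
    dir=$1
    bad=0
    while read -r want name; do
        if [ ! -f "$dir/$name" ] || [ "$(sha256_of "$dir/$name")" != "$want" ]; then
            echo "MISMATCH $name"
            bad=1
        fi
    done < "$dir/MANIFEST.sha256"
    return $bad
}

# Command-line use: ./backup_manifest.sh seal DIR | verify DIR
case "${1:-}" in
    seal)   seal_backup "$2" ;;
    verify) verify_backup "$2" ;;
esac
```

A manifest kept next to the backup detects corruption; to detect tampering as well, keep a copy of MANIFEST.sha256 somewhere the backup host cannot write to.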


Restore CDF
Restore the CDF installation according to your scenario.

Restore files which are deleted accidentally

When some files are deleted accidentally, you can restore them by copying them back from the backup folder. For
example: If the file $K8S_HOME/scripts/uploadimages.sh is deleted by accident, you can restore it from the backup
folder.

Note
The restored files must have the same owner and permissions as the deleted files.

Restore external database

If you used an external database (PostgreSQL or Oracle) to install CDF, you need to restore the external database.
Refer to the related database manual for the detailed restore steps.

Restore suite-db database and embedded database (PostgreSQL)

Note
Follow the same steps below to restore only the suite-db database.

Perform the following steps to restore the suite-db database and the embedded database (PostgreSQL).

1. Ensure that the itom-pg-backup pod and vault are in running status.


2. Set CDF cluster into STANDBY level with the following command:
${K8S_HOME}/scripts/cdfctl.sh runlevel set -l STANDBY

3. Go to the postgres-backup directory with the following command:


cd ${K8S_HOME}/tools/postgres-backup

4. Get the authorization token with the following command, and copy the token. You will be asked to enter the
authorization token later.
./getRestoreToken

5. Get the backup location list with the following command:


./db_admin.sh status -t backup
6. Enter the token for the question: "Please input the authorization."
Your screen will look like below:

/opt/kubernetes/tools/postgres-backup> ./db_admin.sh status -t backup


[INFO] 2018-08-15 12:53:11 : Fetching database backup/restore status ...
Please input the authorization: OTZmMGVlMmYtMThmZi00NDg2LTk1NjgtMWFmMTUwZTdiMmJi
[INFO] 2018-08-15 12:53:35 :
{
"_links": {
"self": {
"href": "/backupd/api/v1/backups",
"class": "collection"
},
"items": [
{
"href": "/backupd/api/v1/backups/2018-08-15T03:30:57.774Z",
"title": "2018-08-15T03:30:57.774Z"
},
{
"href": "/backupd/api/v1/backups/2018-08-15T03:32:05.790Z",
"title": "2018-08-15T03:32:05.790Z"
},
{
"href": "/backupd/api/v1/backups/2018-08-15T03:32:12.964Z",
"title": "2018-08-15T03:32:12.964Z"
}
]
}
}

7. Run the restore command: ./db_admin.sh restore -l {backup_Location}. Replace the backup_location in the
command with the real backup location you got from the previous step. For example: 2018-08-15T03:32:12.964Z
You will need to input the authorization token again.
For example:
./db_admin.sh restore -l 2018-08-15T03:32:12.964Z
[INFO] 2019-01-17 14:19:05 : Start postgres database restore ...
Please input the authorization: OTNhMDJiYjMtZDcwOC00OTM1LThkMjctMjAxYmViZDUyNDNh
[INFO] 2019-01-17 14:19:11 : Restore location: 2018-08-15T06:19:11.501Z
8. Check the restore status with the following command: ./db_admin.sh status -t restore -l {restore_location}
You will need to input the authorization token again.
For example: ./db_admin.sh status -t restore -l 2018-08-15T06:19:11.501Z

9. Set CDF cluster into UP level with the following command:


${K8S_HOME}/scripts/cdfctl.sh runlevel set -l UP

Restore etcd data

Restore etcd data according to your deployment.

Note
The parameters listed in the sections below can be found in base-configmap.bak. Run the following command to
get the parameters:
kubectl get cm base-configmap -n core -o json | jq -r .data > base-configmap.bak

● Replace {THIS_NODE} with the full FQDN hostname of the node where you are running commands.
● Replace <Master_Node1>, <Master_Node2>, <Master_Node3> with the full FQDN hostname of the three master
nodes respectively.

In a single-master node deployment

Follow the steps below to restore etcd data in a single-master node deployment environment.

1. Get etcd data directory permission with the following command:


ls -l {RUNTIME_CDFDATA_HOME}/etcd/data


2. Restore etcdv3 data with the following command:


ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name {THIS_NODE} --initial-cluster={THIS_NODE}=https://{THIS_NODE}:2380 --initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://{THIS_NODE}:2380

3. Stop etcd container with the following command:


docker -H unix:///var/run/docker-bootstrap.sock stop etcd_container

4. Move etcdv3 data to ${K8S_HOME}/data/etcd/data with the following commands:


rm -rf {RUNTIME_CDFDATA_HOME}/etcd/data/member
/bin/cp -r {THIS_NODE}.etcd/member {RUNTIME_CDFDATA_HOME}/etcd/data/member

5. Change permission of etcd data directory with the following command:


chown -R {USER_ID}:{GROUP_ID} {RUNTIME_CDFDATA_HOME}/etcd/data
6. Start etcd container with the following command: $K8S_HOME/scripts/startEtcd.sh -y
7. Restore flannel data with the following command:
ETCDCTL_API=2 etcdctl -endpoint=https://{THIS_NODE}:4001 -ca-file ${K8S_HOME}/ssl/ca.crt -cert-file ${K8S_HOME}/ssl/server.crt -key-file ${K8S_HOME}/ssl/server.key set /coreos.com/network/config "$(cat flannel.data)"

8. Restart flannel with the following command:


$K8S_HOME/scripts/startFlannel.sh -y

In a multiple-master node deployment

Follow the steps below to restore the etcd data in multiple-master node deployment environment.

1. Log in to one of the master nodes that has the snapshot.db file.


2. Get etcd data directory permission with the following command:
ls -l {RUNTIME_CDFDATA_HOME}/etcd/data

3. Restore etcdv3 data with the following commands:


ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name {Master_Node1} \
--initial-cluster={Master_Node1}=https://{Master_Node1}:2380,{Master_Node2}=https://{Master_Node2}:2380,{Master_Node3}=https://{Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://{Master_Node1}:2380
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name {Master_Node2} \
--initial-cluster={Master_Node1}=https://{Master_Node1}:2380,{Master_Node2}=https://{Master_Node2}:2380,{Master_Node3}=https://{Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://{Master_Node2}:2380
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name {Master_Node3} \
--initial-cluster={Master_Node1}=https://{Master_Node1}:2380,{Master_Node2}=https://{Master_Node2}:2380,{Master_Node3}=https://{Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://{Master_Node3}:2380

4. Stop etcd container in all the master nodes with the following command:
docker -H unix:///var/run/docker-bootstrap.sock stop etcd_container
5. Move etcdv3 data to ${K8S_HOME}/data/etcd/data with the following commands:
rm -rf {RUNTIME_CDFDATA_HOME}/etcd/data/member (Run this step on all the master nodes one by one)
scp -r {Master_Node1}.etcd/member root@{Master_Node1}:{RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r {Master_Node2}.etcd/member root@{Master_Node2}:{RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r {Master_Node3}.etcd/member root@{Master_Node3}:{RUNTIME_CDFDATA_HOME}/etcd/data/member

6. Change permission of etcd data directory in all the master nodes with the following command:
chown -R {USER_ID}:{GROUP_ID} {RUNTIME_CDFDATA_HOME}/etcd/data
7. Start etcd container in all the master nodes with the following command:

$K8S_HOME/scripts/startEtcd.sh -y
8. Restore flannel data with the following command:
ETCDCTL_API=2 etcdctl -endpoint=https://{THIS_NODE}:4001 -ca-file ${K8S_HOME}/ssl/ca.crt -cert-file ${K8S_HOME}/ssl/server.crt -key-file ${K8S_HOME}/ssl/server.key set /coreos.com/network/config "$(cat flannel.data)"
9. Restart flannel in all the master nodes with the following command:
$K8S_HOME/scripts/startFlannel.sh -y

Troubleshooting

If the etcd container fails to start when you try to restore etcd, perform the following steps to restart the etcd
container.

1. Run the following command to stop etcd container.


docker -H unix:///var/run/docker-bootstrap.sock stop etcd_container


2. Run the following command to remove etcd container.


docker -H unix:///var/run/docker-bootstrap.sock rm etcd_container

3. Run the following command to restart etcd container.


$K8S_HOME/scripts/startEtcd.sh -y

If the flannel container fails to start when you try to restore flannel, perform the following steps to restart the
flannel container.

1. Run the following command to stop flannel container.


docker -H unix:///var/run/docker-bootstrap.sock stop kube_flannel

2. Run the following command to remove flannel container.


docker -H unix:///var/run/docker-bootstrap.sock rm kube_flannel

3. Run the following command to restart flannel container.


$K8S_HOME/scripts/startFlannel.sh -y

Restore NFS server

There are two ways to restore the NFS server when an NFS server has crashed.

● Restore NFS server to the original NFS server and path.


● Restore NFS server to a new NFS server.

Restore NFS server to the original NFS server and path

Restore NFS server to the original NFS server and path with the following steps.

1. Back up NFS server data regularly.


2. Use the same hostname or IPv4 address and directory to set up a new NFS server on a new node to replace the old
NFS server and directory.
3. Restore the NFS data into the new NFS server path.


Restore old NFS to a new NFS server

Restore data into a new NFS server with the following steps.

1. Back up NFS server data regularly.


2. Set up new NFS paths and restore the NFS data from the old path to the new path. You need to change the
persistent volume path to the new NFS paths one by one with the following steps.
Note
You can only change the server and path for the persistent volume claims (PVC).
After changing the persistent volume (PV) information, you must restart Kubernetes. Follow the steps below to
change the PV after CDF has been installed successfully.

1. Follow the steps below to stop the services that are using the PV you want to change. If there are some
dependent services, you need to stop the dependent services first, and then stop the services that use the
PV you want to change.
1. Search for the services that are using the PV you want to change with the following commands.
cd $K8S_HOME/scripts
./volume_admin.sh search <PV_name>
For example, you want to change PV: itom-vol.
Your terminal looks like below:

[root@shcCent scripts]# ./volume_admin.sh search itom-vol


NAMESPACE KIND CONSUME REPLICAS PATH
core DaemonSet kube-registry <none>
/opt/kubernetes/objectdefs/yaml_template/output/kube-registry.yaml
core Deployment idm 2 <none>
core Deployment mng-portal 1 <none>
core Deployment suite-conf-pod-demo 1 <none>
core Deployment suite-db 1 <none>
core Deployment suite-installer-frontend 1 <none>
core Pod itom-cdf-image-utils <none>
/opt/kubernetes/objectdefs/yaml_template/output/itom-cdf-image-utils.yaml

2. Save the Replicas numbers of the services to a secure place. You will need these numbers later.
3. Stop the services that are using the PV according to the service type:
● For the Deployment services, run kubectl scale --replicas=0 deployment/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=0 deployment/idm -n core
● For the StatefulSet services, run kubectl scale --replicas=0 sts/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=0 sts/demo1-app-api -n demo1
● For ReplicaSet services, run kubectl scale --replicas=0 replicaset/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=0 replicaset/mng-portal-59fc97497f -n core
● For ReplicationController services, run kubectl scale --replicas=0 rc/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=0 rc/test -n core
● For other types of services, run kubectl delete -f <PATH>
For example: kubectl delete -f /opt/kubernetes/objectdefs/yaml_template/output/kube-registry.yaml

3. Create a new NFS exported volume according to Set up an NFS server.
4. Get the PV details you want to change with the following command:
kubectl get pv
Your terminal looks like below:

NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
db-node1 5Gi RWX Retain Bound core/db-node1-vol 9d
db-node2 5Gi RWX Retain Bound core/db-node2-vol 9d
itom-vol 5Gi RWX Retain Bound core/itom-vol-claim 9d

5. Get the detailed information about the PV with the following command:
kubectl get pv <your pv name> -o yaml
Your terminal resembles the following:

# kubectl get pv db-node1 -o yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/bound-by-controller: "yes"
  creationTimestamp: 2018-06-15T09:38:09Z
  labels:
    pv_pvc_label: 1ks12
  name: db-node1
  resourceVersion: "1329"
  selfLink: /api/v1/persistentvolumes/db-node1
  uid: d058a19c-707f-11e8-b28c-005056977856
spec:
  accessModes:
  - ReadWriteMany
  capacity:
    storage: 5Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: db-node1-vol
    namespace: core
    resourceVersion: "1327"
    uid: d059c02a-707f-11e8-b28c-005056977856
  nfs:
    path: /var/vols/itom/dbnode1vol
    server: 16.155.194.116
  persistentVolumeReclaimPolicy: Retain
status:
  phase: Bound

6. Copy the data from the volume you configured for installation to the newly exported volume with the
following command:
cp -rfp <old_Nfs_folder>/* <new_Nfs_folder>
For example: cp -rfp /var/vols/itom/demo1/* /var/vols/itom/demo3-backup
7. Run the volume_admin.sh script to change the PV. For example:
./volume_admin.sh reconfigure -v [pv name] -s [nfs server] -p [new nfs path] -t nfs
8. Restart the Kubernetes services that consume the PV you have changed according to their types:
You need to scale up the replicas of the related services to the original numbers.
Replace <REPLICAS> with the original replicas numbers.
■ For the Deployment services, run kubectl scale --replicas=<REPLICAS> deployment/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=2 deployment/idm -n core
■ For the StatefulSet services, run kubectl scale --replicas=<REPLICAS> sts/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=1 sts/demo1-app-api -n demo1
■ For ReplicaSet services, run kubectl scale --replicas=<REPLICAS> replicaset/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=1 replicaset/mng-portal-59fc97497f -n core
■ For ReplicationController services, run kubectl scale --replicas=<REPLICAS> rc/<CONSUME> -n <NAMESPACE>
For example: kubectl scale --replicas=1 rc/test -n core
■ For other types of services, run kubectl create -f <PATH>
For example: kubectl create -f /opt/kubernetes/objectdefs/yaml_template/output/kube-registry.yaml

14. Check the result with the following command:


kubectl get pv <your pv name> -o yaml
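The stop and restart steps of this procedure, as an added shell example that is not part of CDF: it saves the consumers and their replica counts from the volume_admin.sh search output, then prints the matching scale-down and scale-up commands for review. The column layout is taken from the sample terminal output on this page and is an assumption about volume_admin.sh; parse_consumers and scale_commands are hypothetical names, and the sample input is constructed.

```shell
#!/bin/sh
# Constructed sample in the column layout shown on this page; the first row
# has its PATH wrapped onto the next line, as in the page's terminal output.
SAMPLE_SEARCH='NAMESPACE KIND CONSUME REPLICAS PATH
core DaemonSet kube-registry <none>
/opt/kubernetes/objectdefs/yaml_template/output/kube-registry.yaml
core Deployment idm 2 <none>
core Deployment suite-db 1 <none>
demo1 StatefulSet demo1-app-api 1 <none>'

# parse_consumers: stdin = search output, stdout = one record per consumer,
# "namespace kind name replicas path". Rows whose fields are not plain
# Kubernetes-style names or paths are dropped, so nothing unexpected can end
# up inside a generated command line.
parse_consumers() {
    awk '
        function emit() { if (ns != "") print ns, kind, name, rep, path; ns = "" }
        $1 == "NAMESPACE" { next }
        NF == 1 && $1 ~ "^/" {               # wrapped PATH of the previous row
            if (ns != "" && $1 ~ "^[A-Za-z0-9._/-]+$") path = $1
            next
        }
        NF >= 4 {
            emit()
            ns = $1; kind = $2; name = $3; rep = $4
            path = (NF >= 5) ? $5 : "<none>"
            if (ns !~ "^[a-z0-9.-]+$" || name !~ "^[a-z0-9.-]+$" || kind !~ "^[A-Za-z]+$") ns = ""
            if (path != "<none>" && path !~ "^[A-Za-z0-9._/-]+$") ns = ""
        }
        END { emit() }'
}

# scale_commands MODE: stdin = parse_consumers records.
# MODE=down prints the stop commands; MODE=up prints the commands that
# restore the saved replica counts. Commands are printed, not executed, and
# are not ordered by service dependency.
scale_commands() {
    awk -v mode="$1" '
        BEGIN {
            res["Deployment"] = "deployment"; res["StatefulSet"] = "sts"
            res["ReplicaSet"] = "replicaset"; res["ReplicationController"] = "rc"
        }
        {
            ns = $1; kind = $2; name = $3; rep = $4; path = $5
            if (kind in res) {
                if (mode == "up" && rep !~ "^[0-9]+$") next
                n = (mode == "down") ? 0 : rep
                printf "kubectl scale --replicas=%s %s/%s -n %s\n", n, res[kind], name, ns
            } else if (path != "<none>") {
                printf "kubectl %s -f %s\n", (mode == "down" ? "delete" : "create"), path
            }
        }'
}

# Live use:
#   ./volume_admin.sh search itom-vol | parse_consumers > consumers.saved
#   scale_commands down < consumers.saved    # before changing the PV
#   scale_commands up   < consumers.saved    # after changing the PV
printf '%s\n' "$SAMPLE_SEARCH" | parse_consumers | scale_commands down
```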


Disaster recovery

Restore CDF when one or multiple worker nodes crashed

When one or more worker nodes crash, all the CDF features can still work normally because the pods on the crashed
nodes are moved to other nodes automatically. You can ignore those crashed worker nodes, and add other
worker nodes through the management portal. You can still see the crashed node when running the command:
kubectl get nodes.
To remove a crashed node from the node list, you can unregister it manually.

Restore CDF when one of the three master nodes crashed

When one of the three master nodes crashes, the services are not broken. However, the high availability
of the master nodes is lost. To enable high availability again, you must add the master node back manually. Make
sure the node you are going to add uses exactly the same IP address and FQDN as the crashed one. Perform the
following steps to add the crashed master node back.

Note
The new extended master node must be installed in the same way as the crashed master node. For
example, if the crashed master node was installed through the IP address, the new extended master node must be
installed through the IP address.

1. Get the parameters below from the base-configmap on any of the remaining master nodes with the
command: kubectl get cm base-configmap -n core -o yaml
❍ API_SERVER
❍ AUTO_CONFIGURE_FIREWALL
❍ AWS_EIP
❍ AWS_REGION
❍ CLOUD_PROVIDER
❍ DOCKER_HTTP_PROXY
❍ DOCKER_HTTPS_PROXY


❍ DOCKER_NO_PROXY
❍ ETCD_ENDPOINT
❍ FAIL_SWAP_ON
❍ FLANNEL_BACKEND_TYPE
❍ DEPLOYMENT_LOG_LOCATION
❍ HA_VIRTUAL_IP
❍ K8S_HOME
❍ KEEPALIVED_NOPREEMPT
❍ KEEPALIVED_VIRTUAL_ROUTER_ID
❍ KUBELET_HOME
❍ LOAD_BALANCER_HOST
❍ MASTER_API_SSL_PORT
❍ MASTER_NODES
❍ POD_CIDR
❍ REGISTRY_ORGNAME
❍ RUNTIME_CDFDATA_HOME
❍ SERVICE_CIDR
❍ SYSTEM_GROUP_ID
❍ SYSTEM_USER_ID
❍ TMP_FOLDER
2. Remove the crashed master node by running ./uninstall.sh or remove the etcd members manually and restart
the node.
❍ When the crashed node can still be started, run ./uninstall.sh on the master node server.
❍ When the crashed node cannot be started, add a new VM with the same IP or FQDN to install CDF.
Find the crashed etcd member on the existing nodes and then remove it with the following commands:
# ETCDCTL_API=3 etcdctl --endpoints=https://{HA_VIRTUAL_IP}:4001 --cacert ${K8S_HOME}/ssl/ca.crt --cert ${K8S_HOME}/ssl/server.crt --key ${K8S_HOME}/ssl/server.key member list
# ETCDCTL_API=3 etcdctl --endpoints=https://{HA_VIRTUAL_IP}:4001 --cacert ${K8S_HOME}/ssl/ca.crt --cert ${K8S_HOME}/ssl/server.crt --key ${K8S_HOME}/ssl/server.key member remove {broken_etcd_member_ID}
3. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker


2. Set up a thin pool for Docker with the following steps:


1. Create a physical volume with the following command:
# pvcreate [physical device name]
For example:
# pvcreate /dev/sdc1
The minimum physical volume size is 80 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate docker /dev/sdc1
3. Create a logical volume for the thin pool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool docker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
# vi /etc/lvm/profile/docker-thinpool.profile
2. Specify a value for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool space
that can be used, and the thin_pool_autoextend_percent parameter shows the percentage of the
thin pool space that will be extended within the mounted volume group. Auto extension will work only if
the enclosing volume group has space for the volume that is enclosed in it. If the volume group was
defined and is completely filled with logical volumes and has no space to extend, you must make space
in the volume group by adding storage or resizing other logical volumes in the group. To extend a
volume group, run the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend docker /dev/sdc3
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile docker-thinpool docker/thinpool
6. Verify that the lv is monitored with the following command:


# lvs -o+seg_monitor
7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata
bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile.
thin_pool_autoextend_threshold shows the maximum percentage of the thin pool space that can be
used. thin_pool_autoextend_percent shows the percentage of the thin pool space that will be extended
within the mounted volume group. Auto extension will work only if the enclosing volume group has
space for the volume that is enclosed in it. If the volume group was defined and is completely filled with
logical volumes and has no space to extend, you must make space in the volume group by
adding storage or resizing other logical volumes in the group. To extend a volume group, run the
following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in the
format [volume group name]-[logical volume name]. For example, if the VG name is docker and the LV name
is thinpool, the thin pool device name is docker-thinpool.
cd /dev/mapper
ll

2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The thin
pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
● For the first master node, specify the path of the THINPOOL_DEVICE parameter in the install.properties
file.
● For the second and third master nodes and all worker nodes, you need to specify the path when adding
the nodes on the installation portal.
5. Generate server certificate files on one of the remaining master nodes under $K8S_HOME/ssl with the
following commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in FQDN
format and then run the command.
# openssl genrsa -out master.key 4096
# openssl req -new -key master.key -subj "/CN={FQDN or IP of extended master node}" -out master.csr
# echo "subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER},IP:{IP of extended master node},DNS:{FQDN of extended master node},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" > extfile.cnf
# openssl x509 -req -sha256 -in master.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out master.crt -days 365
# rm -f extfile.cnf master.csr
6. Copy pre-check.sh under $K8S_HOME/script from one of the remaining master nodes to the temp folder
{TMP_FOLDER} of the extended master node.
7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from one of
the remaining master nodes to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node that you copied under $K8S_HOME/ssl.
9. Run the pre-check.sh script on the extended master node. Replace --virtual-ip {HA_VIRTUAL_IP} with the
--load-balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
# sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} \
    --k8s-home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} \
    --ca-file {TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt \
    --key-file {TMP_FOLDER}/master.key --network-address {NETWORK_ADDRESS} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --tmp {TMP_FOLDER} \
    --virtual-ip {HA_VIRTUAL_IP} -l {TMP_FOLDER}/pre-check.log --fail-swap-on {FAIL_SWAP_ON} \
    --runtime-home {RUNTIME_CDFDATA_HOME} --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --user {nonroot username} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name}
■ You can add the option --user <nonroot username> to use a non-root user to extend the node.
■ Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
■ Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
11. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master node to
the temp folder {TMP_FOLDER} of the extended master node.
12. Untar the CDF build on the extended master node with the following command:
# tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
13. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node
14. Start installing the master node with the following command. Replace --virtual-ip {HA_VIRTUAL_IP} with the
--load-balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} \
    --master-api-ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt \
    --cert-file {TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key \
    --k8s-master-ip {API_SERVER} --extend-masters "{FQDN or IP of extended master node}" \
    --keepalived-nopreempt {KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} \
    --etcd-endpoint {ETCD_ENDPOINT} --registry-orgname {REGISTRY_ORGNAME} \
    --system-user-id {SYSTEM_USER_ID} --system-group-id {SYSTEM_GROUP_ID} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --master-nodes {MASTER_NODES} \
    --tmp-folder {TMP_FOLDER} --ha-virtual-ip {HA_VIRTUAL_IP} \
    --keepalived-virtual-router-id {KEEPALIVED_VIRTUAL_ROUTER_ID} --pod-cidr {POD_CIDR} \
    --service-cidr {SERVICE_CIDR} --fail-swap-on {FAIL_SWAP_ON} \
    --runtime-home {RUNTIME_CDFDATA_HOME} --kubelet-home {RUNTIME_CDFDATA_HOME} \
    --deployment-log-location {DEPLOYMENT_LOG_LOCATION} \
    --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --aws-eip {AWS_EIP} --aws-region {AWS_REGION} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name} --docker-http-proxy {DOCKER_HTTP_PROXY} \
    --docker-https-proxy {DOCKER_HTTPS_PROXY} --docker-no-proxy {DOCKER_NO_PROXY}
■ Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
■ Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
■ Add the options --aws-eip {AWS_EIP} and --aws-region {AWS_REGION} if you install on the AWS cloud
provider and provide HA_VIRTUAL_IP instead of LOAD_BALANCER_HOST.
■ Add the option --docker-http-proxy or --docker-https-proxy to set up the HTTPS/HTTP proxy.
■ Add the option --docker-no-proxy {DOCKER_NO_PROXY} to specify the IPv4 addresses, FQDNs, and domain
names that do not need the proxy for Docker.
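The subjectAltName list from the certificate step above can be built and checked before master.crt is copied to the extended master node. The following shell sketch is an added example, not part of the vendor procedure: it applies the IP:/DNS: rule for {API_SERVER} and compares the wanted entries with the text printed by openssl x509 -noout -text -in master.crt. The function names and all sample addresses and host names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not vendor code. All addresses and host names are constructed samples.

# is_ipv4 VALUE: succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# san_entry VALUE: print IP:VALUE for an IPv4 address and DNS:VALUE for an FQDN.
san_entry() {
    if is_ipv4 "$1"; then printf 'IP:%s' "$1"; else printf 'DNS:%s' "$1"; fi
}

# build_san SVC_IP API_SERVER NODE_IP NODE_FQDN: print the extfile.cnf line.
build_san() {
    printf 'subjectAltName=IP:%s,%s,IP:%s,DNS:%s,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local\n' \
        "$1" "$(san_entry "$2")" "$3" "$4"
}

# missing_sans SAN_LINE CERT_TEXT: print the wanted entries that the certificate
# does not carry. CERT_TEXT is the output of: openssl x509 -noout -text -in master.crt
missing_sans() {
    want=${1#subjectAltName=}
    # The SAN values are on the line that follows the extension header.
    have=$(printf '%s\n' "$2" |
        awk 'found { print; exit } /X509v3 Subject Alternative Name/ { found = 1 }')
    # openssl prints "IP Address:" where the extfile uses "IP:"; normalise it.
    have=$(printf '%s' "$have" | tr -d ' ' | sed 's/IPAddress:/IP:/g')
    missing=""
    old_ifs=$IFS; IFS=,
    for entry in $want; do
        case ",$have," in
            *",$entry,"*) ;;
            *) missing="$missing${missing:+ }$entry" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "$missing"
}

# Constructed excerpt of "openssl x509 -noout -text" output; the last DNS name
# of the list is left out on purpose so that the check has something to report.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:172.17.17.1, DNS:cdf.example.test, IP Address:10.0.0.12, DNS:master2.example.test, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc'

san=$(build_san 172.17.17.1 cdf.example.test 10.0.0.12 master2.example.test)
printf '%s\n' "$san"
printf 'missing from certificate: %s\n' "$(missing_sans "$san" "$SAMPLE_CERT_TEXT")"
```

An empty result from missing_sans means every name and address in the list is present in the issued certificate.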

Restore CDF when two of the three master nodes crashed

When two of the three master nodes have crashed and the third master node runs well, the services could still be
corrupted. However, the data is still there, because one master node still runs well. Follow the steps below to
recover the system manually. Make sure that the extended nodes have exactly the same IPv4 addresses and FQDNs
as the crashed ones.

Note
The newly extended master node must be installed in the same way as the crashed master node. For
example, if the crashed master node was installed through the IP address, the new extended master node must be
installed through the IP address.

1. Before the cluster crashes, store the parameters below from the base-configmap on the remaining master node
with the following command:
kubectl get cm base-configmap -n core -o yaml
❍ API_SERVER
❍ AUTO_CONFIGURE_FIREWALL
❍ AWS_EIP
❍ AWS_REGION
❍ CLOUD_PROVIDER
❍ DOCKER_HTTP_PROXY
❍ DOCKER_HTTPS_PROXY
❍ DOCKER_NO_PROXY
❍ ETCD_ENDPOINT
❍ FAIL_SWAP_ON

❍ FLANNEL_BACKEND_TYPE
❍ DEPLOYMENT_LOG_LOCATION
❍ HA_VIRTUAL_IP
❍ K8S_HOME
❍ KEEPALIVED_NOPREEMPT
❍ KEEPALIVED_VIRTUAL_ROUTER_ID
❍ KUBELET_HOME
❍ LOAD_BALANCER_HOST
❍ MASTER_API_SSL_PORT
❍ MASTER_NODES
❍ POD_CIDR
❍ REGISTRY_ORGNAME
❍ RUNTIME_CDFDATA_HOME
❍ SERVICE_CIDR
❍ SYSTEM_GROUP_ID
❍ SYSTEM_USER_ID
❍ TMP_FOLDER

2. Add the crashed master nodes back. To do this, log in to the remaining master node and remove the existing
etcd members by force with the following commands:
docker -H unix:///var/run/docker-bootstrap.sock rm -f etcd_container
$K8S_HOME/scripts/startEtcd.sh -y
3. Remove the crashed master nodes by running the ./uninstall.sh on the master node servers and restart the
nodes.
❍ When the crashed nodes are still running, run the ./uninstall.sh on the master node server.
❍ When the crashed nodes are uninstalled, add a new VM with the same IP or FQDN and install CDF.

4. Perform the following steps on the first extended master node.


1. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker

2. Set up a thin pool for Docker with the following steps:


1. Create a physical volume with the following command:

# pvcreate [physical device name]


For example:
# pvcreate /dev/sdc1
The minimum physical volume size is 80 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate docker /dev/sdc1
3. Create a logical volume for the thin pool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool docker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
# vi /etc/lvm/profile/docker-thinpool.profile
2. Specify a value for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool
space that can be used, and the thin_pool_autoextend_percent parameter shows the percentage
of the thin pool space that will be extended within the mounted volume group. Auto extension will
work only if the enclosing volume group has space for the volume that is enclosed in it. If the volume
group was defined and is completely filled with logical volumes and has no space to extend, you
must make space in the volume group by adding storage or resizing other logical volumes in the
group. To extend a volume group, run the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend docker /dev/sdc3
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile docker-thinpool docker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor

7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool space that can
be used, and the thin_pool_autoextend_percent parameter shows the percentage of the thin pool space
that will be extended within the mounted volume group. Auto extension will work only if the enclosing
volume group has space for the volume that is enclosed in it. If the volume group was defined and is
completely filled with logical volumes and has no space to extend, you must make space in the volume
group by adding storage or resizing other logical volumes in the group. To extend a volume group, run
the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in the
format [volume group name]-[logical volume name]. For example, if the VG name is docker and the LV name
is thinpool, the thin pool device name is docker-thinpool.
cd /dev/mapper
ll

2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The
thin pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
❍ For the first master node, specify the path of the THINPOOL_DEVICE parameter in the
install.properties file.
❍ For the second and third master nodes and all worker nodes, you need to specify the path when
adding the nodes on the installation portal.
5. Generate server certificate files on the remaining master node under $K8S_HOME/ssl with the following
commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in FQDN
format and then run the command.
openssl genrsa -out master.key 4096
openssl req -new -key master.key -subj "/CN={FQDN or IP of extended master node}" -out master.csr
echo "subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER},IP:{IP of extended master node},DNS:{FQDN of extended master node},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" > extfile.cnf
openssl x509 -req -sha256 -in master.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out master.crt -days 365
rm -f extfile.cnf master.csr

6. Copy pre-check.sh under $K8S_HOME/script from the remaining master node to the temp folder
{TMP_FOLDER} of the extended master node.
7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from
existing master node to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node under $K8S_HOME/ssl.
9. Run the pre-check.sh script on the extended master node as below. Replace --virtual-ip {HA_VIRTUAL_IP}
with the --load-balancer-host {LOAD_BALANCER_HOST} option if you configured
LOAD_BALANCER_HOST:
sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} \
    --k8s-home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} \
    --ca-file {TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt \
    --key-file {TMP_FOLDER}/master.key --network-address {NETWORK_ADDRESS} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --tmp {TMP_FOLDER} \
    --virtual-ip {HA_VIRTUAL_IP} --fail-swap-on {FAIL_SWAP_ON} -l {TMP_FOLDER}/pre-check.log \
    --runtime-home {RUNTIME_CDFDATA_HOME} --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --user {nonroot username} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name}
● You can add the option --user <nonroot username> to use a non-root user to extend the node.
● Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
● Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
10. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master
node to the temp folder {TMP_FOLDER} of the extended master node.
11. Untar the CDF build on the extended master node with the following command:
tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
12. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node.
13. Start installing the master node with the following command. Replace --virtual-ip {HA_VIRTUAL_IP} with the
--load-balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} \
    --master-api-ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt \
    --cert-file {TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key \
    --k8s-master-ip {API_SERVER} --extend-masters "{FQDN or IP of the last extended master node}" \
    --keepalived-nopreempt {KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} \
    --etcd-endpoint {ETCD_ENDPOINT} --registry-orgname {REGISTRY_ORGNAME} \
    --system-user-id {SYSTEM_USER_ID} --system-group-id {SYSTEM_GROUP_ID} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --master-nodes {MASTER_NODES} \
    --tmp-folder {TMP_FOLDER} --ha-virtual-ip {HA_VIRTUAL_IP} \
    --keepalived-virtual-router-id {KEEPALIVED_VIRTUAL_ROUTER_ID} --pod-cidr {POD_CIDR} \
    --service-cidr {SERVICE_CIDR} --fail-swap-on {FAIL_SWAP_ON} \
    --runtime-home {RUNTIME_CDFDATA_HOME} --kubelet-home {RUNTIME_CDFDATA_HOME} \
    --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --deployment-log-location {DEPLOYMENT_LOG_LOCATION} \
    --aws-eip {AWS_EIP} --aws-region {AWS_REGION} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name} --docker-http-proxy {DOCKER_HTTP_PROXY} \
    --docker-https-proxy {DOCKER_HTTPS_PROXY} --docker-no-proxy {DOCKER_NO_PROXY}
● Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
● Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
● Add the options --aws-eip {AWS_EIP} and --aws-region {AWS_REGION} if you install on the AWS cloud
provider and provide HA_VIRTUAL_IP instead of LOAD_BALANCER_HOST.
● Add the option --docker-http-proxy or --docker-https-proxy to set up the HTTPS/HTTP proxy.
● Add the option --docker-no-proxy {DOCKER_NO_PROXY} to specify the IPv4 addresses, FQDNs, and domain
names that do not need the proxy for Docker.
2. Perform the following steps on the second extended master node.
1. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker

2. Set up a thin pool for Docker with the following steps:


1. Create a physical volume with the following command:
# pvcreate [physical device name]
For example:
# pvcreate /dev/sdc1
The minimum physical volume size is 80 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate docker /dev/sdc1
3. Create a logical volume for the thin pool and bootstrap with the following command:

# lvcreate [logical volume name] [volume group name]


For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool docker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
# vi /etc/lvm/profile/docker-thinpool.profile
2. Specify a value for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool
space that can be used, and the thin_pool_autoextend_percent parameter shows the
percentage of the thin pool space that will be extended within the mounted volume group. Auto
extension will work only if the enclosing volume group has space for the volume that is enclosed
in it. If the volume group was defined and is completely filled with logical volumes and has no
space to extend, you must make space in the volume group by adding storage or resizing other
logical volumes in the group. To extend a volume group, run the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend docker /dev/sdc3
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile docker-thinpool docker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.

1. Create a physical volume with the following command:


# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool --poolmetadata bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool space that
can be used, and the thin_pool_autoextend_percent parameter shows the percentage of the thin pool
space that will be extended within the mounted volume group. Auto extension will work only if the
enclosing volume group has space for the volume that is enclosed in it. If the volume group was defined
and is completely filled with logical volumes and has no space to extend, you must make space in the
volume group by adding storage or resizing other logical volumes in the group. To extend a volume
group, run the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:

# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in
the format [volume group name]-[logical volume name]. For example, if the VG name is docker and the
LV name is thinpool, the thin pool device name is docker-thinpool.
cd /dev/mapper
ll

2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The
thin pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
■ For the first master node, specify the path of the THINPOOL_DEVICE parameter in the
install.properties file.
■ For the second and third master nodes and all worker nodes, you need to specify the path when
adding the nodes on the installation portal.
5. Generate server certificate files on the remaining master node under $K8S_HOME/ssl with the
following commands:
Replace IP:{API_SERVER} with DNS:{API_SERVER} in the command below if the API_SERVER is in
FQDN format and then run the command.
openssl genrsa -out master.key 4096
openssl req -new -key master.key -subj "/CN={FQDN or IP of extended master node}" -out master.csr
echo "subjectAltName=IP:{K8S_DEFAULT_SVC_IP},IP:{API_SERVER},IP:{IP of extended master node},DNS:{FQDN of extended master node},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" > extfile.cnf
openssl x509 -req -sha256 -in master.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out master.crt -days 365
rm -f extfile.cnf master.csr

6. Copy pre-check.sh under $K8S_HOME/script from the remaining master node to the temp folder
{TMP_FOLDER} of the extended master node.

7. Copy ca.crt, ca.key, master.crt, master.key and kube-serviceaccount.key under $K8S_HOME/ssl from
existing master node to the temp folder {TMP_FOLDER} of the extended master node.
8. Delete master.crt, master.key on the remaining master node under $K8S_HOME/ssl.
9. Run the pre-check.sh script on the extended master node as below. Replace --virtual-ip {HA_VIRTUAL_IP}
with the --load-balancer-host {LOAD_BALANCER_HOST} option if you configured
LOAD_BALANCER_HOST:
sh pre-check.sh --node-type master --node-host {FQDN or IP of extended master node} \
    --k8s-home {K8S_HOME} --api-server {API_SERVER} --api-port {MASTER_API_SSL_PORT} \
    --ca-file {TMP_FOLDER}/ca.crt --cert-file {TMP_FOLDER}/master.crt \
    --key-file {TMP_FOLDER}/master.key --network-address {NETWORK_ADDRESS} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --tmp {TMP_FOLDER} \
    --virtual-ip {HA_VIRTUAL_IP} --fail-swap-on {FAIL_SWAP_ON} -l {TMP_FOLDER}/pre-check.log \
    --runtime-home {RUNTIME_CDFDATA_HOME} --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --user {nonroot username} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name}
❍ You can add the option --user <nonroot username> to use a non-root user to extend the node.
❍ Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
❍ Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
11. Copy CDF build ITOM_Suite_Foundation_Node.tar.gz under $K8S_HOME/zip on the remaining master
node to the temp folder {TMP_FOLDER} of the extended master node.
12. Untar the CDF build on the extended master node with the following command:
tar -zxvf ITOM_Suite_Foundation_Node.tar.gz
13. Navigate to the ITOM_Suite_Foundation_Node folder on the extended master node with the following
command: cd ITOM_Suite_Foundation_Node.
14. Start installing the master node with the following command. Replace --virtual-ip {HA_VIRTUAL_IP} with the
--load-balancer-host {LOAD_BALANCER_HOST} option if you configured LOAD_BALANCER_HOST:
./install --node-type master --node-host {FQDN or IP of extended master node} \
    --master-api-ssl-port {MASTER_API_SSL_PORT} --ca-file {TMP_FOLDER}/ca.crt \
    --cert-file {TMP_FOLDER}/master.crt --key-file {TMP_FOLDER}/master.key \
    --k8s-master-ip {API_SERVER} --extend-masters "{FQDN or IP of the last extended master node}" \
    --keepalived-nopreempt {KEEPALIVED_NOPREEMPT} --k8s-home {K8S_HOME} \
    --etcd-endpoint {ETCD_ENDPOINT} --registry-orgname {REGISTRY_ORGNAME} \
    --system-user-id {SYSTEM_USER_ID} --system-group-id {SYSTEM_GROUP_ID} \
    --flannel-backend-type {FLANNEL_BACKEND_TYPE} --master-nodes {MASTER_NODES} \
    --tmp-folder {TMP_FOLDER} --ha-virtual-ip {HA_VIRTUAL_IP} \
    --keepalived-virtual-router-id {KEEPALIVED_VIRTUAL_ROUTER_ID} --pod-cidr {POD_CIDR} \
    --service-cidr {SERVICE_CIDR} --fail-swap-on {FAIL_SWAP_ON} \
    --runtime-home {RUNTIME_CDFDATA_HOME} --kubelet-home {RUNTIME_CDFDATA_HOME} \
    --auto-configure-firewall {AUTO_CONFIGURE_FIREWALL} \
    --deployment-log-location {DEPLOYMENT_LOG_LOCATION} \
    --aws-eip {AWS_EIP} --aws-region {AWS_REGION} --thinpool-device {thinpool-device} \
    --flannel-iface {ipv4 or interface name} --docker-http-proxy {DOCKER_HTTP_PROXY} \
    --docker-https-proxy {DOCKER_HTTPS_PROXY} --docker-no-proxy {DOCKER_NO_PROXY}
❍ Add the option --thinpool-device <thinpool device> to set up the thin pools for Docker and Docker
bootstrap directories.
❍ Add the option --flannel-iface <ipv4 or interface name> to set up multiple network interfaces.
❍ Add the options --aws-eip {AWS_EIP} and --aws-region {AWS_REGION} if you install on the AWS cloud
provider and provide HA_VIRTUAL_IP instead of LOAD_BALANCER_HOST.
❍ Add the option --docker-http-proxy or --docker-https-proxy to set up the HTTPS/HTTP proxy.
❍ Add the option --docker-no-proxy {DOCKER_NO_PROXY} to specify the IPv4 addresses, FQDNs, and domain
names that do not need the proxy for Docker.

Restore CDF when all master nodes crashed


Follow the steps below to restore CDF when all master nodes crashed:

Note
Most of the parameters used in the steps below can be found in $BACKUP_FOLDER\base-configmap.bak file.

1. Set up a new VM cluster with the same host and configuration, or use the current fresh VM cluster on which CDF
was uninstalled.
2. If you have configured Docker thin pool and Docker bootstrap directories, perform the steps below to
reconfigure Docker thin pool and Docker bootstrap directories.
1. Delete these directories with the following commands:
lvremove /dev/{vg_name}/{lv_name_docker}
lvremove /dev/{vg_name}/{lv_name_docker_meta}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap}
lvremove /dev/{vg_name}/{lv_name_docker-bootstrap_meta}
For example:
lvremove /dev/docker/thinpool docker
lvremove /dev/docker/thinpoolmeta docker
lvremove /dev/bootstrapdocker/thinpool docker
lvremove /dev/bootstrapdocker/thinpoolmeta docker

2. Set up a thin pool for Docker with the following steps:


1. Create a physical volume with the following command:
# pvcreate [physical device name]
For example:
# pvcreate /dev/sdc1
The minimum physical volume size is 80 GB.

2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate docker /dev/sdc1
3. Create a logical volume for the thin pool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool docker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta docker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool docker/thinpool --poolmetadata docker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
# vi /etc/lvm/profile/docker-thinpool.profile
2. Specify a value for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool space
that can be used, and the thin_pool_autoextend_percent parameter shows the percentage of the
thin pool space that will be extended within the mounted volume group. Auto extension will work only if
the enclosing volume group has space for the volume that is enclosed in it. If the volume group was
defined and is completely filled with logical volumes and has no space to extend, you must make space
in the volume group by adding storage or resizing other logical volumes in the group. To extend a
volume group, run the following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend docker /dev/sdc3
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile docker-thinpool docker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the storage driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a


# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
3. Set up a thin pool for Docker bootstrap with the following steps.
1. Create a physical volume with the following command:
# pvcreate [disk device name]
For example:
# pvcreate /dev/sdc2
The minimum physical volume size is 10 GB.
2. Create a volume group with the following command:
# vgcreate [volume group name] [physical volume name]
For example:
# vgcreate bootstrapdocker /dev/sdc2
3. Create a logical volume for the thinpool and bootstrap with the following command:
# lvcreate [logical volume name] [volume group name]
For example, the data LV is 95% of the 'docker' volume group size (leaving free space allows for auto
expanding of either the data or metadata if space is running low as a temporary stopgap):
# lvcreate --wipesignatures y -n thinpool bootstrapdocker -l 95%VG
# lvcreate --wipesignatures y -n thinpoolmeta bootstrapdocker -l 1%VG
4. Convert the pool to a thin pool with the following command:
# lvconvert -y --zero n -c 512K --thinpool bootstrapdocker/thinpool \
--poolmetadata bootstrapdocker/thinpoolmeta
5. (Optional) You can configure the auto extension of the thin pools via an lvm profile.
1. Open the lvm profile with a text editor. For example:
vi /etc/lvm/profile/bootstrapdocker_thinpool.profile
2. Specify the values for parameter thin_pool_autoextend_threshold, and
thin_pool_autoextend_percent, each of which represents a percentage of the space.
For example:
activation {
thin_pool_autoextend_threshold=80
thin_pool_autoextend_percent=20
}
Note
The auto extension parameters for the thin pools (thin_pool_autoextend_threshold and
thin_pool_autoextend_percent) are defined in /etc/lvm/profile/docker-thinpool.profile. The
thin_pool_autoextend_threshold parameter shows the maximum percentage of the thin pool space that can be
used. The thin_pool_autoextend_percent parameter shows the percentage of the thin pool space that will be
extended within the mounted volume group. Auto extension will work only if the enclosing volume group has
space for the volume that is enclosed in it. If the volume group was defined and is completely filled with
logical volumes and has no space to extend, you must make space in the volume group by
adding storage or resizing other logical volumes in the group. To extend a volume group, run the
following command:
vgextend [volume group name] [physical volume name]
For example:
vgextend bootstrapdocker /dev/sdc4
3. Apply the lvm profile with the following command:
# lvchange --metadataprofile bootstrapdocker_thinpool bootstrapdocker/thinpool
6. Verify that the lv is monitored with the following command:
# lvs -o+seg_monitor
7. Clear the graph driver directory with the following command if Docker was previously started:
# rm -rf /var/lib/docker/*
8. Monitor the thin pool and volume group free space with the following commands:
# lvs
# lvs -a
# vgs
9. Check logs to see the auto-extension of the thin pool when it hits the threshold:
# journalctl -fu dm-event.service
4. Configure the thin pool paths for each cluster node with the following steps:
1. Find out your thin pool device name with the following commands. The thin pool device name is in the
format:
[volume group name]-[logical volume name]. For example, a VG name is docker and an LV name is
thinpool. Then the thin pool device name is docker-thinpool.
cd /dev/mapper
ll

2. Enter the thin pool device path for the THINPOOL_DEVICE parameter in the install.properties file. The thin
pool device path is /dev/mapper/<thin pool device name>. For example: /dev/mapper/docker-thinpool.
● For the first master node, specify the path of the THINPOOL_DEVICE parameter in the install.properties
file.
● For the second and third master nodes and all worker nodes, you need to specify the path when adding
the nodes on the installation portal.
5. Restore NFS with previous server and path.
6. Restore files on three cluster nodes. For example, copy the backup files to the /opt/backup folder, and then
run the following commands:
tar zxvf /opt/backup/k8s_service_backup.tar.gz -C /
tar zxvf /opt/backup/k8s_backup.tar.gz -C /
export K8S_HOME=<your_K8S_HOME>
export HA_VIRTUAL_IP=<your_HA_VIRTUAL_IP>
export USER_ID=<your_user_ID>
export GROUP_ID=<your_user_group_ID>
export RUNTIME_CDFDATA_HOME=<your_RUNTIME_CDFDATA_HOME>
export REGISTRY_ORGNAME=<your_REGISTRY_ORGNAME>
export SUITE_REGISTRY=<your_SUITE_REGISTRY>
echo "export K8S_HOME=${K8S_HOME}">>/etc/profile
echo "export PATH=\$PATH:\${K8S_HOME}/bin">>/etc/profile
echo "export ETCDCTL_API=3">>/etc/profile
source /etc/profile
Note
If CDF was installed with a load balancer, enter the load balancer IP for HA_VIRTUAL_IP.
7. Link files on three master nodes with the following commands:
ln -sf ${K8S_HOME}/bin/docker /usr/bin/docker;
ln -sf ${K8S_HOME}/bin/dockerd /usr/bin/dockerd;
ln -sf ${K8S_HOME}/bin/docker-containerd /usr/bin/docker-containerd;
ln -sf ${K8S_HOME}/bin/docker-containerd-ctr /usr/bin/docker-containerd-ctr;
ln -sf ${K8S_HOME}/bin/docker-containerd-shim /usr/bin/docker-containerd-shim;
ln -sf ${K8S_HOME}/bin/docker-runc /usr/bin/docker-runc;
ln -sf ${K8S_HOME}/bin/docker-proxy /usr/bin/docker-proxy;
ln -sf ${K8S_HOME}/bin/docker-init /usr/bin/docker-init;
ln -sf ${K8S_HOME}/bin/kubectl /usr/bin/kubectl;
ln -sf ${K8S_HOME}/bin/kube-proxy /usr/bin/kube-proxy;
ln -sf ${K8S_HOME}/bin/vault /usr/bin/vault;
ln -sf ${K8S_HOME}/bin/kubelet /usr/bin/kubelet;
ln -sf ${K8S_HOME}/bin/etcdctl /usr/bin/etcdctl;

8. Load docker-bootstrap images on three cluster nodes with the following commands:
systemctl start docker-bootstrap.service
docker -H unix:///var/run/docker-bootstrap.sock load -i ${K8S_HOME}/images/master-bootstrap-docker-images.tgz
docker -H unix:///var/run/docker-bootstrap.sock load -i ${K8S_HOME}/images/worker-bootstrap-docker-images.tgz
9. Run the following commands on all the three master nodes to prepare a runtime folder if there is no runtime
folder.
Create the etcd runtime directory:
mkdir -p ${RUNTIME_CDFDATA_HOME}/etcd/data
Create the kubelet runtime directory:
mkdir -p ${RUNTIME_CDFDATA_HOME}/kubelet

10. Restore ETCD data with the following steps:


1. Export parameters on the three master nodes with the following commands (enter the IP address if this VM
was installed by IP; enter the full FQDN if this VM was installed by FQDN):
export Master_Node1=<Master_Node_1>
export Master_Node2=<Master_Node_2>
export Master_Node3=<Master_Node_3>

2. Log in to one of the master nodes that has the snapshot.db file.

3. Restore etcdv3 data with the following commands:
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name ${Master_Node1} \
--initial-cluster=${Master_Node1}=https://${Master_Node1}:2380,${Master_Node2}=https://${Master_Node2}:2380,${Master_Node3}=https://${Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://${Master_Node1}:2380

ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name ${Master_Node2} \
--initial-cluster=${Master_Node1}=https://${Master_Node1}:2380,${Master_Node2}=https://${Master_Node2}:2380,${Master_Node3}=https://${Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://${Master_Node2}:2380

ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --name ${Master_Node3} \
--initial-cluster=${Master_Node1}=https://${Master_Node1}:2380,${Master_Node2}=https://${Master_Node2}:2380,${Master_Node3}=https://${Master_Node3}:2380 \
--initial-cluster-token etcd-cluster-1 --initial-advertise-peer-urls https://${Master_Node3}:2380

4. Move etcdv3 data to ${K8S_HOME}/data/etcd/data with the following steps.


1. Run the following command on all the three master nodes one by one:
rm -rf ${RUNTIME_CDFDATA_HOME}/etcd/data/member

2. Run the following commands on the master node where you restore the etcdv3 data.
scp -r ${Master_Node1}.etcd/member \
root@${Master_Node1}:${RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r ${Master_Node2}.etcd/member \
root@${Master_Node2}:${RUNTIME_CDFDATA_HOME}/etcd/data/member
scp -r ${Master_Node3}.etcd/member \
root@${Master_Node3}:${RUNTIME_CDFDATA_HOME}/etcd/data/member

5. Change permission of etcd data directory on the three master nodes with the following command:
chown -R ${USER_ID}:${GROUP_ID} ${RUNTIME_CDFDATA_HOME}/etcd/data
11. Start docker-bootstrap containers on the three master nodes with the following commands:
■ Start ETCD with the following command:
${K8S_HOME}/scripts/startEtcd.sh -y
■ Restore flannel data on one master node with the following commands:
cd {flannel.data backup file directory}
ETCDCTL_API=2 etcdctl -endpoint=https://${Master_Node1}:4001 -ca-file ${K8S_HOME}/ssl/ca.crt \
-cert-file ${K8S_HOME}/ssl/server.crt -key-file ${K8S_HOME}/ssl/server.key \
set /coreos.com/network/config "$(cat flannel.data)"
■ Start flannel and vault on the three master nodes with the following commands:
${K8S_HOME}/scripts/startFlannel.sh -y
${K8S_HOME}/scripts/startVault.sh -y

15. Load Docker images on all the master nodes with the following commands:
systemctl start docker.service
docker load -i ${K8S_HOME}/images/master-main-docker-k8s-images.tgz;

docker load -i ${K8S_HOME}/images/master-main-docker-images.tgz;
docker load -i ${K8S_HOME}/images/worker-main-docker-k8s-images.tgz;
docker load -i ${K8S_HOME}/images/worker-main-docker-images.tgz;

16. Retag two Docker images on all the master nodes with the following commands:
source $K8S_HOME/properties/images/images.properties
# Images to retag under the ${REGISTRY_ORGNAME} organization
masterImageList=("$IMAGE_ITOM_CDF_SUITEFRONTEND" "$IMAGE_ITOM_CDF_APISERVER"
"$IMAGE_ITOM_REGISTRY" "$IMAGE_KUBE_REGISTRY_PROXY"
"$IMAGE_KUBERNETES_VAULT_INIT" "$IMAGE_KUBERNETES_VAULT_RENEW"
"$IMAGE_KUBERNETES_VAULT" "$IMAGE_ITOM_BUSYBOX")
registryURL=${SUITE_REGISTRY}
for image in "${masterImageList[@]}"; do
  imageName=${image%:*}   # image name without the tag
  tag=${image#*:}         # tag only
  if [ "$imageName" = "kubernetes-vault-init" -o "$imageName" = "kubernetes-vault-renew" ]; then
    docker tag "${registryURL}/${imageName}:${tag}" "${registryURL}/${REGISTRY_ORGNAME}/${imageName}:${tag}"
    # The two vault helper images are also tagged as 0.5.0
    docker tag "${registryURL}/${imageName}:${tag}" "${registryURL}/${imageName}:0.5.0"
  else
    docker tag "${registryURL}/${imageName}:${tag}" "${registryURL}/${REGISTRY_ORGNAME}/${imageName}:${tag}"
  fi
done

17. Create /var/lib/kubelet on all the master nodes with the following commands:
rm -rf /var/lib/kubelet
mkdir -p /var/lib/kubelet

18. Restore kubeconfig file on all master nodes


cp -f kube-config ~/.kube/config

19. If you used HA_VIRTUAL_IP, start keepalived container on the three master nodes with the following
commands. (Skip this step if you use load balancer)
${K8S_HOME}/bin/start_lb.sh
20. Start kube-cluster on all master nodes with the following command:
${K8S_HOME}/bin/kube-start.sh
21. Start kube-cluster on all worker nodes with the following command:
${K8S_HOME}/bin/kube-restart.sh
22. Restore PostgreSQL database data.
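
The optional thin pool auto-extension configured in step 2 only works while the volume group has free space, as the Note in that step says. The following added example (not part of the product documentation) checks whether the next extension would fit; it uses the thin_pool_autoextend_threshold=80 and thin_pool_autoextend_percent=20 values from the profile above and assumes sizes reported in MiB. The function names and the sample lvs/vgs output are constructed for illustration.

```shell
#!/bin/sh
# Added example: will the next thin pool auto-extension fit in its volume group?

# Prints one line per pool: VG/LV used=..% need=..MiB free=..MiB STATUS
#   OK      the next extension fits in the VG free space
#   SHORT   it does not fit, but usage is still below the threshold
#   BLOCKED usage has reached the threshold and the extension does not fit
# usage: check_autoextend THRESHOLD PERCENT VGS_FILE LVS_FILE
check_autoextend() {
  awk -v threshold="$1" -v percent="$2" -v vgs_file="$3" '
    # First file: vg_name vg_free (MiB)
    FILENAME == vgs_file { vg_free[$1] = $2; next }
    # Second file: vg_name lv_name lv_size data_percent (LVs without data_percent are skipped)
    NF >= 4 {
      need = $3 * percent / 100          # growth requested: percent of the current pool size
      free = vg_free[$1] + 0
      if (need <= free) {
        status = "OK"
      } else if ($4 + 0 >= threshold + 0) {
        status = "BLOCKED"
      } else {
        status = "SHORT"
      }
      printf "%s/%s used=%.1f%% need=%dMiB free=%dMiB %s\n", $1, $2, $4, need, free, status
    }' "$3" "$4"
}

# Constructed output of:
#   vgs --noheadings --units m --nosuffix -o vg_name,vg_free
# docker: 80 GiB VG with 95% data + 1% metadata allocated, as in the example above.
# bootstrapdocker: constructed as if the VG had already been extended with vgextend.
sample_vgs() {
  cat <<'EOF'
  docker          3276.00
  bootstrapdocker 4096.00
EOF
}

# Constructed output of:
#   lvs --noheadings --units m --nosuffix -o vg_name,lv_name,lv_size,data_percent
sample_lvs() {
  cat <<'EOF'
  docker          thinpool 77824.00 83.10
  bootstrapdocker thinpool  9728.00 41.30
EOF
}

run_sample() {
  dir=$(mktemp -d) || return 1
  sample_vgs > "$dir/vgs.txt"
  sample_lvs > "$dir/lvs.txt"
  check_autoextend 80 20 "$dir/vgs.txt" "$dir/lvs.txt"
  rm -rf "$dir"
}

run_sample
```

With the 95%VG data volume from the example, a 20% extension is larger than the space left in the volume group, so the docker pool is reported as BLOCKED until the group is extended with vgextend.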

Restore CDF when the master node crashed in single-master node deployment

Follow the steps below to restore CDF when the master node crashed in single-master node deployment:

Note
Most of the parameters used in the steps below can be found in $BACKUP_FOLDER\base-configmap.bak file.

Execute kube-restart.sh on all worker nodes with the following command:


${K8S_HOME}/bin/kube-restart.sh -y

Change external IdM database connection for CDF

Back up and restore IdM

Change persistent volumes after CDF installation

Set up thin pools after CDF installation

Rename IdM schema "public"

Administer SMAX

This section describes administration tasks for the Service Management Automation suite.

Configure the Service Portal mobile app

Smart Analytics administration

Scale out DAH server

Update Smart Analytics stop words and synonyms

Update index weight for the Title and Description fields

Perform a full reindex for Smart Analytics

Localize SMAX by using Openl10n

Customize the login and logout pages

Replace the certificate for Service Management Automation

Enable tab completion of the suite namespace

Retrieve suite truststore password

Sync updated suite component database passwords


If you change the database password for a suite component, use the Python script (action_change_db_pwd.py)
included in the itom-sma-operation-tool-2019.02-xx.tar.gz file, which you can download from the Micro Focus ITOM
Marketplace, to sync the new password to the suite. Run the appropriate command to sync the new password for
each component.

Component database    Command
IdM                   python action_change_db_pwd.py -d Idm
Service Management    python action_change_db_pwd.py -d ServiceManagement
Suite Administration  python action_change_db_pwd.py -d SuiteAdministration
CMS                   python action_change_db_pwd.py -d UCMDB
Smart Analytics       python action_change_db_pwd.py -d SmartAnalytics
Autopass              python action_change_db_pwd.py -d Autopass

Sync updated sysadmin password

Configure SMAX Security

Take a snapshot of the suite

Back up and restore

SMA disaster recovery (DR) toolkit


Folders needed for the DR toolkit

When running the toolkit, you need to specify a number of folders as described previously. The following table
summarizes these folders and provides their example values used in the documentation.

Folder name: DR-TOOL-PATH
Description: The parent directory that you use when creating the DR folders (/bin, /output, /tmp, and /log).
Example value in the documentation: /opt/sma/
Needed for: N/A

Folder name: TEMP_PATH
Description: A temporary directory to store backup data of the source environment.
During backup:
▪ The dr_dispatcher.py script backs up suite data to this folder;
▪ The storage_dispatcher.py script generates a backup package (sma-dr-YYYY-MM-DD-HH-MM-SS.tar.gz) from the
backup data in this folder and saves the package to a BACKUP_PATH folder.
During restoration:
▪ You copy the backup package (sma-dr-YYYY-MM-DD-HH-MM-SS.tar.gz) from the source environment to the
BACKUP_PATH folder in the target environment;
▪ The storage_dispatcher.py script uncompresses the backup package (sma-dr-YYYY-MM-DD-HH-MM-SS.tar.gz) from
the BACKUP_PATH folder in the target environment to this folder;
▪ The dr_dispatcher.py script restores suite data from this folder.
Example value in the documentation: /opt/sma/tmp
Needed for: dr_dispatcher.py, storage_dispatcher.py

Folder name: BACKUP_PATH
Description: The folder in which the backup package is stored (also called "Backup repository").
Example value in the documentation: /opt/sma/output
Needed for: storage_dispatcher.py

Folder name: NFS_PATH
Description: A local folder on the master node that is mounted to the remote global NFS volume path. The
dr_dispatcher.py script can access the global NFS volume data from this folder.
Example value in the documentation: /opt/sma/nfs
Needed for: dr_dispatcher.py

Folder name: IDOL_PATH
Description: A local folder on the master node that is mounted to the remote Smart Analytics NFS volume path.
The dr_dispatcher.py script can access the Smart Analytics NFS volume data from this folder.
Example value in the documentation: /opt/sma/smartanalytics-nfs
Needed for: dr_dispatcher.py


SMAX backup procedure

Use the following procedure to back up your suite data in your production environment (the "source environment").

Backup tasks

The following table lists the backup tasks and the roles that should perform them.

Backup task: DR toolkit backup
Role: DR toolkit
Description: The DR toolkit performs the following backup tasks:
▪ Global NFS volume backup
▪ Smart Analytics backup
▪ Backup of suite configuration in the Kubernetes configmap. Sensitive data stored in Vault is not backed
up. For example, passwords and the LW-SSO encryption key.

Backup task: DB backup
Role: Database administrator
Description: PostgreSQL base backup plus incremental backups

Backup task: Sensitive data backup - Secret
Role: Suite administrator
Description: Private key, and certificate files

Backup task: Sensitive data backup - Vault
Role: Suite administrator
Description: Passwords, and LW-SSO encryption key

Back up the external databases

Back up the external databases for the suite on a regular basis to ensure your data is safe. For each database,
this normally includes a base backup (full backup) and continuous archiving backups. The following is a list of
databases that you need to back up.

Component             User name    Databases
Service Management    maas_admin   maas_admin, maas_template, xservices_ems, xservices_mng, xservices_rms, and sxdb
Suite Administration  bo_db_user   bo_ats, bo_user, bo_config, and bo_license
Smart Analytics       smarta       smartadb
CMS                   ucmdb        ucmdb
                                   Note: This assumes that you are using internal CMS (that is, CMS in the suite)
                                   and using external PostgreSQL for it. If you are using external CMS or using
                                   Oracle for internal CMS, back up the database of external CMS or back up
                                   external Oracle for internal CMS.
IdM                   idm          idm
Autopass              autopass     autopassdb

The following table lists each item with its folder (sample path) and note.

Item:
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-smartanalytics/license/idol
/var/vols/itom/itsma/itsma-itsma-smartanalytics/config
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/saw/content1
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/saw/content2
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawarc/content1
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawarc/content2
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawmeta/content1
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/sawmeta/content2
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/stx/agentstore
/var/vols/itom/itsma/itsma-itsma-smartanalytics/data/idol/stx/category
Note: Full IDOL backups are required.

Item: Attachments
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-global/share1
/var/vols/itom/itsma/itsma-itsma-global/share2
Note:
▪ Big disk space required
When the size of the data in each of attachment folders (share1 and share2) becomes huge, customers can
consider performing incremental backups.

Item: Certificates
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-global/certificate/imported
/var/vols/itom/itsma/itsma-itsma-global/certificate/idm

Item: IDM MD5
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-global/data/idm

Item: SAML
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-global/certificate/samlmeta
/var/vols/itom/itsma/itsma-itsma-global/certificate/ca-trust/samlKeystore.jks

Item: UCMDB
Folder (sample path):
/var/vols/itom/itsma/itsma-itsma-global/data/ucmdb
/var/vols/itom/itsma/itsma-itsma-global/certificate/ucmdb
/var/vols/itom/itsma/itsma-itsma-global/license/ucmdb

For more information, see Configurations.

SMAX restoration procedure

Set up a standby environment for restoration

Scenario 1: the source environment has completely crashed


Step 1. Stop the target suite environment

Run the following commands on one master node to stop the system:
cd $K8S_HOME/scripts
./cdfctl.sh runlevel set -l DOWN -n <namespace>
For example:
cd /opt/kubernetes/scripts
./cdfctl.sh runlevel set -l DOWN -n itsma1

Step 2. Restore the databases

The purpose of this step is to make sure your database server in the target environment is ready for use. In this
scenario, the old database server has crashed. You need to restore the databases from a database backup of the
source environment. For detailed instructions, refer to your database documentation.
The following is a list of databases that you need to restore.

Component             User name    Databases
Service Management    maas_admin   maas_admin, maas_template, xservices_ems, xservices_mng, xservices_rms, and sxdb
Suite Administration  bo_db_user   bo_ats, bo_user, bo_config, and bo_license
Smart Analytics       smarta       smartadb
CMS                   ucmdb        ucmdb
                                   Note: This assumes that you are using internal CMS (that is, CMS in the suite)
                                   and using external PostgreSQL for it. If you are using external CMS or using
                                   Oracle for internal CMS, restore the database of external CMS or restore
                                   Oracle for internal CMS.
IdM                   idm          idm
Autopass              autopass     autopassdb

Scenario 2: only the cluster nodes have crashed

Change FQDN
Related topics
Replace the certificate for Service Management Automation

Restart the SMA suite

Restart CDF

Restart the cluster hosts

Enable a firewall in the suite environment


Ports for inbound connections

If you need to enable a firewall in your suite environment, make sure that the following ports are open in your
firewall settings as inbound rules.

Note
The ports that are highlighted are for k8s internal communications only, and are referred to as "internal ports"
in this document.

Role                        Protocol  Source                 Port        Service                Description
Master                      TCP       Nodes (& NLB for AWS)  4001        etcd                   Etcd service port for client connection
Master                      TCP       Nodes (& NLB for AWS)  2380        etcd                   Etcd service port for etcd cluster communication
Master                      TCP       Nodes (& NLB for AWS)  8200        vault                  Vault port for client connection
Master                      TCP       Nodes                  8201        vault                  Vault port for peer member connection
Master                      TCP       Nodes (& NLB for AWS)  8443        kubernetes             API server port for internal communication
Master                      TCP       Nodes                  10250       kubernetes             Kubernetes port for internal communication
Master                      TCP       Nodes                  10251       kubernetes             Kubernetes port for internal communication
Master                      TCP       Nodes                  10252       kubernetes             Kubernetes port for internal communication
Master                      TCP       Nodes                  10255       kubernetes             Kubernetes port for internal communication
Master                      TCP       Client host            3000        Installation portal    Access to the installation portal by external clients
Master                      TCP       Client host & Nodes    5443        CDF management portal  Access to the CDF management portal by external clients
Master                      TCP       Client host & Nodes    443         SMA portal             Access to SMA portal by external clients
Master                      TCP       Client host & Master   22          ssh                    SSH access to nodes by external clients. During the installation, need to open port 22 from the first master
Master                      UDP       Nodes                  8472        Flannel                Flannel port for internal communication
Worker                      TCP       Nodes                  10250       kubernetes             Kubernetes port for internal communication
Worker                      TCP       Nodes                  10251       kubernetes             Kubernetes port for internal communication
Worker                      TCP       Nodes                  10252       kubernetes             Kubernetes port for internal communication
Worker                      TCP       Nodes                  10255       kubernetes             Kubernetes port for internal communication
Worker                      TCP       Client host & Master   22          ssh                    SSH access to nodes by external clients. During the installation, need to access from first master node on port 22
Worker                      UDP       Nodes                  8472        Flannel                Flannel port for internal communication
NFS                         UDP       Nodes                  111         portmapper             Access to portmapper for nfs
NFS                         TCP       Nodes                  111         portmapper             Access to portmapper for nfs
NFS                         TCP       Nodes                  2049        nfs                    Access to nfs for all nodes
NFS                         TCP       Nodes                  20048       nfs mountd             NFS Server port access by all nodes
External Postgres database  TCP       Nodes                              postgres               Access to the postgres server port by all nodes
SMTP Server                 TCP       Nodes                  25/465/587  smtp                   SMTP server

Ports for outbound connections

In general, the inbound rules above should be good enough in terms of security. If you have a stricter security policy, you can set outbound rules in your firewall according to the following table.

| Role | Protocol | Destination | Port | Service | Description |
|---|---|---|---|---|---|
| Master & Worker | TCP | Nodes (& NLB for AWS) | 4001 | etcd | Etcd service port for client connection |
| Master & Worker | TCP | Master (& NLB for AWS) | 2380 | etcd | Etcd service port for etcd cluster communication |
| Master & Worker | TCP | Nodes (& NLB for AWS) | 8200 | vault | Vault port for client connection |
| Master & Worker | TCP | Nodes | 8201 | vault | Vault port for peer member connection |
| Master & Worker | TCP | Nodes (& NLB for AWS) | 8443 | kubernetes | API server port for internal communication |
| Master & Worker | TCP | Nodes | 10250 | kubernetes | Kubernetes port for internal communication |
| Master & Worker | TCP | Nodes | 10251 | kubernetes | Kubernetes port for internal communication |
| Master & Worker | TCP | Nodes | 10252 | kubernetes | Kubernetes port for internal communication |
| Master & Worker | TCP | Nodes | 10255 | kubernetes | Kubernetes port for internal communication |
| Master & Worker | TCP | Client host & Nodes | 22 | ssh | SSH access to nodes by external clients. During the installation, access to all the nodes is needed |
| Master & Worker | TCP | Client host & Nodes | 5443 | CDF management portal | Access to the CDF management portal by external clients |
| Master & Worker | TCP | Client host & Nodes | 443 | SMA portal | Access to SMA portal by external clients |
| Master & Worker | TCP | Database Server | External database port | database | Access database |
| Master & Worker | TCP | NFS/EFS | 2049 | NFS | Access NFS |
| Master & Worker | UDP | Nodes | 8472 | Flannel | Flannel port for internal communication |
| Master & Worker | TCP | SMTP Server | 25/465/587 | smtp | Connect to smtp server |
| Master & Worker | TCP | *.google.com & *.googleapis.com | 5228-5230 | Notification | To use Google notification. For more details: https://firebase.google.com/docs/cloud-messaging/concept-options#messaging_ports_and_your_firewall |

Step 5: Open the other ports on each master, worker, or NFS server

The other ports are those that are not highlighted in the table of ports for inbound connections. These ports are not for k8s internal communications. Open the required ports on each master, worker, and NFS server. The following are examples of how to open this kind of port on a node.

Note: You need to run the firewall-cmd --reload command to make your settings take effect.

Example 1: On the NFS server, enable inbound connections from all nodes to the UDP port 111

Run the following commands:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 1 IP>" port protocol="udp" port="111" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 2 IP>" port protocol="udp" port="111" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 3 IP>" port protocol="udp" port="111" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<worker 1 IP>" port protocol="udp" port="111" accept'
...
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<worker n IP>" port protocol="udp" port="111" accept'

Example 2: On a master node, enable inbound connections from each client host and all k8s nodes to the TCP port 443

If you want to allow any remote machine to access this port, you can use the following command:
# firewall-cmd --permanent --zone=public --add-port=443/tcp

Otherwise, you can use the following commands to restrict inbound connections to the TCP port 443:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 1 IP>" port protocol="tcp" port="443" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 2 IP>" port protocol="tcp" port="443" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<master 3 IP>" port protocol="tcp" port="443" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<worker 1 IP>" port protocol="tcp" port="443" accept'
...
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<worker n IP>" port protocol="tcp" port="443" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<IP address of client host>" port protocol="tcp" port="443" accept'

Step 6: Open the required ports on the PostgreSQL database server and email server

Make sure that the required ports are open. For details, see the table of ports for inbound connections.

Step 7: Verify the firewall settings

You can use one of the following commands to check if a port is open on a host (ports 5443 and 22 are used here for example):
https:
curl -v -k https://<hostname>:5443
http:
curl -v <hostname>:22
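The source-restricted rules of Step 5, generated from a node list instead of typed once per address, plus a check for node-only ports that a zone opens to every source. This is an added example, not part of the product documentation; the function names and the 192.0.2.x addresses are constructed, and the node-only ports passed to open_to_any are the ones whose source is "Nodes" in the inbound table.

```shell
#!/bin/sh
# Added example. Prints firewall-cmd commands for review; it does not change the firewall.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1                      # split the address on dots
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] || return 1
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule_cmds PROTO PORT ADDR...: print one source-restricted rule per address,
# then the reload. Every argument is validated first, so a bad value yields no output.
rich_rule_cmds() {
    [ "$#" -ge 3 ] || { echo "usage: rich_rule_cmds PROTO PORT ADDR..." >&2; return 1; }
    _proto=$1
    _port=$2
    shift 2
    case "$_proto" in
        tcp|udp) ;;
        *) echo "invalid protocol: $_proto" >&2; return 1 ;;
    esac
    case "$_port" in
        ''|*[!0-9]*|??????*) echo "invalid port: $_port" >&2; return 1 ;;
    esac
    if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
        echo "invalid port: $_port" >&2
        return 1
    fi
    for _addr in "$@"; do
        is_ipv4 "$_addr" || { echo "invalid IPv4 address: $_addr" >&2; return 1; }
    done
    for _addr in "$@"; do
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port protocol=\"%s\" port=\"%s\" accept'\n" \
            "$_addr" "$_proto" "$_port"
    done
    echo "firewall-cmd --reload"
}

# open_to_any "LIST_PORTS_OUTPUT" PORT/PROTO...: print each given port that appears
# in the zone-wide port list, that is, a port opened to every source.
# Port ranges in the list (for example 5228-5230/tcp) are not expanded.
open_to_any() {
    _listed=" $1 "
    shift
    _found=""
    for _want in "$@"; do
        case "$_listed" in
            *" $_want "*) _found="$_found $_want" ;;
        esac
    done
    echo "${_found# }"
}

# Constructed inventory standing in for <master n IP> and <worker n IP>.
NODES="192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.21"

# Example 1, on the NFS server: UDP 111 from every node.
rich_rule_cmds udp 111 $NODES

# Audit on a master. The first argument is a constructed sample; on a host pass
# "$(firewall-cmd --zone=public --list-ports)" instead.
open_to_any "22/tcp 443/tcp 10250/tcp" 10250/tcp 10251/tcp 10252/tcp 10255/tcp 8472/udp
```

A port reported by open_to_any was added with --add-port and is reachable from any address, unlike a port opened only through per-source rich rules.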


Enable a firewall after installation


Related topics: Enable a firewall in the suite environment


Change internal integration user password


Administer internal PostgreSQL

This section describes administration tasks for the maintenance and operation of the internal PostgreSQL database that is embedded in the SMA suite.

Change the DB passwords for PGHA

The internal PostgreSQL database server contains a database for the following suite components: Autopass, IdM, Smart Analytics, Service Management, and Suite Administration. PostgreSQL High Availability (PGHA) is enforced for these databases. The following table lists the database names and database owner user names, as well as their related pods (which need a restart once their DB user password is changed).

| DB user name | Service name | DB name |
|---|---|---|
| autopass | Autopass | autopassdb |
| idm | Idm | idm |
| smarta | SmartAnalytics | smartadb |
| maas_admin | ServiceManagement | maas_admin, maas_template, xservices_ems, xservices_mng, xservices_rms |
| bo_db_user | SuiteAdministration | bo_ats, bo_config, bo_license, bo_user |


Balance cluster resource usage


Administer the suite


Tenants


How to create and edit a tenant


In the New tenant dialog box, provide all requested information. This dialog box requests values for the basic attributes.

| Field | Description |
|---|---|
| Backend type | Select the backend type of the tenant: • SMAX • Service Manager |
| Name | Enter the tenant name. |
| Type | Select the tenant type: • Production: This tenant is an official production environment. Only production licenses can be assigned to production tenants. • DEV: This tenant is used to make all configuration changes. Only trial and non-production licenses can be assigned to DEV tenants. • Internal: This tenant can be used for internal demo. Only evaluation licenses can be assigned to internal tenants. • Trial: This tenant is used for trial with limited duration and capacity. Only trial licenses can be assigned to Trial tenants. For more information about licenses, see Licenses. |
| Shared service type (Not available for SM tenant) | Select the shared service type: • Provider: Provider tenants can manage the business data of managed tenants. • Managed: Managed tenants are client tenants hosted by shared service providers; the service cases are managed by shared service agents in the provider tenant. • Standard: Standard tenants are ordinary tenants and are irrelevant to shared service. |

General tab

| Field | Description |
|---|---|
| ID | Tenant ID. |
| Name | Tenant name. |
| URL | The URL to access this tenant. |
| Type | Tenant type. |
| Environment | Tenant environment: • Prod • Test • Staging • Poc • RND • Unknown • DR |
| Backend type | The backend type of the tenant. |
| Default login type | Login type: • FEDERATION • LDAP • DB. If you select a default login type, the system will use the specified login type for user authentication. However, users can still use other authentication types by modifying the URL to set AUTH=DB/LDAP/SAML (for example: https://<External_Access_Host>/saw/ess?TENANTID=xxxxxxxxx&AUTH=SAML). If you keep this field empty, the system checks the user by trying all the three login types one by one until a matching user is found. |
| Public service | Defines which users of the account can access this tenant. • If this switch is on, all users of the account can access the tenant. • If this switch is off, only specified users of the account can access the tenant. Go to Users tab to specify the users. Note: After you change this setting, make sure to click Hard sync user on the toolbar. |
| Account | The account specified for this tenant. Users that belong to this account can access this tenant. |
| Tenant admin | Tenant admin. Only a tenant with a tenant admin specified can be deployed. The tenant admin receives an email notification after the tenant is deployed successfully. The tenant admin is assigned the Tenant Admin role in Service Management automatically. |
| Owner | Tenant owner. |
| Created by | The user who created the tenant. |
| Description | The description that captures the details of the tenant. |
| Creation time | The time that the tenant was created. |
| Activate date | The date that the tenant was activated. |
| Last update on | The last time that the tenant was updated. |

Service Manager Settings tab (Only available for the SM tenant)

| Field | Description |
|---|---|
| Service Manager application version | The application version of the external Service Manager. Note: In this release, SMAX supports Service Manager 9.60, 9.61, and 9.62. You can see Service Manager 9.41 in the UI but it is not supported in this release. |
| Service Manager URL | The Service Manager URL in this format: http(s)://<Service Manager server FQDN>:<port> (do not use the IP address). For example, http://mysmserver.com:13080 or https://mysmserver.com:13443. |
| Service Manager username | The user name of a Service Manager user account with the following privileges: • "system administrator" security role • "RESTful API" capability word • Unlimited sessions allowed |
| Service Manager password | The password of the Service Manager user account. |
| Smart Analytics server URL | The URL of the external Smart Analytics server. For example: http(s)://myidolserver.com:9000 |
| Chat database type | Chat database type: SQL Server or Oracle. |
| Chat database host/IP | Chat database host name or IP address. |
| Chat database port | Chat database port. |
| Chat database name | Chat database name. |
| Chat database account | The Chat database user name. |
| Chat database password | The password for the Chat database account. |
| ActiveMQ username | The ActiveMQ username for integration with Microsoft Skype for Business. |
| ActiveMQ password | The password of the ActiveMQ user. |
| Chat enabled | Specify if Chat is enabled or not. |

Shared service tab (Only available for SMAX tenant)

This tab displays the tenant's shared service type.

| Shared service type | Shared service tab |
|---|---|
| Standard tenant | This tab displays the shared service type. |
| Managed tenant | This tab displays the shared service type and its provider tenant. |
| Provider tenant | This tab is used to manage the managed tenants and grant user permissions. For more information, see Suite Administration for shared service providers. |

Tenant status

| Status | Description |
|---|---|
| New | The tenant status is New after the tenant is created. |
| In Provision | The tenant status is In Provision when the tenant is being deployed. |
| Active | For a production, DEV, internal, or trial tenant, the tenant status becomes Active automatically after the tenant is deployed. |
| Inactive | The tenant status becomes Inactive automatically after all licenses loaded to this tenant expire. You can also change the tenant status to Inactive manually. |
| Pending for removal | The tenant status becomes Pending for removal automatically if the tenant deployment fails. |


Customers


How to create and edit a customer


General tab

| Field | Description |
|---|---|
| ID | Customer ID. |
| Full Name | Full name of the customer. |
| Short Name | Short name of the customer. |
| Contact | Contact information of the customer. |
| Phone | Phone of the customer. |
| Email | Email of the customer. |
| Description | Description of the customer. |


Accounts


How to create an account


In the New account dialog box, provide all requested information. This dialog box requests values for the basic attributes.

| Field | Description |
|---|---|
| Enable suite SSO | Suite Single Sign-On (SSO) enables the users to use a single identity and password to log in to all connected suite applications. If Enable suite SSO is Yes, the configured authentications of this account are shared by all connected suite applications. For example, if you create a suite SSO enabled account and specify LDAP as the authentication type, this LDAP connection configuration is shared by all connected suite applications. You can only specify one account to enable suite SSO. This field is displayed only when UCMDB is installed in the suite and no account has suite SSO enabled. |
| Authentication type | Specify the authentication type. • SAML: User credentials are stored in federated identity providers using SAML protocol. Users with this authentication type can log in to Service Management tenants that belong to this account and UCMDB instance using SSO. Go to Authentication tab to configure the SAML settings. Note: To log in to UCMDB with the user credentials of SAML, perform the following steps: 1. Before you enable suite SSO and configure SAML authentication, create a user in UCMDB with the same login name as the user in SAML. 2. Configure admin role and right for this user in UCMDB. 3. Enable suite SSO and configure SAML authentication type. Now this user can log in to Service Portal and UCMDB with SSO. 4. The other users without admin role need to log in to Service Portal first, and then the user with admin role can configure role and right for them in UCMDB. • LDAP: User credentials are stored in LDAP servers. Users with this authentication type can log in to Service Management tenants that belong to this account and UCMDB instance using SSO. Go to LDAP for UCMDB tab in Configurations to configure the LDAP settings. This field appears only when Enable suite SSO is Yes. Note: To visit UCMDB from Service Management, users except Tenant Admin need to be assigned the Allows view service modeling permission in Service Management. |
| Shared service type | Select the shared service type: • Provider: A provider account can be assigned to a provider tenant only. • Managed: A managed account can be assigned to a managed tenant only. • Standard: A standard account can be assigned to a standard tenant only. |
| Shared service | Enter 3 characters consisting of uppercase letters or numbers to identify the managed tenant. This code needs to be unique and appears in the MT Console as the customer code prefix to all incidents and requests belonging to this managed tenant. This field appears only for the managed accounts. |
| Name | Enter the account name. |
| Account Type | Specify an account type: • Presales: This type can be used by sales team for marketing purpose. • Partner: This type can be used by your partner. • Test: This type can be used for customization, development, or testing. • External customer: This type can be used by your external customer. • Internal customer: This type can be used by your internal customer. |
| DB user login identifier | Specify the login identifier that DB users use as the login user name: • Login name • Email. Note: • If you select Email, make sure that the email addresses for users (including all authentication types) in this account are unique. Otherwise, unexpected issues might occur if two users have the same email. • If you select Email, you cannot change the login identifier to Login name after the account is created. |
| Customer | Specify the parent customer. |
| Owner | Specify the account owner. |
| Tier | Specify the account tier. This can be used for account rating. • Bronze • Silver • Gold • Platinum |
| On boarding date | Specify the on boarding date of the account. |
| Region | Specify the region of the account: • APJ • EMEA • AMS |


How to edit an account


Account details

General tab

| Field | Description |
|---|---|
| ID | Account ID. |
| Shared service type | Shared service type: ▪ Provider ▪ Managed ▪ Standard |
| Name | Account name. |
| Account Type | Account type: ▪ Presales ▪ Partner ▪ Test ▪ External customer ▪ Internal customer |
| DB user login identifier | Login identifier for DB users: ▪ Login name ▪ Email. Note: ▪ This field is read-only if you have already selected Email as the login identifier. ▪ If you change the login identifier from Login name to Email, make sure that the email addresses for users (including all authentication types) in this account are unique. Otherwise, unexpected issues might occur if two users have the same email. |
| Customer | Parent customer. |
| Tier | Account tier: ▪ Bronze ▪ Silver ▪ Gold ▪ Platinum |
| Owner | Owner of the account. |
| Region | Region of the account. |
| Country | Country of the account. |
| State | State of the account. |
| City | City of the account. |
| On boarding date | On boarding date of the account. |
| Description | The description that captures the details of the account. |

Complete the LDAP field mappings as described in the following tables. An initial user sync is triggered after a valid LDAP connection is added.

LDAP server settings

| Field | Description | OpenLDAP Example value |
|---|---|---|
| Display name | Display name of the server. | |
| Hostname | The fully-qualified domain name (server.domain.com) or IP address of the LDAP server. | |
| Port | The port used to connect to the LDAP server (by default, 389). | 389 |
| Base DN | Base distinguished name. The Base DN is the top level of the LDAP directory that is used as the basis of a search. | dc=Service Management Automation,dc=com |
| Group DN | Base distinguished name for the Group object. The Group Base DN is the top level of the LDAP directory that is used as the basis of a search for the Group object. | ou=groups,dc=Service Management Automation,dc=com |
| Group DN Type | • Group • Organization Unit. Normally, for a Group DN that starts with CN (e.g. CN=CSAGroups,DC=adfshp,DC=com), select Group as Group DN Type; for a Group DN that starts with OU (e.g. OU=Accounts,DC=adfshp,DC=com), select Organization Unit as Group DN Type. | |
| User ID (Full DN) | The fully distinguished name of any user with authentication rights to the LDAP server. | cn=admin,dc=Service Management Automation,dc=com |
| Password | Password of the User ID. If the LDAP server does not require a User ID or password for authentication, this value can be omitted. | |
| Enable SSL | If your LDAP server is configured to require LDAPS (LDAP over SSL), select the Enable SSL checkbox. | |
| SSL public key | If the Enable SSL checkbox is selected, the SSL public key certificate is required for LDAPS connection. | A PEM certificate block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----) |

LDAP attributes

| Field | Description | OpenLDAP Example value |
|---|---|---|
| Mail | Email address of the user. | mail |
| Login name | The fully-qualified domain name (server.domain.com) or IP address of the LDAP server. | |
| First name | First name of the user. | givenName |
| Family name | Family name of the user. | |
| Middle name | Middle name of the user. | |
| Office phone number | Office phone number of the user. | |
| Home phone number | Home phone number of the user. | |
| Mobile phone number | Mobile phone number of the user. | |
| Zip code | Zip code of the user. | |
| Language | Language of the user. | |
| Location | Location of the user. | |
| Customer unique Id | Unique ID. | employeeNumber |
| Group membership | The name of the attribute(s) of a group object that identifies a user as belonging to the group. If multiple attributes convey group membership, the attribute names should be separated by a comma. If no name is entered, default values are used. | member, uniqueMember |
| Manager identifier | The name of the attribute of a user object that identifies the manager of the user. | manager |
| Manager identifier value | The name of the attribute of a user object that describes the value of the Manager Identifier's attribute. For example, if the value of the Manager Identifier attribute is a distinguished name (such as cn=John Smith, ou=People, o=xyz.com) then the value of this field could be dn (distinguished name). Or, if the Manager Identifier is an email address (such as admin@xyz.com) then the value of this field could be email. | dn |

User login settings

| Field | Description | OpenLDAP Example value |
|---|---|---|
| User name | The name of the attribute of a user object, which is a unique field to identify a user. This field does not represent the user name entered by the user when logging in. The value for this field can be determined by looking at one or more user objects in the LDAP directory to determine which attribute consistently contains a unique user name. | uid |
| User search base | Specifies the location in the directory from which the LDAP search begins. The value of User search base must start with OU. See Example value for reference. | OU=idmtest,DC=adfshp,DC=com |
| User search filter | Specifies the general form of the LDAP query used to identify users during login. This field defines the login identifier that a user needs to use for login. It must include the pattern {expression}, which represents the user name entered by the user when logging in, for example, {0}. The filter uses the following example: (&(objectclass=person)(cn={0})). If you want to log in by email, use the following filter as an example: (mail={0}). | |
| Search subtree | When a user logs in, the LDAP directory is queried to find the user's account. The Search subtree setting controls the depth of the search under User search base. If you want to search for a matching user in the User search base and all subtrees under the User search base, make sure the Search subtree checkbox is selected. If you want to restrict the search for a matching user to only the User search base, excluding any subtrees, unselect the Search subtree checkbox. | |
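A pre-flight check for the User search filter and Search subtree settings, added here and not part of the product documentation: it rejects a template that lacks {0} or has unbalanced parentheses, escapes the login name per RFC 4515, and prints the equivalent ldapsearch command. The function names, server URI, bind DN and login "jsmith" are constructed, and mapping an unselected Search subtree to the one-level scope is an assumption.

```shell
#!/bin/sh
# Added example. Prints an ldapsearch command for review; it contacts no server.

# filter_is_balanced FILTER: succeed if every "(" has a matching ")".
# Literal parentheses inside values must already be escaped as \28 and \29.
filter_is_balanced() {
    _rest=$(printf '%s' "$1" | tr -cd '()' | sed -e ':a' -e 's/()//g' -e 'ta')
    [ -z "$_rest" ]
}

# escape_filter_value VALUE: escape the RFC 4515 special characters \ * ( ).
escape_filter_value() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# expand_filter TEMPLATE LOGIN: print TEMPLATE with every {0} replaced by the
# escaped login name. Fails on a template without {0} or with unbalanced parentheses.
expand_filter() {
    _tpl=$1
    _ph='{0}'
    case "$_tpl" in
        *"$_ph"*) ;;
        *) echo "template has no {0} placeholder: $_tpl" >&2; return 1 ;;
    esac
    filter_is_balanced "$_tpl" || { echo "unbalanced parentheses: $_tpl" >&2; return 1; }
    _val=$(escape_filter_value "$2")
    _out=""
    while :; do
        case "$_tpl" in
            *"$_ph"*)
                _head=${_tpl%%"$_ph"*}      # text before the first {0}
                _tpl=${_tpl#*"$_ph"}        # text after it
                _out="$_out$_head$_val"
                ;;
            *) break ;;
        esac
    done
    printf '%s\n' "$_out$_tpl"
}

# ldapsearch_cmd URI BIND_DN SEARCH_BASE SUBTREE(yes|no) TEMPLATE LOGIN
# Assumption: Search subtree selected -> scope "sub", unselected -> scope "one".
# Values containing a single quote are not supported by this printer.
ldapsearch_cmd() {
    _filter=$(expand_filter "$5" "$6") || return 1
    case "$4" in
        yes) _scope=sub ;;
        *)   _scope=one ;;
    esac
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' -s %s '%s' dn\n" \
        "$1" "$2" "$3" "$_scope" "$_filter"
}

# Search base and filter are the page's example values; the rest is constructed.
ldapsearch_cmd 'ldaps://ldap.example.com:636' 'cn=admin,dc=example,dc=com' \
    'OU=idmtest,DC=adfshp,DC=com' yes '(&(objectclass=person)(cn={0}))' 'jsmith'
```

Exactly one entry should come back for a valid login; zero or several means the filter or search base does not identify users uniquely.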

Complete the following SAML server settings.

| Field | Description |
|---|---|
| Display name | Display name for this configuration. |
| Server URL | Enter this URL: /samlmeta/<external IdP metadata.xml> For example: /samlmeta/metadata_external_idp.xml |

To bypass the SMAX login page and go directly to the SAML login page

You can go directly to the SAML login page by appending the AUTH=SAML parameter to the end of the SMAX login page URL.
For example: https://<FQDN>/saw/ess?TENANTID=xxxx&AUTH=SAML

To map the attributes between IdP and BO User

The following table shows the attributes mapping between External IdP and BO User.

| External IdP Attribute (for reference) | BO User Attribute |
|---|---|
| Login name | Name ID |
| First name | firstName |
| Middle name | middleName |
| Last name | familyName |
| Full name | fullName |
| Office phone number | officePhoneNumber |
| Home phone number | homePhoneNumber |
| Mobile phone number | mobilePhoneNumber |
| Language | language |
| Location | location |
| Zip code | zipCode |
| Email | email |

Password Policy tab

This tab enables you to configure password policy settings for this account.

| Field | Description |
|---|---|
| Upper and lower case | If this setting is enabled, at least one uppercase letter and one lowercase letter are required. |
| Numerical | If this setting is enabled, at least one numerical digit is required. |
| Special character | If this setting is enabled, at least one special character is required. |
| History check | If this setting is enabled, users cannot use their previous two passwords when they change passwords. |
| Minimum length | Specifies the minimum length of a password. |
| Maximum length | Specifies the maximum length of a password. |
| Expiration check | If this setting is enabled, the system requires users to change their passwords in a period of time specified in the Password age (days) field. |
| Password age (days) | Specifies the number of days that a password can be used before a user has to change it. |


Users


How to create a user


In the New User dialog box, provide all requested information. This dialog box requests values for the basic attributes.

| Field | Description |
|---|---|
| Login name | Enter the login name of the user. Less than sign (<) and greater than sign (>) cannot be used in this field. Note: • The login name for Integration user must be unique in the suite instance. • The login name cannot be changed after the user is created. • If the DB user login identifier field is set to Email for this account, you do not need to set the Login name field. |
| First name | Enter the first name of the user. Less than sign (<) and greater than sign (>) cannot be used in this field. |
| Middle name | Enter the middle name of the user. Less than sign (<) and greater than sign (>) cannot be used in this field. |
| Last name | Enter the last name of the user. Less than sign (<) and greater than sign (>) cannot be used in this field. |
| Full name | Enter the full name of the user. Less than sign (<) and greater than sign (>) cannot be used in this field. If no value is entered, the full name is set to the concatenation of first name and last name. |
| Suite admin user | Specify whether this user is a suite admin user. • If a suite admin user is not attached to a tenant, this user can only log in to Suite Administration. By default, this user has the Self-Service user role if this user is attached to a specific tenant. • Only a suite admin user can access CONFIGURATION, OPERATION HISTORY, and ACCESS CONTROL. • For a user that is not a suite admin user, you need to specify an account and role. |
| Account | Specify a parent account. This field appears only for a user who is not a suite admin user. Note: The account cannot be changed after the user is created. |
| Role | This field appears only for a user who is not a suite admin user. Select the user role: • Account user: Account user is defined to a specific customer account. This user can only log in to suite applications such as Service Management. • Integration user: Integration user is an API user for integration. This user is defined to a specific customer account. • Shared service admin: Applicable to provider accounts only. A shared service admin normally can perform the following tasks in Suite Administration: ⚬ Manage license and license pool. ⚬ Create and configure accounts and shared service tenants. ⚬ Manage the relationship between shared service agents and shared service tenants. ⚬ Create and manage account user, integration user, shared service admin, and shared service agent. Shared service admin is assigned the MT Administrator role in Service Management automatically. • Shared service agent: Applicable to provider accounts only. A shared service agent normally can perform the following tasks in Suite Administration: ⚬ Configure managed accounts and tenants assigned to the shared service agent. To do this, the suite admin user needs to add an Access Control List (ACL) for the shared service agent first. ⚬ Create and manage account user and integration user. Shared service agent is assigned the MT Agent role in Service Management automatically. The shared service agent cannot access the managed Service Management tenant when the assigned managed tenant is no longer managed by the provider tenant. |
| Language | Select a language. |
| Email | Enter the email of the user. Note: If the DB user login identifier field is set to Email for this account, the email must be unique for users (including all authentication types) in this account. The value of this field can be modified to support user login by using their latest email. |
| Authentication type | The authentication type can only be DB when creating new users via user interface. You can change the authentication type after the user is created. For more information, see How to edit or delete a user. |


How to edit a user


General tab

| Field | Description |
|---|---|
| Locked | You can set a user to be locked. • The locked user cannot be edited or deleted. • The locked user cannot log in to authorized Service Management Automation applications. • Profile of the locked user is not synced to suite applications. |
| Login name | Login name of the user. If the DB user login identifier field is set to Email for this account, you do not need to set the Login name field. |
| ID | User ID. |
| Customer UID | Displays the customer UID obtained from external user repositories such as LDAP, SAML IdP, or other stores. Applicable to users with LDAP or Federation authentication type only. |
| First name | First name of the user. |
| Last name | Last name of the user. |
| Middle name | Middle name of the user. |
| Full name | Full name of the user. |
| Email | Email of the user. If the DB user login identifier field is set to Email for this account, the email must be unique for users (including all authentication types) in this account. The value of this field can be modified to support user login by using their latest email. If you see the email is "<username>@dummy.com" for an LDAP/SAML user, possibly the user's actual email has not been synchronized to Suite Administration yet, or you have LDAP/SAML users with the same email. Check your system log for more information. |
| Authentication type | For information about modifying user authentication type, see Authentication type. |
| Account | Parent account. |
| Role | User role. |
| User type | User type. |
| Language | User language. |
| Home phone number | Home phone number of the user. |
| Office phone number | Office phone number of the user. |
| Mobile phone number | Mobile phone number of the user. |
| Zip code | Zip code of the user. |
| External ID | External ID of the user. |
| Description | The description that captures the details of the user. |
| Creation time | The time that the user was created. |
| Last modified time | The time that the user was modified. |

| Status | Description |
|---|---|
| Inactive | For users created via user interface, the user status is Inactive after the user record is created. Inactive users cannot log in to Service Management Automation. |
| Active | The user status becomes Active automatically when the user changes the password. |


Suite Administration for shared service providers


The proper permissions must be configured on both the provider tenant and the managed tenants for users to be
able to view or edit managed tenant records.
| Service Management tenant | Roles in Service Management installation | Applied to |
|---|---|---|
| Provider tenant | MT Administrator | Admin only. Users with this role can add MT agent to the managed tenants. Shared service admin created in |
| Provider tenant | MT Agent | All users who access managed tenant records. |
| Managed tenant | Service Request Manager (recommended) | All users who access request data for this managed tenant. If role not assigned, then applicable view and/or edit permissions on requests and all related record types (such as person, group, service) must be assigned to these users. |
| Managed tenant | Incident Manager (recommended) | All users who access incident data for this managed tenant. If role not assigned, then applicable view and/or edit permissions on incidents and all related record types (such as person, group, service) must be assigned to these users. |


License pools


How to create and edit a license pool


General tab
Field Description
ID License pool ID.

Name License pool name.

Description Description of the license pool.

License pool status You can change license pool status between Active and Inactive manually.
Status Description
Active Licenses can be added to an Active license pool.

Inactive Licenses cannot be added to an Inactive license pool.


Licenses


How to create and edit a license


License details
| Field | Description |
|---|---|
| ID | License ID. |
| Mode | Displays the license mode. Values include: Trial, Production, Evaluation, Non-Production. |
| Name | Full name of the customer. |
| Access type | Concurrent user: This license is based on the number of simultaneous users accessing Service Management. Named user: Only named users can access Service Management. The tenant admin needs to assign licenses to users in Service Management. |
| Edition | Express: Includes the following Service Management modules: Service Portfolio, Service Catalog, Time Period, Service Level, Vendor, Change, Release, Knowledge, SACM, Survey, Service Request, Incident, Problem, On-Call. Premium: Includes the following Service Management modules besides Express edition: Contract, Idea & Proposal, Application Portfolio, Project & Program, Software Asset, Financial, Procurement. |
| Start date | Start date of the license. |
| End date | End date of the license. Note: The maximum duration for a trial license is 90 days. |
| Capacity | Capacity of the license. |
| Product number | Identifier of the product activated by license. |
| Feature | Determines the licensable feature. |
| Feature version | Version obtained from the license file. Only applicable to Production and Evaluation licenses. |
| License pool | Displays the license pool ID if this license is added to a license pool. |
| Description | Description of the license. |
| License status | You can change the license status between Active and Inactive manually when the license is not added to a license pool. |
| Status | Description |
|---|---|
| Active | Only Active licenses can be added to a license pool. |
| Inactive | Inactive licenses cannot be added to a license pool. |
| Retired | The license status becomes Retired automatically when the license end date arrives. Retired licenses cannot be added to a license pool. Retired licenses cannot be edited or deleted. |


Assignments


Configurations
Configurations management enables you to configure the Service Management Automation suite settings.

Important: The suite takes several minutes to restart after you change the configurations.

Security tab
The Security tab enables you to configure Lightweight Single Sign-On (LW-SSO) and IdM settings. After installation, the Security tab contains out-of-the-box values for these settings. Micro Focus recommends that you reconfigure them with your own values after installation.

LW-SSO configuration
Lightweight Single Sign-On (LW-SSO) is a Micro Focus solution that enables a user to log on to one Micro Focus application and gain access to other Micro Focus applications without being prompted for login credentials. The applications that participate in LW-SSO trust the initial authentication and require no re-authentication when the user is moving from one application to another. LW-SSO shares between the applications a token that is signed with the same encryption key that must be configured in each application.

With LW-SSO, once users are logged in to the Service Management Automation suite, they can access their authorized suite capabilities without re-login. To configure LW-SSO in suite, complete the following settings.
| Field | Description |
|---|---|
| Domain | Enter the parent domain of your Service Management Automation installation. All applications in this domain can participate in LW-SSO. For example, if the suite domain is subdomain.domain.com, the domain value should be domain.com; if the suite domain is sample.subdomain.domain.com, the domain value should be subdomain.domain.com. |
| Encryption key | A string used for encrypting single sign-on tokens. It must match the encryption string that is configured in other applications that participate in LW-SSO (for example, UCMDB systems). The minimum length is 32 characters (letters and numbers). Do not use special characters. You must modify the Encryption key if you are working on a production environment. |
| Token expiration period (minutes) | Defines how long (in minutes) an LW-SSO token is valid for. When the specified time has elapsed, the LW-SSO token is no longer valid, and a re-login is required. |

IdM configuration
| Field | Description |
|---|---|
| Signing key | This is a key for signing IdM tokens when you configure SAML for an "SM integration" tenant. The key must be at least 32 characters long, and contain both letters and numbers. |
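The key and domain rules stated for the LW-SSO and IdM settings, as an added example (not Micro Focus code): a generator and checker for replacement Encryption key and Signing key values, plus the parent-domain rule for the Domain field. Assumptions: the stricter Signing key rule (both letters and numbers) is applied to both keys, the distinct-character threshold is a heuristic added here, and all function names are hypothetical.

```python
"""Generate and check LW-SSO Encryption key / IdM Signing key values (added example)."""
import re
import secrets
import string

MIN_KEY_LENGTH = 32  # minimum length stated for both keys
ALPHABET = string.ascii_letters + string.digits  # letters and numbers, no special characters
MIN_DISTINCT = 16  # heuristic added for this example, not a product rule


def key_problems(key):
    """Return the reasons `key` should not be used; an empty list means it passes."""
    problems = []
    if len(key) < MIN_KEY_LENGTH:
        problems.append("shorter than 32 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", key):
        problems.append("contains characters other than letters and numbers")
    if not (re.search(r"[A-Za-z]", key) and re.search(r"[0-9]", key)):
        problems.append("does not contain both letters and numbers")
    if len(set(key)) < MIN_DISTINCT:
        # A repeated word can meet every stated rule and still be easy to guess.
        problems.append("too few distinct characters")
    return problems


def generate_key(length=48):
    """Draw a key from the OS CSPRNG and retry until it passes every check."""
    if length < MIN_KEY_LENGTH:
        raise ValueError("length must be at least %d" % MIN_KEY_LENGTH)
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not key_problems(key):
            return key


def lwsso_domain(suite_fqdn):
    """Derive the Domain field value: the suite host name minus its first label."""
    labels = suite_fqdn.strip().rstrip(".").lower().split(".")
    # Assumption: with fewer than three labels the parent would be a bare
    # top-level domain, which is not a usable shared domain.
    if len(labels) < 3 or not all(labels):
        raise ValueError("need a host name with at least three labels")
    return ".".join(labels[1:])


if __name__ == "__main__":
    print("LW-SSO domain :", lwsso_domain("sample.subdomain.domain.com"))
    print("Encryption key:", generate_key())
    print("Signing key   :", generate_key())
    # Constructed weak value: long enough and alphanumeric, but only 8 distinct characters.
    print("Weak sample   :", key_problems("Password1" * 4))
```

Use separate generated values for the Encryption key and the Signing key; the same Encryption key must then be entered in every application that participates in LW-SSO.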

Email service tab
The email service enables the system to send email notifications to any mail server that supports Simple Mail Transfer Protocol (SMTP) or Exchange Web Services (EWS). Configuring the email service is mandatory before you can use email related features such as email notifications and survey. To configure the suite level email service, complete the following settings.
| Field | Description |
|---|---|
| Mail server host | Enter the name of the mail server host that is used for sending email notifications. It can be the IP address, machine name, or DNS name of the mail server. |
| Mail protocol | Select SMTP or EWS as the mail server type. |
| SMTP server port (for SMTP only) | Enter the communications port that the SMTP mail server uses. |
| Mail from | Enter the email address identified as email sender. Make sure that this email address is in the allowed reply email list configured in the mail server. |
| Authentication required | If the mail server requires authentication, turn on this switch and enter the user name and password. If the mail server does not require authentication, turn off this switch and keep user name and password fields blank. |
| User name | Enter the user name of the account used for mail server authentication. |
| Password | Enter the password of the account used for mail server authentication. |
| Certificate (for SMTP only) | Select a certificate used by SMTP server: Enable TLS, Enable SSL, or Plain. See the Important note and the trust store procedure that follow this table. |
| Enable NTLM (for EWS only) | If your Exchange Server requires domain information for authentication, turn on this switch to enable the Domain field. |
| Domain (for EWS only) | Enter the domain of the account used for mail server authentication. |
| Service path (for EWS only) | Enter the EWS service path (for example, EWS/Exchange.asmx) for the full EWS service URL. The full EWS service URL consists of Mail server host and Service path. |
| Version (for EWS only) | Select the version of Exchange Server. If you are unable to find a match, select the latest version prior to the version of your Exchange Server. |

Important (Certificate field): Enable TLS is strongly recommended. By selecting Enable SSL or Plain instead of Enable TLS, you are disabling or bypassing security features, thereby exposing the system to increased security risks. By using this option, you understand and agree to assume all associated risks and hold Micro Focus harmless for the same. In case the certificate is changed to Enable SSL or Plain, Micro Focus encourages the customer to add relevant protection measures to protect against risks associated with the selected certificate, which is not provided by Micro Focus. By not implementing relevant protection measures you may be exposing the system to increased security risks. You understand and agree to assume all associated risks and hold Micro Focus harmless for the same. It remains at all times the Customer’s sole responsibility to assess its own regulatory and business requirements. Micro Focus does not represent or warrant that its products comply with any specific legal or regulatory standards applicable to Customer in conducting Customer's business.

If the certificate of your SMTP server is not in the trust store, you need to:
1. On the NFS server, upload the certificate to the <SMA global NFS share directory>/certificate/source folder.
   For example: /var/vols/itom/itsma/itsma-itsma-global/certificate/source.
2. On the master node, restart the itom-bo-config pod and itom-xruntime-platform pod.
   For example:

    # List the pods to find their generated names
    kubectl get pods -n itsma1 | grep itom-xruntime-platform
    itom-xruntime-platform-755f55d699-rg7kk 2/2 Running 0 1h
    itom-xruntime-platform-offline-7859f49f78-5qn28 2/2 Running 0 1h
    # Delete the listed pods so that they are recreated
    kubectl delete pod -n itsma1 itom-xruntime-platform-755f55d699-rg7kk
    kubectl delete pod -n itsma1 itom-xruntime-platform-offline-7859f49f78-5qn28

Click Test connection to verify the server connectivity. If the mail server can be connected successfully, click Save.

LDAP for CMS tab
This tab includes the LDAP settings that enable LDAP users to log in to the CMS instance and Service Management without re-authentication.

Caution: The external LDAP server must not contain the following internal users: sysadmin, admin, UISysadmin, and intgAdmin. The sysadmin user is a super administrator account, and the rest of the users are used by UCMDB to communicate with the data flow probe, UCMDB Browser, and Service Management, respectively.

LDAP server settings
| Field | Description | OpenLDAP example value |
|---|---|---|
| Hostname | The fully-qualified domain name (server.domain.com) or IP address of the LDAP server. | |
| Port | The port used to connect to the LDAP server (by default, 389). | 389 |
| Base DN | Base distinguished name. The Base DN is the top level of the LDAP directory that is used as the basis of a search. | dc=Service Management Automation,dc=com |
| User ID (Full DN) | The fully distinguished name of any user with authentication rights to the LDAP server. | cn=admin,dc=Service Management Automation,dc=com |
| Password | Password of the User ID. If the LDAP server does not require a User ID or password for authentication, this value can be omitted. | |
| Enable SSL | If your LDAP server is configured to require ldaps (LDAP over SSL), select the Enable SSL checkbox. | |
| Search subtree | When a user logs in, the LDAP directory is queried to find the user's account. The Search subtree setting controls the depth of the search under User search base. If you want to search for a matching user in the User search base and all subtrees under the User search base, make sure the Search subtree checkbox is selected. If you want to restrict the search for a matching user to only the User search base, excluding any subtrees, unselect the Search subtree checkbox. | |

LDAP user settings


| Field | Description | OpenLDAP example value |
|---|---|---|
| Email | Email address of the user. | mail |
| First name | First name of the user. | givenName |
| Last name | Family name of the user. | |
| Phone | Phone number of the user. | |
| User avatar | The LDAP attribute whose value is the URL to a user avatar image that is displayed for the logged-in user. If no avatar is specified, a default avatar image is used. | jpegPhoto |
| User base DN | Base distinguished name for the User object. The User Base DN is the top level of the LDAP directory that is used as the basis of a search for the User object. | ou=people,dc=itsma,dc=com |
| User class | Value of objectClass that is used to identify the user. | inetOrgPerson |
| User filter | Specifies the general form of the LDAP query used to identify users during login. It must include the pattern {0}, which represents the user name entered by the user when logging in. The filter must use the following format: (&(objectclass=*)(cn=falcon)) | (objectclass=inetOrgPerson) |
| User display name | The display name of the user. | cn |
| User manager ID | The name of the attribute of a user object that identifies the manager of the user. | manager |
| User manager ID value | The name of the attribute of a user object that describes the value of the Manager Identifier's attribute. For example, if the value of the Manager Identifier attribute is a distinguished name (such as cn=John Smith, ou=People, o=xyz.com) then the value of this field could be dn (distinguished name). Or, if the Manager Identifier is an email address (such as admin@xyz.com) then the value of this field could be email. | dn |
| User last modified | The LDAP attribute that stores the timestamp when an object was last updated. | modifyTimestamp (for OpenLDAP); whenChanged (for Active Directory) |
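How the {0} pattern in the User filter expands at login, as an added example (not the product's code): a pre-save check of a filter template and an expansion that escapes the login name per RFC 4515. Assumptions: the sample template is constructed from the attribute names in the table above, the function names are hypothetical, and the page does not state whether the product escapes the login name itself.

```python
"""Check an LDAP user filter template and expand its {0} placeholder (added example)."""
import re

PLACEHOLDER = "{0}"
# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a login name so that it can only ever be a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def template_problems(template):
    """Return the reasons a filter template is unusable; empty means it passes."""
    problems = []
    if PLACEHOLDER not in template:
        problems.append("missing {0} placeholder")
    elif not re.search(r"=[^()=]*\{0\}", template):
        problems.append("{0} is not in the value part of an attribute=value test")
    if not (template.startswith("(") and template.endswith(")")):
        problems.append("filter is not wrapped in parentheses")
    # Escaped parentheses are written \28 and \29, so every literal
    # parenthesis in a valid filter is structural and can be counted.
    depth = 0
    closed_early = False
    for index, ch in enumerate(template):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break
            if depth == 0 and index < len(template) - 1:
                closed_early = True
    if depth != 0:
        problems.append("unbalanced parentheses")
    elif closed_early:
        problems.append("more than one top-level filter")
    return problems


def expand(template, user_name):
    """Substitute the escaped login name for {0}; reject a broken template."""
    problems = template_problems(template)
    if problems:
        raise ValueError("; ".join(problems))
    # str.replace does not rescan inserted text, so a login name that
    # itself contains "{0}" is not expanded a second time.
    return template.replace(PLACEHOLDER, escape_filter_value(user_name))


if __name__ == "__main__":
    # Constructed template and login names, for illustration only.
    sample = "(&(objectclass=inetOrgPerson)(cn={0}))"
    print(expand(sample, "falcon"))
    print(expand(sample, "*)(uid=*"))  # metacharacters stay literal after escaping
    print(template_problems("(objectclass=inetOrgPerson)"))
```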

LDAP group settings


| Field | Description | OpenLDAP example value |
|---|---|---|
| Group DN | Base distinguished name for the Group object. The Group Base DN is the top level of the LDAP directory that is used as the basis of a search for the Group object. | ou=groups,dc=Service Management Automation,dc=com |
| Group class | Value of objectClass that is used to identify the Group object. | groupOfUniqueNames |
| Group base filter | Specifies the general form of the LDAP query used to identify user groups during login. It must use a standard search filter syntax for your LDAP server. | (objectclass=groupOfUniqueNames) |
| Group name | Base distinguished name. The Base DN is the top level of the LDAP directory that is used as the basis of a search. | |
| Group membership | The name of the attribute(s) of a group object that identifies a user as belonging to the group. If multiple attributes convey group membership, the attribute names should be separated by a comma. If no name is entered, default values are used. | member, uniqueMember |
| Admin group | A group which has admin privileges. This is a group which you could assign to some LDAP users and manage the LDAP. | cn=administrators,ou=groups,dc=itsma,dc=com |
| Group description | Description of the group. | |

Double-click a Smart Analytics component in the Service Management Components list.


| Name | Host | Port | Component description |
|---|---|---|---|
| XService Content 1 | smarta-saw-con-1-svc | 10010 | Stores indexed records from the latest 3 months for Service Management Automation X Smart Search |
| XService Content 2 | smarta-saw-con-2-svc | 10010 | Stores indexed records from the latest 3 months for Service Management Automation X Smart Search |
| XService DAH | smarta-saw-dah-svc | 9060 | Supports querying records from the latest 3 months for Service Management Automation X Smart Search |
| XService DIH | smarta-saw-dih-svc | 31370 | Supports indexing records from the latest 3 months for Service Management Automation X Smart Search |
| XService Archive Content 1 | smarta-sawarc-con-1-svc | 10010 | Stores indexed records older than 3 months for Service Management Automation X Smart Search |
| XService Archive Content 2 | smarta-sawarc-con-2-svc | 10010 | Stores indexed records older than 3 months for Service Management Automation X Smart Search |
| XService Archive DAH | smarta-sawarc-dah-svc | 9060 | Supports querying records older than 3 months for Service Management Automation X Smart Search |
| XService Archive DIH | smarta-sawarc-dih-svc | 31370 | Supports indexing records older than 3 months for Service Management Automation X Smart Search |
| XService Metadata Content 1 | smarta-sawmeta-con-1-svc | 10010 | Stores indexed metadata for Service Management Automation X Smart Search |
| XService Metadata Content 2 | smarta-sawmeta-con-2-svc | 10010 | Stores indexed metadata for Service Management Automation X Smart Search |
| XService Metadata DAH | smarta-sawmeta-dah-svc | 9060 | Supports querying metadata records for Service Management Automation X Smart Search |
| XService Metadata DIH | smarta-sawmeta-dih-svc | 31370 | Supports indexing metadata records for Service Management Automation X Smart Search |
| Smart Ticket Agentstore | smarta-stx-agent-svc | 9050 | Stores agents and profiles |
| Smart Ticket Category | smarta-stx-category-svc | 9020 | Supports the categorize action for Smart Ticket |
| Smart Ticket DAH | smarta-stx-dah-svc | 9060 | Supports the query action for Smart Ticket |
| Smart Ticket Image Server | smarta-stx-imgsvr-svc | 18000 | Analyzes and extracts content in images |

Note that some action commands only work with certain Smart Analytics components in the suite. Refer to the
following table for detailed descriptions.
| Action name | Action example | Description | Allowed component | Allowed port |
|---|---|---|---|---|
| View Status | http://<Host>:<port>/action=GetStatus | Requests details of all components. Checks whether all components are up and running; checks how many documents are in each database. | all | <Host>:<ACI_Port> |
| View Action History | http://<Host>:<port>/action=GRL&format=xml | Displays a log of requests, including the date and time that a request was made, the client IP address that made the request, and the internal thread that handled the action. | all | <Host>:<ACI_Port> |
| View Index Status | http://<Host>:<port>/action=indexerGetStatus | Checks the status of index actions in the Smart Analytics index queue. | dih; content | smarta-<*>-dih-svc:31370 (dih); <CONTENT_SERVICE>:10010 (content) |
| View Root Category Detail | http://<Host>:<port>/action=CategoryGetHierDetails | Displays the root categories after training. | category | smarta-stx-category-svc:9020 |
| Back up Component | http://<Host>:<port>/action=BackupServer&path=/var/backup | Creates a backup that can be used to restore the component’s state. You can use this action for the Content and Category components. The backup file is stored in the path that you specified. | content; category | <CONTENT_SERVICE>:10010 (content); smarta-stx-category-svc:9020 (category) |
| Restore Content Server | http://<Host>:<port>/action=RestoreServer&filename=/var/backup/***.zip | Restores the content of a content server that was previously backed up. | content | <CONTENT_SERVICE>:10010 |
| Synchronize Category | http://<Host>:<MainProxyACIPort>/action=CategorySyncCatDRE | Synchronizes and builds the category after you restore the Category component. | category | smarta-stx-category-svc:9020 |
| Back up Database | http://<Host>:<indexPort>/DREEXPORTIDX?filename=c:/BackupFolderName/FilePrefix&DatabaseMatch=<Database_name>&HostDetails=true | Exports all the index documents for a database from the Smart Analytics content server to a series of compressed files in the defined backup directory. This action backs up individual databases. If you want to back up all databases on a content server, use the action Backup Component as mentioned above. | dih; content | smarta-<*>-dih-svc:31371 (dih); <CONTENT_SERVICE>:10011 (content) |
| Restore Database | http://<MainProxyHost>:<IndexPort>/DREADD?FileName=/var/backup/***.idx&DREDbName=***&CreateDatabase=True | Restores the index IDX exported before. If no DREDbName is specified, use the dbname of the indexed file. | dih; content | smarta-<*>-dih-svc:31371 (dih); <CONTENT_SERVICE>:10011 (content) |


Operation history
You can filter the records by job ID or operation type.


Access control


How to create and edit an Access Control List (ACL)


Change the suite-admin password

The suite-admin user's password expires 90 days after the suite installation. When the password has expired, you are prompted to change the password at login. Each new password takes effect immediately and will expire in 90 days. This means you are required to change the suite-admin user's password every 90 days. You can also change the password before it expires, using the Change password option available from My Home.

Note: If you find yourself unable to log in to the Suite Administration interface immediately after a password change, it is probably because the suite-admin user account is locked out (for example, due to too many invalid login attempts). Wait for 90 minutes so that the user account is unlocked, and then retry.


Administer Service Management


Studio


Fields


Field properties
The first column of the fields table displays indicator tags for the fields:

Analytic field. Can be added to analytic reports.

Operational field. Can be added to operational reports.

When you select a field, its properties appear in the right pane.
| Property | Description |
|---|---|
| Name | The name of the field. This field is required. Caution: The name of out-of-the-box fields is always in upper camel case. For example: ChangeCausedByRequest. You must follow this naming style. The names of all custom fields must end with _c. This suffix is added automatically. You do not need to enter it manually. |
| Domain | This property is read-only. |
| System | If selected, the field is a system field. You may not edit a system field. Note: You may not select this for a custom field. |
| Multilingual label | The label of the field which Service Management displays in the user interface. This field is required. |
| Logical type | The field type. This field is required. For more information, see Logical type details. |
| Enable sort | If selected, a user may sort the field when it appears in a record list by clicking the column header. |
| Enable search | If selected, a user may filter and report using this field. Note: A maximum of 2 fields per record may be defined as searchable. |
| Encrypted | If selected, the field is encrypted and can only be viewed by members of the selected encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and RICH_TEXT. |
| Encryption domain | Select the encryption domain used for this field. Only appears when Encrypted is selected. For more information on encryption domains, see Encryption domains. |
| Enforce uniqueness | If selected, the value entered in the field must be unique. Note: If it is a custom field, this property does not take effect. |
| Required | If selected, this is a required field for the record. |
| Read only | If selected, a user may not change the value of the field. |
| Hidden | If selected, the field is visible only in the Fields Editor. |
| Tooltip | The text that appears when you move the pointer over the field. |
| Placeholder | The text that appears when the field is empty. You can use this to give instructions or reminders to users. |

Logical type details


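| Type | Description | Maximum length | Search [5] | Sort [6] | Maximum number of fields per record [1] |
|---|---|---|---|---|---|
| SMALL_TEXT | Text | 140 | Yes | Yes | 40 (SMALL_TEXT, MEDIUM_TEXT, EMAIL, and URL combined) |
| MEDIUM_TEXT | Text | 500 [9] | No | Yes | 40 (SMALL_TEXT, MEDIUM_TEXT, EMAIL, and URL combined) |
| EMAIL | Text | 254 | No | Yes | 40 (SMALL_TEXT, MEDIUM_TEXT, EMAIL, and URL combined) |
| URL | Text | 2,048 | No | No | 40 (SMALL_TEXT, MEDIUM_TEXT, EMAIL, and URL combined) |
| BOOLEAN | Boolean | - | Yes | Yes | 19 |
| LARGE_TEXT | Text | Up to 1,000,000 [9, 10] | No | No | 15 (LARGE_TEXT, RICH_TEXT, and COMPLEX_TYPE combined) |
| RICH_TEXT [1] | Text | Up to 1,000,000 [9, 10] | No | No | 15 (LARGE_TEXT, RICH_TEXT, and COMPLEX_TYPE combined) |
| COMPLEX_TYPE [2] | Text | 1,000,000 | No | No | 15 (LARGE_TEXT, RICH_TEXT, and COMPLEX_TYPE combined) |
| IMAGE [2] | Text | 2,048 | No | No | 40 |
| INTEGER | Numeric - integer | - | Yes | Yes | 8 |
| DOUBLE | Numeric - double | - | Yes | Yes | 8 (DOUBLE and PERCENTAGE combined) |
| PERCENTAGE | Numeric - double | - | Yes | Yes | 8 (DOUBLE and PERCENTAGE combined) |
| DATE | Date | - | Yes | Yes | 8 (DATE and DATE_TIME combined) |
| DATE_TIME | Date and time | - | Yes | Yes | 8 (DATE and DATE_TIME combined) |
| ENUM [3] | Enumeration value | - | Yes | Yes | 10 |
| ENUM_SET [8] | Enumeration values | - | Yes | Yes | 0 |
| ENTITY_LINK [4] | Record reference | - | Yes | Yes | 12 |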


Create a field
Edit the properties as required.
| Property | Description |
|---|---|
| Name | The name of the field. This field is required. Caution: The name of out-of-the-box fields is always in upper camel case. For example: ChangeCausedByRequest. You must follow this naming style. The names of all custom fields must end with _c. This suffix is added automatically. You do not need to enter it manually. |
| Domain | This property is read-only. |
| System | If selected, the field is a system field. You may not edit a system field. Note: You may not select this for a custom field. |
| Multilingual label | The label of the field which Service Management displays in the user interface. This field is required. |
| Logical type | The field type. This field is required. For more information, see Logical type details. |
| Enable sort | If selected, a user may sort the field when it appears in a record list by clicking the column header. |
| Enable search | If selected, a user may filter and report using this field. Note: A maximum of 2 fields per record may be defined as searchable. |
| Encrypted | If selected, the field is encrypted and can only be viewed by members of the selected encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and RICH_TEXT. |
| Encryption domain | Select the encryption domain used for this field. Only appears when Encrypted is selected. For more information on encryption domains, see Encryption domains. |
| Enforce uniqueness | If selected, the value entered in the field must be unique. |
| Required | If selected, this is a required field for the record. |
| Read only | If selected, a user may not change the value of the field. |
| Hidden | If selected, the field is visible only in the Fields Editor. |
| Tooltip | The text that appears when you move the pointer over the field. |
| Placeholder | The text that appears when the field is empty. You can use this to give instructions or reminders to users. |

Edit the properties as required.


| Property | Description |
|---|---|
| Name | The name of the relation field. |
| Multilingual label | The display label of the relation field. |
| Opposite label | The display label of the relation field on the target record type. |
| Logical type | This property is read only and can only be MANY2MANY. |
| Target Entity | The target entity (record type) of the relation. Note: If the source record type is an out-of-the-box record type, only a custom record type can be selected. |


Edit a field
To edit the field, make the required changes to the properties in the right pane.

Name This property is read-only.

Domain This property is read-only.

System This property is read-only.

Multilingual label The label of the field which Service Management displays in the user interface. This field is required. Note: Changes made to the Multilingual label property take effect as soon as you click outside of the property, before you click Save.

Logical type The field type. This property is read-only.

Enable sort If selected, a user may sort the field when it appears in a record list by clicking the column header.

Enable search If selected, a user may filter and report using this field. Note: A maximum of 2 fields per record may be defined as searchable.

Encrypted If selected, the field is encrypted and can only be viewed by members of the selected encryption domain. Only relevant for fields of type MEDIUM_TEXT, LARGE_TEXT, and RICH_TEXT.

Encryption domain Select the encryption domain used for this field. Only appears when Encrypted is selected. For more information on encryption domains, see Encryption domains.

Enforce uniqueness If selected, the value entered in the field must be unique.

Required This property is read-only.

Read only If selected, a user may not change the value of the field.

Hidden If selected, the field is visible only in the Fields Editor.

Tooltip The text that appears when you move the pointer over the field.

Placeholder The text that appears when the field is empty. You can use this to give instructions or reminders to users.


Calculated fields
Note: If you have development and production tenants, all configuration changes must be made on the
development tenant. For more information about synchronizing the tenants, see Dev2Prod - How to synchronize
your development and production tenants.
Logical type details
1
Type Description Maximum length Maximum number of fields per record
INTEGER Numeric - integer - 15

MEDIUM_TEXT Text 5002 5

BOOLEAN Boolean - 5


Calculated field templates

You use a calculated field template when you add a calculated field to a record type. The following templates are
available:
Template | Parameters | Description
Field value changes count | field | Integer. Number of times the value of the selected field changed. Note: If you use this template for a calculated field, when a new record is created: if the relevant field is then populated, that is counted as a change; if the relevant field is not populated, it is not counted as a change until the field is later populated.
Was record in phase | phase | Boolean. Whether the record was ever in the selected phase.
Was field assigned with value | field value | Boolean. Whether the selected field was ever populated with the specified value.
Phase duration | phase | Total time the record was in a selected phase. Note: If the record is in the selected phase more than once, the phase duration is the total accumulated time spent in the phase.
Duration between phases | entered/exited phase | Total time between the following: the record entering (or exiting) the first specified phase, and the record entering (or exiting) the second specified phase. Note: Where the record enters (or exits) the second specified phase more than once, the time is measured to the last entry or exit.
Duration between events | field to/from value | Total time between the following: first selected field changing to (or from) a value, and another selected field changing to (or from) a value. Note: Where the second field changes to (or from) a value more than once, the time is measured to the first change to (or from) a value, as appropriate.


Generic relationship fields


Cross-record field mapping


Mapping records created from a change record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from a change record.

Change record to new change model
Change record field
Remediation plan

Build and test required

Category

Change type

Description

Emergency

Impact

Implementation plan

Owning group

Owner

Reason for change

Risk

Service

Change record to new change template


Change record field
Remediation plan

Build and test required

Category

Change type

Description

Emergency

Impact

Implementation plan

Owning group

Owner

Reason for change


Risk

Service

Change record to new change record


Change record field
Category

Data domains

Device affected by change

Impact

Owning group

Service

System element affected by change

Urgency

Change record cloned to new change record


Change record field or section
Description

Change model

Category

Reason for change

Justification

Scheduled duration

Scheduled DT duration

Service

Involved CIs (section)

Urgency

Plan and execute (section)

Approvals (section)

Change record to new incident record


Change record field Incident record field
Category Category


Data domains Data domains

Device affected by change Device affected by incident

System element affected by change System element affected by incident

Service Service

Change record to new knowledge article record


Change record field Article record field
Title Title

Description Article Content

Actual service.Containment Service

Change record to new news article record


Change record field Article record field
Title Title

Description Article Content

Actual service.Containment Service

Scheduled DT start Event from

Scheduled DT end Event until

Change record to new release record


Change record field Release record field
Title Title

Description Description

Data domains Data domains

Service Service


Mapping records created from an incident record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from an incident record.

Incident record to new incident model
Incident record field
Assignee

Assignment group

Case exchange

Case exchange external operation

Category

Completion code

Description

First touch

Impact

Knowledge candidate

Location

Major incident team

Owner

Problem candidate

Service

Service desk group

Solution

Status

Title

Urgency

Incident record to new incident template


Incident record field
Assignee

Assignment group

Case exchange

Case exchange external operation


Category

Completion code

Description

First touch

Impact

Knowledge candidate

Location

Major incident team

Owner

Problem candidate

Service

Service desk group

Solution

Status

Title

Urgency

Incident record to new incident record


Incident record field
Category

Data domains

Description

Device affected by incident

Impact

Service

Solution

System element affected by incident

Title

Urgency

Incident record to new change record


Incident record field Change record field


Category Category

Data domains Data domains

Description Description

Device affected by incident Device affected by change

Impact Impact

Service Service

Solution Solution

System element affected by incident System element affected by change

Title Title

Urgency Urgency

Incident record to new problem record


Incident record field Problem record field
Category Category

Data domains Data domains

Description Description

Device affected by incident Device affected by problem

Impact Impact

Service Service

Solution Workaround

System element affected by incident System element affected by problem

Title Title

Urgency Urgency

Incident record to new request record


Incident record field Request record field
Category Category

Data domains Data domains

Description Description

Device affected by incident Device affected by request


Impact Impact

Service Service

System element affected by incident System element affected by request

Title Title

Urgency Urgency

Incident record to new knowledge article record


Incident record field Article record field
Title Title

Resolution Article Content

Actual service.Containment Service

Incident record to new news article record


Incident record field Article record field
Title Title

Description Article Content

Actual service.Containment Service

Incident create time Event from

Expected resolution time Event until


Mapping records created from a problem record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from a problem record.

Problem record to new problem template
Problem record field
Category

Deferral code

Estimated cost

Estimated person days

Impact

Known error

Owner

Owning group

Priority

Process ID

Recorded by

Root cause

Service

Solution

Status

Symptoms

Workaround

Problem record to new change record


Problem record field Change record field
Category Category

Data domains Data domains

Device affected by problem Device affected by change

Service Service

Solution Description

Symptoms Justification

System element affected by problem System element affected by change


Urgency Urgency

Problem record to new knowledge article record


Problem record field Article record field
Title Title

Workaround + Root cause + Solution Article Content

Actual service.Containment Service

Problem record to new news article record


Problem record field Article record field
Title Title

Description Article Content

Actual service.Containment Service

Problem create time Event from


Mapping records created from a request record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from a request record.

Request record to new incident record
Request record field Incident record field
Category Category

Data domains Data domains

Description Description

Device affected by request Device affected by incident

Expected resolution time Expected resolution time

Help desk group Service desk group

Impact Impact

Priority Priority

Report location Location

Requested by Reported by

Service Service

System element affected by request System element affected by incident

Title Title

Urgency Urgency

Request record to new article record


Request record field Article record field
Title Title

Solution Article Content

Actual service.Containment Service

Request record to new idea record


Idea record field Change record field
Title Title

Reported by Created by

Description Description


Mapping records created from a service definition record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from a service definition record.

Service definition record to new article or news record
Change record field Article record field
Description Article Content

Title Title

ID Service


Mapping records created from an idea record

The following tables list those fields and associations whose contents are, by default, copied to a record created
from an idea record.

Idea record to new proposal record
Idea record field Proposal record field
Title Title

Description Description

Idea record to new change record


Idea record field Change record field
Title Title

Created by Reported by

Description Description


Forms


Forms overview
The following table lists the out-of-the-box forms provided for the different modules, with their uses:
Record type | Form | Module | Description
Actual Service | Full ActualService form | SACM > Actual Services | View full details of an actual service.
Actual Service | New ActualService form | SACM > Actual Services | Define a new actual service.
Actual Service | Preview ActualService form | SACM > Actual Services | Quick preview of an actual service (right pane).
Actual Service | portalPreview | SACM > Actual Services | Preview of the service as displayed in the Service Portal: portal menu > Assets and Services.
Agreement | Full Agreement form | Service Level > Service Level Agreements | View full details of a service level agreement.
Agreement | New Agreement form | Service Level > Service Level Agreements | Define a new service level agreement.
Agreement | Preview Agreement form | Service Level > Service Level Agreements | Quick preview of a service level agreement (right pane).
Article | Full Article form | Knowledge | View full details of an article.
Article | New Article form | Knowledge | Define a new article.
Article | Preview Article form | Knowledge | Quick preview of an article (right pane).
Asset Model | Full AssetModel form | SACM > Asset Models | View full details of an asset model.
Asset Model | New AssetModel form | SACM > Asset Models | Define a new asset model.
Asset Model | newAssetModelWithoutParentModel | SACM > Asset Models | Define a new asset model through the tree view.
Asset Model | Preview AssetModel form | SACM > Asset Models | Quick preview of an asset model (right pane).
Brand | Full Brand form | Vendor > Brands | View full details of a brand.
Brand | New Brand form | Vendor > Brands | Define a new brand.
Brand | Preview Brand form | Vendor > Brands | Quick preview of a brand (right pane).


Change | Full Change form | Change | View full details of a change.
Change | New Change form | Change | Define a new change.
Change | Preview Change form | Change | Quick preview of a change (right pane).
Change | changeSchedule form | Change | View and edit scheduled and actual times for a change.
Change | changeInvolvedCisForm | Change > Involved CIs tab | Define CIs involved in the change.
Change | previewCalendar | Change > Calendar | Preview of a change in the change calendar.
Change | changePlan | Change > Plan and execute tab | View, edit and create a task plan for a change.
Company | Full Company form | Vendor > Vendors | View full details of a vendor.
Company | New Company form | Vendor > Vendors | Define a new vendor.
Company | Preview Company form | Vendor > Vendors | Quick preview of a vendor (right pane).
Contract | <Contract forms> | Contract | Define a new contract and view full details of a contract for each contract type: Lease schedule, License, Maintenance, Master agreement, Master lease, Non-disclosure agreement, Purchase, Service, Warranty.
Contract | Full Contract form | Contract | Define and view full details of a custom contract (not one of the out-of-the-box types).
Contract | New Contract form | Contract | Deprecated.
Contract | Preview Contract form | Contract | Preview of the search result on the Contract Management page.
Contract | Preview Grid form | Contract | Quick preview of a contract (right pane).
Cost center | Full CostCenter form | Financials > Cost Centers | View full details of a cost center.
Cost center | New CostCenter form | Financials > Cost Centers | Define a new cost center.
Cost center | NewCostCenterWithoutParentModel | Financials > Cost Centers | Define a new cost center that has no parent model.
Cost center | Preview CostCenter form | Financials > Cost Centers | Quick preview of a cost center (right pane).


Cost type | Full CostType form | Financials > Cost Types | View full details of a cost type.
Cost type | New CostType form | Financials > Cost Types | Define a new cost type.
Cost type | Preview CostType form | Financials > Cost Types | Quick preview of a cost type (right pane).
Device | Full Device form | SACM > Devices | View full details of a device.
Device | New Device form | SACM > Devices | Define a new device.
Device | Preview Device form | SACM > Devices | Quick preview of a device (right pane).
Device | hardware form | SACM > Devices | Edit the details of a device in the Hardware tab.
Device | software form | SACM > Devices | Edit the details of a device in the Software tab.
Device | network form | SACM > Devices | Edit the details of a device in the Network tab.
Device | financial form | SACM > Devices | Edit the details of a device in the Finance tab.
Device | portalPreview | SACM > Devices | Preview of the device as displayed in the Service Portal: portal menu > Assets and Services.
Entitlement Rule | Full EntitlementRule form | People > Entitlement Rules | View full details of an entitlement rule.
Entitlement Rule | New EntitlementRule form | People > Entitlement Rules | Define a new entitlement rule.
Entitlement Rule | Preview EntitlementRule form | People > Entitlement Rules | Quick preview of an entitlement rule (right pane).
Fixed asset | Full FixedAsset form | Financials > Fixed Assets | View full details of a fixed asset.
Fixed asset | New FixedAsset form | Financials > Fixed Assets | Define a new fixed asset.
Fixed asset | Preview FixedAsset form | Financials > Fixed Assets | Quick preview of a fixed asset (right pane).
Fulfillment Plan | Full FulfillmentPlan form | Service Catalog > Fulfillment Plans | View full details of a fulfillment plan.
Fulfillment Plan | New FulfillmentPlan form | Service Catalog > Fulfillment Plans | Define a new fulfillment plan.
Fulfillment Plan | Preview FulfillmentPlan form | Service Catalog > Fulfillment Plans | Quick preview of a fulfillment plan (right pane).
Group | Full PersonGroup form | People > Groups | View full details of a group.
Group | New PersonGroup form | People > Groups | Define a new group.
Group | Preview PersonGroup form | People > Groups | Quick preview of a group (right pane).
Group | relatedGroups | People > Groups | View related groups in the Related groups tab.


Idea | Full Idea form | Idea & Proposal < Ideas | View full details of an idea.
Idea | New Idea form | Idea & Proposal < Ideas | Define a new idea.
Idea | Preview Idea form | Idea & Proposal < Ideas | Quick preview of an idea (right pane).
Idea | Related Ideas form | Idea & Proposal < Ideas | View ideas related to the current idea.
Idea | Idea Submission form | Idea & Proposal < Ideas | Submit an idea in Service Portal.
Idea | Idea SubmissionAdditional form | Idea & Proposal < Ideas | Provide additional information when submitting an idea.
Incident | Full Incident form | Incident | View full details of an incident.
Incident | New Incident form | Incident | Define a new incident.
Incident | Preview Incident form | Incident | Quick preview of an incident (right pane).
Incident | incidentInvolvedCIsForm | Incident > Involved CIs tab | Define CIs investigated by the incident.
Incident | incidentResolutionForm | Incident | Used for the resolution section by the controller that implements the Knowledge Management Find Solution feature.
Incident | kmPreview | Incident | Used for viewing the details of an incident in the Search widget.
Incident | template | Incident | Used when viewing incident templates. Only fields that can be applied by a template are on this form.
Infrastructure & Peripheral | Full InfrastructurePeripheral form | SACM > Infrastructure & Peripheral | View full details of an infrastructure & peripheral record.
Infrastructure & Peripheral | New InfrastructurePeripheral form | SACM > Infrastructure & Peripheral | Define a new infrastructure & peripheral record.
Infrastructure & Peripheral | Preview InfrastructurePeripheral form | SACM > Infrastructure & Peripheral | Quick preview of an infrastructure & peripheral record (right pane).
Infrastructure & Peripheral | financialForm | SACM > Infrastructure & Peripheral | Finance tab of an infrastructure & peripheral record.
Infrastructure & Peripheral | portalPreview | SACM > Infrastructure & Peripheral | Preview of the infrastructure & peripheral record as displayed in the Service Portal: portal menu > Assets and Services.
License | Full License form | Software Asset > Licenses | View full details of a license.
License | New License form | Software Asset > Licenses | Define a new license.
License | Preview License form | Software Asset > Licenses | Quick preview of a license (right pane).
License | financial form | Software Asset > Licenses | Edit the details of a license in the Finance tab.


License Type | Full LicenseType form | Software Asset > Types | View full details of a license type.
License Type | New LicenseType form | Software Asset > Types | Define a new license type.
License Type | Preview LicenseType form | Software Asset > Types | Quick preview of a license type (right pane).
Location | Full Location form | Locations | View full details of a location.
Location | New Location form | Locations | Define a new location.
Location | Preview Location form | Locations | Quick preview of a location (right pane).
Model | Full Model form | Change > Models/Incident > Models | View full details of a change model or incident model.
Model | New Model form | Change > Models/Incident > Models | Define a new change model or incident model.
Model | Preview Model form | Change > Models/Incident > Models | Quick preview of a change model or incident model (right pane).
Offering | Full Offering form | Service Catalog > Offerings | View full details of an offering.
Offering | New Offering form | Service Catalog > Offerings | Define a new offering.
Offering | Preview Offering form | Service Catalog > Offerings | Quick preview of an offering (right pane).
Offering | Offering Fulfillment Plan | Service Catalog > Offerings > User options tab | Select a fulfillment plan for an offering.
Person | Full Person form | People > People | View full details of a person.
Person | New Person form | People > People | Define a new person.
Person | Preview Person form | People > People | Quick preview of a person (right pane).
Person | personOnBehalf | People > People | Edit the Request on behalf tab of a person record.
Person | personResponsibility | People > People | Edit the Responsibilities tab of a person record.
Problem | Full Problem form | Problem Management | View full details of a problem.
Problem | New Problem form | Problem Management | Define a new problem.
Problem | Preview Problem form | Problem Management | Quick preview of a problem (right pane).
Problem | problemInvolvedCIsForm | Problem > Involved CIs tab | Define CIs affected by the problem.
Proposal | Full Proposal form | Idea & Proposal < Proposals | View full details of a proposal.
Proposal | New Proposal form | Idea & Proposal < Proposals | Define a new proposal.
Proposal | Preview Proposal form | Idea & Proposal < Proposals | Quick preview of a proposal (right pane).


Record Category | Full ITProcessRecordCategory form | Categories | View full details of a record category.
Record Category | New ITProcessRecordCategory form | Categories | Define a new record category.
Record Category | Preview ITProcessRecordCategory form | Categories | Quick preview of a record category (right pane).


Request | New Request form | Service Request > Requests | Define a new request.
Request | smartTicket | Service Request > Requests | Define a new request (if Smart Ticket is enabled in Application settings).
Request | Full Request form | Service Request > Requests | View full details of a request.
Request | Preview Request form | Service Request > Requests | Quick preview of a request (right pane).
Request | CartRequest | Service Portal | View shopping cart title.
Request | requestInvolvedCisForm | Service Request > Requests | Involved CIs tab of Request page.
Request | defaults | Service Catalog > Offerings > Default values tab | Define request and user option default values for an offering.
Request | onlyResolution | Service Request > Requests | View full details of a request - Resolution section.
Request | without Resolution | Service Request > Requests | View full details of a request - main section (other than the Resolution).
Request | serviceRequest | Service Portal > select a service offering | Provide the business justification for a service offering request.
Request | supportRequest | Service Portal > select an IT support offering | Provide the business justification for an IT support offering request.
Request | custom | Service Portal > select a support or service offering | Service Portal request tracking page.
Request | generalRequest | Service Portal > no offering selected | Define a new request.
Request | hrRequest | Service Portal > select an HR support offering | Provide the business justification for an HR support offering request.
Request | kmPreview | Run a search | Display search results for requests.
Request | Live Support New Request | Service Request > Live Support | Define a new request in live support.
Request | Live Support Edit Request | Service Request > Live Support | Edit a request in live support.
Request | ctiRequestDescription | Service Request > Live Support | Deprecated.
Request | ctiNewRequestResolution | Service Request > Live Support | Deprecated.
Request | ctiNewRequest | Service Request > Live Support | Deprecated.
Request | ctiClosure | Service Request > Live Support | Deprecated.


Reservation | Full Reservation form | SACM > Reservations | View full details of a reservation.
Reservation | New Reservation form | SACM > Reservations | Define a new reservation.
Reservation | Preview Reservation form | SACM > Reservations | Quick preview of a reservation (right pane).
Service Component | Full ServiceComponent form | SACM > Service Components | View full details of a service component.
Service Component | New ServiceComponent form | SACM > Service Components | Define a new service component.
Service Component | Preview ServiceComponent form | SACM > Service Components | Quick preview of a service component (right pane).
Service Definition | Full ServiceDefinition form | Service Portfolio Management | View full details of a service definition.
Service Definition | New ServiceDefinition form | Service Portfolio Management | Define a new service definition.
Service Definition | Preview ServiceDefinition form | Service Portfolio Management | Quick preview of a service definition (right pane).
Stockroom | Full Stockroom form | SACM > Stock Management | View full details of a stockroom.
Stockroom | New Stockroom form | SACM > Stock Management | Define a new stockroom.
Stockroom | Preview Stockroom form | SACM > Stock Management | Quick preview of a stockroom (right pane).
Subscriptions | Full Subscription form | SACM > Subscriptions | View full details of a subscription.
Subscriptions | Preview Subscription form | SACM > Subscriptions | Quick preview of a subscription (right pane).
Subscriptions | subscriptionRelatedRecords | SACM > Subscriptions | Display request that initiated the subscription.
Subscriptions | portalPreview | SACM > Subscriptions | Preview of the subscription record as displayed in the Service Portal: portal menu > Assets and Services.
System Element | Full SystemElement form | SACM > System Elements | View full details of a system element.
System Element | New SystemElement form | SACM > System Elements | Define a new system element.
System Element | Preview SystemElement form | SACM > System Elements | Quick preview of a system element (right pane).
Target set | Full TargetSet form | Service Level > Service Level Target Sets | View full details of a service level target set.
Target set | New TargetSet form | Service Level > Service Level Target Sets | Define a new service level target set.


Task | approvalNew | <modules that include Approval plans>; records > Approval Definition tab | Define a new approval.
Task | approvalFull | <modules that include Approval plans>; records > Approval Definition tab | Edit details of an approval.
Task | approvalPreview | Approvals | Quick preview of an approval (right pane).
Task | taskPreview | Tasks | Quick preview of a task (right pane).
Task | Full task form | <modules that include Task plans> | Edit details of a manual or automated task.
Task | New task form | <modules that include Task plans> | Define a new manual or automated task.
Time period | Full TimePeriodDefinition form | Time Period Management | View full details of a time period.
Time period | New TimePeriodDefinition form | Time Period Management | Define a new time period.
Time period | timePeriodDefinitionExceptionForm | Time Period Management | Add an exception to a work schedule definition.


Form properties
Each form may have one or more of the following types of content:

Section

A section is a part of a form which may contain one or more fields or associations. A section has a name and an icon allowing you to expand or hide the section content. The following table details the different section properties.
Property Description
Name The name of the section. Caution: The name of the section must be in upper camel case. For example: GroupData.

Header The display name of the section. To edit:
▪ Type the name in the box in the right pane.
▪ Click the ellipsis to select a different language.

Expanded If selected, on loading the form, the user interface displays this section fully expanded.

Hide header If selected, the section is not visible in the user interface.

Field

A form may include Service Management fields. The following table details the different field properties.
Property Description
Name The name of the field.

Display name The label of the field that Service Management displays in the user interface. To edit:
▪ Type the name in the box in the right pane.
▪ Click the ellipsis button to select a different language.

Type The field type. This is read-only.


Editor The type of editor available for the user to edit the field contents. For the following field types, Service Management automatically populates this property as follows:

Field type Editor
SMALL_TEXT TextBox
LARGE_TEXT TextArea
ENUM DropDownList
ENUM_SET MultiDropDownList
BOOLEAN CheckBox
ENTITY_LINK EntityPicker
DOUBLE NumericTextBox
PERCENTAGE Percentage
IMAGE Image

For the following field types, you can select the editor type from the drop-down list:

Field type Editor options

MEDIUM_TEXT
▪ TextBox. Text is displayed on a single line.
▪ TextArea. Text is displayed on multiple lines.

RICH_TEXT
▪ RichEditor. Text can be displayed in HTML.
▪ TextArea. Text is displayed in plain text.

DATE
▪ DatePicker. Select a date from the calendar.
▪ DateTimePicker. Select a date and time from the calendar.

INTEGER
▪ DurationPicker. Select a duration from the drop-down list.
▪ IntegerTextBox. Enter an integer. Note: The value range for INTEGER field type is -2147483647 to 2147483647.

URL
▪ TextBox. Text is displayed on a single line.
▪ Link. Text is displayed on a single line. Click URL button to open a browser window.

DATE_TIME
▪ DatePicker. Select a date from the calendar.
▪ DateTimePicker. Select a date and time from the calendar.

EMAIL
▪ TextBox. Text is displayed on a single line.
▪ Email. Text is displayed on a single line. Click Email button to open a new email message.


Size The width of the space available to type in field contents. Service Management automatically populates this property based on the field type. The available sizes are:
▪ Medium. A field with a size of medium displays in half the width of the form.
▪ Large. A field with a size of large displays in the whole width of the form.

Index The order of the field in the contents of the form. A field with an index of 1 is first in the form, and so on. To change the order of the field:
1. Select the field.
2. Click Move up or Move down (as appropriate) in the right pane.

Start on a new line If selected, the user interface displays this field at the start of a new line in the form.

Precision The lowest unit of time displayed for a field using the DurationPicker Editor. For example:
▪ If you select Minutes, the editor displays days, hours, and minutes.
▪ If you select Hours, the editor displays months, days, and hours.

Association

A form may include Service Management associations. An association is a named set of related
records, containing one-to-many or many-to-many relationships.

Note: You may not edit the properties of an association in the Form Editor. All the properties are read-only.

The following table details the different association properties.

Property Description
Name: The name of the association.
Type: The association type.
Size: The width of the space available to display the association.
Index: The order of the association in the contents of the form.


Edit a form
Edit the properties as required.
Property Description

Name: The name of the field.

Display name: The label of the field that Service Management displays in the user interface. To edit:
• Type the name in the box in the right pane.
• Click the ellipsis button to select a different language.

Type: The field type. This is read-only.


Editor: The type of editor available for the user to edit the field contents.
For the following field types, Service Management automatically populates this property as
follows:

Field type     Editor
SMALL_TEXT     TextBox
LARGE_TEXT     TextArea
ENUM           DropDownList
ENUM_SET       MultiDropDownList
BOOLEAN        CheckBox
ENTITY_LINK    EntityPicker
DOUBLE         NumericTextBox
PERCENTAGE     Percentage
IMAGE          Image

For the following field types, you can select the editor type from the drop-down list:

Field type     Editor options

MEDIUM_TEXT
• TextBox. Text is displayed on a single line.
• TextArea. Text is displayed on multiple lines.

RICH_TEXT
• RichEditor. Text can be displayed in HTML.
• TextArea. Text is displayed in plain text.

DATE
• DatePicker. Select a date from the calendar.
• DateTimePicker. Select a date and time from the calendar.

INTEGER
• DurationPicker. Select a duration from the drop-down list.
• IntegerTextBox. Enter an integer. Note: The value range for INTEGER field type is -2147483647 to 2147483647.

URL
• TextBox. Text is displayed on a single line.
• Link. Text is displayed on a single line. Click URL button to open a browser window.

DATE_TIME
• DatePicker. Select a date from the calendar.
• DateTimePicker. Select a date and time from the calendar.

EMAIL
• TextBox. Text is displayed on a single line.
• Email. Text is displayed on a single line. Click Email button to open a new email message.


Size: The width of the space available to type in field contents. Service Management automatically
populates this property based on the field type. The available sizes are:
• Medium. A field with a size of medium displays in half the width of the form.
• Large. A field with a size of large displays in the whole width of the form.

Index: The order of the field in the contents of the form. A field with an index of 1 is first in the form,
and so on. To change the order of the field:
1. Select the field.
2. Click Move up or Move down (as appropriate) in the right pane.

Start on a new line: If selected, the user interface displays this field at the start of a new line in the form.

Precision: The lowest unit of time displayed for a field using the DurationPicker Editor. For example:
• If you select Minutes, the editor displays days, hours, and minutes.
• If you select Hours, the editor displays months, days, and hours.

Edit the section properties as required.


Property Description

Name: The name of the section.
Caution: The name of the section must be in upper camel case. For example: GroupData.

Header: The display name of the section. To edit:
• Type the name in the box in the right pane.
• Click the ellipsis to select a different language.

Expanded: If selected, on loading the form, the user interface displays this section fully expanded.

Hide header: If selected, the section is not visible in the user interface.


Processes and Rules


Working with processes


Add a phase in a process


Add a transition in a process


Move a phase or transition in a process


Studio business rules

Process events

Rules are defined to be executed in connection with specific events. The event determines when
the rule is executed. In the Rules tab for workflows, processes, metaphases and phases, you can define rules in
connection with the following process events:

Process event Description

Before change: The rule is executed before any user changes are applied. Used, for example, to set
default values.

After change: The rule is executed after the data is updated. Used, for example, to run validation
rules.

Rendering forms: The rule is executed when a form is opened.

After applying changes: The rule is executed after the change is committed. Used, for example, to run
external operations such as sending notifications, updating related records, and so on. The key difference
with the After change process event is the order in which the events are resolved. The order is After change,
then changes are committed, then After applying changes. For more information, see Process events order.

Entering: The rule is executed when entering the selected phase.

Leaving: The rule is executed when leaving the selected phase.

Before deleting: The rule is executed before the record is deleted.

Before removing relationship: The rule is executed before a relationship to another record is removed.

Before adding relationship: The rule is executed before a relationship to another record is added.

After adding relationship: The rule is executed after a relationship to another record is added.

After removing relationship: The rule is executed after a relationship to another record is removed.

Per schedule: The rule is executed according to the specified schedule.

SLT Event: The rule is executed when the Service Level target duration reaches the 0%, 50%,
75%, 90%, or 100% level of the target, as defined by the rule. This process event is relevant for
incidents, requests and the customized record types created in Studio only. For information on defining
business rules under the SLT Event process event, see How to add Service Level Target event business rules.


Business rule descriptions and tags


Validation rule examples


Action rule examples


Rendering rule examples


Field selection rule examples


REST Execution
Execute REST business rule configuration

After the On-Premise Bridge Agent is configured with endpoints and credentials, it is possible to configure
and execute the Execute REST business rule. The Execute REST business rule accepts the following parameters:

Parameter Value

OPB Agent ID: Select an agent ID from the drop-down list. There is one agent for each network domain.
Every agent has a default agent ID, but you can override it and use another pre-defined agent ID.

OPB Endpoint ID: Select an endpoint from the drop-down list. Every agent has a default endpoint, but you
can override it and use another endpoint of that agent. For example, http://www.google.com/mail is the
default endpoint for an agent, but the administrator can configure additional endpoints for the user to
select, such as http://www.google.com/search.

Credentials ID: Select the credentials from the drop-down list by their ID. Every endpoint has a default
credentials ID, but you can override it and use another credentials ID of that endpoint. For example, the
default credentials are user1/pass1 with an ID of 123, but the user wants to use the credentials
tester1/tester1 with the ID of 456 instead.

Uri Suffix: Select one of the following options:
▪ Simple Mode. Enter the required value manually.
▪ Expression Language. Enter an Expression Language phrase that returns the required value.
The prefix of the URL is taken from the endpoint. This parameter is the suffix of the URL. The concatenated
expression forms the URL of the REST call. This parameter must be HTTP encoded.

Web Method: Select a method from the drop-down list (POST/PUT/GET/DELETE).

Body: Select one of the following options:
▪ Simple Mode. Enter the required data manually.
▪ Expression Language. Enter an Expression Language phrase that returns the required data.
This is the body that will be used in the REST call request to the remote server. The Body parameter is
only relevant if POST or PUT is selected as the web method.

Headers: A dialog box opens with two boxes. For the Header key, enter data as free text. For the
Header value, select one of the following options:
▪ Simple Mode. Enter the required data manually.
▪ Expression Language. Enter an Expression Language phrase that returns the required data.
Click Add item to add an additional row with boxes for another header. The REST call request headers
provide additional information for the REST call, such as the file type to be returned.

Output field name: Enter a field of the current record. Select one of the following options:
▪ Simple Mode. Enter the required field manually.
▪ Expression Language. Enter an Expression Language phrase that returns the required field.
This parameter defines the field where the returned results are stored. For more information on the
available output field types, see the next section.

Task Prefix: Enter the prefix text in the box manually. This parameter enables you to set values to be
used in the result fields defined inside a complex type output field. It is not relevant for
textual type output fields.

Click the Expression Language button to toggle between these options. When the button is selected
(blue), the field is in Expression Language mode. When it is not selected (white), the field is in Simple mode.
For a full list of Expression Language functions, see Expression Language functions and syntax.

Output field types

When selecting the output field, you should select a field of the type that matches the type of results to be
returned by the REST call. The field types are defined for each field in the Fields tab. You can define the
output field for the business rule execution with the following types:
Field type Description

Textual field: A textual field is defined according to size. The following options are available:
▪ SMALL_TEXT
▪ MEDIUM_TEXT
▪ LARGE_TEXT
▪ RICH_TEXT
If the defined field size is large enough to contain the full response string, it is stored in the field
as is. If the field size is smaller than the response value, the response value is truncated to the size
of the field.

User options: A user-defined field. You can define the following system fields within the user option to
use in the business rule:
▪ RawOutput_c. A third party response of type string which contains the full JSON
response. Example: {"ExecutionId" : "123", "URL" : "http/:<servername>.port/..."}.
▪ HttpStatusCode_c. A third party HTTP status response of type integer. Example: 400.
To parse the RawOutput_c string, you can define the following custom fields, based on the
above example, to use in the business rule (all of type string):
▪ ExecutionId_c. Parses the execution Id from the raw output string. Example: 123.
▪ URL_c. Parses the URL from the raw output string. Example: http:/<servername>.port/...
Note:
▪ Only string result fields are supported in the complex type field (with the exception of the
HttpStatusCode and IsFailed fields).
▪ The custom field name must be identical to the corresponding parameter in the raw
output string (the comparison is case insensitive).
▪ Do not define multiple custom fields with names that differ only by case.
▪ Parameters in the raw output string that contain delimiters are not supported (for
example, vm.name).
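The following Python is an added example, not Micro Focus code, that models the output field rules described above so a rule author can check a sample response and a planned set of custom fields before configuring the rule. The function names, the stripping of the _c suffix before comparison, treating "." as the delimiter, and the field_size parameter are assumptions; the sample response is constructed.

```python
import json

CUSTOM_SUFFIX = "_c"  # assumption: custom fields end in _c, as in the page's examples
DELIMITER = "."       # assumption: "." is the delimiter, from the vm.name example

# Constructed sample response and planned custom fields.
SAMPLE_RAW = ('{"ExecutionId": "123", "url": "http://server.example/jobs/123", '
              '"vm.name": "db01", "Retries": 3}')
SAMPLE_FIELDS = ["ExecutionId_c", "URL_c", "vm.name_c", "Retries_c", "Owner_c"]


def case_collisions(field_names):
    """Group custom field names that differ only by case (to be avoided)."""
    groups = {}
    for name in field_names:
        groups.setdefault(name.lower(), []).append(name)
    return sorted(group for group in groups.values() if len(group) > 1)


def store_textual(response, field_size):
    """Textual output field: kept as is if it fits, else truncated to the field size."""
    return response[:field_size]


def is_complete_json(text):
    """True if the stored text still parses as JSON (false once it was truncated)."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def map_raw_output(raw_output, http_status, field_names):
    """Model how a complex-type output field is filled from a REST response.

    Returns (values, skipped): values maps field name -> stored value,
    skipped maps field name -> reason nothing was stored.
    """
    values = {"RawOutput_c": raw_output, "HttpStatusCode_c": int(http_status)}
    try:
        parsed = json.loads(raw_output)
    except ValueError:
        parsed = None
    if not isinstance(parsed, dict):
        # Only the raw string and the status code are available.
        return values, {n: "raw output is not a JSON object" for n in field_names}

    # Index response parameters by lower-cased name (comparison is case insensitive).
    by_lower = {}
    for key, value in parsed.items():
        by_lower.setdefault(key.lower(), []).append(value)

    skipped = {}
    for name in field_names:
        base = name[:-len(CUSTOM_SUFFIX)] if name.endswith(CUSTOM_SUFFIX) else name
        matches = by_lower.get(base.lower(), [])
        if DELIMITER in base:
            skipped[name] = "parameter names containing delimiters are not supported"
        elif not matches:
            skipped[name] = "no parameter with this name in the raw output"
        elif len(matches) > 1:
            skipped[name] = "ambiguous: several parameters differ only by case"
        elif not isinstance(matches[0], str):
            skipped[name] = "only string result fields are supported"
        else:
            values[name] = matches[0]
    return values, skipped


if __name__ == "__main__":
    stored, not_stored = map_raw_output(SAMPLE_RAW, 200, SAMPLE_FIELDS)
    print(stored)
    print(not_stored)
    print(case_collisions(["URL_c", "Url_c", "ExecutionId_c"]))
    print(is_complete_json(store_textual(SAMPLE_RAW, 20)))
```

A response stored in a textual field that is too small is cut mid-document, so anything that later parses that field as JSON should check for completeness first.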


Studio - use case


Add a business rule


Edit, remove, or disable a business rule


Enrichment rules


Configuration Comparison


Notifications
Select one of the following system notification templates to edit:
Template Description

Authorization code: Used when an authorization code is sent to a user for strong identity validation

Comment modified: Used when a comment is updated

Conversation invitation: Used when a user is invited to join a conversation

Conversation post modified: Used when a post in a conversation is updated

Default template for records: Used when the ID for the selected template cannot be found in the system

Header and Footer: Contains the header and footer that appears in all notifications

New answer added: Used when a new Q&A answer is added

New comment added: Used when a comment is added

New comment added, with anonymous agent details: Used when a comment is added, and excludes the IT agent's
name and avatar

New conversation post added: Used when a post is added to a conversation

New question posted: Used when a new Q&A question is asked

Request verification code for encryption domain: Used when a verification code is requested for an
encryption domain

Request verification code for strong identity validation: Used when a verification code is requested for
strong identity validation


Expression Language in notifications


Processing rules in notifications


Avatar rule

When the avatar rule runs, Service Management uses a person identifier (personId) to locate the linked
avatar for that user. For example, you would insert ${:current_user.Id} to identify the email sender. The avatar
becomes a parameter in the rule. Service Management can locate and attach the avatar image file to the message.
The HTML image reference in the notification causes the actual avatar image to appear in the formatted email
message.

Syntax: <%=avatar(person id)%>

Description: Replaces the rule with the avatar for the user identified by the person identifier.

Examples:
<%=avatar(${:current_user.Id})%>
<%=avatar(${questionOwner})%>

Create URL rule

A similar rule creates a URL to reference data. When you embed the URL to the associated record,
the user can easily open that record.

Syntax: <%=create_url(relative url)%>

Description: Replaces a relative URL with a full URL to a record.

Example: <%=create_url(/ess/question/${questionId})%>

Note: When you add a URL using the link button, you can edit the text of the link and the URL remains active.
When you add a URL directly in the text editor, the link cannot be edited. It appears in the message as you
entered it.

Hide record name rule

In cases where a user does not have permission to view a record type, this rule hides the
record name from such a user.

Syntax: <%=task_parent_name(person Id, entity type, entity Id, entity name)%>

Description: Hides the record name if the user does not have permission to view records of that type.

Example:
<%=task_parent_name(${:current_recipient.Id},${:entity.ParentEntityType},${:entity.ParentEntityId},${:entity.ParentDisplayLabelKey})%>

Note: This rule is intended for use with task notifications only. It is included in such notification
templates out-of-the-box.
Conditional statement rule

You can define a rule to display a message only when a condition is satisfied. You can
define a single message, which is displayed only when the condition is true, or two messages, one displayed for a
true condition value and the other for a false condition value.

Syntax:
Format 1: <%=conditional_statement(<Boolean expression>, 'Message')%>
Format 2: <%=conditional_statement(<Boolean expression>, 'Message_true', 'Message_false')%>

Description: In Format 1, the message is displayed when the Boolean expression is true. A blank string is
displayed when the Boolean expression is false. In Format 2, the first message is displayed when
the Boolean expression is true. The second message is displayed when the Boolean expression is
false.

Example: <%=conditional_statement(${:entity.Priority=='HighPriority'}, 'High priority record')%>


Direct access to Service Management via email


Set up direct access to Service Management


Set up notification templates for direct access


Automatic request creation


Direct access to Service Management troubleshooting and limitations


The following issues may arise when using direct access to Service Management via email. Be advised that in
certain cases, the user may receive an email indicating that an error occurred:
Issue: Direct access to Service Management is not working. The following email notification is
received: Requesting support using email is currently disabled. To create a new request, log in to the
Service Portal.
Cause: The tenant setting to enable direct access is set to Off.
Solution: Set the tenant setting to enable direct access to On:
1. From the main menu, select Administration > Configuration > Service Portal Settings > Feature
Settings.
2. In the Enable request creation and actions from email field, select On.

Issue: The following email notification is received: We could not process your email because the
email address does not belong to an authorized email domain. To create, track, or update a
request, log in to the Service Portal.
Cause: The user's email domain is not defined as a permitted domain.
Solution: Make sure the user's email domain (for example, microfocus.com) is defined in the endpoint:
1. From the main menu, select Administration > Utilities > Integration > Endpoints > Configure >
Advanced connection configuration > Authorized email domains.
2. Enter the user's email domain.

Issue: The task to create a request via email fails. The following email notification is
received: We could not create your request because we need more information, which may be
system-related. For details, contact your system administrator. To create a new request,
log in to the Service Portal.
Cause: The creation of a request fails due to validation errors.
Solution: Fine-tune the request creation process: Make sure all users have an entitled default offering
and that the default offering consists of default values for all mandatory request fields, OR that a
request that has only a title and description can be created.


Issue: The task to create a request via email fails. The following email notification is
received: You do not have the necessary permissions to create this request via email. Please contact
your system administrator. To create a new request, log in to the Service Portal.
Cause: The creation of a request fails because a user does not have correct permission to create
a request. By default, the Service Portal User role has permission to create requests. If a user
cannot create requests, the user may either not be defined in Service Management or
does not have the Service Portal User role.
Solution: Create the user in Service Management and assign them the Service Portal User role or the
request-creation permission.

Issue: A user cannot perform an action in an email. The following email notification is
received: We could not process the email for request #123456 <title>. To track or update the request,
log in to the Service Portal.
Cause: This occurs when a user attempts to execute an action from an email when the record is no
longer in the correct lifecycle phase. For example: a user marks a comment as a solution after
the request has been closed.
Solution: Review the request and verify that it is in a phase where it can be updated.

Issue: The following email notification is received: We could not process this email because it has
expired. To track or update the request, log in to the Service Portal.
Cause: Service Management failed to process an email action because the token contained in
the email expired (too many days passed since the user received the email that contains
the action link).
Solution: If permitted, extend the default token expiration time in the email endpoint configuration:
1. From the main menu, select Administration > Configuration > Service Portal Settings > Feature
Settings.
2. In the Specify email validity time frame field, select the desired time frame.

Issue: The following email notification is received: We could not process the email because the action
has already been performed. To track or update the request, log in to the Service Portal.
Cause: Service Management failed to process an email action because the token contained in
the email was already used (the user already performed the action).
Solution: None.


Issue: The following email notification is received: We could not process your email. The email's
security token may have been altered. Try to send it again by clicking the same action link/button. To
track or update the request, log in to the Service Portal.
Cause: Service Management failed to process an email action because the token is invalid or
may have been altered.
Solution: Make sure that the bottom part of the incoming email that contains the security token is not
changed. Contact Support if the problem persists for multiple users.

Issue: The following email notification is received: We could not process your email. You may not
be a registered Service Management Automation user. Contact your system administrator. To
verify that you are a registered user, try to log in to the Service Portal. If you are a
user, make sure to use the same email address that is listed for you in the system
when you send emails.
Cause: A user with the sender's email address was not found in Service Management.
Solution: Make sure the user's email address is correctly specified in the People module in Service
Management (Main menu > Administration > Master Data > People). Contact Support if the problem
persists for multiple users.

Issue: The following email notification is received: We could not process your email. The sender’s
email address does not match the email address of the user who received the original email. Emails
that were forwarded from other email addresses cannot be processed. To create, track, or update a
request, log in to the Service Portal.
Cause: The sender of the email and the user in the email's token do not match. This
might occur if a user forwarded the email containing a token to someone else.
Solution: None. Contact Support if the problem persists for multiple users.


Issue: The following email notification is received: We could not process your email because the
email address does not belong to an authorized email domain. To create, track, or update a
request, log in to the Service Portal.
Cause: The email received from the email server might be corrupted.
Solution: Check the support inbox to see if any of the received emails were corrupted.

Issue: New emails are not processed.
Cause: There might be problems with the On-Premise Bridge email integration task.
Solution: In the endpoint configuration dialog box, check if the last SyncEmailTask failed. If so, check
the \\<OPB_folder>\product\log\email-integration\email-integration.log and
\\<OPB_folder>\product\log\controller\controller.log files.
The new task will start at the next cycle (at xx:00 or xx:30).

Issue: The integration task does not start after configuring the endpoint.
Cause: Email integration tasks run every 30 minutes (at xx:00 and xx:30); therefore, it may
take up to 30 minutes until the mail polling task begins.
Solution: None.

Issue: The user changed the email integration configuration but the changes are not applied immediately.
Cause: The new configuration will be applied after a maximum of 30 minutes.
Solution: To apply the configuration immediately, click Stop and then Start in the endpoint toolbar.


Issue: Requests cannot be created from inbound email.
Cause: The Enable request creation and actions from email option is not enabled on the
Feature Settings page of Service Portal (Administration > Configuration > Service Portal
Settings > Feature Settings).
Solution: Enable this option.

Issue: Email tasks continued to fail with task timeout and the email was still in the inbox. As a
result, no request was created from the inbound email.
Cause: The OPB agent needs a restart.
Solution: Restart the OPB agent manually. A request should be created from the inbound email.
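Four of the rows above (expired, already performed, altered, sender mismatch) describe checks made on the security token carried in the email. The following Python is an added example, not Service Management's implementation, showing those checks and the order in which they are safe to apply; the token layout, the HMAC key, the validity window and all function names are assumptions, and the addresses are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-side signing key
VALIDITY_SECONDS = 7 * 24 * 3600  # assumption: stands in for the email validity time frame


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(token_id, recipient, request_id, action, issued_at):
    """Create the token placed at the bottom of an outgoing notification."""
    payload = json.dumps(
        {"id": token_id, "rcpt": recipient.strip().lower(), "req": request_id,
         "act": action, "iat": issued_at},
        sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def check_token(token, sender, now, used_ids):
    """Return 'accepted' or the name of the failed check.

    used_ids is the server-side set of token ids that were already consumed.
    """
    # 1. Integrity first: no field of the payload is trusted before the MAC verifies.
    try:
        payload_part, tag_part = token.split(".")
        payload = _unb64(payload_part)
        tag = _unb64(tag_part)
    except ValueError:
        return "altered"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "altered"
    claims = json.loads(payload)

    # 2. Sender binding: a forwarded email arrives from a different address.
    if sender.strip().lower() != claims["rcpt"]:
        return "sender_mismatch"

    # 3. Expiry: too much time passed since the notification was sent.
    if now - claims["iat"] > VALIDITY_SECONDS:
        return "expired"

    # 4. Single use: the action was already performed with this token.
    if claims["id"] in used_ids:
        return "already_used"
    used_ids.add(claims["id"])
    return "accepted"


if __name__ == "__main__":
    consumed = set()
    token = issue_token("t1", "user@example.com", 123456, "approve", 1000)
    print(check_token(token, "user@example.com", 2000, consumed))   # first use
    print(check_token(token, "user@example.com", 2000, consumed))   # replayed
    print(check_token(token, "other@example.com", 2000, set()))     # forwarded
```

The token id is recorded as used only after every other check passes, so a rejected email does not consume the action.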

Related topics: Direct access to Service Management via email


Disable closed records


Caution: You must take care if you add several business rules using this template. The rules are implemented in
the (top to bottom) order listed on the Processes and Rules page for the record type. For example, if you add a
business rule that enables editing of a particular field in the Close phase, and then a business rule that restricts
editing of fields in the Close phase, the restrict rule will supersede. To achieve the desired effect, the restrict rule
should be before the enable rule.
For more information, see Edit requests in the Service Portal and Restrict/allow editing of fields.


Approval definitions

Note: Approval definitions are available for article, change, idea, proposal, release, and request record
types.
In some cases, approvals must be granted at certain phases of the workflow before moving on to the next phase.
The following table provides details.

Record type   Workflow        Phases for approvals   Out-of-the-box approval definition name
Article       Normal          Review                 Article - Review
Change        Emergency       ECAB                   Emergency Change - ECAB
Change        Normal          Approve plan           Normal Change – Approve Plan
                              Approve deployment     Normal Change – Approve Deployment
Idea          Idea flow       Review                 Normal Idea – Approve Plan
Proposal      Proposal flow   Review                 Normal Proposal – Approve Plan
Release       Normal          Approve deployment     Release – Approve Deployment
Request       IT Service      Approve                Governance Approval

The Approval definitions tab is available for the following record types:

Article: You need to build your own approval plan. For more information about how to build an approval plan,
see Task plans.

Change: The approval phases of the normal and emergency change workflows have pre-defined approval plans.
When you create a change, the approval plan corresponding to the selected change type is selected in the
Approval definition field in the Properties tab for each approval phase:

Change type   Approval Phase       Built-in approval plan
Normal        Approve Plan         Normal change - Approve plan
              Approve deployment   Normal change - Approve deployment
Emergency     ECAB                 Emergency Change – ECAB
Standard      No approval phase    N/A


Governance approval


How Governance Level Approval works


Set up Governance Level Approval


Type a suitable title and a value for the in case of field. For example:

Field | Type
Title | Exceeds threshold
in case of | ${entity.Cost>2000}

Type a suitable title, and select a strategy. For example:

Field | Type or select
Title | Cost center manager approval
Strategy | One must approve


Build an approval definition


Build the approval plan definition as described in How to build a task/approval plan, using the following elements:
Step | Description
Approval | Requires one or more users to grant an approval before the workflow can move on to the next phase.
Decision | A decision point that uses an Expression Language phrase to determine which path in the approval plan to follow.
Join | Joins two or more nodes in the approval plan. Both must be completed before moving on to the next node in the plan.
Path to | Creates a path between two nodes in the plan.

To apply the new definition to an approval phase of a Proposal or Request record, select the new approval plan
definition from the drop-down list in the Approval definition field in the following phase:
Record type | Approval phase
Proposal | Review
Request: Service request | Approve
Request: Cart request | Approve


Edit an approval definition


Set up approval plan for a custom record type


Import data

The following table displays the different possible statuses for the file import:
Status | Description
Not Started | Waiting for the server to execute the import job.
Running | The import job is running.
Finished with warnings | All incoming records were processed. There were no failures, but at least one warning.
Finished with failures | All incoming records were processed. There was at least one failure.
Success | All incoming records were processed without any warnings or errors.
Abort | Unknown error. If you receive this error, contact Support.


Import Data file format


Create a CSV file with UTF-8 encoding from an Excel file


You can open this CSV file in Excel to verify the data.


Export data


Import translations


Import translated Service Catalog definitions


Import translated articles


Custom actions
Enter or select the action properties:
Property | Description
Name | Enter the action name.
Display name | Enter the name of the action as it will appear on the action button.
URL | The following options are supported:
• URL. Enter the URL of the action. Any valid URL can be entered. You can also include parameters in the URL. For example:
http://google.com?${entity.Name}
where ${entity.Name} is an Expression Language phrase denoting the name of the record.
• Email. You can configure a Send email action using the mailto: protocol. For example:
mailto://${entity.RequestedByPerson.Email}?subject=#SR${entity.Id}-${entity.DisplayLabel}&cc=${entity.RequestedForPerson.Email}&body=${entity.Id}:${entity.DisplayLabel}
where ${entity.DisplayLabel} is an Expression Language phrase denoting the name of the record. When the user clicks the Send email action, the email client opens a new message with the email address of the recipient and the subject field automatically filled in with the defined values.
• Microsoft Skype for Business. You can configure a Skype for Business session using the SIP: protocol. For example:
sip:${entity.Owner.Email}
When the user clicks the action, the Skype for Business client opens a session with the defined person.
Note
• The Expression Language phrase can only reference fields of the record (${entity}). You cannot reference the current_user in the phrase.
• Only fields of the following types may be included in the Expression Language phrase:
⚬ SMALL_TEXT
⚬ MEDIUM_TEXT
⚬ LARGE_TEXT
⚬ INTEGER
⚬ DOUBLE
⚬ BOOLEAN
⚬ DATE
⚬ DATE_TIME
⚬ ENUM
⚬ ENTITY_LINK
⚬ EMAIL
Enable workflow | If this check box is selected, two hidden fields will be created for this custom action, CustomActionName_c and CustomActionCount_c. The behaviors of these two fields are as follows:
• When you click this custom action, the value of the CustomActionName_c field is changed to the name of the custom action. This field will be overwritten only when you click another custom action of the same record type.
• Each time you click this custom action, the value of the CustomActionCount_c field is changed to a random number.
These two fields can be utilized when you create business rules. For example, you can set a rule with the condition ${current_update.CustomActionCount_c.IsChanged && entity.CustomActionName_c=='<ACTION NAME>'}, then the rule will be triggered every time you click the custom action button.
Notes:
• We recommend that you create this type of business rule in the After Change event section.
• The business rule can be set on the Process, Meta-Phase, or Phase level, depending on whether the action is to be always available or only under certain phases.
• The CustomActionName_c and CustomActionCount_c fields cannot be deleted after being created.
Icon | Select an icon from the drop-down list.
Position in record page | Select the position of the action on the record page. The available options are:
• Show as primary. The action appears in the record page toolbar.
• Show as secondary. The action appears in the drop-down menu under More in the record page toolbar.
• Do not show. The action does not appear on the record page.
Group in record page | Select an action group. The grouped actions are displayed together on the record page.
Position in grid page | Select the position of the action on the grid page. The available options are:
• Show as primary. The action appears in the grid page toolbar.
• Show as secondary. The action appears in the drop-down menu under More in the grid page toolbar.
• Do not show. The action does not appear on the grid page.
Note If you include a record field as a URL parameter, the parameter value is only added to the URL if that field appears as a column of the grid. If the field does not appear as a grid column, the custom action will open the URL without the parameter value. Click Columns and select the required field to set it to appear in the grid.
Group in grid page | Select an action group. The grouped actions are displayed together on the grid page.
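
The constraints stated for the URL property above (only ${entity} fields, no current_user, the listed field types, and the grid-column caveat) can be checked before a custom action is published. The following Python linter is an added example, not part of the SMAX documentation or product; it also applies two review checks that are this example's own policy (a literal, allow-listed scheme and no record data over plain http). The field-type map, the COMPLEX_TYPE placeholder, the finding codes and the example.invalid template are constructed for illustration.

```python
import re

# Schemes of the three action kinds in the table (URL, Email, Skype for Business).
# Limiting URL actions to http/https is this example's policy assumption; the
# documentation itself says any valid URL can be entered.
ALLOWED_SCHEMES = {"http", "https", "mailto", "sip"}

# Field types the table lists as usable in an Expression Language phrase.
ALLOWED_FIELD_TYPES = {
    "SMALL_TEXT", "MEDIUM_TEXT", "LARGE_TEXT", "INTEGER", "DOUBLE", "BOOLEAN",
    "DATE", "DATE_TIME", "ENUM", "ENTITY_LINK", "EMAIL",
}

PHRASE_RE = re.compile(r"\$\{([^}]*)\}")                 # ${ ... }
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")  # literal scheme prefix
FIELD_REF_RE = re.compile(r"^entity\.([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)$")


def lint_custom_action(template, field_types, grid_columns=None):
    """Return a list of (code, detail) findings for one custom action template.

    field_types maps a dotted field path (the part after "entity.") to its
    logical type. grid_columns, when given, is the set of field paths shown as
    grid columns (assumption: columns use the same dotted path as the phrase).
    """
    findings = []

    # The scheme must be fixed text so that a record value cannot choose it.
    match = SCHEME_RE.match(template)
    scheme = match.group(1).lower() if match else None
    if scheme is None:
        findings.append(("NO_LITERAL_SCHEME", template[:60]))
    elif scheme not in ALLOWED_SCHEMES:
        findings.append(("SCHEME_NOT_ALLOWED", scheme))

    fields = []
    for phrase in (p.strip() for p in PHRASE_RE.findall(template)):
        if "current_user" in phrase:
            # The documentation states current_user cannot be referenced here.
            findings.append(("CURRENT_USER_REFERENCE", phrase))
            continue
        ref = FIELD_REF_RE.match(phrase)
        if ref is None:
            findings.append(("NOT_A_FIELD_REFERENCE", phrase))
            continue
        path = ref.group(1)
        fields.append(path)
        field_type = field_types.get(path)
        if field_type is None:
            findings.append(("UNKNOWN_FIELD", path))
        elif field_type not in ALLOWED_FIELD_TYPES:
            findings.append(("FIELD_TYPE_NOT_SUPPORTED", f"{path}:{field_type}"))

    # Record values placed in an http:// URL travel unencrypted.
    if scheme == "http" and fields:
        findings.append(("RECORD_DATA_OVER_CLEARTEXT", ",".join(sorted(set(fields)))))

    # On the grid page a parameter is only filled in if its field is a column.
    if grid_columns is not None:
        for path in sorted(set(fields) - set(grid_columns)):
            findings.append(("PARAM_DROPPED_ON_GRID", path))
    return findings


# Templates quoted from the table above.
PAGE_URL = "http://google.com?${entity.Name}"
PAGE_SIP = "sip:${entity.Owner.Email}"
# Constructed templates that break the documented rules.
CONSTRUCTED_BAD = ("https://cmdb.example.invalid/lookup"
                   "?u=${current_user.Email}&n=${entity.Notes_c}")
CONSTRUCTED_DYNAMIC = "${entity.Link_c}"

# Constructed field-type map; COMPLEX_TYPE is a placeholder for any type that
# is not on the documented list, not a real SMAX type name.
FIELD_TYPES = {
    "Name": "MEDIUM_TEXT",
    "Owner.Email": "EMAIL",
    "Notes_c": "COMPLEX_TYPE",
    "Link_c": "MEDIUM_TEXT",
}

if __name__ == "__main__":
    for tpl in (PAGE_URL, PAGE_SIP, CONSTRUCTED_BAD, CONSTRUCTED_DYNAMIC):
        print(tpl)
        for code, detail in lint_custom_action(tpl, FIELD_TYPES, {"Id"}):
            print("   ", code, detail)
```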


SLT settings
For each target type, select On to enable the automatic notifications, and select Off to disable them. In the
request record type, the tab displays the following:
Section | Targets
Support (IT support requests) | Initial review, Resolution, Time in Group
Service (IT service requests) | Fulfillment, Time in Group
HR (HR support requests) | Initial review, Resolution, Fulfillment, Time in Group

In the incident record type, the tab displays the following:

Section | Targets
Support | Initial review, Resolution, Time in Group

Add three fields referenced to Actual Service, Group, and Priority.

Logical type | Reference to
ENTITY_LINK | Actual Service
ENTITY_LINK | Group
ENUM | Priority - SawPriority


Authorization


Create and configure custom application and record type


Refer to Forms for more information about how to define forms.

Configure processes and rules of the record type
After a record type is created, processes and business rules must be defined for the record type before you can activate the record type. Refer to Processes and Rules for more information about how to define processes and rules.

Activate the application and record type
After the workflow and forms are configured, go back to the Menu tab of the Studio and click Activate in the drop-down list of the record type. The application will show up on the main menu.

Note You may also want to set up more behaviors for the custom record type through the other features of the Studio. See Studio for more information.


People


Users and contacts


General
Field | Description
Prefix | The prefix of the person. Select a value from the drop-down list.
First name | The first name of the person. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
Middle name | The middle name of the person.
Last name | The last name of the person. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
Name | The Name field is populated by the values entered in the First name and Last name fields when the person record is created. It can also be edited manually. Changes made later to the First name and Last name fields are not reflected in the Name field.
Employee Id | The person's employee ID number.
Gender | The gender of the person. Select a value from the drop-down list.
Person type | Indicates whether the person is a user or a contact. This field is read-only.
VIP | Indicates if the person has VIP status. This field can be used to indicate to agents that they are working on a VIP customer. It can also be used in business rules to boost priorities.
Description | Other information about the person.
Person status | The person's employee status. Select a value from the drop-down list. The available options are:
⚬ Active
⚬ Leave of absence
⚬ Retired
⚬ Terminated
⚬ Inactive
User principal name | The person's UPN. This field is read-only. (It is only editable during creation of a new person.)
Note
⚬ This is the person's primary identifier in Service Management.
⚬ When adding people records via Suite Administration, this field is populated with the login name value from Suite Administration. When adding or editing people records, this field is mandatory.
Distinguished name | The person's LDAP distinguished name.

Contact information
Field | Description
Email | The person's email address. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
Office phone number | The person's office phone number. Note: The value of this field is automatically synchronized with the value in Suite Administration.
Mobile phone number | The person's mobile phone number.
Home phone number | The person's home phone number.
Location | Where the person is located. Select a value from the drop-down list. Examples:
⚬ France/Paris
⚬ EMEA/Spain/Madrid/M1
To manage locations, see Locations.
Home location | The person's home address.
Temporary location | A temporary location for the person, for visiting purposes. Select a value from the drop-down list.

Organizational information
Field | Description
Employment type | The person's employment type. Select a value from the drop-down list. The available options are:
⚬ Full-time
⚬ Part-time
⚬ Contractor
⚬ Internal
⚬ External
Title | The person's title. The title can be job- or organization-related. Examples: Process Owner, Manager, Agent
Manager | The person's manager. Select a value from the drop-down list.
Hire date | The person's hire date. Click in the box to display a calendar.
Leave date | The person's leave date. Click in the box to display a calendar.
Cost center | The cost center at which the person is employed.
Organization | The organizational group of which the person is a member, if any. For functional group information, see the Group membership section for this person.
Note
⚬ This field is only relevant for users.
⚬ A user can belong to one organizational group, and one or more functional groups. For more information about group types, see How to create a group.

Personal preferences
Field | Description
Avatar | The person's avatar. Click Upload image to select an image for the avatar.
Language | The language of the person's locale. Select a value from the drop-down list. The default value is English (U.S.). To set the default language for new users to a different value, edit the relevant business rule. Note: When adding or editing people records, this field is mandatory.

System use definitions
Note The System use definitions section is only relevant for users.
Field | Description
Role | The roles assigned to the user, if any. Click in the box to display a list of available roles. Note: A user can have more than one role.
License | Select the licenses assigned to the user, if any. Click in the box to display a list of available licenses. For each license, the license type (Premium Named, Express Named, Premium Concurrent, or Express Concurrent for use with the MT console) and the license capacity are displayed.
Note
⚬ A user can have more than one license.
⚬ An admin user can assign licenses to users. For each license, a yellow icon is displayed at the top of the page indicating the number of users assigned that license. The caption next to the icon indicates the total number of users that can be assigned that license. For example, 25/100 users indicates that 25 users are assigned the license, out of a total of 100 possible users.
May generate passcode verification code | If selected, the user has permission to generate verification codes for passcodes for other users for strong identity validation for approvals.
Verification code email recipient | If selected, the user receives an email when any user requests a verification code for his passcode to proceed with a task approval using strong identity validation.

Group membership
Note The Group membership section is only relevant for users.
Field | Description
<Add/Remove groups> | The functional groups to which the user belongs, if any. To add a group, click Assign to group and select the required group(s) in the Add groups dialog box. To delete a group, select the required group and click the Delete button.
Note
⚬ A user can belong to one organizational group, and one or more functional groups. For more information about group types, see How to create a group.
⚬ After this field is updated, it may take several minutes before the user can see information entitled to him by the groups to which he belongs. For more information, see How to manage entitlement rules.

Responsibilities
Field | Description
Area of practice | The person's area of practice on the system. Select a value from the drop-down list.

Locations
Field | Description
<Add/Remove locations> | The person's locations of responsibility.
To add a location, do one of the following:
⚬ Click Add, then select a value from the drop-down list.
⚬ Click the list icon to display the available locations. Select the check box for each location that you want to add. Click OK. To filter the record list, click the Add filter button. For more information, see Filters.
The selected locations appear in yellow. When you save the person, the locations are added.
To remove a location, select the location and click Remove. The selected members appear in strikethrough text. When you save the person, the locations are removed.

Users
Field | Description
<Add/Remove users> | The person can create a request on behalf of the users defined here.
To add a user, do one of the following:
⚬ Click Add, then select a user to add.
⚬ Click the list icon to display the available users. Select the check box for each user that you want to add. Click OK. To filter the record list, click the Add filter button. For more information, see Filters.
The selected users appear in yellow. When you save the person, the users are added.
To remove a user, select the user and click Remove. The selected users appear in strikethrough text. When you save the person, the users are removed.

Group members
Field | Description
<Add/Remove groups> | The person can create a request on behalf of the members of the groups defined here.
To add a group, do one of the following:
⚬ Click Add, then select a group to add.
⚬ Click the list icon to display the available groups. Select the check box for each group that you want to add. Click OK. To filter the record list, click the Add filter button. For more information, see Filters.
The selected groups appear in yellow. When you save the person, the groups are added.
To remove a group, select the group and click Remove. The selected groups appear in strikethrough text. When you save the person, the groups are removed.


How to create and delete contacts


New person information
Field | Description
First name | The first name of the person. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
Last name | The last name of the person. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
Name | The Name field is populated by the values entered in the First name and Last name fields. It can also be edited manually.
Email | The person's email address. Note: The value of this field is automatically synchronized with the value in Suite Administration. When adding or editing people records, this field is mandatory.
User principal name | The person's UPN (email address).
Note
⚬ This is the person's primary identifier in Service Management.
⚬ When adding people records via Suite Administration, this field is populated with the login name value from Suite Administration. When adding or editing people records, this field is mandatory.
⚬ After the value for this field is set, it becomes a read-only field.
Employee Id | The person's employee Id.
Office phone number | The person's office phone number. Note: The value of this field is automatically synchronized with the value in Suite Administration.
Mobile phone number | The person's mobile phone number.
Location | Where the person is located. Select a value from the drop-down list. Examples:
⚬ France/Paris
⚬ EMEA/Spain/Madrid/M1
To manage locations, see Locations.

Organizational information
Field | Description
Employment type | The person's employee type. Select a value from the drop-down list. The available options are:
⚬ Full-time
⚬ Part-time
⚬ Contractor
⚬ Internal
⚬ External
Title | The person's title. The title can be job- or organization-related. Examples: Process Owner, Manager, Agent
Manager | The person's manager. Select a value from the drop-down list.
Company | The person's company. Select a value from the drop-down list.


How to assign licenses to users


License usage report
You can access an Excel report displaying the license usage for the current license at different times over the past month. Hover over the license icon and click the link in the tooltip to download the report. The report displays the actual number of users using this license and the total capacity of the license at specific times. The times are preset and the license information is automatically recorded according to the schedule.

Related topics
Users and contacts


Roles
General
Permission | Description
Log into the application | Login rights are the lowest level of permission granted.
Access to application administration modules | Permission to view administrative areas.
Encryption domain administrator | Permission to create encryption domains.
Permission to create public reports | Create public dashboard reports and charts.
Permission to create public favorite views | Save searches as public views and favorites.

Record Type
Permission | Description
View | Enables you to view records of the selected record type.
Delete | Enables you to delete records of the selected record type.
Update | Enables you to update records of the selected record type in the grid.
Admin | Enables you to update the selected record type in the records module.
Create | Enables you to create records of the selected record type.
Comments | Enables you to edit or delete any existing comments on records of the selected record type.

Resources
Permission | Description
Create | Enables you to create resources.
Delete | Enables you to delete resources.
View | Enables you to view resources.
Update | Enables you to update resources.

Knowledge Management
Permission | Description
Import articles | Retrieve articles from external sources.
Publish articles to the Service Portal | Enable self-service users to access knowledge articles.
Update articles that are currently published in the Service Portal | Make changes to published articles.
Hide articles that are currently published in the Service Portal | Remove published articles.

Questions & Answers
Permission | Description
Ask questions | Enables a Service Portal user to post questions in the portal. For more information, see How to authorize knowledge handling in the Service Portal.
Answer questions | Enables a Service Portal user to respond to questions posted in the portal. For more information, see How to authorize knowledge handling in the Service Portal.
Moderate user questions and answers | Enables the Knowledge Contributor, Knowledge Publisher, or Knowledge Administrator to respond to questions posted in the Service Portal, and to review answers for relevance or accuracy. For more information, see How to moderate Q&A.

Live Support
Permission | Description
Be able to request chat support | In the Service Portal, only a user with this permission can request an online chat. This applies in cases where chat support is otherwise available through the chosen offering. If a user does not have this permission, the request chat option is not displayed.

On-Call Schedule
Permission | Description
Be able to access on-call schedule | Only a user with this permission can view On-Call Schedule Management. If a user does not have this permission, the feature is not displayed.

Change Management
Permission | Description
Can create emergency change | Only a user with this permission can initiate an emergency change.
Allows access to the change analytics module | Only a user with this permission can access the change analytics module.
Allows configuration of KPI goals and thresholds | Only a user with this permission can configure KPI goals and thresholds.

Service Portal administration
Permission | Description
Customize the look and feel of the Service Portal | Only a user with this permission can change the Service Portal.

Approvals
Permission | Description
Override approvals of | Grant permission to override approvals for the following record types:
⚬ Request
⚬ Change
⚬ Article
⚬ Idea
⚬ Proposal
⚬ Release


Service Asset and Configuration Management (SACM)


Permission | Description
Administrator | Grant Service Asset and Configuration Management administration rights to the selected role.
Advanced import | Only a user with this permission can implement the advanced record import method.
Allows view service modeling | Only a user with this permission can view the Service Modeling link if the Service Management belongs to a suite SSO enabled account.

On-Premise Bridge
Permission | Description
Administrator | Grant On-Premise Bridge administration rights to the selected role.

You can grant or remove access rights to complete endpoint tasks.

Endpoint | Description
UCMDB 10.20 and later | Access the Universal Configuration Management Database (UCMDB) repository.
Knowledge Indexing | Submit knowledge articles for indexing to make them easily accessible to Service Portal end users.
Email Integration | Access the Service Portal via email, without logging in.
Rest Executor 1.0 | Access the REST API.
Operations Orchestration 10.02 and later | Integrate with Operations Orchestration.
PPM Outbound Integration | Send Service Management ideas and proposals to Project and Portfolio Management (PPM).
PPM Optimization Solver | Optimize scenarios in the Project and Program Management module.
LDAP Integration | Access an LDAP server.

Analysis
Permission | Description
Enable management of Hot Topic Analytics | Grant permission to manage the stop list in Hot Topic Analytics.

Tasks
Permission | Description
Ability to view all tasks | Grant permission to view tasks assigned to all people.

Default roles Service Management has pre-configured roles that are consistent with ITIL v3 recommendations and
naming conventions. Service Management also has custom roles to support various users and modules, including
the On-Premise Bridge, MT Console, and Service Portal. You can assign these roles to end users, modify the

This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 303
SMAX 2019.02

permissions associated with a role, or make other changes to meet the requirements of your environment.
Role Description
Creates, updates, and deletes optimization records; creates surveys and
Application Analyst
evaluates survey results for application cloudification.

Application Owner Creates, updates, and deletes applications and roadmaps.

Application Portfolio Assigns roles for the APM module; defines workflows for applications and
Administrator optimizations.

Application Portfolio Manager Creates and updates application portfolios; runs portfolio analysis.

Asset & Configuration


Configuration administrator for Service Asset and Configuration Management.
Administrator

Asset & Configuration Manager Configuration manager for Service Asset and Configuration Management.

Business Intelligence
Customer role for the Business Intelligence integration.
Integration

Catalog Administrator Administrator of the Service Catalog.

Change Approver Evaluates and authorizes (or disapproves) changes.

Change Assignee Responsible for assigned change.

Change Coordinator Coordinates all requests for changes throughout their lifecycle.

Change Manager Manages changes and functions as the point of escalation.

Change Owner Reviews and manages assigned changes.

Accountable for all change-related activities. Functions as the champion,


Change Process Owner
advocate, and design lead of the change module.

Change Requestor Submits requests for changes.

Change Task Assignee Closes assigned change tasks.

Contract Manager Manages external vendors and contracts with vendors.

Default user with login and Service Portal permissions to create and view
Default
requests.

Creates public views.


Tip This is a very granular role, granting permission to a single area.
Combining it with another role that already has the same permission would
Favorite Views Owner be redundant. But you can use it to add this permission to someone who has
another role that does not grant the permission to create public views,
without altering that other role.

Manages financial aspects of the assets, including devices, licenses, and


Financial Manager
infrastructure and peripheral assets.

This PDF was generated for your convenience. For the latest documentation, always see https://docs.microfocus.com Page 304
SMAX 2019.02

Can view the following on the Service Portal:


▪ Available services
▪ News and knowledge articles
Guest
▪ Questions that have been submitted Note Cannot submit nor answer
questions.

Idea Administrator Configuration administrator for Idea Management.

Idea Reviewer Reviews, categorizes, and approves/rejects ideas.

Incident Analyst Investigates and resolves assigned incidents.

Incident Coordinator Coordinates resolution and closure of incidents.

Incident Manager Manages incident resolution and functions as the escalation focal point.

Accountable for all incident-related activities. Functions as the champion,


Incident Process Owner
advocate, and design lead of the incident module.

Has full access to all functional modules, including some configuration rights.
IT User
Has read-only access to foundational data.

Has all permissions assigned to manage Knowledge Management article


Knowledge Administrator
publication.

Creates, edits, and reviews knowledge articles for an internal or external


Knowledge Contributor
audience.

Knowledge Publisher Publishes knowledge articles to an internal or external audience.

Manages the multi tenant (MT) environment for a provider tenant. This is the
MT Administrator only user, along with the Tenant Admin, who has permissions to add users
who can access managed customer data.

Manages and is able to access managed customer data. Only users with this
role can be added to the list of users who can view incident or request data
MT Agent
for a managed customer in the Vendor Management > Managed Customer
tab.

OPB Remote Agent Integrates On-Premise Bridge internal processes.

Portfolio Manager Analyzes proposals, defines the workflow, and manages business objectives.

Problem Analyst Investigates and resolves assigned problems and known errors.

Problem Coordinator Coordinates problem records through their lifecycle.

Problem Manager Manages problem resolution and functions as the escalation focal point.

Problem Process Owner Accountable for all problem-related activities. Functions as the champion, advocate, and design lead of the problem module.

Problem Task Assignee Closes assigned problem tasks.

Program Manager Owns programs. Can add content and is responsible for managing related projects together.

Project Manager Owns projects. Responsible for managing all aspects of a project's success.

Project Portfolio Manager Owns project portfolios. Can add content and is responsible for high-level management.

Proposal Administrator Creates approval definitions for proposals.

Proposal Creator Creates, publishes, and abandons proposals.

Proposal Reviewer Reviews, categorizes, and approves/rejects proposals.

Release Coordinator Coordinates release records through their lifecycle.

Release Process Owner Accountable for all release related activities. Functions as the champion, advocate, and design lead of the release module.

Reports Publisher Configures charts and graphs for reporting.

Request Approver Business approver for a request.

Resource Manager Creates and edits resource types.

SACM Integration Customer role for external integrations.

Self-Service Portal Administrator Manages entitlement rules and the Service Portal user experience.

Self-Service Portal User Service Portal end user has permissions to view the Services catalog, search for knowledge articles, submit questions, and respond to questions submitted.

Service Level Manager Negotiates Service Level Agreements and manages Service Level Management processes.

Service Request Agent Assignee who fulfills service requests.

Service Request Coordinator Assigns and coordinates service requests.

Service Request Manager Manages the Service Request module and functions as the escalation focal point.

Service Request Process Owner Accountable for all service request-related activities. Functions as the champion, advocate, and design lead of the Service Request module.

Service Request Task Assignee Completes and closes assigned service request tasks.

Software Manager Manages the life cycle of software assets and license optimization.

Stockroom Admin Manages stockrooms and their content.

Strong Identity Validation Bypass Can approve tasks without strong identity validation. Note: This role is not relevant for users with the Tenant Admin role.

Survey Editor Creates and manages surveys.

Tenant Admin Super user role that has permissions for everything in the application. It is recommended to assign only one tenant admin role per tenant system.

Vendor Liaison Interfaces with external third-party support representatives for incident resolution.

Groups
Select a Group type from the list of available types:

Organizational Group members belong to the same organizational unit within a company.
Example: Marketing; R&D
Note: A person cannot be a member of more than one organizational group.

Functional Group members provide a similar function or service.
Example: Help Desk; Human Resources

By default, the group record is displayed with the General tab selected. Click the tab you want to edit or view.
Tab Description
General Displays general information about the current group. For more information, see Group details.

Related groups Displays the groups related to the current group. For more information, see Group details. Note: Available for functional groups only.

Discussions Displays any relevant conversations about the current record. For more information about discussions, see Discussions.

History Displays changes to the selected record. For more information about history, see History.

General
Field Description
Name The name of the group.

User principal name The UPN of the group. Note: This field is read-only.

Group type The group type. The following options are available:
Organizational: Group members belong to the same organizational unit within a company. Example: Marketing; R&D. Note: A person cannot be a member of more than one organizational group.
Functional: Group members provide a similar function or service. Example: Help Desk; Human Resources.
Note: This field is read-only.

Group status The group status. Select Active or Inactive from the drop-down list.
Note:
• Inactive groups do not appear in the drop-down list of groups for the Owning group field in Change and Problem records.
• New groups are defined as Active by default.

Email The email address of the group.

Language The language of the group.

Owner The owner of the group. Note: When you add a person as the Group owner, he is automatically added as a group member.

Group owner backup The backup owner of the group. Note: When you add a person as the backup Group owner, he is automatically added as a group member.

Area of practice The group's area of practice on the system. Select a value from the drop-down list.

External system Select an external system from the drop-down list if you want to make this group an external group. For more information about external systems, see External systems.

Assignment strategy Displays only when On-Call Schedule Management is enabled. For more information, see How to set up assignment strategy.

Organizational information
Field Description
Ownership The ownership of the group. The available options are:
• Internal
• Supplier

Cost center The Cost center to which the group belongs.

Company The supplier company denoted by the ownership. Appears only when Supplier is selected as the ownership. Select a value from the drop-down list.

Group Members
Field Description
<Add/Remove group members> Do one of the following:
• Click Add, then select a person to add as a group member.
• Click the list icon to display the available people. Select the check box for each person that you want to add as a group member. Click OK. To filter the record list, click the Add filter button. For more information, see Filters.
The selected people appear in yellow. When you save the group, the group members are added.
To remove a group member, select the member and click Remove. The selected members appear in strikethrough text. When you save the group, the members are removed.
By default, a group member's ID, name, and email are displayed. To customize the view, click Columns, select the item to be displayed, and click Add.
Note: The added group members automatically inherit the role and domain assignments associated with the group.

System use definitions


Field Description
Group roles The roles assigned to the group, if any. Click in the box to display a list of available roles. Select the required roles to assign to the group. Note: A group can have more than one role.

Encryption
Field Description
Encryption domains The encryption domains to which the group belongs. For more information on encryption domains, see Encryption domains.

Commonly assigned groups


Field Description
<Add/Remove related groups> You can save a list of the groups to which you often reassign tickets.
To add or remove related groups, do one of the following:
• Click Add, then select a group to add as a related group.
• Click the list icon to display the available groups. Select the check box for each group that you want to add. Click OK. To filter the record list, click the Add filter button. For more information, see Filters.
The selected related groups appear in yellow. When you save the current group, the related groups are added.
To remove a related group, select the group and click Remove. The selected groups appear in strikethrough text. When you save the current group, the selected related groups are removed.
By default, a group's ID and name are displayed. To customize the view, click Columns, select the item to be displayed, and click Add.

Manage entitlement rules

Record (entitlement rule)           Los Angeles user  Palo Alto user  Houston user  London user
Category Alpha (USA)                Y                 Y               Y             N
Service definition SD (California)  Y                 Y               N             N
Offering ONE (Los Angeles)          Y                 N               N             N
Offering TWO (Palo Alto)            N                 Y               N             N
Offering THREE (none)               Y                 Y               N             N

Entitlement rules use case


Management wants to use entitlements to limit the offerings Service Portal users see, based on their locations. As
the Service Management administrator, you need to configure entitlement rules for the following:
Category              Offering                         Detroit  New York  San Diego
Network Connectivity  Create network login             X        X         X
Applications          Grant access to Salesforce       -        X         -
Applications          Installation of Adobe Photoshop  -        -         X
Phone and Mobile      Order new mobile subscription    X        -         -
Applications          Request PC phone service         X        X         -

Enter a Name for the entitlement rule, and provide a Description. For example:
Field Type
Name San Diego

Description Visible only to users located in San Diego

Enter a Name for the entitlement rule, and provide a Description. For example:
Field Type
Name United States

Description Visible only to users located in the United States

Add audiences
In Service Management, adding an audience to a category or an offering is how you apply entitlement rules. One method of implementing the present use case is as follows:
Item                                        Audience
Network Connectivity (Category)             United States
Grant access to Salesforce (Offering)       New York
Installation of Adobe Photoshop (Offering)  San Diego
Order new mobile subscription (Offering)    Detroit
Request PC phone service (Offering)         Detroit, New York

Encryption domains

Set up synchronization with LDAP


Enter the endpoint details.
Field Description
Endpoint type Select LDAP integration.

Endpoint name Type a name for the endpoint. Use only Latin letters and spaces.

Running on agent Select the agent (installed in step 1 of the task) from the drop-down list.

Enter the endpoint details.


Field Description
Connection configuration

Endpoint name The name of the endpoint. Note: This field is read-only.

Host name Enter the name or IP address of the LDAP server.

Port Enter the number of the port listened to by the LDAP server. The default is 389.

Credentials Enter the credentials used to connect to the LDAP server. The full credentials are those defined as part of the agent to which the endpoint is connected. On the Microsoft Active Directory server, both Distinguished name and username login are supported. On the Apache DS server, only Distinguished name login is supported.

Scheduled integration interval Select the interval between successive runs of the integration. The default value is 1 day. For example, if the current sync finishes at 10:00 AM on Monday, and the Scheduled sync interval is 1 day, the next sync will run at 10:00 AM on Tuesday.

Use SSL Encryption Select this check box to run the sync using SSL encryption. Note: Encryption is supported using TLS v1.1 and TLS v1.2 for Microsoft Windows 2008 R2 and above only.

Integration configuration

LDAP Server type The supported LDAP server types are:
⚬ Microsoft Active Directory 2008
⚬ Microsoft Active Directory 2012
⚬ Apache DS 2.0

Starting search directory The root directory on the LDAP server where the data is stored.

Record to record mapping

Target record Select Person or Group.

Source record Enter the corresponding record type from LDAP.

Filter The default filter is based on the selected record type (person or group). You can enter a custom filter to specify the relevant records for the integration.
Example:
To sync all people from groups 1 and 2 only, enter: (&(objectClass=person)(&(group=group1)(group=group2))).
To sync all people in either level 1 or level 3, enter: (&(objectClass=person)(|(level=level1)(level=level3))).

<Field mappings> In each section, complete the following:
⚬ Target fields. Select the record fields from Service Management to be mapped. If you select a field of type Enum, click the arrow button next to Map values. Select the target values from the drop-down list and enter the source values from LDAP. Click Add map value to add additional value mappings. Note: It is possible to map multiple source values to the same target value.
⚬ Source fields. Enter the corresponding fields from LDAP for the mapping. You can enter the fields in simple text or an Expression Language phrase. Click the Expression Language button to toggle between these options. When the button is selected (blue), the field is in Expression Language mode. When it is not selected (white), the field is in Simple mode. For a full list of Expression Language functions, see Expression Language functions and syntax.
⚬ Mapping condition. Optionally, enter an Expression Language phrase defining a condition. The mapping applies only when the condition is satisfied.
In each section, three default fields are provided. Click Add field to add additional field mappings. Click Remove next to any mapping to remove it.
Important: You must include mappings for all fields defined as mandatory for the selected record type.
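
The two custom filters from the Filter field description, evaluated over constructed directory entries to show which records each one would bring into the sync. This is an added example, not part of the SMAX documentation; the evaluator, the sample entries and the EITHER_GROUP variant are illustrative, and only AND, OR, NOT, equality and presence matching are covered.

```python
import re

# Added example (not from the SMAX documentation): evaluator for the LDAP
# search-filter subset used in the Filter field examples: AND "&", OR "|",
# NOT "!", equality "attr=value" and presence "attr=*". Attribute names and
# values are compared case-insensitively, which is a simplification.

def parse_filter(text):
    """Parse a filter string into a nested tuple tree; raise ValueError if malformed."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node

def _unescape(value):
    # RFC 4515 writes special characters as \XX hex pairs, e.g. \28 for "(".
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of sub-filters for '{op}'")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    attr = attr.strip().lower()
    if not sep or not attr or "(" in value:
        raise ValueError(f"malformed item at offset {i}")
    if value == "*":
        return ("present", attr), end + 1
    return ("=", attr, _unescape(value)), end + 1

def matches(node, entry):
    """True if the entry (dict: lowercase attribute -> list of values) satisfies the filter."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    if op == "present":
        return bool(values)
    return node[2].lower() in values

def select(filter_text, entries):
    """Return the uid of every entry the filter would pick up for synchronization."""
    tree = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(tree, e)]

def is_well_formed(filter_text):
    """Check a filter before saving it in the endpoint configuration."""
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False

# Constructed directory entries; the group and level attributes follow the page's examples.
ENTRIES = [
    {"uid": ["alice"], "objectclass": ["person"], "group": ["group1", "group2"], "level": ["level1"]},
    {"uid": ["bob"], "objectclass": ["person"], "group": ["group1"], "level": ["level2"]},
    {"uid": ["carol"], "objectclass": ["person"], "group": ["group2"], "level": ["level3"]},
    {"uid": ["printers"], "objectclass": ["group"], "group": ["group1", "group2"]},
]

BOTH_GROUPS = "(&(objectClass=person)(&(group=group1)(group=group2)))"   # from the page
EITHER_LEVEL = "(&(objectClass=person)(|(level=level1)(level=level3)))"  # from the page
EITHER_GROUP = "(&(objectClass=person)(|(group=group1)(group=group2)))"  # constructed variant

if __name__ == "__main__":
    for name, flt in [("both groups", BOTH_GROUPS), ("either level", EITHER_LEVEL),
                      ("either group", EITHER_GROUP)]:
        print(f"{name:13} {flt}\n  -> {select(flt, ENTRIES)}")
```

With the nested AND, only a person who belongs to both groups is selected; the OR variant selects a person who belongs to either group, so the operator determines how many directory accounts end up as Service Management records.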

Locations
General details
Field Description
Type The type of location.
Examples: Country; City; Building; Site; Stockroom
Note: Location types are provided out-of-the-box with Service Management. To modify this list, contact Support.

Name The name of the location.

Code A code for the location; this is displayed in all places where the location is consumed.

Parent The parent is the location type that is one level above the location's location type.
Location types have the following hierarchy:

Examples:
• A region is the parent of a country.
• A building is the parent of a floor and a data center.

Supervisor Supervisor of the location.
Example: The supervisor of a stockroom or a building.

Address details
Field Description

Street The name of the street of the location.

Full street address A full street address of the location.

Post office box The full post office box address.

City/State/Country The city, state, and country of the location.

Postal code The postal code.

Exact location The coordinates of the location.

Other details
Field Description
Photo An image of the location. Click Upload image to select an image.

External Indicates an external location.
Examples:
• A device can be assigned to an external site.
• A backup/disaster recovery site might be in an external location.

Business hours Business hours of the locations such as sites, stockrooms, and so on.

Active If selected, the location is active. Only active locations are visible in out-of-the-box forms. You can configure this behavior by disabling the business rule in the Rendering forms section of the particular form.

Lists
The following table summarizes the differences between the two types of lists:
Volatile lists: Created when defining a user option inside an offering or model. In Administration > Configuration > Lists, the User options list icon appears next to volatile lists.
Non-volatile lists: Created in Administration > Configuration > Lists.

Volatile lists: Can be reused when defining a new user option of type List in other offerings or models but not for a field of type ENUM defined in a record type.
Non-volatile lists: Can be reused when defining a new user option of type List in other offerings or models as well as for a field of type ENUM defined in a record type.

Volatile lists: There is no limit on how many lists can be created.
Non-volatile lists: There is a limit of 20 lists of this type.

Volatile lists: Can include up to 250 items.
Non-volatile lists: Can include up to 25 items.

Volatile lists: Can be ordered alphabetically or ordinally (user-defined order).
Non-volatile lists: Order is automatically ordinal (user-defined).

Volatile lists: Not included in the configuration data transferred by the Package Manager.
Non-volatile lists: Included in the configuration data transferred by the Package Manager.

Routing definitions

Service Portal Administration

Quick Guide to customizing the Service Portal


Design header
In the Settings tab, Header section, do the following:
Field Action
Name If your company name is not part of your company logo, type in the name. Otherwise, ensure this field is blank.

Logo Click to locate the relevant file and upload it for use in the portal. Note: It is recommended that you use an image file that is already being used in your company's website.

Background Select a color that complements the logo. Note: Generally, it is recommended to keep the white background. It is clean and easy on the eyes and enables easy detection of an end user’s personal area icon on the top right.

It is highly recommended that you mix and match the different category background styles. The recommended ratio is 3:2:1 per the details in this table:
Option 1 Option 2
3 solid color tiles using different colors 3 solid color tiles using different colors

2 default color tiles which are usually a darker color – same as the portal sidebar
2 background images

1 default color tile which is usually a darker color – same as the portal sidebar
1 background image

Configure Service Portal display theme settings


Service Management provides a default display theme for the Service Portal. You can create a custom display theme to suit your company's look and feel. For a quick guide describing the basic settings for the portal, see Quick guide to customizing the Service Portal.

Theme Settings page user interface
From the main menu, select Administration > Configuration > Service Portal Settings > Theme Settings.
Interface item Description
Theme The theme for the Service Portal that is displayed. By default, the out-of-the-box Standard (default) theme settings are displayed.

Theme selection Click to display a drop-down list of themes. You may select a previously created theme, or create a theme.

When you update a setting, you can click Preview to display the change. The setting is
only previewed and not saved until you click Save. For more information, see Preview
custom theme.

When you have selected a theme other than the default, click More to display the
following options:
▪ Rename - select to rename the theme.
▪ Delete - select to delete the theme.
▪ Enable - select to enable the theme. Only available for selection when the theme
is disabled.
▪ Disable - select to disable the theme. Only available for selection when the
theme is enabled.
▪ Set as default - select to set the theme as the default. Only available for
selection when the theme is enabled.

Preview custom theme You can select which part of the Service Portal user interface the theme settings are previewed on.

Settings tab Area where you define the settings for the theme.

Audience tab Area where you apply entitlement rules to select the audience for a theme.

Configure Service Portal feature settings


In addition, you can configure the Approval delegation feature. The default configuration allows delegation to all users. Alternatively, you may select one of the following from the Allowed delegations drop-down:
Selection Description
Same company If a user has an Employment type of External, and the Company field is not blank, that user may delegate only to the following:
▪ A user who is in the same Company.
▪ A user whose Company field is blank.
If a user has an Employment type of other than External, that user may delegate only to the following:
▪ A user whose Company field is blank.
Note: The field Company is only displayed and available if the Employment type of the user is External.

Shared group membership A user may only delegate an approval to a user with whom there is a shared group membership.

Portal profile page on first login
On the Service Portal, there is a profile page for the user to complete. By default, this displays automatically when the user logs in for the first time. In the Show portal profile page on first login field, you can disable this by selecting Off.

Virtual agent and email integration

Configure need for offerings in requests
On the Service Portal, you can configure whether the user can create a request without a matching offering. This functionality is affected by whether there is a default offering in Service Request Management. Select the appropriate option in the Request offering on Service Portal request field, as detailed in the following table. For more information, see Default offering.
Option Description
MANDATORY The user is unable to create a request for which there is no matching offering.
▪ If there is a default offering, a request with no other matching offering is created with the default offering.
▪ If there is no default offering, a request with no matching offering generates a message to refine the request description, so as to find a matching offering. The message also includes a link to the offerings catalog, allowing the user to search there for a matching offering.

OPTIONAL (default) The user is able to create a request for which there is no matching offering.
▪ If there is no default offering, a request with no matching offering generates a message to do one of the following:
  • Refine the request description, so as to find a matching offering.
  • Complete the general request form.
▪ If there is a default offering, the request is created with the default offering.

IGNORE If there is no matching offering, the user is not prompted to refine his search. Instead, he is directed to complete the general request form.

SKIP The user bypasses virtual support. On seeking help, the user goes directly to the default offering page. If there is no default offering, the user goes to the general Help form page.

The default value for this field is Building. For more information, see Public audience.

Enable and configure followers
On the Service Portal, the followers function is enabled by default. In the Enable followers field, you can disable this function by selecting Off. You can configure the feature by limiting followers. The default configuration allows all users to be followers. Alternatively, you may select one of the following from the Configuration for followers drop-down:

Selection Description
Same company If the user who created the request has an Employment type of External, and the Company field is not blank, only the following may be followers:
▪ Users who are in the same Company.
▪ Users whose Company field is blank.
If a user who created the request has an Employment type of other than External, only the following may be followers:
▪ Users whose Company field is blank.
Note: The field Company is only displayed and available if the Employment type of the user is External.

Shared group membership Only users in one of the same groups as the user who created the request may be followers.

To change the target translation language, select the appropriate value from the drop-down.

Enable new request tracking page
There is now a new and improved request tracking page available for use in the Service Portal. By default, this new page is not displayed. In the Enable new request tracking page field, you can make the new page the default by selecting On. The new page will automatically become the default in a future release.

Enable read-only display for closed requests
By default, having closed requests display as read-only is disabled. In the Enable read-only display for closed requests field, you can enable this and make all closed requests read-only by selecting On.

Enable entity picker smart suggestions
When enabled, certain pickers in the Request Management forms provide a list of suggested values at the top of the list based on the context of other fields in a record, such as the text in the Title and Description. Note: This functionality is enabled by default and we do not recommend that you turn it to Off unless you have specific reasons.

Select category page type
On the Service Portal, when a user clicks on a category tile, a page is displayed with three tabbed sections. You can configure the default section that is displayed. Select the appropriate option in the Category page type field, as detailed in the following table.
Option Description
FEATURED (Out-of-the-box default) A list of items in the following order:
▪ All news items
▪ Recommended offerings
▪ Popular offerings
▪ Articles
There may be up to 30 items in this section.

OFFERINGS A list of offerings in the following order:
▪ Recommended offerings
▪ Popular offerings
There may be up to 20 items on each page of this section.

ARTICLES A list of articles in the following order:
▪ Recommended articles
▪ Other articles
There may be up to 20 items on each page of this section.

Configure Service Portal configuration settings


Enable customized tab
By selecting On in the Enable customized tab field, you can add a customized tab to track the requests that are requested to the same company. You can select the appropriate options, as detailed in the following table.
Option Description
Customized tab name Type the name of the customized tab. This field supports localization. You can click the ellipsis icon and add a localized name to the corresponding field.

Roles Select one or more user roles that are allowed to view the customized tab in Service Portal.

Request metaphases Select the request metaphases. Only requests in the selected metaphases are displayed in the customized tab.

Grid columns Select the predefined list of columns to be displayed in the customized tab. These columns may include the customized fields that are added to the Request table.

Excel Template Download or upload an Excel template for the end users to export the record list from the customized tab in the Self-Service Portal.
▪ Download: Click this button to download the existing template.
▪ Upload: Click this button to upload a customized Excel template. The upload file type must be *.xlsx.
An IT agent can either create a new template or download the default template and then upload it again after customization. When creating a new template, an IT agent needs to define the Field Name in the first row on Sheet1, and then prepare some pre-configured tables or charts on other sheets of the Excel template.
The Field Name must be the value of the Name field in Request meta data definition. To access the Request meta data, click Administration > Configuration > Studio. Select Request in the drop-down list, and then switch to the Fields tab.
Note: As described in the Grid columns description above, an IT agent can select some columns to be displayed in the customized tab. Meanwhile, the selected columns must be defined in the Excel template as well. If an IT agent selects to display some columns without defining them in the Excel template, the system cannot export the related columns.
▪ Revert to default: Click this button to revert to the default template.
In the default template, all fields names are defined based on the out-of-box data. The default template also provides some pre-configured tables and charts as examples to help the end users summarize their data and number of requests.
Note: This button activates only after you have uploaded a customized Excel template.

Authorize knowledge handling in the Service Portal

User selections in the Service Portal

Out-of-the-box, Service Management is configured so that when submitting requests, users in the portal are
restricted as to the devices, infrastructure and peripheral assets, and subscriptions they can select, as follows:
Item Those available for selection
Devices
▪ User owns, uses, or has a subscription for.
▪ Subordinates of the user own, use, or have a subscription for.

Infrastructure & peripheral assets
▪ User owns, uses, or has a subscription for.
▪ Subordinates of the user own, use, or have a subscription for.

Subscriptions
▪ Of the user.
▪ Of the subordinates of the user.

Enable users to edit requests in the Service Portal

Application settings
Enable mail configurations
Mail configuration is disabled by default. To enable the configurations, select On and complete the following settings:
Field Description
Mail protocol Select SMTP or EWS as the mail server type.

Mail server host Enter the name of the mail server host that is used for sending email notifications. It can be the IP address, machine name, or DNS name of the mail server.

Mail server port Enter the communications port that the mail server uses.

Mail from Enter the email address identified as email sender. Make sure that this email address is in the allowed reply email list configured in the mail server.

Authentication required
▪ If the mail server requires authentication, turn on this switch and enter the user name and password.
▪ If the mail server does not require authentication, turn off this switch and keep user name and password fields blank.

User name Enter the user name of the account used for mail server authentication.

Password Enter the password of the account used for mail server authentication.

Certificate (for SMTP only) Select a certificate used by SMTP server.
▪ Plain
▪ Enable SSL
▪ Enable TLS
If a self-signed SSL/TLS certificate is used, the suite administrator needs to upload the certificate to the <ITSMA global NFS share directory>/certificate/source folder. See Configurations for details.

Enable NTLM (for EWS only) If your Exchange Server requires domain information for authentication, turn on this switch to enable the Domain field.

Domain (for EWS only) Enter the domain of the account used for mail server authentication.

Service path (for EWS only) Enter the EWS service path (for example, EWS/Exchange.asmx) for the full EWS service URL. The full EWS service URL consists of Mail server host and Service path.

Version (for EWS only) Select the version of Exchange Server. If you are unable to find a match, select the latest version prior to the version of your Exchange Server.


Virtual agent settings


You can download Virtual Agent 2019.02 from Micro Focus ITOM Marketplace. For more information about how
to administer the SMA Virtual Agent, refer to the PDF document that is included in this package.

Caution: This alpha package supports English only, and is recommended for demonstration or test environments only. Do not
deploy this package in a production environment.


Smart Analytics settings


Complete the following settings:

Field: Description

Module name: Select a module name from the drop-down list. In this release, the only option is Request.

Predicted field: Select a predicted field from the drop-down list. In this release, the options are: Offering, ActualService, ITProcessRecordCategory, and PersonGroup.
Note: If you select PersonGroup as the predicted field and want the system to automatically fill a value for the Assignment Group field in a Smart Ticket, you must tailor the corresponding form and business rules. See the Tailor form and business rules for Assignment Group prediction section for detailed instructions.

Training sample query: (Optional) Specify a sample data query to decide what kind of data you want to use as sample data to teach Smart Analytics to build the intelligence out of your large data volume. By default, the system uses all HR Requests, Service Requests, or Support Request data as training samples. For example, if you set this query to MATCH{Close}:PHASEID, the system only uses the closed requests as sample data. In this example, PHASEID is the IDOL field name, and Close is one of its values.
For more information about how to write a training sample query, see the IDOL documentation at https://www.microfocus.com/documentation/idol/.

Predicted field query: (Optional) Specify a query to decide what kind of value Smart Analytics learns for the Predicted field. For example, if you select Offering in the Predicted field, you can use this query to define which offering items will be learned by training the sample data. The system will automatically fill the offering items for a new request according to its issue description.
By default, this query is empty, which means the predicted result will only be filtered by the Entitlement Rule (access right defined by system). For example, if you set this query to NOTMATCH{Inactive}:STATUS, the system will not return Offering with inactive status when predicting Offering.
For more information about how to write a predicted field query, see the IDOL documentation at https://www.microfocus.com/documentation/idol/.

Content fields: Select a content field from the drop-down list. Smart Ticket will predict and automatically fill the predicted field for a new request according to the Content fields settings. In this release, the only option is description.

Entitlement fields: Specify the fields through which Smart Ticket can automatically fill the predicted field according to the requestor's permission definitions. In this release, the system automatically defines the entitlement fields according to the Predicted field settings.

Click the Configurations tab to update the settings. In addition, you can modify the following settings to optimize
the accuracy of auto suggestion. These settings are tradeoffs between training time and accuracy, which means
higher accuracy is achieved at the cost of longer training time. Listed below are some best practices for these
optimization configurations.

Setting: Description

Training Samples Per predicted field: The maximum records to be used as the training samples for each value of the Predicted field.
Default: 200

Test Data Coverage: The percentage of records out of the total source data that are used to test the trained system.
Default: 5

Source Data Coverage: The percentage of records out of the total source data that a predicted value can cover. The system will analyze the distribution of the existing records, arrange predicted values by request amount in descending order, and then calculate accumulations. Smart Ticket will automatically fill the Predicted field value from the top until the accumulation reaches the defined Source Data Coverage value.
Normally a higher percentage means higher accuracy, but there is a threshold point. When the training source data percentage exceeds the threshold, the marginal contribution drops markedly. The out-of-box value for this configuration is 90%, which is the best value found in lab testing.
Default: 90

Smart Search
You can customize the following Smart Search settings to pre-define the possible actions based on your search conditions and results.

Field: Description

Enable Phrase Queries: The default value is false. If you select this check box, Smart Search automatically adds quotation marks to the search criteria. Example usage: If you select this check box and then enter mobile phone in the search box, Smart Search sends the search request with the query text “mobile phone” and then displays the results that exactly match the search criteria at the top of the result list.

Ignore certain special characters: The default value is false. If you select this check box, Smart Search interprets special elements as normal characters instead of query syntax. These elements include asterisks (*), question marks (?), colons (:), double quotation marks ("), brackets, and boolean and proximity operators such as AND, NOT, OR, EOR, XOR, NEAR, DNEAR, WNEAR, BEFORE, and AFTER. Select this check box to disable wildcards, phrase queries, field restrictions and boolean operations. Example usage: If you select this check box and then enter mobile AND phone in the search box, Smart Search displays the search results which contain either mobile or phone. If you clear this check box and then enter mobile AND phone in the search box, Smart Search displays the search results which contain both mobile and phone.
Note: If you select this check box, the system ignores the setting of Enable phrase queries and does not add quotation marks to the query text.

Minimum search result relevance threshold (0-100): The value must be between 0 and 100. Negative numbers or any numbers that are greater than 100 are not allowed. Specifies the minimum percentage of relevance that the search results must have to the query.


Data domain segmentation


Data domains and entitlement rules


Basic automated procedure


Data domain segmentation – use case


Assign a Primary data domain to a group or user


Assign permission for a data domain to a role


Assign a record to a data domain


Impact of data domain segmentation


Categories

Service Management allows you to create, edit, and manage categories. Categories provide different groupings of
a record for classification. The following table is an example of how a user might organize categories and
subcategories for his organization.
Category: Subcategories

Access (accounts and passwords):
▪ Passwords
  • New password
  • Forgot password
  • Reset password
▪ Accounts and identity
  • Network access
  • Application access
▪ Privileges and permissions
▪ Other

Communication and collaboration:
▪ Instant messaging
▪ Virtual meeting rooms
▪ VoIP

Fault:
▪ Electrical
  • Appliance
  • Rack
  • Main
  • UPS
▪ Network
  • Communications
  • Internet
▪ Other

Hardware:
▪ Hard drive
▪ Memory
▪ Failure
▪ Missing or stolen

Network:
▪ Wired internet access
▪ Wireless internet access
▪ Firewall
▪ VPN
▪ DNS
▪ Configuration
▪ Connection
▪ Other

Performance:
▪ Performance degradation
  • Continuous
  • Intermittent
▪ System or application unresponsive

Software:
▪ Application client
▪ Application server
▪ Application functionality
▪ Data
  • Data or file corrupted
  • Data or file incorrect
  • Data or file missing
  • Storage limit exceeded

Security:
▪ Encryption
▪ Virus and malware protection
▪ Intrusion detection
▪ Security breach
▪ Security event

Personal systems:
▪ Desktop support
▪ Laptop support
▪ Tablet support
▪ Mobile support
▪ Printing
▪ Storage
▪ Backup and recovery
▪ Other


Create a category


Edit categories


View categories


MT console for shared service providers


Dev2Prod - Synchronize your development and production tenants

Data / Inconsistency in / If inconsistent

User-defined fields in records
▪ Enable sort: Source overwrites target
▪ Read only: Source overwrites target
▪ Hidden: Source overwrites target
▪ Logical type: Causes import process to fail
▪ Reference: Causes import process to fail
▪ Enable search: Causes import process to fail
▪ Enforce uniqueness: Causes import process to fail
▪ Required: Causes import process to fail

Lists
▪ Target contains list value that does not exist in source (list value in source removed): Causes import process to fail
▪ List value order: Causes import process to fail

List values
▪ Value icon: Source overwrites target

Workflow definitions
▪ All: Source overwrites target. This may cause inconsistencies in data in case the new workflow is inconsistent with existing data. For example, if a new validation rule was added to enforce a field’s value to be set (mandatory field), all records whose value for that field is empty, might return an error when updated.

Form layout definitions
▪ All: Source overwrites target.

Notification templates
▪ All: Source overwrites target.

Roles
▪ All: Source overwrites target.

Custom actions
▪ All: Source overwrites target.

Resource bundles
▪ All: Source overwrites target.

Note: If there is a problem importing any part of the data, an error message is displayed, and the tenant is
restored to the original configuration. The issues that arise are usually related to conflicts between the two
tenants. To view the errors, click the Details link in the error message. An error report opens detailing each of the
problematic issues. If the whole import fails, click the Details link for more information. The import might fail due
to connection issues, timeout, incorrect import file, and so on.


Debug tool
The following table describes some of the columns in the debug file which provide important information for each
step of the action:
Column name: Description

Timestamp: The time of the action.

Severity:
▪ DEBUG for regular actions.
▪ ERROR for actions resulting in an error.
▪ PERFORMANCE for a row measuring performance results for an action.

Component:
▪ Workflow for steps involving workflow components.
▪ Expression Language for steps involving Expression Language.

Message: Description of the action.

Workflow action: The type of action. For example, Start condition evaluation or End condition evaluation.

Duration: The duration of the action in milliseconds. Only relevant for ending actions.

Process event: The process event under which the business rule is defined.

Rule path: The full path of the location of the business rule (Record type, process, metaphase, phase).

Business rule source: The source of the business rule. It could be a user-defined rule for the record type, or a system rule, not editable by the user. Alternatively, it could be a rule defined for the model on which the record is based, such as a rule defined for an offering which runs on the requests based on that offering.

Operation:
▪ CREATE for creation of a record.
▪ UPDATE for editing an existing record.
▪ DELETE for deletion of an existing record.


Sample data
The data imported as sample data is indistinguishable from data entered into the system. Once the sample data is
deployed, the button in the Sample Data page becomes disabled. The Tenant Admin receives notification via email
when a new tenant is created. This mail includes a link to the Sample Data page where the data can be deployed
onto the new tenant.

Caution: If you deploy the sample data, it cannot be undeployed. You can delete individual
pieces of data, such as knowledge articles and records, but you cannot reverse the deploy.


Live Support


Live Support and Chat


Configure Live Support with CTI

Field: Description

<field name>: The name of the field. You may use any of the following:
▪ Any searchable field taken from the person record. The format is user.<field>. For example, user.FirstName and user.LastName.
▪ The phone number taken from the person record. The field name is user.phone. If the URL includes user.phone, Service Management tries to match the number of the incoming phone call with the office and mobile phone numbers held in the person records.
▪ The request record ID number. The format is request.Id.

<field value>: The value of the field in the record.


Chat capability for the Service Portal


Enable chat capability for the Service Portal


Check the SLA configuration. You must ensure that the SLA complies with all of the following:

Requirement: Action

SLA is the default, or includes the appropriate services: Do one of the following:
• In the Details section, select the Default agreement option
• In the Services section, ensure the appropriate services are displayed
Note: To add a service, click Add, then select an actual service to link to the SLA.

SLT set is correct: Link the correct Support Request SLT set to the SLA in the Default target sets section.
If not already done:
1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you created or chose in the Service Level Management - Service Level target set section.

Check the SLA configuration. You must ensure that the SLA complies with all of the following:

Requirement: Action

SLA includes the appropriate service offerings: In the Service Offerings section, ensure the appropriate offerings are displayed.
Note: To add an offering:
1. From the Main menu, go to Plan > Service Catalog > Offerings.
2. Open the offering you want to include in the SLA.
3. Go to the Agreements section.
4. Select the SLA.
5. Click Save on the toolbar.

SLT set is correct: Link the correct Service Request SLT set to the SLA in the Default target sets section.
If not already done:
1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you created or chose in the Service Level Management - Service Level target set section.

Check the SLA configuration. You must ensure that the SLA complies with all of the following:

Requirement: Action

SLA is the default, or includes the appropriate services: Do one of the following:
• In the Details section, select the Default agreement option
• In the Services section, ensure the appropriate services are displayed
Note: To add a service, click Add, then select an actual service to link to the SLA.

SLT set is correct: Link the correct Support Request SLT set to the SLA in the Default target sets section.
If not already done:
1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you set up in the Service Level Management - Service Level target set section.

Check the SLA configuration. You must ensure that the SLA complies with all of the following:

Requirement: Action

SLA is the default, or includes the appropriate services: Do one of the following:
• In the Details section, select the Default agreement option
• In the Services section, ensure the appropriate services are displayed
Note: To add a service, click Add, then select an actual service to link to the SLA.

SLT set is correct: Link the correct Support Request SLT set to the SLA in the Default target sets section.
If not already done:
1. Go to the Default target sets section.
2. For Request, click .
3. Select the SLT set you set up in the Service Level Management - Service Level target set section.


Configure support agent anonymity


Location-based Live Support


Create a white label version of Service Management


Adjust the following settings as required:
White label parts: Settings

Only the Service Portal:
• Name
• Logo

Service Portal and Service Management:
• Name
• Logo
• Agent interface header label
• Agent interface header logo

Service Management:
• Agent interface header label
• Agent interface header logo


Generate report based on PostgreSQL views


If you have not created any tenants in your farm, you can simply use the second process, which should take care
of all your needs. Otherwise, you need to run both processes.

Create PostgreSQL users for existing tenants

If you have existing tenants in your farm, connect to the PostgreSQL database "xservices_ems" using the user
"postgres," and then execute the following SQL statements for each existing tenant:

    /* For each existing tenant in the farm <tenantid-i> i = 1…n do */
    CREATE USER user_<tenantid-i> WITH PASSWORD '<password>';
    GRANT USAGE ON SCHEMA view_<tenantid-i> TO user_<tenantid-i>;
    GRANT SELECT ON ALL TABLES IN SCHEMA view_<tenantid-i> TO user_<tenantid-i>;

At this point, you have created a user named user_<tenantid-i> with a corresponding password for each
tenant <tenantid-i>. You can provide the user to a tenant owner for reporting purposes.

Create/update PostgreSQL users for new tenants and refreshed tenants

The following procedure automates the process of the user creation for each new tenant to be added to the farm.
It also takes care of view refreshes (see the PostgreSQL view generation section). Connect to the PostgreSQL
database "xservices_ems" using the user "postgres," who must be a super user, and then execute the following
SQL statements only once:
    /* Grant some additional permissions to special users 'postgres' and 'maas_admin' */
    GRANT maas_admin TO postgres;
    ALTER USER maas_admin CREATEROLE;

    /* Define the grant_view_access() PL/pgSQL function that creates a new PostgreSQL user named user_<tenantid>
       (if it does not already exist) and provides it with read-only access to all the views under the schema
       view_<tenantid> */
    CREATE FUNCTION grant_view_access() RETURNS event_trigger AS $$
    DECLARE
        obj RECORD;
        u varchar;
        s varchar;
    BEGIN
        FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands()
                   WHERE command_tag IN ('CREATE SCHEMA') AND object_identity ~ 'view_.*$'
        LOOP
            s := obj.object_identity;               -- schema name, view_<tenantid>
            u := regexp_replace(s, 'view', 'user'); -- matching user name, user_<tenantid>
            IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = u) THEN
                -- The user is created without a password; one is set afterwards with ALTER USER.
                EXECUTE format('CREATE USER %I NOINHERIT', u);
            END IF;
            EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', s, u);
            EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', s, u);
            -- Also grant SELECT on tables and views that maas_admin creates in this schema later.
            EXECUTE format('ALTER DEFAULT PRIVILEGES FOR ROLE maas_admin IN SCHEMA %I GRANT SELECT ON TABLES TO %I', s, u);
        END LOOP;
    END;
    $$ LANGUAGE plpgsql;

    /* Create a new event trigger on the 'CREATE SCHEMA' statement that invokes the grant_view_access() callback */
    CREATE EVENT TRIGGER create_schema_trigger
        ON ddl_command_end
        WHEN TAG IN ('CREATE SCHEMA')
        EXECUTE PROCEDURE grant_view_access();



After these SQL statements are run, any new tenant <tenantid-new> that gets added to the farm automatically
creates a new PostgreSQL user named user_<tenantid-new> with the appropriate permissions. At this point, all
you need to do is set a password for this new user and provide it to the tenant owner for reporting purposes:

    ALTER USER user_<tenantid-new> PASSWORD '<password>';

Note: With the current implementation, due to user access control limitations in PostgreSQL, the tenant
segregation provided by the above users is not complete. Each user can see only the data in his/her own tenant
views, thus completely avoiding data leak between tenants. However, a user can see the view names of other
tenants. In particular, it is possible to see the tenantids of other tenants in the farm (but no actual data).
This is not a security concern since tenant access still requires full authentication irrespective of knowledge
of another tenantid, but can be a privacy concern in the case of an MSP.
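
The following audit queries are an added example, not part of the product documentation. They assume the user_<tenantid> and view_<tenantid> naming described above and are meant to be run as "postgres" in the "xservices_ems" database; the first three should return no rows, and the fourth lists reporting users that still have no password set.

```sql
-- Added audit example (not from the product documentation).
-- Assumption: reporting roles are named user_<tenantid> and their schemas
-- view_<tenantid>, as on this page. Any unrelated role whose name starts
-- with "user_" is also matched and should be reviewed by hand.

-- 1. Reporting roles holding USAGE on another tenant's view schema.
--    Expected: no rows.
SELECT r.rolname AS reporting_role,
       n.nspname AS foreign_schema
FROM   pg_catalog.pg_roles r
CROSS  JOIN pg_catalog.pg_namespace n
WHERE  r.rolname ~ '^user_'
AND    n.nspname ~ '^view_'
AND    n.nspname <> regexp_replace(r.rolname, '^user', 'view')
AND    has_schema_privilege(r.oid, n.oid, 'USAGE');

-- 2. Reporting roles able to SELECT from a table or view in another
--    tenant's schema (direct grants and grants to PUBLIC both count).
--    Expected: no rows.
SELECT r.rolname AS reporting_role,
       n.nspname AS foreign_schema,
       c.relname AS relation
FROM   pg_catalog.pg_roles r
CROSS  JOIN pg_catalog.pg_class c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE  r.rolname ~ '^user_'
AND    n.nspname ~ '^view_'
AND    c.relkind IN ('r', 'v', 'm')
AND    n.nspname <> regexp_replace(r.rolname, '^user', 'view')
AND    has_table_privilege(r.oid, c.oid, 'SELECT');

-- 3. Reporting roles carrying attributes beyond read-only reporting.
--    Expected: no rows.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb,
       rolreplication, rolbypassrls
FROM   pg_catalog.pg_roles
WHERE  rolname ~ '^user_'
AND    (rolsuper OR rolcreaterole OR rolcreatedb
        OR rolreplication OR rolbypassrls);

-- 4. Reporting roles created by the event trigger that have no password
--    yet (pg_authid is readable by superusers only).
SELECT rolname
FROM   pg_catalog.pg_authid
WHERE  rolname ~ '^user_'
AND    rolpassword IS NULL;
```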
