No.3 Summer 2005
IBM Tivoli Inventory is an excellent tool for gathering hardware and software information, but keeping the data up to date can prove difficult without spending considerable time performing manual distributions or writing large suites of scripts.
Even if you opt for one of these options,
reporting the success rate of the scans
can start to be extremely time consuming,
especially where the number of endpoints
runs into the thousands.
However using Odyssey 3.1 the setup,
maintenance and subsequent reporting of
the scans can actually now be extremely
simple. The configuration I created for this
article took less than 30 minutes, hence
the title.
Resource Groups
A new concept in Odyssey 3.1 is the
Resource Group. This is a virtual set of
systems that is only populated at
execution, allowing for wild cards and
lookups to be performed to create the
target list. In the case of an inventory scan
it is likely that with a large number of
systems you will have unique policies for
different types of systems. For example
you might choose to scan workstations at
a less frequent interval to servers or scan
Unix systems differently to Windows
systems.
In the example I have used for this article
I have created a Resource Group called
Workstations that creates a virtual list of
systems beginning with wrk (^wrk.*) and
excludes all systems containing dev in the
name; however, you can use any script you
want to populate the list. Another option
might be to always choose the thirty
oldest systems to be scanned.
Even if your policy is to scan all of your
endpoints every day, a resource group will
still be needed to ensure that if an
endpoint is updated, added or removed
the scan list is always accurate. This is not
always the case with a conventional
ProfileManager based subscription list.
Wizards
The Odyssey Wizards are powerful tools
that perform multiple parallel actions on
large numbers of resources such as
Endpoints or Users. The processing can be
automatically throttled and queued to
ensure that the Tivoli environment does not
get overloaded.
Inside: News in a Minute; Is Configuration Management Database important to your organisation?; Role mining: a quick route to Role Based Access Control; IBM Tivoli Education – News; Tips for writing Resource Models using VBA Script
Creating an Inventory Schedule in 30 minutes by Simon Barnes
Message Broker No.3 Summer 2005
[Figures: Defining a Resource Group; An Active Inventory Schedule; Scheduling Using Resource Groups]
There are a range of customisable action
types such as command execution, Tivoli
tasks, HTTP interactions, perl and shell
script execution and remote actions. For
this scenario I have chosen to run three
actions:
1. An action to test that the age of the last scan
is older than 7 days. This is a slightly
modified version of the standard
Odyssey action called Last Scan Age, which reports the last scan age in days.
This action could alternatively be
incorporated into the Resource Group.
2. A test to ensure the endpoint is running.
This is supplied as a standard action
called Status. This ensures any system
that is targeted is up and running.
3. An Inventory Distribution Action. This
action type allows you to choose any
existing InventoryConfig profile, the
batch size of the distribution (i.e. how
many systems you want to distribute to
at once) and a delay between
distributions. You can also configure
retries but in this instance I have not
done this.
These three actions are joined together to
form an Action group called Scheduled Workstation Scan.
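The selection logic this configuration amounts to, written out as an added Python example (not Odyssey code and not from the original article): the group is resolved at run time from the ^wrk.* pattern minus names containing dev, the scan-age and status tests are applied, and the remaining targets are split into distribution batches. The endpoint names, dates and batch size are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: (endpoint label, last successful scan, endpoint running?)
NOW = datetime(2005, 8, 1, 9, 0)
ENDPOINTS = [
    ("wrk001", NOW - timedelta(days=10), True),
    ("wrk002", NOW - timedelta(days=2), True),
    ("wrk-dev-03", NOW - timedelta(days=30), True),
    ("wrk004", NOW - timedelta(days=8), False),
    ("srv001", NOW - timedelta(days=40), True),
    ("wrk005", None, True),                      # never scanned
    ("wrk006", NOW - timedelta(days=7, hours=1), True),
]


def resolve_group(endpoints, include=r"^wrk.*", exclude="dev"):
    """Build the target list at execution time, so added or removed
    endpoints are picked up without maintaining a subscription list."""
    pattern = re.compile(include)
    return [ep for ep in endpoints
            if pattern.search(ep[0]) and exclude not in ep[0]]


def oldest(endpoints, n=30):
    """Alternative population rule: the n endpoints with the oldest scans.
    Endpoints that were never scanned sort first."""
    ranked = sorted(endpoints,
                    key=lambda ep: (ep[1] is not None, ep[1] or datetime.min))
    return [ep[0] for ep in ranked[:n]]


def plan_scan(endpoints, now, max_age=timedelta(days=7), batch_size=2):
    """Apply the three actions in order: scan-age test, status test,
    then split the surviving targets into distribution batches."""
    targets, skipped = [], {}
    for name, last_scan, running in resolve_group(endpoints):
        if last_scan is not None and now - last_scan <= max_age:
            skipped[name] = "scan is recent"
        elif not running:
            # Stale and unreachable: the inventory data stays out of date,
            # so this is the list to follow up on.
            skipped[name] = "stale but not running"
        else:
            targets.append(name)
    batches = [targets[i:i + batch_size]
               for i in range(0, len(targets), batch_size)]
    return batches, skipped


if __name__ == "__main__":
    batches, skipped = plan_scan(ENDPOINTS, NOW)
    for number, batch in enumerate(batches, 1):
        # A configured delay would go between batches.
        print(f"batch {number}: {', '.join(batch)}")
    for name, reason in skipped.items():
        print(f"skipped {name}: {reason}")
```

Endpoints reported as stale but not running never reach the distribution step, so their inventory records keep ageing until someone follows up.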
Scheduler
New in version 3.1 is the Odyssey
scheduler. This does not use either the
Operating System or IBM Tivoli Schedulers
and therefore allows complete
independence from underlying tools to
schedule actions. For this example I have
used it to schedule the defined resource
group so that at a selected interval it runs
the chosen Scheduled Workstation Scan action group. As shown below I have
chosen to schedule a workstation scan
every 1 week.
By simply pressing OK the Inventory
schedule will be created. There is no longer
a need for scripts or manual intervention.
Viewing a Running or Completed Session
During the Wizard’s execution, or after it
has finished, you may wish to check the
progress of the scan. Without Odyssey
this would mean command line interaction
but with it you can view and sort each
target to find what state it is in.
Reporting
Once the scheduled routine has been
created the temptation would then be to
forget about it and hope that it is
successful. Using Odyssey it is simple to
report on the success or failure of any
Wizard session. Not only do you have the
sortable table view shown on page 1, but
also on completion each wizard creates a
web-based report that will show a
summary of the success and failure rate.
[Figures: Inventory Report; Last Scan Inventory Report]
Lastly in addition to the standard reports
it is possible to click on any column in
Odyssey and create a Pie Chart Summary.
This is particularly useful for the
Inventory Scan as it can be used on the
Last Scan Age Column to create a neat
summary of the age of all endpoint scans.
If you would like to evaluate Odyssey 3.1 or take a look at some of the other powerful features it offers, go to the website at http://www.orb-data.com/Odyssey
Alternatively if you would like further information on this or any aspect of Odyssey please contact Julia Knight on +44 (0)1753 705015 or [email protected]
News in a Minute
Computer Associates is to cut another 5 percent of its workforce despite having announced significantly increased annual revenue estimates in July.
The company, which is emerging from civil and criminal inquiries into its accounting, said that cutting the extra jobs on top of the 800 reductions announced in September will generate savings of $75m a year. New CEO, John Swainson, who replaced former chief executive Sanjay Kumar when he was indicted on securities fraud charges, said, "CA is very much a work in process."
The world's largest video rental chain Blockbuster has suffered a fall in profits due to increased competition from fast-growing online rental specialists such as Netflix.
Blockbuster's shares fell 11% after it revealed the disappointing figures. The company is putting some of the revenue loss down to the scrapping of late fees at half its US stores and some other regions; however, in the UK they still apply. Blockbuster insisted it would be able to recoup the income from late fees from extra business and would return to profitability in 2006. "As the decline in store-based video rental industry continues, stores will have to close," said chief executive John Antioco.
Apple has broken with 20 years of single-button tradition and unveiled a mouse that has a 360-degree scroll ball and four programmable buttons.
Two of the buttons are programmable touch sensors, whilst pressing the scroll ball and squeezing its sides can activate the other two buttons. For people who still want the old single button mouse, Apple states that while the device has multi-button functionality, it can also work in single-button mode. It’s priced at £35 and has already started shipping.
About 1,500 jobs will be lost after the UK's largest computer maker Granville Technology Group, which produces Tiny and Time PCs, went into administration and closed its 80 shops.
The Lancashire based company has been making monthly losses of up to £2m since the start of the year. All directors of the company, except its non-executive chairman, left ahead of the announcement. Customers, especially those who have paid for goods but are yet to receive their goods, face a worrying few weeks. Administrators Grant Thornton said they will maintain a customer support operation and plan to make a further announcement soon. The GMB union said the job cuts were "devastating".
A South Korean man has died after reportedly playing an online computer game for 50 hours.
The 28-year-old man started playing Starcraft on 3 August and only paused to go to the toilet, said the police. "We presume the cause of death was heart failure stemming from exhaustion". Online gaming in South Korea is extremely popular thanks to its fast and widespread broadband network. Games are televised and professional players are treated, and paid, like sports stars. Professional gamers there attract huge sums in sponsorship and can make more than $100,000 a year.
Orb Data Launches New Web Site
After months of development, we are pleased to say, the new Orb Data web site is now up and running at http://www.orb-data.com.
It's now bigger and better than ever, with
specific sections devoted to Enterprise
Systems Management, Security
Management, Service Management and
Infrastructure.
The ever popular technical section has
been expanded to include a new FAQ
section. Here you'll find 200 or so
frequently asked questions, not only
about ESM related subjects but also
databases, security and others. We hope
you find the new site useful and visit it
regularly in the future.
To use the new technical section you will
have to reregister at:
http://www.orb-data.com/register
Is a Configuration Management Database important to your organisation? by Steve Lawrence
There has been a lot of interest recently from analysts and vendors alike, in products that meet the need to implement a Configuration Management Database (CMDB) as described in the ITIL (IT Infrastructure Library) framework.
The question is, are you, the potential customers for such a product, as excited about the CMDB as the analysts think you should be, and if not, then why not?
Even if your answer to this question is an emphatic “No”, you should read on, as you may change your mind…
Before we address the question, it is important to be clear about what a CMDB really is, as defined by ITIL. There are a confusing number of offerings in the marketplace, most of which fail to meet more than a sub-set of ITIL’s description of a CMDB.
The CMDB should hold details of, and relationships between, all Service and System components (e.g. Hardware, Software, Network Infrastructure etc.).
Most Inventory or Asset databases can meet the need to record details of individual systems, with information pertaining to their configuration. However, these do not in themselves meet ITIL’s CMDB definition, as they are typically unable to define and maintain the relationships between systems and other CIs (Configuration Items) that make up a Business Service.
It is the ability to view IT assets in the context of the Service and users that they support which is pivotal in the full adoption of the ITIL process framework. Without this, it is incredibly difficult to understand the business impact, and thus the relative priority, of issues or changes to your IT Estate.
The CMDB should also hold details of the following records, which are produced as a result of Service Management processes, together with their relationships to system components:
• Incidents
• Problems
• Known Errors
• Changes
• Releases
• Service Level Agreements
The accurate recording of these details in a CMDB will significantly improve the effectiveness of the ITIL Process implementation in an organisation. For example, when a Service Desk Analyst records an Incident against a system, they will immediately be able to see the Business Services that are affected by the issue.
This helps in determining the relative priority of incoming incidents, and thus the way in which IT staff allocate their effort. Furthermore, associated SLAs for the Service will determine the target response time for each incident.
The CMDB can also be used to store corporate data about employees, locations, business units, suppliers, maintenance agreements, and licenses.
By recording corporate information about organisational structure and employees, it becomes possible to rapidly establish the user community affected by Incidents, Problems, or Changes etc. This is because we can not only determine the Business Service impacted by a system, but also the users of that Service, and the SLA determining maintenance windows, service restoration targets, etc.
Details of suppliers and maintenance agreements that are in effect will allow reasonable expectations of 3rd party performance to be set, and facilitate verification that SLAs can be met within the terms of Underpinning Contracts.
Finally, ITIL recommends that a definitive software and documentation library is also maintained within the CMDB, and subjected to formal change control.
Returning to the question posed at the beginning of this article – is a CMDB important to your organisation? – I would suggest that consideration of the benefits identified above should lead to the answer “Yes”.
Clearly many organisations do not have a comprehensive CMDB as described by ITIL, and yet they are able to function, but do they do so efficiently?
Most companies have a sub-set of the information required, possibly in proprietary databases, spreadsheets, or even manual records, so there is recognition that this information is valuable.
However, to truly release the power and efficiency promised by ITIL, the information needs to be accurate, comprehensive, up-to-date, and integrated with the processes.
It is therefore impractical, if not impossible, to reach this goal without software tools to help you, and therein lies the rub. There is a multitude of products available: Inventory tools, Asset Management tools, Helpdesk tools, and some of them are even positioned as CMDB solutions.
But, ask yourself if they deliver the capabilities described in this article, and if they do not, how can they be a CMDB in more than name?
Orb Data has chosen to partner with FrontRange Solutions to provide a Service Desk solution (ITSM) that includes a CMDB component to meet the requirements of ITIL.
We believe that by integrating this solution with IBM Tivoli ESM technology, we can help our customers to take a significant step towards adoption of the full ITIL framework.
For further details of our offering in this area, please contact Steve Lawrence (Business Development Manager) [email protected].
Role mining: a quick route to Role Based Access Control by Colin Miles
The value of roles
Role Based Access Control (RBAC) systems provide an efficient and effective method for controlling access to corporate resources.
By enforcing security according to a well
defined and closely managed set of logical
role definitions, organisations can
discover a number of associated benefits.
These include:
• The complexity and cost of day-to-day
security administration can be reduced.
• An improved auditing capability can be
delivered in order to help meet
regulatory requirements.
• Business processes can be streamlined
to align with logical role functions.
• Security can be provided for an ever
growing number of employees, business
partners & customers much more easily
(without a corresponding exponential
growth in the number of required access
rights).
The basis of an RBAC control model is
simple. A user is assigned to one or more
roles according to his/her position or level
of responsibility within the enterprise.
Access rights to all IT resources are then
assigned at a role level. The process of
role assignment thereby automatically
confers the correct access privileges upon
the user. For many organisations however
this simple model represents an elusive
utopia as defining a comprehensive and
accurate set of role definitions for their
business in the first place can be a
deceptively complex task.
The problem – how are roles defined?
Often system access patterns for an
organisation have evolved over a long
period of time without any clearly defined
structure or policy helping to determine
just “who” gets access to “what”. When
each new system or application is
integrated into the overall infrastructure
security may be deployed on an ad-hoc
basis leading to an increasingly confused
overall picture over time. In such cases
assignment of access privileges for a new
employee, business partner or customer
can often be determined by bad practice
methods such as ‘copying’ the account
settings of users who are perceived to be
similar to the new user. Such methods
quickly propagate inaccuracies across
systems and can introduce worrying
security flaws.
The challenge for organisations therefore
is to derive new role definitions by making
sense of access patterns across all of their
systems. One solution to this is to
undertake a full role engineering project
by committing to an in-depth analysis of
business processes. Experience has
shown that such projects are
painstakingly complex and laborious (with
a high dependency on manual methods),
and can take months to complete. For
example, consider that such a project will
need to address a huge range of
organisational factors and often will
require engaging sys admins, managers
and other stakeholders across all
departments within the organisation.
Furthermore, it is important not to forget
that organisational role definitions are not
static. Over time infrastructure changes,
organisation shuffles or shifting business
pressures are all likely to require that role
definitions are revisited and reworked
where necessary.
Role mining with Eurekify Sage
An alternative solution to the challenge of
role engineering is to start with the
assumption that the definitions of roles in
the organisation already exist in the
underlying privileges that are deployed
across the systems. With this assumption
it then becomes a case of extracting and
refining this information to derive a role
model for ongoing use.
The Sage product from Eurekify offers a
unique tool in this respect. Using Sage it
is possible to analyse existing user access
patterns from any number of systems, and
through automated pattern matching
algorithms reverse-engineer the roles
that are required by the business. Sage
works by importing user and access
information from any number of existing
enterprise systems (either through out-of-the-box
interfaces or via an easily
customised bespoke process) and then
combining and analysing the data to carry
out a “bottom up” discovery of roles. This
process can be repeated many times with
search and pattern parameters amended
by the administrator on each pass as
required. By this iterative process Sage
allows for role definitions to be discovered
and refined to evolve a best fit logical role
set that is closely tied to both the
organisation’s current access rights as well
as future requirements.
[Figure: Data flow: role mining with Eurekify Sage]
All Sage operations are carried out via a
separate configuration database that
allows all analysis to be conducted “off-
line” without impacting any productive
systems. Once a satisfactory role
definition has been derived using Sage,
options exist for importing role data back
to the source systems for operational use.
Role set definitions may also prove
invaluable as an accompanying step to a
user provisioning or full Identity
Management implementation. In such
projects it is often the case that the
adoption of an RBAC model, whilst not an
essential first step, still allows for the
maximum benefit from the new solution to
be derived.
As well as role mining Sage functionality
also provides the ability for organisations
to:
• map existing privileges to new roles
• detect out-of-pattern role members
• reveal privilege ‘collectors’ and other
exceptions or deviations from expected
usage
• detect duplicate roles or privileges
• audit existing (known) role definitions
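The bottom-up discovery and three of the checks listed above, as an added Python example that is not from the original article and is not Eurekify Sage's algorithm: candidate roles are privilege sets shared by several users, after which the code reports privileges that no mined role explains, privilege collectors, and duplicate group definitions. The user names, privilege strings, group names and thresholds are constructed for illustration, and the function names are hypothetical.

```python
from itertools import combinations
from statistics import median

# Constructed sample: user -> privileges exported from two systems ("system:right").
ASSIGNMENTS = {
    "alice": {"ad:finance-share", "sap:post-invoice", "sap:view-ledger"},
    "bob":   {"ad:finance-share", "sap:post-invoice", "sap:view-ledger"},
    "carol": {"ad:finance-share", "sap:post-invoice", "sap:view-ledger",
              "sap:approve-payment"},
    "dave":  {"ad:helpdesk-tools", "ad:reset-password"},
    "erin":  {"ad:helpdesk-tools", "ad:reset-password"},
    "frank": {"ad:helpdesk-tools", "ad:reset-password", "ad:finance-share",
              "sap:post-invoice", "sap:view-ledger", "sap:approve-payment",
              "ad:domain-admin"},
}

# Constructed sample: existing group definitions, group -> privileges it grants.
GROUPS = {
    "FIN_CLERKS": {"ad:finance-share", "sap:post-invoice", "sap:view-ledger"},
    "FINANCE_USERS_OLD": {"ad:finance-share", "sap:post-invoice", "sap:view-ledger"},
    "HELPDESK": {"ad:helpdesk-tools", "ad:reset-password"},
}


def candidate_roles(assignments, min_users=2, min_privs=2):
    """Mine candidate roles: each user's privilege set and every pairwise
    intersection is a pattern; keep patterns held by at least min_users."""
    sets = [frozenset(p) for p in assignments.values()]
    patterns = set(sets)
    patterns.update(a & b for a, b in combinations(sets, 2))
    roles = {}
    for pattern in patterns:
        if len(pattern) < min_privs:
            continue
        members = sorted(u for u, p in assignments.items() if pattern <= p)
        if len(members) >= min_users:
            roles[pattern] = members
    return roles


def unexplained(assignments, roles):
    """Out-of-pattern privileges: rights a user holds that none of the
    mined roles the user fits would grant."""
    leftovers = {}
    for user, privs in assignments.items():
        covered = set()
        for pattern, members in roles.items():
            if user in members:
                covered |= pattern
        extra = set(privs) - covered
        if extra:
            leftovers[user] = extra
    return leftovers


def collectors(assignments, factor=2.0):
    """Privilege collectors: users holding more than factor times the
    median number of privileges."""
    typical = median(len(p) for p in assignments.values())
    return sorted(u for u, p in assignments.items() if len(p) > factor * typical)


def duplicate_groups(groups):
    """Groups whose privilege sets are identical."""
    by_privs = {}
    for name, privs in groups.items():
        by_privs.setdefault(frozenset(privs), []).append(name)
    return sorted(sorted(names) for names in by_privs.values() if len(names) > 1)


if __name__ == "__main__":
    roles = candidate_roles(ASSIGNMENTS)
    for pattern, members in sorted(roles.items(), key=lambda kv: len(kv[0])):
        print(sorted(pattern), "->", members)
    print("unexplained:", unexplained(ASSIGNMENTS, roles))
    print("collectors:", collectors(ASSIGNMENTS))
    print("duplicate groups:", duplicate_groups(GROUPS))
```

On the sample data the pass yields three candidate roles and singles out one account that fits all of them and still holds a right none of them explains, which is the kind of result an administrator would review before amending the thresholds for the next pass.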
Summary
An accurate set of role definitions for the
enterprise can be an invaluable asset
when it comes to providing secure IT
services. Using a role mining tool such as
Eurekify Sage allows roles to be mined
from existing enterprise data much more
quickly and with greater accuracy than by
comparable manual methods. This in turn
helps provide a speedier route to ROI on
IT deployments across the enterprise.
Sage Survey – understanding roles in 5 days
Orb Data is currently offering customers the opportunity to run a 5 day mini-project to better understand role definitions within their organisation. The project utilises Eurekify Sage to analyse current access privileges from selected systems with the aim to:
• explore current privileges and run investigative queries
• identify & quantify excessive and out-of-pattern privileges
• identify & quantify duplicate & overlapping group definitions
• “reverse” engineer a set of role definitions from existing patterns
• assess the needs and build a case for a full RBAC or Identity Management project
To find out more about how our Sage Survey can help your organisation improve your ability to control access to IT resources please contact us [email protected].
Do you monitor the health of your Tivoli solution?
Orb Data has developed a package of ITM Resource Models which monitor and report on the health of a Tivoli Infrastructure. This solution helps you to identify and resolve problems with your TMR, TEC and Gateways before these issues impact functionality.
TMR Server
Oserv_Status checks if the object dispatcher is running.
Epmgr_Status reports if the endpoint manager has failed or hung.
TMR_Hanging_Methods monitors for a hanging object.
Gateways
Gateway_Status monitors the gateway to check if it is down, hung or if there is a problem with the oserv. It additionally monitors for the number of jobs waiting to run.
TEC
TEC_Status checks that the Event Server is running.
TEC_Stats monitors the status of the TEC for:
• Queued_Events
• Waiting_Events
• Parse_Failed events
TEC_LastEvent sends an alert if an event has not been received in a given number of minutes.
Database
RIM_Status checks that any database can be connected to via RIM.
For a limited period, we are offering this resource model pack free of charge to customers who take advantage of our Tivoli Audit offering. To find out more, visit http://www.orb-data.com/ESMReview. Alternatively you can buy this pack directly by contacting [email protected]
[Course schedule calendar: August, September, October, November]
Odyssey 3.1 Operations (Half Day)
Odyssey 3.1 Advanced Users
Tivoli Management Framework 4.1 and 4.1.1 Update
IBM Tivoli Monitoring 5.1.2
Resource Model Development
IBM Tivoli Configuration Manager 4.2.1 - Introduction for Users
IBM Tivoli Configuration Manager 4.2.1 - Software Package Editor
IBM Tivoli Configuration Manager 4.2.1 - Administration & Troubleshooting (2 Days)
IBM Tivoli Education - News
Orb Data has introduced two new
classroom-based training courses to
coincide with the release of version 3.1 of
its software product, Odyssey. The first
new course is a half-day class teaching
the basic aspects of Odyssey’s use to aid
the operation of a Tivoli Management
Environment (TME). The second course is
aimed at Advanced Users wishing to
harness the full power of Odyssey to help
simplify the support and administration of
their TMEs.
For more information, booking instructions and other courses visit http://www.orb-data.com/TrainingCourses.
• Managing Distribution Operations
• Linking ESM functions to business value
• ITIL and best practice – learning from others mistakes
• News in a Minute
• Security – Why wait to comply?
• Increasing the reliability of your Tivoli Environment?
• Technical Corner: Using Tracing in Resource Models
Issue 2 / Issue 1
Did you miss a previous issue?
Don’t worry, you can download them here: http://www.orb-data.com/message-broker
• Companies Spend to Solve the Identity Conundrum
• ‘Just in Case’ Computing
• News in a Minute
• Data, data everywhere - Orb Data Reporting Application
• Hotfix Deployment Comes of Age
• Technical Corner: Rules Based on Time
If you have any comments or would like to subscribe or change your details please email [email protected].
A full schedule of all our courses is below.
Tips for writing Resource Models using VBA Script
by David Webb
Introduction
The default language for authoring Resource Models that only run on a Windows platform is VBA script. This is an easy language to grasp and learning it should not prove difficult for a Tivoli Administrator familiar with PERL or Shell Scripting. However, there are a few quirks peculiar to VBA and this article intends to highlight some of these, as well as show how common tasks can best be performed in a VBA Script.
Option Keyword
By default VBA Script allows variables to be defined on an improvised basis. For example, the following code defines two variables, explict and improv:
    Dim explict As Integer
    explict = 3
    improv = 4
It is worth noting that these variables are not the same: explict is an Integer and so can only store integer values; improv – like all undeclared variables – has the Variant data type meaning that it can store any type of data.
Whilst not needing to explicitly define variables can be convenient, it can lead to problems in more complex Resource Models. Consider the following loop:
    count = 0
    While count < 5
        MsgBox "Count is " & count
        ' typo on the next line: coumt instead of count
        count = coumt + 1
    Wend
Due to the typo in the code, this loop will run forever. The compiler encounters coumt and assumes that this is a new variable to be defined meaning that count is never incremented. Such problems can be very difficult to identify as the successful compilation “hides” the mistake in the code.
It is possible to force the compiler to only allow explicitly defined variables, which will prevent problems like these. To do so, add the statement Option Explicit at the top of the VBA source.
There are other options that can be used in this way. One – Option Base – can be used to change the index of the first element of an array from 0 to 1. However, it is recommended that this option is never used to ensure consistency in the code for all custom Resource Models.
String Comparisons
Another use of Option alters the way string comparisons are performed. By default string comparisons in Visual Basic are case sensitive, which is to say:
    "STRING" = "string"
will evaluate to False. Specifying Option Compare Text at the top of the code makes string comparison case insensitive, causing the above expression to become True. It is also possible to perform a particular type of string comparison at any time using the StrComp function:
    result = StrComp(string1, string2, compareOption)
The relevant values for compareOption are:
    Constant             Value   Meaning
    vbUseCompareOption   -1      Compare the string using the method specified by Option Compare
    vbBinaryCompare      0       Do a case sensitive comparison
    vbTextCompare        1       Do a case insensitive comparison
The values returned by StrComp are as follows:
    Case                                Return value
    string1 = string2                   0
    string1 < string2                   -1
    string1 > string2                   1
    string1 = Null or string2 = Null    Null
So StrComp is likely to be used in a way similar to the following:
    If StrComp(value, hostname, vbTextCompare) = 0 Then
        'Send Event
    End If
More String Parsing
There are several more string parsing functions available in Visual Basic. The following code and accompanying table is an example of some:
    Dim words As String
    Dim stringArray() As String
    words = "The quick brown fox jumps over the lazy dog."
    stringArray = Split(words, " ")
    Expression        Value
    Left(words,9)     The quick
    Mid(words,11,9)   brown fox
    Right(words,4)    dog.
    stringArray(0)    The
    stringArray(3)    fox
From the above it is clear that Left, Right, and Mid are used to extract substrings from a string value. It is worth noting that, unlike PERL for example, the first character in a string has an index of 1 not 0.
Split behaves similarly to the PERL split function but the specified delimiter is a fixed string and not a regular expression. In this case the first element of the array returned does have an index of 0 (unless changed by Option Base as discussed above).
Static Variables
Often it is desirable to store values so that they can be compared between cycles of a Resource Model. A simple way to do this is to use Static variables available in VBA Script.
As VBA is not an object-oriented language Static does not refer to object classes or instances. Instead it means something far simpler: a Static variable maintains its value between different calls of a sub-routine. So for example, a delta for the change in a monitored value between cycles can be simply calculated using the following code:
    'value already contains this cycle's value
    Static oldValue As Double
    Dim delta As Double
    delta = value - oldValue
    oldValue = value
It is also possible to add the Static keyword to a Function or Sub definition, which will make all the values of all the procedure’s local variables preserved between calls. This is to be used with caution as it can easily produce unintended results.
Published by Orb Data Limited, Royal Albert House, Sheet Street, Windsor, Berkshire, SL4 1BE Telephone: +44 (0) 1753 705015
IBM and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries, or both.