The Prime Home application is deployed on 2 main layers: the Connection Layer and the Service Layer. Each layer consists of a different set of processes that implement the application business logic. Each of these processes has an init script under the /etc/init.d directory that is configured to start on system boot. All Prime Home application processes, except the DB layer that runs Oracle, run under the “panorama” user. In both the Connection and Service Layers, Prime Home is installed under the $PANORAMA_HOME folder.
The Connection Layer includes the following processes:
Prime Home business logic, running on top of JBoss AS. It is installed in the $PANORAMA_HOME/acs folder.
Prime Home internal HTTP/HTTPS reverse proxy and SSL termination (nginx). It is installed in the $PANORAMA_HOME/nginx folder.
Application Watchdog (pwatch) that monitors the Prime Home Connection Layer application status. It is installed in the $PANORAMA_HOME/scripts/pwatch folder.
The Service Layer includes the following processes:
Prime Home business logic, running on top of Apache Tomcat. It is installed in the $PANORAMA_HOME/portal folder.
Prime Home message broker, running on top of Apache ActiveMQ. It is installed in the $PANORAMA_HOME/activemq folder.
Prime Home application watchdog (pwatch) that monitors the Service Layer application status. It is installed in the $PANORAMA_HOME/scripts/pwatch folder.
CMHS includes the following processes:
Download Server uses HTTP/HTTPS reverse proxy and SSL termination (nginx). It is installed in the $PANORAMA_HOME/nginx folder.
LUS includes the following processes:
Prime Home can be configured via 3 main options:
Prime Home Portal - used to configure the GUI pages and portlets; define layout and look & feel, and configure authorization and authentication settings (for example, LDAP integration)
Configuration files used to configure the different business logic components within Prime Home, such as, Database connection, Cross-Layer connectivity, Notification Services and integration with external servers (for example, Household topology synchronization)
Prime Home database using the Configuration Manager utility
Prime Home configuration files (application level configuration) are kept in the $PANORAMA_HOME/etc folder of each server.
This section lists the main modules that can be configured via configuration files, and a general overview of what can be configured on each module.
The table in File based configurations lists the exact configuration properties available for each module and what the possible values are for each configuration property.
The sections below specify how to configure particular settings on selected features.
The Household Topology synchronization process is used to load the Cross Device Alerts groups and synchronize the topology with the Cross Device Alerts engine. For further information regarding this process, see Appendix C.
The following configuration options are available:
To disable / enable notification sending for a particular target type for the entire module:
Edit the <module_name>.Notifications.default.<appender_type> = true/false
For example: CrossDeviceAlerts.Notifications.default.snmp=true will enable sending SNMP traps for all cross device alerts.
To disable / enable notification sending for a particular target type on a particular alert:
Edit the <module_name>.Notifications.<alarm id> property with the list of required target types.
For example: CrossDeviceAlerts.Notifications.11.snmp=false will disable sending SNMP for the APP_STORE_FAILURE alert.
Note: The list of supported alarm IDs is given in the PANORAMA-COMMON-MIB file, under the notificationAlarmId entity.
Prime Home includes a notification service as a central point for distributing events and notifications from Prime Home to external systems, such as: Cross Device Alerts, performance measurements threshold crossing, system events (server up/down), etc.
Prime Home provides the administrator with the ability to configure the list of targets (AKA: appenders) that will receive notifications from the system.
Currently 2 types of notification target types are supported: SNMP and Syslog.
For each notification target type, it is possible to configure multiple targets, that is, N SNMP listeners or Syslog servers to which Prime Home sends notifications. Each appender is configured separately. The parameters of each appender are built according to the following format: Default.<type>.<appender-name>.<parameter>, where:
<type> = snmp / Syslog
<appender-name> = the name of the appender. (Default: local1)
<parameter> = the specific parameter name
To configure the default SNMP target: specify the IP / Port / Community for the properties carrying the following prefix: Default.snmp.local1.
To configure the default Syslog target, specify host / port for properties carrying the following prefix: Default.syslog.local1.
To configure additional SNMP / Syslog targets, add new entries replacing the “default” with a customer appender, e.g.: Default.snmp.mySnmpAppender.
Prime Home lets you control what kind of alerts will be sent to each target type. This is achieved by configuring a respective flag on each alerting module. The following modules currently send external notifications:
CrossDeviceAlerts – for cross device alerts generation
HHT - for household topology failure notifications
NotificationService – general notifications, like heartbeat (keep-alive) trap
The following configuration options are available:
To disable / enable notification sending for a particular target type for the entire module:
Edit the <module_name>.Notifications.default.<appender_type> = true/false
For example, CrossDeviceAlerts.Notifications.default.snmp=true will enable SNMP traps sending for all cross device alerts.
To disable / enable notification sending for a particular target type on a particular alert:
Edit the <module_name>.Notifications.<alarm id> property with the list of required target types.
For example, CrossDeviceAlerts.Notifications.11.snmp=false will disable SNMP sending for the APP_STORE_FAILURE alert.
Note: The list of supported alarm IDs is given in the PANORAMA-COMMON-MIB file, under the notificationAlarmId entity.
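An added example, not part of the Cisco documentation or product code: a Python audit of the notification properties described above. It groups appenders by the Default.<type>.<appender-name>.<parameter> format and lists alarms whose per-alarm flag switches off a target type that the module default enables. The appender parameter names (ip, port, host), the sample values, and the rule that an unset flag means disabled are assumptions.

```python
import re

# Constructed sample properties (not from a real deployment).
# Appender parameter names (ip, port, host) are assumed for illustration.
SAMPLE = """\
Default.snmp.local1.ip=192.0.2.10
Default.snmp.local1.port=162
Default.syslog.local1.host=192.0.2.20
Default.syslog.local1.port=514
CrossDeviceAlerts.Notifications.default.snmp=true
CrossDeviceAlerts.Notifications.default.syslog=true
CrossDeviceAlerts.Notifications.11.snmp=false
HHT.Notifications.default.snmp=false
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def appenders(props):
    """Group Default.<type>.<appender-name>.<parameter> as {(type, name): {param: value}}."""
    out = {}
    for key, value in props.items():
        m = re.fullmatch(r"Default\.(\w+)\.(\w+)\.(\w+)", key)
        if m:
            out.setdefault((m[1].lower(), m[2]), {})[m[3]] = value
    return out

def is_enabled(props, module, alarm_id, target_type):
    """Per-alarm flag overrides the module default; unset counts as disabled (assumption)."""
    for scope in (str(alarm_id), "default"):
        value = props.get(f"{module}.Notifications.{scope}.{target_type}")
        if value is not None:
            return value.lower() == "true"
    return False

def silenced_overrides(props):
    """List (module, alarm_id, type) where a per-alarm flag disables a type the default enables."""
    hits = []
    for key, value in props.items():
        m = re.fullmatch(r"(\w+)\.Notifications\.(\d+)\.(\w+)", key)
        if m and value.lower() == "false" and is_enabled(props, m[1], "default", m[3]):
            hits.append((m[1], int(m[2]), m[3]))
    return sorted(hits)
```

Running silenced_overrides over the properties in $PANORAMA_HOME/etc after each change gives a short list of alerts that no longer reach a given target type, which is worth reviewing against the intended monitoring coverage.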
pwatch is the Application Watchdog responsible for monitoring different Prime Home components (tomcat, activemq, acs, nginx, etc). Once Prime Home has been installed and configured and all the Prime Home applications have been started, the administrator needs to enable pwatch.
The administrator must be logged in as $primehome_user.
To enable pwatch, run the following script:
$PANORAMA_HOME/scripts/pwatch/pwatch monitor
To disable pwatch, run the following script:
$PANORAMA_HOME/scripts/pwatch/pwatch unmonitor
Note: During a maintenance window, monitoring by pwatch should be disabled. Otherwise, pwatch will try to bring up the application once it has been stopped.
Workflow - If an application is down, pwatch restarts the service using the init scripts located at "$PANORAMA_HOME/init". On the next invocation of the pwatch script by the cron job, pwatch checks whether the application is up. If it is not, pwatch writes a message to services.log. pwatch repeats this monitoring for a maximum number of times (configured as the value of the property "<service_name>_monitor_delay" in pwatch.conf). If the application doesn't come up in that time period, pwatch disables that application. This event is also logged in services.log.
The configuration file for pwatch is located at $PANORAMA_HOME/etc/pwatch.conf.
Log files generated by pwatch can be monitored at $PANORAMA_HOME/var/log/services/services.log.
pwatch_consul is the Application Watchdog responsible for monitoring Consul and Vault. Once Consul and Vault have been installed and configured, the administrator needs to enable pwatch_consul.
The administrator must be logged in as $primehome_user.
To enable pwatch_consul, run the following command:
$consul_home/pwatch/pwatch_consul monitor
To disable pwatch_consul, run the following command:
$consul_home/pwatch/pwatch_consul unmonitor
Note: During a maintenance window, monitoring by pwatch_consul should be disabled. Otherwise, pwatch_consul will try to bring up the application once it has been stopped.
Workflow - If an application is down, pwatch_consul restarts the service using the init scripts located at "$consul_home/init". On the next invocation of the pwatch_consul script by the cron job, pwatch_consul checks whether the application is up. If it is not, pwatch_consul writes a message to services.log. pwatch_consul repeats this monitoring for a maximum number of times (configured as the value of the property "<service_name>_monitor_delay" in pwatch_consul.conf). If the application doesn't come up in that time period, pwatch_consul disables itself. This event is also logged in services.log.
The configuration file for pwatch_consul is located at $consul_home/conf/pwatch_consul.conf.
Log files generated by pwatch_consul can be monitored at $consul_home/var/log/services.log.
Upon successful authentication, Prime Home provides personalized tools to its users (e.g., CSR). In order to achieve that, Prime Home maintains various entities such as Permissions, Roles and Group matching table. The following figure describes the relationship between these entities:
Groups and users are maintained in the LDAP server - the fact that users can be grouped together allows the various applications to define and apply rules easily and effectively. Prime Home maintains a table that maps these groups to roles which define the permissions/privileges that the relevant user will have while accessing the system. The permissions define the capabilities that the associated users (e.g. john@Cisco.com) have (View CPE properties, reboot a CPE, etc).
When accessing the Web Interface, users are prompted with a login page where they enter the user-name (e.g. e-mail address) and password. Prime Home uses these credentials to authenticate the user against the LDAP server and retrieve both the users’ groups’ membership and selected user details. These user groups are used by Prime Home to find the role which defines the user permissions to access the various functionalities.
Permissions control the types of operations a user is permitted to perform. Prime Home consists of a pre-defined list of permissions for each entity in the system, such as: Portlet, Action in a portlet etc.
Permissions are associated with Roles. Each Role consists of a set of permissions that define the Role's capabilities. Each user is granted permissions according to the list of Permissions associated with the user's Role.
To define the set of Permissions granted to each Role, do the following:
Log in to Prime Home as a system administrator.
Navigate to the Administration tab.
Click on the Roles page in the navigation menu. The following screen will open:
Click on the required Role.
Click on the Define Permissions tab.
In the Add Permission menu, select the required Portlet.
Assign the required permission to the Role for the selected Portlet by checking the check box.
Each user in Prime Home should be associated with a User Group. This association is acquired from the LDAP server that the system is configured to work with.
Since Permissions are defined via the Role entity, you need to define each User Group and its corresponding Role entity.
To configure the Roles for each User Group