Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Prime Home Operations and Maintenance Guide 6.5

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Prime Home Operations and Maintenance Guide 6.5

Chapter Title

Application Configuration and Control

Results

Updated:
November 14, 2016

Chapter: Application Configuration and Control

Application Configuration and Control

Application Setup Conventions

Prime Home application is deployed on 2 main layers – the Connection Layer and the Service Layer. Each layer consists of a different set of processes that implements the application business logic. Each of these processes has init scripts under /etc/init.d directory configured to start on system boot. All Prime Home application processes, except the DB layer that runs Oracle, run under the “panorama” user. In both Connection and Service Layers, Prime Home is installed under the $PANORAMA_HOME folder.

Connection Layer (Processes)

The Connection Layer includes the following processes:

  • Prime Home business logic, running on top of JBoss AS. It is installed in $PANORAMA_HOME/acs folder

  • Prime Home internal http/https reverse proxy and ssl termination (nginx). It is installed in the$PANORAMA_HOME/nginx folder.

  • Application Watchdog (pwatch) that is monitoring the Prime Home Connection Layer application status. It is installed in the $PANORAMA_HOME/scripts/pwatch folder.

Service Layer (Processes)

The Service Layer includes the following processes:

  • Prime Home business logic, running on top of Apache Tomcat. It is installed in the $PANORAMA_HOME/portal folder.

  • Prime Home message broker, running on top of Apache ActiveMQ. It is installed in the $PANORAMA_HOME/activemq folder.

  • Prime Home application watchdog (pwatch) that is monitoring the Service Layer application status. It is installed in the $PANORAMA_HOME/scripts/pwatch folder.

CMHS (Processes)

CMHS includes the following processes:

  • CMHS business logic, running on top of Netty. Netty is a NIO client server framework, which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as a TCP socket server. CMHS is installed in the $CMHS_HOME folder.
  • Ruby god process which is used to monitor CMHS process

Download Server (Processes)

Download Server uses http/https reverse proxy and ssl termination (nginx). It is installed in the$PANORAMA_HOME/nginx folder.

Log Upload Server (Processes)

LUS includes the following processes:

  • LUS business logic, running on top of Netty. Netty is a NIO client server framework, which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as a TCP socket server. LUS is installed in the $LUS_HOME folder.
  • Ruby god process which is used to monitor LUS process.

Configuration Overview

Prime Home can be configured via 3 main options:

  • Prime Home Portal - used to configure the GUI pages and portlets; define layout and look & feel, and configure authorization and authentication settings (for example, LDAP integration)

  • Configuration files used to configure the different business logic components within Prime Home, such as, Database connection, Cross-Layer connectivity, Notification Services and integration with external servers (for example, Household topology synchronization)

  • Prime Home database using the Configuration Manager utility

    Prime Home configuration files (application level configuration) are kept in the $PANORAMA_HOME/etc folder of each server.

    This section lists the main modules that can be configured via configuration files, and a general overview of what can be configured on each module.

    The table in File based configurations lists the exact configuration properties available for each module and what the possible values are for each configuration property.

    The sections below specify how to configure particular settings on selected features.

Household Topology Synchronization Configuration (optional flow)

The Household Topology synchronization process is used to load the Cross Device Alerts groups and synchronize the topology with the Cross Device Alerts engine. For further information regarding this process, see Appendix C.

The following configuration options are available:

  • To disable / enable notification sending for a particular target type for the entire module:

    Edit the <module_name>.Notifications.default.<appender_type> = true/false

    For example: CrossDeviceAlerts.Notifications.default.snmp=true will enable sending SNMP traps for all cross device alerts.

  • To disable / enable notification sending for a particular target type on a particular alert:

    Edit the <module_name>.Notifications.<alarm id> property with the list of required target types.

    For example: CrossDeviceAlerts.Notifications.11.snmp=false will disable sending SNMP for APP_STORE_FAILURE alert


Note

The list of supported alarm IDs is listed in PANORAMA-COMMON-MIB file, on the notificationAlarmId entity.

Notification Service Configuration

Prime Home includes a notification service as a central point for distributing events and notifications from Prime Home to external systems, such as: Cross Device Alerts, performance measurements threshold crossing, system events (server up/down), etc.

Notification Targets Configuration

Prime Home provides the administrator with the ability to configure the list of targets (AKA: appenders) that will receive notifications from the system.

Currently 2 types of notification target types are supported: SNMP and Syslog.

On each notification target type, it is possible to configure a specific notification type, meaning N snmp listener / Syslog server that Prime Home will send notifications to. Each appender is configured separately. The parameters of each appender are built according to the following format: Default.<type>.<appender-name>.<parameter>, where:

  • <type> = snmp / Syslog

  • <appender-name> = the name of the appender. (Default: local1)

  • <parameter> = the specific parameter name

To configure the default SNMP target: specify the IP / Port / Community for the properties carrying the following prefix: Default.snmp.local1.

To configure the default Syslog target, specify host / port for properties carrying the following prefix: Default.syslog.local1.

To configure additional SNMP/ Syslog targets, add new entries replacing the “default” with a customer appender, e.g.:Default.snmp.mySnmpAppender.

Controlling Notification Generation

Prime Home lets you control what kind of alerts will be sent to each target type. This is achieved by configuring a respective flag on each alerting module. The following modules currently send external notifications:

  • CrossDeviceAlerts – for cross device alerts generation

  • HHT - for household topology failure notifications

  • NotificationService – general notifications, like heartbeat (keep-alive) trap

The following configuration options are available:

To disable / enable notification sending for a particular target type for the entire module:

Edit the <module_name>.Notifications.default.<appender_type> = true/false

For example, CrossDeviceAlerts.Notifications.default.snmp=true will enable SNMP traps sending for all cross device alerts.

To disable / enable notification sending for a particular target type on a particular alert:

Edit the <module_name>.Notifications.<alarm id> property with the list of required target types

For example, CrossDeviceAlerts.Notifications.11.snmp=false will disable SNMP sending for APP_STORE_FAILURE alert.


Note

The list of supported alarm IDs is listed in PANORAMA-COMMON-MIB file, on the notificationAlarmId entity.

Start Prime Home Services

Procedure
    Step 1   If you are logged in as a root user start all the Prime Home services by using the command: 
    service primehome start
    Step 2   If you are logged in as a Panorama user, start all the Prime Home services by using the command: 
    $PANORAMA_HOME/init/primehome start
    Step 3   Alternatively, you can start each component separately as detailed below.
    Step 4   To start Prime Home services on the Connection Layer:
    1. Open an SSH connection to the required Connection Layer server.
    2. Change the user to "Panorama" if you are not already. 
      su - panorama
    3. Start the register service using this command: 
      $PANORAMA_HOME/init/register start
    4. Start the acs service using this command: 
      $PANORAMA_HOME/init/acs start
    5. Start the nginx service using this command: 
      $PANORAMA_HOME/init/nginx start
    Step 5   To start Prime Home services on the Service Layer:
    1. Open an SSH connection to the required Service Layer server.
    2. Change the user to "Panorama" if you are not already. 
      su - panorama
    3. Start the register service using this command: 
      $PANORAMA_HOME/init/register start
    4. Start the ActiveMQ service using this command: 
      $PANORAMA_HOME/init/activemq start
    5. Start the tomcat service using this command: 
      $PANORAMA_HOME/init/tomcat start
    6. Start the nginx service using this command: 
      $PANORAMA_HOME/init/nginx start
    Step 6   Start CMHS and LUS as ciscorms user using this command: 
    sudo service god start
    Step 7   Start Download Server using this command: 
    <ds_nginx_location>/init/nginx start

    Stop Prime Home Services

    Procedure
      Step 1   If you are logged in as a root user stop all the Prime Home services by using the command: 
      service primehome stop
      Step 2   If you are logged in as a Panorama user, stop all the Prime Home services by using the command: 
      $PANORAMA_HOME/init/primehome stop
      Step 3   Alternatively, you can stop each component separately as detailed below:
      Step 4   To stop Prime Home services on the Connection Layer:
      1. Open an SSH connection to the required Connection Layer server.
      2. Change the user to "Panorama" if you are not already. 
        su - panorama
      3. Stop the register service using this command: 
        $PANORAMA_HOME/init/register stop
      4. Stop the acs service using this command: 
        $PANORAMA_HOME/init/acs stop
      5. Stop the nginx service using this command: 
        $PANORAMA_HOME/init/nginx stop
      Step 5   To stop Prime Home services on the Service Layer:
      1. Open an SSH connection to the required Service Layer server.
      2. Change the user to "Panorama" if you are not already. 
        su - panorama
      3. Stop the register service using this command: 
        $PANORAMA_HOME/init/register stop
      4. Stop the ActiveMQ service using this command: 
        $PANORAMA_HOME/init/activemq stop
      5. Stop the tomcat service using this command: 
        $PANORAMA_HOME/init/tomcat stop
      6. Stop the nginx service using this command: 
        $PANORAMA_HOME/init/nginx stop
      Step 6   Stop CMHS and LUS as ciscorms user using this command: 
      sudo service god stop
      Step 7   Stop Download Server using this command: 
      <ds_nginx_location>/init/nginx stop

      Check Status of Prime Home Services

      Procedure
        Step 1   If you are logged in as a root user check the status of the Prime Home services by using the command: 
        service primehome status
        Step 2   If you are logged in as a Panorama user, check the status of the Prime Home services by using the command: 
        $PANORAMA_HOME/init/primehome status
        Step 3   Alternatively, you can check the status of each component separately as detailed below.
        Step 4   To check the status of the Prime Home services on the Connection Layer:
        1. Open an SSH connection to the required Connection Layer server.
        2. Change the user to "Panorama" if you are not already. 
          su - panorama
        3. Check the status of the acs service using this command: 
          $PANORAMA_HOME/init/acs status
        4. Check the status of the nginx service using this command: 
          $PANORAMA_HOME/init/nginx status
        Step 5   To check the status of the Prime Home services on the Service Layer:
        1. Open an SSH connection to the required Service Layer server.
        2. Change the user to "Panorama" if you are not already. 
          su - panorama
        3. Check the status of the ActiveMQ service using this command: 
          $PANORAMA_HOME/init/activemq status
        4. Check the status of the tomcat service using this command: 
          $PANORAMA_HOME/init/tomcat status
        5. Check the status of the nginx service using this command: 
          $PANORAMA_HOME/init/nginx status
        Step 6   Check the status of CMHS and LUS as ciscorms user using this command: 
        sudo service god status
        Step 7   Check the status of the Download Server using this command: 
        <ds_nginx_location>/init/nginx status

        Pwatch for Prime Home

        pwatch is the Application Watchdog responsible for monitoring different Prime Home components (tomcat, activemq, acs, nginx, etc). Once Prime Home has been installed and configured and all the Prime Home applications have been started, the administrator needs to enable pwatch.

        The administrator must be logged in as $primehome_user.

        • To enable pwatch, run the following script: 

          $PANORAMA_HOME/scripts/pwatch/pwatch monitor
        • To disable pwatch, run the following scripts: 
          $PANORAMA_HOME/scripts/pwatch/pwatch unmonitor

        Note

        During a maintenance window, monitoring by pwatch should be disabled. Otherwise, pwatch will try to bring up the application once it has been stopped.

        Workflow - If an application is down, pwatch restarts the service using the init scripts located at "$PANORAMA_HOME/init". On next invocation of pwatch script by cron job, pwatch script checks if the application is up or not. If not, it prints a message at services.log. pwatch repeats this monitoring for a maximum number of times (configured as the value of the property "<service_name>_monitor_delay" in pwatch.conf). If the application doesn't come up in that time period, pwatch disables that application. This event is also logged in services.log.

        Configuration file for pwatch is configured at $PANORAMA_HOME/etc/pwatch.conf.

        Log files generated by pwatch can be monitored at $PANORAMA_HOME/var/log/services/services.log

        Pwatch for Consul and Vault

        pwatch_consul is the Application Watchdog responsible for monitoring Consul and Vault. Once Consul and Vault has been installed and configured the administrator needs to enable pwatch_consul.

        The administrator must be logged in as $primehome_user.

        • To enable pwatch_consul, run the following command: 

          $consul_home/pwatch/pwatch_consul monitor
        • To disable pwatch_consul, run the following command: 
          $consul_home/pwatch/pwatch_consul unmonitor

        Note

        During a maintenance window, monitoring by pwatch_consul should be disabled. Otherwise, pwatch_consul will try to bring up the application once it has been stopped.

        Workflow - If an application is down, pwatch_consul restarts the service using the init scripts located at "$consul_home/init". On next invocation of pwatch_consul script by cron job, pwatch_consul script checks if the application is up or not. If not, it prints a message at services.log. pwatch_consul repeats this monitoring for a maximum number of times (configured as the value of the property "<service_name>_monitor_delay" in pwatch_consul.conf). If the application doesn't come up in that time period, pwatch_consul disables itself. This event is also logged in services.log.

        Configuration file for pwatch_consul is located at $consul_home/conf/pwatch_consul.conf.

        Log files generated by pwatch_consul can be monitored at $consul_home/var/log/services.log

        Access Controls

        Upon successful authentication, Prime Home provides personalized tools to its users (e.g., CSR). In order to achieve that, Prime Home maintains various entities such as Permissions, Roles and Group matching table. The following figure describes the relationship between these entities:

        Figure 1. Authorization Management Entities Diagram

        Groups and users are maintained in the LDAP server - the fact that users can be grouped together allows the various applications to define and apply rules easily and effectively. Prime Home maintains a table that maps these groups to roles which define the permissions/privileges that the relevant user will have while accessing the system. The permissions define the capabilities that the associated users (e.g. john@Cisco.com) have (View CPE properties, reboot a CPE, etc).

        When accessing the Web Interface, users are prompted with a login page where they enter the user-name (e.g. e-mail address) and password. Prime Home uses these credentials to authenticate the user against the LDAP server and retrieve both the users’ groups’ membership and selected user details. These user groups are used by Prime Home to find the role which defines the user permissions to access the various functionalities.

        Assigning Permissions to Roles

        Permissions control the types of operations a user is permitted to perform. Prime Home consists of a pre-defined list of permissions for each entity in the system, such as: Portlet, Action in a portlet etc.

        Permissions are associated with Roles. Each Role consists of a set of permissions that define the Roles’ capabilities. Each user will be granted permissions according to the list of Permissions associated with his Role.

        To define the set of Permissions each Role is granted to, do the following:

        1. Log in to Prime Home as a system administrator.

        2. Navigate to the Administration tab.

        3. Click on the Roles page in the navigation menu. The following screen will open:

          Figure 2. Roles Portlet



        4. Click on the required Role.

        5. Click on the Define Permissions tab.

        6. In the Add Permission menu, select the required Portlet.

        7. Assign the required permission to the Role for the selected Portlet by checking the check box.

        Associating Roles with User Groups

        Each user in Prime Home should be associated with a User Group. This association is acquired from the LDAP server that the system is configured to work with.

        Since Permissions are defined via the Role entity, you need to define each User Group and its corresponding Role entity.

        To configure the Roles for each User Group

        1. Log in to Prime Home as a system administrator.

        2. Navigate to the Administration tab, open the Roles page and select a Role as described above.

        3. Select Assign Members > User Groups > Available.

        4. Check the required User Group and click on Update Associations.

        Was this Document Helpful?

        FeedbackFeedback

        Contact Cisco