SN Secexcer

V7.
Uempty
cover
IBM Training
IBM Tivoli Netcool

Configuration Manager 6.4
Advanced Features
Student Exercises
Course code TOS41 ERC 1.0
May 2013
E
T
T
All files and material for this course (TOS41, IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features) are IBM
copyright property covered by the following copyright notice.
Copyright IBM Corp. 2013. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries,
or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.
E
T
T
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used
under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and
other countries.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the
completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or
implied. In addition, this information is based on IBMs current product plans and strategy, which are subject to change by IBM without
notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other
materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations
from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software.
References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM
operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBMs sole discretion
based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by
you will result in any specific sales, revenue growth, savings or other results.
Contents
1 Network Service Manager exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Exercise 1. Reviewing VLAN command sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Exercise 2. Importing the data center switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Exercise 3. Giving group rights to use the NSM interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Exercise 4. Submitting GET calls to the interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Exercise 5. Reviewing a service template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Exercise 6. Installing the service template into NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Exercise 7. Running the service definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Exercise 8. Removing the service definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
E
T
T
2 Native command sets with JavaScript exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Exercise setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Starting the network simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercise 1. Enabling Java packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercise 2. Synchronizing devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercise 3. Creating a simple JavaScript native command set . . . . . . . . . . . . . . . . . . . . . . . . .
Exercise 4. Adding logging messages to JavaScript and capturing errors . . . . . . . . . . . . . . . .
Creating an error when applying commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Capturing JavaScript errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Capturing specific JavaScript error and stopping command processing . . . . . . . . . . . . . . . . .
Exercise 5. Using system commands in scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
49
49
51
54
56
66
69
70
73
78
3 JavaScript compliance exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Exercise setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Starting the network simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Exercise 1. JavaScript parameter example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Exercise 2. Enabling Java packages and classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Exercise 3. Creating the script parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Exercise 4. Using the script parameter in a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Exercise 5. Running the new policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Exercise 6. Optional exercise: external database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4 Driver management exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Exercise 1. Verifying current drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Copyright IBM Corp. 2013
Student Exercises
iii
Contents
Exercise 2. Installing and upgrading drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Exercise 3. Verifying the new drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Exercise 4. Using the updated drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
5 Offline device management exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Exercise 1. Importing offline devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
........................................................................
Exercise 2. Testing offline devices for policy compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercise 3. Working with offline devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
149
162
162
170
E
T
T
iv
IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Network Service Manager exercises

In these exercises, you use the following two virtual machines (VMs) that are running on VMware
workstation:
TOS41: This VM has the IBM Tivoli Netcool Network Manager suite of software installed.
This software includes the Tivoli Netcool/OMNIbus, Tivoli Network Manager, Tivoli Netcool
Configuration Manager, and Tivoli Integrated Portal. This VM is also running the DB2 database
software to support these servers.
GNS3: This VM has simulation software for creating virtual routers that are like physical routers
on a network. You can use Tivoli Netcool Configuration Manager to log in and manage these
virtual devices as though they were actual devices on the network.
E
T
T
Use the following procedure to start the virtual images:
1. Start VMware workstation by double-clicking the VMware Workstation icon on the desktop of
the host operating system.
2. Click File > Open in VMware workstation.
1 Network Service Manager exercises
3. Find the file named Clone of ISJ07.vmx. Select the file and click Open.
E
T
T
4. Click Power on this virtual machine.
V7.0
Uempty
5. After the server starts, log in with the user name netcool and password object00.
6. Open a terminal window. Right-click the desktop and click Open In Terminal.
E
T
T
Student Exercises
7. Start the TNCM server with the following command:

itncm.sh start
E
T
T
Note: You might get an Unable to communicate with Database message from the GUI. If that
happens, wait about 10 seconds and try the itncm.sh command again.
V7.0
Uempty
8. Start the second virtual machine that hosts a lab of virtual routers. From VMware Workstation,
click File > Open.
9. Find the file named SLES11SP1-32.vmx. Select the file, and click Open.
E
T
T
Student Exercises
10. Start the GNS3 image. Click Power on this virtual machine.
E
T
T
11. After the virtual machine starts, log in with the user name root and password object00.
12. On the desktop, double-click the NSMDataCenter-lab icon to start the GNS3 simulator.
This action opens the GNS3 user interface with a predefined lab that is used in these exercises.
13. Click the green start button in the GNS3 toolbar to start the simulation.
V7.0
Uempty
The dots under each router turn from red to green.
E
T
T
The images are now ready for you to begin the lab exercises.
14. Return to the TOS41 virtual machine.
Student Exercises

Introduction
Introduction
In any cloud solution that is enabled in the data center, the services that are provided must have
access to the network. Deploying these solutions means that information must traverse the network
from client to server in a secure manner such that unauthorized users are prevented from
accessing resources. To secure these resources, the physical and virtual network devices must be
configured to enable this segmentation. The automation of these cloud services for quick
establishment and tear-down must include elements to configure these network devices as part of
the overall business process.
In the following lab exercises, you learn about the Network Service Manager (NSM.) NSM is feature
of the Tivoli Netcool Configuration Manager that extends the current Java application programming
interface (API) with a REST (representation state transfer) interface that uses HTTP as its
underlying architecture. This interface allows the use of GET, POST, and DELETE actions by using
HTTP URI (universal resource identifiers) and XML documents as inputs and outputs. NSM allows
a northbound application to use simple HTTP calls to retrieve device and realm information,
synchronize and retrieve configuration data from a device, and run services to change its state.
E
T
T
To introduce you to the NSM solution, you use a REST plug-in to Mozilla Firefox to submit GET,
POST, and DELETE requests to the interface. In a true integration, the northbound application
software handles these requests and data manipulation tasks.
In these lab exercises, you are like a northbound application that is part of a cloud provisioning
solution. This solution is automating the creation and removal of virtual machines from a series of
V7.0
Introduction
Uempty
ESX servers. Review the following the diagram and bullet points for information about the solution.
You use the NSM interface to automate the provisioning of the physical switch in the data center.
VM3
VM1
VM2
VM1
ESX Server 3
VM2
ESX Server 2
VM1
ESX Server 1
99
78
99
34
78
22
VLANS
E
T
T
Port-channel 1
Port-channel 2
Port-channel 3
PHYSICAL SWITCH
There are three ESX servers in the data center rack. Each ESX server has four physical network
interface cards (NIC) to support the many virtual servers that are hosted on each physical server. In
this rack is a physical switch. By using a logical grouping of four ports from each server into a
port-channel, you share the bandwidth across all four of those ports. There is a one-to-one
relationship between the port-channel number and ESX server number.
As new virtual machines are added and removed; for example, adding VM1 on ESX Server 3, the
physical switch is configured to add a VLAN to support the new customer. For example, VLAN 22 is
created and added to Port-Channel 3.
Important: You must be familiar with the Tivoli Netcool Configuration Management software.
You must understand command sets and how to run them.
Student Exercises

Exercise 1. Reviewing VLAN command sets

An NSM service typically involves running one or more command sets on a device to add or delete
commands to enable or disable a feature. In this instance, you are using the following two
command sets to add and delete customer VLANs:
VLANAddCustomer: This command set adds a VLAN interface with the appropriate VLAN-ID
and network subnet, and adds this VLAN-ID to the appropriate port-channel interface.
VLANDeleteCustomer: This command set removes the VLAN interface and VLAN-ID from the
appropriate port-channel interface.
These two command sets eventually are associated to a service that can both create and delete the
customer VLAN from the switch.
E
T
T
To complete this exercise, perform the following steps:

1. Ensure that you are in the TOS41 virtual machine.
2. Log in to the Tivoli Netcool Configuration Manager application by double-clicking the ITNCM
Base icon.
3. When the login window opens, enter the user name engineer and the password object00.
Click Login.
10

V7.0
Uempty
4. In the Resource Browser, browse to the ITNCM > DataCenter > ServiceCommandSets realm
and select it. The realm has six command sets.
5. Right-click the VLANAddCustomer command set and select Edit. This action opens the
command set and displays the commands that are submitted to the device.
E
T
T
6. Review the text in the command set and note the items that are shown in the following example.
Close the editor after you complete your review.

Student Exercises
11

The following strings are parameters that you must define at run time:
$CUSTOMER-VLAN-ID$ = a VLAN ID number 1 - 1001
$CUSTOMER-NAME$ = a description to add to the interface
$IP-ADDRESS$ = the gateway address for the devices in the VLAN
$SUBNET-MASK$ = the subnet mask for the devices in the VLAN
$CHANNEL-NUMBER$ = the port-channel to add to the VLAN to
The command set creates a VLAN interface with a customer-specific VLAN-ID, a description,
and network information. It also adds this new VLAN to the correct port-channel interface based
on which ESX Server the virtual server is defined on.
E
T
T
7. Right-click VLANDeleteCustomer and select Edit. This action opens the command set and
displays the commands that are submitted to the device.
8. Review the text in the command set and note the items that are shown in the following example.
Close the editor after you complete your review.
12

V7.0
Exercise 2. Importing the data center switch
Uempty
The command set has similar parameters to the previous command set. This command set
removes the VLAN from the specified port-channel interface. It also deletes the specific VLAN
interface by deleting its subcommands and then the interface itself.
E
T
T

In the lab setup, you started the NSMDataCenter lab, which consists of the three ESX servers that
are connected to a Cisco IOS switch. In this exercise, you import this device into TNCM.
1. Ensure that you are logged in to the TNCM GUI as the engineer user.
2. Select the ITNCM > DataCenter realm.

Student Exercises
13

3. Select Tools > Discover from the main menu.
4. In the Enter Network Resource window, enter the host name DC-RACK01-SWITCH. Click
Next.
E
T
T
14

V7.0
Uempty
5. Leave the default settings on the Password Override, Execution Priority, and Schedule
Work by clicking Next on each window. Enter a description in the Describe Work pane and
click Finish.
E
T
T
6. Select the Work Currently Executing queue and monitor the progress of the unit of work.
The execution creates two units of work: Run Autodiscovery and Import Configuration. Select
the Work That is Finished queue to see the completed units of work. Switching between these

Student Exercises
15

views refreshes the display. Two completed units of work are in the Work That is Finished
queue. These units of work must be green before you start the next exercise.
E
T
T
16

V7.0
Exercise 3. Giving group rights to use the NSM interface
Uempty
Exercise 3. Giving group rights to use the NSM

interface
To use the NSM interface, the TNCM group that a user belongs to must have the correct activities
added to its capabilities. The following two activities are available for NSM use:
Service Management: With this activity, a group can access the NSM interface and submit
GET/POST/DELETE requests. This activity means that a user can select a service template
and run it against a device to either create or delete a service (that is, run one or more
command sets against it.)
Service Template Management: With this activity, a group can manage the templates that
define services. A template is an XML file that defines the parameters and command sets that
are run on a target device. With this privilege, a user can load the XML file into the database so
that the file can then be accessed and run on a device.
E
T
T
1. In the TOS41 VM, open the Firefox browser, type the following web location, and press Enter:
http://omnihost:7001
A Netcool Configuration Manager window opens.

Student Exercises
17

Exercise 3. Giving group rights to use the NSM interface
2. Enter the user name administrator and the password object00, and click Login.
E
T
T
3. Select the Account Management profile.
4. Select the engineering group.
18

V7.0
Exercise 4. Submitting GET calls to the interface
Uempty
5. Click the Activities tab.
6. Move the Service Management and Service Template Management activities from the
Activities list to the Authorized To list.
E
T
T
7. Click Save to save the changes to the group. You might have to scroll down to see the Save
button.

In this exercise, you use a REST utility that is available for Mozilla Firefox. You use this utility to
submit various calls to the Network Service Manager. The calls that you make to the client are like
calls from a northbound application. The steps in this exercise help you understand the nature of
the calls that are submitted to the interface and its responses.
Student Exercises
19

Note: In the NSM interface, you can select realms, devices, and services. You use only a small
subset of these calls in these examples. To see the complete list of supported commands, go to
the Tivoli Documentation Central web page at the following address:
https://www.ibm.com/developerworks/wikis/display/tivolidoccentral/Home
Find Tivoli Netcool Configuration Manager, and select the latest version 6.4 documentation. Under
the subtopic Reference, you find the Network Services Manager REST API Reference. In the
Understanding the Network Service Manager URIs section, you find the details of all the calls
that you can make to the NSM interface.
Note: To find the REST plug-in that is used for these exercises, search the Internet for
RESTClient.
E
T
T
Perform the following steps to complete this exercise:
1. Switch to the GNS3 VM to access the newer version of Firefox that is required for this lab.
20

V7.0
Uempty
2. Open Mozilla Firefox by double-clicking its icon on the GNS3 desktop.
3. To access the REST utility, click the small red icon in the upper right of the Firefox browser. A
new tab opens inside the browser.
E
T
T
Authentication credentials are associated with the HTTP calls that are made to the NSM interface.
These credentials are used to access the server.
4. Add authentication credentials by selecting Authentication > Basic Authentication.
You are prompted for a user name and password.

5. Enter the user name engineer and the password object00.

Student Exercises
21

6. Select the check box to Remember me and click Okay.

You are now ready to submit GET calls to the interface.
E
T
T
7. Use the NSM to retrieve a listing of realms by performing the following steps:
a. Ensure that the method is set to GET. Type into the URL field the following text and click
SEND:
http://omnihost:7001/nsm/realm
At the bottom of the Firefox window, (you might need to scroll down) is a response from the
server. The Response Headers tab is displayed, and a Status Code of 200 OK means the
22

V7.0
Uempty
server did not have an error.
E
T
T
b. Click the Response Body (RAW) tab and note the information that the NSM service
returns. The response is an XML document.
c. Click the Response Body (Highlight) tab and view a structured view of the XML data that
is returned from NSM. Review its contents. This data is a listing of all the realms that the

Student Exercises
23

user name engineer has the rights to view.
E
T
T
8. Retrieve a listing of devices by performing the following steps:
a. To retrieve the devices that the user engineer can access, type the following address in the
URL field and click SEND:
http://omnihost:7001/nsm/device
24

V7.0
Uempty
b. On the Response Body (Highlight) tab in the browser, scroll down and find the host
DC-RACK01-SWITCH that you imported. Note the ID for the device and record it for later
use.
E
T
T
Important: The ID number that is associated to the device is created at import time. Note this ID
because you use it later to submit a service against this device.
c. Type the following address in the URL field, and click SEND:
http://omnihost:7001/nsm/device/<ID>
d. View the data in the Response Body (Highlight) tab. Scroll down and notice the following
pieces of information that are returned from the NSM server:
Vendor, Type, Model, and Operating System of the device

Student Exercises
25

The realm that the device exists in

When and who last modified the device
E
T
T
9. Retrieve details about a device by performing the following steps:
a. To retrieve the current native configuration of a device, type the following address in the
URL field and click SEND:
http://omnihost:7001/nsm/device/<ID>/currentnativeconfiguration
26

V7.0
Uempty
b. View the data in the Response Body (Highlight) tab. Scroll down and view the device
configuration.
E
T
T
10. Retrieve available services by performing the following steps:
a. To retrieve all available services on the server, enter the following address in the URL field
and click SEND:
http://omnihost:7001/nsm/servicetemplate
b. Notice the two service templates that are returned when you view the results in the
Response Body (Highlight) tab.
Service templates can be vendor-specific and might be applicable only to certain types of devices.

Student Exercises
27

Exercise 5. Reviewing a service template
c. Type the following address in the URL field to return the templates that can be applied to the
DC-RACK01-SWITCH:
http://omnihost:7001/nsm/servicetemplate/deviceid/<ID>
d. Notice in the Response Body (Highlight) tab that only one of the two service templates is
returned. Only one is returned because the other template is designed for a different vendor.
E
T
T

Now, you are familiar with basic NSM calls to retrieve realms, devices, and templates. Next, you
add a service to the implementation. In this exercise, you review a service definition for creating a
customer VLAN, and associate it to the correct port-channel interface that is attached to the
physical ESX server.
A service definition is an XML document that defines the following properties:
A series of parameters: These parameters are initialized when an external application

instantiates the service template. These parameters are typically used as inputs into either
command sets or extractions.
A set of one or more implementations, where each implementation has the following
components:
28
Rules that define the vendor, type, model, and operating system that it can be applied to
A series of one or more command sets or extractions that are applied to a device to
CREATE or DELETE a service

V7.0
Uempty
Note: An extraction is a tool that searches the configuration of a device and retrieves data based
on the defined search criteria.
1. In the TOS41 virtual machine, open a terminal and enter the following command:
cd /home/netcool/nsm
E
T
T
2. Open the CISCO_VLAN_MANAGEMENT.xml file with the following command:

gedit CISCO_VLAN_MANAGEMENT.xml

Student Exercises
29

In the gedit window, you see the XML file that defines a service template.
E
T
T
3. Review this document to understand its structure. Perform the following steps:
a. Note the name and description of the service template.
30

V7.0
Uempty
b. Note the five parameters that are defined. These parameter names align with the two native
command sets that were reviewed earlier.
E
T
T
c. Scroll down and note the <implementations> portion of the XML tree. Ensure that there is
a single implementation and that it has a rule that filters on Cisco / Router / * / *.
Below the rules is the <serviceOperations> tree with a CREATE and a DELETE operation.
Each operation calls a different command set.

Student Exercises
31

d. Notice the parameters that are passed to each command set.
E
T
T
4. Close the gedit window by clicking the X in the upper right.
Note: After reviewing this XML file, you see how the service template links to command sets.
When this service is enabled in the next step, you use it to CREATE a service. By creating a
service, you run a command set to add VLAN commands to a device. Later, you DELETE that
service. This action runs a different command set to remove the specific VLAN information that
was added to create the service.
32

V7.0
Exercise 6. Installing the service template into NSM
Uempty
Exercise 6. Installing the service template into

NSM
After you create the service definition, you must install it in the NSM database. This insertion makes
the service template available for external applications to use. The template is installed with a
command-line utility that is available on the TNCM presentation server.
1. From a terminal window on the TOS41 virtual machine, enter the following command:
cd /opt/IBM/tivoli/netcool/ncm/bin/nsm
E
T
T
2. Display a listing of the files in this directory with the following command:
ls -la
You use the command-line utility nsmadmin.sh to run several actions that manage service
templates. The following actions are included:
Installing, copying, and deleting service templates
Disabling a service template to prevent its use
Exporting service templates to an XML file

Student Exercises
33

Exercise 6. Installing the service template into NSM
3. Install the VLAN_MANAGEMENT service template that was reviewed in Exercise 5,

"Reviewing a service template". Install it by using the following command:
./nsmadmin.sh command=create
filename=/home/netcool/nsm/CISCO_VLAN_MANAGEMENT.xml username=engineer
password=object00
E
T
T
The template is installed, and now has an ID number.

4. Note the service template ID number for later use.
34

V7.0
Exercise 7. Running the service definition
Uempty
5. Switch to the GNS3 virtual machine and use the RestClient to check the newly installed service
template. Enter the following URL and note the ID of the VLAN_MANAGEMENT service
template:
http://omnihost:7001/nsm/servicetemplate
6. View the Response Body (Highlight) tab. Note the VLAN_MANAGEMENT service template
and its associated ID number. Note the ID number. This value is used in Exercise 7, "Running
the service definition".
E
T
T

With the service now installed, you can run this service against a device. In the scenario at the
beginning of this lab, you are like a northbound application that is automating a cloud provisioning
solution. As the northbound application, you resemble a piece of software that is responsible for
configuring a network switch. You use this new service template to give the customer access to the
newly created cloud server by providing network access to the new server. To enable this server,
you must know which ESX server the virtual machine is being provisioned on. A preexisting

Student Exercises
35

numbering scheme aligns the ESX server number to the correct port-channel number on the switch
in the data center.
VM1
VM2
VM1
99
78
99
34
78
22
Server/Port-channel number
VM3
ESX Server 3
VM2
ESX Server 2
VM1
ESX Server 1
VLANS
E
T
T
Port-channel 1
Port-channel 2
Port-channel 3
PHYSICAL SWITCH
In this exercise, you CREATE a new service for a new customer and then DELETE that service
when it is no longer needed. To activate a service with the Network Service Manager, you need the
following information, which you noted in Exercise 6, "Installing the service template into NSM",
Step 6:
The Service Template ID
The Device ID
The values for the parameter data that you submit to the template
To create the service, you must go to the Mozilla browser that is in the GNS3 virtual machine.
1. Switch to the GNS3 VM. Open the Firefox browser, and start the RESTClient interface if it is not
already available.
36

V7.0
Uempty
Next, you retrieve a copy of the service template that aligns with the device that you want to apply it
to. Then, you can see which parameter values are required for creating your service.
2. Enter the following address into the URL field of the RESTClient and click SEND:
http://omnihost:7001/nsm/servicetemplate/<service-ID>/deviceid/<device-id>
In the Response Body (Highlight) tab, you see the template ID, device ID, and a list of all the
relevant parameters that are required to submit a service. This list is useful information when
you initially design your application to interact with NSM.
E
T
T
You use the previous template information to now POST (or create) a service. A POST statement
was saved in the RESTClient to prevent potential typing errors. To POST a service, you tell NSM
that you want to create a service and then define a body statement. The body statement is the
template that you retrieved with the defined parameter values. You must place parameter values in
the XML document where there are no defined values.

Student Exercises
37

3. Click the Favorite Requests menu in the RESTClient, and select Add Customer VLAN.
You can now see that the following information was added to the interface:
38
The method is set to POST.
The URL is pointing to service.
A header indicates the format of the body information.
A body reflects the previous template and includes values for the parameters.
E
T
T

V7.0
Uempty
4. Modify the template ID and the deviceID values to reflect the IDs that you noted in Exercise 6,
"Installing the service template into NSM", Step 6.
You can now submit the service to NSM.

5. Click Send.
6. Note the response that you receive in Response Body (Highlight). It has a service ID number
associated with it. You can use this ID to track its execution.
E
T
T
7. Change the Method to GET, and add the service ID to the URL. Click Send.

Student Exercises
39

8. Note the result in the Response Body (Highlight). The NSM interface reports the status of the
command set application. Occasionally, resend the same GET command until you receive a
success message.
E
T
T
9. Switch to the TOS41 virtual machine and look at the work in the Work That is Finished queue
for the engineer user. Note the two new units of work. You might have to refresh the window if
you are already in that view.
40

V7.0
Uempty
10. Right-click the unit of work that is the Request Type Service and click Log.
11. Note the details in the log about the creation and execution of the service.
E
T
T
Student Exercises
41

12. Browse to the DC-RACK01-SWITCH, select it, and look at the Configurations tab. Note the
new configuration that is associated with the device.
13. Press the Ctrl key and select both configurations. Right-click them and select Show
Differences.
E
T
T
42

V7.0
Uempty
14. Select Native View when prompted. Click Finish.
15. Note the changes to the configuration with the application of the new service.
E
T
T
Student Exercises
43

Exercise 8. Removing the service definition

In this exercise, you remove the service that you added to the device. You remove the definition by
referencing the service ID number that you received when the service was applied. You do not
need a body to delete a service. NSM caches the parameter information in the database when the
service is created. It uses that information to submit the correct values to the command set to
delete the service.
1. Return to the GNS3 virtual machine. In the RESTClient, you have the GET statement for
retrieving the status of the service that you created. Ensure that the service ID is the same.
E
T
T
2. To remove the service, change the Method from GET to DELETE.
3. Delete the data that is in the body, and click SEND.
44

V7.0
Uempty
On the Response Body (Highlight), you see that the status is Deleting.
4. Return to the TOS41 virtual machine. As the engineer user, look at the Work Currently
Executing queue to notice the Service unit of work and a new Native Command Set
execution. Refresh this queue until the units of work finish.
E
T
T
5. Browse to the DC-RACK01-SWITCH device and review the configurations.

A new configuration is added, including the naming convention for the configurations.

Student Exercises
45

6. Compare the Imported Configuration with the Native command set Modified Configuration
(VLANDeleteCustomer) by selecting the two configurations, right-clicking them, and selecting
Show Differences.
E
T
T
7. When prompted, select Native View and click Finish.
The configuration is restored to its previous state (that is, there are no differences).
8. Close the differences window.
46

V7.0
Uempty
E
T
T
Student Exercises
47
Native command sets with JavaScript

exercises
In these exercises, you use JavaScript in the configuration change templates in IBM Tivoli Netcool
Configuration Manager. Three main JavaScript classes are supported in this release of the
software.
After you complete these exercises, you should be able to perform these tasks:
Describe where JavaScript is used in the configuration change workflow
E
T
T
Describe the limitations of the JavaScript classes
Build simple command sets that use the included JavaScript classes
JavaScript is used with native command sets inside IBM Tivoli Netcool Configuration Manager.
There are two different types of native command sets:
Configuration Change: This type of native command set uses the standard configuration
change workflow that is configured by the resource access document. By default, this workflow
includes checking the configuration with the database, applying the change, and then retrieving
the final configuration to store in the database as the new current configuration for the device.
Interrogative: This native command set type assumes that you seek only the retrieval of
information from the device and want to append that data to the Unit of Work log. It does not
check the configuration before it is applied, nor does it retrieve it after the change is applied.
The main focus of these exercises is to use the JavaScript classes that are developed for IBM Tivoli
Netcool Configuration Manager.
Important: You create several JavaScript command sets in the exercises for this chapter. The
content for each of these scripts is saved in text files in the
/home/netcool/ClassFiles/JavaExamples/ directory of the TOS41 image.
48
V7.0
2 Native command sets with JavaScript exercises
Exercise setup
Uempty
Exercise setup
These exercises use a different network simulation. Use the following steps to open the
TNCMTraining-lab1.net simulation.
Starting the network simulator

1. In the GNS3 virtual machine, close the NSMDataCenter-lab window.
a. Click the GNS3 tab.
E
T
T
b. Close the NSMDataCenter-lab window. If you are prompted to save the current topology,
click No.

Student Exercises
49

Exercise setup
2. Double-click the TNCMTraining-lab1 icon on the desktop.
A lab is displayed in the GNS3 interface that has three routers that are connected to a single
switch.
E
T
T
3. Start the virtual lab by clicking the green arrow at the top of the GNS3 window.
50

V7.0
Exercise 1. Enabling Java packages
Uempty
The red nodes turn to green when the routers start. After the nodes turn green, they begin their
initialization process and are available for use in about one minute. The simulator is now ready
to use.
E
T
T
In this exercise, you configure IBM Tivoli Netcool Configuration Manager to allow the Java
packages and classes that the script example uses. These security features enable the use of Java
classes and packages for use in JavaScript. There are two separate properties where you define a
comma-delimited list of allowed packages and classes. When you run JavaScript and a Java class
or package is accessed, it checks to see whether the classes or packages are allowed. If they are
not, an error is generated and noted in the task log.

Student Exercises
51

To complete this exercise, perform the following tasks:

1. Log in to the IBM Tivoli Netcool Configuration Manager user interface.
a. Double-click the ITNCM Base icon on the desktop.
b. Enter the user name shemp and the password object00.
E
T
T
2. Allow the java.lang package.
a. Click Systems Manager in the navigation menu on the left.
52

V7.0
Uempty
b. Click Tools > System Properties at the top of the user interface window.
E
T
T
c. Scroll down to the Scripting - Packages allowed in a script property. Enter java.lang into
the Value field. Click Update.
d. Click Close in the System Properties window.

Student Exercises
53

Exercise 2. Synchronizing devices

In this exercise, you verify that the devices that you work with are synchronized with the database.
1. In the Resource Browser, find the ITNCM > edge-network > customer_AA realm. Use the Ctrl
key to select all three devices. Right-click the devices and click Synchronize. These devices
are used for the remaining exercises.
E
T
T
A Configuration Synchronization wizard opens. In the Select Network Resources window, you
see that all thee devices are selected in the right pane.
2. Click Next.
3. Accept the default values in the Configure Failure window. Click Next.
4. Accept the default values in the Password Override window. Click Next.
5. Accept the default values in the Execution Priority window. Click Next.
54

V7.0
Uempty
6. Select Synchronize from Network Resource to ITNCM in the Configuration Synchronization

window. Click Next.
7. Leave the Schedule Work option set to the default value of Immediate. Click Next.
8. Type a description in the Describe Work field. Click Finish.
9. Close the confirmation window and browse to the Work Currently Executing queue in the
Queue Manager. Click the refresh icon every 10 - 20 seconds to refresh the view. After the unit
of work is no longer in the Work Currently Executing queue, select Work That is Finished
and verify that it completed successfully.
E
T
T

Student Exercises
55

Exercise 3. Creating a simple JavaScript native command set
Important: The unit of work must complete successfully before you can proceed to the following
exercises. If it is not successful, try the following options:
If the unit of work returns with a partial success and one or two of the devices failed to
synchronize, requeue the unit of work and try it again before further troubleshooting.
Ensure that the GNS3 virtual machine has the GNS3 application running and the lab is started.
If the GNS3 application is running, go to the TOS41 virtual machine and manually telnet to one
of the routers. Open a terminal session and telnet to 10.191.101.71. If you get a Cisco login
prompt, then the IBM Tivoli Netcool Configuration Manager server can connect to the routers.
Investigate the unit of work log by right-clicking it and viewing the log.
If you cannot connect to the router from the TOS41 image, then either the host operating
system was not placed in promiscuous mode or the interfaces are incorrectly configured.
E
T
T
Exercise 3. Creating a simple JavaScript native

command set
In this exercise, you use the execute() function, which encapsulates the JavaScript that is used in
the native command set. It must return a true or false value to the configuration manager workflow.
A return value of false causes the unit of work to fail. If a return value is not explicitly defined, the
default result is true.
You also learn about the DeviceInterface class. This particular class has the following three
methods that can be called in the script:
public void setLogger(ScriptLogger logger): You do not typically call this method, because
the workflow script processor calls it, passing in the ScriptLogger instance.
public String send(String command): This method sends a command to the target device
through the comms driver for that particular VTMOS. It returns the response from the device.
public String send(String command, String respRegExp): This method sends a command
to the target device and extracts a string from the device response that is based upon the
regular expression respRegExp.
56

V7.0
Uempty
This exercise uses the send method to apply a trivial change to a Cisco router and review its
results. Perform the following steps:
1. Create a native command set in the customer_AA realm. Select the customer_AA realm, and
then click File > New > Native Command Set.
2. Enter the following values in the Name, and the Vendor, Type, Model, and OS (VTMOS) fields.
E
T
T
3. After the native command set is created, right-click it and select Edit.
After the native command set opens, you must determine the type of native command set to create.
Because you apply a change to the device, you must select Configuration Change, which is the

Student Exercises
57

default value. This type of native command set ensures that configurations are checked before the
change, and synchronized after it.
Begin defining the JavaScript. A key aspect of defining this type of native command set is using the
//#js tag in the first line of the native command set. This tag indicates to IBM Tivoli Netcool
Configuration Manager that the following text is JavaScript and not device syntax.
4. Type //#js.
E
T
T
5. Define the execute() function. You must pass into the execute function the scriptLogger,
deviceInterface, systemInterface classes. Type the following characters:
//#js
function execute(scriptLogger,deviceInterface,systemInterface){
return true;
}
Notice the location of the curly brackets and the parentheses. Another important aspect of this
function is that it returns true. The workflow requires that the execute function returns a true or
false response.
Note: The three classes scriptLogger, deviceInterface, and systemInterface must all be
passed in to the execute() function in the correct order as part of the Java implementation. This
implementation is the one that you are currently using for scripting. Each class is described in
upcoming exercises.
58

V7.0
Uempty
In this next step, you define the commands that are submitted to the device. You use the
deviceInterface.send method to submit strings to the device that the native command set is
applied to.
6. Add the following commands to the native command set and save it. You can also cut and paste
commands into the native command set.
//#js
deviceInterface.send("config t");
deviceInterface.send("int FastEthernet1/0");
deviceInterface.send("desc This is an Interface Description");
deviceInterface.send("\x1A");
return true;
}
When you are done, close the command set.
E
T
T
Important: Even though you use a Configuration Change native command set type, the
workflow does not place you into the configuration mode automatically. You must explicitly enter
and exit the configuration mode for the workflow to run correctly. Notice the config t step to place
you into the Cisco configuration mode and the \x1A step, which exits the configuration mode. The
\x1A is the ASCII characters for a CTRL-Z, which for a Cisco device, exits you completely from
configuration mode.

Student Exercises
59

7. Run this command set against the AA-03-ROUTER-3640 router. Select both the command set
and the device while you press the Ctrl key. Select both items, right-click them, and select
Apply Native Command Set.
E
T
T
The Apply Native Command Set wizard opens.
8. Because you selected both a device and the command set (conveniently because they are in
the same realm), you can click Next in each window of the wizard until you reach the Describe
Work window. Type a description in the window and click Finished.
9. Browse to the Work Currently Executing queue and monitor the unit of work progress by
clicking the refresh icon until the unit of work leaves the queue. When it is done, select the
Work That is Finished queue. Determine that the unit of work is successful.
10. Select the completed unit of work and right-click it. Click Log.
60

V7.0
Uempty
11. Double-click the device to view the Work log. Scroll down past halfway and notice the log
messages. Each command and its results are highlighted in the following example. The last
command, which was the CTRL-Z character, is not recorded.
E
T
T
Note: If the script failed, a Mozilla error is captured in the unit of work log. If that is the case,
carefully check the syntax that you typed into the command set. Verify that you have curly
brackets and parentheses in the correct locations. Also, carefully check that the quotation marks in
the commands are of the correct type. Rerun the command set if there are problems.

Student Exercises
61

12. As a final check, open the current configuration of the device that the unit of work was
processed on and look at the description on the FastEthernet 1/0 interface.
E
T
T
In the next step, you add parameter markup to the native command set.
13. Return to the native command set that was created, right-click it, and select Edit.
62

V7.0
Uempty
14. When the command set editor opens, use the $ delimiters that are used in a typical native
command set to denote a parameter. The description parameter has a default argument that is
defined with the equal sign (=) character. Save your changes to this command set.
//#js
deviceInterface.send("config t");
deviceInterface.send("int $int_type$ $int_number$");
deviceInterface.send("desc $int_description=This is a description$");
deviceInterface.send("\x1A");
return true;
}
E
T
T
15. Select the newly saved native command set and the device AA-03-ROUTER-3640 with the Ctrl
key. Select both items, right-click them, and select Apply Native Command Set. This time, you
are prompted to enter parameters. Click Next when you reach the first Enter Parameters
window.

Student Exercises
63

16. Enter the following values. Ensure that the spelling of the parameter values is correct.
int_number = 0/0
int_type = FastEthernet
int_description = <enter any text>
E
T
T
17. Click Next through the remaining windows of the wizard and submit the Unit of Work. The
parameters are replaced by the user-supplied data before the JavaScript is processed. Browse
to the Work That is Finished or Work Currently Executing queue and refresh the view until
64

V7.0
Uempty
the unit of work is finished. Review the log and verify that the commands are processed
successfully. Review the current configuration on AA-03-ROUTER-3640 to note the changes.
E
T
T
Student Exercises
65

Exercise 4. Adding logging messages to JavaScript and capturing errors
Exercise 4. Adding logging messages to

JavaScript and capturing errors
In this exercise, you learn about the ScriptLogger class. The ScriptLogger interface contains the
following two useful public methods:
public void info(String msg): The msg argument is entered into the unit of work log.
public void error(String msg, Exception e): The msg argument is entered into the unit of
work log; however, the error method requires a Java Exception type, not a JavaScript error
type. To use the error method, you must either catch a Java exception in your script or you
must create a Java exception from a JavaScript error.
The concept of an error in JavaScript is an important topic and must be reviewed in the white paper
titled, IBM Tivoli Netcool Configuration Manager: Scripting Native Command Sets. This exercise is
a synopsis of what is covered in that document. The errors that are captured in the JavaScript do
not generate errors in the Unit of Work as you might expect.
E
T
T
Perform the following steps:
1. Create a copy of the JavaScript-add-description command set. Select the

JavaScript-add-description command set, and click Edit > Copy Command Set.
2. Right-click the copy of the command set and click Rename. Enter
JavaScript-add-description-with-logging as the name.
66

V7.0
Uempty
3. Edit this copied command set with the new commands noted in the following example. You
added a variable that called cmdResp because the deviceInterface.send method returns a
response from the device. You associate that response to the cmdResp variable and then
include it in the unit of work log. You can cut and paste the following commands into the native
command set. Save these changes.
//#js
var cmdResp = "";
scriptLogger.info("------ Begin the JavaScript Execution ------")
cmdResp = deviceInterface.send("config t");
scriptLogger.info("+++++The response from the device is: " + cmdResp +
"+++++");
cmdResp = deviceInterface.send("int $int_type$ $int_number$");
scriptLogger.info("+++++The response from the device is:" + cmdResp +
"+++++");
cmdResp = deviceInterface.send("desc $int_description=This is a
description$");
"+++++");
cmdResp = deviceInterface.send("\x1A");
"+++++");
scriptLogger.info("------ End the JavaScript Execution ------")
return true;
}
E
T
T

Student Exercises
67

4. Select the new native command set and the device AA-01-ROUTER-3640. Right-click them
and select Apply Native Command Set. When you are prompted for parameter values, enter
the following text:
int_number = 1/0
int_type = FastEthernet
int_description = This is a logging description
5. Complete the final steps to submit the unit of work. Follow its progress in the Queue Manager.
6. When the unit of work is complete, review the unit of work log and note the following changes
that are highlighted in this example. As you can see, the responses that the scriptLogger
captures (the strings between the +++++ marks) contain both what is sent to the device and
what is returned.
E
T
T
68

V7.0
Uempty Creating
an error when applying commands
7. Rerun the native command set to cause an intentional failure. Select the AA-01-ROUTER-3640
router and the command set. Right-click them and select Apply Native Command Set. When
you are prompted to fill out the parameters, use the following values:
int_number = 1/0
int_type = Serial
int_description = This is a description that will fail
8. Complete the final steps to submit the unit of work. Follow its progress in the Queue Manager.
The device does not have a serial interface and cannot configure a description on one.
9. After the unit of work is complete, review the unit of work log and notice the error that the invalid
command causes.
E
T
T
Student Exercises
69

The key idea is that errors inside a JavaScript call do not pass into the unit of work and task log.
Capturing JavaScript errors

10. To capture the JavaScript error and ensure that the task understands why to fail the unit of
work, you must return a false value after you get an error in the script. When you use a try-catch
block, the error in the JavaScript can be acted upon. Create a copy of the
JavaScript-add-description-with-logging native command set and rename the copy to
JavaScript-add-description-with-try-catch.
E
T
T
70

V7.0
Uempty
11. Edit it by using the following script:

//#js
var cmdResp = "";
try {
scriptLogger.info("------ Begin the JavaScript Execution ------");
"+++++");
"+++++");
description$");
"+++++");
"+++++");
scriptLogger.info("------ End the JavaScript Execution ------");
return true;
} catch(e) {
scriptLogger.info("Error occurred sending commands to devices");
return false;
}
i}
E
T
T

Student Exercises
71

12. Apply the JavaScript-add-description-with-try-catch native command set on the

AA-01-ROUTER-3640 router with the values that cause the configuration change to fail. When
prompted to fill out the parameters, use the following values:
int_number = 1/0
int_type = Serial
13. When the unit of work is complete, notice that the unit of work was a failure. Review the unit of
work log and look at the error that the invalid command causes. Look at the scriptLogger
message that was added when the JavaScript error was captured.
E
T
T
72

V7.0
Uempty Capturing
specific JavaScript error and stopping

command processing
This final error-handling script addresses interesting behavior. The previous script contains a
try-catch block that is intended to return false when an error occurs while communicating with the
device. However, the interactions between the script and the error detection in the underlying
comms handler do not have the results that you might expect. For instance, if a nonexistent
interface is specified (for example, int Serial 1/0), the script does not exit immediately. A user might
expect it to exit as a direct result of errors that are returned from the device (for example, the error
string Invalid). However, the script exited because of a side effect of the comms handler
processing of errors. The script tries to process CLI commands that are not valid for the current
state of the device (for example, putting a description on an interface even though you are not in the
interface submenu).
E
T
T
Student Exercises
73

To improve error detection, you use the behavior that causes the deviceInterface.send method to
return an empty string upon encountering a device error. For example, in the previous unit of work,
nothing was returned when the int Serial 1/0 command was sent to the device.
E
T
T
14. Using the empty string response, you check each command application to see whether it was
successful. If not successful, immediately drop it into the catch block. Create a copy of the
JavaScript-add-description-with-try-catch native command set and rename it to
JavaScript-add-description-with-error-checks. Edit it by using the following script. Note the
following aspects of this script:
74
Notice IF/THROW statements with command-specific error statements.
The cmdResp is reset to null after each successful command application.
This script uses the other scriptLogger method called error. To use the error method, a Java
error type instead of JavaScript error type must be defined. That method is the reason for

V7.0
Uempty
importing the java.langException class and casting the JavaScript error into a Java error
inside the catch block.
//#js
importClass(java.lang.Exception);
var cmdResp = "";
try {
"+++++");
if (cmdResp == "") {
throw (new Error("Device response was empty, possible config t
error"));
}
cmdResp = null;
"+++++");
throw (new Error("Device response was empty, possible interface
error"));
}
cmdResp = null;
description$");
"+++++");
throw (new Error("Device response was empty, possible description
error"));
}
cmdResp = null;
"+++++");
throw (new Error("Device response was empty, possible exit error"));
}
return true;
} catch(e) {
E
T
T

Student Exercises
75

var excep = new java.lang.Exception(e.message);

scriptLogger.error("Error occurred sending script commands to device",
excep);
return false;
}
}
E
T
T
15. Apply the JavaScript-add-description-with-error-checks native command set on the
AA-01-ROUTER-3640 router with values that cause the unit of work to fail. When prompted to
fill out the parameters, use the following values:
int_number = 1/0
int_type = Serial
When the unit of work is complete, the unit of work failed.
76

V7.0
Uempty
16. Review the unit of work log and note the error that is caused by the invalid command and the
error message that it generated.
E
T
T
Student Exercises
77

Exercise 5. Using system commands in scripts

In this exercise, you learn about the SystemInterface class. The SystemInterface class contains
the following three public methods of interest:
public void setLogger(ScriptLogger logger): You do not typically call this method, because
the workflow script processor calls it, passing in the ScriptLogger instance.
public void executeSystemCommand(String shellName, String shellArgs, String
command): This method runs the command on the operating system of the worker server with
the specified shell, shell arguments, and command. Then, the method returns the response.
public void executeSystemCommand(String shellName, String shellArgs, String
command, String responseRegExp): This method is the same as the previous method,
except that a regular expression is used to extract and return a string from the system
command response.
E
T
T
This exercise uses the executeSystemCommand method to process a ping statement for testing
the assignment of loopback addresses on individual routers. The concept is that a loopback
address is applied to a router. Before applying the change, the address is pinged to see whether it
is already assigned to another device. If the ping is successful, then the command set script is
failed. This example also uses the responseRegExp argument to search for a specific string in the
response.
1. Create a simple script that pings an IP address four times. Name the script ping-script.sh and
save it in the /home/netcool/ClassFiles/Scripts/ directory. Change permissions on the file to
allow the script to be executable.
a. Change to the /home/netcool/ClassFiles/Scripts/ directory.
cd /home/netcool/ClassFiles/Scripts/
b. Use vi to create a text file named ping-script.sh.
vi ping-script.sh
c. Add the following lines in the file. Save and quit the file.
#!/bin/sh
/bin/ping -c 4 $1
d. Change permissions on the ping-script.sh file to allow the script to be executable.
chmod 777 ping-script.sh
78

V7.0
Uempty
2. Run the checksum tool to calculate the checksum value.

a. Run the following command. Note the value of the checksum.
icosutil CalculateChecksum ping-script.sh
Checksum is: 0ac2c6ece0c0a16bfbfa0a9425aba2873e8e9a0281e88049067e28554e1ede86
b. Open the file named ping-script.sh.chksum with the more command. Notice that the
value of the checksum is saved in this file.
more ping-script.sh.chksum
0ac2c6ece0c0a16bfbfa0a9425aba2873e8e9a0281e88049067e28554e1ede86
3. Create a native command set in the same realm named JavaScript-add-loopback by copying
and renaming one of the existing native command sets. In this native command set, you send to
the worker server operating system the command to ping a particular IP address (which is a
parameter in this example.) You use the same try-catch block that was used in the previous
exercise. Copy and paste the script into the command set. Replace the checksum value in the
E
T
T
Student Exercises
79

script with the checksum value that you received from the tool. Some lines in the example are
wrapped to fit the page. Use the following script:
//#js
function execute(scriptAuditLogger,deviceInterface,systemInterface){
var cmdResp = "";
try {
scriptAuditLogger.info("------ Begin the JavaScript Execution ------");
cmdResp = systemInterface.executeSystemCommand("/bin/sh",
"-c",
"/home/netcool/ClassFiles/Scripts/ping-script.sh $ip-address=10.191.101.73$",
"0ac2c6ece0c0a16bfbfa0a9425aba2873e8e9a0281e88049067e28554e1ede86");
scriptAuditLogger.info("\n------ BEGIN OUTPUT OF SYSTEM COMMAND ------\n\n"
+ cmdResp +
"\n ------ END OUTPUT OF SYSTEM COMMAND ------\n");
scriptAuditLogger.info("------ End the JavaScript Execution ------");
return true;
} catch(e) {
scriptAuditLogger.error("Error occurred sending script commands to
device", excep);
scriptAuditLogger.info("------ End the JavaScript Execution with Error
------");
return false;
}
}
E
T
T
80

V7.0
Uempty
E
T
T
Notice the arguments that are in the executeSystemCommand method. The first argument is
the shell to use for the system command, and the second argument is for the shell. The third
argument is the command to be processed on the worker server, and the fourth is the
checksum value. The command runs as the user who started the IBM Tivoli Netcool
Configuration Manager server processes (typically icosuser or netcool). Also, note the lines that
make the unit of work log more readable. Save the command set when you finish.
4. Apply the JavaScript-add-loopback native command set to the AA-03-ROUTER-3640 by
using the default loopback-IP address. When the unit of work is finished, note the unit of work
log and the ping results.

Student Exercises
81

5. Determine how the command set responds to the ping results. In this example, if a ping is
successful, then the IP address is in use and makes it an unacceptable address for a loopback.
If you receive a successful ping, then the script must exit at that point and not move forward
with the creation of the loopback interface. The successful response from the device is as
follows:
PING 10.191.101.73 (10.191.101.73) 56(84) bytes
64 bytes from 10.191.101.73: icmp_seq=1 ttl=255
of data.
time=4.98
time=7.91
time=6.26
time=4.13
ms
ms
ms
ms
--- 10.191.101.73 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 3012ms
rtt min/avg/max/mdev = 4.133/5.823/7.911/1.424 ms
E
T
T
If you search through this text, you can see the number of packets received. If the number of
packets is 1 - 4 (because only four packets are sent), then a device responded to the ping.
However, this action assumes that IP address is pingable. Two other situations when the IP
address is not pingable are as follows:
PING 192.168.10.55 (192.168.10.55) 56(84) bytes of data.
--- 192.168.10.55 ping statistics --4 packets transmitted, 0 received, 100% packet loss, time 3000ms
and
icosuser@itncm:~> ping -c 4 192.168.12.17

PING 192.168.12.17 (192.168.12.17) 56(84)
From 10.191.101.52 icmp_seq=2 Destination
bytes of data.
Host Unreachable
Host Unreachable
Host Unreachable
--- 192.168.12.17 ping statistics --4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms
pipe 3
Both of these situations responded with 0 received.
In this situation, you design the search to look for 1 or more packets received. Using this idea, you
can generate the following regular expression to search through the returned text:
([1-4] received)
If this regular expression matches the data that is returned from the system command, then the unit
of work task must be failed immediately.
82

V7.0
Uempty
Important: Your responsibility is to determine all realistic failure scenarios and have the script
account for them.
6. Modify the JavaScript-add-loopback native command set to include the regular expression
argument for the executeSystemCommand method.
//#js
var cmdResp = "";
try {
cmdResp = systemInterface.executeSystemCommand("/bin/bash","-c",
"/bin/ping -c 4 $loopback-IP=192.168.10.17$","([1-4] received)");
scriptLogger.info("\n+++++ Begin system response ++++++\n"
+ cmdResp +
"\n+++++ End system response +++++");
return true;
} catch(e) {
scriptLogger.error("Error occurred sending script commands to device",
excep);
scriptLogger.info("------ End the JavaScript Execution with Error
------");
return false;
}
}
E
T
T
7. After modifying the JavaScript-add-loopback native command set, apply it on the

AA-03-ROUTER-3640 device. Apply it twice: once with the default loopback-IP address
10.191.101.73, and the second time with a loopback-IP address of 10.191.101.199. This

Student Exercises
83

second address does not return a ping. After they are both complete, review the unit of work
logs.
E
T
T
As you can see with these two logs, if a match is made with the system output, the match is
captured in the log. However, if no match is made, a null is returned.
Using these two different results, you can use an IF block to apply the loopback interface when a
null is returned from the executeSystemCommand. If a non-null result is returned, then the unit of
work fails with a message that the IP address is in use. The script in Step 8 uses this IF block.
84

V7.0
Uempty
8. Modify the JavaScript-add-loopback native command set with the following script. Notice that
this script is like the examples in previous exercises. Copy and paste the following script into
the command set:
//#js
function execute(scriptAuditLogger,deviceInterface,systemInterface){
var cmdResp = "";
try {
scriptAuditLogger.info("------ Begin the JavaScript Execution ------");
cmdResp = systemInterface.executeSystemCommand("/bin/sh",
"-c",
"/home/netcool/ClassFiles/Scripts/ping-script.sh $ip-address=10.191.101.73$",
"([1-4] received)",
E
T
T
"0ac2c6ece0c0a16bfbfa0a9425aba2873e8e9a0281e88049067e28554e1ede86");
scriptAuditLogger.info("\n------ BEGIN OUTPUT OF SYSTEM COMMAND ------\n\n"
+ cmdResp +
"\n ------ END OUTPUT OF SYSTEM COMMAND ------\n");
if (cmdResp == null) {
throw (new Error("Device response was empty, possible config t
error"));
}
cmdResp = null;
cmdResp = deviceInterface.send("int loopback 0");
throw (new Error("Device response was empty, possible interface
error"));
}
cmdResp = null;
cmdResp = deviceInterface.send("ip address
$ip-address=10.191.101.73$ $subnet-mask=255.255.255.255$");
throw (new Error("Device response was empty, possible ip address
error"));
}
cmdResp = null;
Student Exercises
85

throw (new Error("Device response was empty, possible exit

error"));
}
cmdResp = null;
cmdResp = deviceInterface.send("copy run start\r\r");
throw (new Error("Device response was empty, possible copy run
start error"));
}
}
else {
throw (new Error("The ping of Loopback IP
$ip-address=10.191.101.73$ shows it is in use"));
}
scriptAuditLogger.info("\n+++++ Successfully applied Loopback 0
interface +++++\n");
scriptAuditLogger.info("------ End the JavaScript Execution ------");
return true;
} catch(e) {
scriptAuditLogger.error("Error occurred during scripting operations",
excep);
scriptAuditLogger.info("------ End the JavaScript Execution with Error
-i-----");
return false;
}
}
E
T
T
Note: This script includes a copy run start command after exiting the configuration mode. This
step is required because the JavaScript process preempts typical configuration change application
steps that include the saving of the running configuration. The script includes two carriage returns
to indicate that the command is interactive. Submitting a copy run start command verifies
whether the startup configuration can be overwritten.
86

V7.0
Uempty
9. Apply the newly edited JavaScript-add-loopback native command set to the

AA-03-ROUTER-3640 router. The AA-01-ROUTER-3640 and AA-02-ROUTER-3640 already
have loopback interfaces that are defined on IP addresses of 192.168.10.23 and
192.168.10.17. Apply the command set twice. First, use the parameters (which are the default
values):
loopback-IP = 192.168.10.17
subnet-mask = 255.255.255.255
Apply it again with these parameters:
loopback-IP = 192.168.10.55
subnet-mask = 255.255.255.255
The first unit of work fails because the IP address is in use on AA-02-ROUTER-3640.
E
T
T
Student Exercises
87

The second unit of work is successful because IP address 192.168.10.55 is not in use.
E
T
T
88

V7.0
Uempty
10. Review the device configuration of AA-03-ROUTER-3640 after the second unit of work is
finished. The loopback interface is configured with an IP address.
E
T
T
Student Exercises
89
JavaScript compliance exercises

These exercises demonstrate how to use JavaScript in IBM Tivoli Netcool Configuration Manager
compliance policies. You can use JavaScript as a tool to help determine whether a managed device
meets compliance policy.
You can use JavaScript for compliance policies in these objects:
Parameterization: You use JavaScript to create one or more parameter values that can be
used in a definition. The JavaScript has access to both internal and external data structures.
For example, the JavaScript can interrogate an external data source to retrieve values that are
used in a definition.
E
T
T
Definitions: A definition can use JavaScript to determine whether a device is compliant or not.
Like a traditional definition that interrogates a configuration either through regular expressions
or XPaths, the JavaScript definition returns a true or false based on its analysis of the device.
The analysis is not limited to the configuration of a device but can use external data sources to
ensure compliance.
In these lab exercises, you develop these JavaScript structures. You do not learn how to use
JavaScript; you use an external testing utility for easier JavaScript development.
90
V7.0
3 JavaScript compliance exercises
Exercise setup
Uempty
Exercise setup
These exercises use a different network simulation. Use the following steps to open the
RouterSim-lab1.net simulation.
Starting the network simulator

1. In the GNS3 virtual machine, close the TNCMTraining-lab1.net lab window.
a. Click the GNS3 tab.
E
T
T
Student Exercises
91

Exercise setup
b. Close the TNCMTraining-lab1.net window. If you are prompted to save the current topology,
click No.
E
T
T
2. Double-click the RouterSim-lab1 icon on the desktop.
92

V7.0
Exercise setup
Uempty
A lab is displayed in the GNS3 interface that is simulating 15 routers.
E
T
T
3. Start the virtual lab by clicking the green arrow at the top of the GNS3 window. The red nodes
turn to green when the routers start. After the nodes turn green, they begin their initialization
process and are available for use in about one minute. The simulator is now ready to use.

Student Exercises
93

Exercise 1. JavaScript parameter example

In this exercise, you use JavaScript to create a Compliance Manager script parameter. When you
develop policy structures in Compliance Manager, one of the objects that you create is a definition.
A definition is a data structure that analyzes a section of text and determines whether the data in
the text meets specific criteria. A definition returns the Boolean value of either True or False. A
definition typically contains one or more regular expressions or XPaths. XPaths are used for
definitions that search an XML representation of a configuration. These regular expressions and
XPaths are used to make the true or false determination. Often, the definition is generic and can be
used in one or more domains (for example, customers, networks, or organizations). You can also
use parameters for portions of the data that the definition uses.
Compliance Manager defines a series of parameter types that can be used inside a definition. The
following parameter types are used in compliance definitions:
E
T
T
Local parameter: A local parameter is one that is local to a running process. A local parameter
can have only one value. When a policy has a local parameter defined, the value can be
different for every process that has that policy defined in it. For example, the syslog server
policy has different values between core and edge networks. If there is a core process and
edge process that is configured in Compliance Manager, each parameter can be addressed
differently.
Global parameter: A global parameter is a value that is defined for a policy realm. A global
parameter can have only one value. It is a system-level value and cannot be different between
two running processes. It is also associated to a policy realm. When policy realms are used to
distinguish between customers, you can employ security so that customers can view only their
own parameter values.
Group parameter: A group parameter shares many of the features of a global parameter; that
is, it is a system-level value that is associated to specific policy realms. However, it can have
one or more values that are associated to it. Because it is a list of one or more values, an
evaluation in a definition can be tried one or more times. In this case, the evaluation criteria
supports Match All, Match Any, Match None, Match One, or Match Specific Number. The group
parameter has a user-defined list of values that can change only by modification from an
authorized user.
Extraction: An extraction is somewhat like a group parameter in that it can have one or more
values. An extraction can have a set of matching criteria like the group parameter. However, an
extraction is a parameter that obtains a list of values by analyzing text data and extracting one
or more values from that text with search criteria. It gets its list of values at execution time, and
the list of values might change between each device that is analyzed. The extraction is limited
to evaluating either the configuration of the device (native or modeled) or show commands
from the device.
94

V7.0
Uempty
Script parameter: A JavaScript parameter is like an extraction parameter in the following ways:
It can return one or more values.
It can use the Match All, Match Any, Match None, Match One, or Match Specific Number
criteria when implemented in an evaluation.
The list of values it generates is defined at run time when a policy analyzes the device.
It is defined at the system level and is associated to a policy realm.
The JavaScript parameter is unique in that it has the flexibility to access both internal and
external resources that are associated with the device being analyzed. With JavaScript, you
can access both external databases and applications, and internal data like the device
configuration. A JavaScript parameter returns either a single item or a list of items.
A JavaScript parameter has these requirements:
The function must be called calculate.
The function must return either a single value or an ArrayList of values (not an array).
E
T
T
In this exercise, you compare the loopback address that is configured in the device configuration
with the address in a database of record. The database of record is a table that has management
data for each device, like the following example.
You use a JavaScript parameter to access this database and retrieve the defined loopback
address. You then use that value to compare it against the loopback addresses that are configured
on the device. If the database entry does not match the device configuration, then the device is
considered noncompliant. The script that you use in the parameter is created for you.
1. View the contents of the script to understand how it works.
a. Change to the /home/netcool/ClassFiles/JavaExamples directory.
cd /home/netcool/ClassFiles/JavaExamples

Student Exercises
95

b. Open the file named databaseLoopbackAddressValue.js with the more command.

more databaseLoopbackAddressValue.js
2. Look at the contents of the file. Notice the following sections of the script. This simple script
begins by setting up the required classes to connect to the database. Next, it makes an SQL
query to the database to retrieve the loopback address for the device that is in the database of
record, which is DEVICE_MGT_INFORMATION. It uses the helper method
helper.getDeviceName() to obtain the network resource name from IBM Tivoli Netcool
Configuration Manager, and uses the name to find the correct row in the database. It fetches
E
T
T
96

V7.0
Uempty
the loopback address from that row and saves it in the loopbackIP variable. This loopback
address is used in the compliance evaluation. Finally, the script closes output streams.
function calculate(helper){
//importClass(java.util.Properties);
importClass(java.sql.Connection);
importClass(java.sql.DriverManager);
importClass(java.sql.Statement);
//importClass(java.net.URLClassLoader);
//importClass(java.lang.ClassLoader);
//importClass(java.net.URL);
importClass(java.lang.Class);
//importClass(java.lang.Thread);
//importClass(java.util.ArrayList);
//importClass(java.util.AbstractCollection);
importClass(Packages.com.ibm.db2.jcc.DB2Driver);
E
T
T
var loopbackIP = "";
var dbUrl="jdbc:db2://omnihost:50001/MGMT_IPS";
var user = "db2inst1";
var pw = "object00";
// Load the driver
Class.forName("com.ibm.db2.jcc.DB2Driver");
// Create the connection using the IBM Data Server Driver for JDBC and SQLJ
con = DriverManager.getConnection (dbUrl, user, pw);
// Commit changes manually
con.setAutoCommit(false);
// Create the Statement
stmt = con.createStatement();
var hostname = helper.getDeviceName();
resultSet = stmt.executeQuery("SELECT LOOPBACK FROM DEVICE_MGT_INFORMATION
WHERE HOSTNAME = " + "'" + hostname + "'");
while (resultSet.next()) {
loopbackIP = resultSet.getString("LOOPBACK");
}
{
return loopbackIP;
Student Exercises
97

Exercise 2. Enabling Java packages and classes
// Close the ResultSet

rs.close();
// Close the Statement
stmt.close();
// Connection must be on a unit-of-work boundary to allow close
con.commit();
// Close the connection
con.close();
}
}
E
T
T

In this exercise, you configure IBM Tivoli Netcool Configuration Manager to use the Java packages
and classes in the script example. These security features enable the use of Java classes and
packages for use in a script. In two separate properties, you define a comma-delimited list of
allowed packages and classes. When a script is run and a Java class or package is accessed, the
script checks to see whether the classes or packages are allowed. If they are not, an error is
generated and noted in the task log.
1. Log in to the IBM Tivoli Netcool Configuration Manager user interface.
a. Double-click the ITNCM Base icon on the desktop.
98

V7.0
Uempty
2. Allow the following packages. The java.lang package might exist because of a preceding
exercise.
java.sql
java.io
java.lang
com.ibm.db2.jcc
java.util
com.ibm.db2.jcc.t4
com.ibm.db2.jcc.am
To allow the packages, you perform the following steps:

a. Click Systems Manager in the navigation menu on the left.
E
T
T
Student Exercises
99

b. Click Tools > System Properties at the top of the user interface window.
E
T
T
c. Scroll down to the Scripting - Packages allowed in a script property. Enter the following
package names, separated by a comma, into the Value field. Click Update and leave the
System properties window open.
java.sql,java.io,java.lang,com.ibm.db2.jcc,java.util,com.ibm.db2.jcc.t4,com.ibm.db2.j
cc.am
100

V7.0
Exercise 3. Creating the script parameter
Uempty
3. Allow the com.ibm.db2.jcc.t4.b Java class:

a. Find the Scripting - Classes allowed in a script property. Enter the com.ibm.db2.jcc.t4.b
class into the Value field. Click Update.
b. Click Close.
E
T
T

In this part of the exercise, you take the JavaScript content that you reviewed and implement it in
the Compliance Manager. In this example, you use JavaScript to create a script parameter. Later,
you use this script parameter in a compliance policy.
1. Log in to the Tivoli Netcool Compliance Manager application by double-clicking the ITNCM
Compliance icon on the desktop.

Student Exercises
101

2. When the login window opens, enter the user name shemp and the password object00. Click
Login.
3. Create a script parameter with the JavaScript content in the

/home/netcool/ClassFiles/JavaExamples/databaseLoopbackAddressValue.js file.
a. Click Parameters > Parameter Administration at the top of the user interface. This action
opens the Parameter Administration window.
E
T
T
102

V7.0
Uempty
b. Click the Script Parameters tab in the Parameter Administration window. Click New.
E
T
T
c. Use the following values in the Add Script Parameter window:

Name: mgtLoopbackAddress
Description: This is the Address in the DEVICE_MGT_INFORMATION database for a

specific device
Realm: USISA

Student Exercises
103

Script Editor: JavaScript from the following file:

/home/netcool/ClassFiles/JavaExamples/databaseLoopbackAddressValue.js
Cut and paste the JavaScript from the file into the Script Editor field. Open the script
with the gedit command, and copy and paste it from there.
gedit
/home/netcool/ClassFiles/JavaExamples/databaseLoopbackAddressValue.js
E
T
T
d. Click Validate Syntax to ensure that the script content is correctly formatted. Verify that you
see the following message. Click OK to close the message.
104

V7.0
Exercise 4. Using the script parameter in a policy
Uempty
e. Click OK to close the Add Script Parameter window.
E
T
T
4. Click the X in the upper right to close the Parameter Administration window. Leave the user
interface open.
Exercise 4. Using the script parameter in a

policy
In this exercise, you use the script parameter in a definition. This definition becomes part of a policy
when it is used in a rule. The script parameter obtains a loopback IP address from a database. You
compare that IP address with a loopback address in the configuration and ensure that there is a

Student Exercises
105

match. You are not concerned which loopback interface has the address; only that one is
configured. You use a modeled definition in this exercise to ensure that the address is configured.
1. To create a modeled definition, click Create > Definition in the user interface.
2. After the Definition wizard opens, add the following data to the fields:
E
T
T
Name: check for correct loopback IP
Description: This definition checks the configuration for a loopback IP that matches the
DEVICE_MGT_INFORMATION database address
3. Select Create Compliance Definition using SmartModel. Click Next.
106

V7.0
Uempty
4. Select a Vendor, Type, Model, and OS (VTMOS) of cisco, router, 3640, *12.4* (scroll to the
bottom of the list). Click Retrieve Model. Notice that the command schema for this specific
device is presented.
E
T
T
In these steps, you build the command or commands that you are searching for in the configuration.
You use this schema to help build an XPath. XPath is the industry standard tool for searching XML
documents, which is the format of a modeled configuration.
5. Scroll down to the interface node in this tree and open the folder. Scroll down this list of
interfaces and open the Loopback* node. The interfaces are in alphabetical order.

Student Exercises
107

6. Scroll down in the Loopback* node and open the ip folder.
7. In the ip node, select address* and click Add Evaluation.
E
T
T
A new window opens where you can add details to the Loopback interface arguments. There
are three arguments available:
configuration/interface/Loopback/ip/address/ARG.001: This argument is the IP address

of a particular Loopback interface.
configuration/interface/Loopback/ip/address/ARG.002: This argument is the subnet

mask of a particular Loopback interface.
configuration/interface/Loopback/ARG.001: This argument is the interface number of a

particular Loopback interface.
You are interested only in entering a variable into the IP address field.
108

V7.0
Uempty
8. Select the configuration/interface/Loopback/ip/address/ARG.001 argument. In the lower

half of the window, you can define the value or variable that you want to place in that argument.
Insert the JavaScript parameter that you created. Place the cursor in the argument field.
E
T
T
9. Insert the script parameter into the Argument field. Select Script Parameter from the list and
click Insert Parameter.

Student Exercises
109

10. Select the mgtLoopbackAddress parameter that you created earlier. Click OK.
The parameter is added to the Argument field.

11. Click Update and ensure that the Argument list is modified. After it is updated, click Next.
E
T
T
Important:
110
Ensure that you click Update before you click Next.

V7.0
Uempty
12. Modify the Test Conditions so that the Match Criteria is set to Match Any. Click Finish. You
return to the main Definition window and view your evaluation in the Evaluation List. After
noting the format, click Next.
E
T
T
13. Save the definition in the USISA policy realm, and click Finish.

Student Exercises
111

Your new definition is displayed in the Definitions list.
E
T
T
Note: In the previous step, you created a modeled definition. You could have created a CLI
definition. However, a modeled definition is preferred here because of the ease of relating the
JavaScript parameter and its IP address to a loopback interface. Because the XPath that was
created had a loopback address type defined in it, you are assured that only loopback interfaces
are analyzed. You must encode extra steps in a CLI definition to ensure that you check only
loopback addresses. Also, you selected Match Any for the Test Conditions. This criteria is selected
because devices can have multiple loopback interfaces defined. For this analysis, having one of
the loopback interfaces with the correct address is sufficient.
After you create the definition, you create a rule. The rule is where you determine whether the
device is compliant or noncompliant based on the search results of the definition.
14. Create a rule by selecting Create > Rule.
112

V7.0
Uempty
15. When the rule wizard starts, provide a name and a description for the rule.
Name: enable correct loopback address
Description: Ensure the loopback address on device matches that in

DEVICE_MGT_INFORMATION database
Also, you can select filters that ensure that the rule is applied only to the correct vendor, type,
model, and operating system. In this case, select Cisco as the vendor. Click Next.
E
T
T
16. Build a logic diagram that determines the state of the device when the definition returns a true
or false from its search. Drag the Start icon onto the worksheet. Drag the Definition icon onto

Student Exercises
113

the worksheet. You are prompted to select a definition. Select the check for correct loopback
IP definition, and click OK.
E
T
T
17. Drag the Compliant icon and place it to the right of the Definition icon, because a definition
that returns true means that the device is compliant. Drag the Non Compliant icon onto the
worksheet and place it under the Definition icon. In the Select Action window, select No
Action. Click OK.
18. Connect all these objects together to define the logic flow when the definition returns a true or
false answer. Click the white dot from the Start icon and connect it to the top dot on the
Definition icon. Click the T dot on the Definition icon and connect it to the dot on the
114

V7.0
Uempty
Compliant icon. Connect the F dot on the Definition icon to the No Action dot. After you
complete the three connections, click Next.
E
T
T
19. To save the rule, select USISA and click Finish. You see the new rule.

Student Exercises
115

20. To complete the policy structure, you must create a policy and associate the rule to it. Create a
policy by selecting Create > Policy.
The Policy wizard opens.

21. In the Enter Policy Details window, perform the following steps:
a. Provide a name and a description.
E
T
T
Name: enable correct loopback address
Description: Ensure the loopback address on device matches that in

DEVICE_MGT_INFORMATION database
Leave the other fields and values with their default settings.
116

V7.0
Uempty
b. Find the recently created rule in the USISA realm and associate it to this policy.
c. Click Next.
E
T
T
You can configure compliance to send emails and notifications if devices are noncompliant.
22. For this exercise, keep the default of No Action and click Next.

Student Exercises
117

Exercise 5. Running the new policy
23. Save the policy in the USISA policy realm and click Finish.
E
T
T

In this exercise, you run the policy to test the script parameter.
1. Run the enable correct loopback address policy.
a. Click the Execution tab. Click the By Policy object. Click the USISA realm.
118

V7.0
Uempty
b. Click the enable correct loopback address policy. Click Execute. This action starts a
wizard.
c. Click Next on the first window of the wizard.
E
T
T
Student Exercises
119

d. Select By Realm. Click Routers to highlight it, and use the arrow icon to add the Routers
realm to the right window. Click Next.
E
T
T
e. Click No when you are prompted to view parameters.
120

V7.0
Uempty
f.
Click Finish.
E
T
T
The Results tab is displayed.
2. Click the Refresh button until the Process Execution Summary state is Finished.

Student Exercises
121

3. View the results of the compliance policy evaluation.

a. Click the Finished policy result. Notice at the bottom of the window that 13 of the devices
passed the policy and two of them failed.
E
T
T
b. Double-click the results at the bottom of the window. This action takes you to detailed
results.
122

V7.0
Uempty
c. Look at the list of devices that passed or failed. Double-click one of the devices that passed.
E
T
T
d. Look at the detailed results for the device at the bottom of the window. Click the Evaluation
1 object. Notice that the script parameter returned the loopback address from the database.
The device is compliant because the same loopback address is in the device configuration.

Student Exercises
123

e. Double-click one of the devices that failed. Click the Evaluation 1 object. Notice that the
script parameter returned the loopback address from the database. The device is not
compliant because that loopback address is not in the device configuration.
E
T
T
4. Exit the compliance manager user interface.
124

V7.0
Exercise 6. Optional exercise: external database
Uempty

This exercise uses a simple external database. If you are interested in looking at the database that
contains the loopback addresses, follow these steps:
1. Open a terminal window and switch to the db2inst1 user with the password object00. Start the
DB2 Control Center user interface.
a. Right-click the desktop and click Open in Terminal.
E
T
T
b. Run the following command to switch to the db2inst1 user. When you are prompted for the
password, type object00.
su - db2inst1
Password:
c. Run the following command to start the DB2 Control Center user interface:
db2cc &

Student Exercises
125

d. Select the Advanced view and click OK.
E
T
T
2. Browse to the MGMT_IPS database. Look at the DEVICE_MGT_INFORMATION table.

a. Expand All Databases. Expand MGMT_IPS.
126

V7.0
Uempty
b. Click Tables. Double-click the DEVICE_MGT_INFORMATION table.
This simple table has two columns.
E
T
T
3. Exit the DB2 Control Center user interface.

Student Exercises
127
Driver management exercises

In this chapter, you learn to verify current drivers, install and upgrade drivers, verify the new drivers,
and use the updated drivers.
Exercise 1. Verifying current drivers
E
T
T
In this exercise, you look at the device management drivers that are installed in your environment.
You verify what is installed before you upgrade these drivers. After you install new drivers in a later
exercise, you look at these drivers again to confirm that they are updated.
1. Verify that the following drivers do not exist:
Cisco Nexus 7000 series switch 4.x
Cisco CRSx Router 4.x
Juniper qfabric Switch 12.x
Perform the following steps to verify the existence of the drivers:
a. Log in to the IBM Tivoli Netcool Configuration Manager user interface. Double-click the
ITNCM Base icon on the desktop.
c. Click Systems Manager > Drivers.
128
V7.0
4 Driver management exercises
Uempty
This action shows a list of all installed drivers.
E
T
T
d. Click the Model column to sort the drivers by the device model that they apply to. Scroll
down to the Cisco Nexus switch models. Notice that you have drivers for the 1000 and 4000
series switches, but you do not have drivers for the 7000 series switch.
e. Scroll down to the Cisco CRS series routers. Notice that you have drivers for Cisco CRSx
routers version 3.3.x, but you do not have drivers for version 4.x.
f.
Click the Vendor column to sort the drivers by the vendor that they apply to. Scroll down to
the Juniper devices. Notice that you do not have drivers for Juniper qfabric switches. The

Student Exercises
129

qfabric model is listed between the NSxx and the Srx models if it is present.
2. Verify the version and support level for the following drivers:
Cisco 3600 Series Routers, operating system version 12.2
Perform the following steps to verify the version and support level:
E
T
T
a. Middle-click the columns at the top of the user interface window. Click Support Level to add
that column to the list.
b. Drag the Support Level column next to the Version column.
130

V7.0
Uempty
c. Click the Model column to sort the drivers by the device model that they apply to. Scroll
down to the Cisco 36xx model routers. Look at the driver version and support level for Cisco
36xx routers with operating system version C36xx-12.4. Notice the driver version
20120910.201211 and the SmartModel support level. This version changes after the driver
upgrade.
d. Look at the driver version and support level for Cisco 36xx routers with operating system
version C3600-IK903S-M-12.2. Notice the driver version 20120910.201211 and the
SmartModel support level. This version changes after the driver upgrade.
E
T
T
e. Scroll down to the Cisco 72xx model routers. Look at the driver version and support level for
Cisco 72xx routers with operating system version C7200-IK9S-M-12.3-12a. Notice the
driver version 20120910.201211 and the SmartModel support level. This version changes
after the driver upgrade.

Student Exercises
131

3. Look at the driver checksum value on all IBM Tivoli Netcool Configuration Manager servers.
After you install new drivers in a later exercise, you look at this checksum value again to see
that it changed.
a. Click Systems Manager > Servers. This action shows a list of all IBM Tivoli Netcool
Configuration Manager servers.
E
T
T
b. Middle-click the columns at the top of the user interface window. Click Driver Checksum to
add that column to the list.
c. Drag the Driver Checksum column next to the Server Id column. Look at the value of the
driver checksum for the GUI server and the worker server. Notice the current value. Notice
that the values match on both servers. After you install new drivers in a later exercise, you
look at this checksum value again to see that it changed.
132

V7.0
Exercise 2. Installing and upgrading drivers
Uempty
4. Look at the devices in the USISA > Routers realm. Notice the icons that represent the devices.
a. Click Resource Browser > ITNCM > USISA > Routers.
E
T
T
b. Look at the icons that represent the devices. You look at these devices again after you
install new drivers.
5. Exit the user interface.

In this exercise, you install new drivers and upgrade existing drivers. You install new drivers for the
following devices. You install these devices with a package of multiple drivers.
Student Exercises
133


You upgrade drivers for the following devices. You upgrade these drivers with individual driver
installers.
To install and upgrade the drivers, perform the following steps:
1. Open a terminal window as the netcool user. Stop the IBM Tivoli Netcool Configuration Manager
presentation and worker servers.
a. Right-click the desktop and click Open in Terminal.
E
T
T
b. Run the following command. Wait a few moments for the servers to stop.
itncm.sh stop
2. Install the new drivers with a package of multiple drivers. This package is for complex devices,
such as large routers and switches. This action installs new drivers for Cisco Nexus 7000 series
switches, Cisco CRS routers version 4.x, and Juniper qfabric switches.
a. Change to the /home/netcool/ClassFiles/Drivers17/ComplexPackage/ directory. Run the
following command:
cd /home/netcool/ClassFiles/Drivers17/ComplexPackage
b. Decompress the ITNCMSmartModelComplex.tar file.
tar -xvf ITNCMSmartModelComplex.tar
c. Run the following command to start the installation program:
sh ./Disk1/InstData/ITNCMDrivers.bin LAX_VM
/opt/IBM/tivoli/netcool/ncm/jre/bin/java -i console
134

V7.0
Uempty
d. Press Enter to continue.

PRESS <ENTER> TO CONTINUE:
e. Type 1 to accept the agreement.
Press Enter to continue viewing the license agreement, or enter "1" to accept
the agreement, "2" to decline it, "3" to print it, or "99" to go back to the
previous screen.: 1
f.
Press Enter to accept the default path for installation.

ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
g. Type 1 for All Devices. Press Enter.

Please choose the Install Set to be installed by this installer.
123->4-
All Devices
Cisco Devices
Juniper Devices
Exit Installer
E
T
T
5- Customize...
ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT
: 1
h. Press Enter to continue after you review the Pre-Installation Summary. The installation
takes approximately 8 - 12 minutes.
i.
Exit the installer. Press Enter.
PRESS <ENTER> TO EXIT THE INSTALLER:
3. Change to the /home/netcool/Drivers17/IndividualCiscoDrivers/ directory. List the contents

of this directory. Three different installers in this directory install three different drivers.
cd /home/netcool/ClassFiles/Drivers17/IndividualCiscoDrivers
ls
CiscoRouter36xxC3600IK903SM122.bin CiscoRouter72xxC7200IK9SM12312a.bin
CiscoRouter36xxC36xx124.bin
4. Install the individual driver for Cisco 3600 series routers that run operating system version 12.2.
This action upgrades the existing drivers to a more recent version.
a. Run the following command to start the installation program:
sh ./CiscoRouter36xxC3600IK903SM122.bin LAX_VM
Student Exercises
135

b. Press Enter to continue.

c. Type 1 to accept the agreement.
previous screen.: 1
d. Press Enter to accept the default path for installation.
e. Press Enter to continue after you review the Pre-Installation Summary. The installation
f.

E
T
T
sh ./CiscoRouter36xxC36xx124.bin LAX_VM
previous screen.: 1

f.

sh ./CiscoRouter72xxC7200IK9SM12312a.bin LAX_VM
136

V7.0
Exercise 3. Verifying the new drivers
Uempty

previous screen.: 1
f.

E
T
T
7. Start the IBM Tivoli Netcool Configuration Manager presentation and worker servers. Run the
following command. Wait a few moments for the servers to start.
itncm.sh start
8. Upgrade the support level of the new drivers to SmartModel support. Run the following
commands:
cd /opt/IBM/tivoli/netcool/ncm/drivers/bin/
./SmartModelUpgrade.sh -all
In this exercise, you look at the new drivers that you installed and the drivers that you upgraded.
1. Verify that the following drivers are now present in your environment:

Student Exercises
137

Perform the following steps to verify the installed or upgraded drivers:

a. Log in to the IBM Tivoli Netcool Configuration Manager user interface. Double-click the
ITNCM Base icon on the desktop.
E
T
T
c. Click Systems Manager > Drivers.
138

V7.0
Uempty
d. Add the Support Level column if it is not already present. Middle-click the columns at the top
of the user interface window. Click Support Level to add that column to the list.
e. Drag the Support Level column next to the Version column.
f.
E
T
T
Click the Model column to sort the drivers by the device model that they apply to. Scroll
down to the Cisco Nexus switch models. You now have drivers for Cisco Nexus 7000 series
switches. They are at the SmartModel support level.
g. Scroll down to the Cisco CRS series routers. You now have drivers for Cisco CRSx routers
version 4.x. They are at the SmartModel support level.

Student Exercises
139

h. Click the Vendor column to sort the drivers by the vendor that they apply to. Scroll down to
the Juniper devices. You now have drivers for Juniper qfabric switches. They are at the
SmartModel support level.
2. Verify the version and support level for the following drivers:
E
T
T
a. Click the Model column to sort the drivers by the device model that they apply to. Scroll
down to the Cisco 36xx model routers. Look at the driver version and support level for Cisco
36xx routers with operating system version C36xx-12.4. Notice the new driver version
20130223.62211 and the SmartModel support level. The older version of the driver is also
present.
b. Look at the driver version and support level for Cisco 36xx routers with operating system
version C3600-IK903S-M-12.2. Notice the new driver version 20130223.62211 and the
SmartModel support level. The older version of the driver is also present.
c. Scroll down to the Cisco 72xx model routers. Look at the driver version and support level for
Cisco 72xx routers with operating system version C7200-IK9S-M-12.3-12a. Notice the new
140

V7.0
Uempty
driver version 20130223.62211 and the SmartModel support level. The older version of the
driver is also present.
3. Look at the driver checksum value on all IBM Tivoli Netcool Configuration Manager servers.
After you installed new drivers, this checksum value changed.
a. Click Systems Manager > Servers.
E
T
T
b. Add the Driver Checksum column if it is not there. Middle-click the columns at the top of the
user interface window. Click Driver Checksum to add that column to the list.

Student Exercises
141

Exercise 4. Using the updated drivers
c. Drag the Driver Checksum column next to the Server Id column. Look at the value of the
driver checksum for the GUI server and the worker server. The current value is different
from when you looked at in a previous exercise; the values match on both servers.

In this exercise, you assign the newer version of the following drivers to managed devices:
E
T
T

Perform the following steps to assign the newer version:
1. Look at the devices in the USISA > Routers realm. The icons that represent the devices
changed.
a. Click Resource Browser > ITNCM > USISA > Routers.
142

V7.0
Uempty
b. Look at the icons that represent the devices. These icons now have an orange arrow beside
them. The orange arrow means that there is a more recent driver version available for the
device.
E
T
T
2. Update the driver that these devices are using.
a. Press and hold the Shift key to select all the devices. Right-click the devices and click
Driver Update. This actions starts a wizard.

Student Exercises
143

b. Click Next in the first window of the wizard.
E
T
T
c. Select Current Config. Click Next.
144

V7.0
Uempty
d. Type Updating drivers as the description. Click Finish.
E
T
T
e. Click Close to exit the wizard.
f.
Wait a few moments for the driver update to finish. Click the Refresh button.

Student Exercises
145

The orange arrows are removed from the device icons because they are now using the
most recent driver available.
E
T
T
146

V7.0
Uempty
E
T
T
Student Exercises
147
Offline device management exercises

IBM Tivoli Netcool Configuration Manager is used to manage the configuration of network devices
and to check those devices to determine whether they are compliant with industry and corporate
standards for security, services, and customer requirements. Traditionally, you discover and import
the configuration of a device into the IBM Tivoli Netcool Configuration Manager database by directly
connecting to the device with a remote terminal session and interrogating it for configuration data.
An alternative method of discovering and importing device data is offline configuration
management. With this method, you can use IBM Tivoli Netcool Configuration Manager to work
with devices that it cannot connect to. Offline device management is useful in many cases,
including the following scenarios:
E
T
T
When IBM Tivoli Netcool Configuration Manager has no connectivity to devices in an isolated
network segment
For testing compliance policies in a development environment, when the development instance
of IBM Tivoli Netcool Configuration Manager is isolated from the production network
For product demonstrations where no actual devices are available to test with
In this lab, you use the new offline configuration management feature of IBM Tivoli Netcool
Configuration Manager. You import a series of plain text file device configurations into IBM Tivoli
Netcool Configuration Manager and use the compliance manager to analyze the configurations for
violations of industry standard security policies. You also use offline management tools to export
actual devices into offline file sets and clone actual devices into offline devices.
148
V7.0
5 Offline device management exercises
Exercise 1. Importing offline devices
Uempty

To work with an offline device, you start with two plain text files. The first file must contain the
running configuration of the device. The second file must contain the output of several commands
that describe the hardware of the device.
In this exercise, you use the demoDeviceImport.sh tool to convert four sets of text files into four
offline devices. You then view these new offline devices in IBM Tivoli Netcool Configuration
Manager.
1. Open the following tools as the user shemp.
Open the IBM Tivoli Netcool Configuration Manager client. This client is the user interface
for the IBM Tivoli Netcool Configuration Manager. You use this tool to work with network
device configurations.
Open the IBM Tivoli Netcool Configuration Manager compliance client. This client is used to
test network devices for policy compliance. You use this tool to inspect network devices and
calculate a compliance score that is based on the results.
E
T
T
To open the tools, perform the following steps:
a. Log in to the Tivoli Netcool Configuration Manager application by double-clicking the ITNCM
Base icon on the desktop.
b. When the login window opens, enter the user name shemp and the password object00.
Click Login.
c. Log in to the Tivoli Netcool Compliance Manager application by double-clicking the ITNCM
Compliance icon on the desktop.

Student Exercises
149

d. When the login window opens, enter the user name shemp and the password object00.
Click Login.
2. Look at the actual devices that are managed by IBM Tivoli Netcool Configuration Manager.
Devices are saved in realms, which are folders that store IBM Tivoli Netcool Configuration
Manager objects.
a. In the IBM Tivoli Netcool Configuration Manager client, click Resource Browser > ITNCM >
USISA > Routers. Look at the devices in this realm. IBM Tivoli Netcool Configuration
Manager connected to these devices and directly imported their configurations.
E
T
T
150

V7.0
Uempty
b. Click Resource Browser > ITNCM > Offline-Devices. This realm is empty. You use this
realm when you discover and import the offline devices.
E
T
T
3. Look at the text files to see what is imported. You discover and import devices and their
configurations from plain text files. These text files were obtained from live devices.
a. Open a terminal window if there is not one already open. Right-click the desktop and click
Open in Terminal.
b. Change to the /opt/IBM/tivoli/netcool/ncm/offline/ directory. Enter the following

command:
cd /opt/IBM/tivoli/netcool/ncm/offline/

Student Exercises
151

c. List the contents of this directory. Look at the name of the four subdirectories. Each of the
four subdirectories represents a device.
ls
access02.dfw.usisa.gov
access04.tpa.usisa.gov
cust304.dfw.usisa.gov
cust55.tpa.usisa.gov
d. Change to the /opt/IBM/tivoli/netcool/ncm/offline/access02.dfw.usisa.gov directory. List
the contents of this directory. The text inside of these two files contains the running
configuration of the access02.dfw.usisa.gov device and other details about the hardware of
the device.
cd access02.dfw.usisa.gov
ls
show_running-config.txt show_version.txt
E
T
T
152

V7.0
Uempty
e. Open the file named show_running-config.txt with vi. Look at the contents of this file and
notice the configuration of this device. Close the file after you finish.
vi show_running-config.txt
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname access02.dfw.usisa.gov
!
boot-start-marker
boot-end-marker
...
snmp-server enable traps cnpd
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server host 10.191.100.1 version 2c public
snmp-server host 10.191.101.50 public
snmp-server host 10.191.100.1 v2c
!
gatekeeper
shutdown
!
E
T
T

Student Exercises
153

line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
end
f.
Open the file named show_version.txt with vi. Look at the contents of this file and notice
that it contains the output of several commands, including the command show version.
E
T
T
154

V7.0
Uempty
Close the file after you finish.

vi show_version.txt
show version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JK9O3S-M), Version 12.3(18), RELEASE SOFTWARE
(fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Wed 15-Mar-06 19:16 by dchih
Image text-base: 0x60008AF4, data-base: 0x622B8000
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-JK9O3S-M), Version 12.3(18), RELEASE SOFTWARE
(fc3)
...
access02.dfw.usisa.gov#show diag
Slot 0:
Fast-ethernet on C7200 I/O card with MII or RJ45 Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 01:15:14 ago
EEPROM contents at hardware discovery:
Hardware revision 1.14
Board revision A0
Serial number
4294967295
Part number
73-2956-02
FRU Part Number: C7200-IO-FE-MII/RJ45=
...
access02.dfw.usisa.gov#show interface
FastEthernet0/0 is administratively down, line protocol is down
Hardware is DEC21140, address is ca00.12b1.0000 (bia ca00.12b1.0000)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output ...
access02.dfw.usisa.gov#show ip interface brief
Interface
IP-Address
OK? Method Status
Protocol
FastEthernet0/0
unassigned
YES NVRAM administratively down
E
T
T

Student Exercises
155

down
POS1/0
10.10.1.9
POS2/0
10.10.1.6
...
access02.dfw.usisa.gov#show vlan
YES NVRAM up
YES NVRAM up
up
up
No Virtual LANs configured.

access02.dfw.usisa.gov#show file system
File Systems:
Size(b)
129016
-
Free(b)
123394
-
Type Flags Prefixes

opaque
rw
system:
opaque
rw
null:
network
rw
tftp:
nvram
rw
nvram:
disk
rw
disk0:
disk
rw
disk1:
flash
rw
slot0: flash:
flash
rw
slot1:
flash
rw
bootflash:
network
rw
rcp:
network
rw
pram:
E
T
T
...
access02.dfw.usisa.gov#show snmp
Chassis: 4279256517
Contact: Tivoli
Location: Paris
722 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
...
4. Import the four offline devices with the demoDeviceImport.sh tool. You must run this tool four
times, one time for each device.
a. Change to the /opt/IBM/tivoli/netcool/ncm/ directory.
cd /opt/IBM/tivoli/netcool/ncm
b. Run the following four commands with the following parameters:
User name
Password
156

V7.0
Uempty
Realm where the offline device is created

Host name of the device you want to import
E
T
T
Student Exercises
157

The output of the commands is included in the following example. Ignore any errors about
logging.
bin/utils/demoDeviceImport.sh -l shemp -p object00 -r ITNCM/Offline-Devices
-hostname access02.dfw.usisa.gov
INSTALL_DIR=/opt/IBM/tivoli/netcool/ncm
MODE: import
REALM ITNCM/Offline-Devices
Connecting to NCM Presentation server
log4j:WARN No appenders could be found for logger
(org.apache.axis.i18n.ProjectResourceBundle).
log4j:WARN Please initialize the log4j system properly.
Beginning import operation
Importing device access02.dfw.usisa.gov to realm ITNCM/Offline-Devices
Using the following properties for import operation:
- offlinedirectory
=offline
- showversionfilename =show_version.txt
- showrunningfilename =show_running-config.txt
Importing device with the following VTMOS:
- Vendor=Cisco
- Type=Router
- Model=7206VXR
- OS= 12.3(18)
Importing device access02.dfw.usisa.gov
Submitted Import UOW 34 for device: access02.dfw.usisa.gov
Import operation complete
E
T
T

-hostname access04.tpa.usisa.gov
MODE: import
Importing device access04.tpa.usisa.gov to realm ITNCM/Offline-Devices
- offlinedirectory
=offline
158

V7.0
Uempty
- Vendor=Cisco
- Type=Router
- Model=7206VXR
- OS= 12.3(18)
Importing device access04.tpa.usisa.gov
Submitted Import UOW 35 for device: access04.tpa.usisa.gov

-hostname cust304.dfw.usisa.gov
E
T
T
MODE: import
Importing device cust304.dfw.usisa.gov to realm ITNCM/Offline-Devices
- offlinedirectory
=offline
- Vendor=Cisco
- Type=Router
- Model=3640
- OS= 12.2(32)
Importing device cust304.dfw.usisa.gov
Submitted Import UOW 36 for device: cust304.dfw.usisa.gov

-hostname cust55.tpa.usisa.gov

Student Exercises
159

MODE: import
Importing device cust55.tpa.usisa.gov to realm ITNCM/Offline-Devices
- offlinedirectory
=offline
- Vendor=Cisco
- Type=Router
- Model=3640
- OS= 12.2(32)
Importing device cust55.tpa.usisa.gov
Submitted Import UOW 37 for device: cust55.tpa.usisa.gov
E
T
T
5. Return to the IBM Tivoli Netcool Configuration Manager client and view the imported devices.
a. Click Resource Browser > ITNCM > Offline-Devices. Click the Refresh button. The four
devices were imported.
160

V7.0
Uempty
b. Right-click the access02.dfw.usisa.gov device, and click View Native Commands.
E
T
T
c. View the device configuration. Close the configuration window after you finish. Take time to
look at the other four devices and verify that they were imported correctly.

Student Exercises
161

Exercise 2. Testing offline devices for policy compliance
d. Click the access02.dfw.usisa.gov device. Click the Hardware tab. View the details of the
device that were imported from the show_version.txt file. Take time to look at the other
four devices and verify that they were imported correctly. After you finish, leave the IBM
Tivoli Netcool Configuration Manager client open.
E
T
T
Exercise 2. Testing offline devices for policy

compliance
The best use case for offline devices is to use them when you test compliance policies. Offline
devices are read-only. You cannot make configuration changes to offline devices because their
configuration is only a plain text file. However, you can read and analyze the configuration of an
offline device. This read-only access means that you can use offline devices as the target of
compliance policies because the IBM Tivoli Netcool Configuration Manager compliance feature
needs only to read and analyze configuration data. You can run these policies without any
connectivity to the actual devices.
162

V7.0
Uempty
In this exercise, you run four compliance policies to determine whether the offline devices that you
previously created are compliant. You also run a report to see an overall compliance score for these
new offline devices.
1. Start the Tivoli Integrated Portal server.
a. Return to the terminal window. Run the following command. Wait a few moments for the
Tivoli Integrated Portal server to start.
itnm_start tip
b. Verify that the server is running with the following command.
itnm_status tip
Tivoli Integrated Portal:
Server
RUNNING PID=2034
c. Open the Firefox browser. Double-click the Firefox icon on the desktop.
E
T
T
d. Type the following web location and press Enter.
https://omnihost:16311/ibm/console/logon.jsp
e. Log in to the Tivoli Integrated Portal with the user name shemp and the password object00.
Leave the Tivoli Integrated Portal open.

Student Exercises
163

2. Open the IBM Tivoli Netcool Configuration Manager compliance client. Look at the policies in
the Offline_Device_Compliance process.
a. Click the Policy Definitions tab. Click Processes.
E
T
T
b. Expand the USISA folder. Expand the Offline_Device_Compliance process. This process
contains the following four policies:
3.1.09 and 10 disable SNMP community public and private: This policy tests
whether the community strings public and private are configured on the device. These
strings are too simple, and if they are found, the device is not compliant.
3.1.38 disable ip http server: This policy tests whether the http server is enabled on a
device. This http server feature uses clear text passwords and is not secure. If this
feature is enabled on the device, it is not compliant.
3.1.59-2 disable logging console: This policy tests whether log messages are printed
to the device console terminal. This type of logging can make the console terminal of the
device difficult to use. If console logging is enabled on the device, it is not compliant.
3.1.73 and 74 disable directed broadcast: This policy tests whether the device has
interfaces that are configured to use directed broadcasts. Interfaces that allow directed
164

V7.0
Uempty
broadcasts can be used for denial-of-service attacks. If an interface is configured to use

directed broadcasts, then the device is not compliant.
E
T
T
3. Run the Offline_Device_Compliance process to test for compliance on the four offline
devices.
a. Click the Execution tab. Click By Process. Click the USISA folder.
b. Click the process that is named Offline_Device_Compliance. Click Execute.

Student Exercises
165

c. Click Yes.
The Results tab is displayed.

d. Wait for the process to finish running. Click the Refresh button until the state of the process
is Finished.
E
T
T
e. After the process is finished, select it and notice the results for each of the policies. The
offline devices either failed or passed these policies.
166

V7.0
Uempty
f.
Select the policy that is named 3.1.38 disable ip http server. Click the Details button.
g. Notice which devices passed or failed the 3.1.38 disable ip http server policy. Next, you run
a report that shows overall compliance score for these devices.
E
T
T
4. Run a report that shows compliance scores and summaries for these offline devices.
a. Return to the Tivoli Integrated Portal. Click Reporting > Common Reporting.

Student Exercises
167

b. Click ITNCM Reports.
E
T
T
c. Click Policy Compliance Score and Summary.
168

V7.0
Uempty
d. Select only the ITNCM/Offline-Devices realm. Click Select all in the list of policies. Click
Finish to run the report.
E
T
T
e. Scroll down and view the report. These devices have low compliance scores because none
of them were compliant with the 3.1.09 and 10 disable SNMP community public and

Student Exercises
169

Exercise 3. Working with offline devices
private policy. This policy has a much higher weight in the score than the other policies.
After you finish, take some time to run other policy compliance reports.
E
T
T

In this exercise, you use two command-line tools to work with offline devices. The first tool is
demoDeviceExport.sh. This tool exports information about a managed device into plain text files
that describe the device. This tool is useful if you want to export real devices to text files that can be
imported into a test environment.
The second tool is demoDeviceCreator.sh. This tool clones a managed device into an identical
device that has a different host name. This tool is useful if you want to create many test devices in
your environment.
1. Use the demoDeviceExport.sh tool to export two devices to plain text files. You must run this
tool two times, one time for each device. The devices that you export are named
170

V7.0
Uempty
WAS-usisa.gov and BRU-CPE-bma.gov. These devices are in the ITNCM/USISA/Routers

realm.
b. Run the following two commands with the following parameters:
User name
Password
The realm that contains the device you want to export
Host name of the device you want to export
E
T
T
Student Exercises
171

logging.
bin/utils/demoDeviceExport.sh -l shemp -p object00 -r ITNCM/USISA/Routers
-hostname WAS-usisa.gov
MODE: export
REALM ITNCM/USISA/Routers
Beginning export operation
Exporting device WAS-usisa.gov from realm ITNCM/USISA/Routers
Using the following properties for export operation:
- offlinedirectory
=offline
Retrieving configuration info for device
Writing running config to
offline/export/WAS-usisa.gov/show_running-config.txt
Writing show version output to offline/export/WAS-usisa.gov/show_version.txt
Export operation complete
E
T
T
bin/utils/demoDeviceExport.sh -l shemp -p object00 -r ITNCM/USISA/Routers

-hostname BRU-CPE-bma.gov
MODE: export
Beginning export operation
Exporting device BRU-CPE-bma.gov from realm ITNCM/USISA/Routers
Using the following properties for export operation:
- offlinedirectory
=offline
Retrieving configuration info for device
172

V7.0
Uempty
Writing running config to

offline/export/BRU-CPE-bma.gov/show_running-config.txt
Writing show version output to
offline/export/BRU-CPE-bma.gov/show_version.txt
Export operation complete
2. Look at the files that the demoDeviceExport.sh tool created.
a. Change to the /opt/IBM/tivoli/netcool/ncm/offline/ directory. List the contents of this
directory. A new subdirectory is named export. The demoDeviceExport.sh tool created this
subdirectory.
cd /opt/IBM/tivoli/netcool/ncm/offline/
ls
access02.dfw.usisa.gov access04.tpa.usisa.govcust304.dfw.usisa.gov
cust55.tpa.usisa.gov export
E
T
T
b. Change to the /opt/IBM/tivoli/netcool/ncm/offline/export/ directory. List the contents of

this directory. Two new subdirectories are named for the two devices that you exported:
WAS-usisa.gov and BRU-CPE-bma.gov.
cd /opt/IBM/tivoli/netcool/ncm/offline/export/
ls
BRU-CPE-bma.gov WAS-usisa.gov
c. List the contents of the WAS-usisa.gov and BRU-CPE-bma.gov directories. Each directory
has two text files: one that contains the running configuration and one that contains the
output of several commands, including the command show version.
ls -R
.:
BRU-CPE-bma.gov WAS-usisa.gov
./BRU-CPE-bma.gov:
./WAS-usisa.gov:
3. Use the demoDeviceCreator.sh tool to clone two devices into offline devices. You must run this
tool two times, one time for each device. The devices that you clone are named LON-usisa.gov
and MOS-usisa.gov. These devices are in the ITNCM/USISA/Routers realm. Name the clones
of these devices LON-usisa.gov-clone and MOS-usisa.gov-clone. Create them in the
ITNCM/Offline-Devices realm.
Student Exercises
173

b. Run the following two commands with the following parameters:

User name
Password
The realm that contains the device you want to export
Host name of the device you want to export
The realm that you want to create the clone in
The host name of the cloned device
E
T
T
174

V7.0
Uempty
logging.
bin/utils/demoDeviceCreator.sh -l shemp -p object00 -r ITNCM/USISA/Routers
-hostname LON-usisa.gov -clonerealm ITNCM/Offline-Devices -clonehostname
LON-usisa.gov-clone
MODE: clone
CLONEREALM ITNCM/Offline-Devices
Beginning clone operation
Cloning device LON-usisa.gov in realm ITNCM/USISA/Routers
Clone will be created as LON-usisa.gov-clone in realm ITNCM/Offline-Devices
Importing device LON-usisa.gov-clone
Submitted Import UOW 38 for device: LON-usisa.gov-clone
Clone operation complete
E
T
T
bin/utils/demoDeviceCreator.sh -l shemp -p object00 -r ITNCM/USISA/Routers

-hostname MOS-usisa.gov -clonerealm ITNCM/Offline-Devices -clonehostname
MOS-usisa.gov-clone
MODE: clone
CLONEREALM ITNCM/Offline-Devices
Beginning clone operation
Cloning device MOS-usisa.gov in realm ITNCM/USISA/Routers
Clone will be created as MOS-usisa.gov-clone in realm ITNCM/Offline-Devices
Importing device MOS-usisa.gov-clone
Submitted Import UOW 39 for device: MOS-usisa.gov-clone
Clone operation complete

Student Exercises
175

c. Return to the IBM Tivoli Netcool Configuration Manager client. Click Resource Browser >
ITNCM > Offline-Devices. Click the Refresh button. Verify that the two new cloned devices
were created.
E
T
T
176

V7.0
More
about Tivoli
Back pa
Uempty
You can find the latest information about IBM Tivoli education offerings online at the following location:
www.ibm.com/software/tivoli/education/
Also, if you have any questions about education offerings, send an email to the appropriate alias for your
region:
Americas: tivamedu@us.ibm.com
Asia Pacific: tivtrainingap@au1.ibm.com
EMEA: tived@uk.ibm.com
Tivoli user groups
You can get even more out of Tivoli software by participating in one of the 91 independently run Tivoli User
Groups around the world. Learn about online and in-person Tivoli User Group opportunities near you at
www.tivoli-ug.org.
Certification
E
T
T
All IBM certifications are based on job roles. They focus on a job a person must do with a product, not just
the products features and functions. Online certification paths are available to guide you through the
process for achieving certification in many IBM Tivoli areas. See ibm.com/tivoli/education for more
information.
Special offer for having taken this course: Now through 31 December 2013: For having completed this
course, you are entitled to a 15% discount on your next examination at any Thomson Prometric testing
center worldwide. Use this special promotion code when registering online or by telephone to receive the
discount: 15CSWR. (This offer might be withdrawn. Check with the testing center.)
E
T
T
Authorized
ibm.com/training
Training

SN Secexcer

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SN Secexcer

Uploaded by

Copyright:

Available Formats

V7.

IBM Tivoli Netcool

2 Native command sets with JavaScript exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3 JavaScript compliance exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

4 Driver management exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Exercise 2. Installing and upgrading drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

5 Offline device management exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

Network Service Manager exercises

Use the following procedure to start the virtual images:

2. Click File > Open in VMware workstation.

Copyright IBM Corp. 2013

1 Network Service Manager exercises

4. Click Power on this virtual machine.

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

1 Network Service Manager exercises

7. Start the TNCM server with the following command:

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

Copyright IBM Corp. 2013

1 Network Service Manager exercises

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

The dots under each router turn from red to green.

Copyright IBM Corp. 2013

1 Network Service Manager exercises

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

Copyright IBM Corp. 2013

1 Network Service Manager exercises

Exercise 1. Reviewing VLAN command sets

To complete this exercise, perform the following steps:

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

1 Network Service Manager exercises

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Exercise 2. Importing the data center switch

Copyright IBM Corp. 2013

1 Network Service Manager exercises

3. Select Tools > Discover from the main menu.

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Copyright IBM Corp. 2013

1 Network Service Manager exercises

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

Exercise 3. Giving group rights to use the NSM

To complete this exercise, perform the following steps:

A Netcool Configuration Manager window opens.

Copyright IBM Corp. 2013

1 Network Service Manager exercises

3. Select the Account Management profile.

4. Select the engineering group.

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

5. Click the Activities tab.

Exercise 4. Submitting GET calls to the interface

1 Network Service Manager exercises

Perform the following steps to complete this exercise:

IBM Tivoli Netcool Configuration Manager 6.4 Advanced Features

2. Open Mozilla Firefox by double-clicking its icon on the GNS3 desktop.

You are prompted for a user name and password.

Copyright IBM Corp. 2013

1 Network Service Manager exercises

6. Select the check box to Remember me and click Okay.