06-18-2013 11:28 PM
Security - PKI User Authentication
1. NNMi now supports smart card logons including Common Access Card (CAC) and Personal Identity Verification (PIV) cards.
You can configure NNMi to restrict certificates used for logons.
You can configure NNMi to use the following certificate validation methods for Public Key Infrastructure (PKI) user authentication:
* Certificate Revocation Lists (CRLs)
* Online Certificate Status Protocol (OCSP)
2. NNMi now supports the use of subjectAlternativeName (SAN) for principal mapping in PKI user authentication.
3. You can configure NNMi to use Access Control Lists (ACLs) to enable non-root users to run Command Line Interface (CLI) commands. This is useful where CAC is enabled and password credentials are not available for running CLIs.
NNMi now uses NETCONF (RFC 4741 and 4742) communication with some device vendors and models (for example, Juniper Networks QFabric) to supplement the management information collected by SNMP.
SNMP Communication and MIBs
NNMi now supports the discovery of its EngineID using GetBulk and GetNext operations, in addition to SNMP-GET operations (previously supported).
HP Network Automation (NA)
You can configure the integration between NNMi and NA using two new options:
1. NNMi-NA Integration Level
The default setting enables full integration functionality. The other settings limit integration
functionality for multi-tenancy environments and for architectures in which two or more NNMi
regional managers connect to one NA core.
2. Out Of Service Completion Delay
This delay provides time for a device to recover after NA completes a task that placed that
device out of service.
NNMi permits User Accounts assigned to the NNMi Operator Level 2 User Group to run Status Poll and Configuration Poll on nodes to which they have access.
NNMi permits User Accounts assigned to the NNMi Operator Level 2 User Group to edit maps and node groups.
* The trap server now starts sooner and begins capturing traps earlier after restarting NNMi.
* The Incidents View now includes Tenant and NNMi Management Server Columns.
* Remote site unreachable incidents (Management Incident Configuration IslandGroupDown) have been updated to include custom incident attributes (CIA) cia.incidentDurationMs, cia.timeIncidentDetectedMs, and cia.timeIncidentResolvedMs.
SNMP Communication and MIBs
NNMi now supports the discovery of its EngineID, which is used in processing SNMPv3 traps and informs.
Devices can discover NNMi’s EngineID using the standard SNMPv3 EngineID discovery algorithm:
a. A device sends an empty SNMP-GET request to NNMi’s configured trap port (typically port 162).
b. NNMi generates and sends an SNMPv3 report PDU response to the device. NNMi's response
contains NNMi’s EngineID.
NNMi has been enhanced so it no longer shows a "Subnet connection" in a subnet where there are two or more MPLS Provider Edge (PE) interfaces involved.
You can configure NNMi to not consider some firewall and load balancer devices as duplicates. Many firewall and load balancer devices have duplicated IP addresses, duplicated layer 2 addresses, or both. This is especially true when the device is a virtual instance hosted on a physical device. NNMi often considers such devices to be duplicates of each other when they are not really duplicates. NNMi has a new configuration file in which you can list the sysObjectId values of these nodes. Doing so tells NNMi not to consider such nodes to be duplicates when it finds overlapping IP addresses, layer 2 addresses, or both.
State Poller and Monitoring Configuration
One common way to test network latency is to adjust the ICMP polling frequency and ICMP echo request packet data payload size for a management address being managed by NNMi. NNMi permits you to experiment with different packet sizes to measure the network latency.
A new tab, called "Causal Engine", has been added to the System Information window. This tab displays key statistics for the Causal Engine, including how far behind it is in processing state messages.
Traps sent by a proxy SNMP gateway might not show the original trap address when using NNMi’s default configuration. An administrator can configure NNMi to determine the original trap address.
You can configure NNMi (using PKI) to map certificates to NNMi user accounts.
You can configure cipher suites in $NnmDataDir/shared/nnm/conf/props/nms-jboss.proper
You can configure HP NNMi to permit NNMi incidents to close automatically after the corresponding alert is acknowledged in HP BSM Operations Management
SiteScope System Metrics
The SiteScope System Metrics Integration Module now supports the use of the SiteScope 11.20 Dynamic Disk Space monitor. Metrics collected by this SiteScope monitor and sent to NNMi according to SiteScope Data Integration preferences will now be processed correctly in NNMi and made available in NPS just as they were with the older Disk Space Monitor.
Out-of-the-box Support for ProCurve syslog messages
Out-of-the-box support for H3C syslog messages
Command Line Interface Commands
* The nnmsetiospeed.ovpl script permits the user to change the input or output speed on an interface either individually or in batch mode. See the nnmsetiospeed.ovpl reference page, or the UNIX manpage, for more information.
* The nnmloadinterfacegroups.ovpl script provides a command line interface for creating or replacing interface group configurations. See the nnmloadinterfacegroups.ovpl reference page, or the UNIX manpage, for more information.
Check Release notes for more info.
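
The EngineID discovery exchange described in steps a and b above, as an added example that is not part of the original post or of NNMi: it BER-encodes the empty SNMPv3 GET and a report PDU, then reads the EngineID back out of the unauthenticated report. The engine ID, msgID and zeroed boots/time fields are constructed sample values, and all function names are hypothetical.

```python
# SNMPv3 EngineID discovery, both messages, with a minimal BER codec (constructed values).
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def integer(v):  # non-negative INTEGER only; extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def octets(b):
    return tlv(0x04, b)
def seq(*parts):
    return tlv(0x30, b"".join(parts))

def read_tlvs(buf):  # split a buffer into its top-level (tag, value) pairs
    pos, out = 0, []
    while pos < len(buf):
        tag, n = buf[pos:pos + 2]        # ValueError if only one byte is left
        pos += 2
        if n & 0x80:                     # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[pos:pos + k], "big")
            pos += k
        if pos + n > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def build_message(engine_id, pdu_tag, flags, varbinds=b"", msg_id=1):
    header = seq(integer(msg_id), integer(65507), octets(bytes([flags])), integer(3))  # 3 = USM
    usm = seq(octets(engine_id), integer(0), integer(0), octets(b""), octets(b""), octets(b""))
    pdu = tlv(pdu_tag, integer(msg_id) + integer(0) + integer(0) + seq(varbinds))
    return seq(integer(3), header, octets(usm), seq(octets(engine_id), octets(b""), pdu))

def parse_message(msg):  # -> (msgAuthoritativeEngineID, PDU tag) of a plaintext v3 message
    (_, body), = read_tlvs(msg)
    _version, _header, (_, sec), (_, scoped) = read_tlvs(body)
    (_, usm), = read_tlvs(sec)
    return read_tlvs(usm)[0][1], read_tlvs(scoped)[2][0]

ENGINE_ID = bytes.fromhex("8000000b04") + b"nnmi-demo"   # constructed, not a real NNMi value
# Varbind usmStatsUnknownEngineIDs.0 (1.3.6.1.6.3.15.1.1.4.0) = Counter32 1
UNKNOWN_ENGINE = seq(tlv(0x06, bytes.fromhex("2b060106030f01010400")), tlv(0x41, b"\x01"))

def discovery_exchange():
    request = build_message(b"", 0xA0, 0x04)                       # step a: empty GET, reportable
    report = build_message(ENGINE_ID, 0xA8, 0x00, UNKNOWN_ENGINE)  # step b: report PDU
    return parse_message(request), parse_message(report)
```

Because the report is sent with noAuthNoPriv, any host that can reach the trap port can read the EngineID this way, which is worth accounting for in firewall rules around port 162.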