Itential Docs & Guides | Drive Automation for Modern Networks

This guide covers Itential Automation Platform (IAP) configurations along with several common adapter configurations. For more detailed information regarding each adapter's configurable properties, refer to the documentation for that respective adapter.

Note: Itential currently supports the use of MongoDB 4.2.x on all released IAP versions. If you are using an earlier version it is recommended that you upgrade.

Configuration File

The main IAP configuration file is located at /opt/pronghorn/current/properties.json.

The properties.json file contains global configurations. Several adapter-specific configurations must also be integrated into various systems within the customer environment (i.e., LDAP, NSO, etc.).

Encrypting Passwords

The properties.json file will likely contain passwords. As a best practice, use the rule of least privilege any time this file is managed.

Set the file system permissions to user-read.

chmod 0600 /opt/pronghorn/current/properties.json

Change to the following directory.

/opt/pronghorn/current/node_modules/@itential/pronghorn-core/utils

Use the IAP encrypt tool to encrypt sensitive passwords before saving them in the properties.json file.
```
$ node encrypt.js password
Encrypted Password: $ENC93eb9439537ae34196db49409dd0261a8b87218fafd0419
```
Note: The encrypt.js tool will respond with a string that starts with $ENC. Use this string when configuring passwords in the properties.json file.

Store the entire string below in the properties.json file without exposing the password.

"mongoProps": {
    "db": "pronghorn",
    "url": "mongodb://localhost:27017",
    "credentials": {
        "dbAuth": true,
        "user": "pronghorn",
        "passwd": "$ENC82ee8a234a69f15bdb8e05409cda2418878b2f85af"
    }
}

Configuration Properties

Configuration properties for IAP are summarized below.

Application

The application properties are captured by the applicationProps object.

Property Name	Type	Default	Description
`description`	String	Application	The description property.
`directory`	String	`/opt/pronghorn/current/node_modules`	This property provides the location of the `node_modules` directory. This property should generally remain unchanged and be set to the default.

Sample Application Properties

"applicationProps": {
  "description": "Application",
  "directory": "/opt/pronghorn/current/node_modules"
}

Path

The path properties provide the location of customer-installed IAP applications and adapters.

Property Name	Type	Default	Description
`description`	String	File Path Variables	The description property.
`encrypted`	Boolean	`true`	A boolean flag indicating IAP core is encrypted. This should be set to true for all customer installations.

Sample Path Properties

"pathProps": {
  "description": "File Path Variables",
  "sdk_dir": "/opt/pronghorn/pronghorn-applications",
  "encrypted": true
}

UI

The UI properties is captured by the uiProps object. These properties may be used to overwrite certain pages and icons as a part of customer branding.

Property Name	Type	Default	Description
`description`	String	UI	The description property.
`layout`	String	`node_modules/@itential/pronghorn-core/ui/views/layout.jade`	The jade file that governs the overall IAP layout page.
`home`	String	`node_modules/@itential/pronghorn-core/ui/views/home.jade`	The jade file that creates the user's individual home page.
`login`	String	`node_modules/@itential/pronghorn-core/ui/views/login.jade`	The jade file that creates the login page presented to unauthenticated users.
`profile`	String	`node_modules/@itential/pronghorn-core/ui/views/profile.jade`	The jade file that presents the user's profile.
`fav_icon`	String	`node_modules/@itential/pronghorn-core/ui/img/favicon.ico`	The path to a custom-branded icon displayed in the browser's tab and URL bars.

Sample UI Properties

"uiProps": {
  "description": "UI",
  "layout": "node_modules/@itential/pronghorn-core/ui/views/layout.jade",
  "home": "node_modules/@itential/pronghorn-core/ui/views/home.jade",
  "login": "node_modules/@itential/pronghorn-core/ui/views/login.jade",
  "profile": "node_modules/@itential/pronghorn-core/ui/views/profile.jade",
  "fav_icon": "node_modules/@itential/pronghorn-core/ui/img/favicon.ico"
}

Authentication

The authentication properties in authenticationProps allow for optional enforcement of a unique session per user requirement and the assignment of IAP administrator groups.

IAP authorization and authentication relies on an external authentication system; a property exists to specify which group within the external authentication adapter specifies the user with administrative access to IAP.

This property is set within the properties.json file and can contain multiple group names. Every user that is a member of the external group name within the list will be granted IAP administrator access.

Each entry in the administrator list must contain two fields.

Property	Description
`provenance`	The name of the AAA adapter.
`group`	The name of the group returned by the AAA adapter.

Property Name	Type	Default	Description
`description`	String	`audit`	The description property.
`uniqueSession`	Boolean	`false`	When set to true, only one session may be enabled for a given user. If a second session is established for the same user, the original session will be invalidated.
`admins`	Array	`["g1", "g2", ...]`	A list of groups which are authorized to perform user management activities. Members of these groups will be implicitly assigned the `pronghorn_admin` role.
`admins.provenance`	String	`<adapter_name>`	The name of the AAA adapter in which the groups reside.
`admins.group`	String	`pronghorn_admin`	The name of a user group which will have IAP user management capabilities.

Sample Authentication Properties

"authenticationProps": {
  "description": "audit",
  "uniqueSession": false,
  "admins": [{
    "provenance": "local_aaa",
    "group": "pronghorn_admin"
  }]
}

Note: Be sure to configure the AAA adapter in addition to the authenticationProps.

Audit

The audit properties control whether user auditing and broker validation features are enabled. If user auditing is enabled, user actions on the network are stored in the audit_trail MongoDB collection.

If broker validation is enabled, all calls coming into IAP will be validated against a set of JSON schemas to validate if requests are in the proper format.

Note: The broker validation feature is currently in beta mode. You should continue to run with brokerValidation disabled unless Itential Support specifically requests that this feature be enabled.

Property Name	Type	Default	Description
`description`	String	`Audit`	The description property.
`audit`	Boolean	`true`	A boolean flag indicating whether auditing is enabled. This should be set to true for production environments.
`brokerValidation`	Boolean	`true`	A boolean flag indicating whether broker validation is enabled.

Sample Audit Properties

"auditProps": {
  "description": "Audit",
  "audit": true,
  "brokerValidation": false
}

Express

IAP uses the Node.js Express web server to capture incoming requests. The Express properties allow an administrator to configure whether IAP will listen on HTTP and/or HTTPS. The properties also allow an administrator to configure HTTPS keys, certificates, TLS versions, and supported cipher suites.

The private key referenced by express_https.key property should contain one of the following patterns.

Unencrypted Private Key

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

The private key may also be encrypted.

Encrypted Private Key

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

Note: If the private key contains the following pattern, the express_https.passphrase should be configured with the passphrase of the private key.

The certificate file referenced by the express_https.cert property should be like the following.

Unencrypted Private Key

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

For more information on the set of cipher suites that are supported by Node.js, see Modifying the Default TLS Cipher Suite.

Property Name	Type	Default
`description`	String	`Express Server`
`cacheControl`	Boolean	`false`
`timeout`	Number	`300000`
`express_http.enable`	Boolean	`true`
`express_http.port`	Number	`3000`
`express_https.enable`	Boolean	`true`
`express_http.port`	Number	`3443`
`express_https.key`	String	`/etc/ssl/keys/pronghorn.key`
`express_https.passphrase`	String
`express_https.cert`	String	`/etc/ssl/keys/pronghorn.cert`
`express_https.secureProtocol`	String	`TLSv1_2_method`
`express_https.ciphers`	String	See Modifying the Default TLS Cipher Suite.
`express_https.client_reneg_limit`	Number	`1`
`express_https.client_reneg_window`	Number	`600`

Sample Express Properties

"expressProps": {
  "description": "Express Server",
  "cacheControl": false,
  "timeout": 300000,
  "express_http": {
    "enable": false,
    "port": 3000
  },
  "express_https": {
    "enable": true,
    "port": 3443,
    "key": "/etc/ssl/keys/pronghorn.key",
    "passphrase": "$ENC82ee8a234a69f15bdb8e05409cda2418878b2f85af",
    "cert": "/etc/ssl/keys/pronghorn.cert",
    "secureProtocol": "TLSv1_2_method",
    "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256",
    "client_reneg_limit": 1,
    "client_reneg_window": 600
  }
}

Logger

The logger properties control where IAP will store its log files, how much space to dedicate to log storage, and the verbosity levels of the log messages that will be stored. IAP supports the following log levels.

Log Level	Description
error	The most severe level. Indicates a problem, such as a prematurely terminated program.
warn	Used for warning conditions. Warn events may or may not indicate a problem.
info	Used for informational messages.
debug	Used only when debugging problems or transactions. Provides detailed information on messages between IAP adapters and external systems.
trace	Trace events have a higher verbosity than debug. Trace events are uncommon.
spam	The least severe level. Spam events have the highest verbosity and are rare.

Production environments should run at either warn or info level. Running production environments in debug or trace levels will likely generate a large amount of log data and place additional load on the server. A production server should only be configured in debug mode at the request of the Itential Support.

IAP provides native support for rotation of the pronghorn.log file. Administrators can define the total allocated storage for logs by configuring the maximum file size and maximum number of files. For example, if the maximum file size is 1 MB and the total number of files is 100, the total space consumed by pronghorn.log files will be 100 MB. Be sure the disk that holds the IAP logs contains enough space for IAP to exercise a full log rotation cycle (100 MB).

The log levels for each application and adapter are configurable at run-time using the IAP UI. When the server is restarted, the log levels for all applications and adapters is returned to the defaults provided by the log_level and console_level properties.

IAP allows for the verbosity of its console logging to be configured. For systemd based operating systems, this console logging is controlled by the system journal. The system journal may contain application life cycle error messages that are not capable of being written to the pronghorn.log file itself. The system journal should be reviewed for errors and warnings during any troubleshooting sessions. The system journal is also written to /var/log/messages on many systems. The storage required to store the system journal and /var/log/messages files should also be considered during the storage planning phases.

Use the following command to monitor the system journal.

journalctl -f

Use the pronghorn.service unit to tail the system journal and filter only IAP messages.

journalctl -f -u pronghorn.service

For more details about configuring the system journal daemon and using the journalctl command, see Using the Journal in the official Red Hat documentation.

Property Name	Type	Default	Description
`description`	String	`Logging`	The description property.
`log_directory`	String	`/var/log/pronghorn`	The directory to store IAP log files.
`log_filename`	String	`pronghorn.log`	The name of the current IAP log file.
`log_max_file_size`	Number	`1048576`	The maximum size of each IAP log file in bytes. Once the maximum file size is reached, the IAP log will be rotated.
`log_max_files`	Number	`100`	The maximum number of log files maintained on the server. Once the maximum number of files is reached, the oldest file will be deleted during log rotation.
`log_timezone_offset`	Number	`0`	The offset from GMT/UTC time that will be used when writing to the log files. Valid values are whole numbers ranging from -12-12 as is listed in List of UTC time offsets.
`log_level`	String	`info`	The verbosity level the server is configured to log messages to the IAP log. This can be one of the following: error, warn, info, debug, trace or spam. As a recommendation, run production servers at info level logging.
`console_level`	String	`warn`	The verbosity level the server is configured to log messages to the system journal or `/var/log/messages`. This can be one of the following: error, warn, info, debug, trace or spam. The verbosity of the IAP log and the system journal may be adjusted independently.

Sample Logger Properties

"loggerProps": {
  "description": "Logging",
  "log_directory": "/var/log/pronghorn",
  "log_filename": "pronghorn.log",
  "log_max_file_size": 1048576,
  "log_max_files": 10,
  "log_timezone_offset": -5,
  "log_level": "info",
  "console_level": "warn"
}

Syslog

The syslog properties allow IAP to send log messages to a local or remote syslog daemon.

Note: Please be aware of the maximum message length supported by the remote syslog receiver. IAP will send messages greater than 1024 bytes. Remote syslog receivers may truncate messages greater than a certain length.

See the following references for more details.

Property Name	Type	Default	Description
`level`	String	`info`	The minimum log level to send to the syslog server. Possible levels are: debug, info, warning, error.
`host`	String	`localhost`	The host running syslogd.
`port`	Number	`514`	The port on the host that syslog is running on. Must be a number in the range 1 - 65535.
`protocol`	String	`udp4`	The network protocol to log over. Can be one of `tcp4`, `udp4`, `unix` or `unix-connect`.
`path`	String	N/A	The path to the syslog dgram socket, e.g., `/dev/log` or `/var/run/syslog` on OS X). If `path` is used, `host`, `port` and `protocol` do not need to be configured.
`pid`	String	`process.pid`	Process identifier (PID) of the process that log messages are coming from.
`facility`	String	`local( )`	Syslog facility to use.
`localhost`	String	`localhost`	Host to indicate that log messages are coming from.
`type`	String	`BSD`	The type of syslog protocol to use. Possible values are `BSD` and `5424`.
`app_name`	String	`process.title`	The name of the application.
`eol`	String	N/A	The end of line character to be added to the end of the message.

Sample Syslog Properties

"loggerProps": {
  "syslog": {
    "level": "warning",
    "host": "localhost",
    "port": 514,
    "protocol": "udp4",
    "facility": "local0",
    "type": "5424"
  }
}

Alarm

The alarm properties allow the administrator to configure the remote SNMP trap destinations the health check alarms will be sent to. Currently, SNMP v1 and SNMP v2 are supported. A list of alarm receivers may be configured for a high-availability solution. IAP will attempt to deliver each alarm to all configured receivers.

As of the date of this publication, the following alarms are supported by IAP.

Alarm	Objects	Description
Pronghorn Running		IAP has successfully started and is currently operational.
Pronghorn System Error	System Error	Reserved for future use.
Adapter Unreachable	Adapter ID, Remote IP Address, Remote Port	An IAP adapter could not establish a connection with its external system.
Adapter Connected	Adapter ID, Remote IP Address, Remote Port	An IAP adapter successfully established a connection with its external system.
Adapter Function Error	Adapter ID, Adapter Function, Adapter Error	Reserved for future use.

The IAP SNMP MIB defining each of the supported alarms is located at /opt/pronghorn/current/snmp/pronghorn.mib.

For a comprehensive list of IAP SNMP MIB, see IAP SNMP MIB in the user guide.

Property Name	Type	Default	Description
`ip`	String	`127.0.0.1`	The IP address of the remote alarm receiver. FQDNs are also supported in this field.
`community`	String	`public`	The SNMP community to apply to the outgoing trap or inform.
`type`	String	`trap`	The type can be configured as either a trap or inform. Traps are delivered without acknowledgement, e.g., `fire-and-forget`. Informs are delivered with an expected acknowledgement.
`properties.transport`	String	`udp4`	The protocol to use to send alarms to this receiver. Valid options are `udp4` and `udp6`.
`properties.trapPort`	Number	`162`	The remote port of this alarm receiver. Must be a number in the range 1 - 65535.
`properties.version`	String	`V2:`	The SNMP version to use when delivering notifications to this alarm receiver. Valid options are `V1` and `V2`.
`properties.retries`	Number	`1`	The number of timeout cycles to wait for an acknowledgement when delivering inform type notifications.
`properties.timeout`	Number	`5000`	The number of seconds to wait for an acknowledgement when delivering inform type notifications.

Sample Alarm Properties

"alarmProps": [{
  "ip" : "127.0.0.1",
  "community" : "public",
  "type" : "trap",
  "properties" : {
    "transport" : "udp4",
    "trapPort" : 162,
    "version" : "V1"
  }
},{
  "ip" : "127.0.0.1",
  "community" : "public",
  "type" : "inform",
  "properties" : {
    "transport" : "udp4",
    "trapPort" : 162,
    "version" : "V2",
    "retries" : 1,
    "timeout" : 5000
  }
}]

Sample Alarm Configuration Option

"alarmProps": {
    "ip": "127.0.0.1",
    "community": "public",
    "properties": {
        "retries": 1,
        "timeout": 5000,
        "transport": "udp4",
        "trapPort": 1162,
        "version": "V1"
    },
    "type": "trap"
}

MongoDB

The MongoDB properties must be configured to connect to a single MongoDB server or a MongoDB replica set. Be sure to align your authentication and encryption settings with the configurations of the MongoDB you are connecting to.

Note: Itential currently supports the use of MongoDB 4.2.x on all released IAP versions. If you are using an earlier version it is recommended that you upgrade.

Property Name	Type	Default	Description
`db`	String	`pronghorn`	The name of the database to connect to.
`url`	String	`mongodb://localhost:27017`	The MongoDB URL to use when connecting to the database.
`credentials.dbAuth`	Boolean	`false`	A boolean flag indicating whether user authentication is enabled.
`credentials.dbAuthSource`	String	The user provided `db` property value.	Specify the database name associated with the user’s credentials. Corresponds to `authSource` in MongoDB connection options.
`credentials.user`	String		The username to use for connections when authentication is enabled.
`credentials.passwd`	String		The password to use for connections when authentication is enabled.
`ssl.enabled`	Boolean	`false`	A boolean flag indicating whether SSL is enabled.
`ssl.sslValidate`	Boolean	`false`	A boolean flag indicating whether the MongoDB server's certificate will be validated.
`ssl.sslCA`	String		Path to the certificate authority PEM (privacy enhanced mail) file that signed the MongoDB certificates.
`ssl.acceptInvalidCerts`	Boolean		A boolean flag indicating whether to validate the MongoDB certificate against the certificate authority PEM file.
`ssl.checkServerIdentity`	Boolean		A boolean flag indicating whether to validate the name of the server configured in the URL against the common name of the certificate the server presents.
`replSet.enabled`	Boolean	`false`	A boolean flag indicating whether we are connecting to a replica set. When connecting to a replica set, the names of the servers and the replica set name must be configured as part of the URL.

Minimal MongoDB Configuration

"mongoProps": {
  "db": "pronghorn",
  "url": "mongodb://localhost:27017"
}

Sample Production Configuration

"mongoProps": {
  "db": "pronghorn",
  "url": "mongodb://mongo01:27017,mongo02:27017,mongo03:27017?rs=rs1",
  "credentials": {
    "dbAuth": true,
    "user": "pronghorn",
    "passwd": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
  },
  "ssl": {
    "enabled": true,
    "sslValidate": true,
    "sslCA": "/etc/ssl/keys/mongo_ca_chain.cert",
    "acceptInvalidCerts": false,
    "checkServerIdentity": true
  },
  "replSet": {
    "enabled": true
  }
}

Redis Properties

The redisProps should be configured to point your IAP instance to a local Redis service.

Property Name	Type	Default	Description
`host`	String	`127.0.0.1`	The IP or hostname of the server running the Redis service.
`port`	Number	`6379`	The port Redis is running on. Must be a number in the range 1 - 65535.
`db`	Number	`0`	The optional Redis database number to connect to (may be any of 0-15).
`password`	String		The optional passphrase protecting access to the Redis database.

Sample Redis Properties

"redisProps": {
  "host": "127.0.0.1",
  "port": 6379,
  "db": 0,
  "password": "$ENC87eb897b507afc1796db49409dd1251c87872e85afd2469e"
}

Redis Adapter Properties

In a shared Redis setup, configuration points to a master/slave group of Redis servers that share token data between IAP cogs. For shared sessions, the Redis adapter should be configured to connect to a set of Redis instances monitored by sentinels.

Property Name	Type	Default	Description
`name`	String	`pronghorn-tokens`	The name of the Redis sentinel group.
`password`	String		The password for the Redis sentinels the adapter is connecting to. When using Redis sentinels the passwords for all the Redis servers must be configured to the same value.
`sentinels`	Array		The list of sentinels to connect to.
`sentinels[x].host`	String		The IP or FQDN of the Redis server.
`sentinels[x].port`	Number	`26379`	The port number of the Redis sentinel. Must be a number in the range 1 - 65535.

Sample Redundant Configuration

{
  "id": "redis",
  "type": "Redis",
  "properties": {
    "name": "pronghorn-tokens",
    "password": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
    "sentinels": [{
      "host": "redis1",
      "port": 26379
    },{
      "host": "redis2",
      "port": 26379
    },{
      "host": "redis3",
      "port": 26379
    }]
  },
  "brokers": [ "persistence" ]
}

Task Worker

These properties affect how often and if tasks are worked. Use these properties to modify the default setup.

Property Name	Type	Default	Description
`tick`	Number	`1500`	How many milliseconds task worker checks for new tasks to work.
`activate`	Boolean	`true`	Task Worker is enabled and determines if tasks should be worked. If false, Task Worker is not enabled and does not check for new tasks.

Sample Task Worker Properties

"taskWorkerProps": {
  "tick": 100,
  "activate": true,
},

Core Adapters

Configuration for the Core adapters in IAP are detailed below.

Adapter Properties

The adapter properties section of the properties.json file will vary depending on the set of adapters that are installed. Each adapter will have a unique id, a type, and a set of type-specific properties.

Property Name	Description
`adapters`	An array of adapter objects.
`adapters[x].id`	A unique identifier for the adapter.
`adapters[x].type`	The type of adapter. This should come from the adapter package. Ensure the adapter package is installed.
`adapters[x].properties`	A set of type-specific properties to configure for each adapter. Refer to the adapter configuration for an example configuration of each module.
`adapters[x].brokers`	The broker(s) to register the adapter with.

Sample Adapter Properties

"adapterProps": {
  "adapters": [
    {
      "id": "adapter-id",
      "type": "adapter-type",
      "properties": {
        ...
      },
      "brokers": [ "brokername" ]
    }
  ]
}

MongoDB Adapter

The MongoDB adapter properties must be configured to connect to either a single MongoDB server or a MongoDB replica set. Be sure to align your authentication and encryption settings with the configurations of the MongoDB. Also, be sure to align the MongoDB adapter properties with the MongoDB properties sections of your IAP configuration file.

Note: Itential currently supports the use of MongoDB 4.2.x on all released IAP versions. If you are using an earlier version it is recommended that you upgrade.

Property Name	Type	Default	Description
`db`	String	`pronghorn`	The name of the database to connect to.
`url`	String	`mongodb://localhost:27017`	The MongoDB URL to use when connecting to the database.
`credentials.dbAuth`	Boolean	`false`	A boolean flag indicating whether user authentication is enabled.
`credentials.user`	String		The username to use for connections when authentication is enabled.
`credentials.passwd`	String		The password to use for connections when authentication is enabled.
`ssl.enabled`	Boolean	`false`	A boolean flag indicating whether SSL is enabled.
`ssl.sslValidate`	Boolean	`false`	A boolean flag indicating whether the MongoDB server's certificate will be validated.
`ssl.sslCA`	String		Path to the certificate authority PEM file that signed the MongoDB certificates.
`ssl.acceptInvalidCerts`	Boolean		A boolean flag indicating whether to validate the MongoDB certificate against the certificate authority PEM file.
`ssl.checkServerIdentity`	Boolean		A boolean flag indicating whether to validate the name of the server configured in the URL against the common name of the certificate the server presents.
`replSet.enabled`	Boolean	`false`	A boolean flag indicating whether we are connecting to a replica set. When connecting to a replica set, the names of the servers and the replica set name must be configured as part of the URL.

Note: Configure the MongoDB adapter to be a member of the persistence broker.

Minimal MongoDB Adapter Configuration

{
  "id": "mongo",
  "type": "MongoDriver",
  "properties": {
    "db": "pronghorn",
    "url": "mongodb://localhost:27017"
  },
  "brokers": [ "persistence" ]
}

Sample Production Configuration

{
  "id": "mongo",
  "type": "MongoDriver",
  "properties": {
    "db": "pronghorn",
    "url": "mongodb://mongo01:27017,mongo02:27017,mongo03:27017?replicaSet=rs1",
    "credentials": {
      "dbAuth": true,
      "user": "pronghorn",
      "passwd": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
    },
    "ssl": {
      "enabled": true,
      "sslValidate": true,
      "sslCA": "/etc/ssl/keys/mongo_ca_chain.cert",
      "acceptInvalidCerts": false,
      "checkServerIdentity": true
    },
    "replSet": {
      "enabled": true
    }
  },
  "brokers": [ "persistence" ]
}

Redis Adapter

The Redis adapter should be configured to connect to a Redis server running on the same node as IAP. The properties for the Redis adapter are described by the Redis client node module.

A full reference can be found on GitHub at ioredis.

Property Name	Type	Default	Description
`host`	String	`127.0.0.1`	The address/hostname of the Redis server.
`port`	Number	`6379`	The port that Redis is using. Must be a number in the range 1 - 65535.
`db`	String	`0`	The number of the Redis database to connect to.
`password`	String		The password for the Redis database you are connecting to.

The default configuration assumes Redis is running on localhost and listening on port 6379. Configure the Redis adapter to be a member of the persistence broker.

Minimal Redis Adapter Configuration

{
  "id": "redis",
  "type": "Redis",
  "properties": {
  },
  "brokers": [ "persistence" ]
}

Sample Production Configuration

{
  "id": "redis",
  "type": "Redis",
  "properties": {
    "host": "127.0.0.1",
    "port": 6379,
    "password": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
  },
  "brokers": [ "persistence" ]
}

Redis Sentinels

The Redis adapter may also be configured to connect to a set of Redis sentinels.

Property Name	Type	Default	Description
`name`	String	`pronghorn-tokens`	The name of the Redis sentinel group.
`password`	String		The password for the Redis sentinels we are connecting to. When using Redis sentinels the passwords for all the Redis servers must be configured to the same value.
`sentinels`	Array		The list of sentinels to connect to.
`sentinels[x].host`	String		The IP or FQDN of the Redis server.
`sentinels[x].port`	Number	`26379`	The port number of the Redis sentinel. Must be a number in the range 1 - 65535.

Sample Redundant Configuration

{
  "id": "redis",
  "type": "Redis",
  "properties": {
    "name": "pronghorn-tokens",
    "password": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
    "sentinels": [{
      "host": "redis1",
      "port": 26379
    },{
      "host": "redis2",
      "port": 26379
    },{
      "host": "redis3",
      "port": 26379
    }]
  },
  "brokers": [ "persistence" ]
}

Email Adapter

The email adapter can be used to deliver email notifications to end users. Currently, notifications are triggered based on job completion or from custom tasks within a workflow.

Property Name	Type	Default	Description
`host`	String	`127.0.0.1`	Hostname or IP address to connect to.
`port`	Number	`587`	The port to connect to (defaults to 587 if `secure` is false, or 465 if `secure` is true). Must be a number in the range 1 - 65535.
`auth.user`	String		The default username to send from.
`auth.pass`	String		The password for the default username.
`authMethod`	String	`PLAIN`	Defines preferred authentication method.
`secure`	Boolean	`false`	Use TLS.
`ignoreTLS`	Boolean		If this is true and `secure` is false then TLS is not used even if the server supports STARTTLS extension.
`requireTLS`	Boolean		If this is true and `secure` is false then the adapter tries to use STARTTLS even if the server does not advertise support for it. If the connection cannot be encrypted then message is not sent.
`tls.isServer`	Boolean		The SSL/TLS protocol is asymmetrical; TLSSockets must know if they are to behave as a server or a client. If true the TLS socket will be instantiated as a server.
`tls.requestCert`	Boolean		If true the server will request a certificate from clients that connect and attempt to verify that certificate.
`tls.rejectUnauthorized`	Boolean		If not false the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if `tls.requestCert` is true.
`tls.requestOCSP`	Boolean		If true specifies that the OCSP status request extension will be added to the client hello and an OCSPResponse event will be emitted on the socket before establishing a secure communication.
`name`	String		Optional hostname of the client used for identifying to the server; defaults to hostname of the machine.
`localAddress`	String		The local interface to bind to for network connections.
`connectionTimeout`	Number		How many milliseconds to wait for the connection to establish.
`greetingTimeout`	Number		How many milliseconds to wait for the greeting after connection is established.
`socketTimeout`	Number		How many milliseconds of inactivity to allow.

Note: Configure the email adapter to be a member of the notification broker.

Sample Minimal Configuration

{
  "id": "email",
  "type": "Email",
  "properties": {
    "host": "127.0.0.1",
    "port": 25,
    "secure": false
  },
  "brokers": [ "notification" ]
}

Sample Production Configuration

{
  "id": "email",
  "type": "Email",
  "properties": {
    "host": "mail.example.com",
    "port": 587,
    "secure": true,
    "authMethod": "PLAIN",
    "auth": {
      "user": "pronghorn",
      "pass": "$ENC93f88824437dfe5784c7570f99d7251f878a2284aed6449259"
    }
  },
  "brokers": [ "notification" ]
}

Authentication Adapters

The authentication adapters required for IAP enablement are discussed below.

LDAP Adapter

LDAP adapter is configured to establish connection with Active Directory and OpenLDAP servers.

For an LDAP based system it becomes important to understand which groups a user belongs to when working on the user information. Especially in systems that implement RBAC, understanding the groups for a user is necessary for the authorization process. Fortunately, LDAP has the support for reverse membership mapping if the user and group objects use certain object classes. By default an OpenLDAP system uses the memberOf overlay; however, this default is overridden by the userMembershipAttribute property.

Note: Configure the LDAP adapter to be a member of the AAA broker. Only one AAA adapter may be configured at a time.

Property Name	Type	Default	Description
`domain`	String	`example.itential.io uid={0},ou=people,o=support,dc=itential,dc=io`	The name of the LDAP domain. This is not necessarily the same as the DNS name of the server.
`url`	String	`ldaps://localhost:636`	URL of the LDAP server. For SSL, use LDAPS Default port is 636. For unencrypted connections (not recommended), use LDAP. Default port is 389.
`bindUsername`	String	`itential@domain cn=itential,ou=services,o=support,dc=itential,dc=io`	The username of the bind account. This administrative account is used to view all groups/users that IAP needs to know about. Utilize `<user@domain>` for Active Directory and `cn=user,dc=example,dc=com` for OpenLDAP.
`bindPassword`	String		If `$ENC` precedes the password, IAP will use it as an encrypted password. Otherwise, the password is stored in plain text.
`baseDN`	String	`dc=itential,dc=io`	The base DN from which the LDAP adapter will search for users and groups. If both `baseUserDN` and `baseGroupDN` are specified, this parameter will have no effect.
`baseUserDN`	String	`ou=people,o=support,dc=itential,dc=io`	The base DN from which the LDAP adapter will search for users. If not provided, `baseDN` is used. This property was introduced in adapter-ldap version 2.11.0.
`baseGroupDN`	String	`ou=groups,o=support,dc=itential,dc=io`	The base DN from which the LDAP adapter will search for groups. If not provided, `baseDN` is used. This property was introduced in adapter-ldap version 2.11.0.
`groupSearchFilter`	String	`(objectClass=groupOfNames)`	Filter for the group search. This property uses the official LDAP Search Filter Syntax.
`userSearchFilter`	String	`sAMAccountName uid`	Filter for the user search. This defines the common name (or other object) that defines users in the LDAP server. For example, most Active Directory implementations use `sAMAccountName` to define users. Utilize `uid` for OpenLDAP.
`userMembershipAttribute`	String	`memberOf`	This field should contain the name of the LDAP attribute on the user object that indicates which group(s) the user is a member of.
`healthCheckInterval`	Number	`5000`	Set interval to ping the LDAP server to ensure connectivity. Measured in milliseconds.
`timeout`	Number	`5000`	Set the default timeout for authentication attempts. Measured in milliseconds.
`connectTimeout`	Number	`5000`	Set the default connection timeout for authentication attempts. Measured in milliseconds.
`idleTimeout`	Number	`5000`	Set the default idle timeout. Measured in milliseconds.
`timeLimit`	Number	`10`	The maximum amount of time the server should take in responding, in seconds. Defaults to 10 seconds. Set to higher values to handle nested group searches. Many servers will ignore this.
`reconnect`	Boolean	`true`	Determine whether or not to attempt a reconnect.
`activeDirectory`	Boolean	`false`	Sets the type of directory service. If true, Active Directory authentication is used. If false, LDAP authentication is used.
`tlsOptions.secureProtocol`	String	`TLSv1_method`	Determine the protocol method to use. The possible values are listed as SSL_METHODS. Use the function names as strings.
`tlsOptions.requestCert`	Boolean	`true`	If true the server will request a certificate from clients that will connect and attempt to verify that certificate.
`tlsOptions.rejectUnauthorized`	Boolean	`true`	If true the server will reject any connection which is not authorized with the list of supplied CAs.
`tlsOptions.ca`	String	`/etc/ssl/keys/openldap_ca.pem`	Path to ca key (in PEM format).
`customGroups`	Array of Strings	`[]`	A list of predefined groups to search for a user and to list user groups. This property should only be used with Active Directory servers; it is not yet compatible with most OpenLDAP schemas.
`OAuthOptions.enabled`	Boolean	`false`	If true the server will obtain an openid-connect token.
`OAuthOptions.host`	String	`auth.example.com`	The hostname of the oauth server.
`OAuthOptions.port`	Number	`443`	The port number of the oauth server.
`OAuthOptions.token_path`	String
`OAuthOptions.client_id`	String	n/a	The client_id associated with the itential server.
`OAuthOptions.client_secret`	String	n/a	The client_secret associated with the itential server.
`OAuthOptions.redirect_url`	String	https://itential.example.com:3443/login	The login url of the itential server.
`OAuthOptions.resource`	String	n/a	An optional resource defined in the oauth server.

Note: OAuthOptions were first introduced in the 2019.1.2 maintenance release.

Active Directory Configuration

Use the following example for Active Directory configuration.

Sample Active Directory Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "example.itential.io",
        "url": "ldaps://example.itential.io:636",
        "bindUsername": "itential",
        "bindPassword": "itential-ldap-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectCategory=Group)",
        "userSearchFilter": "sAMAccountName",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": true,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/activedirectory_ca.pem"
        },
        "customGroups" : [
         "Group1",
         "Group2"
        ]
    },
    "brokers": [ "aaa" ]
}

OpenLDAP Configuration

Use the following example for OpenLDAP configuration. The hostname in the URL must match the common name of the LDAP server certificate.

Sample OpenLDAP Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "properties": {
        "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
        "url": "ldaps://example.pronghorn.io:636",
        "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
        "bindPassword": "itential-user-password",
        "baseDN": "dc=itential,dc=io",
        "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
        "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
        "groupSearchFilter": "(objectClass=groupOfNames)",
        "userSearchFilter": "uid",
        "userMembershipAttribute": "memberOf",
        "healthCheckInterval": 5000,
        "timeout": 5000,
        "connectTimeout": 5000,
        "idleTimeout": 5000,
        "timeLimit": 10,
        "reconnect": true,
        "activeDirectory": false,
        "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": true,
            "ca": "/etc/ssl/keys/openldap_ca.pem"
        }
    },
    "brokers": [ "aaa" ]
}

LDAP/OAuth Configuration

Use the following example for hybrid LDAP/OAuth configuration. The hostname in the URL must match the common name of the LDAP server certificate.

Note: OAuthOptions were first introduced in the 2019.1.2 maintenance release.

Sample LDAP/OAuth Configuration

{
    "id": "ldap",
    "type": "LDAP",
    "domain": "uid={0},ou=people,o=support,dc=itential,dc=io",
    "url": "ldaps://example.pronghorn.io:636",
    "bindUsername": "cn=itential,ou=services,o=support,dc=itential,dc=io",
    "bindPassword": "itential-user-password",
    "baseDN": "dc=itential,dc=io",
    "baseGroupDN": "ou=groups,o=support,dc=itential,dc=io",
    "baseUserDN": "ou=people,o=support,dc=itential,dc=io",
    "groupSearchFilter": "(objectClass=groupOfNames)",
    "userSearchFilter": "uid",
    "userMembershipAttribute": "memberOf",
    "healthCheckInterval": 5000,
    "timeout": 5000,
    "connectTimeout": 5000,
    "idleTimeout": 5000,
    "timeLimit": 10,
    "reconnect": true,
    "activeDirectory": false,
    "tlsOptions": {
        "secureProtocol": "TLSv1_method",
        "requestCert": true,
        "rejectUnauthorized": true,
        "ca": "/etc/ssl/keys/openldap_ca.pem"
    },
    "OAuthOptions": {
        "enabled": true,
        "host": "auth.example.com",
        "port": 443,
        "token_path": "/auth/realms/support.itential.io/protocol/openid-connect/token",
        "client_id": "itential",
        "client_secret": "...",
        "redirect_url": "https://itential.support.itential.io:8443/login",
        "resource": "Default Resource"
    }
    },
    "brokers": [ "aaa" ],
    "groups": []
}

Radius Adapter

There are several key points to know:

Supports simple Access-Request → Access-Accept/Reject transactions.
Supports Access-Request → Access-Challenge → Access Accept/Reject transactions.
The challenge mechanism needs to be configured by the Radius Server Administrator.
The groups.json includes the groups that will be created in the database; these groups are used during the Radius Authentication process.
All the groups configured in groups.json will be validated against the groups returned from the Access-Accept response of the RADIUS server.
The group is captured by looking inside the Attribute Value Pairs -> Vendor Specific(26) of the response.

Access Challenge:

During an Access-Challenge scenario the user will be prompted to resubmit the credentials.
The prompt will be generated, leveraging the Attribute Value Pairs -> Reply Message of the Access-Challenge Request.

Note: The Radius Adapter was first introduced in the 2019.1.2 maintenance release.

Sample Radius Configuration

{
    "id" : "radius",
    "type" : "RADIUS",
    "properties" : {
        "host" : "10.0.0.1",
        "port" : 1812,
        "secret" : "****"
    },
    "brokers": [aaa],
    "groups": []
}

Sample groups.json

{
  "groups": [
    {
      "name": "radius_user",
      "group": "radius_user"
    }
  ]
}

Local AAA Adapter

The Local AAA adapter may be used in lab and development environments to locally authenticate users against a MongoDB collection inside the local AAA database.

Configure the LDAP adapter to be a member of the AAA broker. Only one AAA adapter may be configured at a time.

The Local AAA adapter no longer uses the persistence broker and you can point local AAA to any MongoDB database you choose. You must add the database configuration property, as shown in the example below.

Sample Local AAA Configuration

{
  "id": "Local AAA",
  "type": "local_aaa",
  "properties": {
    "database": {
      "db": "LocalAAA",
      "url": "mongodb://127.0.0.1:27017",
      "credentials": {
        "dbAuth": false
      }
    }
  },
  "brokers": [ "aaa" ]
}

Note: If you are using dbAuth, then make sure that the username which Local AAA adapter is using is created inside the same database you set in db property.

Add Users and Groups

To add more users for testing and development, you can create and import a new user JSON document.

Encrypt the user password using bcrypt-cli to create a hash.

$ bcrypt-cli password 10
$2a$10$5KXKzv9Ech1w2nOSSPWCMuaqOS6aFCpKZV6IzfaYRRgN/xkwXYso2

Be sure to create group documents for each group referenced by the accounts. After each group is created, configure the group from the Authorization menu by logging in as the IAP administrator.

Sample User Account Document (Local AAA User)

$ mongo db01/pronghorn --ssl -u pronghorn -p
MongoDB shell version v3.6.6
Enter password:
connecting to: mongodb://db01:27017/ph6
MongoDB server version: 3.6.6
$ use LocalAAA
switched to db LocalAAA
$ db.accounts.find();
{
    "_id": ObjectId("5b6f9fc3fe38e3bd73795d4d"),
    "username" : "admin@pronghorn",
    "activeTenant" : "*",
    "firstname" : "admin",
    "groups" : [ "pronghorn_admin" ],
    "password" : "$2a$10$5KXKzv9Ech1w2nOSSPWCMuaqOS6aFCpKZV6IzfaYRRgN/xkwXYso2",
    "tenants": []
}

Sample Group Document (Local AAA Group)

$ mongo db01/pronghorn --ssl -u pronghorn -p
MongoDB shell version v3.6.6
Enter password:
connecting to: mongodb://db01:27017/ph6
MongoDB server version: 3.6.6
$ use LocalAAA
switched to db LocalAAA
$ db.groups.find();
{
    "_id": ObjectId("5b6f9fc3fe38e3bd73795d56"),
    "name": "pronghorn_users",
    "group": "pronghorn_admin"
}

Database Indexes

IAP requires indexes to be created in the MongoDB collections for optimal performance. The following applications contain database index scripts that must be applied.

app-device_management
app-firewall
app-form_builder
app-golden_config
app-mop
app-service_catalog
app-workflow_engine

This section will describe the required indexes for all the applications in the IAP portfolio. If an app is not installed on your system, no indexes are required; just skip the instructions to load the indexes for that application and continue with the next application in the list.

Most of the index scripts are delivered as MongoDB scripts and should be run using the mongo command line. If you have the mongo client installed on the IAP server, you can run these commands on the IAP server. If you do not have the mongo client installed on the IAP server, copy the scripts to the MongoDB server and create the indexes from there.

Note: Itential currently supports the use of MongoDB 4.2.x on all released IAP versions. If you are using an earlier version it is recommended that you upgrade.

The first five index scripts will run using the mongo command line.

/opt/itential/current/node_modules/@itential/app-device_management/database/scripts/create_indexes.js
/opt/itential/current/node_modules/@itential/app-firewall/database/scripts/create_indexes.js
/opt/itential/current/node_modules/@itential/app-form_builder/database/scripts/create_indexes.js
/opt/itential/current/node_modules/@itential/app-golden_config/database/scripts/create_indexes.js
/opt/itential/current/node_modules/@itential/app-mop/database/scripts/create_indexes.js
/opt/itential/current/node_modules/@itential/app-service_catalog/database/scripts/create_indexes.js

If your IAP is configured to connect to a MongoDB database other than pronghorn, you will need to edit the following line in each of these scripts. Replace the pronghorn string with the name of the database IAP is connecting to.

Change Database Name

const pDB = db.getSiblingDB('pronghorn');

The final set of scripts for the workflow engine will be applied using the npm run index command.

/opt/itential/current/node_modules/@itential/app-workflow_engine/database/scripts/ensureJobIndexes.js
/opt/itential/current/node_modules/@itential/app-workflow_engine/database/scripts/ensureTaskIndexes.js
/opt/itential/current/node_modules/@itential/app-workflow_engine/database/scripts/ensureWorkflowIndexes.js

The Workflow Engine scripts are built on top of Node.js and read the database connection parameters from IAP's properties.json file. This script must to be run from the IAP server itself.

Device Manager

Create the Device Manager indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-device_management/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 2,
    "numIndexesAfter" : 3,
    "ok" : 1
}

Firewall

Create the Firewall indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-firewall/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 2,
    "numIndexesAfter" : 3,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 3,
    "numIndexesAfter" : 4,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 4,
    "numIndexesAfter" : 5,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 5,
    "numIndexesAfter" : 6,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 6,
    "numIndexesAfter" : 7,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 7,
    "numIndexesAfter" : 8,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 8,
    "numIndexesAfter" : 9,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 9,
    "numIndexesAfter" : 10,
    "ok" : 1
}

Form Builder

Create the Form Builder indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-form_builder/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}

Golden Config

Create the Golden Config indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-golden_config/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}

MOP

Create the MOP indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-mop/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}

Service Catalog

Create the Service Catalog indexes using the following command as a reference. You will need to replace the mongo command-line options with values that will let you authenticate against your MongoDB database. If your database is named something other than pronghorn, remember to edit the script to change the database name before the script is executed.

Example

$ cd /opt/itential/current/node_modules/@itential/app-service_catalog/database/scripts
$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn create_indexes.js
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 2,
    "numIndexesAfter" : 3,
    "ok" : 1
}

Workflow Engine

The final set of indexes for the Workflow Engine application may be applied using the following npm script.

Example

$ cd /opt/itential/current/node_modules/@itential/app-workflow_engine
$ npm run index

> @itential/app-workflow_engine@4.16.6 index /opt/itential/current/node_modules/@itential/app-workflow_engine
>  node database/scripts/ensureWorkflowIndexes.js; node database/scripts/ensureJobIndexes.js; node database/scripts/ensureTaskIndexes.js

Retrieving properties.json file...
Found properties!

Converting Mongo Properties (mongoProps) to Node Mongo Driver schema...
Properties converted!

Connecting to Database...
Db.prototype.authenticate method will no longer be available in the next major release 3.x as MongoDB 3.6 will only allow auth against users in the admin db and will no longer allow multiple credentials on a socket. Please authenticate using MongoClient.connect with auth credentials.
Connection established!

Retrieving indexes from collection workflows...
Indexes retrieved!

Verifying Indexes...
Indexes verified!

Creating Indexes...
Indexes created...

Index reconciliation complete!

Retrieving properties.json file...
Found properties!

Converting Mongo Properties (mongoProps) to Node Mongo Driver schema...
Properties converted!

Connecting to Database...
Db.prototype.authenticate method will no longer be available in the next major release 3.x as MongoDB 3.6 will only allow auth against users in the admin db and will no longer allow multiple credentials on a socket. Please authenticate using MongoClient.connect with auth credentials.
Connection established!

Retrieving indexes from collection jobs...
Indexes retrieved!

Verifying Indexes...
Indexes verified!

Creating Indexes...
Indexes created...

 Index reconciliation complete!

Retrieving properties.json file...
Found properties!

Converting Mongo Properties (mongoProps) to Node Mongo Driver schema...
Properties converted!

Connecting to Database...
Db.prototype.authenticate method will no longer be available in the next major release 3.x as MongoDB 3.6 will only allow auth against users in the admin db and will no longer allow multiple credentials on a socket. Please authenticate using MongoClient.connect with auth credentials.
Connection established!

Retrieving indexes from collection tasks...
Indexes retrieved!

Verifying Indexes...
Indexes verified!

Creating Indexes...
Indexes created...

 Index reconciliation complete!

Verify Workflow Engine Indexes

After the Workflow Engine scripts have completed, run the following commands on MongoDB to verify the indexes have been created.

Commands

db.jobs.getIndexes()
db.tasks.getIndexes()
db.workflows.getIndexes()

Example

$ mongo mongo01.zone1.itential.io:27017/pronghorn --ssl -u pronghorn
MongoDB shell version v3.4.18
Enter password:
connecting to: mongodb://mongo01.zone1.itential.io:27017/pronghorn
MongoDB server version: 3.4.18
rs0:PRIMARY> db.jobs.getIndexes()

[{
    "v": 2,
    "key": {
      "_id": 1
    },
    "name": "_id_",
    "ns": "pronghorn.jobs"
  },
  {
    "v": 2,
    "key": {
      "name": 1,
      "type": 1,
      "groups": 1,
      "status": 1,
      "metrics.start_time": -1,
      "metrics.progress": 1,
      "metrics.user": 1
    },
    "name": "name_1_type_1_groups_1_status_1_metrics.start_time_-1_metrics.progress_1_metrics.user_1",
    "ns": "pronghorn.jobs",
    "background": true
  },
  {
    "v": 2,
    "key": {
      "name": 1,
      "type": 1,
      "watchers": 1,
      "status": 1,
      "metrics.start_time": -1,
      "metrics.progress": 1,
      "metrics.user": 1
    },
    "name": "name_1_type_1_watchers_1_status_1_metrics.start_time_-1_metrics.progress_1_metrics.user_1",
    "ns": "pronghorn.jobs",
    "background": true
  }
]

rs0: PRIMARY > db.tasks.getIndexes()[{
  "v": 2,
  "key": {
    "_id": 1
  },
  "name": "_id_",
  "ns": "pronghorn.tasks"
}, {
  "v": 2,
  "key": {
    "name": 1,
    "status": 1,
    "groups": 1,
    "type": 1,
    "job.name": 1,
    "job._id": 1,
    "job.task": 1,
    "metrics.owner": 1,
    "metrics.start_time": -1
  },
  "name": "name_1_status_1_groups_1_type_1_job.name_1_job._id_1_job.task_1_metrics.owner_1_metrics.start_time_-1",
  "ns": "pronghorn.tasks",
  "background": true
  },
  {
  "key": {
    "status": 1,
    "locked": 1
  },
  "background": true,
}, {
  "key": {
    "job._id": 1,
    "job.task": 1
  },
  "background": true
}]

rs0: PRIMARY > db.workflows.getIndexes()[{
  "v": 2,
  "key": {
    "_id": 1
  },
  "name": "_id_",
  "ns": "pronghorn.workflows"
}, {
  "v": 2,
  "unique": true,
  "key": {
    "name": 1,
    "type": 1
  },
  "name": "name_1_type_1",
  "ns": "pronghorn.workflows",
  "background": true
}, {
  "v": 2,
  "key": {
    "groups": 1,
    "created": -1,
    "created_by": 1,
    "last_updated": -1,
    "last_updated_by": 1
  },
  "name": "groups_1_created_-1_created_by_1_last_updated_-1_last_updated_by_1",
  "ns": "pronghorn.workflows",
  "background": true
}]

Itential Automation Platform

Help us improve by sending feedback...

On this page:

Configuration

Configuration File

Encrypting Passwords

Configuration Properties

Application

Path

UI

Authentication

Audit

Express

Logger

Syslog

Alarm

MongoDB

Redis Properties

Redis Adapter Properties

Task Worker

Core Adapters

Adapter Properties

MongoDB Adapter

Redis Adapter

Redis Sentinels

Email Adapter

Authentication Adapters

LDAP Adapter

Active Directory Configuration

OpenLDAP Configuration

LDAP/OAuth Configuration

Radius Adapter

Local AAA Adapter

Add Users and Groups

Database Indexes

Device Manager

Firewall

Form Builder

Golden Config

MOP

Service Catalog

Workflow Engine

Verify Workflow Engine Indexes