8 Replies Latest reply on Aug 22, 2011 10:00 PM by jdennis

    Orion SDK & Java

    mschenck

      Started to play around with the SDK under Java, and so far it works pretty fine. Packaged the Orion SDK in a utility project, created a few wrapper classes, externalized the SWIS parameters (user, password, host, etc.) into an encrypted properties file, ran a few unit tests, so far so good!

      Few remarks/questions though:

      1. A self-signed certificate for a WS is not an option in a SOA corporate environment. What's the proper way of updating the SWIS certificate (I should mention I know nothing about .NET...)? Is updating the SolarWinds.InformationService.Service.exe.config file to point to another certificate in the TrustStore enough? And if so, do you plan on making this modular/configurable? Changing the config file is subject to possible loss of the changes every time an upgrade or fix is applied...

      2. Any plans to release a CRUD interface to Java soon? Ultimately what I am really looking for is the ability to publish a WS allowing to create an NPM or IPAM Node/Group. That would really distinguish Orion from competitors by allowing deeper integration in corporate environments.

      3. JDK compliance. It is mentioned that JDK6 is required. However I can see this has been compiled with JAX-RS 2.1, which is available in most app server containers running JDK 1.5. Actually I deployed it to JBoss 5.1 with JDK 1.5 and so far everything works fine. Have you identified some problems with 1.5 yet?

      This is all really promising, cannot wait for the possibility for CRUD operations through Java / SOA !

      Thanks and Regards

        • Re: Orion SDK & Java
          tdanner

          Thanks for trying it out! Let me address your questions in separate replies.

          First, it is possible to use SWIS over HTTPS with a proper certificate authority-issued certificate, but you are correct that upgrades will mess up your configuration and require a redo. I will raise this issue with the product manager so he can prioritize improvements here. If anyone else reading this thread is interested in using a non-self-signed certificate with SWIS, please chime in so we can gauge interest.

          Step 1: Stop the SolarWinds Information Service

          Use the Orion Service Manager tool or Windows Service Manager to stop SolarWinds Information Service, or use the following command in the Windows cmd.exe tool:

          sc stop SWInfoServiceSvc

          Step 2: Generate or obtain the certificate Orion will use to communicate with clients over HTTPS

          The Orion Configuration Wizard will create a self-signed certificate with the common name CN=SolarWinds-Orion. This certificate is used for a number of functions internal to Orion. If your Orion deployment includes one or more Additional Websites or Additional Pollers, this certificate will be replicated to those servers automatically.

          The CN=SolarWinds-Orion certificate is also used for the SWIS over HTTPS endpoint. This is independent of its use for Orion-internal functionality, so you can swap it out without affecting the rest of Orion. If you have an internal certificate authority, you can obtain an X.509 certificate for server authentication and install it in the Local_Machine\My certificate store.

          Step 3: Update the reference in SolarWinds.InformationService.Service.exe.config

          Edit SolarWinds.InformationService.Service.exe.config. This file will be in C:\Program Files (x86)\SolarWinds\Orion\Information Service\2.0 if you have installed Orion to the default directory. Replace the findValue attribute at /configuration/system.serviceModel/service[@name='SolarWinds.InformationService.Core.InformationService']/endpoint[@address='OrionBasic'] with the name of your new certificate.

          This file will be replaced if you repair or upgrade Orion.

          Step 4: Get certificate thumbprint (to be used in step 5)

          Follow the instructions provided below to get the thumbprint of the certificate that was chosen in the previous step. The source of these steps is http://msdn.microsoft.com/en-us/library/ms734695.aspx.

          To retrieve a certificate’s thumbprint

          1. Open a Command Prompt window.
          2. Type mmc and press the ENTER key. Note that to view certificates in the local machine store, you must be in the Administrator role.
          3. On the File menu, click Add/Remove Snap In.
          4. Click Add.
          5. In the Add Standalone Snap-in dialog box, select Certificates.
          6. Click Add.
          7. In the Certificates snap-in dialog box, select Computer account and click Next.
          8. In the Select Computer dialog box, click Finish.
          9. In the Add Standalone Snap-in dialog box, click Close.
          10. On the Add/Remove Snap-in dialog box, click OK.
          11. In the Console Root window, click Certificates (Local Computer) to view the certificate stores for the computer.
          12. Click the Personal folder to expand it.
          13. Click the Certificates folder to expand it.
          14. Select the certificate “SolarWinds-Orion-IS” and double-click the certificate to open it.
          15. In the Certificate dialog box, click the Details tab.
          16. Scroll through the list of fields and click Thumbprint.
          17. Copy the hexadecimal characters from the box. If this thumbprint is used in code for the X509FindType, remove the spaces between the hexadecimal numbers. For example, the thumbprint “a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b” should be specified as “a909502dd82ae41433e6f83886b00d4277a32a7b” in code.

          Step 5: Configure HTTP.sys with certificate thumbprint

          Follow the instructions provided below to associate the certificate generated earlier with an SSL port at the kernel level. This will allow the certificate to be presented at the port whenever clients need to communicate with Orion. The port # to associate with the certificate is 17778.

          For this we need Microsoft’s Httpcfg utility. Httpcfg can be found under Supporting Tools for Windows OS. For Windows 2003, these are located on the main installation CD of 2003 server, under the support\tools folder. You can also download these from the Microsoft site with OS Validation. On Windows Vista and later (including Windows 2008, Windows 7, and Windows 2008 R2), you can use the netsh command that is installed with the OS. For Windows XP, you can download the Windows 2003 tools from Microsoft.

          The source of these instructions is http://msdn.microsoft.com/en-us/library/ms733791.aspx.

          In the cmd.exe tool of the Orion server, enter the following:

          httpcfg set ssl -i 0.0.0.0:17778 -h <certificate thumbprint from step 5>

          Ignore exit code 1. 0.0.0.0 is OK and you need not type the IP address of the Orion server.

          If there was an error during this process, you can delete the SSL association and start over by using the command

          httpcfg delete ssl -i 0.0.0.0:17778 -h <certificate thumbprint from step 5>

          If you run the Orion Configuration Wizard again, you will need to redo this step. The Configuration Wizard will delete your custom setting for httpcfg and replace it using the CN=SolarWinds-Orion certificate.

          Step 6: Start the SolarWinds Information Service

          Use the Windows Service Manager or the following command line to start the SolarWinds Information Service on the server running Orion:

          sc start SWInfoServiceSvc

          Step 7: Verify that the SolarWinds Information Service is running

          Using a web browser, try to connect to the web service running at https://orion-server-ip:17778/SolarWinds/InformationService.

          A warning about the certificate not being valid might be displayed depending on what sort of certificate you used; simply ignore the warning and continue. A page with information about the web service should appear. This page will suggest that you use svcutil.exe to generate client code. If your browser gave you a warning about the certificate not being valid, svcutil.exe will fail with an error about an invalid certificate. This is normal. Svcutil.exe does not provide a way to ignore certificate validation, but Visual Studio’s Add Service Reference command does.

            • Re: Orion SDK & Java
              mschenck

              I was able to perform the steps as mentioned and change the certificate for SWIS on 17778 port, with only a small difference.

               

              In step 5, I had to enter the following:

              httpcfg set ssl /i 0.0.0.0:17778 /h <certificate thumbprint from step 5>

              Notice the switch from '-' to '/'.

              Checked the proper SSL cert assignment using httpcfg query ssl.

              Imported the new certificate in my JDK key store and could run the example code without disabling SSL key validation.
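
The result reported above, checked from the Java side, as an added example that is not part of the original posts or of the Orion SDK: it connects to the SWIS endpoint from step 7 with chain and host name validation left on, trusting only the truststore it is given, and compares the presented certificate's SHA-1 thumbprint with the one bound in step 5. The class name `SwisCertCheck`, the argument order and the JKS truststore (holding your issuing CA or the certificate itself) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SwisCertCheck { // hypothetical class name, not part of the SDK
    // The MMC dialog shows the thumbprint with spaces; keep only the hex
    // digits (this also drops invisible characters picked up when copying).
    static String normalize(String thumbprint) {
        return thumbprint.replaceAll("[^0-9A-Fa-f]", "").toLowerCase();
    }

    // The Windows "Thumbprint" field is the SHA-1 hash of the DER-encoded certificate.
    static String thumbprintOf(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Usage (assumed): SwisCertCheck <host> <truststore.jks> <password> <thumbprint>
    public static void main(String[] args) throws Exception {
        String expected = normalize(args[3]);
        KeyStore trust = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[1]);
        try { trust.load(in, args[2].toCharArray()); } finally { in.close(); }

        // Trust only what is in the supplied truststore; no validation is disabled.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        URL url = new URL("https://" + args[0] + ":17778/SolarWinds/InformationService");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect(); // throws if the chain or the host name does not validate
        String presented = thumbprintOf(conn.getServerCertificates()[0]);
        conn.disconnect();

        System.out.println("presented thumbprint: " + presented);
        if (!presented.equals(expected)) throw new IllegalStateException("unexpected certificate");
    }
}
```

The host name passed as the first argument has to match a name in the certificate, otherwise `connect()` fails before the thumbprint is compared.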

            • Re: Orion SDK & Java
              tdanner

              2. The CRUD operations are available through the SOAP interface. I have attached an updated version of the "JavaClient" sample in the SDK that does the following operations:

               

              • Add a node using the recipe in the SDK doc.
              • Set a custom property on this new node.
              • Delete the "Guest" account.

              I will probably use this code as the new Java sample in the next SDK release. Feedback is welcome.

              [Update 8/9/11: Removing corrupted attachment. See my reply in this thread for a working copy.]

                • Re: Orion SDK & Java
                  tdanner

                  3. I was able to run the sample on JDK 1.5 with just a small tweak (there was an @Override on a method that was overriding an interface method instead of a class method - 1.5 does not allow this). I'll make sure the doc reflects this in the next SDK release.

                    • Re: Orion SDK & Java
                      mschenck

                      Thanks a lot Tim.

                      I should have checked the WSDL before coming to the conclusion that it didn't expose the Create and other methods...

                      I will test the SSL cert substitution method and get back to you.

                      The ZIP package you attached seems damaged though, I can't extract or repair it from my side.

                      Instead I tried to use Axis2 to discover the WS bindings directly but am running into a lot of problems while doing so because of the CN=SolarWinds-Orion.

                      Would it be possible in the future that the Configuration Wizard, when generating the certificate, adds the server FQDN as an alternate Subject Name? That should take care of the JDK Hostname verification issue...

                      In the meantime I will override the certificate as described in 1), and then try to rediscover the WS again to generate my own Java client stub.

                      Thanks & Regards

                  • Re: Orion SDK & Java
                    jdennis

                    Nice, I was able to get everything up and running just fine and add a node to our test servers. Very promising! I am basically looking to do the very same things you are and most likely for the same reasons. I assume there are a lot more people out there that have desires to do the same thing. In the end I want to automate the addition of managed nodes/interfaces to NPM/discovered subnets to IPAM, and backups to NCM, etc.

                    Today, we use a detailed process to ensure new ranges are added to Sonar discovery based on our deployment model but in the end this just lacks the ability to customize it fully and has no real backend verification. Before the SDK we had been running a canned query to the DB from a perl script to simply return a True/False with a basic "$host{monitored} = &ismonitored"; from there we just get an e-mail if a host showed up in our backend and didn't show up in Orion. Simple enough, ensured our process was checked but still too many humans required to do simple data entry. The other shortage we have is around custom attributes which control most of our Views and alerting actions. Sonar picks hosts up fine, but no options to set attributes based on which discovery instance so the NOC has to follow through with adding the attributes.

                    As it stands today we only manage to the Network port in Orion across 4 regional instances tied to EOC at the NOC. Getting this integrated into the back-end will allow us to automate all the way down through APM and consolidate our monitoring with little manual/operational effort outside of the development as CRUD matures to meet all the needs. Looking at something in the ballpark of 370K asset monitors at that level to add, can be a manual migration to be realistic.

                    Enough about my dirty and troubled past, now to what we are looking to do moving forward. In the end, if you hadn't guessed, the back end DB is uCMDB. We are happy with it, I have all the data I could ever need to automate programmable tasks. Now it's time to take the data out and push it to systems that do the work.

                    On the Solarwinds end the requirements are fairly simple day one from my perspective. Use a simple SWQL query to validate the legacy "Subnet is monitored", "Node is Monitored", "Subnet is scanned" custom elements set in uCMDB. This just replaces our DB query hacks with a ~supported language of course, now to react directly on =false is the plan. From the quick look through I did tonight, good news is I think I can do all of this today! Bad news, Java is the right way, I'm a newbie at best, avoided it like the plague all my life and stuck with perl and php hacks way too long. Time to grow up I suppose so I'm out to create a handful of classes initially, expecting medium pain :-(

                    • AddNode
                    • AddSupernet
                    • AddSubnet
                    • AddNodeBackup
                    • AddInterface

                    Note, the list above, descriptive of random thoughts, not meaningful..

                    These basic CRUD functions (sorry is it classes?) would cover almost all our requirements today as we can now also set the custom properties on discovery, validate monitored status of all elements, and auto correct oversights/remove human interaction. On the cmdb API it's just as easy, except it's a get of Value="False" to build the add parameters for each.

                    All that said, one quick Google on ucmdb SolarWinds, a lot of people are looking for this capability and more want it for other systems. Almost every case I see 3rd party companies jump in and offer up development/integration contracts, seems silly, plenty of nerds on here to build this framework, just curious if there is enough interest to start a project around it where Solarwinds users can contribute to a core API framework, add vendor APIs as needed and customize? Maybe even a project for a more centric/agnostic contrib of API frameworks (Solarwinds-uCMDB, Solarwinds-"Enter random change control system here"). Being an API, it will always take customization to be 100%, just thinking we don't all have to invent the wheel multiple times maybe. I may be way off tho, I do tend to go on rants some days. ;-)

                    Regards,

                    ~j