How to Fix pg_hba.conf to Allow bnapsql:// to Read Nicknames
The bnapsql:// protocol was added over two years ago; this protocol connects to BNA’s backing database (PostgreSQL) and asks it directly for some information:
The benefits of this method versus an SMI-S method are simple:
- it doesn’t require a license fee to check or try
- it grabs both “zone aliases” and “aliases” (the “SMI-S” interface — CIM-XML — only shares “zone aliases”)
This worked fine until BNA-12.0.2 (including HPNA and CMCNE); after that, the vict.jar starts to report an error something like this:
FATAL: no pg_hba.conf entry for host “192.168.1.1”, user “dcmuser”, database “dcmdb”, SSL off
Please add the client’s IP address to the file
ie: host all all 0.0.0.0/0 md5
So what’s the problem?
pg_hba.conf is like a hosts.allow used in old UNIX: it lists those allowed to talk to the server. It’s like an Access-Control List.
In BNA-12.0.2, the standard entry was changed from:
host all dcmuser 0.0.0.0/0 md5
to:
#MIGRATION#host all dcmuser 0.0.0.0/0 md5
…so you can see that it’s merely been commented out (as has its IPv6 equivalent). In short, we’ve lost access to the backing database because BNA tightened its own ACL to better protect itself.
So what’s the solution?
Strange as it may seem, the error message holds the key to the solution:
Please add the client’s IP address to the file
ie: host all all 0.0.0.0/0 md5
Now, I’d never accuse anyone of not bothering to read the error message, no! 🙂 Seriously, this sort of error message reads like so much TL;DR spew, and the problem is: which one? Which pg_hba.conf? Did I get the correct one of two, three, or four?
Just like everyone else, I like to get stuff done and go home; in support of getting things done, without “throwing my peers under-the-bus too much”, here’s more detail about fixing this problem:
The vict.jar tries to give a hint with a filename, but that only works on Windows installs of a specific version. In short:
- find all the pg_hba.conf files:
  - everything but windows: locate pg_hba.conf
  - everything but windows: find /usr/apps -name pg_hba.conf
  - windows: use whatever windows has this week as a search tool to find these files
- change each one, checking after each change
- you may need to SIGHUP the database server so it re-reads pg_hba.conf (the server process is named postgres):
  - on linux/UNIX/MacOSX/BSD/everything-but-windows: killall -HUP postgres
  - or, on linux/MacOSX/BSD: ps axwl | grep postgres; kill -HUP (the PIDs shown by that command)
  - on UNIX (USL) and UNIX variants (including AIX): ps -ef | grep postgres; kill -HUP (the PIDs shown by that command)
  - windows: forget it: there’s no signal subsystem. Just restart the postgresql service every time. Yeah, that’s heavy-handed
There might be an easier way to find out which directory holds the pg_hba.conf file that matters, but it’s not consistent. I doubt there’s much benefit in knowing the exact pathname on every system PostgreSQL supports; a reliable method of finding it is more useful.
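Before editing every copy, it helps to know which one is actually rejecting the client. The following is an added example, not code from the post or from fibrechannel-parsers: it applies the pg_hba.conf matching rules (first matching line wins; the #MIGRATION# prefix makes a line a plain comment) to a constructed post-12.0.2 file, lists the rules BNA disabled, and builds a single-host entry for the client named in the FATAL message rather than the 0.0.0.0/0 line the error text suggests. It handles only “host” lines with CIDR addresses, which is what the file quoted above uses.

```python
import ipaddress

# Constructed sample, modelled on the post-12.0.2 file: the dcmuser rules carry the
# #MIGRATION# prefix and only loopback access survives.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   all       all                    md5
host    all       all      127.0.0.1/32  md5
#MIGRATION#host all dcmuser 0.0.0.0/0 md5
#MIGRATION#host all dcmuser ::/0 md5
"""


def parse_pg_hba(text):
    """Return the active 'host' rules as (database, user, network, method)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # anything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        if fields[0] != "host" or len(fields) < 5:
            continue  # 'local' lines are socket-only; hostssl/hostnossl not modelled
        net = ipaddress.ip_network(fields[3], strict=False)
        rules.append((fields[1], fields[2], net, fields[4]))
    return rules


def migration_casualties(text):
    """Rules the BNA 12.0.2 migration disabled (lines prefixed '#MIGRATION#')."""
    prefix = "#MIGRATION#"
    return [ln[len(prefix):] for ln in text.splitlines() if ln.startswith(prefix)]


def matching_rule(text, client_ip, user, database):
    """First rule that would admit the client, or None (the FATAL case)."""
    addr = ipaddress.ip_address(client_ip)
    for db, usr, net, method in parse_pg_hba(text):
        if addr.version != net.version or addr not in net:
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue
        return (db, usr, str(net), method)
    return None


def minimal_entry(client_ip, user, database):
    """A single-host line (/32 or /128) instead of the 0.0.0.0/0 the error suggests."""
    net = ipaddress.ip_network(client_ip)
    return f"host\t{database}\t{user}\t{net}\tmd5"
```

Run matching_rule against each pg_hba.conf you found with the host, user and database from the FATAL line; the copy that returns None is the one the server is reading.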
a few more links
(links also inline to survive printing)
- bnapsql URLConnection code in the fibrechannel-parsers opensource project: https://github.com/chickenandpork/fibrechannel-parsers/
- 2012-09-13 article announcing bnapsql:// protocol: http://fcfae.com/2012/09/revision-345-how-to-read-nicknames-from-a-bna-server/
- format of the pg_hba.conf file: http://www.postgresql.org/docs/9.3/static/auth-pg-hba-conf.html
How to Collect DCNM and BNA Data via SMI-S Interface
OK, I need to come clean on one thing: this article isn’t about SMI-S per se, but about connecting via CIM-XML. The thing is, “what is CIM-XML?” When a client connects to, let’s say, BNA, it can talk CIM-over-HTTP, CIM-over-HTTPS, or CIM-over-RMI. In hindsight, maybe I should have focused on RMI, but I had reasons. Had I titled this “…Data via CIM-XML over HTTP”, I would anticipate glazed eyes, and no real up-take on why this matters.
The trick is: it doesn’t matter a whole lot. …but it’s there if you need it, simply because I had it around.
We typically draw information from BNA (and alpha-quality in DCNM) by speaking directly to the underlying database, like this:
So normally, that’s a command such as:
java -jar vict.jar -N bnapsql://bna.example.com/
java -jar vict.jar -N dcnmsql://dcnm.example.com/
(again, needs QA)
These use the BNADatabase passwords, not the user’s password with which he is more familiar. These are typically hindered by ACL (the evil “pg_hba.conf”, all 4 of them).
The thing is, this method (in BNA) gets the data that isn’t available by SMI-S… err… CIM-XML. This gets the aliases that are not zone aliases. If you don’t recognize the difference, or remember “the McData way”, understand that some data isn’t available.
So there I was working on a DCNM Writer for a customer. It’s been taking way too long, and in order to test, I had added a DCNM CIM-XML client to the parsers. I needed something to bang on the DCNM and see what it had for when I try to push changes into it.
I needed this:
I decided to complete a functional BNA client (alpha), together with a DCNM client, and make those available to both vict.jar (VW3) and (VW4) vw4tools.jar via underlying FibreChannel-Parsers. They’re used like this:
java -jar vict.jar -N bnacql://bna.example.com/
(this one needs QA)
java -jar vict.jar -N dcnmcql://dcnm.example.com/
java -jar vw4tools.jar -N bnacql://bna.example.com/
(this one needs QA)
java -jar vw4tools.jar -N dcnmcql://dcnm.example.com/
The abbreviation for the protocol is BNA/DCNM, followed by CQL, the CIM Query Language, which is actually similar to SQL92 (the language standard, not the Microsoft product). Microsoft has a variant for WMI called WQL. If you like, you can be more explicit about the defaults:
java -jar vw4tools.jar -N dcnmcql://scott:T1ger@dcnm.example.com:5988/cimv2
Of course, you’d want a -o or -n to make use of the collected data, and you’ll see collected nicknames show up as NicknameParser counts (these data sources feed a text stream that is parsed by NicknameParser). vw4tools has full capability to --pattern itself into some upper-level entities, or just spit out fcports.
…and that’s the power of what I’ve done: the BNA and DCNM portions are merely small layers over the underlying capability. I could replace the vCenter collector with a CIM-XML client, or use that to interrogate various storage devices, but I assume VirtualWisdom4 Discovery will eventually do that for us in a much more Quality-check and code-reviewed and reliable manner.
As a reminder, the things I build are intended towards the installation timeframe, where a few hiccups are accepted so long as the task is completed. I don’t necessarily feel these tools would be used beyond installation day.
JSON Hierarchy
The Entity Hierarchy for VW4 seems to look like this (still being confirmed)
The SAXParseException in WebClient API Against 3.3.0 and Later
After installing 3.3.0, I started to get:
org.xml.sax.SAXParseException: The element type "init" must be terminated by the matching end-tag "</init>"
This would appear to be a structure mismatch in the WebClient API during initial login, as a result of 3.3.0, but as a reminder going forward, this <init> might actually be part of this exception dump, which is blindly sent un-URL-escaped to the client:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 com/virtualinstruments/cli/ICommandServer</title>
</head>
<body><h2>HTTP ERROR: 500</h2><pre>com/virtualinstruments/cli/ICommandServer</pre>
<p>RequestURI=/WebServices</p><h3>Caused by:</h3><pre>java.lang.NoClassDefFoundError: com/virtualinstruments/cli/ICommandServer
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$000(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at com.finisar.util.XStreamFactory.createXStream(XStreamFactory.java:60)
at com.finisar.web.WebServicesServlet.<init>(WebServicesServlet.java:36)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
Do you see the third-last line? The “<init>” is right there. Since it sits in the middle of XML-ish HTML, the parser expects a matching “</init>”, and that is the underlying cause of the exception.
I guess this is one case where unclean text is just sent across, hindering any graceful attempt to pull out the status message and react accordingly — because part of the message is trashed, so it’s all trashed.
For when I run into it again, the real error is hidden somewhere on the server, and a quick text dump in code helps:
httpPost.setEntity(new StringEntity(loginMessage));
response = httpClient.execute(httpPost);
+ response.getEntity().writeTo(System.out);   // added line: dump the raw response body
Unfortunately, this dump occurs before the error is realized, so we can’t just react to the error by dumping the raw message — it’s already consumed! 🙁
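The way out is to buffer the body once and decide afterwards, so the same bytes can be both dumped and parsed. Here is that pattern as an added example in Python, not the post’s Java and not the WebClient API’s own code: the status is checked before parsing, and when the body is not XML (such as the HTML error page above) the raw text is kept for diagnosis instead of being lost in a parse exception. Both bodies are constructed, modelled on the dump quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the HTTP 500 page quoted in the post: the
# HTML wraps a Java stack frame whose "<init>" reads as an unterminated tag.
ERROR_500_BODY = """<html>
<head><title>Error 500 com/virtualinstruments/cli/ICommandServer</title></head>
<body><h2>HTTP ERROR: 500</h2><pre>java.lang.NoClassDefFoundError: com/virtualinstruments/cli/ICommandServer
at com.finisar.web.WebServicesServlet.<init>(WebServicesServlet.java:36)
</pre></body></html>
"""

# Constructed sample of a successful login reply (the real format is not shown on the page).
LOGIN_OK_BODY = "<response><session>abc123</session></response>"


def parses_as_xml(body):
    """What the original client effectively does: hand the body straight to the parser."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def handle_login_response(status, body):
    """Buffer first, decide second.

    `body` is the whole response already read into a string, so it can be
    logged and parsed without being consumed twice.
    Returns ("ok", root_element) or ("error", diagnostic_text).
    """
    if status != 200:
        # Server-side failure: the body is an HTML error page, not a login reply.
        return ("error", f"HTTP {status}: {body.strip()}")
    try:
        return ("ok", ET.fromstring(body))
    except ET.ParseError as exc:
        # Not well-formed XML: keep the raw text so the real cause stays visible.
        return ("error", f"unparseable body ({exc}): {body.strip()}")
```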