H3C WSM User Guide-E73xx-5W100

  • Released At: 30-10-2025

 

H3C WSM

User Guide

Document version: 5W100-20251027

 

Copyright © 2025 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.


Contents

Wireless Management
Features
Wireless Overview
Wireless Overview
Clients
Remarks
Features
Client Online History
Client Info Management
SSID
AC
AC Group Management
AC Group Details
Configuration Management
AC Global Parameter Configuration
Radio Batch Configuration
Service Policy Management
Fit APs
Fit AP Group Management
AP List Management
Match Rules
Configuration
Virtual APs
Remarks
Features
Parameters
VLAN Group Management
Fit APs
Convert auto APs to manual AP
Remarks
Procedure
AP Access Ports
Remarks
Features
Fit AP Details
Remarks
Features
Cloud AP
Remarks
Features
Cloud AP Details
Remarks
Features
Radios
Remarks
Features
Energy Policy
Remarks
Features
Parameters

System
Organization Management
Introduction
Remarks
Functions
Parameters
User Management
Users
Introduction
Remarks
Functions
Add or Edit User
Introduction
Remarks
Functions
Parameters
Details
Introduction
Remarks
Functions
Online Users
Introduction
Remarks
Functions
Additional User Information
Introduction
Remarks
Functions
Additional Information Details
Introduction
Functions
Add/Edit Additional Information
Introduction
Functions
Parameters
User Group
Introduction
Remarks
Functions
Add or Edit User Group
Introduction
Remarks
Functions
Parameters
User Group Details
Introduction
Functions
Tenants
Introduction
Remarks
Functions
Parameters
Remote notifications
Notification Settings
SMSC Platform Settings
Procedure
Network Settings
Procedure
Mail Server Settings
Introduction
Remarks
Parameters
WeChat Official Account Platform
Official Accounts
Procedures
Remarks
Message Templates
Procedures
Remarks
WeChat Work Official Account Platform
WeChat Work Official Account List
Procedures
Remarks
Wechat Work Message Template
Procedures
Remarks
Webhooks
Remarks
Functions
Parameters
Notification Record
Introduction
Functions
SMS Notification Records
Functions
WeChat Notification Records
Procedures
Remarks
WeChat Work Official Account Notification Records
Procedures
Remarks
Record Archive
Introduction
Remarks
Functions
Parameters

Security Settings
Introduction
Remarks
Basic Settings
Account lock settings
User idle timeout timer
Advanced users
User password policy settings
User name settings
Control Action Upon User Concurrent Login Limit
Parameter
IP allowlist
Add an IP address
Delete IP addresses
Refresh the list
Filter IP addresses
Parameters
AuthN-free settings
Add an authN-free IP
Delete authN-free IPs
Refresh the list
Filter authN-free IPs
Parameters
HTTPS certificate settings
Protocol settings
HTTPS settings
Validate Client Certificates
Certificate expiration notification settings
Parameters
Weak password settings
Add a weak password
Delete weak passwords
Refresh the list
Filter weak passwords
Parameters
Access address settings
Add an access address
Delete access addresses
Refresh the list
Filter access addresses
Parameters
Authentication Settings
Configure LDAP server settings
Parameters
Configure LDAP sync policy settings
Enable LDAP sync policy
Add rule
Delete rule
Parameters
Configure RADIUS server settings
Parameters
Configure RADIUS sync policy settings
Add rule
Delete rule
Parameters
Configure TACACS server settings
Parameters
AuthN Server Test
Enable CAS Server Service
Parameters
Configure login authentication settings
Parameters
Configure two-factor authentication settings
Parameters
Alarm Settings for Unauthorized Access from Client
Parameters
Enable UKEY Authentication
Logo Settings
Introduction
Functions
Parameters
Menu Design
Introduction
Remarks
Functions
Parameters
Favorites
Introduction
Remarks
Functions
Parameters
Support Center
Introduction
Procedure
Certificate Management
Introduction
Remarks
Functions
Parameters
Third-Party Systems
Third-Party Systems
About this feature
Restriction and guidelines
Features
Add/Edit Third-Party System
About this feature
Restriction and guidelines
Add a third-party system
Edit a third-party system
Parameters
Token Profiles
About this feature
Restriction and guidelines
Features
Add/Edit Token Profile
About this feature
Restrictions and guidelines
Add a token profile
Edit a token profile
Parameters

Log Management
Operation logs
Introduction
Remarks
Functions
Security logs
Introduction
Remarks
Functions
System logs
Introduction
Functions
Running logs
Introduction
Remarks
Functions
Log Settings
Introduction
Operation Log Settings
Introduction
Remarks
Basic Settings
Archive Setting
Parameters
System Log Settings
Introduction
Functions
Parameters
Running Log Settings
Functions
Parameters
Log Level Settings
Operation steps
Remarks
Backup & Restore
Introduction
Remarks
Functions
Parameters
RDRS
About this task
Prerequisites
Remarks
Functions
Parameters
Snapshots
Snapshot List
Introduction
Remarks
Procedure
Auto Snapshot Schedule
Introduction
Procedure
Rollback Records
Introduction
Remarks
Procedure
Deployment
Introduction
Remarks
Functions
Configure Network
Introduction
Remarks
Parameters
Components
Introduction
Remarks
Component summary
License Management
License Information
Remarks
Procedure
Configure License Server
Functions
Parameters
Remarks
Health Check
Introduction
Remarks
Procedure
Backup & restore
Parameter description
Authorization Wizard
Introduction
Remarks
User Information
Management Scope
Feature Authorization
Resource Authorization
Resource Groups
Introduction
Remarks
Functions
Parameters
MSP Tenant Management
Introduction
Remarks
MSP Tenant List
Tenant Management by MSP
Parameters
Role List
Introduction
Remarks
Functions
Add/Edit Role
Introduction
Remarks
Functions
Parameters
Hierarchical Management
About this task
Remarks
Functions
Parameters
System Configuration
Homepage Settings
Introduction
Remarks
Functions
Tab Settings
Introduction
Remarks
Procedure
Parameters


Wireless Management

You can manage ACs, APs, and clients and configure parameters and energy policies in Wireless Management.

Features

·     Wireless Overview

·     AC

·     Fit APs

·     Cloud AP

·     Radios

·     Energy Policy

Wireless Overview

Features

·     Wireless Overview

·     Clients

·     SSID

Wireless Overview

You can view the total number of APs, ACs, and SSIDs, as well as statistics such as the Top 10 APs by Attached Endpoints and Top 10 Channel Usage.

Clients

Perform this task to query clients. You can choose Basic Query or Advanced Query.

Remarks

·     To use real-time client monitoring, set the SNMP version to v2c or v3.

·     The upper-layer device of a client can be an AC, fit AP, or cloud AP. When you use the Device Label field in advanced search, a fuzzy search will be performed based on the label of a client's upper-layer device. The device label is case sensitive.

○     If the upper-layer device of the client is an AC or cloud AP, the fuzzy search will be conducted based on the device label of the AC or cloud AP.

○     If the upper-layer device of the client is a fit AP, the fuzzy search will be conducted based on the AP label of the fit AP.

Features

·     Client Online History

·     Client Info Management

·     Set Sync Interval

Click the Set Sync Interval button, and then select a cycle (3 minutes, 5 minutes, or user-defined) in the window that opens. If you select user-defined, enter a custom time in seconds. After configuration, click OK to save the settings.

·     Monitor

Click the icon in the Actions column for a client to view real-time data such as received/sent traffic, receive/send rate, and signal strength of that client.

·     Basic Query

a.     Enter the MAC address of the client in the query field on the top right corner. Click the Query icon.

b.     To reset the query criteria, clear the query field first and click the Query icon.

·     Advanced Query

a.     Click the Expand icon on the right of the query field. Specify the query criteria. Click Query.

b.     To reset the query criteria, click Reset.

Client Online History

Perform this task to query the historical online information of clients. You can choose Basic Query or Advanced Query.

Remarks

·     If there are no options in the offline time range, no data exists.

·     The online time field can be left empty. If filled, the end time of the online period cannot be later than the end time of the offline period.

·     Only client online history that can be viewed by the current tenant is displayed.

Features

·     Export

Click the Export button to export client online historical data matching the current search criteria and displayed on the page. To view detailed information, download the exported file.

·     Scheduled Cleanup

Click the Scheduled Cleanup button to set the data retention days in the window that opens. Client online history exceeding the retention days will be cleared. The default retention period is 7 days, with a maximum of 30 days supported.

·     Basic Query

a.     Enter the MAC address of the client in the query field on the top right corner. Click the Query icon.

b.     To reset the query criteria, clear the query field first and click the Query icon.

·     Advanced Query

a.     Click the Expand icon on the right of the query field. Specify the query criteria. Click Query.

b.     To reset the query criteria, click Reset.

Client Info Management

Perform this task to manage the mappings between the MAC addresses and usernames of clients.

Remarks

·     WSM does not obtain usernames of clients in this list from devices.

·     Due to encoding format limitations, special characters, such as hyphens (-) and underscores (_), are not considered as valid sorting characters, so page sorting is not significantly affected by them.

Features

·     Add Client Information

Click the Add button to access the Add Client Info page. Configure the client's MAC address, username, account name, and other information, and then click OK to add the client information to the system.

·     Delete Client Information

Select one or more client entries, click the Delete button, and then click OK in the confirmation dialog box that opens to delete the corresponding client information.

·     Edit Client Information

Click the icon for a client to access the Edit Client Information page. The MAC address cannot be edited, but other parameters can be customized. Click OK to save the configuration.

·     Client Identification Management

Click the link corresponding to Vendor, Client Type, or OS to access the corresponding page for add, delete, or edit operations.

○     Vendor: Vendor of the client.

○     Client Type: Type of the client.

○     OS: OS of the client.

SSID

The Service Set Identifier (SSID) is the name that identifies a specific wireless network. A client uses the SSID to identify and connect to that wireless network. Each wireless network has a unique SSID, allowing users to select the desired network by its ID. The SSID facilitates connectivity and management between APs and clients, enabling more efficient resource allocation in wireless networks.

This page allows you to query the total number of cloud APs, fit APs, and clients for all SSIDs.

Remarks

·     The SSID name supports fuzzy search.

·     When no query criteria are entered, all SSIDs that the current operator has permission to view will be queried by default. 

·     After you bind an AP group, synchronization with the AC is required to obtain the binding configuration inherited from the AP group.

AC

An Access Controller (AC) is a critical component in wireless networks, primarily used for managing and controlling multiple Access Points (APs). An AC is responsible for scheduling wireless signals, load balancing, implementing security policies, and authenticating user access. An AC can centrally manage multiple APs, improving network management efficiency and security.

An AP is a type of network device used to expand the coverage area of a wireless network. It communicates with clients via wireless signals and connects these devices to wired networks. Cloud APs and fit APs are two different AP architectures in wireless networks, mainly designed to meet varying network requirements and management approaches.

Wireless Management Configuration Procedure

1.     Configure the AC management network and initial device configuration.

2.     Add the AC to the network management system.

3.     (Optional.) Configure AP groups.

4.     Configure the AP onboarding process (choose one of the following):

○     Create a fit AP template (configured on the Fit APs page).

○     Enable AP auto-registration (configured on the AC Global Parameter Configuration page).

5.     (Optional.) Configure virtual APs.

6.     Configure wireless service policies.

7.     Configure radio parameters.

8.     (Optional.) Configure VLANs.

9.     (Optional.) Configure energy policies.

Remarks

·     Fuzzy match is supported for query by label or IP address.

·     If you do not specify any query criteria, all ACs that you have the permission to view are queried.

·     For basic query, all query criteria are ORed. For advanced query, all query criteria are ANDed.

·     To use Comware 9-based devices, make sure the device version is V900R001B43D001 or later.

·     Synchronizing ACs does not synchronize client information. To synchronize client information, configure the synchronization feature in the client list.

·     During AC synchronization, wireless-related data (such as AP quantity and AP status) will be updated in batches. Data inconsistency might occur before synchronization is successful. Please check the data only after synchronization is complete.

Features

·     Synchronize

Select one or more data entries, and then click the Synchronize button to synchronize the latest data on the device.

·     AC Group Management

Click the AC Group Management button to access the AC Group Management page.

·     Configuration Management

Click the button in the Actions column to access the Configuration Management page.

·     Real-Time Client Count Monitor

Click the icon in the Actions column to view the number of clients running on this AC in the window that opens.

·     Clients Associated with AC

Click the icon in the Actions column to configure alarm parameters in the window that opens. If the number of AC-associated clients exceeds the alarm threshold, an alarm will be triggered.

AC Group Management

To simplify configuration of active and backup ACs, you can add them to a group and configure the group.

Remarks

This feature is not supported by third-party wireless devices.

Features

·     Add AC Group

a.     Click Add to open the AC group adding page.

b.     Enter an AC group name.

c.     Click OK.

·     Edit AC Group

a.     In the Actions column, click the icon for an AC group to open the editing page.

b.     Enter the new AC group name.

c.     Click OK.

·     Delete AC Group

a.     In the Actions column, click the icon for an AC group to open the confirmation dialog box.

b.     Click OK.

·     View AC Group Details

Click the name of an AC group to access the AC Group Details page.

AC Group Details

You can add or delete ACs to or from the AC group.

Remarks

·     When there are only two ACs in the group, they act as active and backup for each other. When there are more than two ACs in the group, please select one AC as the backup.

·     Make sure the ACs to be added to the same AC group have the same management station setting.

Features

·     Add ACs

a.     Click Add AC to open the dialog box.

b.     Select ACs to be added.

c.     Click OK.

·     Delete ACs

a.     Select ACs to be deleted from the list.

b.     Click Delete to open the confirmation dialog box.

c.     Click OK.

·     Set specified as active/backup

○     Click the button in the Actions column for an AC on the list, and then click OK in the window that opens to set the device as the active AC.

○     Click the button in the Actions column for an AC on the list, and then click OK in the window that opens to set the device as the backup AC.

·     Edit AP Assoc Address

Click the icon in the AP Association Address column to edit the IPv4 or IPv6 address for AP association. After filling in the details, click OK to save the configuration.

Configuration Management

On the AC page, click the icon in the Actions column for an AC to access the corresponding AC configuration management page. The configurations made on this page only apply to that specific AC.

Features

·     AC Global Parameter Configuration

·     Radio Batch Configuration

·     Service Policy Management

·     Fit APs

·     Fit AP Group Management

·     Virtual APs

·     VLAN Group Management

AC Global Parameter Configuration

Remarks

·     Perform this task to edit wireless controller settings.

·     This feature is not supported by third-party wireless devices.

·     Only V7 wireless devices support setting load balancing restrictions.

Procedure

Configure AC parameters as needed and then click OK.

Parameters

Table 1 AC global parameters

| Parameter | Description |
| --- | --- |
| Load Balancing Restrictions | No Threshold: Disables load balancing restrictions. Traffic Threshold: Enables traffic load balancing restrictions for the AC. After you enable the restrictions, you must set the traffic load balancing threshold and the difference threshold. Client Count Threshold: Enables client count load balancing restrictions for the AC. After you enable the restrictions, you must set the client count load balancing threshold and the difference threshold. Bandwidth Threshold: Enables bandwidth load balancing restrictions for the AC. After you enable the restrictions, you must set the bandwidth load balancing threshold and the difference threshold. NOTE: Only one type of load balancing restriction can be selected, and the parameters to configure vary depending on the selected restriction type. The load balancing threshold and the load balancing difference threshold must be used together to ensure load balancing among APs in the network, avoid overload on a single AP, and improve overall network performance. |
| Traffic Load Balancing Threshold (%) | Maximum traffic allowed for an AP, set as a percentage of the maximum supported traffic. For example, if an AP's maximum supported traffic is 100 Mbps and the threshold is set to 50%, the AP can use up to 50 Mbps. |
| Traffic Load Balancing Gap (%) | Maximum allowed traffic difference between APs, set as a percentage of the maximum supported traffic. For example, if an AP's maximum supported traffic is 100 Mbps and the difference threshold is set to 20%, the traffic usage difference between this AP and others can reach 20 Mbps. When an AP's traffic reaches the load balancing threshold and the difference with other APs reaches the difference threshold, load balancing will start to ensure even traffic distribution across interfaces. |
| Client Load Balancing Threshold | Maximum number of clients allowed to connect to an AP. |
| Client Load Balancing Gap | Maximum allowed difference in the number of connected clients between APs. When the number of clients connected to an AP reaches the load balancing threshold and the difference with other APs reaches the difference threshold, load balancing will start to ensure reasonable client distribution among APs. |
| Bandwidth Load Balancing Threshold | Maximum bandwidth allowed for an AP. |
| Bandwidth Load Balancing Gap | Maximum allowed bandwidth difference between APs. When an AP's bandwidth usage reaches the load balancing threshold and the difference with other APs reaches the difference threshold, load balancing will start to ensure reasonable bandwidth allocation. |
| Auto AP | You can choose whether to enable the AP auto-registration feature. Enable: Enables the AP auto-registration feature. Disable: Does not enable the AP auto-registration feature. When a large number of APs are deployed in the wireless network, enabling AP auto-registration simplifies configuration, because AP templates do not need to be created manually on the AC. |
| Country/Region Code | Country and region code, which can be selected from the list in the interface. |
| AC Group | Desynchronize: The configurations on this page only apply to the current AC. Select a specific active/backup AC group: The configurations on this page apply as follows. If the group contains only one or two ACs, the configurations apply to the current AC and all ACs in the selected group. If the group contains more than two ACs, the configurations apply to the current AC and the backup ACs in the selected group. |
| Virtual AP | Whether to enable the virtual AP feature. If yes, you can configure virtual AP-related data under a real AP to bring the virtual AP online. |

 

Radio Batch Configuration

Perform this task to configure multiple radios in bulk for an AC to reduce workload. For Cisco ACs, you can configure radios for multiple ACs at the same time.

Remarks

·     If the radios to be configured belong to APs of different models, the bulk configuration operation might fail.

·     The preamble type can be configured only when the radio type is 802.11b, 802.11g, or 802.11gn.

·     Because some countries or regions do not allow the activation of wireless communication devices in the 6 GHz band, the radio for this band cannot be configured under the corresponding Country/Region Code. If a radio operating in the 6 GHz band is required, the service policy bound to the radio must enable the enhanced open system authentication service or configure the WPA3 security mode.

Procedure

1.     Select the parameters to be configured and specify their values.

2.     In the Fit AP Radio List area, click the Add button, select the radio in the window that opens, and then click OK to add it to the radio list. You can search for the corresponding radio by AP label, serial number, or radio type in the window that opens. Radios added to the radio list can also be manually removed.

3.     Select the target radios and then click OK.

Service Policy Management

Perform this task to configure and manage service policies. You can browse, create, edit, delete service policies, or create a service policy by using one or more global service policy templates. In addition, you can bind one or more service policies to radios in bulk, display all the radios bound to a service policy, and remove the bindings in bulk.

Remarks

·     Deleting a service policy deletes all information related to that policy.

·     If you select a radio in Up state, unbinding that radio from the service policy results in service interruption.

·     Only devices running V500R001B64D029SP50 or later versions and configured with NETCONF can be configured with NAS-IDs.

·     The VLAN or VLANs in the VLAN group bound to the radio have a higher priority than the VLAN specified when you bind a service policy to the radio.

Features

·     Add Policy

Click the Add Policy button to access the Add Service Policy page, configure the policy information, and then click OK.

·     Edit Policy

Click the icon in the Actions column for a service policy on the service policy list to access the Edit Service Policy page, where you can edit parameters as needed.

·     Delete Policy

Select one or more service policies to be deleted, click the Delete button, and confirm the deletion in the window that opens to complete the deletion.

·     Batch Bind/Unbind

a.     Select one or more service policies, click the Batch Bind button, and the Bind to Fit AP Radio page will open.

b.     On this page, click the Add button, select the fit AP radio in the dialog box that opens, and then click OK to display the selected radio information in the list.

c.     Click the Bind or Unbind button to bind or unbind the service policy to or from the listed radios. Only radios already bound to the policy can be unbound successfully.

·     Configure NAS-IDs

In the NAS-ID column for a service policy on the service policy list, you can set the NAS-ID bound to the radio for the service policy.

·     Edit VLAN ID/VLAN Group

Click the icon in the VLAN ID | VLAN Group column for a service policy on the service policy list, and then select the VLAN ID or VLAN group to be bound to the policy in the window that opens.

·     Bound Radios

a.     Click the icon in the Actions column for a service policy on the list to view all radios bound to the service policy.

b.     Select the radios to be unbound and click Unbind to delete the binding.

Parameters

Table 2 Parameters for adding or editing a service policy

| Parameter | Description |
| --- | --- |
| Policy Name | Service policy name. |
| Enable | Enable or disable a service policy. |
| SSID | The value cannot exceed 32 characters. This field is required. |
| Coded Format | Encoding format for the SSID. This field is unconfigurable on the AC and cannot be displayed in the command output. |
| Max Clients | Maximum number of clients allowed in the service policy. |
| Hidden SSID | Whether to hide SSIDs in Beacon frames. |
| VLAN | ID of the VLAN that clients join after coming online from the service template, in the range of 1 to 4094. The default value is 1. |
| Security IE | Security information element used in Beacon and probe response frames. Options include None (default), RSN, WPA, OSEN, and All. NOTE: When you select different security IEs, the required security parameters to configure might vary. |
| Cipher Suite | Cipher suite to be used for data encryption. When the security IE None is selected, the available cipher suites are WEP40, WEP104, and WEP128. When security IE RSN is selected, the available cipher suites are TKIP, CCMP, and GCMP. When security IE WPA, OSEN, or All is selected, the available cipher suites are TKIP and CCMP. |
| Key | When the cipher suite is WEP40, WEP104, or WEP128, it allows you to set the cryptographic key. When the cipher suite is WEP40, the key is a combination of 5 letters and digits. When the cipher suite is WEP104, the key is a combination of 13 letters and digits. When the cipher suite is WEP128, the key is a combination of 16 letters and digits. |
| Enhanced Open System AuthN | This parameter can be configured only when the security IE is set to None. Once this feature is enabled, parameters such as the cipher suite and authentication mode will remain in their default states and cannot be configured. |
| WPA3 Security Mode | Options include SAE Mandatory, SAE Optional, Enterprise, and Enterprise Only. This parameter can be configured only when the security IE is set to RSN and the cipher suite is selected as CCMP or GCMP. When the cipher suite is set to CCMP, the WPA3 security mode can be configured as SAE Mandatory, SAE Optional, or Enterprise Only. When the cipher suite is set to GCMP, the WPA3 security mode can be configured as Enterprise. |
| PMF | Options include None, Mandatory mode, and Optional mode. Selecting None means disabling PMF. This feature cannot be configured when the WPA3 security mode is set to Enterprise Only. |
| AKM Mode | When the security IE is set to RSN, OSEN, WPA, or All, the AKM mode can be configured. |
| Authenticated Mode | When the security IE is set to None, RSN, WPA, or All, the authenticated mode can be configured. |

 

Table 3 Radio parameters

| Parameter | Description |
| --- | --- |
| NAS-ID | Specify a NAS-ID when binding the service policy to a radio, a case-insensitive string of 1 to 63 characters. Spaces are not allowed. |
| VLAN ID | Specify the VLAN ID when binding the service policy to a radio, in the range of 1 to 4094. The value range varies by device model. If the specified VLAN does not exist, the system creates the VLAN when a client comes online through the service policy. |
| VLAN Group | Specify the VLAN group when binding the service policy to a radio, a case-insensitive string of 1 to 16 characters. |
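The value constraints in Tables 2 and 3, together with the 6 GHz remark under Radio Batch Configuration, can be checked offline before a service policy is entered in WSM. The following Python is an added example, not part of the H3C guide or of WSM: the dict keys, function names, and sample policies are constructed for illustration, and the "warn" findings are hardening advice added here rather than rules stated in the guide.

```python
import re

# Constraint tables transcribed from Table 2 of this guide.
CIPHERS_BY_IE = {
    "None": {"WEP40", "WEP104", "WEP128"},
    "RSN": {"TKIP", "CCMP", "GCMP"},
    "WPA": {"TKIP", "CCMP"},
    "OSEN": {"TKIP", "CCMP"},
    "All": {"TKIP", "CCMP"},
}
WEP_KEY_LEN = {"WEP40": 5, "WEP104": 13, "WEP128": 16}
WPA3_BY_CIPHER = {
    "CCMP": {"SAE Mandatory", "SAE Optional", "Enterprise Only"},
    "GCMP": {"Enterprise"},
}


def check_policy(p, band_6ghz=False):
    """Return (severity, message) findings for one service policy dict.

    The dict keys (ssid, vlan, security_ie, cipher, key, enhanced_open,
    wpa3_mode, pmf) are hypothetical names chosen for this example.
    """
    out = []
    ssid = p.get("ssid", "")
    if not ssid or len(ssid) > 32:
        out.append(("error", "SSID is required and cannot exceed 32 characters"))
    vlan = p.get("vlan", 1)  # the guide gives 1 as the default VLAN
    if not isinstance(vlan, int) or not 1 <= vlan <= 4094:
        out.append(("error", "VLAN must be in the range 1 to 4094"))

    ie = p.get("security_ie", "None")  # None is the documented default
    cipher, wpa3 = p.get("cipher"), p.get("wpa3_mode")
    enhanced_open = bool(p.get("enhanced_open"))
    if ie not in CIPHERS_BY_IE:
        out.append(("error", f"unknown security IE {ie!r}"))
        return out

    if enhanced_open:
        if ie != "None":
            out.append(("error", "enhanced open system authentication needs security IE None"))
        if cipher is not None:
            out.append(("error", "cipher suite cannot be set with enhanced open system authentication"))
    elif cipher is not None and cipher not in CIPHERS_BY_IE[ie]:
        out.append(("error", f"cipher {cipher} is not available with security IE {ie}"))

    if cipher in WEP_KEY_LEN:
        n = WEP_KEY_LEN[cipher]
        if not re.fullmatch(r"[A-Za-z0-9]{%d}" % n, p.get("key", "")):
            out.append(("error", f"{cipher} key must be {n} letters and digits"))
        # Hardening advice added by this example, not a rule from the guide.
        out.append(("warn", f"{cipher} is cryptographically broken; use RSN with CCMP or GCMP"))
    elif cipher == "TKIP":
        out.append(("warn", "TKIP is deprecated; use CCMP or GCMP"))
    elif ie == "None" and not enhanced_open:
        out.append(("warn", "open SSID without encryption"))

    if wpa3 is not None:
        if ie != "RSN" or cipher not in WPA3_BY_CIPHER:
            out.append(("error", "WPA3 security mode needs security IE RSN with CCMP or GCMP"))
        elif wpa3 not in WPA3_BY_CIPHER[cipher]:
            out.append(("error", f"WPA3 mode {wpa3} is not available with cipher {cipher}"))
    if "pmf" in p and wpa3 == "Enterprise Only":
        out.append(("error", "PMF cannot be configured when WPA3 mode is Enterprise Only"))
    if band_6ghz and not (enhanced_open or wpa3):
        out.append(("error", "6 GHz radio needs enhanced open system authentication or WPA3"))
    return out


def check_binding(b):
    """Check radio-binding values against Table 3 (keys are hypothetical)."""
    out = []
    nas, group, vid = b.get("nas_id"), b.get("vlan_group"), b.get("vlan_id")
    if nas is not None and (not 1 <= len(nas) <= 63 or " " in nas):
        out.append(("error", "NAS-ID must be 1 to 63 characters without spaces"))
    if vid is not None and not 1 <= vid <= 4094:
        out.append(("error", "VLAN ID must be in the range 1 to 4094"))
    if group is not None and not 1 <= len(group) <= 16:
        out.append(("error", "VLAN group must be 1 to 16 characters"))
    return out


# Constructed sample policies: (policy, bound to a 6 GHz radio?)
SAMPLES = {
    "corp-wpa3": ({"ssid": "corp", "security_ie": "RSN", "cipher": "CCMP",
                   "wpa3_mode": "SAE Mandatory", "pmf": "Mandatory"}, True),
    "legacy-wep": ({"ssid": "scanner", "cipher": "WEP40", "key": "abc12"}, False),
    "bad-mix": ({"ssid": "lab", "security_ie": "WPA", "cipher": "GCMP",
                 "wpa3_mode": "Enterprise"}, False),
    "6g-wpa2": ({"ssid": "hall", "security_ie": "RSN", "cipher": "CCMP"}, True),
}


def lint_all(samples=SAMPLES):
    """Run check_policy over every sample and return {name: findings}."""
    return {name: check_policy(p, six) for name, (p, six) in samples.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "OK" if not findings else findings)
```

An "error" finding marks a combination the guide says cannot be configured; a "warn" finding marks a combination the guide allows but that relies on WEP, TKIP, or an unencrypted open SSID.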

 

Fit APs

Perform this task to configure fit AP templates for easy fit AP configuration.

Remarks

·     This feature is not supported by third-party wireless devices.

·     After you enable the auto AP feature for the AC, fit APs can automatically connect to the AC. After the connections succeed, WSM generates a temporary fit AP template in the fit AP list of the current AC. To change the temporary template to permanent configuration, click Convert auto APs to manual AP on the Management > Wireless Management > Fit APs page. If you do not convert auto APs to manual APs, the temporary fit AP template will be automatically deleted when the auto-connected fit APs go offline.

·     Deleting a fit AP template deletes all information related to the template.

·     Only a CSV file can be imported. The file must be encoded in ANSI.

·     Serial numbers are used as keywords for importing. If a serial number in the file is already used by an AP, WSM updates information for the AP. If a serial number is not used by any AP, WSM adds the serial number.

·     The exported fit AP templates are saved in a CSV file.

Features

·     Add Fit AP Template

Click Add to open the Add AP Template page. Enter basic fit AP information, and then click OK.

·     Edit Fit AP Template

Click the  icon in the Actions column for a fit AP template to access the Edit AP Template page, where you can make changes as needed.

·     Delete Fit AP Templates

Select the fit AP templates you want to delete, and then click Delete.

·     Import AP Templates

a.     Click Import to open the Import AP Template page.

b.     Click the Download Import File Template link to download the import template locally. Fill in the corresponding information according to the template and save it.

c.     Click the Upload files button and select the file.

d.     Click the Next button to import the fit AP templates and display the operation result.

·     Export Fit AP Templates

Click Export All to export all templates into a CSV file and then save the file locally.

·     Bulk AP Name Change

a.     Click the Bulk AP Name Change button to access the Bulk AP Name Change page.

b.     Click the Download Import File Template link to download the import template locally.

c.     After filling in the current AP names and new AP names in the template, click the Upload files button and select the file.

d.     Click the Next button to perform bulk AP name changes and display the operation results.

·     Synchronize Fit AP Labels

a.     Select the fit AP templates to be synchronized.

b.     Click Synchronize AP Label, and then select the synchronization method.

·     View AP Details

Click the link in the AP Label column for a fit AP on the fit AP list to access the Fit AP Details page.

Parameters

Table 4 Parameters for adding/editing a fit AP template

Parameter

Description

AP Name

An AP is a template before it comes online and cannot provide services. You can specify this parameter to identify an AP template by AP name. The value cannot exceed 64 characters and can contain only letters, digits, and underscores (_). This field cannot be empty.

Serial Number

Specify the serial number of the AP. The length cannot exceed 32 characters.

Model

Select the models of the APs to be added. You must select the AP models supported by the AC.

Connection Priority

Specify the connection priority of the APs connected to the AC. The value range is 0 to 7. This field is required. By default, the connection priority is 4.

Client Idle-Timeout Interval(s)

Idle-timeout interval (in seconds) when the AP and client send requests to each other. The value range is 60 to 86400, and the field cannot be empty.

Client Keepalive Interval(s)

Interval at which an AP sends keepalive packets to clients. The value range is 3 to 1800, in seconds.

Description

The value cannot exceed 64 characters.

Synchronize AC

Synchronize the added or modified fit AP template to all ACs in the selected AC group.

AC Group

AC group to which configuration is synchronized.

Other Connection Priority

Connection priority of an AP connected to other ACs in the AC group. The value range is 0 to 7, and this field cannot be empty. By default, the connection priority is 4. This option is available only when the Synchronize AC option is selected.

 

Fit AP Group Management

Perform this task to add fit APs to a fit AP group for easy management.

Prerequisites

·     Before you add or manage AP groups, make sure NETCONF is configured.

·     Only devices running V500R001B64D029SP50 or later versions and configured with NETCONF can be configured with NAS-IDs.

Features

·     Add Fit AP Group

a.     Click Add to open the page for adding a fit AP group.

b.     Enter a name and a description for the fit AP group you want to add.

c.     Click OK.

·     Edit Fit AP Group

a.     Click the Edit icon to open the page for editing a fit AP group.

b.     Enter basic information for the target fit AP, and then click OK. Some parameters cannot be edited.

·     Delete Fit AP Group

a.     Click the Delete icon for the fit AP group you want to delete.

b.     In the dialog box that opens, click OK.

·     AP List Management

Click the icon in the Actions column of the list to access the AP List Management page.

AP List Management

On the AP list management page, you can manage fit APs in the corresponding fit AP group.

On the fit AP group management page, click the icon in the Actions column for the fit AP group to access this page.

Features

·     Add Fit APs to Group

a.     Click Add to open the page for adding fit APs.

b.     Select the fit APs that you want to add to the fit AP group.

c.     Click OK.

·     Remove Fit APs from Group

a.     Select one or more fit APs to be removed, and then click Delete.

b.     Click OK.

·     Match Rules

Click the Match Rules button to access the rule matching page, where you can preset matching rules for AP groups.

·     Configuration

Click the Configuration button to access the configuration deployment page, where you can preset radio configurations or service template configurations.

Match Rules

This feature allows you to create AP grouping rules. The priorities of the following rules are in descending order:

1.     AP name rules.

2.     AP serial number rules.

3.     AP MAC address rules.

4.     IPv4 address or IPv6 address rules.

If an AP does not match any grouping rules, it will be assigned to the default group.

Remarks

You cannot create grouping rules for the default group.

Parameters

Table 5 Match rule parameters

Parameter

Description

AP Name matching

Create an AP grouping rule by AP name.

·     An AP name is a case-sensitive string of 1 to 64 characters. Only letters, digits, and special characters _.[]/- are allowed.

·     If an AP name has been configured as a grouping rule for another group, this operation removes the existing rule.

AP MAC Address matching

Create an AP grouping rule by AP MAC address.

·     If an AP MAC address has been configured as a grouping rule for another group, this operation removes the existing rule.

·     You can configure multiple AP MAC address rules for an AP group.

·     The MAC address of a virtual AP is the MAC address of the physical AP on which the virtual AP resides.

AP Serial matching

Create an AP grouping rule by AP serial number.

·     An AP serial number is a string of 1 to 63 characters. Only uppercase letters are supported. If you enter lowercase letters, the system automatically changes them to uppercase letters.

·     If an AP serial number has been configured as a grouping rule for another group, this operation removes the existing rule.

·     You can configure multiple AP serial number rules for an AP group.

·     The serial number of a virtual AP is the serial number of the physical AP on which the virtual AP resides.

AP IPv4 matching

Create an AP grouping rule by IPv4 subnet. An AP using an IPv4 address in the specified address range joins the AP group.

·     Both the IPv4 address and the subnet mask use the dotted decimal notation format. The mask value range is 1 to 31 in CIDR notation.

·     The IPv4 address ranges specified for a group or different groups cannot overlap with or include each other.

·     You can create a maximum of 32 IPv4 address rules for an AP group.

·     You can create IPv4 and IPv6 address rules for the same AP group.

AP IPv6 matching

Create an AP grouping rule by IPv6 subnet. An AP using an IPv6 address in the specified address range joins the AP group.

·     The IPv6 address uses the colon-separated hexadecimal notation format. The prefix value range is 1 to 128.

·     The IPv6 address ranges specified for a group or different groups cannot overlap with or include each other.

·     You can create a maximum of 32 IPv6 address rules for an AP group.

·     You can create IPv4 and IPv6 address rules for the same AP group.
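The following added example (not part of H3C WSM or this guide) models the rule priority and the Table 5 constraints in Python so that a planned rule set can be checked before it is entered on the Match Rules page. The group names, dictionary layout, function names, and sample values are constructed for illustration, and the label used for the default group is a placeholder.

```python
import ipaddress
import re

AP_NAME_RE = re.compile(r"[A-Za-z0-9_.\[\]/-]{1,64}")  # characters allowed by Table 5
MAX_IP_RULES = 32          # per address family and AP group (Table 5)
DEFAULT_GROUP = "default"  # placeholder label for the default group


def norm_mac(mac):
    """Reduce a MAC address to 12 uppercase hex digits so formats compare equal."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def exact_keys(rules):
    """Normalized (rule_type, value) pairs for the name, serial and MAC rules."""
    return (
        [("name", n) for n in rules.get("name", [])]                # case-sensitive
        + [("serial", s.upper()) for s in rules.get("serial", [])]  # stored uppercase
        + [("mac", norm_mac(m)) for m in rules.get("mac", [])]
    )


def subnets(rules):
    """IPv4 and IPv6 subnet rules of one group as ipaddress network objects."""
    return [ipaddress.ip_network(t, strict=False) for t in rules.get("subnet", [])]


def validate_rules(groups):
    """Return the problems found in {group: {rule_type: [values]}}."""
    problems, owner_of, all_nets = [], {}, []
    for group, rules in groups.items():
        if group == DEFAULT_GROUP and any(rules.values()):
            problems.append("the default group cannot have grouping rules")
        for name in rules.get("name", []):
            if not AP_NAME_RE.fullmatch(name):
                problems.append(f"{group}: AP name {name!r} breaks the naming rule")
        for key in exact_keys(rules):
            # Re-using a value does not fail: it removes the rule from the other group.
            if owner_of.get(key, group) != group:
                problems.append(f"{group}: {key[0]} rule {key[1]} would remove "
                                f"the same rule from {owner_of[key]}")
            owner_of[key] = group
        nets = subnets(rules)
        for version, max_prefix in ((4, 31), (6, 128)):
            family = [n for n in nets if n.version == version]
            if len(family) > MAX_IP_RULES:
                problems.append(f"{group}: more than {MAX_IP_RULES} IPv{version} rules")
            problems += [f"{group}: prefix length of {n} is out of range"
                         for n in family if not 1 <= n.prefixlen <= max_prefix]
        for net in nets:
            # Ranges may not overlap within a group or across groups.
            problems += [f"{group}: {net} overlaps {other} in {owner}"
                         for other, owner in all_nets
                         if other.version == net.version and other.overlaps(net)]
            all_nets.append((net, group))
    return problems


def assign_group(ap, groups):
    """Return (group, matched_rule_type) for an AP given as name/serial/mac/ip."""
    ap_keys = {"name": ap.get("name"),
               "serial": (ap.get("serial") or "").upper(),
               "mac": norm_mac(ap["mac"]) if ap.get("mac") else None}
    ap_ip = ipaddress.ip_address(ap["ip"]) if ap.get("ip") else None
    # The outer loop is the rule type: a name rule in any group beats a serial
    # rule in any other group, and so on down the priority order.
    for rule_type in ("name", "serial", "mac"):
        for group, rules in groups.items():
            if (rule_type, ap_keys[rule_type]) in exact_keys(rules):
                return group, rule_type
    if ap_ip is not None:
        for group, rules in groups.items():
            if any(ap_ip in net for net in subnets(rules)):
                return group, "subnet"
    return DEFAULT_GROUP, "none"


# Constructed sample rule set, not taken from a real deployment.
GROUPS = {
    "lobby":     {"name": ["ap-lobby-01"]},
    "warehouse": {"serial": ["219801a0abc0001"], "subnet": ["10.30.0.0/16"]},
    "floor2":    {"mac": ["38-97-D6-E0-E6-40"],
                  "subnet": ["10.20.5.0/24", "2001:db8:5::/64"]},
}

if __name__ == "__main__":
    print(validate_rules(GROUPS))
    ap = {"name": "ap-x", "serial": "219801A0ABC0001", "ip": "10.20.5.9"}
    print(assign_group(ap, GROUPS))  # serial rule wins over the subnet rule
```

Because the group decides which predefined radio, service, and port VLAN settings an AP receives, running the planned rules through a check like this shows which rule actually places each AP.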

 

Configuration

·     Radio Configuration

·     Service Configuration

·     Interface VLAN Configuration

Radio Configuration

This feature allows you to configure predefined radio settings. Once an AP joins an AP group, the system deploys the predefined radio settings to the AP if the group has configured radio settings for the AP model.

Remarks

·     When you delete radio settings, the system also deletes the radio settings for the corresponding AP model.

·     Because some countries or regions do not allow the activation of wireless communication devices in the 6 GHz band, the radio for this band cannot be configured under the corresponding Country/Region Code. If a radio operating in the 6 GHz band is required, the service policy bound to the radio must enable the enhanced open system authentication service or configure the WPA3 security mode.

Features

·     Add radio configuration

a.     Click Add.

b.     Configure radio parameters.

c.     Click OK.

·     Edit radio configuration

a.     Click the Edit icon for the radio configuration entry to be edited.

b.     Configure the radio parameters.

c.     Click OK.

·     Delete radio configuration

a.     Click the Delete icon for the radio configuration entry to be deleted.

b.     In the confirmation dialog box that opens, click OK.

·     Reset radio configuration

Click the icon in the Actions column for a radio on the list. In the confirmation dialog box that opens, click OK to restore that radio to its default settings.

Parameters

Table 6 Radio configuration parameters

Parameter

Description

AP Model

AP model.

Radio ID

Radio ID. The value range varies by AP model.

Radio Type

Radio type. The available options vary by AP model.

Channel Band Width

This field is available only for 802.11n, 802.11ac, 802.11gac, 802.11ax, and 802.11gax radios.

Radio Status

Enabling status of the radio.

Channel in Use

Working channel of the radio. The value range depends on the region code and radio type.

Preamble Type

This field is available only for 802.11b, 802.11g, and 802.11gn radios.

Max Transmission Power

Maximum transmit power of the radio. The value range depends on the region code, channel, AP model, radio type, antenna type, and bandwidth. For more information, see the device manual.

A-MPDU Enable

Select whether to enable A-MPDU. This field is available only for 802.11n, 802.11ac, 802.11gac, 802.11ax, and 802.11gax radios.

A-MSDU Enable

Select whether to enable A-MSDU. This field is available only for 802.11n, 802.11ac, 802.11gac, 802.11ax, and 802.11gax radios.

Short GI Enable

Select whether to enable Short GI. This field is available only for 802.11n, 802.11ac, 802.11gac, 802.11ax, and 802.11gax radios.

Power Lock Down

Select whether to lock the transmit power.

Client Dot11n Only

·     Yes: Enable this feature to allow only clients running the 802.11n, 802.11ac, and 802.11ax protocols to access this AP.

·     No: Disable this feature to allow any clients to access this AP regardless of their protocols.

·     Do not deploy: Select this option to prevent deploying the configuration to the device, regardless of whether the device supports the attribute.

Client Dot11ac Only

·     Yes: Enable this feature to allow only clients running the 802.11ac and 802.11ax protocols to access this AP.

·     No: Disable this feature to allow any clients to access this AP regardless of their protocols.

·     Do not deploy: Select this option to prevent deploying the configuration to the device, regardless of whether the device supports the attribute.

 

Service Configuration

This feature allows you to configure predefined service templates. After an AP is added to this fit AP group, if the corresponding AP model service template exists in the group, the preset service template will be bound to the AP's radio.

Features

·     Add service templates

a.     Click Add.

b.     Configure service template parameters.

c.     Click OK.

·     Delete service templates

a.     Click the Delete icon for the service template to be deleted.

b.     In the confirmation dialog box that opens, click OK.

Parameters

Table 7 Service template parameters

Parameter

Description

AP Model

AP model.

Radio ID

Radio ID. The value range varies by AP model.

Policy Name

Name of the service template (service policy).

Vlan ID

VLAN ID specified for the service template, in the range of 1 to 4094.

Hide SSID

Select whether to hide the SSID of the bound service template.

 

Interface VLAN Configuration

This feature allows you to configure predefined port VLAN settings. Once an AP joins an AP group, the system deploys the predefined port VLAN settings to the AP if the group has a configured port VLAN template for the AP model.

Features

·     Add AP Model

a.     Click Add AP Model.

b.     Select an AP model.

c.     Click OK.

·     Edit Interface

a.     Click the Edit icon for the port VLAN entry to access the page for editing the port VLAN.

b.     Edit the parameters as needed.

c.     Click OK to edit the port VLAN configuration.

Parameters

Table 8 Interface VLAN configuration parameters

Parameter

Description

Model

Type of the port.

Interface Index

Index of the port.

Interface Link Type

Specify how a switch interface processes VLAN traffic. Options include Access, Hybrid, and Trunk.

The parameters to be configured vary by the selected type.

Access VLAN

Assign an Access port to a VLAN. You can configure only one VLAN ID. If you leave this field empty, the default Access VLAN is 1.

Trunk PVID

Specify the VLAN for untagged frames received by a Trunk port.

Trunk VLAN List

Specify the list of VLAN IDs permitted on a Trunk port. You can enter multiple VLAN IDs.

Hybrid PVID

Specify the VLAN for untagged frames received by a Hybrid port.

Hybrid VLAN List (tagged)

Specify the list of VLAN IDs whose packets can pass through a Hybrid port with tags (tagged) during forwarding.

Hybrid VLAN List (untagged)

Specify the list of VLAN IDs whose packets can pass through a Hybrid port without tags (untagged) during forwarding.

If the same VLAN exists in both the tagged list and the untagged list, only the configuration in the untagged list takes effect.

Interface Isolate

Enable or disable port isolation.

Join Link-aggregation Group

Specify whether to assign the interface to an aggregation group. After joining an aggregation group, the interface inherits the settings configured for the group.

Qos Trust

Port priority trust mode.

·     dot1p: Trusts the 802.1p priority carried by the packet and performs priority mapping according to this priority.

·     dscp: Trusts the DSCP carried by the IP packet and performs priority mapping according to this priority.

·     Disable: Disables the trust mode. In this case, the port ignores the priority tags carried in packets and uses the default priority.

Qos Priority

The priority of an interface determines the interface selection priority during conflicts. The valid value range is 0 to 7. A lower value indicates a higher priority.

Bringup Interface

Enable or disable an Ethernet port.

 

Virtual APs

Perform this task to view information about all virtual APs and import virtual APs in bulk.

Remarks

Make sure NETCONF settings have been configured on the AC.

Features

·     Add or edit a virtual AP

a.     Click Add to add a virtual AP, or click the Edit AP Template icon for the target AP in the Actions column.

b.     Configure basic virtual AP information, and then click OK.

·     Delete virtual APs

Select virtual APs to be deleted and then click Delete.

·     Import virtual APs

a.     Click Import.

b.     Click Upload files and select the CSV file to be imported.

c.     Click Next.

Parameters

Table 9 Parameters for adding or editing virtual APs

Parameter

Description

AP Name

The valid length is 1 to 64 characters.

Serial Number

Virtual AP serial number. If this virtual AP was added on the device at the CLI and has no serial number configured, this field will display Not configured.

Model

AP model. Select the supported AP model for the current wireless controller from the dropdown menu.

Detailed Description

For a Comware 7 version, the description can contain up to 499 characters. For a Comware 9 version, the description can contain up to 64 characters. The actual length range varies by device model.

Virtual AP Upgrade

·     During CAPWAP tunnel establishment, if virtual AP upgrade is supported and the AP's software version does not match the one saved in the APDB, the AP must download the corresponding software image file from the AC for a version upgrade before establishing a CAPWAP tunnel connection to the AC.

·     During CAPWAP tunnel establishment, if virtual AP upgrade is not supported, the AC will not compare whether the AP's current software version matches the one saved in the APDB and will directly establish a CAPWAP tunnel connection to the AP.

 

VLAN Group Management

Perform this task to manage VLAN groups. A VLAN group is a collection of VLANs. Multiple VLAN lists can be added to a VLAN group, where each VLAN list represents a set of consecutive VLAN IDs.

Features

·     Add VLAN Group

Click the Add button, enter the VLAN group name and members in the dialog box that opens, and then click OK.

·     Edit VLAN Group

Click the icon in the Actions column for a VLAN group, edit the group members in the dialog box that opens (the group name cannot be edited), and then click OK to save the configuration.

·     Delete VLAN Group

Click the icon in the Actions column for a VLAN group, or select one or more entries and click the Delete button. Then, click OK in the confirmation dialog box that opens to delete the corresponding data.

Parameters

Parameter

Description

VLAN Group Name

Name of the VLAN group, which is a case-sensitive string of 1 to 31 characters and must begin with a letter.

VLAN List

VLAN list. Format: Use a hyphen (-) to indicate a range and separate ranges with commas (,). Valid values range from 1 to 4094. Example: 1-10,20,30.
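The following added example (not H3C code) parses the VLAN list format described above and applies the Interface VLAN Configuration rule that a VLAN present in both the tagged and untagged Hybrid lists is forwarded untagged only. It assumes the Hybrid list fields accept the same range syntax as a VLAN group list; the function names and sample values are constructed.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_ENTRY = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)  # "20" or "1-10"


def parse_vlan_list(text):
    """Parse a list such as '1-10,20,30' into sorted VLAN IDs, validating 1-4094."""
    vlans = set()
    for part in text.split(","):
        match = _ENTRY.fullmatch(part.strip())
        if not match:
            raise ValueError(f"malformed VLAN list entry: {part!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            # Rejecting descending ranges is this example's choice, not a page rule.
            raise ValueError(f"descending range: {part!r}")
        if start < VLAN_MIN or end > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {part!r}")
        vlans.update(range(start, end + 1))
    return sorted(vlans)


def format_vlan_list(vlans):
    """Collapse VLAN IDs back into the 'a-b,c' form, merging consecutive IDs."""
    parts, start, prev = [], None, None
    for vid in sorted(set(vlans)) + [None]:  # the trailing None flushes the last run
        if start is not None and vid == prev + 1:
            prev = vid
            continue
        if start is not None:
            parts.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = vid
    return ",".join(parts)


def effective_hybrid(tagged_text, untagged_text):
    """Resolve a Hybrid port's lists: a VLAN in both lists leaves untagged only."""
    tagged = set(parse_vlan_list(tagged_text)) if tagged_text.strip() else set()
    untagged = set(parse_vlan_list(untagged_text)) if untagged_text.strip() else set()
    return {
        "tagged": format_vlan_list(tagged - untagged),
        "untagged": format_vlan_list(untagged),
        # VLANs the operator listed as tagged that will actually leave untagged
        "shadowed": format_vlan_list(tagged & untagged),
    }


if __name__ == "__main__":
    # Constructed sample input: VLANs 15-17 appear in both lists.
    print(effective_hybrid("10-20,100", "15-17,200"))
```

A non-empty "shadowed" value marks VLANs whose frames leave the port without a tag even though they were entered in the tagged list, which is worth reviewing before the port VLAN template is deployed to an AP model.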

 

Fit APs

A fit Access Point (AP) is an AP that is centrally managed by an AC. In this architecture, the AP itself does not require independent configuration or management, because all management tasks are handled by the AC. The AP is responsible for data forwarding and signal coverage.

Remarks

The number of APs that can be used is limited by the authorized license count. If the added AP quantity exceeds the authorized AP license count, the excess APs will not be displayed in the list on the fit APs or cloud APs page.

Features

·     Export All

Click the Export All button to directly export all fit AP data displayed in the system.

·     Convert auto APs to manual AP

Click the Convert Auto APs to Manual AP button to access the Convert Auto APs to Manual AP page.

·     AP Access Ports

Click the AP Access Ports button to access the AP access ports page.

·     View Fit AP Details

Click the link in the AP Label column for a fit AP on the fit AP list to access the Fit AP Details page.

·     View Clients

Click the link in the Clients column for a fit AP on the fit AP list to access the Clients page, where you can view detailed information about clients associated with that fit AP.

·     Edit AP Template

Click the icon in the Actions column for a fit AP to access the Edit AP Template page, and edit parameters as needed.

·     AP Monitor

Click the icon in the Actions column for a fit AP to view performance and status metrics of the AP in the window that opens, along with network traffic monitoring for the radios bound to the AP.

Convert auto APs to manual AP

To facilitate the conversion of automatic APs, WSM now supports batch conversion of multiple auto APs at once, in addition to manually converting separate auto APs.

Remarks

·     If no new name is entered for the selected auto APs in the list, the system will use their MAC addresses (containing only digits and letters) as the new AP names by default. Example: 3897D6E0E640.

·     Only the auto APs on the current page can be converted.

Procedure

a.     Select the auto APs to be converted.

b.     Enter a new AP name.

c.     Click OK.

AP Access Ports

Remarks

·     WSM can uniquely determine which switch and port an AP connects to. In this case, the connection status in the AP access port list displays Direct Connection. If the AP is found connected to multiple switches and its exact connection point cannot be determined, the status displays Non-Direct Connection.

·     To view the access port of a PoE switch directly connected to the AP, you must add the PoE switch into the system.

·     For fit APs and cloud APs operating in client mode, AP port management cannot accurately obtain their information.

·     AP interface information is obtained from Layer 2 network topology. To ensure data accuracy (though not guaranteed at 100%), make sure the associated switch is added to Unified Platform and has LLDP enabled.

Features

·     Collect Data

Click the Collect Data button to initiate AP access port data collection. Refresh the page later to view the results.

·     Export

Click the Export button to export the AP access port data matching the current search criteria and displayed on the page in Excel file format.

Fit AP Details

On the fit AP details page, you can view basic information about the fit AP, client information, radio information, warning message, group information, etc. 

Remarks

·     The label is a custom name defined in the environment and bound to the serial number. After you edit the AP label, the new value will not be deployed to the device. It only takes effect in the current environment.

·     Due to differences in fit AP configurations, the information displayed on the fit AP details page might vary.

Features

On the Fit AP Details tab, you can perform the following operations:

·     On the Device Details tab, you can view basic information about the cloud AP, such as its logical faceplate, interface list, etc.

·     On the Fit AP Details tab, you can perform the following actions:

¡     Edit AP Label

In the Basic Information area, click the button next to the AP label, edit the AP label in the window that opens, and then click OK to save the configuration.

¡     Edit Radio Configuration

In the Radio Information area, click the button in the Actions column of the list to adjust radio parameters as needed, and then click OK to save the configuration.

¡     Edit AP Wired Port Configuration

In the AP Wired Port Information area, click the button in the Actions column of the list to edit wired port settings as needed, and then click OK to save the configuration.

·     On the Warning Message tab, you can view alarm messages generated by the AP.

·     On the Group Information tab, you can check the resource details of the AP and its assigned group.

Cloud AP

Remarks

The number of APs that can be used is limited by the authorized license count. If the added AP quantity exceeds the authorized AP license count, the excess APs will not be displayed in the list on the fit APs or cloud APs page.

Features

·     Synchronize

Select one or more data entries, and click the Synchronize button to synchronize the latest data on the device.

·     Export All

Click the Export All button to export cloud AP data matching the current search criteria and displayed on the page.

·     AP Access Ports

Click the AP Access Ports button to access the AP Access Ports page.

·     Service Policy Management

Click the icon in the Actions column of the list to access the Service Policy Management page.

·     View AP Details

Click the link in the Device Label column of the cloud AP list to access the Cloud AP Details page.

·     View Clients

Click the link in the Clients column of the cloud AP list to access the Clients page, where you can view detailed information about clients associated with that cloud AP.

Cloud AP Details

On the cloud AP details page, you can view the device details, alarm messages, group information, and wireless information of the cloud AP.

Remarks

·     The information displayed on the cloud AP details page varies depending on the cloud AP configuration.

·     Because some countries or regions do not allow the activation of wireless communication devices in the 6 GHz band, the radio for this band cannot be configured under the corresponding Country/Region Code. If a radio operating in the 6 GHz band is required, the service policy bound to the radio must enable the enhanced open system authentication service or configure the WPA3 security mode.

Features

·     On the Wireless Information tab, you can view device information, global parameter information, client information, and radio information, and edit radio configurations.

¡     Edit radio configuration: In the radio information module, click the Edit icon in the Actions column of the list to edit radio configuration parameters, and then click OK to save the configuration.

·     On the Group Information tab, you can view the resource information of the cloud AP and its group.

·     On the Alarm Information tab, you can view the alarm messages generated by the cloud AP.

·     On the Device Details tab, you can view basic information, logical faceplate, interface list, and other information of the cloud AP.

¡     Basic Info

On the basic information page, click the Edit icon next to the parameter to edit the corresponding information.

¡     Logical Faceplate

On the logical faceplate page, the operational status of the device's hardware components is displayed, including physical interfaces, power supplies, and fans.

¡     Interface List

On the interface list page, the interface information and status of the device are displayed.

Click the link in the Interface Name column of the list to view detailed information about the interface in the window that opens. In that window, click the Edit icon next to the parameter to edit the corresponding information.

¡     IP Address Table

On the IP address table page, the IP address information and subnet mask corresponding to the device's interfaces are displayed.

¡     Aggregate Interface Table

On the aggregate interface table page, the aggregate interface information of the device is displayed, where member interfaces represent all physical interfaces that form the aggregate interface.

¡     ARP Table

Click the Sync ARP Information button to synchronize the latest ARP information on the device.

¡     MAC Address Table

Click the Sync MAC Information button to synchronize the latest MAC information on the device.

Radios

In a wireless network, a close relationship exists between APs and radios. Within an AP, the radio is the component responsible for transmitting and receiving wireless signals. An AP might contain one or more radio modules, supporting different frequency bands and implementing various wireless communication standards. The performance and coverage area of an AP are typically closely related to the quantity and quality of its radios.

On this page, you can manage all radios of APs in the system, allowing operations such as synchronization and editing, as well as querying radio information based on different criteria.

Remarks

·     For advanced query, all query criteria are ANDed. Fuzzy match is supported for the AC label and host AP label fields. If you select the AC label as the query criterion, no radios of fat APs are queried.

·     Only devices running V500R001B64D029SP50 or later versions and configured with NETCONF can be configured with NAS-IDs.

·     Because some countries or regions do not allow the activation of wireless communication devices in the 6 GHz band, the radio for this band cannot be configured under the corresponding Country/Region Code. If a radio operating in the 6 GHz band is required, the service policy bound to the radio must enable the enhanced open system authentication service or configure the WPA3 security mode.

·     After you add or delete a service template, you must synchronize the AC to update whether it is from an AP Group.

·     After you edit the radio configuration on other pages, synchronize the AC to update the corresponding radio information on the radios page.

·     The radio type, channel in use, and max transmission power all depend on the country/region code configured for the AC. After you edit the country/region code for the AC, update the radio parameters promptly to avoid invalid values caused by the new country/region code.

·     The device does not display the channel utilization for radios on virtual APs.

Features

·     Synchronize

Click the Synchronize button to synchronize the latest channel usage data on the AP.

·     Edit Radio Configuration

Click the icon in the Actions column for a radio to access the page for editing radio configuration parameters. Adjust the settings as needed, then click OK to save the changes.

·     Edit the radio status

Click the icon in the Actions column to edit the radio status.

Energy Policy

Perform this task to configure energy policies that start and stop APs, AP radios, and SSID services as planned.

Remarks

·     Only energy policy information that can be viewed by the current tenant is displayed.

·     You cannot delete an energy policy in Waiting state.

·     Energy policies in Waiting or Finished state cannot be edited.

·     As a best practice, reserve an appropriate interval, such as 10 minutes, between the start time of the policy and the current time to ensure that the policy can be executed promptly.

·     When you select APs on the Add Energy Policy page, follow these restrictions and guidelines:

¡     If active and backup APs exist but you do not specify an AC in the search criteria, only the active APs are displayed. After you select an active AP, the energy policy takes effect only on the active AP.

¡     To view and select a backup AP, you must specify the AC connected to it in the search criteria.

·     When a large number of devices exist, the policy execution time might differ from the configured time. This does not affect policy execution.

Features

·     Add an Energy Policy

a.     Click Add to open the energy policy adding page.

b.     Configure the energy policy parameters.

c.     In the AP List/Fit AP Radio List/Cloud AP Radio List, click Add to open the respective query page.

d.     Select an AP or radio. The page closes automatically after your selection.

e.     Click OK.

·     Edit an Energy Policy

a.     In the energy policy list, click the icon in the Actions column for a policy to open the policy editing page.

b.     Edit the energy policy parameters.

c.     Click OK.

·     Delete an Energy Policy

a.     In the energy policy list, click the icon in the Actions column for a policy to open the confirmation dialog box.

b.     Click OK.

·     View Energy Policy Details

Click the link in the Policy Name column for a policy to open the energy policy detail page.

Parameters

Table 10 Energy policy parameters

Parameter

Description

Policy Name

The maximum length for the value is 32 characters.

Policy Type

·     Start/Stop AP: This feature can restart APs by disabling or enabling the PoE powering, and is only available for devices whose AP access ports support PoE. If an AP is stopped, you cannot use the AP to connect to the wireless network.

·     Start/Stop Radio: If a radio is stopped, you cannot use the radio to connect to the wireless network.

·     Start/Stop SSID: This feature can bind or unbind the selected SSID to or from the radio.

SSID

If the policy type is Start/Stop SSID, you must select an SSID.

Click Select SSID to open the SSID query page. Select an SSID and click OK.

Execution Mode

Available execution modes include One-off and Periodical. The one-off execution modes include Start/Stop, Start, and Stop.

Execution Period

If you select periodical execution, configure the execution period as Every Day, Every Week, or Every Month.

Started at/Stopped at

·     If the execution mode is selected as one-off, the time format is yyyy-mm-dd hh:mm:ss.

·     If the execution mode is selected as periodical, the time format is hh:mm:ss.

The execution time of a one-off scheduled task cannot be earlier than the current time, and the start time cannot be the same as the stop time.

Always Effective

If you select periodical execution, set whether the execution is always effective. If not, configure the time for the Validated at and Expired at fields.

Validated at/Expired at

Set the valid time and expiry time as yyyy-mm-dd hh:mm:ss.

The valid time and the expiry time cannot be earlier than the current time. The valid time must be earlier than the expiry time.

Description

The maximum length for the value is 32 characters.

AP List

If the Policy Type is set to Start/Stop AP, then select APs.

Fit AP Radio List

If the Policy Type is set to Start/Stop Radio or Start/Stop SSID, then select the fit AP radio and cloud AP radio.

Cloud AP Radio List

If the Policy Type is set to Start/Stop Radio or Start/Stop SSID, then select the fit AP radio and cloud AP radio.

 

System

From this menu, you can configure system-wide common parameters, users, tenants, organizations, logs, backup & restore, and licenses.

Organization Management

Introduction

Perform this task to divide users into multiple levels based on organizations.

Remarks

·     Only users that have the permissions to manage organizations can add, edit, and delete organizations.

·     If the Connect component is installed and a hierarchical relationship is established, the organization supports up to seven organization levels. In other situations, the organization supports up to 14 organization levels.

·     You can import organizations only within the tenant to which the current user belongs. You cannot import organizations between tenants.

·     You can use only the templates of the organization to which the current user belongs and its lower-level organizations to import organizations.

·     The imported organizations belong to the organization managed by the current user.

·     To import organizations, make sure the template language (Chinese or English) is consistent with the Web interface display language.

·     When you use a template file to import organizations, the file can contain a maximum of 3000 organizations. To import more than 3000 organizations, you must use multiple template files.

·     The following are typical template errors that might exist:

¡     A required field is empty or has only spaces.

¡     A required field is empty and an optional field has only spaces in a row. If the system prompts you to specify an organization template that can be imported correctly, as a best practice, delete the empty rows and upload the template again.

¡     The organization name repeatedly occurs in a row.

¡     Intermediate organizations are missing.

¡     Duplicate organization names exist under the same level.

¡     The file size cannot exceed 10 M.

·     Upper-level sites do not support editing the organizations synchronized from lower-level sites.

·     In a hierarchical two-level site scenario, if you delete an organization in a lower-level site, the resource authorizations of the user or user group that manages that organization in the upper-level site will be removed.

Functions

On the left of the organization management page, the organization tree is displayed. The number in parentheses next to an organization represents the total number of users in that organization and its subordinate organizations. By default, the first level is expanded. On the right of the page, information about the selected organization and the list of users in this organization are displayed.

·     View organization information

¡     On the organization tree on the left, click the name of the organization that you want to view. On the right, information about the selected organization is displayed.

·     Add an organization

a.     On the organization tree on the left, hover over the  icon to the right of an organization name, and click the Add icon. The page for adding an organization opens on the right. The organization will be the parent organization of the newly added organization.

b.     Configure relevant parameters.

c.     Click OK.

·     Import Organizations

a.     Click Import.

b.     Click Download Template to save the organization template XLS file, and then configure the organization level settings as needed. To import organizations successfully, make sure no child organizations with the same name and level exist under the same parent organization.

c.     Click Click to Upload, and then select the target organization file.

d.     Click Upload.

·     Export organizations

a.     Click Export to export organization information to a local file named Organization Template.xls.

b.     After you edit the exported organization information file, you can use the import function to upload the edited file and synchronously update the organization information in the system. When you add a child organization, if a child organization with the same name and level already exists in the same parent organization, the child organization cannot be added to the system.

·     Edit an organization

a.     On the organization tree on the left, hover over the  icon to the right of an organization name, and click the Edit icon. The page for editing the organization opens on the right.

b.     Edit the organization as needed, and click OK.

·     Sort Organizations

a.     From the organization list on the left, hover over the  icon to the right of an organization name, and click the Sort icon to sort its sub-organizations on the right of the page.

b.     You can sort only the organizations of the same level.

·     Move an organization

a.     On the organization tree on the left, hover over the  icon to the right of an organization name, and click the Move icon. The page for moving the organization opens on the right.

b.     You can move an organization only to the child organizations of the organization to which the current user belongs. Moving an organization also moves its child organizations, if any.

·     Add a user

a.     On the organization tree on the left, hover over the icon to the right of an organization name, and click the Add User icon. The page for adding a user opens in the middle of the page.

·     Delete an organization

a.     On the organization tree on the left, hover over the  icon to the right of an organization name, and click the Delete icon. A confirmation dialog box opens.

b.     Click OK in the confirmation dialog box to delete the organization.

The following organizations cannot be deleted:

¡     Top-level organization.

¡     An organization with child organizations.

¡     An organization bound to users.

·     Search Sub-Organizations/Search Current Organization

¡     Search Sub-Organizations: Click this button to refresh the list of users in the current organization and its sub-organizations.

¡     Search Current Organization: Click this button to refresh the list of users in the current organization.

·     View the resource list

View the list of resources for which the current user has permissions in the organization.

·     Edit the organization of a single resource

a.     Click the  icon in the Actions column for a resource.

b.     Select a new organization for that resource.

c.     Click OK.

·     Bulk edit the organization of resources

a.     Select multiple resources, and then click Edit Organization.

b.     Select a new organization for the resources.

c.     Click OK.

Parameters

Table 11 Organization Management configuration parameters

| Parameter | Description |
| --- | --- |
| Parent Organization | The selected organization will be the parent organization of the newly added organization and cannot be changed. |
| Name | Up to 255 characters. The string cannot start or end with a space, and cannot contain special characters '<', '/' and '&'. The names of organizations on different levels can be the same, and the names of organizations on the same level must be different. |
| Organization Code | Up to 256 characters. The string cannot start or end with a space. Valid characters are letters, digits, spaces, and the following special characters. |
| Organization Location | Up to 256 characters. The string cannot start or end with a space. |
| Type | The organization type can be IT Department or Other Departments. It is only an organization mark, and does not have special meanings. |
| Description | Up to 128 characters. |
| Contact | You can select only a user in the current organization and its child organizations. |
| Email | Up to 128 characters. |
| Tel | You can only enter an 11-digit telephone number meeting the requirements. |
| Service Superior | Select an existing organization as the service superior of the current organization. This operation creates a new service superior-subordinate relationship based on the existing superior-subordinate relationship. The system supports a maximum of 10 layers of organizations that have service superior-subordinate relationship. |

 

User Management

A user is the management & maintenance personnel for the system and its components. Different users have different management privileges.

Users

Introduction

A user is the management & maintenance personnel for the system and its components. On the user list page, you can add, import, delete, edit, filter, copy, and assign permissions to users.

Remarks

·     Only system, tenant, and organization administrators can add or edit users on the user list. Users of different tenants are isolated and invisible to one another. Only the tenant administrator of a user can log in to manage the user. System administrators also cannot manage users of tenants.

·     After you add a sub-organization on the organization management page, the organization tree will be displayed on the left of the user list. The number in parentheses next to an organization represents the total number of users in that organization and its subordinate organizations. The user list will display users of the selected organization by default. If you unselect the selected organization, users in all organizations are displayed. If no sub-organizations are added on the organization management page, the organization tree will not be displayed, and the user list will display all manageable users.

·     When you reset the password after forgetting the password on the login page, make sure the mail server or SMS server is available and the mailbox or phone number has been configured correctly.

·     You cannot edit the permissions or organization of the admin user.

·     The user import feature allows for the import of up to 3000 users at a time, with a maximum of 500 users using UKEY authentication.

Functions

·     Add a user

Click Add to enter the Add or Edit User page.

·     Delete users

¡     To delete a single user, click the Delete icon in the Actions column for that user. Then, click OK in the confirmation dialog box that opens.

¡     To bulk delete users, select the users you want to delete, and click the Delete button. Then, click OK in the confirmation dialog box that opens.

·     Import users

a.     Click Import.

The Import Users window opens.

b.     Click the Download Template button to save the User Template.xlsx file to your computer. Fill in the user information as needed.

c.     In the Import Users window, upload the completed User Template.xlsx file.

d.     Click the Upload button to complete the user import operation.

You can view detailed import results in the operation log list.

·     Refresh the list

a.     Click the Refresh icon to reload the user list.

·     Edit a user

a.     Click the Edit icon in the Actions column for the user, and edit the user information.

·     Enable/Disable a user

A disabled user cannot log in to the system. Only the login operation is affected.

a.     Click the Disable icon or Enable icon in the Actions column for the user.

·     Configure permissions

a.     Click the Configure Permissions icon in the Actions column for a user to access the authorization wizard page.

·     Clear permissions

a.     Click the Clear Permissions icon in the Actions column for a user.

b.     Click OK in the confirmation dialog box that opens to clear the user roles and resource scope permissions for that user.

·     Send key

a.     On the System Settings > Security Settings > Authentication Settings > Two-Factor Authentication Settings page, enable two-factor authentication and select dynamic password authentication. In this case, the Send Key feature is displayed on the user list.

b.     Click the Send Key icon in the Actions column or click the Send Key button above the list to send a dynamic password through an email to the mailbox of the user registered in the system.

·     Copy user

a.     Click the Copy icon  in the Actions column for a user.

b.     The Add User page opens with its properties populated by default from the selected user (except the user name).

·     View user details

a.     To view the details of a user, click the name link for the user to enter the User Details page.

·     Filter users

a.     Enter the user name in the search field.

b.     Click the expand button to open the advanced search area.

c.     Specify the search criteria as needed.

d.     Click Search to refresh the user list.

e.     To reset the filtering criteria, click Reset.

·     Search Sub-Organizations/Search Current Organization

¡     Search Sub-Organizations: Click this button to refresh the list of users in the current organization and its sub-organizations.

¡     Search Current Organization: Click this button to refresh the list of users in the current organization.

Add or Edit User

Introduction

This task allows you to add or edit a user.

Remarks

·     Configure additional user information as needed on the System > User Management > Additional User Information page.

·     Make sure that the entered PIN matches the UKEY when configuring the UKEY authentication.

·     In addition to the login password method, you can use the user access control list to control user login. A user can log in only if its IP address is permitted in the user access control list.

·     The user access control list can contain up to 10 rules. When a user attempts to log in, the system matches the user's IP address against these rules in descending order based on their priorities.

¡     If the user's IP address is in the IP address range specified in a rule, the system will execute the specified access action (permit or deny the login request) for the user, and stop matching the remaining rules.

¡     If the user's IP address cannot match any rule, the system will execute the default access action for the user.

·     If the process control type is Self-Service User, the user cannot be authorized on the authorization wizard page.

Functions

·     Add a user

Perform this task to add a user that can access the system.

a.     On the user list page, click Add. The Add User page opens.

b.     Configure basic information, advanced information, and additional information for the user as needed.

c.     Click OK.

·     Edit a user

Perform this task to edit an existing user in the system.

a.     Click the Edit icon in the Actions column for the target user.

b.     Edit the basic information, advanced information, and additional information for the user as needed. The user name cannot be edited.

c.     Click OK.

Parameters

Table 12 Basic Information

Parameter

Description

User Name

Enter the name of the login user.

·     You can set the username length range in the User Name Settings area on the System > System Settings > Security Settings > Basic Settings page.

·     Supported characters include only letters, digits, underscores (_), hyphens (-), dots (.), and backslashes (\).

·     The name is case insensitive.

·     This field cannot be empty.

·     You cannot edit the name after creation. Make sure the user name is unique.

Organization

Organization to which the user belongs.

·     Available options include the organization to which the current logged-in user belongs and its sub-organizations.

·     This field cannot be empty.

Authentication Method

Select the authentication method for the user.

·     Available options include simple password authentication, RADIUS authentication, LDAP authentication, TACACS authentication, third-party authentication and UKEY authentication.

·     This field cannot be empty.

·     If you select simple password authentication, the user can use the user name and password for login.

·     If you select RADIUS authentication, LDAP authentication, or TACACS authentication, you must configure the corresponding authentication settings on the System > System Settings > Security Settings > Authentication Settings page.

·     If you select Third-Party Authentication, navigate to the System > System Settings > Security Settings > Authentication Settings page to configure third-party authentication in the Login Authentication Settings area. Then, third-party authentication will be performed for users. For third-party authentication users, the Max Concurrent Logins parameter is not available. They do not have such a limit. Login password is optional.

·     If you select Enable UKEY Authentication, you must enable the UKEY authentication on the System > System Settings > Security Settings > Authentication Settings page. Login password is optional.

Login Password

·     The login password field is available when the authentication method is simple password authentication, third-party authentication, or UKEY authentication.

·     You can specify the password length and strength check settings in the User Password Policy Settings area on the System > System Settings > Security Settings page.

·     If the authentication method is simple password, the login password field cannot be empty.

Confirm Password

Enter the login password again for confirmation.

·     This field cannot be empty.

·     You must enter the same password as that in the Login Password field.

PIN Code

·     If UKEY authentication is selected as the verification method, a PIN code input box will appear.

·     8 to 16 characters. It must contain uppercase letters, lowercase letters, and digits.

·     The PIN code cannot be empty.

Process Control Type

You can select a process control type only if you have installed the ITSM component.

·     Process functionality for count-type users is limited by the number of process licenses, which operate on a "first-come, first-served" basis. The available number of licenses is dynamic, equal to the total number of process licenses minus the number of designated-type users.

·     Designated users can access ITSM components at any time, and each new designated-type user occupies one process license.

·     Self-service users are limited to using the self-service desk feature only.

Tel

Enter the phone number of the user.

·     This field is optional. The phone number must be 11 digits long.

·     The phone number is required for SMS authentication function in two-factor authentication and password reset through phone number.

Email

Enter the email address of the user.

·     This field is optional. The email address can contain no more than 255 characters.

·     The email address is required for the Google dynamic password authentication function in two-factor authentication, email authentication, and password reset through email.

 

Table 13 Advanced Information

Parameter

Description

Last Name

Enter the last name of the user account. This field is optional, and its value cannot exceed 32 characters.

First Name

Enter the first name of the user account. This field is optional, and its value cannot exceed 32 characters.

Full Name

Enter the full name of the user. This field is optional, and its value cannot exceed 32 characters. The string cannot start or end with spaces.

Permitted Login Time Span

Specify a login time range for the user. The user is not allowed to log in to the system at a time out of this range.

·     The value range is 00:00-23:59.

·     The minimum time granularity is one minute.

Description

Enter the description of the user. The value is a string of up to 128 characters, which can be displayed in the user list.

Password Validity Period

After the password expires, the current user cannot log in to the system.

Warning Before Expiration

When the remaining validity period of a password reaches the early warning threshold, the system sends a system log to notify the user to change the password each time the user logs in.

·     This field is required if the password validity period is enabled. The default is 10 days. The value is an integer in the range of 0 to 99999.

User Validity Period

The user will be disabled and cannot log in to the system upon expiration of the account validity period.

Warning Before Expiration

When the remaining validity period for a user reaches the early warning threshold, the system sends a system log to notify the user to change the account validity period each time the user logs in.

·     This field is required if the user validity period is enabled. The default is 10 days. The value is an integer in the range of 0 to 99999.

Max Concurrent Logins

Set the maximum number of concurrent users that use this user account. If the number of concurrent users has reached the upper limit, the system blocks the login request of a new user using this account.

·     To not limit the maximum number of concurrent users that use this user account, set the value to 0.

·     The value is an integer in the range of 0 to 999.

 

Table 14 User Access Control List

Parameter

Description

Default Access Type

If the IP address of a user cannot match any rule in the user access control list, the system will execute the default access action for that user.

Start/End IP Address

IP address range specified for the access control rule. If the IP address of a user belongs to the specified IP address range, the system determines that the user matches the rule.

·     Both IPv4 addresses and IPv6 addresses are supported. The IPv4 address format is dotted decimal notation, for example, 192.168.66.66. The IPv6 address format is colon hexadecimal notation, for example, c0:a8::42:42.

·     When you specify an IPv4 address range, broadcast addresses, loopback addresses, and multicast addresses are not supported. When you specify an IPv6 address range, only global unicast addresses are supported.

·     The start IP address cannot be higher than the end IP address.

Access Type

Action that the system takes for users matching the access control rule. Supported actions include Permit and Deny.

Description

Optional. The description is a case-sensitive string of up to 128 characters.
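The first-match evaluation described in the Remarks and in Table 14, as an added Python example that is not H3C code. It also flags rules that can never be reached because an earlier rule covers their whole range, which is how a narrow Deny ends up silently overridden by a broad Permit. Assumptions: a larger priority value is matched earlier, the IPv6 "global unicast" restriction is approximated, and the names Rule, bounds, ordered, evaluate, shadowed, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 10                     # per-user rule limit stated in the guide
ACTIONS = {"permit", "deny"}       # Access Type values from Table 14
ULA = ipaddress.ip_network("fc00::/7")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Rule:
    priority: int   # assumption: a larger value is matched earlier
    start: str      # Start IP Address
    end: str        # End IP Address
    action: str     # "permit" or "deny"


def _endpoint(text):
    """Parse one range endpoint and apply the address-type restrictions."""
    addr = ipaddress.ip_address(text)
    bad = addr.is_loopback or addr.is_multicast
    if addr.version == 4:
        # Subnet-directed broadcasts need a mask the rule does not carry,
        # so only the limited broadcast address is rejected here.
        bad = bad or addr == LIMITED_BROADCAST
    else:
        # Approximation of "only global unicast addresses are supported".
        bad = bad or addr.is_unspecified or addr.is_link_local or addr in ULA
    if bad:
        raise ValueError(f"address type not allowed in a rule: {text}")
    return addr


def bounds(rule):
    """Return (start, end) as address objects, or raise ValueError."""
    if rule.action not in ACTIONS:
        raise ValueError(f"unknown access type: {rule.action}")
    start, end = _endpoint(rule.start), _endpoint(rule.end)
    if start.version != end.version:
        raise ValueError("start and end must use the same IP version")
    if start > end:
        raise ValueError("start IP address is higher than end IP address")
    return start, end


def ordered(rules, default_action):
    """Validate the whole list and return (rule, start, end) in match order."""
    if default_action not in ACTIONS:
        raise ValueError(f"unknown default access type: {default_action}")
    if len(rules) > MAX_RULES:
        raise ValueError(f"more than {MAX_RULES} rules")
    ranked = sorted(rules, key=lambda r: r.priority, reverse=True)
    return [(r, *bounds(r)) for r in ranked]


def evaluate(rules, default_action, client_ip):
    """Return (action, matching rule or None) for one login attempt."""
    ip = ipaddress.ip_address(client_ip)
    for rule, start, end in ordered(rules, default_action):
        # The first rule whose range contains the address decides.
        if ip.version == start.version and start <= ip <= end:
            return rule.action, rule
    return default_action, None


def shadowed(rules, default_action):
    """Rules whose whole range sits inside one earlier rule: never reached."""
    seen, dead = [], []
    for rule, start, end in ordered(rules, default_action):
        if any(s.version == start.version and s <= start and end <= e
               for s, e in seen):
            dead.append(rule)
        seen.append((start, end))
    return dead


# Constructed sample list (documentation address ranges), default action deny.
SAMPLE = [
    Rule(30, "192.0.2.50", "192.0.2.60", "deny"),
    Rule(20, "192.0.2.1", "192.0.2.254", "permit"),
    Rule(10, "192.0.2.100", "192.0.2.110", "deny"),   # covered by priority 20
    Rule(5, "2001:db8::1", "2001:db8::ff", "permit"),
]

if __name__ == "__main__":
    for ip in ("192.0.2.55", "192.0.2.105", "198.51.100.7", "2001:db8::10"):
        action, rule = evaluate(SAMPLE, "deny", ip)
        print(ip, action, "default" if rule is None else rule.priority)
    print("unreachable:", [r.priority for r in shadowed(SAMPLE, "deny")])
```

Running the shadow check before saving a list catches ordering mistakes that a per-address spot check would miss.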

 

Details

Introduction

Perform this task to view the user details.

Remarks

After the WSM or ONM component is installed, APs associated with an AC authorized to a user will be also authorized to that user.

Functions

·     View basic user information: View the name, authentication method, organization, and password validity period of a user.

·     View the user access control list: This list displays the default access type and access control rules.

·     View user groups: View information of the user group to which the user belongs.

·     View role details: View the roles assigned to the user.

·     View permission details: View the permissions assigned to the user.

·     View resource authority: View the resource authority granted to the user.

Online Users

Introduction

This feature displays information about the current online users, including the user name, session ID, login time, idle time, IP address, tenant, and organization. Additionally, you can log out an online user.

Remarks

·     By default, the list displays the users in the management organization and its sub-organizations of the current logged-in user.

·     After you specify the user idle timeout timer on the System Settings > Security Settings page, if the current value is smaller than the history value, the idle timeout timer might be a negative value. To resolve this issue, wait for the one-minute cache time to expire, and then refresh the page.

Functions

·     Refresh the list

When no data sync is in progress, you can click Refresh to refresh data in the list.

·     Log out a user

a.     Click the Logout icon in the Actions column for a user.

b.     In the dialog box that opens, click OK.

·     Filter users

a.     Specify filtering criteria.

b.     Enter the keyword.

c.     Press Enter or click Search.

Additional User Information

Introduction

In addition to basic information and advanced information, additional information can be customized, managed, and maintained for a user. After additional information is added to a user, you can view the additional information on the user details page.

Remarks

·     A maximum of 20 additional user information entries are supported.

·     Additional information entries support custom sorting, so the table headers do not support sorting.

·     The search results by additional information name cannot be sorted.

Functions

·     View additional information field details

Click the field name of an additional information field to open the Additional Information Details page.

·     Add an additional information field

Click Add to open the Add Additional Information page.

·     Move up an additional information field

Click the Move Up icon in the Display Order column for the additional information field you want to move.

·     Move down an additional information field

Click the Move Down icon in the Display Order column for the additional information field you want to move.

·     Edit an additional information field

Click the Edit icon in the Actions column for the additional information field you want to edit to open the Edit Additional Information page.

·     Delete an additional information field

a.     Click the Delete icon in the Actions column for the additional information field you want to delete.

b.     In the dialog box that opens, click OK.

c.     After an additional information field is deleted, the field is also deleted from the additional user information bound to a user.

Additional Information Details

Introduction

This page displays the details of an additional user information field.

Functions

·     View additional information field details

a.     Click the field name of an additional information field.

b.     On the page that opens, view detailed information about the field, including the field name, field property, field value type, and default value.

 

Add/Edit Additional Information

Introduction

Perform this task to add or edit additional user information.

·     Add an additional information field: Add information additional to the basic and advanced information for users.

·     Edit an additional information field: Edit the settings for an existing additional information field.

Functions

·     Add an additional information field

a.     Click Add. The Add Additional Information page opens.

b.     Configure the additional information field settings.

c.     Click OK.

·     Edit an additional information field

a.     Click the Edit icon in the Actions column for an additional information field.

b.     Edit the additional information field settings. The field value type cannot be edited. The Optional field property cannot be edited.

c.     Click OK.

Parameters

Parameter

Description

Field Name

Name of the additional user information field.

Field Property

Set whether the field is a required or optional field.

·     Required: The field is a required field. You must configure a default value for the field. If the field value type is Value selected from the option list, the field property can only be Required.

·     Optional: The field is an optional field. You do not need to configure the default value.

Field Value Type

Type of the field value:

·     Integer: You need to configure the maximum value and minimum value (that is, the value range) for the field.

·     An integer or a decimal with up to five decimal places: You need to configure the maximum value and minimum value (that is, the value range) for the field.

·     Alphanumeric chars and (-_.@) only: You need to configure the maximum length for the field value.

·     Any chars: You need to configure the maximum length for the field value.

·     Value selected from the options list: You need to configure a minimum of one option.

Max Value

You must configure the max value when the field value type is Integer or An integer or a decimal with up to five decimal places. For an integer, the value range is -2,147,483,648 to 2,147,483,647. For a decimal, it can contain up to five decimal places.

Min Value

You must configure the min value when the field value type is Integer or An integer or a decimal with up to five decimal places. For an integer, the value range is -2,147,483,648 to 2,147,483,647. For a decimal, it can contain up to five decimal places.

Max Length

You must configure the max length when the field value type is alphanumeric chars or any chars. The length must be an integer in the range of 1 to 127.

Option

If you select Value selected from the options list as the field value type, the value of this parameter cannot exceed 128 characters.

Option List

This parameter displays the added options. You can edit, delete, move up, move down, and configure default value for an option in the option list.

Default Value

If the field value type is number, the default value must be within the max and min values. If the field value type is characters, the default value cannot exceed the maximum character length. If the field value type is Value selected from the options list, the default value must be one of the options in the option list.

 

User Group

Introduction

From the user group list page, you can add, delete, edit, filter, and assign permissions to user groups.

Users in a user group have the permissions assigned to that user group.

Remarks

·     Only system, tenant, and organization administrators can add or edit user groups on the user group list. User groups of different tenants are isolated and invisible to one another. Only the tenant administrator of a user group can log in to manage the user group. System administrators also cannot manage user groups of tenants.

·     After you delete a user group, users in that user group automatically lose the corresponding permissions. If the user group has been bound to roles, users in the user group will automatically go offline and need to log in again.

·     In a hierarchical site environment, if the management organization of a user group is the organization of the lower-level site, performing the following operations will remove the user group:

¡     Uninstall the Connect component on the upper-level site.

¡     Remove the hierarchical relationship between the upper- and lower-level sites.

¡     Delete the organization from the lower-level site.

Functions

·     Add a user group

Click Add to access the Add User Group page.

·     Delete user groups

¡     To delete a single user group, click the Delete icon in the Actions column for that user group, and then click OK in the dialog box that opens.

¡     To bulk delete multiple user groups, select one or multiple user groups, and then click Delete.

·     Refresh the list

Click the Refresh button above the list to reload the user group list.

·     Edit a user group

Click the Edit icon in the Actions column for a user group to access the Edit User Group page for that user group.

·     Configure permissions

Click the Configure Permissions icon in the Actions column for a user group to access the authorization wizard page.

Add or Edit User Group

Introduction

Perform this task to add or edit a user group.

Remarks

A user in a user group or a separately authorized user cannot be assigned to a user group again.

Functions

·     Add a user group

a.     On the User Groups page, click the Add button to access the Add User Group page.

b.     Configure basic information for the user group.

c.     Click Go to Authorize to access the authorization wizard page.

·     Edit a user group

a.     On the User Groups page, click the Edit icon in the Actions column for a user group to access the Edit User Group page.

b.     Edit the description and user list for the user group as needed.

c.     Click OK.

Parameters

Table 15 Basic user group information

| Parameter | Description |
| --- | --- |
| User Group Name | This string cannot start or end with spaces. It can contain up to 225 characters and cannot contain special characters </&. This string is case-insensitive. This field cannot be empty. You cannot edit the name of a user group after the user group is created. The user group name must be unique. |
| Description | Description of the user group. Up to 128 characters. |
| User List | Users in the user group. |

 

User Group Details

Introduction

Perform this task to view details of a user group.

Functions

·     View basic user group information: View the name and description of the user group.

·     View the user list: View the users in the user group.

·     View the role list: View the roles assigned to the user group.

·     View the permissions list: View the permissions assigned to the user group.

·     View the resource authority: View the resource authority of the user group.

Tenants

Introduction

From the tenants page, you can use tenants to manage and isolate system entities (including users, roles, organizations, and resources). Tenants are independent of each other and do not affect one another.

System administrators can view all non-MSP tenants. The tenant administrator of a non-MSP tenant can view only information of the non-MSP tenant, while the tenant administrator of an MSP tenant can view information of non-MSP tenants created by the MSP tenant.

Remarks

·     Only system administrators and MSP tenant administrators can add tenants.

·     Tenants created on the tenant management page are all non-MSP tenants.

·     After you delete a tenant, all organizations, users, and resources related to the tenant will be deleted in a cascading manner.

Functions

·     Add a tenant

a.     Click Add. The Add Tenant dialog box opens.

b.     Configure tenant parameters as needed.

c.     Click OK.

·     Delete tenants

To delete a tenant, click the Delete icon in the Actions column for that tenant. Then, click OK in the confirmation dialog box that opens.

·     Refresh the list

Click the Refresh icon above the list to reload the tenant list.

·     Edit a tenant

a.     To edit a tenant, click the Edit icon in the Actions column for that tenant.

b.     Edit the description of the tenant to facilitate maintenance.

c.     Click OK.

·     Reset the password for a tenant

To reset the password for a tenant, click the Reset Password icon in the Actions column for that tenant. In the window that opens, enter the new login password and confirm the password, and then click OK.

Parameters

Table 16 Tenant management parameters

| Parameter | Description |
| --- | --- |
| Name | Enter a tenant name, a string of up to 255 characters. It supports letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), and dots (.). You cannot edit the name of a tenant after the tenant is created. The tenant name must be unique. |
| Description | Enter the description of the tenant to facilitate maintenance. The string cannot exceed 255 characters. |
| Username | Name of the tenant administrator for the tenant. You can set the username length limits in the User Name Settings area on the System > System Settings > Security Settings > Basic Settings page. You cannot configure the allowed input characters. The string can contain only letters, digits, and special characters _-.\. This string is case-insensitive. This field cannot be empty. You cannot edit the username after the tenant is created. The username must be unique. |
| Authentication Method | Only simple password authentication is supported. |
| Login Password | You can specify the password length and strength check settings in the User Password Policy Settings area on the System > System Settings > Security Settings page. |

 

Remote notifications

Functions

·     Notification Settings

¡     SMSC Platform Settings

¡     Mail Server Settings

¡     WeChat Official Account Platform

¡     WeChat Work Official Account Platform

¡     Webhooks

·     Notification Record

·     Record Archive

Notification Settings

Functions

·     SMSC Platform Settings

·     Mail Server Settings

·     WeChat Official Account Platform

·     WeChat Work Official Account Platform

·     Webhooks

SMSC Platform Settings

Perform this task to configure SMSC settings.

Procedure

1.     Select a sending method. Options are:

¡     Emay SMS Sender: To use the Emay SMS sender, you must configure the serial number and encryption key in the Serial Number area.

In the Internet Connection Info area, click the Edit link in the upper right corner to configure the Internet connection settings. See Network Settings for more information.

¡     Third-Party SMS Sender: To use a third-party SMS sender, you must configure the Interface Type, Sending Method, Encoding Format, Address, Request Headers, and Request Parameters parameters in the SMS Sending Template area. If the sending method is GET, you can configure the mobile phone number parameter={smsMobile}, the SMS content parameter={smsContent}, and the SMS signature parameter={smsSign} in the Address. If the sending method is POST, you can configure the mobile phone number parameter={smsMobile}, the SMS content parameter={smsContent}, and the SMS signature parameter={smsSign} in the Request Parameters.

In the Token Authentication Info area, click the Edit link in the upper right corner to configure the SMS token authentication settings. See Network Settings for more information.

¡     SMPP SMS Sender: To use the SMPP SMS sender, you must configure the username, password, URL, and port in the User Authentication area, and configure the test number and test content in the Test Info area.

¡     CMCC MAS Sender: To use the CMCC MAS Sender, you must configure the masEcName, masSendUrl, masApId, masSecretKey, and masAddSerial in the SMS Sending Template area.

¡     Aliyun SMS Sender: To use the Aliyun SMS Sender, you must configure the Server Address, templateCode, accessKeyId, Template Parameter and accessKeySecret in the Authentication Info area.

¡     Huawei Cloud SMS Platform: To use the Huawei Cloud SMS Platform, you must configure the Server Address, Channel ID, AccessKey ID, Template ID, AccessKey Secret and Template Parameter in the Authentication Info area.

2.     Specify the SMS signature:

Signature: Specify the SMS signature, a string of 0 to 8 characters that can contain letters (supports multiple languages), digits, and Chinese characters.

3.     Configure the language in the Language area:

You can select a message language as needed.

4.     Configure the test settings in the Test Info area:

¡     Test Number: Specify the test number, a case-sensitive string of 1 to 32 characters that can contain letters, digits, and Chinese characters.

¡     Test Content: Specify the test message content, a string of up to 500 characters. When the message content carries "\r\n", some SMS platforms will replace it with a newline.

¡     Click Test to verify that the test message can be sent correctly.

5.     Click OK.

Network Settings

Perform this task to configure network settings for the SMS sending methods.

Procedure

·     Select Internet Connection Info for Configuration Type to configure the Internet connection settings.

The system uses the Internet connection settings to connect to the Internet.

¡     For the system to access the SMS sending interface directly without a proxy, select Direct Connection from the Connection Type list.

¡     For the system to access the SMS sending interface through an HTTP proxy, select HTTP Proxy from the Connection Type list. Then, configure the following parameters:

-     Proxy Server Address: Specify the proxy server address, which can be a 32-bit IPv4 address, a 128-bit IPv6 address, or a domain name of up to 255 characters.

-     Proxy Server Port: Specify the port number of the proxy server, which must be an integer in the range of 1 to 65535.

-     Username: Specify the username for using the proxy service. The username can contain 1 to 32 characters.

-     Password: Specify the password for using the proxy service. The password can contain 1 to 32 characters.

·     Select Third-Party SMS Token Authentication for Configuration Type to configure the third-party SMS token authentication settings:

¡     Sending Method: Select the request type for the third-party SMS token authentication interface. Options are POST and GET.

¡     Address: Specify the third-party SMS token authentication interface by its domain name or IP address. The value can contain 1 to 255 characters.

¡     Request Message Header: Configure the request message header attributes for the third-party SMS authentication interface.

¡     Request Parameters: Specify the request parameters for the third-party SMS authentication interface.

¡     Success Code: Specify the status code returned by the third-party authentication interface upon successful response.

¡     Token Location: Specify the location to place the token data returned by the token authentication interface when sending third-party SMS messages. Options include Body and Header.

¡     Token Key: Specify the name of the token field in the response data of the third-party authentication interface.

·     Select SMPP SMS Sender for Configuration Type to configure the SMPP SMS Sender settings:

Set the username, password, URL, and port number in the User Authentication area, specify a signature as needed in the SMS Signature area, and configure the test number and test content in the Test Info area.

Mail Server Settings

Introduction

For the system to send service messages (for example, alarms) by mail, you must first configure the mail server correctly.

Remarks

·     If the mail server address cannot be pinged, the system continuously tries to connect to the mail server for a long time when you send a test mail. Then, the system prompts that it failed to send the test mail.

·     If the recipient's address does not exist, the mail server might fail to deliver the email and instead send a return receipt indicating that the email failed to be sent.

Parameters

Table 17 Mail Server Parameters

| Parameter | Description |
| --- | --- |
| Server Address | Enter the IP address or domain name of the mail server. |
| Server Port | Enter the port number of the mail server, an integer in the range of 1 to 65535. The default is 25. |
| Secure Connection (SSL/TLS) | Specify whether the mail server uses secure connections and select a secure connection type. By default, the mail server does not use secure connections. |
| Client Authentication | Specify whether the mail server requires client authentication. If you select to enable client authentication, set the username and password used for client authentication. |
| Language | You can select a message language as needed. |
| Username | Enter the username of a client that can access the mail server. The username is a string of 1 to 128 characters. |
| Password | Enter the password of a client that can access the mail server. The password is a string of 1 to 64 characters. |
| Sender's Mail Address | Enter the mail address that the mail server uses to send mails. The sender's mail address must be in the mail address format and contain 1 to 255 characters. |
| Send Test Mail | Send a test mail to identify whether the mail server is reachable and whether the username and password are correct. |

 

WeChat Official Account Platform

This feature allows the system to use WeChat forwarding. You can use this feature to configure official accounts and message templates and view WeChat message records.

Official Accounts

This feature manages WeChat official accounts. You can view follower information about the official accounts or send test messages to the followers.

Procedures

·     Search for Official Accounts

¡     In the upper right corner of the page, enter an official account name in the search box. Fuzzy search is supported.

¡     Click the Search icon to view the matching official accounts on the list.

·     Add Official Account

a.     Click Add to enter the page for adding an official account.

b.     Configure the following parameters:

-     Official Account Name: Enter a name for the official account. The name can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The account name can contain 1 to 32 characters.

-     Official Account Type: Select Subscription or Service according to the type of the official account.

-     Token: Specify the access token for the WeChat official account. For a service or subscription account, the system uses the token to determine whether a request message comes from the WeChat Official Account Platform. The specified token value must match the token value in the WeChat Official Account Platform website. Each official account must have a unique token. The token can contain 3 to 32 characters. The token can contain only letters and digits, and it must start with a letter.

-     AppID: Enter the application ID of the official account. The application ID is assigned to the account by the WeChat Official Account Platform after the development feature is enabled. The system uses AppID and AppSecret to communicate with the WeChat server. The specified AppID value must match the AppID value in the WeChat Official Account Platform website.

-     AppSecret: Enter the application secret of the official account. The application secret is assigned to the account by the WeChat Official Account Platform after the development feature is enabled. The system uses AppID and AppSecret to communicate with the WeChat server. The specified AppSecret value must match the AppSecret value in the WeChat Official Account Platform website.

-     Language: You can select a message language as needed.

c.     Click OK.

·     Delete Official Account

Click the Delete icon in the Actions column for an official account. Then, click OK in the confirmation dialog box that opens.

·     Send Test Message

a.     Click the link in the Followers column for an official account. On the page that opens, you can view follower information of the official account.

b.     Click the link in the Send Test Message column for a follower.

c.     In the dialog box that opens, configure the following parameters:

-     Message Content: Enter message content. The content can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), and spaces.

-     Message Type: If the official account type is subscription, only the customer service message type is supported. If the official account type is service, the customer service and template message types are supported.

-     Message Template: This parameter is required if the message type is template message. To use this parameter, you must apply for a message template from the WeChat Official Account Platform website.

d.     Click OK. The system will send a test message to the follower.

Remarks

·     Deleting an official account also deletes the followers of that official account from the system.

·     You cannot delete an official account that has been bound to message templates. To obtain the names of the message templates, enter the details page of the official account.

·     A subscription official account cannot send test messages to a follower if the follower has not responded to the official account for 24 hours.

·     A template message of the service type cannot exceed 200 characters.
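The Token parameter above exists so that the system can tell whether an incoming request really comes from the WeChat Official Account Platform. The following added example (not H3C code) shows such a check using the signature scheme that the WeChat platform documents for developers: SHA-1 over the token, timestamp, and nonce after sorting them. The function names, the sample values, and the five-minute freshness window are assumptions.

```python
import hashlib
import hmac
import re
import time

# Token rule from the Add Official Account parameters in this guide:
# 3 to 32 characters, letters and digits only, starting with a letter.
TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{2,31}")


def token_is_valid(token):
    """Return True if the token satisfies the documented format."""
    return isinstance(token, str) and TOKEN_RE.fullmatch(token) is not None


def wechat_signature(token, timestamp, nonce):
    """SHA-1 hex digest of the three strings sorted lexicographically and joined."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def request_is_from_wechat(token, signature, timestamp, nonce, now=None, max_skew=300):
    """Accept a callback only if its signature matches the configured token.

    The freshness check (max_skew seconds) is an added hardening assumption
    that limits replay of a captured request.
    """
    if not all(isinstance(v, str) for v in (signature, timestamp, nonce)):
        return False
    if not token_is_valid(token):
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > max_skew:
        return False
    expected = wechat_signature(token, timestamp, nonce)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # Constructed values for demonstration only.
    token, ts, nonce = "wsmToken01", "1700000000", "n0nce"
    sig = wechat_signature(token, ts, nonce)
    print(request_is_from_wechat(token, sig, ts, nonce, now=1700000100))
    print(request_is_from_wechat("otherToken", sig, ts, nonce, now=1700000100))
```

A request signed with a different token fails the check, which is why the token configured here must match the one set on the WeChat Official Account Platform website.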

Message Templates

Use this feature to limit the sending scope of WeChat messages and define the message type. The system can send WeChat messages to specific followers of an official account as defined in a message template.

Procedures

·     Search for Message Templates

¡     In the upper right corner of the page, enter a template name in the search box. Fuzzy search is supported.

¡     Click the Search icon to view the matching message templates on the list.

·     Add Message Template

a.     Click Add to enter the page for adding a message template.

b.     Configure the following parameters:

-     Template Name: Enter a template name. The name can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The template name can contain 1 to 32 characters.

-     Official Account: Select an official account that has been added to the system.

-     Message Type: If the selected official account is a service account, select Customer Service Message or Template Message. If the selected official account is a subscription account, only the customer service message type is supported, and this parameter is not available on the page.

-     Message Template: This parameter is required if the selected official account is a service account and the message type is template message. To use this parameter, you must apply for a message template from the WeChat Official Account Platform website.

-     Followers: Select the followers to send messages to from the follower list. The follower list contains all WeChat users that follow the selected official account.

c.     Click OK.

·     Delete Message Template

Click the Delete icon in the Actions column for a message template. Then, click OK in the confirmation dialog box that opens.

·     View Followers

Click the link in the Followers column for a message template. In the dialog box that opens, you can view the sending scope of that message template.

Remarks

If a follower has unfollowed the official account in a message template, the system will delete that follower's information from the message template.

WeChat Work Official Account Platform

For the system to use WeChat Work forwarding, you must configure the enterprise number and message template. This feature also allows you to view WeChat Work message records.

WeChat Work Official Account List

This feature manages WeChat work official accounts. You can view follower information about the official accounts or send test messages to the followers.

Procedures

·     Search for Official Accounts

¡     In the upper right corner of the page, enter a keyword in the search box. Fuzzy search is supported.

¡     Click the Search icon to view the matching official accounts on the list.

·     Add Official Account

a.     Click Add to enter the page for adding an official account.

b.     Configure the following parameters:

-     Enterprise Name: Enter a name for the enterprise. The name can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The account name can contain 1 to 32 characters.

-     CorpID: Enter the ID of the official account. The ID is assigned to the account by the WeChat Work Official Account Platform after the development feature is enabled. The system uses CorpID and Secret to communicate with the WeChat Work server. The specified CorpID value must match the CorpID value in the WeChat Work Official Account Platform website.

-     Secret: Enter the application secret of the official account. The application secret is assigned to the account by the WeChat Work Official Account Platform after the development feature is enabled. The system uses CorpID and Secret to communicate with the WeChat server. The specified Secret value must match the Secret value in the WeChat Work Official Account Platform website.

-     Description: Enter the custom enterprise description. The value can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The value can contain 1 to 32 characters.

-     Telephone: Enter the custom enterprise telephone.

-     Postcode: Enter the custom enterprise postcode.

-     Address: Enter the custom enterprise address.

-     Language: You can select a message language as needed.

c.     Click OK.

·     Sync Official Account

a.     Click the Sync button on the enterprise number list page. The system synchronizes the latest employee, department, and application information for all enterprise numbers in the enterprise number list from the WeChat Work official backend.

b.     Click the Sync button on the enterprise details page. The system synchronizes the latest employee, department, and application information of the current enterprise number from the WeChat Work official backend.

·     Delete Official Account

Click the Delete icon in the Actions column for an official account. Then, click OK in the confirmation dialog box that opens.

Remarks

·     Deleting an official account also deletes the applications and staff of that official account from the system. To view the applications and staff, check the details of the official account.

·     To view the detailed information of an official account, click its name in the enterprise name column.

·     After you change employee, department, or application information in the WeChat Work official backend, the WeChat Work official interface has a delay of about 10 minutes. Wait about 10 minutes after changing enterprise number information before you synchronize the enterprise number.

WeChat Work Message Template

Use the message template feature to specify the sending scope of WeChat Work application messages. The system can define which application messages are sent to which employees of which enterprise.

Procedures

·     Search for Application Messages

¡     In the upper right corner of the page, enter a template name in the search box. Fuzzy search is supported.

¡     Click the Search icon to view the matching official accounts on the list.

·     Add Message Template

a.     Click Add to enter the page for adding a message template.

b.     Configure the following parameters:

-     Template Name: Enter a template name. The name can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The template name can contain 1 to 32 characters.

-     Enterprise Number: Select an enterprise number added to the system from the drop-down list.

-     Description: The value can contain only letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), dots (.), back slashes (\), and spaces. The value can contain 1 to 32 characters.

-     Related Employees: Click the Select button to select the employees to send messages to from the list.

-     Related Applications: The list shows the applications to send messages to. Click the Select button to select applications.

c.     Click OK.

·     Delete Message Template

Click the Delete icon in the Actions column for a message template. Then, click OK in the confirmation dialog box that opens.

·     View Related Employees And Related Applications

Click the link in the Related Employees or Related Applications column for a message template. In the dialog box that opens, you can view the sending scope of that message template.

Remarks

If employees or applications bound to a template are deleted from the WeChat cloud, the system synchronizes at midnight and deletes those bound employees and applications.

Webhooks

A Webhook can automatically send service messages as notifications after Webhook forwarding is configured.

Remarks

·     For service messages to be delivered correctly, make sure the Webhook URL is valid.

·     If a firewall or security setting is configured, make sure Webhook requests are allowed.

Functions

·     Add a Webhook

Click Add, configure relevant parameters in the dialog box that opens, and click OK.

·     Edit a Webhook

Click the Edit icon in the Actions column for a Webhook, edit relevant parameters in the dialog box that opens, and click OK.

·     Delete Webhooks

¡     To delete a single Webhook, click the Delete icon in the Actions column for that Webhook. Then, click OK in the dialog box that opens.

¡     To bulk delete Webhooks, select one or multiple Webhooks, and then click Delete. Then, click OK in the dialog box that opens to bulk delete the selected Webhooks.

Parameters

Table 18 Webhook parameters

| Parameter | Description |
| --- | --- |
| Name | The value is a case-sensitive string of up to 32 characters. It can contain only letters (supports multiple languages), Chinese characters, digits, spaces, and special characters _-.\. |
| Type | This parameter is not configurable. |
| URL | The URL is a string of up to 512 characters, for example, http://www.company.com/index.html. |
| Description | Description for the Webhook. The value is a string of up to 1024 characters. |
| Language | You can select a message language as needed. |
| Request Parameters | Either the key or value parameter can contain a maximum of 1024 characters. You can configure the Webhook content parameter as {webhookContent}. A maximum of 20 parameters can be configured. |

 

Table 19 Webhook alarm forwarding message body parameters

| Parameter | Description |
| --- | --- |
| WebhookID | Unique ID of a Webhook rule. |
| Content | Forwarded content. |
| Alarm | Forwarded alarm content. |
| userList | List of user information. |
| AlarmContent | Alarm content (configured based on the content of the Webhook template for alarm forwarding). |
| AlarmEntity | Alarm information. |
| nTipStatus | Whether to pop up information. |
| oConfirmTime | Time when the alarm was acked or unacked. |
| strConfirmUserName | User who acked or unacked the alarm. |
| strTipMessage | Prompt message. |
| strTipMessageEn | Prompt message in English. |
| nIsAck | Identifier for acking or unacking the alarm. |
| asnAlarm | Alarm entity. |
| WebhookName | Name of the Webhook rule. |
| DataType | Data type. |
| Component | Message sending component. |
| TimeStamp | Message sending timestamp. |
| nAction | Alarm message type. |
| nFaultFlag | Fault type. Value 0 represents device alarm, and value 1 represents performance alarm. |
| nRecover | Alarm type. Value 0 represents issue alarm, and value 1 represents recovery alarm. |
| nSeverity | Alarm severity, 1 for critical, 2 for major, 3 for minor, 4 for warning, and 5 for informational. |
| oAckTime | Time when the alarm was acked. |
| recoverAlarmSerialNo | Serial number of the recovered alarm. List type. |
| sDevIP | IP address of the alarm source. |
| sDevName | Alarm source name. |
| sDevNameEn | Alarm source name in English. |
| strAckUserName | User who acked the alarm. |
| strCallBackData | Callback parameter. |
| strComment | Detailed reason. |
| strExperience | Remediation experience. |
| strExperienceEn | Remediation experience in English. |
| strFaultOID | Alarm OID. |
| strLocation | Location information. |
| strLocationEn | Location information in English. |
| strMeaning | Alarm description. |
| strMeaningEn | Alarm description in English. |
| strName | Alarm name. |
| strNameEn | Alarm name in English. |
| strReason | Alarm cause. |
| strReasonEn | Alarm cause in English. |
| strRepair | Remediation recommendation. |
| strRepairEn | Remediation recommendation in English. |
| strValueList | VB parameter. The format is key1=value1;key2=value2;key3=value3. |
| strValueListEn | VB parameter in English. The format is key1=value1;key2=value2;key3=value3. |
| ulCategoryMainID | Alarm category ID. |
| ulDevID | ID address of the alarm source. |
| ulFaultTime | Time when the alarm was generated. |
| ulIfIndex | Index of the interface that generated the alarm. |
| ulRepeats | Number of times that the alarm has repeatedly occurred. |
| ulSerialNo | Serial number of the alarm. |
| ulTenantId | Tenant ID of the alarm-associated resource. |
| nIsAck | Ack or unack status. |
| nTipStatus | Whether to pop up information. Value 0 (default) indicates not to pop up information, and value 1 indicates to pop up information. |
| oConfirmTime | Timestamp when the alarm was acked or unacked. |
| renderInfo | Rendering field. Map type. |
| renderInfoEn | Rendering field in English. Map type. |
| strConfirmUserName | Name of the user who acked or unacked the alarm. |

Example:

{
    "WebhookID": 1,
    "Content": {
        "Alarm": {
            "userList": [
                {"userName": "zhangsan", "phoneNumber": "13566985648", "e-mail": "[email protected]", "fullname": "zhangsanChina", "ID Number": "59845689"},
                {"userName": "wangwu", "phoneNumber": "13566985222", "e-mail": "[email protected]", "fullname": "wangwuChina", "ID Number": "95486589"}
            ],
            "AlarmContent": "Alarm Source: 127.0.0.1(127.0.0.1)Alarm Name: Aggregation alarmSeverity: criticalAlarm Time: 2024-10-28 17:15:22Alarm Description: aaaaaaNMS Origin: 172.51.10.113",
            "AlarmEntity": {
                "nTipStatus": 0,
                "oConfirmTime": 0,
                "strConfirmUserName": "",
                "strTipMessage": "",
                "strTipMessageEn": "",
                "nIsAck": 0,
                "asnAlarm": {
                    "nAction": 1,
                    "nFaultFlag": "0",
                    "nRecover": "0",
                    "nSeverity": "4",
                    "oAckTime": "0",
                    "recoverAlarmSerialNo": null,
                    "sDevIP": "127.0.0.1",
                    "sDevName": "127.0.0.1",
                    "sDevNameEn": "127.0.0.1",
                    "strAckUserName": "",
                    "strCallBackData": "",
                    "strComment": "1.3.6.1.4.1.25506.4.2.62.2.1",
                    "strExperienceEn": "See the recommended actions for the corresponding check item in the most recent check result report.",
                    "strFaultOID": "1.3.6.1.4.1.25506.4.2.62.2.6.1",
                    "strLocationEn": "*1.3.6.1.4.1.25506.4.2.62.2.1=Unified Platform;*1.3.6.1.4.1.25506.4.2.62.2.2=Network Quality Check",
                    "strMeaningEn": "Network Quality Check : Issue detected on product (Unified Platform)",
                    "strNameEn": "Health Check Alarm",
                    "strReasonEn": "Health issue detected",
                    "strRepairEn": "See the recommended actions for the corresponding check item in the most recent check result report.",
                    "strValueListEn": "*Product Name=Unified Platform;*Check Item=Network Quality Check",
                    "ulCategoryMainID": "603",
                    "ulDevID": "0",
                    "ulFaultTime": "1722938036",
                    "ulIfIndex": "0",
                    "ulRepeats": "1",
                    "ulSerialNo": "371381190729856",
                    "ulTenantId": "abd2d9f6-36d9-45b8-b7e3-7a793b3a6f2c"
                },
                "renderInfo": null,
                "renderInfoEn": null
            }
        }
    },
    "WebhookName": "qwert",
    "DataType": "Alarm",
    "Component": "Alarm Management",
    "TimeStamp": 1730106957951
}
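A system that receives these forwarded alarms should treat the message body as untrusted input and keep the personal data in userList out of its logs. The following added example (not part of the H3C product) parses a body in the Table 19 layout, validates the fields it uses, and masks the user details. The size limit, the function names, and the reading of ulFaultTime as epoch seconds are assumptions, and the sample body is constructed.

```python
import json
from datetime import datetime, timezone

# nSeverity codes as listed in Table 19.
SEVERITY = {1: "critical", 2: "major", 3: "minor", 4: "warning", 5: "informational"}
# userList fields that identify a person (names as they appear in the sample body).
PII_KEYS = {"phoneNumber", "e-mail", "fullname", "ID Number"}
MAX_BODY_BYTES = 64 * 1024  # assumed receiver-side limit, not from the guide


class PayloadError(ValueError):
    """Raised when a body does not match the documented alarm layout."""


def _as_int(obj, key):
    # The sample carries numbers both bare (1) and quoted ("4"); accept both.
    try:
        return int(obj[key])
    except (KeyError, TypeError, ValueError) as exc:
        raise PayloadError(f"bad or missing integer field {key!r}") from exc


def parse_value_list(text):
    """Split 'key1=value1;key2=value2' into a dict (sample keys carry a leading '*')."""
    if not isinstance(text, str):
        raise PayloadError("VB parameter list is not a string")
    pairs = {}
    for item in filter(None, text.split(";")):
        key, sep, value = item.partition("=")
        if not sep or not key.strip("* "):
            raise PayloadError(f"malformed VB parameter {item!r}")
        pairs[key.strip("* ")] = value.strip()
    return pairs


def redact_user(user):
    """Keep userName but mask personal fields so the record is safe to log."""
    if not isinstance(user, dict):
        raise PayloadError("userList entry is not an object")
    return {k: "<redacted>" if k in PII_KEYS else v for k, v in user.items()}


def parse_alarm_webhook(raw):
    """Validate one forwarded alarm body (bytes) and return a normalized record."""
    if len(raw) > MAX_BODY_BYTES:
        raise PayloadError("body too large")
    try:
        msg = json.loads(raw)
        alarm = msg["Content"]["Alarm"]
        asn = alarm["AlarmEntity"]["asnAlarm"]
        users = alarm.get("userList") or []
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise PayloadError("not a well-formed alarm body") from exc
    if msg.get("DataType") != "Alarm" or not isinstance(asn, dict) or not isinstance(users, list):
        raise PayloadError("unexpected DataType or field types")
    severity = _as_int(asn, "nSeverity")
    if severity not in SEVERITY:
        raise PayloadError(f"unknown nSeverity {severity}")
    seconds = _as_int(asn, "ulFaultTime")  # assumed to be epoch seconds
    try:
        fault_time = datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError) as exc:
        raise PayloadError("ulFaultTime out of range") from exc
    return {
        "webhook_id": _as_int(msg, "WebhookID"),
        "serial_no": str(asn.get("ulSerialNo", "")),
        "severity": SEVERITY[severity],
        "is_recovery": _as_int(asn, "nRecover") == 1,
        "is_performance_alarm": _as_int(asn, "nFaultFlag") == 1,
        "source_ip": str(asn.get("sDevIP", "")),
        "fault_time": fault_time,
        "values": parse_value_list(asn.get("strValueListEn", "")),
        "recipients": [redact_user(u) for u in users],
    }


def sample_body():
    """Constructed sample in the Table 19 layout; user details are placeholders."""
    return json.dumps({
        "WebhookID": 1,
        "Content": {"Alarm": {
            "userList": [{"userName": "user1", "phoneNumber": "0000000000",
                          "e-mail": "user1@example.com", "fullname": "Example User",
                          "ID Number": "00000000"}],
            "AlarmContent": "constructed alarm text",
            "AlarmEntity": {"nIsAck": 0, "asnAlarm": {
                "nFaultFlag": "0", "nRecover": "0", "nSeverity": "4",
                "sDevIP": "127.0.0.1", "strNameEn": "Health Check Alarm",
                "strValueListEn": "*Product Name=Unified Platform;*Check Item=Network Quality Check",
                "ulFaultTime": "1722938036", "ulSerialNo": "371381190729856"}},
        }},
        "WebhookName": "qwert", "DataType": "Alarm",
        "Component": "Alarm Management", "TimeStamp": 1730106957951,
    }).encode()


if __name__ == "__main__":
    print(json.dumps(parse_alarm_webhook(sample_body()), indent=2))
```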

 

Notification Record

Introduction

The notification record query function provides rich query criteria, making it convenient for users to conduct detailed queries of the message records sent.

Functions

·     Basic Search

In the search field at the upper right corner of the page, enter a forward destination. Fuzzy search is supported. Then, click the Search icon. The message record list displays all matching records.

·     Advanced Search

a.     Click the Advanced Search icon in the upper right corner to expand the advanced search area.

b.     Configure the search conditions as needed:

-     Send Type: You can search notification records based on the send type, and select from all, sms, mail, wechat, wechatWork, workOrder, webhook.

-     Service: You can search notification records based on the service.

-     Time: You can search the notification records sent within a certain time period.

-     Destination: The notification records can be queried according to the receiving end.

-     Message Content: You can query notification records based on the content of the message sent.

-     Result: You can check the notification records based on the results of the message delivery.

c.     Click Search. The message record list displays all matching records. To clear the search conditions and display all message records, click Reset.

SMS Notification Records

Perform this task to search for SMS message records that match specific conditions.

Functions

·     Basic Search

a.     In the search field at the upper right corner of the page, enter a partial or complete telephone number.

b.     Click the Search icon. The SMS message record list displays all matching records.

·     Advanced Search

a.     Click the Advanced Search icon in the upper right corner to expand the advanced search area.

b.     Configure the search conditions as needed:

-     Service: Select an SMS sending service from the list.

-     Telephone Number: Enter a partial or complete 11-digit mobile phone number.

-     Message Content: Enter the message content to search for, a string of up to 500 characters. Fuzzy matching is supported.

-     Sending Time: Set the message sending time range.

-     Sending Result: Select the result for sending the message to the SMS platform.

c.     Click Search. The SMS message record list displays all matching records.

d.     To clear the search conditions and display all SMS message records, click Reset.

WeChat Notification Records

Use this feature to view WeChat messages sent by the system.

Procedures

·     Search for Message Records

In the upper right corner of the page, enter message content in the search box. Fuzzy search is supported.

Click the Search icon to view the matching message records on the list.

·     Delete Message Records

Select one or multiple message records, and click Delete. Then, click OK in the confirmation dialog box that opens.

·     View Message Record Details

Click the link in the Sending Result column for a message record to view detailed information about the message record, including the sending status and failure reason.

Remarks

·     No message records are generated if the system uses a message template to send WeChat messages after all followers in the message template have unfollowed the official account in the message template.

·     No message records are generated if the system fails to connect to the WeChat server when it uses a message template to send WeChat messages.

WeChat Work Official Account Notification Records

Use this feature to view WeChat Work application messages sent by the system.

Procedures

·     Search for Message Records

a.     In the upper right corner of the page, enter message content in the search box. Fuzzy search is supported.

b.     Click the Search icon to view the matching message records on the list.

·     Delete Message Records

Select one or multiple message records, and click Delete. Then, click OK in the confirmation dialog box that opens.

·     View Message Record Details

Click the link in the Sending Result column for a message record to view detailed information about the message record, including the sending status and failure reason.

Remarks

No message records are generated if the system fails to connect to the WeChat server when it uses a message template to send WeChat messages.

Record Archive

Introduction

The system will periodically archive history notification records that match the archive conditions to a CSV file and delete these notification records from the system.

Remarks

·     Modifying the system time might trigger an archive task. To ensure that the system operates normally, do not arbitrarily modify the system time.

·     If the administrator selects both the archive count and archive time options, the system automatically archives data according to the selected conditions. The system selects the archive method that matches more data entries.

·     If the administrator selects only the archive count option, the data entries are archived as follows: If you set the threshold for the archive count to 8000 and the number of reserved data entries after the archive to 500, the system will automatically check the total number of entries in the database every morning. If the total number exceeds 8000, the system will start the archive function, reserve the latest 500 entries, and archive the earlier entries.

·     If the administrator selects only the archive time option, the data entries are archived as follows: If you set the threshold for the archive time to 30 and the reserved data after the archive to 15, the system will automatically check all the entries in the database every morning. If there are entries older than 30 days, the system will start the archive function, reserve entries in the latest 15 days, and archive the earlier entries.

·     Notification record archive tasks run at 2:00 a.m. every day.

·     The notification record archived file is saved in the /var/lib/ssdata/export/record directory, which is automatically specified by the system and cannot be modified.

·     For both immediate archive and scheduled archive, the system checks the archive threshold. If the threshold is not reached, the system will not archive data.

·     Reserve enough disk space for saving the archived file.

·     In a cluster with multiple subscribe pods, when the scheduled subscribe archiving task is due to run, all the subscribe pods in the cluster will attempt to start the task simultaneously. However, only one pod will successfully start the task. For the pods that fail to start the task, a subscribe archiving task failure log will be generated, which is an expected behavior and does not require additional intervention.

·     An immediate archive (dump) uses the archive parameters saved in the database. After modifying the archive configuration, click OK for the modified parameters to take effect.

Functions

·     Archive Records

a.     Select the archive method and configure the archive parameters, and click OK to save the archive settings.

b.     The system automatically archives the history notification records matching the archive conditions to a CSV file at 2:00 AM every day and deletes these notification records from the system.

c.     Click Archive Now to immediately perform an archive task.

Parameters

Table 20 Record archive parameters

Parameter

Description

By Quantity

·     Archive Trigger Threshold(Entries): The archive task is triggered when the threshold is exceeded.

·     Max Entries to Retain(Entries): The specified number of data entries is reserved in the system after the archive.

By Duration

·     Archive Trigger Threshold(Days): The archive task is triggered when the threshold is exceeded.

·     Max Days of Data to Retain(Days): Data entries within the latest specified days are reserved in the system after the archive.

Max Archive File Retention Days

A file exceeding the specified retention days will be deleted from the system.

Archive File Path

Path for saving the archived file, or mounted system path.

Last Archived

Time of the last archive task recorded on the page.

 

Security Settings

Introduction

Perform this task to enhance the system security.

Remarks

·     In a disaster recovery environment, the add and delete functions are not available on the IP Allowlist and Access Address Settings pages for the primary site.

·     To use a RADIUS server in U-Center, you must configure the U-Center cluster information on the RADIUS server. The following shows an example configuration:

client 192.168.1.1/16 {
    secret = testing123
    nastype = livingston
}

·     The LDAP user sync and RADIUS user sync functions are mutually exclusive. To use the LDAP user sync function, you must disable RADIUS user sync first.

·     To ensure successful login after you enable SMS authentication, email authentication, or dynamic password authentication, do not arbitrarily delete or edit the user's phone number or email.

Basic Settings

Account lock settings

You can unlock a disabled non-system administrator or a disabled non-tenant administrator on the Users page.

1.     Specify the number of login failures.

2.     Specify the system/tenant administrator lockout duration.

3.     Click OK.

User idle timeout timer

1.     Specify the idle timeout timer.

2.     Specify whether or not to enable maximum idle days as needed.

3.     If the option is enabled, specify the maximum idle days.

4.     Click OK.

Advanced users

Advanced users are not restricted by maximum idle time.

·     Add a user

a.     Click Advanced Users.

b.     Enter the user name.

c.     Click Add.

d.     Click OK.

·     Delete users

a.     Click Advanced Users.

b.     Select target users.

c.     Click Delete.

d.     Click the Delete icon in the Actions column for the advanced user.

e.     In the dialog box that opens, click OK.

·     Refresh the list

a.     Click Advanced Users.

b.     Click Refresh.

User password policy settings

When you create or modify a user, the system uses the enabled password check rule to check the user password.

1.     Specify the lower and upper limits for the password length.

2.     Select password strength check rules.

3.     Select password reset rules as needed.

4.     Click OK.

User name settings

1.     Specify the lower and upper limits for the user name length.

2.     Click OK.

Control Action Upon User Concurrent Login Limit

You can specify one of the following control actions to restrict a user's login when the concurrent login limit is reached:

1.     Shut Down Idle Session: Shuts down the user's online session that has been idle for the longest time so that the user can log in again.

2.     Deny New Login Request: Denies the new login request until the user shuts down an online session by logging out. Closing the browser alone does not shut down the session; the user must then wait for the session to time out.

You can view the maximum number of concurrent logins for a user on its details page. You can view the user idle timeout settings in Security Settings.

Parameters

Table 21 Account Lock Parameters

Parameter

Description

Max Consecutive Failed Login Attempts

Specify the threshold for the number of login failures caused by incorrect passwords.

·     The value is an integer in the range of 2 to 100.

·     The default setting is 10.

·     After the number of consecutive login failures caused by incorrect passwords for a user reaches the specified value, the user will be disabled and cannot log in until manually enabled.

System/Tenant Administrator Lockout Duration (Min)

Duration for which the system/tenant administrator login will be locked after the number of login failures caused by incorrect passwords exceeds the threshold. For a non-system administrator or a non-tenant administrator, unlock it on the Users page.

·     The value is an integer in the range of 2 to 1440 in minutes.

·     The default setting is 60 minutes.

 

Table 22 User Idle Timeout Parameters

Parameter

Description

Idle Timeout Timer

Specify the amount of time that the system waits for an inactive user to perform operations before it logs out that user.

·     The default setting is 120 minutes.

·     The value is an integer in the range of 5 to 2880.

Enable maximum idle days

·     Enable this option to disable a user that does not log in within the specified number of days and send an alarm. The alarm needs to be manually cleared after the user is enabled.

·     By default, this feature is disabled.

Maximum idle days

Enable this option to disable a user that does not log in within the specified number of days and send an alarm. The alarm needs to be manually cleared after the user is enabled.

·     Turn on Enable maximum idle days before configuring this parameter.

·     This field is required. The value is an integer in the range of 5 to 2880.

 

Table 23 User Password Policy Parameters

Parameter

Description

Minimum Length

·     Specify the minimum password length.

·     The default setting is 8.

·     The value is an integer in the range of 1 to 32.

·     The value cannot be smaller than the number of selected password strength check options, including digits, upper-case letters, lower-case letters, and special characters.

Maximum Length

·     Specify the maximum password length.

·     The default setting is 30.

·     The value is an integer in the range of 1 to 32.

Password Strength Check

·     Specify the password strength check rules. Options include Digits, Uppercase letters, Lowercase letters, Special characters, Cannot start or end with space, Cannot contain username or reverse of username, Cannot use the same digit or letter more than once, and Cannot use adjacent letters on the keyboard.

·     Supported special characters include !"#$%&'()*+,-./:;^`<=>?@[]{}_|~

·     Case sensitivity: The uppercase and lowercase forms of a letter, for example, A and a, are not considered the same.

·     Adjacent characters on the keyboard: A sequence of four or more characters that appear in a row on the keyboard, for example, 1234 or qwer, count as adjacent. Sequences in reverse order, for example, 4321 or REWQ, also count as adjacent. Vertically aligned characters, such as 1qaz or 2wsx, do not count as adjacent. Additionally, adjacency is case sensitive. Character sequences with different cases, such as Qwer, do not count as adjacent.

·     You can select multiple options. The number of selected options, including digits, upper-case letters, lower-case letters, and special characters cannot be greater than the minimum password length.

Force Password Change

·     Whether or not to force the user to change its password again at the first login.

·     Select this option as needed.

·     When a user logs in to the system for the first time after the user account is created or the user's password is changed by an administrator, the system forces the user to change its password. This feature takes effect only on simple password authentication.
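The strength rules in Table 23 can be rehearsed offline before a policy is rolled out. The following Python check is an added example, not H3C code; the keyboard rows, the case-sensitive user name comparison, and the reading of the repeated-character rule as "anywhere in the password" are assumptions.

```python
import string
from dataclasses import dataclass

# Special characters exactly as listed in Table 23.
SPECIALS = set("!\"#$%&'()*+,-./:;^`<=>?@[]{}_|~")

# Assumption: US QWERTY rows, digits and letters only (the guide does not list
# the rows). Upper-case rows are separate entries because the guide says a
# mixed-case run such as "Qwer" does not count as adjacent.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_ROWS = _ROWS + [row.upper() for row in _ROWS[1:]]
ADJACENT_RUN = 4  # "four or more characters that appear in a row"


@dataclass
class PasswordPolicy:
    min_length: int = 8    # Table 23 default
    max_length: int = 30   # Table 23 default
    require_digit: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = True
    no_edge_space: bool = True
    no_username: bool = True
    no_repeated_char: bool = True
    no_keyboard_run: bool = True

    def config_errors(self):
        """Check the policy itself against the limits stated in Table 23."""
        errors = []
        for name in ("min_length", "max_length"):
            if not 1 <= getattr(self, name) <= 32:
                errors.append(f"{name} must be in the range of 1 to 32")
        required = sum([self.require_digit, self.require_upper,
                        self.require_lower, self.require_special])
        if self.min_length < required:
            errors.append("min_length is smaller than the number of "
                          "selected character-class options")
        return errors


def has_keyboard_run(password, run=ADJACENT_RUN):
    """True if any window of `run` characters is a forward or reversed slice
    of a single keyboard row. Vertical sequences (1qaz) never match."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if any(window in row or window[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(password, username, policy=None):
    """Return the list of violated rule names (empty list means accepted)."""
    policy = policy or PasswordPolicy()
    violations = []
    if not policy.min_length <= len(password) <= policy.max_length:
        violations.append("length")
    if policy.require_digit and not any(c in string.digits for c in password):
        violations.append("digit")
    if policy.require_upper and not any(c in string.ascii_uppercase for c in password):
        violations.append("uppercase")
    if policy.require_lower and not any(c in string.ascii_lowercase for c in password):
        violations.append("lowercase")
    if policy.require_special and not any(c in SPECIALS for c in password):
        violations.append("special")
    if policy.no_edge_space and password != password.strip(" "):
        violations.append("edge_space")
    # Assumption: the user name comparison is case sensitive.
    if policy.no_username and username and (
            username in password or username[::-1] in password):
        violations.append("contains_username")
    # Assumption: a digit or letter may not occur twice anywhere in the
    # password; "A" and "a" are different characters, as Table 23 states.
    alnum = [c for c in password if c in string.ascii_letters + string.digits]
    if policy.no_repeated_char and len(alnum) != len(set(alnum)):
        violations.append("repeated_char")
    if policy.no_keyboard_run and has_keyboard_run(password):
        violations.append("keyboard_run")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords, checked for the constructed user "alice".
    for candidate in ["Tr7#kLp9@x", "Qwer1234!a", "xecila9#Kq", "Aa1!Aa1!"]:
        print(candidate, check_password(candidate, "alice"))
```
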

 

Table 24 User Name Parameters

Parameter

Description

Minimum Length

·     Specify the minimum name length.

·     The default setting is 2.

·     The value is an integer in the range of 1 to 255.

Maximum Length

·     Specify the maximum name length.

·     The default setting is 32.

·     The value is an integer in the range of 1 to 255.

 

IP allowlist

Only IPv4 or IPv6 addresses on the IP allowlist are permitted to access the system. The system sends an alarm if an IP address not on the IP allowlist accesses the system.

Add an IP address

1.     Click Add.

2.     Enter an IP address.

3.     Enter a description as needed.

4.     Click OK.

5.     Click OK.

Delete IP addresses

1.     Select target IP addresses.

2.     Click Delete.

3.     Click the Delete icon in the Actions column for an IP address.

4.     In the dialog box that opens, click OK.

Refresh the list

When no data sync is in progress, you can synchronize data through the refresh function.

Click Refresh.

Filter IP addresses

You can filter IP addresses through fuzzy matching.

1.     Enter a complete IP address or a portion of the IP address.

2.     Click Search.

Parameters

Table 25 IP Allowlist Parameters

Parameter

Description

IP Address

The following IP address formats are supported:

·     A single IPv4 or IPv6 address. Loopback addresses are not supported.

·     IP address/mask or prefix length, for example, 10.99.180.0/24.

·     An IP address range, for example, 10.99.180.11-10.99.180.12.

Description

·     Enter the description of the IP address.

·     This field is optional. The value range is 0 to 255 characters.
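The three entry formats in Table 25 can be parsed and audited before they are entered on the page. The following Python code is an added example, not H3C code; the function names, the 256-address width threshold, and the acceptance of host bits in an address/prefix entry are assumptions.

```python
import ipaddress


def parse_entry(entry):
    """Parse one allowlist entry into (first, last) address objects.

    Accepts the three formats of Table 25: a single IPv4/IPv6 address,
    address/mask or address/prefix length, and first-last ranges.
    Raises ValueError for anything else.
    """
    entry = entry.strip()
    if "-" in entry:
        first_text, last_text = entry.split("-", 1)
        first = ipaddress.ip_address(first_text.strip())
        last = ipaddress.ip_address(last_text.strip())
        if first.version != last.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if first > last:
            raise ValueError("range start is above range end")
        return first, last
    if "/" in entry:
        # strict=False tolerates host bits (assumption about product behaviour).
        net = ipaddress.ip_network(entry, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(entry)
    if addr.is_loopback:
        # Table 25: loopback addresses are not supported.
        raise ValueError("loopback addresses are not supported")
    return addr, addr


def entry_size(entry):
    """Number of addresses one entry admits."""
    first, last = parse_entry(entry)
    return int(last) - int(first) + 1


def is_allowed(source, entries):
    """True if `source` falls inside at least one valid entry."""
    addr = ipaddress.ip_address(source)
    for entry in entries:
        try:
            first, last = parse_entry(entry)
        except ValueError:
            continue  # an unparsable entry never grants access
        if first.version == addr.version and first <= addr <= last:
            return True
    return False


def audit(entries, max_size=256):
    """Return (entry, finding) pairs for invalid or overly broad entries."""
    findings = []
    for entry in entries:
        try:
            size = entry_size(entry)
        except ValueError as exc:
            findings.append((entry, f"rejected: {exc}"))
            continue
        if size > max_size:
            findings.append((entry, f"broad: covers {size} addresses"))
    return findings


# Constructed sample allowlist; the first two entries are the examples
# given in Table 25, the rest are made up for the audit.
SAMPLE = [
    "10.99.180.0/24",
    "10.99.180.11-10.99.180.12",
    "2001:db8::10",
    "127.0.0.1",
    "10.0.0.0/8",
    "10.99.180.12-10.99.180.11",
]

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print(f"{entry}: {finding}")
    print(is_allowed("10.99.181.1", SAMPLE))
```
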

 

AuthN-free settings

When a user uses an IPv4 or IPv6 address on the authN-free IP list to access the system, the user can directly access the system without login authentication. To configure this feature, you must have the privilege to view the user list.

Add an authN-free IP

1.     Click Add.

2.     Enter an IP address.

3.     Select a user name.

4.     Click OK.

Delete authN-free IPs

1.     Select target IP addresses.

2.     Click Delete.

3.     Click the Delete icon in the Actions column for an authN-free IP.

4.     In the dialog box that opens, click OK.

Refresh the list

Click Refresh to refresh the authN-free IP list.

Filter authN-free IPs

1.     Enter the user name.

2.     Click Search.

Parameters

Table 26 AuthN-Free Parameters

Parameter

Description

IP Address

Enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

User Name

·     This field is required. You must specify a user.

·     A disabled user cannot access the system through the authN-free feature.

·     If the bound user has a login time restriction, the user can log in without authentication only within the specified time range, and cannot log in during other time ranges.

 

HTTPS certificate settings

Upload certificates and configure the certificate expiration notification settings. You must configure these parameters for HTTPS access.

Protocol settings

1.     Specify whether or not to enable HTTPS.

2.     Enter a port number.

3.     Click OK.

4.     Click OK.

HTTPS settings

1.     Enable mutual authentication as needed.

2.     Upload a server certificate: Click Select File. On the window that opens, select a server certificate.

3.     Upload a server private key: Click Select, and then select a server private key certificate file in the window that opens.

4.     Upload a CA certificate: Click Select, and then select a CA certificate in the window that opens.

5.     Click OK.

Validate Client Certificates

After enabling mutual authentication, enable client certificate validation as needed.

1.     Enable client certificate validation.

2.     Enter the client certificate CN rules.

3.     Enter the client certificate DNS rules.

4.     Enter the client certificate IP rules.

5.     Click OK.

Certificate expiration notification settings

1.     Specify the certificate expiration notification threshold.

2.     Click OK.

Parameters

Table 27 Transport Protocol Parameters

Parameter

Description

HTTPS

·     If you enable HTTPS, the HTTPS protocol is used. Otherwise, the HTTP protocol is used.

·     The default setting is disabled. You can enable this option as needed.

Port Number

·     This field is required, and cannot be empty.

·     The default setting is 30000.

·     Do not enter port 443 for HTTP, which is the default port for HTTPS.

·     Do not enter port 80 for HTTPS, which is the default port for HTTP.

·     The port number is in the range of 1 to 65535. Some ports might be configured successfully, but you cannot access the Web page through the browser after configuration. This is because such port numbers are reserved. The reserved port numbers include: 1, 7, 9, 11, 13, 15, 17, 19-23, 25, 37, 42-43, 53, 77, 79, 87, 95, 101-104, 109-111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512-515, 526, 530-532, 540, 556, 563, 587, 601, 636, 993, 995, 1099, 2049, 3659, 4045, 6000, 6665-6669, 9099, 10248, 10257, 10259, and 44444.

 

Table 28 HTTPS Parameters

Parameter

Description

Mutual Authentication

·     After this feature is enabled, the server and client mutually authenticate each other.

·     The default setting is disabled. You can enable this option as needed.

·     After mutual authentication is enabled, the browser client must obtain the CA certificate for authentication.

·     After you enable mutual authentication and configure the CA certificate, restart the browser to have the certificate configuration take effect.

Server Certificate

·     The system supports only the certificates generated by OpenSSL. In addition, the system supports only the certificates in pem format that do not contain passwords.

·     If mutual authentication is disabled, the certificate does not take effect.

·     To successfully upload a server certificate, you must upload the server private key.

Server Private Key

·     The system supports only the certificates generated by OpenSSL. In addition, the system supports only the certificates in pem format that do not contain passwords.

·     If mutual authentication is disabled, the certificate does not take effect.

·     To successfully upload a server private key, you must upload the server certificate.

CA Certificate

·     The system supports only the certificates generated by OpenSSL. In addition, the system supports only the certificates in pem format that do not contain passwords.

·     If mutual authentication is disabled, do not configure the parameter. If the parameter already exists, it does not take effect.

·     If mutual authentication is enabled but no CA certificate is configured, the browser client cannot access the system.

·     After you enable mutual authentication and configure the CA certificate, restart the browser to have the certificate configuration take effect.

 

Table 29 Client Certificate Validation Parameters

If mutual authentication is disabled, do not configure the parameters. If mutual authentication is enabled, configure the parameters as needed.

Parameter

Description

Validate Client Certificates

·     Turn on this option to validate the CN rules, DNS (SAN) rules, and IP (SAN) rules of client certificates.

·     The default setting is disabled. You can enable this option as needed.

·     After turning on this option, you need to configure the CN rules, DNS (SAN) rules, and IP (SAN) rules or a minimum of one type of these rules.

Client Certificate CN Rules

·     Use semicolons (;) to separate multiple rules, each represented by a regular expression.

·     The CN rules, DNS (SAN) rules, and IP (SAN) rules cannot be all empty.

Client Certificate DNS Rules

·     Use semicolons (;) to separate multiple rules, each represented by a regular expression.

·     The CN rules, DNS (SAN) rules, and IP (SAN) rules cannot be all empty.

Client Certificate IP Rules

·     Enter a single IPv4 or IPv6 address with or without the subnet mask or prefix. Use semicolons (;) to separate multiple IPv4 or IPv6 addresses.

·     The CN rules, DNS (SAN) rules, and IP (SAN) rules cannot be all empty.

 

Table 30 Certificate Expiration Notification Parameters

Parameter

Description

Certificate Expiration Notification Threshold

·     By default, the system notifies the user 15 days before the HTTPS certificates are to expire. You can edit this value as needed.

·     Options are 15, 30, 60, and 180 days.

 

Weak password settings

You cannot specify an existing weak password as the login password for a user. A weak password can be successfully added even if it has been specified for users.

Add a weak password

1.     Click Add.

2.     Enter a weak password.

3.     Click OK.

Delete weak passwords

1.     Select target weak passwords.

2.     Click Delete.

3.     In the dialog box that opens, click OK.

4.     Click the Delete icon in the Actions column for a weak password.

5.     In the dialog box that opens, click OK.

Refresh the list

Click Refresh to refresh the weak password list.

Filter weak passwords

You can filter weak passwords through fuzzy matching.

1.     Enter a complete weak password or a portion of the weak password.

2.     Click Search.

Parameters

Table 31 Weak Password Parameters

Parameter

Description

Weak Passwords

·     Configure weak passwords. You cannot specify an existing weak password as the login password for a user.

·     This field is required. The valid length is 1 to 32. Chinese characters and signs are not supported.

·     A weak password can be successfully added even if it has been specified for users.

 

Access address settings

You can specify domain names and IP addresses that can access the system. System IPs, such as northbound IP and node IP, can access the system by default. The system sends an alarm if a domain name or IP address not specified on the Access Address Settings page accesses the system.

Add an access address

1.     Click Add.

2.     Enter an access address.

3.     Enter a description as needed.

4.     Click OK.

Delete access addresses

1.     Select target access addresses.

2.     Click Delete.

3.     In the dialog box that opens, click OK.

4.     Click the Delete icon in the Actions column for an access address.

5.     In the dialog box that opens, click OK.

Refresh the list

Click Refresh to refresh the access address list.

Filter access addresses

You can filter access addresses through fuzzy matching.

1.     Enter a complete access address or a portion of the access address.

2.     Click Search.

Parameters

Table 32 Access Address Parameters

Parameter

Description

Access Address

Enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

Description

·     Enter the description of the access address.

·     This field is optional. The value range is 0 to 255 characters.

 

Authentication Settings

Perform this task to configure authentication settings for the system to authenticate user identities upon login.

Configure LDAP server settings

Operations such as addition, deletion, and modification on the user list will not be synchronized to a third-party LDAP server. You can use an LDAP sync policy to synchronize users from the third-party server to the local system.

If the login authentication method for the user is LDAP authentication, you need to configure the LDAP server settings. Without this configuration, the user cannot log in to the system.

1.     Click Edit.

2.     Select an LDAP protocol version.

3.     Select an LDAP server type.

4.     Enter the IP address or domain name of the LDAP server.

5.     Enter the port number of the LDAP server.

6.     Specify the base DN on the LDAP server.

7.     Specify the administrator DN.

8.     Specify the administrator password.

9.     Specify the user name attribute.

10.     Select whether to connect to the LDAP server through an SSL connection.

11.     Click Test to test server availability.

12.     Click OK to complete server configuration.

Parameters

Table 33 LDAP Server Parameters

Parameter

Description

Version

Select an LDAP protocol version (V2 or V3) from the list.

·     This field is required. Options are 2 and 3.

·     The default setting is 3.

Server Type

Select an LDAP server type. Options are Microsoft Active Directory and General LDAP Server.

·     This field is required. Options are Microsoft Active Directory and General LDAP Server.

·     The default setting is General LDAP Server.

Server Address

·     Enter the IP address or domain name of the LDAP server.

·     This field is required. To specify the IP address, you can enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

·     This field cannot be empty.

Server Port

Enter the port number of the LDAP server.

·     The default setting is 389.

·     This field cannot be empty.

·     The value is an integer in the range of 1 to 65535.

Base DN

Specify the base DN on the LDAP server for the system to retrieve user information.

·     Specify the base DN as needed.

·     The value cn represents common name, the value ou represents organization unit, and the value dc represents domain component. For example: ou=ou,dc=dc,dc=com.

·     You can click Obtain DNs to obtain the base DN.

Admin DN

Specify the administrator DN used for communication with the LDAP server.

·     This field cannot be empty.

·     The value cn represents common name, the value ou represents organization unit, and the value dc represents domain component. For example: ou=ou,dc=dc,dc=com.

Admin Password

Specify the administrator password used for communication with the LDAP server.

·     This field cannot be empty.

·     The requirements are similar to those of the user password.

User Name Attribute

Specify the user name attribute for LDAP users.

·     This field cannot be empty.

·     Valid characters include only letters, digits, underscores (_), and hyphens (-). The length cannot exceed 64 characters.

Use SSL for LDAP

Select whether to connect to the LDAP server through an SSL connection.

Enable this option as needed.

 

Configure LDAP sync policy settings

Suppose user A does not exist in the user list. If you use user A to log in to the system through password authentication, the system assigns tenant, role, and organization based on the LDAP sync policy to the user and adds the user to the user list. If the LDAP sync policy is not enabled, or no match rules exist, a login failure occurs.

A user of the LDAP authentication type that already exists in the user list can directly log in to the system without using the LDAP sync policy.

Enable LDAP sync policy

If a third-party server is used as the LDAP server, you need to configure an LDAP sync policy.

Enable the LDAP sync policy as needed.

Add rule

1.     Select a tenant.

2.     Select a role.

3.     Select an organization.

4.     Specify the CN.

5.     Click Add Match Rule.

Delete rule

1.     Click the Delete icon in the Actions column for a rule.

2.     In the dialog box that opens, click OK.

Parameters

Table 34 Parameters for Adding an LDAP Sync Policy Rule

Parameter

Description

Tenant

Specify the tenant to which users synchronized from the LDAP server will be assigned.

·     Upon tenant switchover, the selected role and organization are reset.

Role

Specify the role to which users synchronized from the LDAP server will be assigned.

·     This field is required.

·     Upon tenant switchover, this parameter is reset.

CN

Specify the organization for the LDAP server user to be synchronized.

Each CN is a key=value pair, for example, ou=admin.

·     This field cannot be empty.

·     Both the key and the value of each pair must be present. Separate multiple items with commas (,).

Organization

Specify the organization to which users synchronized from the LDAP server will be assigned.

·     This field is required.

·     Upon tenant switchover, this parameter is reset.

Admin DN

Specify the administrator DN used for communication with the LDAP server.

·     This field cannot be empty.

·     The value cn represents common name, the value ou represents organization unit, and the value dc represents domain component. For example: ou=ou,dc=dc,dc=com.

Admin Password

Specify the administrator password used for communication with the LDAP server.

·     This field cannot be empty.

·     The requirements are similar to those of the user password.

User Name Attribute

Specify the user name attribute for LDAP users.

·     This field cannot be empty.

·     Valid characters include only letters, digits, underscores (_), and hyphens (-). The length cannot exceed 64 characters.

Use SSL for LDAP

Select whether to connect to the LDAP server through an SSL connection.

Enable this option as needed.

 

Configure RADIUS server settings

If the login authentication method for the user is RADIUS authentication, you need to configure the RADIUS server settings. Without this configuration, the user cannot log in to the system.

1.     Click Edit.

2.     Select an authentication method.

3.     Enter the IP address or domain name of the primary RADIUS server.

4.     Enter the IP address or domain name of the secondary RADIUS server.

5.     Specify the port used by the RADIUS authentication server.

6.     Specify the shared key.

7.     Click OK to complete server configuration.

8.     Click Test.

9.     Enter the test account and password.

10.     Then click OK to test server availability.

Parameters

Table 35 RADIUS Server Parameters

Parameter

Description

Authentication Method

Select the authentication method used by the RADIUS server. Options are PAP and CHAP.

·     This field is required.

·     The default setting is PAP.

Primary RADIUS Server

Specify the IP address or domain name of the primary RADIUS authentication server.

This field is required. To specify the IP address, you can enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

Secondary RADIUS Server

Specify the IP address or domain name of the secondary RADIUS authentication server. The secondary RADIUS server will be used if the primary RADIUS authentication server is unavailable.

This field is optional. To specify the IP address, you can enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

If the primary RADIUS authentication server is unavailable and no secondary RADIUS server is specified, you cannot log in to the system.

Authentication Port

Specify the port used by the RADIUS authentication server. The default setting is 1812.

·     This field is required. The value is an integer in the range of 1 to 65535.

Shared Key

Specify the shared key used for communication between the RADIUS authentication server and the system. The shared key must match that configured on the RADIUS authentication server.

·     This field cannot be empty.

 

Configure RADIUS sync policy settings

Suppose user A does not exist in the user list. If user A logs in to the system through password authentication, the system assigns a tenant, role, and organization to the user based on the RADIUS sync policy and adds the user to the user list. If the RADIUS sync policy is not enabled, or no match rules exist, the login fails.

The match order of RADIUS sync policies is determined by their display order, which you can change. The system matches a RADIUS response against the policies in display order, from top to bottom, until it finds the first match or has compared all policies without finding one. If no match is found, the user cannot access the system.

With RADIUS User Sync enabled, the system creates user accounts for login users who have been authenticated if no local user accounts are available for them. If a local user account is available for a login user, the system overwrites the organization in the local user account with the organization issued by the server. The tenant in the local user account cannot be overwritten with the tenant issued by the server.

With RADIUS User Sync disabled, the system rejects the login of a user if no local user account is available for that user. If a local user account is available, the login user will be assigned the permissions in the local user account.

Add rule

1.     Vendor ID: Specify the vendor ID in the message body returned by the RADIUS server for the rule.

2.     Vendor Type: Specify the vendor type in the message body returned by the RADIUS server for the rule.

3.     Data Type: Specify the data type in the message body returned by the RADIUS server for the rule. The data type can be string or integer.

4.     Match Type: Specify the user identity information match rule.

Delete rule

1.     Click the Delete icon in the Actions column for a rule.

2.     In the dialog box that opens, click OK.

Parameters

Table 36 Parameters for Adding a RADIUS Sync Policy Rule

Parameter

Description

Vendor ID

·     The vendor ID, vendor type, data type, and match type must be in the same configuration status (either configured or empty).

·     The value cannot exceed 512 characters.

Vendor Type

·     The vendor ID, vendor type, data type, and match type must be in the same configuration status (either configured or empty).

·     The value cannot exceed 512 characters.

Data Type

Specify the data type in the message body returned by the RADIUS server for the rule. The data type can be string or integer.

·     The vendor ID, vendor type, data type, and match type must be in the same configuration status (either configured or empty).

·     The default setting is string type.

Match Type

Specify the content that identifies user identity in the message body returned by the RADIUS server. Configure the match rule based on the selected data type.

·     The vendor ID, vendor type, data type, and match type must be in the same configuration status (either configured or empty).

·     The value cannot exceed 512 characters.

Tenant

Specify the tenant to which users synchronized from the RADIUS server will be assigned.

·     Upon tenant switchover, the selected role and organization are reset.

Role

Specify the role to which users synchronized from the RADIUS server will be assigned.

·     Upon tenant switchover, this parameter is reset.

Organization

Specify the organization to which users synchronized from the RADIUS server will be assigned.

·     This field is required. Available options include the organization where the current user belongs and the associated sub organizations, as well as all organizations for the sub tenants.

·     Upon tenant switchover, this parameter is reset.
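The first-match behaviour described above can be modelled as follows. This is an added example, not H3C code: it assumes the Vendor ID and Vendor Type of a rule refer to the RFC 2865 Vendor-Specific attribute (type 26) layout, that Match Type is compared for exact equality, and that all four rule fields are configured. The `SyncRule` class, the function names, the sample attributes and the tenant, role and organization values are constructed for illustration.

```python
import struct
from dataclasses import dataclass

VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
EXAMPLE_VENDOR = 32473   # IANA enterprise number reserved for documentation


@dataclass(frozen=True)
class SyncRule:          # hypothetical model of one sync policy rule
    vendor_id: int
    vendor_type: int
    data_type: str       # "string" or "integer"
    match: str           # exact-match value (assumption)
    tenant: str
    role: str
    organization: str


def _walk_tlvs(buf, what):
    """Yield (type, value) for each 1-byte-type / 1-byte-length TLV in buf."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError(f"truncated {what} header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad {what} length")
        yield t, buf[i + 2:i + length]
        i += length


def parse_vsas(attrs):
    """Return [(vendor_id, vendor_type, raw_value)] from RADIUS attribute bytes."""
    out = []
    for a_type, value in _walk_tlvs(attrs, "attribute"):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute shorter than Vendor-Id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        for v_type, v_value in _walk_tlvs(value[4:], "vendor sub-attribute"):
            out.append((vendor_id, v_type, v_value))
    return out


def decode_value(raw, data_type):
    """Decode a sub-attribute as the rule's data type; None means 'cannot match'."""
    if data_type == "integer":
        return str(struct.unpack("!I", raw)[0]) if len(raw) == 4 else None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def resolve(attrs, rules):
    """Return the first rule, in display order, that matches; None means login fails."""
    vsas = parse_vsas(attrs)
    for rule in rules:                      # display order, top to bottom
        for vendor_id, vendor_type, raw in vsas:
            if (vendor_id == rule.vendor_id
                    and vendor_type == rule.vendor_type
                    and decode_value(raw, rule.data_type) == rule.match):
                return rule
    return None


def vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute (helper for the constructed sample)."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


# Constructed sample: attributes of an Access-Accept for user "alice".
SAMPLE_ATTRS = (
    bytes([1, 7]) + b"alice"                            # User-Name
    + vsa(EXAMPLE_VENDOR, 1, b"netops")                 # string sub-attribute
    + vsa(EXAMPLE_VENDOR, 2, struct.pack("!I", 15))     # integer sub-attribute
)

# Constructed rules, listed in display order.
RULES = [
    SyncRule(EXAMPLE_VENDOR, 2, "integer", "15", "tenantA", "admin", "HQ"),
    SyncRule(EXAMPLE_VENDOR, 1, "string", "netops", "tenantA", "operator", "Branch"),
]

if __name__ == "__main__":
    hit = resolve(SAMPLE_ATTRS, RULES)
    print("assigned:", (hit.tenant, hit.role, hit.organization) if hit else "login rejected")
```

Both constructed rules match the same response, so the rule that is higher in the display order decides the role. Reviewing the order is therefore part of reviewing who receives which privileges.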

 

Configure TACACS server settings

If the login authentication method for the user is TACACS authentication, you need to configure the TACACS server settings. Without this configuration, the user cannot log in to the system.

1.     Select an authentication method.

2.     Enter the IP address or domain name of the TACACS server.

3.     Specify the port used by the TACACS authentication server.

4.     Specify the shared key.

5.     Click OK to complete server configuration.

6.     Click Test.

7.     Enter the test account and password.

8.     Then click OK to test server availability.

Parameters

Table 37 TACACS Server Parameters

Parameter

Description

Authentication Method

Select the authentication method used by the TACACS server. Options are ASCII, PAP, and CHAP.

·     This field is required.

·     The default setting is ASCII.

TACACS Server

Specify the IP address or domain name of the TACACS server.

This field is required. To specify the IP address, you can enter a single IPv4 or IPv6 address. Loopback addresses are not supported.

Authentication Port

·     Specify the port used by the TACACS authentication server. The default setting is 49.

·     This field is required. The value is an integer in the range of 1 to 65535.

Shared Key

·     Specify the shared key used for communication between the TACACS server and the system. The shared key must match that configured on the TACACS server.

·     This field cannot be empty.

 

AuthN Server Test

Test the connectivity to the selected types of authentication servers at intervals as configured or test their service port availability. The system generates an alarm when the state of a server is abnormal and removes the alarm when the state recovers to normal. If no servers have been specified for a selected server type, the system ignores the server type.

The following test methods are available:

·     Ping: Test connectivity of the system to the IP address or domain name of each authentication server.

·     Port State Test: Test the service port on each authentication server. RADIUS servers are not supported.

Enable CAS Server Service

When this system acts as a single sign-on server, you can enable the CAS server service. After a user logs in successfully, the system generates a ticket that can be used by other client services for single sign-on. The initial login takes a long time when the CAS server service is enabled for the first time, because CAS initialization takes some time. CAS initialization is not performed during subsequent logins.

Parameters

Table 38 Enable CAS Server Service Parameters

Parameter

Description

Cookie Directory for CAS Ticket

Specify the directory where the CAS ticket is stored in the cookie. By default, the CAS ticket is stored in the /cas directory, and only requests in the /cas directory can obtain the CAS ticket.

 

Configure login authentication settings

If the user requires third-party login authentication, you need to select the third-party authentication method and configure third-party authentication settings.

1.     Select an authentication method.

2.     Specify the interface used to verify the third-party token.

3.     Specify the address that the user will be redirected to after logout.

4.     Specify the SSO authentication address.

5.     Specify the parameter name for the target address.

6.     Click OK.

Parameters

Table 39 Login Authentication Parameters

Parameter

Description

Authentication Method

·     Specify the login authentication method. Options are System Default Authentication Method and Third-Party Authentication.

·     System Default Authentication Method: Use the system default token authentication method.

·     This field is required.

·     The default setting is System Default Authentication Method.

·     If you select Third-Party Authentication, you must configure the token verification address, SSO logout address, SSO authentication address, and parameter name for the target address. Then, users accessing the system are redirected to the SSO authentication address for login authentication. The original login page is not displayed.

Token Verification Address

Specify the interface used to verify the third-party token. If the verification fails, the user will be redirected to the SSO authentication address.

·     This field is optional.

SSO Logout Address

Specify the address that the user will be redirected to after logout.

·     This field cannot be empty.

SSO Authentication Address

Specify the SSO authentication address.

·     This field cannot be empty.

Parameter Name

Specify the parameter name for the address where the user will be redirected to after successful login.

·     This field cannot be empty.

 

Configure two-factor authentication settings

After you enable two-factor authentication, users can log in to the system only after they provide required information on the system login page.

Select a login authentication method.

Click OK.

To configure custom two-factor authentication, perform the following operations:

·     Add custom two-factor authentication system

The custom two-factor authentication system is selected upon creation and is unnamed by default. After creation, specify parameters for the custom two-factor authentication system as required, whether or not it is selected.

a.     Click Custom.

b.     Enter the authentication name.

c.     Select a sending method.

d.     Enter the request header as needed.

e.     Enter the success status code.

f.     Enter the request address.

g.     Enter the request message body as needed.

h.     Enter the success response body as needed.

i.     Click OK.

·     View custom two-factor authentication system

a.     Hover over the help icon next to the custom two-factor authentication system name.

b.     View custom two-factor authentication system information in the window that opens.

·     Edit custom two-factor authentication system

a.     Hover over the help icon next to the custom two-factor authentication system name.

b.     Click Edit in the window that opens, and then edit the custom two-factor authentication system settings as needed.

c.     Click OK.

·     Delete custom two-factor authentication system

a.     Hover over the help icon next to the custom two-factor authentication system name.

b.     Click Delete in the window that opens.

c.     Click OK.

Parameters

Table 40 Two-Factor Authentication Parameters

Parameter

Description

Authentication Method

Supported methods are graphic code authentication, SMS authentication, email authentication, Google dynamic password authentication, FEITIAN Dynamic Password Authentication, and custom two-factor authentication. With the corresponding feature enabled, a user must pass two authentications to log in to the system.

·     You can select multiple options as needed.

·     Custom two-factor authentication requires customization. The system supports only one custom two-factor authentication.

Graphic Code Authentication

When graphic code authentication is enabled, a user must provide the correct graphic code, username, and password on the login page to log in to the system.

·     The graphic code consists of letters and digits. Input is not case-sensitive.

·     This field is optional.

·     If the graphic code includes 0 or o, enter o instead.

SMS Authentication

When SMS authentication is enabled, a user must provide the correct verification code, username, and password on the login page to log in to the system.

·     The verification code is sent to the user through an SMS message. You must configure a correct mobile phone number on the user management page before enabling this function.

·     This field is optional.

Email Authentication

When email authentication is enabled, a user must provide the correct verification code, username, and password on the login page to log in to the system.

·     The verification code is sent to the user through an email. You must configure a correct email address on the user management page before enabling this function.

·     This field is optional.

Dynamic Password Authentication

When Google dynamic password authentication is enabled, the system sends each user in the user list an email that contains a key. For a user to pass dynamic password authentication, its username must be bound to its key on a mobile phone. Before the binding, download and install the Google dynamic password generator on the mobile phone. After the binding, the mobile phone will dynamically generate a password for the user within each password generation interval. To log in to the system, the user must provide the real-time dynamic password in addition to its username and password.

·     You need to configure a correct email address on the user management page before enabling this function. (The difference between the system time and the client time must be less than 60 seconds.)

·     This field is optional.

FEITIAN Dynamic Password Authentication

Before enabling FEITIAN dynamic password authentication, configure the following settings:

·     Download the OTP Mobile Token app on a mobile phone, and bind the user token on the app. The mobile phone generates a dynamic password (OTP) for authentication after binding. You can use the dynamic password and user password to log in to the system. For more information about user token binding, see the documents for OTP server management center.

·     After you complete the previous settings, navigate to the System > System Settings > Authentication Settings page. In the Two-Factor Authentication Settings area, select the check box next to FEITIAN Dynamic Password Authentication, and then click the FEITIAN Dynamic Password Authentication link to configure FEITIAN OTP server information.

·     The difference between the system time, mobile phone client time, and OTP server management center time must be less than 60 seconds.

·     In IPv6 single-stack mode, FEITIAN Dynamic Password Authentication is not supported.

·     The user names on the system and those on the OTP server management center are case insensitive.

·     The user name is a string of 2 to 32 characters. The user name can contain only letters, digits, underscores (_), hyphens (-), and dots (.).

·     You can set the maximum number of password attempts on OTP server management center. If the maximum number of password attempts is reached, the user is locked. You can unlock the user on OTP server management center.

·     This field is optional.

Third-Party Dynamic Password Authentication

When third-party dynamic password authentication is enabled, you can log in to the system by providing the dynamic password and the correct user password.

·     A user passes this dynamic password authentication only in one of the following cases: the Response Body Criterion field is empty and the HTTP status code matches a value in the Status Code Criteria field; or the HTTP status code and the response body match the Status Code Criteria and Response Body Criterion fields, respectively.

·     This field is optional.

 

Table 41 FEITIAN Dynamic Password Authentication Parameters

Parameter

Description

IP Address

Enter a valid IPv4 address. The IPv4 address must be in dotted decimal notation and cannot be a broadcast address, loopback address, multicast address, or reserved address.

Port

Enter an integer in the range of 1025 to 65535.

 

Table 42 Custom Two-Factor Authentication Parameters

Parameter

Description

Authentication Profile Name

Specify the custom two-factor authentication profile name. It is used for display purposes when you configure two-factor authentication.

·     The value is a case-sensitive string that can include only Chinese characters, letters (multiple languages are supported), digits, underscores (_), hyphens (-), dots (.), and backslashes (\).

·     The value range for this parameter is 2 to 32 characters.

·     The default setting is unnamed.

·     This field cannot be empty.

Request Method

Specify the method for sending custom two-factor authentication requests. Options are POST and GET.

·     The default setting is POST.

·     This field cannot be empty.

Status Code Criteria

Specify the status code returned upon request success.

·     The value is an integer in the range of 1 to 10000.

·     Separate multiple values with commas (,). Repeated values are not allowed.

·     You can enter a maximum of 10 status codes.

·     This field is optional.

Request Address

Enter the domain name or IP address for custom two-factor authentication.

·     The valid length is 1 to 255.

·     The URL can be in the format of http://www.test.com/${user}/${code} or http://10.99.223.206:30000?user=${user}&code=${code}. Placeholders ${user} and ${code} in the URL will be replaced with a user name and a verification code, respectively.

·     This field cannot be empty.

Request Body

Specify the third-party two-factor connection parameters.

·     The valid length is 0 to 512.

·     ${user} and ${code} can act as placeholders, for example, {"key1":"${user}","key2":"${code}"}.

·     This field is optional.

Response Body Criterion

Specify the response body for custom two-factor authentication. A user can pass authentication only when the response body is matched. When this field is empty, the system does not use the response body to determine whether authentication succeeds.

·     The valid length is 0 to 512.

·     This field is optional.
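The following added example, which is not H3C code, models the custom two-factor parameters in Table 42 together with the pass criteria stated for third-party dynamic password authentication. It assumes that placeholder values are percent-encoded in the URL and JSON-escaped in the body, that the response body is compared for exact equality, and that an empty status code list fails closed; all function names are hypothetical.

```python
import json
import re
from urllib.parse import quote

_PLACEHOLDER = re.compile(r"\$\{(user|code)\}")


def _render(template, user, code, encode):
    """Substitute ${user} and ${code} in one pass so that a substituted
    value is never itself scanned for placeholders."""
    values = {"user": user, "code": code}
    return _PLACEHOLDER.sub(lambda m: encode(values[m.group(1)]), template)


def render_url(template, user, code):
    """Fill the Request Address template (1 to 255 characters).
    Assumption: values are percent-encoded so that characters such as '&'
    or '/' in a user name cannot add parameters or path segments."""
    if not 1 <= len(template) <= 255:
        raise ValueError("request address must be 1 to 255 characters")
    return _render(template, user, code, lambda v: quote(v, safe=""))


def render_body(template, user, code):
    """Fill the Request Body template (0 to 512 characters).
    Assumption: the body is JSON and placeholders sit inside string literals."""
    if len(template) > 512:
        raise ValueError("request body must not exceed 512 characters")
    return _render(template, user, code, lambda v: json.dumps(v)[1:-1])


def parse_status_codes(text):
    """Validate Status Code Criteria: at most 10 unique integers in 1..10000."""
    if not text.strip():
        return []
    codes = []
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"not an integer: {part!r}")
        value = int(part)
        if not 1 <= value <= 10000:
            raise ValueError(f"status code out of range: {value}")
        if value in codes:
            raise ValueError(f"repeated status code: {value}")
        codes.append(value)
    if len(codes) > 10:
        raise ValueError("at most 10 status codes are allowed")
    return codes


def second_factor_passed(status, body, status_codes, body_criterion):
    """Pass only if the status code is listed and, when a response body
    criterion is configured, the body equals it (exact match is an assumption)."""
    if status not in status_codes:          # empty list: nothing passes
        return False
    if body_criterion == "":
        return True
    return body == body_criterion


if __name__ == "__main__":
    # Constructed user name containing characters that are special in a URL.
    url = render_url("http://10.99.223.206:30000?user=${user}&code=${code}",
                     "bob&code=000000", "123456")
    print(url)
    print(render_body('{"key1":"${user}","key2":"${code}"}', 'a"b', "123456"))
    print(second_factor_passed(200, '{"result":"ok"}',
                               parse_status_codes("200,201"), '{"result":"ok"}'))
```

With only Status Code Criteria configured, any response carrying a listed status code is accepted, so a verification service that answers 200 for both success and failure needs a Response Body Criterion as well.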

 

Alarm Settings for Unauthorized Access from Client

An alarm is generated if a client uses incorrect credentials to access the system (including through both API and browser) for the set maximum number of failed attempts during the set time interval.

1.     Enter a time interval.

2.     Enter the maximum number of failed attempts allowed.

3.     Click OK.

Parameters

Table 43 Alarm Settings for Unauthorized Access from Client Parameters

Parameter

Description

Time Interval

·     Enter a time interval in the range of 1 to 2880 minutes.

·     The default is 1 minute.

Max Failed Attempts

·     Enter the maximum number of failed attempts allowed, in the range of 1 to 1440.

·     The default is 30.
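The threshold described above, as an added detection example over constructed log lines (not H3C code). It assumes failures are counted per client address in a sliding window and that the alarm is raised when the count reaches Max Failed Attempts; the log format, field names and function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def validate(interval_minutes, max_failed):
    """Enforce the ranges given in Table 43."""
    if not 1 <= interval_minutes <= 2880:
        raise ValueError("time interval must be 1 to 2880 minutes")
    if not 1 <= max_failed <= 1440:
        raise ValueError("max failed attempts must be 1 to 1440")


def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into (timestamp, client, success)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["client"], kv["result"] == "ok"


def find_alarms(events, interval_minutes=1, max_failed=30):
    """Return [(client, timestamp)] for each point at which a client reaches
    max_failed failed attempts inside the interval. Events must be time-ordered.
    Defaults are the page's defaults: 1 minute and 30 attempts."""
    validate(interval_minutes, max_failed)
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)            # client -> timestamps of recent failures
    alarms = []
    for ts, client, success in events:
        if success:
            continue                       # API and browser failures count alike
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:         # drop failures that left the window
            q.popleft()
        if len(q) >= max_failed:
            alarms.append((client, ts))
            q.clear()                      # one alarm per burst (assumption)
    return alarms


def alarms_for_log(lines, **settings):
    return find_alarms((parse_line(l) for l in lines), **settings)


# Constructed sample log: one client fails every 2 s, another every 3 s.
BASE = datetime(2025, 10, 27, 9, 0, 0)


def _line(offset_s, client, result, channel):
    stamp = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{stamp} client={client} channel={channel} result={result}"


SAMPLE_LOG = sorted(
    [_line(2 * n, "198.51.100.7", "fail", "api") for n in range(30)]
    + [_line(3 * n, "203.0.113.9", "fail", "browser") for n in range(30)]
    + [_line(10, "203.0.113.9", "ok", "browser")]
)

if __name__ == "__main__":
    for client, when in alarms_for_log(SAMPLE_LOG):
        print(f"ALARM {client} reached the failed-attempt limit at {when.isoformat()}")
```

With the defaults, the second constructed client stays under the limit because it never exceeds 20 failures in any one minute. A longer Time Interval catches slower guessing at the cost of more alarms from ordinary typing mistakes.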

 

Enable UKEY Authentication

·     After you enable UKEY authentication, the login page displays authentication options. The default option is User Login, and USB Key Login is optional. To perform USB key login, insert the UKEY first, and then select the USB Key Login option for login.

·     If UKEY authentication is not enabled, the login page will default to user login.

·     During the installation of BMP_Extension, it is necessary to enable the password platform and configure the third-party password platform server; otherwise, the UKEY authentication function will not be available.

Logo Settings

Introduction

From this page, you can customize the system logo, icon, title, copyright information, background image on the login page, and custom information as needed.

Functions

·     Set the system logo, system title, and system icon

a.     Select the system logo.

b.     Enter the system title.

c.     Select the system icon.

d.     Click Apply to complete the system logo, title, and icon configuration. To view the configuration effect, refresh the page.

e.     Click Restore Factory Settings to restore the default system logo, title, and icon. To view the configuration effect, refresh the page.

·     Configure the system copyright information and the background image of the login page

a.     Enter the copyright information.

b.     Select the background image of the system login page.

c.     Click Apply to complete the copyright information and login page background image configuration. To view the configuration effect, refresh the page.

d.     Click Restore Factory Settings to restore the default copyright information and login page background image. To view the configuration effect, refresh the page.

·     Configure the system custom information

a.     Enter the custom information.

b.     Click Apply. You can view the custom information on the About page.

Parameters

Table 44 System Logo, Title, and Icon Parameters

In the Preview area, you can preview the custom logo, title, and icon at any time. The actual display effect might be different from the previewed effect.

Parameter

Description

System Logo

Logo that is displayed on the system login page and the top navigation bar.

·     Available image formats include png, jpg, jpeg, gif, bmp, webp, ico, and svg. An image cannot exceed 1 MB. As a best practice, use an image with the height as 50 pixels and width as 125 to 230 pixels.

·     The configured system logo does not immediately take effect. It takes effect only after you refresh the page.

·     If the system logo is not configured, the default system logo applies.

·     The system logo configured in the current theme and view takes effect only on the current theme and view.

·     If no logo is configured in the current view, the system logo of the current theme in the domain view is used.

System Title

Web page title displayed in the browser.

·     The name cannot exceed 64 characters. This field cannot be empty.

·     The configured system title does not immediately take effect. It takes effect only after you refresh the page.

·     The system title configured in the current view takes effect only on the current view.

·     If no system title is configured in the view, the system title in the domain view is used.

·     Clicking Set Defaults restores the system title to the default in the current view.

System Icon

Logo icon displayed in the browser tab.

·     Available image formats include png and ico. An image cannot exceed 1 MB. As a best practice, use an image with the resolution of 48 × 48.

·     If the system icon is not configured, the default system icon applies.

·     The system icon configured in the current view takes effect only on the current view.

·     Clicking Set Defaults restores the system icon to the default in the current view.

·     If no system icon is configured in the current view, the system icon in the domain view is used.

·     The configured system icon does not immediately take effect. It takes effect only after you refresh the page.

 

Table 45 System Copyright and Login Page Background Image Parameters

Parameter

Description

Copyright Information

Copyright information displayed on the login page and the About page.

·     The copyright information cannot contain more than 300 characters. This field cannot be empty.

·     You can view the copyright information on the About page or the login page.

·     The copyright information configured in the current view takes effect only on the current view.

·     If no copyright information is configured in the view, the copyright information in the domain view is used.

·     Clicking Set Defaults restores the copyright information to the default in the current view.

Background Image of Login Page

Background image of the system login page.

·     Available image formats include jpg, jpeg, bmp, webp, and png. An image cannot exceed 1 MB.

·     You can view the background image on the login page.

·     To configure the login page background image, first switch to the default view. The login page background image configured in the current theme and view takes effect only on the current theme and view.

·     If no login page background image is configured in the view, the login page background image of the current theme in the domain view is used.

 

Table 46 System custom information parameters

Parameter

Description

Custom Information

Custom information displayed on the About page.

·     The custom information cannot contain more than 300 characters. This field can be empty.

·     You can view the custom information on the About page.

·     The custom information takes effect for all views.

 

Menu Design

Introduction

From this menu, you can customize the menu design and view settings as needed.

Remarks

·     This feature only supports designing the layouts of available menus and extensions in custom views. Only available extensions in predefined views can be added to custom views.

·     This feature does not support designing the layout of the online help menu.

·     The Help Center icon is not available in custom views.

·     When multiple Unified Platform pages are open in the browser simultaneously, if you switch views on one page, refresh the other pages to avoid display anomalies.

Functions

·     Add View

a.     Click Add.

b.     Enter the view name.

c.     Select a view to inherit as needed.

d.     Switch the view attribute as needed.

e.     The Inherit View option is optional. If you select a view to inherit, the current view can inherit information of the selected view.

f.     Click OK.

·     Set as Default View/Normal View

You can modify the attribute of the current view to set it as the default view or a normal view. Only one default view is allowed.

a.     Set as normal view: Switch the current view from the default view to normal view.

b.     Set as default view: Switch the current view from the normal view to default view. If the default view already exists, the system switches the existing default view to normal view.

·     Bind/Unbind View

Click the Settings icon in the upper right corner. On the page for switching the view, you can bind the system to a view. If the system is not bound to any view, the default view is used. If the system does not have the default view, the view of the domain is used. If the domain does not have a view, the menus of registered components are used.

a.     Click the Settings icon in the upper right corner.

b.     From the menu, click Change View.

c.     Click the Bind icon or Unbind icon in the Actions column for the target view.

·     Change View

Click the Settings icon in the upper right corner. On the page for switching the view, switch to the target view.

a.     Click the Settings icon in the upper right corner.

b.     From the menu, click Change View.

c.     Click the Change icon in the Actions column for the target view.

·     Delete View

After deleting a view, the user can refresh the view only after logging in to the system again.

a.     Click Delete View.

b.     In the dialog box that opens, click OK.

·     Add Menu

You can customize and edit menus.

a.     Click Add Menu.

b.     Configure the menu parameters. The menu name field is required.

c.     Click OK.

·     Save View Menus

The available menus are menus of installed components. You can save the menu design information, and the view will use the menu design information.

a.     Click Save.

b.     Save the menus.

·     Preview View

You can preview the menu generated on the left. On the preview page, you can click to switch between menus, and cannot perform other operations. (Menu items without URL paths or submenu items are not displayed on the menu pane.)

a.     Click Preview to open a new page.

b.     On the new page, you can click a menu item to access the corresponding page. You can only view the page but cannot click on the page.

Parameters

Table 47 View Parameters

Parameter

Description

View Name

Specify a unique view name.

·     The value is a case-sensitive string that can include only Chinese characters, letters (supports multiple languages), digits, underscore (_), hyphens (-), and dots (.). The valid length is 2 to 32. The field cannot be empty.

·     The view name can be used to determine the current view.

·     The view name cannot be edited after it is configured.

Inherit View

Inherit the menu list and associated attributes of an existing view.

·     This field can be empty. If you do not specify any view to inherit, the menu list for the view is empty upon view creation.

·     If you specify a view to inherit, all menu information, including menu name, parent view, icon, permission, and address apply to the view upon creation.

View Attribute

Specify the view attribute, that is, whether the view is the default view.

·     This field is required. The default setting is normal view.

·     Normal View: No attribute is assigned to the view.

·     Default View: If the system is not bound to any view, the default view is used.

 

Table 48 Menu Parameters

Parameter

Description

Menu Name

Specify a menu name. You can specify the same name for multiple menus.

·     The value is a string that can include only Chinese characters, letters (multiple languages are supported, case-sensitive), digits, underscores (_), hyphens (-), dots (.), backslashes (\), slashes (/), ampersands (&), and spaces. It cannot start or end with a space. The valid length is 2 to 32.

·     The menu name applies to all language environments.

Parent

Inherit the menu list and associated attributes of an existing view.

·     This field can be empty. If you do not specify any view to inherit, the menu list for the view is empty upon view creation.

·     If you specify a view to inherit, all menu information, including menu name, parent view, icon, permission, and address apply to the view upon creation.

Icon

Specify the menu icon, which is displayed on the left of the menu when you load the menu.

·     This field is optional. Please upload a 20*20 pixel monochrome SVG icon file to avoid display issues.

Permission

Specify whether or not to display the menu.

·     This field is optional. You can leave this field empty or specify multiple permissions.

·     If you do not specify any permissions, permission control is not performed by default, and the menu item is directly displayed. If you specify one or multiple permissions, the menu item is displayed as long as one matching permission exists.

URL

Specify the path for loading the page.

·     This field is optional. You can specify a relative path or complete path. If you specify a complete path, the browser address bar restrictions apply to it.

·     If you do not specify a URL, the submenu of the menu that has a URL is loaded. If no URLs exist, the menu is not displayed.

·     The URL of the menu cannot be any system access path.

 

Table 49 Terminology

Term

Description

Domain View

The domain view is registered for a component (for example, universe), and cannot be edited, updated, or deleted.

Normal View

View manually added by the user, without any attributes assigned to it.

Click the Settings icon in the upper right corner. On the page for switching view, bind the target normal view.

Default View

The view that applies if no view is bound to the system.

 

Favorites

Introduction

This function allows you to create shortcuts to frequently used pages. When you browse a page, you can add it as an item to Favorites. To quickly open the page again, you can click Favorites and select the item from the list.

Remarks

·     The system supports a two-level item structure. A folder must reside at the top level, and can contain a maximum of 12 external link or menu items.

·     A user can manage its own favorite items. After a user logs in, the user can manage only its own favorite items.

·     The Settings > Favorites menu displays only the menu and external links (including folders) saved in the current view.

Functions

·     Add a favorite item

a.     Click Add. The Add Item dialog box opens.

b.     Configure parameters.

c.     Click OK.

·     Sync favorite items

a.     After an application is uninstalled, you must click the Sync button to delete the favorite items of the Menu type for the uninstalled application.

·     View favorite item details

a.     To view the details of an item, click the name of the item. The Favorites Item dialog box opens.

b.     View basic information: View the type, name, external link (for an external link item only), and folder of an item.

c.     Click OK.

·     Edit a favorite item

a.     To edit an item, click the Edit icon for the item. The Edit Item dialog box opens.

b.     Edit parameters as needed.

c.     Click OK.

·     Delete a favorite item

a.     To delete an item, click Delete for the item.

b.     In the dialog box that opens, click OK.

·     Jump

You can perform a jump only for a collection item that is an external link or menu.

a.     Click the Jump icon in the Actions column for a collection item.

b.     If the collection item is a menu, and the view of the menu is the same as the current view, the system will directly jump to the collected page.

c.     If the collection item is a menu, and the view of the menu is different from the current view, a confirmation dialog box opens. In the confirmation dialog box, click OK to jump to the view of the menu and enter the collected page.

d.     If the collection item is an external link, a new tab will be opened on the browser to access the external link.

Parameters

Parameter

Description

Type

Available types include External Link and Folder. An external link is a pure URL address. A folder can contain menu items and external links. The folder must be placed on the outermost layer.

Name

Specify the name of the item to be displayed in Favorites. The name can only contain Chinese characters, Japanese characters, letters (supports multiple languages, case sensitive), digits, special characters _-.&\/, and spaces, and cannot exceed 32 characters. It cannot start or end with a space.

External Link

Specify a URL that starts with http:// or https:// followed by a non-empty character string.

Folder

You can select a folder for a favorite item. If you do not select a folder, the favorite item is on the outermost layer and does not belong to any folder.

 

Support Center

Introduction

You can use Support Center to view the following information:

·     Knowledge Base:

¡     AI Customer Service: The AI robot helps you quickly resolve issues.

¡     Quick Questions: You can post questions in this module and your questions will be answered effectively.

¡     H3C Product Improvement: We value every requirement or suggestion for improvement of H3C products.

¡     Online School: Provides online learning resources for popular technologies.

¡     Document Center: The document center provides entries to the technical documents for all product series of H3C, including deployment guides, configuration guides, maintenance manuals, and troubleshooting guides. You can use these documents with the installation, configuration, and maintenance of your products.

¡     Troubleshooting Charts: Provide troubleshooting suggestions in the form of flow charts for convenient troubleshooting.

¡     Easy Deployment: Provides deployment configuration, solution overview, question answering, and teaching videos.

¡     Vulnerability Library: Provides descriptions for vulnerabilities and the solutions.

·     Digital Service Center: This function can effectively find potential risks and shorten the repair time through the intelligent correlation and analysis of massive data. It provides various services to help with business development, including intelligent alarm, health inspection, performance evaluation, version management, compliance check, configuration management, software and hardware life cycle management, cloud security, global knowledge base, exclusive experts, service console, and AI customer service.

·     Official Document Center: The document center provides the technical documents for all product series of H3C, including installation guides, configuration guides, user manuals, command references, and other types of documents, helping end users resolve installation, configuration, command, and other issues during usage of the products.

·     Official Software Download: Software Download provides an entry for downloading software releases, release notes, and software feature changes for H3C products. You can obtain basic software information and usage guidelines from these documents to help address software related issues.

·     License Service: Quickly processes device licensing issues.

·     H3C Class: Provides a talent empowerment management tool to IT enterprise managers and a social mobile learning window for IT practitioners. Here you can: Learn personal courses pushed according to job skill requirements and personal interests. Complete online/offline multi-scenario empowerment, and leave data footprints in various perspectives. Check your to-do list and view important notifications about your job. Call for related WeChat applets to learn courses conveniently with good teachers and partners.

Procedure

1.     Open the Support Center page.

2.     To view the information provided in an area, click Details or other links at the right bottom of the area.

Certificate Management

Introduction

The feature allows you to manage local certificates and CA certificates, including importing, requesting, viewing, deleting, and downloading certificates.

Remarks

Only users with certificate management privileges can import, request, delete, and download certificates.

Functions

·     Import a local certificate

Only the CRT and PEM file formats are supported for local certificates, and the file cannot exceed 5 MB. Only the KEY and PEM file formats are supported for keys of local certificates, and the file cannot exceed 5 MB. The file name cannot contain underscores (_).

a.     Click Import. The Import Certificate page opens.

b.     Select the certificate to upload.

c.     Select the private key to upload.

d.     Click OK to complete the import.

·     Request a local certificate

a.     Click Import. The Request Certificate page opens.

b.     Enter a certificate name.

c.     Enter an owner name.

d.     Enter a validity period.

e.     Select a cryptographic algorithm.

f.     Select a key length.

g.     Choose whether to generate a certificate request file.

h.     Click OK.

·     View the details of a local certificate

To view the details of a local certificate, click the name link of the certificate.

·     Download a local certificate

To download a local certificate, click the Download icon for the certificate in the Actions column. The downloaded package includes the local certificate and key.

·     Delete a local certificate

a.     Click the Delete icon for the certificate in the Actions column.

b.     In the dialog box that opens, click OK.

·     Import a CA certificate

Only the CRT and PEM file formats are supported for CA certificates, and the file cannot exceed 5 MB.

a.     Click Import. The Import Certificate page opens.

b.     Select the CA certificate to upload.

c.     Click OK to complete the import.

·     View the details of a CA certificate

To view the details of a CA certificate, click the name link of the certificate.

·     Download a CA certificate

To download a CA certificate, click the Download icon for the certificate in the Actions column.

·     Delete a CA certificate

a.     Click the Delete icon for the certificate in the Actions column.

b.     In the dialog box that opens, click OK.

Parameters

Parameter

Description

Certificate Name

Enter a certificate name. The value is a string of 1 to 80 characters that can contain only letters and digits.

If the entered name is the name of a previously requested certificate, the newly requested certificate will overwrite the previously requested one.

Owner

Enter the owner of the certificate. The value is a string of 1 to 64 characters that can contain only letters, digits, asterisks (*), and dots (.).

Validity Period (days)

Enter a validity period in the range of 1 to 20000 days.

Cryptographic Algorithm

Select a cryptographic algorithm. Options include RSA and SM2.

Key Length (bits)

Specify a key length in the number of bits.

·     When the cryptographic algorithm is RSA, the value of this parameter can be 1024 or 2048.

·     When the cryptographic algorithm is SM2, the value of this parameter is 256.

Generate Certificate Request File

Choose whether to generate a certificate request file.

If you select Yes, you must use the generated file to request the certificate from a third-party CA server. If you select No, the certificate is automatically signed by the built-in CA server.

 

Third-Party Systems

This system supports collecting data from various third-party systems. When you enable the system to collaborate with a third-party system, you can configure an authentication method to ensure secure data access. Supported authentication methods include basic authentication, token-based authentication, and no authentication. If you select the token-based authentication method, you must configure token profiles for the related third-party system.

Third-Party Systems

About this feature

This page allows you to configure the settings of a third-party system, including system address, port number, authentication method, username, and password.

Restriction and guidelines

If the system successfully collaborates with a third-party system, the Status column will display Normal for that third-party system.

Features

·     Add a third-party system

To add a third-party system, click Add.

·     Delete third-party systems

¡     To delete a single third-party system, click the Delete icon in the Actions column for that third-party system, and then click OK in the dialog box that opens.

¡     To delete multiple third-party systems in bulk, select the desired third-party systems, click the Delete button above the third-party system list, and then click OK in the dialog box that opens.

·     Refresh the third-party system list

To refresh the third-party system list, click the Refresh icon above the third-party system list.

·     Edit a third-party system

To edit a third-party system, click the Edit icon in the Actions column for that third-party system.

·     View the details of a third-party system

To view the details of a third-party system, click the name of that third-party system.

Add/Edit Third-Party System

About this feature

This feature allows you to add or edit a third-party system.

Restriction and guidelines

Before adding a third-party system, make sure it has not been configured for the current system.

Add a third-party system

Perform this task to add a third-party system with which the current system needs to collaborate.

1.     On the Third-Party Systems tab, click Add to add a third-party system.

2.     Configure the basic settings of the third-party system.

3.     Click OK.

Edit a third-party system

Perform this task to edit the settings of an existing third-party system.

1.     On the Third-Party Systems tab, click the Edit icon in the Actions column for the desired third-party system.

2.     Edit the basic settings of the third-party system as needed. The system name setting is not editable.

3.     Click OK.

Parameters

1.     Basic third-party system information

Parameter

Description

System Name

The system name is a string of 1 to 128 characters. Supported characters include Chinese characters, letters (supports multiple languages, case-insensitive), digits, underscores (_), hyphens (-), and backslashes (\).

This parameter is not editable once the third-party system is configured. Make sure the system name of each third-party system is unique.

System Type

Type of the third-party system.

Description

Description of the third-party system, which cannot exceed 128 characters.

System Address

IP address that the third-party system uses for connection to the current system. You can enter an IP address (IPv4 or IPv6 address, but not loopback address) or domain name.

Northbound Port

Port number used for logging in to the third-party system.

It must be an integer in the range of 1 to 65535.

HTTPS

If you enable this service, you must add the certificates required by HTTPS. The server certificate is required and the client certificate is optional.

Server Certificate

Only the CRT and PEM file formats are supported, and the file cannot exceed 5 MB.

Client Certificate

Only the CRT, PEM and p12 file formats are supported, and the file cannot exceed 5 MB.

Client Private Key

If you upload a CRT or PEM client certificate, you must upload a client private key. Only the KEY and PEM file formats are supported, and the file cannot exceed 5 MB.

Password

If you upload a p12 client certificate, you must enter a password.

Authentication

Whether authentication is required upon collaboration with the third-party system.

Authentication Method

Method for verifying user identity and permissions.

Token Profile

Token profile used for third-party system matching.

URL for Connectivity Test

Enter the URL for a GET request, which cannot exceed 255 characters. This URL is used to identify whether the current system can access the third-party system. If you do not specify a URL, the system will conduct a connectivity test by requesting a token from the third-party system.

Username

Username used for accessing the third-party system, which cannot exceed 255 characters.

Password

Password used for accessing the third-party system, which cannot exceed 255 characters.

 

Token Profiles

About this feature

This page allows you to configure token profiles for third-party systems. A token profile includes token request definition, token response definition, and service request definition.

Restriction and guidelines

You can delete or edit a token profile only if the Associations column displays 0 for that token profile.

Features

·     Add a token profile

To add a token profile, click Add.

·     Delete token profiles

¡     To delete a single token profile, click the Delete icon in the Actions column for that token profile, and then click OK in the dialog box that opens.

¡     To delete multiple token profiles in bulk, select the desired token profiles, click the Delete button above the token profile list, and then click OK in the dialog box that opens.

·     Refresh the token profile list

To refresh the token profile list, click the Refresh icon above the token profile list.

·     Edit a token profile

To edit a token profile, click the Edit icon in the Actions column for that token profile.

·     View the details of a token profile

To view the details of a token profile, click the name of that token profile.

Add/Edit Token Profile

About this feature

This feature allows you to add or edit a token profile.

Restrictions and guidelines

·     Before adding a token profile, make sure it has not been configured for the current system.

·     Make sure the keys in the request body are the keys of the API provided by the third-party system that uses the token profile. If they are different, the third-party system will be in an abnormal state.

Add a token profile

Perform this task to add a token profile.

1.     On the Token Profiles tab, click Add to add a token profile.

2.     Configure the token request definition, token response definition, and service request definition.

3.     Click OK.

Edit a token profile

Perform this task to edit the settings of an existing token profile.

1.     On the Token Profiles tab, click the Edit icon in the Actions column for the desired token profile.

2.     Edit the settings of the token profile as needed. The profile name setting is not editable.

3.     Click OK.

Parameters

Table 50 Token request definition

Parameter

Description

Profile Name

The profile name is a string of 1 to 128 characters. Supported characters include Chinese characters, letters (supports multiple languages, case-insensitive), digits, underscores (_), hyphens (-), and backslashes (\).

This parameter is not editable once the token profile is configured. Make sure the name of each token profile is unique.

Request Method

Supported request methods include GET, POST, and PUT.

Token Request URL

URL of the authentication interface, which cannot exceed 255 characters.

Request Header

Header of the token request. You can specify multiple request headers. When you specify a variable as a header, enclose it with @, for example, @xxx@.

The full JSON format is supported, for example, {"key1":"value1", "key2":"value2"}. The length range is 1 to 1024 characters.

Request Body

Body of the token request. When you specify a variable as the body, enclose it with @, for example, @xxx@.

The full JSON format is supported, for example, {"key1":"value1", "key2":"value2"}. The length range is 1 to 1024 characters. The required attribute values include @userName@ and @password@.

 

Table 51 Token response definition

Parameter

Description

Success Code

HTTP status code that indicates a successful token request.

The status code must be an integer in the range of 1 to 10000. You can specify up to 10 status codes, and each of them must be unique.

Token Location

Location of the token in the token response.

Token Key

Token key in the token response, which cannot exceed 128 characters.

 

Table 52 Service request definition

Parameter

Description

Token Expiration Code

HTTP status code that indicates token expiration.

The status code must be an integer in the range of 1 to 10000. You can specify up to 10 status codes, and each of them must be unique.

Token Key in Header

Token key inserted to the service request header, which cannot exceed 128 characters.
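The following Python sketch is an added illustration, not H3C code, of how the three parts of a token profile fit together: the @userName@ and @password@ variables are filled into the request body, the token is read from the response by its token key, and the token is refreshed once when a service request returns a token expiration code. The `send` transport, the `FakeThirdParty` stand-in, the `header` and `body` location names, the URLs, and the key names are assumptions made so that the example runs offline.

```python
import json
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"@(\w+)@")  # variables are written as @name@


def check_codes(codes):
    """Tables 51 and 52: up to 10 unique integer status codes in 1..10000."""
    if len(codes) > 10 or len(set(codes)) != len(codes):
        raise ValueError("specify up to 10 unique status codes")
    if any(not isinstance(c, int) or not 1 <= c <= 10000 for c in codes):
        raise ValueError("status codes must be integers in 1..10000")


def render(template, variables):
    """Parse a JSON template (1 to 1024 characters) and fill its @name@ variables."""
    if not 1 <= len(template) <= 1024:
        raise ValueError("template must be 1 to 1024 characters")

    def fill(node):
        if isinstance(node, dict):
            return {key: fill(value) for key, value in node.items()}
        if isinstance(node, list):
            return [fill(value) for value in node]
        if isinstance(node, str):
            return PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), node)
        return node

    # Substituting after parsing keeps a value with quotes or braces one string.
    return fill(json.loads(template))


@dataclass
class TokenProfile:
    method: str
    url: str
    body_template: str
    success_codes: list
    token_location: str  # "header" or "body" (assumed option names)
    token_key: str
    expiration_codes: list
    header_key: str  # the "Token Key in Header" parameter
    header_template: str = "{}"

    def __post_init__(self):
        if self.method not in ("GET", "POST", "PUT"):
            raise ValueError("request method must be GET, POST, or PUT")
        if not {"userName", "password"} <= set(PLACEHOLDER.findall(self.body_template)):
            raise ValueError("request body must use @userName@ and @password@")
        if self.token_location not in ("header", "body"):
            raise ValueError("token location must be header or body")
        if max(len(self.token_key), len(self.header_key)) > 128:
            raise ValueError("token keys cannot exceed 128 characters")
        check_codes(self.success_codes)
        check_codes(self.expiration_codes)


def fetch_token(profile, send, user, password):
    """Send the token request and pull the token out of the response."""
    variables = {"userName": user, "password": password}
    status, headers, body = send(profile.method, profile.url,
                                 render(profile.header_template, variables),
                                 render(profile.body_template, variables))
    if status not in profile.success_codes:
        raise PermissionError(f"token request failed with status {status}")
    source = headers if profile.token_location == "header" else json.loads(body)
    return source[profile.token_key]


def call_service(profile, send, url, user, password, token=None):
    """GET a service URL; on a token expiration code, refresh once and retry."""
    for _ in range(2):
        token = token or fetch_token(profile, send, user, password)
        status, _headers, body = send("GET", url, {profile.header_key: token}, None)
        if status not in profile.expiration_codes:
            return status, body, token
        token = None  # discard the expired token
    raise PermissionError("token rejected immediately after refresh")


class FakeThirdParty:
    """Constructed stand-in for a third-party API so the example runs offline."""
    def __init__(self):
        self.issued = 0

    def send(self, method, url, headers, body):
        if url.endswith("/auth"):
            if body != {"user": "ops", "pass": 'p"w}'}:
                return 403, {}, "{}"
            self.issued += 1
            return 200, {}, json.dumps({"access_token": f"tok-{self.issued}"})
        valid = headers.get("X-Auth-Token") == f"tok-{self.issued}"
        return (200, {}, '{"aps": 3}') if valid else (401, {}, "{}")


PROFILE = TokenProfile("POST", "https://nms.example/auth",
                       '{"user": "@userName@", "pass": "@password@"}',
                       [200], "body", "access_token", [401], "X-Auth-Token")
```

The body keys `user` and `pass` stand for whatever key names the third-party API defines; as the guidelines above state, a mismatch there leaves the third-party system in an abnormal state.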

 

Log Management

Perform this task to view, export, or delete logs, and configure log storage and log servers.

Operation logs

Introduction

On the Operation Logs page, you can view all operation logs and search operation logs (including advanced search).

Remarks

·     The operation log list displays only information about operation logs of the security type.

·     The module name is not displayed for operation logs that do not carry module information.

·     You cannot search failure reasons or operation descriptions after enabling the password platform.

Functions

·     Export operation logs

a.     Select one or multiple operation logs, and then click Export.

b.     Do not select any operation logs, and then click Export to export all operation logs. You can also filter operation logs (by using the search function, including advanced search) to export the filtered logs.

·     Filter operation logs

a.     Specify a start time and an end time.

b.     You can also expand the Advanced area, and then specify the search criteria as needed.

c.     Click Search to filter operation logs.

d.     Click Reset to clear the search criteria or restore the default settings.

·     Search for archive files

The Archive Files tab displays archive files for operation logs. An archive file is named after its creation time. For example, 20250514022022.zip indicates that the file was created at 02:22:22 on May 14, 2025. To search for archive files, enter a file name, and then click the search icon. Fuzzy matching is supported.

·     Export archive files

To export selected archive files, select archive files, and then click Export. To export all archive files, click Export without selecting any archive files.

Security logs

Introduction

On the Security Logs page, you can view all security logs and search security logs (including advanced search).

Remarks

·     The security log list displays only information about security logs of the security type.

·     The module name is not displayed for security logs that do not carry module information.

·     You cannot search failure reasons or security descriptions after enabling the password platform.

Functions

·     Export security logs

a.     Select one or multiple security logs, and then click Export.

b.     Do not select any security logs, and then click Export to export all security logs. You can also filter security logs (by using the search function, including advanced search) to export the filtered logs.

·     Filter security logs

a.     Specify a start time and an end time.

b.     You can also expand the Advanced area, and then specify the search criteria as needed.

c.     Click Search to filter security logs.

d.     Click Reset to clear the search criteria or restore the default settings.

System logs

Introduction

On the System Logs page, you can view all system logs and search system logs (including advanced search).

Functions

·     Export system logs

a.     Select one or multiple system logs, and then click Export.

b.     Do not select any system logs, and then click Export to export all system logs. You can also filter system logs (by using the search function, including advanced search) to export the filtered logs.

·     Ack system logs

a.     Select one or multiple unacked system logs.

b.     Click Ack.

·     Unack system logs

a.     Select one or multiple acked system logs.

b.     Click Unack.

·     Filter system logs

a.     Specify a start time and an end time, or a component name.

b.     You can also expand the Advanced area, and then specify the search criteria as needed.

c.     Click Search to filter system logs.

d.     Click Reset to clear the search criteria or restore the default settings.

Running logs

Introduction

The running log list displays log information for all running nodes. Each node stores its own log information.

Remarks

·     The file name requirements are as follows:

¡     The log file that is archived is named in the format of Pod name.YYYY-MM-DD.log or Pod name.YYYY-MM-DD.log.zip. For example, imf-itom-logconsumer-dm-778db966db-hq86w.2020-07-13.log or imf-itom-logconsumer-dm-778db966db-hq86w.2020-07-13.log.zip.

·     If a log file is empty, the log file size is displayed as 0 MB. If the log file size is smaller than 0.01 MB, the log file size is displayed as 0.01 MB.

·     Automatic log purging removes all files except .log files from the log space. The system compresses a .log file into a zip file if that file has existed for three days since its last modification, or if it has exceeded 1 GB. Additionally, the system removes the log entries from that file to make space for new log entries. Then, the system deletes the .zip log files when it runs an automatic log purging task.

·     When a log export task is in progress, you cannot start another node logs export task.

·     Specify a directory through a relative path. The matrix-diag/Matrix path prefix represents the /var/log/matrix-diag/Matrix directory. The matrix-diag path prefix represents the /var/lib/ssdata/logcenter directory.

Functions

·     Export running logs

a.     To export a log file, click the file name in the File column, and then click Export.

b.     To export all running logs, click Export. You can also export running logs filtered by using the search function.

c.     To export specific log files in bulk, select those files and then click Export.

·     Filter global logs

a.     Specify the search criteria as needed.

b.     Click Search to filter global logs.

c.     Click Reset to clear the search criteria or restore the default settings.

Log Settings

Introduction

On the Log Settings page, you can configure settings associated with operation logs, system logs, and running logs.

Operation Log Settings

Introduction

In the Basic Settings area, you can configure basic operation log settings, including cleanup strategy and syslog server settings.

Perform this task to archive operation logs that meet archiving conditions into a file in the specified file path automatically. After the archiving is completed, the operation logs that have been archived will be deleted automatically.

Remarks

·     Modifying the system time might trigger log archiving. To ensure correct system operation, modify the system time with caution.

·     Typically logs are archived at 2:00 a.m. every day. Make sure the system server is not busy at that time. To change the archiving time, contact technical support.

·     The system compares the logs against the threshold before an immediate or scheduled archiving. If the threshold is not reached, the logs will not be archived.

Basic Settings

1.     Click the Operation Logs tab.

2.     In the Log Storage Settings area, specify the Log Saving Days and Expired Log Purging Time parameters.

3.     In the Log Server Settings area, specify the Sent Security Level parameter, as well as the IP addresses and port numbers of log servers.

4.     Click OK.

Archive Setting

You can archive the logs by using either of the following methods:

·     Select only the By Quantity archive method.

If you select only the By Quantity archive method and set, for example, the archive trigger threshold to 8000 and the max entries to retain to 500, the system checks the log records in the database in the early morning every day. If the log quantity exceeds 8000, the system automatically starts log archiving to retain the most recent 500 log entries and archive the other logs.

·     Select only the By Duration archive method

If you select only the By Duration archive method and set, for example, the archive trigger threshold to 30 and the max days of data to retain to 15, the system checks the log records in the database in the early morning every day. If log entries generated more than 30 days ago exist, the system automatically starts log archiving to retain the log entries generated in the most recent 15 days and archive the other logs.

·     Select both the By Quantity and By Duration log archive methods

If you select both the By Quantity and By Duration log archive methods, the system will automatically select the method with the most log entries to archive.
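The three archive methods can be modelled as one decision, shown here as an added Python example that is not part of the product. It uses the value ranges from Table 54 and the 8000/500 and 30/15 figures above; the function names, the constructed sample data, reading the quantity trigger as "greater than or equal to", and the requirement that the retain value be lower than the trigger are assumptions.

```python
from datetime import datetime, timedelta


def plan_archive(entries, now, by_quantity=None, by_duration=None):
    """Return (method, archived, retained) for one archiving check.

    entries      -- creation times of the operation logs in the database
    by_quantity  -- (archive trigger threshold, max entries to retain) or None
    by_duration  -- (archive trigger threshold in days, max days to retain) or None
    """
    newest_first = sorted(entries, reverse=True)
    candidates = {}

    if by_quantity:
        threshold, retain = by_quantity
        if not (2 <= threshold <= 2_000_000 and 1 <= retain <= 1_999_999):
            raise ValueError("By Quantity values are outside the Table 54 ranges")
        if retain >= threshold:  # assumption, implied by the offset value ranges
            raise ValueError("max entries to retain must be below the trigger")
        # Assumption: the trigger fires when the entry count reaches the threshold.
        if len(newest_first) >= threshold:
            candidates["By Quantity"] = newest_first[retain:]

    if by_duration:
        threshold_days, retain_days = by_duration
        if not (2 <= threshold_days <= 365 and 1 <= retain_days <= 364):
            raise ValueError("By Duration values are outside the Table 54 ranges")
        if retain_days >= threshold_days:  # assumption, as above
            raise ValueError("max days to retain must be below the trigger")
        # The trigger fires when the oldest entry is older than the threshold.
        if newest_first and now - newest_first[-1] > timedelta(days=threshold_days):
            cutoff = now - timedelta(days=retain_days)
            candidates["By Duration"] = [t for t in newest_first if t < cutoff]

    if not candidates:
        return None, [], newest_first
    # With both methods selected, the one that archives the most entries wins.
    method = max(candidates, key=lambda name: len(candidates[name]))
    archived = candidates[method]
    # Both candidate lists hold the oldest entries, so the rest is a prefix.
    return method, archived, newest_first[:len(newest_first) - len(archived)]


def sample_entries(now, days=40, per_day=225):
    """Constructed data: per_day log entries on each of the last `days` days."""
    return [now - timedelta(days=d, hours=1, minutes=k)
            for d in range(days) for k in range(per_day)]


if __name__ == "__main__":
    check_time = datetime(2025, 10, 27, 2, 0)
    logs = sample_entries(check_time)  # 9000 entries spread over 40 days
    for settings in ({"by_quantity": (8000, 500)},
                     {"by_duration": (30, 15)},
                     {"by_quantity": (8000, 7000), "by_duration": (30, 15)}):
        method, archived, retained = plan_archive(logs, check_time, **settings)
        print(settings, "->", method, len(archived), "archived,", len(retained), "kept")
```

Because archived entries are deleted from the database, the `retained` list is what remains searchable on the Operation Logs page after the check.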

Procedure

1.     Select the operation logs for archiving.

2.     Select the By Duration or By Quantity archive method, or both.

a.     (Optional.) Archive logs by log quantity.

# Select By Quantity.

# Specify the archive trigger threshold by the number of log entries.

# Specify the maximum number of entries to retain.

b.     (Optional.) Archive logs by log duration.

# Select By Duration.

# Specify the archive trigger threshold by the number of log retention days.

# Specify the maximum days of entries to retain.

3.     Select the archive file type and specify the maximum retention days for the archive file.

4.     To archive the logs immediately, click Archive Now.

5.     Click OK.

Parameters

Table 53 Basic settings parameters

Parameter

Description

Log Saving Days

·     Number of days to save data. Data that exceeds this value will be automatically deleted.

·     The default value is 365. The value for this parameter is an integer in the range of 182 to 730.

Expired Log Purging Time

Time when the system clears expired data every day. This setting takes effect the next day. The default value is 12:00. The value range for this parameter is 00:00 to 23:59.

Sent Severity Level

·     Severity level of logs. The default value is Info.

·     The logs with a higher or equal severity level will be sent to the log server. Options (arranged in descending order of severity level) for this parameter include Debug, Info, Notice, Warning, Error, Critical, Alert, and Emergency.

·     The severity level is Info for successful operations, Notice for partially successful operations, and Warning for failed operations.

Server 1-IP Address

·     IP address of log server 1.

·     Specify an IPv4 or IPv6 address for this parameter. The IPv4 address must be in dotted decimal notation, for example, 192.168.0.1. For IPv4 addresses, broadcast addresses, network addresses, loopback addresses, multicast addresses, or reserved addresses are not supported. The IPv6 address must be in colon hexadecimal notation, for example, 2001:0DB8::1101. For IPv6 addresses, only global unicast addresses are supported.

Server 1-Port Number

·     Specify the port number for server 1.

·     The default value is 514. The value for this parameter is an integer in the range of 1 to 65535.

Server 2-IP Address

·     IP address of log server 2.

·     Specify an IPv4 or IPv6 address for this parameter. The IPv4 address must be in dotted decimal notation, for example, 192.168.0.1. For IPv4 addresses, broadcast addresses, network addresses, loopback addresses, multicast addresses, or reserved addresses are not supported. The IPv6 address must be in colon hexadecimal notation, for example, 2001:0DB8::1101. For IPv6 addresses, only global unicast addresses are supported.

Server 2-Port Number

·     Specify the port number for server 2.

·     The default value is 514. The value for this parameter is an integer in the range of 1 to 65535.

 

Table 54 Archive Setting

Parameter

Description

By Quantity

·     Archive Trigger Threshold: If the number of operation log entries reaches the specified threshold, log archiving will be triggered. The value range for this parameter is 2 to 2000000 entries.

·     Max Entries to Retain: After the system archives operation log entries, the number of operation log entries stored in the database cannot exceed the specified upper limit. The value range for this parameter is 1 to 1999999 entries.

By Duration

·     Archive Trigger Threshold: If the time elapsed since an operation log entry was recorded reaches the specified threshold, the system will archive that operation log entry. The value range for this parameter is 2 to 365 days, and the default threshold is 60 days.

·     Max Days of Data to Retain: After archiving operation log entries, the system retains these entries in the database only if they are within the specified retention period. The value range for this parameter is 1 to 364 days, and the default value is 30 days.

Archive File Type

Select the archive file type: CSV or HTML. The file name will be in the format as follows:

·     exportOperLogData_2022-11-23 11:07:44.html.

·     exportOperLogData_2022-11-23 11:07:44.csv.

Max Archive File Retention Days

Maximum days that an archive file can remain in the archive file path. If a file reaches the max retention days, the system will delete it from the path.

Archive File Path

Path where the archive file is saved. It is set automatically by the system. You cannot change it.

Last Archived

Time when the most recent archiving occurred.

 

System Log Settings

Introduction

After you configure match rule settings for server logs, the system compares newly generated logs in sequence with the match rules. Matching logs will be sent to the log server. A log matches a rule if it matches all the following conditions:

·     The log fully matches all information specified in the rule except severity level and description.

·     The log description contains the description specified in the rule.

·     The log level is higher than or equal to the level specified in the rule.

Functions

1.     Click the System Logs tab.

2.     In the Log Storage Settings area, specify the Log Saving Days and Expired Log Purging Time parameters.

3.     In the Log Server Settings area, specify the IP addresses and port numbers of log servers.

4.     In the Log Server Settings area, add log match rules.

¡     Add a log match rule

-     Click Add Match Rule.

-     In the dialog box that opens, specify the match rule information.

-     Click OK.

¡     Edit a log match rule

-     Click the edit icon in the Actions column for a log match rule.

-     Edit the rule information.

-     Click OK.

¡     Delete a log match rule

-     Click the delete icon in the Actions column for a log match rule.

5.     Click OK.

Parameters

Table 55 System log parameters

Parameter

Description

Log Saving Days

·     Number of days to save data. Data that exceeds this value will be automatically deleted.

·     The default value is 365. The value for this parameter is an integer in the range of 31 to 730.

Expired Log Purging Time

Time when the system clears expired data every day. This setting takes effect the next day. The default value is 12:00. The value range for this parameter is 00:00 to 23:59.

Server 1-IP Address

·     IP address of log server 1.

·     Specify an IPv4 or IPv6 address for this parameter. The IPv4 address must be in dotted decimal notation, for example, 192.168.0.1. For IPv4 addresses, broadcast addresses, network addresses, loopback addresses, multicast addresses, or reserved addresses are not supported. The IPv6 address must be in colon hexadecimal notation, for example, 2001:0DB8::1101. For IPv6 addresses, only global unicast addresses are supported.

Server 1-Port Number

·     Specify the port number for server 1.

·     The default value is 514. The value for this parameter is an integer in the range of 1 to 65535.

Server 2-IP Address

·     IP address of log server 2.

·     Specify an IPv4 or IPv6 address for this parameter. The IPv4 address must be in dotted decimal notation, for example, 192.168.0.1. For IPv4 addresses, broadcast addresses, network addresses, loopback addresses, multicast addresses, or reserved addresses are not supported. The IPv6 address must be in colon hexadecimal notation, for example, 2001:0DB8::1101. For IPv6 addresses, only global unicast addresses are supported.

Server 2-Port Number

·     Specify the port number for server 2.

·     The default value is 514. The value for this parameter is an integer in the range of 1 to 65535.

 

Table 56 Log match rule parameters

Parameter

Description

Component Name

Specify a component name to filter system logs.

Host Name

Specify a node name to filter system logs.

Service Name

Specify a service name to filter system logs.

Module Name

Specify a module name to filter system logs.

Severity Level

Specify a severity level to filter system logs.

The default value is Info. Options (arranged in descending order of severity level) for this parameter include Debug, Info, Notice, Warning, Error, Critical, Alert, and Emergency.

Description

Specify a description to filter system logs, a string of up to 128 characters.
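The following added example (not H3C code) evaluates the three match conditions from the Introduction against the rule fields in Table 56, so you can check which logs a rule set would send to the log server and which stay local. It assumes the conventional syslog ranking (Debug least severe, Emergency most severe), that an empty rule field matches anything, and that comparisons are case-sensitive; all component, host, service, and module names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: ranks follow the conventional syslog ordering, Debug lowest and
# Emergency highest. The names are the options listed in Table 56.
SEVERITIES = ["Debug", "Info", "Notice", "Warning",
              "Error", "Critical", "Alert", "Emergency"]
RANK = {name: rank for rank, name in enumerate(SEVERITIES)}
EXACT_FIELDS = ("component", "host", "service", "module")


@dataclass(frozen=True)
class LogEntry:
    component: str
    host: str
    service: str
    module: str
    severity: str
    description: str


@dataclass(frozen=True)
class MatchRule:
    # None models a field left empty in the dialog box; treating it as
    # "match anything" is an assumption of this sketch.
    component: Optional[str] = None
    host: Optional[str] = None
    service: Optional[str] = None
    module: Optional[str] = None
    severity: str = "Info"      # default level from Table 56
    description: str = ""       # up to 128 characters

    def __post_init__(self):
        if self.severity not in RANK:
            raise ValueError(f"unknown severity: {self.severity}")
        if len(self.description) > 128:
            raise ValueError("description is limited to 128 characters")


def matches(rule: MatchRule, log: LogEntry) -> bool:
    """Apply the three conditions from the Introduction to one log entry."""
    for name in EXACT_FIELDS:
        wanted = getattr(rule, name)
        if wanted is not None and getattr(log, name) != wanted:
            return False                        # condition 1: full match
    if rule.description not in log.description:
        return False                            # condition 2: substring
    return RANK[log.severity] >= RANK[rule.severity]    # condition 3: level


def first_match(rules: List[MatchRule], log: LogEntry) -> Optional[int]:
    """Compare the log with the rules in sequence; index of the first hit."""
    for index, rule in enumerate(rules):
        if matches(rule, log):
            return index
    return None


def split_forwarded(rules, logs):
    """Return (forwarded, kept_local) so coverage gaps are visible."""
    forwarded, kept_local = [], []
    for log in logs:
        hit = first_match(rules, log) is not None
        (forwarded if hit else kept_local).append(log)
    return forwarded, kept_local


# Constructed sample data: every name and message below is invented.
RULES = [
    MatchRule(service="auth", severity="Warning", description="login"),
    MatchRule(severity="Critical"),
]
LOGS = [
    LogEntry("platform", "node1", "auth", "session", "Warning", "login failed for admin"),
    LogEntry("platform", "node1", "auth", "session", "Notice", "login succeeded for admin"),
    LogEntry("platform", "node2", "backup", "restore", "Error", "restore task timed out"),
    LogEntry("platform", "node2", "backup", "restore", "Alert", "backup disk unavailable"),
    LogEntry("platform", "node1", "auth", "session", "Error", "Login lockout triggered"),
]

if __name__ == "__main__":
    sent, local = split_forwarded(RULES, LOGS)
    for log in local:
        print("not forwarded:", log.severity, log.description)
```

The entries that stay local in this sample show the gaps to look for when reviewing a rule set: a level below the rule threshold, a service that no rule names, and a description that differs from the rule text only in letter case.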

Running Log Settings

Functions

·     Node Log Settings

a.     Click the Running Logs tab.

b.     In the Node Log Settings area, specify the Log Saving Days, Maximum Disk Space (GB), and Reserved Percentage Upon Auto Purging (%) parameters.

c.     Click OK.

Parameters

Table 57 Node log parameters

Parameter

Description

Log Saving Days

·     Number of days to save data. Data that exceeds this value will be automatically deleted.

·     The default value is 180. The value for this parameter is an integer in the range of 7 to 730.

Maximum Disk Space (GB)

·     Maximum disk space for storing logs. The value cannot exceed 80% of the disk partition. Otherwise, the value of 80% of the disk partition applies.

·     The default value is 50. The value for this parameter is an integer in the range of 5 to 65535.

Reserved Percentage Upon Auto Purging (%)

·     Percentage of logs to reserve upon automatic clearing of running logs.

·     The default value is 90. The value for this parameter is an integer in the range of 50 to 99.

 

Log Level Settings

The log level setting page displays the running log level information of each service in the current environment.

Operation steps

1.     Click the [system > log management > log level setting] menu item to enter the log level setting page.

2.     Click the "log level" drop-down box of a service to modify the level of the running log. The log levels (arranged in descending order of severity) are divided into the following six types:

¡     FATAL: Indicates a serious error event that causes the application to exit. This level is relatively high. An error of this level can directly stop the program.

¡     ERROR: Indicates an error event that does not affect the continued operation of the system. Error and exception information is printed. If you do not want to output too many logs, you can use this level.

¡     WARN: Indicates potential error situations. Some of the information might not be error information, but it still provides prompts for programmers.

¡     INFO: Highlights the running process of the application at a coarse-grained level. Prints information that interests you or is important to you. This level can be used to output important information about program operation in a production environment, but do not overuse it, to avoid printing too many logs.

¡     DEBUG: Indicates fine-grained information events that are very helpful for debugging applications. This level is mainly used to print running information during the development process.

¡     TRACE: Unrelated logs with low levels. This level is generally not used.

Remarks

·     Log level settings do not support backup and recovery.

·     When you select a log level, logs of higher levels are also printed.

Backup & Restore

Introduction

·     Configuration backup: You can back up the product configuration information to a .zip file and save the file to the local system or a remote server. You can also download the file to the local device. Both scheduled backup and manual backup are supported.

·     Configuration restoration: You can use the saved backup file to restore the product configuration by uploading the backup file or through the backup history list.

Remarks

·     Do not perform any configuration or deployment operations when a configuration backup or restoration process is in progress.

·     To restore the configuration for a component, make sure the version and service enabling status for the component in the backup environment are consistent with those in the restoration environment.

·     After you use the backup data to restore the Unified Platform, if license data backup is enabled, the license connection configuration is also restored.

·     Disabling disk evaluation might cause the disk space to be fully occupied.

·     In the cold backup environment, make sure the primary and backup sites have consistent component version number, component list, protocol, port number, service enabling status, and host permission settings. For some services that are stopped in the backup environment, the associated menus will be hidden. The two sets of environments cannot have both the cold backup and remote disaster recovery relationships.

·     In the cold backup environment, make sure the backup site IP configured for the primary site is not an IP in the local cluster, such as the northbound IP or node IP. For multiple sets of cold backup environments, make sure the backup site IPs configured for the primary sites are different, and the backup site IPs cannot be the node IPs in the same cluster.

·     Remote backup supports only Linux systems as the remote end. Windows systems are not supported as the remote end.

·     When you use the backup and restore feature to restore Unified Platform data, the Kong gateway will restart, causing the webpage to be unresponsive for a short period or display a 500 error. Please wait for the Kong gateway to complete the restart (taking about three minutes), and then manually refresh the webpage.

·     To ensure successful data backup in a cluster environment, make sure a minimum of two active nodes are running correctly. To ensure successful data restoration in a cluster environment, make sure all nodes in the cluster are running correctly.

·     In a disaster recovery environment, the primary site and the secondary site do not synchronize their backup files.

·     As a best practice, manually back up the most recent component data before using the backup and restoration feature to restore component data. If an exception occurs during data restoration, perform the restoration operation again. Alternatively, use the latest backed up component data to perform restoration, implementing data rollback.

Functions

·     Configure backup settings

a.     Click Backup Settings.

b.     In the window that opens, configure the parameters. For more information, see the parameter description table below.

c.     Click OK.

·     Sync files

a.     Click Sync files to obtain backup files from the path specified in the Remote Backup area, and sync them to the path specified in the Local Backup area.

b.     In a cluster environment, clicking Sync files will sync backup files in the local backup file path to each node in the cluster. This ensures backup file consistency among all nodes.

c.     If inconsistent backup files are detected in multiple queries upon node restart or recovery from an anomaly (such as power failure), click Sync files to resolve the issue.

·     Start backup

Perform this task to manually back up the configuration of selected components immediately.

a.     Click Backup.

b.     In the dialog box that opens, select the components you want to back up, and click Backup. Backup files created by manual backup are named with the _M.zip suffix and saved to the local path on the Unified Platform server. If a remote backup server is configured, the backup files will also be saved to the remote backup server.

·     View logs

Display log information for the most recent backup or restore operation.

·     View remote transfer records

Display records for remotely uploading backup files to the remote server. The system saves the latest 1000 records and polls the record list to clear old records every hour.

·     Restore a configuration file

To restore a configuration file through file upload:

a.     Click the Upload File icon to select the file you want to restore.

b.     Click Upload. Verify that the file is uploaded successfully.

c.     Click Restore to restore the uploaded file.

To restore a configuration file on the backup file list:

a.     Click the Restore icon in the Actions column for the target backup file.

b.     In the dialog box that opens, click OK.

·     Download a backup file

Click the Download icon in the Actions column for the target backup file to download the file and save it locally.

·     Delete backup files

¡     To delete a specific backup file, click the Delete icon in the Actions column for that backup file.

¡     To delete multiple backup files in bulk, select the backup files, and then click Delete.

Parameters

Parameter

Description

Backup File Prefix

Specify the prefix name for the backup file. By default, the backup file name is in the format of component name_version number_creation time_A/M.zip. Value A represents scheduled backup and value M represents manual backup.

Cold Backup

Cold Backup Config: After you enable cold backup, select the primary or backup role. The cold backup feature requires deploying two sets of Unified Platform clusters, one with the primary role and the other with the backup role. The primary cluster periodically backs up data to the backup cluster. Upon receiving the backup data, the backup cluster automatically performs data restoration to ensure data consistency between the primary and backup clusters. When a node failure occurs in the primary cluster, you can manually perform a primary and backup switchover. After the switchover, the new primary cluster will continue to generate backup files and back them up to the new backup cluster. The new backup cluster will automatically perform data restoration upon receiving the backup data.

·     Select Primary to assign the primary role to the site in the cold backup configuration. In this case, you must configure the backup site IP, backup site protocol, and backup site port for the peer end. In addition, you must enable both remote backup and scheduled backup to transfer the files generated by scheduled backup or manual backup to the remote backup cluster, and trigger auto restoration of the backup cluster.

·     Select Backup to assign the backup role to the site in the cold backup configuration. In this case, you can configure only the local backup and advanced parameters. Other parameters are not available for configuration. The backup cluster triggers auto restoration after the primary cluster completes backup file synchronization. Because some services might be stopped at the backup cluster, the associated menus will be hidden.

·     Disabling cold backup for the primary cluster terminates its cold backup relationship with the backup cluster. All services of the primary cluster will maintain their original operating status, and service functions will not be affected.

·     Disabling cold backup for the backup cluster terminates its cold backup relationship with the primary cluster. To prevent a dual-primary-cluster situation that can cause issues like service preemption or duplicate deployment, the following services of the backup cluster will remain stopped. Typically, do not manually start these services for the backup cluster.

¡     Websocket service: As a channel service, if it is not started, the controller cannot interact with devices.

¡     DC service: To prevent device preemption between primary and backup clusters, the controller does not start the DC service. As a result, core DC services such as device incorporation, configuration deployment, and device onboarding will become unavailable.

¡     Campus service: The controller service is available, but the southbound NIC remains down to prevent device preemption between primary and backup clusters. As a result, the controller cannot interact with devices. In addition, device incorporation, device upgrade, automation, and configuration deployment services will become unavailable.

Local backup parameters

·     Path: This field displays the local path for storing the backup files, which is /opt/matrix/app/data/base-service/backupRecovery/historyFiles on the master node. The local file path cannot be edited.

·     Number of Retained Files: Total number of files that can be backed up manually or through scheduled backup for a product. The valid value range is 1 to 60. After the number is exceeded, the earliest backup files are automatically deleted. You need to back up files in time.

Component-Specific Retained Backup File Count

Set the number of backup files to retain for each component. This setting applies to both auto and manual backup files. For example, if you set the retained backup file count to 3, the system retains a maximum of three files from auto backup and three files from manual backup.

This field is displayed only after the DC or Campus component is deployed.

Remote backup

·     Remote Backup: Enable or disable remote backup.

·     Transfer Protocol: Supported options are FTP and SFTP. By default, FTP is used for remote backup. You must install an FTP tool on the destination server to support the FTP server function.

·     Port Number: The protocol port number is configurable. By default, the FTP port number is 21, and the SFTP port number is 22. The value range for the port number is 1024 to 65535.

·     Server IP: Specify the IP address of the remote server.

·     File Path: Specify the file storage path for the remote server. A file path is an absolute path if it starts with a slash (/). A file path is a relative path if it does not start with a slash (/). The path will be created under the working directory of the current user.

·     Username/Password: Specify the username and password of the remote server.

Remote data cleanup

·     Data Cleanup: Enable or disable remote data cleanup. Note that this feature cleans up data from the local directory.

·     File Path: Specify the path that stores the backup files transferred from the remote end. The file path must be an absolute path. The following paths are not supported:

¡     /

¡     /opt/matrix/app/data/base-service/backupRecovery/backupFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/backupFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery/historyFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/historyFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery/recoveryFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/recoveryFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery/syncFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/syncFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery/temporaryFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/temporaryFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery/uploadFiles

¡     /opt/matrix/app/data/base-service/backupRecovery/uploadFiles/

¡     /opt/matrix/app/data/base-service/backupRecovery

¡     /opt/matrix/app/data/base-service/backupRecovery/

¡     /opt/matrix/app/install/packages

¡     /opt/matrix/app/install/packages/

·     File Retention Policy: Specify the backup files to retain by file count or file retention period in the cleanup operation that is performed every hour for each component.

¡     Retained File Count: Specify the number of most recent backup files to retain for each component, including manually and automatically backed up files. The remaining backup files will be deleted.

¡     File Retention Period: Specify the number of days that the backup files can be retained for each component, including manually and automatically backed up files. The backup files that exceed the retention period will be deleted.

Scheduled backup

·     Scheduled Backup: Enable or disable scheduled backup. The backup and restoration service will automatically back up configuration files at the scheduled time. The names of the generated backup files are suffixed with _A.zip.

·     Frequency: Specify the scheduled backup frequency. Options are Daily, Weekly, and Monthly.

¡     If you select Weekly for Frequency, select a specific day from a week. Options are Monday through Sunday.

¡     If you select Monthly for Frequency, select a specific day from a month. Options are 1 to 31. Value 31 indicates the last day of this month. If the specified date is later than the end of this month, the last day of this month applies.

·     Time: Specify the time of day at which the scheduled backup runs.

Basic Data Backup

·     License Data Backup: Performs backup for license data.

·     Trap Data Backup: Performs backup for trap data received by the system.

·     Alarm Data Backup: Performs backup for active alarm and history alarm data in the system.

·     Syslog Data Backup: Performs backup for raw syslog data and syslog aggregation data in the system. This option is displayed only after the BMP_Syslog component is deployed.

Component Data Backup

Performance data: Performs backup for the performance index data collected during network device monitoring. This option is displayed only after the UCP component is deployed.

Advanced Settings

·     Disk Evaluation: Specify whether to evaluate the disk usage before data backup or restoration. With disk evaluation enabled, the system performs the following tasks depending on the usage of the backup disk on the master node:

¡     Equal to or higher than 85%: The system stops the backup or restoration task.

¡     Lower than 85%: When calculating the disk usage, the system also takes the space required for running the task into consideration, which is four times the size of the data file to be backed up. If the usage is still equal to or higher than 85%, the system stops the backup or restoration task. If the usage is lower than 85%, the system proceeds with the backup or restoration task.

·     Timeout Timer: Maximum amount of time of a backup or restoration operation for a single component. The backup or restoration fails if it is not completed upon expiration of the timeout timer.
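The following added example (not H3C code) is a pre-check for the Remote data cleanup File Path rules in the table above: it normalizes a candidate path and compares it with the listed unsupported paths before you enter it. The "review" verdict for paths above or below a listed directory and the sample paths in the comments are assumptions of this sketch; the check works on strings only and does not resolve symbolic links.

```python
import posixpath

BASE = "/opt/matrix/app/data/base-service/backupRecovery"
# The unsupported paths listed for the cleanup File Path. The trailing-slash
# variants in that list collapse into these entries after normalization.
UNSUPPORTED = frozenset(
    ["/", BASE, "/opt/matrix/app/install/packages"]
    + [f"{BASE}/{name}" for name in (
        "backupFiles", "historyFiles", "recoveryFiles",
        "syncFiles", "temporaryFiles", "uploadFiles")]
)


def normalize(path: str) -> str:
    """Collapse '.', '..', repeated and trailing slashes in an absolute path."""
    if not path.startswith("/"):
        raise ValueError("the cleanup File Path must be an absolute path")
    norm = posixpath.normpath(path)
    # normpath deliberately keeps a leading '//' (POSIX lets it be special),
    # so fold it to a single slash before comparing.
    return "/" + norm.lstrip("/")


def check_cleanup_path(path: str):
    """Return (verdict, normalized_path); verdict is 'reject', 'review' or 'ok'."""
    try:
        norm = normalize(path)
    except ValueError:
        return ("reject", path)          # relative paths are not accepted
    if norm in UNSUPPORTED:
        return ("reject", norm)          # one of the listed unsupported paths
    # Extra caution added in this sketch (not a rule from the table): a path
    # above or below a listed directory deserves a second look, because the
    # cleanup deletes backup files from the configured directory every hour.
    for listed in UNSUPPORTED:
        if norm.startswith(listed.rstrip("/") + "/") and listed != "/":
            return ("review", norm)      # inside a listed directory
        if listed.startswith(norm + "/"):
            return ("review", norm)      # parent of a listed directory
    return ("ok", norm)


if __name__ == "__main__":
    # Constructed candidate paths, not taken from a real deployment.
    for candidate in (
        "/data/wsm-backups/",
        "backups/wsm",
        BASE + "/uploadFiles/../historyFiles",
        "//opt/matrix/app/install/packages",
        "/opt/matrix/app",
    ):
        print(candidate, "->", check_cleanup_path(candidate))
```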

 

RDRS

About this task

This feature allows you to set up a remote backup system (RDRS). The components on the primary and backup sites back up one another. When the RDRS is operating correctly, the primary site synchronizes data to the backup site in real time to ensure data consistency on both sites. You can perform a manual switchover or automatic switchover with arbitration upon failure of the primary site, such as power failure, network failure, or link failure. After a site switchover, the backup site takes over to ensure service continuity.

Prerequisites

·     To configure the RDRS successfully, ensure the network connectivity between the primary and backup sites. If you have failed to configure the RDRS, first verify the network connectivity.

·     Make sure the primary and backup sites use the same Unified Platform version, controller version, transport protocol (HTTP or HTTPS), and port number settings.

·     To use automatic switchover with arbitration, deploy the arbitration service on an independent server in advance.

·     When you specify the virtual IP address for the RDRS in a single-subnet scenario, make sure the IP addresses of the primary and backup sites are on the same subnet.

·     Make sure the enabling status for each service is consistent on both the primary and backup sites.

Remarks

·     Make sure both the primary and backup sites use the same IP version. You cannot create an RDRS on both the primary and backup sites, or upgrade components in the RDRS. To upgrade components, you must first delete the RDRS, upgrade the components, and then establish the RDRS again.

·     When you configure the RDRS, make sure the username and password for both sites are the same. The password is a string of up to 32 characters. The username is a case-insensitive string of characters. The username can contain only letters, digits, underscores (_), hyphens (-), dots (.), and slashes (\).

·     After you configure the RDRS, you cannot edit the internal VIP of the matrix cluster and node IP addresses on both sites or the self-defined VIPs.

·     The data on the RDRS page cannot be backed up and restored. The data include names and IP addresses of both sites, username and password for the backup site, and IP address of the arbitration site.

·     To use the IP allowlist in a remote backup scenario, add all node IP addresses on the backup site to the primary site, and add all node IP addresses on the primary site to the backup site.

·     Do not perform any service operations when adding or deleting disaster recovery components or during primary/backup site switchover.

·     Use one of the following methods to configure NTP servers for the primary and backup sites:

¡     Configure the same external server for both the primary and backup sites.

¡     Configure an internal server for one site, and configure an external server for the other site and specify the NTP server address as the northbound service VIP of the peer site.

·     After configuring NTP services for the primary and backup sites, you can create an RDRS only after the system time of the primary and backup sites is fully synchronized.

·     For each component that uses the Unified Platform database, the data sync status is not component-specific. It is always the data sync status of the Unified Platform database.

·     You might experience some delay in obtaining most recent data of RDRS, because the system typically refreshes the data every two minutes. If the displayed data is not as expected, wait a moment and then check the updated data again.

·     During the RDRS creation, primary/backup switchover, or deletion process, the backup site might be temporarily inaccessible. After the process is completed, the backup site can be accessed correctly.

·     After the primary/backup switchover is completed, when you access the new primary and backup sites, a license exception might occur. If this issue occurs, wait a few minutes and try again. If the issue persists, contact technical engineers.

Functions

·     Configure site settings:

a.     Configure the name and IP address for the primary site. Make sure the IP address of the primary site is the northbound service VIP of Matrix.

b.     Configure the name, IP address, username, and password for the backup site. Make sure the IP address of the backup site is the northbound service VIP of Matrix.

c.     Configure the switchover mode. You can select Manual Switchover or Auto Switchover with Arbitration. If you select Auto Switchover with Arbitration, you must configure an additional arbitration site IP address, which must be the server IP address of the deployed arbitration service. In addition, if you select Auto Switchover with Arbitration, the Advanced Settings button appears on the page. Click Advanced Settings to configure key service settings and view the key service list in the dialog box that opens.

d.     Specify whether to configure the RDRS VIP and data sync VIP based on service demands. If you do not select Set Virtual IPs for Data Sync when creating the RDRS, the system uses the IP addresses of the primary and backup sites as the virtual IP addresses by default.

e.     After completing the previous settings, click Connect. The site configuration completes when the heartbeat link status is Connected.

f.     After the RDRS is created, you can click Delete to delete the system.

g.     If errors occur during RDRS creation or deletion, you can click the number in the error message, and then click Repair to fix the errors.

·     Configure disaster recovery components:

In the disaster recovery component configuration area, you can configure and maintain disaster recovery components.

¡     To view RDRS creation log information, click Creation Log.

¡     To view RDRS deletion log information, click Deletion Log.

¡     To view RDRS switchover log information, click Switchover Log.

¡     Before performing a primary/backup switchover, click Check to check the components and handle them according to the check results.

¡     Click  to set the primary role for the component. After role switchover, you must refresh the page.

¡     Click  to set the backup role for the component. After role switchover, you must refresh the page.

¡     If a data sync error occurs for a component in the cluster, you can click  in the Actions column for the component corresponding to the primary site to fix the error. For the fix operation to succeed, ensure the network connectivity for data sync between the primary and backup sites during the operation.

¡     In automatic site switchover mode with arbitration, if node exceptions occur in the arbitrator, you can click Fix to fix it. If you fail to fix it, verify the network connectivity or contact technical engineers.

¡     After editing RDRS settings (such as switchover mode or backup site username), click Apply to update the RDRS system.

Parameters

Table 58  Site settings parameters

Parameter

Description

Heartbeat Link

After you configure the RDRS, the primary site sends a heartbeat packet to the backup site to establish a heartbeat link for monitoring the network connectivity between the two sites.

Manual Switchover

In this mode, the RDRS does not monitor component status on the primary and backup sites. To change the role of a site, you must manually set the primary or backup role for the component. To use this mode, deploy the same version of Unified Platform on both sites in advance.

Auto Switchover with Arbitration

In this mode, the RDRS monitors component status on the primary and backup sites. If a component fails due to power failure or network failure, the system uses the arbitration service on the arbitration server to perform component role switchovers on both sites. To use this mode, deploy the same version of Unified Platform on both sites and deploy the arbitration service on an independent server as an arbitration server in advance.

Arbitrator

In auto switchover with arbitration mode, the primary site, backup site, and the arbitration site form an arbitration system. The arbitration system becomes unavailable when the majority of all nodes in it are faulty.

RDRS VIP

Specify an IP address to provide services for devices. The devices can access only the primary site of the RDRS.

Data Sync VIP

Specify an IP address for data synchronization between the primary and backup sites of the RDRS.

 

Table 59 Disaster recovery component parameters

Parameter

Description

Component

Name of the component configured for disaster recovery.

Status

Status of the component configured for disaster recovery.

Data Sync Status

Component data sync status between the primary and backup sites.

 

Table 60 Key service configuration parameters

Parameter

Description

Key Service Detection

Whether to enable key service detection.

Max Detections

Maximum number of key service detections. If the detection result is still abnormal when this value is exceeded, an auto switchover is triggered.

Detection Interval

Key service detection interval, in seconds.

 

Snapshots

From this menu, you can configure snapshots for tenants or the network-wide service, and compare and roll back snapshots.

This menu provides the following functions:

·     Snapshot List: Configure manual or scheduled snapshots for services, and manage (for example, import, download, compare, roll back, and delete) snapshots.

·     Auto Snapshot Schedule: Configure auto snapshot schedule settings.

·     Rollback Records: View the snapshot rollback records.

Snapshot List

Introduction

On this page, you can configure manual or scheduled snapshots for tenants or the network-wide service, configure snapshot parameters, and manage (for example, import, download, compare, roll back, and delete) snapshots.

Remarks

·     An uploaded snapshot must be a .zip file. The other file types are not supported in the current software version.

·     During the process of creating, comparing, or rolling back snapshots, do not perform data consistency check, backup & restore, or instant recovery.

·     During the process of creating, comparing, or rolling back snapshots, do not edit the service configuration. Otherwise, the operation results might be unexpected.

·     The maximum number of snapshots is in the range of 1 to 500.

·     When the number of local snapshots reaches the upper limit, the system will delete the oldest snapshots when it is idle.

Procedure

1.     On the Snapshots page, click the Snapshot List tab. On this tab, you can create, import, download, compare, roll back, and delete snapshots, and configure parameter settings.

2.     Click Parameters. The Parameters dialog box opens. In the dialog box, set the snapshot name prefix, the maximum number of snapshots saved locally, and the remote backup information, and click OK. Then, the snapshots are created manually or as scheduled according to the parameter settings.

¡     Snapshot Name Prefix: Prefix of a snapshot name. The default snapshot name is creation time_A/M/R.zip, where:

-     A: indicates that the snapshot is automatically created as scheduled.

-     M: indicates that the snapshot is manually created.

-     R: indicates that the snapshot is created by a rollback operation.

¡     Local Snapshot Settings: Configure the maximum number of snapshots saved locally in the range of 1 to 500. The system will periodically check the number of local snapshots. If the number of local snapshots exceeds the set upper limit, the system will delete the oldest snapshots until the number of local snapshots is equal to or less than the upper limit.

¡     Remote Backup Settings

-     Protocol: Transport protocol. In the current software version, only FTP is supported.

-     Remote Server IP: IP address of the remote server.

-     Destination File Path: File storage path on the remote server. A file path starting with a slash (/) is an absolute path. A file path not starting with a slash (/) is a relative path, and will be created in the work directory of the current user.

-     Username/Password: Username and password for logging in to the remote server.

3.     To manually create a snapshot, click Create Snapshot. In the dialog box that opens, create a snapshot for a tenant or the network-wide service.

4.     To compare snapshots, perform either of the following tasks:

¡     To compare two snapshots on the snapshot list, select the two snapshots, and click Compare.

¡     To compare a snapshot with the current configuration, click the Compare icon in the Actions column for the snapshot.

5.     To import a snapshot, click Import. In the dialog box that opens, upload a locally saved snapshot, and click Import.

6.     To refresh the snapshot list, click Refresh.

7.     To delete snapshots, perform either of the following tasks:

¡     To bulk delete snapshots, select the snapshots to be deleted from the snapshot list, and click Delete. In the confirmation dialog box that opens, click OK.

¡     To delete a single snapshot, click the Delete icon in the Actions column for the snapshot.

8.     To download a snapshot, click the Download icon in the Actions column for that snapshot.

9.     To roll back a snapshot, click the Roll Back icon in the Actions column for the snapshot.

Auto Snapshot Schedule

Introduction

On this page, you can configure auto snapshot schedule settings.

Procedure

1.     On the Snapshots page, click the Auto Snapshot Schedule tab. Then, click Add. In the dialog box that opens, you can configure the frequency of creating snapshots, and select the component snapshot type.

2.     Click Auto Snapshot Schedule to enable creating snapshots. You can configure the following auto snapshot schedule parameters:

¡     Frequency: Select the frequency of creating scheduled snapshots. Options include Every 4 Hours, Every 8 Hours, Daily, Weekly, and Monthly.

¡     Time: Set the start time when scheduled snapshots are created, which is 00:00 by default. When the frequency is Weekly, select a day in a week. When the frequency is Monthly, select a day in a month, in the range of 1 to 31. The day 31 means the last day in a month.

¡     Component: Select a component to create scheduled snapshots for the component.

¡     Snapshot Type: Select snapshot types. You can select Network-Wide, Tenant, or both.

3.     Click Apply. Then, the system will create snapshots for the selected component as scheduled.

Rollback Records

Introduction

On this page, you can view the snapshot comparison results.

Remarks

Only the latest 100 rollback records are retained.

Procedure

1.     On the Snapshots page, click the Rollback Records tab. On this page, you can view the following information of rollback records: component name, baseline snapshot, start time, end time, the number of resources to be rolled back, the number of resources with changes, rollback state, the number of resources rolled back successfully, the number of resources failing to be rolled back, and the failure reason.

2.     To refresh the rollback records list, click Refresh.

3.     To view details of a rollback record, click the icon in the Actions column for the rollback record. On the Rollback Record Details page that opens, you can view the rollback record's basic information and details, including the operation time, resource type, resource name, rollback state, resource details, and failure reason.

4.     To view the resource detail comparison results in JSON format for the rollback record, click the link in the Resource Details column. A dialog box opens.

5.     To return to the Rollback Records page, click Back.

Deployment

Introduction

The system provides a component deployment wizard that guides you through the installation, upgrade, uninstallation, and scale-out of components.

If you use this feature when the system does not have any components deployed, you will enter the component deployment page directly.

Remarks

A network change applies to both the management and RDRS network settings. You cannot change only the management network or RDRS network settings.

Functions

·     Component deployment

a.     Click Install. The component deployment wizard starts.

b.     Click Upload. In the dialog box that opens, upload the installation package of the component to be deployed. The installation package name cannot contain Chinese characters or spaces.

c.     Click Next. The Select Component page opens.

d.     Select the components to deploy and configure the related parameters.

e.     Click Next.

f.     Click Next. The Configure Network page opens.

g.     Click Next. On the Bind Node page that opens, select service nodes.

h.     Click Next. The Bind Resources page opens.

i.     Bind networks and subnets to the components so the components can receive IP addresses from the address pools specified for their bound subnets.

j.     Click Next. The Confirm Parameters page opens.

k.     Verify that the settings configured in previous steps and the IP addresses assigned to the components are correct. You can manually change the IP addresses assigned to components. For vDHCP and vBGP, you must manually specify a VRRP backup group ID in the range of 1 to 255 in this step. The VRRP backup group ID must be unique within the same network.

l.     Click Deploy to start the component deployment.

·     Uninstall a component

a.     On the component list page, select the component you want to uninstall, and then click Uninstall.

b.     In the confirmation dialog box that opens, click OK.

·     Upgrade a component

You can upgrade a component or roll back the component to the previous version in case of an upgrade failure. Perform the upgrade and rollback operations with caution because the operations might cause service interruptions.

a.     On the component list page, click the Expand icon next to the component you want to upgrade, and then click the Upgrade icon in the Actions column.

b.     Upload the component upgrade package.

c.     Select the uploaded component upgrade package, and then click Deploy.

d.     If the upgrade fails, click Roll Back to roll back the component to the previous version.

e.     To roll back the component to the previous version before the upgrade, make sure the image file used by the component before the upgrade exists in the system.

·     Scale out a component

You can scale out a component operating in standalone mode or cluster mode by installing the component on more hosts.

Prerequisites for scaling out a component deployed in standalone mode:

Make sure Unified Platform is deployed in cluster mode.

Prerequisites for scaling out a component deployed in cluster mode:

Make sure Unified Platform is deployed in cluster mode, and a worker node is available in the cluster where the component can be scaled out to.

To scale out a component:

a.     On the component list page, click the Expand icon next to the component you want to scale out, and then click the Scale Out icon in the Actions column.

b.     Select the host on which you want to install the component and select the uplink interfaces to bind to the networks on the host, and then click OK.

c.     Review the scale-out settings and then click OK to start deploying the component on the selected host.

·     View component information

On the component list page, click the Expand icon next to a component name to expand the component information area. To view detailed information about a component, click the Details icon in the Actions column for the component.

·     Hotfix Upgrade

Resolve problems in the corresponding baseline version.

·     Network Changes

After the components are deployed, the system supports editing the networks bound to the components.

·     Configure Network

Click Configure Network in the top right corner of the component list. On the Configure Network page that opens, check the network settings in the system and edit the settings as needed.

·     One-Click Deployment

When deploying the controller or analyzer, the system automatically analyzes the dependency files and deploys the dependency components.

Configure Network

Introduction

You can create networks of the MACVLAN, OVS-DPDK, PASSTHROUGH-DPDK, and PASSTHROUGH types. To bind both MACVLAN and OVS-DPDK networks to an interface, make sure the VLANs for the networks are different.

Remarks

·     To avoid component deployment failure caused by IP address shortage, make sure the CIDR specified for a subnet contains a minimum of 32 host addresses.

·     As a best practice, configure the same network bindings for the SeerEngine-Campus and vDHCP Server components in a campus network.

Parameters

| Parameter | Description |
| --- | --- |
| Network Type | In the current software version, supported network types include MACVLAN, OVS-DPDK, PASSTHROUGH-DPDK, and PASSTHROUGH. Select a network type for the component to be deployed according to the network requirements. |
| Network Name | A network name can contain lower-case letters, digits, and hyphens (-). |
| VLAN | VLANs in a network are used for network isolation. When multiple networks use the same uplink interface of a host according to the network plan, you must configure VLANs for network isolation. |
| Subnet | When you add a subnet to a network, you must specify the subnet CIDR and an IP address pool. When a component is installed, the system automatically allocates to the component an IP address in the address pool. As a best practice, make sure the subnet CIDR contains a minimum of 32 host IP addresses. The number of addresses in the address pool is not limited. You can also manually specify an IP address available in the subnet CIDR for the component as needed. |
| Host | Select the server NIC to be bound to a network. The data traffic of the network will be transmitted by the bound NIC. |
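The following added example (not part of the H3C guide or of the product's code) checks a planned network layout against the rules stated on this page before the values are entered in the deployment wizard: network name characters, the 32-host-address subnet minimum, address pool placement, distinct VLANs on a shared uplink interface, and the VRRP backup group ID range and uniqueness from the Deployment section. The dictionary keys and sample values are constructed for illustration. It assumes that "host addresses" excludes the IPv4 network and broadcast addresses, and it generalizes the VLAN rule to every pair of networks bound to the same NIC.

```python
import ipaddress
import re
from collections import defaultdict

NAME_RE = re.compile(r"[a-z0-9-]+")  # lower-case letters, digits, hyphens
NETWORK_TYPES = {"MACVLAN", "OVS-DPDK", "PASSTHROUGH-DPDK", "PASSTHROUGH"}
MIN_HOST_ADDRESSES = 32


def host_address_count(cidr):
    """Usable host addresses in a subnet.

    Assumption: the IPv4 network and broadcast addresses are not counted
    (the stricter reading), so a /27 yields 30 rather than 32.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2
    return net.num_addresses


def check_network(net):
    """Return findings for one network definition (hypothetical dict keys)."""
    findings = []
    name = net["name"]
    if not NAME_RE.fullmatch(name):
        findings.append(f"{name}: name may contain only lower-case letters, digits, and hyphens")
    if net["type"] not in NETWORK_TYPES:
        findings.append(f"{name}: unsupported network type {net['type']}")
    try:
        subnet = ipaddress.ip_network(net["cidr"], strict=True)
    except ValueError as exc:
        findings.append(f"{name}: invalid subnet CIDR ({exc})")
        return findings
    hosts = host_address_count(net["cidr"])
    if hosts < MIN_HOST_ADDRESSES:
        findings.append(f"{name}: {net['cidr']} has {hosts} host addresses, fewer than {MIN_HOST_ADDRESSES}")
    start, end = (ipaddress.ip_address(a) for a in net["pool"])
    if start not in subnet or end not in subnet or start > end:
        findings.append(f"{name}: address pool {net['pool'][0]}-{net['pool'][1]} is not inside {net['cidr']}")
    return findings


def check_shared_uplinks(networks):
    """Networks bound to the same host NIC must be isolated by distinct VLANs."""
    by_uplink = defaultdict(list)
    for net in networks:
        by_uplink[(net["host"], net["nic"])].append(net)
    findings = []
    for (host, nic), bound in sorted(by_uplink.items()):
        seen = {}
        for net in bound:
            vlan = net.get("vlan")
            if len(bound) > 1 and vlan is None:
                findings.append(f"{host}/{nic}: {net['name']} shares the uplink but has no VLAN")
            elif vlan in seen:
                findings.append(f"{host}/{nic}: {net['name']} and {seen[vlan]} both use VLAN {vlan}")
            else:
                seen[vlan] = net["name"]
    return findings


def check_vrrp(vrrp_ids):
    """vrrp_ids maps a network name to {component: VRRP backup group ID}."""
    findings = []
    for network, groups in sorted(vrrp_ids.items()):
        owner = {}
        for component, gid in groups.items():
            if not isinstance(gid, int) or not 1 <= gid <= 255:
                findings.append(f"{network}: {component} VRRP group ID {gid} is outside 1-255")
            elif gid in owner:
                findings.append(f"{network}: {component} and {owner[gid]} share VRRP group ID {gid}")
            else:
                owner[gid] = component
    return findings


def validate_plan(networks, vrrp_ids):
    """Run every check and return the combined list of findings."""
    findings = []
    for net in networks:
        findings.extend(check_network(net))
    findings.extend(check_shared_uplinks(networks))
    findings.extend(check_vrrp(vrrp_ids))
    return findings


# Constructed sample plan: names, NICs, and addresses are illustrative only.
SAMPLE_NETWORKS = [
    {"name": "campus-mgmt", "type": "MACVLAN", "vlan": 100, "host": "node1", "nic": "eth1",
     "cidr": "192.168.10.0/26", "pool": ("192.168.10.10", "192.168.10.50")},
    {"name": "campus-dpdk", "type": "OVS-DPDK", "vlan": 100, "host": "node1", "nic": "eth1",
     "cidr": "192.168.20.0/27", "pool": ("192.168.20.10", "192.168.20.20")},
    {"name": "Campus_DHCP", "type": "MACVLAN", "vlan": 300, "host": "node2", "nic": "eth1",
     "cidr": "192.168.30.0/24", "pool": ("192.168.31.10", "192.168.31.20")},
]
SAMPLE_VRRP = {"campus-mgmt": {"vDHCP": 10, "vBGP": 10}, "campus-dpdk": {"vBGP": 256}}

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_NETWORKS, SAMPLE_VRRP):
        print(finding)
```
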

 

Components

Introduction

Use this function to select the components to deploy and the component installation packages and network scheme to use.

Remarks

·     In the analyzer, addresses include active collection addresses and passive collection addresses. The IP address of a microservice with init in its name is a passive collection address, and the IP address of a microservice without init in its name is an active collection address.

·     Only the uninstall operation is available for vBGP package versions that support only OVS-DPDK networking. For vBGP deployment, upgrade, or expansion, select a MACVLAN-capable vBGP package version.

Component summary

·     Supported components

Table 61 Controller

| Parameter | Description |
| --- | --- |
| Campus network | Specify the controller for setting up a campus network to implement campus network automation, user access control automation, and policy automation. |
| The End User Intelligent Access | The End User Intelligent Access Component provides authentication and authorization for the end users to access the network. |
| Endpoint Admission Defense | EAD performs various security checks for terminals in addition to identity authentication and takes action depending on the check result. |
| Security Manager Platform | The Security Manager Platform provides security device service config management. |
| Wireless Service Manager | Wireless Service Manager (WSM) is developed to manage the wireless service of the system. |
| Endpoints Profiling System | Endpoint Profiling System (EPS) is developed to recognize and monitor all endpoints in the network. |
| Super controller | Specify the super controller used for hierarchical management for multiple cloud DC networks. The super controller enables data center interconnectivity and service deployment across the DC networks. |
| Cloud DC | Specify the controller for setting up a cloud DC network to implement DC network automation and dynamic management of virtual networks and network services. |
| WAN (Core Network) | Specify the WAN controller for service automation and intelligent traffic engineering in a core network scenario. |
| SD-WAN | Specify the WAN controller for service automation and intelligent traffic engineering in an SD-WAN scenario. Select SD-Branch to deploy the SD-WAN in converged mode. You specify the controller in the branch network for setting up a cloud DC network to implement DC network automation and dynamic management of virtual networks and network services. |
| Cross-domain service orchestrator | Specify the cross-domain service orchestrator to interconnect multiple controllers to provide service orchestration across networking scenarios. It enables automated, flexible resource and network function scheduling from a central management pane to accommodate accelerated service and application provisioning requirements. |
| Security Controller | Integrates controllers in different scenarios to provide unified orchestration and auto deployment of security functions across the network, creating a uniform user experience through seamless integration of network and security. |
| VNF Lifecycle Management | Provides lifecycle management for VNF resources. You can also deploy VNFM-vBRAS to provide fast deployment, initialization, and lifecycle management capabilities for vBRAS virtual network devices. |

Table 62 Analyzer

| Parameter | Description |
| --- | --- |
| Intelligent analysis engine | Specify the intelligent analysis engine, which collects network data through telemetry and analyzes the data through big data and AI to implement intelligent assurance and prediction for network services. |
| ITOA base | ITOA base is the basic component that provides basic support services for ITOA. |
| ITOA components | ITOA components are container components for big data analytics, including ElasticSearch, Kafka, Flink, and Presto. |
| Network Performance Analytics (NPA) | This analytics system provides network availability and performance analysis based on data packet statistics. It also supports service-oriented performance management, which couples network operation and service assurance. You can use this system to troubleshoot network failures, improve service assurance, increase network performance, and enhance network availability. |
| Log Analytics (LGA) | The LGA system is a unified log management platform that provides one-stop services such as log collection, ETL, storage, search, analysis, alarms, and visualization. Compared with traditional log analytics, LGA provides easy log storage, uniform log format, easy search of logs, and high problem analysis efficiency. It enables O&M personnel to efficiently use the log data, reducing O&M cost. LGA supports the following versions: Standard, which uses container components to provide data analysis, and Advanced, which uses clusters of physical servers to provide data analysis. |
| Trace Analytics (TRA) | TRA collects endpoint-to-AP connection data. Based on deep analysis on the data, TRA presents information about user access, user location, movement trace of endpoints, and user migration as well as statistics about user gathering, user staying, and user volumes. |

Table 63 Public service

| Parameter | Description |
| --- | --- |
| Cloudnet(oasis) | Cloudnet AIOps basic services. |
| vDHCP Server | vDHCP is a self-developed DHCP server. It runs in containers, and supports DHCPv4 and DHCPv6 services. |
| Collector component | Uses various protocols (such as gRPC, NETCONF, and SNMP) to collect network device information (including device, port, topology, tunnel, and route information), and puts the collected information into topics corresponding to message queues. Then, the analysis tasks in the analyzer can subscribe to and use the information. |
| AIOps component | Uses the AI algorithm to perform intelligent analysis on the time series data, predict the data trend within a certain period in the future, and analyze the trend in general scenarios, scenarios with a large amount of data, and scenarios for short-term prediction. This component can use the AI algorithm to automatically recognize abnormal points in the time series data and perform anomaly detection. |
| Automated Onboarding | This feature supports address allocation, TFTP service, configuration deployment, version upgrade, and device customization for automated device onboarding. |

License Management

This help provides detailed information about license management.

License Information

Perform this task to view license information.

Remarks

·     The system will automatically synchronize licenses with the license server every 20 minutes. To synchronize licenses with the license server immediately, click Refresh.

·     The license information in the list can be sorted according to the license name, license quantity, and state.

·     Maintenance configuration cannot be backed up or restored. Some versions do not support maintenance configuration. If a version does not support maintenance configuration, this option is not displayed on the page.

Procedure

·     To perform basic search:

a.     Enter the search criteria in the query box at the upper right corner.

b.     Click Search. Then the matching license information will be displayed.

c.     Click Reset to reset the search criteria.

·     To refresh the license information, click Refresh to synchronize licenses with the license server and refresh the list.

·     To hide or show a specific license, click the Hide or Show icon in the Actions column for that license, and then click OK in the dialog box that opens.

Configure License Server

This function allows you to configure the IP address, port number, username, and password of the license server.

Functions

·     To connect to the license server:

Enter the IP address, port number, username, and password of the license server, and then click Connect.

·     To disconnect from the license server:

Click Disconnect to disconnect the device from the license server. After the device disconnects from the license server, all licenses obtained from the license server will be released.

Parameters

·     Enter the IP address of the license server, where the primary IP is required and backup IP is optional.

¡     For IPv4, the address must be in dotted decimal format and cannot be a broadcast, loopback, multicast, or reserved address.

¡     For IPv6, the address must be in colon-separated hexadecimal format and cannot be a loopback, multicast, or reserved address.

·     Port: Enter the servicing port number of the license server.

·     Username: Enter the username for logging in to the license server.

·     Password: Enter the password for logging in to the license server.

·     Connection Status:

¡     Succeeded.

¡     Failed.

¡     Not Connected.

¡     Reconnecting.

Remarks

·     After the disconnection, all licenses obtained from the license server will be released.

·     Manually disconnecting the controller from the license server does not cause the controller to enter the license escape state, but it makes the licenses unavailable, which may affect the normal operation of services.

Health Check

Introduction

Perform this task to generate related check reports after checking the following:

·     Information about basic CPUs, memory, and database as well as status of the service processes in the operating system.

·     Status of basic services for controller operation, such as clusters.

·     Status of user services, such as network elements and virtual networks.

Remarks

Active alarms generated in one-click inspection cannot be cleared automatically. To clear such an alarm, access the active alarm page to clear it manually.

Procedure

1.     Navigate to the Health Check page.

The page displays the most recent check result, including the component name, description, task name, report generation time, check type, check result, and state.

2.     To perform a manual check, click Manual Check. In the dialog box that opens, select the components to check, and then click OK.

To stop a manual check for a component, click the icon in the Actions column for that component.

3.     To configure periodic check, click Periodic Check. On the page that opens, configure periodic tasks and view detailed information about periodic tasks.

¡     Periodic Tasks

-     To add a periodic task, click Add Periodic Task. In the dialog box that opens, configure the task.

-     To edit a periodic task, click the icon in the Actions column for that task.

-     To delete a periodic task, click the icon in the Actions column for that task.

¡     Periodic Tasks Details

-     To view the check results and states for the components in a task, click the Expand icon to the left of the task time.

-     To view the detailed check result for a task, click the icon in the Actions column for that task.

-     To download the check report for a task, click the icon in the Actions column for that task.

4.     Click Check Settings. On the page that opens, you can view or configure the timeout time and check item settings.

¡     Set Timeout Time

Click the Set Timeout Time tab, set the timeout time, and then click OK.

¡     Check Items

Click the Check Items tab and configure the following settings as needed on the tab:

-     Configure thresholds for check items, and click OK.

-     To synchronize threshold settings from configuration files of components, click Sync. Automated synchronization is performed every 24 hours after the one-click check component is deployed.

-     Enable or disable trap sending for a check item in the Send Trap column, and then click OK for the enabling status change to take effect. Trap sending is enabled for a check item by default. If trap sending is disabled for a check item, the system does not send traps when errors occur on the check item.

-     To view check principles and threshold descriptions for a check item, click the icon in the Check Principles column for that check item.

The edited check item settings will take effect at next health check.

5.     To view the history check information, click History Records. On the page that opens, you can configure the number of retained component reports.

Backup & restore

When you perform a backup & restore operation on health check data, only periodic tasks, check settings, the number of retained component reports and history records are backed up and restored.

Parameter description

Table 64 Description for the pagination controller parameters

| Parameter | Description |
| --- | --- |
| Pagination Controller | By default, the system displays 15 entries per page for pages with pagination. You can change the page size, and then click Save to save the configuration as the default, which is indicated by an asterisk (*). After logging out or closing the browser window, the configuration becomes invalid. |

Table 65 Description for the check result parameters

Parameter

Description

The health check failed.

The health check result is Abnormal.

The health check result is Risky.

The health check result needs to be manually acknowledged.

The health check result is Normal.

 

Table 66 Descriptions for the check state parameters

| Parameter | Description |
| --- | --- |
| Succeeded | Check for the component succeeded on all nodes. |
| Failed | Check for the component failed on all nodes. |
| Partially Succeeded | Check for the component succeeded on some nodes. |
| Ongoing | The component is being checked. |
| Manually Stopped | The check is stopped manually. |

There are several reasons for inspection failure:

·     Check timed out. Please set the timeout configuration value of the component to which the corresponding task belongs.

·     Script execution failure for node inspection. Please contact Technical Support to determine the impacts.

·     OCC failed to call the inspection start interface of the controller because a network exception occurred. Please check whether the network is normal.

·     The controller returned a non-2xx error when OCC called the inspection start interface of the controller. Please contact Technical Support to determine the impacts.

Table 67 Description for the periodic check parameters

| Parameter | Description |
| --- | --- |
| Schedule Settings | When you add or edit a periodic task, select this option to enable the system to perform periodic check based on the specified schedule. |

Table 68 Check Settings Parameters

| Parameter | Description |
| --- | --- |
| Timeout Time | Timeout time for component health check, in minutes. The value must be an integer in the range of 30 to 360. The default value is 30. If the health check duration for a component exceeds the specified timeout time, the system considers the check failed. |

Table 69 Description for the history records parameters

| Parameter | Description |
| --- | --- |
| Retained Component Reports | Specify the maximum number of check reports retained on each node for a component (including automatic check and manual check). The value is an integer in the range of 1 to 90. If the number of reports exceeds the upper limit, the system automatically deletes the oldest reports. To manually delete the oldest reports and perform automatic report deletion at 30-minute intervals, click OK. |

Authorization Wizard

Introduction

Perform this task to configure feature permissions and resource permissions for a single user or for multiple users in bulk.

In the non-tenant scenario (when a non-tenant administrator logs in), the tenant administrator role option is not provided in Feature Authorization. In the non-organization scenario (when a sub-organization is not added on the Organization Management page), the organization administrator role option is not provided in Feature Authorization.

Remarks

·     You cannot authorize the admin user, the current logged-in user, or users that are already members of a user group.

·     You cannot authorize the system administrator or tenant administrator role to users of sub-organizations.

·     A system administrator, tenant administrator, or organization administrator is the highest-permission user within the corresponding management scope. After you select such a role, you cannot select any other role, and you cannot separately select resources.

·     When you authorize the specified resources to users, you can directly specify up to 2000 resources per type.

·     If you select Select All, a user added to a user group before the authorization is completed inherits the authorization settings of that user group instead of using the current authorization settings.

·     You can authorize a maximum of 300 business systems for a user.

·     When the license for the CMDB component expires, the Filter Resources by Rules page will not be displayed, but the existing rule-based resource filtering settings will remain unchanged for the user (or user group).

·     When the license for the BSM component expires, the Select Resources > Business Systems page will not be displayed, but the existing business system-based resource configuration will remain unchanged for the user (or user group).

·     After the WSM or ONM component is installed, APs associated with an AC authorized to a user will also be authorized to that user.

User Information

1.     Select users to be authorized.

2.     Select users in an organization.

3.     Click Next to access the Management Scope page.

Management Scope

1.     Select an organization.

2.     Click Next to access the Feature Authorization page.

Feature Authorization

1.     Select one or more roles.

2.     Click Next to access the Resource Authorization page.

Resource Authorization

·     Authorize the specified resources

Directly specify resources

¡     Managed objects:

-     Click the Select All option to authorize all managed object resources.

-     Click the Custom option to authorize some managed object resources.

-     Click Add. In the dialog box that opens, select managed object resources as needed.

-     Resource selection scope: Resources in the authorized users' management organizations and their sub-organizations.

-     Delete the specified resource objects: Authorized or selected resource objects are displayed in the list. Select the resources you want to delete and click the Delete button to bulk delete them.

¡     System data:

-     Click the Select All option to authorize all system data resources.

-     Click the Custom option to authorize some system data resources.

-     Click Add. In the dialog box that opens, select system data resources.

-     Resource selection scope: Resources in the authorized users' management organizations and their sub-organizations.

-     Delete the specified resource objects: Authorized or selected resource objects are displayed in the list. Select the resources you want to delete and click the Delete button to bulk delete them.

¡     Resource groups:

-     Click Add. In the dialog box that opens, select resource groups.

-     Resource groups selection scope: Resource groups in the authorized users' management organization and its sub-organizations.

¡     Business systems:

This feature is enabled when you install the BSM component. The system supports selecting resources by business system. After you authorize a business system for a user, the user is assigned the resources associated with the business system within the authorization management scope.

-     Click Add. In the dialog box that opens, select business systems.

-     Business system selection scope: Business systems in the authorized users' management organizations and their sub-organizations.

Match resources by rule (Optional)

This feature is enabled during CMDB component installation. It supports matching resources by CMDB type and by a specific attribute name within a CMDB type. A maximum of five match rules are supported, and each rule supports a maximum of five attribute names.

¡     You can specify only the CMDB Type field for a rule to match all resources of the specified type.

¡     You can specify the CMDB Type and Attribute Name fields for a rule to filter resources of the specified type that match the specified attribute names. The specified attribute names are in a logical AND relationship.

¡     If you configure multiple rules, a resource that matches any of the rules is considered a match. The rules are in a logical OR relationship.

Match resources by organization

This feature implements resource authorization based on the resource-associated organization. Supported organizations include all sub-organizations within the management scope (excluding the management-scope organization). Choosing a specific organization authorizes resources within that organization and its sub-organizations. Choosing multiple organizations authorizes the union of resources from the selected organizations.

·     Authorize all resources

Authorize all resources to the current users.

Resource Groups

Introduction

From this page, you can create resource groups as needed, and add resources to these groups. Then, you can authorize resources by specifying resource groups to achieve personalized resource management.

The resource group management page displays the organization tree on the left. By default, the first level is expanded. A list of resource groups in the selected organization is displayed on the right.

Remarks

·     For resource groups of the same type, the resource group name must be globally unique in the organization of the resource group.

·     You can view the resource groups and the resource list associated with each resource group registered by related components. However, you cannot edit or delete these resource groups or create new resource groups under them.

·     For an area, you can create up to  subgroups at the same level.

·     For an area, you can create up to 10 levels of resource groups.

·     After a new resource group is added, the system automatically authorizes the user who creates the resource group or the user group to which the user belongs.

·     Only the resource groups of the local-level site can be exported.

·     When you manually add resource groups or import resource groups through a template, make sure the resource group names meet the following requirements:

¡     A resource group name cannot start or end with a space.

¡     A resource group name is a string of up to 255 characters.

¡     A resource group name can contain only letters (supports multiple languages, case-insensitive), digits, underscores (_), hyphens (-), backslashes (\), dots (.), square brackets ([ ]), and Chinese characters.

¡     The resource groups of the same type within the same organization cannot have the same name.

·     When you import resource groups through a template, make sure the uploaded file is in xlsx format and does not exceed 10M in size.

·     When you import resource groups through a template, avoid mixed use of Chinese and English templates.

·     When you import resource groups through a template, do not edit the header of the template. The template includes organization and group columns.

¡     Each row in the organization column can only contain one organization name, and the organization must be within the management scope of the login user. For each organization name, use slashes (/) to separate the elements from the user's management scope to the specific organization (for example, parent organization/child organization). To add resource groups for multiple organizations, enter the name of the next organization in the row below the lowest-level group of the previous organization. For example, if organization A contains four levels of groups, you must enter the name of organization B in the row below the lowest-level group of organization A.

¡     The group names and group types must be specified in pairs, and the group type can only be Area or Flexible Group.

·     When you import resource groups through a template, make sure the resource groups of the same organization, same parent group, and same type do not have the same name.

·     Both administrators (system administrator, tenant administrator, and organization administrator) and general users can import resource groups. Follow these guidelines when you use administrator and general user accounts to import resource groups:

¡     For general users, the system only allows them to add new groups starting from the level-1 group, and does not support additional imports. If a level-1 group in the Excel file matches an existing group in the database, the system displays a duplicate name message, and the import will fail.

¡     For administrators, if a resource group name already exists with the same organization, same parent group, and same type in the database, the resource group is skipped during the import operation. If the resource group name does not exist in the database, the resource group will be added as a new subgroup.

·     When you import resource groups through a template, the import result is based on the entire file, which means that the import either succeeds or fails for all resource groups.

·     You can import a maximum of 3000 resource groups through a template in a single operation.

·     The key value in the map configuration is invalid or incorrect, and the page cannot load the map properly. Please check and try again.

Functions

·     View resource groups

Select an organization from the organization tree on the left. The resource group list for that organization will be displayed on the right. You can search for resource groups by name to find the matching resource groups. You can sort them by group name and group type.

·     View resources in a group

Select the Resource Groups menu, and select an organization from the organization tree on the left to display the resource group list for the selected organization on the right.

Click the link in the Resources column for a resource group to view the resources managed by that group.

·     Add a resource group

a.     Click Add to access the Add Resources Group page.

b.     Configure the parameters as needed.

c.     Click OK.

·     Add a subgroup

a.     Click the Add Subgroup icon in the Actions column for a resource group to access the Add Resource Group page.

b.     Configure the parameters as needed.

c.     Click OK.

You cannot add subgroups to a resource group in the following conditions:

-     The group type is Flexible Group.

-     The parent group already has  subgroups.

·     Edit a resource group

a.     In the resource group tree list on the right of the page, click the Edit icon in the Actions column for a resource group to access the Edit Resource Group page.

b.     Configure the parameters as needed.

c.     Click OK.

·     Delete resource groups

a.     In the resource group tree list on the right of the page, click the Delete icon in the Actions column for the resource group to be deleted. Alternatively, select multiple resource groups to be deleted and then click the Delete button.

b.     Click OK.

You cannot delete the following resource groups:

-     A resource group containing subgroups.

·     Import resource groups

a.     Click Import. The Import Resource Groups window opens.

b.     Click the Download Template link to save the resource group template file (.xlsx) to your computer. Configure resource groups in a hierarchical structure as needed.

c.     Click Upload and select the edited resource group template file (.xlsx).

d.     Click Import to import resource groups.

·     Export resource groups

Click Export. The system will export all resource groups within the management organization of the current user (at the local-level site).

Parameters

Parameter

Description

Resource Group Name

The value is a case-insensitive string of up to 255 characters and cannot start or end with a space. It can contain only letters (with multi-language support), digits, underscores (_), hyphens (-), backslashes (\), dots (.), square brackets ([ ]), and Chinese characters. In the same organization, the names for the resource groups of the same type must be different.

Parent Group

Parent group of the group.

Resources

Resources that can be managed by the resource group.

Resource Group Type

Options include Area and Flexible Group.

Area

·     An area group supports multiple hierarchical levels. Also, you can create flexible groups in exclusive groups.

·     Resources in areas cannot overlap. A resource can belong to only one area.

·     Resource selection scope: The remaining part after removing the resources associated with other areas from all resources in the current organization.

Flexible Group

·     You cannot create subgroups in a flexible group.

·     You can create flexible groups in organizations or areas.

·     A resource can belong to multiple flexible groups.

·     Resource selection scope: If the group is directly under an organization, you can select the resources managed by the organization. If the group is under an area, you can select the resources managed by that area and its general sub-groups.
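Because an import is applied to the whole file or not at all, it helps to lint the planned groups against the naming, type, depth, and uniqueness rules above before uploading. The following Python sketch is an added example, not H3C code: the row dictionaries are a hypothetical flattened form of the template (reading the .xlsx file is out of scope), "letters" is approximated with str.isalpha(), and interior spaces are assumed to be allowed because the guide forbids only leading and trailing spaces.

```python
from collections import defaultdict

MAX_GROUPS_PER_IMPORT = 3000   # from the guide
MAX_NAME_LEN = 255             # from the guide
MAX_LEVELS = 10                # from the guide: up to 10 levels of groups
GROUP_TYPES = {"Area", "Flexible Group"}
EXTRA_CHARS = set("_-\\.[]")   # underscore, hyphen, backslash, dot, brackets
ALLOW_INNER_SPACE = True       # assumption, see lead-in


def name_problems(name):
    """Check one resource group name against the documented rules."""
    if not name:
        return ["name is empty"]
    problems = []
    if name[0] == " " or name[-1] == " ":
        problems.append("name starts or ends with a space")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name is {len(name)} characters, maximum is {MAX_NAME_LEN}")
    bad = sorted({ch for ch in name if not (
        ch.isalpha()                          # letters, including Chinese
        or (ch.isascii() and ch.isdigit())
        or ch in EXTRA_CHARS
        or (ch == " " and ALLOW_INNER_SPACE))})
    if bad:
        problems.append("characters outside the allowed set: "
                        + " ".join(repr(ch) for ch in bad))
    return problems


def check_import(rows):
    """Return (row_number, message) pairs; row 0 means the file as a whole.

    Each row is a dict with keys: organization ("parent/child" path),
    parent (tuple of ancestor group names, level 1 first), name, type.
    """
    problems = []
    if len(rows) > MAX_GROUPS_PER_IMPORT:
        problems.append((0, f"{len(rows)} groups in file, "
                            f"maximum is {MAX_GROUPS_PER_IMPORT}"))

    # Types of every group defined in the file, keyed by organization and path.
    # Names are case-insensitive, so paths are compared casefolded.
    types_at = defaultdict(set)
    for row in rows:
        path = tuple(p.casefold() for p in row["parent"]) + (row["name"].casefold(),)
        types_at[(row["organization"], path)].add(row["type"])

    seen = {}
    for n, row in enumerate(rows, 1):
        org, name, gtype = row["organization"], row["name"], row["type"]
        parent = tuple(p.casefold() for p in row["parent"])
        if not org or any(part == "" for part in org.split("/")):
            problems.append((n, "organization path has an empty element"))
        problems.extend((n, msg) for msg in name_problems(name))
        if gtype not in GROUP_TYPES:
            problems.append((n, f"group type {gtype!r} is not Area or Flexible Group"))
        if len(parent) + 1 > MAX_LEVELS:
            problems.append((n, f"group is at level {len(parent) + 1}, "
                                f"maximum is {MAX_LEVELS}"))
        # Only parents defined in this file can be checked offline.
        parent_types = types_at.get((org, parent), set())
        if parent and parent_types and "Area" not in parent_types:
            problems.append((n, "parent is a Flexible Group and cannot have subgroups"))
        key = (org, parent, gtype, name.casefold())
        if key in seen:
            problems.append((n, f"same organization, parent, type and name as row {seen[key]}"))
        else:
            seen[key] = n
    return problems


# Constructed sample rows (organization and group names are made up).
ORG = "HQ/Branch1"
SAMPLE_ROWS = [
    {"organization": ORG, "parent": (), "name": "Campus-A", "type": "Area"},
    {"organization": ORG, "parent": ("Campus-A",), "name": "Building[1]", "type": "Area"},
    {"organization": ORG, "parent": ("Campus-A",), "name": "building[1]", "type": "Area"},
    {"organization": ORG, "parent": (), "name": "Guest APs", "type": "Flexible Group"},
    {"organization": ORG, "parent": ("Guest APs",), "name": "Lobby", "type": "Area"},
    {"organization": ORG, "parent": (), "name": " Edge", "type": "Area"},
    {"organization": ORG, "parent": (), "name": "Core/Dist", "type": "Zone"},
]

if __name__ == "__main__":
    for row_number, message in check_import(SAMPLE_ROWS):
        print(f"row {row_number}: {message}")
```

Any reported problem should be fixed before upload, since a single bad row fails the import for every group in the file.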

 

MSP Tenant Management

Introduction

System administrators can view all MSP tenants. The tenant administrator of an MSP tenant can view only the MSP tenants created by the current tenant.

A tenant administrator or a system administrator can use the MSP tenant management feature. Non-MSP tenants in MSP tenant management can initiate MSP tenant management requests to an MSP tenant or a system administrator. After the MSP tenant or system administrator approves the requests of a non-MSP tenant, the MSP tenant or system administrator can switch to the system interface of any user of the managed non-MSP tenant and perform management and operations as that user.

Remarks

·     Only system administrators and MSP tenant administrators can add tenants.

·     Tenants created on the MSP tenant management page are all MSP tenants.

·     After you delete a tenant, all organizations, users, and resources related to the tenant will be deleted in a cascading manner.

·     The operation records of MSP tenant management are displayed only in the tenant management requests on the tenant management by MSP tab, and will not be displayed in the system or operation logs.

·     A tenant can have only one role in MSP tenant management. A tenant can either manage other tenants as an MSP tenant or be managed by an MSP tenant, but cannot do both.

·     An MSP tenant can manage multiple non-MSP tenants. A non-MSP tenant can be managed by only one MSP tenant.

MSP Tenant List

·     Add a tenant

a.     Click Add. The Add MSP Tenant dialog box opens.

b.     Configure the MSP tenant parameters as needed.

c.     Click OK.

·     Delete tenants

To delete an MSP tenant, click the Delete icon in the Actions column for that MSP tenant. Then, click OK in the confirmation dialog box that opens.

·     Refresh the list

Click the Refresh icon above the list to reload the MSP tenant list.

·     Edit a tenant

a.     To edit an MSP tenant, click the Edit icon in the Actions column for that tenant.

b.     Edit the description of the MSP tenant to facilitate maintenance.

c.     Click OK.

·     Reset the password for a tenant

To reset the password for an MSP tenant, click the Reset Password icon in the Actions column for that MSP tenant. In the window that opens, enter the new login password and confirm the password, and then click OK.

Tenant Management by MSP

·     Request management

a.     Click the Tenant Management by MSP tab.

b.     Configure the parameters as needed.

c.     Click OK to request MSP tenant management.

·     Approve management requests

You can specify whether an MSP tenant automatically approves management requests. With auto approval enabled, all management requests will be automatically approved. With auto approval disabled, a user of the MSP tenant needs to manually approve management requests on the Manage Tenants page.

a.     Log in to the system as a user of the MSP tenant and access the Tenant Management by MSP tab.

b.     Click the Manage Tenants button.

c.     Click the Tenants Pending Approval tab.

Approve requests

To approve a single pending approval request, click the Approve icon in the Actions column for that tenant management request.

To bulk approve requests, select one or more tenant management requests, and then click Approve to approve the selected requests.

After approval, you can view the tenants that the MSP tenant can manage on the Approved Tenants tab.

Reject requests

To reject a single pending approval request, click the Reject icon in the Actions column for that tenant management request.

To bulk reject approval requests, select one or more tenant management requests, and click Reject. In the dialog box that opens, enter the rejection reason and then click OK to reject the selected tenant management requests.

·     Revoke requests

Both non-MSP and MSP tenants can revoke tenant management requests.

¡     Non-MSP tenant: After a non-MSP tenant initiates a tenant management request on the Tenant Management by MSP page, you can click the Revoke icon in the Actions column for that request and then click OK in the confirmation dialog box that opens to revoke the request.

¡     MSP tenant: On the Approved Tenants page, click the Revoke icon in the Actions column for a tenant, and then click OK in the confirmation dialog box that opens to revoke management for the tenant being managed.

·     Create a tenant

The tenant to which the current logged-in user belongs can manage tenants created from this page by default.

a.     Click Add Tenant.

b.     Configure tenant parameters as needed.

c.     Click OK.

·     Switch users of the tenants managed by the MSP tenant

a.     Log in to the system as a tenant administrator of an MSP tenant and access the Tenant Management by MSP tab.

b.     Click the Manage Tenants button.

c.     Click the name link of a tenant to open the user list window, which displays the users of the tenants managed by the MSP tenant.

d.     Click the Switch User icon in the Actions column for a user to log in to the system interface of that user without authentication. On the system interface, you can perform management operations.

e.     Hover over the username link at the top right corner of the page, and select Return to MSP User from the dropdown list to return to the system interface of the original user.

·     View approval records

An MSP tenant can view the approval records of the MSP tenant management requests, including passed records, rejected records, and revoked records.

a.     Log in to the system as the tenant administrator of the MSP tenant, and access the Tenant Management by MSP page.

b.     Click the Manage Tenants button.

c.     Click the corresponding tab to view the approval records.

Parameters

Table 70 Tenant management parameters

Parameter

Description

Name

Enter a tenant name, a string of up to 255 characters. It supports letters (supports multiple languages), Chinese characters, digits, underscores (_), hyphens (-), and dots (.).

You cannot edit the name of a tenant after the tenant is created. The tenant name must be unique.

Description

Enter the description of the tenant to facilitate maintenance. The string cannot exceed 255 characters.

Username

Name of the tenant administrator for the tenant.

You can set the username length limits in the User Name Settings area on the System > System Settings > Security Settings > Basic Settings page.

You cannot configure input characters. The string can contain only letters, digits, and special characters _-.\.

This string is case-insensitive.

This field cannot be empty.

You cannot edit the username after the tenant is created. The username must be unique.

Authentication Method

Only simple password authentication is supported.

Login Password

You can specify the password length and strength check settings in the User Password Policy Settings area on the System > System Settings > Security Settings page.

 

Table 71 MSP tenant management parameters

Parameter

Description

Type

Select one of the following tenant types:

Non-MSP Tenant: Tenants of this type can only request management by an MSP tenant.

MSP Tenant: Tenants of this type can only manage non-MSP tenants.

 

Authorize MSP to Manage Tenant

Specify whether to authorize an MSP tenant to manage the current tenant.

Yes: To initiate MSP tenant management requests, you can select Yes and authorize an MSP tenant to manage the tenant.

No: Do not authorize an MSP tenant to manage the tenant.

 

MSP Account Name

Select an MSP tenant.

MSP UUID

UUID of the selected MSP tenant.

Enterprise Name

Enter an enterprise name of up to 32 characters as needed.

 

Role List

Introduction

The system supports role-based access control by assigning permissions to each role. You can define roles as needed.

The role list displays roles in the management organization and its sub-organizations of the tenant to which the current logged-in user belongs.

Remarks

·     Predefined roles cannot be edited or deleted. The system/tenant/organization administrator role, the system/tenant maintainer role and the tenant viewer role cannot be copied.

·     Roles created by the organization administrator belong to the organization managed by the current user and can be authorized only to users that manage the organization.

Functions

·     Add a role

Click Add to access the Add Role page.

·     Delete roles

¡     To delete a single role, click the Delete icon in the Actions column for that role. Then, click OK in the dialog box that opens.

¡     To bulk delete roles, select one or multiple roles, and then click Delete. Then, click OK in the dialog box that opens to bulk delete the selected roles.

·     Refresh the list

Click the Refresh icon above the list to reload the role list.

·     Edit a role

Click Add to access the Add Role page.

·     Copy a role

a.     To copy a role, click the Copy icon in the Actions column for that role.

b.     The Add Role page opens with the permissions inherited from the copied role.

·     View role details

Click the name link of a role to access the Role Details page for that role.

Add/Edit Role

Introduction

From this page, you can add or edit roles.

Remarks

·     You cannot add a role that already exists.

·     Only system administrators and tenant administrators can create public roles.

Functions

·     Add a role

a.     On the role list page, click Add to access the Add Role page.

b.     Configure basic information for the role.

c.     Click OK.

·     Edit a role

a.     On the role list page, click the Edit icon in the Actions column for a role to access the Edit Role page.

b.     Edit basic role information as needed. The role name cannot be edited.

c.     Click OK.

Parameters

Table 72 Basic role information

Parameter

Description

Role Name

Case sensitive. Valid characters include letters (supports multiple languages), Chinese characters, digits, and the special characters underscore (_), hyphen (-), and backslash (\). The string cannot exceed 128 characters.

You cannot edit the name of a role after the role is created. The role name must be unique.

Description

Description of the role. The string cannot exceed 128 characters. You can view the description of the role on the role list.

Public or Not

This option is available only for system/tenant administrators. A public role cannot include system/tenant-level permissions, and its permissions are restricted up to the permissions of the organization administrator role.

A public role created by a tenant administrator can be used throughout the tenant but cannot be edited.

A public role created by a system administrator can be used throughout all non-tenants.

Permission Configuration

A role includes a set of feature permissions that correspond to the menu structure in the current view.

To bind menu feature permissions in another view to a role, first click the Change View icon in the top right corner to switch to that view and then configure the role.

 

Hierarchical Management

About this task

Hierarchical management allows you to add, delete, edit, and search for management stations. You can assign lower-level or upper-level roles to management stations to establish hierarchical relationships.

Remarks

·     Hierarchical management supports configuring only three levels of regions, or two levels of regions plus one level of proxy.

·     The hierarchical must be associated with the same organization name.

·     If the IP address or port is not reachable, the system will take a long time to respond to the lower-level system addition operation. Make sure the correct IP address and port are configured.

·     After you edit an upper-level station, the Hub service will use the new IP address and port number to re-establish a channel between the upper-level station and its lower-level station. Make sure the new IP address and port number are reachable.

·     After a primary/secondary switchover for lower-level stations, you must manually remove the alarm triggered when the previous primary station was disconnected from the upper-level station.

·     When you delete a lower-level station on the upper-level station, the upper-level station also requests the lower-level station to delete itself. If the upper-level station is not deleted on the lower-level station due to network or other reasons, you must manually delete the upper-level station on the lower-level station.

·     Before the state of a created management station changes to Running, do not associate resources with the organization specified during the creation of that management station.

Functions

·     Add a management station

a.     Click Add.

b.     Configure relevant parameters on the page that opens.

c.     Click OK.

·     Edit a management station

a.     Click Edit in the Actions column for a management station.

b.     On the page that opens, edit relevant parameters as needed.

c.     Click OK.

·     Delete a management station

a.     Click Delete in the Actions column for a management station.

b.     Click OK.

·     Access a lower-level management station

a.     Click Connect in the Actions column for a management station.

b.     Switchover between the IPv4 environment and IPv6 environment is not supported.

c.     You cannot access a lower-level management station that is not associated with the current management station.

·     Recover the management station status

a.     The page displays Recover if the current management station is specified as a lower-level management station and the current user has the permission to perform the recover action.

b.     To cancel the lower-level status for the current management station, click Recover.

Parameters

Table 73 Management station configuration parameters

Parameter

Description

Management station Role

Specify the role for the management station.

·     Upper-Level: Add an upper-level management station for the station.

·     Lower-Level: Add a lower-level management station for the station.

Deployment Mode

When you add a lower-level management station, the deployment mode is the mode of the lower-level management station added. Select a deployment mode according to the lower-level management station. If you do not do that, services will be affected because of mode mismatch. Options include Proxy and Region.

When you add an upper-level management station, the deployment mode is the mode of the current management station when it acts as a lower-level management station. Options include Proxy and Region.

·     Proxy: Subcomponent in the management station system to collect the data of monitored applications. This mode is supported only by application monitoring.

·     Region: Management station in the multi-management station system. In each management region, one management station is deployed. You can assign lower-level or upper-level roles to management stations to establish hierarchical relationships. Then, you can uniformly or hierarchically manage network devices or applications in multiple management regions.

Organization

Organization to which the user belongs. Available options include the organization to which the current logged-in user belongs and its sub-organizations.

Association

Select whether to synchronize association to the upper-level and lower-level stations. To perform operations only on the current station, disable this option. Configure this parameter based on the upper-level and lower-level station scenarios.

Name

Specify a name for the management station, a string of 2 to 32 characters that can contain only letters (supports multiple languages, case-insensitive), Chinese characters, digits, underscores (_), hyphens (-), dots (.), and backslashes (\).

Protocol Type

Select HTTP or HTTPS from the list.

IP Address

Enter the IP address (dotted decimal notation) or IPv6 address (colon-separated hexadecimal notation) of a lower-level or upper-level management station. When you add or edit an upper-level management station, the IP address can be used to forward messages to the upper-level management station.

Port

Enter a port number of a lower-level or upper-level management station, an integer in the range of 1 to 65535.

·     When you add or edit an upper-level management station, the port can be used to forward messages to the upper-level management station. The specified port is mapped to port 20200.

·     When you add or edit a lower-level management station, the port can be used to forward messages to the lower-level management station. The specified port is mapped to port 30000.

Username

Enter the username of the lower-level management station, a string of 1 to 255 characters.

Password

Enter the password of the lower-level management station, a string of 1 to 32 characters.

Management station ID

ID of the management station to be added, a positive integer in the range of 1 to 9223372036854775807. You can select whether to enable association for the management station to be added.

·     If you enable association, you do not need to enter the management station ID. The system automatically obtains the ID when it adds the management station. If you also enter an ID for the management station, the system compares the entered ID with the automatically obtained ID. If the two IDs are different, the management station cannot be added successfully.

·     If you disable association, you must enter the management station ID. To view the ID, go to the hierarchical management page of the management station to be added.

NAT Mapping IP Address

Enter an IP address mapped to the northbound IP address through which a lower-level management station connects when establishing a connection with the upper-level management station. This parameter is optional. If you do not configure this parameter, a lower-level management station directly uses the northbound IP address to request a connection with the upper-level management station. You can enter an IPv4 address in dotted decimal notation or an IPv6 address in colon-separated hexadecimal notation.

NAT Mapping Port

Enter a mapped port number through which a lower-level management station connects when establishing a connection with the upper-level management station. The port number is in the range of 1 to 65535. This parameter is optional. If you do not configure this parameter, a lower-level management station uses port 20200 to request a connection with the upper-level management station.

 

System Configuration

From this menu, you can configure the public parameters of the system and related parameters.

Homepage Settings

Introduction

The settings menu allows you to change the theme of the portal, and configure the intelligent wizard, homepage, and favorites folder.

Remarks

·     The configuration items for the intelligent wizard and homepage are available only for users that have privileges to configure them.

·     This feature allows you to specify a homepage for the system.

·     If the system fails to load your specified homepage because of a network issue or deletion of that page, you can restore the default homepage. To restore the default homepage, click the Settings icon in the upper right corner of the page, and then select Configure Homepage. In the window that opens, select Default from the Select Homepage list.

·     The Manage Favorites menu on the intelligent wizard displays only the menu and external links (excluding folders) saved in current view.

·     When the homepage configuration is not set as the default configuration, it applies to all views of the current user.

Functions

·     Change theme

This function allows you to change the theme for the current page. The theme configuration is saved to the browser cache. When you open multiple windows and switch the theme, you must refresh the pages for the windows for which the theme has not been switched.

¡     Star theme: Change to a theme of a dark color.

¡     Light theme: Change to a theme of a light color.

·     Configure smart wizard

The smart wizard configuration function can provide the wizard page for users. You can enable or disable the wizard.

¡     Enable user: If smart wizard exists in the current domain, you can configure the smart wizard.

¡     Disable user.

·     Configure homepage

This function allows you to configure the homepage by clicking the Settings icon on the top navigation bar and then selecting Configure Homepage from the drop-down menu.

¡     Click the Settings icon on the top navigation bar, and then select Configure Homepage from the drop-down menu.

¡     Click OK.

·     Customize dashboard

¡     Click Customize Dashboard to open the dashboard configuration page.

¡     After completing dashboard settings, enter the homepage configuration page to select a homepage again.

Table 74 Dashboard Parameters

Parameter

Description

User-Defined URL

Enter the custom homepage URL. In this case, the URL is required.

·     You can configure this option when you want to customize the homepage URL.

·     Permission control does not apply to the custom URL.

·     The URL of the dashboard cannot be any system access path.

Homepage URL

·     The input limitations on the browser address bar apply to the homepage URL.

·     Enter the URL associated with the page displayed when you log in to the system for the first time.

·     Enter the self-defined URL when you want to configure a custom URL.

·     Before configuration, identify the protocol, HTTPS or HTTP, used for accessing the environment. Make sure the homepage URL uses the same protocol.

Default Dashboard

Select the system default dashboard.

Other Dashboard

Select a dashboard from the existing dashboard list.

 

Tab Settings

Introduction

Perform this task to configure tab settings globally by right-clicking a tab name. You can specify the maximum number of opened tabs allowed and the option for opening a new tab when the tab limit is reached.

Remarks

To have the configured tab settings take effect, you must log in to the system again.

Procedure

1.     Open a page with two or multiple tabs.

2.     Right-click a tab name and select Settings.

3.     In the dialog box that opens, configure relevant parameters.

4.     Click OK.

Parameters

Parameter

Description

Max Tabs

Specify the maximum number of tabs that can be opened on the system, an integer in the range of 2 to 50.

Options for opening a new tab when the tab limit is reached

Select the option for opening a new tab when the number of opened tabs reaches the specified limit. Options include:

·     Allows the system to close the earliest tab automatically when a new tab is opened.

·     A new tab can be opened only when an opened tab is manually closed.

 

 
