1 Overview of Configuration Change Console

Enterprise Manager Configuration Change Console supports best practices policies by enabling you to validate user actions against established IT Controls, thereby helping to reduce unauthorized change and uncontrolled access attempts made to the IT infrastructure. By automatically monitoring critical applications and infrastructure components for changes, and then comparing detected changes to planned changes, the software can track activity, generate reports, trigger alert notifications, and identify policy violations.

Used as part of your IT compliance effort, the Configuration Change Console ensures adherence to internal controls supporting essential systems by monitoring, managing and auditing changes against corporate best practices policies. Although the products focus on IT control validation and compliance, they may also support other essential IT operations, including:

You decide which infrastructure components you want to monitor. The Configuration Change Console collects data from those components according to the data collection rules you have defined, generates notifications according to those rules, and maintains a database of the changes made to those infrastructure components.

You can then explore and analyze that data for compliance or for forensic purposes, displaying information in a time-based information model to accurately track exactly what changed and when. The user interface offers graphical visualization tools and the ability to drill down to specific devices, time intervals, and events. The solution provides both packaged and ad hoc reporting capabilities.

Getting Started

To start using the product, you must complete several basic setup tasks before you can start monitoring and collecting data. The following table provides an overview of the steps and the documentation where you can find details.

Table 1-1 Initial Setup Steps

Initial Setup / Details

1. Install the Configuration Change Console server and database.

   Details: Refer to the Enterprise Manager Configuration Change Console Installation Guide.

2. Configure your web browser to refresh the display every time you access a page.

   Details: For Microsoft Internet Explorer:

     1. Tools -> Internet Options -> General: Settings

     2. Select Every visit to the page.

3. Install agents on the devices you want to manage.

   Details: Refer to the Enterprise Manager Configuration Change Console Installation Guide.

Once you have performed this basic configuration, the Configuration Change Console user interface provides access to the tools that you will need to analyze changes, configure notifications for critical events or changes, and generate regular reports.

Table 1-2 Post Initial Setup Steps

After Initial Setup / Details

1. Provide basic configuration information about your IT infrastructure: People, Teams, Devices, and Device Groups.

   Details: See Chapter 3, "Setting Up the Environment".

2. Define monitoring and compliance policies and apply them to components and devices. When a component is applied to a device, it is called an instance.

   Details: See the following sections in this User Guide: Chapter 5, "Operations Management" and Chapter 8, "Configuring Threshold Monitoring".

3. Set up applications to provide a logical view of your component instances.

   Details: See Step 5: Applications.

Accessing the Console: User Accounts

Use a web browser, such as Mozilla Firefox or Microsoft Internet Explorer, to log on to the Configuration Change Console application. Initial access is available using a default administrator account. When installing the server, you were prompted for a password to use for this account.

Administrator: Has full privileges for all policy configuration and application administration. This account cannot be deleted, renamed, or have its administrative privileges revoked. This account name is in lower case.

The user interface supports different roles corresponding to the ways that users may need to interact with the application. New user accounts can be created with the following roles:

  • Super-administrator (full access to all configuration, including team support assignments)

  • Administrator (full access to policy configuration for devices visible through team support assignments)

  • Regular (view-only privileges for collected change events; no access to configuration screens)

For details on adding users, see Configuring People and Teams.

Once you have successfully logged in, you will be taken immediately to the top level dashboard. For details, see Chapter 2, "About the Dashboard".

Configuration Change Console Architecture

The Configuration Change Console is built on a distributed architecture. Lightweight agents installed on servers in the IT infrastructure serve as data-collectors. Events collected by the agents are sent to a set of central servers and populate a time-based information model stored in a back-end Oracle database. The server hosts the compliance applications, providing access to a web-based user interface for data analysis, solution configuration, audits, change notification, and integration with change management systems.

Figure 1 - Configuration Change Console Architecture

The overall architecture is J2EE-compliant, incorporating an Oracle database and a web application server with Java Servlet and Java Server Pages (JSP) technologies. This open, standards-based architecture integrates easily into complex IT environments.

As shown in Figure 1 - Configuration Change Console Architecture, the solution comprises several major components:

  • Agents on Managed Devices

  • Database

  • Application Servers

  • Messaging Servers

Configuration Change Console Agents

Agents are lightweight processes that perform data collection on managed servers by interacting with operating system, security, database, and other system interfaces. Agents can perform the following tasks:

  • Collect information about specific files, processes or user accounts

  • Track changes to the contents and structure of databases

  • Monitor message queues

  • Track Windows Registry and Active Directory changes

  • Gather performance and inventory information (such as CPU usage and memory capacity).

Agents are available for servers running the Windows Server, Windows NT, Solaris, AIX, HP-UX, Linux, and OS/400 operating systems. The Enterprise Manager Configuration Change Console Installation Guide lists the supported versions of each operating system.

Agents aggregate and compress data for transmission to the database server. You can pause, resume, stop, and even upgrade agents remotely from the server.

Configuration Change Console Database

Configuration Change Console uses an Oracle database to maintain the time-based information model of infrastructure events and information, serving the graphical user interfaces as well as the reporting capabilities of the solution.

The database size depends on the number of managed infrastructure components, the number of changes monitored on those components, and the retention periods for the data. These factors are controlled by monitoring and application policies.

Configuration Change Console Application Server

Each installation has one master application server that presents the graphical user interface for configuration, review, and reporting. This interface is accessible using any standard browser. In addition, some installations may have one or more secondary application servers that manage the gathering of data from the agents and population of the time-based information model. For small deployments or low change volumes, you may not need a secondary server.

For information about administering the Configuration Change Console infrastructure components, see Chapter 12, "Administering Servers and Agents".

Configuration Change Console Messaging Broker Server

In a clustered environment where you have one primary server and one or more secondaries, there will also be one or more Messaging Broker Servers that facilitate the bidirectional communication between the agents and the servers. All communication goes through these messaging brokers rather than agents talking directly to the primary or secondary server. In a simple non-clustered environment where you only have the primary server, the messaging broker is bundled in with the primary server.

For information about administering the Configuration Change Console infrastructure components, see Chapter 12, "Administering Servers and Agents".

Using the Configuration Change Console Interface

The Configuration Change Console offers a graphical user interface that lets you browse compliance and change information. This section describes the user-interface features that are common among the many functions of the product.

Agents, installed on managed devices, collect and update the information from the infrastructure. Visualization screens provide views of this collected data. You can specify the types of changes you want to see for specific time periods and for specific portions of the infrastructure. The interface then displays the requested information, with drill-down details on each detected change. Likewise, on configuration screens, you can specify which files, processes, or applications to monitor on which devices.

User Interface Language and Locale

The Configuration Change Console interface supports the following 10 languages:

  • English [en-US]

  • Japanese [jp-JP]

  • Italian [it-IT]

  • French [fr-FR]

  • Spanish [es-ES]

  • Brazilian Portuguese [pt-BR]

  • German [de-DE]

  • Korean [ko-KR]

  • Simplified Chinese [zh-CN]

  • Traditional Chinese [zh-TW]

This list applies only to the user interface for the product. The online help is only available in English. Any content for events detected from an agent will be stored in the language of the server or software the agent is monitoring. Any user-entered content in the UI will be stored in the repository in that language without translation.

To choose the language that you want to use, set your browser language and locale to match one of the above supported languages.

The server uses a global language and locale setting for generated content that is not tied to a user's session. This includes some pre-generated reports, notifications, and other items that are not tied to the user interface. This language and locale is set according to the primary server installer language you use. You can also change the setting in the repository at a later time if needed. See the Server Configuration Properties appendix of the Configuration Change Console Installation Guide for instructions on which property to change.

Navigation Conventions

The user interface displays tabs that organize the tasks by function. When you click a tab, a number of task links appear, enabling you to drill down to a specific task.

Throughout this book, a navigation path is provided so that you can easily reference the steps to access a particular task screen.

Example: Administration --> Server Configuration --> Devices

In this example, Administration refers to the label on the tab that provides the entry point to a series of functional tasks.

Moving Between Screens

To navigate to different screens, use one of the following methods:

  • Use your browser's back and forward arrows to move to the previous and next screen.

  • Click on an underlined link to jump immediately to a screen displaying information or configuration options for the selected item.

Accessing Online Help

Two types of online help are available:

  • Help tab: To access the table of contents for the full set of online help, click the Help tab in the toolbar at the top of the screen.

  • Context-sensitive help: Available from each screen; click on the question mark icon to view detailed descriptions of the screen's configuration parameters.

As with the language settings for the user interface in general, the language and locale of the online help shown when you access help depend on the language and locale your browser is set to. This setting is detected and used to determine which content to display on the screen.

Applying Filters to Displays

Most screens provide filters that allow you to more narrowly define the information of interest to you. Many of the screens allow you to specify date ranges and other filters to limit the information. In general, we suggest that you use timeframes to focus on the information you want. For example, in the following screen you would enter the time frame and scale (Month, Day, Hour, 15-Minute) and click Apply Filters. When moving from screen to screen, some of the most commonly used attributes are retained to make it easier to move to different screens without having to select the items from the filter bar again. For instance, device group, devices, and time scale are all examples of filter options that will be retained as you move from screen to screen.

Figure 2 - Example of Filtering the Data Displayed on a Screen