Discussing the TED Subscriber | Novell's ZENworks for Servers 3. Administrator's Handbook

The TED subscriber is responsible for receiving and extracting distributions, and validating that they come from an acceptable distributor and that the distribution file is accurate. The subscriber, when the extraction schedule starts, activates TED agents to unpack the distribution and handle the placement of the data in the distribution. If the subscriber should receive, with the distribution, a route that specifies that it send a distribution to other subscribers, the subscriber forwards the distribution to the next level of specified subscribers.

The subscriber system on a server never accesses NDS. The distributor that is sending a distribution to this subscriber is responsible for communicating any information from the subscriber object to the subscriber software. The distributor sends configuration information to the subscriber only if the distributor has a newer revision of the subscriber object or the effective policy. The subscriber stores any changes in a configuration file so that the next time that it is started it loads the configuration information.

All subscribers must have a copy of the digital certificate of the distributor to receive distributions from the distributor. If there is a distribution in the channel that is coming from a distributor for which the subscriber does not hold a copy of the distributor's digital certificate, the subscriber rejects the distribution. You can transmit the digital certificate manually, or ConsoleOne will attempt to contact the subscribers with a UNC path when a distribution is placed in a channel from a new distributor or when a subscriber is added to the channel. Over this connection, the digital certificates of all distributors (that currently have distributions in the channel) are sent and placed on the subscriber's file system. Perform the following steps to secure a copy of the digital certificates of the distributors that may be sent to the subscriber:

Launch ConsoleOne.
Browse to the distributor object of the distributor whose certificate you want to retrieve. Select the distributor object.
Right-click and select Resolve Certificates. You are presented with a dialog box that gives you two radio buttons:
- Copy certificates to subscribers automatically. This goes to all distributions associated with this distributor and then to all the subscribers that are associated with all the channels in which the distribution is, and also to all subscribers that act as parent subscribers to pass the distributions to the subscribers that are associated with the channels. It attempts to gain access to the subscriber file system with a UNC path and to write the certificate to the sys:\ted2\security directory on the subscriber server.
- Save certificates to disk. This writes the certificates to the directory specified on the disk.
Choose Save Certificates to Disk and type in the directory name to copy the certificates on your local drive or floppy. Or, click the Browse button to browse to the directory where you want the certificates copied.
Click OK. The certificates are placed in the directory specified.
Take the files written to the directory and copy them to the directory PATH:\ZENWORKS\TED\SECURITY on the subscriber system.

NOTE

You can also use ConsoleOne to automatically resolve certificates for a specific subscriber, rather than a distributor. By right-clicking the subscriber object and choosing the Resolve Certificate option, the subscriber receives all certificates for all distributors that have distributions associated with the channels to which the subscriber is subscribed.

The NDS Rights and Other pages are described in the sections of this chapter that discuss distributors.

About the Settings Property Page

This page is found under the General tab and represents some general configuration settings that are effective for this subscriber. Figure 6.16 displays a capture of this screen.

Figure 6.16. Settings property page of a subscriber object.

graphics/06fig16.gif

On this property page, you can choose the following settings:

Input rate. This represents the number of bytes per second that you allow a subscriber to consume for all subscriptions' input, independently. The default is for the subscriber to receive at the maximum rate possible on the server. For example, if you choose to enter 4096, this subscriber does not exceed receiving 4Kbps from any distributor, regardless of the capacity of the subscriber.
High Priority. This represents the number of bytes per second that you allow a subscriber to consume for all high-priority subscriptions' output.
Medium Priority. This represents the number of bytes per second that you allow a subscriber to consume for all medium-priority subscriptions' output.
Low Priority. This represents the number of bytes per second that you allow a subscriber to consume for all low-priority subscriptions' output.
Maximum concurrent distributions. Each time that a subscriber is going to relay a distribution (because it is a parent subscriber), it creates a Java thread that handles the sending of the distribution to the child subscriber. This value identifies the maximum number of threads that you will allow the parent subscriber to create to service relaying distributions. The Maximum Number of Concurrent Distributions value is affected by prioritizing because it is subordinate to the priorities set for the distributions. For example, imagine that you have the concurrent distribution number set to 10 and there are 4 high-priority distributions, 5 medium-priority distributions, and 20 low-priority distributions. Initially, the 4 high-priority distributions are sent concurrently; the 5 medium-priority distributions must wait until all 4 high-priority distributions are complete. Then the 5 medium-priority distributions are sent concurrently and only after they are complete are 10 of the 20 low-priority distributions sent.
NOTE

The subscriber always creates all the concurrent receiver threads that it needs regardless of this maximum value. There is currently no method to manage the total number of receiver threads.
Connection timeout. The default for this is 300 seconds. You can also enter a timeout value that, when exceeded, causes the parent subscriber to fail the distribution and retry the distribution every two minutes for the next thirty minutes (as long as it is still in its scheduled window). If after the retries the distribution still cannot succeed, the parent subscriber fails the distribution and the next time it tries is when the distributor reattempts the distribution. This value is also used for the maximum amount of time a subscriber waits between packets while receiving a distribution from a distributor or parent subscriber.
Working directory. This identifies the directory where the subscriber stores the distribution files it receives. The agents, when they are called to extract the files, go to this directory to find the distribution files. It is not recommended to use the SYS volume because of the potential system problems should that volume become full.
Parent subscriber. This enables you to specify a parent subscriber from which this subscriber should receive all distributions (as opposed to getting them directly from the distributor). This can be overridden on a per-distributor basis by including the subscriber in the routing hierarchy on each distributor (see the TED Systems section for more information).
Disk space to be left free. Specifies amount of disk space that you want to remain in addition to the size of any distribution that is to be received. This enables you to enter a value large enough to also allow room for the distribution to be extracted and installed. The subscriber server receives the distribution only if amount of free disk space on the subscriber server is equal to or greater than the sum of the compressed distribution and the value you entered here.

Focusing on the Messaging Property Page

The Messaging property page is under the General tab and can be configured by clicking the active tab and selecting the messaging value under the drop-down on the tab (which you find by pressing the small triangle in the tab). Figure 6.17 provides a sample Messaging page.

Figure 6.17. Messaging property page of a subscriber object.

graphics/06fig17.gif

For each of the appropriate fields, you may enter one of the message levels described in the section on distributors.

You can administer the following configuration parameters on the Message property page:

Server Console. This item identifies the level of messages that are displayed on the subscriber server console (not the main server console).
SNMP Trap. This identifies the level of messages that are sent as an SNMP trap being sent to the SNMP trap target. The SNMP Trap Targets policy must be set in the Service Location Policy Package to be effective for the subscriber object. This information is included in the configuration information sent to the subscriber from the distributor.
Log file. This identifies the level of message that should be stored in the log file. Additionally, you can configure the following about the log file:
- Filename. This is the log file's filename. The default location is PATH:\ZENWORKS\TED\DIST\TED.LOG. You should change the log file's location because it can grow, as well, and may adversely affect the system if it is located on the SYS volume.
- Delete log entries older than X days. In this parameter, you identify the number of days (x) worth of log entries that should remain in the log file. The default is six days. Therefore, any log entries that are older than six days will be cleared from the log file. The process of scanning the log for and removing old log entries happens once every 24 hours and is not configurable.
Email. With this option you can specify the level of messages that will be sent as email to the identified users. The SMTP Host policy in the ZENworks for Servers 3 Service Location policy package must be effective for the subscriber object to enable it to discover the address for the SMTP host to send the email. If this is not specified, the email is not sent.
In addition to identifying the level of messages, you must also specify who should receive these messages. To add users to the list and for them to be sent the message, you must select User, Group, or E-mail from the dropdown list and then click the Add button and specify the NDS User or Group, or an email address. When you select a user, you are asked to browse to the user in the directory, and the system takes the email address attribute from the user and uses that as the address for the user. Should you choose a group, all the users in the group are sent the email message and the email attribute is used for each of those users. Should you not want to use the email address attribute in the user object, you may select the down arrow in the Address Attribute field and select which of the NDS user attributes you want to identify as containing the email address. Many administrators store user email addresses in the Internet E-mail Address attribute instead of the E-mail Address attribute. It is expected that the attribute you identify contain a valid email address.
If you choose to enter an explicit email address, rather than selecting a user or a group, you may choose E-mail from the dropdown list and click the Add button. You are prompted to enter a valid email address. The entered email address is assumed to be valid and is shown as the Username field in the table with an N/A in the Address Attribute field.

Thinking About the Channels Property Page

This page of the subscriber object identifies the channels that this subscriber is going to receive distributions from. A subscriber may subscribe to many channels. To add a channel to the list, click the Add button and browse in NDS to the channel. Once this channel is added, it appears on the list.

To delete a channel from the list, you must first select the channel and then click the Delete button. The subscriber will no longer accept distributions from this channel.

You can view/edit the property pages of the channel by selecting the channel and clicking the Details button.

The same distribution may be placed in more than one channel. It is possible that the same subscriber may be subscribed to multiple channels, and that more than one channel may want to distribute the same distribution. The distributor and subscriber keep a version number on each distribution and do not send the same distribution more than once to the same subscriber, no matter in how many channels the distribution is.

About the Extract Schedule Property Page

The Schedule property page enables you to specify when and how often the extraction agents are called to dissect the distribution file and extract the files within, placing them in the file system of the server as specified in the distribution. Figure 6.18 shows a sample of this page.

Figure 6.18. Extract Schedule property page of a subscriber object.

graphics/06fig18.gif

If there is a Tiered Electronic Distribution policy in a Service Location policy package effective for the subscriber object, the check box for using the policy appears on this page. If there is no effective policy, the check box is not displayed. When this check box is activated, the schedule described in the policy is used for this subscriber. When unchecked, this subscriber has its own schedule and the Schedule Type field is available for administration. The check box is checked by default if there is an effective TED policy.

This page enables you to select when the extraction agents should do their work on the subscriber server: Never, Daily, Monthly, Yearly, Interval, Time, or Run Immediately.

After you have selected when you want the configuration applied, you have additional fields to select in the lower portion of the screen. The following sections discuss the various options you have.

NOTE

The default is Never. Therefore, the subscriber never extracts the files until you change the schedule. Remember, the configuration of the subscriber does not change until the next distribution, when the distributor sends the new configuration.

Never

This option loads the distributor with the configuration information only when it is first loaded on the server, after each reboot or restart.

Daily

When you choose to have the configuration applied to the system daily, you have the additional need to select when the changes will be made.

This schedule requires that you select the days when you want the configuration applied. You select the days by clicking the days you want. The selected days appear as depressed buttons.

In addition to the days, you can select the times the configuration is applied. These times the start and stop times provide a range of time when the configuration will be applied.

You can have the configuration also reapplied within the time frame every specified hour/minute/second by clicking the Repeat the Action Every field and specifying the time delay.

To keep all the distributors from simultaneously accessing NDS, you can select the Randomly Dispatch Policy During Time Period option. This causes each server to choose a random time within the time period when it will retrieve and apply the configuration.

Monthly

Under the monthly schedule, you can select which day of the month the configuration should be applied or you can select Last Day of the Month to handle the last day, because all months obviously do not end on the same calendar date.

After you have selected the day, you can also select the time range when the configuration will be reread and applied.

Yearly

You select a yearly schedule if you want to apply the configuration only once a year.

On this screen, you must choose the day that you want the configuration to be applied. This is done by selecting the Calendar button to the right of the Date field. This brings up a Monthly dialog box, where you can browse through the calendar to select the date you want. This calendar does not correspond to any particular year and may not take into account leap years in its display because you are choosing a date for each year that will come along in the present and future years.

After you have selected the date, you can also select the time range when the configuration should be read and applied.

Interval

This schedule type enables you to specify how often to repeatedly read and apply the configuration. You can specify the interval with a combination of days, hours, minutes, and seconds. This type waits for the interval to pass first before applying the configuration for the first time and then for each sequence after that.

Time

This allows you to specify a specific calendar date and time when the configuration will be applied. When the current date on the server is beyond the identified date, the configuration will be applied.

Run Immediately

The distributor does not use this scheduled type, but it is used by other components. It is described here for completeness in describing all the possible schedulers.

With the Run Immediately schedule type, the schedule causes the activity to occur the first time that the associated object is activated. You may also specify a repeat interval in days, hours, minutes, and seconds. If no repeat interval is specified, the action runs only once, until the object is restarted or refreshed.

Variables Property Pages

Variables enable you to substitute a variable name in the distribution with the value specified in the subscriber. When you create a distribution, you may use variables in the volumes and directory names, for example. When the distribution is sent to the subscriber and the extraction agent is called, the agent replaces these variables with their defined value in the subscriber object. If no value is given, the variable name (including the % percent sign) is used for that value.

If a Tiered Electronic Distribution policy in a Service Location Policy package is in effect for the subscriber, the check box for using the policy appears on this page. If there is no policy, the check box is not displayed. When this check box is activated, the variables described in the policy are used for this subscriber, in addition to the variables that you define in the subscriber. When unchecked, this subscriber has its own independent variables. If there is a duplicate, the subscriber's definition is used. This enables you to override a specific variable from the policy, while still accepting the other variables from the policy.

Unlike ZENworks for Servers policies and software distribution packages, the TED software performs only basic substitution of variable to value and does not enable you to reference an NDS object or its attribute. This eliminates the requirement that the subscriber have access to NDS and all the objects in the tree. This would be especially difficult if the subscriber were an external subscriber not even in the same tree as the distributor!

For example, if you create a distribution and specify %DEST_VOLUME% as the volume name, when the subscriber extracts the files, the agent substitutes the variable DEST_VOLUME defined in this property page with the value. If DEST_VOLUE is not defined, then a directory called %DEST_VOLUME% is created in the SYS volume.

Remember to be consistent in your conventions and your variable names. You should probably come up with a set of common variables that you define with each subscriber that you set up. Then when you create a distribution, you can use these variables in defining the directories where the distribution will be placed. Remember, the subscribers that receive the distribution are based purely on who subscribes to the channels where you place the distribution. If you are not consistent in your variable names across all subscribers, you may inadvertently send a distribution to a subscriber that does not have the variable defined; this results in the distribution being extracted in a place you do not expect (probably on the SYS volume). Some variables that you should consider defining in each of your subscribers include the following:

DEST_VOLUME. Define this variable as the volume that receives the distribution after it is extracted.
DEST_APPVOL. Define this to be the volume where your applications are stored.
DEST_APPDIR. Define this to be the directory under the application volume where you place your applications.