Documentation Changes

Updates, corrections, and clarifications to the documentation released with Sybase Control Center 3.2.6.

SSL Support in Replication Server Data Assurance Option

The documentation for the SSL support feature in Replication Server Data Assurance (DA) Option 15.7.1 is not included in the Sybase Control Center for Data Assurance online help. The remote method invocation (RMI) communication between Sybase Control Center for Data Assurance and DA server can be encrypted using Secure Sockets Layer (SSL) / Transport Layer Security (TLS).

For detailed information on the SSL support in DA, see the Replication Server Data Assurance Option 15.7.1 > Users Guide > Security and Access Control .

SCC for Sybase IQ Help: Keyboard Shortcuts

This new topic is not present in the SCC for Sybase IQ online help:

About Sybase Control Center for Sybase IQ > Keyboard Shortcuts

Frequently used key sequences for the Sybase Control Center Web interface.

Key Sequence Action
Ctrl-Alt-F12 Pull down the first menu in the topmost view or in the SCC menu bar. Repeat to toggle between the two first menus.
Ctrl-Alt-Shift-F12 Pull down the first menu (Application) in the SCC menu bar.
Space Select the highlighted option—equivalent to clicking the mouse.
Escape
  • Release a drop-down menu
  • Exit an editable cell or field
  • Close a window
Arrow keys
  • Highlight the next list item or menu option in the indicated direction. For example, the down arrow highlights the next item down in a menu; the right arrow highlights an item in the menu to the right.
  • In a tree hierarchy, the right arrow expands a node; the left arrow collapses it.
Tab
  • In a view, highlight the next item in the tab order. (Tab order progresses through the accessible fields in a left-to-right, top-to-bottom fashion, starting at the upper left.)
  • In a two-pane view, jump from the tree hierarchy in the left pane to the right pane.
  • In a view that includes a table or grid display, press Tab twice to highlight the table, then press the down-arrow to enter it.
Shift-Tab
  • In a view, highlight the previous item in the tab order.
  • In a two-pane view, jump from the right pane back to the tree hierarchy in the left pane.
Home Highlight the first item in the active view (or the active section of a view), for example the first row in a table.
End Highlight the last item in the active view (or the active section of a view), for example the last row in a table.
In the SCC menu bar, View > Select > <your view> Select an open view and bring it to the front.
Ctrl-Alt Arrow key Move the selected view in the indicated direction.
Ctrl-Alt + Increase the size of displayed text.
Ctrl-Alt - Decrease the size of displayed text.
F11 Enable or disable the browser’s full-screen mode.
In the SCC menu bar, Application > Display > Full Screen Enable or disable Sybase Control Center’s full-screen mode.

Sybase Control Center is built on Adobe Flex. For complete information about Adobe Flex keyboard shortcuts, see http://livedocs.adobe.com/flex/3/html/help.html?content=accessible_5.html.

SCC for Sybase IQ Help: Configuring Memory Usage

In the first row of the table in Get Started > Launching Sybase Control Center > Configuring Memory Usage, all four occurrences of 2GB have changed to 4GB. This change is not present in the 3.2.6 version of the online help.

SCC for Sybase IQ Help: Logging in to Sybase Control Center

The following has been added to the Get Started > Logging in to Sybase Control Center topic, but is not present in the SCC for Sybase IQ online help:

Only one login session per account is permitted at a time; multiple users cannot be logged in to the same account simultaneously.

Note: When logging in to a newly installed Sybase Control Center for which secure authentication has not been configured, use the sccadmin account—the password is set during installation. For more information, see the Sybase Control Center Installation Guide.

SCC for Sybase IQ Help: Security

Several changes to the Get Started > Setting Up Security > Security topic are not present in the SCC for Sybase IQ online help:
  • File name changes:
    • roles-map.xml changed to role-mapping.xml
    • csi.properties changed to csi_config.xml
  • The simple login module has been replaced by the preconfigured user login module:

    Preconfigured user login – defines a user name, password, and a list of roles. The default user name is sccadmin; its password is configured during installation and its native role is SCC Administrator, which maps to sccAdminRole. You can create additional accounts by adding preconfigured user login modules to csi_config.xml. However, Sybase does not recommend the use of preconfigured user login modules for authentication in production environments.

  • The last sentence of the NT proxy login module description has been replaced with this:

    Windows authentication is enabled by default, but it requires some configuration after an upgrade from SCC 3.2.5 or earlier.

SCC for Sybase IQ Help: Configuring Authentication for Windows

The Get Started > Setting Up Security > Configuring Authentication for Windows task is now optional and has been updated, but the updates are not present in the SCC for Sybase IQ online help. It reads as follows:

Authentication through the Windows operating system is enabled by default. Configuration is required only if you have upgraded from an older version of Sybase Control Center and no longer want to use the older version’s authentication settings; if you do not want to use Windows for authentication; or if you want to create login accounts manually. Sybase recommends that you allow SCC to create accounts automatically.

This task is optional. However, if you choose not to create Sybase Control Center accounts automatically, you must enter them manually. Even when SCC users authenticate through LDAP or the local operating system, SCC needs the accounts for purposes of setting authorization (user privileges).
  1. Log in to Sybase Control Center using an account with administrative privileges. (The login account or its group must have sccAdminRole.)
  2. Select Application > Administration > Security.
  3. Click to select or deselect the box labeled Automatically add SCC login records for authenticated logins.
  4. Click to select or deselect the box labeled Automatically grant sccUserRole to newly created logins.
  5. Click OK to close the Security dialog.

Next

There are two next steps:
  • If you opted not to automatically create Sybase Control Center login accounts, enter each account into Sybase Control Center manually.
  • Grant privileges to login accounts that require more than basic user access. You can grant privileges by assigning Sybase Control Center roles directly to the login accounts, or by assigning the login accounts to groups and mapping Sybase Control Center roles to the groups. The group approach is generally more efficient.

SCC for Sybase IQ Help: Configuring a Pluggable Authentication Module (PAM) for UNIX

The Get Started > Setting Up Security > Configuring a Pluggable Authentication Module (PAM) for UNIX task has been updated, but the updates are not present in the SCC for Sybase IQ online help. It now reads as follows:

Set up Sybase Control Center to support username and password login using accounts on the UNIX operating system.
  1. Using a login account with root privileges, configure the pluggable authentication module for your platform:
    Platform Action
    Solaris Append the contents of the <SCC-install-dir>/utility/<sunos>/pam.conf file (provided with Sybase Control Center) to the /etc/pam.conf file on your Solaris platform.
    Linux Copy the <SCC-install-dir>/utility/<linux>/sybase-csi file (provided with Sybase Control Center) to the /etc/pam.d directory on your Linux platform.
    Note: The sybase-csi file provided with Sybase Control Center is not compatible with the most recent SUSE Linux versions. For SUSE 11 and later, see the example at the end of this topic.
    Note: In the table above, the portion of the path that indicates the operating system might differ slightly from what is shown.
  2. If the host UNIX system is not using a directory lookup for authentication (yp or NIS, for example) and authentication is carried out against the local /etc/passwd file, change the permissions on /etc/shadow to provide read access to the login account that executes SCC.
  3. (Skip if you configured a PAM before starting Sybase Control Center) Restart Sybase Control Center.
  4. (Optional) Change account creation options.
    1. Log in to Sybase Control Center using an account with administrative privileges (sccAdminRole).
    2. Select Application > Administration > Security.
    3. Click to select or deselect the box labeled Automatically add SCC login records for authenticated logins. (By default, this option is enabled for SCC 3.2.6 and later.)
    4. Click to select or deselect the box labeled Automatically grant sccUserRole to newly created logins. (By default, this option is enabled for SCC 3.2.6 and later.)
    5. Click OK to close the Security dialog.

Example: PAM for SUSE Linux 11 and Later

For SUSE 11 and later, do not use the sybase-csi file provided with Sybase Control Center. Instead, in your /etc/pam.d directory, create a sybase-csi file that contains: 
# sybase-csi PAM Configuration (SUSE style)
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session

Next

There are two next steps:
  • If you opted not to automatically create Sybase Control Center login accounts, enter each account into Sybase Control Center manually. Sybase Control Center needs the accounts for purposes of setting authorization (user privileges).
  • Grant privileges to login accounts that require more than basic user access. You can grant privileges by assigning Sybase Control Center roles directly to the login accounts, or by assigning the login accounts to groups and mapping Sybase Control Center roles to the groups. The group approach is generally more efficient.

SCC for Sybase IQ Help: Configuring an LDAP Authentication Module

Updates to the Get Started > Setting Up Security > Configuring an LDAP Authentication Module task are not present in the SCC for Sybase IQ online help. The task now reads as follows:

Configure an LDAP authentication module for Sybase Control Center by editing the security configuration file to point to the correct LDAP server.
  1. Open the <SCC-install-dir>\conf\csi_config.xml file.
  2. Uncomment the LDAP module in the configuration file by removing the surrounding <!-- and --> characters (or, if necessary, add an LDAP module to the file). The sample module below specifies the LDAP server that will provide user authentication.

    The sample module shows the properties used for an OpenDS LDAP server. See the example at the end of this task for values that work for ActiveDirectory. Configuration properties you can use in the LDAP module are described in a subtopic.

    <authenticationProvider controlFlag="sufficient" name="com.sybase.security.ldap.LDAPLoginModule">
    <options name="BindDN" value="cn=Directory Manager"/>
    <options name="BindPassword" value="secret"/>
    <options name="DefaultSearchBase" value="dc=example,dc=com"/>
        <options name="ProviderURL" value="ldap://localhost:10389"/>
       
    <options name="ServerType" value="openldap"/>

</authenticationProvider>
<provider name="com.sybase.security.ldap.LDAPAttributer" type="attributer"/>
    Note: Change only values shown in bold. If BindPassword is encrypted (which Sybase recommends), the line that defines it must include encrypted="true". The line should look similar to this: 
    <options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
  3. Save the file.
  4. If your LDAP server’s SSL certificate is signed by a nonstandard certificate authority (for example, if it is a self-signed certificate), use the keytool utility to configure your JVM or JDK to trust the certificate. Execute a command similar to this:

    Windows:

    keytool -import -keystore %SYBASE_JRE7%\lib\security\cacerts -file 
<your cert file and path> -alias ldapcert -storepass changeit

    UNIX:

    keytool -import -keystore $SYBASE_JRE7/lib/security/cacerts -file 
<your cert file and path> -alias ldapcert -storepass changeit

LDAP Configuration Values for ActiveDirectory

For an ActiveDirectory server, use these values for configuration properties in your LDAP login module: 
 
ServerType: msad2K
DefaultSearchBase: dc=<domainname>,dc=<tld> or o=<company name>,c=<country code>
                E.g. dc=sybase,dc=com or o=Sybase,c=us
ProviderUrl: ldaps://<hostname>:<port>
                E.g.:  ldaps://myserver:636
AuthenticationFilter: (&amp;(userPrincipalName={uid}) (objectclass=user))
BindDN: <User with read capability for all users>
BindPassword: <Password for BindDN user>
RoleFilter: (|(objectclass=groupofnames) (objectclass=group))
controlFlag: sufficient

Next

Map Sybase Control Center roles to LDAP groups.

SCC for Sybase IQ Help: LDAP Configuration Properties

Several changes to the Get Started > Setting Up Security > Configuring an LDAP Authentication Module > LDAP Configuration Properties task are not present in the SCC for Sybase IQ online help:
  • The first paragraph now reads as follows:

    Use these properties in your csi_config.xml file to control your LDAP service.

  • The AuthenticationFilter table row (row 6) now reads as follows:
    Property Default Value Description
    AuthenticationFilter For most LDAP servers: (&amp;(uid={uid})(objectclass=person))

    or

    For Active Directory email lookups: (&amp;(userPrincipalName={uid}) (objectclass=user)) [ActiveDirectory]

    For Active Directory Windows username lookups: (&amp;(sAMAccountName={uid})(objectclass=user))

    		The filter to use when looking up the user.

    When performing a username based lookup, this filter is used to determine the LDAP entry that matches the supplied username.

    The string "{uid}" in the filter is replaced with the supplied username.

  • The BindPassword table row (row 10) now reads as follows:
    Property Default Value Description
    BindPassword none

    BindPassword is the password for BindDN, which is used to authenticate any user. BindDN and BindPassword are used to separate the LDAP connection into units.

    The AuthenticationMethod property determines the bind method used for this initial connection.

    Sybase recommends encrypting passwords and provides a password encryption utility for the purpose. If you encrypt BindPassword, include encrypted=true in the line that sets the option. For example: 
    <options name="BindPassword" encrypted="true" value="1snjikfwregfqr43hu5io..."/>
    If you do not encrypt BindPassword, the option might look like this: 
    <options name="BindPassword" value="s3cr3T"/>
  • The RoleFilter table row (row 12) now reads as follows:
    Property Default Value Description
    RoleFilter For SunONE/iPlanet: (&amp;(objectclass=ldapsubentry) (objectclass=nsroledefinition))

    For Netscape Directory Server: (objectclass=groupofnames) (objectclass=groupofuniquenames))

    For ActiveDirectory: (objectclass=groupofnames) (objectclass=group))

    		The role search filter. This filter should, when combined with the role search base and role scope, return a complete list of roles within the LDAP server. There are several default values depending on the chosen server type. If the server type is not chosen or this property is not initialized, no roles are available.

SCC for Sybase IQ Help: Setting Up Roles and Passwords

The topic Get Started > Setting Up Security > Configuring an LDAP Authentication Module > Setting Up Roles and Passwords has been removed, but is still present in the SCC for Sybase IQ online help. Disregard it.

SCC for Sybase IQ Help: Mapping Sybase Control Center Roles to LDAP or OS Groups

Updates to the Get Started > Setting Up Security > Mapping Sybase Control Center Roles to LDAP or OS Groups task are not present in the SCC for Sybase IQ online help. The task now reads as follows:

To grant Sybase Control Center privileges to users who are authenticated through LDAP or the operating system, associate roles used in Sybase Control Center with groups in LDAP or the operating system.

Prerequisites
  • Required: Configure an LDAP authentication module.
  • Optional: Create these LDAP groups and assign Sybase Control Center users to them:
    • sybase – confers sccUserRole. Assign all SCC users to the sybase group.
    • SCC Administrator – confers sccAdminRole. Assign only SCC administrators to this group.

Task

You can configure Sybase Control Center to enable users to authenticate through their local operating system or through an LDAP server. To make this type of authentication work, SCC roles must be mapped to groups that exist in the system providing authentication (LDAP or the operating system).

The sybase and SCC Administrator groups are convenient because they are predefined in role-mapping.xml. If you add sybase and SCC Administrator groups to your LDAP system and populate them with SCC users and administrators, you can skip to the next task—you do not need to complete the steps below.

The table lists default mappings of LDAP and OS groups to SCC roles. Login modules are defined in csi_config.xml.

Login Module OS Group Sybase Control Center Roles
UNIX Proxy root uaAnonymous, uaAgentAdmin, uaOSAdmin
sybase uaAnonymous, uaPluginAdmin, sccUserRole
user uaAnonymous
guest uaAnonymous
NT Proxy Administrators uaAnonymous, uaAgentAdmin, uaOSAdmin
sybase uaAnonymous, uaPluginAdmin, sccUserRole
Users uaAnonymous
Guests uaAnonymous
LDAP sybase uaAnonymous, uaPluginAdmin, sccUserRole
SCC Administrator uaAnonymous, sccAdminRole
There are two ways to accomplish the mapping:
  • (Recommended) Add a “sybase” group and an “SCC Administrator” group to the operating system or LDAP server Sybase Control Center is using to authenticate users, and add all users who need to access Sybase Control Center to one or both groups.
  • Configure Sybase Control Center to use existing groups in LDAP or the operating system by editing the role-mapping.xml file. This option is described here.
  1. If Sybase Control Center is running, shut it down.
  2. In a text editor, open:

    <SCC-install-directory>/conf/role-mapping.xml

  3. Locate the sccUserRole section of the file: 
    <Mapping>
    <LogicalName>sccUserRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>SCC Agent Administrator</MappedName>
    <MappedName>sybase</MappedName>
</Mapping>
  4. Add a MappedName line for the LDAP or OS group you are using to authenticate SCC users. The sccUserRole section should look similar to this: 
    <Mapping>
    <LogicalName>sccUserRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>SCC Agent Administrator</MappedName>
    <MappedName>sybase</MappedName>
    <MappedName>my_SCC_group</MappedName>
</Mapping>
  5. Locate the sccAdminRole section of the file: 
    <Mapping>
    <LogicalName>sccAdminRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
</Mapping>
  6. Add a MappedName line for the LDAP or OS group you are using to authenticate SCC administrators. The sccAdminRole section should look similar to this: 
    <Mapping>
    <LogicalName>sccAdminRole</LogicalName>
    <MappedName>SCC Administrator</MappedName>
    <MappedName>my_SCC_admin_group</MappedName>
</Mapping>
  7. Save the file and exit.
  8. (LDAP only) Ensure that the roles defined in the LDAP repository match the roles defined in role-mapping.xml.
  9. In the <SCC-install-dir>\conf\csi_config.xml file, set the BindPassword and ProviderURL properties with values used in your deployment.

    In the <SCC-install-dir>\conf\csi_config.xml file, set the BindPassword and ProviderURL properties with values used in your deployment.

  10. Start Sybase Control Center.

SCC for Sybase IQ Help: Encrypting a Password

Several changes to the Get Started > Setting Up Security > Encrypting a Password topic are not present in the SCC for Sybase IQ online help:
  • In the second paragraph, “properties file” has changed to “configuration file.”
  • The third paragraph now reads as follows:

    passencrypt, which is located in the Sybase Control Center bin directory, uses the SHA-256 hash algorithm for passwords used in the PreConfiguredLoginModule in csi_config.xml.

  • In step 2, the -csi option has been added to the passencrypt command:

    To encrypt a password, enter passencrypt -csi.

SCC for Sybase IQ Help: Adding a Login Account to the System

There are two changes to the Get Started > User Authorization > Adding a Login Account to the System topic in the online help:
  • The first note (before step 1) now reads as follows:
    Note: Sybase does not recommend that you manually create a native login account for every Sybase Control Center user. It is more efficient to configure Sybase Control Center to authenticate users through their user accounts in LDAP or the operating system. When you do that, SCC automatically creates a native account for every authenticated user.
  • The second note (after step 9) has been removed from the online help.

SCC for Sybase IQ Help: Logins, Roles, and Groups

Updates to the Get Started > User Authorization > Logins, Roles, and Groups task are not present in the SCC for Sybase IQ online help. The task now reads as follows:

Sybase Control Center includes predefined login accounts and roles.

A login account identifies a user who can connect to Sybase Control Center. An account has roles that control the tasks the user is allowed to perform. Users can be authenticated through native SCC accounts, but a safer approach is to delegate authentication to the operating system or to an LDAP directory service.

Sybase Control Center comes with a predefined login account. Sybase recommends using the predefined account only for installing and setting up Sybase Control Center. This account is not intended for use in a production environment.
Predefined Login Account
Login Name Description
sccadmin Can use all the administration features in Sybase Control Center. Use for configuration and test.

A role is a predefined profile that can be assigned to a login account or a group. Roles control the access rights for login accounts. Sybase Control Center comes with predefined roles that are intended for use in production environments.

Predefined roles
Role Description
sccUserRole Provides nonadministrative access to Sybase Control Center. Required for all users and assigned automatically to every authenticated user.
sccAdminRole Provides administrative privileges for managing Sybase Control Center.

Monitoring privileges for SCC product modules are assigned automatically.

A group is made up of one or more login accounts; all the accounts in a group have the roles granted to the group. In Sybase Control Center you can create groups to suit your business requirements.

SCC for Sybase IQ Help: Setting Up Statistics Collection

This new paragraph has been added after the note in step 11 of the topic Configure > Setting Up Statistics Collection, but it is not present in the SCC for Sybase IQ online help:

You cannot change the duration of a schedule (the once/repetitively/until setting) after you create it. To change the schedule duration, delete and recreate the schedule.

SCC for Sybase IQ Help: Viewing or Deleting a Schedule

This new topic is not present in the SCC for Sybase IQ online help:

Manage and Monitor > Manage Sybase Control Center > Job Scheduling > Viewing or Deleting a Schedule

Display schedule details or remove a schedule from a data collection job.

  1. In the Perspective Resources view, select the resource associated with the job and select Resource > Properties.
  2. Select Collection Jobs.
  3. To display the schedules for a collection job, expand the job by clicking the arrow to the left of the job’s name. If there is no arrow to the left of the job’s name, this job has no schedules.
  4. Select a schedule. The name, description, start and end dates, and repeat interval appear on the Schedule tab.
  5. (Optional) To remove the selected schedule, click Delete.
  6. Click OK.

Alert Reference: SCC for Sybase IQ

This information was omitted from the online help for Sybase Control Center for Sybase IQ.

Data collection names are missing from the online help topic Configure > Creating an Alert > Sybase IQ Alerts, Collections, and KPIs. Alerts are based on key performance indicators (KPIs). For a listing of the KPIs in each data collection, consult the table in the online help at Configure > Setting Up Statistics Collection > Sybase IQ Data Collections. CR #683329-3.

Troubleshooting Sybase IQ Multiplex Login Authentication

This information was omitted from the online help for Sybase Control Center for Sybase IQ.

You must authenticate a multiplex resource monitored by SCC using a shared login account that has access to all nodes in the multiplex. If you try to authenticate with SCC using a login that does not have access to all nodes, you see a security error: Connection disallowed by login policy for this user. CR #653603.

Sybase IQ Configuration File Editor

This information was omitted from the online help for Sybase Control Center for Sybase IQ.

For Sybase IQ servers, you can select Edit Configuration File in the Administration Console. The Configuration File Editor opens and reads the params.cfg file, if one exists in the same directory as the database file, and populates the fields in the editor with the configuration parameters from params.cfg. The Configuration File Editor writes your changes to the params.cfg file when you click OK.

If no params.cfg file exists in the database directory, the Configuration File Editor opens with no parameters shown in fields, and writes a new params.cfg file to the database directory when you click OK.

The Configuration File Editor cannot currently open user configuration files stored in a location other than the database directory, or named something other than params.cfg. CR #647826

Sybase IQ Default Data Collections

This information was omitted from the online help shipped with Sybase Control Center for Sybase IQ, but is included in the help on the Product Documentation Web site.

The following was added to Sybase Control Center for Sybase IQ > Configure > Setting up Statistics Collection > Sybase IQ Data Collections.

Sybase strongly recommends you always keep the default collections running: the Availability Collection in simplex, and the Multiplex Availability Collection in multiplex. CR #684685.

Request Logging for Sybase IQ Server Properties

Certain request logging options must be specified together. For a complete explanation, see SQL Anywhere Server - SQL Reference > System procedures > Alphabetical list of system procedures > sa_server_option_system procedure. CR #653592.

The sccinstance -host Option

The sccinstance -host option was omitted from the topic Get Started > Deploying an Instance from a Shared Disk Installation > sccinstance Command in some Sybase Control Center online help modules.

This optional flag specifies the host where the instance executes; you need it only when the instance name does not match the host name. Use -host with -create. CR #685883.

Launching the Administration Console

Some topics in the online help do not give the steps for launching the Administration Console that are best suited to the task described. The Administration Console can display information for a single resource, for a group of resources, or for all resources in the current perspective.
  • To populate the Administration Console with information on one or more resources: in the Perspective Resources view, select the resources and select Resource > Administration Console. This method is fastest.
  • To populate the Administration Console with information on all the resources in the current perspective: from the main menu bar, select View > Open > Administration Console. If you are monitoring a large number of resources, the Administration Console may take a few minutes to load. CR #668582.