User Guide

Asset Management

Concepts

The Asset Management Module allows to keep an inventory of a company’s IT infrastructure. NetEye 4 integrates two different solutions to provide this functionality: the server part of the Open Source Software OCS Inventory and GLPI.

To install the Asset Management module, follow the guide for installing additional modules; the Asset menu item will then appear in the left side navigation menu.

OCS Inventory

By deploying agents on each of the company’s devices, that send data to the server on NetEye, with the Asset Management Module it will be possible not only to keep the infrastructure’s inventory updated, but thanks to the REST API and the SNMP support it will be easy to interact with the devices and monitor them.

Currently, OCS inventory is integrated in the NeyEye GUI; during the setup process two users will be created:

  • root is used to access the OCS Inventory’s GUI; here additional users can be created if necessary.

  • agent is used to authenticate the OCS inventory agents, since basic authentication is required for OCS inventory agents to access the OCS inventory server. Note that these tasks can not be excuted as root. The corresponding password is contained in file /root/.pwd_ocsinventory_server_agent

OCS can be directly accessed from the NetEye GUI (within the Asset Management menu) using Single Sign On, if the logged user has permissions to access OCS (see below). Upon the first access to OCS from a user, that user will be created inside OCS with OCS permissions initialized.

Note

If the user logs out from NetEye, its active OCS session will be closed automatically and it will be redirected to the NetEye login page.

The official, full documentation for OCS inventory is available directly from within its interface.

GLPI

GLPI helps you planning and managing IT changes in an easy way, solving problems efficiently, automating business processes and gaining control over the IT infrastructure. GLPI provides advanced features for inventory, asset and mobile devices management.

GLPI can be directly accessed from the NetEye GUI (within the Asset Management menu) using Single Sign On, if the logged user has permissions to access GLPI (see below). Upon the first access to GLPI from a user, that user will be created inside GLPI with GLPI permissions initialized.

The official, full documentation for GLPI is available directly from within its interface.

Note

If the user logs out from NetEye, its active GLPI session will be closed automatically and it will be redirected to the NetEye login page.

Interaction between OCS and GLPI

During NetEye Asset group installation the GLPI’s plugin OCS Inventory NG will be automatically installed and set up.

This plugin allows the automatic synchronization between OCS Inventory NG and GLPI solutions. It replaces the OCS native mode of GLPI and use the plugin massocsimport functionality to provide better compatibility and scalability with OCS.

OCSInventory-NG import is performed using scripts (PHP or Shell) that automate synchronisation of computers. A graphical interface displays the list of defined scripts and all the related data.

Note

GLPI does not import new computers added to the infrastructure, therefore a script based on a systemd timer runs daily to ensure that the data about new computers is stored in GLPI.

During the plugin setup the default NetEye OCS Server will be automatically added to the plugin’s servers list. This server will be pre-configured with default synchronization settings and will point to the current OCS Inventory installation.

You can customize the plugin setting directly from within the GLPI’s GUI: Home ‣ Tools ‣ OCS Inventory NG in the main page of the plugin you can click on OCSNG server: NetEye OCS Server.

Configuration

OCS Permissions

Users who wants to access the OCS from the NetEye GUI will need special permissions. To grant these permissions to users, you need to create a role (go under Configuration > Authentication > Roles) with a suitable permissions/restrictions (like e.g., profile) over the Assetmanagement module.

The OCS profile of users must be mapped correctly in the NetEye (Configuration > Authentication > Roles) to persist across login/logout.

Each NetEye role corresponds to a unique OCS profile. If a user belongs to more than one NetEye role which is assigned to more than one OCS Profile, she/he must be assigned to a single profile by following order:

  • sadmin

  • admin

  • ladmin

  • other profiles (alphabetical order)

All profiles must be manually created, before users login, for having a success permission synchronization. The only exceptions to this are the default OCS profiles. If the profile does not exist for the users in OCS, then he will redirect to the NetEye.

The OCS tags is a comma separated list of OCS computers tags that the users with this role are allowed to see. If left empty, which is the default, the user has access to all the tags. This restriction is considered only if the OCS Profile has the computers limitation enabled.

Note that if you need to investigate on what happens during the permissions synchronization (e.g. for debugging purposes), you can have a look at the following logfile, in which are logged all the actions performed during the process:

/neteye/shared/ocsinventory-ocsreports/log/logs/ocsinventory-ocsreports.log

Special Cases

There exist two special cases, with pre-defined profile:

  • NetEye users with Administrative Access

  • NetEye users with Full Module Access for the Assetmanagement

Both cases correspond to users with sadmin profile.

Note

For any reason, the user must not rename/remove the OCS sadmin profile and also, if he renamed the admin and ladmin profiles than they will be considered as normal profiles (alphabetical order)

Usage of SSL Certificates with OCSInventory NG

The security standards of NetEye disallow all insecure communication over public channels. This affects also the deployment of OCS Inventory Agents on all operating systems.

You can follow the Official Deployment Strategy and use the OCS Inventory NG Packager for deploying the Agents into your infrastructure. This section explains you how to find the server certificate needed by OCS Packager, which is also the certificate used by NetEye for all HTTPS communication and is usually signed by your company’s Certificate Authority.

You can find the correct path to your certificate in the file /etc/httpd/conf.d/ssl.conf and identify the line containing SSLCertificateFile (e.g. SSLCertificateFile /neteye/shared/httpd/conf/tls/certs/neteye.example.com.crt )

Since OCS Inventory Agents expect a cacert.pem file in PEM format, should you have a certificate in crt format, as in the above case, you can convert the file using the following command:

openssl x509 -in /neteye/shared/httpd/conf/tls/certs/neteye.example.com.crt -out cacert.pem

Replace the /neteye/shared/httpd/conf/tls/certs/neteye.example.com.crt file name with the one you found as SSLCertificateFile.

GLPI Permissions

Users who wants to access the GLPI from the NetEye GUI will need special permissions. To grant these permissions to users, you need to create a role (go under Configuration > Authentication > Roles) with a suitable permission (like e.g., recursive) and restrictions (like e.g., profile and entity) over the Assetmanagement module.

The GLPI profile/entities of users must be mapped correctly in the NetEye (Configuration > Authentication > Roles) to persist across login/logout otherwise the GLPI profile/entity will be lost as soon as the user logged out from NetEye.

Each NetEye role corresponds to a unique combination of GLPI recursive-profile-entity. For example, if a user belongs to more than one entity, or has different profile inside GLPI, he should belong to multiple NetEye roles.

All entities and profiles must be manually created, before users login, for having a success permission synchronization. The only exceptions to this are the Root entity and the default GLPI profiles. If the profile/entities does not exist for the users in GLPI, then nothing will happen.

Note that if you need to investigate on what happens during the permissions synchronization (e.g. for debugging purposes), you can have a look at the following logfile, in which are logged all the actions performed during the permissions synchronization:

/neteye/shared/glpi/data/_log/glpi-plugin-icingaweb2sso.log

Special Cases

There exist two special cases, with pre-defined triple recursive-profile-entity:

  • NetEye users with Administrative Access

  • NetEye users with Full Module Access for the Assetmanagement

Both cases correspond to users with Super-Admin recursive profile in the Root entity.

Note that for any reason you must not rename the GLPI Super-Admin profile and the Root entity.

GLPI Marketplace disabled

To guarantee the integrity of the NetEye ecosystem, we have decided to disable GLPI’s Marketplace feature. The users of GLPI will then be unable to use Marketplace.