Configuring TOS

Overview

Various TOS Aurora settings can be configured using the TOS CLI. This topic covers some of the more common settings that can be configured with tos config to suit the needs of your organization.

All commands must be run on the primary data node as a user with root privileges.

The VMC on AWS URLs, Time Zone, Web Session Inactivity Timeout, and Web Session Maximum Duration configurations involve restarting services, which may take several minutes; some TOS functions may be unavailable until the restart completes successfully.

Avoid New Lines in TOS Aurora Logs

Controls whether a new line is written for each entry in the TOS Aurora logs.

  • Values: 

    false - write a new line for each log entry

    true - do not write a new line for each log entry

  • Default: false.

Get the Current Value for Avoid New Lines in Logs

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p logging.avoidNewLines

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set Avoid New Lines in Logs

[<ADMIN> ~]# tos config set -p logging.avoidNewLines=<TRUE-FALSE>

where <TRUE-FALSE> is true or false.

Example

# tos config set -p logging.avoidNewLines=true

Certificate Countdown to Expiry

Set the number of days ahead of central/remote collector cluster certificate expiry at which the certificate is renewed.

  • Values: 32-394 (days)

  • Default: 32 (days)

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.renew.expiryIsLessThanInDays

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -p secure.channel.certificate.renew.expiryIsLessThanInDays=<DAYS>

where <DAYS> is the number of days ahead of the certificate expiry date that the certificate will automatically be renewed.

Example

# tos config set -p secure.channel.certificate.renew.expiryIsLessThanInDays=45

Certificate Expiry Check Time

Set the time at which to check central/remote collector cluster certificate expiry.

  • Values: Any valid spring-based cron format

  • Default: 0 30 04 ? * SAT

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.cron

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -p secure.channel.certificate.cron=<SPRINGCRON>

where <SPRINGCRON> is any valid spring-based cron expression, e.g. 0 0 9-17 * * MON-FRI (on the hour, nine to five, on weekdays). Because the expression contains spaces, quote it so the shell passes it as a single argument.

Example

# tos config set -p secure.channel.certificate.cron="0 0 9-17 * * MON-FRI"

Certificate Validity Period

Set the period for which automatically renewed central/remote collector cluster certificates will be valid.

  • Values: 31-395 (days)

  • Default: 395 (days)

Get the Current Value

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p secure.channel.certificate.renew.expiry

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set a New Value

[<ADMIN> ~]# tos config set -p secure.channel.certificate.renew.expiry=<DAYS>

where <DAYS> is the number of days that the certificate will remain valid.

Example

# tos config set -p secure.channel.certificate.renew.expiry=60

SNMP Inbound Monitoring

SNMPv2 get/walk requests are received on port 161. Listening on this port is disabled by default.

  • Values: 

    false - do not listen at port 161

    true - listen at port 161

  • Default: false

Get the Current Value for SNMP Inbound Monitoring

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p snmp.inboundMonitoringEnabled

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set SNMP Inbound Monitoring

[<ADMIN> ~]# tos config set -p snmp.inboundMonitoringEnabled=<TRUE-FALSE> -s monitor-tower

where <TRUE-FALSE> is true or false.

Example

# tos config set -p snmp.inboundMonitoringEnabled=true -s monitor-tower

The TOS Aurora Time Zone

TOS Aurora has its own time zone, which is independent of the time zone of the host server.

  • Values: Area only, area/location, and some abbreviations, as they appear in the tz database. For the complete list, see the 'TZ identifier' column in the Wikipedia list of tz database time zones.

  • Default: Taken from the server at installation time.

Get the Current TOS Aurora Time Zone

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p server.timezone

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set the TOS Aurora Time Zone

[<ADMIN> ~]# tos config set -p server.timezone=<TIMEZONE>

where <TIMEZONE> is the appropriate time zone.

Example

# tos config set -p server.timezone=Europe/Berlin

If you want to change the date or time, see Changing the Time and Date.

VMC on AWS Private URLs

By default, TOS uses a public URL to monitor VMC on AWS. Starting from R24-2 PHF1.0.0, you can change this to a private URL. The selected URL mode applies to all devices monitored by TOS.

Private URL example:

https://demo-environment.vmwarevmc.com/policy/api/v1/

Public URL example:

https://demo-environment.vmwarevmc.com/vmc/reverse-proxy/api/orgs/eaec1ad1-dbc2-4495-86d1-30aaaef62faf/sddcs/9ccfbb09-48f4-4480-9753-e6389b84cbf1/sks-nsxt-manager/policy/api/v1/

Set Private URL

  • Run the following command:

    tos config set -p NSX.VMC.ENDPOINT.MODE=private

Set Public URL

  • Run the following command:

    tos config set -p NSX.VMC.ENDPOINT.MODE=public

Web Session Inactivity Timeout

The period of inactivity that will cause a user session to expire and force the user to log in again.

  • Values: Integer + m/h/d; e.g. 90m, 24h, 2d

  • Default: 30m

Get the Current Maximum Inactivity Timeout

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p web.session.inactivityTimeout

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set the Maximum Inactivity Timeout

[<ADMIN> ~]# tos config set -p web.session.inactivityTimeout=<INT><PERIOD>

where

  • <INT> is an integer.

  • <PERIOD> is the time period - m, h or d for minutes, hours or days respectively.

Example

# tos config set -p web.session.inactivityTimeout=90m

Maximum Web Session Duration

The time after which the user will be prompted to log in again, even if active.

  • Values: Integer + m/h/d; e.g. 90m, 24h, 2d

  • Default: 12h

Get the Maximum Duration

A value will only be returned if you have previously used tos config set to set this parameter.

[<ADMIN> ~]# tos config get -p web.session.maxDuration

If you have previously set this parameter using tos config set, the output will list its value. If the parameter exists in more than one TOS Aurora service, all will appear.

Set the Maximum Duration

[<ADMIN> ~]# tos config set -p web.session.maxDuration=<INT><PERIOD>

where

  • <INT> is an integer.

  • <PERIOD> is the time period - m, h or d for minutes, hours or days respectively.

Example

# tos config set -p web.session.maxDuration=8h
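As an added example that is not part of the TOS documentation or product, the following POSIX shell script validates the certificate renewal values (Certificate Countdown to Expiry, Certificate Validity Period) and the web session values (Web Session Inactivity Timeout, Maximum Web Session Duration) before passing them to tos config set. The documented ranges and the <INT><PERIOD> syntax are taken from this page; the cross-checks between paired values (renewal lead time shorter than validity, inactivity timeout not longer than maximum duration) are this example's own sanity rules, not documented TOS constraints.

```shell
#!/bin/sh
# Constructed pre-flight checks for the values this page documents.
# Not part of TOS; the ranges and the <INT><PERIOD> syntax come from the
# page, the cross-checks (lead < validity, inactivity <= max duration)
# are this example's own sanity rules.

# True when $1 is an integer within [$2, $3].
days_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Convert <INT><PERIOD> (m/h/d) to minutes; prints the number, fails on bad syntax.
period_to_minutes() {
    n=${1%?}; u=${1#"$n"}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$u" in
        m) echo "$n" ;;
        h) echo $((n * 60)) ;;
        d) echo $((n * 1440)) ;;
        *) return 1 ;;
    esac
}

# Certificate renew lead time (32-394) and validity period (31-395),
# with the lead time required to be shorter than the validity period.
check_cert_settings() {
    days_in_range "$1" 32 394 || return 1
    days_in_range "$2" 31 395 || return 1
    [ "$1" -lt "$2" ]
}

# Web session inactivity timeout must not exceed the maximum session duration.
check_session_settings() {
    i=$(period_to_minutes "$1") || return 1
    m=$(period_to_minutes "$2") || return 1
    [ "$i" -le "$m" ]
}

# Print the command instead of running it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Validate first, then apply both certificate values with tos config set.
apply_cert_settings() {
    check_cert_settings "$1" "$2" || { echo "rejected: lead=$1 validity=$2" >&2; return 1; }
    run tos config set -p "secure.channel.certificate.renew.expiryIsLessThanInDays=$1"
    run tos config set -p "secure.channel.certificate.renew.expiry=$2"
}
```

Run with DRY_RUN=1 on a workstation to see the commands that would be issued; without it, the script must run on the primary data node as root, as the page requires for all tos config commands.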

Configure Sending TOS Monitoring Data to Tufin

Disable Sending TOS Monitoring Events

tos config set -p tos.mailbox.enabled=false

Enable Sending TOS Monitoring Events

tos config reset -p tos.mailbox.enabled

Set Frequency for Sending TOS Monitoring Data

The default frequency is once every 30 seconds. To change the frequency, use the following command:

tos config set -s tos-ui -p tos.mailbox.poll.next.interval=<INTERVAL>

where <INTERVAL> is a Duration value between 10 seconds and 10 minutes, for example 15s or 5m.