Silent Configuration
The BVD configuration tool can be run in silent mode. In this mode, you modify the BVD settings in a configuration .conf file, then run the BVD configuration tool with the configuration file as input.
- Open a command prompt or shell.
- Log in as a user with administrator privileges (for example, root on Linux).
- Create a copy of the sample configuration .conf file:
Windows:
<BVD_Install_Dir>\BVD\bvdconfig_example.conf
Linux:
/opt/HP/BVD/bvdconfig_example.conf
- Modify the BVD settings in your copy of the configuration .conf file.
The configuration file contains settings for the database, the web server, the data receiver, TLS usage, license usage, the built-in administrator user, the LDAP configuration, and data aging.
Linux Only. NonRoot Parameters
Prerequisite
In a non-root environment, SELinux must be disabled on your system:
- Edit the configuration file:
/etc/selinux/config
- Disable SELinux:
SELINUX=disabled
- Save the file.
Specify the following parameters in the [NonRoot] section of the BVD configuration file to change the user account that is associated with BVD and associated processes.
Parameter Description
username
User account under which the processes will run. BVD will create the user account if it does not exist yet. Leave empty to run BVD under root user account.
group
Group account for the user under which BVD will run. BVD will create the group account if it does not exist yet. Leave empty to run BVD under root group account.
Database Parameters
Complete the following parameters in the [Database] section of the BVD configuration file to define how the database will be configured.
Note: Before connecting to an external PostgreSQL database, make sure the database is installed as required by BVD. For details, see Database Requirements.
Parameter Description
type
The type of database to be used:
postgres: for use with an external PostgreSQL database
internal: for use with the embedded PostgreSQL database
Default:
internal
host
External database only. The name of the host machine on which PostgreSQL is installed.
Default:
localhost for the embedded database
database
External database only. The name of a PostgreSQL database that already exists. The database name must not be postgres.
Default:
bvd for the embedded database
port
The PostgreSQL listening port.
Default:
5432
username
The name of a user that BVD uses to connect to and retrieve data from the BVD database. The user must have permissions to create tables in the database.
Default:
pg_user
password
The password of the user. This setting is empty by default.
adminuser
Embedded database only. The name of a user with administrative permissions on the embedded PostgreSQL database.
Default:
pg_admin
adminpassword
Embedded database only. The password of the administrative user. This setting is empty by default.
Web Server Parameters
Complete the following parameters in the [WebServer] section of the BVD configuration file to configure the web server.
Parameter Description
port
HTTP port of the web server.
Default:
80
usessl
Enables or disables TLS for the web server. If set to true, you must also specify the sslport parameter for the TLS port.
Note: HPE recommends enabling TLS and using a trusted certificate for both the web server and the receiver.
Default:
true
sslport
TLS port of the web server.
Default:
443
wsProcesses
Number of web server processes running in parallel. If this number exceeds the number of the machine's CPUs/cores, this setting will be ignored and the number of available CPUs/cores is used instead.
Default:
1
stickySessionHeader
Optional if BVD is configured with a load balancer or proxy. The name of the header that is used to get the IP address of the UI client system. If the specified header is not found, BVD uses the IP address of the TCP connection. This IP address is used to determine which process of the BVD web server handles all requests from a certain UI client (sticky session).
Default:
x-forwarded-for
loginDelay
The minimum time interval (in milliseconds) between a user's consecutive logins. Users cannot log in again until at least the specified login delay has elapsed since their last login.
Default:
2000
allowedLoginAttempts
Number of allowed login attempts before an error message is displayed. After the specified number of login attempts, the user profile will be locked for as long as specified in userLockOutTime.
Default:
5
userLockOutTime
The length of time (in seconds) for which a user is locked out of BVD if the number of allowed login attempts is exceeded.
Default:
900
Receiver Parameters
Complete the following parameters in the [Receiver] section of the BVD configuration file to configure the BVD data receiver.
Parameter Description
port
HTTP port of the data receiver.
Default:
12224
usessl
Enables or disables TLS for the receiver. If set to true, you must also specify the sslport parameter for the TLS port.
Note: HPE recommends enabling TLS and using a trusted certificate for both the web server and the receiver.
Default:
true
sslport
TLS port of the receiver.
Default:
12225
rcProcesses
Number of receiver processes running in parallel. If this number exceeds the number of the machine's CPUs/cores, this setting will be ignored and the number of available CPUs/cores is used instead.
Default:
1
TLS Parameters
You can configure the BVD web server, the BVD receiver, or both to support secure connections only.
Complete the following steps to configure BVD for TLS:
- Obtain a server certificate from your certificate authority (CA). Make sure the certificate is issued to the FQDN of your BVD server. BVD supports certificates in PEM or PFX format.
- Place the certificates in the file system on your BVD server and make sure the certificates are readable by the Windows SYSTEM user or, on Linux, by the user under whose account the BVD processes are running (default: root).
- In the [Web Server] and [Receiver] sections, enable TLS by setting usessl to true and specifying a sslport.
- Complete the following parameters in the [SSL] section of the BVD configuration file to define the TLS setup:
Parameter Description
certificate
Specify the file name of the certificate. The certificate must be an X.509 or CA certificate in PEM or PFX format.
Example:
certificate.pem
key
Private key of the certificate.
Example:
key.pem
pfx
Container file with the certificate, private key, and CA certificates, in PFX format.
Example:
certificate.pfx
passphrase
Optional. Passphrase used to encrypt the key or .pfx file.
License Parameter
Complete the following parameter in the [License] section of the BVD configuration file to configure the license.
For details on configuring licensing for BVD, see Licensing.
Parameter Description
file
File name and path to the license file containing the BVD license. Leave empty to use the 60-day evaluation license.
Administrator Parameters
One built-in super-admin user is defined for every installation of BVD. Complete the following parameters in the [Administrator] section of the configuration file to specify the account details:
Parameter Description
name
Login name of the built-in BVD super-admin.
The built-in super-admin is not listed among the users in user management. If you have logged in as the super-admin, you can change the user's information, including password and contact information, in the My Account page in the Personal User Settings menu.
Default:
admin
password
Password of the built-in super-admin. This setting is empty by default.
LDAP Parameters
Automatic user creation from LDAP servers and mapping groups in BVD simplifies the user management process for administrators as authentication is performed through the LDAP server.
For details on LDAP, permissions, and setup workflows, see LDAP Authentication and Mappings.
In order to configure the connection to the LDAP server silently, complete the following settings in the [LDAP] section of the configuration file:
Parameter Description
enabled
Set to true to enable LDAP authentication; set to false to disable LDAP authentication. (If the parameter is missing, LDAP is enabled and you must complete the following parameters.)
Default:
false
domain
Required. The LDAP domain used to uniquely identify the LDAP server connection.
Example:
If you specify emea, users will be able to log in to BVD in the format emea\janedoe.
Alternatively, users can log in using the mail address format, for example, jane.doe@example.com. In the case of email addresses, the domain suffix (example.com) has to be chosen as the unique domain name.
url
Required. The URL to the LDAP server including the port number.
The required format is:
ldap(s)://<LDAP_FQDN>:<port>
LDAP servers typically use port 389 or secure port 636.
Example:
ldap://192.0.2.24:389
bindDn
Required. The Distinguished Name (DN) of a user with search privileges on the LDAP directory server. Leave this entry blank for an anonymous user.
Example:
bindDn=CN=Administrator,CN=Users,DC=hpe,DC=com
bindCredentials
Required. The password of the user entitled to search the LDAP server entities. Leave this entry blank for an anonymous user.
bindProperty
Optional. When an LDAP user tries to log on, the search-entitled user specified in bindDn searches the LDAP server entities for that user. When found, the user is authenticated against LDAP based on one of the user's LDAP properties, by default the dn property. You can use the bindProperty parameter to specify another user property to use for authentication (for example, sAMAccountName or email).
Example:
bindProperty=dn
searchBase
Required. The Distinguished Name (DN) of the LDAP entity from which you want to start your user search. Example:
searchBase=CN=Users,DC=omi,DC=hpe,DC=com
searchFilter
Required. Enter the relevant parameters to indicate which attributes are to be included in the user search.
Note:
You must use the literal {{username}} to search for the given login name.
BVD by default uses the ??sub scope; other scopes are not supported.
Example:
searchFilter=(cn={{username}})
searchFilter=(sAMAccountName={{username}})
groupSearchBase
Required. The Distinguished Name (DN) of the LDAP entity from which you want to start your groups search. Example:
groupSearchBase=CN=Groups,DC=hpe,DC=com
groupSearchFilter
Required. Enter the relevant parameters to indicate which attributes are to be included in the groups search.
Note:
- You must use the literal {{dn}} to search for group members with a given distinguished name.
- You can search for group members that are part of one out of two groups by using nested queries (see second example).
- BVD does not support dynamic LDAP groups. Dynamic groups are therefore ignored in groups search.
Examples:
groupSearchFilter=(member={{dn}})
groupSearchFilter=(member=(&(objectCategory=Person)(userPrincipalName={{username}})(|(memberOf=slk-Admin,OU=Groups,OU=slk-Acc,DC=slka,DC=slkb,DC=slkc)(memberOf=cn=slk-Viewer,OU=Groups,OU=slk-Acc,DC=slka,DC=slkb,DC=slkc)))
groupDnProperty
Optional. By default, the LDAP user property dn is used to identify users in groups. You can use the groupDnProperty setting to specify other properties.
Example:
groupDnProperty=dn
tlsCA
Required with LDAPS only. This parameter is only required if the secure LDAP (LDAPS) protocol is used for communication with the LDAP server. Specify a comma-separated list of trusted CA certificate files. The certificate files must be PEM-encoded. Example:
tlsCA=/tmp/ca1_certificate.crt,/tmp/ca2_certificate.crt
tlsVerifyServerCertificate
Optional with LDAPS only. This parameter is optional for LDAPS connections to the LDAP server. If set to true or missing, the LDAP server certificate is verified against the list of trusted CA certificates specified in tlsCA.
Default:
true
mixedMode
Required. When set to true, both LDAP users and local users can log into BVD. When set to false, only LDAP users are able to log in.
Default:
true
autoCreateUser
Required. When set to true, BVD automatically creates a user for every LDAP user when the user logs into BVD with correct credentials for the first time. When set to false, an LDAP user can only log into BVD when created manually in BVD User Management.
Default:
true
Aging Parameters
By default, up to 500 data records per data channel are stored in the database. The aging process scans the database every hour to identify and automatically delete records that exceed the configured maximum or that are older than 100 days.
Complete the following parameters in the [Aging] section of the configuration file to modify the aging defaults:
Parameter Description
agingInterval
Time interval (in minutes) at which the aging process scans the database to identify and automatically delete data records.
If the parameter is missing or commented out, the aging process runs every 60 minutes by default. The value must be an integer greater than 0.
Default:
60 minutes
purgeMoreThan
Maximum number of data records stored in the database per data channel. If this number is exceeded, the oldest records are deleted by the aging process.
If the parameter is missing or commented out, no records are deleted based on this criterion. The value must be an integer greater than 0.
Default:
500
purgeOlderThan
Time period (in days) during which data records are kept in the database. Records older than the configured time period are automatically deleted by the aging process.
If the parameter is missing or commented out, no records are deleted based on this criterion. The value must be an integer greater than 0.
Default:
100 days
unusedChannelStorageTime
Time period (in days) during which a data channel is available in the list of data channels in the widget properties. If a data channel does not receive any data during the configured time period and the data channel is not associated with a widget, it is deleted from the data store. If the data channel is associated with a widget, the channel is not deleted even if the data last received for the channel is older than the configured time period.
If the parameter is missing or commented out, no records and channels are deleted based on this criterion. The value must be an integer greater than 0.
Default:
1 day
Note: The aging process cannot identify and automatically delete data records if both purgeMoreThan and purgeOlderThan are missing or commented out. The database will therefore grow with the number of records received.
- Run the BVD configuration tool by using your configuration .conf file as input:
Windows:
<BVD_Install_Dir>\BVD\bin\configure.bat -c <file_path>\<config_file>.conf
Linux:
/opt/HP/BVD/bin/configure.sh -c <file_path>/<config_file>.conf
- After the configuration tool completes, verify that the BVD processes are running. Run the following command:
ovc -status
- Optional. Check the configuration log file at:
Windows:
<BVD_Data_Dir>\BVD\log\configure.log
Linux:
/var/opt/HP/BVD/log/configure.log
- In a browser, enter the BVD URL:
http(s)://<BVD_server>:<port>/login/
where <BVD_server> represents the Fully Qualified Domain Name (FQDN) of the system on which you configured BVD; <port> is the port assigned to BVD during the configuration.
Example: http://localhost:80/login
- Enter your login name and password. Initial access can be gained using the administrator user name and password that you specified in the configuration .conf file.
- Store the configuration .conf file in a secure place.
After the BVD configuration completes, the .conf file is only needed if you want to reconfigure BVD. See also Reconfigure BVD.
Caution: As the .conf file contains passwords in plain text, move it to a secure location where only authorized users can access it.
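The security-relevant settings described above (TLS for the web server and receiver, the passwords that are empty by default, the LDAP connection) and the plain-text-password caution can be checked before the file is passed to the configuration tool. The following Python script is an added example, not part of BVD or its documentation; it assumes the .conf file is INI-style (bracketed sections, key=value lines) as the examples on this page suggest, and the names audit_conf and conf_is_private are hypothetical.

```python
import configparser
import os
import stat

# Constructed sample; section and parameter names are the ones documented above.
# Assumption: the .conf file is INI-style (bracketed sections, key=value lines).
SAMPLE_CONF = """\
[WebServer]
usessl=false
[Receiver]
usessl=true
[Administrator]
password=
[LDAP]
enabled=true
url=ldap://192.0.2.24:389
bindDn=
searchFilter=(cn={{username}})
"""

def audit_conf(text):
    """Return findings for security-relevant settings in a BVD .conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # parameter names are camelCase; do not lowercase them
    cp.read_string(text)
    def get(section, key, default=""):
        return cp.get(section, key, fallback=default).strip()
    findings = []
    for section in ("WebServer", "Receiver"):
        if get(section, "usessl", "true").lower() != "true":  # documented default: true
            findings.append(f"[{section}] usessl is not true")
    for section, key in (("Administrator", "password"), ("Database", "password")):
        if cp.has_section(section) and not get(section, key):
            findings.append(f"[{section}] {key} is empty")
    # Per the page, a missing 'enabled' parameter means LDAP is enabled.
    if cp.has_section("LDAP") and get("LDAP", "enabled", "true").lower() == "true":
        ldaps = get("LDAP", "url").lower().startswith("ldaps://")
        if not ldaps:
            findings.append("[LDAP] url does not use ldaps://")
        if ldaps and get("LDAP", "tlsVerifyServerCertificate", "true").lower() != "true":
            findings.append("[LDAP] tlsVerifyServerCertificate is disabled")
        if not get("LDAP", "bindDn"):
            findings.append("[LDAP] bindDn is empty (anonymous search bind)")
    return findings

def conf_is_private(path):
    """True if the .conf file (plain-text passwords) has no group/other permission bits (POSIX)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
```

For the constructed sample, audit_conf(SAMPLE_CONF) reports the disabled web server TLS, the empty administrator password, the non-LDAPS URL and the anonymous bind; conf_is_private applies to Linux installations only.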