M-Link Configuration and Operational Management
An M-Link Server maintains its own configuration, which a suitably privileged client can view or modify using XMPP commands. Isode provides a GUI tool, M-Link Console (MLC), which manages this configuration over XMPP and provides server control and monitoring services. User accounts are held in a Directory, with Active Directory or Isode's M-Vault being popular choices. User accounts in the Directory can be managed externally, and Isode provides administration tools for this purpose.
Monitoring of server and system performance can be done using MLC, a Web Application, or SNMP (integrating server monitoring with Enterprise monitoring of network and application components).
M-Link Console (MLC)
MLC's setup wizard allows administrators to quickly set up a single-node or multi-node (clustered) XMPP service. M-Link requires a Directory to hold user and group information. MLC enables the setup of an M-Vault Directory to be used in conjunction with M-Link for this purpose and also allows for the utilisation of an existing LDAP Directory, including Microsoft Active Directory.
MLC provides a "System Diagnostics" view to make checks on the local machine and validate configuration, and can start and stop M-Link servers on Windows, Solaris and Linux. A Security Check List, for both node and service, warns the operator of any settings which may suggest security risks.
A typical M-Link deployment will be provided by multiple servers operating in a clustered configuration to provide reliability. M-Link Console provides management at both service and cluster node level. Most management is done at the service level, with configuration changes automatically affecting all nodes. Some functionality is available at the node level, including:
- Statistics information on the performance of each node.
- Option to perform node-specific configuration, which may be useful for advanced deployments. When this is done, the UI shows clearly where node options are set differently to the service wide default.
- Configuration changes that need to adjust node-specific files (e.g., setup of private keys for TLS).
MLC validates that the nodes in a cluster have consistent configuration and status. More information on clustering can be found on the M-Link: Clustering & Reliability page.
MLC enables configuration of M-Link Security Label capabilities, including setting up Security Label Catalogs, and configuring Security Labels associated with MUC Rooms and Domains. See the M-Link: Security page for more information.
TLS & X.509 PKI
MLC enables setup and configuration of Strong Authentication for TLS and for peer authentication, by configuring an X.509 identity and associated PKI and TLS parameters for each server. Identity setup makes use of CSRs (Certificate Signing Requests) to interact with a Certification Authority. Trust anchors can be configured manually or taken from the Windows Certificate Store defaults. MLC can use strong authentication to connect to M-Link, including use of Smart Cards.
Components, IM, MUC and PubSub domains
M-Link can support multiple domains, which can be used for multiple purposes (IM, MUC, or PubSub). MLC enables setup and management of these domains. Domain management can also be used to configure XEP-0114 components to integrate third party services. For MUC domains, MLC provides a detailed MUC administration view, so that MUC rooms can be created and managed from MLC as part of an M-Link service.
MLC provides a tab for managing groups, which are important in most XMPP services. There is a special operator group (for users that can manage the M-Link service) and a range of custom groups. Groups can be defined as an explicit list, as an LDAP search, or by reference to a Directory group (AD Group or LDAP Group). Groups can be referenced for MUC access control, and can be used to provide roster pre-population or to enable administrative configuration of user rosters.
M-Link Edge uses peering controls to determine how messages are routed and to control message flow. The Peering Configuration tab enables setup of routing configuration, filtering and controls associated with the peer. Link control enables use of special protocols between a pair of M-Link servers, in particular:
- XEP-0361, to reduce handshaking on slow links.
- STANAG 5066 for use over HF Radio.
- Custom integration for use with High Assurance Guards.
User Account Management
Users of an M-Link server or service will be configured in a Directory. User provisioning may be handled independently of M-Link, for example when using a third party directory such as Microsoft Active Directory. Isode provides an integrated approach from M-Link Console to support user provisioning, which uses direct access to M-Vault over LDAP. This enables:
- Adding/Disabling Accounts.
- Deletion of Accounts, either permanently or by "tombstoning"; tombstones are used to warn the operator when creating an account with a name that has previously been used.
- Display of account "last use" time and auto-disabling of accounts after a configurable period.
- Removal of M-Link rosters from deleted and/or "tombstoned" accounts.
MLC connects to an XMPP service, and can provide a range of monitoring information including general service status & uptime, information on connected users & peers, general server statistics and detailed performance information. Multiple XMPP services can be monitored, including limited monitoring of XMPP servers other than M-Link.
An M-Link Web Application is available which provides an overview of some key statistics for the M-Link Server, displaying a graph for each statistic and a summary of the current values in a table.
These include the authoritative server-to-server (S2S) session count, MUC messages per hour, MUC room count, total number of MUC occupants, server uptime and user session count. The charts are updated automatically, at a regular time interval determined by the M-Link Server.
M-Link includes SNMP support, to enable monitoring of key server performance metrics with network management tools such as OpenView, or with Web applications. The SNMP framework enables monitoring of an enormous variety of network components and applications by use of the MIB (Management Information Base) concept. A MIB defines the variables that are available in the application to be monitored using SNMP.
MIB support in M-Link includes:
- Network Services Monitoring MIB (RFC 2788).
- The 'Isode Services MIB', an Isode extension to RFC 2788 that adds authentication and encryption data, and bandwidth counts per session and session type.
- The 'Isode XMPP MIB', which provides XMPP-specific statistics such as stanza counts.
Amongst other capabilities, monitoring enables the operator to see the number of connections (client/server and server/server), the operation rate for different types of operation, where encryption is used, and bandwidth usage. Further information on the benefits of SNMP monitoring is given on the page discussing Isode's SNMP Architecture.