constr.md

SECTION 4.3

This procedure applies to all environments.

You will need to ssh to the machine host multiple times. SSH and SCP are only allowed for user tideway, so use an SSH client such as GNU OpenSSH or PuTTY to log into the machine as tideway. If you need a root shell, run su - after ssh-ing in. To upload files, use an SCP or SFTP client such as GNU OpenSSH or PuTTY's pscp or psftp, as user tideway.

You will need to use the machine UI multiple times. Before the SSL certificate is installed, use a web browser to open a URL like http://machine_hostname.bnc.ca, or, if the hostname is not registered in DNS yet, one like http://11.12.13.14. Until LDAP integration is configured, you will log in to the UI as user system.

For brevity, when I specify values to set in forms, I am only listing changes. If I don’t mention a setting, leave it at the previous or default value. On many pages you must hit an “Apply” or “Ok” button after changing any settings; do so.

When copy and pasting shell commands, it is critically important that you paste or enter a newline after the last command. If you don’t then the last command won’t execute.

4.3.1 Base OS Config

  1. Log into the machine host UI with a web browser as system / system. You can use a host name or an IP address.
    1. Set new passwords for app user system, OS user tideway, credential vault.
    2. Check ‘Save Password’ (otherwise the appliance cannot boot up unless an ADDM Administrator is at hand).
    3. Memorize or securely store all passwords.
  2. https://docs.bmc.com/docs/display/DISCO111/Setting+preferences#Settingpreferences-Tosetapplicationpreferences
  3. ssh into appliance as user tideway with the tideway password that you set above.
    1. From the tideway login shell, run: mkdir /tmp/rpms
    2. From the tideway login shell, run this command then enter the root password: exec su
    3. Paste this (do include a blank line after the last command):
    # keep the shipped zone file, then point /etc/localtime at Eastern (-f replaces the existing file)
    cp -av /etc/localtime /etc/localtime.orig
    ln -sf /usr/share/zoneinfo/Canada/Eastern /etc/localtime
    cd /etc/sysconfig
    perl -pi.orig -we 's:uk:us:; s:gb:us:;' keyboard
    perl -pi.orig -we 's:Europe/London:Canada/Eastern:;' clock
    tzdata-update
    chmod 0644 /etc/localtime
    
    
  4. Set the current time manually to the current Montreal time with this format: date -s '13:14:15 20170304'
  5. Install VMware Tools:
    # the VMware Tools ISO must already be attached to the VM's virtual CD drive
    mkdir /mnt/optical
    mount /dev/cdrom /mnt/optical
    cd /tmp
    tar -xzf /mnt/optical/*z
    cd vm*
    # -d accepts the installer's default answers
    perl -w *.pl -d
    
    
  6. Reboot the appliance then wait for the host to become accessible again: exec shutdown -r now
  7. Log into the machine UI as user system again.
  8. https://docs.bmc.com/docs/display/DISCO111/Configuring+name+resolution+settings
  9. https://docs.bmc.com/docs/display/DISCO111/Performing+time+synchronization
  10. https://docs.bmc.com/docs/display/DISCO111/Managing+security+policies#Managingsecuritypolicies-Accountsandpasswords
  11. ssh into appliance as user tideway again.
  12. Verify that DNS is working. Run: host www.bnc.ca
  13. Put SSH key files in place.
    cd ~/.ssh
    ssh-keygen -N '' -f tideway
    mv tideway tideway.rsa
    cp -av 
    
    
  14. Run this command then enter the root password: exec su -
  15. Verify that disk sdd is the swap space disk with these commands.
    1. This should report 8 GiB at the end: dmesg | egrep 'sdd.+block'
    2. This should report “unrecognised disk label”: parted /dev/sdd p
  16. Paste this (do include a blank line after the last command). The end of the output should show both the original 8 GiB of swap space plus the new 8 GiB.
    cp -av /etc/fstab /etc/fstab.orig
    parted /dev/sdd 'mklabel gpt'
    parted /dev/sdd 'mkpart swap2 linux-swap 0c 100%'
    mkswap -L swap2 /dev/sdd1
    echo 'LABEL=swap2 swap swap defaults 0 0' >> /etc/fstab
    swapon -a; swapon -s
    
    
  17. Upload the following files to the machine host as user tideway.
  18. If you don’t already have it on your workstation, download the file ~tideway/.ssh/tideway.rsa to your workstation.
    This file is just as private as a password file, so protect it.
  19. ssh into appliance as user tideway again.
  20. Verify CPU and RAM resources
  21. Use command tw_disco_import_platforms to load customized platform scripts (https://docs.bmc.com/docs/display/DISCO111/tw_disco_import_platforms).
  22. This should list a quantity of CPUs matching the quantity of cores assigned to this VM with VI Client (beginning with “processor…: 0”): grep processor /proc/cpuinfo
  23. From the tideway login shell, run this command then enter the root password: su -
  24. Install the utility RPM packages: rpm -Uvh /tmp/rpms/*
  25. Run sudoers to edit the sudoers file.
    Insert the contents of the file /tmp/machine-sudoers-additions.txt at the bottom of the sudoers file.
    You can insert it easily with the vim ex command “:r /tmp/machine-sudoers-additions.txt”. Remember to save before you exit the sudoers editor session.
  26. Go back to tideway login shell: exit
  27. Delete redundant and unnecessary app accounts: tw_deluser admin; tw_deluser appmodel
  28. Exit all command line shells.
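An added helper for the swap-disk checks in steps 15 and 16 above (example code, not part of this runbook): the checks are written as functions over the text that dmesg, parted and swapon print, so they can be exercised on captured output before the live wrapper is run as root on the appliance. The sample outputs embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Pre-flight checks for the second swap disk (/dev/sdd) as pure
# functions over command output, plus a live wrapper for the appliance.

# Print the GiB figure dmesg reports for a disk, e.g. "8.00".
# $1: full dmesg text, $2: disk name (e.g. sdd)
disk_gib_from_dmesg() {
    printf '%s\n' "$1" | grep "\[$2\].*blocks" \
        | sed -n 's/.*\/\([0-9.]*\) GiB).*/\1/p' | tail -n 1
}

# Succeed only if parted reports no partition table at all
# (parted itself spells it "unrecognised"; both spellings accepted).
# $1: output of `parted /dev/sdX p`
disk_is_unlabeled() {
    printf '%s\n' "$1" | grep -qi 'unrecogni[sz]ed disk label'
}

# Sum the Size column (KiB) of `swapon -s` output and print the total
# rounded to whole GiB; swap partitions report slightly under 8 GiB.
swap_total_gib() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^[0-9]+$/ { kib += $3 }
        END { printf "%d\n", kib / 1048576 + 0.5 }'
}

# Verdict before touching the disk: 0 if $3 is an 8 GiB disk without a
# label, 1 otherwise. $1: dmesg text, $2: parted output, $3: disk name
swap_disk_ready() {
    gib=$(disk_gib_from_dmesg "$1" "$3")
    [ "${gib%%.*}" = "8" ] && disk_is_unlabeled "$2"
}

# Live wrapper (run as root on the appliance): exits non-zero before any
# parted/mkswap command would be pointed at the wrong disk.
preflight_live() {
    swap_disk_ready "$(dmesg)" "$(parted /dev/sdd p 2>&1)" sdd
}

# Constructed sample output (not captured from a real appliance).
SAMPLE_DMESG='[    2.10] sd 2:0:3:0: [sdd] 16777216 512-byte logical blocks: (8.58 GB/8.00 GiB)
[    2.11] sd 2:0:3:0: [sdd] Write Protect is off'
SAMPLE_PARTED='Error: /dev/sdd: unrecognised disk label'
SAMPLE_SWAPON='Filename    Type       Size     Used  Priority
/dev/sda3   partition  8388604  0     -1
/dev/sdd1   partition  8388604  0     -2'
```

Run `preflight_live && <paste the step 16 block>` so the partitioning commands only execute when the checks pass; afterwards `swap_total_gib "$(swapon -s)"` should print 16.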

4.3.2 Application Config and Proxy Installation

The remaining work is done on Proxy hosts and using the machine web UI.

  1. Log into the machine UI with a web browser as ‘system’
  2. https://docs.bmc.com/docs/display/DISCO111/Configuring+usage+data+collection
  3. https://docs.bmc.com/docs/display/DISCO111/Managing+groups
  4. https://docs.bmc.com/docs/display/DISCO111/Managing+security+policies#Managingsecuritypolicies-Loginpage
  5. https://docs.bmc.com/docs/display/DISCO111/Configuring+HTTPS+settings#ConfiguringHTTPSsettings-TogenerateaserverkeyGenerateServerKey
  6. https://docs.bmc.com/docs/display/DISCO111/Adding+Windows+proxies#AddingWindowsproxies-ToaddaWindowsProxy
  7. https://docs.bmc.com/docs/display/DISCO111/Managing+disks+and+swap+space Change Usage of /dev/sdb to Datastore Data; and Change Usage of /dev/sdc to Backup Data.
    (We are finished with browser session, so you probably want to log off).
  8. Execute this block for each Proxy host to be used for this environment.
    1. Get an RDP session on the Host as an administrative user.
    2. Run a web browser on the proxy host and download the Proxy installer from a machine (of correct version), page Manage > Discovery Tools. Leave the browser running.
    3. Get an elevated (administrative) CMD shell and go to the download directory containing the installer.
    4. Rename the very long and obscure file name to something reasonable that still includes the version, like: rename addmproxy*.exe proxyinstall_11.2.0.2.exe
    5. Run: proxyinstall_11.2.0.2.exe /adcreate=n dir=D:\DISCO /components="BMC Discovery Proxy Manager" /task="managementui,uninstall" /silent
    6. Run the proxy manager: \DISCO\tw_proxy_manager
      1. If anti-virus causes problems, disable it.
      2. If a host firewall blocks needed access, open it up.
      3. Ctrl+A. Plus icon. Enter the environment's machine hostname or IP address.
      4. Click Register once the values populate.
      5. Close the Known Appliances window.
      6. Ctrl+N.
        • Name (this is the service name): lower-case short-proxy-hostname + “_CORP”.
        • This account: RES*TBD*
        • Password: TBD
    7. When the browser opens up a new tab, add your new service to the “CORP Pool” with exactly the same service Name that you assigned above.
    8. Execute the ping test.
    9. Once the ping test succeeds, drill into the Service and verify that the service details populate.
    10. If this all succeeded then we are finished with work on this Proxy host.
  9. Log into the machine UI with a web browser as system.
    https://docs.bmc.com/docs/display/DISCO111/Setting+up+ports+for+OS+fingerprinting
  10. https://docs.bmc.com/docs/display/DISCO111/Setting+the+appliance+identification
  11. https://docs.bmc.com/docs/display/DISCO111/Configuring+discovery+settings
  12. https://docs.bmc.com/docs/display/DISCO111/Adding+device+credentials
    1. Add a credential targeting Discovery Machines
      • Match All: uncheck
      • Matching Criteria: individual IP addresses for all known present and future discovery machines
      • Label: Discovery Machines
      • Credential Types: Check only ssh
      • Username: tideway
      • Timeout: 10.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    2. Test the Discovery Machines credential against this Machine’s IP.
    3. Add a credential targeting UNIX ssh on port 22 TBD
      • Label: Corp SSH/22
      • Credential Types: Check only ssh
      • Username: dummy
      • Timeout: 30.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    4. Add a credential targeting UNIX ssh on port 5122 TBD
      • Label: Corp SSH/5122
      • Credential Types: Check only ssh
      • Username: dummy
      • ssh Port: 5122
      • Timeout: 30.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    5. Add a credential targeting all SNMP devices (incl. IBM i) TBD
      • Match All: uncheck
      • Matching Criteria: individual IP addresses for all known F5 and IBM i devices
      • Label: Corp SNMP
      • Credential Types: Check only SNMP
      • SNMP Version: 2c
      • Community: dummy
    6. Add a credential targeting vCenters TBD
      • Label: Corp vCenters
      • Credential Types: Check only vCenter
      • Username: dummy
      • Password: dummy
    7. Add a credential targeting standalone ESX Hosts TBD
      • Label: Corp Standalone ESX Host
      • Credential Types: Check only vSphere
      • Username: dummy
      • Password: dummy
    8. After all credentials have been added, on the main Device Credentials page, click and drag up/down arrows to far left of each credential panel to prioritize the credentials like so:
      1. Discovery Machines
      2. Corp SNMP
      3. Corp SSH/22
      4. Corp SSH/5122
      5. Corp vCenters
      6. Corp Standalone ESX Host
  13. https://docs.bmc.com/docs/display/DISCO111/Configuring+model+maintenance+settings
  14. https://docs.bmc.com/docs/display/DISCO111/Setting+up+a+CMDB+synchronization+connection#SettingupaCMDBsynchronizationconnection-ToconfigureaCMDBsynchronizationconnection
  15. https://docs.bmc.com/docs/display/DISCO111/Uploading+knowledge

4.3.3 Delegated Credential Entry

  1. https://docs.bmc.com/docs/display/DISCO111/Adding+device+credentials

SECTION 5.4.1.1 (SSL cert)

  1. https://docs.bmc.com/docs/display/DISCO111/Configuring+HTTPS+settings#ConfiguringHTTPSsettings-Uploadingaservercertificate
  2. https://docs.bmc.com/docs/display/DISCO111/Configuring+HTTPS+settings#ConfiguringHTTPSsettings-EnablingordisablingHTTPandHTTPSaccesstotheappliance

SECTION 5.4.2.1 (LDAPS integration)

  1. https://docs.bmc.com/docs/display/DISCO111/Managing+LDAP#ManagingLDAP-ConfiguringLDAP
  2. https://docs.bmc.com/docs/display/DISCO111/Managing+LDAP#ManagingLDAP-LDAPgroupmapping