constr.md

SECTION 4.3

This procedure applies to all environments.

You will need to ssh to the machine host multiple times. SSH and SCP are only allowed for user tideway, so use an SSH client such as GNU OpenSSH or PuTTY to log into the machine as tideway. If you need a root shell, run su - after ssh-ing in. To upload files, use an SCP or SFTP client such as GNU OpenSSH or PuTTY's pscp or psftp, as user tideway.

You will need to use the machine UI multiple times. Before the SSL certificate is installed, you can do this by using a web browser to open a URL like http://machine_hostname.bnc.ca, or if the hostname is not registered in DNS yet, then like http://11.12.13.14. After the SSL certificate is installed, you can do this by using a web browser to open a URL like https://machine_hostname.bnc.ca, or if the hostname is not registered in DNS yet, then like https://11.12.13.14. Until LDAP integration is configured, you will log in to the UI as user system.

For brevity, when I specify values to set in forms, I am only listing changes. If I don’t mention a setting, leave it at the previous or default value. On many pages, after changing any settings you must hit an “Apply” or “Ok” button; do so.

When copy-and-pasting shell commands, it is critically important that you paste or enter a newline after the last command. If you don’t, the last command won’t execute.

4.3.1 Base OS Config

  1. Log into the machine host UI with a web browser as user system, password system. You can use a host name or an IP address.
    1. Set new passwords for app user system, OS user tideway, and credential vault.
    2. Check ‘Save Passphrase’ (otherwise the appliance cannot boot up without an ADDM Administrator at hand to enter the passphrase).
    3. Memorize or securely store all passwords.
  2. https://docs.bmc.com/docs/display/DISCO111/Setting+preferences#Settingpreferences-Tosetapplicationpreferences
  3. ssh into appliance as user tideway with the tideway password that you set above.
    1. From the tideway login shell, run: mkdir /tmp/rpms
    2. From the tideway login shell, run this command then enter the root password: exec su -
    3. Paste this (do include a blank line after the last command):
    cp -av /etc/localtime /etc/localtime.orig
    ln -s /usr/share/zoneinfo/Canada/Eastern /etc/localtime
    cd /etc/sysconfig
    perl -pi.orig -we 's:uk:us:; s:gb:us:;' keyboard
    perl -pi.orig -we 's:Europe/London:Canada/Eastern:;' clock
    tzdata-update
    chmod 0644 /etc/localtime
    
    
  4. Set the current time manually to the current Montreal time with this format: date -s '13:14:15 20170304'
  5. Install VMware Tools:
    mkdir /mnt/optical
    mount /dev/cdrom /mnt/optical
    cd /tmp
    tar -xzf /mnt/optical/*z
    cd vm*
    perl -w *.pl -d
    
    
  6. Reboot the appliance then wait for the host to become accessible again: exec shutdown -r now
  7. Log into the machine UI as user system again, using the new system password that you set earlier.
  8. https://docs.bmc.com/docs/display/DISCO111/Configuring+name+resolution+settings
    It’s possible that DHCP may have populated the desired values. If so, just commit them.
  9. https://docs.bmc.com/docs/display/DISCO111/Performing+time+synchronization
  10. https://docs.bmc.com/docs/display/DISCO111/Managing+security+policies#Managingsecuritypolicies-Accountsandpasswords
  11. ssh into appliance as user tideway again.
  12. Verify that DNS is working. Run: host www.bnc.ca
  13. Put SSH key files in place.
    cd ~/.ssh
    ssh-keygen -N '' -f tideway
    mv tideway tideway.rsa
    cp -av tideway.pub authorized_keys
    
    
  14. Run this command then enter the root password: su -
  15. Verify that disk sdd is the swap space disk with these commands.
    1. This should report 8 GiB at the end (the regex is quoted so the shell does not expand it): dmesg | egrep 'sdd.+block'
    2. This should report “unrecognized disk label”: parted /dev/sdd p
  16. Paste this (do include a blank line after the last command). The end of the output should show both the original 8 GiB of swap space plus the new 8 GiB.
    cp -av /etc/fstab /etc/fstab.orig
    parted /dev/sdd 'mklabel gpt'
    parted /dev/sdd 'mkpart swap2 linux-swap 0c 100%'
    mkswap -L swap2 /dev/sdd1
    echo 'LABEL=swap2 swap swap defaults 0 0' >> /etc/fstab
    swapon -a; swapon -s
    
    
  17. Run this to exit the root shell and return to the tideway shell: exit
  18. Upload the following files (listed in section 4.2) to the machine host as user tideway.
  19. If you don’t already have it on your workstation, download the file ~tideway/.ssh/tideway.rsa to your workstation.
    This file is just as private as a password file, so protect it.
  20. Back at your tideway command line shell, verify CPU and RAM resources.
    1. This should report approximately the RAM quantity assigned to this VM with VI Client (in kB units): grep MemT /proc/meminfo
    2. This should list a quantity of CPUs matching the quantity of cores assigned to this VM with VI Client (beginning with “processor…: 0”): grep processor /proc/cpuinfo
  21. Use command tw_disco_import_platforms to load customized platform scripts file /tmp/platforms-*.xml (https://docs.bmc.com/docs/display/DISCO111/tw_disco_import_platforms).
  22. Delete redundant and unnecessary app accounts: tw_deluser admin; tw_deluser appmodel
  23. From the tideway login shell, run this command then enter the root password: su -
  24. Install the utility RPM packages: rpm -Uvh /tmp/rpms/*
  25. Run visudo to edit the sudoers file.
    Insert contents of the file /tmp/machine-sudoers-additions.txt into the bottom of the sudoers file.
    You can insert this easily with vim ex command “:r /tmp/machine-sudoers-additions.txt”.
    Remember to save before you exit the visudo editor session.
  26. Exit all command line shells.
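
The following is an added example, not part of this runbook: a small guard for 4.3.1 steps 15 and 16 that re-checks, in a script, the two facts step 15 asks you to confirm by eye (disk sdd is the 8 GiB disk and carries no partition label) before the destructive mklabel/mkpart/mkswap of step 16 is run. The function names swap_disk_ok and add_swap_disk are mine; the commands inside add_swap_disk are the runbook's own.

```shell
# swap_disk_ok DISK DMESG_TEXT PARTED_TEXT
# Returns 0 only when DMESG_TEXT shows DISK as an 8 GiB block device and
# PARTED_TEXT says the disk has no partition table yet (step 15's checks).
swap_disk_ok() {
    disk=$1; dmesg_text=$2; parted_text=$3
    # Kernel line looks like:
    #   sd 2:0:3:0: [sdd] 16777216 512-byte logical blocks: (8.59 GB/8.00 GiB)
    # Match the whole "(x GB/8.00 GiB)" figure, not just "8.00 GiB".
    printf '%s\n' "$dmesg_text" \
        | grep -E "\[$disk\].*block.*\(8\.[0-9]+ GB/8\.00 GiB\)" >/dev/null \
        || return 1
    # parted prints "unrecognised disk label" (spelling varies by version)
    # for a blank disk; anything else means the disk is already in use.
    printf '%s\n' "$parted_text" \
        | grep -Ei 'unrecogni[sz]ed disk label' >/dev/null || return 1
    return 0
}

# add_swap_disk DISK: runbook step 16, executed only after the guard passes.
# Must run as root; it writes a partition table, so it is not invoked here.
add_swap_disk() {
    disk=$1
    if ! swap_disk_ok "$disk" "$(dmesg)" "$(parted "/dev/$disk" p 2>&1)"; then
        echo "refusing to touch /dev/$disk: not an unlabelled 8 GiB disk" >&2
        return 1
    fi
    cp -av /etc/fstab /etc/fstab.orig
    parted "/dev/$disk" 'mklabel gpt'
    parted "/dev/$disk" 'mkpart swap2 linux-swap 0c 100%'
    mkswap -L swap2 "/dev/${disk}1"
    echo 'LABEL=swap2 swap swap defaults 0 0' >> /etc/fstab
    swapon -a && swapon -s
}
```

Call it from the root shell of step 14 as `add_swap_disk sdd`; it exits without writing anything if the disk is the wrong size or already labelled.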

4.3.2 Application Config and Proxy Installation

The remaining work is done on Proxy hosts and using the machine web UI.

  1. Log into the machine UI (URL beginning with http://) with a web browser as ‘system’
  2. https://docs.bmc.com/docs/display/DISCO111/Configuring+usage+data+collection
  3. https://docs.bmc.com/docs/display/DISCO111/Managing+groups
  4. https://docs.bmc.com/docs/display/DISCO111/Managing+security+policies#Managingsecuritypolicies-Loginpage
  5. https://docs.bmc.com/docs/display/DISCO111/Configuring+HTTPS+settings#ConfiguringHTTPSsettings-SelfsigningaservercertificateSelfsigningaservercertificate
  6. https://docs.bmc.com/docs/display/DISCO111/Configuring+HTTPS+settings#ConfiguringHTTPSsettings-EnablingordisablingHTTPandHTTPSaccesstotheappliance
  7. https://docs.bmc.com/docs/display/DISCO111/Adding+Windows+proxies#AddingWindowsproxies-ToaddaWindowsProxy
  8. https://docs.bmc.com/docs/display/DISCO111/Managing+disks+and+swap+space Change Usage of /dev/sdb to Datastore Data; and Change Usage of /dev/sdc to Backup Data.
    (We are finished with the browser session, so you probably want to log off.)
  9. Execute this block for each Proxy host to be used for this environment.
    1. Get an RDP session on the Host as an administrative user.
    2. Run a web browser on the proxy host and download the Proxy installer (of the correct version) from a machine, page Manage > Discovery Tools. Leave the browser running.
    3. Get an elevated (administrator) CMD shell and go to the download directory containing the installer.
    4. Rename the very long and obtuse name to something reasonable that still includes the version, like: rename addmproxy*.exe proxyinstall_11.2.0.2.exe
    5. Run: proxyinstall_11.2.0.2.exe /adcreate=n dir=D:\DISCO /components="BMC Discovery Proxy Manager" /task="managementui,uninstall" /silent
    6. Run the proxy manager: \DISCO\tw_proxy_manager
      1. If anti-virus causes problems, disable it.
      2. If a host firewall blocks needed access, open it up.
      3. Ctrl+A. Plus icon. Enter the environment’s machine hostname or IP address.
      4. Click Register once the values populate.
      5. Close the Known Appliances window.
      6. Ctrl+N.
        • Name (this is the service name): lower-case short-proxy-hostname + “_CORP”.
        • This account: RES\RemedyDscvNow
        • Password:
    7. When the browser opens up a new tab, add your new service to the “CORP Pool” with exactly the same service Name that you assigned above.
    8. Execute the ping test.
    9. Once the ping test succeeds, drill into the Service and verify that the service details populate.
    10. If this all succeeded then we are finished with work on this Proxy host.
  10. Log into the machine UI (URL beginning with https://) with a web browser as system.
    https://docs.bmc.com/docs/display/DISCO111/Setting+up+ports+for+OS+fingerprinting
  11. https://docs.bmc.com/docs/display/DISCO111/Setting+the+appliance+identification
  12. https://docs.bmc.com/docs/display/DISCO111/Configuring+discovery+settings
  13. https://docs.bmc.com/docs/display/DISCO111/Adding+device+credentials
    1. Add a credential targeting Discovery Machines
      • Match All: uncheck
      • Matching Criteria: individual IP addresses for all known present and future discovery machines
      • Label: Discovery Machines
      • Credential Types: Check only ssh
      • Username: tideway
      • Timeout: 10.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    2. Test the Discovery Machines credential against this Machine’s IP.
    3. Add a credential targeting UNIX ssh on port 22
      • Label: Corp SSH/22
      • Credential Types: Check only ssh
      • Username: rmdyscan
      • Timeout: 30.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    4. Add a credential targeting UNIX ssh on port 5122
      • Label: Corp SSH/5122
      • Credential Types: Check only ssh
      • Username: rmdyscan
      • ssh Port: 5122
      • Timeout: 30.0
      • “Choose File” button: upload file tideway.rsa
      • ssh Authentication: Check Key, uncheck Password
    5. Add a credential targeting all SNMP devices
      • Match All: uncheck
      • Matching Criteria: individual IP addresses for all known F5 and IBM i devices
      • Label: Corp SNMP
      • Credential Types: Check only SNMP
      • SNMP Version: 2c
      • Community: dummy
    6. Add a credential targeting vCenters
      • Label: Corp vCenters
      • Credential Types: Check only vCenter
      • Username: RES\RemedyDscvNow
      • Password: dummy
    7. TBD: additional SNMP credentials may be needed for IBM i, F5s, IBM-managed devices, or other targets.
    8. After all credentials have been added, on the main Device Credentials page, click and drag the up/down arrows at the far left of each credential panel to prioritize the credentials like so:
      1. Discovery Machines
      2. Corp SNMP
      3. Corp SSH/22
      4. Corp SSH/5122
      5. Corp vCenters
  14. https://docs.bmc.com/docs/display/DISCO111/Configuring+model+maintenance+settings
  15. https://docs.bmc.com/docs/display/DISCO111/Setting+up+a+CMDB+synchronization+connection#SettingupaCMDBsynchronizationconnection-ToconfigureaCMDBsynchronizationconnection
    1. Configure a primary synchronization.
      • Name: DEV RoD (on DEV env machine) or PROD RoD (on PROD env machine)
      • Network Address: 10.171.130.108 (on DEV env machine) or 10.171.2.187 (on PROD env machine)
      • Specify TCP Port: checked, 46262
      • Username: ADDM
      • Password:
    2. Test the Connection
    3. Configure a secondary synchronization.
      • Name: QA RoD (on DEV env machine) or TRN RoD (on PROD env machine)
      • Network Address: 10.171.134.82 (on DEV env machine) or 10.171.130.159 (on PROD env machine)
      • Specify TCP Port: checked, 46262
      • Username: ADDM
      • Password:
    4. Test the Connection
  16. https://docs.bmc.com/docs/display/DISCO111/Uploading+knowledge
    1. Load TKU downloaded in section 4.2.2 above
    2. Load EDP update downloaded in section 4.2.2 above
  17. Click the ‘Update All Baselines’ button at the bottom of the Administration > Appliance Baseline page.

4.3.3 Delegated Credential Entry

  1. https://docs.bmc.com/docs/display/DISCO111/Adding+device+credentials

SECTION 5.4.2.1 (LDAP integration)

  1. https://docs.bmc.com/docs/display/DISCO111/Managing+LDAP#ManagingLDAP-LDAPgroupmapping