
IBM Director Agent 5.10


Presentation Transcript


  1. IBM Director Agent 5.10 Eric W. Brown, Sridhar Venkat, Julianne Bielski

  2. Agenda
     • Motivation
     • High-level Architecture
     • New Features
     • Tier 0 / 1 functions
     • Security
     • Discovery preferences
     • Promotion
     • Gotchas

  3. Motivation
     • Marketing requirements
        • Open
        • Integrated
        • Easy-to-use
     • Reduced agent footprint
        • Windows
        • Linux
        • AIX
        • i5/OS
     • Give customers more choice
        • Alert function only
        • Upward integration only
        • Full-featured Director
     • Easily promote to higher levels of functionality

  4. Tier 0 high-level architecture (architecture diagram; only the labels that survive extraction are listed here)
     • Director Server: inventory collectors are copied to the system using sftp or Windows RPC, then invoked, the data collected, and the collectors deleted
     • Standard IANA ports used for discovery, security, and management: 137*, 138*, 139*, 145* (DCOM); 22 (ssh)
     • Endpoint components: Inventory Collectors, ssh service**, Operating System
     *Windows only
     **Must be provided by operating system

  5. Tier 1 high-level architecture (architecture diagram; only the labels that survive extraction are listed here)
     • Management side: Director Server, Tivoli, SNMP Manager
     • Endpoint side (Director Agent): CIMOM (Pegasus, WMI; wmicimserver*) with Pegasus providers, CIM Event Listener, CIM Client programs (CIM2MIF, cimsubscribe), Inventory collectors, ssh service, slp service agent (publishes tier1 slp attributes)
     • Event consumers: Director Event Consumer, SNMP Event Consumer, Tivoli Event Consumer. Not all consumers are necessary; just choose the one needed for a specific UIM environment
     • CIM events for the Director consumer are sent to the remote CIM listener
     • Standard IANA ports used for discovery, security, and management: 5989 (cim/xml over https), 427 (slp), 22 (ssh), 162 (snmp); cim-xml over http also appears on the diagram for the agent's internal links
     *Windows only

  6. Tier 2 high-level architecture (architecture diagram; only the labels that survive extraction are listed here)
     • Director Server talks to the Director Agent over Director IPC on port 14247 or 14248, and over ssh (22) if wanted for secure Remote Session
     • Director Agent: Task Framework with Director subagents
     • Tier 1 components remain on the endpoint: CIMOM (Pegasus, WMI; wmicimserver*) with Pegasus providers, CIM Event Listener, CIM Client programs (CIM2MIF, cimsubscribe), Inventory collectors, ssh service, slp service agent (publishes tier1 slp attributes), cim-xml over http
     • CIM events for the Director consumer are sent to the local CIM listener on Tier 2 (Director Event Consumer Tier 2)
     *Windows only

  7. Features
     • No reboot required after install on Tier 1 or Tier 2
        • Caveat: endpoint must have MSI 3.0 installed
     • Smaller footprint
     • Choice of endpoint functional profile
     • Ease of agent deployment using Tier 0 discover and push
     • Standard security protocols
     • Standard discovery protocol
     • Event subscription CLI
     • Optional OpenSSH package for Windows

  8. Tier 0 function
     • Discovery
     • Request Access
     • Inventory*
     • Remote Session (requires ssh on the target system)
     • Power Control
     • Promotion to Tier 1 or 2 through Update Assistant
     • Event Log
     • Online/Offline only
     *Windows and Linux only

  9. Tier 1 function*
     • All Tier 0 function
     • Additional inventory data
     • Promotion to Tier 2 through Update Assistant
     • Alerts
     • Hardware Status
     • Power Control across Windows and Linux
     • Upward integration support programs
     • Event subscription CLI (See Jake Kitchener’s presentation)
     • Optional OpenSSH package for Windows
     *Windows and Linux only

  10. Tier 1 function – Request Access
     • A self-signed certificate is created at Server install time by the GenCertificate tool
     • The generated certificate is valid for 365 days from the date of installation
     • The certificate is stored in the data\cim\keystore directory as ibmd_cert.jks
     • The data\cim\keystore\key.credential file contains the password and alias information, encrypted
     • When a Tier 1 system is discovered and unlocked, this certificate is pushed to the CIMOM side using the user id and password supplied in the RequestAccess dialog box; the userid/pw must have admin-level privileges
     • All subsequent access to the Tier 1 system (ping, hardware status, power management) is done in the context of the Director Server certificate identity
     • Warning events will be sent if the certificate is about to expire. The user can configure how many days in advance the warning should be sent and how often certificate validity should be checked, through the data\CertificateExpirationManager.properties file
     • An event action plan can be set in advance to get notification when the certificate is about to expire
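The expiration-warning behaviour described on this slide, as an added example (not IBM Director code): a 365-day self-signed certificate, a properties file that sets the warning lead time and the check frequency, and a check that decides whether a warning event is due. The property names `warningDaysInAdvance` and `checkIntervalHours` are assumptions; the slide only names the file.

```python
"""Certificate-expiration warning logic modelled on the Tier 1 Request Access slide.

Added example, not IBM Director code. The property names below are assumptions;
the slide only says the settings live in data\\CertificateExpirationManager.properties.
"""
from datetime import datetime, timedelta

# Constructed sample of the properties file; the key names are assumed.
SAMPLE_PROPERTIES = """\
# constructed example of data\\CertificateExpirationManager.properties
warningDaysInAdvance=30
checkIntervalHours=24
"""

CERT_LIFETIME_DAYS = 365  # GenCertificate issues a 365-day self-signed certificate


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: no '=' separator
        props[key.strip()] = value.strip()
    return props


def not_after(installed_at):
    """Expiry of the self-signed certificate generated at Server install time."""
    return installed_at + timedelta(days=CERT_LIFETIME_DAYS)


def expiration_check(installed_at, now, props):
    """Return (warn, days_left, next_check).

    warn is True when the certificate expires within the configured warning
    window, or has already expired, so a warning event should be generated for
    the event action plan. next_check is when the manager should look again.
    """
    warn_days = int(props.get("warningDaysInAdvance", "30"))
    interval = timedelta(hours=int(props.get("checkIntervalHours", "24")))
    days_left = (not_after(installed_at) - now).days  # negative once expired
    return days_left <= warn_days, days_left, now + interval


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    installed = datetime(2005, 1, 1)
    for probe in (datetime(2005, 6, 1), datetime(2005, 12, 15), datetime(2006, 2, 1)):
        warn, left, nxt = expiration_check(installed, probe, props)
        print(f"{probe:%Y-%m-%d}: warn={warn} days_left={left} next_check={nxt:%Y-%m-%d}")
```

The check is deliberately based on whole days left rather than on a notAfter comparison alone, so the same function drives both the "about to expire" warning and the already-expired case that would otherwise surface as a failed SSL handshake.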

  11. Tier 1 function - Alerts
     • When a Tier 1 system is discovered and unlocked successfully, subscriptions are created
        • A filter is created with the Director Server’s UID as the filter name
        • A handler is created with the Director Server’s UID as the handler name. The destination is set to http://<Director server ip address>:6988/CIMListener/DirectorConsumer/<server’s ip address>
        • A subscription is created with the above-mentioned filter and handler
     • The CIM Listener distributes CIM instances to the Director consumer, to be delivered to the appropriate Director server
     • The Server’s UID is used as the name for the filter and handler so that multiple Servers can manage a Tier 1 system effectively
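The subscription bookkeeping this slide describes, as an added example (not IBM Director or Pegasus code): filter and handler named after the server UID, the destination URL built as stated on the slide, and the server address recovered from that URL so the listener can route an indication to the right server. The filter query string, and treating a repeated unlock by the same server as a no-op, are assumptions.

```python
"""Tier 1 alert subscription bookkeeping, modelled on slide 11.

Added example, not IBM Director or Pegasus code. Filter/handler/subscription
records are plain dicts; a real CIMOM keeps CIM_IndicationFilter,
CIM_IndicationHandler and CIM_IndicationSubscription instances.
"""
from urllib.parse import urlparse

LISTENER_PORT = 6988  # port named on the slide
DESTINATION_PREFIX = "/CIMListener/DirectorConsumer/"


def director_destination(server_ip):
    """Destination URL the handler points at, exactly as the slide states it."""
    return f"http://{server_ip}:{LISTENER_PORT}{DESTINATION_PREFIX}{server_ip}"


def server_ip_from_destination(url):
    """Recover the managing server's address from the destination path.

    Embedding the address in the path is what lets one CIM listener hand an
    indication to the right Director server when several servers manage the
    same Tier 1 system.
    """
    parsed = urlparse(url)
    if (parsed.scheme != "http" or parsed.port != LISTENER_PORT
            or not parsed.path.startswith(DESTINATION_PREFIX)):
        raise ValueError(f"not a Director consumer destination: {url}")
    return parsed.path[len(DESTINATION_PREFIX):]


class Tier1Subscriptions:
    """Subscriptions held on one Tier 1 system, keyed by Director Server UID."""

    def __init__(self):
        self.filters = {}        # filter name (server UID) -> query
        self.handlers = {}       # handler name (server UID) -> destination URL
        self.subscriptions = {}  # server UID -> (filter name, handler name)

    def unlock(self, server_uid, server_ip, query="SELECT * FROM CIM_AlertIndication"):
        """Create filter, handler and subscription when a server unlocks the system.

        The default query is an assumption; the slide does not give the filter query.
        A second unlock by the same server leaves the existing objects untouched
        (also an assumption) and returns False.
        """
        if server_uid in self.subscriptions:
            return False
        self.filters[server_uid] = query
        self.handlers[server_uid] = director_destination(server_ip)
        self.subscriptions[server_uid] = (server_uid, server_uid)
        return True

    def release(self, server_uid):
        """Remove one server's objects without touching other servers' subscriptions."""
        removed = self.subscriptions.pop(server_uid, None) is not None
        self.filters.pop(server_uid, None)
        self.handlers.pop(server_uid, None)
        return removed

    def deliveries(self):
        """Map each managing server's IP to the destination its indications go to."""
        return {server_ip_from_destination(url): url for url in self.handlers.values()}


if __name__ == "__main__":
    system = Tier1Subscriptions()
    system.unlock("server-uid-A", "192.0.2.10")   # constructed UIDs and addresses
    system.unlock("server-uid-B", "192.0.2.20")
    print(system.deliveries())
    system.release("server-uid-A")
    print(list(system.subscriptions))
```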

  12. Tier 1 function – Hardware Status
     • When a Tier 1 system is discovered and unlocked, hardware status gets the initial status
     • All subsequent updates to the Hardware Status GUI for the system are made as a result of asynchronous events sent to the Director server by the system
     • Initial status for a system is retrieved:
        • When an already discovered Tier 1 system goes Online from the Offline state
        • When the Director server managing the system is restarted
        • When a new Tier 1 system is discovered and unlocked
        • When an already unlocked Tier 0 system is promoted to Tier 1

  13. Tier 1 function – Power control
     • When a Tier 1 system is discovered and unlocked, Power Control tasks are made available for the system
     • Power management for Tier 1 systems is done using the CIM protocol
     • Reboot and shutdown power options are available for Tier 1 systems
        • Reboot: the Reboot method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate
        • Shutdown: the Shutdown method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate

  14. Tier 1 function – OpenSSH package for Windows
     • The OpenSSH for Windows 3.8p1-1 package is distributed on the product CD
     • Can be deployed through the Software Distribution task
        • Discover the Windows box as a Tier 0 or Tier 1 box
        • Make sure the DCOM protocol is available in the Attribute list
        • Import the OpenSSH package using the UpdateAssistant wizard
        • Drag-and-drop or schedule for distribution
     • Post-distribution configuration is required to distribute the public key
     • The secure Remote Session task can be performed after deploying and configuring OpenSSH

  15. Security
     • Tier 0
        • Windows
           • The UserID/Password used to initially request access is stored on the management server. If the user later removes or changes these credentials on the endpoint, the managed object will relock on the next ping or next task invocation.
           • Protocol used is DCOM (Windows RPC, the same protocol used for ‘net use’)
        • Linux/AIX/i5OS
           • If the UserID/Password presented at RequestAccess time is valid, ssh keys are generated and the public key is copied and published to the remote endpoint. This way the userid/pw does not have to be stored on the management server, and there’s protection from changes in credentials on the endpoint
           • Protocol used is ssh

  16. Security
     • Tier 0 to Tier 1 promotion
        • Security protocol updated from Tier 0 userid/pw-based to Tier 1 certificate-based upon promotion. No additional Request Access required as long as the original credentials were not changed.
     • Tier 1
        • Windows
           • Director Server uses SSL certificate-based client authentication to wmicimserver for Hardware Status, Power Control, EAPs
           • Director Server uses Windows native security and ssh public key (if ssh is available on the Windows node) for Software Distribution and Inventory (because they involve copying down files, not connecting to the CIMOM)
        • Linux
           • Director Server uses SSL certificate-based client authentication to Pegasus for Hardware Status, Power Control, EAPs
           • Director Server uses ssh for Software Distribution and Inventory
        • A self-signed certificate is generated for the Director server at install time
        • The certificate is valid for 365 days
        • A new self-signed certificate can be generated and deployed through the CLI
        • Signed certificates can be imported into the server trust store and deployed to endpoints using the CLI (need example from Heather)
     • Tier 1 to Tier 2 promotion
        • Security protocol updated from Tier 1 SSL certificates to Tier 2 certificates upon promotion

  17. Discovery Preferences
     • Tier 0
        • User can add unicast ranges or single addresses to scan
        • User can also import a list of addresses/ranges from a file
     • Tier 1
        • SLP attributes: these values are used by the SLP user agent to discover Tier 1 system(s)
           • List of SLP directory agent IP addresses
           • List of SLP scopes
           • Timeout period in seconds
           • Multicast / broadcast boolean switches
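A parser for the Tier 0 unicast address/range import file mentioned on this slide, as an added example (not IBM Director code). The slide does not give the file format, so the format here is an assumption: one entry per line, `#` comments, and an entry being a single address, a `start-end` range, or a CIDR block. The example goes slightly beyond the slide by rejecting malformed lines and capping the size of any one entry so that a typo cannot turn a preference into a scan of millions of addresses.

```python
"""Tier 0 unicast discovery preference parsing, modelled on slide 17.

Added example, not IBM Director code. The file format (one entry per line,
'#' comments, a single address, a 'start-end' range, or a CIDR block) is an
assumption; the slide only says addresses and ranges can be imported from a file.
"""
import ipaddress

MAX_ADDRESSES_PER_ENTRY = 65536  # assumed guard against an accidental /8 scan

# Constructed sample import file (RFC 5737 documentation addresses).
SAMPLE_IMPORT_FILE = """\
# constructed example import file
192.0.2.10
192.0.2.20-192.0.2.23
198.51.100.0/30
192.0.2.10          # duplicate, collapsed on load
bad-entry
"""


def expand_entry(entry):
    """Yield the IPv4 addresses covered by one entry; raise ValueError if malformed."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if end < start:
            raise ValueError(f"range end before start: {entry}")
        if int(end) - int(start) + 1 > MAX_ADDRESSES_PER_ENTRY:
            raise ValueError(f"range too large: {entry}")
        for n in range(int(start), int(end) + 1):
            yield ipaddress.IPv4Address(n)
    elif "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.num_addresses > MAX_ADDRESSES_PER_ENTRY:
            raise ValueError(f"network too large: {entry}")
        yield from net  # every address in the block, network and broadcast included
    else:
        yield ipaddress.IPv4Address(entry)


def load_unicast_targets(text):
    """Return (sorted unique targets, rejected (lineno, text) pairs) for an import file."""
    targets, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            targets.update(expand_entry(line))
        except ValueError:
            rejected.append((lineno, line))
    return sorted(targets), rejected


if __name__ == "__main__":
    targets, rejected = load_unicast_targets(SAMPLE_IMPORT_FILE)
    print(f"{len(targets)} targets, first {targets[0]}, last {targets[-1]}")
    print("rejected:", rejected)
```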

  18. Promotion - Technology
     • UpdateXPress XML package descriptors
        • xSeries-developed descriptor used in the UX product and the Director 3.x, 4.x, 5.x products to describe packages
     • SolutionInstall XML package descriptors
        • eServer-developed descriptor used by the Director 5.x product and Tivoli Configuration Manager in the 5/05 product
        • Taken forward to W3C as a standard; supported by InstallShield and NetZero
     • Software Distribution 5.1 enhanced to support SI packages, software-health-specific tags, and distribution of updates to Tier 1
     • NET: files have slightly different naming conventions and are converging on supported features so that all eServer systems management products, including UX, will use SI in 2006

  19. Promotion - Packages
     • Tier 1 Package
        • Windows: point to coresvcs\dir5.10_coreservices-toc_windows.xml (the TableOfContents XML brings in options for both Tier 1 and OpenSSH)
        • Linux: point to coresvcs\dir5.10_coreservices-toc_linux.xml (quicker than drilling down to the META-INF directory)
     • Tier 2 Package
        • Windows: point to director\agent\windows\i386\META-INF\dir5.10_agent_windows_installArtifact.xml
        • Linux: point to director\agent\windows\i386\META-INF\dir5.10_agent_linux_installArtifact.xml
        • AIX: point to director\agent\windows\i386\META-INF\dir5.10_agent_aix_installArtifact.xml
        • i5/OS: point to director\agent\windows\i386\META-INF\dir5.10_agent_i5OS_installArtifact.xml

  20. Windows Tier 1 Packages for IA32, x86-64

  21. Promotion - Process
     • Tier 0 and Tier 1 systems can be promoted to Tier 1 and Tier 2 systems
     • Any Solution Install-based package can be deployed onto Tier 0 or Tier 1 systems using enhanced software distribution (look for *installArtifact.xml)
     • Use the existing Update Assistant Wizard to import SI packages and create software distribution subtasks
        • Update Assistant Wizard modified to accept SI xml files as inputs; still supports legacy UX package descriptors
     • Once the package is imported and the subtask created, it can be deployed onto a system or group of systems through the drag-and-drop method
     • Validation: Operating system and Operating system architecture details from the package are verified against the same attributes of the managed objects
     • Deployment is done over SSH
     • Only three deployments at a time, but the number is controlled internally
     • User experience is the same as the existing Software Distribution functionality
     • Tier 2 package deployment includes copying of the Director server’s public key, so that the Tier 2 system appears unlocked after promotion
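The validation and throttling steps of the promotion process, as an added example (not IBM Director code): the package's OS and architecture are checked against the managed object's attributes, valid targets are split into waves of at most three, and a Tier 2 deployment records the server's public key on the target. The descriptor fields, the attribute names, the "promotion only goes upward" rule and the refusal to deploy to a locked object are assumptions; the slide states only the OS/architecture check and the limit of three.

```python
"""Promotion validation and deployment throttling, modelled on slide 21.

Added example, not IBM Director code. The descriptor fields (os, arch, target_tier)
and the managed-object attribute names are assumptions; the slide says only that
OS and OS-architecture details from the package are checked against the same
attributes of the managed object, and that three deployments run at a time.
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_DEPLOYMENTS = 3  # limit named on the slide, controlled internally


@dataclass(frozen=True)
class SIPackage:
    """Subset of a Solution Install descriptor (field names assumed)."""
    name: str          # e.g. "dir5.10_agent_linux_installArtifact.xml"
    os: str            # "windows", "linux", "aix", "i5os"
    arch: str          # "i386", "x86-64", ...
    target_tier: int   # 1 or 2


@dataclass
class ManagedObject:
    """Attributes of a discovered system as the server holds them (names assumed)."""
    name: str
    os: str
    arch: str
    tier: int
    unlocked: bool
    authorized_keys: list = field(default_factory=list)


def validate(pkg, mo):
    """Return the reasons this package must not go to this object; empty means OK."""
    problems = []
    if pkg.os.lower() != mo.os.lower():
        problems.append(f"OS mismatch: package {pkg.os}, object {mo.os}")
    if pkg.arch.lower() != mo.arch.lower():
        problems.append(f"architecture mismatch: package {pkg.arch}, object {mo.arch}")
    if not mo.unlocked:
        problems.append("object is locked; Request Access first")  # assumption
    if pkg.target_tier <= mo.tier:
        problems.append(f"object is already Tier {mo.tier}")        # assumption
    return problems


def deploy(pkg, mo, server_public_key):
    """Simulate one promotion; a Tier 2 package also installs the server's public key."""
    mo.tier = pkg.target_tier
    if pkg.target_tier == 2 and server_public_key not in mo.authorized_keys:
        mo.authorized_keys.append(server_public_key)
    return mo


def plan_deployments(pkg, objects, limit=MAX_CONCURRENT_DEPLOYMENTS):
    """Split valid targets into waves of at most `limit`; return (waves, skipped)."""
    valid, skipped = [], []
    for mo in objects:
        problems = validate(pkg, mo)
        if problems:
            skipped.append((mo.name, problems))
        else:
            valid.append(mo.name)
    waves = [valid[i:i + limit] for i in range(0, len(valid), limit)]
    return waves, skipped


if __name__ == "__main__":
    pkg = SIPackage("dir5.10_agent_linux_installArtifact.xml", "linux", "i386", 2)
    fleet = [ManagedObject(f"lnx{i}", "linux", "i386", 1, True) for i in range(4)]
    fleet.append(ManagedObject("win1", "windows", "i386", 0, True))
    waves, skipped = plan_deployments(pkg, fleet)
    print("waves:", waves)
    print("skipped:", skipped)
    print(deploy(pkg, fleet[0], "ssh-rsa EXAMPLEKEY director-server"))  # constructed key
```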

  22. Gotchas
     • Certificate timestamp
        • Within a given timezone, server time must be at the same time or earlier than the endpoint +/- 1 hour, otherwise the certificate will be considered invalid by the SSL handshake protocol [Heather has fixed this problem. Need update]
     • If a locked Tier 0 system’s IP address changes, and the user’s DNS server isn’t set up to resolve the new IP address to the existing FQDN, a second system will appear in the console and must be manually deleted
     • If an unlocked Windows Tier 0 system’s Request Access credentials are deleted or changed on the endpoint, the system will relock upon the next Presence check
     • Windows XP SP2 systems have the Internet Firewall turned on by default, which will prevent Tier 0 discovery and management on this OS. The port must be opened manually, or ICF disabled.
     • No Tier 0 or 1 support for IA64
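The certificate-timestamp gotcha, as an added example (not IBM Director code): the server stamps notBefore with its own clock, and the endpoint evaluates that stamp against its clock during the SSL handshake, so a server clock running more than an hour ahead of the endpoint makes a freshly generated certificate "not yet valid" there. The one-hour figure comes from the slide; applying the same slack to the notAfter bound is an assumption.

```python
"""Certificate-timestamp gotcha from slide 22: the SSL handshake on the endpoint
rejects the Director server's certificate when the endpoint's clock still sees
the certificate's notBefore as lying in the future.

Added example, not IBM Director code. The one-hour tolerance comes from the slide;
treating it as symmetric slack around both validity bounds is an assumption.
"""
from datetime import datetime, timedelta

CLOCK_TOLERANCE = timedelta(hours=1)
CERT_LIFETIME = timedelta(days=365)


def validity_window(server_install_time):
    """notBefore/notAfter as GenCertificate would stamp them, using the server's clock."""
    return server_install_time, server_install_time + CERT_LIFETIME


def endpoint_accepts(not_before, not_after, endpoint_now, tolerance=CLOCK_TOLERANCE):
    """Return (accepted, reason) for a handshake evaluated against the endpoint's clock."""
    if endpoint_now < not_before - tolerance:
        return False, "certificate not yet valid on the endpoint's clock (server clock ahead)"
    if endpoint_now > not_after + tolerance:
        return False, "certificate expired on the endpoint's clock"
    return True, "ok"


def diagnose_skew(server_now, endpoint_now, tolerance=CLOCK_TOLERANCE):
    """Skew in seconds (positive = server ahead) and whether a fresh cert would be rejected.

    The rejection happens only when the server is ahead: a server that is behind
    simply issues a certificate the endpoint already considers valid.
    """
    skew = server_now - endpoint_now
    return int(skew.total_seconds()), skew > tolerance


if __name__ == "__main__":
    # Constructed times: the server installed at 12:00 by its own clock, while the
    # endpoint's clock reads 10:30 at that same instant (server 90 minutes ahead).
    server_install = datetime(2005, 3, 1, 12, 0)
    not_before, not_after = validity_window(server_install)
    for endpoint_now in (datetime(2005, 3, 1, 10, 30), datetime(2005, 3, 1, 11, 30)):
        print(endpoint_now, endpoint_accepts(not_before, not_after, endpoint_now))
    print("skew:", diagnose_skew(server_install, datetime(2005, 3, 1, 10, 30)))
```

The practical check is the skew number: it is what an administrator compares against the slide's one-hour figure after syncing both machines to the same time source, and the same function flags the case regardless of which certificate is about to be deployed.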

  23. Backup Slides

  24. More information as available at the time of presentation…
     • Migration from 4.x
     • Footprint comparisons
     • Install
     • Functional differences across platforms

  25. Reduced Agent Footprint (chart; *does not include RAID)
