- Number of slides: 25
IBM Systems and Technology Group
IBM Director Agent 5.10
Eric W. Brown, Sridhar Venkat, Julianne Bielski
© 2005 IBM Corporation
This presentation is intended for the education of IBM and Business Partner sales personnel. It should not be distributed to customers.
Agenda
§ Motivation
§ High-level Architecture
§ New Features
§ Tier 0 / 1 functions
§ Security
§ Discovery preferences
§ Promotion
§ Gotchas
Motivation
§ Marketing requirements
– Open
– Integrated
– Easy-to-use
§ Reduced agent footprint
– Windows
– Linux
– AIX
– i5/OS
§ Give customers more choice
– Alert function only
– Upward integration only
– Full-featured Director
– Easily promote to higher levels of functionality
Tier 0 high-level architecture (diagram)
§ Director Server talks directly to the endpoint's operating system; nothing stays installed on the endpoint
§ Inventory collectors are copied to the system using sftp or Windows RPC, then invoked, the data is collected, and the collectors are deleted
§ Standard IANA ports are used for discovery, security, and management:
– 22: ssh service (must be provided by the operating system)
– 137, 138, 139, 145: DCOM (Windows only). 145 is as printed on the slide; 137, 138 and 139 are the NetBIOS ports, and the RPC endpoint mapper that DCOM actually depends on listens on TCP 135, so expect to open that port as well
Tier 1 high-level architecture (diagram)
§ Director Server side: CIM Client, CIM Event Listener, Inventory collectors, Director consumer
§ Tier 1 endpoint: CIMOM (Pegasus on Linux, WMI on Windows) with Pegasus providers; wmicimserver (Windows only); cimsubscribe; CIM 2 MIF programs; ssh service; slp service agent, which publishes the Tier 1 SLP attributes
§ Event consumers on the endpoint: Director consumer, SNMP Event Consumer (to an SNMP Manager, port 162), Tivoli Event Consumer (to Tivoli). Not all consumers are necessary; just choose the one needed for a specific UIM (upward integration) environment
§ CIM events for the Director consumer are sent to the remote CIM Event Listener on the Director Server as cim-xml over http
§ Standard IANA ports used for discovery, security, and management: 22 ssh, 427 slp, 5989 cim-xml over https (server to CIMOM), 162 snmp
Tier 2 high-level architecture (diagram)
§ Director Server talks to the Director Agent over Director IPC on port 14247 or 14248; port 22 (ssh) is used only if wanted for a secure Remote Session
§ Director Agent: Task Framework and Director subagent, layered on top of the Tier 1 components
§ CIM events for the Director consumer are sent to a local CIM Event Listener on the Tier 2 system rather than to the server
§ Tier 1 components still present on the endpoint: cimsubscribe, Inventory collectors, CIM Client, CIM 2 MIF programs, ssh service, CIMOM (Pegasus, WMI) with Pegasus providers, wmicimserver (Windows only), slp service agent publishing the Tier 1 SLP attributes
Features
§ No reboot required after install on Tier 1 or Tier 2
– Caveat: the endpoint must have MSI 3.0 installed
§ Smaller footprint
§ Choice of endpoint functional profile
§ Ease of agent deployment using Tier 0 discover and push
§ Standard security protocols
§ Standard discovery protocol
§ Event subscription CLI
§ Optional OpenSSH package for Windows
Tier 0 function
§ Discovery
§ Request Access
§ Inventory*
§ Remote Session (requires ssh on the target system)
§ Power Control
§ Promotion to Tier 1 or 2 through Update Assistant
§ Event Log: Online/Offline only
*Windows and Linux only
Tier 1 function*
§ All Tier 0 function
§ Additional inventory data
§ Promotion to Tier 2 through Update Assistant
§ Alerts
§ Hardware Status
§ Power Control across Windows and Linux
§ Upward integration support programs
§ Event subscription CLI (see Jake Kitchener's presentation)
§ Optional OpenSSH package for Windows
*Windows and Linux only
Tier 1 function – Request Access
§ A self-signed certificate is created at Server install time by the GenCertificate tool
§ The generated certificate is valid for 365 days from the date of installation
§ The certificate is stored in the data\cim\keystore directory as ibmd_cert.jks; the data\cim\keystore\key.credential file contains the password and alias information, encrypted
§ When a Tier 1 system is discovered and unlocked, this certificate is pushed to the CIMOM side using the user ID and password supplied in the Request Access dialog box; the user ID/password must have admin-level privileges
§ All subsequent access to the Tier 1 system (ping, hardware status, power management) is done in the context of the Director Server certificate identity, so the admin credential is needed only once, at unlock time
§ Warning events are sent if the certificate is about to expire. The user can configure how many days in advance the warning should be sent and how often certificate validity should be checked, through the data\CertificateExpirationManager.properties file
§ An event action plan can be set in advance to get notification when the certificate is about to expire
Tier 1 function – Alerts
§ When a Tier 1 system is discovered and unlocked successfully, subscriptions are created on the endpoint's CIMOM
– A filter is created with the Director Server's UID as the filter name
– A handler is created with the Director Server's UID as the handler name. Its destination is set to http://<Director server ip address>:6988/CIMListener/DirectorConsumer/<server's ip address>
– A subscription is created with the above filter and handler
– The CIM Listener distributes CIM instances to the Director consumer to be delivered to the appropriate Director server
– The server's UID is used as the name for the filter and handler so that multiple Servers can manage a Tier 1 system effectively: each server's subscription is a distinct instance that can be created and removed without touching another server's
Tier 1 function – Hardware Status
§ When a Tier 1 system is discovered and unlocked, hardware status gets the initial status
§ All subsequent updates to the Hardware Status GUI for the system are made as a result of asynchronous events sent to the Director server by the system
§ The initial status for a system is retrieved
– When an already discovered Tier 1 system goes to Online from the Offline state
– When the Director server managing the system is restarted
– When a new Tier 1 system is discovered and unlocked
– When an already unlocked Tier 0 system is promoted to Tier 1
Tier 1 function – Power control
§ When a Tier 1 system is discovered and unlocked, Power Control tasks are made available for the system
§ Power management for Tier 1 systems is done using the CIM protocol
§ Reboot and shutdown power options are available for Tier 1 systems
§ Reboot: the Reboot method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate
§ Shutdown: the Shutdown method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate
Tier 1 function – OpenSSH package for Windows
§ The OpenSSH for Windows 3.8p1-1 package is distributed on the product CD
§ It can be deployed through the Software Distribution task
– Discover the Windows box as a Tier 0 or Tier 1 box
• Make sure the DCOM protocol is available in the Attribute list
• Import the OpenSSH package using the Update Assistant wizard
• Drag-and-drop or schedule for distribution
• Post-distribution configuration is required to distribute the public key
§ The Secure Remote Session task can be performed after deploying and configuring OpenSSH
Security
§ Tier 0
– Windows
• The user ID/password used to initially request access is stored on the management server. If the user later removes or changes these credentials on the endpoint, the managed object will relock on the next ping or next task invocation. Because this stored password, not a key, is what authenticates the server to the endpoint, the management server's credential store has to be protected accordingly.
• Protocol used is DCOM (Windows RPC, the same protocol used for 'net use')
– Linux/AIX/i5/OS
• If the user ID/password presented at Request Access time is valid, ssh keys are generated and the public key is copied and published to the remote endpoint. This way the user ID/password does not have to be stored on the management server, and there is protection from changes in credentials on the endpoint
• Protocol used is ssh
Security (continued)
§ Tier 0 to Tier 1 promotion
– The security protocol is updated from Tier 0 user ID/password-based to Tier 1 certificate-based upon promotion. No additional Request Access is required as long as the original credentials were not changed.
§ Tier 1
– Windows
• Director Server uses SSL certificate-based client authentication to wmicimserver for Hardware Status, Power Control, and EAPs
• Director Server uses Windows native security and the ssh public key (if ssh is available on the Windows node) for Software Distribution and Inventory, because those tasks involve copying down files rather than connecting to the CIMOM
– Linux
• Director Server uses SSL certificate-based client authentication to Pegasus for Hardware Status, Power Control, and EAPs
• Director Server uses ssh for Software Distribution and Inventory
§ A self-signed certificate is generated for the Director server at install time
– The certificate is valid for 365 days
– A new self-signed certificate can be generated and deployed through the CLI
§ Signed certificates can be imported into the server trust store and deployed to endpoints using the CLI (need example from Heather)
§ Tier 1 to Tier 2 promotion
– The security protocol is updated from Tier 1 SSL certificates to Tier 2 certificates upon promotion
Discovery Preferences
§ Tier 0
– The user can add unicast ranges or single addresses to scan
– The user can also import a list of addresses/ranges from a file
§ Tier 1
– SLP attributes: these values are used by the SLP user agent to discover Tier 1 system(s)
• List of SLP directory agent IP addresses
• List of SLP scopes
• Timeout period in seconds
• Multicast / broadcast boolean switches
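The deck says a Tier 0 scan list can be built from single addresses and unicast ranges, or imported from a file, but gives no file format. The following is an added example, not code from the presentation or from IBM Director: it parses an assumed format (one entry per line, `#` comments, a single address, an inclusive `a-b` range, or a CIDR block), rejects anything that is not a unicast address, and refuses an entry that would expand into an oversized scan. The file format, the `MAX_ENTRY_ADDRESSES` guard and the sample list are all assumptions constructed for the example.

```python
"""Parse a Tier 0 discovery address list into concrete unicast targets.

Added example, not code from the IBM Director presentation. The file format
is assumed: one entry per line, '#' comments, and three entry kinds:
    192.168.1.10                  single address
    192.168.1.20-192.168.1.40     inclusive range
    10.0.0.0/24                   CIDR block (network/broadcast excluded)
Non-unicast addresses (multicast, loopback, unspecified, reserved) are
rejected, and a single entry that would expand past MAX_ENTRY_ADDRESSES is
refused rather than silently producing a huge scan. Both limits are assumptions.
"""
import ipaddress

MAX_ENTRY_ADDRESSES = 65536   # assumed guard: nothing bigger than a /16 per entry


class DiscoveryListError(ValueError):
    """Raised with the offending line number and text."""


def _unicast_or_raise(addr):
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified or addr.is_reserved:
        raise ValueError(f"{addr} is not a unicast address")
    return addr


def parse_entry(entry):
    """Expand one entry into a list of ipaddress.IPv4Address objects."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.num_addresses > MAX_ENTRY_ADDRESSES:
            raise ValueError(f"{entry} expands to {net.num_addresses} addresses")
        # /31 and /32 have no separate network/broadcast addresses to strip
        addrs = list(net) if net.prefixlen >= 31 else list(net)[1:-1]
    elif "-" in entry:
        start_s, _, end_s = entry.partition("-")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"range {entry} ends before it starts")
        count = int(end) - int(start) + 1
        if count > MAX_ENTRY_ADDRESSES:
            raise ValueError(f"{entry} expands to {count} addresses")
        addrs = [start + i for i in range(count)]
    else:
        addrs = [ipaddress.IPv4Address(entry)]
    return [_unicast_or_raise(a) for a in addrs]


def parse_address_list(text):
    """Parse a whole import file; return a sorted, de-duplicated list of
    address strings. The first bad line aborts the import with its line
    number, so a typo cannot quietly drop part of the scan."""
    targets = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            targets.update(parse_entry(line))
        except ValueError as exc:
            raise DiscoveryListError(f"line {lineno}: {raw.strip()!r}: {exc}") from exc
    return [str(a) for a in sorted(targets)]


if __name__ == "__main__":
    # Constructed sample import file (not from the deck)
    SAMPLE = """\
# lab subnet
192.168.1.10
192.168.1.20-192.168.1.22   # a small range
10.0.0.0/30
"""
    for target in parse_address_list(SAMPLE):
        print(target)
```

Failing the whole import on the first bad line is deliberate: a discovery list that silently skips a malformed range leaves part of the estate unmanaged, which is exactly the kind of gap an attacker looks for.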
Promotion – Technology
§ UpdateXpress XML package descriptors
– xSeries-developed descriptor used in the UX product and the Director 3.x, 4.x, 5.x products to describe packages
§ Solution Install XML package descriptors
– eServer-developed descriptor used by the Director 5.x product and Tivoli Configuration Manager in the 5/05 product
– Taken forward to W3C as a standard; supported by InstallShield and NetZero
§ Software Distribution 5.1 enhanced to support SI packages, software health-specific tags, and distribution of updates to Tier 1
§ NET: the files have slightly different naming conventions and are converging on supported features so that all eServer systems management products, including UX, will use SI in 2006
Promotion – Packages
§ Tier 1 Package
– Windows
• Point to coresvcs\dir5.10_coreservices-toc_windows.xml
• The Table of Contents XML brings in options for both Tier 1 and OpenSSH
– Linux
• Point to coresvcs\dir5.10_coreservices-toc_linux.xml (quicker than drilling down to the META-INF directory)
§ Tier 2 Package
– Windows
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_windows_installArtifact.xml
– Linux
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_linux_installArtifact.xml
– AIX
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_aix_installArtifact.xml
– i5/OS
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_i5OS_installArtifact.xml
(The slide gives the same windows\i386\META-INF directory for all four Tier 2 descriptors; confirm the location on the product CD before importing.)
Windows Tier 1 Packages for IA32, x86-64 (figure; no further text on the slide)
Promotion – Process
§ Tier 0 and Tier 1 systems can be promoted to Tier 1 and Tier 2 systems
§ Any Solution Install-based package can be deployed onto Tier 0 or Tier 1 systems using the enhanced software distribution (look for *installArtifact.xml)
§ Use the existing Update Assistant Wizard to import SI packages and create software distribution subtasks
§ The Update Assistant Wizard has been modified to accept SI XML files as input; it still supports legacy UX package descriptors
§ Once a package is imported and a subtask created, it can be deployed onto a system or group of systems through drag and drop
§ Validation: the operating system and operating system architecture details from the package are verified against the same attributes of the managed objects
§ Deployment is done over SSH
§ Only three deployments run at a time; the number is controlled internally and is not user-configurable
§ The user experience is the same as the existing Software Distribution functionality
§ Tier 2 package deployment includes copying the Director server's public key, so that the Tier 2 system appears unlocked after promotion
Gotchas
§ Certificate timestamp: within a given timezone, the server time must be the same as or earlier than the endpoint's, within a tolerance of +/- 1 hour, otherwise the certificate will be considered invalid by the SSL handshake. The self-signed certificate's start of validity is the server's clock at install time, so an endpoint whose clock runs more than an hour behind the server sees a certificate that is not yet valid. [Slide note: Heather has fixed this problem; needs update]
§ If a locked Tier 0 system's IP address changes, and the user's DNS server is not set up to resolve the new IP address to the existing FQDN, a second system will appear in the console and must be manually deleted
§ If an unlocked Windows Tier 0 system's Request Access credentials are deleted or changed on the endpoint, the system will relock upon the next Presence check
§ Windows XP SP2 systems have the Internet Connection Firewall (ICF) turned on by default, which will prevent Tier 0 discovery and management on this OS. The port must be opened manually, or ICF disabled.
§ No Tier 0 or Tier 1 support for IA64
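The Request Access slide describes the server's self-signed certificate (365-day validity, configurable expiry warning) and the Gotchas slide explains why a server clock running ahead of the endpoint breaks the SSL handshake. The following is an added example, not code from the presentation or from IBM Director: it models the endpoint evaluating the certificate's validity window against its own clock with a skew tolerance, and the expiry check with a warn-days-before and check-interval setting. The one-hour tolerance, the property key names (`warnDaysBefore`, `checkIntervalDays`), their defaults and the constructed clocks are assumptions; the deck gives none of them.

```python
"""Certificate validity with clock-skew tolerance, plus the expiry warning.

Added example, not code from the IBM Director presentation. It models two
behaviours the deck describes for the Director Server's self-signed
certificate:
  * the endpoint's CIMOM evaluates the certificate's validity window against
    its own clock, so a server whose clock runs ahead of the endpoint by more
    than the tolerated skew has its certificate rejected as not yet valid
    (the "certificate timestamp" gotcha);
  * a warning fires a configurable number of days before expiry, checked at a
    configurable interval (CertificateExpirationManager.properties).
The one-hour skew tolerance, the property key names and the default values
are assumptions; the deck does not give them.
"""
from datetime import datetime, timedelta, timezone

SKEW_TOLERANCE = timedelta(hours=1)      # assumed: the slide's "+/- 1 hour"
VALIDITY_DAYS = 365                      # from the deck: valid 365 days from install
DEFAULT_CONFIG = {"warnDaysBefore": 30, "checkIntervalDays": 1}   # assumed keys and defaults


def issue_self_signed(server_clock_at_install):
    """Validity window of the GenCertificate-style certificate: notBefore is the
    issuing server's clock at install time, notAfter is 365 days later."""
    return server_clock_at_install, server_clock_at_install + timedelta(days=VALIDITY_DAYS)


def handshake_accepts(not_before, not_after, endpoint_clock, skew=SKEW_TOLERANCE):
    """Would the endpoint, judging by *its* clock, accept this validity window?
    Skew is tolerated in both directions; anything beyond it fails the handshake."""
    return (not_before - skew) <= endpoint_clock <= (not_after + skew)


def load_expiry_config(text):
    """Parse the two settings the deck says can be configured (key=value lines,
    '#' comments). Unknown keys are ignored; values are whole days."""
    cfg = dict(DEFAULT_CONFIG)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in cfg:
            cfg[key] = int(value.strip())
    return cfg


def expiry_check(not_after, now, cfg, last_check=None):
    """Return (checked, warn): whether a check is due now (interval elapsed
    since last_check, or never checked) and, if so, whether the certificate
    is within warnDaysBefore of expiry."""
    interval = timedelta(days=cfg["checkIntervalDays"])
    checked = last_check is None or (now - last_check) >= interval
    warn = checked and (not_after - now) <= timedelta(days=cfg["warnDaysBefore"])
    return checked, warn


def run_scenarios():
    """Worked scenarios on constructed clocks; returns a dict of results."""
    install = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)   # server clock at install
    not_before, not_after = issue_self_signed(install)
    cfg = load_expiry_config("# expiry settings\nwarnDaysBefore=14\ncheckIntervalDays=7\n")
    seven_days_out = not_after - timedelta(days=7)
    return {
        # endpoint 30 min behind the server: within tolerance, accepted
        "endpoint_30min_behind": handshake_accepts(not_before, not_after, install - timedelta(minutes=30)),
        # endpoint 2 h behind: the certificate is "not yet valid" there, rejected
        "endpoint_2h_behind": handshake_accepts(not_before, not_after, install - timedelta(hours=2)),
        # endpoint a day ahead of the server: fine, the window has started
        "endpoint_1day_ahead": handshake_accepts(not_before, not_after, install + timedelta(days=1)),
        # two days past notAfter: expired, rejected
        "after_expiry": handshake_accepts(not_before, not_after, not_after + timedelta(days=2)),
        "config": cfg,
        # 7 days before expiry, never checked before: check runs and warns
        "warn_7_days_out": expiry_check(not_after, seven_days_out, cfg),
        # same moment, last check 3 days ago with a 7-day interval: nothing happens
        "too_soon_to_recheck": expiry_check(not_after, seven_days_out, cfg,
                                            last_check=seven_days_out - timedelta(days=3)),
        # five months out: check runs, no warning
        "far_from_expiry": expiry_check(not_after, not_after - timedelta(days=150), cfg),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The asymmetry the gotcha describes falls out of the model: a server clock that is behind the endpoint only makes the certificate look older, which is harmless until expiry, while a server clock ahead of the endpoint puts notBefore in the endpoint's future.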
Backup Slides
More information as available at the time of presentation…
§ Migration from 4.x
§ Footprint comparisons
§ Install
§ Functional differences across platforms
Reduced Agent Footprint (table: Tier 1 and Tier 2 agent sizes for Windows and Linux, 4.x Tier 2 versus 5.x; only one cell survives extraction, 10* MB)
*does not include RAID