IBM Systems and Technology Group
© 2005 IBM Corporation
This presentation is intended for the education of IBM and Business Partner sales personnel. It should not be distributed to customers.

Page 1

IBM Director Agent 5.10

Eric W. Brown, Sridhar Venkat, Julianne Bielski

Page 2

Agenda

Motivation

High-level Architecture

New Features

Tier 0 / 1 functions

Security

Discovery preferences

Promotion

Gotchas

Page 3

Motivation

Marketing requirements
– Open
– Integrated
– Easy-to-use

Reduced agent footprint
– Windows
– Linux
– AIX
– i5/OS

Give customers more choice
– Alert function only
– Upward integration only
– Full-featured Director
– Easily promote to higher levels of functionality

Page 4

Tier 0 high-level architecture (diagram)

Director Server to endpoint Operating System, over standard IANA ports used for discovery, security, and management:
– ssh service** on port 22
– DCOM on ports 137*, 138*, 139*, 145*

Inventory collectors are copied to the system using sftp or Windows RPC, then invoked; data is collected, and the collectors are deleted.

*Windows only
**Must be provided by operating system

Page 5

Tier 1 high-level architecture (diagram)

Director Agent (Tier 1) components:
– CIMOM (Pegasus, WMI); wmicimserver* on Windows
– Pegasus providers
– cimsubscribe
– CIM Event Listener with a choice of event consumers: SNMP Event Consumer, Tivoli Event Consumer, Director Event Consumer. Not all consumers are necessary; just choose the one needed for a specific UIM environment.
– Inventory collectors and CIM2MIF
– CIM Client programs, talking cim-xml over http to the CIMOM
– slp service agent, which publishes the tier1 slp attributes
– ssh service

Connections to external managers (standard IANA ports used for discovery, security, and management):
– Director Server to CIMOM: cim/xml over https, port 5989
– CIM events for the Director consumer are sent to the remote CIM listener on the Director Server
– slp 427, ssh 22, snmp 162 (SNMP Manager); Tivoli receives events from the Tivoli Event Consumer

*Windows only

Page 6

Tier 2 high-level architecture (diagram)

Tier 2 contains the Tier 1 components (CIMOM (Pegasus, WMI) with wmicimserver* on Windows, Pegasus providers, cimsubscribe, CIM Event Listener, Director Event Consumer, Inventory collectors, CIM2MIF, CIM Client programs over cim-xml over http, slp service agent publishing the tier1 slp attributes, ssh service) plus:
– Director Agent Task Framework with Director subagents
– CIM events for the Director consumer are sent to the local CIM listener on Tier 2
– Director IPC to the Director Server on port 14247 or 14248
– ssh (port 22) if wanted for secure Remote Session

*Windows only

Page 7

Features

No reboot required after install on Tier 1 or Tier 2

– Caveat – endpoint must have MSI 3.0 installed

Smaller footprint

Choice on endpoint functional profile

Ease of agent deployment using Tier 0 discover and push

Standard security protocols

Standard discovery protocol

Event subscription CLI

Optional OpenSSH package for Windows

Page 8

Tier 0 function

Discovery

Request Access

Inventory*

Remote Session (requires ssh on the target system)

Power Control

Promotion to Tier 1 or 2 through Update Assistant

Event Log

– Online/Offline only

*Windows and Linux only

Page 9

Tier 1 function*

All Tier 0 function

Additional inventory data

Promotion to Tier 2 through Update Assistant

Alerts

Hardware Status

Power Control across Windows and Linux

Upward integration support programs

Event subscription CLI (See Jake Kitchener’s presentation)

Optional OpenSSH package for Windows

*Windows and Linux only

Page 10

Tier 1 function – Request Access

A self-signed certificate is created at Server install time by the GenCertificate tool

The generated certificate is valid for 365 days from the date of installation

The certificate is stored in the data\cim\keystore directory as ibmd_cert.jks

The data\cim\keystore\key.credential file contains the password and alias information, encrypted

When a Tier 1 system is discovered and unlocked, this certificate is pushed to the CIMOM side using the user ID and password supplied in the RequestAccess dialog box; the userid/pw must have admin-level privileges

All subsequent access to the Tier 1 system (ping, hardware status, power management) is done in the context of the Director Server certificate identity

Warning events are sent if the certificate is about to expire. The user can configure how many days in advance the warning should be sent and how often certificate validity should be checked, through the data\CertificateExpirationManager.properties file

An event action plan can be set in advance to get notification when the certificate is about to expire

Page 11

Tier 1 function – Alerts

When a Tier 1 system is discovered and unlocked successfully, subscriptions are created
– A filter is created with the Director Server’s UID as the filter name
– A handler is created with the Director Server’s UID as the handler name. The destination is set to http://<Director server ip address>:6988/CIMListener/DirectorConsumer/<server’s ip address>
– A subscription is created with the above filter and handler
– The CIM Listener distributes CIM instances to the Director consumer, which delivers them to the appropriate Director server
– The server’s UID is used as the name for the filter and handler so that multiple servers can manage a Tier 1 system effectively

Page 12

Tier 1 function – Hardware Status

When a Tier 1 system is discovered and unlocked, Hardware Status retrieves the initial status

All subsequent updates to the Hardware Status GUI for the system are made as a result of asynchronous events sent to the Director server by the system

Initial status for a system is retrieved

– When an already discovered Tier 1 system goes to Online from offline state

– When the Director server managing the system is restarted

– When a new Tier 1 system is discovered and unlocked

– When already unlocked Tier 0 system is promoted to Tier 1

Page 13

Tier 1 function – Power control

When a Tier 1 system is discovered and unlocked, Power Control tasks are made available for the system

Power management for Tier 1 systems is done using the CIM protocol

Reboot and shutdown power options are available for Tier 1 systems

Reboot

– Reboot method of IBMPSG_OperatingSystem instance of root/ibmsd namespace is invoked after accessing CIMOM through certificate

Shutdown

– Shutdown method of IBMPSG_OperatingSystem instance of root/ibmsd namespace is invoked after accessing CIMOM through certificate

Page 14

Tier 1 function – OpenSSH package for Windows

The OpenSSH for Windows 3.8p1-1 package is distributed on the product CD

Can be deployed through the Software Distribution task

– Discover the Windows box as a Tier 0 or Tier 1 box

• Make sure DCOM protocol is available in Attribute list

• Import OpenSSH package using UpdateAssistant wizard

• Drag-and-drop or schedule for distribution

• Post-distribution configuration required to distribute public key

Secure remote session task can be performed after deploying and configuring OpenSSH

Page 15

Security

Tier 0
– Windows
• The UserID/Password used to initially request access is stored on the management server. If the user later removes or changes these credentials on the endpoint, the managed object will relock on the next ping or next task invocation.
• Protocol used is DCOM (Windows RPC, the same protocol used for ‘net use’)
– Linux/AIX/i5OS
• If the UserID/Password presented at RequestAccess time is valid, ssh keys are generated and the public key is copied and published to the remote endpoint. This way, the userid/pw does not have to be stored on the management server, and there’s protection from changes in credentials on the endpoint
• Protocol used is ssh

Page 16

Security

Tier 0 to Tier 1 promotion
– Security protocol updated from Tier 0 userid/pw-based to Tier 1 certificate-based upon promotion. No additional Request Access is required as long as the original credentials were not changed.

Tier 1
– Windows
• Director Server uses SSL certificate-based client authentication to wmicimserver for Hardware Status, Power Control, EAPs
• Director Server uses Windows native security and ssh public key (if ssh is available on the Windows node) for Software Distribution and Inventory (because they involve copying down files, not connecting to the CIMOM)
– Linux
• Director Server uses SSL certificate-based client authentication to Pegasus for Hardware Status, Power Control, EAPs
• Director Server uses ssh for Software Distribution and Inventory

Self-signed certificate generated for the Director Server at install time
– Certificate is valid for 365 days
– A new self-signed certificate can be generated and deployed through the CLI
– Signed certificates can be imported into the server trust store and deployed to endpoints using the CLI (need example from Heather)

Tier 1 to Tier 2 promotion
– Security protocol updated from Tier 1 SSL certificates to Tier 2 certificates upon promotion

Page 17

Discovery Preferences

Tier 0
– User can add unicast ranges or single addresses to scan
– User can also import a list of addresses/ranges from a file

Tier 1
– SLP attributes: these values are used by the SLP user agent to discover Tier 1 system(s)
• List of SLP directory agent IP addresses
• List of SLP scopes
• Timeout period in seconds
• Multicast / broadcast boolean switches
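As an added illustration (not part of the deck or of the product), the following Python expands the Tier 0 discovery preferences into a scan list: single addresses, inclusive ranges written lo-hi, and CIDR blocks (the range and CIDR syntax, the size guard and the sample import file are assumptions), rejecting anything that is not unicast and collapsing duplicates from an imported file.

```python
import ipaddress
from typing import Iterable, List

# Added example: expand Tier 0 discovery preferences (single addresses and
# unicast ranges, typed in the console or imported from a file) into the
# IPv4 addresses to scan. Entry syntax is assumed:
#   192.0.2.10               single address
#   192.0.2.10-192.0.2.20    inclusive range
#   192.0.2.0/28             CIDR block (host addresses only)
# '#' comments and blank lines in an imported file are skipped.
MAX_RANGE = 65536  # assumed guard: refuse anything larger than a /16

def _check_unicast(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        raise ValueError(f"{addr} is not a unicast address")
    return addr

def expand_entry(entry: str) -> List[ipaddress.IPv4Address]:
    """Expand one preferences entry; raises ValueError on bad input."""
    text = entry.strip()
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        if net.num_addresses > MAX_RANGE:
            raise ValueError(f"{text} exceeds the {MAX_RANGE}-address limit")
        return [_check_unicast(h) for h in net.hosts()]
    if "-" in text:
        lo_s, hi_s = (p.strip() for p in text.split("-", 1))
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if hi < lo:
            raise ValueError(f"range {text} ends before it starts")
        if int(hi) - int(lo) + 1 > MAX_RANGE:
            raise ValueError(f"{text} exceeds the {MAX_RANGE}-address limit")
        return [_check_unicast(ipaddress.IPv4Address(i))
                for i in range(int(lo), int(hi) + 1)]
    return [_check_unicast(ipaddress.IPv4Address(text))]

def expand_entries(lines: Iterable[str]) -> List[str]:
    """Expand many entries, dropping comments, blanks and duplicates; sorted."""
    seen = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        seen.update(expand_entry(line))
    return [str(a) for a in sorted(seen)]

# Constructed sample import file (not from the deck).
SAMPLE_FILE = """\
# Tier 0 discovery targets (constructed sample)
192.0.2.10
192.0.2.20-192.0.2.22
192.0.2.0/30
192.0.2.21        # duplicate, collapsed
"""
```

Calling expand_entries(SAMPLE_FILE.splitlines()) yields six distinct addresses; a multicast entry such as 224.0.0.1 or a reversed range is refused with a ValueError.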

Page 18

Promotion - Technology

UpdateXPress XML package descriptors

– xSeries developed descriptor used in UX product and Director 3.x, 4.x, 5.x products to describe packages

SolutionInstall XML package descriptors

– eServer developed descriptor used by Director 5.x product, Tivoli Configuration Manager in 5/05 product

– Taken forward to W3C as a standard; supported by InstallShield and NetZero

Software Distribution 5.1 enhanced to support SI packages, software health-specific tags, and distribution of updates to Tier 1

Net: the files have slightly different naming conventions and are converging on supported features, so that all eServer systems management products, including UX, will use SI in 2006

Page 19

Promotion - Packages

Tier 1 Package
– Windows
• Point to coresvcs\dir5.10_coreservices-toc_windows.xml
• The TableOfContents XML brings in options for both Tier 1 and OpenSSH
– Linux
• Point to coresvcs\dir5.10_coreservices-toc_linux.xml (quicker than drilling down to the META-INF directory)

Tier 2 Package
– Windows
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_windows_installArtifact.xml
– Linux
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_linux_installArtifact.xml
– AIX
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_aix_installArtifact.xml
– i5/OS
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_i5OS_installArtifact.xml

Page 20

Windows Tier 1 Packages for IA32, x86-64

Page 21

Promotion - Process

Tier 0 systems can be promoted to Tier 1 or Tier 2, and Tier 1 systems to Tier 2

Any Solution Install-based package can be deployed onto Tier 0 or Tier 1 systems using enhanced software distribution (look for *installArtifact.xml)

Use the existing Update Assistant Wizard to import SI packages and create software distribution subtasks

Update Assistant Wizard modified to accept SI xml files as inputs; still supports legacy UX package descriptors

Once the package is imported and the subtask created, it can be deployed onto a system or group of systems through the drag and drop method

Validation: the operating system and operating system architecture details from the package are verified against the same attributes of the managed objects.

Deployment is done over SSH

Only three deployments at a time, but the number is controlled internally

User experience is same as existing Software Distribution functionality

Tier 2 package deployment includes copying of Director server’s public key, so that Tier 2 system appears unlocked after promotion

Page 22

Gotchas

Certificate timestamp

– Within a given timezone, server time must be at same time or earlier than the endpoint +/- 1 hour, otherwise certificate will be considered invalid by SSL handshake protocol [Heather has fixed this problem. Need update]

If a locked Tier 0 system’s IP address changes, and the user’s DNS server isn’t set up to resolve the new IP address to the existing FQDN, a second system will appear in the console and must be manually deleted

If an unlocked, Windows Tier 0 system’s Request Access credentials are deleted or changed on the endpoint, system will relock upon next Presence check

Windows XP SP2 systems have Internet Firewall turned on by default, which will prevent Tier 0 discovery and management on this OS. Port must be opened manually, or ICF disabled.

No Tier 0 or 1 support for IA64
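The certificate rules from the Request Access slide (365-day self-signed certificate, warning a configurable number of days before expiry) and the certificate-timestamp gotcha above, modelled in Python as an added example that is not the product's code; the install date, the 30-day warning setting and the scenario names are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Added example (not the product's code) modelling the checks the deck describes:
# the Director Server's self-signed certificate is valid for 365 days from
# installation; the endpoint's SSL handshake rejects it when the server clock
# runs ahead of the endpoint clock by more than 1 hour (the "certificate
# timestamp" gotcha); the expiration manager warns N days before expiry.
CERT_LIFETIME = timedelta(days=365)   # from the deck
CLOCK_SKEW = timedelta(hours=1)       # tolerance stated on the Gotchas slide

def certificate_window(installed_at: datetime) -> Tuple[datetime, datetime]:
    """notBefore/notAfter of the certificate generated at server install time."""
    return installed_at, installed_at + CERT_LIFETIME

def accepted_by_endpoint(installed_at: datetime, endpoint_now: datetime,
                         skew: timedelta = CLOCK_SKEW) -> bool:
    """Would the endpoint's SSL handshake accept the server certificate?
    The endpoint checks the validity window against its own clock, so a server
    clock ahead by more than the skew puts notBefore in the endpoint's future.
    """
    not_before, not_after = certificate_window(installed_at)
    return not_before - skew <= endpoint_now <= not_after + skew

def expiry_warning_due(installed_at: datetime, now: datetime,
                       days_in_advance: int) -> bool:
    """True when the expiration manager should raise its warning event."""
    _, not_after = certificate_window(installed_at)
    return now >= not_after - timedelta(days=days_in_advance)

def days_until_expiry(installed_at: datetime, now: datetime) -> int:
    return (certificate_window(installed_at)[1] - now).days

# Constructed sample: server installed 2005-06-01 12:00 UTC (not from the deck).
INSTALL = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)

def scenarios() -> dict:
    """Worked cases; run stand-alone to print them."""
    return {
        "endpoint_30min_behind": accepted_by_endpoint(INSTALL, INSTALL - timedelta(minutes=30)),
        "endpoint_2h_behind": accepted_by_endpoint(INSTALL, INSTALL - timedelta(hours=2)),
        "endpoint_2h_ahead": accepted_by_endpoint(INSTALL, INSTALL + timedelta(hours=2)),
        "expired": accepted_by_endpoint(INSTALL, INSTALL + timedelta(days=366)),
        "warn_10d_left": expiry_warning_due(INSTALL, INSTALL + timedelta(days=355), 30),
        "warn_100d_left": expiry_warning_due(INSTALL, INSTALL + timedelta(days=265), 30),
        "days_left": days_until_expiry(INSTALL, INSTALL + timedelta(days=355)),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

An endpoint whose clock is behind the server by more than the skew rejects the freshly generated certificate, while one running ahead accepts it, which is the asymmetry the gotcha describes.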

Page 23

Backup Slides

Page 24

More information as available at the time of presentation…

Migration from 4.x

Footprint comparisons

Install

Functional differences across platforms

Page 25

Reduced Agent Footprint

(table; only one cell survived extraction)

            Tier 1      Tier 2
Windows     10* MB
Linux

            Tier 2 4.x  Tier 2 5.x
Windows
Linux

*does not include RAID