IBM Systems and Technology Group
© 2005 IBM Corporation
This presentation is intended for the education of IBM and Business Partner sales personnel. It should not be distributed to customers.
IBM Director Agent 5.10
Eric W. Brown, Sridhar Venkat, Julianne Bielski
Agenda
Motivation
High-level Architecture
New Features
Tier 0 / 1 functions
Security
Discovery preferences
Promotion
Gotchas
Motivation
Marketing requirements
– Open
– Integrated
– Easy-to-use
Reduced agent footprint
– Windows
– Linux
– AIX
– i5/OS
Give customers more choice
– Alert function only
– Upward integration only
– Full-featured Director
– Easily promote to higher levels of functionality
Tier 0 high-level architecture
[Architecture diagram; the recoverable labels follow]
Director Server talks to the endpoint Operating System over the ssh service** (port 22) and over DCOM
– Inventory collectors are copied to the system using sftp or Windows RPC, then invoked, the data collected, and the collectors deleted
– Standard IANA ports used for discovery, security, and management: ssh 22; 137*, 138*, 139*, 145*
*Windows only
**Must be provided by operating system
Tier 1 high-level architecture
[Architecture diagram; the recoverable labels follow]
Director Agent (Tier 1) components
– CIMOM (Pegasus, WMI); wmicimserver*; Pegasus providers; cimsubscribe
– CIM Event Listener with event consumers: SNMP Event Consumer, Tivoli Event Consumer, Director Event Consumer (not all consumers are necessary; just choose the one needed for a specific UIM environment)
– Inventory collectors; CIM2MIF; CIM Client programs (cim-xml over http to the CIMOM)
– slp service agent; ssh service
Director Server to Director Agent: cim/xml over https (5989); tier1 slp attributes publish (slp 427); ssh (22)
CIM events for the Director consumer are sent to the remote CIM listener on the Director Server
SNMP Manager receives snmp (162); Tivoli receives from the Tivoli Event Consumer
Standard IANA ports used for discovery, security, and management
*Windows only
Tier 2 high-level architecture
[Architecture diagram; the recoverable labels follow]
Tier 1 layer: CIMOM (Pegasus, WMI); wmicimserver*; Pegasus providers; cimsubscribe; CIM Event Listener with Director Event Consumer; Inventory collectors; CIM2MIF; CIM Client programs (cim-xml over http to the CIMOM); slp service agent; ssh service; tier1 slp attributes publish
Tier 2 layer: Director Agent Task Framework hosting Director subagents
CIM events for the Director consumer are sent to the local CIM listener on Tier 2
Director Server to Director Agent: Director IPC (14247 or 14248); ssh (22) if wanted for secure Remote Session
*Windows only
Features
No reboot required after install on Tier 1 or Tier 2
– Caveat – endpoint must have MSI 3.0 installed
Smaller footprint
Choice on endpoint functional profile
Ease of agent deployment using Tier 0 discover and push
Standard security protocols
Standard discovery protocol
Event subscription CLI
Optional OpenSSH package for Windows
Tier 0 function
Discovery
Request Access
Inventory*
Remote Session (requires ssh on the target system)
Power Control
Promotion to Tier 1 or 2 through Update Assistant
Event Log
– Online/Offline only
*Windows and Linux only
Tier 1 function*
All Tier 0 function
Additional inventory data
Promotion to Tier 2 through Update Assistant
Alerts
Hardware Status
Power Control across Windows and Linux
Upward integration support programs
Event subscription CLI (See Jake Kitchener’s presentation)
Optional OpenSSH package for Windows
*Windows and Linux only
Tier 1 function – Request Access
Self-signed certificate is created at Server install time by the GenCertificate tool
Generated certificate is valid for 365 days from the date of installation
Certificate is stored in the data\cim\keystore directory as ibmd_cert.jks
The data\cim\keystore\key.credential file contains the password and alias information, encrypted
When a Tier 1 system is discovered and unlocked, this certificate is pushed to the CIMOM side using the user ID and password supplied in the Request Access dialog box; the user ID/password must have admin-level privileges
All subsequent access to the Tier 1 system (ping, hardware status, power management) is done in the context of the Director Server certificate identity
Warning events will be sent if the certificate is about to expire. The user can configure how many days in advance the warning should be sent and how often certificate validity should be checked, through the data\CertificateExpirationManager.properties file
An event action plan can be set in advance to get a notification when the certificate is about to expire
Tier 1 function – Alerts
When a Tier 1 system is discovered and unlocked successfully, subscriptions are created
– A filter is created with the Director Server’s UID as the filter name
– A handler is created with the Director Server’s UID as the handler name. Its destination is set to http://<Director server ip address>:6988/CIMListener/DirectorConsumer/<server’s ip address>
– A subscription is created with the above-mentioned filter and handler
– The CIM Listener distributes CIM instances to the Director consumer to be delivered to the appropriate Director server
– The Server’s UID is used as the name for the filter and handler so that multiple Servers can manage a Tier 1 system effectively
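As an added illustration of the per-server naming scheme on the Alerts slide (this is example code, not IBM Director code): a toy model of the filter, handler and subscription records a Tier 1 endpoint holds, keyed by Director Server UID, with the handler destination built from the port 6988 URL pattern the slide gives. The class and method names, the filter query text and the toy indication matching are assumptions.

```python
"""Toy model of CIM indication subscriptions on a Tier 1 endpoint.
Added example, not IBM Director code. The destination URL pattern and the
port follow the Alerts slide; class/method names and the query are assumed."""
from dataclasses import dataclass, field

LISTENER_PORT = 6988  # CIM listener port from the handler destination on the slide


@dataclass(frozen=True)
class Filter:
    name: str           # Director Server UID
    query: str          # indication filter query (assumed text, see unlock())


@dataclass(frozen=True)
class Handler:
    name: str           # Director Server UID
    destination: str    # CIM listener URL on the managing Director Server


@dataclass(frozen=True)
class Subscription:
    filter_name: str
    handler_name: str


def listener_url(server_ip):
    """Handler destination in the form given on the slide."""
    return f"http://{server_ip}:{LISTENER_PORT}/CIMListener/DirectorConsumer/{server_ip}"


def query_class(query):
    """Class named after FROM in a 'SELECT * FROM <class> ...' query (toy parser)."""
    return query.split("FROM", 1)[1].split()[0]


@dataclass
class Tier1Endpoint:
    filters: dict = field(default_factory=dict)        # server UID -> Filter
    handlers: dict = field(default_factory=dict)       # server UID -> Handler
    subscriptions: set = field(default_factory=set)

    def unlock(self, server_uid, server_ip, query="SELECT * FROM CIM_AlertIndication"):
        """What a Director Server's successful Request Access leaves behind.
        Keyed by UID, so repeating it is idempotent and a second server with
        its own UID gets its own filter/handler/subscription triple."""
        dest = listener_url(server_ip)
        self.filters[server_uid] = Filter(server_uid, query)
        self.handlers[server_uid] = Handler(server_uid, dest)
        self.subscriptions.add(Subscription(server_uid, server_uid))
        return dest

    def remove_server(self, server_uid):
        """Tear down only this server's triple; other servers are untouched."""
        self.subscriptions.discard(Subscription(server_uid, server_uid))
        self.filters.pop(server_uid, None)
        self.handlers.pop(server_uid, None)

    def deliver(self, indication):
        """Destinations that receive an indication: every subscription whose
        filter class matches the indication's (constructed) ClassName field."""
        return sorted(
            self.handlers[sub.handler_name].destination
            for sub in self.subscriptions
            if indication.get("ClassName") == query_class(self.filters[sub.filter_name].query)
        )


if __name__ == "__main__":
    ep = Tier1Endpoint()
    ep.unlock("server-A-uid", "192.0.2.10")   # constructed UIDs and addresses
    ep.unlock("server-B-uid", "192.0.2.20")
    print(ep.deliver({"ClassName": "CIM_AlertIndication"}))
```

Had the filter and handler been given a fixed name instead of the server UID, the second server's unlock would have overwritten the first server's handler destination and silently stopped its alerts; naming by UID is what lets two servers manage the same Tier 1 system.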
Tier 1 function – Hardware Status
When a Tier 1 system is discovered and unlocked, the initial hardware status is retrieved
All subsequent updates to the Hardware Status GUI for the system are made as a result of asynchronous events sent to the Director server by the system
Initial status for a system is retrieved
– When an already discovered Tier 1 system goes from Offline to Online state
– When the Director server managing the system is restarted
– When a new Tier 1 system is discovered and unlocked
– When an already unlocked Tier 0 system is promoted to Tier 1
Tier 1 function – Power control
When a Tier 1 system is discovered and unlocked, Power Control tasks are made available for the system
Power management for Tier 1 systems is done using the CIM protocol
Reboot and shutdown power options are available for Tier 1 systems
Reboot
– The Reboot method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate
Shutdown
– The Shutdown method of the IBMPSG_OperatingSystem instance in the root/ibmsd namespace is invoked after accessing the CIMOM through the certificate
Tier 1 function – OpenSSH package for Windows
OpenSSH for Windows 3.8p1-1 package is distributed on the product CD
Can be deployed through the Software Distribution task
– Discover the Windows box as a Tier 0 or Tier 1 box
• Make sure the DCOM protocol is available in the Attribute list
• Import the OpenSSH package using the Update Assistant wizard
• Drag-and-drop or schedule for distribution
• Post-distribution configuration is required to distribute the public key
Secure remote session task can be performed after deploying and configuring OpenSSH
Security
Tier 0
– Windows
• UserID/Password used to initially request access is stored on the management server. If the user later removes or changes these credentials on the endpoint, the managed object will relock on the next ping or next task invocation.
• Protocol used is DCOM (Windows RPC, the same protocol used for ‘net use’)
– Linux/AIX/i5OS
• If the UserID/Password presented at Request Access time is valid, ssh keys are generated and the public key is copied and published to the remote endpoint. This way the userid/pw does not have to be stored on the management server, and there is protection from changes in credentials on the endpoint
• Protocol used is ssh
Security
Tier 0 to Tier 1 promotion
– Security protocol is updated from Tier 0 userid/pw-based to Tier 1 certificate-based upon promotion. No additional Request Access is required as long as the original credentials were not changed.
Tier 1
– Windows
• Director Server uses SSL certificate-based client authentication to wmicimserver for Hardware Status, Power Control, EAPs
• Director Server uses Windows native security and the ssh public key (if ssh is available on the Windows node) for Software Distribution and Inventory (because they involve copying down files, not connecting to the CIMOM)
– Linux
• Director Server uses SSL certificate-based client authentication to Pegasus for Hardware Status, Power Control, EAPs
• Director Server uses ssh for Software Distribution and Inventory
Self-signed certificate generated for Director server at install time
– Certificate is valid for 365 days
– New self-signed certificate can be generated and deployed through CLI
Signed certificates can be imported into the server trust store and deployed to endpoints using CLI (need example from Heather)
Tier 1 to Tier 2 promotion
– Security protocol is updated from Tier 1 SSL certificates to Tier 2 certificates upon promotion
Discovery Preferences
Tier 0
– User can add unicast ranges or single addresses to scan
– User can also import a list of addresses/ranges from a file
Tier 1
– SLP attributes: these values are used by the SLP user agent to discover Tier 1 system(s)
• List of SLP directory agent IP addresses
• List of SLP scopes
• Timeout period in seconds
• Multicast / broadcast boolean switches
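As an added example, not part of the original deck and not IBM Director code: a parser for the Tier 0 scan list of single addresses and unicast ranges that a user would import from a file, expanding each entry to the addresses to probe and rejecting anything that is not unicast. The file format (one entry per line, '#' comments, entries of the form a.b.c.d, a.b.c.d-w.x.y.z or a.b.c.d/nn) and the expansion cap are assumptions; the deck does not specify a format, and the CIDR form goes beyond what the slide lists.

```python
"""Parse a Tier 0 discovery scan list into the IPv4 addresses to probe.
Added example, not IBM Director code. File format is an assumption: one entry
per line, '#' starts a comment, entries are a.b.c.d, a.b.c.d-w.x.y.z
(inclusive range) or a.b.c.d/nn."""
import ipaddress

MAX_RANGE = 65536  # assumed safety cap: refuse to expand enormous ranges

# Constructed sample list; the addresses are documentation ranges.
SAMPLE_SCAN_LIST = """\
# constructed sample scan list
192.0.2.10
192.0.2.20-192.0.2.23
198.51.100.0/30      # network and broadcast addresses are skipped
224.0.0.1            # multicast: rejected, only unicast is scanned
192.0.2.5-192.0.2.1  # backwards range: rejected
"""


def is_unicast(addr):
    """Reject multicast, loopback, unspecified, reserved and limited broadcast."""
    return not (addr.is_multicast or addr.is_loopback or addr.is_unspecified
                or addr.is_reserved)


def parse_entry(entry):
    """Return the list of IPv4Address objects one entry denotes; raise ValueError otherwise."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.num_addresses > MAX_RANGE:
            raise ValueError(f"range too large: {entry}")
        hosts = list(net.hosts()) if net.prefixlen < 31 else list(net)
    elif "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range start after end: {entry}")
        if int(hi) - int(lo) + 1 > MAX_RANGE:
            raise ValueError(f"range too large: {entry}")
        hosts = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    else:
        hosts = [ipaddress.IPv4Address(entry)]
    bad = [str(a) for a in hosts if not is_unicast(a)]
    if bad:
        raise ValueError(f"non-unicast address in {entry}: {bad[0]}")
    return hosts


def parse_scan_list(text):
    """Parse a whole file; returns (sorted unique addresses, list of error strings).
    Bad lines are reported, not fatal, so one typo does not block the scan."""
    targets, errors = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            targets.update(parse_entry(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return sorted(targets), errors


if __name__ == "__main__":
    addrs, errs = parse_scan_list(SAMPLE_SCAN_LIST)
    print(len(addrs), "targets;", errs)
```

The per-line error list matters on a discovery preferences page: a rejected range is reported back to the user rather than silently dropped, and the unicast check keeps a mistyped multicast or broadcast address out of the scan set.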
Promotion - Technology
UpdateXPress XML package descriptors
– xSeries-developed descriptor used in the UX product and the Director 3.x, 4.x, 5.x products to describe packages
SolutionInstall XML package descriptors
– eServer-developed descriptor used by the Director 5.x product and by Tivoli Configuration Manager in the 5/05 product
– Taken forward to W3C as a standard; supported by InstallShield and NetZero
Software Distribution 5.1 enhanced to support SI packages, software health-specific tags, and distribution of updates to Tier 1
NET: files have slightly different naming conventions and are converging on supported features so that all eServer systems management products, including UX, will use SI in 2006
Promotion - Packages
Tier 1 Package
– Windows
• Point to coresvcs\dir5.10_coreservices-toc_windows.xml
• TableOfContents XML brings in options for both Tier 1 and OpenSSH
– Linux
• Point to coresvcs\dir5.10_coreservices-toc_linux.xml (quicker than drilling down to the META-INF directory)
Tier 2 Package
– Windows
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_windows_installArtifact.xml
– Linux
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_linux_installArtifact.xml
– AIX
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_aix_installArtifact.xml
– i5/OS
• Point to director\agent\windows\i386\META-INF\dir5.10_agent_i5OS_installArtifact.xml
Windows Tier 1 Packages for IA32, x86-64
Promotion - Process
Tier 0 and Tier 1 systems can be promoted to Tier 1 and Tier 2 systems
Any Solution Install-based package can be deployed onto Tier 0 or Tier 1 systems using enhanced software distribution (look for *installArtifact.xml)
Use existing Update Assistant Wizard to import SI packages and create software distribution subtasks
Update Assistant Wizard modified to accept SI xml files as inputs; still supports legacy UX package descriptors
Once package is imported and subtask created, it can be deployed onto a system or group of systems through drag and drop method
Validation: operating system and operating system architecture details from the package are verified against the same attributes of the managed objects
Deployment is done over SSH
Only three deployments at a time, but the number is controlled internally
User experience is same as existing Software Distribution functionality
Tier 2 package deployment includes copying of Director server’s public key, so that Tier 2 system appears unlocked after promotion
Gotchas
Certificate timestamp
– Within a given timezone, the server time must be the same as or earlier than the endpoint time +/- 1 hour; otherwise the certificate will be considered invalid by the SSL handshake protocol [Heather has fixed this problem. Need update]
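As an added example (not IBM Director code) covering both the certificate-expiration warning configured through data\CertificateExpirationManager.properties on the Request Access slide and the certificate timestamp gotcha here: the validity window of a self-signed certificate created at install time, the endpoint-side handshake check with a clock tolerance, and the warning schedule. The 365-day validity and the +/- 1 hour tolerance come from the deck; the property key names, function names and the exact check logic are assumptions.

```python
"""Certificate time checks for a Director Server self-signed certificate.
Added example, not IBM Director code. Property key names are assumed; the
365-day validity and the one-hour tolerance are the values the deck states."""
from datetime import datetime, timedelta, timezone

SKEW_TOLERANCE = timedelta(hours=1)      # "+/- 1 hour" from the Gotchas slide
DEFAULT_VALIDITY = timedelta(days=365)   # validity stated on the certificate slide

# Constructed sample of data\CertificateExpirationManager.properties.
# The key names are assumptions, not the product's real keys.
SAMPLE_PROPS = """\
# constructed sample; key names are assumptions
warn.days.before=14
check.interval.hours=12
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def self_signed_window(install_time, validity=DEFAULT_VALIDITY):
    """(notBefore, notAfter) as a tool like GenCertificate sets them at install time."""
    return install_time, install_time + validity


def handshake_accepts(endpoint_now, not_before, not_after, tolerance=SKEW_TOLERANCE):
    """Endpoint-side validity check with clock tolerance. A server clock running
    more than `tolerance` ahead of the endpoint yields a notBefore that is still
    in the endpoint's future, so the handshake rejects the certificate."""
    return not_before - tolerance <= endpoint_now <= not_after + tolerance


def days_until_expiry(now, not_after):
    return (not_after - now).days


def expiry_warning_due(now, not_after, props, last_check):
    """Decide whether the expiration manager runs a check on this pass and, if
    so, whether it should emit a warning event. Returns (checked, warn)."""
    warn_days = int(props.get("warn.days.before", "30"))
    interval = timedelta(hours=int(props.get("check.interval.hours", "24")))
    if last_check is not None and now - last_check < interval:
        return False, False
    return True, days_until_expiry(now, not_after) <= warn_days


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPS)
    install = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    nb, na = self_signed_window(install)
    print("endpoint 2h behind server accepts cert:",
          handshake_accepts(install - timedelta(hours=2), nb, na))
    print("warning due 10 days before expiry:",
          expiry_warning_due(na - timedelta(days=10), na, props, None))
```

The check is asymmetric in the way the gotcha describes: an endpoint whose clock is ahead of the server still accepts the certificate (notBefore is in its past), while an endpoint more than the tolerance behind the server sees a certificate from the future and rejects it, so NTP on both sides is the real fix.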
If a locked Tier 0 system’s IP address changes, and the user’s DNS server isn’t set up to resolve the new IP address to the existing FQDN, a second system will appear in the console and must be manually deleted
If an unlocked, Windows Tier 0 system’s Request Access credentials are deleted or changed on the endpoint, system will relock upon next Presence check
Windows XP SP2 systems have Internet Firewall turned on by default, which will prevent Tier 0 discovery and management on this OS. Port must be opened manually, or ICF disabled.
No Tier 0 or 1 support for IA64
Backup Slides
More information as available at the time of presentation…
Migration from 4.x
Footprint comparisons
Install
Functional differences across platforms
Reduced Agent Footprint
Agent size      Tier 1      Tier 2
Windows         10* MB
Linux

Agent size      Tier 2 4.x  Tier 2 5.x
Windows
Linux
*does not include RAID