Operational Instructions
Phase 1 Virtual
Server Provisioning
Table of Contents
Revisions
Introduction
General Information
    Objective
    Concepts
    EVERTEC Virtualization Environments
Procedures
    1.0 Initial Request
        1.1 Login to ServiceDesk
        1.2 Summary Information Section
        1.3 Virtual Server Initiative Information
        1.4 Create New Virtual Server
    2.0 Workflow Tasks
        2.1 Task List
        2.2 Validate Request
        2.3 Verify Licensing
        2.4 Validate and Assign IP
        2.5 Clone Server
        2.6 Virtual Server pre-defined Systems Firewall Rule
        2.7 Configure Antivirus Software
        2.8 Configure Server Monitoring
        2.9 Configure Storage space
        2.10 Configure Backup
        2.11 Virtual Server Pre-Certification
        2.12 Add to CMDB
        2.13 Secure Admin password in Vault
Revisions
Alterations to this document must be coordinated with the Legal Division of EVERTEC. Disclosure of this information will be considered a violation of the policies of the institution, including the Code of Ethics. Reproduction for non-authorized use is prohibited.

Date        Version  Description                              Author
2016-02-03  1        Original document                        David Sanchez
2016-02-07  2        Revision                                 David Sanchez
2016-02-10  3        Revision – added appendix A              David Sanchez
2016-03-01  4        Revision – new fields                    David Sanchez
2016-03-30  5        Revision – workflow tasks order changes  David Sanchez
Introduction
Server virtualization inherently provides the opportunity for faster system provisioning, making the IT organization more agile and responsive. Applying the same manual change management procedures to the virtual server provisioning workflow may undermine this value.
This document details the virtual server provisioning workflow for the three virtualization environments at EVERTEC: VMWare, PowerVM and z/VM.
General Information
Objective
Most of the steps involved in the provisioning of virtual servers are common to the three supported virtualization infrastructures at EVERTEC. When necessary, platform-specific deviations will be indicated.
The main purpose of this workflow is to dramatically reduce the time needed to place virtual servers in service once the request for provisioning is received. To achieve such agility, it is essential that phase 1 of virtual server provisioning follows a workflow that does not require going through the CAB process. The reasoning is:
o Risk mitigation
    - Use of Information Security pre-certified OS images (Golden Images).
    - As a requirement, the server will be patched to ensure it is up to date.
    - Immediately following activation of the server, it will be pre-certified by Information Security.
o Faster deployment benefits
    - Requestor may start working on configuration/installations in a matter of days instead of months.
    - Opportunity to initiate testing faster.
    - Reduced time to production.
Concepts
Virtualization: Technology that allows several operating systems to run on the same physical server at the same time, sharing physical resources such as processors, memory, disk, network interfaces and fiber channels.
Major virtualization benefits:
    - Infrastructure and administration simplification
    - Increased scalability
    - Maximizes resource usage
    - Power savings
    - Lower capital costs

Hypervisor: A hypervisor is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. Examples are VMWare, PowerVM and z/VM.

Virtual Machine: A self-contained operating environment that behaves as if it is a separate computer running under a host operating system (Hypervisor).

Golden Image: A Golden Image is a template for a virtual machine (VM). It may also be referred to as a clone image or master image.
Using Golden Images as templates provides consistent environments. Several Golden Images may be used for different platforms as well as types of supported services such as Database server, Application server and Web server, to name a few.
These Golden Images will be certified by the Information Security department on initial generation and as required after changes are applied to them, such as maintenance fixes or release upgrades.
EVERTEC Virtualization Environments
VMWare: Primarily used to host Windows and Linux (Red Hat) virtual machines (VMs) used as application, database or web servers. These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.
For redundancy purposes, at a minimum, the production servers will be assigned the following:
    - Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
    - Access to a shared CPU pool.
    - Redundant connectivity to the network.

PowerVM: Primarily used to host AIX virtual machines (VMs) used as application, database or web servers. These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.
For redundancy purposes, at a minimum, the production servers will be assigned the following:
    - Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
    - Access to a shared Virtual CPU pool.
    - Redundant connectivity to the network managed by two VIO servers, each managing a separate Network Interface. Each Network Interface is connected to separate Network Switches.

z/VM: Primarily used to host SuSE Linux Oracle Database virtual machines (VMs). These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.
For redundancy purposes, at a minimum, the production servers will be assigned the following:
    - Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
    - A minimum of two Virtual CPUs backed by at least two physical CPUs.
    - Connection to the network via a primary (active) virtual switch and a standby (failover) virtual switch, each connected to a different Network interface (OSA). Each OSA interface is physically connected to separate Network Switches.
Procedures
1.0 Initial Request
It is highly recommended that all important information be known before requesting virtual servers through this facility. Setting up meetings with areas such as Network Engineering, Information Security and the Unix or Windows group is advisable. The more information is provided at the time of opening the request, the faster the servers can be provisioned.
1.1 Login to ServiceDesk
Select the Service Desk/CA CMDB tab. Click on file and select New Virtual
Server Request…
1.2 Summary Information Section
1.2.1 The “Create New Change Order” panel is displayed. The fields in this panel are common to all servers requested under this change order and will be used to build the workflow tasks for the request. Enter as much information as possible to prevent the workflow from being held pending additional information. It is also highly recommended to attach any documentation pertinent to the request, such as business cases, proposals and project network diagrams, that would help in the verification and validation of the request.

Field Name: Description
Category: Drop-down field used to select whether the request is for Windows servers only, UNIX servers only or a combination of both.
Request Title: Text field used to enter a brief title to identify the request.
Order Description: Text field used to enter a more detailed description of the request. Use this field to enter information relevant to the request that is not covered by any of the fields in this form.
Justification: Non-required text field used to enter justification for this request.
1.3 Virtual Server Initiative Information
1.3.1 This section is used to enter information related to the initiative the
requested servers belong to.
Field Name: Description
Project: Lookup field to select the project this server belongs to.
Application: Lookup field to select the application.
Type of service: Drop-down field to select type of service this server will support:
    - Internal
    - Hosted
    - Collocation
Priority: Drop-down field to select priority level for the request:
    - Normal
    - High
    - Urgent
  Urgent priority requires justification.
Line of Business: Drop-down field to select line of business for chargeback purposes.
Client: Lookup field to select client. This is a required field for Hosted services.
Expected Date: Calendar field to select the date this request is expected to be fulfilled.
Cost Center: Lookup field to select Cost Center for chargeback purposes.
1.4 Create New Virtual Server
Once the form is completed, click on save. The following pop-up will
appear reminding the requestor that server specifications still need to be
entered.
After clicking OK, the Create New Virtual Server form is presented. Most
fields will be entered by the requestor. There are some fields that will be
filled by the corresponding resources in charge of working on the tasks
generated by the request.
Field: Description
Change Order: Protected field. Change order number assigned to this request.
OS: Drop-down field to select operating system.
OS Version: Drop-down field to select operating system version. List may be updated frequently to reflect versions supported at EVERTEC.
Size: Drop-down field to select the pre-defined sizes supported as standards. If the request deviates from standard, it must be justified in the Justification comments field.
High Availability: Yes/No
DMZ: Will the server be placed behind a DMZ? Yes/No
Environment: Drop-down field with:
    - PROD
    - TEST
    - CERT
    - DRS
Platform: Server platform:
    - VMWare
    - pSeries
    - zSeries
CPS data entry completed?: This checkbox is filled in by the Windows or Unix resource doing the pre-certification of the provisioned server.
Disk Storage: Size in Gigabytes.
PCI: PCI compliance requirement? Y/N
  If the answer to any of the following two questions is yes, then this server must be treated as PCI compliant:
    1. Does the application store, process, or transmit cardholder data?
       Cardholder data includes:
        - Credit Card Number
        - Cardholder Name
        - Expiration Date
        - Service Code
    2. Does the application store, process, or transmit sensitive authentication data?
       Sensitive authentication data includes:
        - Full track data (magnetic-stripe data or equivalent on an EMV chip)
        - CAV2/CVC2/CVV2/CID
        - PINs/PIN blocks
Digital Certificate: Will the server require digital certificates? Y/N
Type: Drop-down to select the type of server:
    - APP
    - WEB
    - DB
    - APP+WEB
    - APP+DB
    - APP+WEB+DB
    - File and Print
  Note: combinations allowed on this field imply that a single server will support the role. For example, APP+WEB means that the server will host both the application and the WEB server.
Location: Drop-down to select the location:
    - Cupey
    - Tres Monjitas
    - Sungard
Virtual Farms: Drop-down to select the virtual farm where the cloned server resides.
  Note: this field must be entered by the resource that executes the provisioning process.
Load Balancer: Will the server be placed behind a load balancer (i.e. F5)?
New Relic: Will the server be monitored by New Relic? Y/N
List any required software: Text field to indicate any software that needs to be installed on the server prior to releasing the server to the requestor. Licensing compliance will be verified.
Additional comments / Disk Distribution: Text field where the requestor may enter any special comments/details/instructions regarding this server request. In the case of DB servers, it is required that file system size distribution be specified in this field. It is important to get this information from the DB group prior to initiating the request.
Required users: Text field to enter the list of users required for phase 1 on this server.
Host Name: Host name assigned by the system administrator in charge of provisioning the server. The requestor may also enter this information if known.
Assigned IP addresses and VLAN: Entered by the network engineer who assigns the IPs. The requestor may also enter this information if known.
Network diagram attached: Checkbox to indicate if the requestor or Network engineers attached the network diagram to the ticket.
Common Ports: If known, select the ports that the server will use.
Other Required Ports: Text field to enter the list of specific ports needed.
Justification: Text field to enter the justification for non-standard server size as well as non-common ports required by the server.
Once the fields are entered click on Save to add the server to the request.
Additional servers may be requested. Under the Virtual Server Details tab there is a list of the requested servers. Click on the Add Virtual Server button to bring up the next request form.
To save time, there is a copy server feature that brings up a pre-filled form based on the information entered for the selected server. Simply select the server from the list of servers under the Virtual Server Details tab and then click on the Copy Server button.
2.0 Workflow Tasks
2.1 Task List
The initial request will generate a workflow to assign tasks to all groups involved
in the creation of the virtual server.
Unix

Sequence  Task                                                          Group
50        VS Provisioning - Validate Request                            79095 - OPEN SYSTEMS UNIX
100       Group Start Task
200       VS Provisioning - Verify Licensing                            78669 - EVERTEC LICENSING
300       VS Provisioning - Validate and Assign IP                      79020 - NETWORK ENGINEERING
400       Group End Task
500       Group Start Task
700       VS Provisioning - Clone Server                                79095 - OPEN SYSTEMS UNIX
750       VS Provisioning - Assign Storage Space                        78656 - STORAGE SYSTEMS
800       VS Provisioning - Pre Defined Systems Firewall Rule           78657 - Firewall & VPNs Operations
900       Group End Task
1000      Group Start Task
1100      VS Provisioning - Configure Server Monitoring                 78665 - NETWORK PRODUCTION SUPPORT
1300      VS Provisioning - Configure Backup                            79095 - BACKUP SERVICES
1400      Group End Task
1500      VS Provisioning - Pre-Certification                           78113 - Unix Security
1600      Group Start Task
1700      VS Provisioning - Add to CMDB                                 78690 - Capacity Management and CMDB
1800      VS Provisioning - Secure Admin password in Vault              78113 - Unix Security
1900      Group End Task

Windows

Sequence  Task                                                          Group
50        VS Provisioning - Validate Request                            79095 - WINDOWS
100       Group Start Task
200       VS Provisioning - Verify Licensing                            78669 - EVERTEC LICENSING
300       VS Provisioning - Validate and Assign IP                      79020 - NETWORK ENGINEERING
400       Group End Task
500       Group Start Task
700       VS Provisioning - Clone Server                                79095 - WINDOWS
800       VS Provisioning - Pre Defined Systems Firewall Rule           78657 - Firewall & VPNs Operations
900       Group End Task
1000      Group Start Task
1050      VS Provisioning - Windows Pre-Certification - CPS Data Entry  78663 - SERVER SERVICES
1100      VS Provisioning - Configure Antivirus Software                78657 - WORKPLACE SERVICES
1300      VS Provisioning - Configure Backup                            79095 - BACKUP SERVICES
1400      VS Provisioning - Configure Server Monitoring                 78665 - NETWORK PRODUCTION SUPPORT
1500      Group End Task
1600      VS Provisioning - Pre-Certification                           78113 - Server Certification
1700      Group Start Task
1800      VS Provisioning - Add to CMDB                                 78690 - Capacity Management and CMDB
1900      VS Provisioning - Secure Admin password in Vault              78113 - IS WINDOWS AND DATABASE
2000      Group End Task

Windows and Unix Together

Sequence  Task                                                          Group
100       Group Start Task
200       VS Provisioning - Validate Request                            79095 - WINDOWS
300       VS Provisioning - Validate Request                            79095 - OPEN SYSTEMS UNIX
400       Group End Task
500       Group Start Task
600       VS Provisioning - Verify Licensing                            78669 - EVERTEC LICENSING
700       VS Provisioning - Validate and Assign IP                      79020 - NETWORK ENGINEERING
800       Group End Task
900       Group Start Task
1000      VS Provisioning - Clone Server                                79095 - WINDOWS
1100      VS Provisioning - Clone Server                                79095 - OPEN SYSTEMS UNIX
1200      VS Provisioning - Assign Storage Space                        78656 - STORAGE SYSTEMS
1300      VS Provisioning - Pre Defined Systems Firewall Rule           78657 - Firewall & VPNs Operations
1400      Group End Task
1500      Group Start Task
1600      VS Provisioning - Windows Pre-Certification - CPS Data Entry  78663 - SERVER SERVICES
1700      VS Provisioning - Configure Antivirus Software                78657 - WORKPLACE SERVICES
1800      VS Provisioning - Configure Backup                            79095 - BACKUP SERVICES
1900      VS Provisioning - Configure Server Monitoring                 78665 - NETWORK PRODUCTION SUPPORT
2000      Group End Task
2100      Group Start Task
2200      VS Provisioning - Pre-Certification                           78113 - Server Certification
2300      VS Provisioning - Pre-Certification                           78113 - Unix Security
2400      Group End Task
2500      Group Start Task
2600      VS Provisioning - Add to CMDB                                 78690 - Capacity Management and CMDB
2700      VS Provisioning - Secure Admin password in Vault              78113 - IS WINDOWS AND DATABASE
2800      VS Provisioning - Secure Admin password in Vault              78113 - Unix Security
2900      Group End Task

2.2 Validate Request
The assigned group, based on the operating system and platform selected, reviews the request and determines its validity. It is highly advisable to consult with Network Engineering and Information Security to help validate the request. If approved, the rest of the workflow continues. The requestor may be contacted for additional information.
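
The conditions that the field descriptions in sections 1.2 to 1.4 attach to a request can be checked before the ticket reaches the validating group. The following is an added example, not part of the original instructions or of ServiceDesk; the dictionary keys, the standard_size flag and the sample request are constructed for illustration.

```python
# Added example: pre-submission checks taken from the form's field descriptions.
# Dictionary keys and sample values are constructed; they are not ServiceDesk
# field identifiers.

DB_TYPES = {"DB", "APP+DB", "APP+WEB+DB"}  # Type values that include a database role


def pci_required(server):
    """A 'yes' to either PCI question means the server is treated as PCI."""
    return bool(server.get("cardholder_data") or server.get("sensitive_auth_data"))


def validate_order(order):
    """Checks on the change-order fields (sections 1.2 and 1.3)."""
    findings = []
    # Assumption: the order-level Justification field carries the Urgent rationale.
    if order.get("priority") == "Urgent" and not order.get("justification", "").strip():
        findings.append("Urgent priority requires justification")
    if order.get("type_of_service") == "Hosted" and not order.get("client", "").strip():
        findings.append("Client is required for Hosted services")
    return findings


def validate_server(server):
    """Checks on one Create New Virtual Server form (section 1.4)."""
    findings = []
    justified = bool(server.get("justification", "").strip())
    if not server.get("standard_size", True) and not justified:
        findings.append("Non-standard size must be justified")
    if server.get("other_ports", "").strip() and not justified:
        findings.append("Non-common ports must be justified")
    if server.get("type") in DB_TYPES and not server.get("disk_distribution", "").strip():
        findings.append("DB server needs file system size distribution")
    if pci_required(server) and server.get("pci") != "Y":
        findings.append("PCI must be Y: application handles card or authentication data")
    return findings


def validate_request(order, servers):
    """Return {scope: [findings]}; an empty list means nothing to fix."""
    report = {"order": validate_order(order)}
    for server in servers:
        report[server["host"]] = validate_server(server)
    return report


# Constructed sample request: one clean web server, one incomplete DB server.
SAMPLE_ORDER = {"priority": "Urgent", "justification": "",
                "type_of_service": "Hosted", "client": "Example Client"}
SAMPLE_SERVERS = [
    {"host": "web01", "type": "WEB", "pci": "N", "standard_size": True},
    {"host": "db01", "type": "APP+DB", "pci": "N", "standard_size": False,
     "other_ports": "1521", "cardholder_data": True, "disk_distribution": ""},
]

if __name__ == "__main__":
    for scope, findings in validate_request(SAMPLE_ORDER, SAMPLE_SERVERS).items():
        print(scope, "->", findings or "ok")
```

A server answering yes to either PCI question while marked PCI = N is the finding to resolve first, since it changes how the server must be treated through pre-certification.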
2.3 Verify Licensing
Verify licensing compliance issues specific to the software that will be
used.
2.4 Validate and Assign IP
Network Engineering will assign the IPs to the servers requested, including the backup segment IP when applicable. It is the responsibility of Network Engineering to enter this information in the Assigned IP addresses and VLAN field for each server requested. In some cases there might be a need to add a new segment that will require additional work outside the scope of the tasks generated by this workflow. Those should be handled using the existing protocols.
2.5 Clone Server
Create the virtual server using a pre-certified image. This should be
further updated with the latest patches and scanned in order to make sure
that it will not fail the pre-certification task.
2.6 Virtual Server pre-defined Systems Firewall Rule
Make sure the server will be granted the rules needed in order for the
other groups to complete the rest of the configuration tasks.
2.7 Configure Antivirus Software
For Windows, add the server to the anti-virus console.
2.8 Configure Server Monitoring
If applicable, since this is phase 1, add basic server monitoring.
2.9 Configure Storage space
Assign the required storage space if applicable.
2.10 Configure Backup
Configure the backup for the server using the silver policy as default.
2.11 Virtual Server Pre-Certification
Pre-certify the server. If it fails, it will go back to the group that created the server.
2.12 Add to CMDB
Add the pertinent server information to the CMDB.
2.13 Secure Admin password in Vault
Add the administrator password to the vault.