Ensuring all bladelogic.keystore files are consistent
When you have a multi-application server or multi-application server instance BMC Server Automation environment, all of your bladelogic.keystore files must be consistent within each of the directories inside the /br/deployments directories. These directories vary, depending on which operating system the application server is deployed to and the names of the application server instances that are defined. If you have set up your BMC Server Automation environment correctly, no further action is necessary. However, with a regularly scheduled job, you can ensure that these files are always the same in case they are tampered with, moved, or changed for any reason.
You want to ensure that your bladelogic.keystore files do not appear as in the following figure:
To ensure the consistency of the bladelogic.keystore files, you create a Compliance Job that compares a file that is in a non-unique directory against other files that are in non-unique directories on the same server and on other servers based on a Compliance Rule in a Component Template.
An Audit Job is not sufficient for this task, as illustrated in the following figure:
Preparing the Environment
To prepare your environment for the Compliance Job, perform the following tasks.
Defining the App Server Path Property
- Select Configuration > Property Dictionary View.
- Navigate to the Built-In Property Classes > Server property. Define a new Property called BSA_APPSERV_PATH (or a similar name to designate the application server installation path), and leave all of the other values as defaults.
- Click OK.
You can now set the value of this property on your Application Servers.
Setting the Application Server Path property
- Navigate to one of the Application Servers in the Servers area of the console.
- Within the Properties tab, expand the Extended node and browse to the BSA_APPSERV_PATH (or whatever property you created to designate the application server path).
- Define the application server installation path for that server using NSH syntax.
For example, if your application server is installed at C:\Program Files\BMC Software\BladeLogic\8.2\NSH, set the path to /C/Program Files/BMC Software/BladeLogic/8.2/NSH.
- Repeat the previous step for all other application servers in your environment.
Capturing the Checksum
Comparing the MD5 checksums of two files is a great way to tell whether they are exactly the same. (This is different from a light checksum, which compares only the first 512 bytes of a file.) Compare the MD5 checksum of the correct bladelogic.keystore with those of all of the other bladelogic.keystore files to see whether they are the same.
- Launch NSH from the first application server that you installed in your environment. This server should have the bladelogic.keystore file that you copied (or will want to copy) to all of your other instances and application servers.
- Navigate to the <bsa install dir>/br/deployments/_template directory, and run the following command: md5sum bladelogic.keystore
- Capture the md5 checksum value that is returned.
Defining the template for Compliance Jobs
Use the following procedure to define the Compliance Rule that you will use to check the md5 checksum that you captured against all of the bladelogic.keystore files.
- Create a new Component Template, and call it bladelogic.keystore (or any similar name).
- Add a new part, and browse to one of the bladelogic.keystore files inside of the /br/deployments directories on one of your application servers. Move it to the selected parts area and click OK.
- After the Component Template is created, open the Template and click the Parts tab at the bottom.
- Parameterize the path to the bladelogic.keystore file by substituting everything up to /br/deployments with ??BSA_APPSERV_PATH?? (or whatever property you created earlier for designating the application server installation path).
- Click the Compliance tab of the Component Template, and define a new Compliance Rule.
- Specify a name such as checksum validation, and then click on the Rule tab.
- Define a new condition by clicking the drop-down next to the green +, and create a new Foreach Loop.
- Select the Part that points to the bladelogic.keystore file using the parameterized path.
- IMPORTANT: In order for the Foreach loop to work, change the directory between /br/deployments and /bladelogic.keystore to a "*" (asterisk). This will ensure that every directory is checked within the /br/deployments directory for a bladelogic.keystore file.
- For the value, specify Checksum = <md5 checksum> where <md5 checksum> is the md5 checksum that you copied earlier from NSH in Capturing the Checksum.
- You should now be able to verify this compliance rule by testing it against one or more application servers, as in the following figure:
Notice how for the first server, 7 different directories were traversed which contained a bladelogic.keystore file, and all of them were consistent with the correct md5sum of the original bladelogic.keystore file.
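The comparison that the Foreach rule performs can also be run by hand from a shell on one application server. The following script is an added example, not part of the BMC documentation or product. The function names are hypothetical, and it assumes that md5sum is on the path and that the _template directory holds the reference keystore, as in Capturing the Checksum.

```shell
#!/bin/sh
# Added example: manual spot check mirroring the Foreach compliance rule.
# Assumption: <deployments_dir>/_template/bladelogic.keystore is the reference copy.

keystore_md5() {
    # Print only the hex digest, dropping the file name that md5sum appends.
    md5sum "$1" | awk '{print $1}'
}

check_keystores() {
    # $1 = path to the br/deployments directory (may contain spaces).
    deployments=$1
    reference="$deployments/_template/bladelogic.keystore"
    if [ ! -f "$reference" ]; then
        echo "ERROR: reference keystore not found: $reference" >&2
        return 2
    fi
    expected=$(keystore_md5 "$reference")
    status=0
    # Same scope as the "*" wildcard in the rule: every directory directly
    # under br/deployments that contains a bladelogic.keystore file.
    for dir in "$deployments"/*/; do
        candidate="${dir}bladelogic.keystore"
        if [ ! -f "$candidate" ]; then
            continue
        fi
        actual=$(keystore_md5 "$candidate")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $candidate"
        else
            echo "MISMATCH $candidate ($actual, expected $expected)"
            status=1
        fi
    done
    # 0 = all consistent, 1 = at least one mismatch, 2 = no reference file.
    return $status
}

# Run directly as: sh check_keystores.sh "<bsa install dir>/br/deployments"
if [ "$#" -gt 0 ]; then
    check_keystores "$1"
fi
```

A return value of 1 identifies the directories whose keystore differs from the reference. Because MD5 is not collision resistant, replacing md5sum with sha256sum in keystore_md5 gives a stronger manual check where deliberate tampering is the concern.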
Where to go from here
You are now ready to run the Compliance Job based on the Compliance rule that you defined. For more information, see Running a Compliance Job.
After running the Compliance Job, you can remediate any compliance failures, as described in the following topics: