Ensuring all bladelogic.keystore files are consistent
This topic was created by a BMC Contributor and has not been approved.
This topic describes how to make the bladelogic.keystore files consistent across your environment.
When you have a multi-Application Server or multi-Application Server instance BMC Server Automation environment, all of your bladelogic.keystore files must be consistent within the /br/deployments directories at the various Application Servers. If you have set up your BMC Server Automation environment correctly, no further action is necessary. However, with a regularly scheduled job, you can ensure that these files are always the same in case they are tampered with, moved, or changed for any reason.
You want to ensure that your bladelogic.keystore files do not appear as in the following figure:
To ensure the consistency of the bladelogic.keystore files, you create a Compliance Job that compares a file that is in a non-unique directory against other files that are in non-unique directories on the same server and on other servers based on a Compliance Rule in a Component Template.
An Audit Job is not sufficient for this task.
Preparing the Environment
To prepare your environment for the Compliance Job, perform the following tasks.
Defining the App Server Path Property
- Select Configuration > Property Dictionary View.
- Navigate to the Built-In Property Classes > Server property. Define a new Property called BSA_APPSERV_PATH (or a similar name to designate the Application Server installation path), and leave all of the other values as defaults.
- Click OK.
You can now set the value of this property on your Application Servers.
Setting the Application Server Path property
- Navigate to one of the Application Servers in the Servers area of the console.
- Within the Properties tab, expand the Extended node and browse to the BSA_APPSERV_PATH property (or whatever property you created to designate the Application Server path).
- Define the Application Server installation path for that server using NSH syntax.
For example, if your Application Server is installed at C:\Program Files\BMC Software\BladeLogic\NSH, set the path to /C/Program Files/BMC Software/BladeLogic/NSH.
- Repeat the previous step for all other Application Servers in your environment.
Capturing the Checksum
Comparing the md5 checksum of two files is a great way to tell if they are exactly the same or not. (This is different from a light checksum, which only compares the first 512 bytes of a file.) Compare the md5 checksum of the correct bladelogic.keystore with all of the other bladelogic.keystore files to see if they are the same.
- Launch NSH from the first Application Server that you installed in your environment. This server should have the bladelogic.keystore file that you copied (or will want to copy) to all of your other instances and Application Servers.
- Navigate to the <bsa install dir>/br/deployments directory, and run the following command: md5sum bladelogic.keystore
- Capture the md5 checksum value that is returned.
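The same comparison can be scripted for several deployment directories at once. The following is an added example, not BMC code and not part of the original topic: the function names and status strings are hypothetical, and it assumes the br/deployments directories are reachable as paths from the shell it runs in and that md5sum and awk are available.

```shell
#!/bin/sh
# Added example (not BMC code): compare every bladelogic.keystore against a
# reference copy by MD5, as the procedure above does by hand with md5sum.
# Usage: sh check_keystores.sh <reference keystore> <br/deployments dir>...

KEYSTORE_NAME="bladelogic.keystore"

# Print only the hex digest; reading stdin keeps odd file names out of the output.
keystore_md5() {
    md5sum < "$1" | awk '{print $1}'
}

# Returns 0 if all keystores match, 1 if any is missing or differs,
# 2 if the reference is unusable. The failure count is left in $keystore_failures.
check_keystores() {
    ref_file=$1
    shift
    keystore_failures=0
    if [ ! -f "$ref_file" ]; then
        echo "ERROR    reference keystore not found: $ref_file" >&2
        return 2
    fi
    ref_sum=$(keystore_md5 "$ref_file")
    for dir in "$@"; do
        candidate="$dir/$KEYSTORE_NAME"
        if [ ! -f "$candidate" ]; then
            echo "MISSING  $candidate"
            keystore_failures=$((keystore_failures + 1))
            continue
        fi
        sum=$(keystore_md5 "$candidate")
        if [ "$sum" = "$ref_sum" ]; then
            echo "OK       $candidate"
        else
            echo "MISMATCH $candidate (md5 $sum, expected $ref_sum)"
            keystore_failures=$((keystore_failures + 1))
        fi
    done
    [ "$keystore_failures" -eq 0 ] || return 1
}

# Run the check when the script is given a reference file and directories.
if [ "$#" -ge 2 ]; then
    check_keystores "$@"
fi
```

A missing keystore is counted as a failure rather than skipped, so a file that was moved or deleted is reported alongside one that was changed.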
Defining the Template for Compliance Jobs
Use the following procedure to define the Compliance Rule that you will use to check the md5 checksum that you captured against all of the bladelogic.keystore files.
- Create a new Component Template, and call it bladelogic.keystore (or any similar name).
- Add a new part, and browse to the bladelogic.keystore file inside the /br/deployments directory on one of your Application Servers. Move it to the selected parts area and click OK.
- After the Component Template is created, open the Template and click the Parts tab at the bottom.
- Parameterize the path to the bladelogic.keystore file by substituting everything up to /br/deployments with ??BSA_APPSERV_PATH?? (or whatever property you created earlier for designating the Application Server installation path).
- Click the Compliance tab of the Component Template, and define a new Compliance Rule.
- Specify a name such as checksum validation, and then click on the Rule tab.
- Define a new condition by clicking the drop-down next to the green +, and create a new Foreach Loop.
- Select the Part that points to the bladelogic.keystore file using the parameterized path.
- For the value, specify Checksum = <md5 checksum> where <md5 checksum> is the md5 checksum that you copied earlier from NSH in Capturing the Checksum.
- Test the compliance rule against one or more Application Servers.
A successful result shows that every bladelogic.keystore file has the correct md5sum, that is, the same md5sum as the original bladelogic.keystore file.
Where to go from here
You are now ready to run the Compliance Job based on the Compliance rule that you defined. For more information, see Running a Compliance Job based on Compliance Content templates.
After running the Compliance Job, you can remediate Compliance failures, as described in the following topics:
- Remediating compliance results
- How to create compliance job remediation
- Example procedure for remediating compliance
Related Knowledge Articles
Creating a new bladelogic.keystore and syncing it with all BSA Application Servers (Knowledge Article ID: 000095314)