This version of the product is in limited support. However, the documentation is available for your convenience.

Configuring the application server and remote device agent after upgrade


This topic describes the tasks that you need to perform after the TrueSight Network Automation upgrade is complete.

Do the following:

  1. Clear the browser cache.
  2. Update ciphers in the TLS protocol.
  3. (SQL Server only) Switch the authentication mechanism.
  4. (Windows only) Update the traceroute details for the Find Endpoint span action.
  5. Regenerate and import an SSL certificate.
  6. Generate initial device attributes configurations.
  7. Preserve the device adapter customizations.
  8. Enable the Alternate Addresses dynamic field.
  9. Update device import task formats.
  10. Configure enhanced security.

Clearing the browser cache

Since there have been changes to the software, you must clear the browser cache to ensure that stale downloaded code does not interfere with the presentation of web pages. Refer to the browser's documentation for instructions on clearing the cache. If you neglect to do so, web pages might appear mangled or might behave incorrectly.

Updating ciphers in the TLS protocol

If you modified the bna.connector.ciphers property before the upgrade, follow these steps to update the list of ciphers in the TLS protocol and make the application server more secure:

  1. Stop the enatomcat service.
  2. Open the BCAN_HOME/tomcat/conf/catalina.properties file with a text editor.
  3. Find the bna.connector.ciphers property in the file.
  4. Copy the latest value of this property from the Comments section of the property.
  5. Replace the existing value with the copied value.
  6. Start the enatomcat service.

Switching the authentication mechanism (SQL Server only)

Starting with version 8.9.04, for enhanced security, TrueSight Network Automation supports Windows authentication in addition to the default SQL Server authentication for the SQL Server database user. If you were using SQL Server authentication in your existing installation, and you want to switch to Windows authentication for enhanced security, you need to update the BCA-Networks Web Server service and various configuration files, as described in Switching from SQL Server authentication to Windows authentication. If you want to switch to SQL Server authentication later, see Switching from Windows authentication to SQL Server authentication.

(Windows only) Updating the traceroute details for the Find Endpoint span action

If you modified the tracerouteLastLine property in the global.properties file before the upgrade, follow these steps to update its value so that the Find Endpoint job can locate the managing switch properly (see the related corrected issue, DRCAN-22699):

  1. Open the BCAN_DATA/global.properties file with a text editor.
  2. Search for the word trace.
    The following code snippet is an excerpt of the global.properties file:

    # Following are the values for Windows
    #tracerouteCmd=tracert -d
    #tracerouteRegex=^\\d+[\\s*|\\S*]*?(\\S*)$
    tracerouteLastLine=4
  3. Comment out tracerouteLastLine by adding '#', and set its value to 3.
  4. Save the file.
  5. Restart the TrueSight Network Automation web service.

Regenerating and importing an SSL certificate

When you upgrade to version 20.02, the .keystore file located in the BCAN_DATA directory is regenerated and the key size is upgraded to 4096 bits if any one of the following conditions is satisfied:

  • The existing .keystore file was generated with a key size of less than 2048 bits.
  • The existing .keystore file was generated with the SHA1WithRSA signature algorithm.

If the .keystore file is regenerated, your existing certificate no longer works, and you need to generate and import a certificate as described in Generating and importing an SSL certificate for the application server.

Generating initial device attributes configurations

When you upgrade to version 20.02, BMC recommends that you perform a Refresh Device Status action to refresh only the Device Attributes Configuration on all your devices. This generates an initial version of the configurations containing your current device settings. Thereafter, the system generates a new configuration as the device settings change. The initial configurations ensure that if you begin to develop and use compliance rules against this trail, the data actually exists to make the rules useful.

Preserving the device adapter customizations

If you made any modifications to configuration trails, custom actions, device types, or external script actions located on the Admin > Network Admin > Device Adapters page, or if there are changes between your existing adapters and upgraded adapters, the adapters show up as Modified in the Network Automation GUI.

During an upgrade, the latest versions of all the supported device adapters are loaded into your Network Automation system. These might include enhancements and corrections to adapters that you previously customized. After the upgrade, your customized version remains the active one, so it is missing those enhancements and corrections. You must manually merge the two sets of changes.

BMC recommends that you perform the following steps before you start using the system with scheduled job actions:

  1. Navigate to Admin > Network Admin > Device Adapters.
  2. In the State column, filter the adapters in the Modified state.
  3. Expand the hierarchy and find any adapters that contain a Requires Merge flag in the State column.
  4. If an adapter has the Requires Merge flag, perform the following actions:
    1. Export the Baseline version of the adapter.
    2. Export the Previous Baseline version of the adapter.
    3. Export the Modified version of the adapter.
    4. Merge your customized changes into the new baseline by performing the following substeps:
      1. Compare your Modified version with the Previous Baseline version to see your changes.
      2. Re-do those changes to the new Baseline version. Now you have the latest Baseline version with your customizations.
    5. Import the updated adapter.

The following video (4:32) demonstrates how to reconcile device adapters after upgrading Network Automation.

https://www.youtube.com/watch?v=vU5TGKDvzM4

Enabling the Alternate Addresses dynamic field

The find endpoint algorithm uses the traceroute command to find the IP address of the managing router for the endpoint. If the router has multiple IP addresses defined within it, and the IP address output of the traceroute command does not match the IP address stored in the Network Automation server database for the device, the algorithm fails.

To avoid this problem, Network Automation has a Configuration Profiled dynamic field, Alternate Addresses. This field captures additional IP addresses from the configuration of Cisco IOS-based routers.

The alternate addresses are checked during endpoint actions, in addition to the primary address of the device, when searching the database for the router.

The Alternate Addresses dynamic field is created automatically during the installation of the Network Automation application server. However, the field is not created when performing an upgrade on the application server. After the application server upgrade is complete, you need to add this field if it does not exist, and manually enable it.

To add and enable the Alternate Addresses dynamic field

  1. In the Network Automation GUI, go to Admin > System Admin > Dynamic Fields, and click Add.
  2. On the Details tab, enter or select the following values:

    • Component: Select Device.
    • Assignment Mechanism: Select Configuration Profiled.
    • Value Type: Select Capture Attribute Values.
    • Name: Enter Alternate Addresses.
    • Enable: (Optional) Select this option to enable the feature.

  3. On the Spans tab, select Entire Network.
  4. On the Queries tab, click Add and enter the following values:

    • Device Type: Select Cisco, and then select Cisco IOS Switch/Router.
    • Minimum OS Version: Use the default *. *. *
    • Maximum OS Version: Use the default *. *. *
    • Applicable Trails: Select Running.
    • Subject: Select Pattern.
    • Pattern: Enter the following string: 
      ^\s+ip\s+address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+$ s
    • Domain: Select Selected Blocks.
    • Begin: Select Pattern, and then enter the following string: 
      ^interface\s+.*[a-zA-Z].+[0-9].*
    • End: Select Pattern, and then enter the following string: 
      ^!$

  5. Click Enter, and then click Save.
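
The following added example (not part of the product or its documentation) runs the Begin, End, and Pattern expressions from step 4 over a constructed Cisco IOS running configuration to show which addresses the field would capture. It assumes the patterns are applied line by line, uses Python's `re` module as a stand-in for the product's regex engine, and leaves out the trailing ` s` that follows the Pattern string on this page; under those assumptions, addresses on `secondary` lines are not captured because the pattern ends at the subnet mask.

```python
import re

# Expressions copied from the Queries tab values above.
BEGIN = re.compile(r"^interface\s+.*[a-zA-Z].+[0-9].*")
END = re.compile(r"^!$")
PATTERN = re.compile(r"^\s+ip\s+address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+$")

# Constructed sample configuration (documentation address ranges only).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description uplink
 ip address 198.51.100.1 255.255.255.252
 ip address 198.51.100.9 255.255.255.252 secondary
!
interface GigabitEthernet0/1
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
end
"""

def alternate_addresses(config):
    """Return addresses captured inside interface blocks (Domain: Selected Blocks)."""
    found, in_block = [], False
    for line in config.splitlines():
        if not in_block:
            # A block opens on a line that matches the Begin pattern.
            in_block = bool(BEGIN.match(line))
            continue
        if END.match(line):
            # A lone "!" closes the block.
            in_block = False
            continue
        match = PATTERN.match(line)
        if match:
            found.append(match.group(1))
    return found

if __name__ == "__main__":
    for address in alternate_addresses(SAMPLE_RUNNING_CONFIG):
        print(address)
```
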

Updating device import task formats

Starting with version 8.9.04, the device import task no longer supports the following mapping formats for the BMC Discovery versions that are End of Life (EOL): 

  • BMC Atrium Discovery and Dependency Mapping 8.2+
  • BMC Atrium Discovery and Dependency Mapping 7.5
  • BMC Foundation Discovery 1.5

After the upgrade to version 20.02, any device import tasks that refer to the above formats are automatically upgraded to use the BMC Discovery 11.0+ (XML API) format. If you do not want the automatic upgrade, edit your device import tasks to use a format other than those listed above before you start upgrading. If you have not edited these tasks, validate that they work as expected after the upgrade.

Configuring enhanced security

Complete the following tasks to achieve enhanced security.

Updating permissions

If you changed the OS user name and its details during the application server or remote device agent upgrade, grant read/write access to this (non-privileged) user account on the TFTP, SCP, and FTP directories that are configured with Network Automation.

Configuring cipher suites

After upgrading to version 20.02, if your environment requires more restricted security, as would be the case for federal customers, and the catalina.properties file contains a certain set of cipher suites (described in step 3), perform the following steps:

  1. Open the BCAN_HOME/tomcat/conf/catalina.properties file in a text editor.
  2. Find the bna.connector.ciphers property in the file.
  3. If the property value contains the following cipher suites, delete them:

    AES128-SHA256:AES256-SHA:AES128-SHA:
    DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
    DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:
    DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:
    DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256
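
As an added example (not BMC's code), the following sketch applies step 3 to the text of a catalina.properties file. It removes suites by exact name, so a suite such as ECDHE-RSA-AES128-SHA256 survives even though its name ends in a listed one. The sample file content is constructed, and the property is assumed to sit on one uncommented line.

```python
import re

# Cipher suites listed in step 3 above.
RESTRICTED = {
    "AES128-SHA256", "AES256-SHA", "AES128-SHA",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA256",
    "DHE-DSS-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA256", "DHE-DSS-AES128-SHA256",
}

# Constructed sample; the value in a real installation will differ.
SAMPLE = """\
# Comment lines are left untouched because they start with '#':
# bna.connector.ciphers=AES128-SHA256:AES256-SHA
bna.connector.ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-SHA256:AES256-SHA
"""

PROP_LINE = re.compile(r"^(\s*bna\.connector\.ciphers\s*=\s*)(.*)$")

def strip_restricted(properties_text):
    """Return (new_text, removed): the file text without the restricted
    suites, and the suites that were dropped, in their original order."""
    removed, out = [], []
    for line in properties_text.splitlines():
        match = PROP_LINE.match(line)
        if match:
            kept = []
            for suite in (s.strip() for s in match.group(2).split(":")):
                if suite in RESTRICTED:      # exact name match only
                    removed.append(suite)
                elif suite:                  # skip empty items from stray colons
                    kept.append(suite)
            line = match.group(1) + ":".join(kept)
        out.append(line)
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    new_text, removed = strip_restricted(SAMPLE)
    print(new_text, end="")
    print("removed:", ", ".join(removed))
```
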
