Ensuring all bladelogic.keystore files are consistent


Contributor content

This topic was created by a BMC Contributor and has not been approved.

This topic describes how to make the bladelogic.keystore files consistent across your environment.

Note

This task is necessary after installing Application Servers using Application Server component installers (as described in Installing-the-Application-Server-and-components-Linux-and-UNIX or Installing-the-Application-Server-and-Network-Shell-on-Windows). You do not need to perform this task when you add Application Server nodes (as described in Adding-additional-Application-Servers) after using the unified product installer to install TrueSight Server Automation.

Overview

When you have a multi-Application Server or multi-Application Server instance TrueSight Server Automation environment, all of your bladelogic.keystore files must be consistent within the /br/deployments directories at the various Application Servers. If you have set up your TrueSight Server Automation environment correctly, no further action is necessary. However, with a regularly scheduled job, you can ensure that these files are always the same in case they are tampered with, moved, or changed for any reason.

You want to ensure that your bladelogic.keystore files do not appear as in the following figure:

[Figure: different keystore.png]

To ensure the consistency of the bladelogic.keystore files, you create a Compliance Job that compares a file that is in a non-unique directory against other files that are in non-unique directories on the same server and on other servers based on a Compliance Rule in a Component Template.

Note

An Audit Job is not sufficient for this task.

Preparing the Environment

To prepare your environment for the Compliance Job, perform the following tasks.

Defining the App Server Path Property

  1. Select Configuration > Property Dictionary View.
  2. Navigate to the Built-In Property Classes > Server property. Define a new Property called BSA_APPSERV_PATH (or a similar name to designate the Application Server installation path), and leave all of the other values as defaults.
  3. Click OK.
    You can now set the value of this property on your Application Servers.

Setting the Application Server Path property

  1. Navigate to one of the Application Servers in the Servers area of the console.
  2. Within the Properties tab, expand the Extended node and browse to the BSA_APPSERV_PATH (or whatever property you created to designate the Application Server path).
  3. Define the Application Server installation path for that server using NSH syntax.
    For example, if your Application Server is installed at C:\Program Files\BMC Software\BladeLogic\NSH, set the path to /C/Program Files/BMC Software/BladeLogic/NSH.
  4. Repeat the previous step for all other Application Servers in your environment.

Capturing the Checksum

Comparing the md5 checksums of two files tells you whether the files are exactly the same. (This is different from a light checksum, which only compares the first 512 bytes of a file.) Compare the md5 checksum of the correct bladelogic.keystore with the md5 checksums of all the other bladelogic.keystore files to see whether they are the same.

  1. Launch NSH from the first Application Server that you installed in your environment.  This server should have the bladelogic.keystore file that you copied (or will want to copy) to all of your other instances and Application Servers.
  2. Navigate to the <bsa install dir>/br/deployments directory, and run the following command: md5sum bladelogic.keystore
  3. Capture the md5 checksum value that is returned.

Defining the Template for Compliance Jobs

Use the following procedure to define the Compliance Rule that you will use to check the md5 checksum that you captured against all of the bladelogic.keystore files.

  1. Create a new Component Template, and call it bladelogic.keystore (or any similar name).
  2. Add a new part, and browse to the bladelogic.keystore file inside the /br/deployments directory on one of your Application Servers.  Move it to the selected parts area and click OK.
  3. After the Component Template is created, open the Template and click the Parts tab at the bottom.
  4. Parameterize the path to the bladelogic.keystore file by substituting everything up to /br/deployments with ??BSA_APPSERV_PATH?? (or whatever property you created earlier for designating the Application Server installation path).
  5. Click the Compliance tab of the Component Template, and define a new Compliance Rule.
    1. Specify a name such as checksum validation, and then click on the Rule tab.
    2. Define a new condition by clicking the drop-down next to the green +, and create a new Foreach Loop.
    3. Select the Part that points to the bladelogic.keystore file using the parameterized path.
  6. For the value, specify Checksum = <md5 checksum> where <md5 checksum> is the md5 checksum that you copied earlier from NSH in Capturing the Checksum.
  7. Test the compliance rule against one or more Application Servers.
    A successful result shows every bladelogic.keystore file with the correct md5sum, that is, the same md5sum as the original bladelogic.keystore file.
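The comparison that this Compliance Rule performs can be spot-checked from a shell before the job is scheduled. The following script is an added example, not BMC code: the function names (keystore_md5, check_keystores, demo) and the temporary directories and file contents are constructed for illustration, and each install path stands in for a BSA_APPSERV_PATH value.

```shell
#!/bin/sh
# Added example (not BMC code): verify that
# <install path>/br/deployments/bladelogic.keystore carries the reference
# md5 checksum under every Application Server install path given.

# Print only the md5 hex digest of a file.
keystore_md5() {
    md5sum "$1" | awk '{print $1}'
}

# check_keystores REF_MD5 INSTALL_PATH...
# Prints one status line per install path (OK, MISMATCH or MISSING).
# Returns 0 only if every keystore exists and matches the reference.
check_keystores() {
    ref=$1; shift
    rc=0
    for base in "$@"; do            # quoted so paths with spaces survive
        ks="$base/br/deployments/bladelogic.keystore"
        if [ ! -f "$ks" ]; then
            echo "MISSING  $ks"; rc=1
        elif [ "$(keystore_md5 "$ks")" = "$ref" ]; then
            echo "OK       $ks"
        else
            echo "MISMATCH $ks"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: three stand-in install paths, one keystore altered.
demo() {
    tmp=$(mktemp -d)
    for n in "app1" "app 2" "app3"; do
        mkdir -p "$tmp/$n/br/deployments"
        printf 'constructed-keystore-bytes' \
            > "$tmp/$n/br/deployments/bladelogic.keystore"
    done
    printf 'changed' >> "$tmp/app3/br/deployments/bladelogic.keystore"
    ref=$(keystore_md5 "$tmp/app1/br/deployments/bladelogic.keystore")
    check_keystores "$ref" "$tmp/app1" "$tmp/app 2" "$tmp/app3"
    result=$?
    rm -rf "$tmp"
    return "$result"
}

demo || echo "At least one bladelogic.keystore differs from the reference."
```

A missing keystore is reported separately from a mismatched one because the two call for different follow-up: the first points at an incomplete deployment, the second at a file that was changed or replaced.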

Where to go from here

You are now ready to run the Compliance Job based on the Compliance rule that you defined. For more information, see Running-a-Compliance-Job-based-on-Compliance-Content-templates.

After running the Compliance Job, you can remediate Compliance failures, as described in the following topics:

Related Knowledge Articles

Creating a new bladelogic.keystore and syncing it with all BSA Application Servers (Knowledge Article ID: 000095314)

 
