_prepForInstall


This topic includes the inclusion library multi-excerpts for the installation process. It includes the following:

List of multiexcerpts in this topic

Item

Multi excerpt name to use

UPI install limitations

upi_install_limitations

Zipkits

zipkit_install_upgrade_list

Linux install requirements for UPI

linuxPrereqs

Windows install requirements for UPI

WindowsPrereqs

Requirements for installing a separate file server

remote_file_server_reqs

Security requirements

security_install_requirements

TrueSight Server Automation PRNGD

prngd

Root equivalency

root_equivalency

Client mapping

client_mapping

Prerequisites for MSVC 2015

MSVCPrereq

Agent-related objects

AgentObjects

Shavlik EOL message for Flash

ShavlikEOL

AES agent appserver compatibility

For RSCD agent versions earlier than 8.9.03.001, the application server encrypts the string with the BlEncrypt encryption method. Also, a warning message is added to the log file (which log file).

For RSCD agent versions 8.9.03.001 and later, AES 256 is supported.


If you are installing TrueSight Server Automation 8.9.03.001 for the first time, then by default BLNative is selected.

If you are upgrading to TrueSight Server Automation 8.9.03.001, then, by default BLNative is selected. However, you can change the value.


The agent and the Application Server have both been configured to use the AES technique.

However, if the agent is older, it does not have that technique.

In that case, the Application Server decrypts the string, encrypts it with BLNative, and sends it to the older agent.

  1. If the agent is newer (has AES 256 support), this plain text string is sent to the agent, which re-encrypts it with its own keys and sends it back to the appserver.
  2. If the agent is old (without AES 256 support), the appserver encrypts it with BLEncrypt and also logs a warning.


When we find a downlevel agent, what happens? We decrypt the aes256 to plain text and then encode it to blenc?

>> The aes256 encrypted string is always decrypted in appserver’s memory. Either of the two things can happen after that:

  1. If the agent is newer (has AES 256 support), this plain text string is sent to the agent, which will re-encrypt it with its own keys and send it back to the appserver.
  2. If the agent is old (without AES 256 support), the appserver will encrypt it with BLEncrypt and will also log a warning.

This list is available in the following user interfaces:

  • Configuration > Property Dictionary View > Properties tab used to add or modify a property.
  • Configuration > Property Dictionary View > instances tab used to create or modify an instance of a property class.
  • TrueSight Server Automation Console Classic perspective > Properties view in the Properties, Permissions, and Audit Trail tab group.


Shavlik EOL message for Flash

BMC Software is alerting users of BMC Server Automation for Windows Patching that they need to upgrade the BMC Server Automation application server and Windows target servers to the latest versions to ensure the continued functioning of Windows Patching within the product. 

Ivanti has announced the end-of-life for an underlying Shavlik SDK version that BMC Server Automation uses to get updates for Windows patches. The original end-of-life support for Shavlik 9.1 was December 31, 2018. The end-of-life support is now extended to September 30, 2019, which provides users with additional time to upgrade BMC Server Automation application server and the BMC Server Automation RSCD Agents running on Windows target servers.

BMC Software is alerting users of TrueSight Server Automation for Windows Patching that action must be taken as soon as possible to ensure continued functioning of Windows Patching within the product. Windows patching will stop getting any new patch information after December 31, 2018 unless application server and agents are upgraded to the latest versions listed below. This is due to the end of life announcement by Ivanti for an underlying Shavlik SDK version that is used by TrueSight Server Automation to get updates for Windows patches. Once the application server is upgraded to a version that supports the new Shavlik SDK, all Windows RSCD agents must be upgraded to a version of the RSCD that supports the updated Shavlik SDK for Windows Patching to continue to function. Snapshot, Audit, Compliance, and Live Browse of the 'Hotfixes' node will also not work until both the application server and RSCD agent are upgraded.


Installation limitations for unified product installer

The unified product installer does not support the following scenarios:

  • 32-bit Windows or 32-bit Linux machines
  • Solaris SPARC machines
  • A heterogeneous environment where the Application Servers and PXE server are not all installed on the same operating system. 
  • The unified product installer requires the database to be Oracle for Linux environments and SQL Server for Windows environments. In the case of Linux, you can use the Oracle Express database edition shipped with TrueSight Server Automation (for testing purposes) during the evaluation period for the express database edition. However, you must upgrade to Oracle Enterprise edition, after the evaluation period is over.

Zipkits installed in 8.6 or with upgrade

ZipKit name

Type of objects installed

Patch Ready (Windows)

Component template
Extended object
Depot objects 

Windows 2012 R2 Standard Configuration

Component template
Depot objects 

Activation Status_Windows

(For Windows 2008 Servers and above only)

Extended object

IIS 8.5 (Windows 2012 R2)

Depot object (package)

LAMP on CentOS 6

Depot object (package)

Provisioning - Redhat Linux 6.0

Depot object (package)

Provisioning - Windows 2012

Depot object (package)

ZipKit name

Type of objects installed

For more information (link to BMC Communities)

Patch Ready (Windows)

Component template
Extended object
Depot objects 

Windows 2012 R2 Standard Configuration

Component template
Depot objects 

Activation Status_Windows

(For Windows 2008 Servers and above only)

Extended object

IIS 8.5 (Windows 2012 R2)

Depot object (package)

LAMP on CentOS 6

Depot object (package)

Provisioning - Redhat Linux 6.0

Depot object (package)

Internal zipkit, used by quick start page

Provisioning - Windows 2012

Depot object (package)

Internal zipkit, used by quick start page

General Prereqs for install

  • To know the default installation location of various TrueSight Server Automation components, see Default-installation-location-for-components.
  • The TrueSight Server Automation Application Server installation program needs a certificate password to generate a self-signed X.509 certificate. Communication between TrueSight Server Automation and servers being provisioned and between the Application Server uses the Transport Layer Security (TLS) protocol and X.509 certificates. The password must be at least 6 characters. For more information about certificates and the TLS protocol, see Authentication.

Linux install requirements for UPI

Requirement

Description

Default shell 

The Bash UNIX shell must be the default shell on all machines on which TrueSight Server Automation is being installed.

Firewalls

Ensure that your firewall allows communication on all ports used by various components of TrueSight Server Automation. For more information on ports, see TrueSight-Server-Automation-ports.

Perl

Ensure that you have a supported version of Perl installed on the host computer on which you are installing TrueSight Server Automation. (For information about the Perl versions that TrueSight Server Automation supports, see Perl support.) Perl is required to access the Network Shell Perl modules installed with the Network Shell installation.

 If the host computer on which you are installing TrueSight Server Automation has:

  • A supported version of Perl installed — The Network Shell installation automatically installs the Network Shell Perl module.
  • An unsupported version of Perl installed — The installation copies files that allow you to install the Perl module after you have installed the supported version of Perl.

Permissions

  • Verify that the umask is 0022 for the root users on the Application Server host computer.
  • TrueSight Server Automation might have many open files at any given point in its operation. Therefore, unless your environment has specific needs for a more restrictive setting (depending on the specific operation of the Application Server), BMC recommends that you set the following operating system parameters for the bladmin user in /etc/security/limits.conf file (or add a /etc/security/limits.d/<file>.conf file):

    bladmin - nofile 8192

    bladmin - nproc 8292

    As needed, you can adjust the hard and soft limits if you do not have enough available file descriptors to proceed, for example, by raising the open files limit to 65536. For more information, see Too-many-open-files-and-Java-out-of-memory.

  • The Linux file system partition to which you plan to install the Default Application Server must not be mounted with the nosuid option.

Separate file server

If you plan to install a separate file server, ensure that you have performed the following prerequisite tasks:

  • The unified product installer automatically installs the RSCD agent on the separate file server during installation. However, you can manually install the RSCD agent on your separate file server, as described in Installing-the-RSCD-agent-Windows or Installing-only-the-RSCD-agent-Linux-and-UNIX.
  • If the Application Server is running on Linux, the unified product installer can only install the RSCD agent on a separate file server that is also running on Linux. If the separate file server is running on Windows, you must manually install the RSCD Agent based on the procedures in Installing-the-RSCD-agent-Windows.

Security

The unified product installer needs to be run by a super user — root or a root-equivalent user on Linux. This enables the installer to install components on the Application Server and File Server.

By default, the unified product installer configures the RSCD agent on the file server to map incoming connections to the Administrator or root user. The following mapping is added to the exports file:

* rw,user=root

This mapping allows any server to access the file server as the root user. BMC recommends that you use <Application_Server_ip> rw,user=[root] in the exports file.

Note: The initial account used for mapping incoming connections to the file server must be a local account.

If you do not want to map the connections to the root user, you can manually modify the exports file to suit your needs. The exports file is located at the following path, BSA<version_number>-<platform>\files\installers\other_files\maintenance_scripts.zip\linux\. For more information, see Configuring the exports file. Alternatively, you can manually install the RSCD agent on the separate file server, see Installing-only-the-RSCD-agent-Linux-and-UNIX.

Shared library

Software and hardware

Temp space

Ensure that you have at least 4 GB of /tmp space for Linux installs.
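The checks below are an added example, not BMC code: they test the bladmin limits, the nosuid mount restriction, the root umask and the /tmp space requirement from the table above. The function names and the sample file contents are constructed for illustration, and the live check reads only /etc/security/limits.conf, not files under /etc/security/limits.d.

```shell
#!/bin/sh
# Added example (not BMC code): checks for the Linux prerequisites listed above.

# Print the limit set for a user and item in a limits.conf-style file (last match wins).
limit_for() {  # $1 = file, $2 = user, $3 = item (nofile or nproc)
  awk -v u="$2" -v item="$3" '
    $1 == u && $3 == item && ($2 == "-" || $2 == "soft" || $2 == "hard") { v = $4 }
    END { print v }' "$1"
}

# Succeed if the limit exists and is at least the required minimum.
limit_ok() {  # $1 = file, $2 = user, $3 = item, $4 = minimum
  v=$(limit_for "$1" "$2" "$3")
  case $v in
    unlimited) return 0 ;;
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$v" -ge "$4" ]
}

# Print the mount options of the filesystem holding a directory
# (the longest mount point that is a prefix of the directory).
mount_opts_for() {  # $1 = /proc/mounts-style file, $2 = directory
  awk -v dir="$2" '
    BEGIN { best = 0 }
    {
      mp = $2; pre = (mp == "/") ? "/" : mp "/"
      if (index(dir "/", pre) == 1 && length(mp) > best) { best = length(mp); opts = $4 }
    }
    END { print opts }' "$1"
}

# Succeed if the directory sits on a nosuid mount (a failed prerequisite).
has_nosuid() {  # $1 = mounts file, $2 = directory
  case ",$(mount_opts_for "$1" "$2")," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Checks against the running host; call as root on the Application Server host.
check_live_host() {  # $1 = planned installation directory
  [ "$(umask)" = "0022" ] || echo "FAIL: umask is $(umask), expected 0022"
  limit_ok /etc/security/limits.conf bladmin nofile 8192 || echo "FAIL: bladmin nofile below 8192"
  limit_ok /etc/security/limits.conf bladmin nproc 8292 || echo "FAIL: bladmin nproc below 8292"
  if has_nosuid /proc/mounts "$1"; then echo "FAIL: $1 is on a nosuid mount"; fi
  avail_kb=$(df -Pk /tmp | awk 'NR == 2 { print $4 }')
  [ "$avail_kb" -ge 4194304 ] || echo "FAIL: less than 4 GB free in /tmp"
}

# Constructed sample files so the parsing can be exercised offline.
demo_dir=$(mktemp -d)
cat >"$demo_dir/limits.conf" <<'EOF'
# constructed sample
bladmin - nofile 8192
bladmin - nproc 8292
EOF
cat >"$demo_dir/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /opt ext4 rw,nosuid,nodev 0 0
/dev/sdc1 /opt/bmc ext4 rw,relatime 0 0
EOF

if limit_ok "$demo_dir/limits.conf" bladmin nofile 8192; then echo "nofile OK"; fi
if has_nosuid "$demo_dir/mounts" /opt/other; then echo "/opt/other: nosuid mount"; fi
if has_nosuid "$demo_dir/mounts" /opt/bmc/bladelogic; then
  echo "/opt/bmc/bladelogic: nosuid mount"
else
  echo "/opt/bmc/bladelogic: mount OK"
fi
```

On a real host, call check_live_host with the planned installation directory, for example /opt/bmc/bladelogic.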

Windows install requirements for UPI

Requirement

Description

Firewall

Ensure that your firewall allows communication on all ports used by various components of TrueSight Server Automation. For more information on ports, see TrueSight-Server-Automation-ports.

Separate file server

If you plan to install a separate file server, ensure that you have performed the following prerequisite tasks:

  • The unified product installer automatically installs the RSCD agent on the separate file server during installation. However, you can manually install the RSCD agent on your separate file server, as described in Installing-the-RSCD-agent-Windows or Installing-only-the-RSCD-agent-Linux-and-UNIX.
  • If you want the unified product installer to automatically install the RSCD agent on your Windows file server, you need to download the Microsoft Sysinternals Suite from http://technet.microsoft.com/en-us/sysinternals/bb897553 and copy the psexec file path (typically C:\Windows\System32\) to the %PATH% variable of the default Application Server, before running the unified product installer. Psexec is not required if you choose to manually install the RSCD agent on your Windows file server.
  • New in 8.9.03: Ensure that Server Message Block (SMB) v2 is enabled on the Windows server.

Security

The unified product installer needs to be run by a super user — root or a root-equivalent user on Linux. This enables the installer to install components on the Application Server and file server.

By default, the unified product installer configures the RSCD agent on the file server to map incoming connections to the Administrator or root user. The following mapping is added to the exports file:

* rw,user=Administrator

This mapping allows any server to access the file server as the Administrator user. BMC recommends that you use <Application_Server_ip> rw,user=[Administrator] in the exports file.

Note: The initial account used for mapping incoming connections to the file server must be a local account. It cannot be a network or domain account.

If you do not want to map the connections to the Administrator user, you can manually modify the exports file to suit your needs. The exports file is located at the following path, TSSA<version_number>-<platform>\files\installers\other_files\maintenance_scripts.zip\windows\. For more information, see Configuring the exports file. Alternatively, you can manually install the RSCD agent on the separate file server, see Installing-the-RSCD-agent-Windows.
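The exports mapping described in the Linux and Windows Security rows can be checked mechanically. The following is an added example, not BMC code: it flags entries that map every host to root or Administrator and rewrites them to a single address. The function names are this example's own, the sample file is constructed, and 192.0.2.10 is a documentation address standing in for <Application_Server_ip>.

```shell
#!/bin/sh
# Added example (not BMC code): audit an RSCD exports file for the installer's
# default wildcard mapping and narrow it to one Application Server address.

# Report entries where any host ("*") is mapped to root or Administrator.
audit_exports() {  # $1 = exports file
  awk '
    { sub(/#.*/, "") }                            # ignore comments
    NF == 0 { next }                              # ignore blank lines
    {
      host = $1; opts = ""; user = ""; mode = "rw/ro not set"
      for (i = 2; i <= NF; i++) opts = opts $i    # rejoin options without spaces
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) {
        if (o[i] ~ /^user=/) user = substr(o[i], 6)
        else if (o[i] == "rw" || o[i] == "ro") mode = o[i]
      }
      lu = tolower(user)
      if (host == "*" && (lu == "root" || lu == "administrator"))
        printf "line %d: any host is mapped to %s (%s)\n", NR, user, mode
    }' "$1"
}

# Print the file with "*" replaced by one address on privileged wildcard entries.
restrict_exports() {  # $1 = exports file, $2 = Application Server IP (placeholder)
  awk -v ip="$2" '
    { line = $0; sub(/#.*/, "", line) }           # test the entry without comments
    line ~ /^[ \t]*\*[ \t]/ && (tolower(line) " ") ~ /user=(root|administrator)[ \t,]/ {
      sub(/\*/, ip)                               # the first "*" is the host field
    }
    { print }' "$1"
}

# Constructed sample input; both addresses are documentation placeholders.
workdir=$(mktemp -d)
sample="$workdir/exports"
fixed="$workdir/exports.fixed"
cat >"$sample" <<'EOF'
# constructed sample exports file
*            rw,user=root
192.0.2.20   rw,user=root
EOF

echo "Before:"; audit_exports "$sample"
restrict_exports "$sample" 192.0.2.10 >"$fixed"
echo "After:";  audit_exports "$fixed"
cat "$fixed"
```

Review the rewritten file before copying it over the agent's exports file; the rewrite changes only the host field and leaves the options as written.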

Software and hardware

UAC mode

Ensure that the UAC (User Account Control) mode is disabled, as described on the Microsoft.com Windows site, Turn User Account Control on or off.

To turn UAC on or off
  1. Open User Account Control Settings by clicking the Start button, and then clicking Control Panel. In the search box, type uac, and then click Change User Account Control settings.
  2. Do one of the following:
    • To turn off UAC, move the slider to the Never notify position, and then click OK. If you're prompted for an administrator password or confirmation, type the password or provide confirmation. You will need to restart your computer for UAC to be turned off.
    • To turn on UAC, move the slider to choose when you want to be notified, and then click OK. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.




Prerequisite for MSVC 2015

As a prerequisite to install Microsoft Visual C++ 2015 Redistributable Update 3 on Windows 2012 R2, you must have the following patches installed on your server:

  • KB2919442 (Required for 2919355)
  • KB2919355. This patch requires several other patches: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018. These are all available on the download page for KB2919355.

For more information about the prerequisites for Microsoft Visual C++ 2015 Redistributable Update 3, refer to the Microsoft documentation here.


Worksheet for installing the RSCD agent on Windows

Use the following worksheets to help you collect the information that you need to specify when installing the RSCD agent on Microsoft Windows. 

Installation parameter

Value

(Custom) RSCD agent installation folder. The default is:
C:\Program Files\BMC Software\BladeLogic\RSCD


(Custom) Security preferences: You can change default security preferences for the agent by editing security configuration files.
Editing these configuration files requires a solid understanding of how TrueSight Server Automation uses configuration files to set user permissions. For details about these configuration files, see Setting-up-configuration-files.
The files are:

  • secure — Sets communication parameters that define how client and server machines communicate. The RSCD agent has its own secure file, which specifies how the agent communicates with clients.
  • exports — Sets access permissions for client machines that communicate with a server.
  • users.local — Sets override permissions for individual users that communicate with a server. Typically, permissions for users are set through the users file, which the system writes based on RBAC definitions. The users.local file can be used to override permissions set in the users file.
    (NT Domain Controllers have no local users. If you are installing the RSCD agent in a replicated domain controller environment, you can map users to domain users. For more information, see Impersonation-and-privilege-mapping.)


(Custom) Location of agent log files. The default is:
C:\Program Files\BMC Software\BladeLogic\RSCD


(Custom) Enable or disable use of secure (digitally signed) logs for the RSCD agent. (Default is enable.) Secure agent logs have message authentication codes and sequence numbers assigned to the current log and digitally signed rolled logs.


(Custom) Enable or disable use of keystroke logs for nexec commands. (Default is enable.) Keystroke logs capture log information for remote commands run on the agent using nexec. The logs are also periodically rolled and digitally signed as they are rolled.


Worksheet for TrueSight Server Automation on Linux and UNIX

Installation parameter

Value

Names of the server or servers where you will install any TrueSight Server Automation components, including all managed servers.

Root password for each server. Installation must be performed by root.

Installation directory. The default is: /opt/bmc/bladelogic

Components to select for installation 
1-RSCD agent 
2-Application Server 
P-PXE Server 
T-TFTP Server 
Client utilities: 
3-Network Shell 
A-Select all 

Certificate password (must be at least 6 characters)

Note

The TrueSight Server Automation Application Server installation program needs a certificate password to generate a self-signed X.509 certificate. Communication between TrueSight Server Automation and servers being provisioned and between the Application Server uses the Transport Layer Security (TLS) protocol and X.509 certificates. The password must be at least 6 characters. For more information about certificates and the TLS protocol, see Authentication.

Whether to enable Provisioning on the Application Server. Select yes to enable a port that the Application Server uses to communicate with bare metal machines being provisioned. 

Maximum heap size, in megabytes, to use for the Java Virtual Machine (JVM) for the Application Server Launcher. (In a multiple-Application Server environment, the Application Server Launcher configures and controls all Application Servers on the host.)

Specify a value above the minimum 512 megabytes. The default is 1024 MB.


Recommendation

If you are setting up a multiple-Application Server (MAS) environment, set the MaxHeapSize to 512 MB. Then when you configure each Application Server instance, set MaxHeapSize to a value appropriate for the architecture and operating system. For recommended maximum Java heap sizes, see Sizing and performance.

(PXE server installation) Whether to configure a DHCP server to run on this server.

If the DHCP server is located on another server, the installation program automatically configures this server to function as a DHCP proxy. You must configure the DHCP server differently, depending on whether it is installed on the same computer as the PXE Server. For more information on configuring the DHCP server, see Configuring a DHCP server on Windows and Configuring a DHCP server on Linux. BMC recommends that you install the PXE server and the DHCP server on different host computers.

Whether to install the default .nsh resource files into /etc/skel.

These files make it easy to set up Network Shell as a log-in shell.

Whether to use secure (digitally signed) logs for the RSCD agent. Secure agent logs have message authentication codes and sequence numbers assigned to the current log and digitally signed rolled logs. Enter y to use secure logs; enter n to use plain text logs.

Whether to use keystroke logs for nexec commands. Keystroke logs capture log information for remote commands run on the agent using nexec.

Whether to install the TrueSight Server Automation Pseudo Random Number Generator Daemon (PRNGD). For information, see TrueSight Server Automation PRNGD.

Whether to set up an initial host with root equivalency. For information, see Root equivalency.

Whether to set up mapping for a particular client user. If you choose y, you must specify:

  • Client user you want to map, such as BLAdmins:BLAdmin or root.
  • Local user on the server to which you want to map.

For information, see Client mapping.

RSCD log directory. Default is /opt/bmc/bladelogic/NSH/log

Directory for temp files. The default is /tmp

Whether to configure Application Server with Post-Installation wizard. Running the Post-Install Configuration wizard requires an X Windows display. If you choose yes, you must define a display variable. For example: hostname 0.0. For information about configuration parameters, see Configuring the Application Server.

TrueSight Server Automation PRNGD

TrueSight Server Automation uses random numbers to encrypt communication securely. On HP-UX, AIX, and Linux 7 systems without a suitable Random Number Generator, the TrueSight Server Automation Application Server installation program gives you the option to install the TrueSight Server Automation Pseudo Random Number Generator Daemon (PRNGD). PRNGD is an entropy gathering daemon (EGD) that performs a variety of actions to generate random data in a secure manner. 

If a server includes a hardware device for generating random numbers, it usually resides in /dev/random or /dev/urandom. If that device is not functioning properly or is not FIPS compliant, the installation program advises you to install a patch to correct the problem. BMC recommends this approach for setting up random number support on a server. 

Most computers have a random number generator, so you can choose not to install the PRNGD. However, if you choose not to install, the installation program aborts installation because it found no suitable random number generator and you chose to install a working device of your own. You can restart the installation when that has been done.

Root equivalency

The TrueSight Server Automation RSCD agent installation program on Linux and UNIX lets you specify client computers where users should be granted root privileges on this server. 

By default, users with root privileges on client computers are not granted root privileges on servers. To be able to perform some functions, such as remotely updating the configuration files or installing software, you must have root privileges. The RSCD agent installation program can set up an initial host from which the root user has root privileges (called root equivalency) on this host. Root equivalency gives you an initial root privileged entry point. 

During installation, you can grant root privileges on the server to users on a client computer by choosing to set up an initial host with root equivalency. 

To do so, provide this information during RSCD agent installation:

  • The name of a client system where users with root privileges should be granted root privileges on this server.
  • Set up a mapping for a particular client user to a local user.

Client mapping

Typically you map user names to give root privileges on the server to client users. However, TrueSight Server Automation does not automatically map a root user on the client to root on the server unless you make that possible for a particular client. 

You can set up this client mapping during RSCD agent installation by choosing to set up an initial host with root equivalency and specifying its host name. Then you provide this information:

  • Client user you want to map. The client user can be an operating system user such as root or a TrueSight Server Automation Role-based access control (RBAC) user such as BLAdmins:BLAdmin.
  • Local user on the server to whom you want to map.

If you:

  • Map a client user to a local user, the client user receives the local user's privileges when connecting from any client computer. To implement this mapping, TrueSight Server Automation generates an entry in the users.local configuration file.
  • Do not map user privileges, TrueSight Server Automation attempts to map a client user to an existing user on the server. If no match is found, TrueSight Server Automation maps the client user to nobody.

For more information about user privilege mapping and the configuration files, see Impersonation-and-privilege-mapping.

Agent-related objects

Object

Depot Path

Can be used for

Installers

/Depot/BMC Maintenance/Agent Installers/

Agent install and upgrade

Bundles

/Depot/BMC Maintenance/Agent Bundles/

Agent upgrade

Jobs

/BMC Maintenance/Agent Installer Jobs/

Agent upgrade

For more information about using these objects, see Installing one or more agents using the TrueSight Server Automation Console and Upgrading-the-RSCD-Agent-using-an-Agent-Installer-Job.

 


TrueSight Server Automation 25.2