Preparing to install the Application Server and ETL Engine
Before installing the Application Server and ETL Engine, ensure that your environment meets the installation requirements, and complete the tasks described in this section.
Preparing to install the Application Server without a sysdba password
The sysdba password is needed to automatically create users and tablespaces during installation. If you do not have a sysdba password, you can set up the database users and tablespaces manually before you install the product using scripts provided with the installer.
If the Database Administrator cannot provide the sysdba password, do the following to create users and tablespaces manually:
- Log in to the host computer on which you want to install the Application Server and ETL Engine, and create a temporary directory.
- Extract the downloaded files to the temporary directory.
- Navigate to the <temp_download>/BCO/Disk1/scripts folder.
- Based on the database you are using, copy the following database creation script from the scripts folder to the database server.
- (Oracle) create_users_tablespaces.sql
- (PostgreSQL) create_postgres_users_tablespaces.sql
- Log in to the database server and navigate to the folder in which you have copied the script.
- Edit the script and modify the required values such as database users, roles, and tablespace names.
Ensure to use the same values when you choose the Use existing database users and tablespaces option while installing. - Run the script.
For information about supported database versions and requirements, see Database requirements.
Preparing to install the Application Server as a non-root user
BMC recommends that you install the TrueSight Capacity Optimization product as a root user. If you cannot perform the installation as a root user, do the following:
If you have access to the root user, proceed to Installing the Application Server and ETL Egine. The required user, group, and system properties will be automatically set by the installer.
If you are using a supported Oracle Database Server, you must have a supported Oracle Client installed on the host system or virtual machine. For more information, see Database requirements.
Create the system user, and its home folder.
As a best practice, name the user group cpit, user name cpit, and the home directory /opt/bmc/BCO.
mkdir /opt/bmc/BCO
groupadd -g 87654321 cpit
useradd -g cpit -d /opt/bmc/BCO -s /bin/bash -c "BMC TrueSight Capacity Optimization" -K UMASK=007 cpit
chown cpit:cpit /opt/bmc/BCO
chmod 770 /opt/bmc/BCO- Change the default password, 'cpit', for the cpit user.
Define the open file limit for the cpit user. Defining this limit allows simultaneous execution of other operations on the same host. For example, importing data using ETL tasks.
echo "cpit soft nofile 10240" >> /etc/security/limits.conf
echo "cpit hard nofile 65536" >> /etc/security/limits.conf
sysctl -p- Create a temporary folder for the installation files. BMC recommends you to use /opt/cpitinstall.
- Define the cpit user as the owner of the temporary folder: chown -R cpit:cpit /opt/cpitinstall
(Optional) If, on the application server, you plan to run an ETL process that accesses Windows shares, you need to enable permission for the application server to mount Windows shares. For more information, see Enabling Windows shares mounting.
- Ensure that the Capacity Optimization system user who runs the Application Server and ETL Engine has permissions to use the system crontab file:
- If the host has a cron.deny policy, ensure that the Capacity Optimization user is not included in it.
- If the host has a cron.allow policy, add the Capacity Optimization user to it.
Preparing for TLS-enabled communication between the internal database and the product components
The internal database (Oracle or PostgreSQL) communicates with the Application Server and ETL Engine. By default, this communication is non-secure.
To upgrade the communication channel security to use TLS 1.2 with server certificate validation, do the following:
Before you begin
- Ensure that you use the Oracle database and client versions that support TLS 1.2. For more information, see TLS-considerations-for-TrueSight-Capacity-Optimization.
- Ensure that the Oracle database is configured in TLS 1.2 mode.
Ensure that a TLS 1.2 compliant ojdbc7.jar file exists in the <Oracle client home>/jdbc/lib directory. If not, copy the file from the Oracle website.
I. Procure the Oracle server security certificate and configure the Oracle wallet
- Procure the Certificate Authority (CA) signed Oracle server certificate from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, oracle.crt.
Procure and configure the Oracle wallet for the Oracle client. For more information, see Creating and Managing Oracle Wallet.
Ensure that the Oracle client communicates with the server securely on TCPS port. For more information, see Configuring Secure Sockets Layer Authentication.
II. Import the security certificate
The Application Server and ETL Engine use the cotruststore.ts truststore to communicate with the Oracle database. This truststore is bundled along with the Server installation, and is located in the directory where you extracted the installation files. Example: BCO/Disk1.
Do the following on both the Application Server and the ETL Engine to import the security certificate into their truststore files:
- Log in to the computer where the Application Server and the ETL Engine are installed.
- The keytool utility that is used to import the certificates is present in the directory where you extracted the installation files. Example: BCO/jre/bin. Add this directory path to the PATH environment variable: export PATH= BCO/jre/bin:$PATH
Navigate to the directory where you extracted the installation files (Example: BCO/Disk1) and import the procured certificates by running the following command:
keytool -importcert -trustcacerts -file <path>/<oracle certificate.crt> -keystore cotruststore.ts -alias CODB -storepass changeit
where <oracle certificate.crt> is the name of the procured Oracle certificate and changeit is the default password of the truststore cotruststore.ts as it exists in directory where you extracted the installation files. Example: BCO/Disk1.
Ensure that CODB is used as the alias name.
The Oracle server security certificate is now installed and will be enabled when you install the product.
I. Procure and copy the PostgreSQL server security certificate
- Procure the Certificate Authority (CA) signed certificate for the PostgreSQL database from the system administrator of your organization. Ensure that the certificate is in x509 format. For example, postgres.crt.
- Save the procured certificate file in the directory where you extracted the installation files. Example, BCO/Disk1.
II. Import the security certificate
The Application Server and ETL Engine use the cotruststore.ts truststore to communicate with the PostgreSQL database. This truststore is bundled along with the Server installation, and is located in the directory where you extracted the installation files. For example, BCO/Disk1.
Do the following on both the Application Server and the ETL Engine to import the security certificate into their truststore files:
- Log in to the computer where the Application Server and the ETL Engine are installed.
- The keytool utility that is used to import the certificates is present in the directory where you extracted the installation files. Example: BCO/jre/bin. Add this directory path to the PATH environment variable: export PATH= BCO/jre/bin:$PATH
Navigate to the directory where you extracted the installation files (Example: BCO/Disk1) and import the procured certificates by running the following command:
keytool -importcert -trustcacerts -file <path>/<postgres certificate.crt> -keystore cotruststore.ts -alias CODB -storepass changeit
where <postgres certificate.crt> is the name of the procured PostgreSQL certificate and changeit is the default password of the truststore cotruststore.ts as it exists in directory where you extracted the installation files. Example: BCO/Disk1.
Ensure that CODB is used as the alias name.
The PostgreSQL server security certificate is now installed. You must now run the installer to enable TLS.
Sharing the Content Repository directory
In an environment that has multiple Application Servers or a distributed Application Server, you must share the Content Repository directory.
The Content Repository directory needs to be accessed in read/write mode by the web console and Primary Scheduler, and in read-only mode by the web application component. In addition, the TrueSight Capacity Optimization user on each computer must have permissions to read, write, and update files in the Content Repository. For users to have the required permissions, the UID of the cpit users must be same across all Application Servers in an environment.
To share the Content Repository between two Application Servers, AS1 that is running the web application component, and AS2 that is running the Data hub and Primary scheduler, do the following:
- Run the installer first on AS1 and then on AS2.
- Share the Content Repository that has been created by the installer on each Application Server via a shared file system (NFS, by configuring a mount point on all servers, that maps an external storage).
- Copy the directory and subdirectories structure of Content Repository, from either AS1 or AS2 to the shared Content Repository location. For more information, see System-level-administration-overview.
- Mount the Content Repository location from both AS1 and AS2.
Preparing to install a Remote ETL Engine
To install a remote ETL Engine, you must forward a port on your external firewall to your TrueSight Capacity Optimization Data hub external communication port, to expose it to the remote ETL. You will be asked to provide external Data hub and port parameters during the configuration procedure. Configure both firewall and Data hub if you plan to have a remote ETL installation.
Where to go from here
Perform the other preinstallation tasks listed in Preparing-to-install-TrueSight-Capacity-Optimization.