RSCD Agent and Smart Agent Installation Help


Introduction

The TSSA architecture requires that the RSCD agents running on targets be accessible either directly or indirectly via SOCKS proxies. For any action or job execution on targets, TrueSight Server Automation (TSSA) uses the RSCD protocol, which requires a persistent TCP connection to the targets. Customers have started moving their workloads to public clouds such as AWS, Azure, GCP and Alibaba, and they want to manage the VMs running in these clouds via TSSA. Most of the VMs in these clouds run in virtual private networks and are not reachable directly. There are several thousand such isolated or disconnected networks, and it is challenging for customers to set up thousands of SOCKS proxies, one for each such network, so that TSSA can manage the VMs in those networks. Hence there is a need for a solution that is simple to deploy and manage for existing TSSA customers.

RSCD Agent

  • RSCD Agent (Remote System Call Daemon): the server-side agent that TrueSight Server Automation accesses to execute various commands for patching, compliance, executing scripts, etc.

Role of RSCD Agent -

  • The RSCD agent only accepts incoming connections and speaks the RSCD protocol.

SmartAgent

An agent running on a VM that is provisioned in a public or private cloud or in a datacenter. SmartAgent is a lightweight agent that runs alongside RSCD, monitors the health of RSCD, and reports the heartbeat to SmartHub.

Role of SmartAgent -

  • Monitor RSCD state/status.
  • Automatically enrol servers without manual intervention.

Supported Platforms

Smart Agent is supported for RHEL and Windows only.

Supported Operating System

  • 64-bit Operating System for RHEL.
  • 64-bit Operating System for Windows.

Qualified Versions and Builds details used for testing purpose

  • Linux AMI Version(64-bit) - RHEL-7.6_HVM-20190618-x86_64-0-Hourly2-GP2 (ami-08a7d2bfef687328f)
  • Windows AMI Version(64-bit) - Windows_Server-2016-English-Full-Base-2019.11.13 (ami-08c7081300f7d9abb)
  • Linux RSCD Installer Build -  BladeLogic_RSCD_Agent-release_intmaster_0_0_hotfix-20.02.01.608-rhas5.0-x86_64.rpm
  • Windows RSCD Installer Build - RSCD-WIN64-release_intmaster_0_0_hotfix-608.msi 
  • VC++ version - Microsoft Visual C++ 2015 Redistributable(x64)

Architecture Diagram


Arch1.png

Flow

The following high-level steps are executed:

  1. The connector is downloaded from Cloud Security.
  2. While on-boarding the connector, make sure you select the newly created BMC EC2 RSCD Discovery 1.1.0 policy for connector policy mappings.
  3. Before running the connector, map the connector under the BMC EC2 RSCD Discovery 1.1.0 policy.
  4. Run the downloaded connector.
  5. The connector scans the desired account and marks the policy rule results as compliant or non-compliant.
  6. Trigger the remediation action for the rules that have a remediation; this internally triggers the smart agent installation job by means of SSM.
  7. In the post-installation step of the smart agent job, the agent registers itself against smart agent.

Prerequisites for installing RSCD agent

  1. AWS SSM must be installed and configured on each EC2 machine (both RHEL and Windows machines).

     Follow the steps in the AWS documentation and configure all EC2 instances that need to be managed by TSSA.

     https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html

  2. For Windows EC2 machines, Visual C++ must be installed on each Windows machine.

     The following versions of VC++ are supported:

       • Microsoft Visual C++ 2015 Redistributable (x64)
       • Microsoft Visual C++ 2017 Redistributable (x64)
       • Microsoft Visual C++ 2019 Redistributable (x64)

  3. All three installer paths (Windows Installer Path, Linux Installer Path and VC++ Installer Path) must be accessible by EC2.

NOTE: It is recommended to always create a new connector.

Importing BMC EC2 RSCD Discovery 1.1.0 Policy from Policy Library  for connector policy mapping

importing_policy_image_1.PNG


Policy Imported

managed_policy-image-2.PNG

Note: After importing the BMC EC2 RSCD Discovery 1.1.0 policy, map the AWS connector with the BMC EC2 RSCD Discovery 1.1.0 policy.

connector-assignment-image-3.PNG

Rules Supported by BMC EC2 RSCD Discovery 1.1.0 Policy

    The BMC EC2 RSCD Discovery 1.1.0 policy supports two rules, which show the different states (Compliant and Non-compliant) of EC2 resources in an AWS environment.

      a) Check for SSM configured on AWS EC2

      b) Check for AWS EC2 Managed by TSSA.

Roles-supported-image-4.PNG

Rule Description

   a)  Check for SSM configured on AWS EC2

      Description: The rule states whether SSM is configured for the AWS EC2 instance.

  • The rule is non-compliant if SSM is not configured on the EC2 instance.
  • The rule is compliant if SSM is configured on the EC2 instance.

    ssm_rule_description-image-5.PNG



NOTE: Of the above two rules, remediation is available only for the "Check for AWS EC2 Managed by TSSA" rule.

     1.  Initially, when the EC2 instance is down or stopped, the BMC EC2 RSCD Discovery 1.1.0 rules are shown as follows:

            Check for SSM configured on AWS EC2 - Non-Compliant

            Check for AWS EC2 Managed by TSSA - Indeterminate

SSM_on_complaint-image-6.PNG

     2.  When the EC2 instance is up and running and the RSCD agent is installed on the machine, both rules are compliant:

           Check for SSM configured on AWS EC2 - Compliant

           Check for AWS EC2 Managed by TSSA -   Compliant

policy_complaint-image-7-image-11.PNG

Performing Remediation action for "Check for AWS EC2 Managed by TSSA" Rule

To remediate the rule "Check for AWS EC2 Managed by TSSA", follow these steps:

  1. First, set the action content of the rule to On Demand mode.
  2. Pass the following parameters in order to remediate.

Parameters required for RSCD Agent installation on EC2 machine

The following parameters (fields) are required by the "Check for AWS EC2 Managed by TSSA" rule to perform the remediation action, which installs the RSCD agent on EC2 machines.

  • Smart hub(hostname:port)
  • RSCD Access key
  • Linux Installer Path
  • Windows Installer Path
  • VC++ Installer Path
  • Enroll Interval Minutes
  • Enroll As
  • Tunnel Enable

parameter_full_view.PNG

parameter_with_values.PNG

Smart hub(hostname:Port)

Smart hub hostname is the Hostname/IP Address of the Smart Hub server.

Smart hub Port is the Smart hub service listener port.

Note: This is a mandatory parameter.

For example, 52.220.123.13:443

Here, 52.220.123.13 is the hostname and 443 is the port number.

RSCD Access key

The access key for the specified Smart Hub service. This is also a mandatory parameter.

Linux Installer Path 

This is the Linux installation URL; it must be accessible from EC2. This is a mandatory parameter for remediation on Linux EC2 machines.

Windows Installer Path

This is the Windows installation URL; it must be accessible from EC2. This is a mandatory parameter for remediation on Windows EC2 machines.

VC++ Installer Path 

This is the VC++ installation URL; it must be accessible from EC2. This is also a mandatory parameter for remediation on Windows EC2 machines.

Enroll Interval Minutes

The interval at which the server enrollment request is sent (in minutes). The interval can be in the range 1 - 360 minutes. By default, it is 15 minutes.

Enroll As

The server is enrolled into the Application Server using this identifier. Predefined identifiers are: <HOSTNAME>, <SMARTHUB_PEER_IP>, <SMARTHUB_PEER_FQDN>, <UUID>, <CLOUD_RESOURCE_ID>.

Tunnel Enable

Enable the Tunnel feature in Smart Agent. By default, it is set to false.
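
A pre-flight check of the remediation parameters described above, added here as an example (it is not BMC code). The dictionary keys are hypothetical names for the UI fields, and treating only the predefined Enroll As identifiers as valid is an assumption.

```python
import re

# Predefined "Enroll As" identifiers listed on this page.
ENROLL_AS = {"<HOSTNAME>", "<SMARTHUB_PEER_IP>", "<SMARTHUB_PEER_FQDN>",
             "<UUID>", "<CLOUD_RESOURCE_ID>"}
HOST_PORT = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
# Installer paths are mandatory only for the matching platform.
INSTALLERS = {"linux": ["linux_installer_path"],
              "windows": ["windows_installer_path", "vc_installer_path"]}

def validate_remediation_params(params, platform):
    """Return a list of problems; an empty list means the input passes.
    The dict keys are hypothetical names for the UI fields, and
    `platform` is "linux" or "windows".
    """
    errors = []
    match = HOST_PORT.match(params.get("smart_hub", ""))
    if not match:
        errors.append("smart_hub: expected hostname:port")
    elif not 1 <= int(match.group(2)) <= 65535:
        errors.append("smart_hub: port outside 1-65535")
    if not params.get("rscd_access_key"):
        errors.append("rscd_access_key: mandatory")
    for key in INSTALLERS[platform]:
        if not params.get(key):
            errors.append(f"{key}: mandatory on {platform}")
    interval = params.get("enroll_interval_minutes", 15)  # page default
    if type(interval) is not int or not 1 <= interval <= 360:
        errors.append("enroll_interval_minutes: must be 1-360")
    # Assumption: only the predefined identifiers are accepted.
    enroll_as = params.get("enroll_as")
    if enroll_as is not None and enroll_as not in ENROLL_AS:
        errors.append("enroll_as: not a predefined identifier")
    if type(params.get("tunnel_enable", False)) is not bool:  # page default
        errors.append("tunnel_enable: must be true or false")
    return errors

# Constructed sample input for a Windows EC2 target (all values invented).
SAMPLE = {
    "smart_hub": "smarthub.example.com",          # port missing
    "rscd_access_key": "EXAMPLE-KEY",
    "windows_installer_path": "https://installers.example.com/rscd.msi",
    "enroll_interval_minutes": 400,               # above the 360 limit
    "enroll_as": "<UUID>",
}

if __name__ == "__main__":
    for problem in validate_remediation_params(SAMPLE, "windows"):
        print(problem)
```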

Once the remediation has completed successfully, the "Check for AWS EC2 Managed by TSSA" rule status is shown as Remediation Completed in the UI.

remediation-completed-image-10.PNG

Note: Remediation takes 1-2 minutes.

On connector evaluation, the rule "Check for AWS EC2 Managed by TSSA" becomes compliant, and the RSCD agent is installed on the target server.

policy_complaint-image-7-image-11.PNG

Troubleshooting the errors

Case 1: The user forgets to attach a role to the EC2 instances.

Effect: The rule "Check for SSM configured on AWS EC2" becomes non-compliant.

Reason: SSM details not found, configure SSM role and install SSM agent for this i-0483c4996d84c22bb, to resolve it.

SSM-not-configured-image-12.PNG


Case 2: The user has only the minimum permissions.

Effect: The user gets the following error in the Cloud Security UI.

doc*1.png

Resolution: To resolve this issue, edit the Compliance JSON under minimum permission by adding the following SSM permissions:

"ssm:describeInstanceInformation",

"ssm:getCommandInvocation",

"ssm:sendCommand"

This will resolve the above error.

Below is the link for Compliance JSON

https://docs.bmc.com/docs/CloudSecurity/compliance-json-892249387.html
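
A way to confirm that a policy document grants the three SSM permissions from Case 2, added here as an example (it is not BMC code). It assumes the Compliance JSON follows the standard IAM policy layout (`Statement`, `Effect`, `Action`); the sample policy is constructed.

```python
import fnmatch
import json

# The three SSM permissions this page lists for Case 2.
REQUIRED_ACTIONS = (
    "ssm:describeInstanceInformation",
    "ssm:getCommandInvocation",
    "ssm:sendCommand",
)

def _as_list(value):
    """IAM accepts either a single string or a list for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def missing_ssm_actions(policy_json):
    """Return the required actions that no Allow statement lists.

    Simplification: Deny statements, NotAction, Resource and Condition
    are not evaluated; this only answers "is the action listed at all".
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return [
        req for req in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(req.lower(), p) for p in patterns)
    ]

# Constructed sample policy: EC2 read access plus one of the three SSM actions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ssm:SendCommand"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:GetCommandInvocation", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for action in missing_ssm_actions(SAMPLE_POLICY):
        print("missing:", action)
```

`ssm:sendCommand` permits running commands on managed instances, so a policy that grants it on `"Resource": "*"` is worth reviewing for scope once the check passes.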


Case 3: The user forgets to add access permission to the installer path location.

Effect: Remediation fails, and the UI shows an error that the MSI download failed.

s3-not-public-image-14.PNG

Resolution: Granting access permission to the installer path location resolves this issue.

For more info about smart hub and smart agent, refer to the TrueSight Server Automation online documentation:


 
