RSCD Agent and Smart Agent Installation for Azure connectors

This topic provides an overview of and instructions to install RSCD Agent and Smart Agent for Azure on-premises and Azure cloud connectors.

Introduction

Architecture of TSSA requires that the RSCD agents running on targets are accessible either directly or indirectly via SOCKS proxies. For any actions or job executions on targets, the TrueSight Server Automation (TSSA) uses RSCD protocol which requires a persistent TCP connection to targets. Customers have started moving their workloads to public clouds like AWS, Azure, GCP and Alibaba and they want to manage their VMs running in these clouds via TSSA. Most of the VMs in these clouds run in their virtual private networks and not reachable directly. There are several thousands of such isolated or disconnected networks, and it becomes challenging for customers to setup thousands of SOCKS proxies for each such network, for TSSA to manage the VMs sitting in those network. Hence there is a need for a solution that is simple to deploy and manage for existing TSSA customers.

RSCD Agent

RSCD Agent (Remote System Call Daemon) Server-side agent that TrueSight Server Automation accesses for executing various commands for patching, compliance, executing scripts, etc.

Role of RSCD Agent -

RSCD agent only accepts incoming connections and talks in RSCD protocol.

SmartAgent

Agent running on VM which is provisioned either in public/private cloud or data centers. SmartAgent is light weight agent which runs along side RSCD and monitors the health of RSCD and reports the heartbeat to SmartHub.

Role of SmartAgent -

Monitor RSCD state/status.
Automatically enroll servers without manual intervention.

Supported Platforms

Smart Agent is supported for RHEL and Windows only.

Supported Operating System

64-bit Operating System for RHEL.
64-bit Operating System for Windows..

Qualified Versions and Builds details used for testing purpose

Linux VM - Red Hat Enterprise 7.7
Azure VM - Windows Server 2012, 2015, 2016, 2017
Linux RSCD Installer Build - BladeLogic_RSCD_Agent-release_2002_hotfix-20.02.00.31-rhas5.0-x86_64.rpm
Windows RSCD Installer Build - RSCD-WIN64-release_2002_hotfix-31.msi
VC++ version - Microsoft Visual C++ 2015 Redistributable(x64)

Architecture Diagram

The following diagram shows the architecture for this installation.

Flow

Following are high level steps which gets executed:

Connector gets downloaded from cloud security.
While on-boarding connector make sure you select newly created BMC Azure VM RSCD Discovery policy 1.2.0 for connector policy mappings.
Before running the connector, map the connector under BMC Azure VM RSCD Discovery Policy 1.2.0.
Run the downloaded connector.
Connector will scan the desired account and make the policy rule results compliant/non-compliant.
Trigger the remediation action for rules which has the remediation which internally triggers smart agent installation job.
In post installation of smart agent job, agent itself register itself against smart agent.

Prerequisites for installing RSCD agent

1. On Virtual machine for Azure, Visual C++ must be installed.

Following Versions of VC++ are supported

Microsoft Visual C++ 2015 Redistributable (x64)
Microsoft Visual C++ 2017 Redistributable (x64)
Microsoft Visual C++ 2019 Redistributable (x64)

2. All the three installer paths (Windows Installer Path, Linux Installer Path and VC++ installer path) must be accessible by Virtual machine for Azure.

NOTE: It is Recommended to Always Create New Connector.

Importing BMC Azure VM RSCD Discovery Policy 1.2.0 from Policy Library for connector policy mapping

Azure Policy.png

Note After Importing BMC Azure VM RSCD Discovery Policy 1.2.0, map the Azure on-prem and cloud Connector with the BMC Azure VM RSCD Discovery 1.2.0 policy.

Rule Description

a) Check for AZURE VM managed by TSSA

Description: Rule state if any version of RSCD is in use

Rule will be non-compliant, if RSCD agent not found.
Rule will be compliant, if RSCD agent found.

Initially when the Azure VM instance rscd agent is not installed, the BMC Azure VM RSCD Discovery 1.2.0 rule will be shown as below

Check for AZURE VM managed by TSSA - Non-Compliant

Initially when the Azure VM instance rscd agent is installed, the BMC Azure VM RSCD Discovery 1.2.0 rule will be shown as below

Check for AZURE VM managed by TSSA - Compliant

Initially when the Azure VM instance is down or stopped, the BMC Azure VM RSCD Discovery 1.2.0 rule will be shown as below

Check for AZURE VM managed by TSSA - Indeterminate

Performing Remediation action for "Check for AZURE VM managed by TSSA" Rule

To remediate rule "Check for AZURE VM managed by TSSA", follow the below steps:

1. First enable the action content of the rule to On Demand Mode.

2. Pass the following list of parameters details in order to remediate

Parameters required for RSCD Agent installation on Azure VM

Below parameters list or fields that are required by the "Check for AZURE VM managed by TSSA" rule to perform the remediation action that is installing RSCD agent on Azure VM.

Smart hub(hostname:port)
RSCD Access key
Linux Installer Path
Windows Installer Path
VC++ Installer Path
Enroll Interval Min
Enroll As
Tunnel Enable

Smart hub(hostname:Port)

Smart hub hostname is the Hostname/IP Address of the Smart Hub server.

Smart hub Port is the Smart hub service listener port.

Note: This is the mandatory parameter.

For Example, 11.55.124.4:443

Here 11.55.124.4 is the hostname and 443 is the Port number

RSCD Access key

Access key for specified Smart Hub service. This is also a mandatory parameter.

Linux Installer Path

This is the Linux installation URL, should be accessible from Azure VM. This is mandatory parameter for remediation on Azure VM.

Windows Installer Path

This is the Windows Installation URL, should be accessible from Azure VM. This is the mandatory parameter for remediation on Azure VM.

VC++ Installer Path

This is the VC++ Installation URL, should be accessible from Azure VM. This is also a mandatory parameter for remediation on Azure VM.

Once the remediation has been successfully done, "Check for AZURE VM managed by TSSA" rule status will be shown as Remediation Completed on UI.

Enroll Interval Min

The interval at which the server enrollment request is sent(in minutes). The interval can be in the range 1-360 minutes.

Enroll As

The server is enrolled into the Application server using this identifiers. Predefined identifiers: <HOSTNAME>,<SMARTHUB_PEER_IP>,< SMARTHUB_PEER _FQDN>,<UUID>,<CLOUD_RESOURCE_ID>

Tunnel Enable

Enable the Tunnel feature in Smart Agent. Example: true

Note: It will take 1-2 minutes to remediate

On connector evaluation, this rule "Check for AZURE VM managed by TSSA" become compliant. On the target server, RSCD agent will get installed.

Troubleshooting the errors

RSCD windows remediation without passing VC++ as a remediation parameter
Error Message on UI : Failed to remediate resource. Error: Check remediation parameter VC Installer Path and provide url for installer.
RSCD windows remediation with passing linux rscd installer in place of windows rscd installer.
Error Message on UI : Failed to remediate resource. Error: This installation package could not be opened Contact the application vendor to verify that this is a valid Windows Installer

Package. Passing any random xyz parameter in place of rscd installer(both linux and windows)
Error Message on UI : Failed to remediate resource. Error: RSCD xyz download failed

Error Message on UI : Failed to remediate resource. Error: VC httpsrscdinstallersblobcorewindowsnetrscdinstallersVCredistx64exe download failed
By Removing the public Access permission from the storage account(Linux and Windows)
Remediation on Azure VM that is having only Private access(Publicly not accessable)

Rules Supported by BMC Azure VM RSCD Discovery Policy 1.2.0

BMC Azure VM RSCD Discovery Policy 1.2.0 basically supports one rule which will show different states (Compliant and Non-compliant) for Azure VM resources.

Check for AZURE VM managed by TSSA