Scoping a BMC ADDM Deployment

An introduction to BMC ADDM and scoping out design and requirements, led by CSS.

Published in: Technology
  • UNIX Credentials
    sshd or SSH key or standard user account
    Public-key cryptography: encryption and decryption use separate keys
    Not possible to derive the decryption key from the encryption key
    Appliance holds the private key; public key deployed to target hosts
    Credentials stored in a vault
    Blowfish encryption
    Secured with a passphrase
    Passwords never exposed to the ADDM team, operators or users
    Sudo used for privilege escalation
    Commands and arguments specified to prevent spawning any arbitrary commands
  • Windows Credentials
    Admin user account required for WMI commands
    Slave can be a member of an AD domain
    The AD Slave does not use any credentials entered using the ADDM 8.x user interface
    Credentials stored in a vault with Blowfish encryption
    Multiple Windows AD slaves can be connected to one ADDM 8.x Appliance
    One for each AD domain
  • Scoping a BMC ADDM Deployment

    1. 1. BMC ADDM Scoping
    2. 2. • Introduction to ADDM • How Discovery Works • Application Modelling • Project Overview • Pre-requisite walk-through • Questions Agenda
    3. 3. Introduction to ADDM
    4. 4. • Agentless discovery • Quicker and easier deployment • Immediate results • Platform agnostic – web-based UI • Accurate view of infrastructure • Servers and network devices • Running and installed software • Automatic dependency and impact mapping • Provides data for Configuration Management • Low impact • Runs standard sysadmin commands on endpoint • Uses standard protocols and ports • WMI, SSH, SNMP ADDM – Atrium Discovery and Dependency Mapping
    5. 5. Visibility of Your Infrastructure and Dependencies ADDM captures and provides automatically discovered Configuration data and presents it in many forms.
    6. 6. • Asset and Configuration Management • Primary data provider to CMDB • Automatic inventory of Configuration Items and relationships • Change Management • Updates CMDB automatically on changes to discovered CIs • Application Management • Identify the application stack, environments, communication, dependencies and single points of failure ADDM as part of ITSM
    7. 7. • Hosts, software, databases, network devices, virtualisation, clustering, file systems etc… • Dashboards • Automatic host and software dependencies • Automatic and manual grouping • Customisable Summary of Discovery
    8. 8. How Discovery Works
    9. 9. How Discovery Works – ADDM Appliance • Ships as a self-contained VM image • Hosted on customer virtual platform • ESX/ESXi 4.1 and later • Disk allocation only – no requirement for OS install • Customer supports the platform (RHEL) • BMC supports the appliance • Security hardened with internal firewall • IP ranges are entered into the appliance • Appliance runs discovery across the network • [Diagram labels: User, ADDM Appliance, Your IT Estate]
    10. 10. How Discovery Works • Ports required for scan without credentials (sweep scan): • TCP: 4, 22, 80, 135, 139, 514 • TCP/UDP: 161 (SNMP) • TCP: 23 (telnet) (optional) • TCP: 513 (rlogin) (optional) • ICMP Type 8 Echo Request (ping) – optional • ADDM performs an initial sweep to determine what endpoints respond (if an IP range/subnet is entered) and will use the port configuration to determine what type of device is discovered. • ADDM Administrator requires the following ports to access the appliance: • TCP: 22 – SSH • TCP: 80 – HTTP (optional) • TCP: 443 – HTTPS (optional) • Appliance runs discovery across the network • [Diagram labels: User, ADDM Appliance, Your IT Estate]
    11. 11. How Discovery Works – Unix, Other Devices • If ADDM determines there is a valid device on the endpoint it will attempt to log in with the supplied credentials and run standard commands to retrieve CI data: • Hardware • OS • Software • Communications • Default ports required for successful (full) Host discovery: • Unix • 22 – SSH • 23 – Telnet • 413 – rlogin • SNMP • 161 • VMware • 443 – HTTPS • 902 – vSphere API • Ports can be customised. • [Diagram labels: ADDM Appliance, Your IT Estate]
    12. 12. How Discovery Works - Windows • Default ports required for successful (full) Host discovery: • Appliance: • ICMP Type 8 “ping” • 135 – DCOM Service Control • 1024-1030 – Restricted DCOM, used after initial negotiation • Used by Proxy: • 135 – DCOM Service Control • 139 – NetBIOS (NT4 RemQuery) • 445 – SMB (RemQuery) • 1024-65535 – Unrestricted DCOM (WMI), used after initial negotiation • A Windows proxy is needed for discovery of Windows servers. The service (Active Directory/Credential) is hosted on a standard Windows server. • Windows 2003 SP2 – 2012 R2 • Customer supports server • Appliance and Proxy communicate on ports 4321-4323 • Multiple proxies can be configured for one or more appliances. • [Diagram labels: ADDM Appliance, Windows Proxy, Your IT Estate]
    13. 13. How Discovery Works - Consolidation • Where there is a requirement for other appliances (and proxies) it is possible to consolidate data to another appliance. • Consolidation uses port 25032 • [Diagram labels: Scanning Appliance (×2), Windows Proxy, Consolidator Appliance, Your IT Estate]
    14. 14. How Discovery Works - Clustering • In order to improve performance on larger estates, clustering can be enabled to share the discovery workload. • Coordinator and Members act as one appliance (individual UIs – changes are replicated across the set) • A cluster can still act as a consolidator/scanner • A cluster can still connect to proxies • Members need to be on the same subnet to gain the performance advantage • Ports required: • 25030 – Cluster Manager • 25031 – Datastore communication • 25032 – Reasoning communication • [Diagram labels: User, Coordinator, Member (×2), Your IT Estate]
    15. 15. How Discovery Works – Firewall Summary • User Ports: • 22 – ssh • 80 – http • 443 – https • Cluster Ports: • 25030 – Cluster Manager • 25031 – Datastore communication • 25032 – Reasoning communication • Proxy Ports: • 4321 – Active Directory • 4322 – Workgroup • 4323 – Credential • Consolidation Ports: • 25032 • Appliance Discovery Ports: • 22 – ssh • 23 – telnet • 513 – rlogin • ICMP – Ping • 135 – DCOM Service Controller • 1024-1030 – rcmd/PSTools • Credential-less scanning: • 4, 22, 80, 135, 139, 161, 513, 514 • Windows Discovery Ports: • 135 – DCOM Service Controller • 139 – NetBIOS for NT4 type domains • 445 – MSFT Dir Services SMB • 1024-65535 – WMI (Cluster) • [Diagram labels: User, Scanning Appliance, Consolidator Appliance, Windows Proxy, Your IT Estate]
    16. 16. How Discovery Works – Summary • 1. Input target IP ranges/subnets/addresses into ADDM for scanning. • 2. ADDM runs credential-less “sweep scan” across network. • 3. Add login credentials to ADDM for relevant systems. • 4. ADDM runs full discovery scan across network. • 5. The raw discovery data is reasoned by ADDM, which may also trigger additional discovery patterns. • [Diagram labels: User, Scanning Appliance, Consolidator Appliance, Windows Proxy, Your IT Estate]
    17. 17. • Typical privileged commands needed: • lsof • lslpp • dmidecode • hwinfo • mii-tool • ethtool • netstat • esxcfg-info • Full list of commands for each platform: • http://discovery.bmc.com/confluence/display/100/Privileged+commands • Not all are required for successful discovery Privileged Commands
    18. 18. • BMC Atrium Discovery by its very nature is interacting with the IT infrastructure and will therefore generate some network traffic. • From empirical observations of real deployments, a typical peak load of about 3 Megabits per second has been observed. • Network load can be affected by: • Differences between environments • Custom patterns (for example: retrieving the contents of a very large file that is common in the target environment) • Consolidation • Moving appliance backups. Network Traffic
    19. 19. • Credentials • Stored in an encrypted vault • Can use SSH keys and Active Directory proxy • Platform Scripts • Administrator access only • ‘Read Only’ for other users if necessary • Security of Appliance • Penetration tested and hardened • http://discovery.bmc.com/confluence/display/100/Appliance+hardening Typical Security Concerns
    20. 20. Service/Application Modelling
    21. 21. • Discovery takes place in 2 parts • Discovery of “core” information • Installed packages, running processes, server information, OS details, network interfaces… • Discovery from patterns • Triggered when a specific condition is met during the “core” discovery • Discovers and models information about a server such as running aspects of software – web servers, databases, application servers, clusters, virtualisation, partitioning… • 800+ TKU (Technology Knowledge Updates) patterns provided by BMC • Providing OOTB discovery for more than 50,000 product configurations • Updated monthly – increasing in number • It is possible to create your own custom patterns Discovery from Patterns
    22. 22. • Part of the Service Model • Represent your custom business applications made up of individual instances of software • e.g. applications, databases, web servers • Helps in business impact analysis by showing direct relationships and dependencies in the application/hardware stack • Helps in understanding what your business application is made up of • Application Models and Service Models are consumed by ITSM processes such as Incident, Problem, Change for: • Faster time to recovery • Fewer incident escalations • Planning changes • Impact Analysis Application Models
    23. 23. Model of the Application Stack
    24. 24. Prerequisite Walkthrough
    25. 25. • Virtual Appliance • Supplied in OVF (Open Virtualisation Format) • Production Use: VMware ESX/ESXi 4.1 or above • Test and Dev: VMware Workstation 8.0 and above, VMware Player 4.0 and above • 64-bit only Hosting the Appliance
        Resource                         | POC    | Baseline | Datacentre | Consolidated Enterprise
        CPUs                             | 2      | 2        | 4          | 4 to 8
        DB Disk (GB) - No backup         | 37     | 100      | 200        | 200 to 660
        DB Disk (GB) - With local backup | 37     | 200      | 400        | 450 to 1300
        RAM (GB)                         | 2 to 4 | 4 to 8   | 8 to 16    | 16 to 32 or more
        Swap Space (GB)                  | 4 to 8 | 8 to 16  | 16 to 32   | 16 to 32
    26. 26. • Hosted on a virtual or physical server with one of the following OS types: • Windows 2003 SP2 (IPv4 Only) • Windows 2008 SP2 • Windows 2008 R2 • Windows 2012 • Windows 2012 R2 • Minimum host specification • 2GHz Intel Pentium 4 CPU 512k cache (or equivalent) • 2GB Memory • 60GB hard disk Windows Proxy
    27. 27. • Windows • Local Admin account with WMI rights • Administrative shares must not be disabled (enabled by default) • Netstat • Unix/Linux • SSHD or SSH key • Standard user account with non-root privileges • Sudo or sudoers file for privileged commands • SNMP • Community strings to logon to network devices/printers/etc. Credentials
    28. 28. • Hosting for ADDM appliance(s) • Hosting for Windows Proxy(ies) • Rollout of credentials – Linux/Unix, Windows, Virtual Containers • Specific commands for host communication – netstat, lsof • Network configuration – appliance, proxies, firewalls, ACLs, IDS • Firewall ports • From ADDM scanning appliance to the systems being scanned • From Windows proxy to the systems being scanned • Obtain change approvals for above actions and for scanning environment • Identify target environments – IP/subnet ranges and exclude ranges • Access for consultant to • The appliance and proxies via HTTP and SSH • Use of tools such as PuTTY, WinSCP, Notepad++, Regex Coach, Chrome, Firefox or IE9+ • Administrators and Users must be able to access ADDM appliances through HTTP(S) and SSH (administrators) Summary of Prerequisite Actions for Customer
    29. 29. Requirements Gathering
    30. 30. • What OSIs and Devices do you want to discover? • OS/Device type • Virtual/Physical • How many (OS breakdown) • How to access • Additional commands needed beyond platform scripts? • Datacenters? • How many • Locations • Any firewall issues? • Network zones, DMZ • General security issues? • Credentials • Access rights management Infrastructure
    31. 31. • How many applications to model? • Application model questionnaires Business Applications
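
The notes and the credentials slide say discovery uses a non-root account with sudo, with commands and arguments specified so that no arbitrary command can be spawned. The following is an added example, not part of the deck or of BMC's tooling, that audits sudoers rules for such an account against the command names on the Privileged Commands slide; the account name `addm`, the paths and the arguments in the sample are constructed assumptions.

```python
import re

# Command names taken from the "Privileged Commands" slide.
SLIDE_COMMANDS = {"lsof", "lslpp", "dmidecode", "hwinfo", "mii-tool",
                  "ethtool", "netstat", "esxcfg-info"}
SHELLS = {"sh", "bash", "ksh", "csh", "zsh", "su", "sudo", "env"}

# Constructed sudoers fragment: the "addm" account, the paths and the
# arguments are assumptions for illustration, not values from the deck.
SAMPLE = """\
addm ALL=(root) NOPASSWD: /usr/sbin/dmidecode ""
addm ALL=(root) NOPASSWD: /usr/sbin/lsof -l -n -P -F ptPTn -i
addm ALL=(root) NOPASSWD: /sbin/ethtool eth[0-9]
addm ALL=(root) NOPASSWD: /bin/netstat *
addm ALL=(root) NOPASSWD: /bin/sh
addm ALL=(ALL) NOPASSWD: ALL
"""

# Simplified grammar: "user host=(runas) [NOPASSWD:] cmd[, cmd...]"; no aliases.
RULE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(.+)$")

def audit_rule(line, account="addm"):
    """Return the findings for one sudoers rule (empty list = acceptable)."""
    m = RULE.match(line.strip())
    if not m or m.group(1) != account:
        return []
    findings = []
    for spec in (s.strip() for s in m.group(2).split(",")):
        path, _, args = spec.partition(" ")
        name = path.rsplit("/", 1)[-1]
        if path == "ALL":
            findings.append("grants ALL commands")
            continue
        if not path.startswith("/"):
            findings.append(f"{path}: not an absolute path")
        if name in SHELLS:
            findings.append(f"{path}: spawns arbitrary commands")
        elif name not in SLIDE_COMMANDS:
            findings.append(f"{path}: not on the privileged command list")
        if not args:  # sudoers allows any arguments when none are listed
            findings.append(f"{path}: arguments unrestricted")
        elif "*" in args:  # '*' in sudoers arguments matches across words
            findings.append(f"{path}: wildcard in arguments")
    return findings

def audit(text, account="addm"):
    """Map each offending rule line to its findings."""
    return {l: f for l in text.splitlines() if (f := audit_rule(l, account))}
```

Running `audit(SAMPLE)` flags the last three rules; the `""` after `dmidecode` is the sudoers form for "no arguments allowed", which is why that rule passes.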
