There are two ways to add endpoints to JetPatch:
- Automatic Endpoint Discovery
- Non-Automatic Endpoint Discovery
Once endpoints are added, the next step is to deploy the connector.
Configuring Automatic Endpoint Discovery
Automatic Endpoint Discovery allows JetPatch to retrieve all unmanaged Windows and Linux/Unix endpoints in a customer's environment. This speeds up the import of assets, deployment of the JetPatch Connector, and for certain discovery sources, allows for the import of tags, to automatically group assets based on how they are currently set within your environment.
For JetPatch Manager to discover supported vCenter VMs, AWS cloud instances, MS Azure cloud instances, or Active Directory instances, you need to configure JetPatch Manager's connection one of these sources with a read-only account.
For other environments, connect to non-discoverable endpoints individually.
To configure Automatic Endpoint Discovery connections:
- Make sure organizational firewalls allow HTTPS (port 443) communication from the JetPatch Application Server to the required Discovery Source.
- Log in as a JetPatch Administrator and go to Platform configuration (upper right-hand corner)
- Go to Settings > Discovery Sources:
- For each organizational asset inventory (vCenter/AWS EC2/Azure/and more) need to create the relevant Discovery Source:
- Click Add Discovery Source.
- Select the required Source Type and provide the Source Name (a descriptive name for display in the JetPatch Manager Console):
- Configure the Discovery Source parameters as described below and click Test Connection. If the connection is successful, a confirmation message appears.
- Click Save (available upon successful connection test).
- An Endpoint power status will not be updated when the connection is not via an automatic discovery source
- To disable a discovery source (for example, before changing a password, to avoid the account being locked due to repetitive login failures), click .
- IP address / name - name of Ip of the vCenter
- User name and Password - vSphere user account details, in a Role with Read permissions for retrieving VM details from the vCenter.
- Maximum vCenter calls per minute - to limit the communication between JetPatch Agent Manager and the discovery source (leave empty for unlimited calls).
- Note - To enable fallback hypervisor communications for endpoint operations, the provided user account should be in a Role with all Guest Operations permissions (in Role configuration, under Virtual machine > Guest Operations, select all three Guest Operation permissions).
Note - VM discovery and vSphere communication are supported for VMware vSphere 5.0 and above
Amazon EC2 (AWS)
Note: Azure read-only role should be the default “Reader” role. Custom roles may not work properly.
Microsoft Azure Service Management (ASM)
- Subscription ID - can found in the Windows Azure Management Portal)
- Key store (JKS) (certificate file in JKS format) and Certificate password. To obtain the certificate file, export it from Azure and then convert it to JKS. To convert to JKS, run (requires Java JDK):
- Keytool -importkeystore -srckeystore <cert>.pfx -srcstoretype pkcs12 -destkeystore <cert>.jks -deststoretype JKS
<cert> is the certificate file name (without extension). Verify that the discovery user has ‘Windows Azure Service Management API’ extra permissions. Add the user to the Microsoft Domain App as an Owner under the RBAC roles (Azure).
Microsoft Azure Resource Management (ARM)
- Tenant ID - instructions can be found here.
- Subscription Id - can be found on your of the navigation panel in Azure>subscriptions>list of subscriptions is displayed along with the subscription ID.
- Client ID and Client Secret (aka authentication key) - instructions can be found here.
Note: You can add multiple, split by query and/or basedn, and create smart groups based on your existing AD groups
- Hostname - Enter the Active Directory Hostname
- Domain- Enter Full qualified domain name (FQDN)
- Port (default 389) - the communication port to the Active Directory.
- Directory User and Password to connect to the Directory User. Can have only read access to Active Directory. The format of the Directory User field should be either:
- Base DN and Query -
- Connect to AD Server
- Open command Prompt
- Run the command "dsquery *"
- Copy output and insert to the Base DN field
Example of Active Directory configuration:
- SSL Communication (Minumum JAVA version requirement is 1.8.250):
- In JetPatch server add the FQDN of the AD server in /etc/hosts
- Take the .cer, .pxf file and place it in the common folder and make sure you have the password of the certificate
- Import the .cer in the .pfx file and copy it to the JetPatch application server
- Run the below command to import the certificate in keystore
keytool -import -trustcacerts -keystore /usr/java/<jre-version>/lib/security/cacerts -storepass <Password> -noprompt -alias <Alias-name> -file /<Path of cer file>/<file>.cer
- Run the below command to check the validity
echo -n | openssl s_client -connect <LDAP-ServerName>l:636 2>/dev/null | openssl x509 -noout -text | grep Subject:
- Restart tomcat
systemctl restart tomcat
- LDAP SSL port should be open for the JetPatch server
- Please note: When discovering endpoints in Active Directory based on OU (organizational unit) higher key, JetPatch will set the Discovery source property to the lowest ou the endpoint belongs to (assuming all OU's were added). This functionality was added to JetPatch v18.104.22.168 onwards
WSUS (Required for Windows patching - only one can be added)
- IP address / name - The IP/name of the WSUS machine as appears in JetPatch.
Note1: Before adding the WSUS discovery source, you must add the WSUS endpoint as a physical server to JetPatch and deploy the JetPatch connector on it.
Note2: You can only add one WSUS server as a discovery source to JetPatch. For more WSUS servers use a primary-replica setup.
More information about WSUS Discovery Source can be found in Endpoint and JetPatch Configuration for WSUS and WSUS Scripts.
Troubleshooting and Advanced Configuration
If there is an issue while adding a discovery source and it is not clear what to do, please look at the discovery.log file from the manager logs. Please also share version of source (example: vSphere 8)
For advanced configuration, see this article.
Adding Non-Discoverable Endpoints
There are two ways to manage a non-discoverable endpoint for:
- Create a single endpoint entry in JetPatch
- Upload multiple endpoint entries using JetPatch REST API
Note - Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent/Connector deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch server will attempt to install the connector on the machine.
Option 1: Single Endpoint
To add a single endpoint into JetPatch Console:
- In the Servers tab, go to Server Actions > Add Physical Server:
- Configure the following:
- The endpoint's Hostname and IP Address
- The endpoint's Operating System
- Access Credentials: If the credentials to this endpoint have already been provided, you can assign them to the endpoint here. Otherwise, you can do this later.
- Click Save.
- Configure endpoint user accounts.
Option 2: Multiple Endpoints
When the need is to create multiple physical servers, the preferred way is to leverage the JetPatch API capabilities.
More information can be found in Adding Endpoints in Bulk via REST API