There are two ways to add endpoints to JetPatch.

1. Automatic Endpoint Discovery 
2. Non-Automatic Endpoint Discovery

Configuring Automatic Endpoint Discovery

For JetPatch Manager to discover supported vCenter VMs, AWS cloud instances, MS Azure cloud instances, or Active Directory instances, you need to configure JetPatch Manager's connection to organizational vCenter servers,  AWS EC2, Azure, etc with a read-only account.

For other environments, connect to non-discoverable endpoints individually.

To configure Automatic Endpoint Discovery connections:

1. Make sure organizational firewalls allow HTTPS (port 443) communication from the JetPatch Application Server to the required Discovery Source.
2. Log in as a JetPatch Administrator and go to Platform configuration (upper right-hand corner)            
3. Go to Settings > Discovery Sources:

   

4. For each organizational asset inventory (vCenter/AWS EC2/Azure/and more) need to create the relevant Discovery Source:
   1. Click Add Discovery Source.
   2. Select the required Source Type and provide the Source Name (a descriptive name for display in the JetPatch Manager Console):

      

   3. Configure the Discovery Source parameters as described below and click Test Connection. If the connection is successful, a confirmation message appears.
   4. Click Save (available upon successful connection test).
5. Configure endpoint user accounts.

vCenter

• IP address / name - name of Ip of the vCenter
• User name and Password - vSphere user account details, in a Role with Read permissions for retrieving VM details from the vCenter.
• Maximum vCenter calls per minute - to limit the communication between JetPatch Agent Manager and the discovery source (leave empty for unlimited calls).
• Note - To enable fallback hypervisor communications for endpoint operations, the provided user account should be in a Role with all Guest Operations permissions (in Role configuration, under Virtual machine > Guest Operations, select all three Guest Operation permissions).

Note - VM discovery and vSphere communication are supported for VMware vSphere 5.0 and above

Amazon EC2 (AWS)

• Source type: Select Amazon EC2 from the drop-down list
• Source name: Enter a user-friendly name like AWS
• Access Key and Secret Key:  You can generate from the AWS console

• Tags Import - JetPatch can import the required tags from AWS and assign them to the relevant machines, as appear in AWS.

  • Do not import tags - JetPatch won't import any tags
  • Import all tags - JetPatch will import all the tags in the AWS environment
  • Import the following tags only - Provide the tag keys and a comma-separated list (case-sensitive).
    Note - When choosing "Import the following tags only" AWS tags that consist of a comma will not be imported.
  • 

Microsoft Azure Service Management (ASM)

• • • Subscription ID - can found in the Windows Azure Management Portal)
    • Key store (JKS) (certificate file in JKS format) and Certificate password. To obtain the certificate file, export it from Azure and then convert it to JKS. To convert to JKS, run (requires Java JDK):
      • Keytool -importkeystore -srckeystore <cert>.pfx -srcstoretype pkcs12 -destkeystore <cert>.jks -deststoretype JKS
      • Where <cert> is the certificate file name (without extension). Verify that the discovery user has ‘Windows Azure Service Management API’ extra permissions. Add the user to the Microsoft Domain App as an Owner under the RBAC roles (Azure).

Microsoft Azure Resource Management (ARM)

• Tenant ID - instructions can be found here.
• Subscription Id - can be found on your of the navigation panel in Azure>subscriptions>list of subscriptions is displayed along with the subscription ID.
• Client ID and Client Secret (aka authentication key) - instructions can be found here. 

 Active Directory

• Hostname - Enter the Active Directory Hostname
• Domain-  Enter Full qualified domain name (FQDN)
• Port (default 389) - the communication port to the Active Directory.
• Directory User and Password to connect to the Directory User. Can have only read access to Active Directory. The format of the Directory User field should be either:
  • user-name@domain-name
  • domain-name\user-name
  • User’s full DN
• Base DN and Query - 
  •  Connect to AD Server
  • Open command Prompt
  • Run the command "dsquery *"
  • Copy output and insert to the Base DN field

Example of Active Directory configuration:

• SSL Communication (Minumum JAVA version requirement is 1.8.250):
  • In JetPatch server add the FQDN of the AD server in /etc/hosts
  • Take the .cer, .pxf file and place it in the common folder and make sure you have the password of the certificate
  • Import the .cer in the .pfx file and copy it to the JetPatch application server
  • Run the below command to import the certificate in keystore

    keytool -import -trustcacerts -keystore /usr/java/<jre-version>/lib/security/cacerts -storepass <Password> -noprompt -alias <Alias-name>  -file /<Path of cer file>/<file>.cer

  • Run the below command to check the validity

    echo -n | openssl s_client -connect <LDAP-ServerName>l:636 2>/dev/null | openssl x509 -noout -text | grep Subject:

  • Restart tomcat

    systemctl restart tomcat

  • 
    
    • LDAP SSL port should be open for the JetPatch server

    • 

    • Please note: When discovering endpoints in Active Diroctory based on OU (organizational unit) higher key, JetPatch will set the Discovery source proprety to the lowest ou the endpoint belongs to (assuming all OU's were added). This functionality was added to JetPatch v4.1.2.71 onwards

WSUS

• IP address / name - The IP/name of the WSUS machine as appears in JetPatch.

Note: Before adding the WSUS discovery source, you should add the WSUS endpoint as a physical server to JetPatch and install the JetPatch connector on it. 

More information about WSUS Discovery Source can be found in Endpoint and JetPatch Configuration for WSUS and WSUS Scripts.

Discovery Source Prioritization over WSUS

Note: This functionality is available from JetPatch version 4.1.2.71+

In case different discovery sources reveal the same set of endpoints that are discovered by WSUS and you would like to keep the meta-data that comes from the discovery source (override the WSUS data when the merge between the different discovery sources happen) , please add the following property to the intigua.properties  - 

1. SSH to JetPatch application Server

2. Edit the intigua.properties file (vi /usr/share/tomcat/default/conf/intigua.properties) and add the priority you would like. This is an example of Activy Directory prioritizatized over WSUS 

#1 Default value VSPHERE,AMAZON_EC2,ARM,ASM,WSUS,AD 
#2 First elements has higher priority 
#3 Not listed DS types has higher priorities then listed in the list
#4 To prefer ActiveDirectory DS over WSUS while others will have higher priority set-up the following: 
discovery-source.priority-list=AD,WSUS

3. Save file and exit 

4. Restart tomcat (service tomcat restart) 

Change Discovery Source Timeouts

1. Edit  /usr/share/tomcat/default/conf/intigua.properties 
2. Add and configure the relevant discovery sources to the properties file

// Amazon 
discovery-source.AWS.success.sleep-time.min (default 10) 
discovery-source.AWS.error.sleep-time.min (default 20) 

// Active directory 
discovery-source.AD.success.sleep-time.min (default 10) 
discovery-source.AD.error.sleep-time.min (default 20) 

// VCenter 
discovery-source.VC.success.sleep-time.ms (default 500) 
discovery-source.VC.error.sleep-time.min (default 5) 

// Azure ASM 
discovery-source.ASM.success.sleep-time.min (default 10) 
discovery-source.ASM.error.sleep-time.min (default 20)  

Notes

• An Endpoint power status will not be updated when the connection is not via vCenter/Amazon/ Azure etc.
• Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch Agent Manager will attempt to install the connector on the machine.
• To disable a discovery source (for example, before changing a password, to avoid the account being locked due to repetitive login failures), click .

Adding Non-Discoverable Endpoints

There are two ways to manage a non-discoverable endpoint for:

1. 1. Create a single endpoint entry in JetPatch
   2. Upload multiple endpoint entries using JetPatch REST API

Note - Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent/Connector deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch server will attempt to install the connector on the machine.

Single Endpoint

To add a single endpoint into JetPatch Console:

1. In the Servers tab, go to Server Actions > Add Physical Server:

   

2. Configure the following:

   

   • The endpoint's Hostname and IP Address
   • The endpoint's Operating System
   • Access Credentials: If the credentials to this endpoint have already been provided, you can assign them to the endpoint here. Otherwise, you can do this later.
3. Click Save.
4. Configure endpoint user accounts.

Multiple Endpoints

When the need is to create multiple physical servers, the preferred why is to leverage the JetPatch API capabilities.

More information can be found in Adding Endpoints in Bulk via REST API 

Related Articles

• Endpoint and JetPatch Configuration for WSUS
• WSUS Scripts