For JetPatch Manager to discover supported vCenter VMs, AWS cloud instances, MS Azure cloud instances, or Active Directory instances, configure JetPatch Agent Manager's connection to the organizational vCenter servers, AWS EC2, Azure, etc. using a read-only account.
For other environments, connect non-discoverable endpoints individually.
Configuring Automatic Endpoint Discovery
To configure Automatic Endpoint Discovery connections:
- Make sure organizational firewalls allow HTTPS (port 443) communication from the JetPatch Application Server to the required Discovery Source.
- Log in as a JetPatch Administrator and go to Platform configuration (upper right-hand corner).
- Go to Settings > Discovery Sources:
- For each organizational asset inventory (vCenter/AWS EC2/Azure/and more), create the relevant Discovery Source:
- Click Add Discovery Source.
- Select the required Source Type and provide the Source Name (a descriptive name for display in the JetPatch Manager Console):
- Configure the Discovery Source parameters as described below and click Test Connection. If the connection is successful, a confirmation message appears.
- Click Save (available upon successful connection test).
- Configure endpoint user accounts.
vCenter
- IP address / name - the name or IP address of the vCenter server.
- User name and Password - vSphere user account details, in a Role with Read permissions for retrieving VM details from the vCenter.
- Maximum vCenter calls per minute - to limit the communication between JetPatch Agent Manager and the discovery source (leave empty for unlimited calls).
- Note - To enable fallback hypervisor communications for endpoint operations, the provided user account should be in a Role with all Guest Operations permissions (in Role configuration, under Virtual machine > Guest Operations, select all three Guest Operation permissions).
Note - VM discovery and vSphere communication are supported for VMware vSphere 5.0 and above
Amazon EC2 (AWS)
- Access key and Secret key for the AWS API. You can generate this key pair from the AWS console, preferably using the AWS IAM service. Choose how you want to import tags.
- Tags Import - JetPatch can import the required tags from AWS and assign them to the relevant machines, as they appear in AWS:
- Do not import tags - JetPatch won't import any tags.
- Import all tags - JetPatch will import all the tags in the AWS environment.
- Import the following tags only - Provide the tag keys as a comma-separated list (case-sensitive).
Note - When choosing "Import the following tags only", AWS tags that contain a comma will not be imported.
Microsoft Azure Service Management (ASM)
- Subscription ID - can be found in the Windows Azure Management Portal.
- Key store (JKS) (certificate file in JKS format) and Certificate password. To obtain the certificate file, export it from Azure and then convert it to JKS. To convert to JKS, run (requires Java JDK):
keytool -importkeystore -srckeystore <cert>.pfx -srcstoretype pkcs12 -destkeystore <cert>.jks -deststoretype JKS
where <cert> is the certificate file name (without extension).
- Verify that the discovery user has 'Windows Azure Service Management API' extra permissions. Add the user to the Microsoft Domain App as an Owner under the RBAC roles (Azure).
Microsoft Azure Resource Management (ARM)
- Tenant ID - instructions can be found here.
- Subscription ID - can be found in the Azure navigation panel under Subscriptions; the list of subscriptions is displayed along with each subscription ID.
- Client ID and Client Secret (aka authentication key) - instructions can be found here.
Active Directory
- Hostname and Domain - of the Active Directory machine.
- Port (default 389) - the communication port to the Active Directory.
- SSL Configuration (minimum Java version requirement is 1.8.250):
- Use SSL - Because Java's LDAP connection security was strengthened during the JDK 8 lifespan, the hostname of the LDAP server you connect to must match the 'CN' field inside the server certificate, and the other way around: the 'CN' field in the certificate must match the hostname. To verify this from the Linux command line:
echo -n | openssl s_client -connect <LDAP SERVER>:636 2>/dev/null | openssl x509 -noout -text | grep Subject:
- Enforce validity of server certificate - when enabled:
- The certificate must be issued by a known CA.
- The server you talk to is the server this specific certificate was issued to (hostname verification).
- Directory User and Password - the credentials used to connect to Active Directory. The account needs only read access to Active Directory. The format of the Directory User field should be one of:
- user-name@domain-name
- domain-name\user-name
- User’s full DN
- Base DN and Query - Provide the base DN and the query used to pull the users.
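As an added illustration of the hostname check described above (this is not part of the JetPatch documentation or product), the following Python script parses the `openssl x509 -noout -text` output that the command above produces and applies Java-style LDAP endpoint identification to a chosen hostname. The certificate text is constructed for the example; it goes slightly beyond the page by also honouring Subject Alternative Name entries, which Java checks before falling back to the CN.

```python
import ipaddress
import re

# Constructed excerpt of `openssl x509 -noout -text` output for a domain
# controller certificate; names and IP address are made up for this example.
SAMPLE_CERT_TEXT = """\
        Subject: C = US, O = Example Corp, CN = dc01.corp.example.com
            X509v3 Subject Alternative Name:
                DNS:dc01.corp.example.com, DNS:*.ad.example.com, IP Address:10.0.0.5
"""


def extract_names(cert_text):
    """Return (subject_cn, san_dns_names, san_ips) parsed from openssl -text output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", cert_text, re.M)
    if m:
        cn = m.group(1).strip()
    dns, ips = [], []
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns.append(entry[len("DNS:"):].strip())
            elif entry.startswith("IP Address:"):
                ips.append(entry[len("IP Address:"):].strip())
    return cn, dns, ips


def _dns_match(pattern, hostname):
    """Case-insensitive match; a wildcard is only honoured in the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches_cert(cert_text, hostname):
    """Java-style LDAP endpoint identification: SAN entries win, CN is only a fallback."""
    cn, dns, ips = extract_names(cert_text)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # connecting by IP address requires a matching IP SAN
        return any(ipaddress.ip_address(x) == ip for x in ips)
    if dns:  # SAN DNS names present: the CN is not consulted at all
        return any(_dns_match(d, hostname) for d in dns)
    return cn is not None and _dns_match(cn, hostname)
```

A short hostname such as `dc01` fails even though the CN starts with it, which is the mismatch this setting is meant to surface before the JetPatch connection test does.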
Example of Active Directory configuration:
WSUS
- IP address / name - The IP/name of the WSUS machine as appears in JetPatch.
More information about WSUS Discovery Source can be found in Endpoint and JetPatch Configuration for WSUS and WSUS Scripts.
Change Discovery Source Timeouts
- Edit /usr/share/tomcat/default/conf/intigua.properties
- Add the relevant discovery-source properties to the file and set their values (defaults shown):
// Amazon
discovery-source.AWS.success.sleep-time.min (default 10)
discovery-source.AWS.error.sleep-time.min (default 20)
// Active directory
discovery-source.AD.success.sleep-time.min (default 10)
discovery-source.AD.error.sleep-time.min (default 20)
// VCenter
discovery-source.VC.success.sleep-time.ms (default 500)
discovery-source.VC.error.sleep-time.min (default 5)
// Azure ASM
discovery-source.ASM.success.sleep-time.min (default 10)
discovery-source.ASM.error.sleep-time.min (default 20)
Notes
- An endpoint's power status will not be updated when the connection is not via vCenter/Amazon/Azure etc.
- Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch Agent Manager will attempt to install the connector on the machine.
- To disable a discovery source (for example, before changing a password, to avoid the account being locked due to repetitive login failures), click the relevant icon.