Articles in this section

Configuring Automatic Endpoint Discovery

Todd Kirkland
  • Updated
Follow

For JetPatch Manager to discover supported vCenter VMs, AWS cloud instances, MS Azure cloud instances, or Active Directory instances, you need to configure JetPatch Agent Manager's connection to organizational vCenter servers,  AWS EC2, Azure, etc with a read-only account

VM discovery and vSphere communication are supported for VMware vSphere 5.0 and above .

For other environments, connect to non-discoverable endpoints individually.

To configure vCenter, EC2, and Azure connections:

  1. Make sure organizational firewalls allow HTTPS (port 443) communication from the JetPatch Agent Manager to the vCenter servers and out to the internet.
  2. Log in as a JetPatch Administrator and go to Platform configuration (upper right-hand corner)            Screen-Shot-2019-12-17-at-10.36.57-AM-250x108__1_.png
  3. Go to Settings Discovery Sources:

    1417.png

  4. For each organizational vCenter server, EC2 and Azure account:
    1. Click Add Discovery Source.
    2. Select the Source Type: vCenter, EC2, or Azure, and Source Name: A descriptive name for display in the JetPatch Manager Console:

      1417.png

      • For vSphereServer Name (the vCenter's resolvable name or IP address), the User Name, Password of a vSphere user account in a Role with Read permissions for retrieving VM details from the vCenter and set Maximum vCenter calls per minute to limit the communication between JetPatch Agent Manager and the discovery source (leave empty for unlimited calls).
      • To enable fallback hypervisor communications for endpoint operations, the provided user account should be in a Role with all Guest Operations permissions (in Role configuration, under Virtual machine Guest Operations, select all three Guest Operation permissions).
      • For Microsoft Azure Resource Management (ARM): Enter your Tenant ID (learn how to retrieve the info here), Subscription Id (can be found on your of the navigation panel in Azure>subscriptions>list of subscriptions is displayed along with the subscription ID), Client ID, Client Secret  aka authentication key (learn how to retrieve the info here)
      • For Amazon EC2: The Access key and Secret key for the AWS API. You can generate this key pair from the AWS console, preferably using the AWS IAM service. Choose how you want to import tags.

        *When choosing "Import the following tags only," AWS tags that consist of a comma will not be imported.

      • For Microsoft Azure Service Management (ASM)Subscription ID (found in the Windows Azure Management Portal), certificate file in JKS format, and Certificate password. To obtain the certificate file, export it from Azure and then convert it to JKS. To convert to JKS, run (requires Java JDK):
      • Keytool -importkeystore -srckeystore <cert>.pfx -srcstoretype pkcs12 -destkeystore <cert>.jks -deststoretype JKS
      • Where <cert> is the certificate file name (without extension). Verify that the discovery user has ‘Windows Azure Service Management API’ extra permissions. Add the user to the Microsoft Domain App as an Owner under the RBAC roles (Azure).
      • For Active Directory, use the below image as a template. Note: Credentials of an Active Directory User account with read access to Active Directory. The format of the 'Directory User'  field should be either: 1. user-name@domain-name 2. domain-name\user-name 3. User’s full DN
        • Note: If using java 1.8, the recommended minimum minor version is 250
        • For SSL

          • As the Java security was strengthened regarding LDAP connection during JDK 8 lifespan, we have to be sure that the hostname of the LDAP server we connect to matches the 'CN' field inside the certificate. And the other way around: the field 'CN' in the certificate must match the hostname. To verify issue from the Linux command line:

          • echo -n | openssl s_client -connect <LDAP SERVER>:636 2>/dev/null | openssl x509 -noout -text | grep Subject:
        • For Enforce validity of server certificate.  This means two things:

          • The certificate must be issued by a known CA

          • The server you talk to is the server this specific certificate was given to - hostname verification

        •  
      • mceclip0.pngConfigure the connection fields, depending on the selected source type:

        1234.png

    3. Click Test Connection. If the connection is successful, a confirmation message appears.
    4. Click Save (available upon successful connection test).
  5. Configure endpoint user accounts.

Note: An EndPoint power status will not be updated when the connection is not via vCenter/Amazon/ Azure etc.

Newly-added endpoints appear in the endpoint list with the initial status of Untested. Upon first vAgent deployment or upon a manual Refresh status from the Servers tab, the connection status will be updated and JetPatch Agent Manager will attempt to install the connector on the machine.

To disable a discovery source (for example, before changing a password, to avoid the account being locked due to repetitive login failures), click toggledisable.png.

Change Discovery Source Timeouts

  1. Edit  /usr/share/tomcat/default/conf/intigua.properties 
  2. Add and configure the relevant discovery sources to the properties file
// Amazon 
discovery-source.AWS.success.sleep-time.min (default 10) 
discovery-source.AWS.error.sleep-time.min (default 20) 

// Active directory 
discovery-source.AD.success.sleep-time.min (default 10) 
discovery-source.AD.error.sleep-time.min (default 20) 

// VCenter 
discovery-source.VC.success.sleep-time.ms (default 500) 
discovery-source.VC.error.sleep-time.min (default 5) 

// Azure ASM 
discovery-source.ASM.success.sleep-time.min (default 10) 
discovery-source.ASM.error.sleep-time.min (default 20)  

 

Related articles

Comments

0 comments

Please sign in to leave a comment.