Pre-requisite

• Configuring Automatic Endpoint Discovery

Discovery Source Prioritization over WSUS

In case different discovery sources reveal the same set of endpoints that are discovered by WSUS and you would like to keep the meta-data that comes from the discovery source (override the WSUS data when the merge between the different discovery sources happen) , please add the following property to the intigua.properties  - 

1. SSH to JetPatch application Server

2. Edit the intigua.properties file (vi /usr/share/tomcat/default/conf/intigua.properties) and add the priority you would like. This is an example of Active Directory prioritized over WSUS 

#1 Default value VSPHERE,AMAZON_EC2,ARM,ASM,WSUS,AD 
#2 First elements has higher priority 
#3 Not listed DS types has higher priorities then listed in the list
#4 To prefer ActiveDirectory DS over WSUS while others will have higher priority set-up the following: 
discovery-source.priority-list=AD,WSUS

3. Save file and exit 

4. Restart tomcat (service tomcat restart) 

Change Discovery Source Timeouts

1. SSH to the JetPatch application Server
2. Edit  /usr/share/tomcat/default/conf/intigua.properties 
3. Add and configure the relevant discovery sources to the properties file

// Amazon 
discovery-source.AWS.success.sleep-time.min (default 10) 
discovery-source.AWS.error.sleep-time.min (default 20) 

// Active directory 
discovery-source.AD.success.sleep-time.min (default 10) 
discovery-source.AD.error.sleep-time.min (default 20) 

// VCenter 
discovery-source.VC.success.sleep-time.ms (default 500) 
discovery-source.VC.error.sleep-time.min (default 5) 

// Azure ASM 
discovery-source.ASM.success.sleep-time.min (default 10) 
discovery-source.ASM.error.sleep-time.min (default 20)  

// Azure ARM 
arm.sleep.success.minutes (default 5)
arm.sleep.error.minutes (default 5)

AWS Organizations multi-account support

JetPatch can now connect to the Master (or Trusted) account in a given AWS Organization, allowing the user to have access to list the available child (or Trusting) accounts and to assume the role of all child accounts.

Initial configuration

In the AWS Organizations management account, perform below steps

1. Create IAM user demo-master
2. Attach AWS-managed inline policy
   • AmazonEC2ReadOnlyAccess
   • AWSOrganizationsReadOnlyAccess

Create customer inline policy demo-sts-assume-policy. Below is the JSON

{
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Action": [
                       "iam:ListRoles",
                        "sts:AssumeRole"
             ],
             "Resource": "*"
          }
       ]
}

In the AWS organization member account, perform the below steps

1.  Pre-requisite- All the member accounts should have IAM Roles created
2. Create IAM Role example member-role
3. Attach AWS managed inline policy
   1. AmazonEC2ReadOnlyAccess
4. Under Trusted relationships add Trusted entries as below

{
   "Version": "2012-10-17",
   "Statement": [
     {
         "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<managemnt-account-number>:<user>"
           },
           "Action": "sts:AssumeRole",
            "Condition": {}
     }
   ]
}

In JetPatch In order to use this feature, you must enable it in intigua.properties

aws.members.fetch=true;

In order to modify the default member role, use the “aws.members.role“ in intigua.properties

aws.members.role="demo-slave-role";

Note - This new feature is available as of 4.2.4 UR6.

For any troubleshooting, search for AssumeRole in the discovery.log of the manager logs.