Thursday, December 30, 2010

Installing Opalis 6.3 on Windows 2008 R2

As many of you know Opalis is one of the latest join to the System Center family. Btw the family is growing, take a look at the AVICode solution, if you need to monitor managed code applications and web services this is a must have, it has always been a great product but really expensive, now it’s included in SC Suite licensing and is affordable for everyone.
Let’s return to Opalis, the latest release 6.3, eventually adds support for Windows 2008 R2 and publishes the Integration Packs (IPs) for the whole System Center family (OM, CM, SM, VMM, DPM). This has been a great opportunity to add this technology to my System Center Lab, since the whole setup process hasn’t been so easy I want to share with you dos and donts for installing Opalis on Windows 2008 R2.
A foreword: I’m not a java fan, I don’t like it as a programming language, I don’t believe in the write once run everywhere mantra.  This means that, regarding the JBoss/Java stuff I’m not an expert at all, I will just explain the way I set up my environment, I do not claim this is the only way nor the best one. So it won’t be early enough when Microsoft will move away from JBoss and the LogiXML LGX Report stuff.
A second foreword: Opalis is a great solution, if you haven’t had the chance to take a look at it I strongly recommend you do so. It empowers IT people making easy to design and maintain complex automations without requiring programming skills.
Let’s start with my donts:


  • don’t try to push the whole environment to Windows 2008 R2, only the management server and the action servers with the System Center Integration packs are supported on Windows 2008 R2
  • don’t follow the Technet documentation for securing the Operator Console is you’re using an internal CA, I will explain the entire process later
  • I wasn’t able to install the LGX reporting stuff on Windows 2008 R2, after a trial and error session I gave up when the authentication process refused to work with a method not found error (System.Security.Principal.WindowsIdentity.GetRoles). I would suggest to skip LGX reporting waiting for a SQL Reporting Server solution from Microsoft or install the reporting on Windows 2003 (sigh) where it worked at the first attempt.
And my dos:
  • turn UAC off, the setup should work if run with administrative privileges, but until I turned off UAC I had all sort of errors.
  • only use JBoss 32bit, the whole Opalis dlls are 32 bit so don’t even try to install JBoss x64 (as I first did)
  • use Windows 2003 SP2 (sigh) for non System Center Integration Packs, this means you need to have at least two systems: the management server, database server and action server for SC IPs on Windows 2008 R2; one or more Windows 2003 server for other IPs. Things should improve during 2011, let’s see.
  • you will probably want to run your JBoss process as a service, I used this tool with success on Windows 2008 R2: http://labs.jboss.com/jbossweb/downloads/jboss-native-2-0-9.html. Since the tool is designed for an updated JBoss version I would advice, just for clarity and not for functionality, to modify the bat file with the JBoss version used with Opalis
    REM
    REM VERSION, VERSION_MAJOR and VERSION_MINOR are populated
    REM during the build with ant filter.
    REM
    set SVCNAME=JBAS42SVC
    set SVCDISP=JBoss Application Server 4.2
    set SVCDESC=JBoss Application Server 4.2.3 GA/Platform: Windows x64
    set NOPAUSE=Y
  • Add the JAVA_HOME environment variable to the System variables
  • add the %JAVA_HOME%\Bin path to the System PATH environment variable

Pre-setup steps – Windows 2008 R2

Create the Opalis service account and remember to add it to the local administrators’ group on the Management Server and on planned action servers and clients
Create the Opalis database before running setup, the setup procedure doesn’t give you the chance to configure the DB in terms of size, options and so on. So I would advice to create the DB before running setup, to turn off autogrow and probably to put it in simple recovery mode. Don’t forget to add the Opalis service account as a dbo for the newly created DB.
Always install .net framework 3.5 if you plan to use the System Center Integration Pack, it’s a prerequisite documented in the release notes but you could miss it (as I did). Technically you need the .net framework only on the action servers that are supposed to run the IPs and on the Client used to edit the policies, I would recommend to install it on the management server as well.

Opalis Operator Console

To install the Operator Console follow the Technet instruction, remember to install the 32bit version of JBoss and once installed (copied) remember to splistream Service Pack 1 into it (copy SP1 files into JBoss installation directory). Once you took your time to download all the prerequisites in a sort of treasure hunt, just run the powershell script to setup the Operator Console. This entire process should be smooth and it worked as expected in my case.
To run JBoss as a service see my dos topic, this is something you want to do in a production environment.
To secure the console, again something you want to do since the console is authenticated (the basic way) and users are required to type in their username and password in clear, you can follow the Technet documentation if you’re going to use a public CA, but if you want to use an internal CA you have to perform the following steps. (I copy the relevant part of the technet page and modified the checklist when needed)
At the end of the checklist you will have added a certificate called Opalis (alias) enrolled from an internal CA in its own datastore (opalis). I assume the internal PKI has a standard architecture with a secured root CA and a sub CA used for enrollment.
To generate and prepare a certificate store for the Opalis SSL certificate (alias=Opalis)
At the command prompt, type
  1. "%JAVA_HOME%\bin\keytool" -genkey -alias Opalis -keyalg RSA -keystore "%JAVA_HOME%\jre\lib\security\opalis
  2. At the prompts, provide the following information:
    1. Keystore password. In a default JDK installation the password is changeit if you plan to change the password (good idea) remember to spend the new password anywhere you’ll find "changeit".
    2. First and Last name. Type the fully qualified domain name of the Operator console host computer. This is the only relevant information
    3. Organizational unit
    4. Organization
    5. City
    6. State or Province
    7. Two-letter country code
  3. When prompted for the Alias password, leave it blank and press ENTER. (this way it is identical to the keystore password)
    The certificate is added to the JAVA Opalis certificate store. I prefer to have a separate store, easier to maintain and backup.
To generate a certification authority request file
  1. Type the following command:  "%JAVA_HOME%\bin\keytool" -certreq -alias Opalis -keyalg RSA -keystore "%JAVA_HOME%\jre\lib\security\opalis" -file opalis.csr
  2. You will also be asked for the keystore password. In a default installation of the JDK and in our example the password is changeit.
  3. Submit the opalis.csr file to the certification authority.
Submitting the certification request to a Microsoft internal CA.
Logon the web enrollment page for the CA (the following screenshots refer to a Windows 2003 based CA but the same applies to a Windows 2008 based one)
image
Choose advanced certificate request
image
Submit a certificate request … file
image
Copy and paste the content of the csr file you generated opalis.csr (it’s a text file you can open with notepad, you must copy the entire content)
image
download the certificate and let’s call it opalis.cer.
From the same web site, download the root CA certificate in DER format and the Sub CA certificate in DER format, you’ll need them to use the SSL certificate. Let’s assume you named the three certificates rootca.cer, subca.cer, opalis.cer (the latter is the SSL certificate).
Importing the certificate into Java store and enabling the Operator Console
  1. When you receive the certificate from the certification authority, import it using the following commands:
    "%JAVA_HOME%\bin\keytool" -import -Alias RootCA -keystore "%JAVA_HOME%\jre\lib\security\opalis" -trustcacerts -file rootca.cer
    "%JAVA_HOME%\bin\keytool" -import -Alias SubCA -keystore "%JAVA_HOME%\jre\lib\security\opalis" -trustcacerts -file subca.cer
    "%JAVA_HOME%\bin\keytool" -import -alias Opalis -keystore "%JAVA_HOME%\jre\lib\security\opalis" -file opalis.cer
    The certificate is added to the JAVA cacert certificate store.
Next step: Enable Operator console access using HTTPS
To enable Operator Console access using the HTTPS protocol
  1. Open the \server\default\deploy\jboss-web.deployer\server.xml file.
Uncomment the HTTPS protocol information in the server.xml file. The resulting file should look similar to:


address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />


address="${jboss.bind.address}"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="250"
scheme="https" secure="true"
clientAuth="false"
keystoreAlias="Opalis"
keystoreFile="${java.home}/lib/security/opalis"
keystorePass="changeit"
sslProtocol="TLS"     />
  1. Replace for each protocol with the actual port numbers you will use. The default port number for the Operator console is 5314. The default port number for https is 8443.
  2. To turn off a protocol, comment out the connection string of the protocol that you want to block using after the string. Turning off a protocol means that users cannot access the Operator console using that protocol.
  3. Copy the server folder from \offline\protocol\https to .
  4. Modify the application.xml file located at \server\default\deploy\OpsConsoleApp-1.0.ear\ME TA-INF\application.xml by changing
    OpConsoleWebService-1.0.jar to OpConsoleWebServiceSSL-1.0.jar.
  5. Modify the security-constraint section of the \server\default\deploy\OpConsoleWebServiceBridge-1.0.war\WEB-INF\web.xml file to the following:


    SecuredAll
    /*

    CONFIDENTIAL


  6. Restart JBoss to load the new server.xml settings.
- Daniele
This posting is provided "AS IS" with no warranties, and confers no rights.