Operating Systems and Hosts

Go through this section for detailed information on the various Operating Systems and Hosts.

IBM Power Systems

Use HMC Dynamic Scope Sets for IBM® Power Systems, when an HMC or IVM manages the LPAR configuration. With HMC Dynamic Scope Sets, you create a scope definition for the HMCs and provide the associated HMC and LPAR credentials, but do not need to create scopes for each managed LPAR. When the HMC is discovered, TSA determines which LPARs are in existence and then automatically scans each LPAR.

For IBM® Power Systems where the configuration of LPARs is static, an alternative method to HMC Dynamic Scope Sets is to iterate by adding scopes and credentials for entities in the following order.
  1. The HMC or IVM instance - Returns high-level information about all the Power Systems that it manages, and the logical partitions contained therein. The IVM returns similar information for the single system that it manages.
  2. The VIOS partitions - Returns information about the physical adapters and resources that these partitions own.
  3. Individual partitions - Sometimes, a non-VIOS partition owns physical adapters.

Hardware Management Console (HMC)

Using HMC Dynamic Scope Sets allows TSA to collect detailed OS information from each LPAR.
Note: For more information, see section HMC Dynamic Scopes
The Power System entities that are scanned have an impact on the data that is collected for the TSA report.
  • By scanning only HMCs, you get all essential information on the Identified tab. HMC Topology, Power Systems Firmware, IBM i® Recommendations, Linux® Recommendations, HMC/VIOS/AIX, and Contract tabs and some adapter information.
  • By scanning VIOS partitions, you get additional information on adapter firmware and connected storage.
  • By scanning LPARs, you get more information about the LPAR, including OS details and instances of specific software such as PowerHA, GPFS, and PowerSC.

To discover HMC instances, complete the following steps.

Preparing the environment
Credentials for access list
  • For HMC Dynamic Scope Sets, use username-password or username-SSH key authentication for the HMC service account.
  • For General Discovery Scope Sets (Computer System), use username-password or username-SSH key authentication for the HMC service account.
  • The HMC user must have the following roles.
    • Resource role - AllSystemResources
    • Task role (based on hmcoperator with command line tasks) -
      • Managed System (lshwres, lssyscfg)
      • Logical Partition (lshwres, lssyscfg, viosvrcmd)
      • HMC Configuration (lshmc)
  • A user (service account) with hmcviewer authority can be used if necessary, which might result in partial data collection.
    Note: When running with hmcviewer authority, information about adapters that are owned by VIOS partitions cannot be obtained. To get this information, make sure that the service account has a minimum of hmcoperator authority. If that is not possible, then add scopes and credentials to discover the VIOS partitions directly in addition to the HMC.

Integrated Virtualization Manager (IVM)

To discover IVM instances, complete the following steps.

Credentials for access list
  • Computer System - Use username-password or username-SSH key authentication for the IVM service account.
  • The service account must have view-only permission.

Virtual I/O Server (VIOS) Partitions

To discover VIOS instances, complete the following steps.

Credentials for access list
  • For HMC Dynamic Scope Sets, use username-password or username-SSH key authentication for the VIOS partition service account.
  • For General Discovery Scope Sets (Computer System), use username-password or username-SSH key authentication for the VIOS partition service account.
  • The service account must be an administrator account such as padmin.
  • The service account must have a user attribute of rlogin=true. You can set this attribute by using SMIT or by editing the /etc/security/user file.
  • The parameter PermitUserEnvironment in the /etc/ssh/sshd_config file must be set to yes.

AIX

To discover AIX instances, complete the following steps.
Preparing the environment
  • Ensure that the packages bos.perf.tools and OpenSSH or openSSL are installed.
  • Disable invalid login attempt fail for the service account.
Credentials for access list
  • For HMC Dynamic Scope Sets, use username-password or username-SSH key authentication for the AIX partition service account.
  • For General Discovery Scope Sets (Computer System), use username-password or username-SSH key authentication for the AIX service account.
  • The service account can be root or an account with sudo authority.
  • The service account must have a user attribute of rlogin=true. You can set this attribute by using SMIT or by editing the /etc/security/user file.
  • Go through the following steps to enable a non-root service account for sudo authority for AIX.
    • Install the sudo RPM (sudo-1.6.9p15-2noldap) and SSH file sets (openssh.base.server, openssh.base.client on the AIX instance).
    • On the target AIX instance, create a non-root user ID that TSA can use to access the system.
    • Modify /etc/sudoers file on each AIX instance to allow TSA to run the specified commands by using sudo authority.
      # Cmnd alias specification 
Cmnd_Alias TSA_CMDS = /usr/bin/lparstat, /usr/sbin/no, /usr/sbin/nfso, /usr/bin/lslicense, /usr/sbin/vmo, /usr/sbin/ioo, /usr/sbin/lvmo, /usr/sbin/schedo, /usr/bin/sysdumpdev, /usr/sbin/smtctl, /usr/sbin/emgr,
/usr/bin/sissasraidmgr, /usr/sbin/lswpar, /usr/sbin/cpuextintr_ctl, /usr/sbin/lsnim, /usr/sbin/raso, /usr/sbin/bosdebug, /usr/sbin/chedition, /usr/esa/bin/esacli, /usr/sbin/bootinfo, /usr/bin/mpio_get_config, /usr/bin/cat /etc/objrepos/CuData,
/usr/bin/cat /etc/objrepos/CuData.vc, /usr/bin/cat /var/adm/ras/bootlog, /usr/bin/cat /etc/lpp/diagnostics/data/diagrpt*.dat, /usr/bin/tapeutil, /usr/lpp/OV/bin/opcagt, /usr/DynamicLinkManager/bin/dlnkmgr view, /usr/sbin/powermt version, /usr/sbin/powermt display,
/usr/bin/pcmpath query, /usr/sbin/datapath query

      # User privilege specification
<User Name> ALL = NOPASSWD: TSA_CMDS
      Note: <User Name> is the non-root service account that TSA uses to collect AIX information. This <User Name> is a user on each AIX instance. The /etc/sudoers file on each AIX instance must be updated with the listed specifications.
    • An alternative to the modifications to /etc/sudoers file is to use the following user privilege specification.
      <User Name> ALL = NOPASSWD: ALL
      Note: <User Name> is the non-root service account that TSA uses to collect AIX information. This user specification allows the service account to use sudo authority on any AIX command.

It is recommended that you configure TSA to use HMC Dynamic Scope Sets to help collect AIX information. As an alternative, you can configure TSA to discover the HMCs and the logical partitions (including VIOS) on the Power Systems.

Linux on Power

To discover Linux® on Power instances, complete the following steps.
Preparing the environment
Disable invalid login attempt fail for the service account.
Credentials for access list
  • For HMC Dynamic Scope Sets, use username-password or username-SSH key authentication for the Linux® partition service account.
  • For General Discovery Scope Sets (Computer System), use username-password or username-SSH key authentication for the Linux® service account.
  • Go through the following steps to enable a non-root service account for sudo authority for Linux®:
    • On the target Linux® instance, create a non-root user ID that TSA can use to access the system.
    • Modify /etc/sudoers on each Linux® instance to allow TSA to run the specified commands by using sudo authority.
      # Cmnd alias specification 
Cmnd_Alias TSA_CMDS = /usr/sbin/lsvpd, /sbin/lsvpd, /usr/sbin/lscfg, /sbin/lscfg, /usr/sbin/lsmcode, /sbin/lsmcode, /usr/sbin/lvmdiskscan, /sbin/lvmdiskscan, /usr/sbin/dmidecode, /usr/bin/mtlib, /usr/bin/tapeutil, 
      
/usr/bin/crontab, /sbin/fdisk, /bin/ls -alR /boot/*, /bin/cat /proc/irq/*, /bin/cat /proc/net/vlan/config, /bin/cat /proc/ppc64/rtas/*, /bin/cat /proc/sys/kernel/cap-bound, /bin/cat /proc/sys/kernel/random/entropy_avail

      # User privilege specification
<User Name> ALL = NOPASSWD: TSA_CMDS
      Note: <User Name> is the non-root service account that TSA uses to collect Linux® information. This <User Name> is a user on each Linux® instance. The /etc/sudoers file on each Linux® instance must be updated with the specified configuration.

IBM i

IBM i® instances are discovered by using an SSH connection. If the IBM i® instance does not have SSH installed and configured, complete the following steps.

Preparing the environment

  • Make sure that the following products are installed and configured for IBM i® 7.4

    • IBM® Portable Utilities for i, 5733-SC1
    • Qshell, 5770-SS1, option 30
    • Portable App Solutions Environment, 5770-SS1, option 33
    • IBM® Developer Kit for Java™, 5770-JV1 option 16
    • Java™ SE 8 32 bit

    Make sure that the following products are installed and configured for IBM i® 7.5

    • IBM® Portable Utilities for i, 5733-SC1
    • Qshell, 5770-SS1, option 30
    • Portable App Solutions Environment, 5770-SS1, option 33
    • IBM® Developer Kit for Java™, 5770-JV1 option 16
    • Java™ SE 8 32 bit

    To start the SSH daemon, run the command - SBMJOB CMD (CALL PGM (QP2SHELL) PARM('/QOpenSys/usr/sbin/sshd'))

    To start the SSHD service on IBM i®, run the command - STRTCPSVR SERVER(*SSHD)

    Note: For more information about how to configure SSH on IBM i®, see chapters 2 and 3 in the Redbooks: Securing Communications with OpenSSH on IBM i5/OS.
Credentials for access list
  • Computer System - Use username-password authentication for the service account.
  • The service account can have any user class including *USER, though extra object authority requirements are needed to collect PTF information (which is done by using the DSPPTF command).
  • The DSPPTF command is shipped with the following object authority restrictions.
    • The command is shipped with *EXCLUDE public authority
    • QPGMR, QSYSOPR, QSRV, and QSRVBAS user profiles are shipped with private authorities to use this command
    • As always, the QSECOFR user profile or any user profile with a user class of *SECOFR can run this command
  • The QSYS/DSPPTF object of object type *CMD can have its authorities edited to allow any other user to run this command.
  • If a new service account is created for TSA, the following recommendations apply.
    • Create the user profile with user class *USER
    • Use the GRTOBJAUT command to allow this user profile to run the DSPPTF command; object is QSYS/DSPPTF of object type *CMD

Unix Systems

Solaris

To discover Solaris instances, complete the following steps.
Preparing the environment
  • On Solaris systems, ensure that the SUNWscpu (Source Compatibility) package is installed.
  • On some Solaris systems, SNEEP needs to be installed and configured to obtain serial numbers.
Credentials for access list
  • Computer System - Use username-password or username-SSH key authentication for the service account.
  • The service account can be non-root.

Solaris via Oracle iLOM

To discover Solaris devices through an Oracle iLOM, complete the following steps.
Credentials for access list
  • Computer System - Use username-password for the service account.
  • The service account can have either Operator or Administrator privileges.

Linux

If the Linux® instance is running on an IBM® Power System, see section Linux on Power, under IBM® Power Systems.

To discover Linux® on x86 devices, complete the following steps.
Preparing the environment
Make sure the pciutils package is installed. The lspci command contained therein is used to collect information about adapters and connections to external storage devices.
Credentials for access list
  • For VMware Dynamic Scope Sets, use username-password or username-SSH key authentication for the Linux® virtual machine service account.
  • For General Discovery Scope Sets (Computer System), use username-password or username-SSH key authentication for the Linux® service account.
  • Set /bin/sh as the shell for this account.
  • For Linux® (x86), the service account can be root or an account with sudo authority.
  • To discover using a non-root service account, add the following to the /etc/sudoers file on the Linux® system.
    # Cmnd alias specification
Cmnd_Alias TSA_CMDS = /usr/sbin/dmidecode
    # User privilege specification
<User Name> ALL = NOPASSWD: TSA_CMDS
    Note: <User Name> is the non-root service account that TSA uses to collect Linux® information. The <User Name> is a user on each Linux® instance. The /etc/sudoers file on each Linux® instance must be updated with the specified configuration.
  • An alternative to the modifications to /etc/sudoers is to use the following user privilege specification.
    <User Name> ALL = NOPASSWD: ALL
    Note: <User Name> is the non-root service account that TSA uses to collect Linux® information. This user specification allows the service account to use sudo authority on any Linux® command.

HP-UX

To discover HP-UX instances, complete the following steps.
Credentials for access list
  • Computer System - Use username-password or username-SSH key authentication for the service account.
  • To enable a non-root service account for sudo authority for HP-UX -
    • Modify /usr/local/etc/sudoers on each HP-UX device to allow TSA to run the specified commands using sudo authority.
      # Cmnd alias specification
Cmnd_Alias TSA_CMDS =/usr/sbin/diskinfo,/opt/hpvm/bin/hpvmstatus
      # User privilege specification
<User Name> ALL=(ALL) NOPASSWD:TSA_CMDS
      Note: <User Name> is the non-root service account that TSA uses to collect HP-UX information.

VMware vCenter Server and VMware ESXi

For VMware environments, use VMware Dynamic Scope Sets. With VMware Dynamic Scope Sets you create a scope definition for the VMware vCenter Server® or ESXi™ and provide the associated VMware and virtual machine credentials, but do not need to create scopes for each managed virtual machine. When the VMware vCenter Server® or ESXi™ is discovered, TSA determines which virtual machines are in existence then and automatically scans each virtual machine.

For VMware environments where the configuration of virtual machines is static, an alternative method to VMware Dynamic Scope Sets is to iterate by adding scopes and credentials for entities in the following order.

  1. The vCenter Server instances - This returns high-level information about the ESXi hosts they manage, and the virtual machine guests contained therein.
  2. ESXi hosts - Add ESXi hosts that are not managed by a vCenter Server.
  3. Individual Virtual Machine guests - This allows collection of more detailed information regarding the operating system.

The following steps are recommended for configuring TSA on VMware environments.

  1. Configure TSA to discover VMware vCenter Servers® where available. Discovering a VMware vCenter Servers® automatically causes TSA to collect information about all the VMware ESXi™ hosts that the vCenter Server manages. No configuration information about the ESXi hosts is required.
  2. Configure TSA to discover VMware ESXi™ hosts only when the ESXi host is not managed by a VMware vCenter Server®.
  3. Install VMware Tools on each virtual machine that are hosted on the ESXi hosts. If VMware Tools is not installed, then some inventory data such as IP address or Operating System installed, will not be accessible.
  4. Configure each VMware ESXi™ host to have the CIM interface active. The CIM interface allows TSA to collect detailed information about the adapters within the ESXi host. For more information about the CIM provider, see sectionCIM Provider for VMware ESXi.
To discover VMware vCenter Server® instances as well as information about the ESXi servers they manage, complete the following steps.
Preparing the environment
  • Install VMware Tools on each virtual machine that is hosted on the ESXi hosts.
  • Configure each VMware ESXi host to have the CIM interface active.
  • The CIM port (5989) for each VMware ESXi host must be accessible to TSA (unblocked by firewalls, etc.) for full discovery.
Credentials for access list
  • For VMware Dynamic Scope Sets - Use username-password for the VMware vCenter Server® service account.
  • For General Discovery Scope Sets (Computer System), use username-password for the VMware vCenter Server® service account.
  • The service account must have Administrator role permissions or at least permissions to a custom Read-only role with following additional privileges.
    • Global → Licenses
    • Global → Settings
    • Host → CIM
    • Host → Configuration → Change settings
    • Host → CIM → CIM Interaction
To discover ESXi instances directly, complete the following steps.
Preparing the environment
  • Install VMware Tools on each virtual machine that are hosted on the ESXi hosts.
  • Configure each VMware ESXi™ host to have the CIM interface active.
Credentials for access list
  • For VMware Dynamic Scope Sets, use username-password authentication for the VMware ESXi™ service account.
  • For General Discovery Scope Sets (Computer System), use username-password authentication for the VMware ESXi service account.
  • The service account must have Administrator role permissions.

Windows

TSA supports discovery of Windows instances with the following methods.
  • WINRM
  • SMB1
Note: Windows® via WINRM is preferred as it is the more secure interface. Use the Legacy Protocols page to disable discovery of devices using SMB1 if desired. For more information, see section Connection settings for Legacy Protocols.

Windows via WINRM

To discover Windows® devices via WINRM, complete the following steps.
Preparing the environment

The most common way to prepare the environment is to use a server certificate generated by a certificate authority that is installed on the target Windows® server. The certificate must meet the following conditions.

  • The root and intermediate certificates from the certificate authority are in the Trusted Root Certification Authorities certificates.
  • The server certificate is installed in the Personal certificates.
  • The server certificate must show that it is issued to the fully qualified hostname of the server.
  • The server certificate must include the private key for this server.

To configure WINRM for remote HTTPS connections, use the command - winrm quickconfig -transport:https.

The command does the following transactions.
  • Enables WINRM if not currently active
  • Modifies the WINRM service so that WINRM starts automatically on restarts
  • Configures the WINRM HTTPS listener
  • Modifies the Windows Firewall rules to allow remote HTTPS connections
The command produces the following output. Enter y to confirm the changes.
WinRM service is already running on the system.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made -
Create a WinRM listener on HTTPS -//* to accept WS-Man requests to any IP on this machine.
Configure a CertificateThumbprint setting for the service to be used for CredSSP authentication.
Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.


Make these changes [y/n]? y
WinRM has been updated for remote management.
Created a WinRM listener on HTTPS://* to accept WS-Man requests to any IP on this machine.
Configured required settings for the service.
Configured LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.

Finally, to allow username-password authentication over HTTPS, run the command - winrm set winrm/config/service/auth @{Basic="true"}

An alternative is to use a self-signed certificate. For more information, see section Windows that use WINRM.

Credentials for access list
  • For VMware Dynamic Scope Sets, use username-password for the VMware ESXi™ service account.
  • For General Discovery Scope Sets (Computer System - Windows®), use username-password for the VMware ESXi™ service account.
  • The service account must be a member of one of the following groups:
    • Administrators
    • WinRMRemoteWMIUsers__

    To add a user to the WinRMRemoteWMIUsers__ group, use the command: net localgroup WinRMRemoteWMIUsers__ [user_id] /add

Windows via SMB1

To discover Windows devices, complete the following steps.
Preparing the environment
  • Make sure that Windows Scripting Host (WSH) or the Windows Management Instrumentation (WMI) service and VBScript are enabled on the target device.
  • Make sure that the port 445 is not blocked by firewall or IP security policies as TSA uses the Server Message Block (SMBv1) protocol over TCP/IP.
  • To apply security policies, go to Start > Control Panel > Administrative Tools, then choose the following navigation based on whether your policies are stored locally or in an Active Directory.
    • Locally stored policy: Administrative Tools → Local Security Policy → IP Security Policies on Local Computer
    • Policies Stored in Active Directory: Administrative Tools → Default Domain Security Settings → IP Security Policies on Active Directory or Administrative Tools → Default Domain Controller Security Settings → IP Security Policies on Active Directory
  • TSA requires access to the hidden remote administration disk share for access to the system %TEMP% and other directories. Access to the Interprocess Communications share (IPC$) is also required for TSA to access remote registries. Make sure the Interprocess Communication share server service is started. To start the server service, go to the Control Panel > Administrative Tools > Services > Server.
  • Make sure that the Remote Registry Service is active, which helps TSA to establish a session with the Windows® device.
Credentials for access list
  • For VMware® Dynamic Scope Sets, use base administrator account and password. This account works regardless of the User Account Control (UAC) settings.
  • For General Discovery Scope Sets (Computer system - Windows®), use base administrator account and password. This account works regardless of the User Account Control (UAC) settings.
    Note: It is possible to use an account other than the base Administrator account if certain conditions are met. The account must be a local or domain administrator account and the User Account Control (UAC) settings must meet certain requirements. Refer the following table for the combinations of account type and UAC settings that are supported.
Table 1. User Account Control Settings
Always Notify Notifies only when programs change the computer (default setting) Notifies only when programs change the computer (do not dim the desktop) Never Notify
Base Administrator Yes Yes Yes Yes
User in Domain Administrators Group No Yes Yes Yes
User in Local Administrators Group No Yes Yes Yes
Non-Administrator Account (Domain or Local) No No No No
Note: To access UAC Settings, go to Start > Control Panel. Type uac in the search box and click Change User Account Control settings.
User Account Control Settings

ATM Devices

Certain models of ATM devices can be discovered. To discover ATM devices, including basic information about their components, complete the following steps.

Preparing the environment
Wincor Nixdorf models - Follow the instructions specified in the section Windows via SMB1.

Management Module

For IBM Flex Systems®, it is best to iterate by adding scopes and credentials for entities in the following order.

  1. The Flex System Manager (FSM) - Returns high-level information about the Flex System Managers and the Chassis that they manage along with their associated nodes.
    Note: If FSMs are not present, it is recommended to scan the CMMs and any HMCs managing POWER compute nodes on Flex systems.
  2. The Chassis Management Module (CMM) - For chassis that are not managed by an FSM, point to each CMM to retrieve high-level information about each chassis and its associated nodes.
  3. The Compute nodes - Returns detailed information about the Operating System.

Flex System Manager (FSM) Devices

To discover FSM devices, complete the following steps.
Credentials for access list
  • Computer System - Use the username-password for the service account.
  • The service account must have SMAdmin authority.

Chassis Management Module (CMM) Devices

To discover CMM devices, complete the following steps.
Credentials for access list
  • Computer System - Use the username-password authentication for the service account.
  • The service account must have at least operator authority.

Advancement Management Module

To discover AMM devices, complete the following steps.
Credentials for access list
  • Computer System - Use the username-password authentication for the service account.
  • The service account must have at least operator authority.

HP Proliant Blade Server through HP OnBoard Administrator

For Hewlett-Packard (HP) ProLiant Servers, it is best to add scopes and credentials for entities of the HP OnBoard Administrator (HP OBA). The HP OBA returns high-level information about the HP OnBoard Administrator, the enclosure it manages and the nodes that are contained within the enclosure.

To discover an HP Proliant Blade server through HP OnBoard Administrator (OBA), complete the following steps.
Preparing the environment
HP OBA must be in active mode.
Credentials for access list
  • Computer system - Use username-password authentication for the service account.
  • The service account must have either OA administrator, OA operator, or OA user authority on the HP Onboard Administrator. The OA user authority role is recommended.

Integrated Management Module (IMM) and Integrated Management Module II (IMM2) Devices

To discover IMM and IMM2 devices, complete the following steps.
Credentials for access list
  • Computer System - Use the username-password for the service account.
  • The service account can have any valid authority.

HP Integrity and HP9000 Servers through iLO

The iLO is a separate processor card within an HP Integrity and HP9000 Server that provides basic hardware information about the server. The iLO is active when the server is plugged in, even if the server itself is not powered on yet.

To discover the Summary-level inventory information through iLO for HP Integrity and HP9000 servers, complete the following steps.

Credentials for access list
  • Computer system - Use username-password authentication for the service account.
  • The service account can use any valid authority level. User authority is recommended.

Dell Server via Integrated Dell Remote Access Controller (iDRAC)

The iDRAC is a separate processor card within a Dell Server that provides basic hardware information about the server. The iDRAC is not enabled by default and needs to be enabled and configured to be used.

Prerequisites
  • The iDRAC needs to be enabled and configured for its use.
  • An iDRAC service module needs to be installed in the operating system for the OS information to be discoverable.
To discover the Summary-level inventory information through iDRAC for Dell servers, complete the following steps.
Credentials for access list
  • Computer system - Use username-password authentication for the service account.
  • The service account must have at least administrator authority level.
  • The credential must have SSH access to run CLI commands.