Managed server requirements

The servers to be managed by WebSphere Automation must meet certain requirements.

Usage metering requirement

WebSphere Automation uses the usage metering feature within WebSphere Application Server and WebSphere Application Server Liberty to collect data about the servers you want to monitor so that their vulnerability status or health status can be assessed. The usage metering feature must be manually configured on each server to be managed so that it can communicate with WebSphere Automation. The usage metering feature is a supported, stabilized component of WebSphere Application Server and WebSphere Application Server Liberty for use with WebSphere Automation. It was previously used with the now removed metering service in IBM Cloud Private. Stabilization of the feature supersedes any mention of its deprecation in the documentation for WebSphere Application Server or WebSphere Application Server Liberty.

WebSphere Automation cannot communicate with servers that do not have this feature. Because of this limitation and the date that the usage metering feature was released, WebSphere Automation does not evaluate security bulletins that were created before 2018. The following application servers can be managed:
  • WebSphere Application Server (all editions) 8.5.5.15 and later
  • WebSphere Application Server (all editions) 9.0.0.9 and later
  • WebSphere Application Server Liberty (all editions) 18.0.0.3 and later

As service updates or new versions of WebSphere software are installed, the security status of the server inventory is updated.

Security fix installation and health monitoring requirements

In addition to the usage metering requirement, servers must meet these requirements for security fix installation and health monitoring by WebSphere Automation.

Table 1. Requirements for managed servers
Requirement Security fix installation Health monitoring
Python and Python3 (installed and on the PATH for all users) Python 3 (version 3.5 or later) Python 3 (version 3.5 or later)
Java™ (installed and on the PATH for all users) (WebSphere Application Server Liberty only) Required Required
Windows servers must have PowerShell 5.1 or later installed Required Required
Servers must be accessible from WebSphere Automation with SSH (Linux® or UNIX), or SSH or WinRM (Windows) Required Required
All Linux and UNIX servers must be accessible with the same SSH credentials and user account. Windows servers must be accessible with the same SSH or WinRM credentials and user account. Required Required
The user account must have permissions to use the wsadmin script (WebSphere Application Server) or the server script (WebSphere Application Server Liberty) Required Required
On Linux and UNIX servers, the user account must have at least read access to the WebSphere Application Server or WebSphere Application Server Liberty installation and profile directories. If the owner of these installation or profile directories is different from the user account, the user account must have ability to become that user by using the sudo command. Required N/A
On Linux and UNIX servers, if a custom data location was used when Installation Manager was installed in group mode, Installation Manager must either be reinstalled without a custom data location or the InstallationManager.dat file must be placed in the following location.

/user_home_directory/var/ibm/InstallationManager_Group/etc/.ibm/registry/InstallationManager.dat

The InstallationManager.dat file is typically located in the following location.

application_data_location/etc/.ibm/registry/InstallationManager.dat

If Installation Manager is installed in administrator mode, the installation must be managed by a user with administrator privileges.

Required N/A
The user account must have access to heap dump files that are generated by WebSphere Application Server or WebSphere Application Server Liberty N/A Required
On Windows servers, the user account must either have:
  • Administrative permissions and the SeDebugPrivilege Windows privilege enabled. SeDebugPrivilege is enabled by default for administrators.
  • Nonadminstrator privileges but ownership of the WebSphere Application Server installation directory and access to the Installation Manager directory. The SeDebugPrivilege Windows privilege must not be enabled.
Required N/A
Instana agent must be installed and configured to communicate with an installation of Instana. For more information, see Setting up Instana to send alerts to WebSphere Automation. N/A Required
Note: If security is enabled for WebSphere Application Server traditional server, security credentials must be included in the soap.client.props file of each node where a heap dump might be generated.
com.ibm.SOAP.loginUserid=<USERID>
com.ibm.SOAP.loginPassword=<PASSWORD>
Note: For WebSphere Application Server Liberty servers, the Liberty profile cannot be running as an embedded process in another product.