Sunday, 17 April 2016

Enabling license scanning with IBM Endpoint Manager

Enabling license scanning with IBM Endpoint Manager and IBM PureApplication Software on Microsoft Azure

In IBM PureApplication Software on Microsoft Azure, administrators are responsible for tracking and reporting the use of IBM licensed products installed on deployed virtual machines. This tutorial shows you how to set up the software to collect this information

Introduction

IBM® PureApplication® Software on Microsoft® Azure® uses the IBM Endpoint Manager (IEM) with the IBM License Metric Toolkit (ILMT) to discover and report on installed IBM software products, freeing customers from manually tracking software installation and use. The license scanning architecture is shown below:
Figure 1. Components of license scanning
Components of license scanning
ILMT runs on IEM, which is a complete systems management platform with multiple independent components. IBM PureApplication Software on Azure uses IEM for lifecycle management. For more information, see the IBM Knowledge Center. The required IEM infrastructure consists of two parts:
  • IEM Client (also known as the IEM Agent) -- Automatically installed on the deployed virtual machines during the IBM PureApplication Software deployment process.
  • IEM Server -- Manages software scanning on the virtual machines, and aggregates the scan results.
This article shows you how to set up an IEM IBM PureApplication and configure it to perform license scans on the virtual machines deployed via IBM PureApplication Software on Azure. While IEM supports operation of the server on both Linux® and Windows®, this article covers installation on Windows only, and shows the basic steps to create an operational environment suitable for use with IBM PureApplication Software on Azure.

Pre-installation planning

This section is an overview of the requirements and steps. For more details, see the following sections, as well as Getting started in the IEM Knowledge Center.

Provide a system running Microsoft Windows 2012 Server Standard Edition

This tutorial uses Microsoft Windows 2012 Server Standard Edition, though any current version of Windows can be used. For a current list of supported operating system versions, see the "Windows" sections under IBM Endpoint Manager 9.2.0 System Requirements.

Ensure that network connectivity is available between all of the components

You must establish two independent communication channels:
  • Connection between the IEM Server and the deployed virtual machines
  • Connection between the IEM Server and the IBM PureApplication Software on Azure Management Server (PSM).

IEM installation and setup

Overview of installation steps

  1. Set up a Windows system to host the IEM Server
  2. Establish network connectivity
  3. Obtain IBM Endpoint Manager package and required licenses
  4. Perform IEM Server installation using IEM installation generator
  5. Install IEM Server console application
  6. Enable Microsoft SQL Server authentication in mixed-mode on IEM Server
  7. Set up IEM scanning tasks

1. Set up a Windows system to host the IEM Server system

It is important to size your IEM Server appropriately for the number of deployed virtual machines that you expect to have. For more information on sizing your IEM Server, see the "Windows" sections under IBM Endpoint Manager 9.2.0 System Requirements, and click on the Hardware tab.

2. Establish network connectivity

  • Ensure that firewall ports are open on the IEM Server:
    • The IEM Server must allow inbound traffic on Port 52311 for TCP and UDP for communications between the IEM Server and the deployed virtual machines.
    • The IEM Server must allow inbound traffic on Port 1433 for JDBC access to the database.
  • The IEM Server hostname must be resolvable by the DNS Server used by Microsoft Azure deployments.
  • In addition to network connectivity with deployed Azure virtual machines, there must be connectivity between the IEM Server and the PSM. Also, the PSM hostname must be resolvable by the DNS Server used by the IEM Server.
  • The firewall on the PSM must allow inbound traffic on Port 9082 for TCP communications from the IEM Server.

3. Obtain IBM Endpoint Manager package and required licenses

You are automatically entitled for IBM Endpoint Manager as part of IBM PureApplication Software on Azure. You can download IEM using Passport Advantage, and it will automatically appear in your list of available software.
In addition to the IEM install image, you will need a license authorization file to generate the product keys. The technical contacts for your organization should have received an e-mail the information on how to create and download the IEM License authorization file. For instructions and more information on license management, see Managing Licenses in the IBM Endpoint Manager for Patch Management Knowledge Center.

4. Perform IEM Server installation using IEM Installation Generator

Installation is done via the IEM Server Installation Generator, which captures configuration and license information, and generates the required files and installation binaries.
Run the IEM Installation Generator
  1. From the directory where you saved the downloaded IEM installation image, run setup.exe to launch the Installation Generator.
  2. On the Select Install Type screen, choose the option for Production.
  3. On the next screen, accept the Software License Agreement to continue.
  4. The next screen lets you select the Setup Type. Select as shown below:
    Figure 2. IEM Installation Generator: Select Setup Type
    IEM Installation Generator: Select Setup Type
  5. Select I want to install with an IBM Endpoint Manager license authorization file. Click Next and browse to the location of the file LicenseAuthorization.BESLicenseAuthorization:
    Figure 3. License Authorization file location dialog
    License Authorization file location dialog
  6. The next screen prompts you to enter the DNS name of your IEM Server, which must be resolvable by the deployed virtual machines. The hostname value is filled in -- if it is correct, click Next; if it is not correct, change it to the correct value and click Next:
    Figure 4. Request License: Specify IEM Server name
    Request License: Specify IEM Server name
  7. Enter a password used to create a keypair that is used to create administrative users for the IEM console. You must save this file, but for basic operation you will not need to refer to it again.
    Figure 5. IEM signing key password entry
    IEM signing key password entry
  8. Next you will be prompted for a location in which to save the generated keyfiles and certificate:
    Figure 6. Storage location for IEM signing keys
    Storage location for IEM signing keys
  9. The license request will be submitted over the Internet. If your IEM Server does not have Internet access, follow the instructions on the screen to complete the process manually:
    Figure 7. Submitting IEM license request over the Internet
    Submitting IEM license request over the Internet
  10. Click Request, and then on the next screen click Create to enter the dialog to create the masthead file:
    Figure 8. Creating masthead file
    Creating masthead file
  11. The default values on the Advanced Masthead Parameters screen should be fine for most purposes. Click OK to accept the masthead parameters. You have now created the license files. The next step is to run the Installation Generator to create the IEM Installers. You are prompted for the location to store the installer binaries:
    Figure 9. Specifying the location for the IEM installation components
    Specifying the location for the IEM installation components
  12. Take the default paths, let the dialog run, and then click Finish on the InstallShield Wizard Complete screen to launch the IBM Endpoint Manager Installation Guide:
    Figure 10. Successful completion of Installation Generator
    Successful completion of Installation Generator
    Figure 11. Install IEM Server
    Install IEM Server
  13. On the Installation Guide launchpad, select Install Server on the left, then click Install the Server on this computer on the main panel:
    Figure 12. Launching the IEM Server Installation dialog
  14. The Endpoint Manager Server Installer is launched. Take the defaults on the Select Features screen:
    Figure 13. Selecting IEM Server features
    Selecting IEM Server features
  15. Take the default Single or Master Database on the Select Database Replication screen, and Use Local Database, which will result in the installation of SQL Server 2005 Express:
    Figure 14. Choose destination for Microsoft SQL Server installation
    Choose destination for Microsoft SQL Server installation
  16. Take the default locations for Microsoft SQL Server and for BES Server, and then on the following screen, use the WWW and URL defaults for the Server and the Web Reports Server:
    Figure 15. Specify location and URL for IEM Server root folder
    Specify location and URL for IEM Server root folder
  17. Click Next on the installation parameters review screen to start the process of installing Microsoft SQL Server and the IEM Server.
  18. You will see various processes running that install and configure SQL Server, then a dialog to specify the location of the Site Admin Private Key. Accept the defaults, and on the next prompt enter a Site Admin Private Key Password and record it in your records. Although you will typically not use this key pair directly, it is the basis for all authentication between the IEM Server and the IEM agents on the deployed virtual machines.
  19. Next, you will get a prompt to enter a username and password for the IEM Server Administrative user. Choose a username and password and record them, since you will use them to log in to the IEM Console:
    Figure 16. Create IEM Administrative User
    Create IEM Administrative User
  20. You will get a prompt saying that "Setup has finished install IBM Endpoint Manager Server on your computer" and a checkbox offering to run the IEM Diagnostic Tool. Click Finish:
    Figure 17. Successful completion of IEM Server installation
    Successful completion of IEM Server installation
  21. If you have left the option to run the diagnostics selected, then when it completes, you may see a warning that the BES Client is not running and does not exist. Ignore it, because you have not installed the client. You should not see any other errors. Click Close in this diagnostics dialog if you have run it.

5. Install IEM Server Console

The IEM Server Console is a Windows-only application. It can be installed on the IEM Server as well as on any other Windows based system, and multiple consoles can connect to the IEM Server.
  1. Click Install Console on the left side of the Endpoint Manager Installation Guide and click Install the Console on this computer. If you want to install the console on a different system, follow the instructions on the same panel.
    Figure 18. Installation of IEM Console application
    Installation of IEM Console application
  2. Click Next to use the default location. On the next screen, click Install to start the installation.
    Figure 19. IEM Console Installshield Wizard
    IEM Console Installshield Wizard
  3. Take the defaults for the installation location and to create a desktop shortcut, and then click Install. When the installation is complete, clickFinish to launch the console.

6. Enable Microsoft SQL Server authentication in mixed-mode on IEM Server

The PSM retrieves scanned license data from the IEM Server using JDBC. Because the PSM is Linux-based, it uses the Microsoft Linux JDBC driver for MS SQL, which requires MS SQL Server authentication to be enabled. This is known as Mixed-Mode Authentication. For information on enabling SQL Server authentication and an appropriate user id for access, see Change Server Authentication Mode. The steps described there show you how to use Microsoft SQL Server Studio. You can Download Microsoft SQL Server Management Studio Express from Microsoft.

7. Set up IEM scanning tasks

Configure license scanning in the IBM PureApplication Software on Azure UI
Before completing the setup of license scanning in the IEM console, you must establish the linkage between the PSM and the IEM Server on the Configure License Scanning page of the IBM PureApplication Software UI:
  1. Select System => System Settings and then expand the section License Scanner Settings.
  2. For Database Type, leave the default of MS SQL Server, and enter the correct hostname, username, and password for both Database for IBM Endpoint Manager Server, and for "Web Reports Database." The default username is "sa" and the password is what you set in the step above, "Change Server Authentication Mode." Do not change the default database names, BFEnterprise and BESReporting.
  3. In the middle section, IBM Endpoint Manager Server, enter the hostname of your IEM Server, and the user name and password that you specified above in the section "Install the IEM Server."
  4. Click Test Connection to validate your inputs and verify network connectivity. If connection is successful, click Save to store your settings and initiate a background process in the PSM to configure and start the license scanner component of the PSM.
    Figure 20. IBM PureApplication Software on Azure: License Scanner settings
    BM PureApplication Software on Azure: License Scanner settings
Set up IEM tasks for software license scanning
You must now take several actions in the IEM Console so that the license scan process will run. These steps only need to be done once -- they establish IEM tasks that will be executed automatically for each virtual machine deployed by IBM PureApplication Software on Azure. This section describes these steps along with some background information on IEM.

Overview of IBM Endpoint Manager and task operation

This introduction to IEM gives you enough background to follow the steps below and set up your system. For more detailed information, see IBM Endpoint Manager for Lifecycle Management V9.2 Knowledge Center.
  • IEM is an infrastructure for executing tasks and fixlets on the physical and virtual machines that it manages.
  • Tasks and fixlets are grouped into sites.
  • The site for license scanning is IBM License Reporting (ILMT) V9.
  • For license scanning, we are concerned only with tasks, not fixlets.
  • IEM tasks are started with at least two specifications made for the task:
    • Targets -- The computers on which the task is to be executed
    • Execution rules -- For example the starting and ending time of a task, and the frequency of repetition.
  • Each task has a definition of the virtual machines on which it can be run, and this definition can (and often does) depend on the state of the virtual machine, such as the existence of certain files. In IEM terminology this is known as relevance -- is a task relevant for a given system (virtual machine).
With that background, you can now set up the license scanning by starting a set of tasks. Since you want the tasks to be automatically activated for all deployed virtual machines, for Target, select All Computers. Since the task should take effect for all new deployments at any time in the future, on the Execution tab, specify that the task has no end date, meaning it will stay active and apply to any new systems that are deployed, until it is explicitly stopped. Some of the tasks are run only once per virtual machine, such as installation of the scanner code. However, the scan task, which actually looks for installed software, must run periodically, so you set a scan frequency. For more information, see the relevant sections below.

Activating the ILMT site in the IEM Console

At the beginning of this article it was mentioned that ILMT is an IEM Application. This next steps activate or install ILMT (which performs the license scanning) into the IEM Infrastructure and make all of the scanning related tasks available for use:
  1. In The IEM Console, select the BigFix Management section at the bottom of the left-hand navigation panel, then click License Overview. In the main panel, under IBM License Metric Tool, click Enable to enable the ILMT Site in IEM:
    Figure 21. Enable ILMT Application in IEM Console
    Enable ILMT Application in IEM Console

IEM tasks for scanning

You must set up three distinct tasks in IEM to generate actions on each deployed virtual machine:
  1. Install the scanner -- Installs the scanner code onto the deployed virtual machines.
  2. Initiate software scan -- Instructs the IEM agent to scan for installed software on the virtual machines.
  3. Upload software scan results -- Causes the IEM agent to upload the scan data to the IEM Server.
By establishing these tasks with a target of All Computers, and setting them to remain active until explicitly stopped, they will automatically run on each new deployed virtual machine, so this is a one-time operation. Details and steps for starting them are provided in the next sections.
1. Install the scanner
This task causes the ILMT scanner code to be deployed onto each deployed virtual machine. To activate it:
  1. Click Fixlets and Tasks in the navigation panel to the left, and then type "install scanner" in the search bar at upper right to filter the display of tasks.
  2. Click the Install Scanner line in the results under the search box, and then click Take Action below that. See the following example:
    Figure 22. Activating Install Scanner IEM task
    Activating Install Scanner IEM task
  3. You should see a pop-up window where you can specify the settings for the Install Scanner task. First set the Target for the task: select theDynamically target by property radio button, and then click All Computers:
    Figure 23. Setting target systems for Install Scanner task
    Setting target systems for Install Scanner task
  4. Select the Execution tab, and ensure that the Ends on box is unchecked:
    Figure 24. Clearing Ends On property for Install Scanner task
    Clearing Ends On property for Install Scanner task
  5. Click OK to complete the action.
2. Initiate software scan
The task that performs the actual scanning of the system to detect installed software is next. Follow a similar process:
  1. Click Tasks and Fixlets, enter "Initiate Software Scan" in the filter box, click the task in the results pane, and then click Take Action.
    Figure 25. Activating Initiate Software Scan task
    Activating Initiate Software Scan task
  2. A pop-up window opens, as with the Install Scanner task. Again, choose the Dynamically target by property and All Computers options, and then select the Execution tab. This time, in addition to ensuring that the Ends on checkbox is unchecked, set the scan frequency to 12 hours rather than the default value of 7 days, to make the license data available in the IBM PureApplication Software UI more quickly.
    Figure 26. Setting Execution Interval for software scans
    Setting Execution Interval for software scans
  3. Click OK to complete this action.
4. Upload software scan results
The final step is to start the task that uploads the scan results from the deployed virtual machines to the IEM Server, so that they can be gathered into the IBM PureApplication Software management console. Follow the same process:
  1. Select Fixlets and tasks, and filter for Upload software scan results:
    Figure 27. Activating Upload Software Scan Results IEM task
    Activating Upload Software Scan Results IEM task
  2. On the Take Action popup, for target, select All computers as for the previous tasks. On the Execution tab, ensure that Ends on is unchecked. There is no need to specify a frequency at which this task should run, since it uses a predefined relevance check that tests for the presence of new scan results and runs whenever they are available. That is why you needed to verify that Reapply this action: whenever it becomes relevant again is selected, as shown below:
    Figure 28. Setting Execution parameters for Upload Software Scan Results task
    Setting Execution parameters for Upload Software Scan Results task
  3. Click OK to activate this task.
Verify that your tasks are started
  1. In the left-hand navigation pane, select Fixlets and Tasks, make sure that the filter box in the upper right is clear, and click the Open Action Count column to change the sort order. You may have to click twice to ensure that sort is descending, indicated by a download pointing black triangle above the column heading. You should see the three tasks with a count of 1:
    Figure 29. Verifying active tasks
    Verifying active tasks

Conclusion

At this point, the setup of IEM for license scanning is complete. Any virtual machines that you deploy using IBM PureApplication Software on Azure will automatically register with the IEM Server and have their license usage information reported in the IBM PureApplication System reports, with no manual action required.