The Infrastructure Deployment component lets you remotely install agent software on target computers. The installation can only be done using the facilities offered by the underlying operating systems on the source and target computers, and is subject to any restrictions imposed by the enterprise network configuration.
The initial step when deploying software is to install a small primer application remotely, the IDPrimer, onto the target computer. This IDPrimer software is responsible for subsequent transfer of software component installation images, and the invocation of their installation. When delivering the IDPrimer to the target computers, the deployment manager must supply user credentials that are valid on the target.
The IDPrimer is transferred to the target system using one of the following mechanisms. If the target computer's operating system is known to the deployment manager, an appropriate transfer mechanism is selected. If the target operating system cannot be determined, each of the following mechanisms is attempted in turn.
The deployment manager tries to connect to a Windows network share on the target system. By default, the share name used is ADMIN$, but this is controlled by an IDManager configuration option. This mechanism is available only from deployment managers running on a Windows-based environment and will only succeed on some Windows targets. Windows variants such as Windows XP Home do not support this deployment mechanism.
This mechanism works on any computer running an SSH server, but it is useful mainly when targeting Linux or UNIX computers.
Note: When deploying to Solaris systems, we recommend that you use either SunSSH v1.1 (or higher) or the latest version of OpenSSH. Refer to the following website for additional details about patches applicable for Solaris platforms and versions: http://opensolaris.org/os/community/security/projects/SSH.
If you are running a firewall on the target computer, verify that the SSH port (22) is enabled to permit connection from the deployment manager. You should also check that the SSH server on the target computer is configured to use an RSA key with the 3DES cipher for encryption and the HMAC-SHA1 message authentication code (MAC). Most SSH servers support this configuration by default, but if they do not, consult your SSH server documentation for further instructions.
To successfully deploy to a UNIX or Linux agent, configure the /etc/ssh/sshd_config configuration file of your recent SSH implementation as follows:
Remote Deployment supports deploying software to systems where the /tmp file system is mounted with the noexec flag.
When deploying to some IBM AIX systems that are running both an IPv4 and IPv6 stack, using an IPv6 address, the target computer SSH server may be listening only on port 22 for IPv4. This would cause the deployment to fail. To correct this, edit the sshd_config configuration file and set the ListenAddress to "::".
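The SSH requirements above (port 22, an RSA host key, the 3DES cipher, the HMAC-SHA1 MAC and, for IPv6 deployments, a "::" listener) can be checked on a target before deploying. The following script is an added example, not part of the CA product or its documentation. It assumes an OpenSSH target whose effective settings are printed by sshd -T; the function names and the sample inputs are made up for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Reads "sshd -T"-style effective settings
# on stdin and reports which of the page's SSH requirements are missing.
# On a target, as root:  sshd -T | check_sshd_for_primer [ipv6]

# value_of KEY: comma-join every value of a lowercase sshd -T keyword in $CFG
value_of() {
    printf '%s\n' "$CFG" |
        awk -v k="$1" '$1 == k { v = v (v == "" ? "" : ",") $2 } END { print v }'
}

# has_item LIST ITEM: succeed if ITEM is an exact member of comma-separated LIST
has_item() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_sshd_for_primer [ipv6]: print "ok" or the missing items. Pass "ipv6"
# when the target will be addressed over IPv6 (the AIX dual-stack case).
check_sshd_for_primer() {
    CFG=$(cat)
    missing=""
    has_item "$(value_of port)" 22 || missing="$missing port-22"
    has_item "$(value_of ciphers)" 3des-cbc || missing="$missing 3des-cbc"
    has_item "$(value_of macs)" hmac-sha1 || missing="$missing hmac-sha1"
    # Heuristic (assumption): an RSA host key file has "rsa" in its path
    case "$(value_of hostkey)" in *rsa*) ;; *) missing="$missing rsa-hostkey" ;; esac
    if [ "${1:-}" = ipv6 ]; then
        has_item "$(value_of listenaddress)" "[::]:22" || missing="$missing ipv6-listen"
    fi
    missing=${missing# }
    printf '%s\n' "${missing:-ok}"
    [ -z "$missing" ]
}

# Constructed sample inputs (not captured from a real host)
SAMPLE_MEETS='port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
hostkey /etc/ssh/ssh_host_rsa_key
ciphers aes128-ctr,aes256-ctr,3des-cbc
macs hmac-sha2-256,hmac-sha1'
SAMPLE_LACKS='port 22
listenaddress 0.0.0.0:22
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

# prints: 3des-cbc hmac-sha1 ipv6-listen
printf '%s\n' "$SAMPLE_LACKS" | check_sshd_for_primer ipv6 || true
```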
Note: If you want the SSH communication between the deployment manager and the target computer to be FIPS-compliant, setting FIPS-only mode on the deployment manager is not enough; you must also verify that the SSH server running on the target is using a FIPS-compliant cryptographic module.
Important! Some modern operating systems do not encourage, and sometimes actively prohibit, the remote installation of software. If you try to deploy software to these systems, you will usually see the deployment fail with a status of No Primer Transport. In such cases, installation of software components may be performed in other ways, for example, installation from physical distribution media such as DVD.
Alternatively, you can pre-install or provision machines with the IDPrimer software. This allows deployment without having to rely on facilities offered by the underlying operating systems. In cases where no authentication has been carried out, valid credentials need to be supplied before deployments are authorized.
To determine whether automatic deployment is possible in your environment, you can perform some simple checks by running the following standard operating system operations:
Copyright © 2012 CA. All rights reserved.