Server Automation version history

SA can now connect to a WSUS server on your network to retrieve Microsoft patches from a central Windows patching repository. This adds an alternative workflow to the standard way of importing Windows patches from HPELN and Microsoft's offline catalog of updates.

For tightly secured environments that cannot access the internet, switch SA to the new WSUS patching mode to pull in Windows updates from a custom WSUS repository in your network.

The new WSUS patching option is available under Patch Administration > Patch settings and it connects SA to a Web service that you deploy on the WSUS machine. The SA-WSUS Web service connection supports both HTTP and HTTPS requests.

Your selected patching mode applies to all the managed servers in the SA mesh. This means that you cannot target only specific servers for WSUS patching and keep others under Offline Catalog patching.

For more information on the WSUS patching mode, see Importing the Windows patch database from WSUS in the SA Use section.

Following operating systems are supported on the SA Client.

• Windows Server 2008 R2
• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows Server 2012
• Windows Server 2012, R2

The new Linux Service OSs provided with SA 10.50 is based on CentOS.

Service OS (SOS) bits are not available for the PPC and IA processor architectures in the current distribution.

In case of an upgrade, the existing RHEL IA and PPC Service OS bits will not be removed. The existing RHEL x86/x64 bits will be renamed, adding 'rpmsave' to the original name. If you want to reuse these bits, restoration can be performed by replacing the linux50/linux60/linux60x64 folder with rhel50rpmsave/rhel60rpmsave/rhel60x64rpmsave, at this path: /opt/opsware/boot/tftpboot/ and /opt/opsware/boot/kickstart/. If you are performing a new installation, there will be no Linux Service OS for these two processor architectures.

SE Linux is supported in Permissive or Enforcing modes for RHEL 6.6. F

The new custom attribute hpsa_preserve_solaris_user_home_path allows you to import users using your user-home path in /home/…. In previous SA versions, the import tool added /export to the path.

To exclude the /export addition to the path, set the custom attribute to managed server.

Using ADT (Agent Deployment Tool) you can select a maximum of 10 PAPXs to be run sequentially after the agent is successfully installed. If one of the APX scripts fails, the system stops at that step, and does not run the remaining APXs, and reports the job as FAILED.

Three PAPXs are included for the following functionality:

• Assign Server to Customer
• Attach Server to Device Group
• Attach Server to Software Policies

• New Run OS Build Plan UI.
• Support for deploying platforms on UEFI with secure boot enabled on HPE ProLiant.
  • New Linux 7 service OS with network and CD boot support for Legacy BIOS, UEFI and UEFI with secure boot.
  • New WinPE4 service OS with network and CD boot support for Legacy BIOS, UEFI and UEFI with secure boot.

• New UAPI to allow the creation of customized pre-unprovisioned servers. See ServerService.create (ServerVO vo, ServerHardwareVO hwVO).

• Content SDK to help customers with the development and deployment of Build Plans. For more details see the documentation under /Opsware/Tools/Content SDK/ContentSDK-<version>.zip.

• ProLiant content upgraded to Insight Control Server Provisioning 7.5.1.
• WinPE 3 and 4 based service OS drivers updated.

• Solaris 10 SPARC
• Solaris 11 SPARC
• Windows 10
• SLES 12
• Ubuntu 14.04
• Novel OES 11

For all platforms, OS Sequences are deprecated in SA 10.50 and later. The migration of any existing OS sequences to OS Build Plans for these platforms is strongly recommended.

Server Automation now offers improved timeout handling for remediation and installation jobs. After a timeout occurs and until the job execution stops, the status of the server is changed to Stopping. While in the Stopping state, the agent does not take on any additional jobs and completes any job that is currently in progress. Moreover, if the timeout occurs during an agent reboot, then after restarting, the agent will not resume the job. After the job execution stops, the server will be marked as Timed Out.

This fixes the discrepancy of the core showing the job as Failed because of a timeout, while the agent is performing the job.

SPARC servers can be provisioned now using OS Build Plans and not just OS Sequences. However, both the methods cannot be used at the same time. The default configuration is the OS Build Plans provisioning mode.

To ease the switch between modes and the dhcpd.conf configuration, use the following script:

/opt/opsware/boot/jumpstart-sparc-ogfs/tools/switch_OSS-OSBP.sh

When run, it will print the current provisioning mode for SPARC servers and request for your confirmation before switching the mode. If you continue, the script will backup the dhcpd.conf file, perform the required changes and restart the dhcpd service.

The SA Web Client is only used for downloading the SA Client launcher. The Web Client can be accessed as before, by navigating to a slice IP address or hostname and it features a completely re-designed home page that contains a Download Server Automation Launcher button, information about SA version and build and a link to the HPE Support site.

The functionalities that were previously available in SA Web Client can be accessed from the SA Client as follows:

• Service Levels can now be found in the SA Client under Administration > System Configuration.
• OS Installation Profiles are now created through a script on an SA Core.

During the interview, an additional step appears asking for "Cryptographic Protocol Selection for the Server Automation Components". The options are (with the option to select each of the protocols listed):

• TLSv1
• TLSv1.1
• TLSv1.2

This is a script that automates and eases the change between TLS protocol versions. It can be called automatically from the patch installer or can be run manually by invoking it from command line as follows:

# /opt/opsware/oi_util/protocol_switch_tool/protocol_switch_tool.sh --backup (to backup the current configuration that can be later restored)

# /opt/opsware/oi_util/protocol_switch_tool/protocol_switch_tool.sh --protocol <TLSvX>

It is recommended to run the script with --help option first.

To use TLS v1.1 or TLS v1.2 protocols, all Cores and satellites must be running an SA version that supports these protocols (SA 10.23 or later).

Mixed protocol environment is not officially supported.

• The satellite media for SA 10.20 currently supports protocol up to TLS v1.0.
• In case of an already hardened infrastructure with TLSv1.1 or TLSv1.2, if a new satellite is required to be added, you must use the newly released SA 10.23 satellite media that supports all protocols (TLS v1.0, TLS v1.1, and TLS v1.2).
• SA 10.23 satellite media can be installed by using the same installation procedure as for SA 10.20.

On hardened infrastructures, the rollback mechanism must be called from SA 10.23 media (or greater).

Modifications have been made to the HPE Server Automation (SA) RHN import tool to support content download from Red Hat content delivery network (CDN) using Red Hat subscription management (RHSM). This allows you to download content for Red Hat Enterprise Linux 7 (RHEL).

The Live Network Connector (LNc) that is installed on the SA core at: /opt/opsware/hpln/lnc/bin is outdated and can no longer be used to download content.

Download the latest version of LNc and install it on the core.

1. From HPELN, download the latest version of the HPE Live Network Connector.

2. Copy the new version to the SA core at /opt/opsware/hpln/lnc and install it:

   #./install

Using ADT (Agent Deployment Tool) you can select a maximum of 10 PAPXs to be run sequentially after the agent is successfully installed. If one of the APX scripts fails, the system stops at that step, does not run the remaining APXs, and reports the job as FAILED.

Three PAPXs are included for the following functionality:

• Assign Server to Customer
• Attach Server to Device Group

• Attach Server to Software Policies

SA now offers a SUSE Manager Importer tool based on the HPSA RedHat Importer. The tool is capable of importing packages and errata from the SUSE Manager 2.1 Server and creating HPSA Software Policies for errata and packages hosted by SUSE Manager.

• Build Plan filtering: You can now associate a platform with an OS Build Plan and use this to improve filtering servers before running the OS Build Plan.
• Improved customer assignment:
  • The Assign Customer step is now part of the OOTB build plans.
  • The UI is improved to be able to assign the server to a customer.

• ProLiant content upgraded to Insight Control Server Provisioning 7.5.0
• WinPE 3 and 4 based service OS drivers updated
• RHEL 6 service OS drivers updated
• RHEL 6 service OSs were upgraded to 6.7

Server Automation now offers improved timeout handling for remediation and installation jobs. After a timeout occurs and until the job execution stops, the status of the server is changed to Stopping. While in the Stopping state, the agent does not take on any additional jobs and completes any job that is currently in progress. Moreover, if the timeout occurs during an agent reboot, then after restarting, the agent will not resume the job. After the job execution stops, the server will be marked as Timed Out.

This fixes the discrepancy of the core showing the job as Failed because of a timeout, while the agent is performing the job.

To designate the new folder, in the Agent Deployment Tool (ADT) Install SA Agent window choose Options > Advanced > Windows installation path field.

Agents installed in the default location can be moved to a different location.

The following prerequisites must be met:

• The SA user needs Allow Install Agent permission
• The SA user needs permissions to run an APX on target servers
• The Windows user used by ADT on the managed server must have the Create symbolic links permission (this permission is granted to Administrators by default)

To move the agent, run the APX Move Agent to Custom Location on the relevant servers. This APX is located in the SA Library in folder /Opsware/Tools/Administrative Extensions.

The agent uninstaller will remove the symbolic links on the system drive and all the agent files, except the target directory structure.

However, for pre-10.2 agents, the uninstaller is unable to remove the symbolic links.

OSBPs can use the custom attribute AgentInstallDir to a custom value for Windows agent installation location. If the custom attribute is not present, the agent will be installed to the default location. This custom attribute is ignored for non-applicable platforms.

Using ADT (Agent Deployment Tool) you can select a maximum of 10 PAPXs to be run sequentially after the agent is successfully installed.

If one of the APX scripts fails, the system will stop at that step and will not run the remaining APXs. In this case the job is reported as FAILED.

Included in this release are three PAPXs for the following functionality:

• Assign Server to Customer
• Attach Server to Device Group
• Attach Server to Software Policies

• Non-C drive agent installation supported in Windows build plans.
• Instead of OS Sequences, use Build Plans for new provisioning jobs.
• OS build plans are now supported for SLES 12.

• New OS build plans for: ESXi 5.1 U3, RHEL 5.11, RHEL 6.6, RHEL 7.1, SLES 12, Windows 8.1 Pro
• New drivers: 2015.03.0

• RHEL 7
• OEL 7
• CentOS 7

This SA version supports the following for the SA Agent:

• Dual Stack(IPv4 and IPv6)
• IPv6-only environments

The following methods of com.opsware.swmgmt.PolicyAttachable now return the software policies ordered by name:

• getPolicyAttachableStates
• getSoftwarePolicyAssociations
• getSoftwarePolicies

The policies naming scheme becomes a basic mechanism to control the order in which software policies are remediated within a job.

As a consequence the following API methods now remediate the software policies ordered alphanumerically:

• com.opsware.swmgmt.PolicyAttachable#startFullRemediateNow
• com.opsware.swmgmt.SoftwarePolicyService#startFullRemediateNow(com.opsware.swmgmt.PolicyAttachableReference)

The following methods have update input parameters:

• com.opsware.osprov.OSBuildPlanService# startOSBuildPlan(OSBuildPlanRef, OSBuildableReference, OSBuildPlanJobParams,String,JobNotification,JobSchedule)
• com.opsware.osprov.OSBuildPlanService# startOSBuildPlan(OSBuildPlanRef, OSBuildableReferenc[],OSBuildPlanJobParams,String,JobNotification,JobSchedule)

The com.opsware.osprov.OSBuildPlanJobParams was updated so OS build plan flow control configuration can be checked/set:

• getInitialFlowControlDirective()
• setInitialFlowControlDirective()
• isFlowControlDisabled()
• setFlowControlDisabled()

The method startCoreRecertSetup takes the argument CoreRecertSetupJobArgument. This object has changed to include the following methods:

• getCustomCertPath. Gets the path of a custom certificate on recert core.
• getKeysize. Gets the keysize to be used to generate SA certificates.
• getSignatureAlgorithm. Get the signature algorithm to be used to generate SA certificates.
• isFipsEnabled. Returns true if fips enablement parameter is set, else false.
• setCustomCertPath. Set the customer certificate path on recert core.
• setFipsEnabled. Sets Fips enablement on or off.
• setKeysize. Sets the keysize to be used to generate SA certificates.
• setSignatureAlgorithm. Sets the algorithm parameter to be used to generate SA certificates.

• A new method com.opsware.server.ServerService#decommission (com.opsware.server.ServerRef, boolean) allows servers of customer Opsware to be decommissioned too.
• The DNS domain of a facility is now public, see:

  • com.opsware.locality.FacilityVO#getDnsSubdomain

  • com.opsware.locality.FacilityVO#setDnsSubdomain

• New fields for the CoreRecertJobArgument: signature algorithm, keysize, fips enablement, and custom certificate path.

• Additional job parameters for start build plans (initialFlowControl and disableFlowControl)

• New APIs to get PatchUnits information for multiple servers.

You can now perform the following audit-related actions for ESXi servers:

• Create audits.
• Create snapshots and snapshots specifications.
• Create and manage audit policies.

Your ESXi servers must be managed by a vCenter that has PowerShell and PowerCLI installed.

• Support for deployments over IPV6.
• Refer to the OS support matrix for details.
• ProLiant content from ICsp 7.4.0 (with support for ProLiant Gen9 SNAP1).
• Provisioning support for RedHat Enterprise Linux 7 and 5.11, Solaris 11.2, Windows 7 and 8.1, ESXi 5.5 U1 and U2, CentOS 7, Oracle Linux 7, Ubuntu 12.04.5
• Build Plan Flow Control:
  • Initial flow control (from UAPI)
  • Restart from last point of failure
  • Checkpoint/Restart
  • Completed the SA Provisioning rewrite

The following types of OS Sequences are deprecated:

• OS Sequences that have build plans.
• OS Sequences that are related to platforms that either are presently designated as 'end-of-life', or will be designated 'end-of-life' soon and no Build Plan support is planned.

Instead of OS Sequences, use Build Plans for new provisioning jobs.

Windows Patch Compliance Export Performance

The Windows “Patch Compliance Export” feature's performance was enhanced. This feature allows you to export compliance information for all Windows patches, and with this release, can scale to a large number of servers more effectively

• Exposure Time

  The new Exposure Time column was added to the installed windows patch view. Exposure Time is calculated with the following formula: Exposure Time (in Days) = [Date When a Patch Was Installed] - [Date When a Patch Was Released By The Vendor] .

• Improved Windows Patch Install Date Reporting

  Starting with this release, SA reports installation dates for all patches, regardless of whether they were installed by SA. If the Windows OS reports that a patch does not have available install dates, the installation date field will be empty.

SLES Patching is now performed using the SLES native package manager Zypper on SLES 11 GA or later, replacing yum.

SA now supports Zypper as the package manager used by remediation jobs on SLES 11 GA or later.

It is now possible to view the package contents for Ubuntu (DEB) packages, similarly to the functionality already available for RPM and ZIP packages.

• Genealogy, which offers complete visibility over the hierarchy of VMs and VM templates that have the same parent.
• IPV6 support:

  • Discovery and use of IPv6 network addresses of the V12N infrastructure, such as virtualization services and hypervisors.

  • Create/edit Solaris zones with IPv6 network address.

  • Leverage OS provisioning with IPv6.

The following operating-systems are supported on the SA Client.

• Windows Server 2003
• Windows Server 2008
• Windows XP
• Windows Vista
• Windows 7
• Windows 8
• Windows Server 2012
• Windows Server 2012, R2

• Ubuntu 12.04 LTS
• ESXi 5.5

• Python 2.7
• Java 7
• Weblogic 11

The Interactive Installation Configurator (iDoc) allows you generate and view (PDF) an SA Core installation procedure document that is confined to only the SA Core configuration and the SA Core Host operating system you have selected. This allows you to view (PDF) or print an installation procedure document that does not contain information intended for SA Core configurations or core host operating systems that are not relevant to the installation you intend to perform.

Simply run SA_10.10_core_install_config.zip in a browser, select your preferred SA Core Layout and core host operating system and select View or Print.

SA complies with the Federal Information Processing Standards publication 140-2, a security standard that enables government entities to procure equipment that uses validated cryptographic modules. During installation you can choose to enable FIPS by setting the fips.mode parameter to enabled.

When FIPS is enabled, you will be restricted to SHA1 as the hash algorithm. You will be prompted during the installation to specify whether FIPS should be enabled or not.

Under normal security conditions, HP recommends using SHA1 with a key length of 2048. Higher security requirements could require FIPS with a key length of 4096 or SHA256.

Note that use of FIPS or SHA256 can impact core performance. Contact your Security Administrator for more information.

SA 10.10 requires that the following ports be open:

8084/8086 - For bandwidth management, if enabled These, and other ports, are configurable at install/upgrade time through installer parameters.

If your SA Core matches one of the SA Core configurations supported for customer upgrade and described in the SA Install section, you can upgrade from a previous SA version to SA 10.0 yourself. However, if your core does not match any of these SA Core configurations, your first SA Core upgrade to SA 10.0 from a previous version must be performed by HP Professional Services or an HP certified consultant.

After the core has been upgraded to SA 10.0, HP supports customer-performed upgrades to SA 10.x or later as long as your core configuration is one of the supported configurations. All other core configurations will continue to require the services of HP Professional Services. If you are uncertain whether you can upgrade an existing SA Core yourself, contact HP Technical Support.

Oracle 12.1.0.1

The SA distributions Media includes preinstalled customized Oracle 12.1.0.1 RDBMS software and the truth database that can be installed during the SA core installation.

You can also use the Oracle Universal Installer to manually install an Oracle 11g or 12c database, however, you will need to perform certain tasks that the HP-supplied database performs automatically on installation.

The following new features have been added to Provisioning for this release:

• Support for Windows Server 2012, Red Hat 6, ESXi5, SLES11
• Update ILO support in MBC to support ILO 2, 3 and 4
• New public ILO UAPI

• Build plan support in MBC SA Client UI updates for:

  • Register ILO device
  • Set static IP configuration
  • Multipath configuration support

• New 64 bit Linux service OS

• Windows PE 64-bit updated to 3.1

• Bare metal PXE boot support (SmartBoot)

• Improved network booting - new pxe_boot_arguments custom attribute

The following new build-plan features have been added:

• New platform support
  • CentOS 5 and 6
  • OEL 5 and 6
  • Ubuntu Server 12.04 LTS
  • Solaris 11 and 10 on X86 hardware

• UEFI support for HP ProLiant hardware:

  • OS Provisioning for RHEL 6.5, SLES 11 SP3, ESXi 5.1

  • OS Provisioning for Windows 2012 R2, 2012, 2008 R2, 2008 x64 SP2

  • iLO UAPI updates

• New Post-Install Network Personalization build plan step (formerly provided by Post-Install Network Configuration APX)

• Updated ProLiant content

• Improved network booting

  • w PXE menu

  • pxe_boot_arguments custom attribute

  • New Hardware Detection Tool

  • New WinPE 4 based maintenance OS

  • Updated RHEL 6.5 based Linux maintenance OS

• Improved history for tracking operations on Build Plans

The following types of OS Sequences are deprecated:

• OS Sequences that have build plans
• OS Sequences that are related to platforms that either are presently designated as 'end-of-life', or will be designated 'end-of-life' soon and no Build Plan support is planned.

Instead of OS Sequences, use Build Plans for new provisioning jobs.

Server Automation (SA) now supports patch management for Ubuntu, enabling you to identify, install, and remove Ubuntu Debian package updates, and maintain a high level of security across managed servers in your organization.

Server Automation (SA) can be used to view and manage Chef Cookbooks and run Chef Recipes. You can upload native Chef Cookbooks to SA, manage them in SA, and run Chef Recipes from SA without having to deploy parallel Chef infrastructure.

Features include:

• Integration with the SA Package Repository (yum based OS-es)
• A new ‘Chef Group’ User Group for seamless extension of the SA security framework
• Multi-tenancy support for Chef Cookbooks
• OOTB mechanism to easily upgrade and configure the used Chef client
• Support for migrating Chef content between meshes (cbt)
• Chef Cookbook management in SA, which enables you to:

  • download Chef Cookbooks from the Chef community and upload them straight into SA

  • view Chef Cookbook properties, metadata and recipes in SA

  • run Chef Recipes on managed servers and device groups

  • customize a Run Chef Recipe job using SA custom attributes

  • view job history and detailed output logs for Run Chef Recipes jobs

In order to improve the performance and scalability of remediation jobs, both the job backend and the UI responsible for displaying the job progress and job results were redesigned. Redundant or verbose data was dropped from the job results, reducing the load on the SA components.

The user experience is now enhanced by having only relevant data displayed to the user, thus making the user interface much more usable, especially for large remediation jobs.

There is a new attribute implemented in mapping.xml:

<Attribute source='Node/Vendor' target-attr='vendor' enable='false'/>

When enabled (TRUE), the data is flowing in UCMDB.

Two non-supported features (Code Deployment and Rollback (CDR), and Configuration Tracking) were removed from the SA Client interface.

CDR was replaced by ADM. Configuration Tracking was replaced by A&R.

SA complies with the Federal Information Processing Standards (FIPS) publication 140-2, a security standard that enables government entities to procure equipment that uses validated cryptographic modules. If FIPS is enabled, you need to upload CA certificates for each virtualization service.

Secure Mode in SA Virtualization is enabled (or True) by default in a new SA 10.10 installation and disabled (or False) on an upgrade to SA 10.1.

See also the deprecated and unsupported sections of these release notes for deprecated and unsupported virtualization components.