Install SA Core with a remote customer-supplied Oracle database

This section describes installing all SA components on the same host with an existing remote non-SA-supplied Oracle database.

You can use the right-hand column to indicate that a phase is completed:

Core installation phases

Phase	Complete
Phase 1: Prepare to install the SA Core
Phase 2: Run the SA installer
Phase 3: Specify Core components Host/Select installation type
Phase 4: Select the interview type and provide SA parameter values
Phase 5: Install the SA components

Phase 1: Prepare to install the SA Core

1. You will need the SA Product Software media and the Agent and Utilities media.
2. The server on which the SA Core Components are to be installed must be running a supported Red Hat Enterprise Linux or SUSE Enterprise Server Linux operating system. See the SA Support and Compatibility Matrix.
3. On the server where you will install the SA, mount the following media: Product Software (primary) and Agent and Utilities (upload) or NFS-mount a directory that contains a copy of the media:

   Open a terminal window and log in as a user with root privileges.

   Change to the root directory:

   cd /

Phase 2: Run the SA installer

On the server on which you plan to install SA and the Oracle database, run the install script:

/<distro>/opsware_installer/hpsa_install.sh

where <distro> is the full path to the Product Software (primary) media.

You see messages displayed on screen as the SA Installer loads the required files.

Logs for the installation are automatically stored. See Installer logs.

Phase 3: Specify Core components Host/Select installation type

1. The following menu appears:

   Specify Hosts to Install
========================

   Currently specified hosts:

   192.168.136.36 (this is the IP address of the host on which the installer is invoked)

   Please select one of the following options:

   1. Add/edit host(s)
2. Delete host(s)

   Enter the option number or one of the following directives:
(<c>ontinue, <p>revious, <h>elp, <q>uit)

   Since this sample installation uses the host, the installer is invoked for all Core Components. Type c and press Enter to continue. You can invoke the installation from a remote machine by selecting 2 to delete the localhost IP address followed by 1 to add the remote host IP address.

   When you are satisfied with the entries, press C to continue.

   At this point, the SA Installer attempts to set up NFS mounts to the installation media and prepare the server for installation.

2. The following menu appears:

   Install Type
============

   1. Typical Primary Core
2. Custom Primary Core
3. Typical Secondary Core
4. Custom Secondary Core

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 1 (Typical Primary Core) and Enter to continue.

3. The following menu appears:

   Oracle Installation
===================

   1. Install Oracle with SA
2. Use Existing Oracle Database

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 2 (Use Existing Oracle Database) and press Enter to continue.

4. Select the TLS version.
   Cryptographic Protocol Selection for the Server Automation Components
[WARNING] Please make sure that all the cores and satellites from the mesh are at the same TLS level. ========================================================================
1. TLSv1
2. TLSv1.1
3. TLSv1.2

Enter the option number or one of the following directives
(<p>revious, <h>elp, <q>uit)[2]:
   Select 2 (TLSv1.1) and press Enter to continue.

5. Select a certificate mode to use in SA and press Enter to continue.

   Select which certificate mode SA will run in.

   =============================================

   1. self-signed

   2. 3rd party

   Enter the option number or one of the following directives

   (<p>revious, <h>elp, <q>uit)[1]:

   In third-party certificate mode, make sure that all the SA Core and Satellite hosts define the hostnames of all Core or Satellite hosts at the beginning of their /etc/hosts file. Otherwise, the SA installation will fail.
   Listing these hostnames in the /etc/hosts file enables SA to generate correct certificate signing requests (CSRs) for the SA hosts.
   
   Example: to install an SA mesh with the following topology,
   16.77.42.65 (oracle_sas, truth_mm_overlay)
16.77.41.24 (infrastructure, word_uploads)
16.77.43.252 (slice, osprov)
16.77.45.21 (satellite)
   add the following lines at the beginning of the /etc/hosts file for 16.77.42.65, 16.77.41.24 and 16.77.43.252:
   16.77.42.65 hostname1.example.com hostname1
16.77.41.24 hostname2.example.com hostname2
16.77.43.252 hostname3.example.com hostname3
   The 16.77.45.21 (satellite) server does not need to be listed here because this server is part of the mesh and not part of the Core.

Phase 4: Select the interview type and provide SA parameter values

1. The following menu appears:

   Interview Type
==============

   1. Simple Interview
2. Advanced Interview
3. Expert Interview

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 1 (Simple Interview) and Enter to continue.

2. You are prompted to supply values for the following SA parameters:

   • truth.oaPwd: an SA administrator password (the default username is admin). The password you specify here will be used as the default password for all SA features that require a password until you explicitly change the defaults.

   • fips.mode: This parameter specifies whether to enable FIPS mode for this SA installation.

   • crypto.hash_algorithm: The hashing algorithm [SHA1, SHA224, SHA256, SHA384, SHA512] for SA cryptographic module.
   • crypto.key_length: the key length [2048 or 4096] used for hashing algorithm of SA cryptographic module.
   • crypto.legacyCertificateValidity: the validity period of the temporary self-signed SA Agent certificate. This parameter is displayed only if you have chosen the third-party certification mode and you will use your own CA to sign the certificates. For more information, see Cryptographic material options.

   • bootagent.host: the host on which to install the OS Provisioning Boot Server component.

   • decrypt_passwd: A password for the SA cryptographic material.
   • truth.dcNm: A name for your SA facility.
   • windows_util_loc: The location for the Microsoft Patching utilities.
   • db.host: the IP address of the remote database server.
   • db.sid: the SID of the Oracle instance containing the Model Repository
   • db.port: the port on which the database is listening
   • word.store.host: The IP address of the NFS server for the Software Repository.
   • word.store.path: The absolute path on the NFS server for Software Repository
     (/var/opt/opsware/word)

   For more information about these parameters, see the SA Core parameter reference.

   You see these prompts (the prompts display one at a time); after you provide a value and press enter, and if the value is acceptable, the next prompt displays:

   Interview Parameters
====================

   Navigation Keys:
Use <Ctrl>P to go to the previous parameter.
Use <Ctrl>N to go to the next parameter.
Use >Tab> to view help on the current parameter.
Use <Ctrl>C to interrupt the interview.

   Parameter 1 of 16: (truth.oaPwd)
Please enter the password for the opsware_admin user. This is the password used to connect to the Oracle database. If you are installing Oracle with SA the opsware_admin user will be created with this password. Make sure the password complexity matches the security guidelines in your organization.: []

   The password you specify here will be used as the default password for all SA features that require a password until you explicitly change the defaults.

   Parameter 2 of 16: (fips.mode)
   Do you want SA to be in FIPS mode? (y/n) [n]: n

   Parameter 3 of 16: (crypto.hash_algorithm)
   Please enter the hashing algorithm for SA cryptographic module. Press TAB for a list of possible values. [SHA256]:

   Parameter 4 of 16: (crypto.key_length)
   Please enter the key length [2048 or 4096] used for hashing algorithm of SA cryptographic module. [2048]: 

    

   Parameter 5 of 16: (crypto.legacyCertificateValidity)

   Please enter the number of days for which a Legacy Certificate will be valid. [1]:

   • The crypto.legacyCertificateValidity parameter is displayed only if you have chosen the third-party certification mode to use an external Certificate Authority for signing the SA certificates. For information on the SA certification modes, see Cryptographic material options.
   • Change the current default value of one day to a more relevant period of time.

   Parameter 6 of 16: (decrypt_passwd)
   Please enter the password for the cryptographic material.: []

    

   Parameter 7 of 16: (truth.dcNm)
Please enter the short name of the facility where the Opsware Installer is being run (no spaces).: []

   Parameter 8 of 16: (windows_util_loc)
Please enter the directory path containing the Microsoft patching utilities. Press Ctrl-I for a list of required files or enter “none” if you do not wish to upload the utilities at this time (none).: []

   These utilities are required if you plan to use SA to install Windows operating system patches/hotfixes and/or to manage Windows-based servers with SA. If you do not intend to use SA for these tasks, you can bypass the upload of these files by entering “none”. However, if in future you decide to use SA for Windows patching or to manage Windows servers, you will be required to install these files from the SA Client. For information about uploading these files from the SA Client, see the "Server Patching" in the SA 10.60Use section.

   Parameter 9 of 16: (db.host)
Please enter the IP address of the database host: []

   Parameter 10 of 16: (truth.servicename)
   Please enter the service name of the Model Repository instance in the facility where Opsware Installer is being run [truth.rose2]: 

   Parameter 11 of 16: (db.sid)
   Please enter the SID of the Oracle instance containing the Model Repository [truth]:

   Parameter 12 of 16: (db.port)
   Please enter the port on which the database is listening. [1521]:

   Parameter 13 of 16: (db.orahome)
   Please enter the path of the ORACLE_HOME directory of your Model Repository (truth) server. [/u01/app/oracle/product/12.1.0.2/db_2]:
   

   Parameter 14 of 16: (word.store.host)
   Please enter the IP address of the NFS server for the Software Repository. For satellite installs, please enter the IP address of the Software Repository Cache. [192.168.136.39]: 

   Parameter 15 of 16: (word.store.path)
   Please enter the absolute path on the NFS server for Software Repository 
   [/var/opt/opsware/word]: 

   Parameter 16 of 16: (bootagent.host)
   Please enter the OS Provisioning Boot Server ip or hostname [192.168.136.49]:
   

   You are asked to re-enter any required passwords for confirmation.

   When you have supplied values for all parameters, the following message displays:

   All parameters have values.  Do you wish to finish the interview? (y/n):

   Enter y and press Enter to continue. If you enter n, you are presented with each parameter again with the value you entered as the default. You can then change the value or accept the default. If you need to exit the installation, press Ctrl-C.

3. You can now install the SA Components.

Phase 5: Install the SA components

1. The following screen appears:

   Install Components
==============
Model Repository, First Core
Core Infrastructure Components
Slice
OS Provisioning Components
Software Repository - Content (install once per mesh)

   Enter the option number or one of the following directives:
(<c>ontinue, <p>revious, <h>elp, <q>uit)

   Enter c and press Enter to begin the prerequisite checks.

2. If the prerequisite check completes successfully, you may still see some messages similar to the following:

   Prerequisite Checks
==============

   Results for <IP_address>:

          WARNING Insufficient swap space (18 GBytes).
                24 Gbytes is the recommended for Oracle.

           WARNING File system ‘/’ has 29447 MBytes available and 154050 is
                recommended.

           WARNING Nothing listening at db.host:db.port (ip_address).
                Note: Can be ignored if core install will be performed
                using hpsa_install script.

   Enter the option number or one of the following directives:
(<c>ontinue, <p>revious, <h>elp, <q>uit)

   The Prerequisite check identifies WARNINGs and/or FAILUREs. FAILUREs can cause a failed or incomplete installation and must be resolved before continuing the installation. WARNINGs allow you to continue the installation, however, core performance may be negatively affected if you continue without resolving them.

   If your server passes the prerequisite check, enter c and press Enter to begin the installation.

   You see many messages displayed as the installation progresses, unless the installation fails, these messages are purely informational. The installation can take several hours based on the performance of your server. When the installation completes, you the Core Description File (CDF) is automatically saved.
   

3. In third-party certificate mode, SA installs the OCT (Opsware Cert Tool) component on the Model Repository server before the Core installation begins. The OCT component will generate the Certificate Signing Requests (CSRs) for the certificates required for the current installation configuration. After OCT install, follow the following two additional steps before the SA installation begins:
   

   1. Configure the /etc/opt/opsware/crypto/csr.conf file with the attributes of the Subject field and the Subject Alternative Name extension of the SA certificates.

      The csr.conf file enables you to configure your CSRs. If you choose not to configure this file, the default values will be used.

      Do not change the subject@CN entry as SA will not work with any other value for the CN attribute.

      Certificate Signing Request (CSR) configuration

      ===============================================

      Please review and edit the CSR configuration in /etc/opt/opsware/crypto/csr.conf on the server that hosts the Model Repository component [192.168.92.8]. This file defines the attributes of the Subject field and the Subject Alternative Name extension of the SA certificates.

      You can continue with the install process once this file contains the right settings for your organization. SA will use the attributes defined in this file to generate the Subject field of the CSRs that will have to be signed by your CA.

      Enter one of the following directives

      (<c>ontinue, <p>revious, <h>elp, <q>uit):

   2. Enter the location where you want the OCT component to generate the *.csr files.

      Select path where to generate CSRs

      =============================

      Specify the path on the Model Repository server where SA will generate the CSR files

      [/var/tmp/csrFiles]:

      CSRs were generated in the /var/tmp/csrFiles directory on the server that hosts the Model Repository component [192.168.136.39].

      Please have them signed by your CA. You can resume the install process after all CSRs are signed.

      Make sure you copy all certificates in the same directory on the core's Model Repository server.

      You will be prompted for the path to this directory in the next step of the install process.

      Submit these files to your CA for signing and place the issued certificates in a folder of your choice.
      After generating the cryptographic material, SA places the CSRs created for that instance in a subfolder named by date. For example: csr_2017-05-02.08:21:05 csr_2017-05-02.08:22:10. Any new CSRs are placed in the dedicated folder that you provide during the installer interview.
      When providing the third-party certificates, make sure to follow the certificate format and naming requirements described in the SA certificates format.
      

   3. Provide the location where you have placed the custom certificates signed by your CA. The installer checks that the path is correct and that all required certificates are available.
      Enter the path to the directory containing the custom certificates.
===================================================================

      Path to the directory containing the certificates. [/var/tmp/certificateFiles]:
      SA now generates a new cryptographic material containing your signed certificates. The cryptographic material is then copied it on all hosts in the mesh.

Post-installation tasks

You must now complete the tasks described in SA Core post-installation tasks.