Installing SA Core with a remote customer-supplied database and additional slice component bundles

This section describes installing all SA components on one host with an existing remote customer-supplied Oracle database that you have installed yourself and additional Slice Component bundle instances. You can use the right-hand column to indicate that a phase is completed:

Core installation phases

Phase	Complete
Phase 1: Preparing to install SA Core
Phase 2: Running the SA installer
Phase 3: Specifying the Core component hosts
Phase 4: Selecting the installation type
Phase 5: Selecting the interview type and provide SA parameter values
Phase 6: Installing the SA components and the Oracle Database

Phase 1: Preparing to install SA Core

1. You will need the SA Product Software media and the Agent and Utilities media.
2. The servers on which the SA Core Components are to be installed must be running a supported Red Hat Enterprise Linux or SUSE Enterprise Server Linux operating system.
3. On the server where you will install the SA Core, mount the following media: Product Software (primary) and the Agent and Utilities media, or NFS-mount a directory that contains a copy of the media:
   1. Open a terminal window and log in as a user with root privileges.
   2. Change to the root directory:

      cd /

Phase 2: Running the SA installer

On a server on which you plan to install SA components, run the install script:

/<distro>/opsware_installer/hpsa_install.sh

where <distro> is the full path to the Product Software (primary) media.

You see messages displayed on screen as the SA Installer loads the required files. Logs for the installation are automatically stored. See Installer logs.

Phase 3: Specifying the Core component hosts

For this example installation, we’ll use four hosts for the core component installation. You will, of course, modify this for your particular system requirements. Components will be installed as follows:

Core component layout

Server	Core Component to be Installed
192.168.136.39	Model Repository
192.168.136.39	Multimaster Infrastructure Components
192.168.136.39	Software Repository Storage and Content
192.168.136.40, 192.168.136.41, 192.168.136.42	Slice
192.168.136.39	SA Provisioning Media Server
192.168.136.39	SA Provisioning Boot Server, Slice version

1. The following screen appears:

   Specify Hosts to Install
========================

   192.168.136.39 (this is the IP address of the host on which the installer is invoked)

   Please select one of the following options:

   1. Add/edit host(s)
2. Delete host(s)

   Enter the option number or one of the following directives
(<c>ontinue, <p>revious, <h>elp, <q>uit): 1

   Enter number of hosts to add:

2. You are asked to specify the number of hosts that will be involved in the installation:

   Enter number of hosts to add:

   Enter the appropriate number. For this example, we add three hosts in addition to the default host:

   Enter number of hosts to add: 3

3. The following screen appears:

   Adding Hosts
   ============

   Parameter 1 of 3
   Hostname/IP []:

   Enter the hostname or IP address of the first server that will host an SA Core Component(s) and press Enter.

   Do the same for all remaining servers. You see this message:

   All values are entered.  Do you wish to continue? (Y/N) [Y]:

   Enter Y to continue.

   For this example, we add the hosts:

   192.168.136.40

   192.168.136.41

   192.168.136.42

4. A screen similar to the following appears:

   Specify Hosts to Install
========================

   Currently specified hosts:

        192.168.136.39
        192.168.136.40
        192.168.136.41
        192.168.136.42

   Please select one of the following options:

   1. Add/edit host(s)
2. Delete host(s)

   Enter the option number or one of the following directives
(<c>ontinue, <p>revious, <h>elp, <q>uit):

5. You are asked to provide the OS credentials for each remote host in the list shown in Step 4:

   Host Passwords
==============

   Parameter 1 of 6

   192.168.136.40 user [root]:

   Parameter 2 of 6

   192.168.136.40 password []:*****

   You are prompted for the credentials for each specified host. After you provide all required credentials, you see the message:

   All values are entered. Do you wish to continue? (Y/N) [Y]:

   Enter Y to continue.

   After you provide all required credentials, the SA Installer attempts to set up NFS mounts to the installation media and prepares each specified server for the installation.

Phase 4: Selecting the installation type

1. After the SA Installation media is mounted for all servers, the following menu appears:

   Install Type
============

   1. Typical Primary Core
2. Custom Primary Core
3. Typical Secondary Core
4. Custom Secondary Core

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 1 (Typical Primary Core) and Enter to continue.

2. The following menu appears:

   Oracle Installation
===================

   1. Install Oracle with SA
2. Use Existing Oracle Database

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 2 (Use Existing Oracle Database) and Enter to continue.

3. The following is displayed:

   Host/Component Layout
=====================

   1. Model Repository, First Core
2. Infrastructure and Software Repository Content
3. Slice
4. OS Provisioning Components

   Enter the number of the component or one of the following directives
(<c>ontinue, <p>revious, <h>elp, <q>uit):

   Note that no host (IP address) is associated with the components.

4. You now must associate the core components with the servers (IP addresses) they are to be installed on. To do so, you enter the component’s number at the prompt. For example, enter 1 to add the host for the Oracle database and the Model Repository, enter 2 for the Multimaster Infrastructure Components, and so on.
5. Screens similar to the following display as you assign component hosts:

   Host Assignment for Model Repository, First Core
===========================================================

   1. 192.168.136.39
2. 192.168.136.40
3. 192.168.136.41
4. 192.168.136.42

   Enter the number of the host or one of the following directives
(<c>ontinue, <p>revious, <h>elp, <q>uit): 1

   Enter 1 to select 192.168.136.39 for the Model Repository. You are returned to the Host Component Layout screen and can select the next component and assign its host. Do the same for all remaining components.

   When you have assigned hosts for all components, you see a screen similar to this:

   Install Components

   =====================

   1. Model Repository, First Core                 :192.168.136.39

   2. Multimaster Infrastructure Components:       :192.168.136.39

   3. Software Repository Storage and Content      :192.168.136.39

   4. Slice                                        :192.168.136.40,

                                                    192.168.136.41,

                                                    192.168.136.42

   5. OS Provisioning Media Server:                :192.168.136.39

   6. OS Provisioning Boot Server, Slice version:  :192.168.136.39

    

   Enter the number of the component or one of the following directives

   (<c>ontinue, <p>revious, <h>elp, <q>uit): c

   The Slice Component bundle (option 4) has multiple host IP addresses listed as the Slice components can have multiple instances to improve performance.

   Enter c and press Enter to continue.

6. Select the TLS version.
   Cryptographic Protocol Selection for the Server Automation Components
[WARNING] Please make sure that all the cores and satellites from the mesh are at the same TLS level. ========================================================================
1. TLSv1
2. TLSv1.1
3. TLSv1.2

Enter the option number or one of the following directives
(<p>revious, <h>elp, <q>uit)[2]:
   Select 2 (TLSv1.1) and press Enter to continue.

7. Select a certificate mode to use in SA and press Enter to continue.

   Select which certificate mode SA will run in.

   =============================================

   1. self-signed

   2. 3rd party

   Enter the option number or one of the following directives

   (<p>revious, <h>elp, <q>uit)[1]:

   In third-party certificate mode, make sure that all the SA Core and Satellite hosts define the hostnames of all Core or Satellite hosts at the beginning of their /etc/hosts file. Otherwise, the SA installation will fail.
   Listing these hostnames in the /etc/hosts file enables SA to generate correct certificate signing requests (CSRs) for the SA hosts.
   
   Example: to install an SA mesh with the following topology,
   16.77.42.65 (oracle_sas, truth_mm_overlay)
16.77.41.24 (infrastructure, word_uploads)
16.77.43.252 (slice, osprov)
16.77.45.21 (satellite)
   add the following lines at the beginning of the /etc/hosts file for 16.77.42.65, 16.77.41.24 and 16.77.43.252:
   16.77.42.65 hostname1.example.com hostname1
16.77.41.24 hostname2.example.com hostname2
16.77.43.252 hostname3.example.com hostname3
   The 16.77.45.21 (satellite) server does not need to be listed here because this server is part of the mesh and not part of the Core.

Phase 5: Selecting the interview type and provide SA parameter values

1. The following menu appears:

   Interview Type
==============

   1. Simple Interview
2. Advanced Interview
3. Expert Interview

   Enter the option number or one of the following directives:
(<p>revious, <h>elp, <q>uit)

   Enter 1 (Simple Interview) and Enter to continue.

2. You are prompted to supply values for the following SA parameters:

   • truth.oaPwd: an SA administrator password (the default username is admin). The password you specify here will be used as the default password for all SA features that require a password until you explicitly change the defaults.

   • fips.mode: This parameter specifies whether to enable FIPS mode for this SA installation.

   • crypto.hash_algorithm: The hashing algorithm [SHA1, SHA224, SHA256, SHA384, SHA512] for SA cryptographic module.
   • crypto.key_length: the key length [2048 or 4096] used for hashing algorithm of SA cryptographic module.

   • crypto.legacyCertificateValidity: the validity period of the temporary self-signed SA Agent certificate. This parameter is displayed only if you have chosen the third-party certification mode and you will use your own CA to sign the certificates. For more information, see Cryptographic material options.

   • bootagent.host: the host on which to install the OS Provisioning Boot Server component.
   • decrypt_passwd: A password for the SA cryptographic material. You will see this prompt only if you are using your own crypto file and not allowing SA to automatically generate the crypto file.
   • truth.dcNm: A name for your SA facility.
   • windows_util_loc: The location for the Microsoft Patching utilities.
   • word.store.host: The IP address of the NFS server for the Software Repository.
   • word.store.path: The absolute path on the NFS server for Software Repository
     (/var/opt/opsware/word)
   • db.host: the IP address of the database server.
   • db.sid: the SID of the Oracle instance containing the Model Repository
   • db.port: the port on which the database is listening

   For more information about these parameters, see the SA Core parameter reference.

   You see these prompts (the prompts display one at a time; after you provide a value and press enter you see a message, Validating..., and if the value is acceptable, the next prompt displays:

   Interview Parameters
====================

   Navigation Keys:
Use <Ctrl>P to go to the previous parameter.
Use <Ctrl>N to go to the next parameter.
Use >Tab> to view help on the current parameter.
Use <Ctrl>C to interrupt the interview.

   Parameter 1 of 16: (truth.oaPwd)
Please enter the password for the opsware_admin user. This is the password used to connect to the Oracle database. If you are installing Oracle with SA the opsware_admin user will be created with this password. Make sure the password complexity matches the security guidelines in your organization.: []

   The password you specify here will be used as the default password for all SA features that require a password until you explicitly change the defaults.

   Parameter 2 of 16: (fips.mode)
Do you want SA to be in FIPS mode? (y/n) [n]: n

   Parameter 3 of 16: (crypto.hash_algorithm)
Please enter the hashing algorithm for SA cryptographic module. Press TAB for a list of possible values. [SHA1]:

   Parameter 4 of 16: (crypto.key_length)
Please enter the key length [2048 or 4096] used for hashing algorithm of SA cryptographic module. [2048]:

   Parameter 5 of 16 (crypto.legacyCertificateValidity)

   Please enter the number of days for which a Legacy Certificate will be valid. [1]:
   

   • The crypto.legacyCertificateValidity parameter is displayed only if you have chosen the third-party certification mode to use an external Certificate Authority for signing the SA certificates. For information on the SA certification modes, see Cryptographic material options.
   • Change the current default value of one day to a more relevant period of time.

   Parameter 6 of 16: (decrypt_passwd)
Please enter the password for the cryptographic material.: []

   You will see this prompt only if you are using your own crypto file and not allowing SA to automatically generate the crypto file.

   Parameter 7 of 16: (truth.dcNm)
Please enter the short name of the facility where the Opsware Installer is being run (no spaces).: []

   Parameter 8 of 16: (windows_util_loc)
Please enter the directory path containing the Microsoft patching utilities. Press Ctrl-I for a list of required files or enter “none” if you do not wish to upload the utilities at this time (none).: []

   • These utilities are required if you plan to use SA to install Windows operating system patches/hotfixes and/or to manage Windows-based servers with SA. If you do not intend to use SA for these tasks, you can bypass the upload of these files by entering “none”. However, if in future you decide to use SA for Windows patching or to manage Windows servers, you will be required to install these files from the SA Client. For information about uploading these files from the SA Client, see the " Server Patching" in the SA 10.60Use section.
   • Uploading the Microsoft patching utilities is optional, however, if you expect to have Windows-based managed servers, you should follow the instructions for obtaining these files as described in System requirements for installation .

   Parameter 9 of 16: (db.host)
Please enter the IP address of the database server: []

   Parameter 10 of 16: (truth.servicename)
Please enter the service name of the Model Repository instance in the facility where Opsware Installer is being run [truth.rose2]:

   Parameter 11 of 16:(db.sid)
Please enter the SID of the Oracle instance containing the Model Repository [truth]:

   Parameter 12 of 16: (db.port)
Please enter the port on which the database is listening. [1521]:

   Parameter 13 of 16: (db.orahome)
Please enter the path of the ORACLE_HOME directory of your Model Repository (truth) server. [/u01/app/oracle/product/12.1.0/db_1]: /u01/app/oracle/product/12.1.0/client_1/

   Parameter 14 of 16: (word.store.host)
Please enter the IP address of the NFS server for the Software Repository. For satellite installs, please enter the IP address of the Software Repository Cache. [192.168.136.39]:

   Parameter 15 of 16: (word.store.path)
Please enter the absolute path on the NFS server for Software Repository [/var/opt/opsware/word]:

   Parameter 16 of 16: (bootagent.host)
Please enter the OS Provisioning Boot Server ip or hostname [192.168.136.39]:

   You are asked to re-enter any required passwords for confirmation.

   When you have supplied values for all parameters, the following message displays:

   All parameters have values. Do you wish to finish the interview? (y/n):

   Enter y and press Enter to continue. If you enter n, you are presented with each parameter again with the value you entered as the default. You can then change the value or accept the default. If you need to exit the installation, press Ctrl-C.

3. You are now ready to begin the SA Component installation.

Phase 6: Installing the SA components and the Oracle Database

1. A screen similar to the following appears:

   Install components

   ==================

   Model Repository, First Core : 192.168.136.39
Multimaster Infrastructure Components : 192.168.136.39
Software Repository Storage : 192.168.136.39
Slice : 192.168.136.40, 192.168.136.41, 192.168.136.42
OS Provisioning Media Server : 192.168.136.39
OS Provisioning Boot Server, Slice version : 192.168.136.39
Software Repository - Content (install once per mesh): 192.168.136.39

   Enter one of the following directives
(<c>ontinue, <p>revious, <h>elp, <q>uit): c

   Enter c and press Enter to begin the prerequisite checks.

   If the server that will host your Slice Component bundle has more than one network interface installed, SA will detect the presence of two NICs and display a screen similar to the following:
   
   Slice Network Interface Configuration
=====================================

Parameter 1 of 2 (Slice: 192.168.136.38)

Please select the interface to use for 192.168.136.38

1) eth2 -- 192.168.136.55
2) eth1 -- 192.168.136.77
3) eth0 -- 192.168.136.38 (default)
[3]:

Parameter 2 of 2 (Slice: 192.168.136.41)

Please select the interface to use for 192.168.136.41

1) eth0 -- 192.168.136.41 (default)
2) eth2 -- 192.168.136.54
3) eth1 -- 192.168.136.76
[1]:

   Select the appropriate network interface for each host by entering the associated number from the list.
   
   When you have configured all interfaces, you see the message:
   
   All values are entered. Do you wish to continue? (Y/N) [Y]:

   Enter y and press Enter to continue. You can edit the list again by pressing n and Enter.
2. The prerequisite check begins.

3. If the prerequisite check completes successfully, you may still see some messages similar to the following:

   Prerequisite Checks
==============

   Results for <IP_address>:

          WARNING Insufficient swap space (18 GBytes).
                24 Gbytes is the recommended for Oracle.

           WARNING File system ‘/’ has 29447 MBytes available and 154050 is
                recommended.

           WARNING Nothing listening at db.host:db.port (ip_address).
                Note: Can be ignored if core install will be performed
                using hpsa_install script.

   Enter the option number or one of the following directives:
(<c>ontinue, <p>revious, <h>elp, <q>uit)

   The Prerequisite check identifies WARNINGs and/or FAILUREs. FAILUREs can cause a failed or incomplete installation and must be resolved before continuing the installation. WARNINGs allow you to continue the installation, however, core performance may be negatively affected if you continue without resolving them.

   If your server passes the prerequisite check, enter c and press Enter to begin the installation.

4. You see many messages displayed as the installation progresses, unless the installation fails, these messages are purely informational. The installation can take several hours based on the performance of your server. When the installation completes, you the Core Description File (CDF) is automatically saved.

5. In third-party certificate mode, SA installs the OCT (Opsware Cert Tool) component on the Model Repository server before the Core installation begins. The OCT component will generate the Certificate Signing Requests (CSRs) for the certificates required for the current installation configuration. After OCT install, follow the following two additional steps before the SA installation begins:
   

   1. Configure the /etc/opt/opsware/crypto/csr.conf file with the attributes of the Subject field and the Subject Alternative Name extension of the SA certificates.

      The csr.conf file enables you to configure your CSRs. If you choose not to configure this file, the default values will be used.

      Do not change the subject@CN entry as SA will not work with any other value for the CN attribute.

      Certificate Signing Request (CSR) configuration

      ===============================================

      Please review and edit the CSR configuration in /etc/opt/opsware/crypto/csr.conf on the server that hosts the Model Repository component [192.168.92.8]. This file defines the attributes of the Subject field and the Subject Alternative Name extension of the SA certificates.

      You can continue with the install process once this file contains the right settings for your organization. SA will use the attributes defined in this file to generate the Subject field of the CSRs that will have to be signed by your CA.

      Enter one of the following directives

      (<c>ontinue, <p>revious, <h>elp, <q>uit):

   2. Enter the location where you want the OCT component to generate the *.csr files.

      Select path where to generate CSRs

      =============================

      Specify the path on the Model Repository server where SA will generate the CSR files

      [/var/tmp/csrFiles]:

      CSRs were generated in the /var/tmp/csrFiles directory on the server that hosts the Model Repository component [192.168.136.39].

      Please have them signed by your CA. You can resume the install process after all CSRs are signed.

      Make sure you copy all certificates in the same directory on the core's Model Repository server.

      You will be prompted for the path to this directory in the next step of the install process.

      Submit these files to your CA for signing and place the issued certificates in a folder of your choice.
      After generating the cryptographic material, SA places the CSRs created for that instance in a subfolder named by date. For example: csr_2017-05-02.08:21:05 csr_2017-05-02.08:22:10. Any new CSRs are placed in the dedicated folder that you provide during the installer interview.
      When providing the third-party certificates, make sure to follow the certificate format and naming requirements described in the SA certificates format.
      

   3. Provide the location where you have placed the custom certificates signed by your CA. The installer checks that the path is correct and that all required certificates are available.
      Enter the path to the directory containing the custom certificates.
===================================================================

      Path to the directory containing the certificates. [/var/tmp/certificateFiles]:
      SA now generates a new cryptographic material containing your signed certificates. The cryptographic material is then copied it on all hosts in the mesh.

Post-installation tasks

You must now complete the tasks described in SA Core post-installation tasks.