
TIM 9.6 - the changes

By Jörg Mertin posted 07-23-2014 11:18 AM

  

Introduction

The Transaction Impact Monitor (TIM) 9.6 ships with a major change in its distribution format: it has moved from a soft appliance to a software-only format. This means that the customer is from now on responsible for the underlying OS the TIM runs on. It also means that the customer can decide which hardware the TIM runs on.

 

Licensing implications

The main implication is that the customer will now have to own a RedHat license if he wants to continue using RedHat as the operating system for the TIM probe. Under RedHat, this also enables the regular security updates provided by RedHat through the subscription network.
The alternative is to switch to the cost-free CentOS of the same release number.

 

 

Gotchas and good to know

 

Some collected notes on the TIM 9.6 release

  • TIM is shipped as an executable installer with RPM and has to be installed through the command line.
  • The TIM System Health page and Machine Settings options are not available with the TIM installation.
  • The OS will not be shipped or maintained from 9.6 onward. It is the customer’s responsibility to maintain the OS and patch it when needed.
  • The customer will have to configure and harden the system. Note that if SELinux is used, the TIM has to be installed while SELinux is activated!
  • This gives customers the flexibility to deploy on the Linux OS versions that align with their security policies and needs.
  • There are no more web pages for OS maintenance, firewall etc., and no more web-based installer (except MTP).
  • TESS does not force-sync the TIM time. This means that the OS of the TIM probe and the OS of the EM/TESS need to be synced to the same time/NTP server!
  • A Python script, TIM-assist, is provided to help the WebUI perform tasks that may require root privileges. There is a helper file with details on using it.
  • All the old FieldPacks (made by me, like apm-scripts, apm-sizing etc.) won't work with the 9.6 release as the directory structure has changed. These will need to be updated! In case you require an old FieldPack to be ported, please contact the author to adapt it.
  • nCipher is included in APM 9.6. However, it will no longer be updated to later versions of the nCipher software.

 

Note: CA Technologies is researching support for 3G Napatech Drivers that would be made available in a future release.

Upgrade capability

 

On the other hand, an (easy) upgrade is no longer possible. The RedHat 5.x TIM for APM 9.5.x or lower had the “third-party” image installed, which replaced some software and upgraded some old packages through the different service pack images.


The third-party image also removed the openssl, httpd and openssh RPM packages (without respecting the requirements/dependency links) and replaced them with self-compiled (and security-fixed) binaries from "official" sources.


You cannot remove the third-party image without breaking the system's http/openssl and remote access through openssh. So updating would be very hard, keeping the system's security up to date in the future would be impossible (unless the original state is restored), and it would take far more time than installing the TIM from scratch.


TIM 9.6 requires a fresh install. However you can:

  • move over custom components such as HTTP Plugins, Evidence collection (adapt the new location path), configuration file settings, etc. to the 9.6 TIM
  • take a backup of the old /etc/wily/cem/tim/config directory and the network configuration of the TIM 9.x (x<6)
  • remove the TIM from the APM/TESS monitors section
  • install a fresh RedHat/CentOS as per the compatibility list on the old hardware
  • install the required dependencies as per the table below
  • configure the network
  • register to a RedHat/CentOS update repository, apply all security updates, harden the system
  • decide if you want to have SELinux activated or not and apply this choice before installing the TIM 9.6 software
  • install TIM 9.6 and replicate/restore the “extra” configuration you had on the TIM


NOTE for CA employees/field staff: I have added support for TIM 9.6 to the Kickstart images (available on the zero2hero.ca.com server in the third-party section) from RedHat 5.8 to 5.10 and 6.1 to 6.5 (I skipped 6.0 as it is way too buggy for a stable running system). Installation of the new OS plus hardening takes roughly 3 minutes on a virtual machine; on hardware, add the time it takes to format the 150GB disk partitions (+10 to 15 minutes).

OS Compatibility and Package requirements

 

Officially Supported Platforms (x86/x64 platforms). 

TIM 9.6.0.0

RH/CentOS 5.x (including MTP)

  • mod_ssl
  • compat-libstdc++-33
  • pexpect
  • unzip
  • httpd
  • nspr
  • libpcap
  • pstack
  • mod_python
  • java-1.6.0-openjdk

RH/CentOS 6.x

  • mod_ssl
  • compat-libstdc++-33
  • pexpect
  • unzip
  • httpd
  • nspr
  • libpcap
  • gdb
  • mod_wsgi
  • java-1.7.0-openjdk
  • policycoreutils-python
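
A pre-install check built from the package lists above, added here as an example (it is not part of the TIM distribution or the original post). The function names are hypothetical; it assumes an RPM-based host with /etc/redhat-release and reports the SELinux mode so that choice can be confirmed before the installer runs.

```bash
#!/bin/bash
# Added example: pre-install dependency check for a TIM 9.6 host.
# Package lists are copied from the table above; function names are hypothetical.

# Print the required package names for a RH/CentOS major release (5 or 6).
required_packages() {
    common="mod_ssl compat-libstdc++-33 pexpect unzip httpd nspr libpcap"
    case "$1" in
        5) echo "$common pstack mod_python java-1.6.0-openjdk" ;;
        6) echo "$common gdb mod_wsgi java-1.7.0-openjdk policycoreutils-python" ;;
        *) echo "unsupported release: $1" >&2; return 2 ;;
    esac
}

# Print the required packages that are absent from a list of installed
# package names (one name per line on stdin). Exact-name match only, so
# "httpd-tools" does not satisfy "httpd".
missing_packages() {
    installed=$(cat)
    req=$(required_packages "$1") || return 2
    missing=""
    for pkg in $req; do
        printf '%s\n' "$installed" | grep -Fxq -- "$pkg" || missing="$missing $pkg"
    done
    echo "${missing# }"
}

# Run against the live system: needs rpm and /etc/redhat-release.
preflight() {
    major=$(sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' /etc/redhat-release)
    missing=$(rpm -qa --qf '%{NAME}\n' | missing_packages "$major") || return 2
    # The SELinux mode must be settled before the TIM installer runs.
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    if [ -n "$missing" ]; then
        echo "Missing for release $major: $missing"
        return 1
    fi
    echo "All TIM 9.6 dependencies present for release $major"
}

# Only run the live check on an RPM-based host.
if command -v rpm >/dev/null 2>&1 && [ -r /etc/redhat-release ]; then
    preflight || true
fi
```
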

 

Credits & Acknowledgements

Thanks to Hal German for providing the initial input and Tuesday Tips to create this WIKI page.

Thanks to Cary Andrews for providing most of the documentation for this WIKI.

Thanks to the discussions in the community forum.