Symantec Access Management

Toolbelt:  Uncovering a Solution's Installation Wizards features/secrets for WinOS and Unix/Linux


    Posted 09-08-2015 12:43 AM

    Hello,

     

    I thought I would share my methodology to augment my knowledge of CA and other solutions beyond what can be provided from the official wiki, PDFs, bookshelves (or Google searches).

    I tend to dive deep into the installation processes.

     

    Background:

     

    Solution Installation Wizards are introduced to ease & speed up deployment by having a GUI interface selectively present questions to the administrative user.

    However, the use of the installation wizards can also be a "black box" as to what is actually changed on the OS for the solution, which makes it challenging to understand all areas of a solution to troubleshoot issues.

     

     

    Methodology:

     

    To open the "black box", I tend to break apart research of installations into two (2) processes:

     

    1)  Addressing installation challenges due to OS dependencies

     

    a) missing OS libraries,

    b) adequate entropy

    c) not enough space under /tmp  (c:\TEMP) to install the solution

    d) port collisions

    e) AntiVirus impact (temporarily disable real-time AV to allow solutions to install quicker; then reapply real-time AV; scan the folders as needed; recommend adding processes to AV exclusion list for performance)

     

    2)  Discovery of all content that is managed by the solution's installation wizards, e.g. service account ID, service account Password/Hash, HA configuration, Encryption Seed Files (FIPS), etc.

     

     

    *** *** ***

    Addressing Installation OS Dependencies:

     

    MS Windows OS:

    To Address installation dependencies, on MS Windows OS, I lean heavily on MS Sysinternals Tools from Mark Russinovich

    https://technet.microsoft.com/en-us/sysinternals/bb842062

     

    Particularly, two (2) tools: 

     

    a)  Process Explorer (to view the running processes during and after an installation and the ports they are using)


    b)  Process Monitor (execute during an installation to view ALL windows registry and files being read and updated; it also shows how "busy" a server is)


    This tool is useful to track how password updates are made using the CA Identity Manager Provisioning Servers' pwdmgr.exe tool.

     

    UNIX/Linux OS:

    To Address installation dependencies on UNIX/Linux, I lean heavily on strace (trace tool) and netstat (monitor ports); and ps (view running processes)

     

    strace will display all paths/libraries and the order in which the installation solution is looking for those OS dependencies.   Due to any failure error codes, it can be leveraged to identify missing x64 and/or x86 (32 bit) libraries.

    netstat  (with its many switches) is very useful to identify open ports and services tied to those ports.  Example:   netstat -an       or    netstat -lnp

    ps -ef  | grep -v grep | grep whatever

     

    I would be curious as to what other processes others use.

     

     

     

    Using strace, you can identify a few CA solution updates outside the installation folder, e.g.

     

    a) the CA installation tracking configuration file, under /var/.com.zerog.registry.xml  (for most CA solutions on UNIX/Linux;  there is also a zerog file on MS Windows as well; Note: may impact re-installations with messages that claim the solution already exists or is unable to downgrade the solution version)

    b) the /var/.CA_IAM_FW.registry  (CA framework component; installed with CA IMPS, CCS, and IMPM installations)

    c) update to /etc/profile with a reference to /etc/profile.CA

    d) or use of IATEMPDIR=/export/home/whatever; export IATEMPDIR      (used to address lack of space in /tmp or MS Windows OS temp folder under C:\ that will impact an installation)

     

     

     

     

    *** *** ***

    Discovering Solution Installation Wizards Features/Secrets

     

    To discover a solution's updates to various files and "registry", I have found the following method very useful.

     

    1) Install the solution at least a minimum of three (3) times with deltas.

    2) Capture the silent install properties file from the 1st installation and use that to automate CLI testing on Windows OS & UNIX/Linux.

    3) Vary the details of passwords, services IDs, the use of FIPS, and hostnames   (use dummy hostnames in /etc/hosts  or  C:\Windows\System32\drivers\etc\hosts)

    4) After each installation, zip/compress the folder on the MS Windows & UNIX/Linux server and label/copy this zip folder to your desktop/workstation/laptop.

    5) Extract each installation zip file into its own folder on your workstation.

    6) Download a "folder/file compare tool" with configuration switches that allow date stamps to be ignored, and allow either a CRC or binary comparison of the folders.

    7)  Use the "folder/file compare tool" to isolate the deltas between the installations.

     

    The above steps/method will uncover the changes made to the solutions configurations files.   This will NOT display configurations stored in a database/directory.

     

    However, this is very useful to understand where to make updates to HA configurations, service account passwords,

     

    I am fond of the tool Beyond Compare for identifying deltas.  

    Scooter Software: Home of Beyond Compare

     

     

    I use Beyond Compare, also during validation checks for HA environments, to ensure configuration files are mapped correctly between peer nodes, e.g. JBOSS/WebLogic/WebSphere

     

     

    ***  ***

    Comments are welcome and I would be interested in what process/methods others use.

     

     

    Cheers,

     

    A.
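
The strace step from the "Addressing Installation OS Dependencies" section, as an added example that is not part of the original post: it reads the output of `strace -f` run against an installer and reports libraries that were never found on any probed path, plus files opened for writing outside the installation folder. The install path `/opt/CA/example` and the library names are hypothetical; the trace lines are constructed.

```python
import re

# Matches open/openat/creat lines as printed by strace (optionally "[pid N] " prefixed).
CALL = re.compile(
    r'\b(open|openat|creat)\((?:AT_FDCWD, )?"([^"]+)"(?:, ([A-Z_|]+))?[^)]*\)'
    r'\s*= (-?\d+)(?: (E[A-Z]+))?')
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT"}

def analyse(trace_lines, install_dir, ignore=("/dev/", "/proc/")):
    """Return (missing, outside): libraries never opened successfully on any
    probed path, and files opened for writing outside install_dir."""
    probed, loaded, outside = {}, set(), []
    prefix = install_dir.rstrip("/") + "/"
    for line in trace_lines:
        m = CALL.search(line)
        if not m:
            continue
        call, path, flags, ret, err = m.groups()
        name = path.rsplit("/", 1)[-1]
        is_lib = name.endswith(".so") or ".so." in name
        if int(ret) < 0:
            # A single ENOENT is normal: the loader probes several directories.
            if is_lib and err == "ENOENT":
                probed.setdefault(name, []).append(path)
            continue
        if is_lib:
            loaded.add(name)
        writing = call == "creat" or WRITE_FLAGS & set((flags or "").split("|"))
        if (writing and path not in outside and not path.startswith(prefix)
                and not path.startswith(ignore)):
            outside.append(path)
    missing = {n: p for n, p in probed.items() if n not in loaded}
    return missing, outside

# Constructed sample trace; /opt/CA/example and the lib names are hypothetical.
SAMPLE = '''\
openat(AT_FDCWD, "/opt/CA/lib/libexample.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/libexample.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libmissing32.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libmissing32.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/var/.com.zerog.registry.xml", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
[pid 4242] openat(AT_FDCWD, "/opt/CA/example/conf/app.properties", O_WRONLY|O_CREAT, 0644) = 6
openat(AT_FDCWD, "/etc/profile", O_RDWR|O_APPEND) = 7
openat(AT_FDCWD, "/dev/null", O_WRONLY) = 8
'''.splitlines()

def demo_strace():
    return analyse(SAMPLE, "/opt/CA/example")
```

Opens relative to a directory descriptor other than `AT_FDCWD` are skipped, so a real trace may contain writes this does not list.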
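
Steps 5 to 7 of the "Discovering Solution Installation Wizards Features/Secrets" method, as an added example that is not part of the original post: a content-only comparison of two extracted installation folders that ignores date stamps, using SHA-256 in place of the CRC/binary comparison a GUI compare tool offers. The folder layout, file names and values in the demo are constructed.

```python
import hashlib
import os
import tempfile

def tree_digests(root):
    """Map each file's path relative to root to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare_installs(baseline, variant):
    """Content-only delta between two extracted installation folders.
    Timestamps are never consulted, so installs done on different days compare clean."""
    a, b = tree_digests(baseline), tree_digests(variant)
    return {
        "only_in_baseline": sorted(set(a) - set(b)),
        "only_in_variant": sorted(set(b) - set(a)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo_tree_compare():
    """Constructed sample: two tiny 'installs' differing in service ID and FIPS."""
    with tempfile.TemporaryDirectory() as tmp:
        one, two = os.path.join(tmp, "install1"), os.path.join(tmp, "install2")
        for root, svc in ((one, "svc_a"), (two, "svc_b")):
            _write(root, "bin/start.sh", "#!/bin/sh\nexec ./server\n")
            _write(root, "conf/app.properties", f"service.id={svc}\n")
        _write(two, "conf/fips.seed", "constructed-placeholder\n")
        # Push mtimes apart to show they do not affect the result.
        os.utime(os.path.join(one, "bin/start.sh"), (0, 0))
        return compare_installs(one, two)

if __name__ == "__main__":
    for kind, paths in demo_tree_compare().items():
        print(kind, paths)
```

Files listed under `changed` are the ones the varied wizard answers (service ID, password, FIPS, hostname) ended up in; treat the extracted folders and the report as sensitive, since they can contain service account credentials or hashes.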