What are the best practices for moving the root node keys using tw_root_node_key_export and tw_root_node_key_import?
After wiping an appliance that is connected to an existing CMDB, it is ESSENTIAL to restore the root node keys first, BEFORE scanning any endpoint. In Discovery, the root node keys are used to uniquely relate the Discovery data to the CMDB data. For any appliance that performs CMDB sync, the keys are very important and should be preserved. If endpoints are rediscovered after the wipe and BEFORE the key import has been executed, the endpoints already synchronized to the CMDB will be duplicated in the CMDB at the next CMDB sync, because they will then have a new and different key in Discovery.
Prerequisites to this KA:
For CMDB backups, please check with your CMDB admin, or the BMC CMDB support.
Notes:
1- Preserve the keys: The procedure to preserve the keys is to run tw_root_node_key_export on the consolidator. It is recommended to run the command at regular intervals, such as weekly; cron may be used to schedule this.
To run a successful tw_root_node_key_export from the Discovery command line:
1- ssh to the terminal of the appliance. In the case of a cluster, execute the following steps on a single member (any of them, coordinator or not).
2- Start a screen session so that you can reconnect to it if the ssh connection drops during the procedure. Run the following command line:
   screen
3- Run the following command line to export the root node keys, and enter the password for the Discovery "system" user:
   tw_root_node_key_export root_node_keys.xml
To verify that the procedure was successful, run the following commands:
a) Confirm that the tw_root_node_key_export process is no longer running. This command should not output any result other than the line for the grep command itself:
   ps -ef | grep root_node
b) The number of keys in the file root_node_keys.xml that was just created should be similar to the number of OSIs in the appliance:
   grep " <root-node-key-info " root_node_keys.xml | wc -l
   tail root_node_keys.xml
The last two lines in the XML file should look like this:
2- Restore the keys: To restore the keys to a new consolidator, run tw_root_node_key_import.
To run a successful tw_root_node_key_import from the Discovery command line:
1- ssh to the terminal of the appliance. In the case of a cluster, execute the following steps on a single member (any of them, coordinator or not).
2- Start a screen session so that you can reconnect to it if the ssh connection drops during the procedure. The screen command is extremely important for large imports of root node keys, as an import takes much longer than an export. Run the following command line:
   screen
3- Run the following command line and note the number of root node key nodes that already exist in the datastore:
   tw_query --no-headings "search RootNodeKeyInfo" | wc -l
4- Go to the folder where the root_node_keys.xml from a previous export resides. Note the result of the following command line, which counts the number of keys in the file:
   grep " <root-node-key-info " root_node_keys.xml | wc -l
5- Run the import:
   tw_root_node_key_import root_node_keys.xml
   ps -ef | grep root_node
6- Run the following command line and confirm that the result corresponds to the output of the command at step 4:
   tw_query --no-headings "search RootNodeKeyInfo" | wc -l
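The count checks from steps 3, 4 and 6, together with the process check, can be scripted so that scanning is only resumed once the import is confirmed. This is an added example, not part of the original article or of BMC's tooling; the function names, verdict strings and the constructed sample file are assumptions, and tw_query is assumed to be on the PATH of the appliance shell.

```bash
#!/usr/bin/env bash
# Added example (not BMC code): count checks around tw_root_node_key_import.
# Function names and verdict strings are hypothetical.

# Step 4: number of keys in the export file (same grep pattern as the article).
count_export_keys() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c ' <root-node-key-info ' "$1" || true   # grep -c exits 1 on zero matches
}

# Steps 3 and 6: number of RootNodeKeyInfo nodes in the datastore.
count_datastore_keys() {
    echo $(( $(tw_query --no-headings "search RootNodeKeyInfo" | wc -l) ))
}

# True while an export or import is still running. The [t] bracket keeps
# grep from matching its own entry in the ps output.
key_tool_running() {
    ps -ef | grep -q '[t]w_root_node_key_'
}

# Args: keys in file (step 4), datastore count before (step 3) and after (step 6).
import_verdict() {
    local in_file=$1 before=$2 after=$3
    if [ "$in_file" -eq 0 ]; then echo EMPTY_EXPORT; return 1; fi
    if [ "$after" -eq "$in_file" ]; then echo OK; return 0; fi
    if [ "$after" -eq "$before" ]; then echo NOT_IMPORTED; return 1; fi
    if [ "$after" -lt "$in_file" ]; then echo INCOMPLETE; return 1; fi
    echo MORE_THAN_FILE; return 1   # assumption: keys pre-existed; review by hand
}

# Constructed stand-in for an export file; only the line prefix matters here,
# the real file's attributes and layout are not reproduced.
make_sample_export() {
    local i
    for i in 1 2 3; do echo "  <root-node-key-info sample=\"$i\" />"; done > "$1"
}

# Usage: verify_keys.sh root_node_keys.xml COUNT_NOTED_AT_STEP_3
if [ "$#" -eq 2 ] && command -v tw_query >/dev/null 2>&1; then
    if key_tool_running; then echo "key tool still running, retry later" >&2; exit 1; fi
    in_file=$(count_export_keys "$1") || exit 2
    import_verdict "$in_file" "$2" "$(count_datastore_keys)" || exit 1
fi
```

Any verdict other than OK exits non-zero, so the script can gate whatever step re-enables scanning.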