Managed server requirements

The servers to be managed by WebSphere Automation must meet certain requirements. Servers must have the WebSphere Application Server usage metering feature to be monitored, and must meet additional requirements to enable security fix installation or health monitoring.

Operating system requirements

Check the following table to see if a server running meets the operating system requirements to be managed by WebSphere Automation.

Table 1. Supported product features by operating system or architecture
OS/Architecture CVE Monitoring Fix Deployment Memory Leak Analysis *
AIX® Yes Yes Yes
Linux® (x86, ppc64, s390x) Yes Yes Yes
Windows (x86) Yes Yes Yes
HP-UX No No No
IBM® i​ No No No
Max OS X No No No
Solaris No No No
z/OS® Yes ** No No ***

* Instana is required to set up automated health detection and analysis. You must have an entitlement for Instana because it is not included with WebSphere Automation.

** Security bulletins for z/OS specific vulnerabilities are published separately from security bulletins for common vulnerabilities for both z/OS and distributed platforms. CVE monitoring is limited to common vulnerabilities.

*** Instana agent is not available on z/OS.

Usage metering requirement

WebSphere Automation uses the usage metering feature within WebSphere Application Server and WebSphere Application Server Liberty to collect data about the servers you want to monitor so that their vulnerability status or health status can be assessed. The usage metering feature must be manually configured on each server to be managed so that it can communicate with WebSphere Automation. The usage metering feature is a supported, stabilized component of WebSphere Application Server and WebSphere Application Server Liberty for use with WebSphere Automation. It was previously used with the now removed metering service in IBM Cloud Private. Stabilization of the feature supersedes any mention of its deprecation in the documentation for WebSphere Application Server or WebSphere Application Server Liberty.

WebSphere Automation cannot communicate with servers that do not have this feature. Because of this limitation and the date that the usage metering feature was released, WebSphere Automation does not evaluate security bulletins that were created before 2018. The following application servers can be managed:
  • WebSphere Application Server (all editions) 8.5.5.15 and later
  • WebSphere Application Server (all editions) 9.0.0.9 and later
  • WebSphere Application Server Liberty (all editions) 18.0.0.3 and later

As service updates or new versions of WebSphere software are installed, the security status of the server inventory is updated.

Security fix installation and health monitoring requirements

In addition to the usage metering requirement, servers must meet these requirements for security fix installation and health monitoring by WebSphere Automation.

Table 2. Requirements for managed servers
Requirement Security fix installation Health monitoring
Python and Python3 (installed and on the PATH for all users) Python 3 (version 3.5 or later) Python 3 (version 3.5 or later)
Java™ (installed and on the PATH for all users) (WebSphere Application Server Liberty only) Required Required
Windows servers must have PowerShell 5.1 or later installed Required Required
Servers must be accessible from WebSphere Automation with SSH (Linux or UNIX), or SSH or WinRM (Windows) Required Required
All Linux and UNIX servers must be accessible with the same SSH credentials and user account. Windows servers must be accessible with the same SSH or WinRM credentials and user account. Required Required
The user account must have permissions to use the wsadmin script (WebSphere Application Server) or the server script (WebSphere Application Server Liberty) Required Required
On Linux and UNIX servers, the user account must have at least read access to the WebSphere Application Server or WebSphere Application Server Liberty installation and profile directories. If the owner of these installation or profile directories is different from the user account, the user account must have ability to become that user by using the sudo command. Required Required
On Linux and UNIX servers, if a custom data location was used when Installation Manager was installed in group mode, Installation Manager must either be reinstalled without a custom data location or the InstallationManager.dat file must be placed in the following location.

/user_home_directory/var/ibm/InstallationManager_Group/etc/.ibm/registry/InstallationManager.dat

The InstallationManager.dat file is typically located in the following location.

application_data_location/etc/.ibm/registry/InstallationManager.dat

If Installation Manager is installed in administrator mode, the installation must be managed by a user with administrator privileges.

You can specify the user account that is to be used for executing the Installation Manager commands. For more information, see Installing a fix.

 Required N/A

On WebSphere Application Server installations, the user profile specified for the ansible_user parameter must have read access to the following files and their parent directories.

  • app_server_root/properties/profileRegistry.xml
  • app_server_root/properties/version/installed.xml

For more information, see Runbook logs contain file access permission errors in the troubleshooting documentation.

 Required Required
The user account must have access to heap dump files that are generated by WebSphere Application Server or WebSphere Application Server Liberty N/A Required
On Windows servers, the user account must either have:
  • Administrative permissions and the SeDebugPrivilege Windows privilege enabled. SeDebugPrivilege is enabled by default for administrators.
  • Nonadminstrator privileges but ownership of the WebSphere Application Server installation directory and access to the Installation Manager directory. The SeDebugPrivilege Windows privilege must not be enabled.
 Required N/A
Instana agent must be installed and configured to communicate with an installation of Instana. Instana is required for automated health detection and analysis. You must have an entitlement for Instana because it is not included with WebSphere Automation. For more information, see Setting up Instana to send alerts to WebSphere Automation. N/A Required
Note: If security is enabled for WebSphere Application Server traditional server, security credentials must be included in the soap.client.props file of each node where a heap dump might be generated.
com.ibm.SOAP.loginUserid=<USERID>
com.ibm.SOAP.loginPassword=<PASSWORD>
Note: For WebSphere Application Server Liberty servers, the Liberty profile cannot be running as an embedded process in another product.