Automating Manual Process of Installing Change Guardian Windows Agent

Manual installation of the Change Guardian Windows Agent requires two artifacts: the Agent certificate for the target host and the installer. The administrator must first generate the Agent certificate for the Agent host before proceeding with the installation.


The steps below will help administrators build a custom script within third-party deployment solutions that can generate Agent certificates and download the Agent installer artifacts.


For illustration purposes, the code snippets use PowerShell syntax and support version 5.1.

Step-1


Prerequisite:

1 - Create a temporary user with the Administrator role to interact with the server APIs.

2 - Download the Windows Agent Package to the machine from which a tool such as SCCM will deploy the agent remotely.

3 - Copy the Windows Agent Package to the "C:\Windows\temp\" folder on each agent machine using a tool such as SCCM.

 




param(
  [String]$server = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server IP Address/FQDN"),
  [String]$user = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Username"),
  [String]$password = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Password")
)





Step-2 

Uninstall the Windows Agent if it is installed.

Write-Host "Uninstalling the Windows Agent if installed ..."
$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -match "Netiq Change Guardian Agent" }
# Only call Uninstall() when the agent was actually found
if ($app) { $app.Uninstall() }

 

 

 

Step-3

Get the authentication token for accessing the server APIs as shown below.

The response to a POST request to "https://${server}:8443/SentinelAuthServices/auth/tokens" should return the token details, which can later be used to access the Agent Manager APIs.

The Authorization header should be Base64 encoded.




Write-Host "Getting the Authentication Token for accessing Server APIs..."
$url = "https://${server}:8443/sentinel/views/logon.html"
Invoke-WebRequest -Uri $url -Method POST -Body @{username=$user;password=$password} -SessionVariable sv > $null




Step-4

Write functions to fetch IP Address and FQDN of your Agent Host.






Write-Host "Fetching IP Address and FQDN of your Agent Host... "
$agentHostname = [System.Net.DNS]::GetHostByName($Null).HostName
$agentIP = Test-Connection -ComputerName (hostname) -Count 1 | Select -ExpandProperty IPV4Address
Write-Host "Agent Host Name: " $agentHostname
Write-Host "Agent Ip Address: " $agentIP



Step-5

Call the Agent Manager API to get the Agent certificates by providing the Agent hostname and IP address.






Write-Host "Calling Agent Manager API to get Agent Certificates by providing Agent Hostname/IPaddress... "
$cert_download_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/ChangeGuardianAgentCertificates_" + $agentHostname + ".zip?location=c0d42d81-eff6-4ea9-b1b7-ebc891600fa3&id=0&hostname=" + $agentHostname + "&ipaddress=" + $agentIP
$certs_file = "ChangeGuardianAgentCertificates_" + $agentHostname + ".zip"
Write-Host "Downloading the Agent Certificate... "
Invoke-WebRequest -Uri $cert_download_URL -Method GET -WebSession $sv -Passthru -OutFile $certs_file >$null



Step-6

Copy and extract both the artifacts to a temporary directory.






$randDir = [System.Guid]::NewGuid().ToString()
$tempDir = "C:\Windows\temp"
if (New-Item -Path $tempDir -Name $randDir -ItemType "directory")
{
Write-Host "$(Get-Date -format g) Temp Directory Created"
}
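$archive_Path = $tempDir + "\" + $randDir
# $installer_file must hold the path of the Windows Agent Package copied to C:\Windows\temp\ in Step-1; it is not set anywhere else in this script.
Expand-Archive -Path $installer_file -DestinationPath $archive_Path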
Expand-Archive -Path $certs_file -DestinationPath $archive_Path -Force




Step-7

Run the Agent installer from the temporary directory.

Write-Host "Running the Agent Installer from Temporary directory... "
$installed = Start-Process NetIQCGAgentSilentInstaller.exe -ArgumentList "/s" -Wait -Verb runas -WindowStyle Minimized -WorkingDirectory $archive_Path -PassThru


Note:

Because the server uses a self-signed certificate, the Invoke-WebRequest cmdlets need a snippet of .NET code to ignore certificate errors on PowerShell versions 4.0/5.0/5.1.
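
A narrower alternative to ignoring all certificate errors, given here as an added example that is not part of the original article or the product's own code: it accepts the server's self-signed certificate only when its thumbprint matches a value obtained out of band. The class name PinnedCertValidator, its methods and the $expectedThumbprint placeholder are assumptions; $server, $user and $password come from the param block in Step-1.

```powershell
# Added example: pin the Change Guardian server's self-signed certificate
# instead of disabling certificate validation for the whole session.
# Placeholder: replace with the thumbprint verified out of band.
$expectedThumbprint = '<SERVER-CERTIFICATE-THUMBPRINT>'

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

if (-not ('PinnedCertValidator' -as [type])) {
    Add-Type @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; not part of any product API.
public static class PinnedCertValidator {
    private static string pinned;

    public static void Pin(string thumbprint) {
        pinned = thumbprint.Replace(" ", "").ToUpperInvariant();
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Reset() {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors) {
        if (errors == SslPolicyErrors.None) { return true; }  // chain already trusted
        if (cert == null || string.IsNullOrEmpty(pinned)) { return false; }
        // Untrusted chain: accept only the exact certificate that was pinned.
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, pinned, StringComparison.OrdinalIgnoreCase);
    }
}
'@
}

[PinnedCertValidator]::Pin($expectedThumbprint)
try {
    # Same logon request as Step-3; any other certificate now fails the TLS handshake.
    $url = "https://${server}:8443/sentinel/views/logon.html"
    Invoke-WebRequest -Uri $url -UseBasicParsing -Method POST -Body @{username=$user;password=$password} -SessionVariable sv > $null
}
finally {
    [PinnedCertValidator]::Reset()   # restore default validation for later code
}
```

Keep the Step-5 certificate download inside the same try block so that it runs while the pin is active.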

 

Comment List
Anonymous
  • My stuff in blue.  The other stuff is PS Script Stuff to quell any confusion. This is a great start for an automation script, but this script will not work if you just copy everything and run it.  There are a few things missing. 

    First, under step 6, 

    Expand-Archive -Path $installer_file -DestinationPath $archive_Path

    there is no defined $installer_file variable anywhere else in the script. So you will have to fix that.  Just point to where the installer will be copied over from, so it can go into the temp location.

    Second, to pass by the tls errors you may encounter, put this after the PARAM statement

    #setting tls1.2 protocol type
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Third, to communicate with DCs and have them ignore that your machine is using a self-signed cert you will need to insert this - right after that TLS 12 fix above.

    #Self Signed Certificate Fix
    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
    ServicePoint srvPoint, X509Certificate certificate,
    WebRequest request, int certificateProblem) {
    return true;
    }
    }
    "@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

    AND you STILL may get an Invoke-WebRequest error... if you do, just run this by itself. I just made a separate script and saved it and ran it and then ran the full script:

    #Invoke-WebRequest Error Script fix

    param(
    [String]$server = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server IP Address/FQDN"),
    [String]$user = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Username"),
    [String]$password = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Password")
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    #Self Signed Certificate Fix
    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
    ServicePoint srvPoint, X509Certificate certificate,
    WebRequest request, int certificateProblem) {
    return true;
    }
    }
    "@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

    <#
    Step -3
    Get the Authentication Token for accessing Server APIs as below.

    POST Request Response for "https://${server}:8443/SentinelAuthServices/auth/tokens" should fetch the details of token which can be later used for accessing Agent Manager APIs.

    Authorization header should be Base64 encoded.

    #>

    Write-Host "Getting the Authentication Token for accessing Server APIs..."
    $url = "https://${server}:8443/sentinel/views/logon.html"
    Invoke-WebRequest -Uri $url -UseBasicParsing -Method POST -Body @{username=$user;password=$password} -SessionVariable sv > $null

    In our environment with 2016 Core, and secure boot and very restrictive security settings, we are about 50/50 or 60/40 success rate on first runs, and then after the short PS script to jar the Invoke-WebRequest and then running the full script, it works.  

     

  • I get an error when the following command is executed. All Variable have the correct entries:

     

    Invoke-WebRequest -SkipCertificateCheck -Uri $cert_download_URL -Headers $ams_header -PassThru -OutFile $certs_file

     

    Invoke-WebRequest : Response status code does not indicate success: 401 (Unauthorized).
    At C:\temp\cg-script.ps1:31 char:1
    + Invoke-WebRequest -SkipCertificateCheck -Uri $cert_download_URL -Hea ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: GET, Reques…PowerShell/6.2.1
    }:HttpRequestMessage) [Invoke-WebRequest], HttpResponseException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

     

    I couldn't find any hints what's going wrong

    It's Powershell 6.2.1 on Windows 7

  • Hi,

    it's mentioned:

    Due to self signed certificate usage Invoke Web cmdlets need to have a snippet of .NET Code to ignore certificate errors for PS Versions 4.0/5.0/5.1.

    Can you provide such a snippet?

     

    Regards,

    Ulrich
