Automating Manual Process of Installing Change Guardian Windows Agent


Manual installation of the Change Guardian Windows Agent requires two artifacts: the Agent certificate for the target host and the installer. The administrator must generate the Agent certificate for the Agent host before proceeding with the installation.



The steps below help administrators build a custom script, for use within third-party deployment solutions, that generates agent certificates and downloads the Agent Installer artifacts.




For illustration purposes, the code snippets use PowerShell syntax and support version 5.1.



Step-1



Prerequisite: Create a temporary user with the Administrator Role to interact with Server APIs.




param
(
[String]$server = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server IP Address/FQDN"),
[String]$user = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Username"),
[String]$password = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Password")
)





Step-2



Get the authentication token for accessing the Server APIs as shown below.

A POST request to "https://${server}:8443/SentinelAuthServices/auth/tokens" returns the token details, which are used later to access the Agent Manager APIs.

The credentials in the Authorization header must be Base64 encoded.




$url = "https://${server}:8443/SentinelAuthServices/auth/tokens"
$type = "application/json"
$header = @{"Authorization" = "Basic "+[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($user+":"+$password))}
$response = Invoke-RestMethod -Uri $url -Headers $header -Method Post -ContentType $type
$tokenDigest = $response.TokenDigest
$token = $response.Token




Step-3


Write functions to fetch the IP address and FQDN of your Agent host.
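One possible pair of helper functions for this step, as an added example that is not part of the original article. The function names match the calls used in the article; the fallback to the computer name, the character check and the choice of the first usable IPv4 address are assumptions, and on a multi-homed host you may need to select the address the server actually sees.

```powershell
# Added example: helper functions for Step-3 (not from the original article).
function get-Hostname {
    # Prefer the DNS-registered FQDN; fall back to the local computer name if the lookup fails.
    try   { $name = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
    catch { $name = $env:COMPUTERNAME }
    # The value is placed in a URL and a file name, so allow only hostname characters.
    if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$') {
        throw "Unexpected characters in hostname '$name'"
    }
    return $name
}

function get-IPAddress {
    # First IPv4 address that is neither loopback nor link-local (169.254.0.0/16).
    $ip = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object {
            $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and
            -not [System.Net.IPAddress]::IsLoopback($_) -and
            -not $_.ToString().StartsWith('169.254.')
        } |
        Select-Object -First 1
    if (-not $ip) { throw 'No usable IPv4 address found for this host' }
    return $ip.ToString()
}
```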






$agentHostname = get-Hostname
$agentIP = get-IPAddress



Step-4


Call the Agent Manager API to get the Agent certificates by providing the Agent hostname/IP address.






# Agent Manager download URL for this host's certificate bundle
$cert_download_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/ChangeGuardianAgentCertificates_" + $agentHostname + ".zip?location=c0d42d81-eff6-4ea9-b1b7-ebc891600fa3&id=0&hostname=" + $agentHostname + "&ipaddress=" + $agentIP
$local_url = "https://localhost:8443/SentinelAuthServices/auth/tokens"
# Session cookie built from the token digest returned in Step-2
$cookie_auth = 'Spiffy_Session=' + 'X-SAML,' + $tokenDigest + ',' + $local_url + ',' + $local_url + ',' + $user
$amsheader = @{}
$amsheader.Add("Upgrade-Insecure-Requests","1")
$amsheader.Add('Cookie',$cookie_auth)
$certs_file = "ChangeGuardianAgentCertificates_" + $agentHostname + ".zip"
# $amsheader is the hashtable built above
Invoke-WebRequest -Uri $cert_download_URL -Headers $amsheader -PassThru -OutFile $certs_file




Step-5 (Optional)



Call the Agent Manager API to download the Change Guardian Windows Agent package.

This step can be skipped if you have already downloaded the generic Agent Installer MSI package.

Note: The Windows installer URL attributes differ based on the version of Change Guardian and also depend on the order of configuration, so capture the URL from your Agent Manager download option.






$installer_file = "ChangeGuardianAgentForWindows_" + $AgentHostname + ".zip"
#URL Specific to Change Guardian Version 5.1
#$Windows_Installer_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/ChangeGuardianAgentForWindows.zip?location=30d42d81-5104-5700-b1b7-ebc891600fa2&id=20:1&hostname=&ipaddress="
#URL Specific to Change Guardian Version 5.0
$Windows_Installer_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/ChangeGuardianAgentForWindows.zip?location=30d42d81-5006-6300-b1b7-ebc891600fa2&id=20:1&hostname=&ipaddress="
Invoke-WebRequest -Method Get -Uri $windows_installer_URL -Headers $amsheader -Passthru -OutFile $installer_file



Step-6



Copy and extract both the artifacts to a temporary directory.






$randDir = [System.Guid]::NewGuid().ToString()
$tempDir = "C:\Windows\temp"
if (New-Item -Path $tempDir -Name $randDir -ItemType "directory")
{
Write-Host "$(Get-Date -format g) Temp Directory Created"
}
$archive_Path = $tempDir + "\" + $randDir
Expand-Archive -Path $installer_file -DestinationPath $archive_Path
Expand-Archive -Path $certs_file -DestinationPath $archive_Path -Force




Step-7



Run the Agent Installer from the temporary directory.





$installed = Start-Process NetIQCGAgentSilentInstaller.exe -ArgumentList "/s" -Wait -Verb runas -WindowStyle Minimized -WorkingDirectory $archive_Path -PassThru




Step-8



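Clean up the temporary directory and delete the Server authentication token.




Remove-Item -Path $archive_Path -Recurse -Force   # remove the extracted installer and certificates
Add-Type -AssemblyName System.Web                 # HttpUtility is not loaded by default in Windows PowerShell 5.1
$encodedToken = [System.Web.HttpUtility]::UrlEncode($token)
$deleteURL = $url + "/" + $encodedToken
Invoke-WebRequest -Uri $deleteURL -Headers $header -Method Delete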



Note:



Because the server uses a self-signed certificate, the Invoke-WebRequest/Invoke-RestMethod cmdlets need a snippet of .NET code to ignore certificate errors on PS versions 4.0/5.0/5.1.



Starting with PowerShell Core 6.0, the Invoke-WebRequest/Invoke-RestMethod cmdlets provide the "-SkipCertificateCheck" option.
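For PS 4.0/5.0/5.1, one way to handle the self-signed certificate without ignoring certificate errors for every host is to accept only the server's known certificate thumbprint. This is an added example, not part of the original article; the class name CGCertPin and the thumbprint placeholder are assumptions, and the thumbprint must be obtained from the Change Guardian server out of band.

```powershell
# Added example: pin the Change Guardian server certificate (Windows PowerShell 4.0/5.0/5.1).
# Assumption: placeholder thumbprint; replace it with the value read from the server out of band.
$expectedThumbprint = '<SERVER-CERT-SHA1-THUMBPRINT>'

if (-not ('CGCertPin' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class CGCertPin
{
    private static string pinned;

    // Accept a certificate that validates normally, or one whose thumbprint matches the pin.
    private static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null || String.IsNullOrEmpty(pinned)) { return false; }
        string actual = new X509Certificate2(cert).Thumbprint;
        return String.Equals(actual, pinned, StringComparison.OrdinalIgnoreCase);
    }

    public static void Enable(string thumbprint)
    {
        pinned = thumbprint.Replace(" ", "").Replace(":", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Disable()
    {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
"@
}

[CGCertPin]::Enable($expectedThumbprint)
try {
    # Run Step-2 through Step-8 here (the Invoke-RestMethod / Invoke-WebRequest calls).
}
finally {
    # Restore default certificate validation for the rest of the session.
    [CGCertPin]::Disable()
}
```

The callback is compiled C# rather than a PowerShell script block because the validation callback can run on a thread that has no PowerShell runspace.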


DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments

Hi,

it's mentioned:

Due to self signed certificate usage Invoke Web cmdlets need to have a snippet of .NET Code to ignore certificate errors for PS Versions 4.0/5.0/5.1.

Can you provide such a snippet?

 

Regards,

Ulrich

I get an error when the following command is executed. All variables have the correct entries:

 

Invoke-WebRequest -SkipCertificateCheck -Uri $cert_download_URL -Headers $ams_header -PassThru -OutFile $certs_file

 

Invoke-WebRequest : Response status code does not indicate success: 401 (Unauthorized).
At C:\temp\cg-script.ps1:31 char:1
+ Invoke-WebRequest -SkipCertificateCheck -Uri $cert_download_URL -Hea ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: GET, Reques…PowerShell/6.2.1
}:HttpRequestMessage) [Invoke-WebRequest], HttpResponseException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

 

I couldn't find any hints what's going wrong 😞

It's Powershell 6.2.1 on Windows 7

Version history: Revision 1 of 1. Last update: 2018-12-05 17:07