7.3. How the PxM Platform interacts with devices

As an administrator of an PxM Virtual Appliance, you should understand its impact on the network on which it resides. In particular, you should know what it can and can’t do to the devices on your network. So before you start provisioning devices within PxM, read the following.

This chapter outlines what happens initially and subsequently when you provision a device in your PxM Virtual Appliance, covering:

7.3.1. A clean installation

After you first install an virtual appliance, you will have no interaction with the devices on your network. It may make some network requests, such as NTP, but unless you provision a device, the PxM Virtual Appliance will not initiate any interaction with that device.

7.3.2. Why provision a device?

Provisioning a device makes it known to the virtual appliance thereby enabling the possibility for users to:

  • have single sign-on access to the device; and
  • run pre-defined tasks on the device.

You can only provision a device if you have an appropriate device template available. These templates tell the PxM Virtual Appliance how to interact with the device, including what protocols (tools) and tasks are available.

7.3.3. What happens when I provision a device?

The first step is to choose a device template. Amongst other things, this specifies which details are required to access the device.

The second step is to fill in the details and provide access credentials (which will be referred to as the provisioning credentials).

At this stage, the virtual appliance will use the provisioning credentials to attempt to log on to the device. If it is successful, it will perform a device version check to ensure that the device is supported by the chosen device template. This is called the Test connection phase.

The provisioning credentials have not been stored on the virtual appliance, but they are temporarily stored in your browser so you don’t have to type them in again in the final step.

If the Test connection is successful, the final step is to provide the remaining details that the virtual appliance will store about that device. The most important of these details is called the Control account type which is described in the next section.

Upon completion, a device audit will be initiated and marks the end of the interactions associated with the device provisioning process.

7.3.4. Choosing the right Control Account

As mentioned, during provisioning the virtual appliance uses the provisioning credentials to access the device. For subsequent day-to-day interaction, the virtual appliance will use a control account, for which the credentials are stored.

At this point it is appropriate to introduce Authentication service and the role they play. There are two fundamental ways that the virtual appliance can maintain access credentials (accounts) for a device:

Locally It can audit the device to find the accounts directly available on the device.

Authentication service It can use an Authentication service that provides a list of accounts that are valid for the device.

Whether or not a device uses an Authentication service is determined by the device template. However, the choice in the type of control account is the same in either case, but where the actual control account is stored will differ. The types are:

Fully Managed This gives the virtual appliance the autonomy to use the provisioning credentials to create a control account with the required level of privileges.

For locally authenticated devices, the account is made on the device itself.

For devices using authentication services, the account is made on the Authentication service rather than the device.

Managed This gives the virtual appliance permission to manage the credentials (passwords and SSH keys) of the control account. It will not create a new account on the device or authentication service, but it will regularly update the credentials of the control account, making the account, in effect, only accessible through the PxM Client.

Known This allows you to simply enter the credentials of an existing account that has the required level of privileges. At provision time, it is assumed that you wish to save the provisioning credentials for use as the control account. This can be changed afterwards.

The device is unchanged by this choice. The only change is to store the account details on the virtual appliance.

In summary:

  • The PxM Virtual Appliance needs privileged credentials with which to interact with a device. It calls these the control account.
  • The control account is either directly linked to the device or indirectly linked via an Authentication service.
  • Choosing a control account type of:
    • Known will not make any changes to the device or Authentication service.
    • Managed or Fully managed will result in credentials changing or account creation on either the device or the Authentication service.

7.3.5. Accounts in general

Where possible, the virtual appliance maintains a list of discoverable accounts on the devices and authentication services it knows about.

When a user is granted access to a device (via a profile), in general it will not result in changes being made to the device, except in the following circumstance.

If the SuperAdmin chooses to give a user role-based access to a device, then they are asking the virtual appliance to create a personalised account on the device that has the appropriate privileges for the selected role.

In this case, the virtual appliance will connect to the device using the control account and create the personalised Fully managed account for that user.

Similarly, the virtual appliance will never delete an account on a device unless the account was created by the Osirium Server in the first place (it was an Fully managed account) and it is no longer required.

Every device provisioned in the virtual appliance has an Account Management page that allows you to see the associated accounts. Accounts will be in one of the following states:

  • Fully managed
  • Managed
  • Known
  • Approved
  • Unapproved

More detail about these states can be found on the Manage accounts page, but in terms of changes made to a device by the virtual appliance:

  • Managed accounts will have their credentials periodically refreshed
  • Fully managed accounts can be modified or deleted by the server
  • All other accounts types will not be touched on the device

7.3.6. Day-to-day device interactions

There are three levels of interaction with provisioned devices.

7.3.6.1. User-initiated

A user logged on to the virtual appliance can cause device connections to be made either by executing a task or using a tool in the client.

7.3.6.2. Scheduled tasks

Using profiles within the SuperAdmin Web Management Interface, tasks can be scheduled to run. When the scheduled time arrives, the tasks are queued and executed in turn. They will normally cause the virtual appliance to log on to the device using the control account.

The scheduled tasks can be modified through Schedules page.

7.3.6.3. Background tasks

In contrast to scheduled tasks, background tasks are not controllable through the Web Management Interface. These include tasks such as periodically pinging the provisioned devices to test connectivity.

Sometimes, user activity within the Web Management Interface can result in background tasks being queued. For example, modifying a profile may well cause the virtual appliance to ensure that the devices in that profile have the appropriate accounts on them.