OpenSearch Management

The following procedures enable you to manage OpenSearch An AWS search engine, based on Elasticsearch, that Workflow Insights uses to gather information and perform queries. and OpenSearch Dashboards An AWS data visualization dashboard software, based on Kibana, that Workflow Insights uses to show OpenSearch query data in the dashboards. in Workflow Insights:

Upgrading OpenSearch
Downgrading OpenSearch
Configuring Certificates in OpenSearch and OpenSearch Dashboards
Uninstalling OpenSearch

Upgrading OpenSearch

This procedure describes how to upgrade to the newest version of OpenSearch. You must perform this procedure on every Control-M/EM where Workflow Insights is installed.

Before You Begin

Define a Workflow Insights backup, as described in Defining Workflow Insights Backups.
Copy the Workflow Insights cluster backup location that you defined in Configuring Workflow Insights, and paste it to the following location:
- UNIX: $HOME/BMCINSTALL/uninstall/DRNFT.<Current_Version>/Backup_OpenSearch_Snapshots
- Windows: "%EM_HOME%\BMCINSTALL\uninstall\DRNFT.<Current_Version>\Backup_OpenSearch_Snapshots"
Install Control-M/EM 9.0.02, as described in Control-M/EM Upgrade.
Verify that the Control-M/EM Configuration Agent is Up.

Begin

Log in as a Control-M/EM user.
Run the following command to stop OpenSearch and OpenSearch Dashboards:
- UNIX:
- Windows:
In a Control-M/EM Cluster or High Availability Configuration, you must consecutively run this command on every host before you move to the next step.
Run the following command to upgrade OpenSearch and OpenSearch Dashboards:
- UNIX:
- Windows:
In a Control-M/EM Cluster or High Availability Configuration, you must consecutively run this command on every host.
Run the following command to verify that the OpenSearch services are running:

em services-cli -st

Downgrading OpenSearch

This procedure describes how to downgrade OpenSearch and OpenSearch Dashboards in Control-M Workflow Insights to a previous version.

Begin

Log in as a Control-M/EM user.
Do the following:
1. Run the following command to view the backups that can be restored:
  - UNIX: em bmcpython $HOME/ctm_em/services/bin/elasticsearch_restore.py snapshots
  - Windows: bmcpython "%EM_HOME%\services\bin\elasticsearch_restore.py" snapshots
  A list of backups appears.
2. From the list of backups, find and record the backup Name that you want to restore.
Uninstall Control-M Workflow Insights, as described below:
- UNIX: Uninstalling Control-M Workflow Insights from Linux
- Windows: Uninstalling Control-M Workflow Insights from Windows
Run the following command to downgrade Control-M/EM:
- UNIX: $HOME/BMCINSTALL/uninstall/DRNFT.9.0.21.200/uninstall.sh
- Windows: "%EM_HOME%\BMCINSTALL\uninstall\DRNFT.9.0.21.200\uninstall.exe"
Reinstall Control-M Workflow Insights, as described below:
- UNIX: Installing Control-M Workflow Insights on Linux
- Windows: Installing Control-M Workflow Insights on Windows
Restore he previous version of OpenSearch with the backup Name that you recorded, as described in Restoring a Workflow Insights Backup.

Configuring Certificates in OpenSearch and OpenSearch Dashboards

This procedure describes how to configure certificates in OpenSearch and OpenSearch Dashboards, which enables you to replace the demo certificates that are installed with Workflow Insights. These new certificates enable OpenSearch and OpenSearch Dashboards to securely communicate with each other and Control-M Web.

Begin

Create a CA certificate and key.
Replace the CA certificate and key in OpenSearch, as described in Replacing the CA Certificate and Key in OpenSearch.
Replace the CA certificate and key in OpenSearch Dashboards, as described in Replacing the CA Certificate and Key in OpenSearch Dashboards.
Create an OpenSearch certificate and key in PKCS #8 format.
Replace the current OpenSearch certificate, as described in Replacing the OpenSearch Certificate.
Create an OpenSearch Dashboards certificate and key in PKCS #8 format.
Replace the current OpenSearch Dashboards certificate, as described in Replacing the OpenSearch Dashboards Certificate.

Replacing the CA Certificate and Key in OpenSearch

This procedure describes how to replace the CA certificate and key in OpenSearch.

Begin

Copy the new CA certificate and key files to the following directory on all hosts in the Workflow Insights environment:
- UNIX: $HOME/ctm_em/ini/ssl/
- Windows: %EM_HOME%\ini\ssl
Do the following:
1. Navigate to the following directory:
  - UNIX: $EM_HOME/ctm_em/opensearch/config
  - Windows: %EM_HOME%\opensearch\config
2. From the config directory, open the opensearch.yml file in a text editor, and then update the following parameters, as follows:
  - plugins.security.ssl.transport.pemtrustedcas_filepath
    - UNIX: certificates/opensearch_ca.pem
    - Windows: certificates\opensearch_ca.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/opensearch_ca.pem
  - plugins.security.ssl.http.pemtrustedcas_filepath
    - UNIX: certificates/opensearch_ca.pem
    - Windows: certificates\opensearch_ca.pem
Restart OpenSearch.

The CA certificate and key are now updated in OpenSearch.

Replacing the CA Certificate and Key in OpenSearch Dashboards

This procedure describes how to replace the CA certificate and key in OpenSearch Dashboards.

Begin

Do the following:
1. From the directory where the CA certificate and key are saved, record the following information:
  - CA certificate name.
  - Key name.
  - Temporary directory pathname.
2. Navigate to the following directory:
  - UNIX: $HOME/ctm_em/ini/ssl/
  - Windows: %EM_HOME%\ini\ssl\
3. From the ssl directory, verify that the names of the new CA certificate and key match the names of the current CA certificate and key.
Restart OpenSearch Dashboards and Tomcat.
Do the following:
1. Navigate the following directory:
  - UNIX: $HOME/ctm_em/ini/ssl/
  - Windows: %EM_HOME%\ini\ssl\
2. Locate the following files:
  - new_opensearch_dashboards_ca.pem: The new CA certificate for OpenSearch Dashboards.
  - new_opensearch_dashboards_ca_key.pem: The new CA key for OpenSearch Dashboards.
3. From the SSL directory, copy the files to the following directory on all hosts in the Workflow Insights environment:
  - UNIX: $HOME/ctm_em/ini/ssl/
  - Windows: %EM_HOME%\ini\ssl
Do the following:
1. Navigate to the following folder:
  - UNIX: $EM_HOME/ctm_em/opensearch-dashboards/config
  - Windows: %EM_HOME%\opensearch-dashboards\config
2. Locate the opensearch_dashboards.yml file, open it in a text editor, and then update the opensearch.ssl.certificateAuthorities parameter with the new CA certificate pathname.
  - UNIX: opensearch.ssl.certificateAuthorities: ['/home/em/ctm_em/ini/ssl/new_opensearch_dashboards_ca.pem']
  - Windows: opensearch.ssl.certificateAuthorities: ['\home\em\ctm_em\ini\ssl\new_opensearch_dashboards_ca.pem']
Do the following:
1. Restart OpenSearch Dashboards.
2. Restart Tomcat.
The CA certificate is now updated.

Replacing the OpenSearch Certificate

This procedure describes how to replace the OpenSearch certificate, which enables authentication, encryption, and decryption of data between the OpenSearch client, server, and hosts. The OpenSearch certificate periodically expires and must be updated on all hosts where OpenSearch is installed.

Before You Begin

Verify that the OpenSearch certificate key PEM file is available and is in PKCS #8 format.
Verify that the CA key PEM file is available, as described in OpenSearch Management.

Begin

Navigate to the following directory:
- UNIX: $EM_HOME/ctm_em/opensearch/config
- Windows: %EM_HOME%\opensearch\config
From the config directory, copy the OpenSearch certificate and CA key PEM files to the certificates sub-directory.
From the config directory, open the opensearch.yml file in a text editor, and then update the following parameters, as follows:
- plugins.security.ssl.transport.pemcert_filepath
  - UNIX: certificates/elk-transport-crt.pem
  - Windows: certificates\elk-transport-crt.pem
    
    plugins.security.ssl.transport.pemcert_filepath: certificates/elk-transport-crt.pem
- plugins.security.ssl.transport.pemkey_filepath
  - UNIX: certificates/elk-transport-key.pem
  - Windows: certificates\elk-transport-key.pem
- plugins.security.ssl.transport.pemtrustedcas_filepath
  - UNIX: certificates/opensearch_ca.pem
  - Windows: certificates\opensearch_ca.pem
- plugins.security.ssl.http.pemcert_filepath:
  - UNIX: certificates/elk-node-crt.pem
  - Windows: certificates\elk-node-crt.pem
- plugins.security.ssl.http.pemkey_filepath:
  - UNIX: certificates/elk-node-key.pem
  - Windows: certificates\elk-node-key.pem
- plugins.security.ssl.http.pemtrustedcas_filepath:
  - UNIX: certificates/opensearch_ca.pem
  - Windows: certificates\opensearch_ca.pem
- plugins.security.authcz.admin_dn: - 'CN=CONTROL-M_EM_ES_admin,O=BMC_Software_Ltd,L=Houston,ST=Texas,C=US'
The OpenSearch certificate is now updated.

Replacing the OpenSearch Dashboards Certificate

This procedure describes how to replace the OpenSearch Dashboards certificate, which enables the authentication, encryption, and decryption of all data that is sent between OpenSearch Dashboards and Control-M Web. The OpenSearch Dashboards certificate periodically expires and must be updated on all hosts where OpenSearch Dashboards is installed.

Before You Begin

Verify that the OpenSearch Dashboards certificate key PEM file is available and is in PKCS #8 format.
Verify that the CA key PEM file is available, as described in OpenSearch Management.

Begin

Navigate to the following directory:
- UNIX: $EM_HOME/ctm_em/opensearch/config
- Windows: %EM_HOME%\opensearch\config
From the config directory, copy the OpenSearch Dashboards certificate PEM file and CA key PEM file to the certificates sub-directory.
From the config directory, open the opensearch_dashboards.yml file in a text editor, and update the parameters, as follows:
- server.ssl.certificate: <Full_OpenSearch_Dashboards_Certificate_Pathname>
- server.ssl.key: <Full_CA_Key_Pathname>
  - UNIX: server.ssl.key: /home/em/ctm_em/opensearch-dashboards/config/certificates/new_opensearch-dashboards_key.pem
  - Windows: server.ssl.key: "C:\Program Files\BMC Software\Control-M EM\Default\opensearch-dashboards\config\certificates\new_opensearch-dashboards_key.pem"
Restart OpenSearch Dashboards.
Do the following to test the new OpenSearch Dashboards certificate:
1. Run the following command:
  - UNIX: curl --cacert $EM_HOME/ctm_em/ini/ssl/elastic_ca.pem -L https://`hostname`:<Server_Hostname>
  - Windows: curl --cacert "%EM_HOME%\ini\ssl\elastic_ca.pem" -L https://`hostname`:<Server_Hostname>
  curl --cacert $HOME/ctm_em/ini/ssl/elastic_ca.pem -L https://dba-tlv-v1cwm6:19201
2. Verify that the following message appears:
  
  {"statusCode":401,"error":"Unauthorized","message":"Authentication required"}
The OpenSearch Dashboards certificate is now updated.

Uninstalling OpenSearch

This procedure describes how to uninstall OpenSearch and OpenSearch Dashboards and restore Elasticsearch and Kibana in Control-M Workflow Insights. You must uninstall OpenSearch when you downgrade from 9.0.02 to Server 9.0.21.100 and lower.

Begin

Log in as a Control-M/EM user.
Do the following:
1. Run the following command to view the backups that can be restored:
  - UNIX: em bmcpython $HOME/ctm_em/services/bin/elasticsearch_restore.py snapshots
  - Windows: bmcpython "%EM_HOME%\services\bin\elasticsearch_restore.py" snapshots
  A list of backups appears.
2. From the list of backups, find and record the backup Name that you want to restore.
Uninstall Control-M Workflow Insights, as described below:
- UNIX: Uninstalling Control-M Workflow Insights from Linux
- Windows: Uninstalling Control-M Workflow Insights from Windows
Run the following command to downgrade Control-M/EM:
- UNIX: $HOME/BMCINSTALL/uninstall/DRNFT.9.0.21.200/uninstall.sh
- Windows: "%EM_HOME%\BMCINSTALL\uninstall\DRNFT.9.0.21.200\uninstall.exe"
Reinstall Control-M Workflow Insights, as described below:
- UNIX: Installing Control-M Workflow Insights on Linux
- Windows: Installing Control-M Workflow Insights on Windows
Restore Elasticsearch with the backup Name that you recorded, as described in Restoring a Workflow Insights Backup.