How to install a fresh CCS 12.6.X installation using the Ansible scripts

Article ID: 236310


Updated On: 04-25-2025

Products

Control Compliance Suite, Control Compliance Suite Standards Server

Issue/Introduction

Steps on how to install a fresh CCS 12.6.1 environment using the Ansible scripts provided with the CCS 12.6.1 release.

Environment

CCS 12.6.1

Resolution

Steps on how to install a fresh version of CCS 12.6.1 using the Ansible Scripts

NOTE: Ansible must already be set up before CCS can use it. CCS Technical Support does not support or assist with setting up Ansible; contact Professional Services for assistance with setting up Ansible in your environment.

 

Step 1: Configure Ansible to work with CCS

Configure Ansible inventory file

  1. On the Ansible Linux system, navigate to /etc/ansible
  2. Edit the hosts inventory file and provide tags for the target host systems as shown in the example below:

    [Win_Target]
    #New Application server IP
    10.255.1.86
    #Remote manager IP
    #10.255.1.74

     

    [Win_Target:vars]
    ansible_user=exampledomain\<ccs service user>
    ansible_password=<ccs service user password>
    ansible_connection=winrm
    ansible_winrm_transport=credssp
    ansible_winrm_server_cert_validation=ignore
    ansible_winrm_port=5986

    Note: Only one target host system can be active in the hosts inventory file at a time. Comment out the other target host systems (IPs).

    Note: The IP addresses in the hosts inventory file (example above) must be changed based on the YAML commands and the target host system. In the YAML scripts that are shown in this document, [Win_Target] is the host for the script.

Configure Ansible Vault to use a password vault file

You will need to create and configure an Ansible vault file for CCS to use.

  1. Create a hidden file with the name .vaultPass at a location of your choosing on the Ansible server.
  2. Edit the .vaultPass and enter a password. This password is used for encryption and decryption in the Ansible Vault.
  3. Edit the ansible.cfg file, which is located on the Ansible host system at /etc/ansible/ansible.cfg, and set the vault_password_file parameter to the path of the file that you created in step 1.
    Example: vault_password_file = /etc/ansible/.vaultPass
  4. Copy the secureConfig.enc file from CCS install media (in the Ansible_YAML folder) to the /etc/ansible/ directory. This file must contain all the configurations that you want to secure.
    Note: Do not change the file name as secureConfig.enc is hardcoded into the CCS ansible scripts.
  5. From the Ansible Linux machine, run the following command to encrypt the secureConfig.enc file:
    ansible-vault encrypt secureConfig.enc

    The Ansible vault is now configured and you can use it in YAML scripts.

    Note: Now that the secureConfig.enc file is encrypted, you must use the 'ansible-vault edit' command to modify a script configuration parameter or to add a new script configuration parameter. See the command below:
    ansible-vault edit secureConfig.enc
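
A pre-flight check for the vault setup configured in the steps above, as an added example that is not part of the CCS install media or its Ansible scripts. The function name vault_preflight is hypothetical; it assumes vault_password_file is set in the [defaults] section of ansible.cfg and that the password file should be accessible to its owner only.

```python
import configparser
import os
import stat

VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this


def vault_preflight(ansible_cfg, secure_config):
    """Return a list of problems; an empty list means the vault setup looks sane."""
    problems = []

    # 1. ansible.cfg must name a vault password file under [defaults].
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(ansible_cfg)
    pass_file = cfg.get("defaults", "vault_password_file", fallback=None)
    if not pass_file:
        problems.append("vault_password_file is not set in [defaults]")
    else:
        pass_file = os.path.expanduser(pass_file)
        if not os.path.isfile(pass_file):
            problems.append(f"{pass_file}: vault password file not found")
        else:
            mode = stat.S_IMODE(os.stat(pass_file).st_mode)
            # The file holds the vault password in clear text, so group and
            # other must have no access at all (0600 or stricter).
            if mode & 0o077:
                problems.append(f"{pass_file}: mode {mode:04o} grants access beyond the owner")

    # 2. secureConfig.enc must really be encrypted before the playbooks use it.
    try:
        with open(secure_config, "r", errors="replace") as fh:
            first_line = fh.readline()
    except OSError as exc:
        problems.append(f"{secure_config}: {exc.strerror}")
    else:
        if not first_line.startswith(VAULT_HEADER):
            problems.append(f"{secure_config}: no {VAULT_HEADER} header, file is plain text")
    return problems


if __name__ == "__main__":
    for issue in vault_preflight("/etc/ansible/ansible.cfg", "/etc/ansible/secureConfig.enc"):
        print("FAIL:", issue)
```

Run it after step 5 and again after any manual change to .vaultPass or secureConfig.enc; an empty result means both checks passed.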

 

Configure Ansible Vault to prompt for a password (optional)

Alternatively, if you want to run the script more securely, you can configure Ansible to prompt for the vault password while running scripts or performing tasks such as encryption or decryption. To configure, append the --ask-vault-pass parameter at the end of each command as shown in the following example:

ansible-vault edit secureConfig.enc --ask-vault-pass

Note: In all the examples shown in this document, a vault password file is used for the configurations. Therefore, when you run a command as shown in an example, you are not prompted for a password.

Configure the secureConfig.enc file

Before you start running the script, edit and configure the secureConfig.enc file according to your specific CCS setup (an example secureConfig.enc is attached to this KB).  For detailed information on the parameters available in the secureConfig.enc file, see the 'Additional information' section below.

Required CCS components prerequisites before 12.6.1 installation

Before you begin CCS Installation on Windows servers, please ensure that you fulfill all the applicable CCS Prerequisites that are mentioned in the Plan the CCS Deployment section in the CCS documentation. Also, ensure that all the required reboots for applying the prerequisites are complete before installing any of the CCS components.

Download and copy the CCS 'Installset' folder to the server

Once you have verified that the CCS prerequisites are applied to the server where you want to install the CCS Application server, you now need to copy over the CCS 12.6 install media folder to the server.

If you have not done so already, download the 12.6 install media from the Broadcom Support site, save the zip file, and unzip it as a single folder to a known network location. This network location must be accessible to both the server where you are installing the Application Server and the Linux server where Ansible is installed.

Required configuration: Before you copy, make sure to complete the following steps:

  • Open the Ansible inventory host file, uncomment the IP of the Application Server, and save the file.
  • Update the secureConfig.enc file, which is available on the Ansible host machine, as shown in the following example using the command:
    # > ansible-vault edit secureConfig.enc

    become_user: "<Network Location User Name>"                    ##NOTE: user must be in "exampledomain\\user" format
    become_pass: "<Network Location Password>"


To copy the CCS preview build from the network location to the machine where CCS Application Server is to be installed for repave or restoration, run the following command:

ansible-playbook Copy_to_RemoteHost.yml -e @secureConfig.enc -e 'src_path="\\\\<NetworkLocationPath>\\<CCS12.6BuildFolderName>\\Installset" dest_path=C:\'

 

Copy the Ansible Automation folder to the server

Run the following command on the Ansible host machine to copy the automation folder, Ansible_FreshSilentInstall, from the network location to the machine in which you want to install the CCS Application Server.  Example of the command that would be used:

ansible-playbook Copy_to_RemoteHost.yml -e @secureConfig.enc -e 'src_path="\\\\<NetworkLocationPath>\\Ansible_FreshSilentInstall" dest_path=C:\'

Installing CCS Application Server

Consider the following prerequisites before you install CCS Application Server:

  • The operating system, credentials, passphrases, and other environment settings on the machine where you want to restore CCS Application Server must be the same as on the previously used CCS Application Server.
  • All the shared locations must be accessible to the CCS Service Account user. The installation must also use the same CCS Service user account that was used in the previous CCS Application Server.
  • For restoring a CCS Application Server deployment, use a temporary SQL Server if this is going to be used as a Disaster Recovery Application Server install.

Verify the required CCS licenses are available

Ensure that valid CCS licenses are available at <NetworkShared>\Ansible_FreshSilentInstall\CCSLicenses\ folder on the shared network drive.
Required configuration: Before you install, make sure to update the CCS_Suite.xml file, which is available in the automation folder, Ansible_FreshSilentInstall, as shown in the following examples:

<Settings Name="Licenses">

<License File="C:\Ansible_FreshSilentInstall\CCSLicenses\*"></License>

</Settings>

<Settings Name="CSI.TargetPathPageActivity">

<Property Name="Target path" Value="C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics"></Property>
<Property Name="Cache path" Value="C:\ProgramData\Symantec\CSM-RA\MediaCache"></Property>

</Settings>

<Property Name="User name" Value="ExampleDomain\UserName"></Property>
<Property Name="SQL Server" Value="SQL_Server_Host\InstanceName"></Property>


Before you install, also make sure to update the secureConfig.enc file on the Ansible Linux machine as shown in the following example using the command: ansible-vault edit secureConfig.enc

become_user: <NetworkLocationUserName>       #This is the CCS Service account, and it needs to be in the "domain\\user" format
become_pass: <NetworkLocationPassword>
apsusername: <ApplicationServerServiceAccountUserName> #This is the CCS Service account, and it needs to be in the "exampledomain\\user" format
apspassword: <ServiceAccountPassword>
EMSPassphrase: <EncryptionManagmentServicePassPhrase>
APSPassphrase: <AppServerServicePassPhrase>
EMSUserName: <EncryptionManagementServiceAccountUserName> #This is the CCS Service account, and it needs to be in the "exampledomain\\user" format
EMSPassword: <EncryptionManagementServicePassword>

 

NOTE: Before you install, open the Ansible inventory host file at /etc/ansible/hosts, uncomment the IP of the Application Server machine, and save it. For example, you can open the file with: vim /etc/ansible/hosts

 

Once that is all completed, run the following command on the Ansible Linux machine to install CCS Application Server on the remote server:

ansible-playbook CCS_APS_Install.yml -e @secureConfig.enc -e 'winhost=<IPAddressApplicationServer>'

 

Information on SQL Server Always On support for CCS databases

CCS v12.6.1 installer supports the SQL Server Always On feature. After the CCS database is created on SQL Server, you can take a Full backup of the CCS databases and configure SQL Server Always On for CCS production database (CSM_DB) and reporting database (CSM_Reports).

 

Additional Information

The secureConfig.enc file parameters

The following are the parameters that are available in the secureConfig.enc configuration file. The description and example for each parameter are described as comments. 

# User name of the user who has access to the Shared Location where the installer and scripts are copied/placed. The become_user configuration is used to set the user's context for running a script.
#become_user: "<example domain>\\<user name>"
become_user: ""

# Password of the become_user.
#become_pass: password
become_pass: ""

# HostName or IP address of ADAM Server
#ADAMServer: "<ADAM server HOSTNAME>"
ADAMServer: ""

# Port number of ADAM Server
#ADAMPort: 3890
ADAMPort: 3890

# Application Server Service Account user name
# apsusername: "<example domain>\\<user name>"
apsusername: ""

# Application Server Service Account password
# apspassword: password
apspassword: ""

# Application Server password
# APSPassphrase: password
APSPassphrase: ""

# Encryption key password
# EMSPassphrase: password
EMSPassphrase: ""

# Encryption Management Service Account user name
# EMSUserName: "<exampledomain>\\<user name>"
EMSUserName: "example.net\\<user1>"

# Encryption Management Service Account password
# EMSPassword: password
EMSPassword: ""

# Secure Key Password, a minimum of 10 characters long
# Enckeys_PassPhrase: password
Enckeys_PassPhrase: ""

# CCS Manager Certificate's password
# dpscertpassword: password
dpscertpassword: ""

# Hostname or IP address of the SQL Server where the CCS Production database is created
# ProductionSQLServerHost: "<production_database_server>\\<instance1>"
ProductionSQLServerHost: ""

# Instance name of the Production database; If the SQL Named instance is not being used, leave this parameter blank.
# ProductionSQLInstanceName: ""
ProductionSQLInstanceName: ""

# Production Database's port number
# ProductionSQLPortNumber: 1433
ProductionSQLPortNumber: 1433

# If SQL Server uses SSL configuration to connect to the Production database, set this parameter to TRUE, else set this parameter to FALSE
#ProductionUseSSL: FALSE
ProductionUseSSL: FALSE

# If Windows authentication is used to connect to the Production database, set this parameter to TRUE, else set this parameter to FALSE
# ProductionWindowsAuth: TRUE
ProductionWindowsAuth: TRUE

# If SQL authentication is used to connect to the Production database, set this parameter to TRUE, else set this parameter to FALSE; for the preview build, only Windows authentication is supported.
#ProductionSQLAuth: FALSE
ProductionSQLAuth: FALSE

# This parameter is applicable only when ProductionSQLAuth is set to TRUE; For the preview build, this parameter is set to blank
# ProductionSQLUserName: ""
ProductionSQLUserName: ""

# This parameter is applicable only when ProductionSQLAuth is set to TRUE; For the preview build, this parameter is set to blank
# ProductionSQLPassword: ""
ProductionSQLPassword: ""

# Name of the Production database
# ProductionDatabaseName: "CSM_DB"
ProductionDatabaseName: "CSM_DB"

# Hostname or IP address of the SQL server where the CCS Reporting database is created.
# ReportingSQLServerHost: "<reporting_database_server>\\<instance1>"
ReportingSQLServerHost: ""

# Instance name of the Reporting database; if an instance name is not used, set this parameter to blank
#ReportingSQLInstanceName: ""
ReportingSQLInstanceName: ""

# Port number of the Reporting database
#ReportingSQLPortNumber: 1433
ReportingSQLPortNumber: 1433

# If SQL Server uses SSL configuration to connect to the Reporting database, set this parameter to TRUE, else set this parameter to FALSE
#ReportingUseSSL: FALSE
ReportingUseSSL: FALSE

# If Windows authentication is used to connect to the Reporting database, set this parameter to TRUE, else set this parameter to FALSE
# ReportingWindowsAuth: TRUE
ReportingWindowsAuth: TRUE

# If SQL authentication is used to connect to the Reporting database, set this parameter to TRUE, else set this parameter to FALSE; for the preview build, only Windows authentication is supported.
#ReportingSQLAuth: FALSE
ReportingSQLAuth: FALSE

# This parameter is applicable only when ReportingSQLAuth is set to TRUE; For the preview build, this parameter is set to blank
# ReportingSQLUserName: ""
ReportingSQLUserName: ""

# This parameter is applicable only when ReportingSQLAuth is set to TRUE; For the preview build, this parameter is set to blank
# ReportingSQLPassword: ""
ReportingSQLPassword: ""

# Name of the Reporting database
# ReportingDatabaseName: "CSM_Reports"
ReportingDatabaseName: "CSM_Reports"

# Signature Algorithm to generate a CCS Manager certificate; set one of the following values
# sha1RSA, sha256RSA, sha384RSA, sha512RSA
# signature_algorithm: "sha1RSA"
signature_algorithm: "sha1RSA"

# Size of the key to generate a CCS Manager certificate, set one of the following values
# 2048, 3072, 4096
# keysize: "2048"
keysize: "2048"

# Name of the organization required to generate a CCS Manager certificate
# organization: "BROADCOM"
organization: ""
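
A validator for the constraints that the parameter comments above state (domain\user account names, the 10-character minimum for Enckeys_PassPhrase, the accepted signature algorithms and key sizes, SQL credentials only with SQL authentication), as an added example that is not part of the CCS scripts. The function names and the sample values are constructed, and the parser handles only the flat key: value lines this file uses.

```python
import re

SIG_ALGS = {"sha1RSA", "sha256RSA", "sha384RSA", "sha512RSA"}
KEY_SIZES = {"2048", "3072", "4096"}
# Constructed sample of a decrypted secureConfig.enc (no real values).
SAMPLE = r'''
become_user: "exampledomain\\svc_ccs"
apsusername: "svc_ccs"
EMSUserName: "exampledomain\\svc_ccs"
Enckeys_PassPhrase: "short"
signature_algorithm: "sha1RSA"
keysize: "1024"
ProductionSQLUserName: "sa"
'''


def parse_flat(text):
    """Parse the flat 'key: value' lines this file uses (not general YAML)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+):\s*(?:"([^"]*)"|([^#]*?))\s*(?:#.*)?$', line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            # A doubled backslash inside double quotes is one backslash in YAML.
            params[m.group(1)] = bare if quoted is None else quoted.replace("\\\\", "\\")
    return params


def validate(params):
    """Return findings for the constraints stated in the parameter comments."""
    out = []
    for key in ("become_user", "apsusername", "EMSUserName"):
        if not re.fullmatch(r"[^\\]+\\[^\\]+", params.get(key, "")):
            out.append(f"{key}: expected domain\\user")
    if len(params.get("Enckeys_PassPhrase", "")) < 10:
        out.append("Enckeys_PassPhrase: shorter than 10 characters")
    alg = params.get("signature_algorithm", "")
    if alg not in SIG_ALGS:
        out.append(f"signature_algorithm: {alg!r} is not an accepted value")
    elif alg == "sha1RSA":
        out.append("signature_algorithm: sha1RSA is accepted, but SHA-1 signatures are deprecated")
    if params.get("keysize") not in KEY_SIZES:
        out.append("keysize: must be 2048, 3072 or 4096")
    for db in ("Production", "Reporting"):
        creds = params.get(f"{db}SQLUserName") or params.get(f"{db}SQLPassword")
        if creds and params.get(f"{db}SQLAuth", "").upper() != "TRUE":
            out.append(f"{db}SQL credentials are stored but {db}SQLAuth is not TRUE")
    return out


if __name__ == "__main__":
    print("\n".join(validate(parse_flat(SAMPLE))))
```

To check a real file, pass the output of `ansible-vault view secureConfig.enc` to parse_flat() in place of SAMPLE.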