Step 4: Set up the Strategy Recommendations collector - Migration Hub Strategy Recommendations

Step 4: Set up the Strategy Recommendations collector

This section describes how to use the command line collector setup commands to configure the Migration Hub Strategy Recommendations application data collector. These configurations are stored locally.

Before you can use collector setup commands, you must create a bash shell session in the collector Docker container using the following docker exec command.

docker exec -it application-data-collector bash

The collector setup command runs all of the following commands in succession but you can run them individually:

  • collector setup --aws-configurations – Set up AWS configurations.

  • collector setup --vcenter-configurations – Set up vCenter configurations.

    Note

    vCenter configuration setup is only available if the collector is hosted on vCenter. However, you can force vCenter configuration setup by using the command collector setup --vcenter-configurations.

  • collector setup --remote-server-configurations – Set up remote server configurations.

  • collector setup --version-control-configurations – Set up version control configurations.

To set up all the collector configurations at the same time

  1. Enter the following command.

    collector setup

  2. Enter the information for AWS configurations as described in Set up AWS configurations.

  3. Enter the information for vCenter configurations as described in Set up vCenter configurations.

  4. Enter the information for remote server configurations as described in Set up remote server configurations.

  5. Enter the information for version control configurations as described in Set up version control configurations.

  6. Prepare your Windows and Linux servers for collector data collection by following the instructions in Prepare your remote Windows and Linux servers for data collection.

Set up AWS configurations

To set up AWS configurations, when using the collector setup command or the collector setup --aws-configurations command:

  1. Enter Y for yes to the Have you setup IAM permissions... question. You set up these permissions when you created an IAM user to access the collector using the AWSMigrationHubStrategyCollector managed policy following the steps in Creating an IAM Non-Administrative User.

  2. Enter your access key and secret key from the AWS account that has the IAM user that you created to access the collector following the steps in Creating an IAM Non-Administrative User.

  3. Enter a Region, for example, us-west-2. Choose a Region that suits your needs from the Regions that Strategy Recommendations uses. For a list of these Regions, see Strategy Recommendations endpoints in the AWS General Reference.

  4. Enter Y for yes to the Upload collector related metrics to migration hub strategy service? question. Metrics information helps AWS provide you with appropriate support.

  5. Enter Y for yes to the Upload collector related logs to migration hub strategy service? question. Information from logs helps AWS provide you with appropriate support.

The following example shows what displays, including example entries for the AWS configurations.

Have you setup IAM permissions in you AWS account as per doc [Y/N]: Y
AWS access key ID : access-key
AWS secret access Key : secret-access-key
AWS region name [us-west-2]: aws-region   
AWS configurations are saved successfully
Upload collector related metrics to assessment service? By default collector will upload metrics. [Y/N]: Y
Upload collector related logs to assessment service? By default collector will upload logs. [Y/N]: Y
Application data collector configurations are saved successfully
Start registering application data collector
Application data collector is registered successfully.

Set up vCenter configurations

To set up vCenter configurations, when using the collector setup command or the collector setup --vcenter-configurations command:

  1. Enter Y for yes to the Would you like to authenticate using VMware vCenter credentials question, if you want to authenticate using VMware vCenter credentials.

    Note

    Authenticating using VMware vCenter credentials requires that VMware tools are installed on the target servers.

    Enter the Host Url, which can be either the vCenter IP address or URL. Then, enter the Username and Password for VMware vCenter.

  2. Enter Y for yes to the Do you have Windows machines managed by VMware vCenter question, if you want to configure Windows servers.

    Enter the Username and Password for Windows.

    Note

    If your Windows Remote Server belongs to an Active Directory domain, you must enter the user name as domain-name\username when using the CLI to provide remote server configurations. For example, if the name of your domain is exampledomain and your user name is Administrator, then the user name you enter in the CLI is exampledomain\Administrator.

  3. Enter Y for yes to the Setup for Linux using VMware vCenter question, if you want to configure Linux servers.

    Enter the Username and Password for Linux.

  4. Enter Y for yes to the Would you like to setup credentials for servers outside vCenter using NTLM for Windows and SSH/Cert based for Linux question, if you want to set up remote server credentials for servers outside of vCenter.

  5. For the Would you like to use the same Windows credentials used during vCenter setup question, enter Y for yes if the credentials for the Windows machines managed outside of vCenter are the same as the credentials provided when configuring credentials for vCenter Windows machines. Otherwise, enter N for no.

    If you answer Y for yes, the following questions are asked.

    1. Enter Y for yes to the Are you okay with collector accepting and locally storing server certificates on your behalf during first interaction with windows servers? question.

    2. Enter 1 for the Enter your options question, if you want to configure for SSH authentication.

      If you choose to use SSH authentication, you must copy the generated key credentials to your Linux servers. For more information, see Set up key-based authentication on Linux servers.

The following example shows what displays and example entries for the VMware vCenter configurations.

Start setting up vCenter configurations for remote execution
Note: authenticating using VMware vCenter credentials requires VMware tools to be installed on the target servers
Would you like to authenticate using VMware vCenter credentials? [Y/N]: Y 
Host Url for VMware vCenter: host-url 
Username for VMware vCenter: username 
Password for VMware vCenter: 
Successfully stored vCenter credentials...
Setup for Windows using VMware vCenter? [Y/N]: Y 
Username for Windows: username
Password for Windows: 
Successfully stored vCenter windows credentials...
Setup for Linux using VMware vCenter? [Y/N]: Y 
Username for Linux: username
Password for Linux: 
Successfully stored vCenter linux credentials...
Would you like to setup credentials for servers outside vCenter using NTLM for windows and SSH/Cert based for linux? [Y/N]: Y
Would you like to use the same Windows credentials used during vCenter setup? [Y/N]: Y 
Are you okay with collector accepting and locally storing server certificates on your behalf during first interaction with windows servers? These certificates will be used by collector for secure communication with windows servers [Y/N]:Y
Successfully stored windows server credentials...
Please note that all windows server certificates are stored in directory /opt/amazon/application-data-collector/remote-auth/windows/certs

Please note the IP address of the collector and run the script specified in the user documentation on all the windows servers in your inventory
Would you like to setup credentials for servers not managed by vCenter using SSH/Cert based for Linux? [Y/N]: Y
Choose one of the following options for remote authentication:
1. SSH based authentication
2. Certificate based authentication
Enter your options [1-2]: 1 
Would you like to use the same Linux credentials used during vCenter setup? [Y/N]: Y 
Generating SSH key on this machine...
SSH key pair path: /opt/amazon/application-data-collector/remote-auth/linux/keys/id_rsa_assessment
Please add the public key "id_rsa_assessment.pub" to the "$HOME/.ssh/authorized_keys" file in your remote machines.
Your Linux remote server configurations are saved successfully.              

Set up remote server configurations

To set up remote server configurations, when using the collector setup command or the collector setup --remote-server-configurations command:

  1. Enter Y for yes to the Would you like to setup credentials for servers not managed by vCenter using NLTM for Windows question, if you want to configure Windows servers.

    Enter the Username and Password for WinRM.

    Note

    If your Windows Remote Server belongs to an Active Directory domain, you must enter the user name as domain-name\username when using the CLI to provide remote server configurations. For example, if the name of your domain is exampledomain and your user name is Administrator, then the user name you enter in the CLI is exampledomain\Administrator.

    Enter Y for yes to the Are you okay with collector accepting and locally storing server certificates on your behalf during first interaction with windows servers? question. Windows Server certificates are stored in the directory /opt/amazon/application-data-collector/remote-auth/windows/certs.

    You must copy the generated server credentials to your Windows servers. For more information, see Set up remote server configuration on Windows servers.

  2. Enter Y for yes to the Setup for Linux using SSH or Cert question, if you want to configure Linux servers.

  3. Enter 1 for the Enter your options question, if you want to configure for SSH key based authentication.

    If you choose to use SSH authentication, you must copy the generated key credentials to your Linux servers. For more information, see Set up key-based authentication on Linux servers.

  4. Enter 2 for the Enter your options question, if you want to configure for certificate-based authentication.

    For information about setting up certificate-based authentication, see Set up certificate-based authentication on Linux servers.

The following example shows what displays and example entries for the remote server configurations.

Setting up target server for remote execution
Would you like to setup credentials for servers not managed by vCenter using NLTM for Windows [Y/N]: Y
Username for WinRM: username //Enter domain-name\username, if the server is in AD domain
Password for WinRM: password
Are you okay with collector accepting and locally storing server certificates on your behalf during first interaction with windows servers? These certificates will be used by collector for secure communication with windows servers [Y/N]: Y
Successfully stored windows server credentials...
Please note that all windows server certificates are stored in directory /opt/amazon/application-data-collector/remote-auth/windows/certs

Please note the IP address of the collector and run the script specified in the user documentation on all the windows servers in your inventory
Would you like to setup credentials for servers not managed by vCenter using SSH/Cert based for Linux? [Y/N]: Y
Choose one of the following options for remote authentication:
1. SSH based authentication
2. Certificate based authentication
Enter your options [1-2]: 1 
User name for remote server: username
Generating SSH key on this machine...
SSH key pair path: /opt/amazon/application-data-collector/remote-auth/linux/keys/id_rsa_assessment
Please add the public key "id_rsa_assessment.pub" to the "$HOME/.ssh/authorized_keys" file in your remote machines.
Your Linux remote server configurations are saved successfully.               

Set up version control configurations

To set up version control configurations, when using the collector setup command or the collector setup --version-control-configurations command:

  1. Enter Y for yes to the Set up source code analysis? question.

  2. Enter 1 for the Enter your options question, if you want to configure the Git server endpoint.

    Enter github.com for the GIT server endpoint:.

  3. Enter 2 for the Enter your options question, if you want to configure a GitHub Enterprise Server.

    Enter the enterprise endpoint without https://, as follows: GIT server endpoint: git-enterprise-endpoint

  4. Enter your Git username and personal access token.

  5. Enter Y for yes to the Do you have any csharp repositories that should be analyzed on a windows machine? question, if you want to analyze C# code.

    Note

    To analyze .NET repositories for Porting Assistant for .NET recommendations, you must provide a Windows machine that is set up with the Porting Assistant for .NET porting assessment tool. For more information, see Getting started with Porting Assistant for .NET in the Porting Assistant for .NET User Guide.

  6. For the Would you like to reuse existing windows credentials on this machine? question, enter Y for yes if the Windows machine for C# source code analysis uses the same credentials as those previously provided when setting up --remote-server-configurations or --vcenter-configurations.

    Enter N for no, if you want to enter new credentials.

  7. To use VMWare vCenter Windows Machine credentials, enter 1 for Choose one of the following options for windows credentials.

  8. Enter the IP address for the Windows machine.

The following example shows what displays and example entries for the version control configurations.

Set up for source code analysis [Y/N]: Y
Choose one of the following options for version control type:
1. GIT
2. GIT Enterprise
Enter your options [1-2]: 1 
GIT server endpoint: github.com
Your GIT username: username
Personal access token [None]: token
Do you have any csharp repositories that should be analyzed on a windows machine? [Y/N]: Y
Would you like to reuse existing windows credentials on this machine? [Y/N]: Y
Choose one of the following options for windows credentials:
1. VMWare vCenter Windows Machine
2. Standard Windows Machine
Enter your options [1-2]: 1 
Windows machine IP Address: ip-address 
Using VMWare vCenter Windows Machine credentials
Successfully stored windows server credentials...       

Prepare your remote Windows and Linux servers for data collection

Note

This step isn’t necessary if you set up the Strategy Recommendations application data collector using vCenter credentials.

After you set up your remote server configurations, if you are using the collector setup command or the collector setup --remote-server-configurations command, you must prepare your remote servers so that the Strategy Recommendations applications data collector can collect data from them.

Note

You must make sure that the servers are reachable using their private IP address. For further instructions on how to set up the environment through a virtual private cloud (VPC) on AWS for remote running, see the Amazon Virtual Private Cloud User Guide.

To prepare your remote Linux servers, see Prepare remote Linux servers.

To prepare your remote Windows servers, see Set up remote server configuration on Windows servers.

Prepare remote Linux servers

Set up key-based authentication on Linux servers

If you choose to set up SSH key-based authentication for Linux when configuring remote server configurations, you must perform the following steps to set up key-based authentication on your servers so that data can be collected by the Strategy Recommendations applications data collector.

To set up key-based authentication on your Linux servers

  1. Copy the public key generated with the name id_rsa_assessment.pub from the following folder in the container:

    /opt/amazon/application-data-collector/remote-auth/linux/keys.

  2. Append the copied public key to the $HOME/.ssh/authorized_keys file on all the remote machines. If the file doesn't exist, create it using the touch or vim command.

  3. Make sure that the home folder on the remote server has permission level 755 or less. If it's 777, it won't work. You can use the chmod command to restrict permissions.
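The three steps above can be scripted so that they are repeatable on every server. The following is an added example, not AWS-provided code: the function name install_collector_key is hypothetical, and it assumes id_rsa_assessment.pub has already been copied to the remote server and that the script runs as the account the collector logs in with.

```bash
#!/usr/bin/env bash
# Added example, not AWS-provided code. Run on each remote Linux server as the
# account the collector logs in with.

# install_collector_key <pubkey-file> <home-dir>
# Idempotent: the key line is appended to authorized_keys only once.
install_collector_key() {
    local pubkey_file="$1" home_dir="$2"
    local ssh_dir="$home_dir/.ssh"
    local auth_file="$ssh_dir/authorized_keys"
    local key

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Drop CRs left by a Windows copy, then require exactly one non-empty line,
    # so a private key pasted by mistake is rejected.
    key=$(tr -d '\r' < "$pubkey_file" | grep .) || return 1
    if [ "$(printf '%s\n' "$key" | grep -c .)" -ne 1 ]; then
        echo "expected a single public-key line" >&2; return 1
    fi
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Step 2: create ~/.ssh and authorized_keys if missing, accessible by the owner only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Keep an existing last entry intact if the file lacks a trailing newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"

    # Step 3: 777 becomes 755; stricter modes such as 700 or 750 are left alone.
    chmod go-w "$home_dir"
}
```

For example, install_collector_key ./id_rsa_assessment.pub "$HOME" installs the key for the current account.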

Set up certificate-based authentication on Linux servers

If you choose to set up certificate-based authentication for Linux when configuring remote server configurations, you must perform the following steps so that data can be collected by the Strategy Recommendations application data collector.

We recommend this option if you already have a Certificate Authority (CA) set up for your application servers.

To set up certificate-based authentication on your Linux servers

  1. Copy the user name that works with all your remote servers.

  2. Copy the public key of the collector to the CA.

    The public key for the collector can be found in the following location:

    /opt/amazon/application-data-collector/remote-auth/linux/keys/id_rsa_assessment.pub

    This public key must be added to your CA for generating the certificate.

  3. Copy the certificate generated in the previous step to the following location in the collector:

    /opt/amazon/application-data-collector/remote-auth/linux/keys

    The name of the certificate must be id_rsa_assessment-cert.pub.

  4. Provide the certificate file name during the setup step.
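Steps 2 and 3 do not say how the CA issues the certificate. The following added example (not AWS-provided code) assumes the CA is an OpenSSH user CA that your servers already trust, and signs the collector's public key with a single principal, a limited validity period, and a source-address restriction. The function names, the key ID string, the principal svc-collector, and the CIDR used in any call are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not AWS-provided code. Assumes an OpenSSH user CA; run on the CA host
# after copying id_rsa_assessment.pub from the collector.

# sign_collector_key <ca-private-key> <collector-pubkey> <principal> <collector-cidr> [validity]
# Prints the path of the certificate that ssh-keygen writes next to the public key.
sign_collector_key() {
    local ca_key="$1" pubkey="$2" principal="$3" source_cidr="$4"
    local validity="${5:-+30d}"   # assumed default: certificate expires after 30 days

    # -n limits the certificate to the one user name from step 1.
    # The -O options drop forwarding features (assumed unnecessary for data collection)
    # and make the certificate valid only from the collector's address.
    ssh-keygen -q -s "$ca_key" \
        -I "strategy-recommendations-collector" \
        -n "$principal" \
        -V "$validity" \
        -O no-port-forwarding -O no-agent-forwarding -O no-x11-forwarding \
        -O source-address="$source_cidr" \
        "$pubkey" || return 1

    # ssh-keygen names the output <key>-cert.pub, so id_rsa_assessment.pub yields
    # id_rsa_assessment-cert.pub, the file name required in step 3.
    printf '%s\n' "${pubkey%.pub}-cert.pub"
}

# cert_principals <cert-file>
# Lists the principals in a certificate so they can be checked before it is copied
# back to the collector.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { in_list = 1; next }
        /Critical Options:/ { in_list = 0 }
        in_list             { gsub(/^[ \t]+/, ""); print }'
}
```

Because the certificate expires, plan to re-sign the key and replace id_rsa_assessment-cert.pub on the collector before the validity period ends.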

Set up remote server configuration on Windows servers

If you choose to set up Windows when configuring remote server configurations in the collector setup, you must perform the following steps so that data can be collected by Strategy Recommendations.

To understand more about the PowerShell script that is executed on the remote server, read this note.

The script enables PowerShell remoting and disables all authentication methods other than Negotiate, which is used for Windows NT LAN Manager (NTLM). It sets the WSMan "AllowUnencrypted" setting to false to ensure that the newly created listener accepts only encrypted traffic. It then creates a self-signed certificate using the Microsoft provided script, New-SelfSignedCertificateEx.ps1.

The script removes any WSMan instance that has an HTTP listener, along with existing HTTPS listeners, and then creates a new HTTPS listener. It also creates an inbound firewall rule for TCP port 5986. In the final step, the WinRM service is restarted.

To set up data collection through a remote connection on your Windows 2008 servers

  1. Use the following command to check the version of PowerShell installed on your server.

    $PSVersionTable

  2. If the PowerShell version is not 5.1, then download and install WMF 5.1 by following the instructions at Install and Configure WMF 5.1 in the Microsoft documentation.

  3. Use the following command in a new PowerShell window to ensure that PowerShell 5.1 is installed.

    $PSVersionTable

  4. Follow the next set of steps, which describe how to set up data collection through a remote connection on Windows 2012 and above.

To set up data collection through a remote connection on your Windows 2012 and newer servers

  1. Download the setup script from the following URL:

    https://application-data-collector-release.s3.us-west-2.amazonaws.com/scripts/WinRMSetup.ps1

  2. Download the New-SelfSignedCertificateEx.ps1 from the following URL and paste the script into the same folder in which you downloaded WinRMSetup.ps1:

    https://github.com/Azure/azure-libraries-for-net/blob/master/Samples/Asset/New-SelfSignedCertificateEx.ps1

  3. To complete the setup, run the downloaded PowerShell script on all application servers.

    .\WinRMSetup.ps1

Note

If Windows Remote Management (WinRM) is not set up properly on the Windows Remote Server, an attempt to collect data from that server will fail. If this happens, you must delete the certificate that corresponds to that server from the following location on the container:

/opt/amazon/application-data-collector/remote-auth/windows/certs/ads-server-id.cer

After you delete the certificate, wait for the data collection process to be retried.

Next step

Step 5: Use Strategy Recommendations in the Migration Hub console to get recommendations