Script

The document provides instructions for installing ObserveIT software on a Windows server. It includes steps to install SQL Server databases, IIS web sites, SSL certificates and ObserveIT application files. Powershell scripts are used to configure IIS, install prerequisites and grant permissions to service accounts.

Uploaded by

Dương Dương

OITServiceAccount@cyberark-lab.local Admin@123

1. DBA: (run this on the web server, logged in with the service account; the service account must be added to the local admins, and it must be allowed to log in to the database with Windows authentication, with the creator and security admin roles)

$observeitInstallerPath = "c:\temp\ObserveIT_Setup_v7.14.3.65"

Start-Process "$observeitInstallerPath\DB\SQLPackage.exe" -ArgumentList "/server:WIN-GT71PRNHMF1.cyberark-lab.local", "/makedatabase", "/quiet" -Wait

Get-Content "$observeitInstallerPath\DB\Sql_Setup.txt" | Select-String -Pattern "Package executed successfully"

If the line "Package executed successfully" appears, this step is done.

The lab has already completed this step.

2. Web console:

Note: run the block below in PowerShell with administrator rights.

Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Stat-Compression, Web-Security, Web-Filtering, Web-App-Dev, Web-Net-Ext45, Web-Asp, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Compat, Web-Mgmt-Console, NET-WCF-Services45, NET-WCF-HTTP-Activation45 -IncludeManagementTools

$observeitInstallerPath = "c:\temp\ObserveIT_Setup_v7.14.3.65"
$SQLServer = 'WIN-GT71PRNHMF1.cyberark-lab.local'
$DNSForestName = "cyberark-lab.local"
$Creds = Get-Credential
$WebSiteName = 'ObserveITWebConsole'
$WebSitePort = "443"
$WebSiteProtocol = "https"
$ComputerName = (Get-WmiObject -Class Win32_ComputerSystem).PSComputerName
$MachineFQDN = $ComputerName + '.' + $DNSForestName
$ApplicationPool = "IIS:\AppPools\$WebSiteName"
$WebSiteBinding = ":" + $WebSitePort + ":"
$OutputDestination = 'C:\temp'

New-Item -Name ObserveIT -Path "C:\Program Files" -ItemType Directory
New-Item -Name Web -Path "C:\Program Files\ObserveIT" -ItemType Directory
Import-Module WebAdministration
New-Item $ApplicationPool -Force
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 'C:\Program Files\ObserveIT\Web\' -Bindings @{protocol = $WebSiteProtocol; bindingInformation = $WebSiteBinding } -Force
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -Value $WebSiteName -Force

Import-Module WebAdministration
$ConfigSection = Get-IISConfigSection -SectionPath "system.webServer/security/access" -Location "$WebSiteName"
Set-IISConfigAttributeValue -AttributeName sslFlags -AttributeValue Ssl -ConfigElement $ConfigSection
Get-IISConfigAttributeValue -ConfigElement $ConfigSection -AttributeName sslFlags

Set-ItemProperty -Path "IIS:\Sites\$WebSiteName" -Name Logfile.enabled -Value $false

$NodeJSInstaller = $observeitInstallerPath + '\Web\PreRequisite_nodeServices.exe'
$ComponentInstallArguments = "wconly=1", "sqlcli=1", "/install", "/quiet", "/norestart", "/log PreRequisite_nodeServices.log"
Start-Process $NodeJSInstaller -ArgumentList $ComponentInstallArguments -Wait

Wait for the command above to finish, then run this:

function Set-LogonRight ($accountToAdd) {
    # Grants "Log on as a service" (SeServiceLogonRight) to the given account.
    # Uses return instead of exit so a failure does not close the interactive session.
    if ( [string]::IsNullOrEmpty($accountToAdd) ) {
        Write-Output "no account specified"
        return
    }
    # Resolve the account name to its SID
    $sidstr = $null
    try {
        $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
        $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
        $sidstr = $sid.Value.ToString()
    } catch {
        $sidstr = $null
    }
    Write-Output "Account: $($accountToAdd)"
    if ( [string]::IsNullOrEmpty($sidstr) ) {
        Write-Output "Account not found!"
        return
    }
    Write-Output "Account SID: $($sidstr)"
    $tmp = [System.IO.Path]::GetTempFileName()
    Write-Output "Export current Local Security Policy"
    secedit.exe /export /cfg "$($tmp)"
    $c = Get-Content -Path $tmp
    # Read the current SeServiceLogonRight assignment from the export
    $currentSetting = ""
    foreach ($s in $c) {
        if ( $s -like "SeServiceLogonRight*") {
            $x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
            $currentSetting = $x[1].Trim()
        }
    }
    if ( $currentSetting -notlike "*$($sidstr)*" ) {
        Write-Output "Modify Setting ""Logon as a Service"""
        # Prepend the new SID to the existing list
        if ( [string]::IsNullOrEmpty($currentSetting) ) {
            $currentSetting = "*$($sidstr)"
        } else {
            $currentSetting = "*$($sidstr),$($currentSetting)"
        }
        Write-Output "$currentSetting"
        $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@
        $tmp2 = [System.IO.Path]::GetTempFileName()
        Write-Output "Import new settings to Local Security Policy"
        $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
        Push-Location (Split-Path $tmp2)
        try {
            secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
        } finally {
            Pop-Location
        }
    } else {
        Write-Output "NO ACTIONS REQUIRED! Account already in ""Logon as a Service"""
    }
    Write-Output "Done."
}

Set-LogonRight "$($Creds.GetNetworkCredential().UserName)"

When it reports Done, run this next:

$ComponentInstallArguments = "/i", ($observeitInstallerPath + '\Web\WebConsole\ObserveIT.WebConsoleSetup.msi'),
    "/qb", "/norestart", "DATABASE_SERVER=$SQLServer",
    "TARGETAPPPOOL=$WebSiteName", "TARGETSITE=$WebSiteName",
    "DATABASE_LOGON_TYPE=WindowsAccount",
    "SERVICE_USERNAME=$($Creds.GetNetworkCredential().Domain + '\' + $Creds.GetNetworkCredential().UserName)",
    "SERVICE_PASSWORD=$($Creds.GetNetworkCredential().Password)", "/leo", ".\WebConsoleMSI.log"

Start-Process msiexec.exe -ArgumentList $ComponentInstallArguments -Wait -NoNewWindow

When that is done, run this next:

Set-Location "C:\Program Files\ObserveIT\Web\V2\apis"

Get-ChildItem *.zip | foreach {Expand-Archive -LiteralPath $_.FullName -DestinationPath $($_.Directory.ToString() + '\' + $_.BaseName.ToString()) -Force}

Set-Location "C:\Program Files\ObserveIT\Web\V2\apps"

Get-ChildItem *.zip | foreach {Expand-Archive -LiteralPath $_.FullName -DestinationPath $($_.Directory.ToString() + '\' + $_.BaseName.ToString()) -Force}

When that is done, run this to check whether the installation is correct:

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
iisreset /start
Import-Module WebAdministration
Get-IISSite $WebSiteName | Start-IISSite
$CurrentURL = $WebSiteProtocol + '://localhost:' + $WebSitePort + '/ObserveIT/FormLoginAuth.aspx?UserDefaultPage=True'
(Invoke-WebRequest $CurrentURL).RawContent -match 'ObserveIT - Login Page'

Once all of that is done, move on to installing the application server.


3. Application
Open PowerShell as administrator.

Run the commands below to install the Windows prerequisites:

Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Stat-Compression, Web-Security, Web-Filtering, Web-App-Dev, Web-Net-Ext45, Web-Asp, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Compat, Web-Mgmt-Console, NET-WCF-Services45, NET-WCF-HTTP-Activation45 -IncludeManagementTools

When that is done, open PowerShell as the service account:

$observeitInstallerPath = "c:\temp\ObserveIT_Setup_v7.14.3.65"
$SQLServer = 'WIN-GT71PRNHMF1.cyberark-lab.local'
$DNSForestName = "cyberark-lab.local"
$Creds = Get-Credential
$WebSiteName = 'ObserveITApplicationServer'
$WebSitePort = "443"
$WebSiteProtocol = "https"
$ComputerName = (Get-WmiObject -Class Win32_ComputerSystem).PSComputerName
$MachineFQDN = $ComputerName + '.' + $DNSForestName
$ApplicationPool = "IIS:\AppPools\$WebSiteName"
$WebSiteBinding = ":" + $WebSitePort + ":"
$OutputDestination = 'C:\temp'

Then run this:

New-Item -Name ObserveIT -Path "C:\Program Files" -ItemType Directory
New-Item -Name Web -Path "C:\Program Files\ObserveIT" -ItemType Directory
Import-Module WebAdministration
New-Item $ApplicationPool -Force
New-Item IIS:\Sites\$WebSiteName -PhysicalPath 'C:\Program Files\ObserveIT\Web\' -Bindings @{protocol = $WebSiteProtocol; bindingInformation = $WebSiteBinding } -Force
Set-ItemProperty IIS:\Sites\$WebSiteName\ -Name applicationpool -Value $WebSiteName -Force

Then run this to require SSL for the application:

Import-Module WebAdministration
$ConfigSection = Get-IISConfigSection -SectionPath "system.webServer/security/access" -Location "$WebSiteName"
Set-IISConfigAttributeValue -AttributeName sslFlags -AttributeValue Ssl -ConfigElement $ConfigSection
Get-IISConfigAttributeValue -ConfigElement $ConfigSection -AttributeName sslFlags

Then run this:

Set-ItemProperty -Path "IIS:\Sites\$WebSiteName" -Name Logfile.enabled -Value $false

Then add the SSL certificate.
After the certificate is added, run this to install the app:

$NodeJSInstaller = $observeitInstallerPath + '\Web\PreRequisite_nodeServices.exe'
$ComponentInstallArguments = "wconly=1", "sqlcli=1", "/install", "/quiet", "/norestart", "/log PreRequisite_nodeServices.log"
Start-Process $NodeJSInstaller -ArgumentList $ComponentInstallArguments -Wait

Then run this:

function Set-LogonRight ($accountToAdd) {
    # Grants "Log on as a service" (SeServiceLogonRight) to the given account.
    # Uses return instead of exit so a failure does not close the interactive session.
    if ( [string]::IsNullOrEmpty($accountToAdd) ) {
        Write-Output "no account specified"
        return
    }
    # Resolve the account name to its SID
    $sidstr = $null
    try {
        $ntprincipal = New-Object System.Security.Principal.NTAccount "$accountToAdd"
        $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
        $sidstr = $sid.Value.ToString()
    } catch {
        $sidstr = $null
    }
    Write-Output "Account: $($accountToAdd)"
    if ( [string]::IsNullOrEmpty($sidstr) ) {
        Write-Output "Account not found!"
        return
    }
    Write-Output "Account SID: $($sidstr)"
    $tmp = [System.IO.Path]::GetTempFileName()
    Write-Output "Export current Local Security Policy"
    secedit.exe /export /cfg "$($tmp)"
    $c = Get-Content -Path $tmp
    # Read the current SeServiceLogonRight assignment from the export
    $currentSetting = ""
    foreach ($s in $c) {
        if ( $s -like "SeServiceLogonRight*") {
            $x = $s.split("=", [System.StringSplitOptions]::RemoveEmptyEntries)
            $currentSetting = $x[1].Trim()
        }
    }
    if ( $currentSetting -notlike "*$($sidstr)*" ) {
        Write-Output "Modify Setting ""Logon as a Service"""
        # Prepend the new SID to the existing list
        if ( [string]::IsNullOrEmpty($currentSetting) ) {
            $currentSetting = "*$($sidstr)"
        } else {
            $currentSetting = "*$($sidstr),$($currentSetting)"
        }
        Write-Output "$currentSetting"
        $outfile = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($currentSetting)
"@
        $tmp2 = [System.IO.Path]::GetTempFileName()
        Write-Output "Import new settings to Local Security Policy"
        $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force
        Push-Location (Split-Path $tmp2)
        try {
            secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS
        } finally {
            Pop-Location
        }
    } else {
        Write-Output "NO ACTIONS REQUIRED! Account already in ""Logon as a Service"""
    }
    Write-Output "Done."
}

Set-LogonRight "$($Creds.GetNetworkCredential().UserName)"

If that runs OK, continue with this:

$ComponentInstallArguments = "/i", ($observeitInstallerPath + '\Web\AppServer\ObserveIT.AppServerSetup.msi'),
    "/qb", "/norestart", "DATABASE_SERVER=$SQLServer",
    "TARGETAPPPOOL=$WebSiteName", "TARGETSITE=$WebSiteName",
    "DATABASE_LOGON_TYPE=WindowsAccount",
    "SERVICE_USERNAME=$($Creds.GetNetworkCredential().Domain + '\' + $Creds.GetNetworkCredential().UserName)",
    "SERVICE_PASSWORD=$($Creds.GetNetworkCredential().Password)", "/leo", ".\AppServerMSI.log"

The two pieces above are a single command; when it is done, run this next:

Start-Process msiexec.exe -ArgumentList $ComponentInstallArguments -Wait -NoNewWindow

When that has finished, run this command to check whether the installation is correct:

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
iisreset /start
Import-Module WebAdministration
Get-IISSite $WebSiteName | Start-IISSite
$CurrentURL = $WebSiteProtocol + '://localhost:' + $WebSitePort + '/ObserveitApplicationServer/v2/apis/health/_health'
Invoke-WebRequest $CurrentURL -UseBasicParsing
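
Both verification steps in this document (web console and application server) turn off certificate validation for the whole session with TrustAllCertsPolicy. As an added example (not part of the original document and not ObserveIT's own code), the same health check can accept only the certificate that is actually bound to the site. The PinnedCertCheck class is a hypothetical helper; Windows PowerShell 5.1 in a fresh elevated session is assumed, with $WebSiteName, $WebSiteProtocol and $WebSitePort set as above.

```powershell
# Added example: run in a NEW session, so no connection opened under
# TrustAllCertsPolicy is reused without being validated again.
Import-Module WebAdministration

# Thumbprint of the certificate bound to the site's https binding.
$binding = Get-WebBinding -Name $WebSiteName -Protocol https | Select-Object -First 1
if (-not $binding -or [string]::IsNullOrEmpty($binding.certificateHash)) {
    throw "No certificate is bound to the https binding of '$WebSiteName'."
}

# Hypothetical helper class: accept only the certificate with the pinned thumbprint.
Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertCheck {
    public static string Thumbprint;
    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors) {
        if (cert == null || Thumbprint == null) { return false; }
        string seen = new X509Certificate2(cert).Thumbprint;
        return string.Equals(seen, Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
    public static void Enable(string thumbprint) {
        Thumbprint = thumbprint;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
    public static void Disable() {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
"@

$CurrentURL = $WebSiteProtocol + '://localhost:' + $WebSitePort +
    '/ObserveitApplicationServer/v2/apis/health/_health'
try {
    [PinnedCertCheck]::Enable($binding.certificateHash)
    $response = Invoke-WebRequest $CurrentURL -UseBasicParsing
    "Health endpoint returned HTTP $($response.StatusCode)"
} finally {
    # Restore default certificate validation for the rest of the session.
    [PinnedCertCheck]::Disable()
}
```

For the web console check, set $WebSiteName to 'ObserveITWebConsole' and use the '/ObserveIT/FormLoginAuth.aspx?UserDefaultPage=True' path from step 2 instead.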
