Matilda Discover Architecture #
The diagram below describes the components of Matilda Discover, and highlights the Discover Analysis Database, in which the data about your applications and their supporting software and hardware is stored for subsequent use by Matilda Migrate. Matilda Migrate automates the migration of the discovered applications to the clouds of your choice.
Matilda Discover Installation #
The following installation guide pertains to on-premise installation. Please contact Matilda Cloud to assist with on-premise installation.
Matilda Server Requirements #
Supported Operating Systems #
Operating System | Versions Supported |
RHEL | 7.8 or 7.9 |
CentOS | 7.8 or 7.9 |
Ubuntu | 18.04 or 20.04 |
SUSE | 12 or 15 |
Note: cat /etc/os-release provides the details related to each operating system
Required Matilda Server Capacity #
Matilda Discover Requirements for a Customer Environment Size: 1-100 Instances | |
vCPU | 4 |
RAM | 8 GB |
Storage | 100 GB |
File System Requirements | Root (/) – 30 GB; Var (/var) – 90 GB; Tool (/matilda) – 100 GB |
User Access Requirements | 1) User account with root permissions should be created on the server. 2) Enable switching to root context with no password authentication on Matilda Server. |
Matilda Discover Requirements for a Customer Environment Size: 1-500 Instances | |
vCPU | 8 |
RAM | 16 GB |
Storage | 200 GB |
File System Requirements | Root (/) – 30 GB; Var (/var) – 90 GB; Tool (/matilda) – 200 GB |
User Access Requirements | 1) User account with root permissions should be created on the server. 2) Enable switching to root context with no password authentication on Matilda Server. |
Matilda Discover Requirements for a Customer Environment Size: 1-1000 Instances | |
vCPU | 12 |
RAM | 24 GB |
Storage | 350 GB |
File System Requirements | Root (/) – 30 GB; Var (/var) – 90 GB; Tool (/matilda) – 350 GB |
User Access Requirements | 1) User account with root permissions should be created on the server. 2) Enable switching to root context with no password authentication on Matilda Server. |
Ports to be Open on the Matilda Server #
Ports | Direction | Comments |
22, 443, 8443 | Incoming to Matilda Server | Port 22 is used to connect to the server to deploy the tool. Ports 443 and 8443 are used to run the Matilda Platform in the customer environment and to make the Matilda Discover platform accessible from the VDI/VPN/customer internal network. |
22, 5985/5986, 445, 1433, 1521, 3306, 27017, custom database ports | Outgoing from Matilda Server | SNMP: 161/162 (optional); Linux/Unix – SSH: 22; Windows – WinRM: 5985/5986, SMB: 445; Database ports – Oracle DB: 1521, MSSQL: 1433, MySQL: 3306, MongoDB: 27017; Cloud services: HTTPS/443 |
Access to External URLs #
The Matilda Discover server needs access to the external URLs below to set up Matilda Discover.
- https://auth.docker.io/
- https://bitbucket.org/
- https://dev.azure.com/
- https://hub.docker.com/
- https://matildacloud.atlassian.net/
- https://production.cloudflare.docker.com/
- https://registry-1.docker.io/
- https://dl.fedoraproject.org/
If you are unable to download the docker images, please use the below policies in your S3 bucket:
- arn:aws:s3:::docker-images-prod
- arn:aws:s3:::docker-images-prod/*
Matilda Software Installation Prerequisites – Linux Commands #
SSH into the instance and switch to root to execute the following commands:
Packages | Operating System-RHEL/Centos | Operating System-Ubuntu |
curl | yum install -y curl | apt-get install -y curl |
git | yum install -y git | apt-get install -y git |
host | yum install -y host | apt-get install -y host |
nc | yum install -y nc | apt-get install -y nc |
openssl | yum install -y openssl | apt-get install -y openssl |
unzip | yum install -y unzip | apt-get install -y unzip |
tar | yum install -y tar | apt-get install -y tar |
To install the prerequisite Linux commands on a RHEL/Centos instance, please install the packages below:
# yum install -y git curl unzip bind-utils nmap-ncat openssl tar
To install the prerequisite Linux commands on an Ubuntu instance, install the packages below:
# apt-get install -y git curl unzip dnsutils netcat openssl tar
Steps for Running a Precheck on the Server #
For on-premise installation, Matilda Cloud will conduct prechecks on the environment.
- Clone the below repository as root. The Matilda team will provide the necessary credentials to clone the git repository.
# git clone https://dev.azure.com/matildabuild/migrate/_git/discover
- Change the directory to discover.
# cd discover
- Create a directory named /matilda and mount additional storage (350GB).
# mkdir /matilda
- Run the matilda_precheck.sh script and fix any errors it reports.
# ./matilda_precheck.sh
The precheck script will fail in any one of the following cases:
- If the VM requirements (CPU/Memory/FileSystem Size) are not met.
- If the installation prerequisites commands list is not executed prior to the precheck.
- If the mount point /matilda is not created.
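A local pre-flight check for the three failure cases listed above, as an added example; it is not Matilda's matilda_precheck.sh, whose checks are not shown on this page. The thresholds and command list are copied from the sizing tables and prerequisites above, the function names are hypothetical, and a Linux host with /proc/meminfo and nproc is assumed.

```shell
#!/bin/sh
# Added example, not matilda_precheck.sh; thresholds copied from this page.

# Print "vCPU RAM_GB TOOL_GB" minimums for an environment of $1 instances.
tier_requirements() {
    if   [ "$1" -le 100 ];  then echo "4 8 100"
    elif [ "$1" -le 500 ];  then echo "8 16 200"
    elif [ "$1" -le 1000 ]; then echo "12 24 350"
    else return 1   # this page gives no sizing above 1000 instances
    fi
}

# Print the names of the given commands that are not on PATH.
missing_commands() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || printf '%s ' "$c"
    done
}

# Compare a measured value with its minimum: check_min LABEL ACTUAL REQUIRED
check_min() {
    if [ "$2" -ge "$3" ]; then echo "OK   $1: $2 (need $3)"
    else echo "FAIL $1: $2 (need $3)"; return 1
    fi
}

# Size in GB of the filesystem mounted exactly at $1; 0 if $1 is not a mount
# point. Filesystem overhead makes this slightly smaller than the raw disk.
mount_size_gb() {
    df -P -k "$1" 2>/dev/null |
        awk -v m="$1" 'NR == 2 && $6 == m { print int($2 / 1048576) }' |
        grep . || echo 0
}

precheck_report() {   # precheck_report INSTANCE_COUNT
    req=$(tier_requirements "$1") || { echo "no sizing for $1"; return 2; }
    set -- $req; rc=0
    ram=$(awk '/^MemTotal:/ { print int(($2 + 1048575) / 1048576) }' /proc/meminfo)
    check_min "vCPU" "$(nproc)" "$1" || rc=1
    check_min "RAM GB" "$ram" "$2" || rc=1
    check_min "/ GB" "$(mount_size_gb /)" 30 || rc=1
    check_min "/var GB" "$(mount_size_gb /var)" 90 || rc=1
    check_min "/matilda GB" "$(mount_size_gb /matilda)" "$3" || rc=1
    miss=$(missing_commands curl git host nc openssl unzip tar)
    [ -z "$miss" ] || { echo "FAIL missing commands: $miss"; rc=1; }
    return "$rc"
}

if [ "$#" -gt 0 ]; then precheck_report "$1"; fi
```

Run it as root with the planned instance count as the only argument; a non-zero exit status means at least one requirement from this page is not met.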
Matilda SME Access on the Matilda Server #
- A user account with root permissions must be created on the server.
- Enable switching to root context with no password authentication on the Matilda Server.
If the Matilda Server is Accessed Through a Bastion or Citrix server #
If a bastion server or Citrix server is used to connect to the Matilda Server, the following software and ports are required:
- PuTTY – Version 0.74 (any SSH client software)
- Google Chrome – Version 87.0
- Microsoft Office Excel
- Access to Matilda server from Bastion
If the Matilda Server is Running Behind a Proxy Server to Connect to the Internet #
Please perform the following steps:
- Create the directory below:
# mkdir -p /etc/systemd/system/docker.service.d
- Create the following file and add the content that matches your proxy setup:
# vi /etc/systemd/system/docker.service.d/http-proxy.conf
File contents (if not using password):
[Service]
Environment="HTTP_PROXY=http://<proxy_URL>:<port>"
Environment="HTTPS_PROXY=https://<proxy_URL>:<port>"
If you are using a password to connect to the proxy, then update the following content in the file:
[Service]
Environment="HTTP_PROXY=http://USERNAME:PASSWORD@SERVER:PORT/"
Environment="HTTPS_PROXY=http://USERNAME:PASSWORD@SERVER:PORT/"
- Start the required services below:
# systemctl daemon-reload
# systemctl restart docker
Generate SSL certificates #
CA Certificate #
Follow your internal process to procure CA certificates and copy the key and cert files to the Matilda server. Share the certificate’s location on the server with the Matilda SME.
Self-Signed Certificates #
Self-signed certificates will be automatically generated during installation.
Discovery IP Request Template Link #
Use this template to fill in the details for assets that need to be discovered. The template uses the following mandatory entries:
- IP Address (Single IP Address, Range of IP Address or CIDR)
- Account Name (For Login)
- Application Name
- Environment
- Data Center
- Region
- Line of Business
Discovery Request Template #
The discovery input request template will be shared by the Matilda SME prior to installation.
The Minimum Accounts and Permissions for a Successful Discovery of the Target Environment #
- All the accounts, including database accounts (Oracle and MSSQL), should be created ahead of time and uploaded to the Matilda platform.
- All the accounts uploaded to the Matilda platform are securely stored in HashiCorp Vault.
- Matilda provides plugins to integrate with CyberArk and Centrify.
- All Services can be uploaded to Matilda using the web interface.
Minimum Ports to be Opened on the Target Assets for Successful Discovery #
Port | Platform | Source | Target | Interaction | Purpose and services/components (See the column description) |
ICMP | ALL | Matilda VM | ALL | System to System | Matilda can detect the device only if ICMP is enabled on the device. |
22 | LINUX/UNIX | Matilda VM on Customer Network | LINUX/UNIX Machine on Customer Network | System to System | Matilda probe logs in to the Linux Asset and completes the discovery using SSH connection. |
161/162 | ALL | Matilda VM | ALL | System to System | Matilda can identify the type of device only if SNMP is enabled on the device and 161/162 port is enabled. This port is optional. |
5985 | WINDOWS | Matilda VM on Customer Network | Windows Machines on Customer Network | System to System | Matilda probe logs in to the Windows asset and completes the discovery using WINRM connection. |
445 | WINDOWS | Matilda VM on Customer Network | Windows Machines on Customer Network | System to System | To let the service account login to the Windows asset and read the configuration files |
1433* | MSSQL | Matilda VM on Customer Network | SQL Servers on Customer Network | System to System | To let the service account login to the MSSQL server using the SQL server port. If the customer has configured the custom port for the SQL server, the respective port should be enabled. |
1521* | ORACLE | Matilda VM on Customer Network | ORACLE Servers on Customer Network | System to System | To let the service account login to the ORACLE Server using the Oracle Server port. If the customer has configured a custom port for an Oracle server, the respective port should be enabled. |
3306 | MariaDB/MySQL | Matilda VM on Customer Network | MySQL/MariaDB Servers on Customer Network | System to System | To let the service account login to the MariaDB/MySQL server using the MariaDB/MySQL server port. If the customer has configured a custom port for a MariaDB/MySQL server, the respective port should be enabled. |
27017 | MongoDB | Matilda VM on Customer Network | MongoDB Servers on Customer Network | System to System | To let the service account login to the MongoDB Server using the MongoDB server port. If the customer has configured a custom port for a MongoDB server, the respective port should be enabled. |
*All the Ports including database ports should be enabled on the target database servers. If the database server was configured with any custom database port, use custom database port communication from Matilda Discover instance to database instances.
Prerequisites #
Click here to download Discovery Prerequisites – Target Instances PDF, which outlines the minimum ports to be opened on the target assets for a successful discovery, ports and service access requirements, prerequisites on Windows target servers, and Matilda Discover commands list (Linux/UNIX).
Prerequisites on Linux/UNIX Target Servers (to be discovered) #
Service or application account | Account type (Local, AD, Database) | Interactive? (Yes or No) | Platform | Privileges required | Purpose and services/components (See the column description) |
Matilda_SVC | Local/AD | NO | Windows | Local Admin Role on Windows, WINRM Service enabled and running. | To discover the assets, utilizations and dependencies. |
Matilda_SVC | Local/AD | NO | NON-Windows | SSH access to the instances; read access on all non-root folders and files; service account login shell should be “BASH”; passwordless sudo access is required for the commands provided here; comment out “Defaults requiretty” in the “/etc/sudoers” file | To discover the assets, utilizations and dependencies. |
Matilda_DB_SVC | Database | NO | ORACLE | DB Account for Databases with Select_Catalog_Role | To discover the ORACLE Databases |
Matilda_DB_SVC | Database | NO | MSSQL | DB Account with view Server state Permissions and Select Access on system tables. | To discover the MSSQL Databases. |
Matilda_DB_SVC | Database | No | MariaDB/MySQL | DB Account with view Server state Permissions and Select Access on system tables. | To discover the MariaDB/MySQL Databases. |
Matilda_DB_SVC | Database | No | Mongo database | Database account with view server state permissions and select access on system tables. | To discover the MongoDB Databases. |
*Follow the steps in the confluence pages to provide necessary privileges to the user account. If you are unable to access the confluence pages, please contact the Matilda team to gain access.
Matilda Discover Installation Steps #
Note: The preceding Matilda Discover Prerequisites must be properly performed before proceeding into the installation steps below.
Installation Support: Contact the Matilda support team 24 hours prior to installation to obtain the credentials needed for a successful installation. The Matilda team will make the necessary changes (IP whitelisting is required) to allow the connection from the client location to the Matilda installation repository. The provided credentials are valid for only 24 hours and cannot be transferred to other systems.
Installation Steps #
- Download the installation git repository from the following location:
# git clone https://dev.azure.com/matildabuild/migrate/_git/discover
- Change the directory to discover and set executable permissions to installation script
# cd discover
# chmod +x matilda_install.sh
- Update the config file in the installation directory. The Matilda team will provide the necessary details.
# vim config
USERNAME=<Matilda team to share>
PASSWORD=<Matilda team to share>
EMAIL=<Matilda team to share>
DNS_NAME=<Client to provide>
TLS_KEY_PATH=<Client to provide>
TLS_CRT_PATH=<Client to provide>
*Configuration updates are mandatory and without proper configuration, installation will not proceed.
- Run the installation script.
# ./matilda_install.sh config
- External Identity Provider Integration Steps (optional)
Please refer to the documentation below for OIDC and SAML integration: https://matildacloud.atlassian.net/wiki/spaces/MM/pages/2204106753/External+Identity
If you are unable to access the above confluence page, contact the Matilda team to gain access.
- Once the installation is completed, use the following Matilda Application URLs:
- Discovery URL: http://<dns_name>
- Logins: Single sign on email / local login id
- Password: < Admin password >
The Matilda team will share the local admin credentials.
Support #
Matilda support is offered by email during working hours Monday-Friday. Please contact info@matildacloud.com for assistance.
RACI Matrix #
Client and Matilda Responsibilities
Description | Responsibility |
Matilda Discover VM provisioning | Client |
Matilda SME On Boarding with required user account privileges | Client |
Service account creation/validation with required privileges for Windows & Linux as requested in the document | Client |
Database account creation with required privileges for ORACLE/MSSQL/MariaDB/MySQL/MongoDB Servers | Client |
VPN/VDI/RDP Access and Matilda SME Access to Matilda Discover VM | Client |
Fill Discovery Template and upload to Matilda or Share with Matilda. Business Application Name mapping with IP Address is preferred | Client |
Set up of Matilda Discover Platform on the provisioned VM | Matilda |
Pre-check and validation of Matilda deployment | Matilda |
Windows/Linux Service Accounts and database accounts need to be updated in Matilda Discover Web Interface | Client/Matilda |
Dry Run for handpicked servers (Windows, Linux for different execution methods like sudo, dzdo and pbrun) to test end to end | Client/Matilda |
Pre-check for the identified IPs to verify that all the prerequisites are met | Client/Matilda |
Initiate Discover of the targeted assets (Windows/Linux/UNIX) | Matilda |
Utilizations Collections/Connections include Memory, CPU, storage, network connections etc. | Matilda |
Assessment and Reporting | Matilda |