Configure Virtual Appliance for Migration Tool

To use the migration tool, configure the Virtual Appliance as follows:
  1. Create a Three-Node Cluster
  2. Configure DNS Entries
  3. Configure Ingress Certificates (Only for SSL Certificates)

Create a Three-Node Cluster

  1. Log in to the primary node console.
  2. Verify the boot status of each node of the cluster:
    CODE
    appdctl show boot
    Note:
  3. Run the following command in the primary node and specify the IP address of the peer nodes:
    CODE
    cd /home/appduser
    appdctl cluster init <Node-2-IP> <Node-3-IP>
  4. Run the following command to verify the node status:
    CODE
    appdctl show cluster
    microk8s status

    Ensure that the output displays the Running status as true for the nodes that are part of the cluster.

    Sample Output

    CODE
    NODE           | ROLE  | RUNNING 
    ----------------+-------+---------
     10.0.0.1:19001 | voter | true    
     10.0.0.2:19001 | voter | true    
     10.0.0.3:19001 | voter | true
    Note: You must log in to the terminal again if the following error is displayed:
    CODE
    Insufficient Permissions to Access Microk8s

Configure DNS Entries

Verify DNS resolution for the Splunk AppDynamics components. The following script helps identify common network configuration issues that might cause communication issues in Virtual Appliance. It checks if specific host names can be resolved to IP addresses, which is crucial for the proper functioning of the Controller and its services.

Ensure that the globals.yaml.gotmpl contains the primary node IP address of Virtual Appliance. Edit the globals.yaml.gotmpl file as follows:
  1. Log into the console of the primary node.

  2. Navigate to the following folder:
    CODE
    cd /var/appd/config
  3. Edit the globals.yaml.gotmpl file and update dnsNames and dnsDomain.
    CODE
    vi globals.yaml.gotmpl

    List the Ingress domain names that you require to configure for the Virtual Appliance.

    Note:
    • Include localhost so that appdcli can access the cluster. If the domain names are unavailable, specify <nodeip>.nip.io for each cluster. You must also include the dnsDomain as a value, in addition to other specified values.
    • Some network policies might block addresses of the form x.x.x.x.nip.io. In such scenarios, update the /etc/hosts file. See Update the DNS Configuration in an Air-Gapped Environment.
    • If you are using domain names for your Virtual Appliance, comment out or delete the range split function, and comment out localhost.
    JSON
    dnsNames: &dnsNames
    # - localhost
      - 10.0.0.1.nip.io
      - 10.0.0.2.nip.io
      - 10.0.0.3.nip.io
      - appd.example.com
    # If you are using Virtual IP address for your standalone Controller, comment or delete the range split function.
    {{ range split " " $internalIPs }} {{ printf " - %s.%s" . "nip.io" }}
    {{ end }}
    Add all the DNS names of your classic on-premises environment in Virtual Appliance. If each service in classic on-premises uses a different DNS, you must add all the services.
    CODE
    dnsNames: &dnsNames
      - localhost
      - <VA-DNS>
      - <Classic-On-Premises-Controller-DNS> 
      - <Classic-On-Premises-EUM-DNS>
      - <Classic-On-Premises-Events-DNS>
      - <Classic-On-Premises-Synth-DNS>
  1. (Optional) Edit the /var/appd/config/secrets.yaml file to update usernames and passwords of the Splunk AppDynamics Services.
    CODE
    vi /var/appd/config/secrets.yaml
    Note: When you install the Splunk AppDynamics service, the secrets.yaml file becomes encrypted.
    See Edit the secrets.yaml.encrypted file.
  2. Save the following script on the console of your primary Virtual Appliance node as dnsinfo.sh in /var/appd/config.
    Note: If you are running this script for the first time, copy the code for plain YAML. If you are running this script after installing the services, copy the code for encrypted YAML.
    Plain YAML
    CODE
    #!/bin/bash
    set -euo pipefail
    
    # Assuming /var/appd/config/secrets.yaml is now a plain, unencrypted YAML file.
    # The '.encrypted' extension and 'helm secrets decrypt' command are removed.
    TENANT=$(yq .hybrid.controller.tenantAccountName /var/appd/config/secrets.yaml)
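    # Drop Go-template lines (optionally indented with spaces or tabs) before parsing the file as YAML.
    CONTROLLER_DNS_DOMAIN=$(grep -v '^[[:space:]]*{{' /var/appd/config/globals.yaml.gotmpl | yq -r '.hybrid.controller.domainName')
    DNS_DOMAIN=$(grep -v '^[[:space:]]*{{' /var/appd/config/globals.yaml.gotmpl | yq -r '.dnsDomain')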
    echo Verify the Virtual Appliance tenant should be \'${TENANT}\'
    echo Verify the Virtual Appliance domain name should be \'${DNS_DOMAIN}\'
    echo Verify the Controller domain name should be \'${CONTROLLER_DNS_DOMAIN}\'
     
    echo
    for server_name in "$CONTROLLER_DNS_DOMAIN" "${DNS_DOMAIN}" "${TENANT}.${CONTROLLER_DNS_DOMAIN}" "${TENANT}-tnt-con.${DNS_DOMAIN}" "${TENANT}-tnt-con.${CONTROLLER_DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please add DNS entry for ${server_name} for controller host IP, VA is not able to resolve it currently"
      fi
    done
    for server_name in "${TENANT}.auth.${DNS_DOMAIN}" "${TENANT}-tnt-authn.${DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please double-check on standalone controller that DNS can resolve entry for ${server_name} as VA ingress IP"
      fi
    done
    Encrypted YAML
    CODE
    #!/bin/bash
    set -euo pipefail
    TENANT=$(helm secrets decrypt /var/appd/config/secrets.yaml.encrypted  | yq .hybrid.controller.tenantAccountName)
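    # Drop Go-template lines (optionally indented with spaces or tabs) before parsing the file as YAML.
    CONTROLLER_DNS_DOMAIN=$(grep -v '^[[:space:]]*{{' /var/appd/config/globals.yaml.gotmpl | yq -r '.hybrid.controller.domainName')
    DNS_DOMAIN=$(grep -v '^[[:space:]]*{{' /var/appd/config/globals.yaml.gotmpl | yq -r '.dnsDomain')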
    echo Verify the Virtual Appliance tenant should be \'${TENANT}\'
    echo Verify the Virtual Appliance domain name should be \'${DNS_DOMAIN}\'
    echo Verify the Controller domain name should be \'${CONTROLLER_DNS_DOMAIN}\'
     
    echo
    for server_name in "$CONTROLLER_DNS_DOMAIN" "${DNS_DOMAIN}" "${TENANT}.${CONTROLLER_DNS_DOMAIN}" "${TENANT}-tnt-con.${DNS_DOMAIN}" "${TENANT}-tnt-con.${CONTROLLER_DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please add DNS entry for ${server_name} for controller host IP, VA is not able to resolve it currently"
      fi
    done
    for server_name in "${TENANT}.auth.${DNS_DOMAIN}" "${TENANT}-tnt-authn.${DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please double-check on standalone controller that DNS can resolve entry for ${server_name} as VA ingress IP"
      fi
    done
  3. Run dnsinfo.sh.
    CODE
    bash ./dnsinfo.sh
    Sample Output:
    CODE
    Verify the Virtual Appliance tenant should be 'customer1'
    Verify the Virtual Appliance domain name should be 'va.mycompany.com'
    Verify the Controller domain name should be 'controller.mycompany.com'
    
    Please add DNS entry for controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for va.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1.controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1-tnt-con.va.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1-tnt-con.controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please double-check on standalone controller that DNS can resolve entry for customer1.auth.va.mycompany.com as VA ingress IP
    Please double-check on standalone controller that DNS can resolve entry for customer1-tnt-authn.va.mycompany.com as VA ingress IP

Configure Ingress Certificates (Only for SSL Certificates)

By default, the Ingress controller is installed with a fully-configured self-signed certificate. You may skip this step if the self-signed certificate provided by the Ingress Controller meets your requirements.

If you require a CA-signed certificate for the Ingress Controller, configure an SSL/TLS certificate for Splunk AppDynamics Self Hosted Virtual Appliance by providing all the required host names. This ensures that all components and user access points of the Virtual Appliance are securely accessible. The following script generates a list of Subject Alternative Names (SANs) that would be required for a custom ingress certificate in Virtual Appliance. This is crucial for securing communication with the Virtual Appliance using HTTPS.

Ensure that you have the following files:
  • private key: private.key
  • signed public key: cert.crt
  • CA root chain: ca.crt
Note:
  • Ensure that ingress.key is in PEM plain text format.
  • The SAN of the server certificate in ingress.crt must include all the hostnames that are defined in the dnsNames section of the globals.yaml.gotmpl file.
  • For Secure Application, ensure that *.<DOMAIN-NAME> is included in the list and that the certificates include the SAN aliases.
Configure a custom ingress certificate if you want to include the CA signed certificate.
  1. Copy the Ingress key to the Virtual Appliance.
    CODE
    scp <ingress.pem> appduser@<node-IP-address>:/var/appd/config/ingress.key
  2. Copy the Ingress certificate to the Virtual Appliance.
    CODE
    scp <ingress.crt> appduser@<node-IP-address>:/var/appd/config/ingress.crt
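
One way to check the SAN requirement in the note above before copying the certificate. This is an added example, not a script from the vendor documentation; the function names are hypothetical and the SAN text is constructed from the host names in the dnsinfo.sh sample output.

```shell
#!/bin/sh
# Added example: list required host names that a certificate's SAN list does not cover.

# san_covers NAME SAN: succeed if SAN equals NAME, or SAN is a wildcard that
# covers exactly one left-most label of NAME (how TLS clients match wildcards).
san_covers() (
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$name" = "$san" ] && exit 0
  case $san in
    '*.'*)
      suffix=${san#?}            # "*.example.com" -> ".example.com"
      label=${name%"$suffix"}    # unchanged when NAME lacks the suffix
      [ "$label" != "$name" ] || exit 1
      case $label in ''|*.*) exit 1 ;; esac
      exit 0 ;;
  esac
  exit 1
)

# extract_sans: read "openssl x509 -noout -ext subjectAltName" text on stdin,
# print one DNS or IP entry per line.
extract_sans() {
  tr ',' '\n' | sed -n -e 's/[[:space:]]*$//' \
    -e 's/^[[:space:]]*DNS://p' -e 's/^[[:space:]]*IP Address://p'
}

# missing_sans SAN_TEXT NAME...: print each NAME that no SAN entry covers.
missing_sans() (
  set -f                         # keep "*.domain" entries from globbing
  sans=$(printf '%s\n' "$1" | extract_sans)
  shift
  for name in "$@"; do
    covered=no
    for san in $sans; do
      if san_covers "$name" "$san"; then covered=yes; break; fi
    done
    [ "$covered" = yes ] || printf '%s\n' "$name"
  done
)

# Constructed sample SAN text (not read from a real certificate).
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:va.mycompany.com, DNS:*.va.mycompany.com, DNS:localhost'

# The wildcard covers one label only, so "customer1.auth.<domain>" needs its own SAN.
missing_sans "$SAMPLE_SAN" va.mycompany.com customer1-tnt-authn.va.mycompany.com \
  customer1.auth.va.mycompany.com 10.0.0.1.nip.io
```

To run it against the real file, pass the output of `openssl x509 -in /var/appd/config/ingress.crt -noout -ext subjectAltName` as the first argument, followed by every entry in dnsNames. The `-ext` option requires OpenSSL 1.1.1 or later.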

(Optional) Disable Hybrid Property in VA

If the Virtual Appliance is in hybrid deployment, disable the hybrid property in the globals.yaml.gotmpl file.
JSON
hybrid:
  enable: false
  controller:
    domainName: controller.nip.io
    port: 8181
    sslEnabled: true
{{ if isFile "/var/appd/config/hybrid-controller-ca.crt" }}
  controllerCaCertsFile: {{ readFile "/var/appd/config/hybrid-controller-ca.crt" | b64enc | quote }}
{{ end }}
mysql:
  dbHost: controller.nip.io
  dbPort: 3388
{{ if isFile "/var/appd/config/hybrid-mysql-ca.crt" }}
  mysqlCaCertsFile: {{ readFile "/var/appd/config/hybrid-mysql-ca.crt" | b64enc | quote }}
{{ end }}
kafka:
  defaultCert: true
{{ if isFile "/var/appd/config/hybrid-kafka.key" }}
  keyFile: {{ readFile "/var/appd/config/hybrid-kafka.key" | b64enc | quote }}
{{ end }}
{{ if isFile "/var/appd/config/hybrid-kafka.crt" }}
  certFile: {{ readFile "/var/appd/config/hybrid-kafka.crt" | b64enc | quote }}
{{ end }}
schemaregistry:
  externalUrl: https://<domain_name>/schemaregistry

Disable the Default Certificate Property

The migration tool requires you to use the classic on-premises key and certificate instead of the VA ingress certificate.

Update the globals.yaml.gotmpl file to disable the setting that uses the default ingress certificate by setting ingress.defaultCert to false. Instead of the default certificate, configure the tool to use the On-Premises key file by specifying the paths to the private key and public certificate files.
JSON
ingress:
  defaultCert: false
{{ if isFile "path-to-key-file-of-onprem-classic" }}
  keyFile: {{ readFile "path-to-key-file-of-onprem-classic" | b64enc | quote }}
{{ end }}
{{ if isFile "path-to-cert-file-of-onprem-classic" }}
  certFile: {{ readFile "path-to-cert-file-of-onprem-classic" | b64enc | quote }}
{{ end }}

Disable the Events Service SSL Property

Update the Events Service configuration on Virtual Appliance to match your classic on-premises environment.
HTTP
CODE
events:
  enableSsl: false
  externalUrl: <URL_of_Events_Service>
HTTPS
CODE
events:
  enableSsl: true
  externalUrl: <URL_of_Events_Service>

Apply Licenses to Splunk AppDynamics Services

Use appdcli to apply licenses after installing Splunk AppDynamics Services.

  1. Log in to the cluster node console.
  2. Copy the license file to the following location on the node, naming it license.lic.
    CODE
    cd /var/appd/config
  3. Run the following commands to apply licenses:
    Controller

    Update the Controller license.

    CODE
    appdcli license controller license.lic
    End User Monitoring
    1. Update the EUM license.
      CODE
      appdcli license eum license.lic
    2. (Optional) If you are using the Infrastructure-based Licensing model, specify the EUM account and license key in the Administration Console. See Access the Administration Console. Follow these steps to add the EUM account and license key:
      1. From Account Settings, select the Controller account that has EUM licenses and click Edit.

      2. Enter the EUM license key and the EUM account name in the EUM License Key and the EUM Account Name fields.

      3. Click Save.

    For more information, see Virtual Appliance CLI.