
Operational Instructions: Phase 1 Virtual Server Provisioning


Table of Contents

Revisions
Introduction
General Information
    Objective
    Concepts
    EVERTEC Virtualization Environments
Procedures
    1.0 Initial Request
        1.1 Login to ServiceDesk
        1.2 Summary Information Section
        1.3 Virtual Server Initiative Information
        1.4 Create New Virtual Server
    2.0 Workflow Tasks
        2.1 Task List
        2.2 Validate Request
        2.3 Verify Licensing
        2.4 Validate and Assign IP
        2.5 Clone Server
        2.6 Virtual Server pre-defined Systems Firewall Rule
        2.7 Configure Antivirus Software
        2.8 Configure Server Monitoring
        2.9 Configure Storage space
        2.10 Configure Backup
        2.11 Virtual Server Pre-Certification
        2.12 Add to CMDB
        2.13 Secure Admin password in Vault


Revisions

Alterations to this document must be coordinated with the Legal Division of EVERTEC. Disclosure of this information will be considered a violation of the policies of the institution, including the Code of Ethics. Reproduction for unauthorized use is prohibited.

Date | Version | Description | Author
2016-02-03 | 1 | Original document | David Sanchez
2016-02-07 | 2 | Revision | David Sanchez
2016-02-10 | 3 | Revision – added appendix A | David Sanchez
2016-03-01 | 4 | Revision – new fields | David Sanchez
2016-03-30 | 5 | Revision – workflow tasks order changes | David Sanchez


Introduction

Server virtualization inherently provides the opportunity for faster system provisioning, making the IT organization more agile and responsive. Applying the same manual change management procedures to the virtual server provisioning workflow may unfavorably affect this value.

This document details the virtual server provisioning workflow for the three virtualization environments at EVERTEC: VMware, PowerVM and z/VM.

General Information

Objective

Most of the steps involved in the provisioning of virtual servers are common to the three supported virtualization infrastructures at EVERTEC. When necessary, platform-specific deviations will be indicated.

The main purpose of this workflow is to dramatically reduce the time to place virtual servers in service once the request for provisioning is received. To achieve such agility, it is essential that phase 1 of virtual server provisioning follows a workflow that does not require going through the CAB process. The reasoning is:

o Risk mitigation
    - Use of Information Security pre-certified OS images (Golden Images).
    - As a requirement, the server will be patched to ensure it is up to date.
    - Immediately following activation of the server, it will be pre-certified by Information Security.

o Faster deployment benefits
    - Requestor may start working on configuration/installations in a matter of days instead of months.
    - Opportunity to initiate testing faster.
    - Reduced time to production.

Concepts

Virtualization: Technology that allows several operating systems to run on the same physical server at the same time, sharing physical resources such as processors, memory, disk, network interfaces and fiber channels.

Major virtualization benefits:

o Infrastructure and administration simplification
o Increased scalability
o Maximizes resource usage
o Power savings
o Lower capital costs

Hypervisor: A hypervisor is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. Examples are VMware, PowerVM and z/VM.

Virtual Machine: A self-contained operating environment that behaves as if it is a separate computer running under a host operating system (Hypervisor).

Golden Image: A Golden Image is a template for a virtual machine (VM). It may also be referred to as a clone image or master image.

Using Golden Images as templates provides consistent environments. Several Golden Images may be used for different platforms as well as types of supported services such as Database server, Application server and Web server, to name a few.

These Golden Images will be certified by the Information Security department on initial generation and as required after changes are applied to them, such as maintenance fixes or release upgrades.

EVERTEC Virtualization Environments

VMware: Primarily used to host Windows and Linux (Red Hat) virtual machines (VMs) used as application, database or web servers. These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.

For redundancy purposes, at a minimum, the production servers will be assigned the following:

o Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
o Access to a shared CPU pool.
o Redundant connectivity to the network.

PowerVM: Primarily used to host AIX virtual machines (VMs) used as application, database or web servers. These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.

For redundancy purposes, at a minimum, the production servers will be assigned the following:

o Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
o Access to a shared Virtual CPU pool.
o Redundant connectivity to the network managed by two VIO servers, each managing a separate Network Interface. Each Network Interface is connected to separate Network Switches.

z/VM: Primarily used to host SuSE Linux Oracle Database virtual machines (VMs). These VMs will be sized with the appropriate amount of Virtual Memory and Virtual CPUs required by the application.

For redundancy purposes, at a minimum, the production servers will be assigned the following:

o Two fiber channel paths to the SAN fabric, each connected to a different SAN switch.
o A minimum of two Virtual CPUs backed by at least two physical CPUs.
o Connection to the network via a primary (active) virtual switch and a standby (failover) virtual switch, each connected to a different Network interface (OSA). Each OSA interface is physically connected to separate Network Switches.


Procedures

1.0 Initial Request

It is highly recommended that, prior to requesting virtual servers using this facility, all important information is known ahead of time. Setting up meetings with areas such as Network Engineering, Information Security and the Unix or Windows group is advisable. The more information is provided at the time of opening the request, the faster the servers can be provisioned.

1.1 Login to ServiceDesk

Select the Service Desk/CA CMDB tab. Click on File and select New Virtual Server Request…

1.2 Summary Information Section


1.2.1 The “Create New Change Order” panel is displayed. The fields in this panel are common to all servers requested under this change order and will be used to build the workflow tasks for the request. Enter as much information as possible to prevent the workflow from being held pending additional information. It is also highly recommended to attach any documentation pertinent to the request, such as business cases, proposals and project network diagrams, that would help in the verification and validation of the request.

Field Name | Description
Category | Drop-down field used to select whether the request is for Windows servers only, UNIX servers only or a combination of both.
Request Title | Text field used to enter a brief title to identify the request.
Order Description | Text field used to enter a more detailed description of the request. Use this field to enter information relevant to the request that is not covered by any of the fields in this form.
Justification | Non-required text field used to enter justification for this request.


1.3 Virtual Server Initiative Information

1.3.1 This section is used to enter information related to the initiative the requested servers belong to.

Field Name | Description
Project | Lookup field to select the project this server belongs to.
Application | Lookup field to select the application.
Type of service | Drop-down field to select the type of service this server will support: Internal, Hosted, Collocation.
Priority | Drop-down field to select the priority level for the request: Normal, High, Urgent. Urgent priority requires justification.
Line of Business | Drop-down field to select the line of business for chargeback purposes.
Client | Lookup field to select the client. This field is mandatory for Hosted services.
Expected Date | Calendar field to select the date this request is expected to be fulfilled.
Cost Center | Lookup field to select the Cost Center for chargeback purposes.

1.4 Create New Virtual Server

Once the form is completed, click on Save. The following pop-up will appear, reminding the requestor that server specifications still need to be entered.

After clicking OK, the Create New Virtual Server form is presented. Most fields will be entered by the requestor. There are some fields that will be filled by the corresponding resources in charge of working on the tasks generated by the request.


Field | Description
Change Order | Protected field. Change order number assigned to this request.
OS | Drop-down field to select the operating system.
OS Version | Drop-down field to select the operating system version. The list may be updated frequently to reflect versions supported at EVERTEC.
Size | Drop-down field to select one of the pre-defined sizes supported as standards. If the request deviates from the standard, it must be justified in the Justification comments field.
High Availability | Yes/No
DMZ | Will the server be placed behind a DMZ? Yes/No
Environment | Drop-down field with: PROD, TEST, CERT, DRS.
Platform | Server platform: VMWare, pSeries, zSeries.
CPS data entry completed? | This checkbox is filled by the Windows or Unix resource doing the pre-certification of the provisioned server.
Disk Storage | Size in gigabytes.
PCI | PCI compliance requirement? Y/N. If the answer to either of the following two questions is yes, then this server must be treated as PCI compliant. (1) Does the application store, process, or transmit cardholder data? Cardholder data includes: Credit Card Number, Cardholder Name, Expiration Date, Service Code. (2) Does the application store, process, or transmit sensitive authentication data? Sensitive authentication data includes: full track data (magnetic-stripe data or equivalent on an EMV chip), CAV2/CVC2/CVV2/CID, PINs/PIN blocks.
Digital Certificate | Will the server require digital certificates? Y/N
Type | Drop-down to select the type of server: APP, WEB, DB, APP+WEB, APP+DB, APP+WEB+DB, File and Print. Note: combinations allowed in this field imply that a single server will support the combined roles. For example, APP+WEB means that the server will host both the application and the web server.
Location | Drop-down to select the location: Cupey, Tres Monjitas, Sungard.
Virtual Farms | Drop-down to select the virtual farm where the cloned server resides. Note: this field must be entered by the resource that executes the provisioning process.
Load Balancer | Will the server be placed behind a load balancer (i.e. F5)?
New Relic | Will the server be monitored by New Relic? Y/N
List any required software | Text field to indicate any software that needs to be installed on the server prior to releasing the server to the requestor. Licensing compliance will be verified.
Additional comments// Disk Distribution | Text field where the requestor may enter any special comments/details/instructions regarding this server request. In the case of DB servers, it is required that the file system size distribution be specified in this field. It is important to get this information from the DB group prior to initiating the request.
Required users | Text field to enter the list of users required for phase 1 on this server.
Host Name | Host name assigned by the system administrator in charge of provisioning the server. The requestor may also enter this information if known.
Assigned IP addresses and VLAN | Entered by the network engineer who assigns the IPs. The requestor may also enter this information if known.
Network diagram attached | Checkbox to indicate whether the requestor or network engineers attached the network diagram to the ticket.
Common Ports | If known, select the ports that the server will use.
Other Required Ports | Text field to enter the list of specific ports needed.
Justification | Text field to enter the justification for a non-standard server size as well as non-common ports required by the server.

Once the fields are entered, click on Save to add the server to the request.

Additional servers may be requested. Under the Virtual Server Details tab there will be a list of the requested servers. Click on the Add Virtual Server button to bring up the next request form.

To save time, there is a copy server feature that brings up a pre-filled form based on the information entered for the selected server. Simply select the server from the list of servers under the Virtual Server Details tab and then click on the Copy Server button.

2.0 Workflow Tasks

2.1 Task List

The initial request will generate a workflow to assign tasks to all groups involved in the creation of the virtual server.

Unix

Sequence | Task | Group
50 | VS Provisioning - Validate Request | 79095 - OPEN SYSTEMS UNIX
100 | Group Start Task |
200 | VS Provisioning - Verify Licensing | 78669 - EVERTEC LICENSING
300 | VS Provisioning - Validate and Assign IP | 79020 - NETWORK ENGINEERING
400 | Group End Task |
500 | Group Start Task |
700 | VS Provisioning - Clone Server | 79095 - OPEN SYSTEMS UNIX
750 | VS Provisioning - Assign Storage Space | 78656 - STORAGE SYSTEMS
800 | VS Provisioning - Pre Defined Systems Firewall Rule | 78657 - Firewall & VPNs Operations
900 | Group End Task |
1000 | Group Start Task |
1100 | VS Provisioning - Configure Server Monitoring | 78665 - NETWORK PRODUCTION SUPPORT
1300 | VS Provisioning - Configure Backup | 79095 - BACKUP SERVICES
1400 | Group End Task |
1500 | VS Provisioning - Pre-Certification | 78113 - Unix Security
1600 | Group Start Task |
1700 | VS Provisioning - Add to CMDB | 78690 - Capacity Management and CMDB
1800 | VS Provisioning - Secure Admin password in Vault | 78113 - Unix Security
1900 | Group End Task |

Windows

Sequence | Task | Group
50 | VS Provisioning - Validate Request | 79095 - WINDOWS
100 | Group Start Task |
200 | VS Provisioning - Verify Licensing | 78669 - EVERTEC LICENSING
300 | VS Provisioning - Validate and Assign IP | 79020 - NETWORK ENGINEERING
400 | Group End Task |
500 | Group Start Task |
700 | VS Provisioning - Clone Server | 79095 - WINDOWS
800 | VS Provisioning - Pre Defined Systems Firewall Rule | 78657 - Firewall & VPNs Operations
900 | Group End Task |
1000 | Group Start Task |
1050 | VS Provisioning - Windows Pre-Certification - CPS Data Entry | 78663 - SERVER SERVICES
1100 | VS Provisioning - Configure Antivirus Software | 78657 - WORKPLACE SERVICES
1300 | VS Provisioning - Configure Backup | 79095 - BACKUP SERVICES
1400 | VS Provisioning - Configure Server Monitoring | 78665 - NETWORK PRODUCTION SUPPORT
1500 | Group End Task |
1600 | VS Provisioning - Pre-Certification | 78113 - Server Certification
1700 | Group Start Task |
1800 | VS Provisioning - Add to CMDB | 78690 - Capacity Management and CMDB
1900 | VS Provisioning - Secure Admin password in Vault | 78113 - IS WINDOWS AND DATABASE
2000 | Group End Task |

Windows and Unix Together

Sequence | Task | Group
100 | Group Start Task |
200 | VS Provisioning - Validate Request | 79095 - WINDOWS
300 | VS Provisioning - Validate Request | 79095 - OPEN SYSTEMS UNIX
400 | Group End Task |
500 | Group Start Task |
600 | VS Provisioning - Verify Licensing | 78669 - EVERTEC LICENSING
700 | VS Provisioning - Validate and Assign IP | 79020 - NETWORK ENGINEERING
800 | Group End Task |
900 | Group Start Task |
1000 | VS Provisioning - Clone Server | 79095 - WINDOWS
1100 | VS Provisioning - Clone Server | 79095 - OPEN SYSTEMS UNIX
1200 | VS Provisioning - Assign Storage Space | 78656 - STORAGE SYSTEMS
1300 | VS Provisioning - Pre Defined Systems Firewall Rule | 78657 - Firewall & VPNs Operations
1400 | Group End Task |
1500 | Group Start Task |
1600 | VS Provisioning - Windows Pre-Certification - CPS Data Entry | 78663 - SERVER SERVICES
1700 | VS Provisioning - Configure Antivirus Software | 78657 - WORKPLACE SERVICES
1800 | VS Provisioning - Configure Backup | 79095 - BACKUP SERVICES
1900 | VS Provisioning - Configure Server Monitoring | 78665 - NETWORK PRODUCTION SUPPORT
2000 | Group End Task |
2100 | Group Start Task |
2200 | VS Provisioning - Pre-Certification | 78113 - Server Certification
2300 | VS Provisioning - Pre-Certification | 78113 - Unix Security
2400 | Group End Task |
2500 | Group Start Task |
2600 | VS Provisioning - Add to CMDB | 78690 - Capacity Management and CMDB
2700 | VS Provisioning - Secure Admin password in Vault | 78113 - IS WINDOWS AND DATABASE
2800 | VS Provisioning - Secure Admin password in Vault | 78113 - Unix Security
2900 | Group End Task |

2.2 Validate Request

The assigned group, based on the operating system and platform selected, reviews the request and determines its validity. It is highly advisable to consult with Network Engineering and Information Security to help validate the request. If approved, the rest of the workflow continues. The requestor may be contacted for additional information.

2.3 Verify Licensing

Verify licensing compliance issues specific to the software that will be used.

2.4 Validate and Assign IP

Network engineering will assign the IPs to the servers requested, including the backup segment IP when applicable. It is the responsibility of network engineering to enter this information in the Assigned IP Address and VLAN field for each server requested. In some cases there might be a need to add a new segment that will require additional work outside the scope of the tasks generated by this workflow. Those should be handled using the current existing protocols.

2.5 Clone Server

Create the virtual server using a pre-certified image. This should be further updated with the latest patches and scanned in order to make sure that it will not fail the pre-certification task.

2.6 Virtual Server pre-defined Systems Firewall Rule

Make sure the server will be granted the rules needed in order for the other groups to complete the rest of the configuration tasks.

2.7 Configure Antivirus Software

For Windows, add to the anti-virus console.

2.8 Configure Server Monitoring

If applicable, since this is phase 1, add basic server monitoring.

2.9 Configure Storage space

Assign the required storage space if applicable.

2.10 Configure Backup

Configure the backup for the server using the silver policy as default.

2.11 Virtual Server Pre-Certification

Pre-certify the server. If it fails, it will go back to the group that created the server.

2.12 Add to CMDB

Add the pertinent server information to the CMDB.

2.13 Secure Admin password in Vault

Add the administrator password to the vault.