WO2003107178A2 - Method and system for simplifying distributed server management - Google Patents

Publication number: WO2003107178A2
Authority: WO, WIPO (PCT)
Prior art keywords: server, virtual, servers, abstract, call
Application number: PCT/US2003/017927
Other languages: French (fr)
Other versions: WO2003107178A3 (en)
Inventors: Thomas Martin Kraus, Vijay G. Manwani, Sekhar Muddana, Balaji Srinivasa, Ravi Reddy
Original Assignee: Bladelogic, Inc.
Application filed by: Bladelogic, Inc.
Priority to: AU2003243426A, EP16192226.5A, EP03760238.0A, EP06026527A
Publications: WO2003107178A2, WO2003107178A3

Classifications

    • H04L41/022 Multivendor or multi-standard integration
    • G06F9/466 Transaction processing
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings the condition being updates or upgrades of network functionality
    • H04L41/084 Configuration by using pre-existing information, e.g. using templates or copying from other elements
    • H04L41/0853 Retrieval of network configuration; Tracking network configuration history by actively collecting configuration information or by backing up configuration information
    • H04L41/0863 Retrieval of network configuration; Tracking network configuration history by keeping history of different configuration generations or by rolling back to previous configuration versions by rolling back to previous configuration versions
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H04L67/1014 Server selection for load balancing based on the content of a request
    • H04L67/1034 Reaction to server failures by a load balancer
    • G06F11/1471 Saving, restoring, recovering or retrying involving logging of persistent data for recovery
    • G06F2201/84 Using snapshots, i.e. a logical point-in-time copy of the data

Definitions

  • This invention relates to the field of server management and, more particularly, to the management of servers in a heterogeneous computing environment.
  • IT: Information Technology
  • challenges due to a significant increase in the number of servers in an enterprise's IT infrastructure and the adoption of distributed electronic business applications.
  • These challenges have resulted from: (1) a transition from client-server to Internet-based architectures, resulting in frequent interactions between different types of servers; and (2) the use of component application servers, such as J2EE (Java 2 Platform, Enterprise Edition) and .NET, to generate components, tools, systems, and complex application models.
  • J2EE: Java 2 Platform, Enterprise Edition
  • an IT administrator may need to juggle hundreds of incompatible software application configurations and track thousands of server components for the thirty to forty servers he or she manages.
  • Microsoft Windows-based operating system servers are even more difficult to correct and configure than UNIX and Linux operating system based servers, due to a large number of server components having complex interdependencies.
  • system management tools are available from Microsoft, they have been designed to target only small-scale homogenous Windows-based computing environments, and not the large and heterogeneous computing environment supporting multiple operating systems that most IT administrators have to manage.
  • an authenticated user, such as an IT system administrator, can securely and simultaneously control and configure multiple servers, supporting different operating systems, by implementing a virtual server from the user's management system.
  • the user is authenticated by an operating-system-user-context-inheritance model or standard authentication protocols, such as a public key protocol, a Kerberos protocol, or a shared secret protocol.
  • a "virtual server" model is used.
  • a virtual server is an abstract model representing a collection of actual target servers. To represent these multiple physical servers as one virtual server, abstract system calls are used that extend execution of operating-system-specific system calls to multiple servers, regardless of their supported operating systems.
  • a virtual server is implemented by a virtual server client and a collection of virtual server agents associated with a collection of actual servers.
  • the virtual server client may be implemented by a network-aware code library, such as "libnc," which is implemented as a network-aware version of the "libc" library.
  • the virtual server client is a library, such as "libnc."
  • the user's management system contains a software application system, such as a command program (also referred to as a command line interface) or a configuration manager, which generates abstract system calls to request services to be performed on the target servers.
  • the virtual server client receives the abstract system calls and instantiates the abstract system calls in a thread-safe manner. The thread-safe instantiation ensures simultaneous execution of the system calls on multiple target servers, while sharing the single virtual server client among these multiple target servers and their associated virtual server agents.
  • the virtual server client identifies the target server(s) and their associated virtual server agent(s) to receive the abstract system calls.
  • the virtual server client identifies the target server(s) in response to a server identifier included in the abstract system call. Examples of the server identifier include a host name specified in a path and a network address. The server identifier may also be inferred from a group of servers to which the target server belongs.
  • the virtual server client transmits the abstract system calls to the identified virtual server agent for execution on the target server.
  • the virtual server client may encrypt the abstract system calls using standard encryption protocols, such as the SSL protocol, the Kerberos protocol, or the shared secret protocol, to secure communication between the virtual server client and the virtual server agent.
  • the virtual server client may specify priority, CPU utilization, and/or memory utilization of the abstract system call on the identified target server.
  • After the virtual server agent receives the abstract system calls from the virtual server client, the virtual server agent translates the abstract system call into an operating system-specific system call, so that the system call can be executed on the operating system-specific target server.
  • the virtual server agent identifies the source host of the user's management system to determine the encryption protocol used on the abstract system call.
  • the virtual server agent decrypts the abstract system call after learning about the encryption protocol used by the virtual server client. From the decrypted abstract system call, the virtual server agent identifies the authenticated user.
  • the virtual server agent contains software modules that can map the authenticated user (presented user) to another user (effective user), locate a corresponding local user identity on the target server for the effective user, and impersonate the effective user as a local user on the target server associated with the virtual server agent. In one embodiment, if the effective user is not identified as a recognized local user on the target server, the user is designated as a local guest user on the target server.
  • the virtual server agent further restricts the user's access to the target server through a software module that limits the user to performing predetermined actions or accessing predetermined resources on the target server, based on a role-based access control model and/or access control lists (ACLs).
  • ACLs: access control lists
  • the translated system calls are then executed on the target server in a thread-safe manner and the results of the execution are transported from the virtual server agent to the virtual server client.
  • the virtual server agent maintains an audit log to record the names of users and the abstract system calls executed on the target server.
  • the application system can aggregate multiple abstract system calls into a single high-level abstract system call, which in turn is transported to the virtual server client.
  • After receiving the high-level abstract system call, the virtual server client disintegrates the high-level abstract system call into the original multiple abstract system calls and instantiates these original abstract system calls individually. Accordingly, the virtual server agent receives the individual abstract system calls for execution on the associated target server.
  • after receiving the high-level abstract system call from the application program, the virtual server client instantiates the high-level abstract system call as a whole.
  • the identified virtual server agent receives the high-level abstract system call, rather than the original multiple abstract system calls.
  • the virtual server agent in turn translates the high-level abstract system call into the individual operating system-specific system calls to be executed on its associated target server.
  • the virtual server modifies an existing non-distributed application supporting only one specific operating system to function as a network-aware application that is applicable across servers or devices supporting different operating systems by substituting a non-network-aware system call with an abstract system call.
  • a non-distributed Unix shell program can function as a network-aware application program that is adaptable across multiple servers or devices supporting non-Unix operating systems.
  • non-distributed scripting languages, such as Perl and Python, can function as network-aware application programs that are applicable across multiple servers and devices supporting different operating systems.
  • software configuration components also referred to as server objects
  • server objects software configuration components having intricate interdependencies with other server components
  • fine-grain application change operations can be uniformly and simultaneously implemented across the heterogeneous servers, rather than implementing different application change operations for each of the servers individually.
  • a centralized management system can automatically track changes, configure, and manage multiple servers to provide compliance in accordance with predefined policies by incorporating the methods and systems described above.
  • This invention also relates to a method and system for executing and undoing distributed server change operations for a collection of server objects across multiple target servers in a transaction-safe manner.
  • transaction-safe means that all required steps of each server change operation are completed before the distributed server change operation is deemed completed, and if an error occurs while performing the required steps on the target servers, any changes made from these steps are undone.
  • Examples of distributed server change operations for a collection of server objects may be installing, copying, updating, or deleting server objects.
  • a collection of server objects can be copied from a single source to multiple remote target servers.
  • all the changes caused by copying this collection of server objects can be reversed on the affected multiple remote target servers.
  • server change operations for a collection of server objects are specified in a transaction package.
  • server change operations are specified in a transaction package to change code and content (files, applications, compound components, etc.), configure parameters of multiple servers simultaneously, and roll back the changes in the event of a failure.
  • Server change operations in the transaction package can be specified to occur on primitive server objects, compound server objects, abstract configuration server objects, and component server objects.
  • a primitive server object is an elemental server object that serves as a basis for all other types of server objects.
  • a compound server object is a server object containing primitive server objects and other related compound server objects.
  • An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file when the configuration file is mapped to a common abstract configuration file format using a configuration file-specific grammar.
  • a component server object is a sequenced collection of server objects that contains prerequisite and inheritance information about other types of server objects.
  • the transaction package includes a transaction context, a parameter file, error handling actions, a sequencing instruction for the change operations, and target server prerequisites for executing the change operations, in addition to the specified change operations.
  • the transaction context is identified by begin-transaction and end-transaction statements that encapsulate the server object change operations.
  • the parameter file specifies parameter values for each of the identified target servers. These parameter values are communicated to the identified target servers along with the transaction package.
  • the parameter file contains parameters referencing parameter values that are identical across the target servers.
  • the parameter file contains parameters referencing parameter values that are distinct for each of the target servers.
  • the transaction package supports several types of errors, such as soft errors and hard errors, in its error handling actions.
  • the sequencing instruction provides an execution sequence for the specified change operations. If this instruction is not provided locally within the transaction package, an external dependency graph is accessed to provide an execution sequence for the specified change operations.
  • the transaction package also provides the prerequisite information for the target servers to execute the specified change operations.
  • the user may optionally elect to proceed with a dry run. The dry run provides an additional set of tests to see if the server object change operations can be carried out by the recipient target servers before making any changes.
  • the specified change operations are executed on each of the identified target servers in a transaction-safe manner using the parameter values.
  • the specified change operations can be reversed when a user makes an explicit request or when an error is detected in a transaction log maintained for the transaction package, after a partial or full execution of the change operations.
  • the transaction log keeps track of details of all the steps performed, so that each performed step of a change operation can be retraced and reversed from the affected target servers.
  • multiple transaction packages can be assembled into a transaction project. All the change operations specified in a transaction project can be executed in a transaction-safe manner.
  • a server object is one or a collection of related configuration parameters and server assets, such as files, directories, registries, patches, packages, services, and applications.
  • server objects there are four types of server objects: a primitive server object, a compound server object, an abstract configuration server object, and a component server object.
  • a primitive server object is an elemental server object that serves as a basis for all other types of server objects.
  • a compound server object is a server object containing primitive server objects and other related compound server objects.
  • An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file when the configuration file is mapped to a common abstract configuration file format using a configuration file-specific grammar.
  • a component server object is a sequenced collection of server objects that contains prerequisite and inheritance information about other types of server objects.
  • server objects in multiple servers can be browsed in real time. While browsing, a collection of server object identifiers (without values) can be selected and manually collected in a template.
  • the template may be imported from an external vendor.
  • the template may include one or more previously defined templates.
  • the values of the server objects identified in the template can be recorded for a specific server (also referred to as a "gold server") through a process called "snapshot," which collects the values (also referred to as "snapshot results") and saves them in a reference model.
  • the reference model may be an imported reference model created by an external vendor.
  • the reference model may include one or more previously defined reference models.
  • the reference model may be used to derive compliance rules, such as baseline configuration values and compliance ranges, from the collected values for other servers on the network. By comparing other live servers to the reference model, the systems and methods track compliance and changes in the configuration of the other servers on the network.
  • a snapshot result can be used to capture the configuration of a server at an arbitrary point in time.
  • the configuration may include server objects that are explicitly selected from a server or that are implicitly selected via the template.
  • the snapshot results can also be recurring snapshots of a server taken at scheduled time intervals.
  • the first snapshot serves as a baseline for subsequent snapshots, so that for the subsequent snapshots, only the changes against the baseline are captured.
  • any snapshot can be reconstructed to show the entire configuration of a server at a specific time in the time intervals by combining the baseline with the incremental changes saved for the particular snapshot results.
  • these snapshots taken over a period of time can be used by the user to analyze changes on the server over time.
  • a single snapshot or recurring snapshots can be used to track change at an arbitrary point in time or over a scheduled period of time.
  • server change operations are generated to correct these discrepancies.
  • these server change operations can be presented to the servers as a transaction package so that the change operations can be executed across multiple servers in a transaction-safe manner to synchronize the target servers to the reference model or to the snapshots.
  • the user updates the reference model and packages the updates in a transaction package to synchronize the target servers to the reference model.
  • the reference model can be used to provision a new server that is newly added to the network to ensure consistency in the configuration of the servers on the network.
  • the servers on the network can restore their previous configuration from the reference model or the snapshots, so that in case of server failure, the server can be restored to recover its existing configuration and contents.
  • a live server can be compared against another live server by comparing the server objects identified in the template.
  • the user can explicitly select server objects that are commonly shared between these live servers and compare them accordingly.
  • the systems and methods according to the invention manage categorically related configuration parameters across different servers by modeling the parameters in templates.
  • Server objects also referred to as configuration parameters
  • a template per server type categories such as an application server category, a database server category, and a web server category.
  • the server objects are then categorized by configuration parameter type categories (e.g., network parameters, capacity parameters, availability parameters, performance parameters, and security parameters), sub-categories, and associate key words based on its function.
  • a new template can be derived from the first template that combines the categorically related server objects across the server categories and manages the configuration parameters as if they belonged to a single server. For example, the configuration parameters of an individual web server related to security can be changed in concert with security parameters of an application server and a database server.
  • FIG. 1 is a block diagram depicting an embodiment of a system for managing multiple servers in a heterogeneous computing environment.
  • FIG. 2 is a block diagram depicting a virtual server client in accordance with an embodiment of the invention.
  • FIG. 3 is a block diagram depicting a virtual server agent in accordance with an embodiment of the invention.
  • FIG. 4 is a flowchart depicting an embodiment of a method for receiving and executing a system call from an application program.
  • FIG. 5 is a flowchart depicting the details of instantiating an abstract system call in one embodiment of the method of FIG. 4.
  • FIG. 6 is a screen shot of an embodiment of a system implementing the method of FIG. 4.
  • FIG. 7 is a block diagram depicting an embodiment of a system for executing and undoing distributed server change operations in a transaction-safe manner.
  • FIG. 8 is a flowchart depicting an embodiment of a system for executing and undoing distributed server change operations in a transaction-safe manner.
  • FIG. 9 is a flowchart depicting an embodiment of a method for executing and undoing distributed server change operations in a transaction-safe manner.
  • FIG. 10 is a block diagram depicting an embodiment of a system for configuring multiple servers in a heterogeneous computing environment.
  • FIG. 11 is a flowchart depicting an embodiment of a method for configuring multiple servers in a heterogeneous computing environment.
  • FIG. 12 is a block diagram depicting an embodiment of a system for managing server objects as described in an embodiment of the invention.
  • FIG. 13 is a block diagram depicting an exemplary embodiment of the system of FIG. 12.
  • FIG. 14 is a user interface display in an embodiment for a system implementing the method of FIG. 11.
  • a user 10, such as a system administrator, manages a number of servers 15A, 15B, 15C, 15D, generally 15, which are computers, each of which can be of the same or of different types than the other servers 15.
  • the servers 15 are typically server-class general-purpose computers, which provide services (e.g. software applications and/or data) to other computers via one or more computer networks.
  • the servers may be application servers, routers, firewalls, load balancers, storage controllers, or a combination of these or other computers or network devices.
  • application servers are databases, such as the Oracle database from Oracle Corporation of Redwood City, California or other business applications.
  • Application servers may also include web servers, such as the Apache web server from the Apache Foundation, and Internet Information Server (IIS) from Microsoft Corporation of Redmond, WA.
  • IIS: Internet Information Server
  • other programs can be provided by the servers 15.
  • server is not limited to server-class computers or application servers, but refers generally to computers on which the embodiments of the invention operate, which may include other types of computers or network devices.
  • each of the servers 15 may use a different operating system.
  • server 15A uses MICROSOFT WINDOWS (e.g., WINDOWS NT and WINDOWS 2000), available from Microsoft Corporation of Redmond, WA;
  • server 15B uses SUN SOLARIS, available from Sun Microsystems, Inc. of Santa Clara, CA;
  • server 15C uses RED HAT LINUX, available from Red Hat, Inc. of Durham, N.C.;
  • server 15D uses IBM AIX, available from IBM of Armonk, NY.
  • One of the benefits of the system is its ability to operate in an environment having heterogen
  • the user 10 manages the servers 15 via a management system 20.
  • the management system 20 is typicaUy a server-class computer that provides the user 10 with an abiUty to manager servers 15 in a consistent manner through use of appUcation programs 25.
  • the management system 20 may be one of the servers 15, or any server-class computer that can communicate with the servers 15 over a network. Any of the target servers 15 can be designated as the management system, as long as the designated server includes appropriate appUcation programs and software modules to manage remotely located servers.
  • AppUcation programs 25 in the management system 20 can include one or more of a command-line sheU program 25A and related programs for executing sheU commands (e.g., UNIX sheU commands such as Is, mv, rm, etc.), a configuration manager 25B for managing system configuration, and/or other appUcations 25C.
  • the appUcation programs 25, which in some implementations are "network-aware,” communicate abstract system caUs to a virmal server cUent 30, which in turn communicates the abstract system caUs to the servers 15 that are the target(s) for execution of the operations requested by the abstract system caUs.
  • the "network-aware" appUcations are able to request services from heterogeneous servers supporting different operating systems without having to modify their architecture to support each of the different operating systems.
  • the user 10 enters commands, such as Unix sheU commands, to the sheU program 25A via a command line interface.
  • Commands can be entered, for example, to distribute files, directories, software packages, and patches to the target servers 15.
  • Commands can also be entered to edit configuration files of the target servers 15.
  • commands can be entered to remotely reboot the target servers 15, and stop and start change operation on the target servers 15.
  • the Unix sheU command "Is" which requests a server computer to Ust a directory of files, may be modified to be used with the user's management system 20 and the virmal server cUent 30 to Ust a directory of files from any of the target servers 15.
  • the "Is" command is used in the normal manner, except that the user 10 can identify a target server 15 for the command in a path associated with the command. For example, if the target server 15A is named "targetserverl," the user 10 may enter the command "Is //targetserverl/path/" to Ust the files in the specified path on the target server 15A. [0061] To implement this Is command of the sheU program 25A on the user's management system 20, the sheU program 25A translates the system caUs caUed by the "Is" command into one or more abstract system caUs.
  • the management system 20 may include a configuration manager 25B.
  • the configuration manager 25B is used to configure one or more of the servers 15.
  • the configuration manager is a software application program that implements server change operations that are in turn translated into the corresponding operating system specific commands on the target servers 15.
  • an application program 25 directs abstract system calls to specific target servers 15.
  • the application program 25 can also direct abstract system calls to a group of servers.
  • a group of servers can be pre-defined or dynamically defined based on attributes such as operating systems, capacity, IP address ranges, and installed applications.
  • the application program 25 can direct an abstract system call to a group of servers, consisting of a subset of servers 15 running the Linux operating system. Application program 25 thus can deploy a command onto a server in this group without specifying a particular server in the subset.
  • the application program 25 does not need to keep track of each server, nor determine which servers have sufficient capacity or features to run the program; rather, the application program 25 can deploy commands (or change operations) to a predetermined group, and the virtual server client 30 decides which specific server should run these operations.
  • the virtual server client 30, which may be included in the management system 20, presents the servers 15 to the application programs 25 as a single "virtual server" on which system call operations can be executed.
  • the virtual server client 30 is implemented by a software library, which in one implementation is roughly analogous to the C library, libc.
  • the application programs 25 can be statically or dynamically linked to the virtual server library, which is called libnc.
  • non network-aware application programs 25 are converted to network-aware programs by replacing calls to the libc library with equivalent calls to the libnc library, which provides abstract network-aware system calls.
  • the virtual server client 30 may be implemented as part of an operating system.
  • the operating system running the user's management system 20 can receive abstract system calls and communicate them to the remote target servers 15. Accordingly, for purposes of executing an abstract system call on a target server 15, the source of the abstract system call is immaterial.
  • the virtual server client 30 communicates with the servers 15 through virtual server agents 35 associated with the servers 15, which will be described in detail below.
  • the virtual server client 30 communicates with virtual server agents 35 to present the multiple physical target servers 15 as a single virtual server to the application programs 25.
  • the virtual server intercepts the abstract system calls via the virtual server client 30 and routes the abstract system calls to the virtual server agents 35.
  • When the virtual server client 30 receives an abstract system call from an application program 25, the virtual server client 30 checks the abstract system call to determine whether this system call is a local call or a remote call. If the abstract system call is a local call, then the operating system running the management system 20 executes the system call locally. If the abstract system call is determined to be a remote call, the virtual server client 30 sends the abstract system call to a virtual server agent 35 associated with a target server 15 via a message protocol.
  • when an "ropen" abstract system call, representing a remote file open command, is received by the virtual server client 30, the data representing the "ropen" command and parameters associated with the "ropen" command are sent to appropriate virtual server agents 35.
  • the target servers 15 for a system call are identified by the user 10 or the application programs 25.
  • the virtual server client 30 identifies the target servers 15 from their virtual server agents 35 and determines where the system call should be directed.
  • the virtual server agents 35 receive abstract system calls from the virtual server client 30 and prepare the abstract system calls for their associated target servers 15.
  • each of the virtual server agents 35 receives the abstract system call.
  • the virtual server agents 35 provide security measures to ensure that the user 10 is authorized to access the target servers 15, and that the virtual server agent 35 controls the user access, as provided by the associated target server 15.
  • the virtual server agent 35 translates the abstract system call into an operating system specific call directed to its associated target server 15.
  • the target server 15 executes the abstract system call and returns the results back to the virtual server agent 35, which in turn sends the results back to the appropriate application programs 25 via the virtual server client 30.
  • the virtual server agents 35 are software modules attached to their corresponding target servers 15.
  • the virtual server agents 35 are software modules that are not attached to their corresponding target servers 15, but are in communication with their associated remotely located target servers 15.
  • one of the virtual server agents 35 can represent a group of physical servers. Thus, if the same command needs to be executed on multiple servers, these servers can be aggregated into a group, represented by a single virtual server agent 35, so that appropriate system calls can be made to a group of servers simultaneously via that virtual server agent 35.
  • abstract system calls may include all types of system calls including file system calls, operating system calls, and the like.
  • An abstract system call typically is implemented as a modification of an analogous standard operating system specific call.
  • any application program can make operating system agnostic abstract system calls.
  • any generic application program can be made into a network-aware application that can operate transparently across servers supporting different operating systems.
  • only the system calls that are applicable to all of the target servers 15 can be modeled as abstract system calls.
  • if the target servers 15 include Unix-based servers, it may not be possible to model a system call to update a registry as an abstract system call, since a registry, which is a Windows specific object, does not exist and has no relevance for Unix-based server platforms.
  • the virtual server client 30 includes various software modules which implement its functionality. These modules include a receiver 40 that receives an abstract system call made by an application program 25, and forwards the abstract system call to an instantiator 42.
  • the receiver 40 is a software module that acts as a messenger between the software application programs 25 and the instantiator 42.
  • the receiver 40 receives the abstract system call from one of the software application programs 25 used by the user 10.
  • the receiver 40 then forwards the abstract system call directly to the instantiator 42.
  • the receiver 40 may receive standard operating system specific system calls from an application program 25. The receiver forwards such standard system calls to the instantiator 42 for the instantiator 42 to decide to where the system calls should be directed.
  • the instantiator 42 instantiates abstract system calls in a thread-safe manner.
  • the thread-safe instantiation shares a single resource between multiple operations without requiring changes to the architecture of the application programs requesting the operations.
  • Typically thread-safe instantiation shares the same virtual server client 30 between multiple simultaneous executions of system calls.
  • the use of the shared resource, such as the virtual server client 30, is coordinated, so that the execution of one operation does not impact the execution of other operations.
  • the application programs 25 can instantiate multiple commands (or operations) via the instantiator 42.
  • the application programs 25 may invoke multiple "ropen" system calls that are directed to one or more target servers 15.
  • the "ropen" system call is received by the instantiator 42 in the virtual server client 30.
  • the instantiator 42 then distributes the "ropen" abstract system call to each of the virtual server agents associated with the target servers, so that multiple "ropen" calls can be executed simultaneously by the target servers 15.
  • the instantiator 42 is implemented as a software library that provides routines that represent the abstract system calls.
  • the software library is called "libnc."
  • libnc is a "network-aware" library that is analogous to the standard C library.
  • the libnc library supports the network-aware application programs 25 by instantiating the abstract system calls generated by the application programs 25.
  • the instantiator 42 determines to which virtual server agents 35 an abstract system call should be directed.
  • the instantiator 42 identifies target servers 15 by finding the target server identifiers specified in the abstract system call.
  • the target server identifier may include a path name, which in turn may include a host name or a network address (e.g., IP address) for the server.
  • the target server 15 may also be identified by server names explicitly stated in a file which is to be run on specific named servers. Alternatively, the server identity may be inferred from a subset of servers or a group of servers (e.g., a group of Linux servers) to which the target server 15 belongs.
  • Before transmitting the abstract system call to the virtual server agents 35, the instantiator 42 can also specify the priority, CPU utilization, and memory utilization of the system call for the target servers 15, so that the identified target server 15 platforms can perform the requested services as specified by the virtual server client 30. Once the abstract system call has been instantiated, it is sent to an encryptor 44 for further processing.
  • the encryptor 44 encrypts the abstract system call before sending it to a transmitter 46 for transmission to the virtual server agents 35.
  • the encryptor 44 uses standard encryption protocols and algorithms to secure communication between the virtual server client 30 and the virtual server agents 35. Examples of standard encryption protocols include, but are not limited to, SSL (Secure Sockets Layer), Kerberos, and Shared Secret protocols. SSL uses a public key to encrypt data. Kerberos assigns a unique key to each authorized user. Standard encryption algorithms include, but are not limited to, DES (Data Encryption Standard), 3DES (Triple DES), Blowfish, and AES (Advanced Encryption Standard).
  • the encryption protocol and algorithm used by the encryptor 44 must be supported by each virtual server agent 35 with which the virtual server client 30 will communicate. For example, if the virtual server client 30 supports SSL, the virtual server agent 35 must be able to support SSL for that protocol to be used. If the virtual server client 30 supports Kerberos, the virtual server agent 35 must also be able to support Kerberos for that protocol to be used.
  • the transmitter 46 uses a network interface protocol, such as TCP/IP or Ethernet, to send the abstract system call over a network to the virtual server agents 35. The transmitter transmits the same abstract system call to each target virtual server agent.
  • the transmitter 46 uses an IP address to determine to which of the target servers 15 an abstract system call should be sent.
  • An IP address may be directly included in the abstract system call or may be inferred from a server identifier included in the abstract system call.
  • the virtual server agent 35 accepts the abstract system call containing the IP address of the target server 15 associated with that virtual server agent 35. Once the virtual server agent 35 receives the abstract system call, the virtual server agent 35 processes the abstract system call for execution on the target server 15. Referring to FIG. 3, each virtual server agent 35 includes software modules that implement its functionality.
  • These modules include a receiver 50, which receives abstract system calls from the virtual server client 30, and transfers the abstract system calls to a decryptor module 52.
  • the user 10 is authenticated to ensure that the user 10 is in fact the person he or she claims to be.
  • the user 10 can be authenticated in many ways. In one embodiment, the user 10 is authenticated by the operating system of the management system 20 and the target servers 15 subsequently inherit the user's 10 identity. In another embodiment, SRP (Secure Remote Password) or PKI Cryptography (X.509 Certificates) is used to authenticate user 10.
  • the Kerberos 5 system can be used to authenticate the user 10 by assigning a unique private key to the user 10.
  • the source identifier module 52 identifies the source machine, e.g., the user's management system 20.
  • the source identifier module 52 first determines the source machine through a network address (e.g., IP address) that was submitted to the virtual server agent 35 from the virtual server client 30 with the abstract system call and checks to see if the source host is authorized.
  • the source module 52 determines the security protocols to be used by the virtual server agent 35 for encryption and decryption.
  • the virtual server agent 35 can support different security protocols.
  • the virtual server agent 35 can flexibly support either SSL or Kerberos based on the security protocol of the incoming data from the virtual server client 30.
  • the abstract system call is sent to a decryptor 54, which decrypts the abstract system call.
  • the user identifier module 55 identifies the user 10 invoking the application programs 25 from the source machine and verifies that the user 10 is authorized to access the source machine.
  • an identity mapper 56 and an impersonator 58 provide additional security measures as the user 10 tries to access the remote target servers 15 from the user's management system 20.
  • the identity mapper 56 optionally maps the authenticated user (presented user) to another user (effective user) and locates a local user identity on the target server 15 that corresponds to the authenticated identity of the effective user.
  • through the impersonator 58, the user 10 is impersonated on a remote target server 15, so that if the effective user is identified and exists as a local user on the remote target server 15, the user 10 takes on the local identity of the effective user and the permissions provided by that identity on the remote target server 15.
  • the user's 10 access to the remote target server 15 is further restricted to the appropriate levels provided by the permissions granted to the effective user's local identity on the remote server 15. For example, if the user 10 is authenticated as "Joe" on the management system 20 and mapped to an effective user "Jane", local permissions of "Jane" will be available to the user 10 on the remote target server 15. If "Jane" does not exist on the remote target server 15, then the user 10 will be given a guest account. In one embodiment, the combination of the presented user and the role, which is defined by Role Based Access Control (RBAC), is mapped to an effective user.
  • the effective user's access for presented user 10 is further restricted by an authorizer 60, which permits the user 10 to perform predetermined actions or access predetermined resources on a particular target server 15.
  • This is achieved by using Access Control Lists (ACLs) to manage the effective user's access to resources on the remote target servers 15.
  • the ACL informs the operating systems of the remote target servers 15 of the access rights of the effective user on specific server resources, such as files or directories. For example, if the user 10 is mapped to the effective user "junior administrator", then the user 10 is only permitted to perform read-only commands on certain directories or files of a group of remote target servers 15 and cannot effect any changes to the target servers 15.
  • a translator 62 translates the abstract system call into a standard operating system call that is understandable and executable by the target server 15.
  • the translator 62 examines the abstract system call and identifies a standard operating system specific system call that is analogous to the abstract system call and is supported by the operating system running the associated target server 15. Once the analogous standard system call is identified, the translator changes the abstract system call to the standard system call. This standard operating system call is forwarded to an executor 66 for execution on the target server 15.
  • the executor 66 performs the services that are requested by the standard system call.
  • the executor 66 is the operating system running on the target server 15.
  • the operating system examines system calls and carries out the operations requested by the system call by, for example, communicating with other applications running on the target server 15.
  • An audit log 64 is maintained by each virtual server agent 35 to keep track of the names of the users and all the activities performed by each user, and to troubleshoot server changes and configuration errors.
  • the audit log 64 saves information about the activities requested and performed by authorized users, information about data, such as the system calls and the results of the system calls, that were transferred back and forth between the virtual server client 30 and the virtual server agent 35, as well as all parameters associated with the abstract system call.
  • the content of the audit log 64 is then transmitted to a centralized aggregated log kept for all of the virtual server agents 35.
  • a first example of security measures incorporated in an embodiment of the virtual server implementation follows. First, the user 10 logs into the management system and is authenticated as "Joe" during the login process. This authentication process can be achieved by using a known network authentication server, such as NTLM, K5, AD, APM, NIS, etc., depending on the operating system running on the management system 20. After the user "Joe" is authenticated in the management system 20, the user "Joe" is authenticated for the target servers 15 by inheriting the user "Joe" identity through the management system 20.
  • the user 10 enters an "ls" command, requesting a listing of files on the remote target server 15A, through the shell command program 25A on the management system 20.
  • the shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30 to proceed with the user's 10 request.
  • the virtual server client 30 examines the security configuration of the abstract system call and encrypts the system call using a shared secret key scheme with an encryption algorithm, such as DES, 3DES, or Blowfish.
  • the target server's 15A agent 35A attempts to decrypt the message using the secret key shared with the virtual server client 30.
  • the virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent examines the access control list to determine if the combination of the user
  • the user 10 is authenticated using SRP or PKI Certificates. Once the user 10 is authenticated, the user 10 enters an "ls" command, requesting a listing of files on the remote server 15A, through the shell command program 25A on the management system 20. The shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30.
  • the virtual server client 30 examines the security configuration of the abstract system call and encrypts the abstract system call using public key cryptography. Standard encryption algorithms, such as DES, 3DES, or Blowfish, may be used for exchange of session key between the virtual server client 30 and the target server agent 35A to establish a communication session between them.
  • After decrypting the abstract system call received by the virtual server agent 35A, the virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent 35A examines the ACL to determine if the combination of the user 10, target server 15A, and the abstract system call is allowed. If the combination is allowed, then the access control list is used to determine whether any further restrictions apply to the user's 10 access to the target server 15A.
  • the virtual server agent 35A executes the system call in accordance with any security restrictions, and encrypts the results using the established session key. The results of the "ls" command are then sent back to the virtual server client 30, where they are decrypted and displayed to the user.
  • a third example of security measures incorporated in an embodiment of the virtual server implementation follows. If the management system 20 has an existing Kerberos 5 (K5) infrastructure in place, the user 10 can be authenticated by entering a Kerberos password to the management system 20.
  • the user 10 enters the "ls" command, requesting a listing of files on the remote target server 15A, through the shell command program 25A on the management system 20.
  • the shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30 to proceed with the user's 10 request.
  • the virtual server client 30 then sends the abstract system call and a Kerberos ticket, which is retrieved from a Kerberos Domain Controller (KDC), to the virtual server agent 35A.
  • After the virtual server agent 35A receives the abstract system call and the ticket, the virtual server agent 35A validates the abstract system call by verifying the ticket via the KDC. Once validated, the virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent examines the ACL to determine if the combination of the user "Joe" 10, target server 15A, and the abstract system call is allowed. If the combination is allowed, then the access control list is used to determine whether any further restrictions apply to the user's 10 access to the target server 15A.
  • the virtual server agent 35A executes the system call in accordance with any security restrictions, and encrypts the results using a Kerberos key.
  • the results of the "ls" command are sent back to the virtual server client 30, where they are decrypted and displayed to the user.
  • Referring to FIG. 4, a method for managing multiple servers as a single virtual server is described.
  • the system represents multiple servers as a single virtual server.
  • in step 410, based on a user's request for operations to be performed on target servers, the virtual server client 30 receives an abstract system call from an application program 25.
  • in step 420, the virtual server client instantiates the abstract system calls and sends the abstract system call to the virtual server agents 35 for execution.
  • FIG. 5 shows steps involved in instantiating an abstract system call.
  • the virtual server client 30 identifies the target servers 15 through target server identifiers provided within the abstract system call.
  • the abstract system call is transmitted to the virtual server agents associated with the identified target servers.
  • the virtual server agents 35 prepare the abstract system call for the target servers 15, so that the abstract system call can be executed on the target servers 15.
  • the abstract system calls are translated into standard Windows NT/W2K specific system calls that are executable by the operating system running on the target server 15A.
  • the virtual server client 30 receives the results of the execution from the virtual server agents 35.
  • multiple commands generate multiple system calls, which can be aggregated into a single high-level abstract system call by an application program 25.
  • the abstract system calls carrying out these commands can be aggregated into one high-level abstract system call.
  • the virtual server client 30 can disintegrate the high-level abstract system call into the original abstract system calls and transmit the abstract system calls separately to virtual server agent 35.
  • FIG. 6 is a screenshot showing a command being issued to multiple servers through the management system 20. As shown here, server names used as parameters for commands are preceded by two slashes to distinguish them from a path name, which is generally separated by a slash.
  • the user 10 manages the target servers 15 by executing and undoing distributed server change operations across the target servers 15 in a transaction-safe manner, using the virtual server implementation described above.
  • Distributed server change operations request the operating systems of the target servers 15 to update, delete, install, and/or copy server assets and/or configuration file entries of the target servers 15.
  • Transaction-safe server change operations ensure that all of the required steps of each server change operation are completed before the distributed server change operations are deemed completed. Further, if an error occurs while performing the required steps on the target servers 15, any changes made from these steps are undone, and values of the target servers' 15 assets and/or configuration entries are returned to the values they had before execution of the server change operations.
  • the application programs 25 can generate a transaction package that bundles an instruction set and necessary server contents for the operating system of each of the target servers 15 to carry out the server change operations.
  • the configuration manager 25B generates a transaction package 700 that includes files or configuration file entries 705 (together referred to as server objects), a parameter file 710, and an instruction set 715 to carry out the server change operations on one or more target servers 15 that are specified by an external file, as requested by the configuration manager 25B.
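The agent-side checks that the three walkthroughs above share (authorized source host, presented user and role mapped to an effective user, guest fallback, ACL decision, audit entry) are modelled below. This is an added example, not code from the patent or from BladeLogic. Assumptions: the class names, the `rreaddir` call name, the verdict strings and the sample policy are hypothetical; `ropen` is the only call name taken from the text.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
import posixpath


@dataclass(frozen=True)
class AbstractCall:
    name: str            # "ropen" is the page's example; "rreaddir" is hypothetical
    path: str            # resource on the target server
    write: bool = False  # True when the call would change the resource


@dataclass(frozen=True)
class AclEntry:
    user: str            # effective (local) user the entry applies to
    call: str            # abstract system call name, or "*" for any call
    path_glob: str       # resource pattern on this agent's target server
    allow_write: bool    # False means read-only access


@dataclass
class Agent:
    server: str          # the target server this agent fronts
    sources: list        # networks allowed to send abstract system calls
    identity_map: dict   # (presented user, role) -> effective user
    local_users: set
    acl: list
    audit: list = field(default_factory=list)

    def effective_user(self, presented, role):
        # The mapping is optional: without an entry the presented user is kept.
        user = self.identity_map.get((presented, role), presented)
        # No such local account on the target: the user gets the guest account.
        return user if user in self.local_users else "guest"

    def authorize(self, user, call):
        # Normalise first so "/var/log/../../etc/shadow" cannot match "/var/log/*".
        path = posixpath.normpath(call.path)
        for entry in self.acl:  # first matching entry decides
            if (entry.user == user and entry.call in ("*", call.name)
                    and fnmatchcase(path, entry.path_glob)):
                return entry.allow_write or not call.write
        return False  # default deny: no entry, no access

    def handle(self, source_ip, presented, role, call):
        if not any(ip_address(source_ip) in ip_network(n) for n in self.sources):
            user, verdict = None, "deny:source"
        else:
            user = self.effective_user(presented, role)
            verdict = "allow" if self.authorize(user, call) else "deny:acl"
        # Denials are recorded as well as permitted calls, with all parameters.
        self.audit.append({"server": self.server, "source": source_ip,
                           "presented": presented, "role": role,
                           "effective": user, "call": call.name,
                           "path": call.path, "write": call.write,
                           "verdict": verdict})
        return verdict


def sample_agent():
    # Constructed sample policy for a target server named "targetserver1".
    return Agent(
        server="targetserver1",
        sources=["10.0.0.0/24"],
        identity_map={("joe", "admin"): "jane",
                      ("sam", "operator"): "junior_admin",
                      ("ann", "admin"): "root_ops"},  # root_ops is not a local user
        local_users={"jane", "junior_admin", "guest"},
        acl=[AclEntry("jane", "*", "/etc/*", True),
             AclEntry("junior_admin", "*", "/var/log/*", False),
             AclEntry("guest", "rreaddir", "/pub/*", False)],
    )
```

The guest fallback only stays harmless if the guest account's ACL entries are as narrow as the ones in the sample policy; the audit records are what a centralized log would receive from each agent.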
  • the instruction set 715 includes an execution sequence of the server change operations provided for the operating systems of the target servers 15 that carry out the server change operations. If this information is not provided in the instruction set 715 in the transaction package 700, an external dependency graph 720 is accessed to provide an execution sequence of the server change operations.
  • the external dependency graph 720 can provide information about directional relationships between server objects. In particular, if NT- based program A is a prerequisite for another NT-based program B, to successfuUy execute programs A and B, program A must start before program B and program B must stop before program A.
  • sequence information is used to order the sequence of change operations for the server objects that are specified in the transaction package
  • sequence information is also used to add impUed server object change operations for related server objects, such as server objects that depend on and/or depend from these specified server objects, that are not specified in the transaction package.
  • the sequence information adds the impUed instruction to stop program B and then stop program A based on the directional relationship between programs A and B.
  • the sequence information from the dependency graph determines the sequences of server change operations to be performed not only on the specified server objects, but also on their related server objects.
  • the sequence information also causes the server change operations to stop and to be reversed not only on the specified servers, but also on the related server objects.
  • the instruction set 715 provides the sequence information for the server change operations, the instruction set 715 overrides the sequence information provided by the dependency graph 720. Similar to the sequence information provided by the dependency graph 720, the instruction set 715 provides the information related to the order in which the server change operations should be performed. The related server objects of the specified server objects are provided, so that the server change operations can effect changes on the related server objects, as weU as the specified server objects.
  • the instruction set 715 also provides dependency information between types of servers.
  • the instruction set 715 specifies server change operations to occur on any of the four types of server objects 705: primitive server objects, compound server objects, abstract configuration server objects, and component server objects.
  • a primitive server object is an elemental server object that serves as a basis for all other types of server objects.
  • primitive server objects include, but are not limited to, files, directories, Redhat Package Manager files, and configuration file entries for text configuration files, such as the "inetd.conf" file.
  • primitive server objects include, but are not limited to, files, directories, packages, patches, and configuration file entries for configuration files, such as the "inetd.conf" file.
  • primitive server objects include, but are not limited to, files, file ACLs, directories, directory ACLs, application programs, hot fixes, registry entries, registry entry ACLs, COM/COM+ (component object model) catalog entries, Metabase entries, users, accounts, and configuration file entries for all configuration files, such as ".ini" files.
  • a compound server object is a server object containing primitive server objects and other related compound server objects.
  • an extended component object model (COM+) object, an NT or W2K-based compound server object, contains primitive server objects such as a COM+ catalog entry, NT registry entries, and DLL files.
  • an Enterprise JavaBeans (EJB) object, a compound server object, contains primitive server objects including a Java Archive (JAR) file and multiple configuration file entries.
  • a server process is a compound server object, containing primitive server objects, such as configuration file entries (e.g., a permission entry, a priority entry, a control signal entry), files, and executables.
  • An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file via a corresponding entry in an abstract configuration file, where mapping of a configuration file to a common abstract configuration format is provided by a configuration file-specific grammar.
  • configuration file entries are stored in ".ini" files or XML configuration files.
  • configuration file entries are stored in text files such as "inetd.conf" files or "httpd.conf", or XML configuration files.
  • a common abstract configuration format is provided by normalizing configuration file entries through a supported configuration file-specific grammar.
  • server change operations may be made based on the normalized abstract configuration file entries.
  • the change operations requested by the abstract configuration file entries are performed, and the changes are then communicated to the actual configuration file entries.
  • configuration file entries can be individually managed through use of abstract configuration file entries, without having to change the entire configuration file each time a server change operation changes an individual entry.
  • Configuration file-specific grammars may be provided for numerous systems, including Solaris, Linux, NT4/W2K, Apache, Web Logic, and Web Sphere.
  • a component server object is a sequenced collection of server objects.
  • an NT Service Pack is a sequenced collection of NT Hot Fixes to be applied in a predefined order. Accordingly, a collection of predefined related change operations can be effected in order through a component server.
  • the instruction set 715 specifies the server change operations to be made across the target servers 15 on a collection of predetermined server objects by communicating with the server objects (e.g., files or configuration file entries 705), the dependency graph 720, and the parameter file 710.
  • Server change operations can be used to deploy or copy files, directories, and software packages to the target servers 15. Change operations can also be used to edit configuration file entries 705 without having to log into each target server 15.
  • the instruction set 715 provides the information needed by the target servers 15 and their associated virtual server agents 35 to carry out the server change operations.
  • the instruction set 715 provides a transaction context that is identified by begin-transaction and end-transaction statements encapsulating the server object change operations. After the begin-transaction statement is made, the instruction set provides the necessary information to perform the change operations requested by the application programs 25.
  • the instruction set 715 also provides error-handling instructions for the target servers and their associated virtual server agents. In one embodiment, several types of errors are available. Soft errors are available to alert the target servers and their virtual server agents of a likelihood of occurrence of an error during server change operations. Because no actual error has occurred, the user 10 may ignore the soft errors and continue with the execution of the server change operations. Alternatively, the user 10 may instruct the virtual server agents to explicitly undo all the changes made from the execution of the server change operations after reviewing the error information returned by the soft errors.
  • Hard errors are available to notify the virtual server agents of an occurrence of an error during the performance of server change operations on the target servers.
  • the hard errors can be programmed to automatically trigger undo operations to undo any of the changes made during the execution of the server change operations.
  • the hard errors can be programmed to abort the execution of the remainder of transaction package change operations.
  • the hard errors are triggered by error conditions set forth in the instruction set 715. These error conditions specify that if certain conditions occur, the hard errors should be sent to the target servers and their associated virtual server agents.
  • the instruction set 715 also includes prerequisite information for the instructions.
  • An example of this prerequisite information can include, but is not limited to, the minimum set of change operation instructions that must be specified in a transaction package for its successful execution. For example, to successfully add a COM+ component on the target servers, instructions for adding the COM+ entry in the catalog, the corresponding Registry entry, and the corresponding DLL file must be specified in the transaction package.
  • Another example of the prerequisite information can include types of permissions needed to carry out the change operations, minimum disk space required by the target servers 15, and the type of operating system required.
  • the prerequisite information can also include implicit instructions for hierarchical server objects.
  • the parent directory for the file should exist in the target servers, so that the file can be created under the specified parent directory in these servers.
  • the instruction set 715 defines the changes that need to be made on the server objects by using named parameters, and later replacing the parameters with actual values obtained from a parameter file 710.
  • the virtual server agents 35 receive the transaction package 700 on behalf of their associated target servers 15, and replace the named parameters with values obtained from the parameter file 710. These named parameters are particularly useful when performing server change operations on server objects that are directed to multiple target servers 15, because the named parameter representing the identity of each target server can be replaced with the actual server identifiers by the virtual server agents 35.
  • named parameters of an instruction can reference a path name for a target server 15 that includes a host name or an IP address of the target server 15. These parameters are replaced with actual server identifiers for each target server 15, as provided in the parameter file(s) 710.
  • the parameter file 710 can be either a global parameter file or a host-specific parameter file.
  • a global parameter file contains parameters that are configured by the user 10, thus the identical global parameter file is passed to all target servers 15.
  • a host-specific parameter file contains parameters that are specific to each of the target servers 15, thus the host-specific parameter file is different for each of the target servers 15.
  • Parameter values contained in the global parameter file are useful when copying the same server object to the same destination on multiple target servers 15. Examples of this type of parameter are the user's name and password.
  • the parameter values contained in the host-specific parameter file are resolved by each of the target servers 15. Examples of these parameters are host names, and path names of the target servers 15. In addition, there are intrinsic parameters that are resolved through host environment variables on the target server.
  • one or more parameter files 710 are associated with one or more target servers. For example, for a Windows-based target server, "windir" and IP address are examples of host environment variables that can be used to resolve intrinsic parameters associated with one or more target servers and passed via the transaction package 700.
  • a transaction package 700 can be used to carry out these change operations using an XML-based instruction set 715.
  • each virtual server agent 35 is divided into two parts. One part of the virtual server agent 35 is an XML API that can interpret the XML-based instruction set 715 contained in the transaction package 700, and the other part of the virtual server agent 35 is a system call API that can interpret abstract system calls.
  • when a virtual server agent 35 receives an XML-based transaction package 700 through the virtual server client 30, the XML-based instruction set 715 in the transaction package 700 can be interpreted via the XML API.
  • the transaction package 700 can be implemented with a text-based instruction set 715.
  • the commands of the text-based instruction set 715 are translated into abstract system calls that are in turn interpreted by the system call API.
  • Package_1.XML specifying a prerequisite, transaction context, compound server object, sequence, and error handling information using an XML-based instruction set 715.
  • the Parameter file foo.params contains
  • $TOKEN1 as a parameter that corresponds to user id - "R2D2\web-admins"
  • $TOKEN2 as a parameter to password for R2D2\web-admins - "c3-po"
  • the <blpackage schema> tag denotes the beginning of the instruction set 715.
  • the <name>, <description> and <source type> tags respectively provide the package name, description, and source server, in this example the "web-demol" server, from where the package was created.
  • the <param> tag is used to specify the location, in this example "c:\program files\app", of parameters having the name "$APP_PATH" within the package 700, while the <param-file> tag is used to specify an external parameter file 710 called "foo.params".
  • the MS Windows operating system version greater than 5 and with service pack 2
  • the ⁇ depends> tag indicates that SQL Server, version 8, is a pre-requisite for the package.
  • the error handling information, which is introduced with the <FailIF> tag, specifies that the server operations should fail if the error level falls below 4.
  • the execution sequence information for the server change operations is provided under the ⁇ depends> tag.
  • the operations stop w3svc, add service RSCDsvc, start w3svc, add file ado.dll, and add file svchost.exe would occur in the following order: stop w3svc, add file svchost.exe, add service RSCDsvc, start w3svc, and add file ado.dll.
  • the server assets that are being affected by the server change operations are specified under the ⁇ assets> tag.
  • Each file has a corresponding nested File ACL having the ⁇ acl key> tags.
  • the parameter file 710 "foo.params" has two parameters that are used in the transaction package 700, named "$TOKEN1" and "$TOKEN2". Instead of passing physical values directed to each target server, the named parameters are sent, and are resolved by the parameter file 710 when the parameter file 710 substitutes the actual values that are specific for each target server 15 for the named parameters.
  • these values can be a path for a collection of server objects (e.g., files), a user name, or a password.
  • the first parameter, $TOKEN1, corresponds to the user name "R2D2\web-admins"
  • the parameter $TOKEN2 corresponds to the password "c3-po."
  • multiple transaction packages can be aggregated into a transaction project 725.
  • the transaction project 725 coordinates the transaction packages 700 and their server change operations, so that each server change operation can be executed in a transaction-safe manner.
  • XML transaction project 725 containing a transaction package named "BLPkg_web.XML," directed to six web servers, a transaction package named "BLPkg_app.XML," directed to two application servers, and a transaction package named "BLPkg_db.XML," directed to two database servers: <PROJECT><BLPkg><Name>BLPkg_web.XML</Name>
  • the package "BLPkg_web.XML" is to be executed on six web servers named Web Server1 through Web Server6, the package "BLPkg_app.XML" is to be executed on two application servers, and the package "BLPkg_db.XML" is to be executed on two database servers.
  • the configuration manager 25B, or any of the application programs 25, prepares the transaction package 700 and instructs the virtual server client 30 to pass the package 700 to the virtual server agents 35 associated with the target servers. After receiving the transaction package 700, the virtual server agents 35 unpack the package 700 and execute the operations on their associated target servers 15. A method for achieving this is shown in FIG. 8. [0127] In step 800, the configuration manager 25B checks the prerequisite information of the requested change operations. Examples of the prerequisite information include checks related to integrity and completeness of the package, such as prompting for user name and password if required, making sure simple dependencies are resolved, and making sure the corresponding files are in the package.
  • In step 810, the configuration manager 25B checks for the sequence information setting forth the execution order of the requested change operations in the package's instruction set 715. If the sequence information is not provided in the instruction set 715, the configuration manager 25B accesses the external dependency graph 720 to obtain the sequence information. After completion of step 810, in step 815, the configuration manager 25B transfers the package 700 and the associated files and parameter files to the virtual server agents 35 via the virtual server client 30. [0129] In one embodiment, the virtual server agent 35 receives the completed transaction package 700 via the virtual server client 30.
  • the named parameters are substituted with actual values.
  • the virtual server agent 35 then executes the server change operations specified in the transaction package for its associated target server 15.
  • the virtual server client 30 may transport only the parameter file 710 and the instruction set 715, without the actual files or any of the server objects, to the virtual server agent 35, in case the user 10 optionally elects to proceed with a dry run.
  • the dry run provides an additional set of tests to see if the instruction set 715 can be carried out by the recipient virtual server agent 35 before making any changes on the target server 15.
  • After the virtual server agent 35 receives a partial transaction package 700 from the virtual server client 30, in step 820, the parameters are substituted with actual values as provided in the parameter file 710. After completing the dry run, the configuration manager 25B can transfer the entire package 700 to the virtual server agents 35 via the virtual server client 30 for actual execution. [0130] Before executing the operations on each target server 15, in step 835, the agent updates an undo log. The undo log, which is maintained for each target server, records the executed operations, and tracks the changes made by these operations, so that if an error occurs while executing the server change operations, the operations can be undone as recorded in the undo log.
  • the undo log is identical in structure to the transaction package, but with the parameter files arranged in reverse order and the change operations recorded in reverse order.
  • the server change operations are executed on the target servers 15.
  • In step 900, one or more application programs 25 generate and specify change operations using a transaction package 700. Different types of server objects and corresponding target servers 15 are supported through the instruction set provided in the transaction package 700.
  • the application program specifies the target server(s) to which the server change operations are directed.
  • the application program specifies the parameter file that provides parameters and their corresponding values defined for each of the target servers, and places this information in the transaction package 700.
  • the server client 30 sends the server change operation from the application program 25 to the virtual server agents 35 on the target servers 15.
  • the target servers 15 execute the server change operations in a transaction-safe manner.
  • the configuration manager 25B is an exemplary application program 25 that tracks changes and compliance and configures target servers by generating and deploying a transaction package 700.
  • the configuration manager 25B provides a method and system for configuring different servers using a variety of software modules, such as a browser 1000, a template 1010, a recorder 1020, a reference model 1030, a comparator 1040, and a corrector 1050.
  • the browser 1000 browses server objects in different servers in real time, to examine the current configuration of the server objects contained inside of the servers 15. First, the user selects a server he/she wishes to browse.
  • the template 1010 may be imported from an external vendor.
  • the template 1010 may also be created by including one or more previously defined templates.
  • the template 1010 is an abstract template that identifies server objects contained in a server. For example, if an Apache server contains files, and configuration file entries, an Apache server template 1010 contains identifiers that are sufficient to identify the files and configuration file entries of the Apache server. After identifying server objects on the template 1010, values of these identified server objects are recorded to configure servers on the network.
  • the recorder 1020 takes a snapshot of values (e.g., attributes) associated with a collection of server objects.
  • the recorder 1020 takes a snapshot of values of the server objects identified in the template 1010.
  • the values may come from any of the servers browsed by the browser. Alternatively, the values may come from a selected server, also referred to as a gold server.
  • Examples of the values (or attributes) of files recorded in the snapshots include, but are not limited to, file names, sizes, permissions, owners, creation dates, modification dates, and versions.
  • Examples of directory attributes (or values) recorded in snapshots are directory locations, permissions, creation dates, and modification dates.
  • registry entry attributes recorded in snapshots are field names, and corresponding values.
  • the recorded values or snapshot results of the gold server are used to derive baseline values and compliance ranges in the reference model 1030.
  • the snapshot results can be directly used to track changes, configure existing servers and provision new servers on the network. Snapshot results record a configuration of a server at a point in time, thus they cannot be changed.
  • the reference model 1030 can be edited to represent the reference implementation for compliance or provisioning purposes.
  • the reference model 1030 can provide information, such as baseline values and compliance ranges, for use by other servers in the network to identify their drift in comparison to the gold server.
  • the baseline values provide a basis for configuration of other servers.
  • the compliance ranges are ranges of configuration values within which other servers are considered to be in compliance.
  • the reference model 1030 may be an imported reference model that was created by an external vendor.
  • the reference model 1030 may include one or more previously defined reference models.
  • the comparator 1040 compares a server to the reference model 1030 to track changes and track compliance in the server.
  • a snapshot of a current configuration of a server captured at an arbitrary point in time can be compared against a live-version of the captured server to track changes in the captured server.
  • the configuration of a server can include explicitly selected server objects that are on the server or implicitly selected server objects provided through the template 1010.
  • the snapshot results of recurring snapshots of a server taken at scheduled time intervals (e.g., daily, weekly, etc.) can be used to track changes in the captured server.
  • the first snapshot of the server serves as a baseline, so that for subsequent snapshots, only the changes against the baseline are saved in the snapshot results.
  • any snapshot result taken during these time intervals can be reconstructed to view its entire configuration and content by combining the baseline with the incremental changes saved in the snapshot result.
  • the incremental changes show the changes that occurred in the configuration of the server over a period of time, so that the user can analyze the changes of this particular server.
  • the comparator 1040 compares a live-version of the server to the baseline snapshot to track and save only changes on the server.
  • two live servers can be compared against each other without the snapshots or the reference model 1030, on an ad-hoc basis.
  • the user 10 may explicitly select server objects that are commonly shared between the two live servers so that the comparator 1040 can compare the values of the server objects between these servers.
  • the comparator 1040 compares the values of the server objects that are implicitly provided by the template 1010.
  • the corrector 1050 corrects the discrepancies in each target server.
  • the corrector 1050 examines the discrepancies and generates server change operations that request services from the operating systems running on the target servers to correct these discrepancies.
  • server change operations can be presented to the servers as a transaction package 700 to remove discrepancies and synchronize the target servers to the reference model 1030 in a transaction-safe manner.
  • configuration updates to the target servers can be made by the transaction package 700.
  • the configuration manager 25B first makes all the updates to the reference model 1030, which then packages the discrepancies (introduced in the reference model) as updates in the transaction package 700.
  • the transaction package 700 is propagated to the target servers to synchronize them to the updated reference model.
  • the reference model 1030 can also be used to provision a new server to ensure consistency in the configuration of the servers in the network when a new server is added.
  • an Apache reference model 1030 can be used to provision a new Apache server so that the configuration of all Apache servers in the network is consistent.
  • both the reference model 1030 and snapshots can be used to restore a previous configuration of a server in case of disaster recovery. In particular, in case of a server failure, this server can recover its most recent configuration and contents by reconstructing the server's configuration from the snapshots taken over a period of time.
  • FIG. 11 shows an exemplary method of tracking changes and compliance, and correcting component as well as parameter-level changes across multiple servers.
  • the configuration manager 25B browses servers in the network to obtain server asset and configuration (together referred to as server objects) status information for each server.
  • selected server objects and their dependent server objects are browsed in real time.
  • live servers in the network and their stored server objects can be browsed via a Graphic User Interface (GUI) which presents the servers and server objects hierarchically.
  • the configuration manager 25B selects identifiers of the browsed server objects to be in the template 1010.
  • the identifiers can include any information about the server object that is sufficient to identify the server object.
  • the configuration manager selects a gold server, to provide a baseline configuration and configuration ranges for other servers in the network.
  • snapshots of the values of the server objects identified in the template that are present in the gold server are recorded in the reference model 1030.
  • the reference model establishes compliance rules, such as the baseline configuration and the compliance ranges.
  • the snapshots of the values are not recorded in the reference model. Instead, the snapshot results of a server can be used to directly compare against a live-version of this server to track changes.
  • the configuration manager 25B selects servers and their respective configuration parameters (also referred to as server objects) to compare against the reference model 1030.
  • These servers can be selected from any live servers on the network. Alternatively, these live-version servers can also be directly compared against their own snapshots, taken at an arbitrary point in time, or taken over a specific period, without the reference model 1030, to track compliance and changes in these servers.
  • the results of the comparing step 1125 can be viewed item-by-item, by showing which software (or server objects) are installed or not installed, or host-by-host, by showing each server and the server objects present on the server.
  • a correcting step 1130 fixes the servers to be in compliance by synchronizing configuration of these servers with the reference model 1030 or the snapshots. Moreover, a newly added server can be provisioned to be consistent with other servers by synchronizing this new server to the reference model 1030.
  • the configuration manager 25B can manage the same type of configuration parameters (also referred to as server objects) across different servers by specifying one or more categories for the parameters in templates.
  • the template 1200 first specifies the "server-type" category (e.g., application server category 1210, web server category 1215, and database server category 1220) to specify to what type of server each server object in the network belongs, and then specifies the "parameter-type" category (e.g., network parameters, capacity parameters, availability parameters, performance parameters, security parameters) to specify the parameter type to which each server object belongs.
  • a server object in the template 1200 can be classified under one or more categories, sub-categories and keywords.
  • sub-categories can include encryption type and authentication type
  • keywords can include "read-only" and constant.
  • Internet 1300 and intranet 1305 are available to different categories of servers 1215, 1210, 1220 through firewalls 1310.
  • Web server category 1215 includes an IIS server 1215A for intranet services and Apache Servers 1215B, 1215C for the HTTP/FTP and Wireless/Video Internet services respectively.
  • Application server category 1210 includes servers running sales applications 1210A, on-line brokerage applications 1210B, and customer service application 1210C.
  • Database server category 1220 includes sales, trading, and account databases 1220A, 1220B, and 1220C.
  • each server object in the template 1200 is placed into a parameter category based on its function and server type.
  • the server objects may be grouped into network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350.
  • the configuration manager 25B selects categorically related server objects from each category of servers and stores them in the template 1200. For example, all the security parameters in the application server category 1210 and all the network parameters in the application server category 1210 are stored in the template 1200.
  • web server configuration parameters a, b, c, d, e are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350.
  • application server configuration parameters i, ii, iii, iv, v are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350.
  • database server configuration parameters I, II, III, IV, V are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350.
  • a new template can be derived from the template 1200 to isolate the categorically related server objects across the server categories and manage the configuration parameters as if they belonged to a single server.
  • security configuration parameters of an individual web server can be changed in concert with other security configuration parameters for other web servers, as well as for application servers and database servers.
  • web server network parameter a can be changed in concert with network parameters i of the application server category 1210 and parameter I of the database server category 1220.
  • Web server capacity parameter b can be changed in concert with other capacity parameters ii of the application server category 1210 and II of the database server category 1220. Likewise, correlated changes of parameters can be performed for the availability parameters 1346, the performance parameters 1345, and the security parameters 1350.
  • an exemplary screenshot of a GUI-based configuration manager 25B includes a module referred to as an asset browser 1400, which allows a user 10 to browse live remote target servers 15, and to manage and store frequently used server assets (also referred to as server objects).
  • the asset browser 1400 is divided into two panes.
  • the left pane 1410 functions as either a Servers pane or a Depots pane, depending on a tab 1420 selected by the user 10.
  • the Contents pane 1430 on the right side displays the contents of an item selected in the Servers or the Depots pane.
  • the left pane 1410 displays the Servers pane which shows a hierarchical depiction of the servers that the user 10 manages.
  • the user 10 may arrange the servers into groups based on geographical location and/or operating system. Server groups are divided into the eastern and western divisions of an enterprise, and within those groups, another level of hierarchy for Windows, UNIX, and Linux-based servers. More specifically in FIG. 14, within the servers in the Eastern Division 1440, the patches object 1460 in the sun 2 server 1450 is selected.
  • the Contents pane 1430 shows the contents of the patches object 1460.
  • the Depots pane (not shown) can display central repositories of commonly accessed server objects (e.g., all files, software to be deployed, and pointers to the content of the files and software residing in other servers in the network).
  • the Depots pane stores scheduled tasks to be performed, snapshots of server objects, Shell scripts, and transaction packages 700.
  • the configuration manager browses live servers on a network, tracks changes and compliance in the servers by comparing their server objects against a reference model or a snapshot, and identifying any discrepancies from the reference model or the snapshot.
  • the reference model may be used to audit other servers, to determine how configurations of the other servers have changed from the reference model.
  • a server's own snapshot can be taken arbitrarily, or over a specific period of time to track changes in the server, without using the reference model.
  • the server objects being compared in the audit process are provided automatically by the configuration manager via templates.
  • the user may manually select the server objects to compare.
  • Additionally the audit process can be scheduled to track compliance over time.
  • After identifying server configuration discrepancies present in the servers, the configuration manager 25B corrects the discrepancies by generating a transaction package 700 that contains server change operations to be performed on the servers 15.
  • the transaction package 700 bundles configuration change operations and corresponding instructions to be deployed on remote target servers 15 to correct any discrepancies that exist in server objects contained in those servers 15.
  • the configuration manager 25B can install any types of server objects from a single source to multiple locations.
  • the configuration manager 25B can uninstall software, and undo server object deployments on the remote target servers 15.
  • certain values inside the transaction package 700 can be parameterized and subsequently replaced with real values during the deployment of the transaction package 700 on the target servers 15, without changing the contents of the transaction package 700 for each target server 15.
  • the configuration manager 25B can be used to move a working MS SQL server database from a gold server to multiple target servers 15, to duplicate the changes made in this database to multiple servers.
  • the user 10 copies the changes made on the SQL Server database to the reference model, so that the configuration manager 25B can later bundle these changes to other instances of the same SQL Server database in the remote target servers 15.
  • the reference model and the remote target servers 15 have the same initial installation of the SQL Server database.
  • the configuration manager takes a snapshot of the gold server to create a reference model that is used as a baseline to compare the SQL Server databases between the gold server and the target servers 15. The necessary database changes are first made to the gold server.
  • the configuration manager 25B creates a transaction package 700 to bundle these changes to be deployed on the target servers 15.
  • the configuration manager 25B deploys the transaction package 700 to the virtual server agents 35 associated with the target servers 15 to request these changes to be made on their SQL Server databases.
  • the functionality of the systems and methods described above may be implemented as software on one or more general purpose computers.
  • the software may be written in any one of a number of high-level languages, such as FORTRAN, PASCAL, C, C++, LISP, JAVA, or BASIC.
  • the software may be written in a script, macro, or functionality embedded in commercially available software, such as EXCEL or VISUAL BASIC. Additionally, the software could be implemented in an assembly language directed to a microprocessor resident on a computer.
  • the software could be implemented in Intel 80x86 assembly language if it were configured to run on an IBM PC or PC clone.
  • the software may be embedded on an article of manufacture including, but not limited to, a "computer-readable medium" such as a floppy disk, a hard disk, an optical disk, a magnetic tape, a PROM, an EPROM, or CD-ROM.

Abstract

A method and system for managing a large number of servers and their server components distributed throughout a heterogeneous computing environment is provided. In one embodiment, an authenticated user, such as an IT system administrator, can securely and simultaneously control and configure multiple servers, supporting different operating systems, through a "virtual server." A virtual server is an abstract model representing a collection of actual target servers. To represent multiple physical servers as one virtual server, abstract system calls that extend execution of operating-system-specific system calls to multiple servers, regardless of their supported operating systems, are used. A virtual server is implemented by a virtual server client and a collection of virtual server agents associated with a collection of actual servers. A method and system for executing and undoing distributed server change operations for a collection of server objects across multiple target servers in a transaction-safe manner is provided. In one embodiment, server change operations for a collection of server objects, such as files and configuration file entries, are specified in a transaction package. The target servers to which the specified change operation are directed are also identified in the transaction package. Parameter values for each of the identified target servers are specified through a parameter file in the transaction package. The transaction package is sent to the identified target servers, which execute the change operations on the target servers in a transaction-safe manner using these parameter values. A method and system for configuring heterogeneous servers across a network through modules that can browse, snapshot, track changes, track compliance, correct server objects on each of the servers, and provision new servers is provided. In one embodiment, server objects on multiple servers can be browsed in real time. 
While browsing, a collection of server object identifiers can be selected and collected in a template. The values of the server objects identified in the template can be recorded for a "gold server" through a "snapshot" process, which collects the values and saves them in a reference model. By comparing other live servers to the reference model, discrepancies in configuration of the other live servers can be identified and corrected. The reference models can also be used to provision a new server. Alternative to the reference model, an arbitrary snapshot or scheduled snapshots of a server can be used to track change and compliance in that server.

Description

METHOD AND SYSTEM FOR SIMPLIFYING DISTRIBUTED SERVER MANAGEMENT
Cross-Reference To Related Application
[0001] This application claims priority to and the benefit of U.S. Provisional Patent Application Serial No. 60/388,112 filed June 12, 2002, entitled METHOD AND SYSTEM FOR SIMPLIFYING SERVER MANAGEMENT; U.S. Provisional Patent Application Serial No. 60/453,308 filed March 10, 2003, entitled METHOD AND SYSTEM FOR SIMPLIFYING SERVER MANAGEMENT; U.S. Patent Application Serial No. 10/414,958 filed April 16, 2003, entitled METHOD AND SYSTEM FOR EXECUTING AND UNDOING DISTRIBUTED SERVER CHANGE OPERATIONS; U.S. Patent Application Serial No. 10/414,959 filed April 16, 2003, entitled METHOD AND SYSTEM FOR SIMPLIFYING DISTRIBUTED SERVER MANAGEMENT; and U.S. Patent Application Serial No. 10/414,887 filed April 16, 2003, entitled METHOD AND SYSTEM FOR MODEL-BASED HETEROGENEOUS SERVER CONFIGURATION MANAGEMENT, the entire disclosures of which are hereby incorporated by reference.
Technical Field
[0002] This invention relates to the field of server management and, more particularly, to the management of servers in a heterogeneous computing environment.
Background Information
[0003] Information Technology (IT) administrators are facing new challenges due to a significant increase in the number of servers in an enterprise's IT infrastructure and the adoption of distributed electronic business applications. These challenges have resulted from: (1) a transition from client-server to Internet-based architectures, resulting in frequent interactions between different types of servers; and (2) the use of component application servers, such as J2EE (Java 2 Platform, Enterprise Edition) and .NET, to generate components, tools, systems, and complex application models. Faced with these challenges, an IT administrator may need to juggle hundreds of incompatible software application configurations and track thousands of server components for the thirty to forty servers he or she manages.
[0004] Currently available configuration tools are inadequate to manage a large number of software application configuration and server components across multiple servers in a heterogeneous computing environment. To manage and configure heterogeneous servers, particularly in the complex business computing infrastructure, many IT administrators use enterprise systems management (ESM) products offering monitoring tools to automate problem identification across multiple servers. However, these monitoring tools do not provide a centralized management system with a centralized configuration database, which can centrally keep track of current server components and their interdependencies across the different servers.
[0005] In addition, these ESM products provide little or no help in correcting or configuring server components in a heterogeneous computing environment. For UNIX and Linux operating system-based servers, despite the open-source and internally developed tools and scripts to handle simple configuration changes to J2EE configurations, neither the tools nor the scripts can be easily extended to address complex distributed applications.
[0006] Microsoft Windows-based operating system servers are even more difficult to correct and configure than UNIX and Linux operating system based servers, due to a large number of server components having complex interdependencies. Although system management tools are available from Microsoft, they have been designed to target only small-scale homogenous Windows-based computing environments, and not the large and heterogeneous computing environment supporting multiple operating systems that most IT administrators have to manage.
[0007] Because of the inadequacies in currently available management tools, significant portions of any server configuration change operations have to be made manually by the IT administrator for each server. Accordingly, human errors can occur from these manual change operations, and from manual monitoring and tracking of each server's configuration, resulting in frequent server misconfigurations and system downtime.
Summary of the Invention
[0008] To alleviate this situation, systems and methods according to the invention can be used to manage a large number of servers and their server components distributed throughout a heterogeneous computing environment.
[0009] In one embodiment, an authenticated user, such as an IT system administrator, can securely and simultaneously control and configure multiple servers, supporting different operating systems, by implementing a virtual server from the user's management system. In one embodiment, the user is authenticated by an operating-system-user-context-inheritance model or standard authentication protocols, such as a public key protocol, a Kerberos protocol, or a shared secret protocol.
[0010] In some embodiments, a "virtual server" model is used. A virtual server is an abstract model representing a collection of actual target servers. To represent these multiple physical servers as one virtual server, the abstract system calls that extend execution of operating-system-specific system calls to multiple servers regardless of their supported operating systems are used. A virtual server is implemented by a virtual server client and a collection of virtual server agents associated with a collection of actual servers. The virtual server client may be implemented by a network-aware code library, such as "libnc," which is implemented as a network-aware version of the "libc" library. In another embodiment, the virtual server client is a library, such as "libnc."
[0011] The user's management system contains a software application system, such as a command program (also referred to as a command line interface) or a configuration manager, which generates abstract system calls to request services to be performed on the target servers. In one embodiment, the virtual server client receives the abstract system calls and instantiates the abstract system calls in a thread-safe manner. The thread-safe instantiation ensures simultaneous execution of the system calls on multiple target servers, while sharing the single virtual server client among these multiple target servers and their associated virtual server agents. In the instantiating process, the virtual server client identifies the target server(s) and their associated virtual server agent(s) to receive the abstract system calls. In one embodiment, the virtual server client identifies the target server(s) in response to a server identifier included in the abstract system call. Examples of the server identifier include a host name specified in a path and a network address. The server identifier may also be inferred from a group of servers to which the target server belongs.
[0012] Also, in the instantiating process, the virtual server client transmits the abstract system calls to the identified virtual server agent for execution on the target server. Before the transmission of the abstract system call, the virtual server client may encrypt the abstract system calls using standard encryption protocols, such as the SSL protocol, the Kerberos protocol, or the shared secret protocol, to secure communication between the virtual server client and the virtual server agent. In addition, before the transmission of the abstract system call, the virtual server client may specify priority, CPU utilization, and/or memory utilization of the abstract system call on the identified target server.
[0013] After the virtual server agent receives the abstract system calls from the virtual server client, the virtual server agent translates the abstract system call into an operating system-specific system call, so that system call can be executed on the operating system-specific target server. Before translating the abstract system call, in one embodiment, the virtual server agent identifies the source host of the user's management system to determine the encryption protocol used on the abstract system call. The virtual server agent decrypts the abstract system call after learning about the encryption protocol used by the virtual server client. From the decrypted abstract system call, the virtual server agent identifies the authenticated user. In addition, the virtual server agent contains software modules that can map the authenticated user (presented user) to another user (effective user) and locate a corresponding local user identity on the target server for the effective user, and impersonate the effective user as a local user on the target server associated with the virtual server agent. In one embodiment, if the effective user is not identified as a recognized local user on the target server, the user is designated as a local guest user on the target server. The virtual server agent further restricts the user's access to the target server through a software module that limits the user to performing predetermined actions or accessing predetermined resources on the target server, based on a role-based access control model and/or access control lists (ACLs).
[0014] The translated system calls are then executed on the target server in a thread-safe manner and the results of the execution are transported from the virtual server agent to the virtual server client. In one embodiment, the virtual server agent maintains an audit log to record the names of users and the abstract system calls executed on the target server.
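The agent-side checks in paragraphs [0013] and [0014] can be sketched as follows. This is an added example, not code from the patent or from any product: the user maps, role names, paths and the choice to log denied calls as well as executed ones are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed sample policy for one target server (hypothetical names).
USER_MAP = {"alice@corp": "webadmin", "bob@corp": "dbadmin"}  # presented -> effective
LOCAL_USERS = {"webadmin": "www-ops"}     # effective -> local account on this host
ROLE_OF = {"www-ops": "web_operator", "guest": "read_only"}
ROLE_PERMS = {                            # role -> allowed (action, path prefix)
    "web_operator": {("read", "/etc/httpd"), ("write", "/etc/httpd"),
                     ("read", "/var/log")},
    "read_only": {("read", "/var/log")},
}


@dataclass
class Agent:
    audit_log: list = field(default_factory=list)

    def resolve_local_user(self, presented):
        """Map presented user -> effective user -> local account, else guest."""
        effective = USER_MAP.get(presented, presented)
        return LOCAL_USERS.get(effective, "guest")

    def authorize(self, local_user, action, path):
        """Role-based check on the normalized path; anything unlisted is denied."""
        path = posixpath.normpath(path)   # collapse "..", so prefixes cannot be escaped
        perms = ROLE_PERMS.get(ROLE_OF.get(local_user), set())
        return any(
            action == allowed_action
            and (path == prefix or path.startswith(prefix + "/"))
            for allowed_action, prefix in perms
        )

    def handle(self, presented, action, path):
        """Decide one abstract call and record who asked for what."""
        local_user = self.resolve_local_user(presented)
        allowed = self.authorize(local_user, action, path)
        self.audit_log.append({
            "presented": presented,
            "local_user": local_user,
            "call": (action, posixpath.normpath(path)),
            "allowed": allowed,
        })
        return allowed, local_user


if __name__ == "__main__":
    agent = Agent()
    for request in [
        ("alice@corp", "write", "/etc/httpd/conf/httpd.conf"),
        ("bob@corp", "write", "/etc/httpd/conf/httpd.conf"),   # no local account
        ("alice@corp", "read", "/etc/httpd/../shadow"),        # traversal attempt
    ]:
        print(request, "->", agent.handle(*request))
```

The guest fallback only stays safe while the guest role is kept minimal, and the audit log is what lets a reviewer see that a presented user was silently downgraded.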
[0015] In another embodiment, the application system can aggregate multiple abstract system calls into a single high-level abstract system call, which in turn is transported to the virtual server client. After receiving the high-level abstract system call, the virtual server client disintegrates the high-level abstract system call into the original multiple abstract system calls and instantiates these original abstract system calls individually. Accordingly, the virtual server agent receives the individual abstract system calls for execution on the associated target server.
[0016] In yet another embodiment, after receiving the high-level abstract system call from the application program, the virtual server client instantiates the high-level abstract system call as a whole. Thus, the identified virtual server agent receives the high-level abstract system call, rather than the original multiple abstract system calls. The virtual server agent in turn translates the high-level abstract system call into the individual operating system-specific system calls to be executed on its associated target server.
[0017] In another embodiment, the virtual server modifies an existing non-distributed application supporting only one specific operating system to function as a network-aware application that is applicable across servers or devices supporting different operating systems by substituting a non network-aware system call with an abstract system call. In one exemplary embodiment, a non-distributed Unix shell program can function as a network-aware application program that is adaptable across multiple servers or devices supporting non-Unix operating systems. In another exemplary embodiment, non-distributed scripting languages, such as Perl and Python, can function as network-aware application programs that are applicable across multiple servers and devices supporting different operating systems.
[0018] In another embodiment, software configuration components (also referred to as server objects) having intricate interdependencies with other server components can be defined and characterized under a single unified system. Through this unified system, fine-grain application change operations can be uniformly and simultaneously implemented across the heterogeneous servers, rather than implementing different application change operations for each of the servers individually.
[0019] In yet another embodiment, a centralized management system can automatically track changes, configure, and manage multiple servers to provide compliance in accordance with predefined policies by incorporating the methods and systems described above.
[0020] This invention also relates to a method and system for executing and undoing distributed server change operations for a collection of server objects across multiple target servers in a transaction-safe manner. Here, transaction-safe means that all required steps of each server change operation are completed before the distributed server change operation is deemed completed, and if an error occurs while performing the required steps on the target servers, any changes made from these steps are undone.
[0021] Examples of distributed server change operations for a collection of server objects may be installing, copying, updating, or deleting server objects. In one exemplary embodiment, a collection of server objects can be copied from a single source to multiple remote target servers. Likewise, all the changes caused by copying this collection of server objects can be reversed on the affected multiple remote target servers.
[0022] In one embodiment, server change operations for a collection of server objects, such as files and configuration file entries, are specified in a transaction package. In particular, server change operations are specified in a transaction package to change code and content (files, applications, compound components, etc.), configure parameters of multiple servers simultaneously, and roll-back the changes in the event of a failure. Server change operations in the transaction package can be specified to occur on primitive server objects, compound server objects, abstract configuration server objects, and component server objects. A primitive server object is an elemental server object that serves as a basis for all other types of server objects. A compound server object is a server object containing primitive server objects and other related compound server objects. An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file when the configuration file is mapped to a common abstract configuration file format using a configuration file-specific grammar. A component server object is a sequenced collection of server objects that contains prerequisite and inheritance information about other types of server objects.
[0023] In one embodiment, the server change operations in a transaction package are specified in an XML-based instruction set. In another embodiment, the server change operations are specified in a text-based instruction set.
[0024] In one embodiment, the transaction package includes a transaction context, a parameter file, error handling actions, a sequencing instruction for the change operations, and target server prerequisites for executing the change operations, in addition to the specified change operations. The transaction context is identified by begin-transaction and end-transaction statements that encapsulate the server object change operations. The parameter file specifies parameter values for each of the identified target servers. These parameter values are communicated to the identified target servers along with the transaction package. In one embodiment, the parameter file contains parameters referencing parameter values that are identical across the target servers. In another embodiment, the parameter file contains parameters referencing parameter values that are distinct for each of the target servers. The transaction package supports several types of errors, such as soft errors and hard errors, in its error handling actions. The sequencing instruction provides an execution sequence for the specified change operations. If this instruction is not provided locally within the transaction package, an external dependency graph is accessed to provide an execution sequence for the specified change operations. The transaction package also provides the prerequisite information for the target servers to execute the specified change operations.
[0025] In one embodiment, the user may optionally elect to proceed with a dry run. The dry run provides an additional set of tests to see if the server object change operations can be carried out by the recipient target servers before making any changes.
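The following added example (not code from the patent) sketches a parameterized transaction package with a dry run and a transaction log that drives the undo. It assumes servers modeled as in-memory dictionaries, a `${NAME}` placeholder syntax, and that every error is a hard error; the package layout and all names are hypothetical.

```python
import copy
from string import Template

MISSING = object()  # log marker: the key did not exist before the change


class HardError(Exception):
    """An error that aborts the whole package."""


# Constructed sample package: one set of operations, per-target parameter values.
PACKAGE = {
    "targets": ["web1", "web2"],
    "operations": [
        {"op": "set", "key": "listen_port", "value": "${PORT}"},
        {"op": "delete", "key": "debug"},
    ],
    "parameters": {"web1": {"PORT": "8080"}, "web2": {"PORT": "8081"}},
}


def sample_servers():
    """Constructed target state; web2 lacks the 'debug' entry."""
    return {"web1": {"listen_port": "80", "debug": "on"},
            "web2": {"listen_port": "80"}}


def render(op, params):
    """Fill placeholders for one target without modifying the package."""
    return {k: Template(v).substitute(params) for k, v in op.items()}


def apply_op(config, op, server, log):
    """Apply one operation and log the prior value so it can be reversed."""
    key = op["key"]
    if op["op"] == "set":
        log.append((server, key, config.get(key, MISSING)))
        config[key] = op["value"]
    elif op["op"] == "delete":
        if key not in config:
            raise HardError(f"{server}: cannot delete missing key {key}")
        log.append((server, key, config[key]))
        del config[key]
    else:
        raise HardError(f"{server}: unknown operation {op['op']}")


def undo(servers, log):
    """Retrace the log backwards, restoring each recorded prior value."""
    for server, key, old in reversed(log):
        if old is MISSING:
            servers[server].pop(key, None)
        else:
            servers[server][key] = old


def execute(package, servers):
    """Run every operation on every target; on any error undo all of them."""
    log = []
    try:
        for name in package["targets"]:
            if name not in servers:
                raise HardError(f"{name}: unknown target")
            params = package["parameters"].get(name, {})
            for op in package["operations"]:
                apply_op(servers[name], render(op, params), name, log)
    except HardError as exc:
        error = str(exc)
    except KeyError as exc:  # raised by Template.substitute
        error = f"no value for parameter {exc.args[0]}"
    else:
        return True, None, log
    undo(servers, log)
    return False, error, log


def dry_run(package, servers):
    """Run the package against a copy so the real targets are untouched."""
    ok, error, _ = execute(package, copy.deepcopy(servers))
    return ok, error


if __name__ == "__main__":
    servers = sample_servers()
    print(dry_run(PACKAGE, servers))
    print(execute(PACKAGE, servers)[:2], servers)
```

With the sample data the failure occurs on the second target, after the first target was fully changed, which is the case where a per-server rollback would leave the fleet inconsistent.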
[0026] After the transaction package is communicated to the target servers, the specified change operations are executed on each of the identified target servers in a transaction-safe manner using the parameter values.
[0027] In one embodiment, the specified change operations can be reversed when a user makes an explicit request or when an error is detected in a transaction log maintained for the transaction package, after a partial or full execution of the change operations. The transaction log keeps track of details of all the steps performed, so that each performed step of a change operation can be retraced and reversed from the affected target servers.
[0028] In another embodiment, multiple transaction packages can be assembled into a transaction project. All the change operations specified in a transaction project can be executed in a transaction-safe manner.
[0029] This invention also relates to a method and system for configuring heterogeneous servers across a network by providing modules that can browse, snapshot, track changes, track compliance, restore previous configuration, make updates on each of the servers, and provision new servers and applications.
[0030] A server object is one or a collection of related configuration parameters and server assets, such as files, directories, registries, patches, packages, services, and applications. In one embodiment, there are four types of server objects: a primitive server object, a compound server object, an abstract configuration server object, and a component server object. A primitive server object is an elemental server object that serves as a basis for all other types of server objects. A compound server object is a server object containing primitive server objects and other related compound server objects. An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file when the configuration file is mapped to a common abstract configuration file format using a configuration file-specific grammar. A component server object is a sequenced collection of server objects that contains prerequisite and inheritance information about other types of server objects.
[0031] In one embodiment, server objects in multiple servers can be browsed in real time. While browsing, a collection of server object identifiers (without values) can be selected and manually collected in a template. In another embodiment, the template may be imported from an external vendor. In yet another embodiment, the template may include one or more previously defined templates.
[0032] The values of the server objects identified in the template can be recorded for a specific server (also referred to as a "gold server") through a process called "snapshot," which collects the values (also referred to as "snapshot results") and saves them in a reference model. In one embodiment, the reference model may be an imported reference model created by an external vendor. In another embodiment, the reference model may include one or more previously defined reference models. In one embodiment, the reference model may be used to derive compliance rules, such as baseline configuration values and compliance ranges, from the collected values for other servers on the network. By comparing other live servers to the reference model, the systems and methods track compliance and changes in the configuration of the other servers on the network.
[0033] Alternatively, instead of saving the snapshot results in the reference model, a snapshot result can be used to capture the configuration of a server at an arbitrary point in time. The configuration may include server objects that are explicitly selected from a server or that are implicitly selected via the template. In another embodiment, the snapshot results can also be recurring snapshots of a server taken at scheduled time intervals. In this embodiment, the first snapshot serves as a baseline for subsequent snapshots, so that for the subsequent snapshots, only the changes against the baseline are captured. Thus, any snapshot can be reconstructed to show the entire configuration of a server at a specific time in the time intervals by combining the baseline with the incremental changes saved for the particular snapshot results. In addition, these snapshots taken over a period of time can be used by the user to analyze changes on the server over time. Moreover, a single snapshot or recurring snapshots can be used to track change at an arbitrary point in time or over a scheduled period of time.
[0034] After comparing servers on the network and identifying the discrepancies present in the compared servers, server change operations are generated to correct these discrepancies. In one embodiment, these server change operations can be presented to the servers as a transaction package so that the change operations can be executed across multiple servers in a transaction-safe manner to synchronize the target servers to the reference model or to the snapshots. Similarly, to update target servers, the user updates the reference model and packages the updates in a transaction package to synchronize the target servers to the reference model.
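The snapshot, reconstruction and audit steps of paragraphs [0031] to [0034] are sketched below as an added example (not code from the patent). Servers are modeled as dictionaries, and the template entries, values and the tuple form of the generated change operations are constructed for illustration.

```python
ABSENT = object()  # marks a server object that is not present on a server

# Constructed sample data: a template of identifiers and a gold server.
TEMPLATE = ["sshd.PermitRootLogin", "sshd.Protocol", "ntp.server"]
GOLD = {"sshd.PermitRootLogin": "no", "sshd.Protocol": "2",
        "ntp.server": "10.0.0.1", "hostname": "gold"}


def collect(server, template):
    """Snapshot: record values only for identifiers named in the template."""
    return {key: server[key] for key in template if key in server}


class SnapshotSeries:
    """Recurring snapshots: a full baseline, then only changes against it."""

    def __init__(self, template):
        self.template = tuple(template)
        self.baseline = None
        self.deltas = []

    def take(self, server):
        """Record one snapshot and return its index (0 is the baseline)."""
        values = collect(server, self.template)
        if self.baseline is None:
            self.baseline = values
            return 0
        delta = {
            key: values.get(key, ABSENT)
            for key in self.template
            if values.get(key, ABSENT) != self.baseline.get(key, ABSENT)
        }
        self.deltas.append(delta)
        return len(self.deltas)

    def reconstruct(self, index):
        """Rebuild the full configuration as of snapshot `index`."""
        if self.baseline is None:
            raise ValueError("no baseline snapshot taken yet")
        state = dict(self.baseline)
        if index > 0:
            for key, value in self.deltas[index - 1].items():
                if value is ABSENT:
                    state.pop(key, None)
                else:
                    state[key] = value
        return state


def audit(reference, live, template):
    """Compare a live server to the reference model and emit the change
    operations that would bring it back in line, in template order."""
    operations = []
    for key in template:
        want = reference.get(key, ABSENT)
        have = live.get(key, ABSENT)
        if want == have:
            continue
        if want is ABSENT:
            operations.append(("delete", key, None))
        else:
            operations.append(("set", key, want))
    return operations


if __name__ == "__main__":
    reference = collect(GOLD, TEMPLATE)
    live = dict(GOLD, hostname="web7")
    series = SnapshotSeries(TEMPLATE)
    series.take(live)
    live["sshd.PermitRootLogin"] = "yes"   # drift after the baseline
    series.take(live)
    print(series.deltas)
    print(audit(reference, live, TEMPLATE))
```

Objects outside the template, such as `hostname` here, are never recorded or compared, so the audit is only as complete as the template behind it.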
[0035] In one embodiment, the reference model can be used to provision a new server that is newly added to the network to ensure consistency in the configuration of the servers on the network.
[0036] In another embodiment, the servers on the network can restore their previous configuration from the reference model or the snapshots, so that in case of server failure, the server can be restored to recover its existing configuration and contents.
[0037] In yet another embodiment, a live server can be compared against another live server by comparing the server objects identified in the template. In another embodiment, the user can explicitly select server objects that are commonly shared between these live servers and compare them accordingly.
[0038] In one embodiment, the systems and methods according to the invention manage categorically related configuration parameters across different servers by modeling the parameters in templates. Server objects (also referred to as configuration parameters) are categorized in a template per server type categories, such as an application server category, a database server category, and a web server category. In the same template, the server objects are then categorized by configuration parameter type categories (e.g., network parameters, capacity parameters, availability parameters, performance parameters, and security parameters), sub-categories, and associate key words based on its function. A new template can be derived from the first template that combines the categorically related server objects across the server categories and manages the configuration parameters as if they belonged to a single server. For example, the configuration parameters of an individual web server related to security can be changed in concert with security parameters of an application server and a database server.
Brief Description of the Drawings
[0039] In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the invention.
[0040] FIG. 1 is a block diagram depicting an embodiment of a system for managing multiple servers in a heterogeneous computing environment.
[0041] FIG. 2 is a block diagram depicting a virtual server client in accordance with an embodiment of the invention.
[0042] FIG. 3 is a block diagram depicting a virtual server agent in accordance with an embodiment of the invention.
[0043] FIG. 4 is a flowchart depicting an embodiment of a method for receiving and executing a system call from an application program.
[0044] FIG. 5 is a flowchart depicting the details of instantiating an abstract system call in one embodiment of the method of FIG. 4.
[0045] FIG. 6 is a screen shot of an embodiment of a system implementing the method of FIG. 4.
[0046] FIG. 7 is a block diagram depicting an embodiment of a system for executing and undoing distributed server change operations in a transaction-safe manner.
[0047] FIG. 8 is a flowchart depicting an embodiment of a system for executing and undoing distributed server change operations in a transaction-safe manner.
[0048] FIG. 9 is a flowchart depicting an embodiment of a method for executing and undoing distributed server change operations in a transaction-safe manner.
[0049] FIG. 10 is a block diagram depicting an embodiment of a system for configuring multiple servers in a heterogeneous computing environment.
[0050] FIG. 11 is a flowchart depicting an embodiment of a method for configuring multiple servers in a heterogeneous computing environment.
[0051] FIG. 12 is a block diagram depicting an embodiment of a system for managing server objects as described in an embodiment of the invention.
[0052] FIG. 13 is a block diagram depicting an exemplary embodiment of the system of FIG. 12.
[0053] FIG. 14 is a user interface display in an embodiment for a system implementing the method of FIG. 11.
Detailed Description
[0054] Referring to FIG. 1, a user 10, such as a system administrator, manages a number of servers 15A, 15B, 15C, 15D, generally 15, which are computers, each of which can be of the same or of different types than the other servers 15. The servers 15 are typically server-class general-purpose computers, which provide services (e.g. software applications and/or data) to other computers via one or more computer networks. For example, the servers may be application servers, routers, firewalls, load balancers, storage controllers, or a combination of these or other computers or network devices.
[0055] Examples of application servers are databases, such as the Oracle database from Oracle Corporation of Redwood City, California or other business applications. Application servers may also include web servers, such as the Apache web server from the Apache Foundation, and Internet Information Server (IIS) from Microsoft Corporation of Redmond, WA. In addition to these examples, other programs can be provided by the servers 15. It should be understood that as used herein, the term "server" is not limited to server-class computers or application servers, but refers generally to computers on which the embodiments of the invention operate, which may include other types of computers or network devices.
[0056] As shown, each of the servers 15 may use a different operating system. For example, server 15A uses MICROSOFT WINDOWS (e.g., WINDOWS NT and WINDOWS 2000), available from Microsoft Corporation of Redmond, WA; server 15B uses SUN SOLARIS, available from Sun Microsystems, Inc. of Santa Clara, CA; server 15C uses RED HAT LINUX, available from Red Hat, Inc. of Durham, N.C.; and server 15D uses IBM AIX, available from IBM of Armonk, NY. It will be understood that this is just one example of the operating systems that may be used on the servers 15, and other combinations and operating systems may be used on the servers 15 in accordance with embodiments of the invention. One of the benefits of the system is its ability to operate in an environment having heterogeneous servers.
[0057] In one embodiment, the user 10 manages the servers 15 via a management system 20. The management system 20 is typically a server-class computer that provides the user 10 with an ability to manage servers 15 in a consistent manner through use of application programs 25. The management system 20 may be one of the servers 15, or any server-class computer that can communicate with the servers 15 over a network. Any of the target servers 15 can be designated as the management system, as long as the designated server includes appropriate application programs and software modules to manage remotely located servers.
[0058] Application programs 25 in the management system 20 can include one or more of a command-line shell program 25A and related programs for executing shell commands (e.g., UNIX shell commands such as ls, mv, rm, etc.), a configuration manager 25B for managing system configuration, and/or other applications 25C. The application programs 25, which in some implementations are "network-aware," communicate abstract system calls to a virtual server client 30, which in turn communicates the abstract system calls to the servers 15 that are the target(s) for execution of the operations requested by the abstract system calls. Advantageously, through use of the abstract system calls, the "network-aware" applications are able to request services from heterogeneous servers supporting different operating systems without having to modify their architecture to support each of the different operating systems.
[0059] For example, the user 10 enters commands, such as Unix shell commands, to the shell program 25A via a command line interface. Commands can be entered, for example, to distribute files, directories, software packages, and patches to the target servers 15. Commands can also be entered to edit configuration files of the target servers 15. In addition, commands can be entered to remotely reboot the target servers 15, and stop and start change operation on the target servers 15.
[0060] For example, in one implementation, the Unix shell command "ls," which requests a server computer to list a directory of files, may be modified to be used with the user's management system 20 and the virtual server client 30 to list a directory of files from any of the target servers 15. From the user's 10 perspective, the "ls" command is used in the normal manner, except that the user 10 can identify a target server 15 for the command in a path associated with the command. For example, if the target server 15A is named "targetserver1," the user 10 may enter the command "ls //targetserver1/path/" to list the files in the specified path on the target server 15A.
[0061] To implement this ls command of the shell program 25A on the user's management system 20, the shell program 25A translates the system calls called by the "ls" command into one or more abstract system calls. These abstract system calls are sent to the virtual server client 30, which in turn sends the abstract system calls to appropriate target servers 15, in this case, the target server 15A. After execution of the command on the target servers 15, the results are communicated back to the user 10 via the application programs 25 and the virtual server client 30.
[0062] Other programs can be made "network aware". For example, in some implementations, script interpreters, such as interpreters for the Perl and Python scripting languages, can be modified to work with the virtual server client 30. Generally, selected system calls made by an application program are translated into abstract system calls, which are communicated through the virtual server client 30 to the servers 15.
[0063] In addition to providing shell commands and other application programs, the management system 20 may include a configuration manager 25B. In one embodiment, the configuration manager 25B is used to configure one or more of the servers 15. The configuration manager is a software application program that implements server change operations that are in turn translated into the corresponding operating system specific commands on the target servers 15.
[0064] In one implementation, an application program 25 directs abstract system calls to specific target servers 15. In another implementation, the application program 25 can also direct abstract system calls to a group of servers. A group of servers can be pre-defined or dynamically defined based on attributes such as operating systems, capacity, IP address ranges, and installed applications. For example, the application program 25 can direct an abstract system call to a group of servers, consisting of a subset of servers 15 running the Linux operating system. Application program 25 thus can deploy a command onto a server in this group without specifying a particular server in the subset. In this way, the application program 25 does not need to keep track of each server, nor determine which servers have sufficient capacity or features to run the program; rather, the application program 25 can deploy commands (or change operations) to a predetermined group, and the virtual server client 30 decides which specific server should run these operations.
[0065] The virtual server client 30, which may be included in the management system 20, presents the servers 15 to the application programs 25 as a single "virtual server" on which system call operations can be executed. The virtual server client 30 is implemented by a software library, which in one implementation is roughly analogous to the C library, libc. The application programs 25 can be statically or dynamically linked to the virtual server library, which is called libnc. In one embodiment, non network-aware application programs 25 are converted to network-aware programs by replacing calls to the libc library with equivalent calls to the libnc library, which provides abstract network-aware system calls.
[0066] In an alternative embodiment, the virtual server client 30 may be implemented as part of an operating system. For example, the operating system running the user's management system 20 can receive abstract system calls and communicate them to the remote target servers 15. Accordingly, for purposes of executing an abstract system call on the target servers 15, the source of the abstract system call is immaterial.
[0067] In some embodiments, the virtual server client 30 communicates with the servers 15 through virtual server agents 35 associated with the servers 15, which will be described in detail below. The virtual server client 30 communicates with virtual server agents 35 to present the multiple physical target servers 15 as a single virtual server to the application programs 25. As an abstract representation of a collection of the physical servers 15, the virtual server intercepts the abstract system calls via the virtual server client 30 and routes the abstract system calls to the virtual server agents 35.
[0068] When the virtual server client 30 receives an abstract system call from an application program 25, the virtual server client 30 checks the abstract system call to determine whether this system call is a local call or a remote call. If the abstract system call is a local call, then the operating system running the management system 20 executes the system call locally. If the abstract system call is determined to be a remote call, the virtual server client 30 sends the abstract system call to a virtual server agent 35 associated with a target server 15 via a message protocol. For example, when an "ropen" abstract system call, representing a remote file open command, is received by the virtual server client 30, the data representing the "ropen" command and parameters associated with the "ropen" command are sent to appropriate virtual server agents 35. The target servers 15 for a system call are identified by the user 10 or the application programs 25. The virtual server client 30 identifies the target servers 15 from their virtual server agents 35 and determines where the system call should be directed.
[0069] The virtual server agents 35 receive abstract system calls from the virtual server client 30 and prepare the abstract system calls for their associated target servers 15. When the virtual server client 30 determines to which virtual server agents an abstract system call should be directed, each of the virtual server agents 35 receives the abstract system call. As a part of preparing the abstract system call for the associated target servers 15, the virtual server agents 35 provide security measures to ensure that the user 10 is authorized to access the target servers 15, and that the virtual server agent 35 controls the user access, as provided by the associated target server 15. Once the user 10 is authorized, the virtual server agent 35 translates the abstract system call into an operating system specific call directed to its associated target server 15. The target server 15 executes the abstract system call and returns the results back to the virtual server agent 35, which in turn sends the results back to the appropriate application programs 25 via the virtual server client 30.
[0070] In one embodiment, the virtual server agents 35 (also referred to as Remote System Call Daemon or RSCD agents) are software modules attached to their corresponding target servers 15. In another embodiment, the virtual server agents 35 are software modules that are not attached to their corresponding target servers 15, but are in communication with their associated remotely located target servers 15.
[0071] In some embodiments, instead of acting as a messenger that sends an abstract system call to a specific target server 15, one of the virtual server agents 35 can represent a group of physical servers. Thus, if the same command needs to be executed on multiple servers, these servers can be aggregated into a group, represented by a single virtual server agent 35, so that appropriate system calls can be made to a group of servers simultaneously via that virtual server agent 35.
[0072] Generally, abstract system calls may include all types of system calls including file system calls, operating system calls, and the like. An abstract system call typically is implemented as a modification of an analogous standard operating system specific call. For example, the abstract system call "ropen" is analogous to a standard system call "open," which opens a file on a server.
[0073] With minor modifications to an application program's source code, any application program can make operating system agnostic abstract system calls. By changing the system calls to abstract system calls, any generic application program can be made into a network-aware application that can operate transparently across servers supporting different operating systems.
[0074] In one embodiment, only the system calls that are applicable to all of the target servers 15 can be modeled as abstract system calls. For example, if the target servers 15 include Unix-based servers, it may not be possible to model a system call to update a registry as an abstract system call, since a registry, which is a Windows specific object, does not exist and has no relevance for Unix-based server platforms.
[0075] Referring to FIG. 2, in one embodiment, the virtual server client 30 includes various software modules which implement its functionality. These modules include a receiver 40 that receives an abstract system call made by an application program 25, and forwards the abstract system call to an instantiator 42. The receiver 40 is a software module that acts as a messenger between the software application programs 25 and the instantiator 42. In one embodiment, the receiver 40 receives the abstract system call from one of the software application programs 25 used by the user 10. The receiver 40 then forwards the abstract system call directly to the instantiator 42. In another embodiment, the receiver 40 may receive standard operating system specific system calls from an application program 25. The receiver forwards such standard system calls to the instantiator 42 for the instantiator 42 to decide where the system calls should be directed.
[0076] The instantiator 42 instantiates abstract system calls in a thread-safe manner. The thread-safe instantiation shares a single resource between multiple operations without requiring changes to the architecture of the application programs requesting the operations. Typically, thread-safe instantiation shares the same virtual server client 30 between multiple simultaneous executions of system calls. The use of the shared resource, such as the virtual server client 30, is coordinated, so that the execution of one operation does not impact the execution of other operations. In one embodiment of the thread-safe instantiation, the application programs 25 can instantiate multiple commands (or operations) via the instantiator 42. For example, the application programs 25 may invoke multiple "ropen" system calls that are directed to one or more target servers 15. The "ropen" system call is received by the instantiator 42 in the virtual server client 30. The instantiator 42 then distributes the "ropen" abstract system call to each of the virtual server agents associated with the target servers, so that multiple "ropen" calls can be executed simultaneously by the target servers 15.
[0077] In one embodiment, the instantiator 42 is implemented as a software library that provides routines that represent the abstract system calls. One particular implementation of the software library is called "libnc." Libnc is a "network-aware" library that is analogous to the standard C library. The Libnc library supports the network-aware application programs 25 by instantiating the abstract system calls generated by the application programs 25.
[0078] In one embodiment, the instantiator 42 determines to which virtual server agents 35 an abstract system call should be directed. The instantiator 42 identifies target servers 15 by finding the target server identifiers specified in the abstract system call. The target server identifier may include a path name, which in turn may include a host name or a network address (e.g., IP address) for the server. The target server 15 may also be identified by server names explicitly stated in a file which is to be run on specific named servers. Alternatively, the server identity may be inferred from a subset of servers or a group of servers (e.g., a group of Linux servers) to which the target server 15 belongs.
[0079] Before transmitting the abstract system call to the virtual server agents 35, the instantiator 42 can also specify the priority, CPU utilization, and memory utilization of the system call for the target servers 15, so that the identified target server 15 platforms can perform the requested services as specified by the virtual server client 30. Once the abstract system call has been instantiated, it is sent to an encryptor 44 for further processing.
[0080] The encryptor 44 encrypts the abstract system call before sending it to a transmitter 46 for transmission to the virtual server agents 35. The encryptor 44 uses standard encryption protocols and algorithms to secure communication between the virtual server client 30 and the virtual server agents 35. Examples of standard encryption protocols include, but are not limited to, SSL (Secure Sockets Layer), Kerberos, and Shared Secret protocols. SSL uses a public key to encrypt data. Kerberos assigns a unique key to each authorized user. Standard encryption algorithms include, but are not limited to, DES (Data Encryption Standard), 3DES (Triple DES), Blowfish, and AES (Advanced Encryption Standard).
[0081] The encryption protocol and algorithm used by the encryptor 44 must be supported by each virtual server agent 35 with which the virtual server client 30 will communicate. For example, if the virtual server client 30 supports SSL, the virtual server agent 35 must be able to support SSL for that protocol to be used. If the virtual server client 30 supports Kerberos, the virtual server agent 35 must also be able to support Kerberos for that protocol to be used.
[0082] The transmitter 46 uses a network interface protocol, such as TCP/IP or Ethernet, to send the abstract system call over a network to the virtual server agents 35. The transmitter transmits the same abstract system call to each target virtual server agent. In one embodiment, the transmitter 46 uses an IP address to determine to which of the target servers 15 an abstract system call should be sent. An IP address may be directly included in the abstract system call or may be inferred from a server identifier included in the abstract system call. The virtual server agent 35 accepts the abstract system call containing the IP address of the target server 15 associated with that virtual server agent 35. Once the virtual server agent 35 receives the abstract system call, the virtual server agent 35 processes the abstract system call for execution on the target server 15.
[0083] Referring to FIG. 3, each virtual server agent 35 includes software modules that implement its functionality. These modules include a receiver 50, which receives abstract system calls from the virtual server client 30, and transfers the abstract system calls to a decryptor module 52.
[0084] Before the user 10 can access the user's management system 20, the user 10 is authenticated to ensure that the user 10 is in fact the person he or she claims to be. The user 10 can be authenticated in many ways. In one embodiment, the user 10 is authenticated by the operating system of the management system 20 and the target servers 15 subsequently inherit the user's 10 identity. In another embodiment, SRP (Secure Remote Password) or PKI Cryptography (X.509 Certificates) is used to authenticate user 10. In yet another embodiment, the Kerberos 5 system can be used to authenticate the user 10 by assigning a unique private key to the user 10.
[0085] The source identifier module 52 identifies the source machine, e.g., the user's management system 20. The source identifier module 52 first determines the source machine through a network address (e.g., IP address) that was submitted to the virtual server agent 35 from the virtual server client 30 with the abstract system call and checks to see if the source host is authorized.
[0086] By identifying the source machine, the source module 52 determines the security protocols to be used by the virtual server agent 35 for encryption and decryption. In one embodiment, the virtual server agent 35 can support different security protocols. For example, the virtual server agent 35 can flexibly support either SSL or Kerberos based on the security protocol of the incoming data from the virtual server client 30. Next, the abstract system call is sent to a decryptor 54, which decrypts the abstract system call. From the decrypted abstract system call, the user identifier module 55 identifies the user 10 invoking the application programs 25 from the source machine and verifies that the user 10 is authorized to access the source machine.
[0087] After the user is identified by the user identifier 55, an identity mapper 56 and an impersonator 58 provide additional security measures as the user 10 tries to access the remote target servers 15 from the user's management system 20. The identity mapper 56 optionally maps the authenticated user (presented user) to another user (effective user) and locates a local user identity on the target server 15 that corresponds to the authenticated identity of the effective user. Through the impersonator 58, the user 10 is impersonated on a remote target server 15, so that if the effective user is identified and exists as a local user on the remote target server 15, the user 10 takes on the local identity of the effective user and the permissions provided by that identity on the remote target server 15. Thus, the user's 10 access to the remote target server 15 is further restricted to the appropriate levels provided by the permissions granted to the effective user's local identity on the remote server 15. For example, if the user 10 is authenticated as "Joe" on the management system 20 and mapped to an effective user "Jane", local permissions of "Jane" will be available to the user 10 on the remote target server 15. If "Jane" does not exist on the remote target server 15, then the user 10 will be given a guest account. In one embodiment, the combination of the presented user and the role, which is defined by Role Based Access Control (RBAC), is mapped to an effective user. For example, user "Joe" having the role of a junior administrator can be mapped to an effective user named "junior administrator." Another user "Bob" also having the role of a junior administrator can be mapped to the same effective user named "junior administrator."
[0088] The effective user's access for presented user 10 is further restricted by an authorizer 60, which permits the user 10 to perform predetermined actions or access predetermined resources on a particular target server 15. This is achieved by using Access Control Lists (ACLs) to manage the effective user's access to resources on the remote target servers 15. The ACL informs the operating systems of the remote target servers 15 of the access rights of the effective user on specific server resources, such as files or directories. For example, if the user 10 is mapped to the effective user "junior administrator", then the user 10 is only permitted to perform read-only commands on certain directories or files of a group of remote target servers 15 and cannot effect any changes to the target servers 15.
[0089] After the user is authorized, a translator 62 translates the abstract system call into a standard operating system call that is understandable and executable by the target server 15. The translator 62 examines the abstract system call and identifies a standard operating system specific system call that is analogous to the abstract system call and is supported by the operating system running the associated target server 15. Once the analogous standard system call is identified, the translator changes the abstract system call to the standard system call. This standard operating system call is forwarded to an executor 66 for execution on the target server 15.
[0090] Once the executor 66 receives a standard operating system call, the executor 66 performs the services that are requested by the standard system call. In one embodiment, the executor 66 is the operating system running on the target server 15. The operating system examines system calls and carries out the operations requested by the system call by, for example, communicating with other applications running on the target server 15.
[0091] An audit log 64 is maintained by each virtual server agent 35 to keep track of the names of the users and all the activities performed by each user, and to troubleshoot server changes and configuration errors. For example, the audit log 64 saves information about the activities requested and performed by authorized users, information about data, such as the system calls and the results of the system calls, that were transferred back and forth between the virtual server client 30 and the virtual server agent 35, as well as all parameters associated with the abstract system call. The content of the audit log 64 is then transmitted to a centralized aggregated log kept for all of the virtual server agents 35.
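The agent-side checks of paragraphs [0085] to [0091] (source host check, identity mapping, guest fallback, ACL authorization, translation, audit logging) can be modeled as follows. This is an added example, not code from the patent or from libnc; decryption is omitted, and the class names, the sample address, the sample ACL and every call pairing other than "ropen"/"open" are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import posixpath

GUEST = "guest"  # fallback account when the effective user is not a local user

# Only the ropen/open pairing is stated in the text; the others are assumed by analogy.
TRANSLATE = {"ropen": "open", "rread": "read", "rwrite": "write", "rchmod": "chmod"}


@dataclass(frozen=True)
class AbstractCall:
    name: str                   # abstract system call, e.g. "ropen"
    path: str                   # path on the target server
    source_ip: str              # address of the management system
    presented_user: str         # identity authenticated on the management system
    role: Optional[str] = None  # RBAC role, if any


@dataclass
class Agent:
    authorized_sources: set
    identity_map: dict          # (presented user, role) -> effective user
    local_users: set            # accounts that exist on the target server
    acl: dict                   # effective user -> [(path prefix, {allowed calls})]
    audit_log: list = field(default_factory=list)

    def effective_user(self, call):
        # Identity mapper: try user+role, then user alone, else keep the user.
        eff = self.identity_map.get((call.presented_user, call.role))
        if eff is None:
            eff = self.identity_map.get((call.presented_user, None),
                                        call.presented_user)
        # Impersonator: only an existing local account can be assumed.
        return eff if eff in self.local_users else GUEST

    def authorized(self, user, call_name, path):
        # Normalise first so "/etc/../root" cannot satisfy an "/etc" rule.
        norm = posixpath.normpath("/" + path.lstrip("/"))
        for prefix, calls in self.acl.get(user, []):
            base = prefix.rstrip("/")
            inside = norm == base or norm.startswith(base + "/")
            if inside and call_name in calls:
                return True
        return False  # default deny

    def handle(self, call):
        if call.source_ip not in self.authorized_sources:
            return self._record(call, None, False, "source host not authorized")
        user = self.effective_user(call)
        if call.name not in TRANSLATE:
            return self._record(call, user, False, "unknown abstract call")
        if not self.authorized(user, call.name, call.path):
            return self._record(call, user, False, "denied by ACL")
        # Translator: hand the OS-specific call name to the executor.
        return self._record(call, user, True, TRANSLATE[call.name])

    def _record(self, call, user, allowed, detail):
        entry = {"presented": call.presented_user, "effective": user,
                 "call": call.name, "path": call.path,
                 "allowed": allowed, "detail": detail}
        self.audit_log.append(entry)  # denials are logged as well as successes
        return entry


def demo_agent():
    # Constructed sample data following the "Joe"/"Bob"/"Jane" example in the text.
    return Agent(
        authorized_sources={"10.0.0.5"},
        identity_map={("Joe", "junior administrator"): "junior administrator",
                      ("Bob", "junior administrator"): "junior administrator",
                      ("Joe", None): "Jane"},
        local_users={"junior administrator", GUEST},
        acl={"junior administrator": [("/etc", {"ropen", "rread"})]},
    )
```

Two details matter in practice: the ACL match is made on the normalised path at a component boundary, and a mapped user with no local account ends up as guest with no ACL entries, so the default-deny branch applies.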
[0092] A first example of security measures incorporated in an embodiment of the virtual server implementation follows. First, the user 10 logs into the management system and is authenticated as "Joe" during the login process. This authentication process can be achieved by using a known network authentication server, such as NTLM, K5, AD, APM, NIS, etc., depending on the operating system running on the management system 20. After the user "Joe" is authenticated in the management system 20, the user "Joe" is authenticated for the target servers 15 by inheriting the user "Joe" identity through the management system 20.
[0093] Next, the user 10 enters an "ls" command, requesting a listing of files on the remote target server 15A, through the shell command program 25A on the management system 20. The shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30 to proceed with the user's 10 request. The virtual server client 30 examines the security configuration of the abstract system call and encrypts the system call using a shared secret key scheme with an encryption algorithm, such as DES, 3DES, or Blowfish. Once the abstract system call is encrypted, the system call is communicated across a network to the virtual server agent 35A of the target server 15A.
[0094] When the virtual server agent 35A receives the abstract system call, the target server's 15A agent 35A attempts to decrypt the message using the secret key shared with the virtual server client 30. The virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent examines the access control list to determine if the combination of the user "Joe" 10, target server 15A, and the abstract system call is allowed. If the combination is allowed, then the access control list is used to determine whether any further restrictions apply to the user's 10 access to the target server 15A. The virtual server agent 35A executes the system call in accordance with any security restrictions, and encrypts the results using the same shared secret key. The results of the "ls" command are sent back to the virtual server client 30, where they are decrypted and displayed to the user.
[0095] In a second example of security measures incorporated in an embodiment of the virtual server, the user 10 is authenticated using SRP or PKI Certificates. Once the user 10 is authenticated, the user 10 enters an "ls" command, requesting a listing of files on the remote server 15A, through the shell command program 25A on the management system 20. The shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30. The virtual server client 30 examines the security configuration of the abstract system call and encrypts the abstract system call using public key cryptography. Standard encryption algorithms, such as DES, 3DES, or Blowfish, may be used for exchange of a session key between the virtual server client 30 and the target server agent 35A to establish a communication session between them.
[0096] After decrypting the abstract system call received by the virtual server agent 35A, the virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent 35A examines the ACL to determine if the combination of the user 10, target server 15A, and the abstract system call is allowed. If the combination is allowed, then the access control list is used to determine whether any further restrictions apply to the user's 10 access to the target server 15A. The virtual server agent 35A executes the system call in accordance with any security restrictions, and encrypts the results using the established session key. The results of the "ls" command are then sent back to the virtual server client 30, where they are decrypted and displayed to the user.
[0097] A third example of security measures incorporated in an embodiment of the virtual server implementation follows. If the management system 20 has an existing Kerberos 5 (K5) infrastructure in place, the user 10 can be authenticated by entering a Kerberos password to the management system 20. Once the user 10 is logged in as the authenticated user "Joe," the user 10 enters the "ls" command, requesting a listing of files on the remote target server 15A, through the shell command program 25A on the management system 20. The shell command program 25A generates an abstract system call in response to the command and sends the abstract system call to the virtual server client 30 to proceed with the user's 10 request. The virtual server client 30 then sends the abstract system call and a Kerberos ticket, which is retrieved from a Kerberos Domain Controller (KDC), to the virtual server agent 35A.
[0098] After the virtual server agent 35A receives the abstract system call and the ticket, the virtual server agent 35A validates the abstract system call by verifying the ticket via the KDC. Once validated, the virtual server agent 35A checks to see if the user "Joe" is recognized as a local user on the target server 15A through an effective user. If the user "Joe" is recognized as a local user, then the virtual server agent examines the ACL to determine if the combination of the user "Joe" 10, target server 15A, and the abstract system call is allowed. If the combination is allowed, then the access control list is used to determine whether any further restrictions apply to the user's 10 access to the target server 15A. The virtual server agent 35A executes the system call in accordance with any security restrictions, and encrypts the results using a Kerberos key. The results of the "ls" command are sent back to the virtual server client 30, where they are decrypted and displayed to the user.
[0099] Referring now to FIG. 4, a method for managing multiple servers as a single virtual server is described. First, in step 400, the system represents multiple servers as a single virtual server. Next, in step 410, based on a user's request for operations to be performed on target servers, the virtual server client 30 receives an abstract system call from an application program 25. Finally, in step 420, the virtual server client instantiates the abstract system calls and sends the abstract system call to the virtual server agents 35 for execution.
[0100] FIG. 5 shows steps involved in instantiating an abstract system call. First, in step 422, the virtual server client 30 identifies the target servers 15 through target server identifiers provided within the abstract system call. Once the target servers are identified, in step 424, the abstract system call is transmitted to the virtual server agents associated with the identified target servers. The virtual server agents 35 prepare the abstract system call for the target servers 15, so that the abstract system call can be executed on the target servers 15. For example, for the target server 15A, the abstract system calls are translated into standard Windows NT/W2K specific system calls that are executable by the operating system running on the target server 15A. Upon completion of execution of the system call, in step 426, the virtual server client 30 receives the results of the execution from the virtual server agents 35.
[0101] In one embodiment, multiple commands generate multiple system calls, which can be aggregated into a single high-level abstract system call by an application program 25. For example, if two commands, such as copy and change permission commands, are to be made to a target server 15A, the abstract system calls carrying out these commands, such as ropen, rread, rwrite, and rchmod system calls, can be aggregated into one high-level abstract system call. When received by the virtual server client 30, the virtual server client 30 can disintegrate the high-level abstract system call into the original abstract system calls and transmit the abstract system calls separately to virtual server agent 35. In another embodiment, instead of disintegrating the high-level system call into the original abstract system calls at the virtual server client 30, the high-level abstract system call is received by a virtual server agent 35, which in turn translates the high-level abstract system call into separate operating system specific system calls to be executed on the target server 15.
[0102] FIG. 6 is a screenshot showing a command being issued to multiple servers through the management system 20. As shown here, server names used as parameters for commands are preceded by two slashes to distinguish them from a path name, which is generally separated by a slash. For example, "//redhatbiz1/etc" specifies the /etc path on the server named "redhatbiz1." Thus, as seen in the screenshot, to compare the "/etc/hosts" file on two different servers, one named "redhatbiz1," and the other named "redhatbiz2," the user 10 enters the command "diff //redhatbiz1/etc/hosts //redhatbiz2/etc/hosts."
[0103] Referring back to FIG. 1, in an alternative embodiment, the user 10 manages the target servers 15 by executing and undoing distributed server change operations across the target servers 15 in a transaction-safe manner, using the virtual server implementation described above. Distributed server change operations request the operating systems of the target servers 15 to update, delete, install, and/or copy server assets and/or configuration file entries of the target servers 15. Transaction-safe server change operations ensure that all of the required steps of each server change operation are completed before the distributed server change operations are deemed completed. Further, if an error occurs while performing the required steps on the target servers 15, any changes made from these steps are undone, and values of the target servers' 15 assets and/or configuration entries are returned to the values they had before execution of the server change operations. In one embodiment, the application programs 25 can generate a transaction package that bundles an instruction set and necessary server contents for the operating system of each of the target servers 15 to carry out the server change operations.
[0104] Referring to FIG. 7, in one embodiment, the configuration manager 25B generates a transaction package 700 that includes files or configuration file entries 705 (together referred to as server objects), a parameter file 710, and an instruction set 715 to carry out the server change operations on one or more target servers 15 that are specified by an external file, as requested by the configuration manager 25B.
[0105] In one embodiment, the instruction set 715 includes an execution sequence of the server change operations provided for the operating systems of the target servers 15 that carry out the server change operations. If this information is not provided in the instruction set 715 in the transaction package 700, an external dependency graph 720 is accessed to provide an execution sequence of the server change operations. For example, the external dependency graph 720 can provide information about directional relationships between server objects. In particular, if NT-based program A is a prerequisite for another NT-based program B, to successfully execute programs A and B, program A must start before program B and program B must stop before program A. Although the sequence information is used to order the sequence of change operations for the server objects that are specified in the transaction package, the sequence information is also used to add implied server object change operations for related server objects, such as server objects that depend on and/or depend from these specified server objects, that are not specified in the transaction package. In particular, continuing from the previous example, if the only change instruction provided in a transaction package is to stop program A, the sequence information adds the implied instruction to stop program B and then stop program A based on the directional relationship between programs A and B. Thus, the sequence information from the dependency graph determines the sequences of server change operations to be performed not only on the specified server objects, but also on their related server objects. If an error occurs while performing the server change operations, the sequence information also causes the server change operations to stop and to be reversed not only on the specified servers, but also on the related server objects.
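The implied-operation rule of paragraph [0105] can be made concrete with a small planner. The following Python is an added example, not code from the patent or from BladeLogic: the class and function names are hypothetical, and it generalizes the A/B case in the text to arbitrary prerequisite graphs, including the assumption that starting an object implies starting its prerequisites first.

```python
from collections import defaultdict


class DependencyGraph:
    """Directional prerequisite relationships between server objects."""

    def __init__(self, prerequisites):
        # prerequisites maps an object to the objects it requires,
        # e.g. {"B": ["A"]} means program A is a prerequisite for program B.
        self.requires = {obj: list(reqs) for obj, reqs in prerequisites.items()}
        self.required_by = defaultdict(list)
        for obj, reqs in self.requires.items():
            for req in reqs:
                self.required_by[req].append(obj)

    def closure(self, roots, edges):
        """Post-order walk: every neighbour is emitted before the node itself."""
        order, state = [], {}

        def visit(node, path):
            if state.get(node) == "done":
                return
            if state.get(node) == "open":
                # A cycle has no valid execution sequence, so refuse to plan.
                raise ValueError("dependency cycle: " + " -> ".join(path + [node]))
            state[node] = "open"
            for nxt in sorted(edges.get(node, [])):
                visit(nxt, path + [node])
            state[node] = "done"
            order.append(node)

        for root in roots:
            visit(root, [])
        return order

    def plan(self, action, targets):
        """Expand the requested operation with its implied operations, in order."""
        if action == "stop":
            # Dependents must stop before the object they depend on.
            objects = self.closure(targets, self.required_by)
        elif action == "start":
            # Assumption: prerequisites are started before their dependents.
            objects = self.closure(targets, self.requires)
        else:
            raise ValueError(f"unsupported action: {action}")
        return [(action, obj) for obj in objects]


def reverse_plan(completed):
    """Undo the completed steps in reverse order, related objects included."""
    inverse = {"stop": "start", "start": "stop"}
    return [(inverse[action], obj) for action, obj in reversed(completed)]


# The case from the text: A is a prerequisite for B.
PAGE_GRAPH = DependencyGraph({"B": ["A"]})
# A constructed larger graph: C requires B, B requires A, D requires A.
LARGER_GRAPH = DependencyGraph({"B": ["A"], "C": ["B"], "D": ["A"]})

if __name__ == "__main__":
    print(PAGE_GRAPH.plan("stop", ["A"]))
    print(LARGER_GRAPH.plan("stop", ["A"]))
    print(reverse_plan(LARGER_GRAPH.plan("stop", ["A"])[:2]))
```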
[0106] As described above, if the instruction set 715 provides the sequence information for the server change operations, the instruction set 715 overrides the sequence information provided by the dependency graph 720. Similar to the sequence information provided by the dependency graph 720, the instruction set 715 provides the information related to the order in which the server change operations should be performed. The related server objects of the specified server objects are provided, so that the server change operations can effect changes on the related server objects, as well as the specified server objects. The instruction set 715 also provides dependency information between types of servers. For example, if an application server depends on a database server, the sequence information provided in the instruction set 715 will instruct the execution of the database server change operations before the execution of the application server change operations.

[0107] In one embodiment, the instruction set 715 specifies server change operations to occur on any of the four types of server objects 705: primitive server objects, compound server objects, abstract configuration server objects, and component server objects. A primitive server object is an elemental server object that serves as a basis for all other types of server objects. For example, for Linux-based servers, primitive server objects include, but are not limited to, files, directories, Redhat Package Manager files, and configuration file entries for text configuration files, such as the "inetd.conf" file. For Solaris-based servers, primitive server objects include, but are not limited to, files, directories, packages, patches, and configuration file entries for configuration files, such as the "inetd.conf" file. For MS NT or W2K-based servers, primitive server objects include, but are not limited to, files, file ACLs, directories, directory ACLs, application programs, hot fixes, registry entries, registry entry ACLs, COM/COM+ (component object model) catalog entries, Metabase entries, users, accounts, and configuration file entries for all configuration files, such as ".ini" files.

[0108] A compound server object is a server object containing primitive server objects and other related compound server objects. For example, an extended component object model (COM+) object, an NT or W2K-based compound server object, contains primitive server objects, such as a COM+ catalog entry, NT registry entries, and DLL files. In yet another example, an Enterprise JavaBeans (EJB) object, a compound server object, contains primitive server objects including a Java Archive (JAR) file and multiple configuration file entries. In another example, a server process is a compound server object, containing primitive server objects, such as configuration file entries (e.g., a permission entry, a priority entry, a control signal entry), files, and executables.

[0109] An abstract configuration server object is a special type of a primitive server object that represents an entry in a configuration file via a corresponding entry in an abstract configuration file, where mapping of a configuration file to a common abstract configuration format is provided by a configuration file-specific grammar. For example, in the MS NT/W2K environment, configuration file entries are stored in ".ini" files or XML configuration files. In the UNIX environment, configuration file entries are stored in text files such as "inetd.conf" or "httpd.conf" files, or XML configuration files.
[0110] To reconcile the difference between the configuration file entry formats across different servers, a common abstract configuration format is provided by normalizing configuration file entries through a supported configuration file-specific grammar. By modeling each configuration file entry as an abstract configuration file entry through this normalization process, server change operations may be made based on the normalized abstract configuration file entries. The change operations requested by the abstract configuration file entries are performed, and the changes are then communicated to the actual configuration file entries. Thus, in this embodiment, configuration file entries can be individually managed through use of abstract configuration file entries, without having to change the entire configuration file each time a server change operation changes an individual entry. Configuration file-specific grammars may be provided for numerous systems, including Solaris, Linux, NT4/W2K, Apache, Web Logic, and Web Sphere.
[0111] A component server object is a sequenced collection of server objects. For example, an NT Service Pack is a sequenced collection of NT Hot Fixes to be applied in a predefined order. Accordingly, a collection of predefined related change operations can be effected in order through a component server.
[0112] In addition to the constituencies of the instruction set 715 described above, the instruction set 715 specifies the server change operations to be made across the target servers 15 on a collection of predetermined server objects by communicating with the server objects (e.g., files or configuration file entries 705), the dependency graph 720, and the parameter file 710. Server change operations can be used to deploy or copy files, directories, and software packages to the target servers 15. Change operations can also be used to edit configuration file entries 705 without having to log into each target server 15. In one embodiment, the instruction set 715 provides the information needed by the target servers 15 and their associated virtual server agents 35 to carry out the server change operations. In one embodiment, the instruction set 715 provides a transaction context that is identified by begin-transaction and end-transaction statements encapsulating the server object change operations. After the begin-transaction statement is made, the instruction set provides the necessary information to perform the change operations requested by the application programs 25.

[0113] The instruction set 715 also provides error-handling instructions for the target servers and their associated virtual server agents. In one embodiment, several types of errors are available. Soft errors are available to alert the target servers and their virtual server agents of a likelihood of occurrence of an error during server change operations. Because no actual error has occurred, the user 10 may ignore the soft errors and continue with the execution of the server change operations. Alternatively, the user 10 may instruct the virtual server agents to explicitly undo all the changes made from the execution of the server change operations after reviewing the error information returned by the soft errors.
[0114] Hard errors are available to notify the virtual server agents of an occurrence of an error during the performance of server change operations on the target servers. In one embodiment, the hard errors can be programmed to automatically trigger undo operations to undo any of the changes made during the execution of the server change operations. In another embodiment, the hard errors can be programmed to abort the execution of the remainder of transaction package change operations. The hard errors are triggered by error conditions set forth in the instruction set 715. These error conditions specify that if certain conditions occur, the hard errors should be sent to the target servers and their associated virtual server agents.
[0115] The instruction set 715 also includes prerequisite information for the instructions. An example of this prerequisite information can include, but is not limited to, the minimum set of change operation instructions that must be specified in a transaction package for its successful execution. For example, to successfully add a COM+ component on the target servers, instructions for adding the COM+ entry in the catalog, the corresponding Registry entry, and the corresponding DLL file must be specified in the transaction package. Another example of the prerequisite information can include types of permissions needed to carry out the change operations, minimum disk space required by the target servers 15, and the type of operating system required. In addition, the prerequisite information can also include implicit instructions for hierarchical server objects. For example, to add a file in the target servers, the parent directory for the file should exist in the target servers, so that the file can be created under the specified parent directory in these servers.

[0116] In one embodiment, the instruction set 715 defines the changes that need to be made on the server objects by using named parameters, and later replacing the parameters with actual values obtained from a parameter file 710. The virtual server agents 35 receive the transaction package 700 on behalf of their associated target servers 15, and replace the named parameters with values obtained from the parameter file 710. These named parameters are particularly useful when performing server change operations on server objects that are directed to multiple target servers 15, because the named parameter representing the identity of each target server can be replaced with the actual server identifiers by the virtual server agents 35. For example, named parameters of an instruction can reference a path name for a target server 15 that includes a host name or an IP address of the target server 15. These parameters are replaced with actual server identifiers for each target server 15, as provided in the parameter file(s) 710.

[0117] In one embodiment, the parameter file 710 can be either a global parameter file or a host-specific parameter file. A global parameter file contains parameters that are configured by the user 10, thus the identical global parameter file is passed to all target servers 15. A host-specific parameter file contains parameters that are specific to each of the target servers 15, thus the host-specific parameter file is different for each of the target servers 15. Parameter values contained in the global parameter file are useful when copying the same server object to the same destination on multiple target servers 15. Examples of this type of parameter are the user's name and password. For parameter values contained in the host-specific parameter file, the parameter values are resolved by each of the target servers 15. Examples of these parameters are host names and path names of the target servers 15. In addition, there are intrinsic parameters that are resolved through host environment variables on the target server. In one embodiment, one or more parameter files 710 are associated with one or more target servers. For example, for a Windows-based target server, "windir" and IP address are examples of host environment variables that can be used to resolve intrinsic parameters associated with one or more target servers and passed via the transaction package 700.

[0118] Referring to FIGS. 1 and 7, in one embodiment, instead of using abstract system calls to carry out server change operations generated by the application programs 25, a transaction package 700 can be used to carry out these change operations using an XML-based instruction set 715. To accommodate both system call level commands and XML-based instruction sets, each virtual server agent 35 is divided into two parts. One part of the virtual server agent 35 is an XML API that can interpret the XML-based instruction set 715 contained in the transaction package 700, and the other part of the virtual server agent 35 is a system call API that can interpret abstract system calls. Thus, when a virtual server agent 35 receives an XML-based transaction package 700 through the virtual server client 30, the XML-based instruction set 715 in the transaction package 700 can be interpreted via the XML API. In an alternative embodiment, the transaction package 700 can be implemented with a text-based instruction set 715. The commands of the text-based instruction set 715 are translated into abstract system calls that are in turn interpreted by the system call API.
[0119] Below is an example of an XML-based transaction package, named "Package_1.XML," specifying a prerequisite, transaction context, compound server object, sequence, and error handling information using an XML-based instruction set 715.

Package_1.XML

<blpackage schema-version="2.0" created-date="02/12/03" modified-date="02/22/02" revision="23">
  <name> name of the blpackage </name>
  <description> description of the package </description>
  <source type="host">web-demo1</source>
  <!-- default parameters -->
  <param name="$APP_PATH">c:\program files\app</param>
  <param-file>foo.params</param-file>
  <applies-to>
    <condition>
      <os>"$(os) = Windows"</os>
      <os-version>$(os-version) > 5</os-version>
      <service-pack>2</service-pack>
    </condition>
  </applies-to>
  <!-- requires the following items before we deploy this package -->
  <depends>
    <condition>
      <application>SQL server</application>
      <version>$(version) = 8.0</version>
    </condition>
  </depends>
  <!-- failure conditions if the following exit on target -->
  <FailIf>
    <ErrorLevel <4 />
  </FailIf>
  <transaction id="0">
    <command id="1005" undo="net start w3svc">net stop w3svc</command>
    <service action="add" refid="1003" key="RSCDsvc">
      <depends>
        <file refid="1002"/>
      </depends>
    </service>
    <command id="1006" undo="net stop w3svc">net start w3svc</command>
    <file action="add" key="%WINDIR%ado.dll" refid="1001"/>
    <file action="add" key="%WINDIR%/System32/svchost.exe" refid="1002"/>
    <assets>
      <file id="1001">
        <name>ado.dll</name>
        <source>0</source>
        <attributes>2</attributes>
        <created-date>02/12/03</created-date>
        <modified-date>02/22/03</modified-date>
        <owner></owner>
        <group>0</group>
        <acl key="%WINDIR%ado.dll" owner="BUILTIN\Administrators">
          <ace action="add" id="1313">web admins</ace>
          <acemode>0</acemode>
          <aceflags>3</aceflags>
          <acemask>1179817</acemask>
          <ace action="add" id="1314">dbas</ace>
          <acemode>1</acemode>
          <aceflags>3</aceflags>
          <acemask>2032127</acemask>
        </acl>
      </file>
      <file id="1002">
        <name>svchost.exe</name>
        <source>0</source>
        <attributes>2</attributes>
        <created-date>02/12/03</created-date>
        <modified-date>02/22/03</modified-date>
        <owner></owner>
        <group>0</group>
        <acl key="%WINDIR%ado.dll" owner="BUILTIN\Administrators">
          <ace action="add" id="1313">web admins</ace>
          <acemode>0</acemode>
          <aceflags>3</aceflags>
          <acemask>1179817</acemask>
          <ace action="add" id="1314">dbas</ace>
          <acemode>1</acemode>
          <aceflags>3</aceflags>
          <acemask>2032127</acemask>
        </acl>
      </file>
      <service id="1003" name="RSCDsvc">
        <binary_path>%WINDIR%/System32/svchost.exe</binary_path>
        <name>RSCDsvc</name>
        <description></description>
        <state>Stopped</state>
        <runas>
          <userid>$Token1</userid>
          <pwd>$Token2</pwd>
        </runas>
      </service>
    </assets>
  </transaction>
</blpackage>

The parameter file foo.params contains:

$TOKEN1 as a parameter that corresponds to user id - "R2D2\web-admins"
$TOKEN2 as a parameter to password for R2D2\web-admins - "c3-po"
[0120] In this example, the <blpackage schema> tag denotes the beginning of the instruction set 715. The <name>, <description> and <source type> tags respectively provide the package name, the description, and the source server from which the package was created, in this example "web-demo1". The <param> tag is used to specify the location, in this example "c:\program files\app", of parameters having the name "$APP_PATH" within the package 700, while the <param-file> tag is used to specify an external parameter file 710 called "foo.params". In the prerequisite section, which is introduced with the <applies-to> tag, the MS Windows operating system, version greater than 5 and with service pack 2, is specified as a prerequisite to carry out this instruction set. Also in the prerequisite section, the <depends> tag indicates that SQL Server, version 8, is a prerequisite for the package. The error handling information, which is introduced with the <FailIf> tag, specifies that the server operations should fail if the error level falls below 4.
[0121] The <transaction id="0"> tag introduces the set of change operations requested, and any dependency information for the specified server change operations. The execution sequence information for the server change operations is provided under the <depends> tag. In this example, the operations listed in the package (stop w3svc, add service RSCDsvc, start w3svc, add file ado.dll, and add file svchost.exe) would occur in the following order: stop w3svc, add file svchost.exe, add service RSCDsvc, start w3svc, and add file ado.dll.

[0122] The server assets that are being affected by the server change operations are specified under the <assets> tag. This example has three assets - two files, id=1001 and id=1002, and one service, id=1003. Each file has a corresponding nested File ACL having the <acl key> tags.

[0123] The parameter file 710, "foo.params", has two parameters that are used in the transaction package 700, named "$TOKEN1" and "$TOKEN2". Instead of passing physical values directed to each target server, the named parameters are sent, and are resolved by the parameter file 710 when the parameter file 710 substitutes the actual values that are specific for each target server 15 for the named parameters. As shown in this example, these values can be a path for a collection of server objects (e.g., files), a user name, or a password. In this example, the first parameter, $TOKEN1, corresponds to the user name "R2D2\web-admins", and the parameter $TOKEN2 corresponds to the password "c3-po."
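The ordering stated in paragraph [0121] and the undo attributes carried by the package's <command> elements can be exercised together. The following Python is an added example, not code from the patent or from BladeLogic: it parses a constructed, well-formed excerpt of the Package_1.XML transaction, moves each <depends> target ahead of its dependent, and replays undo entries in reverse when a simulated hard error occurs. The function names, the "delete" inverse for "add" operations, and the executor callback are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, well-formed excerpt of the <transaction> element of Package_1.XML.
PACKAGE = """
<transaction id="0">
  <command id="1005" undo="net start w3svc">net stop w3svc</command>
  <service action="add" refid="1003" key="RSCDsvc">
    <depends><file refid="1002"/></depends>
  </service>
  <command id="1006" undo="net stop w3svc">net start w3svc</command>
  <file action="add" key="%WINDIR%ado.dll" refid="1001"/>
  <file action="add" key="%WINDIR%/System32/svchost.exe" refid="1002"/>
</transaction>
"""


def parse_operations(xml_text):
    """Return the change operations in document order."""
    ops = []
    for el in ET.fromstring(xml_text.strip()):
        if el.tag == "command":
            ops.append({"ref": el.get("id"), "do": el.text.strip(),
                        "undo": el.get("undo"), "needs": []})
        elif el.tag in ("file", "service") and el.get("action") == "add":
            target = f"{el.tag} {el.get('key')}"
            needs = [d.get("refid") for dep in el.findall("depends") for d in dep]
            # Assumption: the inverse of "add" is "delete" on the same key.
            ops.append({"ref": el.get("refid"), "do": "add " + target,
                        "undo": "delete " + target, "needs": needs})
    return ops


def sequence(ops):
    """Keep document order, but run every <depends> target before its dependent."""
    by_ref = {op["ref"]: op for op in ops}
    ordered, state = [], {}

    def emit(op, chain):
        ref = op["ref"]
        if state.get(ref) == "done":
            return
        if state.get(ref) == "open":
            raise ValueError("dependency cycle: " + " -> ".join(chain + [ref]))
        state[ref] = "open"
        for need in op["needs"]:
            if need not in by_ref:
                # Unresolved dependency: reject the package before any change is made.
                raise ValueError(f"operation {ref} depends on missing refid {need}")
            emit(by_ref[need], chain + [ref])
        state[ref] = "done"
        ordered.append(op)

    for op in ops:
        emit(op, [])
    return ordered


def run_transaction(ordered, execute):
    """Execute in order; on a hard error replay the undo log in reverse."""
    undo_log = []
    for op in ordered:
        # The undo entry is written before the operation runs, so a step that
        # fails part-way through is also reversed.
        undo_log.append(op["undo"])
        try:
            execute(op["do"])
        except Exception as err:
            undone, undo_failures = [], []
            for undo in reversed(undo_log):
                try:
                    execute(undo)
                    undone.append(undo)
                except Exception as undo_err:
                    undo_failures.append((undo, str(undo_err)))
            return {"status": "rolled-back", "failed": op["do"], "error": str(err),
                    "undone": undone, "undo_failures": undo_failures}
    return {"status": "committed", "undone": [], "undo_failures": []}


def make_executor(fail_on=None):
    """Simulated executor: records each command and fails on one of them."""
    calls = []

    def execute(command):
        calls.append(command)
        if command == fail_on:
            raise RuntimeError("hard error")
    return execute, calls


if __name__ == "__main__":
    plan = sequence(parse_operations(PACKAGE))
    print([op["do"] for op in plan])
    print(run_transaction(plan, make_executor(fail_on="add service RSCDsvc")[0]))
```

A production undo log would record the prior value of each server object rather than a fixed inverse command, since the text requires values to return to what they were before execution.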
[0124] In one embodiment, multiple transaction packages can be aggregated into a transaction project 725. The transaction project 725 coordinates the transaction packages 700 and their server change operations, so that each server change operation can be executed in a transaction-safe manner. Below is an example of an XML transaction project 725 containing a transaction package named "BLPkg_web.XML," directed to six web servers, a transaction package named "BLPkg_app.XML," directed to two application servers, and a transaction package named "BLPkg_db.XML," directed to two database servers:

<PROJECT>
  <BLPkg>
    <Name>BLPkg_web.XML</Name>
    <Hosts>Web Server1</Hosts>
    <Hosts>Web Server2</Hosts>
    <Hosts>Web Server3</Hosts>
    <Hosts>Web Server4</Hosts>
    <Hosts>Web Server5</Hosts>
    <Hosts>Web Server6</Hosts>
  </BLPkg>
  <BLPkg>
    <Name>BLPkg_app.XML</Name>
    <Hosts>App Server1</Hosts>
    <Hosts>App Server2</Hosts>
  </BLPkg>
  <BLPkg>
    <Name>BLPkg_db.XML</Name>
    <Hosts>Db Server1</Hosts>
    <Hosts>Db Server2</Hosts>
  </BLPkg>
</PROJECT>
[0125] In this example, first, the package "BLPkg_web.XML" is to be executed on six web servers named Web Server1 through Web Server6, the package "BLPkg_app.XML" is to be executed on two application servers, and the package "BLPkg_db.XML" is to be executed on two database servers.
[0126] The configuration manager 25B, or any of the application programs 25, prepares the transaction package 700 and instructs the virtual server client 30 to pass the package 700 to the virtual server agents 35 associated with the target servers. After receiving the transaction package 700, the virtual server agents 35 unpack the package 700 and execute the operations on their associated target servers 15. A method for achieving this is shown in FIG. 8.

[0127] In step 800, the configuration manager 25B checks the prerequisite information of the requested change operations. Examples of the prerequisite information include checks related to integrity and completeness of the package, such as prompting for user name and password if required, making sure simple dependencies are resolved, and making sure the corresponding files are in the package.
[0128] After the prerequisites are checked in step 800, in step 810, the configuration manager 25B checks for the sequence information setting forth the execution order of the requested change operations in the package's instruction set 715. If the sequence information is not provided in the instruction set 715, the configuration manager 25B accesses the external dependency graph 720 to obtain the sequence information. After completion of step 810, in step 815, the configuration manager 25B transfers the package 700 and the associated files and parameter files to the virtual server agents 35 via the virtual server client 30.

[0129] In one embodiment, the virtual server agent 35 receives the completed transaction package 700 via the virtual server client 30. On the virtual server agent 35, in step 820, the named parameters are substituted with actual values. The virtual server agent 35 then executes the server change operations specified in the transaction package for its associated target server 15. In another embodiment, instead of transporting the completed transaction package 700, the virtual server client 30 may transport only the parameter file 710 and the instruction set 715, without the actual files or any of the server objects, to the virtual server agent 35, in case the user 10 optionally elects to proceed with a dry run. The dry run provides an additional set of tests to see if the instruction set 715 can be carried out by the recipient virtual server agent 35 before making any changes on the target server 15. After the virtual server agent 35 receives a partial transaction package 700 from the virtual server client 30, in step 820, the parameters are substituted with actual values as provided in the parameter file 710. After completing the dry run, the configuration manager 25B can transfer the entire package 700 to the virtual server agents 35 via the virtual server client 30 for actual execution.
[0130] Before executing the operations on each target server 15, in step 835, the agent updates an undo log. The undo log, which is maintained for each target server, records the executed operations, and tracks the changes made by these operations, so that if an error occurs while executing the server change operations, the operations can be undone as recorded in the undo log. This can be achieved by tracing back the steps performed during the server change operations using the undo log records. In one embodiment, the undo log is identical in structure to the transaction package, but with the parameter files arranged in reverse order and the change operations recorded in reverse order. Finally, in step 840, the server change operations are executed on the target servers 15.

[0131] Referring now to FIG. 9, a method for executing and undoing server change operations in a transaction-safe manner is described. In step 900, one or more application programs 25 generate and specify change operations using a transaction package 700. Different types of server objects and corresponding target servers 15 are supported through the instruction set provided in the transaction package 700. Next, in step 910, the application program specifies the target server(s) to which the server change operations are directed. In step 920, the application program specifies the parameter file that provides parameters and their corresponding values defined for each of the target servers, and places this information in the transaction package 700. In step 930, the server client 30 sends the server change operation from the application program 25 to the virtual server agents 35 on the target servers 15. In step 940, the target servers 15 execute the server change operations in a transaction-safe manner.

Configuration Manager
[0132] Referring now to FIG. 10, the configuration manager 25B is an exemplary application program 25 that tracks changes and compliance and configures target servers by generating and deploying a transaction package 700. The configuration manager 25B provides a method and system for configuring different servers using a variety of software modules, such as a browser 1000, a template 1010, a recorder 1020, a reference model 1030, a comparator 1040, and a corrector 1050.

[0133] The browser 1000 browses server objects in different servers in real time, to examine the current configuration of the server objects contained inside of the servers 15. First, the user selects a server he/she wishes to browse. Through browsing, a collection of server object identifiers that identify each server object are selected and entered into the template 1010. Alternatively, instead of building the template 1010 from browsing, the template 1010 may be imported from an external vendor. The template 1010 may also be created by including one or more previously defined templates. In one embodiment, the template 1010 is an abstract template that identifies server objects contained in a server. For example, if an Apache server contains files and configuration file entries, an Apache server template 1010 contains identifiers that are sufficient to identify the files and configuration file entries of the Apache server. After identifying server objects on the template 1010, values of these identified server objects are recorded to configure servers on the network.

[0134] In one embodiment, the recorder 1020 takes a snapshot of values (e.g., attributes) associated with a collection of server objects. In another embodiment, the recorder 1020 takes a snapshot of values of the server objects identified in the template 1010. The values may come from any of the servers browsed by the browser. Alternatively, the values may come from a selected server, also referred to as a gold server. Examples of the values (or attributes) of files recorded in the snapshots include, but are not limited to, file names, sizes, permissions, owners, creation dates, modification dates, and versions. Examples of directory attributes (or values) recorded in snapshots are directory locations, permissions, creation dates, and modification dates. Examples of registry entry attributes recorded in snapshots are field names and corresponding values.
[0135] In one embodiment, the recorded values or snapshot results of the gold server are used to derive baseline values and compliance ranges in the reference model 1030. In another embodiment, instead of creating the reference model, the snapshot results can be directly used to track changes, configure existing servers and provision new servers on the network. Snapshot results record a configuration of a server at a point in time, thus they cannot be changed. However, the reference model 1030 can be edited to represent the reference implementation for compliance or provisioning purposes.
[0136] For example, when the snapshots of the gold server are taken by the recorder 1020, the values collected in the snapshots are saved in the reference model 1030. Based on the values of the gold server, the reference model 1030 can provide information, such as baseline values and compliance ranges, for use by other servers in the network to identify their drift in comparison to the gold server. The baseline values provide a basis for configuration of other servers. The compliance ranges are ranges of configuration values that are acceptable for other servers to be in compliance. As an alternative to creating a reference model 1030, the reference model 1030 may be an imported reference model that was created by an external vendor. Also, the reference model 1030 may include one or more previously defined reference models. Subsequently, the comparator 1040 compares a server to the reference model 1030 to track changes and track compliance in the server.
[0137] In another example, a snapshot of a current configuration of a server captured at an arbitrary point in time can be compared against a live-version of the captured server to track changes in the captured server. The configuration of a server can include explicitly selected server objects that are on the server or implicitly selected server objects provided through the template 1010.
[0138] In yet another example, the snapshot results of recurring snapshots of a server taken at scheduled time intervals (e.g., daily, weekly, etc.) can be used to track changes in the captured server. In this example, the first snapshot of the server serves as a baseline, so that for subsequent snapshots, only the changes against the baseline are saved in the snapshot results. Thus, any snapshot result taken during these time intervals can be reconstructed to view its entire configuration and content by combining the baseline with the incremental changes saved in the snapshot result. Moreover, the incremental changes show the changes that occurred in the configuration of the server over a period of time, so that the user can analyze the changes of this particular server. Subsequently, the comparator 1040 compares a live-version of the server to the baseline snapshot to track and save only changes on the server.
[0139] In one embodiment, two live servers can be compared against each other without the snapshots or the reference model 1030, on an ad-hoc basis. In this embodiment, the user 10 may explicitly select server objects that are commonly shared between the two live servers so that the comparator 1040 can compare the values of the server objects between these servers. In another example of this embodiment, the comparator 1040 compares the values of the server objects that are implicitly provided by the template 1010.
[0140] After comparing the servers and identifying the discrepancies present in the compared servers, the corrector 1050 corrects the discrepancies in each target server. The corrector 1050 examines the discrepancies and generates server change operations that request services from the operating systems running on the target servers to correct these discrepancies. As described previously, server change operations can be presented to the servers as a transaction package 700 to remove discrepancies and synchronize the target servers to the reference model 1030 in a transaction-safe manner. Similarly, in one embodiment, configuration updates to the target servers can be made by the transaction package 700. In particular, the configuration manager 25B first makes all the updates to the reference model 1030, which then packages the discrepancies (introduced in the reference model) as updates in the transaction package 700. The transaction package 700 is propagated to the target servers to synchronize them to the updated reference model 1030.
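The snapshot, reference model, comparator and corrector of paragraphs [0134] to [0140], including the incremental snapshots of [0138], can be sketched in a few functions. This is an added example, not code from the patent or from any product; the object identifiers, sample values, the `ABSENT` marker and all function names are assumptions, and server state is modelled as in-memory dictionaries.

```python
from types import MappingProxyType

ABSENT = "<absent>"  # assumed marker for a server object missing from a server

# Constructed sample data: the template lists server object identifiers.
TEMPLATE = ["httpd.conf:MaxClients", "httpd.conf:KeepAlive",
            "/etc/httpd/conf/httpd.conf:mode", "/var/www/html/.htaccess:mode"]
GOLD = {"httpd.conf:MaxClients": 150, "httpd.conf:KeepAlive": "On",
        "/etc/httpd/conf/httpd.conf:mode": "0644",
        "/var/www/html/.htaccess:mode": "0640"}
WEB2 = {"httpd.conf:MaxClients": 200, "httpd.conf:KeepAlive": "Off",
        "/etc/httpd/conf/httpd.conf:mode": "0666"}  # .htaccess is missing


def take_snapshot(server, template):
    """Recorder: values of the template's objects, returned read-only."""
    return MappingProxyType({oid: server.get(oid, ABSENT) for oid in template})


class ReferenceModel:
    """Editable baseline values plus optional compliance ranges."""

    def __init__(self, snapshot):
        self.baseline = dict(snapshot)
        self.ranges = {}  # oid -> (low, high), inclusive

    def allows(self, oid, value):
        if oid in self.ranges and isinstance(value, (int, float)):
            low, high = self.ranges[oid]
            return low <= value <= high
        return value == self.baseline[oid]


def compare(live, model):
    """Comparator: (oid, expected, actual) for each out-of-compliance object."""
    return [(oid, expected, live.get(oid, ABSENT))
            for oid, expected in model.baseline.items()
            if not model.allows(oid, live.get(oid, ABSENT))]


def correct(discrepancies):
    """Corrector: turn discrepancies into change operations (not executed)."""
    return [("remove", oid) if expected == ABSENT else ("set", oid, expected)
            for oid, expected, _actual in discrepancies]


def incremental(baseline, current):
    """Keep only the values that differ from the baseline snapshot."""
    return {oid: val for oid, val in current.items()
            if baseline.get(oid, ABSENT) != val}


def reconstruct(baseline, delta):
    """Rebuild a full snapshot from the baseline plus its saved changes."""
    full = dict(baseline)
    full.update(delta)
    return full


def audit_web2():
    """Audit the constructed WEB2 server against a model built from GOLD."""
    model = ReferenceModel(take_snapshot(GOLD, TEMPLATE))
    model.ranges["httpd.conf:MaxClients"] = (100, 256)  # edited after recording
    return compare(take_snapshot(WEB2, TEMPLATE), model)


if __name__ == "__main__":
    for op in correct(audit_web2()):
        print(op)
```

`MaxClients` at 200 passes because it falls inside the compliance range, while the world-writable `0666` mode and the missing `.htaccess` are reported even though no range covers them.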
[0141] The reference model 1030 can also be used to provision a new server to ensure consistency in the configuration of the servers in the network when a new server is added. For example, an Apache reference model 1030 can be used to provision a new Apache server so that the configuration of all Apache servers in the network are consistent with each other.
[0142] In addition, both the reference model 1030 and snapshots can be used to restore a previous configuration of a server in case of a disaster recovery. In particular, in case of a server failure, this server can recover its most recent configuration and contents by reconstructing the server's configuration from the snapshots taken over a period of time. With the reference model 1030, in case of a server failure, the server can look to the basis values of the gold server in the reference model 1030 and synchronize to this configuration to be in compliance again.
[0143] FIG. 11 shows an exemplary method of tracking changes and compliance, and correcting component as well as parameter-level changes across multiple servers. In step 1100, the configuration manager 25B browses servers in the network to obtain server asset and configuration (together referred to as server objects) status information for each server. In the browsing step 1100, selected server objects and their dependent server objects are browsed in real time. In one embodiment, live servers in the network and their stored server objects can be browsed via a Graphic User Interface (GUI) which presents the servers and server objects hierarchically.
[0144] Next, in step 1105, the configuration manager 25B selects identifiers of the browsed server objects to be in the template 1010. The identifiers can include any information about the server object that is sufficient to identify the server object. Next in step 1110, the configuration manager selects a gold server, to provide a baseline configuration and configuration ranges for other servers in the network. In step 1115 snapshots of the values of the server objects identified in the template that are present in the gold server are recorded in the reference model 1030. Based on the values recorded in the reference model 1030, in step 1115, the reference model establishes compliance rules, such as the baseline configuration and the compliance ranges. Alternatively, the snapshots of the values are not recorded in the reference model. Instead, the snapshot results of a server can be used to directly compare against a live-version of this server to track changes.
[0145] In step 1120, the configuration manager 25B selects servers and their respective configuration parameters (also referred to as server objects) to compare against the reference model 1030. These servers can be selected from any live servers on the network. Alternatively, these live-version servers can also be directly compared against their own snapshots, taken at an arbitrary point in time, or taken over a specific period, without the reference model 1030, to track compliance and changes in these servers. The results of the comparing step 1125 can be viewed item-by-item, by showing which software (or server objects) are installed or not installed, or host-by-host, by showing each server and the server objects present on the server.
[0146] Finally, based on the discrepancies obtained during the comparing step 1120, a correcting step 1130 fixes the servers to be in compliance by synchronizing configuration of these servers with the reference model 1030 or the snapshots. Moreover, a newly added server can be provisioned to be consistent with other servers by synchronizing this new server to the reference model 1030.
[0147] Referring to FIG. 12, in one embodiment, the configuration manager 25B can manage the same type of configuration parameters (also referred to as server objects) across different servers by specifying one or more categories for the parameters in templates. The template 1200 first specifies the "server-type" category (e.g., application server category 1210, web server category 1215, and database server category 1220) to specify to what type of server each server object in the network belongs, and then specifies the "parameter-type" category (e.g., network parameters, capacity parameters, availability parameters, performance parameters, security parameters) to specify the parameter type to which each server object belongs. Each server object in the template 1200 can be classified under one or more categories, sub-categories and keywords. In one example, for security parameters, sub-categories can include encryption type and authentication type, and keywords can include "read-only" and constant.
[0148] Referring briefly to FIG. 13, an example of the system described with reference to FIG. 12 is shown. In this example, Internet 1300 and intranet 1305 are available to different categories of servers 1215, 1210, 1220 through firewalls 1310. Web server category 1215 includes an IIS server 1215A for intranet services and Apache Servers 1215B, 1215C for the HTTP/FTP and Wireless/Video Internet services respectively. Application server category 1210 includes servers running sales applications 1210A, on-line brokerage applications 1210B, and customer service application 1210C. Database server category 1220 includes sales, trading, and account databases 1220A, 1220B, and 1220C.
[0149] Referring again to FIG. 12, each server object in the template 1200 is placed into a parameter category based on its function and server type. For example, the server objects may be grouped into network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350. The configuration manager 25B selects categorically related server objects from each category of servers and stores them in the template 1200. For example, all the security parameters in the application server category 1210 and all the network parameters in the application server category 1210 are stored in the template 1200.
[0150] Referring again to FIG. 13, for the web server category 1215, web server configuration parameters a, b, c, d, e are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350. For the application server category 1210, application server configuration parameters i, ii, iii, iv, v are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350. Similarly, for the database server category 1220, database server configuration parameters I, II, III, IV, V are respectively categorized as network parameters 1330, capacity parameters 1335, availability parameters 1340, performance parameters 1345, and security parameters 1350.
[0151] After categorizing all the server objects in the template 1200 by the server-type categories and the parameter-type categories, a new template can be derived from the template 1200 to isolate the categorically related server objects across the server categories and manage the configuration parameters as if they belonged to a single server. For example, security configuration parameters of an individual web server can be changed in concert with other security configuration parameters for other web servers, as well as for application servers and database servers. In the example shown in FIG. 13, for instance, web server network parameter a can be changed in concert with network parameters i of the application server category 1210 and parameter I of the database server category 1220. Similarly, Web server capacity parameter b can be changed in concert with other capacity parameters ii of the application server category 1210 and II of the database server category 1220. Likewise, correlated changes of parameters can be performed for the availability parameters 1346, the performance parameters 1345, and the security parameters 1350.
[0152] Referring to FIG. 14, an exemplary screenshot of a GUI-based configuration manager 25B includes a module referred to as an asset browser 1400, which allows a user 10 to browse live remote target servers 15, and to manage and store frequently used server assets (also referred to as server objects). The asset browser 1400 is divided into two panes. The left pane 1410 functions as either a Servers pane or a Depots pane, depending on a tab 1420 selected by the user 10. The Contents pane 1430 on the right side displays the contents of an item selected in the Servers or the Depots pane.
[0153] In FIG. 14, the left pane 1410 displays the Servers pane which shows a hierarchical depiction of the servers that the user 10 manages. For example, the user 10 may arrange the servers into groups based on geographical location and/or operating system. Server groups are divided into the eastern and western divisions of an enterprise, and within those groups, another level of hierarchy for Windows, UNIX, and Linux-based servers. More specifically in FIG. 14, within the servers in the Eastern Division 1440, the patches object 1460 in the sun 2 server 1450 is selected. The Contents pane 1430 shows the contents of the patches object 1460.
[0154] The Depots pane (not shown) can display central repositories of commonly accessed server objects (e.g., all files, software to be deployed, and pointers to the content of the files and software residing in other servers in the network). In addition, the Depots pane stores scheduled tasks to be performed, snapshots of server objects, Shell scripts, and transaction packages 700.
Example
[0155] In an overall example of operation of the configuration manager, the configuration manager browses live servers on a network, tracks changes and compliance in the servers by comparing their server objects against a reference model or a snapshot, and identifying any discrepancies from the reference model or the snapshot. By making records of the values of the gold server's server objects through a snapshot and saving the results as a reference model, the reference model may be used to audit other servers, to determine how configurations of the other servers have changed from the reference model. Alternatively, a server's own snapshot can be taken arbitrarily, or over a specific period of time to track changes in the server, without using the reference model. In one example, the server objects being compared in the audit process are provided automatically by the configuration manager via templates. In another example, the user may manually select the server objects to compare. Additionally, the audit process can be scheduled to track compliance over time.
[0156] After identifying server configuration discrepancies present in the servers, the configuration manager 25B corrects the discrepancies by generating a transaction package 700 that contains server change operations to be performed on the servers 15. The transaction package 700 bundles configuration change operations and corresponding instructions to be deployed on remote target servers 15 to correct any discrepancies that exist in server objects contained in those servers 15. With the transaction package 700, the configuration manager 25B can install any types of server objects from a single source to multiple locations. Similarly, the configuration manager 25B can uninstall software, and undo server object deployments on the remote target servers 15. As discussed previously, certain values inside the transaction package 700 can be parameterized and subsequently replaced with real values during the deployment of the transaction package 700 on the target servers 15, without changing the contents of the transaction package 700 for each target server 15.
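Paragraph [0156] describes one package whose parameterized values are filled in per target at deployment time. The following is an added example, not code from the patent or from any product: the `${NAME}` placeholder syntax, the operation tuples, the sample targets and the per-target all-or-nothing behaviour are assumptions chosen to illustrate the idea.

```python
from string import Template

# Constructed package: ${NAME} marks a parameter (placeholder syntax assumed).
# It is a tuple of tuples, so deployment cannot modify it per target.
PACKAGE = (
    ("set", "httpd.conf:Listen", "${IP}:${PORT}"),
    ("set", "httpd.conf:ServerName", "${HOST}.example.test"),
    ("delete", "httpd.conf:UserDir"),
)


def sample_targets():
    """Constructed targets: current configuration plus per-target parameters."""
    return {
        "web1": {"config": {"httpd.conf:Listen": "80",
                            "httpd.conf:UserDir": "public_html"},
                 "params": {"IP": "10.0.0.11", "PORT": "8080", "HOST": "web1"}},
        # web2 has no UserDir entry, so the delete operation fails there.
        "web2": {"config": {"httpd.conf:Listen": "80"},
                 "params": {"IP": "10.0.0.12", "PORT": "8080", "HOST": "web2"}},
        # web3 is missing the PORT parameter, so binding fails there.
        "web3": {"config": {"httpd.conf:Listen": "80",
                            "httpd.conf:UserDir": "public_html"},
                 "params": {"IP": "10.0.0.13", "HOST": "web3"}},
    }


def bind(package, params):
    """Return the operations with parameters replaced by real values.

    Template.substitute raises KeyError when a parameter has no value,
    so an incompletely parameterized target is rejected before any change.
    """
    return [tuple(Template(part).substitute(params) for part in op)
            for op in package]


def apply_atomically(config, ops):
    """Apply every operation to a copy; return it only if all succeed."""
    work = dict(config)
    for op in ops:
        if op[0] == "set":
            work[op[1]] = op[2]
        elif op[0] == "delete":
            del work[op[1]]  # KeyError if the object is not present
        else:
            raise ValueError(f"unknown operation {op[0]!r}")
    return work


def deploy(package, targets):
    """Deploy one package to many targets; a failed target keeps its state."""
    report = {}
    for name, target in targets.items():
        try:
            ops = bind(package, target["params"])
            target["config"] = apply_atomically(target["config"], ops)
            report[name] = "committed"
        except (KeyError, ValueError) as exc:
            report[name] = f"rolled back: {exc!r}"
    return report


if __name__ == "__main__":
    targets = sample_targets()
    for name, status in deploy(PACKAGE, targets).items():
        print(name, status, targets[name]["config"])
```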
[0157] In one particular example, the configuration manager 25B can be used to move a working MS SQL server database from a gold server to multiple target servers 15, to duplicate the changes made in this database to multiple servers. To achieve this duplication, the user 10 copies the changes made on the SQL Server database to the reference model, so that the configuration manager 25B can later bundle these changes to other instances of the same SQL Server database in the remote target servers 15. The reference model and the remote target servers 15 have the same initial installation of the SQL Server database. The configuration manager takes a snapshot of the gold server to create a reference model that is used as a baseline to compare the SQL Server databases between the gold server and the target servers 15. The necessary database changes are first made to the gold server. Next, the configuration manager 25B creates a transaction package 700 to bundle these changes to be deployed on the target servers 15. The configuration manager 25B deploys the transaction package 700 to the virtual server agents 35 associated with the target servers 15 to request these changes to be made on their SQL Server databases.
[0158] In some embodiments, the functionality of the systems and methods described above may be implemented as software on one or more general purpose computers. In such an embodiment, the software may be written in any one of a number of high-level languages, such as FORTRAN, PASCAL, C, C++, LISP, JAVA, or BASIC. Further, the software may be written in a script, macro, or functionality embedded in commercially available software, such as EXCEL or VISUAL BASIC. Additionally, the software could be implemented in an assembly language directed to a microprocessor resident on a computer. For example, the software could be implemented in Intel 80x86 assembly language if it were configured to run on an IBM PC or PC clone. The software may be embedded on an article of manufacture including, but not limited to, a "computer-readable medium" such as a floppy disk, a hard disk, an optical disk, a magnetic tape, a PROM, an EPROM, or CD-ROM.
[0159] Variations, modifications, and other implementations of what is described herein will occur to those of ordinary skill in the art without departing from the spirit and the scope of the invention as claimed. Accordingly, the invention is to be defined not by the preceding illustrative description but instead by the spirit and scope of the following claims.
[0160] What is claimed is:

Claims

1. A method for receiving and executing a system call from a software application program on one of a plurality of servers, the method comprising the steps of: (a) providing a representation of a plurality of servers as a single virtual server, the representation of the single virtual server implemented by a virtual server client and a plurality of virtual server agents each running on a respective one of the plurality of servers; (b) receiving, by the virtual server client, an abstract system call from a software application program; and (c) instantiating in a thread-safe manner the abstract system call by: identifying, by the virtual server client, a target server to receive the abstract system call, and identifying a corresponding virtual server agent associated with the target server; transmitting the abstract system call to the identified agent for execution on the target server; and receiving execution results from the agent.
2. The method of claim 1, wherein at least two of the plurality of servers have different operating systems.
3. The method of claim 1 further comprising the step of aggregating at least the abstract system call and a second abstract system call into a high-level abstract system call.
4. The method of claim 3 further comprising the steps of (i) receiving, by the virtual server client, the high-level abstract system call; (ii) disintegrating, by the virtual server client, the high-level abstract system call into the at least the abstract system call and the second abstract system call; and (iii) instantiating in a thread-safe manner each of the at least the abstract system call and the second abstract system call.
5. The method of claim 3 further comprising the steps of: (i) receiving, by the virtual server client, the high-level abstract system call; and (ii) instantiating in a thread-safe manner the high-level abstract system call.
6. The method of claim 1, wherein the instantiating step (c), the virtual server client is implemented by a network-aware code library.
7. The method of claim 6, wherein the network-aware code library is a libnc.
8. The method of claim 6, wherein the virtual server client is a libnc.
9. The method of claim 1, wherein the identifying step comprises identifying the target virtual server agent to receive the abstract system call in response to a server identifier included in the abstract system call.
10. The method of claim 9, wherein the server identifier comprises a host name specified in a path.
11. The method of claim 9, wherein the server identifier comprises a network address.
12. The method of claim 11, wherein the server identifier is inferred from a group of servers the target server belongs.
13. The method of claim 1, further comprising after the transmitting step, the steps of: (i) translating, by the virtual server agent, the abstract system call into an operating system specific system call to be executed by the target server; and (ii) executing, by the target server, the operating system specific system call in a thread-safe manner.
14. The method of claim 1 further comprising: before the transmitting step, specifying at least one of priority, CPU utilization, and memory utilization of the abstract system call on the target servers associated with the identified virtual server agents.
15. The method of claim 1 further comprising: (i) authenticating a user of the software application program and a management system operating the software application program; (ii) after the instantiating step (c), encrypting, by the virtual server client, the abstract system call; (iii) identifying, by the virtual server agent, the management system and the user; (iv) decrypting, by the virtual server agent, the encrypted abstract system call; (v) mapping the identified user to an associated local user of the target server; (vi) impersonating the identified user as the mapped local user on the target server; (vii) authorizing the decrypted abstract system call for the mapped local user based on at least one of role-based access control model and access control lists; and (viii) maintaining an audit log to record the name of the user and the abstract system call executed on the target server.
16. The method of claim 15, wherein the authenticating step (i) is performed substantially in accordance with a public key protocol.
17. The method of claim 15, wherein the authenticating step and the encrypting step are performed substantially in accordance with Kerberos protocol.
18. The method of claim 15, wherein the authenticating step and the encrypting step are performed substantially in accordance with Shared Secret protocol.
19. The method of claim 1 further comprising: modifying an existing non-distributed application to function as a network-aware application by substituting a non network-aware system call with the abstract system call.
20. The method of claim 19, wherein the modifying step comprises modifying a non-distributed Unix shell to function as the network-aware application program.
21. The method of claim 19, wherein the modifying step comprises modifying a non-distributed scripting language to function as the network aware-application program.
22. The method of claim 21, wherein the non-distributed scripting language comprises Perl.
23. The method of claim 21, wherein the non-distributed scripting language comprises Python.
24. The method of claim 1, wherein the software application program comprises a configuration manager.
25. A virtual server, having a virtual server client and a virtual server agent, for representing a plurality of servers as an abstract model, wherein the virtual server comprises, (a) a virtual server client receiver for receiving an abstract system call from a software application program; (b) a virtual server client instantiator, in communication with the virtual server client receiver, for instantiating the abstract system call in a thread-safe manner; (c) a virtual server client transmitter, in communication with the virtual server client instantiator, for transmitting the abstract system call; (d) a virtual server agent receiver for receiving the abstract system call from the virtual server client transmitter; (e) a virtual server agent translator for translating the abstract system call to an operating system specific system call; and (f) a target server executor for executing the operating system specific system call on a target server associated with the virtual server agent in a thread-safe manner.
26. The virtual server of claim 25, wherein at least two of the plurality of servers have different operating systems.
27. The virtual server of claim 25 further comprising an aggregator for aggregating at least the abstract system call and a second abstract system call into a high-level abstract system call.
28. The virtual server of claim 27 further comprising: (i) a virtual server client receiver for receiving the high-level abstract system call and disintegrating the high-level abstract system call into the at least the abstract system call and the second abstract system call; and (ii) the virtual server client instantiator for instantiating in a thread-safe manner each of the at least the abstract system call and the second abstract system call.
29. The virtual server of claim 27 further comprising: (i) a virtual server client receiver for receiving the high-level abstract system call; and (ii) the virtual server client instantiator for instantiating the high-level abstract system call in a thread-safe manner.
30. The virtual server of claim 25, wherein the virtual server client is implemented by a network-aware code library.
31. The virtual server of claim 30, wherein the network-aware code library is a libnc.
32. The virtual server of claim 30, wherein the virtual server client is a libnc.
33. The virtual server of claim 25, wherein the virtual server client instantiator identifies the target virtual server agent to receive the abstract system call in response to a server identifier included in the abstract system call.
34. The virmal server of claim 33, wherein the server identifier comprises a host name specified in a path.
35. The virmal server of claim 33, wherein the server identifier comprises a network address.
36. The virtual server of claim 35, wherein the server identifier is inferred from a group of servers the target server belongs.
37. The virtual server of claim 25, whereas the virtual server client transmitter specifies at least one of priority, CPU utilization, and memory utilization of the abstract system call on the target servers associated with the identified virtual server agents.
38. The virtual server of claim 25 further comprising: (i) an authenticator for authenticating a user of the software application program and a management system operating the software application program; (ii) a virtual server client encryptor for encrypting the abstract system call; (iii) a virtual server agent identifier for identifying the management system and the user; (iv) a virtual server agent decryptor for decrypting the encrypted abstract system call; (v) a virtual server agent mapper for mapping the identified user to an associated local user of the target server; (vi) a virtual server agent impersonator for impersonating the identified user as the mapped local user on the target server; (vii) a virtual server agent authorizer for authorizing the decrypted abstract system call for the mapped local user based on at least one of role-based access control model and access control lists; and (viii) an audit log for recording the name of the user and the abstract system call executed on the target server.
39. The virtual server of claim 38, wherein the virtual server client encryptor performs substantially in accordance with a public key protocol.
40. The virtual server of claim 38, wherein the authenticator and the virtual server client encryptor perform substantially in accordance with a Kerberos protocol.
41. The virtual server of claim 38, wherein the authenticator and the virtual server client encryptor perform substantially in accordance with a Shared Secret protocol.
42. The virtual server of claim 25 further modifies an existing non-distributed application to function as a network-aware application by substituting a non network-aware system call with the abstract system call.
43. The virtual server of claim 42 further modifies a non-distributed Unix shell to function as the network-aware application program.
44. The virtual server of claim 42 further modifies a non-distributed scripting language to function as the network aware-application program.
45. The virmal server of claim 44, wherein the non-distributed scripting language comprises Perl.
46. The virmal server of claim 44, wherein the non-distributed scripting language comprises Python.
47. The virtual server of claim 25, wherein the software application program comprises a configuration manager.
48. A method for securely executing a system call on a remote computer, the method comprising the steps of: (a) receiving, by a virtual server client running on a first computer, an abstract system call from an application called by an authenticated user; (b) instantiating in a thread-safe manner the abstract system call by: identifying, by the virtual server client, a virtual server agent running on a remote computer to receive the abstract system call; (c) encrypting, by the virtual server client, the abstract system call; (d) communicating the encrypted abstract system call to the virtual server agent; (e) identifying, by the virtual server agent, the first computer and the authenticated user; (f) decrypting, by the virtual server agent, the encrypted abstract system call; (g) mapping the authenticated user to a local user on the remote computer; (h) impersonating the authenticated user as the local user on the remote computer; (i) authorizing the decrypted abstract system call for the local user based on at least one of role-based access control model and access control lists; (j) translating the abstract system call to an operating system specific system call; and (k) executing as the local user, by the virtual server agent, the operating system specific system call on the remote computer.
49. The method of claim 48 further comprising: before the receiving step (a), authenticating a user using an operating system user context inheritance model.
50. The method of claim 48 further comprising: before the receiving step (a), authenticating a user substantially in accordance with a public key protocol.
51. The method of claim 48 further comprising: before the receiving step (a), authenticating a user substantially in accordance with a Kerberos protocol.
52. The method of claim 48, wherein the identifying step (g), if the authenticated user is not identified as a local user in the identifying step (g), then designating the authenticated user as a local guest.
53. The method of claim 48, wherein the authorizing step (h) comprises authorizing the decrypted first abstract system call for the local user based on at least one of role-based access control model and access control lists substantially in accordance with Kerberos protocol.
54. The method of claim 48, wherein the authorizing step (h) comprises authorizing the decrypted first abstract system call for the local user based on at least one of role-based access control model and access control lists substantially in accordance with SSL protocol.
55. The method of claim 48 further comprising: after the executing step (i), encrypting results of the executing step (i); and returning the encrypted results to the virtual server client.
56. The method of claim 48, further comprising: maintaining an audit log, by the virtual server client and the identified virtual server agent, that includes names of the authenticated user and the abstract system call performed.
57. A virtual server for securely executing a system call on a remote computer, the virtual server comprising: (a) a virtual server client receiver running on a first computer for receiving an abstract system call from an application called by an authenticated user; (b) a virtual server client instantiator, in communication with the virtual server client receiver, for instantiating the abstract system call in a thread-safe manner by identifying a virtual server agent running on a remote computer to receive the first abstract system call; (c) a virtual server client encryptor, in communication with the virtual server client instantiator, for encrypting the abstract system call; (d) a virtual server client transmitter for communicating the encrypted abstract system call to the virtual server agent; (e) a virtual server agent identifier, in communication with the virtual server agent decryptor, for identifying the authenticated user and the first computer; (f) a virtual server agent decryptor, in communication with the virtual server client transmitter, for decrypting the encrypted abstract system call; (g) a virtual server agent mapper, in communication with the identifier and the decryptor, for mapping the authenticated user to a local user on the remote computer; (h) a virtual server agent impersonator for impersonating the authenticated user as the local user on the remote computer; (i) a virtual server agent authorizer, in communication with the virtual server agent impersonator, for authorizing the decrypted abstract system call for the local user based on at least one of role-based access control model and access control lists; (j) a virtual server agent translator for translating the abstract system call to an operating system specific system call; and (k) a virtual server agent executor, in communication with the virtual server agent authorizer, for executing the operating system specific system call as the local user on the remote computer.
58. The virtual server of claim 57 further comprising: an authenticator for authenticating a user using an operating system user context inheritance model.
59. The virtual server of claim 58, wherein the authenticator performs substantially in accordance with a public key protocol.
60. The virtual server of claim 58, wherein the authenticator performs substantially in accordance with Kerberos protocol.
61. The virtual server of claim 57, if the authenticated user is not identified as a local user by the virtual server agent identifier, then designate the authenticated user as a local guest.
62. The virtual server of claim 57, wherein the virtual server agent authorizer performs substantially in accordance with Kerberos protocol.
63. The virtual server of claim 57, wherein the virtual server agent authorizer performs substantially in accordance with SSL protocol.
64. The virtual server of claim 57, wherein the virtual server agent executor encrypts results of the executing step (i); and returns the encrypted results to the virtual server client.
65. The virtual server of claim 57, further comprising: an audit log, maintained by the virtual server client and the identified virtual server agents, that includes names of the authenticated users and the abstract system call performed.
66. A method for executing change operations across a plurality of servers in a transaction-safe manner, the method comprising the steps of: (a) specifying change operations for a collection of server objects in a transaction package, wherein the objects comprise at least one of files and configuration file entries; (b) identifying at least one target server for execution of the change operations specified in the transaction package; (c) specifying parameter values for each of the identified target servers; (d) communicating the transaction package to the identified target servers; and (e) executing the specified change operations on each of the identified target servers in a transaction-safe manner using the parameter values.
67. The method of claim 66, wherein the server objects comprise at least one of a primitive server object, a compound server object, an abstract configuration server object, and a component server object.
68. The method of claim 67, wherein the primitive server object comprises an elemental server object.
69. The method of claim 67, wherein the compound server object comprises at least one of the primitive server objects and the compound server objects.
70. The method of claim 67, wherein the abstract configuration server object comprises an entry in a configuration file mapped to a corresponding entry in a common abstract configuration file format.
71. The method of claim 67, wherein the component server object comprises a sequenced collection of server objects.
72. The method of claim 66, wherein the specifying step (a), the transaction package comprises an XML-based instruction set.
73. The method of claim 66, wherein the specifying step (a), the transaction package comprises a text-based instruction set.
74. The method of claim 66, in addition to the specified change operations in the transaction package, the transaction package in the specifying step (a) further comprises: (i) a transaction context; (ii) a parameter file comprising the parameter values specific to each of the identified target servers; (iii) error handling actions; (iv) a sequencing instruction for the specified change operations; and (v) prerequisite information.
75. The method of claim 74, wherein the (i) transaction context in the transaction package comprises begin-transaction and end-transaction statements that encapsulate the specified change operations.
76. The method of claim 74, wherein the (ii) parameter file comprises group-level parameter values that are identical across the identified target servers.
77. The method of claim 76, wherein the (ii) parameter file comprises the parameter values that are distinct for each of the identified target servers and override the group-level parameter values if specified.
78. The method of claim 74, wherein the (iii) error handling actions comprise a soft error and a hard error.
79. The method of claim 74, wherein the (iv) sequencing instruction for the server change operations is provided locally from the transaction package.
80. The method of claim 79, wherein the (iv) sequencing instruction for the server change operations is provided from an external dependency graph, if the sequencing instruction is not provided locally from the transaction package.
81. The method of claim 74, wherein the (v) prerequisite information comprises prerequisite information for the identified target servers to execute the specified change operations.
82. The method of claim 66 further comprising the steps of: (i) maintaining a transaction log for the transaction package, wherein the transaction log comprises details of all steps performed during execution of the change operations specified in the transaction package; (ii) after a successful completion of the executing step (e), optionally reversing the executed change operations via an explicit user request; and (iii) automatically reversing the executed change operations, after detecting an occurrence of an error.
83. The method of claim 66 further comprising the steps of optionally performing a dry-run on the transaction package.
84. The method of claim 66 further comprising: (i) assembling a plurality of transaction packages into a transaction project; and (ii) executing change operations specified in each transaction package in the transaction project in a transaction-safe manner.
85. A transaction package for executing change operations across a plurality of target servers in a transaction-safe manner, the transaction package comprising: (a) an instruction set for specifying change operations for a plurality of server objects and identifying at least one target server for execution of the specified change operations on the identified target servers; and (b) a parameter file, in communication with the instruction set, for comprising parameter values specific to each of the identified target servers.
86. The transaction package of claim 85, wherein the (b) parameter file comprises group-level parameter values that are identical across the identified target servers.
87. The transaction package of claim 86, wherein the (b) parameter file comprises the parameter values that are distinct for each of the identified target servers and override the group-level parameter values if specified.
88. The transaction package of claim 85, wherein the server objects comprise at least one of a primitive server object, a compound server object, an abstract configuration server object, and a component server object.
89. The transaction package of claim 88, wherein the primitive server object comprises an elemental server object.
90. The transaction package of claim 88, wherein the compound server object comprises at least one of the primitive server objects and the compound server objects.
91. The transaction package of claim 88, wherein the abstract configuration server object comprises an entry in a configuration file mapped to a corresponding entry in a common abstract configuration file format.
92. The transaction package of claim 88, wherein the component server object comprises a sequenced collection of server objects.
93. The transaction package of claim 85, wherein the instruction set is an XML-based instruction set.
94. The transaction package of claim 85, wherein the instruction set is a text-based instruction set.
95. The transaction package of claim 85, in addition to the specified change operations in the instruction set, the instruction set further comprises: (i) a transaction context; (ii) error handling actions; (iii) a sequencing instruction for the specified change operations; and (iv) prerequisite information.
96. The transaction package of claim 95, wherein the (i) transaction context comprises begin-transaction and end-transaction statements that encapsulate the specified change operations.
97. The transaction package of claim 95, wherein the (ii) error handling actions comprise a soft error and a hard error.
98. The transaction package of claim 95, wherein the (iii) sequencing instruction for the server change operations is provided locally from the instruction set.
99. The transaction package of claim 98, wherein the (iii) sequencing instruction for the server change operations is provided from an external dependency graph, if the sequencing instruction is not provided locally from the instruction set.
100. The transaction package of claim 95, wherein the (iv) prerequisite information comprises prerequisite information for the identified target servers to execute the specified change operations.
101. The transaction package of claim 85, wherein a dry-run is optionally performed on the transaction package.
102. The transaction package of claim 85, wherein the transaction package and a second transaction package are assembled into a transaction project to execute the change operations specified in each transaction package in a transaction-safe manner.
103. The transaction package of claim 85, wherein the transaction package maintains: (i) a transaction log comprising details of all steps performed during execution of the change operations specified in the transaction package; (ii) after a successful completion of at least one of the change operations, an explicit user request for optionally reversing the executed change operations using the details provided from the transaction log; and (iii) an error signal for automatically reversing the executed change operations using the details provided from the transaction log.
104. A method for configuring a plurality of heterogeneous servers across a network, the method comprising: (a) browsing server objects in each of a plurality of servers across a network; (b) selecting identifiers of at least one browsed server objects to create a template; (c) selecting a gold server from the plurality of servers; (d) recording values of the server object identifiers selected in a template from the gold server to create a reference model; (e) comparing a second server from the plurality of servers to the reference model; and (f) correcting discrepancies of the second server against the reference model.
105. The method of claim 104, wherein the server objects in the browsing step (a) comprise at least one of files and configuration file entries.
106. The method of claim 105, wherein the server objects in the browsing step (a) comprise at least one of a primitive server object, a compound server object, an abstract configuration server object, and a component server object.
107. The method of claim 106, wherein the primitive server object comprises an elemental server object.
108. The method of claim 106, wherein the compound server object comprises at least one of the primitive server objects, the abstract configuration server objects, the component server objects and the compound server objects.
109. The method of claim 106, wherein the abstract configuration server object comprises an entry in a configuration file mapped to a corresponding entry in a common abstract configuration file format.
110. The method of claim 106, wherein the component server object comprises a sequenced collection of server objects.
111. The method of claim 104, wherein the selecting step (b), the template comprises a manually created template.
112. The method of claim 104, wherein the selecting step (b), the template comprises an externally imported template.
113. The method of claim 104, wherein the selecting step (b), the template comprises at least one of previously defined templates.
114. The method of claim 104, wherein the recording step (d), the reference model comprises a manually created template.
115. The method of claim 104, wherein the recording step (d), the reference model comprises at least one of previously defined reference models.
116. The method of claim 104, wherein the recording step (d) comprises arbitrarily taking a snapshot of the current configuration of a first server.
117. The method of claim 116, wherein the comparing step (e) comprises comparing a live-version of the first server to the snapshot.
118. The method of claim 116, wherein the correcting step (f) further comprises restoring a previous configuration of the first server from a snapshot.
119. The method of claim 104, wherein the recording step (d) comprises recurrently taking a plurality of snapshots of a first server at predetermined time intervals, wherein a first snapshot from the plurality of snapshots forms a baseline for subsequent snapshots from the plurality of snapshots and the subsequent snapshots capture changes against the baseline over time.
120. The method of claim 119, wherein the comparing step (e) comprises recurrently taking a plurality of audits of a live server at predetermined time intervals to track compliance against at least one of the baseline snapshot and the reference model over time.
121. The method of claim 104, wherein the comparing step (e) further comprises comparing live servers by: (i) comparing values of explicitly selected server objects that are commonly shared between a first live server and a second live server; (ii) comparing values of implicitly selected server objects that are implicitly specified in the template.
122. The method of claim 104, wherein the correcting step (f) further comprises restoring a previous configuration of the second server from the reference model.
123. The method of claim 104 further comprising: provisioning a newly-added third server on the network in accordance with the reference model.
124. The method of claim 104, wherein the correcting step (f) further comprises: after the comparing step (e), collecting the discrepancies identified in a transaction package to execute a plurality of server change operations on the second server; and synchronizing the second server with the reference model.
125. The method of claim 104 further comprising: updating the reference model; and propagating the updates to the plurality of servers with a transaction package.
126. The method of claim 104 further comprising: (i) categorizing in a template each of the server objects into categories, sub-categories, and associated keywords; and (ii) selecting categorically related server objects in second templates.
127. The method of claim 126, wherein the categorizing step (i), the categories comprise server type categories including at least one of an application server category, a web server category, and a database server category.
128. The method of claim 126, wherein the categorizing step (i), the categories comprise configuration parameter type categories including at least one of network parameters, capacity parameters, availability parameters, performance parameters, and security parameters.
129. A system for configuring a plurality of heterogeneous servers across a network, the system comprising: (a) a browser for browsing server objects in each of a plurality of servers across a network; (b) a template comprising a selected plurality of identifiers of at least one browsed server objects; (c) a recorder for recording values of the selected plurality of server object identifiers in the template from at least one of the plurality of servers; (d) a reference model comprising recorded values of the selected plurality of server object identifiers in the template from a gold server of the plurality of servers; (e) a comparator, in communication with the reference model, for comparing a second server from the plurality of servers to the reference model; and (f) a corrector, in communication with the comparator, for correcting discrepancies of the second server against the reference model.
130. The system of claim 129, wherein the server objects comprise at least one of files and configuration file entries.
131. The system of claim 130, wherein the server objects comprise at least one of a primitive server object, a compound server object, an abstract configuration server object, and a component server object.
132. The system of claim 131, wherein the primitive server object comprises an elemental server object.
133. The system of claim 131, wherein the compound server object comprises at least one of the primitive server objects, the abstract configuration server objects, the component server objects, and the compound server objects.
134. The system of claim 131, wherein the abstract configuration server object comprises an entry in a configuration file mapped to a corresponding entry in a common abstract configuration file format.
135. The system of claim 131, wherein the component server object comprises a sequenced coUection of server objects.
136. The system of claim 129, wherein the template comprises a manually created template.
137. The system of claim 129, wherein the template comprises an externally imported template.
138. The system of claim 129, wherein the template comprises at least one of previously defined templates.
139. The system of claim 129, wherein the reference model comprises a manually created template.
140. The system of claim 129, wherein the reference model comprises at least one of previously defined reference models.
141. The system of claim 129, wherein the recorder arbitrarily takes a snapshot of the current configuration of a first server.
142. The system of claim 141, wherein the comparator compares a live-version of the first server to the snapshot.
143. The system of claim 141, wherein the corrector further restores a previous configuration of the first server from the snapshot.
144. The system of claim 129, wherein the recorder recurrently takes a plurality of snapshots of a first server at predetermined time intervals, wherein a first snapshot from the plurality of snapshots forms a baseline for subsequent snapshots of the plurality of snapshots and the subsequent snapshots capture changes against the baseline over time.
145. The system of claim 144, wherein the comparator recurrently takes a plurality of audits of a live server at predetermined time intervals to track compliance against at least one of the baseline snapshot and the reference model over time.
146. The system of claim 129, wherein the comparator compares live servers by: (i) comparing values of explicitly selected server objects that are commonly shared between a first live server and a second live server; (ii) comparing values of implicitly selected server objects that are implicitly specified in the template.
147. The system of claim 129, wherein the corrector further restores a previous configuration of the second server from the reference model.
148. The system of claim 129 further comprising: provisioning a newly-added third server on the network in accordance with the reference model.
149. The system of claim 129, wherein the correcting step further collects the discrepancies identified in a transaction package to execute a plurality of server change operations on the second server; and synchronizing the second server with the reference model.
150. The system of claim 129 further comprising: an updater for updating the reference model and propagating the updates to the plurality of servers with a transaction package.
151. The system of claim 129 further comprising: (i) a first template categorizing each of the server objects into categories, sub-categories, and associated keywords; and (ii) second templates including a selected group of categorically related server objects by server type categories.
152. The system of claim 151, wherein the categories comprise server type categories including at least one of an application server category, a web server category, and a database server category.
153. The system of claim 151, wherein the categories comprise configuration parameter type categories including at least one of network parameters, capacity parameters, availability parameters, performance parameters, and security parameters.
154. The system of claim 129, wherein the reference model comprises an externally imported template.
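The workflow recited across claims 104, 124, 66, 82 and 83 (template, gold-server reference model, comparison, discrepancies collected into a transaction package, transaction-safe execution with a log, rollback and dry-run) can be modelled in a few functions. This is an added illustration, not code from the patent or from BladeLogic; the dictionary model of a server, the identifier strings, the `locked` parameter and every function name are assumptions, and the sample data is constructed.

```python
ABSENT = object()  # marks a server object that does not exist on a server


class ChangeError(Exception):
    """Hard error raised while applying a change operation."""


def record_reference_model(template, gold_server):
    """Claim 104(d): record the gold server's value for each template identifier."""
    return {ident: gold_server.get(ident, ABSENT) for ident in template}


def compare(reference_model, server):
    """Claim 104(e): return (identifier, current, expected) for each discrepancy."""
    return [
        (ident, server.get(ident, ABSENT), expected)
        for ident, expected in reference_model.items()
        if server.get(ident, ABSENT) != expected
    ]


def build_transaction_package(discrepancies):
    """Claim 124: collect the discrepancies as an ordered list of change operations."""
    return [{"object": ident, "value": expected}
            for ident, _current, expected in discrepancies]


def _apply(server, ident, value):
    # Setting a value to ABSENT means the object must not exist on the server.
    if value is ABSENT:
        server.pop(ident, None)
    else:
        server[ident] = value


def execute(package, server, locked=(), dry_run=False):
    """Claims 66(e), 82 and 83: apply every operation or none of them.

    Returns (committed, log), where log holds (identifier, previous value).
    `locked` is a hypothetical set of identifiers the target refuses to
    change; it exists only to provoke a hard error in this example.
    """
    if dry_run:
        # Report what would be overwritten without touching the server.
        return False, [(op["object"], server.get(op["object"], ABSENT))
                       for op in package]
    log = []
    try:
        for op in package:
            if op["object"] in locked:
                raise ChangeError(op["object"])
            # Log the previous value before changing it so it can be restored.
            log.append((op["object"], server.get(op["object"], ABSENT)))
            _apply(server, op["object"], op["value"])
    except ChangeError:
        # Automatic reversal: undo completed steps in reverse order.
        for ident, previous in reversed(log):
            _apply(server, ident, previous)
        return False, log
    return True, log


# Constructed sample data: configuration file entries keyed as "file:entry".
GOLD = {"sshd_config:PermitRootLogin": "no", "sshd_config:Protocol": "2"}
TEMPLATE = ["sshd_config:PermitRootLogin", "sshd_config:Protocol",
            "inetd.conf:telnet"]


def drifted_server():
    """A second server that has drifted from the gold server."""
    return {"sshd_config:PermitRootLogin": "yes", "sshd_config:Protocol": "2",
            "inetd.conf:telnet": "enabled", "/etc/motd:mode": "0600"}


if __name__ == "__main__":
    reference = record_reference_model(TEMPLATE, GOLD)
    target = drifted_server()
    package = build_transaction_package(compare(reference, target))
    print("committed:", execute(package, target)[0])
    print("remaining discrepancies:", compare(reference, target))
```

Objects outside the template (here `/etc/motd:mode`) are never compared or changed, so the template defines the scope of both the audit and the correction.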
PCT/US2003/017927 2002-06-12 2003-06-05 Method and system for simplifying distributed server management WO2003107178A2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
AU2003243426A AU2003243426A1 (en) 2002-06-12 2003-06-05 Method and system for simplifying distributed server management
EP16192226.5A EP3139541B1 (en) 2002-06-12 2003-06-05 Method and system for performing distributed server change operations in a transaction-safe manner
EP03760238.0A EP1573520B1 (en) 2002-06-12 2003-06-05 Method and system for simplifying distributed server management
EP06026527A EP1772803A3 (en) 2002-06-12 2003-06-05 Method and system for performing distributed server change operations in a transaction-safe manner

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
US38811202P 2002-06-12 2002-06-12
US60/388,112 2002-06-12
US45330803P 2003-03-10 2003-03-10
US60/453,308 2003-03-10
US10/414,959 2003-04-16
US10/414,887 2003-04-16
US10/414,959 US8447963B2 (en) 2002-06-12 2003-04-16 Method and system for simplifying distributed server management
US10/414,958 US7249174B2 (en) 2002-06-12 2003-04-16 Method and system for executing and undoing distributed server change operations
US10/414,958 2003-04-16
US10/414,887 US8549114B2 (en) 2002-06-12 2003-04-16 Method and system for model-based heterogeneous server configuration management

Publications (2)

Publication Number Publication Date
WO2003107178A2 true WO2003107178A2 (en) 2003-12-24
WO2003107178A3 WO2003107178A3 (en) 2005-12-15

Family

ID=29740828

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/017927 WO2003107178A2 (en) 2002-06-12 2003-06-05 Method and system for simplifying distributed server management

Country Status (5)

Country Link
US (8) US7249174B2 (en)
EP (4) EP1573520B1 (en)
AU (1) AU2003243426A1 (en)
ES (1) ES2548302T3 (en)
WO (1) WO2003107178A2 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1615130A2 (en) * 2004-07-07 2006-01-11 Sap Ag Dynamic Log for a computer system consisting of servers providing services
US20060184653A1 (en) * 2005-02-16 2006-08-17 Red Hat, Inc. System and method for creating and managing virtual services
US7680825B2 (en) 2005-12-30 2010-03-16 Sap Ag Systems and methods for generating tenant-specific properties for use in a provider-tenant environment
US7689593B2 (en) 2005-12-30 2010-03-30 Sap Ag Systems and methods for accessing a shared space in a provider-tenant environment
US7693851B2 (en) 2005-12-30 2010-04-06 Sap Ag Systems and methods for implementing a shared space in a provider-tenant environment
US7698284B2 (en) 2005-12-30 2010-04-13 Sap Ag Systems and methods for deploying a tenant in a provider-tenant environment
US7739348B2 (en) 2006-12-29 2010-06-15 Sap Ag Systems and methods for accessing a shared space in a provider-tenant environment by using middleware
US7917607B2 (en) 2005-12-30 2011-03-29 Sap Ag Software management systems and methods, including use of such systems and methods in a provider-tenant environment
US8042150B2 (en) 2008-12-08 2011-10-18 Motorola Mobility, Inc. Automatic generation of policies and roles for role based access control
US8224828B2 (en) 2009-12-22 2012-07-17 Sap Ag Multi-client generic persistence for extension fields
WO2015105799A1 (en) * 2014-01-09 2015-07-16 Citrix Systems, Inc. System and method for cloud-based probing and diagnostics

Families Citing this family (308)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002318692A (en) * 2001-04-19 2002-10-31 Sony Corp Installation support system, installation support device, installation support method, program for supporting installation and recording medium in which the same program is recorded
US7685126B2 (en) 2001-08-03 2010-03-23 Isilon Systems, Inc. System and methods for providing a distributed file system utilizing metadata to track information about data stored throughout the system
US7146524B2 (en) 2001-08-03 2006-12-05 Isilon Systems, Inc. Systems and methods for providing a distributed file system incorporating a virtual hot spare
US7945652B2 (en) * 2002-08-06 2011-05-17 Sheng (Ted) Tai Tsao Display multi-layers list item in web-browser with supporting of concurrent multi-users
US7249174B2 (en) * 2002-06-12 2007-07-24 Bladelogic, Inc. Method and system for executing and undoing distributed server change operations
US6990656B2 (en) * 2002-06-27 2006-01-24 Microsoft Corporation Dynamic metabase store
US8140635B2 (en) 2005-03-31 2012-03-20 Tripwire, Inc. Data processing environment change management methods and apparatuses
US8073935B2 (en) * 2002-07-25 2011-12-06 Oracle America, Inc. Pluggable semantic verification and validation of configuration data
US7469338B2 (en) * 2002-07-29 2008-12-23 Broadcom Corporation System and method for cryptographic control of system configurations
US8812640B2 (en) * 2002-08-06 2014-08-19 Sheng Tai (Ted) Tsao Method and system for providing multi-layers item list in browsers with supporting of concurrent multiple users
US20120079389A1 (en) * 2002-08-06 2012-03-29 Tsao Sheng Tai Ted Method and Apparatus For Information Exchange Over a Web Based Environment
JP2004078268A (en) * 2002-08-09 2004-03-11 Fujitsu Ltd Information processor, information processing method and program
US7370092B2 (en) * 2002-09-12 2008-05-06 Computer Sciences Corporation System and method for enhanced software updating and revision
US7363540B2 (en) * 2002-10-22 2008-04-22 Microsoft Corporation Transaction-safe FAT file system improvements
US7174420B2 (en) * 2002-10-22 2007-02-06 Microsoft Corporation Transaction-safe FAT file system
US7074827B2 (en) * 2002-10-24 2006-07-11 Sucampo Ag (Usa) Inc. Method for treating ocular hypertension and glaucoma
EP1563411B1 (en) 2002-11-14 2013-06-19 EMC Corporation Systems and methods for restriping files in a distributed file system
AU2003900055A0 (en) * 2003-01-06 2003-01-23 Concept Development Pty Ltd A method and system of web site construction
JP4152755B2 (en) * 2003-01-10 2008-09-17 富士通株式会社 Server device having a function of switching between old and new program modules
JP4567293B2 (en) * 2003-01-21 2010-10-20 株式会社日立製作所 file server
US20100145752A1 (en) * 2004-05-11 2010-06-10 Davis James E Adaptable workflow and communications system
US7454483B2 (en) 2003-05-14 2008-11-18 Microsoft Corporation Method and apparatus for configuring servers
US8296167B2 (en) * 2003-06-17 2012-10-23 Nigel King Process certification management
US7899693B2 (en) 2003-06-17 2011-03-01 Oracle International Corporation Audit management workbench
US8005709B2 (en) * 2003-06-17 2011-08-23 Oracle International Corporation Continuous audit process control objectives
US7941353B2 (en) * 2003-06-17 2011-05-10 Oracle International Corporation Impacted financial statements
US7890464B2 (en) * 2003-06-20 2011-02-15 Innopath Software, Inc. Processing software images and generating difference files
US7620704B2 (en) * 2003-06-30 2009-11-17 Microsoft Corporation Method and apparatus for configuring a server
US20050138150A1 (en) * 2003-07-11 2005-06-23 Computer Associates Think, Inc. System and method for graphically presenting change and configuration management information
US20050044215A1 (en) * 2003-08-22 2005-02-24 Cohen Alain J. System for automatic import, analysis, and reporting of network configuration and status information
US7500235B2 (en) * 2003-09-05 2009-03-03 Aol Time Warner Interactive Video Group, Inc. Technique for updating a resident application and associated parameters in a user terminal through a communications network
US7818718B2 (en) * 2003-09-30 2010-10-19 Sap Ag Undoing user actions in a client program
US20050080811A1 (en) * 2003-10-10 2005-04-14 Cendura Corporation Configuration management architecture
DE10356368A1 (en) * 2003-11-28 2005-06-23 Abb Patent Gmbh System for automatic generation and installation of functionalities into data files, esp. system components in distributed automation system, includes system planning tool
US7614051B2 (en) * 2003-12-16 2009-11-03 Microsoft Corporation Creating file systems within a file in a storage technology-abstracted manner
US7568195B2 (en) * 2003-12-16 2009-07-28 Microsoft Corporation Determining a maximal set of dependent software updates valid for installation
US7549042B2 (en) * 2003-12-16 2009-06-16 Microsoft Corporation Applying custom software image updates to non-volatile storage in a failsafe manner
US7549148B2 (en) 2003-12-16 2009-06-16 Microsoft Corporation Self-describing software image update components
US20050132357A1 (en) * 2003-12-16 2005-06-16 Microsoft Corporation Ensuring that a software update may be installed or run only on a specific device or class of devices
US8601099B1 (en) * 2003-12-30 2013-12-03 Sap Ag System and method for managing multiple sever node clusters using a hierarchical configuration data structure
US20050198652A1 (en) * 2004-01-13 2005-09-08 Huscher Anthony A. Dynamic link library (DLL) for providing server enhancements
US7512971B2 (en) * 2004-01-29 2009-03-31 Newisys, Inc. Method and system for enabling remote access to a computer system
US7478421B2 (en) * 2004-02-04 2009-01-13 Toshiba Corporation System and method for role based access control of a document processing device
US20090119755A1 (en) * 2004-02-04 2009-05-07 Kodimer Marianne L System and method for role based access control of a document processing device
EP1566940A1 (en) * 2004-02-20 2005-08-24 Alcatel Alsthom Compagnie Generale D'electricite A method, a service system, and a computer software product of self-organizing distributing services in a computing network
US20050209899A1 (en) * 2004-03-16 2005-09-22 Oracle International Corporation Segregation of duties reporting
US20070276970A1 (en) * 2004-03-17 2007-11-29 Abb Research Ltd. Data Consistency Validation
TW200535602A (en) * 2004-04-16 2005-11-01 Hon Hai Prec Ind Co Ltd A system and method for testing motherboards automatically
US20050262495A1 (en) * 2004-05-18 2005-11-24 Bea Systems, Inc. Administration mode for server applications
US20050262494A1 (en) * 2004-05-18 2005-11-24 Bea Systems, Inc. Production redeployment through application versioning
US7660879B2 (en) * 2004-05-20 2010-02-09 Ananthan Bala Srinivasan System and method for application deployment service
EP1769353A2 (en) * 2004-05-21 2007-04-04 Computer Associates Think, Inc. Method and apparatus for dynamic memory resource management
WO2005116833A1 (en) * 2004-05-21 2005-12-08 Computer Associates Think, Inc. Method and apparatus for dynamic cpu resource management
US20060031431A1 (en) * 2004-05-21 2006-02-09 Bea Systems, Inc. Reliable updating for a service oriented architecture
EP1769388A4 (en) * 2004-05-21 2012-01-11 Computer Ass Think Inc Method and system for web-based enterprise change and configuration management reports
US20050278723A1 (en) * 2004-06-14 2005-12-15 Feinleib David A System and method for remote administration from a windows client of computer systems running the Linux operating system
US7500227B1 (en) * 2004-06-22 2009-03-03 Unisys Corporation Process and system for intercepting a .NET method at runtime
US20060088027A1 (en) * 2004-07-07 2006-04-27 Wolfgang Becker Dynamic log for computer systems of server and services
US7971255B1 (en) 2004-07-15 2011-06-28 The Trustees Of Columbia University In The City Of New York Detecting and preventing malcode execution
US7984443B2 (en) * 2004-07-22 2011-07-19 Computer Associates Think, Inc. System and method for normalizing job properties
US8028285B2 (en) * 2004-07-22 2011-09-27 Computer Associates Think, Inc. Heterogeneous job dashboard
US8427667B2 (en) * 2004-07-22 2013-04-23 Ca, Inc. System and method for filtering jobs
US9600216B2 (en) * 2004-07-22 2017-03-21 Ca, Inc. System and method for managing jobs in heterogeneous environments
US7886296B2 (en) * 2004-07-22 2011-02-08 Computer Associates Think, Inc. System and method for providing alerts for heterogeneous jobs
US8126943B2 (en) * 2004-08-09 2012-02-28 International Business Machines Corporation Autonomic virtual log configuration
US20060159077A1 (en) * 2004-08-20 2006-07-20 Vanecek George Jr Service-oriented middleware for managing interoperability of heterogeneous elements of integrated systems
US8464250B1 (en) * 2004-09-23 2013-06-11 Transcontinental Events, Llc System and method for on-demand cloning of virtual machines
US7752602B1 (en) * 2004-09-28 2010-07-06 Hewlett-Packard Development Company, L.P. Reversible atomic steps to undo application startup
US8055711B2 (en) 2004-10-29 2011-11-08 Emc Corporation Non-blocking commit protocol systems and methods
US8238350B2 (en) 2004-10-29 2012-08-07 Emc Corporation Message batching with checkpoints systems and methods
US8051425B2 (en) * 2004-10-29 2011-11-01 Emc Corporation Distributed system with asynchronous execution systems and methods
US8064438B1 (en) * 2004-11-22 2011-11-22 At&T Intellectual Property Ii, L.P. Method and apparatus for determining the configuration of voice over internet protocol equipment in remote locations
US7694298B2 (en) * 2004-12-10 2010-04-06 Intel Corporation Method and apparatus for providing virtual server blades
US9639554B2 (en) 2004-12-17 2017-05-02 Microsoft Technology Licensing, Llc Extensible file system
US8606830B2 (en) 2004-12-17 2013-12-10 Microsoft Corporation Contiguous file allocation in an extensible file system
US7873596B2 (en) 2006-05-23 2011-01-18 Microsoft Corporation Extending cluster allocations in an extensible file system
US8321439B2 (en) 2004-12-17 2012-11-27 Microsoft Corporation Quick filename lookup using name hash
US7934215B2 (en) * 2005-01-12 2011-04-26 Microsoft Corporation Smart scheduler
US7730183B2 (en) * 2005-01-13 2010-06-01 Microsoft Corporation System and method for generating virtual networks
US20060190532A1 (en) * 2005-02-23 2006-08-24 Kalyana Chadalavada Apparatus and methods for multiple user remote connections to an information handling system via a remote access controller
US20060242277A1 (en) 2005-03-31 2006-10-26 Tripwire, Inc. Automated change approval
US7447889B2 (en) * 2005-04-20 2008-11-04 Hewlett-Packard Development Company, L.P. Method and apparatus for configuring a computer system utilizing a read only memory storing an option file containing selectable configuration options and a script file
US20060265583A1 (en) * 2005-05-20 2006-11-23 Tamar Eilam Method, system, and product for identifying provisioning operations via planning methods
US8046777B2 (en) * 2005-06-02 2011-10-25 The Mathworks, Inc. Calling of late bound functions from an external program environment
US8176158B2 (en) 2005-08-09 2012-05-08 Tripwire, Inc. Information technology governance and controls methods and apparatuses
US8171238B1 (en) 2007-07-05 2012-05-01 Silver Peak Systems, Inc. Identification of data stored in memory
US7571344B2 (en) * 2005-08-12 2009-08-04 Silver Peak Systems, Inc. Ensuring data integrity in network memory
US8392684B2 (en) 2005-08-12 2013-03-05 Silver Peak Systems, Inc. Data encryption in a network memory architecture for providing data based on local accessibility
US8095774B1 (en) 2007-07-05 2012-01-10 Silver Peak Systems, Inc. Pre-fetching data into a memory
US8370583B2 (en) 2005-08-12 2013-02-05 Silver Peak Systems, Inc. Network memory architecture for providing data based on local accessibility
US10318894B2 (en) * 2005-08-16 2019-06-11 Tripwire, Inc. Conformance authority reconciliation
US8489562B1 (en) 2007-11-30 2013-07-16 Silver Peak Systems, Inc. Deferred data storage
US8929402B1 (en) 2005-09-29 2015-01-06 Silver Peak Systems, Inc. Systems and methods for compressing packet data by predicting subsequent data
US8811431B2 (en) 2008-11-20 2014-08-19 Silver Peak Systems, Inc. Systems and methods for compressing packet data
US8104033B2 (en) 2005-09-30 2012-01-24 Computer Associates Think, Inc. Managing virtual machines based on business priority
US8225313B2 (en) * 2005-10-19 2012-07-17 Ca, Inc. Object-based virtual infrastructure management
US7917474B2 (en) 2005-10-21 2011-03-29 Isilon Systems, Inc. Systems and methods for accessing and updating distributed data
US7788303B2 (en) 2005-10-21 2010-08-31 Isilon Systems, Inc. Systems and methods for distributed system scanning
US7551572B2 (en) 2005-10-21 2009-06-23 Isilon Systems, Inc. Systems and methods for providing variable protection
US7797283B2 (en) 2005-10-21 2010-09-14 Isilon Systems, Inc. Systems and methods for maintaining distributed data
US20070124255A1 (en) * 2005-11-28 2007-05-31 Tripwire, Inc. Pluggable heterogeneous reconciliation
US9189291B2 (en) * 2005-12-12 2015-11-17 International Business Machines Corporation Sharing a kernel of an operating system among logical partitions
US20070192344A1 (en) * 2005-12-29 2007-08-16 Microsoft Corporation Threats and countermeasures schema
US20070156420A1 (en) * 2005-12-29 2007-07-05 Microsoft Corporation Performance modeling and the application life cycle
US20070157311A1 (en) * 2005-12-29 2007-07-05 Microsoft Corporation Security modeling and the application life cycle
US7890315B2 (en) 2005-12-29 2011-02-15 Microsoft Corporation Performance engineering and the application life cycle
US20070156901A1 (en) * 2005-12-30 2007-07-05 Wolfgang Becker Generation and use of table links in a provider-tenant environment
US20070156902A1 (en) * 2005-12-30 2007-07-05 Becker Wolfgang A Systems and methods for implementing a tenant space in a provider-tenant environment
US8726271B1 (en) * 2005-12-30 2014-05-13 United Services Automobile Association (Usaa) Method and system for installing software
US20070156849A1 (en) * 2005-12-30 2007-07-05 Wolfgang Becker Systems and methods for delivering software upgrades in a provider-tenant environment
US20070162969A1 (en) * 2005-12-30 2007-07-12 Becker Wolfgang A Provider-tenant systems, and methods for using the same
US7885841B2 (en) 2006-01-05 2011-02-08 Oracle International Corporation Audit planning
US7818788B2 (en) * 2006-02-14 2010-10-19 Microsoft Corporation Web application security frame
US7848261B2 (en) 2006-02-17 2010-12-07 Isilon Systems, Inc. Systems and methods for providing a quiescing protocol
US7596615B2 (en) * 2006-02-22 2009-09-29 Microsoft Corporation Multi-server automated redundant service configuration
US20070234345A1 (en) * 2006-02-22 2007-10-04 Microsoft Corporation Integrated multi-server installation
US7853945B2 (en) * 2006-02-22 2010-12-14 Michael Kramer Integrated computer server imaging
US7712137B2 (en) * 2006-02-27 2010-05-04 Microsoft Corporation Configuring and organizing server security information
US7840398B2 (en) * 2006-03-28 2010-11-23 Intel Corporation Techniques for unified management communication for virtualization systems
US7756898B2 (en) 2006-03-31 2010-07-13 Isilon Systems, Inc. Systems and methods for notifying listeners of events
US20070282964A1 (en) * 2006-06-06 2007-12-06 International Business Machines Corporation Method and apparatus for processing remote shell commands
US8079019B2 (en) * 2007-11-21 2011-12-13 Replay Solutions, Inc. Advancing and rewinding a replayed program execution
US9201703B2 (en) * 2006-06-07 2015-12-01 International Business Machines Corporation Sharing kernel services among kernels
US8755381B2 (en) 2006-08-02 2014-06-17 Silver Peak Systems, Inc. Data matching using flow based packet data storage
US8885632B2 (en) 2006-08-02 2014-11-11 Silver Peak Systems, Inc. Communications scheduler
US10453029B2 (en) 2006-08-03 2019-10-22 Oracle International Corporation Business process for ultra transactions
US7899800B2 (en) 2006-08-18 2011-03-01 Isilon Systems, Inc. Systems and methods for providing nonlinear journaling
US7822932B2 (en) 2006-08-18 2010-10-26 Isilon Systems, Inc. Systems and methods for providing nonlinear journaling
US7590652B2 (en) 2006-08-18 2009-09-15 Isilon Systems, Inc. Systems and methods of reverse lookup
US7882071B2 (en) 2006-08-18 2011-02-01 Isilon Systems, Inc. Systems and methods for a snapshot of data
US7953704B2 (en) 2006-08-18 2011-05-31 Emc Corporation Systems and methods for a snapshot of data
US7680842B2 (en) 2006-08-18 2010-03-16 Isilon Systems, Inc. Systems and methods for a snapshot of data
US7680836B2 (en) 2006-08-18 2010-03-16 Isilon Systems, Inc. Systems and methods for a snapshot of data
US20080059123A1 (en) * 2006-08-29 2008-03-06 Microsoft Corporation Management of host compliance evaluation
JP4359609B2 (en) * 2006-11-15 2009-11-04 株式会社日立製作所 Computer system, system software update method, and first server device
US8286029B2 (en) 2006-12-21 2012-10-09 Emc Corporation Systems and methods for managing unavailable storage devices
US7593938B2 (en) 2006-12-22 2009-09-22 Isilon Systems, Inc. Systems and methods of directory entry encodings
US20080162536A1 (en) * 2006-12-29 2008-07-03 Becker Wolfgang A Systems and methods for extending shared data structures with tenant content in a provider-tenant environment
US20080162490A1 (en) * 2006-12-29 2008-07-03 Becker Wolfgang A Methods and systems for automatic registration during deployment of a tenant
US8069184B2 (en) 2006-12-29 2011-11-29 Sap Ag Systems and methods to implement extensibility of tenant content in a provider-tenant environment
US20080162483A1 (en) * 2006-12-29 2008-07-03 Becker Wolfgang A Methods and systems for protecting shared tables against unauthorized overwriting from a tenant space in a mega-tenancy environment
US20080163204A1 (en) * 2006-12-29 2008-07-03 Dennis Morgan Method and apparatus for inventory and/or policy-based management of virtual machines on a computing device
US7933869B2 (en) 2006-12-29 2011-04-26 Sap Ag Method and system for cloning a tenant database in a multi-tenant system
US7509448B2 (en) 2007-01-05 2009-03-24 Isilon Systems, Inc. Systems and methods for managing semantic locks
US20080168311A1 (en) * 2007-01-08 2008-07-10 Microsoft Corporation Configuration debugging comparison
US7747664B2 (en) 2007-01-16 2010-06-29 Microsoft Corporation Storage system format for transaction safe file system
US7613738B2 (en) 2007-01-16 2009-11-03 Microsoft Corporation FAT directory structure for use in transaction safe file system
US20080201705A1 (en) 2007-02-15 2008-08-21 Sun Microsystems, Inc. Apparatus and method for generating a software dependency map
US8966080B2 (en) 2007-04-13 2015-02-24 Emc Corporation Systems and methods of managing resource utilization on a threaded computer system
US7900015B2 (en) 2007-04-13 2011-03-01 Isilon Systems, Inc. Systems and methods of quota accounting
US7779048B2 (en) 2007-04-13 2010-08-17 Isilon Systems, Inc. Systems and methods of providing possible value ranges
US20090019522A1 (en) * 2007-04-27 2009-01-15 Bea Systems, Inc. Web based application constructor using data spaces
US8832495B2 (en) 2007-05-11 2014-09-09 Kip Cr P1 Lp Method and system for non-intrusive monitoring of library components
US20090006619A1 (en) * 2007-06-29 2009-01-01 Microsoft Corporation Directory Snapshot Browser
JP5142186B2 (en) * 2007-07-03 2013-02-13 Kddi株式会社 Network setting restoration method and system
US7949692B2 (en) 2007-08-21 2011-05-24 Emc Corporation Systems and methods for portals into snapshot data
US7882068B2 (en) 2007-08-21 2011-02-01 Isilon Systems, Inc. Systems and methods for adaptive copy on write
US7966289B2 (en) 2007-08-21 2011-06-21 Emc Corporation Systems and methods for reading objects in a file system
US7948921B1 (en) 2007-09-20 2011-05-24 Silver Peak Systems, Inc. Automatic network optimization
US20090083738A1 (en) * 2007-09-25 2009-03-26 Microsoft Corporation Automated data object set administration
US20090100158A1 (en) * 2007-10-12 2009-04-16 Microsoft Corporation Backup and Recovery System for Multiple Device Environment
US8307115B1 (en) 2007-11-30 2012-11-06 Silver Peak Systems, Inc. Network memory mirroring
US8352906B2 (en) * 2007-12-28 2013-01-08 Cadence Design Systems, Inc. Method, system, and computer program product for implementing external domain independent modeling framework in a system design
US8650241B2 (en) * 2008-02-01 2014-02-11 Kip Cr P1 Lp System and method for identifying failing drives or media in media library
US8645328B2 (en) * 2008-02-04 2014-02-04 Kip Cr P1 Lp System and method for archive verification
US7974215B1 (en) * 2008-02-04 2011-07-05 Crossroads Systems, Inc. System and method of network diagnosis
US9015005B1 (en) 2008-02-04 2015-04-21 Kip Cr P1 Lp Determining, displaying, and using tape drive session information
US8442052B1 (en) 2008-02-20 2013-05-14 Silver Peak Systems, Inc. Forward packet recovery
US7949636B2 (en) 2008-03-27 2011-05-24 Emc Corporation Systems and methods for a read only mode for a portion of a storage system
US7870345B2 (en) 2008-03-27 2011-01-11 Isilon Systems, Inc. Systems and methods for managing stalled storage devices
US7953709B2 (en) 2008-03-27 2011-05-31 Emc Corporation Systems and methods for a read only mode for a portion of a storage system
US7984324B2 (en) 2008-03-27 2011-07-19 Emc Corporation Systems and methods for managing stalled storage devices
JP4924514B2 (en) * 2008-03-31 2012-04-25 富士通株式会社 Virtual machine management program, management server device, and virtual machine management method
JP5365051B2 (en) * 2008-03-31 2013-12-11 富士通株式会社 Management program, management apparatus and management method
US8135838B2 (en) 2008-04-08 2012-03-13 Geminare Incorporated System and method for providing data and application continuity in a computer system
US9720674B1 (en) 2008-05-05 2017-08-01 Open Invention Network, Llc Automating application of software patches to a server having a virtualization layer
US9501302B1 (en) * 2008-06-06 2016-11-22 Amdocs Software Systems Limited System, method, and computer program for combining results of event processing received from a plurality of virtual servers
US20090319653A1 (en) * 2008-06-20 2009-12-24 International Business Machines Corporation Server configuration management method
US20090328210A1 (en) * 2008-06-30 2009-12-31 Microsoft Corporation Chain of events tracking with data tainting for automated security feedback
US8914341B2 (en) 2008-07-03 2014-12-16 Tripwire, Inc. Method and apparatus for continuous compliance assessment
US10164861B2 (en) 2015-12-28 2018-12-25 Silver Peak Systems, Inc. Dynamic monitoring and visualization for network health characteristics
US9717021B2 (en) 2008-07-03 2017-07-25 Silver Peak Systems, Inc. Virtual network overlay
US10805840B2 (en) 2008-07-03 2020-10-13 Silver Peak Systems, Inc. Data transmission via a virtual wide area network overlay
US8743683B1 (en) 2008-07-03 2014-06-03 Silver Peak Systems, Inc. Quality of service using multiple flows
US9817680B1 (en) 2008-08-04 2017-11-14 Open Invention Network, Llc Application configuration tool
US8261342B2 (en) * 2008-08-20 2012-09-04 Reliant Security Payment card industry (PCI) compliant architecture and associated methodology of managing a service infrastructure
US8151273B2 (en) * 2008-08-28 2012-04-03 Microsoft Corporation Environment wide configuration system
US8731519B2 (en) * 2008-09-08 2014-05-20 At&T Mobility Ii Llc Mobile handset extension to a device
CN101686458B (en) 2008-09-28 2013-06-12 华为技术有限公司 Terminal configuration, management method and terminal device
US7882232B2 (en) * 2008-09-29 2011-02-01 International Business Machines Corporation Rapid resource provisioning with automated throttling
US8255875B2 (en) * 2008-09-30 2012-08-28 Rockwell Automation Technologies, Inc. Application builder for industrial automation
US8213924B2 (en) * 2008-10-06 2012-07-03 Facebook, Inc. Providing distributed online services for mobile devices
US8572608B2 (en) * 2008-10-22 2013-10-29 Vmware, Inc. Methods and systems for converting a related group of physical machines to virtual machines
US8099480B1 (en) * 2008-11-25 2012-01-17 Google Inc. Scalable workflow design for automated service management
US9268608B2 (en) * 2009-02-26 2016-02-23 Oracle International Corporation Automatic administration of UNIX commands
US20100217944A1 (en) * 2009-02-26 2010-08-26 Dehaan Michael Paul Systems and methods for managing configurations of storage devices in a software provisioning environment
US7925924B2 (en) 2009-03-23 2011-04-12 International Business Machines Corporation Method for command line interface restore points with support for an atomic sets of commands
US8955108B2 (en) * 2009-06-17 2015-02-10 Microsoft Corporation Security virtual machine for advanced auditing
CN101788991B (en) * 2009-06-23 2013-03-06 北京搜狗科技发展有限公司 Updating reminding method and system
US9866633B1 (en) 2009-09-25 2018-01-09 Kip Cr P1 Lp System and method for eliminating performance impact of information collection from media drives
DE102009043287A1 (en) * 2009-09-29 2011-03-31 Abb Technology Ag Method and device for installing and configuring a computer system
JP5635760B2 (en) * 2009-10-16 2014-12-03 キヤノン株式会社 Information processing system, information processing method, and computer program
US8843787B1 (en) 2009-12-16 2014-09-23 Kip Cr P1 Lp System and method for archive verification according to policies
US8245083B2 (en) 2009-12-24 2012-08-14 At&T Intellectual Property I, L.P. Systems, methods, and apparatus to debug a network application
PL3232610T3 (en) * 2010-03-22 2020-09-21 Koninklijke Kpn N.V. System and method for handling a configuration request
US8543861B1 (en) * 2010-04-02 2013-09-24 Symantec Corporation Systems and methods for diagnosing a network configuration of a computing device
US8700723B2 (en) * 2010-06-15 2014-04-15 Netzyn, Inc. Hierarchical display-server system and method
CN102959506B (en) * 2010-06-22 2017-04-26 慧与发展有限责任合伙企业 Methods and systems for planning application deployment
US10003514B2 (en) 2010-06-22 2018-06-19 Hewlett Packard Enterprise Development LP Method and system for determining a deployment of applications
US9092576B2 (en) * 2010-06-25 2015-07-28 International Business Machines Corporation Non-intrusive measurement of content quality using dry runs with roll-back
US9292343B2 (en) * 2010-06-30 2016-03-22 Oracle International Corporation Method and system for performing deployment management
US9348609B2 (en) * 2010-08-02 2016-05-24 Sap Se Framework for ad-hoc process flexibility
US8356088B2 (en) * 2010-10-29 2013-01-15 Bank Of America Corporation Configuration management utility
US20130297755A1 (en) * 2010-11-23 2013-11-07 Nokia Siemens Networks Oy Network element configuration management
US9059898B2 (en) * 2010-12-07 2015-06-16 General Electric Company System and method for tracking configuration changes in enterprise product
US8607225B2 (en) 2010-12-28 2013-12-10 Oracle International Corporation Managed upgrades of components in an integrated software and hardware system
US8543671B1 (en) * 2010-12-30 2013-09-24 United States Automobile Association (USAA) Grouped computing device configuration management
US8682464B2 (en) * 2011-03-30 2014-03-25 Realtime Technology Ag System and method for generating a three-dimensional image
US10423509B2 (en) * 2011-08-05 2019-09-24 Entit Software Llc System and method for managing environment configuration using snapshots
US8510807B1 (en) * 2011-08-16 2013-08-13 Edgecast Networks, Inc. Real-time granular statistical reporting for distributed platforms
US9275369B2 (en) 2011-08-24 2016-03-01 Oracle International Corporation Demystifying obfuscated information transfer for performing automated system administration
US9021017B2 (en) * 2011-09-03 2015-04-28 Barracuda Networks, Inc. Configuring a plurality of diverse devices/services from an adaptive configuration control hyper-server apparatus
US9130991B2 (en) 2011-10-14 2015-09-08 Silver Peak Systems, Inc. Processing data packets in performance enhancing proxy (PEP) environment
US9229758B2 (en) 2011-10-28 2016-01-05 International Business Machines Corporation Passive monitoring of virtual systems using extensible indexing
US20130111018A1 (en) * 2011-10-28 2013-05-02 International Business Machines Corporation Passive monitoring of virtual systems using agent-less, offline indexing
CN102393857B (en) * 2011-11-01 2014-04-09 中兴通讯股份有限公司 Method and system for local call based on web page
KR20130048807A (en) * 2011-11-03 2013-05-13 한국전자통신연구원 System for clouding computing and method for managing cloud servers thereof
US9626224B2 (en) 2011-11-03 2017-04-18 Silver Peak Systems, Inc. Optimizing available computing resources within a virtual environment
US9430209B2 (en) * 2011-12-16 2016-08-30 Sap Se Processing framework for generating pre-configuration packages
US10637918B2 (en) * 2012-02-27 2020-04-28 Red Hat, Inc. Load balancing content delivery servers
US9306843B2 (en) 2012-04-18 2016-04-05 Nicira, Inc. Using transactions to compute and propagate network forwarding state
US10235205B2 (en) 2012-05-24 2019-03-19 Citrix Systems, Inc. Remote management of distributed datacenters
US20140007197A1 (en) * 2012-06-29 2014-01-02 Michael John Wray Delegation within a computing environment
GB2504719A (en) 2012-08-07 2014-02-12 Ibm Grid based data mobility
US20140068040A1 (en) * 2012-09-04 2014-03-06 Bank Of America Corporation System for Enabling Server Maintenance Using Snapshots
US10346369B2 (en) 2012-10-11 2019-07-09 Delphix Corp. Retrieving point-in-time copies of a source database for creating virtual databases
US9489110B2 (en) * 2012-10-29 2016-11-08 Bank Of America Corporation Automatic deployment, configuration, and lifecycle management of applications and infrastructure components
US8938424B2 (en) * 2012-10-31 2015-01-20 Ca, Inc. System and method of assessing the state of a database product for installation consistency
US8977598B2 (en) * 2012-12-21 2015-03-10 Zetta Inc. Systems and methods for on-line backup and disaster recovery with local copy
US8977594B2 (en) * 2012-12-21 2015-03-10 Zetta Inc. Systems and methods for state consistent replication
US8904388B2 (en) * 2013-01-10 2014-12-02 Vce Company, Llc Scripting language executor service for applications
US9665366B2 (en) * 2014-09-26 2017-05-30 Oracle International Corporation Creation of a software configuration signature for software
US9304885B2 (en) 2013-06-18 2016-04-05 International Business Machines Corporation Passive monitoring of virtual systems using agent-less, near-real-time indexing
US9218139B2 (en) 2013-08-16 2015-12-22 International Business Machines Corporation Minimally disruptive virtual machine snapshots
WO2015047271A1 (en) * 2013-09-26 2015-04-02 Hewlett-Packard Development Company, L.P. Undoing changes made by threads
CN103593239B (en) * 2013-10-28 2017-06-06 大唐移动通信设备有限公司 The method and device of application process command process in LINUX system
KR101732889B1 (en) * 2013-11-04 2017-05-08 한국전자통신연구원 Apparatus and method for guaranteeing safe execution of a shell command in an embedded system
US9535853B2 (en) 2013-12-30 2017-01-03 International Business Machines Corporation Building an undo log for in-memory blocks of data
US9621653B2 (en) * 2014-02-14 2017-04-11 Western Digital Technologies, Inc. Method and apparatus for a network connected storage system
US10289547B2 (en) * 2014-02-14 2019-05-14 Western Digital Technologies, Inc. Method and apparatus for a network connected storage system
US9985970B2 (en) 2014-05-28 2018-05-29 Conjur, Inc. Individualized audit log access control for virtual machines
US10397213B2 (en) 2014-05-28 2019-08-27 Conjur, Inc. Systems, methods, and software to provide access control in cloud computing environments
US9680821B2 (en) * 2014-05-28 2017-06-13 Conjur, Inc. Resource access control for virtual machines
US11838851B1 (en) 2014-07-15 2023-12-05 F5, Inc. Methods for managing L7 traffic classification and devices thereof
US9948496B1 (en) 2014-07-30 2018-04-17 Silver Peak Systems, Inc. Determining a transit appliance for data traffic to a software service
US9875344B1 (en) 2014-09-05 2018-01-23 Silver Peak Systems, Inc. Dynamic monitoring and authorization of an optimization device
US9531542B2 (en) 2014-09-19 2016-12-27 Bank Of America Corporation Secure remote password
CN104331309B (en) * 2014-10-31 2018-04-17 北京思特奇信息技术股份有限公司 It is a kind of to configure the management method and system for realizing data add-in shell
US10686659B1 (en) * 2014-11-07 2020-06-16 EMC IP Holding Company LLC Converged infrastructure logical build optimization
US10834065B1 (en) 2015-03-31 2020-11-10 F5 Networks, Inc. Methods for SSL protected NTLM re-authentication and devices thereof
US9967134B2 (en) 2015-04-06 2018-05-08 Nicira, Inc. Reduction of network churn based on differences in input state
US10063629B2 (en) 2015-06-23 2018-08-28 Dell Products, L.P. Floating set points to optimize power allocation and use in data center
US10754494B2 (en) * 2015-06-23 2020-08-25 Dell Products, L.P. Method and control system providing one-click commissioning and push updates to distributed, large-scale information handling system (LIHS)
US10009232B2 (en) 2015-06-23 2018-06-26 Dell Products, L.P. Method and control system providing an interactive interface for device-level monitoring and servicing of distributed, large-scale information handling system (LIHS)
US10447757B2 (en) * 2015-08-20 2019-10-15 International Business Machines Corporation Self-service server change management
US10296502B1 (en) * 2015-08-24 2019-05-21 State Farm Mutual Automobile Insurance Company Self-management of data applications
US10204122B2 (en) 2015-09-30 2019-02-12 Nicira, Inc. Implementing an interface between tuple and message-driven control entities
CN107534569A (en) * 2015-11-18 2018-01-02 慧与发展有限责任合伙企业 Emerging system accordance inspection
US9882901B2 (en) * 2015-12-14 2018-01-30 International Business Machines Corporation End-to-end protection for shrouded virtual servers
US10560549B1 (en) * 2016-01-12 2020-02-11 Uber Technologies, Inc. Configuration updates of distributed applications
US10404698B1 (en) 2016-01-15 2019-09-03 F5 Networks, Inc. Methods for adaptive organization of web application access points in webtops and devices thereof
US10298589B2 (en) 2016-01-27 2019-05-21 International Business Machines Corporation User abstracted RBAC in a multi tenant environment
WO2017159894A1 (en) * 2016-03-16 2017-09-21 (주)엔키아 Virtualization integrated-management apparatus
JP6707949B2 (en) * 2016-03-29 2020-06-10 ブラザー工業株式会社 Computer program for terminal device
US11019167B2 (en) 2016-04-29 2021-05-25 Nicira, Inc. Management of update queues for network controller
US10432484B2 (en) 2016-06-13 2019-10-01 Silver Peak Systems, Inc. Aggregating select network traffic statistics
US9967056B1 (en) 2016-08-19 2018-05-08 Silver Peak Systems, Inc. Forward packet recovery with constrained overhead
CN106815010B (en) * 2016-12-09 2021-01-01 武汉斗鱼网络科技有限公司 Method and device for operating database
US10257082B2 (en) 2017-02-06 2019-04-09 Silver Peak Systems, Inc. Multi-level learning for classifying traffic flows
US11044202B2 (en) 2017-02-06 2021-06-22 Silver Peak Systems, Inc. Multi-level learning for predicting and classifying traffic flows from first packet data
US10771394B2 (en) 2017-02-06 2020-09-08 Silver Peak Systems, Inc. Multi-level learning for classifying traffic flows on a first packet from DNS data
US10892978B2 (en) 2017-02-06 2021-01-12 Silver Peak Systems, Inc. Multi-level learning for classifying traffic flows from first packet data
US10417073B2 (en) 2017-04-12 2019-09-17 Bank Of America Corporation Application server deployment system for domain generation and testing with an administrative server virtual machine and managed server virtual machines
US10296328B2 (en) * 2017-05-05 2019-05-21 Dell Products L.P. Infrastructure configuration and inventory manager
US10437625B2 (en) * 2017-06-16 2019-10-08 Microsoft Technology Licensing, Llc Evaluating configuration requests in a virtual machine
US10666507B2 (en) * 2017-06-30 2020-05-26 Microsoft Technology Licensing, Llc Automatic reconfiguration of dependency graph for coordination of device configuration
CN107343045B (en) * 2017-07-04 2021-03-19 北京百度网讯科技有限公司 Cloud computing system and cloud computing method and device for controlling server
US20190012161A1 (en) * 2017-07-07 2019-01-10 Bank Of America Corporation Distributed and self-deleting apparatus for fast software deployment and upgrade in a network
US11212210B2 (en) 2017-09-21 2021-12-28 Silver Peak Systems, Inc. Selective route exporting using source type
US10601907B2 (en) * 2017-09-22 2020-03-24 Artiste QB Net Inc. System and method for platform to securely distribute compute workload to web capable devices
TW201926108A (en) * 2017-12-04 2019-07-01 和碩聯合科技股份有限公司 Network security system and method thereof
US10725793B2 (en) 2018-01-19 2020-07-28 Red Hat Israel, Ltd. Configuration management task derivation
US10637721B2 (en) 2018-03-12 2020-04-28 Silver Peak Systems, Inc. Detecting path break conditions while minimizing network overhead
US11115272B1 (en) * 2018-04-12 2021-09-07 Amazon Technologies, Inc. Detecting configuration drift for computing resource stacks
US20190324743A1 (en) * 2018-04-24 2019-10-24 Cloud66 Inc. Configuration file management
CN108881435B (en) * 2018-06-15 2021-12-03 广东美的制冷设备有限公司 Real-time clock providing method, server, home appliance, system, and medium
US10868709B2 (en) 2018-09-10 2020-12-15 Oracle International Corporation Determining the health of other nodes in a same cluster based on physical link information
WO2020059957A1 (en) * 2018-09-17 2020-03-26 주식회사 드림에이스 Device for controlling software for vehicle
US10977095B2 (en) * 2018-11-30 2021-04-13 Microsoft Technology Licensing, Llc Side-by-side execution of same-type subsystems having a shared base operating system
US10896093B2 (en) 2019-01-15 2021-01-19 International Business Machines Corporation System reboot maintenance
CN110377498B (en) * 2019-05-27 2023-11-03 平安银行股份有限公司 Automatic credit card account testing method and device, electronic equipment and storage medium
US11442745B1 (en) * 2019-12-19 2022-09-13 Wells Fargo Bank, N.A. Interconnection discovery for automated standards assay
US11237847B1 (en) 2019-12-19 2022-02-01 Wells Fargo Bank, N.A. Automated standards-based computing system reconfiguration
US11502905B1 (en) 2019-12-19 2022-11-15 Wells Fargo Bank, N.A. Computing infrastructure standards assay
US11582105B2 (en) * 2020-06-30 2023-02-14 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Telemetry-based network switch configuration validation
US11552859B2 (en) * 2021-06-04 2023-01-10 OasisWorks Inc. Interactive graphical model-based configuration control of networked physical assets using logical transactional configuration change rules
US11558251B1 (en) * 2021-12-23 2023-01-17 Rakuten Mobile, Inc. Method, apparatus, and computer readable medium
WO2023211899A1 (en) * 2022-04-27 2023-11-02 Viam Inc. Device control system and method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999031584A1 (en) * 1997-12-17 1999-06-24 Fujitsu Siemens Computers Gmbh Method for converting a system call

Family Cites Families (242)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US539435A (en) * 1895-05-21 And the o
US5175800A (en) 1987-03-23 1992-12-29 Case Group Plc Expert and data base system and method for communications network
US5155847A (en) 1988-08-03 1992-10-13 Minicom Data Corporation Method and apparatus for updating software at remote locations
US5495610A (en) * 1989-11-30 1996-02-27 Seer Technologies, Inc. Software distribution system to build and distribute a software release
AU6969391A (en) 1989-11-30 1991-06-26 Seer Technologies, Inc. Software distribution system
EP0463251A1 (en) 1990-06-28 1992-01-02 International Business Machines Corporation Software installation
US5295244A (en) 1990-09-17 1994-03-15 Cabletron Systems, Inc. Network management system using interconnected hierarchies to represent different network dimensions in multiple display views
US5249274A (en) 1990-10-24 1993-09-28 Vanderbilt University Simultaneous data-driven and demand-driven computational model for dynamically configured systems
EP0501613A3 (en) 1991-02-28 1993-09-01 Hewlett-Packard Company Heterogeneous software configuration management apparatus
JP3055970B2 (en) * 1991-06-20 2000-06-26 富士通株式会社 Method and apparatus for implementing interface between object-oriented languages
US5471617A (en) * 1991-06-24 1995-11-28 Compaq Computer Corporation Computer management system and associated management information base
US5586322A (en) 1992-06-11 1996-12-17 Beck; Robert E. Workgroup organized network manager with workstation comparison system
EP0592079A2 (en) * 1992-09-20 1994-04-13 Sun Microsystems, Inc. Automated software installation and operating environment configuration on a computer system
US5359730A (en) * 1992-12-04 1994-10-25 International Business Machines Corporation Method of operating a data processing system having a dynamic software update facility
US5459837A (en) 1993-04-21 1995-10-17 Digital Equipment Corporation System to facilitate efficient utilization of network resources in a computer network
US5664106A (en) 1993-06-04 1997-09-02 Digital Equipment Corporation Phase-space surface representation of server computer performance in a computer network
EP0706686B1 (en) 1993-07-01 1998-10-14 Legent Corporation System and method for distributed storage management on networked computer systems
JPH0764893A (en) * 1993-08-31 1995-03-10 Canon Inc Network system
CA2172517C (en) * 1993-09-24 2000-02-15 Sandeep Jain Method and apparatus for data replication
US5860012A (en) * 1993-09-30 1999-01-12 Intel Corporation Installation of application software through a network from a source computer system on to a target computer system
US5596579A (en) * 1993-10-01 1997-01-21 International Business Machines Corporation High performance machine for switched communications in a heterogeneous data processing network gateway
US5421009A (en) * 1993-12-22 1995-05-30 Hewlett-Packard Company Method of remotely installing software directly from a central computer
US5717950A (en) 1994-01-11 1998-02-10 Hitachi, Ltd. Input/output device information management system for multi-computer system
US5835911A (en) 1994-02-08 1998-11-10 Fujitsu Limited Software distribution and maintenance system and method
US5845090A (en) 1994-02-14 1998-12-01 Platinium Technology, Inc. System for software distribution in a digital computer network
US6732358B1 (en) 1994-03-24 2004-05-04 Ncr Corporation Automatic updating of computer software
US6088797A (en) 1994-04-28 2000-07-11 Rosen; Sholom S. Tamper-proof electronic processing device
US5694546A (en) 1994-05-31 1997-12-02 Reisman; Richard R. System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list
US5586304A (en) 1994-09-08 1996-12-17 Compaq Computer Corporation Automatic computer upgrading
FR2728088A1 (en) 1994-12-13 1996-06-14 Inst Nat Rech Inf Automat METHOD FOR EXCHANGING INFORMATION IN CUSTOMER / SERVER MODE, BETWEEN STATIONS CONNECTED BY A COMMUNICATION NETWORK
GB9508283D0 (en) 1995-02-07 1995-06-14 British Telecomm Information services provision and management
US5872928A (en) 1995-02-24 1999-02-16 Cabletron Systems, Inc. Method and apparatus for defining and enforcing policies for configuration management in communications networks
US5832503A (en) 1995-02-24 1998-11-03 Cabletron Systems, Inc. Method and apparatus for configuration management in communications networks
US5655081A (en) 1995-03-08 1997-08-05 Bmc Software, Inc. System for monitoring and managing computer resources and applications across a distributed computing environment using an intelligent autonomous agent architecture
US5742829A (en) * 1995-03-10 1998-04-21 Microsoft Corporation Automatic software installation on heterogeneous networked client computer systems
US5650994A (en) 1995-05-16 1997-07-22 Bell Atlantic Network Services, Inc. Operation support system for service creation and network provisioning for video dial tone networks
US5696895A (en) 1995-05-19 1997-12-09 Compaq Computer Corporation Fault tolerant multiple network servers
US6421719B1 (en) 1995-05-25 2002-07-16 Aprisma Management Technologies, Inc. Method and apparatus for reactive and deliberative configuration management
US5764992A (en) * 1995-06-06 1998-06-09 Apple Computer, Inc. Method and apparatus for automatic software replacement
GB2302420A (en) * 1995-06-19 1997-01-15 Ibm Semantic network
US5920567A (en) 1995-06-29 1999-07-06 The Furukawa Electric Co., Ltd. Network related information transfer method for a connection device, and a data communication system
US5678002A (en) 1995-07-18 1997-10-14 Microsoft Corporation System and method for providing automated customer support
US6243396B1 (en) 1995-08-15 2001-06-05 Broadcom Eireann Research Limited Communications network management system
US5913040A (en) * 1995-08-22 1999-06-15 Backweb Ltd. Method and apparatus for transmitting and displaying information between a remote network and a local computer
SE507482C2 (en) 1995-10-09 1998-06-15 Ericsson Telefon Ab L M Redundancy communication management system and procedure
US5845077A (en) 1995-11-27 1998-12-01 Microsoft Corporation Method and system for identifying and obtaining computer software from a remote computer
US5748896A (en) 1995-12-27 1998-05-05 Apple Computer, Inc. Remote network administration methods and apparatus
KR100286008B1 (en) 1995-12-30 2001-04-16 윤종용 Method for automatically updating software program
US5732275A (en) * 1996-01-11 1998-03-24 Apple Computer, Inc. Method and apparatus for managing and automatically updating software programs
EP0880842B1 (en) 1996-02-15 2004-11-17 Telefonaktiebolaget LM Ericsson (publ) A management interworking unit and a method for producing such a unit
US5838907A (en) 1996-02-20 1998-11-17 Compaq Computer Corporation Configuration manager for network devices and an associated method for providing configuration information thereto
US5961588A (en) * 1996-02-22 1999-10-05 Alcatel Usa Sourcing, L.P. Handling of commands passed between the server and client stations of a telecommunications system
EP0882341A1 (en) 1996-02-22 1998-12-09 DSC Telecom L.P. A control system for a telecommunications system
US5821937A (en) 1996-02-23 1998-10-13 Netsuite Development, L.P. Computer method for updating a network design
US6047321A (en) * 1996-02-23 2000-04-04 Nortel Networks Corporation Method and apparatus for monitoring a dedicated communications medium in a switched data network
US5706502A (en) * 1996-03-25 1998-01-06 Sun Microsystems, Inc. Internet-enabled portfolio manager system and method
US6049671A (en) 1996-04-18 2000-04-11 Microsoft Corporation Method for identifying and obtaining computer software from a network computer
US5752042A (en) 1996-06-07 1998-05-12 International Business Machines Corporation Server computer for selecting program updates for a client computer based on results of recognizer program(s) furnished to the client computer
US6151643A (en) * 1996-06-07 2000-11-21 Networks Associates, Inc. Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer
US6298120B1 (en) 1996-06-28 2001-10-02 At&T Corp. Intelligent processing for establishing communication over the internet
FR2751448B1 (en) * 1996-07-17 1999-01-15 Bull Sa METHOD FOR REAL-TIME MONITORING OF A COMPUTER SYSTEM FOR ITS ADMINISTRATION AND ASSISTANCE IN MAINTAINING IT IN OPERATION
US5958012A (en) 1996-07-18 1999-09-28 Computer Associates International, Inc. Network management system using virtual reality techniques to display and simulate navigation to network components
US6182139B1 (en) * 1996-08-05 2001-01-30 Resonate Inc. Client-side resource-based load-balancing with delayed-resource-binding using TCP state migration to WWW server farm
US6067582A (en) 1996-08-13 2000-05-23 Angel Secure Networks, Inc. System for installing information related to a software application to a remote computer over a network
US5996010A (en) 1996-08-29 1999-11-30 Nortel Networks Corporation Method of performing a network management transaction using a web-capable agent
US5781703A (en) 1996-09-06 1998-07-14 Candle Distributed Solutions, Inc. Intelligent remote agent for computer performance monitoring
US6304549B1 (en) 1996-09-12 2001-10-16 Lucent Technologies Inc. Virtual path management in hierarchical ATM networks
US5974572A (en) * 1996-10-15 1999-10-26 Mercury Interactive Corporation Software system and methods for generating a load test using a server access log
US5944782A (en) 1996-10-16 1999-08-31 Veritas Software Corporation Event management system for distributed computing environment
US20020059402A1 (en) * 1996-11-15 2002-05-16 Charles E. Belanger Server-sided internet-based platform independent operating system and application suite
US6035264A (en) * 1996-11-26 2000-03-07 Global Maintech, Inc. Electronic control system and method for externally controlling process in a computer system with a script language
US6112237A (en) 1996-11-26 2000-08-29 Global Maintech, Inc. Electronic monitoring system and method for externally monitoring processes in a computer system
US6044393A (en) 1996-11-26 2000-03-28 Global Maintech, Inc. Electronic control system and method for externally and directly controlling processes in a computer system
US6012088A (en) 1996-12-10 2000-01-04 International Business Machines Corporation Automatic configuration for internet access device
US6347398B1 (en) 1996-12-12 2002-02-12 Microsoft Corporation Automatic software downloading from a computer network
US6802061B1 (en) 1996-12-12 2004-10-05 Microsoft Corporation Automatic software downloading from a computer network
US6009274A (en) 1996-12-13 1999-12-28 3Com Corporation Method and apparatus for automatically updating software components on end systems over a network
US5987497A (en) * 1996-12-30 1999-11-16 J.D. Edwards World Source Company System and method for managing the configuration of distributed objects
US5918228A (en) * 1997-01-28 1999-06-29 International Business Machines Corporation Method and apparatus for enabling a web server to impersonate a user of a distributed file system to obtain secure access to supported web documents
US6225995B1 (en) * 1997-10-31 2001-05-01 Oracle Corporaton Method and apparatus for incorporating state information into a URL
US5923842A (en) * 1997-03-06 1999-07-13 Citrix Systems, Inc. Method and apparatus for simultaneously providing anonymous user login for multiple users
US6052722A (en) * 1997-03-07 2000-04-18 Mci Communications Corporation System and method for managing network resources using distributed intelligence and state management
US6192354B1 (en) * 1997-03-21 2001-02-20 International Business Machines Corporation Apparatus and method for optimizing the performance of computer tasks using multiple intelligent agents having varied degrees of domain knowledge
US6157956A (en) 1997-03-28 2000-12-05 Global Maintech, Inc. Heterogeneous computing interface apparatus and method using a universal character set
US6108420A (en) 1997-04-10 2000-08-22 Channelware Inc. Method and system for networked installation of uniquely customized, authenticable, and traceable software application
WO1998047057A2 (en) 1997-04-14 1998-10-22 R2K, Llc Registry management system
GB9707550D0 (en) * 1997-04-15 1997-06-04 British Telecomm Design of computer networks
US6314565B1 (en) 1997-05-19 2001-11-06 Intervu, Inc. System and method for automated identification, retrieval, and installation of multimedia software components
JP3932461B2 (en) 1997-05-21 2007-06-20 ソニー株式会社 Client device, image display control method, shared virtual space providing device and method, and recording medium
US6123737A (en) 1997-05-21 2000-09-26 Symantec Corporation Push deployment of software packages using notification transports
US6578077B1 (en) 1997-05-27 2003-06-10 Novell, Inc. Traffic monitoring tool for bandwidth management
US6816903B1 (en) 1997-05-27 2004-11-09 Novell, Inc. Directory enabled policy management tool for intelligent traffic management
US6029196A (en) * 1997-06-18 2000-02-22 Netscape Communications Corporation Automatic client configuration system
US6389464B1 (en) 1997-06-27 2002-05-14 Cornet Technology, Inc. Device management system for managing standards-compliant and non-compliant network elements using standard management protocols and a universal site server which is configurable from remote locations via internet browser technology
US6086623A (en) 1997-06-30 2000-07-11 Sun Microsystems, Inc. Method and implementation for intercepting and processing system calls in programmed digital computer to emulate retrograde operating system
US6226679B1 (en) * 1997-06-30 2001-05-01 Sun Microsystems, Inc. Common management information protocol (CMIP) agent registration methods systems and computer program products
US6138251A (en) 1997-06-30 2000-10-24 Sun Microsystems, Inc. Method and system for reliable remote object reference management
US7240094B2 (en) * 1997-07-03 2007-07-03 Centra Software Inc. Method and system for synchronizing and serving multimedia in a distributed network
US6003075A (en) * 1997-07-07 1999-12-14 International Business Machines Corporation Enqueuing a configuration change in a network cluster and restore a prior configuration in a back up storage in reverse sequence ordered
US6012100A (en) 1997-07-14 2000-01-04 Freegate Corporation System and method of configuring a remotely managed secure network interface
US5974258A (en) 1997-07-18 1999-10-26 International Business Machines Corporation Method and apparatus for performing single-function software operations on a server processor for a target of one or more processors in a network of processors
US6266809B1 (en) 1997-08-15 2001-07-24 International Business Machines Corporation Methods, systems and computer program products for secure firmware updates
US6134593A (en) 1997-09-30 2000-10-17 Cccomplete, Inc. Automated method for electronic software distribution
JP3152180B2 (en) * 1997-10-03 2001-04-03 日本電気株式会社 Semiconductor device and manufacturing method thereof
US6425005B1 (en) 1997-10-06 2002-07-23 Mci Worldcom, Inc. Method and apparatus for managing local resources at service nodes in an intelligent network
US6185466B1 (en) * 1997-10-06 2001-02-06 Proteus Industries, Inc. Distributed digital control system including modules with multiple stored databases and selector
JP3571526B2 (en) 1997-10-23 2004-09-29 富士通株式会社 System design / evaluation CAD system and its program storage medium
US6834389B1 (en) 1997-12-01 2004-12-21 Recursion Software, Inc. Method of forwarding messages to mobile objects in a computer network
US6618366B1 (en) 1997-12-05 2003-09-09 The Distribution Systems Research Institute Integrated information communication system
US6128729A (en) 1997-12-16 2000-10-03 Hewlett-Packard Company Method and system for automatic configuration of network links to attached devices
US6167358A (en) 1997-12-19 2000-12-26 Nowonder, Inc. System and method for remotely monitoring a plurality of computer-based systems
US6266335B1 (en) 1997-12-19 2001-07-24 Cyberiq Systems Cross-platform server clustering using a network flow switch
US6011288A (en) 1997-12-22 2000-01-04 Taiwan Semiconductor Manufacturing Company, Ltd. Flash memory cell with vertical channels, and source/drain bus lines
US6023464A (en) * 1997-12-23 2000-02-08 Mediaone Group, Inc. Auto-provisioning of user equipment
US6192518B1 (en) * 1998-01-22 2001-02-20 Mis Only, Inc. Method for distributing software over network links via electronic mail
JP3488617B2 (en) 1998-02-10 2004-01-19 シャープ株式会社 Remote fault management system using the Internet
JPH11266244A (en) * 1998-03-16 1999-09-28 Fujitsu Ltd Network constitution data generator and generation method
US6393386B1 (en) 1998-03-26 2002-05-21 Visual Networks Technologies, Inc. Dynamic modeling of complex networks and prediction of impacts of faults therein
US6282175B1 (en) * 1998-04-23 2001-08-28 Hewlett-Packard Company Method for tracking configuration changes in networks of computer systems through historical monitoring of configuration status of devices on the network.
US6167567A (en) 1998-05-05 2000-12-26 3Com Corporation Technique for automatically updating software stored on a client computer in a networked client-server environment
US6389126B1 (en) * 1998-05-07 2002-05-14 Mci Communications Corporation Service provisioning system for interactive voice response services
US6052720A (en) * 1998-05-14 2000-04-18 Sun Microsystems, Inc. Generic schema for storing configuration information on a server computer
US6202206B1 (en) 1998-05-14 2001-03-13 International Business Machines Corporation Simultaneous installation and configuration of programs and components into a network of server and client computers
US6098097A (en) 1998-05-14 2000-08-01 International Business Machines Corporation Controlling the installation and configuration of programs and components in a network of server and client computers through entries into a primary server computer
US6460070B1 (en) 1998-06-03 2002-10-01 International Business Machines Corporation Mobile agents for fault diagnosis and correction in a distributed computer environment
US6259448B1 (en) 1998-06-03 2001-07-10 International Business Machines Corporation Resource model configuration and deployment in a distributed computer network
US6249883B1 (en) 1998-06-29 2001-06-19 Netpro Computing, Inc. System and method for monitoring domain controllers
US6195760B1 (en) * 1998-07-20 2001-02-27 Lucent Technologies Inc Method and apparatus for providing failure detection and recovery with predetermined degree of replication for distributed applications in a network
US6418555B2 (en) 1998-07-21 2002-07-09 Intel Corporation Automatic upgrade of software
US6226788B1 (en) 1998-07-22 2001-05-01 Cisco Technology, Inc. Extensible network management system
US6286038B1 (en) 1998-08-03 2001-09-04 Nortel Networks Limited Method and apparatus for remotely configuring a network device
US6493749B2 (en) * 1998-08-17 2002-12-10 International Business Machines Corporation System and method for an administration server
US20020062334A1 (en) 1998-08-19 2002-05-23 Qiming Chen Dynamic agents for dynamic service provision
US6356863B1 (en) * 1998-09-08 2002-03-12 Metaphorics Llc Virtual network file server
US6401119B1 (en) * 1998-09-18 2002-06-04 Ics Intellegent Communication Software Gmbh Method and system for monitoring and managing network condition
US6546553B1 (en) * 1998-10-02 2003-04-08 Microsoft Corporation Service installation on a base function and provision of a pass function with a service-free base function semantic
US6101539A (en) 1998-10-02 2000-08-08 Kennelly; Richard J. Dynamic presentation of management objectives based on administrator privileges
GB2342198B (en) 1998-10-02 2003-10-22 Ibm Composite locking of objects in a database
US6381628B1 (en) 1998-10-02 2002-04-30 Microsoft Corporation Summarized application profiling and quick network profiling
US6205477B1 (en) * 1998-10-20 2001-03-20 Cisco Technology, Inc. Apparatus and method for performing traffic redirection in a distributed system using a portion metric
US6349306B1 (en) * 1998-10-30 2002-02-19 Aprisma Management Technologies, Inc. Method and apparatus for configuration management in communications networks
US6598090B2 (en) 1998-11-03 2003-07-22 International Business Machines Corporation Centralized control of software for administration of a distributed computing environment
US8121891B2 (en) * 1998-11-12 2012-02-21 Accenture Global Services Gmbh Personalized product report
US6728748B1 (en) * 1998-12-01 2004-04-27 Network Appliance, Inc. Method and apparatus for policy based class of service and adaptive service level management within the context of an internet and intranet
JP3184169B2 (en) 1999-01-14 2001-07-09 エヌイーシーソフト株式会社 Network device setting management system, network device setting management method, and recording medium recording network device setting management program
US6411961B1 (en) * 1999-01-15 2002-06-25 Metaedge Corporation Apparatus for providing a reverse star schema data model
US6334141B1 (en) 1999-02-02 2001-12-25 International Business Machines Corporation Distributed server for real-time collaboration
US6662221B1 (en) 1999-04-12 2003-12-09 Lucent Technologies Inc. Integrated network and service management with automated flow through configuration and provisioning of virtual private networks
US6801949B1 (en) 1999-04-12 2004-10-05 Rainfinity, Inc. Distributed server cluster with graphical user interface
US6463528B1 (en) 1999-04-20 2002-10-08 Covad Communications Group, Inc. Method and apparatus for simplifying the configuration of several models of customer premise equipment
US6738908B1 (en) * 1999-05-06 2004-05-18 Watchguard Technologies, Inc. Generalized network security policy templates for implementing similar network security policies across multiple networks
US6577614B1 (en) 1999-05-27 2003-06-10 Qwest Communications International Inc. System and method for OTA over CDMA data channel
US6473794B1 (en) 1999-05-27 2002-10-29 Accenture Llp System for establishing plan to test components of web based framework by displaying pictorial representation and conveying indicia coded components of existing network framework
US6442564B1 (en) * 1999-06-14 2002-08-27 International Business Machines Corporation Facilitating workload management by using a location forwarding capability
US6460082B1 (en) 1999-06-17 2002-10-01 International Business Machines Corporation Management of service-oriented resources across heterogeneous media servers using homogenous service units and service signatures to configure the media servers
US6405219B2 (en) * 1999-06-22 2002-06-11 F5 Networks, Inc. Method and system for automatically updating the version of a set of files stored on content servers
US6546392B1 (en) * 1999-06-25 2003-04-08 Mediaone Group, Inc. Self service gateway
US6604238B1 (en) 1999-07-26 2003-08-05 Hewlett-Packard Development Company, L.P. Method and system for installing software
JP3916806B2 (en) 1999-07-26 2007-05-23 富士通株式会社 Remote loading execution method, remote loading execution system, information processing apparatus, management apparatus, and computer-readable recording medium
US6345239B1 (en) * 1999-08-31 2002-02-05 Accenture Llp Remote demonstration of business capabilities in an e-commerce environment
US6332163B1 (en) * 1999-09-01 2001-12-18 Accenture, Llp Method for providing communication services over a computer network system
US6594723B1 (en) 1999-09-07 2003-07-15 Microsoft Corporation Method and apparatus for updating data in nonvolatile memory
US6396810B1 (en) * 1999-09-08 2002-05-28 Metasolv Software, Inc. System and method for analyzing communication paths in a telecommunications network
US6633907B1 (en) 1999-09-10 2003-10-14 Microsoft Corporation Methods and systems for provisioning online services
US6775830B1 (en) 1999-09-24 2004-08-10 Hitachi, Ltd. Computer system and a program install method thereof
US6732269B1 (en) 1999-10-01 2004-05-04 International Business Machines Corporation Methods, systems and computer program products for enhanced security identity utilizing an SSL proxy
EP1091522A2 (en) 1999-10-06 2001-04-11 Hewlett-Packard Company, A Delaware Corporation Copying configuration settings between electronic devices
US6516337B1 (en) * 1999-10-14 2003-02-04 Arcessa, Inc. Sending to a central indexing site meta data or signatures from objects on a computer network
US6754707B2 (en) 1999-10-28 2004-06-22 Supportsoft, Inc. Secure computer support system
US7237002B1 (en) * 2000-01-04 2007-06-26 International Business Machines Corporation System and method for dynamic browser management of web site
US6535227B1 (en) * 2000-02-08 2003-03-18 Harris Corporation System and method for assessing the security posture of a network and having a graphical user interface
US6735623B1 (en) * 2000-02-09 2004-05-11 Mitch Prust Method and system for accessing a remote storage area
US6983317B1 (en) 2000-02-28 2006-01-03 Microsoft Corporation Enterprise management system
WO2001067309A2 (en) 2000-03-03 2001-09-13 Radiant Logic, Inc. System and method for providing access to databases via directories and other hierarchical structures and interfaces
US6505245B1 (en) * 2000-04-13 2003-01-07 Tecsys Development, Inc. System and method for managing computing devices within a data communications network from a remotely located console
EP1292892A4 (en) 2000-04-14 2006-11-15 Goahead Software Inc A system and method for upgrading networked devices
US6964034B1 (en) * 2000-04-20 2005-11-08 International Business Machines Corporation Application development server and a mechanism for providing different views into the same constructs within a strongly encapsulated environment
US7062541B1 (en) * 2000-04-27 2006-06-13 International Business Machines Corporation System and method for transferring related data objects in a distributed data storage environment
US6880086B2 (en) 2000-05-20 2005-04-12 Ciena Corporation Signatures for facilitating hot upgrades of modular software components
AU2001264944A1 (en) * 2000-05-25 2001-12-03 Transacttools, Inc. A method, system and apparatus for establishing, monitoring, and managing connectivity for communication among heterogeneous systems
US7231436B1 (en) 2000-05-25 2007-06-12 Microsoft Corporation Object-based machine automation method and system
US6718379B1 (en) * 2000-06-09 2004-04-06 Advanced Micro Devices, Inc. System and method for network management of local area networks having non-blocking network switches configured for switching data packets between subnetworks based on management policies
US7113988B2 (en) * 2000-06-29 2006-09-26 International Business Machines Corporation Proactive on-line diagnostics in a manageable network
EP1297446B1 (en) 2000-07-05 2005-09-21 Ernst & Young LLP Method and apparatus for providing computer services
GB0017336D0 (en) 2000-07-15 2000-08-30 Ibm Preferable modes of software package deployment
AU2001280685B2 (en) 2000-07-24 2007-08-02 Trendium, Inc. Network models, methods, and computer program products for managing a service independent of the underlying network technology
US6725453B1 (en) * 2000-08-23 2004-04-20 Microsoft Corporation Remote software installation and maintenance
US7003481B2 (en) * 2000-08-25 2006-02-21 Flatrock Ii, Inc. Method and apparatus for providing network dependent application services
US6686838B1 (en) * 2000-09-06 2004-02-03 Xanboo Inc. Systems and methods for the automatic registration of devices
US20020143904A1 (en) 2000-09-22 2002-10-03 Bair M. Zach Rapid network deployment
WO2002025438A1 (en) * 2000-09-22 2002-03-28 Patchlink.Com Corporation Non-invasive automatic offsite patch fingerprinting and updating system and method
US7054924B1 (en) * 2000-09-29 2006-05-30 Cisco Technology, Inc. Method and apparatus for provisioning network devices using instructions in extensible markup language
US20020154751A1 (en) 2000-10-18 2002-10-24 Thompson Richard H. Method for managing wireless communication device use including optimizing rate and service plan selection
WO2002034463A1 (en) * 2000-10-26 2002-05-02 Citizen Watch Co., Ltd. Method and device for automatically preparing processing program
US20020083146A1 (en) 2000-10-31 2002-06-27 Glenn Ferguson Data model for automated server configuration
WO2002037262A2 (en) 2000-10-31 2002-05-10 Loudcloud, Inc. Methods and systems for installing software onto computers
US8250570B2 (en) 2000-10-31 2012-08-21 Hewlett-Packard Development Company, L.P. Automated provisioning framework for internet site servers
AU2002214673A1 (en) 2000-10-31 2002-05-15 Loudcloud, Inc. Code deployment systems and methods
US6763361B1 (en) 2000-10-31 2004-07-13 Opsware, Inc. Object-oriented database abstraction and statement generation
WO2002037282A2 (en) 2000-10-31 2002-05-10 Loudcloud, Inc. A method for provisioning complex data storage devices
AU2002214679A1 (en) 2000-10-31 2002-05-15 Loudcloud, Inc. A data model for use in the automatic provisioning of central data storage devices
US6751702B1 (en) 2000-10-31 2004-06-15 Loudcloud, Inc. Method for automated provisioning of central data storage devices using a data model
AU2002214683A1 (en) 2000-10-31 2002-05-21 Loudcloud, Inc. A data model for automated server configuration
AU2002215391A1 (en) 2000-10-31 2002-05-21 Loudcloud, Inc. Automated provisioning framework for internet site servers
US6658426B1 (en) 2000-10-31 2003-12-02 Opsware Object-oriented database abstraction and statement generation
US7124289B1 (en) 2000-10-31 2006-10-17 Opsware Inc. Automated provisioning framework for internet site servers
US6978301B2 (en) * 2000-12-06 2005-12-20 Intelliden System and method for configuring a network device
US7013461B2 (en) * 2001-01-05 2006-03-14 International Business Machines Corporation Systems and methods for service and role-based software distribution
US7281047B2 (en) 2001-01-16 2007-10-09 Cognos Incorporated System and method for automatic provision of an application
US6792462B2 (en) 2001-01-16 2004-09-14 Netiq Corporation Methods, systems and computer program products for rule based delegation of administration powers
US20020095487A1 (en) 2001-01-18 2002-07-18 Robert Day System for registering, locating, and identifying network equipment
US6813766B2 (en) 2001-02-05 2004-11-02 Interland, Inc. Method and apparatus for scheduling processes based upon virtual server identifiers
US7120678B2 (en) * 2001-02-27 2006-10-10 Hewlett-Packard Development Company, L.P. Method and apparatus for configurable data collection on a computer network
US6862573B2 (en) * 2001-03-22 2005-03-01 Clear Technology, Inc. Automated transaction management system and method
US8019835B2 (en) 2001-04-20 2011-09-13 Hewlett-Packard Development Company, L.P. Automated provisioning of computing networks using a network database data model
US7152109B2 (en) 2001-04-20 2006-12-19 Opsware, Inc Automated provisioning of computing networks according to customer accounts using a network database data model
US7743147B2 (en) 2001-04-20 2010-06-22 Hewlett-Packard Development Company, L.P. Automated provisioning of computing networks using a network database data model
US6816897B2 (en) 2001-04-30 2004-11-09 Opsware, Inc. Console mapping tool for automated deployment and management of network devices
US20020158898A1 (en) 2001-04-30 2002-10-31 Hsieh Vivian G. Graphical user interfaces for viewing and configuring devices in an automated provisioning environment
US7131123B2 (en) 2001-04-30 2006-10-31 Opsware Inc. Automated provisioning of computing networks using a network database model
US7013462B2 (en) * 2001-05-10 2006-03-14 Hewlett-Packard Development Company, L.P. Method to map an inventory management system to a configuration management system
US6941367B2 (en) 2001-05-10 2005-09-06 Hewlett-Packard Development Company, L.P. System for monitoring relevant events by comparing message relation key
US20040015950A1 (en) * 2001-05-10 2004-01-22 International Business Machines Corporation Application service provider upgrades
US20050120101A1 (en) * 2001-06-11 2005-06-02 David Nocera Apparatus, method and article of manufacture for managing changes on a compute infrastructure
US20030037327A1 (en) * 2001-08-15 2003-02-20 International Business Machines Corporation Run-time rule-based topological installation suite
US7069395B2 (en) * 2001-10-05 2006-06-27 International Business Machines Corporation Storage area network methods and apparatus for dynamically enabled storage device masking
US7496645B2 (en) * 2001-10-18 2009-02-24 Hewlett-Packard Development Company, L.P. Deployment of business logic software and data content onto network servers
US7039705B2 (en) * 2001-10-26 2006-05-02 Hewlett-Packard Development Company, L.P. Representing capacities and demands in a layered computing environment using normalized values
US20030084104A1 (en) * 2001-10-31 2003-05-01 Krimo Salem System and method for remote storage and retrieval of data
US7043632B2 (en) * 2001-12-12 2006-05-09 Nortel Networks Limited End-to-end security in data networks
US6766364B2 (en) * 2002-01-15 2004-07-20 Telcordia Technologies, Inc. Template based configuration and validation of a network for enabling a requested service to be compatible with the previously enabled services
US20030149756A1 (en) 2002-02-06 2003-08-07 David Grieve Configuration management method and system
US6829617B2 (en) 2002-02-15 2004-12-07 International Business Machines Corporation Providing a snapshot of a subset of a file system
US7359387B2 (en) * 2002-03-01 2008-04-15 Verizon Business Global Llc Systems and methods for implementing virtual router
US7171659B2 (en) * 2002-03-19 2007-01-30 Sun Microsystems, Inc. System and method for configurable software provisioning
US20030200149A1 (en) * 2002-04-17 2003-10-23 Dell Products L.P. System and method for facilitating network installation
US7076567B1 (en) * 2002-04-25 2006-07-11 Oracle International Corporation Simplified application object data synchronization for optimized data storage
US20030229686A1 (en) * 2002-06-07 2003-12-11 Kris Kortright System and method for synchronizing the configuration of distributed network management applications
US7249174B2 (en) * 2002-06-12 2007-07-24 Bladelogic, Inc. Method and system for executing and undoing distributed server change operations
US7174747B2 (en) 2002-06-20 2007-02-13 Certainteed Corporation Use of corrugated hose for admix recycling in fibrous glass insulation
US8859184B2 (en) 2005-07-28 2014-10-14 Ricoh Company, Ltd. Write-once-read-many optical disk having low-to-high recording property accommodating short wavelength recording
US8839221B2 (en) * 2007-09-10 2014-09-16 Moka5, Inc. Automatic acquisition and installation of software upgrades for collections of virtual machines

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999031584A1 (en) * 1997-12-17 1999-06-24 Fujitsu Siemens Computers Gmbh Method for converting a system call

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "LSF JobScheduler User's Guide" PLATFORM COMPUTING CORPORATION, August 1998 (1998-08), pages I-138, XP002328737 Retrieved from the Internet: URL:http://www.urz.uni-heidelberg.de/lsf3.2/pdf/jsusers.pdf> *
ANONYMOUS: "OpenBSD SSH(1) Manual Page" OPENBSD.ORG, 1999, pages 1-9, XP002328739 Retrieved from the Internet: URL:http://www.openbsd.org/cgi-bin/man.cgi?query=ssh> -& ANONYMOUS: "OpenBSD SSHD (8) Manual" OPENBSD.ORG, 1999, pages 1-7, XP002328740 Retrieved from the Internet: URL:http://www.openbsd.org/cgi-bin/man.cgi?query=sshd> -& ANONYMOUS: "OpenBSD SSH_CONFIG(5) Manual" OPENBSD.ORG, 1999, pages 1-7, XP002328741 Retrieved from the Internet: URL:http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config> -& ANONYMOUS: "OpenBSD SSHD_CONFIG(5) Manual" OPENBSD.ORG, 1999, pages 1-7, XP002328742 Retrieved from the Internet: URL:http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config> -& DERAADT: "OpenBSD ssh.c cvs revision 1.1" OPENBSD.ORG, 1999, pages 1-10, XP002328743 Retrieved from the Internet: URL:http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh.c?rev=1.1&content-type=text/x-cvsweb-markup> -& DERAADT: "OpenBSD sshd.c cvs revision 1.1" 1999, pages 1-29, XP002328744 Retriev *
PAWLOWSKI B ET AL: "The NFS Version 4 Protocol" PROCEEDINGS OF THE INTERNATIONAL SYSTEM ADMINISTRATION AND NETWORKING CONFERENCE, 22 May 2000 (2000-05-22), pages 1-20, XP002262978 *
RIGHTNOUR T: "Clusterit version 2.0 (Archive)" TAR, 2001, pages 1-30, XP002328731 Retrieved from the Internet: URL:http://www.garbled.net/download/clusterit-2.0.tar.gz> *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1615130A2 (en) * 2004-07-07 2006-01-11 Sap Ag Dynamic Log for a computer system consisting of servers providing services
EP1615130A3 (en) * 2004-07-07 2007-10-03 Sap Ag Dynamic Log for a computer system consisting of servers providing services
US20060184653A1 (en) * 2005-02-16 2006-08-17 Red Hat, Inc. System and method for creating and managing virtual services
US8583770B2 (en) * 2005-02-16 2013-11-12 Red Hat, Inc. System and method for creating and managing virtual services
US7698284B2 (en) 2005-12-30 2010-04-13 Sap Ag Systems and methods for deploying a tenant in a provider-tenant environment
US7693851B2 (en) 2005-12-30 2010-04-06 Sap Ag Systems and methods for implementing a shared space in a provider-tenant environment
US7689593B2 (en) 2005-12-30 2010-03-30 Sap Ag Systems and methods for accessing a shared space in a provider-tenant environment
US7917607B2 (en) 2005-12-30 2011-03-29 Sap Ag Software management systems and methods, including use of such systems and methods in a provider-tenant environment
US7680825B2 (en) 2005-12-30 2010-03-16 Sap Ag Systems and methods for generating tenant-specific properties for use in a provider-tenant environment
US7739348B2 (en) 2006-12-29 2010-06-15 Sap Ag Systems and methods for accessing a shared space in a provider-tenant environment by using middleware
US8042150B2 (en) 2008-12-08 2011-10-18 Motorola Mobility, Inc. Automatic generation of policies and roles for role based access control
US8224828B2 (en) 2009-12-22 2012-07-17 Sap Ag Multi-client generic persistence for extension fields
WO2015105799A1 (en) * 2014-01-09 2015-07-16 Citrix Systems, Inc. System and method for cloud-based probing and diagnostics
US9614745B2 (en) 2014-01-09 2017-04-04 Citrix Systems, Inc. Systems and methods for cloud-based probing and diagnostics

Also Published As

Publication number Publication date
EP3139541B1 (en) 2021-08-25
WO2003107178A3 (en) 2005-12-15
EP1573520B1 (en) 2013-09-18
US8869132B2 (en) 2014-10-21
US20130232248A1 (en) 2013-09-05
EP3139541A1 (en) 2017-03-08
US9100283B2 (en) 2015-08-04
US20080104217A1 (en) 2008-05-01
US9794110B2 (en) 2017-10-17
US20030233431A1 (en) 2003-12-18
US10659286B2 (en) 2020-05-19
EP1786142A1 (en) 2007-05-16
EP1573520A2 (en) 2005-09-14
AU2003243426A1 (en) 2003-12-31
US20150326423A1 (en) 2015-11-12
US7249174B2 (en) 2007-07-24
ES2548302T3 (en) 2015-10-15
US8447963B2 (en) 2013-05-21
EP1772803A2 (en) 2007-04-11
US8296755B2 (en) 2012-10-23
US20180069747A1 (en) 2018-03-08
US8549114B2 (en) 2013-10-01
EP1786142B1 (en) 2015-08-12
US20030233571A1 (en) 2003-12-18
US20030233385A1 (en) 2003-12-18
US20130103808A1 (en) 2013-04-25
EP1772803A3 (en) 2007-04-18

Legal Events

Date Code Title Description
AK Designated states. Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW
AL Designated countries for regional patents. Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase. Ref document number: 2003760238. Country of ref document: EP
WWP Wipo information: published in national office. Ref document number: 2003760238. Country of ref document: EP
NENP Non-entry into the national phase. Ref country code: JP
WWW Wipo information: withdrawn in national office. Country of ref document: JP