Foglight Agent Manager 6.0.0 - Foglight Agent Manager Guide

Configuring the Agent Manager (monitoring) system

The Agent Manager automatically attempts to perform the necessary configuration on the monitoring host machine. If for any reason the changes cannot be made, you have to manually update the following settings.

The WinRM Negotiate authentication scheme uses Kerberos. By default, the Agent Manager searches the following files for information about the location of the Key Distribution Center (KDC):

If the Agent Manager fails to find a configuration file, it attempts to automatically detect the required settings and writes them to $FGLAM/state/default/config/krb5.config.

NOTE: The fglam.config.xml file specifies the location of the krb5 file in the <kerberos‑config‑file> element. If the element is empty or omitted, no configuration file is used.

You can manually override the location of krb5 file with the following command-line parameter:

-Djava.security.krb5.conf=</path/to/file>

Generating a configuration file required for WinRM Negotiate authentication

WinRM connections using the default Negotiate authentication require a copy of the krb5.config file. The Agent Manager attempts to auto-generate this file and places it under <fglam_home>/state/default/config/krb5.config.

If the file needs to be created, the format of the krb5.config file for the WinRM Negotiate authentication is as follows:

Where:

The values dns_suffix_upper_case, dns_suffix_lower_case, and DNS_Server_for_dns_suffix_upper_case must be replaced with their actual values.

The [domain_realm] section in the file maps the domain of the host being connected to, to a realm.

The [realm] section provides the relevant kdc (key distribution center) server with a specific realm to use for kerberos authentication. This is generally the DNS server for the relevant domain.

The default_realm value in the libdefaults section is the realm mapping to use when the domain of the host cannot be matched to a realm.

For example, for connecting to hosts on the sample.domain.com domain with the dnsserver.sample.domain.com DNS Server, the contents of the krb5.config file should be as follows:

When connecting to a host1.sample.domain.com, the host1’s domain is mapped to the SAMPLE.DOMAIN.COM realm, which maps to the DNSSERVER.SAMPLE.DOMAIN.COM kdc to use for kerberos authentication.

After the krb5.config file is created the absolute path to the generated krb5.config file should be provided in the <config:krb5-config-file> tag value of the <fglam_home>/state/default/config/fglam-config.xml file, so that it can be accessed by the Agent Manager. Any changes to the fglam-config.xml file require the Agent Manager to be restarted in order for those changes to take effect. Therefore, if the Agent Manager is running while you are making these changes, you must restart it.

Additional registry keys may be required when you deploy an Agent Manager on a Windows host. The Agent Manager installer attempts to make the changes automatically. If the Agent Manager is unable to establish a WinRM connection, check that the following changes were made correctly.

The KerberosConfigurationService API provides the ability for agents to modify or create a Kerberos configuration file during runtime.

The Agent Manager uses the Kerberos configuration file to establish WinRM Negotiate connections to hosts. In most cases, the Agent Manager can create the Kerberos configuration for the current domain to which the machine running the Agent Manager belongs. However, the Kerberos configuration typically needs to be modified when cross-domain WinRM connections are required. This can be done by modifying the Kerberos configuration file manually, to add the new domain properties, and restarting the Agent Manager. If no instance of the previous Kerberos configuration file is found, the fglam.config.xml file needs to be updated to instruct the Agent Manger which Kerberos configuration file to use for WinRM connections.

All of these actions can also be performed during runtime, without requiring any manual changes, or an Agent Manager restart. The KerberosConfigurationService allows agents to make these changes during runtime and have the changes take effect immediately. If a new configuration file is created, fglam.config.xml file is updated automatically.

For complete information about this service, see the Foglight Agent Manager Devkit and Javadoc documentation.

Configuring command-shell connection settings

WinRM relies on a set of configuration parameters that establish the level of system resources the WinRM service needs to address incoming requests. In certain cases, some parameter values do not provide sufficient configuration levels which can lead to run-time errors.

Depending on how WinRM is used, some parameter values may not provide sufficient configuration levels which can lead to connection issues. The Agent Manager makes an attempt to diagnose some of these situations and communicate appropriate recommendations using Warning messages. The configuration levels that the Agent Manager attempts to diagnose are:

TIP: WinRM parameters can also be edited using the Group Policy Object Editor. To start the editor, type gpedit.msc at the command line, and then navigate to Local Computer Policy > Computer Configuration > Administrative templates > Windows Components > Windows Remote Management (WinRM) and Windows Remote Shell.

For additional information, visit the following Web page:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384372%28v=vs.85%29.aspx

About WinRM connection ports

WinRM uses a set of default ports for communication. Depending on the WinRM version, the following port numbers are used:

After issuing the winrm quickconfig command, the listener port number can be determined using the winrm enum winrm/config/listener command. For example: