Chat now with support
Chat with Support

Foglight Agent Manager 7.1.0 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server Deploying the Agent Manager cartridge Downloading the Agent Manager installer Installing the Agent Manager Starting or stopping the Agent Manager process Frequently asked questions
Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Enabling agents to connect locally on Windows

When a WMI agent connects to the same machine it is running on (that is, localhost) using credentials that explicitly specify a user other than the currently logged on user, you must make certain registry changes to allow the required COM services to run.

To allow the agent to connect locally on Windows®:
1
Enable the Remote Registry Service.
Once the agent has successfully connected and the Agent Manager connection services have made the required changes, the Remote Registry Service can be disabled.
2
Ensure that the Server service is running.
 
* 
IMPORTANT: Normally, the Server service starts automatically. If it is stopped, or fails to start, it must be manually restarted before the Agent Manager can connect locally using credentials for a user other than the currently logged on user.

Releasing a locked MySQL process

The Agent Manager uses the wmiprvse.exe process to make use of WMI for remote Windows® monitoring. However, in some situations, this process can lock the MySQL process, mysqld.exe, preventing it from being uninstalled, deleted, moved, or updated.

To release a locked MySQL process:
Stop the wmiprvse.exe process.
 
* 
IMPORTANT: Stopping the wmiprvse.exe process does not affect the running state of the WMI service. The process starts again automatically when an application requires WMI.

Configuring Windows Remote Management (WinRM)

Windows Remote Management is the Microsoft® implementation of the Web Services Management Protocol (WSMAN) which is a Simple Object Access Protocol (SOAP) based protocol over HTTP/HTTPS and is used for system management. For more information, visit https://msdn.microsoft.com/en-us/library/aa384470%28v=vs.85%29.aspx.

WinRM has two authentication mechanisms that are used by the Agent Manager to establish connections:
Negotiate authentication is based on Kerberos authentication, involving tickets/keys obtained from a Key Distribution Center (KDC).
Basic authentication uses standard HTTP headers to communicate directly with the remote machine.

When the Agent Manager is installed on AIX, Negotiate authentication is not currently supported. In such cases, only Basic authentication can be used. For more information, see About WinRM connection ports.This section provides solutions for the following issues:
WinRM IPv6 connection support
About WinRM authentication and the Agent Manager
Configuring the target (monitored) system
Configuring the Agent Manager (monitoring) system
Generating a configuration file required for WinRM Negotiate authentication
Configuring command-shell connection settings
About WinRM connection ports
Troubleshooting

WinRM IPv6 connection support

Starting with the Foglight Agent Manager version 5.9.1, the WinRM connection with unique local IPv6 Address and link-local IPv6 Address is supported on the Agent Manager running on Windows, Linux, and Solaris.

Understanding Negotiate/Kerberos authentication

Kerberos is a network security protocol that involves three elements: the KDC, the client user, and the server with the desired service to access. The KDC is installed as part of the Domain Controller and acts as the authentication service and the ticket-granting service.

Each administrative domain has its own KDC, which contains information about the users and services for that particular domain. This administrative domain is a Kerberos realm.

The steps involved in Kerberos authentication involve the following actions:

1
Initial Authentication for a Kerberos Session (Kerberos step 1)
a
A client begins a Kerberos session by requesting a ticket-granting-ticket (TGT) from the KDC based on the domain user name. This is done automatically on Windows login, but can be repeated when a different KDC is needed for a service on a different realm.
b
The KDC creates a TGT and sends it back to the client, in encrypted form, based on the client's password. The client decrypts the TGT using the client's password.
c
In possession of a valid TGT, the client can request tickets for various services.
2
Subsequent Kerberos Authentications (Kerberos step 2)
a
When the client requires access to a service using Kerberos authentication, the client requests a ticket for the particular service, from the KDC by sending the TGT as proof of identity.
b
The KDC sends the ticket for the specific service to the client.
c
The client can then send this ticket to the remote server to establish a session with the server's service.
Finding the Kerberos authentication file

Foglight Agent Manager always generates an auth.login.config file that is used for Kerberos. It is generated by the Agent Manager on both UNIX® and Windows®, and is used to configure the Kerberos module that the Agent Manager uses for authentication. This file is located in the <fglam_dir>/state/default/config directory, and must never be modified.

Observing the contents of the Kerberos configuration file

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:
Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
UNIX:
/etc/krb5.conf
Or:
/etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, and on Unix, the empty file is generated.

To detect the settings on Windows, the following environment variables are checked:
%LOGONSERVER%: Provides the name of the domain controller that authenticated the client's logon to the machine. This value is just the simple name of the KDC, but the fully qualified name must be used in the configuration file.
%USERDNSDOMAIN%: Provides the fully qualified DNS domain that the currently logged on user's account belongs to.

These two environment variables are only present when the user credential used to login to the machine, is a domain credential, for example, when the user account belongs to the domain. If a local user account is used, these environment variables are not present, and an attempt to generate the Kerberos configuration file is made using the network information. If not found, the empty file is generated.

If you are running the Agent Manager on a UNIX machine, to determine the values to use in the Kerberos configuration file for the remote machine, simply log in to the remote machine using a domain user credential and check the values. The format of the file is as follows:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
 
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

If the Kerberos configuration file is generated by the Agent Manager, it is placed in the <fglam_dir>/state/default/config/krb5.config file, and an entry is added to the <fglam_dir>/state/default/config/fglam.config.xml file so that the Agent Manager is aware of the file location. An example of this entry on Windows is as follows:

<config:krb5-config-file>C:\Quest_Software\fms_5_7_5_5\state\fglam\state\default\.\config\krb5.config</config:krb5-config-file>

If the file is not generated, you can generate your own file, add a value for the krb5-config-file entry in the fglam.config.xml file, and restart the Agent Manager.

About the Kerberos Configuration File Format

 

* 
NOTE: If current OS user have permission to modify krb5.config file, FglAM will automatically specify domain name as the kdc in the file if the kdc entry is not found when making Kerberos authentication.

The Kerberos configuration file typically looks like:

# Copyright 2017 Quest Software Inc.
# ALL RIGHTS RESERVED.
[libdefaults]
default_realm = EXAMPLE.COM
 
[realms]
EXAMPLE.COM = {
kdc = HOST1.EXAMPLE.COM
}
 
[domain_realm]
.example.com = EXAMPLE.COM
Any line that begins with a number sign '#' is considered a comment, and is ignored.
The default_realm value is used to determine what KDC should be used, if the realm cannot be determined from the domain.
The [realms] section is used to provide the KDC for the specified realm.
The [domain_realm] section is used to map the domain to the realm to use.

So for example, if connecting to a host A with user credential example.com\UserX, the kerberos file is used as follows:

1
The domain is determined from the user credential, so in this case the domain name is example.com.
2
The domain example.com maps to the realm EXAMPLE.COM in the domain_realm section.
3
The realm EXAMPLE.COM is then found, and its KDC value is used to determine the KDC to use for authentication.
4
The KDC, HOST1.EXAMPLE.COM, is then communicated with for authentication.

In another example, if connecting to a host B with user credential other.domain\UserY, the same Kerberos file is used as follows:

1
The domain is determined from the user credential, so in this case the domain name is other.domain.
2
The domain other.domain does not map to any realm in the domain_realm section, so the KDC is attempted to be resolved from the DNS.
3
Typically, the DNS does not find the KDC for the different domain, and so the default_realm value, EXAMPLE.COM is used instead.
4
The realm EXAMPLE.COM is then found, and its KDC value is used to determine the KDC to use for authentication.
5
The KDC, HOST1.EXAMPLE.COM, is then communicated with for authentication of the user credential.

To specify a non-default realm to use for the other.domain value is the second example, the Kerberos configuration file can be modified as follows

# Copyright 2017 Quest Software Inc.
# ALL RIGHTS RESERVED.
[libdefaults]
default_realm = EXAMPLE.COM
 
[realms]
EXAMPLE.COM = {
kdc = HOST1.EXAMPLE.COM
}
OTHER.DOMAIN = {
kdc = MYKDC.OTHER.DOMAIN
}
 
[domain_realm]
.example.com = EXAMPLE.COM
.other.domain = OTHER.DOMAIN

Now, if a domain of other.domain is encountered, the realm used will be OTHER.DOMAIN instead of the default_realm value since there is a domain mapping entry. This can be repeated for other domains and realms.

This is the reason that fully qualified domain names be used for the domain value of the credential. Also, to prevent any possible DNS issues with the KDC, the fully qualified name of the host should be used, such as A.example.com or B.other.domain.

There are other sections and properties that can be used in the Kerberos configuration file, but for the Agent Manager purposes, the ones described above are sufficient.

Configuring multiple KDC entries in the same realm

The Kerberos configuration file supports specifying multiple KDC entries in one realm, which enables the WinRM connections to try to obtain the tickets from one of these KDCs, in order to prevent the single point of failure. The multiple KDC entries configuration typically looks like:

[libdefaults]
default_realm = DOMAIN.FGLAM
kdc_timeout = 30000
max_retries = 3
[realms]
WINRM.FGLAM = {
kdc = FGLAMDCS01.WINRM.FGLAM
kdc = FGLAMDCS02.WINRM.FGLAM
}
[domain_realm]
.domain.fglam = DOMAIN.FGLAM
.winrm.fglam = WINRM.FGLAM
kdc_timeout: This parameter sets the maximum number of milliseconds to wait for a reply from a KDC, the default value is 30000 milliseconds.
max_retries: This parameter sets the maximum number of times each KDC will be tried, the default value is 3.

Each KDC listed in the same realm will be tried up to <max_retries> times and each time will wait for up to <kdc_timeout> milliseconds until one succeeds.

NOTE: Multiple KDC entries are not supported with the default settings because the total timeout number (<KDC_number>×<max_retries>×<kdc_timeout>) for KDC listed in the same realm is larger than the default timeout limit (60000 milliseconds) for FglAM WinRM connection.

To fix this issue, follow the instructions to achieve that total timeout number for KDC listed in the same realm does not exceed the timeout limit set by WinRM connection:
Decrease the parameter values of max_retries and kdc_timeout in krb5 file. For example, max_retries=1 and kdc_timeout=10000.
Run fglam with following command-line parameter to increase timeout number for FglAM WinRM connection.
-Dwinrm.connection.timeout.milliseconds=<time>
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating