Chat now with support
Chat with Support

Foglight Agent Manager 5.8.5.7 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server Deploying the Agent Manager cartridge Downloading the Agent Manager installer Installing the Agent Manager Starting or stopping the Agent Manager process Frequently asked questions
Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Configuring the target (monitored) system

Previous Next


Recent versions of Windows® OS include WinRM, but it is disabled by default. There are two ways to configure HTTP or HTTPS: manually or using Group Policy Objects.
3
Optional. If Negotiate authentication is enabled, and you want to disable it, type the following:
@{Hostname="<host>";CertificateThumbrint="<thumbprint>"}
host is a fully qualified host name, as it appears in the certificate.
thumbprint is the certificate thumbprint, with spaces removed.
2
Type run and press Enter.
4
The Console Root window appears.
5
In the Console Root window, choose File > Add/Remove Snap-In.
6
In the Add or Remove Snap-ins dialog box that appears, in the Available snap-ins area, select Group Policy Object, and click Add.
7
In the Select Group Policy Object dialog box that appears, click Finish to close it.
8
Click OK to close the Add or Remove Snap-ins dialog box.
9
In the Console Root window, in the navigation tree on the left, choose Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
fglam --add-certificate alias=/path/to/saved.ca.certificate

Configuring the Agent Manager (monitoring) system

Previous Next


You can manually override the location of krb5.conf with the following command-line parameter:

Generating a configuration file required for WinRM Negotiate authentication

Previous Next

Advanced system configuration and troubleshooting : Configuring Windows Remote Management (WinRM) : Generating a configuration file required for WinRM Negotiate authentication

WinRM connections using the default Negotiate authentication require a copy of the krb5.config file. On Windows®, the Agent Manager attempts to auto-generate this file and places it under <fglam_home>f/state/default/config/krb5.config. Under some circumstances, the Agent Manager is unable to auto-generate the file on Windows, in which case the file needs to be created. On UNIX® systems, the file is never auto-generated and must always be provided.
If the file needs to be created, the format of the krb5.config file for the WinRM Negotiate authentication is as follows:
default_realm = <dns_suffix_upper_case>
<dns_suffix_upper_case> = {
kdc = <DNS_Server_for_dns_suffix_upper_case>
.<dns_suffix_lower_case> = <dns_suffix_upper_case>
The values dns_suffix_upper_case, dns_suffix_lower_case, and DNS_Server_for_dns_suffix_upper_case must be replaced with their actual values.
The [domain_realm] section in the file maps the domain of the host being connected to, to a realm.
The [realm] section provides the relevant kdc (key distribution center) server with a specific realm to use for kerberos authentication. This is generally the DNS server for the relevant domain.
The default_realm value in the libdefaults section is the realm mapping to use when the domain of the host cannot be matched to a realm.
For example, for connecting to hosts on the sample.domain.com domain with the dnsserver.sample.domain.com DNS Server, the contents of the krb5.config file should be as follows:
When connecting to a host1.sample.domain.com, the host1’s domain is mapped to the SAMPLE.DOMAIN.COM realm, which maps to the DNSSERVER.SAMPLE.DOMAIN.COM kdc to use for kerberos authentication.
After the krb5.config file is created the absolute path to the generated krb5.config file should be provided in the <config:krb5-config-file> tag value of the <fglam_home>/state/default/config/fglam-config.xml file, so that it can be accessed by the Agent Manager. Any changes to the fglam-config.xml file require the Agent Manager to be restarted in order for those changes to take effect. Therefore, if the Agent Manager is running while you are making these changes, you must restart it.
By default, Windows does not allow JavaTM to access certain required session keys when JavaTM attempts to authenticate with Kerberos. The following registry keys should be added to ensure that the required sessions keys are available. The Agent Manager attempts to detect and update these registry keys automatically the first time a WinRM connection is attempted.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
The KerberosConfigurationService API provides the ability for agents to modify or create a Kerberos configuration file during runtime.
All of these actions can also be performed during runtime, without requiring any manual changes, or an Agent Manager restart. The KerberosConfigurationService allows agents to make these changes during runtime and have the changes take effect immediately. If a new configuration file is created, fglam.config.xml file is updated automatically.

Configuring command-shell connection settings

Previous Next


MaxConcurrentOperationsPerUser: This parameter specifies the maximum number of concurrent Enumeration operations allowed by an individual user. The value must be in the range of 1 to 4294967295.
TIP: WinRM parameters can also be edited using the Group Policy Object Editor. To start the editor, type gpedit.msc at the command line, and then navigate to Local Computer Policy > Computer Configuration > Administrative templates > Windows Components > Windows Remote Management (WinRM) and Windows Remote Shell.
MaxConcurrentOperations: This parameter specifies the maximum number of concurrent shells any user can remotely open on the same system. Any number from 1 to 4294967295 can be used. For more information about this parameter, you can visit the following Web page: http://msdn.microsoft.com/en-us/library/cc251426.aspx.
MaxShellsPerUser: This parameter specifies the maximum number of concurrent shells any user can remotely open on the same system. Any number from 0 to 2147483647 can be used, where 0 means unlimited number of shells. If this policy setting is enabled, the user cannot to open new remote shells if the count exceeds the specified limit.
AllowRemoteShellAccess: This parameter controls access to the remote shell. It must be set to true.
To set this parameter to true, issue the following command:
Related Documents