Configuring the Embedded Agent Manager
Installing External Agent Managers
Understanding How the Agent Manager Communicates with the Management Server
Deploying the Agent Manager Cartridge
Downloading the Agent Manager Installer
Installing the Agent Manager
Configuring the Agent Manager
Installing the Agent Manager using the Installer Interface
Installing the Agent Manager from the Command Line
Using the Agent Manager Silent Installer
Installing the Agent Manager as a Windows Service
Starting or Stopping the Agent Manager Process
Frequently Asked Questions
How do I upgrade the Agent Manager?
How do I uninstall the Agent Manager?
Where can I find the Agent Manager installation log files?
Why does the message "Created system preferences directory in java.home" appear after I finish installing the Agent Manager on AIX?
Are the passwords that are stored in the configuration file, fglam.config.xml, encrypted?
How can I see what parameters are available for the silent installers?
Why are two URLs displayed for localhost when I search for HA peers?
I tested the connection between the Agent Manager and a Management Server, but the Management Server URL failed the connectivity test. Why did this happen?
When I try to install the Agent Manager using the installer interface on Solaris x86 VMware, it fails and a warning message related to fonts appears. Why does this occur?
Why does an AIX compatibility warning appear when I run the Agent Manager installer?
Operating System patches
Launching the Agent Manager Installation Interface
Configuring the Agent Manager from the Command Line
Configuring the Agent Manager to Use SSL Certificates
Configuring an Agent Manager Instance as a Concentrator
Advanced System Configuration and Troubleshooting
Configuring the Concentrator
Configuring Downstream Instances
Creating a Secure Connection with Downstream Instances
Excluding SSL Ciphers from Upstream or Downstream Connections
Configuring the Agent Manager to Accept Connections from the Management Server
Configuring Multiple Agent Manager Instances
Controlling the Polling Rate
Configuring Agent Managers to Work in High Availability Mode
Assigning Agent Managers to HA Partitions
Adding Cartridges to the HA Deployment Whitelist
About Agent Fail-Over
About Non-HA Deployments
Negotiating Agent Manager Resources at Runtime
How the Agent Manager Applies Configuration Settings
Configuration Example
Moving Existing Out-of-Process Agents to the Runtime Resource Negotiation
Disabling Runtime Resource Negotiation
Configuring Credentials
Troubleshooting
Configuring Windows Management Instrumentation (WMI)
Monitoring the Agent Manager Performance
Windows Firewall Interference
Minimum Requirements for Windows Management Instrumentation
Configuring Windows Remote Management (WinRM)
Promoting remote users to administrators on local machines through the Domain Controller
Granting required permissions to individual remote users
WMI Access Violation and OS Connectivity Verification Failure
WMI and Quota Violation Error
Known WMI Issues in Windows Server 2008
Modifying Registry Key Ownership on Windows Server 2008 R2
Configuring Registry Settings for Windows Server 2008 R2 and Windows 7
Resolving Access Denied Errors when Connecting to Windows XP Professional
OS Collection Fails with a Local_Limit_Exceeded Error
Access to DCOM Objects and Registry is Denied
Configuring Registry Settings for WinShell Access through DCOM
Enabling Agents to Connect from UNIX Machines
Enabling Agents to Connect Locally on Windows
Releasing a Locked MySQL Process
Generating a Configuration File Required for WinRM Negotiate Authentication
About the Cross-Realm Negotiate Authentication Behavior
About WinRM Authentication and the Agent Manager
Configuring the Target (Monitored) System
Configuring the Agent Manager (Monitoring) System
Configuring the Command-Shell Connection Settings
Available WinRM Connection Schemes when the Agent Manager Runs on AIX
About WinRM Connection Ports
Troubleshooting
UNIX- and Linux-Specific Configuration
About the Supported Remote Monitoring Protocols
Configuring the Agent Manager to Run as a Daemon
Configuring Agent Manager Agent Privileges
Using Sudo to Configure Secure Launcher Permissions
Using setuid_launcher to Configure Secure Launcher Permissions
Using the HP Patch Checking Tool
About Agent Manager Installations on AIX
Preventing Agent Manager Core Dumps on Linux
Investigating Agent Manager Diagnostics
Deploying the Agent Manager to Large-Scale Environments
Using Agent Manager Silent Installer Parameters
Example: Deploying the Agent Manager to Multiple UNIX Hosts
Example: Deploying the Agent Manager to Multiple Windows Hosts
Next Steps
Configuring the Agent Manager (Monitoring) System
If the Agent Manager fails to find a configuration file, it attempts to automatically detect the required settings and writes them to $FGLAM/state/default/config/krb5.conf.
You can manually override the location of krb5.conf with the following command-line parameter:
|
• |
By default, Windows does not allow JavaTM to access certain required session keys when JavaTM attempts to authenticate with Kerberos. The following registry keys should be added to ensure that the required sessions keys are available. The Agent Manager attempts to detect and update these registry keys automatically the first time a WinRM connection is attempted. |
|
• |
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters |
|
• |
Value Name: allowtgtsessionkey |
|
• |
Value Type: REG_DWORD |
|
• |
Value: 0x01 |
|
• |
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos |
|
• |
Value Name: allowtgtsessionkey |
|
• |
Value Type: REG_DWORD |
|
• |
Value: 0x01 |
The KerberosConfigurationService API provides the ability for agents to modify or create a Kerberos configuration file during runtime.
The Agent Manager uses the Kerberos configuration file to establish WinRM Negotiate connections to hosts. In most cases, the Agent Manager can create the Kerberos configuration for the current domain to which the machine running the Agent Manager belongs. However, the Kerberos configuration typically needs to be modified when cross-domain WinRM connections are required. This can be done by modifying the Kerberos configuration file manually, to add the new domain properties, and restarting the Agent Manager. If no instance of the previous Kerberos configuration file is found, the fglam.config.xml file needs to be updated to instruct the Agent Manger which Kerberos configuration file to use for WinRM connections.
All of these actions can also be performed during runtime, without requiring any manual changes, or an Agent Manager restart. The KerberosConfigurationService allows agents to make these changes during runtime and have the changes take effect immediately. If a new configuration file is created, fglam.config.xml file is updated automatically.
Configuring the Command-Shell Connection Settings
|
• |
MaxConcurrentOperationsPerUser: This parameter specifies the maximum number of concurrent Enumeration operations allowed by an individual user. The value must be in the range of 1 to 4294967295. |
This parameter is only available for WinRM version 2.0 and later. In version 1.1, the MaxConcurrentOperations parameter is used instead.
|
TIP: WinRM parameters can also be edited using the Group Policy Object Editor. To start the editor, type gpedit.msc at the command line, and then navigate to Local Computer Policy > Computer Configuration > Administrative templates > Windows Components > Windows Remote Management (WinRM) and Windows Remote Shell. |
|
• |
MaxConcurrentOperations: This parameter specifies the maximum number of concurrent shells any user can remotely open on the same system. Any number from 1 to 4294967295 can be used. For more information about this parameter, you can visit the following Web page: http://msdn.microsoft.com/en-us/library/cc251426.aspx. |
This parameter is only available for WinRM version 1.1. It is deprecated for version 2.0 and later, and MaxConcurrentOperationsPerUser is used instead.
|
• |
MaxShellsPerUser: This parameter specifies the maximum number of concurrent shells any user can remotely open on the same system. Any number from 0 to 2147483647 can be used, where 0 means unlimited number of shells. If this policy setting is enabled, the user cannot to open new remote shells if the count exceeds the specified limit. |
|
• |
AllowRemoteShellAccess: This parameter controls access to the remote shell. It must be set to true. |
To set this parameter to true, issue the following command:
Available WinRM Connection Schemes when the Agent Manager Runs on AIX
When the Agent Manager monitoring a Windows® machine runs on an AIX® system, WinRM connections only work for the Basic authentication scheme. Attempting to use the Negotiate scheme does not result in a WinRM connection being established.
About WinRM Connection Ports
|
• |
WinRM 1.1 and earlier: The default HTTP port is 80, and the default HTTPS port is 443. |
|
• |
WinRM 2.0 and later: The default HTTP port is 5985, and the default HTTPS port is 5986. |
After issuing the winrm quickconfig command, the listener port number can be determined using the winrm enum winrm/config/listener command. For example: