Configuring Platform Agents
Platform process servers are made up of two independent but interacting parts:
- a process server in the central Redwood Server
- a platform agent on the remote system
- On Windows, a service controls the platform agent and automatically restarts it when it stops
- On UNIX, the native init system controls and restarts the platform agent, additionally, the
platform-agent
script ensures all necessary OS processes are running
Both parts are started independently. The process server is usually started when the central Redwood Server System is started, or otherwise by a Start command issued via an API or the GUI. The platform agent is usually started as part of the operating system boot sequence.
Although either can run alone, the system is only functional when both parts are running and the platform agent service of the process server has established a TCP connection to the platform agent. When the connection gets interrupted, the process server will attempt to reconnect to the platform agent.
A connection must be established for processes to start running, file events to fire and monitoring data to be refreshed. A process will continue running on a platform agent when the connection is lost, the central Redwood Server will not be able to set the process to completed, though, until the connection is restored.
Most settings for the platform agent are stored in the repository as process server parameters. Settings that control who can do what are set on the remote system, as they need to be under the control of the individual system administrator of the remote system that the platform agent is running on.
Refer to the Process Server Parameters section for more information on process server parameters that are stored in the repository.
The agent logs its operation status records to a file. See Agent Logging for more information.
Platform process servers that schedule workload or use file events require at least one of the following keys:
- ProcessServerService.External.limit - the total number of external process servers (Platform agents, distinct web service endpoints, and SAP connectors).
- ProcessServerService.OS.limit - the total number of platform agent process servers.
Configuration
You configure platform agents using the installer, to add another platform agent instance to a server, simply run the installer again.
On Microsoft Windows systems the Scheduler Service Manager allows you to configure some options of the platform agent from within a user interface; see the Configuring Platform Agents on Microsoft Windows section for more information. For other platforms all configuration must be done manually. Knowledge of the parameter configuration files can be useful on Microsoft Windows and UNIX systems as well, in case you need to make advanced configuration changes.
The configuration files are stored in the ${InstallDir}/net/
hierarchy. The net
directory can contain subdirectories so that multiple platform agents can be managed from a single tree. The directories are searched in the following order:
net/instance/<instance>/<file>
.net/hostname/<hostname>/<file>
.net/global/<file>
.
In other words, instance specific settings go before hostname specific settings, and hostname specific settings go before global settings.
In the above locations, the following variables were used:
<instance>
is the name of the instance, which by default is set todefault
.<hostname>
is the hostname of the server, as returned by the commandhostname
.<file>
is the name of the file that it is looking for. Files that are supposed to be protected are located under theprivate
directory.
The files that the system looks for on all systems are listed here in alphabetical order. Usually you do not need to change these as the installer configures necessary entries for you.
important
When you set or change server_root
, you must restart the platform agent service/daemon and the process server in the central server for the change to take effect.
File | Use |
---|---|
address_acl | The hostname(s) or IP addresses of the central Redwood Server the platform agent is locked to. |
agent_initiated_url | HTTP(S) URL of the central Redwood Server. (AgentInitiated only). |
cipherlist | TLS ciphers to use when you configure a platform agent to use TLS. |
client_port_range | Port ranges to be used by the client. This defaults to 0-65535 (AgentInitiated only). |
failover_url | Read-only HTTP(s) URL of the fail-over central Redwood Server; the context URL can be set in the /configuration/jcs/security/FailoverContextURL configuration entry. |
gateway_acl | List of internal networks, IP addresses, DNS names the central Redwood Server is allowed to access via secure gateway. The list can be newline or comma-separated. (AgentInitiated only) |
gateway_port_range | Port ranges to be used by the gateway. This defaults to 40000-49999 . (AgentInitiated only) |
hmac | The HMAC algorithm to be used; either SHA256 (default) or MD5. |
http_response_mode | Can be set to 'keep' to consider HTTP/1.0 GET requests as if they are HTTP/1.1 and socket is kept open. |
http_server_timeout | Timeout in seconds for HTTP server requests; default is unlimited (0). |
listen | The IP addresses that the platform agent should listen on. |
max_requests | The maximum number of HTTP requests per connection. |
monitor_process | Command used to monitor OS processes. |
monitor_socket | Command used to monitor sockets. |
no_live_view | Disables live-viewing of output files while the process runs. |
no_proxy | Comma-separated list of hosts, domains, networks for which no proxy is required. Defaults to <hostname> (as returned by the hostname command) and localhost when not available. |
port | The port the agent listens on for inbound connections. |
private/proxy_url_password | The password(s) for the proxy server(s); a comma-separated list if multiple proxy servers are to be used. (AgentInitiated only) |
private/secret | The secret for authentication. |
proxy_incoming | Boolean value that enables reverse proxy support. |
proxy_url | The URL(s) to the proxy server(s); a comma separated list if multiple proxy servers are to be used. |
secure_connection | Enable TLS for the platform agent HTTP server. Requires PEM formatted public certificate (rwscert.pem ) and private key (private/rwskey.pem ) as well as cipherlist and server_root configuration files set. |
server_acl | The central Redwood Server the platform agent is locked to. |
server_root | List of directories that files can be read from. |
rwscert.pem and private/rwskey.pem | PEM formatted public certificate (rwscert.pem ) and private key (rwskey.pem ) for enabling TLS on the platform agent HTTP server. |
version_compatibility | The versions of the central Redwood Server the platform agent is allowed to connect to. The * wildcard is accepted. |
private/whitelist | List of users that jobs can be run as. |
private/blacklist | Users that cannot be used for running jobs. |
note
You must install the Redwood Server platform agent on a local file system; SAN file systems might be considered local, when they are mounted as iSCSI, for example. NFS or Windows shares are not supported as they may not be available at all times.
The format used in the files that can contain more than one word is freely formatted. You can separate keywords by putting them on separate lines or by separating them by a comma or space. A hash '#' character functions as a comment until the end of the line.
The etc
directory contains global configuration files.
File | Use |
---|---|
ca-bundle.crt | List of PEM-encoded certificates the agent tools trust. |
session.rdp | (Windows Server only) Remote Desktop Protocol (RDP) file used by the agent to connect to the Windows server. |
address_acl
If set, the address_acl
file will limit which IP addresses can connect to the server. The file can contain a list of IP addresses, hostnames and/or IP ranges.
Example:
#
## Example address_acl file
#
192.168.10.0/24
10.31.0.0/255.255.0.0
bpa1.prod.sap.de
bpa1.prod.sap.de
The address_acl
is not set by any of the installers; configuring it is up to the administrator.
agent_initiated_url
For AgentInitiated environments, only.
If the agent should run a TCP server and wait for incoming TCP requests from the central Redwood Server this parameter should not be set. This is the default configuration.
If the agent should create TCP clients and actively connect to the central Redwood Server (so-called AgentInitiated mode) this should be set to the full path of the servlet that it needs to connect to. The pattern allowed in this file is:
https://${Server}:${Port}/${Context}/ipi-platformagentservice/BusinessKey/${Partition}.${ProcessServerName}
For example, the following will connect to an app server named server
running at the default port, context and partition and process server name unix1
:
https://pr1.example.com:50300/redwood/ipi-platformagentservice/BusinessKey/GLOBAL.unix1
See the Cloud platform agents section for more information on this parameter.
note
AgentInitiated platform agents must be configured for auto-update; see Cloud platform agents section for more information.
cipherlist
Specifies the ciphers to use for TLS encryption.
The configuration file accepts a comma-separated list (no spaces) of OpenSSL cipher suite names (not IANA/RFC cipher suite names) or the ALL
keyword, which means all cipher suites except the eNULL
ciphers, ordered in a sensible manner.
Example
ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-CHACHA20-POLY1305
client_port_range
If set, the client_port_range
file will limit the port numbers used for client connections. It accepts the <low>-<high>
syntax, for example, 1024-1048
. This can be used to identify traffic in a firewall, for example.
etc/ca-bundle.crt
List of PEM-encoded certificates. You append PEM-encoded certificates to this file when you want to trust self-signed certificates, for example.
etc/session.rdp
The Remote Desktop Protocol (RDP) file used to connect to the local Windows Server. Windows Server 2012 and later are supported. Windows client operating systems (Windows 8, 8.1, or 10) are not supported.
failover_url
Read-only HTTP(s) URL of the fail-over central Redwood Server; the context URL can be set in the /configuration/FailoverContextURL
[configuration entry|ConfigurationEntries].
gateway_acl
For AgentInitiated environments, only.
You use this file to specify a newline or comma-separated list of networks or hosts the central Redwood Server is allowed to access. For example, your internal network is 10.x.x.x and you only want the central Redwood Server cloud servers to access the 10.0.0.x and 10.10.x.x subnets, you can set this to the following on each platform agent that will act as secure gateway:
10.0.0.0/24
10.10.0.0/16
The file accepts networks (see example), DNS names and IP addresses.
gateway_port_range
For AgentInitiated environments, only.
The port ranges to use for the gateway; by default, this is set to 40000-49999
.
hmac
Normally the agent will use the SHA256 algorithm to compute hashes that garantuee message correctness. This can be switched to the older MD5 algorithm if desired.
listen
You use the listen
file to specify which IP address of the platform agent's computer is used to accept new connections. By default it is "0.0.0.0" and accepts any connection from any Ethernet card and address. You can limit this to a particular IP address or hostname, which resolves to a local IP address. This in turn means that the agent will only listen for connections that come in on that particular device.
If IP address that you want the agent to listen on is not a permanent address (its availability is not 100%) then you are better of keeping the default address of 0.0.0.0 and then setting up an address_acl
parameter to limit who can connect to the agent, as binding to disappearing network devices will result in failure of the agent each time the device stops.
max_requests
The HTTP server in the agent will normally process unlimited requests per HTTP connection. This can be lowered to a particular number by setting this number in the max_requests
file.
This is a debugging/support feature that should only be used in cooperation with technical support.
monitor_process
You use the monitor_process
file to specify the command to use for monitoring an OS process.
monitor_socket
You use the monitor_socket
file to specify the command to use for monitoring a socket.
port
The port the platform agent will use at startup is saved in a file named port
. If no such file is found, the default of 1555
will be used.
The only contents of the port
file should be the port number; to set the port number for instance production
to 1566
, you can proceed as follows:
On UNIX
echo 1566 > /opt/redwood/net/instance/production/port
Note that /opt/redwood
is the installation directory in the above example.
On Windows
echo 1566 > G:\redwood\net\instance\production\port
Note that G:\\redwood
is the installation directory in the above example.
The port
parameter file is set by the standard installers.
no_live_view
Allows you to disable live viewing of output and log files in the Processes Monitor and Definition Studio. The existence of the file disables live viewing, to enable live viewing again, move or delete the file.
private/proxy_url_password, proxy_url, and no_proxy
For AgentInitiated environments, only.
If set, proxy_url
must contain the URL to the proxy server, private/proxy_url_password
the encrypted password. You use jsecret -p
to generate a proxy_url_password
file.
You can specify multiple proxy servers and passwords as follows:
- Create or edit the
proxy_url
file for the instance, for example theproxy_url
for instance default is stored in/opt/redwood/agent/net/instance/default/proxy_url
. Fillhttp://<user>@<proxy_server1>, http://<user>@<proxy_server2>
into the file; for example:http://jdoe@proxy1.example.com:9090,http://jdoe@proxy2.example.com:9090
- Create two separate password files, merge them into one and apply appropriate privileges (ensure jtool is on your PATH):
- Issue
jtool secret -p /tmp/proxy1_url_password
, note that you must enter the password for the first proxy server, in this case.http://jdoe@proxy1.example.com:9090
- Issue
jtool secret -p /tmp/proxy2_url_password
, note that you must enter the password for the second proxy server, in this case.http://jdoe@proxy2.example.com:9090
- Issue
paste -d',' <file_1> <file2> > <path>/proxy_url_password
; for example:paste -d',' /tmp/proxy1_url_password /tmp/proxy1_url_password > /opt/redwood/agent/net/instance/default/private/proxy_url_password
- Issue
chmod 640 path>/proxy_url_password
; for example:chmod 640 /opt/redwood/agent/net/instance/default/proxy_url_password
- Restart the platform agent:
/opt/redwood/agent/latest/etc/scheduler restart
.
no_proxy
When you have a secure gateway configured, you may restrict the network traffic considered as local traffic and be allowed to be forwarded to the cloud, for example, using the following:
<acl-entry>[,<acl-entry>...]
acl-entry := <host>[/<mask>][:<port-range>] | <ipv6-addr>[/<mask>]
port-range:= [<port-low>][-][<port-high>]
port-low := integer 0-65535, default 0
port-high := integer 0-65535, default 65535
host := <hostname> | <ipv4-address> | '['<ipv6-addr>']'
hostname := dns name
ipv4-addr := <d>.<d>.<d>.<d>
d := integer 0-255
ipv6-addr := [<x>]:[<x>][:[<x>]...]
x := hexadecimal integer 0-ffff
mask := <bits>
bits := integer 0-32 (or 0-255 for ipv6)
Where
acl-entry
is the host, subnet, network, or domain for which no proxy is required.host
is the hostname, domain name, IP address, or subnet for which no proxy is required. Examples:*.internal.example.com
(domain),10.1.0.15
(IP address)hostname
- name of the server(s), accepts wildcards. Examplemyserver.example.com
or*.example.com
ipv4-addr
- IP version 4 address, such as10.15.0.15
or10.15.0.0/32
ipv6-addr
- IP version 6 address, such as1234:5678:ABCD:0018::2004
or1234:5678:ABCD:0018::0/64
mask
- subnet mask for subnet specifications (IP version 4 and 6), for example32
in the IP version 4 subnet specification10.1.0.0/32
bits
- bits of the subnetmask
port-range
is the range of allowed ports.port-low
is the lowest allowable port of the range.port-high
is the highest allowable port of the range.
private/secret
If set, it should contain a secret that the central Redwood Server also has configured for this process server. The secret is used to create a hash function over the content of the message being passed. If both sides do not possess the same secret, the agent log file will contain messages such as these:
error <date> [***-http-request #** tid=***] http.http - Content digest *** does not match computed value ***
error <date> [***-http-request #** tid=***] http.http - Request with content has incorrect HMAC checksum
To correct this, ensure both sides possess the same shared secret.
When you install the platform agent using the installer, the shared secret is generated during the installation. When you registered the platform agent during the installation the shared secret will also be known to the central Redwood Server. If not, you have to paste the value into the SharedSecret process server parameter and restart the process server.
You can generate the shared secret with the jsecret executable.
On Microsoft Windows you can also use the Scheduler Service Manager to set the secret; see the Configuring Platform Agents on Windows section for more information.
The secret
is set by the installers and synchronized with the central Redwood Server when the agent installer registers the agent with the server.
proxy_incoming
When this file contains the value true
, the platform agent is accessible via a reverse proxy such as HAproxy or nginx. Refer to the following for more information on the protocol.
rwscert.pem and private/rwskey.pem
rwscert.pem
and private/rwskey.pem
confiration files contain the public certificate and the private key for TLS. These must be PEM formatted, the certificate must start with -----BEGIN CERTIFICATE-----
and the key must start with -----BEGIN PRIVATE KEY-----
. You can try to convert them using openssl
, for example, or ask your certificate authority to provide you with the appropriate format.
Converting from DER to PEM using OpenSSL
$ openssl x509 -inform DER -outform PEM -text -in mykey.crt -out rwscert.pem
$ openssl rsa -inform DER -outform PEM -in mykey.crt -out private/rwskey.pem
secure_connection
The secure_connection
file, if it exists and contains the keyword true
, will force the platform agent to use TLS for incoming HTTP requests. TLS mandates:
- PEM formatted certificate and private key in
rwscert.pem
andprivate/rwskey.pem
, respectively. - OpenSSL cipher suites, or the
ALL
keyword incipherlist
. - One or more directories to serve listed in
server_root
; only files residing in directories or sub directories ofserver_root
will be served to clients.
See Securing Communications for Platform Agents and System Tools
server_acl
The server_acl
file, if it exists, limits the platform agent to only connecting with central Redwood Servers that have a system ID that is on the list in the server_acl file. To find out what a system's system ID is, log in to the system and observe the browser heading; the part before the [ character is the system ID. You can also issue the REL expression String.getSystemId()
in a process definition parameter; it will return the current system ID. Any characters in the system ID that are not alphanumerical, such as '-' dashes, should be converted to underscores: _. For instance, a system ID named 'My Instance:1234' will be transmitted as 'My_Instance_1234'.
The keywords mentioned in the file can be either just system IDs or a combination of system ID, a slash '/', followed by a process server name. For instance the following server_acl
file will limit the agent to function for these three nodes in a cluster, but it will be configurable as any process server:
## Limit this agent to respond only to nodes in the BPA cluster
SAP_BPA_00
SAP_BPA_01
SAP_BPA_02
If you want this agent to respond only to the nodes in the cluster and for only a particular process server name you should have a file like this:
## Limit this agent to respond only to nodes in the BPA cluster and the MSLN_UNIXS1 process server
SAP_BPA_00/MSLN_UNIXS1
SAP_BPA_01/MSLN_UNIXS1
SAP_BPA_02/MSLN_UNIXS1
If the platform agent file has a server_acl
file any messages or requests from systems and/or process servers that it is not configured to respond to will receive an error message stating 'Refusing connection from server with SystemId ... and ProcessServer ...'. This message is not translated into your local language as it is generated as a HTML response.
If the server_acl
file does not exist the platform agent will dynamically tie itself to the system ID and process server that it is first configured as, and will respond with an error message stating 'Strict checking is enabled, Agent will only respond to X-RW-SystemID requests from ...'. This message is not translated into your local language as it is generated as a HTML response.
The server_acl
is set by the automatic install when the agent installer successfully registers with the central Redwood Server.
server_root
The platform agent contains a HTTP server that can be used to serve out process output and agent log files. It only does so to the Java server, as the caller must have the secret. Furthermore it also limits the reading of files to those directories that it has placed process output and log files in anyway. In some user constellations it may be necessary for the platform agent to serve files that it did not generate itself however, and then it must be told which directories it is allowed to serve files from to the Java server.
The server_root
file can contain a list of paths to the top level directories that it should also serve up. For example:
#
## Directories that contain extra output files to be served up
#
c:\tmp\
d:\oapps\data\
The server_root
parameter is not set by any of the installers, configuring it is up to the administrator.
version_compatibility
The version_compatibility
file contains the version(s) of central Redwood Servers the platform agent is allowed to connect with. This file accepts the *
wildcard.
For example, it could be specified as:
9.2.8.*,9.2.9.*
If instructed by support staff, you can use this setting to use a new version of the platform agent with an older version of the central Redwood Server. In that case make sure that the VersionCompatibility
process server parameter is not set, as that means the agent no longer knows what messages the server supports.
http_response_mode and http_server_timeout
When communicating with servers older than 9.0.10, such as version 8 (M33), you may be instructed by support to set http_response_mode
to value keep
and http_server_timeout
to a low value such as 30
.
private/whitelist and private/blacklist
On Unix, it is common practice to prevent certain users from being able to log in interactively. You can also avoid jobs to run as specific users on UNIX, HP OpenVMS, and Windows. Do this by providing Redwood Server with a list of authorized or banned users. These settings are saved in the ${InstallDir}/net
hierarchy, in the private
sub-folder. For security reasons they should only be readable by user redwood
and root
on UNIX and System
on Windows.
If you provide a whitelist then the blacklist is not used. The default value is a blacklist containing root,daemon,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag
on UNIX, no defaults on Windows or HP OpenVMS.
The file accepts a comma separated list of usernames, no Windows domains.
UNIX network-processor
The UNIX specific parameters for the network-processor
executable are kept in the ${InstallDir}/net
hierarchy, just like the system independent settings.
Some items reside in a further private/
subdirectory. For security reasons these should only be readable by the user that the network-processor
runs as.
File | Use |
---|---|
chown | A symbolic link to the chown binary, improving security when using sudo User Switching Security Mode. |
password_check | PAM service to verify user access, or any value for UNIX systems which do not use PAM. |
usermode | Mode used to switch accounts. |
chown
The Redwood Server installer on UNIX creates a sudo configuration for the Redwood Server user when you choose sudo as your user-switching mode. This could be used by a user to gain access to files owned by root
. To avoid this, Redwood Server allows you to specify your own chown
command. Redwood Server ships with an example chown.sh
which checks various parameters for validity.
The chown
file in the net directory is a symbolic link to the chown
binary as detected by the installation routine. You can create a symbolic link to the chown.sh
script in the Redwood Server bin
directory to improve security. Edit the chown.sh
script to suit your security needs.
Password Checking
The UNIX platform agent uses the usermode
to switch accounts. When the user switch mode is setuid
or sudo
the users that jobs can be run as are determined by the private/whitelist
, private/blacklist
and possibly the sudoers
configuration. Who is allowed to use which account is fully under the Central Scheduler Server's administrator control by means of grants on process definitions and credentials. However, the actual password for the account stored in the Central Scheduler Server is not verified against the current password on the UNIX system. In this sense the UNIX platform agent functions like a trusted sub system.
If it is desired that the central Redwood Server proves that it has the current password, and/or extra authentication or access checks need to be performed then the job-processor can call PAM to further authenticate the user. To do so, set a PAM service name in the password_check
file, for instance:
login
Once the password_check
file is filled a series of pam(3)
Pluggable Authentication Module calls will be made; the exception is AIX for which equivalent usersec
calls are made. If the defined pam services refuses access the OS process will go into the ERROR state.
You can use the network-processor
to test your configuration by using the -o
flag.
Checking the password for a specific instance, password is correct and PAM checking is enabled:
./network-processor -i prod -o
[...]
INFO 2023-09-28 06:07:45,408 GMT [131172-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO 2023-09-28 06:07:45,408 GMT [131172-network-processor] common.config - Password checking is enabled with value login
INFO 2023-09-28 06:07:45,408 GMT [131172-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
INFO 2023-09-28 06:07:45,508 GMT [131172-network-processor] network.main - Password is correct
INFO 2023-09-28 06:07:45,508 GMT [131172-network-processor] main.main - network-processor exit 0
Checking the password for a specific instance, password is incorrect and PAM checking is enabled:
./network-processor -i prod -o
[...]
INFO 2023-09-28 06:07:45,608 GMT [131175-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO 2023-09-28 06:07:45,608 GMT [131175-network-processor] common.config - Password checking is enabled with value login
INFO 2023-09-28 06:07:45,608 GMT [131175-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
ERROR 2023-09-28 06:07:45,708 GMT [131175-network-processor] opsys.user - Could not authenticate user 'example' via PAM: Authentication failure
INFO 2023-09-28 06:07:45,708 GMT [131175-network-processor] main.main - network-processor exit 2
Checking the password for a specific instance, password is correct, however, PAM checking is disabled ( password_check
is not set):
./network-processor -i default -o
[...]
INFO 2023-09-28 06:07:45,808 GMT [131195-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO 2023-09-28 06:07:45,808 GMT [131195-network-processor] common.config - User authorization delegated to sudo configuration and blacklist
INFO 2023-09-28 06:07:45,808 GMT [131195-network-processor] opsys.update - Delaying verification of sudo user switch mode to point when configured by server
Enter password for example:
ERROR 2023-09-28 06:07:45,908 GMT [131195-network-processor] opsys.user - Password checking has not been enabled. Set 'password_check' net configuration file to desired PAM module, usually 'login'
INFO 2023-09-28 06:07:45,908 GMT [131195-network-processor] main.main - network-processor exit 2
Troubleshooting dependencies
$ network-processor -i prod -o
INFO 2023-09-28 06:07:45,169 GMT [12787-network-processor] common.logging - Logging to stderr at level info
INFO 2023-09-28 06:07:45,169 GMT [12787-network-processor] common.logging - Flavor linux-x86 build 9_2_8_20230928_10
INFO 2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Network character set is utf8
INFO 2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Internal character set is utf8
INFO 2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Filedata character set is UTF-8
INFO 2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Filesys character set is UTF-8
INFO 2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Argument character set is UTF-8
INFO 2023-09-28 06:07:45,171 GMT [12787-network-processor] opsys.env - Operating system Linux=v3.2 id=x86_64
user=32-bit ram=7833MB processors=12
INFO 2023-09-28 06:07:45,173 GMT [12787-network-processor] opsys.socket - IPv4/IPv6 support compiled in.
INFO 2023-09-28 06:07:45,174 GMT [12787-network-processor] opsys.init - Host pr1 FQDN pr1.example.com
INFO 2023-09-28 06:07:45,174 GMT [12787-network-processor] common.config - Jobs will only be run for users not on default
blacklist root,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag
INFO 2023-09-28 06:07:45,174 GMT [12787-network-processor] common.config - Password checking is enabled with value login
INFO 2023-09-28 06:07:45,178 GMT [12787-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
ERROR 2023-09-28 06:07:45,204 GMT [12787-network-processor] opsys.user - Could not authenticate user example via PAM:
Module is unknown
INFO 2023-09-28 06:07:45,204 GMT [12787-network-processor] main.main - exit 2
The above occurs when you run 32-bit GNU/Linux platform agents on 64-bit operating systems without the necessary pam libraries.
$ sudo yum install pam.i686
[...]
$ network-processor -i prod -o
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] common.logging - Logging to stderr at level info
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] common.logging - Flavor linux-x86 build 9_2_8_20230928_10
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Network character set is utf8
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Internal character set is utf8
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Filedata character set is UTF-8
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Filesys character set is UTF-8
INFO 2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Argument character set is UTF-8
INFO 2023-09-28 06:07:45,257 GMT [13163-network-processor] opsys.env - Operating system Linux=v3.2 id=x86_64
user=32-bit ram=7833MB processors=12
INFO 2023-09-28 06:07:45,260 GMT [13163-network-processor] opsys.socket - IPv4/IPv6 support compiled in.
INFO 2023-09-28 06:07:45,260 GMT [13163-network-processor] opsys.init - Host pr1 FQDN pr1.example.com
INFO 2023-09-28 06:07:45,260 GMT [13163-network-processor] common.config - Jobs will only be run for users not on default
blacklist root,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag
INFO 2023-09-28 06:07:45,261 GMT [13163-network-processor] common.config - Password checking is enabled with value login
INFO 2023-09-28 06:07:45,265 GMT [13163-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
INFO 2023-09-28 06:07:45,307 GMT [13163-network-processor] network.main - Password is correct
INFO 2023-09-28 06:07:45,307 GMT [13163-network-processor] main.main - exit 0
Following the installation of the 32-bit pam libraries, the password check succeeds. Note that on Debian-based systems the package in question is named libpam-modules
. Note that a 64-bit version of the GNU/Linux platform agent is available.
usermode
The user-switching mode that the network-processor uses to run jobs under the correct account is stored in ${InstallDir}/net/.../usermode
. It contains one of the following: plain
, root
, sudo
or setuid
.
This parameter is usually set by the UNIX platform agent installer.
See Also
- Using the Wizard to Create Process Servers
- Configuring Platform Agents on Windows
- Configuring Load Balancing on Platform Agents
- Automatically Updating Platform Agents
- Securing Communications for Platform Agents and System Tools
- Creating a Monitoring Platform Agent
- Monitoring External Systems with Platform Agents
- Support Note 115542 - Character set issues related to processes, jtool and jmail
address_acl agent_initiated_url blacklist chown client_port_range clustername failover_url gateway_acl gateway_port_range listen monitor_process monitor_socket no_proxy password_check port proxy_incoming proxy_url proxy_url_password secret server_acl server_root usermode version_compatibility whitelist