Installing the Agent for UNIX
This page guides you through the installation of a UNIX Agent, which can be used for 32-bit and 64-bit. To make use of its full capacity, it is recommended to use the 64-bit Agent.
Tip! This page refers only to the manual installation process. If you want instructions on how to install a containerized UNIX agent, see Installing Containerized UNIX Agents.
Watch the Video: Installing UNIX Agents
Notes:
-
Each supported UNIX variant has a three-character code which is part of the Agent's file name. In this topic the specific code is replaced by "???."
-
Additional installation steps are required before the Agent can be started and used if you intend to use one of the available authentication methods. For more information, see Agent Authentication.
-
For information about CallAPI files and their implementation, see CallAPI for UNIX.
-
Jobs scheduled to run on UNIX Agents can include customer-specific scripts. If one of these scripts modifies the LD_LIBRARY_PATH environment variable while the loader is running, the change remains in the shell environment. If the messenger binary runs after that, loading fails and the job execution is aborted. For more information, see Troubleshooting - LD_LIBRARY_PATH Overridden .
This page includes the following:
Requirements
You must create an own UNIX user ID for the Automation Engine (default: uc4, Home = /opt/uc4).
Important Considerations
The following sections describe some important topics that you must consider when installing and configuring the Agent.
Privileged/Unprivileged Mode
The Agent for UNIX operating systems can be installed to run either as a privileged or an unprivileged process. However, the Agent can only operate with full capabilities if it is installed as a privileged process.
You can use two different methods to start the Agent with root privileges:
-
Start the Agent directly under the user root.
-
Define root as owner, assign the group in which the start user belongs, set the execute bit for the group and set the SetUID (s-bit) for the Agent file owner.
Example
- chown root ucxjlx6
- chgrp admin ucxjlx6
- chmod 4755 ucxjlx6
When using the UNIX platform Agent Solaris, it is not possible to load libraries from custom folders as root unless the Agent is started by root, which means that a regular user with the SetUID flag cannot start the Agent. Therefore, you have to explicitly allow loading libraries from custom folders as root to load the Agent from a custom folder using SetUID. To do so, you can use crle commands.
Example
-
64-bit host: sudo crle -64 -s <agent bin absolute path> -u
-
32-bit host: sudo crle -s <agent bin absolute path> -u
What are root privileges needed for?
The UNIX Agent executes a variety of tasks under control of the Automation Engine. These tasks must be executed under users that are assigned to the tasks. To be able to start tasks as users other than the UNIX Agent start user, to do inter-process communications as users other than the UNIX Agent start user, or to access files as a user other than the UNIX Agent start user, the UNIX Agent requires root privileges to be able to switch the user context.
Which tasks are performed for which users?
In the Automation Engine, jobs, file transfers, file events, or even various Automation Engine scripting language commands are defined for certain users. The user credentials are defined in Login objects in the Automation Engine.
What are the limitations if the UNIX Agent is operated in unprivileged mode?
As an unprivileged process, the UNIX Agent can operate only as the Agent start user. For that reason, file transfers, jobs, or file access can only be performed as the Agent start user.
What configuration is required to run a UNIX Agent in the unprivileged mode?
Since the Agent cannot perform any user context switches, the Agent must also be operated in anonymous mode. To turn on the anonymous mode, set the login_check parameter to no in the configuration (INI) file. Also, set the ANONYMOUS_FT/ANONYMOUS_JOB/ANONYMOUS_FE parameters as desired in the UC_HOSTCHAR_* variable that is associated with the Agent. For more information, see UC_HOSTCHAR_DEFAULT - Host Characteristics.
Important! No matter in which mode you are running a UNIX Agent, you can configure the permissions to the Agent-specific subdirectories in the Agent INI file.
Agent Variables and Folder permissions
During or after the Agent installation, you must configure a number of Agent-specific variables that control the access to the following folders:
-
backup
Agent-specific folder that is created when the Agent starts. It is meant for the file-based rollback and it is available for Jobs and File Transfers. You define its path and the corresponding permissions in the UC_EX_PATH_BACKUP Agent variable.
To use the file-based rollback, you need the OS user under which the related jobs and file transfers are started, and write access to the backup directory
-
temp
Agent-specific folder that is created when the Agent starts. It is where the Agent stores generated jobs on a temporary basis. You define its path and the corresponding permissions in the UC_EX_PATH_TEMP Agent variable.
-
resources
Agent-specific folder that is created when the Agent starts. It is where Client-wide resources are stored You define its path and the corresponding permissions in the UC_EX_PATH_CACHE Agent variable.
Important! By default, the access to these folders is NOT restricted and they can be modified by any user. You configure specific permissions for each folder in the [MISC] section of the Agent INI file.
For more information, see:
-
Agent Unix INI file
Example:
[MISC]
...
; specified user name or id (id use then used as uid and gid) who becomes the owner of the folder
; default is the user who executes the agent
FolderOwner=osgrp
;FolderOwner_backup=
;FolderOwner_cache=
;FolderOwner_temp=
; specified permission masks are set
; default is any access for everyone for newly created folders
; existing folder permissions are not modified
FolderPermissionMask=rwxrwxrwx
;FolderPermissionMask_backup=
;FolderPermissionMask_cache=
;FolderPermissionMask_temp=
...
Important!
For security reasons, if a login has been specified in the PREP_PROCESS script function, the event file is created in the HOME directory of the user. If no login is specified, the system assumes that the succeeding event job runs with Agent privileges. Therefore, PREP_PROCESS creates the file name with the temp path of the Agent. For more information, see PREP_PROCESS.
At the time when PREP_PROCESS is being processed, the system does not know whether the job will use a login or not. From a technical perspective, this cannot currently be determined, because the event job could also specify the login dynamically (with a PUT_ATT script statement).
There are two possible solutions:
- Specify a login in PREP_PROCESS (recommended and secure solution).
- Assign read and write access to the temp directory of the Agent to the user who is defined in the Event job.
Authorizations for jobreport files are specified using the ReportMode= parameter of the INI file of the UNIX Agent. For more information, see Agent Unix.
Connecting to the Automation Engine
The Automation Engine and the Windows, UNIX, and Java Agents communicate using TLS/SSL. These agents establish a connection with the Java communication process (JCP), which uses trusted certificates to prove their identity to other communication partners.
Important! Make sure you are familiar with the TLS/SSL and certificate implementation before installing and/or upgrading the respective component. For more information, see:
When you used certificates signed by a CA, the certificates are stored in the respective Java or OS store by default; that is the Java trust store for Java components and Java Agents, the Windows OS store for Windows Agents, or the TLS/SSL store for UNIX Agents. In this case, you only have to check that the root certificates already are in the respective store.
If the relevant certificates are not there and you want to import them, you can use OS or Java specific tools for that purpose, such as Keytool, cert-manager, OpenSSL and such. For more information on how to use those tools, please refer to the respective product documentation.
If you do not want to use the default locations for the components and Agents listed above, make sure you use the trustedCertFolder=, agentSecurityFolder=, and keyPassword= parameters (if applicable) in the respective configuration (INI) file to define the path to the folder where the trusted certificates are stored.
Note: The TLS/SSL implementation does not apply to the HP-UX Agent, as it is no longer supported in this version.
The Agent searches for certificates in the most common TLS/SSL stores. If you do not use a default location, the UNIX agents additionally require you to define the SSLCertDir= and SSLCertFile= parameters to load the certificates from the TLS/SSL store.
Default SSLCertDir
-
/etc/ssl/certs
Platforms: Debian/Ubuntu
-
/etc/pki/tls/certs
Platforms: Fedora/RHEL/CentOS
-
/usr/local/share/certs
Platforms: FreeBSD
-
/etc/openssl/certs
Platforms: NetBSD
-
/var/ssl/certs
Platforms: AIX
Default SSLCertFile
-
/etc/ssl/certs/ca-certificates.crt
Platforms: Debian/Ubuntu
-
/etc/pki/tls/certs/ca-bundle.crt
Platforms: Fedora/RHEL 6/CentOS
-
/etc/ssl/ca-bundle.pem
Platforms: OpenSUSE
-
/etc/pki/tls/cacert.pem
Platforms: OpenELEC
-
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Platforms: CentOS/RHEL 7
-
/etc/ssl/cert.pem
Platforms: Alpine Linux
If the Agent does not find any certificates or the paths do not exist in your system, then the Agent is not able to connect to the Automation Engine.
You can use different commands to search for the certificates in your system. Only a privileged user, such as root, can search in these folders.
Examples - SSL_CERT_DIR
sudo find /etc/ssl/ -name '*DigiCert*'
sudo find /etc/ -name 'DigiCert_Global_Root_CA.pem'
Examples - SSL_CERT_FILE
sudo grep -R "DigiCert" /etc/ssl/
sudo grep -R "DigiCert Global Root CA" /etc/
Important! TLS/SSL Agents (in containers and on-premises) as well as the TLS Gateway, when used for the Automic Automation Kubernetes Edition, establish a connection to an ingress / HTTPS load balancer, which requires a certificate for authentication.
Make sure that address of the load balancer is defined on both sides: the Automation Engine and the Agent / TLS Gateway and that your HTTPS load balancer has the required certificates in place. For more information, see Connecting to AWI, the JCP and REST Processes Using an Ingress.
Installing the Agent
-
Transfer the TAR files to the host and set up the system environment.
-
On the host, carry out the following steps:
-
Register with the AE user ID.
-
Transfer the TAR file ucxj???.tar.gz
-
Unpack the TAR files
gzip -d ucxj???.tar.gz or gunzip ucxj???.tar.gz
tar -xvf ucxj???.tar
(Linux: tar -zxvf ucs???.tar.gz)
The unpacked files are displayed. Note any TAR messages and verify that all files are unpacked correctly. You can delete the TAR file after unpacking it.
Make sure that all files have the correct owner and group entry. AE must be the owner. The group must correspond with the code AE. Only a privileged user, such as root, can make these modifications.
chown AE * changes the owners of all files to AE.
chgrp Group_name * changes the user groups of all files.
-
For actual operation, you can give the program ucxj??? the permissions of a privileged user such as root.
-
Change owner to root
chown root ucxj???
-
Set S-Bit (Set-Userid)
chmod 4755 ucxj???
-
-
Customize the INI file of the UNIX Agent using an editor such as vi. You can also edit and transfer the INI file on the Admin computer through FTP. The program ucxj??? and the INI file must be in the same directory (see Agent Unix).
TLS and Certificates
-
When you used certificates signed by a CA, the certificates are stored in the respective Java or OS store by default. In this case, you only have to check that the root certificates already are in the respective store.
If you do not want to use the default location for this component, make sure you use the trustedCertFolder=, agentSecurityFolder=, and keyPassword= parameters (if applicable) in the respective configuration (INI) file to define the path to the folder where the trusted certificates are stored.
For more information, see Securing Connections to the AE (TLS/SSL).
-
If you do not want to use the default locations, UNIX agents additionally require you to define the SSLCertDir= and SSLCertFile= parameters in the [AUTHORIZATION] section of the INI file of the Agent ( see Agent Unix) to load the certificates from the SSL store. The files can be stored either in one file per certificate or all certificates in one .pem file.
-
SSLCerDir= location of the trusted CA certificates with each certificate in a separate file, for example,/etc/ssl/certs/
-
SSLCertFile= location of the .pem file with all the trusted CA certificates, for example, /etc/pki/tls/certs/ca-bundle.crt
The Agent reads the INI file and uses the locations defined there. If they are not defined, the Agent cannot connect and logs it accordingly.
You can use different commands to search for the certificates in your system. Only a privileged user, such as root, can search in these folders.
Examples - SSL_CERT_DIR
sudo find /etc/ssl/ -name '*DigiCert*'
sudo find /etc/ -name 'DigiCert_Global_Root_CA.pem'
Examples - SSL_CERT_FILE
sudo grep -R "DigiCert" /etc/ssl/
sudo grep -R "DigiCert Global Root CA" /etc/
-
Restrict Agent Capabilities
In the [AUTHORIZATION] section of the INI file ( see Agent Unix), you can use the following parameters to restrict the Agent capabilities in the target system:
-
ft_source= the Agent can be the source of a FileTransfer
-
ft_target= the Agent can be the target of a FileTransfer
-
Execute= the Agent can execute jobs
-
CAU_enabled= the Agent can be updated using CAU
By default, the Agent is allowed to perform all these functions.
Permissions
Once the Agent is installed, a number of subdirectories are created automatically upon starting the Agent. These folders do not have any restrictions. You can restrict the access to these folders in the Agent INI file. For more information, see Agent Variables and Folder permissions.
Fork/Batch
You can start jobs either with the fork function or the batch command. Use the start_type= parameter in the INI file of the Agent to define the value. Depending on the definition, the following rules apply to the Agent:
-
fork: When the Agent is started with a user ID with root rights, jobs can start under any user ID. Otherwise, jobs must run under the user ID used to start the Agent. The Agent uses execle for spawning the job with minimal environment settings in contrast to su - where the complete user environment is loaded.
-
batch: The Agent must start with a user ID with root rights. To prevent an unexpected or unreliable behavior, su - should not be used because the complete shell environment is loaded.
-
-
-
On the Admin or server computer, adjust the HEADER.UNIX, TRAILER.UNIX and RESTART.UNIX if necessary. For more information, see Executing Jobs.
-
-
Optionally, on the host, configure the PAM (Pluggable Authentication Modules) authentication. This authentication is supported for the UNIX platform Agents Solaris, Linux and AIX.
-
PAM library installation
The PAM library must be installed on your system (depends on the platform you use).
-
PAM library configuration
The configuration process depends on the UNIX platform that you use. Typically, you handle it using the files /etc/pam.d or /etc/pam.conf. The name of the service complies with the name of the executable Agent file (ucxj???).
-
Agent configuration
In the INI file of the Agent, set the authentication= parameter in the [MISC] section to pam. Use the parameter libname= in the [PAM] section to specify the path and the file name of the PAM library :
[MISC] authentication=pam [PAM] libname=/usr/lib/libpam32.o
-
-
Start the Agent.
-
On the server computer, make sure the AE system is running. For more information, see Multi-Server Operations.
-
On the host, carry out the following steps:
Note: If you start the Agent for testing in the dialog, quitting with the DEL key is only possible as of version 1.20 and if the corresponding parameter has been defined in the INI file. Do not set this parameter, but quit from another terminal using the kill -TERM instead.
-
Start the Agent in the background from the $HOME/bin directory.
If the $HOME/bin directory is set in the system environment PATH, enter the following command:
nohup ucxj???1> ucxj???.log 2>&1 &
If the $HOME/bin directory has not been set in the system environment PATH, enter the following commands:
nohup ./ucxj???1> ucxj???.log 2>&1 &
Note displayed process ID pid.
Information about the process with ps -ppid. Not always available.
Information about all UCX processes with ps -ef | grep ucx.
Information about all processes with ps -e.
-
An Agent object is automatically created in system client 0 and stored in the folder HOST.
Upon start, Agent-specific folders are created. You can configure access permissions to those folders now. For more information, see Agent Variables and Folder permissions.
-
-
In AWI, client 0, verify that the Agent is logged on to the Automation Engine.
Newly logged on Agents are not assigned to a client automatically and can only be viewed in Client 0. Once you have logged in to Client 0, access the Administration perspective and select Agents & Groups.
Assign the new Agent to clients with the required rights using the Agent object definition. For more information, see Authorizations Page.
-
-
On the host, end the Agents using one of the following options:
-
End the Agent normally: kill-TERM pid
-
End the Agent through AWI: In the Agents section of the Administration perspective, right-click the relevant and select Stop.
-
Cancel the Agent in emergency cases (network connections are not properly closed): kill -KILL pid or kill -9 pid.
-
See also:
- Installing the Agents
- Agent Unix INI file