IBM Support

Executecommand, ITM Command Security and ITM component levels

Technical Blog Post



Hello,

as most of you already know, ITM 6.3 introduced an enhancement in order to improve the command security of IBM Tivoli Monitoring (ITM) environments.

This feature is meant to ensure that commands originate from a trusted ITM source and that they are not intercepted or changed before arriving at their destination.

An exhaustive description of the feature and related configuration is available at this link:

 

/support/pages/node/603351

 

However, this feature also introduced complexity that led to some problems, especially in environments with mixed ITM component levels, for example in environments where some agents are lower than v6.3 and the ITM servers are at 6.3 FP1 or higher.

The aforementioned technote explains most of the problem scenarios that may be related to the command security feature, and also explains how to set the configuration parameter KMS_SECURITY_COMPATIBILITY_MODE depending on the version of the components running in your ITM infrastructure.

 

In my experience, a correct configuration of the KMS_SECURITY_COMPATIBILITY_MODE parameter helps 99.9% of the time.

However, I have faced a scenario where a remote command, executed with "tacmd executecommand", was failing with:

 

KUIEXC504E:  User of the agent is not authorized

 

even though the ITM servers (TEPS/TEMS) were at a lower level than v6.3.

Initially I focused on the authorization of the account used to start the agent, to be sure it had all the necessary permissions to run the desired command.

It was an account with administrator privileges, so I had to exclude this option from the possible root causes.

Looking at the cinfo output from the TEPS/TEMS and from the target agent nodes, I noticed that all the components for TEMS and TEPS (including shared components) were at level 6.23 FP5, while the agent node showed a mixed level for the shared components and the Agent component.

----------------------------------------------------

PC  PRODUCT DESC                                             PLAT  VER           BUILD   INSTALL DATE   PATCHES    
     
06  K06(64-bit) CMA/Monitoring Agent for GSMA BlueCARE    WIX64 02.00.00.00  201212101124  NOVALUE          0    
AC  KAC(64-bit) CMA/32/64 Bit Agent Compatibility Package    WIX64 06.30.03.00  201407281318  20160420 1520    0    
GL  KGL(64-bit) CMA/Tivoli Enterprise Monitoring Agent Fram  WIX64 06.30.03.00  d4204a        20160420 1520    0    
GL  KGL(32-bit) CMA/Tivoli Enterprise Monitoring Agent Fram  WINNT 06.30.03.00  d4204a        20160420 1520    0    
NT  KNT(32-bit) CMA/Monitoring Agent for Windows OS            WINNT 06.23.05.00  40431         20141205 0111    0

----------------------------------------------------

We can see that the OS agent was at the same level as the TEMS and TEPS, but the shared components were at 6.30 FP3.

The install date of the components matches the date the problem was first experienced, so it is clearly related.

The command security feature was not available on the TEMS/TEPS side, but the related code was enabled on the agent side, because the shared components were at the v6.3 FP3 level.

We know that an agent must be at the same or lower level than the connected TEPS/TEMS.

This scenario demonstrates once more that this recommendation must be taken seriously.

In this case the agent component was actually at the same level, but the shared components were instead newer.

The shared components were upgraded when the KAC component was installed on this node.

By mistake, the ITM 6.3 FP3 installation media was used instead of the 6.23 FP5 media.

This caused a shared components mismatch between the ITM servers and the target agent node.

 

In order to correct the issue, we had to reinstall the CANDLEHOME using the correct level of ITM shared components, including KAC.

After having completed this task the tacmd executecommand started working fine again.
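
The level comparison done above by reading cinfo by hand can be scripted. The following is an added example, not part of the original post or of ITM: it parses the agent-node rows shown above and lists the components running 6.3 code while the servers are below 6.3. The function names, the regular expression and the use of 06.30.00.00 as the VER value for "ITM 6.3" are assumptions.

```python
import re

# Agent-node rows copied from the cinfo output shown in this post.
SAMPLE_CINFO = """\
06  K06(64-bit) CMA/Monitoring Agent for GSMA BlueCARE    WIX64 02.00.00.00  201212101124  NOVALUE          0
AC  KAC(64-bit) CMA/32/64 Bit Agent Compatibility Package    WIX64 06.30.03.00  201407281318  20160420 1520    0
GL  KGL(64-bit) CMA/Tivoli Enterprise Monitoring Agent Fram  WIX64 06.30.03.00  d4204a        20160420 1520    0
GL  KGL(32-bit) CMA/Tivoli Enterprise Monitoring Agent Fram  WINNT 06.30.03.00  d4204a        20160420 1520    0
NT  KNT(32-bit) CMA/Monitoring Agent for Windows OS            WINNT 06.23.05.00  40431         20141205 0111    0
"""

# TEMS/TEPS level from the post (6.23 FP5), written in cinfo VER notation.
SERVER_LEVEL = "06.23.05.00"
# Assumption: "ITM 6.3" corresponds to VER 06.30.00.00 and above.
COMMAND_SECURITY_LEVEL = "06.30.00.00"

# product code, component, description, platform, four-part version
ROW = re.compile(r"^(\w{2})\s+(\S+)\s+(.*?)\s+(\w+)\s+(\d{2}\.\d{2}\.\d{2}\.\d{2})\s")

def as_tuple(ver):
    return tuple(int(part) for part in ver.split("."))

def parse_cinfo(text):
    """Return (product code, component, platform, version) per component row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pc, comp, _desc, plat, ver = m.groups()
            rows.append((pc, comp, plat, ver))
    return rows

def newer_than_server(rows, server_level=SERVER_LEVEL):
    """Components installed at a higher level than the connected TEMS/TEPS."""
    limit = as_tuple(server_level)
    return [r for r in rows if as_tuple(r[3]) > limit]

def command_security_mismatch(rows, server_level=SERVER_LEVEL):
    """Components carrying 6.3+ code while the servers are still below 6.3."""
    floor = as_tuple(COMMAND_SECURITY_LEVEL)
    if as_tuple(server_level) >= floor:
        return []
    return [r for r in rows if as_tuple(r[3]) >= floor]

if __name__ == "__main__":
    for pc, comp, plat, ver in command_security_mismatch(parse_cinfo(SAMPLE_CINFO)):
        print(f"{comp} ({plat}) is at {ver}, servers are at {SERVER_LEVEL}")
```

Run against the rows above, it reports the KAC and both KGL entries and leaves KNT and K06 alone.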

 

Have a nice day

 

 

 
