Executecommand, ITM Command Security and ITM component levels
Albook
As most of you already know, ITM 6.3 introduced an enhancement to improve the command security of IBM Tivoli Monitoring (ITM) environments.
This feature is meant to ensure that commands originate from a trusted ITM source and that they are not intercepted or changed before reaching their destination.
An exhaustive description of the feature and related configuration is available at this link:
However, this feature also introduced complexity that led to some problems, especially in environments with mixed ITM component levels, for example where some agents are lower than v6.3 while the ITM servers are at 6.3 FP1 or higher.
The aforementioned technote explains most of the problem scenarios that may be related to the command security feature and also explains how to set the configuration parameter KMS_
in your ITM infrastructure.
In my experience, a correct configuration of the KMS_
However, I faced a scenario where a remote command executed with "tacmd executecommand" was failing with:
KUIEXC504E: User of the agent is not authorized
even though the ITM servers (TEPS/TEMS) were at a lower level than v6.3.
Initially I focused on the authorization of the account used to start the agent, to be sure it had all the permissions needed to run the intended command.
It was an account with administrator privileges, so I had to exclude this option from the possible root causes.
Looking at the cinfo from TEPS/TEMS and from the target agent nodes I noticed that all the components for TEMS and TEPS (including shared components) were at level 6.23 FP5, while the agent node showed a mixed level for shared components and Agent component.
PC PRODUCT DESC
We can see that the OS agent was at the same level as the TEMS and TEPS, but the shared components were at 6.30 FP3.
The install date of the components matches the date the problem was first experienced, so it is clearly related.
The command security feature was not available on the TEMS/TEPS side, but the related code was enabled on the agent side, because the shared components were at the v6.3 FP3 level.
We know that an agent must be at the same level as, or a lower level than, the connected TEPS/TEMS.
This scenario demonstrates once more that this recommendation must be taken seriously.
In this case the agent component was actually at the same level, but the shared components were instead newer.
The shared components were upgraded when the KAC component was installed on this node.
By mistake, the ITM 6.3 FP3 installation media was used instead of the 6.23 FP5 media.
This caused a shared components mismatch between the ITM servers and the target agent node.
To correct the issue, we had to reinstall the CANDLEHOME using the correct level of ITM shared components, including KAC.
After completing this task, tacmd executecommand started working fine again.
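The level comparison that exposed this problem can be scripted. The following is an added example, not part of the original post or of IBM's tooling: it flags every component on an agent node whose level is higher than the TEMS/TEPS level. The inventory text is constructed in a simplified layout (not real cinfo output), and the function names are hypothetical.

```python
import re

# Constructed sample in a simplified "code, description, version" layout.
# It is not real cinfo/kincinfo output; the layout is an assumption.
AGENT_INVENTORY = """\
PC  PRODUCT DESC                          VER
NT  OS agent (constructed)                06.23.05.00
GL  Shared agent framework (constructed)  06.30.03.00
AC  KAC compatibility pkg (constructed)   06.30.03.00
"""

SERVER_LEVEL = "06.23.05.00"  # TEMS/TEPS level in the scenario: 6.23 FP5

VERSION_RE = re.compile(r"\b(\d{2})\.(\d{2})\.(\d{2})\.(\d{2})\b")
CODE_RE = re.compile(r"^\s*([A-Za-z0-9]{2})\s")


def parse_level(text):
    """Return the first vv.rr.ff.ii level in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def parse_inventory(text):
    """Map product code -> level tuple; lines without a level are skipped."""
    levels = {}
    for line in text.splitlines():
        code, level = CODE_RE.match(line), parse_level(line)
        if code and level:
            levels[code.group(1).upper()] = level
    return levels


def newer_than_server(inventory_text, server_level):
    """Return {code: level} for components above the server level."""
    limit = parse_level(server_level)
    if limit is None:
        raise ValueError(f"unrecognised server level: {server_level!r}")
    return {c: v for c, v in parse_inventory(inventory_text).items() if v > limit}


if __name__ == "__main__":
    for code, level in sorted(newer_than_server(AGENT_INVENTORY, SERVER_LEVEL).items()):
        print(f"{code}: {'.'.join(f'{n:02d}' for n in level)} is newer than the servers ({SERVER_LEVEL})")
```

Running the same comparison against each node's inventory after an install shows a shared-component upgrade like the one described here before a remote command fails.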
Have a nice day