Monitoring Tivoli Monitoring Agents with a Non-root User on Linux and UNIX Platforms

Problem Circumstances

The database and messaging agents are typically started as non-root users. Proxy Agent Services (PAS) supports this behavior starting with ITM 6.2.2 FP1: in the start script of an agent's CAP file you can specify the user the agent should start as. PAS reads the same configuration file, kcirunas.cfg, that the autostart script uses to find out which user an agent should run as, and uses that information when it starts the agent to ensure that the agent runs as the correct user. To enable the PAS non-root support in an older CAP file, update the CAP file as described in the procedures below.

Execution Procedure

Scenario 1: PAS As Root Monitors Non-root Agents

Preconditions: *PAS installed as root user, managed agents as non-root user.*
Description: *Running PAS as root, make PAS manage agents as non-root.*

Procedure:

Following the procedure below makes PAS monitor these agents as the non-root user correctly in the Agent Management Services workspace in ITM 6.2.2 FP1.

1. Use the kciedit tool to add the agent's instance name and user name to kcirunas.cfg.

Download the kciedit package: http://www-01.ibm.com/support/docview.wss?uid=swg21271332

Copy it to $CANDLEHOME and extract it; kciedit is placed under $CANDLEHOME/bin.

Go to $CANDLEHOME/bin and run the following command:

./kciedit -t TYPE -i INSTANCE -r RUNAS add

For example, for the ud (DB2) agent, instance name db2inst1, running as user db2inst1:

./kciedit -t ud -i db2inst1 -r db2inst1 add

Check kcirunas.cfg and confirm that it now contains an entry for this instance and user.

2. For multi-instance agents, update the older CAP file if you want to enable this support.

The following example uses the Universal Agent (um) on Linux (lz).

To enable this support in an older CAP file, update the start and stop scripts in the CAP file accordingly.

3. For single-instance agents, update the older CAP file in the same way if you want to enable this support.

The following example uses the UNIX Log agent (ul) on Linux (lz).

To enable this support in an older CAP file, update the start and stop scripts in the CAP file accordingly.

4. Start the OS agent and run the "AMS Start Management" action in the Agent Management Services workspace. The agent is started and reports the correct user name in the Agent's Runtime Status table.

Scenario 2: PAS As Non-root Monitors Different Non-root Agents

Preconditions: *PAS installed as non-root user, managed agents as a different non-root user.*
Description: *Running PAS as non-root, make PAS manage agents as a different non-root.*

Procedure:

The procedure below enables PAS, running as one non-root user, to monitor agents owned by a different non-root user in the Agent Management Services workspace.

1. Add the two non-root users to the same group, and give that group permission to access the files under $CANDLEHOME.

For example, add the non-root users 'test' and 'db2inst1' to the group 'db2iadm1'.

2. Install PAS as one non-root user (for example 'test') and install the agents as a different non-root user (for example 'db2inst1').

3. Configure the kcirunas.cfg file as in step 1 of Scenario 1.

For multi-instance agents, update the older CAP file as in step 2 of Scenario 1; for single-instance agents, follow step 3 of Scenario 1.

4. Configure the sudoers file so that PAS can start and stop the agents as the agent owner's user without a password.

# sudoers file.
# Commands PAS may run: only 'itmcmd agent [-o <instance>] start|stop <pc>' under this CANDLEHOME.
Cmnd_Alias AMSAGENTSTART = /opt/PAS/ITMTEST/bin/itmcmd agent -[po] [[\:alnum\:]_]* start [[\:alnum\:]][[\:alnum\:]],/opt/PAS/ITMTEST/bin/itmcmd agent start [[\:alnum\:]][[\:alnum\:]]
Cmnd_Alias AMSAGENTSTOP = /opt/PAS/ITMTEST/bin/itmcmd agent -[po] [[\:alnum\:]_]* stop [[\:alnum\:]][[\:alnum\:]],/opt/PAS/ITMTEST/bin/itmcmd agent stop [[\:alnum\:]][[\:alnum\:]]
Cmnd_Alias ITMAMSCMD = AMSAGENTSTART,AMSAGENTSTOP
# Defaults specification
# Runas alias specification: the users that own the agents
Runas_Alias ITMAGENTIDS = user1,user2
# Members of group itmusers (the PAS user) may run the commands above as the agent users without a password
%itmusers ALL=( ITMAGENTIDS ) NOPASSWD: ITMAMSCMD

For example, to let the ud agent be started by user 'db2inst1', list 'db2inst1' in ITMAGENTIDS and make the PAS user (here 'test') a member of the itmusers group, or name the PAS user directly in place of %itmusers.

This is just one possible example. The sudo facility has many advanced capabilities, including auditing and alerting administrators when unauthorized users attempt to use the sudo command. See your operating system's sudo man pages for more information. Because sudo runs itmcmd as the agent user, keep $CANDLEHOME/bin/itmcmd and the scripts it invokes writable only by their owner, not by the PAS user or by the shared group from step 1; otherwise the NOPASSWD rule lets the PAS user run arbitrary commands as the agent user.

5. Modify the agentInstanceCommand.sh script, replacing its calls to 'su' with calls to 'sudo'. As a non-root user, 'su' would prompt for the agent user's password, which PAS cannot supply; the sudoers rule from step 4 lets 'sudo' run the start and stop commands without one.

6. Start the OS agent and run the "AMS Start Management" action in the Agent Management Services workspace. PAS begins to manage the agents and reports the correct user name in the Agent's Runtime Status table.

Note: In Scenario 2, the Process ID is not shown in the Agent's Runtime Status table after you start the agents with the action. This is a limitation in ITM 6.2.2 FP2.
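The sudoers fragment in step 4 is generic (group %itmusers, run-as users user1,user2). The following POSIX shell script is an added example, not code from the IBM article or from the ITM product: it generates the same rules for the concrete users of this scenario, validates the result with visudo where available, checks that an agent's product code and instance name actually fit the globs in the Cmnd_Aliases, and prints the sudo command line that a converted agentInstanceCommand.sh (step 5) would run in place of su. The values ITM_HOME=/opt/PAS/ITMTEST, PAS user 'test', agent user and instance 'db2inst1' and the ud agent are assumptions taken from the scenario; the function names and the Defaults !requiretty line are additions of this example, not part of the product.

```shell
#!/bin/sh
# Added example for Scenario 2 steps 4 and 5; it is not from the IBM article or
# the ITM product. Assumed values (not on the page): ITM_HOME=/opt/PAS/ITMTEST,
# PAS user 'test', agent user 'db2inst1', DB2 agent (ud) instance 'db2inst1'.

ITM_HOME=/opt/PAS/ITMTEST

# itm_sudoers_fragment PAS_USER AGENT_USER...
# Print a sudoers fragment that lets PAS_USER run only
# 'itmcmd agent [-o <instance>] start|stop <pc>' as the listed agent users,
# without a password. The ':' of the POSIX character classes are escaped
# because ':' is a separator in sudoers syntax.
itm_sudoers_fragment() {
    pas_user=$1; shift
    runas=$(printf '%s,' "$@"); runas=${runas%,}
    cat <<EOF
Cmnd_Alias AMSAGENTSTART = $ITM_HOME/bin/itmcmd agent -[po] [[\:alnum\:]_]* start [[\:alnum\:]][[\:alnum\:]], $ITM_HOME/bin/itmcmd agent start [[\:alnum\:]][[\:alnum\:]]
Cmnd_Alias AMSAGENTSTOP = $ITM_HOME/bin/itmcmd agent -[po] [[\:alnum\:]_]* stop [[\:alnum\:]][[\:alnum\:]], $ITM_HOME/bin/itmcmd agent stop [[\:alnum\:]][[\:alnum\:]]
Cmnd_Alias ITMAMSCMD = AMSAGENTSTART, AMSAGENTSTOP
Runas_Alias ITMAGENTIDS = $runas
# PAS is a daemon without a controlling terminal: exempt it from requiretty
# in case the global sudoers sets that option.
Defaults:$pas_user !requiretty
$pas_user ALL=(ITMAGENTIDS) NOPASSWD: ITMAMSCMD
EOF
}

# itm_sudoers_check FILE PAS_USER AGENT_USER...
# Write the fragment to FILE with sudoers permissions and let visudo parse it.
# Returns 0 if visudo accepts it, 1 on a syntax error, 2 if visudo is missing.
itm_sudoers_check() {
    file=$1; shift
    itm_sudoers_fragment "$@" > "$file" || return 1
    chmod 0440 "$file" || return 1
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$file"
}

# itm_args_allowed PC [INSTANCE]
# Return 0 when PC and INSTANCE fit the globs in the Cmnd_Aliases (exactly two
# alphanumerics; alphanumerics and '_'). Anything else, for example an instance
# name containing '-', is refused by sudo, so check before relying on the rule.
itm_args_allowed() {
    case $1 in
        [[:alnum:]][[:alnum:]]) ;;
        *) return 1 ;;
    esac
    case ${2:-} in
        *[![:alnum:]_]*) return 1 ;;
    esac
    return 0
}

# itm_agent_cmd AGENT_USER PC ACTION [INSTANCE]
# Print the command a sudo-based agentInstanceCommand.sh would run instead of
# 'su - AGENT_USER -c ...'. 'sudo -n' fails instead of prompting, which is the
# right behavior for a daemon with no terminal; the argument order matches the
# Cmnd_Aliases above, so a mismatch shows up as a sudo denial, not a hang.
itm_agent_cmd() {
    agent_user=$1; pc=$2; action=$3; instance=${4:-}
    if [ -n "$instance" ]; then
        printf 'sudo -n -u %s %s/bin/itmcmd agent -o %s %s %s\n' \
            "$agent_user" "$ITM_HOME" "$instance" "$action" "$pc"
    else
        printf 'sudo -n -u %s %s/bin/itmcmd agent %s %s\n' \
            "$agent_user" "$ITM_HOME" "$action" "$pc"
    fi
}

# Stand-alone demo: show the fragment for PAS user 'test' and agent user
# 'db2inst1', then the command that starts the ud instance 'db2inst1'.
itm_sudoers_fragment test db2inst1
itm_args_allowed ud db2inst1 && itm_agent_cmd db2inst1 ud start db2inst1
```

Run the script as-is to print the fragment and the command line. As root, itm_sudoers_check /tmp/itm-sudoers test db2inst1 writes and validates the fragment; merge it into sudoers with visudo (or place it under /etc/sudoers.d on systems that include that directory) only after visudo accepts it. The rule names the PAS user directly rather than a group, so nobody else inherits the right to start or stop agents, and the Cmnd_Aliases use the absolute itmcmd path, which must not be writable by the PAS user.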

About the Author

This topic was written by Jing Liu, Fei Jiang and Ye Qing Sun.