Configuring access to agentless managed systems

Using an account other than root to access an agentless managed system enforces the appropriate security for the system and enables more detailed audit records of access to it. To configure access to an agentless managed system for a user account other than root, use the sudo utility.

About this task

The sudo utility is provided with Linux operating systems. To use the sudo utility with AIX® systems, you must download and install the utility from the AIX Toolbox Download Web site.

Before configuring access to agentless managed systems for user accounts other than root, read the following information:
  • You must create and manage the sudo configuration file on each agentless managed system that requires non-root based access.
  • You must create a sudo configuration file that meets the requirements of your security policies.
  • You must create multiple credential mappings between IBM® Flex System Manager users and all of the agentless managed systems that IBM Flex System Manager is managing using SSH.

Perform these steps to configure access to agentless managed systems for user accounts other than root:

Procedure

  1. On each agentless managed system, create the sudo configuration file (called sudoers) if it does not already exist.

    On an agentless managed system, the file should be located at /etc/sudoers.

  2. Ensure that each user account to be used for access to the agentless managed system has authorization to run sudo commands. Before you can access the /opt/ibm/director directory, you must complete the following steps:
    1. Call IBM Support and obtain the password that is required to run the pesh command.
    2. From the management software command-line interface, use the lsconfig -v command to determine the UVMID of the management node.
    3. Run the command pesh UVMID, where UVMID is the system ID that you determined in the previous step. When you are prompted, enter the password that you obtained from IBM Support. For more information about the command, see pesh.
  3. In the /opt/ibm/director/lwi/conf/overrides/USMi.properties file, set the following system variable:

    com.ibm.usmi.server.security.cts.util.escalateUser=true

  4. Restart the IBM Flex System Manager.
  5. After discovering and requesting access to the endpoint, run the following command:
    smcli cfgcred -S <Director_User> -W <Director_User_password> -r https://<discovery ip>:22/ -c PASSWORD -U <endpoint userid> -P <endpoint password>
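
A check for step 3 that can be run on the management node before the restart in step 4. This is an added example, not IBM code: it assumes the overrides file follows java.util.Properties syntax and that only the exact value true counts, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): confirm the escalateUser override is effective.
KEY='com.ibm.usmi.server.security.cts.util.escalateUser'

# prop_value FILE KEY: print the effective value of KEY, or return 1 if unset.
# Assumption: the file is read with java.util.Properties rules, so '#' and '!'
# start comments, '=' ':' or blanks separate key and value, the last
# definition wins, and trailing blanks stay part of the value.
prop_value() {
    awk -v key="$2" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }      # drop CR and leading blanks
        /^[#!]/ || /^$/ { next }                    # skip comments, empty lines
        {
            k = $0; sub(/[=: \t].*/, "", k)         # key ends at first separator
            if (k != key) next
            v = substr($0, length(k) + 1)
            sub(/^[ \t]*[=:]?[ \t]*/, "", v)        # strip separator, keep the rest
            val = v; found = 1                      # later definitions override
        }
        END { if (!found) exit 1; printf "%s\n", val }
    ' "$1"
}

# escalate_user_enabled FILE: return 0 only if the effective value is exactly
# "true"; otherwise explain on stderr what the file would actually yield.
escalate_user_enabled() {
    val=$(prop_value "$1" "$KEY") || {
        echo "FAIL: $KEY is not set in $1" >&2
        return 1
    }
    [ "$val" = "true" ] && return 0
    echo "FAIL: effective value is '$val', expected 'true'" >&2
    return 1
}

# Constructed sample: the later duplicate, with a trailing blank, overrides
# the correct first line, so the check reports a failure.
sample=$(mktemp)
printf '%s\n' '# constructed sample' "$KEY=true" "$KEY = true " > "$sample"
if escalate_user_enabled "$sample"; then
    echo "escalateUser is enabled"
else
    echo "fix the file before restarting"
fi
rm -f "$sample"
```

On a real system, pass the path from step 3 to escalate_user_enabled instead of the sample file.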

What to do next

After configuring the agentless managed system, you can then request access to the system through either the IBM Flex System Manager Request Access page, the Configure Access page, or the Configure Systems Credentials page.
Note: To enable use of the Agent Installation Wizard to install and update agents, ensure that the root user account was used to initially request access to the managed system.