iTivity™ User Guide

8. Installing and Running the Admin Agent on Linux or UNIX


8.1 Linux/UNIX System Requirements
8.2 Installing the Admin Agent on Linux/UNIX
8.3 Configuring the Admin Agent on Linux/UNIX
8.4 Licensing the Admin Agent on Linux/UNIX
8.5 Linux/UNIX Admin Agent Commands

iTivity provides a Linux/UNIX version of the Admin Agent that allows remote viewing and control of Linux/UNIX systems. The Linux/UNIX Admin Agent requires its own license (in addition to the iServer license) and also requires that DoubleVision Pro be installed on the Linux or UNIX system.

This chapter explains how to install, license, configure and use the Admin Agent on Linux or UNIX.

8.1  Linux/UNIX System Requirements

The Linux/UNIX version of the Admin Agent requires the following platform.

Software

·         DoubleVision Pro 4.0 or later

·         Any of the following operating systems:

o     Red Hat Linux 9.0, or Red Hat Enterprise Linux or later

o     Solaris SPARC 2.8/2.9, 32- and 64-bit systems

o     AIX 4.3.3, 5.1 and 5.2, 32- and 64-bit systems

o     HP-UX 11.00/11.11, 32- and 64-bit systems

o     SCO 3.2.5

Hardware

·         60 MB minimum disk space

·         5 MB RAM baseline, plus 336 KB per connection to the Admin Agent

·         300 MHz minimum CPU

8.2  Installing the Admin Agent on Linux/UNIX

Note: For information on configuring the Admin Agent after installation, see Section 8.3, Configuring the Admin Agent on Linux/UNIX.

Follow the instructions under your chosen method for obtaining the Admin Agent distribution (download or CD), then skip to Continuing Your Installation for the remaining installation steps.

Download

1.       Contact Tridia for the URL and password for downloading the Admin Agent Linux or UNIX distribution for your specific operating system.

Example Filename:  adminagent_linux_intel.tar

Note: Many popular Windows-based ZIP utilities do not extract the contents of the distribution files correctly. Do not use them with any of the distribution files.

2.       Place the downloaded file in your home directory on the Linux/UNIX server where you want to install the Admin Agent.

Example: /home/username/
where username is your actual user name

3.       Skip to Continuing Your Installation.

VIA CD

Note: Reserved for a future release.

CONTINUING YOUR INSTALLATION

1.       Log on as the root user, or issue the su command to become root.

2.       Change to the /tmp directory:

cd /tmp [Enter]

3.       To verify the presence of the distribution file, list the .tar files in your home directory:

ls -l /home/username/*.tar [Enter]
where username is your actual user name

4.       Extract the distribution (*.tar) file:

tar xvf /home/username/<filename> [Enter]

Several files are extracted into /tmp. One of these is the install script, install-admin-agent. Check the file list that tar prints before running anything from /tmp as root: /tmp is writable by every local user, so make sure the script you run is the one that came out of the distribution file.

Note: At this point you can remove the distribution file with the rm command, or move it to a different directory.

5.       Run the Admin Agent install script:

./install-admin-agent

A Welcome screen is displayed.

6.       Type y to proceed.

The Evaluation License screen is displayed.

7.       After reviewing the license information, type y to proceed.

The Host Registration Port screen is displayed.

8.       Change the port if desired. Otherwise just press Enter.

The Host System Description screen is displayed.

9.       Enter a Description to be used to identify this computer in iTivity iManager. Then press Enter.

The Admin Agent Install Directory Screen is displayed.

10.   Press Enter to accept the default directory, or type a different directory and then press Enter.

If the specified directory does not already exist, you are prompted to confirm creating it. Type y to confirm.

The program extracts and installs the Admin Agent files.

After the files are extracted, the Installation Code is displayed.

Note: You will need this code to obtain a permanent license. See Section 8.4, Licensing the Admin Agent on Linux/UNIX.

11.   Press Enter to continue.

A prompt appears asking whether you want the Admin Agent to start at system startup.

Note: You can also start the Admin Agent from the command line. See Section 8.5, Linux/UNIX Admin Agent Commands.

12.   Type y to start the daemon at boot time or n to cancel this option.

The installation proceeds. The SSL Certificate Verification screen appears.

Note: This screen gives you the option of disabling validation of the iServer's encryption certificate. Use that option only on a secure LAN. The recommended best practice is to leave validation enabled and to make the certificates match by manually copying the certificate from the iServer to the Agent system. For example, copy

From (iServer system):
/usr/lib/iTivity/iServer/itivity_data/root.pem

To (Agent System):
/usr/lib/iTivity/AdminAgent/itivity_data/root.pem

13.   Type n if you intend to copy root.pem, or y to disable certificate validation.

The installation proceeds. You are prompted to specify whether or not to remove temporary installation files. Type y to confirm or n to cancel.

If you typed y, the files are removed.

14.   Press Enter to continue.

Installation is now complete.

8.3  Configuring the Admin Agent on Linux/UNIX

8.3.1 Editing the AdminAgent.conf File

For the Linux/UNIX version of the Admin Agent, all configuration settings are controlled by an ASCII text file called AdminAgent.conf, which is placed in the installation directory on the Linux or UNIX computer.

You can change the settings by opening the file in any text editor. The following table describes the settings in the file.

COMMON OPTIONS

Programdir

Specifies the directory in which the Admin Agent is installed.  This setting is automatically configured by the Installation program.

Default: /usr/lib/iTivity/AdminAgent

dataDir

Specifies the directory where the Admin Agent stores information between program invocations. This information includes encryption keys and other data used internally.

Default: /usr/lib/iTivity/AdminAgent/itivity_data

FilePath

Specifies the license file for use by the Admin Agent.

Default: /usr/lib/iTivity/AdminAgent/LicenseData.txt

vnchostname

vnchostdesc

The agent name and description as listed in iTivity iManager for this Admin Agent.

The default vnchostname is the Linux/UNIX machine name. The vnchostdesc value is the description entered during installation.

CONNECTOR OPTIONS

randomFile

keyFile

caFile

These settings specify the names and locations of the three files used for encryption. The Admin Agent generates default versions of these files automatically the first time it runs. There is no need to change these settings unless the default files in the dataDir directory are not acceptable. Because keyFile holds the Agent's key material, keep dataDir readable only by the account the Agent daemons run as.

Defaults:

randomFile=/usr/lib/iTivity/AdminAgent/itivity_data/random.dat

keyFile=/usr/lib/iTivity/AdminAgent/itivity_data/keys.pem

caFile=/usr/lib/iTivity/AdminAgent/itivity_data/root.pem

autoAcceptAllCerts

This flag enables or disables verification of the encryption certificate received from the iServer.

Enabling this option (setting the value to 1) makes the Agent accept any certificate, so a change of the certificate on the iServer no longer blocks access.

Caution: Enabling it also prevents iTivity from detecting a man-in-the-middle attack on the encrypted connection, because the Agent can no longer tell a substituted certificate from the genuine one.

The recommended practice is instead to copy the "root.pem" file from your iServer to the Agent system. For example,

From:
iServerSystem:/usr/lib/iTivity/iServer/itivity_data/root.pem

To:
AgentSystem:/usr/lib/iTivity/AdminAgent/itivity_data/root.pem

Once root.pem has been copied from the iServer to the Agent system, the iServer's certificate is trusted correctly, and autoAcceptAllCerts can remain disabled, keeping the higher level of security. Copy the file over a channel you trust (a console session or SSH, for example) and compare its fingerprint on both systems before relying on it, since a copy altered in transit would pin the wrong certificate.

Default: autoAcceptAllCerts=0
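As an added example (not from the guide or Tridia), the pinning procedure as a shell script: fetch root.pem from the iServer, check its SHA-256 fingerprint against a value read on the iServer console beforehand, install it in dataDir, and force autoAcceptAllCerts=0 in AdminAgent.conf. The use of scp, the root login on the iServer and the host name iserver.example.com are assumptions; the file paths are the defaults documented above.

```bash
#!/bin/sh
# Added example, not Tridia's tooling: pin the iServer's root.pem on the Agent
# and keep autoAcceptAllCerts=0, instead of turning validation off.
#
# Assumed (not stated in the guide): root.pem is fetched with scp over SSH, and
# the expected SHA-256 fingerprint was read on the iServer console beforehand,
# so a copy tampered with in transit is caught. Paths are the guide's defaults.
set -eu

ISERVER_HOST="${ISERVER_HOST:-iserver.example.com}"   # assumed host name
ISERVER_PEM="/usr/lib/iTivity/iServer/itivity_data/root.pem"
AGENT_DATA="${AGENT_DATA:-/usr/lib/iTivity/AdminAgent/itivity_data}"
AGENT_CONF="${AGENT_CONF:-/usr/lib/iTivity/AdminAgent/AdminAgent.conf}"

# SHA-256 fingerprint of a PEM certificate, colon-separated as openssl prints it.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Compare a candidate root.pem with the fingerprint obtained out of band.
# Returns 0 on match, 1 otherwise; case-insensitive so a hand-typed value works.
verify_pinned_cert() {
    pem="$1"; expected="$2"
    actual=$(cert_fingerprint "$pem" | tr 'A-Z' 'a-z')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# Force autoAcceptAllCerts=0 in AdminAgent.conf, adding the line if absent.
# Write to a temp file and rename, so an interrupted run never leaves a
# half-written configuration behind.
disable_auto_accept() {
    conf="$1"; tmp="$conf.tmp.$$"
    if grep -q '^autoAcceptAllCerts=' "$conf"; then
        sed 's/^autoAcceptAllCerts=.*/autoAcceptAllCerts=0/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        echo 'autoAcceptAllCerts=0' >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Whole procedure: fetch the iServer certificate, verify it, install it in
# dataDir, then make sure validation stays enabled. Run as root on the Agent.
pin_iserver_cert() {
    expected="$1"
    tmp=$(mktemp)
    scp "root@$ISERVER_HOST:$ISERVER_PEM" "$tmp"
    if ! verify_pinned_cert "$tmp" "$expected"; then
        echo "root.pem fingerprint mismatch; not installing it" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$AGENT_DATA/root.pem"
    rm -f "$tmp"
    disable_auto_accept "$AGENT_CONF"
}

# Usage: pin_iserver_cert "AA:BB:...:FF"   (fingerprint read on the iServer)
```

The fingerprint on the iServer side comes from the same openssl command run against its own root.pem; only if the two values agree is the file installed, so a substituted certificate is rejected before the Agent ever trusts it.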

Log File Flags

The following options control which events are written to syslog. A value of 1 (one) enables logging of the event and a value of 0 (zero) disables it. Only Agent startup and shutdown are logged by default; for an audit trail of who connected and what was granted, also set connectSysLogMask, disconnSysLogMask and allowSysLogMask to 1.

Syslog facility and priority: iTivity.daemon

connectSysLogMask

Arrival of an encrypted connection.  Default = 0.

disconnSysLogMask

Closing of an encrypted connection. Default = 0.

startSysLogMask

Agent startup. Default = 1.

stopSysLogMask

Agent shutdown. Default = 1.

allowSysLogMask

Granting of user permission by the Agent. Default = 0

telnetServiceSysLogMask

Initiation of a TELNET session with the Agent. Default = 0.

ftpServiceSysLogMask

Granting of FTP access by the Agent. Default = 0.

chatServiceSysLogMask

Granting of Chat access by the Agent. Default = 0.

TCP Connection

These settings control the TCP connection ports and interface of the Admin Agent.

transportPort

Must always match proxySvcPort=21800. Default = 21800

iasServerPort

The port for iServer connections. Default = 23800.

iasServerHost

DNS host name of the iServer.

Note: You must enter the DNS name of your iServer here, or the Agent cannot connect.

Default: none.

Example: iserver.acme_heavy_industries.com

transportTimeout

serviceTimeout

These two settings control the timeout behavior of Admin Agent data connections.

transportTimeout - Timeout in milliseconds for end-to-end (host-to-host) network connections. Keep this value high when using the Internet or another high-latency transport (such as a satellite link).

serviceTimeout - Timeout in milliseconds for internal (local) connections between the Admin Agent daemons.

Defaults:

transportTimeout=90000

serviceTimeout=45000

Keep-Alive Settings

These three settings control the keep-alive behavior of Admin Agent data connections.

endToEndKeepAlive

Determines whether the Admin Agent sends keep-alive packets. Not supported on all transports. Values are:

1 (one) - send packets
0 (zero) - no packets.

Default = 1.

iasVerifySessionFlag

In addition to keep-alive packets, the Admin Agent can exchange application-level messages with the iServer to confirm that a connection is still viable and to detect lost connections more reliably. Set this flag to 1 to have the iServer verify session status when there is otherwise no network traffic. Values are 1 (enabled) and 0 (disabled).

Default = 1.

iasVerifySessionTimeout

If the iasVerifySessionFlag is set to 1, this value controls how often, in seconds, the verification packets are sent.

Default = 240.

connectToIASCycleTime

connectToIASMaxRetries

These settings control the reconnect behavior of the Admin Agent when the connection to the iServer fails. The default is to retry every five minutes for 24 hours.

connectToIASCycleTime is the cycle time specified in milliseconds between reconnect tries. Default = 300000.

connectToIASMaxRetries is the maximum number of retries. Default = 288.

disableSessionDNSLookup

Prevents the DNS lookup that would otherwise resolve the host name of the remote system for each new connection. This can improve performance in environments with slow DNS service. Values are:

1 (one) - prevent DNS lookup
0 (zero) - allow lookup

Default = 0.

cipherList

Specifies the list of cipher suites allowed for incoming connections. If you add other suites to the list, it is highly recommended that you keep the default as one of the options. If this Admin Agent connects to an iServer or is contacted by an iManager and there is no mutually acceptable cipher suite, the connection fails.

For a different suite to be used, it must also be allowed by the cipherList of the iServer. The recommended best practice is to set the same cipherList on all iTivity systems. Note that most of the supported suites other than the triple-DES ones (the EXP and EXP1024 export-grade suites, and those based on RC4, single DES or MD5) are much weaker than the default; adding them for compatibility lowers the protection of every session that negotiates one of them.

Supported OpenSSL ciphers:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5

DHE-DSS-RC4-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:RC2-CBC-MD5

RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA

EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5

EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA

DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA

EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Default: cipherList=DES-CBC3-SHA

Connector Port Number

These settings control the port numbers on which the Connector looks for the local service daemons. The local service daemons listen on the localhost interface and provide local, unencrypted access to the services, so they must stay reachable only from the local system; remote access is meant to arrive only through the encrypted iServer connection.

commandSvcPort

Remote control authorization and commands. Must always match connectPort=6800

Default = 6800

rfbSvcPort

Unencrypted, raw VNC data

Default = 5900

telnetSvcPort

Telnet daemon

Default = 23

ftpCtlSvcPort

FTP server control port.

Default = 21

ftpDataSvcPort

FTP server data port (passive mode). Note that 20 is the conventional active-mode data port, whereas in passive mode the server chooses an ephemeral port; check this value against your FTP daemon's configuration.

Default = 20

proxySvcPort

Forwarded iServer connections. Must always match transportPort=21800

Default = 21800

defaultHostPermissions

This setting controls which services an iTivity iManager user can access on this Agent system via iTivity. Each service is controlled by a bit flag in this integer (see the examples below).

The remote user must first authenticate with the Agent system (see authscheme and permissionGroup) before being allowed to access any service. After authentication (and the authorization check), the remote user is subject to the permission restrictions listed in the table. A status of N/A indicates that the service is not available in the Linux/UNIX Admin Agent.

Decimal value   Status     Description

1               required   Command protocol
2               N/A        View desktop permission
4               N/A        Control desktop permission
8               optional   Telnet permission
16              optional   FTP permission
32              required   Proxy permission
64              N/A        Chat permission
128             optional   TTY remote control permission
256             optional   TTY listing permission

The default is to allow access to all supported iTivity services (after remote user authenticates and passes authorization check).

Default= 65535

Examples

For FTP access only, use a value of 1 + 16 = 17, since the command protocol is required and the FTP permission has a value of 16.

For telnet access only, use a value of 1 + 8 = 9. 

For TTY listing and TTY remote control only, use a value of 1 + 128 + 256 = 385.
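To make the bit arithmetic concrete, here is an added example (not part of the guide or the product) that decodes a defaultHostPermissions value into service names and builds a value from a list of services, so a setting found in AdminAgent.conf can be read back without a calculator. It uses the bit values from the table above. The table marks Proxy (32) as required while the guide's own examples (17, 9, 385) leave it out, so the builder always adds bit 1 and adds bit 32 only when proxy access is requested; confirm with Tridia which of the two the product expects.

```bash
#!/bin/sh
# Added example (not part of the guide): decode and build defaultHostPermissions
# values. Bit values and names are the ones in the table above; the N/A bits
# (2, 4, 64) are unsupported on the Linux/UNIX Agent but keep their position.

# Bit value -> service name (lookup table from the guide).
perm_name() {
    case "$1" in
        1)   echo "command protocol (required)" ;;
        2)   echo "view desktop (N/A on Linux/UNIX)" ;;
        4)   echo "control desktop (N/A on Linux/UNIX)" ;;
        8)   echo "telnet" ;;
        16)  echo "ftp" ;;
        32)  echo "proxy (required)" ;;
        64)  echo "chat (N/A on Linux/UNIX)" ;;
        128) echo "tty remote control" ;;
        256) echo "tty listing" ;;
        *)   echo "unknown bit $1" ;;
    esac
}

# Print the services enabled by a defaultHostPermissions value, one per line.
decode_perms() {
    v="$1"; bit=1
    while [ "$bit" -le 256 ]; do
        [ $((v & bit)) -ne 0 ] && perm_name "$bit"
        bit=$((bit * 2))
    done
    # Bits above 256 are not defined in the guide (the default 65535 sets
    # them all); report them rather than silently ignore them.
    extra=$((v & ~511))
    [ "$extra" -ne 0 ] && echo "undefined bits set: $extra"
    return 0
}

# Build a value from service names. Bit 1 (command protocol) is always added
# because the guide marks it required; proxy (32) is added only when asked
# for, which matches the guide's own examples (17, 9, 385).
build_perms() {
    v=1
    for svc in "$@"; do
        case "$svc" in
            telnet)  v=$((v | 8)) ;;
            ftp)     v=$((v | 16)) ;;
            proxy)   v=$((v | 32)) ;;
            ttyctl)  v=$((v | 128)) ;;
            ttylist) v=$((v | 256)) ;;
            *) echo "unknown service: $svc" >&2; return 1 ;;
        esac
    done
    echo "$v"
}

# Usage: decode_perms 385 ; build_perms ftp telnet
```

decode_perms on the default 65535 lists all nine documented services and then reports the undefined high bits, which is a quick way to spot a value that was typed by hand rather than derived from the table.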

Connector_debugMode

Enables debugging output in the connector daemons. A setting of zero ("0") disables output. As the mode number increases from one ("1") to twelve ("12"), more and more information is written to the log file. This option should be disabled in production systems, unless instructed otherwise by Tridia staff.

Default = 0.

PROCESSOR OPTIONS

permissionGroup

authscheme

These settings control the authentication required of iTivity iManager users before they can view and control the Admin Agent system.

authscheme controls how the Admin Agent authenticates. The default, "passwd", requires the remote user to have an account in the native /etc/passwd database. The other currently valid value is "none", which disables authentication at the Admin Agent level; use it only where the iTivity iServer is trusted and its authentication is deemed sufficient, because no local credential is then checked before an iManager user admitted by the iServer reaches the services allowed by defaultHostPermissions. Other authscheme values are reserved for future use.

permissionGroup names the user group whose members may view and access this system via the Admin Agent. To grant an iTivity iManager user access, add the user to this group; to block a user, remove their user ID from the group. A user in this group must log in with a username and password before viewing this system through iTivity iManager.

Defaults:
permissionGroup = iadmauth
authscheme = passwd

logonSysLogMask

logoffSysLogMask

These flags control whether it is recorded in the syslog each time a user of iTivity iManager logs on and logs off of the Agent system. Setting the flags to 1 (one) enables logging and provides an audit log of authentication. Setting the flags to 0 (zero) disables logging.

Syslog facility and priority:  iTivity.authpriv

logonSysLogMask - Log iTivity iManager user logon (succeed or fail). Default = 1.

logoffSysLogMask - Log iManager user logoff (disconnect). Default = 1.

connectPort

connectHost

connectTimeout

These settings specify the TCP network interface and port on which the processor daemon listens for new Admin Agent authentication connections. These connections are internal to the Admin Agent and generally use localhost.

The connectPort value must always match the value of commandSvcPort.

The connectTimeout value specifies the socket timeout for processor connections in milliseconds.

Caution: Tridia strongly recommends that you do not change these settings.

Defaults:
connectPort=6800
connectHost=127.0.0.1
connectTimeout=45000

Processor_debugMode

Enables debugging output in the processor daemon. The default setting of 0 (zero) disables output. As the number increases from 1 to 12, more and more information is written to the log file. This option should be disabled unless instructed otherwise by Tridia staff.

Default: 0 (disabled)
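The following added example (an audit script written for this chapter, not a Tridia tool) reads an AdminAgent.conf and flags the settings this section identifies as weakening security: autoAcceptAllCerts=1, authscheme=none, non-zero Connector_debugMode or Processor_debugMode, export-grade, RC4, MD5 or single-DES suites in cipherList, and disabled logon/logoff syslog flags. It also lists the members of the permission group from a group(5)-format file so you can review who may reach the system. The setting names and defaults are the ones documented above; which suites count as weak, and treating any non-zero debug mode as a finding, are this example's own choices. The sample configuration in the usage note is constructed.

```bash
#!/bin/sh
# Added example, not Tridia's tooling: audit an AdminAgent.conf for the
# settings the guide flags as risky, and list who is in the permission group.
# Setting names are the documented ones; the weak-cipher pattern and the
# debug-mode rule are this script's own choices.

# Value of a key in a KEY=VALUE conf file (last occurrence wins, blank if
# absent). Whitespace around '=' is tolerated, as in "permissionGroup = iadmauth".
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_conf() {
    conf="$1"; rc=0
    if [ "$(conf_get "$conf" autoAcceptAllCerts)" = "1" ]; then
        echo "autoAcceptAllCerts=1: iServer certificate is not verified (MITM risk)"; rc=1
    fi
    if [ "$(conf_get "$conf" authscheme)" = "none" ]; then
        echo "authscheme=none: no authentication at the Agent; trust rests entirely on the iServer"; rc=1
    fi
    for k in Connector_debugMode Processor_debugMode; do
        v=$(conf_get "$conf" "$k")
        if [ -n "$v" ] && [ "$v" != "0" ]; then
            echo "$k=$v: debug output enabled on a production system"; rc=1
        fi
    done
    # Export-grade (EXP*), RC4, MD5 and single-DES suites from the supported
    # list are weak; DES-CBC3-SHA (triple DES, the default) is deliberately
    # not matched by the single-DES pattern.
    ciphers=$(conf_get "$conf" cipherList | tr ':' '\n')
    weak=$(printf '%s\n' "$ciphers" | grep -E '^EXP|RC4|MD5|(^|-)DES-CBC-SHA$' || true)
    if [ -n "$weak" ]; then
        echo "cipherList contains weak suites: $(printf '%s' "$weak" | tr '\n' ' ')"; rc=1
    fi
    for k in logonSysLogMask logoffSysLogMask; do
        if [ "$(conf_get "$conf" "$k")" = "0" ]; then
            echo "$k=0: authentication audit trail disabled"; rc=1
        fi
    done
    return $rc
}

# Members of a group, read from a group(5)-format file (/etc/group by
# default; the path argument makes the function testable on a sample file).
group_members() {
    grp="$1"; file="${2:-/etc/group}"
    awk -F: -v g="$grp" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$file"
}

# Usage: audit_conf /usr/lib/iTivity/AdminAgent/AdminAgent.conf
#        group_members "$(conf_get /usr/lib/iTivity/AdminAgent/AdminAgent.conf permissionGroup)"
```

Run against a constructed file containing autoAcceptAllCerts=1, cipherList=DES-CBC3-SHA:EXP-RC4-MD5:RC4-SHA, authscheme = none, Connector_debugMode=3 and logonSysLogMask=0, audit_conf reports five findings and exits non-zero; on a file with the documented defaults it prints nothing and exits zero, which makes it usable as a check in a configuration-management run.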

PROXY SERVER SETTINGS

These settings configure the Admin Agent to connect to the iServer through a proxy server that speaks the SOCKS v5 protocol.

socksMode

One of the following iTivity modes, which define when the Agent uses the proxy server to connect:

1  -  Disable.  Only connect to iServer directly, no proxy server used.

2  - Require. Only connect to iServer via proxy, no direct connect.

3  - Fallback. If direct connection fails, then attempt the proxy connection.

4  - Override. If the proxy connection fails, then attempt the direct connection.
