Redwood Documentation

Product Documentation

 


Configuring Platform Agents

Platform process servers are made up of two independent but interacting parts:

  • a process server in the central Redwood Server
  • a platform agent on the remote system
    • On Windows, a service controls the platform agent and automatically restarts it when it stops
    • On UNIX, the native init system controls and restarts the platform agent; additionally, the platform-agent script ensures that all necessary OS processes are running

Both parts are started independently. The process server is usually started when the central Redwood Server System is started, or otherwise by a Start command issued via an API or the GUI. The platform agent is usually started as part of the operating system boot sequence.

Although either can run alone, the system is only functional when both parts are running and the platform agent service of the process server has established a TCP connection to the platform agent. When the connection gets interrupted, the process server will attempt to reconnect to the platform agent.

A connection must be established for processes to start running, for file events to fire and for monitoring data to be refreshed. A process continues running on a platform agent when the connection is lost; the central Redwood Server will not be able to set the process to completed, though, until the connection is restored.

Most settings for the platform agent are stored in the repository as process server parameters. Settings that control who can do what are set on the remote system, as they need to be under the control of the individual system administrator of the remote system that the platform agent is running on.

Refer to the Process Server Parameters section for more information on process server parameters that are stored in the repository.

The agent logs its operation status records to a file. See Agent Logging for more information.

Platform process servers that schedule workload or use file events require at least one of the following keys:

  • ProcessServerService.External.limit - the total number of external process servers (Platform agents, distinct web service endpoints, and SAP connectors).
  • ProcessServerService.OS.limit - the total number of platform agent process servers.

Configuration

You configure platform agents using the installer; to add another platform agent instance to a server, simply run the installer again.

On Microsoft Windows systems the Scheduler Service Manager allows you to configure some options of the platform agent from within a user interface; see the Configuring Platform Agents on Microsoft Windows section for more information. For other platforms all configuration must be done manually. Knowledge of the parameter configuration files can be useful on Microsoft Windows and UNIX systems as well, in case you need to make advanced configuration changes.

The configuration files are stored in the ${InstallDir}/net/ hierarchy. The net directory can contain subdirectories so that multiple platform agents can be managed from a single tree. The directories are searched in the following order:

  1. net/instance/<instance>/<file>.
  2. net/hostname/<hostname>/<file>.
  3. net/global/<file>.

In other words, instance specific settings go before hostname specific settings, and hostname specific settings go before global settings.

In the above locations, the following variables were used:

  • <instance> is the name of the instance, which by default is set to default.
  • <hostname> is the hostname of the server, as returned by the command hostname.
  • <file> is the name of the file that it is looking for. Files that are supposed to be protected are located under the private directory.

The files that the system looks for on all systems are listed here in alphabetical order. Usually you do not need to change these as the installer configures necessary entries for you.

important

When you set or change server_root, you must restart the platform agent service/daemon and the process server in the central server for the change to take effect.

  • address_acl: The hostname(s) or IP addresses of the central Redwood Server the platform agent is locked to.
  • agent_initiated_url: HTTP(S) URL of the central Redwood Server. (AgentInitiated only)
  • cipherlist: TLS ciphers to use when you configure a platform agent to use TLS.
  • client_port_range: Port ranges to be used by the client. This defaults to 0-65535. (AgentInitiated only)
  • failover_url: Read-only HTTP(s) URL of the fail-over central Redwood Server; the context URL can be set in the /configuration/jcs/security/FailoverContextURL configuration entry.
  • gateway_acl: List of internal networks, IP addresses and DNS names the central Redwood Server is allowed to access via the secure gateway. The list can be newline- or comma-separated. (AgentInitiated only)
  • gateway_port_range: Port ranges to be used by the gateway. This defaults to 40000-49999. (AgentInitiated only)
  • hmac: The HMAC algorithm to be used; either SHA256 (default) or MD5.
  • http_response_mode: Can be set to 'keep' to treat HTTP/1.0 GET requests as if they were HTTP/1.1, so that the socket is kept open.
  • http_server_timeout: Timeout in seconds for HTTP server requests; the default is unlimited (0).
  • listen: The IP addresses that the platform agent should listen on.
  • max_requests: The maximum number of HTTP requests per connection.
  • monitor_process: Command used to monitor OS processes.
  • monitor_socket: Command used to monitor sockets.
  • no_live_view: Disables live viewing of output files while the process runs.
  • no_proxy: Comma-separated list of hosts, domains and networks for which no proxy is required. Defaults to <hostname> (as returned by the hostname command) and localhost when not available.
  • port: The port the agent listens on for inbound connections.
  • private/proxy_url_password: The password(s) for the proxy server(s); a comma-separated list if multiple proxy servers are to be used. (AgentInitiated only)
  • private/secret: The secret for authentication.
  • proxy_incoming: Boolean value that enables reverse proxy support.
  • proxy_url: The URL(s) of the proxy server(s); a comma-separated list if multiple proxy servers are to be used.
  • secure_connection: Enables TLS for the platform agent HTTP server. Requires a PEM-formatted public certificate (rwscert.pem) and private key (private/rwskey.pem) as well as the cipherlist and server_root configuration files to be set.
  • server_acl: The central Redwood Server the platform agent is locked to.
  • server_root: List of directories that files can be read from.
  • rwscert.pem and private/rwskey.pem: PEM-formatted public certificate (rwscert.pem) and private key (rwskey.pem) for enabling TLS on the platform agent HTTP server.
  • version_compatibility: The versions of the central Redwood Server the platform agent is allowed to connect to. The * wildcard is accepted.
  • private/whitelist: List of users that jobs can be run as.
  • private/blacklist: Users that cannot be used for running jobs.
note

You must install the Redwood Server platform agent on a local file system; SAN file systems might be considered local, when they are mounted as iSCSI, for example. NFS or Windows shares are not supported as they may not be available at all times.

Files that can contain more than one keyword are free-format: you can separate keywords by putting them on separate lines, or with a comma or a space. A hash character '#' starts a comment that runs to the end of the line. The etc directory contains global configuration files.
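The lookup order (instance, then hostname, then global) and the free-format keyword files described above, as an added example in Python; this is not Redwood code. It builds a constructed net/ tree in a temporary directory, so the file names and values (a port file in two locations and a small address_acl) are sample data, not a real installation.

```python
"""Resolve a platform agent configuration file and parse a free-format keyword file.

Added example, not Redwood's own code. It models the documented search order
net/instance/<instance>/<file>, net/hostname/<hostname>/<file>, net/global/<file>
and the keyword files (newline, comma or space separated, '#' comments).
"""
import socket
import tempfile
from pathlib import Path


def resolve_config_file(net_dir, name, instance="default", hostname=None):
    """Return the first existing path for `name`, most specific first, or None."""
    hostname = hostname or socket.gethostname()
    candidates = (
        Path(net_dir) / "instance" / instance / name,   # instance-specific wins
        Path(net_dir) / "hostname" / hostname / name,   # then hostname-specific
        Path(net_dir) / "global" / name,                # then global
    )
    for candidate in candidates:
        if candidate.is_file():
            return candidate
    return None


def parse_keyword_file(text):
    """Split a free-format keyword file into keywords.

    '#' starts a comment running to end of line; keywords may be separated by
    newlines, commas or spaces in any combination.
    """
    keywords = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        keywords.extend(code.replace(",", " ").split())
    return keywords


def demo():
    """Create a constructed net/ tree and show which copy of each file wins."""
    with tempfile.TemporaryDirectory() as tmp:
        net = Path(tmp) / "net"
        (net / "global").mkdir(parents=True)
        (net / "instance" / "production").mkdir(parents=True)
        (net / "global" / "port").write_text("1555\n")
        (net / "instance" / "production" / "port").write_text("1566\n")
        # Constructed address_acl using every separator the format allows.
        (net / "global" / "address_acl").write_text(
            "#\n## constructed example\n#\n"
            "192.168.10.0/24, 10.31.0.0/255.255.0.0\n"
            "bpa1.prod.sap.de  # central server\n"
        )
        production_port = int(resolve_config_file(net, "port", "production").read_text())
        default_port = int(resolve_config_file(net, "port", "default").read_text())
        acl = parse_keyword_file(resolve_config_file(net, "address_acl", "default").read_text())
        missing = resolve_config_file(net, "secure_connection", "default")
    return production_port, default_port, acl, missing


if __name__ == "__main__":
    print(demo())
```

The instance "production" picks up its own port file (1566) while the instance "default", which has no instance directory, falls through to the global copy (1555); a file that exists nowhere resolves to None, which is how optional files such as secure_connection or no_live_view are detected by their mere presence.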

  • ca-bundle.crt: List of PEM-encoded certificates the agent tools trust.
  • session.rdp: (Windows Server only) Remote Desktop Protocol (RDP) file used by the agent to connect to the Windows server.

address_acl

If set, the address_acl file will limit which IP addresses can connect to the server. The file can contain a list of IP addresses, hostnames and/or IP ranges.

Example:

#
## Example address_acl file
#
192.168.10.0/24
10.31.0.0/255.255.0.0
bpa1.prod.sap.de
bpa1.prod.sap.de

The address_acl is not set by any of the installers; configuring it is up to the administrator.

agent_initiated_url

For AgentInitiated environments, only.

If the agent should run a TCP server and wait for incoming TCP requests from the central Redwood Server this parameter should not be set. This is the default configuration.

If the agent should create TCP clients and actively connect to the central Redwood Server (so-called AgentInitiated mode) this should be set to the full path of the servlet that it needs to connect to. The pattern allowed in this file is:

https://${Server}:${Port}/${Context}/ipi-platformagentservice/BusinessKey/${Partition}.${ProcessServerName}

For example, the following will connect to an application server (pr1.example.com in this example) running at the default port, context and partition, with process server name unix1:

https://pr1.example.com:50300/redwood/ipi-platformagentservice/BusinessKey/GLOBAL.unix1

See the Cloud platform agents section for more information on this parameter.

note

AgentInitiated platform agents must be configured for auto-update; see Cloud platform agents section for more information.

cipherlist

Specifies the ciphers to use for TLS encryption.

The configuration file accepts a comma-separated list (no spaces) of OpenSSL cipher suite names (not IANA/RFC cipher suite names) or the ALL keyword, which means all cipher suites except the eNULL ciphers, ordered in a sensible manner.

Example

ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-CHACHA20-POLY1305

client_port_range

If set, the client_port_range file will limit the port numbers used for client connections. It accepts the <low>-<high> syntax, for example, 1024-1048. This can be used to identify traffic in a firewall, for example.

etc/ca-bundle.crt

List of PEM-encoded certificates. You append PEM-encoded certificates to this file when you want to trust self-signed certificates, for example.

etc/session.rdp

The Remote Desktop Protocol (RDP) file used to connect to the local Windows Server. Windows Server 2012 and later are supported. Windows client operating systems (Windows 8, 8.1, or 10) are not supported.

failover_url

Read-only HTTP(s) URL of the fail-over central Redwood Server; the context URL can be set in the /configuration/FailoverContextURL configuration entry.

gateway_acl

For AgentInitiated environments, only.

You use this file to specify a newline- or comma-separated list of networks or hosts the central Redwood Server is allowed to access. For example, if your internal network is 10.x.x.x and you only want the central Redwood Server cloud servers to access the 10.0.0.x and 10.10.x.x subnets, set this to the following on each platform agent that will act as a secure gateway:

10.0.0.0/24
10.10.0.0/16

The file accepts networks (see example), DNS names and IP addresses.

gateway_port_range

For AgentInitiated environments, only.

The port ranges to use for the gateway; by default, this is set to 40000-49999.

hmac

Normally the agent uses the SHA256 algorithm to compute the HMAC that guarantees message integrity. This can be switched to the older MD5 algorithm if desired.

listen

You use the listen file to specify which IP address of the platform agent's computer is used to accept new connections. By default it is "0.0.0.0" and accepts any connection from any Ethernet card and address. You can limit this to a particular IP address or hostname, which resolves to a local IP address. This in turn means that the agent will only listen for connections that come in on that particular device.

If the IP address that you want the agent to listen on is not a permanent address (its availability is not 100%), you are better off keeping the default address of 0.0.0.0 and setting up the address_acl parameter to limit who can connect to the agent, because binding to a network device that disappears will cause the agent to fail each time the device stops.

max_requests

The HTTP server in the agent will normally process unlimited requests per HTTP connection. This can be lowered to a particular number by setting this number in the max_requests file. This is a debugging/support feature that should only be used in cooperation with technical support.

monitor_process

You use the monitor_process file to specify the command to use for monitoring an OS process.

monitor_socket

You use the monitor_socket file to specify the command to use for monitoring a socket.

port

The port the platform agent will use at startup is saved in a file named port. If no such file is found, the default of 1555 will be used. The only contents of the port file should be the port number; to set the port number for instance production to 1566, you can proceed as follows:

On UNIX

echo 1566 > /opt/redwood/net/instance/production/port

Note that /opt/redwood is the installation directory in the above example.

On Windows

echo 1566 > G:\redwood\net\instance\production\port

Note that G:\redwood is the installation directory in the above example. The port parameter file is set by the standard installers.

no_live_view

Allows you to disable live viewing of output and log files in the Processes Monitor and Definition Studio. The existence of the file disables live viewing; to enable live viewing again, move or delete the file.

private/proxy_url_password, proxy_url, and no_proxy

For AgentInitiated environments, only.

If set, proxy_url must contain the URL to the proxy server, private/proxy_url_password the encrypted password. You use jsecret -p to generate a proxy_url_password file.

You can specify multiple proxy servers and passwords as follows:

  1. Create or edit the proxy_url file for the instance; for example, the proxy_url for instance default is stored in /opt/redwood/agent/net/instance/default/proxy_url. Fill http://<user>@<proxy_server1>,http://<user>@<proxy_server2> into the file; for example: http://jdoe@proxy1.example.com:9090,http://jdoe@proxy2.example.com:9090
  2. Create two separate password files, merge them into one and apply appropriate privileges (ensure jtool is on your PATH), as described in the following steps.
  3. Issue jtool secret -p /tmp/proxy1_url_password; you must enter the password for the first proxy server, in this case http://jdoe@proxy1.example.com:9090.
  4. Issue jtool secret -p /tmp/proxy2_url_password; you must enter the password for the second proxy server, in this case http://jdoe@proxy2.example.com:9090.
  5. Issue paste -d',' <file_1> <file_2> > <path>/private/proxy_url_password; for example: paste -d',' /tmp/proxy1_url_password /tmp/proxy2_url_password > /opt/redwood/agent/net/instance/default/private/proxy_url_password
  6. Issue chmod 640 <path>/private/proxy_url_password; for example: chmod 640 /opt/redwood/agent/net/instance/default/private/proxy_url_password
  7. Restart the platform agent: /opt/redwood/agent/latest/etc/scheduler restart.

no_proxy

When you have a secure gateway configured, you can restrict which network traffic is considered local traffic and may be forwarded to the cloud without a proxy. The file follows this grammar:

<acl-entry>[,<acl-entry>...]

acl-entry :=   <host>[/<mask>][:<port-range>] | <ipv6-addr>[/<mask>]
port-range:=   [<port-low>][-][<port-high>]
port-low  :=   integer 0-65535, default 0
port-high :=   integer 0-65535, default 65535
host      :=   <hostname> | <ipv4-address> | '['<ipv6-addr>']'
hostname  :=   dns name
ipv4-addr :=   <d>.<d>.<d>.<d>
d         :=   integer 0-255
ipv6-addr :=   [<x>]:[<x>][:[<x>]...]
x         :=   hexadecimal integer 0-ffff
mask      :=   <bits>
bits      :=   integer 0-32 (or 0-255 for ipv6)

Where

  • acl-entry is the host, subnet, network, or domain for which no proxy is required.
  • host is the hostname, domain name, IP address, or subnet for which no proxy is required. Examples: *.internal.example.com (domain), 10.1.0.15 (IP address)
    • hostname - name of the server(s), accepts wildcards. Example myserver.example.com or *.example.com
    • ipv4-addr - IP version 4 address, such as 10.15.0.15 or 10.15.0.0/32
    • ipv6-addr - IP version 6 address, such as 1234:5678:ABCD:0018::2004 or 1234:5678:ABCD:0018::0/64
    • mask - subnet mask for subnet specifications (IP version 4 and 6), for example 32 in the IP version 4 subnet specification 10.1.0.0/32
      • bits - bits of the subnet mask
  • port-range is the range of allowed ports.
    • port-low is the lowest allowable port of the range.
    • port-high is the highest allowable port of the range.
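A parser and matcher for the no_proxy grammar above, as an added example in Python (not Redwood's code, and not the agent's own implementation). It covers every production shown: DNS names with wildcards, IPv4 hosts and networks with an optional port range, bracketed IPv6 with optional mask and port range, and bare IPv6 with optional mask. Because ipaddress.ip_network also accepts dotted IPv4 netmasks, the same matcher handles the address_acl entries shown earlier (for example 10.31.0.0/255.255.0.0); the sample file is constructed.

```python
"""Parse and evaluate no_proxy ACL entries. Added example, not Redwood code."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    host_pattern: Optional[str]   # DNS name, may contain * wildcards; None for network entries
    network: Optional[object]     # IPv4Network/IPv6Network; None for DNS-name entries
    port_low: int
    port_high: int

    def matches(self, host, port):
        """True when host:port is covered by this entry."""
        if not self.port_low <= port <= self.port_high:
            return False
        if self.network is not None:
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                return False          # a DNS name never matches a network entry
            return addr.version == self.network.version and addr in self.network
        return fnmatch.fnmatchcase(host.lower(), self.host_pattern.lower())


def _parse_port_range(spec):
    """'' -> (0, 65535); '80' -> (80, 80); '1024-' -> (1024, 65535); '-1023' -> (0, 1023)."""
    if spec == "":
        return 0, 65535
    if "-" not in spec:
        low = high = int(spec)
    else:
        low_s, high_s = spec.split("-", 1)
        low = int(low_s) if low_s else 0
        high = int(high_s) if high_s else 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return low, high


def parse_entry(entry):
    """Turn one acl-entry into an AclEntry; raises ValueError on malformed input."""
    original = text = entry.strip()
    port_spec, mask = "", None
    if text.startswith("["):                # '['<ipv6-addr>']'[/<mask>][:<port-range>]
        close = text.index("]")
        host, rest = text[1:close], text[close + 1:]
        if ":" in rest:
            rest, port_spec = rest.split(":", 1)
        if rest.startswith("/"):
            mask = rest[1:]
        elif rest:
            raise ValueError(f"unexpected text after ']': {original!r}")
    elif text.count(":") > 1:               # bare <ipv6-addr>[/<mask>]; no port range in this form
        host, _, mask = text.partition("/")
        mask = mask or None
    else:                                   # <host>[/<mask>][:<port-range>]
        if ":" in text:
            text, port_spec = text.split(":", 1)
        host, _, mask = text.partition("/")
        mask = mask or None
    low, high = _parse_port_range(port_spec)
    try:
        ipaddress.ip_address(host)
    except ValueError:                      # not an address, so a (wildcard) DNS name
        if mask is not None:
            raise ValueError(f"a mask is only valid on addresses: {original!r}")
        return AclEntry(host, None, low, high)
    network = ipaddress.ip_network(f"{host}/{mask}" if mask else host, strict=False)
    return AclEntry(None, network, low, high)


def parse_acl(text):
    """Parse a whole file: comma- or newline-separated entries, '#' comments."""
    entries = []
    for line in text.splitlines():
        for item in line.split("#", 1)[0].split(","):
            if item.strip():
                entries.append(parse_entry(item))
    return entries


def bypasses_proxy(entries, host, port):
    """True when some entry covers host:port, i.e. no proxy is required."""
    return any(entry.matches(host, port) for entry in entries)


# Constructed sample exercising every production of the grammar.
SAMPLE_NO_PROXY = """
*.internal.example.com          # whole internal domain, any port
10.1.0.15                       # single host
10.0.0.0/24:8000-8999           # subnet, but only this port range
10.31.0.0/255.255.0.0           # dotted netmask, as in the address_acl example
[2001:db8::]/32:443             # bracketed IPv6 network with a port
1234:5678:abcd:18::/64          # bare IPv6 network
localhost
"""
```

The port range defaults follow the grammar (0 and 65535 when a bound is omitted), and an entry with a port range only matches when the requested port lies in that range, so 10.0.0.7:8080 is treated as local while 10.0.0.7:80 still goes through the proxy.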

private/secret

If set, it should contain a secret that the central Redwood Server also has configured for this process server. The secret is used to create a hash function over the content of the message being passed. If both sides do not possess the same secret, the agent log file will contain messages such as these:

error <date> [***-http-request #** tid=***] http.http - Content digest *** does not match computed value ***
error <date> [***-http-request #** tid=***] http.http - Request with content has incorrect HMAC checksum

To correct this, ensure both sides possess the same shared secret. When you install the platform agent using the installer, the shared secret is generated during the installation. When you registered the platform agent during the installation the shared secret will also be known to the central Redwood Server. If not, you have to paste the value into the SharedSecret process server parameter and restart the process server. You can generate the shared secret with the jsecret executable. On Microsoft Windows you can also use the Scheduler Service Manager to set the secret; see the Configuring Platform Agents on Windows section for more information. The secret is set by the installers and synchronized with the central Redwood Server when the agent installer registers the agent with the server.
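The shared-secret check behind the two log lines above, as an added example in Python. This is not Redwood code and the page does not describe the agent's wire format, so the example assumes an HMAC over the raw request body keyed with the shared secret, selecting SHA256 (the hmac file default) or MD5; the message body and secrets are constructed.

```python
"""Illustrate a content-digest check with a shared secret. Added example, not Redwood code."""
import hashlib
import hmac

# Mirrors the two values the hmac configuration file accepts.
DIGESTS = {"SHA256": hashlib.sha256, "MD5": hashlib.md5}


def content_digest(secret, body, algorithm="SHA256"):
    """Hex HMAC of `body` under `secret` (assumed framing: body only)."""
    return hmac.new(secret, body, DIGESTS[algorithm.upper()]).hexdigest()


def verify_content_digest(secret, body, received, algorithm="SHA256"):
    """Return (ok, message); compare_digest keeps the comparison constant-time."""
    expected = content_digest(secret, body, algorithm)
    if hmac.compare_digest(expected, received):
        return True, ""
    return False, f"Content digest {received} does not match computed value {expected}"


def demo():
    """Same secret on both sides verifies; a stale secret on one side does not."""
    body = b'{"command":"start","jobid":42}'       # constructed message content
    server_secret = b"constructed-shared-secret"
    sent = content_digest(server_secret, body)
    same_secret_ok = verify_content_digest(server_secret, body, sent)[0]
    stale_ok, message = verify_content_digest(b"stale-agent-secret", body, sent)
    return same_secret_ok, stale_ok, message.startswith("Content digest")


if __name__ == "__main__":
    print(demo())
```

When private/secret on the agent and the SharedSecret process server parameter differ, every request fails exactly like the stale-secret branch: the digest sent by the server never equals the value the agent computes, so the only fix is to make both sides hold the same value and restart the process server.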

proxy_incoming

When this file contains the value true, the platform agent is accessible via a reverse proxy such as HAproxy or nginx. Refer to the following for more information on the protocol.

rwscert.pem and private/rwskey.pem

The rwscert.pem and private/rwskey.pem configuration files contain the public certificate and the private key for TLS. Both must be PEM formatted: the certificate must start with -----BEGIN CERTIFICATE----- and the key must start with -----BEGIN PRIVATE KEY-----. You can convert them using openssl, for example, or ask your certificate authority to provide the appropriate format.

Converting from DER to PEM using OpenSSL

# Certificate: write PEM only. Do not add -text, because the human-readable dump it
# prepends would stop the file from starting with -----BEGIN CERTIFICATE-----.
$ openssl x509 -inform DER -outform PEM -in mykey.crt -out rwscert.pem
# Private key (file name illustrative): openssl pkey writes PKCS#8 PEM, which starts
# with -----BEGIN PRIVATE KEY----- as required above.
$ openssl pkey -inform DER -outform PEM -in mykey.key -out private/rwskey.pem

secure_connection

The secure_connection file, if it exists and contains the keyword true, will force the platform agent to use TLS for incoming HTTP requests. TLS mandates:

  • PEM formatted certificate and private key in rwscert.pem and private/rwskey.pem, respectively.
  • OpenSSL cipher suites, or the ALL keyword in cipherlist.
  • One or more directories to serve listed in server_root; only files residing in directories or sub directories of server_root will be served to clients.

See Securing Communications for Platform Agents and System Tools

server_acl

The server_acl file, if it exists, limits the platform agent to only connecting with central Redwood Servers that have a system ID that is on the list in the server_acl file. To find out what a system's system ID is, log in to the system and observe the browser heading; the part before the [ character is the system ID. You can also issue the REL expression String.getSystemId() in a process definition parameter; it will return the current system ID. Any characters in the system ID that are not alphanumerical, such as '-' dashes, should be converted to underscores: _. For instance, a system ID named 'My Instance:1234' will be transmitted as 'My_Instance_1234'.

The keywords mentioned in the file can be either just system IDs or a combination of system ID, a slash '/', followed by a process server name. For instance the following server_acl file will limit the agent to function for these three nodes in a cluster, but it will be configurable as any process server:

## Limit this agent to respond only to nodes in the BPA cluster
SAP_BPA_00
SAP_BPA_01
SAP_BPA_02

If you want this agent to respond only to the nodes in the cluster and for only a particular process server name you should have a file like this:

## Limit this agent to respond only to nodes in the BPA cluster and the MSLN_UNIXS1 process server
SAP_BPA_00/MSLN_UNIXS1
SAP_BPA_01/MSLN_UNIXS1
SAP_BPA_02/MSLN_UNIXS1

If the platform agent has a server_acl file, any messages or requests from systems and/or process servers that it is not configured to respond to will receive an error message stating 'Refusing connection from server with SystemId ... and ProcessServer ...'. This message is not translated into your local language as it is generated as an HTML response. If the server_acl file does not exist, the platform agent dynamically ties itself to the system ID and process server that it is first configured as, and responds to others with an error message stating 'Strict checking is enabled, Agent will only respond to X-RW-SystemID requests from ...'. This message is likewise not translated, as it is generated as an HTML response. The server_acl is set by the automatic install when the agent installer successfully registers with the central Redwood Server.
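The server_acl decision described in this section, as an added example in Python (not Redwood's code or the agent's implementation). It normalises the system ID the way the text describes, parses both file forms shown above (system ID alone, or system ID/process server), reproduces the two refusal messages quoted, and models the dynamic binding that applies when no server_acl file exists; the sample file is constructed.

```python
"""Model the server_acl check. Added example, not Redwood code."""
import re


def normalize_system_id(system_id):
    """Replace every non-alphanumeric character with '_': 'My Instance:1234' -> 'My_Instance_1234'."""
    return re.sub(r"[^A-Za-z0-9]", "_", system_id)


def parse_server_acl(text):
    """Return a set of (system_id, process_server) pairs.

    process_server is None for lines that name only a system ID, which allows
    any process server on that system.
    """
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        system_id, _, process_server = line.partition("/")
        entries.add((normalize_system_id(system_id), process_server or None))
    return entries


class ServerAcl:
    """Decide whether a request from (system ID, process server) is answered."""

    def __init__(self, acl_text=None):
        # None models "no server_acl file": bind to the first caller instead.
        self.entries = parse_server_acl(acl_text) if acl_text is not None else None
        self.bound = None

    def check(self, system_id, process_server):
        """Return (allowed, message); message is empty when allowed."""
        sid = normalize_system_id(system_id)
        if self.entries is None:
            if self.bound is None:
                self.bound = (sid, process_server)      # first configuration wins
            if self.bound == (sid, process_server):
                return True, ""
            return False, ("Strict checking is enabled, Agent will only respond to "
                           "X-RW-SystemID requests from %s/%s" % self.bound)
        if (sid, None) in self.entries or (sid, process_server) in self.entries:
            return True, ""
        return False, (f"Refusing connection from server with SystemId {sid} "
                       f"and ProcessServer {process_server}")


# Constructed server_acl mixing the two forms shown above.
SAMPLE_SERVER_ACL = """
## Limit this agent to the BPA cluster; node 01 may use any process server name
SAP_BPA_00/MSLN_UNIXS1
SAP_BPA_01
SAP_BPA_02/MSLN_UNIXS1
"""


if __name__ == "__main__":
    acl = ServerAcl(SAMPLE_SERVER_ACL)
    print(acl.check("SAP_BPA_00", "MSLN_UNIXS1"))
    print(acl.check("SAP_BPA_03", "MSLN_UNIXS1"))
```

A system ID arriving as 'SAP-BPA-01' matches the entry SAP_BPA_01 because the same normalisation is applied to the request header; the dynamic binding without a file shows why the page recommends an explicit server_acl: whichever system reaches an unconfigured agent first becomes the only one it will answer.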

server_root

The platform agent contains an HTTP server that can serve process output and agent log files. It serves them only to the Java server, because the caller must possess the secret. It further restricts reads to the directories in which it has placed process output and log files itself. In some deployments, however, the platform agent must serve files that it did not generate; it then has to be told which directories it is allowed to serve files from to the Java server.

The server_root file can contain a list of paths to the top level directories that it should also serve up. For example:

#
## Directories that contain extra output files to be served up
#
c:\tmp\
d:\oapps\data\

The server_root parameter is not set by any of the installers, configuring it is up to the administrator.

version_compatibility

The version_compatibility file contains the version(s) of central Redwood Servers the platform agent is allowed to connect with. This file accepts the * wildcard.

For example, it could be specified as:

9.2.11.*,9.2.9.*

If instructed by support staff, you can use this setting to use a new version of the platform agent with an older version of the central Redwood Server. In that case make sure that the VersionCompatibility process server parameter is not set, as that means the agent no longer knows what messages the server supports.

http_response_mode and http_server_timeout

When communicating with servers older than 9.0.10, such as version 8 (M33), you may be instructed by support to set http_response_mode to value keep and http_server_timeout to a low value such as 30.

private/whitelist and private/blacklist

On UNIX, it is common practice to prevent certain users from logging in interactively. You can likewise prevent jobs from running as specific users on UNIX, HP OpenVMS, and Windows by providing Redwood Server with a list of authorized or banned users. These settings are saved in the ${InstallDir}/net hierarchy, in the private sub-folder. For security reasons they should be readable only by the users redwood and root on UNIX, and by System on Windows.

If you provide a whitelist then the blacklist is not used. The default value is a blacklist containing root,daemon,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag on UNIX, no defaults on Windows or HP OpenVMS.

The file accepts a comma separated list of usernames, no Windows domains.

UNIX network-processor

The UNIX specific parameters for the network-processor executable are kept in the ${InstallDir}/net hierarchy, just like the system independent settings. Some items reside in a further private/ subdirectory. For security reasons these should only be readable by the user that the network-processor runs as.

  • chown: A symbolic link to the chown binary, improving security when using the sudo User Switching Security Mode.
  • password_check: PAM service to verify user access, or any value for UNIX systems that do not use PAM.
  • usermode: Mode used to switch accounts.

chown

The Redwood Server installer on UNIX creates a sudo configuration for the Redwood Server user when you choose sudo as your user-switching mode. This could be used by a user to gain access to files owned by root. To avoid this, Redwood Server allows you to specify your own chown command. Redwood Server ships with an example chown.sh which checks various parameters for validity.

The chown file in the net directory is a symbolic link to the chown binary as detected by the installation routine. You can create a symbolic link to the chown.sh script in the Redwood Server bin directory to improve security. Edit the chown.sh script to suit your security needs.

Password Checking

The UNIX platform agent switches accounts using the mode set in the usermode file. When the user switch mode is setuid or sudo, the users that jobs can run as are determined by private/whitelist, private/blacklist and possibly the sudoers configuration. Who is allowed to use which account is fully under the control of the Central Scheduler Server's administrator, by means of grants on process definitions and credentials. However, the password for the account stored in the Central Scheduler Server is not verified against the current password on the UNIX system. In this sense the UNIX platform agent functions like a trusted subsystem.

If the central Redwood Server must prove that it holds the current password, or if extra authentication or access checks need to be performed, the job-processor can call PAM to further authenticate the user. To do so, set a PAM service name in the password_check file, for instance:

login

Once the password_check file is filled, a series of pam(3) Pluggable Authentication Module calls is made; the exception is AIX, for which the equivalent usersec calls are made. If the configured PAM service refuses access, the OS process goes into the ERROR state. You can test your configuration with the network-processor by using the -o flag.

Checking the password for a specific instance, password is correct and PAM checking is enabled:

./network-processor -i prod -o
[...]
INFO  2023-09-28 06:07:45,408 GMT [131172-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO  2023-09-28 06:07:45,408 GMT [131172-network-processor] common.config - Password checking is enabled with value login
INFO  2023-09-28 06:07:45,408 GMT [131172-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
INFO  2023-09-28 06:07:45,508 GMT [131172-network-processor] network.main - Password is correct
INFO  2023-09-28 06:07:45,508 GMT [131172-network-processor] main.main - network-processor exit 0

Checking the password for a specific instance, password is incorrect and PAM checking is enabled:

./network-processor -i prod -o
[...]
INFO  2023-09-28 06:07:45,608 GMT [131175-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO  2023-09-28 06:07:45,608 GMT [131175-network-processor] common.config - Password checking is enabled with value login
INFO  2023-09-28 06:07:45,608 GMT [131175-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
ERROR 2023-09-28 06:07:45,708 GMT [131175-network-processor] opsys.user - Could not authenticate user 'example' via PAM: Authentication failure
INFO  2023-09-28 06:07:45,708 GMT [131175-network-processor] main.main - network-processor exit 2

Checking the password for a specific instance, password is correct, however, PAM checking is disabled (password_check is not set):

./network-processor -i default -o
[...]
INFO  2023-09-28 06:07:45,808 GMT [131195-network-processor] common.config - Jobs will only be run for users not on blacklist root,bin,sys,adm
INFO  2023-09-28 06:07:45,808 GMT [131195-network-processor] common.config - User authorization delegated to sudo configuration and blacklist
INFO  2023-09-28 06:07:45,808 GMT [131195-network-processor] opsys.update - Delaying verification of sudo user switch mode to point when configured by server
Enter password for example:
ERROR 2023-09-28 06:07:45,908 GMT [131195-network-processor] opsys.user - Password checking has not been enabled. Set 'password_check' net configuration file to desired PAM module, usually 'login'
INFO  2023-09-28 06:07:45,908 GMT [131195-network-processor] main.main - network-processor exit 2

Troubleshooting dependencies

$ network-processor -i prod -o
INFO  2023-09-28 06:07:45,169 GMT [12787-network-processor] common.logging - Logging to stderr at level info
INFO  2023-09-28 06:07:45,169 GMT [12787-network-processor] common.logging - Flavor linux-x86 build 9_2_11_20230928_10
INFO  2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Network  character set is utf8
INFO  2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Internal character set is utf8
INFO  2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Filedata character set is UTF-8
INFO  2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Filesys  character set is UTF-8
INFO  2023-09-28 06:07:45,170 GMT [12787-network-processor] opsys.conv - Argument character set is UTF-8
INFO  2023-09-28 06:07:45,171 GMT [12787-network-processor] opsys.env - Operating system Linux=v3.2 id=x86_64 user=32-bit ram=7833MB processors=12
INFO  2023-09-28 06:07:45,173 GMT [12787-network-processor] opsys.socket - IPv4/IPv6 support compiled in.
INFO  2023-09-28 06:07:45,174 GMT [12787-network-processor] opsys.init - Host pr1 FQDN pr1.example.com
INFO  2023-09-28 06:07:45,174 GMT [12787-network-processor] common.config - Jobs will only be run for users not on default blacklist root,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag
INFO  2023-09-28 06:07:45,174 GMT [12787-network-processor] common.config - Password checking is enabled with value login
INFO  2023-09-28 06:07:45,178 GMT [12787-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
ERROR 2023-09-28 06:07:45,204 GMT [12787-network-processor] opsys.user - Could not authenticate user example via PAM: Module is unknown
INFO  2023-09-28 06:07:45,204 GMT [12787-network-processor] main.main - exit 2

The "Module is unknown" error above occurs when you run 32-bit GNU/Linux platform agents on 64-bit operating systems that do not have the 32-bit PAM libraries installed.

$ sudo yum install pam.i686
[...]
$ network-processor -i prod -o
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] common.logging - Logging to stderr at level info
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] common.logging - Flavor linux-x86 build 9_2_11_20230928_10
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Network  character set is utf8
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Internal character set is utf8
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Filedata character set is UTF-8
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Filesys  character set is UTF-8
INFO  2023-09-28 06:07:45,256 GMT [13163-network-processor] opsys.conv - Argument character set is UTF-8
INFO  2023-09-28 06:07:45,257 GMT [13163-network-processor] opsys.env - Operating system Linux=v3.2 id=x86_64 user=32-bit ram=7833MB processors=12
INFO  2023-09-28 06:07:45,260 GMT [13163-network-processor] opsys.socket - IPv4/IPv6 support compiled in.
INFO  2023-09-28 06:07:45,260 GMT [13163-network-processor] opsys.init - Host pr1 FQDN pr1.example.com
INFO  2023-09-28 06:07:45,260 GMT [13163-network-processor] common.config - Jobs will only be run for users not on default blacklist root,bin,sys,adm,uucp,nuucp,lp,listen,sysadm,smtp,ftp,tftp,news,sysdiag,sundiag
INFO  2023-09-28 06:07:45,261 GMT [13163-network-processor] common.config - Password checking is enabled with value login
INFO  2023-09-28 06:07:45,265 GMT [13163-network-processor] opsys.update - Verified user switch mode is setuid
Enter password for example:
INFO  2023-09-28 06:07:45,307 GMT [13163-network-processor] network.main - Password is correct
INFO  2023-09-28 06:07:45,307 GMT [13163-network-processor] main.main - exit 0

Once the 32-bit PAM libraries are installed, the password check succeeds. On Debian-based systems the package in question is named libpam-modules. A 64-bit version of the GNU/Linux platform agent is also available.
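The password-check runs above share one pattern: the outcome is visible in the network-processor log and exit code. The following POSIX shell script is an added example, not part of the Redwood documentation or product; it classifies captured `network-processor -i <instance> -o` output into the four outcomes shown in this section and maps each to the remediation the text describes. The sample log text is constructed here, modelled on the lines above.

```shell
#!/bin/sh
# Added example (not Redwood code): triage the output of
# "network-processor -i <instance> -o" after it has been captured to a file
# or piped in. Only the log fragments quoted in this section are matched.

# classify_password_check: read the captured log on stdin, print one verdict word.
classify_password_check() {
    log=$(cat)
    case "$log" in
        *"network.main - Password is correct"*)      echo ok ;;
        *"Password checking has not been enabled"*)  echo password_check_unset ;;
        *"Authentication failure"*)                  echo auth_failure ;;
        *"Module is unknown"*)                       echo pam_module_missing ;;
        *)                                           echo unknown ;;
    esac
}

# next_step: map a verdict to the action this section describes for it.
next_step() {
    case "$1" in
        ok)                   echo "password check passed, no action needed" ;;
        password_check_unset) echo "set password_check (usually login) in the instance net configuration file" ;;
        auth_failure)         echo "PAM rejected the password: verify the account password and the PAM login stack" ;;
        pam_module_missing)   echo "32-bit agent on a 64-bit host: install 32-bit PAM (yum install pam.i686, Debian: libpam-modules)" ;;
        *)                    echo "unrecognised outcome, inspect the full log" ;;
    esac
}

# check_usermode: validate a usermode file; it must hold plain, root, sudo or setuid.
check_usermode() {
    mode=$(tr -d '[:space:]' < "$1")
    case "$mode" in
        plain|root|sudo|setuid) echo "$mode"; return 0 ;;
        *) echo "invalid usermode '$mode'" >&2; return 1 ;;
    esac
}

# Constructed sample capture (the missing 32-bit PAM case from this section).
SAMPLE_MISSING_PAM='ERROR 2023-09-28 06:07:45,204 GMT [12787-network-processor] opsys.user - Could not authenticate user example via PAM:
Module is unknown
INFO  2023-09-28 06:07:45,204 GMT [12787-network-processor] main.main - exit 2'

verdict=$(printf '%s\n' "$SAMPLE_MISSING_PAM" | classify_password_check)
echo "$verdict: $(next_step "$verdict")"
```

In practice you would capture the real run with `network-processor -i prod -o 2>capture.log` and feed `capture.log` to `classify_password_check`.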

usermode

The user-switching mode that the network-processor uses to run jobs under the correct account is stored in ${InstallDir}/net/.../usermode. The file contains one of the following values: plain, root, sudo or setuid. This parameter is usually set by the UNIX platform agent installer.

See Also

  • Using the Wizard to Create Process Servers
  • Configuring Platform Agents on Windows
  • Configuring Load Balancing on Platform Agents
  • Automatically Updating Platform Agents
  • Securing Communications for Platform Agents and System Tools
  • Creating a Monitoring Platform Agent
  • Monitoring External Systems with Platform Agents
  • Support Note 115542 - Character set issues related to processes, jtool and jmail

