iTivity™ User Guide

8. Installing and Running the Unattended iAgent on Linux or UNIX



8.1 Capabilities of the Unattended iAgent on Linux or UNIX
8.2 UNIX/Linux System Requirements
8.3 Installing the Unattended iAgent on UNIX/Linux
8.4 Configuring the Unattended iAgent on UNIX/Linux
8.5 UNIX/Linux Unattended iAgent Commands
8.6 Installing the Secure Dial (igetty) Agent

iTivity provides a UNIX/Linux version of the Unattended iAgent for remote support of UNIX/Linux systems.

This chapter explains how to install, configure and use the Unattended iAgent on UNIX or Linux.

8.1  Capabilities of the Unattended iAgent on Linux or UNIX

iTivity provides several capabilities for viewing and remotely controlling Linux and UNIX computers. These capabilities are provided by the UNIX/Linux Unattended iAgent together with additional software.

Base Capabilities

When the Unattended iAgent is installed on a UNIX/Linux system, you can use iManager to remotely connect to that system via TELNET and FTP. You can also connect and remotely view an X-Windows console, and, via the iTivity WebTunnel feature, you can connect to network applications that are accessible to the iAgent computer.

Additional Capabilities with DoubleVision Pro

If Tridia's DoubleVision Pro software is installed on the UNIX/Linux system along with the Unattended iAgent, then iManager users can also:

·         List the users (terminal sessions) that are logged in.

·         View the terminal sessions.

Note: DoubleVision Pro is sold with iTivity. The custom installers that you build from the Tridia Support site always include DoubleVision Pro as part of the install. See Appendix B for information.

Secure Dial (igetty iAgent)

You can establish a secure dial connection to a UNIX/Linux system using a separate iAgent called the igetty iAgent. The igetty iAgent is named for the UNIX getty utility and is available for various UNIX/Linux versions. 

See Section 8.6, Installing the Secure Dial (igetty) iAgent, for more information.

8.2  UNIX/Linux System Requirements

The UNIX/Linux version of the Unattended iAgent requires the following platform.

Software

Any of the following operating systems:

·         Red Hat 9.0 or Red Hat Enterprise 4.0/5.0/5.1/5.2/5.3

·         Solaris SPARC 2.7/2.8/2.9/2.10 for 32 and 64 bit systems

·         AIX 5.1/5.2/5.3/6.1 for 32 and 64 bit systems.

·         HP-UX 11.11/11.23/11.31 for 32 and 64 bit systems

·         SCO 3.2.5/3.2.6

Hardware

·         60 MB minimum disk space

·         5 MB RAM baseline, plus 336 KB per connection to the Unattended iAgent

·         300 MHz minimum CPU

8.3  Installing the Unattended iAgent on UNIX/Linux

Use the following instructions to download and install an Unattended iAgent. Filenames and some command names will vary depending on the exact version you are installing.

For information on configuring the Unattended iAgent after installation, see Section 8.4, Configuring the Unattended iAgent on UNIX/Linux.

Note: You can also build custom installation files for your Unattended iAgent. See Appendix B, Creating Custom Installers.

1.       Contact Tridia for the URL and filename to download the Unattended iAgent Linux or UNIX distribution file for your specific operating system.

Example Filename:  iagent-linux.tar

Note: Many popular Windows-based ZIP utilities do not properly extract the contents of our distribution files. Do not use them with any of the distribution files.

2.       Place the downloaded file in your home directory on the UNIX/Linux server where you want to install the Unattended iAgent.

Example: /home/username/
where username is your actual user name

3.       Log on as the root user, or use the su command to become root.

4.       Change to the /tmp directory.

cd /tmp [Enter]

5.       To verify the presence of the distribution file, list the directory contents of your home directory:

ls -l /home/username/*.tar [Enter]
where username is your actual user name

6.       Extract the distribution (*.tar) file:

tar xvf /home/username/<filename>

Several files are extracted into the /tmp directory. One of these is the install script.

Note: At this point you can remove the distribution file by moving it to a different directory or using the rm command.

7.       Run the install Unattended iAgent script. (The exact command will depend on your version and file name.)

./install-agent 

A Welcome screen is displayed:

8.       Type y to proceed.

The License Agreement is displayed:

9.       Press the Enter (or Return) key to scroll down the license agreement or type q to jump to the end of the license agreement. Type y to accept the license agreement and proceed.

The Installation Directory screen is displayed:

10.   Press Enter to accept the default directory, or type a different directory and then press Enter.

If the specified directory does not already exist, you are prompted to confirm creating it. Type Y to confirm.

The following screen appears, prompting you for the DNS name or IP address of the iServer that this iAgent will connect to:

11.   Type in the DNS name or IP address and press Enter.

The iTivity iServer Support Domain screen is displayed:

12.   If you use Support Domains, type in the name of one or more support domains that will have access to this iAgent. Separate multiple support domain names with a comma.

For more information on support domains, see the iTivity Deployment Guide.

Press Enter to continue.

The iTivity iAgent Host Registration Port screen is displayed:

13.   Change the default port if desired. Otherwise just press Enter.

The Host System Name screen is displayed. The computer host name is the default value for this setting.

14.   Enter a Name to be used to identify this computer in iTivity iManager. Then press Enter.

The Host System Name Description screen is displayed.

15.   Enter a Description to be used to identify this computer in iTivity iManager. Then press Enter.

Files are extracted and the installation proceeds.

The SSL Certificate Verification screen appears.

Note: This screen gives you the option of disabling validation of the iServer's encryption certificate. If validation is disabled, the iAgent accepts any certificate, including one presented by a system impersonating the iServer, so use that option only on a secure LAN. The recommended practice is to keep validation enabled and make the certificates match by copying the root certificate from the iServer to the iAgent over a channel you already trust (for example scp, or removable media), then confirming the copy. For example, copy

From (iServer system):
/usr/lib/iTivity/iServer/itivity_data/root.pem

To (iAgent system):
/usr/lib/iTivity/iAgent/itivity_data/root.pem

16.   Type n to keep certificate validation enabled (recommended; then copy root.pem as shown above), or y to disable certificate validation.

The iTivity iAgent Authentication and Authorization screen is displayed:

17.   Type 1, 2 or 3 to select the Authentication method that iManager users will need to view and control this iAgent computer. Then Press Enter.

If you chose PAM in step 17, the PAM Service Installation screen is displayed:

17A.  Type y to install the PAM service.

17B. When the Installation completes, you are prompted to press Return (Enter) to continue.

18.   The next screen asks whether you want the Unattended iAgent to start at system startup.

Note: You can also start the Unattended iAgent from the command line. See Section 8.5, UNIX/Linux Unattended iAgent Commands.

19.   Type y to start the daemon at boot time or n to cancel this option.

The installation proceeds. You are prompted whether or not to start the iAgent after the installation is finished.

20.   Type y or n, then press Enter.

The installation proceeds. You are prompted to specify whether or not to remove temporary installation files.

21.   Type y to confirm or n to cancel.

If you typed y, the files are removed. You are prompted to press Return (Enter) to continue.

The installation is now complete.
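
The check that goes with step 16: after copying root.pem to the iAgent host, confirm that the copy really is the iServer's certificate before trusting it. The following Python script is an added example, not part of iTivity; it assumes you ran `openssl x509 -in root.pem -noout -fingerprint -sha256` on the iServer (or otherwise recorded the certificate's SHA-256 fingerprint) and that the copied file sits at the default path from this section. The certificate body in the sample is constructed filler, not a real certificate, so the script runs offline.

```python
"""Verify the iServer CA certificate copied to an iAgent host (Section 8.3,
step 16). Added example, not part of iTivity. Assumes the SHA-256 fingerprint
was recorded on the iServer with `openssl x509 -fingerprint -sha256`."""
import base64
import hashlib
import re
import sys

# Default location of the copied CA certificate on the iAgent host (Section 8.3)
IAGENT_ROOT_PEM = "/usr/lib/iTivity/iAgent/itivity_data/root.pem"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_bytes):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.
    Whitespace and CRLF/LF differences (common after copying between hosts)
    do not change the result, because the fingerprint is taken over the DER."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_bytes):
        ders.append(base64.b64decode(b"".join(body.split()), validate=True))
    return ders


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, the same format that
    `openssl x509 -fingerprint -sha256` prints after 'SHA256 Fingerprint='."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept 'SHA256 Fingerprint=AB:CD:...', 'ab:cd:...' or bare hex."""
    text = text.strip().split("=")[-1]
    return text.replace(":", "").upper()


def verify_root_pem(pem_bytes, expected_fingerprint):
    """True only if the file holds exactly one certificate and its SHA-256
    fingerprint equals the one recorded on the iServer."""
    ders = pem_to_der(pem_bytes)
    if len(ders) != 1:
        return False
    actual = normalize_fingerprint(sha256_fingerprint(ders[0]))
    return actual == normalize_fingerprint(expected_fingerprint)


# Constructed sample (not a real X.509 certificate): enough to exercise the
# parsing and fingerprinting without network access.
SAMPLE_DER = b"constructed-iserver-ca-placeholder-bytes"
SAMPLE_ROOT_PEM = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
    + b"-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    # usage: verify_root_pem.py '<fingerprint printed on the iServer>' [path]
    path = sys.argv[2] if len(sys.argv) > 2 else IAGENT_ROOT_PEM
    with open(path, "rb") as f:
        ok = verify_root_pem(f.read(), sys.argv[1])
    print("root.pem matches the iServer" if ok else "MISMATCH: do not trust this root.pem")
    sys.exit(0 if ok else 1)
```

Run it on the iAgent host with the fingerprint printed on the iServer as its first argument. Because the fingerprint is computed over the decoded DER, a changed line ending after the copy does not produce a false mismatch, but a different or additional certificate does. The copy itself must travel over a channel you already trust (scp with host-key checking, or removable media): a root.pem substituted in transit would simply make the attacker's iServer the trusted one.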

8.4  Configuring the Unattended iAgent on UNIX/Linux

8.4.1 Editing the iAgent.conf File

For the UNIX/Linux version of the Unattended iAgent, all configuration settings are controlled by an ASCII text file called iAgent.conf, which is placed in the /etc/iTivity/ directory on the Linux or UNIX computer.   

You can change the settings by opening the file in any text editor. The following table describes the settings in the file.

COMMON OPTIONS

 

Programdir

Specifies the directory in which the Unattended iAgent is installed.  This setting is automatically configured by the Installation program.

Default: /usr/lib/iTivity/iAgent

dataDir

Specifies the directory where the Unattended iAgent stores information between program invocations. This information includes encryption keys and other data used internally.

Default: /usr/lib/iTivity/iAgent/itivity_data

vnchostname

vnchostdesc

The iAgent name and Description as listed in iTivity iManager for this Unattended iAgent.

The default vnchostname is the UNIX/Linux machine name. The vnchostdesc can be entered during the Installation procedure.

CONNECTOR OPTIONS

 

randomFile

keyFile

caFile

 

These settings specify the filenames and location of three files used for encryption. The Unattended iAgent automatically generates default versions of these files the first time it runs. There is no need to change these settings unless the default files in the dataDir directory are not acceptable.

Defaults:

randomFile=/usr/lib/iTivity/iAgent/itivity_data/random.dat

keyFile=/usr/lib/iTivity/iAgent/itivity_data/keys.pem

caFile=/usr/lib/iTivity/iAgent/itivity_data/root.pem

autoAcceptAllCerts

This flag enables or disables verification of the encryption certificate received from the iServer.

Setting the value to 1 prevents a change in the iServer's encryption certificate from blocking access, because the iAgent then accepts whatever certificate it is presented.

Caution: Enabling this option prevents iTivity from detecting a man-in-the-middle attack on the encrypted connection; a system impersonating the iServer is accepted just as readily.

The recommended practice is to copy the "root.pem" file from your iServer to the iAgent system.  For example,

From:
iServerSystem:/usr/lib/iTivity/iServer/itivity_data/root.pem

To:
AgentSystem:/usr/lib/iTivity/iAgent/itivity_data/root.pem

Once root.pem has been copied from the iServer to the iAgent system, the iServer's certificate is trusted correctly, and autoAcceptAllCerts can remain disabled, which provides the higher level of security.

Default: autoAcceptAllCerts=0

Log File Flags

The following options control which events are written to the Syslog. A value of 1 (one) enables logging and a value of 0 (zero) disables logging.

Syslog facility and priority: iTivity.daemon 

connectSysLogMask

Arrival of an encrypted connection.  Default = 0.

disconnSysLogMask

Closing of an encrypted connection. Default = 0.

startSysLogMask

iAgent startup. Default = 1.

stopSysLogMask

iAgent shutdown. Default = 1.

allowSysLogMask

Granting of user permission by the iAgent. Default = 0

telnetServiceSysLogMask

Initiation of a TELNET session with the iAgent. Default = 0

ftpServiceSysLogMask

Granting of FTP access by the iAgent. Default = 0

chatServiceSysLogMask

Granting of Chat access by the iAgent. Default = 0

TCP Connection

These settings control the TCP connection ports and interface of the Unattended iAgent.

transportPort

Must always match proxySvcPort=21800. Default = 21800

iasServerPort

The port for iServer connections. Default = 23800.

iasServerHost

Host DNS for the iServer.

Note: You must enter the DNS name for your iServer here for the iAgent to connect.

Default  none.

Example: iserver.acme_heavy_industries.com

transportTimeout

serviceTimeout

These two settings control the timeout behavior of Unattended iAgent data connections.

transportTimeout - Timeout in milliseconds set for end-to-end or host to host network connections. Keep this value high if using the Internet or other high-latency network transport (such as satellite connections).

serviceTimeout - Timeout in milliseconds for internal or local connections between Unattended iAgent daemons. 

Defaults:

transportTimeout=90000

serviceTimeout=45000

Keep-Alive Settings

These three settings control the keep-alive behavior of Unattended iAgent data connections.

endToEndKeepAlive

Determines whether the Unattended iAgent sends keep alive packets. Not supported on all transports. Values are:

1 (one) - send packets
0 (zero) - no packets.

Default = 1.

iasVerifySessionFlag

The Unattended iAgent can also send application-level messages to confirm that connections are still viable and to detect lost connections more reliably. Set this flag to 1 to have the iServer verify session status when there is otherwise no network traffic. Values are 1 (enabled) and 0 (disabled).

Default = 1.

iasVerifySessionTimeout

If the iasVerifySessionFlag is set to 1, this value controls how often, in seconds, the verification packets are sent.

Default = 240.

connectToIASCycleTime

connectToIASMaxRetries

These settings control the reconnect behavior of the Unattended iAgent when the connection to the iServer fails. The default is to retry every five minutes for 24 hours.

connectToIASCycleTime is the cycle time specified in milliseconds between reconnect tries. Default = 300000.

connectToIASMaxRetries is the maximum number of retries. Default = 288.

disableSessionDNSLookup

Prevents DNS lookups for new connections to query the host name of the foreign system. This can be useful to improve performance in environments with slow DNS service. Values are:

1 (one) - prevent DNS lookup
0 (zero) - allow lookup

Default = 0.

cipherList

Specifies the list of cipher suites allowed for incoming connections. If you add other ciphers to the list, keep the default entries as options: if this Unattended iAgent connects to an iServer, or is contacted by an iManager, and there is no mutually acceptable cipher, the connection fails.

A different cipher can only be used if it is also allowed by the cipherList of the iServer. The recommended practice is to set the same cipherList on all iTivity systems. Many of the suites in the supported list below (the EXP and EXP1024 export-grade suites, RC4, RC2, single DES and the MD5-based suites) are weak by current standards and should not be added.

Supported OpenSSL ciphers:

    DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
    EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5
    DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA
    IDEA-CBC-SHA:IDEA-CBC-MD5
    RC2-CBC-MD5
    DHE-DSS-RC4-SHA
    RC4-SHA:RC4-MD5:RC4-64-MD5
    EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5
    EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA
    DES-CBC-SHA:DES-CBC-MD5
    EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5
    EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA
    EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Default: cipherList=AES128-SHA:DES-CBC3-SHA


 

Connector Port Number

These settings provide the ability to control the port number on which the Connector will attempt to find the local service daemons. Local service daemons listen on the localhost interface and provide local, unencrypted access to services.

commandSvcPort

Remote control authorization and commands. Must always match connectPort=6800

Default = 6800

rfbSvcPort

Unencrypted, raw VNC data

Default = 5900

telnetSvcPort

Telnet daemon

Default = 23

ftpCtlSvcPort

FTP server control port.

Default = 21

ftpDataSvcPort

FTP server data port (passive mode)

Default = 20

proxySvcPort

Forwarded iServer connections. Must always match transportPort=21800

Default = 21800

defaultHostPermissions

This setting provides control over which services the iTivity iManager user can access on this iAgent system via iTivity. Each individual service is controlled via a bit flag in this integer. (See the Examples below.)

The iManager user must first authenticate with the iAgent system before being allowed to access any services. After authentication (and the authorization check), the remote user is subject to the permission restrictions listed in the table. A Status of N/A indicates that the service is not available in the UNIX/Linux Unattended iAgent.

Decimal Value   Status     Description

      1         required   Command Protocol
      2         optional   View desktop permission
      4         N/A        Control desktop permission
      8         optional   Telnet permission
     16         optional   FTP permission
     32         required   Proxy permission
     64         N/A        Chat permission
    128         optional   TTY remote control permission
    256         optional   TTY listing permission
   1024         N/A        Desktop sharing

The default allows access to all supported iTivity services (after the remote user authenticates and passes the authorization check). Note that 65535 sets every bit, including bits the table does not define; to grant only the services listed as available on UNIX/Linux, use the sum of the defined non-N/A values (1 + 2 + 8 + 16 + 32 + 128 + 256 = 443).

Default = 65535

Examples

For FTP access only, use a value of 1 + 16 = 17, since the command protocol is required and the FTP permission has a value of 16.

For telnet access only, use a value of 1 + 8 = 9. 

For TTY Listing and TTY remote control only, use a value of 1 + 128 + 256 = 385
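
To work with the bit mask instead of doing the arithmetic by hand, the following Python snippet is an added example (not part of iTivity) that encodes the table above, decodes a configured value back to service names, and reports what a reviewer would check: required bits that are missing, N/A bits that are set, and bits the table does not define. The service names are this example's own labels for the table rows. Note that the table marks the proxy bit (32) as required while the three worked examples above omit it; the audit reports that so you can confirm the value you need with Tridia.

```python
"""Encode, decode and audit defaultHostPermissions values (Section 8.4.1).
Added example, not part of iTivity; the service names are this example's own
labels for the rows of the permissions table."""

# Bit flags from the defaultHostPermissions table
PERMISSION_BITS = {
    "command": 1,             # Command Protocol (required)
    "view": 2,                # View desktop
    "control": 4,             # Control desktop (N/A on UNIX/Linux)
    "telnet": 8,              # Telnet
    "ftp": 16,                # FTP
    "proxy": 32,              # Proxy (required)
    "chat": 64,               # Chat (N/A on UNIX/Linux)
    "tty_control": 128,       # TTY remote control
    "tty_list": 256,          # TTY listing
    "desktop_sharing": 1024,  # Desktop sharing (N/A on UNIX/Linux)
}
REQUIRED = ("command", "proxy")
NOT_AVAILABLE = ("control", "chat", "desktop_sharing")
ALL_DEFINED = sum(PERMISSION_BITS.values())   # 1535: every bit the table defines


def permissions_value(*names):
    """OR together the flags for the named services (unknown names raise KeyError)."""
    value = 0
    for name in names:
        value |= PERMISSION_BITS[name]
    return value


def decode_permissions(value):
    """Return (granted service names, bits set that the table does not define)."""
    granted = [name for name, bit in PERMISSION_BITS.items() if value & bit]
    undefined = value & ~ALL_DEFINED
    return granted, undefined


def audit_permissions(value):
    """Findings for a configured value: required bits missing, N/A services
    granted (harmless today, but they would be granted if ever supported), and
    bits the table does not define."""
    granted, undefined = decode_permissions(value)
    findings = []
    for name in REQUIRED:
        if name not in granted:
            findings.append(f"required bit missing: {name} ({PERMISSION_BITS[name]})")
    for name in NOT_AVAILABLE:
        if name in granted:
            findings.append(f"N/A service granted: {name} ({PERMISSION_BITS[name]})")
    if undefined:
        findings.append(f"undefined bits set: {undefined}")
    return findings


# Tightest value that still allows every service the UNIX/Linux iAgent supports
SUPPORTED_ONLY = permissions_value(
    "command", "view", "telnet", "ftp", "proxy", "tty_control", "tty_list"
)

if __name__ == "__main__":
    for value in (17, 9, 385, SUPPORTED_ONLY, 65535):
        granted, _ = decode_permissions(value)
        print(value, granted, audit_permissions(value))
```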

Connector_debugMode

Enables debugging output in the connector daemons. A setting of zero ("0") disables output. As the mode number increases from one ("1") to twelve ("12"), more and more information is written to the log file. This option should be disabled in production systems, unless instructed otherwise by Tridia staff.

Default = 0.

PROCESSOR OPTIONS

 

permissionGroup

authscheme

These settings control the authentication required of iTivity iManager users to view and control the Unattended iAgent system.

The authscheme setting controls how the Unattended iAgent authenticates. The default, "passwd", requires the remote user to have an account in the native /etc/passwd database. The other currently valid setting is "none", which disables authentication at the Unattended iAgent level: the iAgent then checks no credentials itself and relies entirely on the iServer's authentication. Use it only in environments where the iTivity iServer is trusted and its authentication is deemed sufficient. Other authscheme values are reserved for future use.

The permissionGroup setting specifies the name of the user group whose members may view and access this system via the Unattended iAgent. To grant an iTivity iManager user access, add the user to this group; to revoke access, remove the user's ID from the group. A user in this group must log in with username and password before viewing this system through iTivity iManager.

Defaults:
permissionGroup = iadmauth
authscheme = passwd


 

logonSysLogMask

logoffSysLogMask

These flags control whether it is recorded in the syslog each time a user of iTivity iManager logs on and logs off of the iAgent system. Setting the flags to 1 (one) enables logging and provides an audit log of authentication. Setting the flags to 0 (zero) disables logging.

Syslog facility and priority:  iTivity.authpriv

logonSysLogMask - Log iTivity iManager user logon (succeed or fail). Default = 1.

logoffSysLogMask - Log iManager user logoff (disconnect). Default = 1.

connectPort

connectHost

connectTimeout

These settings specify the TCP network interface and port on which the processor daemon listens for new Unattended iAgent authentication connections. These connections are internal to the Unattended iAgent and generally use localhost.

The connectPort value must always match the value of commandSvcPort.

The connectTimeout value specifies the socket timeout for processor connections in milliseconds.

Caution: Tridia strongly recommends that you do not change these settings.

Defaults:
connectPort=6800
connectHost=127.0.0.1
connectTimeout=45000

Processor_debugMode

Enables debugging output in the processor daemon. The default setting of 0 (zero) disables output. As the number increases from 1 to 12, more and more information is written to the log file. This option should be disabled unless instructed otherwise by Tridia staff.

Default: 0 (disabled)

ITIVITY WEBTUNNEL SETTINGS

These settings can be used to configure network applications that will be added to the iTivity WebTunnel scan list for this iAgent. For more information on WebTunnel, see Section 1.5.1, Configuring iTivity WebTunnel.

customAppScan_X

Declares services or applications local to the iAgent that will be scanned by the iAgent for the purpose of application tunneling using iTivity WebTunnel. You can configure custom TCP network based services or applications specific to your environment. 

customAppScan definitions are indexed by a sequential number. You can configure multiple applications as long as you increment the index for each one.

Example:  customAppScan_1, customAppScan_2,…

Tunneling of a custom application can be disabled by commenting out its customAppScan_X definition in the iAgent.conf file and reloading the iAgent configuration settings (see Section 8.4.2).

port

Declares the TCP port number of the local iAgent service or application. If the iAgent detects a daemon or service listening on that port, it reports the service or application as accessible to a connected iManager. The port value must be between 1 and 65535. This is a required setting for an enabled customAppScan definition.

protocol

Declares the protocol used by the local iAgent service or application.  Supported protocols include:

http, https, telnet, vnc, rdp

For web applications, the protocol should be either "http" or "https". This is a required setting for an enabled customAppScan definition.

appname

Declares the user readable display name of the service or application to be tunneled. The name should have a clear meaning to an iManager user. This setting is not required but is highly recommended.

session

Some operating systems have platform specific session labels.  This setting should declare the session in which the application or service is running, if any. 

Typical session names include "tty0", "pts/4", ":4", "tcp", "#7", etc. This setting is optional.

path

Specifies the path to the default page or landing page for the application. Typically used for web/http applications. This configuration setting is optional.

PROXY SERVER SETTINGS

These settings can be used to configure the Unattended iAgent to connect to the iServer through a proxy server running the SOCKS v5 protocol.

socksMode

One of the following iTivity modes, which defines when the iAgent uses a proxy server to connect:

1  -  Disable.  Only connect to iServer directly, no proxy server used.

2  - Require. Only connect to iServer via proxy, no direct connect.

3  - Fallback. If direct connection fails, then attempt the proxy connection.

4  - Override. If the proxy connection fails, then attempt the direct connection.

socksHost

DNS name of the Proxy Server

socksPort

Port used to connect to the Proxy Server

socksUser

User name used to log in to the proxy server.

socksPwd

Password used to log in to the proxy server. Because it is stored in plain text in iAgent.conf, restrict read access to that file to root.

8.4.2 Changing a Configuration

You can change configuration options without stopping and restarting the Unattended iAgent software, and without losing current connections.

To reload the settings of a running Unattended iAgent, run the following script:

/usr/lib/iTivity/iServer/iagent_config_reload

8.5  UNIX/Linux Unattended iAgent Commands

Administrators can use the programs explained in this section to display information about the Unattended iAgent and control its operation. 

iagent_downall

This command stops execution of the Unattended iAgent by stopping all daemons.

iagent_version

This command displays version information for the currently installed Unattended iAgent.

install_daemon

This command installs the scripts that launch the Unattended iAgent at boot time.

rc_iagent_daemon

This script starts the Unattended iAgent at system startup.

remove-iagent

This program removes the Unattended iAgent files from the system.

start_iagent

This program can be used to manually start the Unattended iAgent.

stop_iagent

This program can be used to manually stop the Unattended iAgent.

8.6 Installing the Secure Dial (igetty) iAgent

The Secure Dial (igetty) iAgent is installed on a Linux or UNIX system if you want to connect to that system through the iTivity secure dial feature. The installation process is very similar to installing the Unattended iAgent.

For more information on secure dial, see Section 4.1.2.2, Add Secure Dial Site.

Available Versions

The igetty iAgent is named for the UNIX getty utility and is available for these UNIX versions:

·         Linux, Red Hat versions RH 9.0 through RH ES 3.x / 4.x Intel

·         AIX versions 4.3.1, 4.3.2, 4.3.3, 5.1, 5.2, 5.3

·         SCO versions 3.2.5.04 through 3.2.5.07

·         HP-UX 11.00/11.11 32 and 64 bit systems

Installation

Follow these steps to download and install the Secure Dial (igetty) iAgent. The iAgent distribution is available in a .tar file on the Tridia ftp site. The filename depends on which version you are installing. Contact Tridia Support for the filename and FTP location.

1.       Download the distribution .tar file from the Tridia FTP site. Save the file to the /tmp directory on the target Linux or UNIX system.

2.       If not logged in as root, su to root.

3.       Change to the /tmp directory
cd /tmp

4.       Run
tar -xvf <filename>

Where <filename> is the name of the distribution .tar file.

5.       Run
install-igetty

6.       Choose the installation directory for igetty. Default is /usr/lib/iTivity/igetty

7.       Add the tty device when prompted. Enter the device name of the modem you will be securing with secure dial. 

Example: /dev/ttyS0

8.       Important: The SecureFile.Key created in the iServer's itivity_data directory must be copied to the Linux or UNIX system. This is the shared secret that the iServer and the igetty iAgent must both hold; without it, connections are refused. Copy it over a channel you already trust and keep it readable only by root.

Copy the SecureFile.Key to the following directory on the Linux or UNIX system:

/usr/lib/iTivity/igetty/itivity_data

Installation is now complete.


 


Copyright © 2004 - 2009, Tridia Corporation
Copyright and License Information
