iTivity™ User Guide

8. Installing and Running the Unattended iAgent on Linux or UNIX

 

8.1 Capabilities of the Unattended iAgent on Linux or UNIX
8.2 UNIX/Linux System Requirements
8.3 Installing the Unattended iAgent on UNIX/Linux
8.4 Configuring the Unattended iAgent on UNIX/Linux
8.5 UNIX/Linux Unattended iAgent Commands
 

iTivity provides a UNIX/Linux version of the Unattended iAgent for remote support of UNIX/Linux systems.

This chapter explains how to install, configure and use the Unattended iAgent on UNIX or Linux.

8.1  Capabilities of the Unattended iAgent on Linux or UNIX

iTivity provides capabilities for accessing, viewing and remotely controlling Linux and UNIX computers. These capabilities are provided by the UNIX/Linux Unattended iAgent plus additional software.

Base Capabilities

When the Unattended iAgent is installed on a UNIX/Linux system, you can use iManager to remotely connect to that system via secure shell login (SSH), TELNET login, remote graphical access to the X-Windows console (VNC), standard and secure web servers (HTTP and HTTPS), file transfer (FTP) and secure file transfer (SFTP). Via the iTivity WebTunnel feature, you can connect to network applications that are accessible to the iAgent computer.

Additional Capabilities with DoubleVision Pro

If Tridia's DoubleVision Pro software is installed on the UNIX/Linux system along with the Unattended iAgent, then iManager users can also:

·         List the users (terminal sessions) that are logged in.

·         View the terminal sessions.

Note: DoubleVision Pro is sold with iTivity. The custom installers that you build from the Tridia Support site always include DoubleVision Pro as part of the install. See Appendix B for information.

8.2  UNIX/Linux System Requirements

The UNIX/Linux version of the Unattended iAgent supports the following platforms.

Software

Any of the following operating systems:

·         Red Hat Enterprise Linux 4.x/5.x/6.x

·         CentOS 4.x/5.x/6.x

·         Ubuntu 10.x/11.x/12.x/13.x

·         Oracle Enterprise Linux 5.x/6.x

·         AIX 5.1/5.2/5.3/6.1/7.1 for 32 and 64 bit systems.

·         Solaris SPARC 2.7/2.8/2.9/2.10/2.11 for 32 and 64 bit systems

·         HP-UX 11.11/11.23/11.31 for 32 and 64 bit systems

·         SCO 3.2.5/3.2.6

Hardware

·         250 MB minimum disk space

·         5 MB RAM baseline, plus 336 KB per connection to the Unattended iAgent

·         1 GHz minimum CPU

8.3  Installing the Unattended iAgent on UNIX/Linux

Use the following instructions to download and install the Unattended iAgent. Filenames and some command names vary depending on the exact version you are installing.

For information on configuring the Unattended iAgent after installation, see Section 8.4, Configuring the Unattended iAgent on UNIX/Linux.

Note: You can also build custom installation files for your Unattended iAgent. See Appendix B, Creating Custom Installers.

1.       Contact Tridia for the URL and filename to download the Unattended iAgent Linux or UNIX distribution file for your specific operating system.

Example Filename:  iagent-linux.tar

Note: Many popular Windows-based ZIP utilities do not properly extract the contents of the distribution files. Do not use them with any of the distribution files.

2.       Place the downloaded file in your home directory on the UNIX/Linux server where you want to install the Unattended iAgent.

Example: /home/username/
where username is your actual user name

3.       Log on as the root user or issue the su command.

4.       Change to the /tmp directory.

cd /tmp [Enter]

5.       To verify the presence of the distribution file, list the directory contents of your home directory:

ls -l /home/username/*.tar [Enter]
where username is your actual user name

6.       Extract the distribution (*.tar) file:

tar xvf /home/username/<filename>

Several files are extracted into /tmp, one of which is the install script. Note that /tmp is writable by every local user, so do not leave the extracted installer there longer than necessary; remove the temporary files when the installer offers to do so in step 21.

Note: At this point you can remove the distribution file by moving it to a different directory or using the rm command.

7.       Run the install Unattended iAgent script. (The exact command will depend on your version and file name.)

./install-agent [Enter]

A Welcome screen is displayed.

8.       Type y to proceed.

The License Agreement is displayed:

9.       Press the Enter (or Return) key to scroll down the license agreement or type q to jump to the end of the license agreement. Type y to accept the license agreement and proceed.

The Installation Directory screen is displayed:

10.   Press Enter to accept the default directory, or type a different directory and then press Enter.

If the specified directory does not already exist, you are prompted to confirm creating it. Type y to confirm.

The following screen appears, prompting you for the DNS name or IP address of the iServer that this iAgent will connect to:

11.   Type in the DNS name or IP address and press Enter.

The iTivity iServer Support Domain screen is displayed:

12.   If you use Support Domains, type in the name of one or more support domains that will have access to this iAgent. Separate multiple support domain names with a comma.

For more information on support domains, see the iTivity Deployment Guide.

Press Enter to continue.

The iTivity iAgent Host Registration Port screen is displayed:

13.   Change the default port if desired. Otherwise just press Enter.

The Host System Name screen is displayed. The computer host name is the default value for this setting.

14.   Enter a Name to be used to identify this computer in iTivity iManager. Then press Enter.

The Host System Name Description screen is displayed.

15.   Enter a Description to be used to identify this computer in iTivity iManager. Then press Enter.

Files are extracted and the installation proceeds.

The SSL Certificate Verification screen appears.

Note: This screen gives you the option of disabling validation of the iServer's certificate. Disable validation only on a trusted, isolated LAN, because without it the iAgent cannot detect a man-in-the-middle attack on the encrypted connection. The recommended best practice is to keep validation enabled and make the certificates match by manually copying the root certificate from the iServer to the iAgent. For example, copy

From (iServer system):
/usr/lib/iTivity/iServer/itivity_data/root.pem

To (iAgent System):
/usr/lib/iTivity/iAgent/itivity_data/root.pem

16.   Type n if you intend to copy root.pem (recommended) or y to disable certificate validation.

The iTivity iAgent Authentication and Authorization screen is displayed:

17.   Type 1, 2 or 3 to select the Authentication method that iManager users will need to view and control this iAgent computer. Then Press Enter.

If you choose PAM in Step 17, the PAM Service Installation screen is displayed:

17A.  Type y to install the PAM service.

17B. When the Installation completes, you are prompted to press Return (Enter) to continue.

18.   The following screen appears, allowing you to specify whether you want the Unattended iAgent to start at system startup.

Note: You can also start the Unattended iAgent from the command line. See Section 8.5, UNIX/Linux Unattended iAgent Commands.

19.   Type y to start the daemon at boot time or n to cancel this option.

The installation proceeds. You are prompted whether or not to start the iAgent after the installation is finished.

20.   Type y or n, then press Enter.

The installation proceeds. You are prompted to specify whether or not to remove temporary installation files.

21.   Type y to confirm or n to cancel.

If you typed y, the files are removed. You are prompted to press Return (Enter) to continue.

The installation is now complete.

8.4  Configuring the Unattended iAgent on UNIX/Linux

8.4.1 Editing the iAgent.conf File

For the UNIX/Linux version of the Unattended iAgent, all configuration settings are controlled by an ASCII text file called iAgent.conf, which is placed in the /etc/iTivity/ directory on the Linux or UNIX computer.   

You can change the settings by opening the file in any text editor. The following table describes the settings in the file.

COMMON OPTIONS

 

Programdir

Specifies the directory in which the Unattended iAgent is installed.  This setting is automatically configured by the Installation program.

Default: /usr/lib/iTivity/iAgent

dataDir

Specifies the directory where the Unattended iAgent stores information between program invocations. This information includes encryption keys and other data used internally.

Default: /usr/lib/iTivity/iAgent/itivity_data

vnchostname

vnchostdesc

The iAgent name and Description as listed in iTivity iManager for this Unattended iAgent.

The default vnchostname is the UNIX/Linux machine name. The vnchostdesc can be entered during the Installation procedure.

CONNECTOR
OPTIONS

 

randomFile

keyFile

caFile

 

These settings specify the names and locations of three files used for encryption: random.dat (random data), keys.pem (the iAgent's own keys) and root.pem (the CA certificate used to verify the iServer). The Unattended iAgent generates default versions of these files the first time it runs. There is no need to change these settings unless the default files in the dataDir directory are not acceptable. Because keys.pem holds the iAgent's keys, keep it and the dataDir directory readable by root only.

Defaults:

randomFile=/usr/lib/iTivity/iAgent/itivity_data/random.dat

keyFile=/usr/lib/iTivity/iAgent/itivity_data/keys.pem

caFile=/usr/lib/iTivity/iAgent/itivity_data/root.pem

autoAcceptAllCerts

This flag enables or disables verification of the certificate the iServer presents when the encrypted connection is set up.

Setting the value to 1 makes the iAgent accept any certificate, so a change of certificate on the iServer no longer blocks access.

Caution: Enabling this function prevents iTivity from detecting a man-in-the-middle attack on the encrypted connection.

The recommended practice is to copy the "root.pem" file from your iServer to the iAgent system. For example,

From:
iServerSystem:/usr/lib/iTivity/iServer/itivity_data/root.pem

To:
AgentSystem:/usr/lib/iTivity/iAgent/itivity_data/root.pem

Once root.pem has been copied from the iServer, the iServer's certificate is trusted because it matches that file, and autoAcceptAllCerts can remain 0, which is the more secure configuration.

Default: autoAcceptAllCerts=0
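Copying root.pem (install step 16 and the autoAcceptAllCerts setting above) only helps if the file that arrives on the iAgent is the one that left the iServer. The script below is an added example, not part of iTivity or this guide: it computes the SHA-256 fingerprint of each CERTIFICATE block in a PEM file (the same value `openssl x509 -noout -fingerprint -sha256` prints, which is a hash over the DER bytes) so the fingerprint recorded on the iServer can be compared against the copied file before the iAgent is started. The sample PEM embedded in it is constructed from placeholder bytes and is not a real certificate; the file paths in the usage note are the defaults from this section.

```python
import base64
import hashlib
import re
from typing import List

# Matches every "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block,
# so a root.pem that carries a small chain yields one fingerprint per certificate.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der_blocks(pem_text: str) -> List[bytes]:
    """Return the DER bytes of each CERTIFICATE block in a PEM file."""
    blocks = []
    for body in _PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        blocks.append(base64.b64decode(b64, validate=True))
    return blocks


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprints(pem_text: str) -> List[str]:
    """One fingerprint per certificate found in the PEM text, in file order."""
    return [der_fingerprint(der) for der in pem_to_der_blocks(pem_text)]


def root_pem_matches(agent_pem_text: str, expected_fingerprint: str) -> bool:
    """True if the copied root.pem contains the certificate whose SHA-256
    fingerprint was recorded on the iServer (colons and case are ignored)."""
    want = expected_fingerprint.replace(":", "").lower()
    have = {fp.replace(":", "").lower() for fp in pem_fingerprints(agent_pem_text)}
    return want in have


def build_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: NOT a real certificate, only placeholder bytes standing in
# for the DER so the flow can be exercised offline.
SAMPLE_DER = b"constructed sample bytes standing in for the iServer root certificate"
SAMPLE_ROOT_PEM = build_pem(SAMPLE_DER)
TAMPERED_ROOT_PEM = build_pem(SAMPLE_DER + b"!")  # one byte changed in transit

if __name__ == "__main__":
    fp = pem_fingerprints(SAMPLE_ROOT_PEM)[0]
    print("iServer root.pem fingerprint:", fp)
    print("copied file matches:", root_pem_matches(SAMPLE_ROOT_PEM, fp))
    print("tampered file matches:", root_pem_matches(TAMPERED_ROOT_PEM, fp))
```

In practice, record the fingerprint on the iServer with `openssl x509 -in /usr/lib/iTivity/iServer/itivity_data/root.pem -noout -fingerprint -sha256`, transfer root.pem to the iAgent by a channel you control (scp, not the still-unverified iTivity connection), and then call `root_pem_matches(open("/usr/lib/iTivity/iAgent/itivity_data/root.pem").read(), recorded_fingerprint)` on the iAgent; only if it returns True should autoAcceptAllCerts stay at 0 and the iAgent be started.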

Log File Flags

The following options control which events are written to the Syslog. A value of 1 (one) enables logging and a value of 0 (zero) disables logging.

Syslog facility and priority: iTivity.daemon 

connectSysLogMask

Arrival of an encrypted connection.  Default = 0.

disconnSysLogMask

Closing of an encrypted connection. Default = 0.

startSysLogMask

iAgent startup. Default = 1.

stopSysLogMask

iAgent shutdown. Default = 1.

allowSysLogMask

Granting of user permission by the iAgent. Default = 0

sshServiceSysLogMask

Initiation of an SSH session with the iAgent. Default = 0

telnetServiceSysLogMask

Initiation of a TELNET session with the iAgent. Default = 0

ftpServiceSysLogMask

Granting of FTP access by the iAgent. Default = 0

chatServiceSysLogMask

Granting of Chat access by the iAgent. Default = 0

termRCServiceSysLogMask

Granting of terminal remote control at the iAgent via DoubleVision Pro. Default = 0

TCP Connection

These settings control the TCP connection ports and interface of the Unattended iAgent.

transportPort

Must always match proxySvcPort=21800. Default = 21800

iasServerPort

The port for iServer connections. Default = 23800.

iasServerHost

DNS name or IP address of the iServer.

Note: You must set this value for the iAgent to connect to an iServer.

Default: none.

Example: iserver.acme_heavy_industries.com

transportTimeout

serviceTimeout

These two settings control the timeout behavior of Unattended iAgent data connections.

transportTimeout - Timeout in milliseconds set for end-to-end or host to host network connections. Keep this value high if using the Internet or other high-latency network transport (such as satellite connections).

serviceTimeout - Timeout in milliseconds for internal or local connections between Unattended iAgent daemons. 

Defaults:

transportTimeout=90000

serviceTimeout=45000

Keep-Alive Settings

These three settings control the keep-alive behavior of Unattended iAgent data connections.

endToEndKeepAlive

Determines whether the Unattended iAgent sends keep alive packets. Not supported on all transports. Values are:

1 (one) - send packets
0 (zero) - no packets.

Default = 1.

iasVerifySessionFlag

In addition to TCP keep-alives, the Unattended iAgent can send application-level messages to confirm that the connection is still viable and to detect lost connections more reliably. Set this flag to 1 to have the session status verified when there is otherwise no network traffic; 0 disables it.

Default = 1.

iasVerifySessionTimeout

If the iasVerifySessionFlag is set to 1, this value controls how often, in seconds, the verification packets are sent.

Default = 240.

connectToIASCycleTime

connectToIASIntervalRetries

connectToIASMaxRetries

These settings control the reconnect behavior of the Unattended iAgent when the connection to the iServer fails. The default is to retry every five minutes for 24 hours and then switch to exponential (binary) backoff, in which the retry interval doubles after each failed connection attempt.

connectToIASCycleTime is the cycle time specified in milliseconds between reconnect tries during the first stage of equal intervals. Default = 300000.

connectToIASIntervalRetries is the total number of equal interval retries. Default = 288. The default works out to about 24 hours if the cycle time above is also at default.

connectToIASMaxRetries is the maximum number of retries of any kind. Assign this setting a value of -1 to allow unlimited retries. Default = -1.

disableSessionDNSLookup

Prevents DNS lookups for new connections to query the host name of the foreign system. This can be useful to improve performance in environments with slow DNS service. Values are:

1 (one) - prevent DNS lookup
0 (zero) - allow lookup

Default = 0.

cipherList

Specifies the list of cipher suites (OpenSSL names, colon separated) allowed for incoming connections. If you add other ciphers to the list, it is highly recommended that you keep the default setting as an option. If this Unattended iAgent connects to an iServer or is contacted by an iManager and there is no mutually acceptable cipher, the connection fails.

For a different cipher to be used, it must also be allowed by the cipherList of the iServer. The recommended best practice is to set the same cipherList on all iTivity systems.

Supported OpenSSL ciphers are listed below. Note that the export-grade (EXP*), RC4, RC2, single-DES and MD5-based suites are cryptographically broken and IDEA is obsolete; do not enable them. DES-CBC3 (3DES) is a legacy 64-bit-block cipher and should be dropped from the list where the iServer also supports the AES suites.

DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA
IDEA-CBC-SHA:IDEA-CBC-MD5
RC2-CBC-MD5
DHE-DSS-RC4-SHA
RC4-SHA:RC4-MD5:RC4-64-MD5
EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA
DES-CBC-SHA:DES-CBC-MD5
EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Default: cipherList=AES128-SHA:DES-CBC3-SHA

 

 

Connector Port Number

These settings provide the ability to control the port number on which the Connector will attempt to find the local service daemons. Local service daemons listen on the localhost interface and provide local, unencrypted access to services.

commandSvcPort

Remote control authorization and commands. Must always match connectPort=6800

Default = 6800

rfbSvcPort

Unencrypted, raw VNC data

Default = 5900

telnetSvcPort

Telnet daemon

Default = 23

ftpCtlSvcPort

FTP server control port.

Default = 21

ftpDataSvcPort

FTP server data port (passive mode)

Default = 20

proxySvcPort

Forwarded iServer connections. Must always match transportPort=21800

Default = 21800

defaultHostPermissions

This setting controls which services an iTivity iManager user can access on this iAgent system via iTivity. Each service is controlled by one bit flag in this integer; the value you set is the sum of the flags you want to grant (see the Examples below).

The iManager user must first authenticate with the iAgent system before being allowed to access any service. After authentication (and the authorization check), the remote user is subject to the permission restrictions listed in the table. A Status of N/A indicates that the service is not available in the UNIX/Linux Unattended iAgent.

Decimal value   Status     Description

      1         required   Command Protocol
      2         optional   View desktop permission
      4         N/A        Control desktop permission
      8         optional   Telnet permission
     16         optional   FTP permission
     32         required   Proxy permission
     64         N/A        Chat permission
    128         optional   TTY remote control permission
    256         optional   TTY listing permission
    512         N/A        RDP permission
   1024         N/A        Desktop sharing
   2048         optional   Dynamic tunnel permission
   4096         optional   SSH permission

The default is to allow access to all supported iTivity services (after the remote user authenticates and passes the authorization check). Because the required flags 1 and 32 must be present in every value, the smallest useful value is 33.

Default = 65535

Examples

For FTP access only, use a value of 1 + 16 = 17, since the command protocol is required and the FTP permission has a value of 16.

For telnet access only, use a value of 1 + 8 = 9. 

For TTY Listing and TTY remote control only, use a value of 1 + 128 + 256 = 385

PROXY SERVER
SETTINGS

These settings can be used to configure the Unattended iAgent to connect to the iServer through a proxy server running the HTTP or SOCKS v5 protocol.

socksMode

One of the following iTivity modes used to define when the iAgent uses a Proxy Server to connect:

1  -  Disable.  Only connect to iServer directly, no proxy server used.

2  - Require. Only connect to iServer via proxy, no direct connect.

3  - Fallback. If direct connection fails, then attempt the proxy connection.

4  - Override. If the proxy connection fails, then attempt the direct connection.

socksHost

DNS name of the Proxy Server

socksPort

Port used to connect to the Proxy Server

socksUser

User name used for secure login to the Proxy Server.

socksPwd

Password used for secure login to the Proxy Server.

hProxyMode

One of the following iTivity modes used to define when the iAgent uses a Proxy Server to connect:

1  -  Disable.  Only connect to iServer directly, no proxy server used.

2  - Require. Only connect to iServer via proxy, no direct connect.

3  - Fallback. If direct connection fails, then attempt the proxy connection.

4  - Override. If the proxy connection fails, then attempt the direct connection.

hProxyHost

DNS name of the Proxy Server

hProxyPort

Port used to connect to the Proxy Server

hProxyUser

User name used for secure login to the Proxy Server.

hProxyPwd

Password used for secure login to the Proxy Server.

Note: socksPwd and hProxyPwd are stored in clear text in iAgent.conf. Restrict read access to the file to root, and use a proxy account that has no rights beyond relaying the iAgent's connection.

debugMode

Enables debugging output in the connector daemons. A setting of zero ("0") disables output. As the mode number increases from one ("1") to twelve ("12"), more and more information is written to the log file. This option should be disabled in production systems, unless instructed otherwise by Tridia staff.

Default = 0.

PROCESSOR
OPTIONS

 

permissionGroup

authscheme

These settings control the authentication required of iTivity iManager users to view and control the Unattended iAgent system.

The authscheme setting controls how the Unattended iAgent authenticates iManager users. The default setting is "passwd", which requires that the remote user have an account in the native /etc/passwd database. The other currently valid setting is "none", which disables authentication at the Unattended iAgent level. This is useful only in environments where the iTivity iServer is trusted and its authentication is deemed sufficient; with "none", the iAgent does not verify the user's password itself, so access to this system depends on the iServer's authentication being sound. Other authscheme values are reserved for future use.

The permissionGroup setting specifies the name of the user group whose members may view and access this system via the Unattended iAgent. To grant an iTivity iManager user access, add the user to this group; to revoke access to this iAgent, remove the user ID from the group. A user in this group must log in with a username and password before viewing this system through iTivity iManager.

Defaults:
permissionGroup = iadmauth
authscheme = passwd

 

 

logonSysLogMask

logoffSysLogMask

These flags control whether it is recorded in the syslog each time a user of iTivity iManager logs on and logs off of the iAgent system. Setting the flags to 1 (one) enables logging and provides an audit log of authentication. Setting the flags to 0 (zero) disables logging.

Syslog facility and priority:  iTivity.authpriv

logonSysLogMask - Log iTivity iManager user logon (succeed or fail). Default = 1.

logoffSysLogMask - Log iManager user logoff (disconnect). Default = 1.

connectPort

connectHost

connectTimeout

These settings specify the TCP network interface and port on which the processor daemon listens for new Unattended iAgent authentication connections. These connections are internal to the Unattended iAgent and generally use localhost.

The connectPort value must always match the value of commandSvcPort.

The connectTimeout value specifies the socket timeout for processor connections in milliseconds.

Caution: Tridia strongly recommends that you do not change these settings.

Defaults:
connectPort=6800
connectHost=127.0.0.1
connectTimeout=45000

supportDomain

A comma separated list of support domain names which are authorized to access this iAgent system. See the iTivity Deployment Guide, Section 1.3, Advanced Authentication Using Permission Groups and Support Domains for more information.

allowRemoteSettings

This flag indicates whether iManager users are allowed to update the iAgent settings remotely (via the iManager user interface). If remote reconfiguration is not needed, set it to 0 so that this file can be changed only by an administrator on the iAgent system itself.

Default: 1 (enabled)

debugMode

Enables debugging output in the processor daemon. The default setting of 0 (zero) disables output. As the number increases from 1 to 12, more and more information is written to the log file. This option should be disabled unless instructed otherwise by Tridia staff.

Default: 0 (disabled)

ITIVITY WEBTUNNEL SETTINGS

These settings can be used to configure network applications that will be added to the iTivity WebTunnel scan list for this iAgent. For more information on WebTunnel, see Section 1.5.1, Configuring iTivity WebTunnel.

customAppScan_X

Declares services or applications local to the iAgent that will be scanned by the iAgent for the purpose of application tunneling using iTivity WebTunnel. You can configure custom TCP network based services or applications specific to your environment. 

customAppScan definitions are indexed using a sequential number ordering. You can configure multiple applications as long as you increment the count. 

Example:  customAppScan_1, customAppScan_2,…

Tunneling of a custom application can be disabled by commenting out its customAppScan_X definition in the iAgent.conf file and re-loading the iAgent configuration settings.

port

Declares the TCP port number of the local iAgent service or application. If the iAgent detects a daemon or service listening on your custom port, it reports the service or application as accessible to a connected iManager. The port value must be between 1 and 65535. This is a required setting for an enabled customAppScan definition.

protocol

Declares the protocol used by the local iAgent service or application.  Supported protocols include:

http, https, telnet, vnc, rdp

For web applications, the protocol should be either "http" or "https". This is a required setting for an enabled customAppScan definition.

appname

Declares the user readable display name of the service or application to be tunneled. The name should have a clear meaning to an iManager user. This setting is not required but is highly recommended.

session

Some operating systems have platform specific session labels.  This setting should declare the session in which the application or service is running, if any. 

Typical session names include "tty0", "pts/4", ":4", "tcp" and "#7". This setting is optional.

path

Specifies the path to the default page or landing page for the application. Typically used for web/http applications. This configuration setting is optional.

8.4.2 Changing a Configuration

You can change configuration options without stopping and restarting the Unattended iAgent software. The options can be changed without losing current connections.

To reload the settings of a running Unattended iAgent, run the following script:

/usr/lib/iTivity/iAgent/iagent_config_reload

8.5  UNIX/Linux Unattended iAgent Commands

Administrators can use the programs explained in this section to display information about the Unattended iAgent and control its operation. These commands can be found in the iAgent installation directory. By default, the iAgent installation directory is: 

/usr/lib/iTivity/iAgent/

iagent_downall

This command stops execution of the Unattended iAgent by stopping all daemons.

iagent_version

This command displays version information for the currently installed Unattended iAgent.

install_daemon

This command installs the scripts that launch the Unattended iAgent at boot time.

rc_iagent_daemon

This script starts the Unattended iAgent at system startup.

remove-iagent

This program removes the Unattended iAgent files from the system.

start_iagent

This program can be used to manually start the Unattended iAgent.

stop_iagent

This program can be used to manually stop the Unattended iAgent.

 

 


Copyright © 2017 - 2023, iTivity Corporation
Copyright © 2004 - 2016, Tridia Corporation