Important

This documentation space contains information about PATROL Agents when deployed in a TrueSight Operations Management environment. If you are a BMC Helix Operations Management user, see PATROL Agent 22.4 for BMC Helix Operations Management.

Security planning

This topic describes the security considerations that help you plan a PATROL Agent installation.

Access control list

The Access Control List (ACL) maintains the list of users who are authorized to connect to an Agent, the modes in which they may connect, and the hosts from which they may connect.

An Agent configuration variable defines the ACL. The ACL configuration variable is described in Defining Access Control Lists. For information about setting up an ACL, see Controlling access to the Agent.

Security certificate options

From version 22.3.01, the default mode of communication between PATROL Agent and Integration Services is TLS v1.2.

When you create a deployable package, the following security levels are available:

  • No Certificate Validation (default)
  • Certificate Validation

For each option, the following lists the actions performed when you select it and the resulting contents of the security key access file:

No Certificate Validation (default)

  Actions performed:
  • ./executetlscommand.sh /opt/bmc/ 0
  • ./set_unset_tls.sh $1 SET_TLS 2

  The data in the security key access file:

  cat /opt/bmc/common/security/keys/access

  [SSL_SERVER]
  ;
  ALLOW_ACL = *@bmc.com,*@abc.COM
  NSS_DB_HOME = none

  [SSL_CLIENT]
  NSS_DB_HOME = none

Certificate Validation

  Actions performed:
  • ./executetlscommand.sh /opt/bmc/ 1
  • ./set_unset_tls.sh $1 SET_TLS 2 -serverDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_server" -clientDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_client" -identity "PatrolServer - BMC"

  The data in the security key access file:

  cat /opt/bmc/common/security/keys/access

  [SSL_SERVER]
  ;
  ALLOW_ACL = *@bmc.com,*@abc.COM
  NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_server

  [SSL_CLIENT]
  NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_client

Important

If you have installed PATROL Agent with custom certificates, they are retained and validated as per the security option that you select while upgrading.

To change the security certificate options, see Changing the security certificate configuration options.

Tips

TLS 1.2 without certificate validation is equivalent to the previously available security level 2.

TLS 1.2 with certificate validation is equivalent to the previously available security level 3.
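The security key access file shown above is what an operator audits to confirm which of the two options an Agent actually runs with. The following POSIX shell script is an added example, not BMC's own tooling: it parses a constructed copy of that file (same format as above, a real one lives under the installation directory at common/security/keys/access), reports per section whether an NSS database is configured (certificate validation) or NSS_DB_HOME is none (no validation), and counts wildcard entries in ALLOW_ACL.

```shell
#!/bin/sh
# Added example (not BMC's own tooling): classify each section of a PATROL
# security key access file as "validation" (NSS_DB_HOME points at an NSS
# database) or "no-validation" (NSS_DB_HOME = none or absent).

# Constructed sample in the format shown above; a real file lives at
# <install dir>/common/security/keys/access.
SAMPLE_ACCESS=$(mktemp)
cat > "$SAMPLE_ACCESS" <<'EOF'
[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = none
[SSL_CLIENT]
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_client
EOF

# Print the value of KEY inside [SECTION]; lines starting with ';' are comments.
access_get() {  # file section key
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*;/ { next }
        /^\[/ { insec = ($0 == sec); next }
        insec {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, "")
                gsub(/[ \t]+$/, "")
                print; exit
            }
        }' "$1"
}

# "validation" when an NSS database is configured for the section,
# "no-validation" when NSS_DB_HOME is none or missing.
access_mode() {  # file section
    db=$(access_get "$1" "$2" NSS_DB_HOME)
    case "$db" in
        ""|none) echo no-validation ;;
        *)       echo validation ;;
    esac
}

# Number of ALLOW_ACL entries that begin with '*' (wildcard user or host).
acl_wildcards() {  # file section
    access_get "$1" "$2" ALLOW_ACL | tr ',' '\n' | grep -c '^\*' || true
}

access_mode "$SAMPLE_ACCESS" SSL_SERVER   # prints no-validation
```

A server section reporting no-validation on an Agent that is expected to run at the old security level 3 is the misconfiguration this check is meant to surface.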

PATROL access control

Control access to the PATROL Agent by setting up definitions in the patrol.conf file. For more information, see Securing PATROL Agent by using pconfig clients.

Application accounts

Enable the PATROL Agent to use separate accounts for individual applications and instances. You can associate accounts with commands. For more information, see Establishing accounts and ports.

User accounts

The default PATROL account is stored in the defaultAccount variable in the Agent configuration file. The Agent cannot discover applications and attributes without a valid user name.

For more information, see Default ownership and permissions for files.

Ownership and permissions

The PATROL_HOME/log and PATROL_HOME/config directories are created when the PATROL Agent process runs for the first time, and the ownership and permissions of the PATROL Agent log and configuration directories are set at that time. If the PATROL_Admin environment variable is set, that user is the owner of these directories. If the variable is not set, the PATROL default user is the owner.

For more information, see Default ownership and permissions for files.

The following table lists the owner and permissions of the PATROL Agent log, bin, and config directories:

Directory   Owner (Windows)                                       Owner (UNIX)     Permissions (Windows)   Permissions (UNIX)
log         SYSTEM, Administrators Group, defaultAccount, Users   defaultAccount   Full Control            0755
bin         SYSTEM, Administrators Group, defaultAccount, Users   defaultAccount   Full Control            0755
config      SYSTEM, Administrators Group, defaultAccount, Users   defaultAccount   Full Control            0755

The following table lists the default owners and permissions of the files in the log and config directories:

File name                                  Owner (Windows)                                      Owner (UNIX)     Permissions (Windows)   Permissions (UNIX)
config/config_<host>-<port>                SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
log/PatrolAgent_<host>-<port>_.errs        SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
log/history/<host>/<port>/dir              SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
log/history/<host>/<port>/annotate.dat     SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
log/history/<host>/<port>/param.hist       SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
log/PEM_<host>-<port>.log                  SYSTEM, Administrators, /AgentSetup/defaultAccount   defaultAccount   Change                  0644
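The two tables above give the UNIX modes an administrator should expect to find after first start; a drift check against them is a routine hardening step. The following POSIX shell script is an added example, not BMC's own tooling: it audits a PATROL_HOME tree for the 0755 directories and 0644 files listed above. The host name host1 and port 3181 are constructed sample values, and the tree it builds is a throwaway sandbox with one deliberately wrong mode so the check has something to flag.

```shell
#!/bin/sh
# Added example (not BMC's own tooling): audit a PATROL_HOME tree against the
# UNIX ownership-table defaults above (directories 0755, files 0644). Prints
# one line per entry and returns non-zero if any mode deviates.

# Exact-mode test in portable find: prints the path only when the mode matches.
has_mode() {  # path octal-mode
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Check the log, bin and config directories and the per-instance files named
# in the tables for the given host/port. Layout is assumed to follow the tables.
audit_patrol_perms() {  # patrol_home host port
    home=$1 host=$2 port=$3 bad=0
    for d in log bin config; do
        if has_mode "$home/$d" 0755; then echo "ok   $d"; else echo "BAD  $d"; bad=1; fi
    done
    for f in "config/config_${host}-${port}" \
             "log/PatrolAgent_${host}-${port}_.errs" \
             "log/history/${host}/${port}/annotate.dat" \
             "log/history/${host}/${port}/param.hist" \
             "log/PEM_${host}-${port}.log"; do
        [ -e "$home/$f" ] || { echo "MISSING $f"; continue; }
        if has_mode "$home/$f" 0644; then echo "ok   $f"; else echo "BAD  $f"; bad=1; fi
    done
    return $bad
}

# Constructed sandbox that mimics a PATROL_HOME (host1, port 3181 are sample values).
DEMO_HOME=$(mktemp -d)
mkdir -p "$DEMO_HOME/log/history/host1/3181" "$DEMO_HOME/bin" "$DEMO_HOME/config"
chmod 0755 "$DEMO_HOME/log" "$DEMO_HOME/bin" "$DEMO_HOME/config"
for f in config/config_host1-3181 log/PatrolAgent_host1-3181_.errs \
         log/history/host1/3181/annotate.dat log/history/host1/3181/param.hist \
         log/PEM_host1-3181.log; do
    : > "$DEMO_HOME/$f"; chmod 0644 "$DEMO_HOME/$f"
done
chmod 0666 "$DEMO_HOME/config/config_host1-3181"   # world-writable config: must be flagged
audit_patrol_perms "$DEMO_HOME" host1 3181 || echo "deviations found"
```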