Important This documentation space contains information about PATROL Agents when deployed in a TrueSight Operations Management environment. If you are a BMC Helix Operations Management user, see PATROL Agent 22.4 for BMC Helix Operations Management.

Security planning


This topic describes the security considerations that apply to a PATROL Agent and helps you plan its installation.

Access control list

The Access Control List (ACL) maintains the list of users who are authorized to connect to an Agent, the modes in which they can connect, and the hosts from which they can connect.

An Agent configuration variable defines the ACL. The ACL configuration variable is described in Defining Access Control Lists. For information about setting up an ACL, see Controlling access to the Agent.

Security certificate options

From version 22.3.01, the default mode of communication between PATROL Agent and Integration Services is TLS v1.2.

When you create a deployable package, the following security levels are available:

  • No Certificate Validation (default)
  • Certificate Validation

The following sections list the actions that are performed and the resulting contents of the security key access file when you select each option.

No Certificate Validation (default)

Actions performed:

  • ./executetlscommand.sh /opt/bmc/ 0
  • ./set_unset_tls.sh $1 SET_TLS 2

The data in the security key access file:

cat /opt/bmc/common/security/keys/access

[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = none

[SSL_CLIENT]
NSS_DB_HOME = none

Certificate Validation

Actions performed:

  • ./executetlscommand.sh /opt/bmc/ 1
  • ./set_unset_tls.sh $1 SET_TLS 2 -serverDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_server" -clientDbPath "$1/common/security/config_v3.0/demo_certs/nss/demo_client" -identity "PatrolServer - BMC"

The data in the security key access file:

cat /opt/bmc/common/security/keys/access

[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_server

[SSL_CLIENT]
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_client

Important

If you have installed PATROL Agent with custom certificates, they are retained and validated as per the security option that you select while upgrading.

To change the security certificate options, see Changing the security certificate configuration options.

Tips

TLS 1.2 without certificate validation is the equivalent of the previously available security level 2.

TLS 1.2 with certificate validation is the equivalent of the previously available security level 3.
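To check which of the two security options an installed Agent is actually running with, the security key access file shown above can be audited directly. The following script is an added example, not part of the BMC documentation or product; it assumes the access file is INI-style with ';' comment lines, that NSS_DB_HOME = none means no certificate validation (level 2) and a database path on both sides means certificate validation (level 3), and that ALLOW_ACL is a comma-separated list of user@host patterns. The two sample files are constructed from the page's own listings.

```python
"""Audit a PATROL Agent security key access file (common/security/keys/access)."""
import configparser

# Constructed samples: the two access-file variants shown in the documentation.
NO_VALIDATION = """[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = none

[SSL_CLIENT]
NSS_DB_HOME = none
"""

WITH_VALIDATION = """[SSL_SERVER]
;
ALLOW_ACL = *@bmc.com,*@abc.COM
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_server

[SSL_CLIENT]
NSS_DB_HOME = sql:/opt/bmc//common/security/config_v3.0/demo_certs/nss/demo_client
"""


def parse_access(text):
    # Assumption: INI syntax, '=' as the only delimiter (values contain ':'),
    # ';' starts a comment line. Key case is kept as written in the file.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(text):
    """Return the effective security level, per-side validation state and ACL findings."""
    cp = parse_access(text)
    result = {"demo_certs": False}
    validating = []
    for side in ("SSL_SERVER", "SSL_CLIENT"):
        db = cp.get(side, "NSS_DB_HOME", fallback="none").strip()
        validates = db.lower() != "none"
        validating.append(validates)
        result[side] = "certificate validation" if validates else "no certificate validation"
        # The documented paths point at demo_certs; flag them so they are not left in production.
        if validates and "demo_certs" in db:
            result["demo_certs"] = True
    result["level"] = 3 if all(validating) else 2  # mapping from the Tips section
    acl = [e.strip() for e in cp.get("SSL_SERVER", "ALLOW_ACL", fallback="").split(",")]
    result["acl"] = [e for e in acl if e]
    # Assumption: a bare wildcard entry admits any user from any host.
    result["acl_warnings"] = [e for e in result["acl"] if e in ("*", "*@*")]
    return result
```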

PATROL access control

Control the PATROL Agent access by setting up definitions in the patrol.conf file. For more information, see Securing PATROL Agent by using pconfig clients.

Application accounts

Enable PATROL Agent to use separate accounts for individual applications and instances. You can associate accounts with commands. For more information, see Establishing accounts and ports.

User accounts

The default PATROL account is stored in the defaultAccount variable in the Agent configuration file. The Agent cannot discover applications and attributes without a valid user name.

For more information, see Default ownership and permissions for files.

Ownership and permissions

The PATROL_HOME/log and PATROL_HOME/config directories are created when the PATROL Agent process runs for the first time, and the ownership and permissions of the PATROL Agent log and configuration directories are set at that time. If the PATROL_Admin environment variable is set, that user is the owner of these directories. If the variable is not set, the PATROL default user is the owner.

For more information, see Default ownership and permissions for files.

The following table lists the default owners and permissions of the PATROL Agent log and config directories: