Please refer to the Best Practices whitepaper on Remote Host (Agentless):
- http://documents.bmc.com/supportu/952/89/01/468901/468901.pdf
Some additional considerations are as follows:
- Agentless Hosts can be created only on Agent-supported operating systems, as listed in https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Control-M-9-0-22-Release-Notes/Control-M-Compatibility/
- On Unix/Linux platforms, only SSH is supported for Control-M Remote Host.
- To authenticate through SSH, Remote Host can use either a username/password or SSH keys to gain access.
- If SSH keys are used, one component of the key pair must be imported on the Remote Host machine into every account that will have jobs scheduled on that machine.
- Do read “Agentless SSH key management” in the Control-M Workload Automation Administrator Guide:
https://documents.bmc.com/supportu/9.0.21.300/en-US/Documentation/Agentless_Hosts.htm?Highlight=agentless%20ssh%20key%20management#CreatinganSSHKey
- The number of jobs that will be submitted on a given Remote Host may require tuning and configuration adjustments on the SSH server of that remote machine. Starting with Agent release 9.0.22, the infrastructure that manages Agentless execution has changed to improve the capacity for concurrent executions. Refer to the documentation for details.
- Refer to the Agent requirements and the PSR whitepaper for sizing passthrough Agents. Each Agentless job requires the same resources on the passthrough Agent as an OS job execution.
- Each job running concurrently on a given remote host can use up to two sockets. See the “Remote Hosts” section of the Control-M Workload Automation Administrator Guide for details.
- If Remote Agent utilities are used, the firewall must be configured to allow the utilities to report back to the Control-M/Agent.
- The Control-M/Agent configuration file contains the port used to route Remote Host (Agentless) connections; it is set by the Control-M/Agent system parameter RU_COMM_PORT.
===== Windows Overview of remote host technology:
A remote job is started and monitored from a Control-M/Agent.
Files are created on the Agent by the service owner, and the Agent prerequisites require admin privileges in order to create files in the Agent directories.
To move files to the remote host, delete them, or move them from the remote host back to the Agent, the Agent uses UNC paths, since there is no SFTP connection.
For that, the service account is used automatically, since the Agent process is started by it.
WMI is used to run and monitor the job on the remote machine (as SSH is on Unix/Linux). Because this is WMI technology, the Win32 API ‘CreateProcess’ cannot be invoked to launch the job; instead, the Win32_Process class is used with ExecMethod.
To connect to the remote WMI namespace (the connection is always made to the WMI root namespace), a connection to the remote machine must first be established (RPC).
This is done using the credentials of the process owner (the Agent service owner). After a successful login, the connection to the WMI root namespace is made using the supplied job owner.
This means the job itself runs with the job owner's credentials and not the Agent owner's credentials (as with a local job with LOGON_AS_USER Y).
To summarize, for WMI:
- Accessing the remote sysout directory as UNC path is done using Agent service account.
- Creating local files on Agent is done using Agent service account.
- Login to remote machine is done using Agent service account.
If the customer does not want to use an admin account, a different group can be created that must hold all the privileges needed to perform these three steps.
Please note that these privileges also affect OS local jobs and other CM jobs, as they are started from the Agent process and therefore inherit its privileges.
Running the job and monitoring it is done using the job owner account.
If the customer does not want to run the job with an admin account, see the following link for the job owner requirements:
https://docs.microsoft.com/he-il/windows/win32/wmisdk/securing-a-remote-wmi-connection?redirectedfrom=MSDN
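When a non-admin group is used for job owners, the first thing to verify before jobs start failing is whether that group actually holds the WMI namespace rights a remote connection and a Win32_Process call need. The following PowerShell audit is an added example, not BMC code and not part of the Control-M product; it reads the security descriptor of the root namespace (which the Agent connects to) and of root\cimv2 (where Win32_Process lives) on a remote host and reports, for one group, which rights are granted, which required ones are missing, and which go beyond the minimum. The host name, the group name DOMAIN\CtmJobOwners and the credential prompt are placeholders/assumptions; the access-mask bit values are the documented WMI namespace rights.

```powershell
# Added example (not BMC code): audit the WMI namespace rights a job-owner group holds on a remote host.
param(
    [string]$ComputerName = 'REMOTEHOST-PLACEHOLDER',     # assumption: the Remote Host to check
    [string]$Account      = 'DOMAIN\CtmJobOwners',        # assumption: the non-admin group created for job owners
    [string[]]$Namespaces = @('root', 'root\cimv2'),      # root: what the Agent connects to; root\cimv2: home of Win32_Process
    [PSCredential]$Credential = (Get-Credential -Message 'Account allowed to read WMI security on the remote host')
)

# Access-mask bits for WMI namespace ACEs (WMI SDK values).
$RightBits = [ordered]@{
    'Enable Account'  = 0x00001   # WBEM_ENABLE: needed to connect to the namespace
    'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE: needed for Win32_Process.Create (ExecMethod)
    'Full Write'      = 0x00004
    'Partial Write'   = 0x00008
    'Provider Write'  = 0x00010
    'Remote Enable'   = 0x00020   # WBEM_REMOTE_ACCESS: needed when the connection comes over the network
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
# The minimum a remote job owner needs to run and monitor a job through WMI.
$RequiredRights = 'Enable Account', 'Execute Methods', 'Remote Enable'

# Resolve the group to its SID so the comparison does not depend on display names.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$session = New-CimSession -ComputerName $ComputerName -Credential $Credential
try {
    foreach ($ns in $Namespaces) {
        # __SystemSecurity.GetSecurityDescriptor returns a Win32_SecurityDescriptor for the namespace.
        $sd = (Invoke-CimMethod -CimSession $session -Namespace $ns `
                  -ClassName '__SystemSecurity' -MethodName 'GetSecurityDescriptor').Descriptor

        # Combine allow ACEs and subtract deny ACEs (AceType 0 = allow, 1 = deny) for this SID only.
        $allowed = 0; $denied = 0
        foreach ($ace in $sd.DACL) {
            if ($ace.Trustee.SIDString -ne $sid) { continue }
            if ($ace.AceType -eq 0)     { $allowed = $allowed -bor $ace.AccessMask }
            elseif ($ace.AceType -eq 1) { $denied  = $denied  -bor $ace.AccessMask }
        }
        $effective = $allowed -band (-bnot $denied)

        $granted = @($RightBits.Keys   | Where-Object { ($effective -band $RightBits[$_]) -ne 0 })
        $missing = @($RequiredRights   | Where-Object { $granted -notcontains $_ })
        $extra   = @($granted          | Where-Object { $RequiredRights -notcontains $_ })

        [PSCustomObject]@{
            Namespace     = $ns
            Account       = $Account
            Granted       = ($granted -join ', ')
            Missing       = ($missing -join ', ')   # empty means the group can connect remotely and execute methods
            BeyondMinimum = ($extra   -join ', ')   # write/security rights a job owner does not need
        }
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it from a host that can reach the remote machine over RPC, passing an account that may read namespace security there. Two caveats: the script only inspects ACEs placed directly on the given SID, so rights the group inherits through membership in another group (Administrators, for example) are not reported; and WMI namespace rights are only one half of what the linked Microsoft page covers, the other being the DCOM remote launch/activation permissions, which this audit does not read.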