FAQ for Control-M/Agent Agentless / Remote Host technology
Control-M Agentless Scheduling Frequently Asked Questions
Agentless Scheduling has the potential to exponentially reduce the cost of operating a Control-M environment by eliminating up to 90 percent of installed Control-M/Agents. This technology uses standard protocols that are now available on many platforms, including all major Unix, Linux, VMS, IBM i (AS/400), and Windows operating systems, to manage scheduled jobs without the need to install and maintain a Control-M/Agent on those platforms. This FAQ (Frequently Asked Questions) document seeks to address the most common questions that arise when discussing Agentless Scheduling and its implementation.
Terminology:
Q&A:
Q1: What versions of Control-M components are required to support Remote Host Jobs?
A: All currently supported versions of Control-M. Agentless technology was first introduced in version 6.3.01.
Q2: Why is a Control-M/Agent required for “Agentless” scheduling?
A: Communications to/from a Remote Host are performed by a Control-M/Agent. This Agent is known as the RJX Agent.
Q3: What platforms of Control-M/Agents are able to communicate with Remote Hosts? For example, can a Control-M/Agent for IBM i (AS/400) or Tandem be used as an RJX Agent?
A: Only Control-M/Agents on Unix, Linux, and Windows are able to communicate with Remote Hosts. This means that at least one Control-M/Agent for Unix, Windows, or Linux must be installed in order to use Agentless Scheduling.
Q4: How is Agentless Scheduling accomplished?
A: Control-M/Agents, supporting the Control-M Remote Execution Interface, connect with a Remote Host using either the SSH or WMI protocols. These protocols provide the capability for the Control-M/Agent to initiate a process, monitor it for completion, capture its output, analyze success or failure, and view or edit the script or batch file that is to be run (View/Edit Script).
Q5: On what platforms or environments can jobs be executed using Agentless Scheduling?
A: Control-M Agentless Scheduling is supported on Unix, Linux, IBM i (AS/400), VMS, and Windows systems that use an industry-standard SSH protocol, as well as supported Windows operating systems that provide WMI.
Examples of SSH servers that have been tested include:
Q6: What security credentials are required to run a job on a Remote Host?
A: To run a job on a particular remote host for a specific Run as User, the user ID and password need to be defined in Control-M when using the WMI or SSH protocol. Instead of a user ID and password for SSH, it is possible to create an SSH private/public key and load it into the Run as User's account to get access to the environment.
Q7: How are SSH keys stored?
A: The SSH private/public keys are stored in the Control-M/Server database. The keys are always encrypted using a customer-supplied passphrase.
Q8: How are the security credentials managed?
A: The management of user IDs and SSH is done through Web/Configuration and AAPI.
Access to Web/Configuration has several levels of authorization.
Q9: Are there command line interfaces that can be used to define and replace keys?
A: Utilities such as ctmkeygen can be used to generate SSH keys. Additionally, refer to the Control-M Automation API documentation for managing credentials from the command line.
Q10: OpenSSH’s sshd server has a feature where if a process is started in the background, when the client attempts to terminate the SSH connection, the server holds the connection open until the background process terminates. How does Control-M address this behavior?
A: Control-M performs a standard disconnect operation from the SSH server. Any process spawned by the SSH server continues to run, including jobs that are started by Control-M/Agent when the connection inadvertently breaks from the remote Agent. Control-M/Agent will intentionally disconnect from the SSH server if the job is a long-running job. The Agent polls the remote host for the job status at a configured, designated time.
Q11: Are there any implementation requirements on the SSH server? Subsystems or tunneling, for example?
A: SSH Server Tuning: While no special subsystems are needed, high-volume Agentless execution may require tuning the target SSH daemon (e.g., increasing MaxStartups or MaxSessions in sshd_config) to handle the concurrent connections coming from the Control-M/Agent.
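As an added example (not BMC code), the following reads the two directives named above from sshd_config text and computes what percentage of new connections sshd would refuse at a given number of simultaneous unauthenticated connections, using OpenSSH's start:rate:full semantics for MaxStartups. The sample config and the burst sizes are constructed assumptions; MaxStartups counts only connections that have not yet authenticated.

```python
import re

# OpenSSH built-in defaults, used when a directive is absent or commented out.
DEFAULTS = {"maxstartups": "10:30:100", "maxsessions": "10"}

def parse_limits(config_text):
    """Return (start, rate, full, max_sessions) from the global part of sshd_config."""
    values, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        key = fields[0].lower()              # keywords are case-insensitive
        if key == "match":                   # global section ends at the first Match
            break
        if key in DEFAULTS and key not in seen and len(fields) == 2:
            values[key] = fields[1].strip()  # first occurrence wins in sshd
            seen.add(key)
    parts = [int(p) for p in values["maxstartups"].split(":")]
    if len(parts) == 1:                      # single number: hard cap, no ramp
        start, rate, full = parts[0], 100, parts[0]
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("MaxStartups must be N or start:rate:full")
    return start, rate, full, int(values["maxsessions"])

def drop_percent(pending, start, rate, full):
    """Percent of new connections sshd refuses while `pending` are unauthenticated."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full`.
    return rate + (100 - rate) * (pending - start) // (full - start)

# Constructed sample config: MaxStartups raised, MaxSessions left at its default.
SAMPLE = """\
# /etc/ssh/sshd_config (constructed excerpt)
MaxStartups 100:30:400
#MaxSessions 10
"""

if __name__ == "__main__":
    start, rate, full, sessions = parse_limits(SAMPLE)
    print(f"MaxStartups={start}:{rate}:{full} MaxSessions={sessions}")
    for burst in (50, 100, 250, 400):        # assumed simultaneous connection attempts
        print(burst, "pending ->", drop_percent(burst, start, rate, full), "% refused")
```

With the OpenSSH default of 10:30:100, refusals begin at the tenth pending connection, which is why the directive matters for a host that receives many Agentless connections at once.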
Q12: Does Agentless Scheduling allow me to run Control-M utilities on Remote Hosts?
A: To limit the size of the Agentless footprint, the Agent limits the execution of Agentless utilities. Refer to the documentation on configuring Agentless utilities. It is possible to enable these utilities on the remote hosts. For details on how to configure, refer to: https://documents.bmc.com/supportu/9.0.22/en-US/Documentation/Agentless_Hosts.htm
Q13: Can File Watching be performed on a Remote Host?
A: Conventional file watching is performed by the ctmfw utility. This utility is available on the Agentless remote host, starting with version 9.0.21.300, and only with JAVA_RH=Y.
PLEASE NOTE: Control-M CM for Advanced File is not supported as it's a plugin on top of the Agent.
Transfer and MFT provide remote file watching as well, and are not supported on Agentless machines.
Q14: Where is job output stored for jobs run on a Remote Host?
A: During the job execution, the default location for the output is the HOME directory of the owner. This path can be modified for every Agent. After the job completes, the output is moved to the machine of the Control-M/Agent that managed the connection with the Remote Host.
Q15: When a connection to the remote host is lost from Control-M/Agent, how can I determine the status of a running job?
A: The job output file located on the remote host will contain the exit code of the job. The Agent knows how to recover the connection to the Agentless machine and process job completion. By design, the connection between the Agent and the Agentless machine is short-lived.
Q16: How are Control Modules (Application plug-ins) affected by Agentless Scheduling?
A: CONTROL Modules such as BMC Control-M CM for SAP, BMC Control-M CM for MFT, and all other CONTROL Modules require a conventional Control-M/Agent within which to operate. Note, however, that the number of instances required for most CONTROL Modules is very small. For example, a single installation of CM for SAP can schedule and manage all SAP jobs on multiple SAP instances within an organization.
Q17: Where should the Control-M/Agent, used to access Remote Hosts, be installed?
A: For Control-M SaaS environment, at least 1 conventional Control-M/Agent must be installed; for OnPrem the default action during the installation of Control-M/Server is to also install a Control-M/Agent on the same host. This install is identified as <local> in various dialogs, such as defining Remote Hosts and is used by default. This approach simplifies the management process but is optional and may be changed. Additional Control-M/Agents can be installed on other machines to balance the workload, provide redundancy or as desired.
Q18: Is load balancing via the node group mechanism available with Agentless Scheduling?
A: Yes. Remote Hosts can be specified in a Node Group just like conventional Agent hosts. Additionally, each Remote Host can be “connected” via multiple Agent machines, all of which can be inserted into a node group.
Q19: Does it matter which platform is used for the Control-M/Agent and which platform is used for Remote Hosts?
A: Yes. If the Remote Host connection protocol is SSH, the Control-M/Agent can reside on UNIX, Linux, or Windows. If the Remote Host connection protocol is WMI, the Control-M/Agent must be installed on a Windows platform.
Q20: Are there any considerations for Remote Hosts when Control-M is configured to work with CJK (Internationalization – I18N-) characters?
A: The Control-M/Agent must be configured to use the same character set as the remote hosts.
Q21: Are there any considerations for using “virtual” remote hosts running on UNIX or Windows clusters with Agentless Scheduling?
A: No. Such virtual hosts implemented with clustering facilities are transparent to Control-M. Simply use the virtual hostname in the nodeid field or include it in a Node Group just as you would with any real hostname.
Q22: If the password of the owner (userid) is identical on all remote hosts, is it necessary to create an entry for each remote host?
A: No. Use the <All> selection for the hostname field in the “owners authentication” dialog.
Q23: How can I find which remote hosts can be accessed by each Control-M/Agent and which Control-M/Agent can access which remote hosts?
A: This information can be displayed in the Web/Configuration using the Show Remote Hosts option from the CONTROL-M/Agent context menu and the Properties option from the Remote Host context menu.
Q24: When a job is running (or after it has been completed) on a Remote Host, how can it be determined which Control-M/Agent was used to access the Remote Host if multiple agents were defined to balance the workload?
A: The Control-M Log for the job, available via the Log option from the job context menu, displays the Remote Host on which the job was executed along with the Control-M/Agent through which the job was submitted.
Q25: How can I convert conventional Control-M/Agent definitions to remote hosts?
A: Shut down the Control-M/Agent(s). If only a few Control-M/Agents are being converted, this can be accomplished interactively using the Web/Configuration. Right-click on each Control-M/Agent entry and select the “Convert to Remote Host” option. If a large number of Control-M/Agents need to be converted, use the ctmhostmap Control-M/Server utility.
Q26: How can I check the connection status of a remote host?
A: From the Web/Configuration console, right-click on a Remote Host entry and select Ping. The CTM ping and CTM_diag_comm Control-M/Server utilities have also been updated to support Remote Hosts.
Q27: What is the ratio between Control-M/Agent installations to Agentless remote hosts? How many remote hosts can a single Control-M/Agent support in an Agentless configuration?
A: It is difficult to provide an absolute ratio between standard Control-M/Agent and Agentless remote hosts. In version 9.0.21, stress tests showed that a single Control-M/Agent can handle approximately 400 concurrently running Agentless jobs. However, actual capacity varies by environment and can be affected by factors such as machine performance, SSHD configuration, network latency, and overall infrastructure stability.
Q28: Does Control-M support WinRM and WinRS?
A: Only WMI and SSH are supported for remote management.
Q29: Can remote hosts connect to multiple Control-M servers at the same time?
A: Yes, but a different Output directory should be specified for each server to avoid overlap.
Q30: How secure is the Control-M Remote Host connection to the Microsoft Server?
A: Control-M uses the WMI infrastructure for remote host connectivity on Windows. WMI is Microsoft Windows infrastructure; in using it, BMC does not need to know how it works or what the WMI configurations are beyond those related to the activation of the BMC features.
WMI is based on RPC, and RPC uses port 135. The Control-M implementation of remote host job execution also requires access to a shared directory for the output of the job. This share is based on the SMB protocol without the need for NetBIOS, running over port 445. User credentials for the initial connection are not sent in clear text (based on the RPC encryption method); however, the data being passed back and forth between the Control-M/Agent and remote host is most likely not encrypted.
Q32: Is Agentless technology supported on remote host Operating Systems that have passed EOL?
A: No. See Third-Party Product support policy.
Q33: Do Agentless jobs in Control-M require that the remote account be able to open an SSH shell session?
A: Yes. Agentless jobs in Control-M rely on standard SSH connectivity to execute commands remotely. The user account specified in the Agentless connection profile must be allowed to establish an interactive SSH shell session on the target host.