What is Agentless or Remote Host technology and how does it work? |
Control-M Agentless Scheduling Frequently Asked Questions CONTROL-M Version 6.3 introduces a revolutionary capability to enterprise job scheduling and workload management. Agentless Scheduling has the potential to exponentially reduce the cost of operating a CONTROL-M environment by eliminating up to 90 percent of installed CONTROL-M/Agents. This technology uses standard protocols that are now available on many platforms, including all major Unix, Linux, VMS, i5, and Windows operating systems, to manage scheduled jobs without the need to install and maintain a
CONTROL-M/Agent on those platforms. Understandably, this technology has generated unprecedented excitement and interest in our industry and among our customers. This FAQ (Frequently Asked Questions) document seeks to address the most common questions that arise when discussing Agentless Scheduling and its implementation.
Terms
Some new terminology is used in this document. This section defines those terms.
Q&A
Q1: What versions of CONTROL-M components are required to support Agentless Scheduling.?
A: CONTROL-M/Enterprise Manager Version 6.3.01 with Fix Pack 1, CONTROLM/Server, and CONTROL-M/Agent Version 6.3.01 are required. CONTROL-M/Enterprise Manager is already available. CONTROL-M/Server, CONTROL-M/Agent, and CONTROL-M/Enterprise Manager Fix Pack 1 are planned to be available in January 2007.
Q2: Why is CONTROL-M/Agent required for “Agentless” scheduling?
A: At least one conventional agent is required since the communications with a Remote Host are performed by a CONTROL-M/Agent.
Q3: Are all CONTROL-M/Agents Version 6.3 able to communicate with Remote Hosts? For example, what about CONTROL-M/Agent for iSeries or Tandem?
A: For Version 6.3, CONTROL-M/Agent for Unix, Linux, and Windows are able to communicate with Remote Hosts. This means that at least one CONTROLM/Agent for Unix, Windows, or Linux must be installed in order to use Agentless Scheduling.
Q4: How is Agentless Scheduling accomplished?
A: CONTROL-M/Agents, supporting the CONTROL-M Remote Execution Interface, connects with a Remote Host using either the SSH Version 2 or WMI protocols. These protocols provide the capability for the CONTROL-M/Agent to initiate a process, monitor it for completion, capture its output (sysout), analyze success or failure, and view or edit the script or batch file that is to be run (View/Edit JCL).
Q5: On what platforms or environments can jobs be executed using Agentless Scheduling?
A: With CONTROL-M Version 6.3, UNIX, Linux, iSeries, and VMS platforms running SSH Version 2 and Windows 2003 running WMI are supported for Agentless Scheduling. An example of such servers
that have been tested are:
Q6: What security credentials are required to run a job on a remote host?
A: In order to run a job on a particular remote host for a specific job owner the user id and password for the owner need to be defined in CONTROL-M when using WMI or SSH protocol. Instead of a user id and password for SSH protocol, one can create an SSH Private/Public key and load it into the owner's account to get access to the environment.
Q7: How are SSH keys stored?
A: The SSH private/public keys are stored in the CONTROL-M/Server database. The keys are always encrypted using a customer-supplied passphrase.
Q8: How are the security credentials managed?
A: The management of user IDs and SSK is done through CCM.
CCM has several levels of authorization. Additionally, access to CCM can be secured using the Secure Sockets layer (SSL).
Q9: Are there command line interfaces that can be used to define and replace keys?
A: A number of new utilities are supplied to administer Agentless Scheduling. Among them is the ctmkeygen utility that can be used to generate SSH keys.
Q10: OpenSSH’s sshd server has a feature where if a process is started in the background, when the client attempts to terminate the SSH connection the
server holds the connection open until the background process terminates.
Does CTM address this behavior? How?
A: CONTROL-M performs a standard disconnect operation from the SSH server. Any process spawned by the SSH server continues to run including jobs that are started by CONTROL-M/Agent when the connection inadvertently breaks from the remote agent. Q11: Are there any implementation requirements on the SSH server? Subsystems or tunneling, for example?
A: No special setup is required on the SSH server to support Agentless scheduling.
Q12: Does Agentless Scheduling allow me to run CONTROL-M utilities on Remote Hosts?
A: Starting with Control-M version 8 it is possible to enable these Utilities on the remote hosts. For details on how to configure refer to this KA: Q13: Can File Watching be performed on a Remote Host?
A: Conventional file watching is performed by the ctmfw CONTROL-M utility and thus currently requires a CONTROL-M/Agent. PLEASE NOTE: CONTROL-M CM for Advanced File
Transfer and MFT provide remote file watching.
Q14: Where is job output (Sysout) stored for jobs run on a Remote Host?
A: During the job execution the default location for the sysout is the HOME directory of the owner. This path can be modified for every agent. After the job completes the sysout is moved to the machine of the CONTROL-M/Agent that managed the connection with the Remote Host.
Q15: When a connection to the remote host is lost from CONTROL-M/Agent how can I determine the status of a running job?
The job output (Sysout) file located on the remote host will contain the exit code of the job.
Q16: How are CONTROL Modules (Application plug-ins) affected by Agentless Scheduling?
A: CONTROL Modules such as BMC CONTROL-M CM for SAP, BMC CONTROLM CM for AFT, and all other CONTROL Modules require a conventional CONTROL-M/Agent within which to operate. Note, however, that the number of instances required for most CONTROL Modules is very small. For example, a single installation of CM for SAP can schedule and manage all SAP jobs on multiple SAP instances within an organization.
Q17: Where should the CONTROL-M/Agent, used to access Remote Hosts, be installed?
A: In version 6.3, the default action during the installation of CONTROL-M/Server is to also install a CONTROL-M/Agent on the same host. This install is identified as <local> in various dialogs such as defining Remote Hosts and is used by default. This approach simplifies the management process but is optional and may be changed. Additional CONTROL-M/Agents can be installed on other machines to balance the workload or as desired.
Q18: Is load balancing via the node group mechanism available with Agentless Scheduling?
A: Yes. Remote Hosts can be specified in a Node Group just like conventional Agent hosts. Additionally, each Remote Host can be “connected” via multiple Agent machines, all of which can be inserted into a node group.
Q19: Does it matter which platform is used for the CONTROL-M/Agent and which platform is used for Remote Hosts?
A: Yes. If the Remote Host connection protocol is SSH, the CONTROL-M/Agent can reside on UNIX, Linux, or Windows. If the Remote Host connection protocol is WMI, the CONTROL-M/Agent must be installed on a Windows platform.
Q20: Are there any considerations for Remote Hosts when CONTROL-M is configured to work with CJK (Internationalization – I18N-) characters?
A: The CONTROL-M/Agent must be configured to use the same character set as the remote hosts.
Q21: Are there any considerations for using “virtual” remote hosts running on UNIX or Windows clusters with Agentless Scheduling?
A: No. Such virtual hosts implemented with clustering facilities are transparent to CONTROL-M. Simply use the virtual hostname in the nodeid field or include it in a Node Group just as you would with any real hostname
Q22: If the password of the owner (userid) is identical on all remote hosts, is it necessary to create an entry for each remote host?
A: No, Use the <All> selection for the hostname field in the “owners authentication” dialog.
Q23: How can I find which remote hosts can be accessed by each CONTROLM/Agent and which CONTROL-M/Agent can access which remote hosts?
A: This information can be displayed in the CCM using the Show Remote Hosts option from the CONTROL-M/Agent context menu and the Properties option from the Remote Host context menu.
Q24: When a job is running (or after It has been completed) on a Remote Host, how can it be determined which CONTROL-M/Agent was used to access the
Remote Host if multiple agents were defined to balance the workload?
A: The CONTROL-M Log for the job, available via the Log option from the job context menu, displays the Remote Host on which the job was executed along with the CONTROL-M/Agent through which the job was submitted.
Q25: How can I convert conventional CONTROL-M/Agent definitions to remote hosts?
A: Shut down the CONTROL-M/Agent(s). If only a few CONTROL-M/Agents are being converted, this can be accomplished interactively using the CCM. Right-click on each CONTROL-M/Agent entry and select the “Convert to Remote Host” option. If a large number of CONTROL-M/Agents need to be converted, use the ctmhostmap CONTROL-M/Server utility.
Q26: How can I check the connection status of a remote host?
A: From the CCM console, right-click on a Remote Host entry and select Ping. The CTM ping and CTM_diag_comm CONTROL-M/Server utilities have also been updated to support Remote Hosts
Q27: What is the ratio between Control-M/Agent installations to Agentless remote hosts? How many remote hosts can a single Control-M/Agent support in an Agentless configuration?
A: It is hard to give an absolute answer on the required ratio between regular Control-M/Agents and Agentless remote hosts. In V7 we have done stress tests and verified a Control-M/Agent handling ~80 Agentless remote hosts concurrently running jobs. However, things may differ in different environments based on the strength of machines, network issues, etc.
Q28: Does Control-M support WinRM and WinRS?
A: No, only WMI and SSH are support for remote management.
Q29: Can remote hosts connect to multiple Control-M servers at the same time? A: Yes, but a different sysout directory should be specified for each server to avoid overlap.
Q30: How secure is the Control-M Remote Host connection to the Microsoft Server?
A: We are using the WMI infrastructure for remote host connectivity on Windows. WMI is Microsoft Windows infrastructure, while using it BMC does not need to know how it works and what are the WMI configurations that are not related to the activation of the BMC features.
WMI is based on RPC and RPC is using port 135. Our Control-M implementation of the remote host job execution also requires access to a shared directory for the output of the job. This share is based on the SMB protocol without the need for NetBIOS, which is running over port 445. User credentials for the initial connection are not clear text (based on the RPC encryption method); however, the data being passed back and forth between the Control-M/Agent and remote host are most likely not encrypted. Q32: Is Agentless technology support on remote host OS that has passed EOL?
A: No. See Third-Party Product support policy. Additional Information: Customers viewing this solution may find value in the following self-help Connect with Control-M video. |