Requesting Access to IBM Director Agent on Windows

When IBM Director Server first discovers a managed system, that system might be initially locked (represented by padlock icon next to the system) and require the appropriate credentials be supplied before being able to be managed.

To manage such locked systems, you must right-click the inaccessible system and select Request Access. You then need to specify an account with administrative privileges on the system you are attempting to access. For Linux systems, you can just use the root user ID; however for Windows, the proper credentials vary depending on the type of agent on the remote system.

Tip: You can select multiple systems before requesting access by using Shift-click or Ctrl-click. In this manner, you can request access to all systems using the same credentials in a single operation.

Requesting access to Windows managed systems provides some challenges if domain credentials are supplied. The format of the user name and domain name varies depending on the level of IBM Director Agent installed on the managed system. Refer to Table 1 for acceptable formats for supplying domain credentials to Windows-based systems.

Table 1: Windows domain credentials for accessing secured systems

Level-0 systems

For Level-0 systems (agentless), the process depends, generally, on the operating system of the target. More accurately, it depends on the protocol used for communication. By default, IBM Director uses DCOM to communicate with all Level-0 Windows systems, while using SSH for all other operating systems on all platforms. You can choose to use SSH on Windows systems as well by installing the Open SSH software included on the IBM Director installation CD (in the coresvcs directory).

During Level-0 system discovery, these systems are discovered and added to the management console in a secure state (padlock icon ). Management of these systems is not possible until access is granted using the Request Access task.

Requesting access to Level-0 Windows systems

Level-0 Windows systems require an account with local administrative privileges to successfully be granted access from the Request Access task. You can specify either a local administrative account or domain administrative account, but you must specify the account in either of the following formats:

• username (local accounts)
• username@domain (domain accounts)

If the user name on a Windows Level-0 secured system is local system account and the same user name exists as a domain account, IBM Director uses the local account for authentication, unless you specify the domain using username@domain. This can cause problems if you have a domain account with the same user name as a local account.

Tip: You cannot use the syntax domain\username to unlock Level-0 systems.

Level-1 systems

For Level-1 systems (IBM Director Core Services), SSL secures all communication. When IBM Director Server is installed, a self-signed security certificate is created. During Level-1 system discovery, these systems are discovered and added to the management console in a secure state (padlock icon ). Management of these systems is not possible until access is granted using the Request Access task.

Requesting access to Level-1 Windows systems

Level-1 Windows systems require an account with local administrative privileges to successfully be granted access from the Request Access task. You can specify either a local administrative account or domain administrative account, but you must specify the account in either of the following formats:

• username (local accounts)
• username@domain or domain\username (domain accounts)

Tip: Unlike Level-0 or Level-2, you can use either username@domain or domain\username to unlock Level-1 systems.

Upon acceptance of the proper Request Access credentials, the security certificate is pushed to the CIMOM (WMI for Windows, Pegasus for all other operating systems and platforms) on the managed system. This certificate is used to open a secure pipe between IBM Director Server and the managed system for all subsequent sessions.

Tip: The certmgr command, available in the DIRCLI command line interface to IBM Director Server, can be used to generate, import, distribute, and revoke security certificates for Level-1 managed systems. Note, however, that the certificates created using this command expire after one year. For more information about this and other DIRCLI commands, see Appendix A: IBM Director commands in the IBM Director Systems Management Guide, available from:
http://www.ibm.com/systems/management/director/resources

Level-2 systems

For Level-2 systems (IBM Director Agent), the process is a bit more complex, although invisible to the management console user. It works like this:

1. IBM Director Server attempts to access IBM Director Agent. IBM Director Server bids the public keys that correspond to the private keys it holds.
2. IBM Director Agent checks these keys. If it considers the keys to be trusted, IBM Director Agent replies with a challenge that consists of one of the trusted public keys and a random data block.
3. IBM Director Server generates a digital signature of the random data block using the private key that corresponds to the public key included in the challenge. IBM Director Server sends the signature back to IBM Director Agent.
4. IBM Director Agent uses the public key to verify that the signature is a valid signature for the random data block. If the signature is valid, IBM Director Agent grants access to IBM Director Server.

Requesting access to Level-2 Windows systems

Level-2 Windows systems require an account with local administrative privileges to successfully be granted access from the Request Access task. You can specify either a local administrative account or domain administrative account, but you must specify the account in either of the following formats:

• username (local accounts)
• username\domain (domain accounts)

Tip: You cannot use the syntax username@domain to unlock Level-2 systems.

Windows authentication issues

Issues can arise if you have duplicate user names for local users and domain users or supply domain credentials in the incorrect format, which might prevent you from accessing Windows-based managed systems.

Scenario 1

Local administrator account - username: JohnD, password: 1234
Domain administrator account - JohnD, password: 5678

If you request access to the system with the user name JohnD, IBM Director uses the local system account JohnD and authenticates against password 1234. If you specify JohnD with the password 5678, the request fails because the password is incorrect for the local system account. You need to specify the local system account JohnD with the password 1234 or specify the domain account JohnD@domain (Level-0, Level-1) or domain\JohnD (Level-1, Level-2) with the password 5678 to gain access.

Scenario 2

Local user account - username: JohnD, password: 1234
Domain administrator account - JohnD, password: 5678

If you request access to the system with the user name JohnD, IBM Director uses the local system account JohnD and authenticates against password 1234. If you specify JohnD with the password 1234, the request for access fails because the user does not have local administrative privileges. If you specify JohnD with password 5678, the request fails because the password is incorrect for the local system account. You need to specify JohnD@domain (Level-0, Level-1) or domain\JohnD (Level-1, Level-2) with the password 5678 to gain access.