Credentials and privileges used on Linux/Unix-based computers
This Orion Platform topic applies only to the following products:
ACM — DPAIM — NAM — NOM — SAM
Agents installed on Linux/Unix-based computers can use three different credential sets to install and configure the agent. During this process, a service account is created to run the agent service.
You need sufficient privileges to be able to do the following to install and configure the agent:
- open an SSH connection remotely
- SFTP or SCP
- install software
- create a user
- create a group
Credentials are used to install and configure the agent and are not used at any other time. You may remove the credentials from the credential store once the agent is deployed.
Agent installations require a credential set that allows the user to open an SSH session from a remote computer. This can be provided as either a user name and password or as a certificate.
Verify the credentials by opening an SSH connection to the remote computer.
For Linux/Unix-based computers, you may need to include another set of credentials to use
sudo for package installation. You can add these credentials selecting the Include Credentials with Elevated Privileges.
You can use any certificate-based credential that is supported by SSH. Upload a private key file or paste the private key in PEM format.
Credentials with elevated privileges
To install the package, you need credentials with administrator or root-level privileges. Depending on your network security policies, some Linux/Unix-based computers do not allow user accounts to connect remotely and install software. If this applies to the computer you want to monitor, you can select Include Credentials with Elevated Privileges and enter credentials that have the correct privileges. Most Linux/Unix distributions require the user's password when using
sudo. Other distributions, such as SUSE, may require the root password. Depending on your Linux/Unix distribution, enter the required credential for the Include Credentials with Elevated Privileges to install the package.
When this is selected, we connect to the Linux/Unix-based computer using the provided SSH credentials and then switch users to the account with elevated privileges to install and configure the agent.
Select Include SNMP Credentials to collect SNMP data to use in Hardware Health, Asset Inventory, and SNMP component monitor information. This is required if SNMP v3 is installed. The agent software detects if you have SNMP installed on the computer and attempts to use your established SNMP credentials. No data is collected if the agent does not have the correct SNMP credentials.
Hardware Health and Asset Inventory are not supported on AIX devices.
Service account privileges
When the agent software is installed, we create a service account (
SWIAgent), and add it to its own group.
This account does not have remote access privileges and cannot be used to log in to the computer.
The service account is used to run the
swiagentd service. When updating the agent, a second service runs (
swiagentd.update) for the duration of the update.
The service account and group are removed when the agent is deleted from the node.
For SAM users, if you do not enter credentials or select Inherit from node, the monitor executes the script under the agent credentials (SWIAgent). These credentials may not have the elevated permissions required for executing scripts.