ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

AWA 12.3.X: What is ucybsmgr-listener?

book

Article ID: 145565

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic Workload Automation - Automation Engine

Issue/Introduction

As of version 12.3 of Automation Engine, there is an additional orphan process running along with the Service Manager, that is called ucybsmgr-listener. This article describes what it is and why it was implemented. 

Environment

Release : 12.3.X

Component : AUTOMATION ENGINE

Resolution

Service Manager listener (ucybsmgr-listener) was implemented in version 12.3.0 of Automic Automation Engine based on the following security issue that was a concern for customers:

If the service manager is run with the root user, a TCP/IP port is also opened by the root user. This is not allowed by security policy of many companies. Customers are asking for privilege separation, as we implemented for the Unix agent. The listener port should run with an unprivileged user. So if the port is attacked or taken over by a hacker, they cannot do further harm on the system as it is only an unprivileged user.

So the solution was implemented in AWA 12.3.X: The parent process, running as root, forks a child process running as nobody, which opens the listener port and does the socket communication. The unprivileged process communicates via IPC with the parent process, which executes the SM-commands requested by the client.

Since TLS communication using CAPKI needs to access private key and the certificate files, all file IOs are delegated to the parent process which has the required rights. File contents are handed over via IPC to the unprivileged process and enables it to initiate the client communication using CAPKI. 

Attachments

1582562502793__Unix Agent Listener.pdf get_app