CA Automic Workload Automation - Automation Engine
Issue/Introduction
As of version 12.3 of the Automation Engine, an additional child process called ucybsmgr-listener runs alongside the Service Manager (ucybsmgr). This article describes what it is and why it was implemented.
Environment
Release : 12.3.X
Component : AUTOMATION ENGINE
Resolution
The Service Manager listener (ucybsmgr-listener) was introduced in version 12.3.0 of the Automic Automation Engine to address the following security concern raised by customers:
If the Service Manager runs as root, the TCP/IP port it listens on is also opened by root. The security policies of many companies do not allow a network-facing port to be owned by a privileged process. Customers asked for privilege separation, as already implemented for the Unix agent: the listener port should be served by an unprivileged user, so that an attacker who attacks or takes over the listening process gains only the rights of that unprivileged user and cannot do further harm to the system.
The solution implemented in AWA 12.3.x: the parent process, running as root, forks a child process running as nobody. The child opens the listener port and handles all socket communication. It forwards the SM commands requested by the client to the parent over IPC, and the parent, which keeps its root privileges, executes them.
Because TLS communication via CAPKI needs access to the private key and certificate files, all file I/O is likewise delegated to the parent process, which has the required rights. The file contents are handed to the unprivileged process over IPC, which enables it to set up the client communication using CAPKI.
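The following is an added example of the pattern the two paragraphs above describe (root parent, unprivileged listener child, file I/O and command execution delegated over IPC). It is illustrative code written for this article, not Automic's implementation: the JSON-over-socketpair IPC protocol, the command names in the allowlist, the user "nobody", the loopback port and the constructed key file are all assumptions.

```python
# Privilege-separated listener modelled on the ucybsmgr / ucybsmgr-listener split.
# Illustration only: the IPC format, command names and user "nobody" are assumptions.
import json
import os
import pwd
import socket
import tempfile
import threading

UNPRIVILEGED_USER = "nobody"
# Hypothetical allowlist standing in for the SM commands the parent may execute.
ALLOWED_COMMANDS = {"GET_PROCESS_LIST", "START_PROCESS", "STOP_PROCESS"}

def drop_privileges(user=UNPRIVILEGED_USER):
    """Become `user` when running as root; a no-op when already unprivileged.
    Fails closed (KeyError) if the user does not exist. Returns True on a switch."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])              # supplementary groups first,
    os.setgid(pw.pw_gid)          # then the gid (still needs root),
    os.setuid(pw.pw_uid)          # then the uid, which makes the change irreversible
    return True

def send_json(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())

def handle_request(req, key_path):
    """Parent-side policy. The IPC channel is the new trust boundary, so every
    request coming from the child is checked against a fixed allowlist."""
    if req.get("type") == "read_file":
        if req.get("path") != key_path:           # only the configured key file
            return {"error": "path not allowed"}
        with open(key_path, "rb") as f:
            return {"data": f.read().decode()}
    if req.get("type") == "command":
        name = req.get("name", "")
        if name not in ALLOWED_COMMANDS:
            return {"error": "command not allowed"}
        return {"result": "executed " + name}     # a real parent runs the SM command here
    return {"error": "unknown request"}

def unprivileged_child(ipc, key_path):
    """The listener: owns the TCP port, never opens files, delegates everything."""
    drop_privileges()
    ipc_reader = ipc.makefile("r")
    send_json(ipc, {"type": "read_file", "path": key_path})
    key = json.loads(ipc_reader.readline())       # would seed the TLS context here
    if "data" not in key:
        return
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))                  # port 0: any free port, for the demo
    lsock.listen(1)
    send_json(ipc, {"type": "listening", "port": lsock.getsockname()[1]})
    conn, _ = lsock.accept()
    for line in conn.makefile("r"):               # one command per line from the client
        send_json(ipc, {"type": "command", "name": line.strip()})
        send_json(conn, json.loads(ipc_reader.readline()))
    conn.close()

def talk_to_listener(port, commands, replies):
    """Constructed client standing in for whoever talks to the Service Manager port."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        reader = s.makefile("r")
        for cmd in commands:
            s.sendall((cmd + "\n").encode())
            replies.append(json.loads(reader.readline()))

def run_demo(commands):
    """Parent: fork the listener, serve its IPC requests, return what the client saw."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("-----BEGIN PRIVATE KEY-----\n(constructed sample, not a real key)\n")
        key_path = f.name
    os.chmod(key_path, 0o600)                     # root-only in production; child never opens it
    parent_sock, child_sock = socket.socketpair()
    pid = os.fork()
    if pid == 0:                                  # child: the listener process
        parent_sock.close()
        try:
            unprivileged_child(child_sock, key_path)
        finally:
            os._exit(0)
    child_sock.close()
    replies, client = [], None
    for line in parent_sock.makefile("r"):        # runs until the child exits
        req = json.loads(line)
        if req.get("type") == "listening":        # child is up: start the constructed client
            client = threading.Thread(target=talk_to_listener,
                                      args=(req["port"], commands, replies))
            client.start()
            continue
        send_json(parent_sock, handle_request(req, key_path))
    if client:
        client.join()
    os.waitpid(pid, 0)
    os.unlink(key_path)
    return replies

if __name__ == "__main__":
    print(run_demo(["GET_PROCESS_LIST", "rm -rf /"]))
```

Run as a normal user, drop_privileges is a no-op and the demo still shows the message flow; run as root, the child really switches to nobody before binding the port, so a compromise of the listener yields only that user's rights. The point worth taking from the example is handle_request: once the port is separated, the IPC channel becomes the boundary, and the parent must treat every file path and command name arriving from the child as untrusted input, which is why it accepts only the configured key file and a fixed set of commands.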