Nolio Agents Unreachable After 6.7.0.b398

book

Article ID: 211186

calendar_today

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

After applying 6.7.0.b398 to your Management Server (NAC) and, more importantly, Execution Servers (NES) the agents may become unreachable. This article will describe:

  • What you can do to prevent this from happening before applying 6.7.3.
  • What you can do if you have already applied 6.7.3 and now your agents are offline/unreachable as a result. 

Cause

Noted in the "Enhancements" portion of the Release Notes for 6.7.3, this cumulative patch upgrades the NES and Agents with a new Keystore to replace an expired certificate. The "Known Issues" portion of the Release Notes goes on to explain that the agents will become unreachable when the execution server and agents are configured to use an encrypted connection. 

Prior to applying the 6.7.3 (6.7.0.b398) you should configure your agents and execution servers to not use encryption. The agent and execution server needs to be restarted when changing its setting from true to false (and vice versa). 

Environment

Release : 6.7

Component : CA RELEASE AUTOMATION AGENT

Resolution

Overview

Before we get into what you can do to prevent/workaround your agents becoming unreachable it is worth noting the following:

  1. Setting up Execution Servers and Agents to communicate securely is documented here: Secure Execution Server to Agent Communication
    • The product documentation outlines how to configure the NES and Agents to communicate securely using different certificates. 
  2. NES and Agents can be configured to communicate securely using Nolio's default certificates.
  3. As long as the NES and Agent are using a known certificate, they will be able to connect regardless of what either of their /config/nimi/network/security/enabled property is set to. However, once an unknown certificate is introduced, the /config/nimi/network/security/enabled property must be set to "false" on both the NES and Agent - in their configuration file: conf/nimi_config.xml

 

Preventing Unreachable Agents Prior to 6.7.3

If your agents are configured to communicate securely you will need to do the following before applying 6.7.3 to prevent the agent from becoming unreachable once 6.7.3 is applied to the NES:

  1. Manually reconfigure all agents (and NES) so that their /config/nimi/network/security/enabled property = false. Then restart the agent. Or,
  2. Import the process attached to this KB article and follow the steps below to reconfigure the agents. Then, either:
    • Manually restart the agent; or
    • Restart the agent using the ROC -> Administration -> Agent Management - Restart option. 

 

export_NolioB398.zip

The attached export_NolioB398.zip contains:

1 Application:

  • NolioB398-Prereq

1 Server Type:

  • NolioAgent

1 Environment:

  • Test

2 Processes:

  • Configure NolioAgent Nimi Security Enabled - False:
    This process will configure the Agent's conf/nimi_config.xml /config/nimi/network/security/enabled property with the value: false

  • Set NolioAgent Nimi Security Enabled - True
    This process will configure the Agent's conf/nimi_config.xml /config/nimi/network/security/enabled property with the value: true

 

To import:

  • Download the export_NolioB398.zip file attached to this article.
  • Log into the ROC as a superuser
  • Navigate to Designer -> Import/Export
  • Click Import (in the upper right corner).
  • Click the "Choose File" button to find and select the downloaded export_NolioB398.zip.

 

To use (applies to both processes):

  • Log into the ROC as a superuser
  • Navigate to Environments -> Agent Assignment.
  • Select the agents that you would like to run the process against. 
  • Navigate to Environments -> Process Execution
  • Expand the Test environment, expand Processes and expand the process you want to run. Then click on that processes Latest tag.
  • Click the "Run Process" button.
  • Select the agents to run the process against. 
  • Click the "Run" button.
  • Once the process has finished, the agents need to be restarted. To restart the agents you can use one of the following methods:
    • Manually restart the agents yourself if you have access to the system (or by coordinating with the sysadmin); or
    • Navigate to Administration -> Agent Management.
      • Then select the agents you ran the process against.
      • Click the "Restart" button.
  • Be sure to manually configure the /config/nimi/network/security/enabled property to false on your Execution Servers (NES) and recycle Nolio services to complete the change. 

 

Once all of your NES and Agents have had their security/enabled property configured to false and have been restarted, apply cumulative fix 6.7.3 (aka 6.7.0.b398) to your management and execution servers. Then, upgrade all agents. Once all agents have been upgraded you can configure the NES and Agents to communicate securely. 

 

 

Workaround for Unreachable Agents After Applying 6.7.3

If your Execution Servers (NES) and Agents were configured to communicate securely and you applied 6.7.3 to your NES then it will not be able to establish a connection to the agents. As noted in the Release Notes:

Two solutions are available:

  • Uninstall, and reinstall agents one by one.
  • Temporarily disable encrypted communication, run the upgrade for NES/agents, and enable encryption again.
    Note: See point #3 in Overview above. Changing the /config/nimi/network/security/enabled property to "false" on only the NES, or on only the Agent, is not sufficient.

 

There is a third option/workaround that could be used temporarily. However, it is important to note that this is only temporary and you will need to revert these changes before configuring the NES and Agents to communicate securely again. This workaround should only be necessary if you have already applied 6.7.3 to your execution servers and now your agents are unreachable as a result of them being configured to communicate securely. 

To apply the workaround, the following steps should be done on the Execution Servers:
  • Stop Nolio services on the Execution Server
  • move the conf/nolio.jks to conf/nolio.jks.new
  • move the conf/keyStore.jks to conf/keyStore.jks.new

 

The above steps backup the new/updated certificate files applied after applying 6.7.3. Once these files have been backed up, you can restore the old certificates to restore the connection with the agents. To restore the old certificate files:

  • copy patchBackup/6.7.0.398/keyStore.jks to conf/
  • copy patchBackup/6.7.0.398/nolio.jks to conf/
  • Start Nolio services on the Execution Server

 

Once the agents are reachable you need to follow an appropriate path outlined in the "Preventing Unreachable Agents Prior to 6.7.3" section above. However, once you are done upgrading all agents to 6.7.3 you will need to restore the new certificates on the NES. Configuring the NES and Agents to communicate securely will not work until the NES has their new certificates restored.

 

 

 

Attachments

1616548693059__export_NolioB398.zip get_app