Running single-user agent as a service on Windows platform

Article ID: 241167

Products

CA Harvest Software Change Manager

Issue/Introduction

The SCM multi-user mode agent allows any user with permission to log in to the agent machine to use the agent software to access the file system or run scripts remotely with hexecp.  If you prefer to allow only a single user to connect to the SCM Agent, but the agent must run as a service so that it is "always on", how can this be accomplished?

Environment

Release : 14.0

Component : CA Harvest Software Change Manager

Resolution

With CA Harvest SCM, the agent component lets you access the file system of a remote computer for purposes of checking files in and out and running remote scripts.  The agent can run in “Single-User” mode or in “Multi-User” mode. 

| Single User Agent | Multi User Agent |
| --- | --- |
| Only the user who logs in to the remote agent computer and executes the agntd.exe program from a command prompt window on that machine has permission to connect to that agent to manage files or run remote scripts. | Any user who has permission to login to the agent computer has permission to connect to that agent to manage files or run remote scripts. |
| Executes in foreground from a command prompt window on the agent computer. | Executes in background as a Windows Service. |
| The agent activity log is routed to the command prompt window rather than to a log file. | Log files will be found in the %CA_SCM_HOME%\log folder on the agent machine. |
| When starting the agntd.exe program from the command prompt window, the user can choose the password that will be used for connection.<br>• They can include the “-pwd=” option and specify the password to be used to connect to the agent process.  It can be, but does not have to be the same as their Windows login password.<br>• They can include the “-eh=” option and specify the name of an encrypted password (dfo) file.<br>• They can include the “-pwdmethod=random” option and let the agntd.exe program provide a randomly selected password to be used to connect to the agent process. | When the agntd.exe program starts as a service, it will rely on the Windows system for authentication of user credentials. |
| When connecting to the Single User Agent, the user must use the password that was specified when the agntd.exe program was started. | When connecting to the multi-user agent, the user must use the Windows login credentials they would normally use to login to the agent computer. |
| Agent’s port number is specified when starting the agntd.exe program using the “-port=” option. | Agent’s port number is specified in the HAgent.arg file using the “-port=” option. |

What if access to the remote agent process must be restricted to one user, but it is not possible or convenient to log in to the remote agent computer and start the agntd.exe program from a command prompt before every deployment?  To accomplish this, it is necessary to configure the Single User Agent to run in the background and to restart it automatically when the computer is restarted.

The following suggested solution is offered only as an example and is not directly supported by the Broadcom Support Team.  You can use this as a starting point from which to develop your own custom solution for this use case. 

On the Windows platform the steps involve:

  • The user who will execute the agntd.exe process in this manner must be granted the “Log on as a batch job” permission in Control Panel -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> User Rights Assignment -> “Log on as a batch job”.
  • The user who will execute the agntd.exe process must be able to modify and write new files to the “%CA_SCM_HOME%\Log” folder.
  • The “CA Harvest SCM Agent Service” must be disabled so that it does not automatically start when the computer is restarted.
  • An encrypted password file must be created using the “svrenc” utility to hold the selected password for the agntd.exe process.
  • A Windows batch script must be created that will start the agntd.exe process with all the necessary options, and the result forwarded to a log file.
  • A Windows Task Scheduler task must be created to execute the batch script when the computer starts up, running whether or not the user is logged in, and running as the user that you want to have access to the SCM Single User Agent.

Here is an example batch script that might be used:

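@echo off
REM Start the SCM agent in single-user mode and send its activity log to a timestamped file.
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION

REM Build a locale-independent date and time stamp from WMI (yyyymmddHHMMSS...).
for /f "tokens=2 delims==" %%a in ('wmic OS Get localdatetime /value') do set "dt=%%a"
set "YY=%dt:~2,2%" & set "YYYY=%dt:~0,4%" & set "MM=%dt:~4,2%" & set "DD=%dt:~6,2%"
set "HH=%dt:~8,2%" & set "Min=%dt:~10,2%" & set "Sec=%dt:~12,2%"

set "datestamp=%YYYY%%MM%%DD%" & set "timestamp=%HH%%Min%%Sec%"

REM agent.dfo is resolved relative to the working directory, so set the task's "Start in" folder accordingly.
REM 2>&1 sends error output to the same log file as the agent's normal output.
agntd -eh=agent.dfo -port=6005 > "%CA_SCM_HOME%\log\%datestamp%_%timestamp%HAgent_6005.log" 2>&1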
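
The service, folder-permission and Task Scheduler steps listed above can be scripted as follows. This PowerShell is an added example, not part of the original article or of Broadcom's tooling. The account name, script path, working folder and task name are assumptions; it expects agent.dfo to have been created already with svrenc and the "Log on as a batch job" right to have been granted as described in the first step.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked "assumed" are placeholders, not taken from the article.
$AgentUser   = 'EXAMPLE\scmdeploy'               # assumed: the one account allowed to use the agent
$BatchScript = 'C:\Scripts\start_scm_agent.bat'  # assumed: where the batch script is saved
$StartIn     = 'C:\Scripts'                      # assumed: folder holding agent.dfo (created with svrenc)
$TaskName    = 'SCM Single-User Agent'           # assumed task name
$LogDir      = Join-Path $env:CA_SCM_HOME 'Log'

# Stop the multi-user service and keep it from starting at boot.
$svc = Get-Service -DisplayName 'CA Harvest SCM Agent Service' -ErrorAction Stop
Stop-Service -InputObject $svc -Force
Set-Service -Name $svc.Name -StartupType Disabled

# Let the agent account create and modify files in the log folder.
icacls $LogDir /grant "${AgentUser}:(OI)(CI)M" | Out-Null

# The task runs these files as $AgentUser at every boot, so only Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18) may change them; the agent account gets read/execute only.
foreach ($path in $BatchScript, (Join-Path $StartIn 'agent.dfo')) {
    icacls $path /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' "${AgentUser}:RX" | Out-Null
}

# Register a task that runs at startup whether or not the user is logged on.
$cred     = Get-Credential -UserName $AgentUser -Message 'Windows password for the agent account'
$action   = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$BatchScript`"" `
                                    -WorkingDirectory $StartIn
$trigger  = New-ScheduledTaskTrigger -AtStartup
# The default execution time limit is 72 hours, which would end a long-running agent; zero removes it.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                                         -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $AgentUser -Password $cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null

# Confirm the result: the task is registered and the service is stopped and disabled.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-Service -Name $svc.Name | Select-Object Name, Status, StartType
```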