5.8
Table Of Contents
- VMware vRealize Configuration Manager Troubleshooting Guide
- Contents
- About This Book
- Troubleshooting Overview
- Types of Problems
- Gathering Diagnostic Information
- What to Send to VMware Technical Support
- Capture a Desktop Image
- Capture a Window Image
- Set the Debug Log to Store all Message Types
- Extract the Debug Log
- Extract SQL Server Logs
- Collect IIS Logs
- Collect ARS Files
- Collect the UNIX Syslog Messages
- Collect Import/Export Tool Logs
- Extract Windows Event Logs
- Extract Windows System Information
- Collect UNIX ETL Logs
- Collect VCM Installation Logs
- Enable VCM Patching Logging
- Collect VCM Patching Logs
- Collect Agent Logging
- Troubleshooting Problems with VCM
- Patch Content Does Not Download for Red Hat and SUSE Machines
- Signed Patch Content Cannot Be Validated
- Mismatched Security Setting for AIX Patch Staging with NFS
- UNIX Patch Deployment Fails
- UNIX Patch Assessment Returns No Results
- Patch Deployment Jobs Might Time Out
- UNIX Bulletins Missing from the Required Location
- Report and Node Summary Errors
- Report Parameter Errors
- Protected Storage Errors
- SSL Becomes Disabled
- Troubleshooting the vSphere Client VCM Plug-In
- vSphere Client VCM Plug-In Is Not Enabled
- Cannot Register the vSphere Client VCM Plug-In
- Invalid Certificate on a vSphere Client
- Collector Not Running
- HTTPS/SSL Is Not Configured on the Collector
- Collection Unsuccessful
- Machines Not Listed in the Collect Available List
- Machines Not Listed in the Available List for Any Action
- ESX Servers Are Not Displayed
- VCM Windows Agent
- Windows Agent Installation Environment
- Windows Agent Installation Process
- Detect Previous Install
- Validate Installation Environment
- Interrogate Target Environment
- Resolve Uninstall Dependencies
- Uninstall Module
- Uninstall Module Installer
- Install Simple Installer
- Install Module Installer
- Resolve All Versions of Modules Based on Highest Version Number
- Install Module
- Fully Release the Synchronization Lock on the Target Machine
- Submit Request to Agent
- Check If Request Is Complete
- Transfer Request Results
- Acknowledge Successful Data Transfer
- Prepare Request Results for Insert
- Insert Data Into Database
- Transform Inserted Data
- Cleanup Machine Data
- Partially Release the Synchronization Lock on the Target Machine
- Cleanup Request Data
- Windows Agent Uninstallation Process
- Detect Previous Install
- Validate Installation Environment
- Interrogate Target Environment
- Resolve Uninstall Dependencies
- Uninstall Module
- Uninstall Module Installer
- Fully Release the Synchronization Lock on the Target Machine
- Partially Release the Synchronization Lock on the Target Machine
- Cleanup Request Data
- Windows Agent Upgrade Process
- Windows Agent Manual Installation Process
- Windows Agent Communication Protocols
- Communication Protocol Change Process
- Detect Previous Install
- Uninstall Agent
- Uninstall Package Installer
- Uninstall Basic Installer
- Validate Installation Environment
- Install Simple Installer
- Store Installation Data in the Database
- Install Module Installer
- Fully Release the Synchronization Lock On the Target Machine
- Submit Request to Agent
- Check If Request Is Complete
- Transfer Request Results
- Acknowledge Successful Data Transfer
- Prepare Request Results For Insert
- Insert Data Into Database
- Transform Inserted Data
- Cleanup Machine Data
- Partially Release the Synchronization Lock on the Target Machine
- Cleanup Request Data
- Debug Window Agent Installations
- VCM UNIX Agent
- UNIX Agent Directory Structure After Installation
- /opt/CMAgent
- /opt/CMAgent/Agent
- /opt/CMAgent/CFC
- /opt/CMAgent/data
- /opt/CMAgent/data/db
- /opt/CMAgent/data/db/DtmDB/RDM
- /opt/CMAgent/data/db/PDS
- /opt/CMAgent/data/db/SM/RDM
- /opt/CMAgent/ECMu
- /opt/CMAgent/ECMu/x.x/bin
- /opt/CMAgent/ECMu/x.x/scripts
- /opt/CMAgent/install
- /opt/CMAgent/Installer
- /opt/CMAgent/ThirdParty
- /opt/CMAgent/ThirdParty/x.x/PatchAssessment
- /opt/CMAgent/uninstall
- Directories Created During an Inspection
- Directory of Executed Scripts and Results
- Collector Certificates
- Patch Assessment
- Exploratory UNIX Agent Troubleshooting
- UNIX Agent Directory Structure After Installation
- Index
n RunHigh. Owner root, group cfgsoft, mode r-sr-x---
n RunLow. Owner csi_acct, group csi_acct, mode r-xr-s---
n RunRemote. Owner root, group cfgsoft, mode r-sr-x---
If permissions are correct, check DBE files for errors stating that RunHigh, RunLow, or RunRemote failed.
See "Run Executable Logging" on page 77 for information about the level of error logging.
Run Executable Logging
If RunHigh, RunLow, or RunRemote fails, the executable file logs errors of type auth.err to syslog as
follows.
n (Linux) /var/log/secure
n (Solaris) /var/adm/messages
n Wherever these message types are configured to be logged as set up in /etc/syslog.conf
The error messages only say that the executable program failed. The messages deliberately avoid details
about the failure so that a hacker cannot use the information to design an attack that defeats the security
of the program.
To get detailed messages, rebuild RunHigh, RunLow, and RunRemote with more logging enabled. Search
for a commented-out syslog entry in the code, remove the comment markers, and rebuild the programs.
Detailed logging creates messages in syslog that have an error code, which VCM engineering uses to
trace to a source file and determine the cause of the failure.
Account and Group Configuration
The Collector might report that the job succeeded, but no data appears. For data to appear, the three
executable files in /opt/CMAgent/ECMu/x.x/bin need accounts and groups to be configured.
NOTE If the installation creates the accounts and groups, the uninstall process removes them. It the
accounts and groups were preexisting, the uninstall process does not remove them.
n The csi_acct user account. Must be properly created and cannot have a shell that permits logins. The
shell for csi_acct must be listed under the CSIRegistry NoLoginShells, and the no login shell must
exist on the Agent machine.
n The csi_acct group. By default, the primary group for the csi_acct user is the csi_acct group.
Like the csi_acct user account name, the group name can be changed during Agent installation if you
want to use another name or an existing group. Using an existing group might create a security risk
depending on the existing group privileges. Use a group that has no elevated permissions, like the
standard nobody group.
n The cfgsoft group. Must be created and have this exact name. The csi_acct user must be a
member of the cfgsoft group, but the cfgsoft group should not be the primary group for csi_
acct.
When troubleshooting the setuid binary files, check nsswitch.conf to confirm that all user lookups are
going to the files first. If they are not, the accounts might need to be created in your environment (for
example: YP, LDAP, or Active Directory). A common problem is that the user account is partially created
in the cloud, so the security checks fail. If none of the user information is in the cloud, the secondary check
to files should work properly.
VCM UNIX Agent
VMware, Inc.
77