Figure 4.1 shows the components of the SSH Tectia Manager system.
- Management Server
The Management Server runs the management logics, stores the configuration and environment information, and provides management communications to the managed hosts. The Management Server software includes a built-in, hardened web server developed by SSH Communications Security.
- Web-based administration interface
The administrator manages the environment via the SSH Tectia Manager administration interface. The SSH Tectia Manager administrators may use remote workstations to connect to the Management Server. The web connection is encrypted and the server is authenticated using TLS. The remote workstation does not need to have any additional components, such as Java, installed in order to run the administration interface. Administrators log into the Management Server using password authentication or optional TLS client authentication using X.509 certificates.
- Management Database
Management Server has a built-in SQL database where the host environment structure, host information, host public keys, SSH Tectia Server and Client configurations, and administrator audit logs are stored. Critical control and host information is stored in encrypted form in the database. SSH Tectia Manager also supports the use of Oracle (versions 9.2 and 10g) as an external Management Database.
- Management Agent
To be able to install and manage SSH Tectia software on a host machine, a software component called Management Agent needs to be installed onto the host.
The Management Agent is responsible for communicating with the Management Server, and installing, upgrading, monitoring, and controlling the SSH Tectia software on the host according to the management commands from the Management Server. The Management Agent operates with root privileges on the host.
The Management Agent needs a configuration file, created by the Management Server, called the Initial Configuration Block (ICB). This file initially authenticates the Management Agent to the Management Server, after which the Management Agent receives a permanent configuration file to be used on subsequent connections to the Management Server.
- Distribution Server
In very large environments (more than two thousand hosts), Distribution Servers may be deployed within local subenvironments to ease the management operations. Distribution Servers act as management connection proxies for the managed hosts, concentrating the multiple management connections into a single TCP stream to the Management Server and caching product installation packages for distribution, so that each installation package needs to be transferred only once to the Distribution Server.
Distribution Servers do not need to be separately installed, as it is possible to turn any Unix Management Agent into Distribution Server mode from the Management Server administration interface. After deploying the mode change to the Management Agent, it will start to serve the other Management Agents that are configured to use it as a Distribution Server. It is also possible to provide redundancy by assigning two Distribution Servers to serve a group of Management Agents.
Hosts deployed as Distribution Servers should have enough free disk space to cache all product installation packages in use, and enough network bandwidth to distribute the packages to Management Agents. Apart from the extra functionality of routing Management Agent connections and caching installation packages, the Distribution Servers function exactly like normal Management Agents. When no longer needed, the Distribution Servers can be turned back into ordinary Management Agent mode.