Tectia

System Components

Tectia Manager consists of the following main components:

Management Server

The Management Server is the engine of Tectia Manager. It runs the management logics, stores the environment data, and provides management communications to the managed hosts. The Management Server needs to have a public IP address for the Management Agent connections.

The Management Server includes a built-in, hardened web server that provides the Tectia administrators with a TLS-protected web-based administration interfaces.The administrators may use their remote workstations to connect to the Management Server via a standard web browser.

The installation and initial configuration of the server are described in ??? and ???.

Management Database

Management Server has a built-in SQL database for storing host information, Tectia software versions, configurations of Tectia and OpenSSH products, Management Agent configurations, administrator audit trails, and logs collected from the managed hosts. Critical control and host information is stored in encrypted format in the database.

Tectia Manager includes also a built-in Oracle client functionality, so alternatively an existing installation of an Oracle database can be used as an external Management Database. Setting up the Oracle database for Tectia Manager is described in ???.

Management Agent

To be able to manage and monitor the remote hosts, a software component called Management Agent is installed on each host. The Management Agent automatically contacts the Management Server and sets up an authenticated and encrypted management connection for host registration and management operations.

The Management Agent takes care of all management actions on the remote host, such as detecting SSH software, installing Tectia products, storing configurations and host key files. It also collects the relevant logs and sends them to the Management Server.

The Management Agent operates with root privileges on the host. It collects the logged data and forwards it to Management Server which then composes reports for auditing purposes. The Management Agent also takes care of installing, upgrading, monitoring, and controlling the Tectia software on the host according to the management commands from the Management Server.

The Management Agent requires a data file called the Initial Configuration Block (ICB). The Tectia administrator creates the ICB on the Management Server and it is delivered to the managed and monitored hosts along with the Management Agent software.

The ICB file initially authenticates the Management Agent to the Management Server, after which the Management Agent receives a permanent configuration file to be used on subsequent connections to the Management Server. For more information, see ???.

The first installation of the Management Agent on the managed hosts should be performed locally or by using an existing third party software deployment system (for example, System Management Server (SMS) or Active Directory on Windows). Once the Management Agents have been deployed, they can later be upgraded via Tectia Manager. The versions of the installed agents can be viewed via the administrator interface.

Management Connection

Messaging between the managed hosts and the Management Server is transmitted through a TCP/IP connection. The Management Agents initiate the management connections to the Management Server and the connections are kept on continuously allowing for online monitoring and instant management actions (for example, to push configuration changes to the hosts).

The management connection removes the need to open additional ports or services on the managed hosts, and the need for the server to poll for hosts that may be offline. It also enables connections through Network Address Translation (NAT).

When local Distribution Servers are deployed to facilitate the management of large environments, the Management Agent opens the management connection to the Distribution Server which then continues to connect to the Management Server.

Administration interface (web-based)

The Tectia Manager administrators can access the Management Server from their remote workstations via a web-based administration interface. The web connection is encrypted and the server is authenticated using TLS. The remote workstation does not need to have any additional components, such as Java, installed in order to run the administration interface.

The administrators log into the Management Server using password authentication or optional TLS client authentication with X.509 certificates. The Tectia Manager administration interface is used in managing remote host data, the SSH software installations and configurations, the Management Agents, licenses, administrator data, and in viewing the secure file operations reports.

Distribution Server

In very large environments (more than 2000 hosts), Distribution Servers may be deployed within local sub-environments to share the load of management operations. Distribution Servers are low-maintenance software components with no management database or user interface.

Distribution Server acts as a management connection proxy between the Management Server and the managed hosts concentrating multiple management connections into a single TCP stream. The Distribution Server caches installation binaries and configuration files for distribution so the Management Server needs to transfer each binary or file only once to the Distribution Server, as compared to sending directly to multiple managed hosts.

Distribution Servers can be deployed and configured from the Management Server administration interface. Any Unix Management Agent can be changed into a Distribution Server. The setup of Distribution Servers are described in ???.

After deploying the mode change to the Management Agent, it will start to serve the other Management Agents that are configured to use it as a Distribution Server. It is also possible to provide redundancy by assigning two Distribution Servers to serve a group of Management Agents.

Make sure the hosts you deploy as Distribution Servers have enough free disk space to cache all product installation packages in use, and enough network bandwidth to distribute the packages to Management Agents.

Apart from the extra functionality of routing Management Agent connections and caching installation packages, the Distribution Servers function exactly like normal Management Agents. When no longer needed, the Distribution Servers can be turned back into ordinary Management Agent mode.