
Key Manager Agent

Troubleshooting the Key Manager agent often requires starting and stopping the sshmgr-agent-monitor service. The commands for starting the service are as follows:

Linux# service ssh-agent-monitor start
AIX# startsrc -s sshmgr-agent
HP-UX# /sbin/init.d/ssh-agent-monitor start
Solaris# /etc/init.d/ssh-agent-monitor start
Windows# sc start "SSH UKM Agent"

To stop the sshmgr-agent-monitor service:

Linux# service ssh-agent-monitor stop
AIX# stopsrc -s sshmgr-agent
HP-UX# /sbin/init.d/ssh-agent-monitor stop
Solaris# /etc/init.d/ssh-agent-monitor stop
Windows# sc stop "SSH UKM Agent"

To restart or reload the ssh-agent-monitor, first stop the service and then start it again.

The Key Manager agent logs messages as follows:

  • On Windows hosts, the Key Manager agent logs to the Windows event log.

  • On Unix hosts, the Key Manager agent logs to the agent log at /var/log/ssh-key-agent.log by default. If the agent-monitor service was started with the -S option, the log messages are instead written to syslog.

For a list of Key Manager agent log messages, see Agent-Monitoring Messages.

In all problem situations, the Key Manager agent can be started in debug mode for a more precise problem report:

Enabling Agent debug mode on Unix machines

  1. Stop the Key Manager agent monitor (commands provided above).

  2. Start the agent in debug mode:

    # /opt/sshmgr-agent/sbin/ssh-key-agent -D4 2> /tmp/agent-debug.txt

    Running the agent in debug mode writes a debug log to the path given in the command. Any errors that occurred while the debug agent was running can be reviewed in that log. Press Ctrl+C to terminate the debug agent. After that, remember to start the agent monitor to resume normal agent operation.
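
As an added example (not from the product documentation), the following POSIX shell functions wrap the per-platform start and stop commands listed above and the Unix debug-mode procedure: they pick the documented command for the platform reported by uname -s, run stop followed by start for a restart, and start the monitor again automatically when the debug agent exits. Assumed: uname -s reports Linux, AIX, HP-UX or SunOS, and the agent binary and default log path are the ones given above; Windows (sc) is not covered.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Assumptions: `uname -s` reports Linux, AIX, HP-UX or SunOS; the service
# names, init scripts and agent path are the ones the troubleshooting page lists.

# Print the documented start or stop command for a platform.
# Usage: agent_monitor_cmd <Linux|AIX|HP-UX|SunOS> <start|stop>
agent_monitor_cmd() {
    os=$1
    action=$2
    case "$action" in
        start|stop) ;;
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    case "$os" in
        Linux)  echo "service ssh-agent-monitor $action" ;;
        AIX)
            # AIX controls the agent through the SRC subsystem name sshmgr-agent.
            if [ "$action" = start ]; then echo "startsrc -s sshmgr-agent"
            else echo "stopsrc -s sshmgr-agent"; fi ;;
        HP-UX)  echo "/sbin/init.d/ssh-agent-monitor $action" ;;
        SunOS)  echo "/etc/init.d/ssh-agent-monitor $action" ;;
        *) echo "unsupported platform: $os" >&2; return 2 ;;
    esac
}

# Restart = stop, then start. With DRY_RUN=1 the commands are only printed.
# Usage: restart_agent_monitor [os]   (defaults to `uname -s`)
restart_agent_monitor() {
    os=${1:-$(uname -s)}
    for action in stop start; do
        cmd=$(agent_monitor_cmd "$os" "$action") || return $?
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            echo "running: $cmd"
            $cmd || return $?
        fi
    done
}

# Stop the monitor, run the agent in debug mode (-D4, stderr to a log file)
# in the foreground, and start the monitor again when the debug agent exits,
# including after Ctrl+C. The subshell scopes the EXIT trap to this run.
# Usage: run_agent_debug [os] [logfile]
run_agent_debug() {
    os=${1:-$(uname -s)}
    log=${2:-/tmp/agent-debug.txt}
    stop_cmd=$(agent_monitor_cmd "$os" stop) || return $?
    start_cmd=$(agent_monitor_cmd "$os" start) || return $?
    $stop_cmd || return $?
    (
        trap '$start_cmd' EXIT
        /opt/sshmgr-agent/sbin/ssh-key-agent -D4 2> "$log"
    )
    echo "debug log written to $log" >&2
}

# Optional command-line use: ./agent-ctl.sh restart | debug [logfile]
case "${1:-}" in
    restart) restart_agent_monitor ;;
    debug)   run_agent_debug "" "${2:-/tmp/agent-debug.txt}" ;;
esac
```

Source the file into a root shell and call restart_agent_monitor, or run it with the restart or debug argument; set DRY_RUN=1 first to see which commands would be executed on the current platform without touching the service.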

Enabling Agent debug mode on Windows machines

  1. Locate the PrivX Key Manager Agent registry key. On 32-bit platforms the key is located at:

    HKEY_LOCAL_MACHINE\SOFTWARE\SSH Communications Security\SSH Universal Key Manager Agent

    And on 64-bit platforms:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SSH Communications Security\SSH Universal Key Manager Agent

  2. In the PrivX Key Manager Agent key, add a new string value called enableDebug with the value yes.

  3. Restart the agent service to apply the changes.

    On modern Windows systems such as Windows 7 and Windows Server 2012 the debug output is written to the following location:

    %PROGRAMDATA%\SSH Communications Security\SSH Universal Key Manager Agent\UKMAgent.log

    On older Windows systems the debug output is written to:

    %ALLUSERSPROFILE%\Application Data\SSH Communications Security\SSH Universal Key Manager Agent\UKMAgent.log

Symptom: The Key Manager agent does not connect to the Key Manager Server

  • The symptom may be fixed by reconfiguring the Key Manager agent with a new ICB file.

  1. Download a new ICB via the Key Manager GUI.

  2. Make sure the Key Manager Server parameters in the ICB file are correct. The Key Manager Server parameters are listed after the private key data in the ICB file:

    • server_addr: This should be the address (FQDN or IP) of the Key Manager back end that is to manage the host. You should also make sure that the agent-based host is able to resolve and connect to the specified address, for example, by pinging the Key Manager back end from the agent-based host.

    • server_port: This should be the port on which the Tectia SSH Server on the Key Manager back end listens. By default this is 22.

    • server_username: This should be sshmgr.

  3. After you have made sure that the settings in the ICB file are correct, configure the Key Manager agent with the ICB file. To do this, run the following (replace /path/to/icb_file with the path of the ICB file):

    # /opt/sshmgr-agent/bin/ssh-agent-install-icb /path/to/icb_file

  4. Restart the sshmgr-agent-monitor.
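
As an added example (not from the product documentation), the following POSIX shell functions perform step 2 above mechanically before the ICB file is installed: they read server_addr, server_port and server_username from the file, check that the username is sshmgr and the port is numeric (noting when it differs from the default 22), and test whether the back end is reachable on that port. Assumed, because the page does not show the file layout: each parameter sits on its own line as "name value", "name=value" or "name: value"; the nc and ping fallbacks use Linux-style options.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Assumption: ICB parameters appear one per line as "name value",
# "name=value" or "name: value" after the private key data.

# Print the value of one parameter from an ICB file (empty if absent).
# Usage: icb_param <icb_file> <parameter_name>
icb_param() {
    file=$1
    name=$2
    awk -v key="$name" '
        $0 ~ ("^[[:space:]]*" key "[[:space:]=:]") {
            # Strip the key and a single separator so values such as ::1 survive.
            sub("^[[:space:]]*" key "[[:space:]]*[=:]?[[:space:]]*", "")
            sub("[[:space:]]+$", "")
            print; exit
        }' "$file"
}

# Check the documented expectations. Prints one problem per line and
# returns 1 if anything must be corrected before installing the file.
icb_check_params() {
    file=$1
    rc=0
    addr=$(icb_param "$file" server_addr)
    port=$(icb_param "$file" server_port)
    user=$(icb_param "$file" server_username)
    if [ -z "$addr" ]; then
        echo "server_addr is missing"; rc=1
    fi
    case "$port" in
        '')        echo "server_port is missing"; rc=1 ;;
        *[!0-9]*)  echo "server_port '$port' is not a number"; rc=1 ;;
        22)        ;;
        *)         echo "note: server_port is $port, the default is 22" ;;
    esac
    if [ "$user" != sshmgr ]; then
        echo "server_username is '$user', expected sshmgr"; rc=1
    fi
    return $rc
}

# Try a TCP connection to server_addr:server_port, which is closer to what
# the agent does than ping; fall back to the page's ping test without nc.
icb_check_reachability() {
    file=$1
    addr=$(icb_param "$file" server_addr)
    port=$(icb_param "$file" server_port)
    if command -v nc > /dev/null 2>&1; then
        if nc -z -w 5 "$addr" "$port"; then
            echo "TCP connect to $addr:$port ok"; return 0
        fi
        echo "TCP connect to $addr:$port failed"; return 1
    fi
    # ping options differ between platforms; -c is the Linux form.
    if ping -c 1 "$addr" > /dev/null 2>&1; then
        echo "$addr answers ping (port $port not tested)"; return 0
    fi
    echo "$addr does not answer ping"; return 1
}

# Optional command-line use: ./icb-check.sh /path/to/icb_file
if [ -n "${1:-}" ]; then
    icb_check_params "$1" && icb_check_reachability "$1"
fi
```

Run the script against the downloaded ICB file; only when both checks pass does it make sense to continue with ssh-agent-install-icb in step 3.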

For more information about configuring Key Manager agents, see the Installation Manual.

If the problems persist, you can get more detailed information about the problem by restarting the Key Manager agent in debug mode. See the debug mode instructions above.

Symptom: On HP-UX hosts, a Key Manager agent running with sudo settings fails to connect to the Key Manager Server

  • This may be caused by sudo commands printing last logon information, which causes Key Manager actions to fail.

    You can test this by running an arbitrary sudo command. For example:

    # sudo echo ''

    If the sudo command outputs the last logon information (in addition to any output the command is supposed to output), disable the last logon messages for sudo commands. This is done by adding the following line in the /etc/pam.conf file:

    sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login
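
As an added example (not from the product documentation), the following POSIX shell functions automate the HP-UX check above: one counts any output that sudo echo '' produces beyond its own empty line, which is what last-logon messages show up as, and one reports whether /etc/pam.conf already carries the bypass line for sudo sessions. Assumed: sudo runs the echo without prompting on stderr (the prompt normally goes to the terminal), and the pam.conf path is a parameter so the check can also run against a copy of the file.

```shell
#!/bin/sh
# Added example, not part of the product documentation.
# Assumptions: sudo's password prompt goes to the terminal, not stderr;
# the pam.conf path is passed in (defaults to /etc/pam.conf).

# Count lines that `sudo echo ''` should not produce, i.e. every non-empty
# line. Reads the captured sudo output (stdout and stderr merged) on stdin.
unexpected_sudo_lines() {
    # grep -c exits 1 when the count is 0, which is the good case here.
    grep -c -v '^[[:space:]]*$' || true
}

# Run the page's test command and report. Returns 1 when extra output
# (typically last-logon information) was printed.
check_sudo_last_login() {
    n=$(sudo echo '' 2>&1 | unexpected_sudo_lines)
    if [ "$n" -gt 0 ]; then
        echo "sudo printed $n unexpected line(s); last-logon messages are probably enabled"
        return 1
    fi
    echo "sudo output is clean"
}

# Return 0 if pam.conf already has a sudo session line for libpam_hpsec.so.1
# with bypass_last_login, as shown above.
# Usage: pam_sudo_bypass_configured [pam.conf]
pam_sudo_bypass_configured() {
    conf=${1:-/etc/pam.conf}
    grep -Eq '^[[:space:]]*sudo[[:space:]]+session[[:space:]]+required[[:space:]]+libpam_hpsec\.so\.1.*bypass_last_login' "$conf"
}

# Optional command-line use: ./hpux-sudo-check.sh [pam.conf]
if [ "$(basename "$0")" = "hpux-sudo-check.sh" ]; then
    check_sudo_last_login || true
    if pam_sudo_bypass_configured "${1:-/etc/pam.conf}"; then
        echo "pam.conf already bypasses last login for sudo sessions"
    else
        echo "pam.conf does not bypass last login for sudo sessions; add the line shown above"
    fi
fi
```

If the first check reports unexpected lines and the second reports that the bypass is not configured, adding the pam.conf line above and re-running the checks should confirm the fix before the agent is retried.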