FAQ: Server Agent
This topic contains common questions regarding the Server Agent.

Yes. Depending on the version of the Server Agent that you are uninstalling (including older versions), some files are left behind, but you can remove them manually. For example, during an MSI uninstall of Server Agent 15.2, the msvcr120.dll file is removed. However, if you are uninstalling an older, upgraded version, the uninstaller is unaware of this file and does not remove it. In addition, all of the sq3 files are intentionally left behind. To remove these files, delete the Venafi directory and any subfolders.
For more information, see Uninstalling the Server Agent.

The Server Agent is designed to be lightweight and non-intrusive on the systems where it is deployed. Venafi is still compiling estimated usage but here are some preliminary guidelines (the usage profile of the agent is impacted by the number of keys and/or certificates on the host system):
- An agent running on a system with approximately 20 SSH keys and 20 certificates should require approximately 20MB of RAM.
- An agent with approximately 1000 SSH keys and 1000 certificates should require approximately 40MB of RAM.
- An agent with 1000 certificates (no SSH keys) should require approximately 25MB of RAM.
For more information, see Server Agent prerequisites.

The agent is designed to minimize CPU usage and system impact. Once the agent performs its initial discovery and submits the discovered certificates/keys to the Trust Protection Platform server, it submits only deltas (differences) to the server. The times when the agent actively performs scanning or remediation operations are centrally configurable (e.g., hourly, daily, weekly, monthly, time of day, etc.). This enables complete control of the operating footprint of the agent. We are still compiling CPU usage profiles, but preliminary testing shows that CPU usage when the agent is actively performing operations is in the low single digits of CPU percentage utilization. The agent utilization profile (both memory and CPU) is impacted by the number of keys and certificates on a system.

Currently there is no way to force an agent scan from the Trust Protection Platform side. The agent can only receive work when it checks in; the Trust Protection Platform server cannot push work to the agent. There is a way to tell the agent to re-read the configuration and then execute the scan (run the vagent command twice). The process is manual: you need to log in to the agent system and execute the following commands:
Stop the vagent process:
# /etc/init.d/vagent stop
Go to the directory that contains the vagent binary:
# cd /opt/venafi/agent/bin
Start the agent to run one scan in debug mode and then exit (run this twice):
# ./vagent -s -1 -e debug >/tmp/vagent.txt 2>&1
# ./vagent -s -1 -e debug >/tmp/vagent.txt 2>&1
View the scan results after the second run:
# cat /tmp/vagent.txt
Start the vagent process:
# /etc/init.d/vagent start
The results should now be in Trust Protection Platform and viewable from the Aperture Dashboard. Verify that the scan ran by viewing the /tmp/vagent.txt file created above.

Use the init script to start or stop the agent:
Start:
- RedHat/Linux: /etc/init.d/vagent start
- Solaris: /etc/init.d/vagent start
- AIX: /etc/rc.d/rc2.d/Svagent start or startsrc -s VENAFI.vagent
Stop:
- RedHat/Linux: /etc/init.d/vagent stop
- Solaris: /etc/init.d/vagent stop
- AIX: /etc/rc.d/rc2.d/Svagent stop or stopsrc -s VENAFI.vagent

The agent only reports deltas from its previous check-in.