Troubleshooting: Manually disabling functionality using the command line
By enabling or disabling some functionality, you can more quickly isolate registration and communication issues between the Server Agent and a Trust Protection Platform server.
Refer to the following table for attributes you can use at the command line to enable or disable functionality.
NOTE The Server Agent does not require a restart when using any of these attributes.
CLI command attributes useful for troubleshooting.
|
Attribute Name |
Description |
Example |
|
crl_checking |
CRL checking is enabled by default. NOTE On a newly installed Trust Protection Platform server, this option's value appears blank. Trust Protection Platform checks the Venafi Operational Certificate (VOC) and all intermediate root certificates. If you are not using CRL checking, you should disable it using this attribute. Doing so can help you to get agent deployment working correctly. |
vagent -m crl_checking=disabled You can also substitute "disabled" with either "false" or "0" (zero). |
|
This attribute is enabled by default. When enabled—and if you have event_row_count set to something greater than zero (0)—then Trust Protection Platform begins to log all traffic between the Server Agent and the Trust Protection Platform server. This attribute is helpful in cases where you cannot get the agent to check in or register with the Trust Protection Platform server. NOTE When using this attribute, you should contact Venafi Customer Support as they can help you to navigate sometimes complex log entries. |
vagent -m log_communications=disabled |
|
|
certificate_security |
This attribute is enabled by default. When disabled, Trust Protection Platform no longer checks to make sure that the Venafi Operational Certificate (VOC) is trusted by the agent. This means that Trust Protection Platform will not validate whether the VOC certificate is expired or whether it matches the URL, etc. Simply, if it is a certificate, it is trusted. This attribute can be helpful in cases where an agent is not communicating with the Trust Protection Platform server and you cannot discern the cause. So if you disable this attribute and communication between Trust Protection Platform and the agent resumes, then it is likely that the VOC has issues. WARNING! You should never use this attribute in a production environment! When disabled, your sever becomes a target for a man-in-the-middle (MIM) attack. Use it only when setting up an agent deployment. Other common uses include the following:
|
vagent -m certificate_security=enabled |
|
Lets you specify the maximum number of rows (logged events) that are saved when logging messages to the events.sq3 file. Messages logged in the events.sq3 file can help you to track down root causes with an installed Server Agent. You can set this value to any number from 1 through 999999. NOTE If you specify a number between 1 and 499, the number is automatically increased to 500 so that Trust Protection Platform is able to delete the oldest 50 rows when the maximum number of rows is exceeded. For more information, see About the events.sq3 file. |
event_row_count=50000 |
|
|
client_id |
Use when re-registering an installed agent. When you delete an agent in Trust Protection Platform and then plan to re-register that agent (rather than uninstalling it from a client), you must clear the client_id and rolling_code values at the command line on the client machine. NOTE The client_id maps to both a user and machine. |
./vagent -x client_id=root: In the above example, "root" is simply the user name. Replace root with the intended user. |