Panel | |
---|---|
|
Release
...
Release Notes
Universal Agent Controller release 7.0.0.0 contains the following high-level features. , For a complete list of all the included features and fixes, please refer to the Universal Agent 7.0.x Maintenance list.
The following is the 6.9.x release info
Application Integration
...
Upgrading Universal Agent for I-Series
ID | Title | Description | ||||||||||||||||||
B- 10715 | UA Python - Add External Module to Packaged Delivery | The following list of Python Modules and their respective Versions, used by Stonebranch-created Universal Task/Template definitions, will be included within the Python package delivered alongside Universal Agent. They do not require any further installation effort once the Agent has been installed.
No additional installation or set-up activities will be required for the Python modules listed above. |
Universal Agent Architecture
12401 | IBMi: Update IBMi implementation of agent to support changes for OpenSSL 1.1.1b. | Upgrade the current UA for IBMi to allow support of current SSL/TLS Versions as in any of the UA 6.9.0.0 Agents. UA 5.1.1.0 now connects to a UA 6.9 Agent that has a TLS1.2 protocol definition in place which is the current default setting. |
B-12407 | IBMi: Attempt OpenSSL 1.1.1b build on IBMi 5.4. | |
B-12410 | IBMi: packaging of created Agent code as "new" Release (5.1.1.0). |
z/OS Improvements
ID | Title | Description |
B- | 11181Extend password scrubbing to CSK methods | When certain command and scripts are run with embedded user ID/password information, this information can be displayed in trace statements when message_level is set to trace. The two trace points in question are:
With B-11181, the command and script lines in the offending trace statements will be replaced with *****. |
B-12001 | Universal Java networking component (used by OMS Java Client) - Modify properties referenced in code to use the new "uc." pathing initiated by the ControllerCritical | Universal Controller 6.9.0.0 modified the prefix used for properties from “opswise.” to “uc.”. The Universal Java Networking component (used by the OMS Java Client) references a subset of the Controller’s properties related to key managers and trust managers. Therefore, the Universal Java Networking Component must modify the property names it uses to the new “uc.” prefix used by the Controller. Properties in question are In file .\ua\autoctr-projects\universal\src\com\stonebranch\universal\net\UniversalTrustManager.java, function com.stonebranch.universal.net.UniversalKeyManager.UniversalKeyManager() was modified to reference the new property names:
In file .\ua\autoctr-projects\universal\src\com\stonebranch\universal\net\UniversalSession.java, function com.stonebranch.universal.net.UniversalSession.sendNegotiation() was modified to reference the new property name:
In file .\ua\autoctr-projects\universal\src\com\stonebranch\universal\net\UniversalTrustManager.java, function com.stonebranch.universal.net.UniversalTrustManager.UniversalTrustManager() was modified to reference the new property names:
|
z/OS Features
...
Backlog ID
...
Title
...
The $LOGMSG macro will allow assembler programs to issue message to the UAG LOG dataset with a severity level of INFO, DEBUG and TRACE.
The appropriate log level will need to be set to allow the messages to be logged.
It will allow TRACE messages with a level of ENTRY, EXIT, TRACE and WATCH. Trace will need to be active to allow the messages to be logged.
For JESMSGLG messages, the message number will be 1097. The levels will be ERROR, WARN, INFO, AUDIT and TRACE. The appropriate log level will need to be set.
The macro specification will allow a single text string to be sent. The assembler code line number and the issuing CSECT name will be sent as well. These will be printed in the LOG and TRACE datasets to indicate the source of the message.
...
With Universal Agent 6.9.0.0, UAG for z/OS will create and join a Sysplex group if it is running Sysplex-aware.
The XCF group name will consist of the characters UAG, followed by the first 4 (upper cased) characters of the system ID (system_id from UBRCFG00).
Each UAG will have a member name, which will be the group name appended with @ and followed by the MVS system name.
So, for example, my UAG with a system ID of mndv, running on DVZOS202, would have a group name of UAGMNDV and a member name of UAGMNDV@DVZOS202.
...
Recognize when a pre-allocated file is updated on z/OS (Implementation)
Note | ||
---|---|---|
| ||
Universal Agent 6.9.0.0 Behavioral Change: Adding a z/OS File Monitor type "change" that may affect your current file monitor settings for z/OS. |
...
Currently, UAG for z/OS uses SMF record type 15 to detect dataset creates. The same record can be used to detect updates. Create File Monitors will be modified to trigger only on creation of a dataset. Change File Monitors will be supported by having them trigger on dataset updates.
Additionally, UAG for z/OS will start collecting SMF type 18 records. (These are created when a dataset is renamed.) When a dataset rename is detected which matches a Change File Monitor, the File Monitor will also trigger.
For Change File Monitors, z/OS will support only the “Monitor File(s)” field in the “Agent File Monitor Details” section of the “Agent File Monitor” pane. Wildcards * and ? will be supported.
For Create File Monitors, z/OS will continue to support only the “Monitor File(s)” field in the “Agent File Monitor Details” section of the “Agent File Monitor” pane. Wildcards * and ? are supported.
Both Create and Change File Monitors will not be triggered until a dataset has been opened for output and then subsequently closed. Change File Monitors will also trigger when a rename of a dataset completes successfully.
...
Running UDM with an un-authorized User message
ICH408I USER(UBRTRP ) GROUP(UBRGRP ) NAME(####################)
BPX.SUPERUSER CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
is shown within the LOG.
Even though it is an informational message confirming that the user does not have authorization, it is often considered as a "security issue" in Audits. To avoid confusion, the RACF-check, leading to thai message, will be ommited when an unauthorized user is used.
Hybrid IT/Cloud
...
Backlog ID
...
Title
...
A customer has identified a situation in which a Universal Agent’s Access Control List (ACL) entry will not be applied if the host name portion of the entry does not match a resolved host name returned by a domain name server (DNS).
According to RFC-4343, resolved host names returned from a DNS should be compared in a case-insensitive manner.
The Universal Agent logic that selects ACL entries by comparing host names is currently doing a case-sensitive comparison. This means that entries that should be applied for a particular host will be bypassed, mistakenly allowing or denying access to UA components.
To conform to RFC-4343, any host names compared during ACL entry processing will be treated in a case-insensitive manner.
...
Since the client is not aware of its external IP, it cannot report that to the Controller in the JSS-HELLO message. However, the external IP is known by the OMS server when a client connects. What was missing is the way to report that IP from the OMS server to the Controller.
However, OMS Server already has notification messages for client connection connection open/close events. The connection open event (destination=topic.oms.event.connection.open) already contains the “clientid” tag which carries the client’s queue name in the “ops.agent.AGENTID” format.
The new tag “clientip” was added into the event. Its value contains the IP address of the source of client connection to the OMS server. That value is the external IP of a client if it resides behind NAT.
New Central Licensing: UCAM
Backlog ID | Title | Description | |||||||
---|---|---|---|---|---|---|---|---|---|
B-10873 | UAG sending License Information to Ubroker | Ensure proper license processing for Universal Broker working for a pre-Universal Agent 6.9.0.0 environment and map local license keys, as defined in UCMD and UDM Manager components to the new license structure. This is mainly to avoid unnecessary communication between a Broker and the central license managemnt component. Once the Broker has received / Aquired the License key it will handle further license requirements locall on the Broker level. | |||||||
B-10874 | Start-up sequencing between Primary and Secondary z/OS UAGs | When a Primary agent starts, it will initialize normally (Like a non-Sysplex UAG). Additionally, it will broadcast an (internal) XCF message to all members connected to the UAG Sysplex Group. (A group that encompasses all Primary and Secondary agents in the Sysplex that share the same system_id value.) When a Secondary agent receives this message, it will reply to it. Once the Primary agent receives a reply, it will send another XCF message to the replying Secondary agent containing its license information. The Secondary agent will use this information to decide to start processing, or shut down. When a Secondary agent starts, it will initialize to the point where it can start to process. It will remain in a state where no tracking data of any kind will be processed. It will wait to be contacted by a Primary agent.
If a Primary shuts down after granting licenses to Secondary agents, all Secondary agents will return to their initial state, waiting to be contacted by the Primary. Secondaries will have to re-acquire a license when the Primary restarts. If the number of licenses has been reduced for any reason (or the number of Secondaries increased), some Secondaries will not receive a new license and will have to stop processing. Licenses are handed out by the Primary on a first come, first serve basis. In case a Secondary agent starts after the Primary agent, the Primary agent will detect the startup and broadcast the same XCF message it broadcast on startup. Processing will then proceed as described above. (Agents can detect the startup, and shutdown, of any agent in their group through XCF events that are sent to all agents connected to the group.)
| |||||||
B-11515 | Ubroker receives UAG license Information | Implementation allows Ubroker to receive the new license information in the new MSID_BROKER_LICENSE command from the broker interface IPC. Message issued upon reception of license Information:
When GA, the above message will contain the details of the license key received. | B-11518 | Distribute License key, to UAC (SOA conector) when needed | B-11519 | UAGSRV: Receive new license parameters in HELLO message response | |||
Tag | Type | Description | |||||||
LICCUSTOMER | String buffer | Licensed customer name | |||||||
LICEXPIREDATE | String representation of 64-bit unsigned integer | Expiration date (TBD) | |||||||
LICDISTAGENTS | String representation of 32-bit unsigned integer | Number of distributed agents | |||||||
LICZOSAGENTS | String representation of 32-bit unsigned integer | Number of z/OS agents | |||||||
LICZOSSECAGENTS | String representation of 32-bit unsigned integer | Number of z/OS secondary agents | |||||||
LICUSAP | String representation of 32-bit unsigned integer | Number of USAP connections granted by the license | |||||||
LICUPPS | String representation of 32-bit unsigned integer | Number of UPPS connections granted to the agent. | |||||||
LICSOA | String representation of 32-bit unsigned integer | A value that indicates which Web service protocols/endpoints the SOA connector may use/connect to, from the following:
| |||||||
REGISTERED | “YES”/”NO”, or “TRUE”/”FALSE” | Flag indicating whether the agent is successfully registered and the license was granted. | |||||||
B-11543 | Enforce startup order of autostart components so that OMS & UAG start first | Starting with Universal Agent 6.9.0.0, all licensing can, optionally, be handled by Universal Controller for Agent Management Prior to 6.9.0.0 licenses for individual agent components were stored in their respective configuration files. Aside from verifying that the license information was valid (i.e., the individual license parameters were capable of generating a key at runtime that matched the configured license key) To ensure proper startup behavior, the UA components responsible to obtaining license information (manager components) from the Controller must be started in an orderly fashion. Specifically, an OMS Server must exist to enable message exchange between the Central license management and Agent. OMS Server does not need to run on every Agent installation, but it must start first for those agents that do have it set to auto start. Next, a UAG Server must start to register with the Controller and receive the license information. All agents must now execute a UAG Server that connects to an OMS Server (B-11845), and that UAG Server must start before the Broker can proceed with its startup. After OMS Server (if necessary) and UAG Server start – and valid license information is available to the Universal Broker – the order in which the Broker starts remaining auto-start components is not important. | |||||||
B-11544 | Ensure that Universal Broker does not open any local Service Interfaces until license Information is received | At this stage the license received from the Controller by UAG and passed to the Broker. The Broker saves the information and allows the UCMD/UDM component startup only in case if the license was received and the agent is allowed to execute jobs. Also, the current license information on the broker side is available for display in the UQUERY output. In case if UAG did not pass the license to the Controller for any reason (UAG is not connected to OMS, Controller unavailable, etc), the broker will refuse to start UDM or UCMD component with the following error: UNV3354E [1000000001] Error starting component ucmd for client 127.0.0.1:61830: CPMStartComponent, 25, License for running this component was not acquired 2020.06.24 15.48.45.455 UNV3385W [1000000001] Manager component ucmd 1593002837 (PID20045) ended with non-zero exit code 202 (000000CA). | |||||||
B-11546 | Universal Broker to refresh local license Info with UCTRL | The Universal Control (UCTL) utility must not cause Universal Controller-obtained license information that is cached within Universal Broker to be replaced with locally-configured license information during a configuration refresh. The Universal Broker is responsible for responding to a UCTL configuration refresh request (i.e., UCTL -refresh). In its response handling, the Broker re-reads all configuration files and stores the information in its cached configuration information. When this occurs, it is not possible to prevent the Broker from re-reading and re-caching any locally-configured license information that may exist in the configuration files. However, it is possible – and necessary – to prevent the re-cached license information from being applied and enforced against license information obtained from Universal Controller. To enforce the requirement, the Broker must cache license information separately from the configuration file cache. The Broker must know the source of the license information in that separate cache. Finally, the Broker must know when license acquisition is complete, and the source of the license information to enforce is resolved. At startup, the Universal Broker always caches any locally-configured license information and maps that information to the new license parameters. This new licensing information is stored in a cache that is separate from the cache used for local configuration files. At the point where license information is merely mapped and cached, the Broker considers the license to be un-acquired (i.e., the license’s source has not been fully resolved). The Broker knows it has cached local license information, but won’t enforce that information until license acquisition completes. The Universal Broker will allow any cached, locally-configured license information to be refreshed while the license is un-acquired. The idea behind this implementation is to ensure no stale data exists when the Broker resolves the license source to use locally-configured information. If the Broker completes license acquisition and determines that locally-configured license information should be used, that Broker will allow that information to be refreshed at any time and it will enforce the refreshed information. If, at any point during its life, the Broker receives notification that UAG Server successfully connected to Universal Controller and received a 6.9.0.0 or later license, only that remote license information will be used. To prevent a UCTL refresh from overlaying this information, the Broker changes the license source from local to remote. The function within the Broker that handles the license configuration refresh sees that a remote license is being used and will immediately exit. This ensures that after a remote license is acquired, the Broker never allows a UCTL refresh to update the cached license information again. There is no situation in which a Broker will “fall-back” to using locally-configured license information after it acquires a UC 6.9.0.0 or later license. No combination of UCTL refreshes or UAG Server activity will allow remote license information to be replaced with local information. | |||||||
B-11552 | Implementation USAP licensing based on results of B-11521 | Special Handling for USAP/UPPS Licensing Licensed execution of the Universal Connector for SAP (USAP) and Universal Connector for PeopleSoft Process Scheduler (UPPS) will be enforced using a value that represents the number of concurrent connections any USAP or UPPS component executing on behalf of a licensed agent may use at one time. Every agent as of UA 6.9.0.0, that connects to a Universal Controller 6.9.0.0 or later will receive the SAP and PeopleSoft connections that are included with the Controller’s license. The UAG Server is responsible for providing this information to its Universal Broker, which is then responsible for providing the values to the USAP and UPPS components. USAP and UPPS are responsible for defining what constitutes a unique connection. USAP and UPPS are responsible for ensuring that the number of unique connections in use at any given time do not exceed the value provided by the license. Sample Suppose that a customer purchases a license that permits 5 SAP connections. This customer has 2 6.9.0.0 Universal Agents. Each agent will receive this value (5). A USAP instance running on either agent will be permitted to use 5 unique SAP connections at the same time. An attempt to create a 6th unique connection while the other 5 are in use will fail. | |||||||
B-11551 | Implementation UPPS licensing based on results of B-11520 | Legacy licenses did not allow to limit the connections number made by upps, i.e. the number was unlimited. The new license sends the maximum connections allowed by the license to the broker, which must keep track of all active connections and allow/reject any new connections depending on how many connections are currently active. A “connection” for UPPS is defined as the PeopleSoft Connector’s Endpoint . The license restricts the number of simultaneous unique connections performed by UPPS, meaning that the numer of sessions to the same PeopleSoft Endpoint is unlimited. | |||||||
B-11553 | Implement USOA licensing depending on results of B-11522 | The Universal Connector for SOA (USOA) is an optional agent component that executes Web services using one of the five connection protocols or endpoints:
All that USOA needs to know is whether or not the customer purchased a license that permits Web service execution using one of the supported protocols/endpoints. Because there is no requirement for the agent to request any USOA-specific license information from the Controller, no updates to the HELLO message are needed to support USOA’s new licensing implementation. The protocols/endpoints the customer is permitted to execute will be sent via parameters in the HELLO message response. The Universal Broker will forward the value of these parameters to USOA, which is responsible for managing Web service execution based on the values it receives. | |||||||
B-11917 | Universal Broker to check license expiration once a day | A 6.9.0.0 Universal Agent receives license information upon receipt of a UC 6.9.0.0’s HELLO message response The Universal Broker receives the license information from UAG Server The Universal Broker converts the expiration date to local time. Universal Controller licenses expire at 23:59:59 UTC The first expiration check occurs at this time, converted to local time. After the first expiration check, subsequent checks occur at 24 hour intervals. Expiration notices begin 30 days prior to the expiration date. The Universal Broker sends the expiration date to licensed components upon local registration. Each licensed component will report an expired license at startup. When a 6.9.0.0 Universal Agent (UA) connects to a 6.9.0.0 UACM(via UAG Server and OMS) it will receive license information during the HELLO message/response exchange that occurs at UAG Server startup. UC has always maintained its own license information, but in 6.9.0.0 the information it maintains is expanded to control UA licensing. This single set of license information allows the Agent to manage licensing for all of its components and eliminates the need to have licenses stored in local configuration files. UA receives a single license expiration date from the Controller and applies that expiration date to all licensed components. Although UAG Server is the direct recipient of this license information the Universal Broker is the final keeper of it, given its traditional role as owner of an agent’s local configuration. As a long-running process, the Universal Broker must implement a daily check on the license’s expiration date. Starting 30 days prior to a license’s expiration, the Broker will issue the following message when it performs its periodic check on the license: UNV0130W [] Product license expires in nn day(s). Contact Stonebranch, Inc. for license renewal. Individual licensed components will also display this message at startup. When the expiration date elapses, the Broker must ensure that no new work can start on that Universal Agent instance. The Broker and any auto-started components will continue to run, but will fail upon a check of the license’s expiration date. When a license expires, you can expect to see the following message in the Broker log and from licensed components: UNV0129E [] License is expired. Contact Stonebranch, Inc. for license renewal. Expired licenses can still be considered to be valid. Validity and expiration are handled and reported differently. Universal Agents that connect to Universal Controller whose license is expired will still receive a HELLO response. The Agent will be granted the license, provided the number of licensed agents is not exceeded. Universal Agents do not change state when a UACM license expires. Any “online” Agents will continue to show online after the license expires. However, when a UCAM license expires, it will enter a paused state, which will prevent any Universal Agent task execution. After a new license is applied, you must select the UACM Server Operations option and execute the Resume Cluster Node task12811 | Make UBROKER and components (UAG UDM UCMD...) XCF REALLOCATE aware/compatible | Implementation of the required changes to fully support compatibility to XCF reallocate process. This support comes in two basic parts:
XCF events are asynchronous notifications sent to each connector to a structure indicating the state of the structure, the CF and the connection. For example, events occur when users connect to - or disconnect from, the structure, or when failures occur in the structure the CF or the connection to it. System Managed Rebuild will result in (up to) five events. “Structure Temporarily Unavailable”, “Structure State Change”, “Structure Available” and “Alter Begin” and “Alter End”.
| |||||
B-06093 | UAGSRV tracing enhancements | Improved Tracing capabilities for SMF Exits | |||||||
B-11538 | zOS UAGSRV: Extended "Cancel Job" support for jobs running on any Sysplex node | The Problem
The Solution UAG for z/OS tracks internally which system a job is executing on. When a Task Cancel request is received by a Primary UAG for a job which is not executing on the same system as the Primary UAG, the Task Cancel request will be forwarded to the system on which the job is executing. (Note this only works if the job has started execution and the Primary UAG has received the notification thereof.) UAG has been extended to capture and save the address space ID of the submitted job. When a Task Cancel request is received, the address space ID is added to the CANCEL command to uniquely identify the job/address space to be cancelled. | |||||||
B-07134 | UAG File Monitor on z/OS should return an error when attempting to use features not supported | z/OS File Monitor enhancements for better supporting Sysplex secondary Agents and allowing Error based handling when non supported Features are being used. As the primary Agent is, and will remain, the only Agent connected to a Controller and receive workload from a controller, a change has been implemented that will ensure that relevant File Monitors will be made available from the primary to any secondary Agent within the PLEX. That will ensure that any of the secondary Agents can also handle relevant file activity in case it is happening on a secondary Agent. After a secondary Agents has started, and received his license, a file monitor synchronization process will be initiated by the primary Agent to allow triggering the file activity across the PLEX. | |||||||
B-11537 | zOS UAGSRV: Extend file monitor support for secondary agents in a sysplex environment |
Universal Agent Password Handling Extensions
ID | Title | Description |
B-10365 | Add support to UDM scripts for passwords with certain special characters =+-" | In order to support extended UTF-8 characters (those that translate into multibyte sequences) the passwords are internally translated from UTF-8 to UTF-16 and Unicode-aware version of the logon function is now being used for user authentication. This allows to use any extended unicode character to be used in user names and passwords. Since the change was introduced in the common code for UDM, UCMD and UAG, it added support for those unicode characters not only for UDM, but for UCMD and UAG as well. There are no changes in behavior of UDM, UCMD and UAG as result of this change except for support of extended characters in user names and passwords. |
B-12882 | update configuration parsing routines to handle password with all supported characters | |
B-12884 | Allow passwords with any characters to be specified in a udm script |
UFTP Separation Connection and Transfer Logic
ID | Title | Description |
B-11141 | UFTP (SFTP Protocol) - Separate Connection from Transfer Logic | For the respective protocols, the Return-codes are categorized in 3 different, internal, groups 1.) XP_EXIT_ERROR (1002) This generally includes any transfer error. The client should end unsuccessfully with exit code 1002 2.) XP_EXIT_NETWORK (1024) This error Code describes network issues that are encountered while a file transfer processing The client should end unsuccessfully with exit code 1024 3.) XP_EXIT_SECURITY (1023) This error generally occurs with authentication problems. The client should end unsuccessfully with exit code 1023 Any results provided will be mapped to the Windows or Linux Exit-Code field to allow Job Status to be set accordingly. |
B-11140 | UFTP (FTP & FTPS Protocol) - Separate Connection from Transfer Logic | |
B-09713 | UFTP - Add support for timestamps on UNV stdout/stderr messages | In Order to synchronize messaging structure, UFTP is enhanced to allow the same or similar timestamp settings as other components to enhance Messages produced for STDout and STDerr. |
SSL Default Changes
ID | Title | Description |
B-12442 | UAG Remove enable SSL from configuration and installs | Necessary changes based on vulnerability findings in the 2020 Audit performed by SECUVERA. |
B-12368 | UAG change default for enable SSL to YES |
Summary of UIP-Related Items to Strengthen Integration and Orchestration Capabilities
ID | Title | Description |
E-01561 | Universal Agent feature & Function for creating and delivering the Universal Integration Platform | Allow UA Extension to become the new standard for deploying downstream integration Solutions to applications. |