Starting Universal Broker - Windows
Overview
Universal Broker can be executed in two different environments:
- Console application
- Windows service
Console Application
The ubroker command starts Universal Broker as a console application.
Enter ubroker either from the:
- Command Prompt window
- Run dialog (Select Run... from the Windows Start menu.)
Console Security
Universal Broker inherits its user account from the user that starts it. The Broker itself does not require any additional permissions or rights other than the default ones granted to the Windows group user.
However, components started by the Broker also run with the same user account as the Broker. Some components may require permissions or rights other than those granted to the user account that started the Broker.
For additional information regarding the security requirements of Universal Broker and all Universal Agent components, see Universal Agent Security.
Windows Service
Universal Broker is installed as a Windows service that starts automatically when the system is started. Windows provides a utility called Services that is used to interact with and manage all installed services. Services is an item in the Administrative Tools program group, which is accessible from the Control Panel.
Service Security
The Universal Broker service can be configured to execute with the Local System account or with a specially configured Administrative account. The Local System account automatically provides the permissions necessary to execute the Broker.
An administrative account must have the following privileges to execute the Broker:
- Act as part of the operating system
- Adjust memory quotas for a process
- Bypass traverse checking
- Debug programs
- Log on as a service
- Impersonate a client after authentication
- Increase scheduling priority
- Replace a process level token
- Take ownership of files and other objects
To restrict interactive access by the account to the system, we also recommend adding the following policies:
- Deny log on as batch job
- Deny log on locally
- Deny log on through Terminal Services
Any existing Administrative account may be configured as described above to execute the Broker. The Universal Agent install also provides the ability to create and configure an Administrative account with the privileges above.
Configuring the Broker to run with an Administrative account not only allows the service to execute with just the privileges it needs, it also enables the Broker service to access network resources it would not have visibility to while executing as Local System.
Required File System Permissions
It may be necessary to update the Broker account's access to the Universal Agent installed directories and files. If the product is installed to its default location under the Program Files directory, the local Administrative account used to execute the Broker (such as the default UBrokerService account) will likely get the file system access it needs via permissions inherited from parent directories.
However, if the application is installed to a location outside of the Program Files path - or a domain account is used to execute the Broker Service - the required file system permissions may need to be added after the install.
The recommended approach is to grant the Broker service account Full Control of the following directories, making sure that the permissions are propagated to all sub-directories and files:
- .\Universal install directory.
- %ALLUSERSPROFILE%\Application Data\Universal directory, which is the parent directory of the .\conf and .\comp directories in which the configuration files and component definition files reside, respectively.
Full control is recommended because of the varied requirements and configurations possible with the Universal Agent components. However, should you desire a more precise configuration, the Broker user only requires Read/Execute permissions for the following directories, along with their sub-directories and files:
- .\Universal\nls
- .\Universal\UCmdMgr
- .\Universal\UCtlMgr
- .\Universal\UDMMgr
- .\Universal\UEld
- .\Universal\UEMMgr
- .\Universal\UPIMerge
- .\Universal\UQuery
- .\Universal\USpool
Note
The Universal Agent installation itself does not set the required file permissions for the Broker user. It only relies on permissions inherited from parent directories.
Executing the Broker Service With a Domain Account
The Universal Broker service may be configured to run with a Windows domain account.
To do so, verify the following before starting the installation (the Universal Agent install will not configure a domain account):
- Account already exists.
Account belongs to the Administrators group.
Note
Depending on your environment, it may be necessary to add this account to the Domain Admins group. This will ensure the account has sufficient access to domain resources and is recognized as a true administrative account on all domain member systems that run the Universal Broker service as that account.
- Account has the privileges and file system permissions listed above.
Options
Option Name | Description |
COMMAND | Command to execute for the ubrokerd daemon:
|
Overrides the AGENT_CLUSTERS option in the UAG configuration file. A list of one or more comma-separated agent clusters defined in the Universal Controller that the Agent should join. | |
| -uag_transient | Overrides the TRANSIENT option in the UAG Server configuration file.
If this option is omitted, the value specified for the TRANSIENT option in the UAG Server config file controls start-up behavior. |
| -uag_netname | Overrides the network ID of Universal Automation Center Agent (UAG) in the NETNAME UAG configuration option. UAG Server will use this ID when connecting to a Universal Controller. If the NETNAME value is OPSAUTOCONF (the default), and the UAG Server already has connected to a Universal Controller, the qname value that holds the UAG Server's assigned netname must be deleted before it can be overridden by this option. |
| -uag_oms_servers | Overrides the values in the OMS_SERVERS UAG configuration option. A list of one or more OMS Servers to which this Agent will connect. |
| -uag_autostart | Overrides the AUTOMATICALLY_START option in the UAG Server component definition.
If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior. |
| -uag_extension_accept_list | Overrides the EXTENSION_ACCEPT_LIST option in the UAG configuration file. Specifies a list of Universal Extensions that the Agent will accept via auto-deployment from Universal Controller. The list consists of one or more comma-separated Extension names.
|
| -uag_extension_cancel_timeout | Overrides the EXTENSION_CANCEL_TIMEOUT option in the UAG configuration file. Specifies the amount of time that an Extension process will be allowed to run following a Cancel message being received from the Controller. If the Extension process is still running after the extension_cancel_timeout expires, UAG will forcibly terminate the process. The format of the value is nnnn[s|m|h|d], where nnnn is a numeric value and [s|m|h|d] is one of the following optional unit specifiers:
|
| -uag_extension_deploy_on_registration | Overrides the EXTENSION_DEPLOY_ON_REGISTRATION option in the UAG configuration file. Controls Extension deployment behavior from Universal Controller.
|
| -uag_extension_python_list | Overrides the EXTENSION_PYTHON_LIST option in the UAG configuration file. Specifies a comma-separated list of zero or more Python locations. Each item in the list is expected to contain a complete path to a Python executable. |
| -oms_autostart | Overrides the AUTOMATICALLY_START option in the OMS Server component definition file.
If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior. |
| -uem_autostart | Overrides the AUTOMATICALLY_START option in the UEM definition file.
If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior. |
| h | Display program usage. |