Overview

Universal Broker can be executed in two different environments:

Console application
Windows service

Console Application

The ubroker command starts Universal Broker as a console application.

Enter ubroker either from the:

Command Prompt window
Run dialog (Select Run... from the Windows Start menu.)

Console Security

Universal Broker inherits its user account from the user that starts it. The Broker itself does not require any additional permissions or rights other than the default ones granted to the Windows group user.

However, components started by the Broker also run with the same user account as the Broker. Some components may require permissions or rights other than those granted to the user account that started the Broker.

For additional information regarding the security requirements of Universal Broker and all Universal Agent components, see Universal Agent Security.

Windows Service

Universal Broker is installed as a Windows service that starts automatically when the system is started. Windows provides a utility called Services that is used to interact with and manage all installed services. Services is an item in the Administrative Tools program group, which is accessible from the Control Panel.

Service Security

The Universal Broker service can be configured to execute with the Local System account or with a specially configured Administrative account. The Local System account automatically provides the permissions necessary to execute the Broker.

An administrative account must have the following privileges to execute the Broker:

Act as part of the operating system
Adjust memory quotas for a process
Bypass traverse checking
Debug programs
Log on as a service
Impersonate a client after authentication
Increase scheduling priority
Replace a process level token
Take ownership of files and other objects

To restrict interactive access by the account to the system, we also recommend adding the following policies:

Deny log on as batch job
Deny log on locally
Deny log on through Terminal Services

Any existing Administrative account may be configured as described above to execute the Broker. The Universal Agent install also provides the ability to create and configure an Administrative account with the privileges above.

Configuring the Broker to run with an Administrative account not only allows the service to execute with just the privileges it needs, it also enables the Broker service to access network resources it would not have visibility to while executing as Local System.

Required File System Permissions

It may be necessary to update the Broker account's access to the Universal Agent installed directories and files. If the product is installed to its default location under the Program Files directory, the local Administrative account used to execute the Broker (such as the default UBrokerService account) will likely get the file system access it needs via permissions inherited from parent directories.

However, if the application is installed to a location outside of the Program Files path - or a domain account is used to execute the Broker Service - the required file system permissions may need to be added after the install.

The recommended approach is to grant the Broker service account Full Control of the following directories, making sure that the permissions are propagated to all sub-directories and files:

.\Universal install directory.
%ALLUSERSPROFILE%\Application Data\Universal directory, which is the parent directory of the .\conf and .\comp directories in which the configuration files and component definition files reside, respectively.

Full control is recommended because of the varied requirements and configurations possible with the Universal Agent components. However, should you desire a more precise configuration, the Broker user only requires Read/Execute permissions for the following directories, along with their sub-directories and files:

.\Universal\nls
.\Universal\UCmdMgr
.\Universal\UCtlMgr
.\Universal\UDMMgr
.\Universal\UEld
.\Universal\UEMMgr
.\Universal\UPIMerge
.\Universal\UQuery
.\Universal\USpool

Note

The Universal Agent installation itself does not set the required file permissions for the Broker user. It only relies on permissions inherited from parent directories.

Executing the Broker Service With a Domain Account

The Universal Broker service may be configured to run with a Windows domain account.

To do so, verify the following before starting the installation (the Universal Agent install will not configure a domain account):

Account already exists.
Account belongs to the Administrators group.
Note

Depending on your environment, it may be necessary to add this account to the Domain Admins group. This will ensure the account has sufficient access to domain resources and is recognized as a true administrative account on all domain member systems that run the Universal Broker service as that account.
Account has the privileges and file system permissions listed above.

Options

Option Name	Description
COMMAND	Command to execute for the ubrokerd daemon: start Start the ubrokerd daemon. stop Stop the ubrokerd daemon. restart Stop/start the ubrokerd daemon. status Query the ubrokerd daemon status.
-uag_agent_clusters	Overrides the AGENT_CLUSTERS option in the UAG configuration file. A list of one or more comma-separated agent clusters defined in the Universal Controller that the Agent should join.
-uag_transient	Overrides the TRANSIENT option in the UAG Server configuration file. If yes, UAG Server will register with the Controller as a transient agent, and un-register from the Controller automatically when going offline. If no, UAG Server will NOT enable the transient option. If this option is omitted, the value specified for the TRANSIENT option in the UAG Server config file controls start-up behavior.
-uag_netname	Overrides the network ID of Universal Automation Center Agent (UAG) in the NETNAME UAG configuration option. UAG Server will use this ID when connecting to a Universal Controller. If the NETNAME value is OPSAUTOCONF (the default), and the UAG Server already has connected to a Universal Controller, the qname value that holds the UAG Server's assigned netname must be deleted before it can be overridden by this option.
-uag_oms_servers	Overrides the values in the OMS_SERVERS UAG configuration option. A list of one or more OMS Servers to which this Agent will connect.
-uag_autostart	Overrides the AUTOMATICALLY_START option in the UAG Server component definition. If yes, OMS Server will start automatically at Universal Broker start-up, regardless of the value specified in the component definition file. If no, OMS Server will not start when the Universal Broker starts, regardless of the value specified in the component definition file. If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior.
-uag_extension_accept_list	Overrides the EXTENSION_ACCEPT_LIST option in the UAG configuration file. Specifies a list of Universal Extensions that the Agent will accept via auto-deployment from Universal Controller. The list consists of one or more comma-separated Extension names. A single value of * indicates that all extensions are accepted. A single value of none indicates that no extensions are accepted.
-uag_extension_cancel_timeout	Overrides the EXTENSION_CANCEL_TIMEOUT option in the UAG configuration file. Specifies the amount of time that an Extension process will be allowed to run following a Cancel message being received from the Controller. If the Extension process is still running after the extension_cancel_timeout expires, UAG will forcibly terminate the process. The format of the value is nnnn[s\|m\|h\|d], where nnnn is a numeric value and [s\|m\|h\|d] is one of the following optional unit specifiers: s - seconds (default) m - minutes h - hours d - days
-uag_extension_deploy_on_registration	Overrides the EXTENSION_DEPLOY_ON_REGISTRATION option in the UAG configuration file. Controls Extension deployment behavior from Universal Controller. If yes, the Controller will preemptively deploy all extensions acceptable by UAG. If no, the Controller will only send Extension modules as needed (on demand).
-uag_extension_python_list	Overrides the EXTENSION_PYTHON_LIST option in the UAG configuration file. Specifies a comma-separated list of zero or more Python locations. Each item in the list is expected to contain a complete path to a Python executable.
-oms_autostart	Overrides the AUTOMATICALLY_START option in the OMS Server component definition file. If yes, OMS Server will start automatically at Universal Broker start-up, regardless of the value specified in the component definition file. If no, OMS Server will not start when the Universal Broker starts, regardless of the value specified in the component definition file. If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior.
-uem_autostart	Overrides the AUTOMATICALLY_START option in the UEM definition file. If yes, UEM Server will start automatically at Universal Broker startup, regardless of the value specified in the component definition file. If no, UEM Server will not start when the Universal Broker starts, regardless of the value specified in the component definition file. If this option is omitted, the value specified in AUTOMATICALLY_START controls start-up behavior.
h	Display program usage.

Browser not supported