
The article discusses different deployment architecture scenarios for scaling Xton Access Manager (XTAM) using multiple Job Engine components.

XTAM Job Engine Deployment Architecture

XTAM uses Job Engine components to automate scripts executed on managed servers and endpoints. Such scripts include password resets, removing accounts from the local Administrators group on Windows computers, and privileged account discovery. The XTAM WEB Application manages the policies and rules that define when and which scripts are executed on which servers. The Job Engine component actually executes the script and passes the result back to the XTAM Vault.

Each Job Engine component can execute multiple scripts in parallel on several different servers using several threads (configured on the Administration / Settings screen). However, in some cases it is desirable to scale script execution even further, or to target servers in isolated networks.

Component Architecture

XTAM consists of several components. When XTAM is deployed on a single host, all components are installed on the same server and communicate with each other within that server. One of these components is the Job Engine. The Job Engine connects to the central XTAM Vault either through the shared database or directly over HTTPS; more on this later. The Job Engine executes jobs from the job queue on remote managed servers and updates the job queue with the results.

Figure: XTAM component architecture

The Job Engine can be installed on a host other than the main XTAM WEB Application to improve job execution performance or to target servers in networks unreachable by the XTAM WEB Application. In that case the Job Engine must be instructed to use the XTAM WEB Application to access the job queue. There are several scenarios for connecting a Job Engine to the XTAM WEB Application, each targeting a slightly different use case and requiring a slightly different configuration.

Use Cases for Job Engine Deployment

1. Local Job Engines sharing a database with the WEB Application.

In this scenario, multiple job engines are installed on different computers connected to the same database shared with the XTAM WEB Application. This setup improves job execution performance, with multiple job engines executing jobs from the same queue on servers simultaneously. XTAM balances job execution between the job engines, but any job engine can execute any job from the queue.

Figure: XTAM Job Engine local deployment

Configuration for the Local Job Engine setup assumes that the XTAM server is installed and operating with an external database.

To add a new Local Job Engine, run XTAM setup on a qualified computer, select only the Worker process to install (do not select Database) and connect to the database on the setup screen when prompted. After the installation, the new local job engine will start processing jobs from the job queue, reducing the load on the other job engine nodes.

2. Remote Job Engines operating in isolated networks.

In this scenario the Job Engine is installed inside an isolated network that cannot be reached directly from the XTAM WEB Application. In this setup the Job Engine connects to the WEB Application with a specially created service account, using the XTAM API over the standard HTTP(S) protocol. The job engine then processes only those records from the job queue that the specified service account has access to. This way system administrators can designate certain records for specific job engines to process.

Figure: XTAM Job Engine remote deployment

Configuration for the Remote Job Engine setup assumes that the XTAM server is installed and operating.

To start configuring a remote job engine, add a service account in Administration / Local Users to identify the new remote job engine. Assign the Service role to this account on the Administration / Global Roles screen. Grant job execute permissions to the service account for the records that should be served by this remote job engine.

To add a new Remote Job Engine in an isolated network, run XTAM setup on a qualified computer and select both Database and Worker process to install. Make sure that the XTAM WEB Application is accessible from the remote job engine computer using the WEB GUI. Connect the newly installed remote job engine to the XTAM Server using the following command, executed from the $XTAM_HOME folder:

Windows:

bin\PamDirectory.cmd XTConnect web {xtam.server} {xtam.user} {xtam.password}

Linux:

bin/PamDirectory.sh XTConnect web {xtam.server} {xtam.user} {xtam.password}

Where

{xtam.server} is the URL of the XTAM WEB Application (such as https://xtam.company.com/xtam)

{xtam.user} is the service account designated for this remote job engine

{xtam.password} is the service account password (or a dash to make the command prompt for the password instead of taking it from the command line)

After configuration, the remote job engine will start monitoring the job queue and executing the jobs designated for it on the servers in the isolated network.
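Example added here (not the article's or Xton's code): a small POSIX shell wrapper for the remote job engine connection step above. It refuses a non-HTTPS server URL, checks that the WEB Application is reachable from the isolated network before connecting, and always passes a dash so the service account password is prompted for rather than placed on the command line. The script file name and the service account name svc-jobengine are assumptions; $XTAM_HOME is the install folder named in the article.

```shell
#!/bin/sh
# Added example, not part of the XTAM product or this article: a preflight
# wrapper around the XTConnect step for a new remote job engine (Linux host).
# Assumes $XTAM_HOME is the install folder and that the service account
# (xtam.user) has already been created, given the Service role and granted
# job execute permissions on the records it should serve.
set -u

# Accept only an https:// URL for the XTAM WEB Application so the service
# account credentials are never sent over plaintext HTTP.
check_server_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS server URL: $1" >&2; return 1 ;;
  esac
}

# Arguments for PamDirectory. The password is always a dash so the command
# prompts for it rather than exposing it in argv, process lists and history.
xtconnect_args() {
  echo "XTConnect web $1 $2 -"
}

# Confirm the WEB Application answers from inside the isolated network,
# as the article requires, before trying to connect the job engine.
check_reachable() {
  curl -fsSL -o /dev/null --max-time 10 "$1"
}

connect_remote_job_engine() {
  server="$1"; user="$2"
  check_server_url "$server" || return 1
  [ -x "$XTAM_HOME/bin/PamDirectory.sh" ] || {
    echo "bin/PamDirectory.sh not found under $XTAM_HOME" >&2; return 1; }
  check_reachable "$server" || { echo "cannot reach $server" >&2; return 1; }
  # Run from $XTAM_HOME, as the article instructs; word-splitting the
  # argument string is intended here (none of the values contain spaces).
  cd "$XTAM_HOME" && bin/PamDirectory.sh $(xtconnect_args "$server" "$user")
}

# Usage: sh connect-job-engine.sh https://xtam.company.com/xtam svc-jobengine
if [ $# -eq 2 ]; then
  connect_remote_job_engine "$1" "$2"
fi
```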

3. Hybrid setup.

It is possible to use multiple job engine nodes connected using the different setups described above. The Remote Job Engine configuration can also be used to limit the scope of jobs taken from the job queue, even for networks that are reachable from the central XTAM WEB Application.

It is also possible to grant a service account access to all records in the vault, so that the remote job engine is used simply to improve the overall performance of job queue execution.


Mark Klinchin

I am Co-Founder and CEO of Xton Technologies. I am interested in computers, software development, cyber security, content management, photography, image processing and mathematics.


Copyright © 2018 Xton Technologies, LLC. All rights reserved.