Agents
Use the Agents page to manage the following types of DDC agents:
DDC Standard Agents: Manage using the Standard Agents tab.
DDC ML Agents: Manage using the Machine Learning Agents tab.
See DDC agents to learn how to install DDC agents.
The Agents page allows you to:
View a list of all available agents. See Viewing list of agents.
Edit the agent information. See Editing agent information.
Manage the agent's labels. See Managing agent labels.
View the agent's time difference information. See Agent time difference information.
To access the Agents page, click Data Stores > Agents.
Viewing list of agents
The Agents page lists all available agents on the Standard Agents and Machine Learning Agents tabs. After a server restart, the list might take a moment to populate.
The page shows the following information about the installed agents:
Header | Description |
---|---|
Agent Name | Name of the agent (automatically assigned). |
Operating System | Operating system on which the agent is running. |
Version | Agent version from among the supported agent platforms (for example, Linux 2.3). |
Connection IP | The IP address of the agent. |
Status | The status of the agent - "Connected" or "Not connected". |
Data Stores | The number of data stores that the agent is associated with. NOTE: Modifying data store settings after assigning an agent might trigger a new agent search. If multiple compatible agents are available, the same agent isn't guaranteed to be re-selected. |
Labels | The number of labels assigned to the agent. |
Local Storage Only | When this option is enabled, the agent can only be used with Local Storage data stores. When disabled (default), the agent can be used as a proxy and can be associated with other data stores (in the same network). NOTE: Disabling a currently used agent prevents it from being selected for new data stores, but does not affect its behavior in the existing data stores. |
Note
The agents are shown in any domain. The Local Storage Only option is managed independently of the domain; that is, you can have an agent with the Local Storage Only option enabled in Domain A, and the same agent with the Local Storage Only option disabled in Domain B.
Use the Search box to search for an agent. Search results display agents that contain the specified text in their names. By default, agents are listed in ascending alphabetic order of their names.
Editing agent information
You can edit agent information only for Standard Agents.
In the Standard Agents tab, click the ellipsis icon for the selected agent.
Click the View/Edit option that is displayed in the context menu.
The Standard Agent details screen displays. It shows the same information as the main Agents screen, split into the GENERAL and LABELS sections.
Modify the agent information as desired and click Save Changes.
Managing agent labels
You can add or edit labels only for Standard Agents.
A label marks an agent with its special features, such as its data store scanning capabilities and scanning performance.
For example, you could label an agent "Oracle" if it's set up to scan Oracle databases, or "Critical" if it's dedicated to highly sensitive data stores.
There are no predefined labels, but you can make custom labels as needed. After a custom label is created, it cannot be modified. However, you can assign new labels to the agent. An agent can have multiple labels. Agent labels can only be created in the Labels section inside the agents.
To add or edit the labels for an agent:
In the Standard Agents tab, click the ellipsis icon for the selected agent.
Click the View/Edit option.
Modify the agent labels as desired (add or remove) and click Save Changes.
Note
Editing an agent's labels changes which data stores can automatically select it. Adding a label makes that agent available to any data store configured with the same label.
Refer to the Mitigating security risks section to learn how to use agent labels to enhance the security of your environment.
Agent time difference information
When there is a time difference between the scanner service (where CM is deployed) and the agent machine (where the agent is installed), a clock icon is shown with the difference, always expressed in seconds:
Icon | Description |
---|---|
(clock icon) | Warning shown when the time is behind the CM clock. |
(clock icon) | Warning shown when the time is ahead of the CM clock. |
Tip
When the date/time has been changed on the agent machine, it's necessary to restart the agent service.
Warning
Be careful when launching a scan while there is a time difference between the scanner service and the agent machine. If the agent's clock is slower than the scanner service, then the scan will start at that time. Furthermore, it will also delay resuming a scan when using the auto-pause functionality.
Note
If your agent's system clock does not match a Cloud Data Store's clock, you may hit issues while adding the Cloud Data Store in DDC, so it is highly recommended to set up an NTP server to synchronize the clocks. This can be achieved in the following manner:
In CM, through Admin Settings > NTP.
For Windows agents, refer to: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-authoritative-time-server.
For RedHat / CentOS agents, refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_ntpd.
For Ubuntu agents, refer to: https://ubuntu.com/server/docs/network-ntp.
Automatic agent selection
DDC automatically selects agents to scan data stores. For data stores without an agent on the same host, a proxy agent is selected. The proxy DDC agent scans the data residing on the data store. The automatic agent selection process is triggered under the following conditions:
A new data store is added.
An existing data store is updated.
Labels on any associated agent are changed.
At the start of every scan execution (to ensure agents are valid and up to date).
Once the automatic agent selection process is triggered, the DDC server first identifies all the connected DDC agents and excludes any that are disconnected.
Note
To control the agents that can scan a particular data store:
Restrict access to the data store endpoint so that only the desired agents can reach it and other agents are blocked at the network or in the data store configuration.
Use labels, as indicated in the Managing agent labels section.
Agent selection for Local data store
For a Local data store, DDC selects an agent in this specific order:
Hostname Match: It looks for a DDC Agent whose hostname matches that of the data store.
IP Address Match: If no hostname matches, it then looks for an agent with a network interface whose IP address matches the data store's IP.
Failure: If neither of these conditions is met, the agent selection for that Local Data Store fails.
Agent selection for other types of Data Stores
For all other types of data stores, DDC follows a more detailed process:
Configuration Check: DDC considers the minimum and maximum number of agents configured for that data store.
Label Matching: It checks the labels associated with the data store. Any agent selected must have at least the same set of labels as the data store (it can have additional ones too).
Agent selection for existing data stores (Re-evaluating previously selected agents):
If this isn't the first time DDC is automatically selecting agents for this data store, it will first verify if the agents chosen in the previous execution are still suitable. They must:
Be connected to the DDC server.
Have the required set of labels.
Not have the "Local Storage Only" configuration attribute set.
Satisfy the minimum and maximum agent requirements.
The automatic agent selection succeeds if all conditions are met and at least the minimum number of DDC agents can connect to the data store endpoint. Otherwise, DDC runs the complete agent selection as if it were a newly added data store instance.
Agent selection for new data stores (if previous agents are not reachable or it is a new selection):
If this is the first selection for this data store (or if the previously selected agents don't meet all conditions), the DDC server will:
Iterate through all connected DDC agents.
For each agent, verify its suitability by checking whether:
It does not have the "Local Storage Only" configuration attribute set.
It has all the mandatory labels defined for the data store.
It can connect to the data store endpoint.
This iteration stops once the "maximum number of agents" that can connect has been found, or when there are no more agents left to try.
The automatic agent selection succeeds if at least the minimum number of DDC agents can connect to the data store endpoint. Otherwise, it fails.
Data store status
If agent selection for a data store is successful, DDC sets its status to Ready and includes it in the scan.
If DDC cannot find the required agents, it updates the data store status to Failed and that data store will not be included in the scan.
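The selection rules for non-Local data stores described above, modelled as an added example (this is not Thales code). The Agent and DataStore classes, their field names, the list-order iteration, and the reachable set standing in for the endpoint connectivity check are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Agent:
    name: str
    labels: frozenset = frozenset()
    connected: bool = True
    local_storage_only: bool = False
    reachable: frozenset = frozenset()  # endpoints this agent can connect to

@dataclass(frozen=True)
class DataStore:
    endpoint: str
    labels: frozenset = frozenset()
    min_agents: int = 1
    max_agents: int = 1
    previous: tuple = ()  # agent names chosen by the previous selection

def suitable(agent, ds):  # connected, not "Local Storage Only", label superset
    return agent.connected and not agent.local_storage_only and ds.labels <= agent.labels

def select_agents(ds, agents):  # -> (status, agent names) for a non-Local data store
    by_name = {a.name: a for a in agents}
    prev = [by_name.get(n) for n in ds.previous]
    # Re-evaluation: keep the previous agents only if every one still qualifies.
    if (prev and ds.min_agents <= len(prev) <= ds.max_agents
            and all(a is not None and suitable(a, ds) for a in prev)):
        kept = [a.name for a in prev if ds.endpoint in a.reachable]
        if len(kept) >= ds.min_agents:
            return "Ready", kept
    # Full selection: take suitable, reachable agents until the maximum is reached.
    chosen = []
    for a in agents:
        if len(chosen) < ds.max_agents and suitable(a, ds) and ds.endpoint in a.reachable:
            chosen.append(a.name)
    return ("Ready", chosen) if len(chosen) >= ds.min_agents else ("Failed", [])

# Constructed sample fleet and data store (hypothetical names, not real hosts).
EP = "oracle-db.example.internal:1521"
OC, R = frozenset({"Oracle", "Critical"}), frozenset({EP})
FLEET = [
    Agent("agent-a", OC, reachable=R),
    Agent("agent-b", frozenset({"Oracle"}), reachable=R),   # missing "Critical"
    Agent("agent-c", OC, local_storage_only=True, reachable=R),
    Agent("agent-d", OC, connected=False, reachable=R),
]
STORE = DataStore(EP, OC, min_agents=1, max_agents=2)

def add_label(agents, name, label):  # returns a copy of the fleet with one label added
    return [replace(a, labels=a.labels | {label}) if a.name == name else a for a in agents]
```

Calling select_agents(STORE, FLEET) selects only agent-a; after add_label(FLEET, "agent-b", "Critical") the same data store also accepts agent-b, which is why label changes on agents should be reviewed like access grants.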
Note
Instructions to install and configure DDC agents can be found in the Data Discovery and Classification deployment guide.
Port 11117 on the CipherTrust Manager appliance must be accessible from DDC agent hosts.
The data store endpoint needs to be accessible from DDC agent hosts.
Each data store type may require a specific DDC agent (Windows or Linux) to proxy requests. Refer to the Agent Compatibility Matrix to verify the required agent type for your data store.
The automatic agent selection algorithm considers DDC agents with "Local Storage Only" enabled only for Local Storage data stores. Refer to Viewing list of agents for details.