Securing Agent and TA Master connections

Each agent includes a Masters.cfg file that lets you strictly control which Tidal Automation Master instances can connect to the agent. To identify unique TA Masters to which the TA agent will create connections, specify:

  • TA Master alias

  • TA Master alias and a specific local TCP/IP address

  • TA Master alias, the specific local TCP/IP address, and a global TCP/IP address

You must create the Masters.cfg file in the agent’s local directory. This directory is in the install path of the agent and has the name of the agent as it was specified when the agent was defined, similar to the default location:

/opt/TIDAL/Agent/TidalAgent1

Restrict access to this file using the native access controls of the operating system, so that only the agent's service account and administrators can read or modify it.

About the Masters.cfg File

The Masters.cfg file uses the structure:

[INCLUDE/EXCLUDE]

TA Master alias entry
TA Master alias entry

where:

  • [INCLUDE/EXCLUDE] is an optional statement on the first line of the file that specifies whether the TA Master alias entries that follow are the only Masters the agent connects to, or the only Masters it refuses:

    INCLUDE: The agent connects only to the specified TA Masters, at their optionally specified IP addresses.

    EXCLUDE: The agent refuses to connect to the specified TA Masters and to no others. If the statement is omitted, INCLUDE is assumed.

  • TA Master alias entry is one of these forms:

    • MasterAlias

      The MasterAlias typically has the form <hostname-of-master> and is case-insensitive. If it is specified alone on the line, only the alias is verified: it must match the alias that the TA Master presents in its registration message.

    • MasterAlias:IPaddress1

      For local connections, where the IP addresses of the TA Master host are directly reachable by the agent, specify only IPaddress1. This address is verified against both the IP address presented by the TA Master in its registration message and the IP address the network reports as the origin of the connection that delivered the registration message.

    • MasterAlias:IPaddress1;IPaddress2

      For connections that must traverse a firewall, you must specify a second IP address. IPaddress2 must be the externally known address of the firewall, which is the address the agent obtains when it retrieves the origin of the connection through which the registration message was delivered.

      For situations where a TA Master could have multiple IPs, failover scenarios, or disaster recovery situations, you can specify the same MasterAlias with different IPaddress parameters, similar to this:

      INCLUDE

      hou-testvm-531:192.168.48.111;172.19.25.125
      hou-testvm-531:192.168.55.211;172.19.25.125
      zostest:192.168.95.92
      zostest:192.168.42.92
      catest
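To make the matching rules above concrete, here is an added model of the Masters.cfg checks in Python. It is not Tidal's own code, and the assumption that in the two-field form IPaddress1 must equal both the registered IP and the connection's source IP is my reading of the text.

```python
# Added model of Masters.cfg filtering; not Tidal's own code. Assumption: in the
# MasterAlias:IPaddress1 form IPaddress1 must equal both the IP presented in the
# registration message and the connection's source IP; in the three-field form
# IPaddress1 is checked against the registered IP and IPaddress2 against the source IP.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class MasterEntry:
    alias: str
    ip1: Optional[str] = None
    ip2: Optional[str] = None

    def matches(self, alias: str, registered_ip: str, source_ip: str) -> bool:
        if self.alias.lower() != alias.lower():  # aliases compare case-insensitively
            return False
        if self.ip1 is None:  # alias-only entry: nothing more to verify
            return True
        if self.ip2 is None:  # local connection: one address must match both
            return registered_ip == self.ip1 and source_ip == self.ip1
        # firewalled connection: IPaddress2 is the firewall address seen as the source
        return registered_ip == self.ip1 and source_ip == self.ip2

def parse_masters_cfg(text: str) -> Tuple[str, List[MasterEntry]]:
    """Return (mode, entries); mode defaults to INCLUDE when the first line omits it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    mode = "INCLUDE"
    if lines and lines[0].upper() in ("INCLUDE", "EXCLUDE"):
        mode = lines.pop(0).upper()
    entries = []
    for ln in lines:
        alias, _, ips = ln.partition(":")
        ip1, _, ip2 = ips.partition(";")
        entries.append(MasterEntry(alias, ip1 or None, ip2 or None))
    return mode, entries

def master_allowed(cfg_text: str, alias: str, registered_ip: str, source_ip: str) -> bool:
    """Decide whether the agent should connect to this registering TA Master."""
    mode, entries = parse_masters_cfg(cfg_text)
    matched = any(e.matches(alias, registered_ip, source_ip) for e in entries)
    return matched if mode == "INCLUDE" else not matched

# Constructed sample file mirroring the INCLUDE example in the text above
SAMPLE_CFG = """INCLUDE
hou-testvm-531:192.168.48.111;172.19.25.125
hou-testvm-531:192.168.55.211;172.19.25.125
zostest:192.168.95.92
catest
"""
```

A Master whose registration IP matches but whose connection arrives from an unexpected source address is rejected, which is the case the firewall form exists to catch.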

Agent Connection Protocol

This section describes the normal connection sequence used to establish a TA-Master-to-agent connection.

  1. The TA Master connects to the agent’s well-known port (default 5912, configurable). The TA Master sends a registration message to the agent specifying the TA Master’s IP address and listening port (and some other configuration information). This connection is then terminated.

  2. For each TA Master that has registered as described in Step 1, the agent attempts to connect using the information from that registration, and does so again each time the connection is lost for any reason.

  3. The agent attempts to connect to the IP and port provided by the TA Master in the registration message. If this fails, the agent tries to connect to the IP obtained from the network as the source IP (might be a firewall IP) and the port provided in the registration message.

  4. When the connection is made, the agent generates an encryption key based on a random seed.

    This encryption key and other configuration information about the agent are sent to the TA Master. The encryption key is "wrapped" by a method that the TA Master "unwraps" to access the raw key. This key is then used to encrypt the body of all subsequent messages (encryption is a configurable option that is on by default).