AAPM Agent Logs

this document explains how the kron pam aapm agent processes password requests, manages its local cache, performs regular and intensive status checks, and reacts to password rotation events the objective is to help administrators interpret aapm agent logs precisely and understand the internal state transitions during password retrieval and cache lifecycle events verifying kron pam aapm agent installation during the initial installation of the kron pam aapm agent, check the logs to confirm the following agent registration the logs should indicate that the aapm agent has successfully registered with kron pam ( doregistercall started and doregistercall result ok ) grpc over ssl (if enabled) if the feature is enabled, the logs will show that grpc over ssl has been activated for the aapm agent (rpc server started with ssl) heartbeat confirmation after a successful installation and startup, the logs will display a heartbeat (ping) sent to the kron pam servers, confirming active communication ( ping successful ) aapm agent logs 2026 02 27 12 52 31,869 info c k a c registrationcontroller \[main] agent registration required 2026 02 27 12 52 31,894 info c k a c registrationcontroller \[main] doregistercall started 2026 02 27 12 53 30,518 info c k a c registrationcontroller \[main] doregistercall result ok 2026 02 27 12 53 30,731 info c k a c clientcredentialsconfig \[main] security credentials and paths successfully encrypted 2026 02 27 12 53 33,202 info c k a c registrationcontroller \[main] createjwtrefreshschedule created for 3595 seconds 2026 02 27 12 53 33,207 info c k a c systemcontroller \[main] agent initialization 2026 02 27 12 53 33,207 info c k a c systemcontroller \[main] agent registration policy os = linux , service mode = false 2026 02 27 12 53 33,216 info j u prefs \[main] created user preferences directory 2026 02 27 12 53 33,217 warn j u prefs \[main] prefs file removed in background /opt/kronaapm/agent/ java/ userprefs/ java/ userprefs/prefs xml 2026 02 27 12 53 33,963 info o l s g grpcserverrunner \[main] starting grpc server 2026 02 27 12 53 33,980 info o l s g grpcserverrunner \[main] 'org lognet springboot grpc health defaulthealthstatusservice$$springcglib$$0' service has be en registered 2026 02 27 12 53 33,981 info o l s g grpcserverrunner \[main] 'com kron aapm controller toolservicecontroller' service has been registered 2026 02 27 12 53 33,982 info o l s g grpcserverrunner \[main] 'com kron aapm controller accessservicecontroller' service has been registered 2026 02 27 12 53 34,345 info c k a c grpcsecurityconfig \[main] >>> grpc server started with ssl (pem mode) 2026 02 27 12 53 34,454 info o l s g grpcserverrunner \[main] grpc server started, listening on port 6301 2026 02 27 12 53 34,492 info c k a coreapplication \[main] started coreapplication in 67 174 seconds (process running for 69 435) 2026 02 27 12 54 12,550 info c k a c heartbeatcontroller \[scheduling 1] ping successful 2026 02 27 12 55 19,590 info c k a c heartbeatcontroller \[scheduling 1] ping successful initial password retrieval from kron pam the lifecycle begins when the sdk invokes the agent’s getpassword method at this stage, the agent evaluates whether a valid cache entry exists for the requested vault account this log indicates that the aapm agent received a password request from the sdk and successfully fetched the credential from the kron pam server aapm agent logs 2026 02 19 20 48 07,919 info c k a s agentstatus \[fetch success] password successfully retrieved from pam pam url 10 20 30 40 vault account dynamictestaccount vault account path /testvaultpath at this point the password was not served from cache (or cache was empty/expired) a live fetch operation occurred the agent will now populate its local cache with the retrieved credential cache entry creation and expiration registration immediately after successful retrieval, the agent creates an internal cache entry the expiration timestamp indicates the calculated expiration time for the cached password this value is derived from the account’s nextchange time returned by kron pam aapm agent logs 2026 02 19 20 48 07,919 info c k a c expiringset key = /testvaultpath|dynamictestaccount| expire at 2026 02 19 21 18 07 this expiration is not arbitrary it aligns with the next scheduled password change in kron pam cache registration in expiringcachemanager this confirms that the password is now stored in memory and managed by the cache lifecycle component expiringcachemanager /testvaultpath|dynamictestaccount| cache add to expiringset status check task scheduling after caching, the agent schedules a regular status check task this is proactive validation the agent does not wait passively for expiration statuschecktaskmanager \[regular] task scheduled for key /testvaultpath|dynamictestaccount| the regular mode periodically verifies whether the password has been rotated in kron pam whether the cached password is still valid whether nextchange time has been modified regular status check (no rotation detected) the agent compares lastchange and nextchange timestamps retrieved from kron pam action required confirms that the cache remains synchronized with the vault aapm agent logs 2026 02 19 20 48 24,148 info c k a c accessservicecontroller \[scheduling 1] \[regular] time status \[/testvaultpath|dynamictestaccount|] checking 2026 02 19 20 48 24,190 info c k a c accessservicecontroller \[scheduling 1] no action required for /testvaultpath|dynamictestaccount| \[lastchange 2026 02 19 20 43 35] \[nextchange 2026 02 19 21 18 09] the agent determines cached password matches kron pam state no new rotation has occurred cache remains valid intensive mode checking this mode reduces the validation interval compared to regular mode intensive mode is triggered when password rotation time approaches system transitions near expiration window aapm agent logs 2026 02 19 20 48 56,795 info c k a c accessservicecontroller \[scheduling 1] \[intensive] time status \[/testvaultpath|dynamictestaccount|] checking password rotation detected – cache refresh this log indicates that kron pam rotated the password statustime reflects updated state from pam lastchange no longer matches cached metadata aapm agent logs 2026 02 19 20 48 54,359 info c k a c accessservicecontroller \[scheduling 1] \[regular] time status \[/pam agent response|dynamicuserwithdevice|] checking 2026 02 19 20 48 56,795 info c k a c accessservicecontroller \[scheduling 1] cache should be updated! \[lastchange 2026 02 19 20 43 35] \[statustime 2026 02 19 20 48 44] 2026 02 19 20 48 56,795 info c k a s agentstatus \[scheduling 1] \[agent cache expired] agent cache expired cache will be refreshed pam url 10 20 30 40 vault account dynamictestaccount vault account path /testvaultpath