Configuring the PATROL Agent network communication to be TLS compliant

To configure the PATROL Agent to enable TLS 1.2


Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:

  1. Navigate to the config_v3.0 folder by running the following command:

    # Microsoft Windows operating system
    $cd <PATROL Agent installation directory>\common\security\config_v3.0
     
    # Unix operating system
    $cd <PATROL Agent installation directory>/common/security/config_v3.0
  2. Verify your PATROL Agent's installation directory. If the PATROL Agent's installation directory is not same as the default installation directory that is C:\Program Files (x86)\BMC Software, perform the following sequence of steps:

    Perform this step only if the installation directory is not same as the default installation directory

     The following set of instructions are applicable:

    • If you want to run set_unset_tls script on the PATROL Agents running on Microsoft Windows operating system to configure TLS 1.2
    • For all the PATROL Agents running on any of the security levels 2,3, or 4.

    1. Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    2. Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    3. Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

  3. Run the script to enable TLS mode as shown in the following code block:

    #Syntax
    set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>
    #Example
    $set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol

    Notes

    • Use set_unset_tls.cmd script on the Microsoft Windows operating system, and set_unset_tls.sh script on the Unix operating system.
    • When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.

    • set_unset_tls.sh -h will display the help for the set_unset_tls command.
    • There are six command line arguments for the set_unset_tls script as explained in the following section:
      • BMC_ROOT: The directory where the PATROL Agent is installed.
      • SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the PATROL Agent is configured in TLS mode. If you select UNSET_TLS, the PATROL Agent is configured in Non-TLS mode.
      • security_level: PATROL Agent communicates with the Integration Service at a security_level 2 or higher. If your PATROL Agent is running at a security_level 0 or 1, then set the security_level as 2 in the preceding command. Ensure that you set the PATROL Agent's security_level same as your Integrations Service's security_level.
      • serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
      • clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
      • identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.

Where to go from here

Administering

Related topic

Security planning

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Anthony Yon

    Once you run the set_unset_tls command to enable the TLS mode, is there a way to validate it IS set? Is there a command, such as PatrolAgent -v, that shows the Agent is set to TLS?

    Feb 19, 2019 08:07