# Configuring the PATROL Agent network communication to be TLS compliant

## To configure the PATROL Agent to enable TLS 1.2

Perform the following steps to make communication between the PATROL Agent and the Integration Service TLS 1.2 compliant:

1. Navigate to the config_v3.0 folder by running the following command:

```
# Microsoft Windows operating system
cd <PATROL Agent installation directory>\common\security\config_v3.0

# Unix operating system
cd <PATROL Agent installation directory>/common/security/config_v3.0
```
2. Verify your PATROL Agent's installation directory. If it is not the same as the default installation directory, C:\Program Files (x86)\BMC Software, perform the following sequence of steps.

Perform this step only if the installation directory is not the same as the default installation directory.

The following instructions apply:

• If you want to run the set_unset_tls script on PATROL Agents running on the Microsoft Windows operating system to configure TLS 1.2
• To all PATROL Agents running at security level 2, 3, or 4

1. Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

`#Original entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"`
`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"`

`#Modified entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"`
`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"`

2. Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

`#Original entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"`

`#Modified entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"`

3. Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

`#Original entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"`

`#Modified entry`

`"password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"`

3. Run the script to enable TLS mode as shown in the following code block:

```
# Syntax
set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>

# Example
set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol
```

Notes

• Use set_unset_tls.cmd script on the Microsoft Windows operating system, and set_unset_tls.sh script on the Unix operating system.
• When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.

• `set_unset_tls.sh -h` will display the help for the set_unset_tls command.
• There are six command line arguments for the set_unset_tls script as explained in the following section:
• BMC_ROOT: The directory where the PATROL Agent is installed.
• SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the PATROL Agent is configured in TLS mode. If you select UNSET_TLS, the PATROL Agent is configured in Non-TLS mode.
• security_level: PATROL Agent communicates with the Integration Service at security_level 2 or higher. If your PATROL Agent is running at security_level 0 or 1, set the security_level to 2 in the preceding command. Ensure that the PATROL Agent's security_level is the same as your Integration Service's security_level.
• serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
• clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
• identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.
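
A pre-flight check for the argument rules listed above, written for the Unix `set_unset_tls.sh` case. It is an added example, not BMC's code: `tls_preflight` is a hypothetical helper, and it assumes the `.sh` script takes the same argument order as the `.cmd` syntax shown.

```shell
#!/bin/sh
# Added example: pre-flight check for the set_unset_tls arguments listed above.
# tls_preflight is a hypothetical helper. It prints the command and runs nothing.
# Assumption: set_unset_tls.sh takes the same argument order as the .cmd syntax.
tls_preflight() {
    [ $# -ge 3 ] || { echo "need <BMC_ROOT> <mode> <security_level>" >&2; return 2; }
    bmc_root=$1 mode=$2 level=$3
    shift 3
    server_db="" client_db="" identity="bmcpatrol"   # default identity per the page
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
        case $1 in
            -serverDbPath) server_db=$2 ;;
            -clientDbPath) client_db=$2 ;;
            -identity)     identity=$2 ;;
            *) echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift 2
    done
    # Step 1 of the procedure expects this folder under the installation root.
    [ -d "$bmc_root/common/security/config_v3.0" ] ||
        { echo "config_v3.0 not found under $bmc_root" >&2; return 1; }
    case $mode in
        SET_TLS|UNSET_TLS) ;;
        *) echo "mode must be SET_TLS or UNSET_TLS" >&2; return 2 ;;
    esac
    case $level in
        0|1) echo "security_level $level: passing 2 as the page instructs" >&2
             level=2 ;;
        2|3|4) ;;
        *) echo "security_level must be 0-4" >&2; return 2 ;;
    esac
    if [ "$level" = 3 ]; then   # both certificate directories are mandatory
        for d in "$server_db" "$client_db"; do
            [ -n "$d" ] && [ -d "$d" ] ||
                { echo "level 3 needs existing -serverDbPath and -clientDbPath" >&2; return 1; }
        done
    fi
    out="set_unset_tls.sh \"$bmc_root\" $mode $level"
    [ -z "$server_db" ] || out="$out -serverDbPath \"$server_db\""
    [ -z "$client_db" ] || out="$out -clientDbPath \"$client_db\""
    printf '%s -identity %s\n' "$out" "$identity"
}

# Constructed demo tree so the check can run anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/common/security/config_v3.0" "$demo/server_db" "$demo/client_db"
tls_preflight "$demo" SET_TLS 3 -serverDbPath "$demo/server_db" -clientDbPath "$demo/client_db"
rm -rf "$demo"
```

The function exits non-zero before anything is changed when a level 3 run lacks either certificate directory, so a wrapper can stop there and leave the agent untouched.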

## Related topic

Security planning
