TLS with client-side certs - Discontinuing use of client-side certificates

Use this procedure to stop using client-side certificates that secure access between Application Servers and agents or repeaters.

To discontinue use of client-side certificates

  1. Set up root or Administrator privileges on each managed server hosting an agent or repeater.
    To perform this procedure, you must have root or Administrator privileges on any servers hosting agents or repeaters where you want to discontinue use of client-side certificates.
    To grant this privilege, update the exports file by creating the following entry on the server:

    (Windows)
    <host> rw,user=Administrator

    (UNIX)
    <host> rw,user=root

    where <host> is the IP address or host name of the Network Shell client.
  2. Remove the SHA1 fingerprint of the Application Server self-signed certificate from managed servers by entering one of the following commands, based on your environment:

    (Windows)
    nukecert SYSTEM <agent1...agentN>

    (UNIX)
    nukecert bladmin <agent1...agentN>

    where <agent1...agentN> is a space-delimited list of the names or IP addresses of the servers where you want to stop using the Application Server self-signed certificate.
  3. Configure the secure file on all agents or repeaters where you want to stop using certificates by using Network Shell to run the following secadmin command:

    secadmin -m rscd -p 5 -T encryption_only -e tls

    Running this command generates an rscd entry in the secure file like the following:

    rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

    Tip: You can also run this command using nexec from the Application Server (using nexec <hostname> secadmin ...) or by using an NSH script job.

  4. Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
  5. Remove certificates from Application Servers by deleting the SYSTEM directory for Windows Application Servers or the .bladelogic directory for UNIX Application Servers.
    • For Windows Application Servers, the SYSTEM directory can be found at C:\<WINDIR>\rsc\certs\SYSTEM, where <WINDIR> is typically windows.
    • For UNIX Application Servers, the .bladelogic directory can be found at /opt/bmc/bladelogic/NSH/br/.bladelogic.
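A post-procedure check for one agent, added here as an example (it is not a BMC script and not part of this documentation): it confirms that step 3 left the encryption-only rscd entry in the secure file and that step 4 removed the root/Administrator mapping from the exports file. The file locations (/usr/lib/rsc/secure and /usr/lib/rsc/exports on a UNIX agent) are assumed, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Post-procedure audit for one agent. Added example, not a BMC script.
# It checks the two files this procedure edits:
#   secure  - the rscd entry must be the step 3 form (tls_mode=encryption_only, encryption=tls)
#   exports - no entry may still map callers to root/Administrator (the step 4 hazard)
# Assumed paths on a UNIX agent: /usr/lib/rsc/secure and /usr/lib/rsc/exports.

# Print one key's value (e.g. tls_mode) from the rscd line of a secure file.
rscd_field() {  # $1 = secure file, $2 = key name
  grep '^rscd:' "$1" | tr ':' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only when the rscd entry is the encryption-only TLS form from step 3.
secure_is_encryption_only() {  # $1 = secure file
  [ "$(rscd_field "$1" tls_mode)" = "encryption_only" ] &&
  [ "$(rscd_field "$1" encryption)" = "tls" ]
}

# Count exports lines that still carry the temporary root/Administrator mapping.
exports_privileged_count() {  # $1 = exports file
  grep -Eic 'rw,user=(root|administrator)' "$1" || true
}

# Verdict: 0 = clean, 1 = secure file not in encryption_only mode, 2 = exports still privileged.
audit_agent() {  # $1 = secure file, $2 = exports file
  secure_is_encryption_only "$1" || return 1
  [ "$(exports_privileged_count "$2")" -eq 0 ] || return 2
}

# Constructed sample files standing in for the real agent files.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf 'rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n' > "$DEMO/secure.ok"
# Placeholder mode name: stands in for any rscd entry that is not encryption_only.
printf 'rscd:port=4750:protocol=5:tls_mode=PLACEHOLDER_OTHER_MODE:encryption=tls\n' > "$DEMO/secure.other"
printf 'appserver01 rw,user=root\n' > "$DEMO/exports.open"      # step 1 entry left in place
printf 'appserver01 rw,user=nshuser\n' > "$DEMO/exports.ok"     # constructed unprivileged mapping

for pair in "secure.ok exports.ok" "secure.ok exports.open" "secure.other exports.ok"; do
  set -- $pair
  audit_agent "$DEMO/$1" "$DEMO/$2" && echo "$1 + $2: clean" || echo "$1 + $2: rc=$? (1=secure, 2=exports)"
done
```

Run it against the real files by replacing the constructed paths with the agent's secure and exports files; a non-zero verdict means the procedure is not finished on that host.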
