Unsupported content


This version of the documentation is no longer supported. However, the documentation is available for your convenience.

TLS with client-side certs - Securing a UNIX Application Server

Use this procedure to generate a self-signed, client-side certificate for a UNIX-based Application Server, provision all targeted agents or repeaters with an SHA1 fingerprint of the Application Server self-signed certificate, and configure those agents or repeaters to authenticate incoming requests using client-side certificates. This topic is intended for administrators of BMC Server Automation Application Servers.


In this topic, a client refers to an Application Server that is attempting to establish contact with the server hosting an agent. Generally, in BMC Server Automation documentation a client refers to a host running the BMC Server Automation Console or Network Shell.

To stop using self-signed, client-side certificates, see TLS with client-side certs - Discontinuing use of client-side certificates.

You can use this procedure to secure communication between a UNIX Network Shell proxy server and agents or repeaters using TLS with client-side certificates. The procedure for a Network Shell proxy server is identical to the procedure for an Application Server.


TLS communication with client-side certificates is not compatible with the NSH proxy tunneling mechanism for communication between clients and the Network Shell proxy server. To use one or the other, you must either disable proxy tunneling or discontinue the use of client-side certificates.

The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.

  1. Create a self-signed client-side certificate on the Application Server. Then add the passphrase for that certificate to the securecert file.
  2. Provision agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate.
  3. Configure agents or repeaters to authenticate incoming requests with client-side certificates.