TLS with client-side certs - Securing a Windows Application Server
Use this procedure to generate a self-signed, client-side certificate for a Windows Application Server, provision all targeted agents or repeaters with an SHA1 fingerprint of the Application Server self-signed certificate, and configure those agents or repeaters to authenticate incoming requests using client-side certificates. If your environment includes multiple Application Servers, you should repeat this procedure for each Application Server.
In this topic, a client refers to an Application Server that is attempting to establish contact with the server hosting an agent. Generally, in BMC Server Automation documentation a client refers to a host running the BMC Server Automation Console or Network Shell.
To stop using self-signed, client-side certificates, see TLS with client-side certs - Discontinuing use of client-side certificates.
You can use this procedure to use TLS with client-side certificates to secure communication between a Windows Network Shell proxy server and agents or repeaters. The procedure for a Network Shell proxy server is identical to the procedure for an Application Server.
The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.
- Create a self-signed, client-side certificate on the Application Server. Then add the passphrase for that certificate to the securecert file.
- Provision all targeted agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate.
- Configure all targeted agents or repeaters to authenticate incoming requests using client-side certificates.