Discontinuing use of client-side certificates

Use this procedure to stop using client-side certificates that secure access between repeaters and agents.

To discontinue use of client-side certificates

  1. Set up root or Administrator privileges on each managed server hosting an agent.
    To perform this procedure, you must have root or Administrator privileges on any servers hosting agents where you want to discontinue use of client-side certificates. To grant this privilege, update the exports file on a server by creating the following entry:
    (Windows)
    <host> rw,user=Administrator
    (UNIX)
    <host> rw,user=root
    where <host> is the IP address or host name of the Network Shell client.
  2. Remove the SHA1 fingerprint of the repeater's self-signed certificate from managed servers. To accomplish this, use Network Shell to enter the following:
    nukecert <user> <agent1...agentN>
    where <user> is BladeLogicRSCD for a Windows repeater and typically root for a UNIX repeater. If other UNIX users have fingerprints on the agent, you must remove those user names as well. In the command shown above <agent1...agentN> is a space-delimited list of the names or IP addresses of the servers where you want to stop using the repeater's self-signed certificate.
  3. Configure the secure file on all agents where you want to stop using certificates by using Network Shell to run the following secadmin command:
    secadmin -m rscd -p 5 -T encryption_only -e tls
    Running this command generates an rscd entry in the secure file similar to the following:
    rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

    Note

    Performing this step could have implications for Application Servers or Network Shell proxy servers when they communicate with the same targeted agents. This step sets tls_mode=encryption_only on the targeted agents, which means these agents do not require Application Servers or Network Shell proxy servers to also use client-side certificates.

  4. Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
  5. Remove certificates from repeaters by deleting the id.pem file storing the certificate.
    • (Windows) The id.pem file resides in <WINDIR>\rsc\certs\BladeLogicRSCD, where <WINDIR> is typically windows or winnt.
    • (UNIX) The id.pem file resides in <userHomeDirectory>/.bladelogic, where <userHomeDirectory> is the user's home directory. For example, if you are logged in as root, id.pem resides in /root/.bladelogic/id.pem.
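As an added post-procedure check (not part of this documentation or of the product), the following Python script parses a secure file and an exports file in the formats shown above: it confirms that the rscd entry written in step 3 sets tls_mode=encryption_only and lists any hosts the exports file still maps to root or Administrator, which step 4 says to revert. The sample file contents are constructed.

```python
# Added audit helper, not BMC code. Checks an agent's secure file and exports
# file after steps 3 and 4 of the procedure; file formats follow this page.
PRIVILEGED_USERS = {"root", "Administrator"}  # mappings that step 4 reverts

def parse_secure_entry(line):
    """Split one secure-file line, e.g.
    'rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls',
    into (service, {option: value})."""
    service, _, rest = line.strip().partition(":")
    opts = {}
    for field in rest.split(":"):
        key, _, value = field.partition("=")
        if key:
            opts[key] = value
    return service, opts

def rscd_is_encryption_only(secure_text):
    """True when the rscd entry carries tls_mode=encryption_only (step 3)."""
    for line in secure_text.splitlines():
        if line.startswith("rscd:"):
            _, opts = parse_secure_entry(line)
            return opts.get("tls_mode") == "encryption_only"
    return False  # no rscd entry at all counts as not configured

def privileged_export_hosts(exports_text):
    """Hosts the exports file still maps to root/Administrator (step 4).
    Matches entries shaped like '<host> rw,user=root'."""
    found = []
    for line in exports_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        host, flags = parts[0], parts[1]
        for flag in flags.split(","):
            key, _, value = flag.partition("=")
            if key == "user" and value in PRIVILEGED_USERS:
                found.append(host)
    return found

# Constructed samples: secure file after step 3, exports file before step 4.
SAMPLE_SECURE = "rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n"
SAMPLE_EXPORTS = "nshclient01 rw,user=root\n10.0.0.5 rw\n"

if __name__ == "__main__":
    print("rscd encryption_only:", rscd_is_encryption_only(SAMPLE_SECURE))
    print("hosts still mapped to a privileged user:",
          privileged_export_hosts(SAMPLE_EXPORTS))
```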