TLS with client-side certs - Securing a UNIX Application Server
Use this procedure to generate a self-signed, client-side certificate for a UNIX-based Application Server, provision all targeted agents or repeaters with a SHA1 fingerprint of the Application Server self-signed certificate, and configure those agents or repeaters to authenticate incoming requests using client-side certificates. This topic is intended for administrators of BMC Server Automation Application Servers.
In this topic, a client refers to an Application Server that is attempting to establish contact with the server hosting an agent. Elsewhere in BMC Server Automation documentation, a client generally refers to a host running the BMC Server Automation Console or Network Shell.
To stop using self-signed, client-side certificates, see TLS with client-side certs - Discontinuing use of client-side certificates.
You can also use this procedure to secure communication between a UNIX Network Shell proxy server and agents or repeaters using TLS with client-side certificates. The procedure for a Network Shell proxy server is identical to the procedure for an Application Server.
The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.
- Create a self-signed client-side certificate on the Application Server. Then add the passphrase for that certificate to the securecert file.
- Provision agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate.
- Configure agents or repeaters to authenticate incoming requests with client-side certificates.