Discontinuing use of client-side certificates
Use this procedure to stop using client-side certificates that secure access between repeaters and agents.
To discontinue use of client-side certificates
- Set up root or Administrator privileges on each managed server hosting an agent.
To perform this procedure, you must have root or Administrator privileges on any servers hosting agents where you want to discontinue use of client-side certificates. To grant this privilege, update the exports file on a server by creating the following entry:
where <host> is the IP address or host name of the Network Shell client.
- Remove the SHA1 fingerprint of the repeater's self-signed certificate from managed servers. To accomplish this, use Network Shell to enter the following:
nukecert <user> <agent1...agentN>
where <user> is the user name (typically BladeLogicRSCD for a Windows repeater and typically root for a UNIX repeater). If other UNIX users have fingerprints on the agent, you must remove those user names as well. In the command shown above, <agent1...agentN> is a space-delimited list of the names or IP addresses of the servers where you want to stop using the repeater's self-signed certificate.
- Configure the secure file on all agents where you want to stop using certificates by using Network Shell to run the following:
secadmin -m rscd -p 5 -T encryption_only -e tls
Running this command generates an rscd entry in the secure file similar to the following:
Performing this step could have implications for Application Servers or Network Shell proxy servers when they communicate with the same targeted agents. This step sets tls_mode=encryption_only on the targeted agents, which means these agents do not require Application Servers or Network Shell proxy servers to also use client-side certificates.
- Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
- Remove certificates from repeaters by deleting the id.pem file storing the certificate.
- (Windows) The id.pem file resides in <WINDIR>\rsc\certs\BladeLogicRSCD, where <WINDIR> is typically windows or winnt.
- (UNIX) The id.pem file resides in <userHomeDirectory>/.bladelogic, where <userHomeDirectory> is the user's home directory. For example, if you are logged in as root, id.pem resides in /root/.bladelogic/id.pem.
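After the secadmin step above, an administrator typically wants to confirm that every targeted agent's secure file really ended up with tls_mode=encryption_only before reverting the exports file and deleting id.pem. The following audit script is an added example, not part of the BMC documentation or of the BladeLogic product. It assumes a secure-file line layout of a service name followed by colon-separated key=value fields, assumes encryption_and_auth as the value that still requires client certificates, and uses constructed sample file contents for hypothetical hosts; verify both assumptions against the secure file on one of your own agents before relying on it.

```python
# Added example (not BMC BladeLogic code): audit a set of agent "secure" files
# to confirm the rscd entry no longer requires client-side certificates after
#   secadmin -m rscd -p 5 -T encryption_only -e tls
# ASSUMPTIONS: line layout "service:key=value:key=value..." and the tls_mode
# value "encryption_and_auth" as the 'client cert still required' setting.

from typing import Dict, List, Tuple

# Constructed sample secure-file contents keyed by hypothetical host name.
SAMPLE_SECURE_FILES = {
    "agent1.example.invalid":
        "rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n",
    "agent2.example.invalid":
        "rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls\n",
    # No rscd entry at all: the audit must not treat this as 'done'.
    "agent3.example.invalid":
        "# comment line\nnsh:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n",
}


def parse_secure_file(text: str) -> Dict[str, Dict[str, str]]:
    """Parse secure-file text into {service: {key: value}}.

    Blank lines and '#' comments are skipped. The first colon-separated
    field is the service name (e.g. rscd); the rest are key=value pairs.
    A field without '=' is kept with an empty value.
    """
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        service, _, rest = line.partition(":")
        fields: Dict[str, str] = {}
        for field in rest.split(":"):
            if not field:
                continue
            key, _, value = field.partition("=")
            fields[key] = value
        entries[service] = fields
    return entries


def rscd_requires_client_cert(text: str) -> bool:
    """True if the rscd entry still requires a client-side certificate.

    tls_mode=encryption_only is the only value treated as 'no client cert
    required'. Any other value, or a missing rscd entry, is reported as
    still requiring one, so the audit fails closed rather than open.
    """
    rscd = parse_secure_file(text).get("rscd")
    if rscd is None:
        return True
    return rscd.get("tls_mode") != "encryption_only"


def audit_agents(secure_files: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split hosts into (done, still_requiring) by their secure-file text."""
    done: List[str] = []
    pending: List[str] = []
    for host, text in sorted(secure_files.items()):
        (pending if rscd_requires_client_cert(text) else done).append(host)
    return done, pending


if __name__ == "__main__":
    finished, remaining = audit_agents(SAMPLE_SECURE_FILES)
    print("client certs no longer required:", finished)
    print("still requiring client certs or no rscd entry:", remaining)
```

In practice you would replace SAMPLE_SECURE_FILES with the contents of each agent's secure file collected over Network Shell; hosts that land in the second list are the ones where the secadmin step did not take effect or ran against a different service entry.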