TLS with client-side certs - Discontinuing use of client-side certificates
Use this procedure to stop using client-side certificates that secure access between Application Servers and agents or repeaters.
To discontinue use of client-side certificates
- Set up root or Administrator privileges on each managed server hosting an agent or repeater.
To perform this procedure, you must have root or Administrator privileges on any servers hosting agents or repeaters where you want to discontinue use of client-side certificates.
To grant this privilege, update the exports file by creating the following entry on the server:
where <host> is the IP address or host name of the Network Shell client.
- Remove the SHA1 fingerprint of the Application Server self-signed certificate from managed servers by entering one the following commands, based on your environment:
nukecert SYSTEM <agent1...agentN>
nukecert bladmin <agent1...agentN>
<agent1...agentN>is a space-delimited list of the names or IP addresses of the servers where you want to stop using the Application Server self-signed certificate.
Configure the secure file on all agents or repeaters where you want to stop using certificates by using Network Shell to run the following
secadmin -m rscd -p 5 -T encryption_only -e tls
Running this command generates an
rscdentry in the secure file like the following:
You can also run this command using nexec from the Application Server (using
nexec <hostname> secadmin ...) or by using a NSH script job.
- Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
- Remove certificates from Application Servers by deleting the SYSTEM directory for Windows Application Servers or the .bladelogic directory for UNIX Application Servers.
- For Windows Application Servers, the SYSTEM directory can be found at C:\<WINDIR>\rsc\certs\SYSTEM, where <WINDIR> is typically windows.
- For UNIX Application Servers, the bladmin directory can be found at /opt/bmc/bladelogic/NSH/br/.bladelogic.