×
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 
BMC Server Automation 8.8 ... Configuring after installation Administering security Implementing security for communication legs Implementing security - Application Server to agents or repeaters

TLS with client-side certs - Discontinuing use of client-side certificates

Use this procedure to stop using client-side certificates that secure access between Application Servers and agents or repeaters.

To discontinue use of client-side certificates

  1. Set up root or Administrator privileges on each managed server hosting an agent or repeater. 
    To perform this procedure, you must have root or Administrator privileges on any servers hosting agents or repeaters where you want to discontinue use of client-side certificates. 
    To grant this privilege, update the exports file by creating the following entry on the server: 

    (Windows
    <host> rw,user=Administrator 

    (UNIX)
    <host> rw,user=root 
    where <host> is the IP address or host name of the Network Shell client.
  2. Remove the SHA1 fingerprint of the Application Server self-signed certificate from managed servers by entering one the following commands, based on your environment: 
    (Windows
    nukecert SYSTEM <agent1...agentN>

    (UNIX
    nukecert bladmin <agent1...agentN> 
    where <agent1...agentN> is a space-delimited list of the names or IP addresses of the servers where you want to stop using the Application Server self-signed certificate.

  3. Configure the secure file on all agents or repeaters where you want to stop using certificates by using Network Shell to run the following secadmin command: 
    secadmin -m rscd -p 5 -T encryption_only -e tls 
    Running this command generates an rscd entry in the secure file like the following:

    rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

    Tip

    You can also run this command using nexec from the Application Server (using nexec <hostname> secadmin ...) or by using a NSH script job.

  4. Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
  5. Remove certificates from Application Servers by deleting the SYSTEM directory for Windows Application Servers or the .bladelogic directory for UNIX Application Servers.
    • For Windows Application Servers, the SYSTEM directory can be found at C:\<WINDIR>\rsc\certs\SYSTEM, where <WINDIR> is typically windows.
    • For UNIX Application Servers, the bladmin directory can be found at /opt/bmc/bladelogic/NSH/br/.bladelogic.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Fran Coughlin on Apr 13, 2016
security certificate application_server agent repeater tls

Comments

Configuring agents or repeaters to authenticate incoming requests with client-side certificates (Windows)
Implementing security - Network Shell to agent
© Copyright 2017 BMC Software, Inc. © Copyright 2017 BladeLogic, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2021 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.