Unsupported content

This version of the product is in limited support. However, the documentation is available for your convenience.

Advanced SSL and Certification

The following sections give more advanced information on how SSL and certificates are combined in BMC Client Management.

CertAuth Parameter

In BMC Client Management the authority that signs an agent's certificate can be overridden. The CertAuth parameter in the agent configuration file (mtxagent.ini) holds the name of the authority certificate to be used for signing the agent certificate.

To change the certificate authority, first copy the required files to the ${AGENT_BIN}/certs/auth directory. These files are:

  • the authority X509 certificate (extension .crt)
  • the attached RSA private key (extension .key)
  • an optional Key Encrypted Password file (extension .kep)

When starting, the agent scans this directory and installs any new certificate as an additional available authority. All files belonging to one authority must share the same common name (only the extension differs), and that common name, written without extension, is the value to set in CertAuth to elect the new authority.

The KEP (Key Encrypted Password) file is a BMC feature: the RSA private key is encrypted with a password that does not have to be deployed alongside it, because the CM agent derives the password from several pieces of information, including the file names. Consequently none of the files can be renamed once the KEP mechanism is in use. Note that the .key file is the private key with which agent certificates are signed, so file-system access to the certs/auth directory should be restricted accordingly.

CertTrusted Parameter

The CM agent must also know which authorities to trust. The second parameter, CertTrusted, in the agent configuration file (mtxagent.ini) holds a comma-separated list of authority certificates to trust. Here too, a certificate must be installed before it is referenced in the configuration. Unlike the signing authority, only the X509 certificate (extension .crt) is required to trust an authority; no private key is needed.

To add a new trusted certificate authority, copy its X509 certificate (extension .crt) to the ${AGENT_BIN}/certs/trusted directory. When starting, the agent scans this directory and installs any new certificate as a trusted authority. As in the CertAuth section, a certificate referenced in the configuration file is named without its extension.

You can also trust end user certificates (not only those of authorities). In this case the certificate chain is not verified: if an agent presents a certificate that is itself listed as trusted, the default chain verification is skipped and the certificate is accepted. Because nothing beyond its presence in the trusted directory vouches for such a certificate, the trust rests entirely on control over that directory and the CertTrusted list.
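The two procedures above share one failure mode: a name in CertAuth or CertTrusted that does not match the files actually installed (wrong common name, extension left on, or a .key missing next to its .crt). The following checker is an added example written for this page, not BMC code. It assumes only the layout the page describes (certs/auth with <name>.crt, <name>.key and optional <name>.kep; certs/trusted with <name>.crt; parameters named without extension). Treating mtxagent.ini as plain Key=Value lines, and the names corpca, oldca and partnerca, are assumptions used to construct the sample.

```python
"""Consistency check for CertAuth / CertTrusted against ${AGENT_BIN}/certs.

Added example for this page; not part of BMC Client Management.  The
certs/auth and certs/trusted layout is the one the page describes; reading
mtxagent.ini as plain Key=Value lines is an assumption of this example.
"""
import os
import re
import tempfile

AUTH_REQUIRED = (".crt", ".key")   # both mandatory for a signing authority
AUTH_OPTIONAL = (".kep",)          # password file is optional
KNOWN_EXTS = set(AUTH_REQUIRED) | set(AUTH_OPTIONAL)

PARAM_RE = re.compile(r"^\s*(CertAuth|CertTrusted)\s*=\s*(.*?)\s*$")


def read_cert_params(ini_text):
    """Return (CertAuth value or None, list of CertTrusted names)."""
    auth, trusted = None, []
    for line in ini_text.splitlines():
        m = PARAM_RE.match(line)
        if not m:
            continue
        if m.group(1) == "CertAuth":
            auth = m.group(2)
        else:
            trusted = [t.strip() for t in m.group(2).split(",") if t.strip()]
    return auth, trusted


def installed(directory):
    """Map each common name in directory to the set of extensions present."""
    found = {}
    if os.path.isdir(directory):
        for fname in os.listdir(directory):
            base, ext = os.path.splitext(fname)
            found.setdefault(base, set()).add(ext.lower())
    return found


def check_config(agent_bin, ini_text):
    """Return a list of problems; an empty list means ini and certs agree."""
    problems = []
    auth, trusted = read_cert_params(ini_text)
    auth_files = installed(os.path.join(agent_bin, "certs", "auth"))
    trusted_files = installed(os.path.join(agent_bin, "certs", "trusted"))

    # Configured names must carry no extension.
    for name in ([auth] if auth else []) + trusted:
        if os.path.splitext(name)[1].lower() in KNOWN_EXTS:
            problems.append(f"'{name}' is referenced with an extension; use the common name only")

    # Every authority in certs/auth needs its .crt and the matching .key.
    for base, exts in sorted(auth_files.items()):
        for ext in AUTH_REQUIRED:
            if ext not in exts:
                problems.append(f"certs/auth/{base}: missing {base}{ext}")
        for ext in sorted(exts - KNOWN_EXTS):
            problems.append(f"certs/auth/{base}{ext}: unexpected file")

    if auth is None:
        problems.append("CertAuth is not set")
    elif auth not in auth_files:
        problems.append(f"CertAuth '{auth}' has no files in certs/auth")

    # Trusting an authority only needs its .crt.
    for name in trusted:
        if ".crt" not in trusted_files.get(name, set()):
            problems.append(f"CertTrusted '{name}' has no {name}.crt in certs/trusted")
    if not trusted:
        problems.append("CertTrusted is empty")
    return problems


def demo():
    """Build a constructed layout in a temp dir; check a good and a bad ini."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = os.path.join(root, "certs", "auth")
        trusted_dir = os.path.join(root, "certs", "trusted")
        os.makedirs(auth_dir)
        os.makedirs(trusted_dir)
        # Constructed placeholder files; a real deployment holds PEM data here.
        for fname in ("corpca.crt", "corpca.key", "corpca.kep", "oldca.crt", "oldca.key"):
            open(os.path.join(auth_dir, fname), "w").close()
        for fname in ("corpca.crt", "partnerca.crt"):
            open(os.path.join(trusted_dir, fname), "w").close()

        good_ini = "CertAuth=corpca\nCertTrusted=corpca,partnerca\n"
        bad_ini = "CertAuth=corpca.crt\nCertTrusted=corpca, missingca\n"
        return check_config(root, good_ini), check_config(root, bad_ini)


if __name__ == "__main__":
    good, bad = demo()
    print("good config:", good or "no problems")
    print("bad config:", *bad, sep="\n  ")
```

Run it against a real ${AGENT_BIN} by calling check_config with the agent directory and the contents of its mtxagent.ini before restarting the agent; the bad_ini case shows the two mistakes the page warns about, an extension left on the CertAuth value and a trusted name with no installed .crt.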
