Recommendations for SSL and Certificates

When using SSL, and therefore certificates, BMC Software strongly recommends that you carefully plan your authority and certificate strategy before putting it in place. You can make modifications later, but if you are not very careful, all communication may break down.

If all components are installed with SSL activated, they are initialized with the default BMC authority and certificates; by default, the agent rollout does not include any customised certificates. As soon as you make changes to a single agent, it is quite possible that no agents can communicate anymore. We therefore recommend that you prepare your complete SSL setup in advance. This means:

  • preparing all operational rules, via Update INI File, that modify the Security section of the mtxagent.ini files of ALL network devices for their respective new authorities and certificates
  • creating the queries and groups required to send and execute these operational rules
  • creating the packages to distribute the new certificate files, and
  • assigning the operational rules with a common schedule to these groups to ensure that the large majority of rules, that is, the ini file modifications, are executed at about the same time. This limits the downtime in communication as much as possible.

After the operational rules are launched, you need to give the system some time to receive and execute them, so for some time part or all of your network cannot be reached via the CM agents until all rules are executed on all devices. Depending on whether devices are up, parts of the network might remain unreachable until those devices connect again, receive the rules, and update to the new scheme.

Important

Be sure to back up the certificates stored on the master. If the master is reinstalled, it is important to copy the saved certificates to a reserved location before its first restart. The impact of losing the master's certificates is a total loss of inter-agent communication in SSL mode.
