Configuring the PATROL Agent to Integration Service communication to enable TLS 1.2

Perform the following steps to enable the Remote Integration Service to PATROL Agent communication to be TLS 1.2 compliant:

To configure the Integration Service to enable TLS 1.2

The following set of steps guide you to configure both the local or remote Integration Services.

To configure the remote Integration Service and the PATROL Agent communication to enable TLS 1.2


  1. Stop the Integration Service by running the following command: 

    pw is stop
  2. To stop the Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Stop
  5. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes from Started to (blank).

  6. Navigate to the <Remote Integration Service Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Remote Integration Service install directory>\agent\patrol\common\security\config_v3.0

    # Unix operating system
    $cd <Remote Integration Service install directory>/agent/patrol/common/security/config_v3.0

  7. Run the following command:

    #Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    #Example
    $set_unset_tls_IS.cmd <Remote Integration Service Install Directory> SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

To configure the local Integration Service and the PATROL Agent communication to enable TLS 1.2

  1. Stop the Infrastructure Management Server by running the following command:

    pw system stop

  2. Navigate to the <Infrastructure Management Server Install Directory>\agent\patrol\common\security\config_v3.0 directory by running the following command:

    # Microsoft Windows operating system
    $cd <Infrastructure Management Server Install Directory>\pw\patrol\common\security\config_v3.0

    # Unix operating system
    $cd <Infrastructure Management Server Install Directory>/pw/patrol/common/security/config_v3.0

  3. Run the following command:

    #Syntax
    set_unset_tls_IS.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -identity <identity>
    #Example
    $set_unset_tls_IS.cmd <Infrastructure Management Server Install Directory>\pw  SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -identity bmcpatrol

Parameter description

The following notes describe the key parameters used in the preceding command:

  • Use the set_unset_tls_IS.cmd script on the Microsoft Windows operating system, and the set_unset_tls_IS.sh script on the Unix operating system.
  • set_unset_tls.sh -h will display the help for the set_unset_tls_IS command.
  • There are six command line arguments for the set_unset_tls_IS script as explained in the following section:
    • $BMC_ROOT: The directory where the Integration Service is installed.
    • SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the Integration Service is configured in TLS mode. If you select UNSET_TLS, the Integration Service is configured in Non-TLS mode.
    • security_level: The current value of this variable represents the security level at which the Integration Service is running. Integration Service runs at a security_level 2 or higher. Ensure that you set the Integration Service's security_level same as your PATROL Agent's security_level.
    • serverDbPath: The directory where the server certificates are present. This argument is mandatory for all the security_levels of the Integration Service.
    • identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.

To configure the PATROL Agent to enable TLS 1.2

Perform the following steps to make the PATROL Agent to Integration Service communication TLS 1.2 compliant:

  1. Navigate to the config_v3.0 folder by running the following command:

    # Microsoft Windows operating system
    $cd <PATROL Agent installation directory>\common\security\config_v3.0
     
    # Unix operating system
    $cd <PATROL Agent installation directory>/common/security/config_v3.0

  2. Verify your PATROL Agent's installation directory. If the PATROL Agent's installation directory is not same as the default installation directory that is C:\Program Files (x86)\BMC Software, perform the following sequence of steps:

    Perform this step only if the installation directory is not same as the default installation directory

     The following set of instructions are applicable:

    • If you want to run set_unset_tls script on the PATROL Agents running on Microsoft Windows operating system to configure TLS 1.2

    • For all the PATROL Agents running on any of the security levels 2,3, or 4.

     

    1. Using a text editor, open the tls_agent.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location, and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"

      #Modified entry

      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    2. Using a text editor, open the tls_esi.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
      #Modified entry
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

    3. Using a text editor, open the tls_proxy.reg registry file located in the <PATROL Agent Installation Directory>\config_v3.0\config_v3.0 directory location and update the entries to reflect the PATROL Agent's actual installation path as shown in the following example code:

      #Original entry
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, C:\\\\Program Files (x86)\\\\BMC Software\\\\common\\\\security\\\\keys\\\\sample.bin"
      #Modified entry
      "password"="17fa9e37f011ec79ef0b32d00cbc98c4f4ca367272714f6b, <PATROL Agent Installation Directory>\\\\common\\\\security\\\\keys\\\\sample.bin"

  3. Run the script to enable TLS mode as shown in the following code block:

    #Syntax
    set_unset_tls.cmd <$BMC_ROOT> <SET_TLS;UNSET_TLS> <security_level> -serverDbPath <serverDbPath> -clientDbPath <clientDbPath> -identity <identity>
    #Example
    $set_unset_tls.cmd "C:\Program Files (x86)\BMC Software" SET_TLS 3 -serverDbPath "C:\Certificates\server_db" -clientDbPath "C:\Certificates\client_db" -identity bmcpatrol

    Notes

    • Use set_unset_tls.cmd script on the Microsoft Windows operating system, and set_unset_tls.sh script on the Unix operating system.

    • When you run the set_unset_tls.sh script on AIX and HP-UX operating systems to enable TLS 1.2, the system creates symbolic links for Mozilla NSS v3.20 libraries in the default system library directory /usr/lib.

    • set_unset_tls.sh -h will display the help for the set_unset_tls command.
    • There are six command line arguments for the set_unset_tls script as explained in the following section:
      • BMC_ROOT: The directory where the PATROL Agent is installed.
      • SET_TLS / UNSET_TLS: The second command line argument can either be SET_TLS, or UNSET_TLS. If you select SET_TLS, the PATROL Agent is configured in TLS mode. If you select UNSET_TLS, the PATROL Agent is configured in Non-TLS mode.
      • security_level: PATROL Agent communicates with the Integration Service at a security_level 2 or higher. If your PATROL Agent is running at a security_level 0 or 1, then set the security_level as 2 in the preceding command. Ensure that you set the PATROL Agent's security_level same as your Integrations Service's security_level.
      • serverDbPath: The directory where the server certificates are present. This argument is mandatory if the security_level is set to 3.
      • clientDbPath: The directory where the client certificates are present. This argument is mandatory if the security_level is set to 3.
      • identity: The certificate identity. If you do not specify any value to this argument, the default value is set to bmcpatrol.

To start the servers

Perform the following set of steps after the configuration changes are completed.

To edit the Integration Service's properties

  1. Logon to the TrueSight console, and access Configuration > Managed DevicesManaged Devices page displays the BMC TrueSight Infrastructure Management components that are displayed in a hierarchical order as shown in the following diagram.
    managedDevices_edit.png
  2. Click the action menu callout_1.png of the Integration Service for which the TLS configurations need to be applied. When the Integration Service is in the disconnected state, the action menu displays the options: Edit, Delete, View, Connect.
  3. Select the Edit option.
  4. The Integration Service properties are displayed. Set the Connection to Infrastructure Management Server property to Direct access using SSL TCP/IP.
  5. Click Save.

To start the local Integration Service

  1. Start the Infrastructure Management Server by running the following command:

    pw system start

    The Integration Service is restarted along with the Infrastructure Management Server.

To start the remote Integration Service

  1. Start the remote Integration Service (Unix) by running the following command:

    pw is start
  2. To start the remote Integration Service (Microsoft Windows), navigate to Start > Settings > Control Panel.
  3. Double-click the Services icon to launch the Services dialog box.
  4. Locate the BMC TrueSight Infrastructure Management Integration Service on the list of services, highlight, then click Restart
  5. Click Yes to close the warning message that is displayed. 
    The status for the Integration Service changes from blank to (started).

To start the PATROL Agent

  1. Start the PATROL Agent by running the following command:

    patrolagent -p 9090

 

Related topics

Managing-TLS-security-certificates

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*