Creating a self-signed, client-side certificate on the repeater

Use this procedure to create a self-signed certificate for the repeater and then add the passphrase for that certificate to the securecert file on the repeater.

On UNIX repeaters, TrueSight Server Automation does not load the certificate if group or world permissions are set for the id.pem file or the .bladelogic directory, where the id.pem file is generated.

Before you begin

You must install Network Shell on the repeater. This procedure requires you to run a command that is only available from Network Shell.

To create a self-signed, client-side certificate on the repeater

  1. Using a command line, generate a self-signed certificate by doing one of the following:
    • (UNIX) Log into the repeater as a user to whom connecting users are mapped (typically root). Then, issue the following command for generating a certificate:
      <installDirectory>/bin/bl_gen_ssl
    • (Windows) Do the following:
      1. Log into the repeater server as Administrator.
      2. Create a directory called C:\<WINDIR>\rsc\certs\BladeLogicRSCD.
        In the path shown above, <WINDIR> is typically windows.
      3. Enter the following command for generating a certificate:
        bl_gen_ssl -repeatcert
  2. Enter a passphrase for the private key to the certificate. Then confirm the passphrase by entering it again.
    TrueSight Server Automation generates a certificate in a file named id.pem.
    • (UNIX) The file is created in <userHomeDirectory>/.bladelogic, where <userHomeDirectory> is the user's home directory. For example, if you are logged in as root on a Linux system, id.pem is created in /root/.bladelogic/id.pem.
    • (Windows) The file is created in <WINDIR>\rsc\certs\BladeLogicRSCD.
  3. Update the securecert file to contain an encoded copy of the passphrase. Using Network Shell, enter the following:
    secadmin -m default -cu <user> -cp password
    where <user> is BladeLogicRSCD for Windows repeaters and, for UNIX repeaters, the user who created the certificate (such as root), and password is the passphrase you entered in step 2.
    Enter the passphrase in clear text. The secadmin utility encrypts it before writing it to the securecert file.
    After issuing this command, the contents of the securecert file are updated to include an entry for your current user name, such as root or BladeLogicRSCD. For example, this command might create an entry like the following. (The encoded passphrase varies.)
    
    [default]
    
    BladeLogicRSCD=FCUVOMLNGLVRZNOO
    
  4. For UNIX repeaters, ensure that access is restricted to the id.pem file and the .bladelogic directory by running the following commands. The path shown assumes the .bladelogic directory is under /opt/bmc/bladelogic/NSH/br; use the directory in which id.pem was created in step 2 (for example, /root/.bladelogic):
    
    chmod 700 /opt/bmc/bladelogic/NSH/br/.bladelogic
    chmod 600 /opt/bmc/bladelogic/NSH/br/.bladelogic/id.pem
    
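The permission restriction in step 4 is also the condition TrueSight Server Automation checks before loading the certificate on UNIX repeaters. The following added example (not part of the BMC documentation) is a small POSIX sh check that reports any group or world permission bits on the .bladelogic directory and its id.pem, and a helper that applies the chmod 700 / chmod 600 settings from step 4. The directory path is an argument, since it depends on which user generated the certificate.

```shell
#!/bin/sh
# Added example, not from the BMC page: verify that the repeater's
# client certificate directory and id.pem carry no group or world
# permission bits. On UNIX repeaters TrueSight Server Automation
# refuses to load the certificate if any such bits are set.

# group_world_bits PATH
# Prints the six group+other permission characters of PATH
# ("------" when fully restricted). Parsed from ls -ld so it works
# on both GNU and BSD userlands without stat's differing flags.
group_world_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_cert_perms DIR
# DIR is the .bladelogic directory in which id.pem was generated,
# e.g. /root/.bladelogic. Returns 0 if both DIR and DIR/id.pem are
# restricted to their owner, 1 otherwise, naming each offending path.
check_cert_perms() {
    dir=$1
    rc=0
    for path in "$dir" "$dir/id.pem"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2
            rc=1
            continue
        fi
        bits=$(group_world_bits "$path")
        if [ "$bits" != "------" ]; then
            echo "group/world access set on $path (bits: $bits)" >&2
            rc=1
        fi
    done
    return $rc
}

# fix_cert_perms DIR
# Applies the settings from step 4 of the procedure: 700 on the
# directory, 600 on id.pem. Run as the owner of the certificate.
fix_cert_perms() {
    chmod 700 "$1" && chmod 600 "$1/id.pem"
}
```

Run check_cert_perms against the .bladelogic directory after generating the certificate; a non-zero exit with a message on stderr means the certificate will not be loaded until the named path is restricted.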