Provisioning agents and repeaters with a fingerprint of the Application Server self-signed certificate (UNIX)


Use this procedure to create, or update, on each managed server and repeater a file named bladmin. This file contains the SHA1 fingerprint of the Application Server self-signed certificate. An agent or repeater uses this fingerprint to validate the self-signed certificate received from the Application Server during the TLS handshake.

NEW IN 21.02: In addition to SHA1, you can use the following hash algorithms for the fingerprint: SHA224, SHA256, SHA384, and SHA512.

These hash algorithms are supported starting with RSCD Agent 21.02. Therefore, upgrade the RSCD Agents to 21.02 before using them.

To provision agents and repeaters with a fingerprint of the Application Server self-signed certificate

  1. Ensure that the secure file on all managed servers is configured so that tls_mode=encryption_only. If necessary, generate this setting by running the following secadmin command on each agent:
    secadmin -m rscd -p 5 -T encryption_only -e tls

    Tip

    You can also run this command using nexec from the Application Server (using nexec <hostname> secadmin ...) or by using a NSH script job.

    Before you can provision a managed server with the fingerprint of the Application Server's certificate, you must ensure that the secure file on the agent or repeater is configured correctly. If you prematurely set the rscd entry in a secure file so that tls_mode=encryption_and_auth, the agent or repeater will refuse the incoming connection because it does not yet have the SHA1 fingerprint of the Application Server's self-signed certificate. The secure file must have the rscd entry set as shown below when you deploy the certificate fingerprint. The secure file is located in the /etc/rsc directory on a UNIX server and in C:\<WINDIR>\rsc on Windows, where <WINDIR> is typically windows.
    rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
    This is the default setting after a fresh installation of an agent, so in most situations there is no need to perform this step.

  2. Set up root or Administrator privileges on each managed server hosting an agent for connections from the application server host.
    To provision an agent or repeater with the fingerprint of an Application Server's certificate, you must have root or Administrator privileges on the server hosting the agent. To grant this privilege, update the exports file by adding the entry that matches the agent's platform:
    (Windows) <appserver hostname> rw,user=Administrator
    (UNIX)    <appserver hostname> rw,user=root
    where <appserver hostname> is the hostname or IP address of the application server host. Ensure that you revert these settings to more restrictive settings after performing the next two steps, as described in step 5.
  3. Using a command line on the Application Server, cd to /opt/bmc/bladelogic/NSH/br/.bladelogic, the directory containing the id.pem file.
  4. Push the fingerprint to managed servers.
    Examples:

    • To push SHA1 fingerprint, enter this command:
      /opt/bmc/bladelogic/NSH/sbin/putcert bladmin id.pem <agent1...agentN>
    • To push a fingerprint computed with another hash algorithm (NEW IN 21.02), enter this command:
      /opt/bmc/bladelogic/NSH/sbin/putcert -hashalgo <sha_algorithm> bladmin id.pem <agent1...agentN>
      For example, to push a SHA512 fingerprint, enter this command:
      /opt/bmc/bladelogic/NSH/sbin/putcert -hashalgo sha512 bladmin id.pem <agent1...agentN>

    where:
    <agent1...agentN> is a space-separated list of the host names or IP addresses (IPv4 or IPv6) of the managed servers hosting agents or repeaters.
    <sha_algorithm> is one of the following: sha512, sha384, sha256, or sha224.
    This command creates or updates a fingerprint file on each targeted agent or repeater. The fingerprint file is saved at the following path:

    • (Windows Agent target) C:\Program Files\BMC Software\BladeLogic\RSCD\certs\bladmin
    • (UNIX Agent target) /opt/bmc/bladelogic/NSH/certs/bladmin

    In environments where multiple Application Servers communicate with Agents, you should provision each Application Server with its own self-signed certificate. Performing this procedure for each of those Application Servers generates multiple fingerprints.

  5. Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents from the application server host are mapped to root or Administrator.
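As an added example that is not part of the BMC documentation or of putcert: a small Python check that recomputes the id.pem fingerprint and compares it with the contents of an agent's bladmin file, so a stale or mismatched fingerprint can be found before tls_mode is switched to encryption_and_auth. It assumes the fingerprint is the hash of the certificate's DER encoding (the form `openssl x509 -fingerprint` prints) and that bladmin holds a single hex fingerprint, with or without colon separators; the sample PEM body is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import ssl
from typing import Optional

# Fingerprint algorithms the procedure supports; SHA1 is putcert's default,
# the others require RSCD Agent 21.02 or later (-hashalgo).
SUPPORTED_ALGOS = ("sha1", "sha224", "sha256", "sha384", "sha512")

# Constructed placeholder: 64 arbitrary bytes wrapped in PEM armor. It is NOT
# a real certificate; a fingerprint depends only on the DER bytes, so any
# PEM body exercises the code identically. Use the real id.pem in practice.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(64))).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def cert_fingerprint(pem: str, algo: str = "sha1") -> str:
    """Hash the certificate's DER encoding and format it as AA:BB:...:ZZ,
    the form `openssl x509 -fingerprint` prints (assumed to match putcert)."""
    algo = algo.lower()
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the armor, base64-decodes
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Canonical form for comparison: the last token of the text, with any
    'label=' prefix removed, as uppercase hex without separators."""
    tokens = fingerprint.split()
    token = tokens[-1].split("=")[-1] if tokens else ""  # empty file -> ""
    return "".join(ch for ch in token.upper() if ch in "0123456789ABCDEF")


def bladmin_matches(bladmin_text: str, pem: str) -> Optional[str]:
    """Return the hash algorithm under which the agent's bladmin content is
    the fingerprint of `pem`, or None when it matches no algorithm (stale
    or foreign certificate: that agent would reject this Application Server
    once tls_mode=encryption_and_auth is set)."""
    stored = normalize(bladmin_text)
    for algo in SUPPORTED_ALGOS:
        if normalize(cert_fingerprint(pem, algo)) == stored:
            return algo
    return None
```

Read the real id.pem and the bladmin file fetched from each agent into `bladmin_matches`; a `None` result marks an agent that must be re-provisioned before enforcing authentication.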

Note

Ensure that you keep a backup of the id.pem file. This backup file will enable you to restore communication between the Application Server and your RSCD Agents if the id.pem file is inadvertently removed or changed. See also Backup-and-restore-of-the-TrueSight-Server-Automation-environment.
