
Certificates


The normal use of the SSL standard is server authentication. When a browser connects to a secured web server (HTTPS instead of HTTP), a pop-up often displays a warning because the received certificate is not trusted; the user must then decide whether to accept the connection or stop the handshake. This happens because a secured server sends its server certificate at the beginning of the SSL handshake, and the client is responsible for allowing or refusing the connection depending on the certificate issuer. The certificate issuer is the authority that signed (delivered) the certificate. If an authority is trusted, all certificates signed by that authority are trusted.

SSL connections between the agents are themselves managed by certificates. These allow an agent to access all the other agents it needs to reach. Via these certificates it is also possible to completely isolate a part of the network, for example a subnet, or even the whole network.

The following different types of certificates are used for agent communication:

  • Certificate Authority (CertAuth)
     The certificate authority is the authority that signs the agent certificate (client CM server).
  • Trusted Certificates (CertTrusted)
     An agent requesting a connection with another agent accepts the connection if the returned certificate was signed by one of the trusted authorities listed in its trusted certificates parameter. If the returned certificate is signed by an unknown authority, the requesting agent abandons the connection.

These certificates are specified via the respective parameters in the Security section of the agent configuration file (mtxagent.ini). If no certificates are defined, the default BMC certificates are established as the authority and used for certification. The parameters must be modified individually in the .ini file on each device agent, or they can be modified in bulk via the operational rule that modifies a configuration file.

(Figure: ssl.png)

The preceding graphic shows an example with two subnets with separate certificate authorities, Asia and Europe. The agents in each subnet may contact all other agents in their own subnet, but not those in the rest of the network.
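To make the trust decision and the subnet isolation in the graphic concrete, the following Python model is added here; it is not part of the BMC product or of this documentation. It assumes that CertAuth and CertTrusted in the [Security] section hold authority names (real installations reference certificate files) and uses the constructed placeholder name BMC-Default for the built-in BMC authority.

```python
"""Model of the agent trust decision: an agent that requests a connection
accepts it only if the peer's certificate issuer (the peer's CertAuth) is
listed in the requester's CertTrusted. Constructed example, not BMC code."""
import configparser

DEFAULT_AUTHORITY = "BMC-Default"  # assumed placeholder for the default BMC certificates

# Constructed mtxagent.ini fragments: two isolated subnets (Asia, Europe),
# an "hq" agent that trusts both authorities, and an agent with no certificates.
AGENT_CONFIGS = {
    "asia-1": "[Security]\nCertAuth = Asia-CA\nCertTrusted = Asia-CA\n",
    "asia-2": "[Security]\nCertAuth = Asia-CA\nCertTrusted = Asia-CA\n",
    "europe-1": "[Security]\nCertAuth = Europe-CA\nCertTrusted = Europe-CA\n",
    "europe-2": "[Security]\nCertAuth = Europe-CA\nCertTrusted = Europe-CA\n",
    "hq": "[Security]\nCertAuth = HQ-CA\nCertTrusted = Asia-CA, Europe-CA, HQ-CA\n",
    "default-agent": "[Security]\n",  # nothing defined: default BMC authority applies
}


def load_security(ini_text: str) -> tuple[str, frozenset[str]]:
    """Return (issuer of this agent's own certificate, authorities it trusts).
    When no certificates are defined, the default authority is used for both."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["Security"] if cp.has_section("Security") else {}
    issuer = sec.get("CertAuth", "").strip() or DEFAULT_AUTHORITY
    raw = sec.get("CertTrusted", "")
    trusted = {a.strip() for a in raw.split(",") if a.strip()} or {DEFAULT_AUTHORITY}
    return issuer, frozenset(trusted)


def accepts_connection(requester: str, responder: str) -> bool:
    """True if the requester would keep the SSL handshake with the responder."""
    _, trusted = load_security(AGENT_CONFIGS[requester])
    responder_issuer, _ = load_security(AGENT_CONFIGS[responder])
    return responder_issuer in trusted


def reachable_peers(requester: str) -> list[str]:
    """Agents the requester can connect to; shows the per-subnet isolation."""
    return sorted(p for p in AGENT_CONFIGS
                  if p != requester and accepts_connection(requester, p))


if __name__ == "__main__":
    for name in AGENT_CONFIGS:
        print(f"{name:14} -> {reachable_peers(name)}")
```

Note that the decision is one-directional: hq reaches the Asia agents because it trusts Asia-CA, but an Asia agent does not reach hq, since HQ-CA is not in its trusted list.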

