Agent configuration file parameters
This topic covers the more advanced agent configuration parameters that control SSL/TLS and certificate handling in BMC Client Management.
CertAuth Parameter
In BMC Client Management, the authority that signs an agent's certificate can be overridden. The CertAuth parameter in the agent configuration file (mtxagent.ini) holds the name of the authority certificate used to sign the agent certificate.
To change the certificate authority, first copy the required files into the ${AGENT_BIN}/certs/auth directory. These files are:
- the authority X509 certificate (extension .crt)
- its associated RSA private key (extension .key)
- an optional Key Encrypted Password file (extension .kep)
When starting, the agent scans this directory and installs any new certificate it finds as a newly available authority. All the files of one authority must share the same base name (only the extension differs); it is this base name that you set as the CertAuth value to select the new authority.
The KEP (Key Encrypted Password) file is a BMC-specific feature: the RSA private key is encrypted with a password that does not have to be deployed alongside it, because the CM agent derives the password itself from several pieces of information. This automatic password generation takes the file names into account, among other inputs, so none of the files can be renamed once the KEP functionality is in use.
CertTrusted Parameter
The CM agent must know which authorities to trust. The second parameter, CertTrusted, in the agent configuration file (mtxagent.ini) therefore holds a comma-separated list of authority certificates to trust. A certificate must be installed before it is referenced in the configuration. Unlike the signing authority, trusting an authority requires only its X509 certificate (extension .crt).
To add a new trusted certificate authority, copy its X509 certificate (extension .crt) into the ${AGENT_BIN}/certs/trusted directory. When starting, the agent scans this directory and installs any new certificate it finds as a trusted authority. As in the CertAuth section, certificates referenced in the configuration file are named without any extension.
You can also list end-entity certificates (not only those of authorities). In this case no certificate chain is verified: if a peer agent presents a certificate that is itself listed as trusted, the default chain verification is bypassed and the certificate is accepted.
SSLProtocols Parameter
The SSLProtocols parameter in the agent configuration file (mtxagent.ini) selects which TLS protocol versions are enabled. This parameter is not defined by default; in that case only TLS1.2 and TLS1.3 are enabled (TLS1.0 and TLS1.1 are disabled). If the parameter is set to TLS1.3, then TLS1.0, TLS1.1, and TLS1.2 are automatically disabled. This parameter is available in the Java console settings and in the agent security operational rule. We recommend setting this parameter to protect against the BEAST (Browser Exploit Against SSL/TLS) vulnerability.
SSLCiphers Parameter
The SSLCiphers parameter in the agent configuration file (mtxagent.ini) selects which cipher suites are enabled. By default, BCM configures this parameter to a high security standard. The configured value is passed verbatim to the underlying SSL context, so double-check it to avoid weakening the agent's security. This parameter is not available in the Java console settings or in the agent security operational rule. To harden the agent further, redefine this parameter with a stricter cipher list. The parameter is not present in the configuration file by default; add it to the security section of the configuration file.
The following value differs from the default but has been tested; it restricts the agent to a much smaller set of cipher suites:
SSLCiphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256
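As an added example (not BMC's code), the following Python script audits the CertAuth, CertTrusted and SSLCiphers values described above before an mtxagent.ini is deployed: it checks that every referenced certificate is named without extension and that the expected .crt and .key files exist under ${AGENT_BIN}/certs, and it hands the SSLCiphers value to an OpenSSL context the way the agent does, reporting which suites are actually enabled and which tokens OpenSSL silently discarded. The [Security] section name, the MyCorpCA and VendorCA names and the sample ini are assumptions.

```python
import configparser
import ssl
import tempfile
from pathlib import Path

SECTION = "Security"  # assumed section name; the page only says "the security section"

def check_cert_refs(cfg, agent_bin):
    """Check CertAuth / CertTrusted entries against ${AGENT_BIN}/certs/{auth,trusted}."""
    problems = []
    for key, subdir, exts in (("CertAuth", "auth", (".crt", ".key")), ("CertTrusted", "trusted", (".crt",))):
        for name in (n.strip() for n in cfg.get(SECTION, key, fallback="").split(",") if n.strip()):
            if Path(name).suffix:                 # entries are referenced by base name only
                problems.append(f"{key} '{name}' must be referenced without extension")
                continue
            for ext in exts:                      # authority: cert AND key; trusted: cert only
                if not (agent_bin / "certs" / subdir / (name + ext)).is_file():
                    problems.append(f"{key}: certs/{subdir}/{name}{ext} is missing")
    return problems

def resolve_ciphers(cipher_list):
    """Apply SSLCiphers verbatim as the agent does; return (enabled TLS 1.2 suites, tokens OpenSSL dropped)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)                  # raises only if NO suite matches at all
    enabled = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    dropped = []
    for token in cipher_list.split(":"):          # probe each explicit suite name on its own
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(token)
        except ssl.SSLError:                      # unknown names are silently ignored in a list
            dropped.append(token)
    return enabled, dropped

SAMPLE_INI = """[Security]
CertAuth=MyCorpCA
CertTrusted=MyCorpCA,VendorCA.crt
SSLCiphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSAAES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""  # constructed sample: one mistyped suite name, one trusted entry that keeps its extension

def run_demo():
    """Build a throw-away ${AGENT_BIN} holding only MyCorpCA.crt (no .key) and audit SAMPLE_INI."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(SAMPLE_INI)
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("auth", "trusted"):
            Path(tmp, "certs", sub).mkdir(parents=True)
            Path(tmp, "certs", sub, "MyCorpCA.crt").write_text("placeholder, not a real PEM\n")
        problems = check_cert_refs(cfg, Path(tmp))
    enabled, dropped = resolve_ciphers(cfg.get(SECTION, "SSLCiphers"))
    return {"problems": problems, "enabled": enabled, "dropped": dropped}
```

Call run_demo() to see the findings for the constructed sample: OpenSSL only raises an error when the whole list resolves to nothing, so a typo in one entry simply drops that suite without any warning.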