Setting the Security parameters
The parameters in this node define the options for secure agent communication. This includes the way the agents communicate between each other as well as the certificates being used for secure communication. For Windows devices the access to the MyApps Kiosk may also be defined.
Parameter | Default value | Description |
|---|---|---|
Secure Communication | Yes | Defines if the agent communicates in secure format. The possible values are:
|
Enabled SSL Protocols | Authorized SSL protocols for agent communication. Accepted values are TLS1.0, TLS1.1, TLS1.2 or a comma separated list of these values. When it is not defined, the default value is configured to TLS 1.2. | |
Authority Certificate | bcm | The authority certificate (CA Cert) to be used for signing the agent certificate of required. The parameter expects a certificate name (without extension) registered in the agent cert store (auth section), such as Numara_ca. This parameter is used on the server side and can also be used on the client side if the server is configured to authenticate the client. |
Current Authority Certificate | bcm | Defines the name of the certificate authority which is currently configured. |
Trusted Authorities | bcm | A comma separated list of certificates to be trusted when connecting to a secured server or a client. By default, the agent trusts the default Numara CA unless a different list of certificates is configured. The parameter expects a list of certificate names (without extension) registered in the agent cert store (trusted section), for example, Numara_ca, enterprise_ca, startfleet_ca. This parameter is used on the client side as well as on the server, for the device to know if it can trust the answering device by comparing its certificate with the list of trusted certificates, if it does not match the authority certificate. |
Current Trusted Authorities | bcm | The currently used trusted authorities configured which the local agent may trust for communication. |
User Certificate | The user defined final certificate to be used for both the client and server roles. When this parameter is configured the agent ignores any other authority except the ones to be trusted. It expects a certificate name (without extension) registered in the Agent certificate store (user section), for example, Numara, enterprise, starfleet. | |
Current User Certificate | The currently used user defined final certificate to be used for the server role. This is a certificate name (without extension) registered in the Agent certificate store (integration section), for example, Numara, enterprise, starfleet. | |
Integration Certificate | The integration defined final certificate to be used for the server role. It expects a certificate name (without extension) registered in the Agent certificate store (integration section), for example, Numara, enterprise, starfleet. | |
Current Integration Certificate | bcm | The currently used integration defined final certificate for the server role. This is a certificate name (without extension) registered in the Agent certificate store (integration section), for example, Numara, enterprise, starfleet. |
Certificate Subject organization | Name of your organization. This value forms a part of the distinguished name for the certificate. | |
Certificate Subject organization unit | Name of your organizational unit (section or division of the organization). This value forms a part of the distinguished name for the certificate. | |
Certificate Subject locality | Name of the town or city where your organization is located. This value forms a part of the distinguished name for the certificate. | |
Certificate Subject state | Full name of the state or province for your organization. This value forms a part of the distinguished name for the certificate. | |
Certificate Subject country | Two-letter ISO country code for your organization. This value forms a part of the distinguished name for the certificate. | |
Block Navigation from Agent User Interface | No | Check this box if the agent user interface is to be run in the browser's kiosk mode (full screen without menus or navigation bar). The installation of an add-on may be necessary to be able to use this mode (for example, with Firefox). |
Strict Agent User Interface Authentication | No | Indicate if the user can apply operational rules assigned to the device without explicit authentication. If the strict authentication mode is disabled the user is able to execute operational rules locally without authentication. Enabling this parameter forces user authentication for all cases. This parameter is ignored for rules that are assigned to users. |
Lock the agent service | No | Check this box if the agent service is to be locked. |
SSL Extension IDs | The agent uses an SSL extension (to be precise: a TLS extension). This parameter specifies the ID of this extension, which must be the same on all devices. The valid values as per the TLS norm must be in the range from 65282 to 65535 included. To change the ID on a product environment, more than one value, separated by comma can be set. | |
Embed Second SSL Layer in WEB Sockets | Yes | When an inter-agent communication goes through a network material like reverse proxy, the SSL layer is handed by it. In order to keep a proper inter-agent authentication, a second SSL layer is created. This leads to being out of the scope of standard protocols. In order to cope with standard protocols, this tells the agent to put the second SSL layer in a Web Socket. |
Trusted Authorities for Base SSL Client | File(s) containing the public authorities that the base SSL client will trust. The default value is the file that is managed by the Update Manager. | |
SSL ClientCheckPeer | Yes | |
Permissive Base SSL Client | Yes | Check this box to trust all configured public authorities. The inter-agent communications still uses the Instance specific certificate for authentication. This should remain enabled for backward compatibility. |
User Base Server Certificate | Certificate to be used when acting as a HTTPS server serving for non-interagent communications. |