TLS with client-side certs - Securing a Windows Application Server


Use this procedure to generate a self-signed, client-side certificate for a Windows Application Server, provision all targeted agents or repeaters with a SHA1 fingerprint of that self-signed certificate, and configure those agents or repeaters to authenticate incoming requests using client-side certificates. If your environment includes multiple Application Servers, repeat this procedure for each Application Server.

Note that in the context of this topic, a client refers to an Application Server that is attempting to establish contact with the server hosting an agent. Generally, in BMC Server Automation documentation a client refers to a host running the BMC Server Automation Console or Network Shell.

To stop using self-signed, client-side certificates, see TLS with client-side certs - Discontinuing use of client-side certificates.

You can also use this procedure to secure communication between a Windows Network Shell proxy server and agents or repeaters with TLS and client-side certificates. The procedure for a Network Shell proxy server is identical to the procedure for an Application Server.

The following is a master procedure. Each step references a separate topic that describes that step in detail.

  1. Create a self-signed, client-side certificate on the Application Server. Then add the passphrase for that certificate to the securecert file.
  2. Provision all targeted agents and repeaters with a SHA1 fingerprint of the Application Server self-signed certificate.
  3. Configure all targeted agents or repeaters to authenticate incoming requests using client-side certificates.
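
The three steps above, as an added PowerShell example that is not BMC's tooling or documentation: it creates a self-signed client certificate, derives the SHA1 fingerprint that is provisioned to agents and repeaters, and shows the agent-side match against the provisioned value. The subject name, output path and certificate store location are assumptions; the passphrase handling for the securecert file is outside this example.

```powershell
# Added example (not BMC's own commands). Uses the CurrentUser store so it runs
# without elevation; the real Application Server certificate would live elsewhere.
$subject = 'CN=appserver01.example.local'   # assumed Application Server hostname
$outDir  = Join-Path $env:TEMP 'bsa-client-cert' # assumed staging folder for distribution

# Step 1 equivalent: self-signed certificate with a non-exportable private key,
# so the key stays on the Application Server and only the public cert is distributed.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(2)

# Step 2 equivalent: the SHA1 hash of the DER-encoded certificate is the fingerprint
# that agents and repeaters are provisioned with. Format it colon-separated so it can
# be compared by eye against what a TLS client or viewer displays.
function Format-Sha1Fingerprint([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $hex   = $c.GetCertHashString()   # SHA1 by default, uppercase hex, no separators
    $pairs = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    return ($pairs -join ':')
}

# Step 3 equivalent: an agent accepts a client certificate only when its fingerprint
# matches the provisioned one. Case and separators are normalised so a hand-typed value
# still matches; anything that is not exactly 20 bytes of hex is rejected outright.
function Test-PinnedFingerprint {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Presented,
        [string]$Provisioned
    )
    $norm = ($Provisioned -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($norm.Length -ne 40) { return $false }
    return $Presented.GetCertHashString().ToUpperInvariant() -eq $norm
}

New-Item -ItemType Directory -Force -Path $outDir | Out-Null
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'appserver.cer') | Out-Null

$fingerprint = Format-Sha1Fingerprint $cert
"Provision this SHA1 fingerprint to agents/repeaters: $fingerprint"

# A certificate with a different key, even with the same subject, must not match.
$other = New-SelfSignedCertificate -Subject $subject -CertStoreLocation 'Cert:\CurrentUser\My'
"Own cert matches:   $(Test-PinnedFingerprint -Presented $cert  -Provisioned $fingerprint)"
"Other cert matches: $(Test-PinnedFingerprint -Presented $other -Provisioned $fingerprint)"
```

Because agents pin the exact fingerprint rather than trusting a CA, renewing or replacing the Application Server certificate means re-running step 2 on every targeted agent and repeater.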


BMC Server Automation 8.2