Smart Hub to Application Server and Smart Agent
The Smart Hub, Application Server, and Smart Agents use certificate-based authentication to verify each other.
Smart Hub private keys and certificates
The Smart Hub acts as a private Certificate Authority (CA) and issues or signs certificates for its clients. To do so, it needs a CA signer certificate, which is generated from the details you provide during the Smart Hub installation. The installation generates a private CA key, smartHubCA.key, and a CA root certificate, smartHubCA.crt; these are used to sign the client certificates.
In addition, the Smart Hub is a server component listening on port 443 by default, so it also needs a server certificate of its own. The installation generates a private key, smartHubWM.key, and a certificate signing request (CSR) from the details you provide. The Smart Hub private CA key, smartHubCA.key, and the root certificate, smartHubCA.crt (also called the CA bundle), are used to sign this CSR, producing the server certificate, smartHubWM.crt. The Smart Hub server certificate is therefore signed by the Smart Hub private CA rather than by a public CA, which is why clients need a copy of the CA bundle to verify it.
Inputs required for the authentication and verification mechanism to work
The Smart Hub communication with its clients is established after you complete the following tasks:
- During the Smart Hub installation, provide a shared secret key (SSK).
- (Optional) After the Smart Hub installation or upgrade is complete, copy the generated CA bundle to the Application Server. The CA bundle is needed for the Application Server to verify that it is communicating with a legitimate Smart Hub and Smart Hub Gateway; if you skip this step, the Application Server has no trust anchor against which to check the server certificate the Smart Hub presents.
- Provide the same SSK and other Smart Hub details such as host and port number, and optionally, path to the CA bundle, when registering the Smart Hub in the Application Server.
- During the Smart Agent installation, provide the required Smart Hub details such as host, port, and access key. The CA bundle included in the access key is needed for the Smart Agent to validate whether it is communicating with a legitimate Smart Hub and Smart Hub Gateway.
How does the Smart Hub authenticate an Application Server?
When authenticating an Application Server for the first time, the Smart Hub relies on the SSK provided during the Smart Hub installation. For subsequent authentications, the Application Server presents the certificate it received and stored during registration.
The authentication mechanism works as follows.
First time authentication (SSK-based)
During the Smart Hub registration, the Smart Hub and Application Server perform the following tasks:
- The Application Server sends a CSR to the Smart Hub along with authentication details created using the SSK that you provided during the Smart Hub installation.
- The Smart Hub performs the following tasks:
- Verifies the authentication details using the SSK stored in its database, thus authenticating the Application Server for the first time. Because the SSK is the only thing that authenticates this first exchange, protect it like any other credential.
- Acts as a private CA and creates a signed certificate from the received CSR.
- Creates an RSA key pair (private/public key pair). The private key is stored in the Smart Hub database.
- Sends the signed certificate and the public key to the Application Server.
- The Application Server saves the certificate and public key in its database. The public key is displayed as an encoded access key on the UI.
Subsequent authentications (Certificate-based)
The Application Server uses the stored certificate for all future communication with the Smart Hub. The Smart Hub verifies the certificate presented by the Application Server against its CA root certificate.
How does the Smart Hub authenticate a Smart Agent?
When authenticating a Smart Agent for the first time, the Smart Hub relies on the RSA key pair it created during Application Server registration: the Smart Agent proves that it holds the public key distributed in the access key, and the Smart Hub checks that proof with the matching private key. For subsequent authentications, the Smart Agent presents its signed certificate.
The authentication mechanism works as follows.
First time authentication (Public key-based)
- The Smart Agent extracts the public key, CA bundle (if present) and other details from the access key that you provided during the Smart Agent installation.
- The Smart Agent sends a CSR to the Smart Hub along with the authentication details created using the public key.
- The Smart Hub performs the following tasks:
- Verifies the authentication details using the private key that it stored when the Application Server registered, thus authenticating the Smart Agent for the first time.
- Acts as a private CA and creates a signed certificate from the received CSR.
- The Smart Hub issues the signed certificate to the Smart Agent.
- The Smart Agent saves the signed certificate and removes the access key from its configuration file, so the access key remains on the agent only for the duration of the bootstrap.
Subsequent authentications (Certificate-based)
A Smart Agent uses its signed certificate for all future communication with the Smart Hub, which verifies the certificate presented by the Smart Agent against the CA root certificate.
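The two first-time proofs described above (SSK-based for the Application Server, public-key-based for the Smart Agent), as an added example written for this page and not taken from the product. The page does not say how the "authentication details" are constructed, so this example assumes an HMAC-SHA256 over the CSR keyed with the SSK for the Application Server, and an RSA-OAEP encryption of the CSR digest under the access-key public key for the Smart Agent, checked by the hub with the private half it keeps. The access-key layout (base64-encoded JSON carrying the host, the public key and the optional CA bundle), the placeholder CSR bytes and every name below are constructed for the example; signing the CSR with the private CA is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AccessKey is the encoded value shown in the Application Server UI (layout assumed).
type AccessKey struct {
	Host      string `json:"host"`
	PublicKey []byte `json:"pub"`          // PKIX DER of the hub-generated RSA public key
	CABundle  []byte `json:"ca,omitempty"` // PEM CA bundle, present only if one was supplied
}

func (k AccessKey) Encode() string { return base64.StdEncoding.EncodeToString(must(json.Marshal(k))) }

// DecodeAccessKey is what the Smart Agent installer does with the pasted value.
func DecodeAccessKey(s string) (k AccessKey, err error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err == nil {
		err = json.Unmarshal(raw, &k)
	}
	return k, err
}

// SSKTag is the Application Server's first-time proof: a MAC over the CSR keyed with the SSK (assumed).
func SSKTag(ssk, csrDER []byte) []byte {
	m := hmac.New(sha256.New, ssk)
	m.Write(csrDER)
	return m.Sum(nil)
}

// Hub keeps the SSK from the installer and the private half of the access-key pair.
type Hub struct {
	ssk      []byte
	agentKey *rsa.PrivateKey
}

func NewHub(ssk string) *Hub { return &Hub{ssk: []byte(ssk)} }

// RegisterAppServer checks the tag against the stored SSK in constant time, then mints the RSA pair.
func (h *Hub) RegisterAppServer(csrDER, tag []byte, host string, bundle []byte) (string, error) {
	if !hmac.Equal(tag, SSKTag(h.ssk, csrDER)) {
		return "", errors.New("SSK mismatch: Application Server not authenticated")
	}
	h.agentKey = must(rsa.GenerateKey(rand.Reader, 2048))
	pub := must(x509.MarshalPKIXPublicKey(&h.agentKey.PublicKey))
	return AccessKey{Host: host, PublicKey: pub, CABundle: bundle}.Encode(), nil
}

// AgentProof binds the agent's CSR to the access key: the CSR digest is encrypted under the public key.
func AgentProof(k AccessKey, csrDER []byte) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(k.PublicKey)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("access key does not carry an RSA public key")
	}
	d := sha256.Sum256(csrDER)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, d[:], nil)
}

// AuthenticateAgent decrypts the proof with the stored private key and compares digests.
func (h *Hub) AuthenticateAgent(csrDER, proof []byte) error {
	if h.agentKey == nil {
		return errors.New("no access key issued yet: register the hub in the Application Server first")
	}
	want := sha256.Sum256(csrDER)
	got, err := rsa.DecryptOAEP(sha256.New(), nil, h.agentKey, proof, nil)
	if err != nil || !hmac.Equal(got, want[:]) {
		return errors.New("access key proof rejected")
	}
	return nil
}

func main() {
	hub := NewHub("installer-ssk")
	csr := []byte("constructed stand-in for a CSR in DER form")
	enc := must(hub.RegisterAppServer(csr, SSKTag([]byte("installer-ssk"), csr), "smarthub.example.internal", nil))
	proof := must(AgentProof(must(DecodeAccessKey(enc)), csr))
	fmt.Println("agent accepted:", hub.AuthenticateAgent(csr, proof) == nil)
	fmt.Println("replayed proof accepted:", hub.AuthenticateAgent([]byte("another CSR"), proof) == nil)
}
```

Both proofs are bound to the CSR they accompany, so a captured tag or proof cannot be replayed to enrol a different key, and the SSK itself never leaves the Application Server. The hub cannot authenticate any agent until an Application Server has registered, which matches the page's ordering: the access key only exists after that registration.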
How does an Application Server verify that it is communicating with a legitimate Smart Hub and Smart Hub Gateway?
An Application Server verifies the server certificate of the Smart Hub and Smart Hub Gateway to decide if it is communicating with a legitimate Smart Hub and Smart Hub Gateway.
The verification mechanism works as follows:
- The Application Server verifies the Smart Hub server certificate using the CA bundle that you copied after the Smart Hub installation.
- The Application Server saves the Smart Hub details such as host, port, and CA bundle in the database.
- The Application Server uses the saved CA bundle for verifying the Smart Hub server certificate for each communication.
- If Smart Hub Gateway is also configured with the Smart Hub, the same CA bundle is used for verifying the Smart Hub Gateway server certificate.
How does a Smart Agent verify that it is communicating with a legitimate Smart Hub and Smart Hub Gateway?
A Smart Agent verifies the server certificate of Smart Hub and Smart Hub Gateway to decide if it is communicating with a legitimate Smart Hub and Smart Hub Gateway.
The verification mechanism works as follows:
- If a CA bundle is provided when registering the Smart Hub with the TrueSight Server Automation infrastructure, the access key includes the CA bundle.
- When this access key is provided during the Smart Agent installation or upgrade, the Smart Agent extracts the CA bundle from the access key and saves it to the file system (protected by file system permissions).
- The Smart Agent uses the saved CA bundle for verifying the Smart Hub server certificate for each communication.
- If Smart Hub Gateway is also configured with the Smart Hub, the same CA bundle is used for verifying the Smart Hub Gateway server certificate.
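The private CA, server certificate and CA bundle described under "Smart Hub private keys and certificates", together with the client-side server-certificate check described in the two sections above, as an added example written for this page with Go's crypto/x509 (not product code). Key sizes, lifetimes, the subject names and the host name smarthub.example.internal are assumptions. The same chain check with the roles swapped is what the Smart Hub does when it verifies a client certificate against its CA root; the rogue-CA case at the end shows why a client must check against the saved CA bundle rather than merely require TLS.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// PrivateCA holds what the installer writes as smartHubCA.key and smartHubCA.crt.
type PrivateCA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewPrivateCA creates the self-signed root from the CA signer details (name assumed).
func NewPrivateCA(name string) *PrivateCA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now().Add(-time.Minute) // small back-date tolerates clock skew
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &PrivateCA{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// Bundle is the PEM root certificate copied to the Application Server and embedded in access keys.
func (ca *PrivateCA) Bundle() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})
}

// NewServerCSR is the installer's smartHubWM.key plus a CSR for the hub's host name.
func NewServerCSR(host string) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// SignServerCSR turns the CSR into smartHubWM.crt; the CSR signature check proves key possession.
func (ca *PrivateCA) SignServerCSR(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	now := time.Now().Add(-time.Minute)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		DNSNames:  csr.DNSNames, // clients match these against the host they dialled
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyHubCert is the client-side check (Application Server or Smart Agent, and the same for a
// Smart Hub Gateway): the certificate must chain to the saved CA bundle and name the dialled host.
func VerifyHubCert(bundlePEM []byte, serverCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return fmt.Errorf("CA bundle contains no certificate; cannot verify the Smart Hub")
	}
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "smarthub.example.internal"
	ca := NewPrivateCA("Smart Hub CA")
	_, csr := NewServerCSR(host)
	hubCert := must(ca.SignServerCSR(csr))
	fmt.Println("genuine hub:", VerifyHubCert(ca.Bundle(), hubCert, host))
	// A rogue CA can mint a certificate with the same subject and host name, but it does not
	// chain to the bundle the client saved, so the client rejects it.
	rogue := NewPrivateCA("Smart Hub CA")
	fmt.Println("impostor hub:", VerifyHubCert(ca.Bundle(), must(rogue.SignServerCSR(csr)), host))
}
```

Two failure modes are worth noting when debugging a client that refuses to talk to the hub: an empty or wrong CA bundle file (the pool has no roots, so nothing can verify), and a host name that does not appear in the server certificate (a gateway or hub reached through an alias that was not in the CSR).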