TLS with client-side certificates - Securing a UNIX Application Server

Use this procedure to generate a self-signed, client-side certificate for a UNIX-based Application Server, provision all targeted agents or repeaters with a fingerprint of the Application Server self-signed certificate, and configure those agents or repeaters to authenticate incoming requests using client-side certificates. This topic is intended for administrators of TrueSight Server Automation Application Servers.

Note

In this topic, a client refers to an Application Server that is attempting to establish contact with the server hosting an agent. Generally, in TrueSight Server Automation documentation a client refers to a host running the TrueSight Server Automation Console or Network Shell.

To stop using self-signed, client-side certificates, see TLS-with-client-side-certificates-Discontinuing-use-of-client-side-certificates.

You can use this procedure to use TLS with client-side certificates to secure communication between a UNIX Network Shell proxy server and agents or repeaters. The procedure for a Network Shell proxy server is identical to the procedure for an Application Server.

Note

TLS communication with client-side certificates is not compatible with the NSH proxy tunneling mechanism for communication between clients and the Network Shell proxy server. To use one or the other, you must either disable proxy tunneling or discontinue the use of client-side certificates.

The following is a master procedure. Each of the steps in this procedure references a topic that describes another procedure.

  1. Create a self-signed client-side certificate on the Application Server. Then add the passphrase for that certificate to the securecert file.
  2. Provision agents and repeaters with a fingerprint of the Application Server self-signed certificate.
  3. Configure agents or repeaters to authenticate incoming requests with client-side certificates.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*