TLS with client-side certificates - Discontinuing use of client-side certificates


Use this procedure to stop using client-side certificates that secure access between Application Servers and agents or repeaters.

To discontinue use of client-side certificates

  1. Set up root or Administrator privileges on each managed server hosting an agent or repeater. 
    To perform this procedure, you must have root or Administrator privileges on any servers hosting agents or repeaters where you want to discontinue use of client-side certificates. 
    To grant this privilege, update the exports file by creating the following entry on the server: 

    • (Windows)
      <host> rw,user=Administrator 
    • (UNIX)
      <host> rw,user=root

    where <host> is the IP address or host name of the Network Shell client.

  2. Remove the fingerprint of the Application Server self-signed certificate from managed servers by entering one of the following commands, based on your environment: 
    • (Windows)
      nukecert SYSTEM <agent1...agentN>
    • (UNIX)
      nukecert bladmin <agent1...agentN> 

    where <agent1...agentN> is a space-delimited list of the names or IP addresses of the servers where you want to stop using the Application Server self-signed certificate.
  3. Configure the secure file on all agents or repeaters where you want to stop using certificates by using Network Shell to run the following secadmin command: 
    secadmin -m rscd -p 5 -T encryption_only -e tls 
    Running this command generates an rscd entry in the secure file like the following:

    rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

    Tip

    You can also run this command using nexec from the Application Server (using nexec <hostname> secadmin ...) or by using an NSH script job.

  4. Revert the setting in the exports file on managed servers back to a more restrictive user mapping. Otherwise, all users accessing those agents are mapped to root or Administrator.
  5. If client-side certificates are configured on the Application Servers, remove the id.pem file from the Application Servers.
    • For Windows Application Servers, the id.pem file can be found at C:\<WINDIR>\rsc\certs\SYSTEM, where <WINDIR> is typically windows.
    • For UNIX Application Servers, the id.pem file can be found at /opt/bmc/bladelogic/NSH/br/.bladelogic.
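As an added post-procedure check (example code, not part of the product documentation), the script below parses the rscd entry that step 3 writes to the secure file and the exports file lines from step 1, and reports anything left in a state the procedure says to revert. The file layouts beyond the exact lines shown above, and the sample host name, are assumptions.

```python
import re

# Expected rscd entry after: secadmin -m rscd -p 5 -T encryption_only -e tls
EXPECTED_RSCD = {"port": "4750", "protocol": "5",
                 "tls_mode": "encryption_only", "encryption": "tls"}
# Mappings that step 1 grants and step 4 says to revert
PRIVILEGED_USERS = {"root", "Administrator"}

def parse_secure_entry(line):
    """'rscd:port=4750:protocol=5:...' -> ('rscd', {'port': '4750', ...})."""
    name, _, rest = line.strip().partition(":")
    fields = {}
    for kv in rest.split(":"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return name, fields

def check_secure_file(text):
    """Return findings for the rscd entry; an empty list means it matches step 3."""
    entries = dict(parse_secure_entry(l) for l in text.splitlines()
                   if l.strip() and not l.lstrip().startswith("#"))
    rscd = entries.get("rscd")
    if rscd is None:
        return ["no rscd entry in secure file"]
    return [f"rscd {key}={rscd.get(key)!r}, expected {want!r}"
            for key, want in EXPECTED_RSCD.items() if rscd.get(key) != want]

def check_exports_file(text):
    """Flag exports lines that still map callers to root/Administrator (step 4 not done)."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 1)           # '<host> <options>' as shown in step 1 (assumed layout)
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        host, options = parts
        match = re.search(r"\buser=([^,\s]+)", options)
        if match and match.group(1) in PRIVILEGED_USERS:
            findings.append(f"exports maps {host} to {match.group(1)}: revert to a restrictive mapping")
    return findings

# Constructed sample input: the entry from step 3 and an exports line left over from step 1
SAMPLE_SECURE = "rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n"
SAMPLE_EXPORTS = "appserver01 rw,user=root\n"   # hypothetical host name

if __name__ == "__main__":
    for finding in check_secure_file(SAMPLE_SECURE) + check_exports_file(SAMPLE_EXPORTS):
        print(finding)
```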
