Enabling TLS server certificate validation between the Gateway Server and Continuous Optimization Agents


As an administrator, enable TLS version 1.3 between the Gateway Server and Continuous Optimization Agent (Agent). You can enable and configure TLS during or after installation of these components. 

Important

We recommend that you complete the following steps:

Before you begin

Make sure you meet the following requirements:

  • You have administrator privileges to complete the installation of the Gateway Server and Agent.
  • The computer on which you are installing these components is not running AIX 7.1 Operating System.

To enable and configure TLS during installation

  1. Install the remote components (Gateway Server and Agent) by following the installation steps, or upgrade them by following the steps described in Upgrading Gateway Server and Upgrading Agent.
  2. Start the Gateway Server and Agent.
    TLS communication between the two components is enabled based on the configuration settings set in the preceding steps.
  3. Verify the status by parsing the service daemon logfiles.
    For details about logfiles, see Working with Gateway Server and Agent logfiles.

To enable and configure TLS after installation

  1. Stop all the services of the Gateway Server and Agent.
    • (Linux/UNIX) Perform the following steps on computers where these components are installed:
      1. To list the Gateway Server processes, run ps -ef | grep udrCollectMgr, and then kill the listed processes.
      2. To stop the Gateway Server, the Agent and the Service daemon, run the following commands:
        1. $BEST1_HOME/bgs/scripts/stopGeneralManager
        2. $BEST1_HOME/bgs/scripts/bgsagent_stop
        3. (Linux) su root -c "systemctl stop bgssd"
          or
          (UNIX) $BEST1_HOME/bgs/bin/bgssd.exe -k
    • (Windows) Perform the following steps:
      1. Open Task Manager and stop the BGS_SDService process.
      2. Stop the related bgscollect and bgsagent processes.
  2. Assign appropriate values to the SECURITY_LEVEL parameter in the $BEST1_HOME/local/setup/Agent.cfg file.

    TLS configuration parameters

    The following table explains the parameter values that can be assigned to the PERFORM_SSLCONF_SECURITY_LEVEL parameter to configure the TLS security level in your product components. 

    Parameter value                            Description
    SOCKCOMM_SSL_NONE                          Disables TLS in the component; the component communicates using non-TLS sockets. This is the default when SECURITY_LEVEL is not set.
    SOCKCOMM_TLSv1_3                           Enables TLS version 1.3.
    SOCKCOMM_SSL_SKIP_HOST_CHECK               Skips the host name check during TLS certificate validation.
    SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE     Allows components to use TLS certificates that have expired or have no CRL.
    SOCKCOMM_SSL_NO_FALLBACK                   Prevents the Gateway Server from falling back to non-TLS sockets when communicating with an Agent that is not TLS enabled.

    Sample TLS configuration file

    The following sample excerpt of Agent.cfg enables TLS version 1.3.

    Agent.cfg
    BEGIN_SSL_CONFIGURATION

    # Security level
    # The following parameters are used to set TLS security level

    # The parameters are combined using | to get the desired permission level (no spaces allowed)
    #
    # SOCKCOMM_SSL_NONE                                              - not using TLS security [non-TLS sockets] (default if no SECURITY_LEVEL set)
    # SOCKCOMM_TLSv1_3                                               - use TLS v1.3 (default)
    # SOCKCOMM_SSL_SKIP_HOST_CHECK                                   - client skips name check against host name
    # SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE                         - allow expired certificates and those w/o CRL
    # SOCKCOMM_SSL_NO_FALLBACK                                       - client does not fallback to plain sockets


    # use the following recommended settings for TLS support
    # SECURITY_LEVEL = SOCKCOMM_TLSv1_3|SOCKCOMM_SSL_SKIP_HOST_CHECK|SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE

    SECURITY_LEVEL = SOCKCOMM_TLSv1_3  

    END_SSL_CONFIGURATION
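    The value of SECURITY_LEVEL is a single token built from the flags in the table above, joined with |, so a typo or a stray space silently changes what the component does, and two of the flags (SOCKCOMM_SSL_SKIP_HOST_CHECK and SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE) weaken certificate validation. The following script is an added example, not part of the product or of this documentation; it reads the BEGIN_SSL_CONFIGURATION block of an Agent.cfg in the layout shown above, extracts the active SECURITY_LEVEL, and reports which flags reduce the strength of certificate validation. The sample configuration texts embedded at the bottom are constructed for the demonstration; the classification rules ("off", "weak", "strong") are the example's own and not a product setting.

```python
"""Audit the SECURITY_LEVEL flags in the TLS block of an Agent.cfg file.

Added example (not product code). Assumes the file layout shown in the sample
Agent.cfg: a BEGIN_SSL_CONFIGURATION / END_SSL_CONFIGURATION block, '#' comment
lines, and flag names joined with '|' and no spaces.
"""
import re
from typing import List, Tuple

# Flag names exactly as listed in the documentation table.
KNOWN_FLAGS = {
    "SOCKCOMM_SSL_NONE",
    "SOCKCOMM_TLSv1_3",
    "SOCKCOMM_SSL_SKIP_HOST_CHECK",
    "SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE",
    "SOCKCOMM_SSL_NO_FALLBACK",
}


def parse_security_level(cfg_text: str) -> List[str]:
    """Return the flags of the active SECURITY_LEVEL line inside the TLS block.

    Commented-out lines (such as the '# SECURITY_LEVEL = ...' recommendation in the
    sample file) are ignored. An empty list means the parameter is not set, which the
    product treats as SOCKCOMM_SSL_NONE. A value containing whitespace is rejected,
    because the file format allows no spaces around '|'.
    """
    in_block = False
    flags: List[str] = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line == "BEGIN_SSL_CONFIGURATION":
            in_block = True
            continue
        if line == "END_SSL_CONFIGURATION":
            in_block = False
            continue
        if not in_block or not line or line.startswith("#"):
            continue
        m = re.match(r"SECURITY_LEVEL\s*=\s*(.*)$", line)
        if m:
            value = m.group(1)
            if re.search(r"\s", value):
                raise ValueError("SECURITY_LEVEL value must not contain spaces: %r" % value)
            flags = [f for f in value.split("|") if f]
    return flags


def audit_security_level(flags: List[str]) -> Tuple[str, List[str]]:
    """Classify a flag list as 'off', 'weak' or 'strong' and list the findings."""
    findings: List[str] = []
    for f in flags:
        if f not in KNOWN_FLAGS:
            findings.append("unknown flag %r (possible typo)" % f)
    if not flags or "SOCKCOMM_SSL_NONE" in flags:
        findings.append("TLS is disabled: the component uses non-TLS sockets")
        return "off", findings
    if "SOCKCOMM_TLSv1_3" not in flags:
        findings.append("no TLS protocol version selected")
    if "SOCKCOMM_SSL_SKIP_HOST_CHECK" in flags:
        findings.append("host name check skipped: a certificate for any host name is accepted")
    if "SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE" in flags:
        findings.append("expired certificates and certificates without a CRL are accepted")
    if "SOCKCOMM_SSL_NO_FALLBACK" not in flags:
        findings.append("fallback to non-TLS sockets allowed when the peer is not TLS enabled")
    return ("strong" if not findings else "weak"), findings


def audit_cfg(cfg_text: str) -> Tuple[str, List[str]]:
    """Convenience wrapper: parse the file text and audit the result."""
    return audit_security_level(parse_security_level(cfg_text))


# Constructed sample: the documented excerpt, with the recommended-settings line
# left commented out exactly as in the sample file.
SAMPLE_TLS13 = """BEGIN_SSL_CONFIGURATION
# use the following recommended settings for TLS support
# SECURITY_LEVEL = SOCKCOMM_TLSv1_3|SOCKCOMM_SSL_SKIP_HOST_CHECK|SOCKCOMM_SSL_ALLOW_EXPIRED_CERTIFICATE

SECURITY_LEVEL = SOCKCOMM_TLSv1_3
END_SSL_CONFIGURATION
"""

# Constructed sample: full validation with no fallback to plain sockets.
SAMPLE_STRICT = """BEGIN_SSL_CONFIGURATION
SECURITY_LEVEL = SOCKCOMM_TLSv1_3|SOCKCOMM_SSL_NO_FALLBACK
END_SSL_CONFIGURATION
"""

if __name__ == "__main__":
    for name, text in (("tls13", SAMPLE_TLS13), ("strict", SAMPLE_STRICT)):
        level, notes = audit_cfg(text)
        print("%s: %s" % (name, level))
        for note in notes:
            print("  - " + note)
```

Run it against a copy of $BEST1_HOME/local/setup/Agent.cfg by passing the file contents to audit_cfg; a result of "strong" means the active line selects TLS 1.3, keeps host name and expiry checks, and does not permit fallback to plain sockets.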

  3. Restart all services of the Gateway Server and Agent.
    • (Linux/UNIX) Run the following commands:
      1. (Linux) su root -c "systemctl start bgssd"
        or
        (UNIX) $BEST1_HOME/bgs/bin/bgssd.exe -s
      2. $BEST1_HOME/bgs/bin/bgsagent
      3. $BEST1_HOME/bgs/scripts/startGeneralManager
    • (Windows) To start the Agent, open Task Manager and start the BGS_SDService process.
  4. Verify the status by parsing the service daemon logfiles.
    For details about logfiles, see Working with Gateway Server and Agent logfiles.
