Importing the TLS security certificates for a PATROL Agent


To import the security certificates into the PATROL Agent certificate store

PATROL Agent communicates with the Integration Service, PATROL console, and the remote cell.

The PATROL Agent acts as a client or a server depending on the component with which it communicates:

  • PATROL Agent to Integration Service communication: PATROL Agent acts as a client.
  • PATROL Agent to PATROL console communication: PATROL Agent acts as a server.
  • PATROL Agent to remote cell communication: PATROL Agent acts as a client.

TLS mode of communication requires both the client and the server to have public key infrastructure (PKI) certificates deployed in their respective certificate stores. The authentication process varies depending on whether the PATROL Agent acts as a server or a client, as explained in the following sections. Note the following before you begin:

  • certutil and pk12util, used in the following procedures, are the utilities shipped with the Mozilla NSS binaries to manage PKI certificates.
  • If these executables are not in your system environment, use the copies from the PATROL Agent installation directories listed below.
    • Windows: %BMC_ROOT%\common\security\bin_v3.0\Windows-x86-64\nss
    • Unix: $BMC_ROOT/common/security/bin_v3.0/Windows-x86-64/nss
  • If you have multiple PATROL Agents in your environment, perform the following steps to simplify the process of importing certificates:
    • Perform the certificate import tasks on a single PATROL Agent, and then copy PatrolAsServer_DB or PatrolAsClient_DB to the respective PATROL nodes, or keep them in a shared location.

PATROL Agent configured as a client

PATROL Agent operates as a client when it communicates with the Integration Service and the remote cell. To enable the TLS handshake, deploy the Mozilla NSS certificates in the DB store format on the PATROL Agent. There are two security options:

  • Integration Service is authenticated by the PATROL Agent: To enable the PATROL Agent to authenticate the server, import the Certificate Authority (CA) certificates of the Integration Service or remote cell into the PATROL Agent certificate store. This continues the Security Level 3 implementation of previous versions of PATROL Agent communication.
  • Integration Service is not authenticated by the PATROL Agent: In a trusted environment, if the PATROL Agent administrator can ensure the authenticity of the Integration Service host or the remote cell, the PATROL Agent can be configured to bypass server authentication. This continues the Security Level 2 implementation of previous versions of PATROL Agent communication.

The following sections explain the procedure to implement the preceding security mechanisms:

Integration Service is not authenticated by the PATROL Agent

In this scenario, the Integration Service certificates are not imported to the PATROL Agent certificate store. You can proceed to configure the PATROL Agent to enable TLS 1.2 mode.

Integration Service is authenticated by the PATROL Agent

Perform the following steps to import the security certificates to the PATROL Agent certificate store.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent.
    Run the following commands:

    # On Microsoft Windows
    $ mkdir <installationdirectory>\common\security\keys\PatrolAsClient_DB
    $ certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB

    # On Unix
    $ mkdir <installationdirectory>/common/security/keys/PatrolAsClient_DB
    $ certutil -N -d sql:<installationdirectory>/common/security/keys/PatrolAsClient_DB
    • PatrolAsClient_DB is the name of the client certificate store for the PATROL Agent.
  2. Procure CA certificates of the Integration Service from your security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsClient_DB directory.

    • You can choose a different path for PatrolAsClient_DB; create the directories according to the path you define.
    • You can generate self-signed certificates by using a tool such as Oracle keytool, OpenSSL, or Mozilla NSS. For more information, see Creating self-signed certificates.
  3. Import the CA certificate to the PATROL Agent client certificate store.
    Run the following command (note that there is no space between sql: and the path):

    $ certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.
    • <installationdirectory>\common\security\keys\PatrolAsClient_DB is the path of the Mozilla NSS client certificate store.
    • "Trusted IS CA" is the certificate alias (nickname).
    • "CT" is the trust flag that marks the certificate as a trusted CA.
    • You need to import the complete chain of CA certificates, up to the root CA certificate, using the same command.
  4. If the certificates are in Public-Key Cryptography Standards 12 (PKCS12) format, import them using the following command.

    $ pk12util -i client.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsClient_DB -W <password>
    • client.p12 is the name of the client certificate file in PKCS12 format.
    • <password> is the password string for the client.p12 file.
  5. Perform the configuration changes needed to enable TLS 1.2 mode.

PATROL Agent configured as a server

Perform the following steps, when PATROL Agent is communicating with the PATROL console.

  1. Create a Mozilla certificate store on the central server for the PATROL Agent.
    Run the following commands:

    # On Microsoft Windows
    $ mkdir <installationdirectory>\common\security\keys\PatrolAsServer_DB
    $ certutil -N -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB

    # On Unix
    $ mkdir <installationdirectory>/common/security/keys/PatrolAsServer_DB
    $ certutil -N -d sql:<installationdirectory>/common/security/keys/PatrolAsServer_DB
    • PatrolAsServer_DB is the name of the server certificate store for the PATROL Agent.
  2. Procure the CA certificates from your organisation's security administrator, and place them in the <installationdirectory>\common\security\keys\PatrolAsServer_DB directory.

    • You can choose a different path for PatrolAsServer_DB; create the directories according to the path you define.
    • You can generate self-signed certificates by using a tool such as Oracle keytool, OpenSSL, or Mozilla NSS. For more information, see Creating self-signed certificates.
  3. Import the procured CA certificates to the PATROL Agent server certificate store.
    Run the following command (note that there is no space between sql: and the path):

    $ certutil -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -A -n "Trusted IS CA" -t "CT,," -a -i ca.crt
    • ca.crt is the CA certificate file name.
    • <installationdirectory>\common\security\keys\PatrolAsServer_DB is the path of the Mozilla NSS server certificate store.
    • "Trusted IS CA" is the certificate alias (nickname).
    • "CT" is the trust flag that marks the certificate as a trusted CA.
    • You need to import the complete chain of CA certificates, up to the root CA certificate, using the same command.
  4. If the certificates are in Public-Key Cryptography Standards 12 (PKCS12) format, import them using the following command.

    $ pk12util -i server.p12 -d sql:<installationdirectory>\common\security\keys\PatrolAsServer_DB -W <password>
    • server.p12 is the name of the server certificate file in PKCS12 format.
    • <password> is the password string for the server.p12 file.

  5. Perform the configuration changes needed to enable TLS 1.2 mode.
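The following script is an added example, not BMC's own tooling, covering both the client and the server procedures above: it creates an NSS store with certutil -N, splits a PEM bundle so that every certificate in the CA chain (up to the root) gets its own certutil -A import with a unique nickname and the CT,, trust flags, and then checks the trust column of certutil -L. It assumes the NSS binaries are on PATH or under NSS_BIN, and the DB_DIR default, the CHAIN_PEM bundle name and the "Trusted IS CA n" nicknames are placeholders you adapt to your site.

```shell
# Added example (not from the BMC page): build PatrolAsClient_DB or PatrolAsServer_DB,
# import a whole CA chain with one certutil -A call per certificate, verify trust flags.
# Assumptions: certutil is on PATH or in NSS_BIN (the nss directory listed above);
# CHAIN_PEM is the PEM chain from your CA administrator; DB_DIR is the store to build.
set -eu

DB_DIR="${DB_DIR:-${BMC_ROOT:-/opt/bmc}/common/security/keys/PatrolAsClient_DB}"
CHAIN_PEM="${CHAIN_PEM:-ca-chain.pem}"          # leaf issuer ... root CA, PEM encoded
CERTUTIL="${NSS_BIN:+$NSS_BIN/}certutil"         # NSS_BIN empty => certutil from PATH

# Split a PEM bundle into ca-01.crt, ca-02.crt, ... in directory $2; print the count.
# certutil -A -a imports one certificate per file, so a bundle must be split first.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.crt", dir, n) }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }' "$1"
}

# "sql:" must be glued to the path: "sql: /dir" makes certutil treat "sql:" as the
# database directory. A trust-only store holds no private keys, so no store password.
create_store() {
  mkdir -p "$1"
  "$CERTUTIL" -N -d "sql:$1" --empty-password
}

import_chain() {
  tmp="$(mktemp -d)"
  count="$(split_pem_bundle "$2" "$tmp")"
  [ "$count" -gt 0 ] || { echo "no certificates found in $2" >&2; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    # One nickname per certificate: NSS rejects a reused nickname on a different subject.
    "$CERTUTIL" -d "sql:$1" -A -n "Trusted IS CA $i" -t "CT,," -a \
      -i "$(printf '%s/ca-%02d.crt' "$tmp" "$i")"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Every "Trusted IS CA" entry must show CT,, in the trust column of certutil -L.
verify_store() {
  "$CERTUTIL" -L -d "sql:$1" | awk '/Trusted IS CA/ && $NF !~ /^CT,,/ { bad++ } END { exit bad + 0 }'
}

if [ "${1:-}" = "--run" ]; then
  create_store "$DB_DIR" && import_chain "$DB_DIR" "$CHAIN_PEM" && verify_store "$DB_DIR"
fi
```

Run it with `--run` on the PATROL node; point DB_DIR at the PatrolAsServer_DB path instead when building the server store.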
