

Secure Agents
CA Configuration Automation lets servers communicate with CA Configuration Automation Agents over an SSL-secured connection. The Secure Agents option lets you create the SSL certificates required for CA Configuration Automation Agent security.
Secured communication requires a certificate for identification on both the server side and the agent side. You must create a certificate authority before you can secure Agent communications. See Creating and Managing Security Certificates for more information.
Note: You cannot use Agent Security with an SSH proxy, and you must use the Manually Configured Agent selection for Agent Mode in the Access Profile.
When you switch from Manual Agent to Secured Agent, the access profile associated with the selected servers is modified as follows:
- If you are using a predefined access profile (that is, one of the following profiles installed by the CA Configuration Automation installation program: Manual Agent, Port Probe, Secured Agent, Self Registered, SSH, WMI, or WMI - SSH), a new access profile is created. This new profile is:
- Automatically assigned a name using the Manual Agent<timestamp> convention (for example, Manual Agent<timestamp1>, Manual Agent<timestamp2>, and so on)
- Defined as a Secure Agent (that is, the Secure Agent check box is checked in the Access Mode tab of the Edit Server Access Profile dialog box)
- Listed in the table on the Access Profiles tab
- Assigned to the selected servers
- If you are using a user-defined access profile that is used by multiple servers, a new access profile is created. This new profile is:
- Renamed using the <user-assigned_name><timestamp> convention (for example, if you are using a profile you created called TestProfile, the new profile would use that name appended with a timestamp: TestProfile<timestamp1>, TestProfile<timestamp2>, and so on)
- Defined as a Secure Agent (that is, the Secure Agent check box is checked in the Access Mode tab of the Edit Server Access Profile dialog box)
- Listed in the table on the Access Profiles tab
- Assigned to the selected servers
- If you are using a user-defined access profile that is used by only the selected server, the access mode of the current access profile is modified to Secure Agent (that is, the Secure Agent check box is checked). A new access profile is not created.
To secure CA Configuration Automation Agents on one or more servers
- Click the Management link, then the Servers tab.
The Servers tab page appears.
- Click the check box next to the servers with agents that you want to secure (the Agent Installed column of the Servers table contains a check mark for servers that have agents installed), then select Agent Actions, Secure Agents from the Select Actions drop-down list.
The Secure Agents dialog appears.
- Enter the appropriate information in the following fields, then click OK:
- Agent Certificate Password
Specifies the password for the certificate.
Enter the password text again.
- Confirm Password
Confirms the password entered in the Agent Certificate Password field. The two passwords must be identical.
- Certificate Authority Password
Specifies the certificate authority password required to create the agent certificate.
CA Configuration Automation creates the certificate for the agent, installs this new certificate in the agent installation directory, configures the agent to only accept secure connections, and restarts the agent with the new configuration. After CA Configuration Automation has successfully completed these steps, the Access Mode column of the Server table displays Secure Agent.
To revert to an unsecure agent
- Do one of the following to edit the Access Profile for the server whose agent you want to set as unsecure:
- Clear the Secure Agent check box on the Access Mode tab, then click OK.
- Assign a new profile that does not use Secure Agent mode if you do not want to change the existing access profile (in the case where other servers may be using it).
- Go to the CA Configuration Automation Agent installation directory, edit the agent.conf file manually by changing the secure option to 0 (zero), and then restart the agent.
The agent runs in unsecure mode.
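Because the revert procedure above includes a manual edit of agent.conf, it is useful to check collected agent.conf files for agents that have been set to unsecure mode. The following is an added example, not code from CA or from this page; the file syntax, host names and sample contents are assumptions, since this page names only the secure option and its value 0.

```python
import re

# Assumed line shape (not specified on this page): "secure=0", "secure = 1"
# or "secure 1"; lines starting with "#" or ";" are treated as comments.
_OPTION = re.compile(r"^\s*secure\s*(?:[=:]\s*|\s+)(\S+)\s*$", re.IGNORECASE)


def secure_setting(conf_text):
    """Return the effective value of the secure option, or None if absent."""
    value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        match = _OPTION.match(line)
        if match:
            value = match.group(1)  # assumption: a later line overrides an earlier one
    return value


def audit(configs):
    """Map each host to 'secure', 'unsecure' (secure option is 0) or 'unknown'."""
    report = {}
    for host, text in configs.items():
        value = secure_setting(text)
        if value is None:
            report[host] = "unknown"   # option missing or commented out
        elif value == "0":
            report[host] = "unsecure"  # the value this page documents for unsecure mode
        else:
            report[host] = "secure"    # assumption: the page only defines 0
    return report


def unsecure_hosts(configs):
    """Hosts whose agent.conf explicitly selects unsecure mode, sorted."""
    return sorted(h for h, state in audit(configs).items() if state == "unsecure")


# Constructed sample input: host names and file contents are invented.
SAMPLE = {
    "app01": "# constructed sample\nsecure=1\n",
    "app02": "secure = 0\n",
    "db01": "#secure=1\n",
    "db02": "secure 1\nsecure 0\n",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE).items()):
        print(f"{host}: {state}")
```

Hosts reported as unknown need a manual look, because the option is missing or written in a form the assumed syntax does not cover.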
Copyright © 2014 CA.
All rights reserved.