- Created by Mikhail Yakovlev, last modified on May 23, 2019
Agent requires the following certificates to operate properly:
- Indeed CM Agent CA, which is the root Indeed CM Agent certificate. This is used to issue certificates for user workstations where Agent instances are to be installed to.
- Indeed CM Agent SSL is the authentication certificate, signed by the root certificate. This is required to establish a bi-directional secure connection between the server and workstation with Agent installed. The certificate is issued for the workstation with Indeed CM server installed.
- Workstation certificate is issued automatically upon Agent registration. A client computer provides its certificate to server by sending a request, and the Indeed CM server checks for the certificate authenticity. If correct, the server marks the Agent at the workstation as trusted one and becomes ready to send tasks to it.
Agent certificates are created with IndeedCM.Agent.Cert.Generator.exe utility from the Indeed CM installation package.
- Run the IndeedCM.Agent.Cert.Generator.exe utility in command line as administrator on the Indeed CM server, using the following parameters: /root /csn /installToStore. Wait for the utility to finish operation.
The /csn parameter initiates the certificate issue procedure for DNS name of the workstation the utility is run at. To generate certificates for another workstation, run the utility with /sn <DNS name of workstation> parameter.
The /installToStore publishes the certificates issued by the utility to the server certificate storages:
- The Indeed CM Agent CA certificate is placed to Trusted Root Certification Authorities.
- The Indeed CM Agent SSL certificate is placed to personal certificate storage of the workstation with Indeed CM server installed.
2. The Indeed CM Agent CA.key file shall appear in the utility folder. The file contains the Indeed CM Agent CA certificate image and certificate key value.
3. Place the Indeed CM Agent CA certificate to Trusted Root Certification Authorities at all user workstations.
The Active Directory group policy mechanism can be used to distribute the certificate to user workstations.
4. Set up a secure connection to Agent site. To do this:
- Switch to IIS Manager.
- Select Indeed CM Agent Site, then switch to Bindings section.
- Select the binding to 3003 port and click Edit.
Port 3003 is set by default. If you use another port, then you’d have to create and configure a new binding for it. Make sure that the port is open for incoming connections in firewall.
- Define Indeed CM Agent SSL as certificate and click OK.
5. Figure 10 shows an example of setting a binding for Indeed CM Agent Site site.
Figure 10 – Setting a secure connection to Indeed CM server to work with Agents.
6. If your environment has more than one Indeed CM server with Agents, then a separate Agent SSL certificate is required for each server. The root certificate is one and the same for all the servers. To create a SSL certificate for additional server, copy the folder with IndeedCM.Agent.Cert.Generator.exe utility and Indeed CM Agent CA.key root certificate key file, then execute the following command:
IndeedCM.Agent.Cert.Generator.exe /ssl /сsn /rootKey <path to folder containing root certificate key> /installToStore
Example:
IndeedCM.Agent.Cert.Generator.exe /ssl /сsn /rootKey "C:\AgentCertGenerator\Indeed CM Agent CA.key"/installToStore
- No labels