Agent third-party deployment: Enabling the HTTPS Protocol on UNIX Agents
- Checking certificate(s) and excluding revoked certificates
- Checking certificate(s)
- Relying on encryption
Checking certificate(s) and excluding revoked certificates
/var/opt/managesoft/etc/ssl/cert.pem file on the managed device (or an alternative folder — see Agent third-party deployment: HTTPS CA Certificate File Format (UNIX) for more details). The device must also be able to download the certificate revocation list from an HTTP location, and/or perform an OCSP check for certificate revocation. For this level of security, both the CheckServerCertificate and CheckCertificateRevocation settings should be set to True (these are the default settings). When these are both true, a number of other settings can come into play, a few of which can be configured in the mgsft_rollout_response file that assists with deployment (see Agent third-party deployment: Configure the Bootstrap File for UNIX), and others must be modified in the /var/opt/managesoft/etc/config.ini file that functions in place of the Windows registry for UNIX-like platforms (see Agent third-party deployment: Updating config.ini on a UNIX Device). The additional preferences are:
Checking certificate(s)
This mid-level security model provides an encrypted channel and validation of the HTTPS server, but does not provide a way to check whether the certificate used to validate the HTTPS server has been revoked. This may be adequate where you are confident of the longevity of your certificates, perhaps because you are using an internal certificate authority.
/var/opt/managesoft/etc/ssl/cert.pem file (and/or the alternative folder). As well, the CheckServerCertificate preference must preserve its default value of True. Ignoring the revocation list is configured by disabling (setting to False) the CheckCertificateRevocation settings for all component agents on the managed device.
Relying on encryption
If you are confident of the security of your infrastructure, it is possible to ignore the server certificates entirely. This provides an encrypted channel of communication, but does not provide validation that the device is actually talking to the correct HTTPS server.
Disabling checking of the server certificate can be achieved by disabling (setting to False) both the CheckServerCertificate and CheckCertificateRevocation settings for all component agents on the managed device. In this mode of operation, the CA certificate is not required to be installed on the managed device.
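The following audit sketch is an added example, not part of the product or its documentation. It reads config.ini-style text and reports which of the three models above each component agent is running under. The bracketed-section, key=value layout and the section names in the sample are assumptions made for illustration.

```python
import configparser

# Constructed sample. The [section] / key=value layout and the section names
# are assumptions about config.ini, not copied from a real managed device.
SAMPLE = """\
[ExampleAgent\\Uploader]
CheckServerCertificate=True
CheckCertificateRevocation=True

[ExampleAgent\\Downloader]
CheckServerCertificate=True
CheckCertificateRevocation=False

[ExampleAgent\\Tracker]
CheckServerCertificate=False
CheckCertificateRevocation=False

[ExampleAgent\\Scheduler]
"""

# (CheckServerCertificate, CheckCertificateRevocation) -> model on this page.
LEVELS = {
    (True, True): "certificate + revocation",
    (True, False): "certificate only",
    (False, False): "encryption only",
    # Not one of the three documented models; ranked weakest here (assumption).
    (False, True): "unlisted combination",
}
WEAKEST_FIRST = ["unlisted combination", "encryption only",
                 "certificate only", "certificate + revocation"]

def classify(text):
    """Return {section: model} for every section in the given text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        # Both settings default to True when absent, as the page states.
        server = cp.getboolean(section, "CheckServerCertificate", fallback=True)
        revoke = cp.getboolean(section, "CheckCertificateRevocation", fallback=True)
        result[section] = LEVELS[(server, revoke)]
    return result

def weakest(levels):
    """The device is only as strong as its least strict component agent."""
    return min(levels.values(), key=WEAKEST_FIRST.index) if levels else None

if __name__ == "__main__":
    report = classify(SAMPLE)
    for name, level in report.items():
        print(f"{name}: {level}")
    print("device:", weakest(report))
```

To audit a real device, pass the contents of /var/opt/managesoft/etc/config.ini to classify() after confirming that the file matches the layout assumed here.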
FlexNet Manager Suite (On-Premises)
2020 R1