
Changing the Authentication Method

Changing the authentication method after it has been set involves considerable effort. The Automation Engine and all agents must be restarted regardless of the authentication method you select.

From "None" to "Server"

For the authentication method "Server", the agents require a file which includes the Company Key. It must be made available to the agents' individual computers.

Procedure in detail:

  1. End all agents.
  2. End all server processes.
  3. Call the utility AE.DB Load in batch mode in order to export the Company Key to a file. The Company Key has not yet been set in the database.
    Example: UCYBDBld -B -TPACKAGE -KUC4PROD
  4. Transfer this file to all agents.
  5. In the agents' INI-file parameter InitialPackage= (Section [AUTHORIZATION]), enter the path and name of the Company Key file.
    In the parameter KeyStore=, enter the path and name of the file in which the agent should store the Company Key information.
    We highly recommend storing both files in a separate directory which is specially protected.
  6. Now set the authentication method "Server" and the Company Key in the database:
    This is done by calling the utility AE.DB Load in batch mode.
    Example: UCYBDBld -B -TLOCAL -KUC4PROD
  7. Start all server processes.
  8. For security reasons, Automic recommends withdrawing the authentication from all agents. The method "Server" is based upon the principle that the agents will be manually authenticated in the System Overview in order to ensure that the agent is not a program of a potential hacker. You can skip this step if you are sure you want to make the changeover without this security measure.
    Log on to system client 0000. Open the System Overview and switch to the "Agents" area. Highlight all agents and use the context menu command "Withdraw authentication".
  9. Optional: If you have already deleted the Company Key file and want to write the Company Key to additional agents (steps 4 to 5), you can do so at any time in the System Overview of client 0000. It will be exported when you right-click the connection node of client 0. (Step 3 is no longer possible because the Company Key is added to the database in step 6.)
  10. Start all agents.
  11. The agents read the Company Key file and store the included information in the KeyStore file. The agent will then automatically delete the Company Key file.
  12. If you followed our recommendation and withdrew the authentication from the agents (step 8), all of them must now be re-authenticated in the System Overview of client 0000. Do so by calling the corresponding context menu command. Non-authenticated agents cannot log on to the AE system.

From "None" to "Server and Agent"

For the authentication method "Server and Agent", the agents require a file in which the authentication package is stored. As this file differs for each agent, it must be generated individually and transferred to the corresponding computers.

Procedure in detail:

  1. End all agents.
  2. End all server processes.
  3. Open the utility AE.DB Load in batch mode and set the authentication method to "Server and Agent":
    Example: UCYBDBld -B -TLOCAL_REMOTE -KUC4PROD
    The Company Key is now written to the database. Note that subsequently changing the Company Key is a very complex procedure.
  4. Start all server processes.
  5. Log on to system client 0000. Open the System Overview and switch to "Agents".
  6. For security reasons, Automic recommends withdrawing the authentication from all agents. The method "Server" is based upon the principle that the agents will be manually authenticated in the System Overview in order to ensure that the agent is not a program of a potential hacker. You can skip this step if you are sure you want to make the changeover without this security measure.
    Log on to system client 0000. Open the System Overview and switch to the "Agents" area. Highlight all agents and use the context menu command "Withdraw authentication".
    For all agents for which this step is skipped, make sure that you use the Company Key as the authentication package as of step 8 and skip step 7. You can export the Company Key in the System Overview of client 0000 at any time by right-clicking client 0's connection node.
  7. Now export an authentication package for each individual agent. Highlight all agents and open the context menu command "Export authentication package".
    As of version 11, the action "Export Authentication Package" has been restricted to users in the system client 0. Additionally, a user needs the "W" permission for the Agent object to be able to export an authentication package.
  8. Transport the files containing the unique authentication packages for each agent individually to the agents.
  9. In the agents' INI-file parameter InitialPackage= (Section [AUTHORIZATION]), enter the path and name of the authentication package file.
    In the parameter KeyStore=, enter the path and name of the file in which the agent should store the authentication package information.
    We highly recommend storing both files in a separate directory which is specially protected.
  10. Start all agents.
  11. The agent reads the authentication package file and stores the included information in the KeyStore file. The agent will then automatically delete the authentication package file.
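
The INI settings from step 5 of the "Server" procedure and step 9 of this procedure, together with the deletion of the package file in step 11, can be checked on each agent host. The following Python script is an added example, not Automic code. It assumes a POSIX host, resolves relative paths against the INI directory, and uses constructed file names (agent.ini, agent.pkg, agent.kstr).

```python
import configparser
import os
import pathlib
import stat
import tempfile

def audit_agent_ini(ini_path, agent_started=True):
    """Findings for one agent INI; relative paths are assumed relative to the INI."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(ini_path)  # option names are matched case-insensitively
    if not cfg.has_section("AUTHORIZATION"):
        return ["no [AUTHORIZATION] section"]
    ini_dir = os.path.dirname(os.path.abspath(ini_path))
    findings, dirs = [], set()
    for name in ("InitialPackage", "KeyStore"):
        value = cfg.get("AUTHORIZATION", name, fallback="").strip()
        if not value:
            findings.append(f"{name}= is not set")
            continue
        path = os.path.normpath(os.path.join(ini_dir, value))
        dirs.add(os.path.dirname(path))
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{name} file is accessible to group/other: {path}")
        if name == "InitialPackage" and agent_started and os.path.exists(path):
            findings.append(f"package file still present after agent start: {path}")
    for d in sorted(dirs):
        if d == ini_dir:
            findings.append(f"key material shares the INI directory: {d}")
        elif os.path.isdir(d) and stat.S_IMODE(os.stat(d).st_mode) & 0o077:
            findings.append(f"directory is accessible to group/other: {d}")
    return findings

def demo():
    root, results = tempfile.mkdtemp(), {}
    for label, mode, consumed in (("weak", 0o755, False), ("hardened", 0o700, True)):
        keys = os.path.join(root, label, "keys")
        os.makedirs(keys)
        os.chmod(keys, mode)
        pkg = os.path.join(keys, "agent.pkg")  # constructed layout, hypothetical names
        if not consumed:  # the agent has not yet read and deleted the package
            pathlib.Path(pkg).write_text("constructed placeholder")
            os.chmod(pkg, 0o644)
        ini = os.path.join(root, label, "agent.ini")
        pathlib.Path(ini).write_text(
            f"[AUTHORIZATION]\nInitialPackage={pkg}\nKeyStore={keys}/agent.kstr\n")
        results[label] = audit_agent_ini(ini)
    return results

if __name__ == "__main__":
    print(demo())
```

Run `audit_agent_ini()` with `agent_started=False` before step 10, when the package file is still expected to be on disk.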

Switching from "Server" to "Server and Agent"

As the agents have already been authenticated, you can easily switch from "Server" to "Server and Agent" and vice versa.

Procedure in detail:

  1. Log on to system client 0000. Open the variable UC_AS_SETTINGS and set the value "LOCAL" or "LOCAL_REMOTE" in the key AUTHENTICATION.
  2. End all server processes.
  3. Start all server processes.
    Agents will automatically connect after the time (in seconds) specified in the parameter RECONNECT_TIME (see: UC_HOSTCHAR_DEFAULT).

From "Server" or "Server and Agent" to "None"

For the authentication method "None", the agents no longer require the Company Key which is stored in the AE database. Therefore, the agents' keystore files must be deleted.

Procedure in detail:

  1. End all agents.
  2. Log on to system client 0000. Open the variable UC_AS_SETTINGS and set the value "NO" in the key AUTHENTICATION.
  3. End all server processes.
  4. AE database access is required for the following step. Ensure the authorized person pays utmost attention when performing the step. Delete the Company Key from the AE database. Process the following SQL statement in a transaction:
    delete from oha
  5. Start all server processes.
  6. Delete the KeyStore file in each agent. Its path and name are stored in the INI file, parameter KeyStore=.
  7. Start all agents.

See also:

Specifying the Authentication Method for the First Time

 



Copyright © 2016 Automic Software GmbH