Hi Markus,
well actually you are right, I did not invest enough time in this.
I used the PowerShell scripts from the documentation:
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.4/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_AgentDeploy_WindowsScript.htm#link7
As the zip files are deleted after deployment, I (wrongly) assumed that the certificates I found in /security came with that package.
Indeed the agent packs for RA and SQL do not contain the Server Certs. Having said that, during first start both of them receive them, whereas the Windows / Unix do not.
So now I am totally confused, how is this supposed to work, and how to control whether the certificates are provided or not.
Reading this part of documentation one could have the impression that no certificates will be transferred and we need to take care on our own:
UNIX (Linux) Agents
You must set the SSL_CERT_DIR and SSL_CERT_FILE environment variables with the User which will start the Agent.
These variables allow you to load the certificates from the TLS/SSL store. The certificates can be stored either in one file per certificate or all certificates in one .pem file:
- SSL_CERT_DIR: location of the trusted CA certificates with each certificate in a separate file, for example, /etc/ssl/certs/
- SSL_CERT_FILE: location of the .pem file with all the trusted CA certificates, for example, /etc/pki/tls/certs/ca-bundle.crt
This is just Unix, what about Windows then? :)
------------------------------
Cheers,
Marcin
------------------------------
Original Message:
Sent: Sep 26, 2022 03:21 AM
From: Markus Embacher
Subject: Agentpacks - include Server Certificates
Hi Marcin,
we tried to reproduce that but for the SQL agent the certificate was not included. In general we do not include the certificate in the package.
Could you please provide evidence that the certificate is included in the package?
Thank you!
Regards, Markus
Original Message:
Sent: Sep 25, 2022 02:42 PM
From: Marcin Uracz
Subject: Agentpacks - include Server Certificates
I have been playing around with the /agentpacks endpoint lately on a classic AA 21.0.4 system with self-signed certificates.
What I noticed is that the RA and SQL agent packages include the CA certificates, which allows the agents to connect to my system instantly, whereas the OS Agents (Windows and Linux have been tested) do not. Hence I need to provide the server certificate on my own after the deployment.
I was wondering whether there is a reason why it works differently for different flavours of agents. Has anybody else faced the same problem?
I am aware that the self-signed scenario is not production grade, but still this is kind of weird.
------------------------------
Cheers,
Marcin
------------------------------
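
The documentation passage quoted in the thread names two variables for UNIX agents, SSL_CERT_DIR and SSL_CERT_FILE. The following preflight check is an added example, not part of any post above and not Automic's own tooling: run as the user that starts the agent, it reports whether each variable points at readable PEM certificates. The function names are hypothetical, and it checks presence only, not certificate or chain validity.

```shell
#!/bin/sh
# Added example: preflight check for the trust-store variables a UNIX agent
# reads. Function names are hypothetical. It confirms that readable PEM
# certificate blocks exist; it does not validate certificates or chains.

# Print the number of PEM certificate blocks in one file (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# $1 = value of SSL_CERT_FILE, $2 = value of SSL_CERT_DIR.
# Prints one status line per variable; succeeds only if a certificate is found.
check_trust_store() {
    file=$1; dir=$2; total=0
    if [ -z "$file" ]; then
        echo "SSL_CERT_FILE: not set"
    elif [ ! -r "$file" ]; then
        echo "SSL_CERT_FILE: $file is not readable by $(id -un)"
    else
        n=$(count_pem_certs "$file")
        echo "SSL_CERT_FILE: $file holds $n certificate(s)"
        total=$((total + n))
    fi
    if [ -z "$dir" ]; then
        echo "SSL_CERT_DIR: not set"
    elif [ ! -d "$dir" ]; then
        echo "SSL_CERT_DIR: $dir is not a directory"
    else
        n=0
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if [ "$(count_pem_certs "$f")" -gt 0 ]; then n=$((n + 1)); fi
        done
        echo "SSL_CERT_DIR: $dir holds $n certificate file(s)"
        total=$((total + n))
    fi
    [ "$total" -gt 0 ]
}

# Typical call, as the user that starts the agent:
#   check_trust_store "$SSL_CERT_FILE" "$SSL_CERT_DIR" || echo "no trusted CA found"
```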