Automic Workload Automation

  • 1.  Agentpacks - include Server Certificates

    Posted Sep 25, 2022 02:42 PM
    I have been playing around with the /agentpacks endpoint lately on a classic AA 21.0.4 system with self signed certificates.

    What I noticed is that the RA and SQL agent packages include the CA certificates, which allows the agents to connect to my system instantly, whereas the OS Agents (Windows and Linux have been tested) do not. Hence I need to provide the server certificate on my own after the deployment.

    I was wondering whether there is a reason why it works differently for different flavours of agents. Has anybody else faced the same problem?

    I am aware that the self-signed scenario is not production grade, but still this is kind of weird.

    ------------------------------
    Cheers,
    Marcin
    ------------------------------


  • 2.  RE: Agentpacks - include Server Certificates

    Broadcom Employee
    Posted Sep 26, 2022 03:22 AM
    Hi Marcin,
    we tried to reproduce that, but for the SQL agent the certificate was not included. In general we do not include the certificate in the package.
    Could you please provide evidence that the certificate is included in the package?
    Thank you!
    Regards, Markus


  • 3.  RE: Agentpacks - include Server Certificates

    Posted Sep 27, 2022 02:02 AM
    Hi Markus,
    well actually you are right, I did not invest enough time in this.

    I used the PowerShell scripts from the documentation: https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.4/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_AgentDeploy_WindowsScript.htm#link7
    As the zip files are deleted after deployment, I (wrongly) assumed that the certificates I found in /security came with that package.

    Indeed the agent packs for RA and SQL do not contain the Server Certs. Having said that, during first start both of them receive them, whereas the Windows / Unix ones do not.

    So now I am totally confused: how is this supposed to work, and how do I control whether the certificates are provided or not?

    Reading this part of the documentation, one could have the impression that no certificates will be transferred and we need to take care of it on our own:

    UNIX (Linux) Agents

    You must set the SSL_CERT_DIR and SSL_CERT_FILE environment variables with the User which will start the Agent.

    These variables allow you to load the certificates from the TLS/SSL store. The certificates can be stored either in one file per certificate or all certificates in one .pem file:

    • SSL_CERT_DIR location of the trusted CA certificates with each certificate in a separate file, for example, /etc/ssl/certs/

    • SSL_CERT_FILE location of the .pem file with all the trusted CA certificates, for example, /etc/pki/tls/certs/ca-bundle.crt


    This is just Unix, what about Windows then? :)

    Cheers,
    Marcin




  • 4.  RE: Agentpacks - include Server Certificates

    Broadcom Employee
    Posted Sep 27, 2022 03:49 AM
    Hi Marcin,

    kindly provide evidence that the server certificate was sent from the AE to the agent and stored at the agent.

    Automic uses TLS server authentication for securing the connection between the agents and the JCP. You can use self-signed certificates, but we recommend them for sandboxes only. If you are using self-signed certificates, then you are responsible for distributing them. If you use proper, CA-signed certificates, then the clients will use a matching CA root certificate to validate the server certificate. Those CA root certificates are typically part of the PKI and maintained by another team, and you will find them in the standard locations listed here:
    https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/21.0.4/Automic%20Automation%20Guides/Content/InstallAgents/InstallAgentUNIX.htm#link3

    An agent does not receive and store the server certificate in any folder; this would be against the principles of TLS.

    If your CA root certificate is not in one of the listed standard locations, then you can provide an alternative location using the mentioned environment variables.

    Regards, Markus
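    The trust lookup described in the quoted UNIX documentation and in Markus' reply above (the agent validates the JCP's server certificate against a CA root found through SSL_CERT_FILE or SSL_CERT_DIR) can be reproduced with openssl alone. The script below is an added sandbox demonstration, not Automic or Broadcom code: it builds a constructed self-signed root CA and a JCP server certificate with placeholder names, then checks which trust-store layout lets a TLS client accept that certificate, including the common mistake of dropping the CA into SSL_CERT_DIR under its plain file name instead of the hashed name the directory lookup requires.

```shell
#!/bin/sh
# Constructed sandbox demo, not Automic code: how a TLS client such as an agent
# locates the CA root through SSL_CERT_FILE / SSL_CERT_DIR. Requires openssl.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
# 1. Self-signed root CA (placeholder name), the equivalent of a sandbox root
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -sha256 -days 2 -subj "/CN=Sandbox Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# 2. Server certificate for the JCP (placeholder host name) issued by that CA
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=jcp.sandbox.example" -keyout "$WORK/jcp.key" \
  -out "$WORK/jcp.csr" 2>/dev/null
openssl x509 -req -in "$WORK/jcp.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -out "$WORK/jcp.pem" 2>/dev/null
# 3. Two candidate trust directories: one holding the CA under its plain file
#    name, one under the <subject_hash>.0 name the directory lookup requires
mkdir -p "$WORK/plain" "$WORK/hashed"
cp "$WORK/ca.pem" "$WORK/plain/ca.pem"
cp "$WORK/ca.pem" "$WORK/hashed/$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem").0"

# agent_can_verify BUNDLE DIR CERT: exit 0 when CERT chains to a trusted root.
# Empty arguments are mapped to a non-existent path so the host's own system
# store cannot mask the result; a real agent falls back to the defaults instead.
agent_can_verify() {
  SSL_CERT_FILE="${1:-/nonexistent}" SSL_CERT_DIR="${2:-/nonexistent}" \
    openssl verify "$3" >/dev/null 2>&1
}
bundle_ok()     { agent_can_verify "$WORK/ca.pem" "" "$WORK/jcp.pem"; }  # SSL_CERT_FILE
hashed_dir_ok() { agent_can_verify "" "$WORK/hashed" "$WORK/jcp.pem"; }  # SSL_CERT_DIR
plain_dir_ok()  { agent_can_verify "" "$WORK/plain"  "$WORK/jcp.pem"; }  # common mistake
no_trust_ok()   { agent_can_verify "" ""             "$WORK/jcp.pem"; }  # nothing set up

for c in bundle_ok hashed_dir_ok plain_dir_ok no_trust_ok; do
  if "$c"; then echo "$c: JCP certificate accepted"; else echo "$c: rejected"; fi
done
```

On a real host the same check is `SSL_CERT_FILE=<bundle> openssl verify <jcp.pem>` run as the user that starts the agent, which surfaces a missing or unhashed root before the agent's first connection attempt does.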


  • 5.  RE: Agentpacks - include Server Certificates

    Posted Sep 27, 2022 05:35 AM
    Edited by Marcin Uracz Sep 27, 2022 06:21 AM
    Ok, understood. Thank you.

    PS: I really did not expect the OneInstaller to mess with my cacerts keystore in the Java installation and import the self-signed Root CA there.

    ------------------------------
    Cheers,
    Marcin
    ------------------------------



  • 6.  RE: Agentpacks - include Server Certificates

    Broadcom Employee
    Posted Sep 28, 2022 02:21 AM
    Hi Marcin,

    the OneInstaller is designed for POC, Demo or Sandbox Environments. Since it requires a certificate for running the AE, it creates a self-signed certificate and stores it in the cacerts keystore of the Java runtime. But if I remember correctly, the OneInstaller asks explicitly whether you want to bring your own certificate or have one created upon install.

    Regards, Markus


  • 7.  RE: Agentpacks - include Server Certificates

    Posted Sep 28, 2022 02:44 AM
    Hi Markus,
    yeah sure, I just did not expect that after generating the certs it would also put them into the global CACERTs, as Automic has its own trustedCerts folder which is used.

    But I do understand the purpose behind it; it makes things easier.


    ------------------------------
    Cheers,
    Marcin
    ------------------------------



  • 8.  RE: Agentpacks - include Server Certificates

    Broadcom Employee
    Posted Sep 28, 2022 02:47 AM
    Hi Marcin,

    thanks for the feedback, I understand what you mean and will address that internally.

    Regards, Markus