Automic Workload Automation

  • 1.  Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Jun 20, 2023 08:36 AM
    The AAKE version we are using is 21.0.5+hf4, and we are attempting to connect a new agent from the backend.
     
    We configured the.ini file and added the jcp certificate to the trusted certs folder on the agent server.
     
    But we are encountering the following error:
    20230617/205841.952 - U02000072 Connection to system 'AUTOMIC' initiated.
    20230617/205841.952 - U02000379 Initiating connection to server 'AUTOMIC' using WebSocket URI: 'aake-ws-dev.****:8443/agent'.
    20230617/205841.988 - U02000377 Certificate loaded from file '/etc/pki/tls/certs/ca-bundle.crt'.
    20230617/205841.989 - U02000378 Loading certificates from directory: '/data/automic/aeinstall-V21/agent/bin/certs'.
    20230617/205841.989 - U02000377 Certificate loaded from file '/data/automic/aeinstall-V21/agent/bin/certs/aake.R5644.pem'.
    20230617/205841.989 - U02000398 Loading certificates from the directory './security' that is specified in the parameter'AgentSecurityFolder'.
    20230617/205841.989 - U02000376 Could not parse certificate './security/AE01-AAKE.pem'. Please make sure that the certificate is in PEM format.
    20230617/205841.992 - U02000313 Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.
    20230617/205841.993 - U02000010 Connection to Server 'AUTOMIC/*******:8443' terminated.
    20230617/205841.993 - U02000074 Connecting to system 'AUTOMIC' is not possible.
    Attached full log to the thread

    Attachment(s): Log.txt (54 KB)


  • 2.  RE: Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Mar 13, 2024 07:18 AM

    What was the solution to resolve this?




  • 3.  RE: Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Mar 20, 2024 11:11 AM

    Hi SWASTIKA SHET, Lavine Appollis,

    This is a certification problem. Make the TLS handshake manually with the command
     openssl s_client -connect <Your-AutomationEngine-Server.de>:8443
    The command will return some information. 
    I would not advise to distribute the cert on every agent. You only need to get a cert from your root CA, then store the root CA cert or the intermediate cert on every system, and certification problems are solved. 

    With the solution you chose you will run into cert hell, because the day will come when the cert is becoming invalid. So you have to change it on every system you use it on. The root CAs or intermediate certs are handled by your CA and implemented by your system admins. 

    Hope that helps

    Best Regards

    Andrzej Golaszewski




  • 4.  RE: Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Mar 25, 2024 05:40 AM
    Hi,

    Thanks for the feedback.

    Just a question to what you mentioned.

    "I would not advise to distribute the cert on every agent. You only need to get a cert from your root CA, then store the root CA cert or the intermediate cert on every system, and certification problems are solved. "

    We are currently distributing the cert on every agent. Where in the ini file would we store the root CA certificate? Can you please explain this step, because our CA cert expires in 2 years and we would like to resolve this before then.

    Regards,








  • 5.  RE: Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Mar 25, 2024 07:47 AM

    Hello Lavine Appollis,

    1. To understand it, just a little excursion into how certificates work. I give only a rough outline of the topic to understand the background.
      If you connect via web browser to a web server, your browser checks the certificate. And how does this work?

      1. The client (browser) requests the server for identification.
      2. Your web browser downloads the web server's certificate, which contains the public key of the web server. This certificate is signed with the private key of a trusted certificate authority.
      3. Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority.

      4. The certificate contains the domain name and/or IP address of the web server. Your web browser confirms with the certificate authority that the address listed in the certificate is the one to which it has an open connection.

      5. Browser and server calculate a shared symmetric key which is used for the actual data encryption. Since the server identity is verified, the client can be sure that this "key exchange" is done with the right server and not some man-in-the-middle attacker.
    2. How does this help? Well, the connection with the Automation Engine server works the same way. 
      1. You create a CSR (Certificate Signing Request) at your local CA. To be flexible enough you should use a multi-domain cert (SAN) to use DNS aliases for your server.
      2. Mostly you will get a bunch of files: the certificate for the AE server itself and public keys, intermediate cert, cert chain...
        As described in the manual, build your own keystore for AE and start your AE processes with this keystore. 
      3. Your system administrator must deploy the root and intermediate certs on every machine. The standard path for certs is system dependent; have a look in the manual: Parameters - Agents, Java Components, Proxy and TLS Gateway
      4. Before you start your AE processes, load the intermediate cert into the Java truststore you use for starting Automic processes. 
      5. Well, that's the magic. Every client (agent) connecting to your AE server must have the intermediate certificate. Validating can be done with openssl 

        openssl s_client -connect <AutomationEngineServer.yourdomain>:8443

      6. If everything was fine you will get a positive answer for your TLS handshake request.

    3. As an Automic administrator you only need server certificates for your AE servers; create a keystore file as described in the manual and load the certificate of the intermediate CA into the Java truststore. 

    At the first start of your agent, the agent connects to the AE server and they hand out a cert for their communication. The cert folder is defined in the ini file, and the cert file is stored automatically. 

    Hope that explains the method a little bit. An advice from my own experience: build it in a test environment and play around with it. It cost me some hours and much more trial and error to understand the whole process. 

    Hope that helps, best regards

    Andrzej Golaszewski
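The two errors in the original log (U02000376 "Could not parse certificate ... Please make sure that the certificate is in PEM format" and U02000313 "certificate verify failed") and the manual `openssl s_client` check recommended in replies 3 and 5 can both be scripted. The following is an added example written for this thread, not Automic code and not from any of the posters. `inspect_cert_bytes` classifies a certificate file the way a practitioner would before blaming the agent: PEM with valid base64, PEM with corrupt base64, DER (a heuristic on the leading ASN.1 SEQUENCE byte), or a file with a UTF-8 byte-order mark in front of the BEGIN marker. `check_server_chain` is the Python-stdlib counterpart of `openssl s_client -connect host:8443 -CAfile root-ca.pem`: it validates the server chain against the given CA file (or the system trust store, which on the poster's Linux host is the `/etc/pki/tls/certs/ca-bundle.crt` the agent already loads) and reports the issuer CN, which is the CA you need to trust. All function names, the `8443` default and the demo bytes are assumptions of this example.

```python
"""Diagnose the two failure modes from the thread: a certificate file the agent
rejects as non-PEM (U02000376) and a server chain that fails verification
(U02000313). Added example, not part of the Automic product or this thread."""
import base64
import binascii
import re
import socket
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)
UTF8_BOM = b"\xef\xbb\xbf"  # some Windows editors prepend this when saving PEM


def inspect_cert_bytes(data: bytes) -> dict:
    """Classify the contents of a certificate file.

    format: 'pem' (markers present, base64 valid), 'pem-corrupt' (markers
    present, base64 invalid), 'der' (heuristic: first byte is the ASN.1
    SEQUENCE tag 0x30 and there are no PEM markers) or 'unknown'.
    A leading UTF-8 BOM is reported separately: it sits in front of the
    BEGIN marker and is a common reason a PEM file fails to parse.
    """
    report = {"format": "unknown", "certs": 0, "bom": data.startswith(UTF8_BOM)}
    body = data[len(UTF8_BOM):] if report["bom"] else data
    blocks = PEM_BLOCK.findall(body.decode("ascii", errors="replace"))
    if blocks:
        report["format"] = "pem"
        report["certs"] = len(blocks)  # a chain file carries several blocks
        for b64 in blocks:
            try:
                base64.b64decode(re.sub(r"\s", "", b64), validate=True)
            except (binascii.Error, ValueError):
                report["format"] = "pem-corrupt"
    elif body[:1] == b"\x30":
        report["format"] = "der"
        report["certs"] = 1
    return report


def inspect_cert_file(path) -> dict:
    """Same classification, reading the file from disk."""
    return inspect_cert_bytes(Path(path).read_bytes())


def der_to_pem(der: bytes) -> str:
    """Re-encode a DER certificate as PEM, the format the agent expects in
    its certs and AgentSecurityFolder directories."""
    return ssl.DER_cert_to_PEM_cert(der)


def check_server_chain(host: str, port: int = 8443, cafile=None, timeout: float = 5.0):
    """Counterpart of `openssl s_client -connect host:port -CAfile cafile`.

    Returns ('ok', issuer_cn) when the chain validates against cafile (or
    the system trust store when cafile is None), ('verify-failed', reason)
    for the error class seen in the agent log, or ('connect-failed', reason)
    when no TCP/TLS session could be established at all.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
                return "ok", issuer.get("commonName", "")
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed", exc.verify_message
    except OSError as exc:  # refused, unreachable, or non-verification TLS error
        return "connect-failed", str(exc)


if __name__ == "__main__":
    import sys

    # Constructed demo input: a DER-looking blob, then the same bytes as PEM.
    demo_der = bytes.fromhex("30820100")
    print(inspect_cert_bytes(demo_der))
    print(inspect_cert_bytes(der_to_pem(demo_der).encode()))
    if len(sys.argv) > 1:
        # usage: python check_cert.py <ae-host>[:port] [root-ca.pem]
        host, _, port = sys.argv[1].partition(":")
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_server_chain(host, int(port or 8443), cafile))
```

Run it against a file from the agent's `./security` folder first; a `der` result means the file needs `der_to_pem` (or `openssl x509 -inform DER -outform PEM`), and `bom: True` means the first three bytes must be stripped. Only when the file parses is the handshake check worth running, and a `verify-failed` result with the issuer CN from a working `ok` run tells you exactly which root or intermediate CA certificate belongs in the system trust store, which is the approach reply 3 recommends over copying the JCP certificate to every agent.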




  • 6.  RE: Communication error with partner '*SERVER', error: 'TLS-handshake/337047686(certificate verify failed (SSL routines, tls_process_server_certificate))'.

    Posted Mar 25, 2024 08:05 AM

    In addition to the manual, 2 useful links:

    1. Broadcom Academy
    2. Creating_and_Using_TLS/SSL_Signed_by_a_Public_CA_for_use_with_Automic_Automation_v21.pdf

    Best regards

    Andrzej Golaszewski