Configure mutual authentication for server, agent relay, and agents

Prerequisites: Add an alias to an agent relay and Configure mutual authentication for server and agent

This topic explains how to finish setting up mutual authentication for a server, agent relay, and agents that communicate with the server through agent relays.

To exchange certificates between server, agent, and agent relay:

  1. Stop the Deployment Automation server, the agent relay, and the agents.
  2. Open a command prompt and navigate to the conf directory on your server, for example:

    <da_profile_directory>\conf

  3. Export the server key as a certificate by running this command:

    keytool -export -keystore server.keystore -storepass changeit -alias server -file server.crt

    A message Certificate stored in file server.crt is displayed.

  4. Copy the exported certificate file server.crt to the agent relay directory:

    <relay_install_directory>\<agent_relay_name>\conf\jms-relay

    where <agent_relay_name> is the unique name you gave the agent relay during installation.

  5. From the agent relay directory <relay_install_directory>\<agent_relay_name>\conf\jms-relay, import server.crt by running this command:

    keytool -import -keystore agentrelay.keystore -storepass changeit -alias server -file server.crt -keypass changeit -noprompt

    A message Certificate was added to keystore is displayed. Because -noprompt suppresses the prompt that asks you to confirm that the certificate is trusted, compare the fingerprint of the copied server.crt with the fingerprint shown on the server before you import it.

    Note: Before you export an agent relay key, you must add an alias to the agent relay. For details, see Add an alias to an agent relay. After generating the new key pair, make sure that you remove the default key from the keystore so that it holds only the key for the new alias.

  6. From the agent relay directory <relay_install_directory>\<agent_relay_name>\conf\jms-relay, export the agent relay key as a certificate by running this command:

    keytool -export -keystore agentrelay.keystore -storepass changeit -alias <agent_relay_alias> -file <agent_relay_name>.crt

    A message Certificate stored in file <agent_relay_name>.crt is displayed.

  7. Copy the exported certificate file <agent_relay_name>.crt to your server's conf directory.

  8. From the server's conf directory, import <agent_relay_name>.crt by running this command:

    keytool -import -keystore server.keystore -storepass changeit -alias <agent_relay_alias> -file <agent_relay_name>.crt -keypass changeit -noprompt

    A message Certificate was added to keystore is displayed.

  9. For an agent configured to connect to the agent relay, copy the exported certificate file <agent_relay_name>.crt to the agent directory:

    <agent_install_directory>\<agent_name>\conf

    where <agent_name> is the unique name you gave the agent during installation.

  10. From the agent directory <agent_install_directory>\<agent_name>\conf, import <agent_relay_name>.crt by running this command:

    keytool -import -keystore agent.keystore -storepass changeit -alias <agent_relay_alias> -file <agent_relay_name>.crt -keypass changeit -noprompt

    A message Certificate was added to keystore is displayed.

  11. From the agent directory <agent_install_directory>\<agent_name>\conf, export the agent key as a certificate by running this command:

    keytool -export -keystore agent.keystore -storepass changeit -alias <agent_alias> -file <agent_name>.crt

    A message Certificate stored in file <agent_name>.crt is displayed.

    Note: Before you export an agent key, you must add an alias to the agent. For details, see Add an alias to an agent. After generating the new key pair, make sure that you remove the default key from the keystore so that it holds only the key for the new alias.

  12. Copy the exported certificate file <agent_name>.crt to the agent relay directory:

    <relay_install_directory>\<agent_relay_name>\conf\jms-relay

  13. From the agent relay directory <relay_install_directory>\<agent_relay_name>\conf\jms-relay, import the <agent_name>.crt file by running this command:

    keytool -import -keystore agentrelay.keystore -storepass changeit -alias <agent_alias> -file <agent_name>.crt -keypass changeit -noprompt

    A message Certificate was added to keystore is displayed.

  14. (Optional) To configure another agent that communicates with the server through this agent relay, repeat steps 9–13 for that agent. Each agent needs the agent relay certificate in its own agent.keystore, and the agent relay needs each agent's certificate in agentrelay.keystore.

    Note: For each agent, use that agent's own values for the <agent_name> directory and -file argument and for the -alias argument <agent_alias>. The alias must be unique in agentrelay.keystore; keytool refuses to import a certificate under an alias that already exists.

  15. Start the server, agent relay, and agents.
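The following script is an added example and is not part of the Deployment Automation documentation or product. It runs steps 3 through 13 of the procedure above on throwaway keystores in one working directory (one subdirectory standing in for each host), adds the fingerprint comparison that -noprompt otherwise skips, and checks the result: each keystore must hold exactly one private key (the default key removed) plus the trusted certificates of the peers it talks to. It uses the long command names -exportcert and -importcert, which are the same keytool commands as the -export and -import used on this page. Assumptions: keytool from a JDK is on PATH; the password changeit, the aliases relay01 and agent01, and the directory names are placeholders for your real values; the three keystores are generated locally here, whereas in the real procedure the files are copied between hosts and the fingerprint is read from the exporting host.

```shell
#!/usr/bin/env bash
# Added example, not the product's own scripts. Scripts the server <-> agent
# relay <-> agent certificate exchange on constructed keystores, with a
# fingerprint check before every -noprompt import and a final keystore check.
# Assumed: keytool on PATH; password, aliases and paths below are placeholders.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # placeholder; use the keystore's real password

# Generate a key pair (stands in for "Add an alias to ..." done on each host).
gen_key() {                          # gen_key <keystore> <alias>
  keytool -genkeypair -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -alias "$2" -dname "CN=$2" -keyalg RSA -keysize 2048 -validity 365 >/dev/null
}

# Export the certificate of a private-key entry (keytool -export on the page).
export_cert() {                      # export_cert <keystore> <alias> <out.crt>
  keytool -exportcert -keystore "$1" -storepass "$STOREPASS" -alias "$2" -file "$3"
}

# SHA-256 fingerprint of a certificate file, as upper-case hex without colons.
cert_fingerprint() {                 # cert_fingerprint <file.crt>
  keytool -printcert -file "$1" | awk '/SHA256:/ { gsub(":", "", $2); print toupper($2) }'
}

# Normalize a fingerprint read out by the exporting side (any case, colons, spaces).
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ': \t\n' | tr '[:lower:]' '[:upper:]'
}

# Import a certificate as a trusted entry only if its fingerprint matches the value
# obtained out of band; after that comparison -noprompt is safe to use.
import_trusted_cert() {              # import_trusted_cert <keystore> <alias> <file.crt> <expected-fp>
  local actual
  actual="$(cert_fingerprint "$3")"
  [ -n "$actual" ] || { echo "cannot read a certificate from $3" >&2; return 1; }
  if [ "$actual" != "$(normalize_fingerprint "$4")" ]; then
    echo "refusing to import $3 into $1: fingerprint $actual does not match $4" >&2
    return 1
  fi
  keytool -importcert -keystore "$1" -storepass "$STOREPASS" -alias "$2" -file "$3" -noprompt
}

# Verify a keystore holds exactly one private key and the expected trusted certificates.
check_keystore() {                   # check_keystore <keystore> <trusted-alias>...
  local keystore="$1" listing keys alias
  shift
  listing="$(keytool -list -keystore "$keystore" -storepass "$STOREPASS" 2>/dev/null || true)"
  keys="$(printf '%s\n' "$listing" | grep -c PrivateKeyEntry || true)"
  [ "$keys" -eq 1 ] || { echo "$keystore: expected 1 PrivateKeyEntry, found $keys" >&2; return 1; }
  for alias in "$@"; do
    case "$(keytool -list -keystore "$keystore" -storepass "$STOREPASS" -alias "$alias" 2>/dev/null || true)" in
      *trustedCertEntry*) ;;
      *) echo "$keystore: trusted certificate '$alias' is missing" >&2; return 1 ;;
    esac
  done
}

# Steps 3-13 on constructed keystores under <workdir>: server/, relay/, agent/.
demo_exchange() {                    # demo_exchange <workdir>
  local w="$1" relay_alias="relay01" agent_alias="agent01" fp
  mkdir -p "$w/server" "$w/relay" "$w/agent"
  gen_key "$w/server/server.keystore" server
  gen_key "$w/relay/agentrelay.keystore" "$relay_alias"
  gen_key "$w/agent/agent.keystore" "$agent_alias"

  # Steps 3-5: server certificate into the relay's keystore
  export_cert "$w/server/server.keystore" server "$w/server/server.crt"
  fp="$(cert_fingerprint "$w/server/server.crt")"   # read on the server side
  cp "$w/server/server.crt" "$w/relay/"
  import_trusted_cert "$w/relay/agentrelay.keystore" server "$w/relay/server.crt" "$fp"

  # Steps 6-10: relay certificate into the server's and the agent's keystores
  export_cert "$w/relay/agentrelay.keystore" "$relay_alias" "$w/relay/$relay_alias.crt"
  fp="$(cert_fingerprint "$w/relay/$relay_alias.crt")"
  cp "$w/relay/$relay_alias.crt" "$w/server/"
  cp "$w/relay/$relay_alias.crt" "$w/agent/"
  import_trusted_cert "$w/server/server.keystore" "$relay_alias" "$w/server/$relay_alias.crt" "$fp"
  import_trusted_cert "$w/agent/agent.keystore" "$relay_alias" "$w/agent/$relay_alias.crt" "$fp"

  # Steps 11-13: agent certificate into the relay's keystore
  export_cert "$w/agent/agent.keystore" "$agent_alias" "$w/agent/$agent_alias.crt"
  fp="$(cert_fingerprint "$w/agent/$agent_alias.crt")"
  cp "$w/agent/$agent_alias.crt" "$w/relay/"
  import_trusted_cert "$w/relay/agentrelay.keystore" "$agent_alias" "$w/relay/$agent_alias.crt" "$fp"

  # Each side holds its own key plus the certificates of the peers it talks to
  check_keystore "$w/server/server.keystore" "$relay_alias"
  check_keystore "$w/relay/agentrelay.keystore" server "$agent_alias"
  check_keystore "$w/agent/agent.keystore" "$relay_alias"
}

if [ "${1:-}" = "--demo" ]; then demo_exchange "$(mktemp -d)"; fi
```

Run it with the --demo argument to exercise the whole exchange locally. On real hosts, call export_cert on the exporting side, note the fingerprint that cert_fingerprint prints there, copy the .crt file, and call import_trusted_cert on the importing side with that fingerprint; the import is refused if the copied file does not match. check_keystore is also a convenient way to confirm, after step 14, that every keystore contains only the new key and the right trusted entries before you start the server, agent relay, and agents.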
