Manual installation of the Change Guardian Windows Agent requires two artifacts: the Agent Certificate for the target host and the Installer. The Administrator should generate the Agent certificate for the Agent host before proceeding with the installation.

The steps below help administrators build a custom script, for use within third-party deployment solutions, that generates Agent certificates and downloads the Agent Installer artifacts.

For illustration, the code snippets use PowerShell syntax compatible with version 5.1.

Step -1

Prerequisite: Create a temporary user with the Administrator Role to interact with Server APIs.

    # Prompt for the server address and the temporary Administrator credentials
    [String]$server = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server IP Address/FQDN")
    [String]$user = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Username")
    [String]$password = $(Read-Host "$(Get-Date -format g) Enter Change Guardian Server Password")

Step -2

Get the Authentication Token for accessing Server APIs as below.

A POST request to “https://${server}:8443/SentinelAuthServices/auth/tokens” returns the token details, which are used later to access the Agent Manager APIs.

The credentials in the Authorization header must be Base64 encoded.

    $url = "https://${server}:8443/SentinelAuthServices/auth/tokens"
    $type = "application/json"
    $header = @{"Authorization" = "Basic "+[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($user+":"+$password))}
    $response = Invoke-RestMethod -Uri $url -Headers $header -Method Post -ContentType $type
    $tokenDigest = $response.TokenDigest
    $token = $response.Token


Step -3

Write functions to fetch the IP address and FQDN of your Agent host.

    $agentHostname = get-Hostname
    $agentIP = get-IPAddress
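
One way to write the two helper functions this step calls for (an added example, not code from the original post). It assumes the Get-NetIPConfiguration cmdlet is available (Windows 8 / Server 2012 or later) and that the Agent reaches the server through the adapter that holds the default gateway; both values are validated because they are later concatenated into a URL.

```powershell
# Added example: helper functions assumed by the snippet above.
function Get-Hostname {
    # Build the FQDN from the local TCP/IP settings; fall back to the short
    # name when the host has no primary DNS suffix (workgroup machines).
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ipProps.DomainName) {
        $name = "{0}.{1}" -f $ipProps.HostName, $ipProps.DomainName
    }
    else {
        $name = $ipProps.HostName
    }
    # Reject anything that is not a plain DNS name before it is placed in a URL.
    if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$') {
        throw "Unexpected characters in host name '$name'"
    }
    return $name
}

function Get-IPAddress {
    # Use the IPv4 address of the connected adapter that owns the default route,
    # which skips loopback, disconnected and host-only adapters.
    $config = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' } |
        Select-Object -First 1
    if (-not $config) {
        throw "No connected adapter with an IPv4 default gateway was found"
    }
    $address = $config.IPv4Address | Select-Object -First 1 -ExpandProperty IPAddress
    # Parse the value so that only a literal IP address is ever returned.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) {
        throw "Could not parse '$address' as an IP address"
    }
    return $parsed.ToString()
}

$agentHostname = Get-Hostname
$agentIP = Get-IPAddress
```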


Step -4

Call the Agent Manager API to get the Agent certificates by providing the Agent hostname and IP address.

    $cert_download_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/ChangeGuardianAgentCertificates_" + $agentHostname + ".zip?location=c0d42d81-eff6-4ea9-b1b7-ebc891600fa3&id=0&hostname=" + $agentHostname + "&ipaddress=" + $agentIP
    $local_url = "https://localhost:8443/SentinelAuthServices/auth/tokens"
    # Session cookie built from the token digest obtained in Step 2
    $cookie_auth = 'Spiffy_Session=' + 'X-SAML,' + $tokenDigest + ',' + $local_url + ',' + $local_url + ',' + $user
    # Send the session cookie with every Agent Manager request
    $amsheader = @{"Cookie" = $cookie_auth}
    $certs_file = "ChangeGuardianAgentCertificates_" + $agentHostname + ".zip"
    Invoke-WebRequest -Uri $cert_download_URL -Headers $amsheader -Passthru -OutFile $certs_file

Step-5 (Optional)

Call Agent Manager API to download Change Guardian Windows Agent Package.

This step is optional if you already downloaded Generic Agent Installer MSI Package.

Note: The Windows Installer URL attributes differ based on the version of Change Guardian and also depend on the order of configuration, so capture the URL from your Agent Manager Download option.

    $installer_file = "ChangeGuardianAgentForWindows_" + $AgentHostname + ".zip"
    #URL Specific to Change Guardian Version 5.1
    #$Windows_Installer_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/"
    #URL Specific to Change Guardian Version 5.0
    $Windows_Installer_URL = "https://" + $server + ":8443/cg-api/ams/api/agent-manager/download/"
    Invoke-WebRequest -Method Get -Uri $windows_installer_URL -Headers $amsheader -Passthru -OutFile $installer_file


Step -6

Copy and extract both artifacts to a temporary directory.

    # A random GUID gives the working directory an unpredictable name
    $randDir = [System.Guid]::NewGuid().ToString()
    $tempDir = "C:\Windows\temp"
    if (New-Item -Path $tempDir -Name $randDir -ItemType "directory") {
        Write-Host "$(Get-Date -format g) Temp Directory Created"
    }
    $archive_Path = $tempDir + "\" + $randDir
    Expand-Archive -Path $installer_file -DestinationPath $archive_Path
    Expand-Archive -Path $certs_file -DestinationPath $archive_Path -Force


Step -7

Run the Agent Installer from the temporary directory.

    $installed = Start-Process NetIQCGAgentSilentInstaller.exe -ArgumentList "/s" -Wait -Verb runas -WindowStyle Minimized -WorkingDirectory $archive_Path -PassThru


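Step -8

Clean up the temporary directory and delete the Server authentication token.

    # System.Web is not loaded by default in a PowerShell 5.1 session
    Add-Type -AssemblyName System.Web
    $encodedToken = [System.Web.HttpUtility]::UrlEncode($token)
    $deleteURL = $Url +"/"+ $encodedToken
    Invoke-WebRequest -Uri $deleteURL -Headers $header -Method Delete
    # Remove the extracted installer and certificates
    Remove-Item -Path $archive_Path -Recurse -Force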


Because the server uses a self-signed certificate, the Invoke-WebRequest/Invoke-RestMethod cmdlets need a snippet of .NET code to ignore certificate errors on PS versions 4.0/5.0/5.1.

Starting with PS 6.0 Core, the Invoke-WebRequest/Invoke-RestMethod cmdlets provide the “-SkipCertificateCheck” option.
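
For Windows PowerShell 5.1, the .NET callback does not have to ignore every certificate error: it can accept only the one self-signed certificate you expect. The block below is an added example, not code from the original post; the class name PinnedCertValidator and the fingerprint placeholder are assumptions, and the fingerprint must be obtained from the server out of band.

```powershell
# Added example: accept the self-signed server certificate only when its
# SHA-256 fingerprint matches a value recorded in advance.
$pinnedSha256 = '<SHA-256 FINGERPRINT OF YOUR SERVER CERTIFICATE>'   # placeholder

if (-not ('PinnedCertValidator' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator
{
    private static string pin;

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) { return true; }   // trusted chain, name matches
        if (cert == null || String.IsNullOrEmpty(pin)) { return false; }
        using (SHA256 sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData()));
            return String.Equals(actual.Replace("-", ""), pin, StringComparison.OrdinalIgnoreCase);
        }
    }

    public static void Enable(string sha256Hex)
    {
        pin = sha256Hex.Replace(":", "").Replace(" ", "");
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Disable()
    {
        ServicePointManager.ServerCertificateValidationCallback = null;
    }
}
'@
}

[PinnedCertValidator]::Enable($pinnedSha256)
try {
    # Run the token request and the Agent Manager downloads from the steps above here.
}
finally {
    [PinnedCertValidator]::Disable()   # restore default validation for the session
}
```

The callback is process-wide, so the finally block matters: without it every later HTTPS request in the same session would also be checked against the pin.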


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: kalyanj
Dec 5, 2018
9:07 am