B.3 Implementing Authenticated Communication

You can configure authenticated communication in your Agent Manager environment by completing the following checklist. Each step names the section that describes it.

  1. If you want to configure authenticated communication with your agent computers, issue and install agent computer certificates. See Section B.3.1, Certificate Requirements, and Section B.3.2, Issuing and Installing Agent Authentication Certificates.

  2. If you want to configure authenticated communication with your central computers, issue and install central computer certificates. See Section B.3.1, Certificate Requirements, and Section B.3.3, Issuing and Installing central computer Authentication Certificates.

  3. If you want to configure authenticated communication with your agent computers, enable agent authentication on each central computer. See Section B.3.4, Enabling Agent Authentication.

  4. If you want to configure authenticated communication with your central computers, enable central computer authentication on each agent computer. See Section B.3.5, Enabling central computer Authentication.

  5. If you want to customize additional authentication settings, such as the certificate store to search or the list of trusted issuers, modify the appropriate registry values. See Section B.3.6, Customizing Certificate Usage.

  6. Verify that authenticated agents and central computers can communicate. See Section B.3.7, Verifying Authenticated Communication.

  7. Troubleshoot any authentication-related issues. See Section B.3.8, Troubleshooting Authentication Problems.

NOTE:

  • You can create and deploy authentication certificates for your agents and central computers either before or after installing Agent Manager.

  • You can enable authentication at any time after installing Agent Manager. However, ensure you issue and install all necessary certificates on agent and central computers before enabling authentication.

B.3.1 Certificate Requirements

When you issue agent or central computer certificates for authentication, ensure all certificates meet the following requirements:

  • The certificate is an X.509 certificate.

  • The certificate has a Client Authentication (1.3.6.1.5.5.7.3.2) Enhanced Key Usage (EKU), a Server Authentication (1.3.6.1.5.5.7.3.1) EKU, or both. Agent certificates present Client Authentication and central computer certificates present Server Authentication (see Section B.3.2 and Section B.3.3).

  • The certificate has a private key.

  • The certificate has the EXCHANGE key specification (AT_KEYEXCHANGE), that is, a public/private key pair that can be used to encrypt session keys so they can be safely stored and exchanged with other parties. A certificate whose key has only the SIGNATURE key specification does not meet this requirement.

NOTE: For added security, NetIQ also recommends that you ensure the certificate was issued by one of the certification authorities listed in the TrustedIssuerSubjectNames configuration property. For more information about that property, see Section B.3.6, Customizing Certificate Usage.
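
The following PowerShell check is added here as an example and is not taken from the NetIQ documentation. It tests every certificate in the Agent Manager store against the four requirements above and the optional issuer allowlist. It assumes PowerShell 5.1 or later in an elevated session on the agent or central computer (machine private keys are otherwise not readable), the default store name NetIQ Security Manager, and the issuer name from the Section B.3.6 example; the function name Test-AgentManagerCertificate is this example's own.

```powershell
# Added example, not part of the NetIQ documentation: tests certificates in the
# Agent Manager store against the Section B.3.1 requirements. Assumptions:
# PowerShell 5.1 or later, elevated session (machine private keys are otherwise
# unreadable), default store name 'NetIQ Security Manager'; the issuer name in
# the usage line is the Section B.3.6 example, not a value from this computer.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-AgentManagerCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [X509Certificate2] $Certificate,
        # Optional issuer allowlist, same semantics as TrustedIssuerSubjectNames.
        [string[]] $TrustedIssuerSubjectNames = @()
    )
    process {
        # Requirement 2: EKU values present on the certificate.
        $ekus = @($Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
                  ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        # Requirements 3 and 4: a private key this account can open, with the
        # EXCHANGE key spec. KeyNumber is only exposed for CSP-held (legacy) keys;
        # CNG-held keys have no key spec, so that is reported rather than guessed.
        $keyReadable = $false
        $keySpec = 'no private key'
        if ($Certificate.HasPrivateKey) {
            try {
                $csp = $Certificate.PrivateKey -as [RSACryptoServiceProvider]
                if ($csp) {
                    $keySpec = $csp.CspKeyContainerInfo.KeyNumber.ToString()   # Exchange or Signature
                    $keyReadable = $true
                } elseif ([RSACertificateExtensions]::GetRSAPrivateKey($Certificate)) {
                    $keySpec = 'CNG (no CSP key spec)'
                    $keyReadable = $true
                } else {
                    $keySpec = 'not an RSA key'
                }
            } catch [CryptographicException] {
                # Key container exists but cannot be opened by this account; an agent
                # in this state fails to start and logs event 21334 (Section B.3.2).
                $keySpec = "inaccessible: $($_.Exception.Message)"
            }
        }

        $issuerTrusted = ($TrustedIssuerSubjectNames.Count -eq 0) -or
                         ($TrustedIssuerSubjectNames -contains $Certificate.Issuer)
        $expired = $Certificate.NotAfter -lt (Get-Date)

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Issuer             = $Certificate.Issuer
            Thumbprint         = $Certificate.Thumbprint
            ClientAuthEku      = ($ekus -contains $ClientAuthOid)
            ServerAuthEku      = ($ekus -contains $ServerAuthOid)
            PrivateKeyReadable = $keyReadable
            KeySpec            = $keySpec
            IssuerTrusted      = $issuerTrusted
            Expired            = $expired
            # A SIGNATURE-only key is a definite failure; a CNG key is reported as-is.
            MeetsRequirements  = ($ekus -contains $ClientAuthOid -or $ekus -contains $ServerAuthOid) -and
                                 $keyReadable -and ($keySpec -ne 'Signature') -and $issuerTrusted -and -not $expired
        }
    }
}

# Usage: check everything in the Agent Manager store on this computer.
Get-ChildItem 'Cert:\LocalMachine\NetIQ Security Manager' |
    Test-AgentManagerCertificate -TrustedIssuerSubjectNames 'CN=NetIQ Agent Manager Trusted Root' |
    Format-List
```

Run it as the account that installed the certificate and, if the result differs, as the account the Agent Manager service runs under: the "inaccessible" key spec is the same condition that produces event 21334 at service start.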

B.3.2 Issuing and Installing Agent Authentication Certificates

If you want to configure authentication for Agent Manager agent computers, each agent needs to present a trusted certificate to the central computer that monitors the agent. You must install agent certificates in the NetIQ Security Manager container of the Local Computer certificate store on each agent computer.

Agent certificates should include the Client Authentication EKU, object identifier (OID) 1.3.6.1.5.5.7.3.2, and must be trusted by the central computer. You can establish trust by placing all issuer certificates from the certificate chain of the agent certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store on the central computer.

NOTE:

  • You can install the agent authentication certificate by logging directly into the agent computer using an account that is a member of the local Administrators group or by remotely deploying the certificate to one or more agent computers, depending on your environment and PKI.

  • If you have multiple certificates with the Client Authentication EKU stored in the NetIQ Security Manager container in the Local Computer certificate store, Agent Manager uses the first valid certificate and ignores any additional certificates. To select a specific certificate, set the CertificateSubjectName value described in Section B.3.6, Customizing Certificate Usage.

  • You can configure agent computers to search other certificate stores and locations for certificates, if required by your PKI. For more information about configuring certificate stores, see Section B.3.6, Customizing Certificate Usage.

  • If the agent is configured to use an authentication certificate and is unable to access the associated private key, the agent service fails to start and the agent computer generates an event 21334 in the Application event log.

To issue and install agent authentication certificates:

  1. If you have not configured a certificate authority for your environment, establish a certificate authority (CA) to issue agent authentication certificates. Ensure your certificate authority can issue agent computer certificates that meet all authentication requirements. For more information about certificate requirements, see Section B.3.1, Certificate Requirements.

    NOTE:

    • If all agents and central computers are internal to your company, NetIQ recommends you use a local CA. If any Agent Manager computers are hosted externally, you should purchase a commercial certificate.

    • You can use Microsoft Certificate Services or another CA to issue certificates, as configured in your environment.

  2. Use your certificate authority to issue one or more agent computer certificates.

  3. Install the agent computer certificate in the NetIQ Security Manager container of the Local Computer certificate store on the agent computer.

  4. If the issuer certificate for the agent certificate is not already installed on the agent, install the issuer certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store.

  5. Repeat Step 3 and Step 4 on each agent computer where you want to configure authentication.

  6. If the issuer certificate for the agent certificate is not already installed on the central computer that monitors the agents you want to authenticate, install the issuer certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store of the central computer.

B.3.3 Issuing and Installing central computer Authentication Certificates

If you want to configure authentication for Agent Manager central computers, each central computer needs to present a trusted certificate to all monitored agent computers. You must install central computer certificates in the LocalMachine > NetIQ Security Manager certificate store on each central computer.

Central computer certificates should include the Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1, and must be trusted by all monitored agent computers. You can establish trust by placing all issuer certificates from the certificate chain of the central computer certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store on each monitored agent computer.

NOTE:

  • You can install the central computer authentication certificate by logging directly into the central computer using an account that is a member of the local Administrators group or by remotely deploying the certificate to one or more central computers, depending on your environment and PKI.

  • If you have multiple certificates with the Server Authentication EKU stored in the NetIQ Security Manager container in the Local Computer certificate store, Agent Manager uses the first valid certificate and ignores any additional certificates.

  • You can configure central computers to search other certificate stores and locations for certificates, if required by your PKI. For more information about configuring certificate stores, see Section B.3.6, Customizing Certificate Usage.

  • If you configure central computer authentication and do not establish trust with all monitored agents, your agents cannot communicate with the untrusted central computer.

To issue and install central computer authentication certificates:

  1. If you have not configured a certificate authority for your environment, establish a certificate authority (CA) to issue central computer authentication certificates. Ensure your certificate authority can issue central computer certificates that meet all authentication requirements. For more information about certificate requirements, see Section B.3.1, Certificate Requirements.

    NOTE: You can use Microsoft Certificate Services or another CA to issue certificates, as configured in your environment.

  2. Use your certificate authority to issue one or more central computer certificates.

  3. Install the central computer certificate in the NetIQ Security Manager container of the Local Computer certificate store on the central computer.

  4. If the issuer certificate for the central computer certificate is not already installed on the central computer, install the issuer certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store.

  5. Repeat Step 2 through Step 4 on each central computer where you want to configure authentication.

  6. If the issuer certificate for the central computer certificate is not already installed on an agent computer that must authenticate the central computer, install the issuer certificate in the Trusted Root Certification Authorities container of the Local Computer certificate store of that agent computer.

  7. Repeat Step 6 on each monitored agent computer.
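
Steps 3 and 4 of Section B.3.2 and steps 3, 4, 6 and 7 of this section are the same operation with a different certificate and target computer. The PowerShell block below is an added example, not NetIQ's own tooling: it imports a PFX issued by your CA into the NetIQ Security Manager store and its issuer chain into Trusted Root Certification Authorities, both under LocalMachine, and refuses a certificate whose EKU does not match the role. It assumes PowerShell 5.1 or later in an elevated session; the file paths in the usage lines are placeholders and the function name is this example's own.

```powershell
# Added example, not NetIQ's code. Installs a certificate issued per Section B.3.1
# into the NetIQ Security Manager store on this computer and its issuing CA
# chain into Trusted Root Certification Authorities, both under LocalMachine.
# Assumptions: PowerShell 5.1 or later, elevated session; the .pfx/.cer paths in
# the usage lines are placeholders for files from your own CA.
using namespace System.Security.Cryptography.X509Certificates

function Install-AgentManagerCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,            # certificate plus private key
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string[]] $IssuerCertPaths = @(),                   # one .cer per CA in the chain
        [ValidateSet('Agent', 'CentralComputer')] [string] $Role = 'Agent',
        [string] $StoreName = 'NetIQ Security Manager'
    )
    # MachineKeySet puts the private key in the machine key container, where the
    # Agent Manager service can read it; PersistKeySet keeps the key after this
    # object is released. Without both, the service cannot open the key and the
    # agent logs event 21334 at start-up (Section B.3.2).
    $flags = [X509KeyStorageFlags]::MachineKeySet -bor [X509KeyStorageFlags]::PersistKeySet
    $cert = [X509Certificate2]::new($PfxPath, $PfxPassword, $flags)
    if (-not $cert.HasPrivateKey) { throw "$PfxPath contains no private key" }

    # Fail early if the EKU does not match the role this computer plays.
    $needed = if ($Role -eq 'Agent') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }
    $ekus = @($cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekus -notcontains $needed) { throw "$PfxPath lacks the EKU $needed required for role $Role" }

    # Opening a store name that does not yet exist with ReadWrite creates it.
    $store = [X509Store]::new($StoreName, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    $root = [X509Store]::new([StoreName]::Root, [StoreLocation]::LocalMachine)
    $root.Open([OpenFlags]::ReadWrite)
    try {
        foreach ($path in $IssuerCertPaths) {
            $issuer = [X509Certificate2]::new($path)
            # A CA certificate installed as a trust anchor must not carry a private key.
            if ($issuer.HasPrivateKey) { throw "$path carries a private key; not installing it as a trusted root" }
            $root.Add($issuer)     # no-op if already present
        }
    } finally { $root.Close() }
    return $cert.Thumbprint
}

# Usage on an agent (client-authentication certificate issued by your CA):
# $pw = Read-Host -AsSecureString 'PFX password'
# Install-AgentManagerCertificate -PfxPath 'C:\certs\agent01.pfx' -PfxPassword $pw `
#     -IssuerCertPaths 'C:\certs\corp-root.cer', 'C:\certs\corp-issuing.cer' -Role Agent
#
# Usage on a central computer: the same call with a server-authentication PFX and
# -Role CentralComputer. The same .cer files must also be added to the Root store
# of every monitored agent (steps 6 and 7 above).
```

For remote deployment, the same function can be run on each computer through PowerShell remoting, provided the PFX is delivered to the target first; do not pass the private key over the session as a plain string. The issuer-only import onto agents (steps 6 and 7 above) needs no PFX at all, only the .cer files.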

B.3.4 Enabling Agent Authentication

After creating and installing a valid certificate on your agent computers and installing the issuer certificate for the agent computer on the monitoring central computer, you can enable agent authentication on the central computer by editing the registry.

If you enable agent authentication, you restrict your central computer to only be able to communicate with agents that present valid, trusted Client Authentication certificates.

To enable agent authentication on a central computer:

  1. Log on to the central computer using an account that is a member of the local Administrators group.

  2. Update the following registry entry using the Registry Editor:

    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Consolidator\RequirePeerCerts = 1
    

    Where ConfigurationGroupName is the name of your configuration group.

    WARNING: Be careful when editing your Windows Registry. If there is an error in your registry, your computer may become nonfunctional. If an error occurs, you can restore the registry to its state when you last successfully started your computer. For more information about editing the registry, see the Help for the Windows Registry Editor.

  3. Open the Services Administrative Tool located in the Control Panel.

  4. In the Services pane, click Agent Manager Service.

  5. On the Action menu, click Restart.

  6. After the service restarts, close the Services Administrative Tool.

NOTE: If you want to enable agent authentication on a central computer that has a 64-bit version of Microsoft Windows installed, the key is located under Wow6432Node. Update the following registry entry instead using the Registry Editor:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Consolidator\RequirePeerCerts = 1

B.3.5 Enabling central computer Authentication

After creating and installing a valid certificate on your central computer and installing the issuer certificate for the central computer on all monitored agent computers, you can enable central computer authentication on your agents by editing the registry on each agent computer.

If you enable central computer authentication, you restrict your agent computers to only be able to communicate with a central computer that presents a valid, trusted Server Authentication certificate.

To enable central computer authentication on an agent computer:

  1. Log on to the agent computer using an account that is a member of the local Administrators group.

  2. Update the following registry entry using the Registry Editor:

    HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Agent\Consolidator\RequirePeerCerts = 1
    

    Where ConfigurationGroupName is the name of your configuration group.

    WARNING: Be careful when editing your Windows Registry. If there is an error in your registry, your computer may become nonfunctional. If an error occurs, you can restore the registry to its state when you last successfully started your computer. For more information about editing the registry, see the Help for the Windows Registry Editor.

  3. Open the Services Administrative Tool located in the Control Panel.

  4. In the Services pane, click Agent Manager Service.

  5. On the Action menu, click Restart.

  6. After the service restarts, close the Services Administrative Tool.

  7. Repeat Step 1 through Step 6 on each agent computer.

NOTE: If you want to enable central computer authentication on an agent computer that has a 64-bit version of Microsoft Windows installed, the key is located under Wow6432Node. Update the following registry entry instead using the Registry Editor:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Agent\Consolidator\RequirePeerCerts = 1

B.3.6 Customizing Certificate Usage

Agent Manager uses several registry values to configure the default certificate store location, certificate store name, certificate name, and names of trusted issuers. You can modify the following default registry values to configure how Agent Manager finds agent and central computer authentication certificates.

The agent registry values are in the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Agent\Consolidators

Where ConfigurationGroupName is the name of your current configuration group.

The central computer registry values are in the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Security Manager\Configurations\ConfigurationGroupName\Operations\Consolidator

Where ConfigurationGroupName is the name of your current configuration group.

WARNING: Be careful when editing your Windows Registry. If there is an error in your registry, your computer may become nonfunctional. If an error occurs, you can restore the registry to its state when you last successfully started your computer. For more information about editing the registry, see the Help for the Windows Registry Editor.

The registry values are as follows. Each entry lists the value name, its data type, its default value data, and its definition.

CertificateStoreLocation
  Registry Data Type: String
  Default Value Data: LocalMachine

  Specifies the location of the certificate store containing the agent or central computer authentication certificate. This property determines whether Agent Manager searches the local computer store, the current user store, or a service-specific store to find Agent Manager certificates. Possible values are LocalMachine, CurrentUser, or Service:ServiceName, where ServiceName is the name of the specific service.

CertificateStoreName
  Registry Data Type: String
  Default Value Data: NetIQ Security Manager

  Specifies the name of the certificate store containing the agent or central computer authentication certificate. Possible values are NetIQ Security Manager, My, Root, or CustomCertificateStoreName, where CustomCertificateStoreName is a customized certificate store you create.

CertificateSubjectName
  Registry Data Type: String
  Default Value Data: [EMPTY]

  Specifies the subject distinguished name of the specific agent or central computer authentication certificate to use. If empty, the agent uses the first valid certificate found with a Client Authentication EKU, and the central computer uses the first valid certificate found with a Server Authentication EKU. Set this value when the store holds more than one eligible certificate and a particular one must be used.

RequirePeerCerts
  Registry Data Type: DWORD
  Default Value Data: 0

  Specifies whether this computer requires its peer to present a valid, trusted authentication certificate when connecting: on a central computer, whether each agent must present a Client Authentication certificate; on an agent computer, whether the central computer must present a Server Authentication certificate. 0 disables the requirement; 1 enables it. When the requirement is enabled and the peer presents no certificate, or one this computer does not trust, the two computers cannot communicate. For more information about enabling authentication, see Section B.3.4, Enabling Agent Authentication and Section B.3.5, Enabling central computer Authentication.

TrustedIssuerSubjectNames
  Default Value Data: [EMPTY]

  Specifies a list of issuers Agent Manager trusts. Agent Manager uses this list when validating certificates. If you want to restrict Agent Manager to only trust certificates issued by certain issuers, specify a semicolon-separated list of the subject distinguished names of the certificate issuers you want to trust. For example, to trust only certificates issued by the Agent Manager Trusted Root certification authority, specify CN=NetIQ Agent Manager Trusted Root.
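
The registry edits of Sections B.3.4 and B.3.5 and the values listed in this section all live under the same key, so they can be read and set together. The block below is an added example and not NetIQ's own tooling. It resolves the key for this computer's role and the 32-bit or 64-bit registry view, reads the five values with the defaults from the table applied, and enables RequirePeerCerts with an optional TrustedIssuerSubjectNames allowlist before restarting the service. It assumes PowerShell 5.1 or later in an elevated session, and that the service display name is Agent Manager Service as shown in the Services tool in Sections B.3.4 and B.3.5; the function names and the configuration group name in the usage lines are this example's own.

```powershell
# Added example, not NetIQ's code: reads and sets the Agent Manager certificate
# values described in Sections B.3.4 to B.3.6, choosing the Wow6432Node view on
# 64-bit Windows and the agent or central computer subkey for this computer's role.
# Assumptions: elevated PowerShell 5.1 or later; the service display name
# 'Agent Manager Service' is the one shown in the Services tool in B.3.4/B.3.5.

function Get-AgentManagerAuthKeyPath {
    param(
        [Parameter(Mandatory)] [string] $ConfigurationGroupName,
        [Parameter(Mandatory)] [ValidateSet('Agent', 'CentralComputer')] [string] $Role
    )
    # A 64-bit process must address the 32-bit hive through Wow6432Node; a 32-bit
    # process is redirected there by Windows when it opens HKLM\SOFTWARE.
    $hive = if ([Environment]::Is64BitProcess) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    $base = "$hive\NetIQ\Security Manager\Configurations\$ConfigurationGroupName\Operations"
    if ($Role -eq 'Agent') {
        # The page names the agent subkey both Agent\Consolidator (B.3.5) and
        # Agent\Consolidators (B.3.6); use whichever exists on this computer.
        $candidates = @("$base\Agent\Consolidator", "$base\Agent\Consolidators")
    } else {
        $candidates = @("$base\Consolidator")
    }
    $found = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $found) { throw "No Agent Manager $Role key under $base; check the configuration group name" }
    return $found
}

function Get-AgentManagerAuthSettings {
    param(
        [Parameter(Mandatory)] [string] $ConfigurationGroupName,
        [Parameter(Mandatory)] [ValidateSet('Agent', 'CentralComputer')] [string] $Role
    )
    $key = Get-AgentManagerAuthKeyPath -ConfigurationGroupName $ConfigurationGroupName -Role $Role
    $p = Get-ItemProperty -LiteralPath $key
    # Absent values fall back to the defaults in the Section B.3.6 table.
    $location  = if ($p.CertificateStoreLocation) { $p.CertificateStoreLocation } else { 'LocalMachine' }
    $storeName = if ($p.CertificateStoreName) { $p.CertificateStoreName } else { 'NetIQ Security Manager' }
    [pscustomobject]@{
        KeyPath                   = $key
        CertificateStoreLocation  = $location
        CertificateStoreName      = $storeName
        CertificateSubjectName    = [string]$p.CertificateSubjectName
        RequirePeerCerts          = [int]$p.RequirePeerCerts          # absent means 0
        TrustedIssuerSubjectNames = @([string]$p.TrustedIssuerSubjectNames -split ';' | Where-Object { $_ })
    }
}

function Enable-AgentManagerPeerAuthentication {
    param(
        [Parameter(Mandatory)] [string] $ConfigurationGroupName,
        [Parameter(Mandatory)] [ValidateSet('Agent', 'CentralComputer')] [string] $Role,
        [string[]] $TrustedIssuerSubjectNames,   # optional allowlist of issuer subject DNs
        [switch] $RestartService
    )
    $settings = Get-AgentManagerAuthSettings -ConfigurationGroupName $ConfigurationGroupName -Role $Role
    # Issuer certificates must already be in LocalMachine\Root (Sections B.3.2 and
    # B.3.3): with RequirePeerCerts = 1 and no trusted issuer, the peer cannot connect.
    Set-ItemProperty -LiteralPath $settings.KeyPath -Name RequirePeerCerts -Value 1 -Type DWord
    if ($TrustedIssuerSubjectNames) {
        Set-ItemProperty -LiteralPath $settings.KeyPath -Name TrustedIssuerSubjectNames `
            -Value ($TrustedIssuerSubjectNames -join ';') -Type String
    }
    # The change takes effect only after the service restarts (step 5 in B.3.4/B.3.5).
    if ($RestartService) { Restart-Service -DisplayName 'Agent Manager Service' -Force }
    Get-AgentManagerAuthSettings -ConfigurationGroupName $ConfigurationGroupName -Role $Role
}

# Usage on a central computer (enables agent authentication, Section B.3.4):
# Enable-AgentManagerPeerAuthentication -ConfigurationGroupName 'ConfigGroup01' -Role CentralComputer -RestartService
# Usage on each agent (enables central computer authentication, Section B.3.5):
# Enable-AgentManagerPeerAuthentication -ConfigurationGroupName 'ConfigGroup01' -Role Agent -RestartService
```

Call Get-AgentManagerAuthSettings first on a computer where communication fails: a RequirePeerCerts of 1 paired with a CertificateStoreName or CertificateSubjectName that does not match what is actually installed explains most of the failures described in Section B.3.8.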

B.3.7 Verifying Authenticated Communication

The devices view in the Sentinel Web console shows the authentication status of agents in the Authentication Mode and Authenticated columns. Authenticated shows Yes when authentication of the device is required and the device has authenticated successfully.

Authentication mode displays one of the following values:

Not Applicable

The value shown for the central computer itself, because a central computer does not authenticate to itself.

Agent Authenticates Central Computer

The value when the agent requires the central computer to present a certificate (RequirePeerCerts is set on the agent, see Section B.3.5), but the central computer does not require one from the agent.

Central Computer Authenticates Agent

The value when the central computer requires the agent to present a certificate (RequirePeerCerts is set on the central computer, see Section B.3.4), but the agent does not require one from the central computer.

Mutual Authentication

The value when both the agent computer and the central computer require authentication.

Authentication not required

The value when neither the agent nor the central computer requires authentication.

B.3.8 Troubleshooting Authentication Problems

If one or more agents and central computers cannot communicate, you may not have configured authentication correctly. If an agent or central computer does not present a certificate, presents an invalid certificate, or presents a certificate issued by an untrusted certificate issuer, Agent Manager cannot enable authenticated communication.

An authentication error is not the only possible cause of faulty communication between an agent and a central computer. Other network, software, and hardware problems can also cause the failure of communication between agents and central computers. Before you attempt to correct authentication problems, verify that the communication problem is actually caused by an authentication error.

If the error occurred because a computer was offline when a certificate was presented, the central computer and agent computer automatically present certificates to one another again, as applicable to your configuration, at the next communication attempt.

Verifying Authentication Certificates

After ruling out network, software, and hardware problems as the cause of faulty communication between one or more agents and central computers, ensure all agent and central computer authentication certificates are valid and are installed in the NetIQ Security Manager container of the Local Computer certificate store.

To verify an authentication certificate:

  1. Log on to the agent or central computer using an account that is a member of the local Administrators group.

  2. Start Microsoft Management Console.

  3. On the File menu in the Console window, click Add/Remove Snap-in.

  4. Click Add.

  5. Select Certificates.

  6. Click Add.

  7. Select Computer account.

  8. Click Next.

  9. Select Local computer (the computer this console is running on).

  10. Click Finish.

  11. Click Close.

  12. Click OK.

  13. On the File menu, click Save.

  14. Specify a location on the computer for the .msc file and click Save.

  15. In the left pane of the Console window, expand Certificates (Local Computer) > NetIQ Security Manager.

  16. In the left pane, click Certificates.

  17. If the Certificates folder is missing or does not contain an authentication certificate, issue and install a new agent or central computer authentication certificate.

    For more information about installing agent authentication certificates, see Section B.3.2, Issuing and Installing Agent Authentication Certificates. For more information about installing central computer authentication certificates, see Section B.3.3, Issuing and Installing central computer Authentication Certificates.

    NOTE: By default, the NetIQ Security Manager container of the Local Computer certificate store on the central computer contains the self-signed certificate NetIQ Security Manager Server, which Agent Manager uses to enable communication between the central computer and agents. This default certificate is not a Server Authentication certificate.

  18. If the Certificates folder contains an authentication certificate, complete the following steps:

    1. In the right pane, double-click the authentication certificate.

    2. On the General tab, ensure the certificate details are correct and that the certificate has a corresponding private key.

    3. Click the Certification Path tab.

    4. If the certificate status is This certificate is OK, click OK.

    5. If the certificate status is not This certificate is OK, re-issue and install a new agent or central computer authentication certificate. For more information about installing agent authentication certificates, see Section B.3.2, Issuing and Installing Agent Authentication Certificates. For more information about installing central computer authentication certificates, see Section B.3.3, Issuing and Installing central computer Authentication Certificates.

  19. Close the Microsoft Management Console.

Verifying Trust of the Certificate Issuer

If the authentication certificate installed on your agent or central computer is valid, ensure the computer to which the agent or central computer presents a certificate trusts the certificate issuer. The issuer certificate must be installed in the Trusted Root Certification Authorities container of the Local Computer certificate store on the authenticating computer.

To verify an authenticating computer trusts a certificate issuer:

  1. Log on to the authenticating agent or central computer using an account that is a member of the local Administrators group.

  2. Start Microsoft Management Console.

  3. On the File menu in the Console window, click Add/Remove Snap-in.

  4. Click Add.

  5. Select Certificates.

  6. Click Add.

  7. Select Computer account.

  8. Click Next.

  9. Select Local computer (the computer this console is running on).

  10. Click Finish.

  11. Click Close.

  12. Click OK.

  13. On the File menu, click Save.

  14. Specify a location on the computer for the .msc file and click Save.

  15. In the left pane of the Console window, expand Certificates (Local Computer) > Trusted Root Certification Authorities.

  16. In the left pane, click Certificates.

  17. If the Certificates folder does not contain the issuer certificate, install the certificate chain for the authentication certificate issuer in the Trusted Root Certification Authorities container.

  18. If the Certificates folder contains the issuer certificate, complete the following steps:

    1. In the right pane, double-click the issuer certificate.

    2. On the General tab, ensure the issuer certificate details are correct.

    3. Click the Certification Path tab.

    4. If the certificate status is This certificate is OK, click OK.

    5. If the certificate status is not This certificate is OK, re-install the certificate chain for the authentication certificate issuer in the Trusted Root Certification Authorities container.

  19. Close the Microsoft Management Console.
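
The two MMC procedures above can be scripted. The block below is an added example, not from the NetIQ documentation. For each certificate in the NetIQ Security Manager store it checks the EKU required for the computer's role, the presence of a private key, whether the certification path builds (the Certification Path tab check), and whether every issuer in that path is present in Trusted Root Certification Authorities on this computer. It assumes an elevated PowerShell 5.1 or later session on the computer being checked and the default store name; the function name is this example's own. The default self-signed NetIQ Security Manager Server certificate noted above is listed as well and reports a missing EKU, which is expected.

```powershell
# Added example, not NetIQ's code: a scripted form of the two MMC checks above.
# For each certificate in the Agent Manager store it reports the Section B.3.1
# EKU, whether a private key is present, whether the chain builds, and which
# issuers in that chain are missing from Trusted Root Certification Authorities.
# Assumptions: run elevated on the computer being checked; default store name
# 'NetIQ Security Manager'. Self-signed entries (such as the default
# 'NetIQ Security Manager Server' certificate) are flagged as SelfSigned.
using namespace System.Security.Cryptography.X509Certificates

function Test-AgentManagerCertificateTrust {
    param(
        [ValidateSet('Agent', 'CentralComputer')] [string] $Role = 'Agent',
        [string] $StoreName = 'NetIQ Security Manager'
    )
    # Agents present Client Authentication, central computers Server Authentication.
    $requiredEku = if ($Role -eq 'Agent') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }
    $rootThumbprints = @((Get-ChildItem 'Cert:\LocalMachine\Root').Thumbprint)

    foreach ($cert in @(Get-ChildItem "Cert:\LocalMachine\$StoreName")) {
        $ekus = @($cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
                  ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        # Build the chain the way the Certification Path tab does, without
        # revocation checking, so an unreachable CRL does not mask a trust problem.
        $chain = [X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        $builds = $chain.Build($cert)
        $statusText = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # Everything above the leaf is an issuer; each must sit in LocalMachine\Root.
        $issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
        $missing = @($issuers | Where-Object { $rootThumbprints -notcontains $_.Thumbprint } |
                     ForEach-Object { $_.Subject })
        $chain.Reset()

        $problems = @()
        if ($ekus -notcontains $requiredEku) { $problems += "missing EKU $requiredEku" }
        if (-not $cert.HasPrivateKey)        { $problems += 'no private key' }
        if (-not $builds)                    { $problems += "chain: $statusText" }
        if ($missing.Count -gt 0)            { $problems += "issuers not in Root: $($missing -join '; ')" }
        if ($cert.NotAfter -lt (Get-Date))   { $problems += 'expired' }
        $verdict = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)
            HasRequiredEku   = ($ekus -contains $requiredEku)
            ChainBuilds      = $builds
            ChainStatus      = $statusText
            IssuersNotInRoot = $missing
            Verdict          = $verdict
        }
    }
}

# Usage: on an agent, check its client-authentication certificate.
Test-AgentManagerCertificateTrust -Role Agent | Format-List
```

Run the same function with -Role CentralComputer on a central computer. Note that this checks trust on the computer that holds the certificate; the peer that receives it must trust the same issuers, so repeat the Root store check (the IssuersNotInRoot part) on the authenticating computer as well.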

Updating Security Settings for SQL Connection

To update the security settings for the SQL connection from Sentinel to the Agent Manager database:

  1. In the Local Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

  2. Select the following security policies and change the security setting to Require 128-bit encryption:

    • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

    • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
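
The same two policies can be set and verified from PowerShell, which is useful when the change has to be applied to several computers or audited afterwards. The block below is an added example rather than part of the page. It writes the NtlmMinClientSec and NtlmMinServerSec values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 that the Local Group Policy Editor setting maps to, and it assumes that the 0x20000000 bit is the "Require 128-bit encryption" flag; the function names are this example's own.

```powershell
# Added example, not part of the page: scripted form of the two Security Options
# above. The policies map to the NtlmMinClientSec and NtlmMinServerSec values
# under the MSV1_0 key; 'Require 128-bit encryption' is taken to be the
# 0x20000000 flag (assumption stated in the lead-in). Run elevated.
$Msv10Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Require128Bit = 0x20000000
$NtlmMinValues = 'NtlmMinClientSec', 'NtlmMinServerSec'

function Get-NtlmMinimumSessionSecurity {
    $p = Get-ItemProperty -LiteralPath $Msv10Key
    foreach ($name in $NtlmMinValues) {
        $v = [int]$p.$name     # an absent value means no minimum is enforced
        [pscustomobject]@{
            Name           = $name
            Flags          = ('0x{0:X8}' -f $v)
            Requires128Bit = (($v -band $Require128Bit) -ne 0)
        }
    }
}

function Set-NtlmRequire128BitEncryption {
    # OR the flag in rather than overwriting, so other minimums already set by
    # policy (for example NTLMv2 session security) are preserved.
    foreach ($name in $NtlmMinValues) {
        $current = [int](Get-ItemProperty -LiteralPath $Msv10Key).$name
        Set-ItemProperty -LiteralPath $Msv10Key -Name $name -Value ($current -bor $Require128Bit) -Type DWord
    }
    Get-NtlmMinimumSessionSecurity
}

# Usage: show the current state, then enforce 128-bit encryption for both.
# Get-NtlmMinimumSessionSecurity
# Set-NtlmRequire128BitEncryption
```

The new minimum applies to NTLM sessions established after the change, so reconnect Sentinel to the Agent Manager database afterwards. If the computer receives these settings from a domain Group Policy, that policy overrides the local values and must be changed there instead.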