B.2 Understanding Authenticated Communication

Agent Manager uses the self-signed certificate created during installation of the central computer to secure communication between the central computer and its agents. By default, agent computers do not present certificates of their own to the central computer. The default configuration therefore encrypts traffic but does not authenticate either party against a trusted PKI; authentication requires the additional certificates and settings described below.

Agent Manager supports the cipher suites available through the Windows SChannel security package, including suites based on the Advanced Encryption Standard (AES), a U.S. government standard. Because SChannel is part of the operating system, the cipher suites actually offered during a handshake are determined by the Windows configuration of each computer rather than by Agent Manager. Central computers and agents authenticate one another by validating client and/or server certificates, an industry-standard technique for establishing trust.

To enable authenticated communication, use your PKI to deploy and install trusted certificates on the central computer, agent computers, or both, depending on your environment. You can configure authenticated communication for any of the following scenarios:

  • You can enable agent authentication, so the central computer that monitors your agents communicates only with agent computers presenting valid, trusted certificates.

  • You can enable central computer authentication, so monitored agents communicate only with a central computer presenting a valid, trusted certificate.

  • You can enable mutual authentication, so agents communicate only with central computers presenting valid, trusted certificates, and central computers communicate only with agent computers presenting valid, trusted certificates.

After generating and installing trusted certificates on the agent computers, the central computer, or both, as the chosen scenario requires, modify the registry on each affected computer to configure the central computer authentication and agent authentication settings. For more information about modifying the registry to enable authentication, see Enabling Agent Authentication and Enabling Central Computer Authentication.

Authentication changes do not take effect until you restart the NetIQ Agent Manager service on the central computer and on every affected agent.

If you enable authentication between a central computer and an agent but the certificates on either side are missing, untrusted, expired, or otherwise misconfigured, communication fails in both directions:

  • The agent is unable to send a heartbeat to the central computer.

  • The central computer is unable to update the agent configuration.
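Before changing the registry and restarting the service, it is worth confirming that the certificate each computer will present actually satisfies the trust checks described above, because a bad certificate produces exactly the heartbeat and configuration-update failures listed. The following PowerShell script is an added example, not NetIQ's code or a documented Agent Manager tool. It assumes the PKI-issued certificate is installed in the LocalMachine\My store, takes the certificate subject and the service name as parameters because neither is stated on this page (the service name shown is a placeholder; confirm it with Get-Service), and treats the Server Authentication or Client Authentication EKU check as general TLS practice rather than a documented Agent Manager requirement.

```powershell
# Added example (not NetIQ's code): pre-flight checks on the certificate a central
# computer or agent will present once authentication is enabled, then an optional
# restart of the Agent Manager service so the change takes effect.
# Assumptions not stated on the page: store location, subject name, service name, EKU.
param(
    [string]$SubjectPattern = 'CN=agent01.example.com',  # assumed; use this host's certificate subject
    [string]$ServiceName    = 'NetIQ Agent Manager',      # assumed; confirm with Get-Service
    [ValidateSet('Server', 'Client')]
    [string]$Role           = 'Client',                   # 'Server' for the central computer, 'Client' for an agent
    [switch]$RestartService
)

function Test-AgentManagerCertificate {
    param([string]$SubjectPattern, [string]$Role)

    # Newest matching certificate in the machine store (the store SChannel uses for services).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Reason = "no certificate matching '$SubjectPattern' in LocalMachine\My" }
    }

    # Presenting a certificate in a TLS handshake requires the private key, not only the public part.
    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{ Ok = $false; Reason = "certificate $($cert.Thumbprint) has no private key" }
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        return [pscustomobject]@{ Ok = $false; Reason = "certificate $($cert.Thumbprint) is outside its validity period" }
    }

    # EKU check: general TLS practice, assumed here rather than documented for Agent Manager.
    $requiredOid = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $requiredOid) {
        return [pscustomobject]@{ Ok = $false; Reason = "certificate $($cert.Thumbprint) lacks the $Role Authentication EKU ($requiredOid)" }
    }

    # Build the chain the way the peer will: against this machine's trusted roots, with
    # revocation checking. The install-time self-signed certificate fails here unless its
    # issuer is in Trusted Root Certification Authorities, which is what 'trusted' means above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Ok = $false; Reason = "chain for $($cert.Thumbprint) does not build: $status" }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    return [pscustomobject]@{ Ok = $true; Reason = "certificate $($cert.Thumbprint) chains to trusted root '$root'"; Thumbprint = $cert.Thumbprint }
}

$result = Test-AgentManagerCertificate -SubjectPattern $SubjectPattern -Role $Role
Write-Host ("{0}: {1}" -f $(if ($result.Ok) { 'PASS' } else { 'FAIL' }), $result.Reason)
if (-not $result.Ok) {
    # Stop here: enabling authentication now would break heartbeats and configuration updates.
    exit 1
}

if ($RestartService) {
    # Authentication settings only take effect after the service restarts.
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } | Select-Object -First 1
    if (-not $svc) { Write-Warning "service '$ServiceName' not found; check Get-Service"; exit 1 }
    Restart-Service -Name $svc.Name -Force
    (Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "restarted '$($svc.DisplayName)'"
}
```

Run it with -Role Server on the central computer and -Role Client on each agent after the certificates are installed, and only add -RestartService once the check reports PASS on both ends of the connection; for mutual authentication, both sides must pass before either registry change is made.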