Enabling certificate verification between the Flow Server and Agent processes when communicating over SSL.
The following procedure describes how to make the agent accept connections only from hosts that present a certificate signed by a private certificate authority (CA).
Assuming the following directories are set up to point to wherever the Flow server is actually installed:
- Copy ssl-ca.conf into %CADIR%
  Update the values in the root_ca_distinguished_name section of ssl-ca.conf to reflect the organization's name.
- Initialize the CA
  If "touch" is not available, just create an empty index file. To do this from the Windows command prompt:
- Generate a new self-signed server certificate
  This command prompts for a number of values, which must be set appropriately for the organization.
- Sign the server certificate with the CA key
- Import the CA certificate and signed server certificate into the keystore
- Restart the server
- Add the private CA certificate to the trusted CA list for the agent
- Enable certificate verification in the agent
  Edit %DATADIR%\conf\agent.conf to contain the following (update paths as necessary):
- Restart the agent
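The whole procedure, worked end to end as an added example (this is not the product's own script): a private CA with an ssl-ca.conf-style config, index file and serial, a server certificate signed by that CA with `openssl ca`, and the trust decision the agent makes once verification is enabled. The organization name, the hostname flow.example.internal, the directory layout under a temporary directory and the store password `changeit` are assumptions for the demo. One technique is swapped in: instead of the keytool imports the steps above use, the server key, signed certificate and CA certificate are bundled into a PKCS#12 file, which keytool can read as a keystore (`-storetype PKCS12`).

```shell
#!/bin/sh
# Added example (not the product's own scripts): a private CA built the way the
# steps above describe, a server certificate signed by it, and the trust check
# the agent makes once verification is enabled. Paths, names, the hostname
# flow.example.internal and the store password are assumptions for the demo.
set -eu

make_private_ca() {   # $1 = working dir; creates $1/ca with config, index and serial
  ca="$1/ca"
  mkdir -p "$ca/newcerts"
  : > "$ca/index.txt"                 # empty CA database (what "touch" does on Unix)
  echo 01 > "$ca/serial"
  # ssl-ca.conf equivalent; $dir is left for OpenSSL to expand, $ca is expanded now
  cat > "$ca/ssl-ca.conf" <<EOF
[ ca ]
default_ca = private_ca
[ private_ca ]
dir            = $ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = 825
policy         = policy_match
unique_subject = no
[ policy_match ]
organizationName = match
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = root_ca_distinguished_name
x509_extensions    = v3_ca
[ root_ca_distinguished_name ]
O  = Example Org
CN = Example Org Private CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root: this is the certificate the agent will be told to trust
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$ca/ssl-ca.conf" -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = working dir, $2 = server hostname
  ca="$1/ca"; out="$1/server"; mkdir -p "$out"
  # Server key and CSR; the O must equal the CA's O because of policy_match
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca/ssl-ca.conf" \
    -subj "/O=Example Org/CN=$2" -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  # Leaf extensions: SAN so hostname checks pass, and explicitly not a CA
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$2" > "$out/server.ext"
  # Sign with the CA key; openssl ca records the issued certificate in index.txt
  openssl ca -batch -notext -config "$ca/ssl-ca.conf" -extfile "$out/server.ext" \
    -in "$out/server.csr" -out "$out/server.crt" 2>/dev/null
}

make_rogue_cert() {   # $1 = working dir, $2 = hostname to imitate; self-signed by an unknown party
  out="$1/rogue"; mkdir -p "$out"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/ca/ssl-ca.conf" \
    -subj "/O=Somebody Else/CN=$2" -keyout "$out/rogue.key" -out "$out/rogue.crt" 2>/dev/null
}

agent_accepts_peer() {   # $1 = trusted CA file, $2 = certificate the peer presented
  # The check the agent performs once verification is enabled: does the
  # presented certificate chain to the private CA, and nothing else?
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

export_keystore() {   # $1 = working dir, $2 = store password
  # Swapped-in technique: instead of keytool imports, bundle key, signed cert and
  # CA into a PKCS#12 file, which Java's keytool reads as a keystore (-storetype PKCS12)
  openssl pkcs12 -export -name flowserver -inkey "$1/server/server.key" -in "$1/server/server.crt" \
    -certfile "$1/ca/ca.crt" -passout "pass:$2" -out "$1/server/server.p12"
}

demo() {
  work=$(mktemp -d)
  make_private_ca "$work"
  issue_server_cert "$work" flow.example.internal
  make_rogue_cert "$work" flow.example.internal
  export_keystore "$work" changeit
  echo "signed server cert:  $(agent_accepts_peer "$work/ca/ca.crt" "$work/server/server.crt")"
  echo "rogue cert, same CN: $(agent_accepts_peer "$work/ca/ca.crt" "$work/rogue/rogue.crt")"
  rm -rf "$work"
}
demo
```

The point of the last two lines of `demo` is the one the procedure exists for: the rogue certificate carries exactly the same hostname as the real server, and the only reason the agent rejects it is that it does not chain to the CA file listed in agent.conf. The same check also rejects the real server certificate when the trusted file is anything other than the private CA, so a wrong path in the agent's trusted CA list shows up as the agent refusing the server rather than silently accepting everything.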