Matrix42 Self-Service Help Center

SSL Configuration

Configuring SSL

To ensure secure data transmission between the EgoSecure components (Agent, Console and Server), the connection can use TLS, the successor of the SSL encryption protocol.

Version information

  • TLS versions: 1.0/1.1/1.2/1.3
  • OpenSSL version: 1.0.2n

Only exportable certificates are compatible.

Enabling SSL and distributing certificates

To use SSL in the company, the certificates must be generated either in the EgoSecure Console or with your own utility. Three types of certificates can be stored in the EgoSecure database, and the way of distribution depends on the selected type (see the options below):

Certificate type

  • EgoSecure certificates with their private keys
  • NOT EgoSecure certificates with private keys
  • NOT EgoSecure certificates without private keys

Option 1: Update Agents to 13.3 (or higher) and install certificates via Console

  • Provide the certificates with their private keys to the Server database:
    • Using EgoSecure certificates: Under Administration | Administrator | SSL configuration, click Create and then click Generate all certificates. To automatically renew the EgoSecure certificates, enable the Automatically renew certificates x days before expiration option.
    • Using NOT EgoSecure certificates: Under Administration | Administrator | SSL configuration, select a component and click Import to browse for a certificate with its private key. Repeat this step for all components (Agent, Server, Console).
  • Under Administration | Administrator | SSL configuration, enable the Enable SSL and Allow communication without SSL check boxes.
  • Click Save.
  • Go to Installation | EgoSecure agents | Install/Update.
  • Select the Agents by holding down Ctrl and clicking the rows. Do not use the check boxes.
  • Right-click one entry and select Install certificate from the context menu.
  • Certificate distribution and installation starts.
  • To install certificates on offline Agents, use the polling mode; the certificates are installed once the Agent connects to the Server.
  • Once the installation finishes, check in the Info column whether the certificate was installed successfully.
  • Once all certificates are distributed to Agents, disable the Allow communication without SSL option.

Option 2: Generate MSI with an authentication certificate and private key and reinstall or update Agents

  • Provide the certificates with their private keys to the Server database:
    • Using EgoSecure certificates: Under Administration | Administrator | SSL configuration, click Create and then click Generate all certificates. To automatically renew the EgoSecure certificates, enable the Automatically renew certificates x days before expiration option.
    • Using NOT EgoSecure certificates: Under Administration | Administrator | SSL configuration, select a component and click Import to browse for a certificate with its private key. Repeat this step for all components (Agent, Server, Console).
  • Under Administration | Administrator | SSL configuration, enable the Enable SSL check box.
  • Click Save.
  • Go to Installation | EgoSecure agents | Create MSI package.
  • Check the option Add authentication certificate and define a password to protect the Agent authentication certificate and its private key (use only printable characters from the ASCII table for the password).
  • Click Generate to generate the MSI package.
  • If this is a first installation, install the Agents. If Agents are already installed, reinstall them via the Console or perform the update locally or via software distribution tools.

Update via Console: When updating Agents via the Console, the certificate with its private key is not installed. Therefore, make sure to uninstall the existing Agents and install new ones.

  • Local Agent installation/update: The password defined in step 5 must be entered manually in the dialog that appears during installation.
  • Remote Agent installation via Console: The password is transferred to the Agent in encrypted form and is applied automatically. It does not need to be entered manually on the Agent side.
  • Remote Agent installation/update via script/software enrollment tools: Write the password directly into the script via the PKCS12_PASS="" property. The password is transferred to the Agents in unencrypted form. E.g.: msiexec /fvamus ESAgentSetup_x64.msi PKCS12_PASS="mypassword"

Option 3: Distribute certificates, update Agents to 13.3 (or higher) and provide certificates information to EgoSecure

  • Prepare certificates for distribution:
    • Using EgoSecure certificates: generate certificates in the Console and then export them under Administration | Administrator | SSL configuration. To automatically renew the EgoSecure certificates, enable the Automatically renew certificates x days before expiration option.
    • Using NOT EgoSecure certificates: omit this step.
  • Distribute certificates to Server, Agents and Console manually or via special tools for automatic certificate distribution.
  • Provide the data for EgoSecure to identify the certificates:
    • Using EgoSecure certificates: omit this step.
    • Using NOT EgoSecure certificates: provide the certificates without their private keys via one of the following options:
      • Option 1: import certificates for all components. Select the component from the list and click Import. In the Import certificate dialog, click Browse to select a certificate. Click OK.
      • Option 2: select certificates from the local store for all components. On the computer where the Console is launched, import the Agent and Server certificates into the local computer store (e.g., via mmc). In the Console, select the component (Agent, Server or Console) and click Select. In the Windows Security dialog, click More choices to expand the list. Select the installed certificate.
  • Under Administration | Administrator | SSL configuration, enable the Enable SSL and Allow communication without SSL check boxes.
  • Click Save.
  • Update Agents to at least 13.3.
  • Once all Agents are updated and all certificates are distributed to all components, disable the Allow communication without SSL option.
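For the manual distribution step and the "select certificates from the local store" option of Option 3 (importing into the local computer store via mmc), the same import can be scripted. The following is an added example and not EgoSecure's own tooling: it imports either a PFX (certificate plus private key) on the machine that owns the certificate, or a public certificate (.cer/.crt) on the Console computer so that it can be picked with Select under SSL configuration. The file paths, the store Cert:\LocalMachine\My and the function name are assumptions; the page does not state where the EgoSecure Agent looks for its certificate, so check that against your environment.

```powershell
# Added example, not part of the EgoSecure documentation.
# Imports a component certificate into the local computer store and sanity-checks the result.
function Import-ComponentCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [securestring] $PfxPassword,                 # required only for .pfx files
        [string] $StoreLocation = 'Cert:\LocalMachine\My'   # assumption, adjust if needed
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Certificate file not found: $Path" }

    $cert = switch ([IO.Path]::GetExtension($Path).ToLowerInvariant()) {
        '.pfx' {
            if (-not $PfxPassword) { throw 'A PFX password is required.' }
            # -Exportable keeps the private key exportable; the page states that only
            # exportable certificates are compatible.
            Import-PfxCertificate -FilePath $Path -CertStoreLocation $StoreLocation `
                -Password $PfxPassword -Exportable
        }
        { $_ -in '.cer', '.crt' } {
            # Public certificate only (no private key), e.g. for the Console's Select step.
            Import-Certificate -FilePath $Path -CertStoreLocation $StoreLocation
        }
        default { throw "Unsupported certificate file type: $_" }
    }

    # Checks before the certificate is referenced in the Console.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) is already expired ($($cert.NotAfter))."
    }
    if ($Path -like '*.pfx' -and -not $cert.HasPrivateKey) {
        throw "PFX import of $($cert.Thumbprint) did not yield a private key."
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        Store         = $StoreLocation
    }
}

# Usage with placeholder paths; the PFX password is prompted for instead of hard-coded.
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Import-ComponentCertificate -Path 'C:\certs\ESServer.pfx' -PfxPassword $pw
# Import-ComponentCertificate -Path 'C:\certs\ESAgent.cer'
```

The thumbprint the function returns is what you compare against the certificate shown in the Console after clicking Select, so that the Console and the component end up referencing the same certificate.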

Option 4: Generate certificates during Server installation, provide certificates information to EgoSecure and install Agents

  • On the SSL and certificates step of the Server InstallShield Wizard, check Enable SSL.
  • The SSL and certificates step is not shown if the specified database already contains the EgoSecure password for protecting the authentication certificates and their private keys.
  • Check the Add authentication certificates with private keys to MSI box and define a password to protect the Agent authentication certificates.
  • Click Next and finish the EgoSecure Server installation. For details about the EgoSecure Server installation, see the EgoSecure Installation Guide.
  • Provide the certificates with their private keys to the Server database:
    • Using EgoSecure certificates: certificates are generated automatically shortly after the EgoSecure Server starts. To automatically renew the EgoSecure certificates, enable the Automatically renew certificates x days before expiration option.
    • Using NOT EgoSecure certificates: In Console, under Administration | Administrator | SSL configuration, select a component and click Import to browse for a certificate with its private key. Repeat this step for all components (Agent, Server, Console).
  • Go to Installation | EgoSecure agents | Create MSI package.
  • Click Generate to generate the MSI package.
  • Install Agents.
    • Local Agent installation: The password defined in step 2 must be entered manually in the dialog that appears during installation.
    • Remote Agent installation via Console: The password is transferred to the Agent in encrypted form and is applied automatically. It does not need to be entered manually on the Agent side.
    • Remote Agent installation via script/software enrollment tools: Write the password directly into the script via the PKCS12_PASS="" property. The password is transferred to the Agents in unencrypted form. E.g.: msiexec /fvamus ESAgentSetup_x64.msi PKCS12_PASS="mypassword"
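The scripted installation path of Option 2 and Option 4 is usually wrapped in a deployment script rather than typed as a single msiexec line. The following is an added example, not part of the EgoSecure documentation: it passes the password through the PKCS12_PASS property exactly as the page's msiexec example does, writes a verbose MSI log and evaluates the msiexec exit code so that the software distribution tool can report failures. The MSI name ESAgentSetup_x64.msi comes from the page; the parameter names, the log location and the assumption that the password is handed in by the deployment tool are mine.

```powershell
# Added example, not part of the EgoSecure documentation.
# Installs or updates the Agent with the PKCS12_PASS property. The page states that this
# property reaches the Agent unencrypted, so the script and its parameters are secret material.
param(
    [string] $MsiPath = (Join-Path (Get-Location) 'ESAgentSetup_x64.msi'),
    [Parameter(Mandatory)] [string] $Pkcs12Password,
    [switch] $Update    # existing Agent: use msiexec /fvamus (as on the page) instead of /i
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath"
}
# The page allows only printable ASCII characters in this password.
if ($Pkcs12Password -notmatch '^[\x20-\x7E]+$') {
    throw 'PKCS12_PASS may contain printable ASCII characters only.'
}

$logPath = Join-Path $env:TEMP 'ESAgentSetup.log'
$mode    = if ($Update) { '/fvamus' } else { '/i' }
$arguments = @(
    $mode,
    "`"$MsiPath`"",
    "PKCS12_PASS=`"$Pkcs12Password`"",   # MSI property syntax: no space around '='
    '/l*v', "`"$logPath`""               # verbose log for troubleshooting
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host "Agent setup finished; log: $logPath" }
    3010    { Write-Warning "Agent setup finished, reboot required; log: $logPath" }
    default { throw "msiexec exited with code $($proc.ExitCode); see $logPath" }
}
```

Because the property value is plain text on the command line, the script file and any job definition that carries the password should be readable only by the deployment account; the verbose log written with /l*v may also contain property values, so restrict access to it in the same way.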

Enabling HTTPS server and connecting components 

Adding HTTPS server

  • Go to Administration | Servers | EgoSecure servers.
  • Click Add.
  • The Server Alias dialog appears.
  • In the Alias field, enter the server address according to the following template:
  • (optional) In the Primary IP-range field, define the IP addresses of the Agents that are permitted to connect to this Server. For details, see Assigning Server IP range.
  • In the Port field, type 7005.
  • Click OK.
  • The dialog closes.
  • Click Save.

Connecting Console to HTTPS server

  • Start the Console.
  • The Connect to EgoSecure Management Server dialog appears.
  • In the Server field, enter:
  • A green lock icon appears in the Server field. If no certificate is selected, a gray lock appears. If an invalid certificate is selected, a red lock appears.
  • If necessary, click the icon to select a certificate.
  • In the Port field, enter 7005.
  • Make sure that port 7005 is not blocked by the firewall and not used by another application. You can change the port in the AdminTool.
  • Enter login data and click OK.
  • The entered Login field data is remembered and will be offered for selection if the Save entered user logins check box is enabled in the Console under Administration | Superadmin | Console policies.
  • The Console opens.
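Before the Console or the Agents are pointed at the HTTPS server, the port (7005 on this page, or whatever was set in the AdminTool) should be checked from both sides. The following is an added example and not from the EgoSecure documentation: one function runs on the Server and reports which process owns the port and creates an inbound Windows Firewall rule if none exists; the other runs on a Console or Agent machine and performs a TCP reachability test. The server name, the function names and the firewall rule name are assumptions, not EgoSecure conventions.

```powershell
# Added example, not part of the EgoSecure documentation.

# Run on the Server: report what listens on the port and ensure an inbound firewall rule exists.
function Test-ServerPortLocal {
    param([int] $Port = 7005, [string] $RuleName = "EgoSecure HTTPS $Port")

    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Nothing is listening on TCP $Port; the EgoSecure Server may not be running or may use another port."
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        # If this is not the EgoSecure Server process, another application already uses the port.
        Write-Host ("TCP {0} is bound by PID {1} ({2})" -f $Port, $l.OwningProcess, $proc.ProcessName)
    }

    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow | Out-Null
        Write-Host "Created inbound firewall rule '$RuleName'."
    }
}

# Run on a Console or Agent machine: plain TCP reachability test to the Server.
function Test-ServerPortRemote {
    param([Parameter(Mandatory)] [string] $ServerHost, [int] $Port = 7005)

    $result = Test-NetConnection -ComputerName $ServerHost -Port $Port -WarningAction SilentlyContinue
    if (-not $result.TcpTestSucceeded) {
        throw "TCP connection to ${ServerHost}:${Port} failed; check the firewall and the port configured in the AdminTool."
    }
    Write-Host "TCP connection to ${ServerHost}:${Port} succeeded."
}

# Usage with a placeholder server name:
# Test-ServerPortLocal                                                  # on the Server
# Test-ServerPortRemote -ServerHost 'egosecure-server.example.local'    # on a client
```

A successful TCP test only shows that the port is reachable; whether the Console accepts the connection as secure is still indicated by the lock icon described above (green for a valid certificate, gray for none, red for an invalid one).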

Connecting Agents to HTTPS server

  • Go to Installation | EgoSecure agents | Install/Update.
  • Right-click an Agent. To select multiple Agents, hold down Ctrl and click.
  • From the context menu, select Favorite Management Server and select the HTTPS Server.
  • The Agent connects to the favorite Server first. If the favorite Server is not available, the Agent tries to connect to another Server in the following order:
    • The Server, for which the defined Agent IP range matches
    • The Server with the highest priority

Identifying client connections and updating certificates

Via the Console, you can verify that certificates are installed and valid on individual Clients. A distinction is made between archived (valid) certificates and expired (not valid) certificates:

  • Archived certificate: A valid certificate that was replaced with a new certificate. Such a certificate remains in the database. When an Agent with an archived certificate connects to the Server, the Server provides a new certificate to the Agent (if such a certificate with a private key exists in the Server database). If there is no certificate with a private key in the Server database, update the certificates on your own via software distribution tools and provide the certificate information to EgoSecure as described here.
  • Expired certificate: An invalid certificate that can no longer be used for communication. When an Agent with an expired certificate tries to connect to the Server, the connection fails. Use any of the ways described under Enabling SSL to replace expired certificates.

Under Installation | EgoSecure agents | Install/Update, client connections are marked with locks of different colors in the Last connected column. The lock icons have the following meanings:

  • Lock icon: Secure connection.
  • Lock icon: Secure connection that demands attention. The client has a valid but not up-to-date certificate, which must be replaced.
  • Lock icon: Connection is insecure. No certificate on the client side.
  • Lock icon: Connection is insecure. No certificate on the client side.
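The Console shows the certificate state per Agent, but the same classification (valid, needs replacement before it expires, expired) can be produced on a machine directly from its certificate store, which is useful for offline Agents or for feeding a monitoring job. The following is an added example and not EgoSecure's own tooling. It assumes the certificates are in Cert:\LocalMachine\My and can be recognised by a subject filter; the filter value, the function name and the 30-day threshold are placeholders, the threshold mirroring the Console's "Automatically renew certificates x days before expiration" option.

```powershell
# Added example, not part of the EgoSecure documentation.
# Classifies certificates in the local computer store as VALID, EXPIRING or EXPIRED.
function Get-CertificateStatus {
    param(
        [string] $SubjectFilter = '*EgoSecure*',   # placeholder; adjust to your certificate subjects
        [int] $WarnDays = 30,                       # mirrors "x days before expiration" in the Console
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumption; adjust if the certificates live elsewhere
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectFilter } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if ($daysLeft -lt 0)          { 'EXPIRED'  }
                      elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                      else                           { 'VALID'    }
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # a component certificate needs its private key
                NotAfter      = $_.NotAfter
                DaysLeft      = $daysLeft
                Status        = $status
            }
        }
}

# Usage: print the report, then exit non-zero if any certificate is expired so that a scheduled
# task or monitoring agent can raise an alert. EXPIRING certificates are the ones to replace now,
# before the Agent's connection starts failing.
$report = Get-CertificateStatus
$report | Sort-Object DaysLeft | Format-Table -AutoSize
if ($report | Where-Object Status -eq 'EXPIRED') { exit 2 }
```

An EXPIRING result corresponds to the "secure connection that demands attention" state in the Console, and an EXPIRED one to an Agent whose connection will fail; both should be handled with one of the ways described under Enabling SSL.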
