Universal Discovery Agent certificates

  • KM02794262
  • 17-May-2017
  • 08-Jun-2017

Archived Content: This information is no longer maintained and is provided "as is" for your convenience.

Summary

This article provides a more detailed look at the topic of Universal Discovery Agent certificates.

Question

Universal Discovery Agent certificates are files that provide encrypted communication between the Universal Discovery Agent and Data Flow Probe.
For each Universal Discovery Agent credential that is created, there is a corresponding pair of certificate files.
• Acstrust.cert. This file is the public certificate file of the Data Flow Probe.
• Agentca.pem. This file contains the public certificate and the private key of the Universal Discovery Agent.

They can only be exported and attached to agent media. The CN of these certificates is “Enterprise Discovery Server”. Some customers regard this as a security hole, together with the fact that the communication uses DES-CBC3-SHA cipher suites, which are classified as medium-strength ciphers. In their view, the CN should be the name of the server, or a CA-signed certificate should be used.

Caution! These files are critical in maintaining communication between the Data Flow Probe and the discovery nodes!

If you want to change the certificate files, you must uninstall the Universal Discovery Agents, create new credentials and perform Universal Discovery Agent deployment again.

Using Certificates:
In order for Data Flow Probes to use the same Universal Discovery Agent certificates in different domains, perform the following:
1. Select your credential in the Data Flow Probe Setup > Domains and Probes > Credentials pane.
2. Click the Copy selected credential to another domain button.


So, to some, the issue here is the following: when a new UDA credential is created in the DFM UI, UCMDB automatically creates the two certificate files mentioned above (“.pem” and “.cert”), and they can only be exported and attached to agent media. The CN of these certificates is “Enterprise Discovery Server”.

So what do I need to do in order to change the certificate itself, by generating a cert file through the openssl tool, and use it with the agent? Is it possible to regenerate a self-signed certificate for the UD agent with a proper CN?

The answer is that the CN of the UDA certificate is hardcoded, which is why it is always "Enterprise Server". However, from version 10.30 onwards, custom certificates can be used for the communication between the Probe and UD agents. In order to use this feature, an upgrade to 10.30 is required.
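As an added example (not from this article or the product), a small POSIX shell audit that reads an exported certificate file such as Acstrust.cert and reports whether it still carries the hardcoded default CN described above, and whether it expires within a given number of days. It assumes the openssl command-line tool is installed; the file paths are placeholders you supply.

```shell
#!/bin/sh
# Added audit helper for exported Universal Discovery Agent certificates.
# Assumes the openssl CLI is installed; paths passed in are placeholders.
# Reads the first PEM certificate in a file (Acstrust.cert, or Agentca.pem,
# which also carries the agent's private key) and reports two findings:
# the hardcoded default CN (default UD certs, not custom 10.30+ ones), and
# expiry within a chosen horizon (changing certs means agent redeployment).

DEFAULT_CN="Enterprise Discovery Server"   # hardcoded CN per the article

# Print the subject CN of the first certificate in a PEM file.
# RFC2253 formatting gives a stable "subject=CN=...,O=..." layout across versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed (exit 0) when the certificate still carries the default CN.
uses_default_cn() {
    [ "$(cert_cn "$1")" = "$DEFAULT_CN" ]
}

# Succeed (exit 0) when the certificate expires within $2 days.
# openssl -checkend returns 0 only if the cert is still valid at now+seconds.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print a short report and return the number of findings (0 = clean, 2 = unreadable).
audit_cert() {
    cert="$1"; horizon="${2:-90}"; findings=0
    cn="$(cert_cn "$cert")"
    if [ -z "$cn" ]; then
        echo "$cert: not a readable PEM certificate"; return 2
    fi
    echo "$cert: CN=$cn"
    if uses_default_cn "$cert"; then
        echo "  FINDING: default hardcoded CN in use (custom certificates require 10.30+)"
        findings=$((findings + 1))
    fi
    if expires_within_days "$cert" "$horizon"; then
        echo "  FINDING: certificate expires within $horizon days; plan agent redeployment"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it as `audit_cert /path/to/Acstrust.cert 90`; a non-zero exit code means at least one finding, so it can be chained into a periodic check.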

For additional information on this topic, refer to the version 10.30 Hardening Guide, page 115.