Symantec Certificate Intelligence Center (CIC) Installation Guide. Version Dec 2012


Symantec Certificate Intelligence Center (CIC) Installation Guide
Version Dec 2012
December 2012

Symantec Certificate Intelligence Center Installation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: CIC 2.0

Legal Notice

Copyright 2013 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our website at the following URL:

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan
- Europe, Middle-East, and Africa
- North America and Latin America

Contents

Technical Support

Chapter 1 About Certificate Intelligence Center management tools
  Certificate Intelligence Center features
  About sensor, agent, and cloud communications
  Integration with Managed PKI for SSL
  For more information

Chapter 2 Certificate Intelligence Center (CIC) checklist
  About the checklist

Chapter 3 Preparing to install
  Installation requirements
  System requirements for sensors
  System requirements for certificate automation
  Web browser requirements
  Firewalls, routers, and other devices
  Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  Proxies
  Deployment guidelines
  Sensor deployment options
  Automation configuration options

Chapter 4 Installing sensors
  About installing sensors
  Downloading the sensor files
  Sensor directory structure
  Before you install
  Installing the sensor on Linux
  Downloading and unpacking the sensor software
  Adding a license file
  Downloading the JCE policy files
  What's next?
  Installing the sensor as a virtual appliance
  Starting the sensor
  What's next?
  Configuring the sensor
  What's next?
  Scheduling scans and verifying results
  What's next?
  Stopping and starting a sensor
  Restarting a sensor
  Stopping a sensor
  Resuming a sensor
  Clearing and starting a stopped sensor
  Configuring a sensor through a proxy
  Uninstalling a sensor
  Updating a sensor

Chapter 5 Installing a local automation agent
  About local automation agents and certificate automation
  Downloading automation software
  Agent directory structure
  Installing a local automation agent
  Installing a local automation agent on a Linux host
  Installing a local automation agent on a Microsoft Windows host
  About local agent commands
  Starting the agent
  What's next?
  Activating IP addresses for automation
  What's next?
  Activating IP addresses from a file
  Verifying a local agent configuration
  What's next
  Stopping and restarting a local automation agent
  Restarting a local automation agent
  Stopping a local automation agent
  Controlling how sensors are selected
  Configuring unknown server applications
  Configuring credentials for an application
  Uninstalling a local automation agent

Chapter 6 Configuring load balancers for agentless automation
  About certificate automation on load balancers
  Adding agentless settings
  What's next
  Adding agentless settings from a file
  Listing agentless configuration settings
  Activating data IP addresses for automation
  Activating data IP addresses from a file
  Listing high availability pairs
  Adding a key password
  Adding a key password from a file
  Deleting a key password
  Listing data IP addresses
  Listing agents registered with a sensor
  Verifying a load balancer configuration
  What's next

Chapter 7 Managing sensors and local automation agents
  Managing sensors
  Managing automation agents and hosts

Chapter 8 Setting up certificate renewal
  About renewing certificates
  What's next?
  About transferring certificates
  Installing certificates on clusters
  Retrieving a private key

Chapter 9 Installation troubleshooting
  About troubleshooting sensors and agents
  Sensor installation error messages
  Application configuration error messages

Appendix A Using automation scripts
  About automation scripts
  Creating an automation script
  Naming and storing automation scripts
  Running automation scripts
  Example script

Appendix B Application support
  About application support
  Microsoft IIS
  Apache HTTP server
  Citrix NetScaler
  F5 BIG-IP

Index

Chapter 1 About Certificate Intelligence Center management tools

This chapter includes the following topics:
- Certificate Intelligence Center features
- About sensor, agent, and cloud communications
- Integration with Managed PKI for SSL
- For more information

Certificate Intelligence Center features

Certificate Intelligence Center (CIC) is an SSL certificate management service that discovers and renews SSL certificates on networks where multiple SSL certificates are installed. CIC is ideal for a corporate enterprise that needs to manage a large mix of SSL certificates from different Certificate Authorities. By scanning and centralizing data into one repository, CIC provides network administrators with detailed intelligence to manage their SSL environment.

With CIC you can:
- Scan for SSL certificates on your network.
- View detailed SSL certificate information using reports, graphs, and charts.
- Schedule and run scans periodically to discover certificates.
- Automate Symantec SSL certificate renewal and installation.
- Automate replacement of non-Symantec certificates with Symantec certificates.

CIC is a hybrid service that uses a cloud-based control center hosted by Symantec along with certificate management tools you install on your network. CIC software includes the CIC control center for viewing and managing your certificates. It also includes sensors for discovering certificates on your network, and automation capabilities for renewing and transferring certificates.

The CIC control center
The CIC control center includes cloud services, database, and console. The CIC cloud provides a secure environment for all your CIC communications. Symantec hosts the CIC cloud. The CIC console is a web-based application and your main interface with the CIC cloud, sensors, and automation agents. You can view the CIC console from any supported web browser running on your network. See Figure 1-1.

CIC sensors
To set up certificate discovery, you install sensors on your local network. Sensors locate SSL certificates on your network and report this information back to the CIC cloud. Sensors can locate Symantec-issued SSL certificates as well as those issued by other Certificate Authorities. See Figure 1-2.

CIC automation software
Automation agents help you to renew Symantec SSL certificates, or to replace non-Symantec certificates with Symantec certificates. CIC automation includes two installation options:

- Local automation agents
  With local automation, you install an automation agent directly on the server that hosts the SSL certificate. The local automation agent runs continuously and receives instructions on certificate-related tasks to perform, such as generating a CSR or renewing a certificate. See Figure 1-3.

- Agentless automation
  With agentless automation, the sensor on the sensor host manages certificate renewal and transfer, instead of an agent on the certificate host. You provide one of the sensors on your network with administrator or superuser login credentials to the certificate host. The sensor uses the credentials to remotely access the certificate host and control certificate automation. See Figure 1-4.
  Currently, CIC agentless configuration is supported for Citrix NetScaler and F5 Big-IP load balancers. For this configuration to work, the load balancer must host and distribute certificates, instead of the certificate host.

Figure 1-1 CIC console. You can use CIC to add sensors to scan and discover SSL certificates on your network, view certificate status, automate certificate renewal, manage user access and permissions, and generate reports.

Figure 1-2 Sensors scan for SSL certificates on your network.

Figure 1-3 Option 1 - Local agent automation

Figure 1-4 Option 2 - Agentless automation

About sensor, agent, and cloud communications

Your network's firewall rules and Access Control Lists (ACLs) must be configured to allow communication between the Symantec-hosted CIC cloud, sensors, and agents. The communications requirements include:
- All communications are first routed through a sensor.
- No direct communications occur from the CIC cloud to local automation agents.
- You can change the default ports for sensor-to-agent communication.

See Deployment guidelines on page 27.
See Installation requirements on page 23.

Integration with Managed PKI for SSL

CIC works with Symantec Managed PKI for SSL to provide a fully-integrated environment for certificate creation and automation:
- CIC forwards certificate requests to Managed PKI for SSL for processing and installs the certificates that Managed PKI for SSL creates.
- CIC tracks and uses the certificate units you purchase in Managed PKI for SSL and maintains a consistent unit count between the two products.
- All Managed PKI for SSL users can access CIC for certificate discovery and automation. Give them a CIC group assignment, and they are ready to go.

For more information

To learn more about CIC, refer to these sources:
- Symantec CIC Installation Guide
  Refer to this guide for information on how to install sensors and local automation agents. It also includes information on how to configure agentless automation.
- Account setup flow
  When you first sign in to CIC, instructions appear at the top of the CIC console. Use these instructions to set up the CIC account. See Figure 1-5.
- CIC help topics and videos
  Use the Help menu to view help topics and the videos that describe how to use CIC features.

Figure 1-5 Account setup for new users

Chapter 2 Certificate Intelligence Center (CIC) checklist

This chapter includes the following topics:
- About the checklist

About the checklist

Table 2-1 shows an overview of the tasks that are required for you to install sensors and agents and configure CIC for certificate discovery and automation. Items are presented in the recommended (but not required) order. You can use this checklist to make sure that you have performed all the required installation and setup tasks for CIC.

Table 2-1 CIC checklist

Action: Plan your deployment
Description:
- Select a host on your network to manage certificate discovery and run the sensor software. The sensor host must run Red Hat Enterprise Linux or VMware ESX/ESXi.
- Select a certificate host on your network with certificates you want to automate. A certificate host must run Linux or Microsoft Windows.
- Pick an application you want to configure for certificate automation. Supported applications include: Apache HTTP server, Microsoft IIS, Citrix Netscaler, or F5 BIG-IP.
See Installation requirements on page 23.

Action: Set up users and groups.
Description:
- Set up accounts so you can delegate tasks to other CIC administrators.
- Make sure that group responsibilities are compatible with your organization. For example, are there members of your organization who can perform CIC administrator tasks, sensor installation tasks, and so on? Segregate responsibilities as desired.
This step is optional; you can set up users and groups anytime you like. For more information, see CIC help.

Action: Install and configure sensors.
Description:
- Download and install sensor software on a sensor host.
- Make sure that the sensors you installed can reach application hosts on your network and discover certificates.
- Sign on to CIC and configure the sensor with a range of IP addresses to monitor.
- Make sure that the sensor is started and running.
See About installing sensors on page 29.

Action: Run scans and view scan results.
Description:
- Schedule a scan to discover certificates on your network.
- Configure the scan to run periodically so the latest certificate status is always available.
- Use the Certificate Intelligence panel to view scan results.
See Scheduling scans and verifying results on page 40.

Action: Install and configure a local automation agent. Activate IP addresses for automation.
Description:
- Download and install agent software on a certificate host.
- Make sure that the agent is started and running.
- Activate the IP addresses for the certificates you want to automate.
- Use the Manage automation agents panel to verify that the agent can communicate with the cloud. Also verify that the agent has correctly identified the application on the server that uses the certificate.
See About local automation agents and certificate automation on page 50.

Action: Configure agentless automation.
Description:
For load balancers, you can configure the sensor to automate certificates on a load balancer:
- CIC supports automation on Citrix Netscaler and F5 BIG-IP load balancers.
- Provide the sensor with the load balancer's management IP address and credentials.
- Activate the IP addresses for the certificates you want to automate.
- Use the Manage automation agents panel to verify that the agentless automation host is configured and no more server information is needed.
See About certificate automation on load balancers on page 69.

Action: Set up certificates for renewal or transfer.
Description:
- For a certificate you want to renew or transfer, specify the required CSR parameters.
- Schedule CSR generation and certificate installation.
- Verify that the certificate was successfully generated and installed.
See About renewing certificates on page 95.

Chapter 3 Preparing to install

This chapter includes the following topics:
- Installation requirements
- Firewalls, routers, and other devices
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Proxies
- Deployment guidelines

Installation requirements

This section provides installation requirements for Certificate Intelligence Center (CIC), sensors, local automation agents, and agentless automation.

Symantec recommends that you install each sensor on a dedicated host. Local automation agents must be installed on the same system that hosts the certificate you want to automate. You cannot set up local agent automation on a host if a sensor is installed on that host.

System requirements for sensors

This section describes the hardware, software, and configuration requirements that are required to install CIC sensors.

Hardware and software requirements for sensors

Table 3-1 Hardware and software requirements for sensor installation

Installation type: Software installation from a .tar.gz package
Required:
- Red Hat Enterprise Linux 5.7, 5.8, 6.2, or bit version and US locale required
- 2 GHz CPU
- 2 GB RAM
- 20 GB free disk space
- GNU tar or equivalent tar utility
- Root privileges on the host where you install the sensor
Recommended:
- 2 GHz dual or quad-core CPU
- 4 GB RAM

Installation type: Virtual appliance installation from a .ova file
Required:
- VMware ESX/ESXi 4.0, 4.1, and 5.0
- VMware Infrastructure or vSphere Client
- 2 GHz CPU
- 2 GB RAM
- 20 GB free disk space
- ESX administrator access on the host where you install the sensor
Recommended:
- 2 GHz dual or quad-core CPU
- 4 GB RAM

Network access permissions

CIC, sensors, and agents require the following access on your network:
- The host name for the sensor's host device must be resolvable. For example, on Red Hat Enterprise Linux, make sure that the host name is added to /etc/hosts.
- The sensor must have outbound HTTP (port 80) and HTTPS (port 443) access to communicate with CIC. This outbound access is required for direct or proxy access.
- For the sensor to communicate with an agent, you must allow all agents to open connections to the sensors on two ports. By default, these ports are 8080 and
- The sensor must have access to the IP addresses that you want to scan.

Firewall and other access control services must allow the following CIC service URLs:

Table 3-2 CIC communication ports (columns: Port, Protocol or service, Purpose)
- HTTP: Sensor to CIC cloud communication
- HTTP: Agent to sensor communication
- HTTPS: Sensor to CIC cloud communication
- HTTPS: Agent to sensor communication

System requirements for certificate automation

This section lists the platform requirements for local agent automation and for agentless automation.

Table 3-3 Local agent support

Installation type: Local automation agent (32-bit Windows), Local automation agent (64-bit Windows)
OS version: Microsoft Windows Server 2003, 2008, and 2008 r2
Supported applications: Microsoft IIS 6, 7

Installation type: Local automation agent (32-bit Linux), Local automation agent (64-bit Linux)
OS version: Red Hat Enterprise Linux 5.7, 5.8, 6.2, and 6.3
Supported applications: Apache HTTP server 1.3, , and

Table 3-4 Load balancer support

Installation type: Load balancers (agentless automation)
Supported platforms: Supported load balancers include:
- Citrix NetScaler
- F5 Big-IP, Version 9, 10

Web browser requirements

The CIC console supports the following web browsers:
- Internet Explorer 8, 9, and 10 for Windows
- Firefox 4.x.x and higher for Windows and Apple

Firewalls, routers, and other devices

Install the sensor in a location where it can reach its target IP addresses. If the sensor is installed outside a firewall or router, the sensor may be blocked from a target IP address. Symantec recommends that you install a sensor where it can reach its target IP addresses without going through firewalls or routers. Ensure that firewall rules or Access Control Lists allow the sensor to reach the target IP addresses. Additionally, you need to install sensors on any non-routable segments in your network if you want to discover certificates inside that segment.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

When you start running your CIC scans, the scans may trigger false alarms in intrusion detection systems (IDS) or intrusion prevention systems (IPS). Configure your IDS/IPS utilities to whitelist your CIC scans, or configure your CIC scans to run at a slower rate. Slower scans may take longer to complete, but they are less likely to trigger IDS or IPS false alarms.

Proxies

Sensors must be able to communicate with the CIC cloud. However, security policies may prohibit direct connections to the Internet or cloud-based services from the server that hosts a sensor. In this case, you can configure sensors to use a proxy.

See Configuring a sensor through a proxy on page 44.

Deployment guidelines

This section provides guidelines for deploying CIC sensors and agents on your network.

Sensor deployment options

When you install sensors for the first time, you need to determine where you install your sensors and how many you need to install. Primary objectives to consider when you plan a sensor deployment include:
- What networks, segments, and IP addresses do you need to scan?
- Are there network policies or any devices that might restrict where a sensor is installed and where it can scan?

As a general rule, install one sensor for an uninterrupted network segment that can be fully scanned in a reasonable time. Install a sensor where it can reach all of its target IP addresses.

You need additional sensors if your network:
- Is segmented by firewalls or routers.
- Has multiple VLANs or network segments.
- Has any non-routable segments.

You can add more sensors to improve the scanning speed, or you can increase the scanning range of a single sensor. Additional sensors are needed if you plan to scan a large number of IP addresses and ports. Increasing the number of sensors improves the overall time to completion for your scans. However, more sensors increase your network bandwidth usage. You should balance your bandwidth requirements against your scanning speed requirements.

To determine the scanning efficiency of a single sensor, follow these steps:
- Install the sensor.
- Configure and run a scan.
- Review the time to completion and the results.

You can fine-tune your initial sensor and scan configuration settings over time to find the correct balance between coverage and scan speed.

Automation configuration options

Symantec offers agentless automation for load balancers and local agent automation for Linux and Microsoft Windows certificate hosts.
- For local agent installation, you must install a local automation agent on each certificate host. Supported applications include Apache and Microsoft IIS.
- For agentless automation, you do not install a local automation agent on the certificate host. Instead, you configure a sensor for access to the certificate host. Supported applications include Citrix Netscaler and F5 BIG-IP.

Local automation agents must be able to reach one or more sensors for communication. Make sure that all relevant sensor IP addresses and ports are open on the host and accessible by the agent.

Chapter 4 Installing sensors

This chapter includes the following topics:
- About installing sensors
- Downloading the sensor files
- Sensor directory structure
- Before you install
- Installing the sensor on Linux
- Installing the sensor as a virtual appliance
- Starting the sensor
- Configuring the sensor
- Scheduling scans and verifying results
- Stopping and starting a sensor
- Configuring a sensor through a proxy
- Uninstalling a sensor
- Updating a sensor

About installing sensors

You have two options for installing a sensor. Use the appropriate option and installation package for your network environment:
- Install the sensor directly on a device from a .tar.gz installation package. See Installing the sensor on Linux on page 32.
- Install the sensor as a virtual appliance from a .ova virtual appliance package. See Installing the sensor as a virtual appliance on page 36.

Downloading the sensor files

You can download the sensor installation files and license keys from Certificate Intelligence Center (CIC).

To download sensor files
1. Sign in to CIC.
2. Open the Sensors panel and click Add Sensor. A panel appears with a list of download options. From this panel, you can download and save the desired installation packages. Choices include:
   - A package to install the sensor on Linux.
   - A package to install the sensor as a virtual appliance.
   - License keys. In addition to the sensor software, you must get a new license key for each sensor you install. Your CIC account comes with 25 sensor licenses. If you need more licenses, contact Technical Support.

Figure 4-1 Two options for installing a sensor

Sensor directory structure

Installing the sensor writes the following directory structure to your system:

Table 4-1 Contents of the sensor package

Directory/File      Description
start.sh            Script that starts the sensor.
./automationdata/   Contains user-created custom scripts.
./bundles/          Contains the .jar files required to run the sensor.
./cli/              Contains the executable commands for the sensor. Includes the ./bin/ directory. This directory contains the .jar files required to run the executables.
./config/           Contains the configuration files for the sensor components.
./jre/              Contains the Java runtime for running the sensor on 64-bit Linux systems.
./logs/             Contains log files for the sensor components.
./startup/          Contains the additional scripts and the .jar files that are required to configure and start the sensor.

Before you install

Review the following checklist before you install your sensors.
- Network access permissions
  CIC requires these permissions so that the sensor can communicate with necessary CIC services and scan your network for certificates.
- Deployment guidelines
  Deployment guidelines can help you determine where to install one or multiple sensors. See Deployment guidelines on page 27.

Installing the sensor on Linux

This section describes how to install the sensor on Linux. To install the sensor, perform the following tasks:
- Download and unpack the sensor software
- Add a license file
- Add JCE policy files

Downloading and unpacking the sensor software

Get the symc_cic_sensor_2.0_linux_x64.tar.gz file from CIC or from a local network location provided by your CIC administrator.

To download and unpack the sensor software
1. To get the file from CIC, open the Sensors panel and click Add Sensor.
2. Log in as root (SuperUser) on the host where you plan to install the sensor.
3. To make sure that the Red Hat Enterprise Linux environment locale is set to US, enter the following command:

       export LC_ALL=en_US

4. Create an installation directory where you want to install the sensor. The directory pathname should not include spaces or special characters. For example:

       mkdir cic2

   Note: In this chapter, we will use the placeholder term, install_dir, to refer to the sensor installation directory you created.
5. Copy the symc_cic_sensor_2.0_linux_x64.tar.gz file to the installation directory you created.
6. Change into the installation directory and extract the symc_cic_sensor_2.0_linux_x64.tar.gz file. For example:

       cd install_dir
       tar -xvzf symc_cic_sensor_2.0_linux_x64.tar.gz

   Where install_dir is the sensor installation directory.

After you have extracted the sensor software, you need to add a license file.

Adding a license file

Add a license file for each sensor you install.

To add a license file
1. Get a license.properties file from CIC or from a local network location provided by your CIC administrator. To download a license file from CIC, open the Sensors panel and click Add Sensor.
2. Choose Get installation files and license keys. The sensor download page appears.
3. Choose License Keys, then select Install new sensors.
4. Set the number of license keys to 1 (one).
5. Click Download. Each file you download contains a unique license ID. To help you track which files are unique, each license file you download is numbered sequentially. For example, license1.properties, license2.properties, and so on.
6. Copy the newly-renamed license.properties file into the sensor configuration directory. For example:

       cp license.properties2 install_dir/config

   Where install_dir is the sensor installation directory.

Note: If you are installing multiple sensors on your network, you must use a unique license.properties file for each sensor installation.

Downloading the JCE policy files

To finish the installation, you need to download the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files. These files help ensure that CIC can support certificate discovery on the servers that are enabled for stronger encryption. This task is recommended, but not required.

Warning: Servers using certain strong encryption algorithms require these policy files to support certificate discovery. Without these files, CIC may not be able to find and return information for certificates on these servers.

Downloading the JCE policy files
1. Log in as root (SuperUser) on the sensor host.
2. Open a web browser and navigate to:
3. Download and unzip the UnlimitedJCEPolicyJDK7.zip file.
4. Copy the following files into the install_dir/config/ directory:
   - local_policy.jar
   - US_export_policy.jar
   Where install_dir is the sensor installation directory.

What's next?

Congratulations! You have successfully installed the sensor software. The next step is to start the sensor. See Starting the sensor on page 37.

Note: Sensors must be able to communicate with the CIC cloud. However, security policies may prohibit direct connections to the Internet or cloud-based services from the server that hosts a sensor. In this case, you can configure sensors to use a proxy. See Configuring a sensor through a proxy on page 44.
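The sensor-host requirements in Table 3-1 and steps 3 and 4 of the unpack procedure can be checked before anything is extracted as root. The script below is an added example, not part of the Symantec guide or product: its function names and the --run switch are hypothetical, and it goes one step beyond the guide by listing the archive to confirm that no member would be written outside install_dir. Reachability of the CIC cloud is not tested.

```bash
#!/usr/bin/env bash
# Pre-install checks for a CIC sensor host (added example, not Symantec code).
# Thresholds come from Table 3-1; all function names here are hypothetical.

MIN_DISK_KB=$((20 * 1024 * 1024))          # 20 GB free disk space
# 2 GB RAM. MemTotal excludes kernel-reserved memory, so allow 10% slack.
MIN_RAM_KB=$((2 * 1024 * 1024 * 9 / 10))
FAILURES=0

# Step 4: the install path should not include spaces or special characters.
# Accept only letters, digits, '/', '.', '_' and '-'.
valid_install_dir() {
    case "$1" in
        "" | *[!A-Za-z0-9/._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 3: the locale must be US (the guide sets LC_ALL=en_US).
locale_is_us() {
    case "${1:-}" in
        en_US*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when host name $1 is listed as a name (not an address) on a
# non-comment line of the hosts file $2.
host_in_hosts_file() {
    awk -v h="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$2"
}

resolves() { getent hosts "$1" >/dev/null 2>&1 || host_in_hosts_file "$1" /etc/hosts; }
have_tar() { command -v tar >/dev/null 2>&1; }

# Free space in KB on the file system holding directory $1.
free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'; }

# Total RAM in KB from a meminfo-style file (default /proc/meminfo).
ram_kb() { awk '/^MemTotal:/ { print $2 }' "${1:-/proc/meminfo}"; }

# Succeeds when integer $1 >= integer $2; an empty or non-numeric $1 fails.
at_least() { [ "$1" -ge "$2" ] 2>/dev/null; }

# Reads archive member names on stdin; succeeds if any is absolute or
# contains a ".." component, i.e. would be written outside install_dir.
has_unsafe_member() { grep -Eq '^/|(^|/)\.\.(/|$)'; }

# Succeeds when the .tar.gz at $1 can be listed and every member stays
# inside the extraction directory.
archive_is_contained() {
    local members
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    if printf '%s\n' "$members" | has_unsafe_member; then return 1; fi
    return 0
}

check() {   # check "description" command [args...]
    local desc="$1"; shift
    if "$@"; then echo "PASS  $desc"
    else echo "FAIL  $desc"; FAILURES=$((FAILURES + 1)); fi
}

# Usage: preflight INSTALL_DIR [SENSOR_TAR_GZ]
preflight() {
    local dir="$1" archive="${2:-}" host
    host=$(hostname)
    check "running as root"                    test "$(id -u)" -eq 0
    check "locale is en_US"                    locale_is_us "${LC_ALL:-}"
    check "install path has no special chars"  valid_install_dir "$dir"
    check "tar is available"                   have_tar
    check "host name $host resolves"           resolves "$host"
    check "20 GB free for $dir"                at_least "$(free_kb "$(dirname "$dir")")" "$MIN_DISK_KB"
    check "2 GB RAM"                           at_least "$(ram_kb)" "$MIN_RAM_KB"
    if [ -n "$archive" ]; then
        check "archive members stay inside install_dir" archive_is_contained "$archive"
    fi
    [ "$FAILURES" -eq 0 ]
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    shift
    preflight "$@"
    exit $?
fi
```

Run it as root with `--run install_dir symc_cic_sensor_2.0_linux_x64.tar.gz` before step 5; a non-zero exit status means at least one requirement is not met.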

Installing the sensor as a virtual appliance

This section describes how to install the sensor as a virtual appliance. Tasks include preparing to install, deploying the virtual appliance, starting the virtual appliance, and configuring the virtual appliance.

To prepare to install the sensor as a virtual appliance

- Get the correct sensor file and license.properties file from CIC or from a local network location provided by your CIC administrator.
- Copy the files to a location that can be reached with vSphere Client.
- For VMware ESX/ESXi 4.x, make sure that you have the file symc_cic_sensor_x86_x64_4.x.ova.
- For VMware ESX/ESXi 5.x, make sure that you have the file symc_cic_sensor_x86_x64_5.x.ova.

To deploy the virtual appliance

1. Log in to vSphere Client.
2. Select File > Deploy OVF Template.
3. Follow the Deploy OVF Template wizard to deploy the sensor virtual appliance:
   - Select Deploy from file.
     For ESX/ESXi 4.x, find the symc_cic_sensor_x86_x64_4.x.ova file.
     For ESX/ESXi 5.x, find the symc_cic_sensor_x86_x64_5.x.ova file.
   - Accept the license agreement.
   - Set the location and name for the deployed image.
   - Select the ESX server host where the image should be deployed.
   - Select the data store where the virtual machine files are stored.
   - Select the network that the deployed image should use.
4. Review the deployment details and click Finish to deploy the image.

To start the virtual appliance

1. Select the newly-deployed appliance and click Power on the virtual machine.
2. Go to the Console tab.
3. When you are prompted, change the password for the root user and for the cicuser user.

To configure the virtual appliance

1. If the virtual appliance does not find a DHCP server, you must assign a static IP. Run the assigniphostname tool and then continue with the next step.
   Note: Make sure that you provide the IP address and the host name.
2. SSH to the virtual appliance as the cicuser user, then switch to the root user.
3. Copy a new license.properties file into /opt/symantec/sensor/config/. See Adding a license file.
4. Copy the following files into the /opt/symantec/sensor/config/ directory:
   local_policy.jar
   US_export_policy.jar
   See Downloading the JCE policy files on page 35.

Starting the sensor

After you install the sensor software, start the sensor.

To start a sensor that is installed on Linux

1. Log in as root (SuperUser) on the sensor host.
2. Navigate to install_dir.
   Where install_dir is the sensor installation directory.

3. Run the start.sh script. For example:
    ./start.sh
    Sensor CLI, Version 2.0. Copyright 2013, Symantec Corporation. Build date: 3-December :44 AM
    Starting the CIC sensor...
    Starting may take up to two minutes to complete if the sensor has not been activated.
    Uncompressing the Java Runtime Environment...
    Validating code signatures on all packages...
    Installing and starting modules...
    After starting, sensor activation is required.
    Activation in progress...
    Activation completed successfully...
    Startup completed successfully...
    IMPORTANT: The sensor has started. Go to the CIC console to configure the sensor and set up scans.
4. The startup script displays a success message after the sensor has started. Full installation logs are written to install_dir/logs/sensor.log. However, error messages display during installation if the sensor installation or startup fails. See About troubleshooting sensors and agents on page 103.

What's next?

Congratulations! Once you have successfully started the sensor, you are ready to configure the sensor. See Configuring the sensor on page 38.

Configuring the sensor

After installation, configure the sensor using Certificate Intelligence Center (CIC).

To configure the sensor

1. Sign on to CIC and open the Sensors panel.
2. Select the sensor you added. When you first add a sensor, the sensor is identified by the 16-digit license number assigned to the sensor.
3. Click Configure. A list of sensor configuration options appears.
4. Click Edit Profile and enter a nickname for the sensor. Symantec recommends using the sensor's host name as a nickname.
5. Click Edit settings for future scans.

6. In the Enter IP Addresses field, enter a list of IP addresses that you want the sensor to scan, then click Include.
7. When you have finished adding the sensor nickname and IP addresses for scans, click Apply.

What's next?

Congratulations! You have successfully configured the sensor. The next step is to schedule sensor scans. See Scheduling scans and verifying results on page 40.

Scheduling scans and verifying results

After you have installed your sensors, CIC provides a flexible interface for configuring which IP address and port combinations to scan. You can also configure how many scans are defined for each sensor, how often the scans are run, and other scan settings.

To schedule a scan

1. Sign on to CIC.
2. Click Manage Scans in the Scans panel.
3. Click Add scan.
4. Enter the desired scan information and click Apply. At minimum, the scan should include a name to identify the scan, the IP addresses and ports to be scanned on your network, and a schedule for when the scans should run.
5. Once the scan is run, you can verify scan results by opening the Certificate Intelligence panel. This panel shows a list of certificates discovered by the scan.

Figure 4-2 Scheduling sensor scans

What's next?

Congratulations! You have successfully added a sensor and run a sensor scan! Now, you can review the rest of this chapter to learn more about sensor CLI commands. Or, you can skip ahead to set up certificate automation. See About local automation agents and certificate automation on page 50.

Stopping and starting a sensor

You can manually stop and start a sensor. This feature is helpful if you need to restart the sensor to resolve technical problems. Also, you may need to temporarily stop all sensor activity on the host device, or clear current sensor activity.

Restarting a sensor

If a sensor has technical problems, we recommend that you stop and restart it to resolve these problems. The restart.sh command stops the sensor and then immediately restarts it. The sensor then immediately resumes any scans or other activities that were in progress.

To manually restart a sensor

1. Log in to the sensor host.
2. Navigate to install_dir/cli.
   Where install_dir is the installation directory for the sensor.
3. Run the following command:
    ./restart.sh

Stopping a sensor

If you need to stop a sensor for an indefinite time, run the stop.sh command.

To stop a sensor

1. Log in to the sensor host.
2. Navigate to install_dir/cli.
   Where install_dir is the installation directory for the sensor.
3. Run the following command:
    ./stop.sh

You can stop the sensor for up to 10 minutes with no effect on the sensor's current activities. If you restart the sensor within 10 minutes, the sensor resumes any scans or other activities that were in progress. When the sensor stops for over 10 minutes, any scans in progress stop and are not completed. Any certificate information retrieved by a partial scan is available in CIC. Scans that are scheduled to start while the sensor is stopped are missed and not started later.

Resuming a sensor

If you stop a sensor for 10 minutes or less and you want to resume scans and other activities, run the start.sh command.

To resume a stopped sensor

1. Log in to the sensor host.
2. Navigate to install_dir.
   Where install_dir is the installation directory for the sensor.
3. Run the following command:
    ./start.sh

Clearing and starting a stopped sensor

If the sensor is stopped for more than 10 minutes, run the cleanstart.sh command to clear the sensor's instructions before starting. Clearing the sensor ensures that no unnecessary instructions are still running when the sensor starts. The sensor can start the next scan at the scheduled time.

To clear sensor instructions and start the sensor

1. Log in to the sensor host.
2. Navigate to install_dir/cli.
   Where install_dir is the installation directory for the sensor.
3. Run the following command:
    ./cleanstart.sh

Configuring a sensor through a proxy

Sensors must be able to communicate with the CIC cloud. However, security policies may prohibit direct connections to the Internet or cloud-based services from the server that hosts a sensor. In this case, you can configure the sensor to access CIC through a proxy. You need to repeat these steps for each sensor you install that needs proxy access.

To configure a sensor to access CIC through a proxy

1. Using a text editor (such as vi), create a file containing the following proxy configuration settings:

   enableproxy
       Whether proxy access is enabled: Use true to enable proxy access. Use false to disable proxy access.
   httphost
       The IP address of the proxy server that is used for HTTP communication.
   httphostport
       The port number that the proxy server uses for HTTP communication.
   httpauthuser
       The user name that is required to authenticate to the HTTP proxy (Basic Authentication only), if required.
   httpauthpassword
       The password that is required to authenticate to the HTTP proxy (Basic Authentication only), if required.
   httpshost
       The IP address of the proxy server that is used for HTTPS communication.
   httpshostport
       The port number that the proxy server uses for HTTPS communication.
   httpsauthuser
       The user name that is required to authenticate to the HTTPS proxy (Basic Authentication only), if required.
   httpsauthpassword
       The password that is required to authenticate to the HTTPS proxy (Basic Authentication only), if required.

   The file should appear similar to the following:

    enableproxy=true
    httphost=
    httphostport=80
    httpauthuser=admin
    httpauthpassword=system01@admin
    httpshost=
    httpshostport=443
    httpsauthuser=admin
    httpsauthpassword=system02@admin

2. Save the configuration file to a directory on the host where the sensor is installed.

3. Apply the configuration file:
   - If the sensor is running, use the applyproxysettings.sh script on the host where the sensor is installed:
      install_dir/cli/applyproxysettings.sh -file path
     Where path is the full path and the file name of the configuration file.
   - If the sensor is not running, copy the configuration file to: install_dir/config/sensorproxy.properties.
4. Start the sensor. See Starting the sensor on page 37.

To retrieve proxy settings for a sensor

1. Log in to the sensor host.
2. Navigate to install_dir/cli.
   Where install_dir is the installation directory for the sensor.
3. Run the following command:
    ./getproxysettings.sh -file output_file
   Where output_file is the path and the file name where the script should output the current proxy settings.

Uninstalling a sensor

Uninstall a sensor when it is no longer needed or if you plan to reinstall the sensor. Before you remove a sensor, void the sensor first to reclaim the sensor license.

To void the sensor

1. Sign in to CIC.
2. Open the Manage Sensors panel and locate the sensor you want to void.
3. Click Void Sensor to void the sensor. When you void a sensor, all agents associated with the sensor automatically search for another sensor on your network.

To remove a sensor installed from a software file:

1. To make sure that the sensor is stopped, run the stop.sh script in the install_dir/cli/ directory.
2. Delete the install_dir directory and all its contents.

To remove a sensor installed as a virtual appliance:

1. SSH to the virtual appliance as the cicuser user and then switch to the root user.
2. Shut down the appliance:
    /sbin/shutdown -h now
3. Log in to vSphere Client.
4. Right-click the sensor virtual appliance and select Delete from Disk.

Updating a sensor

CIC automatically detects new versions of sensor software. If you configure a sensor for automatic software updates, CIC updates the sensor with no action required from you. You can also choose to first approve the software update before CIC updates the sensor software. Sensor software update options are available in CIC, in each sensor's individual settings.

Note: Symantec supports the most recent sensor software version as well as several previous versions. Update your sensor software regularly to make sure that you have the latest version.

Additionally, if you require manual software updates on your network, you can install the new sensor software directly at the point of installation. To manually update the sensor directly on your server or through your VMware console, contact Symantec Technical Support at enterprise-sslsupport@symantec.com.
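The proxy settings file described under "Configuring a sensor through a proxy" carries the proxy Basic Authentication passwords as plain key=value text, so it is worth checking before it is applied. The script below is an added example, not part of the Symantec guide or product: it validates the documented keys and port values and flags a file that holds a password while being accessible to group or other users. The function names, the handling of comment lines and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Symantec code. Pre-flight check for a sensor proxy
# settings file; the key names are the ones listed in the guide.

# is_port VALUE: succeeds when VALUE is an integer from 1 to 65535.
is_port() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_proxy_file FILE
# Prints one finding per line. Returns 0 when the file is clean, 1 otherwise.
check_proxy_file() (
    file=$1
    findings=0
    has_secret=0
    lineno=0
    report() {
        echo "$file: $1"
        findings=$((findings + 1))
    }

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "$file: not a readable file"
        return 1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*) continue ;;      # blank line or comment (assumption)
            *=*) ;;
            *) report "line $lineno: expected key=value"; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            enableproxy)
                case $value in
                    true | false) ;;
                    *) report "line $lineno: enableproxy must be true or false" ;;
                esac ;;
            httphostport | httpshostport)
                is_port "$value" ||
                    report "line $lineno: $key is not a port (1-65535)" ;;
            httphost | httpshost | httpauthuser | httpsauthuser) ;;
            httpauthpassword | httpsauthpassword)
                if [ -n "$value" ]; then has_secret=1; fi ;;
            *) report "line $lineno: unknown key '$key'" ;;
        esac
    done < "$file"

    if [ "$has_secret" -eq 1 ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld -- "$file" | cut -c5-10)
        [ "$mode" = "------" ] ||
            report "holds a proxy password but is accessible to group/other ($mode)"
    fi
    [ "$findings" -eq 0 ]
)

# Demo on a constructed file (192.0.2.0/24 is a documentation address range).
demo_dir=$(mktemp -d)
cat > "$demo_dir/proxy.properties" <<'EOF'
enableproxy=true
httphost=192.0.2.10
httphostport=80
httpauthuser=cicproxy
httpauthpassword=example-only
httpshost=192.0.2.10
httpshostport=443
httpsauthuser=cicproxy
httpsauthpassword=example-only
EOF
chmod 644 "$demo_dir/proxy.properties"
check_proxy_file "$demo_dir/proxy.properties" ||
    echo "fix the findings above before applying the file"
chmod 600 "$demo_dir/proxy.properties"
check_proxy_file "$demo_dir/proxy.properties" && echo "ok to apply"
rm -rf "$demo_dir"
```

Run it against the working copy before applyproxysettings.sh, and against install_dir/config/sensorproxy.properties when the file is copied there directly.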


Chapter 5 Installing a local automation agent

This chapter includes the following topics:

- About local automation agents and certificate automation
- Downloading automation software
- Agent directory structure
- Installing a local automation agent
- About local agent commands
- Starting the agent
- Activating IP addresses for automation
- Activating IP addresses from a file
- Verifying a local agent configuration
- Stopping and restarting a local automation agent
- Controlling how sensors are selected
- Configuring unknown server applications
- Configuring credentials for an application
- Uninstalling a local automation agent

About local automation agents and certificate automation

To automate certificate renewal and transfer, you can:

- Install a local automation agent on the certificate host.
- Configure a sensor for agentless automation. See About certificate automation on load balancers on page 69.

This chapter describes how to install and start a local automation agent.

Downloading automation software

Table 5-1 includes the agent installation packages you can download to install a local automation agent.

Table 5-1 Agent software packages

Package name                          Description
symc_cic_agent_2.0_linux_x64.tar.gz   64-bit, Linux
symc_cic_agent_2.0_linux_x86.tar.gz   32-bit, Linux
symc_cic_agent_2.0_win_x64.exe        64-bit, Windows, installer executable
symc_cic_agent_2.0_win_x86.exe        32-bit, Windows, installer executable

To download local agent software

1. Sign in to Certificate Intelligence Center (CIC).
2. Open the Manage Local Hosts panel and click Add Agent. An agent setup panel appears with a set of installation options. From this panel, you can download and save the desired installation packages. Choices include:
   - A local agent installer for Windows Server. You can choose an installer for a 32-bit OS or for a 64-bit OS. See Installing a local automation agent on a Microsoft Windows host on page 53.
   - Packages to install a local agent on Linux. You can choose a package for a 32-bit OS or for a 64-bit OS. See Installing a local automation agent on a Linux host on page 52.

   - Instructions for setting up certificate automation on a load balancer. You do not need to download a package. See About certificate automation on load balancers on page 69.

Figure 5-1 Downloading automation agent software

Agent directory structure

Installing a local automation agent creates the following directory structure on the certificate host:

Table 5-2 Contents of the local automation agent package

Directory/File: start.sh, start.bat
    Description: Scripts that start the agent. Linux agents have a start.sh script. Windows agents have a start.bat file. These scripts are located in the top level of the agent's installation directory.

Table 5-2 Contents of the local automation agent package (continued)

Directory/File: ./automationdata/
    Description: Contains the custom scripts that are created by users. This directory also contains data for certificate lifecycle operations.
Directory/File: ./bundles/, ./bin/, ./startup
    Description: Contains scripts, jar files, and executable code required to configure and run the agent.
Directory/File: ./cli/
    Description: Contains the executable commands for the agent.
Directory/File: ./config/
    Description: Contains the configuration files for the agent components. This directory includes a file with a list of sensors available for communication with the agent.
Directory/File: ./logs/
    Description: Contains the log files for the agent components.

Installing a local automation agent

You can install a local automation agent on a Linux host or a Microsoft Windows host. Make sure you install the agent on the machine that hosts the certificates you want to automate.

Installing a local automation agent on a Linux host

This section describes how to install a local automation agent on a Linux host.

To install a local automation agent on a Linux host

1. Get the appropriate compressed file from CIC, or from a local network location provided by your CIC administrator. To get the file from CIC, open the Automation agents panel and click Add agent.
2. Log in as root (SuperUser) on the certificate host.

3. Create an installation directory where you want to install the local automation agent. The directory pathname should not include spaces or special characters. For example:
    mkdir agent2
   In this chapter, the installation directory is called install_dir to indicate the directory you created.
4. Copy the compressed file to the installation directory on the certificate host. For example:
    cp symc_cic_agent_2.0_linux_x64.tar.gz agent2
5. Extract the compressed file into the empty installation directory. For example:
    tar -xvzf symc_cic_agent_2.0_linux_x64.tar.gz

What's next?

Congratulations! You have successfully installed the agent software on the certificate host. The next step is to start the agent. See Starting the agent on page 56.

Installing a local automation agent on a Microsoft Windows host

This section describes how to install a local automation agent on a Microsoft Windows host.

To install a local automation agent on a Microsoft Windows host

1. Get the appropriate installer from CIC, or from a local network location provided by your CIC administrator. To get the file from CIC, open the Automation agents panel and click Add agent.
2. Make sure that you have the correct Administrator privileges for the certificate host.
3. Run the installer on the certificate host. Follow the on-screen instructions. By default, the installer stores the agent in a Program Files > Symantec > CIC Agent folder on the host.

Running the agent as a Microsoft Windows service

The agent is installed as a Microsoft Windows service and starts automatically. You can use the Start > All Programs > Symantec > CIC Agent menu to start, stop, and uninstall the agent, access the agent CLI directory, or view agent log files.

What's next?

Congratulations! You have successfully installed the agent software on the certificate host. After you make sure the agent has started, the next step is to activate data IP addresses for certificate automation. See Activating IP addresses for automation on page 56.

About local agent commands

Once the local agent is installed, you can use commands to start the agent and configure applications for certificate automation. Two versions of each local agent command exist: one for Linux hosts, one for Microsoft Windows hosts. Table 5-3 lists the agent CLI commands you use to start the agent and configure certificate automation.

Table 5-3 Agent CLI commands for certificate automation

Command: Linux: start.sh, Windows: start.bat
    Syntax: start.sh [-sensor ip-address:port-number] [-sensorlistfile filename]
            start.bat [-sensor ip-address:port-number] [-sensorlistfile filename]
    Description: Starts the local automation agent. Optionally, you can specify which sensors to communicate with. See Starting the agent on page 56. See Controlling how sensors are selected on page 63.

Command: Linux: activateips.sh, Windows: activateips.bat
    Syntax: activateips.sh [-file filename]
            activateips.bat [-file filename]
    Description: Activate data IP addresses for certificate automation. See Activating IP addresses for automation on page 56.

Command: Linux: configapplication.sh, Windows: configapplication.bat
    Syntax: configapplication.sh -ip ip-address -port port-number
            configapplication.bat -ip ip-address -port port-number
    Description: Configure credentials for an application that supports certificate automation. See Configuring credentials for an application on page 66.

Command: Linux: deleteconfiguration.sh, Windows: deleteconfiguration.bat
    Syntax: deleteconfiguration.sh -host ip-address -port port-number
            deleteconfiguration.bat -host ip-address -port port-number
    Description: Delete credentials for an application that supports certificate automation.

Command: Linux: restart.sh, Windows: restart.bat
    Syntax: restart.sh
            restart.bat
    Description: Stops and starts the local automation agent. See Restarting a local automation agent on page 62.

Command: Linux: stop.sh, Windows: stop.bat
    Syntax: stop.sh
            stop.bat
    Description: Stops the local automation agent. See Stopping a local automation agent on page 62.

Starting the agent

This section describes how to start a local automation agent on a Linux or Microsoft Windows host.

To start a local automation agent

1. Make sure that you have the correct superuser (root) or administrator privileges for the host where the local automation agent is installed.
2. To start the agent on Linux:
   - Navigate to install_dir.
     Where install_dir is the installation directory for the agent.
   - Run the start script.
      ./start.sh
3. On Windows, the agent is installed as a service and starts automatically. If you need to manually start the agent:
   - Open the Start > All Programs > Symantec > CIC Agent menu.
   - Select the Start Agent command.
4. The startup script displays a success message after the local automation agent has started. Full installation logs are written to install_dir/logs/agent.log. However, error messages display during installation if the local automation agent installation or startup fails. See About troubleshooting sensors and agents on page 103.

What's next?

Congratulations! You have successfully started the agent on the certificate host. The next step is to activate data IP addresses for certificate automation. See Activating IP addresses for automation on page 56.

Activating IP addresses for automation

A certificate host may have a single IP address or multiple IP addresses for certificate management. When you configure a local automation agent, you must specify the IP addresses you want to activate for certificate automation. Until you activate the IP address, you cannot automate certificate renewal or transfer on

the host machine. CIC automatically deducts an automation license for each IP address you activate.

To activate data IP addresses for automation:

1. Log in to the certificate host.
2. Navigate to the agent CLI directory.
   - On Linux, enter the following command:
      cd install_dir/cli
     Where install_dir is the installation directory for the agent.
   - On Windows, select Start > All Programs > Symantec > CIC Agent > Command Prompt.

3. Run the activateips command. For Linux, the command is activateips.sh. For Windows, the command is activateips.bat. For example (Linux command):
    ./activateips.sh
    Agent CLI. Copyright 2013, Symantec Corporation.
    Activate data IPs for certificate automation.
    To activate data IP addresses for certificate automation, enter each IP address separately below. To finish the list, press Return at the prompt (blank input). To activate all IP addresses found on the host, enter a (for all).
    Data IP addresses found
    Enter data IP address:
    Enter data IP address:
    Enter data IP address:
    Successfully activated data IP addresses for certificate automation.
    IMPORTANT: After you run this command, return to Manage Automation Agents in CIC. Verify that the certificate host appears and is configured.
4. Enter the IP addresses you want to activate. When you have finished entering IP addresses to activate, press Return at the prompt (blank input) to exit the command.

Note: If you add a new IP address to an automated host, remember to use the activateips command to activate certificate automation for the new address.

What's next?

Congratulations! You have successfully activated IP addresses for certificate automation. The next step is to make sure that the agent appears in CIC and no configuration errors are present. See Verifying a local agent configuration on page 60.

Activating IP addresses from a file

Instead of waiting for a prompt to enter each address individually, you can use a file to load IP addresses as a batch. This feature is useful if you have a large number of IP addresses to activate.

To load IP addresses from a file

1. Using a text editor (such as vi or notepad), create a plain text file that contains the IP addresses. For example:
    DATA_IP=
    DATA_IP=
2. Save the configuration file to a directory on the host where the agent is installed.
3. Run the activateips command to apply the configuration file.
   For Linux, the command syntax is:
    ./activateips.sh -file filename
   For Windows, the command syntax is:
    activateips.bat -file filename
   For example (Linux command):
    ./activateips.sh -file /home/hosts/list.ips
    Agent CLI. Copyright 2013, Symantec Corporation.
    Activate data IPs for certificate automation.
    Reading data IP addresses from /home/hosts/list.ips
    Successfully activated data IP addresses for certificate automation.
    IMPORTANT: After you run this command, return to Manage Automation Agents in CIC. Verify that the certificate host appears and is configured.

Verifying a local agent configuration

After you install and start a local agent, make sure that the agent appears in CIC and no configuration errors are present.

Figure 5-2 Successful configuration

To verify a local agent configuration

1. Sign in to CIC. Make sure that the IP address for the certificate host is included in the sensor's configuration. The sensor must scan the host IP addresses and discover the certificate before you can configure the certificate for automation.
2. Make sure that an automation license is enabled for the IP address.
3. Click Manage Automation. You should see the local agent host in the list of automation hosts. If the host is configured properly, a green Active icon appears next to the host name.
4. If configuration errors appear, follow the troubleshooting instructions in this guide to fix the problem. See Application configuration error messages on page 104.

What's next?

Congratulations! You have successfully installed an agent and activated certificates for automation. Now, you can review the rest of this chapter to learn more about agent CLI commands. Or, you can skip ahead to set up certificate renewal. See About renewing certificates on page 95.

Stopping and restarting a local automation agent

You can manually stop and start a local automation agent. This feature is helpful if you need to restart the agent to resolve technical problems such as sensor to agent communications. Also, you may need to temporarily stop all agent activity on the host device, or clear current agent activity.

Restarting a local automation agent

In some cases, a local automation agent may have technical problems (for example, communications issues with the sensor). To try to resolve these problems, you can restart the agent. The restart command stops the agent and then immediately starts the agent.

To manually restart an agent on Linux

1. Navigate to the following directory:
    install_dir/cli
   Where install_dir is the agent installation directory.
2. Run the restart command to stop, then restart the agent.
    ./restart.sh

To manually restart an agent on Windows

1. Open the Start > All Programs > Symantec > CIC Agent menu.
2. Select Command Prompt.
3. When the command window appears, run the restart command to stop, then restart the agent.
    restart.bat

Stopping a local automation agent

If you need to stop a local automation agent for an indefinite time, run the stop command.

To stop an agent on Linux

1. To stop an agent, navigate to the following directory:
    install_dir/cli
   Where install_dir is the agent installation directory.
2. Run the stop command to stop the agent.
    ./stop.sh

To stop an agent on Windows

1. Open the Start > All Programs > Symantec > CIC Agent menu.
2. Select Stop Agent.

Controlling how sensors are selected

When the agent starts, the agent searches for a sensor to use to communicate with the CIC cloud, manage certificates, and so on. By default, the agent refers to a list of sensors in the sensors.list file in the install_dir/config directory and tries to connect. If no sensor is reachable, the agent halts and displays an error message. You can use one of the following methods to control which sensors the agent selects.

To control sensor selection by specifying a sensor

To force the agent to select a specific sensor, start the agent with the following command:
    ./start.sh -sensor ip-address:http-port-number:https-port-number
Where ip-address:http-port-number:https-port-number indicates the IP address and HTTP, HTTPS port numbers of the sensor you want to manage the agent. For Linux, use start.sh. For Windows, use start.bat. For example (Linux command):
    ./start.sh -sensor :8080:8443

To control sensor selection with a list of sensors

1. Create a plain-text file with a list of sensors for the agent to select. For example:
    :8080:
    :8080:
    :8080:
2. Start the agent with the following command:
    ./start.sh -sensorslistfile filename
   Where filename is the path to a plain text file with a list of sensor IP addresses and port numbers. For Linux, use start.sh. For Windows, use start.bat.
3. If the sensors list file is available at a URL, start the agent with the following command:
    ./start.sh -sensorslistfileurl url-address
   Where url-address is the URL location of a plain text file with a list of sensor IP addresses and port numbers. For Linux, use start.sh. For Windows, use start.bat.

Configuring unknown server applications

In most cases, when you install an agent on a host machine, CIC automatically recognizes the supported applications running on the host. This information is listed on the Manage Automation Agents panel of CIC. In a few circumstances, CIC may not recognize an application running on the host. In this case, the server application is listed as Unknown. When a server application is unknown, you cannot configure automation for the certificates that are associated with that application. You can use CIC to help identify unknown server applications.

To configure an unknown application

1. Open the Manage Automation panel in CIC.
2. Locate the host that includes an unknown application.

3. Select the host, then open Server application details for the unknown application.
4. Use the Server type menu to set the server type. Use the Server software version menu to set the software version.
5. Click Update. Once a server application is properly identified, the server application status changes from Unknown to Configured. You can automate the certificates that are associated with that application.

Note: If you have a server application that is not listed on the menus, contact CIC Technical Support. Symantec plans to add support for more server applications in the near future.
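Two plain-text files described in this chapter steer what the agent does: the DATA_IP file passed to activateips (Activating IP addresses from a file), where each activated address deducts an automation license, and the sensor list passed to start.sh (Controlling how sensors are selected). The script below is an added example, not part of the Symantec guide or product, that checks both files before use. It assumes one entry per line; the allowlist file and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Symantec code: checks the two plain-text files the agent
# CLI reads. Assumption: one entry per line, no comments.

# in_range VALUE MIN MAX: VALUE is a plain decimal integer within [MIN, MAX].
in_range() {
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# is_ipv4 ADDR: dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() (
    case $1 in
        *.*.*.*.*) return 1 ;;   # more than three dots
        *.*.*.*) ;;
        *) return 1 ;;           # fewer than three dots
    esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    in_range "$a" 0 255 && in_range "$b" 0 255 &&
        in_range "$c" 0 255 && in_range "$d" 0 255
)

# check_sensor_list FILE [APPROVED]
# Every line must be ip:http-port:https-port. When APPROVED (a hypothetical
# allowlist in the same format) is given, every entry must also appear in it.
check_sensor_list() (
    file=$1 approved=${2:-} bad=0 n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        [ -n "$entry" ] || continue
        ip=${entry%%:*}; ports=${entry#*:}
        http=${ports%%:*}; https=${ports#*:}
        if [ "$ip:$http:$https" != "$entry" ] || ! is_ipv4 "$ip" ||
            ! in_range "$http" 1 65535 || ! in_range "$https" 1 65535; then
            echo "$file:$n: malformed entry '$entry'"
            bad=$((bad + 1))
        elif [ -n "$approved" ] && ! grep -qxF -- "$entry" "$approved"; then
            echo "$file:$n: '$entry' is not an approved sensor"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
)

# check_data_ips FILE
# Every line must be DATA_IP=<IPv4 address>. Prints findings, then the number
# of distinct addresses, which is the number of addresses to be activated.
check_data_ips() (
    file=$1 bad=0 n=0 count=0 seen=' '
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        ip=${line#DATA_IP=}
        if [ "DATA_IP=$ip" != "$line" ] || ! is_ipv4 "$ip"; then
            echo "$file:$n: expected DATA_IP=<IPv4 address>"
            bad=$((bad + 1))
        else
            case $seen in
                *" $ip "*) echo "$file:$n: duplicate $ip"; bad=$((bad + 1)) ;;
                *) seen="$seen$ip "; count=$((count + 1)) ;;
            esac
        fi
    done < "$file"
    echo "distinct addresses: $count"
    [ "$bad" -eq 0 ]
)

# Demo on constructed data (192.0.2.0/24 is a documentation address range).
demo=$(mktemp -d)
printf '%s\n' '192.0.2.21:8080:8443' '192.0.2.22:8080:8443' > "$demo/approved.list"
printf '%s\n' '192.0.2.21:8080:8443' '192.0.2.99:8080:8443' '192.0.2.22:8080' \
    > "$demo/sensors.list"
printf '%s\n' 'DATA_IP=192.0.2.31' 'DATA_IP=192.0.2.32' 'DATA_IP=192.0.2.31' \
    > "$demo/list.ips"
check_sensor_list "$demo/sensors.list" "$demo/approved.list" ||
    echo "do not start the agent with this sensor list"
check_data_ips "$demo/list.ips" || echo "fix list.ips before running activateips"
rm -rf "$demo"
```

When the sensor list is published at a URL, one option is to download it, run check_sensor_list against a locally held allowlist, and start the agent with the checked local copy.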

Configuring credentials for an application
In some cases, you may need to configure credentials for an application that supports certificate automation. For example, you may need to provide a passphrase to complete a configuration for the Apache HTTP server.

To enter the credentials
1 Log in to the agent host.
2 Navigate to the agent CLI directory. On Linux, enter the following command:
    cd install_dir/cli
  Where install_dir is the installation directory for the agent. On Windows, select Start > All Programs > Symantec > CIC Agent > Command Prompt.
3 Run the configapplication command. For Linux, the command is configapplication.sh. For Windows, the command is configapplication.bat. For example (Linux command):
    ./configapplication.sh -ip ip-address -port port-number
  When you enter the command, a series of prompts appears. At each prompt, enter the specific settings for your application, and press Return. For example:
    ./configapplication.sh
    Agent CLI. Copyright Symantec Corporation.
    Configure credentials for an application that supports certificate automation.
    Enter the target SSL IP address:
    Enter the target SSL port: 443
    Enter the private key passphrase:
    Confirm the passphrase:
    Credentials added successfully.

Uninstalling a local automation agent
Uninstall a local automation agent when it is no longer needed or if you plan to reinstall the agent.

To uninstall a local automation agent
1 Sign in to CIC.
2 Open the Manage Agent Hosts panel and locate the agent.
3 Click Void Agent to void the agent. Voiding an agent lets you reclaim any automation licenses associated with the agent.
4 To make sure that the local automation agent is stopped, run the stop command in the agent's CLI directory. For Linux, the command syntax is:
    ./stop.sh
  For Windows, select the StopAgent command from the Start > All Programs > Symantec > CIC Agent menu.
5 Delete the install_dir directory and all its contents.


Chapter 6 Configuring load balancers for agentless automation

This chapter includes the following topics:
About certificate automation on load balancers
Adding agentless settings
Adding agentless settings from a file
Listing agentless configuration settings
Activating data IP addresses for automation
Activating data IP addresses from a file
Listing high availability pairs
Adding a key password
Adding a key password from a file
Deleting a key password
Listing data IP addresses
Listing agents registered with a sensor
Verifying a load balancer configuration

About certificate automation on load balancers
To configure certificate automation on a load balancer, you do not need to install a local automation agent on the certificate host or on the load balancer host.

Instead, you can configure a sensor to remotely log in to the load balancer and manage the automation tasks remotely. This type of certificate automation control is called agentless automation, because a local automation agent is not required.

To set up agentless automation for load balancers, you need to specify login credentials and other information that enables remote login to the load balancer. The information varies, depending on the type of load balancer you want to access. Typically, this information includes login name, password, and management IP address. To enhance security, the credentials are encrypted and stored locally; they are not transported back to the Certificate Intelligence Center (CIC) cloud.

To specify the information, you have the following options:
You can use a CLI command on the sensor to enter login credentials and other configuration settings for the load balancer. The CLI provides instructions on the information you need to enter. This information is encrypted and stored with the sensor.
You can fill out a text-file template with configuration settings for your load balancer. Then, use a CLI command on the sensor to specify the pathname of this file.

Table 6-1 lists the sensor CLI commands you use to configure agentless automation.

Currently, CIC agentless configuration is supported for Citrix NetScaler and F5 Big-IP load balancers. For this configuration to work, the load balancer must host and serve the certificate. The SSL session must terminate on the load balancer, not on the individual certificate hosts.

Table 6-1 Sensor CLI commands for agentless automation

Command: addagentless.sh
Syntax: addagentless.sh -type (BIGIP | NETSCALER) [-file filename]
Description: Add or update login information and the other credentials that are needed for a load balancer. See Adding agentless settings on page 71. See Adding agentless settings from a file on page 74.

Command: listagentless.sh
Syntax: listagentless.sh
Description: List all the management IP addresses on the sensor that are configured for agentless automation. See Listing agentless configuration settings on page 76.

Table 6-1 Sensor CLI commands for agentless automation (continued)

Command: listhapairs.sh
Syntax: listhapairs.sh -ip ip-address
Description: List the high-availability pairs that are associated with a management IP address. See Listing high availability pairs on page 78.

Command: activateips.sh
Syntax: activateips.sh (-file filename) (-ip management-ip-address)
Description: Activate data IP addresses for certificate automation. See Activating data IP addresses for automation on page 76.

Command: addpempassword.sh
Syntax: addpempassword.sh [-file filename]
Description: Add or update a key password for a given data IP address and port combination. See Adding a key password on page 79.

Command: deletepempassword.sh
Syntax: deletepempassword.sh -ip ip-address -port port-number
Description: Delete a key password for a given data IP address and port combination. See Deleting a key password on page 81.

Command: listdataips.sh
Syntax: listdataips.sh [-ip management-ip-address]
Description: List all data IP addresses managed by a sensor, or list all data IP addresses associated with a given management IP address. See Listing data IP addresses on page 82.

Command: listagents.sh
Syntax: listagents.sh
Description: List all agents that are registered with a sensor. Command output includes information about each agent. See Listing agents registered with a sensor on page 83.

Adding agentless settings
To configure agentless automation for a load balancer, you need to provide login credentials and other configuration settings to the sensor.

To add agentless settings
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.

3 Enter the following:
    ./addagentless.sh -type (BIGIP | NETSCALER)
  Where -type specifies the type of load balancer you want to configure. When you enter the command, a series of prompts appears for each setting you need to enter. At each prompt, enter the specific settings for your load balancer and press Return. For example:
    addagentless.sh -type NETSCALER
    Sensor CLI. Copyright 2013, Symantec Corporation.
    Add or change login credentials and specify data IP addresses for certificate automation.
    Enter management IP address:
    Enter web protocol (http or https): https
    Enter web service username: nsroot
    Enter web service password:
    Confirm password:
    Enter SSH username: nsroot
    Enter SSH password:
    Confirm password:
    Enter SSH port: 22
    To activate data IP addresses for certificate automation, enter each IP address separately below, or run the standalone activateips.sh command. To finish the list, press Return at the prompt (blank input). To activate all IP addresses found, enter a (for all).
    Data IP addresses found
    Enter data IP address:
    Enter data IP address:
    Enter data IP address:
    Enter data IP address:
    Successfully added or changed agentless automation.
    HA pair peers are

    Management IP: (Primary)
    Management IP: (Secondary)
    The sensor may use any of these management IP addresses to perform certificate automation activities.

IMPORTANT: After you run this command, return to Manage Automation Agents in CIC. Verify that the certificate host appears and is configured.

The information you enter for a load balancer varies depending on which load balancer type you configure (BIGIP or NETSCALER). You can enter data IP addresses as part of this command, or use the separate activateips.sh command. See Table B-3 on page 115. See Table B-5 on page 116.

What's next
Congratulations! You have successfully configured a sensor and activated data IP addresses for agentless automation. The next step is to make sure that the configuration appears in CIC and no configuration errors are present. See Verifying a load balancer configuration on page 86.

Adding agentless settings from a file
Instead of waiting for a prompt to enter each setting individually, you can use a file to load settings as a batch.

To load agentless settings from a file
1 Using a text editor (such as vi), create a plain text file that contains the agentless configuration settings.
  For BIG-IP load balancers, the file should appear similar to the following:
    MANAGEMENT_IP=
    MANAGEMENT_PORT=443
    WEB_USERNAME=admin
    WEB_PASSWORD=admin
  For NetScaler load balancers, the file should appear similar to the following:
    MANAGEMENT_IP=
    WEB_PROTOCOL=http
    WEB_USERNAME=nsroot
    WEB_PASSWORD=nsroot
    SSH_USERNAME=nsroot
    SSH_PASSWORD=nsroot
    SSH_PORT=22
  Note: You must create a separate file for each set of configuration settings. You cannot combine settings into a single file.
  You can include data IP addresses as part of the configuration file. For example:
    MANAGEMENT_IP=
    MANAGEMENT_PORT=443
    WEB_USERNAME=nsroot
    WEB_PASSWORD=nsroot
    DATA_IP=
    DATA_IP=
    DATA_IP=
  Alternatively, you can use a separate activateips.sh command to specify the IP addresses.
2 Save the configuration file to a directory on the host where the sensor is installed.

3 Enter the following command to apply the configuration file.
    ./addagentless.sh -type (BIGIP | NETSCALER) -file path
  For example:
    ./addagentless.sh -type BIGIP -file /properties/bigip.cred

Listing agentless configuration settings
You can use a CLI command to discover which IP addresses are configured for agentless automation on a sensor.

To list agentless configurations:
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./listagentless.sh
  For example:
    ./listagentless.sh
    Management IP: Type: BIGIP Version:
    Management IP: Type: NETSCALER Version:
    Successfully listed all the Management IP addresses configured for this sensor.

Activating data IP addresses for automation
You can use a CLI command to activate data IP addresses for automation. Until you activate the load balancer's data IP addresses, you cannot automate certificate renewal or transfer.
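The settings files described under "Adding agentless settings from a file" hold the load balancer logins in cleartext until addagentless.sh imports them. The following pre-import check is an added example, not part of the Symantec guide or product: the function names, finding labels and the 192.0.2.10 sample address are constructed here, and the per-type key lists are an assumption copied from the guide's sample files.

```shell
#!/bin/sh
# Added example, not Symantec code. Lints a settings file before it is given to
#   ./addagentless.sh -type (BIGIP | NETSCALER) -file path
# Assumption: the key sets below are copied from this guide's sample files.

KEYS_BIGIP="MANAGEMENT_IP MANAGEMENT_PORT WEB_USERNAME WEB_PASSWORD"
KEYS_NETSCALER="MANAGEMENT_IP WEB_PROTOCOL WEB_USERNAME WEB_PASSWORD SSH_USERNAME SSH_PASSWORD SSH_PORT"
FINDINGS=""

add_finding() { FINDINGS="${FINDINGS}$1
"; }

# valid_port N: exit 0 when N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# write_sample_netscaler FILE: the guide's NetScaler sample, with a constructed
# documentation address (192.0.2.10) in place of the management IP.
write_sample_netscaler() {
    printf '%s\n' 'MANAGEMENT_IP=192.0.2.10' 'WEB_PROTOCOL=http' \
        'WEB_USERNAME=nsroot' 'WEB_PASSWORD=nsroot' \
        'SSH_USERNAME=nsroot' 'SSH_PASSWORD=nsroot' 'SSH_PORT=22' > "$1"
}

# check_agentless_file TYPE FILE
# Prints one finding per line. Exit 0 = clean, 1 = findings, 2 = usage error.
check_agentless_file() {
    lb_type=$1; file=$2; FINDINGS=""
    case "$lb_type" in
        BIGIP)     required=$KEYS_BIGIP ;;
        NETSCALER) required=$KEYS_NETSCALER ;;
        *) echo "usage: check_agentless_file BIGIP|NETSCALER FILE" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

    # The file carries cleartext passwords, so group and other need no access.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || add_finding "PERMS group/other bits set ($perms); use chmod 600"

    seen=" "; n=0; web_user=""; web_pass=""; ssh_user=""; ssh_pass=""
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); line=${line%"$cr"}          # tolerate CRLF line endings
        case "$line" in
            '') continue ;;
            *=*) key=${line%%=*}; val=${line#*=} ;;
            *) add_finding "SYNTAX line $n is not KEY=value"; continue ;;
        esac
        case " $required DATA_IP " in
            *" $key "*) ;;
            *) add_finding "UNKNOWN line $n: key '$key' is not used for $lb_type"; continue ;;
        esac
        if [ "$key" != DATA_IP ]; then            # only DATA_IP may repeat
            case "$seen" in *" $key "*) add_finding "DUPLICATE line $n: $key" ;; esac
            seen="$seen$key "
        fi
        [ -n "$val" ] || { add_finding "EMPTY line $n: $key has no value"; continue; }
        case "$key" in
            MANAGEMENT_PORT|SSH_PORT)
                valid_port "$val" || add_finding "VALUE line $n: $key is not a port number" ;;
            WEB_PROTOCOL)
                case "$val" in
                    https) ;;
                    http) add_finding "CLEARTEXT line $n: WEB_PROTOCOL=http does not encrypt the web service login" ;;
                    *) add_finding "VALUE line $n: WEB_PROTOCOL must be http or https" ;;
                esac ;;
            WEB_USERNAME) web_user=$val ;;
            WEB_PASSWORD) web_pass=$val ;;
            SSH_USERNAME) ssh_user=$val ;;
            SSH_PASSWORD) ssh_pass=$val ;;
        esac
    done < "$file"

    for key in $required; do
        case "$seen" in *" $key "*) ;; *) add_finding "MISSING $key" ;; esac
    done
    # The guide's samples set the password to the username (nsroot/nsroot, admin/admin).
    [ "$web_pass" != "$web_user" ] || [ -z "$web_pass" ] || add_finding "WEAK WEB_PASSWORD equals WEB_USERNAME"
    [ "$ssh_pass" != "$ssh_user" ] || [ -z "$ssh_pass" ] || add_finding "WEAK SSH_PASSWORD equals SSH_USERNAME"

    [ -z "$FINDINGS" ] && return 0
    printf '%s' "$FINDINGS"
    return 1
}
```

Call check_agentless_file with the load balancer type and the file path before applying the file. The guide states that the sensor encrypts and stores the credentials itself, so keeping the cleartext file on disk after a successful import is not something the guide requires (an inference from that statement, not a documented step).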

To activate data IP addresses for automation:
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./activateips.sh [-ip management-ip-address]
  Where management-ip-address is the management IP address of the load balancer you want to activate for agentless automation. For example:
    ./activateips.sh -ip
    Sensor CLI. Copyright 2013, Symantec Corporation.
    Activate data IP addresses for certificate automation.
    To activate data IP addresses for certificate automation, enter each IP address separately below. To finish the list, press Return at the prompt (blank input). To activate all IP addresses found, enter a (for all).
    Data IP addresses found
    Enter data IP address:
    Enter data IP address:
    Enter data IP address:
    Enter data IP address:
    Successfully activated data IP addresses for certificate automation.

IMPORTANT: After you run this command, return to Manage Automation Agents in CIC. Verify that the certificate host appears and is configured.

Activating data IP addresses from a file
Instead of waiting for a prompt to enter each data IP address individually, you can use a file to load data IP addresses as a batch.

To load data IP addresses from a file
1 Using a text editor (such as vi), create a plain text file that contains the data IP addresses and associated management IP address. For example:
    MANAGEMENT_IP=
    DATA_IP=
    DATA_IP=
    DATA_IP=
2 Save the configuration file to a directory on the host where the sensor is installed.
3 Enter the following command to apply the configuration file.
    ./activateips.sh -file filename
  For example:
    ./activateips.sh -file /home/hosts/list.ips
    Sensor CLI. Copyright 2013, Symantec Corporation.
    Activate data IP addresses for certificate automation.
    Reading data IP addresses from /home/hosts/list.ips
    Successfully activated data IP addresses for certificate automation.

IMPORTANT: After you run this command, return to Manage Automation Agents in CIC. Verify that the certificate host appears and is configured.

Listing high availability pairs
You can use a CLI command to discover which management IP addresses are configured for high-availability.

To list high availability pairs:
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./listhapairs.sh -ip ip-address
  Where ip-address is the management IP address of a load balancer that is configured for high availability. For example:
    listhapairs.sh -ip
    Sensor CLI. Copyright 2013, Symantec Corporation.
    List high availability pairs associated with a management IP address.
    Management IP: Status: Primary
    Management IP: Status: Secondary
    Management IP: Status: Unknown
  In this example, is the active management IP address and is the backup management IP address.

Adding a key password
In some cases, you may want to protect a key file (*.pem file) with a password. Use the addpempassword.sh command to add or update the password. When you assign a password, you must enter this password to access the key file.

To add a key password
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./addpempassword.sh [-file path]
  When you enter the command, a series of prompts appears. At each prompt, enter the required setup information and press Return. For example:
    addpempassword.sh
    Sensor CLI. Copyright 2013, Symantec Corporation.
    Add or update a key password.
    Enter data IP address:
    Enter data port: 443
    Enter PEM password: mypassword
    Confirm password:
    Successfully added PEM password

Adding a key password from a file
Instead of waiting for a prompt to enter setup information for a key password, you can use a file to load this information.

To set a key password from a file
1 Using a text editor (such as vi), create a plain text file that contains the password settings. For example:
    DATA_IP=
    DATA_PORT=443
    PEM_PASSWORD=mypassword
2 Save the configuration file to a directory on the host where the sensor is installed.
3 Enter the following command to apply the configuration file.
    ./addpempassword.sh [-file filename]
  For example:
    ./addpempassword.sh -file /properties/password.txt
    Successfully added PEM password.

Deleting a key password
Use the deletepempassword.sh command to delete a key password. When the password is deleted, you can access the key file without a password.

To delete a key password
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./deletepempassword.sh -ip data-ip-address -port data-port-number
  -ip data-ip-address: Data IP address that is associated with the key password you want to delete.
  -port data-port-number: Data port that is associated with the key password you want to delete.
  For example:
    ./deletepempassword.sh -ip port 443
    Sensor CLI. Copyright 2013, Symantec Corporation.
    Delete a key password.
    Successfully deleted PEM password.

Listing data IP addresses
To help review your network setup, you can list all data IP addresses managed by a sensor. You can also list all data IP addresses associated with a given management IP address.

To list all data IP addresses
1 Log in to the sensor host.
2 Navigate to the sensor CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.
3 Enter the following:
    ./listdataips.sh [-ip management-ip-address]
  Where management-ip-address is an optional management IP address. If you enter the listdataips.sh command without the -ip option, the command output includes all data IP addresses managed by the sensor. If you enter the command with the -ip option, only the data IP addresses associated with the management IP you specified are listed. For example:
    ./listdataips.sh -ip
    Sensor CLI. Copyright 2013, Symantec Corporation.
    List all management IP addresses configured for automation.
    IP: Port:443 Name:cda-console
    IP: Port:8443 Name:automation
    IP: Port:443 Name:mssl-test
    Successfully listed data ip addresses associated with management IP
  The command output includes the IP address, port number, and virtual server name (if any) associated with each data IP.

Listing agents registered with a sensor
To help review your network setup, you can list all the agents that are registered with a sensor.

To list all agents
1 Log in to the sensor host.
2 Navigate to the CLI directory.
    cd install_dir/cli
  Where install_dir is the installation directory for the sensor.

3 Enter the following:
    ./listagents.sh
  For example:
    ./listagents.sh
    Sensor CLI. Copyright 2013, Symantec Corporation.
    List all agents managed by the sensor.
    Agent ID: 1E8D38EE4628DEA1
    Agent host name: L P11
    Data IP addresses:
    Communications frequency: 30 seconds
    Lost communication threshold: 5
    Last communication time: 2013-APR-30 16:13:40 PST
    Agent ID: 1F9E49FF5739EFA0
    Agent host name: L P12
    Data IP addresses: , ,
    Communications frequency: 30 seconds
    Lost communication threshold: 10
    Last communication time: 2013-APR-28 4:55:12 PST
    Agent ID: 10AF5A00684AF0B2
    Agent host name: MGF-1012-LX1
    Data IP addresses:
    Communications frequency: 30 seconds
    Lost communication threshold: 5
    Last communication time: 2013-MAY-04 12:09:31 PST
    ...

Command output includes the following information for each agent registered:
Agent ID: Unique agent identifier (assigned by CIC)
Agent host name: Host where the agent resides
Data IP addresses: Comma-separated list of data IP addresses managed by the agent
Communications frequency: Frequency (in seconds) for agent-to-sensor communications (agent heartbeat)

Lost communication threshold: Number of agent communication heartbeats the sensor can miss before the agent status changes to "lost."
Last communication time: Last time the agent and the sensor have communicated successfully

Verifying a load balancer configuration
After you use the sensor CLI commands to configure a load balancer, make sure that the load balancer appears in CIC and no configuration errors are present. See Figure 6-1.

Figure 6-1 Successful configuration

To verify a load balancer configuration
1 Sign in to CIC. Make sure that the Management IP address for the load balancer is included in the scan list for a sensor. Give the sensor enough time to discover the certificates that are located on the load balancer.
2 Click Manage Automation. You should see the load balancer in the list of automation hosts. If the load balancer is configured properly, a green Active icon appears next to the host name.
3 If configuration errors appear, you must use the addagentless.sh command on the sensor host to make the necessary corrections.

What's next
Congratulations! You have successfully configured agentless automation on a sensor and activated certificates for automation. Now, you can review the other parts of this chapter to learn more about agentless automation commands. Or, you can skip ahead to set up certificate renewal. See About renewing certificates on page 95.


Chapter 7 Managing sensors and local automation agents

This chapter includes the following topics:
Managing sensors
Managing automation agents and hosts

Managing sensors
Sign in to Certificate Intelligence Center (CIC) to manage the sensor and configure scans. See Figure 7-1. You can manage a sensor any time after it has been added in CIC, even if it has not been installed yet. However, if the sensor is not installed and started, the sensor cannot perform any scans.

Figure 7-1 Using CIC to manage sensors

You can view and update the following sensor information. Sign in to CIC to learn more about these settings.
Edit profile. Change the sensor nickname and view details about the sensor.
Set IP addresses. Identify which IP addresses this sensor can scan.
Set software update settings. CIC can automatically update installed sensors when a new version of the sensor is available. Set whether CIC prompts you before the sensor is updated, or if the sensor is updated automatically.
View user access. View the user groups that can manage the sensor. Change the access privileges for this sensor's configuration settings. This setting does not affect a network administrator's ability to access the installed sensor software or virtual appliance.

Download installation files. Download the installation and license key files and view or download the installation documentation.
Suspend sensor. Temporarily stop a sensor from running certificate discovery scans. You can add new scans or modify existing scans on this sensor, but scans do not run while the sensor is suspended. A suspended sensor can be reinstated.
Void sensor. Permanently disable a sensor. Once a sensor is voided, you cannot modify the sensor or its associated scans, and no scans are run for this sensor. A voided sensor cannot be reinstated. Voiding a sensor does not remove the sensor software from the host where it was installed. To remove the sensor software, you must uninstall the sensor. See Uninstalling a sensor on page 46.
Set notifications. Configure how CIC sends notifications about sensors, such as errors that occurred during scans.
View sensor audit trail. View all operations that have been performed on this sensor.

Managing automation agents and hosts
Sign in to CIC to manage local automation agents, manage agentless automation, and configure automation on a host. See Figure 7-2.

Figure 7-2 Using CIC to manage automation agents

You can view and update the following information for automation hosts. Sign in to CIC to learn more about these settings.
Add automation agent. Download the agent installation files and view or download the installation documentation.
Edit profile. Change the nickname of the automation agent host and view details about the agent software and the agent host.

Automation configuration. View and check configuration information for applications running on the agent host. In addition to viewing the configuration status, you can set the application type and version number for unrecognized applications on the host.
Automation blockers. View and check this section to make sure no automation blockers exist.
Void automation agent. Permanently disable automation for a host. Once automation is disabled, certificates on the host cannot be configured for automatic renewal. Removing automation does not remove the agent software from the host where it was installed. To remove the agent software, you must uninstall the agent. See Uninstalling a local automation agent on page 67.
Set notifications. Configure how CIC sends notifications about automation setup and certificate renewal.
View audit trail. View all operations that have been performed on the automation host.
View certificates. View all certificates that are associated with the automation host.


Chapter 8 Setting up certificate renewal

This chapter includes the following topics:
About renewing certificates
About transferring certificates
Installing certificates on clusters
Retrieving a private key

About renewing certificates
Once the certificate host (or load balancer) is configured for automation, you can use Certificate Intelligence Center (CIC) to automatically generate and install certificates. This section provides a quick overview of the steps you take to renew a certificate. Sign in to CIC to learn more about these settings.

To renew a certificate
1 Use the Certificate Intelligence panel in CIC to monitor certificate status. When a certificate is ready for renewal, a Set up renewal request button appears next to the certificate.
2 Click Set up renewal request.

3 Follow the on-screen instructions to fill out the renewal request. When you fill out the renewal request, you can specify when the certificate signing request (CSR) is generated and when the certificate is installed. A certificate signing request is a message sent from an application to a certificate authority to apply for a digital identity certificate.
4 When the renewal request is complete, click Submit. CIC automatically generates the CSR and submits the request to Symantec's Managed PKI for SSL for processing. When approved, Managed PKI for SSL issues a new certificate. This certificate is returned to CIC for installation on the application host.

What's next?
Congratulations! You have successfully submitted a certificate renewal request. Now, you can review the rest of this chapter to learn more about certificate renewal and transfer. Or, you can sign on to CIC and monitor the renewal progress. To monitor renewal progress for a certificate, click the View details link in the Automation Status column.

About transferring certificates
You can also use certificate automation features to transfer a non-Symantec certificate into a Symantec certificate. See Figure 8-1.

Figure 8-1 Setting up certificate transfer

Installing certificates on clusters
In a cluster case, CIC discovers the same certificate on more than one IP address and port. When you replace certificates on a cluster, CIC can automatically generate the CSR, but you must manually install the private key and the certificate. After the CSR is generated and the request is approved, download the certificate, retrieve the private key, and manually install them. See Figure 8-2.

Figure 8-2 Choosing a private key location for a cluster

To install a new certificate on a cluster
1 Follow the standard certificate renewal process. See About renewing certificates on page
2 When you are prompted, download the certificate.
3 Retrieve the private key. See Retrieving a private key on page
4 After you download the certificate and retrieve the private key, follow the guidelines that are provided by your application to install the private key and the certificate on each host in the cluster.

When you have finished installing the private key and certificate, wait for a scheduled scan, or run a scan to verify that the certificate is installed and working correctly on each host.

Retrieving a private key
In some cases, you may need to retrieve a certificate's private key to complete a certificate installation. Instructions to retrieve the private key vary depending on your application.

Note: Private key retrieval is possible only when certificate installation has failed or has not been run. For example, in a cluster case, you must install certificates manually and retrieve the private key. In most situations, when a certificate installation is successful, CIC does not support (or require) private key retrieval.

To retrieve the private key (Apache HTTP servers)
1 Log in to the certificate host.
2 Navigate to the following directory:
    install_dir/cli
  Where install_dir is the agent installation directory.
3 Run the getprivatekey command. For Linux, the command syntax is:
    ./getprivatekey.sh -ip ip-address -port port-number
  For Windows, the command syntax is:
    getprivatekey.bat -ip ip-address -port port-number
  Where ip-address and port-number represent the host IP address and the port associated with the certificate. For example (Linux):
    ./getprivatekey.sh -ip port 443
    Key name is FA12C8.key. Use the Apache HTTP server instructions to install the certificate with this key.
  The key name is a unique key identifier generated automatically by CIC.

To retrieve the private key (Windows IIS)
1 Log in to the certificate host.
2 Navigate to the following directory:
    install_dir\cli
  Where install_dir is the agent installation directory.
3 Run the following command:
    getprivatekey.bat -ip ip-address -port port-number
  Where ip-address and port-number represent the host IP address and the port associated with the certificate. For example:
    getprivatekey.bat -ip port 443
    Key name is E9A1B7.key. Use the Microsoft IIS instructions to export the key.
  The key name is a unique key identifier generated automatically by CIC.

To retrieve the private key (Netscaler, BIG-IP load balancers)
1 Log in to the sensor host.
2 Navigate to the following directory:
    install_dir/cli
  Where install_dir is the sensor installation directory.
3 Run the following command:
    ./getprivatekey.sh -ip ip-address -port port-number
  Where ip-address and port-number represent the load balancer's management IP address and port. For example:
    ./getprivatekey.sh -ip port 443
    Key name is D8B2C6.key. Use the Citrix Netscaler or F5 BIG-IP instructions to install the certificate and private key.
  The key name is a unique key identifier generated automatically by CIC.

Chapter 9 Installation troubleshooting

This chapter includes the following topics:
- About troubleshooting sensors and agents
- Sensor installation error messages
- Application configuration error messages

About troubleshooting sensors and agents

If you encounter problems when installing sensors and agents for Certificate Intelligence Center (CIC), review these causes and solutions. Also review the error messages in the install_dir/logs/sensor.log file and in the install_dir/logs/agent.log file for additional details. If the problem persists, contact Symantec Technical Support.

Sensor installation error messages

Table 9-1 Sensor installation error messages

Message: Error: Cannot start the sensor.
Cause: Possible causes include:
  - The sensor cannot communicate with CIC.
  - Red Hat Enterprise Linux environment locale is not set to US.
Solution:
  - Make sure CIC has appropriate access to your network and the sensor.
  - Make sure that the Red Hat Enterprise Linux server environment locale is set to US.

Table 9-1 Sensor installation error messages (continued)

Message: The sensor did not start. The sensor is unable to find the host name.
Cause: The name of the sensor host cannot be resolved.
Solution: Make sure that the name of the sensor host is resolvable. For example, on Red Hat Enterprise Linux, make sure that the host name is added to /etc/hosts.

Message: The sensor is unable to acquire a lock: <reason for failure>
Cause: A lock prevents more than one sensor from being started on the same host.
Solution:
  - Verify that another instance of the sensor is not running.
  - Verify that the user has write permissions to install_dir/tmp.
  - Verify that there is no file named symccdasensor.lck in the /tmp folder. If the file exists, delete it.

Message: The sensor cannot be invoked multiple times.
Cause: The sensor software cannot be invoked more than once on the same system.
Solution: Contact Symantec Technical Support if this message appears even if another instance is not running.

Message: Error: The sensor cannot be started because of a package validation failure.
Cause: The sensor software cannot be validated. This situation can happen if the software has been tampered with, become corrupted, or if unauthorized modules have been introduced.
Solution: Verify that the contents of the install_dir have not been modified:
  - Untar symc_cic_sensor_2.0_x64.tar.gz into a different location.
  - Compare the results with the contents of install_dir.

Message: Error: The heartbeat URL, the communication URL, or the provisioning URL are not configured correctly.
Cause: The URLs are not configured correctly to the CIC Service in the license key file for this sensor.
Solution:
  - Verify that the system on which the sensor is to be installed has connectivity to the Internet.
  - Verify that the license.properties file has not been modified.

Application configuration error messages

Table 9-2 lists the errors that may occur during agent installation, application configuration, or certificate renewal.

Table 9-2 Application configuration error messages

Message: Missing or invalid application credentials.
Solution: On the sensor, run the addagentless.sh command to re-enter the load balancer credentials. If this retry fails, make sure that sensor-to-cloud communications work.

Message: Invalid web service credentials.
Solution: Web service connection settings for this application are not valid. On the sensor, run the addagentless.sh command to update the web service user name and password.

Message: Missing password.
Solution: On the sensor, run the addpempassword.sh command to add a key file password.

Message: Application configuration error.
Solution: The data IP address and port are not configured in the load balancer. Create a virtual server with the correct data IP address and port.

Message: Missing application.
Solution: Restart the application and run Check Configuration again.

Message: Missing configuration file.
Solution: Verify the location of the Apache httpd.conf file. Open the application host in CIC and specify the location in the Server information needed panel.

Message: Unsupported application.
Solution: Check the list of supported applications for CIC. See About application support on page 113.

Message: Unknown application.
Solution: Set the application type and version in CIC. If the error persists, contact Technical Support.

Message: Certificate error.
Solution: Run a scan to update certificate history. Retry certificate renewal.

Message: Cannot find certificate.
Solution: Run a certificate scan, then try to renew the certificate. If the error persists, contact Technical Support.

Message: Certificate mismatch.
Solution: Run a certificate scan, then try to renew the certificate. If the error persists, contact Technical Support.

Message: Key error.
Solution: Make sure the certificate's private key is present on the application host. Retry certificate renewal.

Message: Unsupported certificate type.
Solution: RSA-DSA certificate pair renewal is not supported. You must manually renew the certificate.

Message: Certificate installation error.
Solution: Try to manually install the certificate and the key file. If this retry fails, contact Technical Support.

Message: Communications error.
Solution:
  - Make sure that the HTTPS communications port is configured properly on the agent. Run Check Configuration again.
  - Make sure that the application server is running and the HTTPS communications port is configured. Retry certificate renewal.

Table 9-2 Application configuration error messages (continued)

Message: CSR generation error. Invalid key bit length.
Solution: Enter a valid bit length and regenerate the CSR. Key bit length can be 512, 1024, or

Message: CSR generation error.
Solution: Confirm CSR settings and re-generate the CSR. If the error persists, contact Technical Support.

Message: CSR generation error. Invalid key algorithm.
Solution: Enter a valid key algorithm: RSA-Private or RSA-Public. Regenerate the CSR.

Message: File system error.
Solution: Make sure an agent that is installed with administrator (superuser) permissions can read and edit the Apache certificate authentication directories. Also, make sure that these directories have enough disk space for updates.

Message: Missing IP address.
Solution: Make sure this data IP address is available on the load balancer and the IP address is activated for automation. If the error persists, contact Technical Support.

Message: Network error.
Solution: Make sure there is an active network connection between the sensor and the load balancer.

Message: Permissions error. Local automation agent.
Solution: Make sure the local automation agent that is associated with this application is installed with administrator (superuser) permissions.

Message: Permissions error. Apache configuration file
Solution: Make sure users with administrator (superuser) permissions can read and edit the Apache configuration file (httpd.conf).

Message: Permissions error. Sensor CLI commands.
Solution: Make sure users with administrator (superuser) permissions can run CLI commands on the sensor.

Message: Permissions error.
Solution: Make sure users with Admin/superuser permissions can read and edit the agent installation directory on the certificate host. If the error persists, contact Technical Support.

Message: Incomplete SSL configuration.
Solution: Make sure the SSL certificate file, key file, and chain file exist. Also, make sure that you have correctly configured their paths in the Apache httpd.conf file.

Message: Virtual host error.
Solution: CIC does not support applications running on named virtual hosts. Convert to an IP-based virtual host.
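The package validation entry in Table 9-1 says to untar symc_cic_sensor_2.0_x64.tar.gz into a different location and compare it with install_dir. The following added example (not Symantec code) automates that comparison. It assumes the archive's paths map directly onto install_dir (pass a third argument if the archive has a top-level directory) and that logs, tmp and automationdata hold runtime files.

```shell
#!/bin/sh
# Added example, not Symantec code. Compares a sensor install_dir with a
# fresh extraction of the original package, file by file (content only;
# permission changes are not detected).

# Directories under install_dir assumed to hold runtime data (based on the
# paths the guide mentions). Files found only there are not reported.
RUNTIME_DIRS=${RUNTIME_DIRS:-"logs tmp automationdata"}

is_runtime_path() {
    for d in $RUNTIME_DIRS; do
        case $1 in "$d"/*) return 0 ;; esac
    done
    return 1
}

# compare_trees PRISTINE_DIR INSTALL_DIR
# Prints MODIFIED/MISSING/EXTRA lines.
# Exit status: 0 = identical, 1 = findings, 2 = a directory is missing.
compare_trees() (
    pristine=$1
    installed=$2
    if [ ! -d "$pristine" ] || [ ! -d "$installed" ]; then
        echo "compare_trees: both arguments must be directories" >&2
        exit 2
    fi
    findings=$(
        # Every packaged file must exist and be byte-identical.
        (cd "$pristine" && find . -type f | sort) | while IFS= read -r rel; do
            rel=${rel#./}
            if [ ! -f "$installed/$rel" ]; then
                printf 'MISSING %s\n' "$rel"
            elif ! cmp -s "$pristine/$rel" "$installed/$rel"; then
                printf 'MODIFIED %s\n' "$rel"
            fi
        done
        # Files that exist only in install_dir may be unauthorized modules.
        (cd "$installed" && find . -type f | sort) | while IFS= read -r rel; do
            rel=${rel#./}
            if ! is_runtime_path "$rel" && [ ! -f "$pristine/$rel" ]; then
                printf 'EXTRA %s\n' "$rel"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)

# verify_against_tarball TARBALL INSTALL_DIR [SUBDIR_IN_ARCHIVE]
# Extracts into a throwaway directory, compares, and cleans up.
verify_against_tarball() (
    tarball=$1
    installed=$2
    subdir=${3:-.}
    workdir=$(mktemp -d) || exit 2
    rc=0
    if tar -xzf "$tarball" -C "$workdir"; then
        compare_trees "$workdir/$subdir" "$installed" || rc=$?
    else
        rc=2
    fi
    rm -rf "$workdir"
    exit "$rc"
)

# Command-line use: script.sh TARBALL INSTALL_DIR [SUBDIR_IN_ARCHIVE]
if [ "$#" -ge 2 ]; then
    verify_against_tarball "$@"
    exit $?
fi
```

Any MODIFIED, MISSING or EXTRA line is a reason to stop and investigate before restarting the sensor.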

Appendix A Using automation scripts

This appendix includes the following topics:
- About automation scripts
- Creating an automation script
- Naming and storing automation scripts
- Running automation scripts
- Example script

About automation scripts

In some cases, you may need to create a custom or personalized script to support certificate automation. For example, if you need to restart an application after CIC installs a new certificate, you can create a script to perform that task. Store your automation scripts under the user_scripts directory of the agent (or sensor) that manages the automation you want to script.

You can set scripts to run automatically at the following times:

Before or after CSR generation
    You can run scripts before CIC generates a CSR or after CIC generates a CSR.

Before or after certificate renewal
    After all the CSR scripts are run, you can run scripts before CIC installs a certificate on the host or after CIC installs a certificate.

For certificate automation with an Apache HTTP server or Microsoft IIS application, the scripts are run on the agent host machine. For certificate automation with a Citrix Netscaler or an F5 BIG-IP load balancer, the scripts are run on the sensor host machine.

Creating an automation script

The automation scripts you create must be compatible with the operating system running on the agent (or sensor) host. The scripts must also be compatible with the host application. For example, on a Linux host, you can use a *.sh shell script. On a Microsoft Windows host, you can use a *.bat file.

To create an automation script

1 Prepare a file that contains the script.
2 Log in to the host where you want to enable automation scripting. For local agent automation, log in to the agent host. For agentless automation, log in to the sensor host.
3 Copy the script file to the user_scripts directory of the agent (or sensor) you want to script.
  See Naming and storing automation scripts.
4 Make sure that the script file is executable. For example:
      chmod a+x renewcertpostscript.sh
5 Manually start the script and verify that it works correctly.

Naming and storing automation scripts

Use the following naming conventions when you create and store a custom script.

For Linux scripts:
    install_dir/automationdata/ip-address/port-number/user_scripts/purpose.sh

For Windows scripts:
    install_dir\automationdata\ip-address\port-number\user_scripts\purpose.bat

install_dir
    Sensor or agent installation directory. For the scripts that are associated with local automation, use the agent installation directory on the certificate host. For the scripts that are associated with agentless automation, use the sensor installation directory.

ip-address, port-number
    The application's IP address and port number.

purpose
    The script's purpose. For example, renewcertprescript.sh. Choices include:
    - csrgenprescript - Runs before CSR generation.
    - csrgenpostscript - Runs after CSR generation and before the CSR is submitted to Managed PKI for SSL.
    - renewcertprescript - Runs before the certificate installation procedure starts.
    - renewcertpostscript - Runs after certificate installation.

Running automation scripts

You can configure CIC to run scripts before certificate automation begins or after it finishes on a host.

To run automation scripts

1 Sign in to CIC and navigate to the Manage Automation Agents panel.
2 Locate the host and application you want to script.

3 Open Server application details and click the Scripts link. The scripts settings appear.
4 Make sure that scripts are Enabled. This setting is disabled by default. When scripts are enabled, all pre- and post-processing scripts run, even if certificate automation fails.
5 Click Update.

Example script

The following is an example of a small shell script to stop and then restart the Apache server after a certificate is installed.

    #!/bin/bash
    # Apache Process Monitor
    # Stop and Restart the Apache web server
    # Linux stop command
    STOP="/sbin/service httpd stop"
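An added example (not Symantec code) that audits the user_scripts directories of one agent or sensor against the Linux naming convention described under Naming and storing automation scripts. It assumes the scripts run with the rights of an agent installed with administrator (superuser) permissions, so a script or directory that group or others can write to is reported alongside unexpected names and missing execute bits.

```shell
#!/bin/sh
# Added example, not Symantec code. Audits CIC automation scripts stored as
#   install_dir/automationdata/<ip-address>/<port-number>/user_scripts/<purpose>.sh

# The four script purposes listed in the guide.
ALLOWED_PURPOSES="csrgenprescript csrgenpostscript renewcertprescript renewcertpostscript"

# True when the file or directory is writable by group or others.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# audit_user_scripts INSTALL_DIR
# Prints "<FINDING> <path relative to INSTALL_DIR>" lines.
# Exit status: 0 = clean, 1 = findings, 2 = no automationdata directory.
audit_user_scripts() (
    install_dir=${1%/}
    if [ ! -d "$install_dir/automationdata" ]; then
        echo "no automationdata directory under $install_dir" >&2
        exit 2
    fi
    findings=$(
        for dir in "$install_dir"/automationdata/*/*/user_scripts; do
            [ -d "$dir" ] || continue
            # A writable directory lets another account swap a script out.
            if writable_by_others "$dir"; then
                printf 'DIR_WRITABLE_BY_OTHERS %s\n' "${dir#"$install_dir"/}"
            fi
            for f in "$dir"/*; do
                [ -f "$f" ] || continue
                rel=${f#"$install_dir"/}
                known=no
                for p in $ALLOWED_PURPOSES; do
                    if [ "${f##*/}" = "$p.sh" ]; then known=yes; fi
                done
                if [ "$known" = no ]; then
                    printf 'UNEXPECTED_NAME %s\n' "$rel"
                fi
                if [ ! -x "$f" ]; then
                    printf 'NOT_EXECUTABLE %s\n' "$rel"
                fi
                if writable_by_others "$f"; then
                    printf 'WRITABLE_BY_OTHERS %s\n' "$rel"
                fi
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)

# Command-line use: script.sh INSTALL_DIR
if [ "$#" -ge 1 ]; then
    audit_user_scripts "$1"
    exit $?
fi
```

Note that `chmod a+x` only adds execute bits; a script created under a permissive umask can still be group-writable, which is what WRITABLE_BY_OTHERS reports.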
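Because enabled scripts run even if certificate automation fails, a post-renewal script should check the Apache configuration before it stops the server. The following is an added example, not Symantec's script: STOP is the command shown in the guide, while the configtest and start commands are assumed to be the matching actions of the Red Hat httpd init script.

```shell
#!/bin/sh
# renewcertpostscript.sh: post-renewal hook for an Apache host.
# Added example, not Symantec's script.

# Commands can be overridden through the environment for a dry run.
# STOP comes from the guide; CONFIGTEST and START are assumptions.
: "${CONFIGTEST:=/sbin/service httpd configtest}"
: "${STOP:=/sbin/service httpd stop}"
: "${START:=/sbin/service httpd start}"

# restart_if_config_valid
# Return codes:
#   0  Apache was stopped and started again
#   1  configtest failed; the running server was not touched
#   2  the stop command failed
#   3  the start command failed after a successful stop (server is down)
restart_if_config_valid() {
    if ! $CONFIGTEST >/dev/null 2>&1; then
        echo "configtest failed; leaving the running server untouched" >&2
        return 1
    fi
    if ! $STOP; then
        echo "stop command failed" >&2
        return 2
    fi
    if ! $START; then
        echo "start command failed; Apache is down" >&2
        return 3
    fi
    return 0
}

# Act only when the file is installed under the hook name from the guide,
# so the functions can be loaded and exercised under any other file name.
case ${0##*/} in
    renewcertpostscript.sh)
        restart_if_config_valid
        exit $?
        ;;
esac
```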


More information

Veritas Disaster Recovery Advisor Release Notes

Veritas Disaster Recovery Advisor Release Notes Veritas Disaster Recovery Advisor Release Notes AIX, ESX, HP-UX, Linux, Solaris, Windows Server 6.0 2 Veritas Disaster Recovery Advisor Release Notes Legal Notice Copyright 2012 Symantec Corporation. All

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux Veritas Storage Foundation and High Availability Solutions 6.0.4 Getting Started Guide - Linux September 2013 Veritas Storage Foundation and High Availability Solutions Getting Started Guide The software

More information

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO Veritas Desktop and Laptop Option 9.2 High Availability (HA) with DLO 2 Veritas Desktop and Laptop Option The software described in this document is furnished under a license agreement and may be used

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Symantec NetBackup Plug-in for VMware vsphere Web Client Guide. Release 7.6.1

Symantec NetBackup Plug-in for VMware vsphere Web Client Guide. Release 7.6.1 Symantec NetBackup Plug-in for VMware vsphere Web Client Guide Release 7.6.1 NetBackup Plug-in for VMware vsphere Web Client Guide Documentation version: 7.6.1 Legal Notice Copyright 2015 Symantec Corporation.

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.7 Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Documentation version: 7.7 Legal Notice Copyright

More information

Veritas NetBackup for SQLite Administrator's Guide

Veritas NetBackup for SQLite Administrator's Guide Veritas NetBackup for SQLite Administrator's Guide Windows and Linux Release 8.1.1 Documentation version: 8.1.1 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the

More information

Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0. Release for Symantec ESM 6.5.x and 9.

Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0. Release for Symantec ESM 6.5.x and 9. Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0 Release for Symantec ESM 6.5.x and 9.0 for Windows Symantec Enterprise Security Manager Modules for IBM DB2

More information

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies

More information

Symantec Disaster Recovery Advisor Release Notes

Symantec Disaster Recovery Advisor Release Notes Symantec Disaster Recovery Advisor Release Notes AIX, ESX, HP-UX, Linux, Solaris, Windows Server 6.2 2 Symantec Disaster Recovery Advisor Release Notes The software described in this book is furnished

More information

Symantec Enterprise Vault Technical Note

Symantec Enterprise Vault Technical Note Symantec Enterprise Vault Technical Note Troubleshooting OWA Extensions 8.0 Symantec Information Foundation Symantec Enterprise Vault: Troubleshooting OWA Extensions The software described in this book

More information

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Documentation version: 14.0b Legal Notice Copyright 2015 Symantec Corporation.

More information

About Symantec Encryption Management Server

About Symantec Encryption Management Server Symantec Encryption Management Server Version 3.3.0 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this

More information

Security Content Update Release Notes. Versions: CCS 11.1.x and CCS 11.5.x

Security Content Update Release Notes. Versions: CCS 11.1.x and CCS 11.5.x Security Content Update 2017-1 Release Notes Versions: CCS 11.1.x and CCS 11.5.x SCU 2017-1 Release Notes for CCS 11.1.x and CCS 11.5.x Legal Notice Copyright 2017 Symantec Corporation. All rights reserved.

More information

Symantec Network Access Control Linux Agent User Guide

Symantec Network Access Control Linux Agent User Guide Symantec Network Access Control 5.1.7 Linux Agent User Guide Symantec Network Access Control 5.1.7 Linux Agent User Guide The software described in this book is furnished under a license agreement and

More information

Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide

Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault PST Migration 11.0 Symantec Enterprise Vault: PST Migration The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution Symantec Managed PKI Integration Guide for AirWatch MDM Solution ii Symantec Managed PKI Integration Guide for AirWatch MDM Solution The software described in this book is furnished under a license agreement

More information

Symantec ServiceDesk 7.1 SP2 Portal User Guide

Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Protection Engine for Cloud Services 7.9 Sizing Guide

Symantec Protection Engine for Cloud Services 7.9 Sizing Guide Symantec Protection Engine for Cloud Services 7.9 Sizing Guide Symantec Protection Engine for Cloud Services Sizing Guide The software described in this book is furnished under a license agreement and

More information

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Documentation version:

More information

Partner Information. Integration Overview. Remote Access Integration Architecture

Partner Information. Integration Overview. Remote Access Integration Architecture Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration OTP Barracuda Networks Barracuda SSL VPN User Name + Security Code VIP Enterprise

More information

Symantec LiveUpdate Administrator 2.3 User's Guide

Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec NetBackup PureDisk Storage Pool Installation Guide

Symantec NetBackup PureDisk Storage Pool Installation Guide Symantec NetBackup PureDisk Storage Pool Installation Guide Windows, Linux, and UNIX Release 665 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Symantec NetBackup OpsCenter 7.6 Performance

Symantec NetBackup OpsCenter 7.6 Performance Symantec NetBackup OpsCenter 7.6 Performance and Tuning Guide Windows and UNIX Release 7.6 Symantec NetBackup OpsCenter Performance and Tuning Guide Documentation version: 7.6 PN: Legal Notice Copyright

More information

Symantec Brightmail Gateway 9.0 Getting Started

Symantec Brightmail Gateway 9.0 Getting Started Symantec Brightmail Gateway 9.0 Getting Started 20961949 Symantec Brightmail Gateway 9.0 Getting Started The software described in this book is furnished under a license agreement and may be used only

More information

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning User's Guide 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning The software described in this book is furnished

More information

Wise Mobile Device Package Editor Reference

Wise Mobile Device Package Editor Reference Wise Mobile Device Package Editor Reference Mobile Device Package Editor The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Veritas Dynamic Multi-Pathing for Windows Release Notes

Veritas Dynamic Multi-Pathing for Windows Release Notes Veritas Dynamic Multi-Pathing for Windows Release Notes Windows Server 2003, Windows Server 2008 5.1 Veritas Dynamic Multi-Pathing for Windows Release Notes The software described in this book is furnished

More information

Symantec High Availability Solutions Guide for VMware

Symantec High Availability Solutions Guide for VMware Symantec High Availability Solutions Guide for VMware Windows Server 2008 (x64), Windows Server 2008 R2 (x64) 6.0.1 September 2012 Symantec High Availability Solution Installation and Configuration Guide

More information

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of

More information

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.

More information

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 March 2012 Symantec ApplicationHA Agent for Microsoft

More information

Veritas NetBackup Appliance Security Guide

Veritas NetBackup Appliance Security Guide Veritas NetBackup Appliance Security Guide Release 2.7.2 NetBackup 52xx and 5330 Veritas NetBackup Appliance Security Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies

More information