2 Replies Latest reply on Nov 13, 2014 2:32 PM by davidg5700

    9.6 Best way to ensure cert brokering?

    davidg5700 Specialist

      I am going to be migrating my existing environment from 9.5 over to 9.6 and want to ensure that all agents have the CSA cert installed. I have read up on the configbroker and LNG file method, but my reading is that it is primarily for a self-contained exe agent installation for out-of-band cert brokering.


      My plan is to discover agents in the 9.6 environment and push the new agent to the discovered machines. This, by nature, will happen in band, so the configbroker method would not kick off. Would it just be a simple matter of adding an EXEC#=%DEST%\brokerconfig.exe /r in the agent INI file after the Adaptive Settings section?


      Another consideration is that I will be pointing the 9.6 agents to the same CSA as the 9.5 agents, and most agents will have the CSA cert. Is there any sort of stamping process that the 9.6 brokering does to the cert, or will the cert put there from the 9.5 suffice?


      Thanks for your help.

        • 1. Re: 9.6 Best way to ensure cert brokering?

          Hi there David,

          The idea of using a self-contained executable comes from the necessity to deploy an agent and retrieve the certificate for devices outside the network.

          The method also works for agents you are pushing or installing with other methods, as long as you include the lng file in the agent configuration and you leave it available on the core.


          However, for clients that are directly connected to the Core, a simple execution of brokerconfig.exe -r should be enough.


          You can have your clients run the command in several ways; however, there is a script already available that you can use to schedule this operation on the clients you want.
          In Management Suite 9.6 it's in Tools > Distribution > Manage Scripts and it's called Create Management gateway Client Certificate.


          Last, if the certificate is already there from a 9.5 agent, if the upgrade process doesn't remove it (and this depends on which way you are upgrading your agents), it should be good enough for your 9.6 agents as well, provided that your 9.6 Core will use the same certificate as your old 9.5.


          My recommendation would be to first test all these scenarios on a selected number of clients and verify that your processes are going to produce the desired outcome, and only after that move forward and roll out your new LANDESK Agent.


          Hope this helps


          • 2. Re: 9.6 Best way to ensure cert brokering?
            davidg5700 Specialist



            I ran a couple of machines through the transition process I plan on using in production and the certificates were retained. My plan is to discover devices in 9.6 and then push the agent to them.


            For new machines, it should be fairly simple to add the brokerconfig as an action in the provisioning template after the agent has been configured.


            There will be times when the self-contained agent install will be needed, but those will be few and far between, so I'll deal with that later.


            Thanks for the information.