Certificate-Based Agent Authentication

You can enable tighter control over how the ControlUp Agent communicates with the ControlUp Console and ControlUp Monitors.

The procedure below prevents other machines from accessing the agent unless they have been authorized with a signing certificate.

You can read more about ControlUp Agent Security Best Practices and different configuration options.

Prerequisites

  • ControlUp version 8.1.5.649 or higher
  • *.PFX certificate (referred to as the private key)
  • *.CER certificate (referred to as the public key)
  • GPO template to deploy the settings on the agent side. 
    Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

Create the Certificates

You should assign a trustworthy member in your organization as the certificate authority administrator. This administrator should provide the public key and private key certificates.

When creating the certificates, consider the following:

  • The Common Name of the certificate can be modified.
  • We recommend using Windows IIS to issue the client-side certificate.
  • Supported key sizes are 2048 and 4096 bits, which are the most common.
  • When a certificate is created, an expiration date is set with it. Keep this date in mind for future renewals.
  • When renewing the certificate, the thumbprint must be replaced in the GPO deployed to the agents and also on the monitor/console machines.

Configure the ControlUp Console and Monitor Machines

You have to complete these steps for every machine or location running the ControlUp Console and the ControlUp Monitor.

Apply Private Key Certificate to the Machines Running the ControlUp Console and Monitors

  1. Ensure the private key (.pfx file) you created is copied onto the machines running the ControlUp Console and Monitors, and that you have the password for the certificate stored in this file.
  2. Access the directory with the private key and double-click the .pfx file. The Windows Certificate Import Wizard opens.
    (Screenshot: CertImportWizard.png)
  3. Select Local Machine and click Next.
    Note: You can select the Current User option if you want to require a certificate for each user separately for this console.
  4. Confirm that the selected .pfx file is correct and click Next.
    (Screenshot: CertImportWizardConfirm.png)
  5. Enter the private key password and click Next.
  6. Store the certificate. Select Place all certificates in the following store and click Browse to select the Personal store. Click Next.
    (Screenshot: CertImportWizardStore.png)
  7. In the next window, click Finish. The Certificate Import Wizard confirms that the import was successful.
    (Screenshot: CertImportWizardSuccess.png)

Configure Registry Key on the ControlUp Console and Monitor Machines

For the console and monitors to start using a client-side certificate, a registry configuration is required. The registry can be configured under either the HKCU or HKLM hive for the console, and under HKLM for the monitors. Each hive corresponds to the matching certificate store: HKCU to the Current User store and HKLM to the Local Machine store.

Once you complete creating this registry key, you can export it to be used on any other ControlUp Console machines and the ControlUp Monitor machines.

  1. On the console machine, open the Registry Editor and go to: HKLM\SOFTWARE\Smart-X\ControlUp\ClientCert
    Missing keys must be created manually.

  2. Create a DWORD value named Enabled and assign it the value of 1.

  3. Create a string value (REG_SZ) named Thumbprint and assign it the Thumbprint value of the private key certificate.
    You can find the Thumbprint of the private key certificate as follows.

      1. Open the Microsoft Management Console (mmc).
      2. Choose File > Add/Remove Snap-in.
      3. Select Certificates from the Available Snap-ins list and click Add > so that it appears in the Selected Snap-ins list.
      4. When prompted, select Computer account, click Next, and then click Finish.
      5. Click OK to close the Add or Remove Snap-ins window.
      6. Open the Certificates item and go to Personal > Certificates.
      7. Locate the certificate you imported from the .pfx file. Double-click it and open the Details tab.
        The Thumbprint field is shown in the list as follows: (Screenshot: CertificateThumbprint.png)
      8. Select the Thumbprint field. In the details box, select the thumbprint value and copy it into a Unicode-aware text editor such as Notepad++.
        Note: If the sequence is not maintained as Unicode, it may not work when added to the registry key.
      9. Copy the Thumbprint value into the registry value you created above. It should look like this: (Screenshot: RegKeyThumbprint.png)

Once you have completed this stage of the procedure, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
(Screenshot: ConsoleCertificateIcon.png)
Repeat this for every machine running the ControlUp Real-Time Console. You can export the registry configuration and import it on the other machines running the console and the monitors.

Add Network Service to the ControlUp Monitor Machine Private Key

All the machines running ControlUp Monitors in your environment must also have this private key certificate file and the registry key you created above.

Additionally, you must add the Network Service account to the Security list of the certificate's private key on the monitor machines, because the ControlUp Monitor service runs in the context of the Network Service account.

  1. Open the Microsoft Management Console (mmc).
  2. Open the Certificates item and go to Personal > Certificates.
  3. Right-click the private key certificate you applied to this machine per the above procedure. Select All Tasks > Manage Private Keys... (Screenshot: ManagePrivateKeys.png)
  4. Add the Network Service to the Security list, allowing Full Control (default option). (Screenshot: NetworkService.png)
  5. Restart the monitor machine.
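The three console/monitor steps above (import the .pfx into Local Machine > Personal, write the ClientCert registry values, and grant Network Service access to the private key on monitors) can be scripted for repeatable rollout. The script below is an added example written for this article, not a ControlUp tool; it assumes you supply the .pfx path and password, and the -IsMonitor switch is this example's own parameter name. It takes the thumbprint from the imported certificate object rather than from a copy-pasted string, which sidesteps the Unicode copy problem noted above, and it grants Network Service Read access to the key file instead of the wizard's Full Control default, since Read is enough for the service to sign with the key. Run it from an elevated PowerShell session on each console or monitor machine.

```powershell
<#
  Added example (not ControlUp's own script). Imports the private-key .pfx,
  writes HKLM\SOFTWARE\Smart-X\ControlUp\ClientCert, and on monitor machines
  grants NETWORK SERVICE read access to the private key file.
  Assumed inputs: -PfxPath, -PfxPassword (SecureString); -IsMonitor is this
  example's own switch.
#>
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [switch] $IsMonitor
)
$ErrorActionPreference = 'Stop'

# Step 1: import the private key certificate into the Local Machine "Personal"
# store (Cert:\LocalMachine\My), the store chosen in the import wizard above.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key: $PfxPath" }

# The thumbprint on the store object is plain upper-case hex, so no invisible
# characters can be carried along as they can when copying from the MMC Details pane.
$thumbprint = $cert.Thumbprint
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Unexpected thumbprint: '$thumbprint'" }

# Step 2: Enabled=1 (DWORD) and Thumbprint (REG_SZ) under the ClientCert key.
$regPath = 'HKLM:\SOFTWARE\Smart-X\ControlUp\ClientCert'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Enabled'    -PropertyType DWord  -Value 1           -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Thumbprint' -PropertyType String -Value $thumbprint -Force | Out-Null

# Step 3 (monitors only): the ControlUp Monitor service runs as NETWORK SERVICE,
# so that account must be able to read the private key file. Read is sufficient
# to use the key for signing; Full Control (the wizard default) is broader than needed.
if ($IsMonitor) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key container: %ProgramData%\Microsoft\Crypto\Keys\<unique name>
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key container: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<unique name>
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

    & icacls.exe $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

Write-Host "ClientCert configured with thumbprint $thumbprint"
Write-Host "Restart the ControlUp Console (or the monitor machine) for the change to take effect."
```

Usage on a monitor: `.\Set-ControlUpClientCert.ps1 -PfxPath C:\certs\controlup-client.pfx -PfxPassword (Read-Host -AsSecureString) -IsMonitor`. For a per-user console configuration (the Current User option mentioned above), the same values would go under HKCU and the certificate under Cert:\CurrentUser\My, and the Network Service step does not apply.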

Verify the Certificate on the ControlUp Monitor Machines

The ControlUp Console machines can be verified directly in the console UI as described above. The machines running the ControlUp Monitors can also be verified by checking in the Registry Editor that the keys were imported to the machine and include the following: (Screenshot: RegKeyThumbprint.png)

If you want to verify the communication to the monitor machine with a certificate, you can use a tool like log4net. Within the data the log supplies, you should see the following among the log lines:

Client certificate read
Enabled=True Thumbprint=<thumbprint value> key=HKEY_LOCAL_MACHINE
Applying client certificate found on HKLM
Client certificate was loaded

Note: To stop the logging, stop the monitor service and remove the file that creates the logs (e.g. log4net). 
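Beyond reading the log lines, you can check ahead of time whether the monitor or console will be able to load the certificate at all: the registry values must exist, Enabled must be 1, the Thumbprint must be exactly 40 hexadecimal characters (the Unicode copy-paste problem noted earlier typically shows up as a hidden control character at the start of the value), and a certificate with that thumbprint must be present in the matching store with its private key and not expired. The script below is an added example, not a ControlUp tool; its -Hive parameter is this example's own and selects HKLM (monitors, or a machine-wide console) or HKCU (a per-user console).

```powershell
# Added example (not ControlUp's own tooling): verifies that the ClientCert
# registry values and the certificate store agree, which is the precondition
# for the "Client certificate was loaded" log lines above.
param(
    [ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM'   # example's own parameter
)

$regPath   = "${Hive}:\SOFTWARE\Smart-X\ControlUp\ClientCert"
$storePath = if ($Hive -eq 'HKLM') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
$problems  = New-Object System.Collections.Generic.List[string]

$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if (-not $reg) {
    $problems.Add("Registry key $regPath does not exist")
} else {
    if ($reg.Enabled -ne 1) { $problems.Add("Enabled is '$($reg.Enabled)', expected 1") }

    $raw = [string]$reg.Thumbprint
    # Reject anything that is not 40 hex digits. Dumping the UTF-16 code units makes a
    # pasted invisible character (or a stray space) obvious in the report.
    if ($raw -notmatch '^[0-9A-Fa-f]{40}$') {
        $codes = ($raw.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
        $problems.Add("Thumbprint is not 40 hex characters (UTF-16 code units: $codes)")
    } else {
        $cert = Get-ChildItem -Path $storePath | Where-Object { $_.Thumbprint -eq $raw.ToUpper() }
        if (-not $cert) {
            $problems.Add("No certificate with thumbprint $raw in $storePath")
        } else {
            if (-not $cert.HasPrivateKey) { $problems.Add("Certificate $raw has no private key in $storePath") }
            if ($cert.NotAfter -lt (Get-Date)) {
                $problems.Add("Certificate $raw expired on $($cert.NotAfter)")
            } elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                # Renewal means replacing the thumbprint on every console, monitor and agent GPO.
                Write-Warning "Certificate $raw expires on $($cert.NotAfter); plan the thumbprint rollover"
            }
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $regPath points at a valid private key certificate in $storePath"
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }
exit 1
```

The script exits non-zero when anything is wrong, so it can be run from a monitoring job or a deployment pipeline after the registry export is imported on a new machine. It does not check the private key's ACL for Network Service; if all of the above passes on a monitor and the log still does not show the certificate being loaded, the Manage Private Keys step above is the next thing to revisit.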

Configure the ControlUp Agent Machines

We recommend deploying the agent certificate and registry values via a GPO. The steps below describe how to install the certificate and registry values manually for testing purposes. 

Both the manual setup and the GPO deployment require the public key (the *.cer file). Each certificate should be stored in the Trusted Publishers certificate store of the Local Machine in scope.

The ControlUp Agent supports multiple trusted certificates that can identify authorized consoles and monitors.

Apply Public Key Certificate Manually to the Machines Running the ControlUp Agent

  1. Copy the public key certificate file (.cer) to a directory on the machine running the ControlUp Agent.
  2. On the agent machine, right-click the file and select Install Certificate. The Certificate Import Wizard opens.
    (Screenshot: CertImportWizard.png)
  3. Select Local Machine and click Next.
  4. Select Place all certificates in the following store.
  5. Click Browse to select the Trusted Publishers store and click Next. (Screenshot: AgentTrustedPublisher.png)
  6. Click Finish. The Certificate Import Wizard confirms that the import was successful. (Screenshot: CertImportWizardSuccess.png)

Configure Registry Key on the ControlUp Agent Machine

For the agent to start enforcing client-side certificate identification, a registry configuration is required. The registry key should be configured under the HKLM registry hive. This configuration can be part of a GPO.
Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

Here is the manual procedure you can use for testing.

  1. Open the Registry Editor and go to: HKLM\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients
    Missing keys must be created manually.
  2. Create a DWORD value named Enabled and assign it the value of 1.

  3. Create a Multi-String value (REG_MULTI_SZ) named Certificates. This value must contain the thumbprints of all of the trusted certificates.
    The added value should look something like this:
    (Screenshot: RegEdAgentConfirm.png)
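The agent-side steps (import the .cer into Local Machine > Trusted Publishers, then write Enabled and the Certificates multi-string under TrustedClients) can be scripted the same way for testing before the settings go into the GPO. The script below is an added example, not a ControlUp tool; its -CerPath parameter name is its own. It accepts several .cer files and merges their thumbprints with whatever is already listed, which is how you roll in a renewed console certificate without dropping the monitors' certificate that is still in use, and it refuses a file that carries a private key, since only the public key belongs on agent machines. Run it from an elevated PowerShell session on the agent machine.

```powershell
# Added example (not ControlUp's own script): trusts one or more console/monitor
# public keys on an agent machine and writes the TrustedClients registry values.
# Assumed input: -CerPath, one or more .cer files (this example's own parameter).
param(
    [Parameter(Mandatory)] [string[]] $CerPath
)
$ErrorActionPreference = 'Stop'

$storePath = 'Cert:\LocalMachine\TrustedPublisher'
$regPath   = 'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients'

# Steps 1-6 above: import each public key into the Local Machine Trusted Publishers store.
$imported = foreach ($path in $CerPath) {
    $cert = Import-Certificate -FilePath $path -CertStoreLocation $storePath
    if ($cert.HasPrivateKey) {
        # A .cer carries only the public key; a private key here means the .pfx
        # was copied to the agent machine by mistake.
        throw "$path contains a private key; only the public .cer belongs on agent machines"
    }
    $cert.Thumbprint
}

# Registry steps: Enabled=1 (DWORD) and Certificates (REG_MULTI_SZ) holding every
# trusted thumbprint. Merge with the existing list so adding a renewed certificate
# does not drop the ones still in use.
New-Item -Path $regPath -Force | Out-Null
$existing = @((Get-ItemProperty -Path $regPath -Name 'Certificates' -ErrorAction SilentlyContinue).Certificates)
$all = @($existing + $imported | Where-Object { $_ } | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique)

New-ItemProperty -Path $regPath -Name 'Enabled'      -PropertyType DWord       -Value 1    -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'Certificates' -PropertyType MultiString -Value $all -Force | Out-Null

# Sanity check: every listed thumbprint should resolve to an unexpired certificate in
# Trusted Publishers; otherwise the agent will reject a console that the operator
# believes is authorized.
$inStore = Get-ChildItem -Path $storePath
foreach ($tp in $all) {
    $match = $inStore | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $match) {
        Write-Warning "Listed thumbprint $tp is not in $storePath"
    } elseif ($match.NotAfter -lt (Get-Date)) {
        Write-Warning "Trusted certificate $tp expired on $($match.NotAfter)"
    }
}
Write-Host "TrustedClients now lists $($all.Count) thumbprint(s): $($all -join ', ')"
```

Usage: `.\Add-ControlUpTrustedClient.ps1 -CerPath C:\certs\console.cer, C:\certs\monitor.cer`. When you move from this manual test to the GPO, the Certificates value you deploy is the same merged list; removing a retired thumbprint from that list is what revokes an old console's access, so keep the list as short as the environment allows.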

Your ControlUp Agent will now communicate with only those ControlUp Consoles and ControlUp Monitor machines that can be authenticated by their private key certificates.

Enforce Certificate-Based Authentication 

From version 8.2.5 and higher, you can enforce the use of this feature on the agent machine if you use the MSI installer to install the agents on monitored machines.

Param name: CERTONLY
Usage: CERTONLY=True
Usage example: Agentinstaller.msi CERTONLY=True
