ControlUp is continuing to improve the security around the communication between ControlUp Agents and the Real-Time Console and ControlUp Monitors in your environment.
For more information on how to set up secure agents, read the ControlUp Agent Security Best Practices.
The following enhancements are available for the ControlUp Agent when adding machines to the ControlUp Console:
- You have the option to encrypt communication between the agent and console and monitors.
- There is a default agent authentication key for all deployed agents.
Encrypt Agent Communication
In the Real-Time Console > Agent Deployment Settings page, you can select to encrypt the communication between all agents within your ControlUp organization where you select this option.
Encrypt Communication with the ControlUp Agents
This option is turned off by default. You can select this option in the Agent Settings page in the Real-Time Console.
- Only a user who is the Organization Owner or who has Roles Manager permissions as set in the Security Policy Panel can select this option.
- .Net Framework 4.7.2 or later must be installed on the agent, console and monitor.
To Encrypt Communication with the ControlUp Agents:
- In the Real-Time Console > Settings menu, select Agents. The Agent Deployment Settings page opens.
- Select Use only encrypted communication.
- Restart the Real-Time Console and all monitor clusters.
- Update all agents to version 8.2.5 or higher.
If this option is selected and you get any of these messages:
- The agent does not support encrypted communication
- Failed to establish an encrypted connection with the agent
- Operation timeout
Ensure that all consoles, monitors and agents are running:
- .Net framework version 4.7.2 or higher
- ControlUp version 8.2.5 or higher
Agent Authentication Key
ControlUp generates a unique authentication for every ControlUp organization. By default all agents are configured with this public authentication key and accept communication only from trusted consoles or monitors that have the same corresponding private key.
The authentication key is automatically configured for the agent machine during deployment.
Access Key Value
Because this is the default method of authenticating communication between the agents with the consoles and monitors, you don't have to take any action.
If for any reason you do need to access the Agent Authentication Key, you can access it in the Real-Time Console > Settings > Agent Deployment Settings page. The same key is used for all agents deployed from this console.
Click Copy to access the key value itself.
On the agent machine, this authentication key is stored in the ControlUp Agent's registry in this path: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication\AuthKey
The key can be manually set at any time and does not require the agent machine to be restarted.
Add Key to Configuration Files that Install the Agents
When installing agents using the Add Machine feature in the Real-Time Console, this key is automatically added to the agent machine by default.
If you select not to deploy the agents automatically when the machines are added to the organization, you must manually add the same key as displayed in the Agent Deployment Settings page to whatever configuration file you are using to add the agent.
To manually configure the key:
Ensure that these registry key specifications are on every machine where the agent is deployed:
Value: Public key string base64 encoded from the Real-Time Console > Agent Deployment Settings page.
To deploy agents along with the key using an MSI installer command parameter:
The Agent MSI installer enables you to configure the Agents Authentication Key using an MSI PARAM.
If you use the link to Download MSI Installer in the Real-Time Console > Agent Deployment Settings page, that MSI already comes configured with this parameter but you must update the key value.
Param name: AUTHKEY
Usage: AUTHKEY=agent authentication key
Usage example: Agentinstaller.msi AUTHKEY=agent authentication key
Installing an agent along with this parameter configures the specified authentication key for the agent.