This is the manual procedure for running the script that is outlined in this article. It details what happens on each of your console and monitor machines when you run the automated script, in case you want to troubleshoot the procedure or go through all the steps manually.
First read through Certificate-Based Agent Authentication to be sure you have all the prerequisites listed and that you create the certificates as recommended.
You have to complete these manual steps for every machine or location running the ControlUp Console and the ControlUp Monitor.
Apply Private Key Certificate to the Machines Running the ControlUp Console and Monitors
- Ensure the private key (.pfx file) you created is copied onto the machines running the ControlUp Console and Monitors, and that you have the password for the certificate stored in this file.
- Access the directory with the private key and double-click the .pfx file. The Windows Certificate Import Wizard opens.
- Select Local Machine and click Next.
Note: You can select the Current User option if you want to require a certificate for each user separately for this console.
- Confirm that the selected .pfx file is correct and click Next.
- Enter the private key password and click Next.
- Store the certificate. Select Place all certificates in the following store and click Browse to select the Personal directory to store it there. Click Next.
- In the next window, click Finish and the Certificate Import Wizard confirms that the import was successful.
Configure Registry Key on the ControlUp Console and Monitor Machines
For the console and monitors to start using a client-side certificate, a registry configuration is required. The registry can be configured either under the HKCU or HKLM registry hives for the console and under the HKLM for the monitors. Each hive refers to the appropriate certificate store.
Once you complete creating this registry key, you can export it to be used on any other ControlUp Console machines and the ControlUp Monitor machines.
- On the console machine, open the Registry Editor and go to: HKLM\SOFTWARE\Smart-X\ControlUp\ClientCert
Missing keys must be created manually.
- Create a DWORD value named Enabled and assign it the value of 1.
- Create a string value (REG_SZ) named Thumbprint and assign it the Thumbprint value of the private key certificate.
You can find the Thumbprint in the private key certificate as follows.
Add Network Service to the ControlUp Monitor Machine Private Key
All the machines running ControlUp Monitors in your environment must also have this private key certificate file and the registry key you created above.
Additionally, you must add the Network Service to the Security table for the certificate applied to the monitor machines. This is because the monitor runs in the context of the Network Service account.
- Access the Microsoft Management Console (mmc).
- Open the Certificates item and go to Personal > Certificates.
- Right-click the private key you applied to this machine per the above procedure. Select All Tasks > Manage Private Keys...
Note: If you have a non-standard deployment, you may have to search for the private key file.
- Add the Network Service to the Security table allowing Full Control (default option).
- Restart the monitor machine.
Once you have completed this stage of the procedure, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
You should repeat this for every machine running the ControlUp Real-Time Console. You can export the registry configuration and import it to the other machines running the console and the monitors.
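To confirm the result of the manual steps on a machine, the following PowerShell check (an added example, not ControlUp's script) reads the ClientCert registry values, finds the matching certificate in the Local Machine Personal store, and reports the access Network Service has on its private key file. It assumes the Local Machine (HKLM) variant of the setup, an RSA key, the default Windows key storage directories, and an elevated session.

```powershell
# Added example (not ControlUp's script). Run elevated on a console or monitor machine.
$regPath = 'HKLM:\SOFTWARE\Smart-X\ControlUp\ClientCert'   # key and value names from this article
$cfg = Get-ItemProperty -Path $regPath -ErrorAction Stop

# A thumbprint pasted from the certificate dialog can carry spaces or an invisible
# leading character; the stored value should be exactly 40 hex digits (SHA-1).
$raw = [string]$cfg.Thumbprint
$thumbprintClean = $raw -match '^[0-9A-Fa-f]{40}$'
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()

# Local Machine > Personal is the Cert:\LocalMachine\My store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# Locate the private key file. Assumption: RSA key in a default key storage directory.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'No RSA private key is accessible for this certificate.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                                # CNG key
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName    # legacy CSP key
}
$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys"
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -Force -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found in the default directories." }

# S-1-5-20 is the well-known SID of NETWORK SERVICE, the account the monitor runs as.
$acl = Get-Acl -Path $keyFile.FullName
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$nsRights = $rules |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-20' -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.FileSystemRights }

[pscustomobject]@{
    Enabled              = $cfg.Enabled            # expected: 1
    ThumbprintValueClean = $thumbprintClean        # expected: True
    CertSubject          = $cert.Subject
    NotAfter             = $cert.NotAfter          # must be in the future
    HasPrivateKey        = $cert.HasPrivateKey     # expected: True
    NetworkServiceRights = $nsRights -join ', '    # monitors: expected FullControl
}
```

An empty NetworkServiceRights value is normal on a machine that runs only the console; on a monitor machine it means the Manage Private Keys step has not taken effect.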
You must now configure the ControlUp Agent machines per the instructions in this article: Certificate-Based Agent Authentication.