
Using Certificates With The SMP Agent for Unix, Linux and Mac 7.5 

Aug 13, 2014 03:05 PM

The 7.5 SMP Agent for Unix, Linux and Mac (ULM) uses its own certificate store.

 

It is possible, and sometimes required, for the ULM agent to store multiple certificates. Such cases include a Notification Server (NS) and a Site Server (SS) or Package Server (PS) that use different certificates, or a certificate switch on an NS or SS.

Recommended steps to add multiple certificates to a ULM client:

  1. Export the .cer file from the appropriate NS or site server (using MMC).
  2. Repeat this for all required certificates from all required servers.
  3. If multiple certificates were exported, combine them into a single file. (See example below.)
  4. Copy the (combined) file to the ULM client computer. It can be copied anywhere on the client computer. The file name and location on the client do not matter.
  5. In the NS console, browse to 'Targeted Agent Settings', select an appropriate policy or create a new one and assign appropriate targets/computers. (For initial testing purposes, it is recommended that a new policy be created and that a single computer be assigned to this new policy. Additional computers can be assigned after testing has been completed and this method has been validated. This avoids locking out client computers.)
  6. In the Targeted Agent Settings policy, click the Unix/Linux/Mac tab and check "Use system CA store for certificate checks" and specify the full, absolute path and name of the new cert file from step #4, above.
  7. Allow the client to refresh policies. A new version of the agent's certificate store will be created and used by the agent for subsequent communication with an NS or SS/PS.

 

Additional notes:

  • The agent's certificate store used for communication is the "cainfo-merged.pem" file, located in the /opt/altiris/notification/nsagent/etc directory by default. No certificates should be added to this file manually, as it can be overwritten by an agent-initiated regeneration.
     
  • By default, the agent will automatically store the certificate bound to port 443 on the NS/SMP server upon initial installation or after an interactive reconfiguration of the agent (aex-configure -iconfigure) to nsagent/etc/cainfo.pem. Please avoid adding any certificates to “cainfo.pem” as these will be lost during an agent upgrade.
     
  • The ‘cainfo-merged.pem’ file is regenerated during most agent communication processes (sending basic inventory, refreshing policies, etc.). The agent compares the contents of the following files and, if any have changed from their last known state, regenerates the cainfo-merged.pem file: 1) cainfo.pem, 2) cainfo-ss.pem and 3) the file specified as the Targeted Agent Settings CA file. These processes can be run manually to trigger regeneration of the cainfo-merged.pem file. (Note that a policy refresh may have to occur twice: once to get the new or updated targeted settings policy and once to regenerate the cainfo-merged.pem file.)
     
  • "aex-configure -iconfigure" has a prompt to re-download the certificate with a given fingerprint. Agent versions 7.5 and 7.5 SP1 will overwrite cainfo.pem! 7.6+ will add the certificate to cainfo.pem if required. These certificates are then added to the cainfo-merged.pem file, per the normal process.
     
  • Only PEM formatted certificates are supported. When using MMC to export the client certificate from a Notification Server or Site Server, the proper format is: “Base-64 encoded X.509 (CER)”.
     
  • The file specified in the Targeted Agent Settings CA file can have multiple base64 certs. These will all be added to the cainfo-merged.pem file, which can also store multiple certificates. The agent will try each one until a connection is established.

-----BEGIN CERTIFICATE-----
BASE64DATA for certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BASE64DATA for certificate 2
-----END CERTIFICATE-----

  • The file specified in the Targeted Agent Settings must be given as the full, absolute path (beginning from the root, /) of the file containing the additional certificate(s). The file can be located anywhere on the client system. The file name does not matter as long as the same path and name are entered in the Targeted Agent Settings policy.
  • Once the Targeted Agent Settings policy has been properly created and the targeted clients have refreshed policies, the corresponding client-side policy file will contain the line shown below, with the path to the new certificate file in the "CAInfo=" field. By default, the policy is found at "/opt/altiris/notification/nsagent/var/policies/<targeted agent settings policy guid>.xml". (Hint: in the …/nsagent/var/policies directory, run “grep name *” to find the correct policy and its corresponding guid.)

<CurlSSL SSLNSPublicHttpsCertFingerprint="" SSLVerifyPeer="yes" SSLVerifyHost="yes" CAInfo="/mycert.pem" CAPath=""/>
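The following is an added example, not code from this article or from the SMP agent itself. It covers steps 3 and 4 of the procedure (combining several MMC exports into one PEM bundle, guarding against the binary DER export and the CRLF/missing-newline problems that break concatenated PEM files), reads the CAInfo path out of the client-side policy line shown above, and checks whether cainfo-merged.pem already holds every certificate found in the input files the agent compares during regeneration. File contents are passed in as bytes so it runs offline; the certificate bodies and policy XML are constructed placeholders (tiny DER SEQUENCEs, not real X.509 certificates), and the <Policy> element wrapping <CurlSSL> is an assumption about the real policy file.

```python
"""Build and check the PEM bundle that the ULM agent merges into cainfo-merged.pem.

Added example; not code from the article or the agent. Sample data below is
constructed: the "certificates" are tiny DER SEQUENCEs, not real X.509 objects.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_certs(data):
    """Return the DER bytes of every certificate block in a PEM file.

    Rejects a binary "DER encoded" MMC export (first byte is the ASN.1 SEQUENCE
    tag 0x30 instead of the '-----BEGIN' header) and any block whose body is
    not valid base64. CRLF line endings from a Windows export are tolerated.
    """
    if data.lstrip()[:1] == b"\x30":
        raise ValueError("binary DER input; re-export as Base-64 encoded X.509 (.CER)")
    ders = []
    for body in PEM_BLOCK.findall(data):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("PEM body does not decode to an ASN.1 SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no PEM certificate blocks found")
    return ders


def fingerprint(der):
    """SHA-1 over the DER bytes: the value MMC shows as the certificate Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def build_bundle(exports):
    """Merge several exported .cer files (bytes) into one PEM bundle (bytes).

    Line endings are normalised and every block ends with '\\n', so an export
    saved without a trailing newline cannot fuse its END marker with the next
    file's BEGIN marker when the files are concatenated. A certificate seen
    twice (same thumbprint) is written once.
    """
    seen, blocks = set(), []
    for data in exports:
        for der in pem_certs(data):
            fp = fingerprint(der)
            if fp not in seen:
                seen.add(fp)
                b64 = base64.encodebytes(der).decode()  # 76-column lines, '\n' endings
                blocks.append(f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n")
    return "".join(blocks).encode()


def cainfo_path(policy_xml):
    """Return the CAInfo attribute of <CurlSSL> from a client-side policy file."""
    root = ET.fromstring(policy_xml)
    node = root if root.tag == "CurlSSL" else root.find(".//CurlSSL")
    return (node.get("CAInfo") or None) if node is not None else None


def missing_from_store(merged_store, *sources):
    """Thumbprints present in the source files (cainfo.pem, cainfo-ss.pem, the
    CAInfo file) but absent from cainfo-merged.pem. A non-empty result means
    the agent has not regenerated its store since those inputs changed."""
    present = {fingerprint(d) for d in pem_certs(merged_store)}
    missing = []
    for src in sources:
        for der in pem_certs(src):
            fp = fingerprint(der)
            if fp not in present and fp not in missing:
                missing.append(fp)
    return missing


# Constructed sample input (placeholder bodies, not real certificates or a real policy).
NS_CER = b"-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"  # CRLF, as MMC writes it
SS_CER = b"-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----"  # no trailing newline
POLICY_XML = (
    '<Policy><CurlSSL SSLNSPublicHttpsCertFingerprint="" SSLVerifyPeer="yes" '
    'SSLVerifyHost="yes" CAInfo="/mycert.pem" CAPath=""/></Policy>'
)


def demo():
    """Steps 3 and 4 of the procedure, then the client-side store check."""
    bundle = build_bundle([NS_CER, SS_CER, NS_CER])  # NS cert exported twice on purpose
    path = cainfo_path(POLICY_XML)
    # Pretend cainfo-merged.pem still holds only the NS certificate.
    stale = missing_from_store(NS_CER, bundle)
    return bundle, path, stale


if __name__ == "__main__":
    bundle, path, stale = demo()
    print(bundle.decode())
    print("CAInfo path in policy:", path)
    print("thumbprints not yet in cainfo-merged.pem:", stale)
```

On a real client, read cainfo.pem, cainfo-ss.pem and the CAInfo file from nsagent/etc and pass them to missing_from_store() with the contents of cainfo-merged.pem; an empty list confirms the agent has picked up the new bundle, a non-empty one means another policy refresh (or basic inventory send) is needed before the store is regenerated.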

 

Important note regarding switching certificates on a Notification Server, Site Server, etc.:

Before switching certificates on an NS or SS, deliver the new certificate to the client computers so that they can start using it as soon as the switch occurs. Preferably, specify the file containing the new certificate(s) as the Targeted Agent Settings CA file. Otherwise, the clients lose connectivity to the NS/SS at the moment of the switch, and the certificate then has to be delivered to each client by other means (or the agent reconfigured interactively with "aex-configure -iconfigure") before connectivity is restored. It is much better to deliver the new certificate to the ULM clients before enabling it on an NS or SS.


Comments

Aug 13, 2014 03:22 PM

As far as I know, in the 7.5 SP1 release it now works like this:

1. If the NS Server and Site Server are joined to Active Directory and are using an "Internal CA" for SSL communication, then the ULM managed endpoint doesn't need to run the aex-getcert command line or apply the Site Server certificate via a Targeted Agent Settings policy to get "cainfo-merged.pem" for successful communication with the Site Server.

2. If the Site Server uses a self-signed certificate, then the ULM managed endpoint should apply each Site Server certificate via the aex-getcert command line or via a Targeted Agent Settings policy.

Just some additional information.
