Changing the Authentication Method
You can change the authentication method after it has been defined. However, it involves considerable effort since the Automation Engine and all Agents must be restarted.
Changing from NO to LOCAL (Server)
- End all Agents.
- End all server processes.
- Export the Authentication Key to a file. You can do so in batch mode using the AE.DB Load utility, see Start Parameters - Utilities.
  The Authentication Key has not yet been set in the database.
- Make sure the Key file is available to all Agents. To do so, define the following parameter(s) in the [AUTHORIZATION] section of the respective Agent INI file:
  - In the InitialPackage= parameter, enter the path and name of the Authentication Key file.
  - If you have non-TLS/SSL Agents, in the KeyStore= parameter, enter the path and name of the file in which the Agent should store the Authentication Key information. TLS/SSL agents do not require this parameter.
  Important! Make sure that both files are stored in protected directories.
- Set the Authentication Method (in this case, LOCAL) and the Authentication Key in the database. You can do so in batch mode using the AE.DB Load utility.
- Start all server processes.
- For security reasons, it is recommended to withdraw the authentication from all Agents.
  The LOCAL Authentication Method is based on the principle that the Agents will be manually authenticated in the Administration perspective to guarantee that the Agent is not a program of a potential hacker.
  You can skip this step if you are sure you want to make the changeover without this security measure.
  To withdraw the Agent authentication, do the following:
  - In the Agents list in the Administration perspective, select all Agents.
  - Right-click and select Withdraw Authentication.
- Start all Agents.
- The Agents read the Authentication Key file and store the information in their KeyStore files. Then, they delete the Authentication Key file automatically.
- If you followed our recommendation and withdrew the authentication from the Agents, you must authenticate them now:
  - In the Agents list in the Administration perspective, select all Agents.
  - Right-click and select Authenticate Agent.
  Important! Agents that are not authenticated cannot log on to the Automation Engine system.
Changing from NO to LOCAL_REMOTE (Server and Agent)
With the LOCAL_REMOTE method the Agents require a file in which the Authentication Package is stored. As this file differs for each Agent, it must be generated individually and made available to the corresponding computers.
- End all Agents.
- End all server processes.
- Change the Authentication Method to LOCAL_REMOTE. You can do so in batch mode using the AE.DB Load utility, see Start Parameters - Utilities.
  The Authentication Key is now written to the database.
- Start all server processes.
- Log on to system Client 0 and open the Administration perspective.
- Open the list of Agents.
- For security reasons, it is recommended to withdraw the authentication from all Agents.
  The LOCAL_REMOTE Authentication Method is based on the principle that the Agents will be manually authenticated in the Administration perspective to guarantee that the Agent is not a program of a potential hacker.
  You can skip this step if you are sure you want to make the changeover without this security measure.
  To withdraw the Agent authentication, do the following:
  - In the Agents list in the Administration perspective, select all Agents.
  - Right-click and select Withdraw Authentication.
- Export an Authentication Package for each individual Agent:
  - In the Agents list, select all Agents.
  - Right-click and select Download Authentication Package.
  Note: You need W (Write) permissions for the Agent object to be able to export the Authentication Package.
- Save the Authentication Package in a secure folder on the Agent's computer.
- Define the following parameter(s) in the [AUTHORIZATION] section of the respective Agent INI file:
  - In the InitialPackage= parameter, enter the path and name of the Authentication Package.
  - If you have non-TLS/SSL Agents, in the KeyStore= parameter, enter the path and name of the Agent's KeyStore file in which the Agent will store the information retrieved from the Authentication Package. TLS/SSL agents do not require this parameter.
  Important! Make sure that both files are stored in protected directories.
- Start all Agents.
- The Agents read the Authentication Package files and store the information in their respective KeyStore files. Then they delete the Authentication Package file automatically.
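Added example (not part of the original documentation or the vendor's tooling): a Python check for the [AUTHORIZATION] parameters set in both procedures above, reporting when the directories named in InitialPackage= and KeyStore= are accessible to group or other users. It assumes POSIX permission bits and an Agent INI that parses as a standard INI file; the function names and sample paths are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


def audit_agent_ini(ini_text, tls_agent=False):
    """Return findings for the [AUTHORIZATION] section of an Agent INI file."""
    # Assumption: the INI text is parseable by configparser with '=' delimiters.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section("AUTHORIZATION"):
        return ["missing [AUTHORIZATION] section"]
    # TLS/SSL Agents do not require KeyStore=, so only check it for the others.
    required = ["InitialPackage"] + ([] if tls_agent else ["KeyStore"])
    findings = []
    for name in required:
        path = (cp["AUTHORIZATION"].get(name) or "").strip()
        if not path:
            findings.append(f"{name}= is not set")
            continue
        # Check the directory, not the file: the Agent deletes the package
        # after reading it, and the KeyStore file is written by the Agent.
        directory = os.path.dirname(os.path.abspath(path))
        if not os.path.isdir(directory):
            findings.append(f"{name}: directory {directory} does not exist")
            continue
        mode = stat.S_IMODE(os.stat(directory).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
            findings.append(f"{name}: {directory} is open to group/others (mode {mode:o})")
    return findings


def demo():
    # Constructed sample: one owner-only directory, one world-readable one.
    safe, loose = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.chmod(safe, 0o700)
    os.chmod(loose, 0o755)
    ini = ("[AUTHORIZATION]\n"
           f"InitialPackage={os.path.join(safe, 'agent01_package')}\n"
           f"KeyStore={os.path.join(loose, 'agent01_keystore')}\n")
    return audit_agent_ini(ini)


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

Run it against each Agent INI before starting the Agents, passing tls_agent=True for TLS/SSL Agents.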
Changing from LOCAL to LOCAL_REMOTE (Server to Server and Agent)
As the Agents have already been authenticated, you can easily switch from LOCAL to LOCAL_REMOTE and vice versa. You can do so in the UC_AS_SETTINGS variable. For more information, see UC_AS_SETTINGS - Advanced Security.
- Log in to Client 0.
- Enter UC_AS_SETTINGS in the Global Search field.
- A dropdown list with a link to the variable opens up. Click it to display the UC_AS_SETTINGS variable.
- Activate the checkbox next to AUTHENTICATION.
- Click the file icon in the Value 1 column to open the Cell Editor, where you can enter LOCAL_REMOTE.
- Save your changes.
- End all server processes.
- Start all server processes.
Agents will automatically connect after the time (in seconds) specified in the RECONNECT_TIME parameter. For more information, see UC_HOSTCHAR_DEFAULT - Host Characteristics.
Changing from LOCAL (Server) or LOCAL_REMOTE (Server and Agent) to NO
You can change the authentication method to NO in the UC_AS_SETTINGS variable. For more information, see UC_AS_SETTINGS - Advanced Security.
When you use the Authentication Method "NO", the Agents do not require the Authentication Key that is stored in the Automation Engine database.
- End all Agents.
- Log in to Client 0.
- Enter UC_AS_SETTINGS in the Global Search field.
- A dropdown list with a link to the variable is displayed. Click it to display the UC_AS_SETTINGS variable.
- Activate the checkbox next to AUTHENTICATION.
- Click the file icon in the Value 1 column to open the Cell Editor, where you can enter NO.
- Save your changes.
- End all server processes.
- Delete the Authentication Key from the database.
  To do so, process the following SQL statement in a transaction:
  delete from oha
- Start all server processes.
- If you have non-TLS/SSL Agents, delete the KeyStore file that is specified in the KeyStore= parameter in the [AUTHORIZATION] section of the corresponding Agent INI file.
- Start all Agents.