TLS/SSL Certificate Considerations

As a system administrator, you have to make sure you are aware of all the TLS/SSL requirements for your environment.

Overview

The communication between the Automation Engine and the different components uses TLS/SSL through a secure WebSocket (WSS). These components establish a connection with the Java communication process (JCP) and/or the REST process (REST), which use trusted certificates to prove their identity to other communication partners, such as Agents.

Therefore, you have to decide which kind of certificates you are going to use to secure the communication in your system. This decision must be considered carefully, as it determines not only how secure the connections are but also the time and effort you have to invest in renewing and deploying the certificates.

Important! TLS/SSL Agents (in containers and on-premises) as well as the TLS Gateway, when used for the Automic Automation Kubernetes Edition, establish a connection to an ingress / HTTPS load balancer, which requires a certificate for authentication.

Make sure that the address of the load balancer is defined on both sides (the Automation Engine and the Agent / TLS Gateway) and that your HTTPS load balancer has the required certificates in place. For more information, see Connecting to AWI, the JCP and REST Processes Using an Ingress.

For more information on certificates, types of certificates and all the issues that you must consider before implementing TLS/SSL in your environment, see TLS/SSL Considerations for Automic Automation.

Important! Creating and managing certificates is not the task of the Automic Automation administrator (unless you use self-signed certificates in a testing environment).

However, as an administrator, there are a number of issues that are your responsibility and that you must cover:

  • Make sure you understand how TLS/SSL and the different certificates work, so that you know how to use them to secure your Automic Automation environment.

  • Contact the person or team in charge of certificates in your company to find out which options you have for your Automic Automation environment. Follow your company's procedure to obtain the relevant certificates.

  • Make sure you have all the certificates that you require in place and that the different components (AE, AWI, Agents, and so on) can reach them.

  • If you do not store the certificates in the default location of the respective trust store, make sure that you define the path to where the certificates are stored in the configuration file of the respective component.

JCP Certificate Expiration Date

You have to make sure that the certificates being used not only meet the respective security requirements, but also are not expired. Otherwise, the components cannot connect to the Automation Engine.

The system checks the certificate expiration date every 24 hours (at midnight UTC). When one or more certificates are close to expiring, that is, if the expiration date is within 30 days, AWI displays the following notification: "The following JCP certificates will expire within the next 30 days: <certificate name (expiration date)>". The expiration date of the certificate is also written to the JCP log file on startup as well as at midnight (UTC).

The notification is displayed in all Clients but only to users with the privilege Access to Administration, see Granting Automation Engine Privileges. The notification remains visible until the certificate is renewed.

Notes:

  • AWI displays only one notification even if more than one certificate is about to expire. All relevant certificates are listed one after the other, separated by commas and sorted by expiration date; the certificate closest to its expiration date is listed first.

  • It is not necessary to restart the JCP after renewing the certificate.

  • Make sure that the new certificate is set correctly and uses the same definition as the TLS section of the INI file of the Automation Engine, see Automation Engine. Otherwise, the old KeyStore definition is used and the JCP will not start.

Optionally, you can also use the UC_SERVER_TLS_SETTINGS variable to trigger a custom action if one of these certificates is close to expiring. For more information, see UC_SERVER_TLS_SETTINGS - Server Certificate Management.
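The expiration check described above (a 30-day warning window, one comma-separated message, closest expiration first) can be reproduced outside the JCP, for example as a pre-check before a maintenance window or as the custom action you trigger from UC_SERVER_TLS_SETTINGS. The following script is an added example and not Automic code: it takes the `notAfter=` line that `openssl x509 -noout -enddate -in <cert.pem>` prints for each certificate, parses it with the standard library, and builds a message in the same shape as the AWI notification. The certificate names, dates and the fixed "now" are constructed sample values; the `fetch_not_after` helper that reads the date from a live TLS endpoint is optional and takes the host and port as arguments because the page does not state the JCP port.

```python
"""Offline check of JCP certificate expiration dates (added example, not Automic code).

Mirrors the rule on the page: any certificate whose expiration date lies within
the next 30 days is reported in one message, sorted by expiration date with the
closest one first.
"""
from datetime import datetime, timedelta, timezone
import socket
import ssl

WARN_DAYS = 30  # warning window described on the page

# Constructed sample input: the "notAfter=" line printed by
# `openssl x509 -noout -enddate -in <cert.pem>`, keyed by a made-up
# certificate name. Names and dates are hypothetical.
SAMPLE_ENDDATE_LINES = {
    "jcp-ws": "notAfter=Mar  5 12:00:00 2026 GMT",
    "jcp-rest": "notAfter=Jun 30 23:59:59 2026 GMT",
    "jcp-internal": "notAfter=Feb 25 08:00:00 2026 GMT",
}

# Fixed reference time so the constructed sample gives a stable result.
SAMPLE_NOW = datetime(2026, 2, 20, tzinfo=timezone.utc)


def parse_not_after(enddate_line: str) -> datetime:
    """Turn an openssl 'notAfter=...' line into an aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    # ssl.cert_time_to_seconds understands the "%b %d %H:%M:%S %Y GMT" format
    # that both openssl and ssl.getpeercert() use.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def expiring_certificates(not_after_by_name, now, warn_days=WARN_DAYS):
    """Return [(name, not_after)] for certificates expiring within warn_days,
    closest expiration first. Certificates that have already expired are
    included as well, since they also need immediate attention."""
    deadline = now + timedelta(days=warn_days)
    hits = [(name, t) for name, t in not_after_by_name.items() if t <= deadline]
    return sorted(hits, key=lambda item: item[1])


def build_notification(expiring, warn_days=WARN_DAYS):
    """Format the single AWI-style message, or None when nothing is expiring."""
    if not expiring:
        return None
    parts = ", ".join(f"{name} ({t:%Y-%m-%d})" for name, t in expiring)
    return (f"The following JCP certificates will expire within the next "
            f"{warn_days} days: {parts}")


def check_from_openssl_lines(enddate_lines, now=None):
    """Run the check over a dict of name -> 'notAfter=' line; returns the message or None."""
    now = now or datetime.now(timezone.utc)
    parsed = {name: parse_not_after(line) for name, line in enddate_lines.items()}
    return build_notification(expiring_certificates(parsed, now))


def fetch_not_after(host, port, timeout=5.0):
    """Optional live variant: read notAfter from the certificate a TLS endpoint
    presents. Verification uses the default trust store; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after("notAfter=" + tls.getpeercert()["notAfter"])


def sample_result():
    """Run the check on the constructed sample with the fixed reference time."""
    return check_from_openssl_lines(SAMPLE_ENDDATE_LINES, now=SAMPLE_NOW)


if __name__ == "__main__":
    print(sample_result())
```

With the sample values, `jcp-internal` (5 days away) and `jcp-ws` (13 days away) are reported in that order and `jcp-rest` is not, because it is outside the 30-day window. If you wire this into a scheduled job, run it against the same KeyStore entries that the TLS section of the Automation Engine INI file references, so that a renewed certificate placed in the wrong store is not mistaken for a valid one.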

Note: During File Transfers, the Agents also require certificates for authentication. The Automation Engine automatically renews those certificates for the Windows, UNIX and Java Agents, as well as the certificate for the TLS Gateway.

For information on how to renew expired certificates, see Renewing Expired JCP Certificates.

Education

The Broadcom Software Academy provides a wide range of free online trainings. For information about how to navigate through the Academy and on how to register for courses, see Free Online Courses.

The following course(s) are associated with this topic:

Installation - Next step:

Preparing the AE Database
