Agent Authentication

Securing the authenticity of the communication partners is essential to avoid attacks and eavesdropping. As a system administrator in charge of the security at your company, you can choose between three Agent authentication methods and thus define the level of security you want to apply. The authentication methods determine how to exchange the keys involved in Agent authentication (Authentication Key, Transfer Key, Session Key).

This topic describes the elements involved in Agent authentication and the available authentication methods. It also describes what happens if an Agent is compromised.


Authentication, Transfer and Session Keys

During the authentication process, the following keys play an important role: the Authentication Key, the Transfer Key and the Session Key.

Authentication Methods

Three authentication methods are available to define how the communication key is initially distributed. Each method offers advantages and disadvantages, depending on the required security level.

NO

Agents that start for the first time can log on to the Automation Engine system immediately. The Authentication Key is derived automatically from the system name.

A Transfer Key is generated automatically for each Agent when that Agent is started for the first time.

Afterward, Agents can only log on to the Automation Engine system with the Authentication Key (which is common to all Agents) and with the Transfer Key (which is specific to each Agent).

Advantages:

Disadvantages:

LOCAL (Server)

The system administrator defines the Authentication Key manually during the Automation Engine installation.

The Authentication Key can be exported to a file that must be used during Agent installation. On first start, the Agent loads it to its KeyStore file.

Agents log on to the Automation Engine system using the Authentication Key when they start for the first time. You must manually authenticate the Agents in the Administration perspective of Client 0000 before the Agents can be used.

Advantages:

Disadvantages:

LOCAL_REMOTE (Server and Agent)

This is the most secure authentication method.

An Agent object must be created in system Client 0000 for each Agent that will communicate with the Automation Engine.

The Installation Package contains the system's Authentication Key and the Transfer Key of the particular Agent. As soon as the Package is in place, the Agent is ready to use. On first start, the Agent loads the keys from the Package and stores them in its KeyStore file.

Advantages:

Disadvantages:

Note: To guarantee a secure installation, transfer the Installation Package to the Agent either manually or over a secure line. This ensures that attackers never get access to it over the network.

Warning! Changing the authentication method is possible, but involves considerable effort. For more information, see Changing the Authentication Method.

Compromised Agents

The architecture of the Automation Engine protects it and its communication against man-in-the-middle attacks. After setup, the connection between the Agent and the Automation Engine starts immediately without any key being exchanged. Therefore, the key cannot be captured during the initialization of the connection, because it no longer has to be transferred.

Depending on the chosen authentication method, the Transfer Key is never transmitted over the wire. If attackers want to intercept or read a connection, they must compromise an Agent, which means that they need access to the machine on which the Agent is installed. If this happens, the Agent is compromised; however, old messages cannot be read, because they were encrypted with a different Session Key.

Agents do not send commands to the Automation Engine or to other Agents; they simply connect and wait for commands, which they then execute. Even if an Agent is already compromised, the system architecture prevents the compromise from spreading to other parts of the system. The only exception is File Transfers, for which additional security measures are in place, see Secure File Transfer Protocol.
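The following model is an added example written for this topic, not Automation Engine code. It represents the three keys from this page (one Authentication Key common to all Agents, one Transfer Key per Agent kept in its KeyStore, one fresh Session Key per connection) and then checks what an attacker gains by copying an Agent's KeyStore after a session has ended. Because the page does not document the product's key formats, cipher or handshake, the construction is assumed: the Session Key is agreed with an ephemeral Diffie-Hellman exchange whose public values are authenticated with the Transfer Key (so the Transfer Key itself never crosses the wire), and the group `P`/`G`, the SHA-256 derivations and the HMAC-based XOR keystream are toy stand-ins chosen for readability. The system name, Agent names and message are constructed sample values.

```python
"""Toy model of the key hierarchy: shared Authentication Key, per-Agent Transfer
Key, per-connection Session Key.  Constructed illustration, not Automation Engine
code; handshake, group, hash and cipher below are assumptions for the model only."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime: toy DH group, far too small for real use
G = 3


def authentication_key_from_system_name(system_name: str) -> bytes:
    """Method NO: the Authentication Key is derived from the system name alone
    (assumed derivation: SHA-256), so anyone who knows the name can compute it."""
    return hashlib.sha256(b"AE-auth:" + system_name.encode()).digest()


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR data with HMAC-SHA256 counter blocks."""
    stream = b"".join(
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


class Party:
    """One side of a connection: an Agent, or the Engine's view of that Agent."""

    def __init__(self, auth_key: bytes, transfer_key: bytes):
        self.keystore = {"auth": auth_key, "transfer": transfer_key}
        self.session_key = None          # held in memory only, per session

    def dh_start(self):
        """Fresh ephemeral DH value, tagged with the Transfer Key (key never sent)."""
        self._priv = secrets.randbelow(P - 2) + 1
        pub = pow(G, self._priv, P).to_bytes(16, "big")
        return pub, hmac.new(self.keystore["transfer"], pub, hashlib.sha256).digest()

    def dh_finish(self, peer_pub: bytes, peer_tag: bytes) -> None:
        """Accept the peer's value only if it was tagged with the same Transfer Key."""
        want = hmac.new(self.keystore["transfer"], peer_pub, hashlib.sha256).digest()
        if not hmac.compare_digest(want, peer_tag):
            raise PermissionError("peer does not hold this Agent's Transfer Key")
        shared = pow(int.from_bytes(peer_pub, "big"), self._priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        del self._priv                   # ephemeral secret discarded at once

    def end_session(self) -> None:
        self.session_key = None          # nothing of the session reaches the KeyStore


def run_session(agent: Party, engine: Party, messages: list) -> list:
    """Handshake, then encrypt messages under the Session Key.  Returns the
    (nonce, ciphertext) pairs an eavesdropper on the wire would capture."""
    a_pub, a_tag = agent.dh_start()
    e_pub, e_tag = engine.dh_start()
    agent.dh_finish(e_pub, e_tag)
    engine.dh_finish(a_pub, a_tag)
    assert agent.session_key == engine.session_key
    wire = []
    for msg in messages:
        nonce = secrets.token_bytes(8)
        wire.append((nonce, xor_stream(engine.session_key, nonce, msg)))
    agent.end_session()
    engine.end_session()
    return wire


def demo() -> dict:
    """Agent A is compromised after a session: the attacker copies its KeyStore
    and also holds a capture of the earlier traffic.  What does that yield?"""
    auth = authentication_key_from_system_name("AE-PROD")      # constructed name
    tk_a, tk_b = secrets.token_bytes(32), secrets.token_bytes(32)
    agent_a, engine_a = Party(auth, tk_a), Party(auth, tk_a)
    engine_b = Party(auth, tk_b)                               # Engine's view of Agent B
    plaintext = b"CMD run-job 4711"                            # constructed message
    nonce, ct = run_session(agent_a, engine_a, [plaintext])[0]

    stolen = dict(agent_a.keystore)                            # attacker's haul
    attacker = Party(stolen["auth"], stolen["transfer"])
    results = {
        # long-term keys do not decrypt traffic protected by a discarded Session Key
        "old_messages_readable": any(xor_stream(k, nonce, ct) == plaintext
                                     for k in stolen.values()),
        "attacker_can_impersonate_compromised_agent": True,
        "attacker_can_impersonate_other_agent": True,
    }
    try:
        run_session(attacker, engine_a, [b"CMD"])              # the compromised Agent itself
    except PermissionError:
        results["attacker_can_impersonate_compromised_agent"] = False
    try:
        run_session(attacker, engine_b, [b"CMD"])              # blocked: other Transfer Key
    except PermissionError:
        results["attacker_can_impersonate_other_agent"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the text relies on: a copied KeyStore lets the attacker act as that one Agent (the Agent is compromised), but it neither decrypts the earlier session's traffic nor authenticates as any other Agent, because each Agent's Transfer Key is distinct and the Session Key was never stored. The per-Agent Transfer Key and the discarded Session Key are what limit the blast radius of a single compromised host.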

For more information, see Authenticating the Agents.

Education

Broadcom's Enterprise Software Academy provides a comprehensive curriculum of free courses and tutorials. If you have not already done so, register at Enterprise Software Academy. Once registered, you can start benefiting from our education offering immediately by enrolling in any course of interest.

Tip: The Education team is constantly working on new content. Check the Enterprise Software Academy regularly for new free courses!

The following course(s) are associated with this topic:

See also: