Changing the Authentication Method
Subsequent changing of the authentication method involves considerable effort. The and all agents must be restarted regardless of the authentication method you select.
For the authentication method "Server", the agents require a file which includes the Company Key. It must be made available to the agents' individual computers.
Procedure in detail:
- End all agents.
- End all server processes.
- Call the utility AE.DB Load in batch mode in order to export the Company Key to a file. The Company Key has not yet been set in the database.
Example: UCYBDBld -B -TPACKAGE -KUC4PROD
- Transfer this file to all agents.
- In the agents' INI-file parameter InitialPackage= (Section [AUTHORIZATION]), enter the path and name of the Company Key file.
In the parameter KeyStore=, enter the path and name of the file in which the should store the Company Key information.
We highly recommend storing both files in a separate directory which is specially protected.
- Now set the authentication method "Server" and the Company Key in the database:
This is done by calling the utility AE.DB Load in batch mode.
Example: UCYBDBld -B -TLOCAL -KUC4PROD
- Start all server processes.
-
For security reasons, Automic recommends withdrawing the authentication from all agents. The method "Server" is based upon the principle that the agents will be manually authenticated in the System Overview in order to ensure that the agent is not a program of a potential hacker. You can skip this step if you are sure you want to make the changeover without this security measure.
Log on to system 0000. Open the System Overview and switch to the area agents . Highlight all agents and use the context menu command "Withdraw authentication".
- Optional: If you have already deleted the Company Key file and want to write the Company Key to additional agents (steps 4 to 5), you can do so at any time in the System Overview of client 0000. It will be exported when you right-click the connection node of client 0. (Step 3 is no longer possible because the Company Key is added to the database in step 6).
- Start all agents.
- The agents read the Company Key file and store the included information in the KeyStore file. The agent will then automatically delete the Company Key file.
- If you followed our recommendation and withdrew the authentication from the agents (step 8), all of them must now be re-authenticated in the System Overview of client 0000. Do so by calling the corresponding context menu command. Non-authenticated agents cannot log on to the AE system.
For the authentication method "Server and Agent", the agents require a file in which the authentication is stored. As this file differs for each agent, it must be generated individually and transferred to the corresponding computers.
Procedure in detail:
- End all agents.
- End all server processes.
- Open the utility AE.DB Load in batch mode and set the authentication method to "Server and Agent":
Example: UCYBDBld -B -TLOCAL_REMOTE -KUC4PROD
The Company Key is now written to the database. Note that subsequently changing the Company Key is a very complex procedure.
- Start all server processes.
- Log on to system client 0000. Open the System Overview and switch to "Agents".
-
For security reasons, Automic recommends withdrawing the authentication from all agents. The method "Server" is based upon the principle that the agents will be manually authenticated in the System Overview in order to ensure that the agent is not a program of a potential hacker. You can skip this step if you are sure you want to make the changeover without this security measure.
Log on to system client 0000. Open the System Overview and switch to the area agents . Highlight all agents and use the context menu command "Withdraw authentication".
For all agents for which this step is skipped, make sure that you use the Company Key as the authentication package as of step 8 and skip step 7. You can export the Company Key to the System Overview of client 0000 at any time by right-clicking client 0's connection node.
- Now export an authentication package for each individual agent. Highlight all agents and open the context menu command "Export authentication package".
As of version 11 the "Export Authentication Package" has been restricted to users in the System client 0. Additionally a user needs the "W" permission for the Agent object to be able to export an authentication package.
- Transport the files containing the unique authentication packages for each agent individually to the agents.
- In the agents' INI-file parameter InitialPackage= (Section [AUTHORIZATION]), enter the path and name of the authentication package file.
In the parameter KeyStore=, enter the path and name of the file in which the agent should store the authentication package information.
We highly recommend storing both files in a separate directory which is specially protected.
- Start all agents.
- The agent reads the authentication package file and stores the included information in the KeyStore file. The agent will then automatically delete the authentication package file.
As the agents have already been authenticated, you can easily switch from "Server" to "Server and Agent" and vice versa.
Procedure in detail:
- Log on to system client 0000. Open the variable UC_AS_SETTINGS and set the value "LOCAL" or "LOCAL_REMOTE" in the key AUTHENTICATION.
- End all server processes.
- Start all server processes.
Agents will automatically connect after the time (in seconds) specified in the parameter RECONNECT_TIME (see: UC_HOSTCHAR_DEFAULT).
For the authentication method "None", the agents no longer require the Company Key which is stored in the AE database. Therefore, the agents' keystore files must be deleted.
Procedure in detail:
- End all agents.
- Log on to system client 0000. Open the variable UC_AS_SETTINGS and set the value "NO" in the key AUTHENTICATION.
- End all server processes.
-
AE database access is required for the following step. Ensure the authorized person pays utmost attention when performing the step. Delete the Company Key from the AE database. Process the following SQL statement in a transaction:
delete from oha
- Start all server processes.
- Delete the KeyStore file in each agent. Its path and name are stored in the INI file, parameter KeyStore=.
- Start all agents.
See also:
Specifying the Authentication Method for the First Time