Configuring network agents

Network agents are deployed inside your network so that SSL certificates can be auto-installed on your servers and so that network discovery tasks can scan internal networks. Once a server has been added to a network agent, the agent discovers all of that server's nodes and the certificates associated with them.

SSL certificate auto-installation can be configured in two ways:

  • Local — A network agent is installed on each individual server. The network agent uses local commands to interact with the server software/configuration.

  • Remote — A single network agent is installed on a central server and configured with the server details of the other servers on your network. The network agent uses remote connections requiring authentication to interact with the server software and configuration.

Auto-installation support depends on the server software and its operating system, as shown in the following table.

Vendor              Windows                          Linux
Apache 2.4          N/A                              Local/Remote auto-installation
Tomcat 7.x, 9.x     Local auto-installation          Local/Remote auto-installation
Microsoft IIS 10    Local/Remote auto-installation   N/A
F5 BIG-IP           Remote auto-installation         Remote auto-installation

Adding servers to a network agent

Server requirements

To add Microsoft IIS servers to a network agent, the following requirements must be satisfied:

  • The account the network agent uses to manage IIS must be a member of the local Administrators group on the IIS server.

To add Apache servers to a network agent, the following requirements must be satisfied:

  • Local:

    • The sectigo-network-agent service has, by default, all required permissions to manage an Apache web server.

  • Remote:

    • The account specified for remote access must have permissions on the remote Apache web server to do the following:

      • Execute apachectl

      • Read and write site configuration files in ServerRoot

      • Write certificate files to a remote certificates directory (default /var/sectigo-network-agent-certs)

    • (SSH key authentication only) On network agent versions 4.0 or earlier, the SSH private key must be an RSA key in PKCS #1 format in a PEM file (header -----BEGIN RSA PRIVATE KEY-----). Keys in the OpenSSH private key format (header -----BEGIN OPENSSH PRIVATE KEY-----), which current OpenSSH releases write by default, are not accepted by those versions.

To add Apache Tomcat servers to a network agent, the following requirements must be satisfied:

  • Local:

    • The sectigo-network-agent service has, by default, all required permissions to manage an Apache Tomcat web server.

  • Remote:

    • The account specified for remote access must have permissions on the remote Apache Tomcat web server to do the following:

      • Start and stop the Apache Tomcat service

      • Read and write site configuration files in the Tomcat installation folder

      • Write JKS certificate files to the Tomcat installation folder

    • (SSH key authentication only) On network agent versions 4.0 or earlier, the SSH private key must be an RSA key in PKCS #1 format in a PEM file (header -----BEGIN RSA PRIVATE KEY-----). Keys in the OpenSSH private key format (header -----BEGIN OPENSSH PRIVATE KEY-----), which current OpenSSH releases write by default, are not accepted by those versions.
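
The following preflight script is an added example and is not part of the Sectigo network agent or its documentation. It covers the Remote (SSH) requirements for both Apache and Apache Tomcat listed above: ssh_key_format runs on the network agent host and classifies the private key by its header line so you can tell whether an agent version 4.0 or earlier can load it, and check_remote_prereqs runs on the target host as the remote-access account and verifies that it can execute the control command, read and write the configuration directory, and write to the certificate directory. The file locations shown in the usage comments (/etc/httpd, /opt/tomcat, ~/.ssh/agent_key, preflight.sh, web01) are assumptions; the certificate directory default /var/sectigo-network-agent-certs is the one quoted on this page.

```shell
#!/bin/sh
# Added example, not Sectigo's code. Preflight checks for a Remote (SSH)
# Apache or Tomcat target. All paths in comments are assumptions.

# Classify a private key file by its first line.
# Prints: pkcs1 | openssh | pkcs8 | encrypted-pkcs8 | unknown
# Only "pkcs1" (an RSA key in PKCS #1 PEM) is accepted by agents <= 4.0.
# Current OpenSSH writes "openssh" by default; an RSA key can be rewritten
# in place as PEM with:  ssh-keygen -p -m PEM -f /path/to/key
ssh_key_format() {
    header=$(head -n 1 "$1" 2>/dev/null)
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted-pkcs8 ;;
        *)                                       echo unknown ;;
    esac
}

# Verify the remote-access account can do what the agent needs.
#   $1  control command: apachectl, or Tomcat's start/stop script
#   $2  configuration directory (Apache ServerRoot, or Tomcat's conf dir)
#   $3  directory the agent writes certificate files into
# Prints one "FAIL: ..." line per missing permission; returns 0 only if all pass.
check_remote_prereqs() {
    cmd=$1; confdir=$2; certdir=$3; rc=0
    resolved=$(command -v "$cmd" 2>/dev/null || true)
    if [ -z "$resolved" ] || [ ! -x "$resolved" ]; then
        echo "FAIL: cannot execute $cmd"; rc=1
    fi
    if [ ! -d "$confdir" ] || [ ! -r "$confdir" ] || [ ! -w "$confdir" ]; then
        echo "FAIL: need read/write on directory $confdir"; rc=1
    else
        # Each existing config file must be readable and writable too,
        # otherwise the agent can list the directory but not edit a site file.
        for f in "$confdir"/*; do
            [ -f "$f" ] || continue
            if [ ! -r "$f" ] || [ ! -w "$f" ]; then
                echo "FAIL: need read/write on $f"; rc=1
            fi
        done
    fi
    if [ ! -d "$certdir" ] || [ ! -w "$certdir" ]; then
        echo "FAIL: need a writable certificate directory at $certdir"; rc=1
    fi
    return $rc
}

# Usage on the agent host:
#   ssh_key_format ~/.ssh/agent_key            (assumed key path)
# Usage on the target host (assumed default locations):
#   Apache: check_remote_prereqs apachectl /etc/httpd /var/sectigo-network-agent-certs
#   Tomcat: check_remote_prereqs /opt/tomcat/bin/catalina.sh /opt/tomcat/conf /opt/tomcat/conf
# Or run it non-interactively over SSH as the remote-access account:
#   ssh -i ~/.ssh/agent_key agent@web01 sh -s -- check apachectl /etc/httpd \
#       /var/sectigo-network-agent-certs < preflight.sh
if [ "${1:-}" = "check" ]; then
    check_remote_prereqs "$2" "$3" "$4"
fi
```

Run the key check with the passphrase-protected key you intend to reference in the SSH Key on Agent fields; the header line is readable without the passphrase. For Tomcat the third argument is the installation folder the agent writes JKS files into, which the requirements above place inside the Tomcat installation.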

To add F5 BIG-IP servers to a network agent, the following requirements must be satisfied:

  • The user must have the Administrator role, with terminal (CLI) access enabled, on the F5 BIG-IP system.

Add servers

Microsoft IIS

  1. Navigate to Integrations > Network Agents.

  2. Select your agent and click Edit to open the Edit Network Agent window.

  3. Select the Servers tab and click the Add icon.

  4. Provide a server name and select Microsoft IIS 10.

  5. Select a Connection type.

    As of network agent version 5.0, network agents use PowerShell for certificate installation, except for the (legacy) connection types, which still use native Windows executables.

    • Local

    • Local (legacy)

    • Remote (WinRM)

      1. Enter the Host name/IP address of the remote server.

        Use a host name rather than an IP address: Kerberos authentication builds the service principal name from the host name and cannot be used with an IP address.

      2. Enter the port of the remote server.

      3. Provide your authentication details.

        Username/Password

        1. Provide the username for accessing the server.

        2. Provide the password for accessing the server.

        Credential in Agent Store

        1. Provide the store name where the credentials are stored.

        2. Provide the credential ID for finding login credentials of the server.

          • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

            The ID format should be similar to the following:

            <param1>=<value>;<param2>=<value>;...
          • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

        • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

        • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

      4. Click Save.

    • Remote (SSH)

      1. Enter the Host name/IP address of the remote server.

      2. If the remote SSH server isn’t using the standard port, change the Port from 22.

      3. Provide your authentication details.

        Username/Password

        1. Provide the username for accessing the server.

        2. Provide the password for accessing the server.

        SSH Key on Agent

        1. If required, change the username.

        2. Provide the path to SSH key on the network agent server.

        3. Provide the key file passphrase.

        Credential in Agent Store

        1. Provide the store name where the credentials are stored.

        2. Provide the credential ID for finding login credentials of the server.

          • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

            The ID format should be similar to the following:

            <param1>=<value>;<param2>=<value>;...
          • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

          • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

          • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

      4. Click Save.

    • Remote (legacy)

      1. Enter the Host name/IP address of the remote server.

        Use a host name rather than an IP address: Kerberos authentication builds the service principal name from the host name and cannot be used with an IP address.

      2. Provide your authentication details.

        Username/Password

        1. Provide the username for accessing the server.

        2. Provide the password for accessing the server.

        Credential in Agent Store

        1. Provide the store name where the credentials are stored.

        2. Provide the credential ID for finding login credentials of the server.

          • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

            The ID format should be similar to the following:

            <param1>=<value>;<param2>=<value>;...
          • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

          • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

          • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

      3. Click Save.

  6. Click Save.

Apache

  1. Navigate to Integrations > Network Agents.

  2. Select your agent and click Edit to open the Edit Network Agent window.

  3. Select the Servers tab and click the Add icon.

  4. Provide a server name and select Apache 2.4.

  5. (Optional) Enter the path of apachectl.

    This can be left blank if apachectl is on the PATH of the account the agent uses.

  6. Select a Connection type.

    • Local

    • Remote (SSH)

      1. Enter the Host name/IP address of the remote server.

      2. If the remote SSH server isn’t using the standard port, change the Port from 22.

      3. If required, change the path of the directory where certificate files will be written on the remote server (default /var/sectigo-network-agent-certs).

      4. Provide your authentication details.

        Username/Password

        1. Provide the username for accessing the server.

        2. Provide the password for accessing the server.

        SSH Key on Agent

        1. If required, change the username.

        2. Provide the path to SSH key on the network agent server.

        3. Provide the key file passphrase.

        Credential in Agent Store

        1. Provide the store name where the credentials are stored.

        2. Provide the credential ID for finding login credentials of the server.

          • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

            The ID format should be similar to the following:

            <param1>=<value>;<param2>=<value>;...
          • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

          • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

          • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

  7. Click Save.

Apache Tomcat

  1. Navigate to Integrations > Network Agents.

  2. Select your agent and click Edit to open the Edit Network Agent window.

  3. Select the Servers tab and click the Add icon.

  4. Provide a server name and select Apache Tomcat 7.x, 9.x.

  5. (Optional) Enter the path to the Tomcat installation.

    This can be left blank on Linux if the default install location was used.

  6. (Linux only) Select a Connection type.

    • Local

    • Remote (SSH)

      1. Enter the Host name/IP address of the remote server.

      2. If the remote SSH server isn’t using the standard port, change the Port from 22.

      3. Provide your authentication details.

        Username/Password

        1. Provide the username for accessing the server.

        2. Provide the password for accessing the server.

        SSH Key on Agent

        1. If required, change the username.

        2. Provide the path to SSH key on the network agent server.

        3. Provide the key file passphrase.

        Credential in Agent Store

        1. Provide the store name where the credentials are stored.

        2. Provide the credential ID for finding login credentials of the server.

          • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

            The ID format should be similar to the following:

            <param1>=<value>;<param2>=<value>;...
          • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

          • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

          • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

  7. Click Save.

F5 BIG-IP

  1. Navigate to Integrations > Network Agents.

  2. Select your agent and click Edit to open the Edit Network Agent window.

  3. Select the Servers tab and click the Add icon.

  4. Provide a server name and select F5 BIG-IP.

    Only remote auto-installation is supported on F5 BIG-IP. Remote installation is performed using the F5 REST API.

  5. Enter the Host name/IP address of the remote server.

  6. If the remote F5 server isn’t using the standard port, change the Port from 443.

  7. Provide your authentication details.

    Username/Password

    1. Provide the username for accessing the server.

    2. Provide the password for accessing the server.

    Credential in Agent Store

    1. Provide the store name where the credentials are stored.

    2. Provide the credential ID for finding login credentials of the server.

      • CyberArk Vault — The ID is a set of key value pairs, separated by semicolons, that would typically go in a query parameter string used to retrieve a specific credential from the CyberArk Central Credential Provider.

        The ID format should be similar to the following:

        <param1>=<value>;<param2>=<value>;...
      • HashiCorp Vault — The ID is the path of the required secret in HashiCorp vault. This path is relative to the --rootpath specified when adding the credential store.

      • Delinea Secret Server — The ID is the unique Secret ID of the Delinea secret.

      • Local credential store — The ID is the unique identifying string of the credential in the local credential store.

  8. Click Save.

Once added, the server state is displayed as Init until the network agent validates the connection; once the connection has been validated, the server state changes to Active.

Viewing Server Nodes

A server node is a single listening endpoint (protocol, IP address and port) on a server that handles web requests and may have SSL enabled.

To view server nodes, navigate to Integrations > Network Agents, select your agent, and click Nodes.

Network agent server nodes

Each server is displayed as a collapsible heading that shows the name of the server, the vendor, and the server state.

Column        Description

Name          The name of the node.
Alias         The alias for the node (if available).
Protocol      Whether the node is connected through HTTP or HTTPS.
IP Address    The IP address of the node.
Port          The port used to connect to the node.
SSL           The order number of the certificate associated with the node. Discovered certificates that have not been assigned to an organization or department are displayed as External.

Click the value in the SSL column for any given node to view or manage the associated SSL certificate.