
Upgrade the agent certificate

Created by Seamus.Enright, last modified by Steve.Hawkins on Sep 13, 2017


Updated: September 13, 2017

Overview

This article describes how to upgrade the agent certificate.

Environment

  • Orion Server
  • Agent Management Service (AMS) business layer on Orion Server
  • SolarWinds Information Service (SWIS) is installed on additional pollers and websites
  • Agent

Prerequisites

  • Valid Orion certificate
  • Agent can communicate with AMS

Upgrade process in AMS

  1. AMS receives a new Orion certificate file from Core.
  2. AMS generates a new agent provisioning certificate.
  3. AMS creates a special message to all agents: Prepare for certificate upgrade. The message includes new Orion and Provision certificates. 
  4. AMS sends a message to all agents and tracks the response. If an agent does not receive the message and is connected, AMS resends the message.
  5. The agent receives the message with new certificates and stores them in a special location.
  6. Orion/AMS is upgraded to use the new Orion and Provision certificates. All agent certificates must be removed from the Orion/AMS database at this point (PKCS12 and Cert tables only).
  7. The agent's chain verification fails. If a signing certificate failure occurs, the agent checks whether the signing certificate in the chain matches the new Orion certificate. If it does, the agent installs the new Orion and provisioning certificates and starts the re-provisioning process.
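The agent-side half of this sequence (steps 5 and 7), written out as an added illustration that is not SolarWinds agent code. Certificates are modelled as plain records whose body is a constructed byte string standing in for DER, and trust is decided by comparing SHA-256 fingerprints of those bodies rather than by real X.509 signature verification; the names Cert, Agent, receive_prepare_message and connect are this example's own.

```python
"""Agent behaviour during an Orion certificate upgrade (added example)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    body: bytes  # constructed stand-in for the DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


class ChainVerificationError(Exception):
    """Raised when the signing certificate of a chain is not trusted."""


class Agent:
    def __init__(self, trusted_root: Cert, provisioning_cert: Cert) -> None:
        self.trusted_root = trusted_root
        self.provisioning_cert = provisioning_cert
        # The "special location": certificates from the
        # "Prepare for certificate upgrade" message, stored but not yet in use.
        self.staged_root: Optional[Cert] = None
        self.staged_provisioning: Optional[Cert] = None
        self.reprovision_count = 0

    def receive_prepare_message(self, new_root: Cert, new_provisioning: Cert) -> str:
        """Step 5: store the new Orion and provisioning certificates aside."""
        self.staged_root = new_root
        self.staged_provisioning = new_provisioning
        return "ack"

    def verify_chain(self, chain: List[Cert]) -> None:
        """Chain is ordered [leaf, ..., root]; the root is the signing certificate."""
        signing = chain[-1]
        if signing.fingerprint() != self.trusted_root.fingerprint():
            raise ChainVerificationError(signing.subject)

    def connect(self, server_chain: List[Cert]) -> str:
        """Step 7: on a signing-certificate failure, fall back to the staged root only."""
        try:
            self.verify_chain(server_chain)
            return "connected"
        except ChainVerificationError:
            signing = server_chain[-1]
            staged_matches = (
                self.staged_root is not None
                and signing.fingerprint() == self.staged_root.fingerprint()
            )
            if not staged_matches:
                # Unknown signer and nothing staged that matches it: refuse.
                return "rejected"
            # Install the staged certificates and start re-provisioning.
            self.trusted_root = self.staged_root
            self.provisioning_cert = self.staged_provisioning
            self.staged_root = None
            self.staged_provisioning = None
            self.reprovision_count += 1
            return "reprovisioned"


def demo() -> List[str]:
    """Run the upgrade sequence from one agent's point of view (constructed certs)."""
    old_root = Cert("SolarWinds Orion", "SolarWinds Orion", b"constructed-old-orion-root")
    new_root = Cert("SolarWinds Orion", "SolarWinds Orion", b"constructed-new-orion-root")
    rogue_root = Cert("Not Orion", "Not Orion", b"constructed-rogue-root")
    old_prov = Cert("agent-provisioning", "SolarWinds Orion", b"constructed-old-prov")
    new_prov = Cert("agent-provisioning", "SolarWinds Orion", b"constructed-new-prov")
    leaf = Cert("orion-server", "SolarWinds Orion", b"constructed-server-leaf")

    agent = Agent(old_root, old_prov)
    results = [
        agent.connect([leaf, old_root]),    # before the upgrade: connected
        agent.connect([leaf, new_root]),    # new root but nothing staged: rejected
    ]
    agent.receive_prepare_message(new_root, new_prov)  # steps 3 to 5
    results += [
        agent.connect([leaf, new_root]),    # step 7: reprovisioned
        agent.connect([leaf, new_root]),    # new root now trusted: connected
        agent.connect([leaf, rogue_root]),  # unrelated signer: rejected
        agent.connect([leaf, old_root]),    # old root no longer trusted: rejected
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the fallback is that the agent accepts an unknown signer only when it is byte-for-byte the certificate that AMS staged earlier over the still-trusted connection; a chain signed by anything else, including the old root after the switch, is refused.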

Upgrade process in scope of whole Orion


  1. When the Core Business Layer (BL) starts, it checks the current certificate for an MD5 signature. If no MD5 signature exists, it does nothing.
  2. Core generates a new certificate with a SHA1 signature from the previous certificate and places it on the disk.
  3. At the same time, AMS starts updating the agents (if auto-update is enabled).
  4. Core sends AMS the path to the new certificate.
  5. AMS generates a new provisioning certificate and sends it with the new public Orion certificate to all agents.
  6. AMS distributes the new certificate to all AMS instances on the pollers and sends it to all agents connected to these pollers.
  7. Core intermittently asks the AMS whether it has updated all agent certificates until it receives a positive response.
  8. Core replaces the certificate with the new certificate and lets the AMS know that the certificate was upgraded.
  9. AMS deletes all existing certificates from the database, saves the new provisioning certificate, and restarts the endpoint.
  10. All agents reconnect and re-provision using the new certificate.
  11. Core calls the new SWIS verb Orion.Environment.SyncCertificateWithDatabase on all additional pollers and websites. This verb loads the certificate from the database, replacing the local copy. If the poller is running AMS, it notifies AMS that the certificate was replaced.

If Core does not receive a positive response from the AMS confirming that all agents were updated, it informs the user that some agents are not ready for a certificate upgrade and asks whether to continue. This allows the user to ignore invalid agents. This notification can be displayed in the Notification panel, on the website, or in a visible component such as a global website popup.
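The Core and AMS side of the same process (sending the prepare message, resending only to connected agents that did not respond, polling for completion, and the "some agents are not ready" decision), as an added simulation that is not SolarWinds code. Agents are simulated in-process, the message is an opaque string standing in for the AgentCertificateUpdate attachment, and the names SimulatedAgent, AgentManagementService, Core, retry_pending and run_upgrade are this example's own.

```python
"""Core/AMS orchestration of an agent certificate upgrade (added example)."""
from typing import Callable, Dict, List, Set, Tuple


class SimulatedAgent:
    def __init__(self, agent_id: str, connected: bool, drop_first: int = 0) -> None:
        self.agent_id = agent_id
        self.connected = connected
        self.drop_first = drop_first  # deliveries this agent misses before responding
        self.prepared = False

    def deliver(self, message: str) -> bool:
        """Return True if the agent received the message and responded."""
        if not self.connected:
            return False
        if self.drop_first > 0:
            self.drop_first -= 1
            return False
        self.prepared = True
        return True


class AgentManagementService:
    def __init__(self, agents: List[SimulatedAgent]) -> None:
        self.agents: Dict[str, SimulatedAgent] = {a.agent_id: a for a in agents}
        self.acked: Set[str] = set()      # agents that responded to the message
        self.send_log: List[str] = []     # one entry per delivery attempt

    def _send(self, agent: SimulatedAgent, message: str) -> None:
        self.send_log.append(agent.agent_id)
        if agent.deliver(message):
            self.acked.add(agent.agent_id)

    def prepare_all(self, message: str) -> None:
        """Send 'Prepare for certificate upgrade' to every agent and track responses."""
        for agent in self.agents.values():
            self._send(agent, message)

    def retry_pending(self, message: str) -> None:
        """Resend only to agents that are connected but have not responded."""
        for agent in self.agents.values():
            if agent.agent_id not in self.acked and agent.connected:
                self._send(agent, message)

    def all_agents_updated(self) -> bool:
        return self.acked == set(self.agents)

    def agents_not_ready(self) -> List[str]:
        return sorted(set(self.agents) - self.acked)


class Core:
    def __init__(self, ams: AgentManagementService, max_polls: int = 3) -> None:
        self.ams = ams
        self.max_polls = max_polls

    def run_upgrade(self, message: str,
                    user_continues: Callable[[List[str]], bool]) -> Tuple[str, List[str]]:
        """Poll AMS until every agent responded, then let the user decide about the rest."""
        self.ams.prepare_all(message)
        polls = 0
        while not self.ams.all_agents_updated() and polls < self.max_polls:
            self.ams.retry_pending(message)
            polls += 1
        not_ready = self.ams.agents_not_ready()
        if not not_ready:
            return "upgraded", []
        # Some agents never responded: the user may ignore them or stop here.
        if user_continues(not_ready):
            return "upgraded-ignoring-agents", not_ready
        return "aborted", not_ready


def demo(user_continues: Callable[[List[str]], bool] = lambda _: True):
    """Constructed fleet: one healthy agent, one disconnected, one that misses the first send."""
    agents = [
        SimulatedAgent("poller1-agent-a", connected=True),
        SimulatedAgent("poller1-agent-b", connected=False),
        SimulatedAgent("poller2-agent-c", connected=True, drop_first=1),
    ]
    ams = AgentManagementService(agents)
    core = Core(ams, max_polls=3)
    outcome, not_ready = core.run_upgrade("AgentCertificateUpdate.zip", user_continues)
    return outcome, not_ready, ams.send_log


if __name__ == "__main__":
    print(demo())
```

The disconnected agent is sent the message once and never retried, the agent that missed the first delivery is picked up by the retry, and the final decision is handed to the user with the list of agents that would be left with certificates AMS is about to delete.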

The AMS contract will be extended with methods that Core can call to check the state and provide the new certificate.

AMS message

AMS sends the AgentCertificateUpdate message with a ZIP file attachment.

The ZIP file contains the following certificates:

  • CA root certificate (SolarWinds Orion) in CER format.
  • Agent provisioning certificate in PKCS12 format. The password is the default provisioning password.

This scenario may not work on SolarWinds Network Performance Monitor (NPM) 11.5.3 if the old MD5 certificate contains an unaligned private key. This issue was resolved in NPM 12.0; otherwise, FixIt tool version 1.0.0.8 must be applied. See NetSuite cases NS976171 or NS974854 for more information.

Classification: Internal Use Only