Configuring the Agent Deployer for securing agents

Learn how to establish a secure connection between the Edge Flow Manager (EFM) and its agents. EFM's Agent Deployer provides a convenient way to handle the security configuration. When auto-configuration is enabled, the generated deployment script downloads a security bundle during agent setup, containing the agent's key and certificates along with the agent binary, so that EFM and the agent can communicate securely from the agent's first start without manual certificate handling.

There are two ways to sign the agent certificates:

  • Using your own Intermediate CA key and certificate to sign the agent certificates

    In this scenario, place your own private key and certificate, named efm-key.key and efm-cert.pem respectively, in the folder specified by the efm.agent-deployer.security.ca.location property. The private key must be encrypted with the password you set in efm.agent-deployer.security.ca.privateKeyPassword, otherwise EFM cannot use it to sign agent certificates.

  • Letting EFM generate a self-signed Root CA certificate

    During EFM startup, the application checks whether efm-cert.pem and efm-key.key are present in the configured folder. If they are missing, EFM generates them using the efm.agent-deployer.security.ca.* properties. In clustered mode, these files are synchronized between the EFM nodes as needed, so every node signs agent certificates with the same CA.
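The first option above, creating your own issuing CA and dropping it into the ca.location folder, is shown here as an added example; it is not part of the EFM documentation or product. It uses plain openssl: a throwaway root CA stands in for your organisation's real root (in practice you would have that root sign the intermediate CSR), the intermediate key is written as efm-key.key encrypted with AES-256-CBC under the password you will put in efm.agent-deployer.security.ca.privateKeyPassword, and its certificate as efm-cert.pem. The PEM encoding openssl emits for an encrypted key (PKCS#8 on current versions) is an assumption here, since this page does not state which encodings EFM accepts; confirm against your release before relying on it. The check function verifies what a practitioner should verify before starting EFM: the key decrypts with the configured password, key and certificate belong together, the certificate is a CA, and it chains to the root.

```bash
#!/usr/bin/env bash
# Added example (not EFM code): build an issuing CA for the Agent Deployer.
set -euo pipefail

# make_efm_ca <out_dir> <password>
#   <out_dir>  : the directory named by efm.agent-deployer.security.ca.location
#   <password> : the value of efm.agent-deployer.security.ca.privateKeyPassword
#   Writes efm-key.key (AES-256-CBC encrypted) and efm-cert.pem into <out_dir>,
#   plus root-cert.pem so that the chain can be verified locally.
make_efm_ca() {
  local out_dir=$1 password=$2 work
  work=$(mktemp -d)
  mkdir -p "$out_dir"

  # 1. Stand-in root CA (constructed for this example; use your real root instead).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$work/root.ext"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/root-key.pem" 2>/dev/null
  openssl req -new -key "$work/root-key.pem" -subj "/CN=example-root-ca" -out "$work/root.csr" 2>/dev/null
  openssl x509 -req -in "$work/root.csr" -signkey "$work/root-key.pem" -days 3650 -sha256 \
    -extfile "$work/root.ext" -out "$work/root-cert.pem" 2>/dev/null

  # 2. Intermediate key, 4096-bit RSA like the EFM default, encrypted under the EFM password.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -aes-256-cbc -pass "pass:$password" -out "$out_dir/efm-key.key" 2>/dev/null

  # 3. Intermediate certificate signed by the root. pathlen:0 lets it issue agent
  #    (leaf) certificates but no further CAs.
  openssl req -new -key "$out_dir/efm-key.key" -passin "pass:$password" \
    -subj "/CN=efm-agent-issuing-ca" -out "$work/efm.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > "$work/efm.ext"
  openssl x509 -req -in "$work/efm.csr" -CA "$work/root-cert.pem" -CAkey "$work/root-key.pem" \
    -CAcreateserial -days 3650 -sha256 -extfile "$work/efm.ext" -out "$out_dir/efm-cert.pem" 2>/dev/null

  cp "$work/root-cert.pem" "$out_dir/root-cert.pem"
  rm -rf "$work"
}

# check_efm_ca <dir> <password>
#   Returns 0 only if efm-key.key decrypts with <password>, efm-cert.pem carries
#   the same public key, is marked CA:TRUE, and verifies against root-cert.pem.
check_efm_ca() {
  local dir=$1 password=$2 key_pub cert_pub
  key_pub=$(openssl pkey -in "$dir/efm-key.key" -passin "pass:$password" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$dir/efm-cert.pem" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ] || return 1
  openssl x509 -in "$dir/efm-cert.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$dir/root-cert.pem" "$dir/efm-cert.pem" >/dev/null 2>&1
}

# Usage (hypothetical paths): make_efm_ca /opt/efm/conf 'long-random-secret'
#                             check_efm_ca /opt/efm/conf 'long-random-secret' && echo "CA bundle OK"
```

Run the check with the exact password you intend to configure; a mismatch between the key's encryption password and efm.agent-deployer.security.ca.privateKeyPassword is the most common reason a user-supplied CA is not picked up.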

Minimal configuration

The default configuration is suitable for basic use cases. It enables security auto-configuration and generates a self-signed Root CA certificate, which is utilized for signing the agent certificates.

To enable this default configuration, ensure the following settings are in place:
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.ca.privateKeyPassword=password
Where:
  • efm.agent-deployer.security.autoConfiguration

    Enables automatic generation of the Root CA and agent certificates.

  • efm.agent-deployer.security.ca.privateKeyPassword

    Specifies the password used to encrypt the private key of the root certificate. The value password above is a placeholder; set a unique secret, because anyone who obtains efm-key.key and this password can issue certificates that EFM trusts for any agent.

Advanced configuration

For more control over the deployment, ensure the following settings are in place:
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.trustSelfSignedCertificates=true
efm.agent-deployer.security.accessTokenTtlMin=60
Where:
  • efm.agent-deployer.security.autoConfiguration

    Enables the automatic generation of the root CA and agent certificates.

  • efm.agent-deployer.security.trustSelfSignedCertificates

    Sets whether the generated agent configuration trusts self-signed certificates by default. You can override this value at any time under Show Advanced Configurations in the UI.

  • efm.agent-deployer.security.accessTokenTtlMin

    Sets, in minutes, how long a generated deployment command remains valid after it is created. Keep this short: the command carries the access token that lets the agent download its security bundle, so a leaked command is only useful until the token expires.

Root Certificate properties

These properties are used to generate the Root CA certificate. If you want to use your own key and certificate, set the efm.agent-deployer.security.ca.privateKeyPassword and efm.agent-deployer.security.ca.location properties and place the efm-key.key and efm-cert.pem files in that location; the generation properties (dn, key algorithm, key size, signing algorithm, validity) then only apply if those files are absent at startup.

efm.agent-deployer.security.ca.dn=CN=generated-efm-root-ca
efm.agent-deployer.security.ca.privateKeyAlgorithm=RSA
efm.agent-deployer.security.ca.privateKeyEncryptionAlgorithm=AES-256-CBC
efm.agent-deployer.security.ca.privateKeySize=4096
efm.agent-deployer.security.ca.privateKeyPassword=password
efm.agent-deployer.security.ca.certificateSigningAlgorithm=SHA256WITHRSA
efm.agent-deployer.security.ca.certificateValidityInDays=7305
efm.agent-deployer.security.ca.location=conf
Where:
  • efm.agent-deployer.security.ca.dn

    Specifies the Distinguished Name (DN) of the self-signed root certificate (if you are not providing your own certificate).

  • efm.agent-deployer.security.ca.privateKeyAlgorithm

    Sets the algorithm of the root certificate’s private key (default: RSA).

  • efm.agent-deployer.security.ca.privateKeyEncryptionAlgorithm

    Specifies the algorithm used for encrypting the root certificate’s private key (default: AES-256-CBC).

  • efm.agent-deployer.security.ca.privateKeySize

    Determines the number of bits for generated keys (default: 4096).

  • efm.agent-deployer.security.ca.privateKeyPassword

    The password for the private key.

  • efm.agent-deployer.security.ca.certificateSigningAlgorithm

    Sets the signature algorithm used to sign the root certificate (default: SHA256WITHRSA).

  • efm.agent-deployer.security.ca.certificateValidityInDays

    Specifies the validity period of the root certificate in days. The default is 20 years, which can be adjusted based on the security requirements.

  • efm.agent-deployer.security.ca.location

    The directory path where the efm-key.key and efm-cert.pem files are located (default: conf, relative to the EFM installation).

Agent Certificate properties

Agent keys and certificates are generated using these properties.

efm.agent-deployer.security.agent.privateKeyAlgorithm=RSA
efm.agent-deployer.security.agent.privateKeyEncryptionAlgorithm=AES-256-CBC
efm.agent-deployer.security.agent.privateKeySize=4096
efm.agent-deployer.security.agent.certificateSigningAlgorithm=SHA256WITHRSA
efm.agent-deployer.security.agent.certificateValidityInDays=7305
efm.agent-deployer.security.agent.keystoreType=JKS
efm.agent-deployer.security.agent.truststoreType=JKS
efm.agent-deployer.security.agent.location=conf
Where:
  • efm.agent-deployer.security.agent.privateKeyAlgorithm

    Specifies the algorithm of the agent’s private key (default: RSA).

  • efm.agent-deployer.security.agent.privateKeyEncryptionAlgorithm

    Sets the algorithm for encrypting the agent’s private key (default: AES-256-CBC).

  • efm.agent-deployer.security.agent.privateKeySize

    Determines the number of bits for generated keys (default: 4096).

  • efm.agent-deployer.security.agent.certificateSigningAlgorithm

    Sets the algorithm for signing agent certificates (default: SHA256WITHRSA).

  • efm.agent-deployer.security.agent.certificateValidityInDays

    Specifies the validity period for agent certificates in days. The default is 20 years; a shorter period limits how long a certificate from a lost or decommissioned device remains valid, so adjust it to your security requirements and your ability to redeploy agents.

  • efm.agent-deployer.security.agent.keystoreType

    For Java agents, you can configure the keystore type (default: JKS, other options are BCFKS, PKCS12).

  • efm.agent-deployer.security.agent.truststoreType

    For Java agents, you can configure the truststore type (default: JKS, other options are BCFKS, PKCS12).

  • efm.agent-deployer.security.agent.location

    The folder on the agent's device where the keystore, truststore, key and certificate are placed (default: conf).
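The Minimal, Advanced, Root Certificate and Agent Certificate properties above are easy to leave at their documentation example values. The following added example, which is not EFM code, is a pre-start check that reads an efm.properties file and flags the settings a practitioner would want caught: the placeholder password, undersized RSA keys, over-long agent certificate validity, and, when you supply your own CA, a key that does not decrypt with the configured password or does not match the certificate. The property names are the ones documented on this page; the thresholds (2048-bit keys, 1095-day agent certificates, a 1440-minute token TTL) are this script's own assumptions, not EFM defaults, and the sample properties in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not EFM code): lint Agent Deployer security properties before startup.
set -euo pipefail

MIN_RSA_BITS=2048          # assumption: anything smaller is not acceptable for a CA or agent key
MAX_AGENT_CERT_DAYS=1095   # assumption: site policy caps agent certificates at three years
MAX_TOKEN_TTL_MIN=1440     # assumption: deployment commands should not stay valid beyond a day

# efm_prop <properties-file> <key>: value of the last occurrence of <key>, or "".
efm_prop() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
    | cut -d= -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' || true
}

# check_efm_props <properties-file> [base-dir]
#   Prints one FINDING line per problem and returns 1 if there were any, else 0.
#   A relative efm.agent-deployer.security.ca.location is resolved against
#   <base-dir> (EFM resolves "conf" against its own installation directory).
check_efm_props() {
  local file=$1 base=${2:-.} findings=0
  local auto pw ca_bits ag_bits ag_days ttl loc dir key_pub cert_pub
  p() { efm_prop "$file" "efm.agent-deployer.security.$1"; }
  finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

  auto=$(p autoConfiguration);          pw=$(p ca.privateKeyPassword)
  ca_bits=$(p ca.privateKeySize);       ag_bits=$(p agent.privateKeySize)
  ag_days=$(p agent.certificateValidityInDays)
  ttl=$(p accessTokenTtlMin);           loc=$(p ca.location)

  [ "$auto" = "true" ] || finding "autoConfiguration is '$auto'; security bundles are only generated when it is true"
  [ -n "$pw" ] || finding "ca.privateKeyPassword is not set; EFM cannot encrypt or decrypt efm-key.key"
  [ "$pw" != "password" ] || finding "ca.privateKeyPassword is the documentation example value 'password'; set a unique secret"
  # Unset sizes and validity fall back to the documented defaults (4096 bits, 7305 days).
  [ "${ca_bits:-4096}" -ge "$MIN_RSA_BITS" ] || finding "ca.privateKeySize=$ca_bits is below $MIN_RSA_BITS bits"
  [ "${ag_bits:-4096}" -ge "$MIN_RSA_BITS" ] || finding "agent.privateKeySize=$ag_bits is below $MIN_RSA_BITS bits"
  [ "${ag_days:-7305}" -le "$MAX_AGENT_CERT_DAYS" ] || finding "agent.certificateValidityInDays=${ag_days:-7305} exceeds the assumed policy of $MAX_AGENT_CERT_DAYS days"
  [ -z "$ttl" ] || [ "$ttl" -le "$MAX_TOKEN_TTL_MIN" ] || finding "accessTokenTtlMin=$ttl keeps generated deployment commands usable for more than $MAX_TOKEN_TTL_MIN minutes"

  # User-supplied CA material: it must decrypt with the configured password and match the certificate.
  dir="$base/${loc:-conf}"
  case "${loc:-conf}" in /*) dir=$loc ;; esac
  if [ -f "$dir/efm-key.key" ] && [ -f "$dir/efm-cert.pem" ]; then
    if command -v openssl >/dev/null 2>&1; then
      key_pub=$(openssl pkey -in "$dir/efm-key.key" -passin "pass:$pw" -pubout 2>/dev/null) \
        || finding "efm-key.key in $dir does not decrypt with ca.privateKeyPassword"
      cert_pub=$(openssl x509 -in "$dir/efm-cert.pem" -noout -pubkey 2>/dev/null) \
        || finding "efm-cert.pem in $dir is not a readable PEM certificate"
      if [ -n "$key_pub" ] && [ -n "$cert_pub" ] && [ "$key_pub" != "$cert_pub" ]; then
        finding "efm-key.key and efm-cert.pem in $dir do not belong to the same key pair"
      fi
    fi
  elif [ -f "$dir/efm-key.key" ] || [ -f "$dir/efm-cert.pem" ]; then
    finding "only one of efm-key.key / efm-cert.pem is present in $dir; supply both or neither"
  else
    echo "INFO: no CA material in $dir; EFM will generate a self-signed root CA at startup"
  fi
  [ "$findings" -eq 0 ]
}

# Usage (hypothetical path): check_efm_props /opt/efm/conf/efm.properties /opt/efm
```

Run it from your deployment pipeline with the same efm.properties and install directory EFM will start with; an exit status of 1 blocks the rollout until the listed findings are fixed.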