Configuring the Agent Deployer for securing agents
Learn how to establish a secure connection between Edge Flow Manager and its agents. Edge Flow Manager's agent deployer provides a convenient way to handle the security configuration: with auto-configuration enabled, the generated deployment script downloads a security bundle during agent setup that contains the agent's certificates along with its binary, so the agent can communicate with Edge Flow Manager over an authenticated, encrypted channel from its first start.
There are two ways to sign the agent certificates:
- Using your own Intermediate CA key and certificate to sign the agent certificate
In this scenario, place your own certificate and private key, named efm-cert.pem and efm-key.key respectively, in the folder specified by the efm.agent-deployer.security.ca.location property, and set efm.agent-deployer.security.ca.privateKeyPassword to the password that protects that key.
- Letting Edge Flow Manager generate a self-signed Root CA certificate
During Edge Flow Manager startup, the application checks whether efm-cert.pem and efm-key.key are present in the configured folder. If they are missing, EFM generates them using the efm.agent-deployer.security.ca.* properties. In clustered mode, these files are synchronized between the Edge Flow Manager nodes as needed.
Minimal configuration
The default configuration is suitable for basic use cases. It enables security auto-configuration and generates a self-signed Root CA certificate, which is utilized for signing the agent certificates.
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.ca.privateKeyPassword=password
- efm.agent-deployer.security.autoConfiguration
Enables the automatic generation of the Root CA and agent certificates.
- efm.agent-deployer.security.ca.privateKeyPassword
Specifies the password protecting the private key of the Root CA certificate. Replace the example value before deploying; it also has to match the key in efm-key.key if you supply your own.
Advanced configuration
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.trustSelfSignedCertificates=true
efm.agent-deployer.security.accessTokenTtlMin=60
- efm.agent-deployer.security.autoConfiguration
Enables the automatic generation of the root CA and agent certificates.
- efm.agent-deployer.security.trustSelfSignedCertificates
Controls whether agents are configured to trust self-signed certificates by default. You can override this setting at any time under Show Advanced Configurations in the UI.
- efm.agent-deployer.security.accessTokenTtlMin
Sets how long, in minutes, a generated deployment command (that is, the access token embedded in it) remains usable after it is generated. Keep the value short so that a command that leaks from a ticket, chat or shell history cannot be reused later.
Root Certificate properties
These properties are used to generate the Root CA certificate. If you wish to use your own key and certificate, set only the efm.agent-deployer.security.ca.privateKeyPassword and efm.agent-deployer.security.ca.location properties and place the efm-cert.pem and efm-key.key files in that location; the remaining ca.* properties apply only when EFM generates the Root CA itself.
efm.agent-deployer.security.ca.dn=CN=generated-efm-root-ca
efm.agent-deployer.security.ca.privateKeyAlgorithm=RSA
efm.agent-deployer.security.ca.privateKeyEncryptionAlgorithm=AES-256-CBC
efm.agent-deployer.security.ca.privateKeySize=4096
efm.agent-deployer.security.ca.privateKeyPassword=password
efm.agent-deployer.security.ca.certificateSigningAlgorithm=SHA256WITHRSA
efm.agent-deployer.security.ca.certificateValidityInDays=7305
efm.agent-deployer.security.ca.location=conf
- efm.agent-deployer.security.ca.dn
Specifies the Distinguished Name (DN) of the self-signed root certificate (if you are not providing your own certificate).
- efm.agent-deployer.security.ca.privateKeyAlgorithm
Sets the algorithm of the root certificate’s private key (default: RSA).
- efm.agent-deployer.security.ca.privateKeyEncryptionAlgorithm
Specifies the algorithm used for encrypting the root certificate’s private key (default: AES-256-CBC).
- efm.agent-deployer.security.ca.privateKeySize
Determines the number of bits for generated keys (default: 4096).
- efm.agent-deployer.security.ca.privateKeyPassword
The password protecting the Root CA private key.
- efm.agent-deployer.security.ca.certificateSigningAlgorithm
Sets the signature algorithm used when generating the root certificate (default: SHA256WITHRSA).
- efm.agent-deployer.security.ca.certificateValidityInDays
Specifies the validity period of the root certificate in days. The default of 7305 days (roughly 20 years) can be shortened to match your security requirements.
- efm.agent-deployer.security.ca.location
The directory path where the efm-key.key and efm-cert.pem files are located.
Agent Certificate properties
Agent keys and certificates are generated using these properties.
efm.agent-deployer.security.agent.privateKeyAlgorithm=RSA
efm.agent-deployer.security.agent.privateKeyEncryptionAlgorithm=AES-256-CBC
efm.agent-deployer.security.agent.privateKeySize=4096
efm.agent-deployer.security.agent.certificateSigningAlgorithm=SHA256WITHRSA
efm.agent-deployer.security.agent.certificateValidityInDays=7305
efm.agent-deployer.security.agent.keystoreType=JKS
efm.agent-deployer.security.agent.truststoreType=JKS
efm.agent-deployer.security.agent.location=conf
- efm.agent-deployer.security.agent.privateKeyAlgorithm
Specifies the algorithm of the agent’s private key (default: RSA).
- efm.agent-deployer.security.agent.privateKeyEncryptionAlgorithm
Sets the algorithm for encrypting the agent’s private key (default: AES-256-CBC).
- efm.agent-deployer.security.agent.privateKeySize
Determines the number of bits for generated keys (default: 4096).
- efm.agent-deployer.security.agent.certificateSigningAlgorithm
Sets the algorithm for signing agent certificates (default: SHA256WITHRSA).
- efm.agent-deployer.security.agent.certificateValidityInDays
Specifies the validity period of agent certificates in days. The default of 7305 days (roughly 20 years) can be shortened to match your security requirements; a shorter lifetime limits how long a stolen agent key stays usable.
- efm.agent-deployer.security.agent.keystoreType
For Java agents, you can configure the keystore type (default: JKS, other options are BCFKS, PKCS12).
- efm.agent-deployer.security.agent.truststoreType
For Java agents, you can configure the truststore type (default: JKS, other options are BCFKS, PKCS12).
- efm.agent-deployer.security.agent.location
The folder on the agent's device where the keystore, truststore, key and certificate are placed (default: conf).
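The following script audits the settings listed above (both the Root CA and the agent properties) and the operator-supplied efm-cert.pem / efm-key.key pair before Edge Flow Manager is started. It is an added example, not EFM code: the property names are the ones documented on this page, while the validity and token-TTL thresholds, the weak-password list and the expectation that efm-key.key is a password-protected PEM key are this example's own assumptions. The sample properties and PEM bodies are constructed inline so the script runs offline.

```python
"""Offline audit of the efm.agent-deployer.security.* settings.

Added example (not EFM code). Property names are the ones documented
for EFM; the thresholds and the expectation that efm-key.key is a
password-encrypted PEM file are this example's own assumptions.
"""
import os
import re
import tempfile

PREFIX = "efm.agent-deployer.security."
MAX_VALIDITY_DAYS = 3 * 365   # assumption: longer-lived certs get a warning
MAX_TOKEN_TTL_MIN = 24 * 60   # assumption: a deploy command should die within a day
WEAK_PASSWORDS = {"", "password", "changeit"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_pem_pair(cert_path, key_path):
    """Header-level checks on an operator-supplied CA cert/key pair."""
    findings = []
    with open(cert_path) as f:
        cert = f.read()
    with open(key_path) as f:
        key = f.read()
    if "-----BEGIN CERTIFICATE-----" not in cert:
        findings.append(("HIGH", "efm-cert.pem has no PEM CERTIFICATE block"))
    # PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label; legacy
    # OpenSSL PEM marks encryption with a Proc-Type header instead.
    encrypted = ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in key
                 or re.search(r"^Proc-Type: 4,ENCRYPTED", key, re.M) is not None)
    if not encrypted:
        findings.append(("HIGH", "efm-key.key is not a password-protected PEM key"))
    return findings


def audit(props, base_dir):
    """Return (severity, message) findings for a parsed properties map."""
    findings = []

    def get(name, default=""):
        return props.get(PREFIX + name, default)

    if get("autoConfiguration", "false").lower() == "true":
        if get("ca.privateKeyPassword") in WEAK_PASSWORDS:
            findings.append(("HIGH", "ca.privateKeyPassword is empty or a well-known default"))
    if get("trustSelfSignedCertificates", "false").lower() == "true":
        findings.append(("MEDIUM", "trustSelfSignedCertificates=true: agents trust self-signed certs by default"))
    for scope in ("ca", "agent"):
        days = get(scope + ".certificateValidityInDays")
        if days.isdigit() and int(days) > MAX_VALIDITY_DAYS:
            findings.append(("LOW", f"{scope}.certificateValidityInDays={days} exceeds {MAX_VALIDITY_DAYS}"))
    ttl = get("accessTokenTtlMin")
    if ttl.isdigit() and int(ttl) > MAX_TOKEN_TTL_MIN:
        findings.append(("LOW", f"accessTokenTtlMin={ttl} exceeds {MAX_TOKEN_TTL_MIN}"))

    # EFM looks for the pair in ca.location; a lone file is a misconfiguration.
    ca_dir = os.path.join(base_dir, get("ca.location", "conf"))
    cert = os.path.join(ca_dir, "efm-cert.pem")
    key = os.path.join(ca_dir, "efm-key.key")
    have_cert, have_key = os.path.isfile(cert), os.path.isfile(key)
    if have_cert != have_key:
        findings.append(("HIGH", "only one of efm-cert.pem / efm-key.key is present in " + ca_dir))
    elif have_cert:
        findings.extend(check_pem_pair(cert, key))
    return findings


# Constructed sample inputs; the PEM bodies are placeholders, only headers are inspected.
WEAK_PROPERTIES = """\
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.trustSelfSignedCertificates=true
efm.agent-deployer.security.accessTokenTtlMin=60
efm.agent-deployer.security.ca.privateKeyPassword=password
efm.agent-deployer.security.ca.certificateValidityInDays=7305
efm.agent-deployer.security.agent.certificateValidityInDays=7305
efm.agent-deployer.security.ca.location=conf
"""
HARDENED_PROPERTIES = """\
efm.agent-deployer.security.autoConfiguration=true
efm.agent-deployer.security.trustSelfSignedCertificates=false
efm.agent-deployer.security.accessTokenTtlMin=60
efm.agent-deployer.security.ca.privateKeyPassword=Correct-Horse-Battery-Staple
efm.agent-deployer.security.ca.certificateValidityInDays=730
efm.agent-deployer.security.agent.certificateValidityInDays=365
efm.agent-deployer.security.ca.location=conf
"""
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"


def run_audit(properties_text, key_pem):
    """Write the constructed files into a scratch 'conf' dir and audit them."""
    with tempfile.TemporaryDirectory() as base:
        conf = os.path.join(base, "conf")
        os.mkdir(conf)
        with open(os.path.join(conf, "efm-cert.pem"), "w") as f:
            f.write(CERT)
        with open(os.path.join(conf, "efm-key.key"), "w") as f:
            f.write(key_pem)
        return audit(parse_properties(properties_text), base)


if __name__ == "__main__":
    for sev, msg in run_audit(WEAK_PROPERTIES, PLAIN_KEY):
        print(f"[{sev}] {msg}")
```

Run against the weak sample (the page's advanced configuration with the default password, 20-year validity and an unencrypted key) the audit reports five findings; the hardened sample with an encrypted key reports none. Point `audit()` at your real efm.properties and EFM home directory to check a production install; the thresholds at the top are the knobs to adjust to your own policy.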