TECHNICAL WHITE PAPER / 9
Figure 3: Trust Chain in a Shared Collector-Agent Relationship
In addition, for Mutual Authentication in a shared Collector-Agent relationship, each Collector trusts the Agent
Certificate because that Agent Certificate was issued by a Collector Certificate which was, in turn, issued by the
trusted Enterprise Certificate. Because both Collectors trust the Enterprise Certificate, both can also trust an Agent
Certificate issued by any Collector Certificate that the Enterprise Certificate issued, even a Collector Certificate
other than their own.
Enterprise Certificates in VCM must have the following properties:
• Must be capable of signing certificate requests.
• The path length basic constraint, if present, must be at least two if the Collector certificate will be used for
issuing Agent certificates. This means that the Enterprise Certificate may issue a Collector Certificate that may
issue Agent Certificates.
• May be self-signed. If the certificate is self-signed, it will have to be trusted itself. Trust is bestowed by placing
the certificate in the Trusted Root store (Windows) or in the VCM store (UNIX). This represents a VCM-specific
trust chain.
• May be signed by another certificate in an existing PKI and placed in the trusted store.
• Must be stored in the local machine Trusted Root Certification Authorities store on the Windows Collector and
Agents (Windows only).
• On UNIX platforms, the Agent has a vendor-implemented certificate store. The Enterprise Certificate(s) must
be added to this store. One will be included during initial installation, and subsequent certificate(s) must be
added manually using the CSI_ManageCertificateStore utility included with your VCM UNIX Agent installation.
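The three-level chain and the path length requirement above can be checked with the openssl command line. The following is an added example, not VCM's own tooling or certificates: it builds a self-signed Enterprise Certificate, a Collector Certificate issued by it, and an Agent Certificate issued by the Collector, then verifies the Agent certificate while trusting only the Enterprise certificate (the role the Trusted Root store or VCM store plays). Subject names, the Collector's own pathlen:0, and the Agent's clientAuth usage are constructed assumptions, and the openssl CLI and mktemp are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the VCM white paper): Enterprise -> Collector ->
# Agent chain built with openssl, verified against the Enterprise cert only.
# Assumes openssl and mktemp are installed; all names below are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue <name> <subject> <x509v3 extensions, \n-separated> [issuer]
# Without an issuer the certificate is self-signed (the self-signed
# Enterprise Certificate case); otherwise it is signed with <issuer>'s key.
issue() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# chain_ok <enterprise pathlen>: build the chain with that path length
# constraint on the Enterprise Certificate; return 0 only if the Agent
# certificate verifies. The Collector certificate is supplied as an
# untrusted intermediate; only the Enterprise certificate is trusted.
chain_ok() {
  issue ent "/CN=Enterprise" \
    "basicConstraints=critical,CA:TRUE,pathlen:$1\nkeyUsage=critical,keyCertSign,cRLSign"
  issue col "/CN=Collector" \
    "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign" ent
  issue agt "/CN=Agent" \
    "basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth,serverAuth" col
  openssl verify -CAfile "$WORK/ent.pem" -untrusted "$WORK/col.pem" \
    "$WORK/agt.pem" >/dev/null 2>&1
}

# Path length two (the paper's stated minimum) lets the Collector issue Agent
# certificates; path length zero forbids any intermediate, so the same chain
# is rejected with "path length constraint exceeded".
chain_ok 2 && echo "pathlen:2 chain verifies"
chain_ok 0 || echo "pathlen:0 chain rejected"
```

Run the chain_ok function with the value you plan to put in your own Enterprise Certificate before deploying it; a Collector whose certificate cannot be verified this way will not be able to issue usable Agent Certificates.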
TLS Implementation for VCM