
Use the following information to secure an Uptime Infrastructure Monitor Monitoring Station to Windows Agent communication with TLS v1.2. Users must have administrator access to the machines on which you want to install and configure Agents and to the Monitoring Station.

Stunnel configuration

Configure stunnel so that it accepts only TLS 1.2. Modify the stunnel configuration file located at

C:\Program Files\uptime software\Uptime agent\stunnel\config\stunnel.conf

so that the [up.time agent] service section contains the following settings (each protocol version below TLS 1.2 is disabled with its own options line):

[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
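As an added example (not part of the original guide or of the Uptime product), the following Python script parses a stunnel.conf fragment and confirms that the [up.time agent] service listens on 9997, forwards to 9998, has a certificate, and has every protocol below TLS 1.2 disabled. stunnel repeats the options key, which ordinary INI parsers reject, so the parser keeps a list of values per key. The sample configuration embedded in the script is constructed from the fragment above.

```python
import re
from typing import Dict, List

# Constructed sample: the [up.time agent] fragment this guide prescribes.
SAMPLE_CONF = """\
[up.time agent]
accept = 9997
connect = 9998
cert = stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""
# Every protocol below TLS 1.2 must be switched off for a TLS 1.2-only endpoint.
REQUIRED_DISABLED = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1", "NO_TLSv1.1"}

def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse stunnel.conf into {section: {key: [values]}}; 'options' repeats."""
    sections: Dict[str, Dict[str, List[str]]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)  # [service] header
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections

def audit_agent_service(text: str, service: str = "up.time agent") -> List[str]:
    """Return findings; an empty list means TLS 1.2-only on the guide's ports."""
    svc = parse_stunnel_conf(text).get(service)
    if svc is None:
        return [f"section [{service}] not found"]
    findings = []
    if svc.get("accept") != ["9997"]:
        findings.append("accept must be 9997, the port the Monitoring Station uses")
    if svc.get("connect") != ["9998"]:
        findings.append("connect must be 9998, the plaintext agent port")
    if "cert" not in svc:
        findings.append("cert is missing; stunnel cannot serve TLS without it")
    for opt in sorted(REQUIRED_DISABLED - set(svc.get("options", []))):
        findings.append(f"options = {opt} is missing; that protocol stays enabled")
    return findings
```

Run audit_agent_service on the contents of the real stunnel.conf before starting the service; any finding means an older protocol or the wrong port is still exposed.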

Firewall modification

Create a firewall rule on the Agent machine that blocks incoming connections to port 9998, so that no unencrypted connection can be made to the Agent from other hosts; stunnel's own forward to 9998 stays on the local machine. Setting the firewall to notify you when applications are blocked is also a good idea, as it helps when configuring it alongside stunnel.

Run stunnel as a service on the Agent machine

Run stunnel as a service that starts when Windows starts, so that the connection is re-established after the Agent server is rebooted. Open a command prompt as an administrator, then change directory to the folder holding the stunnel configuration file edited in the Stunnel configuration section above, for example:

C:\users\robert>cd\Program Files\uptime software\Uptime agent\stunnel\config

Then run the stunnel executable from stunnel's bin folder with the -install switch (a plain ASCII hyphen, not a dash):

stunnel -install

For example:

C:\Program Files\uptime software\Uptime agent\stunnel\config>..\bin\stunnel.exe -install

Now open the Services control panel (Start > Run > services.msc), find the stunnel service and start it. Its startup type is already Automatic, but it is not yet running. When the service starts, reply Yes if the Windows firewall asks for confirmation.

Monitoring station configuration

In this step, you modify the Uptime Infrastructure Monitor configuration to restrict secure agent communications to the SSL/TLS version and ciphers you want to use. Run Notepad as an administrator, or use Notepad++. The configuration file is located in the Uptime Infrastructure Monitor installation directory, for example C:\uptime or C:\Program Files\uptime software\uptime if you chose the default.

At the end of the file, add the following lines:

#Agent connection security stuff
clientSocketTlsVersion= TLSv1.2

Note that this setting works the opposite way from the Agent setup: in stunnel you list the protocol versions NOT to use, whereas here you name the version to use. For this example, we allow only TLS 1.2, the strongest protocol version currently offered by IDERA.

Save the file after you make the modifications, then restart the Uptime Data Collector service on the Monitoring Station so it picks up the changes: open the Services control panel, right-click Uptime Data Collector, and select Restart. The restart may take several seconds to complete. If several minutes pass without it completing, open Task Manager, end the process, and then start the service manually.

Adding secured machines to Uptime or reconfiguring existing monitored servers

The final step in this process is to add the agent-based machine to Uptime, or to reconfigure it if it already exists. If you plan to use TLS 1.2 (or another version) on all agents, you can set this once in the global credentials settings under the Config tab in the top menu of Uptime's web interface. There is an option for PORT and a checkbox for SSL; for our purposes, "SSL" is a blanket term for "encryption". Change the PORT from 9998 to 9997 and check the SSL box. There are also options for PSK, which are outside the scope of this guide.

If you change the global credentials and any already-configured agent machines use the global settings but have NOT been secured as described above, those agents will stop working correctly! Agent machines that were added with their own settings rather than the global ones continue to work without issue.

To add a secured agent to Uptime, proceed exactly as you would normally add an agent-based machine, except that you check the SSL box and use port 9997 (or use the global configuration settings if you set those earlier in this step). Click "Infrastructure" in Uptime's top menu, then "Add system/network device" in the left menu, and choose the options just described.

To modify an existing agent machine that is already in Uptime and on which you have now set up secure communications, find the agent in Uptime (the easiest way is to type the hostname in the search field at the top). In the Info tab for that element, click the blue "Edit system profile and collection" button on the far right of the UI. In the pop-up window that appears, verify the settings. If you configured the global settings earlier and the element is set to use them, nothing more is needed. If it is set to anything other than port 9997 with SSL checked, change it to those settings and click Save. If the Monitoring Station can communicate with the agent, the save succeeds.

Last, and always important, TEST that everything works as expected. On the same Info screen, the left-hand menu has an option called "poll agent". Click it and wait a few seconds for the results. If everything is good, the output on screen should contain no complaints. If something is wrong, the likely causes are that the ciphers specified on the Monitoring Station and the Agent do not correspond, that the TLS or SSL versions do not match, or that the wrong ports were specified. If you followed this guide exactly, this should NOT be the case. Of course, if you can't get it working, give us a call!

This information is available online at:
http://docs.uptimesoftware.com/display/KB/Securing+the+Windows+Agent+with+SSL

If you would like to use a preshared key, read this:
http://docs.uptimesoftware.com/display/KB/Configuring+PSK+for+Agents

For more info configuring agents for specific levels and ciphers go here:
http://docs.uptimesoftware.com/display/KB/Configuring+Allowed+TLS+Versions+and+Ciphers+for+the+Monitoring+Station+and+Agents

Check out the Idera community forums at:

http://community.idera.com
