Configure the VMware Aria Operations for Logs Agent SSL Parameters

You can edit the VMware Aria Operations for Logs agent configuration file to change the SSL configuration, add a path to the trusted root certificates, and say whether the agent accepts certificates.

This procedure applies to the VMware Aria Operations for Logs agents for Windows and Linux.

Prerequisites

For the VMware Aria Operations for Logs Linux agent:

Log in as root or use sudo to run console commands.
Log in to the Linux machine on which you installed the VMware Aria Operations for Logs Linux agent, open a console and run pgrep liagent to verify that the VMware Aria Operations for Logs Linux agent is installed and running.

For the VMware Aria Operations for Logs Windows agent:

Log in to the Windows machine on which you installed the VMware Aria Operations for Logs Windows agent and start the services manager to verify that the VMware Aria Operations for Logs agent service is installed.

Procedure

Navigate to the folder containing the liagent.ini file.

Operating system	Path
Linux	/var/lib/loginsight-agent/
Windows	%ProgramData%\VMware\Log Insight Agent

Open the liagent.ini file in any text editor.

Add the following keys to the [server]section of the liagent.ini file.


Key	Description
ssl_ca_path	Overrides the default storage path for root Certificate Authority-signed certificates, which are used to verify connection peer certificates. When you provide a path for ssl_ca_path, you override the defaults for both Linux and Windows agents. You can use a file where multiple certificates in PEM format are concatenated or a directory that contains certificates are in PEM format and have names of the form hash.0. (See the -hash option of the x509 utility.) Linux: If no value is specified, the agent uses the value assigned to the LI_AGENT_SSL_CA_PATH environment variable. If that value is not present, the agent attempts to load trusted certificates from the/etc/pki/tls/certs/ca-bundle.crt file or from the /etc/ssl/certs/ca-certificates.crt file. Windows: If no value is specified, the agent uses the value specified by the LI_AGENT_SSL_CA_PATH environment variable. If that value is not present, the VMware Aria Operations for Logs Windows agent loads certificates from the Windows root certificate store.
ssl_accept_any	Defines whether any certificates are accepted by the VMware Aria Operations for Logs agent. The possible values are `yes`, `1`, `no`, or `0`. When the value is set to yes or 1, the agent accepts any certificate from the server and establish secure connection for sending data. The default value is no.
ssl_accept_any_trusted	The possible values are yes, 1, no, or 0. If the VMware Aria Operations for Logs agent has a locally stored trusted Certificate Authority-signed certificate and receives a different valid certificate signed by a different trusted Certificate Authority, it checks the configuration option. If the value is set to yes or 1, the agent accepts the new valid certificate. If the value is set to no or 0, it rejects the certificate and ends the connection. The default value is no.
ssl_cn	The `Common Name` of the self-signed certificate. The default value is `VMware vCenter Log Insight`. You can define a custom `Common Name` to be checked against the certificate `Common Name` field. The VMware Aria Operations for Logs agent compares the `Common Name` field of the received certificate to the host name specified for the `hostname` key in the `[server]` section. If they do not match, the agent checks the `Common Name` text box against the ssl_cn key in the liagent.ini file. If the values match, the VMware Aria Operations for Logs agent accepts the certificate.

Note: These keys are ignored if SSL is deactivated.

Save and close the liagent.ini file.

Example: Configuration

The following is an example of the SSL configuration for CA-signed certificates.

proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/var/lib/loginsight-agent/cert
ssl_accept_any=no
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT

The following is an example of the SSL configuration for accepting any type of certificates, including self-signed.

proto=cfapi
port=9543
ssl=yes
ssl_accept_any=yes