You can edit the Log Insight Agent configuration file to change the SSL configuration, add a path to the trusted root certificates, and specify whether the agent accepts any certificate.

If a certificate is not available, you can generate a self-signed certificate by following the instructions in Generate a Self-Signed Certificate for a Log Insight Agent.

The procedure for configuring SSL parameters applies to the Log Insight Agents for Windows and Linux.

Prerequisites

For the Linux agent:
  • Log in as root or use sudo to run console commands.
  • Log in to the Linux machine on which you installed the Log Insight Agent, open a console, and run pgrep liagent to verify that the Linux agent is installed and running.
For the Windows agent:
  • Log in to the Windows machine on which you installed the Log Insight Agent and start the Services manager to verify that the Windows agent service is installed.

Procedure

  1. Navigate to the folder containing the liagent.ini file.
    Operating system    Path
    Linux               /var/lib/loginsight-agent/
    Windows             %ProgramData%\VMware\Log Insight Agent
  2. Open the liagent.ini file in any text editor.
  3. Add the following keys to the [server] section of the liagent.ini file.
    Key Description
    ssl_ca_path

    Overrides the default storage path for root Certificate Authority-signed certificates, which are used to verify connection peer certificates.

    Linux: If no value is specified, the agent uses the value assigned to the LI_AGENT_SSL_CA_PATH environment variable. If the value is not present, the agent attempts to load trusted certificates from the /etc/pki/tls/certs/ca-bundle.crt file or from the /etc/ssl/certs/ca-certificates.crt file.

    Windows: If no value is specified, the agent uses the value specified by the LI_AGENT_SSL_CA_PATH environment variable. If the value is not present, the agent loads certificates from the Windows root certificate store.

    ssl_accept_any

    Defines whether any certificates are accepted by the Log Insight Agent. The possible values are yes, 1, no, or 0. When the value is set to yes or 1, the agent accepts any certificate from the Cloud Proxy and establishes a secure connection for sending data. The default value is no.

    Note: Because Cloud Proxy presents a self-signed certificate by default, you must set the value of ssl_accept_any to 1.
    Note: These keys are ignored if SSL is deactivated.
  4. Save and close the liagent.ini file.

Example: Configuration

The following is an example of the SSL configuration.

[server]
proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/pki/tls/certs/ca.pem
ssl_accept_any=no
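
The following Python check is an added example, not part of the product or its documentation: it reads the [server] section of a liagent.ini file and reports the effective trust settings, following the Linux fallback order for ssl_ca_path described in step 3. The function name, the result layout, and the assumption that the ssl key takes the same yes/1/no/0 values as ssl_accept_any are illustrative choices made for this example.

```python
import configparser
import os
import sys

# Linux fallback bundles listed in the ssl_ca_path description above.
LINUX_BUNDLES = ("/etc/pki/tls/certs/ca-bundle.crt",
                 "/etc/ssl/certs/ca-certificates.crt")
# Assumption: the ssl key uses the same value set documented for ssl_accept_any.
TRUE, FALSE = {"yes", "1"}, {"no", "0"}


def audit_server_ssl(ini_text, env=None, exists=os.path.exists):
    """Return (effective settings, findings); env/exists are injectable for offline review."""
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    server = cfg["server"] if cfg.has_section("server") else {}
    findings = []

    ssl = server.get("ssl", "").strip().lower() or None  # None: key not in the file
    accept_any = server.get("ssl_accept_any", "no").strip().lower()  # documented default: no
    if accept_any not in TRUE | FALSE:
        findings.append(f"ssl_accept_any has unexpected value {accept_any!r}")
    if ssl in FALSE:
        findings.append("ssl is deactivated: ssl_ca_path and ssl_accept_any are ignored")
    elif accept_any in TRUE:
        findings.append("ssl_accept_any is on: the agent accepts any certificate")

    # Resolution order: ini key, then LI_AGENT_SSL_CA_PATH, then a system bundle.
    if server.get("ssl_ca_path", "").strip():
        ca_path, source = server["ssl_ca_path"].strip(), "ini"
    elif env.get("LI_AGENT_SSL_CA_PATH"):
        ca_path, source = env["LI_AGENT_SSL_CA_PATH"], "env"
    else:
        ca_path = next((p for p in LINUX_BUNDLES if exists(p)), None)
        source = "system" if ca_path else None
    verifying = ssl not in FALSE and accept_any not in TRUE
    if verifying and not (ca_path and exists(ca_path)):
        findings.append(f"no readable CA path (source={source}, path={ca_path})")

    return {"ssl": ssl, "accept_any": accept_any in TRUE,
            "ca_path": ca_path, "ca_source": source}, findings


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to a liagent.ini copy
        print(audit_server_ssl(fh.read()))
```

An empty findings list means the agent is set to verify the peer certificate against a CA file that exists at the resolved path.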