Installing the public key PEM file for the vRealize Automation Manager Service Host in the correct guest agent folder is the most secure approach to configuring the guest agent to trust a server.
Place the cert.pem file (the public key PEM file of the Manager Service Host) in the guest agent folder on each template so that the guest agent trusts only that server:
Windows: the VRMGuestAgent folder on each template that uses the gugent
Linux: the /usr/share/gugent folder on each template that uses the gugent
If you do not put the cert.pem file in this location, the template reference machine has no trusted certificate for the Manager Service Host. For example, if you try to collect the public key after the VM has started, by altering scripts, you break the security condition: the guest agent then trusts whichever server it reaches first.
As an alternative, you can let the guest agent populate the trusted cert.pem file on first use, but this is less secure than manually installing the cert.pem file on each template. Consider this alternative if you use a single template for multiple servers. To allow the guest agent to trust the first server it connects to, create a template with no cert.pem file in the Windows VRMGuestAgent or Linux /usr/share/gugent directory. The guest agent writes the cert.pem file the first time it connects to a server.
Additional considerations apply, depending on your configured environment:
For WIM installations, you must add the public key PEM file contents to the PEBuilder console executable and user interface. The console flag is /cert filename.
For RedHat kickstart installations, you must cut and paste the public key into the sample file, otherwise the guest agent fails to execute.
For SCCM installation, the cert.pem file must reside in the VRMGuestAgent folder.
For Linux vSphere installs, the cert.pem file must reside in the /usr/share/gugent folder.
You can optionally install software and guest agents together by downloading the script provided at https://APPLIANCE/software/index.html. The script allows you to handle acceptance of SSL certificate fingerprints as you create the templates.
If you install the software and guest agent together, you do not need to use the instructions in Install the Guest Agent on a Linux Reference Machine or Install the Guest Agent on a Windows Reference Machine.
When no cert.pem file is present, the template always trusts the first system to which it connects. For security, if a cert.pem file already exists in the Windows VRMGuestAgent or Linux /usr/share/gugent directory, the guest agent does not accept a certificate from the server; it uses only the pinned cert.pem. If the server certificate changes, you must therefore remove the cert.pem file from the Windows VRMGuestAgent or Linux /usr/share/gugent directory. The guest agent installs the new cert.pem file the next time it connects to the server.
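The following audit script is an added example, not VMware code and not part of this documentation. It checks the trust state described above for a template: whether a cert.pem is pinned in the guest agent folder, whether that pin matches the certificate the Manager Service Host actually presents, and whether the template is still in first-use mode and would pin whichever server answers first. It assumes the default folder names given on this page (Windows VRMGuestAgent, Linux /usr/share/gugent; the Windows drive letter is an assumption) and that the Manager Service Host listens on TCP 443 (also an assumption). The fetch is deliberately unverified, because the point is to collect the server certificate for comparison, not to trust it.

```python
"""Audit the Manager Service Host certificate a vRealize Automation guest
agent template will trust.

Added example, not VMware code. Assumptions: the guest agent folders are the
defaults named in the documentation (Windows VRMGuestAgent, Linux
/usr/share/gugent; the Windows drive letter is assumed) and the Manager
Service Host is reached on TCP 443.
"""
import hashlib
import os
import ssl
import sys
from typing import Optional, Tuple

PINNED_NAME = "cert.pem"


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate in openssl's AA:BB:... form.

    ssl.PEM_cert_to_DER_cert only strips the PEM armour and base64-decodes,
    so the fingerprint is over the raw DER bytes, independent of line wrapping.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def read_pinned_pem(agent_dir: str) -> Optional[str]:
    """Return the pinned cert.pem from the guest agent folder, or None if absent."""
    path = os.path.join(agent_dir, PINNED_NAME)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def fetch_server_pem(host: str, port: int = 443) -> str:
    """PEM certificate the host presents. Deliberately unverified: like the
    agent on first use, this collects the certificate rather than trusting it."""
    return ssl.get_server_certificate((host, port))


def audit(pinned_pem: Optional[str], server_pem: str) -> Tuple[str, str]:
    """Classify the template's trust state.

    PINNED_OK   cert.pem present and identical to the server's certificate
    MISMATCH    cert.pem present but different: a stale pin after a certificate
                rotation, or a template populated by the wrong server on first use
    FIRST_USE   no cert.pem: the agent will pin whichever server answers first
    """
    server_fp = pem_fingerprint(server_pem)
    if pinned_pem is None:
        return "FIRST_USE", f"no {PINNED_NAME}; the agent would pin {server_fp} on first contact"
    pinned_fp = pem_fingerprint(pinned_pem)
    if pinned_fp == server_fp:
        return "PINNED_OK", f"pinned certificate matches the server: {pinned_fp}"
    return "MISMATCH", (f"pinned {pinned_fp} but server presents {server_fp}; remove "
                        f"{PINNED_NAME} only if the server certificate was legitimately rotated")


def default_agent_dir() -> str:
    # Folder names from the documentation; the Windows drive letter is an assumption.
    return r"C:\VRMGuestAgent" if os.name == "nt" else "/usr/share/gugent"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} MANAGER_SERVICE_HOST [AGENT_DIR]")
    host = sys.argv[1]
    agent_dir = sys.argv[2] if len(sys.argv) > 2 else default_agent_dir()
    status, detail = audit(read_pinned_pem(agent_dir), fetch_server_pem(host))
    print(f"{status}: {detail}")
    sys.exit(0 if status == "PINNED_OK" else 1)
```

Run it on the reference machine before converting it to a template: a PINNED_OK result means the template will only ever talk to that Manager Service Host, FIRST_USE means you are relying on the less secure trust-on-first-use path, and MISMATCH after a certificate rotation is the cue to delete cert.pem so the agent re-pins on its next connection.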