vRealize Hyperic supports the use of SSL communication for both server-to-agent and agent-to-server communications. It is good practice to configure vRealize Hyperic components to communicate with each other using SSL as part of the installation process.
Server-to-agent communication is always SSL.
You configure SSL for agent-to-server communication when you configure agent-server communications.
The vRealize Hyperic agent can manage products over SSL if it is supported by the product plug-in.
When the vRealize Hyperic server and a vRealize Hyperic agent communicate over SSL, each component validates the other's SSL certificate.
vRealize Hyperic Certificate Processing
The first time a vRealize Hyperic agent initiates a connection to the vRealize Hyperic server following installation, the server presents its SSL certificate to the agent. If the agent trusts the certificate that the server presented, the agent imports the server's certificate into its own keystore.
The agent trusts a server certificate:
If that certificate already exists in the agent's keystore.
If the certificate has the same CA as the agent's certificate.
By default, if the agent does not trust the certificate presented by the server, the agent issues a warning. You can terminate the configuration process and configure SSL. The vRealize Hyperic server and the vRealize Hyperic agent do not import untrusted certificates unless you respond
yes to the warning prompt.
It is possible to configure both components to accept untrusted certificates automatically, without warning. For security reasons, this practice is strongly discouraged. Check the values of
agent.setup.acceptUnverifiedCertificate (in AgentHome/conf/agent.properties) and
accept.unverified.certificates in ServerHome/conf/hq-server.conf.
vRealize Hyperic Server and SSL
If you are using the standard vRealize Hyperic setup.sh or
setup.bat installer, you install the vRealize Hyperic server's keystore before installing the server.
If you do not configure the server to use an existing keystore, and supply its location and password during server installation, the vRealize Hyperic installer creates a keystore for the server with a self-signed certificate. The keystore, named hyperic.keystore, is located in ServerHome/conf and uses the password
hyperic. The server presents the self-signed certificate when communicating with agents.
vRealize Hyperic Agent and SSL
To use SSL for agent-to-server communication, you install the vRealize Hyperic agent's keystore prior to first startup. If you use the vRealize Hyperic-generated keystores, you will need to update the password for each generated keystore.