Understanding of the main SSL functions can help you configure the Log Insight Agents properly.
- For Windows go to C:\ProgramData\VMware\Log Insight Agent\cert.
- For Linux go to /var/lib/loginsight-agent/cert.
- The Log Insight Linux Agent loads trusted certificates from /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-certificates.crt.
- The Log Insight Windows Agent uses system root certificates.
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives a different valid self-signed certificate with the same public key, then the agent accepts the new certificate. This can happen when a self-signed certificate is regenerated using the same private key but with different details like new expiration date. Otherwise, connection is rejected.
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives valid CA-signed certificate, the vRealize Log Insight Agent silently replaces new accepted certificate.
If the vRealize Log Insight Agent receives self-signed certificate after having a CA-signed certificate, the Log Insight Agent rejects it. The vRealize Log Insight Agent accepts self-signed certificate received from vRealize Log Insight Server only when it connects to the server for the first time.
If the vRealize Log Insight Agent has a locally stored CA-signed certificate and receives a valid certificate signed by another trusted CA, the Agent rejects it. You can modify the configuration options of the vRealize Log Insight Agent to accept the new certificate. See Configure the vRealize Log Insight Agent SSL Parameters.
vRealize Log Insight Agents communicate over TLSv.1.2. SSLv.3/TLSv.1.0 is disabled to meet security guidelines.