During agent activation, the agent can authenticate the identity of the Server & Workload Protection console by pinning the console's certificate (the trusted CA that issued it) to the agent. It does this by validating the connecting console's certificate path and ensuring that it is signed by a trusted Certificate Authority (CA). If the certificate path validates, console authentication passes and the agent activates. This prevents agents from activating against a malicious server that is impersonating Server & Workload Protection.

To protect your agents, configure each agent so that it can recognize its authorized manager before it tries to activate.
Procedure
- Run the following command to download the trusted CA certificate (the URL is quoted so the shell does not treat `?` as a glob):
curl 'https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.268214990.1906231865.1600974902-1043992707.1600974902' > ds_agent_dsm_public_ca.crt
- On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:
  - Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  - Linux/Unix: /var/opt/ds_agent/dsa_core
What to do next
Note: If you are activating agent version 20.0.1412+, the following error message appears upon activation, which indicates that you have not pinned Server & Workload Protection's certificate to the agent:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate |
Pinning a trusted certificate is optional, so you can ignore this error if it doesn't
apply to you. However, if you'd like to use a trusted certificate, follow the steps
in the section above before activating the agent.
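The script below is an added example and is not Trend Micro's code or part of this page. It carries out the pinning procedure above on a Linux agent host and adds the checks a practitioner would want before activating: it normalises the downloaded CA to PEM (the download may be DER), prints the CA's SHA-256 fingerprint for out-of-band comparison, refuses to install the CA if the console's TLS chain does not validate against it, and can scan an agent log for the "verify error 20" warning quoted in the note above. It assumes curl and openssl are installed, that it is saved as pin_console_ca.sh and run as root, and that the console host and port are placeholders you replace with your own (port 443 is an assumption).

```shell
#!/bin/sh
# Added example, not Trend Micro's code: pin the console CA for a Linux agent and
# check that the console's TLS chain really validates against it before activating.
# Assumptions: curl and openssl are installed; the console host/port are placeholders
# for your own console; the script is saved as pin_console_ca.sh and run as root.
set -e

# Directory the agent reads the pinned CA from (paths taken from the procedure above).
agent_ca_dir() {  # agent_ca_dir <linux|windows>
  case "$1" in
    linux)   printf '%s\n' '/var/opt/ds_agent/dsa_core' ;;
    windows) printf '%s\n' '%ProgramData%\Trend Micro\Deep Security Agent\dsa_core' ;;
    *)       return 1 ;;
  esac
}

# Exit 0 if the file is PEM-armoured, 1 otherwise (for example a DER download).
is_pem_cert() {  # is_pem_cert <file>
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Write a PEM copy of the certificate, converting from DER when needed.
to_pem() {  # to_pem <in> <out>
  if is_pem_cert "$1"; then
    cp "$1" "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# Exit 0 if the console's presented chain validates against the pinned CA alone
# (no system trust store involved), which is exactly what the agent will require.
verify_console_chain() {  # verify_console_chain <host> <port> <ca.pem>
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Exit 0 if an agent log contains the "certificate not pinned" warning from the note above.
has_unpinned_warning() {  # has_unpinned_warning <logfile>
  grep -q 'SSLVerifyCallback() - verify error 20' "$1"
}

main() {  # main <console-host> [console-port]
  host=$1; port=${2:-443}   # 443 is an assumption; use your console's port
  work=$(mktemp -d)
  curl -fsSL 'https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.268214990.1906231865.1600974902-1043992707.1600974902' \
    -o "$work/ca.cer"
  to_pem "$work/ca.cer" "$work/ds_agent_dsm_public_ca.crt"
  # Print subject and SHA-256 fingerprint: compare with Entrust's published value out of
  # band, because the download itself only trusts whatever is in this host's system store.
  openssl x509 -in "$work/ds_agent_dsm_public_ca.crt" -noout -subject -fingerprint -sha256
  if ! verify_console_chain "$host" "$port" "$work/ds_agent_dsm_public_ca.crt"; then
    echo "console chain does not validate against the pinned CA; not installing" >&2
    exit 1
  fi
  install -o root -g root -m 0644 "$work/ds_agent_dsm_public_ca.crt" \
    "$(agent_ca_dir linux)/ds_agent_dsm_public_ca.crt"
  rm -rf "$work"
}

# Only run main when executed as the script itself, so the functions can also be sourced.
case "$0" in *pin_console_ca.sh) main "$@" ;; esac
```

Run it on the Linux agent host as `./pin_console_ca.sh console.example.com 443` before activating; `agent_ca_dir windows` only echoes the Windows location for reference, since the file is copied there by hand. The chain check is the important step: if the console does not validate against the Entrust root, activation with the pinned CA would fail anyway, and a console that validates against the system store but not against the pinned CA is precisely the situation pinning exists to expose. After activation, `has_unpinned_warning /path/to/agent.log` tells you whether the agent still reported verify error 20, meaning the CA file was not picked up from dsa_core.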