Managing Certificate Verification

Article ID: 288391

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to enable or disable the Certificate Verification for the Server Certificate in System Configuration > Security.

Environment

  • App Control Console: All Supported Versions
  • App Control Agent: All Supported Versions

Resolution

About Certificate Verification:

Enabling Certificate Verification instructs all Agents to verify the authenticity of the Server Certificate against the issuing Certificate Authority or the endpoint's Root Certificates. This adds a level of security: an Agent will only communicate with a Server whose certificate it can validate, so communications between Agent and Server cannot be spoofed.

  • Certificate Verification is not recommended for Self-signed Certificates, as it may cause all Agents to disconnect.
  • Once enabled, Certificate Verification cannot easily be reverted, and enabling it may cause Agents to become Disconnected.
  • More information regarding Certificate Verification can be found in the User Guide chapter, "System Configuration".
  • If necessary, it is possible to import the certificate on the endpoints for any Agent disconnected due to failed Certificate Verification.

Enabling Certificate Verification:

  1. Log in to the Console and navigate to Settings > System Configuration > Security.
  2. Click Enable Certificate Verification.
  3. Click OK.
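
A pre-flight check for the steps above, as an added example that is not part of the original article or the vendor's tooling: run from a representative endpoint before enabling the setting, it performs a TLS handshake with the Server and reports whether the Server Certificate validates against the trust store Python uses on that endpoint. The function names, the host and port arguments, and the premise that Python's validation (which also checks the host name) approximates the Agent's check are assumptions.

```python
import socket
import ssl
import sys

# OpenSSL verify codes that map to the caveats in this article.
ADVICE = {
    10: "Certificate has expired: replace it before enabling verification.",
    18: "Self-signed certificate: enabling verification is not recommended.",
    19: "Chain ends in a root this endpoint does not trust: import it first.",
    20: "Issuing CA not found in this endpoint's trust store: import it first.",
    21: "Issuing CA not found in this endpoint's trust store: import it first.",
    62: "Certificate does not match the host name used to reach the Server.",
}

def advice_for(code):
    return ADVICE.get(code, "Verification failed: resolve this before enabling.")

def check_server_cert(host, port, cafile=None, timeout=5.0):
    """Handshake with full validation; report the result instead of raising."""
    # Default context: CERT_REQUIRED plus host name check, system trust store
    # unless cafile (a PEM bundle) is supplied.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {"ok": True, "code": 0, "detail": subject.get("commonName", "")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "code": exc.verify_code,
                "detail": f"{exc.verify_message}. {advice_for(exc.verify_code)}"}
    except OSError as exc:  # refused, timed out, or non-TLS listener
        return {"ok": False, "code": None, "detail": f"Could not complete handshake: {exc}"}

if __name__ == "__main__":
    # Usage (hypothetical script name): python preflight.py ServerAddress PORT
    result = check_server_cert(sys.argv[1], int(sys.argv[2]))
    print("PASS" if result["ok"] else "FAIL", result["detail"])
    sys.exit(0 if result["ok"] else 1)
```

PORT is whichever port the Agents use to reach the Server in your deployment. Where Python's default trust store differs from the operating system's, pass the endpoint's CA bundle as `cafile`.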

Disabling Certificate Verification:

  1. Log in to the Console and navigate to: https://ServerAddress/shepherd_config.php
  2. Find the Defined Property: SSLMode.
  3. Change the Property Value to: 1
  4. Click Change.
  5. Navigate to Settings > System Configuration > Security.
  6. Verify the Certificate Verification feature no longer shows "Enabled".

Any Agent that does not check in after this change is made will require one of the following:

  • Importing the Server Certificate on the endpoint.
  • Manually disabling the Agent's Certificate Verification setting via the command line:
    • Windows:
      cd "C:\Program Files (x86)\Bit9\Parity Agent"
      dascli password GlobalCLIPassword
      dascli sslmode 1
    • macOS:
      cd /Applications/Bit9/Tools/
      ./b9cli --password GlobalCLIPassword
      ./b9cli --sslmode 1
    • Linux:
      cd /opt/bit9/bin
      ./b9cli --password GlobalCLIPassword
      ./b9cli --sslmode 1