Encrypt internal traffic to Agent

In some cases, the client's agent runs on a different server than the proxy (such as IIS or NGINX). Traffic from outside then first reaches the proxy and is routed internally to the agent's server. This internal traffic can be encrypted with a certificate. Enable this encryption as follows:
  1. Start the agent via salureconnect-agent.exe with parameters. Add the parameter `--ssl true` to enforce encryption. You can optionally also change the port, e.g. to 443. This looks like this: `salureconnect-agent.exe --ssl true --port 443`
  2. When SSL is enforced, the agent needs a certificate to actually encrypt traffic. Make sure a certificate file and a key file are in a folder on the server where the agent is running, for example in the certs folder. The files must be named as follows:
    1. salureconnect_agent_cert.pem
    2. salureconnect_agent_key.pem
  3. After placing the certificates in the folder, add the following parameter: `--certfolder <folder certificates>`. Suppose you have placed the certificates in c:agentcerts, then the parameter will be `--certfolder c:agentcerts`. Combined with the previous parameters, the whole command now looks like this: `salureconnect-agent.exe --ssl true --certfolder c:agentcerts --port 443`
Note that if you use the ssl parameter, the certfolder parameter is mandatory.

Create a certificate

  1. Install Chocolatey if you don't have it installed already: see https://docs.chocolatey.org/en-us/choco/setup
  2. Install mkcert if you don't have it installed:
    1. Open **Windows Terminal** or **Windows PowerShell** as an administrator and run `choco install mkcert`
    2. Run `mkcert -install`
  3. Be patient with the following step. If it looks frozen, it is just taking a while:
  4. Run `mkcert -key-file salureconnect_agent_key.pem -cert-file salureconnect_agent_cert.pem localhost 127.0.0.1 0.0.0.0 ::1`
  5. Run `copy salureconnect_agent_*.pem C:\data_analytics\salureconnect_agent\certs\`
  6. The following step is optional if the root certificate is expired (it should be valid for 10 years):
  7. Run `copy "C:\Users\$env:UserName\AppData\Local\mkcert\rootCA.pem" "C:\data_analytics\salureconnect_agent\certs\rootCA.pem"`
  8. Now send this root certificate to the client; they have to install it in their certificate store. Send only rootCA.pem: the rootCA-key.pem file in the same mkcert folder is the CA's private key and stays on this machine.
Client instructions for installing the root certificate on Windows Server:
  1. Open "Manage computer certificates", right-click "Trusted Root Certification Authorities" and choose "All tasks" -> "Import" -> "Next" -> "Browse" -> select rootCA.pem -> "Next" -> "Finish".
  2. Restart the browser and verify that https://localhost:7070:salureconnect-agent is reachable (the agent must be running).
  3. Now run the agent with the option `--ssl true` to enable SSL.
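
A preflight check for the folder passed to `--certfolder`, as an added example that is not part of the original article or of the agent's own tooling. It assumes Windows PowerShell, the folder and file names used above, and `localhost` as the expected name; the 30-day expiry margin and the three well-known SIDs it flags are choices of this example.

```powershell
# Added example: preflight check of the folder passed to --certfolder.
# Default folder and file names are the ones used on this page.
param(
    [string]$CertFolder   = 'C:\data_analytics\salureconnect_agent\certs',
    [string]$ExpectedName = 'localhost'   # one of the names given to mkcert above
)

$problems = @()
$certPath = Join-Path $CertFolder 'salureconnect_agent_cert.pem'
$keyPath  = Join-Path $CertFolder 'salureconnect_agent_key.pem'

foreach ($p in $certPath, $keyPath) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { $problems += "Missing file: $p" }
}

if (Test-Path -LiteralPath $certPath -PathType Leaf) {
    # X509Certificate2 reads a PEM (Base64) certificate file directly.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {   # 30 days: example threshold
        $problems += "Certificate is expired or expires soon: $($cert.NotAfter)"
    }
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($ExpectedName)) {
        $problems += "Subject Alternative Name does not list '$ExpectedName'"
    }
}

if (Test-Path -LiteralPath $keyPath -PathType Leaf) {
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    foreach ($rule in (Get-Acl -LiteralPath $keyPath).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if ($broad -contains $sid) {
            $problems += "Private key ACL grants access to $($rule.IdentityReference)"
        }
    }
}

# mkcert's CA private key must stay on the issuing machine; only rootCA.pem is shared.
if (Test-Path -LiteralPath (Join-Path $CertFolder 'rootCA-key.pem')) {
    $problems += 'rootCA-key.pem found in the certificate folder'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Certificate folder looks ready for: --ssl true --certfolder $CertFolder"
```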
