Protect Deep Security Agent

If you have enabled manager-initiated communication (see Agent-manager communication for details), and by extension, manager-initiated activation, it is highly recommended that you bind the agent to a specific manager during this activation. For details, see the section below.

Bind Deep Security Agent to a specific Deep Security Manager

If manager-initiated activation is enabled between Deep Security Agent and Deep Security Manager, Trend Micro strongly recommends that you protect the agent by allowing it to only be contacted by a known and specific manager during the activation. This configuration should be used if you are in an environment that might include malicious Deep Security Managers.

To bind the agent to a manager, you'll need to export the SSL certificate that is used for securing agent-manager communication, and then add it to the agent computer. Follow these instructions:

  1. On the Deep Security Manager, export the Deep Security Manager SSL certificate by running this command:

dsm_c -action exportdsmcert -output ds_agent_dsm.crt [-tenantname TENANTNAME | -tenantid TENANTID]

where:

  • ds_agent_dsm.crt must be specified exactly as shown (you cannot use another name). It is the name of the Deep Security Manager SSL certificate that is used to secure the communication between the agent and manager.
  • -tenantname TENANTNAME is only required if you have a multi-tenant environment. TENANTNAME is replaced with the name of a tenant where agents are deployed.
  • -tenantid TENANTID is an alternative to -tenantname TENANTNAME. TENANTID is replaced with the ID of a tenant where agents are deployed.
  • To specify multiple tenants, see the last step of this procedure.
  • For details on multi-tenancy, see Set up a multi-tenant environment.
  2. On the computer where the agent that you want to activate is installed, put the ds_agent_dsm.crt file in one of these locations:
  • Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  • Linux: /var/opt/ds_agent/dsa_core
  3. If you have multiple tenants, run the export command above once for each tenant, and then copy each tenant's certificate to that tenant's agents.
    Example:
    If you have two tenants, run:
    dsm_c -action exportdsmcert -output ds_agent_dsm.crt -tenantname TENANT1
    dsm_c -action exportdsmcert -output ds_agent_dsm.crt -tenantname TENANT2
    ...then copy:
    the first ds_agent_dsm.crt to agents controlled by TENANT1.
    the second ds_agent_dsm.crt to agents controlled by TENANT2.
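The following POSIX shell script is an added example, not Trend Micro's own tooling, that automates the multi-tenant export above and adds the check a practitioner wants afterwards: confirming that the ds_agent_dsm.crt found on an agent is byte-identical to the manager's export, so that a stale or wrong-tenant certificate is caught before the agent is activated. It goes beyond the two-tenant example on the page by handling any number of tenants read from a list. It assumes dsm_c is on PATH on the manager host (override with DSM_C), that the Linux agent directory is /var/opt/ds_agent/dsa_core as documented above, and that the tenant list file and the staging directory under /tmp are placeholders you adapt; because the export must be named exactly ds_agent_dsm.crt, each tenant gets its own staging directory.

```shell
#!/bin/sh
# Added example (not part of the Deep Security documentation or product):
# export one ds_agent_dsm.crt per tenant and verify an agent's copy.
# Assumptions: dsm_c is on PATH on the manager (or DSM_C points at it);
# the agent certificate directory is the documented Linux location;
# STAGE and the tenant list are constructed placeholders.

DSM_C="${DSM_C:-dsm_c}"
STAGE="${STAGE:-/tmp/dsm-certs}"
AGENT_CERT_DIR="${AGENT_CERT_DIR:-/var/opt/ds_agent/dsa_core}"

# export_tenant_cert TENANTNAME
# Runs the documented export for one tenant. The output file name must be
# exactly ds_agent_dsm.crt, so each tenant is exported into its own
# directory under STAGE. Prints the path of the exported certificate.
export_tenant_cert() {
    tenant=$1
    dir="$STAGE/$tenant"
    mkdir -p "$dir" || return 1
    ( cd "$dir" && "$DSM_C" -action exportdsmcert -output ds_agent_dsm.crt -tenantname "$tenant" ) || return 1
    printf '%s\n' "$dir/ds_agent_dsm.crt"
}

# export_all_tenants FILE
# FILE holds one tenant name per line (blank lines ignored). Exports each
# tenant's certificate and prints "TENANT PATH" per line so the caller
# knows which file goes to which tenant's agents.
export_all_tenants() {
    while IFS= read -r tenant; do
        [ -n "$tenant" ] || continue
        path=$(export_tenant_cert "$tenant") || return 1
        printf '%s %s\n' "$tenant" "$path"
    done < "$1"
}

# cert_digest FILE
# SHA-256 of the file contents; used to compare the manager's export with
# the copy placed on an agent without shipping the file back.
cert_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_agent_cert MANAGER_CERT [AGENT_CERT]
# Returns 0 when the agent's ds_agent_dsm.crt matches the manager's export,
# 1 when a certificate is present but differs (wrong tenant or stale copy),
# 2 when the agent has no certificate at all (the agent is not bound).
verify_agent_cert() {
    manager_cert=$1
    agent_cert=${2:-$AGENT_CERT_DIR/ds_agent_dsm.crt}
    [ -f "$agent_cert" ] || return 2
    [ "$(cert_digest "$manager_cert")" = "$(cert_digest "$agent_cert")" ] || return 1
    return 0
}
```

Typical use on the manager is `export_all_tenants tenants.txt`, which leaves one ds_agent_dsm.crt per tenant under the staging directory to be copied to that tenant's agents; on a Linux agent, `verify_agent_cert /path/to/manager/export/ds_agent_dsm.crt` (run after the copy) returns non-zero if the binding certificate is missing or does not match, which is the condition to check before activation, and again after any reset or deactivation since those clear the certificate.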

You have now added the Deep Security Manager certificate to the agent. The agent now only accepts activations from the Deep Security Manager that owns the certificate. If you have tenants, the agent can only be activated by the tenant that was specified in the export command.

After completing these steps, the agent enters a 'pre-activated' state. While in this state, operations initiated by other Deep Security Managers or by the agent's local dsa_control utility do not work properly, by design. After the agent is fully activated, all normal operation resumes.

After resetting or deactivating an agent, the Deep Security Manager certificate is cleared, so the above steps must be re-applied.