Protect Deep Security Agent

During agent-manager communications, Deep Security Agent can authenticate the identity of its manager. It does this by comparing your trusted manager's certificate to the connecting manager's certificate. If they do not match, the manager authentication fails and the agent does not connect.

This prevents agents from activating with or connecting to a malicious server pretending to be your Deep Security Manager. This is recommended especially if agents connect through an untrusted network such as the Internet.

To protect your agents, you must configure each agent so it can recognize its authorized manager before the agent tries to activate:

1. On Deep Security Manager, run the command to export its server certificate:

   dsm_c -action exportdsmcert -output ds_agent_dsm.crt

   where

   • ds_agent_dsm.crt is the name of the manager's server certificate. You must use this exact file name.

2. On each agent's computer, put the ds_agent_dsm.crt file in the following location:

   • On Windows: %ProgramData%\Trend Micro\ Deep Security Agent\dsa_core
   • On Linux or Unix: /var/opt/ds_agent/dsa_core

Initially, after completing these steps, the agent enters a preactivated state. Until the agent is fully activated, operations initiated by other Deep Security Managers or by entering commands to the agent via dsa_control do not work. This is intentional, and the regular operation resumes upon activation.

During agent activation, Deep Security Agent can authenticate the identity of its Deep Security Manager by pinning the manager's certificate to the agent. It does this by validating the connecting manager’s certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path is validated, the manager authentication passes and activates the agents. This prevents agents from activating with a malicious server that is pretending to be your Deep Security Manager.

To protect your agents, you must configure each agent so it can recognize its authorized manager before the agent tries to activate.

Import a Deep Security Manager certificate chain issued by a public CA

1. Prepare a chain.pem file based on the following specifications:
   • A private key in PKCS #8 format.
   • The X509 certificate that corresponds to the private key.
   • Any other intermediate X509 certificates to build a chain of trust to a certificate to a trusted certificate authority (CA) root. Each certificate must sign the certificate that directly precedes it, so the order is important. See certificate_list in the RFC.
2. On Deep Security Manager, run the following command to import the certificate chain:

/opt/dsm/dsm_c -action agentHBPublicServerCertificate -set ${path_to_pem_file}

${path_to_pem_file} must be an absolute path.

3. Copy the public CA certificate and rename it to ds_agent_dsm_public_ca.crt.
4. On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:
   • On Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
   • On Linux or Unix: /var/opt/ds_agent/dsa_core

To confirm that the certificate chain has been imported, enter the following command:

/opt/dsm/dsm_c -action agentHBPublicServerCertificate -isSet

Delete the imported certificate chain

To stop using a Deep Security Manager certificate chain issued by a public CA, enter the following command:

/opt/dsm/dsm_c -action agentHBPublicServerCertificate -delete

By default, Deep Security Manager reverts to using a self-signed certificate.