
Self-Signed Certificates and Ivanti Automation

This document describes how the Ivanti Automation Self Signed Root Certificate is created during an installation, upgrade or update of Ivanti Automation.

  • Installation – Full installation of the latest release
  • Upgrade – Upgrade from an older version to the latest release
  • Update – Update within the same release to add or remove Subject Alternative Names

Starting with Ivanti Automation 2018.1 an extra TCP port is added. Port 3165 is used for HTTPS-encrypted communication between the Dispatcher(s) and Agent(s). With the introduction of port 3165 Ivanti Automation uses a self-signed certificate to secure the communication between the Dispatcher(s) and Agent(s).

Location of the Dispatcher certificate is in the Personal – Certificates folder.

Location of the Agent certificate is in the Trusted Root Certification Authorities – Certificates folder.

This is discussed later in this blog.

What are Subject Alternative Names in a certificate?

The Subject Alternative Name extension specifies additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL certificate, such as a Multi-Domain (SAN) or Extended Multi-Domain Certificate.

To see an example of Subject Alternative Names, click the padlock in the address bar of a page to examine its SSL certificate. The Subject Alternative Name extension can be found in the certificate details. In the screenshot below both www.digicert.com and digicert.com are listed, plus some additional SANs.

Certificate with Subject Alternative Names

When to use Subject Alternative Names with Ivanti Automation?

Subject Alternative Names are used in the Self-Signed Certificate for Ivanti Automation when agents are used outside the LAN environment and need to connect to a different FQDN than the Dispatcher's own FQDN.

For example:

A laptop used outside the office connects to automation.ivanti.net. This domain name needs to be added to the Subject Alternative Name during the installation or upgrade of Ivanti Automation.

Fresh installation of Ivanti Automation 2018.0 (10.4.0.0) and higher

After downloading the file from the Ivanti website, start the file:

Ivanti Automation Installer <buildnumber>.exe

Click Next to continue.

Select the option Select and install components and click Next to continue.

Select Ivanti Automation and click Next to continue.

Click Install to continue.

Click Next to continue.

Select I accept the terms in the License Agreement and click Next to continue.

Select the installation folder and click Next to continue.

Click Install to continue.

Installation starts and shows a progress bar.

When the installation is finished, leave the check mark in front of Launch Ivanti Automation and click Finish. The Ivanti Automation Console starts, and the first step is creating a database.

Click Yes to create a new database.

Click Next to continue.

In the next screen enter the Server name of the SQL Server and the Username and password for connecting to the SQL Server.

In this example the SA account is used. It is only used for connecting to the SQL Server with enough rights; it is not the account used for the newly created database.

In the next screen we define the Database name. The default is IvntAuto, but it can be renamed. Click Next to continue.
</gra_replace>
<gr_replace lines="73-75" cat="clarify" orig="Next step is creating">
The next step is creating a new login name and password to connect to the Ivanti Automation Datastore.

Change or leave the default Username and enter the password for the login twice. Click Next to continue.

In the next screen the location of the Database file and Log file is defined. Leave this default and click Next to continue.

Next step is creating a new login name and password to connect to Ivanti Automation Datastore.

Change or leave the default Username and enter twice a password for the Login. Click Next to continue.

The next step is generating the Self-Signed Certificate. When Subject Alternative Names are used, enter them in the field. As discussed earlier, this is only necessary when agents are used outside the LAN.

There are two options:

1 – Leave the Subject Alternative Name empty.

2 – Enter the Subject Alternative Name (or multiple names, separated by semicolons). For example, automation.ivanti.net.

In this document I use a Subject Alternative Name for the Self-Signed Certificate.

Click Next to continue.

Click Finish to continue and the database is created. The Self-Signed certificate is stored in the database; that is why it is created before the database is created.

Click OK to continue.

In the next screen select the edition which is based on licenses. The link below describes the difference in editions.

https://help.ivanti.com/res/help/en_US/IA/2019/Admin/Content/licensing-editions.htm

In this example select Enterprise Automation, which gives 75 evaluation licenses for 45 days.

Click OK to continue and the Ivanti Automation Console is restarting.

Click on Exit Setup Mode to install the first Dispatcher. Go to Topology – Dispatchers and click New in the top menu bar, or right-click and select New from the menu (see the arrows in the screenshot).

In the next screen enter the hostname of the Dispatcher. In this example Ivanti-2019-01.

Click on Deploy Now... In the connection screen enter a domain account with access to the server or workstation.

Click OK to push the Dispatcher installation to the selected server.

When the installation is finished select Close to continue.

In the dispatcher overview the installed Dispatcher is shown.

Go to Setup – Global Settings – Dispatcher discovery to add the local FQDN of the Dispatcher and the external hostname to the Dispatcher Address List.

Click on Add and select the internal Dispatcher hostname from the drop-down list. Click Add again, enter the external hostname manually in the field and click OK.

The Dispatcher Address List looks like the screenshot below.

Click Ok to continue.

Upgrading an older version or updating the current version of Ivanti Automation

Start the upgrade by running the installer file.

Click Next to continue.

Select the option Select and install components and click Next to continue.

Select the Ivanti Automation Upgrade Pack option and click Next to continue.

Click Install to start the upgrade.

Click Next to continue.

Accept the license agreement and click Next to continue.

Enter all the required database fields to connect to the current datastore and click Next to continue.

The next screen is the most important window. In this window we need to add the Alternative DNS Name that the external agents use to connect to the Dispatcher in the DMZ.

Leave this field empty if a Subject Alternative Name isn’t needed.

For example: automation.ivanti.com

Note: There is no need to add the internal FQDN of the Dispatcher, because that is added automatically during the installation.

Select Next to continue.

Select Upgrade to upgrade and create the new Self Signed Certificate.

Upgrade is starting.

After the upgrade select Finish to continue.

And close the last screen of the Ivanti Automation Upgrade.

Checking the Self-Signed Certificates

Go to Start – Run, enter mmc and press <enter>.

Go to File – Add/Remove Snap-in...

Search in the left list for Certificates and add this to the Selected Snap-ins.

After selecting the Certificates Snap-in, select Computer Account and click Next to continue.

Select the option Local Computer in the next screen and Finish to continue.

Click OK to add the Certificates Snap-in.

Go to Personal – Certificates and search for Ivanti Self Signed Root in the Issued By column. This is the Dispatcher certificate that was created. In the Friendly Name column the GUID of the Dispatcher is shown together with Ivanti Automation Dispatcher Certificate.

Double click the Ivanti Self Signed Certificate for the Dispatcher and go to the tab Details.

Scroll down until the Subject Alternative Name field and click on the value. In the field below the DNS Names are shown.

Check that the external DNS name entered during the upgrade is present. In the next screen the local FQDN of the Dispatcher and the external DNS name are both shown. This means the Self Signed Certificate is created correctly.

Adding external hostname after upgrading Ivanti Automation

Note: This action is also described in the new installation of Ivanti Automation.

The next step is to open the Ivanti Automation Console and go to Setup – Global Settings. Search for the option Dispatcher discovery under Dispatcher Detection.

Make sure the local FQDN of the Dispatcher is added to the list; use the drop-down list for this. Then add the Alternative DNS Name manually to the Dispatcher discovery list.

Finish this setting by clicking OK.

Click on Exit Setup Mode in the top menu bar to exit the Setup Mode.

Go to Topology – Dispatchers and check that all Dispatchers are online, including the Dispatcher in the DMZ. If not, execute a Repair action on the offline Dispatchers.

Select the offline Dispatchers and select Repair from the top menu bar, or right-click and select Repair.

When all Dispatchers are online check if the Ivanti Self Signed Certificate is correctly installed with the MMC tool as described earlier in the document.

Repair Ivanti Automation Agents after updating the Self-Signed Certificate or upgrading older versions

After the Self Signed Certificate is changed during the Ivanti Automation upgrade, the agents can no longer connect to the Dispatchers and need to be repaired.

Go to Topology – Agents in the Ivanti Automation Console and select all offline agents. Select Repair from the top menu bar, or right-click and select Repair.

When the agents are online after the repair, go to one of the online agents, go to Start – Run, enter mmc and press <enter>.

Execute the same actions as described earlier and add the Certificates Snap-in. Also select Computer Account and Local Computer.

Go to Trusted Root Certification Authorities – Personal and search for the certificate called Ivanti Self Signed Root in the Issued To column.

Double-click the certificate and go to the Details tab. Scroll down to the Subject Alternative Name and select it. The external FQDN that was entered must be listed.

Be aware that the local FQDNs of the Dispatchers are not shown here!

When an agent stays offline, it is possible that many old Ivanti Self Signed Root certificates are installed, as in the screenshot below.

Remove all the old certificates and execute a new repair of the agent(s).

After the repair a new Ivanti Self Signed Root certificate is added. Check the Subject Alternative Name to make sure the external FQDN is added.
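As an added example that is not part of the original post or of Ivanti's own tooling, the following PowerShell performs the MMC checks from the Checking the Self-Signed Certificates section and from this agent section from the command line: it finds the certificates issued by Ivanti Self Signed Root in the Dispatcher's Personal store and the agent's Trusted Root store, extracts the SAN DNS names, verifies that the external FQDN is present, and counts (and optionally removes) stale duplicate root certificates left behind by earlier repairs. The issuer match string, the placeholder external FQDN and the "DNS Name=" label produced by the SAN extension formatter (English Windows) are assumptions.

```powershell
# Added example: check Ivanti Automation self-signed certificates from PowerShell.
# Run in an elevated session; the LocalMachine stores require administrator rights.
$ExpectedExternalFqdn = 'automation.example.com'   # placeholder, use your own SAN value

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=host.example.com".
    # The label is locale dependent (assumed English here).
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-IvantiCertificate {
    param([string]$StorePath, [string]$ExternalFqdn, [switch]$RemoveStale)
    # Newest certificate first; older copies are leftovers from previous repairs.
    $certs = @(Get-ChildItem $StorePath |
        Where-Object { $_.Issuer -like '*Ivanti Self Signed Root*' } |
        Sort-Object NotBefore -Descending)
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate issued by Ivanti Self Signed Root in $StorePath"
        return
    }
    $newest = $certs[0]
    $dns = @(Get-SanDnsNames $newest)
    [pscustomobject]@{
        Store        = $StorePath
        Thumbprint   = $newest.Thumbprint
        FriendlyName = $newest.FriendlyName
        DnsNames     = $dns -join ';'
        HasExternal  = ($dns -contains $ExternalFqdn)   # -contains is case-insensitive
        StaleCount   = $certs.Count - 1
    }
    # Many old copies under Trusted Root are what the post shows on an offline agent.
    if ($RemoveStale -and $certs.Count -gt 1) {
        $certs | Select-Object -Skip 1 | ForEach-Object { Remove-Item -Path $_.PSPath }
    }
}

# Dispatcher: Personal store (shows local FQDN and external name).
Test-IvantiCertificate -StorePath 'Cert:\LocalMachine\My'   -ExternalFqdn $ExpectedExternalFqdn
# Agent: Trusted Root store (the local Dispatcher FQDN is not expected here).
Test-IvantiCertificate -StorePath 'Cert:\LocalMachine\Root' -ExternalFqdn $ExpectedExternalFqdn
```

Add -RemoveStale to the agent call only after confirming the newest certificate carries the expected external FQDN, then run the agent Repair as described above.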
