Enabling SSL after install

L1 Bithead

Enabling SSL after install

I just installed a trial of Traps and because of an issue with my self-signed SSL and lack of time, we installed the Core, console and some endpoints without SSL. Before I get too far into deploying some endpoints, does anyone know if this is going to be a big pain to add the SSL component later? I imagine it could require a reinstall of the Core/Console and redeploying any agents I already installed (so far under 10). Are there config files/batch scripts that would make it easier or am I best off re-running the installers? At the very least I would like to configure IIS for HTTPS so I'm not passing clear text logins if I connect across the network to the web console. I'd be better off fixing it now, I imagine.

 

Thanks

L4 Transporter

Re: Enabling SSL after install

If you already have the certificate, follow the procedure below:

1. Bind the certificate to the port used for agent-ESM communication (2125 by default)
Open CMD {Administrator privileges required} and type:
"netsh http add sslcert ipport=0.0.0.0:2125 certhash=CERTIFICATE_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable"

Notice:
• The certificate hash should be pasted without any spaces.
• Use the command "netsh http show sslcert" to verify that the certificate is bound to the port.
• If a different port was chosen for agent-ESM communication during the ESM and agent installation, make sure to use that port in all the entries in this article.
 
2. Backup cyveraserver.exe.config file by copying it to another folder.
Edit cyveraserver.exe.config (located by default in C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server):
• Change the security mode value from “None” to “Transport” <security mode="Transport">
• Change http to https in all baseaddress entries:
• <add baseAddress="https://0.0.0.0:2125/CyveraServer/"/>
• <add baseAddress="https://0.0.0.0:2125/CyveraLicensing/"/>
• <add baseAddress="https://0.0.0.0:2125/CyveraStatus/"/>

3. Restart "Endpoint Security Manager service"

 

You can see the entire procedure in the following live community post: live.paloaltonetworks.com/t5/Endpoint-Articles/SSL-configuration-guide/ta-p/77491

I hope it helps.
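The three steps above, scripted as an added example that is not part of the original reply and is not Palo Alto Networks' own tooling. It assumes the certificate is already imported into the LocalMachine\My store and you pass its thumbprint; the port, appid, config path, the security mode and baseAddress edits all come from the reply above. The Windows service name for "Endpoint Security Manager service" is not given in the thread, so it is a labelled placeholder to be looked up with Get-Service on the ESM host. The config is edited through the XML parser rather than a blind text replace so that only the intended attributes change, and a timestamped backup is taken first.

```powershell
#Requires -RunAsAdministrator
# Added example: bind the TLS certificate to the agent-ESM port, switch the
# WCF config to Transport security over https, and restart the service.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # SHA-1 thumbprint of the cert in LocalMachine\My
    [int]$Port = 2125,                           # agent-ESM port (2125 by default, per the reply)
    [string]$ConfigPath = 'C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server\cyveraserver.exe.config',
    [string]$ServiceName = 'SERVICE_NAME_PLACEHOLDER'   # placeholder: find with Get-Service on the ESM host
)

$ErrorActionPreference = 'Stop'
$appId = '{935e55e3-8b9d-4b95-954c-423626f887f9}'   # appid from the reply above

# --- Step 1: bind the certificate to the port -------------------------------
# Thumbprints copied from certmgr often contain spaces; the reply warns the
# hash must be pasted without them, so normalise and validate it first.
$hash = ($Thumbprint -replace '\s', '').ToUpper()
if ($hash -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hex characters, got '$hash'"
}
if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash })) {
    throw "No certificate with thumbprint $hash found in LocalMachine\My"
}

netsh http add sslcert "ipport=0.0.0.0:$($Port)" "certhash=$hash" "appid=$appId" clientcertnegotiation=enable
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)" }

# Verify the binding the way the reply suggests (netsh http show sslcert).
$shown = (netsh http show sslcert "ipport=0.0.0.0:$($Port)") -join "`n"
if ($shown -notmatch $hash) { throw "Binding for port $Port not visible in 'netsh http show sslcert'" }

# --- Step 2: back up and edit cyveraserver.exe.config -----------------------
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$changed = 0

# <security mode="None"> -> <security mode="Transport">
foreach ($sec in $cfg.SelectNodes('//security[@mode="None"]')) {
    $sec.SetAttribute('mode', 'Transport')
    $changed++
}

# <add baseAddress="http://..."/> -> https:// for every base address entry
foreach ($ba in $cfg.SelectNodes('//add[@baseAddress]')) {
    $url = $ba.GetAttribute('baseAddress')
    if ($url -like 'http://*') {
        $ba.SetAttribute('baseAddress', ($url -replace '^http://', 'https://'))
        $changed++
    }
}

if ($changed -eq 0) {
    Write-Warning "No attributes changed in $ConfigPath (already Transport/https?)"
}
$cfg.Save($ConfigPath)

# --- Step 3: restart the Endpoint Security Manager service ------------------
Restart-Service -Name $ServiceName
Write-Host "Done: $changed attribute(s) changed, backup saved to $backup"
```

Run it once on the ESM server with the thumbprint of the installed certificate, e.g. `.\Enable-EsmTls.ps1 -Thumbprint 'AB CD ...'` (the spaces are stripped for you). If a non-default port was chosen at install time, pass `-Port` so the binding, the verification and the config edits all use the same value, which is the pitfall the reply's third notice points out.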
