Configure a sensor for automation
After installing and activating a sensor, you must configure it for automation.
Initial configuration occurs on the sensor system itself. Here you specify the network appliances for which the sensor will manage TLS certificates.
There are two possible configuration methods:
Run an interactive command on the sensor to add each managed network appliance.
Add the configuration parameters to a text file and read them in from there.
Important
Make sure your network appliance is supported by CertCentral managed automation. For a list of supported models and versions, see Get started with managed automation.
The login password of each network appliance must meet the DigiCert password requirements so it will work with automation. The password must contain lower and upper case letters, numbers, or symbols.
Interactive configuration
The addagentless utility is used to perform local configuration of a DigiCert sensor. This command adds network appliances for certificate automation by the sensor.
The addagentless utility is located within the cli subdirectory of the sensor installation directory. Invoke it differently based on the system type:
Linux:
./addagentless.sh
Windows:
addagentless.bat
Docker:
Without signing into the docker sensor container:
docker exec -it <container-id/name> cli/addagentless.sh
After first signing into the docker sensor container:
Run docker exec -it <container-id/name> bash to get a bash shell in the container, then run cli/addagentless.sh
(Note: Run the docker ps command to find the container ID or name.)
Invoked by itself, the addagentless command prints a usage statement listing all its possible arguments.
To add a new network appliance for automation, use the -type argument followed by one of the below values:
A10: A10 load balancer
AWS: Amazon Elastic Load Balancer (ALB or NLB)
AWS-CLOUDFRONT: Amazon CloudFront CDN
BIGIP: F5 BIG-IP load balancer
NETSCALER: Citrix ADC load balancer
Run a separate addagentless command for each individual network appliance that will be managed by the sensor. After running each command, you are presented with a series of interactive prompts to supply the required parameters for that appliance.
For example, the terminal output below shows where the Windows version of the addagentless utility was used to add an A10 load balancer for sensor-based automation. Note the interactive prompts after the initial addagentless.bat -type A10 command, and the values supplied for each in this example.
C:\Program Files\DigiCert\DigiCert sensor\cli>addagentless.bat -type A10
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter management IP address:10.141.17.192
Enter Management Port (443):443
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
Enter admin username:admin
Enter admin password:
Confirm admin password:
Successfully added or changed the agentless.
IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.
Notice
For examples of configuring different types of network appliances for automation, see Sensor configuration examples.
Configure from file
Instead of configuring a sensor interactively, you can read in the configuration from a file. This method can help you plan your configuration before implementing it. To do so:
Create a configuration text file.
Create a basic text file containing the configuration parameters for the network appliance (one parameter per line). Required parameters depend on the appliance type. See the examples below.
Read in the configuration from the text file.
Run the addagentless command, using the -type argument to specify the network appliance type, plus the -file argument to specify the file containing the configuration parameters. For example, to configure an A10 load balancer using the configuration parameters in "myfile1.txt":
Linux:
./addagentless.sh -type A10 -file myfile1.txt
Windows:
addagentless.bat -type A10 -file myfile1.txt
Docker:
Without signing into the docker sensor container:
docker exec -it <container-id/name> cli/addagentless.sh -type A10 -file myfile1.txt
After first signing into the docker sensor container:
Run docker exec -it <container-id/name> bash to get a bash shell in the container, then run cli/addagentless.sh -type A10 -file myfile1.txt
(Note: Run the docker ps command to find the container ID or name.)
The following examples show the parameters needed in the configuration file for different network appliance types:
Network appliance type | Example configuration parameters |
---|---|
A10 (single configuration) | MANAGEMENT_IP=10.141.17.192<br>MANAGEMENT_PORT=443<br>ADMIN_USERNAME=username001<br>ADMIN_PASSWORD=password001 |
A10 (high availability configuration) | HA_MANAGEMENT_IP=10.141.17.192<br>HA_MANAGEMENT_PORT=443<br>ADMIN_USERNAME=username001<br>ADMIN_PASSWORD=password001<br>ENABLE_PASSWORD=password01<br>PEER_INFO=10.141.17.196,443,username001,password001 : 10.141.17.197,443,username002,password002<br>Note: Use a colon (:) symbol surrounded by blank spaces to separate the login information for each peer. |
AWS Network/Application Load Balancer | AWS_ACCOUNT_ID=123456789012<br>AWS_REGION=us-east-4<br>KEY_REQ=2<br>ACCESS_KEY_ID=ABCD12E3F4GHIJ567KLM<br>SECRET_KEY=HIDNmmbd55416d1vXIHNC415HhiwY99Yni8484B<br>Note: See below for possible |
AWS CloudFront | AWS_ACCOUNT_ID=123456789012<br>KEY_REQ=3<br>PROFILE_NAME=myprofile1<br>Note: See below for possible |
Citrix ADC (formerly Citrix NetScaler) | MANAGEMENT_IP=10.141.17.192<br>MANAGEMENT_PORT=443<br>WEB_PROTOCOL=http<br>WEB_USERNAME=username01<br>WEB_PASSWORD=password01<br>SSH_USERNAME=username02<br>SSH_PASSWORD=password02<br>SSH_PORT=20 |
F5 BIG-IP | MANAGEMENT_IP=10.141.17.192<br>MANAGEMENT_PORT=443<br>WEB_USERNAME=username1<br>WEB_PASSWORD=password1 |
For AWS NLB/ALB and AWS CloudFront, set the KEY_REQ value to reflect your preferred method of authentication, as follows:
KEY_REQ value | Required authentication parameters | Description |
---|---|---|
1 | — | Provide login credentials using the default AWS credential provider chain. |
2 | ACCESS_KEY_ID, SECRET_KEY | Supply the credentials yourself. |
3 | PROFILE_NAME | Use an AWS profile name as your login credentials. |
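As an added example (not part of the DigiCert sensor or of this page), the Python check below validates a configuration file before it is handed to addagentless -file: it confirms the parameters required for each -type value from the table above, the extra credentials implied by KEY_REQ, the PEER_INFO peer format, and the password rule from the Important box. The "A10-HA" label and the reading of the password rule (lower and upper case letters plus a digit or symbol) are assumptions made here.

```python
import re

# Required parameters per -type value, taken from this page's configuration
# table; "A10-HA" is a label used here for the high-availability A10 file.
REQUIRED = {
    "A10": ["MANAGEMENT_IP", "MANAGEMENT_PORT", "ADMIN_USERNAME", "ADMIN_PASSWORD"],
    "A10-HA": ["HA_MANAGEMENT_IP", "HA_MANAGEMENT_PORT", "ADMIN_USERNAME",
               "ADMIN_PASSWORD", "ENABLE_PASSWORD", "PEER_INFO"],
    "AWS": ["AWS_ACCOUNT_ID", "AWS_REGION", "KEY_REQ"],
    "AWS-CLOUDFRONT": ["AWS_ACCOUNT_ID", "KEY_REQ"],
    "NETSCALER": ["MANAGEMENT_IP", "MANAGEMENT_PORT", "WEB_PROTOCOL", "WEB_USERNAME",
                  "WEB_PASSWORD", "SSH_USERNAME", "SSH_PASSWORD", "SSH_PORT"],
    "BIGIP": ["MANAGEMENT_IP", "MANAGEMENT_PORT", "WEB_USERNAME", "WEB_PASSWORD"],
}
# Credential parameters each KEY_REQ value requires (from the KEY_REQ table).
KEY_REQ_PARAMS = {"1": [], "2": ["ACCESS_KEY_ID", "SECRET_KEY"], "3": ["PROFILE_NAME"]}


def parse_config(text):
    """Parse one KEY=VALUE parameter per line; blank lines are ignored."""
    params = {}
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        params[key.strip()] = value.strip()
    return params


def password_ok(pw):
    """Assumed reading of the page's rule: lower and upper case plus a digit or symbol."""
    return bool(re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
                and re.search(r"[0-9]|[^A-Za-z0-9]", pw))


def validate(appliance, params):
    """Return a list of problems; an empty list means the file is complete."""
    problems = [f"missing {k}" for k in REQUIRED[appliance] if k not in params]
    if appliance.startswith("AWS"):
        key_req = params.get("KEY_REQ")
        if key_req not in KEY_REQ_PARAMS:
            problems.append("KEY_REQ must be 1, 2 or 3")
        else:
            problems += [f"KEY_REQ={key_req} needs {k}"
                         for k in KEY_REQ_PARAMS[key_req] if k not in params]
    if appliance == "A10-HA" and "PEER_INFO" in params:
        # Peers are separated by a colon surrounded by blank spaces (see the table).
        for peer in params["PEER_INFO"].split(" : "):
            if len(peer.split(",")) != 4:
                problems.append(f"PEER_INFO entry {peer!r} is not ip,port,user,password")
    for k, v in params.items():
        if k.endswith("PASSWORD") and not password_ok(v):
            problems.append(f"{k} does not meet the password requirements")
    return problems
```

The file holds plaintext appliance credentials, so keep it readable only by the account that runs addagentless and remove it once the sensor has read it in.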
What's next?
After completing the local configuration of your sensor system, go to CertCentral to verify and finalize it: