
Configure a sensor for automation

After installing and activating a sensor, you must configure it for automation.

Initial configuration occurs on the sensor system itself. Here you specify the network appliances for which the sensor will manage TLS certificates.

There are two possible configuration methods, interactive configuration and configuration from a file. Both are described below.

Important

Make sure your network appliance is supported by CertCentral managed automation. For a list of supported models and versions, see Get started with automation.

The login password of each network appliance must meet the DigiCert password requirements, or automation will not work with that appliance: the password must contain lowercase and uppercase letters, numbers, or symbols.

Interactive configuration

The addagentless utility is used to perform local configuration of a DigiCert sensor. This command adds network appliances for certificate automation by the sensor.

The addagentless utility is located within the cli subdirectory of the sensor installation directory. Invoke it differently based on the system type:

  • Linux: ./addagentless.sh

  • Windows: addagentless.bat

  • Docker:

    • Without signing into the docker sensor container:

      docker exec -it <container-id/name> cli/addagentless.sh

    • After first signing into the docker sensor container:

      Run docker exec -it <container-id/name> bash to get a bash shell in the container, then run cli/addagentless.sh

    • (Note: Run the docker ps command to find the container ID or name.)

Invoked by itself, the addagentless command prints a usage statement listing all its possible arguments.

To add a new network appliance for automation, use the -type argument followed by one of the below values:

  • A10: A10 load balancer

  • AWS: Amazon Elastic Load Balancer (ALB or NLB)

  • AWS-CLOUDFRONT: Amazon Cloudfront CDN

  • BIGIP: F5 BIG-IP load balancer

  • NETSCALER: Citrix NetScaler load balancer

Run a separate addagentless command for each individual network appliance that the sensor will manage. After running each command, you are presented with a series of interactive prompts for the parameters that appliance type requires.

For example, the terminal output below shows the Windows version of the addagentless utility being used to add an A10 load balancer for sensor-based automation. Note the interactive prompts that follow the initial addagentless.bat -type A10 command, and the value supplied for each one in this example (the passwords are typed without echo, which is why those two lines are blank).

C:\Program Files\DigiCert\DigiCert sensor\cli>addagentless.bat -type A10

Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.
Enter management IP address:10.141.17.192
Enter Management Port (443):443
If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N
Important: Enter an account that has admin (superuser) permission to manage all partitions on the A10 load balancer.
Enter admin username:admin
Enter admin password:
Confirm admin password:
Successfully added or changed the agentless.
IMPORTANT: After you run this command, return to Manage Automation Agents. Verify that the certificate host appears and is configured.

Notice

For examples of configuring different types of network appliances for automation, see Sensor configuration examples.

Configure from file

Instead of configuring a sensor interactively, you can read the configuration in from a file. This method lets you plan your configuration before implementing it, and lets you repeat the same command for many appliances. To do so:

  1. Create the configuration text file.

    Create a plain text file containing the configuration parameters for the network appliance, one KEY=VALUE parameter per line. The required parameters depend on the appliance type; see the examples below. The file holds the appliance's login credentials (and, for AWS, possibly a secret access key) in plain text, so create it with permissions that only the user running the sensor CLI can read, keep it off shared storage, and delete it once the command has succeeded.

  2. Read in configuration from the text file.

    Run the addagentless command, using the -type argument to specify the network appliance type, plus the -file argument to specify the file containing the configuration parameters. For example, to configure an A10 load balancer using the configuration parameters in "myfile1.txt":

    • Linux: ./addagentless.sh -type A10 -file myfile1.txt

    • Windows: addagentless.bat -type A10 -file myfile1.txt

    • Docker:

      • Without signing into the docker sensor container:

        docker exec -it <container-id/name> cli/addagentless.sh -type A10 -file myfile1.txt

      • After first signing into the docker sensor container:

        Run docker exec -it <container-id/name> bash to get a bash shell in the container, then run cli/addagentless.sh -type A10 -file myfile1.txt

      • (Note: Run the docker ps command to find the container ID or name.)

The following examples show the parameters needed in the configuration file for each network appliance type. The usernames, passwords, keys and addresses shown are placeholders, not real accounts.

A10 (single configuration):

MANAGEMENT_IP=10.141.17.192
MANAGEMENT_PORT=443
ADMIN_USERNAME=username001
ADMIN_PASSWORD=password001

A10 (high availability configuration):

HA_MANAGEMENT_IP=10.141.17.192
HA_MANAGEMENT_PORT=443
ADMIN_USERNAME=username001
ADMIN_PASSWORD=password001
ENABLE_PASSWORD=password01
PEER_INFO=10.141.17.196,443,username001,password001 : 10.141.17.197,443,username002,password002

Note: In PEER_INFO, each peer is given as its management IP address, port, username and password separated by commas. Use a colon (:) surrounded by blank spaces to separate the login information of one peer from the next.

AWS Network/Application Load Balancer:

AWS_ACCOUNT_ID=123456789012
AWS_REGION=us-east-4
KEY_REQ=2
ACCESS_KEY_ID=ABCD12E3F4GHIJ567KLM
SECRET_KEY=HIDNmmbd55416d1vXIHNC415HhiwY99Yni8484B

Note: AWS_REGION is the region code of the region in which the load balancer is deployed. See below for the possible KEY_REQ values and the authentication parameters each one requires; ACCESS_KEY_ID and SECRET_KEY are needed only for KEY_REQ=2.

AWS CloudFront:

AWS_ACCOUNT_ID=123456789012
KEY_REQ=3
PROFILE_NAME=myprofile1

Note: See below for the possible KEY_REQ values and the authentication parameters each one requires; PROFILE_NAME is needed only for KEY_REQ=3.

Citrix NetScaler:

MANAGEMENT_IP=10.141.17.192
MANAGEMENT_PORT=443
WEB_PROTOCOL=http
WEB_USERNAME=username01
WEB_PASSWORD=password01
SSH_USERNAME=username02
SSH_PASSWORD=password02
SSH_PORT=20

Note: WEB_PROTOCOL=http sends the web credentials to the NetScaler management interface unencrypted; set it to https where the management interface accepts HTTPS. Set SSH_PORT to the port on which the appliance's SSH service actually listens.

F5 BIG-IP:

MANAGEMENT_IP=10.141.17.192
MANAGEMENT_PORT=443
WEB_USERNAME=username1
WEB_PASSWORD=password1

For AWS NLB/ALB and AWS CloudFront, set KEY_REQ to reflect your preferred method of authentication. Each value requires a different set of authentication parameters in the configuration file:

KEY_REQ=1
  Required authentication parameters: none
  The sensor obtains login credentials from the default AWS credential provider chain.

KEY_REQ=2
  Required authentication parameters: ACCESS_KEY_ID, SECRET_KEY
  Supply the credentials yourself in the configuration file.

KEY_REQ=3
  Required authentication parameters: PROFILE_NAME
  Use a named AWS profile as your login credentials.

Values 1 and 3 keep the long-lived secret access key out of the configuration file; prefer them where the sensor host already has AWS credentials available. Use KEY_REQ=2 only when you must embed a key pair, and in that case restrict the file's permissions and delete it once the command has succeeded.
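The script below is an added example written for this page; it is not DigiCert's code and is not part of the sensor CLI. It serves both the configure-from-file procedure and the KEY_REQ table: it checks a prepared configuration file against the parameter sets listed above (including the KEY_REQ-specific parameters) before the sensor CLI is ever run, writes such files so only the invoking user can read them, and deletes the file after the CLI has consumed it. Assumed, and not stated on the page: the sensor's cli directory is given in the SENSOR_CLI_DIR environment variable, addagentless.sh accepts "-type TYPE -file FILE" exactly as shown in the procedure, and the A10_HA label is the script's own name for the high-availability parameter set, not a -type value.

```sh
#!/bin/sh
# Added example; not DigiCert's code or part of the sensor CLI.
# Validates an addagentless "-file" configuration against the parameter
# sets documented on this page, writes such files readable only by the
# invoking user (they hold appliance passwords and possibly AWS secret
# keys), and removes the file once the CLI has consumed it.
#
# Assumptions (not from the page): SENSOR_CLI_DIR points at the sensor's
# cli directory, and addagentless.sh accepts "-type TYPE -file FILE".

# Print the value of KEY from a KEY=VALUE file, or nothing if it is absent.
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '\r'
}

# Extra parameters required by each KEY_REQ value (page's KEY_REQ table):
# 1 = default AWS credential provider chain, nothing else in the file;
# 2 = static access key pair; 3 = named AWS profile.
key_req_keys() {  # key_req_keys KEY_REQ
    case "$1" in
        2) echo "ACCESS_KEY_ID SECRET_KEY" ;;
        3) echo "PROFILE_NAME" ;;
        *) ;;
    esac
}

# Required parameters per -type value, from the examples on this page.
# A10_HA is this script's name for the A10 high-availability parameter
# set; it is not itself a -type value.
required_keys() {  # required_keys TYPE KEY_REQ
    case "$1" in
        A10)            echo "MANAGEMENT_IP MANAGEMENT_PORT ADMIN_USERNAME ADMIN_PASSWORD" ;;
        A10_HA)         echo "HA_MANAGEMENT_IP HA_MANAGEMENT_PORT ADMIN_USERNAME ADMIN_PASSWORD ENABLE_PASSWORD PEER_INFO" ;;
        AWS)            echo "AWS_ACCOUNT_ID AWS_REGION KEY_REQ $(key_req_keys "$2")" ;;
        AWS-CLOUDFRONT) echo "AWS_ACCOUNT_ID KEY_REQ $(key_req_keys "$2")" ;;
        NETSCALER)      echo "MANAGEMENT_IP MANAGEMENT_PORT WEB_PROTOCOL WEB_USERNAME WEB_PASSWORD SSH_USERNAME SSH_PASSWORD SSH_PORT" ;;
        BIGIP)          echo "MANAGEMENT_IP MANAGEMENT_PORT WEB_USERNAME WEB_PASSWORD" ;;
        *)              return 1 ;;
    esac
}

# Return 0 if FILE has a non-empty value for every parameter TYPE needs;
# otherwise report what is wrong on stderr and return 1.
validate_agentless_config() {  # validate_agentless_config TYPE FILE
    type="$1"; file="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # An A10 file that carries HA_MANAGEMENT_IP is checked against the HA set.
    if [ "$type" = A10 ] && [ -n "$(cfg_get "$file" HA_MANAGEMENT_IP)" ]; then
        type=A10_HA
    fi
    key_req=$(cfg_get "$file" KEY_REQ)
    case "$type" in
        AWS|AWS-CLOUDFRONT)
            case "$key_req" in 1|2|3) ;; *)
                echo "$file: KEY_REQ must be 1, 2 or 3 (got '$key_req')" >&2; return 1 ;;
            esac ;;
    esac
    keys=$(required_keys "$type" "$key_req") || {
        echo "unknown appliance type: $type" >&2; return 1; }
    missing=""
    for k in $keys; do
        [ -n "$(cfg_get "$file" "$k")" ] || missing="$missing $k"
    done
    if [ -n "$missing" ]; then
        echo "$file: missing parameters:$missing" >&2; return 1
    fi
    # Not an error on the page, but http sends the NetScaler web credentials
    # to the management interface unencrypted.
    if [ "$(cfg_get "$file" WEB_PROTOCOL)" = http ]; then
        echo "warning: $file uses WEB_PROTOCOL=http" >&2
    fi
    return 0
}

# Write KEY=VALUE lines from stdin to FILE under umask 077 (mode 0600), so
# the plaintext secrets are never group- or world-readable on the sensor host.
write_agentless_config() {  # write_agentless_config FILE < lines
    ( umask 077 && cat > "$1" )
}

# Validate, run the sensor CLI with -file, then delete the credential file
# whether or not the CLI succeeded.
add_agentless_from_file() {  # add_agentless_from_file TYPE FILE
    validate_agentless_config "$1" "$2" || return 1
    "$SENSOR_CLI_DIR/addagentless.sh" -type "$1" -file "$2"
    rc=$?
    rm -f "$2"
    return $rc
}

# Stand-alone demo with a constructed A10 file (placeholder values from the
# page, not a real appliance); the CLI itself is not invoked here.
demo=$(mktemp)
write_agentless_config "$demo" <<'EOF'
MANAGEMENT_IP=10.141.17.192
MANAGEMENT_PORT=443
ADMIN_USERNAME=username001
ADMIN_PASSWORD=password001
EOF
validate_agentless_config A10 "$demo" && echo "A10 config file is complete"
rm -f "$demo"
# To add the appliance for real: SENSOR_CLI_DIR=<sensor>/cli add_agentless_from_file A10 <file>
```

The validator treats a missing SECRET_KEY under KEY_REQ=2, a missing PROFILE_NAME under KEY_REQ=3, or a KEY_REQ outside 1 to 3 as hard errors, so a malformed file is caught before any credentials are sent to an appliance; WEB_PROTOCOL=http only produces a warning, because the page lists it as a valid value.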

What's next?

After completing the local configuration of your sensor system, go to CertCentral to verify and finalize it: