Configuring SSL for Automate Plus and Ultimate 11

1. SSL Certificate Requirements:

A valid SSL certificate for the Fully Qualified Domain Name (FQDN) or machine name Two:

  1. IIS: Create a self-signed SSL certificate on the machine where the Automate Enterprise Server is installed.
  2. OpenSSL: Create a SSL certificate using -subj "/CN=machinename"
    1. openssl req -x509 -newkey rsa:4096 -sha256 -keyout keypair.key -out keypair.crt -days 365 -subj "/CN=machinename"
    2. openssl pkcs12 -export -out cert.pfx -inkey keypair.key -in keypair.crt

2. Verify You Are on the Machine Running the Automate Enterprise Server

  1. From an elevated command prompt, type “mmc” and then press Enter.
  2. In the Console dialog box that opens:
    1. Select File > Add/Remove Snap-in.
    2. From the Available snap-ins list, double-click on Services.
    3. Select Local computer.
    4. Click Finish.
    5. Click OK to close the Add or Remove Snap-ins dialog box.
  3. Under Console Root, select Services (Local).
  4. In the list of services, verify the following are present:
    1. Automate Enterprise 11 Execution Server
    2. Automate Enterprise 11 Management Server

3. Verify the SSL Certificate is Installed in the Certificate Store

  1. With the Console dialog box still open, do the following:
    1. Select File > Add/Remove Snap-in.
    2. From the Available snap-ins, double-click on Certificates.
    3. Select Computer account.
    4. Click Next.
    5. Click Finish
    6. Click OK to close the Add or Remove Snap-ins dialog box.
  2. Under Console Root, expand Certificates (Local Computer).
  3. Expand Personal.
  4. Select Certificates
  5. Verify the SSL certificate is listed (possibly in a sub-folder).

Note: Unless all components are stored on the same machine (that is, no remote agents or Development Tools are installed), the certificate needs be issued to the FQDN of the Execution server and not the localhost.

4. Identify the SSL Certificate Thumbprint

  1. Double-click on the certificate.
  2. Select the Details tab.
  3. Scroll to the bottom of the list and select Thumbprint.
  4. Copy the Thumbprint Value to the clipboard.
  5. Click OK.

5. Bind the SSL Certificate to the HTTP Ports

From an elevated command prompt, run the following commands, replacing "???" with the thumbprint value of the certificate:

  • netsh http add sslcert ipport=0.0.0.0:9715 certhash=??? appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable
  • netsh http add sslcert ipport=0.0.0.0:9718 certhash=??? appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable

6. Disable the Windows Firewall

Disable the firewall in Microsoft Windows.

7. Verify Automate Plus/Ultimate is Licensed

  1. Open the Automate Enterprise Management Console application.
  2. Select Options.
  3. Select Licenses.
  4. Verify the current license is valid.

8. Configure Agents to Connect by FQDN

  1. On each agent machine, open the Windows Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\AutoMate\Automate Agent 11\TaskService\Agent.
  3. Double-click on Host, and then enter the FQDN for the Execution machine in the Value data box (which is the same as SSL certificate).
  4. Return to Windows Services.
  5. Right-click on Automate Enterprise 11 Agent, and then select Restart.
  6. Verify the agent can connect by FQDN.

9. Configure Management Service to Connect by FQDN

  1. In Windows Services, individually right-click and then select Stop for each of the following services:
    1. Automate Enterprise 11 Agent
    2. Automate Enterprise 11 Execution Server
    3. Automate Enterprise 11 Management Server 
  3. Depending if you are running the 32-bit or 64-bit version of Automate Enterprise 11, browse to C:\Program Files\Automate Enterprise 11 or C:\Program Files\Automate Enterprise 11 (x86).
  4. Double-click on ConfigurationEditor.exe.
  5. In the Automate Enterprise 11 Configuration Utility, expand Management Server Settings.
  6. Replace the Execution Server Host value with the FQDN for the Execution Server.
  7. Click OK.
  8. Click Yes to restart the Automate Enterprise 11 Execution Server service.
  9. Wait 10 seconds.
  10. In Windows Services, right-click on Automate Enterprise 11 Management Server and then select Start.
  11. Wait 10 seconds.
  12. Right-click on Automate Enterprise 11 Agent and select Start.
  13. Open the Automate Enterprise Management Console and verify that you are still able to connect.

Note: If the Automate Enterprise 11 Execution Server or Automate Enterprise 11 Management Server services are running when the Automate Enterprise Configuration Utility is opened, the connection strings cannot be modified. The services must be fully stopped prior to opening the utility.

10. Configure Automate Enterprise to Use SSL Certificate

  1. Open the Automate Enterprise Management Console application.
  2. Select Options.
  3. Select Server Settings
  4. Double-click on SSL.
  5. Select Use SSL.
  6. For Store Name, select My/Personal.
  7. For Search Type, select Thumbprint.
  8. For Search String, enter the certificate's Thumbprint Value from step 4 (Identify the SSL Thumbprint Certificate).
  9. Click OK.
  10. Click OK again.

11. Shutdown and Restart Automate Enterprise Services

  1. On the machine where the Automate Enterprise Server is running:
    1. From an elevated command prompt, type “mmc” and then press Enter.
    2. From the Console window:
      1. Select File > Add/Remove Snap-in.
      2. From the Available snap-ins list, double-click on Services.
      3. Select Local computer.
      4. Click Finish.
      5. Click OK to close the Add or Remove Snap-ins dialog box.
      6. Under Console Root, select Services (Local).
    3. From the list of services, perform the following the in the order shown:
      1. Right-click on Automate Enterprise 11 Management Server service and then select Stop.
      2. Right-click on Automate Enterprise 11 Execution Server and then select Stop.
      3. After both services are stopped, wait at least 10 seconds.
      4. Right-click on Automate Enterprise 11 Execution Server and then select Start.
      5. Right-click on Automate Enterprise 11 Management Server and then select Start.
  2. On any machine where the Automate Enterprise Agent is running:
    1. From an elevated command prompt, type “mmc” and then press Enter.
    2. From the Console window:
      1. Select File > Add/Remove Snap-in.
      2. From the Available snap-ins list, double-click on Services.
      3. Select Local computer.
      4. Click Finish.
      5. Click OK to close the Add or Remove Snap-ins dialog box.
    3. Under Console Root, select Services (Local).
    4. From the list of services, perform the following in the order shown:
      1. Right-click on Automate Enterprise 11 Agent and then select Stop.
      2. Right-click on Automate Enterprise 11 Agent and then select Start.

12. Verify SSL is Working

  1. Verify the Automate Enterprise 11 services are using the correct SSL ports:
    1. From an elevated command prompt, type “mmc” and then press Enter.
    2. In the Console dialog box that opens:
      1. Select File > Add/Remove Snap-in.
      2. From the Available snap-ins list, double-click on Event Viewer.
      3. Select Local computer.
      4. Click OK.
      5. Click OK again.
    3. Expand Event Viewer (Local).
    4. Expand Windows Logs.
    5. Select Application.
    6. Scroll through the events and verify the following:
      1. There is an event from the source Automate Execution Server 11 with the following description:
        1. "Service is bound to: tcp://0.0.0.0:9725/BPAServer/CommBridge/"
      2. There is an event from the source Automate Execution Server 11 with the following description:
        1. "Service is bound to: tcp://0.0.0.0:9715/BPAExecutionServer/"
      3. There is an event from the source Automate Management Server 11 with the following description:
        1. "Service is bound to: https//0.0.0.0:9718/BPAManagementServer/"
  2. Verify the Automate Enterprise Management Console can establish a connection:
    1. Open the Automate Enterprise Management Console application.
    2. Verify the Management Console properly establishes a connection and expected functionality is available.
  3. Verify the Automate Enterprise Agent connects:
    1. With the Console window still open and Application selected, scroll through the events and verify there is an event from the source Automate Agent 11 with the following description:
      1. "Connection made to Automate Enterprise at local host on port 9715. Disregard following message."

13. Turning SSL Off by Way of the Automate Database

  1. You can update the query by changing the value of the UseSSL column of the serverproperties table of your Automate Database.
  2. An example of this query is below:

    1. UPDate [DatabaseName].[dbo].[serverproperties]Set [UseSSL] = 0

  3. Restart the Automate Enterprise 11 services for this change to take effect.
Still have questions? We can help. Submit a case to technical support

Last Modified On:
You don't have the appropriate permissions.
No, open a new Support Case
+1 800-328-1000
[email protected]
Infrastructure Protection & Data Security
Managed Security Services
Automation
IBM i

Copyright © 2023 Fortra