Agent recertification

This section describes how to recertify the agent on one or more managed servers. You can recertify the agent on one or more servers separately from a full core recertification process. The full core recertification process recertifies the core and all agents. For more information, see Agent versus core recertification and SA Core recertification.

To recertify the agents on one or more managed servers:

  1. In the SA Client, select the Devices tab.
  2. Under the Servers node, select All Managed Servers or Virtual Servers. This displays all the corresponding servers.

    Or under Device Groups, select one or more device groups.

  3. Select the Actions menu, or right-click and select Run > Agent Recert.

    Or if Run Extension > Recertify Agent is not shown, select Run Extension > Select Extension. This displays the Select Extension window and lists the available extensions. Select Recertify Agent on the Managed Servers in the Select Extension window, then select OK.

    This displays the Run Program Extension window showing the servers or device groups you selected.

  4. At any time, you can select Start Job to accept all the remaining default settings and run the job.
  5. Optionally use Include Devices to add servers or device groups.
  6. Optionally use Remove to remove servers or device groups.
  7. Select Next. This displays the Program screen. Do not make any changes on the Program screen.
  8. Select Next. This displays the Options screen.
  9. On the Options screen, you can change the program timeout value, request detailed information about the job with the -debug option, or specify the amount of job output to save.
    1. Program Timeout—Specify the maximum time in minutes you want the agent recertify job to run. If the agent recertify job fails, it will continue running for the specified time period. If after that time period it has not succeeded, it will abort and display an error message.
    2. Usage options—Enter “-debug” in the text box if you want additional details about the job to be displayed.
    3. Output Options—Specify what you want done with the program output after the job finishes. If you specify “Discard all program output,” then all the output will be unavailable when you open the completed job.
  10. Select the Next button. This displays the Scheduling screen. Specify when you want the job to run.
  11. Select the Next button. This displays the Notifications screen.
  12. On the Notifications screen, specify the email recipients and whether they should receive email messages if the job fails or succeeds or both.
  13. Select Next. This displays the Job Status screen.
  14. Select Start Job. This starts the job and displays the status.
  15. Select any server to display details on the status of the job on that server.
  16. After the agent recertify job finishes, you can optionally run a communication test on your servers to verify the agents on them.

Agent recertification phases

The following three phases are Agent Recertification phases:

  • Phase 4: Distributing new Agent CA. The purpose of this phase is to ensure continuous Agent-to-Agent communication (recertified Agents communicating with Agents that have yet to be recertified). In addition, it ensures that the automated communications job that performs a device communications test to the Word will succeed with the re-certified Word, which were introduced during phases 1-3.
  • Phase 8: Recertify the Agents. This is a required phase. The purpose of this phase is to issue new crypto material to the Agents.
  • Phase 12: Cleanup the old Agent CAs. This phase is optional. If you do not wish to trust both the old and new CA hierarchies, you must use this phase to remove the old CAs. Otherwise, you can skip this phase.

Agent recertification jobs

Each Agent recertification phase is accomplished by a recurring job. This job is dictated by the properties shown in the following table, which you must specify in the Core Recertification configuration file:

Core Recertification Configuration File: Agent Recertification Properties

Property Name: agent_recert.all.facilities.delay=<seconds>
Req?: No
Description: The delay in seconds for starting the agent recert jobs after entering the agent recert phases. The value must be between 120 and 7200 seconds. This property is optional. The default delay is 3 minutes. The property is available in SA 9.17, 10.03, 10.11, 10.22 and later.
Example: agent_recert.all.facilities.delay=120

Property Name: agent_recert.all.facilities.start_time=<HH:mm>
Req?: No
Description: The start time for the Agent Recertification phase. You may overwrite this value for a given facility by specifying the agent_recert.facility.<facility_name>.start_time property. Start time must be in the format HH:mm, where 00 <= HH < 24 and 00 <= mm < 60. Only the hour and minute components are needed. If the specified time has already passed, the Agent Recertification job will start at the specified time the next day.
Example: agent_recert.all.facilities.start_time=18:30

Property Name: agent_recert.facility.<facility_name>.start_time=<HH:mm>
Req?: No
Description: If present, the start time of the given facility will be used instead of agent_recert.all.facilities.start_time.
Example: agent_recert.facility.sacramento.start_time=08:00

Property Name: agent_recert.all.facilities.duration=<hours>
Req?: Yes
Description: The duration, in hours, for the Agent Recertification job. Duration dictates how long the Agent Recertification job runs before stopping. If the duration has elapsed and the success rate has not been reached, the Agent Recertification job will continue at the next start time. You can overwrite this value for a given facility by specifying the agent_recert.facility.<facility_name>.duration property. Duration must be an integer value between 1 and 24.
Example: agent_recert.all.facilities.duration=8

Property Name: agent_recert.facility.<facility_name>.duration=<hours>
Req?: No
Description: If present, the duration of the given facility will be used instead of agent_recert.all.facilities.duration.
Example: agent_recert.facility.sacramento.duration=10

Property Name: agent_recert.all.facilities.success_rate=<whole percentage>
Req?: Yes
Description: The success rate (in whole percentage) for each facility for the Agent Recertification job. For example, if there are 1000 managed servers in Facility X and the success rate is 98%, the Agent Recertification job will stop if 980 managed servers have been successfully recertified. You can overwrite this value for a given facility by specifying the agent_recert.facility.<facility_name>.success_rate property. Success rate must be an integer value between 1 and 100.
Example: agent_recert.all.facilities.success_rate=100

Property Name: agent_recert.facility.<facility_name>.success_rate=<whole percentage>
Req?: No
Description: If present, the success rate of the given facility will be used instead of agent_recert.all.facilities.success_rate.
Example: agent_recert.facility.sacramento.success_rate=99

Property Name: agent_recert.all.facilities.job_notification=<email addresses>
Req?: No
Description: The job notification for the Agent Recertification job. You can overwrite this value for a given facility by specifying the agent_recert.facility.<facility_name>.job_notification property.
Example: agent_recert.all.facilities.job_notification=admin@example.com

Property Name: agent_recert.facility.<facility_name>.job_notification=<email addresses>
Req?: No
Description: If present, the job notification for the given facility will be used instead of agent_recert.all.facilities.job_notification.
Example: agent_recert.facility.sacramento.job_notification=admin3@example.com

Property Name: agent_recert.using_cdr
Req?: Yes
Description: Indicates whether the new CAs are to be pushed to the agents. Skipping this phase might cause later phases to fail. The default value is 1.
Example: agent_recert.using_cdr=1
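A pre-flight check for the properties listed above, added here as an example and not part of the product or its documentation: it verifies the required properties and documented value ranges, and resolves which value applies to a given facility. The plain key=value file syntax, the handling of # comment lines, and the sample values are assumptions.

```python
import re

# Constructed sample of the agent recertification properties (illustrative values).
SAMPLE = """\
agent_recert.all.facilities.delay=120
agent_recert.all.facilities.start_time=18:30
agent_recert.all.facilities.duration=8
agent_recert.all.facilities.success_rate=100
agent_recert.facility.sacramento.start_time=08:00
agent_recert.using_cdr=1
"""

# Limits from the properties table: (lowest, highest) allowed integer value.
RANGES = {"delay": (120, 7200), "duration": (1, 24), "success_rate": (1, 100)}
REQUIRED = ("agent_recert.all.facilities.duration",
            "agent_recert.all.facilities.success_rate",
            "agent_recert.using_cdr")
HHMM = re.compile(r"([01][0-9]|2[0-3]):[0-5][0-9]")  # 00 <= HH < 24, 00 <= mm < 60

def parse(text):
    """Read key=value lines; skipping blanks and '#' comments is an assumption."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means every check passed."""
    errors = [f"missing required property {k}" for k in REQUIRED if k not in props]
    for key, value in props.items():
        field = key.rsplit(".", 1)[-1]
        if not key.startswith("agent_recert."):
            continue
        if field in RANGES:
            low, high = RANGES[field]
            if not (re.fullmatch(r"[0-9]+", value) and low <= int(value) <= high):
                errors.append(f"{key}={value}: expected an integer in {low}..{high}")
        elif field == "start_time" and not HHMM.fullmatch(value):
            errors.append(f"{key}={value}: expected HH:mm")
    return errors

def effective(props, facility, field):
    """Per-facility value if present, otherwise the all-facilities value."""
    return props.get(f"agent_recert.facility.{facility}.{field}",
                     props.get(f"agent_recert.all.facilities.{field}"))
```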

Agent Recertification Job Flow

The following figure shows the Agent Recertification job flow:

There can be only one Agent Recertification job, scheduled or active, per facility at any given time. An Agent Recertification job will terminate only if:

  • The success rate has been achieved
  • You explicitly cancel the job
  • A fatal error occurs