Prepare the environment

1. Back up the following files from <Agent Install Directory>\conf\:
• keystore
• config.properties
2. Stop all FNMEA Agent services.
3. Delete or rename the existing keystore file in the conf directory.
4. Create a folder named:
   <Agent Install Directory>\conf\SSL\
5. Copy the Admin server certificate (Admin_Root.cer) to the <Agent Install Directory>\conf\SSL\ directory. This will be used during the SSL configuration process to allow the Admin module to authenticate with the Agent.
6. Run all configuration commands from either a PowerShell Window (Windows) or Terminal Window (Linux) from the top-level Agent directory:

Windows
C:\Program Files\FNMEA Agent\

Linux
/opt/FNMEA Agent/

Configuration steps

NOTE: The commands below are listed for PowerShell, but the same commands will work in Linux by changing the paths from \ to /.

Generate keys and Certificate Signing Request (CSR)

1. Generate the encryption keys and self-signed certificates:

\jre\bin\keytool.exe -keystore ".\conf\keystore" -storepass "flexnet" -genkeypair -alias "tomcat" -keyalg RSA -validity 7300 -keypass "flexnet" -dname "CN={License Manager Server FQDN},OU=IT,O=test,L=test,S=test,C=US" -ext "SAN=dns:{Server DNS Alias}" -keysize 2048

2. Generate Certificate Signing Request (CSR):

.\jre\bin\keytool.exe -keystore ".\conf\keystore" -certreg -keyalg RSA -alias tomcat -file .\conf\SSL\{License Manager Server}.csr -ext "SAN=dns:{Server DNS Alias}"

Sign and save the certificates

Get certificates signed by your CA team. Once you receive the certificates, you will need to save them as Base64-encoded X.509 (.CER) certificates. Follow the steps below

1. Click on the View Certificate button to open the root certificate.
2. In the Details tab of the root certificate, choose Copy to File.
3. Follow the Certificate Export Wizard prompts to save the root certificate as follows:
• Base-64 encoded X.509 (.CER)
• File Path: <Agent Install Directory>\certs\SSL\{License Manager Server}_Signed.cer

4. Double click on the <Agent Install Directory>\certs\SSL\{License Manager Server}_Signed.cer. The Certificate Properties dialog for the Cognos Server certificate will open.
5. In the Certification Path tab, select the root certificate.
6. Click on the View Certificate button to open the root certificate.
7. In the Details tab of the root certificate, choose Copy to File.

Extract and import CA certificates

1. Follow the Certificate Export Wizard prompts to save the root certificate as follows:
   • Base-64 encoded X.509 (.CER)
   • File Path: <Agent Install Directory>\certs\SSL\{License Manager Server}_Root.cer

2. Double click on the <Agent Install Directory>\certs\SSL\{License Manager Server}_Signed.cer. The Certificate Properties dialog for the Admin Server certificate will open.
3. In the Certification Path tab, select the intermediate certificate.
4. Click on the View Certificate button to open the intermediate certificate.
5. In the Details tab of the intermediate certificate, choose Copy to File.
6. Follow the Certificate Export Wizard prompts to save the intermediate certificate as follows:
   • Base-64 encoded X.509 (.CER)
   • File Path: <Agent Install Directory>\certs\SSL\{License Manager Server}_Intermediate.cer
7. Open the Server certificate and go to the Details tab.
8. Extract and import the root CA certificate.
9. Extract the intermediate CA certificate (if the intermediate certificate exists):
10. Import CA-Signed certificates
    1. .\jre\bin\keytool.exe -keystore ".\conf\keystore" -import -trustcacerts -alias "root" -file ".\certs\SSL\{License Manager Server}_Root.cer"
    2. .\jre\bin\keytool.exe -keystore ".\conf\keystore" -import -trustcacerts -alias "intermediate" -file ".\certs\SSL\{License Manager Server}_Intermediate.cer"
    3. .\jre\bin\keytool.exe -keystore ".\conf\keystore" -import -trustcacerts -alias "tomcat" -file ".\certs\SSL\{License Manager Server}_Signed.cer"
11. Import the Admin Root and {License Manager Server}_Signed.cer into the license server truststore
    1. .\jre\bin\keytool.exe -keystore ".\jre\lib\security\cacerts" -storepass "changeit" -import -alias admin_root -file ".\conf\SSL\admin_root.cer" -trustcacerts -noprompt
    2. .\jre\bin\keytool.exe -keystore ".\jre\lib\security\cacerts" -storepass "changeit" -import -alias agent -file ".\conf\SSL\{License Manager Server FQDN}_Signed.cer" -trustcacerts -noprompt

Configure the FNMEA Agent using the Agent Configuration Wizard

1. Reconfigure the Agent to communicate over the correct ports and protocols using the Agent configurator:
   1. Windows: Run the C:\Program Files\FNMEA Agent\AgentConfiguration.bat command as administrator
   2. Linux: Run the /opt/FNMEA Agent/AgentConfiguration command.
2. Using the configurator, update the settings below as described:

3. Click Finish and then start the Agent services. The Agent should now be communicating over HTTPS. 
   Next, move to the Admin server to complete the setup.
4. Modify the manager side by transferring the {License Manager Server FQDN}_Signed.cer to the Admin server. If you followed the article for the admin configuration, you should already have a folder: <Admin Install Directory>\FLEXnet\certs
5.  Open a PowerShell or Terminal Window to the install directory: <Admin Install Directory>\FLEXnet\manager\admin\
6. Run the below command to import the license server certificate into the Admin server's truststore:

.\jvm\bin\keytool.exe -keystore ".\jvm\lib\security\cacerts" -storepass "changeit" -import -alias {License Manager Server FQDN} -file " <Admin Install Directory>\FLEXnet\certs\{License Manager Server FQDN}_Signed.cer" -trustcacerts -noprompt

7. Navigate to the web UI, go to Servers > Agent Summary, select the agent you just configured, and change the Connection Protocol from TCP to SSL.
8. Select Save & Connect.

The FNMEA Agent now communicates securely with the Manager using SSL, including encrypted broker communication and HTTPS uploads.