General information

The Thycotic agents will make the following changes to the endpoint(s) during installation: 

  1. Agent binary files will be installed to multiple directories under the default location C:\Program Files\Arellia
  2. Agent configuration files will be installed to multiple directories under C:\ProgramData\Arellia
  3. A firewall rule will be added that allows inbound traffic to the Thycotic Agents on TCP port 5593
  4. A digital certificate will be selected for use in encrypting client/server communications
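The following PowerShell snippet is an added example, not Thycotic's code, for confirming that footprint on an endpoint after installation: it checks the two directories and looks for the inbound TCP 5593 rule. The article does not give the firewall rule's name, so the rule is located by port rather than by name, and the remote-address scope is shown so an administrator can see how widely the port is exposed.

```powershell
# Added example (not Thycotic's code): verify the installation footprint
# described above. Paths and port come from the article; the rule name is
# not stated there, so the rule is found by its port filter.

$paths = 'C:\Program Files\Arellia', 'C:\ProgramData\Arellia'
foreach ($p in $paths) {
    $state = if (Test-Path -LiteralPath $p) { 'present' } else { 'MISSING' }
    '{0,-28} {1}' -f $p, $state
}

# Inbound TCP 5593: enumerate port filters first, then the rules that own them
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq '5593' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' }

if ($rules) {
    $rules | Select-Object DisplayName, Enabled, Action, Profile |
        Format-Table -AutoSize
    # Remote scope of each rule: 'Any' means every source address may reach 5593
    $rules | Get-NetFirewallAddressFilter |
        Select-Object @{Name='Rule'; Expression={$_.InstanceID}}, RemoteAddress |
        Format-Table -AutoSize
} else {
    'No inbound TCP 5593 firewall rule found'
}
```

Run it in an elevated PowerShell session on the endpoint; a missing directory or rule after a reported successful install is worth investigating before the agent is relied on.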

Criteria for evaluating pre-existing digital certificates

Pre-existing certificates that match the following criteria will be used:

  • Certificates that belong in the Local Machine store and are issued to the hostname or FQDN of the endpoint 
  • Certificates that specify a Subject Alternative Name whose DNS Name matches the machine FQDN
  • Certificates whose intended purpose is All Purposes or Client Authentication
  • Certificates whose chain contains only trusted Certification Authorities
  • Certificates that have a private key that LocalSystem and the Administrators group can read

If multiple certificates meet the previous criteria, then the following selection priority will be used:

Priority 1: Certificates issued by a trusted Certification Authority to the FQDN of the endpoint
Priority 2: Certificates issued by a trusted Certification Authority to the hostname (or FQDN using Subject Alternative Name) of the endpoint
Priority 3: Self-signed certificates issued to the FQDN of the endpoint
Priority 4: Self-signed certificates issued to the hostname (or FQDN using Subject Alternative Name) of the endpoint

The Thycotic agents will:

  • select, among the certificates at the matching priority level, the certificate with the longest validity from the current date.
  • generate their own trusted self-signed certificate if no existing certificate meets the criteria.
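The PowerShell script below is an added example, not Thycotic's code, that applies the criteria and priority order above to the Local Machine personal store so an administrator can predict which certificate the agent would select, or whether it would fall back to generating one. It assumes the reading that priority level is ranked first and remaining validity breaks ties within a level, approximates the private-key ACL criterion with `HasPrivateKey` (a full check of the key container's ACL is out of scope), and uses the `DnsNameList` property that PowerShell's certificate provider adds for SAN DNS names. Chain building with revocation checking disabled reflects that the criterion is trust of the chain, not revocation status.

```powershell
# Added example (not Thycotic's code): rank Cert:\LocalMachine\My the way the
# criteria and priorities above describe. Assumptions: priority ranks first and
# longest validity breaks ties; HasPrivateKey stands in for the ACL check.

$hostName = $env:COMPUTERNAME.ToLower()
$fqdn     = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName.ToLower()

function Get-CertCN($cert) {
    # CN component of the subject distinguished name, lower-cased for comparison
    $m = [regex]::Match($cert.Subject, 'CN=([^,]+)')
    if ($m.Success) { $m.Groups[1].Value.Trim().ToLower() } else { '' }
}

function Test-Purpose($cert) {
    # No EKU extension means All Purposes; otherwise Client Authentication is required
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $true }
    foreach ($u in $eku.EnhancedKeyUsages) {
        if ($u.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }   # id-kp-clientAuth
    }
    return $false
}

function Test-ChainTrusted($cert) {
    # Build succeeds only when every CA in the chain (or the self-signed cert
    # itself) is trusted by the machine; revocation is not the criterion here
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    $chain.Dispose()
    return $ok
}

function Get-Priority($cert, $cn, $sans) {
    # 0 = does not match the criteria; 1..4 follow the article's priority list
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $toFqdn     = ($cn -eq $fqdn)
    $toHost     = ($cn -eq $hostName) -or ($sans -contains $fqdn)
    if (-not ($toFqdn -or $toHost)) { return 0 }
    if (-not $selfSigned -and $toFqdn) { return 1 }
    if (-not $selfSigned)              { return 2 }
    if ($toFqdn)                       { return 3 }
    return 4
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $cn   = Get-CertCN $cert
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
    $prio = Get-Priority $cert $cn $sans
    if ($prio -gt 0 -and $cert.HasPrivateKey -and
        $cert.NotAfter -gt (Get-Date) -and
        (Test-Purpose $cert) -and (Test-ChainTrusted $cert)) {
        [pscustomobject]@{
            Priority   = $prio
            NotAfter   = $cert.NotAfter
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
        }
    }
}

# Lowest priority number first; within a level, the latest expiry wins
$ranked = $candidates | Sort-Object Priority, @{Expression='NotAfter'; Descending=$true}
if ($ranked) {
    $ranked | Format-Table -AutoSize
} else {
    'No certificate meets the criteria; the agent would generate a self-signed one.'
}
```

The first row of the output is the certificate this ranking would choose. If an unexpected certificate appears above the one you intended (for example, one issued to the bare hostname by an internal CA outranking a self-signed one issued to the FQDN), that is the priority order working as described, and the fix is to issue or install the intended certificate rather than to remove the others.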

Communications