General information
The Thycotic agents will make the following changes to the endpoint(s) during installation:
- Agent binary files will be installed to multiple directories under the default location C:\Program Files\Arellia
- Agent configuration files will be installed to multiple directories under C:\ProgramData\Arellia
- A firewall rule will be added that allows inbound traffic to the Thycotic Agents on TCP port 5593
- A digital certificate will be selected for use in encrypting client/server communications
Criteria for evaluating pre-existing digital certificates
Pre-existing certificates that match the following criteria will be used:
- Certificates that are in the Local Machine store and are issued to the hostname or FQDN of the endpoint
- Certificates that specify a Subject Alternative Name whose DNS Name matches the machine FQDN
- Certificates whose intended purpose is All Purposes or Client Authentication
- Certificates whose chain contains only trusted Certification Authorities
- Certificates that have a private key that LocalSystem and the Administrators group can read
If multiple certificates meet the previous criteria, then the following selection priority will be used:
Priority | Certificate
-------- | -----------
1 | Certificates issued by a trusted Certification Authority to the FQDN of the endpoint
2 | Certificates issued by a trusted Certification Authority to the hostname (or FQDN using Subject Alternative Name) of the endpoint
3 | Self-signed certificates issued to the FQDN of the endpoint
4 | Self-signed certificates issued to the hostname (or FQDN using Subject Alternative Name) of the endpoint
The Thycotic agents will:
- select, from the matching priority level, the certificate with the longest validity from the current date.
- generate their own trusted self-signed certificate if they do not identify an existing one
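The following script is an added example (not Thycotic's own code) that applies the selection criteria and priority levels above to the certificates in LocalMachine\My, so an administrator can see which certificate the agent would pick before installing it. It assumes an elevated PowerShell session on the endpoint; it does not check the private-key ACL criterion, and it disables revocation checking when building the chain.

```powershell
# Added example, not Thycotic's code: rank LocalMachine\My certificates the way the
# criteria above describe. The private-key ACL (LocalSystem/Administrators read) is
# not checked here; only HasPrivateKey is tested. Run from an elevated session.
$hostName      = $env:COMPUTERNAME
$fqdn          = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # On Windows, Format($false) renders the SAN as "DNS Name=a, DNS Name=b, ..."
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

$candidates = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    $cn         = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san        = Get-SanDnsNames $cert
    $cnIsFqdn   = $cn -ieq $fqdn
    $cnIsHost   = $cn -ieq $hostName
    $sanHasFqdn = $san -icontains $fqdn
    if (-not ($cnIsFqdn -or $cnIsHost -or $sanHasFqdn)) { continue }

    # Intended purpose: no EKU extension means All Purposes; otherwise Client Authentication is required
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) { continue }

    # The chain must build to a trusted root; this also covers "trusted" for self-signed certificates
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not part of the criteria above
    if (-not $chain.Build($cert)) { continue }

    $selfSigned = $cert.Subject -eq $cert.Issuer
    $priority = if (-not $selfSigned -and $cnIsFqdn) { 1 }
                elseif (-not $selfSigned -and ($cnIsHost -or $sanHasFqdn)) { 2 }
                elseif ($selfSigned -and $cnIsFqdn) { 3 }
                else { 4 }

    [pscustomobject]@{ Priority = $priority; Subject = $cn; SelfSigned = $selfSigned
                       NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
}

# Best priority first, then the longest remaining validity within that priority
$candidates | Sort-Object Priority, @{ Expression = 'NotAfter'; Descending = $true } | Format-Table -AutoSize
```

An empty result means the agent would generate its own self-signed certificate at installation.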