To improve security, you can bind Deep Security Agent to a specific Deep Security Manager. The instructions vary depending on whether you're using manager-initiated activation or agent-initiated activation. Follow the instructions below for your environment:
Manager-initiated activation
During agent-manager communications, Deep Security Agent can authenticate the identity of its manager. It does this by comparing your trusted manager's certificate to the connecting manager's certificate. If they don't match, manager authentication fails and the agent won't connect.

This prevents agents from activating with or connecting to a malicious server that is pretending to be your Deep Security Manager. This is especially recommended if agents connect through an untrusted network such as the Internet.

To do this, you must configure each agent with the trusted manager's server certificate so that it can recognize its authorized manager before it tries to connect.
Note: If you reset or deactivate an agent, it deletes the Deep Security Manager certificate. Repeat these steps if you want to reactivate the agent.
- On Deep Security Manager, run the command to export its server certificate:

  dsm_c -action exportdsmcert -output ds_agent_dsm.crt [-tenantname TENANTNAME | -tenantid TENANTID]

  where:

  - ds_agent_dsm.crt is the name of the manager's server certificate.
    Note: You must use this exact file name. You cannot rename it.
  - -tenantname TENANTNAME is the name of a Deep Security tenant. If the Deep Security Manager is multi-tenant, either this or the -tenantid parameter is required. See also Set up a multi-tenant environment.
  - -tenantid TENANTID is the ID of a tenant.

  If you have multiple tenants, run the command to export the first tenant's certificate, like this:

  dsm_c -action exportdsmcert -output ds_agent_dsm.crt -tenantname TENANT1

  and then continue to the next step. (Don't run the export command again for TENANT2 and others until you are finished with the certificate for TENANT1. The command will overwrite the file.)
- On each agent's computer, put the ds_agent_dsm.crt file in this folder:

  - Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  - Linux: /var/opt/ds_agent/dsa_core

  If you have multiple tenants, copy each tenant's certificate file only to its own agents. Agents cannot be activated by other tenants.
- If you have a multi-tenant Deep Security Manager, repeat the previous 2 steps for each tenant.
Note: Initially, after completing these steps, the agent enters a 'pre-activated' state. Until the agent is fully activated, operations initiated by other Deep Security Managers or by entering commands to the agent via dsa_control do not work. This is intentional. Normal operation resumes upon activation.
Agent-initiated activation
During agent activation, Deep Security Agent can authenticate the identity of its Deep Security Manager by pinning the manager's certificate to the agent. It does this by validating the connecting manager's certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path is validated, manager authentication passes and the agent is activated. This prevents agents from activating with a malicious server that is pretending to be your Deep Security Manager.

To protect your agents, you must configure each agent so that it can recognize its authorized manager before it tries to activate.
Import a Deep Security Manager certificate chain issued by a public CA
- Prepare a chain.pem file based on the following specifications:

  - A private key in PKCS #8 format.
  - The X509 certificate that corresponds to the above private key.
  - Any other intermediate X509 certificates needed to build a chain of trust from the above certificate to a trusted certificate authority (CA) root. Each certificate must sign the certificate that directly precedes it, so the order is important. See certificate_list in the RFC.
- On Deep Security Manager, run the following command to import the certificate chain:

  /opt/dsm/dsm_c -action agentHBPublicServerCertificate -set ${path_to_pem_file}

  Note: The ${path_to_pem_file} must be an absolute path, not relative.
- Copy the public CA certificate and rename it ds_agent_dsm_public_ca.crt.
- On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:

  - Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  - Linux/Unix: /var/opt/ds_agent/dsa_core
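Before running the import in step 2, it is worth checking that chain.pem follows the layout required in step 1, because a wrong block order or a PKCS #1 key is only discovered when activation fails. The checker below is an added example, not Trend Micro's code or part of dsm_c: using only the Python standard library, it confirms that the first PEM block is a PKCS #8 private key, that every following block is a certificate, and that each certificate's subject is byte-for-byte the issuer of the certificate before it; it does not verify signatures or check the root against a trust store.

```python
import base64, re

# Added example, not Trend Micro code: pre-flight layout checks for chain.pem (no signature verification).
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def der_to_pem(label, der):
    """Wrap DER bytes in a PEM block (handy for building test input)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, raw_tlv, next_pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end

def issuer_subject(der):
    """Return the raw DER (issuer Name, subject Name) of an X.509 certificate."""
    _, cert, _, _ = _tlv(der, 0)   # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _, _ = _tlv(cert, 0)   # tbsCertificate ::= SEQUENCE { [0] version?, serial, ... }
    pos, fields = 0, []
    while len(fields) < 5:         # serial, signature alg, issuer, validity, subject
        tag, _, raw, pos = _tlv(tbs, pos)
        if tag == 0xA0 and not fields:  # skip the optional [0] EXPLICIT version
            continue
        fields.append(raw)
    return fields[2], fields[4]

def check_chain(text):
    """Return a list of problems; an empty list means chain.pem is laid out correctly."""
    blocks, problems = pem_blocks(text), []
    if not blocks or blocks[0][0] != "PRIVATE KEY":
        problems.append("first block must be a PKCS #8 'PRIVATE KEY' (not 'RSA PRIVATE KEY' / 'EC PRIVATE KEY')")
    certs = [der for label, der in blocks[1:] if label == "CERTIFICATE"]
    if not certs or len(certs) != len(blocks) - 1:
        problems.append("after the key, only CERTIFICATE blocks are allowed and at least one is required")
    for i in range(len(certs) - 1):  # certificate i+1 must be the issuer of certificate i
        if issuer_subject(certs[i])[0] != issuer_subject(certs[i + 1])[1]:
            problems.append(f"certificate {i + 2} is not the issuer of certificate {i + 1}: reorder the chain")
    return problems
```

Call check_chain(open("chain.pem").read()) before the import command; every string it returns names one thing to fix, and an empty list means the file is in the expected order.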
Note: If you've installed Deep Security Manager 20.0.262 and are activating Deep Security Agent 20.0.1540 or a newer agent, the following error message appears upon activation, which indicates you have not pinned the manager's certificate to the agent:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in the section above before activating the Deep Security Agent.
Confirm the certificate chain is imported
To confirm the certificate chain is imported, enter the following command:
/opt/dsm/dsm_c -action agentHBPublicServerCertificate -isSet
Delete the imported certificate chain
If you'd like to stop using a Deep Security Manager certificate chain issued by a public CA, enter the following command:
/opt/dsm/dsm_c -action agentHBPublicServerCertificate -delete
By default, the Deep Security Manager will revert to using a self-signed certificate.