You can edit the vRealize Log Insight agent configuration file to change the SSL configuration, add a path to the trusted root certificates, and define whether certificates are accepted by the agent.

This procedure applies to the vRealize Log Insight agents for Windows and Linux.

For the vRealize Log Insight Linux agent:

Log in as root or use sudo to run console commands.

Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.

For the vRealize Log Insight Windows agent:

Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.

1. Navigate to the folder containing the liagent.ini file.

   Operating system    Path
   Linux               /var/lib/loginsight-agent/
   Windows             %ProgramData%\VMware\Log Insight Agent

2. Open the liagent.ini file in any text editor.

3. Add the following keys to the [server] section of the liagent.ini file.

Key: ssl_ca_path
Description: The path to the trusted root certificates bundle file. If not specified, the vRealize Log Insight Windows agent uses system root certificates. The vRealize Log Insight Linux agent attempts to load trusted certificates from /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-certificates.crt.

Key: ssl_accept_any
Description: Defines whether any certificates are accepted by the vRealize Log Insight agent. The possible values are yes, 1, no, or 0. When the value is set to yes or 1, the vRealize Log Insight Agent accepts any certificate from the server and establishes a secure connection for sending data. The default value is no.
Note: If ssl_accept_any is set to yes or 1, the Log Insight Agent accepts certificates that do not have a matching Common Name.

Key: ssl_accept_any_trusted
Description: The possible values are yes, 1, no, or 0. If the vRealize Log Insight Agent has a locally stored trusted Certificate Authority-signed certificate and receives a different valid certificate signed by a different trusted Certificate Authority, it checks this configuration option. If the value is set to yes or 1, the Agent accepts the new valid certificate. If the value is set to no or 0, it rejects the certificate and terminates the connection. The default value is no.

Key: ssl_cn
Description: The self-signed certificate Common Name. The default value is VMware vCenter Log Insight. You can define a custom Common Name to be checked against the certificate Common Name field. The vRealize Log Insight Agent checks the Common Name field of the received certificate against the host name configured in the hostname key of the [server] section. If it does not match, the Agent checks the Common Name field against the ssl_cn key in the liagent.ini file. If the values match, the vRealize Log Insight Agent accepts the certificate.

Note: The keys are used only if the protocol in the [server] section is set to cfapi and SSL is enabled.

4. Save and close the liagent.ini file.

The following is an example of the SSL configuration.

[server]
proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/pki/tls/certs/ca-bundle.crt
ssl_accept_any=no
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
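
The following is an added example, not part of the VMware documentation: a Python check that reads liagent.ini text and reports which [server] SSL keys relax certificate validation, following the key descriptions above. The sample configuration and its hostname are constructed, the function name is hypothetical, and treating an absent key as not enabled is an assumption.

```python
import configparser
import os

TRUE_VALUES = {"yes", "1"}  # values the page lists as enabling a key

# Constructed sample for illustration; the hostname is a placeholder.
SAMPLE_INI = """\
[server]
hostname=loginsight.example.com
proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/pki/tls/certs/ca-bundle.crt
ssl_accept_any=yes
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
"""

def audit_server_section(ini_text, check_ca_file=False):
    """Return (key, finding) tuples for the [server] SSL keys in liagent.ini text."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(ini_text)
    if not parser.has_section("server"):
        return [("server", "no [server] section")]
    server = parser["server"]
    def enabled(key):
        # Assumption: a key that is absent is treated as not enabled.
        return server.get(key, "").strip().lower() in TRUE_VALUES

    if server.get("proto", "").strip().lower() != "cfapi" or not enabled("ssl"):
        return [("ssl", "ssl_* keys are not used unless proto=cfapi and ssl is enabled")]
    findings = []
    if enabled("ssl_accept_any"):
        findings.append(("ssl_accept_any",
                         "any server certificate is accepted, Common Name mismatch included"))
    if enabled("ssl_accept_any_trusted"):
        findings.append(("ssl_accept_any_trusted",
                         "a different valid certificate signed by another trusted CA is accepted"))
    ca_path = server.get("ssl_ca_path", "").strip()
    if not ca_path:
        findings.append(("ssl_ca_path", "not set: system or distribution default bundle is used"))
    elif check_ca_file and not os.path.isfile(ca_path):
        findings.append(("ssl_ca_path", "bundle file not found: " + ca_path))
    return findings

if __name__ == "__main__":
    for key, finding in audit_server_section(SAMPLE_INI):
        print(f"{key}: {finding}")
```

Pass check_ca_file=True when running on the agent host itself to also confirm that the configured bundle file exists.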