Configure Agent Controller TLS with Aembit's PKI
Overview
Aembit lets you use Agent Controller Transport Layer Security (TLS) certificates issued by Aembit's PKI to secure Agent Proxy to Agent Controller communication, both in Kubernetes environments and on Virtual Machine deployments.
Configure Agent Controller TLS with Aembit's PKI in Kubernetes
If you have a Kubernetes deployment and would like to use Aembit's PKI, there are two configuration options, described below.
Automatic TLS Configuration
If you are NOT already using a Customer's PKI, install the latest Aembit Helm Chart. By default, Agent Controllers are automatically configured to accept TLS communication from Agent Proxy.
Preserve Existing Customer Configuration
If you have already configured a Customer's PKI-based Agent Controller TLS, no additional steps are necessary, as your configuration will be preserved.
Configure Aembit's PKI-based Agent Controller for Virtual Machine Deployments
On a Virtual Machine, Agent Controller cannot discover on its own which hostname Agent Proxy will use to reach it. You therefore have to configure Agent Controller manually to enable TLS communication between Agent Proxy and Agent Controller.
Aembit Tenant configuration
- Log into your Aembit Tenant, and go to Edge Components -> Agent Controllers.
- Select an existing Agent Controller or create a new one.
- In Allowed TLS Hostname (Optional), enter the FQDN (Ex: my-subdomain.my-domain.com), subdomain, or wildcard domain (Ex: *.example.com) to use for the Aembit Managed TLS certificate. Note: The allowed TLS hostname is unique to each Agent Controller that you configure it on.
- Click Save.
Manual Configuration
If you have not already configured Aembit's PKI, perform the steps listed below.
- Install Agent Controller on your Virtual Machine, and set the AEMBIT_MANAGED_TLS_HOSTNAME environment variable to the hostname that Agent Proxy uses to communicate with Agent Controller. When this variable is set, Agent Controller retrieves the certificate for that hostname from Aembit Cloud, enabling TLS communication between Agent Proxy and Agent Controller.
- Configure Agent Proxy's Virtual Machines to trust the Aembit Tenant Root Certificate Authority (CA).
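The two settings above (the Allowed TLS Hostname in the tenant and the AEMBIT_MANAGED_TLS_HOSTNAME value on the VM) only work together when the hostname Agent Proxy connects to is actually covered by the hostname the certificate was issued for. The following script is an added example, not Aembit's code, for checking that from the Agent Proxy side: it applies RFC 6125-style single-label wildcard matching to an Allowed TLS Hostname entry (an assumption about Aembit's exact matching rules), validates the AEMBIT_MANAGED_TLS_HOSTNAME value before Agent Controller is started, and opens a TLS connection that trusts only the Aembit Tenant Root CA. The Agent Controller port (AGENT_CONTROLLER_PORT) and the PEM path of the Tenant Root CA (AEMBIT_TENANT_ROOT_CA) are placeholders, not values from the Aembit documentation.

```python
"""Check an Aembit-managed Agent Controller TLS setup from the Agent Proxy side.

Added example; not Aembit's code. Assumptions not taken from the Aembit docs:
  - the Agent Controller TLS port is given by AGENT_CONTROLLER_PORT;
  - the Aembit Tenant Root CA has been exported to a PEM file;
  - the Allowed TLS Hostname uses RFC 6125 single-label wildcard semantics.
"""
import os
import socket
import ssl


def hostname_matches_allowed(hostname: str, allowed: str) -> bool:
    """Return True if `hostname` is covered by an Allowed TLS Hostname entry.

    An exact FQDN entry matches case-insensitively. A wildcard entry such as
    "*.example.com" covers exactly one extra label ("api.example.com") and does
    not cover the bare domain or deeper names ("a.b.example.com"); this is the
    standard RFC 6125 reading of a wildcard and is assumed here to be how the
    managed certificate is scoped.
    """
    host = hostname.rstrip(".").lower()
    pattern = allowed.rstrip(".").lower()
    if not host or not pattern:
        return False
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]  # the label the wildcard has to cover
    return bool(prefix) and "." not in prefix and "*" not in prefix


def managed_tls_hostname_from_env(environ=None) -> str:
    """Read AEMBIT_MANAGED_TLS_HOSTNAME (the variable the docs say Agent
    Controller reads on a VM) and reject values that are not a single concrete
    hostname, so a URL or wildcard typed in by mistake is caught before start.
    Treating wildcards as invalid for this variable is an assumption."""
    environ = os.environ if environ is None else environ
    value = environ.get("AEMBIT_MANAGED_TLS_HOSTNAME", "").strip()
    if not value:
        raise ValueError("AEMBIT_MANAGED_TLS_HOSTNAME is not set")
    if value.startswith("*") or "://" in value or "/" in value or ":" in value:
        raise ValueError(f"not a plain hostname: {value!r}")
    return value


def verify_agent_controller_tls(host: str, port: int, tenant_root_ca_pem: str,
                                timeout: float = 5.0) -> dict:
    """Connect to Agent Controller trusting only the Aembit Tenant Root CA and
    return a summary of the presented certificate. Raises
    ssl.SSLCertVerificationError if the chain does not lead to that CA or the
    certificate does not cover `host`. This makes a network call."""
    ctx = ssl.create_default_context(cafile=tenant_root_ca_pem)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    hostname = managed_tls_hostname_from_env()
    port = int(os.environ.get("AGENT_CONTROLLER_PORT", "443"))  # placeholder
    ca_pem = os.environ.get("AEMBIT_TENANT_ROOT_CA", "aembit-tenant-root-ca.pem")  # placeholder
    print(verify_agent_controller_tls(hostname, port, ca_pem))
```

Run it on an Agent Proxy VM after the Tenant Root CA has been installed; a hostname mismatch or an untrusted chain surfaces as an ssl.SSLCertVerificationError rather than a silent fallback, which is the behaviour you want from a check that TLS between Agent Proxy and Agent Controller is actually in force.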
Confirming TLS Status
After you have configured Agent Controller TLS, you can verify its status by performing the following steps:
- Log into your Aembit tenant.
- Click the Edge Components link in the left navigation pane. You are directed to the Edge Components dashboard.
- By default, the Agent Controllers tab is selected. You should see a list of your configured Agent Controllers.
- Verify that TLS is active by confirming that the status indicator in the TLS column for the Agent Controller is colored.
If the TLS status indicator is not colored, TLS is not configured for that Agent Controller.
Agent Controller TLS Support Matrix
The table below lists the various Agent Controller TLS deployment models, denoting whether the configuration process is manual or automatic.
Agent Controller Deployment Model | Customer Based PKI | Aembit Based PKI
---|---|---
Kubernetes | Manual | Automatic
Virtual Machine | Manual | Manual
ECS | Not Supported | Automatic
Automatic TLS Certificate Rotation
Aembit-managed certificates are automatically rotated by the Agent Controller, with no manual steps or extra configuration required.