Table of contents
Topics on this page

Protect the agent

During agent activation, the agent can authenticate the identity of the Workload Security console by pinning the console's certificate to the agent. It does this by validating the connecting console's certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path is validated, the console authentication passes and activates the agents. This prevents agents from activating with a malicious server that is pretending to be Workload Security.

To protect your agents, you must configure each agent so that they can recognize their authorized manager before they try to activate:

  1. Run the following command: curl https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.268214990.1906231865.1600974902-1043992707.1600974902 > ds_agent_dsm_public_ca.crt
  2. On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:
    • Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
    • Linux/Unix: /var/opt/ds_agent/dsa_core
If you are activating agent version 20.0.1412 or later, the following error message appears upon activation, which indicates you have not pinned Workload Security's certificate to the agent:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Pinning a trusted certificate is optional, so you can ignore this error if it does not apply to you. However, if you want to use a trusted certificate, you need to protect your agent before activating it.