Topics on this page

Protect Deep Security Agent

During agent activation, Deep Security Agent can authenticate the identity of the Workload Security console by pinning the console's certificate to the agent. It does this by validating the connecting console's certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path is validated, the console authentication passes and activates the agents. This prevents agents from activating with a malicious server that is pretending to be Workload Security.

To protect your agents, you must configure each agent so that they can recognize their authorized manager before they try to activate.

  1. Run the following command: curl https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.268214990.1906231865.1600974902-1043992707.1600974902 > ds_agent_dsm_public_ca.crt
  2. On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:
    • Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
    • Linux/Unix: /var/opt/ds_agent/dsa_core
If you are activating Deep Security Agent 20.0.1412 or a newer agent, the following error message appears upon activation, which indicates you have not pinned Workload Security's certificate to the agent:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in the section above before activating the Deep Security Agent.