Skip to main content
Version: NG-2.16

Antivirus / Endpoint Security Recommendations

Approved by customer policy:

  • Exclude AGENT_HOME from real-time scanning (reduces CPU/I/O overhead and file lock risk).
  • Exclude the agent log directory to avoid log rotation lock issues.
  • Ensure endpoint protection does not block outbound traffic to vuSmartMaps endpoints and required ports.

Additional recommendation (Java agents only)

  • If Java runtime scanning causes overhead, exclude the JRE/JDK directory used by the agent (customer decision).

Update SSL certificates

This section describes the steps to update agents to trust the new broker certificates provided by client.

Agent-side changes must be performed only after successful broker-side verification. Refer the documentation here.

Prerequisites

Before initiating the certificate update process, ensure the following certificate files are available:

  • Server certificate (.pem)
  • Private key corresponding to the server certificate
  • CA certificate used to sign the server certificate
  • Intermediate CA certificates (if applicable) to complete the certificate chain

All certificate files must be validated and available before initiating the maintenance activity

Beat Agents

A. Updating Agent Installation Package in Minio (New Installations)

This section describes how to update the agent installation package stored in Minio so that all new agent installations automatically trust the updated CA certificate.

Step 1: Extract the Existing agent Package

Extract the agent package:

tar -xvzf agent.tar.gz

Step 2: Update CA Certificate

Navigate to the certificates directory inside the extracted package:

cd agent/certs

Copy the updated CA certificate:

cp <clientrootCA.pem> agent/certs/

Step 3: Repackage the Healthbeat Agent

After updating the certificate and configuration, repackage the agent:

tar -cvzf agent.tar.gz agent/

Once this is done, upload the package to Minio.

Step 4: Verification

  • Download the agent from Minio
  • Verify that the updated CA certificate is present in the certs directory
  • Confirm configuration file points to the correct CA path
  • Install and start the agent
  • Validate that the agent connects successfully to the broker without SSL errors

B. Updating Certificates for Existing Installations

Beats-based agents require an update to the CA certificate path so that the agent can trust the newly deployed broker certificate.

Step 1: Copy CA Certificate to Agent

Log in to the agent node and navigate to the agent certificate directory (e.g., healthbeat/certs)

Copy the customer-provided CA certificate to this directory by replacing the contents of the existing CA certificate file with the new certificate, while retaining the same file name.

cp <clientrootCA.pem> <AGENT_HOME>/certs/

Step 2: Restart the Agent

Stop and start the healthbeat agent service to apply the changes.

./agent stop
./agent start

Check the agent logs to see if there are any errors related to SSL or handshake issues.

Java Agents

Java-based agents require the broker CA certificate to be added to a truststore so that SSL connections to the broker are trusted.

A. Updating Agent Installation Package in Minio (New Installations)

This section describes how to update the agent installation package stored in Minio so that all new agent installations automatically trust the updated CA certificate.

Step 1: Create Truststore

Import the CA certificate into the Java truststore. Create a new .jks file using the client CA certificate and replace the existing one while keeping the same file name.

keytool -importcert -trustcacerts \
  -file <client.pem> \
  -alias broker-ca \
  -keystore vunet-client-truststore.jks \
  -storepass Touro#7814\
  -noprompt

Step 2: Extract the Existing agent Package

Extract the agent package:

tar -xvzf agent.tar.gz

Step 3: Update CA Certificate

Navigate to the certificates directory inside the extracted package:

cd agent/certs

Copy the updated CA certificate and truststore file:

cp <vunet-ca-cert.pem> agent/certs/
cp <vunet-client-truststore.jks> agent/certs/

Step 4: Repackage the Healthbeat Agent

After updating the certificate and configuration, repackage the agent:

tar -cvzf agent.tar agent/

Once this is done, upload the package to Minio.

Step 5: Verification

  • Download the agent from Minio
  • Verify that the updated CA certificate is present in the certs directory
  • Confirm agent configuration points to the correct CA path
  • Install and start the agent
  • Validate that the agent connects successfully to the broker without SSL errors

B. Updating Certificates for Existing Installations

Step 1: Create or Update Truststore

On the agent node, import the CA certificate into the Java truststore. Create a new .jks file using the client CA certificate and replace the existing one while keeping the same file name.

keytool -importcert -trustcacerts \
  -file <client.pem> \
  -alias broker-ca \
  -keystore vunet-client-truststore.jks. \
  -storepass Touro#7814\
  -noprompt

Copy the updated CA certificate and truststore file:

cp <vunet-ca-cert.pem> <AGENT_HOME>/agent/certs/
cp <vunet-client-truststore.jks> <AGENT_HOME>/agent/certs/

Step 2: Restart the Java Agent

Restart the Java-based agent service to apply the changes.

./agent stop
./agent start

Once everything is done, check the agent logs to see if there are any errors.