About SEM Manager and agent communications
Beginning with version 2023.2, SEM implements several updates to ensure uninterrupted communications between the SEM Manager and agents. These updates include:
SEM Manager implements a new communication certificate that links with a new SEM agent certificate on each end-entity device. SEM Manager will support the existing SEM agent certificate until each agent has the new certificate. All SEM agent certificates are updated when the agent connects with SEM Manager.
See Prepare to upgrade SEM for instructions on how to upgrade your deployment with the latest certificates.
When an agent attempts to connect to the SEM Manager and an error occurs (for example, the SEM agent certificate is expired), the agent automatically attempts to recover.
The SEM Manager and agents automatically update expired or nearly expired certificates in the background. The certificate update procedure occurs once a day by default when the SEM agent or manager is active and after the agent or manager is restarted.
SEM uses validity offsets to verify the expiration date for CA and end-entity certificates. This process helps to prevent expired certificates that can impact your SEM operations. The following table describes the offset for each certificate type.
|Certificate||Default validity offset||Description|
|CA||One year||Certificates valid for five years are considered expired when their validation term diminishes to one year or less.|
(SEM Manager and agents)
|30 days||Certificates valid for 90 days are considered expired when their validation term diminishes to 30 days or less.|
SEM Manager certificates
The SEM Manager end-entity certificate is always reissued after each restart and during the hostname change operation (CMC).
The background update job updates the end-entity certificate by issuing the certificate with the current CA. The existing end-entity certificate is replaced by the new certificate.
This update job also creates a new CA that includes a new end end-entity certificate. The existing (old) CA and entity certificate are saved to allow the existing agents to connect with the SEM Manager. These certificates are removed after all agents update their certificates with the certificate issued by the CA. This process starts a new CA certificate notification and broadcast job in the SEM Manager.
New CA certificate notifications and broadcasts
When the SEM Manager generates a new CA certificate, it starts a periodical background job. This job is canceled when all online SEM agents begin using a new communication certificate signed by the new CA.
The background certificate update also runs on the SEM agents. When the certificate update job recognizes that the agent certificate requires an update, the agent asks the SEM Manager to issue a new certificate.
The existing agent certificates are updated after your SEM agent is upgraded to version 2023.2. After the SEM Manager updates the SEM agent certificates, the existing certificates are deleted.
Certificate update audits
The SEM Manager audits the certificate operations, including certificate updates and SEM agent certificate signing. The audit information can help you identify certificates and troubleshoot any SEM operation issues.
SolarWinds recommends creating a filter to manage the certificate update process. Below is an example of the parameters you can use to create a certificate audit filter and manage the certificate update process.
Any Alert.ProviderSID is the security identifier (SID) of your targeted alert provider.
Below is an example of the audit results for a CA certificate update.
To prevent unauthorized access to your deployment, the SEM Manager and agents implement the following communications method:
The SEM agent connects to the SEM Manager using the manager IP or hostname (or FQDN).
The SEM Manager implements a TLS connection with the SEM agent and presents its certificate to the agent, which includes a list of SAN names.
The SEM agent compares the SEM Manager IP address from the socket against the value presented in the manager certificate SAN names. If a match exists, the connection is established. If a match does not exist, the connection fails.