Skip to main content

Set Up Secure TLS Communication With Windows Agent

This article will show you how to set the TLS communication for your Windows Agent, this feature is available for all Windows Agent version higher than 17.1.

All screenshots in this article come from a Windows Server 2019, MSLSAM 19.1, and here the MLSAM is using port 3100 (3100 is the default port). Here we'll use an auto signed certificate.

Create the certificate

Before to go further, you need to create a certificate (auto-signed or signed).

We won't show in this article how to create a certificate, you can use OpenSSL commands or the available function in IIS.

Import a certificate into the certificate manager of the Opcon server and into the server hosting the Windows Agent.

  • On the OpCon server get the certificate and execute it by double-clicking on it

  • Choose a local computer:

  • Click Next

  • Type the Private Key of your certificate

  • Choose where to store your certificate: Trusted Root Certification Authorities

  • Finish

If the Windows Agent run on a different server of the OpCon server duplicate steps above on the other server.

Certificate serial number

For the next steps you need to know the serial number of your certificate, below how to get it

  • Start the certificate manager (certlm.msc)

  • Go on Trusted Root Certification Authorities\Certificates

  • Once you identified your certificate, right click on it, properties and Details tab

  • Find serial number and keep it

Enterprise Manager and MSLSAM.ini set up

As you found the serial number of your certificate, you need to fill out the MSLSAM.ini to let your agent know which certificate to use:

  • In the MSLSAM.ini edit these parameters: "UseSecureSocket" to TRUE and "TLSCertificateSerial" with the certificate serial number you found.

A copy/paste of the serial number directly from the certificate store could include invisible special characters thus making the MSLSAM services impossible to start because the certificate is not found. Please write the serial number instead of a copy/paste. If you're encountering the issue above, remove the TLSCertificateSerial line and rewrite the line manually.

  • Change the SMAFT port as with TLS enables JORS and SMAFT cannot have the same port number

  • Restart the Windows agent and the JORS service to apply the change

  • Now in the Enterprise Manager on the Advanced Machine Properties edit these lines like below

  • Once all is set, you can start the communication of your machine.


After you started the communication of your machine in the Enterprise Manager, check the log MSLSAM.log and SMANetcom.log

  • The SMANetcom encrypt all data and check the Windows Agent identity

At this moment your agent use an encrypted flow through your certificate

Client validation

To go further, you can also allow the client verification, the LSAM (as TLS server) will validate the certificate presented by the OpCon server's SMANetCom program (as TLS client).

  • To allow the Windows Agent to verify the OpCon server identity, we need to edit the parameter TLSClientValidation=TRUE in the MSLSAM.ini

  • Once done restart Windows Agent services

  • In the Enterprise Manager -> Server Options add the serial number at the line TLS Certificate Serial Number:

  • Save and Restart SMA OpCon Service Manager


  • Check Windows Agent Log:

04/02/2021 15:03:43.134 Local cert was issued to, CN=WS2019-BB20, O=SMA, L=Houston, C=US and is valid from 01/02/2021 18:04:02 until 01/02/2022 18:04:02
04/02/2021 15:03:43.134 Remote cert was issued to, CN=WS2019-BB20, O=SMA, L=Houston, C=US and is valid from 01/02/2021 18:04:02 until 01/02/2022 18:04:02
04/02/2021 15:03:43.134 Can read: True, write True
04/02/2021 15:03:43.134 Can timeout: True
04/02/2021 15:03:43.248 Connection accepted. 0 : [ ::ffff: ]

  • Check the SMANetcom.log