Agent third-party deployment: Enabling the HTTPS Protocol on UNIX Agents

FlexNet Manager Suite 2020 R2 (On-Premises)
The FlexNet inventory agent (or more precisely, its component executables) may make use of the HTTPS protocol for communications with inventory beacons. Whereas Windows systems can manage the security certificates for you, on UNIX and OS X some manual configuration is required.
Tip: The options for checking certificates and checking certificate revocation are supported in networks using the IPv4 or IPv6 address families.
Note: The HTTPS protocol is only available to the installed agents, and is not available to the zero-footprint FlexNet Inventory Scanner.
There are three security levels that can be enabled for HTTPS, controlled by two preference settings. From the highest level of security to the lowest, these are:
  • Checking certificate(s) and excluding revoked certificates
  • Checking certificate(s)
  • Relying on encryption

Checking certificate(s) and excluding revoked certificates

Full checking of each HTTPS server certificate involves having a local copy on the managed device of all the public certificates (which may come from multiple certificate authorities (CA)) that are used to validate the HTTPS server certificates. These certificates must be available in the /var/opt/managesoft/etc/ssl/cert.pem file on the managed device (or an alternative folder — see Agent third-party deployment: HTTPS CA Certificate File Format (UNIX) for more details). The device must also be able to download the certificate revocation list from an HTTP location, and/or perform an OCSP check for certificate revocation. For this level of security, both the CheckServerCertificate and CheckCertificateRevocation settings should be set to True (these are the default settings). When these are both true, a number of other settings can come into play, a few of which can be configured in the mgsft_rollout_response file that assists with deployment (see Agent third-party deployment: Configure the Bootstrap File for UNIX), and others must be modified in the /var/opt/managesoft/etc/config.ini file that functions in place of the Windows registry for UNIX-like platforms (see Agent third-party deployment: Updating config.ini on a UNIX Device). The additional preferences are:

Checking certificate(s)

This mid-level security model provides an encrypted channel and validation of the HTTPS server, but does not provide a way to check whether the certificate used to validate the HTTPS server has been revoked. This may be adequate where you are confident of the longevity of your certificates, perhaps because you are using an internal certificate authority.

Checking of the server certificate still requires the CA certificate to be installed on the managed device in the /var/opt/managesoft/etc/ssl/cert.pem file (and/or the alternative folder). In addition, the CheckServerCertificate preference must keep its default value of True. Ignoring the revocation list is configured by disabling (setting to False) the CheckCertificateRevocation setting for all component agents on the managed device.
Tip: It is also possible to disable revocation checking for most agent components in general, but create exceptions where a particular component still checks for possible certificate revocation. For details, see CheckCertificateRevocation. (If you override the behavior for particular agent components, you may need to review the revocation settings listed above for the same components.)

Relying on encryption

If you are confident of the security of your infrastructure, it is possible to ignore the server certificates entirely. This provides an encrypted channel of communication, but does not provide validation that the device is actually talking to the correct HTTPS server.

Disabling checking of the server certificate can be achieved by disabling (setting to False) both the CheckServerCertificate and CheckCertificateRevocation settings for all component agents on the managed device. In this mode of operation, the CA certificate is not required to be installed on the managed device.
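As an added example (not Flexera's code), the following POSIX shell check reads the two preferences from a UNIX device's config.ini, reports which of the three levels above it selects, and refuses either certificate-checking level when the CA bundle is absent. It assumes the preferences appear as Key=Value lines and that an absent key means the documented default of True; the section name and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Flexera's code. Classify the HTTPS security level that a
# UNIX agent's config.ini selects and confirm the CA bundle needed for it exists.
# Assumption: preferences are "Key=Value" lines; an absent key means the default True.

# Print the last value of key $2 in file $1, or "True" when the key is not set.
pref_value() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'True\n'
}

# $1 = config.ini, $2 = CA bundle (normally /var/opt/managesoft/etc/ssl/cert.pem).
# Prints full, certificate-only or encryption-only; returns 1 on a broken setup.
https_security_level() {
    check_cert=$(pref_value "$1" CheckServerCertificate)
    check_rev=$(pref_value "$1" CheckCertificateRevocation)
    case "$check_cert" in
        [Ff]alse) printf 'encryption-only\n'; return 0 ;;   # no CA bundle needed
    esac
    # Either certificate-checking level needs the CA bundle present on the device.
    if [ ! -s "$2" ]; then
        printf 'error: CheckServerCertificate=True but %s is missing or empty\n' "$2" >&2
        return 1
    fi
    case "$check_rev" in
        [Ff]alse) printf 'certificate-only\n' ;;
        *)        printf 'full\n' ;;            # CRL/OCSP revocation checks also on
    esac
}

# Constructed sample inputs so the script runs stand-alone; the section name is assumed.
demo=$(mktemp -d)
cat > "$demo/config.ini" <<'EOF'
[ManageSoft\Common]
CheckServerCertificate=True
CheckCertificateRevocation=False
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' '-----END CERTIFICATE-----' > "$demo/cert.pem"
https_security_level "$demo/config.ini" "$demo/cert.pem"      # prints: certificate-only
rm -rf "$demo"
```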
