Configuring Mutual TLS
FlexNet Manager Suite 2022 R1 (On-Premises)
When using the HTTPS protocol for any communication between a managed inventory
device (the client) and an inventory beacon (the server), the communication is
secured by one of two kinds of Transport Layer Security (TLS):
- In unilateral or standard TLS, the server has a valid certificate and a public/private key pair (but the client does not). To be valid, a certificate must have been issued by a Certificate Authority that is also trusted by the client, and the DNS name on the certificate must match the DNS name of the server. When the client connects to the server, the server presents its TLS certificate, and the client verifies the server's certificate. It may also conduct a certificate revocation check, validating that the server certificate has not been revoked before its expiry date. If the certificate is verified successfully, the communication from this point is done on an encrypted TLS connection.
- In mutual TLS, both the client and server have valid certificates, and both sides validate the certificates:
  - When the client connects to the server, the server presents its TLS certificate and the client verifies the server's certificate, in just the same way as for standard TLS.
  - Now the client presents its TLS certificate, and the server verifies the client's certificate. This is a much simpler verification, simply checking that the client certificate is in a valid format and is valid for the current date (there is no revocation checking).
  - If both certificates are verified successfully, the communication is done on an encrypted TLS connection.
Configuring a target inventory device for mutual TLS is a matter of setting a number
of preferences on each device. For UNIX-like platforms, the relevant preferences are
saved in the config.ini file that acts as a pseudo-registry.
For more information about the client-side settings, see the Gathering FlexNet Inventory reference, available as a PDF through the title page of online help, or as a PDF or in HTML pages through docs.flexera.com. For UNIX-like platforms, see the preferences:
- AddClientCertificateAndKey
- SSLClientCertificateFile
- SSLClientPrivateKeyFile
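As an added illustration (not code from the FlexNet documentation or product), the following Python script expresses the two server-side TLS policies described above as `ssl` contexts, and runs a consistency check over the three client-side preferences listed for UNIX-like platforms: that the client certificate is actually enabled, that both files exist, and that the private key is not readable by other local users. The config.ini section name `ManageSoft\Common`, the accepted spellings of a true value, and all function names are assumptions made for this example, not documented values; the sample cert and key files it writes are constructed placeholders.

```python
"""Added example (not part of the FlexNet documentation): server-side TLS
policies as ssl contexts, plus a consistency check for the client-side
config.ini preferences AddClientCertificateAndKey, SSLClientCertificateFile
and SSLClientPrivateKeyFile."""
import configparser
import os
import ssl
import stat
import tempfile
from typing import List, Optional


def make_server_context(require_client_cert: bool,
                        ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Standard TLS: the server presents its certificate and asks nothing of
    the client. Mutual TLS: the server additionally demands a client
    certificate and rejects the handshake if none (or an untrusted one) is
    presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        # CERT_REQUIRED fails the handshake unless the client certificate
        # chains to a CA loaded into this context's trust store.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_bundle:
            ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Assumed section name and boolean spellings for config.ini; confirm the
# exact form against the Gathering FlexNet Inventory reference.
DEFAULT_SECTION = "ManageSoft\\Common"
TRUE_VALUES = {"true", "1", "yes"}
FILE_KEYS = ("SSLClientCertificateFile", "SSLClientPrivateKeyFile")


def check_client_config(ini_text: str, section: str = DEFAULT_SECTION) -> List[str]:
    """Return the problems that would stop the device presenting a client
    certificate, or that weaken protection of its private key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep preference names exactly as written
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return [f"section [{section}] not found"]
    prefs = cp[section]
    problems: List[str] = []

    if prefs.get("AddClientCertificateAndKey", "").strip().lower() not in TRUE_VALUES:
        problems.append("AddClientCertificateAndKey is not enabled; "
                        "the device will not present a client certificate")
    for key in FILE_KEYS:
        path = prefs.get(key, "").strip()
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{key} points to a missing file: {path}")
        elif key == "SSLClientPrivateKeyFile":
            # A client key readable by group/other lets any local user
            # impersonate this device to the inventory beacon.
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{key} is readable by group/other (mode {mode:04o})")
    return problems


def demo() -> List[str]:
    """Constructed sample: placeholder cert/key files (not real PEM data) with
    a deliberately loose key mode, to show what the check reports."""
    tmp = tempfile.mkdtemp()
    cert = os.path.join(tmp, "device-cert.pem")
    key = os.path.join(tmp, "device-key.pem")
    for path in (cert, key):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM file\n")
    os.chmod(key, 0o644)
    ini = (f"[{DEFAULT_SECTION}]\n"
           "AddClientCertificateAndKey=True\n"
           f"SSLClientCertificateFile={cert}\n"
           f"SSLClientPrivateKeyFile={key}\n")
    return check_client_config(ini)


if __name__ == "__main__":
    print("mutual TLS verify_mode:", make_server_context(True).verify_mode)
    for problem in demo():
        print("problem:", problem)
```

Note that `ssl.CERT_REQUIRED` on its own matches the behaviour the text describes for the server side: the client certificate is checked for a valid chain and validity period, but not for revocation unless `ssl.VERIFY_CRL_CHECK_LEAF` is set in `verify_flags` and a CRL is loaded.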
To configure the system for mutual TLS:
From the time of this restart, inventory devices can only communicate with this inventory beacon when they have a valid client certificate to present.
For more information about setting up the client-side certificates needed to complete the mutual TLS infrastructure, see the topic Common: Supporting Mutual TLS in the Gathering FlexNet Inventory reference, available through the title page of online help as a PDF, or through http://docs.flexera.com in either PDF or HTML formats.