FlexNet Manager Suite
2022 R2
(On-Premises)
When the inventory beacon identified for communication with the Flexera Kubernetes inventory agent is configured for the HTTPS protocol, communications are secured
with certificates. The inventory beacon presents its certificate, and the
Flexera Kubernetes inventory agent validates that certificate by validating the
Certificate Authority (CA) issuing the beacon certificate using its own local copy
of the CA's certificate. In the common case that the CA is one of the
industry-standard major authorities, such as DigiCert, the Flexera Kubernetes inventory agent
already has the standard CA certificate bundle included in the Ubuntu operating
system that forms the agent's base. However, if your enterprise chooses to use
internal certificates, or to use certificates issued by a CA that is not included in
the standard bundle, the Flexera Kubernetes inventory agent must be supplied with the CA
certificate(s) needed to verify the security certificate presented by the inventory beacon.
Internally, the Flexera Kubernetes inventory agent relies on components of the standard
FlexNet inventory agent for all interactions with the inventory beacon.
This means that the CA certificates must be configured in the same way as they are
for third-party deployments of the FlexNet inventory agent on Linux. However,
because in this case the FlexNet inventory agent is installed within a container in
Kubernetes, the process by which the CA certificates file is supplied to the
FlexNet inventory agent is specific to the Flexera Kubernetes inventory agent.
At the summary level, the process consists of:
- Making sure that your version of the Flexera Kubernetes inventory agent supports custom certificates
- Preparing the certificates in the format required by the FlexNet inventory agent
- Storing those certificates in a volume that is to be mounted in the container(s) where the Flexera Kubernetes inventory agent is running
- Configuring the Flexera Kubernetes inventory agent to reference that storage volume so that it discovers and uses the CA certificate(s).
To use custom CA certificates with the Flexera Kubernetes inventory agent:
-
Make sure that a sufficiently recent version of the Flexera Kubernetes inventory agent is (or will be) installed.
Version 1.3.0 or later must be installed. If this or a later version is already installed, no further action is required at this point. If an earlier version is installed, upgrade it by following the standard download/installation process until the install.sh script has run successfully.
Tip: If you do not know which version of the Flexera Kubernetes inventory agent is installed in the cluster, it is reflected in the version of the deployed container images. For example, the container image flexera/krm:1.3.0 contains version 1.3.0 of the Flexera Kubernetes inventory agent. You can inspect the image through the corresponding controller deployment (all on one command line, wrapped here for presentation):
kubectl get deployments --namespace flexera \
    krm-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
-
Prepare a single certificate file that combines all required client-side
certificates needed for validating the server-side certificates that are
presented by your selected inventory beacon.
This concatenated certificate file should be saved using the PEM format. Each PEM-format certificate should be base-64 encoded plain text surrounded by a BEGIN CERTIFICATE header and an END CERTIFICATE footer. That is:
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
......
wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
-----END CERTIFICATE-----
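If you have multiple root CA certificates, simple shell commands allow the concatenation:
#!/bin/sh
# Start from an empty bundle; -f avoids an error when cert.pem does not exist yet
rm -f cert.pem
for i in ca1.pem ca2.pem ca3.pem ; do
    # Append the human-readable dump followed by the PEM block of each CA
    openssl x509 -in "$i" -text >> cert.pem
done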
Tip: Free text is permitted before, between, and after the certificates in the concatenated file (that is, anywhere except between the BEGIN and END tags), and can be used, for example, to describe the certificates.
Name your resulting file cert.pem. (This file name is mandatory. Without this name, the FlexNet inventory agent will not detect and use the certificates.)
-
Save the certificate file in a volume that will be mounted into the containers where the Flexera Kubernetes inventory agent is to operate.
The storage may be any type of volume supported by the Kubernetes VolumeSource type, but common choices include a configmap or a secret (the examples that follow assume that the certificates are stored in a secret). The volume must be mounted at the path /var/opt/managesoft/etc/ssl (this happens to be the default value of the SSLDirectory option, but in this situation is mandatory). Also note that the volume must be in the flexera namespace. If, for example, we name the secret as myorg-certificates, the command line for creating the secret containing the certificate becomes:
kubectl create secret generic myorg-certificates --namespace flexera --from-file=cert.pem
-
Configure the Flexera Kubernetes inventory agent to reference this volume, using the spec.monitor.tlsFiles attribute, by editing the YAML file for the agent's configuration.
For example, using the same example values as above, the relevant extract from the YAML file is:
apiVersion: agents.flexera.com/v1
kind: KRM
spec:
  monitor:
    tlsFiles:
      secret:
        secretName: myorg-certificates
When the container is instantiated, the controller automatically ensures that the
storage volume is correctly mounted. When the Flexera Kubernetes inventory agent uses
components (such as the ndpolicy
component) of the FlexNet inventory agent to communicate with the inventory beacon, it also hands off
the CA certificate(s) so that these are used to authenticate the secure HTTPS
communications.
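A pre-flight check for the bundle prepared in the steps above, run before the secret is created. This script is an added example, not part of the Flexera documentation or product: the function names (build_bundle, bundle_count, chains_to_bundle, new_constructed_ca) and file names are assumptions, and it relies only on the openssl command line and mktemp.

```sh
#!/bin/sh
# Added example (not Flexera code). Function and file names are assumptions.

# new_constructed_ca DIR NAME: throwaway self-signed CA, sample input only.
new_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# build_bundle OUT CA_FILE...: write OUT only if every input parses as X.509
# and has not expired. A failed run leaves any existing OUT untouched.
build_bundle() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "rejected: $f (unreadable, not X.509, or expired)" >&2
            rm -f "$tmp"; return 1
        fi
        {   # Free text is allowed outside the BEGIN/END markers.
            printf 'Source file: %s\n' "$f"
            openssl x509 -in "$f" -noout -subject -enddate
            openssl x509 -in "$f"
        } >> "$tmp"
    done
    mv "$tmp" "$out"
}

# bundle_count FILE: number of certificates in the bundle.
bundle_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# chains_to_bundle BUNDLE CERT: succeeds if CERT (for example the beacon's
# certificate exported as PEM) verifies with BUNDLE as the CA file.
chains_to_bundle() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone use: sh build-bundle.sh ca1.pem ca2.pem ca3.pem
if [ "$#" -gt 0 ]; then
    build_bundle cert.pem "$@" &&
        echo "cert.pem: $(bundle_count cert.pem) certificate(s)"
fi
```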