Communication using the HTTPS protocol between a client (such as a target inventory device) and a server (such as an inventory beacon) is secured by Transport Layer Security (TLS). Traditionally this has been standard (or single-sided) TLS, where the server has a certificate that the client must verify before communicating. In more security-conscious environments, it may be necessary not only to validate that we are communicating with the correct server, as proven by its valid certificate, but also to be certain that only an authorized client device can join the communication. Enter mutual TLS, where both the client and the server must be authorized by separate valid certificates before the communication may proceed.
Setting up the inventory beacon for the server side of mutual TLS is documented in the online help (see .) In contrast, this topic provides a few introductory notes for setting up the client side of mutual TLS on your target inventory device. In fact, there are many possible methods for obtaining and managing client-side certificates, and your enterprise may already have its preferred process. In that case, use your preferred process.
IT Asset Management does not mandate any particular process, nor does it provide tools for managing, distributing, or installing client-side certificates.
Remember: Once an inventory beacon has been configured for mutual TLS (specifically, configured to require a client-side certificate before communicating), it is impossible for an inventory device that does not have a client-side certificate to communicate with that inventory beacon for any reason:
- It cannot download device policy, schedule changes, or software updates.
- It cannot upload any status changes, nor any collected discovery results or inventory files.
Also keep in mind that the locally-installed FlexNet Inventory Agent is not tied to a particular inventory beacon, but assesses for each download/upload which inventory beacon is the most appropriate (for example, has the fastest response times). For that reason, the decision to implement mutual TLS is typically a system-wide one (or at least, one that covers all devices within distinct boundaries, such as clearly defined subnets).
You only need one client-side certificate, as the same certificate (after export to the appropriate format) can be distributed to multiple inventory devices. Unlike the case with server-side certificates, you do not need a separate root certificate that attests to the Certificate Authority itself for this client-side certificate.
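The single shared client-side certificate described above, as an added example that is not part of this documentation or of IT Asset Management's tooling: a shell script that creates one client certificate, exports it to PKCS#12 for distribution to inventory devices, and runs the checks worth doing before rollout (key matches certificate, client-authentication usage present, not expired, bundle opens with its password). It assumes OpenSSL is installed, that a self-signed certificate is acceptable to your beacon's trust configuration (a certificate issued by your enterprise CA can be checked the same way), and the file names, subject and password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Flexera's tooling): mint one client-side certificate,
# export it to PKCS#12 for distribution, and check it before rollout.
# Assumptions: OpenSSL is available; a self-signed certificate is acceptable
# to the beacon's trust configuration; names and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # placeholder for the example only

# Key pair plus self-signed certificate limited to TLS client authentication.
make_client_cert() {
    cat > "$WORK/client.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = inventory-client
[ext]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/client.cnf" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" 2>/dev/null
}

# Bundle certificate and private key into one PKCS#12 file for distribution.
export_client_cert() {
    openssl pkcs12 -export -name inventory-client \
        -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$WORK/client.p12" -passout "pass:$P12_PASS"
}

# Pre-distribution checks: key matches certificate, EKU allows client auth,
# certificate is not already expired, PKCS#12 bundle opens with the password.
check_client_cert() {
    [ "$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/client.key" -pubout)" ] || return 1
    openssl x509 -in "$WORK/client.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    openssl x509 -in "$WORK/client.crt" -noout -checkend 0 >/dev/null || return 1
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" -noout
}

make_client_cert
export_client_cert
check_client_cert
echo "client certificate ready for distribution: $WORK/client.p12"
```

Only the exported bundle (and its password, delivered separately) needs to reach each inventory device; the working directory with the loose key should not be distributed.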