Agent Third-Party Deployment: Configuring the Bootstrap File for UNIX
The initial configuration of the FlexNet Inventory Agent can be set for UNIX-like platforms, even though no template file is provided.
For UNIX and OS X, there is no sample bootstrap configuration file available through the central application server. Instead, you can prepare your customized bootstrap configuration file as follows:
To prepare a mgsft_rollout_response file:
- Copy the sample text from Agent Third-Party Deployment: Sample UNIX Bootstrap Configuration File into your preferred flat-text editor on a UNIX-like platform.
Tip: Do not edit the file on a Windows device. Windows editors introduce carriage-return/line-feed pairs, which are invalid line endings on UNIX, and are also likely to add an inappropriate file name extension.
- Locate and edit the following line to identify the inventory beacon from which the new managed device should download its initial policy:
MGSFT_BOOTSTRAP_DOWNLOAD=http://beacon.mydomain.com:8080/ManageSoftDL/
  - For comparison, in the automated adoption process (the Adopted case, where the inventory beacon installs FlexNet Inventory Agent by remote execution), it is mandatory to use the HTTP protocol. Because you are independently managing your own deployment, it is also normal to use HTTP for bootstrapping, because it is simpler to set up and get operational. However, if you require HTTPS for your own deployment, use https:// in this value.
  - Replace the placeholder beacon.mydomain.com with the fully qualified domain name of the inventory beacon. If required, and provided that you are using HTTP, you may instead use the server's IP address. (Avoid an IP address with HTTPS: the certificate presented by the inventory beacon must match the name the agent connects to, and certificates are rarely issued for IP addresses.) Because you are specifying this address at the FlexNet Inventory Agent end of the communication link, it may be either an IPv4 or an IPv6 address. Keep in mind that, because the fail-over list of inventory beacons delivered through policy must use names (host name or FQDN) to support legacy versions of FlexNet Inventory Agent, names replace IP addresses as soon as policy is delivered.
  - If you are using the default port (80 for HTTP, 443 for HTTPS), you can omit the port number. For any custom port number, include it in the URL as shown (:8080).
  - The string literal ManageSoftDL is the name of the web service that handles downloads to managed devices. This value is mandatory.
- Following those same guidelines, edit the following value for the upload location on the same inventory beacon:
MGSFT_BOOTSTRAP_UPLOAD=http://beacon.mydomain.com:8080/ManageSoftRL/
To bootstrap the UNIX agents, both the download and upload locations must be specified. (This is not the case for the agents on Windows, where only the download location is required.) Notice that ManageSoftRL is the name of the web service on the inventory beacon that receives the uploaded inventory and saves it by default to %CommonAppData%\Flexera Software\Incoming\Inventories.
Tip: The section about proxies in the bootstrap file is required only in the unusual circumstance that you have a proxy between the managed device(s) and the inventory beacon(s), in which case follow the guidance in the template. When this is not the case, leave these settings commented out.
- Optionally, configure the local web server on inventory beacons to use the HTTPS protocol.
The web server on the inventory beacon defaults to HTTP for simplicity of communications between managed devices and the inventory beacon. However, if you need HTTPS over this leg of the upload/download chain, you may also need to configure how the managed devices check the security certificates presented by the inventory beacon server. The choice of protocol, along with the configuration for certificate checking if HTTPS is used, is downloaded to managed devices as part of their policy (policy is generated automatically by the inventory beacons). From coarse to fine granularity, the certificate controls that can be configured in the mgsft_rollout_response file are:
- Whether to check the server certificate at all.
- If checking the supplied certificate, whether to also check that it has not been revoked by its certificate authority. The default is to check for revocation. This is particularly important when using certificates from public certificate authorities on the Internet. If you run your own internal certificate authority and issue long-lived certificates, you may choose to turn off the revocation check.
- Choosing between, and prioritizing, the two methods for checking certificate revocation (OCSP and CRL).
- Caching downloaded revocation responses for a limited time.
- Setting the cache lifetime for each method used.
Tip: If you are checking server certificates, you must deploy a copy of the appropriate CA certificate to each managed device. This allows the managed device to validate the certificate that covers each download from the inventory beacon server. This is described in Agent Third-Party Deployment: Installing FlexNet inventory agent on UNIX, and there is more information in Agent Third-Party Deployment: Enabling the HTTPS Protocol on UNIX Agents and Agent Third-Party Deployment: HTTPS CA Certificate File Format (UNIX).
Settings declared in the mgsft_rollout_response file affect all components of the FlexNet Inventory Agent equally. It is also possible to override behaviors for individual components; for details, see the preference topics referenced in the following list. To modify the defaults for certificate checking, use the following settings (in the order corresponding to the descriptions above):
- Server certificates are checked by default. Uncomment and edit the following line to prevent any certificate checking:
MGSFT_HTTPS_CHECKSERVERCERTIFICATE=false
With this setting false, you get the standard encryption of network traffic between managed device and inventory beacon, but no further security: the agent no longer verifies that it is talking to the genuine inventory beacon, so anyone able to interpose on the network path can impersonate the beacon and supply the agent with policy and downloads. (After installation of the FlexNet Inventory Agent, this setting appears as CheckServerCertificate in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See CheckServerCertificate for more.)
- A client certificate for mutual TLS is not used by default. To support mutual TLS and allow the client (the inventory device) to present the server (the inventory beacon) with a certificate, uncomment and edit the following line:
MGSFT_HTTPS_ADDCLIENTCERTIFICATEANDKEY=true
With this setting true, mutual TLS authentication is possible, and a client-side certificate and private key must be present on the managed device. (After installation of the FlexNet Inventory Agent, this setting appears as AddClientCertificateAndKey in the [ManageSoft\Common] section of the /var/opt/managesoft/etc/config.ini file. For more information, see AddClientCertificateAndKey.)
- Optionally, when you are using internal certificate authorities, you may uncomment and edit the following line to prevent a check for revocation of certificates:
MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION=false
With this setting false, the agent still checks that the download is coming from the genuine inventory beacon, but it does not check whether the inventory beacon's certificate has since been revoked (for example, because the beacon or its private key was compromised). (After installation of the FlexNet Inventory Agent, this setting appears as CheckCertificateRevocation in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See CheckCertificateRevocation for more.)
- Optionally, modify the method(s) that the FlexNet Inventory Agent uses to check whether a server certificate has been revoked by its certificate authority. Uncomment and edit this line:
MGSFT_HTTPS_PRIORITIZEREVOCATIONCHECKS=OCSP,CRL
With this default setting, the FlexNet Inventory Agent first requests an OCSP response, which covers only the single certificate and is therefore efficient. If that fails, it next tries to download a Certificate Revocation List (CRL) from the certificate authority; because a CRL lists every revoked certificate, it can be a large file that is time-consuming to fetch. Reverse the order (CRL,OCSP) to change the priorities, or omit one method (and the comma) to turn off that kind of revocation checking. (After installation of the FlexNet Inventory Agent, this setting appears as PrioritizeRevocationChecks in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See PrioritizeRevocationChecks for more.)
- Optionally, change the lifetime of each cache you may use by uncommenting and editing the appropriate lines from the following pair:
MGSFT_HTTPS_SSLCRLCACHELIFETIME=64800
MGSFT_HTTPS_SSLOCSPCACHELIFETIME=64800
After installation of the FlexNet Inventory Agent, these settings also appear in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. For more information, see the preference topics for these two settings.
- When deploying the FlexNet Inventory Agent into a subnet that uses IPv6 addresses in the network layer, uncomment the following line to cause these to be used in preference to any IPv4 addresses that may also be returned from DNS:
PREFERIPVERSION=ipv6
This setting is shared by multiple components of the FlexNet Inventory Agent (including the tracker, the launcher, and the upload component). Where this is specified but no IPv6 address is available, operations fail over to IPv4 addresses. Where the preference is not specified (or is specified with an unrecognized value), the default behavior is to use the IP version of the first address in the list returned from the Domain Name System (DNS) through the operating system (which, depending on local settings, may also affect the order of the list).
- If you are planning to deploy the FlexNet Inventory Agent to a custom location on the AIX operating system, and you want to use a custom folder for data exchange by the various components, append the following line to your file:
COMMONAPPDATAFOLDER=/absolute/path/and/folder
The path must not contain white space characters. Use an absolute path in its simplest canonical form, without relative path elements. For example, to use the folder /var/lib/flexera as the data directory accessed by all components of the FlexNet Inventory Agent, include this line in your mgsft_rollout_response file:
COMMONAPPDATAFOLDER=/var/lib/flexera
Unlike the installation path, the data path is created by the installer if it does not already exist. If you omit this option from the mgsft_rollout_response file for a new installation, the default (/var/opt/managesoft) is used for the data folder. This setting is required only on the AIX platform, and only when you require a custom data folder. The setting is ignored on all other platforms.
- If you prefer that UNIX-like devices report themselves as present in a Windows domain (which may help resolve inventories from multiple sources, as well as providing consistent data presentation in the web interface of IT Asset Management), you can set the domain name by adding lines like the following to your file:
# Dummy domain name for reporting by UNIX-like devices
MGSFT_DOMAIN_NAME=mydomain.com
Replace the mydomain.com placeholder with the domain name to use for reporting. (After deployment, this value is stored in the ComputerDomain preference, saved for UNIX-like devices in the /var/opt/managesoft/etc/config.ini file. For details, see ComputerDomain.)
- Configure whether the agent is installed for the default operation mode or the least privilege operation mode.
  - Default operation mode: The installed agent operates as the root user and requires full root access. This is the default. To select this mode, make sure the line about FLEXERA_LEAST_PRIVILEGE_AGENT is either deleted or commented out.
  - Least privilege operation mode: The agent operates as the flxrasvc standard user. If you install the agent for this mode, make sure that sudo is installed on each local device, and that the path to the sudo binary is in the PATH environment variable before, or at the same time as, the agent is installed. To select this mode, add the following line:
FLEXERA_LEAST_PRIVILEGE_AGENT=1
Important: After an agent is installed for the least privilege operation mode, it cannot be changed back to the fully privileged default operation mode. You must uninstall the agent and re-install it for the default operation mode.
- Save the file as mgsft_rollout_response.
Tip: Leave
MGSFT_RUNPOLICY=1
unchanged, so that downloaded policy is applied after installation. For as long as policy is not available for any reason, on UNIX and OS X the agents run a daily check for policy at a random time between 8am and 11pm (local time on the managed device) until policy is successfully downloaded. (This catch-up behavior differs from that of the Windows agents, which rely on a machine reboot to check again for missing policy.) Once policy (with its schedule) is initially downloaded, it is updated daily on the downloaded schedule, refreshing client settings, the inventory-gathering schedule, and the like.
- Configure your preferred deployment technology to install a copy of this file as /var/tmp/mgsft_rollout_response on the target device(s).
The path and file name are mandatory. This file must be present before FlexNet Inventory Agent is installed. Post-installation scripts in the installation package for FlexNet Inventory Agent use properties from this file to create the initial configuration.
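The procedure above, gathered into a script as an added example (this is not Flexera's code, nor part of the product). It generates a mgsft_rollout_response file for a given beacon, checks it for the mistakes this page warns about (CR/LF line endings from a Windows editor, a missing upload location, a wrong web service name, an IP address with HTTPS, an invalid revocation-priority value, a relative or space-containing COMMONAPPDATAFOLDER), and only then installs it at the mandatory path. The function names and the validation rules are this example's own; the explicit =true forms of the HTTPS settings are an assumption, since the page shows only the =false variants and the sample bootstrap file is the authority for their syntax.

```shell
#!/bin/sh
# Added example, not Flexera's code: build and sanity-check a
# mgsft_rollout_response file for a third-party UNIX deployment of
# FlexNet Inventory Agent. The MGSFT_* keys, the ManageSoftDL/ManageSoftRL
# service names and the /var/tmp path come from the documentation;
# the function names and validation rules are this example's own.

# Print a bootstrap file to stdout.
# $1 beacon FQDN (an IP address only with http), $2 port,
# $3 http or https (default http), $4 set to 1 for least-privilege mode.
mgsft_generate_response() {
    beacon=$1; port=$2; scheme=${3:-http}; least_priv=${4:-0}
    case "$scheme" in
        http)  default_port=80 ;;
        https) default_port=443 ;;
        *) echo "unsupported scheme: $scheme" >&2; return 1 ;;
    esac
    # The port may be omitted when it is the scheme's default.
    if [ "$port" = "$default_port" ]; then
        hostport=$beacon
    else
        hostport="$beacon:$port"
    fi
    # UNIX agents need both locations; the service names are mandatory.
    printf '%s\n' \
        "MGSFT_BOOTSTRAP_DOWNLOAD=$scheme://$hostport/ManageSoftDL/" \
        "MGSFT_BOOTSTRAP_UPLOAD=$scheme://$hostport/ManageSoftRL/" \
        "MGSFT_RUNPOLICY=1"
    if [ "$scheme" = https ]; then
        # Explicit form of the documented defaults (assumption: the page
        # shows only the =false variants). Certificate and revocation
        # checking stay on; OCSP is tried before the (larger) CRL.
        printf '%s\n' \
            "MGSFT_HTTPS_CHECKSERVERCERTIFICATE=true" \
            "MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION=true" \
            "MGSFT_HTTPS_PRIORITIZEREVOCATIONCHECKS=OCSP,CRL"
    fi
    if [ "$least_priv" = 1 ]; then
        # Irreversible without reinstalling; the target also needs sudo on PATH.
        printf '%s\n' "FLEXERA_LEAST_PRIVILEGE_AGENT=1"
    fi
}

# Check a candidate file for the mistakes the documentation warns about.
# Returns 0 when it passes, 1 otherwise, reporting each problem on stderr.
mgsft_validate_response() {
    file=$1; rc=0
    # A file edited on Windows carries CR/LF pairs, invalid on UNIX.
    if LC_ALL=C grep -q "$(printf '\r')" "$file"; then
        echo "$file: CR/LF line endings found; save with LF only" >&2; rc=1
    fi
    # Both locations are required, each ending in the right service name.
    grep -q '^MGSFT_BOOTSTRAP_DOWNLOAD=https\{0,1\}://[^/]*/ManageSoftDL/$' "$file" ||
        { echo "$file: MGSFT_BOOTSTRAP_DOWNLOAD missing or not <scheme>://<host>[:port]/ManageSoftDL/" >&2; rc=1; }
    grep -q '^MGSFT_BOOTSTRAP_UPLOAD=https\{0,1\}://[^/]*/ManageSoftRL/$' "$file" ||
        { echo "$file: MGSFT_BOOTSTRAP_UPLOAD missing or not <scheme>://<host>[:port]/ManageSoftRL/" >&2; rc=1; }
    # A dotted IPv4 address is acceptable only with http (certificates match names).
    if grep -q '^MGSFT_BOOTSTRAP_[A-Z]*=https://[0-9][0-9.]*[:/]' "$file"; then
        echo "$file: IP address used with https; use the beacon's FQDN" >&2; rc=1
    fi
    # Revocation priority, when set, is OCSP, CRL, or both in either order.
    prio=$(sed -n 's/^MGSFT_HTTPS_PRIORITIZEREVOCATIONCHECKS=//p' "$file")
    case "${prio:-OCSP,CRL}" in
        OCSP|CRL|OCSP,CRL|CRL,OCSP) ;;
        *) echo "$file: bad MGSFT_HTTPS_PRIORITIZEREVOCATIONCHECKS '$prio'" >&2; rc=1 ;;
    esac
    # COMMONAPPDATAFOLDER (AIX only) must be absolute, canonical, without spaces.
    folder=$(sed -n 's/^COMMONAPPDATAFOLDER=//p' "$file")
    if [ -n "$folder" ]; then
        case "$folder" in
            /*) ;;
            *) echo "$file: COMMONAPPDATAFOLDER must be an absolute path" >&2; rc=1 ;;
        esac
        case "$folder" in
            *' '*|*/./*|*/../*|*/.|*/..) echo "$file: COMMONAPPDATAFOLDER must be canonical, without spaces" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh mgsft_bootstrap.sh BEACON PORT SCHEME [LEAST_PRIV] [DEST]
# Writes the validated file to DEST (default: the mandatory location).
main() {
    dest=${5:-/var/tmp/mgsft_rollout_response}
    tmp=$(mktemp) || return 1
    if mgsft_generate_response "$1" "$2" "$3" "$4" > "$tmp" &&
       mgsft_validate_response "$tmp"; then
        mv "$tmp" "$dest" && chmod 0644 "$dest" && echo "wrote $dest"
    else
        rm -f "$tmp"; return 1
    fi
}

[ "$#" -ge 3 ] && main "$@"
```

Run it as sh mgsft_bootstrap.sh beacon.mydomain.com 8080 http 0 ./mgsft_rollout_response to review the generated file locally, then let your deployment tooling place the reviewed file at /var/tmp/mgsft_rollout_response on each target before the agent package is installed. The validator is deliberately strict about the upload location and the service names, because a UNIX agent bootstrapped without them installs cleanly but never reaches the beacon.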
mgssetup.ini), you could turn application usage tracking on for the managed devices using the bootstrap file. This is not possible in the bootstrap file for UNIX-like systems. To turn on usage tracking, the simplest path is to set usage tracking as part of defining targets (in the web interface of IT Asset Management), so that managed devices receive this setting as part of their downloaded policy. Manually editing config.ini for UNIX-like platforms is also possible (see Agent Third-Party Deployment: Updating config.ini on a UNIX Device), but this approach is not as easy to scale.