Agent Third-Party Deployment: HTTPS CA Certificate File Format (UNIX)
By default, if the FlexNet Inventory Agent (more precisely, its component agents) is configured to use the HTTPS protocol to communicate with an inventory beacon, the certificate(s) presented by the HTTPS server are checked. This ensures that the agents are communicating with the correct inventory beacon server. Because the server certificate is signed by a Certificate Authority, the check may include verifying that this Certificate Authority is itself trusted (it may be an intermediate Certificate Authority, trusted because its certificate is signed by a 'higher' Certificate Authority). The check continues up the chain until it reaches a root Certificate Authority (CA), one that the client device recognizes as trusted. A root CA is trusted when its CA certificate is 'known' to the client device.
On Windows devices, the operating system manages all root CA certificates (and there may be many), and on Windows the FlexNet Inventory Agent uses those operating system services. On UNIX devices, root CA certificates can be stored in either of two ways:
- Individual root CA certificates (in the PEM format discussed here) can be saved in the directory identified in the preference SSLCACertificatePath (default value /var/opt/managesoft/etc/ssl/certs — see SSLCACertificatePath). In this case, the files must be named with the CA subject name hash value (such as 9d66eef0), with any duplicates differentiated by numeric file extensions (such as 9d66eef0.0, 9d66eef0.1, and so on).
- All the root CA certificates used by the HTTPS web servers that supply content to the managed device, or receive content from it, can be concatenated into a single file. (For many organizations, this is a single certificate for a single root Certification Authority; it may even be a CA that is internal to the enterprise.) Each root CA certificate is appended to the file named in the SSLCACertificateFile preference (default /var/opt/managesoft/etc/ssl/cert.pem). If you have multiple root CA certificates, simple shell commands produce the concatenated file:

    #!/bin/sh
    # Start from an empty file, then append each CA certificate in turn.
    # "openssl x509 -text" writes a human-readable dump followed by the PEM
    # certificate itself; the dump is harmless free text outside the BEGIN/END markers.
    rm -f cert.pem
    for i in ca1.pem ca2.pem ca3.pem ; do
        openssl x509 -in "$i" -text >> cert.pem
    done
Each certificate in the file has a BEGIN CERTIFICATE header and an END CERTIFICATE footer. That is:

-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
......
wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
-----END CERTIFICATE-----

Tip: Before, between, and after the certificates in the concatenated file (that is, everywhere except between the BEGIN and END markers), free text is allowed; it can be used, for example, for descriptions of the certificates.
To deploy the resulting certificate during deployment of FlexNet Inventory Agent to managed devices, see Agent Third-Party Deployment: Installing FlexNet inventory agent on UNIX.
Both storage methods may be used at once. The FlexNet Inventory Agent first checks the single concatenated file (where available), and then checks the folder of individual certificates. The checking stops at the first certificate that the managed device recognizes (that is, the first that matches the public certificate for the certificate authority that has been stored locally on the managed device).
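The following is an added example, not code from the Flexera documentation or from the FlexNet Inventory Agent. It checks a concatenated cert.pem of the form described above before it is deployed: text outside the BEGIN/END markers is ignored (the free-text rule in the Tip), and each block is checked to be valid base64 that decodes to one complete DER SEQUENCE, which catches the two common paste errors of stray characters and a block missing its middle or tail. It also picks the next free file name in SSLCACertificatePath for a given subject-name hash; the hash value is assumed to come from elsewhere (for instance `openssl x509 -subject_hash`), and the assumption that the first file takes the `.0` extension follows OpenSSL's hashed-directory convention. The sample bundle and its certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM certificate block; re.S lets the body span lines. Anything outside
# the markers (descriptions, "openssl x509 -text" dumps) is simply not matched.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the bytes present. A pasted block that lost lines fails here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8n + n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def check_bundle(text: str) -> list:
    """Return (index, status) for every certificate block in a concatenated
    PEM file; status is "ok", "bad-base64" or "truncated"."""
    results = []
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        body = "".join(m.group(1).split())   # drop line breaks before strict decoding
        try:
            der = base64.b64decode(body, validate=True)   # rejects stray characters
        except binascii.Error:
            results.append((i, "bad-base64"))
            continue
        results.append((i, "ok" if der_length_ok(der) else "truncated"))
    return results


def next_hashed_name(subject_hash: str, existing: set) -> str:
    """File name for a certificate in SSLCACertificatePath: the subject-name
    hash plus the first unused numeric extension (.0, .1, ...). Assumption:
    the first file gets .0, as in OpenSSL hashed directories."""
    n = 0
    while f"{subject_hash}.{n}" in existing:
        n += 1
    return f"{subject_hash}.{n}"


def _pem(der: bytes) -> str:
    """Wrap raw DER bytes as a PEM certificate block (64-character lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: SEQUENCE { INTEGER 5 } stands in for a certificate.
GOOD_DER = b"\x30\x03\x02\x01\x05"
TRUNCATED_DER = GOOD_DER[:-1]            # declared length 3, only 2 bytes follow

SAMPLE_BUNDLE = (
    "Internal root CA (constructed sample, free text is allowed here)\n"
    + _pem(GOOD_DER)
    + "Second entry, pasted with its middle lines replaced by dots\n"
    + "-----BEGIN CERTIFICATE-----\nMAMCAQU\n......\n-----END CERTIFICATE-----\n"
    + "Third entry, missing its final byte\n"
    + _pem(TRUNCATED_DER)
)

if __name__ == "__main__":
    for index, status in check_bundle(SAMPLE_BUNDLE):
        print(f"certificate {index}: {status}")
    print(next_hashed_name("9d66eef0", {"9d66eef0.0"}))
```

Run the script as-is to see the three statuses for the constructed bundle; to check a real cert.pem, pass its contents to check_bundle before copying the file to /var/opt/managesoft/etc/ssl/cert.pem on managed devices. The DER-length check is deliberately shallow: it confirms each block is whole, not that it is a CA certificate or that it is the one you intended, so it complements rather than replaces inspecting each certificate's subject and issuer.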