AddClientCertificateAndKey
IT Asset Management
(Cloud)
When using the HTTPS protocol for any communication between a managed inventory device (the
client) and an inventory beacon (the server), the communication is secured by one of two
kinds of Transport Layer Security (TLS):
- In unilateral or standard TLS, the server has a valid certificate and a public/private key pair (but the client does not). To be valid, a certificate must have been issued by a Certificate Authority that is also trusted by the client (and the DNS name on the certificate of course matches the DNS name of the server). When the client connects to the server, the server presents its TLS certificate, and the client verifies the server's certificate. If the certificate is verified successfully, the communication from this point is done on an encrypted TLS connection.
- In mutual TLS, both the client and server have valid certificates, and both sides authenticate using their public/private key pairs:
  - When the client connects to the server, the server presents its TLS certificate and the client verifies the server's certificate.
  - Now the client presents its TLS certificate, and the server verifies the client's certificate.
  - If both certificates are verified successfully, the communication is done on an encrypted TLS connection.
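
The two verification steps described above can be reproduced offline with the `openssl` command line. This is an added example, not part of the original documentation or of the product's tooling: the CA names, host names, file names and helper functions are all constructed for illustration, and it goes slightly beyond the text by also checking each certificate's extended key usage.

```shell
# Constructed lab PKI: every CA, host name and file here is made up for the example.
WORK=$(mktemp -d)
BEACON_DNS=beacon.example.test            # hypothetical inventory beacon name
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

# make_ca <name>: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue <ca> <name> <extendedKeyUsage> <subjectAltName>: key and cert signed by <ca>
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$WORK/req.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=%s\n' "$3" "$4" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Step shared by both kinds of TLS: the client checks the server's certificate
# against a CA it trusts and against the DNS name it connected to.
client_accepts_beacon() {   # <trusted-ca> <cert> <dns-name>
  openssl verify -CAfile "$WORK/$1.pem" -purpose sslserver \
    -verify_hostname "$3" "$WORK/$2.pem" >/dev/null 2>&1
}

# Step that only mutual TLS adds: the server checks the client's certificate.
beacon_accepts_client() {   # <trusted-ca> <cert>
  openssl verify -CAfile "$WORK/$1.pem" -purpose sslclient "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca lab-ca                       # CA trusted by both sides
make_ca other-ca                     # CA that neither side trusts
issue lab-ca   beacon  serverAuth "DNS:$BEACON_DNS"
issue lab-ca   agent01 clientAuth "DNS:agent01.example.test"
issue other-ca stray   clientAuth "DNS:stray.example.test"

report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report client_accepts_beacon lab-ca beacon "$BEACON_DNS"
report client_accepts_beacon lab-ca beacon wrong.example.test   # DNS name mismatch
report beacon_accepts_client lab-ca agent01
report beacon_accepts_client lab-ca stray     # issued by a CA the server does not trust
report beacon_accepts_client lab-ca beacon    # serverAuth-only cert is not a client cert
```
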
The AddClientCertificateAndKey preference is disabled by default, and must be enabled to allow use of mutual TLS. There is a Common preference available, so that the setting applies to all components; and, if necessary, you can override the common behavior with settings for individual components. You can also set the individual preferences to the same value, which may provide more reliable operation.
Tip: As well as setting the AddClientCertificateAndKey preference for all required clients (managed devices where the FlexNet Inventory Agent is locally installed, and communicating routinely with one or more inventory beacons), the inventory beacon server must also be configured to require a client-side certificate for authentication in mutual TLS. Be aware that this is a single setting on the inventory beacon, so that once an inventory beacon is configured for mutual TLS with a single client, it requires mutual TLS from every FlexNet Inventory Agent. Since each installation of the FlexNet Inventory Agent may randomly choose which inventory beacon to contact (for example, for policy updates, or for uploads of collected inventory), this means that the decision to use mutual TLS is a global one to be implemented across (at least) an entire partition of your network.
Values
Values / range | Boolean (
Default value |
Example values |
Command line
Tool | inventory component (ndtrack), upload component (ndupload)
Example |
Registry
Installed by | Manual configuration
Computer preference |