AddClientCertificateAndKey

IT Asset Management (Cloud)


When using the HTTPS protocol for any communication between a managed inventory device (the client) and an inventory beacon (the server), the communication is secured by one of two kinds of Transport Layer Security (TLS):
  • In unilateral or standard TLS, the server has a valid certificate and a public/private key pair (but the client does not). To be valid, a certificate must have been issued by a Certificate Authority that the client also trusts, and the DNS name on the certificate must match the DNS name of the server. When the client connects to the server, the server presents its TLS certificate, and the client verifies the server's certificate. If the certificate is verified successfully, communication from this point takes place over an encrypted TLS connection.
  • In mutual TLS, both the client and server have valid certificates, and both sides authenticate using their public/private key pairs:
    1. When the client connects to the server, the server presents its TLS certificate and the client verifies the server's certificate.
    2. Now the client presents its TLS certificate, and the server verifies the client's certificate.
    3. If both certificates are verified successfully, the communication is done on an encrypted TLS connection.
Keep in mind that the FlexNet Inventory Agent has multiple components that may either send communications to, or receive them from, an inventory beacon, such as the installation component, the inventory component, and the upload component. This means that for mutual TLS, all components of the FlexNet Inventory Agent must be able to provide the client certificate. All the client components use this AddClientCertificateAndKey preference, which is disabled by default and must be enabled to allow use of mutual TLS. A Common preference is available so that the setting applies to all components; if necessary, you can override the common behavior with settings for individual components. You can also set the individual preferences to the same value, which may provide more reliable operation.
Tip: As well as setting the AddClientCertificateAndKey preference for all required clients (managed devices where the FlexNet Inventory Agent is locally installed, and communicating routinely with one or more inventory beacons), the inventory beacon server must also be configured to require a client-side certificate for authentication in mutual TLS. Be aware that this is a single setting on the inventory beacon: once an inventory beacon is configured for mutual TLS with a single client, it requires mutual TLS from every FlexNet Inventory Agent. Since each installation of the FlexNet Inventory Agent may randomly choose which inventory beacon to contact (for example, for policy updates, or for uploads of collected inventory), the decision to use mutual TLS is a global one to be implemented across (at least) an entire partition of your network.

Values

Values / range: Boolean (True or False)
Default value: False
Example values: True

Command line

Tool: inventory component (ndtrack), upload component (ndupload)
Example: -o AddClientCertificateAndKey="True"

Registry

Installed by: Manual configuration
Computer preference:
[Registry]\ManageSoft\Configuration
[Registry]\ManageSoft\Tracker\CurrentVersion
[Registry]\ManageSoft\Uploader\CurrentVersion
[Registry]\ManageSoft\Common
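
Because one inventory beacon setting forces mutual TLS on every agent, it helps to confirm that each component on each device resolves to True before the beacon is switched over. The following Python check is an added example, not Flexera code: the preference and key names come from this page, while the input layout, the host names, the treatment of Configuration, Tracker and Uploader as the per-component keys, and the case-insensitive parsing of True/False are assumptions.

```python
# Added example: rollout-readiness check for mutual TLS.
# Key names are from the page; data layout and host names are constructed.
PREF = "AddClientCertificateAndKey"
COMMON_KEY = "Common"
COMPONENT_KEYS = ("Configuration", "Tracker", "Uploader")  # assumed per-component keys
DEFAULT = False  # documented default value


def parse_bool(raw):
    """Parse a stored preference string; reject anything that is not a Boolean."""
    text = str(raw).strip().lower()
    if text in ("true", "false"):
        return text == "true"
    raise ValueError(f"not a Boolean: {raw!r}")


def effective(prefs, component):
    """A component-specific value wins, then Common, then the documented default."""
    for key in (component, COMMON_KEY):
        raw = prefs.get(key, {}).get(PREF)
        if raw is not None:
            return parse_bool(raw)
    return DEFAULT


def not_ready(prefs):
    """Components that would not present a client certificate to the beacon."""
    bad = []
    for comp in COMPONENT_KEYS:
        try:
            if not effective(prefs, comp):
                bad.append(comp)
        except ValueError:  # an unparseable value is treated as not enabled
            bad.append(comp)
    return bad


def audit(fleet):
    """Map each device that is not ready to the components blocking it."""
    report = {host: not_ready(prefs) for host, prefs in fleet.items()}
    return {host: comps for host, comps in report.items() if comps}


# Constructed sample: preference values as collected from each device.
FLEET = {
    "host-a": {"Common": {PREF: "True"}},
    "host-b": {"Common": {PREF: "True"}, "Uploader": {PREF: "False"}},
    "host-c": {"Tracker": {PREF: "True"}},
    "host-d": {"Common": {PREF: "yes"}},
}

if __name__ == "__main__":
    for host, comps in audit(FLEET).items():
        print(f"{host}: not ready for mutual TLS -> {', '.join(comps)}")
```

Any device listed in the result would fail to authenticate to a beacon that requires a client-side certificate, so the beacon setting should wait until the report is empty for the whole network partition.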
