IT Asset Management (Cloud)   
        
When using the HTTPS protocol for any communication between a managed inventory device (the client) and an inventory beacon (the server), the communication is secured by one of two kinds of Transport Layer Security (TLS):
- In unilateral or standard TLS, the server has a valid certificate and a public/private key pair (but the client does not). To be valid, a certificate must have been issued by a Certificate Authority that is also trusted by the client (and the DNS name on the certificate of course matches the DNS name of the server). When the client connects to the server, the server presents its TLS certificate, and the client verifies the server's certificate. It may also conduct a certificate revocation check, validating that the server certificate has not been revoked early. If the certificate is verified successfully, the communication from this point is done on an encrypted TLS connection.
- In mutual TLS, both the client and server have valid certificates, and both sides validate the certificates:
    - When the client connects to the server, the server presents its TLS certificate and the client verifies the server's certificate, in just the same way as for standard TLS.
    - Now the client presents its TLS certificate, and the server verifies the client's certificate. This is a much simpler verification, simply checking that the client certificate is in a valid format and is valid for the current date (although there is no revocation checking).
    - If both certificates are verified successfully, the communication is done on an encrypted TLS connection.
 
It is the second of these, mutual TLS, that is the focus of this topic. 
Configuring a target inventory device for mutual TLS is a matter of setting a number of preferences on each device. For UNIX-like platforms, the relevant preferences are saved in the config.ini file that acts as a pseudo-registry. For more information about the client-side settings, see Gathering FlexNet Inventory. For UNIX-like platforms, see the preferences:

On the inventory beacon side, the following process covers the configuration of the FlexNet Beacon software itself, as well as configuring IIS to support and require mutual TLS. Once the inventory beacon is configured in this way, only inventory devices with the appropriate preference settings can receive policy from, and upload inventory to, this beacon.
        
        To configure the system for mutual TLS:
1. Run the inventory beacon interface (for example, Start > FlexNet Beacon).

   Remember: Running the inventory beacon requires an account with administrator privileges.
2. In the navigation bar on the left, from the Beacon configuration group, select the Local web server tab.
3. Under Web Server Settings, select the IIS web server radio button.

   Support for mutual TLS is only available through IIS.
4. Click Save.

   An IIS Configuration alert appears to remind you that this setting does not change IIS settings, but merely communicates your intentions to the targeted inventory devices:

   The beacon will not configure IIS for use with HTTPS. Please manually configure IIS to use HTTPS.

   Click OK to clear the alert and finish saving your settings for the inventory beacon.
5. Run IIS Manager on this inventory beacon (for example, ).
6. Ensure that the server is selected in the left-hand Connections pane, and in the IIS group (center pane), double-click Server Certificates.

   Your action here depends on which stage of the process you are up to:
   - If you do not yet have a server certificate, continue with step 7.
   - If you have received a certificate (.cer file) from your Certificate Authority (CA), go to step 8.
   - If you already have a certificate in .pfx format, go to step 9.
7. To create a certificate signing request (CSR) for a CA to supply you with a new certificate:
   - In the right-hand Actions pane, select Create Certificate Request.... The Request Certificate wizard appears.
   - On the Distinguished Name Properties page, complete these details:

     | Common name | Enter the fully-qualified domain name (FQDN) for your company's online presence (such as www.example.com). |
     | Organization | The legally registered name of your enterprise (such as Your Company,Inc). |
     | Organizational unit | Optionally, enter the name of your department within the organization. You might use a value like IT, or perhaps Web Security; or you may leave this field blank. |
     | City/locality | Specify (in full) the city where your enterprise is located (in its legal registration). Note the warning on the dialog to use official names without abbreviations. |
     | State/province | Enter the state or province given in the legal registration of your enterprise. |
     | Country/region | From the drop-down list, select the country where your enterprise is legally located. |

   - Click Next.
   - On the Cryptographic Service Provider Properties page, complete these details:

     | Cryptographic service provider | In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider. |
     | Bit length | In the drop-down list select 2048, unless you have a specific reason for opting for a larger bit length. |

   - Click Next.
   - On the File Name page, use the browse (…) button to find a location where you want to save your certificate signing request (CSR) file. (The default location is C:\Windows\System32.)

     Tip: Keep a record of the file name and location for later use.
   - Click Finish.
   - Submit your CSR file to your preferred Certificate Authority.

   When you receive your certificate back from your Certificate Authority, resume this process from step 8.
8. While logged into the same inventory beacon where you created the certificate signing request:
   - Save the .cer file from your CA on the inventory beacon.
   - Run IIS Manager on this inventory beacon (for example, ).
   - Ensure that the server is selected in the left-hand Connections pane, and in the IIS group (center pane), double-click Server Certificates.
   - In the right-hand Actions pane, select Complete Certificate Request.... The Complete Certificate Request wizard appears.
   - On the Specify Certificate Authority Response page, complete these details:

     | File name containing the certificate authority's response | Use the browse (...) button to select the .cer file you saved on this inventory beacon. |
     | Friendly name | Create a helpful name to identify this certificate. Good practice is to identify the CA and the expiry date within the friendly name (for example, mysite-certauth-20221215). |
     | Select a certificate store for the new certificate | From the drop-down, select the local store on the inventory beacon where the certificate should be saved (the Web Hosting store is recommended for performance and scaling; but if this server has few certificates, the Personal store may be adequate). |

   - Click OK.

   Your SSL certificate is saved. You now need to assign this certificate to the appropriate site, and specify the protocols (bindings) that must be used. Skip ahead to step 10 to do this.
9. To import your certificate in the .pfx format:
   - In the right-hand Actions pane, select Import....
   - In the Import Certificate dialog, use the browse button (...) to select your .pfx Certificate file.
   - Also enter the Password for your private key for this inventory beacon server.
   - From the Select Certificate Store drop-down, select the local store on the inventory beacon where the certificate should be saved (the Web Hosting store is recommended for performance and scaling; but if this server has few certificates, the Personal store may be adequate).
   - Ensure that the check box to Allow this certificate to be exported remains selected.
   - Click OK to save each certificate in the selected store, and if necessary loop back and repeat for any additional certificates required for the chain of authorization. When done, close the Import Certificate dialog.

   Continue the process with step 10.
10. Set the bindings for this web server:
    - If necessary, in IIS, expand the server record, expand Sites, and select the website you wish to secure with your saved certificate (likely to be the Default Web Site).
    - From the Actions panel on the right, select Bindings.... (Alternatively, if you right-click the website name in the Connections list on the left, you may select Edit Bindings....)
    - In the Site Bindings dialog, select Add....
    - In the Add Site Binding dialog:
        - Set Type to https.
        - Set IP address to All Unassigned.
        - Set Port to 443 (or your preferred non-default port for HTTPS communications).
        - Set Host name to the host name for this inventory beacon that the target inventory devices will use for inventory uploads.

          Tip: If this field is left blank, it uses the server name currently selected in the left navigation bar of the IIS settings. You may also use the convention https://localhost.... Naturally, ensure that the server name you use is configured in your DNS server with an appropriate IP address.
        - Set or clear the check box for Require Server Name Indication according to your requirements.
        - For the SSL certificate field, select your saved server certificate.
        - Click OK.
        - Click Close to close the dialog listing your Site Bindings.
11. In the Connections panel on the left, click the website again to display the Home page for the site; and then, in the center panel in the IIS group, double-click SSL Settings.
12. In the SSL Settings page:
    - Select the Require SSL check box.
    - Under Client certificates, select the Require radio button. This setting means that all inventory devices communicating with this inventory beacon must supply a client certificate for mutual TLS.
    - In the Actions panel on the right, click Apply.
13. In the Connections panel on the left, click the default website to return to its home page; and then in the Actions panel on the right, click Restart. (Alternatively, you may right-click the website, and from the context menu select .)
From the time of this restart, inventory devices can only communicate with this inventory beacon when they have a valid client certificate to present.

For more information about setting up the client-side certificates needed to complete the mutual TLS infrastructure, see the topic Common: Supporting Mutual TLS in Gathering FlexNet Inventory, available at http://docs.flexera.com.
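
An offline check that the bindings and SSL Settings steps above took effect, added here as an example (it is not Flexera or Microsoft code): it reads the text of IIS's applicationHost.config and reports whether a site has an https binding, Require SSL, and client certificates set to Require rather than Accept. The sample configuration, the host name beacon.example.com and the function name audit_site are constructed for illustration, and the check assumes the settings were saved at site level, where IIS records them as sslFlags under a location element for the site.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment for illustration (not from a real beacon).
REQUIRED = """<configuration>
  <system.applicationHost><sites>
    <site name="Default Web Site" id="1">
      <bindings>
        <binding protocol="https" bindingInformation="*:443:beacon.example.com" />
      </bindings>
    </site>
  </sites></system.applicationHost>
  <location path="Default Web Site">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security></system.webServer>
  </location>
</configuration>"""

# Same site with Client certificates left on "Accept" instead of "Require".
ACCEPT_ONLY = REQUIRED.replace(", SslRequireCert", "")


def audit_site(config_xml, site_name):
    """Return a list of findings; an empty list means mutual TLS is enforced."""
    root = ET.fromstring(config_xml)
    site = next((s for s in root.iter("site") if s.get("name") == site_name), None)
    if site is None:
        return [f"site {site_name!r} not found"]
    findings = []
    if not any(b.get("protocol") == "https" for b in site.iter("binding")):
        findings.append("no https binding")
    # Site-level SSL Settings are stored in <location path="SITE"> as sslFlags.
    flags = set()
    for loc in root.iter("location"):
        if loc.get("path") == site_name:
            for access in loc.iter("access"):
                flags.update(f.strip() for f in access.get("sslFlags", "").split(","))
    if "Ssl" not in flags:
        findings.append("Require SSL is not selected")
    if "SslRequireCert" not in flags:
        state = "accepted but not required" if "SslNegotiateCert" in flags else "ignored"
        findings.append(f"client certificates are {state}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Require", REQUIRED), ("Accept", ACCEPT_ONLY)):
        print(label, audit_site(cfg, "Default Web Site") or "mutual TLS enforced")
```

On a beacon, pass the contents of %windir%\System32\inetsrv\config\applicationHost.config. Settings inherited from the server level or overridden in a sub-application are outside what this check reads.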
        
       
    