IT Asset Management (Cloud)
When using the HTTPS protocol for any communication between a managed inventory
device (the client) and an
inventory beacon (the server), the communication is
secured by one of two kinds of Transport Layer Security (TLS):
- In unilateral or standard TLS, the server has a valid certificate and a
public/private key pair (but the client does not). To be valid, a
certificate must have been issued by a Certificate Authority that is also
trusted by the client (and the DNS name on the certificate of course matches
the DNS name of the server). When the client connects to the server, the
server presents its TLS certificate, and the client verifies the server's
certificate. It may also conduct a certificate revocation check, validating
that the server certificate has not been revoked early. If the certificate
is verified successfully, the communication from this point is done on an
encrypted TLS connection.
- In mutual TLS, both the client and server have valid certificates, and both
  sides validate the certificates:
  - When the client connects to the server, the server presents its TLS
    certificate and the client verifies the server's certificate, in
    just the same way as for standard TLS.
  - Now the client presents its TLS certificate, and the server verifies
    the client's certificate. This is a much simpler verification,
    simply checking that the client certificate is in a valid format and
    is valid for the current date (although there is no revocation
    checking).
  - If both certificates are verified successfully, the communication is
    done on an encrypted TLS connection.
It is the second of these, mutual TLS, that is the focus of this topic.
Configuring a target inventory device for mutual TLS is a matter of setting a number
of preferences on each device. For UNIX-like platforms, the relevant preferences are
saved in the config.ini file that acts as a pseudo-registry.
For more information about the client-side settings, see Gathering FlexNet Inventory. For UNIX-like platforms, see the
preferences:
On the inventory beacon side, the following process covers the
configuration of the FlexNet Beacon software itself, as well as configuring IIS to
support and require mutual TLS. Once the inventory beacon is configured in
this way, only inventory devices with the appropriate preference settings can
receive policy from, and upload inventory to, this beacon.
To configure the system for mutual TLS:
1. Run the inventory beacon interface (for example, Start > FlexNet Beacon).
   Remember: Running the inventory beacon requires an account with administrator privileges.
2. In the navigation bar on the left, from the Beacon configuration group, select the Local web server tab.
3. Under Web Server Settings, select the IIS web server radio button.
   Support for mutual TLS is only available through IIS.
4. Click Save.
   An IIS Configuration alert appears to remind you that this setting does not change IIS settings, but merely communicates your intentions to the targeted inventory devices:
   The beacon will not configure IIS for use with HTTPS.
   Please manually configure IIS to use HTTPS.
   Click OK to clear the alert and finish saving your settings for the inventory beacon.
5. Run IIS Manager on this inventory beacon (for example, ).
6. Ensure that the server is selected in the left-hand Connections pane, and in the IIS group (center pane), double-click Server Certificates.
   Your action here depends on which stage of the process you are up to:
   - If you do not yet have a server certificate, continue with step 7.
   - If you have received a certificate (.cer file) from your Certificate Authority (CA), go to step 8.
   - If you already have a certificate in .pfx format, go to step 9.
7. To create a certificate signing request (CSR) for a CA to supply you with a new certificate:
   a. In the right-hand Actions pane, select Create Certificate Request....
      The Request Certificate wizard appears.
   b. On the Distinguished Name Properties page, complete these details:
      Common name: Enter the fully-qualified domain name (FQDN) for your company's online presence (such as www.example.com).
      Organization: The legally registered name of your enterprise (such as Your Company, Inc).
      Organizational unit: Optionally, enter the name of your department within the organization. You might use a value like IT, or perhaps Web Security; or you may leave this field blank.
      City/locality: Specify (in full) the city where your enterprise is located (in its legal registration). Note the warning on the dialog to use official names without abbreviations.
      State/province: Enter the state or province given in the legal registration of your enterprise.
      Country/region: From the drop-down list, select the country where your enterprise is legally located.
   c. Click Next.
   d. On the Cryptographic Service Provider Properties page, complete these details:
      Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
      Bit length: In the drop-down list, select 2048, unless you have a specific reason for opting for a larger bit length.
   e. Click Next.
   f. On the File Name page, use the browse (…) button to find a location where you want to save your certificate signing request (CSR) file. (The default location is C:\Windows\System32.)
      Tip: Keep a record of the file name and location for later use.
   g. Click Finish.
   h. Submit your CSR file to your preferred Certificate Authority.
      When you receive your certificate back from your Certificate Authority, resume this process from step 8.
8. While logged into the same inventory beacon where you created the certificate signing request:
   a. Save the .cer file from your CA on the inventory beacon.
   b. Run IIS Manager on this inventory beacon (for example, ).
   c. Ensure that the server is selected in the left-hand Connections pane, and in the IIS group (center pane), double-click Server Certificates.
   d. In the right-hand Actions pane, select Complete Certificate Request....
      The Complete Certificate Request wizard appears.
   e. On the Specify Certificate Authority Response page, complete these details:
      File name containing the certificate authority's response: Use the browse (...) button to select the .cer file you saved on this inventory beacon.
      Friendly name: Create a helpful name to identify this certificate. Good practice is to identify the CA and the expiry date within the friendly name (for example, mysite-certauth-20221215).
      Select a certificate store for the new certificate: From the drop-down, select the local store on the inventory beacon where the certificate should be saved (the Web Hosting store is recommended for performance and scaling; but if this server has few certificates, the Personal store may be adequate).
   f. Click OK.
      Your SSL certificate is saved. You now need to assign this certificate to the appropriate site, and specify the protocols (bindings) that must be used. Skip ahead to step 10 to do this.
9. To import your certificate in the .pfx format:
   a. In the right-hand Actions pane, select Import....
   b. In the Import Certificate dialog, use the browse button (...) to select your .pfx Certificate file.
   c. Also enter the Password for your private key for this inventory beacon server.
   d. From the Select Certificate Store drop-down, select the local store on the inventory beacon where the certificate should be saved (the Web Hosting store is recommended for performance and scaling; but if this server has few certificates, the Personal store may be adequate).
   e. Ensure that the check box to Allow this certificate to be exported remains selected.
   f. Click OK to save each certificate in the selected store, and if necessary loop back and repeat for any additional certificates required for the chain of authorization. When done, close the Import Certificate dialog.
      Continue the process with step 10.
10. Set the bindings for this web server:
    a. If necessary, in IIS, expand the server record, expand Sites, and select the website you wish to secure with your saved certificate (likely to be the Default Web Site).
    b. From the Actions panel on the right, select Bindings.... (Alternatively, if you right-click the website name in the Connections list on the left, you may select Edit Bindings....)
    c. In the Site Bindings dialog, select Add....
    d. In the Add Site Binding dialog:
       - Set Type to https.
       - Set IP address to All Unassigned.
       - Set Port to 443 (or your preferred non-default port for HTTPS communications).
       - Set Host name to the host name for this inventory beacon that the target inventory devices will use for inventory uploads.
         Tip: If this field is left blank, it uses the server name currently selected in the left navigation bar of the IIS settings. You may also use the convention https://localhost.... Naturally, ensure that the server name you use is configured in your DNS server with an appropriate IP address.
       - Set or clear the check box for Require Server Name Indication according to your requirements.
       - For the SSL certificate field, select your saved server certificate.
    e. Click OK.
    f. Click Close to close the dialog listing your Site Bindings.
11. In the Connections panel on the left, click the website again to display the Home page for the site; and then, in the center panel in the IIS group, double-click SSL Settings.
12. In the SSL Settings page:
    a. Select the Require SSL check box.
    b. Under Client certificates, select the Require radio button.
       This setting means that all inventory devices communicating with this inventory beacon must supply a client certificate for mutual TLS.
    c. In the Actions panel on the right, click Apply.
13. In the Connections panel on the left, click the default website to return to its home page; and then in the Actions panel on the right, click Restart. (Alternatively, you may right-click the website, and from the context menu select .)
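The IIS part of the procedure above (the https binding, the Require SSL and client-certificate settings, and the site restart) can also be scripted with the WebAdministration module, which is useful for building beacons repeatably and for reading back the effective setting. This is an added example, not Flexera's code; the site name, the beacon host name and the certificate friendly name are assumptions to replace with your own values, and the script must be run in an elevated PowerShell session on the beacon.

```powershell
# Added example (not Flexera's code): script the IIS configuration for mutual TLS.
# Assumptions: site name, beacon FQDN and the server certificate's friendly name.
Import-Module WebAdministration

$siteName     = 'Default Web Site'           # assumption: the site chosen in the Bindings step
$beaconHost   = 'beacon.example.com'         # assumption: host name the inventory devices use
$friendlyName = 'mysite-certauth-20221215'   # the friendly name given when completing the request

# Find the server certificate in the Web Hosting or Personal (My) store of the local machine.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\WebHosting', 'Cert:\LocalMachine\My' |
    Where-Object { $_.FriendlyName -eq $friendlyName } | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' was found." }
$storeName = if ($cert.PSPath -like '*\WebHosting\*') { 'WebHosting' } else { 'My' }

# Binding: https on port 443, all unassigned addresses, host name set, SNI enabled (SslFlags 1).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $beaconHost)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $beaconHost -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $beaconHost
$binding.AddSslCertificate($cert.Thumbprint, $storeName)   # assign the saved server certificate

# SSL Settings: "Require SSL" plus "Client certificates: Require" equals Ssl,SslRequireCert.
# The -Location form writes the site-level setting into applicationHost.config, as IIS Manager does.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslRequireCert'

# Restart the site so the new bindings and SSL settings take effect.
Restart-WebItem -PSPath "IIS:\Sites\$siteName"

# Read back the effective setting; anything other than Ssl, SslRequireCert means clients
# without a certificate would still be accepted.
$effective = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
"sslFlags for '$siteName': $effective"
```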
From the time of this restart, inventory devices can only communicate with this
inventory beacon when they have a valid client certificate to present.
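A quick way to confirm that the beacon really enforces this is to make one request without a client certificate and one with it, from a Windows machine that holds a client certificate issued for the beacon. This is an added check, not Flexera's code; the beacon URL and the client certificate thumbprint are placeholders you must replace.

```powershell
# Added check (not Flexera's code): verify that the beacon now demands a client certificate.
# Assumptions: the beacon URL, and a client certificate with private key in the
# current user's Personal store, identified by its thumbprint (placeholder below).
$beaconUrl  = 'https://beacon.example.com/'    # assumption: host name used in the https binding
$thumbprint = 'REPLACE-WITH-CLIENT-CERT-THUMBPRINT'

function Test-BeaconMutualTls {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($ClientCert) { $params.Certificate = $ClientCert }
    try {
        return [int](Invoke-WebRequest @params).StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; recover the status code from the response.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$clientCert  = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
$withoutCert = Test-BeaconMutualTls -Url $beaconUrl
$withCert    = Test-BeaconMutualTls -Url $beaconUrl -ClientCert $clientCert

# With "Client certificates: Require" in effect, IIS answers 403 (substatus 403.7) when no
# client certificate is presented, and the request with the certificate should succeed.
"Without client certificate: HTTP $withoutCert"
"With client certificate:    HTTP $withCert"
if ($withoutCert -ne 403) { Write-Warning 'Beacon accepted a request that presented no client certificate.' }
```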
For more information about setting up the client-side certificates needed to complete
the mutual TLS infrastructure, see the topic Common: Supporting Mutual TLS in Gathering FlexNet Inventory, available at http://docs.flexera.com.