- Re: Sensitivity of client-server and publisher identity files
We understand that the publisher identity is the root of the licensing technology's security and that the client and client server identity files are derived from it. In general - we suppose - that the publisher identity (identity_backoffice.bin) can be used to create new valid licenses.
The C-based license server does not allow using a signed settings file, as opposed to the Java-based license server, which is why we are thinking about ways to secure the license server identity files. However, we first want to understand whether we really need to protect the license server identity and have to make efforts to protect this data.
While older license server administration guides (e.g. 2016) state that only the backoffice_identity.bin contains sensitive data and shall be protected, newer versions (e.g. 2022) state that both the client_server_identity.bin and the backoffice_identity.bin should be protected. Did something change or was the documentation extended only?
We would like to understand the impact of theft of the identity files, specifically for the license server identity and the backoffice identity files.
- what would a potential attacker be able to do in case the
  - client_server_identity.bin is stolen
  - the backoffice_identity.bin is stolen
- what would be potential mitigation actions in case the
  - client_server_identity.bin is stolen
    - in case of theft - can the client_server identity be "updated" without updating the client and backoffice identity?
  - the backoffice_identity.bin is stolen
  - client_server_identity.bin is stolen
Do we need to protect the license server identity file?
Is there a way to protect it with the C-server just as with the Java-based server (e.g. by using a signed settings file)? Would Revenera's professional service be able to help here with a solution?
@jberthold - do you have an answer to what would need to happen if the client / server identity file is compromised? Is there a way to "revoke" it? Is there a way to update it without updating the backoffice and client identity files?
Hi @TrinityTonic ,
Hi @jberthold and thanks again for an answer to a question I've already asked a few times. Working on the security department of our products, we have to understand risks and would require some sort of incident response. That's why those two questions above were asked.
- what would a potential attacker be able to do in case the
  - client_server_identity.bin is stolen
  - the backoffice_identity.bin is stolen
- what would be potential mitigation actions in case the
  - client_server_identity.bin is stolen
    - in case of theft - can the client_server identity be "updated" without updating the client and backoffice identity?
  - the backoffice_identity.bin is stolen
    - the worst case, and we do not have to dig into this deeper
  - client_server_identity.bin is stolen
The interesting question here is can you replace one of the keys (i.e. the client or client server identity without replacing all 3 identities) making them incompatible to previous versions.
Hi @TrinityTonic ,
- in case of theft - can the client_server identity be "updated" without updating the client and backoffice identity?
- No, I do not believe so as these identities are all created at the same time.
Best regards,
Jim