Dear All,
Presently, Flexera agents connect to the Beacon server without any authentication. Can this connection be made with an authentication? This is to preserve the integrity of the information received by the beacon.
Please help.
Nov 04, 2019 02:25 AM
The Beacon runs on Windows and uses IIS for authentication. Therefore, the Beacon/IIS will use Windows Authentication when the FlexNet Agent is installed on a Windows Devices when uploading to the Beacon.
When the FlexNet Agent is installed on Linux/UNIX, Windows Authentication is not possible, which is why IIS must be configured for Anonymous Authentication.
With some work, the communication between the Agent and the Beacon can be configured to use HTTPS. This requires you to supply your own Certificate, and the Certificate must be installed on each non-Windows Devices where the agent is installed.
Kirk
Nov 04, 2019 07:08 AM
@kclausen: Do you have a document or reference notes, as the client wants Flexera agents to connect the Beacon server with authentication using client/end device level certificates. The following message is from the client.
"The Agent needs to understand Client Authentication certificates and be able to use such a certificate in the Windows certificate store. Also, the FNMS endpoint service must be able to verify such a certificate once an agent presents it as the basis for authentication – including the trust with the Client company PKI/CA"
Nov 24, 2021 12:35 AM
Hallo Nathan,
with some luck we convinced our customers to check only our beacon IIS certificate with CRL valididity. So they trust our beacon and we trust every client for delivery. It was not easy to get communication with PKI/CA (Port 80 !) from every client environment. You have to bolster your client keystores with public keys of the signing key chain. But it is exactly no authentication. You will have to choose, which parts of foreign keys are representative. And what should be the benefits of the customer for the requested authentication?
Possibly your customer will see your enduring efforts on his bill... For one time implementation and daily run seperated.
With kind regards, Juergen.
Nov 29, 2021 01:04 PM
This is an old thread, but for anybody finding this info here are some references which contain details and guidance on working with mTLS authentication with the FlexNet inventory agent:
Nov 23, 2021 08:43 PM
In addition to the excellent links that Chris provided, here is a recent KB Article on this topic:
https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Configure-Client-Certificate-Authentication-for-FlexNet/ta-p/207382
Nov 24, 2021 07:17 AM
@kclausen: Can we use an existing certificate in the client to authenticate the FlexNet Beacon connection or we should have a new certificate?
Nov 28, 2021 06:09 AM - edited Nov 28, 2021 11:36 PM
@SenthilNathan - The certificate checking/acceptance is performed by IIS, not the beacon. Please follow the documentation in the above links provided by Chris. The answer to your question is that the Certificate installed on the client must be accepted by IIS installed and enabled on the Beacon Server.
Nov 29, 2021 06:06 AM
Hey @kclausen, Senthil's question stems from a customer who already has a client certificate pair installed in the Trusted Root Certification Authorities on their end user Windows devices that is used for client authentication of another app. The question is whether the agent can be configured to use that certificate. This would remove the necessity to deploy a new cert to all end user devices.
My guess is the answer is no. Reading between the lines in the documentation, it looks like the agent expects the certificate to be named after the inventory beacon as that seems to be the only way that the agent would know which certificate in the local cert store to use to authenticate itself.
Nov 29, 2021 06:37 PM