cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
flexeranoob
Level 7

Agent authenticating with Beacon server

Dear All,

Presently, Flexera agents connect to the Beacon server without any authentication.   Can this connection be made with an authentication? This is to preserve the integrity of the information received by the beacon. 

Please help. 

This thread has been automatically locked due to inactivity.

To continue the discussion, please start a new thread.

8 Replies
kclausen
Level 14 Flexeran
Level 14 Flexeran

The Beacon runs on Windows and uses IIS for authentication.  Therefore, the Beacon/IIS will use Windows Authentication when the FlexNet Agent is installed on a Windows Devices when uploading to the Beacon.

 

When the FlexNet Agent is installed on Linux/UNIX, Windows Authentication is not possible, which is why IIS must be configured for Anonymous Authentication.

 

With some work, the communication between the Agent and the Beacon can be configured to use HTTPS.  This requires you to supply your own Certificate, and the Certificate must be installed on each non-Windows Devices where the agent is installed.

 

Kirk

@kclausen: Do you have a document or reference notes, as the client wants Flexera agents to connect the Beacon server with authentication using client/end device level certificates.  The following message is from the client.

"The Agent needs to understand Client Authentication certificates and be able to use such a certificate in the Windows certificate store. Also, the FNMS endpoint service must be able to verify such a certificate once an agent presents it as the basis for authentication – including the trust with the Client company PKI/CA"

0 Kudos

Hallo Nathan,

with some luck we convinced our customers to check only our beacon IIS certificate with CRL valididity. So they trust our beacon and we trust every client for delivery. It was not easy to get communication with PKI/CA (Port 80 !) from every client  environment. You have to bolster your client keystores with public keys of the signing key chain. But it is exactly no authentication. You will have to choose, which parts of foreign keys are representative. And what should be the benefits of the customer for the requested authentication? 

Possibly your customer will see your enduring efforts on his bill... For one time implementation and daily run seperated.

With kind regards, Juergen.

ChrisG
Community Manager Community Manager
Community Manager

This is an old thread, but for anybody finding this info here are some references which contain details and guidance on working with mTLS authentication with the FlexNet inventory agent:

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
0 Kudos
kclausen
Level 14 Flexeran
Level 14 Flexeran

In addition to the excellent links that Chris provided, here is a recent KB Article on this topic:

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Configure-Client-Certificate-Authentication-for-FlexNet/ta-p/207382

 

0 Kudos

@kclausenCan we use an existing certificate in the client to authenticate the FlexNet Beacon connection or we should have a new certificate?

0 Kudos

@SenthilNathan - The certificate checking/acceptance is performed by IIS, not the beacon.  Please follow the documentation in the above links provided by Chris.  The answer to your question is that the Certificate installed on the client must be accepted by IIS installed and enabled on the Beacon Server.

0 Kudos
peter_osang
Level 4

Hey @kclausen, Senthil's question stems from a customer who already has a client certificate pair installed in the Trusted Root Certification Authorities on their end user Windows devices that is used for client authentication of another app.    The question is whether the agent can be configured to use that certificate.  This would remove the necessity to deploy a new cert to all end user devices.     

My guess is the answer is no.  Reading between the lines in the documentation, it looks like the agent expects the certificate to be named after the inventory beacon as that seems to be the only way that the agent would know which certificate in the local cert store to use to authenticate itself.

0 Kudos