A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Change Flexera Agent Configuration ( registry based ) using policy settings

Dears,

can we change the flexera agent registry level configuration through a policy update as follows.

Example Scenario : Set CheckServerCertificate=false for all agents from policy change at DB or at server, so that it'll reflect on clients during the next  policy update.

Example Execution :  At DB , insert or update a the table with CheckServerCertificate=false, then beacon (or app server) pick up this value and request agent to update the same in relevant registry,

 

 

(1) Solution
ChrisG
By Community Manager Community Manager
Community Manager

The short answer is that there is no supported or documented way of setting agent preferences like this through policy.

However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.

An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".

For example:

[... Other parts of the script from the post referenced above ...]

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CCommonCheckServerCertificate',
    @BeaconTargetID = @btid,
    @Value = 'false'

[... Other parts of the script from the post referenced above ...]

Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.

Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.

The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

(3) Replies

Once the agent is installed, this setting is established in the Windows registry, or in the case of Linux, in the pseudo-registry config.ini.

There doesn't appear to be a way to change it through a Flexera policy setting.

For Windows, you can change it through a change to the registry which you could push out through SCCM.  The change can be made for every aspect of the agent or for specific agent components.

[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component.

In the registry, the value name would be CheckServerCertificate and the value data would be false.

For Linux, you would need to push out a script that makes a change to the config.ini file.  This script should do that:

#!/bin/sh
# This file contains a customization to the FlexNet Inventory Agent which
# turns off SSL certificate checking.  If you want to turn it back on,
# set CheckServerCertificate=true.

cat <<EOF >/tmp/mgsconfig.ini
[ManageSoft\Common]
CheckServerCertificate=false
EOF

/opt/managesoft/bin/mgsconfig -i /tmp/mgsconfig.ini

rm /tmp/mgsconfig.ini

Info on CheckServerCertificate.

Info on the mgsconfig tool.

Hope this helps.

--Mark

 

ChrisG
By Community Manager Community Manager
Community Manager

The short answer is that there is no supported or documented way of setting agent preferences like this through policy.

However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.

An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".

For example:

[... Other parts of the script from the post referenced above ...]

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CCommonCheckServerCertificate',
    @BeaconTargetID = @btid,
    @Value = 'false'

[... Other parts of the script from the post referenced above ...]

Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.

Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.

The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

@mfeinman thanks for the reply , but i could recall that i  did something like this few years before, where i needed to to change the reg settings of connected devices via policy.

 

@ChrisG  thanks a lot for the comments, the step i was expecting is the same you described.

i need more information about the keyName, will check at support ticket.