This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Change Flexera Agent Configuration ( registry based ) using policy settings

Jump to solution
Junaid_V
By
Level 4

Dears,

can we change the flexera agent registry level configuration through a policy update as follows.

Example Scenario : Set CheckServerCertificate=false for all agents from policy change at DB or at server, so that it'll reflect on clients during the next  policy update.

Example Execution :  At DB , insert or update a the table with CheckServerCertificate=false, then beacon (or app server) pick up this value and request agent to update the same in relevant registry,

 

 

‎Dec 26, 2023 03:35 AM

0 Kudos
(1) Solution

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager

The short answer is that there is no supported or documented way of setting agent preferences like this through policy.

However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.

An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".

For example:

[... Other parts of the script from the post referenced above ...]

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CCommonCheckServerCertificate',
    @BeaconTargetID = @btid,
    @Value = 'false'

[... Other parts of the script from the post referenced above ...]

Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.

Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.

The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

‎Dec 27, 2023 06:11 PM

(3) Replies

Jump to solution
mfeinman
By
Level 8

Once the agent is installed, this setting is established in the Windows registry, or in the case of Linux, in the pseudo-registry config.ini.

There doesn't appear to be a way to change it through a Flexera policy setting.

For Windows, you can change it through a change to the registry which you could push out through SCCM.  The change can be made for every aspect of the agent or for specific agent components.

[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component.

In the registry, the value name would be CheckServerCertificate and the value data would be false.

For Linux, you would need to push out a script that makes a change to the config.ini file.  This script should do that:

#!/bin/sh
# This file contains a customization to the FlexNet Inventory Agent which
# turns off SSL certificate checking.  If you want to turn it back on,
# set CheckServerCertificate=true.

cat <<EOF >/tmp/mgsconfig.ini
[ManageSoft\Common]
CheckServerCertificate=false
EOF

/opt/managesoft/bin/mgsconfig -i /tmp/mgsconfig.ini

rm /tmp/mgsconfig.ini

Info on CheckServerCertificate.

Info on the mgsconfig tool.

Hope this helps.

--Mark

 

‎Dec 27, 2023 11:11 AM

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager

The short answer is that there is no supported or documented way of setting agent preferences like this through policy.

However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.

An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".

For example:

[... Other parts of the script from the post referenced above ...]

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CCommonCheckServerCertificate',
    @BeaconTargetID = @btid,
    @Value = 'false'

[... Other parts of the script from the post referenced above ...]

Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.

Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.

The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

‎Dec 27, 2023 06:11 PM

Jump to solution
Junaid_V
By
Level 4

@mfeinman thanks for the reply , but i could recall that i  did something like this few years before, where i needed to to change the reg settings of connected devices via policy.

 

@ChrisG  thanks a lot for the comments, the step i was expecting is the same you described.

i need more information about the keyName, will check at support ticket. 

 

 

‎Dec 29, 2023 08:47 AM - edited ‎Dec 29, 2023 08:48 AM

0 Kudos