kyle_wolff
Active participant

Is it possible to use standalone UNIX agent ndtrack.sh over HTTPS?

Is it possible to configure a Unix standalone agent package (ndtrack.sh) to work on HTTPS?

 

When doing a full agent install, there is an mgsft_rollout_cert file that is required to be in the same directory as the install package and mgsft_rollout_response file. After installation, the certs within mgsft_rollout_cert are pinned on the system so it can communicate using HTTPS.

 

What is required for ndtrack.sh to work using pinned certificates?

 

Is it as simple as including your mgsft_rollout_cert file in the same dir you have your ndtrack.sh, ndtrack.ini and InventorySettings.xml files?

 

Or, does it require something additional passed in the command against ndtrack.sh?

 

Or, is it even possible?

 

I ask because in the documentation for ndtrack command line I see Preferences for SSLCA and SSLCRL related options, but only under the full UNIX agent install column, NOT for UNIX ndtrack.sh.

 

If it's possible, could we an example of how it's done?

 

0 Kudos
3 Replies
kyle_wolff
Active participant

Also, I have read How-to-setup-https-SSL-TLS-to-secure-and-encrypt-internal-FNMS, but the only option listed for Non-Windows Lite agent is passing -o CheckServerCertificate=false -o CheckCertificateRevocation=false against ndtrack.sh, but this is not a great option.

0 Kudos

Correct Kyle, passing the arguments is the only option I was able to find when this article was pieced together.

The traffic is still encrypted end to end, but the downside comparing to a proper SSL handshake is:
1) If there is a fake machine impersonating the beacon server name, or if network traffic/routing redirected to a (man-in-the-middle attack) collecting the file instead.
2) If the Beacon server was compromised in the past, you won't be able to tell the ndtrack.sh that the SSL certificate is no longer valid. Ndtrack wouldn't be looking at the revocation list, but you might be able to still keep this option as true if there is network connectivity to the CRL repository.
0 Kudos
kclausen
Flexera
Flexera

@kyle_wolff - If you are using the stand-alone scanner / Core Executable method of using ndtrack.sh on Linux, I am not aware of a way that you can have the connection to the Beacon use HTTPS. 

While there are advantages of using the Core Executable method, AFAIK the major downside on Linux is lack of support for HTTPS.