This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is it possible to use standalone UNIX agent ndtrack.sh over HTTPS?

kyle_wolff
By
Level 6

Is it possible to configure a Unix standalone agent package (ndtrack.sh) to work on HTTPS?

 

When doing a full agent install, there is an mgsft_rollout_cert file that is required to be in the same directory as the install package and mgsft_rollout_response file. After installation, the certs within mgsft_rollout_cert are pinned on the system so it can communicate using HTTPS.

 

What is required for ndtrack.sh to work using pinned certificates?

 

Is it as simple as including your mgsft_rollout_cert file in the same dir you have your ndtrack.sh, ndtrack.ini and InventorySettings.xml files?

 

Or, does it require something additional passed in the command against ndtrack.sh?

 

Or, is it even possible?

 

I ask because in the documentation for ndtrack command line I see Preferences for SSLCA and SSLCRL related options, but only under the full UNIX agent install column, NOT for UNIX ndtrack.sh.

 

If it's possible, could we an example of how it's done?

 

‎Dec 11, 2020 03:44 PM

0 Kudos
(3) Replies

kyle_wolff
By
Level 6

Also, I have read How-to-setup-https-SSL-TLS-to-secure-and-encrypt-internal-FNMS, but the only option listed for Non-Windows Lite agent is passing -o CheckServerCertificate=false -o CheckCertificateRevocation=false against ndtrack.sh, but this is not a great option.

‎Dec 11, 2020 03:51 PM

0 Kudos

msbeta
By
Level 2
In response to kyle_wolff
Correct Kyle, passing the arguments is the only option I was able to find when this article was pieced together.

The traffic is still encrypted end to end, but the downside comparing to a proper SSL handshake is:
1) If there is a fake machine impersonating the beacon server name, or if network traffic/routing redirected to a (man-in-the-middle attack) collecting the file instead.
2) If the Beacon server was compromised in the past, you won't be able to tell the ndtrack.sh that the SSL certificate is no longer valid. Ndtrack wouldn't be looking at the revocation list, but you might be able to still keep this option as true if there is network connectivity to the CRL repository.

‎Apr 14, 2021 09:29 AM

0 Kudos

kclausen
By
Flexera Alumni

@kyle_wolff - If you are using the stand-alone scanner / Core Executable method of using ndtrack.sh on Linux, I am not aware of a way that you can have the connection to the Beacon use HTTPS. 

While there are advantages of using the Core Executable method, AFAIK the major downside on Linux is lack of support for HTTPS.

‎Dec 14, 2020 01:22 PM