We are using zero touch to collect inventory form a few Linux devices. The inventory is running correctly (i.e. username etc all correct).
However the upload fails (as see in the tracker.log) with the following error:
Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate
and they are unable to create and upload inventories.
We have tried to add the IP and also the FQDN in the BeaconEngine.conf file, but this has made no difference.
The beacon and FNMS are running HTTPS and their certificates are valid.
Do we need to get a local copy of those certificates installed on the Linux devices, or a copy of the RootCA added to the Linux?
Mar 05, 2024 04:27 AM
Unfortunately file upload using HTTPS protocol is not directly supported for UNIX-like platforms when using zero-touch inventory.
See some commentary about this on the following page in the Gathering FlexNet Inventory guide (search in the page for the string "ssl"): Zero-Footprint: System Requirements
Mar 05, 2024 04:37 AM
Yes, deploying the agents (with an appropriate certificate configured) would allow data to be uploaded using HTTPS. Beyond just the HTTPS considerations, having agents deployed is typically a more robust and reliable approach for gathering inventory than using the zero-touch approach. The zero-touch approach is very sensitive to factors such as network connectivity, having credentials for remote access configured, target devices being online, etc.
Mar 05, 2024 04:55 AM
Unfortunately file upload using HTTPS protocol is not directly supported for UNIX-like platforms when using zero-touch inventory.
See some commentary about this on the following page in the Gathering FlexNet Inventory guide (search in the page for the string "ssl"): Zero-Footprint: System Requirements
Mar 05, 2024 04:37 AM
Thanks for the update.
Would it then be better to get the agents deployed on those Linux devices instead?
Mar 05, 2024 04:47 AM
Yes, deploying the agents (with an appropriate certificate configured) would allow data to be uploaded using HTTPS. Beyond just the HTTPS considerations, having agents deployed is typically a more robust and reliable approach for gathering inventory than using the zero-touch approach. The zero-touch approach is very sensitive to factors such as network connectivity, having credentials for remote access configured, target devices being online, etc.
Mar 05, 2024 04:55 AM
So latest update is that we can get the ndlaunch command to run direct from a Linux machine to the beacon HTTPS URL.
However, when we try the task from a discovery/inventory rule on our beacon, it seems to discover correctly, and create an inventory, but we get the following error when trying to upload:
2024-03-05 16:34:12,098 [.BasicInventoryVisitor| rules-9] [INFO ] Queued zero touch inventory on device 'linux02'
2024-03-05 16:34:36,147 [.BasicInventoryVisitor| rules-9] [INFO ] ---------------------------------------------------------------------------------------------------------------------
2024-03-05 16:34:36,147 [.BasicInventoryVisitor| rules-9] [INFO ] Finished processing task of type 'TaskType_Inventory' on target 'x.x.x.112' with result '-3'
2024-03-05 16:34:36,147 [.BasicInventoryVisitor| rules-9] [INFO ] Result of type 'TaskType_Inventory' on target 'x.x.x.112':
<TaskStatus Result="Failed" StartDateTime="2024-03-05T16:34:12" Type="Inventory" Status="RemoteExecutionFailedReturnedNonZero" Duration="24.01">
<Step Result="Success" Type="SSHCopyAgent" Status="SSHExecutionSucceeded" Credential="Linux" Duration="2.44">
<CommandLine>C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\pscp.exe -batch -q -ln "Linux" \\beacon\mgsRET$\Inventory\ndtrack.sh \\beacon\mgsRET$\Inventory\ndtrack.ini \\beacon\mgsRET$\Inventory\InventorySettings.xml x.x.x.112:.</CommandLine>
</Step>
<Step Result="Failed" Type="SSHCommandRunAgent" Status="SSHExecutionOnRemoteHostReturnedNonZero" Credential="Linux" Duration="21.19">
<CommandLine>C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution\plink.exe -t -batch -ln "Linux" x.x.x.112 "sudo /bin/sh ./ndtrack.sh -t Machine -o UploadLocation=""https://beacon.dcss.dev/ManageSoftRL"" -o LogModules=""default"" -o IgnoreConnectionWindows=""true"" -o ShowIcon=""false"" -o PolicyRevisionNumber=""165"" -o RuleID=""9"" -o SessionUID=""2ea9222d-6bb5-480c-8130-5aae4052b942"" -o IncludeDirectory="""" -o CALInventory=""False"""</CommandLine>
<ProcessStdOut>[sudo] password for user:
ManageSoft Inventory agent 21.0 -> Build 678
Copyright 2023 Flexera Software LLC
----- Gathering inventory
> Initialising
> Searching for hardware
> Searching for Oracle database instances
> Searching for Oracle listener
> Searching for software
> Searching the native package database
> Symantec Storage Foundation Tracking Started
> IBM MQ Queue Manager Tracking Started
> IBM Db2 tracking started.
> Started Jboss tracking
> Generating inventory '/var/tmp/flexera/tracker/inventories/system on linux02.ndi'
> Compressing inventory 'system on devmgtter02.ndi' to 'mgs82255128.ndi.gz.tmp'
> Uploading inventory
*** Error: Error (s189m263)
*** FlexNet Manager Platform could not upload the inventory.
</ProcessStdOut>
<Parameter Index="0">7</Parameter>
</Step>
</TaskStatus>
Mar 05, 2024 10:48 AM
So we think that the linux agent has a set of scheduled tasks that will collect the inventory and upload to the beacon. That has been checked by running 'ndschedag -e' and the log files show the uploads are working to the HTTPS address of the beacon.
Mar 06, 2024 04:01 AM