How to setup https (SSL/TLS) to secure and encrypt internal FNMS communication between Agents, Beacons and the Application Server

Consideration

Although the term "SSL certificate" is still in everyday use, what HTTPS runs over today is TLS. Every version of SSL has been deprecated by the IETF (Internet Engineering Task Force): SSLv3 by RFC 7568 (see https://tools.ietf.org/html/rfc7568#section-3) because of its known vulnerabilities, and SSLv2 before it. Where this article says "SSL Certificate" it simply means an X.509 certificate used for TLS.

Any version of TLS is more secure than SSLv3; the highest version both ends support is preferable, and TLS 1.2 or later should be the target, since TLS 1.0 and 1.1 have themselves since been deprecated (RFC 8996).

Summary

This article explains what is needed to allow https (SSL/TLS) communication between Agents, Beacons and the Application Server.

Synopsis

FlexNet Manager Suite supports both http (port 80 by default) and https (port 443 by default). The initial FNMS installation uses http unless you configure it otherwise; follow these instructions to enable https in any or all parts of your environment.

If https is not set up properly, you could see errors like the following:

  1. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (The client does not have the issuing root CA, or the self-signed certificate, in its Trusted Root store.)
  2. Unable to get certificate CRL. (The client cannot reach the Certificate Revocation List distribution point named in the certificate.)
  3. Download failure: OpenSSL error 0xFC14: unable to get local issuer certificate. (A non-Windows Agent has no copy of the issuing certificate in its cert.pem file.)

 

Discussion

First: Application Server

To have your Beacons communicate with the Application Server through https, or for your WebUI users to have an end-to-end encrypted connection, you first need to set up IIS to accept and serve https as follows:

  1. Click on your server name at the top of the left navigation bar in IIS Manager
  2. Double-click the Server Certificates icon
  3. Import a certificate from a commercial or internal certificate authority, or (for a lab) create a self-signed certificate. Its subject/SAN must match the Application Server's hostname or FQDN exactly as Beacons and users will address it. A CA-issued certificate is preferable, since a self-signed one has to be imported into the Trusted Root store of every Beacon.
  4. Under Sites in the left navigation bar, click Default Web Site
  5. Click Bindings in the right side-bar
  6. Add an https binding (port 443 by default) and select your certificate
  7. Restart IIS
  8. Run the Config.ps1 PowerShell script with the updateConfig argument, using https instead of http in the URL fields and the same hostname/FQDN as in step #3. This step is explained in detail at the end of the FNMS Installation and FNMS Upgrade manuals (.\Config.ps1 "Config\FNMS Windows Authentication Config.xml" updateconfig)
  9. Test logging into the WebUI with "https://YourServerName/Suite" from another machine. A certificate warning there means that machine does not trust the issuing CA, which is the same problem the Beacons will have.
  10. Make sure no network or host firewall blocks TCP port 443 (or the port configured in step #6) between the Application Server and the Beacons
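The same Application Server steps, scripted in PowerShell as an added example (this is not code from the Flexera article or product). It assumes the FQDN fnms.example.local, the site name "Default Web Site", and that a CA-issued certificate for that FQDN is already in the Local Computer personal store; the self-signed fallback is for a lab only.

```powershell
# Added example, not from the Flexera article: script the IIS https binding and
# the connectivity checks from the steps above.
# Assumptions: FQDN fnms.example.local, site "Default Web Site", a CA-issued
# certificate for the FQDN already in Cert:\LocalMachine\My.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Fqdn     = 'fnms.example.local'   # assumption: must match what Beacons and users will use
$SiteName = 'Default Web Site'     # assumption

# Step 3: pick the unexpired certificate whose subject matches the FQDN; in a lab,
# fall back to a self-signed one (every Beacon will then need it in Trusted Root).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No CA-issued certificate for $Fqdn found; creating a self-signed one (lab use only)"
    $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
}

# Step 6: add the https binding on 443 (if missing) and attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Step 7: restart IIS.
iisreset /noforce | Out-Null

# Steps 9 and 10: confirm the port is reachable and the Suite URL answers over https.
$tcp = Test-NetConnection -ComputerName $Fqdn -Port 443
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 443 to $Fqdn is blocked; check host and network firewalls"
}
try {
    $resp = Invoke-WebRequest -Uri "https://$Fqdn/Suite" -UseBasicParsing -UseDefaultCredentials
    "https://$Fqdn/Suite returned HTTP $($resp.StatusCode) using certificate $($cert.Thumbprint)"
} catch {
    # A trust error here (as opposed to a 401/403) means this client does not trust
    # the issuing CA; fix the trust chain rather than disabling checks on the Beacons.
    Write-Warning "https request failed: $($_.Exception.Message)"
}
```

Run it on the Application Server itself; step 8 (Config.ps1 updateconfig) is left to the product script, since its URL fields are in the XML it reads.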

Second: The Flexera Beacons

For FNMS Cloud customers, the Beacon is required by default to use https over TLS 1.1 or 1.2 to communicate with the Cloud Application Server. If you need any assistance in updating these protocols, please review the Transport Layer Security (TLS) 1.1 & 1.2 Configuration Knowledge Base Article.

For FNMS On Premises installations, by default the Beacon keeps communicating with the Application Server using the same scheme it was installed with. If http is still enabled on the Application Server, the Beacon continues to function; once http is disabled, the Beacon can no longer reach the Application Server until it is switched to https as described below.

To configure the Beacon to communicate with the Application Server through https, follow these steps after verifying that the Application Server is listening on https and that no firewall blocks the configured port:

  1. Open a Run window and type certlm.msc to open the Local Computer certificate store (certmgr.msc opens the Current User store, which the Beacon Engine service, running as Local System, does not use)
  2. Right-click Trusted Root Certification Authorities and under All Tasks click Import
  3. Depending on the certificate source you used in IIS on the Application Server, either import the Root Certificate of your certificate authority (FNMS Cloud customers: install the DigiCert Global Root CA from https://www.digicert.com/digicert-root-certificates.htm) or import the self-signed certificate itself, in both cases into Trusted Root Certification Authorities under Local Computer as shown below so that the Local System account can use it. Import only the root or the self-signed certificate there; any intermediate CA certificate belongs in Intermediate Certification Authorities. Self-signed certificates can be exported from IIS, or by viewing the certificate in IE run as administrator and exporting it as a Base-64 encoded file.

    (Figure: Local Computer SSL Certificate store)

  4. Open the FlexNet Beacon UI
  5. Click on Parent Connection on the left navigation bar
  6. Click on Download Configuration
  7. Download the Configuration file from the WebUI as instructed
  8. Go back to the FlexNet Beacon and click Import Configuration
  9. Load the file you downloaded in step #7 and validate that the Application Server name starts with https
  10. Go to Services from the Windows Control Panel and restart the FlexNet Beacon Engine service
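To check the Beacon side without waiting for the next policy download, here is an added PowerShell example (not from the Flexera article) that imports the exported root or self-signed certificate into the Local Computer Trusted Root store and then validates the certificate the Application Server actually presents, with online revocation checking, the way the Beacon Engine does by default. The file path C:\Temp\fnms-root.cer and the server fnms.example.local are assumptions.

```powershell
# Added example, not from the Flexera article: import the Application Server's
# root CA (or its self-signed certificate) into Local Computer\Trusted Root on the
# Beacon, then build and check the server's certificate chain with revocation.
# Assumptions: exported Base-64 file at C:\Temp\fnms-root.cer, server fnms.example.local:443.
#Requires -RunAsAdministrator
$RootCerFile = 'C:\Temp\fnms-root.cer'   # assumption
$ServerFqdn  = 'fnms.example.local'      # assumption
$ServerPort  = 443

# Only a self-issued certificate (a CA root, or the self-signed server cert itself)
# belongs in Trusted Root; an end-entity cert issued by someone else would not fix the chain.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerFile
if ($root.Subject -ne $root.Issuer) {
    throw "$RootCerFile is not self-issued; import the issuing CA's root certificate instead"
}
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
    Import-Certificate -FilePath $RootCerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $($root.Subject) into Local Computer\Trusted Root"
}

# Fetch the certificate the server presents, without trusting it yet (callback accepts
# anything so the handshake completes; validation is done explicitly below).
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServerFqdn, $ServerPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($ServerFqdn)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# Build the chain with online revocation checking, matching the Beacon defaults
# (CheckServerCertificate and CheckCertificateRevocation both enabled).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chainOk = $chain.Build($serverCert)

# The chain says nothing about the name; check the first DNS name in the SAN/CN too.
$certName = $serverCert.GetNameInfo('DnsName', $false)
$nameOk   = $certName -eq $ServerFqdn

"Server certificate: $($serverCert.Subject) (expires $($serverCert.NotAfter))"
if (-not $nameOk) { "Name mismatch: certificate is for '$certName', Beacon connects to '$ServerFqdn'" }
if ($chainOk) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    foreach ($s in $chain.ChainStatus) {
        # UntrustedRoot corresponds to the "terminated in a root certificate which is not
        # trusted" error; RevocationStatusUnknown/OfflineRevocation to "unable to get certificate CRL".
        "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

If the chain builds but RevocationStatusUnknown is reported, the Beacon cannot reach the CRL distribution point; opening that path is the fix to prefer over the registry workaround described next.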

If the self-signed certificate still causes trouble, or the Beacon has no internet access to check the Certificate Revocation List online, the Beacon may be unable to communicate with the Application Server.

As a non-recommended workaround (less secure), you can disable the certificate check and/or the revocation check to avoid such errors. Note the difference: disabling CheckCertificateRevocation only skips the CRL lookup, whereas disabling CheckServerCertificate makes the Beacon accept any certificate, including one presented by a machine in the middle. Prefer fixing the trust chain or giving the Beacon a route to the CRL distribution point, and treat these values as temporary. Add the following String values with the value False under the registry key "HKLM\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Common" on a 64-bit server or "HKLM\SOFTWARE\ManageSoft Corp\ManageSoft\Common" on a 32-bit server:

CheckServerCertificate
CheckCertificateRevocation

(Figure: Registry Keys to skip Certificate Checks)

If you need the Flexera Agents, Lite Agents or SAP Admin Module to communicate with the Beacons over https as well, apply the following changes on each Beacon server concerned:

  1. Install Microsoft Internet Information Services (IIS), if it is not installed already, from the Windows Server Manager Roles, using the same features as for the Application Server in the FNMS Installation Manual (shown below). If IIS was already installed, verify that all of the features below are installed as well.

    (Figure: Configuring IIS components)

  2. Open the FlexNet Beacon UI
  3. Click on Local Web Server on the left navigation bar
  4. Select IIS web server and check HTTPS
  5. Click Save
  6. Open IIS and follow the same steps when configuring the Application Server above from steps #1 to #7 (Do not apply steps #8 and 9).

Third: The Flexera Agents and Lite Agents

The Flexera Agents and Lite Agents can communicate over https as well, provided the Beacon was set up accordingly. Follow one of these options to ensure proper communication between the two.

 

Windows Agents:

For Windows Agents to communicate to the Beacons over https, you can either:

  • Distribute the Root Certificate of the certificate authority that issued the certificates on all Beacon servers (or, for self-signed certificates, each Beacon's certificate itself) to the Local Computer Trusted Root store through Active Directory Group Policy. This is the recommended option, since the Agent keeps validating the Beacon's certificate. If the Agent is already installed and failed to download its policy, re-run the policy download with the mgspolicy -t machine command and then check the end of the installation.log file for the result.
  • As a non-recommended workaround (less secure) before the Agent is installed, you can add the following lines under [Common] in your bootstrap mgssetup.ini file. Make sure you don't already have desc0 and desc1 lines under [Common] in that file.

desc0 = CheckCertificateRevocation
val0 = False
desc1 = CheckServerCertificate
val1 = False

  • As a non-recommended workaround (less secure) after the Agent is installed, you can disable the Certificate Check and Revocation Check by adding the following Strings with the value of False under this Registry Key "HKLM\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Common" for 64-bit devices (remove \Wow6432Node for 32-bit devices):

CheckServerCertificate
CheckCertificateRevocation

You would need to re-run the policy download with the mgspolicy -t machine command if the initial Agent install failed.

  • Another option to distribute the above registry values is to create a SkipCertificateCheck.reg file in Notepad with the content below. You can then apply this registry file through any third-party tool in your environment, or manually by double-clicking it on the managed device when needed. Distributing it to devices that have no Flexera Agent has no immediate effect, but any Agent installed there later will silently skip certificate validation, so remove the values once proper trust is in place. If you have no 32-bit operating systems in your environment, you can remove the last three lines.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Common]
"CheckServerCertificate"="false"
"CheckCertificateRevocation"="false"

[HKEY_LOCAL_MACHINE\SOFTWARE\ManageSoft Corp\ManageSoft\Common]
"CheckServerCertificate"="false"
"CheckCertificateRevocation"="false"
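Because the registry workaround above (on Beacons and on Windows Agents) leaves a device accepting any server certificate, it should be auditable and reversible. The following PowerShell is an added example, not from the Flexera article: it reports the effective setting under both registry paths the article names and can remove the overrides. Everything other than the registry paths and value names is assumed.

```powershell
# Added example, not from the Flexera article: audit and remove the
# CheckServerCertificate / CheckCertificateRevocation = false overrides on a
# Windows host (Beacon or Agent). Registry paths are the ones the article gives.

function Get-ManageSoftCertCheckState {
    # Returns one object per setting per existing key, with the effective state.
    $paths = @(
        'HKLM:\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\Common',  # 64-bit OS
        'HKLM:\SOFTWARE\ManageSoft Corp\ManageSoft\Common'               # 32-bit OS
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($name in 'CheckServerCertificate', 'CheckCertificateRevocation') {
            $raw = $props.$name
            # A missing value means the default (check enabled); only the literal
            # string "false" (any case) disables the check.
            $disabled = ($null -ne $raw) -and ("$raw".Trim().ToLower() -eq 'false')
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                Path          = $p
                Setting       = $name
                RawValue      = $raw
                CheckDisabled = $disabled
            }
        }
    }
}

function Remove-ManageSoftCertCheckOverride {
    # Deletes the override values so the default (validation on) applies again.
    # Requires administrator rights; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-ManageSoftCertCheckState | Where-Object CheckDisabled | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Path)\$($_.Setting)", 'Remove override')) {
            Remove-ItemProperty -Path $_.Path -Name $_.Setting
        }
    }
}

# Usage: audit first, then remediate (uncomment). Run remotely with
# Invoke-Command -ComputerName <list> -FilePath <this script> for a fleet-wide view.
$state = Get-ManageSoftCertCheckState
$state | Format-Table Path, Setting, RawValue, CheckDisabled -AutoSize
if ($state | Where-Object CheckDisabled) {
    Write-Warning 'Flexera certificate validation is disabled on this host; it will accept any server certificate.'
    # Remove-ManageSoftCertCheckOverride -WhatIf
}
```

Before removing the overrides, make sure the host already trusts the Beacon's or Application Server's issuing certificate; otherwise the next policy download fails with the trust errors listed at the top of this article. Restart the FlexNet Beacon Engine service on a Beacon afterwards.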

 

Windows Lite Agents:
You can either apply the second option above for Windows Agents, or add the following arguments to your ndtrack command:

-o CheckServerCertificate=false -o CheckCertificateRevocation=false

 

Non-Windows Agents:
For non-Windows Agents to communicate over https, you can either:

  • Before the Agent is installed, create a file called mgsft_rollout_cert and save it next to your installation files. Copy/combine into it the certificates of all your https Beacons in Base-64 encoded X.509 format (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer lines for each certificate). If you are using certificates issued by a Certificate Authority, you only need to include the CA's certificate chain (which has a longer expiry date than the server certificates), starting with the Root Certificate at the top followed by the Intermediate Certificate(s).
  • After the Agent is installed, apply the same requirements as in the option above, but name the file cert.pem and copy it to /var/opt/managesoft/etc/ssl/cert.pem instead. If the policy download failed after installation, re-run it with the mgspolicy -t machine command and then check the end of the installation.log file for the result.
  • As a non-recommended workaround (less secure) before the Agent is installed, you can disable the certificate check and revocation check by adding the following lines to the mgsft_rollout_response file, or enable them if they already exist by removing the # sign:
MGSFT_HTTPS_CHECKSERVERCERTIFICATE=false
MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION=false
  • As a non-recommended workaround (less secure) after the Agent is installed, you can disable the Certificate Check and Revocation Check by adding the following lines under [ManageSoft\Common] in the Agent's /var/opt/managesoft/etc/config.ini file.
CheckServerCertificate=false
CheckCertificateRevocation=false

You would need to re-run the policy download with the mgspolicy -t machine command if the initial Agent install failed.
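Assembling the mgsft_rollout_cert (or cert.pem) bundle by hand is where the "unable to get local issuer certificate" error usually comes from: a DER file pasted in, an expired intermediate, or a missing root. The following added example (not from the Flexera article) builds the bundle on the Windows box where the certificates were exported, checks each certificate, and orders roots before intermediates as described above; file names are assumptions.

```powershell
# Added example, not from the Flexera article: build the mgsft_rollout_cert /
# cert.pem bundle for non-Windows Agents from exported Base-64 certificate files,
# validating and ordering the certificates first. Input file names are assumptions.

function New-AgentCertBundle {
    param(
        [Parameter(Mandatory)] [string[]] $InputFile,   # CA root/intermediate files or self-signed Beacon certs
        [Parameter(Mandatory)] [string]   $OutputFile   # e.g. .\mgsft_rollout_cert
    )
    $pemBlock = '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $certs = foreach ($f in $InputFile) {
        $text = Get-Content -Path $f -Raw
        $found = [regex]::Matches($text, $pemBlock)
        if ($found.Count -eq 0) {
            throw "$f contains no Base-64 certificate block; export it as Base-64 encoded X.509, not DER"
        }
        foreach ($m in $found) {
            $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
    }

    # Drop duplicates and refuse expired certificates (an expired CA fails every chain).
    $unique  = $certs | Sort-Object Thumbprint -Unique
    $expired = $unique | Where-Object { $_.NotAfter -lt (Get-Date) }
    if ($expired) {
        throw ('Expired certificate(s): ' + (($expired | ForEach-Object Subject) -join '; '))
    }

    # Roots (self-issued, which also covers self-signed Beacon certificates) first,
    # then intermediates, as the article requires.
    $ordered = @($unique | Where-Object { $_.Subject -eq $_.Issuer }) +
               @($unique | Where-Object { $_.Subject -ne $_.Issuer })

    # Re-encode from the parsed DER so the output is clean PEM with Unix line endings,
    # which is what the Agent's OpenSSL build expects on Linux/UNIX.
    $blocks = foreach ($c in $ordered) {
        $b64 = [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks') -replace "`r`n", "`n"
        "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    }
    $utf8NoBom = New-Object System.Text.UTF8Encoding $false
    [System.IO.File]::WriteAllText($OutputFile, (($blocks -join "`n") + "`n"), $utf8NoBom)

    $ordered | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Usage (assumed file names): CA chain, plus any self-signed Beacon certificates.
New-AgentCertBundle -InputFile '.\ca-root.cer', '.\ca-intermediate.cer', '.\beacon02-selfsigned.cer' `
                    -OutputFile '.\mgsft_rollout_cert'
```

The returned table lets you confirm the order and expiry dates before copying the file next to the installer, or to /var/opt/managesoft/etc/ssl/cert.pem on an Agent that is already installed.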

 

Non-Windows Lite Agents:

For non-Windows Lite Agents to communicate over https, use one of the following:

  • As a non-recommended workaround (less secure) after the Agent install, you can disable the Certificate Check and Revocation Check by adding the following lines under [ManageSoft\Common] in the Agent's /var/opt/managesoft/etc/config.ini file.

CheckServerCertificate=false
CheckCertificateRevocation=false

  • Add the following arguments to your ndtrack command:
-o CheckServerCertificate=false -o CheckCertificateRevocation=false

 

Additional Information

If the above does not work and you need to force the connections to use TLS 1.1 or higher, install .NET Framework 4.6 and then set SchUseStrongCrypto, which makes .NET Framework applications such as the Beacon Engine negotiate TLS 1.1 and 1.2 instead of being limited to SSL 3.0/TLS 1.0 (on .NET Framework 4.7 or later, SystemDefaultTlsVersions is the preferred way to let the operating system choose the protocol):

  1. Open RegEdit.exe as an Administrator
  2. Navigate to the following registry keys:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
  3. Right-click in an empty area and create a DWORD value named SchUseStrongCrypto in each key with a value of 1
  4. Once that is complete, restart the FlexNet Beacon Engine service; the BeaconEngine.log file should then show the connection being made over the newer protocol
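As an added example (not from the Flexera article), the following PowerShell sets SchUseStrongCrypto in both .NET Framework 4.x keys listed above and then probes the Application Server to see which protocol versions it accepts, so you can confirm TLS 1.1/1.2 negotiate and SSL 3.0 is refused. The server name is an assumption.

```powershell
# Added example, not from the Flexera article: set SchUseStrongCrypto for the 64-bit
# and 32-bit .NET Framework 4.x views, then test which protocol versions the
# Application Server accepts. Server name is an assumption.
#Requires -RunAsAdministrator
$ServerFqdn = 'fnms.example.local'   # assumption

foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        "$key\SchUseStrongCrypto = $((Get-ItemProperty -Path $key).SchUseStrongCrypto)"
    }
}

function Test-TlsVersion {
    # Attempts one handshake per protocol version and reports whether it succeeded.
    # A refusal can come from either side: the server's Schannel settings or this
    # client's, so run it from a Beacon to see what the Beacon can actually negotiate.
    param([string] $ComputerName, [int] $Port = 443)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    foreach ($proto in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($ComputerName, $null,
                                      [System.Security.Authentication.SslProtocols]$proto, $false)
            [pscustomobject]@{
                Protocol   = $proto
                Accepted   = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            }
            $ssl.Dispose()
        } catch {
            [pscustomobject]@{
                Protocol   = $proto
                Accepted   = $false
                Negotiated = $null
                Cipher     = $_.Exception.GetBaseException().Message
            }
        } finally {
            $tcp.Dispose()
        }
    }
}

# Expected on a hardened server: Ssl3 refused (ideally Tls 1.0 as well), Tls11/Tls12 accepted.
Test-TlsVersion -ComputerName $ServerFqdn | Format-Table -AutoSize
```

Restart the FlexNet Beacon Engine service after the registry change so the new setting is picked up.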



Version history: revision 11 of 11, last updated Aug 26, 2020 11:56 AM