Important - Certificate update to installers for FlexNet Manager Suite 2020 R2 and 2021 R1

mrichardson
Flexera Alumni
0 1 676

This blog applies to installations of FlexNet Manager Suite On-premises 2020 R2 and 2021 R1 who use SQL Server 2017 or above.

While installing or upgrading FlexNet Manager Suite, the database creation/upgrade could fail with the following error:

 

There was an error while attempting to run 'CLRInstallSqlProceduresClr.sql'. CREATE or ALTER ASSEMBLY for assembly 'SqlProceduresClr' with the SAFE or EXTERNAL_ACCESS option failed because the 'CLR strict security' option of sp_configure is set to 1. Microsoft recommends that you sign the assembly with a certificate or asymmetric key that has a corresponding login with UNSAFE ASSEMBLY permission. Alternatively, you can trust the assembly using sp_add_trusted_assembly.

 

FlexNet Manager Suite uses common language runtime (CLR) integration in SQL Server to carry out some automated tasks. SQL Server CLR uses Code Access Security (CAS) in the .NET Framework, which is no longer supported as a security boundary. A CLR assembly created with PERMISSION_SET = SAFE may be able to access external system resources, call unmanaged code, and acquire sysadmin privileges.

Since in SQL Server 2017, CLR strict security is enabled by default. This means SAFE and EXTERNAL_ACCESS assemblies are treated as if they were marked UNSAFE.

To address this, Microsoft recommends that all assemblies be signed by a certificate or asymmetric key with a corresponding login that has been granted UNSAFE ASSEMBLY permission in the master database. The certificate which is used to sign the FlexNet Manage Suite assemblies will have to be imported into the SQL Server of the FlexNet Manage Suite, before installation/upgrade.

FlexNet Manager Suite 2020 R2 and 2021 R1 include a certificate that can be installed in SQL Server 2017 and later to allow a Flexera CLR assembly to be used. This certificate will expire on November 20, 2021, and will subsequently no longer be able to be used for new installations.

In order to install/upgrade FlexNet Manager Suite while running SQL Server 2017, a new certificate is required that meets the specifications from Microsoft listed above. We will be updating the installers for FlexNet Manager Suite 2020 R2 and FNMS 2021 R1 in the Product and License Center later today accordingly.

We've now replaced the installers for FlexNet Manager Suite 2020 R2 and FNMS 2021 R1 on the Product and License Center to include updated signed certificates. If you've downloaded the installers prior to November 19, 2021, please download these updated installers.

When upgrading an existing SQL Server version from before version 2017 to version 2017 or above (and not upgrading FlexNet Manager Suite) no specific actions are needed; the upgrade will go through fine.

Installing the certificate

As a reminder, here are the steps from the Installation Guide detailing how to install the relevant certificate in SQL Server:

For SQL Server 2017 or later, you first need to install a Flexera signed security certificate which identifies the installation as a trusted assembly.

Tip: If it happens that your various databases for FlexNet Manager Suite are on separate database servers running SQL Server 2017 or later, remember to install a copy of the certificate on each server, as follows.

  1.  Download the file Flexera Signed Security Certificate for SQL Server 2017 and 2019 v2.zip from the Product & License Center. Extract the FlexeraCodeSignining.cer file from the downloaded archive to a temporary location on the host where Microsoft SQL Server is running, in a file path to which the SQL Server service account has read access.
  2. Edit the SQLScript.sql file from the archive, and replace <location> with the path where you have copied the FlexeraCodeSigning.cer file. Save your change.
  3. Open SQL Server Studio and execute your updated SQLScript.sql file.
1 Comment
Product Manager UK