Best Practice: Keeping SSL Certificate Information on Local License Servers Synchronized with Certificate Updates in FlexNet Operations Cloud
The SSL (Secure Sockets Layer) certificate for FlexNet Operations Cloud is updated annually. Periodically the intermediate (about every 10 years) and root (about every 20 years) certificates are also updated. The FlexNet Embedded local license server relies on the intermediate and root certificate chain to communicate with FlexNet Operations Cloud. In early 2023, FlexNet Operations will update its SSL certificate, and this update will include a new intermediate certificate.
The following instructions are best practices to have a local license server prepared for this and other future certificate updates in FlexNet Operations Cloud.
For more information about how the SSL certificate is used in communications between FlexNet Operations and the local license server, see The SSL Communication Process.
Local License Servers 2021.05 or Later
In general, a certificate update is not a concern for FlexNet Embedded local license servers built with the 2021.05 or newer FlexNet Embedded kits as these servers default to using the “cacerts” file included with Java.
The “cacerts” file is maintained and updated by Java. Certificate authorities start issuing new intermediate and root certificates 1-2 years before their actual expiration date. This allows time for the “cacerts” file to be updated well before the change occurs with certificates for FlexNet Operations Cloud. Keeping Java updated to the latest version supported by your local license server helps to ensure that the server's certificate information will be properly synchronized with the FlexNet Operations Cloud certificates whenever certificate updates go into effect. (Refer to the FlexNet Embedded License Server Release Notes for the latest versions of Java supported by the license server.)
Local License Servers 2021.03 or Earlier
If you are using a local license server built with FlexNet Embedded 2021.03 or earlier, check the truststore path in the server’s “local-configuration.yaml” file. (On Linux, this file is found in the “/opt/flexnetls/producer” directory. On Windows, it is located in the same directory as “flexnetls.jar”.) If this file is configured to use the “cacerts” file as its truststore, no action is needed. If the file is configured to use the “flexnet.certs” file, the license server administrator can perform one of these two options.
Whichever option is used, the license server administrator should make sure that the Java version is kept up to date with the latest version supported by the local license server. (See the FlexNet Embedded License Server Release Notes for this information.)
Option 1: First, update the “local-configuration.yaml” file so that it contains the path to the Java “cacerts” file, as shown in the following example:
# Path to truststore containing server certificate.
Then, for the “truststore-password” property, enter the password for the “cacerts” truststore. If the password has not been changed from its default value, enter the default password “changeit”. If the password was previously changed, enter the current password.
# Truststore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here.
Alternatively, the administrator can first obfuscate the password by following the instructions included in the “yaml” file and then provide the obfuscated value, as shown in this example.
Option 2: Install a version of the local license server built with FlexNet Embedded 2021.05 or later.
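One way to run the truststore check described in this section across several servers, as an added example rather than Revenera's own tooling. It assumes the path is set by an active (uncommented) key whose name contains "truststore" but not "password" (shown as truststore-path, an assumed name), and it uses a constructed sample file.

```shell
#!/bin/sh
# Added example (not vendor code): report which truststore a license server's
# local-configuration.yaml uses. Assumption: the path lives in an active
# (uncommented) key whose name contains "truststore" but not "password",
# e.g. "truststore-path"; adjust the match if your file differs.

truststore_path() {  # $1 = path to local-configuration.yaml
  tr -d '\r' < "$1" |
    grep -v '^[[:space:]]*#' |
    grep -i '^[[:space:]]*[^:#]*truststore[^:#]*:' |
    grep -vi '^[[:space:]]*[^:#]*password[^:#]*:' |
    head -n 1 |
    sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]\{1,\}#.*$//' \
        -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

truststore_kind() {  # prints cacerts | flexnet.certs | other | unset
  p=$(truststore_path "$1")
  case "$p" in
    "") echo unset ;;
    cacerts|*/cacerts|*\\cacerts) echo cacerts ;;
    flexnet.certs|*/flexnet.certs|*\\flexnet.certs) echo flexnet.certs ;;
    *) echo other ;;
  esac
}

audit_truststore() {  # returns 0 only when no action is needed
  case "$(truststore_kind "$1")" in
    cacerts) echo "OK: truststore is the Java cacerts file"; return 0 ;;
    flexnet.certs) echo "ACTION: point the truststore at cacerts or install a 2021.05+ server"; return 1 ;;
    *) echo "REVIEW: truststore is unset or custom; confirm how it is kept current"; return 1 ;;
  esac
}

# Constructed sample file; the key names and path are illustrative only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
https-out:
  enabled: true
  # Path to truststore containing server certificate.
  truststore-path: /opt/flexnetls/producer/flexnet.certs
  truststore-password: changeit
EOF
audit_truststore "$sample" || true
rm -f "$sample"
```

The non-zero return from `audit_truststore` makes it usable as a pre-activation gate on servers that only go online occasionally.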
Local License Servers That Run Offline Except for Activations
Some FlexNet Embedded local license servers run offline but occasionally go online to activate the latest licenses from the FlexNet Operations back office. To ensure that the certificate information on the license server is synchronized with FlexNet Operations before performing any activations, the license server administrator needs to do the following:
- Bring the offline device (containing the license server) online.
- Ensure that the device is upgraded with the latest version of Java supported by your license server installation. (See the FlexNet Embedded License Server Release Notes.)
- Ensure that the “local-configuration.yaml” file for the license server points to the “cacerts” file as its truststore. This step is especially important if your license server version is 2021.03 or earlier. For more information, see Local License Servers 2021.03 or Earlier.
- Perform the license activation operations.
- Take the device offline.
The SSL Communication Process
During SSL communication between the server (FlexNet Operations) and a client (the local license server), an initial "handshake" occurs. During this handshake, the root certificate present in “cacerts” gives the client the public key it uses to validate the certificate chain presented by the server. Once validation is successful, the connection is established and further communication can occur.
Practice To Avoid
Because Revenera updates the FlexNet Operations Cloud SSL certificate annually, best practice is not to hardcode the hash of this certificate in your client code. With each certificate update, the hash changes.
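The difference between the handshake validation described under The SSL Communication Process and a hardcoded certificate hash, as an added example that is not part of the original article. It uses the openssl command line with a constructed throwaway root CA and a hypothetical host name (ops.example.test); two leaf certificates stand in for one annual renewal.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and two leaf certificates for the same
# hypothetical host name, standing in for one annual certificate renewal.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {  # self-signed root that plays the role of a cacerts entry
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Root CA" \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
}

issue_leaf() {  # $1 = output name; a fresh key pair each time, as in a renewal
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ops.example.test" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
    -CAcreateserial -days 30 -out "$work/$1.pem" 2>/dev/null
}

fingerprint() {  # SHA-256 hash of the leaf certificate
  openssl x509 -in "$work/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

pin_check() {  # the practice to avoid: compare the leaf hash to a stored value
  [ "$(fingerprint "$1")" = "$2" ] && echo match || echo mismatch
}

chain_check() {  # what a truststore does: validate the chain up to a trusted root
  openssl verify -CAfile "$work/root.pem" "$work/$1.pem" >/dev/null 2>&1 \
    && echo valid || echo invalid
}

make_ca && issue_leaf year1 && issue_leaf year2
pinned=$(fingerprint year1)   # the value a client would have hardcoded
echo "year1 certificate: pin $(pin_check year1 "$pinned"), chain $(chain_check year1)"
echo "year2 certificate: pin $(pin_check year2 "$pinned"), chain $(chain_check year2)"
```

The renewed certificate fails the hash comparison while still validating against the same root, which is why a client that trusts the chain keeps working across annual updates.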
If you are using an API to integrate your application with FlexNet Operations, see FlexNet Operations Cloud - Digital Certificates for information about exporting and configuring SSL certificates from FlexNet Operations.