Best Practice: Keeping SSL Certificate Information on Local License Servers Synchronized with Certificate Updates in FlexNet Operations Cloud

Best Practice: Keeping SSL Certificate Information on Local License Servers Synchronized with Certificate Updates in FlexNet Operations Cloud

Introduction

The SSL certificate for FlexNet Operations Cloud is updated annually. Periodically the intermediate (about every 10 years) and root (about every 20 years) certificates are also updated. The FlexNet Embedded local license server relies on the intermediate and root certificate chain to communicate with FlexNet Operations Cloud. In early 2023, FlexNet Operations will update its SSL certificate, and this update will include a new intermediate certificate.

The following instructions are best practices to have a local license server prepared for this and other future certificate updates in FlexNet Operations Cloud.

Local License Servers 2021.05 or Later

In general, a certificate update is not a concern for FlexNet Embedded local license servers built with the 2021.05 or newer FlexNet Embedded kits as these servers default to using the “cacerts” file included with Java.

The “cacerts” file is maintained and updated by Java. Certificate authorities start issuing new intermediate and root certificates 1-2 years before their actual expiration date. This allows time for the “cacerts” file to be updated well before the change occurs with certificates for FlexNet Operations Cloud. Keeping Java updated on the local license server helps to ensure that its certificate information will be properly synchronized with the FlexNet Operations Cloud certificates whenever certificate updates go into effect.

Local License Servers 2021.03 or Earlier

If you are using a local license server built with FlexNet Embedded 2021.03 or earlier, check the truststore path in the server’s “local-configuration.yaml” file.  (On Linux, this file is found in the “/opt/flexnetls/producer” directory. On Windows, it is located in the same directory as “flexnetls.jar”.) If this file is configured to use the “cacerts” file as its truststore, no action is needed.  If the file is configured to use the “flexnet.certs” file, the license server administrator can perform one of these two options.

Whichever option is used, the license server administrator should ensure that Java version installed for the license server is kept up to date.

Option 1

First, update the “local-configuration.yaml” so that it contains the path to the Java “cacerts” file, as shown in the following example:

# Path to truststore containing server certificate.

truststore-path: ${JAVA_HOME}/jre/lib/security/cacerts

Then, for the “truststore-password” property, enter the password for the “cacerts” truststore. Note that, if the password was not previously changed from its default value, enter the default password “changeit”. However, if the password was previously changed, the current password must be entered.

# Truststore password. You can obfuscate this with java -jar flexnetls.jar -password  your-password-here.

truststore-password: changeit

Alternatively, the administrator can first obfuscate the password by following the instructions included in the “yaml” file and then provide the obfuscated value, as shown is this example.

truststore-password: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0

Option 2

Install a version of the local license server built with FlexNet Embedded 2021.05 or later.

Local Licenses Servers That Run Offline Except for Activations

Some FlexNet Embedded local license servers run offline but occasionally go online to activate the latest licenses from the FlexNet Operations back office. To ensure that the certificate information on the license server is synchronized with FlexNet Operations before performing any activations, the license server administrator needs to do the following:

  1. Bring the offline device (containing the license server) online.
  2. Upgrade the device with the latest version of Java.
  3. Ensure that the “local-configuration.yaml” file for the license server points to the “cacerts” file as its truststore. This step is important especially if your license server version is 2021.03 or earlier. For more information, see Local License Servers 2021.03 or Earlier.
  4. Perform the license activation operations.
  5. Take the device offline.
Was this article helpful? Yes No
100% helpful (1/1)
Version history
Last update:
‎Apr 12, 2022 03:06 PM
Updated by:
Contributors