Best Practice: Keeping SSL Certificate Information on Local License Servers Synchronized with Certificate Updates in FlexNet Operations Cloud
The SSL (Secure Sockets Layer) certificate for FlexNet Operations Cloud is updated annually. Periodically the intermediate (about every 10 years) and root (about every 20 years) certificates are also updated. The FlexNet Embedded local license server relies on the intermediate and root certificate chain to communicate with FlexNet Operations Cloud. In early 2023, FlexNet Operations will update its SSL certificate, and this update will include a new intermediate certificate.
The following instructions are best practices to have a local license server prepared for this and other future certificate updates in FlexNet Operations Cloud.
Who Should Read This Article?
The intended audience for this article includes FlexNet Embedded local license server administrators, who need to ensure that their license servers are properly configured for an SSL certificate update. (The "you" in this article is the local license server administrator.)
Producers should also read this article to understand what the local license server administrator at each of their customer sites must do to prepare for an upcoming certificate update. Producers need to keep the license server administrators informed of announcements about upcoming certificate updates and expirations. With support from producers, license server administrators can have adequate time to prepare their license servers for certificate upgrades and test a new certificate in UAT before the old certificate actually expires.
Local License Servers 2021.05 or Later
In general, a certificate update is not a concern for FlexNet Embedded local license servers built with the 2021.05 or newer FlexNet Embedded kits as these servers default to using the “cacerts” file included with Java.
The “cacerts” file is maintained and updated by Java. Certificate authorities start issuing new intermediate and root certificates 1-2 years before their actual expiration date. This allows time for the “cacerts” file to be updated well before the change occurs with certificates for FlexNet Operations Cloud. Keeping Java updated to the latest version supported by your local license server helps to ensure that the server's certificate information will be properly synchronized with the FlexNet Operations Cloud certificates whenever certificate updates go into effect. (Refer to the FlexNet Embedded License Server Release Notes for the latest versions of Java supported by the license server.)
Local License Servers 2021.03 or Earlier
If you are using a local license server built with FlexNet Embedded 2021.03 or earlier, check the truststore path in the server’s “local-configuration.yaml” file. (On Linux, this file is found in the “/opt/flexnetls/producer” directory. On Windows, it is located in the same directory as “flexnetls.jar”.) If this file is configured to use the “cacerts” file as its truststore, no action is needed. If the file is configured to use the “flexnet.certs” file, the license server administrator can choose one of the following two options.
Whichever option is used, the license server administrator should make sure that the Java version is kept up to date with the latest version supported by the local license server. (See the FlexNet Embedded License Server Release Notes for this information.)
For the first option, update the “local-configuration.yaml” file so that it contains the path to the Java “cacerts” file, as shown in the following example:
# Path to truststore containing server certificate.
Then, for the “truststore-password” property, enter the password for the “cacerts” truststore. If the password was never changed from its default value, enter the default password “changeit”. If the password was previously changed, enter the current password.
# Truststore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here.
Alternatively, the administrator can first obfuscate the password by following the instructions included in the “yaml” file and then provide the obfuscated value, as shown in this example.
For the second option, install a version of the local license server built with FlexNet Embedded 2021.05 or later.
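The truststore check described in this section can be scripted when several license servers have to be reviewed. The following is an added example, not code from Revenera or from the original article: the key name "truststore-path", the file locations, and both sample configuration files are constructed assumptions, and only the two comment lines are quoted from the article.

```shell
#!/bin/sh
# Added example, not vendor code. The key name "truststore-path" and both
# sample files are constructed; the two comment lines are quoted from the article.
sample_dir=$(mktemp -d)

cat > "$sample_dir/legacy.yaml" <<'EOF'
# Path to truststore containing server certificate.
truststore-path: /opt/flexnetls/producer/flexnet.certs
# Truststore password. You can obfuscate this with java -jar flexnetls.jar -password your-password-here.
truststore-password: changeit
EOF

cat > "$sample_dir/updated.yaml" <<'EOF'
# Path to truststore containing server certificate.
# old value: flexnet.certs
truststore-path: "C:\Program Files\Java\jre\lib\security\cacerts"
truststore-password: changeit
EOF

# Print the value of the first active (non-comment) setting that names a truststore file.
truststore_value() {
    awk '
        /^[ \t]*#/ { next }                  # skip comments, e.g. an old value left behind
        /flexnet\.certs|cacerts/ {
            sub(/^[^:]*:[ \t]*/, "")         # drop "key:", keep drive-letter colons
            gsub(/^"|"[ \t]*$/, "")          # strip surrounding double quotes
            print; exit
        }' "$1"
}

# Map a configuration file to the action this article prescribes.
truststore_action() {
    case "$(truststore_value "$1")" in
        *flexnet.certs*) echo "ACTION: point truststore at Java cacerts or install 2021.05 or later" ;;
        *cacerts*)       echo "OK: uses Java cacerts; keep Java up to date" ;;
        *)               echo "UNKNOWN: no truststore setting found" ;;
    esac
}

for f in "$sample_dir"/*.yaml; do
    printf '%s: %s\n' "$(basename "$f")" "$(truststore_action "$f")"
done
```

To review a real server, pass the path of its own “local-configuration.yaml” file to truststore_action instead of the sample files.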
Local License Servers That Run Offline Except for Activations
Some FlexNet Embedded local license servers run offline but occasionally go online to activate the latest licenses from the FlexNet Operations back office. To ensure that the certificate information on the license server is synchronized with FlexNet Operations before performing any activations, the license server administrator needs to do the following:
- Bring the offline device (containing the license server) online.
- Ensure that the device is upgraded with the latest version of Java supported by your license server installation. (See the FlexNet Embedded License Server Release Notes.)
- Ensure that the “local-configuration.yaml” file for the license server points to the “cacerts” file as its truststore. This step is especially important if your license server version is 2021.03 or earlier. For more information, see Local License Servers 2021.03 or Earlier.
- Perform the license activation operations. This step is important (as explained in The SSL Communication Process).
- Take the device offline.
The SSL Communication Process
During SSL communication between the server (FlexNet Operations) and a client (the local license server), an initial "handshake" occurs. During this handshake, the root certificate present in “cacerts” gives the client the public key with which it attempts to validate the certificate chain presented by the server. Once validation is successful, the connection is established and further communication can occur.
For offline local license servers, bringing the license server temporarily online to perform activation operations once you have prepared it for a certificate upgrade is necessary to ensure that the initial SSL handshake using the new certificate takes place.
If your local license server has not been properly configured for a certificate upgrade, the license server receives the message "SSL is misconfigured" once the old certificate expires. At this point, to avoid any further license-server downtime, you must perform the steps outlined in this article to ensure that the license server is able to use the new certificate. However, because of this late configuration, you will have missed the UAT phase of the upgrade that allowed you to test the new certificate and resolve any issues before the old certificate expired.
Once you have configured your machine for a certificate upgrade, it should be able to handle future certificate upgrades (as long as you keep your Java installation version up to date). However, ensure that you periodically ask your producer about the schedule of upcoming certificate upgrades and expirations so that you are aware of the timeframe for testing out any new certificate. Keeping up to date on the schedule will help you avoid unnecessary license-server downtime when an old certificate expires.
Practice To Avoid
Because Revenera updates the FlexNet Operations Cloud SSL certificate annually, best practice is not to hard-code the hash of this certificate in your client code. With each certificate update, the hash changes.
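The difference between a hard-coded certificate hash and truststore validation can be reproduced offline with OpenSSL. The following is an added example, not code from Revenera or from the original article: the throwaway test CA, the host name licensing.example.test, and all file names are constructed, and the test CA stands in for a root certificate held in “cacerts”.

```shell
#!/bin/sh
# Added example. Everything here is constructed: a throwaway test CA and the
# host name licensing.example.test stand in for the real chain and service.
demo_dir=$(mktemp -d)

make_ca() {            # self-signed root; plays the role of a root in "cacerts"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null
}

issue_leaf() {         # $1 = name of the server certificate to issue
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=licensing.example.test" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$demo_dir/$1.csr" -days 10 \
        -CA "$demo_dir/ca.pem" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/$1.pem" 2>/dev/null
}

fingerprint() {        # SHA-256 hash of one certificate, as a pinning client would store it
    openssl x509 -in "$demo_dir/$1.pem" -noout -fingerprint -sha256
}

pin_ok() {             # $1 = presented certificate, $2 = hard-coded hash
    [ "$(fingerprint "$1")" = "$2" ]
}

chain_ok() {           # truststore-style check: does the certificate chain to the trusted root?
    openssl verify -CAfile "$demo_dir/ca.pem" "$demo_dir/$1.pem" >/dev/null 2>&1
}

make_ca
issue_leaf old         # certificate in service today
issue_leaf renewed     # its annual replacement, issued by the same CA
pinned=$(fingerprint old)

for cert in old renewed; do
    pin_ok "$cert" "$pinned" && p=pass || p=FAIL
    chain_ok "$cert" && c=pass || c=FAIL
    echo "$cert: hard-coded hash $p, chain validation $c"
done
```

The renewed certificate fails the hard-coded hash comparison but still validates against the trusted root, which is why a client that relies on the truststore survives the annual update.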
If you are using an API to integrate your application with FlexNet Operations, see FlexNet Operations Cloud - Digital Certificates for information about exporting and configuring SSL certificates from FlexNet Operations.