Oct 08, 2020
06:38 AM
4 Kudos
Hey @mag00_75 ,
Thanks for reaching out.
It should be possible to create multiple policies, each to the character limits, encompassing several accounts and then attaching all of these policies to the role which is used by the server running the beacon.
For example, here is a role used by a server of ours with the beacon installed. This beacon uses EC2 metadata (no access keys needed), same as you. As you can see, there are two policies applied, each with their own list of ARNs:
And when the adapter runs it will attempt to assume both roles in each policy:
One issue you might encounter is with the 'Maximum Session Duration'. Because the adapter discovers all associated roles and then assumes them, thus marking the start of our session, the delay between fully populating and assuming all the roles before the inventory can complete may lead to the session becoming invalidated. In this case you can try increasing the maximum session duration.
However if this doesn't work you can request an enhancement to the adapter, so that the roles are assumed just before they are inventoried.
Alternatively, you can use one of the other methods but bare in mind these are less reliable and less performant than using EC2 metadata as you currently are.
I think if after performing the above, of splitting out the policies and seeing if the inventory completes within a reasonable time before session expiry... if you are struggling to implement it then the best course of action would probably be the above enhancement.
... View more
Re: What is the best way to find memory leaks in JaveScript?
Sep 01, 2020
06:46 AM
Sep 01, 2020
06:46 AM
As Kent said, StackOverflow is a better place...
FWIW, there is a lot of information provided by Mozilla here:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_Management
Good luck.
... View more
Aug 26, 2020
10:57 AM
Symptoms:
When running a ServiceNow export from FNMS to ServiceNow, you may encounter one or more errors related to connection or secure channel errors such as:
ServiceNowConnectionTest.SendTestConnection: Error Checking Connetion to endpoint: api/x_fls_flexera_fnms/integration/fnmstosn
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at FNMP.ServiceNow.HTTP.ServiceNowRequest.WriteData(HttpWebRequest request, String content)
at FNMP.ServiceNow.HTTP.ServiceNowRequest.Post(String content)
at FNMP.ServiceNow.HTTP.ServiceNowConnectionTest.SendTestConnection()
[2019-09-08 03:01:50] - [DEBUG]: Exiting ServiceNowConnectionTest.SendTestConnection
Diagnosis:
This has been identified as related to the changes ServiceNow made to disable both both TLS 1.0 and TLS 1.1 [1]
This process appears to have been in an instance-by-instance basis so not all customers are experiencing this issue.
Solution:
See KB article Transport Layer Security (TLS) 1.1 & 1.2 Configuration
References:
https://hi.service-now.com/kb_view.do?sysparm_article=KB0746078
... View more
Aug 14, 2020
04:04 AM
1 Kudo
Hello @msutharh,
Are you trying to set up a custom HTTPS certificate at all? There is a known issue where an invalid certificate will throw an error message that exceeds the logging buffer, hence bufio.Scanner: token too long.
If you are trying to set up a custom HTTPS certificate, could you try and follow the steps on the following KB article: How do I generate my own signed certificate for use with Beacon Monitor?
Let me know if any of the above helps.
... View more
Jul 17, 2020
08:46 AM
That's very strange. Your "OS version" is an array of versions... Let me look more into this and get back to you. I would suggest logging a question with support if you haven't already.
... View more
Jul 16, 2020
01:23 PM
Usually this is caused by a lack of permissions on the account if there are definite instances on that account and there are no errors. Please check that you have granted the necessary permissions to the user / role who is collecting data on behalf of the account:
The data collection parts of this script run in PowerShell Runspaces which fail silently.
... View more
Jul 16, 2020
08:39 AM
What output do you get with the following?
Get-OSVersion | ForEach-Object { ($_)::GetVersion() }
... View more
Jul 16, 2020
07:14 AM
Introduction
The built-in functionality of BeaconMonitorConfigurationTool.exe bundled with Beacon Monitor, is enough for simple certificate management:
to generate a self-signed certificate and private key pair.
to generate a key file, then using OpenSSL (using openssl req: generate a certificate signing request (CSR).
However, for more control over generating the certificate it may be preferable or offer greater flexibility, to use a 3rd party tool such as OpenSSL to generate the request. Other tools are also possible, but for the purposes of this guide OpenSSL is primarily used and the CA is Windows Certification Authority.
OpenSSL can be installed easily using Chocolately package manager (https://chocolatey.org/install) or installed manually, to install OpenSSL using Chocolately:
choco install openssl
Outcome
The outcome of this should be a CA-signed certificate and key pair:
The key should be generated in PKCS#8 format, other formats such as PKCS#1 are unsupported.
The certificate should not be encrypted.
The result should be a 'valid and trusted certificate' and no warning related to the certificate in any supported browser:
Procedure
Open a PowerShell window and create a new folder for the new key, cert, etc:
New-Item -ItemType Directory mycert Set-Location mycert
Create an OpenSSL config file (config.cnf) in the same directory with the contents, adjust as appropriate:
[req_distinguished_name]
countryName = GB
stateOrProvinceName = Merseyside
localityName = Cheshire
organizationName = Flexera
commonName = mybeacon.flexera.com
[req]
distinguished_name = req_distinguished_name
default_bits = 2048
req_extensions = v3_req
prompt = no
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mybeacon.flexera.com
Generate a new PKCS#8 private key:
openssl genpkey -out key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Alternatively use BeaconMonitorConfigurationTool.exe to generate the key (delete cert.pem after running):
.\BeaconMonitorConfigurationTool.exe generate-cert -ca false
Create the certificate signing request (CSR):
openssl req -new -out server.req -key key.pem -config config.cnf
Copy the server.req to the CA and issue the certificate:
Export the Binary Certificate as server.cer:
Copy the certificate back to the Beacon Monitor and use OpenSSL to change the encoding from binary DER to ASCII PEM:
openssl x509 -inform der -in server.cer -out cert.pem
You should have the following files when you're done. You need cert.pem and key.pem:
Copy the files to the Beacon Monitor Certificate folder and restart the service, check that the certificate now shows as valid and trusted. If it does not, there could be several reasons (this list is not exhaustive):
The CA may not be trusted by the accessing client machine.
The common name in the certificate is different to the domain in the URL, and the name is also missing from the Subject Alternative Name (SAN). For example if the machine's IP and not hostname is used to access the Beacon Monitor and the IP is not present in the certificate then this will generate a certificate warning.
The date on the certificate has expired or is not valid yet.
The CA has revoked the certificate and the CA has a Certificate Revocation List (CRL) which is accessible.
The certificate algorithm is not considered secure by the browser.
... View more
Labels:
Dec 16, 2019
12:16 PM
Hello Sandeep,
I'm a bit confused by your DBA's response of saying that 'Simple' recovery models would slow down FNMS. However, it is fine to leave it on 'FULL' but your DBA must perform regular transaction log back ups and shrinking to maintain database performance.
The results you uploaded to the case I have reviewed and they show that the transaction log is filled and awaiting a back up. This is not a problem of FNMS, but a problem caused by database maintenance tasks not being performed. The FNMSCompliance DB transaction log is 300 GB and the max file size is 300 GB - this will most definitely cause issues.
... View more
Dec 16, 2019
05:07 AM
Hello Sandeep,
Please note that doing so may affect DB monitoring tools and database recovery in event of failure. I would highly recommend consulting your DBA first.
However, if you do run a 'FULL' recovery model you may need to increase the amount of resources you provide SQL server - or you may even have a problem with the transaction log growing too large.
At this point I would recommend opening a support case, I have attached an SQL Script which your DBA can run and provide to the support personnel to diagnose the issue further.
... View more
Dec 13, 2019
10:58 AM
Hello Sandeep,
I noticed on the image you uploaded to the support case has the FNMSCompliance database Recovery model set to "FULL" which is not recommended as per the System Requirements documentation:
https://helpnet.flexerasoftware.com/fnms2019r1/EN/SysReq/index.html#FNMS_sys_req/RN_sys_req_hardware.html
Please ask your DBA to modify these databases carefully to their recommended "SIMPLE" recovery model and the performance should improve.
... View more
Dec 10, 2019
09:46 AM
Yes, you can have one role which specifies multiple policies - the default adapter is designed to handle multiple policies, each with a single Arn for each policy pointing to a different account.
The version I provided last will also allow you to specify multiple Arns per policy (which appears to be the situation in your environment).
I would note that I think the reason it is taking so long, is that you have multiple of the same policy referring to the same Arn - so you're getting inventory once, then you get it again, and again - each time having to remove the duplicates.
It may be an idea to start off with setting up the basic account access (to the master account) - confirm it is working as expected and within performance figures, and then slowly add one at a time to confirm if everything is working.
With the amount of accounts you have, it may be an idea to split them up into groups which use different roles / policies so it's easier to manage - but that's just a simple suggestion 🙂
... View more
Dec 09, 2019
08:24 AM
The factor is R = 18 * Ro (where R = runspaces and Ro = Roles).
Can't edit my posts for some reason 🙂
... View more
Dec 09, 2019
08:19 AM
Hello @mag00_75,
Yes - that would be best to raise a support case at this point. I should note however:
* It looks like your AWS administrators may have possibly specified the same resource (role) for that policy multiple times (as indicated by the multiple lines showing the same role assumed multiple times arn:aws:sts::XXXXXXXXX397:assumed-role/ListEC2ForFNMSRole). This won't harm the adapter from working, but it will likely cause a repeat inventory to occur for each of the listed roles, meaning you are potentially inventorying the same data multiple times for no benefit (the duplicates will be discarded) - which will hurt performance.
* When it is hanging on the sa-east-1 part, this is where the runspaces are initialized. There is one runspace per region and each runspace runs against each role that is assumed. So you can imagine the more roles you specify, the more work that must be done. The factor is R = 17 * Ro (where R = runspaces and Ro = Roles).
... View more
Dec 09, 2019
07:07 AM
Though, as Matt said - it may not and I think it would be worthwhile to try it.
... View more
About
Software Engineer
Latest posts by ccrawford
Subject | Views | Posted |
---|---|---|
1190 | Oct 08, 2020 06:38 AM | |
Re: What is the best way to find memory leaks in JaveScript? | 9 | Sep 01, 2020 06:46 AM |
1296 | Aug 26, 2020 10:57 AM | |
893 | Aug 14, 2020 04:04 AM | |
1429 | Jul 17, 2020 08:46 AM | |
3754 | Jul 16, 2020 01:23 PM | |
1764 | Jul 16, 2020 08:39 AM | |
1042 | Jul 16, 2020 07:14 AM | |
2172 | Dec 16, 2019 12:16 PM | |
2534 | Dec 16, 2019 05:07 AM |
Activity Feed
- Got a Kudo for Re: AWS Connector - scale to 500+ accounts. Oct 08, 2020 09:05 PM
- Got a Kudo for Re: AWS Connector - scale to 500+ accounts. Oct 08, 2020 08:59 AM
- Got a Kudo for Re: AWS Connector - scale to 500+ accounts. Oct 08, 2020 08:52 AM
- Got a Kudo for Re: AWS Connector - scale to 500+ accounts. Oct 08, 2020 08:13 AM
- Posted Re: AWS Connector - scale to 500+ accounts on FlexNet Manager Forum. Oct 08, 2020 06:38 AM
- Posted Re: What is the best way to find memory leaks in JaveScript? on FlexNet Manager Forum. Sep 01, 2020 06:46 AM
- Posted ServiceNow exports failing due to incompatible TLS versions on FlexNet Manager Knowledge Base. Aug 26, 2020 10:57 AM
- Got a Kudo for Re: Beacon Monitoring tool. Aug 14, 2020 04:13 AM
- Posted Re: Beacon Monitoring tool on FlexNet Manager Forum. Aug 14, 2020 04:04 AM
- Kudoed Re: AWS EC2 connector import failing for mfranz. Jul 29, 2020 03:42 AM
- Kudoed Monthly Vulnerability Review – June 2020 for wmahmood. Jul 17, 2020 12:02 PM
- Posted Re: Error when pointing to a new FNMS Database Instance on FlexNet Manager Forum. Jul 17, 2020 08:46 AM
- Posted Re: AWS EC2 connector import failing on FlexNet Manager Forum. Jul 16, 2020 01:23 PM
- Kudoed Re: AWS EC2 connector import failing for ChrisG. Jul 16, 2020 01:15 PM
- Posted Re: Error when pointing to a new FNMS Database Instance on FlexNet Manager Forum. Jul 16, 2020 08:39 AM
- Posted How do I generate my own signed certificate for use with Beacon Monitor? on FlexNet Manager Knowledge Base. Jul 16, 2020 07:14 AM
- Posted Re: Import and Reconcile takes lot of time after upgrade Flexnet Manager Suite to 2019 R1 on FlexNet Manager Forum. Dec 16, 2019 12:16 PM
- Posted Re: Import and Reconcile takes lot of time after upgrade Flexnet Manager Suite to 2019 R1 on FlexNet Manager Forum. Dec 16, 2019 05:07 AM
- Kudoed Re: O365 connector connectivity query for mag00_75. Dec 13, 2019 11:04 AM
- Posted Re: Import and Reconcile takes lot of time after upgrade Flexnet Manager Suite to 2019 R1 on FlexNet Manager Forum. Dec 13, 2019 10:58 AM