Symptoms: When running a ServiceNow export from FNMS to ServiceNow, you may encounter one or more errors related to connection or secure channel errors such as: ServiceNowConnectionTest.SendTestConnection: Error Checking Connetion to endpoint: api/x_fls_flexera_fnms/integration/fnmstosn System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context) at System.Net.HttpWebRequest.GetRequestStream() at FNMP.ServiceNow.HTTP.ServiceNowRequest.WriteData(HttpWebRequest request, String content) at FNMP.ServiceNow.HTTP.ServiceNowRequest.Post(String content) at FNMP.ServiceNow.HTTP.ServiceNowConnectionTest.SendTestConnection() [2019-09-08 03:01:50] - [DEBUG]: Exiting ServiceNowConnectionTest.SendTestConnection Diagnosis: This has been identified as related to the changes ServiceNow made to disable both both TLS 1.0 and TLS 1.1 [1] This process appears to have been in an instance-by-instance basis so not all customers are experiencing this issue. Solution: See KB article Transport Layer Security (TLS) 1.1 & 1.2 Configuration References: https://hi.service-now.com/kb_view.do?sysparm_article=KB0746078 ... View more

Introduction The built-in functionality of BeaconMonitorConfigurationTool.exe bundled with Beacon Monitor, is enough for simple certificate management: to generate a self-signed certificate and private key pair. to generate a key file, then using OpenSSL (using openssl req: generate a certificate signing request (CSR). However, for more control over generating the certificate it may be preferable or offer greater flexibility, to use a 3rd party tool such as OpenSSL to generate the request. Other tools are also possible, but for the purposes of this guide OpenSSL is primarily used and the CA is Windows Certification Authority. OpenSSL can be installed easily using Chocolately package manager (https://chocolatey.org/install) or installed manually, to install OpenSSL using Chocolately: choco install openssl Outcome The outcome of this should be a CA-signed certificate and key pair: The key should be generated in PKCS#8 format, other formats such as PKCS#1 are unsupported. The certificate should not be encrypted. The result should be a 'valid and trusted certificate' and no warning related to the certificate in any supported browser:   Procedure Open a PowerShell window and create a new folder for the new key, cert, etc: New-Item -ItemType Directory mycert Set-Location mycert Create an OpenSSL config file (config.cnf) in the same directory with the contents, adjust as appropriate: [req_distinguished_name] countryName = GB stateOrProvinceName = Merseyside localityName = Cheshire organizationName = Flexera commonName = mybeacon.flexera.com [req] distinguished_name = req_distinguished_name default_bits = 2048 req_extensions = v3_req prompt = no [v3_req] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = mybeacon.flexera.com Generate a new PKCS#8 private key: openssl genpkey -out key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048 Alternatively use BeaconMonitorConfigurationTool.exe to generate the key (delete cert.pem after running): .\BeaconMonitorConfigurationTool.exe generate-cert -ca false Create the certificate signing request (CSR): openssl req -new -out server.req -key key.pem -config config.cnf Copy the server.req to the CA and issue the certificate: Export the Binary Certificate as server.cer: Copy the certificate back to the Beacon Monitor and use OpenSSL to change the encoding from binary DER to ASCII PEM: openssl x509 -inform der -in server.cer -out cert.pem You should have the following files when you're done. You need cert.pem and key.pem: Copy the files to the Beacon Monitor Certificate folder and restart the service, check that the certificate now shows as valid and trusted. If it does not, there could be several reasons (this list is not exhaustive): The CA may not be trusted by the accessing client machine. The common name in the certificate is different to the domain in the URL, and the name is also missing from the Subject Alternative Name (SAN). For example if the machine's IP and not hostname is used to access the Beacon Monitor and the IP is not present in the certificate then this will generate a certificate warning. The date on the certificate has expired or is not valid yet. The CA has revoked the certificate and the CA has a Certificate Revocation List (CRL) which is accessible. The certificate algorithm is not considered secure by the browser. ... View more

Summary We have enabled Controlled Folder Access (CFA) and now Windows Defender is telling us that the agent is trying to modify files. Why is this? Symptoms We have enabled Controlled Folder Access (CFA) and now Windows Defender is telling us that the agent is trying to modify files. Why is this? Cause As per Microsoft: Controlled Folder Access in Windows Security reviews the apps that can make changes to files in protected folders. Occasionally, an app that is safe to use will be identified as harmful. This is a false detection caused by the new CFA feature found in recent versions of Windows Defender (Windows 10 and Windows Server 2016). As the FNMS agent must run on multiple versions of Windows where CFA may or may not be present, the method in how the agent requests access and scans a machine could be seen as malicious activity by such a feature. Steps To Reproduce Resolution Add the agent to the list of CFA exclusions or turn off CFA. The instructions to perform this are available via the Microsoft link in the Additional Inforrmation section of this KB. Workaround Additional Information Allow a blocked app in Windows Security, Microsoft. Retrieved 28/11/18 Allow specific apps to make changes to controlled folders, Microsoft. Retrieved 03/12/18 Related Documents Related KB Articles ... View more