Agent authenticating with Beacon server
Presently, Flexera agents connect to the Beacon server without any authentication. Can this connection be made with authentication? This is to preserve the integrity of the information received by the beacon.
The Beacon runs on Windows and uses IIS for authentication. Therefore, the Beacon/IIS will use Windows Authentication when the FlexNet Agent is installed on Windows devices when uploading to the Beacon.
When the FlexNet Agent is installed on Linux/UNIX, Windows Authentication is not possible, which is why IIS must be configured for Anonymous Authentication.
With some work, the communication between the Agent and the Beacon can be configured to use HTTPS. This requires you to supply your own Certificate, and the Certificate must be installed on each non-Windows device where the agent is installed.
@kclausen: Do you have a document or reference notes, as the client wants Flexera agents to connect to the Beacon server with authentication using client/end-device-level certificates? The following message is from the client.
"The Agent needs to understand Client Authentication certificates and be able to use such a certificate in the Windows certificate store. Also, the FNMS endpoint service must be able to verify such a certificate once an agent presents it as the basis for authentication – including the trust with the Client company PKI/CA"
With some luck we convinced our customers to check only our beacon IIS certificate with CRL validity. So they trust our beacon and we trust every client for delivery. It was not easy to get communication with PKI/CA (Port 80!) from every client environment. You have to bolster your client keystores with public keys of the signing key chain. But it is not authentication at all. You will have to choose which parts of foreign keys are representative. And what should be the benefits for the customer of the requested authentication?
Possibly your customer will see your enduring efforts on his bill... for one-time implementation and daily run, separately.
With kind regards, Juergen.
This is an old thread, but for anybody finding this info here are some references which contain details and guidance on working with mTLS authentication with the FlexNet inventory agent:
- Gathering FlexNet Inventory > Common: Supporting Mutual TLS
- FlexNet Manager Suite Online Help > Configuring Mutual TLS
- Features by Release > Support for mutual TLS on UNIX-like devices
- Knowledge Base > Configure Client Certificate Authentication for FlexNet Inventory Agents
In addition to the excellent links that Chris provided, here is a recent KB article on this topic:
@SenthilNathan - The certificate checking/acceptance is performed by IIS, not the beacon. Please follow the documentation in the above links provided by Chris. The answer to your question is that the Certificate installed on the client must be accepted by IIS installed and enabled on the Beacon Server.
Hey @kclausen, Senthil's question stems from a customer who already has a client certificate pair installed in the Trusted Root Certification Authorities on their end user Windows devices that is used for client authentication of another app. The question is whether the agent can be configured to use that certificate. This would remove the necessity to deploy a new cert to all end user devices.
My guess is the answer is no. Reading between the lines in the documentation, it looks like the agent expects the certificate to be named after the inventory beacon as that seems to be the only way that the agent would know which certificate in the local cert store to use to authenticate itself.
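As an added illustration of the two practical checks raised in this thread (Juergen's point about trusting the beacon certificate only after CRL validation, and the question above of which certificate in the Windows store could serve as a client-authentication certificate for a given beacon), the following PowerShell script is example code written for this post; it is not Flexera code, it does not reproduce how the FlexNet agent actually selects a certificate, and the beacon name `beacon.example.local` is an assumed placeholder. It lists certificates in the LocalMachine\My store whose subject CN or SAN matches the beacon host name and reports, for each, whether it carries a private key, the Client Authentication EKU, and a chain that builds to a trusted root with revocation checked online.

```powershell
# Added example, not Flexera code. Inventories candidate client-authentication
# certificates for a beacon host name and reports why each would or would not
# be acceptable to a relying party such as IIS on the beacon.
param(
    # Assumed placeholder; replace with the FQDN of your inventory beacon.
    [string]$BeaconFqdn = 'beacon.example.local'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Name match: CN in the subject, or any DNS entry in the Subject Alternative Name.
    $cnMatch  = $cert.Subject -match "CN=$([regex]::Escape($BeaconFqdn))(,|$)"
    $sanMatch = @($cert.DnsNameList | Where-Object { $_.Unicode -ieq $BeaconFqdn }).Count -gt 0
    if (-not ($cnMatch -or $sanMatch)) { return }

    # EKU check: the certificate must assert client authentication.
    $hasClientAuth = @($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $clientAuthOid }).Count -gt 0

    # Chain check: build to a trusted root, require the client-auth application
    # policy along the chain, and consult CRLs online. An unreachable CRL shows
    # up in ChainStatus as RevocationStatusUnknown / OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
        ChainsToTrust = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Issuer        = $cert.Issuer
    }
}
```

Run it in an elevated session on a device where the agent is installed (`.\Find-BeaconClientCert.ps1 -BeaconFqdn beacon.example.local`, with the script saved under that assumed name). A certificate that matches by name but reports `HasPrivateKey = False`, lacks the Client Authentication EKU, or fails to chain is one IIS on the beacon would reject regardless of how the agent picks it, so this narrows the question to whether the agent's selection logic will find an otherwise valid certificate.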