How to Enable SSL Communication between Linux Agents and the Spirion Console

Requirements

To complete the steps in this article, the Console:

  • Must be configured to use HTTPS
  • Must be reachable from a browser at: https://consoleserver/Services/ManagementService.svc
    • where consoleserver is the name or IP address of the enterprise console.
  • If the link noted above cannot be loaded over HTTPS, work with the IT staff responsible for the server configuration to enable HTTPS before continuing.

Beyond enabling HTTPS on the console, in most cases encrypted communication between Linux endpoints and the Console works without any special configuration. The Linux client software trusts a built-in list of publicly trusted root certificate authorities, such as Verisign, Thawte, etc., so a console certificate issued by one of these authorities is validated automatically.

If the Console server uses a private certification authority or a self-signed certificate, additional steps are needed to enable encrypted communication, because the client cannot validate such a certificate on its own. The instructions below outline the steps required to enable encrypted communication between Linux endpoints and the Console server in that case.

How to Enable Encrypted Communication (HTTPS)

To enable encrypted communication (HTTPS) between Identity Finder Linux Endpoints and a Console with a private or self-signed certificate, the endpoint system must have a copy of the certificate the client will use to validate the server: the certificate of the CA that issued the server's certificate or, for a self-signed certificate, the server certificate itself. The certificate must be exported in PEM format as a file named ca.pem and placed on the endpoint.

If the endpoint is configured to communicate with the console via HTTPS and any of the steps below are not completed, errors such as the following may be recorded in the endpointservice.log file:

  • ERROR - Service Client Exception: Service call failed (Context: Opening behavior. SSL error). System Error: No such file or directory (2)
  • ERROR - Exception: Service call failed (Context: Opening behavior. SSL error). System Error: No such file or directory (2)
  • ERROR - Failed to acquire an endpoint id

The system error "No such file or directory (2)" (errno 2, ENOENT) means no file exists at the path configured in Console\caPath; check the path and spelling of the caPath value first. A file that exists but cannot be read, or that is not the right CA certificate, fails the SSL handshake with a different error.

Additional details and troubleshooting information are contained in the following article:

How to Obtain the Server's SSL certificate

If a copy of the ca.pem certificate from the console server is already available, this section may be skipped. 

To obtain the certificate of the Console, perform the following steps:

  1. View https://consoleserver/Services/ManagementService.svc in Firefox, where consoleserver is the name or IP address of the console server.
  2. Open the browser's Page Info dialog and select the Security tab. Depending on your browser version, this may be accessed by clicking on the site name in the URL bar and clicking "More Information...", selecting the Tools menu and then the Page Info menu item, double-clicking the "security lock" in the lower right hand corner of the browser window, or another similar method.
  3. Click on View Certificate to open the Certificate Viewer.
  4. Click on the Details tab.
  5. In the Certificate Hierarchy box, select the certificate that issued the console server's certificate: the entry directly above the server's own certificate, which is the last item (i.e., the second to last item in the hierarchy). If the server uses a self-signed certificate, the hierarchy contains only that one entry; select it.
  6. Click on the Export button in the lower left to open the Save Certificate To File dialog.
  7. Select X.509 Certificate chain (PEM) in the Save As drop-down.
  8. Name the file ca.pem.
  9. Click Save.

How to Install the SSL Certificate

There are several methods for deploying the ca.pem file to the client, listed in order of recommendation.

The ca.pem file must be placed in a path that is readable by all users on the system, so that the agent can open it regardless of the account it runs under.

  1. A Linux package can be customized to include the SSL certificate. The same location can be used for the ca.pem file as is used for a license file. This process is described in the article Creating a Custom Installer for Linux.
  2. Any existing software distribution method can be used to copy/deploy the certificate to the client.
  3. The steps in How to Obtain the Server's SSL certificate can be performed on the client itself and the certificate saved locally.

How to Configure the Client to use the SSL Certificate

To configure the client to use the SSL certificate, add the Console\caPath setting (described below) to the identityfindersettings.xml configuration file obtained from the console server (the XML configuration file that contains the serverUrl and encKey). Then include that identityfindersettings.xml file in a customized Linux package as described in the article Creating a Custom Installer for Linux.

  1. Obtain the identityfindersettings.xml file: open a web browser, navigate to http://consoleserver/Services (where consoleserver is the name or IP address of the console) and click the appropriate link for Linux to save the identityfindersettings.xml file to the local client. Where possible, retrieve the file over the console's HTTPS address rather than plain HTTP, since the endpoint will trust the serverUrl and encKey values the file contains.
  2. Open the file identityfindersettings.xml in a text editor and add the Console\caPath setting as follows:
    1. Under the Console category, add a new Setting element.
    2. Give the Setting element the following attributes:
      • Multi="false"
      • Name="caPath"
      • Type="String"
    3. Within the new Setting element, insert a Value element that contains the full path to the ca.pem file, including the file name ca.pem.

      The location of this file is standard if it is included in the custom Identity Finder package, but can differ if other methods are used to place ca.pem on a Linux endpoint.
      • If the ca.pem file is copied by the custom package, it will be in the standard location for the version:
        • Version 11.4: /var/lib/identityfindercd/ca.pem
        • Version 11.3 and earlier: /var/lib/identityfinder/ca.pem
      • If the ca.pem file is copied to the endpoint using other methods, use the full path where it was placed, in the form /full/path/to/ca.pem
  3. After the Console\caPath setting has been added, the XML file should look like the example below (this example uses the version 11.3 and earlier path; set the Value to wherever ca.pem is actually installed on the endpoint):

    <Policy Schema="1.1">
      <Container Type="System">
        <Category Name="Console">
          <Setting Multi="false" Name="enable" Type="Integer">
            <Value>1</Value>
          </Setting>
          <Setting Multi="false" Name="serverUrl" Type="String">
            <Value>https://consoleserver/Services</Value>
          </Setting>
          <Setting Multi="false" Name="encKey" Type="String">
            <Value>BgIAAACkAABSU0ExAAQAAAEAAQCHiyKegDXLfLiTLnCiatIbATZi1E9Bj9setTWE6SAl3hUafE3aFYCvLHTSuS/W5jdjwf9ggq6DwWFn9/dK8/WTEWZbpV3a7pNeHAixxa9XQppaqidZMk2ATupCsqHSlAg/wVZ7lyvLRQHFkF1O+EyM3eOLon67JsuhUTEiZstfpg==</Value>
          </Setting>
          <Setting Multi="false" Name="caPath" Type="String">
            <Value>/var/lib/identityfinder/ca.pem</Value>
          </Setting>
        </Category>
      </Container>
    </Policy>
  4. Save the file identityfindersettings.xml and include it in the customized installer or distribute via existing software distribution methods.
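The script below is an added example, not Spirion's own tooling, that checks a finished ca.pem plus Console\caPath configuration the way the steps above require: the serverUrl must be https, the caPath must exist and be readable by all users, the file must be PEM, and the console's server certificate must chain to ca.pem under the host name in serverUrl. It assumes the openssl command-line tool, awk and stat are installed. Because it has to run without a console, it builds a throwaway private CA and a server certificate for "consoleserver" in a scratch directory as a constructed stand-in, and writes a minimal identityfindersettings.xml in the layout shown above; all of those paths and names are assumptions. The openssl s_client command in the comment is the non-browser way to fetch the real console's chain.

```shell
#!/bin/sh
# Added example, not Spirion tooling: preflight checks for the ca.pem /
# Console\caPath configuration described above. Assumes the openssl CLI,
# awk and stat are installed; every path below lives in a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Alternative to the Firefox steps for fetching the console's chain (not run
# here, since it needs the real console): every BEGIN/END CERTIFICATE block
# after the first is an issuer; save the issuer block(s) as ca.pem.
#   openssl s_client -showcerts -connect consoleserver:443 </dev/null 2>/dev/null

# Constructed stand-in for a console behind a private CA: a throwaway CA
# (ca.pem), a server certificate for "consoleserver" signed by it, and an
# unrelated CA (other-ca.pem) to show what a wrong ca.pem looks like.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=consoleserver" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
        -out "$WORK/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Write a minimal identityfindersettings.xml in the layout shown above
# (serverUrl plus caPath only; the real file carries more settings).
write_settings() {
    cat > "$1" <<EOF
<Policy Schema="1.1">
  <Container Type="System">
    <Category Name="Console">
      <Setting Multi="false" Name="serverUrl" Type="String">
        <Value>$2</Value>
      </Setting>
      <Setting Multi="false" Name="caPath" Type="String">
        <Value>$3</Value>
      </Setting>
    </Category>
  </Container>
</Policy>
EOF
}

# Print the <Value> of the named Setting from a settings file.
setting_value() {
    awk -v name="Name=\"$2\"" '
        index($0, name) { found = 1 }
        found && match($0, /<Value>[^<]*<\/Value>/) {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }' "$1"
}

# What the agent's TLS stack checks: the server certificate must chain to
# ca.pem ($1) and its name must match the host ($3) taken from serverUrl.
verify_console_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Mirrors the failures behind the log errors quoted above: a caPath that
# does not exist is "No such file or directory (2)"; one the agent cannot
# read, or one holding the wrong CA, fails the SSL handshake instead.
preflight() {
    settings=$1; servercert=$2
    url=$(setting_value "$settings" serverUrl)
    case $url in
        https://*) host=${url#https://}; host=${host%%/*}; host=${host%%:*} ;;
        *) echo "serverUrl '$url' is not https://"; return 1 ;;
    esac
    capath=$(setting_value "$settings" caPath)
    [ -n "$capath" ] || { echo "caPath setting is missing"; return 1; }
    [ -f "$capath" ] || { echo "$capath: No such file or directory"; return 1; }
    mode=$(stat -c %a "$capath" 2>/dev/null || stat -f %Lp "$capath")
    case $mode in
        *[4567]) ;;   # low octal digit has the read bit: readable by all users
        *) echo "$capath is not readable by all users (mode $mode)"; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$capath" \
        || { echo "$capath is not a PEM certificate file"; return 1; }
    verify_console_cert "$capath" "$servercert" "$host" \
        || { echo "$servercert does not verify against $capath for $host"; return 1; }
    echo "ok: $capath validates $servercert for $host"
}

# Stand-alone run: build the scratch PKI, point a settings file at it, check.
make_test_pki
write_settings "$WORK/identityfindersettings.xml" \
    "https://consoleserver/Services" "$WORK/ca.pem"
preflight "$WORK/identityfindersettings.xml" "$WORK/server.pem"
```

Against a real deployment, replace the scratch PKI with the exported ca.pem, the actual identityfindersettings.xml and a copy of the console's server certificate, and run preflight as an unprivileged user so the permission check reflects what the agent will see.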
