Configuring the agent for public key pinning

Public key pinning protects the communication link between agents and Snow Inventory endpoints, such as Snow Inventory Server or a service gateway, against man-in-the-middle attacks: an interposed endpoint is rejected even if it presents a certificate that chains to a CA the operating system trusts, because its public key does not match the pinned one. Enabling public key pinning is recommended for every endpoint whose key is known in advance, to protect data in transit and close off man-in-the-middle attacks on that link.

When an agent first connects to an endpoint, it computes the SHA-256 hash of the public key in the certificate the endpoint presents and compares it with the expected value stored, base64-encoded, in the agent configuration file (snowagent.config by default). If the values match, communication proceeds; otherwise the connection is dropped.

Customers who want this additional protection must add the hash to the configuration file manually. Take care when editing the file: a mistyped or outdated hash causes the agent to drop every connection to that endpoint.

The recommended steps, with example OpenSSL commands:

  1. Open a TLS connection to the endpoint and save the certificate it presents (without -showcerts, s_client prints only the endpoint's own certificate, which is the one whose key is pinned)

    openssl s_client -servername www.invserver.com -connect www.invserver.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.invserver.com.pem

  2. Extract the public key from the endpoint's certificate (PEM format)

    openssl x509 -in www.invserver.com.pem -pubkey -noout > www.invserver.com.pubkey.pem

  3. Convert the public key from PEM to DER, the binary encoding that is hashed in the next step

    openssl asn1parse -noout -inform pem -in www.invserver.com.pubkey.pem -out www.invserver.com.pubkey.der

  4. Compute the SHA-256 hash of the DER-encoded key and base64-encode the digest

    openssl dgst -sha256 -binary www.invserver.com.pubkey.der | openssl base64

  5. Add the resulting value, prefixed with sha256//, to the Endpoint element in the snowagent.config file:

    <Endpoint>
      <Address>...</Address>
      <Proxy>...</Proxy>
      <ClientCertificate>...</ClientCertificate>
      <ServerPublicKeyHash>sha256//<---encoded key ---></ServerPublicKeyHash>
    </Endpoint>
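The whole procedure as one runnable script, added here as an example; it is not part of the Snow Inventory documentation or product. It generates a throwaway self-signed certificate to stand in for the endpoint (constructed so the script runs offline), derives the pin twice (once with the step-by-step commands above, once as a single `openssl pkey` pipeline), checks that both agree, validates the shape of the pin, and shows the comparison the agent makes against a configured value. The host name www.invserver.com, the file paths and the function names are assumptions; `fetch_endpoint_cert` is the only part that touches the network and is defined but not called.

```shell
#!/bin/sh
# Added example (not Snow Inventory's own tooling): derive and check a
# ServerPublicKeyHash of the form sha256//<base64 SHA-256 over the DER SubjectPublicKeyInfo>.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 against a live endpoint: save the leaf certificate the server presents.
# Not run here; the host name is an assumption.
fetch_endpoint_cert() {   # fetch_endpoint_cert HOST PORT > cert.pem
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN/,/-----END/p'
}

# Constructed stand-in for the endpoint: a throwaway self-signed certificate,
# so the rest of the script runs without network access.
make_test_cert() {        # make_test_cert > path of cert.pem
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.invserver.com" -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Steps 2-4 exactly as in the procedure above: PEM public key -> DER -> SHA-256 -> base64.
spki_pin_stepwise() {     # spki_pin_stepwise CERT.pem
  openssl x509 -in "$1" -pubkey -noout > "$WORK/pubkey.pem"
  openssl asn1parse -noout -inform pem -in "$WORK/pubkey.pem" -out "$WORK/pubkey.der"
  printf 'sha256//%s\n' "$(openssl dgst -sha256 -binary "$WORK/pubkey.der" | openssl base64 -A)"
}

# Same result as a single pipeline; openssl pkey does the PEM -> DER conversion.
spki_pin() {              # spki_pin CERT.pem
  printf 'sha256//%s\n' "$(openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A)"
}

# A well-formed pin is "sha256//" followed by 44 base64 characters (a 32-byte digest).
pin_is_wellformed() {     # pin_is_wellformed PIN
  case "$1" in
    sha256//*) printf '%s\n' "${1#sha256//}" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ;;
    *) return 1 ;;
  esac
}

# The check the agent makes on connect: the presented key's pin must equal the configured one.
pin_matches() {           # pin_matches CERT.pem CONFIGURED_PIN
  [ "$(spki_pin "$1")" = "$2" ]
}

# The element to paste into the Endpoint block for step 5.
config_fragment() {       # config_fragment CERT.pem
  printf '<ServerPublicKeyHash>%s</ServerPublicKeyHash>\n' "$(spki_pin "$1")"
}

CERT=$(make_test_cert)
echo "pin (stepwise): $(spki_pin_stepwise "$CERT")"
echo "pin (pipeline): $(spki_pin "$CERT")"
config_fragment "$CERT"
```

Because the hash covers the public key rather than the whole certificate, renewing the endpoint's certificate with the same key pair does not invalidate the pin; renewing it with a new key pair does, so the new pin has to be rolled out to agents before the old certificate is retired, or every agent will drop its connections to that endpoint.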