Security

Encryption of passwords

Passwords used in the configuration file are automatically encrypted when the configuration file is managed via the Snow Inventory Admin Console.

Data anonymization options

The Snow Inventory Agent can be configured to send anonymous user data from the inventoried computer. It can also be configured not to inventory any IP addresses assigned to the network interfaces of the computers.

Anonymous user data

Both usernames of logged-on users and usernames within the software metering (i.e. users who have used applications on the computer) can be replaced with a SHA-1 hash. The same hash value is used for the same user each time, so even if the user uses multiple computers, no duplicate entries are created.

To enable the anonymous user data option, the following system setting needs to be added to the configuration file:

privacy.hide_user=true

Example 17.

Default setting (not anonymous)

[Image: NotAnonymous.png]

With privacy.hide_user=true (anonymous)

[Image: Anonymous.png]


Anonymous IP addresses

The IP addresses assigned to the network interfaces of the computer can be replaced with a SHA-1 hash. Add the following system setting to the configuration file:

privacy.hide_ip=true

Note

When this option is enabled, it is not possible to use Auto Connect Rules in Snow License Manager based on computer IP addresses for allocation of computers to different units in the organization structure. However, other criteria can still be used for Auto Connect Rules, such as computer hostnames and site names.
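The two privacy settings above both substitute a SHA-1 hash for the original value. The following added example (not part of the Snow documentation or the agent's code) applies the same substitution to a few constructed inventory records so the deduplication property can be observed: the same user on two computers yields the same token. The agent's exact input canonicalisation is not documented on this page; the example assumes the raw UTF-8 string is hashed, and the helper names are hypothetical.

```python
import hashlib

# Hypothetical helper written for this example: it mirrors the documented behaviour
# (usernames and IP addresses replaced by a SHA-1 hash). The agent's exact input
# canonicalisation is not documented; we assume the raw UTF-8 string is hashed.
def pseudonymize(value: str) -> str:
    """Return the SHA-1 hex digest used in place of a username or IP address."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def anonymize_record(record: dict, hide_user: bool = True, hide_ip: bool = True) -> dict:
    """Apply privacy.hide_user / privacy.hide_ip to one inventory record."""
    out = dict(record)
    if hide_user:
        out["user"] = pseudonymize(record["user"])
    if hide_ip:
        out["ip"] = pseudonymize(record["ip"])
    return out


# Constructed sample data: the same user logged on to two different computers.
SAMPLE_RECORDS = [
    {"host": "LAPTOP-01", "user": "DOMAIN\\alice", "ip": "10.0.0.15"},
    {"host": "DESKTOP-07", "user": "DOMAIN\\alice", "ip": "10.0.0.42"},
    {"host": "DESKTOP-07", "user": "DOMAIN\\bob", "ip": "10.0.0.42"},
]


def distinct_users(records, hide_user: bool = True) -> int:
    """Count distinct user tokens after anonymization; equals the number of real users."""
    return len({anonymize_record(r, hide_user=hide_user)["user"] for r in records})


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(anonymize_record(r))
    print("distinct users:", distinct_users(SAMPLE_RECORDS))
```

Because the hash is deterministic and unsalted, it gives a stable pseudonym rather than irreversible anonymization: the IPv4 address space in particular is small, so hashed IP fields should be treated as pseudonymous data in a data-protection assessment, not as data that can no longer be linked to a computer.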

Communication

It is possible to use any combination of X.509 certificates to secure and authenticate communication between the agent and the server.

If the server certificate has been issued by a trusted root certificate authority (CA), no additional configuration is required other than to configure the agent to use the HTTPS (or HTTP) URI scheme.

Self-signed or self-issued certificates

If your server uses a self-signed certificate for TLS, it is best practice to ensure that the root CA for the self-signed certificate is present and available to the agent so that certificate verification can be performed.

If no trusted root CA is present on the client machine, and therefore no certificate verification can be performed, you must disable the validation check. This is, however, insecure and strongly discouraged.

To disable the validation check, set http.ssl_verify in the agent configuration file to false:

<SystemSettings>
    <Setting key="http.ssl_verify" value="false" />
</SystemSettings>

Note

Read Configuring the agent for public key pinning for more security-related information in regard to certificates.

Client authentication using certificates

The Snow Inventory Agent supports the use of client certificates. The certificates need to be password protected, and the password must be stored (encrypted) in the agent configuration file.

A common practice is to distribute the client certificate alongside the agent as part of the update package. The agent is then configured to look for a certificate.pfx file that contains the client certificate for client authentication and use that (provided it has the correct password).

If the server endpoint is used with a client certificate and the password does not match, an error is generated in the snowagent.log. The agent will continue with other server endpoint configurations if any have been set.

Note

Specify one client certificate per server endpoint. It is possible to have multiple entries for the same server endpoint with different client certificates.

Communication using TLS

To use Transport Layer Security (TLS) for the communication between the Snow Inventory Agent and the Snow Inventory endpoint (a Snow Inventory Server or Snow Extender), the following requirements must be met.

TLS versions supported by the agents are listed in Security considerations in Snow Inventory. From a security point of view, using the latest stable version is always advisable.

Windows agent

The root certificate (.cer) must be installed in the Trusted Root Certification Authorities of the computer to be inventoried.

Unix agent

The certificate file (.cer) must be placed in the /opt/snow/ directory of the computer to be inventoried.

Note: If the connection between the agent and the Snow Inventory endpoint fails, see Troubleshooting TLS connection failures for Unix for possible reasons and solutions.

Linux agent

Since the location of the certificate file differs between Linux distributions, the agent must be told where to find it via the setting key http.ssl_capath in the agent configuration file.

Example:

<SystemSettings>
    <Setting key="http.ssl_capath" value="/etc/ssl/certs/mycert.pem" />
</SystemSettings>
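The http.ssl_verify and http.ssl_capath settings shown in the two fragments above decide whether the agent validates the server certificate and where it looks for the CA file. The following added example (not Snow's code) audits an agent configuration for those keys and for the privacy settings described earlier on this page. The sample configuration is constructed for the example; the page only shows <SystemSettings> fragments, so the enclosing <Configuration> root element and the default of http.ssl_verify being enabled when the key is absent are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent configuration (not a real snowagent config file). The
# fragments on this page show <Setting key="..." value="..."/> elements under
# <SystemSettings>; the enclosing root element is an assumption.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <SystemSettings>
    <Setting key="http.ssl_verify" value="false" />
    <Setting key="http.ssl_capath" value="/etc/ssl/certs/mycert.pem" />
    <Setting key="privacy.hide_user" value="true" />
  </SystemSettings>
</Configuration>
"""


def load_settings(xml_text: str) -> dict:
    """Collect every <Setting key value> pair, wherever it sits in the tree."""
    root = ET.fromstring(xml_text)
    return {s.get("key"): s.get("value") for s in root.iter("Setting") if s.get("key")}


def audit(settings: dict) -> list:
    """Return (severity, message) findings for the settings named on this page."""
    findings = []
    # Assumption: validation is on unless the key is explicitly set to false.
    verify = settings.get("http.ssl_verify", "true").strip().lower()
    if verify == "false":
        findings.append(("HIGH", "http.ssl_verify=false: server certificate is not validated"))
    if "http.ssl_capath" not in settings:
        findings.append(("INFO", "http.ssl_capath not set: agent relies on the platform trust store"))
    for key in ("privacy.hide_user", "privacy.hide_ip"):
        if settings.get(key, "false").strip().lower() != "true":
            findings.append(("INFO", f"{key} not enabled"))
    return findings


def audit_text(xml_text: str) -> list:
    """Parse and audit a configuration file's contents in one step."""
    return audit(load_settings(xml_text))


if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Running the audit over a fleet's configuration files before deployment catches the case the page warns about: a configuration that was set to http.ssl_verify=false during troubleshooting and never reverted once a trusted root CA was available.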

macOS agent

By default, the agent collects the certificate file from Keychain. If you want to provide your own certificate file, specify it using the setting key http.ssl_capath in the agent configuration file; see the example above.

Troubleshooting TLS connection failures for Unix

If any of the following error messages are shown in the Unix agent log, follow the instructions to enable the connection between the agent and the Snow Inventory endpoint.

  • Error message: RSA premaster secret error

    The components local_policy.jar and US_export_policy.jar must be updated in Java.

  • Error message: ERROR; Posting to server;;; Couldn't connect to server: https://<inventory_URL>:443: Exception caught: A system call received a parameter that is not valid. (Read failed)

    The Snow Inventory endpoint requires a newer version of TLS than is enabled by default in your Java version. To enable the use of the required TLS version, carry out one of the following options:

    • Option 1: Force the connection with the supported TLS version. At the command prompt, enter:

      -Djdk.tls.client.protocols=TLSv[x.y] [agent scan command] -Djdk.tls.client.protocols=TLSv[x.y] [agent send command]

      Where TLSv[x.y] is the required TLS version.

    • Option 2: Override the default protocol. At the command prompt, enter:

      -Dcom.ibm.jsse2.overrideDefaultTLS=true [agent scan command] -Dcom.ibm.jsse2.overrideDefaultTLS=true [agent send command]

    Example 18.

    Option 1:

    java -Djdk.tls.client.protocols=TLSv1.2 -jar /opt/snow/snowagent.jar -w /opt/snow scan >/dev/null 2>&1 ; java -Djdk.tls.client.protocols=TLSv1.2 -jar /opt/snow/snowagent.jar -w /opt/snow send >/dev/null 2>&1

    Option 2:

    java -Dcom.ibm.jsse2.overrideDefaultTLS=true -jar /opt/snow/snowagent.jar -w /opt/snow scan >/dev/null 2>&1 ; java -Dcom.ibm.jsse2.overrideDefaultTLS=true -jar /opt/snow/snowagent.jar -w /opt/snow send >/dev/null 2>&1



    Note

    In most systems the minimum required TLS version is 1.2. It was made the default protocol in IBM Java 7 with Service Refresh 5, fix pack 15 and in IBM Java 8 with Service Refresh 8, fix pack 15.
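The Example 18 command lines chain scan and send with ; and discard all output to /dev/null, so a failed scan still triggers a send and the error never reaches a log. The following added example (not Snow's code) builds the same java command lines for Option 1 and Option 2 as an argument list, rejects TLS versions outside a supported set, and runs scan followed by send while stopping on the first failure and keeping stderr. The jar path, working directory and scan/send subcommands are taken from Example 18; the SUPPORTED_TLS set and the helper names are assumptions.

```python
import subprocess
from typing import List, Optional

AGENT_JAR = "/opt/snow/snowagent.jar"   # path used in Example 18
AGENT_WORKDIR = "/opt/snow"             # -w argument used in Example 18
SUPPORTED_TLS = ("1.2", "1.3")          # assumption: versions a current endpoint accepts


def build_agent_command(phase: str, tls_version: Optional[str] = None,
                        override_default: bool = False, java: str = "java") -> List[str]:
    """Build argv for the 'scan' or 'send' phase with the JVM TLS options from Example 18."""
    if phase not in ("scan", "send"):
        raise ValueError(f"unknown phase: {phase}")
    argv = [java]
    if tls_version is not None:                     # Option 1: force the protocol version
        if tls_version not in SUPPORTED_TLS:
            raise ValueError(f"TLS {tls_version} is not in the supported set")
        argv.append(f"-Djdk.tls.client.protocols=TLSv{tls_version}")
    if override_default:                            # Option 2: IBM JSSE2 override
        argv.append("-Dcom.ibm.jsse2.overrideDefaultTLS=true")
    argv += ["-jar", AGENT_JAR, "-w", AGENT_WORKDIR, phase]
    return argv


def run_cycle(java: str = "java", **tls_opts) -> int:
    """Run scan then send; stop at the first failure and report its stderr."""
    for phase in ("scan", "send"):
        result = subprocess.run(build_agent_command(phase, java=java, **tls_opts),
                                capture_output=True, text=True)
        if result.returncode != 0:
            print(f"{phase} failed (exit {result.returncode}):\n{result.stderr}")
            return result.returncode
    return 0


if __name__ == "__main__":
    print(" ".join(build_agent_command("scan", tls_version="1.2")))
    print(" ".join(build_agent_command("send", override_default=True)))
```

Passing the command as a list avoids shell quoting issues in the cron or launchd entry that typically runs the agent, and returning the failing phase's exit code lets the scheduler record which of the two steps broke when the endpoint raises its minimum TLS version.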