Security

Encryption of passwords

Passwords used in the configuration file are automatically encrypted when the configuration file is managed via the Snow Inventory Admin Console.

Data anonymization options

The Snow Inventory Agent can be configured to send anonymous user data from the inventoried computer. It can also be configured not to inventory any IP addresses assigned to the network interfaces of the computers.

Anonymous user data

Both the usernames of logged-on users and the usernames recorded by software metering (i.e. users who have used applications on the computer) can be replaced with a SHA-1 hash. The same hash value is used for the same user each time, even if the user uses multiple computers, so no duplicate entries are created.

To enable the anonymous user data option, the following system setting needs to be added to the configuration file:

privacy.hide_user=true

Example 58.

Default setting (not anonymous): [screenshot: NotAnonymous.png]

With privacy.hide_user=true (anonymous): [screenshot: Anonymous.png]


Anonymous IP addresses

The IP addresses assigned to the network interfaces of the computer can be replaced with a SHA-1 hash. Add the following system setting to the configuration file:

privacy.hide_ip=true
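As an added illustration of the two privacy settings above (this is not the agent's own code), the following Python script applies a SHA-1 pseudonym to usernames and IP addresses in a constructed set of inventory records and checks that one user seen on two computers still maps to a single identifier, as the documentation describes. The record layout, the field names and the assumption that the agent hashes the raw string without any normalization are assumptions made for this example.

```python
import hashlib

# Constructed sample inventory records (not data from the documentation):
# one logon record and two software-metering records. "alice" is seen on
# two different computers.
SAMPLE_RECORDS = [
    {"source": "logon", "computer": "WS-001", "user": "alice", "ip": "10.0.0.15"},
    {"source": "metering", "computer": "WS-002", "user": "alice", "ip": "10.0.0.16"},
    {"source": "metering", "computer": "WS-002", "user": "bob", "ip": "10.0.0.16"},
]


def pseudonymize(value: str) -> str:
    """SHA-1 hex digest of a string (40 hex characters).

    Assumption: the agent hashes the value as-is. Whether it lower-cases the
    name or strips a domain prefix first is not documented, so two spellings
    of one account would produce two different pseudonyms here.
    """
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


def apply_privacy(records, hide_user=False, hide_ip=False):
    """Return copies of the records with the user and/or IP field replaced by
    its SHA-1 pseudonym, mirroring privacy.hide_user and privacy.hide_ip."""
    out = []
    for rec in records:
        rec = dict(rec)  # never mutate the caller's data
        if hide_user:
            rec["user"] = pseudonymize(rec["user"])
        if hide_ip:
            rec["ip"] = pseudonymize(rec["ip"])
        out.append(rec)
    return out


def distinct_values(records, field):
    """Set of distinct values of one field. Comparing the count before and
    after pseudonymization shows that no duplicate identities are created."""
    return {rec[field] for rec in records}


if __name__ == "__main__":
    anon = apply_privacy(SAMPLE_RECORDS, hide_user=True, hide_ip=True)
    for rec in anon:
        print(rec["source"], rec["computer"], rec["user"][:12], rec["ip"][:12])
    print("distinct users before:", len(distinct_values(SAMPLE_RECORDS, "user")),
          "after:", len(distinct_values(anon, "user")))
```

Because the hash is deterministic and unsalted, the same account always yields the same identifier, which is exactly what lets the server merge the records from different computers; it also means that anyone holding a list of account names can recompute the pseudonyms, so the setting hides identities from casual inspection of the inventory rather than providing strong anonymity.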

Note

When this option is enabled, it is not possible to use Auto Connect Rules in Snow License Manager based on computer IP addresses for allocation of computers to different units in the organization structure. However, other criteria can still be used for Auto Connect Rules, such as computer hostnames and site names.

Communication

It is possible to use any combination of X.509 certificates to secure and authenticate communication between the agent and the server.

If the server certificate has been issued by a trusted root certificate authority (CA), no additional configuration is required other than to configure the agent to use the HTTPS (or HTTP) URI scheme.

Self-signed or self-issued certificates

If a self-signed or self-issued certificate is used to secure communication, i.e. a certificate that is not installed in the trusted root certificate store of the computer, the agent needs to be configured to ignore warnings about unknown CAs. Use the following system setting in the configuration:

http.ssl_verify=false

This setting is not used by default, i.e. the agent verifies the server certificate unless http.ssl_verify=false is explicitly added.

Note

The system setting http.ssl_verify=false does not work on Mac OS X 10.8. Even if the setting is set to false, the agent will still try to verify the server’s CA certificate.

Note

Read Configuring the agent for public key pinning for more security-related information in regards to certificates.

Client authentication using certificates

The Snow Agent supports use of client certificates. The certificates need to be password protected, and the password must be stored (encrypted) in the agent configuration file.

A common practice is to distribute the client certificate alongside the agent as part of the update package. The agent is then configured to look for a certificate.pfx file that contains the client certificate for client authentication and use that (provided it has the correct password).

If the server endpoint is used with a client certificate and the password does not match, an error is generated in the snowagent.log. The agent will continue with other server endpoint configurations, if any have been set.

Note

Specify one client certificate per server endpoint. It is possible to have multiple entries for the same server endpoint with different client certificates.

Communication using TLS

To use Transport Layer Security (TLS) 1.2 for the communication between the Inventory agent and the Inventory server, the following requirements must be met:

  • The Windows operating system of the Inventory server (both Master Server and Service Gateway) must be updated to enable the TLS 1.2 protocol for SHA512 certificates. See article https://support.microsoft.com/en-us/help/2973337/sha512-is-disabled-in-windows-when-you-use-tls-1-2.

  • Windows agent

    The root certificate (.cer) must be installed in the Trusted Root Certification Authorities of the computer to be inventoried.

  • Linux and macOS agents

    In the configuration file of the agent, the setting <Setting key="http.ssl_capath" value="" /> must point to the certificate file (.pem).

  • Unix agent

    The certificate file (.cer) needs to be put in the /opt/snow/ directory of the computer to be inventoried.

    If the "RSA premaster secret error" entry is shown in the log, the components local_policy.jar and US_export_policy.jar need to be updated in Java.
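An added example (not part of the Snow documentation or the product) that audits the security-related settings described in the self-signed certificate and TLS sections above: it parses an agent configuration file, flags http.ssl_verify=false and an empty http.ssl_capath, and reports privacy settings that are not enabled. Only the <Setting key="..." value="..."/> element form and the setting keys come from this page; the <Configuration> root element, the CA file path, the severity levels and the two sample configurations are assumptions made for this example. The http.ssl_capath check models the Linux/macOS requirement and can be ignored for a Windows agent, where the root certificate is installed in the trusted store instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not files from the documentation).
# The <Setting key="..." value="..."/> form is the one the documentation
# shows; the <Configuration> root element and the file path are assumptions.
WEAK_CONFIG = """<Configuration>
  <Setting key="privacy.hide_user" value="true" />
  <Setting key="privacy.hide_ip" value="false" />
  <Setting key="http.ssl_verify" value="false" />
  <Setting key="http.ssl_capath" value="" />
</Configuration>"""

HARDENED_CONFIG = """<Configuration>
  <Setting key="privacy.hide_user" value="true" />
  <Setting key="privacy.hide_ip" value="true" />
  <Setting key="http.ssl_capath" value="/etc/snow/ca.pem" />
</Configuration>"""


def load_settings(xml_text: str) -> dict:
    """Collect every <Setting key=... value=.../> element into a dict."""
    root = ET.fromstring(xml_text)
    return {el.get("key"): el.get("value", "")
            for el in root.iter("Setting") if el.get("key")}


def is_true(settings: dict, key: str, default: str = "false") -> bool:
    """Case-insensitive boolean read; 'default' is used when the key is absent."""
    return settings.get(key, default).strip().lower() == "true"


def audit(settings: dict) -> list:
    """Return (severity, key, message) findings for the settings this page covers."""
    findings = []
    # http.ssl_verify=false is not set by default, so a missing key means the
    # server certificate is verified.
    if not is_true(settings, "http.ssl_verify", default="true"):
        findings.append(("high", "http.ssl_verify",
                         "server certificate verification is disabled; install the CA in the "
                         "Trusted Root store (Windows) or point http.ssl_capath at the CA .pem "
                         "(Linux/macOS) instead of ignoring unknown CAs"))
    if not settings.get("http.ssl_capath", "").strip():
        findings.append(("medium", "http.ssl_capath",
                         "empty; Linux and macOS agents need it to point to the CA "
                         "certificate (.pem) for TLS 1.2"))
    for key in ("privacy.hide_user", "privacy.hide_ip"):
        if not is_true(settings, key):
            findings.append(("info", key,
                             "not enabled; this data is inventoried in clear text"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for severity, key, message in audit(load_settings(text)) or [("ok", "-", "no findings")]:
            print(f"[{severity}] {key}: {message}")
```

Running the script prints three findings for the weak configuration and none for the hardened one; the same audit function can be pointed at a deployed configuration file before an agent package is rolled out.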