Server endpoints and drop locations

The agent can deliver its encrypted scan result files in different ways: over HTTPS, which is the most common (and recommended) way, or by writing the result to a file share. For this, server endpoints and drop locations are configured in the agent configuration.

Server endpoint

A server endpoint represents a possible path for delivery. The Snow Inventory Agent establishes a connection and sends the output file to an Inventory server endpoint defined in the configuration. When several endpoints have been defined, the agent randomly selects one from the list. It tries at least once for each endpoint. As soon as it has successfully managed to negotiate a connection it will use that one for the remainder of the session.

Note

The more server endpoints defined in the agent configuration, the longer it can take to negotiate a connection. This is typically not an issue, but when writing scripts keep in mind that it may introduce a significant delay, since the agent has to time out on an unreachable or misconfigured server endpoint before it can try the next one.

Configuring the agent for public key pinning

Public key pinning protects the communication link between agents and Snow Inventory endpoints, such as Snow Inventory Server or a service gateway, against man-in-the-middle attacks: an endpoint that presents a certificate whose public key differs from the pinned key is rejected, even if that certificate would otherwise validate. It is recommended to enable public key pinning to secure data in transit and to mitigate man-in-the-middle attacks that rely on a fraudulently issued or substituted server certificate.

When the agent establishes a connection to an endpoint, it computes the SHA-256 hash of the public key in the certificate the endpoint presents and compares it, base64-encoded, with the expected value stored in the agent configuration file (snowagent.config by default). If the values match, communication proceeds; otherwise the connection is dropped. Because the hash covers the public key and not the certificate, renewing the endpoint's certificate with the same key pair does not change the pin; replacing the key pair does, so the configured hash must be updated on the agents before the endpoint switches to a new key, or the agents will refuse to connect.

The recommended steps, with example OpenSSL commands:

  1. Open a communication link with the endpoint

    openssl s_client -servername www.invserver.com -connect www.invserver.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.invserver.com.pem

  2. Extract the public key from the endpoint's certificate (PEM format)

    openssl x509 -in www.invserver.com.pem -pubkey -noout > www.invserver.com.pubkey.pem

  3. Convert the public key from PEM to DER, the binary encoding that is hashed

    openssl asn1parse -noout -inform pem -in www.invserver.com.pubkey.pem -out www.invserver.com.pubkey.der

  4. SHA-256 hash and base64-encode the DER-encoded key

    openssl dgst -sha256 -binary www.invserver.com.pubkey.der | openssl base64

  5. Add the following code to snowagent.config file:

    <Endpoint>
      <Address>...</Address>
      <Proxy>...</Proxy>
      <ClientCertificate>...</ClientCertificate>
      <ServerPublicKeyHash>sha256//<---encoded key ---></ServerPublicKeyHash>
    </Endpoint>
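The five steps above collapsed into a small script, as an added example that is not part of the Snow documentation or the agent itself. It computes the sha256// value for a certificate file, checks a certificate against a configured pin the way the agent does, and shows that a renewed certificate for the same key keeps the pin while a new key changes it. The function names, the host name www.invserver.com and the generated keys and certificates are assumptions and constructed test data; openssl pkey -outform der is used for the PEM-to-DER step, and the script cross-checks it against the asn1parse command from step 3.

```shell
#!/bin/sh
# Added example (not Snow's own code): build a "sha256//<base64>" pin for
# <ServerPublicKeyHash> from a certificate, check a presented certificate
# against a pin, and show what certificate renewal vs. rekeying does to the pin.
# Function names, www.invserver.com and the generated keys are assumptions.
set -eu

# pin_from_cert CERT.pem -> prints "sha256//<base64 SHA-256 of the DER-encoded public key>"
# Steps 2-4 of the procedure in one pipeline; "openssl pkey -outform der"
# replaces the asn1parse step and yields the same DER SubjectPublicKeyInfo.
pin_from_cert() {
    h=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64)
    printf 'sha256//%s\n' "$h"
}

# pin_from_host HOST [PORT] -> pin of the leaf certificate a live endpoint presents (step 1 + pin_from_cert)
pin_from_host() {
    port=${2:-443}
    tmp=$(mktemp)
    openssl s_client -servername "$1" -connect "$1:$port" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$tmp"
    pin_from_cert "$tmp"
    rm -f "$tmp"
}

# pin_matches CERT.pem EXPECTED_PIN -> exit 0 if the certificate's key hashes to the pin (the agent-side check)
pin_matches() {
    [ "$(pin_from_cert "$1")" = "$2" ]
}

# Same pin computed exactly as the documented steps do it (asn1parse for PEM->DER), for cross-checking
pin_from_cert_asn1() {
    tmp=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$tmp.pub.pem"
    openssl asn1parse -noout -inform pem -in "$tmp.pub.pem" -out "$tmp.pub.der"
    h=$(openssl dgst -sha256 -binary "$tmp.pub.der" | openssl base64)
    rm -f "$tmp" "$tmp.pub.pem" "$tmp.pub.der"
    printf 'sha256//%s\n' "$h"
}

# demo_pin_rotation -> prints "renewal-ok rekey-ok asn1-ok" when a renewed certificate for
# the same key keeps the pin, a certificate for a new key changes it, and both PEM->DER paths agree.
# All keys and certificates here are generated on the fly (constructed test data).
demo_pin_rotation() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/a.key"
    openssl req -x509 -new -key "$d/a.key" -subj "/CN=www.invserver.com" -days 1 -out "$d/a1.crt" 2>/dev/null
    openssl req -x509 -new -key "$d/a.key" -subj "/CN=www.invserver.com" -days 2 -out "$d/a2.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/b.key"
    openssl req -x509 -new -key "$d/b.key" -subj "/CN=www.invserver.com" -days 1 -out "$d/b1.crt" 2>/dev/null
    pin=$(pin_from_cert "$d/a1.crt")
    out=""
    pin_matches "$d/a2.crt" "$pin" && out="renewal-ok"
    pin_matches "$d/b1.crt" "$pin" || out="$out rekey-ok"
    [ "$(pin_from_cert_asn1 "$d/a1.crt")" = "$pin" ] && out="$out asn1-ok"
    rm -rf "$d"
    printf '%s\n' "$out"
}
```

pin_from_host www.invserver.com prints the value to paste into <ServerPublicKeyHash>; run it for every endpoint and service gateway the agent is configured with. Note that a pin taken from a live connection pins whatever certificate the network delivered at that moment, so confirm the value against the certificate on the server itself (pin_from_cert on the server's certificate file) before rolling it out to agents.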

Drop location

A drop location represents an additional location for delivery of the scan result. It can be a network folder, an HTTP endpoint, or a UNC file path. If several drop locations have been defined, the scan result is sent to all of them.

Note

If the agent cannot reach a drop location during the send activity, it will not try to resend the file later.