RVY200736: SSL certificate implementation & configuration for RayVentory Agent on Windows and Non-Windows

Introduction

A typical RayVentory (RV) implementation consists of one RV Server and one RV Scan Engine instance per site. Every RV Scan Engine must be able to upload to the RV Server, either directly or indirectly by uploading to another RV Scan Engine instance which then acts as a relay.

To encrypt the traffic (HTTPS) between the target devices and the RV Scan Engine, provide the full path to the .CER file containing your SSL certificate (the export steps are described below). The certificate authority that issued the certificate has to be trusted on every client connecting to the server. Once a certificate is selected, HTTPS becomes the default communication protocol for RV Agents and RV Scan Engines.

When you install an SSL certificate, your server may ask you to import a CA Bundle along with your primary certificate. The CA Bundle (the root and intermediate CA certificates) together with your server certificate (issued specifically for your domain) are the files that complete the SSL chain of trust.

The CA Bundle matters for every client that does not fetch missing intermediate certificates on its own. curl, which the RV Agent uses for config download and result upload, does not, and neither do older browser versions and obsolete systems. If an intermediate certificate is missing or is not configured properly, such clients will not recognize your certificate.

A missing intermediate is one of the most common causes of SSL connection errors. To avoid this issue, import the right CA Bundle file. The chain the server presents must be in the correct order: the server certificate first, then the intermediate that issued it, then the next intermediate up, and finally (optionally) the CA root. Inside the client-side trust file used by the agent (curl-ca-bundle.crt, see the agent configuration sections below) the order of the CA certificates does not matter, but every certificate must be present as a complete Base64 block.
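What a missing intermediate looks like to a curl-based client such as the RV Agent, shown with a lab script added to this article (it is an illustration, not Raynet code or a RayVentory tool): it builds a throwaway root / intermediate / leaf chain with the openssl command-line tool and runs the same path validation that curl performs with --cacert. The CA names, the hostname rvscan.example.local and all file names are invented for the lab.

```shell
#!/bin/sh
# Added illustration, not Raynet code: build a throwaway Root -> Intermediate -> Leaf
# chain with the openssl command-line tool and show how verification behaves when
# the intermediate is missing. Names (Lab Root CA, rvscan.example.local) are invented.
set -eu

# make_chain DIR: write root.pem, int.pem and leaf.pem (and their unencrypted lab
# keys) into DIR. Never reuse these keys outside the lab.
make_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Root CA, self-signed. 'req -x509' marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: a CSR signed by the root, with CA:TRUE so it may issue certificates.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null
  # Leaf: the kind of server certificate a RV Scan Engine presents, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rvscan.example.local" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rvscan.example.local\n' > "$dir/leaf.ext"
  openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf CAFILE LEAF: 0 when LEAF chains to a trusted root through CAFILE, 1 otherwise.
# This is the same path-building step curl performs with --cacert CAFILE.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chain_subjects PEMFILE: print the "subject=" / "issuer=" lines of every certificate in
# PEMFILE, so the chain (each issuer must be the subject of the next) can be read off.
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep -E '^(subject|issuer)='
}

demo() {
  lab="${TMPDIR:-/tmp}/rv-chain-lab.$$"
  make_chain "$lab"
  # Trust store holding the root only: the leaf's issuer cannot be found. This is the
  # 'unable to get local issuer certificate' failure seen when an intermediate is missing.
  verify_leaf "$lab/root.pem" "$lab/leaf.pem" && echo "root only: ok" \
    || echo "root only: FAIL (intermediate missing)"
  # Root plus intermediate, in either order: the chain completes.
  cat "$lab/int.pem" "$lab/root.pem" > "$lab/bundle.pem"
  verify_leaf "$lab/bundle.pem" "$lab/leaf.pem" && echo "root+intermediate: ok" \
    || echo "root+intermediate: FAIL"
  chain_subjects "$lab/bundle.pem"
  rm -rf "$lab"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh chain-lab.sh --demo`. The first verification fails and the second succeeds; the printed subject/issuer pairs are the quickest way to confirm, for a real export, that the .CER files you collected actually link the server certificate up to the root.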

Note:

- RV Inventory Agent does not consider certificates from the Windows certificate store; it relies on its own curl CA bundle (see "Configuration options for RV Agents" below).

- Certificates need to be exported as Base64-encoded .CER (PEM); a binary (DER) export is not readable by the agent's curl.

 

SSL Configuration for RayVentory Scan Engine
Prerequisite steps:

A) Obtain an SSL certificate (prerequisite).

OPTIONAL (depends on configuration): Configure IIS on the RayVentory Server - https://raynetgmbh.zendesk.com/hc/en-us/articles/360001124766

B) First install the SSL certificate as .PFX (certificate with private key) into the certificate store of the RV Scan Engine server; then export it as Base64 .CER (certificate only, without the private key).

  1. Open the certificate manager (Start > Run > certmgr.msc for the current-user store, or certlm.msc if the .PFX was imported into the Local Machine store).
  2. Click [+] next to Certificates > Personal > Certificates.
    Locate and select the certificate for the correct domain.
    Right-click and select All Tasks > Export.
  3. Press Next. If the wizard asks whether to export the private key, choose "No, do not export the private key".
  4. Choose Base-64 encoded X.509 (.CER) for the certificate file format. Click Next.
  5. Click Browse and save your .cer file.
  6. Press Next > Finish > OK.

C) Store the .CER file in a folder which is accessible to the RV Scan Engine.

D) Configure RV Scan Engine to use HTTPS by selecting the .CER file.

  • Use RV Scan Engine Settings (tab 'Inventory Agent') to ensure that the upload/download parameters in the config files (.CFG) contain the correct URL (protocol, port, path), and test those URLs with a web browser before installing RayVentory Agents. The browser must show a trusted connection without a certificate warning; whatever the browser warns about will be a hard failure for the agent, which does not prompt.
  • Restart the HTTP Service of RV Scan Engine so that the new settings are applied.

E) Install RayVentory Agent for Windows or Non-Windows - https://raynetgmbh.zendesk.com/hc/en-us/articles/4403064053140-RVY200728-Installation-of-RayVentory-Agent-for-non-Windows-

Configuration options for RV Agents

RV Agents need to trust the CAs that issued the server certificate in order to communicate via HTTPS.

1. Create .CER files for each CA authority

Follow the steps described above to export the Root certificate and every Intermediate certificate as a Base64 .CER file. They are listed under Trusted Root Certification Authorities and Intermediate Certification Authorities in the certificate manager, and the "Certification Path" tab of the server certificate shows which ones are needed.

2. Adding the certificate chain to the "curl-ca-bundle.crt" file (RECOMMENDED METHOD 1)

Navigate to the installation location of the InventoryAgent and open the file curl-ca-bundle.crt.

Append the content of the root and each intermediate certificate to the file, each as a complete block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (alternatively, replace the whole file with a prepared copy). This has to be done for every installation of the Windows agent.

If you need assistance with deployment, we kindly suggest that you contact Raynet Support.

3. Specifying the certificate location (ALTERNATIVE METHOD 2)

Copy the content of all .CER files (created in step 1) into a new, separate file (if you do not want to use "curl-ca-bundle.crt") and copy that file to every RV Agent installation.

To specify the certificate location, go to SETTINGS → INVENTORY → INVENTORY AGENT → EDIT and set

configDownloadCurlArgs=--cacert <pathtocertificate>

resultUploadCurlArgs=--cacert <pathtocertificate>

The path follows the --cacert option after a space, not an "=" (with "--cacert =<path>" curl would look for a file literally named "=<path>"); quote the path if it contains spaces.


 

4. Disabling the certificate check (ALTERNATIVE METHOD 3 - NOT recommended)

To disable checking of the SSL certificate, go to SETTINGS → INVENTORY → INVENTORY AGENT → EDIT

In the CONFIGURATION EDITOR add "-k" to the properties "configDownloadCurlArgs" and "resultUploadCurlArgs".

With -k the agent accepts any certificate, so anyone able to intercept the traffic can serve a forged configuration to the agent and read or alter the uploaded inventory. Use it only temporarily to isolate a certificate problem, and remove it afterwards.


Configuration options for Non-Windows 

Prerequisites

A) Install RayVentory Agent for Windows or Non-windows - https://raynetgmbh.zendesk.com/hc/en-us/articles/4403064053140-RVY200728-Installation-of-RayVentory-Agent-for-non-Windows-

B) Open the file /opt/rvia/rvia.cfg and ensure that the upload/download parameters in the config file contain the correct URL (protocol, port, path); test those URLs with a web browser.

RV Agents need to trust the CAs that issued the server certificate in order to communicate via HTTPS.

1. Create .CER files for each CA authority

Follow the steps described above to export the Root certificate and every Intermediate certificate as a Base64 .CER file on the RV Scan Engine server, then copy the files to the non-Windows host.

2. Adding the certificate chain to the "curl-ca-bundle.crt" file (RECOMMENDED METHOD 1)

Navigate to the installation location of the Inventory Agent and open the file curl-ca-bundle.crt.

Append the content of the root and each intermediate certificate to the file, each as a complete block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (alternatively, replace the whole file with a prepared copy). Files exported on Windows carry CRLF line endings; they are accepted as they are, but make sure no lines were lost when copying. This has to be done for every installation of the Inventory Agent.

If you need assistance with deployment, we kindly suggest that you contact Raynet Support.

3. Specifying the certificate location (ALTERNATIVE METHOD 2)

Copy the content of all .CER files (created in step 1) into a new, separate file (if you do not want to use "curl-ca-bundle.crt") and copy that file to every RV Agent installation.

Open the file /opt/rvia/rvia.cfg with a text editor and set:

configDownloadCurlArgs=--cacert <pathtocertificate>

resultUploadCurlArgs=--cacert <pathtocertificate>

The path follows the --cacert option after a space, not an "=" (with "--cacert =<path>" curl would look for a file literally named "=<path>"). The file must be readable by the account the agent runs under.
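The following script is added to this article as an example (it is not Raynet code and not part of the RayVentory Agent) and covers method 1 and method 2 on both platforms: it assembles the PEM bundle that the agent's curl will trust from the Base64 .CER exports, rejecting a binary export and stripping anything outside the certificate blocks, prints the two rvia.cfg lines in the correct "--cacert <file>" form, and exercises the configured URL with that bundle and without -k, exactly as the agent will. The paths /opt/rvia/certs and /opt/rvia/ca-bundle.crt and the URL https://rvscan.example.local/ are assumptions for the illustration; on Windows run it from a POSIX shell and substitute the agent's installation folder.

```shell
#!/bin/sh
# Added example, not Raynet code: assemble the PEM bundle that the RV Agent's curl
# will trust from the Base64 .CER exports, emit the matching rvia.cfg lines, and
# exercise the configured URL with that bundle (and without -k).
# Assumed paths: exports in /opt/rvia/certs, bundle at /opt/rvia/ca-bundle.crt,
# and the Scan Engine URL https://rvscan.example.local/ (all invented).
set -eu

# pem_blocks FILE: print only the certificate block(s) of FILE. CRLF line endings
# (as written by the Windows export wizard) are normalised to LF and any text
# outside BEGIN/END is dropped. Fails if FILE holds no PEM block at all, which is
# what a binary (DER) .CER export looks like; curl would not read such a file.
pem_blocks() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
    inblock { print }
    /^-----END CERTIFICATE-----$/ { inblock = 0; n++ }
    END { if (n == 0) exit 1 }'
}

# build_bundle OUT CER...: write every certificate from the .CER files into OUT.
# Order inside a trust bundle is irrelevant; completeness of each block is not.
build_bundle() {
  out="$1"; shift
  : > "$out"
  for cer in "$@"; do
    if ! pem_blocks "$cer" >> "$out"; then
      echo "error: $cer contains no Base64 (PEM) certificate block" >&2
      return 1
    fi
  done
  echo "$out: $(grep -c -- '-----BEGIN CERTIFICATE-----' "$out") certificate(s)"
}

# curl_arg_line KEY BUNDLE: the rvia.cfg line for KEY. The file name follows
# --cacert after a space; '--cacert =path' would make curl look for a file named '=path'.
curl_arg_line() {
  printf '%s=--cacert %s\n' "$1" "$2"
}

# check_url BUNDLE URL: perform the same verification the agent will, against BUNDLE
# only. curl exits with 60 ("SSL certificate problem") when the chain does not
# verify, e.g. because an intermediate is missing from the server or from the bundle.
check_url() {
  curl --silent --show-error --cacert "$1" --output /dev/null \
       --write-out 'HTTP %{http_code} %{url_effective}\n' "$2"
}

if [ "${1:-}" = "--run" ]; then
  build_bundle /opt/rvia/ca-bundle.crt /opt/rvia/certs/*.cer
  curl_arg_line configDownloadCurlArgs /opt/rvia/ca-bundle.crt
  curl_arg_line resultUploadCurlArgs /opt/rvia/ca-bundle.crt
  check_url /opt/rvia/ca-bundle.crt https://rvscan.example.local/
fi
```

Run it as `sh rv-bundle.sh --run` on the agent host after copying the exports; paste the two printed lines into rvia.cfg (or into the Windows configuration editor). If check_url ends with curl error 60, the bundle or the chain served by the Scan Engine is incomplete; fix that rather than reaching for -k.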


4. Disabling the certificate check (ALTERNATIVE METHOD 3 - NOT recommended)

To disable checking of the SSL certificate, open the file /opt/rvia/rvia.cfg with a text editor:

Add "-k" to the properties "configDownloadCurlArgs=" and "resultUploadCurlArgs=".

With -k the agent accepts any certificate, so anyone able to intercept the traffic can serve a forged configuration to the agent and read or alter the uploaded inventory. Use it only temporarily to isolate a certificate problem, and remove it afterwards.


Testing

On the machine run an inventory, then an upload.
If the configuration was done correctly, the upload will finish successfully.
To check the status of the upload and of the connection to the Scan Engine, look inside the log: (on Windows) C:\ProgramData\Raynet\RayVentoryInventoryAgent\rvia.log or (on non-Windows) /opt/rvia/rvia.log. When curl cannot verify the chain it reports "SSL certificate problem: unable to get local issuer certificate" (curl exit code 60); that is the signature of a missing intermediate or a wrong --cacert path, not of a network problem.

