Reference: Tanium Operations menu

Tanium™ operations include management of Tanium services, configuration settings, and certificate and public key files.

Start, stop, and restart Tanium services

Tanium™ component servers and the database server can be managed with common service control commands:

  • Start
  • Stop
  • Restart
  • Disable
  • Enable

To issue a command:

  1. Log into the TanOS console as the user tanadmin.

    The TanOS console displays the tanadmin menu.

  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 1 to go to the Tanium Service Control menu.
  4. Enter the line number of the service you want to manage to display the service commands.
  5. Type the number of a service control command to issue it.

Change a Tanium server configuration

You can use the Configuration Settings menu to change the log level or the Tanium component server configuration settings. Contact your technical account manager (TAM) before changing Tanium configuration settings.

Edit server settings

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Use the menu to view and edit Tanium component server settings.
For detailed guidelines on Tanium Core Platform server settings, see the Tanium Core Platform Deployment Reference Guide: Settings.

Add an authentication user for TDownloader

TDownloader is a utility used by the Tanium Core Platform to perform file downloads. A destination server might require user authentication. Use this menu to add user credentials for the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 3 (Tanium Server TDL Auth User) or 7 (Tanium Module Server TDL Auth User) and follow the prompts to configure user credentials for the specified destination server URL.
  5. Review the resulting configuration.

Add an authentication certificate for TDownloader

A destination server might require certificate authentication. Use this menu to add a client certificate and key to the Tanium Server TDownloader instance or the Module Server TDownloader instance.

  1. Use SFTP to copy the client certificate file and key file to the /incoming folder.

  2. Log into the TanOS console as the user tanadmin.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter 2 to go to the Tanium Configuration Settings menu.
  5. Enter 4 (Tanium Server TDL Auth Cert) or 8 (Tanium Module Server TDL Auth Cert) and follow the prompts to upload the certificate and key file and configure TDownloader to use them for the specified destination server URL.
  6. Review the resulting configuration.

Manage authentication certificates for Tanium Patch connections with RedHat

Tanium Patch downloads files from a RedHat satellite server that requires certificate authentication.

  1. Obtain from RedHat a client certificate and key file that is specific to your subscription entitlement and create files named client-certificate.pem and client-key.pem as described in the Tanium Support KB: Creating a RedHat certificate for Tanium downloads (login required).
  2. Use SFTP to copy the certificate file and key file to the /incoming folder.
  3. Log into the TanOS console as the user tanadmin.
  4. Enter 2 to go to the Tanium Operations menu.
  5. Enter 2 to go to the Tanium Configuration Settings menu.
  6. Enter 4 (Tanium Server TDL Auth Cert) and follow the prompts to upload the certificate file and key file and to configure TDownloader to use them for the specified destination server URL.
  7. Enter 12 (Control RedHat CA Cert) and use the menu to install the RedHat enterprise CA certificate file (redhat-uep.pem).

Edit zone server list

  1. Log into the Zone Server Hub appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Configuration Settings menu.
  4. Enter 10 to edit the zoneserverlist.txt file.
  5. Add the IP address or FQDN for each Zone Server and save the file.

Edit zone server isolated subnets list

You can use the Tanium Console to configure the isolated subnets list for Tanium Servers but not Zone Servers. You can use the TanOS menus to configure the list for Zone Servers.

  1. On the Zone Server appliance, log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 2 to go to the Tanium Configuration Settings menu.
  4. Enter 11 to edit the isolatedsubnets.txt file.
  5. Use the menu to specify the CIDR IP address for subnets in which clients should never peer.
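
The following added example (not part of the Tanium documentation or TanOS) pre-checks the values you intend to enter for the zone server list and the isolated subnets list before you type them into the menus. The function names and sample values are assumptions made for illustration; the checks themselves (IP address or FQDN for zone servers, strict CIDR notation for subnets, overlap detection) use only the Python standard library.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_zone_server_entry(entry):
    """Return None if entry is an IP address or FQDN, otherwise a reason string."""
    entry = entry.strip()
    try:
        ipaddress.ip_address(entry)
        return None
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(entry) > 253 or len(labels) < 2:
        return "not an IP address or fully qualified domain name"
    if not all(_LABEL.match(label) for label in labels):
        return "invalid hostname label"
    if labels[-1].isdigit():
        return "looks like a malformed IP address"
    return None

def check_isolated_subnets(entries):
    """Return (accepted networks, problems) for intended isolated-subnet entries."""
    networks, problems = [], []
    for n, raw in enumerate(entries, 1):
        entry = raw.strip()
        if "/" not in entry:
            problems.append((n, entry, "missing /prefix length"))
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)  # rejects host bits
        except ValueError as exc:
            problems.append((n, entry, str(exc)))
            continue
        clash = next((p for p in networks if p.overlaps(net)), None)
        if clash is not None:
            problems.append((n, entry, f"overlaps {clash}"))
            continue
        networks.append(net)
    return networks, problems

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_ZONE_SERVERS = ["192.0.2.10", "zs1.example.com", "10.0.0.256", "zs2"]
SAMPLE_SUBNETS = ["192.0.2.0/24", "198.51.100.17/28", "192.0.2.128/25", "203.0.113.5"]

if __name__ == "__main__":
    print([(h, check_zone_server_entry(h) or "ok") for h in SAMPLE_ZONE_SERVERS])
    print(check_isolated_subnets(SAMPLE_SUBNETS))
```

An entry with host bits set, such as 198.51.100.17/28, is reported rather than silently rounded to its network address, so you can confirm which subnet was actually intended.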

Change a Tanium component server port

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 3 to go to the Change Tanium Port menu.
  4. Use the menu to change the port configuration.

Install a custom SOAP certificate

You can replace the self-signed certificates generated by the Tanium Server and Tanium Module Server installers with an SSL certificate issued by a commercial or enterprise certificate authority (CA).

For detailed information about the SSL certificates used in a Tanium deployment, see the Tanium Core Platform Deployment Reference Guide: SSL certificates.

Upload the CA certificate file

  1. Set up an SFTP client to connect to the Tanium appliance:
    1. Specify tancopy for user name.
    2. Click the Advanced button.
    3. Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance in Completing the initial setup (hardware appliances).
  2. Use SFTP to copy the SOAP certificate and key files to the /incoming directory on the appliance.

Install the SOAP certificate file

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 4 to go to the Install Custom SOAP Cert procedure.
  4. Follow the prompts to install the certificate and key files you uploaded in the previous procedure.

If you replace the self-signed SOAP certificate on the Tanium Server with a CA-provided certificate, you must also redo both remote Module Server configuration steps to update the certificates that are derived from that certificate on each server. See Configure the Tanium Server to use the remote Module Server.

Enable import of user-created content

The Tanium Server requires that content XML files imported into the Tanium Console be signed, and it verifies the signatures with public keys stored on the Tanium Server. The public keys for content developed by Tanium and delivered via content.tanium.com are included with the installation. To import user-created content, you must use a utility provided by Tanium to sign the content, and you must upload the public key from that pair to the Tanium Server.

  1. Download the content signing key utility (keyutility.exe). See Download the content signing key utility.
  2. Use keyutility.exe to generate a cryptographic key pair and use it to sign the user-created content you want to import into the Tanium Server. See the Tanium Core Platform User Guide.
  3. Rename the public key file from that key pair to import.pub and use SFTP to upload it to the /incoming folder of the Tanium Server appliance.
  4. Log into the TanOS console as the user tanadmin.
  5. Enter 2 to go to the Tanium Operations menu.
  6. Enter 5 to go to the Manage Custom Signing Keys menu.
  7. Enter 3 to go to the Add Content Signing Key menu and then follow the prompts to import the public key file.

Watch the tutorial on managing content signing keys for the Tanium Appliance on the Tanium Community website.

Download the content signing key utility

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Enter 1 to copy the KeyUtility.exe and related files to a zip file in the /outgoing directory.
  5. Use SFTP to copy the file from the /outgoing directory to your local computer.

Manage content signing keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 5 to go to the Manage Custom Signing Keys menu.
  4. Use the menus to add, remove, or list the key files.

Download the Tanium Server public key file

Download the Tanium Server public key file so you can include it in Tanium Client installation packages.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 6 to go to the Download Public Key procedure.
  4. Follow the prompts to copy the public key to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Download the Tanium Server SOAP certificate

Download the Tanium Server SOAP certificate file for configuration of a remote Windows Module Server, or other use.

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 7 to go to the Download SOAP Certificate procedure.
  4. Follow the prompts to copy the SOAP certificate file to the /outgoing directory.
  5. Use SFTP to copy the tanium.pub file from the /outgoing directory on the appliance to your management computer.

Import the Tanium public/private key pair

When you migrate an existing deployment to new installations, you might want to migrate the Tanium Server public/private key pair to avoid redistributing the tanium.pub key file to Tanium Clients.

Upload the public and private key files

  1. Add the public/private key pair you want to copy to a passphrase-protected tanium.zip file.
  2. Use SFTP to copy the tanium.zip file to the /incoming directory on the Tanium Server appliance.

Replace the public and private keys

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter 8 and then follow the prompts to import the zip file and install the keys.

Change the Tanium content manifest URL

  1. Log into the TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter C to go to the Manifest URL Change menu and make your changes.

Install the Trace Zone Proxy package

The Trace zone proxy service has two parts: the Trace zone proxy (TZ proxy) and the Trace zone hub (TZ hub). The TZ hub is installed on a Tanium Module Server and the TZ proxy is typically installed on a Zone Server. The TZ hub connects to one or more TZ proxies, creating a tunnel between itself and each proxy to allow Trace remote endpoint connections to be established.

Import the Trace Zone Hub solution

In the Tanium Console, go to the Solutions page and import the Trace Zone Hub solution.

Generate the Trace Zone Proxy package

Go to Trace and generate a Trace Zone Proxy package. See the Tanium Trace User Guide.

When you generate the Trace Zone Proxy package, the package displays a Pending status and a Publish All button. Do not click Publish All until you have downloaded the Trace Zone Proxy package from the Module Server, as described in the next section. As a security feature, the package .zip files are deleted from the Module Server when you click Publish All.

Download the Trace Zone Proxy package from the Module Server

  1. Log into the Module Server TanOS console as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter M to display the Module Operations menu.
  4. Enter 1 and then follow the prompts to copy the Trace Zone Proxy package to the /outgoing folder.
  5. Use SFTP to copy the file to your management computer.

Install the Trace Zone Proxy package on the Zone Server

  1. Use SFTP to copy the file to the Zone Server /incoming folder.
  2. Log into the Zone Server TanOS console as the user tanadmin.
  3. Enter 2 to go to the Tanium Operations menu.
  4. Enter M to display the Module Operations menu.
  5. Enter A and then follow the prompts to install the Trace Zone Proxy package.

Last updated: 4/19/2019 11:23 AM