Certificate Manager requirements

Review the requirements before you install and use Certificate Manager.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Certificate Manager

  • Tanium™ Core Platform servers: 7.5.5.1140 or later

  • Tanium™ Client: 7.4 or later

Solution dependencies

Other Tanium solutions are required for Certificate Manager to function (required dependencies) or for specific Certificate Manager features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Certificate Manager dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Certificate Manager requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Certificate Manager, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Certificate Manager to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Certificate Manager has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

Certificate Manager has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Connect 5.9.65 or later to create connections with reports as the data source

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Certificate Manager:

| Operating System | Version | Notes |
| --- | --- | --- |
| Windows | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | |
| macOS | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | SSL Audit only |
| Linux | Same as Tanium Client support. See Tanium Client Management User Guide: Client version and host system requirements. | Requires OpenSSL 1.0.1 or later. For more information, see Error: EC_KEY_new_by_curve_name. Requires lsof to capture owning process data. For more information, see ERROR - lsof was not found. |
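
A pre-flight check for the two Linux requirements above, as an added example that is not Tanium's code. The function names and the --check flag are this example's own, and it assumes the openssl command on PATH reflects the OpenSSL that the endpoint uses.

```shell
#!/bin/sh
# Added example: pre-flight check for the Linux endpoint notes above.
# Minimums come from the page: OpenSSL 1.0.1 or later, and lsof present.
MIN_OPENSSL=1.0.1

# Print the X.Y.Z part of an `openssl version` banner, dropping letter and
# build suffixes ("1.0.2k-fips"). Prints nothing for an unrecognized banner.
parse_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B (three numeric fields).
version_ge() {
    set -- $(printf '%s %s\n' "$1" "$2" | tr '.' ' ')   # a1 a2 a3 b1 b2 b3
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# openssl_banner_ok BANNER: succeed when the banner meets MIN_OPENSSL.
# Unrecognized banners fail so that they get a manual look.
openssl_banner_ok() {
    v=$(parse_openssl_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_OPENSSL"
}

# check_host: run both checks on this endpoint, one line per finding.
check_host() {
    rc=0
    banner=$(openssl version 2>/dev/null) || banner=""
    if openssl_banner_ok "$banner"; then
        echo "OK   openssl: $banner"
    else
        echo "FAIL openssl: need $MIN_OPENSSL or later, found '${banner:-none}'"; rc=1
    fi
    if command -v lsof >/dev/null 2>&1; then
        echo "OK   lsof: $(command -v lsof)"
    else
        echo "FAIL lsof: not found, owning process data cannot be captured"; rc=1
    fi
    return $rc
}

# Run the live check only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```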

Host and network security requirements

Specific processes are needed to run Certificate Manager.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Certificate Manager security exclusions for endpoints
| Endpoint OS | Notes | Exclusion Type | Exclusion |
| --- | --- | --- | --- |
| Windows | | Process | <Tanium Client>\Python38\TPython.exe |
| Windows | | Folder | <Tanium Client>\Python38 |
| Windows | | Process | <Tanium Client>\TaniumCX.exe |
| Windows | | Process | <Tanium Client>\Tools\StdUtils\TaniumExecWrapper.exe |
| Windows | | Folder | <Tanium Client>\Tools\CertificateManager |
| Linux | | Process | <Tanium Client>/python38/python |
| Linux | | Process | <Tanium Client>/TaniumCX |
| Linux | | Process | <Tanium Client>/Tools/StdUtils/TaniumExecWrapper |
| Linux | | Folder | <Tanium Client>/Tools/CertificateManager |
| macOS | | Process | <Tanium Client>/python38/python |
| macOS | | Process | <Tanium Client>/TaniumCX |
| macOS | | Process | <Tanium Client>/Tools/StdUtils/TaniumExecWrapper |
| macOS | | Folder | <Tanium Client>/Tools/CertificateManager |

User role requirements

The following table lists the role permissions required to use Certificate Manager. To review a summary of the predefined roles, see Set up Certificate Manager users.

Do not assign the Certificate Manager Service Account role to users. This role is for internal purposes only.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Certificate Manager user role permissions
| Permission | Certificate Manager Operator¹,²,³ | Certificate Manager User²,³ | Certificate Manager Read Only User²,³ | Certificate Manager Configuration Approver¹ |
| --- | --- | --- | --- | --- |
| Certificate Manager. SHOW: View the Certificate Manager workbench. USER: User access to Certificate Manager | SHOW, USER | SHOW, USER | SHOW | |
| Certificate Manager API. Use the Certificate Manager API | USER | USER | USER | |
| Certificate Manager Config. View, update, or distribute the Certificate Manager configuration. APPROVE: approve proposed Endpoint Configuration changes for Certificate Manager | READ, WRITE, EXECUTE | READ | READ | APPROVE |
| Certificate Manager Read Only. Read-only access to the Certificate Manager module | USER | USER | USER | |

1 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

2 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

3 This role provides module permissions for Tanium Reporting. You can view which Reporting permissions are granted to this role in the Tanium Console. For more information, see Tanium Reporting User Guide: User role requirements.

Provided Certificate Manager administration and platform content permissions

| Permission | Permission Type | Certificate Manager Operator | Certificate Manager User | Certificate Manager Read Only User | Certificate Manager Configuration Approver |
| --- | --- | --- | --- | --- | --- |
| Action Group | Administration | READ | READ | READ | |
| Action | Platform Content | WRITE | WRITE | | |
| Dashboard | Platform Content | READ | READ | READ | |
| Filter Group | Platform Content | READ | READ | READ | |
| Own Action | Platform Content | READ | READ | | |
| Package | Platform Content | READ | READ | READ | |
| Plugin | Platform Content | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE |
| Saved Question | Platform Content | READ | READ | READ | |
| Sensor | Platform Content | READ | READ | READ | |

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.