Configuring TDownloader for Linux endpoints

Patch 2.2 introduces support for Red Hat and CentOS Linux endpoints as a Limited Availability feature. For more information about how to configure your Tanium Server for Linux endpoints, consult your TAM.

Overview

To use Patch on Red Hat Linux endpoints, you must configure TDownloader to use certificate authentication for downloads to the Red Hat Satellite server. For more information about TDownloader, see Tanium Core Platform Installation Guide: TDownloader.

The available scanning techniques include Repo Scan and Tanium Scan. For the Repo Scan technique, you can use all repositories from which an endpoint can pull. For the Tanium Scan technique, you must use Red Hat Content Delivery Network, Red Hat Satellite 6 or later, or custom repositories.

Before you begin

Ensure that you meet the following prerequesites:

  • Tanium Platform 7.2.314.3235 or later.
  • Tanium Client 6.0.314.1554 or later.
  • Patch 2.2 or later.
  • Click Initialize Endpoints on the Patch home page.
  • Enable the Enable RedHat/CentOS Linux Support option in the Limited Availability Features tab of the Patch Settings .
  • Obtain a valid SSL client certificate and private key and the SSL certificate authority (CA) certificate of the satellite server from the Red Hat, Inc. website. For more information, see Creating a Red Hat certificate for Tanium downloads (login required).

Configure TDownloader

  1. Copy the SSL client private key, client certificate, and satellite server certificate to your Tanium Server.
  2. Ensure that the Tanium Server can reach cdn.redhat.com or the Red Hat Satellite server by name. Verify using the ping command:
    ping cdn.redhat.com or ping rhelpatchsatellite01.prodqa.local
  3. On each Tanium Server, configure TDownloader to use certificate authentication for downloads to the Red Hat Satellite server. For example:
    cmd-prompt>TDownloader.exe add-auth-cert --url https://rhelpatchsatellite01.prodqa.local --cert C:\client-certificate.pem --key C:\client-key.pem
    where:
    • https://rhelpatchsatellite01.prodqa.local is the URL prefix for the satellite server download URLs
    • C:\client-certficate.pem is the client certificate
    • C:\client-key.pem is the client certificate private key
  4. Check the TDownloader config to see that your certificate has been configured.
    cmd-prompt>TDownloader.exe config list
    Keys:
      - Auth:
    - Auth.0:
    - Auth.0.Certificate: -----BEGIN CERTIFICATE----- MIIFPTCCBCWgAwIBAgIIbY/mIdQbgMowDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNV BAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWln aDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9yZ1VuaXQxKjAoBgNV BAMMIXJoZWxwYXRjaHNhdGVsbGl0ZTAxLnByb2RxYS5sb2NhbDAeFw0xODA0MjAw NDAwMDBaFw0xOTA0MjAwMzU5NTlaMEYxGTAXBgNVBAoMEHRhbml1bV9wYXRjaF9k ZXYxKTAnBgNVBAMTIDBjYjk4NjcyZjBhNTQ0MDJhNzIzYmNjOGI5ODFjYTg3MIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXPySC20fPzMreenmX+4mUhS s/cdArQZOeeKliCdXI7Q/ZW0ZrhsgmMZTL+BNbZKUp72e0L3GF3yj0wx/8LWRLVC S9AaZdbXmJRK7B5mwpQaLtfuE93bJIkmBbzKA49jiwFdDE0J6v+wj0NgBZ3hr0NH V2O1hAwar2xkzz9fCTwyAR6d2I9Dpcfua8nH0ybO5kR8v1Epp70vw9/uMmGM3PCe YFX81ll3wxStbHj/DznUzQ/vFE0SZxLXh9LyWy9Nq+obLaFeDxJ0DT7iXotwVqWs Qow/upQ60vuYpAT57JM5tkrP+rKcct+TVVJNS/QmJC3yOwZWf8rIISRH4cb+GQID AQABo4IB5jCCAeIwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1UdDwQEAwIEsDCBwQYD VR0jBIG5MIG2gBRNdbtnITo9NxbcUdarkRIJv464dqGBkqSBjzCBjDELMAkGA1UE BhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdo MRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEqMCgGA1UE AwwhcmhlbHBhdGNoc2F0ZWxsaXRlMDEucHJvZHFhLmxvY2FsggkAx2ndp2OhmcYw HQYDVR0OBBYEFHX7IDsUYNAZdI5dBxckm5a8y60aMBMGA1UdJQQMMAoGCCsGAQUF BwMCMBIGCSsGAQQBkggJBgQFDAMzLjMwFAYJKwYBBAGSCAkIBAcMBUJhc2ljMIGd BgkrBgEEAZIICQcEgY8EgYx42i2MMQrDMBAE9zFukyYgfyJdHmDO8oIEis7cXYz9 e8ck1UwxjNM2GsbXj1bYsFQP6BpVuzRk7cEeSP8kYYRL3EK1OZ51NrED6f5ASK+f 97RK5DIt3KAO7mHiGIyN4rwGw/wVsVxwAp4aKvUSzZXb1epTaC96MJ25BX5rmucc vyYlbSe9CpomkcWhADANBgkqhkiG9w0BAQUFAAOCAQEAubxqAqH/IQqIODQwaX9x NrIuJp3qWIUFjxZ1Vby4lEg2xmwfBtvNKminJBWNwOMZjq40xrEz0C2sxqkr/npv cbI4MMdQX1rdxMwsntgUZK8ApRR/pPwyxqAoa8IjahVBHNdFoA4+BBjcLcvzA1PB PReiXo0GS2gQQAb8U7d/jBTG1gm3ZpJFBxv7NBM9tEey3DwzP5LWPnZZmstRrlfx 7sb5J/2zLvWuMG+dMJ5jkgUKTuNdccdBP9PEVrAKiDuoLCl4UqnP0YzMJd+e9Ktx FC1QCICFUQLhZ/QVAhh8hIw0jSxIcGN+KVJF52BGdzUxvoidfqtMsjc/8NSTRk+T /g== -----END CERTIFICATE-----
    - Auth.0.PrivateKey: (protected) - Auth.0.URL: https://rhelpatchsatellite01.prodqa.local - LogVerbosityLevel: 41 - ProxyPassword: - ProxyPort: - ProxyServer: - ProxyType: NONE - ProxyUserid: - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt - TrustedHostList: localhost,tanium.local,win-2012-r2
  5. Add the satellite server PEM-encoded certificate to the certificate file that is configured in TDownloader for the TrustedCertPath. For example:
    cmd-prompt>TDownloader.exe config list
    Keys:
    - Auth:
    - Auth.0: - Auth.0.Certificate: -----BEGIN CERTIFICATE-----
    ....
    - TrustedCertPath: C:\Program Files\Tanium\Tanium Server\Certs\installedcacert.crt
    To configure TDownloader to work with the Red Hat content delivery network (CDN), append the following certificate for cdn.redhat.com to the end of the installedcacert.crt file.
    Closed-----BEGIN CERTIFICATE-----

Last updated: 11/13/2018 3:06 PM | Feedback