Securing Tanium Console, API, and Module Server access

Tanium as a Service (TaaS) uses Transport Layer Security (TLS) to secure the connections among Tanium Core Platform components. However, you cannot change the digital certificates and keys that TaaS uses for TLS communication.

Tanium user and module operations require connections to the Tanium Servers, Module Server, and Tanium module services. The Tanium Core Platform uses SSL/TLS certificates and keys to secure connections to the Tanium Server and Module Server (illustrated in Figure  2). For example, when you use Tanium™ Patch to deploy patches to endpoints, the Tanium Core Platform establishes connections in the following order:

  1. User system (browser or CLI) to the Tanium Server (Tanium Console or API)
  2. Tanium Server to Tanium Module Server
  3. Module Server to Patch service
  4. Patch service to Tanium Server

The Tanium Server and Module Server installers generate self-signed certificates. You can replace these with certificates issued by a commercial certificate authority (CA) or your enterprise CA. As a best practice to facilitate troubleshooting, use the self-signed certificates during initial installation and replace them with CA-issued certificates later. This practice enables you to separate potential installation issues from TLS connection issues. Using a CA-issued certificate is highly recommended for Tanium Console and API access but is optional for communication between the Tanium Server and Module Server.

Tanium Console and API access require user authentication through login credentials, but not for securing the TLS connection.

To manage the keys that secure communication among the Tanium Servers, Zone Server, Zone Server Hub, and Tanium Clients, see Tanium Console User Guide: Managing Tanium keys.

To install the Tanium Server or Module Server, see Tanium Appliance Deployment Guide or Tanium Core Platform Deployment Guide for Windows.