Securing Tanium Server, Zone Server, and Tanium Client access

Tanium as a Service (TaaS) uses Transport Layer Security (TLS) to secure the connections among Tanium Core Platform components. You cannot change the digital certificates and keys that TaaS uses for TLS communication.

Overview of TLS in the Tanium Core Platform

Tanium Core Platform 7.2 or later uses the following protocols for communication among platform components:

  • Tanium Protocol: This application protocol is proprietary to Tanium and uses TLS 1.2 to encrypt communication. You cannot use network devices such as firewalls to decrypt and inspect Tanium Protocol traffic.
  • Hypertext Transfer Protocol Secure (HTTPS): The Tanium Core Platform uses TLS 1.2 to encrypt HTTPS communication among platform components. The components negotiate the TLS version for HTTPS connections with external servers but enforce TLS 1.2 as the minimum version.

The following table lists the connections among Tanium Core Platform components and the protocol that each connection uses. The numbers correspond to the connections in Figure 1.

 Table 1: TLS communication in the Tanium Core Platform

    Connection                                                                                                          | Protocol
  1 Tanium Console or API user systems to Tanium Servers                                                                | HTTPS
  2 Tanium Console or API user systems to external servers (such as content.tanium.com)                                 | HTTPS
  3 (Windows only) Tanium Servers to Tanium database in deployments where the database is not on the Tanium Server host | No encryption by default, but configuring encryption is a best practice. Consult your database administrator.
  4 Tanium Servers to Tanium Module Server                                                                              | HTTPS
  5 Module Server to external servers                                                                                   | HTTPS
  6 Tanium Server to Tanium Server in an active-active deployment                                                       | Tanium Protocol *
  7 Tanium Servers to external servers                                                                                  | HTTPS
  8 Tanium Servers to Zone Server Hub                                                                                   | Tanium Protocol **
  9 Zone Server Hub to Zone Server                                                                                      | Tanium Protocol
 10 Tanium Clients (external) to Zone Server                                                                            | Tanium Protocol
 11 Tanium Clients (internal) to Tanium Servers                                                                         | Tanium Protocol
 12 Tanium Client to Tanium Client (external and internal)                                                              | Tanium Protocol ***

 * Tanium Appliances use IPsec to secure Tanium database traffic and Lightweight Directory Access Protocol (LDAP) synchronization traffic.

 ** Figure 1 shows the Zone Server Hub installed on a host that is separate from the Tanium Server hosts to illustrate that the connection is encrypted. However, in most deployments, you install the hubs on the same hosts as the Tanium Servers.

 *** Applies only to Tanium Client 7.4 or later.

In the following figure, blue lines indicate Tanium Protocol connections, green lines indicate HTTPS connections, and orange lines indicate connections that use other encryption protocols (as described in Table 1):

Figure 1: TLS communication in the Tanium Core Platform

To manage the certificates and keys that the Tanium Core Platform uses for HTTPS traffic, see Securing Tanium Console, API, and Module Server access.

The Tanium Core Platform supports TLS for additional connections that various Tanium modules and shared services require. For details, see the user guides for your Tanium products at docs.tanium.com.

TLS communication starts when a TLS client initiates a TLS handshake to establish a secure connection with a server. The following are examples in the context of the Tanium Core Platform:

  • The Zone Server acts as a client when registering with the Tanium Server.
  • The Tanium Client acts as a client when registering with the Zone Server or Tanium Server.
  • A Tanium Server acts as a client when performing active-active synchronization with another Tanium Server.

During the TLS handshake, the client and server generate a shared, unique session key, which they use to secure communication for the duration of their session. You can configure TLS as optional for certain versions of Tanium Core Platform servers and Tanium Clients, as listed in Table 2. If the handshake fails and TLS is optional, the client and server attempt a non-TLS (unencrypted) connection instead. If the handshake fails and TLS is configured as required, the client and server cannot connect.

Tanium Core Platform 7.2 or later supports the following cipher suites for creating keys and encrypting information in TLS communication:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256

Contact Tanium Support at [email protected] and consult your network security team before modifying the TLS configuration. Whether TLS is available and required depends on the Tanium Core Platform version, components, and infrastructure:

 Table 2: TLS options and defaults

 Version 7.4 or later
   • Tanium Server, Zone Server, Zone Server Hub: After a fresh installation or upgrade, TLS is required and you cannot disable it.
   • Tanium Clients: After a fresh installation or upgrade, TLS is required by default.

 Version 7.2 or 7.3
   • Tanium Server, Zone Server, Zone Server Hub: Whether TLS is enabled depends on the infrastructure in which you deploy the Tanium Core Platform:
     • Windows deployment: TLS is disabled by default and enabling it is optional.
     • Tanium Appliance deployment: TLS is enabled by default on the Tanium Server and disabling it is optional for incoming connections. TLS is disabled by default on the Zone Server and Zone Server Hub, and enabling it is optional.
   • Tanium Clients: TLS communication is disabled by default and enabling it is optional.

 Version 7.1 or earlier
   • Tanium Server, Zone Server, Zone Server Hub: Encryption for inter-server communication requires a third-party binary or other external dependencies.
   • Tanium Clients: Not applicable

The following sections describe how to set up TLS for Tanium Core Platform components that use the Tanium Protocol. For additional details and procedures related to the digital keys for Tanium Protocol traffic, see Tanium Console User Guide: Managing Tanium keys.

Tanium Appliance: Set up TLS

Tanium Server

When you install the Tanium Server role (see Installing an individual Tanium Server), TLS is enabled by default. TLS is required for incoming connections in Tanium Core Platform 7.4 or later but not in earlier versions. If you want to require TLS for incoming connections in version 7.2 or 7.3, go to the Tanium Operations menu and use the Configuration Settings menu to change the values. For details, see Tanium Core Platform server settings.

Tanium Zone Server

When you install the Tanium Zone Server role or Zone Server Hub add-on role, TLS is enabled by default in Tanium Core Platform 7.4 but not in earlier versions. Perform the following procedures to configure TLS in version 7.2 or 7.3.

Configuration overview

Configuring Tanium Zone Server encryption is a three-step process:

  1. On the Zone Server, generate a TLS certificate signing request (CSR): Step 1: Generate a CSR.
  2. On the Tanium Server, issue and sign the TLS certificate: Step 2: Issue the Certificate.
  3. On the Zone Server, add the certificate and key files and configure default values for TLS settings: Step 3: Install the certificate and configure TLS settings.

To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values.

File transfer methods

TanOS 1.5 and later provide menus that enable the following methods for copying the CSR, certificate, and key files:

  • Copy and paste between TanOS menus on the Zone Server appliance and Tanium Server appliance. This method is convenient if you can open SSH terminal sessions to each appliance. If you use this method, skip to Step 1: Generate a CSR.
  • Menu-driven SFTP between the Zone Server appliance and Tanium Server appliance. This method requires SFTP connectivity from the Zone Server to the Tanium Server. You must copy the public key for the user tanadmin on the first appliance to the authorized key store for the tancopy user on the second appliance, and vice versa.

Add required SSH keys

  1. Start an SSH terminal session on both the Tanium Server appliance and the Zone Server appliance so that you can copy and paste between them.
  2. Copy the tanadmin key from the first appliance to the authorized key store for the tancopy user on the second appliance.
    1. On the first appliance:
      1. From the tanadmin menu, enter C to go to the User Administration menu.
      2. Enter 3 to go to the SSH Key Management menu.
      3. Enter the line number for tanadmin to display the key management menu for this user.
      4. Enter 2 to display the public key.
      5. Copy the contents of the public key to the clipboard.
    2. On the second appliance:
      1. From the tanadmin menu, enter C to go to the User Administration menu.
      2. Enter 3 to go to the SSH Key Management menu.
      3. Enter the line number for the tancopy user.
      4. Enter 3 to go to the Authorized Keys menu.
      5. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.
  3. Copy the tanadmin key from the second appliance to the authorized key store for the tancopy user on the first appliance.
    1. On the second appliance:
      1. Return to the SSH Key Management menu.
      2. Enter the line number for tanadmin to display the key management menu for this user.
      3. Enter 2 to display the public key.
      4. Copy the contents of the public key to the clipboard.
    2. On the first appliance:
      1. Return to the SSH Key Management menu.
      2. Enter the line number for the tancopy user.
      3. Enter 3 to go to the Authorized Keys menu.
      4. Enter 2 and follow the prompts to paste the contents of the tanadmin user public key file.

Step 1: Generate a CSR

  1. Sign into the Zone Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Configuration menu.
  4. Enter 1 and follow the prompts to generate the CSR. Be sure to copy the text to the clipboard or specify the settings for the SFTP connection to the Tanium Server.

Step 2: Issue the Certificate

The option for the Zone Server Configuration menu only appears if the Zone Server Hub add-on is installed on the Tanium Server appliance.

  1. Sign into the Tanium Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Configuration menu.
  4. Enter 2 to go to the Import Cert Request menu.
  5. Enter 1 to import the CSR or 2 to paste the text.

    The Tanium Server validates the CSR, generates and signs the reporting.crt certificate file, displays the certificate contents on the screen, and copies the file to the /outgoing directory.

  6. Follow the prompts to prepare for Step 3:
    • Copy the certificate text if you plan to paste it in the next step.
    • If you cannot establish an SFTP connection from the Zone Server to the Tanium Server, use SFTP to copy reporting.crt from the Tanium Server /outgoing directory to your management computer, and then copy it again to the Zone Server /incoming directory.
    • If you set up SSH keys and can establish an SFTP connection from the Zone Server to the Tanium Server, do nothing. You can import the certificate file from the Tanium Server /outgoing directory automatically in Step 3: Install the certificate and configure TLS settings.

Step 3: Install the certificate and configure TLS settings

  1. Sign into the Zone Server appliance as the user tanadmin.
  2. Enter 2 to go to the Tanium Operations menu.
  3. Enter Z to go to the Zone Server Operations menu.
  4. Enter 3 to display the Import Signed Certificate menu.
  5. Use the menu to import the certificate:
    • Enter 1 to import reporting.crt if you copied it to the Zone Server /incoming directory.
    • Enter 2 to paste the text.
    • Enter 3 to pull it from the Tanium Server /outgoing directory.

    The Zone Server installs the certificate and configures default settings. To change the default values, go to the Tanium Operations menu and use the Configuration Settings menu to change the values. For details, see Tanium Core Platform server settings.

Windows: Set up TLS

Tanium Server

The Tanium Server installer generates the TLS public and private keys that are used to set up TLS for connections between Tanium Servers in an active-active deployment and between Tanium Clients and the Tanium Server.

Configure TLS for outgoing connections

In Tanium Core Platform 7.4 or later, TLS is automatically set up and required for outgoing connections between Tanium Servers in an active-active deployment, and you cannot disable it.

In version 7.3 or 7.2, add or edit the setting ReportingTLSMode in the Windows registry to enable or disable TLS. The data type is REG_DWORD and the value is a number. The following values are possible:

  • 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.
  • 1 (TLS required): If a TLS handshake fails, the connection fails.
  • 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.

You can use the command-line interface (CLI) to add the registry setting:

> cd <Tanium_Server_installation_folder>
> TaniumReceiver config set ReportingTLSMode <value>

Require TLS for incoming connections

Optionally, you can configure TLS as required or optional for incoming connections on the Tanium Server. The Tanium Server version determines which setting you configure.

Version 7.4 or later

From the Tanium Console Main menu, go to Administration > Management > Global Settings, and configure the following settings for connections from Tanium Clients to the Tanium Server.

These settings also apply to connections from Tanium Clients to the Zone Server if you deploy one.

  • require_client_tls_314_flag: Specify one of the following values:
    • 0 (default): The Tanium Server allows both TLS and non-TLS connections from Tanium Clients.
    • 1: The Tanium Server allows connections from Tanium Clients only if TLS is used. Do not set the value to 1 until you are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.
  • require_client_tls_315_flag: Specify one of the following values:
    • 1 (default): The Tanium Server allows connections from Tanium Clients 7.4 or later only if TLS is used. Tanium strongly recommends that you leave the value at 1.
    • 0: The Tanium Server allows both TLS and non-TLS connections from Tanium Clients 7.4 or later. Contact Tanium Support at [email protected] before setting the value to 0.

Version 7.3 or earlier

In the Windows registry, specify one of the following values for the setting RequireIncomingEncryption:

  • 0: TLS is not required.
  • 1: TLS is required. Do not specify 1 until you are sure that all Tanium Clients that have been deployed are configured to use TLS and you are ready to deploy the Tanium Client to new endpoints with TLS configured before initial registration.

Regenerate the TLS certificate and key

You can regenerate the TLS certificate and private key on the Tanium Server when necessary. For example, if the Tanium root keys (tanium.pub and tanium.pvk) have changed, you must change all subordinate certificates and keys, including the TLS certificate and key.

In Tanium Core Platform 7.4 or later, you can use the Tanium Console to rotate the root keys, and doing so automatically rotates all subordinate keys, including the TLS keys. You can also configure the rotation schedule for subordinate keys. For details, see Tanium Console User Guide: Managing Tanium keys.

In Tanium Core Platform 7.3 or 7.2, use the KeyUtility.exe tool to regenerate the certificate (reporting.crt) and private key (reporting.pvk) as follows. In an active-active deployment, repeat these steps on each Tanium Server.

  1. Access the Tanium Server CLI.
  2. Navigate to the Tanium Server installation directory, where the KeyUtility.exe tool resides.

    cmd-prompt>cd <Tanium Server>

  3. Generate the new private key and a certificate signing request (CSR).

    Syntax

    cmd-prompt>keyutility reporting-tls-request [<reporting.pvk>] [<out>]

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'

  4. Issue a new certificate based on the reporting.csr file and sign the certificate with the Tanium Server private key.

    Syntax

    cmd-prompt>keyutility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'

  5. Replace the old TLS certificate and private key with the new certificate and key in the Tanium Server installation folder (default) or in the folder that the ReportingTLSCertPath and ReportingTLSKeyPath registry settings specify. For details, see Table 3.

Tanium Zone Server

Tanium Core Platform 7.4 or later automatically enables TLS for Zone Server connections. In version 7.3 or 7.2, you must generate a TLS certificate (reporting.crt) and private key (reporting.pvk) and configure settings to enable TLS:

  1. Access the Zone Server CLI.
  2. Navigate to the Zone Server installation directory, where the KeyUtility.exe tool resides.

    cmd-prompt>cd <Zone Server>

  3. Generate the private key and CSR (reporting.csr).

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'

  4. Replace the old private key by copying the new key to the Zone Server installation folder (default) or the folder that the ReportingTLSKeyPath setting specifies. For details, see Table 3.
  5. Copy reporting.csr to the Tanium Server installation folder.
  6. Access the Tanium Server CLI, issue a new certificate based on the reporting.csr file, and sign it with the Tanium Server private key (tanium.pvk). For the new Zone Server certificate, specify an output folder that is not the folder where the Tanium Server stores its own reporting.crt certificate; otherwise, the Zone Server certificate overwrites the Tanium Server certificate.

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'

  7. Replace the old TLS certificate by copying the new certificate to the Zone Server installation folder (default) or the folder that the ReportingTLSCertPath setting specifies. For details, see Table 3.
  8. Configure the settings described in Table 3 on the Zone Server, Zone Server Hub, and Tanium Server host computers. You can find the settings in the Windows Registry:
    • Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server
    • Zone Server or Zone Server Hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer

 Table 3: Tanium Core Platform server TLS settings

 ReportingTLSMode (REG_DWORD)
   Configures TLS for outgoing connections that the server initiates. On a Tanium Server, configure this option if you want to enable TLS for the Tanium Server to Zone Server Hub segment, if applicable. On a Zone Server Hub, configure this option if you want to enable TLS for the Zone Server Hub to Zone Server segment.
     • 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.
     • 1 (TLS required): If a TLS handshake fails, the connection fails.
     • 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.
   If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that the servers establish TLS connections reliably, setting the value to 1 enforces the best security.

 ReportingTLSCertPath (REG_SZ)
   For inbound connections, set the path to the reporting.crt file. For example:
     • Program Files\Tanium\Tanium Server\reporting.crt
     • Program Files(x86)\Tanium\Tanium Zone Server\reporting.crt
   This setting must be present only if the path to the certificate differs from the server installation path (the value of the Path key).
   You can rename the certificate file if you want, but the file name and this entry must match. Keeping the default name (reporting.crt) is a best practice to facilitate communication and troubleshooting.

 ReportingTLSKeyPath (REG_SZ)
   For inbound connections, set the path to the reporting.pvk file. For example:
     • Program Files\Tanium\Tanium Server\reporting.pvk
     • Program Files(x86)\Tanium\Tanium Zone Server\reporting.pvk
   The Tanium Server installer adds this entry, but the Zone Server installer does not. This setting must be present.
   The key file name you specify for the path must match the actual key file. Keeping the default name (reporting.pvk) is a best practice to facilitate communication and troubleshooting.

 ReportingTLSKeyPasswordFile (REG_SZ)
   This setting applies only to hardware security modules. For details, contact Tanium Support at [email protected].

 RequireIncomingEncryption (REG_DWORD)
   Setting for inbound connections from Tanium Clients 7.2 or later to Tanium Core Platform servers 7.3 or earlier.
     • 0: TLS is not required
     • 1: TLS is required
   When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled can register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode is 1 or ReportingTLSMode is 2), and you are ready to deploy Tanium Client to new endpoints with TLS configured before initial registration.
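The checks that Table 3 describes can be scripted. The following PowerShell is an added example, not Tanium's own tooling: it reads the registry keys named in step 8 and the Path value named in Table 3 on a Windows Tanium Server or Zone Server host and reports settings that leave a segment unencrypted or a certificate or key file missing. The 90-day expiry warning window is an assumption.

```powershell
# Added example, not Tanium's own tooling: audits the Table 3 TLS settings on a
# Windows host that runs the Tanium Server and/or Zone Server role. Run it in an
# elevated PowerShell session on that host. Assumption: 90-day expiry warning window.

$TaniumRegistryKeys = [ordered]@{
    'Tanium Server' = 'HKLM:\Software\Wow6432Node\Tanium\Tanium Server'
    'Zone Server'   = 'HKLM:\Software\Wow6432Node\Tanium\Tanium ZoneServer'
}

function Get-TaniumRegistryValue {
    param([string]$KeyPath, [string]$Name)
    # $null means the value is absent, which the documentation treats as "default".
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Resolve-TaniumTlsFile {
    param([string]$ExplicitPath, [string]$InstallPath, [string]$DefaultName)
    # ReportingTLSCertPath / ReportingTLSKeyPath override the default <Path>\reporting.* location.
    if ($ExplicitPath) { return $ExplicitPath }
    if ($InstallPath)  { return (Join-Path -Path $InstallPath -ChildPath $DefaultName) }
    return $null
}

function Test-TaniumServerTlsConfig {
    param([string]$Role, [string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) {
        return [pscustomobject]@{ Role = $Role; Installed = $false; Findings = @() }
    }
    $findings    = [System.Collections.Generic.List[string]]::new()
    $installPath = Get-TaniumRegistryValue $KeyPath 'Path'
    $mode        = Get-TaniumRegistryValue $KeyPath 'ReportingTLSMode'
    $require     = Get-TaniumRegistryValue $KeyPath 'RequireIncomingEncryption'

    # Outgoing segments (Tanium Server -> Zone Server Hub, Zone Server Hub -> Zone Server).
    if ($null -eq $mode -or $mode -eq 0) {
        $findings.Add('ReportingTLSMode is 0 or absent: outgoing Tanium Protocol connections are unencrypted.')
    } elseif ($mode -eq 2) {
        $findings.Add('ReportingTLSMode=2: TLS is optional and falls back to non-TLS. Set 1 once TLS connects reliably.')
    } elseif ($mode -ne 1) {
        $findings.Add("ReportingTLSMode=$mode is not a documented value (0, 1 or 2).")
    }

    # Inbound client registrations on 7.3-or-earlier servers (7.4+ uses Global Settings instead).
    if ($null -eq $require -or $require -eq 0) {
        $findings.Add('RequireIncomingEncryption is 0 or absent: unencrypted client registrations are accepted (7.3 or earlier).')
    }

    # The certificate and key must exist where the explicit settings, or the defaults, point.
    $certFile = Resolve-TaniumTlsFile (Get-TaniumRegistryValue $KeyPath 'ReportingTLSCertPath') $installPath 'reporting.crt'
    $keyFile  = Resolve-TaniumTlsFile (Get-TaniumRegistryValue $KeyPath 'ReportingTLSKeyPath')  $installPath 'reporting.pvk'
    foreach ($pair in @(@('certificate', $certFile, 'reporting.crt'), @('private key', $keyFile, 'reporting.pvk'))) {
        $label, $file, $defaultName = $pair
        if (-not $file) { $findings.Add("Cannot locate the $label file: neither Path nor an explicit path setting is present."); continue }
        if (-not (Test-Path -Path $file -PathType Leaf)) { $findings.Add("$label file not found: $file"); continue }
        if ((Split-Path -Path $file -Leaf) -ne $defaultName) {
            $findings.Add("$label file uses a non-default name ($file); keeping $defaultName is the documented best practice.")
        }
    }

    # Certificate expiry: keyutility issues with --expiration 3650 days by default; warn inside 90 days.
    if ($certFile -and (Test-Path -Path $certFile -PathType Leaf)) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)
            if ($cert.NotAfter -lt (Get-Date).AddDays(90)) {
                $findings.Add("reporting certificate expires $($cert.NotAfter.ToString('u')); regenerate it with keyutility.")
            }
        } catch {
            $findings.Add("Could not parse certificate ${certFile}: $($_.Exception.Message)")
        }
    }

    return [pscustomobject]@{
        Role = $Role; Installed = $true; ReportingTLSMode = $mode; RequireIncomingEncryption = $require
        CertFile = $certFile; KeyFile = $keyFile; Findings = $findings.ToArray()
    }
}

$results = foreach ($role in $TaniumRegistryKeys.Keys) {
    Test-TaniumServerTlsConfig -Role $role -KeyPath $TaniumRegistryKeys[$role]
}
$results | Where-Object Installed | Format-List Role, ReportingTLSMode, RequireIncomingEncryption, CertFile, KeyFile, Findings
```

An empty Findings list for a role means outgoing TLS is required, unencrypted registrations are rejected, and both files are present under their default names.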

The KeyUtility.exe program has online help:

cmd-prompt>keyutility reporting-tls-issue --help
Usage: KeyUtility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]

Issue a reporting TLS certificate.

Options:
  --root-key arg (=tanium.pvk)      Path to tanium root private key
  --csr arg (=reporting.csr)        Path to certificate signing request to
                                    issue a certificate for
  -o [ --out ] arg (=reporting.crt) Output path for generated certificate.
  --expiration arg (=3650)          Certificate expiration in days

Tanium Client: Configure TLS

Whether TLS is enabled or disabled by default depends on the Tanium Client version:

  • Version 7.4 or later: After a fresh installation or upgrade, TLS is enabled and required by default. Tanium strongly recommends that you use these default settings.
  • Version 7.2: TLS communication is disabled by default and enabling it is optional.

Perform the following steps to enable or disable TLS on Tanium Clients:

  1. From the Main menu, go to Administration > Management > Client Status.
  2. In the Filter by Registration section, select Registered using TLS and Registered unencrypted if they are not already enabled.

    The Using TLS column indicates which Tanium Clients have TLS enabled or disabled.

  3. From the Main menu, go to Administration > Management > Global Settings and configure TLS settings for the Tanium Clients as described in Table 4.

    On the Tanium Client endpoint, the setting names have the prefix Server_ (for example, Server_ReportingTLSMode). This prefix indicates that the Tanium Client received the settings from global settings on the Tanium Server during registration, and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that differ from the Tanium Server global settings. For example, you might release a feature such as TLS to your Tanium Clients in stages. To override the Tanium Server global settings, add the settings without the Server_ prefix to the Windows registry entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to a Tanium Client, it overrides the Server_ReportingTLSMode setting.

It takes two to six hours (the randomized client-reset interval) for clients to register and receive the updated settings.

 Table 4: Tanium Client TLS settings configured in Global Settings

 TLSMode
   This setting applies to Tanium Client 7.4 or later and specifies whether TLS is required for connections between Tanium Clients and for connections between Tanium Clients and the Tanium Server or Zone Server.
     • 0 (TLS not used): TLS is disabled.
     • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot communicate with other clients or the servers. This is the default value.

 ReportingTLSMode
   This setting applies to Tanium Client 7.2. Set the mode for TLS connections from the Tanium Client to the Tanium Server or Zone Server.
     • 0 (TLS not used): TLS is disabled. This is the default value.
     • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot register or communicate with the Tanium Server or Zone Server.
     • 2 (TLS optional): The Tanium Client tries to connect over TLS. If the TLS connection fails, the Tanium Client tries a non-TLS connection.
   If you will use TLS, initially setting the value to 2 is a best practice. After you confirm that Tanium Clients establish TLS connections reliably, setting the value to 1 enforces the best security.

 OptionalTLSMinAttemptCount
   This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the number of times to attempt TLS before falling back to non-TLS. The range is 1 to 100 and the default is 3.

 OptionalTLSBackoffIntervalSeconds
   This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the number of seconds to wait before retrying TLS after failing OptionalTLSMinAttemptCount times. This interval doubles after each series of failed attempts. The range is 1 to 86400 and the default is 1.

 OptionalTLSMaxBackoffSeconds
   This setting applies to Tanium Client 7.2 and only when ReportingTLSMode is set to 2 (optional). It specifies the maximum backoff interval. The range is 1 to 86400 and the default is 3600.

Verify the TLS connections

  1. Verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server when the clients last registered: from the Main menu, go to Administration > Management > Client Status and check the Using TLS column.
  2. (Tanium Core Platform 7.3 or earlier) Access the Tanium Server Info page to confirm that TLS is enabled for the server segments. To access the page, go to https://<Tanium Server FQDN>/info and sign in with a user account that has the Administrator reserved role, such as the tanium user created during installation.

Update the TLS configuration when you make changes to the key pair

The process for updating the TLS configuration when you make changes to the Tanium root keys depends on the Tanium Core Platform version:

  • Version 7.4 or later: When you add or revoke Tanium root keys, the Tanium Server automatically propagates the changes to all subordinate keys on the platform servers and Tanium Clients (see Tanium Console User Guide: Managing Tanium keys).
  • Version 7.3 or earlier: You use the Tanium Server private key (tanium.pvk) to sign the TLS reporting certificate (reporting.crt). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the reporting.crt and reporting.pvk files used in the TLS implementation.