
Reference: Setting up TLS communication

In Tanium Core Platform 7.1 and earlier, encryption required a third-party binary or other external dependencies. In version 7.2 and later, you can set up TLS communication natively, for the following network connections:

  • Tanium Client to Tanium Server
  • Tanium Client to Zone Server
  • Tanium Server to Tanium Server (active-active high availability configuration, not shown in the following figure)
  • Tanium Server to Zone Server Hub to Zone Server

The following figure illustrates the types of encryption, if any, applied to the connections among Tanium Core Platform components.

Figure 1: TLS communication

The TLS implementation uses the following specification:

  • Protocol version: TLS 1.2
  • Cipher suite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

TLS communication has a performance cost. Consult your Tanium technical account manager (TAM) and your network security team before enabling it.

The TLS implementation leverages the existing public key infrastructure (PKI) of the Tanium Core Platform to establish trust between platform components. The platform servers use the existing Tanium Server public/private keypair for the TLS handshake, establishing a unique session key for each session with the client. (The Tanium Server SOAPServer.crt and trusted Module Server certificates are not used for TLS in the network segments described here.)

You can use a Tanium-provided utility to generate the special TLS reporting public/private key pair (reporting.pub/reporting.pvk), as well as the reporting certificate (reporting.crt) that is signed by the Tanium Server private key (tanium.pvk).

Configuration workflows

Enabling TLS is optional. You can configure it for any or none of the network segments that support TLS. In a Tanium deployment, you set up both the client side and the server side of the TLS connection. A TLS client initiates a TLS connection with a server. Client-side settings determine whether the client initiates a TLS handshake. Server-side settings determine how the server responds, including the location of the TLS certificate and key files used in the TLS exchange. Server-side settings can also specify whether TLS is required for connections to the server.

Table 1 summarizes the steps to configure TLS for each network segment.

These workflows are for the Tanium Core Platform deployed on Windows infrastructure. To configure TLS on Tanium Appliances, see the Tanium Appliance Installation Guide. To configure TLS in a cloud service environment, consult your TAM.

Table 1: TLS configuration summary

Network segment: Tanium Client to Tanium Server
  Server side:
    1. The Tanium Server installer generates the certificate and private keys used to set up the TLS connection to the Tanium Server.
    2. If necessary, configure additional server-side settings for the Tanium Server. See Table 3.
  Client side:
    Configure settings for the Tanium Client. See Table 4.

Network segment: Tanium Client to Zone Server
  Server side:
    1. Use the Tanium keyutility program to generate the certificates and keys for the Zone Server. See Table 2.
    2. Configure settings for the Zone Server. See Table 3.
  Client side:
    Configure settings for the Tanium Client. See Table 4.

Network segment: Tanium Server to Tanium Server
  Server side:
    1. The Tanium Server installer generates the certificate and private keys used to set up the TLS connection to the Tanium Server.
    2. If necessary, configure additional server-side settings for each Tanium Server. See Table 3.
  Client side:
    For each Tanium Server, configure ReportingTLSMode. See Table 3.

Network segment: Tanium Server to Zone Server Hub to Zone Server
  Server side:
    1. Use the Tanium keyutility program to generate the certificates and keys for the Zone Server. See Table 2.
    2. Configure settings for the Zone Server. See Table 3.
  Client side:
    1. Configure ReportingTLSMode for the Tanium Server. See Table 3.
    2. Configure ReportingTLSMode for the Zone Server hub. See Table 3.

Generate the certificate and keys

The following procedures generate the certificates and keys used in the TLS connections. Be sure to restrict access to the private key.

Table 2: Certificate and keys

Component: Tanium Server
  On Windows, the Tanium Server installer generates the reporting.crt certificate file and reporting.pvk private key file used to set up TLS connections to the Tanium Server. The files are in the Tanium Server installation directory. You can use the keyutility program to regenerate them as necessary.
  1. On the Tanium Server, generate the private key and certificate signing request (CSR).

    Syntax

    keyutility reporting-tls-request [<reporting.pvk>] [<out>]

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'
  2. Issue the certificate. Specify the reporting.csr file and sign the resulting certificate with the Tanium Server private key.

    Syntax

    keyutility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'

    In an active-active deployment, do the same procedure on each Tanium Server.


Component: Zone Server
  The Zone Server installer does not generate the reporting.crt certificate file and reporting.pvk private key file used to set up TLS connections to the Zone Server. You must use the keyutility program to generate them.
  1. On the Zone Server, generate the private key and certificate signing request (CSR).

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'
  2. Copy the reporting.csr file to the Tanium Server.
  3. On the Tanium Server, issue the certificate. Specify the reporting.csr file and sign it with the Tanium Server private key.

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'
  4. Copy the reporting.crt file to the Zone Server host computer.

The KeyUtility.exe program has online help.

Example

cmd-prompt>keyutility reporting-tls-issue --help
Usage: KeyUtility reporting-tls-rissue <reporting.csr> <out> [<tanium.pvk>]

Issue a reporting TLS certificate.

Options:
  --root-key arg (=tanium.pvk)      Path to tanium root private key
  --csr arg (=reporting.csr)        Path to certificate signing request to
                                    issue a certificate for
  -o [ --out ] arg (=reporting.crt) Output path for generated certificate.
  --expiration arg (=3650)          Certificate expiration in days

Configure Tanium Server and Zone Server settings

  1. Go to the Windows Registry key for the server component:
     • Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server
     • Zone Server or Zone Server hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
  2. Configure TLS settings as described in Table 3.

Table 3: Tanium Core Platform server TLS settings

Setting: ReportingTLSMode
  Host: Tanium Server, Zone Server Hub
  Type: REG_DWORD
  Guideline: Configures TLS for outgoing connections that the server initiates. On a Tanium Server, configure this option to enable TLS for the Tanium Server to Tanium Server (high availability) segment and, if applicable, the Tanium Server to Zone Server Hub segment. On a Zone Server Hub, configure this option to enable TLS for the Zone Server Hub to Zone Server segment.
  • 0 (TLS not used): TLS is disabled. This is the default value for servers installed on a Windows system.
  • 1 (TLS required): If a TLS handshake fails, the connection fails.
  • 2 (TLS optional): The server tries to connect over TLS. If the TLS connection fails, the server tries a non-TLS connection.

If you plan to use TLS, initially setting the value to 2 is a best practice. After you confirm that the servers establish TLS connections reliably, set the value to 1 to enforce TLS.

Setting: ReportingTLSCertPath
  Host: Tanium Server, Zone Server
  Type: REG_SZ
  Guideline: For inbound connections, set the path to the reporting.crt file. For example:

C:\Tanium\Tanium Server\reporting.crt

This setting must be present only if the path to the certificate differs from the installation path (the value of the Path key).

You can rename the certificate file if you want, but the filename and this entry must match. Keeping the default name (reporting.crt) is a best practice to facilitate communication and troubleshooting.

Setting: ReportingTLSKeyPath
  Host: Tanium Server, Zone Server
  Type: REG_SZ
  Guideline: For inbound connections, set the path to the reporting.pvk file. For example:

C:\Tanium\Tanium Server\reporting.pvk

The Tanium Server installer adds this entry, but the Zone Server installer does not. This setting must be present.

You can rename the key file if you want, but the filename and this entry must match. Keeping the default name (reporting.pvk) is a best practice to facilitate communication and troubleshooting.

Setting: ReportingTLSKeyPasswordFile
  Host: Tanium Server, Zone Server
  Type: REG_SZ
  Guideline: Setting for inbound connections that applies only to hardware security modules. For details, contact your TAM.

Setting: RequireIncomingEncryption
  Host: Tanium Server, Zone Server
  Type: REG_DWORD
  Guideline: Setting for inbound connections.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled can register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured before initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.
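The following script is an added example, not Tanium's own tooling: it writes the Table 3 registry values for one server role in the staged order this page recommends, checks that the certificate and key files exist before recording their paths, and refuses RequireIncomingEncryption=1 unless explicitly forced. The function name, the -Force switch and the Zone Server file paths in the usage lines are assumptions; the registry keys are the ones listed in step 1 above.

```powershell
# Added example (not Tanium code). Assumes an elevated PowerShell session on the
# server host; writes only the settings that are passed as parameters.
function Set-TaniumServerTls {
    param(
        [Parameter(Mandatory)][ValidateSet('TaniumServer','ZoneServer')][string]$Role,
        [string]$CertPath,                           # reporting.crt (inbound; Tanium Server, Zone Server)
        [string]$KeyPath,                            # reporting.pvk (inbound; Tanium Server, Zone Server)
        [ValidateRange(0,2)][int]$ReportingTLSMode,  # outbound; Tanium Server, Zone Server Hub
        [ValidateRange(0,1)][int]$RequireIncomingEncryption,
        [switch]$Force                               # needed to set RequireIncomingEncryption=1
    )
    $keys = @{ TaniumServer = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium Server'
               ZoneServer   = 'HKLM:\SOFTWARE\Wow6432Node\Tanium\Tanium ZoneServer' }
    $key = $keys[$Role]
    if (-not (Test-Path -LiteralPath $key)) { throw "Registry key not found: $key" }

    # The Zone Server installer does not add ReportingTLSKeyPath, and that entry must be
    # present, so write whichever paths were given, but only if the file really exists.
    $paths = @{ ReportingTLSCertPath = $CertPath; ReportingTLSKeyPath = $KeyPath }
    foreach ($entry in $paths.GetEnumerator()) {
        if (-not $entry.Value) { continue }
        if (-not (Test-Path -LiteralPath $entry.Value -PathType Leaf)) {
            throw "File not found for $($entry.Key): $($entry.Value)"
        }
        Set-ItemProperty -Path $key -Name $entry.Key -Value $entry.Value -Type String
    }
    if ($PSBoundParameters.ContainsKey('ReportingTLSMode')) {
        Set-ItemProperty -Path $key -Name ReportingTLSMode -Value $ReportingTLSMode -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('RequireIncomingEncryption')) {
        # 1 drops every non-TLS request, so clients not yet on TLS can no longer register.
        if ($RequireIncomingEncryption -eq 1 -and -not $Force) {
            throw 'Pass -Force only once every deployed Tanium Client uses ReportingTLSMode 1 or 2.'
        }
        Set-ItemProperty -Path $key -Name RequireIncomingEncryption -Value $RequireIncomingEncryption -Type DWord
    }
    # Read back what is now in the registry so the change can be verified.
    Get-ItemProperty -Path $key |
        Select-Object ReportingTLSMode, ReportingTLSCertPath, ReportingTLSKeyPath, RequireIncomingEncryption
}

# Stage 1 on a Zone Server: inbound certificate and key, TLS accepted but not required.
# (The Zone Server file paths below are assumed, not taken from this page.)
Set-TaniumServerTls -Role ZoneServer -CertPath 'C:\Tanium\Tanium ZoneServer\reporting.crt' `
    -KeyPath 'C:\Tanium\Tanium ZoneServer\reporting.pvk' -RequireIncomingEncryption 0
# Stage 1 on a Tanium Server: try TLS on the outbound HA and Zone Server Hub segments, fall back if it fails.
Set-TaniumServerTls -Role TaniumServer -ReportingTLSMode 2
```

Once the Tanium Server Info page shows the server segments connecting over TLS, rerun with -ReportingTLSMode 1, and only after every client registers with TLS, with -RequireIncomingEncryption 1 -Force.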

Configure Tanium Client settings

Tanium Client 7.2 supports TLS settings. A Tanium Client 6.0 might receive the settings during registration, but they have no effect because the Tanium Client 6.0 is not TLS-capable.

  1. Go to Administration > Global Settings and filter the grid to show TLS settings.
  2. Configure TLS settings for the Tanium Client as described in Table 4.

It can take up to four hours (Tanium Client registration reset interval) for clients to register and receive the updated settings.

On the Tanium Client endpoint, the setting names in the Registry (Windows endpoints) or Tanium Client settings database (non-Windows endpoints) have the prefix Server_ (for example, Server_ReportingTLSMode). This prefix indicates that the Tanium Client received the settings from global settings on the Tanium Server during registration, and future registration updates might change the settings. In some cases, you might want a Tanium Client to use settings that differ from the Tanium Server global settings. For example, you might roll out a feature such as TLS to your Tanium Clients in stages. To override the Tanium Server global settings, add the settings without the Server_ prefix to the Windows registry entries or Tanium Client settings database on the client endpoints. For example, if you add the ReportingTLSMode setting to a Tanium Client, it overrides the Server_ReportingTLSMode setting.

Table 4: Tanium Client TLS settings configured in Global Settings

Setting: ReportingTLSMode
  Guideline:
  • 0 (TLS not used): TLS is disabled. This is the default value.
  • 1 (TLS required): If a TLS handshake fails, the Tanium Client cannot register or communicate with the Tanium Server or Zone Server.
  • 2 (TLS optional): The Tanium Client tries to connect over TLS. If the TLS connection fails, the Tanium Client tries a non-TLS connection.

If you plan to use TLS, initially setting the value to 2 is a best practice. After you confirm that Tanium Clients establish TLS connections reliably, set the value to 1 to enforce TLS.

Setting: OptionalTLSMinAttemptCount
  Guideline: Number of times to attempt TLS before falling back to non-TLS. (min=1, max=100, default=3)

Applies when ReportingTLSMode=2 (optional).

Setting: OptionalTLSBackoffIntervalSeconds
  Guideline: Seconds to wait before retrying TLS again after failing OptionalTLSMinAttemptCount times. This interval doubles after each series of failed attempts. (min=1, max=86400, default=1)

Applies when ReportingTLSMode=2 (optional).

Setting: OptionalTLSMaxBackoffSeconds
  Guideline: Maximum backoff interval. (min=1, max=86400, default=3600)

Applies when ReportingTLSMode=2 (optional).
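The three optional-TLS settings above interact: each failed series of OptionalTLSMinAttemptCount handshakes is followed by a wait that doubles until OptionalTLSMaxBackoffSeconds caps it. The following function is an added example (not Tanium client code) that tabulates that schedule so you can see how long a client in mode 2 keeps retrying TLS; it assumes the handshake attempts themselves take negligible time, since the page does not specify their spacing within a series.

```powershell
# Added example (not Tanium code): tabulate the optional-TLS retry schedule.
function Get-OptionalTlsBackoffSchedule {
    param(
        [ValidateRange(1,100)][int]$OptionalTLSMinAttemptCount = 3,
        [ValidateRange(1,86400)][int]$OptionalTLSBackoffIntervalSeconds = 1,
        [ValidateRange(1,86400)][int]$OptionalTLSMaxBackoffSeconds = 3600,
        [int]$FailedSeries = 14   # how many consecutive failed series to tabulate
    )
    $wait = $OptionalTLSBackoffIntervalSeconds
    $elapsed = 0
    for ($n = 1; $n -le $FailedSeries; $n++) {
        # Series n: OptionalTLSMinAttemptCount TLS handshakes fail, the client falls
        # back to non-TLS, then waits $wait seconds before trying TLS again.
        $elapsed += $wait
        [pscustomobject]@{
            Series             = $n
            TlsAttempts        = $OptionalTLSMinAttemptCount
            WaitSeconds        = $wait
            CumulativeWaitSecs = $elapsed
        }
        # The interval doubles after each failed series, capped at the maximum.
        $wait = [Math]::Min($wait * 2, $OptionalTLSMaxBackoffSeconds)
    }
}

# With the defaults the waits run 1, 2, 4, ... 2048 s, then 3600 s from series 13 onward.
Get-OptionalTlsBackoffSchedule | Format-Table -AutoSize
```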

Verify the TLS connections

  1. Go to Administration > System Status and check the Using TLS column to verify whether Tanium Clients used TLS to connect with the Tanium Server or Zone Server the last time that they registered.
  2. Go to the Tanium Server Info page at https://<Tanium Server FQDN>/info, log in with an account that has the Administrator reserved role, and review the information on TLS connections for the server segments.

Key changes

The TLS reporting certificate (reporting.crt) is signed with the Tanium Server private key (tanium.pvk). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the reporting.crt and reporting.pvk files used in the TLS implementation.

Last updated: 12/18/2018 10:34 AM