Reference: Setting up TLS communication

In prior versions, encryption required a third-party binary or other external dependencies. In 7.2, you can set up TLS communication natively for the following network connections:

  • Tanium Client to Tanium Server
  • Tanium Client to Zone Server
  • Tanium Server to Tanium Server (active-active)
  • Tanium Server to Zone Server Hub to Zone Server
Figure 1: TLS communication

The TLS implementation uses the following specification:

Protocol version: TLS 1.2
Cipher suite: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

TLS communication has a performance cost. You should consult with your Tanium technical account manager (TAM) and your network security team before enabling it.

The TLS implementation leverages the existing Tanium platform public key infrastructure (PKI) to establish trust between platform components. The platform servers use the existing Tanium Server public/private keypair for the TLS handshake, establishing a unique session key for each session with the client. (The Tanium Server SOAPServer.crt and trusted Module Server certificates are not used for TLS in the network segments described here.)

You can use a Tanium-provided utility to generate the special TLS reporting public/private key pair (reporting.pub/reporting.pvk), as well as the "reporting certificate" (reporting.crt) that is signed by the Tanium Server private key (tanium.pvk).

Configuration workflows

Enabling TLS is optional. You may choose to configure it for any or none of the network segments for which TLS is supported.

In a Tanium deployment, you set up both the client side and server side of the TLS connection. A TLS client initiates a TLS connection with a server. Client-side settings determine whether the client initiates a TLS handshake. Server-side settings determine how the server responds, including the location of the TLS certificate and key files used in the TLS exchange. Server-side settings can also indicate whether TLS is required to connect to it.

Table 1 summarizes the steps you take to configure TLS for each network segment.

Table 1:   TLS configuration summary
Tanium Client to Tanium Server
  Server side:
    1. The Tanium Server installer generates the certificate and private keys used to set up the TLS connection to the Tanium Server.
    2. If necessary, configure additional server-side settings for the Tanium Server. See Table 3.
  Client side:
    • Configure settings for the Tanium Client. See Table 4.

Tanium Client to Zone Server
  Server side:
    1. Use the Tanium keyutility program to generate the certificates and keys for the Zone Server. See Table 2.
    2. Configure settings for the Zone Server. See Table 3.
  Client side:
    • Configure settings for the Tanium Client. See Table 4.

Tanium Server to Tanium Server
  Server side:
    1. The Tanium Server installer generates the certificate and private keys used to set up the TLS connection to the Tanium Server.
    2. If necessary, configure additional server-side settings for each Tanium Server. See Table 3.
  Client side:
    • For each Tanium Server, configure ReportingTLSMode. See Table 3.

Tanium Server to Zone Server hub to Zone Server
  Server side:
    1. Use the Tanium keyutility program to generate the certificates and keys for the Zone Server. See Table 2.
    2. Configure settings for the Zone Server. See Table 3.
  Client side:
    1. Configure ReportingTLSMode for the Tanium Server. See Table 3.
    2. Configure ReportingTLSMode for the Zone Server hub. See Table 3.

Generate the certificate and keys

The following procedures generate the certificates and keys used in the TLS connections. Be sure to restrict access to the private key.

Table 2:   Certificate and keys
Component: Tanium Server
On Windows, the Tanium Server installer generates the reporting.crt certificate file and reporting.pvk private key file used to set up TLS connections to the Tanium Server. The files are in the Tanium Server installation directory. You can use the keyutility program to regenerate them as necessary.
  1. On the Tanium Server, generate the private key and certificate signing request (CSR).

    Syntax

    keyutility reporting-tls-request [<reporting.pvk>] [<out>]

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'
  2. Issue the certificate. Specify the reporting.csr file and sign the resulting certificate with the Tanium Server private key.

    Syntax

    keyutility reporting-tls-issue <reporting.csr> <out> [<tanium.pvk>]

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'

    In an active-active deployment, do the same procedure on each Tanium Server.


Component: Zone Server
The Zone Server installer does not generate the reporting.crt certificate file and reporting.pvk private key file used to set up TLS connections to the Zone Server. You must use the keyutility program to generate them.
  1. On the Zone Server, generate the private key and certificate signing request (CSR).

    Example

    cmd-prompt>keyutility reporting-tls-request reporting.pvk reporting.csr
    Generating key: 'reporting.pvk'
    Successfully generated certificate signing request: 'reporting.csr'
  2. Copy the reporting.csr file to the Tanium Server.
  3. On the Tanium Server, issue the certificate. Specify the reporting.csr file and sign it with the Tanium Server private key.

    Example

    cmd-prompt>keyutility reporting-tls-issue reporting.csr c:\Tanium\reporting.crt tanium.pvk
    Successfully issued new certificate: 'c:\Tanium\reporting.crt'
  4. Copy the reporting.crt file to the Zone Server host computer.

The KeyUtility.exe program has online help.

Example

cmd-prompt>keyutility reporting-tls-issue --help
Usage: KeyUtility reporting-tls-rissue <reporting.csr> <out> [<tanium.pvk>]

Issue a reporting TLS certificate.

Options:
  --root-key arg (=tanium.pvk)      Path to tanium root private key
  --csr arg (=reporting.csr)        Path to certificate signing request to
                                    issue a certificate for
  -o [ --out ] arg (=reporting.crt) Output path for generated certificate.
  --expiration arg (=3650)          Certificate expiration in days

Configure Tanium Server and Zone Server settings

  1. Go to the Windows Registry key for the server component:
     Tanium Server: HKLM\Software\Wow6432Node\Tanium\Tanium Server
     Zone Server or Zone Server hub: HKLM\Software\Wow6432Node\Tanium\Tanium ZoneServer
  2. Configure TLS settings as described in Table 3.

Table 3:   Tanium component server TLS settings
Host: Tanium Server, Zone Server hub
Setting: ReportingTLSMode (REG_DWORD)
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

Configures TLS for outgoing connections initiated by the server.

On a Tanium Server, you configure this option if you want to enable TLS for the Tanium Server to Tanium Server (active-active) segment and Tanium Server to Zone Server hub segment, if applicable.

On a Zone Server hub, you configure this option to enable TLS for the Zone Server Hub to Zone Server segment.

If you plan to use TLS, we recommend you initially set this option to 2 (optional). When TLS is optional, the server attempts to connect over TLS. If the TLS connection fails, it attempts a non-TLS connection.

If you specify 1, and the TLS handshake fails, the connection fails.

Once you have confirmed the TLS connections are being established reliably, you can set this to 1 (required) to enforce the best security.

Host: Tanium Server, Zone Server
Setting: ReportingTLSCertPath (REG_SZ)
Setting for inbound connections.

Path to the reporting.crt file. For example: 

C:\Tanium\Tanium Server\reporting.crt

This setting must be present only if the path to the certificate is different from the installation path (the value of the Path key).

You can rename the certificate file if you want, but you must be sure the filename and this entry match. However, we recommend you keep the default name (reporting.crt) to facilitate communication and troubleshooting.

Host: Tanium Server, Zone Server
Setting: ReportingTLSKeyPath (REG_SZ)
Setting for inbound connections.

Path to the reporting.pvk file. For example:

C:\Tanium\Tanium Server\reporting.pvk

The Tanium Server installer adds this entry, but the Zone Server installer does not. This setting must be present.

You can rename the key files if you want, but you must be sure the filename and this entry match. However, we recommend you keep the default name (reporting.pvk) to facilitate communication and troubleshooting.

Host: Tanium Server, Zone Server
Setting: ReportingTLSKeyPasswordFile (REG_SZ)
Setting for inbound connections. HSM only. For details, contact your TAM.

Host: Tanium Server, Zone Server
Setting: RequireIncomingEncryption (REG_DWORD)
Setting for inbound connections.
  • 0 (TLS not required)
  • 1 (TLS required)

Important: When RequireIncomingEncryption is set to 1, only TLS connection requests are processed, so only Tanium Clients that have TLS enabled are able to register and be managed. Do not set this to 1 until you are sure all Tanium Clients that have been deployed are configured to use TLS (ReportingTLSMode=1 or ReportingTLSMode=2), and you are ready to deploy Tanium Client to new endpoints with TLS configured prior to initial registration. Do not set this to 1 if your deployment has Tanium Client 6.0, which does not support TLS.
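The following PowerShell script is an added example, not Tanium's own code: it reads the Table 3 values for a Tanium Server or Zone Server from the registry key named above and reports what a defender would check before switching RequireIncomingEncryption to 1 (certificate and key present, certificate expiry, private key ACL). The value names and registry paths come from this page; the Path value as the installation directory, the certificate encoding (PEM or DER) and the 30-day warning threshold are assumptions.

```powershell
# Added example, not from the Tanium documentation: audit the Table 3 registry
# settings on a Tanium Server or Zone Server host. Assumes the key names on this
# page, a Path value under the key, and that reporting.crt is PEM or DER encoded.
$ModeNames = @{ 0 = 'TLS not used'; 1 = 'TLS required'; 2 = 'TLS optional' }

function Get-TaniumTlsAudit {
    param(
        [ValidateSet('Tanium Server', 'Tanium ZoneServer')]
        [string]$Component = 'Tanium Server'
    )
    $reg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Tanium\$Component" -ErrorAction Stop
    $findings = [System.Collections.Generic.List[string]]::new()

    # Outbound mode (set on a Tanium Server or Zone Server hub; may be absent elsewhere).
    if ($null -ne $reg.ReportingTLSMode) {
        $mode = [int]$reg.ReportingTLSMode
        $findings.Add("ReportingTLSMode=$mode ($($ModeNames[$mode]))")
    }

    # Inbound cert and key: explicit path if set, otherwise the default file name
    # under the installation directory (the Path value), as Table 3 describes.
    $certPath = if ($reg.ReportingTLSCertPath) { $reg.ReportingTLSCertPath } else { Join-Path $reg.Path 'reporting.crt' }
    $keyPath  = if ($reg.ReportingTLSKeyPath)  { $reg.ReportingTLSKeyPath  } else { Join-Path $reg.Path 'reporting.pvk' }
    foreach ($p in @($certPath, $keyPath)) {
        if (-not (Test-Path -LiteralPath $p)) { $findings.Add("MISSING: $p") }
    }

    if (Test-Path -LiteralPath $certPath) {
        # Certificate validity: keyutility issues it for 3650 days by default.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $findings.Add("reporting.crt subject='$($cert.Subject)' expires in $daysLeft days")
        if ($daysLeft -lt 30) { $findings.Add('WARN: reporting.crt expires within 30 days') }
    }

    if (Test-Path -LiteralPath $keyPath) {
        # Private key access should be limited to SYSTEM and Administrators (assumed baseline).
        $extra = (Get-Acl -LiteralPath $keyPath).Access |
            Where-Object { $_.IdentityReference -notmatch 'SYSTEM$|Administrators$' } |
            ForEach-Object { $_.IdentityReference.Value }
        if ($extra) { $findings.Add("WARN: reporting.pvk ACL also grants access to: $($extra -join ', ')") }
    }

    if ([int]$reg.RequireIncomingEncryption -eq 1) {
        $findings.Add('NOTE: RequireIncomingEncryption=1; clients without TLS (including 6.0) cannot register')
    }
    return $findings
}

Get-TaniumTlsAudit -Component 'Tanium Server'
```

Run it in an elevated PowerShell session on the server host; pass -Component 'Tanium ZoneServer' on a Zone Server or Zone Server hub.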

Configure Tanium Client settings

Tanium Client 7.2 supports TLS settings. The settings have no effect on Tanium Client 6.0.

  1. Go to Administration > Global Settings and filter the grid to show TLS settings.
  2. Configure TLS settings for the Tanium Client as described in Table 4.

It can take up to four hours (Tanium Client registration reset interval) for clients to register and receive the updated setting.

Table 4:   Tanium Client TLS settings
Setting: ReportingTLSMode
  • 0 (TLS not used)
  • 1 (TLS required)
  • 2 (TLS optional)

If you plan to use TLS, we recommend you initially set this option to 2 (optional). When TLS is optional, the client attempts to connect over TLS. If the TLS connection fails, it attempts a non-TLS connection.

If you specify 1, and the TLS handshake fails, the Tanium Client will not be able to register or communicate with the Tanium Server.

Once you have confirmed the TLS connections are being established reliably, you can set this to 1 (required) to enforce the best security.

Note: The TLS settings affect Tanium Client 7.2 only. A Tanium Client 6.0 might receive the settings during registration, but they have no effect because the Tanium Client 6.0 is not TLS-capable.

Setting: OptionalTLSMinAttemptCount
Number of times to attempt TLS before falling back to non-TLS. (min=1, max=100, default=3)

Applies when ReportingTLSMode=2 (optional).

Setting: OptionalTLSBackoffIntervalSeconds
Seconds to wait before retrying TLS again after failing OptionalTLSMinAttemptCount times. This interval doubles after each series of failed attempts. (min=1, max=86400, default=1)

Applies when ReportingTLSMode=2 (optional).

Setting: OptionalTLSMaxBackoffSeconds
Maximum backoff interval. (min=1, max=86400, default=3600)

Applies when ReportingTLSMode=2 (optional).

On the Tanium Client host computer, the setting names in the Windows Registry or client settings database are prepended with Server_. For example, Server_ReportingTLSMode. This prefix indicates the setting has been acquired from the Tanium Server global settings during registration, and the settings may be updated during registration updates.

In some cases, you might want the endpoint to use different settings (not the ones acquired from the Tanium Server global settings). For example, you might roll out the feature to your endpoints in stages. To override the settings acquired from the Tanium Server, you can create Windows Registry entries or add settings to the client settings database. These setting names must not include the Server_ prefix.

If a client has a setting named Server_ReportingTLSMode and a setting named ReportingTLSMode, the setting named ReportingTLSMode is applied.
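As an added example (not part of the Tanium documentation), the following PowerShell resolves the effective client settings from a constructed set of registry-style values using the precedence just described (an unprefixed name wins over its Server_ counterpart, and a built-in default applies when neither exists), then computes the TLS retry schedule those values imply under ReportingTLSMode=2 from the Table 4 descriptions. The setting names are from Table 4; the sample values and the timing model (only the waits between series are summed, time spent in the attempts themselves is ignored) are assumptions.

```powershell
# Added example, not from the Tanium documentation. Setting names follow Table 4;
# the sample values below are constructed and the timing model is an assumption.
function Resolve-TaniumClientTlsSettings {
    param([hashtable]$Values)
    $defaults = @{
        ReportingTLSMode = 0; OptionalTLSMinAttemptCount = 3
        OptionalTLSBackoffIntervalSeconds = 1; OptionalTLSMaxBackoffSeconds = 3600
    }
    $effective = @{}
    foreach ($name in $defaults.Keys) {
        # Precedence per the page: local (unprefixed) entry, then Server_ entry, then default.
        if ($Values.ContainsKey($name)) {
            $effective[$name] = [int]$Values[$name];           $effective["${name}_Source"] = 'local override'
        } elseif ($Values.ContainsKey("Server_$name")) {
            $effective[$name] = [int]$Values["Server_$name"];  $effective["${name}_Source"] = 'global setting'
        } else {
            $effective[$name] = $defaults[$name];              $effective["${name}_Source"] = 'default'
        }
    }
    return $effective
}

function Get-OptionalTlsRetrySchedule {
    param([hashtable]$Settings, [int]$Series = 12)
    if ($Settings.ReportingTLSMode -ne 2) { return @() }   # backoff applies only when TLS is optional
    $wait = $Settings.OptionalTLSBackoffIntervalSeconds
    $elapsed = 0
    $rows = foreach ($i in 1..$Series) {
        # One series: MinAttemptCount TLS attempts fail, the client falls back to non-TLS,
        # then waits $wait seconds before the next TLS series; $wait doubles up to the cap.
        $elapsed += $wait
        [pscustomobject]@{ Series = $i; TlsAttempts = $Settings.OptionalTLSMinAttemptCount
                           WaitSeconds = $wait; NextTlsSeriesAt = $elapsed }
        $wait = [Math]::Min($wait * 2, $Settings.OptionalTLSMaxBackoffSeconds)
    }
    return $rows
}

# Constructed sample: the server pushed mode 2 with default retry values, and a local
# override pins the backoff cap to 600 s for a staged rollout.
$sample = @{
    Server_ReportingTLSMode = 2; Server_OptionalTLSMinAttemptCount = 3
    Server_OptionalTLSBackoffIntervalSeconds = 1; Server_OptionalTLSMaxBackoffSeconds = 3600
    OptionalTLSMaxBackoffSeconds = 600
}
$eff = Resolve-TaniumClientTlsSettings -Values $sample
$eff.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Get-OptionalTlsRetrySchedule -Settings $eff | Format-Table -AutoSize
```

With the sample values the waits run 1, 2, 4, ... 512, 600, 600 seconds, showing how the local cap shortens the interval between TLS retries compared with the pushed 3600.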

Verify the TLS connections

The System Status page indicates whether the Tanium Clients used TLS for the connection to the Tanium Server or Zone Server the last time that they registered.

Figure 2: System Status: Using TLS column

The Tanium Server Info page has information on TLS connections for the server segments.

Go to https://<Tanium Server FQDN>/info and log in with an account that has the Administrator reserved role.

Figure 3: TLS status on the Info page

Key changes

The TLS reporting certificate (reporting.crt) is signed with the Tanium Server private key (tanium.pvk). Therefore, if you update the Tanium Server public-private key pair, you must regenerate the reporting.crt and reporting.pvk files used in the TLS implementation.

Last updated: 7/17/2018 3:11 PM