Signing content XML files

The Tanium Console supports importing and exporting content such as sensors and packages as XML files. By default, content that you import into the Tanium Server requires a digital signature. You maintain the public keys of trusted signers on the Tanium Server. When you import content, the server checks the signature against its store of public key files. If the check fails, the server does not import the content, and the Tanium Console displays failure messages.

Figure 1: Errors due to signature verification failure

As a best practice, develop and test content in your lab environment before distributing it to the production servers in your Tanium deployment.

Tanium signs content that you import as a component of Tanium solutions or Tanium content packs. The public key is distributed to the Tanium Server during installation.

Use KeyUtility.exe to sign the XML file

You can use the KeyUtility program to generate a cryptographic key pair and sign XML content files. Download the KeyUtility program from the Tanium Support Knowledge Base article about signing content XML files (login required).

The Tanium installation includes a cryptographic key utility that you use to sign content XML files. The command-line utility and associated files are in the top-level installation directory (for example, D:\Program Files\Tanium\Tanium Server). You can run the utility from the installation directory or copy the following files to a working directory:

  • KeyUtility.exe
  • libeay32.dll
  • ssleay32.dll

To generate the signing keys, use the following command:

KeyUtility.exe makekeys outFile

For example:

KeyUtility.exe makekeys TaniumLab

The utility generates a public and private key pair. The following is an example of a working directory after the keys have been generated:

D:\Tanium\Working>KeyUtility.exe makekeys TaniumLab

Directory of D:\Tanium\Working
09/05/2018  08:05 PM    <DIR>          .
09/05/2018  08:05 PM    <DIR>          ..
08/17/2018  03:04 AM         4,254,704 KeyUtility.exe
03/27/2018  07:03 PM         2,632,192 libeay32.dll
03/27/2018  07:03 PM           457,728 ssleay32.dll
09/05/2018  08:05 PM               158
09/05/2018  08:05 PM               241 TaniumLab.pvk
5 File(s)      7,345,023 bytes
2 Dir(s)  41,049,174,016 bytes free

Next, use the following command to sign the content XML file:

KeyUtility.exe signcontent TaniumLab.pvk <XMLfile>

For example:

KeyUtility.exe signcontent TaniumLab.pvk "Example Multicolumn Sensor Windows Registry.xml"

The utility appends a signature at the bottom of the XML file. It looks similar to the following:

<!--hash=2a8bc7529c9fcdad037982bcbfc12306aa88ac8b9d95d02248ec369008188b7c0e356ad1811609c754eb01dc97c09b9f2acb10331e2d9dbf77d309124c61950a;signature=01AF3D547A97CCBD62A022F398586DEAD4E29A30C29406283DA2E8F1E9FCF176194D66D4D9602538102F8F2FBBCFBC7AF370DB44E839C047253A246447E9A146706F00E94CD26D2CF29D8916E6EE0F21C77F0E13A6769905E5DDC09458912A94BB74C1311C9B26301DB8D8C73AC043EBC6A5A836FB6815011F1ACB37E0248A30F100B631-->
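The trailer is a detached hash plus signature inside an XML comment. The following Go program is an added illustration, not KeyUtility code or Tanium's verifier: it signs a constructed sensor XML in the same <!--hash=...;signature=...--> shape and then performs the kind of check the Tanium Server makes at import time against its store of trusted public keys, distinguishing unsigned content, content edited after signing, and a signer whose key is not in the store. The hash function (SHA-512, chosen only because the sample digest is 128 hex characters), the RSA PKCS#1 v1.5 signature scheme, and the rule that only the bytes before the trailer are covered are assumptions; the page does not document Tanium's algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Trailer shape copied from the comment KeyUtility appends: <!--hash=HEX;signature=HEX-->.
// Assumed here (not documented by Tanium): SHA-512 over every byte before the trailer, RSA PKCS#1 v1.5 signatures.
var trailerRE = regexp.MustCompile(`<!--hash=([0-9a-fA-F]+);signature=([0-9a-fA-F]+)-->\s*$`)

// SignContent stands in for "KeyUtility.exe signcontent": it appends the hash/signature trailer.
func SignContent(xml []byte, priv *rsa.PrivateKey) ([]byte, error) {
	digest := sha512.Sum512(xml)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, xml...), fmt.Sprintf("<!--hash=%x;signature=%X-->", digest[:], sig)...), nil
}

// VerifyContent models the server-side import check: the trailer must parse, the hash must
// match the body (catches edits made after signing) and the signature must verify under one
// of the trusted public keys (the content_public_keys store). Returns the matching key's index.
func VerifyContent(signed []byte, trusted ...*rsa.PublicKey) (int, error) {
	loc := trailerRE.FindSubmatchIndex(signed)
	if loc == nil {
		return -1, fmt.Errorf("not signed: no hash/signature trailer")
	}
	wantHash, err1 := hex.DecodeString(string(signed[loc[2]:loc[3]]))
	sig, err2 := hex.DecodeString(string(signed[loc[4]:loc[5]]))
	if err1 != nil || err2 != nil {
		return -1, fmt.Errorf("malformed trailer: hash or signature is not hex")
	}
	digest := sha512.Sum512(signed[:loc[0]]) // only the bytes before the trailer are covered
	if string(wantHash) != string(digest[:]) {
		return -1, fmt.Errorf("content modified after signing: hash mismatch")
	}
	for i, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig) == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("signature does not match any trusted public key")
}
```

Pass the bytes of a content file to SignContent with a lab key generated by rsa.GenerateKey, then VerifyContent with the keys you would place in the server's key folder; the three error strings correspond to the three ways an import can be rejected.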

Copy the content signing public key file to your Tanium servers

Before you import the XML file, copy the public key file to the Tanium Server keys folder, such as D:\Tanium\Tanium Server\content_public_keys\content.

For information on adding the content signing key to the Tanium Server on a Tanium Appliance, see the Tanium Appliance Installation Guide.

Last updated: 11/12/2019 3:19 PM