Managing downloads authentication

Tanium Cloud The Tanium Server and Tanium Module Server sometimes request files, such as those that Tanium Clients use to run certain packages, from remote sources. To ensure file downloads are secure, the source and Tanium Cloudserver must trust each other. If the source regards Tanium Cloudthe server as untrusted, then Tanium Cloudthe server must authenticate. If Tanium Cloudthe server regards the source as untrusted, the source must authenticate.

For example, when Tanium™ Patch scans Linux endpoints to download available patches from repositories such as the Red Hat Content Delivery Network, the repositories do not serve the patches until Tanium Cloudthe Tanium Server authenticates. Tanium CloudThe server uses a client certificate or account credentials to authenticate, depending on which authentication method the remote source requires.

A remote source authenticates by presenting a server certificate for Tanium Cloudthe Tanium Server or Module Server to validate. Tanium CloudThe Tanium Server or Module Server validates using a trusted certificate, which is a certificate authority (CA) certificate or pinned certificate. A CA certificate can validate any certificate that the CA digitally signed. A pinned certificate can validate only the source certificate for a particular domain (such as cdn.redhat.com) and port.

Use the Downloads Authentication page to specify the credentials, client certificates, and CA or pinned certificates that are required for Tanium Cloudthe Tanium Server, Module Server, and remote sources to authenticate.

Only users who are assigned the Administrator reserved role can see and configure downloads authentication settings.

You configure remote sources and trusted certificates only on the Tanium Server (through Tanium Console), which automatically propagates the necessary certificates and credentials to the Module Server.

To troubleshoot issues related to downloads authentication, check the Tanium Downloader (TDL) log. See Tanium Core Platform Deployment Reference Guide: Tanium Downloader log.

Figure 1 illustrates an example deployment where the Tanium Cloud connectsTanium Server and Module Server connect through a proxy server (optional) and firewall (optional) to download files from the following remote sources:

Remote Source A: Tanium Cloud usesThe Tanium Server and Module Server use a client certificate to authenticate to the source and use a CA certificate to verify the source server certificate.
Remote Source B: Tanium Cloud usesThe Tanium Server and Module Server use a client certificate to authenticate to the source and use a pinned certificate to verify the source server certificate.
Remote Source C: Tanium Cloud usesThe Tanium Server and Module Server use credentials to authenticate to the source and do not require the source to present a server certificate.
Remote Source D: Tanium Cloud doesThe Tanium Server and Module Server do not need to authenticate to the source but they use a CA certificate to verify the source server certificate.

Manage remote sources

Remote source configurations determine how Tanium Cloudthe Tanium Server and Module Server authenticate to remote sources.

View remote sources

To see the details of remote sources that are already configured:

From the Main menu, go to Administration > Configuration > Downloads Authentication > Remote Sources.
The tab displays the following information:
- Name: The Display Name appears if one was configured for the source. Otherwise, the Uniform Resource Identifier (URI) of the source appears.
- Validity details: Icons indicate which sources have certificates that are valid , expired , or valid but expiring in less than 30 days . These states do not apply to credentials.
- Modification details: These values indicate which user last modified the certificates or credentials and when.
Expand a source to see the following additional details:
- Authentication type: Certificate or credentials
- URI of the source (certificate authentication) or Username of the account that is used to access the source (credential authentication)
- Expiration date of the certificate (this field is blank for credential authentication)
Click Edit in the row for a source to see its Description, if that setting was configured.

Add remote sources

Before you begin

Determine how Tanium Cloudthe Tanium Server and Tanium Module Server must authenticate to each remote source:

Certificate authentication: Obtain a valid client certificate and matching private key, both in PEM format, from the remote source. Each source has its own methods for processing certificate and key requests. Tanium Cloud supportsThe Tanium Server and Tanium Module Server support password-protected private keys.
Credential authentication: Determine the user name and password that are required to authenticate to the remote source. Each source has its own methods for processing requests for access credentials.

Add a remote source

From the Main menu, go to Administration > Configuration > Downloads Authentication > Remote Sources and click Add Entry.

Configure the following settings and click Save.

Table 1: Remote source settings
Setting	Description
URI	The value depends on the Authentication Type: Certificate Authentication: The source domain, such as cdn.redhat.com Credential Authentication: The URL of the user name that you use to access the source, such as \\server\share
Display Name	(Optional) Enter a name to identify the source on the Remote Sources tab. If you omit this setting, the tab displays the source URI instead.
Description	(Optional) Enter text for other users to understand why Tanium Cloudthe servers downloads files from this source.
Authentication Type	Select Certificate Authentication or Credential Authentication. After you save the source configuration, you cannot change this setting.
Authentication Certificate	(Certificate authentication only) When you add a source, this section appears only after you click Upload Certificate, select the certificate, and click Open. If you later edit the source, you can click Update Certificate to select another certificate. The Authentication Certificate section displays the certificate Subject (common name) and Expiration date-time.
Private Key	(Certificate authentication only) When you add a source, this field displays the file name of the private key only after you click Upload Private Key, select the key, and click Open. If you later edit the source, you can click Update Private Key to select another key.
Username	(Credential Authentication only) Enter the user name that is required to access the remote source.
Password	(Credential Authentication only) Enter the password that is required to access the remote source.

Edit remote sources

You can edit remote source configurations to replace expired certificates or update credentials that have changed. All the source settings are editable except the Authentication Type.

From the Main menu, go to Administration > Configuration > Downloads Authentication > Remote Sources and click Edit in the row for the source that you want to edit.
Update the settings in Table 1 and click Save.

Delete remote sources

From the Main menu, go to Administration > Configuration > Downloads Authentication > Remote Sources.
Click Delete in the row for the source that you want to remove.

Manage trusted certificates

Tanium Cloud The Tanium Server and Tanium Module Server requires untrusted remote sources to authenticate when processing file download requests. You must upload the trusted (CA or pinned) certificates that Tanium Cloud usesthe Tanium Server and Tanium Module Server use to validate the certificates that sources present for authentication.

View trusted certificates

To see the details of certificates that are already uploaded:

From the Main menu, go to Administration > Configuration > Downloads Authentication > Trusted Certificates.
The tab displays the following information:
- Name: The Display Name if one was configured for the certificate.
- Modification details: Which user last modified the certificate and when
- Expiration: The date-time when the certificate expires. The Trusted Certificates tab displays warnings if certificates have expired or will expire in less than 30 days .
Click Edit in the row for a certificate if you want to see the Subject, Domain, and Port settings that Table 2 describes.

Add trusted certificates

Obtain the CA or pinned certificate of the remote source.
From the Main menu, go to Administration > Configuration > Downloads Authentication > Trusted Certificates and click Add Trusted Certificate.
Select the certificate and click Open.

Configure the following settings and click Save.

Table 2: Trusted certificate settings
Setting	Description
Subject	This read-only setting shows the common name of the certificate.
Expiration	This read-only setting shows the date-time when the certificate expires.
Update Certificate	Click the button if you need to upload a different certificate.
Display Name	(Optional) Enter a name to identify the certificate on the Trusted Certificates tab.
Domain	(Pinned certificates only) The domain for which the certificate is trusted.
Port	(Pinned certificates only) The port for which the certificate is trusted.

Edit trusted certificates

Replace certificates when they expire or change other settings when necessary.

From the Main menu, go to Administration > Configuration > Downloads Authentication > Trusted Certificates and click Edit in the row for the certificate that you want to edit.
Update the fields in Table 2 and click Save.

Delete trusted certificates

From the Main menu, go to Administration > Configuration > Downloads Authentication > Trusted Certificates.
Click Delete in the row for the certificate that you want to remove.