Managing Tanium Server trust

In Tanium as a Service, trust among Tanium Core Platform components is established and managed automatically. The procedures in this section apply to Tanium Servers that you deploy and operate yourself.

You must enable trust between the Tanium Servers in an active-active cluster so that they can communicate for synchronization. Enable trust in the following situations:

  • You upgraded from Tanium Core Platform 7.3 or earlier and must enable trust because version 7.4 or later requires it.
  • You completed a fresh installation of Tanium Servers and must enable trust between them.
  • You initially deployed a Tanium Server in a standalone configuration, but now you want to deploy a second server for an active-active configuration.
  • You need to replace one of the Tanium Servers in an active-active deployment. In this case, you must revoke the trust state for the old server and enable trust for the new server.

The Administration > Configuration > Key & Trust Management > Trusted Servers page displays details about enabled and revoked trust states.

You require the Administrator reserved role to manage trust for Tanium Servers.

Enable trust between Tanium Servers

Before you begin

  • Install both Tanium Servers in the active-active cluster. For the procedure, see the deployment guide for your Tanium infrastructure under Tanium Core Platform Servers. When you add a second Tanium Server, the two servers automatically discover each other through the Tanium database and appear in the Administration > Configuration > Key & Trust Management > Trusted Servers page.
  • (Tanium Appliance deployment only) Check the TanOS version of your appliances: see Tanium Appliance Deployment Guide: View version information. If the version is TanOS 1.6.5 or later, you can skip this procedure because the array installation process automatically establishes trust between appliances in the array: see Tanium Appliance Deployment Guide: Installing an Appliance Array.
  • Record the fingerprint of the active root public key of each Tanium Server, taken from that server's own console: sign in to the Tanium Console of each server and select Administration > Configuration > Key & Trust Management > Current Server. During approval you compare the fingerprint that a server reports for itself with the fingerprint that its peer displays for it; the two must match before you accept trust.

Approve trust

  1. Sign in to the Tanium Console of a Tanium Server.

    A message at the top of the console indicates that trust approval is required for the peer of the server you signed in to.

  2. From the Main menu, go to Administration > Configuration > Key & Trust Management > Trusted Servers.

    The page contains information about the Tanium Server that requires trust in relation to the server you signed into.

  3. Verify the identity of the Tanium Server that requires trust: compare the Root Key Fingerprint and IP Address shown on this page with the values you recorded from the Current Server page of that server.

    If either identifier does not match, do not accept trust. Decommission the server before denying trust: denied trust is irreversible for that instance of a Tanium Server, and to approve trust later you must uninstall and reinstall the server so that it generates a new root key pair.

  4. Click Accept to initiate the trust approval workflow and click Confirm to proceed with the operation.

    The Trust Status remains Awaiting trust from other server until you enable trust on the other Tanium Server.

  5. Repeat steps 1 through 4 on the other Tanium Server. When you finish, the Trust Status changes to Trusted.
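The fingerprint comparison in step 3 is where a substituted or misidentified server is caught, so it should be made against a record you took yourself on the peer, not against whatever the trust request displays. The following Python script is an added example; it is not Tanium code and uses no Tanium API. It compares the Root Key Fingerprint and IP Address shown on the Trusted Servers page with values recorded from each server's Current Server page, and maps the outcome onto the rule above: accept only on a full match, and treat a fingerprint mismatch as a server to decommission before trust is denied. The server names, fingerprints and addresses are constructed, and the fingerprint format (hex digits, shown with or without separators) is an assumption, since the page does not define it.

```python
"""Pre-acceptance identity check for a peer Tanium Server.

Added example, not Tanium code. Models step 3 of the trust approval
procedure: compare what the Trusted Servers page displays about the peer
with what the peer reported about itself on its own Current Server page.
Fingerprint format (hex, optional separators) is an assumption; all names,
fingerprints and addresses below are constructed sample data.
"""
import hmac
import re
from dataclasses import dataclass

# Recorded out-of-band, one entry per server, from that server's own
# Administration > Configuration > Key & Trust Management > Current Server page.
RECORDED = {
    "ts1.example.internal": {
        "fingerprint": "3f1c9e7a2b4d6c8e0f1a2b3c4d5e6f703f1c9e7a2b4d6c8e0f1a2b3c4d5e6f70",
        "ip": "10.0.0.11",
    },
    "ts2.example.internal": {
        "fingerprint": "a1b2c3d4e5f60718293a4b5c6d7e8f900f1e2d3c4b5a69788796a5b4c3d2e1f0",
        "ip": "10.0.0.12",
    },
}

ACCEPT = "accept"
DECOMMISSION_BEFORE_DENY = "decommission_before_deny"
HOLD = "hold"


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str


def normalize_fingerprint(fp: str) -> str:
    """Reduce a displayed fingerprint to lowercase hex with no separators,
    so 'A1:B2' and 'a1b2' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if not digits:
        raise ValueError("fingerprint contains no hex digits")
    return digits


def verify_peer_identity(signed_in_server: str, displayed_fingerprint: str,
                         displayed_ip: str, recorded=RECORDED) -> Decision:
    """Decide whether the peer shown on the Trusted Servers page may be accepted.

    The page on the server you signed in to describes the *other* server, so
    the comparison target is the record taken on that other server.
    """
    peers = [name for name in recorded if name != signed_in_server]
    if len(peers) != 1:
        raise ValueError("expected exactly one peer in an active-active cluster")
    peer = peers[0]
    expected = recorded[peer]

    fingerprint_ok = hmac.compare_digest(
        normalize_fingerprint(expected["fingerprint"]),
        normalize_fingerprint(displayed_fingerprint),
    )
    if not fingerprint_ok:
        # A different root key means a different installation. Denial is
        # irreversible for that instance, so decommission first, then deny.
        return Decision(
            DECOMMISSION_BEFORE_DENY,
            f"root key fingerprint does not match the value recorded on {peer}",
        )
    if expected["ip"] != displayed_ip:
        # Key matches but address does not: do not accept, and do not deny
        # either until the recorded address has been rechecked on the peer.
        return Decision(
            HOLD,
            f"IP {displayed_ip} differs from {expected['ip']} recorded on {peer}",
        )
    return Decision(ACCEPT, f"fingerprint and IP match the record for {peer}")


if __name__ == "__main__":
    # Signed in to ts1; the Trusted Servers page shows ts2's identifiers.
    print(verify_peer_identity("ts1.example.internal",
                               RECORDED["ts2.example.internal"]["fingerprint"],
                               "10.0.0.12"))
```

Run the script once per server, signed in to each in turn, before clicking Accept; an `accept` decision on both sides corresponds to the mutual approval that moves the Trust Status to Trusted.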

Revoke trust between Tanium Servers

Before you enable trust for a replacement Tanium Server in an active-active deployment, revoke the trust state of the server that it replaces:

  1. Sign in to the Tanium Console of the Tanium Server that currently trusts the server whose trust you want to revoke.
  2. From the Main menu, go to Administration > Configuration > Key & Trust Management > Trusted Servers.
  3. In the tile of the Tanium Server for which you want to revoke trust, click Revoke Trust, and then click Confirm.

View Tanium Server trust history

You can see details about Tanium Server trust operations, such as who approved or revoked trust, when, and whether the operation succeeded.

  1. From the Main menu, go to Administration > Configuration > Key & Trust Management > Activity Log.
  2. Review the entries in the Server Trust History grid.