Managing Tanium Server trust

Tanium as a Service automatically establishes and manages trust among Tanium Core Platform components.

Tanium Servers in an active-active high availability (HA) cluster must trust each other before they can communicate for synchronization and failover. Enable trust in the following situations:

  • You upgraded from Tanium Core Platform 7.3 or earlier and must enable trust because version 7.4 or later requires it.
  • You completed the fresh installation of Tanium Servers and must enable trust between them.
  • You initially deployed the Tanium Server in a standalone (non-HA) configuration, but now you want to deploy a second server to enable HA.
  • You need to replace one of the Tanium Servers in an HA deployment. In this case, you must revoke the trust state for the old server and enable trust for the new server.

The Configuration > Tanium Server > Trusted Tanium Servers page displays details about enabled and revoked trust states in the Trust History grid.

You require the Administrator reserved role to manage trust for Tanium Servers.

Enable trust between Tanium Servers

Before you begin

  • Install both Tanium Servers in the HA cluster. For the procedure, see the deployment guide for your Tanium infrastructure under Tanium Core Platform Servers. When you add a second Tanium Server, both servers automatically discover the presence of the other through the Tanium database and appear in the Configuration > Tanium Server > Trusted Tanium Servers page.
  • Record the fingerprints of the root public keys that are active on each Tanium Server. You use the fingerprints to verify server identities during the approval workflow, so obtain each fingerprint directly from the server it identifies rather than from its peer. To see the fingerprints, log into the Tanium Console of each server and select Configuration > Tanium Server > Root Key Management.

Approve trust

  1. Log into the Tanium Console of a Tanium Server.

    A message at the top of the console indicates that trust approval is required for the HA peer of the server you logged into.

  2. From the Main menu, select Console > Configuration > Tanium Server > Trusted Tanium Servers.

    The page displays information about the Tanium Server that requires trust in relation to the server you logged into.

  3. Verify the identity of the Tanium Server that requires trust: compare its Root Key Fingerprint with the fingerprint you recorded from that server's own Root Key Management page, and confirm that its IP Address is the address you expect for the peer.

    If either identifier does not match, do not accept trust. Decommission the server first and then deny trust. Denying trust is irreversible for that instance of a Tanium Server, because the denial is bound to its root key pair. To approve trust for the same host afterward, you must uninstall and reinstall the Tanium Server so that it generates a new root key pair.

  4. Click View More to initiate the trust approval workflow.
  5. Click Accept and confirm the operation when prompted.

    The Trust Status remains Pending until you enable trust on the other Tanium Server.

  6. Repeat steps 1 through 5 on the other Tanium Server. When you finish, the Trust Status on both servers changes to Trusted.

Revoke trust

To replace one of the Tanium Servers in an HA deployment, revoke the trust state of the old server as follows before you enable trust for the new server.

  1. Log into the Tanium Console of the Tanium Server that you are keeping, which currently trusts the server to be revoked.
  2. From the Main menu, select Console > Configuration > Tanium Server > Trusted Tanium Servers.
  3. In the tile of the Tanium Server for which you want to revoke trust, click Revoke and confirm the operation when prompted.