Managing Zone Servers and hubs

You must enable trust between each Tanium Server and Tanium Zone Server Hub so that they can communicate. You must also map each Tanium Zone Server to a Zone Server Hub so that only trusted Zone Servers communicate with hubs. In a high availability (HA) deployment, you enable trust and configure mappings for each Tanium Server and Zone Server Hub. These procedures address the following use cases:

  • You upgraded from Tanium Core Platform 7.3 or earlier and must enable trust and configure mappings because the servers require them in version 7.4 or later.
  • You completed the fresh installation of the Tanium Servers, Zone Servers, and Zone Server Hubs, and now you must enable trust and configure mappings.
  • You must add a Zone Server or Zone Server Hub to an existing deployment.
  • You must replace a Zone Server or Zone Server Hub. In this case, you must revoke the trust state and delete the mappings for the old hub and then enable trust and configure mappings for the new hub.

You require the Administrator reserved role to manage trust and mappings among Zone Servers and hubs.

Enable trust and configure mappings

Before you begin

Install the Tanium Servers, Zone Servers, and Zone Server Hubs. For the procedures, see the deployment guide for your Tanium infrastructure under Tanium Core Platform Servers. When you add a Zone Server Hub, the Tanium Console automatically displays it as a tile in the Configuration > Tanium Server > Zone Server Hub Trusts page.

In an HA deployment, perform the following tasks in sequence on each Tanium Server.

Approve trust for Zone Server Hubs

Perform the following steps for each Zone Server Hub.

If you upgraded the Zone Server Hub from version 7.3 or earlier, the hub migrates the ZoneServerList.txt file into Zone Server mappings after you approve trust for the hub.

  1. Log into the CLI of the host where you installed the Zone Server Hub.
  2. Navigate to the Zone Server Hub installation directory (such as \Program Files (x86)\Tanium\Tanium ZoneServer):

    > cd <Zone Server Hub installation directory>

  3. Display the registration fingerprint of the Zone Server Hub:

    > TaniumZoneServer pki show-registration-fingerprint

  4. Log into the Tanium Console of a Tanium Server.
  5. Go to Configuration > Tanium Server > Zone Server Hub Trusts.

    The page displays a tile for each Zone Server Hub that you installed.

  6. Verify the identity of each Zone Server Hub: the Fingerprint in the tile must match the registration fingerprint that you displayed from the hub CLI in step 3, and the IP address or FQDN must be the host on which you installed that hub.

    If either identifier of a Zone Server Hub is wrong, the tile might not represent the hub that you installed. Decommission the hub before denying trust for it. Denied trust is irreversible for any particular instance of a hub: to subsequently approve trust, you must uninstall and reinstall the hub so that it generates a new fingerprint.

  7. In the Zone Server Hub tile, click Accept/Deny to initiate the trust approval workflow.
  8. Verify that the hub details are correct, click Accept, enter your login password, and click OK.

    In the Zone Server Hub tile, the trust Status changes to Approved.

Map Zone Servers to a Zone Server Hub

After approving trust for Zone Server Hubs, perform the following steps for each Zone Server.

  1. Log into the Zone Server CLI.
  2. Navigate to the Zone Server installation directory (such as \Program Files (x86)\Tanium\Tanium ZoneServer):

    > cd <Zone Server>

  3. Display the registration fingerprint of the Zone Server:

    > TaniumZoneServer pki show-registration-fingerprint

  4. Log into the Tanium Console.
  5. In a Zone Server Hub tile, click Add Zone Server.
  6. Enter the Zone Server IP address or FQDN. If you configured the Zone Server to use a port other than the default 17472 for traffic from the Zone Server Hub, you must also specify that port in the format <[FQDN] | [IP address]>:<port>, for example zs1.example.com:17473 or 192.168.2.1:17473.

    Configuring separate ports for traffic from Zone Server Hubs and Tanium Clients is a best practice to improve the security of the Zone Server. For details, see Tanium Core Platform Deployment Guide for Windows: Configure ports for traffic from Zone Server Hubs and Tanium Clients.

  7. Click OK, enter your login Password, and click OK again.

    The Tanium Console might take a few minutes to show the mapping. When it does, the mapping Status displays Pending in the Zone Server tile. The mapping also appears in the Zone Servers to Zone Server Hub Mappings grid.

  8. In the Zone Server tile, click Accept/Deny to initiate the mapping workflow.
  9. Verify the identity of each Zone Server: the Fingerprint in the tile must match the registration fingerprint that you displayed from the Zone Server CLI in step 3, and the IP address or FQDN must be the host on which you installed that Zone Server.

    If either identifier of a Zone Server is wrong, the tile might not represent the Zone Server that you installed. Decommission the server before denying trust for it.

  10. Click Accept, enter your login password, and click OK.

    In the Zone Server tile, the mapping Status changes to Approved.
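The following script is an added example (not Tanium code) that supports the two verification steps above: it collects the registration fingerprint from the hub or Zone Server CLI, compares it and the host address against what the Zone Server Hub Trusts tile shows, and validates the <FQDN | IP address>:<port> entry before you click Add Zone Server. It assumes that the CLI binary is named TaniumZoneServer (TaniumZoneServer.exe on Windows) inside the installation directory and that the command prints the fingerprint as a run of hex pairs; neither the binary name nor the output wording is documented on this page, and the sample CLI output embedded in the script is constructed.

```python
"""Cross-check a Zone Server Hub or Zone Server tile before clicking Accept.

Added example; not Tanium's code. Assumptions (not documented on this page):
the CLI binary is TaniumZoneServer (TaniumZoneServer.exe on Windows) in the
installation directory, and it prints the fingerprint as a run of hex pairs.
"""
import ipaddress
import os
import re
import subprocess
from dataclasses import dataclass

DEFAULT_HUB_PORT = 17472  # documented default port for hub -> Zone Server traffic

# Assumed output shape: at least 16 hex pairs, with or without ':' separators.
_FP_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:?){16,}")
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of CLI output for offline use; the real wording may differ.
SAMPLE_FINGERPRINT = ("3a:f1:0c:9e:27:b4:d8:51:6e:aa:02:c7:4f:93:e5:18:"
                      "7b:60:d4:1f:88:2c:b9:43:05:ea:76:9d:31:c0:5f:ab")
SAMPLE_CLI_OUTPUT = f"Registration fingerprint: {SAMPLE_FINGERPRINT}\n"


def normalize_fingerprint(text: str) -> str:
    """Lower-case and drop separators so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def extract_fingerprint(cli_output: str) -> str:
    """Pull the fingerprint out of `pki show-registration-fingerprint` output."""
    match = _FP_RE.search(cli_output)
    if not match:
        raise ValueError("no fingerprint found in CLI output")
    return normalize_fingerprint(match.group(0))


def read_local_fingerprint(install_dir: str) -> str:
    """Run the CLI on this host (hub or Zone Server) and return its fingerprint."""
    exe = os.path.join(install_dir, "TaniumZoneServer")  # Windows appends .exe
    proc = subprocess.run([exe, "pki", "show-registration-fingerprint"],
                          capture_output=True, text=True, check=True)
    return extract_fingerprint(proc.stdout)


def parse_zone_server_address(entry: str) -> tuple[str, int]:
    """Validate '<FQDN | IPv4>[:<port>]' as typed into Add Zone Server.

    Returns (host, port); the port defaults to 17472 when omitted.
    """
    entry = entry.strip()
    host, sep, port_text = entry.rpartition(":")
    if not sep:
        host, port = entry, DEFAULT_HUB_PORT
    elif port_text.isdigit() and 1 <= int(port_text) <= 65535:
        port = int(port_text)
    else:
        raise ValueError(f"invalid port in {entry!r}")
    if not host or ":" in host:
        raise ValueError(f"malformed host in {entry!r}")
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        if any(not _LABEL_RE.match(label) for label in host.split(".")):
            raise ValueError(f"{host!r} is neither an IPv4 address nor an FQDN")
    return host, port


@dataclass(frozen=True)
class TileCheck:
    """What the console tile shows versus what you collected out of band."""
    console_address: str       # IP address or FQDN shown in the tile
    console_fingerprint: str   # Fingerprint shown in the tile
    expected_address: str      # host you actually installed on
    cli_fingerprint: str       # output of the CLI step on that host

    @property
    def fingerprint_matches(self) -> bool:
        return (normalize_fingerprint(self.console_fingerprint)
                == normalize_fingerprint(self.cli_fingerprint))

    @property
    def address_matches(self) -> bool:
        return (self.console_address.strip().lower()
                == self.expected_address.strip().lower())

    @property
    def safe_to_accept(self) -> bool:
        """Accept only when both identifiers agree; otherwise decommission first."""
        return self.fingerprint_matches and self.address_matches


if __name__ == "__main__":
    # Offline demonstration with the constructed sample; on a real host call
    # read_local_fingerprint(r"C:\Program Files (x86)\Tanium\Tanium ZoneServer").
    check = TileCheck("zsh1.example.com", SAMPLE_FINGERPRINT.upper(),
                      "zsh1.example.com", extract_fingerprint(SAMPLE_CLI_OUTPUT))
    print("safe to accept:", check.safe_to_accept)
    print(parse_zone_server_address("zs1.example.com:17473"))
```

Run read_local_fingerprint on the hub or Zone Server host itself, copy the result and the tile values into a TileCheck, and only click Accept when safe_to_accept is true; a false result is the case where the procedure tells you to decommission the host before denying trust, because a denied hub cannot be re-approved without reinstalling it.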

Revoke trust and delete mappings

If you need to replace one of the Zone Server Hubs, revoke the trust state and Zone Server mappings for the old hub before establishing trust and mappings for the new hub. If you need to replace a Zone Server, delete its hub mapping before creating a mapping for the new Zone Server. In an HA deployment, perform these tasks on each Tanium Server.

Revoke a Zone Server Hub

  1. Log into the Tanium Console of a Tanium Server.
  2. Go to Configuration > Tanium Server > Zone Server Hub Trusts.

    The page displays a tile for each Zone Server Hub.

  3. In the Zone Server Hub tile, click Revoke, enter your login password, and click OK.

    The Zone Server Hub section no longer displays a tile for the hub.

Revoke a Zone Server

  1. Log into the Tanium Console of a Tanium Server.
  2. Go to Configuration > Tanium Server > Zone Server Hub Trusts.

    The page displays a tile for each of the Zone Servers.

  3. In the Zone Server tile, click Revoke, enter your login password, and click OK.

    The Zone Servers section no longer displays a tile for the server.

Delete a Zone Server Hub-to-Zone Server mapping

  1. Log into the Tanium Console of a Tanium Server.
  2. Go to Configuration > Tanium Server > Zone Server Hub Trusts.

    The Zone Servers to Zone Server Hub Mappings grid has an entry for each mapping.

  3. Select the mapping, click Delete Mapping, enter your login password, and click OK.