NetXMS 3.6 released

Started by Victor Kirhenshtein, November 20, 2020, 11:06:17 AM

Victor Kirhenshtein

Hi all!

NetXMS version 3.6 has just been released. We plan for it to be the last release in the 3.x branch, but depending on progress with 4.0 development and requests from our customers and community, we may also introduce 3.7 in a month or two.
Changes since previous release:
- Object categories
- Support for externally provisioned agent certificates
- New instance discovery method "internal table"
- Added option to validate server certificate on agent
- Fixed column sorting in Web Service Definition view
- Support for IPv6 in NXSL functions AddrInSubnet and AddrInRange
- New NXSL function GetServerQueueNames
- New NXSL functions for object search: FindObjectByGUID, FindNodeByAgentId, FindNodeByIPAddress, FindNodeByMACAddress, FindNodeBySysName
- nxdbmgr option to migrate log tables in background
- Windows event log synchronization, server side parsing and agent side filtering
- Added option not to save to database Windows event log and syslog filtered by server parser
- Maximum number of client sessions can be configured
- Added support for SNMP data types FLOAT, DOUBLE, INTEGER64, UINTEGER64
- Correct decoding of values inside OPAQUE SNMP varbinds
- Added view for object tools with output executed on multiple nodes
- Added synchronous methods and completion callbacks for object creation in Java API
- Fixed nxdbmgr crash on import
- New built-in agent action Agent.RotateLog
- Server performance optimization for handling large number of agent connections
- Performance optimization of SNMPv3 processing
- NXSL performance optimization
- Improved handling of external parameter providers in agent
- Added background polling option for external tables in agent
- Authentication method for LDAP users can be changed
- Support for mobile devices with NTCB/FLEX protocol
- Geolocation control for nodes, sensors, and mobile devices
- Fixed screenshot issues on Windows 10 with DPI scaling
- Fixed errors on graph properties modification
- Fixed sorting in summary table when one column has different data types
- Fixed issues:
   NX-904 (Sensitive info should be hidden in Audit Log)
   NX-1294 (Completed Scheduled Task Re-scheduling)
   NX-1416 (NetXMS Agents shutdown does not end ExternalParametersProviders)
   NX-1823 (Using SSH login and password in object tools)
   NX-1905 (Log Parser policy in Template Agent Policies does not automatically include Events in Export Configuration Tool)
   NX-1907 (Add server configuration option to disable outdated SSL/TLS versions)
   NX-1911 (Separate object name for use on maps)
   NX-1931 ("Do not store" option for syslog)
   NX-1933 (Update descriptions and units for server configuration variables)
   NX-1951 (Moving a DCI to container deletes the DCI)
   NX-1962 (Save time of last configuration poll across server restart)

Best regards,
Victor

lindeamon


Mortymer

Thank you very much!
Could you upload the console application for Android please?

Regards,
Mortymer

Victor Kirhenshtein

Just uploaded Android console.

Best regards,
Victor

Victor Kirhenshtein

We just found and fixed a critical bug in the server communication code; all users currently running server version 3.6.252 are encouraged to upgrade to 3.6.262 as soon as possible.

Best regards,
Victor

Mortymer


Staj

Thank you for the Windows Certificate Store (CNG) Certificate support for Agent Tunnels, this is very much appreciated for our use-case.

Can you explain how https://github.com/openssl/openssl/issues/12859 affects nxagentd and the downgrade to TLS 1.1?

Looking at the code, it will find a Certificate in the SYSTEM Personal Certificate based on matching Friendly Name, Email, Subject, Template, Common Name, Org or Device Serial (in that order)? How does one specify what the agent should consider a match?

EDIT:
Tunnel::createFromConfig and ParseTunnelList seem to have the answer:
Quote: Record format is address[:port][,certificate[,password]]
Records meaning the configured MasterServers, ControlServers and Servers. So I guess an example would be:
MasterServers = 10.0.0.1,ADCSTemplNetXMS
Assuming ADCSTemplNetXMS was the name of a Certificate Template (e.g. a certificate issued by ADCS)?

Victor Kirhenshtein

Quote from: Staj on November 26, 2020, 12:55:42 PM
Can you explain how https://github.com/openssl/openssl/issues/12859 affects nxagentd and the downgrade to TLS 1.1?

If the certificate has an exportable private key, then the agent will get the private key and use standard OpenSSL mechanisms instead of the CNG engine for session authentication. In that case TLS 1.3 will be used if the server supports it. If the private key cannot be exported, then the agent will switch to TLS 1.1 and use the CNG engine for authentication.

Quote from: Staj on November 26, 2020, 12:55:42 PM
Looking at the code, it will find a Certificate in the SYSTEM Personal Certificate based on matching Friendly Name, Email, Subject, Template, Common Name, Org or Device Serial (in that order)? How does one specify what the agent should consider a match?

EDIT:
Tunnel::createFromConfig and ParseTunnelList seem to have the answer:
Quote: Record format is address[:port][,certificate[,password]]
Records meaning the configured MasterServers, ControlServers and Servers. So I guess an example would be:
MasterServers = 10.0.0.1,ADCSTemplNetXMS
Assuming ADCSTemplNetXMS was the name of a Certificate Template (e.g. a certificate issued by ADCS)?

Not exactly. Tunnel connections are configured using ServerConnection parameters, so it will be


ServerConnection = 10.0.0.1, certificate_matching_string


The certificate matching string consists of a selector and a value separated by ":". Possible selectors are:
name - certificate's friendly name (display name) in store
email - EMail portion of certificate DN
subject - certificate's subject
template - template OID (not template name!)
cn - CN part of certificate's DN
org - ORG part of certificate's DN
deviceSerial - device serial number

So, for example, for a certificate with the friendly name "NetXMS Server" it will be

ServerConnection = 10.0.0.1, name:NetXMS Server


If you are interested, the relevant code is in the file src/agent/core/cng_engine.cpp, function MatchWindowsStoreCertificate.

Best regards,
Victor
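
A configuration check for the matching-string format described in the post above, as an added example that is not part of the thread and is not NetXMS code. It flags ServerConnection lines whose certificate field lacks one of the listed selectors or passes a template name where an OID is expected. The function names, the exact-case selector comparison, the lack of handling for a trailing password field, and the sample config (including its OID) are assumptions constructed for illustration.

```python
import re

# Selectors exactly as listed in the post above; exact-case matching is an assumption.
SELECTORS = {"name", "email", "subject", "template", "cn", "org", "deviceSerial"}
OID_RE = re.compile(r"^[0-2](\.\d+)+$")  # dotted-decimal OID


def check_line(line):
    """Return a list of findings for a ServerConnection line, or None for other lines."""
    key, sep, rest = line.partition("=")
    if not sep or key.strip() != "ServerConnection":
        return None
    # Everything after the first comma is treated as the matching string
    # (assumption: a trailing password field is not handled here).
    _address, _, match = (part.strip() for part in rest.partition(","))
    if not match:
        return ["no certificate matching string configured"]
    # Split on the first ':' only, so values may themselves contain colons.
    selector, colon, value = match.partition(":")
    selector, value = selector.strip(), value.strip()
    if not colon or selector not in SELECTORS:
        return [f"'{match}' does not start with a known selector"]
    if not value:
        return [f"selector '{selector}' has an empty value"]
    if selector == "template" and not OID_RE.match(value):
        return [f"template selector expects an OID, got '{value}'"]
    return []


def audit(config_text):
    """Return {line_number: findings} for ServerConnection lines with problems."""
    report = {}
    for number, line in enumerate(config_text.splitlines(), start=1):
        findings = check_line(line)
        if findings:
            report[number] = findings
    return report


# Constructed sample agent configuration (addresses and OID are made up).
SAMPLE = """\
MasterServers = 10.0.0.1
ServerConnection = 10.0.0.1, name:NetXMS Server
ServerConnection = 10.0.0.2, template:ADCSTemplNetXMS
ServerConnection = 10.0.0.3, template:1.3.6.1.4.1.311.21.8.1.2.3
ServerConnection = 10.0.0.4, ADCSTemplNetXMS
"""

if __name__ == "__main__":
    for number, findings in audit(SAMPLE).items():
        print(f"line {number}: {'; '.join(findings)}")
```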