Agent Tunnels - Node Binding/Matching by Certificate Attribute

Started by Staj, November 26, 2020, 05:26:20 PM


Staj

It would be useful to have additional agent tunnel node binding actions based on an attribute of a verified agent certificate (eg: Common Name, Subject, SAN, arbitrary OID etc. against node name, node IP etc.) such as "Bind tunnel to existing node using certificate" and "Bind tunnel to existing node or create new node".

With Windows Agents now able to access client certificates using the System Certificate Store (CAPI CNG), this would close the loop at the server and allow for semi-or-fully automated TLS setups for NetXMS nodes, depending on user requirements.

One could use ADCS to make a NetXMS Agent Certificate Template that has a CA-decided attribute which allows for node matching, configure a GPO to enable certificate auto-enrolment using the Certificate Services Client on Windows devices to obtain said ADCS issued certificate. The NetXMS Agent certificate is presented to NetXMS server by the agent upon initial connection, the NetXMS server verifies it and, upon successful verification, matches the agent to a node utilising value(s) from the verified certificate, presented by the agent, either for existing nodes only or even automating node creation as well.

It would be important to consider certificate renewal scenarios though such as when new, but still verified and valid, certificates are presented by an agent to the server for a matching node that was already matched to the same agent but with an older certificate.
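As an added illustration of the binding and renewal logic proposed above (example code written for this thread, not part of NetXMS and not the poster's code), the sketch below takes the attributes of an agent certificate that has already passed chain verification and resolves it to a node. The `VerifiedCert`, `Node` and `bind_tunnel` names, the issuer string and the node inventory are all constructed for the example; the matching order (SAN DNS names and CN against node name, then SAN IP against primary IP) is one possible policy, not a statement of how NetXMS behaves. It also handles the renewal case from the post: a node that is already bound to an older certificate accepts a newer one only from the same issuer, refuses a replay of the superseded certificate, and refuses to bind when more than one node matches, since an ambiguous match should never silently rebind a tunnel.

```python
"""Certificate-attribute node binding for an agent tunnel (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class VerifiedCert:
    """Attributes of an agent certificate whose chain was already verified elsewhere."""
    serial: str
    issuer: str
    subject_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: tuple = ()
    san_ip: tuple = ()


@dataclass
class Node:
    node_id: int
    name: str
    primary_ip: str
    bound_cert: Optional[VerifiedCert] = None  # certificate currently bound to the tunnel


class BindError(Exception):
    """Raised when the certificate cannot be bound to exactly one node."""


# Constructed issuer name used by all sample certificates below.
CA = "CN=Example Corp Issuing CA"


def ts(year, month, day):
    """Helper for tz-aware timestamps in the samples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def sample_nodes():
    """Constructed node inventory standing in for the server's node table."""
    return [Node(1, "srv01.example.internal", "10.0.0.11"),
            Node(2, "srv02.example.internal", "10.0.0.12")]


def _cert_names(cert):
    names = {n.lower() for n in cert.san_dns}
    if cert.subject_cn:
        names.add(cert.subject_cn.lower())
    return names


def find_node(nodes, cert):
    """Match by SAN DNS / CN against node name first, then SAN IP against primary IP."""
    names = _cert_names(cert)
    matches = [n for n in nodes if n.name.lower() in names]
    if not matches:
        ips = {ipaddress.ip_address(i) for i in cert.san_ip}
        matches = [n for n in nodes if ipaddress.ip_address(n.primary_ip) in ips]
    if len(matches) > 1:
        # Ambiguity is a configuration problem; never pick one arbitrarily.
        raise BindError("certificate matches more than one node: "
                        + ", ".join(n.name for n in matches))
    return matches[0] if matches else None


def bind_tunnel(nodes, cert, now, create_missing=False):
    """Bind a verified certificate to a node, optionally creating the node.

    Renewal rule: a node already bound to a different serial accepts the new
    certificate only if it comes from the same issuer and is not older than
    the one currently bound (so a superseded certificate cannot be replayed).
    """
    if not (cert.not_before <= now <= cert.not_after):
        raise BindError("certificate outside its validity period")
    node = find_node(nodes, cert)
    if node is None:
        if not create_missing:
            raise BindError("no node matches the certificate")
        name = cert.san_dns[0] if cert.san_dns else cert.subject_cn
        ip = cert.san_ip[0] if cert.san_ip else "0.0.0.0"
        node = Node(max((n.node_id for n in nodes), default=0) + 1, name, ip)
        nodes.append(node)
    old = node.bound_cert
    if old is not None and old.serial != cert.serial:
        if old.issuer != cert.issuer:
            raise BindError("issuer differs from the certificate already bound to the node")
        if cert.not_before < old.not_before:
            raise BindError("presented certificate is older than the one bound to the node")
    node.bound_cert = cert
    return node


if __name__ == "__main__":
    inventory = sample_nodes()
    now = ts(2021, 3, 1)
    first = VerifiedCert("01", CA, "srv01.example.internal", ts(2020, 11, 1), ts(2021, 11, 1),
                         ("srv01.example.internal",), ("10.0.0.11",))
    print("bound to node", bind_tunnel(inventory, first, now).node_id)
    renewed = VerifiedCert("02", CA, "srv01.example.internal", ts(2021, 2, 1), ts(2022, 2, 1),
                           ("srv01.example.internal",))
    print("renewed, serial now", bind_tunnel(inventory, renewed, now).bound_cert.serial)
```

Whether the presented certificate is currently valid is checked here against the server clock; revocation checking (CRL/OCSP) belongs in the chain-verification step that this sketch assumes has already run.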