Knowledgebase
ThinLinX Support > ThinLinX Help Desk > Knowledgebase

Search help:


How can I protect clients from rogue/unauthorized TMS servers?

Solution

Starting from TMS/tms-client 8.3.0, it is possible to use your own Public Key Infrastructure for TMS and tms_client.  This is useful in order to prevent unauthorized TMS instances from reconfiguring your clients.

However, caution must be taken not to lock yourself out of your clients.  We recommend that to transition to a private PKI, you set up a new TMS server for this and gradually switch your clients over to it, rather than attempt to convert a single instance of TMS and all of its clients at the same time.  I'll refer to these below as TMS Server A (server being phased out) and TMS Server B (server using private PKI).

You will need three certificate files, all in text (PEM/Base64) rather than binary (DER/PFX/P12) format.  The files must be named exactly as follows:

  1. tms.crt - the public key of the certificate the TMS server will use.
  2. tms.key - the unencrypted private key of the certificate the TMS server will use.
  3. tms-ca.crt - the public key of the certificate authority that signed the certificate the TMS server will use.

The private key can be decrypted on TLXOS (or any Unix-like O/S) using a command of the form "openssl rsa -in tms_enc.key -out tms.key" and then entering the private key passphrase.

tms.crt and tms.key must be placed in the following locations on TMS Server B, depending on what platform you are running TMS on:

  • Windows: both files go in "C:\Program Files (x86)\ThinLinX Management Software", or "C:\Program Files\ThinLinX Management Software" on 32-bit Windows editions.
  • deb-based Linux (e.g. Debian/Ubuntu): tms.crt goes in /etc/ssl/certs, tms.key goes in /etc/ssl/private.  Permissions on /etc/ssl/private may need to be relaxed to at least rxw--x--x (0711) to allow TMServer to access the tms.key file when running as an unprivileged user.
  • rpm-based Linux (e.g. CentOS/Red Hat): tms.crt goes in /etc/pki/tls/certs, tms.key goes in /etc/pki/tls/private.

If running, exit and restart TMS Server B after making these changes.

tms-ca.crt must be installed on your TLXOS clients using TMS Server A's "File->Install File" option or from removable media plugged into the client using the equivalent Tlxconfig controls.  If TMS servers A and B are not on the same IP subnet, you will also need to use "Device->Network Configuration->Configure TMS Discovery" to reconfigure the client to connect to TMS Server B (at least until you have a TMS beacon set up).  The client must then be rebooted.

When it comes back up, the client will refuse to connect to TMS Server A, and will only connect to TMS Server B.  If you make a mistake and the client will no longer connect to any TMS server, you will have to use Tlxconfig to either reset it to defaults, or to reinstall the correct tms-ca.crt file from removable media (you can install /actualroot/etc/ssl/certs/tms-ca.crt to restore default behavior and allow connection to TMS Server A once again).

Please note that the tms_client->TMS connection does not perform any DNS-hostname-must-match validation of the TMS server certificate's cn or subjectAltName attributes.  We have to omit checks of this sort because the broadcast TMS discovery method uses IP addresses, not hostnames.  When the TMS server uses our default self-signed certificate (which we cannot change without breaking backward compatibility), tms_client must also trust the certificate regardless of the TMS server's hostname.

Please note also that if your clients rely on broadcast-based discovery, TMS servers with the default certificate, or TMS beacons pointing at such a server, could still be used as a Denial of Service mechanism.  If you are concerned about the possibility of TMS DoS attacks, do not allow your clients to use - or fall through to - the UDP broadcast TMS discovery method.

Related articles Why is my CA certificate not recognized/trusted?
OpenVPN support limitations
How client devices locate a TMS server
I am getting "SSL handshake error" when trying to install licenses using TMS. How do I fix this?
TMS 8.3.0
Article details
Article ID: 73
Category: Frequently Asked Questions
Date added: 2021-05-16 23:26:50
Views: 160

 
« Go back