Security of Collection Folders

This section contains security-related topics that you need to consider while using the Asset Collector.
Protect the Collection Folders
The Asset Collector collects the inventory files from the folders configured in the Collection Folders policy. We recommend that you secure these folders using operating system security so that only authorized users have the rights to create, modify, or delete the files from the folders.
Digitally Signed Inventory Files
The Asset Collector can use a Public Key Infrastructure (PKI) signing process to ensure that the creator of the file is trustworthy.
How the Digitally Signed Inventory Files Are Verified
The following process explains how the digitally signed inventory files are handled.
  1. The administrator creates the certificate, installs it on the machine where the inventory files will be signed, and installs the public key on the Asset Collector where the signature will be verified.
  2. The inventory file is signed using the invsign.exe tool.
    For more information, see invSign -- Sign, Verify, or Unsign an Inventory File.
  3. The inventory file is delivered to the Asset Collector collection folder, where the Asset Collector validates the signature using the previously installed public key.
Do not modify a signed file, because doing so corrupts the binary data that makes up the signature.
The following illustration depicts this process:
Illustration: signature creation and verification
cacertutil create -- Create a Certificate
The cacertutil create command creates a certificate.
This command has the following format:
cacertutil create -o:filename -op:passphrase -s:subject -od:filename
  • -o:filename
    Specify the output filename of the certificate.
  • -op:passphrase
    Specify a passphrase to encrypt the certificate.
  • -s:subject
    Specify the subject name to whom the certificate is issued.
  • -od:filename
    Create a DER encoded file with just the public certificate.
Example: Create a Certificate
This example creates two files, AssetCollectorCert.p12 and AssetCollectorCert.der. The .der file contains only the public part of the certificate and must be copied to the Asset Collector computer where the signature is to be verified.
cacertutil create -o:c:\AssetCollectorCert.p12 -op:password -s:"CN=AssetCollector,O=Computer Associates,c=US" -od:c:\AssetCollectorCert.der
cacertutil import -- Import a Certificate
The cacertutil import command imports a certificate into the CA Client Automation comstore.
This must be done on the computer where the administrator plans to sign the inventory files, and it must be done before any signing takes place.
This command has the following format:
cacertutil import -i:filename -ip:passphrase -t:tag
  • -i:filename
    Specify the filename of the certificate to be imported.
  • -ip:passphrase
    Specify the passphrase; it is stored encrypted in comstore.
  • -t:tag
    Specify a tag name.
Use the same tag name in the -t parameter on the computers that sign the inventory files and on the computers that verify them.
Example: Import a Certificate
cacertutil import -i:C:\AssetCollectorCert.p12 -ip:password -t:AssetCollector
cacertutil import -- Import the Public Key
The cacertutil import command imports the public key on the Asset Collector server into the CA Client Automation comstore.
This command has the following format:
cacertutil import -i:filename -t:tag -it:type
  • -i:filename
    Specify the filename of the certificate to be imported.
  • -it:type
    Specify the type of certificate to be imported. Valid options are X509V3 or PKCS#12. The default is PKCS#12.
  • -t:tag
    Specify a tag name.
Example: Import the Public Key
cacertutil import -i:C:\AssetCollectorCert.der -t:AssetCollector -it:x509v3
invSign -- Sign, Verify, or Unsign an Inventory File
The invsign command is used to sign, verify, or unsign an inventory file.
The invsign command accepts files with the following extensions: .xiu files for signing, and .xis files for unsigning. The .xiu file is renamed to .xis after successfully signing and the .xis file is renamed to .xiu on a successful unsign.
This command has the following format:
invsign command xiu-or-xis-file [certificate tag]
  • Command
    Includes one of the following commands:
    • Sign
      Signs the inventory file with the given certificate tag. The signature is a binary stream of data that is appended to the end of the inventory file.
      If you open a signed inventory file, you will see unexpected characters at the end of the file. Do not open or attempt to modify a signed inventory file, because doing so may invalidate the signature and cause the Asset Collector to reject the file.
      The private key must already have been imported into the certificate store under the tag name given with the sign command; that is, a certificate must be installed in the comstore of the computer where you are signing.
    • Verify
      Verifies the signature in the inventory file.
      The public keys must be available under the same tag name as provided during the signing process.
    • Unsign
      Removes the signature from the inventory file.
  • Inventory File
    Defines the name of the inventory file that you want to sign, verify, or unsign.
  • Certificate Tag
    (Mandatory for the sign command.) Defines the certificate tag to use while signing the inventory file.
    A certificate tag is an identifier for a unique certificate; each certificate is assigned a certificate tag. The certificate tag is required only with the sign command.
Example: invSign Command
invsign sign Server1.xiu AssetCollector
invsign verify Server1.xis
invsign unsign Server1.xis
You can specify multiple files for signing, unsigning, and verifying on the invsign command line.
The format of a multi-file sign is:
invsign sign file1.xiu file2.xiu file3.xiu [certificate tag]
You can also use wildcards:
invsign sign f*.xiu [certificate tag]
Or you can use a combination of both:
invsign sign f*.xiu newComputer.xiu [certificate tag]
You can also specify multiple files and wildcards with the unsign and verify commands. With these commands, the CertificateName should not be supplied.
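The sign, verify and unsign flow described above, modelled as an added Go example rather than the invsign tool's own code: the page does not document the trailer format or signature algorithm, so this assumes an Ed25519 signature appended to the end of the file, and a generated key pair stands in for the certificate imported under a tag. It shows the .xiu/.xis renaming and why editing a signed file makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Assumed layout (the real invsign trailer is not documented on this page):
// payload || 64-byte Ed25519 signature appended at the end of the file.
var errBadSignature = errors.New("signature verification failed")

// signInventory signs a .xiu payload, appends the signature and renames the file to .xis.
func signInventory(name string, payload []byte, key ed25519.PrivateKey) (string, []byte, error) {
	if !strings.HasSuffix(name, ".xiu") {
		return "", nil, errors.New("sign expects a .xiu file")
	}
	signed := append(append([]byte{}, payload...), ed25519.Sign(key, payload)...)
	return strings.TrimSuffix(name, ".xiu") + ".xis", signed, nil
}

// verifyInventory checks the appended signature with the public key imported under the tag.
// Any change to the payload bytes (for example an editor rewriting the file) makes this fail.
func verifyInventory(signed []byte, pub ed25519.PublicKey) error {
	cut := len(signed) - ed25519.SignatureSize
	if cut < 0 || !ed25519.Verify(pub, signed[:cut], signed[cut:]) {
		return errBadSignature
	}
	return nil
}

// unsignInventory strips the signature and renames .xis back to .xiu; no key is needed.
func unsignInventory(name string, signed []byte) (string, []byte, error) {
	cut := len(signed) - ed25519.SignatureSize
	if cut < 0 || !strings.HasSuffix(name, ".xis") {
		return "", nil, errBadSignature
	}
	return strings.TrimSuffix(name, ".xis") + ".xiu", signed[:cut], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair, stands in for the tagged certificate
	name, signed, _ := signInventory("Server1.xiu", []byte("<inventory/>"), priv)
	fmt.Println(name, verifyInventory(signed, pub))
	tampered := append([]byte("<edited/>"), signed[len("<inventory/>"):]...) // edited payload, old signature
	fmt.Println(verifyInventory(tampered, pub))
}
```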