How to use F-Secure Endpoint Proxy with Software Updater
F-Secure Endpoint Proxy, also referred to as Policy Manager Proxy (PMP), is provided by F-Secure to minimize bandwidth usage while downloading updates to clients that have F-Secure Elements Agent installed.
This proxy caches software installation packages. If the PMP is not available, the clients either fall back automatically to accessing third-party vendor servers directly or do not use them; which behavior applies depends on the Software Updater settings.
To use F-Secure Endpoint Proxy together with Software Updater, you need to have a trusted certificate. We highly recommend using a commercial certificate, as it is a more secure way to establish a connection and serve the software installation packages. However, for testing purposes, you can use a self-signed certificate.
Note: Certificates come in many different formats, and this guidance assumes that you have a basic understanding of concepts such as certificate chains, Java keystores, converting certificates from one format to another, and so on. It is also possible that the certificates you purchase are not in the format expected for these instructions, in which case you might need to convert them to the expected format.
These instructions cover configuring F-Secure Endpoint Proxy using a commercial certificate as follows:
- Obtain and prepare the certificate
  - Obtain an SSL certificate from your certificate authority (CA) vendor. Make sure of the following:
    - The certificate is signed by a party trusted on all your computers.
    - The certificate is in PKCS 12 format.
      Note: This format usually has the following file extensions: *.p12 or *.pfx. It is possible to convert the certificate to PKCS 12 format; usually the party providing the certificate should be able to provide you with instructions.
  - Import the PKCS 7 certificate to the keystore with the following command:
    %JDK_HOME%/bin/keytool -importcert -alias server -keystore %PATH_TO_KEYSTORE% -file <path-to-chain-p7.pem>
    Where:
    - JDK_HOME is your Java installation directory.
    - PATH_TO_KEYSTORE is a path to the existing or new keystore.
    For example, on Windows, this command may look like the following:
    "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool" -importcert -alias server -keystore server.p12 -file mycertchain.pem
- Replace the default PM Proxy certificate
  Java applications expect all certificates to be stored in the Java keystore. New certificates can be imported using keytool, which is located in the bin directory of the Java installation.
  - Import the certificate to the keystore using the following command:
    %JDK_HOME%/bin/keytool -importkeystore -destkeystore "%FSPMS_HOME%\data\fspms.jks" -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore <MyCert.p12> -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias %ALIAS%
    Where:
    - %JDK_HOME% is your Java installation directory.
    - %FSPMS_HOME% is your PMP proxy installation directory.
    - %ALIAS% is the preferred alias for the certificate in the keystore.
    For example, on Windows, this command may look like the following:
    "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool" -importkeystore -destkeystore "C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks" -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <yourcertpassword> -srcalias server
    Existing entry alias server exists, overwrite? [no]: -> yes
- Configure your PM Proxy to use HTTPS
  - Navigate in the registry to:
    "HKLM\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server"
  - Add "-DpsbProxyMode=true" to "additional_java_args".
  - Check that "HttpsPortNum" is 443. If it isn't, change it to 443.
  - Exit the registry editor and restart the PMP proxy.
F-Secure Endpoint Proxy is now configured to work with Software Updater.
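To confirm that the steps above took effect, the following PowerShell script, run on the proxy host, checks the two registry values, the fspms keystore entry, and whether the certificate served on port 443 is trusted by the local machine. It is an added example, not F-Secure tooling: the parameter names and $ProxyHost are assumptions, and the paths are the ones used in the Windows examples on this page.

```powershell
# Added example: verifies the registry, keystore and TLS results of the steps above.
# Assumed (not from the page): $ProxyHost, the parameter names, English keytool output.
param(
    [Parameter(Mandatory)] [string] $ProxyHost,   # name clients use to reach the proxy
    [Parameter(Mandatory)] [string] $StorePass,   # keystore password given at import
    [string] $FspmsHome = 'C:\Program Files (x86)\F-Secure\Management Server 5'
)
$ok = $true
function Report([string]$Name, [bool]$Pass, [string]$Detail) {
    '{0,-4} {1}: {2}' -f $(if ($Pass) { 'PASS' } else { 'FAIL' }), $Name, $Detail
    if (-not $Pass) { $script:ok = $false }
}

# 1. Registry values set in the "Configure your PM Proxy to use HTTPS" step
$key = 'HKLM:\SOFTWARE\Wow6432Node\DataFellows\F-Secure\Management Server'
$reg = Get-ItemProperty -Path $key -ErrorAction Stop
$javaArgs = [string]$reg.additional_java_args
Report 'psbProxyMode' ($javaArgs -match '(^|\s)-DpsbProxyMode=true(\s|$)') "additional_java_args='$javaArgs'"
Report 'HttpsPortNum' ([int]$reg.HttpsPortNum -eq 443) "HttpsPortNum=$($reg.HttpsPortNum)"

# 2. The imported entry must carry a private key, not just a trusted certificate
$keytool  = Join-Path $FspmsHome 'jre\bin\keytool.exe'
$keystore = Join-Path $FspmsHome 'data\fspms.jks'
$listing  = & $keytool -list -v -keystore $keystore -storepass $StorePass -alias fspms 2>&1 | Out-String
$hasKey   = ($LASTEXITCODE -eq 0) -and ($listing -match 'Entry type:\s*PrivateKeyEntry')
Report 'keystore' $hasKey "alias fspms in $keystore"

# 3. Handshake with default validation: fails unless this machine trusts the
#    chain and the certificate matches $ProxyHost
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($ProxyHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Report 'TLS trust' $true "subject=$($cert.Subject), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
} catch {
    Report 'TLS trust' $false $_.Exception.Message
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}
if (-not $ok) { exit 1 }
```

The TLS check reflects only the trust store of the machine it runs on, so repeating step 3 from a managed client shows whether the certificate is trusted there as well.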
If you want to know more about how Software Updater works with F-Secure Endpoint Proxy, visit this help topic.