All Places > Snow Product Hub > General Licensing Forums > Blog > Author: detlev.eufinger2

Background

In the past, we had no way to decrypt our own inventory files (*.snowpack).

Being able to do so is useful for customers with specific security requirements.

Previous Solution:

By default, the Snow Inventory Agent uses a standard key to encrypt (*.snowpack) files.

This key is hard-coded in both the Snow Inventory Agent (for encryption) and the Snow Inventory Server (for decryption). Because the same key ships with every installation, it provides no customer-specific protection of the inventory data.

All customers had to contact Snow Support to decrypt their own inventory files.

This was very time consuming.

New Solution:

Snow has now made it possible to create your own encryption keys.


How does it work?

With the tool AESKEYGEN, you can create your own custom crypto keys for a certain agent or group of computers. The tool creates a key file that must be copied to a folder on the Inventory Server as well as to a folder on each computer to be inventoried. The file is named <fingerprint>.cryptkey.

Run aeskeygen.exe <Path> to create your own crypto key.

The tool displays the result (the generated key file and its fingerprint).

Use the following setting in the configuration file of the Inventory Server (snowserver.config) to specify the folder where the crypto keys are located:

To specify the fingerprint of the crypto key to use for snowpack encryption, and the folder where it is located, use the following settings in the configuration file of the agent (snowagent.config):

Deploy your agent together with the crypto key you created.

With the tool SNOWPACK-UTIL, you can decrypt (*.snowpack) files that were encrypted with your custom key.

Use it with the following options:

The unpack command decrypts the file and unpacks its content to a sub-folder of the current folder. To unpack the content, use the following syntax:

The pack command generates a new snowpack file from the content of a specified folder and encrypts it with the key identified by the fingerprint of your custom key.

To generate a file, use the following syntax:


 

Note1:

Both tools can be ordered from Snow Support.

Note2:

The encryption is AES with a 128-bit key.

Note3:

The tools cannot handle .inv files.

Note4:

snowpack-util cannot decrypt files that were encrypted with the default (hard-coded) key.

Note5:

The standard Snow encryption and decryption continues to work unchanged.
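The following Python model of the key workflow above is an added example for this post; it is not Snow's tooling or file format. It shows the part that matters for security: the key file is named by its fingerprint, the fingerprint travels in clear in the pack header, and the receiving side can only open a pack whose fingerprint is present in its key folder (the same situation Note4 describes for the default key). Python's standard library has no AES, so the keystream is produced with HMAC-SHA256 in counter mode and the pack is authenticated with a second HMAC (encrypt-then-MAC); the 16-byte key length matches AES-128 from Note2, while the fingerprint derivation (hex SHA-256 of the raw key) and the header layout are assumptions made for this example.

```python
"""Fingerprint-addressed key store for encrypted inventory packs (added example).

Not Snow's tooling or file format. HMAC-SHA256 in counter mode stands in for
AES because the Python standard library has no AES; the key-handling logic is
the point. Assumptions: fingerprint = hex SHA-256 of the raw key, header =
MAGIC + fingerprint bytes + nonce.
"""
import hashlib
import hmac
import os
import secrets
import struct

KEY_LEN = 16                       # 128-bit key, as in Note2
MAGIC = b"PACKv1"                  # hypothetical header tag for this example
FP_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def fingerprint(key: bytes) -> str:
    """Assumed scheme: hex SHA-256 of the raw key. The fingerprint is public and names the key file."""
    return hashlib.sha256(key).hexdigest()


def generate_key(key_dir: str) -> str:
    """Counterpart of 'aeskeygen.exe <Path>': write <fingerprint>.cryptkey into key_dir, return the fingerprint."""
    key = secrets.token_bytes(KEY_LEN)
    fp = fingerprint(key)
    path = os.path.join(key_dir, f"{fp}.cryptkey")
    # The key file is the whole secret: create it owner-only and never overwrite an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return fp


def load_key(key_dir: str, fp: str) -> bytes:
    """Look a key up by fingerprint (the key folder on server or endpoint) and check the file really holds that key."""
    path = os.path.join(key_dir, f"{fp}.cryptkey")
    if not os.path.isfile(path):
        raise KeyError(f"no key with fingerprint {fp} in {key_dir}")
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) != KEY_LEN or fingerprint(key) != fp:
        raise ValueError(f"{path}: content does not match its fingerprint (corrupt or swapped key file)")
    return key


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from the stored key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def pack(key_dir: str, fp: str, payload: bytes) -> bytes:
    """Counterpart of 'snowpack-util pack': encrypt payload under the key named by fp.
    The fingerprint is stored in clear in the header so the receiver knows which key file to use."""
    enc_key, mac_key = _subkeys(load_key(key_dir, fp))
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    header = MAGIC + bytes.fromhex(fp) + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unpack(key_dir: str, blob: bytes) -> bytes:
    """Counterpart of 'snowpack-util unpack': read the fingerprint, fetch the key, verify the tag, then decrypt.
    A pack whose fingerprint is absent from key_dir cannot be opened at all (compare Note4)."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + FP_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("not a pack file")
    off = len(MAGIC)
    fp = blob[off:off + FP_LEN].hex()
    nonce = blob[off + FP_LEN:off + FP_LEN + NONCE_LEN]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(load_key(key_dir, fp))
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: pack was modified or encrypted under a different key")
    ct = body[off + FP_LEN + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    import tempfile
    server_keys = tempfile.mkdtemp()
    fp = generate_key(server_keys)
    blob = pack(server_keys, fp, b"<inventory>constructed sample</inventory>")
    print(fp, unpack(server_keys, blob))
```

Two practical points follow from the model: every endpoint that receives a .cryptkey file can decrypt every pack made with that key, so keying per agent group (as the tool allows) limits the blast radius of a lost endpoint, and the key folder on the server should be readable only by the Inventory Server account.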

Background

Snow is implementing more and more microservices in Snow License Manager and Snow Inventory.

The first was the Oracle Middleware Scanner, which uses the Snow Oracle Service.

This service transports the delivered JSON blob from the Snow Inventory Server to Snow License Manager.

Snow Integration Manager 5.15 also works partially with this new function, and a dedicated microservice is planned. Today, the new method of collecting data only stores the JSON blob data in the Snow Inventory Database.

Previous Solution:

Previously, the data transfer from the Snow Inventory Server to Snow License Manager depended exclusively on the DUJ (Data Update Job). This could be a problem for time-critical data, as the job ran only once a day.

New Solution:

Dynamic Inventory allows any kind of data to be sent from Snow Agents or Snow Integration Manager and stored in the Snow Inventory Database. It collects and sends the data as JSON blobs.

How does it work?

With Dynamic Inventory, additional elements are added to the snowpack. They are not bound to any specific schema, as long as they are JSON formatted.

All JSON blob data is stored in the Snow Inventory Database.

Dynamic inventory data always comes in pairs:

One record with the metadata

One record with the JSON data

The metadata is important to understand the source, the scan date and DaysToRetain, i.e. how long the data should be stored before it is cleaned out.

You can query the JSON data with SQL Server Management Studio.

The '$' sign denotes the top level of your JSON data blob, and the timestamp is used to distinguish the data records.

 

 

The column "type" is important. It holds the JSON type of each value (these are the type codes reported by the OPENJSON function, see Note2):

Type 0    Null value
Type 1    String value
Type 2    Double-precision floating-point (number) value
Type 3    Boolean (true/false) value
Type 4    Array value
Type 5    Object value

 

When you have an array value in your JSON data, you can drill down into it.

We have two entries in our array, so we can use

$.KeyProtector[0] for the first entry of the array

and $.KeyProtector[1] for the second entry of the array.

If further arrays occur in nested form, they are recognizable by type 4 in the type column.

You can also query one specific entry, such as the RecoveryPassword. Keep in mind that such a value is stored in the inventory database in readable form (Base64 on the agent side is an encoding, not encryption), so restrict read access to these tables accordingly.
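The drill-down above can be tried without a database. The Python below is an added example written for this post, not Snow's code: it flattens a decoded JSON blob into the same (path, key, value, type) rows that the OPENJSON queries return, using the type codes from the table above, and resolves a path such as $.KeyProtector[1].RecoveryPassword the way JSON_VALUE does on the server. The BitLocker-like sample blob is constructed for the example and is not real data; the path quoting rule for keys that are not plain identifiers ($."key name") follows SQL Server's JSON path syntax.

```python
"""Flatten a Dynamic Inventory JSON blob into (path, key, value, type) rows (added example, not Snow's code).

'$' is the top level, '[n]' indexes an array element, and the type codes are the
ones from the table in the post. SAMPLE_BLOB is constructed for this example.
"""
import json
import re

# Type codes as in the table above (what OPENJSON reports in its "type" column).
T_NULL, T_STRING, T_NUMBER, T_BOOL, T_ARRAY, T_OBJECT = 0, 1, 2, 3, 4, 5

SAMPLE_BLOB = json.loads("""
{
  "MountPoint": "C:",
  "ProtectionStatus": 1,
  "EncryptionPercentage": 100.0,
  "AutoUnlockEnabled": false,
  "Comment": null,
  "KeyProtector": [
    {"KeyProtectorType": "Tpm", "KeyProtectorId": "{constructed-id-0}", "RecoveryPassword": null},
    {"KeyProtectorType": "RecoveryPassword", "KeyProtectorId": "{constructed-id-1}",
     "RecoveryPassword": "111111-222222-333333-444444-555555-666666-777777-888888"}
  ]
}
""")


def json_type(value) -> int:
    """Map a decoded JSON value to the numeric type code used in the type column."""
    if value is None:
        return T_NULL
    if isinstance(value, bool):          # checked before int: bool is a subclass of int in Python
        return T_BOOL
    if isinstance(value, str):
        return T_STRING
    if isinstance(value, (int, float)):
        return T_NUMBER
    if isinstance(value, list):
        return T_ARRAY
    if isinstance(value, dict):
        return T_OBJECT
    raise TypeError(f"not a JSON value: {type(value).__name__}")


def _child_path(path: str, key) -> str:
    if isinstance(key, int):
        return f"{path}[{key}]"
    # SQL Server JSON paths quote keys that are not plain identifiers: $."key name"
    return f"{path}.{key}" if re.fullmatch(r"[A-Za-z_]\w*", key) else f'{path}."{key}"'


def flatten(value, path: str = "$"):
    """Yield one (path, key, value, type) row per element, recursing into arrays and objects.
    Rows of type T_ARRAY (4) mark the places where you can drill down further."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        items = ()
    for key, child in items:
        child_path = _child_path(path, key)
        yield child_path, str(key), child, json_type(child)
        if isinstance(child, (dict, list)):
            yield from flatten(child, child_path)


_TOKEN = re.compile(r'\.("([^"]*)"|([A-Za-z_]\w*))|\[(\d+)\]')


def lookup(doc, path: str):
    """Resolve a path such as $.KeyProtector[1].RecoveryPassword against the decoded blob
    (what JSON_VALUE / JSON_QUERY do on the server). Raises KeyError/IndexError if it does not exist."""
    if not path.startswith("$"):
        raise ValueError("path must start with $")
    pos, node = 1, doc
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"bad path syntax at offset {pos}: {path!r}")
        if m.group(4) is not None:
            node = node[int(m.group(4))]
        else:
            node = node[m.group(2) if m.group(2) is not None else m.group(3)]
        pos = m.end()
    return node


def array_paths(doc):
    """All paths holding an array value (type 4): the nested tables you can expand."""
    return [p for p, _k, _v, t in flatten(doc) if t == T_ARRAY]


if __name__ == "__main__":
    for row in flatten(SAMPLE_BLOB):
        print(row)
    print(lookup(SAMPLE_BLOB, "$.KeyProtector[1].RecoveryPassword"))
```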

 

 

 

From this point on, a separate process is needed to transfer some of this data to, for example, a custom field in Snow License Manager or to other systems.

Note1:

This is necessary because there is no dedicated service for this data like the Snow Oracle Service.

Note2:

The OPENJSON function is available only under compatibility level 130 or higher. If your database compatibility level is lower than 130, SQL Server cannot find and run the OPENJSON function. The other JSON functions are available at all compatibility levels.

Background

You want to collect additional data that cannot be collected using the standard scanning capabilities of the Snow agent.

Previous Solution:

With Snow Inventory version 3 and version 5, Snow offered the possibility in the Windows client/agent to run PowerShell scripts to capture additional data.

These scripts were executed exclusively by the Windows agent or client. Platforms like Linux, Unix or macOS were not covered by this PowerShell solution.

New Solution:

Snow Inventory 6 enables additional data to be captured independently of the platform it is executed on. This new capability is called "Snow Dynamic Inventory".

How does it work?

Since this functionality is only available in Snow Inventory version 6 and higher, you need to upgrade to this version to use it. Besides that, you also need Snow Agent version 6 running on each of the platforms in your IT estate.

 

Step 1

Create your own script to capture your specific data. The scripting language does not matter; use the one you know best.

Guidelines for your own scripts:

  • The script name cannot be longer than 100 characters.
  • No spaces in the filename.
  • The script itself can be placed anywhere.

Naming examples:

Scan-FilevaultEnabled.sh

Scan-BitLockerStatus.ps1

Scan-Whatever.bat

  • The data that you want to collect has to be in valid JSON format and Base64 encoded.
  • Write the result to the designated output folder, using the script name as the destination.

OS         Output path

Unix       /var/tmp/SnowSoftware/Inventory/Agent/script-output/ + ScriptName/
MacOS      /Users/Shared/SnowSoftware/Inventory/Agent/script-output/ + ScriptName/
Windows    %ProgramData%\SnowSoftware\Inventory\Agent\script-output\ + ScriptName\
Linux      /var/run/SnowSoftware/Inventory/Agent/script-output/ + ScriptName/


Step 2

Create and maintain a log file in the output folder named ScriptName.log.

Maintaining it includes handling the lifecycle of the log file, i.e. deleting and/or overwriting it between runs.

Step 3

Create a metadata file along with the script output, called metadata.json.

The following tags must be included:

Name                     Description

ScriptName               used by the server to separate JSON blobs in the database table
ScriptRunUTCTimeStamp    time in UTC when the script ran
DaysToRetain             used by the server to determine how many days the data should be kept in the database before being cleaned out by the garbage collector

The server parses this information and uses it when storing the data in the database.

Example of metadata.json file

 

 

Step 4

Schedule your own script to run!

Note:

Steps 1 to 3 are all handled within your script itself.

All output data is Base64 encoded (an encoding, not encryption; the content remains readable to anyone who can access the file).

After your regular Snow Agent scan has run, all output files are collected and deleted.
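The Python script below is an added example of Steps 1 to 3 in one file; it is written for this post and is not a Snow-supplied script. It writes the Base64-encoded JSON payload, metadata.json and ScriptName.log into the per-OS output folder from the table above, and enforces the naming guidelines. Assumptions made here: the data file inside the sub-folder is named after the script, the UTC timestamp is written in ISO 8601 form, and the collected data is a constructed sample (a real script would call e.g. manage-bde or diskutil at that point).

```python
"""Produce Dynamic Inventory script output (added example, not a Snow-supplied script).

Steps 1 to 3 of the post in one script: JSON payload, Base64-encoded, written to
the per-OS output folder under a sub-folder named after the script, plus
metadata.json and ScriptName.log. Assumed: the data file is named after the
script and the timestamp is ISO 8601; collect() returns constructed sample data.
"""
import base64
import json
import os
import re
import sys
from datetime import datetime, timezone
from typing import Optional

SCRIPT_NAME = "Scan-BitLockerStatus.py"
DAYS_TO_RETAIN = 30

# Output roots from the table in the post, keyed by the platform names it uses.
OUTPUT_ROOTS = {
    "Unix":    "/var/tmp/SnowSoftware/Inventory/Agent/script-output",
    "MacOS":   "/Users/Shared/SnowSoftware/Inventory/Agent/script-output",
    "Windows": os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                            "SnowSoftware", "Inventory", "Agent", "script-output"),
    "Linux":   "/var/run/SnowSoftware/Inventory/Agent/script-output",
}


def validate_script_name(name: str) -> str:
    """Enforce the naming guidelines: at most 100 characters, no spaces."""
    if len(name) > 100:
        raise ValueError("script name longer than 100 characters")
    if re.search(r"\s", name):
        raise ValueError("script name must not contain spaces")
    return name


def detect_platform() -> str:
    """Map sys.platform to the platform names used in the output path table."""
    if sys.platform.startswith("win"):
        return "Windows"
    if sys.platform == "darwin":
        return "MacOS"
    if sys.platform.startswith("linux"):
        return "Linux"
    return "Unix"


def collect() -> dict:
    """Constructed sample data standing in for a real collector (e.g. manage-bde output)."""
    return {"MountPoint": "C:", "ProtectionStatus": 1, "KeyProtector": [{"KeyProtectorType": "Tpm"}]}


def write_output(data: dict, script_name: str = SCRIPT_NAME, days_to_retain: int = DAYS_TO_RETAIN,
                 root: Optional[str] = None, now: Optional[datetime] = None) -> dict:
    """Write <root>/<script_name>/{script_name, metadata.json, script_name.log}; return the metadata."""
    validate_script_name(script_name)
    root = root or OUTPUT_ROOTS[detect_platform()]
    now = now or datetime.now(timezone.utc)
    out_dir = os.path.join(root, script_name)
    os.makedirs(out_dir, exist_ok=True)

    # Base64 is the encoding the agent expects, not encryption: the content stays readable.
    payload = base64.b64encode(json.dumps(data, separators=(",", ":")).encode("utf-8"))
    with open(os.path.join(out_dir, script_name), "wb") as fh:
        fh.write(payload)

    # Step 3: the three mandatory tags from the post (timestamp format is an assumption).
    metadata = {
        "ScriptName": script_name,
        "ScriptRunUTCTimeStamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "DaysToRetain": days_to_retain,
    }
    with open(os.path.join(out_dir, "metadata.json"), "w", encoding="utf-8") as fh:
        json.dump(metadata, fh)

    # Step 2: the script owns the log file; overwrite it on every run so it cannot grow unbounded.
    with open(os.path.join(out_dir, script_name + ".log"), "w", encoding="utf-8") as fh:
        fh.write(f"{metadata['ScriptRunUTCTimeStamp']} wrote {len(payload)} bytes of Base64 JSON\n")
    return metadata


def read_back(root: str, script_name: str) -> dict:
    """What the server effectively does with the file: decode the Base64 and parse the JSON."""
    with open(os.path.join(root, script_name, script_name), "rb") as fh:
        return json.loads(base64.b64decode(fh.read()))


if __name__ == "__main__":
    print(json.dumps(write_output(collect()), indent=2))
```

Because the output folder is world-visible on several platforms (/var/tmp, /Users/Shared), do not put secrets such as recovery passwords there unless the folder permissions have been checked; the agent collects and deletes the files after the next scan, but they are plain Base64 until then.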

 

You can find your collected data in the Inventory Database:

 

 

Example for Shell Script: