License Server TLS & Certificate

- April 5, 2023 at 6:51 pm
  
  ijdavis
  Subscriber
  
  We're running a network license server on a Windows machine and our security scanner is complaining that Ansys is using an unsupported certificate and is also using TLS 1.0. I'd like to be able to either ack these vulnerabilities with a "vendor says it's not an issue" or, perferably, fix them. Is there a way to use a signed cert for the Ansys license server? Is there a way to increase the TLS version to 1.2+?
- April 6, 2023 at 12:37 pm
  
  Rob
  Forum Moderator
  
  If you log onto the Customer Portal there's a section https://download.ansys.com/others/software_security_alerts with further details.
- April 6, 2023 at 12:52 pm
  
  ijdavis
  Subscriber
  
  Thanks for the link, that will definitely be helpful to know about moving forward. It looks like there are no entries there for TLS or certificate issues though. Is there any documentation for those?
- April 6, 2023 at 1:51 pm
  
  Rob
  Forum Moderator
  
  I can't comment beyond what's there, I'll kick the product team as it may be a recent issue that needs addressing.
- May 31, 2023 at 1:15 pm
  
  ijdavis
  Subscriber
  
  Hi Rob, any updates from the product team about TLS versioning?
- May 31, 2023 at 1:33 pm
  
  Rob
  Forum Moderator
  
  Not that I'm aware of. I'll remind the Forum managers.
- June 8, 2023 at 2:03 pm
  ANSYS_MMadore
  Ansys Employee
  You may add this keyword to the license server's ansyslmd.ini file.
  ANSYSLI_TLS_VERSION=1.2
  Description: This keyword allows you to disable previous versions of TLS and enable TLS version 1.2 for communication.
  Default value/range: 1.2
  Corresponding command argument: -ali_tls_version
  Use in combination with these ansyslmd.ini keywords: N/A
  Hardware platform restrictions: N/A
  Action required to make keyword active: Reread or stop and restart the Licensing Interconnect
  Example: This example enables TLS version 1.2.
```
ANSYSLI_TLS_VERSION=1.2
```
- June 8, 2023 at 3:52 pm
  
  ijdavis
  Subscriber
  
  Thanks for the info! Where can I find the ansyslmd.ini in the Windows folder heirarchy? I looked for .ini files and didn't see one.
  - November 8, 2023 at 2:37 pm
    xcfje
    Subscriber
    Did you manage to solve this?
    We have partly same issue, as our vulnerability scanning detects a client port exposing a SHA1 root certificate, and we were also suggested to change ciphers (shrug)
    
    Subject : O='ANSYS Inc'/C=US/ST=PA/L=Canonsburg/CN='ANSYS Licensing Authority Certificate'
    Signature Algorithm : SHA-1 With RSA Encryption
    Valid From : Oct 22 10:08:06 2008 GMT
    Valid To : Oct 10 10:08:06 2058 GMT
    
    Also what puzzles me is that is not on the license server, but the workstation that runs ANSYS...
    - November 8, 2023 at 4:46 pm
      
      ijdavis
      Subscriber
      
      We never ended up getting a solution for this, we just accepted the risk. It would be great if we could either enter our own signed cert or have Ansys provide a cert signed by a root CA but I'm not sure it's high priority for them.
- June 8, 2023 at 3:53 pm
  
  ANSYS_MMadore
  Ansys Employee
  
  C:\Program Files\Ansys Inc\Shared Files\Licensing. If one doesn't exist, you can create one.
- September 6, 2023 at 3:27 pm
  
  ijdavis
  Subscriber
  
  Is there a way to set up a signed cert for the ansysli server that listens on 2325? We can request our own cert but I'm not seeing an obvious way to tell the server to use that instead.