Tech Support Documentation for Inventu Viewer

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: Common Technical Support Situations

TLS/SSPI Configuration

TLS connections to Host systems utilizes the Windows SSPI Encryption framework. This is a very efficient and high-performance option due to the internal tuning by Microsoft.

There are a few settings you can control by editing the SSPI configuration file found in the installation folder:

c:\program files\inventu\viewer\SSPI

--or--

c:\program files\flynet\viewer\SSPI

(servers with original installations prior to 2020)

While different hosts can have different configurations by naming a .CFG file by the host name, the default.cfg file will generally be what you edit to control your SSPI/TLS connections.

Highlighted is a line that you may have configured differently, but is recommended to be left commented so that the TLS level selected is the highest supported by the connecting host.

Please read the comments in the file if there are other configuration options you feel are necessary such as a Client Certificate, which is configured with this file.

Sample default.cfg

# This is the default Inventu SSPI SChannel SSL/TLS Host Configuration file

# you can change the values in this file for all hosts or create a unique

# file for each host using SSH by naming the file [hostname].cfg

# The Inventu Windows SSPI/SCHANNEL Support will search first for the file with the hostname then use this file (default)

# Note that this file expects each line to contain one = (equals sign) separating a name from its setting.

# Settings use optional quotations using the apostrophe (') or double quote (") which should match.

# Use quotes to include spaces at the beginning or end of a setting.

# Supported standard Escapes are \r = carriage return (13), \n = new line (10) and \t = tab (9)

# To include the host name in a prompt, include a %s token and this will act to pull-in the host name

# Setting names are not case sensitive...

#### protocol ###################

# SSL Requested Protocol, if omitted, the Windows SChannel support will select the highest available

# ssl3 = SSL Version 3

# tls1 = TLS Version 1.0

# tls1_1 = TLS Version 1.1

# tls1_2 = TLS Version 1.2

# tls1_3 = TLS Version 1.3

#protocol = tls1_2 #Experience has shown more hosts without intervention work when no protocol is explicitly set

#### serverauthentication ########

# Logic to Authenticate the Server Certificate- certonly is good for testing with self-generated certs

# none = Do no authentication of the certificate

# certonly = Authenticate the certificate but not the central issuing authority

# full = Do full authentication including chain and issuing authority

serverauthentication = none

#### Client Identification #####

# certstore default is MY (Personal)

# You can set it to that or CA (Intermediate Certification Authorities), ROOT (Trusted Root Certification Authorities), Trust (Enterprise Trust)

# or AddressBook (Other People).

# certstore = MY

##### Can use certsubject and include a string found in the certificate subject (be careful to be unique)

##### ---Or--- CertFriendlyName if you have assigned a friendly name to a certificate

# certsubject = My Company Certificate

# CertFriendlyName = CompanyCert

#### DCAS Configuration #####

# For DCAS single signon, if your host supports DCAS tickets the following entries are used to configure DCAS

# each entry is like the above entries with "dcas" as a prefix

#####

#dcasprotocol= tls1_2

#dcasserveraddress = dcasserver.myco.com

#dcasserverport = 8990

#dcascertstore = MY

#dcascertfriendlyname = OurDCASCert

#dcascertsubject = My DCAS Certificate