Configuring secure communication

To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication.

About this task

BigFix Inventory provides self-signed certificates by default but they are not intended for production environments. To improve security, you must create your own private key and a certificate signing request (CSR) that can be transformed into a certificate after it is signed by a certificate authority (CA). By signing your request, a CA approves your public key and certifies that the certificate can be trusted. You can have your own private CA, use the CA of your organization, or an internationally trusted CA, such as Entrust, VeriSign, etc.

The private key and the associated certificate are uploaded to BigFix Inventory. After enabling the encrypted communication, anyone who connects to your server receives a certificate that contains your public key. All successive communication that originates from the server is encrypted with your private key. After a user receives the communication, it is decrypted with the certificate that they obtained from the server. If the certificate can decrypt the communication, it is known for certain that the server is the originator of the message and that it is valid.

Starting from BigFix Platform version 10.0.8, validation of server certificates is enabled by default when content is downloaded from those servers over HTTPS.

Follow either of the ways below to generate your certificate:

If you do not have a signed certificate for the BigFix Inventory server, Catalog Download (Version: <Catalog Version>) actions fail while downloading with the following error:

HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: certificate problem: self signed certificate

Downloading error message

Temporary Workaround

It is assumed that the BigFix Inventory server is not configured to allow direct download. To accept the certificate as-is, set the Computer Setting _BESRelay_Download_UntrustedSites to 1 on the top-level relay.

Key pair requirements

Your key pair must meet the following requirements to be accepted by BigFix Inventory.
  • Type: RSA or DSA.
  • Format: PEM-encoded. Such an encoding is ensured if you create the key pair by using OpenSSL. You can also create your keys by using other methods, for example Makecert on Windows. Such keys are DER-encoded and therefore not supported by BigFix Inventory. However, you can convert other formats to PEM, for example by using OpenSSL.
  • Private key format: PKCS#8 (used by OpenSSL). The PVK format is not supported.

Limitations

A key pair that is generated for BigFix Inventory can be used for Web Reports only if the private key is not password-protected.
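As an added pre-upload check that is not part of the BigFix Inventory documentation or product, the following Python script inspects a private key file against the requirements above (PEM encoding, PKCS#8 container, RSA or DSA type) and the Web Reports limitation (no password protection). The sample key files it embeds are constructed stubs containing only the PKCS#8 or PKCS#1 prefix, not real keys, and the conversion commands it suggests are standard OpenSSL invocations.

```python
"""Pre-upload check of a BigFix Inventory private key file (added example, not product code)."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# DER-encoded algorithm OIDs as they appear in a PKCS#8 AlgorithmIdentifier.
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # rsaEncryption
OIDS = {
    RSA_OID: "RSA",
    b"\x06\x07\x2a\x86\x48\xce\x38\x04\x01": "DSA",  # id-dsa
    b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01": "EC",   # id-ecPublicKey
}

def key_type(der: bytes) -> str:
    """Identify the algorithm from the OID near the start of a PKCS#8 blob."""
    for oid, name in OIDS.items():
        if oid in der[:64]:
            return name
    return "unknown"

def check_private_key(data: bytes, for_web_reports: bool = False) -> list:
    """Return a list of problems; an empty list means the key meets the requirements."""
    m = PEM_RE.search(data)
    if not m:
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: raw DER, e.g. a Makecert output
            return ["DER-encoded key; convert with: openssl pkey -inform DER -in key.der -out key.pem"]
        return ["no PEM block found"]
    label, body = m.group(1).decode(), m.group(2)
    if label == "EC PRIVATE KEY":
        return ["EC key; type must be RSA or DSA"]
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):  # traditional format, not PKCS#8
        return [f"'{label}' is not PKCS#8; convert with: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem"]
    if label == "ENCRYPTED PRIVATE KEY":  # encrypted PKCS#8: algorithm unreadable without the password
        return ["password-protected key; not usable for Web Reports"] if for_web_reports else []
    if label != "PRIVATE KEY":
        return [f"unexpected PEM label '{label}'"]
    kind = key_type(base64.b64decode(b"".join(body.split())))
    return [] if kind in ("RSA", "DSA") else [f"key type {kind} is not RSA or DSA"]

def _pem(label: str, der: bytes) -> bytes:
    """Wrap constructed DER bytes in a PEM envelope (fixture helper)."""
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), base64.encodebytes(der), label.encode())

# Constructed fixtures: only the PKCS#8/PKCS#1 prefix (version + AlgorithmIdentifier), not real keys.
PKCS8_RSA_STUB = b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d" + RSA_OID + b"\x05\x00\x04\x82\x04\xa8"
SAMPLE_PKCS8_RSA = _pem("PRIVATE KEY", PKCS8_RSA_STUB)          # acceptable
SAMPLE_PKCS1_RSA = _pem("RSA PRIVATE KEY", b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00")  # needs conversion
```

Run `check_private_key(open("key.pem", "rb").read(), for_web_reports=True)` on the key you intend to upload; an empty list means it satisfies every requirement listed on this page.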

Procedure

Complete the following steps to create your key pair and to enable encrypted communication. If you already have a key pair or want to use the self-signed certificates, you can skip to enabling secure communication.