Step 3: Enabling secure communication

You can enable encrypted communication (HTTPS) to ensure secure communication between your server and all users who access it. You can base your communication on the self-signed certificates that are provided by default in BigFix Inventory, but these certificates are not intended for production environments. To improve security, create your own private key and certificate, and upload them to BigFix Inventory.

Before you begin

Note:
  • The use of HTTPS is enabled by default, but this configuration is based on temporary self-signed certificates that are not intended for production environments.
  • Enabling or disabling the use of HTTPS changes the web address of your BigFix Inventory server. Ensure that you run a data import afterward to update the address in the Fixlets that use it to download files from the server.
Starting from BigFix Inventory update 10.0.3, TLS 1.2 and a restricted set of secure cipher suites are enabled by default for fresh installations of the application, because of vulnerabilities in the older cipher suites. Existing and upgraded BigFix Inventory installations require manual configuration.
Perform the following steps:
  1. In the server.xml file, replace the following line:
    <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
    with the following:
    <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
    sslProtocol="TLSv1.2" enabledCiphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

    The server.xml file is located at one of the following paths, depending on the operating system of the server.

    <Installation_directory>/wlp/usr/servers/server1/server.xml

    <Installation_directory>\wlp\usr\servers\server1\server.xml

  2. Restart the server.
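    After editing server.xml, it is worth confirming that the <ssl> element really carries the protocol pin and the cipher allow-list before restarting, because a typo in an attribute name silently leaves the server on its built-in defaults. The following script is an added example, not BigFix Inventory or HCL code: it parses a server.xml text with the Python standard library, finds the <ssl> element with the id from the step above, and reports every deviation from the hardened configuration (a missing or different sslProtocol, a cipher suite outside the list the step enables). The two XML fragments embedded in it are constructed samples: the stock element and the hardened element exactly as shown above. The helper cbc_suites goes slightly beyond the page by listing the CBC-mode suites in a cipher list, which an administrator may choose to drop later if all clients support the GCM suites.

```python
"""Audit the <ssl> element of a server.xml for the hardened TLS settings
described above (sslProtocol="TLSv1.2" plus an explicit enabledCiphers list).
Added example for this page, not BigFix Inventory code. The sample XML
fragments below are constructed, not copied from a real installation."""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Allow-list: exactly the cipher suites the hardened configuration enables.
APPROVED_CIPHERS = frozenset("""
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
""".split())

# Constructed sample: the stock <ssl> element (no protocol pin, no cipher list).
DEFAULT_SERVER_XML = """<server>
  <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
</server>
"""

# Constructed sample: the hardened element, with the enabledCiphers value split
# across lines the same way the documentation shows it.
HARDENED_SERVER_XML = """<server>
  <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
  sslProtocol="TLSv1.2" enabledCiphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</server>
"""


def audit_ssl_config(server_xml: str, ssl_id: str = "defaultSSLConfig") -> List[str]:
    """Return findings for the <ssl> element with the given id.
    An empty list means the element matches the hardened configuration."""
    root = ET.fromstring(server_xml)
    matches = [e for e in root.iter("ssl") if e.get("id") == ssl_id]
    if not matches:
        return ['no <ssl id="%s"> element found' % ssl_id]
    ssl = matches[0]
    findings = []

    protocol = ssl.get("sslProtocol")
    if protocol is None:
        findings.append("sslProtocol: not set (protocol is not pinned to TLSv1.2)")
    elif protocol != "TLSv1.2":
        findings.append("sslProtocol: %r, expected 'TLSv1.2'" % protocol)

    ciphers = ssl.get("enabledCiphers")
    if ciphers is None:
        findings.append("enabledCiphers: not set (server default suite list applies)")
    else:
        # XML attribute-value normalization turns the newlines of the multi-line
        # value into spaces, so split() yields one suite name per item.
        for suite in ciphers.split():
            if suite not in APPROVED_CIPHERS:
                findings.append("enabledCiphers: %s is not in the approved list" % suite)
    return findings


def cbc_suites(ciphers_attr: str) -> List[str]:
    """Suites in a space-separated cipher list that use CBC mode with an HMAC.
    They are on the approved list above, but the GCM suites are AEAD ciphers
    and are the stronger choice where every client supports them."""
    return [s for s in ciphers_attr.split() if "_CBC_" in s]


if __name__ == "__main__":
    # Usage: python audit_ssl.py <Installation_directory>/wlp/usr/servers/server1/server.xml
    # Without an argument the constructed hardened sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = HARDENED_SERVER_XML
    result = audit_ssl_config(text)
    print("OK: TLSv1.2 with approved ciphers only" if not result else "\n".join(result))
```

    Run it against the real server.xml path from the step above; an empty result means the element is pinned to TLSv1.2 and enables only the listed suites. The audit deliberately treats any suite outside the list as a finding rather than checking for "known weak" names, so a future edit that adds a suite is caught regardless of what it is.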

Procedure

  1. Log in to BigFix Inventory.
  2. In the top navigation bar, click Management > Server Settings.
  3. Select Use HTTPS. The Certificate subsection opens.
  4. Optional: Select Use TLSv1.2.
    Important:
    • Enabling TLS 1.2 disables TLS 1.0.
    • To use TLS 1.2, ensure that your browser supports TLS 1.2, and that it is enabled.
    • To fulfill all the requirements for SP800-131 compliance, see: Enabling SP800-131 compliance.
  5. Provide information about the certificate.
    • If you have a private key and a certificate:
      1. Select Import a PEM encoded private key and certificate.
      2. Click Browse to locate the files in the computer file system.
      3. In the Private key password field, enter the password for the key. This field is required only if you set a password for your private key.
      4. Click Save.
      Note: The certificate and the key must be PEM-encoded.
    • If you want to generate a new self-signed certificate:
      Restriction: A self-signed certificate contains a public key, information about the owner of the certificate, and the owner's signature. Because such a certificate is signed by its own private key, it does not provide a means to verify the origin of the certificate through a trusted certificate authority.
      1. Select Generate a self-signed certificate.
      2. Specify the certificate subject common name. The common name must correspond to the DNS name of the BigFix Inventory server.
      3. In the Expiration Date field, enter the date when the certificate expires.
      4. Click Save.
      Note: Most browsers display a warning message when a self-signed certificate is used.
  6. Restart the server.

Results

You enabled secure communication on your server. All communication with the server is now encrypted over HTTPS, using the certificate and private key that you provided.