Customizing HTTPS on Web Reports

If you have a trusted SSL security certificate and key from a certificate authority, you can configure the BigFix Web Reports computer to use this certificate and key to enable trusted connections.

When an HTTPS certificate is set, the server supplies the certificate to connecting clients (browsers), which present a dialog to the user containing information from the certificate. If the certificate meets all of the trust requirements, the browser connects without any intervention by the user. If the certificate does not meet the trust requirements of the browser, the user is prompted with a dialog that asks whether it is OK to proceed with the connection and gives access to information about the certificate. A trusted certificate is signed by a trusted authority (such as Verisign), contains the correct host name, and has not expired.

When you have a trusted SSL certificate, move the .pvk (if you have one) and the .pem files to the target computer(s) running Web Reports before changing the settings, even when using the BigFix Console.

Complete the steps to accomplish the following tasks:
  • Specify that you are using a secure communication.
  • Specify where the SSL certificate and private key files are located.
  • Define the HTTPS port number, listening for HTTPS connections and redirecting the client to HTTPS on the SSL port.
  1. From the BigFix console, select the Computers tab.
  2. Right-click the computer on which Web Reports runs and click Edit Computer Settings.
  3. Look for the _WebReports_HTTPServer_UseSSLFlag setting. If it exists, do not create a second one, but edit its value to 1 to enable HTTPS. If it does not exist, add it.

  4. If you combined the private key file with the certificate file, skip this step and set only the _WebReports_HTTPServer_SSLCertificateFilePath setting.

    Look for the _WebReports_HTTPServer_SSLPrivateKeyFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the private key (.pvk file) which contains the private key for the server. The private key must not have a password. If it does not exist, add it.

  5. Look for the _WebReports_HTTPServer_SSLCertificateFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the .pem file which might contain both the certificate and private key for the server, or only the certificate. If it does not exist, add it.

  6. Look for the _WebReports_HTTPServer_PortNumber setting. If it exists, do not create a second one, but edit its value to the port number you would like to use. If it does not exist, add it.

  7. When SSL is enabled, define the forwarding port with the following settings:
    • _WebReports_HTTPRedirect_Enabled to 1
    • _WebReports_HTTPRedirect_PortNumber to the port listening for HTTP connections and redirecting the client to HTTPS.
  8. To require TLS 1.2 for web browser requests, look for _WebReports_HTTPServer_RequireTLS12. If it exists, do not create a second one, but edit its value to 1. The Web Reports component always uses TLS 1.2 when communicating with the BigFix server, regardless of local settings or settings of the masthead.
    Important: Use of TLS versions earlier than 1.2 is deprecated.
  9. Restart the BES Web Reports Server service:
    • On Windows, open Services, select BESWebReports and on the Action menu, click Restart.
    • On Linux run from the prompt: service beswebreports restart or /etc/init.d/beswebreports restart

Manually customizing HTTPS settings

If you cannot change the settings using the BigFix Console, you can also set them manually on the target computer(s) by editing the Windows registry or the Linux configuration files. You need to directly add or edit the same settings you would change in the Console. Remember to specify the settings for the location of the SSL certificate, for the HTTPS port number, and for the redirection to HTTPS.

On Windows systems

Run regedit and locate this key:
HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigFix\EnterpriseClient\Settings\Client

The settings can be added or modified directly in the registry by creating or editing the corresponding sub-keys and values.

For example, to change the _WebReports_HTTPServer_UseSSLFlag setting value to 1:
  • Create a subkey of Client named _WebReports_HTTPServer_UseSSLFlag (if it does not already exist).
  • Create a string value (REG_SZ) named value under the _WebReports_HTTPServer_UseSSLFlag key and set it to 1 to enable HTTPS.

On Linux systems

The settings can be added or modified directly in the .config files:
  • besclient.config, if a client is installed together with Web Reports
  • beswebreports.config, if only Web Reports is installed

The settings can be added or modified by creating or editing the corresponding configuration file sections and values.

For example, to change the _WebReports_HTTPServer_UseSSLFlag setting value to 1:
  • Locate the appropriate configuration file section. If it does not exist, add it; otherwise, change the value from 0 to 1.
    [Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_UseSSLFlag]
    value = 1
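
The following is an added example, not part of the BigFix product or its documentation: a Python check of a Linux Web Reports configuration file against the steps above (no duplicate setting sections, HTTPS enabled, certificate path set, private key without a password, TLS 1.2 required, redirect port defined). It assumes the file is plain INI-style text as in the snippet above and that the certificate and key files are PEM-encoded; the function names, the sample path, and the sample file contents are constructed for illustration.

```python
import configparser

PREFIX = "Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_WebReports_"

def load_settings(config_text):
    """Map short setting name -> value; a duplicated section raises DuplicateSectionError."""
    cp = configparser.ConfigParser(interpolation=None)  # strict mode rejects a second copy
    cp.read_string(config_text)
    return {s[len(PREFIX):]: cp[s].get("value", "").strip()
            for s in cp.sections() if s.startswith(PREFIX)}

def key_is_encrypted(pem_text):
    """True if PEM text holds a password-protected key (PKCS#8 or legacy OpenSSL form)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text

def audit(settings, read_file):
    """Return a list of findings; read_file(path) must return the file's text (assumed PEM)."""
    findings = []
    if settings.get("HTTPServer_UseSSLFlag") != "1":
        findings.append("UseSSLFlag is not 1: HTTPS is off")
    cert_path = settings.get("HTTPServer_SSLCertificateFilePath", "")
    key_path = settings.get("HTTPServer_SSLPrivateKeyFilePath", "")
    pem = read_file(cert_path) if cert_path else ""
    if "BEGIN CERTIFICATE" not in pem:
        findings.append("SSLCertificateFilePath missing or file has no certificate")
    if not key_path and "PRIVATE KEY" not in pem:
        findings.append("no private key: set SSLPrivateKeyFilePath or combine key into the .pem")
    if key_is_encrypted(read_file(key_path) if key_path else pem):
        findings.append("private key is password-protected")
    if settings.get("HTTPServer_RequireTLS12") != "1":
        findings.append("RequireTLS12 is not 1: TLS 1.2 is not required for browser requests")
    if settings.get("HTTPRedirect_Enabled") == "1" and not settings.get("HTTPRedirect_PortNumber"):
        findings.append("HTTP redirect enabled without HTTPRedirect_PortNumber")
    return findings

# Constructed sample: config text and PEM skeleton (markers only, no real key material).
SAMPLE_CONFIG = r"""
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_UseSSLFlag]
value = 1
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_SSLCertificateFilePath]
value = /path/to/webreports.pem
"""
SAMPLE_FILES = {"/path/to/webreports.pem":
    "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed)\n-----END ENCRYPTED PRIVATE KEY-----\n"}
if __name__ == "__main__":
    for finding in audit(load_settings(SAMPLE_CONFIG), SAMPLE_FILES.__getitem__):
        print("FINDING:", finding)
```

To run it against a real host, pass the text of besclient.config or beswebreports.config to load_settings and a read_file function that opens the configured paths.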