V11 Overview

BigFix Platform 11 introduces the following major changes in the security area:

  • OpenSSL has been upgraded to 3.1.1
  • TLS 1.3 protocol for HTTPS communications is now supported
  • SHA-384 is now available as cryptographic hash function for all digital signatures.
With BigFix Platform 11:
  • SHA-256 and TLS 1.2 are the minimum security levels used for digital signatures and HTTPS communications respectively
  • SHA-384-only and/or TLS 1.3-only modes can be optionally enforced
  • SHA-1 and SHA-256 are still used for validation of downloaded files in prefetch statements
  • BigFix 10.0.7 is the minimum version supporting the upgrade of the BigFix Server components to Version 11.

Considerations on the upgrade of the BigFix Platform to v11

Compared to previous BigFix versions, there are no changes regarding the manual and Fixlet upgrade options and procedures. The only main difference is related to the upgrade of the BigFix Server for which the following prerequisites must be satisfied:
  • BigFix 10.0.7 is the minimum version supporting the upgrade of the BigFix server components to Version 11.
  • “Enhanced Security” must be enabled (Security Configuration Scenarios).

Note: Plan to enable the "Enhanced Security" well in advance of the upgrade because the feature takes time to propagate through the deployment. For detailed information and guidance, please read carefully Guidance on Enabling Enhanced Security prior to enabling "Enhanced Security".

On Windows, you can enable the "Enhanced Security" using the relevant button of the graphical BigFix Administration Tool, as shown in the following picture:

On Linux, run the following command:
/opt/BESServer/bin/BESAdmin.sh -securitysettings -enableEnhancedSecurity 
-sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
By enabling "Enhanced Security", objects within the BigFix Server database will be re-signed. Before proceeding with the upgrade, it is recommended to check for invalid data by running the BESAdmin Command Line with the findinvalidsignatures option as described in:
Note: The update Fixlets might take longer than usual to be reported as relevant due to the change in major version of the BigFix Server.

Results of the upgrade to BigFix v11

After you have started upgrading to BigFix 11, even if your deployment is not all at Version 11 yet, you will get the following benefits:
  • TLS handshakes will use SHA-384 certificates whenever they are available. After upgrading the BigFix Server to v11, SHA-384 certificates will be available to:
    • All Agents/Relays at Version 11
    • Agents and Relays at 10.0 patch 7 (or later patch) that have had their certificates refreshed, either automatically for expiration of the 13-month validity period, or manually with the “client certificate refresh” actionscript command (see Client certificate)
    • All Agents and Relays installed after upgrading the BigFix Server to Version 11, regardless of their version.
  • Content generated by MOs and NMOs like sites, Fixlets, analyses, actions, etc. will be signed with both SHA-256 and SHA-384. To validate such content, BigFix components at v11 will rely on both, while BigFix components at earlier versions will rely on the SHA-256 signature.
  • The BigFix Server will validate external site content using either the SHA-256 or the SHA-384 signature.
  • The BigFix Server will process Agent reports that are signed using either SHA-256 or SHA-384.
  • BigFix Platform 11 will support both TLS 1.2 and TLS 1.3 (with TLS 1.3 being always the first attempted option), while it will no longer support TLS 1.1 or below in ANY scenario requiring HTTPS.

Note: Because of the above, BigFix Platform components at Version 11 will no longer be backward compatible with BigFix components at version 9.0 or lower.

Note: SHA-1 and SHA-256 are still used for validation of downloaded files in prefetch statements.

The communications with the BigFix Database are not affected by the version change but depend on the database configuration.

The following picture provides a summary of what is described above.

Enforcing SHA-384-only for signatures

You can optionally require the usage of SHA-384 as the only allowed cryptographic hash function for all digital signatures.

Note: This requires the whole deployment to be at Version 11. BigFix components at earlier versions will be no longer manageable (e.g. Agents and Relays will no longer be able to gather, validate and process content propagating from the BigFix Server).

Enforcement can be done with the BigFix Administration tool (Security) and has the following consequences:
  • Any content generated by MOs and NMOs like sites, Fixlets, analyses, actions, etc. will be signed only with SHA-384. Therefore, only Agents and Relays at Version 11 will be able to validate and process it.
  • The BigFix Server will validate external site content relying only on the SHA-384 signature.
  • The BigFix Server will only process Agent reports that are signed using SHA-384.

Enforcing TLS 1.3-only for HTTPS communications

You can optionally require the usage of TLS 1.3 as the only allowed protocol for HTTPS communications.

Note: This requires the whole deployment to be at Version 11. BigFix components at earlier versions will be no longer manageable (e.g. Agents and Relays will no longer be able to communicate via HTTPS with BigFix components of Version 11).

Enforcement can be done with the BigFix Administration tool (Security) and will affect the following scenarios:
  • Internal HTTPS communications between BigFix components
  • HTTPS communications where a BigFix component plays as HTTPS Server (e.g. a REST API client connecting to the BigFix Server, or a browser connecting to the Relay Diagnostics page)
  • External site gathers performed by the BigFix Server.

Libraries upgraded in V11

For a full list of libraries upgraded in BigFix Platform V11, see What is new in BigFix 11 Platform.

Updated system requirement matrix in V11

In BigFix Platform 11 the system requirement matrix has been updated. For more information, see BigFix Support Matrix.