REST API HTTPS Settings

To enable HTTPS, configure the following client settings, such as the paths of the certificate and private key files or the path of the combined certificate and private key file, the HTTPS port number, a listening for HTTP connections and for redirecting the client to HTTPS on the SSL port as follows:

  1. From the BigFix console select the Computers tab.
  2. Select the computer to configure and Edit Computer Settings from the Edit menu.
  3. Look for _BESRelay_HTTPServer_UseSSLFlag setting. If it exists, do not create a second one, but edit its value to 1 to enable HTTPS. If it does not exist, add it:

    Important: If you combined the private key file with the certificate file, skip the following step and set only the _BESRelay_HTTPServer_SSLCertificateFilePath.
  4. Look for _BESRelay_HTTPServer_SSLPrivateKeyFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the private key (.pvk file which contains the private key for the server. The private key must not have a password. If it does not exist, add it.
  5. Look for _BESRelay_HTTPServer_SSLCertificateFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the .pem file which might contain both the certificate and private key for the server, or only the certificate. If it does not exist, add it:

    Ensure that the .pem file is in standard OpenSSL PKCS7 .pem file format.

    The certificate is supplied by the server to connecting clients (browsers) and they present a dialog to the user containing information from the certificate. If the certificate meets all of the trust requirements of the connecting browser, then the browser connects without any interventions by the user. If the certificate does not meet the trust requirements of the browser, then the user will be prompted with a dialog asking them if it is OK to proceed with the connection, and giving them access to information about the certificate. A trusted certificate is signed by a trusted authority (such as Verisign), contains the correct host name, and is not expired.

  6. Look for _BESRelay_HTTPServer_PortNumber. If it exists, do not create a second one, but edit its value to the port number you would like to use (typically 443). If it does not exist, add it:

  7. When SSL is enabled define the forwarding port by setting the following: _BesRelay_HTTPRedirect_Enabled to 1 and _BESRelay_HTTPRedirect_PortNumber to the port listening for HTTP connection and redirecting the client to HTTPS.
  8. To enable TLS12 for web browser requests, look for _BESRelay_HTTPServer_RequireTLS12. If it exists, do not create a second one, but edit its value to 1 .
    Note: The REST API component always uses TLS 1.2 when communicating with the BigFix server, (regardless of local settings or settings of the masthead).
  9. Restart the BES Server service:
    • On Windows, open Services, select BESServer and on the Action menu, click Restart.
    • On Linux run from the prompt: service besserver restart or /etc/init.d/besserver restart.
Note: These settings are stored in the registry under the key HKLM/Software/WoW6432Node/BigFix/EnterpriseClient/Settings/Client.