Remote Control Broker Certificate

Remote Control does not create a certificate for the broker during installation. Follow the instructions in this section to create and set up the broker certificate.

A separate certificate is required for each broker that is added to the Remote Control infrastructure. This certificate must be trusted by every component that can connect to the broker, that is, other brokers, controllers and targets. These certificates can be self-signed or part of a chain issued by a valid internal or external Certificate Authority (CA). The signing certificates are held in a trust store on the Remote Control server and are used to verify the broker certificates at connection time.

The broker certificates must be uploaded to the Remote Control server by following the Adding a certificate to the truststore topic.
Note: If a broker certificate is CA-signed, all the certificates in the CA chain must be uploaded to the Remote Control server, starting from the CA signer certificate up to the CA root.
The broker supports two key store formats.
PKCS#12
This key store format is supported by the IBM Key Management tool (ikeyman), which ships as part of Remote Control in the embedded Websphere Application Server (WAS) or standalone WAS.
PEM
PEM files can be generated with the OpenSSL command line tool or other third party tools. The OpenSSL command-line tool is not shipped with Remote Control.
The PEM file needs to contain the following items, in the order listed below.
  1. Broker's certificate
  2. Any intermediate certificates, if required
  3. Root certificate
  4. Broker's private key
Use a text editor or the UNIX cat command to combine all the items into a single file.
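A quick way to catch a mis-assembled PEM file before restarting the broker is to check the block layout described above: certificates first (broker, any intermediates, root), the private key last. The following checker is an added example written for this section, not part of Remote Control; it uses only the Python standard library, and the sample bundles it embeds are constructed placeholders (a 5-byte DER SEQUENCE), not real certificates or keys.

```python
import base64
import re

# PEM labels accepted for the private key that must close the bundle.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block, in file order.
    Raises ValueError if a body is not base64 or not a DER SEQUENCE."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and key files are ASN.1 SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_broker_pem(text):
    """Check the layout the broker expects: certificates (broker, optional
    intermediates, root) first, then the private key as the last item.
    Returns a list of problems; an empty list means the layout is acceptable.
    Leaf-to-root order inside the chain is not checked here (that needs X.509
    parsing); the openssl s_client test in this section covers it."""
    try:
        labels = [label for label, _ in parse_pem_blocks(text)]
    except ValueError as exc:
        return [str(exc)]
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    if labels[-1] not in KEY_LABELS:
        problems.append("last item must be the broker's private key")
    if any(lbl != "CERTIFICATE" for lbl in labels[:-1]):
        problems.append("everything before the private key must be a CERTIFICATE")
    if labels.count("CERTIFICATE") < 2:
        problems.append("need at least the broker certificate and the root certificate")
    return problems


# Constructed sample bundles: "MAMCAQE=" is a 5-byte DER SEQUENCE, not a real
# certificate or key; it only exercises the layout check.
_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQE=\n-----END RSA PRIVATE KEY-----\n"
GOOD_BUNDLE = _CERT + _CERT + _KEY       # broker cert, root cert, private key
KEY_FIRST_BUNDLE = _KEY + _CERT + _CERT  # private key placed before the certificates
```

Run `check_broker_pem(open("broker.pem").read())` on the file you assembled; an empty list means the item order matches the list above.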

Once all certificates have been uploaded to the Remote Control server, the same list of certificates is cached in the broker.certs file on each broker. To force an update of this file, restart the broker service once.

Once the broker.certs file has been updated, you can use the following command to validate the TLS connection:
On Windows:
"C:\Program Files (x86)\BigFix\Remote Control\Target\openssl.exe" s_client -connect "my.broker.host.org:443" -CAfile "C:\ProgramData\BigFix\Remote Control\TrustStore\broker.certs"
On Linux:
LD_LIBRARY_PATH=/opt/bigfix/trc/broker /opt/bigfix/trc/broker/openssl s_client -connect "my.broker.host.org:443" -CAfile /var/opt/bigfix/trc/broker/broker.certs