Security problems
Security problems in BigFix Inventory might include issues with logging in to the application or those related to the security of your credentials and your environment. However, you can easily recover from these problems.
- Login credentials and the authenticity token are stored as plain text in the HTTP packet.
- After logging in, the login form that contains the credentials is sent as plain text in the HTTP packet. You can solve this issue by configuring SSL.
- When creating a new user, autocomplete is enabled for the password field.
- When creating a new user, the password field might be filled by autocomplete based on the password that is stored in the browser.
- The server is not working properly after certificates are modified.
-
If the server is not working properly after certificates are modified and the server is restarted, then delete the keystore file
key_server.jceks
and restart the server. The keystore file is regenerated with a self-signed certificate. You can investigate the problem in thetema.log
file.The keystore file name is different for different versions:- Starting from 10.0.8.0
- key_server.p12
- For earlier versions
- key_server.jceks
- Starting from 10.0.8.0
- Difficulty establishing a connection with HTTPS.
- If you have difficulty when establishing a connection with HTTPS and you are using SSL, check that your browser supports TLS 1.2 and that it is enabled.
- The single sign-on configuration values are not updated automatically after you modify the server port.
- Modifying the port number on the Server Settings pane in BigFix Inventory while single sign-on is enabled
invalidates the single sign-on configuration. For information how to properly modify the port, see
Modifying port in BigFix Inventory that has single sign-on enabled.If you already modified the BigFix Inventory server port and are experiencing issues signing onto BigFix Inventory, you need to:
- Revert the disabled SSO configuration for SAML or Revert the disabled SSO configuration for LTPA.
- Provide the new port value on the Server Settings page. To access the page, click .
- Re-create the single sign-on configuration with the new port value. For more information, see either Configuring SSO based on SAML token or Configuring SSO based on LTPA.
- After you log in to BigFix Inventory for the first time with single sign-on enabled, you are redirected to an BigFix icon instead of the overview page.
- To recover from this error, follow the instructions in Handling the favicon.ico file with Mozilla Firefox.
- When you are importing a certificate in the PEM format and an encrypted private key in the pkcs8 format, an error about incorrect password for the private key is displayed.
- When you are importing a certificate and a private key in the
pkcs8 format, the following error is displayed:
Error when validating private key password: problem parsing ENCRYPTED PRIVATE KEY: java.lang.SecurityException: JCE cannot authenticate the provider BC.
To solve the problem, add the following line to the installation_dir/jre/lib/security/java.security file:
Then, restart the BigFix Inventory server.security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
- When you log in to BigFix Inventory using the LDAP
authentication, the following error message is displayed:
Error contacting the Directory Server for authentication
. - The error might occur if the SSL LDAP certificate that is used to authenticate users in BigFix Inventory was recently updated. To refresh the
certificate in the BigFix Inventory database, perform the following actions:
- Log in to BigFix Inventory as a local administrator.
- In the top navigation bar, click .
- Choose the LDAP server that is used to authenticate users.
- Click Test Connection, and wait for connection test to finish.
- Click Save.
- Antivirus software detects the LMT/CIT directory as possible threat.
- The LMT/CIT directory is one of the default scanner directories that is required by BigFix Inventory. It is not infected with any malicious software and does not pose any threat to your system. It is recommended to exclude this directory from antivirus scans.
- Secure connection is not initialized and the CWWKO0801E error can be found in the tema.log file.
- Secure connection is not initialized and the following error can be found in the
tema.log
file.
000000b7 com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported.