Remote Control Broker Certificate

Remote Control does not create a certificate for the broker during the installation. Follow the instructions in this section to create and set up the broker certificate.

A separate certificate is required for each broker that is added to the Remote Control infrastructure. This certificate needs to be trusted by the components that can connect to the broker, that is other brokers, controllers and targets. These certificates can be self-signed or part of a chain coming from a valid internal or external Certificate Authority (CA). The signing certificates are held in a trust store on the Remote Control server and are used to verify the broker certificates at connection time.

The broker certificates must be uploaded to the Remote Control server by following the Adding a certificate to the truststore topic.
Note: If a broker certificate is CA signed then all the certificates which are part of the CA chain must be uploaded to the Remote Control server starting from the CA signer certificate up to the CA root.
The broker supports two key store formats.
PKCS#12
The modern industry-standard for keystores. This is supported by both keytool and OpenSSL.
PEM
PEM files can be generated with the OpenSSL command line tool or other third party tools. The OpenSSL command-line tool is not shipped with Remote Control.
The PEM file needs to contain the following items, in the order listed below.
  1. Broker's certificate
  2. Any intermediate certificates, if required
  3. Root certificate
  4. Broker's private key
Use a text editor or the UNIX cat command to combine all the items in a single file.

Once all certificates are uploaded to the Remote Control server the same list of certificates will be cached in the broker.certs file on each broker. To force the update of this file you can restart the broker service once.

Once the broker.certs file has been updated you can use the following command to validate the TLS connection:
On Windows:
"C:\Program Files (x86)\BigFix\Remote Control\Target\openssl.exe" s_client -connect “my.broker.host.org:443” -CAfile "C:\ProgramData\BigFix\Remote Control\TrustStore\broker.certs"
On Linux:
LD_LIBRARY_PATH=/opt/bigfix/trc/broker /opt/bigfix/trc/broker/openssl s_client -connect "my.broker.host.org:443" -CAfile /var/opt/bigfix/trc/broker/broker.certs

Broker to Broker communication

When multiple brokers are installed, in a Broker-to-Broker (B2B) infrastructure, secure communication relies heavily on Mutual TLS (mTLS). When a broker initiates a connection to another broker, it acts as a client. If the digital certificate assigned to the initiating broker lacks the Client Authentication Extended Key Usage (EKU) attribute, the receiving broker may reject the handshake.

To resolve this a separate certificate must be used for Broker-to-Broker communication. As a result, you end up with two dedicated certificates, for example, cert_with_server_auth.p12 and cert_with_client_auth.p12:

First certificate with Server Authentication (1.3.6.1.5.5.7.3.1)
To allow the broker to prove its identity when receiving connections from clients (the clients will receive and use this certificate while validating the connection with the remote broker as expected in a normal TLS session).
Second certificate with Client Authentication (1.3.6.1.5.5.7.3.2)
To allow the broker to prove its identity when initiating connections to a peer broker (the broker which acts as server requires the client broker to provide its own certificate to authenticate itself as expected in a mTLS session).
Once the separate certificate has been generated, you can configure it in the broker configuration like this:
DefaultTLSCertificateFile = cert_with_server_auth.p12
DefaultTLSCertificatePassphrase=xxxxxx

inbound.ConnectionType = Inbound
inbound.PortToListen = 443
inbound.AllowEndpoints = yes
inbound.AllowBrokers = my.broker3.com

broker.ConnectionType = Broker
broker.DestinationAddress = my.broker2.com
broker.DestinationPort = 8443
broker.TLSCertificateFile = cert_with_client_auth.p12
broker.TLSCertificatePassphrase = xxxx

https.ConnectionType = InboundHTTPS
https.PortToListen = 443
Note: In the SAN field of this dedicated certificate you need to use the same hostname/FQDN contained in the SAN of the other certificate which has the Server Authentication flag in the EKU. Also this additional certificate must be added to the Remote Control server trust store like the other one.
Once the broker.certs file has been updated, you can use the following command to validate the TLS connection:
On Windows
"C:\Program Files (x86)\BigFix\Remote Control\Target\openssl.exe" s_client -connect “my.broker.host.org:443” -cert cert_with_client_auth.p12 -CAfile "C:\ProgramData\BigFix\Remote Control\TrustStore\broker.certs"
On Linux
LD_LIBRARY_PATH=/opt/bigfix/trc/broker /opt/bigfix/trc/broker/openssl s_client -connect "my.broker.host.org:443" -cert cert_with_client_auth.p12 -CAfile /var/opt/bigfix/trc/broker/broker.certs