Customizing HTTPS on Web Reports
BigFix Web Reports is configured to use HTTPS by default: it creates its own certificate during the installation. If you want to replace that certificate, you need to configure HTTPS manually.
First steps
If you have a trusted SSL security certificate and key from a certificate authority, you can configure BigFix Web Reports to use this certificate and key to enable trusted connections. You can also use a self-signed certificate.
- Install or upgrade OpenSSL on your system to the latest available version.
- Ensure that an OpenSSL command-line tool is available.
- Create a Certificate Signing Request (CSR) with your company and Web Reports server information.
- EITHER: Generate a Self-Signed Certificate OR Request a Certificate from a Certificate Authority.
When an HTTPS certificate is set, the server supplies it to connecting clients (browsers), and they present a dialog to the user containing information from the certificate. If the certificate meets all of the trust requirements, the browser connects without any intervention by the user. If the certificate does not meet the trust requirements of the browser, the user is prompted with a dialog that asks whether it is OK to proceed with the connection and that gives access to information about the certificate. A trusted certificate is signed by a trusted authority (such as Verisign), contains the correct host name, and has not expired.
When you have a trusted SSL certificate, copy the .pvk (if you have one) and the .pem files to the computer(s) running Web Reports.
- Specify that you are using a secure communication.
- Specify where the SSL certificate and private key files are located.
- Specify the HTTPS port number.
- Specify a port to redirect to HTTPS.
- Restart the relevant services.
Customizing HTTPS using the BigFix Console
- From the BigFix console, select the Computers tab.
- Right click on the computer on which Web Reports runs and click Edit Computer Settings.
- Look for the _WebReports_HTTPServer_UseSSLFlag setting. If it exists, do not create a second one, but edit its value to 1 to enable HTTPS. If it does not exist, add it.
- If you combined the private key file with the certificate file, skip this step and set only the _WebReports_HTTPServer_SSLCertificateFilePath setting. Look for the _WebReports_HTTPServer_SSLPrivateKeyFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the private key (.pvk file) which contains the private key for the server. The private key must not have a password. If it does not exist, add it.
- Look for the _WebReports_HTTPServer_SSLCertificateFilePath setting. If it exists, do not create a second one, but edit its value to the full path name of the .pem file which might contain both the certificate and private key for the server, or only the certificate. If it does not exist, add it.
- Look for the _WebReports_HTTPServer_PortNumber setting. If it exists, do not create a second one, but edit its value to the port number you would like to use. If it does not exist, add it.
- When SSL is enabled define the forwarding port with the following settings:
- _WebReports_HTTPRedirect_Enabled to 1
- _WebReports_HTTPRedirect_PortNumber to the port listening for HTTP connection and redirecting the client to HTTPS.
- To require TLS 1.3 for web browser requests, look for _WebReports_HTTPServer_RequireTLS13. If it exists, do not create a second one, but edit its value to 1. The Web Reports component always uses the highest and most secure version of TLS available when communicating with the BigFix server, regardless of local settings or settings of the masthead.
Important: Use of TLS with a version earlier than 1.2 is deprecated.
- Restart the BES Web Reports Server service:
- On Windows, open Services, select BESWebReports and on the Action menu, click Restart.
- On Linux run from the prompt:
systemctl restart beswebreports
Up to BigFix Version 11.0.1, for backward compatibility reasons, you can also run the command:
/etc/init.d/beswebreports restart
Customizing HTTPS manually on Windows systems
When you have a trusted SSL certificate (a .pem file), place it on the computer running Web Reports (usually the server) and follow these steps.
- Run regedit and locate
HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigFix\EnterpriseClient\Settings\Client
You need to add or modify subkeys for the HTTPS flag, for the location of the SSL certificate, for the HTTPS port number, and for the redirection to HTTPS.
- Create a subkey of Client called _WebReports_HTTPServer_UseSSLFlag (if it does not exist yet). Add a string value (reg_sz) called "value" to the key and set it to 1 to enable HTTPS.
- Create a subkey of Client called _WebReports_HTTPServer_SSLCertificateFilePath (if it does not exist yet). Add a string value (reg_sz) called "value" to the key and set it to the full path name of the SSL certificate (cert.pem).
- Create a subkey of Client called _WebReports_HTTPServer_PortNumber (if it does not exist yet). Add a string value (reg_sz) called "value" to the key and set it to the port number you want to use (typically 443).
- Create a subkey of Client called _WebReports_HTTPRedirect_Enabled (if it does not exist yet). Add a string value (reg_sz) called "value" to the key and set it to 1 to enable the browser redirection of HTTP to HTTPS.
- Create a subkey of Client called _WebReports_HTTPRedirect_PortNumber (if it does not exist yet). Add a string value (reg_sz) called "value" to the key and set it to the number of the port listening for HTTP requests and redirecting them to HTTPS.
- Restart the BESWebReports service.
Customizing HTTPS manually on Linux systems
When you have a trusted SSL certificate (a .pem file), place it on the computer running Web Reports and customize the keywords in the applicable file:
- besclient.config if a client is installed together with Web Reports
- beswebreports.config if only Web Reports is installed
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_PortNumber]
value = 443
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_SSLCertificateFilePath]
value = /tmp/CERT/cert.pem
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_SSLPrivateKeyFilePath]
value = /tmp/CERT/pvtkey.pvk
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_UseSSLFlag]
value = 1
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPRedirect_Enabled]
value = 1
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPRedirect_PortNumber]
value = 8080
Stop and restart the beswebreports service.
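Before restarting the service, the edited file can be checked against the requirements stated on this page. The following Python sketch is an added example, not BigFix code: it parses the section/value layout shown above and reports settings that are missing or inconsistent. It assumes the private key file is PEM-encoded, and the /tmp check is an added hardening suggestion rather than a product rule; the sample config and key header are constructed.

```python
import re
PREFIX = "Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_WebReports_"
# Constructed sample in the layout shown above; not taken from a real server.
SAMPLE = r"""
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_UseSSLFlag]
value = 1
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPServer_SSLPrivateKeyFilePath]
value = /tmp/CERT/pvtkey.pvk
[Software\BigFix\EnterpriseClient\Settings\Client\_WebReports_HTTPRedirect_Enabled]
value = 1
"""
# Constructed header of a passphrase-protected PEM key (body omitted).
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"

def parse_settings(text):
    """Map each _WebReports_ setting (prefix stripped) to its 'value = ...'."""
    settings, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            path = header.group(1)
            current = path[len(PREFIX):] if path.startswith(PREFIX) else None
        elif current and re.match(r"value\s*=", line):
            settings[current] = line.split("=", 1)[1].strip()
            current = None
    return settings

def audit(settings, key_pem=""):
    """Return findings for the requirements this page states, plus one extra."""
    get = lambda name: settings.get(name, "")
    findings = []
    if get("HTTPServer_UseSSLFlag") != "1":
        findings.append("UseSSLFlag is not 1: HTTPS is off")
    if not get("HTTPServer_SSLCertificateFilePath"):
        findings.append("SSLCertificateFilePath is not set")
    if get("HTTPRedirect_Enabled") == "1" and not get("HTTPRedirect_PortNumber").isdigit():
        findings.append("redirect enabled without HTTPRedirect_PortNumber")
    # The page requires a key without a password; these markers mean encrypted.
    if re.search(r"^(-----BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED)", key_pem, re.M):
        findings.append("private key is password-protected")
    # Added hardening check (assumption, not a product rule): /tmp is world-writable.
    for name in ("HTTPServer_SSLPrivateKeyFilePath", "HTTPServer_SSLCertificateFilePath"):
        if get(name).startswith("/tmp/"):
            findings.append(name + " points under /tmp")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE), SAMPLE_KEY):
        print("FINDING:", finding)
```

To audit a real installation, pass the contents of besclient.config or beswebreports.config to parse_settings and the contents of the key file to audit.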