Configuring secure communication

To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication.

About this task

The private key encrypts communication. The public key, which is contained in a certificate, decrypts communication. The use of encrypted communication requires that you create both a private key and a certificate that is associated with it. You can share the public key (certificate) with anyone because it is used only to read the communication. The security of your communication depends mainly on your private key, which proves your identity and must therefore be stored securely. The keys are created in such a way that a message encrypted with the private key can be decrypted only with the public key that is associated with it. If someone receives your public key and can decrypt your communication with this key, they know for certain that you are the originator of the message and that it was not tampered with on the way. Otherwise, the public key would be unable to decrypt it.

BigFix Inventory provides self-signed certificates by default, but they are not intended for production environments. To improve security, create your own private key and a certificate signing request (CSR) that can be transformed into a certificate after it is signed by a certificate authority (CA). By signing your request, a CA approves your public key and certifies that it can be trusted. You can create your own private CA, use the CA of your organization, or use an internationally trusted CA, such as Entrust, VeriSign, or another.

The private key and the associated certificate are uploaded to BigFix Inventory. After you enable encrypted communication, anyone who connects to your server receives a certificate that contains your public key. All subsequent communication that originates from the server is encrypted with your private key. After a user receives the communication, it is decrypted with the certificate that they obtained from the server. If the certificate can decrypt the communication, it is known for certain that the server is the originator of the message and that it is valid.

Key pair requirements

Your key pair must meet the following requirements to be accepted by BigFix Inventory.
  • Type: RSA or DSA.
  • Key strength: maximum 2048 bits. This limitation is caused by the IBM Java policy. You can use stronger keys if you replace the default policy files with the unlimited jurisdiction ones. For more information, see: IBM SDK Policy files.
  • Format: PEM-encoded. Such an encoding is ensured if you create the key pair by using OpenSSL. You can also create your keys by using other methods, for example Makecert on Windows. Such keys are DER-encoded and therefore not supported by BigFix Inventory. However, you can convert other formats to PEM, for example by using OpenSSL.
  • Private key format: PKCS#8 (used by OpenSSL). The PVK format is not supported.

Limitations

A key pair that is generated for BigFix Inventory can be used for Web Reports only if the private key is not password-protected.

Structure and format of the private key and certificate

  • Private key format
    • PEM-encoded without password protection. Ensure that the private key (private.key) is enclosed between the following statements:
      -----BEGIN PRIVATE KEY-----
      <<base64 string from private.key>>
      -----END PRIVATE KEY-----
    • PEM-encoded with password protection. Ensure that the private key (private.key) is enclosed between the following statements:
      -----BEGIN ENCRYPTED PRIVATE KEY-----
      <<base64 string from private.key>>
      -----END ENCRYPTED PRIVATE KEY-----
  • X509 certificate format
    PEM-encoded. If you received the intermediate and root certificates as separate files, combine them into a single file. For example, if you have the primary certificate file (certificate.crt) and the intermediate certificate file (ca_intermediate.crt), combine them in the following order.
    -----BEGIN CERTIFICATE-----
    <<primary certificate: base64 string from certificate.crt>>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <<intermediate certificate: base64 string from ca_intermediate.crt>>
    -----END CERTIFICATE-----
    If you received the root certificate (ca_root.crt) in addition to the intermediate certificate, combine them in the following order.
    -----BEGIN CERTIFICATE-----
    <<primary certificate: base64 string from certificate.crt>>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <<intermediate certificate: base64 string from ca_intermediate.crt>>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <<root certificate: base64 string from ca_root.crt>>
    -----END CERTIFICATE-----
  • Single file (private key with certificates) format
    PEM-encoded. This file can contain the private key and the primary certificate, or the private key and the chain of certificates combined in the following order:
    • Private key and primary certificate.
      -----BEGIN CERTIFICATE-----
      <<primary certificate: base64 string from certificate.crt>>
      -----END CERTIFICATE-----
      -----BEGIN PRIVATE KEY-----
      <<private key: base64 string from private.key>>
      -----END PRIVATE KEY-----
    • Private key, primary certificate, and intermediate certificate.
      -----BEGIN CERTIFICATE-----
      <<primary certificate: base64 string from certificate.crt>>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <<intermediate certificate: base64 string from ca_intermediate.crt>>
      -----END CERTIFICATE-----
      -----BEGIN PRIVATE KEY-----
      <<private key: base64 string from private.key>>
      -----END PRIVATE KEY-----
    • Private key, primary certificate, intermediate certificate, and root certificate.
      -----BEGIN CERTIFICATE-----
      <<primary certificate: base64 string from certificate.crt>>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <<intermediate certificate: base64 string from ca_intermediate.crt>>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <<root certificate: base64 string from ca_root.crt>>
      -----END CERTIFICATE-----
      -----BEGIN PRIVATE KEY-----
      <<private key: base64 string from private.key>>
      -----END PRIVATE KEY-----
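The following is an added pre-upload check, not part of BigFix Inventory or of this documentation, that applies the layout rules above to a combined PEM file before it is uploaded: it verifies that every BEGIN marker is well-formed, that the private key block uses a PKCS#8 label (PRIVATE KEY or ENCRYPTED PRIVATE KEY rather than a traditional RSA/DSA PRIVATE KEY label), that the certificates precede the private key, that each body is base64 text rather than DER, and whether the key is usable for Web Reports (not password-protected). The sample PEM strings in the usage note are constructed placeholders, not real keys.

```python
import re

# One PEM block: BEGIN/END markers that carry the same label, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# PKCS#8 labels that BigFix Inventory accepts for the private key.
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
# Traditional OpenSSL/PKCS#1 labels: PEM-encoded, but not PKCS#8, so they must be converted first.
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return the (label, body) blocks of a PEM file in order of appearance."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Check a combined key-and-certificate file against the layout rules above.

    Returns a list of problem descriptions; an empty list means the layout is acceptable.
    """
    problems = []
    # A marker such as "BEGIN CERTIFICATE-----" without the leading dashes is not valid PEM.
    if re.search(r"^\s*BEGIN [A-Z ]+-----", text, re.MULTILINE):
        problems.append("malformed BEGIN marker: missing the leading -----")
    blocks = parse_pem(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label in keys:
        if label in LEGACY_KEY_LABELS:
            problems.append(f"{label} is not PKCS#8; convert it with 'openssl pkcs8 -topk8'")
        elif label not in PKCS8_LABELS:
            problems.append(f"unsupported private key label: {label}")
    # Certificates come first (primary, intermediate, root); the private key is the last block.
    if keys and not labels[-1].endswith("PRIVATE KEY"):
        problems.append("the private key must be the last block, after all certificates")
    for label, body in blocks:
        # A DER file or a binary paste shows up here as non-base64 content.
        if not re.fullmatch(r"[A-Za-z0-9+/=\s]+", body):
            problems.append(f"{label} body is not base64 text (DER-encoded?)")
    return problems


def web_reports_compatible(text):
    """Web Reports can reuse the key pair only if the private key is not password-protected."""
    return "ENCRYPTED PRIVATE KEY" not in [label for label, _ in parse_pem(text)]
```

Run `check_bundle(open("combined.pem").read())` on the file you intend to upload; an empty list means the block order and labels match the layouts documented above, and `web_reports_compatible` tells you whether the same file can also serve Web Reports.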

Procedure

Complete the following steps to create your key pair and to enable encrypted communication. If you already have a key pair or want to use the self-signed certificates, you can skip to enabling secure communication.