Enforcing strict HTTPS validation of certificates

You can configure BigFix® Remote Control to enforce strict HTTPS validation of certificates. All HTTPS connections from the target, broker, CLI, and controller are verified and the connection fails if the certificate is not trusted.

About this task

To enable strict validation of HTTPS certificates by the BigFix® Remote Control components, the following settings must be enabled:

Controller component in managed mode
  1. In the BigFix® Remote Control server UI select Admin > Edit properties file.
  2. Select common.properties.
  3. Set https.strict validation to true and click Submit.
  4. Select Admin > Reset Application.
Target or CLI
  1. Set the HTTPSStrictValidation property to Yes in the following locations.
    Windows operating system.
    Edit the target registry and go to HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli\Remote Control\Target.
    Note: On a 64-bit system, all the 32-bit registry keys are under the WOW6432Node key. For example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IBM\Tivoli\Remote Control\Target.
    Linux operating system.
    Edit the /etc/ibmtrct.conf file.
  2. Restart the target service.
Broker component
  1. Edit the trc_broker.properties file.
  2. Set HTTPSStrictValidation to Yes.
  3. Save the file and restart the broker service.

Results

After configuration, the components use the system truststore to verify HTTPS connections to the server. If the server certificate is issued by a certificate authority (CA) trusted by your operating system, the components work automatically. If the CA that is used by the server is not trusted by the operating system, it can be added by using the standard operating system certificate management methods.
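
To confirm the setting on Linux targets and on the broker after the steps above, the following script audits the configuration files. It is an added example, not part of the BigFix documentation or product. It assumes the files hold "Key = Value" lines with '#' comments, and the names strict_value and audit_file are hypothetical. Only the documented value Yes passes, and the path to trc_broker.properties must be supplied as an argument.

```shell
#!/bin/sh
# Added example: audit HTTPSStrictValidation in Remote Control config files.
# Assumption: the files hold "Key = Value" lines and '#' starts a comment.

# Print "Yes" only if every HTTPSStrictValidation line is exactly Yes;
# print the first other value if one exists; print nothing if the key is absent.
strict_value() {
    awk '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/ { next }                      # commented-out settings do not count
        {
            eq = index($0, "=")
            if (eq && trim(substr($0, 1, eq - 1)) == "HTTPSStrictValidation") {
                v = trim(substr($0, eq + 1)); seen = 1
                if (v != "Yes" && bad == "") bad = (v == "" ? "(empty)" : v)
            }
        }
        END { if (bad != "") print bad; else if (seen) print "Yes" }
    ' "$1"
}

# Report one file: enabled (0), missing or not-enabled:<value> (1), unreadable (2).
audit_file() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    value=$(strict_value "$1")
    case "$value" in
        Yes) echo "enabled" ;;
        "")  echo "missing"; return 1 ;;
        *)   echo "not-enabled:$value"; return 1 ;;
    esac
}

# With file arguments, audit those; with none, audit two constructed samples.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    printf 'OtherSetting = 1\nHTTPSStrictValidation = Yes\r\n' > "$demo/ibmtrct.conf"
    printf '#HTTPSStrictValidation = Yes\nHTTPSStrictValidation=No\n' > "$demo/trc_broker.properties"
    set -- "$demo/ibmtrct.conf" "$demo/trc_broker.properties"
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_file "$f")"
done
if [ -n "${demo:-}" ]; then rm -rf "$demo"; fi
```

A file with conflicting duplicate entries is reported as not enabled, because the script does not assume which occurrence the component honors.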