Enforcing strict HTTPS validation of certificates
You can configure BigFix® Remote Control to enforce strict HTTPS validation of certificates. All HTTPS connections from the target, broker, CLI, and controller are verified and the connection fails if the certificate is not trusted.
About this task
To enable strict validation of HTTPS certificates by the BigFix® Remote Control components, the following settings must be enabled:
- Controller component in managed mode
  - In the BigFix® Remote Control server UI select .
  - Select common.properties.
  - Set https.strict validation to true and click Submit.
  - Select .
- Target or CLI
  - Set the HTTPSStrictValidation property to Yes in the following locations.
    - Windows operating system.
      - Edit the target registry and go to HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli\Remote Control\Target.
        Note: On a 64-bit system, all the 32-bit registry keys are under the WOW6432Node key. For example, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IBM\Tivoli\Remote Control\Target
    - Linux operating system.
      - Edit the /etc/ibmtrct.conf file.
  - Restart the target service.
- Broker component
  - Edit the trc_broker.properties file.
  - Set HTTPSStrictValidation to Yes.
  - Save the file and restart the broker service.
Results
After configuration, the components use the system truststore to verify HTTPS connections to the server. If the server certificate is issued by a certificate authority (CA) trusted by your operating system, the components work automatically. If the CA that is used by the server is not trusted by the operating system, it can be added by using the standard operating system certificate management methods.
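To confirm that the target and broker settings described above are actually in effect, the following added example (not part of the product or its documentation) audits configuration file contents for the HTTPSStrictValidation property. It assumes the files use key=value lines with `#` or `;` starting a comment, and it treats only the exact value Yes as enabled; the function names and sample contents are constructed for illustration.

```python
import sys

PROPERTY = "HTTPSStrictValidation"  # property name given on the page

def strict_validation_state(text):
    """Classify one config file's text: enabled, not-enabled, missing, conflicting.

    Assumes key=value lines with '#' or ';' starting a comment (an assumption
    about the file format). Only the exact value 'Yes' counts as enabled.
    """
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # a blank or commented-out line never enables the setting
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            values.append(value.strip())
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflicting"  # which duplicate wins is unknown, so flag it
    return "enabled" if values[0] == "Yes" else "not-enabled"

def audit(files):
    """Map {label: file text} to the labels whose state is not 'enabled'."""
    states = {label: strict_validation_state(text) for label, text in files.items()}
    return {label: s for label, s in states.items() if s != "enabled"}

# Constructed sample contents, not taken from a real installation.
SAMPLES = {
    "target-ok": "ExampleOtherSetting = 1\nHTTPSStrictValidation = Yes\n",
    "target-commented": "# HTTPSStrictValidation = Yes\n",
    "broker-off": "HTTPSStrictValidation=No\n",
    "broker-dup": "HTTPSStrictValidation=Yes\nHTTPSStrictValidation=No\n",
}

if __name__ == "__main__":
    # Pass real paths (for example /etc/ibmtrct.conf) as arguments; else use samples.
    files = SAMPLES
    if sys.argv[1:]:
        files = {}
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    findings = audit(files)
    for label, state in findings.items():
        print(f"{label}: {PROPERTY} is {state}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any file is not in the enabled state, so it can gate a deployment or compliance check.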