Secure communication configuration

You can use the following properties in trc.properties to control how secure communications are enforced.
secure.url= 
Modifiable field: secure.url
Field Description: Determines the base URL that is used to redirect requests when secure communications are required.
Possible Values: User-defined - for example HTTPS://X.X.X.X/trc, where X.X.X.X is the IP address of your BigFix® Remote Control server.
Note: This separate URL property is required because the HTTP and HTTPS URLs might use different ports, so replacing HTTP with HTTPS in the base URL does not work.
Value Definition: User-defined. URL and context root of the application when you are using secure connections.
enforce.secure.web.access= 
Modifiable field: enforce.secure.web.access
Field Description: An HTTP request that is not a call home, upload, or validation request is redirected to the secure URL. The value that is set in the secure.url property is used as a base.
Possible Values: True or False
Value Definition:
  True: The HTTP request is redirected to the secure URL. This value is the default value.
  False: The HTTP request is not redirected to the secure URL.
Note: When you change the value of this property, you must restart the BigFix® Remote Control server service for the new value to take effect.
enforce.secure.endpoint.callhome= 
Modifiable field: enforce.secure.endpoint.callhome
Field Description: Determines the URL that a target uses to contact the BigFix® Remote Control server.
Possible Values: True or False
Value Definition:
  True: If a call home is received by using HTTP, the request is redirected to the secure URL. The secure URL is also returned in the response from the server. Targets are forced to use the secure URL when they send heartbeats to the BigFix® Remote Control server. This value is the default value.
  False: Targets are not forced to use the secure URL when they send heartbeats to the BigFix® Remote Control server.
Note: From BigFix® Remote Control V9.1.3, HTTPS secure communication is enforced by setting the url property in the trc.properties file to HTTPS when Force targets to use https is selected during installation. To ensure HTTP target communication, confirm that the url property is set to the HTTP URL in the trc.properties file. If the url property is set to HTTPS, the targets use HTTPS after they first contact the server.
Note: When you change the value of this property, you must restart the BigFix® Remote Control server service for the new value to take effect.
enforce.secure.endpoint.upload= 
Modifiable field: enforce.secure.endpoint.upload
Field Description: Determines whether the controller or target uses the secure URL to upload the recordings and audit information to the server.
Possible Values: True or False
Value Definition:
  True: If an upload or a validation request is received by using HTTP, the server redirects the request to an equivalent URL. The equivalent URL is built with the value that is defined in secure.url as a base. It also uses the value of secure.url as a base to provide the upload and validation URLs to the controller and target when the session starts. This value is the default value.
  False: The server does not redirect to the secure URL if an upload or a validation request is received by using HTTP.
Note: From BigFix® Remote Control V9.1.3, HTTPS secure communication is enforced by setting the url property in the trc.properties file to HTTPS when Force targets to use https is selected during installation. To ensure HTTP target communication, confirm that the url property is set to the HTTP URL in the trc.properties file. If the url property is set to HTTPS, the targets use HTTPS after they first contact the server.
Note: When you change the value of this property, you must restart the BigFix® Remote Control server service for the new value to take effect.
The following examples consider scenarios that reflect different security requirements that you might have about communications with the BigFix® Remote Control Server:
  • Example 1: All endpoint and user communications with the server must be encrypted with SSL.
    Configuration
    • Set secure.url in the trc.properties file to contain the HTTPS URL.
    • Set the three enforce.secure properties to true by editing the trc.properties file.
    • The Target and CLI do not need to be explicitly configured to use the HTTPS URL, but doing so avoids the first redirection.

  • Example 2: All user communications with the server must be encrypted with SSL. Endpoint communications that are not call homes must be encrypted, for example audit and recording uploads or validating session requests.
    Configuration
    • Configure the HTTP URL to be used by the call homes in the url property in the trc.properties file.
    • Configure the HTTPS URL to be used by the users, endpoint uploads, and the API in the secure.url property.
    • enforce.secure.web.access = true.
    • enforce.secure.endpoint.callhome = false.
    • enforce.secure.endpoint.upload = true.
    • Target and CLI tools are configured with the HTTP URL.

  • Example 3: All user communications with the server must be encrypted with SSL. Endpoint communications do not need to be encrypted.
    Configuration
    • Configure the HTTP URL to be used by the endpoint call homes and uploads in the url property in the trc.properties file.
    • Configure the HTTPS URL to be used by the users and the API in the secure.url property.
    • enforce.secure.web.access = true.
    • enforce.secure.endpoint.callhome = false.
    • enforce.secure.endpoint.upload = false.
    • Target and CLI tools are configured with the HTTP URL.
  • Example 4: No need for enforcement other than through the regular configuration options (url property and ServerURL).
    Configuration
    • url = http://localhost/trc.
    • secure.url = https://localhost/trc.
    • enforce.secure.web.access = false.
    • enforce.secure.endpoint.callhome = false.
    • enforce.secure.endpoint.upload = false.
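
The following script is an added example, not part of the product or its documentation. It audits the text of a trc.properties file against the properties described on this page and reports which traffic classes can still use HTTP. The function names, the simplified key=value parser, and the sample host name are assumptions made for illustration.

```python
# Added example: audit trc.properties text; names and sample data are constructed.
ENFORCE = {
    "enforce.secure.web.access": "user web access",
    "enforce.secure.endpoint.callhome": "target call homes / heartbeats",
    "enforce.secure.endpoint.upload": "recording and audit uploads, validation",
}

def parse_properties(text):
    """Minimal key=value parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (properties that allow HTTP, findings) for parsed properties."""
    findings, http_allowed, enforced = [], [], []
    secure_url = props.get("secure.url", "")
    for key, label in ENFORCE.items():
        # The page documents True as the default for all three properties.
        if props.get(key, "true").lower() == "true":
            enforced.append(key)
        else:
            http_allowed.append(key)
            findings.append(f"{key}=false: {label} may use HTTP")
    # Redirects are built from secure.url, so it must be HTTPS when enforcing.
    if enforced and not secure_url.lower().startswith("https://"):
        findings.append("secure.url is not an HTTPS URL but redirects are enforced")
    url_is_http = props.get("url", "").lower().startswith("http://")
    if url_is_http and "enforce.secure.endpoint.callhome" in enforced:
        findings.append("url is HTTP: first target contact is redirected to secure.url")
    return http_allowed, findings

# Constructed sample matching Example 2 on this page.
SAMPLE = """\
# trc.properties (constructed sample)
url=http://rc.example.test/trc
secure.url=https://rc.example.test/trc
enforce.secure.web.access=true
enforce.secure.endpoint.callhome=false
enforce.secure.endpoint.upload=true
"""

if __name__ == "__main__":
    allowed, notes = audit(parse_properties(SAMPLE))
    print("HTTP allowed for:", allowed, *notes, sep="\n - ")
```

A property that is missing from the file is treated as true, because that is the documented default.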