Customizing HTTPS for Gathering

You can gather license updates and external sites by using the HTTP or HTTPS protocol on a BigFix server or in an airgapped environment.

Starting from Version 9.5.11, HTTPS is the default protocol.

When enabling HTTPS, you can create a bundle of the certificates that you want to trust, or download one from the curl website. The curl website offers a prebuilt bundle that contains the same certificates that ship with Mozilla.

During gathering, the BigFix server verifies the site's certificate chain against the certificates you provided; only chains that terminate in one of those trusted certificates are accepted.

Managing HTTPS

To gather the external sites by using the HTTPS protocol, complete the following steps:

On the BigFix Server:

Set the client property _BESGather_Use_Https to 0, 1 or 2.

When setting the property to 0, the server uses the protocol defined in the URL.

When setting the property to 1, the server tries to gather all sites using the HTTPS protocol only.

When setting the property to 2, the server first tries to gather all sites using the HTTPS protocol. If the server fails to gather a site using HTTPS, it tries again using the HTTP protocol. The fallback from HTTPS to HTTP applies only to sites whose URL starts with http://; a site whose URL starts with https:// is never downgraded.

The default value for this setting is 2.

In the airgapped environment:

Launch the Airgap command as follows:

Airgap

The server first tries to gather all sites using the HTTPS protocol. In case of failure, the server gathers the sites using the HTTP protocol. This fallback applies only to sites whose URL is hard-coded with http://. This is the default behavior.

Airgap -usehttps

The server tries to gather all sites using the HTTPS protocol only.

Airgap -no-usehttps

The server uses the protocol defined in the URL.
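The three values of _BESGather_Use_Https and the three Airgap invocations above describe the same policy, and the one detail that matters for a security review is when a cleartext HTTP attempt can still happen. The following added example (not BigFix code; the function names, the flag-to-value mapping table and the site URLs are this example's own) models that documented policy so an administrator can predict, for a given site URL and setting, the exact sequence of URLs the server will try and whether any of them is cleartext.

```python
"""Model the documented _BESGather_Use_Https / Airgap gather policy.

Added example, not BigFix's own code. It returns, for a site URL and a
setting value, the ordered list of URLs the server will attempt, honouring
the rule that the HTTPS-to-HTTP fallback applies only to http:// URLs.
"""
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Airgap command-line form -> equivalent _BESGather_Use_Https value.
# (Mapping taken from the documented behaviour of each invocation.)
AIRGAP_FLAG_TO_MODE = {
    None: 2,            # plain "Airgap": HTTPS first, HTTP fallback for http:// URLs
    "-usehttps": 1,     # HTTPS only
    "-no-usehttps": 0,  # use the protocol written in the URL
}


def _with_scheme(url: str, scheme: str) -> str:
    """Return `url` rewritten with the given scheme, everything else unchanged."""
    parts = urlsplit(url)
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def gather_attempts(url: str, mode: int) -> List[str]:
    """Ordered URLs the server tries for `url` under _BESGather_Use_Https=`mode`."""
    if mode not in (0, 1, 2):
        raise ValueError("_BESGather_Use_Https must be 0, 1 or 2")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in site URL: {url}")
    if mode == 0:
        return [url]                      # protocol exactly as written in the URL
    https_url = _with_scheme(url, "https")
    if mode == 1:
        return [https_url]                # HTTPS only, no fallback
    attempts = [https_url]                # mode 2: HTTPS first ...
    if scheme == "http":
        attempts.append(url)              # ... cleartext retry only for http:// URLs
    return attempts


def allows_cleartext_fallback(url: str, mode: int) -> bool:
    """True if any attempted URL for this site would be plain HTTP."""
    return any(u.startswith("http://") for u in gather_attempts(url, mode))


def airgap_attempts(url: str, flag: Optional[str] = None) -> List[str]:
    """Same policy expressed through the Airgap flags (None = plain `Airgap`)."""
    return gather_attempts(url, AIRGAP_FLAG_TO_MODE[flag])


if __name__ == "__main__":
    # Constructed site URLs for illustration, not real BigFix gather URLs.
    for site in ("http://sites.example/bfgather/site-a",
                 "https://sites.example/bfgather/site-b"):
        for mode in (0, 1, 2):
            print(mode, site, "->", gather_attempts(site, mode),
                  "cleartext possible:", allows_cleartext_fallback(site, mode))
```

The practical use is an audit of the site list: with the default value 2, every site whose masthead URL is still http:// remains reachable over cleartext if the HTTPS attempt fails, so a site list with only https:// URLs, or the value 1, is what actually guarantees no cleartext gather.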

Validating HTTPS certificates

By default the HTTPS certificates used for enabling the HTTPS connection are validated by using the certificate bundle included in the BigFix server installation.

The Windows default path is:
C:\Program Files (x86)\BigFix Enterprise\BES Server\Reference\ca-bundle.crt
The Linux default path is:
/opt/BESServer/Reference/ca-bundle.crt

To validate the HTTPS certificates with a custom bundle of trusted certificates before the HTTPS gathering, complete the following steps:

  1. Create or download a set of trusted certificates (for example, http://curl.haxx.se/ca/cacert.pem). The certificates that the bundle must contain are:
    • "VeriSign Universal Root Certification Authority" (to gather sites)
    • "thawte Primary Root CA - G3" (to check license updates)
  2. On the Server:

    Set the client property _BESGather_Use_Https to 1 or 2 to use the HTTPS protocol, and set the _BESGather_CACert property to the path of the downloaded set of trusted certificates (for example, c:\TEM\certificates\custom-ca-bundle.crt on Windows systems and /TEM/certificates/custom-ca-bundle.crt on Linux systems).

    In the airgapped environment:

    Launch the Airgap tool with the option -cacert <path>:
    Airgap -cacert <path>
    where <path> is the path of the saved set of trusted certificates.
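Before pointing _BESGather_CACert (or Airgap -cacert) at a custom bundle, it is worth confirming that the file you saved is a well-formed PEM bundle and still contains the roots you expect, since a truncated or corrupted download makes every HTTPS gather fail verification rather than fall back silently. The following added example (not BigFix code; the function names, the sample bundle and the placeholder fingerprint are this example's own) splits a PEM bundle into its certificate blocks, rejects blocks that do not decode to DER, computes each certificate's SHA-256 fingerprint, and reports which pinned fingerprints are missing.

```python
"""Sanity-check a custom CA bundle before configuring _BESGather_CACert.

Added example, not BigFix's own code. The bundle content below is constructed
for illustration; in practice read the cacert.pem (or your own bundle) from
the path you intend to configure and pin the fingerprints of the roots you
require, such as the two named in the procedure above.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Set

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> List[str]:
    """Return the base64 body of every CERTIFICATE block in the bundle."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def fingerprint_bundle(text: str) -> Dict[str, List]:
    """Decode each block to DER and fingerprint it.

    Returns {"fingerprints": [hex SHA-256 ...], "malformed": [block numbers]}.
    A block is malformed if it is not valid base64 or does not start with the
    ASN.1 SEQUENCE tag (0x30) that every DER certificate begins with.
    """
    fps: List[str] = []
    bad: List[int] = []
    for idx, body in enumerate(split_pem_bundle(text), start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            bad.append(idx)
            continue
        if not der or der[0] != 0x30:
            bad.append(idx)
            continue
        fps.append(hashlib.sha256(der).hexdigest().upper())
    return {"fingerprints": fps, "malformed": bad}


def missing_pins(text: str, expected: Set[str]) -> Set[str]:
    """Pinned fingerprints that are required but absent from the bundle."""
    present = set(fingerprint_bundle(text)["fingerprints"])
    return set(expected) - present


# Constructed sample: two tiny DER-looking bodies (a real bundle holds real
# X.509 certificates) plus one block whose body is corrupted.
_GOOD_1 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
_GOOD_2 = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()
SAMPLE_BUNDLE = f"""# constructed bundle for illustration
-----BEGIN CERTIFICATE-----
{_GOOD_1}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{_GOOD_2}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not*valid*base64
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    report = fingerprint_bundle(SAMPLE_BUNDLE)
    print("certificates:", len(report["fingerprints"]),
          "malformed blocks:", report["malformed"])
    # Placeholder pin: replace with the fingerprints of the roots you require.
    print("missing pins:", missing_pins(SAMPLE_BUNDLE, {"PLACEHOLDER_FINGERPRINT"}))
```

Run this against the saved bundle on the server (or on the machine where you run Airgap) and refuse to set _BESGather_CACert while `malformed` is non-empty or any required pin is missing; the fingerprints also give you a stable record of exactly which roots the gather process trusts.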