Customizing HTTPS for Gathering
You can gather license updates and external sites by using the HTTP or HTTPS protocol on a BigFix server or in an airgapped environment.
Starting from Version 9.5.11, HTTPS is the default protocol.
When enabling HTTPS, you can create, or download from the curl website, a package of certificates that you want to trust. The curl website offers a prebuilt package that contains the same certificates that are included with Mozilla.
The BigFix server performs certificate verification during gathering, trusting only the certificates in the package you provided.
Managing HTTPS
To gather the external sites by using the HTTPS protocol, complete the following steps.
On the BigFix Server:
Set the client property _BESGather_Use_Https to 0, 1 or 2.
- When setting the property to 0, the server uses the protocol defined in the URL.
- When setting the property to 1, the server tries to gather all sites using the HTTPS protocol only.
- When setting the property to 2, the server first tries to gather all sites using the HTTPS protocol. If the server fails to gather a site using HTTPS, it tries again using the HTTP protocol. The fallback from HTTPS to HTTP only applies to sites whose URLs start with http://.
The default value for this setting is 2.
In the airgapped environment:
Launch the Airgap command as follows:
- Airgap
  The server first tries to gather all sites using the HTTPS protocol. If that fails, the server gathers the sites using the HTTP protocol. This fallback applies only if the URL is hard-coded with http://. This is the default behavior.
- Airgap -usehttps
  The server tries to gather all sites using the HTTPS protocol only.
- Airgap -no-usehttps
  The server uses the protocol defined in the URL.
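The three _BESGather_Use_Https values and the three Airgap options above follow one rule, and the part that is easy to miss is the fallback condition: with the default setting, an https:// site URL never falls back to HTTP, while an http:// site URL can still end up being gathered in clear text. The following Python script is an added example, not BigFix code; it models that rule so you can see, for a list of site URLs, which ones a given setting would still allow over plain HTTP. The site URLs in it are constructed samples, and the flag-to-setting mapping is taken from the descriptions on this page.

```python
# Added example (not BigFix code): models the protocol-selection rule this page
# describes for _BESGather_Use_Https and the equivalent Airgap command-line flags.
from urllib.parse import urlsplit, urlunsplit

# Setting values as documented on this page.
USE_URL_PROTOCOL = 0   # use the scheme in the site URL as-is
HTTPS_ONLY = 1         # always gather over HTTPS
HTTPS_THEN_HTTP = 2    # try HTTPS, fall back to HTTP for http:// URLs (default)

# Airgap options and the _BESGather_Use_Https value they correspond to.
AIRGAP_FLAG_SETTING = {
    None: HTTPS_THEN_HTTP,            # plain "Airgap" is the default behaviour
    "-usehttps": HTTPS_ONLY,
    "-no-usehttps": USE_URL_PROTOCOL,
}


def with_scheme(url, scheme):
    """Return the same URL with its scheme replaced."""
    parts = urlsplit(url)
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def gather_attempt_order(setting, url):
    """Return the URLs the server would try for one site, in order."""
    if setting not in (USE_URL_PROTOCOL, HTTPS_ONLY, HTTPS_THEN_HTTP):
        raise ValueError(f"_BESGather_Use_Https must be 0, 1 or 2, got {setting!r}")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported site URL scheme: {url}")
    if setting == USE_URL_PROTOCOL:
        return [url]
    https_url = with_scheme(url, "https")
    if setting == HTTPS_ONLY:
        return [https_url]
    # Setting 2: HTTPS first; the HTTP fallback exists only for sites whose
    # URL is hard-coded with http://. An https:// site never falls back.
    if scheme == "http":
        return [https_url, with_scheme(url, "http")]
    return [https_url]


def airgap_attempt_order(flag, url):
    """Same rule, expressed through the Airgap option (None = no option)."""
    if flag not in AIRGAP_FLAG_SETTING:
        raise ValueError(f"unknown Airgap option: {flag}")
    return gather_attempt_order(AIRGAP_FLAG_SETTING[flag], url)


def cleartext_exposure(setting, urls):
    """Sites that could still be gathered over plain HTTP under this setting."""
    return [u for u in urls
            if any(a.startswith("http://") for a in gather_attempt_order(setting, u))]


if __name__ == "__main__":
    # Constructed sample site URLs; not real BigFix site addresses.
    sites = ["http://sync.example.invalid/site1", "https://sync.example.invalid/site2"]
    for setting in (USE_URL_PROTOCOL, HTTPS_ONLY, HTTPS_THEN_HTTP):
        print(setting, [gather_attempt_order(setting, u) for u in sites])
    print("still reachable over HTTP with the default setting:",
          cleartext_exposure(HTTPS_THEN_HTTP, sites))
```

Running it with the default setting shows the http:// site listed under cleartext exposure and the https:// site not; with setting 1 (or Airgap -usehttps) the list is empty, which is the configuration to prefer once you have confirmed that every site is reachable over HTTPS.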
Validating HTTPS certificates
By default, the HTTPS certificates used for enabling the HTTPS connection are validated by using the certificate bundle included in the BigFix server installation:
- C:\Program Files (x86)\BigFix Enterprise\BES Server\Reference\ca-bundle.crt
- /opt/BESServer/Reference/ca-bundle.crt
To validate the HTTPS certificates with a custom bundle of trusted certificates before the HTTPS gathering, complete the following steps:
- Create or download a set of trusted certificates (for example,
http://curl.haxx.se/ca/cacert.pem). The certificates that you can use are:
- "VeriSign Universal Root Certification Authority" (to gather sites)
- "thawte Primary Root CA - G3" (to check license updates)
- On the Server: set the client property _BESGather_Use_Https to 1 or 2 to use the HTTPS protocol, and set the _BESGather_CACert keyword to the path of the downloaded set of trusted certificates (for example, c:\TEM\certificates\custom-ca-bundle.crt on Windows systems and /TEM/certificates/custom-ca-bundle.crt on Linux systems).
- In the airgapped environment: launch the Airgap tool with the option -cacert <path>:
  Airgap -cacert <path>
  where <path> is the path of the saved set of trusted certificates.
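A custom bundle that fails to parse is only noticed when gathering starts failing, so it is worth checking the file before pointing _BESGather_CACert or Airgap -cacert at it. The following Python script is an added example, not BigFix or curl code: it splits a bundle into its PEM certificate blocks and asks the Python ssl module (OpenSSL underneath) to load them, which is the same kind of parse the gather will have to perform. The sample bundle in it is a deliberately malformed, constructed input used only to show what a rejection looks like. Note also that the download link on this page is plain http://; curl publishes a SHA-256 checksum file alongside cacert.pem, so compare the downloaded bundle against it before installing the bundle on the server.

```python
# Added example (not BigFix code): sanity-check a custom trust bundle before
# configuring _BESGather_CACert or running Airgap -cacert <path>.
import re
import ssl

# One PEM certificate block; the body between the markers is base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S)


def split_pem_certificates(pem_text):
    """Return the PEM certificate blocks found in a bundle, in file order."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(pem_text)]


def check_ca_bundle(pem_text):
    """Return (pem_block_count, loadable, error_message) for a bundle's text.

    loadable is True only if OpenSSL accepted every block as an X.509
    certificate; any block with a bad body makes the whole bundle unusable.
    """
    certs = split_pem_certificates(pem_text)
    if not certs:
        return 0, False, "no PEM certificate blocks found"
    # A bare client context is used purely as a certificate parser here;
    # no connection is ever made with it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata="".join(certs))
    except (ssl.SSLError, ValueError) as exc:
        return len(certs), False, str(exc)
    return len(certs), True, ""


def check_ca_bundle_file(path):
    """Run check_ca_bundle on a file such as custom-ca-bundle.crt."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_ca_bundle(fh.read())


# Constructed, intentionally invalid bundle: the markers are right but the
# body decodes to bytes that are not a certificate, so loading must fail.
MALFORMED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAAA\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        count, ok, err = check_ca_bundle_file(sys.argv[1])   # e.g. custom-ca-bundle.crt
    else:
        count, ok, err = check_ca_bundle(MALFORMED_BUNDLE)
    print(f"certificates: {count}  loadable: {ok}  {err}")
```

Run it with the path of the bundle you intend to configure; a result of loadable False, or a certificate count lower than you expected, means the file should be fixed or re-downloaded before the server is switched to it.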