I’m a bit lost in the different “signing operations” that happen during install and regular use of the product.
Is it correct to say that the public keys of all operators are distributed to all endpoints so that the endpoints can decrypt whatever they receive (which was encrypted using the operator’s private key)?
But then I still don’t understand why a password is needed for, e.g., deploying an action. What’s the relationship between the public/private key and the password?
When you install BigFix (Tivoli Endpoint Manager) a certificate authority is created just for your installation. The masthead document – distributed to each endpoint – contains the public key of the CA. When users sign an action, their digital signature is validated on the endpoint using that CA certificate chain.
When a user creates an action and they are prompted for a password, they are actually decrypting a private key; that private key is then used to sign the action.
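To make the model in the answer above concrete, here is an added Go example that is not BigFix/TEM code and does not reproduce its file formats: it builds a per-installation CA, issues an operator certificate from it, locks the operator's private key under a password, and then plays the endpoint side, which knows only the CA certificate (the "masthead" in the answer) and checks that an action's signature chains back to it. The password-protection scheme (PBKDF2-HMAC-SHA256 plus AES-256-GCM), the use of ECDSA P-256, and all names here are my own choices for illustration, not anything the product is documented to use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pbkdf2SHA256 derives one 32-byte block from a password (RFC 8018 PBKDF2 with HMAC-SHA256).
// Hand-written here only to stay within the standard library; illustrative, not the product's KDF.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// newCert issues a certificate for pub, signed by signer under parent (self-signed when parent is nil).
func newCert(name string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// lockKey is the "password protects the private key" step: returns salt || nonce || ciphertext.
func lockKey(key *ecdsa.PrivateKey, password string) []byte {
	der, _ := x509.MarshalECPrivateKey(key)
	salt := make([]byte, 16)
	rand.Read(salt)
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, 100000))
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return append(salt, gcm.Seal(nonce, nonce, der, nil)...)
}

// unlockKey reverses lockKey; a wrong password fails the GCM tag check rather than yielding garbage.
func unlockKey(blob []byte, password string) (*ecdsa.PrivateKey, error) {
	salt, rest := blob[:16], blob[16:]
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, 100000))
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	der, err := gcm.Open(nil, rest[:n], rest[n:], nil)
	if err != nil {
		return nil, errors.New("wrong password or corrupted key file")
	}
	return x509.ParseECPrivateKey(der)
}

// signAction is the console side: the password unlocks the operator key, which signs the action.
func signAction(lockedKey []byte, password string, action []byte) ([]byte, error) {
	key, err := unlockKey(lockedKey, password)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(action)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyAction is the endpoint side: it trusts only the CA certificate it was given at install time,
// so the operator certificate must chain to that CA before the signature is even checked.
func verifyAction(caCert, operatorCert *x509.Certificate, action, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := operatorCert.Verify(opts); err != nil {
		return fmt.Errorf("operator certificate not issued by our CA: %w", err)
	}
	pub, ok := operatorCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(action)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match action")
	}
	return nil
}

// Installation models what one install creates: its own CA, an operator certificate issued by it,
// and that operator's password-locked private key. (Constructed sample, not a real deployment.)
type Installation struct {
	CACert, OperatorCert *x509.Certificate
	LockedOperatorKey    []byte
}

func NewInstallation(password string) *Installation {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert := newCert("Installation CA", true, &caKey.PublicKey, nil, caKey)
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	opCert := newCert("operator", false, &opKey.PublicKey, caCert, caKey)
	return &Installation{caCert, opCert, lockKey(opKey, password)}
}

func main() {
	inst := NewInstallation("correct horse")
	action := []byte("restart service on all endpoints") // constructed sample action
	sig, err := signAction(inst.LockedOperatorKey, "correct horse", action)
	fmt.Println("sign:", err)
	fmt.Println("verify:", verifyAction(inst.CACert, inst.OperatorCert, action, sig))
	fmt.Println("tampered:", verifyAction(inst.CACert, inst.OperatorCert, []byte("other"), sig))
	_, err = signAction(inst.LockedOperatorKey, "wrong password", action)
	fmt.Println("wrong password:", err)
	other := NewInstallation("pw") // a second, unrelated installation with its own CA
	fmt.Println("foreign CA:", verifyAction(inst.CACert, other.OperatorCert, action, sig))
}
```

The three negative cases in `main` are the ones that matter operationally: a modified action fails the signature check, a wrong password never yields a usable key, and an operator certificate from another installation's CA is rejected before its signature is even examined, which is why the endpoint only ever needs the CA's public key rather than every operator's.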
I was asked about the possibility of leveraging a (our proposed) local CA with the TEM CA… Is this possible? How would this work, if possible? Advantages… disadvantages…?
The BigFix / TEM certificate infrastructure is not meant to be used as a generic PKI. There is no facility to integrate other PKI systems into TEM nor can you expose the TEM CA to be used by other systems.
Basically, we happen to use certificates as the basis for security… the “infrastructure” is meant for internal TEM use only.