The BigFix Team is pleased to announce the release of version 10 Patch 9 (10.0.9.21) of BigFix Platform. The main features in this release are as follows:
CORE PLATFORM
Improved certificate management for HTTPS downloads
This release introduces more flexible management of the CA bundles used for HTTPS downloads. For details, see Customizing HTTPS for downloads and Download
CLOUD
MongoDB dependency removal from Plugin Portal
BigFix Platform 10.0 Patch 9 helps to reduce the total cost of ownership of a BigFix deployment by removing the Plugin Portal's dependency on MongoDB for cloud-related scenarios. The Plugin Portal can now be installed or upgraded without MongoDB. When an existing Plugin Portal is upgraded, reports stored in MongoDB are automatically migrated to the SQLite database tables. For details, see The Plugin Portal.
Note that the BigFix Modern Client Management / Mobile V2.1 application still requires MongoDB; if you are using this application, you cannot uninstall MongoDB after upgrading the Plugin Portal to version 10.0.9. The same applies if you are using the MongoDB instance for any non-BigFix-related purpose.
Support for AWS IMDSv2
The BigFix Agent is now able to retrieve properties from Amazon Web Services (AWS) instances that are configured to use the AWS IMDSv2 protocol. This lets you further harden AWS instances by restricting IMDS usage to v2 only (IMDSv1 disabled) without any side effect on the BigFix deployment. For more details, see Correlated Devices.
This release includes all the BigFix Platform components. It also includes the Plugin Portal that enables the Multicloud and Modern Client Management capabilities.
The unixODBC RPM package is a prerequisite for the Server components on Linux systems (see Server Requirements). This applies to version 10.0.2 and later.
For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 10, see Detailed System Requirements.
Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as Web Reports, WebUI, BigFix Inventory, or BigFix Compliance).
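The IMDSv2 support announced above matters because an instance with IMDSv1 disabled refuses the plain GET that older metadata clients send; a property can only be read after a session token is obtained with a PUT. The following is an added example, not BigFix or AWS code: a local stand-in for the metadata service that enforces IMDSv2 only (the address, port and instance ID are constructed, not the real 169.254.169.254 endpoint), together with the token exchange a client must perform.

```python
# Added example: mock IMDS with IMDSv1 disabled, plus the IMDSv2 client sequence.
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"  # real IMDSv2 header names
TOKEN_HDR = "X-aws-ec2-metadata-token"
PROPS = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed value
_tokens = {}  # issued token -> expiry (epoch seconds)

class IMDSv2Only(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):  # token request: PUT /latest/api/token with a TTL header
        ttl = int(self.headers.get(TOKEN_TTL_HDR, "0") or 0)
        if self.path != "/latest/api/token" or not 1 <= ttl <= 21600:
            return self._reply(400, "bad token request")
        token = secrets.token_urlsafe(32)
        _tokens[token] = time.time() + ttl
        self._reply(200, token)

    def do_GET(self):  # property read: valid session token required
        token = self.headers.get(TOKEN_HDR)
        if token is None or _tokens.get(token, 0) < time.time():
            return self._reply(401, "Unauthorized")  # this is what an IMDSv1-style GET sees
        if self.path not in PROPS:
            return self._reply(404, "not found")
        self._reply(200, PROPS[self.path])

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_mock():
    """Start the mock on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), IMDSv2Only)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def fetch_v2(base, path, ttl=60):
    """IMDSv2 exchange: PUT for a session token, then GET the property with it."""
    req = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HDR: str(ttl)})
    token = urllib.request.urlopen(req).read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    return urllib.request.urlopen(req).read().decode()

def fetch_v1(base, path):
    """Legacy IMDSv1 request (plain GET, no token); returns the HTTP status code."""
    try:
        return urllib.request.urlopen(base + path).status
    except urllib.error.HTTPError as e:
        return e.code
```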
There have been some issues with Patch 8, e.g. site issues, SCA import failures, etc.
Are those issues fixed within Patch 9?
As my prod system is still on patch 7 I’m thinking about directly going to Patch 9 and skip 8.
I hadn’t heard about SCA import failures due to Patch 8, but for the other things, generally what changed in Patch 9 makes them easier to resolve, but still read carefully the “Customizing HTTPS for downloads” link @adinia posted above.
The “Failed Downloads due to HTTPS Verification” is unfortunately an intended effect of hardening our HTTPS defaults to be more secure. If you are only downloading from public sites using publicly-trusted certificates, you should be able to upgrade to 10.0.9 without issue.
However, if you are using any self-signed or internally-issued certificates for downloads, there are some configurations you’ll need to make. In most deployments this includes Inventory Catalog downloads (where the Root Server downloads a catalog from your BFI server, and the BFI server is using the default self-signed certificates or one issued internally by your org); or you host your own downloads on an internal web server; or you use a Proxy that inspects & rewrites the TLS session with its own certificates. In those cases, you’ll need to update your server’s Certificate Trust Store to include trusts for your certificates (to maintain the more secure TLS authentication), or set _BESRelay_Download_UntrustedSites to 1 (to relax the new TLS authentication and behave like 10.0.7, ignoring the ‘untrusted certificate’ error and allowing the downloads to proceed).
Adding your certificates to the certificate trust store is more secure and is preferred; disabling the TLS authentication disables the verification for all sites, and is similar to clicking “Connect anyway” to a browser’s dialog about untrusted certificates. Traditionally this didn’t much matter in a BigFix context, where we automatically validate the downloads’ hash values and can be assured that the download file is what we expected, but the TLS authentication is much more important when we consider some dynamic download options.
No, I’m saying that the BES Root Server downloads the catalog from the BFI server… this version of the catalog contains both the default software detections along with any custom signatures you’ve added to Inventory. When the Root Server performs this download from the BFI server, it needs to either trust the certificate presented by the BFI server (by adding your internal PKI to the root server’s trusted certificate store), or ignore the untrusted certificate error (by setting _BESRelay_Download_UntrustedSites to ‘1’ as you did).
What I found was that none of the clients would start the catalog download until I set _BESRelay_Download_UntrustedSites to 1 on the root server.
Like I said earlier the certificates we use are issued by our internal PKI, the root & intermediates are trusted by all of the BigFix servers and the majority of the clients.
Should I be able to set it back to 0 once I’ve upgraded to 10.0.9?
You should be able to set it back to 0, but may still need to add your internal PKI to the BigFix certificate trust stores. BigFix does not use the operating system’s trust store; you’ll need to follow the instructions at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_customizing_HTTPS_downloads.html to add your PKI as .crt or .pem files to <StorageFolder>/TrustedDownloadCerts, or set _BESRelay_Download_CaCertDirectory and/or _BESClient_Download_CaCertDirectory to custom paths and add your .crt / .pem files there.
Hi,
Is there any documentation around DB Schema changes between various BigFix Platform releases?
Maybe it would be a good idea to document the schema changes.
I have a customer who needs to know the specific DB schema changes between 10.0.7.52 and the latest 10.0.9.