BigFix 10.0 Patch 9 is now available!

There have been some issues with patch 8, e.g. site issues, SCA import failures etc.
Are those issues fixed within Patch 9?
As my prod system is still on patch 7 I’m thinking about directly going to Patch 9 and skip 8.

I hadn’t heard about SCA import failures due to Patch 8, but for the other things, generally what changes in patch 9 makes them easier to resolve, but still read carefully the “Customizing HTTPS for downloads” link @adinia posted above.

The “Failed Downloads due to HTTPS Verification” is unfortunately an intended effect of hardening our HTTPS defaults to be more secure. If you are only downloading from public sites using publicly-trusted certificates, you should be able to upgrade to 10.0.9 without issue.

However, if you are using any self-signed or internally-issued certificates for downloads, there are some configurations you’ll need to make. In most deployments this includes Inventory Catalog downloads (where the Root Server downloads a catalog from your BFI server, and the BFI server is using the default self-signed certificates or one issued internally by your org); or you host your own downloads on an internal web server; or you use a Proxy that inspects & rewrites the TLS session with its own certificates. In those cases, you’ll need to update your server’s Certificate Trust Store to include trusts for your certificates (to maintain the more secure TLS authentication), or set _BESRelay_Download_UntrustedSites to 1 (to relax the new TLS authentication and behave like 10.0.7, ignoring the ‘untrusted certificate’ error and allowing the downloads to proceed).

Adding your certificates to the certificate trust store is more secure and is preferred; disabling the TLS authentication disables the verification for all sites, and is similar to clicking “Connect anyway” to a browser’s dialog about untrusted certificates. Traditionally this didn’t much matter in a BigFix context, where we automatically validate the downloads’ hash values and can be assured that the download file is what we expected, but the TLS authentication is much more important when we consider some dynamic download options.

1 Like

I found that in order for the BFI catalog download to work properly in 10.0.8, _BESRelay_Download_UntrustedSites had to be set to 1.

We use certificates issued by our internal PKI. Are you saying that there is another certificate that the BFI server uses for downloads?

No, I’m saying that the BES Root Server downloads the catalog from the BFI server… this version of the catalog contains both the default software detections along with any custom signatures you’ve added to Inventory. When the Root Server performs this download from the BFI server, it needs to either trust the certificate presented by the BFI server (by adding your internal PKI to the root server’s trusted certificate store), or ignore the untrusted certificate error (by setting _BESRelay_Download_UntrustedSites to ‘1’ as you did).

Ah, OK.

What I found was that none of the clients would start the catalog download until I set _BESRelay_Download_UntrustedSites to 1 on the root server.

Like I said earlier the certificates we use are issued by our internal PKI, the root & intermediates are trusted by all of the BigFix servers and the majority of the clients.

Should I be able to set it back to 0 once I’ve upgraded to 10.0.9?

You should be able to set it back to 0, but may still need to add your internal PKI to the BigFix certificate trust stores. BigFix does not use the operating system’s trust store; you’ll need to follow the instructions at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_customizing_HTTPS_downloads.html to add your PKI as .crt or .pem files to <StorageFolder>/TrustedDownloadCerts, or set _BESRelay_Download_CaCertDirectory and/or _BESClient_Download_CaCertDirectory to custom paths and add your .crt / .pem files there.

At first look, everything seems to be running fine, including downloads. Thanks to the team and @JasonWalker for the detailed explanation.

1 Like

Has this happened?


There’s this one, about issues in some of the open-source libraries we use (curl and OpenSSL) - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103724

I’m not sure whether to expect any additional articles, will await further response from @adinia

1 Like

Hi,
Is there any documentation around DB Schema changes between various BigFix Platform releases?
Maybe it will be a good idea to document the schema changes.

I have a customer who needs to know the specific DB schema changes between 10.0.7.52 and the latest 10.0.9.

regards

No, the database schemas are not publicly documented and are expected to change between releases.

I confirm, that is the one and only security bulletin for this release. Thx.

1 Like

A post was split to a new topic: 10.0.9 upgrade problem with database connection

I’m facing the same situation but I don’t want to totally disable the certs verification on my root server. I have exported the crt file for the BFI inventory server and placed it under the TrustedDownloadCerts folder, but the server is still not able to download content from the BFI server.
Is it enough to export the cert from a browser and place it under that directory, or do we need to do something else in order for the server to trust the site?

It Depends ™
There are several potential issues that come to mind.

  1. If Inventory is using the default self-signed certificate, I don’t think there’s any good option for trusting that certificate from the Root Server. The Inventory self-signed certificate is issued to the subject “HCL” which the Root server is not going to trust due to the certificate’s Subject not matching the expected hostname / IP address of the server. @ArturZ any way to have BFI regenerate the self-signed cert and assign a real hostname as the Subject or Subject Alternative Name?

  2. If Inventory is using a real certificate issued by your internal Certificate Authority, or a self-signed certificate you generate yourself, you’ll need to add the Issuer’s certificate (either your internal CA Root Certificate & intermediates, or the self-signed certificate itself) to the root server’s TrustedDownloadCerts folder.

  3. You’ll also need to ensure that the “Catalog Download” task/action that is issued by the Inventory server configures the Download URL to use the server’s hostname. By default it issues the action referencing the catalogs as ‘http://IP_ADDRESS:PORT’ of the Inventory server. Using the instructions at Configuring servers in separate networks, you’ll need to create or update the server.env file at install_dir\wlp\usr\servers\server1 and add the entry

    SERVER_URL_CATALOG=https://hostname.domainname:port

…where the hostname.domainname matches the fully-qualified hostname of your Inventory server, the name must be resolvable from the Root Server, and needs to match the Subject or Subject Alternative Name entries for the certificate you issued to the Inventory server.

(If this is the problem, the “Catalog Download” actions will have prefetch statements referencing the IP address of your Inventory server rather than its hostname)

I’m trying to keep up to date KB0102706: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102706

In BFI and SCA you can regenerate the self-signed certificate with a set Common Name, using the real hostname. This addresses the need for the certificate to be successfully validated once the client has it added to the client-side trust store.

When regenerating the certificate it is worth remembering that the BFI/SCA UI provides only a subset of the capabilities, and in the end it is WebSphere Liberty configuration (updating the key store pointed to by id=‘defaultKeyStore’ in server.xml).

If a certificate with multiple DNS Names is needed, it has to be made fully manually, using e.g. https://www.ibm.com/docs/en/was-liberty/core?topic=applications-securityutility-command with the --extInfo flag,
or openssl.

1 Like
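The two replies above (Jason’s three points and ArturZ’s note on regenerating the certificate) describe two separate conditions a BFI certificate has to satisfy before the root server will download the catalog over HTTPS: the certificate must chain to something in the trust directory, and its Common Name or Subject Alternative Name must match the host named in the download URL. The script below is an added example, not BigFix or BFI code, that re-creates both checks offline with openssl so you can see which one a given certificate fails. It assumes openssl 1.1.1 or later is in PATH; the host name bfi.example.internal, the IP 10.0.0.5, the work directory and the generated certificates are constructed for the demo, and `TRUST_DIR` merely stands in for `<StorageFolder>/TrustedDownloadCerts`.

```shell
#!/bin/sh
# Added example, not BigFix or BFI code: an offline re-creation of the two
# checks behind the "untrusted certificate" download failure discussed above:
#   (a) does the certificate chain to something in the trust directory, and
#   (b) does its Subject CN / SAN match the host named in the download URL.
# Assumes openssl (1.1.1 or later) is in PATH. Host names, paths and the
# certificates generated here are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/bfi-cert-demo.$$"
# Stand-in for <StorageFolder>/TrustedDownloadCerts on the root server.
TRUST_DIR="$WORK/TrustedDownloadCerts"
mkdir -p "$TRUST_DIR"

# Self-signed certificate whose Subject is only "HCL", shaped like the
# default BFI certificate described in point 1 above.
make_default_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=HCL" \
    -keyout "$WORK/default.key" -out "$WORK/default.crt" >/dev/null 2>&1
}

# Regenerated self-signed certificate: FQDN as Common Name plus SAN
# entries, which is what the openssl route in the reply above produces.
make_fqdn_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=bfi.example.internal" \
    -addext "subjectAltName=DNS:bfi.example.internal,DNS:bfi" \
    -keyout "$WORK/fqdn.key" -out "$WORK/fqdn.crt" >/dev/null 2>&1
}

# Copy a .crt/.pem into the trust directory (the "add the issuer's
# certificate to TrustedDownloadCerts" step from point 2).
install_trusted_cert() {
  cp "$1" "$TRUST_DIR/"
}

# Check (a): verify CERT against every .crt/.pem in TRUST_DIR.
# A self-signed cert verifies only if that same cert is in the directory.
cert_trusted() {
  find "$TRUST_DIR" -type f \( -name '*.crt' -o -name '*.pem' \) \
    -exec cat {} + > "$WORK/bundle.pem"
  [ -s "$WORK/bundle.pem" ] || return 1   # empty trust store: nothing is trusted
  openssl verify -CAfile "$WORK/bundle.pem" "$1" >/dev/null 2>&1
}

# Check (b): does HOST match the certificate's CN/SAN? An IP address from a
# prefetch URL will not match a certificate issued to a DNS name (point 3).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Combined decision. UNTRUSTED=1 stands in for
# _BESRelay_Download_UntrustedSites=1: every certificate is accepted.
download_allowed() {
  cert="$1"; host="$2"; untrusted="${3:-0}"
  [ "$untrusted" = "1" ] && return 0
  cert_trusted "$cert" && cert_matches_host "$cert" "$host"
}

# Stand-alone walk-through of the scenarios from the thread.
run_demo() {
  make_default_cert
  make_fqdn_cert
  install_trusted_cert "$WORK/default.crt"
  if download_allowed "$WORK/default.crt" bfi.example.internal; then
    echo "default cert: allowed"
  else
    echo "default cert: rejected (trusted, but Subject is HCL, not the hostname)"
  fi
  install_trusted_cert "$WORK/fqdn.crt"
  if download_allowed "$WORK/fqdn.crt" bfi.example.internal; then
    echo "FQDN cert in TrustedDownloadCerts: allowed"
  fi
  if ! download_allowed "$WORK/fqdn.crt" 10.0.0.5; then
    echo "FQDN cert reached by IP URL: rejected (point SERVER_URL_CATALOG at the hostname)"
  fi
}

if command -v openssl >/dev/null 2>&1; then
  run_demo
else
  echo "openssl not found; demo skipped" >&2
fi
```

Running it prints which of the three situations each certificate lands in. The split into `cert_trusted` and `cert_matches_host` is deliberate: a certificate that is in the trust directory but still fails is almost always a hostname problem (the default “HCL” subject, or an IP address in the prefetch URL), and that is worth distinguishing before reaching for `_BESRelay_Download_UntrustedSites=1`, which skips both checks for every site.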

Thanks Jason,

Our case is that we are using the self-signed certificate generated by the BFI installation.
Due to a mismatch in the certificate’s subject, it can’t be trusted by the tool.
I’m going to review the KB provided by @ArturZ and report back my results.

I have re-created the self-signed certificate to use the FQDN as its common name. After restarting the BFI service and placing the new cert under the TrustedDownloadCerts folder of the BigFix Server, the downloads completed without any errors.
Since this is our lab environment we don’t intend to create a CA-signed certificate, but in our production environment that is already done and it shouldn’t be a problem once we upgrade our environment there.

1 Like

3 posts were split to a new topic: Custom CACerts with 10.0.9
