It Depends ™
There are several potential issues that come to mind.
If Inventory is using the default self-signed certificate, I don’t think there’s any good option for trusting that certificate from the Root Server. The Inventory self-signed certificate is issued to the subject “HCL” which the Root server is not going to trust due to the certificate’s Subject not matching the expected hostname / IP address of the server. @ArturZ any way to have BFI regenerate the self-signed cert and assign a real hostname as the Subject or Subject Alternative Name?
If Inventory is using a real certificate issued by your internal Certificate Authority, or a self-signed certificate you generate yourself, you’ll need to add the Issuer’s certificate (either your internal CA Root Certificate & intermediates, or the self-signed certificate itself) to the root server’s TrustedDownloadCerts folder.
You’ll also need to ensure that the “Catalog Download” task/action that is issued by the Inventory server configures the Download URL to use the server’s hostname. By default it issues the action referencing the catalogs as ‘http://IP_ADDRESS:PORT’ of the Inventory server. Using the instructions at https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/planinconf/t_nat_networks.html you’ll need to create or update the server.env file at install_dir\wlp\usr\servers\server1 and add the entry
…where the hostname.domainname matches the fully-qualified hostname of your Inventory server, the name must be resolvable from the Root Server, and needs to match the Subject or Subject Alternative Name entries for the certificate you issued to the Inventory server.
(If this is the problem, the “Catalog Download” actions will have prefetch statements referencing the IP address of your Inventory server rather than its hostname)
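A check for the symptom in the last paragraph, as an added example that is not part of the original post or of BigFix itself: it reads the prefetch lines of an action script and flags URLs that use an IP address or a name the Inventory certificate does not cover. The sample action text, the host names, the address, and the assumption that the certificate carries only DNS names are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")

# Constructed sample: 192.0.2.10 and bfi.example.com are placeholder values,
# and the sha1/size fields are dummies, not real catalog data.
SAMPLE_ACTION = """\
prefetch a.zip sha1:0000 size:10 http://192.0.2.10:9081/catalog/a.zip
prefetch b.zip sha1:0000 size:10 https://bfi.example.com:9081/catalog/b.zip
prefetch c.zip sha1:0000 size:10 https://bfi:9081/catalog/c.zip
"""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def san_matches(host, dns_names):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in dns_names):
        if name == host:
            return True
        if name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]:
            return True
    return False

def audit_prefetches(action_script, cert_dns_names):
    """Return (host, status) for each prefetch line that carries a URL."""
    findings = []
    for line in action_script.splitlines():
        match = URL_RE.search(line)
        if not line.strip().lower().startswith("prefetch ") or not match:
            continue
        host = urlsplit(match.group(0)).hostname or ""
        if is_ip_literal(host):
            status = "ip-literal"      # the symptom described in the post
        elif san_matches(host, cert_dns_names):
            status = "ok"
        else:
            status = "name-mismatch"   # name not covered by the certificate
        findings.append((host, status))
    return findings

if __name__ == "__main__":
    for host, status in audit_prefetches(SAMPLE_ACTION, ["bfi.example.com"]):
        print(f"{status:14} {host}")
```

Pass the DNS names from the Subject Alternative Name of the certificate actually issued to the Inventory server as the second argument.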