BigFix Inventory Catalog Update

ncpeteusa 2023-05-11 12:02:45 UTC #1

Hello
We are running BFI version 10.0.11.0-20221209-2054 ran the fixlet to update the catalog on the BigFix Inventory server for 10.0.2.1 and this worked fine. However the automated catalog deployment BFI created is showing download catalog errors. Surprised by this as the action I ran on the BFI server worked fine. We are airgapped so where do I manually download the various catalog xml files from?

JasonWalker 2023-05-11 12:33:58 UTC #2

Are the errors TLS or certificate-related? Did you recently upgrade the platform to 10.0.8 or higher?

If that’s the case, BigFix 10.0.8 and later have stricter certificate trust configurations by default, and you’ll either need to add your Inventory certificate to your root server’s trust store, or disable the stricter certificate validation. If that’s the case I can point you to the relevant docs

ncpeteusa 2023-05-11 13:16:53 UTC #3

The platform is at version 10.0.8 and has been since December. Adding the Inventory certificate to the main application’s trust store is something I haven’t done. Please send the related links

JasonWalker 2023-05-11 13:54:48 UTC #4

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_customizing_HTTPS_downloads.html

At 10.0.8, you can either disable the stricter validation, or creat a custom ca-bundle (start by copying out default and then add your own root CA or the Inventory self-signed cert to it)

Enabling HTTPS downloads from untrusted sites
Starting from Patch 8, the following settings can be used to allow or disallow the download from untrusted sites:
_BESRelay_Download_UntrustedSites (server/relay). It is a boolean setting. When it is set to 0 (default value), the downloads from untrusted sites are not allowed. When it is set to 1, the downloads from untrusted sites are allowed.
_BESClient_Download_UntrustedSites (client). As described above, but the setting works for the client.

The KB article at that link has the paths to the default ca-bundle (which differs between 10.0.8 and 10.0.9), as well as a sample task for customizing it.