Certificate for Console - Help

(imported topic written by SystemAdmin)

What is the certificate that is used for the console and where is it located in the install? Is it part of the masthead? I have a few security findings regarding the console certificate specifically that need to be addressed.

  1. SSL Certificate with Wrong Hostname - The Common Name (CN) of the SSL certificate presented on this service is for a different machine.

  2. SSL Certificate Cannot Be Trusted - The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificates' notBefore dates, or after one of the certificates' notAfter dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or was not possible to verify. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize. If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Was the above issue ever addressed? I have this issue with my certs in IEM and have security findings for them.

Hi
You can replace the certificate provided by the REST API and to the console by the root server with your own certificate or one signed by a trusted CA - is that what you need?

Possibly. Do you have the steps?

The cert I need to replace has a common name of “ServerSigningCertificate_0”

You can replace that certificate as follows:

Put the certificate and key into a single file as described here (NOTE: this is for web reports but same approach to creating the file applies).

For a Linux server, set the following in the besserver.config file, and restart the root server.

[Software\BigFix\EnterpriseClient\Settings\Client\_BESRelay_HTTPServer_SSLCertificateFilePath]
value                          = <path to .pem file>

[Software\BigFix\EnterpriseClient\Settings\Client\_BESRelay_HTTPServer_UseSSLFlag]
value                          = 1

For Windows, you set these in the registry in HKEY_LOCAL_MACHINE\Software\Wow6432Node\BigFix\EnterpriseClient\Settings\Client

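An added helper script (not from this thread and not BigFix's own tooling) that builds the single .pem file the steps above call for, and before writing it checks the two things the scanner findings in the opening post are about: that the private key really belongs to the certificate, and that the certificate's CN is the hostname the console and REST clients connect to, with an optional chain check against a CA bundle. The file paths and hostname are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Build the single .pem file the SSLCertificateFilePath setting above points
# to, from a separate certificate and private key, after checking the things
# the scanner findings in the opening post are about.  Paths, the hostname
# and the CA bundle are assumptions; needs the openssl command-line tool.
#
# Usage: make_bes_pem.sh cert.crt key.key bes.example.com out.pem [ca-bundle.pem]

# 1. The private key must belong to the certificate: compare the public key
#    embedded in the certificate with the one derived from the private key.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 2. The CN must be the name clients use ("SSL Certificate with Wrong Hostname").
#    Modern clients additionally require the name in the subjectAltName extension.
check_cn_matches_host() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# 3. Optional: the certificate must chain to a trusted CA bundle
#    ("SSL Certificate Cannot Be Trusted"); this also rejects expired certificates.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_bes_pem() {
    cert="$1"; key="$2"; host="$3"; out="$4"; ca="$5"
    check_key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    check_cn_matches_host "$cert" "$host" || { echo "certificate CN is not $host" >&2; return 1; }
    if [ -n "$ca" ]; then
        check_chain "$cert" "$ca" || { echo "certificate does not chain to $ca" >&2; return 1; }
    fi
    # Certificate first, then the key.  The file holds the private key, so
    # create it readable only by its owner (the account the root server runs as).
    ( umask 077; cat "$cert" "$key" > "$out" )
}
```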

Thank you! That did it I believe.

This is now documented for 9.2 here:
http://www-01.ibm.com/support/knowledgecenter/SS2TKN_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Config/t_rest_certonfig.html

Hi
Can anybody explain where the current certificate is located if there are no settings in the registry as described above?
But HTTPS is forced to be used when calling the BigFix API.
Which settings, and where, regulate this?
And I repeat, there is nothing in the registry like BESRelay_HTTPServer_UseSSLFlag, but I see ServerSigningCertificate_0 at this moment.