Hello
Running BigFix version 10.10.10 on Windows. We have enhanced security enabled and when we look in the client log we see the message the reports are being sent encrypted. Curious, do we also need to ensure this client setting is set or is this done by the application when enhanced security is enabled. The client setting is _BESClient_Report_Encryption=optional
That can be confusing because we have several things all on the same screen in BESAdmin/Security.
The “Enhanced Security” in BESAdmin refers to disabling TLS 1.1 and 1.0, leaving the Server and Relays communicating with TLS 1.2 for all of the HTTPS traffic. All of the site content hashing (validating that the Fixlets and Actions are digitally signed, etc.) is also restricted to SHA256 hashing.
In the same tab you may also “Require SHA256 Downloads”, which means all of the Download/Prefetch statements in action scripts also require sha256 hashes. This can break existing custom content if your download commands only had sha1 hashes listed, which is why this is a separate option you can toggle back off if you find it breaks some of your downloads.
That client setting _BESClient_Report_Encryption is a different thing; it refers to Message-Level Encryption as can be configured in BESAdmin on the “Encryption” tab. With Message-Level Encryption, the individual clients encrypt their reports before they are posted to the Relay. This is useful in cases where you may not trust the Relays (i.e. they are in public storefronts or kiosks and could possibly be stolen), so that even if a Relay is compromised or stolen the data from reporting clients is still encrypted. However, this does have significant overhead in efficiency, both bandwidth and processing, because the Relays are then unable to do things like combine & consolidate client reports (the Relay can’t read the report content anymore), and there’s more overhead at the Root Server or specific Decrypting Relays to decrypt the client reports.
Thank you. So just so I am clear, if things are configured using BESAdmin and enabling Encryption on the encryption tab, I should not need to manually deploy the client setting (“Encryption” tab) _BESClient_Report_Encryption=optional, as this is the default setting used by BigFix.
You’d actually need both. The BESAdmin tool option to enable Encryption adds a key to the masthead, which the clients can use to encrypt their reports; but the clients must also have the setting applied to make use of it.
There’s an overview of this at Managing Client Encryption that may be helpful; please have a look and post back here if you still have any questions on it.
Don’t you think the setting changes needed for “_BESClient_Report_Encryption” belong on the BESAdmin tab so customers are aware of needing to set them?
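For readers who want to see what the two points in the replies above look like in practice (a prefetch that survives “Require SHA256 Downloads”, and the client setting that actually turns on Message-Level Encryption once the masthead has the key), here is an added BigFix ActionScript example. It is not from this thread or from the BigFix documentation. Assumptions: the download URL is a placeholder on the reserved example.com domain, and the hashes are those of a zero-byte file, so the prefetch verifies against an empty file and nothing else; the meaning of the setting values (none / optional / required) is as I understand it from the BigFix client-settings documentation and should be checked against the “Managing Client Encryption” page linked above.

```actionscript
// Added example, not code from the thread or from HCL/BigFix.
// Placeholder URL (example.com is reserved) and placeholder hashes: these are the
// SHA-1 and SHA-256 of an empty (0-byte) file, so they only verify an empty download.

// --- Download/prefetch and "Require SHA256 Downloads" ---
// Weak form: only a sha1 hash is listed. This works until "Require SHA256 Downloads"
// is enabled in BESAdmin, after which the action fails to download.
//   prefetch empty.bin sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 size:0 http://example.com/empty.bin
// Corrected form: the same statement with a sha256 hash appended, which satisfies the
// SHA256 requirement and still validates on servers where the option is off.
prefetch empty.bin sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 size:0 http://example.com/empty.bin sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

// --- Message-Level Encryption client setting ---
// Enabling Encryption in BESAdmin only publishes the key in the masthead; the client
// uses it only if this setting is present. Values (as documented, assumption on my part):
//   none     - never encrypt reports
//   optional - encrypt when a key is available in the masthead, otherwise send in clear
//   required - only post reports when they can be encrypted
// Use "optional" while rolling out so clients keep reporting if the key is missing;
// switch to "required" once every client and decrypting relay has been verified.
setting "_BESClient_Report_Encryption"="required" on "{parameter "action issue date" of action}" for client
```

Deploy the setting line as a normal action against the target computers, then confirm on a client by checking its log for the "reports are being sent encrypted" message mentioned at the top of this thread; a client that logs unencrypted posting after the action has reported complete is the sign that the setting was applied but the masthead on that client does not yet carry the encryption key.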
Maybe? Or perhaps a link to instructions.