RHEL 6 and BigFix 11

Looks like RHEL 6 is not supported with the v11 agent. Does anyone know what functionality would be lost if the v10 agent is used to report into a v11 setup? We are looking at exploring the AI/Runbook automation that looks to only run on V11.

The main issue I can think of is that v11 will not support any agent below 9.5, so any older OS that needs to use the 9.2 agent or earlier will stop functioning. Check out the V11 announcement, as this also details some of the prerequisites that need to be considered before upgrading from v10.

BigFix 11 introduced some security improvements that cannot be managed by a v10 Client:

  • SHA384 as cryptographic digest algorithm for all digital signatures to validate TLS communication and all BigFix content and actions
  • TLS 1.3 for HTTPS communications among the BigFix components

The above features cannot be enforced if the customer wants to use non-v11 Clients in the deployment.

You do know that RHEL 6 went out of mainstream support over 3 years ago and leaves extended support in three months, right? Just sayin’…

I’m not doubting this statement, but I can’t find anything in the Release Announcement to back this up. Can anyone verify this with HCL documentation? I’ve briefly searched and can’t find anything myself…

Ok I had to dig for that a bit myself.
From the Release Announcement at BigFix 11.0 - the latest and greatest BigFix release - available now!

I followed the link to V11 Overview

which has the note

After you have started upgrading to BigFix 11, even if your deployment is not all at Version 11 yet, you will get the following benefits:

  • TLS handshakes will use SHA-384 certificates whenever they are available. After upgrading the BigFix Server to v11, SHA-384 certificates will be available to:
    • All Agents/Relays at Version 11
    • Agents and Relays at 10.0 patch 7 (or later patch) that have had their certificates refreshed, either automatically for expiration of the 13-month validity period, or manually with the “client certificate refresh” actionscript command (see Client certificate)
    • All Agents and Relays installed after upgrading the BigFix Server to Version 11, regardless of their version.
  • Content generated by MOs and NMOs like sites, Fixlets, analyses, actions, etc. will be signed with both SHA-256 and SHA-384. To validate such content, BigFix components at v11 will rely on both, while BigFix components at earlier versions will rely on the SHA-256 signature.
  • The BigFix Server will validate external site content using either the SHA-256 or the SHA-384 signature.
  • The BigFix Server will process Agent reports that are signed using either SHA-256 or SHA-384.
  • BigFix Platform 11 will support both TLS 1.2 and TLS 1.3 (with TLS 1.3 being always the first attempted option), while it will no longer support TLS 1.1 or below in ANY scenario requiring HTTPS.

Note: Because of the above, BigFix Platform components at Version 11 will no longer be backward compatible with BigFix components at version 9.0 or lower.

In effect, 9.2 and 9.5 should still be good, but 9.0 or lower clients will not be able to communicate with an 11.x deployment. We dropped support for TLS 1.0 and 1.1 entirely.

2 Likes
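
The compatibility rules quoted from the V11 Overview above, applied to an agent inventory to show which hosts lose contact and which keep the deployment on SHA-256 (an added example, not part of the original thread or HCL's code). The `Agent` fields, the sample hosts and build numbers, and the assumption that versions are dotted `major.minor.patch.build` strings are illustrative.

```python
from dataclasses import dataclass

@dataclass
class Agent:
    host: str
    version: str                           # assumed "major.minor.patch.build"
    cert_refreshed: bool = False           # cert refreshed after the server upgrade
    installed_after_upgrade: bool = False  # installed once the server was at v11

def parse(version):
    """Return (major, minor, patch), padding missing fields with 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(agent):
    major, minor, patch = parse(agent.version)
    if (major, minor) <= (9, 0):
        # Quoted note: v11 is not backward compatible with 9.0 or lower.
        return {"host": agent.host, "communicates": False,
                "sha384_cert": False, "content_sig": None}
    is_v11 = major >= 11
    patched_v10 = (major, minor) == (10, 0) and patch >= 7
    sha384 = (is_v11 or agent.installed_after_upgrade
              or (patched_v10 and agent.cert_refreshed))
    return {"host": agent.host, "communicates": True, "sha384_cert": sha384,
            "content_sig": "SHA-256+SHA-384" if is_v11 else "SHA-256"}

def triage(inventory):
    """Split hosts into those cut off by v11 and those that, per the thread,
    prevent enforcing SHA-384 and TLS 1.3 (any reachable client below v11)."""
    results = [classify(a) for a in inventory]
    cut_off = [r["host"] for r in results if not r["communicates"]]
    blocks = [r["host"] for r in results
              if r["communicates"] and r["content_sig"] == "SHA-256"]
    return cut_off, blocks

# Constructed sample inventory; hosts and build numbers are made up.
INVENTORY = [
    Agent("rhel6-db01", "10.0.9.21"),
    Agent("rhel6-app02", "10.0.9.21", cert_refreshed=True),
    Agent("winxp-kiosk", "9.2.20.7"),
    Agent("old-aix", "9.0.876.0"),
    Agent("rhel8-web", "11.0.1.104"),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(classify(a))
    print(triage(INVENTORY))
```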

That’s what I thought, as we (unfortunately) have a couple of Windows XP machines still reporting with 9.2.x clients. :grimacing: