Send files to client

I need to get a specific file to a client. How do I do that? Both prefetch and download commands use URL, which I don’t have. I just have a file locally on a server. Is it possible to do it? How?

First you have to upload the file using “Manage Software Distribution”, then create a task using “Manage Tasks”. After these steps you can change your task with your commands.

I’m sorry, but I don’t know what you mean by that… What are Manage Software Distribution and Manage Tasks? I need to create a task or baseline which will allow me to upload and import a new security certificate on a server. Usually when I create a fixlet or task which is supposed to upload a file to a client, I use the Software Distribution wizard to generate a prefetch block, which also uploads the file to the root server. But obviously this is usable only for cases where the file is the same each time I use the task. Now I need a task which will use a different file each time it is used.

Hello @Tobytja

On the Root Server place your file at: C:\Program Files (x86)\BigFix Enterprise\BES Server\wwwrootbes\Uploads\XYZ.txt

In the BigFix Console write the action script below (straight quotes are required; the curly quotes the forum renders will not parse):
download http://PEPWAP07913.corp.pep.pvt:52311/Uploads/xyz.txt
move "__Download/xyz.txt" "/home/svcrsp/.ssh/xyz.txt"
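An added example (not from any of the posts above) of the same download step written as a full BigFix ActionScript block for a Windows target: it fetches a certificate file staged in the root server's Uploads folder, refuses to go on unless the file's size and sha256 match the staged file, and only then imports it with certutil. ROOTSERVER, the file name, the size and the sha256 are placeholders to replace with your own values.

```bigfix
// Constructed example: fetch a public certificate staged on the root server.
// ROOTSERVER, server.cer, the size and the sha256 below are placeholders.
download http://ROOTSERVER:52311/Uploads/server.cer

// Stop here unless the downloaded file is byte-for-byte the one that was staged;
// without this check a wrong or tampered file in Uploads would be imported silently.
continue if {(size of it = 1234 AND sha256 of it = "PLACEHOLDER_SHA256_OF_STAGED_FILE") of file "server.cer" of folder "__Download"}

// Import into the local machine's Personal (MY) store; -f overwrites an older copy.
waithidden certutil.exe -addstore -f MY "__Download\server.cer"

// Keep a copy where the follow-on SCOM import tool can pick it up.
copy "__Download\server.cer" "C:\certs\server.cer"
```

The size and sha256 can be read from the staged file with the same inspectors on the root server before the task is built, so each new certificate needs only those two values and the file name changed.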

Here’s the context and what I need to do:
I receive new X.509 certificates for a server and I need to import them. Since it’s quite complicated to log on to the server itself (you have to go to an application which stores passwords, you have to request the password, then check it out, after logging in to the server you have to change the password, and then change it in the database), we’d like to be able to do that through BigFix. So I copy the two certificate files to a server where I run the BigFix console. I have a task ready to do all the steps from the point when the files are stored on the target server, but I need a way to get them to the target server. I need something like an action parameter query which asks for the path and names of the files, then sends the files to the server and then does all needed actions to import the certificates. I need it to go smoothly, without having to get files to the root server manually.

If your targets are Windows machines, importing certs is easy via either Certutil.exe or PowerShell commands. Figure out the syntax you need to do it interactively on one machine, then put that into a custom task and away you go. I’ve scripted the import and export of certs on thousands of machines that way.

If using *nix, then OpenSSL commands would accomplish the same thing.

If you take it a step further, it is also possible to script the binding of the certs to IIS or a Java application server.

Unless you are going to be doing this a lot, you’ll find it easier and safer to just log on to the server and do it manually. Certificates, and in particular their private keys, should not be distributed with normal “download” commands via BigFix because the keys can be exposed that way.

Updating the list of trusted CAs is not a problem, those only have public keys anyway. But for individual server certificates with private keys, you’d want to build a task using Secure Parameters to encrypt the key before sending it down to that particular client.

The ideal way to do certificate distribution is using an Enterprise PKI array of Certificate Authorities. Computers and/or users can subscribe to various certificate templates based on the security guidelines of your organization.

This works well for enrollment and avoids the security concerns that Jason mentioned by keeping the private key local to the computer. Where I’ve found BigFix to be useful is where I need to bind an SSL certificate to a web server or Java application server. We do this for thousands of systems without the need to do anything interactively.

I can create the PowerShell commands easily. But I need to get the certificate files to the server to be able to import them, and that’s what I don’t know how to do. The process of certificate creation is strictly done by the customer; I have no way to influence that. We create and send the certificate request to the customer, who creates the certificate using their own CA and sends us the finished certificate, and we upload the files to the server and import them. It’s done several times per month, mainly on DMZ and non-domain servers, where conventional connectivity is problematic and we can’t just use Samba directly from the terminal server to the target server and must route the files through several other servers. That’s why I need to use BigFix, to use its client.

We don’t use certificates with private keys. No input is needed during the certificate import. We just select the certificate file and import it to the correct store. And then we import it to the software (SCOM) using a specific tool.

@Tobytja, another way to approach it is to ask if the customer’s CA has either a web or an RPC interface open. Using Certutil or PowerShell, you can get the CA to sign the CSR through a script. This assumes that the CA is properly configured with appropriate permissions and that firewall rules allow access to it. I’ve done this successfully in BigFix with Certutil commands.

If they do, making a rich RPC call gives the most flexibility. The lightweight alternative would be to configure the CA to do SCEP via web service calls. This is trickier to set up properly and less flexible.

Either approach eliminates the whole file download issue altogether.

There are two major problems with that: Remote Procedure Call is blocked on most servers where this action will be relevant (DMZ), and the second is that the customer won’t agree to this. The customer creates certificates, we apply them. That’s the way it is, no discussion allowed.