WEBUI and a REAL SSL cert -and one more question

Has anyone enabled WEBUI and installed a real SSL cert?

I remember hearing it is a lot easier compared to setting up a cert on web reports but I found the documentation in the WebUI rather thin…


Signed SSL certificates can be obtained from any authorized Certificate Authority. To deploy SSL
certificates, perform the following steps:

  1. Copy the ssl.crt and ssl.pvk files provided by your CA to the following location on your IBM
    BigFix® server:
    14
    Windows Deployment
    \\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\
    Linux Deployment
    /var/opt/BESServer/WebUI/
  2. Restart the BESRootServer service.

is there an equivalent doc going through the process similar to web reports?
http://www-01.ibm.com/support/docview.wss?uid=swg21505848


When enabling SAML through the webui this is also supposed to enable this on webreports.
Does this include any instances of webreports NOT on the root server OR only webreports on the root server.

I would like to add that though it might be out of scope for the SAML config it, it does reference using ADFS and if there could be documentation on what setup is needed on ADFS that would be helpful.

2 Likes

I enabled the WEBUI and was unable to get a cert to work. I agree the documentation was thin on the process and no “troubleshooting tips” available.

The cert should be in PEM format and include the full trust chain with the site cert on first, then intermediate cert, then root cert. Rename the files to ssl.crt and ssl.pvk and drop them into the specified directory.

2 Likes

I tried this and then the WebUI broke. I was able to fix it by removing the certs and restarting the BESRootServer service. Do you know what could cause the WebUI to no longer function after adding the certs?

1 Like

@jgallas can you maybe send us the logging information from the WebUI when things broke?

The logs that we are typically after can be found in:
C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\logs

Just give us everything you find there. (PM if you are sensitive to whatever data is there?)

C:\Program Files (x86)\BigFix Enterprise\BES Server\BESrelay.log is also a good thing to send our way.

I too am having prblems with the pvk (key) part of the Cert…
the .crt seems to be fine…
I extracted from the .pem … I tried the RSA and the non rsa (no password) versions… No go… I get a connection timed out and a syn_sent in netstat to the server…
rename the .pvk, restart the root server service and I can access the webui again but as an untrusted connection .
No errors in the etl.log but the service-app.log has this lot towards the end…

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7
Mon, 02 May 2016 15:38:49 GMT bf:appmonitor:error server.js process exited with code 1
Mon, 02 May 2016 15:38:50 GMT bf:appmonitor:debug Starting server.js process
Mon, 02 May 2016 15:38:52 GMT bf:appmonitor:debug Initializing with SAML configuration: false
Warning: connect.session() MemoryStore is not
designed for a production environment, as it will leak
memory, and will not scale past a single process.
C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\q\q.js:155
                throw e;
                      ^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7
Mon, 02 May 2016 15:38:52 GMT bf:appmonitor:error server.js process exited with code 1
Mon, 02 May 2016 15:38:53 GMT bf:appmonitor:debug Starting server.js process

@Pete_F: Hey late notice, but I recently had to do some signed cert replacement stuff and I ran into this exact PEM_read_bio:no start line bit in the service-app.log file too:

C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\q\q.js:155
                throw e;
                      ^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Object.createSecureContext (_tls_common.js:105:19)
    at Server (_tls_wrap.js:605:25)
    at new Server (https.js:36:14)
    at Object.exports.createServer (https.js:56:10)
    at BFProxy.createWebServer (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:433:22)
    at new BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:63:25)
    at BFProxy (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\node_modules\bfproxy\lib\bfproxy.js:51:12)
    at run (C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:110:13)
    at C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI\service-app\node_modules\bfappmonitor\lib\server.js:105:7

I read a whole bunch about openssl until I looked at my old .pvk file and compared it to my new .pvk file and noticed that basically my new one didn’t have the header while my old one did…

So, my new key (initially broken) looked like:

SAIFmafeiancpaijefpIJEAm
...
...
-----END RSA PRIVATE KEY-----

And my old key looked like:

-----BEGIN RSA PRIVATE KEY-----
oiajeoifjoaijfoiejafoEIcan
...
...
-----END RSA PRIVATE KEY-----

Simply adding the BEGIN RSA PRIVATE KEY part to my broken key fixed this problem. Maybe that’s what you’re running into too?

-Dex

2 Likes

my PVK is missing begin and end… added it but still didn’t work

http://www-01.ibm.com/support/docview.wss?uid=swg21505848
that didnt work either

so far put the crt and pvk in the directory mentioned and we get
Unable to connect

Firefox can’t establish a connection to the server at bigfix.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

delete and restart besrootserver service
back to business

how easy was it in compliance and inventory? under management dropdown to server settings, click on replace and put the new certs there… that was it.

would be so much easier if they enabled this for WEBREPORTS and WEBUI…

Got it to work: -
openssl req -new -newkey rsa:2048 -nodes -out ssl.csr -keyout ssl.key -subj "/C=US/ST=Virginia/L=McLean/O=CDM/OU=Information Technology/CN=BigFix"
saved 2 files ssl.csr and ssl.key
send ssl.csr to CA to get ssl.cer
make copy of ssl.key and rename to ssl.pvk
make copy of ssl.cer and rename to ssl.crt
stop besrootserver service on BigFix root server
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"
start besrootserver service on BigFix root server
open browser and type in link to https://bigfix for accessing WEBUI
** if your cert is issued from enterprise CA you are able to add DNS names to aliases being used to access the WEBUI: - common examples of accessing the web link are as follows
https://BigFix
https://bigfixserver
https://webui
https://BigFix.MyDomain.com
https://BigFixserver.MyDomain.com
https://WEBUI.MyDomain.com
NOTE* while requesting this cert make request to add subject alternate names (DNS) names to this cert by adding this to the “Additional Attributes:” section of the cert generating process
san:DNS=WebUI.MyDomain.com&DNS=BigFix.MyDomain.com&DNS=BigFixServer.MyDomain.com&DNS=WEBUI&DNS=BigFix
**this is so any of the names listed here can be used in the web browser to resolve as a valid cert.

2 Likes

Is there any updated documentation on this for WebUI 9.5.3? What exists doesn’t even match the path. I have WebUI installed on its own system (not the BES) server and I have a path:

C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

Is that were the cert files go?

Below is what I have from Entrust.

As it is, I’m unsure which files to rename and without knowing the correct path to place them in will make it even more difficult to figure this out.

1 Like

Hi Alexa :wink:

you do have to rename the file from *.key to ssl.pvk and *.cer to ssl.crt
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"

parameter "workDir" = "{if exists setting whose (name of it = "_WebUIAppEnv_WebUI_DIR") of client then value of setting "_WebUIAppEnv_WebUI_DIR" of client else if windows of operating system then pathname of program files x32 folder &"\BigFix Enterprise\BES WebUI" else "/var/opt/BESWebUI"}"

So if the “workDir” does not exist it looks in 'program files x32 folder &“\BigFix Enterprise\BES WebUI” ’

So this is where the fixlet points things.

_WebUIAppEnv_WORK_DIR = C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\sites

I don’t think the certs go there either. I’ll figure it out.

I’ve placed them in the directories below, restarted both BES Root Server service on the BES and BES WebUI on the WebUI server and none work:

C:\Program Files (x86)\BigFix Enterprise\BES WebUI
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\sites (the two certs disappear when placed here after the service starts).

Perhaps I have to added Cert locations in the Properties of the WebUI server, as you do with the Web Reports certs? Without instructions, I’m shooting in the dark.

I’ve opened a PMR with IBM and will post results if I hear from them with a resolve. Installing a cert is such an advanced process!

The directory structures are mirrored between local and remote installations, so C:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI becomes C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

The instructions are as I mentioned earlier in this post:

If you have done this, and it isn’t working, then your files are not properly formatted or do not contain the proper data. Based on the file list you posted, you will need to open your .crt files in notepad or some other text editor, and copy the intermediate certs and root cert below the server cert, so they are all in one file. Make sure you include all the --------BEGIN CERTIFICATE----------- and -----------END CERTIFICATE----------- headers/footers just as they are in each cert.

The one thing I don’t see is your .key or .pvk file. It is probably included in your .p7b file, and will have to be extracted using OpenSSL or something similar.

So the correct directory for the certs is: C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI

I did use OpenSSL and I have those files. The ssl.key has -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- so I can change those to -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- if that makes a difference.

Being WebUI is on a separate server, does the Gather Service still have to be restarted for the certs to take affect? If not, which service is best to try new certs? Finally, is there any logging I can use to see what cert may be having an issue or if they are even being seen?

2 Likes

The solution is:

For ssl.pvk follow the process [> here] (http://www.ibm.com/support/knowledgecenter/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Web_Reports/c_creating_a_certificate_signing_request.html), taking the nopwdkey.pem and renaming to ssl.pvk.

For ssl.crt using the 3rd party cert files screenshot earlier in this thread, paste in plain text the three files below in order to make ssl.crt.

ServerCertificate.cert
Intermediate1.cert
Intermediate2.cert

Please both in \WebUI\ directory and restart the WebUI service.

2 Likes

Hi @AlexaVonTess,

I know I’m late to the party but I wanted to thank you for your post specifying the correct location for the WebUI Signed Certificates. The guide I was using was for 9.5.2.56 and was pointing me toC:\Program Files (x86)\BigFix Enterprise\BES Server\WebUI instead of the location you mentioned. After spending almost a week going in circles, moving the files to your location did the trick :). After many hours of googling I only found this and another forum post regarding using a 3rd Party certificate.

1 Like