WebUI SSL Instructions

jmaple 2015-12-10 18:09:19 UTC #1

After enabling the WebUI, I looked at the admin guide for implementing an SSL certificate. The guide is fairly sparse on getting a certificate generated so I’m wondering if I need to have a certificate that has a password or not. The WebReports requires that no password is on the key file but the SCA certificate requires a password. Can we get some clarification?

jmaple 2015-12-10 18:54:25 UTC #2

To that point, I am also seeing my core server listening on 52315 and when I navigate to it, it asks for my PIV card password. I’m assuming this is a piece for SSO. I’m also assuming that when I secure the WebUI in the fashion that the Admin guide states, that port will be secured as well?

dexdexdex 2015-12-11 08:53:19 UTC #3

Let me double check in the morning. My memory suggests to me our cert doesn’t have a password associated with it.

Port 52315 is an internal port that the WebUI uses made available by the platform. You can completely disable outside access for port 52315. I think if you follow the instructions on the administrator guide, it only secures 80/443 (or whatever port you’ve pointed the WebUI at). Right now I think 52315 is a self signed cert.

If you’re wondering what’s up with port 52315, it serves a lot of routes that get consumed by our ETL process to populate webui.db (basically a cached version of BFEnterprise data).

jmaple 2015-12-11 09:35:53 UTC #4

I don’t mind it being there but I know that our vulnerability scans will complain that there is no signed certificate attached. I’m just trying to be ahead of the curve.

gkinger 2016-02-04 18:53:03 UTC #5

I am having the same issue. Can we get more specific instructions on how to properly generate and install this cert.

dexdexdex 2016-02-05 01:33:33 UTC #6

I just went back and confirmed that you don’t need a password for your SSL certificate for the WebUI.

jmaple 2016-02-05 12:58:05 UTC #7

Okay but it looks like we still don’t have solid instructions on how to replace it with a signed cert?

Pete_F 2016-04-29 20:25:45 UTC #8

Did you get anywhere with this ?.. I have a .CRT generated but Im having a devil of a job getting a valid .key to be recognised…

I have the .crt in place, With the .key file. I cannot connect and a netstat -an shows a syn_sent on port 8081 (which is the port I chose for the WebUi… If I remove the .key file. I can connect but I have to allow a site security exception in the browser.

shiva 2016-08-22 12:50:45 UTC #9

Used OPENSSL to generate .KEY and .CSR with 2048 RSA encoding
Using Enterprise Certificate Authority, am able to use the .CSR from OPENSSL to create .CER
There is NO WAY within Microsoft Certificate authority to export this certificate in any other format other than .CER
The available options for exporting a cert within Certificate Authority (OR) from MMC add Certificate to local computer then “IMPORT” the certificate generated by Certificate Authority and export into x509 (DER or Base 64 or P7B) all of these can only be saved as .CER ****we need a .CRT
once you have the cert then OPENSSL to the rescue.

shiva 2016-08-22 12:52:04 UTC #10

Open command prompt and browse to a directory to save all these files. Install OPENSSL x64 binaries and ensure to add openssl.exe to the [PATH] variable.

Create ssl.conf with required fields filled out (change as needed under [ req_distinguished_name ]

[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = bigfix

[ req_distinguished_name ]
C = US
ST = Virginia
L = McLean
O = Information Technology LAB
OU = Lab
CN = BigFix
emailAddress = admin@MyDomain.com

[ req_attributes ]
challengePassword = bigfix

Ensure to add all the aliases which will be used for all things BigFix in the following format, give this to be used along with the creation of the Cert from CA (change MyDomain.COM to the domain where BigFix will be installed)
san:DNS=BigFix.MyDomain.COM&DNS=BigFixSrv.MyDomain.COM&DNS=BigFixSrv&DNS=BigFix&DNS=Inventory.MyDomain.COM&DNS=InventorySrv.MyDomain.COM&DNS=InventorySrv&DNS=Inventory&DNS=WebReports.MyDomain.COM&DNS=WebReportsSrv.MyDomain.COM&DNS=WebReportsSrv&DNS=WebReports&DNS=Compliance.MyDomain.COM&DNS=ComplianceSrv.MyDomain.COM&DNS=ComplianceSrv&DNS=Compliance&DNS=WebUI.MyDomain.COM&DNS=WebUISrv.MyDomain.COM&DNS=WebUISrv&DNS=WebUI

send ssl.csr to CA to get ssl.cer
BigFix WEBUI needs this specific name “ssl.crt and ssl.pvk” for the ssl to work
make copy of ssl.key and rename to ssl.pvk
make copy of ssl.cer and rename to ssl.crt
stop besrootserver service on BigFix root server
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"
start besrootserver service on BigFix root server
open browser and type in link to https://bigfix for accessing WEBUI

jmaple 2016-08-22 14:12:02 UTC #11

1024 and 2048 refer the RSA strength. Where is the issue arising? Did you combine the cert and the certs of your CA and SCAs (if applicable)? Your instructions don’t seem to include that step but your RCA and applicable SCA certs needs to be combined into one certificate.

shiva 2016-08-24 12:50:56 UTC #14

Got it to work: -

openssl req -new -newkey rsa:2048 -nodes -out ssl.csr -keyout ssl.key -subj "/C=US/ST=Virginia/L=McLean/O=CDM/OU=Information Technology/CN=BigFix"
saved 2 files ssl.csr and ssl.key
send ssl.csr to CA to get ssl.cer
make copy of ssl.key and rename to ssl.pvk
make copy of ssl.cer and rename to ssl.crt
stop besrootserver service on BigFix root server
copy ssl.crt and ssl.pvk to "\Program Files (x86)\BigFix Enterprise\BES Server\WebUI"
start besrootserver service on BigFix root server
open browser and type in link to https://bigfix for accessing WEBUI
** if your cert is issued from enterprise CA you are able to add DNS names to aliases being used to access the WEBUI: - common examples of accessing the web link are as follows
https://BigFix
https://bigfixserver
https://webui
https://BigFix.MyDomain.com
https://BigFixserver.MyDomain.com
https://WEBUI.MyDomain.com
NOTE* while requesting this cert make request to add subject alternate names (DNS) names to this cert by adding this to the “Additional Attributes:” section of the cert generating process
san:DNS=WebUI.MyDomain.com&DNS=BigFix.MyDomain.com&DNS=BigFixServer.MyDomain.com&DNS=WEBUI&DNS=BigFix
**this is so any of the names listed here can be used in the web browser to resolve as a valid cert.

dveiga 2017-06-20 18:56:41 UTC #15

Hello guys… I hope someone can answer this old post:
I am kind of confuse on this matter… I am using webui in a different server. And from the certs folder there is already the files auth_cert.crt, auth_key.key and ca.crt.
If I moved them out of the certs folder and include my certs ssl.crt and ssl.pvk the webui service doesn’t start.
If I keep them and also included my certs, the webui page doesn’t consider them and refers to the default certs:

The certificate is not trusted because it is self-signed. The certificate is only valid for localhost

Any extra advise?

AlexaVonTess 2017-06-21 11:16:28 UTC #16

That’s how I have it. You’re best of reading this post.

mbartosh 2019-07-26 21:33:50 UTC #17

For your ssl.conf file, the format for adding the aliases is not clear. Would you please clarify?

mbartosh 2019-07-29 22:30:04 UTC #18

Is port 52315 opened as initiating from the root server to the remote webUI server? I cannot have a port opened bi-directionally.