IBM Support

Setup for SSL on Tivoli Endpoint Manager Web Reports

Technote (troubleshooting)


Problem(Abstract)

The following instructions detail setting up SSL for the TEM Web Reports Server with either a self-signed certificate or a CA-provided certificate.

Resolving the problem

To use HTTPS for the TEM Web Reports service, you must have a proper SSL certificate. If you don't require authentication back to a trusted root, you can generate a self-signed certificate with the OpenSSL utilities. This document also describes modifying a signed PKCS12 certificate using OpenSSL.

OpenSSL for Windows can be found at: http://www.slproweb.com/products/Win32OpenSSL.html

Creating a Certificate Signing Request (cert.csr)
For use in either a self-signed or CA-signed certificate. This will create both a private key (nopwdkey.pem) and the certificate request file (cert.csr).

1. In order to create a valid request, you need a valid config file.

Example config file:
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = bigfix

[ req_distinguished_name ]
C = US
ST = California
L = Emeryville
O = BigFix
OU = Development
CN = Common
emailAddress = admin@bigfix.com

[ req_attributes ]
challengePassword = bigfix

Replace "Common" with the fully qualified domain name of the Web Reports Server.

Save as mynewconfig.conf

2. Now that the config file is created, create the certificate request. (This also generates the private key called keyfile.pem):
openssl req -new -config "c:\mynewconfig.conf" > cert.csr

3. Remove the password from the private key (keyfile.pem) and generate a new private key (nopwdkey.pem) using the following command:
openssl rsa -in keyfile.pem -out nopwdkey.pem

Generating a Self-Signed Certificate (cert.pem) from a certificate request file (cert.csr)
WARNING: These certificates will not be implicitly trusted by web browsers. They must either be manually added to the trusted certificate store on the client (browser) machine or be explicitly trusted the first time anyone visits Web Reports.

1. First create a Certificate Signing Request (cert.csr) using the process outlined above.

2. Then create a certificate file (cert.pem) from your private key (nopwdkey.pem) and certificate request file (cert.csr) using the following command (valid for 365 days):
openssl x509 -in cert.csr -out cert.pem -req -signkey nopwdkey.pem -days 365

3. Open your private key file (nopwdkey.pem) in a text viewer (WordPad, not Notepad), copy the contents and paste them below the certificate in cert.pem.

Example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

4. Refer to cert.pem on your Web Reports server in the certificate path registry setting (see below).

Requesting a Certificate from a Certificate Authority
To encrypt HTTPS Web Reports with a certificate that browsers will implicitly trust, request a signed certificate from a trusted Certificate Authority (or CA) such as Verisign. Here's a brief overview of that process:

1. Create a Certificate Signing Request (csr) using the process described above.

2. Forward the .csr file to a Certificate Authority (CA). They will issue you a signed (browser-trusted) certificate for your server. Request the certificate be issued in PKCS12 format.

3. Once you have received the PKCS12 formatted file, DO NOT import it into any Microsoft default certificate handling facilities.

4. Using openssl, run the following on each PKCS12 file to export it to a password-stripped PEM file:
openssl pkcs12 -in PKCS12.p12 -out PEM_CERT_FILE_NAME.pem -nodes -clcerts

5. This will export the PKCS12 file to a PEM-formatted file containing both the public certificate and the private key, with no passwords.

6. Open this newly created PEM certificate file with a suitable text editor (note that MS Notepad will NOT suffice; use WordPad instead).

7. Strip out all but the public certificate and private key; be sure to INCLUDE the "BEGIN ..." and "END ..." block stanza headers.

Example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

8. Save out the modified PEM file that should now include only the public certificate and private key.

9. Store this file on your server and refer to it when setting up your Web Reports Registry Keys.
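
Steps 6 to 8 can be scripted instead of edited by hand in WordPad. The Python below is an added example, not part of the IBM technote: build_server_pem and the constructed SAMPLE_EXPORT are illustrative names. It keeps only the certificate and the unencrypted private key from the text that openssl pkcs12 writes, and refuses a key that is still password-protected.

```python
import base64
import re

# One PEM block: label captured so blocks can be sorted by type.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}


def build_server_pem(exported: str) -> str:
    """Keep exactly one certificate and one unencrypted key, certificate first."""
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(exported.replace("\r\n", "\n")):
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
            raise ValueError("private key is still password-protected")
        # Raises ValueError if the payload was damaged while copying.
        base64.b64decode("".join(body.split()), validate=True)
        block = f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label in KEY_LABELS:
            keys.append(block)
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"need 1 certificate and 1 key, found {len(certs)} and {len(keys)}")
    return certs[0] + keys[0]


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample shaped like `openssl pkcs12 -nodes -clcerts` output;
# the payloads are placeholder bytes, not real DER.
SAMPLE_EXPORT = (
    "Bag Attributes\n"
    "    friendlyName: webreports\n"
    "subject=/CN=webreports.example.com\n"
    "issuer=/CN=Example CA\n"
    f"-----BEGIN CERTIFICATE-----\n{_b64(b'constructed certificate bytes')}\n-----END CERTIFICATE-----\n"
    "Bag Attributes\n"
    "    friendlyName: webreports\n"
    "Key Attributes: <No Attributes>\n"
    f"-----BEGIN PRIVATE KEY-----\n{_b64(b'constructed private key bytes')}\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(build_server_pem(SAMPLE_EXPORT), end="")
```

The resulting file holds an unencrypted private key, so restrict its file permissions to the account that runs Web Reports.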

Requesting a Certificate from an IBM Certificate Authority (Internal IBM only)

1. Create a Certificate Signing Request (csr) using the process described above.

2. Access the IBM Certificate Authority and use your .csr file to receive your signed (browser-trusted) certificate in PKCS7 format.

3. Using openssl, run the following on the PKCS7 formatted file:
openssl pkcs7 -print_certs -in .\IBM_cert.pem -out .\IBM_cert_x509.pem

4. Open nopwdkey.pem in WordPad and copy its contents.

5. Open your SSL certificate (IBM_cert_x509.pem) and paste the contents from step 4 below the certificate information.

Example:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

6. Save out the modified PEM file (IBM_cert_x509.pem) that should now include only the public certificate and private key.

7. Store this file on your server and refer to it when setting up your Web Reports Registry Keys.

Web Reports HTTPS Registry Settings
To enable HTTPS, set the following client settings. On Windows, these are stored in the registry under the key HKLM\Software\BigFix\EnterpriseClient\Settings\Client; each setting name is the name of a key that contains a string value named "value".

1. _WebReports_HTTPServer_UseSSLFlag
Set to "1" to turn on HTTPS.

2. _WebReports_HTTPServer_PortNumber
Set to "443".

3. _WebReports_HTTPServer_SSLCertificateFilePath
Set to the full path name of the .pem file which contains the certificate and private key for the server. The .pem file should be in standard OpenSSL PKCS12 .pem file format. The private key must not have a password. The certificate is supplied by the server to connecting clients (browsers) and they will typically present a dialog to the user containing information from the certificate. If the certificate meets all of the trust requirements of the connecting browser, then the browser will connect without any intervention by the user. If the certificate does not meet the trust requirements of the browser, then the user will be prompted with a dialog asking them if it is OK to proceed with the connection, and giving them access to information about the certificate. Typically, a "trusted" certificate is one which is signed by a trusted authority (e.g. Verisign), contains the correct host name, and is not expired.

Note: The web server is 32-bit. Therefore, the registry keys are underneath HKLM\Software\WoW6432Node\BigFix\EnterpriseClient\Settings\Client on a 64-bit machine.

Historical Number

193

Document information

More support for: IBM BigFix family

Software version: All Versions

Operating system(s): Platform Independent

Reference #: 1505848

Modified date: 10 February 2014

