Configuring FIPS 140-2 on the BigFix Server

You can configure the BigFix server to use FIPS 140-2.

In this way, when the state of BigFix Cryptographic Module is in error, BigFix does not start or stops running.

To verify the appropriate setup and initialization of the module you must check the client log file by completing the following steps:
  1. On the BigFix server, launch the BigFix Administration Tool by selecting Start > All Programs > BigFix > BigFix Administration Tool.
  2. Browse to the location of your site license and click OK
  3. Select the Masthead Management tab.
  4. Click Edit Masthead.
  5. Check Require use of FIPS 140-2 compliant cryptography to enable FIPS 140-2.
  6. Click OK.
  7. Enter the Administrator password to perform the action.
  8. To ensure that the setting has been enabled check the client log file (default log path: C:\Program Files\BigFix Enterprise\BES Client\__BESData\__Global\Logs\YYYYMMDD.log for the following types of messages:
    • FIPS 140-2 Enable log file message
      At 14:36:12 -0700 -
      FIPS mode enabled by masthead.
      At 14:36:13 -0700 -
      Cryptographic module initialized successfully in FIPS mode.
    • FIPS 140-2 Disabled log file message
      At 14:58:28 -0700 -
      FIPS mode disabled by default.
      Unrestricted mode 
You can enforce the FIPS mode, by setting the _BESClient_Cryptography_FipsMode value on the client.
Note: The client setting _BESClient_Cryptography_FipsMode overrides the FIPS setting specified in the masthead for the BES Client and the Web Reports components. When setting the value to none, the BES Client and the Web Reports components will not use the FIPS libraries. When setting the value to required, they will use the FIPS libraries.

In this way the client does not run in FIPS mode when the Cryptographic Module encounters an error at startup.

To force BigFix components to use only the FIPS validated Cryptographic library, complete the following steps:
  1. Launch the BigFix Console.
  2. From the Computers tab, right-click any listed computer and choose Edit Computer Settings.
  3. Click Add.
  4. In the Add Custom Settings dialog enter: _BESClient_Cryptography_FipsMode in the Setting Name and required in the Setting Value.
  5. Click OK.
  6. In the Target tab select All computers. When FIPS mode is enabled all cryptographic operations such as digital signatures, encryption and SHA1, SHA2 hashing are performed using the FIPS 140-2 Level 2 certified cryptographic module.
  7. In the Execution tab of the dialog choose Reapply this action whenever it becomes relevant again and click OK
Note: To enable FIPS 140-2 on the BigFix Linux server, see the -advRequireFIPScompliantCrypto option described in Editing the Masthead on Linux systems.
Note:
  • When enabling the FIPS module, the OpenSSL library must be loaded at a static address to satisfy its own self tests.
  • The most common error related to the FIPS mode startup occurs on AIX and HP-UX systems when there is not enough system entropy available for the Cryptographic Module.
  • The FIPS Mode setting and the Message Level Encryption (MLE) setting are independent. You can set FIPS without setting the MLE and viceversa.

For information on Message Level Encryption see Message Level Encryption (MLE) Overview and Message Level Encryption and DSA