Configuring FIPS 140-2 on the BigFix Server
You can configure the BigFix server to use FIPS 140-2.
In this way, when the state of BigFix Cryptographic Module is in error, BigFix does not start or stops running.
To verify the appropriate setup and initialization of the module
you must check the client log file by completing the following steps:
- On the BigFix server, launch the BigFix Administration Tool by selecting Start > All Programs > BigFix > BigFix Administration Tool.
- Browse to the location of your site license and click OK
- Select the Masthead Management tab.
- Click Edit Masthead.
- Check Require use of FIPS 140-2 compliant cryptography to enable FIPS 140-2.
- Click OK.
- Enter the Administrator password to perform the action.
- To ensure that the setting has been enabled check the client log
file (default log path:
C:\Program Files\BigFix Enterprise\BES Client\__BESData\__Global\Logs\YYYYMMDD.log
for the following types of messages:- FIPS 140-2 Enable log file message
At 14:36:12 -0700 - FIPS mode enabled by masthead. At 14:36:13 -0700 - Cryptographic module initialized successfully in FIPS mode.
- FIPS 140-2 Disabled log file message
At 14:58:28 -0700 - FIPS mode disabled by default. Unrestricted mode
- FIPS 140-2 Enable log file message
You can enforce the FIPS mode, by setting the
_BESClient_Cryptography_FipsMode
value on the client. Note: The client setting
_BESClient_Cryptography_FipsMode overrides the FIPS setting specified in the
masthead for the BES Client and the Web Reports components. When setting the value to
none, the BES Client and the Web Reports components will not use the FIPS
libraries. When setting the value to required, they will use the FIPS
libraries.
In this way the client does not run in FIPS mode when the Cryptographic Module encounters an error at startup.
To force BigFix components to use only the FIPS validated Cryptographic library,
complete the following steps:
- Launch the BigFix Console.
- From the Computers tab, right-click any listed computer and choose Edit Computer Settings.
- Click Add.
- In the Add Custom Settings dialog enter:
_BESClient_Cryptography_FipsMode
in the Setting Name andrequired
in the Setting Value. - Click OK.
- In the Target tab select
All computers
. When FIPS mode is enabled all cryptographic operations such as digital signatures, encryption and SHA1, SHA2 hashing are performed using the FIPS 140-2 Level 2 certified cryptographic module. - In the Execution tab of the dialog choose Reapply this action whenever it becomes relevant again and click OK
Note: To enable FIPS 140-2 on the BigFix Linux server, see the
-advRequireFIPScompliantCrypto
option described in Editing the Masthead on Linux systems.Note:
- When enabling the FIPS module, the OpenSSL library must be loaded at a static address to satisfy its own self tests.
- The most common error related to the FIPS mode startup occurs on AIX and HP-UX systems when there is not enough system entropy available for the Cryptographic Module.
- The FIPS Mode setting and the Message Level Encryption (MLE) setting are independent. You can set FIPS without setting the MLE and viceversa.
For information on Message Level Encryption see Message Level Encryption (MLE) Overview and Message Level Encryption and DSA