SHA-256 task conversion

IBM BigFix version 9.1 provides the capability to follow the NIST security standards by configuring an enhanced security option. This setting enables SHA-256 as the hashing algorithm for digital signatures and content verification.

When the enhanced security mode is enabled, you can use the SHA-256 algorithm to verify the file download integrity. If you enable this option, SHA-256 downloads are required and all BigFix 9.1 components no longer process action downloads that only specify a SHA-1 hash. For more information about security configurations, see Security Configuration Scenarios.

BigFix for Software Distribution provides a method to convert tasks that were created using the Software Distribution dashboard from using the SHA-1 algorithm to the SHA-256 algorithm.
Note: If you created tasks outside of the Software Distribution Dashboard, you must manually update your custom content to include a SHA-256 hash.
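
For custom content created outside the dashboard, the manual update means adding a SHA-256 value to each download statement. The following Python sketch is an added example, not IBM code: it assumes the action-script form `prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]`, and the function name, sample script and payload are constructed for illustration. It checks that the local file still matches the recorded SHA-1 and size before appending the SHA-256, so a changed file is reported rather than re-hashed.

```python
import hashlib
import re

# Assumed layout of a download line in custom action script:
#   prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]
PREFETCH = re.compile(
    r"^\s*prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def add_sha256(script, payloads):
    """Return (new_script, problems); payloads maps download name -> file bytes."""
    out, problems = [], []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = PREFETCH.match(line)
        if not m or m["sha256"]:  # not a download line, or already converted
            out.append(line)
            continue
        data = payloads.get(m["name"])
        if data is None:
            problems.append(f"line {lineno}: no local copy of {m['name']}")
            out.append(line)
        elif (hashlib.sha1(data).hexdigest() != m["sha1"].lower()
              or len(data) != int(m["size"])):
            # Never attach a new hash to a file that differs from the recorded one.
            problems.append(f"line {lineno}: {m['name']} does not match recorded sha1/size")
            out.append(line)
        else:
            out.append(f"{line.rstrip()} sha256:{hashlib.sha256(data).hexdigest()}")
    return "\n".join(out), problems

# Constructed sample input (not real BigFix content).
SAMPLE_PAYLOAD = b"constructed installer bytes\n"
SAMPLE_SCRIPT = "\n".join([
    f"prefetch setup.exe sha1:{hashlib.sha1(SAMPLE_PAYLOAD).hexdigest()} "
    f"size:{len(SAMPLE_PAYLOAD)} http://example.invalid/setup.exe",
    "prefetch other.msi sha1:" + "0" * 40 + " size:10 http://example.invalid/other.msi",
    "wait __Download\\setup.exe /S",
])

if __name__ == "__main__":
    new_script, problems = add_sha256(
        SAMPLE_SCRIPT, {"setup.exe": SAMPLE_PAYLOAD, "other.msi": b"0123456789"})
    print(new_script)
    print("\n".join(problems))
```

Lines listed in `problems` still carry only a SHA-1 hash and need the original file located before they can be updated.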

A master operator can convert tasks that are created by all master operators, while a non-master operator can convert only the tasks that they created.

To convert SWD tasks that are still using SHA-1 validation, complete the following steps:
  1. Ensure that the enhanced security and SHA-256 downloads options are enabled from the IBM BigFix Administration Tool. For more information about setting the enhanced security option, see the following sources.
    Important: When you enable the enhanced security option, you configure a restricted security environment that might affect product performance. Also, you cannot roll back to a previous version of BigFix after the option is enabled. For more information, see Security Configuration Scenarios.
  2. From the Manage Software Distribution dashboard, click Settings.
  3. Click Sha256 Conversion to update existing content to include a SHA-256 hash.
    Note: The conversion might take several minutes to complete.
    Figure 1: Settings dialog
