NIST SP800-131A compliance in IBM BigFix Remote Control
IBM® BigFix® Remote Control version 9.1.0 components can be configured for NIST SP800-131A compliance.
The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-131A standard strengthens algorithms and increases the cryptographic key lengths to improve security.
The following prerequisites are required:
- Ensure that all keys have a security strength of at least 112 bits. RSA keys must be at least 2048 bits.
- Ensure that all certificates are created with the new key strengths. Any RSA certificates that use keys shorter than 2048 bits must be replaced with a certificate that uses 2048-bit keys or higher.
- Ensure that all certificates are signed with an allowed signature algorithm, SHA-2 at minimum.
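One way to check a certificate against the RSA key length and SHA-2 signature prerequisites is to inspect its OpenSSL text dump. The following is an added example, not IBM code or part of the product; the function name `check_sp800_131a` and the sample dumps are constructed for illustration, and anything the check does not recognise is reported as FAIL for manual review.

```shell
#!/bin/sh
# Added example (not IBM code). Pipe in a certificate's text dump:
#   openssl x509 -in <cert.pem> -noout -text | check_sp800_131a
# Prints one PASS/FAIL line per prerequisite; exit status 0 only if all pass.
check_sp800_131a() (
    text=$(cat)
    rc=0
    # The first "Signature Algorithm:" line names the algorithm used to sign.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)

    # Prerequisite: signed with SHA-2 at minimum (rejects MD5 and SHA-1).
    if printf '%s\n' "$sig" | grep -Eiq 'sha(224|256|384|512)'; then
        echo "PASS signature: $sig"
    else
        echo "FAIL signature: ${sig:-not found} (SHA-2 required)"
        rc=1
    fi

    # Prerequisite: RSA keys must be at least 2048 bits.
    case "$alg" in
        rsaEncryption)
            if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
                echo "PASS key: RSA $bits bits"
            else
                echo "FAIL key: RSA ${bits:-unknown} bits (2048 required)"
                rc=1
            fi ;;
        *)
            # The page gives a bit length only for RSA, so other key
            # types are flagged for manual review rather than guessed at.
            echo "FAIL key: ${alg:-not found} needs manual review"
            rc=1 ;;
    esac
    exit "$rc"
)

# Constructed, abbreviated dumps for demonstration (not real certificates).
SAMPLE_OK='    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
SAMPLE_WEAK='    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
```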
When you enable NIST SP800-131A compliance, the TLSv1.2 protocol is used for providing secure connections. Therefore, you must ensure that your browser is compatible.
Browser | TLSv1.2 not supported | TLSv1.2 supported but disabled by default | TLSv1.2 supported and enabled by default |
---|---|---|---|
Internet Explorer | All versions of IE on Windows™ XP and Windows Vista operating systems (IE6, IE7, IE8, IE9) | IE8, IE9, IE10 on Windows 7 and Windows 8 operating systems | IE11 on Windows 7 operating system and later |
Firefox | <24 | 24 | None |
Compliance with NIST SP800-131A also requires that the cryptographic provider is FIPS 140-2 certified. When SP800-131A compliance is enabled, FIPS 140-2 compliance is enabled automatically, even when it is disabled in the settings.
For NIST SP800-131A compliance, you must configure all your components. There is no compatibility with earlier versions of the components.
Note: There is no support for NIST SP800-131A with Oracle JVMs. Therefore, to take advantage of the NIST support, you must install the stand-alone controller component.