Enabling SP800-131 compliance

You can set up a BigFix Inventory profile to meet the SP800-131 requirement issued by the National Institute of Standards and Technology (NIST).

Procedure

You can configure BigFix Inventory to run in SP800-131 strict or transition mode.
  • To configure the product to run in strict mode:
    1. Ensure that your server certificates meet the criteria for SP800-131.

      For more information about SP800-131, see the National Institute of Standards and Technology Special Publication 800-131A.

    2. Modify your HTTPS configuration to use the TLS version 1.2 protocol.
    3. Enable the Java Secure Socket Extension (JSSE) to run in SP800-131 strict mode: set the system property com.ibm.jsse2.sp800-131 to strict. The property must be set in the jvm.options file, which is in the installation_dir/wlp/usr/servers/server1 directory.
      Example:
      -Dcom.ibm.jsse2.sp800-131=strict
    Note: If your server certificates do not meet the criteria for SP800-131, or if the TLS version 1.2 protocol is not used, you cannot connect to BigFix Inventory after you restart the server. If that happens, remove the com.ibm.jsse2.sp800-131 property from the jvm.options file, or set the property to transition.
  • To configure the product to run in transition mode, enable JSSE to run in SP800-131 transition mode by setting the system property com.ibm.jsse2.sp800-131 to transition. The property must be set in the jvm.options file, which is in the installation_dir/wlp/usr/servers/server1 directory.
    Example:
    -Dcom.ibm.jsse2.sp800-131=transition
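
Before restarting the server, it helps to confirm which mode the jvm.options file will actually select. The following check is an added example, not part of the product: the function name sp800_mode and the sample file are hypothetical, and it assumes that when the property appears more than once the last occurrence takes effect.

```shell
#!/bin/sh
# Added example (not product code): report the SP800-131 mode that a
# jvm.options file selects. PROP is the property named in the procedure.
PROP='com.ibm.jsse2.sp800-131'

# sp800_mode FILE
#   prints: strict | transition | unset | unrecognized:<value> | unreadable
#   returns 0 for strict/transition/unset, 1 for unrecognized, 2 if unreadable
sp800_mode() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    value=$(awk -v key="-D${PROP}=" '
        # Normalise the line: drop a Windows CR, trim surrounding blanks.
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        # Commented-out settings have no effect.
        /^#/ { next }
        # Assumption: a repeated property is overridden by the last one.
        index($0, key) == 1 { v = substr($0, length(key) + 1); seen = 1 }
        END { if (seen) print v; else print "__unset__" }
    ' "$1")
    case $value in
        strict|transition) echo "$value" ;;
        __unset__)         echo unset ;;
        # Only the two values named in the procedure are accepted here.
        *)                 echo "unrecognized:$value"; return 1 ;;
    esac
}

# Constructed sample: one commented-out line, then two live settings.
demo=$(mktemp)
printf '%s\n' '# -Dcom.ibm.jsse2.sp800-131=strict' \
    '-Xmx2g' \
    '-Dcom.ibm.jsse2.sp800-131=strict' \
    '-Dcom.ibm.jsse2.sp800-131=transition' > "$demo"
echo "effective mode: $(sp800_mode "$demo")"
rm -f "$demo"
```

Run it against installation_dir/wlp/usr/servers/server1/jvm.options; an unset or unrecognized result means the server is not running in the mode you intended.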