Enabling FIPS compliance on an automated server installation
About this task
To enable FIPS compliance on an automated BigFix® Remote Control Server installation, complete the following steps:
Procedure
- Edit the java.security file that is found in the following directory.
- Windows® systems
- %TRC_SERVER_PATH%\java\jre\lib\security\java.security
Where %TRC_SERVER_PATH% is the path for the installation directory for the BigFix® Remote Control Server.
- Linux® / UNIX® systems
- $TRC_SERVER_PATH/java/jre/lib/security/java.security
Where $TRC_SERVER_PATH is the path for the installation directory for the BigFix® Remote Control Server.
- Modify the security.provider.x= list so that the following entries are the first ones in the list:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
Fix the number sequence of the other items in this list so that all items are numbered in sequence. For example, the full list after the changes is as follows:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.11=sun.security.provider.Sun
- Save the file.
- Edit the jvm.options file and add a new line, -Dcom.ibm.jsse2.usefipsprovider=true.
- Windows® systems
- %TRC_SERVER_PATH%\wlp\usr\servers\trcserver\jvm.options
Where %TRC_SERVER_PATH% is the path for the installation directory for the BigFix® Remote Control Server.
- Linux® / UNIX® systems
- $TRC_SERVER_PATH/wlp/usr/servers/trcserver/jvm.options
Where $TRC_SERVER_PATH is the path for the installation directory for the BigFix® Remote Control Server.
- Log on to the BigFix® Remote Control Server with a valid admin ID and password.
- Click
- In the common.properties file set FIPS.compliance to true.
- Click Submit.
- Click . Restart the server service.
Results
Check to see whether the BigFix® Remote Control Server is configured for FIPS by completing the following step.
- Click .
The following fields show that FIPS compliance is enabled.
- Enabled FIPS mode: - The value of this field is determined by the FIPS.compliance property in the common.properties file.
- JVM configured for FIPS: - The value of this field is determined by the configuration of the JVM and the security providers that are listed in the java.security file.
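A file-level check for the two edits in the procedure above, useful in an automated installation before the server is restarted. This is an added example, not part of the product documentation: the function names are hypothetical and the sample file contents are constructed. It flags the common mistake of adding the FIPS entries without renumbering the rest of the list.

```python
import re

# The two entries the procedure puts at the top of the provider list.
REQUIRED_FIRST = [
    "com.ibm.fips.jsse.IBMJSSEFIPS",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
]
FIPS_JVM_OPTION = "-Dcom.ibm.jsse2.usefipsprovider=true"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def check_java_security(text):
    """Return a list of problems in the security.provider.N entries."""
    problems, providers = [], {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)  # lines commented out with '#' do not match
        if not m:
            continue
        num, name = int(m.group(1)), m.group(2)
        if num in providers:
            problems.append(f"duplicate security.provider.{num}")
        providers[num] = name  # as in a Java properties file, the later entry wins
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append("numbering is not a gap-free sequence starting at 1")
    for pos, want in enumerate(REQUIRED_FIRST, start=1):
        if providers.get(pos) != want:
            problems.append(f"security.provider.{pos} is not {want}")
    return problems

def check_jvm_options(text):
    """Return a list of problems in jvm.options (one option per line)."""
    if FIPS_JVM_OPTION in (line.strip() for line in text.splitlines()):
        return []
    return [f"missing {FIPS_JVM_OPTION}"]

# Constructed sample: FIPS entries added but the old entries were not renumbered.
NOT_RENUMBERED = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
"""

if __name__ == "__main__":
    for problem in check_java_security(NOT_RENUMBERED):
        print("java.security:", problem)
    # Constructed jvm.options content that lacks the FIPS option.
    for problem in check_jvm_options("-Xmx1024m\n"):
        print("jvm.options:", problem)
```

To check a real installation, pass the contents of the java.security and jvm.options files at the paths listed in the procedure; an empty list from both functions means the file edits match the documented steps.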