Enabling FIPS compliance on the controller
The BigFix® Remote Control controller is a Java™ application that requires a FIPS certified cryptographic provider when FIPS compliance is enabled. Only the IBM® Java™ Runtime Environment (JRE) is supported in FIPS-compliant mode.
About this task
The IBM® JRE for Windows® and Linux® (Intel®) operating systems is included with BigFix® Remote Control and is installed when you install the controller software.
If you are using a Windows® operating system, the JRE is included in the controller packages trc_controller_setup.exe and trc_controller.msi. For the Linux® operating system, the JRE is included in the package ibm-trc-controller-jre-9.x.x.i386.rpm, where 9.x.x is the version that you want to install. These packages install the IBM® Java™ Runtime Environment pre-configured with the IBM® FIPS certified cryptographic provider. They also register the MIME type application/x-ibm-trc-jws and a file association for *.trcjws files. The file types are used by the BigFix® Remote Control server in FIPS-compliant mode to start the controller. For more information about installation instructions for the controller, see Install the controller.
To enable FIPS compliance on the controller if you are not using the version of IBM® JRE supplied with BigFix® Remote Control, complete the following steps:
Procedure
- Edit the java.security file
- Windows® systems
- %JRE_HOME%\lib\security\java.security
Where %JRE_HOME% is the path to the directory where the Java™ Runtime Environment (JRE) is installed.
- Linux® / UNIX® systems
- $JRE_HOME/lib/security/java.security
Where $JRE_HOME is the path to the directory where the Java™ Runtime Environment (JRE) is installed.
- Modify the security.provider.x= list so that the following two entries are the first ones in the list:
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
Fix the number sequence of the other items in this list so that all items are numbered in sequence. For example,
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=org.apache.harmony.security.provider.PolicyProvider
security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
Note: Applies to all supported versions of the IBM® JVM.
- You must make a file association for the *.trcjws files before you start the first session with a target. Use the following commands:
- Windows® systems
- %JRE_HOME%\jre\bin\javaws
Where %JRE_HOME% is the path to the directory where the Java™ Runtime Environment (JRE) is installed.
- Linux® / UNIX® systems
- $JRE_HOME/jre/bin/javaws.exe
Where $JRE_HOME is the path to the directory where the Java™ Runtime Environment (JRE) is installed.
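A check for the java.security step of the procedure, added here as an example and not part of the BigFix® documentation or product: it parses the security.provider.N entries and reports when the two FIPS providers are not in positions 1 and 2 or when the numbering is not sequential. The function name and the sample inputs are constructed for illustration.

```python
import re
import sys

# The two FIPS providers the procedure requires at positions 1 and 2.
REQUIRED_FIRST = [
    "com.ibm.fips.jsse.IBMJSSEFIPS",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
]
# Matches active entries only; lines starting with '#' do not match.
_ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

# Constructed sample: FIPS providers not first, and index 3 commented out.
SAMPLE_BAD = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
#security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
"""
# Constructed sample: first four entries of the corrected list in the procedure.
SAMPLE_GOOD = """\
security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""

def check_provider_list(text):
    """Return a list of problems found in java.security content (empty = OK)."""
    providers, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ENTRY.match(line)
        if not m:
            continue
        num, cls = int(m.group(1)), m.group(2)
        if num in providers:
            problems.append(f"line {lineno}: duplicate index {num}")
        providers[num] = cls  # as in a properties file, the last value wins
    for pos, cls in enumerate(REQUIRED_FIRST, 1):
        if providers.get(pos) != cls:
            problems.append(f"security.provider.{pos} is {providers.get(pos)!r}, expected {cls}")
    # The procedure requires every entry to be numbered in sequence, with no gaps.
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append(f"indexes not sequential: {sorted(providers)}")
    return problems

if __name__ == "__main__":
    # Usage: pass the path to java.security; with no argument the bad sample is checked.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_BAD
    print("\n".join(check_provider_list(text)) or "OK: FIPS providers first, list sequential")
```

Run it against the edited java.security file before starting the first session; an empty result means the provider order matches the procedure.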
Results
Check to see whether the controller is configured for FIPS by completing the following step during a remote control session.
- Click in the controller window.
- Windows® systems
- [controller install dir]\trc_controller.cfg
Where [controller install dir] is the installation directory that is chosen when you install the controller.
- Linux® systems
- /opt/ibm/trc/controller/trc_controller.cfg