Enabling NIST SP800-131A compliance after you install the server

After you install the server by using the installer program, you can enable NIST SP800-131A compliance in a number of ways.

About this task

If you did not already enable FIPS, you must enable it first. For more information about enabling FIPS after you install the server, see Enabling FIPS compliance on an automated server installation.

You must also make sure that the server certificate is compliant by ensuring that you follow the prerequisites for NIST support. For more information about certificate prerequisites, see NIST SP800-131A compliance in BigFix Remote Control.

To enable NIST SP800-131A compliance after an automated BigFix® Remote Control Server installation, complete the following steps.

Procedure

  1. Choose the appropriate method for enabling the NIST configuration.
    Option 1
    1. Go to the tools directory that is in the server installation directory.
    2. Edit the trcsetup.cmd or trcsetup.sh file, depending on your operating system.
    3. In the line that calls the ssl.cmd or ssl.sh file, change the 0 that immediately precedes trc to a 1, and change the 0 at the end of the command to a 1 as well. For example,

      The command before the change is,

      ...\tools\ssl.cmd" "C:\Program Files (x86)\IBM\Tivoli\TRC\server"
       1 0 "C:\" "%CERTSTOREPW%" "servername.localnet" 0 trc
       "%CERSTOREPWSELF%" "TrC" "0"

      The command after the change is,

      ...\tools\ssl.cmd" "C:\Program Files (x86)\IBM\Tivoli\TRC\server"
       1 0 "C:\" "%CERTSTOREPW%" "servername.localnet" 1 trc
       "%CERSTOREPWSELF%" "TrC" "1"
    4. Save the file.
    5. In the same directory, edit tmem.sh or tmem.cmd, depending on your operating system.
    6. Set NIST800=1. Set FIPSON=1 if it is not already set.
    7. Run the following command.
      trcsetup userid password certpassword
      
      Where userid and password are the database connection credentials and certpassword is your certificate file password.
      Note: Derby does not use database credentials, so enter the literal values userid and password in place of the credentials. When you are using Derby, type the following command.
      trcsetup userid password certpassword
    Option 2 - Temporary NIST configuration
    Note: The configuration changes set in this option are overwritten if you run the trcsetup or tmem files again.
    1. Edit the ssl.xml file that is in the [installdir]\wlp\usr\servers\trcserver directory, where [installdir] is the server installation directory.
    2. Add sslProtocol="TLSv1.2" to the line ssl id="defaultSSLConfig". For example,
      <server>
        <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
        <keystore id="defaultKeyStore" password="TrCWebAS" />
      </server>
    3. Save the ssl.xml file.
    4. In the same directory, edit the jvm.options file.
    5. Add the following two lines to the file.
      -Dcom.ibm.jsse2.sp800-131=strict
      -Dcom.ibm.jsse2.overrideDefaultTLS=true
    6. Save the file.
  2. Log on to the BigFix® Remote Control Server with a valid admin ID and password.
  3. Click Admin > Edit properties files.
  4. In the common.properties file, set sp800131a.compliance to true.
  5. Click Submit.
  6. Click Admin > Reset Application. Restart the server service.
    For more information about restarting the server service, see Manage the component services. Follow the steps in the section that is relevant to your operating system.
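The file edits in the procedure above can be audited from disk before the server is restarted. The following checker is an added example, not part of the BigFix Remote Control product: it reads tmem.sh or tmem.cmd, ssl.xml and jvm.options from the locations the procedure names and reports each required setting as present or missing. It assumes that tmem.cmd sets its values with `set NAME=1`, and it leaves out common.properties because the page does not give its on-disk path; the sample install tree it builds is constructed for the demonstration.

```python
# Added example, not product code; common.properties omitted (page gives no path).
import re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

TRCSERVER = Path("wlp/usr/servers/trcserver")
JVM_FLAGS = ("-Dcom.ibm.jsse2.sp800-131=strict",
             "-Dcom.ibm.jsse2.overrideDefaultTLS=true")

def _read(installdir, *candidates):
    """Text of the first candidate file that exists under installdir, else ''."""
    for rel in candidates:
        p = installdir / rel
        if p.is_file():
            return p.read_text(encoding="utf-8", errors="replace")
    return ""

def audit(installdir: Path) -> dict:
    """Map each required setting to True (present) or False (missing)."""
    tmem = _read(installdir, "tools/tmem.sh", "tools/tmem.cmd")
    # tmem.sh uses NAME=1; tmem.cmd is assumed to use 'set NAME=1'. Accept either.
    flag = lambda n: re.search(rf"^\s*(?:set\s+)?{n}=1\s*$", tmem, re.M) is not None
    ssl_ok = False
    try:  # a missing or malformed ssl.xml counts as non-compliant
        for ssl in ET.fromstring(_read(installdir, TRCSERVER / "ssl.xml")).iter("ssl"):
            if ssl.get("id") == "defaultSSLConfig":
                ssl_ok = ssl.get("sslProtocol") == "TLSv1.2"
    except ET.ParseError:
        pass
    jvm = {l.strip() for l in _read(installdir, TRCSERVER / "jvm.options").splitlines()}
    return {"tmem NIST800=1": flag("NIST800"), "tmem FIPSON=1": flag("FIPSON"),
            "ssl.xml defaultSSLConfig TLSv1.2": ssl_ok,
            **{f"jvm.options {f}": f in jvm for f in JVM_FLAGS}}

def build_sample_install(missing_override=False) -> Path:
    """Constructed install tree in a temp dir (not a real product install)."""
    base = Path(tempfile.mkdtemp())
    (base / "tools").mkdir()
    (base / TRCSERVER).mkdir(parents=True)
    (base / "tools/tmem.sh").write_text("#!/bin/sh\nFIPSON=1\nNIST800=1\n")
    (base / TRCSERVER / "ssl.xml").write_text(
        '<server>\n<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"\n/>\n'
        '<keystore id="defaultKeyStore" password="TrCWebAS"\n/>\n</server>\n')
    flags = JVM_FLAGS[:1] if missing_override else JVM_FLAGS
    (base / TRCSERVER / "jvm.options").write_text("\n".join(flags) + "\n")
    return base

if __name__ == "__main__":
    for label, ok in audit(build_sample_install(missing_override=True)).items():
        print("PASS" if ok else "FAIL", label)
```

Point audit() at a real server installation directory to check it; the sample run deliberately omits the overrideDefaultTLS line so that one FAIL row is shown.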

Results

Check to see whether the BigFix® Remote Control Server is configured for NIST SP800-131A by completing the following step.

  • Click Admin > View Current Server Status.

The following fields show that NIST SP800-131A compliance is enabled.

  • Enabled NIST SP800-131A mode
  • JVM configured for NIST SP800-131A mode