Enabling NIST SP800-131A compliance after you install the server
After you install the server by using the installer program, you can enable NIST SP800-131A compliance in a number of ways.
About this task
You must also make sure that the server certificate is compliant by following the prerequisites for NIST support. For more information about certificate prerequisites, see NIST SP800-131A compliance in BigFix Remote Control.
To enable NIST SP800-131A compliance after an automated BigFix® Remote Control Server installation, complete the following steps.
Procedure
- Choose the appropriate method for enabling the NIST configuration.
- Option 1
- Go to the tools directory that is in the server installation directory.
- Edit the trcsetup.cmd or trcsetup.sh file, depending on your operating system.
- In the line that calls the ssl.cmd or ssl.sh file, change the 0 that is before trc to a 1. Change the 0 that is at the end of the command to a 1 also. For example, the command before the change is:

  ...\tools\ssl.cmd" "C:\Program Files (x86)\IBM\Tivoli\TRC\server" 1 0 "C:\" "%CERTSTOREPW%" "servername.localnet" 0 trc "%CERSTOREPWSELF%" "TrC" "0"

  The command after the change is:

  ...\tools\ssl.cmd" "C:\Program Files (x86)\IBM\Tivoli\TRC\server" 1 0 "C:\" "%CERTSTOREPW%" "servername.localnet" 1 trc "%CERSTOREPWSELF%" "TrC" "1"
- Save the file.
- In the same directory, edit tmem.sh or tmem.cmd, depending on your operating system.
- Set NIST800=1. If FIPSON is not already set to 1, set FIPSON=1.
- Run the following command, where userid and password are the database connection credentials and certpassword is your certificate file password:

  trcsetup userid password certpassword

  Note: Derby does not have database credentials, so type userid and password literally in place of the credentials. Type the following command when you are using Derby:

  trcsetup userid password certpassword
- Option 2 - Temporary NIST configuration
- Note: The configuration changes set in this option are overwritten if you run the trcsetup or tmem files again.
- Edit the ssl.xml file that is in the [installdir]\wlp\usr\servers\trcserver directory, where [installdir] is the server installation directory.
- Add sslProtocol="TLSv1.2" to the line that begins <ssl id="defaultSSLConfig". For example:

  <server>
    <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />
    <keystore id="defaultKeyStore" password="TrCWebAS" />
  </server>
- Save the ssl.xml file.
- In the same directory, edit the jvm.options file.
- Add the following two lines:

  -Dcom.ibm.jsse2.sp800-131=strict
  -Dcom.ibm.jsse2.overrideDefaultTLS=true
- Save the file.
- Log on to the BigFix® Remote Control Server with a valid admin ID and password.
- Click
- In the common.properties file, set sp800131a.compliance to true.
- Click Submit.
- Click . Restart the server service. For more information about restarting the server service, see Manage the component services. Follow the steps in the section that is relevant to your operating system.
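Because the Option 2 settings are overwritten whenever trcsetup or tmem runs again, a read-only audit of the three files is useful after any maintenance. The following script is an added example, not product code or part of this documentation: it assumes the ssl.xml and jvm.options paths given above, takes the on-disk path of common.properties as a parameter (the page edits that file through the web UI and does not give its location), and builds a constructed sample install tree so it can run offline.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The two JVM flags the procedure above adds to jvm.options (Option 2).
REQUIRED_JVM_OPTIONS = {"-Dcom.ibm.jsse2.sp800-131=strict", "-Dcom.ibm.jsse2.overrideDefaultTLS=true"}

def audit_nist_config(installdir, common_properties):
    """Return a list of problems; an empty list means all three Option 2 settings are present.
    common_properties is the on-disk path of common.properties (assumed: the page edits that
    file through the web UI and does not say where it lives)."""
    server_dir = Path(installdir) / "wlp" / "usr" / "servers" / "trcserver"
    problems = []
    # 1. ssl.xml: the <ssl id="defaultSSLConfig"> element must carry sslProtocol="TLSv1.2".
    try:
        root = ET.parse(server_dir / "ssl.xml").getroot()
        ssl = next((e for e in root.iter("ssl") if e.get("id") == "defaultSSLConfig"), None)
        if ssl is None:
            problems.append('ssl.xml: no <ssl id="defaultSSLConfig"> element')
        elif ssl.get("sslProtocol") != "TLSv1.2":
            problems.append(f'ssl.xml: sslProtocol={ssl.get("sslProtocol")!r}, expected "TLSv1.2"')
    except (OSError, ET.ParseError) as exc:
        problems.append(f"ssl.xml: unreadable ({exc})")
    # 2. jvm.options: one option per line; both -D flags must be present.
    jvm_path = server_dir / "jvm.options"
    present = set(jvm_path.read_text().split()) if jvm_path.is_file() else set()
    problems += [f"jvm.options: missing {o}" for o in sorted(REQUIRED_JVM_OPTIONS - present)]
    # 3. common.properties: key=value lines, '#'/'!' comments; sp800131a.compliance must be true.
    props = {}
    if Path(common_properties).is_file():
        for line in Path(common_properties).read_text().splitlines():
            if line.strip() and not line.lstrip().startswith(("#", "!")) and "=" in line:
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
    if props.get("sp800131a.compliance", "").lower() != "true":
        problems.append("common.properties: sp800131a.compliance is not true")
    return problems

def make_sample_install(compliant):
    """Build a constructed sample tree (not a real server) so the audit can run offline."""
    base = Path(tempfile.mkdtemp())
    server_dir = base / "wlp" / "usr" / "servers" / "trcserver"
    server_dir.mkdir(parents=True)
    proto = ' sslProtocol="TLSv1.2"' if compliant else ""
    (server_dir / "ssl.xml").write_text(f'<server><ssl id="defaultSSLConfig"{proto} />'
                                        '<keystore id="defaultKeyStore" password="EXAMPLE" /></server>')
    (server_dir / "jvm.options").write_text("\n".join(sorted(REQUIRED_JVM_OPTIONS)) if compliant else "-Xmx1024m\n")
    (base / "common.properties").write_text(f"# constructed sample\nsp800131a.compliance={'true' if compliant else 'false'}\n")
    return base, base / "common.properties"
```

Run audit_nist_config against a real [installdir] and the real common.properties path; a non-empty result lists exactly which of the three settings has drifted.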
Results
Check to see whether the BigFix® Remote Control Server is configured for NIST SP800-131A by completing the following step.
- Click .
The following fields show that NIST SP800-131A compliance is enabled.
- Enabled NIST SP800-131A mode
- JVM configured for NIST SP800-131A mode