Home
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring database connection encryption
You can encrypt the connection between BigFix Inventory server and the BigFix Inventory database. Encryption is established between BigFix Inventory server and the database engine using a JDBC driver. You can encrypt the connection while upgrading the server.
Keystores
Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. BigFix Inventory uses below keystore and truststore files to enhance its security. They are located in <Installation_directory>/wlp/usr/servers/server1/resources/security directory.

Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring database connection encryption
  You can encrypt the connection between BigFix Inventory server and the BigFix Inventory database. Encryption is established between BigFix Inventory server and the database engine using a JDBC driver. You can encrypt the connection while upgrading the server.
  - Enabling database connection encryption for MS SQL for BigFix Inventory
    Configure the MS SQL Server with BigFix Inventory database to apply SSL-based encryption.
  - Enabling database connection encryption for DB2 for BigFix Inventory
    Configure the DB2 database to apply SSL based encryption.
  - Enabling the database connection encryption for Data Source
    Configure the connection to Data Source (BigFix Platform DB2 / MSSQL database) to apply SSL based encryption.
  - Keystores
    Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. BigFix Inventory uses below keystore and truststore files to enhance its security. They are located in <Installation_directory>/wlp/usr/servers/server1/resources/security directory.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol (LDAP) server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on (SSO)
  Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager tool to accept trusted VM manager certificates
  By default, the VM Manager tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.

Keystores

Keystores and truststores are repositories that contain cryptographic artifacts like certificates and private keys that are used for cryptographic protocols such as TLS. BigFix Inventory uses below keystore and truststore files to enhance its security. They are located in <Installation_directory>/wlp/usr/servers/server1/resources/security directory.

key_server.p12: This keystore stores BigFix Inventory server certificate. It is managed by BigFix Inventory server. If you want to configure the server certificate, refer to the instructions provided in Configuring secure communication.
keys_bf_db.p12: This truststore stores BigFix Platform database certificates. To add new certificate to this truststore, refer to the instructions provided in Enabling the database connection encryption for Data Source.
key_bfi_db.p12: This truststore stores BigFix Inventory database certificate. To add new certificate to this truststore, refer to the instructions provided in Enabling database connection encryption for MS SQL for BigFix Inventory or Enabling database connection encryption for DB2 for BigFix Inventory depending on your database type.
keys_ilmt.p12: This keystore stores keys for reports signing, PVU table signatures validation, database passwords and token encryptions. It is manager by BigFix Inventory server.
keys_vmmdc.p12: This keystore stores keys for VM Manager password management. It is managed by BigFix Inventory server.

You can also define your own keystore, such as a SSO keystore. For more information, refer to Configuring SSO keystore passwords and encryption.

To change the keystore password, refer to the instructions provided in Configuring cryptographic keystore password and encryption.

There are more keystore files specific to other BigFix Inventory tools, such as:

VM Manager tool keystore: Improving security of storing VM manager passwords
SAP Metric Data Collector keystore: Changing the default secret key and password to the SAP Metric Data Collector keystore
BigFix Inventory Container Solution keystores: For more information on Container solution, refer to Software discovery in containers.