Home
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring secure communication
To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication
Configuring Cipher suites
This topic describes how to manually select Cipher Suites that should be accepted by BigFix Inventory server.

Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring database connection encryption
  You can encrypt the connection between BigFix Inventory server and the BigFix Inventory database. Encryption is established between BigFix Inventory server and the database engine using a JDBC driver. You can encrypt the connection while upgrading the server.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication
  - Step 1: Creating private keys and certificates
    To improve security, create your own private key and a certificate instead of using the self-signed ones that are available in BigFix Inventory by default. You can use openSSL to create a private key and a certificate signing request (CSR) that can be transformed into a certificate after it is signed by a certificate authority (CA).
  - Step 2: Signing certificates
    Your certificate signing request (CSR) must be signed by a certificate authority (CA) to be transformed into a certificate that can be uploaded to BigFix Inventory. You can use the openSSL cryptographic library to create a private CA and sign your request.
  - Step 3: Enabling secure communication
    You can enable encrypted communication (HTTPS) to ensure secure communication between your server and all users that access it. You can base your communication on self-signed certificates that are provided by default in BigFix Inventory, but these certificates are not intended for production environments. To improve security, create your own private key and certificate, and upload them to BigFix Inventory.
  - Configuring Cipher suites
    This topic describes how to manually select Cipher Suites that should be accepted by BigFix Inventory server.
  - Structuring and formatting of private keys and certificates
  - Regenerating self-signed certificates
    BigFix Inventory allows you to regenerate self-signed certificate by setting the Common Name using BigFix Inventory server.
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol (LDAP) server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on (SSO)
  Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager tool to accept trusted VM manager certificates
  By default, the VM Manager tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.

Configuring Cipher suites

This topic describes how to manually select Cipher Suites that should be accepted by BigFix Inventory server.

About this task

The list of vulnerable Cipher Suites is updated regularly. Accepted cipher suites are updated with new Java service packs so that vulnerable ciphers are not included. You can manually select the ciphers that should be enabled to address security risks before it is addressed by Java service pack or to comply with the security policy.

Below is the recommendation based on internal security scans.

To select the list of accepted cipher suites, modify the installation_directory/wlp/usr/servers/server1/customization.xml file, to make the file contents look like below:

<server>
<ssl id="defaultSSLConfig" enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"/>
</server>

Restart BigFix Inventory application after you make the changes.