Enabling FIPS compliance on an automated server installation

About this task

To enable FIPS compliance on an automated IBM® BigFix® Remote Control Server installation, complete the following steps:

Procedure

  1. Edit the java.security file, which is in the following location.
    Windows® systems
    %TRC_SERVER_PATH%\java\jre\lib\security\java.security

    Where %TRC_SERVER_PATH% is the path for the installation directory for the IBM BigFix Remote Control Server.

    Linux® / UNIX® systems
    $TRC_SERVER_PATH/java/jre/lib/security/java.security

    Where $TRC_SERVER_PATH is the path for the installation directory for the IBM BigFix Remote Control Server.

  2. Modify the security.provider.x= list so the following entry is the first one in the list:

    security.provider.1=com.ibm.crypto.FIPS.provider.IBMJCEFIPS

    Renumber the other entries in this list so that all entries are numbered in sequence. For example, the full list after the changes is as follows:

    security.provider.1=com.ibm.crypto.FIPS.provider.IBMJCEFIPS
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.10=com.ibm.security.sasl.IBMSASL
    security.provider.11=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.12=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.13=org.apache.harmony.security.provider.PolicyProvider

  3. Save the file.
  4. Log on to the IBM BigFix Remote Control Server with a valid admin ID and password.
  5. Click Admin > Edit properties files.
  6. In the common.properties file set FIPS.compliance to true.
  7. Click Submit.
  8. Click Admin > Reset Application. Restart the server service.

Results

Check to see whether the IBM BigFix Remote Control Server is configured for FIPS by completing the following step.

  • Click Admin > View Current Server Status.

The following fields show that FIPS compliance is enabled.

  • Enabled FIPS mode: The value of this field is determined by the FIPS.compliance property in the common.properties file.
  • JVM configured for FIPS: The value of this field is determined by the configuration of the JVM and the security providers that are listed in the java.security file.
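
An offline check of the provider list edited in step 2, as an added example that is not part of the IBM documentation: it verifies that IBMJCEFIPS is entry 1 and that the numbering has no duplicates or gaps. The function name and the sample file contents are constructed for illustration.

```python
import re
import sys

# Provider class that step 2 places first in the list.
FIPS_PROVIDER = "com.ibm.crypto.FIPS.provider.IBMJCEFIPS"
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

def check_provider_list(text):
    """Return a list of problems in java.security content; empty means OK."""
    seen = {}        # provider number -> class name (a later duplicate overwrites)
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)   # lines commented out with '#' do not match
        if not m:
            continue
        num, cls = int(m.group(1)), m.group(2)
        if num in seen:
            problems.append(f"line {lineno}: security.provider.{num} defined twice")
        seen[num] = cls
    if not seen:
        return ["no security.provider.N entries found"]
    if seen.get(1) != FIPS_PROVIDER:
        problems.append(f"security.provider.1 is {seen.get(1)}, not {FIPS_PROVIDER}")
    missing = sorted(set(range(1, max(seen) + 1)) - set(seen))
    if missing:
        problems.append(f"numbering has gaps at: {missing}")
    return problems

# Constructed sample: FIPS provider added as 1 but the old entries not renumbered.
SAMPLE_BAD = """\
security.provider.1=com.ibm.crypto.FIPS.provider.IBMJCEFIPS
security.provider.1=com.ibm.crypto.provider.IBMJCE
#security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
"""
# First entries of the corrected list shown in step 2.
SAMPLE_GOOD = """\
security.provider.1=com.ibm.crypto.FIPS.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
"""

if __name__ == "__main__":
    # Pass the path to java.security; without one, the constructed bad sample is used.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_BAD
    for p in check_provider_list(text) or ["provider list OK"]:
        print(p)
```

Run it against the edited file after step 3 and before the restart in step 8, so that numbering mistakes are caught before the server reloads its configuration.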