Enabling FIPS compliance on the controller

The IBM® BigFix® Remote Control controller is a Java™ application that requires a FIPS certified cryptographic provider when FIPS compliance is enabled. Only the IBM Java Runtime Environment (JRE) is supported in FIPS-compliant mode.

About this task

The IBM JRE for Windows® and Linux® (Intel®) operating systems is included with IBM BigFix Remote Control and is installed when you install the controller software.

On Windows operating systems, the JRE is included in the controller packages trc_controller_setup.exe and trc_controller.msi. On Linux operating systems, the JRE is included in the package ibm-trc-controller-jre-9.x.x.i386.rpm, where 9.x.x is the version that you want to install, for example 9.1.0. These packages install the IBM Java Runtime Environment pre-configured with the IBM FIPS certified cryptographic provider. They also register the MIME type application/x-ibm-trc-jws and a file association for *.trcjws files. The IBM BigFix Remote Control server uses these file types in FIPS-compliant mode to start the controller. For installation instructions for the controller, see Install the controller.

If you use a different installation of the IBM JRE, the IBM BigFix Remote Control controller uses the FIPS-compliant cryptographic module that is included with the IBM Java virtual machine, and you must modify the settings of the JVM (Java virtual machine) that runs the controller to enable FIPS mode. The change is not confined to the controller: because the JVM selects security providers in the order in which they appear in the java.security file, any other Java application that runs on that JVM also uses the FIPS provider first, followed by the other security providers that are listed in the file.
Note: Enabling FIPS on the controller is not supported if you are using an Oracle JVM.

To enable FIPS compliance on the controller if you are not using the version of IBM JRE supplied with IBM BigFix Remote Control, complete the following steps:

Procedure

  1. Edit the java.security file
    Windows systems
    %JRE_HOME%\lib\security\java.security

Where %JRE_HOME% is the path to the directory where the Java virtual machine's Java Runtime Environment (JRE) is installed.

    Linux / UNIX® systems
    $JRE_HOME/lib/security/java.security

Where $JRE_HOME is the path to the directory where the Java virtual machine's Java Runtime Environment (JRE) is installed.

  2. Modify the security.provider.x= list so that the following two entries are the first ones in the list:

    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS

    Fix the number sequence of the other items in this list so that all items are numbered in sequence. For example,

    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=org.apache.harmony.security.provider.PolicyProvider
    security.provider.11=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

    Note:
    1. Applies to all supported versions of the IBM JVM.
    2. You must make a file association for the *.trcjws files before you start the first session with a target. Use the following command for your platform, running the Java Web Start launcher from the JRE that you configured:
      Windows systems
      %JRE_HOME%\jre\bin\javaws.exe

      Where %JRE_HOME% is the path to the directory where the Java virtual machine's Java Runtime Environment (JRE) is installed.

      Linux / UNIX systems
      $JRE_HOME/jre/bin/javaws

      Where $JRE_HOME is the path to the directory where the Java virtual machine's Java Runtime Environment (JRE) is installed.

  3. Edit the trc_controller.cfg file on the system that the controller is installed on.
    Note: This step is required only if you run the controller locally to establish peer-to-peer sessions. For details of installing the controller on your local system, see Install the controller.

    Windows systems
    [controller install dir]\trc_controller.cfg

    Where [controller install dir] is the installation directory that is chosen when you install the controller.

    Linux systems
    /opt/ibm/trc/controller/trc_controller.cfg

    Set the fips.compliance property to true and save the file.

Results

Check whether the controller is configured for FIPS by completing the following step during a remote control session.

  • Click Controller tools > Show session information in the controller window.
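The java.security edit from the Procedure above and the fips.compliance setting in trc_controller.cfg, as a script. This is an added example and is not part of the IBM BigFix Remote Control product or its documentation. It assumes the classic numbered security.provider.N= form shown in the Procedure, takes the two file paths from the command line, and the sample file contents embedded in it are constructed for illustration only. The provider rewrite is idempotent, so it can be run again after a JRE update replaces java.security.

```python
"""Put the IBM FIPS providers first in java.security and set fips.compliance=true
in trc_controller.cfg. Added example, not IBM product code; the sample file
contents below are constructed for illustration."""
import re
import sys

# Provider class names exactly as listed in step 2 of the procedure.
FIPS_PROVIDERS = (
    "com.ibm.fips.jsse.IBMJSSEFIPS",
    "com.ibm.crypto.fips.provider.IBMJCEFIPS",
)
# Classic numbered form: security.provider.<n>=<class>
_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def reorder_providers(text):
    """Return java.security text with the FIPS providers as entries 1 and 2.

    Existing provider lines are collected in numeric order, FIPS entries that
    are already present are dropped (so the edit is idempotent), the FIPS
    providers are prepended, and the list is renumbered 1..N with no gaps.
    Other lines are kept; the list is written where the first provider was."""
    kept, providers, first_idx = [], [], None
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line)
        if m is None:
            kept.append(line)
            continue
        if first_idx is None:
            first_idx = len(kept)
        providers.append((int(m.group(1)), m.group(2)))
    if first_idx is None:
        raise ValueError("no security.provider.N entries found")
    providers.sort(key=lambda p: p[0])
    ordered = list(FIPS_PROVIDERS)
    ordered += [cls for _, cls in providers if cls not in FIPS_PROVIDERS]
    kept[first_idx:first_idx] = ["security.provider.%d=%s" % (n, cls)
                                 for n, cls in enumerate(ordered, start=1)]
    return "\n".join(kept) + "\n"


def fips_providers_first(text):
    """True if entries 1 and 2 are the FIPS providers and the numbering is
    1..N with no gaps. Use it to check java.security after editing."""
    entries = sorted((int(m.group(1)), m.group(2))
                     for m in map(_PROVIDER_RE.match, text.splitlines()) if m)
    nums = [n for n, _ in entries]
    return (nums == list(range(1, len(nums) + 1))
            and tuple(cls for _, cls in entries[:2]) == FIPS_PROVIDERS)


def set_property(text, key, value):
    """Set key=value in a Java properties file: the first active assignment is
    replaced, later duplicates are dropped, and a missing key is appended."""
    key_re = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    out, done = [], False
    for line in text.splitlines():
        if key_re.match(line):
            if not done:
                out.append("%s=%s" % (key, value))
                done = True
            continue
        out.append(line)
    if not done:
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


# Constructed excerpt of an IBM JRE java.security file before the change.
SAMPLE_JAVA_SECURITY = """\
# constructed sample
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

securerandom.source=file:/dev/urandom
"""
# Constructed excerpt of trc_controller.cfg before the change.
SAMPLE_CONTROLLER_CFG = "# constructed sample\nfips.compliance=false\n"


if __name__ == "__main__":  # usage: fips_controller.py JAVA_SECURITY TRC_CONTROLLER_CFG
    for path, edit in ((sys.argv[1], reorder_providers),
                       (sys.argv[2], lambda t: set_property(t, "fips.compliance", "true"))):
        with open(path, encoding="utf-8") as f:
            updated = edit(f.read())
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    with open(sys.argv[1], encoding="utf-8") as f:
        if not fips_providers_first(f.read()):
            sys.exit("java.security is not in FIPS provider order after the rewrite")
```

Take a copy of both files before running the script, because it rewrites java.security for every application that uses that JRE, not only the controller. After the rewrite, restart the controller and confirm the result in a session with Controller tools > Show session information; the effective provider order of the JVM itself can also be inspected from Java code with java.security.Security.getProviders(), whose first element must be the IBMJSSEFIPS provider.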