Security Configuration Scenarios

Starting from V9.1 BigFix provides the capability to follow the NIST security standards by configuring an enhanced security option. This setting enables SHA-256 as the hashing algorithm for digital signatures as well as content verification. It also enables the TLS 1.2 communication among the BigFix components.

You can set the enhanced security option only after you install or upgrade all the BigFix components to V9.1 or above. If you have a mixed environment, to keep the product compatibility with BigFix components earlier than V9.1, do not set the enhanced security option or, before setting it, upgrade the BigFix components to V9.1 or above.

Note: When you set this option you configure a very restricted security environment and the product performance might get worse. You can enable or disable this security setting at any time by editing the masthead file. For additional information see Editing the Masthead on Windows systems and Editing the Masthead on Linux systems.

In addition to the enhanced security setting, you can set a check for verifying the file download integrity using the SHA-256 algorithm. If you do not set this option, the file download integrity check is run using the SHA-1 algorithm. This option can be set only if you set the enhanced security option and, therefore, only if all the BigFix components are V9.1 or above.

In a complex environment, you can enable the enhanced security option, only after all the DSA servers are upgraded to BigFix V9.1 or above and have got a new license.

Important: After you turn on the enhanced security option, you cannot roll back to a version of BigFix earlier than V9.1, even if you turn the option off. However, when needed, you can run a disaster recovery restore from BigFix V9.1 or above to the same version regardless of the enhanced security option setting. For additional information see Running backup and restore.