Home
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring and enabling single sign-on
Available from 9.2.1. You can now use the two-factor authentication and use single sign-on to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
Option 2: Configuring SSO based on LTPA
You can configure single sign-on based on IBM Lightweight Third-Party Authentication(LTPA)with ® IBM Security Access Manager for Web.
Step 5: Configuring a virtual junction
A virtual host junction is a mount point for specific content that is located on the WebSEAL server.

Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication.
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on
  Available from 9.2.1. You can now use the two-factor authentication and use single sign-on to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
  - Option 1: Configuring single sign-on based on Security Assertion Markup Language token
    You can configure single sign-on based on a Security Access Markup Language (SAML 2.0) token and an external Identity Provider server.
  - Option 2: Configuring SSO based on LTPA
    You can configure single sign-on based on IBM Lightweight Third-Party Authentication(LTPA)with ® IBM Security Access Manager for Web.
    - Step 1: Exporting the LDAP server SSL certificate embedded in BigFix Security Access Manager
      You must export the certificate from the LDAP server embedded in IBM Security Access Manager (ISAM) to be able to configure the single sign-on in the BigFix Inventory web user interface.
    - Step 2: Configuring LTPA single sign-on
      You can use the Single Sign-On Settings pane to configure IBM Lightweight Third-Party Authentication (LTPA) settings in BigFix Inventory.
    - Step 3: Importing LTPA keys into BigFix® Security Access Manager
      You must import the LTPA keys into IBM® Security Access Manager to add BigFix Inventory to the trusted list.
    - Step 4: Importing the BigFix Inventory server certificate into IBM® Security Access Manager
      Import the BigFix Inventory server certificate into BigFix® Security Access Manager for Web to establish trusted server-to-server communication.
    - Step 5: Configuring a virtual junction
      A virtual host junction is a mount point for specific content that is located on the WebSEAL server.
    - Step 6: Enabling the LTPA single sign-on
      As the final step, enable single sign-on in BigFix Inventory web user interface.
    - Optional: Updating the WebUI shortcut
      You might need to edit the WebUI shortcut if you installed or upgraded to BigFix Inventory 9.2.1 and you also enabled single sign-on using LTPA. This URL is defined in the WebUI file that is in the following location: C:\Program Files\BigFix Enterprise\BFI\admin\resources\WebUI.
    - Optional: Reverting disabled SSO configuration for LTPA
      You can revert to the default LTPA SSO configuration with single sign-on disabled if there are problems with logging in to the application.
  - Creating single sign-on users
    To complete an authentication process through single sign-on, you must create users that can later log in to BigFix Inventory.
  - Logging out of the BigFix Inventory server
    To log out of the BigFix Inventory user interface, simply clear your browser history and restart the browser.
  - Disabling the single sign-on configuration
    You can disable the SSO configuration on the Single Sign-on Settings pane.
  - Deleting the single sign-on configuration
    You can delete the SSO configuration on the Single Sign-on Settings pane.
  - Modifying port in BigFix Inventory that has single sign-on enabled
    Modifying the port number on the Server Settings pane in BigFix Inventory while single sign-on is enabled invalidates the single sign-on configuration. To properly modify the port, you must repeat the single sign-on configuration steps.
  - Configuring SSO keystore passwords and encryption
    Configure unique passwords to the SSO keystores, and encrypt them with the AES encryption algorithm.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager Tool to accept trusted VM manager certificates
  By default, the VM Manager Tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager Tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.

Step 5: Configuring a virtual junction

A virtual host junction is a mount point for specific content that is located on the WebSEAL server.

Before you begin

Ensure that the HTTPS port of the reverse proxy in BigFix Security Access Manager for web is set to 9081, which is the port number used by BigFix Inventory server. If the port is not set to this value, REST API might not work. To configure this port for the proxy server:

In the IBM Security Access Manager user interface, click Secure Web Settings and then, under Manage click Reverse Proxy.
Select the default proxy and click Edit.
In the Reverse Proxy Basic Configuration - default window, on the Server tab, provide 9081 as the value of the HTTPS Port and click Save.

Procedure

Log on to BigFix® Security Access Manager.
In the top navigation bar, click Secure Web Settings > Manage > Reverse Proxy.
Select the instance and then, from the drop-down list on the right of the Reverse Proxy bar, select Manage > Junction Management. A new pane opens.
From the drop-down list in the upper-left corner of the pane, click New > Virtual Junction.
On the new pane, specify the junction label, Virtual Host, Virtual Host Port, and SSL as the Junction Type, and click Save.
Configure a backend server for this junction: Click the Servers tab and then click New.
Specify the IP address or host name of the BigFix Inventory server and click Save.
Click the Identity tab and select all the items under HTTP Header Identity Information.
Click the SSO and LTPA tab and select the following entries.
- Enable LTPA cookie support
- Use Version 2 Cookies
From the LTPA Keyfile drop-down list, select the file that you into IBM Security Access Manager and in the next field provide the LTPA keyfile password.
Click the General tab and leave all the default configuration unchanged.
Click Save to save the configuration and exit the wizard.
Click Cancel to exit the Junction Management - default pane.