Home
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring passwords and encryption mechanisms
To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
Configuring database password encryption
Change the configuration of your locally stored database password to improve application security. Encrypt the password using AES encryption algorithm. This solution does not apply if you use Windows Authentication for the database access.

Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication.
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on
  Available from 9.2.1. You can now use the two-factor authentication and use single sign-on to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
  - Configuring security policy for user passwords
    Available from 9.2.7. If your company has a security policy for user passwords, or you want to improve the application security, you can configure BigFix Inventory to require that user passwords fulfill the policy requirements.
  - Configuring cryptographic keystore password and encryption
    Configure a unique password to the cryptographic keystore, and encrypt it with the AES encryption algorithm.
  - Configuring database password encryption
    Change the configuration of your locally stored database password to improve application security. Encrypt the password using AES encryption algorithm. This solution does not apply if you use Windows Authentication for the database access.
  - Improving security of storing VM manager passwords
    Available from 9.2.9. To improve security of storing passwords to VM managers, you can overwrite the default key that is used to encrypt the passwords or change the default password to the VM Manager Tool keystore. These two procedures are independent. You can change the encryption key, the keystore password or both, depending on your needs.
  - Changing the default secret key and password to the SAP Metric Data Collector keystore
    Available from 9.2.9. To improve security of encrypting the password to the SAP Metric Data Collector, you can change the default secret key or the default password to the SAP Metric Data Collector keystore. These two procedures are independent. You can change the secret key, the keystore password or both depending on your needs.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager Tool to accept trusted VM manager certificates
  By default, the VM Manager Tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager Tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.

Configuring database password encryption

Change the configuration of your locally stored database password to improve application security. Encrypt the password using AES encryption algorithm. This solution does not apply if you use Windows Authentication for the database access.

Procedure

Stop the BigFix Inventory server.
To encrypt your database password with AES, execute the following command.
Installation_directory/wlp/bin/securityUtility encode --encoding=aes
Installation_directory\wlp\bin\securityUtility.bat encode --encoding=aes
Provide your current database password.
```
Enter text:
Re-enter text:
{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX
```

Update the database password in the server.xml file. Enter the value generated in the previous step in the following code line:

DB2 database:

<properties.db2.jcc databaseName='temadb' driverType='4' enableExtendedIndicators='2' 
password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX' portNumber='50000' serverName='localhost' user='db2inst1'/>

MSSQL database

 <properties.microsoft.sqlserver databaseName='temadb' 
password='{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX'' serverName='localhost' user='sa'/>

The server.xml file is located in the following folder.

Installation_directory/wlp/usr/servers/server1
Installation_directory\wlp\usr\servers\server1

Update the database password in the database.yml file, located in the following folder.
- Installation_directory/wlp/usr/servers/server1/config
- Installation_directory\wlp\usr\servers\server1\config
Enter the value generated in the step 2 in the following code line.
```
encrypted_password: "{aes}xxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXXxxxxXXXX"
```
Start the BigFix Inventory server.