Home
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Assuring compliance with federal encryption standards
You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
Enabling SP800-131 compliance
You can set up a BigFix Inventory profile to meet the SP800-131 requirement that is originated by the National Institute of Standards and Technology (NIST).

Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication.
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
  - Federal Information Processing Standard 140-2
    Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems.
  - Configuring the server to achieve FIPS compliance
    You can assure compliance with the FIPS 140-2 standard by modifying the configuration properties for the underlying application server.
  - SP800-131 compliance
    SP800-131 requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable users to move to a strict enforcement of SP800-131.
  - Enabling SP800-131 compliance
    You can set up a BigFix Inventory profile to meet the SP800-131 requirement that is originated by the National Institute of Standards and Technology (NIST).
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on
  Available from 9.2.1. You can now use the two-factor authentication and use single sign-on to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager Tool to accept trusted VM manager certificates
  By default, the VM Manager Tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager Tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.

Enabling SP800-131 compliance

You can set up a BigFix Inventory profile to meet the SP800-131 requirement that is originated by the National Institute of Standards and Technology (NIST).

Procedure

You can configure BigFix Inventory to run in SP800-131 strict or transition mode.

To configure the product to run in strict mode:
1. Ensure that your server certificates meet the criteria for SP800-131.
  For more information about SP800-131, see the National Institute of Standards and Technology Special Publication 800-131A.
2. Modify your HTTPS configuration to use the TLS version 1.2 protocol.
3. Enable the Java Secure Socket Extension (JSSE) to run in SP800-131 strict mode: set the system property com.ibm.jsse2.sp800-131 to strict. The property must be set in the jvm.options file, which is in the installation_dir/wlp/usr/servers/server1 directory.
  Example:
```
-Dcom.ibm.jsse2.sp800-131=strict
```
Note: If your server certificates do not meet the criteria for SP800-131 or if the TLS version 1.2 protocol is not used, then after you restart the server you are not able to connect to BigFix Inventory. In this event, you can remove the com.ibm.jsse2.sp800-131 property from the jvm.options file, or set the property to transition.
To configure the product to run in transition mode, enable JSSE to run in SP800-131 transition mode by setting the system property com.ibm.jsse2.sp800-131 to transition. The property must be set in the jvm.options file, which is in the installation_dir/wlp/usr/servers/server1 directory.
Example:
```
-Dcom.ibm.jsse2.sp800-131=transition
```