Enabling FIPS compliance on an automated server installation

About this task

To enable FIPS compliance on an automated BigFix® Remote Control Server installation, complete the following steps:

Procedure

  1. Edit the java.security file, which is in the following location.
    Windows® systems
    %TRC_SERVER_PATH%\java\jre\lib\security\java.security

    Where %TRC_SERVER_PATH% is the path for the installation directory for the BigFix® Remote Control Server.

    Linux® / UNIX® systems
    $TRC_SERVER_PATH/java/jre/lib/security/java.security

    Where $TRC_SERVER_PATH is the path for the installation directory for the BigFix® Remote Control Server.

  2. Modify the security.provider.x= list so that the following entries are the first two in the list:

    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS

    Fix the number sequence of the other items in this list so that all items are numbered in sequence. For example, the full list after the changes is as follows:

    security.provider.1=com.ibm.fips.jsse.IBMJSSEFIPS
    security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
    security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    security.provider.11=sun.security.provider.Sun

  3. Save the file.
  4. Edit the jvm.options file and add a new line, -Dcom.ibm.jsse2.usefipsprovider=true.
    Windows® systems
    %TRC_SERVER_PATH%\wlp\usr\servers\trcserver\jvm.options

    Where %TRC_SERVER_PATH% is the path for the installation directory for the BigFix® Remote Control Server.

    Linux® / UNIX® systems
    $TRC_SERVER_PATH/wlp/usr/servers/trcserver/jvm.options

    Where $TRC_SERVER_PATH is the path for the installation directory for the BigFix® Remote Control Server.

  5. Log on to the BigFix® Remote Control Server with a valid admin ID and password.
  6. Click Admin > Edit properties files.
  7. In the common.properties file, set FIPS.compliance to true.
  8. Click Submit.
  9. Click Admin > Reset Application. Restart the server service.

Results

Check to see whether the BigFix® Remote Control Server is configured for FIPS by completing the following step.

  • Click Admin > View Current Server Status.

The following fields show that FIPS compliance is enabled.

  • Enabled FIPS mode: The value of this field is determined by the FIPS.compliance property in the common.properties file.
  • JVM configured for FIPS: The value of this field is determined by the configuration of the JVM and the security providers that are listed in the java.security file.
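The two file edits from steps 2 and 4 can also be checked directly on disk. The following Python script is an added example, not part of the product or its documentation; the function names are its own, and it assumes the installation directory is passed as the first argument or set in a TRC_SERVER_PATH environment variable. It reports duplicate or non-sequential security.provider.N indexes, FIPS providers that are not in positions 1 and 2, and a missing JVM option.

```python
import os
import re
import sys

# Values from steps 2 and 4 of the procedure.
FIPS_FIRST = ["com.ibm.fips.jsse.IBMJSSEFIPS",
              "com.ibm.crypto.fips.provider.IBMJCEFIPS"]
JVM_FLAG = "-Dcom.ibm.jsse2.usefipsprovider=true"
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def check_java_security(text):
    """Return a list of problems in the security.provider.N list."""
    problems, providers = [], {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)  # lines commented out with '#' do not match
        if not m:
            continue
        n, name = int(m.group(1)), m.group(2)
        if n in providers:  # e.g. FIPS lines added without renumbering the rest
            problems.append(f"duplicate index {n}: {providers[n]} and {name}")
        providers[n] = name
    # Step 2: items numbered in sequence from 1, with the two FIPS providers first.
    if sorted(providers) != list(range(1, len(providers) + 1)):
        problems.append(f"indexes not sequential: {sorted(providers)}")
    for pos, want in enumerate(FIPS_FIRST, start=1):
        if providers.get(pos) != want:
            problems.append(f"security.provider.{pos} is {providers.get(pos)}, expected {want}")
    return problems

def check_jvm_options(text):
    """Return a list of problems in jvm.options (the flag must be a line of its own)."""
    lines = [line.strip() for line in text.splitlines()]
    return [] if JVM_FLAG in lines else [f"missing line: {JVM_FLAG}"]

if __name__ == "__main__":
    # Assumption: install directory given as argument 1 or in env var TRC_SERVER_PATH.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TRC_SERVER_PATH", ".")
    targets = {("java", "jre", "lib", "security", "java.security"): check_java_security,
               ("wlp", "usr", "servers", "trcserver", "jvm.options"): check_jvm_options}
    found = []
    for parts, check in targets.items():
        path = os.path.join(root, *parts)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found += [f"{path}: {p}" for p in check(fh.read())]
        except OSError as exc:
            found.append(f"{path}: cannot read ({exc})")
    print("\n".join(found) or "OK: provider order and JVM flag match the procedure")
    sys.exit(1 if found else 0)
```

The script exits with status 1 when it finds a problem, so it can gate the restart in step 9 of an automated installation.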