IBM Endpoint Manager, Version 9.2

Security

Click the sixth tab to open the Security dialog.

Click the Enable Enhanced Security button to adopt the SHA-256 cryptographic digest algorithm for all digital signatures as well as for content verification and to use the TLS 1.2 protocol for communications among the BigFix components.

To enable SHA-256 ensure that the following conditions are satisfied:

The updated license was gathered.
If you configured a Disaster Server Architecture in your BigFix environment, ensure that the Administration Tool is run on all the secondary servers of the DSA configuration that are not yet using SHA-256.
Unsubscribe from all external sites that do not support SHA-256.

Note: If you use this setting you break backward compatibility because IBM BigFix version 9.0 or earlier components cannot communicate with IBM BigFix version 9.2 server or relays.

Warning: When you disable the enhanced security mode, the BESRootServer service fails to restart automatically. To solve the problem, restart the service manually.

The Require SHA-256 Downloads button is disabled until you click the Enable Enhanced Security button. Click the Require SHA-256 Downloads button to change all download verification to use only the SHA-256 algorithm. Existing custom actions might need to be edited to conform to the prefetch action script syntax updated for V9.1 and above.

Note: If you do not select this option, the file download integrity check is run using the SHA-1 algorithm.

If you click Enable Enhanced Security without selecting Require SHA-256 Downloads, the SHA-256 algorithm will be used to for digital signatures and for content verification, TLS 1.2 protocol will be used for communications among the Endpoint Manager components but you will still be able to download SHA-1 content from external sites.

For more information about the BigFix Enhanced Security feature, the supported security configuration and enhanced security requirements evaluation, see Security Configuration Scenarios.

Feedback