IBM. Compliance Setup Guide. IBM BigFix Compliance. Version 9.2


Note: Before using this information and the product it supports, read the information in Notices on page 27.

This edition applies to version 9, release 2, modification level 0 of IBM Endpoint Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2012, 2015. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Introduction 1
  System Requirements 1
  Setup Considerations 2
Chapter 2. Installing BigFix Compliance 5
  Installing BigFix Compliance 5
  Downloading IBM BigFix Compliance 8
  Upgrading from earlier versions of BigFix Compliance 8
  Migrating keystores 9
  Perform Initial Configuration 10
  Configure HTTPS 12
  Configuring the BigFix Compliance application server to use LDAP 13
    Adding LDAP servers 13
    Linking users to directories 14
    Authenticating LDAP through user provisioning 15
  Authenticating users using single sign-on 16
    Configuring SAML single sign-on for your system 17
    Configuring LTPA single sign-on for your system 18
Appendix A. Server.xml settings for SAML single sign-on 21
Appendix B. Server.xml settings for LTPA single sign-on 23
Appendix C. Support 25
Notices 27


Chapter 1. Introduction

BigFix Compliance is a component of IBM BigFix Compliance, which includes vulnerability detection libraries and technical controls and tools based on industry best practices and standards for endpoint and server security configuration (Security Configuration Management checklists). The vulnerability detection libraries and the technical controls enable continuous, automated detection and remediation of security configuration issues. BigFix Compliance provides report views and tools for managing the vulnerability of Security Configuration Management checks.

BigFix Compliance generates the following reports, which can be filtered, sorted, grouped, customized, or exported using any set of BigFix Compliance properties:
- Overviews: Compliance Status, Vulnerabilities, and History
- Checklists: Compliance Status and History
- Checks: Compliance Status, Values, and History
- Vulnerabilities: Rollup Status and History
- Vulnerability Results: Detailed Status
- Computers: Compliance Status, Values, Vulnerabilities, and History
- Computer Groups: Compliance Status, Vulnerabilities, and History
- Exceptions: Management, Status, and History

New features

The following features and enhancements are included in BigFix Compliance version 1.7:
- Single sign-on user authentication using SAML 2.0
- Single sign-on user authentication using an LTPA token
- REST API token revocation
- Update to IBM Java 8.0.1.10
- Update to WebSphere Application Server 8.5.5.7 Liberty Profile

System Requirements

Set up your deployment according to the system requirements to successfully deploy BigFix Compliance. Configure your BigFix Compliance deployment according to the following requirements.

Table 1. Supported components and system requirements to deploy BigFix Compliance

Supported browser versions
- Internet Explorer 10.0 and 11.0
- Firefox 31 and later
- Firefox Extended Support Release (ESR) 31 and 38
- Google Chrome 35.0 and later

Supported IBM BigFix component versions
- Console 9.0, 9.1, 9.2
- Web Reports 9.0, 9.1, 9.2
- Windows Client 9.0, 9.1, 9.2
- UNIX Client 9.0, 9.1, 9.2

BigFix Compliance server operating system requirements
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
Note: BigFix Compliance supports the 64-bit versions of these operating systems only.

BigFix Compliance database server requirements
- Microsoft SQL Server 2008 R2
- Microsoft SQL Server 2012
- Microsoft SQL Server 2014
Note: BigFix Compliance supports the 64-bit versions of these database servers only.

BigFix Compliance server
You must have Administrator privileges on the target BigFix Compliance server.

BigFix Compliance database
You must have dbcreator permissions on the target BigFix Compliance database server.

SCM mastheads and Fixlet sites
- You might have earlier BigFix Fixlets and custom Fixlets for security compliance in your deployment. These Fixlets continue to function correctly, but only certain Fixlets display within the BigFix Compliance reports.
- To view the current list of SCM content sites that are supported with BigFix Compliance, see the technote "What SCM content is available for TEM?".

IBM BigFix DB2 database permissions
You must have data administration authority (DATAACCESS) to perform the following tasks:
- Create objects
- Access data within an IBM BigFix DB2 database

Setup Considerations

Note: Version 1.5.78 is the minimum version required to upgrade to Compliance 1.7.30.

During setup, match your optimum deployment size to your hardware specifications. Use the following suggestions as general guidance to set up BigFix Compliance.

Consider the requirements of the following servers when you are calculating the data sizing for BigFix Compliance:
- BigFix Compliance database server
- BigFix Compliance application server

Although you can install the BigFix Compliance server on the same computer as your SQL Server, doing so might affect the performance of the BigFix Compliance application. Carefully manage the SQL Server memory and, if necessary, use a dedicated SQL Server computer.

BigFix Compliance database server

The size of the BigFix Compliance database server depends on the following factors:
- The number of computers
- The amount of content that is subscribed onto these computers
- The number of imports that are run

You can add more disk space for future growth of endpoints and more security compliance checks.

CPU and memory considerations

A minimum of a 2 to 3 GHz CPU with 4 GB RAM is sufficient for hosting a BigFix Compliance database server that gathers analytics data for several hundred BigFix Clients. The requirements scale with the number of computers and compliance checks; add more RAM for the SQL Server as the deployment environment scales up. BigFix Compliance runs in a 64-bit environment with a 64-bit JVM. The maximum JVM memory limit is 2 GB of physical memory. Use the following suggested sizing matrix for your deployment environment.

Table 2. Suggested sizing matrix for Compliance deployment environments

Deployment size (number of computers)   Data size                                 CPU             Memory
1-500                                   0-15 GB                                   quad core       8 GB
500-5,000                               15-25 GB                                  quad core       8 GB
5,000-30,000                            25-60 GB                                  quad core       16 GB
30,000-100,000                          60-165 GB                                 quad core       32 GB
100,000+                                165 GB + 1.5 GB for every 1,000 endpoints 2 x quad core   64 GB+

Note: The sizing matrix does not include the database log size. For BigFix Compliance 1.7, the log generally requires the same amount of space as the database.

Disk space considerations and assumptions

An example deployment of 30,000 BigFix Clients that are subscribed to SCM content must take into account the following disk space considerations and assumptions.

60 GB of free disk space is needed by the BigFix Compliance database server for 30,000 BigFix Clients. Add 1.5 GB of free disk space on the BigFix Compliance database server for every 1,000 additional clients. The disk space suggestions are based on the following assumptions:
- Your deployment environment has an average of 2,000 SCM checks in total and 200 SCM checks per computer
- 2% of check results change over each import (daily)
- 5% of the checks have associated exceptions that are managed in BigFix Compliance
- 1% of the measured values change over each import (daily)
- All measured value analyses for all checks are activated
- Your deployment contains one year of archived compliance data (365 imports)

Note: Disk space usage is the sum of the following key elements:
(number of check results and their compliance change over time)
+ (number of vulnerability results and their compliance change over time)
+ (number of measured values that change over time)
+ (computer groups x checks x number of imports over time)
+ (number of exceptions + number of measured values)

BigFix Compliance application server

- A minimum of 3 GB of free disk space is needed by the BigFix Compliance server. 10 GB of free disk space can be sufficient for up to 250,000 computers.
- A 2 to 3 GHz quad-core CPU with 8 GB of free RAM supports 30,000 computers. It is suggested that you keep at least 1 GB of memory available for PDF generation tasks: each PDF generation task runs as a separate process, and each process takes as much as 150 MB of memory.

Chapter 2. Installing BigFix Compliance

Installing BigFix Compliance

Before installing BigFix Compliance, ensure that your system meets all prerequisites as described in System Requirements. Install and configure BigFix Compliance by completing the following steps:
- Install by using the InstallAnywhere installer.
- Perform initial configuration by using the web interface.

Upgrading from an earlier version requires updating the data schema as well. To do this, the operator must access the BigFix Compliance web interface from the server hosting BigFix Compliance and click Upgrade Schema.

Follow these steps to install BigFix Compliance.

Procedure
1. Run the installer executable file. When you are prompted, extract the installer file to a folder.
2. Run tema-windows-x86_64.bat from within the folder to begin the installation.
3. You can change the installation path and port during installation:
   a. Installation path
   b. TCP port
   Note: BigFix Compliance uses HTTPS by default from version 1.6 and later.
4. Specify the user account that runs the IBM BigFix Compliance service. If you configure IBM BigFix Compliance to connect to the SQL Server through a user that is authenticated through Windows, the IBM BigFix Compliance service must be configured to run as that same user. Use a dedicated service account that holds only the database permissions listed in Table 1 rather than an administrative account.
5. When the installation is completed, use the web interface to complete the setup of the IBM BigFix Compliance server.
6. The final window of the installer prompts you to launch a web browser to complete the setup. Click Done. The BigFix Compliance web server may take a while to fully load; allow time for the server to initialize. While the server is loading or during the database configuration, you might receive a message stating "Not Found". This is expected. The page automatically reloads when it is ready.

Downloading IBM BigFix Compliance

To download IBM BigFix Compliance, perform the following steps:
1. In the IBM BigFix console, add the SCM Reporting masthead.
2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.
3. Click the IBM BigFix Compliance 1.7 First-time Install Fixlet under the IBM BigFix Compliance Install/Upgrade menu tree item.
4. Take the associated action and follow the installation steps in the description of the Fixlet.

Upgrading from earlier versions of BigFix Compliance

Before you begin
Updating from an earlier version requires updating the data schema as well. The operator must access the BigFix Compliance web interface from the server hosting BigFix Compliance and click Upgrade Schema.

About this task
BigFix Compliance 1.7 uses IBM WebSphere; earlier versions use Jetty as the application server. When upgrading from earlier versions of BigFix Compliance, the installer replaces the previously supplied server certificate and private key pair with a new self-signed certificate and key pair. To upgrade from earlier versions of BigFix Compliance, you must configure your SSL certificate settings again when installation is completed.

Note: Version 1.5 is the minimum version that is required to upgrade to BigFix Compliance 1.7.

Procedure
1. Gather the latest version of the SCM Reporting site.
2. In the Security Configuration domain, open the Configuration Management navigation tree.
3. Under the IBM BigFix Compliance Install/Upgrade menu tree item, select the IBM BigFix Compliance 1.7 Upgrade Fixlet, which automatically installs and upgrades to the new version. Follow the Fixlet instructions and take the associated action to upgrade your IBM BigFix Compliance deployment.

4. Update the data schema. To do this, log in to the IBM BigFix Compliance web interface from the host server and proceed with configuration. Upgrading the data schema is expected and takes some time to complete.
5. When the installation is complete, configure the SSL certificate settings again. Go to Management > Server Settings.
6. Click Replace in the Certificate section.
7. Click Browse... and select your server certificate and private key.
8. Enter the private key password.
9. Click Save and restart BigFix Compliance.

If the original certificate and key pair are difficult to get or are unavailable, follow the steps in Migrating keystores.

Migrating keystores

Follow these steps to migrate keystores in BigFix Compliance. A keystore is a database file that stores security certificates, such as authorization or public key certificates.

About this task

The BigFix Compliance installer saves the following files for your reference:
- Under <TEMA_ROOT>\wlp\usr\servers\server1\resources\security\: a copy of your original keystore file
- Under <TEMA_ROOT>\wlp\usr\servers\server1\config\: a copy of your original jetty.xml file, and the keystore password in the deobfuscated_password file

The deobfuscated_password file holds the keystore password in clear text. Restrict access to it, and delete it together with the intermediate keystore.p12 and keystore.pem files when the migration is complete, because those files also contain the private key.

Migrating keystores requires the following:
- Java Runtime Environment (installed in <TEMA_ROOT>\jre\bin\)
- The original keystore file
- The deobfuscated_password file
- Command prompt (Windows) with the appropriate PATH set

Procedure
1. Convert the keystore from JKS to PKCS12 format.

   Table 3. Example command line of converting the keystore format from JKS to PKCS12
   Reference:
   - Input file: keystore
   - Output file: keystore.p12
   - <password_string>: the password string saved in the deobfuscated_password file
   - key_pass: the new password of your choice for keystore.p12. The password must be a minimum of 6 characters.

2. Convert the PKCS12 format keystore into a PEM format certificate and key using OpenSSL.

   Table 4. Example command line of converting the keystore format from PKCS12 to PEM
   Command line example:
   > openssl pkcs12 -in keystore.p12 -out keystore.pem
   Reference:
   - Input file: keystore.p12
   - Output file: keystore.pem
   You will be prompted to enter the following passwords:
   - Password (import password) for keystore.p12
   - New password of your choice for the private key. The password must be a minimum of 4 characters.

3. Open the PEM encoded certificate and key (keystore.pem) and save the two sections as separate certificate and private key files.
   a. The file keystore.pem contains both the certificate and the private key in sections.
   b. Copy and save the following section as server.crt:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
   c. Copy and save the following section as server.key:
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
   Note: Current OpenSSL releases write the encrypted key as a PKCS#8 block, from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----; save that section as server.key in the same way.
4. Go to Management > Server Settings and apply the following in BigFix Compliance:
   - certificate (server.crt)
   - key pair (server.key)
   - password (the PEM pass phrase entered in Step 2)

Perform Initial Configuration

To set up the database connection, perform the following steps:
1. Enter the host and database name fields.
2. Select a type of authentication.
3. Click Create to create a new administrative user.

In the next screen, enter a username and password for the new administrator account. Click Create. Next, connect to your IBM BigFix (Endpoint Manager) database: enter the host, database name, and authentication method for your primary IBM BigFix database, then click Create. You can also set up a Web Reports database in the fields on the right side of the window.
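The keystore migration described under Migrating keystores, carried out end to end, as an added example that is not part of the IBM guide. It drives keytool and openssl (both assumed to be on PATH; on the Compliance server keytool lives under <TEMA_ROOT>\jre\bin\) with the passwords passed as arguments instead of interactive prompts, then splits keystore.pem into server.crt and server.key as step 3 describes. The function names and the keytool -importkeystore command line are this example's own (the guide's Table 3 does not reproduce its command), and the sample PEM text used to exercise the splitter is constructed.

```python
# Added example, not code from the IBM BigFix Compliance guide.
# Assumptions: keytool and openssl are on PATH; file names follow the guide
# (keystore, keystore.p12, keystore.pem, server.crt, server.key).
import os
import re
import subprocess
from pathlib import Path
from typing import Tuple


def jks_to_pkcs12(src: str, dst: str, srcpass: str, dstpass: str) -> None:
    """Step 1 of the guide: JKS -> PKCS12.
    srcpass is the string from deobfuscated_password; dstpass is the new
    key_pass for keystore.p12 (the guide requires at least 6 characters)."""
    if len(dstpass) < 6:
        raise ValueError("PKCS12 password must be at least 6 characters")
    subprocess.run(
        ["keytool", "-importkeystore",
         "-srckeystore", src, "-srcstoretype", "JKS", "-srcstorepass", srcpass,
         "-destkeystore", dst, "-deststoretype", "PKCS12", "-deststorepass", dstpass],
        check=True)


def pkcs12_to_pem(p12: str, pem: str, importpass: str, keypass: str) -> None:
    """Step 2: PKCS12 -> PEM (certificate plus encrypted private key in one file).
    keypass is the PEM pass phrase you later enter in Server Settings."""
    if len(keypass) < 4:
        raise ValueError("PEM key password must be at least 4 characters")
    subprocess.run(
        ["openssl", "pkcs12", "-in", p12, "-out", pem,
         "-passin", "pass:" + importpass, "-passout", "pass:" + keypass],
        check=True)


# Step 3: the guide shows "BEGIN RSA PRIVATE KEY"; current OpenSSL writes the
# encrypted key as PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"). Both are accepted.
_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)
_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |ENCRYPTED )?PRIVATE KEY-----.*?"
    r"-----END (?:RSA |ENCRYPTED )?PRIVATE KEY-----\n?", re.S)


def split_pem(pem_text: str) -> Tuple[str, str]:
    """Return (certificate chain PEM, private key PEM) from keystore.pem."""
    certs = _CERT_RE.findall(pem_text)
    keys = _KEY_RE.findall(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one PRIVATE KEY block, found {len(keys)}")
    # The server certificate comes first; any further blocks are its chain.
    return "".join(certs), keys[0]


def write_split(pem_path: str, crt_path: str, key_path: str) -> None:
    """Write server.crt and server.key; the key file gets owner-only permissions
    (the mode is ignored by Windows ACLs but matters on a POSIX workstation)."""
    crt, key = split_pem(Path(pem_path).read_text())
    Path(crt_path).write_text(crt)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)


def migrate(keystore: str, srcpass: str, p12pass: str, keypass: str,
            outdir: str = ".") -> Tuple[str, str]:
    """Run all three steps and return the paths of server.crt and server.key."""
    out = Path(outdir)
    jks_to_pkcs12(keystore, str(out / "keystore.p12"), srcpass, p12pass)
    pkcs12_to_pem(str(out / "keystore.p12"), str(out / "keystore.pem"), p12pass, keypass)
    write_split(str(out / "keystore.pem"), str(out / "server.crt"), str(out / "server.key"))
    return str(out / "server.crt"), str(out / "server.key")
```

Run migrate("keystore", <password_string>, key_pass, pem_pass) from the directory that holds the copied keystore, then upload server.crt and server.key in Server Settings with pem_pass as the private key password. Passing passwords on the command line keeps them out of interactive prompts but can expose them in process listings and shell history on a shared host; run the migration from a session only the administrator can observe, and remove keystore.p12 and keystore.pem afterwards.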

Configure HTTPS

IBM BigFix administrators can configure SSL and the TCP ports from the Management > Server Settings section of the web interface. When turning on SSL, you can provide a pre-existing private key and certificate or have the system automatically generate a certificate. If you change the port or SSL settings, you must restart the service for the changes to take effect.

If you generate a certificate, you must specify a certificate subject common name. The common name must correspond to the DNS name of the BigFix Compliance server. If you provide a pre-existing private key and certificate, they must be PEM-encoded. If your private key is protected with a password, you must enter it in the Private key password field.
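An added example, not from the IBM guide, of producing a PEM-encoded private key and certificate that the Replace dialog accepts, and of checking a certificate against the server's DNS name before uploading it. It assumes openssl 1.1.1 or later on PATH; the host name compliance.example.com, the file names and the function names are this example's own, and the openssl text sample used by the parser check is constructed.

```python
# Added example, not code from the IBM BigFix Compliance guide.
# Assumes openssl 1.1.1+ on PATH. Names below are this example's own.
import os
import re
import shutil
import subprocess
import tempfile
from typing import List, Tuple

OPENSSL = shutil.which("openssl")


def generate_server_pair(host: str, key_path: str, crt_path: str,
                         key_pass: str, days: int = 825) -> None:
    """Self-signed key/certificate pair with CN and a DNS subjectAltName set to host.
    The key is written encrypted (PKCS#8); key_pass is what goes into the
    'Private key password' field. For a CA-issued certificate drop -x509 and
    send the resulting CSR to your CA, keeping the same -subj and -addext."""
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-days", str(days),
         "-keyout", key_path, "-passout", "pass:" + key_pass,
         "-out", crt_path, "-subj", "/CN=" + host,
         "-addext", "subjectAltName=DNS:" + host],
        check=True, capture_output=True)


def is_pem(path: str) -> bool:
    """Server Settings only accepts PEM; a DER file starts with byte 0x30 instead."""
    with open(path, "rb") as f:
        return f.read(11).startswith(b"-----BEGIN ")


def parse_names(x509_text: str) -> Tuple[str, List[str]]:
    """Pull the subject CN and the DNS SAN entries out of 'openssl x509 -text' output."""
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", x509_text, re.M)
    cn = m.group(1).strip() if m else ""
    sans = re.findall(r"DNS:([^,\s]+)", x509_text)
    return cn, sans


def cert_names(crt_path: str) -> Tuple[str, List[str]]:
    out = subprocess.run(["openssl", "x509", "-in", crt_path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    return parse_names(out)


def cert_matches_host(crt_path: str, host: str) -> bool:
    """Current browsers match the DNS name against subjectAltName, not the CN,
    so require the SAN entry as well as the CN the guide asks for."""
    cn, sans = cert_names(crt_path)
    return cn.lower() == host.lower() and host.lower() in (s.lower() for s in sans)


def self_check(host: str = "compliance.example.com") -> dict:
    """Generate a throwaway pair in a temporary directory and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = os.path.join(d, "server.key"), os.path.join(d, "server.crt")
        generate_server_pair(host, key, crt, "changeit")
        return {"pem_key": is_pem(key), "pem_crt": is_pem(crt),
                "matches": cert_matches_host(crt, host),
                "mismatch": cert_matches_host(crt, "other.example.com")}


# Constructed sample of 'openssl x509 -text' output, for exercising parse_names.
SAMPLE_X509_TEXT = (
    "        Issuer: CN = Example Root CA\n"
    "        Subject: C = US, O = Example, CN = compliance.example.com\n"
    "            X509v3 Subject Alternative Name: \n"
    "                DNS:compliance.example.com, DNS:compliance\n")
```

A self-signed certificate still leaves every console user with a browser warning and no way to tell the real server from an impostor; use it only until a CA-issued certificate for the same name is available, and keep the encrypted server.key readable by the service account alone.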

Configuring the BigFix Compliance application server to use LDAP

IBM BigFix Compliance supports authentication through a Lightweight Directory Access Protocol (LDAP) server. You can add LDAP associations to IBM BigFix Compliance so that you and other users can log in using credentials from your existing authentication scheme. To use LDAP for authentication of IBM BigFix Compliance users, you must do the following:
- Add an LDAP server directory
- Link a user to the created directory

You can also use the user provisioning feature to authenticate LDAP users without creating individual users in the application.

Adding LDAP servers

To use LDAP for authentication of IBM BigFix Compliance users, you must add a working LDAP directory.

Before you begin
You must be an Administrator to do this task.

Procedure
1. Log in to the BigFix Compliance application server.
2. Go to Management > Directory Servers.
3. To create an LDAP connection, click New.
4. Enter a name for the new directory.
5. Select an LDAP Server type for authentication from the list and enter the name of a Search Base.
6. If the values of your LDAP server differ from the default, select Other from the LDAP Server list.
7. Enter the filters and attributes of your LDAP server.
8. Enter a name and a password for the authenticated (bind) user. Use a dedicated, read-only directory account for this bind user rather than an administrative one.
9. If your LDAP server uses Secure Sockets Layer, select the SSL check box. Without SSL, the bind credentials and all directory queries cross the network in clear text. If no user credential is required, select the Anonymous Bind check box.
10. In the Host field, provide the host name on which the LDAP server is installed.
11. Enter the Port.
12. To verify that all of the provided entries are valid, click Test Connection.
13. Click Create. You have configured a link to an authentication system.

14. To add a backup LDAP server, in the Primary Server tab, click the Add backup server link.
    a. Enter the host and IP address of the backup LDAP server.
    b. Click Test Connection to verify that all of the provided entries are valid.
    c. Click Save to confirm the changes.
15. Optional: To edit the directory, select its name. Click Save to confirm the changes.
16. Optional: To delete the created directory, select its name. In the upper left of the window, click Delete.

Linking users to directories

To complete an authentication process through LDAP, you must create a user that links to the created directory.

Before you begin
You must be an Administrator to do this task.

Procedure
1. Log in to the BigFix Compliance application server.
2. Go to Management > Users.

3. To create a user, click New.
4. In the Username field, enter the name of an existing user of the LDAP server.
5. From the list, select a Computer Group that the user is assigned to.
6. From the Authentication Method list, select the name of an LDAP directory.
7. Click Create.
8. Optional: To delete the created user, click its name. Then, in the upper left of the window, click Delete.

What to do next
To confirm authentication, log in to the BigFix Compliance server with the user's LDAP credentials.

Authenticating LDAP through user provisioning

You can configure LDAP group permissions to authenticate LDAP users without creating users individually in BigFix Compliance.

Before you begin
You must configure at least one directory with a working LDAP group in the LDAP server.

Procedure
1. Log in to the BigFix Compliance application server.
2. Go to Management > User Provisioning.
3. To create a provisioning rule, click New.
4. In the Group Names field, type the name of an existing group of the LDAP server.
5. From the list, select a Computer Group that BigFix Compliance grants to users who authenticate through this rule.
6. In the Roles field, select one or more roles to grant to the users in the group.

7. In the Computer Group field, select a computer group that the group users are assigned to.
8. Click Create.

What to do next
To confirm authentication, log in to the BigFix Compliance server with a user within the LDAP group you created.

Authenticating users using single sign-on

Learn about configuring your BigFix deployment to authenticate users through single sign-on. BigFix Compliance supports single sign-on (SSO) to authenticate users through Security Assertion Markup Language Single Sign-on (SAML SSO) and Lightweight Third Party Authentication (LTPA):
- Configuring SAML single sign-on for your system
- Configuring LTPA single sign-on for your system

Accessing the debugging log

You can enable the single sign-on debugging log by adding the following elements within the <web-app> element of web.xml. Disable it again when troubleshooting is complete.

    <context-param>
        <param-name>config.sso.debug</param-name>
        <param-value>true</param-value>
    </context-param>

Server.xml settings

Refer to the following for the SAML and LTPA single sign-on server.xml settings:
- Server.xml settings for SAML single sign-on (Appendix A)
- Server.xml settings for LTPA single sign-on (Appendix B)

References for SAML and LTPA single sign-on authentication

For more information about single sign-on, see the following references for SAML and LTPA.

Security Assertion Markup Language Single Sign-on (SAML SSO)
- SAML 2.0 Web Browser Single-Sign-On: http://www-01.ibm.com/support/knowledgecenter/ssd28v_8.5.5/com.ibm.websphere.wlp.core.doc/ae/cwlp_saml_web_sso.html
- Configuring SAML Web Browser SSO in the Liberty profile: http://www-01.ibm.com/support/knowledgecenter/ssd28v_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_config_saml_web_sso.html

Lightweight Third Party Authentication (LTPA)
- Configuring LTPA on the Liberty profile: http://www-01.ibm.com/support/knowledgecenter/ssd28v_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_ltpa.html
- Customizing SSO configuration using LTPA cookies for the Liberty profile: http://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_sso.html

Configuring SAML single sign-on for your system

Follow these steps to set up SAML single sign-on for your system.

Before you begin
- Get the following information from the identity provider (IdP):
  - Login URL
  - Token-signing key
  - Issuer
- Back up the following .xml files:
  <Install Dir>/wlp/usr/servers/server1/server.xml
  <Install Dir>/wlp/usr/servers/server1/app/tema.war/web.xml
- If you configure single sign-on manually in server.xml, do not use the Management > Single Sign-On page afterward, to avoid breaking your manual configuration.
- When enabling single sign-on in Server Settings, you must already have single sign-on users. Before enabling single sign-on, you might need to do the following:
  - Create SSO users from Management > Single sign-on. The operator must create at least one single sign-on user with an Administrator role.
  - Consider changing the authentication method of existing users to single sign-on.
  - Create user provisioning rules.
  Note: The user name format for user provisioning must be a user principal name or a SAM account name. User provisioning on single sign-on is associated with what is indicated on the directory server.

Procedure
1. Log in to IBM BigFix Compliance as an administrator.
2. Create a single sign-on user with administrator rights in the BigFix Compliance server.
   a. Go to Management > Users. Click Create User.
   b. Enter a user name. The user name format must match the NameID format of the claim rules on the relying party trust in ADFS. Ensure that the user name follows the corresponding LDAP attribute format:
      User-Principal-Name: the user name is <login name of user>@<AD domain name>. For example, user01@adfs.bigfix.local.
      SAM-Account-Name: the user name is the login name of the user. For example, user01.
      E-Mail-Address: the user name is the email address in the profile of the user. For example, user01@bigfix.local.
   c. Enter the applicable computer group.
   d. Select Single Sign On as the authentication method.
   e. Enter the email address and contact information.
   f. Click Create.
3. Follow these steps if you want to use user provisioning.

   a. Add your identity provider by creating an LDAP entry in Management > Directory Servers.
   b. Configure the user provisioning rule. When single sign-on is enabled, the authentication method of all provisioned users is Single Sign On.
4. Create a SAML configuration entry.
   a. Click New.
   b. Select SAML as the SSO method.
   c. Enter the values for the following fields. You get this information from the identity provider.
      Url: the URL of the identity provider's log-in page.
      Certificate: browse to select the identity provider certificate. This is the certificate of the token-signing key; BigFix Compliance uses it to verify the signature on the SAML assertions it receives, so take it from the IdP's signing key, not its encryption key.
      Issuer: the trusted issuer.
   d. Click Save.
   e. Restart the BigFix Compliance server.
   Note: When the SAML SSO entry is created, only the Delete button and the Download SP Metadata link are enabled.
5. Download the service provider metadata and configure the service provider details on the identity provider.
   a. Log in to the BigFix Compliance web interface. Go to Management > Single Sign-On Settings.
   b. Click the Download SP Metadata link to download the service provider metadata XML file, spmetadata.xml.
      Note: When the operator configuration setting is on the same server that hosts the BigFix Compliance server, edit spmetadata.xml and replace 'localhost' with the host name before you import the file on the identity provider.
   c. Click Enable.
   d. Restart BigFix Compliance.

Results

After the restart, log in to the IBM BigFix Compliance web interface; you must be redirected to the log-in page of the identity provider. Enter your credentials. Authentication is successful when the page opens to BigFix Compliance.

Configuring LTPA single sign-on for your system

Follow these steps to set up Lightweight Third Party Authentication (LTPA) single sign-on for your system.

Before you begin

Important: After single sign-on is enabled, only single sign-on users can log in to the IBM BigFix Compliance web interface. To avoid log-in access issues, convert all existing users, except the local Administrator user, to single sign-on users.

When you enable single sign-on in Server Settings, at least one single sign-on user must already exist. Before enabling single sign-on, you might need to do the following:
18 IBM BigFix Compliance: Compliance Setup Guide

- Set up the LDAP entry for LTPA. This is set up manually.
- Back up the following .xml files:
  <Install Dir>/wlp/usr/servers/server1/server.xml
  <Install Dir>/wlp/usr/servers/server1/app/tema.war/web.xml
- If you configure single sign-on manually in server.xml, do not use the Management > Single Sign-On page afterward; saving from that page breaks your manual configuration.
- Create SSO users from Management > Single sign-on. The operator must create at least one single sign-on user with an Administrator role.
- Create user provisioning rules.
  Note: The user name format for user provisioning must be a user principal name or a SAM account name. User provisioning on single sign-on follows what is indicated on the directory server.

Procedure

1. In IBM BigFix Compliance, go to Management > Directory Servers.
2. Create a directory entry for the single sign-on authentication server.
   a. Click New.
   b. Enter details for the following fields:
      - Name
      - LDAP Server
      - User Filter
      - Login Attribute
      - Group Filter
      - Membership Attribute
      - Search Base
      Select from the following options: SSL, Anonymous Bind. Select SSL so that the bind credentials and the directory queries are protected in transit.
      Under Primary Server, enter the Host and Port.
3. Test the connection to ensure that the directory settings are correct. Click Test Connection, then click Save to confirm the changes.
4. Go to Management > Users to create an SSO user.
5. Create an LTPA configuration entry.
   a. Go to Management > Single sign-on.
   b. Select LTPA as the SSO method.
   c. Select the SSO directory server that you created in step 2.
   d. Upload the directory server certificate if the directory server uses SSL and its certificate is not already trusted, then click Save.
   e. Download the LTPA key from the link.
   f. Click Enable.
6. From BigFix Compliance, enable single sign-on.
   a. Go to Management > Single sign-on.
   b. Click Enable.
7. Restart the server.

Appendix A. Server.xml settings for SAML single sign-on

Configure the correct settings for SAML SSO in server.xml. Element and attribute names in server.xml are case-sensitive.

Items to be set and their setting details:

Features
    <feature>appSecurity-2.0</feature>
    <feature>samlWeb-2.0</feature>

Application binding (inside the <application> element)
    <application-bnd>
      <security-role id="temassoauthenticated" name="temassoauthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>

SAML settings
    <!-- spkeystore holds the service provider's own key (alias samlsp); idpkeystore holds the
         identity provider's token-signing certificate. Replace the password values with ones you
         generate with wlp/bin/securityUtility encode. -->
    <keyStore id="spkeystore" location="spkeystore.jceks" password="{xor}kzm8mm9ukzoskw==" type="JCEKS"/>
    <keyStore id="idpkeystore" location="idpkeystore.jceks" password="{xor}kzm8mm9ukzoskw==" type="JCEKS"/>
    <samlWebSso20 enabled="true" id="defaultSP" keyAlias="samlsp" keyPassword="{xor}kzm8mm9ukzoskw=="
        keyStoreRef="spkeystore" loginPageURL="https://idp.bigfix.ibm.com/login" nameIDFormat="customize">
      <!-- trustedIssuers must match the Issuer value obtained from the identity provider, and the
           IdP's signing certificate must be present in the trustAnchor keystore. -->
      <pkixTrustEngine trustAnchor="idpkeystore" trustedIssuers="http://idp.bigfix.ibm.com/trust"/>
    </samlWebSso20>
Copyright IBM Corp. 2012, 2015 21
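The SAML procedure asks you to collect the login URL, the token-signing key and the issuer from the identity provider, and step 5 tells you to replace 'localhost' in the exported spmetadata.xml before importing it on the IdP. The following Python script is an added example, not part of this guide or of BigFix Compliance: it pulls those three values out of IdP metadata (taking only the signing key, never the encryption key) and rewrites the localhost endpoints in SP metadata. Both XML documents, the host names, the port 9081 and the certificate bodies are constructed placeholders. The issuer and login URL it returns are the values that go into the Issuer and Url fields, and into trustedIssuers and loginPageURL in the server.xml fragment above.

```python
"""SAML metadata helper (added example, not from the IBM guide).

Extracts the login URL, issuer and token-signing certificate from IdP
metadata, and rewrites 'localhost' endpoints in the SP metadata that
BigFix Compliance exports. Both XML samples are constructed for this
example; the hosts, ports and certificate bodies are placeholders."""
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: an encryption key, a signing key and two SSO bindings.
# The X509Certificate bodies are placeholder base64, not real certificates.
IDP_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.bigfix.ibm.com/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTi1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>U0lHTklORy1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.bigfix.ibm.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.bigfix.ibm.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed SP metadata as exported on a server whose endpoints read 'localhost'.
SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://localhost:9081/tema/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://localhost:9081/tema/ibm/saml20/defaultSP/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body taken from metadata as a PEM certificate for upload."""
    body = "".join(cert_b64.split())
    lines = ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(body, 64), "-----END CERTIFICATE-----"]
    return "\n".join(lines) + "\n"


def extract_idp_settings(idp_xml: str) -> dict:
    """Return the issuer, the SSO URLs by binding and the signing certificate(s) as PEM.

    Only KeyDescriptors with use="signing" (or no 'use', which means both) are
    taken: the encryption certificate cannot verify assertion signatures."""
    root = ET.fromstring(idp_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if cert:
                certs.append(cert)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs or not sso:
        raise ValueError("metadata lacks a signing key or an SSO endpoint")
    return {
        "issuer": root.get("entityID"),               # Issuer field / trustedIssuers
        "login_urls": sso,                            # Url field / loginPageURL
        "signing_certs": [to_pem(c) for c in certs],  # Certificate field / idpkeystore
    }


def rewrite_localhost(sp_xml: str, hostname: str):
    """Replace 'localhost' in entityID/Location attributes with the real host name.

    Returns the rewritten XML and the list of URLs that were changed."""
    ET.register_namespace("md", NS["md"])
    root = ET.fromstring(sp_xml)
    changed = []

    def fix(url: str) -> str:
        parts = urlsplit(url)
        if parts.hostname != "localhost":
            return url
        netloc = hostname if parts.port is None else f"{hostname}:{parts.port}"
        changed.append(url)
        return urlunsplit(parts._replace(netloc=netloc))

    for el in root.iter():
        for attr in ("entityID", "Location", "ResponseLocation"):
            if attr in el.attrib:
                el.set(attr, fix(el.attrib[attr]))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    settings = extract_idp_settings(IDP_METADATA)
    print("Issuer:   ", settings["issuer"])
    print("Login URL:", settings["login_urls"][REDIRECT])
    print(settings["signing_certs"][0])
    fixed_xml, changed = rewrite_localhost(SP_METADATA, "compliance.bigfix.local")
    print("rewrote", len(changed), "endpoint(s)")
    print(fixed_xml)
```

The PEM the script writes is what you import into idpkeystore (or upload in the Certificate field); if the IdP publishes more than one signing certificate during a key rollover, import all of them, or assertions signed with the newer key are rejected.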


Appendix B. Server.xml settings for LTPA single sign-on

Configure the correct settings for LTPA single sign-on in server.xml. Element and attribute names in server.xml are case-sensitive.

Table 5. Setting details for LTPA single sign-on

Features
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>

LTPA
    <!-- {xor}CDo9Hgw= is the Liberty default keys password (it decodes to WebAS); the keys in
         ltpa.keys are protected only by this value, so set your own. {xor} values are reversible
         obfuscation, not encryption: generate them with wlp/bin/securityUtility encode. -->
    <ltpa keysFileName="resources/security/ltpa.keys" keysPassword="{xor}CDo9Hgw="/>

LDAP
    <ldapRegistry id="isamldapregistry" realm="defaultRealm" host="ldap.bigfix.ibm.com" port="636"
        ldapType="Custom" baseDN="dc=bigfix,dc=ibm,dc=com" bindDN="cn=admin,dc=bigfix,dc=ibm,dc=com"
        bindPassword="{xor}pty4otyn" sslEnabled="true" sslRef="ldapsslsettings">
      <idsFilters groupFilter="(objectclass=groupOfNames)" groupMemberIdMap="member"
          userFilter="(objectclass=inetOrgPerson)" userIdMap="cn"/>
    </ldapRegistry>
    <variable name="isamldapregistry" value="1"/>

SSL for LDAP
    <!-- Port 636 with sslEnabled="true" keeps the bind password and the directory queries off the
         wire in clear text; ldaptruststore must contain the directory server's certificate or its CA. -->
    <ssl id="ldapsslsettings" keyStoreRef="ldapkeystore" trustStoreRef="ldaptruststore"/>
    <keyStore id="ldapkeystore" location="ldapsslkeystore.jceks" password="{xor}kzm8mm9ukzoskw==" type="JCEKS"/>
    <keyStore id="ldaptruststore" location="ldapssltruststore.jceks" password="{xor}kzm8mm9ukzoskw==" type="JCEKS"/>
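The {xor} values in these fragments are reversible obfuscation (base64 of each byte XORed with 0x5F), not encryption, and the keysPassword shown, {xor}CDo9Hgw=, decodes to WebAS, the Liberty default. The Python script below is an added example, not part of this guide or of BigFix Compliance: it decodes and encodes {xor} values and audits a server.xml for the weak spots a reviewer checks in an LTPA/LDAP configuration (LDAP without SSL, a plain-text bind password, the default LTPA keys password, a userFilter without the %v placeholder that Liberty substitutes with the login name). The two server.xml samples, the host names and every password in them are constructed for the example; the weak sample is shown beside its corrected form.

```python
"""Liberty {xor} decoder and server.xml audit (added example, not from the IBM guide).

{xor} values are base64 of each byte XORed with 0x5F ('_'): reversible
obfuscation, not encryption. The two server.xml samples below are constructed
for this example: the first carries the weak settings a reviewer looks for,
the second shows the corrected form."""
import base64
import xml.etree.ElementTree as ET
from typing import List

LIBERTY_DEFAULT_LTPA_PASSWORD = "WebAS"  # what the documented default {xor}CDo9Hgw= decodes to


def decode_xor(value: str) -> str:
    """Recover the clear text of a Liberty {xor} value."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor} value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ 0x5F for b in raw).decode("utf-8")


def encode_xor(plain: str) -> str:
    """Produce the {xor} form of a clear-text value (same scheme securityUtility encode uses)."""
    obfuscated = bytes(b ^ 0x5F for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(obfuscated).decode("ascii")


# Weak configuration (constructed): LDAP without SSL, plain-text bind password, default LTPA
# keys password, and a userFilter with no %v placeholder (Liberty substitutes the login name
# for %v, so this filter cannot single out the user who is logging in).
WEAK_SERVER_XML = """\
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ltpa keysFileName="resources/security/ltpa.keys" keysPassword="{xor}CDo9Hgw="/>
  <ldapRegistry id="isamldapregistry" realm="defaultRealm" host="ldap.bigfix.ibm.com" port="389"
      ldapType="Custom" baseDN="dc=bigfix,dc=ibm,dc=com" bindDN="cn=admin,dc=bigfix,dc=ibm,dc=com"
      bindPassword="Passw0rd" sslEnabled="false">
    <idsFilters groupFilter="(objectclass=groupOfNames)" groupMemberIdMap="member"
        userFilter="(objectclass=inetOrgPerson)" userIdMap="cn"/>
  </ldapRegistry>
</server>
"""

# Corrected form (constructed). The {aes} bind password is a placeholder: produce a real one
# with wlp/bin/securityUtility encode --encoding=aes <password>. The LTPA keys password is a
# non-default value generated here with encode_xor().
HARDENED_SERVER_XML = """\
<server>
  <featureManager>
    <feature>ldapRegistry-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <ltpa keysFileName="resources/security/ltpa.keys" keysPassword="@LTPA_KEYS_PASSWORD@"/>
  <ldapRegistry id="isamldapregistry" realm="defaultRealm" host="ldap.bigfix.ibm.com" port="636"
      ldapType="Custom" baseDN="dc=bigfix,dc=ibm,dc=com" bindDN="cn=admin,dc=bigfix,dc=ibm,dc=com"
      bindPassword="{aes}PLACEHOLDER" sslEnabled="true" sslRef="ldapsslsettings">
    <idsFilters groupFilter="(objectclass=groupOfNames)" groupMemberIdMap="member"
        userFilter="(&amp;(cn=%v)(objectclass=inetOrgPerson))" userIdMap="cn"/>
  </ldapRegistry>
</server>
""".replace("@LTPA_KEYS_PASSWORD@", encode_xor("ltpa-k3ys"))


def audit(server_xml: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    root = ET.fromstring(server_xml)
    findings = []
    ltpa = root.find("ltpa")
    if ltpa is not None:
        pw = ltpa.get("keysPassword", "")
        if not pw:
            findings.append("ltpa: keysPassword is missing")
        elif pw.startswith("{xor}") and decode_xor(pw) == LIBERTY_DEFAULT_LTPA_PASSWORD:
            findings.append("ltpa: keysPassword is the Liberty default (WebAS); "
                            "the keys in ltpa.keys are protected only by this value")
    for reg in root.findall("ldapRegistry"):
        rid = reg.get("id", "?")
        if reg.get("sslEnabled", "false").lower() != "true":
            findings.append(f"ldapRegistry {rid}: sslEnabled is not true; "
                            "bind credentials and queries cross the network in clear text")
        bind_pw = reg.get("bindPassword")
        if bind_pw is not None and not bind_pw.startswith(("{xor}", "{aes}")):
            findings.append(f"ldapRegistry {rid}: bindPassword is plain text; "
                            "encode it with securityUtility encode --encoding=aes")
        if reg.get("bindDN") is None:
            findings.append(f"ldapRegistry {rid}: no bindDN, so user and group searches use an anonymous bind")
        for el in reg.iter():
            flt = el.get("userFilter")
            if flt is not None and "%v" not in flt:
                findings.append(f"ldapRegistry {rid}: userFilter {flt!r} has no %v placeholder for the login name")
    return findings


if __name__ == "__main__":
    print("default LTPA keys password:", decode_xor("{xor}CDo9Hgw="))
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{name}: {len(audit(xml))} finding(s)")
        for f in audit(xml):
            print("  -", f)
```

Because {xor} is reversible, treat a server.xml that contains {xor} values as if it contained the clear-text passwords: restrict its file permissions and prefer {aes} encoding, which securityUtility produces with --encoding=aes.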


Appendix C. Support

For more information about this product, see the following resources:

- IBM Knowledge Center
- IBM Endpoint Manager Support site
- IBM Endpoint Manager wiki
- Knowledge Base
- Forums and Communities


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.


IBM Printed in USA