Follow these steps to set up TLS 1.2, which is required for NIST SP800-131 compliance.
Before you begin
- The TLS setup requires installing a supported version of MS SQL Server and the latest patches.
- The minimum required version is MS SQL Server 2012 Service Pack 3.
- Ensure that your browser has TLS 1.2 enabled.
- For BFC V1.10.x and earlier:
  - Open the jvm.options file with a text editor and add the following code:
    -Dcom.ibm.jsse2.overrideDefaultTLS=true
    File location: <SCA>\wlp\usr\servers\server1\
    Note: Ensure that there are no extra or empty spaces or tabs in the code.
  - You must restart the compliance service for the updates to take effect.
- For BFC V2.0.x and later, the code is already added in jvm.options.
  File location: <SCA>\wlp\usr\servers\server1\configDropins\defaults\
Procedure
- Install one of the supported versions of MS SQL Server and the latest patches. The minimum requirement is MS SQL Server 2012 Service Pack 3. For more information about the updates that Microsoft released to enable TLS 1.2 support for Microsoft SQL Server, see https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server
- Generate your self-signed certificate using OpenSSL or the IIS Manager tool (make sure the certificate owner, or 'common name', matches your hostname).
  - OpenSSL > req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  - Make sure you combine your certificate and key into a .pfx file:
    OpenSSL > pkcs12 -export -out sca_server.pfx -inkey privateKey.key -in certificate.crt
  - Alternatively, use IIS Manager to generate a self-signed certificate and export it to .pfx directly. To install IIS Manager, go to Server Manager, use the add features option, and add Web Server (IIS). For information on generating certificates, see https://aboutssl.org/how-to-create-a-self-signed-certificate-in-iis/
- Upload the certificate/key into BigFix Compliance.
  - From the command line, run mmc.exe.
  - Add a certificate snap-in.
    - Select File > Add/Remove Snap-in.
    - Select the Certificates snap-in and click Add.
    - Select Computer account and click Next.
    - Ensure that the Local computer option is selected and click Finish.
    - Click OK.
  - Import the certificate.
    - In the Console window, go to Console Root > Certificates.
    - Right-click Certificates and select All Tasks > Import.
    - From the Welcome window, click Next.
    - Click Browse and select the certificate store (the .pfx file) that you created.
    - Click Next.
    - Enter the password for the certificate store and click Next.
    - Ensure that Place all certificates in the following store is selected and that Certificate Store is set to Personal.
    - Click Next and click Finish.
  - Manage the private keys.
    - Right-click the certificate and select All Tasks > Manage Private Keys.
    - Click Add.
    - Click Check Names, select MSSQLSERVER and click OK. (If MSSQLSERVER is not found, choose SERVICE instead.)
    - Click OK on the Select Users and Groups window.
    - Set permissions for MSSQLSERVER on the Permissions window and click OK. For example, select Allow for Read for a read-only option; Read access is sufficient for the SQL Server service to use the key.
- Configure SQL Server to accept encrypted connections by following the SQL Server documentation. For more information, see https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms191192(v=sql.110)#EncryptConnection
- Restart the SQL server and BigFix Compliance.
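The certificate generation and .pfx steps above, scripted as an added example (not part of the BigFix Compliance documentation) that also verifies, before anything is imported into the certificate store, that the CN matches the host name, the certificate is SHA-256 signed, the key belongs to the certificate, and the .pfx opens with the intended password. It assumes openssl is on the PATH; the host name, output directory and password are hypothetical defaults.

```shell
#!/bin/sh
# Added example: generate the self-signed certificate and .pfx bundle from the
# procedure, then check the properties the TLS 1.2 setup depends on.
set -eu

# make_cert HOST DIR: self-signed cert, RSA-2048, SHA-256, CN set to HOST
# (the "req -x509" step, with the CN given explicitly so it matches the host name).
make_cert() {
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$2/privateKey.key" -out "$2/certificate.crt" 2>/dev/null
}
# make_pfx DIR PASSWORD: bundle key and cert into PKCS#12 (the "pkcs12 -export" step).
make_pfx() {
  openssl pkcs12 -export -out "$1/sca_server.pfx" -inkey "$1/privateKey.key" \
    -in "$1/certificate.crt" -passout "pass:$2"
}
# cert_cn DIR: print the certificate's CN so it can be compared with the host name.
cert_cn() {
  openssl x509 -in "$1/certificate.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}
# cert_uses_sha256 DIR: fail if the cert was signed with anything but SHA-256.
cert_uses_sha256() {
  openssl x509 -in "$1/certificate.crt" -noout -text | grep -q 'sha256WithRSAEncryption'
}
# key_matches_cert DIR: the public key in the cert must come from privateKey.key,
# otherwise SQL Server receives a .pfx whose key cannot be used for the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/certificate.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/privateKey.key" -pubout 2>/dev/null)" ]
}
# pfx_opens DIR PASSWORD: confirm the bundle unlocks with the password that
# will be typed into the MMC import wizard.
pfx_opens() {
  openssl pkcs12 -in "$1/sca_server.pfx" -passin "pass:$2" -nokeys -noout 2>/dev/null
}
# tls_cert_setup HOST DIR PASSWORD: run all steps; returns non-zero on any failure.
tls_cert_setup() {
  make_cert "$1" "$2" && make_pfx "$2" "$3" &&
    [ "$(cert_cn "$2")" = "$1" ] && cert_uses_sha256 "$2" &&
    key_matches_cert "$2" && pfx_opens "$2" "$3"
}
# Hypothetical defaults: this machine's node name, current directory, placeholder password.
tls_cert_setup "${1:-$(uname -n)}" "${2:-.}" "${PFX_PASS:-changeit}"
```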