Bigfix migration fails

mramadan · September 14, 2022, 9:29am

bigfix server fails to start after migration using same masthead to a new server.
the following errors appeared in logs.
relaylogs "Startup failed: the server signing key is not available, Have you run BESAdmin on the server yet?"
filldbclogs "Unexpected exception: Unable to decrypt {aes,1} encrypted string"
and every time i start besserver service it deletes the signing key

ageorgiev · September 14, 2022, 9:45am

Have you copied over all the Encryption key (a bunch of Encrypted*Key files in the root server install directory)? Those are used to decypher all root server certs, so without them you would be expecting something similar in the errors.

That said, this is really a topic that is best to have a support case as they may even jump on a call with you if things are complex and walk you through the fix(es).

mramadan · September 14, 2022, 9:57am

Yes i backed up all the directories mentioned in backup and restore documentation.
the restored them as mentioned in restore and recovery docs

trn · September 14, 2022, 10:09am

I have migrated to a new server, and the process worked. This document was of help
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/t_mgrt_rootapp_server.html

You do need to raise a ticket with HCL - this forum is not the best place to troubleshoot this.

SLB · September 14, 2022, 10:10am

Maybe a silly question but have you run the BES Admin tool to propgate the newly encrypted keys? I have seen that error after migration using keys that had been decrypted on the old server then re-encrypted on the new server. It was only after running the admin tool that the new keys got propogated and then all services started ok.

gpoliafico · September 14, 2022, 3:25pm

Sounds like during the migration have been not properly managed the 5 server keys can be found in the BESServer folder ( EncryptedServerSigningKey, EncryptedClientCAKey, …) .

Migrating Bigfix server installed on Windows, these keys need to be decrypted in the origin machine and then encrypted in the target one using the ServerKeyTool.exe utility.

The required step is described in the 'Server Recovery" section, step 6:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_recovery_procedure.html
pointed from the ‘Migrating the BigFix root server’ page already indicated, step 4:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/t_mgrt_rootapp_server.html

An updated version of the tool can be found on the wiki here:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Server%20signing%20key%20Tool