Client Encryption

I am trying to encrypt traffic between client/relay/server and while reading the documentation I am not sure how to manually distribute the private key.

In the instructions, under the explanation for “Pending”, I need to manually distribute the private key.

https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_managing_client_encryption.html

Does anyone know how exactly to do this? Or is there any other better explanation for this?

Thanks!

You only distribute the private key to relays, and then only if you want the relays to decrypt client reports; so the relay can bundle multiple reports together, re-encrypt them, and send them to the server in larger batches to reduce workload on the server.

The process and key distribution is described in the second child topic of that article, at https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_creating_top_level_decrypting_.html

2 Likes

To add some additional context, communications between Clients and Relays are encrypted by default via HTTPS when possible. If you would like, you can enable an additional layer of security we refer to as Message Level Encryption (MLE) which is essentially end-to-end encryption for Client data being sent upstream.

As suggested above, you can simply enable MLE via BESAdmin to enable this feature, and do not need to distribute any keys unless you would like to designate decrypting relays for the purposes of load distribution and scalability.

2 Likes

Aram,
Thank you for your response. Do you have an article on how exactly to enable MLE? Also, would I be able to see in the logs on the client side that encryption is being used for communication?

Thanks!

You should be able to follow the steps outlined in the link you reference above. Ultimately, all you have to do is generate an encryption key, and ensure that the report encryption status is ‘enabled’.

On a Linux server you can enable report encryption for clients by completing the following steps as super user:

Generate the key:

./besadmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no -outkeypath=<path> -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>

Activate the key:

./besadmin.sh -reportencryption -deploynow=yes -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password>

On Windows systems, this is done via the BESAdmin GUI: https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_generating_a_new_encryption_ke.html

On the client side, you can identify whether encryption is being used by looking in the client log for lines such as:

Encrypted Report posted successfully

2 Likes
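The log check described in the last answer, as an added example that is not part of the original thread: a small POSIX shell script that counts "Encrypted Report posted successfully" lines in a BESClient log and flags report posts that went out without the "Encrypted" prefix. It assumes an unencrypted post is logged as "Report posted successfully" without that prefix, and the sample log lines (including timestamps) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from BigFix itself.
# Assumption: a report sent without MLE is logged as
# "Report posted successfully" (no "Encrypted" prefix).

# Count report posts in a log file; prints "<encrypted> <plain>".
count_report_posts() {
    log="$1"
    enc=$(grep -c 'Encrypted Report posted successfully' "$log" || true)
    plain=$(grep 'Report posted successfully' "$log" \
            | grep -vc 'Encrypted Report' || true)
    printf '%s %s\n' "$enc" "$plain"
}

# Succeeds (exit 0) only when the log shows at least one report post
# and every one of them carried the "Encrypted" prefix.
mle_fully_enforced() {
    set -- $(count_report_posts "$1")
    [ "$2" -eq 0 ] && [ "$1" -gt 0 ]
}

# Constructed sample in the BESClient log layout; timestamps are invented.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
At 10:00:01 -0500 - Report posted successfully
At 10:05:02 -0500 - Encrypted Report posted successfully
At 10:10:03 -0500 - Encrypted Report posted successfully
EOF

count_report_posts "$SAMPLE_LOG"   # prints "2 1": one post was unencrypted
if mle_fully_enforced "$SAMPLE_LOG"; then
    echo "all report posts encrypted"
else
    echo "unencrypted report posts found: check the report encryption status"
fi
```

Point the two functions at /var/opt/BESClient/__BESData/__Global/Logs/<date>.log (path assumed; adjust to your install) after deploying the key to confirm that reports stopped going out unencrypted.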