Enable encryption BigFix agent <-> BigFix server

Hi!

Well, first of all I'm a newbie on BF and ILMT. However, I have managed to set up an environment containing BF (9.5.9.62) and ILMT (9.2.12.0); I also have agents installed and running and communicating with the server.

Now I want to enable encryption (HTTPS) between the agent and the server. This is what I have done so far:

./BESAdmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no -outkeypath=EncryptionKey.pvk -sitePvkLocation=license.pvk -sitePvkPassword=passWord

The above worked fine; however, by mistake the EncryptionKey.pvk was deleted (human error)!

And now I'm trying to generate a new key:

“Error: -generatekey option cannot be used when the status is different from DISABLED”

But the status is “PENDING”?

./BESAdmin.sh -reportencryption -status
Status: PENDING
Available options:
-enablekey -sitePvkLocation= [ -sitePvkPassword= ]
-disable -sitePvkLocation= [ -sitePvkPassword= ]

Can I just run a disable? Or will this disable my site key? Or does it just disable the (removed) encryption key?

-disable -sitePvkLocation= [ -sitePvkPassword= ]

I really don't want to destroy anything here, and my lack of experience in the product makes me kind of lost here… Please help!

Hello!

The first thing to note is that report encryption is not required in order to have HTTPS communication between the agent and the server. HTTPS communication is leveraged by default. Report encryption (also known as Message Level Encryption) is an optional configuration that enables end-to-end encryption specifically of Client data being sent to the BigFix Server.

For the scenario you describe above, I certainly understand the caution. The site credentials are critical to a given instance of BigFix, and should be protected accordingly. That said, the ‘-disablekey’ option for ‘-reportencryption’ applies specifically to the encryption key, not the site key.

I haven’t tested it, but you may be able to rotate the key (-rotatekey) in this case rather than disable and generate new. Please see https://www.ibm.com/support/knowledgecenter/en/SS6MCG_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_running_the_tivoli_endpoint_ma_onlinux.html for more information.

OK, thanks, this was good info… 🙂
But can you link me to some documentation that really confirms that HTTPS is enabled by default between BF agent and BF server (or do I have to sniff the network :))?

Also, thanks for clarifying that the commands I posted do not affect the site key!

About HTTPS!
I read this here:

https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_running_the_tivoli_endpoint_ma_onlinux.html

“9.5.6 or later, which means that:
The BigFix Server enforces that registration requests coming from BigFix Agents V9.5.6 or later must be properly signed.
The BigFix Server and the Relays V9.5.6 or later enforce the use of the HTTPS protocol when BigFix Agent registration data is exchanged.
Enforcing this behavior has the following side effects:
BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
Because BigFix Relays with versions earlier than V9.5.6 cannot handle correctly signed registration requests, any BigFix Client that uses those Relays might be prevented from continuing to register, or might fall back to a different parent Relay or directly to the Server.”

Is this what we are talking about? Or is it only applicable when using relays? So fuzzy for me…

Fuzzy for you too?
I still haven't found any docs that can confirm this.
And the masthead file contains only http endpoints.
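As an added example, not code from this thread or from BigFix, here is a small POSIX shell script that probes a BigFix server or relay listener for a TLS handshake with openssl s_client, as an alternative to sniffing the network to confirm HTTPS. It assumes the listener accepts TLS on its port (52311 by default) and that openssl is installed; bigfix.example.com is a placeholder host and the sample s_client output in the script is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from BigFix: check whether a
# BigFix server/relay listener negotiates TLS, instead of sniffing traffic.
# Assumptions: the listener accepts TLS on its port (52311 by default) and
# openssl is installed. The host name used when running it is a placeholder.

# Return 0 when openssl s_client output ($1) shows a negotiated TLS session.
# On success s_client prints "New, TLSv1.2, Cipher is <name>"; on failure it
# prints "New, (NONE), Cipher is (NONE)".
tls_negotiated() {
    printf '%s\n' "$1" | grep -q '^New, .*, Cipher is ' &&
    ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# Print the negotiated protocol version (e.g. TLSv1.2), or "none".
tls_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# Connect to host:port, send nothing on stdin, and classify the result.
probe() {
    out=$(openssl s_client -connect "$1:$2" </dev/null 2>&1 || true)
    if tls_negotiated "$out"; then
        printf 'TLS negotiated on %s:%s (%s)\n' "$1" "$2" "$(tls_version "$out")"
    else
        printf 'no TLS negotiated on %s:%s\n' "$1" "$2"
    fi
}

# Constructed sample of s_client output, used when no host is given.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

if [ -n "$1" ]; then
    probe "$1" "${2:-52311}"      # e.g. ./probe.sh bigfix.example.com
else
    tls_negotiated "$SAMPLE_OK" && printf 'sample: %s\n' "$(tls_version "$SAMPLE_OK")"
fi
```

Run it against the host named in your masthead; a "no TLS negotiated" result means the listener answered only in plain HTTP for that handshake attempt, which is worth checking against the version requirements quoted above.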