For the first step I launched:
sudo ./BESAdmin.sh -reportencryption -generatekey -privateKeySize=max -deploynow=no -outkeypath=/opt/app/ilmtinst/license/encryption.pvk -sitePvkLocation=/opt/app/ilmtinst/license/license.pvk -sitePvkPassword=Password
After the first step I got encryption.pvk file generated.
Second step:
sudo /opt/BESServer/bin/BESAdmin.sh -reportencryption -deploynow=yes -sitePvkLocation=/opt/app/ilmtinst/license/license.pvk -sitePvkPassword=password
But this command doesn’t work, gives me following output:
"Invalid command: use one and only one of the following options (or set of options) combination:
If MLE is enabled then your masthead has a new certificate in it for the MLE to activate on the endpoint. I’ll have to try this on my deployment as I’ve not enabled it on Linux before but the second command is supposed to be correct as you need to deploy it in the masthead.
Additionally this step is no necessary if generating the key during the first step have provided -deploynow=yes
There are some further minor improvements can be done to that page, so we’d appreciate if You can spend few minutes to open a PMR on this issue ( could indicate the link to this thread )
Few additional details on this topic:
On Linux each time You perform a command on MLE, on success the command displays the status and suggests the ‘correct’ command for possible next steps. For example:
On both Windows and Linux, there’s a PENDING status in my strictly personal opinion find misleading especially attempting to disable the MLE … in fact running a first time the disable, on Linux is:
is possible to see the status is not DISABLED but PENDING … such as need to run the same command again to really disable the MLE ( it is the same on Windows clicking on the related button )
For both Windows and Linux, as written at the end of the doc page but in my opinion not enough pointed out, it is suggested to backup the directory BESServer/Encryption Keys on another machine. This every time something change about the keys, for example are generated or rotated ( means it is generated a new key ). We wish this will never be useful, but in case of a disaster/recovery procedure, for which have lost the content of the file system and need to recover the deployment from a db backup, this backup can be of help. It is critical for pre-9.2.6 patch have not the fix for APAR http://www-01.ibm.com/support/docview.wss?uid=swg1IV76841 ; it is less critical but useful in any case for newer releases/patches.
Thank you for the information, I have an active PMR so I’ll give them link to this thread. Encryption is now enabled and I set the BESClient report encryption custom setting to ‘optional’, so right now I’ll need to test the encryption if it’s really working.
By the way, just an update from IBM support. That now on 9.X version of BigFix, it’s enough to enable the encryption on a server and clients start to encrypt their reports to the server with optional method. No need to deploy “BES Client Setting: Encrypted Reports” fixlet.
The reason for that is pre 9.0 the default setting was “none” for encryption and now it is “optional” meaning if the masthead has the certificate, the client will try and use it.