BigFix 9.5.3 introduced three new keys which need special action for the migration or restore

http://www-01.ibm.com/support/docview.wss?uid=swg21994196

Technote (troubleshooting)

Problem(Abstract)
If we miss the three new keys introduced in 9.5.3, then the migration or the restore will fail.

Cause
The three keys below were introduced in BigFix 9.5.3.
- EncryptedAPIServerKey
- EncryptedPlatKey
- EncryptedWebUICAkey

But if the migration or the restore does not handle these three keys, it will cause the BigFix server's plug-in to fail.

Resolving the problem
Currently, we have opened a DOC APAR IV90723 to fix the migration documentation by adding the steps that handle these new keys. Until the document is updated, the method below can be used as a workaround.
Unfortunately we don't have a tool available to decrypt the above keys, which have to be moved to a different system.

As a workaround you can use the existing ServerKeyTool.exe and follow the procedure below.

On the source server, stop the BigFix services and move all the encrypted keys located under C:\Program Files (x86)\BigFix Enterprise\BES Server to a backup folder.

For each of the 3 keys listed above do the following.
Below is the procedure for the file EncryptedWebUICAkey.

  1. Copy the file EncryptedWebUICAkey from the backup folder to C:\Program Files (x86)\BigFix Enterprise\BES Server
  2. Rename the file EncryptedWebUICAkey to EncryptedServerSigningKey
  3. Run the tool ServerKeyTool.exe with the following syntax:
    C:\ServerKeyTool>ServerKeyTool.exe decrypt UnencryptedWebUICAKey
    A file named UnencryptedWebUICAKey is generated.
  4. Move the file UnencryptedWebUICAKey to the new server and encrypt it using the tool ServerKeyTool.exe with the following syntax:
    ServerKeyTool.exe encrypt UnencryptedWebUICAKey
    The tool generates a file named EncryptedServerSigningKey that has to be renamed to EncryptedWebUICAkey and copied under the folder C:\Program Files (x86)\BigFix Enterprise\BES Server of the new server.

Repeat the same procedure for the other 2 files: EncryptedAPIServerKey and EncryptedPlatKey.

3 Likes
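The rename trick above is easy to get wrong by hand (three keys, two renames each, and a cleartext key left behind if a step is skipped). The script below is an added example, not the technote's or the forum poster's code, that performs the source-server half of the workaround in one pass. It assumes the default BES Server folder, a ServerKeyTool.exe location of C:\ServerKeyTool, and that `ServerKeyTool.exe decrypt <name>` reads EncryptedServerSigningKey from the BES Server folder and writes `<name>` into the tool's working directory, exactly as the technote describes; nothing else about the tool is assumed.

```powershell
# Added example (not from the technote or the forum thread): scripted form of the
# 9.5.3 workaround, run on the SOURCE server only. Paths below are assumptions.
$BesServer   = 'C:\Program Files (x86)\BigFix Enterprise\BES Server'
$ToolDir     = 'C:\ServerKeyTool'                      # where ServerKeyTool.exe lives (assumed)
$Backup      = Join-Path $env:USERPROFILE ('BESKeyBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$Placeholder = Join-Path $BesServer 'EncryptedServerSigningKey'

# The three keys introduced in 9.5.3 that the pre-9.5.3 procedure misses.
$NewKeys = 'EncryptedAPIServerKey', 'EncryptedPlatKey', 'EncryptedWebUICAkey'

# 1. Stop the BES services so nothing rewrites the key files while we work.
Get-Service -Name 'BES*' | Where-Object Status -eq 'Running' | Stop-Service -Force

# 2. Back up every encrypted key before touching anything (the technote's first step).
#    Moving them out also guarantees the placeholder name below does not collide.
New-Item -ItemType Directory -Path $Backup | Out-Null
Get-ChildItem -Path $BesServer -Filter 'Encrypted*' -File | Move-Item -Destination $Backup
Write-Host "Encrypted keys moved to $Backup"

# 3. For each new key: copy it back under the placeholder name, decrypt, clean up.
Push-Location $ToolDir
try {
    foreach ($key in $NewKeys) {
        $src = Join-Path $Backup $key
        if (-not (Test-Path -LiteralPath $src)) {
            Write-Warning "$key not found in backup; skipping (is this server really 9.5.3 or later?)"
            continue
        }
        $out = "Unencrypted$key"
        # The tool only knows the name EncryptedServerSigningKey, hence the rename trick.
        Copy-Item -LiteralPath $src -Destination $Placeholder -Force
        & (Join-Path $ToolDir 'ServerKeyTool.exe') decrypt $out
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath (Join-Path $ToolDir $out))) {
            throw "ServerKeyTool failed to decrypt $key (exit code $LASTEXITCODE)"
        }
        # Never leave another key sitting under the signing key's name.
        Remove-Item -LiteralPath $Placeholder -Force
        Write-Host "Decrypted $key -> $ToolDir\$out"
    }
}
finally {
    Pop-Location
}

# Next (manual, on the destination server): copy the Unencrypted* files over a protected
# channel, run "ServerKeyTool.exe encrypt Unencrypted<key>" for each, and rename each
# resulting EncryptedServerSigningKey back to its real name in the BES Server folder.
# Then delete the Unencrypted* files on both hosts: they are cleartext private keys.
```

The script stops after the decrypt step on purpose; the technote's rule that encryption happens only on the destination server is what ties the re-encrypted keys to that machine, so the encrypt half should not be run from the source host.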

It is annoying that this wasn’t better documented before now.

This has definitely impacted some, and will likely impact more even after the documents are updated for those following an old script or that have the old methods memorized.

2 Likes

Hey guys, a couple of questions around this… Referencing current Server Signing Key Tool page.

  1. If I want to perform a test migration - i.e. not actually interfere with my production root server - can I stop the prod root server BES services; copy the keys to a different folder (on the prod root server itself); and then decrypt them from there?

  2. When setting up the new test root server, do the keys need to be already re-encrypted and in place under the (empty) BES Server folder structure before initiating the BES Server install? Referencing this note specifically:

Note: By using the ServerKeyTool to migrate the keys on BigFix server for version 8.2.xx, you also ensure that the existing LDAP configuration is successfully migrated to the new server. In fact, when installing the new server, if the installer does not find the encrypted EncryptedServerSigningKey key under C:\Program Files\BigFix Enterprise\BES Server, it automatically generates a new key which is unknown to the configured LDAP server. If this happens the login of the LDAP operators on the new server will not work.

Thanks

The things to pay attention to are:

  1. Always decrypt on the 'source' machine and always encrypt on the 'destination' machine
  2. Do not rename these files, because their name is used by the tool
  3. From 9.5 patch 3 the keys to be decrypted/encrypted are 5 (not 2 as in the previous patches/releases)

So for both questions the answer is yes … the details about this procedure can be found at this link.

3 Likes

Is the following documentation incorrect? I used the following command-line and it does not work.

ServerKeyTool.exe /decrypt "D:\Bigfix Enterprise\BES Server" "D:\ServerKeyTool\keys"

  1. Decrypt the keys on the old server.

Run the ServerKeyTool to decrypt the keys as follows:

ServerKeyTool.exe /decrypt /dirIn:<absolute_path> /dirOut:<absolute_path>

where:

dirIn:<absolute_path> specifies the full path to the BigFix Enterprise\BES Server folder containing the files with the encrypted keys on the old server. If you chose the default setting when installing the BigFix Server, the path is %PROGRAM FILES%\BigFix Enterprise\BES Server. The ServerKeyTool fails if the input directory does not exist.

https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Server%20signing%20key%20Tool

Did you get any kind of an error message? I ran this a few weeks ago on a server hardware migration (but it was still on 9.5.7)

The problem was that I did not follow the instructions. I had neglected to include: /dirin: and /dirout:. After including those parameters, it worked perfectly.

ServerKeyTool.exe /decrypt /dirin:"D:\Bigfix Enterprise\BES Server" /dirout:"D:\ServerKeyTool\keys"

2 Likes
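The failure in this exchange came from dropping the mandatory `/dirin:` and `/dirout:` switches, and the paths involved contain spaces, which is a second common way to get this command line wrong. The function below is an added example, not from the linked wiki page or either poster, that wraps the documented `/decrypt` form so both switches are always present, checks the preconditions the documentation states (the tool path exists, the input directory exists) before running the tool, and confirms that something non-empty was actually written to the output folder. It assumes only what the quoted documentation says about the tool; the names of the decrypted output files are deliberately not checked because the thread does not list them.

```powershell
# Added example (not from the documentation or the forum posters): wrapper for the
# documented "ServerKeyTool.exe /decrypt /dirin:<path> /dirout:<path>" form, run on
# the OLD server. Tool location and output folder are whatever the caller passes.
function Invoke-ServerKeyDecrypt {
    param(
        [Parameter(Mandatory)] [string] $ToolPath,   # e.g. D:\ServerKeyTool\ServerKeyTool.exe
        [Parameter(Mandatory)] [string] $DirIn,      # ...\BigFix Enterprise\BES Server on the old server
        [Parameter(Mandatory)] [string] $DirOut      # folder that receives the decrypted keys
    )

    if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
        throw "ServerKeyTool not found at $ToolPath"
    }
    # The documentation says the tool fails if the input directory does not exist;
    # fail here with a clearer message instead.
    if (-not (Test-Path -LiteralPath $DirIn -PathType Container)) {
        throw "dirIn does not exist: $DirIn"
    }
    if (-not (Test-Path -LiteralPath $DirOut)) {
        New-Item -ItemType Directory -Path $DirOut | Out-Null
    }

    # Remember what was already in dirOut so only new files count as tool output.
    $before = @(Get-ChildItem -LiteralPath $DirOut -File | Select-Object -ExpandProperty Name)

    # Paths with spaces must stay quoted. Building one argument string and handing it
    # to Start-Process passes the quotes through to the tool exactly as typed.
    $argString = "/decrypt /dirin:`"$DirIn`" /dirout:`"$DirOut`""
    $proc = Start-Process -FilePath $ToolPath -ArgumentList $argString -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "ServerKeyTool exited with code $($proc.ExitCode)"
    }

    $produced = @(Get-ChildItem -LiteralPath $DirOut -File | Where-Object { $_.Name -notin $before })
    if ($produced.Count -eq 0) {
        throw "ServerKeyTool returned 0 but wrote nothing to $DirOut"
    }
    $empty = @($produced | Where-Object Length -eq 0)
    if ($empty.Count -gt 0) {
        throw "Zero-byte key files written: $($empty.Name -join ', ')"
    }
    # These are the decrypted keys: move them to the new server over a protected
    # channel, encrypt them there, then remove the cleartext copies from this host.
    return $produced
}

# Usage with the paths from the thread:
# Invoke-ServerKeyDecrypt -ToolPath 'D:\ServerKeyTool\ServerKeyTool.exe' `
#     -DirIn 'D:\Bigfix Enterprise\BES Server' -DirOut 'D:\ServerKeyTool\keys'
```

Start-Process is used rather than the `&` call operator because PowerShell re-quotes arguments that contain spaces when it invokes a native executable, which can turn `/dirin:"D:\Bigfix Enterprise\BES Server"` into something the tool does not parse; a single pre-built argument string is passed through unchanged.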