Problem(Abstract)
If the three new keys introduced in 9.5.3 are missed, the migration or the restore will fail.
Cause
The three keys below were introduced in BigFix 9.5.3:
- EncryptedAPIServerKey
- EncryptedPlatKey
- EncryptedWebUICAkey
If the migration or the restore does not handle these three keys, the BigFix server's plug-ins will fail.
Resolving the problem
Currently, DOC APAR IV90723 has been opened to add the steps that handle these new keys to the migration documentation. Until the documentation is updated, the method below can be used as a workaround.
Unfortunately, there is no tool available to decrypt the above keys, which have to be moved to a different system.
As a workaround you can use the existing ServerKeyTool.exe and follow the procedure below.
On the source server, stop the BigFix services and move all the encrypted keys located under C:\Program Files (x86)\BigFix Enterprise\BES Server to a backup folder.
For each of the 3 keys listed above, do the following (the procedure below is for the file EncryptedWebUICAkey):
Copy the file EncryptedWebUICAkey from the backup folder into C:\Program Files (x86)\BigFix Enterprise\BES Server.
Rename the file EncryptedWebUICAkey to EncryptedServerSigningKey.
Run the tool ServerKeyTool.exe with the following syntax:
C:\ServerKeyTool>ServerKeyTool.exe decrypt UnencryptedWebUICAKey
A file named UnencryptedWebUICAKey is generated.
Move the file UnencryptedWebUICAKey to the new server and encrypt it using ServerKeyTool.exe with the following syntax:
ServerKeyTool.exe encrypt UnencryptedWebUICAKey
The tool generates a file named EncryptedServerSigningKey, which has to be renamed to EncryptedWebUICAkey and copied into the folder C:\Program Files (x86)\BigFix Enterprise\BES Server on the new server.
Repeat the same procedure for the other 2 files: EncryptedAPIServerKey and EncryptedPlatKey.
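The following PowerShell script is an added example; it is not part of this technote and not a BigFix tool. It scripts the workaround above end to end: on the source server it stops the services, backs up every encrypted key, renames each of the three new keys to EncryptedServerSigningKey in turn and decrypts it with the technote's `ServerKeyTool.exe decrypt` syntax; on the new server it encrypts each file with `ServerKeyTool.exe encrypt`, renames the resulting EncryptedServerSigningKey to the real key name, and then deletes the plaintext copies. Everything not stated on the page is an assumption and is marked as such in the code: the tool's location (C:\ServerKeyTool, taken from the technote's prompt), the folder the tool writes its output file into (the script checks both the tool folder and the BES Server folder), the staging folder name, and the BigFix Windows service names.

```powershell
<#
  Added example, not part of the technote or of BigFix: scripts the ServerKeyTool.exe
  workaround for the three 9.5.3 keys.
  On the SOURCE server:   .\Migrate-NewBesKeys.ps1 -Mode Export
  copy $StagingDir to the NEW server, then there:   .\Migrate-NewBesKeys.ps1 -Mode Import
  Assumptions (not stated on the page): the tool lives in C:\ServerKeyTool, it writes its
  output into either its own folder or the BES Server folder, and the service names below.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('Export', 'Import')][string]$Mode,
    [string]$BesServerDir = 'C:\Program Files (x86)\BigFix Enterprise\BES Server',
    [string]$ToolDir      = 'C:\ServerKeyTool',
    [string]$StagingDir   = 'C:\BESKeyMigration'   # staging folder name is an assumption
)
$ErrorActionPreference = 'Stop'

# The three keys introduced in 9.5.3, named as in the technote.
$NewKeys = 'EncryptedAPIServerKey', 'EncryptedPlatKey', 'EncryptedWebUICAkey'
# The only key name the tool handles; each new key is temporarily renamed to it.
$SigningKeyName = 'EncryptedServerSigningKey'
# Assumed BigFix service names; verify with Get-Service on your server.
$BesServices = 'BESRootServer', 'BESFillDB', 'BESGatherDB', 'BESWebReportsServer'
$UnencDir  = Join-Path $StagingDir 'unencrypted'
$BackupDir = Join-Path $StagingDir 'backup'

# Runs "ServerKeyTool.exe <verb> <file>" from the tool's folder, as the technote does,
# and returns the full path of the file the tool produced.
function Invoke-ServerKeyTool {
    param([string]$Verb, [string]$FileArg, [string]$ExpectedOutput)
    $started = Get-Date
    Push-Location $ToolDir
    try { & (Join-Path $ToolDir 'ServerKeyTool.exe') $Verb $FileArg | Out-Null }
    finally { Pop-Location }
    if ($LASTEXITCODE -ne 0) { throw "ServerKeyTool.exe $Verb failed with exit code $LASTEXITCODE" }
    # The technote does not say where the output lands, so check both candidate folders
    # and accept only a file written after the tool ran.
    $produced = Get-ChildItem -Path $ToolDir, $BesServerDir -Filter $ExpectedOutput -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $started } | Select-Object -First 1
    if (-not $produced) { throw "ServerKeyTool.exe $Verb did not produce $ExpectedOutput" }
    return $produced.FullName
}

function Export-NewKeys {
    # 1. Stop the BigFix services and move every encrypted key into the backup folder.
    Get-Service -Name $BesServices -ErrorAction SilentlyContinue | Stop-Service -Force
    New-Item -ItemType Directory -Force -Path $BackupDir, $UnencDir | Out-Null
    Get-ChildItem -Path $BesServerDir -Filter 'Encrypted*' -File | Move-Item -Destination $BackupDir -Force
    foreach ($key in $NewKeys) {
        # 2. Put one new key back under the name the tool understands.
        $tmpSigningKey = Join-Path $BesServerDir $SigningKeyName
        Copy-Item -Path (Join-Path $BackupDir $key) -Destination $tmpSigningKey -Force
        # 3. Decrypt it; the argument is the output file name (UnencryptedAPIServerKey, ...).
        $unencName = $key -replace '^Encrypted', 'Unencrypted'
        $out = Invoke-ServerKeyTool -Verb 'decrypt' -FileArg $unencName -ExpectedOutput $unencName
        Move-Item -Path $out -Destination (Join-Path $UnencDir $unencName) -Force
        Remove-Item -Path $tmpSigningKey -Force
    }
    # 4. Restore the original keys so the source server is left exactly as it was.
    Copy-Item -Path (Join-Path $BackupDir '*') -Destination $BesServerDir -Force
    Write-Host "Decrypted keys staged in $UnencDir. Copy $StagingDir to the new server and run -Mode Import there."
}

function Import-NewKeys {
    New-Item -ItemType Directory -Force -Path $BesServerDir | Out-Null
    # The encrypt verb always names its output EncryptedServerSigningKey, so a real signing
    # key already present in the BES Server folder must be saved and put back afterwards.
    $realSigningKey  = Join-Path $BesServerDir $SigningKeyName
    $savedSigningKey = $null
    if (Test-Path $realSigningKey) {
        $savedSigningKey = Join-Path $StagingDir "$SigningKeyName.target"
        Copy-Item -Path $realSigningKey -Destination $savedSigningKey -Force
    }
    foreach ($key in $NewKeys) {
        $unencName = $key -replace '^Encrypted', 'Unencrypted'
        $unencPath = Join-Path $UnencDir $unencName
        # 5. Place the unencrypted file next to the tool and encrypt it.
        Copy-Item -Path $unencPath -Destination (Join-Path $ToolDir $unencName) -Force
        $out = Invoke-ServerKeyTool -Verb 'encrypt' -FileArg $unencName -ExpectedOutput $SigningKeyName
        # 6. Rename the output to the real key name under the BES Server folder.
        Move-Item -Path $out -Destination (Join-Path $BesServerDir $key) -Force
        # Remove the plaintext key material once it has been re-encrypted.
        Remove-Item -Path (Join-Path $ToolDir $unencName), $unencPath -Force
    }
    if ($savedSigningKey) { Move-Item -Path $savedSigningKey -Destination $realSigningKey -Force }
}

switch ($Mode) { 'Export' { Export-NewKeys } 'Import' { Import-NewKeys } }
```

Two points worth checking before relying on it: the script only detects an output file that the tool wrote after it was invoked, so a stale UnencryptedXxx or EncryptedServerSigningKey left over from an earlier run is never picked up by mistake; and the Import side saves and restores an existing EncryptedServerSigningKey, because the encrypt verb would otherwise overwrite the signing key that the documented procedure (and LDAP logins) depend on.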
It is annoying that this wasn’t better documented before now.
This has definitely impacted some, and will likely impact more even after the documents are updated for those following an old script or that have the old methods memorized.
Hey guys, a couple of questions around this… Referencing current Server Signing Key Tool page.
If I want to perform a test migration - i.e. not actually interfere with my production root server - can I stop the prod root server BES services; copy the keys to a different folder (on the prod root server itself); and then decrypt them from there?
When setting up the new test root server, do the keys need to be already re-encrypted and in place under the (empty) BES Server folder structure, before initiating the BES Server install? Referencing this note specifically:
Note: By using the ServerKeyTool to migrate the keys on BigFix server for version 8.2.xx, you ensure also that the existing LDAP configuration is successfully migrated to the new server. In fact, when installing the new server, if the installer does not find the encrypted EncryptedServerSigningKey key under C:\Program Files\BigFix Enterprise\BES Server, it generates automatically a new key which is unknown to the configured LDAP server. If this happens the login of the LDAP operators on the new server will not work.
Run the ServerKeyTool to decrypt the keys as follows:
ServerKeyTool.exe /decrypt /dirIn:<absolute_path> /dirOut:<absolute_path>
where:
dirIn:<absolute_path> Specifies the full path to the BigFix Enterprise\BES Server folder containing the files with the encrypted keys on the old server. If you chose the default setting when installing the BigFix Server, the path is %PROGRAM FILES%\BigFix Enterprise\BES Server. The ServerKeyTool fails if the input directory does not exist.
The problem was that I did not follow the instructions. I had neglected to include: /dirin: and /dirout:. After including those parameters, it worked perfectly.