IBM Support

How to change the password on the license.pvk private key

Technote (FAQ)


How do I change my license.pvk password?


The BigFix user is essentially two users:

  • a BigFix username / private key
  • a Database user (using NT or SQL Server Authentication Usernames)
Initially when the BigFix user account is created, both passwords for the private key and SQL login are set to the same value (When using SQL Server Authentication).

When the private key password is changed, the SQL Server Authentication Login is not changed or automatically updated. To keep both passwords consistent the SQL Login password will need to be updated too, otherwise the user will be prompted for two different passwords on login.

Changing the Private key password
Changing the private key password does not change the SQL login password.
  1. Open the BigFix Console and select Tools > Manage Signing Keys
  2. Click the "Browse" button next to the first key (publisher.pvk) and Browse to your license.pvk file in your site credentials folder
  3. Click the "Change Password" button
  4. Type in your old password and the new password (for the site credentials)
  5. Click OK to set the password
SQL Login password change
You must be using SQL Auth for this menu option to be available. If you are using NT Authentication this step does not need to be performed.

  1. Open the BigFix Console and select File > Change Database Password...
  2. Type in your old password, new password, and Confirm new password
  3. Click the OK button

Changing the site level key password and not the user key, you can do so through the BES Admin Tool

  1. Start the BES Admin tool
  2. click change password...
  3. Type in the old password, the new password, and a confirmation of the new password
  4. Click the OK button

The private key file itself is encrypted with the site admin password so if you lose the password there is no way for anyone to be able to open the file and get to the unencrypted private key (if there was, it would be a security issue). Your license.pvk file is the key that controls your whole deployment and the file itself and the password are never known by BigFix. We could delete the key and recreate a new one for you, but it would be an equivalent process to deleting and remaking the user.

Our standard recommendation is that you keep a secure copy of the key/password so it can be retrieved in the event of a problem.

If you have lost the site admin level password you can not change the password, you will need to contact and request a new license and you will have to reinstall the software with the new license. The process of switching private keys is analogous to what would happen if you lost a master key to a building... You need to create a new master key and change all the locks.

If you have an older version of the license.pvk that hasn't been modified, then it will still be encrypted by the old password.

Additional information and Knowledge Base articles regarding passwords

Enforcing password complexity
This will work for both database and private key passwords (only for new users).

There are two options that will need to be created.

Name Value
passwordComplexityRegex (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
passwordComplexityDescription requires 6-letters or longer password containing lower-case, upper case, and punctuation

  1. Launch the BES Admin tool
  2. Select the "Advanced Options" tab
  3. Click on the Add button
  4. The add the above entries

For NSA level password complexity use the following value:

Name Value
passwordComplexityRegex (?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
passwordComplexityDescription At least 1 small-case letter, At least 1 Upper case letter, At least 1 digit, At least 1 special character Length should be between 8-30 characters

Historical Number


Document information

More support for: IBM BigFix family

Software version: 7.0, 7.1, 8.0, 8.1

Operating system(s): Platform Independent

Reference #: 1505878

Modified date: 20 June 2016