Rotating IEM agent private keys
How do I rotate IBM Endpoint Manager agent private keys?
If an IEM agent has been compromised, or its private key has been disclosed to an untrusted party, the key can be rotated with the steps below.
The following steps rotate the private key used by the IEM agent on an endpoint running platform release 9.0 or later. Read through all of the steps before starting. This document covers performing the rotation manually; capabilities change between releases, so first verify that the platform does not already provide an automated way to do this.
The following steps must be performed as an administrator or root on the endpoint.
1) Delete the KeyStorage directory and all of its contents. It is located under the agent's StoragePath directory.
Default locations for this would be as follows:
Windows 32 bit: C:\Program Files\BigFix Enterprise\BES Client\KeyStorage
Windows 64 bit: C:\Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage
Mac OS X: /Library/Application Support/BigFix/BES Agent/KeyStorage
Linux, AIX, Solaris, HP-UX: /var/opt/BESClient/KeyStorage
If the StoragePath client setting has been changed from the default, use the directory it names instead. Do not copy the old KeyStorage contents anywhere before deleting them; the purpose of the rotation is that the compromised key no longer exists on the host.
2) Restart the agent
Perform the following:
Windows : via the Services control panel, restart the "BES Client" service
Mac OS X: /Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgentControlPanel.sh -restart
AIX: /etc/rc.d/rc2.d/SBESClientd restart
HPUX: /sbin/init.d/besclient restart
Solaris or Linux: /etc/init.d/besclient restart
NOTE: After the restart the agent generates a new key pair and registers under a new computer ID. The original computer ID is no longer valid, so the console will show a second, duplicate entry for the endpoint.
Optionally, depending on why you are rotating the keys, you may also wish to revoke the original client from the console. See the following link for instructions:
Remove the old, duplicate computer entry from the console. See the following link for instructions: http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Platform/Console/c_removing_computers.html
If the endpoint connects to an authenticating relay (or a local relay that authenticates clients), you must also perform a manual key exchange on the endpoint, since the relay does not yet trust the agent's new key. See the following link for instructions: http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=%2Fcom.ibm.tem.doc_9.1%2FPlatform%2FConsole%2FManualKeyExchange.html
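The following script carries out steps 1 and 2 above on a Unix or Mac OS X endpoint and then checks that the agent came back with a fresh key store. It is an added example, not part of the technote or of the product. It assumes the default StoragePath for each platform (overridable with an argument), that it is run as root, and that the init scripts are the ones listed in step 2; the post-restart check assumes the agent recreates the KeyStorage directory when it generates its new key pair. The console cleanup and any manual key exchange still have to be done by hand.

```shell
#!/bin/sh
# Added example (not from the technote): steps 1 and 2 of the key rotation
# on a Unix/Mac endpoint, followed by a check that KeyStorage came back.
# Assumptions: run as root; default StoragePath per platform unless a path
# is given; restart commands as listed in the technote.

# Map `uname -s` output to the technote's restart command. Prints the
# command; returns 1 for a platform the technote does not list.
restart_cmd() {
    case "$1" in
        AIX)         echo "/etc/rc.d/rc2.d/SBESClientd restart" ;;
        HP-UX)       echo "/sbin/init.d/besclient restart" ;;
        SunOS|Linux) echo "/etc/init.d/besclient restart" ;;
        Darwin)      echo "/Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgentControlPanel.sh -restart" ;;
        *)           return 1 ;;
    esac
}

# Default StoragePath per platform (from the technote's default locations).
default_storage_path() {
    case "$1" in
        Darwin) echo "/Library/Application Support/BigFix/BES Agent" ;;
        *)      echo "/var/opt/BESClient" ;;
    esac
}

# Step 1: destroy KeyStorage under the given StoragePath. The key is
# deliberately not backed up: the compromised key must stop existing on
# this host. Returns 1 if there was nothing to delete, so a wrong
# StoragePath is noticed instead of silently "succeeding".
remove_keystorage() {
    ks="$1/KeyStorage"
    if [ ! -d "$ks" ]; then
        echo "no KeyStorage directory at $ks" >&2
        return 1
    fi
    rm -rf "$ks"
    [ ! -e "$ks" ]
}

# Post-restart check: poll until KeyStorage exists again or the timeout
# (in seconds) expires. Assumption: the restarted agent recreates the
# directory when it generates its new key pair.
wait_for_keystorage() {
    ks="$1/KeyStorage"
    n="$2"
    while [ "$n" -gt 0 ]; do
        [ -d "$ks" ] && return 0
        sleep 1
        n=$((n - 1))
    done
    echo "KeyStorage not recreated after $2 s; check the agent log" >&2
    return 1
}

# Steps 1 and 2 together, then the check.
rotate_agent_key() {
    os="$(uname -s)"
    storage="${1:-$(default_storage_path "$os")}"
    cmd="$(restart_cmd "$os")" || {
        echo "unsupported platform: $os" >&2
        return 1
    }
    remove_keystorage "$storage" || return 1
    $cmd || return 1
    wait_for_keystorage "$storage" 60
}

# Only act when invoked explicitly, e.g.:
#   ./rotate-iem-key.sh --run
#   ./rotate-iem-key.sh --run /custom/StoragePath
if [ "${1:-}" = "--run" ]; then
    rotate_agent_key "${2:-}"
fi
```

After the script reports success, the console will show the endpoint under a new computer ID; remove the stale duplicate entry there, and if the endpoint reports through an authenticating relay, perform the manual key exchange before expecting it to report in.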
Product: Tivoli Endpoint Manager (Systems and Asset Management); Platform Independent; Version Independent
Keywords: IEM, TEM, BigFix