IBM Support

Rotating IEM agent private keys

Technote (FAQ)


Question

How do I rotate IBM Endpoint Manager agent private keys?

Cause

If an IEM agent has been compromised or the private key is provided to an untrusted party, the key can be rotated according to the steps below.

Answer

The following steps rotate the private key used by the IEM agent on an endpoint running platform release 9.0 or later. Read through all of the steps before starting. This document covers performing the rotation manually; before proceeding, verify that the platform does not already provide an automated way to do this, as capabilities change between releases.

The following steps must be performed as an administrator or root on the endpoint.

1) Delete the KeyStorage directory and all of its contents (located under the StoragePath location)
Default locations are as follows:

Windows 32 bit: C:\Program Files\BigFix Enterprise\BES Client\KeyStorage
Windows 64 bit: C:\Program Files (x86)\BigFix Enterprise\BES Client\KeyStorage
Mac OS X: /Library/Application Support/BigFix/BES Agent/KeyStorage
UNIX/Linux: /etc/opt/BESClient/KeyStorage

2) Restart the agent
Perform the following:

Windows: via the Services control panel, restart the "BES Client" service
Mac OS X: /Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgentControlPanel.sh -restart
AIX: /etc/rc.d/rc2.d/SBESClientd restart
HPUX: /sbin/init.d/besclient restart
Solaris or Linux: /etc/init.d/besclient restart
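The two steps above, scripted for the UNIX-like endpoints, as an added example rather than IBM's own tooling. It assumes the default StoragePath locations and restart commands listed above (a custom StoragePath needs the path adjusted), maps uname -s names to them, and expects the agent to recreate KeyStorage after the restart; Windows is left out because its restart goes through the Services control panel.

```shell
#!/bin/sh
# Added example (not IBM's code): rotate the IEM agent private key by deleting
# KeyStorage and restarting the agent, with the root check the technote requires.
set -eu

# Default KeyStorage path for a uname -s value (assumes default StoragePath).
keystorage_path() {
    case "$1" in
        Darwin) echo "/Library/Application Support/BigFix/BES Agent/KeyStorage" ;;
        AIX|HP-UX|SunOS|Linux) echo "/etc/opt/BESClient/KeyStorage" ;;
        *) return 1 ;;
    esac
}

# Agent restart command for a uname -s value, as listed in the technote.
restart_command() {
    case "$1" in
        Darwin) echo "/Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgentControlPanel.sh -restart" ;;
        AIX)    echo "/etc/rc.d/rc2.d/SBESClientd restart" ;;
        HP-UX)  echo "/sbin/init.d/besclient restart" ;;
        SunOS|Linux) echo "/etc/init.d/besclient restart" ;;
        *) return 1 ;;
    esac
}

rotate_iem_key() {
    os=$(uname -s)
    keystorage=$(keystorage_path "$os") || { echo "unsupported OS: $os" >&2; return 1; }
    restart=$(restart_command "$os")
    # Both steps must run as root.
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Step 1: delete KeyStorage and all of its contents.
    rm -rf "$keystorage"
    # Step 2: restart the agent so it generates a fresh key pair.
    $restart
    # Check: wait (up to ~60 s) for the agent to recreate KeyStorage before
    # moving on to the console clean-up. Assumption: the agent recreates it.
    i=0
    while [ ! -d "$keystorage" ] && [ "$i" -lt 30 ]; do sleep 2; i=$((i + 1)); done
    [ -d "$keystorage" ] || { echo "KeyStorage not recreated at $keystorage" >&2; return 1; }
    echo "new KeyStorage present at $keystorage"
}

# Only perform the rotation when explicitly requested: sh rotate.sh --rotate
if [ "${1:-}" = "--rotate" ]; then rotate_iem_key; fi
```

Expect a duplicate computer entry in the console afterwards, as the NOTE below describes.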

NOTE: When the agent reports in, the original computer id will no longer be valid and you will end up with a duplicate computer entry in the console.

Optionally, depending on the reason you are rotating the keys, you may wish to revoke the original client from the console. See the following link for instructions:
http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=%2Fcom.ibm.tem.doc_9.1%2FPlatform%2FConsole%2FRevokingClientCertificates.html

Please perform appropriate actions in the console to remove the old duplicate computer entries. See the following link for instructions: http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Platform/Console/c_removing_computers.html

If you are connecting to an authenticating relay (or there is a local relay that is authenticating) then you will need to perform a manual key exchange on the endpoint. See the following link for instructions: http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=%2Fcom.ibm.tem.doc_9.1%2FPlatform%2FConsole%2FManualKeyExchange.html


Cross reference information

Segment: Systems and Asset Management

Product: Tivoli Endpoint Manager

Platform: Platform Independent

Version: Version Independent

Product Alias/Synonym

IEM TEM BigFix

Document information

More support for: IBM BigFix family

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1670787

Modified date: 18 April 2014

