How do the central computer and agent exchange keys using the initialize, rekey, and reinitialize processes (NETIQKB33523)

  • 7733523
  • 02-Feb-2007
  • 11-Sep-2007

Resolution

goal
How do the central computer and agent exchange keys using the initialize, rekey, and reinitialize process?

goal
How do I force the central and agent computers to exchange keys?

goal
How do I trigger the re-initialization process?

fact
Security Manager 4.20

fact
Security Manager 4.50

fact
Security Manager 5.x

fix

The agent and central computer exchange keys using an initialize, rekey, and reinitialize process. These processes are defined as follows:

Initialize
The initialize process occurs automatically during agent deployment. It uses encrypted communication to exchange keys between the central computer and the agent. The agent then generates an initialization event that reports the serial number of the system hard drive and the MAC address of the first Ethernet card of the agent computer. You can use this information to manually validate the agent computer, because at this point no previously trusted key vouches for the new one. For more information about validating and examining the information for authenticated agents, please refer to the following knowledge base article:

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33528

Rekey
The rekey process lets the central computer and agent automatically exchange new keys at a fixed interval. Security Manager does not generate initialization events during a rekey, because the existing, already trusted keys vouch for the new ones: the agent and consolidator each sign their new public key with their existing private key, and the other side verifies that signature with the existing public key before accepting the new key. By default, the rekey period is 90 days. If the agent is not rekeyed for two rekey periods (for example because the agent was not running during that time), the existing keys are no longer accepted for a rekey and the agent must be reinitialized before it can communicate with the central computer again.

Reinitialize
The reinitialization process is the same as the initialization process except that it is manually initiated. The reinitialize process removes old keys and allows the central computer and agent to exchange new keys and generate initialization events. You can reinitialize the key exchange if you want to revalidate an agent computer or resolve an issue when a valid agent cannot successfully authenticate with the central computer. To complete the reinitialization process, the administrator must run the keyutils program on the agent machine to remove the existing public/private key pairs.
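The three processes above, modelled as an added example that is not Security Manager code and is not from this article. It assumes a Party type holding each side's key pair and the peer's trusted public key, an abstract day counter in place of real clocks, and the rule that a rekey attempted more than two rekey periods after the last exchange is refused. Ed25519 is used only to make "sign the new public key with the existing key" concrete; the article does not name the product's algorithm. The disk serial and MAC address in main are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed model parameters: the article gives a 90-day default rekey period
// and says a rekey missed for two periods forces reinitialization.
const (
	RekeyPeriodDays  = 90
	MaxMissedPeriods = 2
)

// Party is either the agent or the central computer (consolidator).
type Party struct {
	Name      string
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
	PeerPub   ed25519.PublicKey // trusted public key of the other side
	LastKeyed int               // day of the last completed key exchange
}

// InitEvent is the initialization event the agent raises; the administrator
// validates the computer out of band using these identifiers.
type InitEvent struct {
	Agent, DiskSerial, MAC string
}

// RekeyMessage carries a new public key signed with the sender's current key.
type RekeyMessage struct {
	From   string
	NewPub ed25519.PublicKey
	Sig    []byte
}

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Initialize models deployment: both sides generate fresh key pairs and swap
// public keys over the already-encrypted channel. Nothing vouches for these
// keys, so the agent emits an initialization event for manual validation.
func Initialize(agent, central *Party, day int, disk, mac string) InitEvent {
	agent.Pub, agent.priv = newKeyPair()
	central.Pub, central.priv = newKeyPair()
	agent.PeerPub, central.PeerPub = central.Pub, agent.Pub
	agent.LastKeyed, central.LastKeyed = day, day
	return InitEvent{Agent: agent.Name, DiskSerial: disk, MAC: mac}
}

// MakeRekey generates a new key pair and signs the new public key with the
// sender's existing private key. The new private key is returned for commit.
func (p *Party) MakeRekey() (RekeyMessage, ed25519.PrivateKey) {
	newPub, newPriv := newKeyPair()
	return RekeyMessage{From: p.Name, NewPub: newPub, Sig: ed25519.Sign(p.priv, newPub)}, newPriv
}

// VerifyRekey checks the peer's new key under the peer's currently trusted
// key, and refuses a rekey attempted too long after the last exchange.
func (p *Party) VerifyRekey(m RekeyMessage, day int) error {
	if len(p.PeerPub) != ed25519.PublicKeySize {
		return errors.New(p.Name + ": no trusted peer key, initialize first")
	}
	if day-p.LastKeyed > MaxMissedPeriods*RekeyPeriodDays {
		return fmt.Errorf("%s: %d days since last exchange, reinitialize required", p.Name, day-p.LastKeyed)
	}
	if !ed25519.Verify(p.PeerPub, m.NewPub, m.Sig) {
		return errors.New(p.Name + ": new public key not signed by trusted key of " + m.From)
	}
	return nil
}

// Rekey runs one rekey round. Both sides verify before either commits, so a
// failed round leaves both key sets unchanged. No initialization event is raised.
func Rekey(agent, central *Party, day int) error {
	aMsg, aPriv := agent.MakeRekey()
	cMsg, cPriv := central.MakeRekey()
	if err := central.VerifyRekey(aMsg, day); err != nil {
		return err
	}
	if err := agent.VerifyRekey(cMsg, day); err != nil {
		return err
	}
	agent.priv, agent.Pub, agent.PeerPub = aPriv, aMsg.NewPub, cMsg.NewPub
	central.priv, central.Pub, central.PeerPub = cPriv, cMsg.NewPub, aMsg.NewPub
	agent.LastKeyed, central.LastKeyed = day, day
	return nil
}

// Reinitialize models "Keyutils.exe -r" plus a service restart: the agent's
// keys are discarded and the initialize process runs again, raising a new event.
func Reinitialize(agent, central *Party, day int, disk, mac string) InitEvent {
	agent.priv, agent.Pub, agent.PeerPub = nil, nil, nil
	return Initialize(agent, central, day, disk, mac)
}

func main() {
	a, c := &Party{Name: "agent01"}, &Party{Name: "central"}
	ev := Initialize(a, c, 0, "WD-WCC4N1234567", "00:50:56:AB:CD:EF") // constructed identifiers
	fmt.Printf("init event: %+v\n", ev)
	fmt.Println("rekey day 90:", Rekey(a, c, 90))
	fmt.Println("rekey day 300 (agent offline > 2 periods):", Rekey(a, c, 300))
	ev = Reinitialize(a, c, 300, ev.DiskSerial, ev.MAC)
	fmt.Println("after reinit, rekey day 390:", Rekey(a, c, 390))
}
```

The point the model makes explicit is why a rekey needs no initialization event while a reinitialize does: in a rekey the new key is accepted only because a key that was already trusted signed it, whereas after the keys are removed there is nothing left to chain trust from, so the hardware identifiers in the event are the only evidence the administrator has that the right machine is enrolling.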

You can reinitialize only agent computers that support secure communications. You cannot reinitialize the following computers:

  • Computers that are not configured to use authentication.
  • Computers using outdated Security Manager agent software.
  • Central computers, which act as an agent on the local central computer, do not require a key exchange.
  • Computers unable to use encrypted communication, such as computers running the French version of Windows NT 4.0. Note: Security Manager 5.5 and later does not support Windows NT 4.0 computers.
  • Computers unable to use authenticated communication, such as computers sharing agents with Microsoft Operations Manager (MOM). Note: Security Manager 5.1 and later no longer share agents with MOM.

To reinitialize a key exchange between an agent and the central computer for Security Manager 5.5:

  1. On the Monitor Console computer, start the Monitor Console in the NetIQ Security Manager program group.
  2. Click Security Manager Monitor Console in the left pane to open the Today page.
  3. Click Launch Agent Administrator under Getting Started in the right pane.
  4. Click Agent Summary and then click Agent Summary View on the right side.
  5. For managed agents, select the agent, click ReKey Agent on the right side, and then click Yes to acknowledge the warning.
    For unmanaged agents, select the agent, click ReInitialize on the right side, and then click Yes to acknowledge the warning.
  6. After all agents have been processed, click Apply.
  7. Click Close, check Apply configuration changes now and then click OK twice.
  8. After the next agent manager scan, all agents selected for rekey will have their keys automatically rekeyed.
  9. Complete the reinitialization process on the unmanaged agent computer by completing the following steps:

    1. Log on with an administrator account to the unmanaged agent computer.
    2. Stop the NetIQ Security Manager service using the 'Services' administrative tool. Administrative Tools are located in the Control Panel.
    3. Run the following command at the command prompt in the folder where you installed the agent, typically C:\Program Files\NetIQ Security Manager\OnePoint:

      Keyutils.exe -r configurationgroup

      Where configurationgroup is the name of the configuration group containing the agent computer.

    4. Restart the Security Manager service.


To reinitialize a key exchange between an agent and the central computer for Security Manager 5.1 and below:

  1. Begin the reinitialization process by completing the following steps:
    1. On the 'Monitor Console' computer, start the Monitor Console in the NetIQ Security Manager program group.
    2. Expand the Security Manager Monitor Console in the left pane.
    3. Expand Configuration in the left pane.
    4. Click Central Computers (Agent Managers for 4.5 and below) in the left pane.
    5. In the right pane, click the Central Computer (Agent Manager for 4.5 and below) for the agent you want to reinitialize the key exchange.
    6. Click Properties, from the 'Action' menu.
    7. On the 'Managed Computers' tab, click the computer with the agent for which you want to reinitialize the key exchange.
    8. Click Reinitialize.
    9. Click Yes.
    10. Click OK.
  2. Complete the reinitialization process on the agent computer by completing the following steps:

    1. Log on with an administrator account to the agent computer.
    2. Stop the NetIQ Security Manager service (OnePoint service for 5.0 and below) using the 'Services' administrative tool. Administrative Tools are located in the Control Panel.
    3. Run the following command at the command prompt in the folder where you installed the agent, typically C:\Program Files\NetIQ Security Manager\OnePoint (C:\Program Files\MCS OnePoint\OnePoint for 5.0 and below):

      Keyutils.exe -r configurationgroup

      Where configurationgroup is the name of the configuration group containing the agent computer.

    4. Restart the Security Manager service (OnePoint service for 5.0 and below).
  3. Review the initialization event in the Security Views | Security Manager Self-monitoring | Agents | Agent Initialization Events view, and confirm that the hard drive serial number and MAC address it reports match the agent computer before treating the agent as validated.


note

Overview of Agent Authentication mechanism in Security Manager.

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33349

How can I troubleshoot and resolve errors with Agent Authentication failures?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33348

How can I validate and examine the information for authenticated agents?

 https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB33528

What ports, communication and encryption methods does Security Manager use?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1092 



Additional Information

Formerly known as NETIQKB33523