How do I enable encryption in an existing AppManager environment? (NETIQKB71546)

  • 7771546
  • 24-Apr-2009
  • 20-Dec-2010

Environment

NetIQ AppManager 6.x
NetIQ AppManager 7.0.x

Situation

What are the steps that need to be performed in order to enable encryption in AppManager?
What steps should be performed to change the encryption level in AppManager from Clear Text to Security Level 2?

Resolution

In order to enable encryption (Security Level 2) in AppManager perform the following steps in the order referenced below:

PS:  The types of encryption available in AppManager and the description of each are documented in the AppManager Administration Guide.  Before you perform the following steps we strongly recommend that you refer to Chapter 2 (Site Communication and Security) to familiarize yourself with the available options.

  1. On the Repository server, go to the command line (Start --> Run --> cmd)
  2. Execute the following command:
    • nqkeygenwindows -db DatabaseName:SqlUserName:SqlServerName -new (for Windows authentication use: DatabaseName::SqlServerName)
  3. Extract the key (ckey) to be used by the agents.
    • Before extracting the key you will need to create a shared folder that will be accessible by all agents where encryption is being enabled.
  4. To extract the key (ckey) from the repository execute the following command from the command line on the QDB server.
    • nqkeygenwindows -db DatabaseName::SqlServerName -ckey <PathToSharedFolder>\ckey.txt
  5. Verify that the key file was created and is accessible.
  6. Raise the security level of the QDB by executing the following command:
    • nqkeygenwindows -db DatabaseName::SqlServerName -seclev 2
  7. Drop the AgentConfigSecurityKey KS on the agents where encryption is being configured.
    • The location to the key file should look like: \\servername\filepath\ckey.txt
    • Encryption password is the material password you entered when you created the Key pair in the repository.
  8. All of the agents will now have the correct path to the key file. Any agents that fail to update should be looked at to make sure they are online and able to communicate. Do not proceed until all agents have successfully been updated.
  9. Drop the AgentConfigSecurityLevel KS on all of the agents where encryption is being configured EXCEPT the MS(s).
    • Set the security level parameter to 2 before running the job.
  10. Drop the AMAdmin_RestartAMServices job on all of the agents where encryption has been configured EXCEPT the MS(s).
    • Configuration of this KS should restart only the NetIQMC service. The NetIQccm service should be configured to both Stop and Start.
  11. Once the agent services have been restarted you will need to repeat step 9 on all Management Servers.
  12. Restart all Agent services and Management Server Service on the MS(s).
  13. Communication will now be restored with the appropriate security level in place.
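As an added example (not part of the NetIQ article), the following PowerShell script performs steps 2 to 6 on the repository server and adds the checks a practitioner would want before the security level is raised: the share must be reachable, and the extracted ckey.txt must exist, be non-empty and be readable over the UNC path the agents will use. It assumes nqkeygenwindows.exe is on PATH, that it returns a non-zero exit code on failure, and that the same -db form is accepted by all three invocations; the parameter names are the script's own.

```powershell
# Added example, not NetIQ's own tooling. Run on the QDB (repository) server.
# Assumes nqkeygenwindows.exe is on PATH and returns a non-zero exit code on failure.
param(
    [Parameter(Mandatory)] [string] $DatabaseName,
    [Parameter(Mandatory)] [string] $SqlServerName,
    [Parameter(Mandatory)] [string] $KeyShare,   # UNC path, e.g. \\servername\AMKeys (constructed)
    [string] $SqlUserName = ''                    # empty = Windows authentication
)
$ErrorActionPreference = 'Stop'

# Step 2: the -db argument takes DatabaseName:SqlUserName:SqlServerName for SQL
# authentication and DatabaseName::SqlServerName for Windows authentication.
$db = if ($SqlUserName) { "${DatabaseName}:${SqlUserName}:${SqlServerName}" }
      else               { "${DatabaseName}::${SqlServerName}" }

function Invoke-KeyGen {
    param([string[]] $KeyGenArgs)
    & nqkeygenwindows -db $db @KeyGenArgs
    if ($LASTEXITCODE -ne 0) {
        throw "nqkeygenwindows $($KeyGenArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 3: the shared folder must exist and be reachable before the key is written into it.
if (-not (Test-Path -LiteralPath $KeyShare -PathType Container)) {
    throw "Key share $KeyShare is not reachable from this host; create and share it first"
}

# Step 2: generate the new key pair in the repository. You will be asked for the key
# material password; the AgentConfigSecurityKey KS in step 7 needs the same password.
Invoke-KeyGen -KeyGenArgs @('-new')

# Step 4: extract the agent key (ckey) into the share.
$ckeyPath = Join-Path $KeyShare 'ckey.txt'
Invoke-KeyGen -KeyGenArgs @('-ckey', $ckeyPath)

# Step 5: verify the key file was created, is non-empty and is readable over the UNC path.
# An empty or unreadable ckey.txt would leave agents unable to pick up the key in step 7.
$ckey = Get-Item -LiteralPath $ckeyPath
if ($ckey.Length -eq 0) { throw "$ckeyPath was created but is empty" }
$null = Get-Content -LiteralPath $ckeyPath -TotalCount 1

# Step 6: only now raise the repository to security level 2.
Invoke-KeyGen -KeyGenArgs @('-seclev', '2')
Write-Host "Repository $DatabaseName on $SqlServerName is at security level 2; key at $ckeyPath."
Write-Host "Continue with step 7 (AgentConfigSecurityKey KS) on the agents."
```

The script stops at the first failed check so that the security level is never raised before a usable key file is in place for the agents.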

Additional Information

Formerly known as NETIQKB71546

For either security level, all communication between the management server and the agent is encrypted using 40-bit RPC encryption. The option to use encryption and authentication requires the 128-bit Windows High Encryption Pack, which must be installed on the managed client. The High Encryption Pack can be exported from the U.S. to worldwide destinations, except where expressly restricted.