Environment
NetIQ AppManager 7.0.x
Situation
What steps should be performed to change the encryption level in AppManager from Clear Text to Security Level 2?
Resolution
- On the Repository server, go to the command line (Start --> Run --> cmd)
- Execute the following command:
- nqkeygenwindows -db DatabaseName:SqlUserName:SqlServerName -new (for Windows authentication use: DatabaseName::SqlServerName)
- Extract the key (ckey) to be used by the agents.
- Before extracting the key you will need to create a shared folder that will be accessible by all agents where encryption is being enabled.
- To extract the key (ckey) from the repository, execute the following command from the command line on the QDB server:
- nqkeygenwindows -db DatabaseName::SqlServerName -ckey <PathToSharedFolder>\ckey.txt
- Verify that the key file was created and is accessible.
- Raise the security level of the QDB by executing the following command:
- nqkeygenwindows -db DatabaseName::SqlServerName -seclev 2
- Drop the AgentConfigSecurityKey KS on the agents where encryption is being configured.
- The location of the key file should look like: \\servername\filepath\ckey.txt
- The encryption password is the material password you entered when you created the key pair in the repository.
- All of the agents will now have the correct path to the key file. Any agents that fail to update should be checked to make sure they are online and able to communicate. Do not proceed until all agents have successfully been updated.
- Drop the AgentConfigSecurityLevel KS on all of the agents where encryption is being configured EXCEPT the MS(s).
- Set the security level parameter to 2 before running the job.
- Drop the AMAdmin_RestartAMServices job on all of the agents where encryption has been configured EXCEPT the MS(s).
- Configuration of this KS should restart only the NetIQMC service. The NetIQccm service should be configured to both Stop and Start.
- Once the agent services have been restarted you will need to repeat step 9 on all Management Servers.
- Restart all Agent services and Management Server Service on the MS(s).
- Communication will now be restored with the appropriate security level in place.
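The "Verify that the key file was created and is accessible" step can be scripted before the AgentConfigSecurityKey KS is dropped. The following is an added example, not NetIQ code: the function name Test-CKeyFile is hypothetical, the default path is the article's placeholder, and it assumes PowerShell 3.0 or later and English-language group names.

```powershell
# Added example (not NetIQ code): pre-flight check of the exported ckey file.
# Run it before dropping the AgentConfigSecurityKey KS.
param(
    # Placeholder in the article's \\servername\filepath\ckey.txt form (assumption).
    [string]$KeyPath = '\\servername\filepath\ckey.txt'
)

function Test-CKeyFile {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $r = [ordered]@{ Path = $Path; IsUnc = $Path.StartsWith('\\'); Exists = $false
                     NonEmpty = $false; Readable = $false; BroadWriteAccess = @() }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]$r
    }
    $r.Exists   = $true
    $r.NonEmpty = (Get-Item -LiteralPath $Path).Length -gt 0

    # Open read-only to prove the file can be read by the account running this script.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
        $fs.Dispose()
        $r.Readable = $true
    } catch {
        Write-Warning "Cannot read key file: $($_.Exception.Message)"
    }

    # Agents need to read the key file; flag broad groups that can also modify it.
    # Group names assume an English-language Windows install.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $r.BroadWriteAccess = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        [int]($_.FileSystemRights -band $write) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]$r
}

Test-CKeyFile -Path $KeyPath
```

Readable reflects the account running the script, so run it under an account with the same share access the agents use. Proceed only when IsUnc, Exists, NonEmpty and Readable are all True, and review any entries listed in BroadWriteAccess.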
Additional Information
For either security level, all communication between the management server and the agent is encrypted using 40-bit RPC encryption. The option to use encryption and authentication requires the 128-bit Windows High Encryption Pack, which must be installed on the managed client. The High Encryption Pack can be exported from the U.S. to worldwide destinations, except where expressly restricted.