Managing Client Encryption
Server and relay-bound communications from clients can be encrypted to prevent unauthorized access to sensitive information. To enable it, you must generate a key and provide a setting value. The value is set in the console and is described in Enabling encryption on Clients.
On a Windows server, the key is generated from the Encryption tab of the IBM BigFix Administration Tool:
- Launch the IBM BigFix Administration Tool by selecting Start > Programs > IBM BigFix > IBM BigFix Administration Tool.
- Select the Encryption tab.
At the top of the dialog is a statement of the current state (in this example: Report encryption is currently DISABLED). Client encryption has four states: Disabled, Pending, Enabled, and Pending Rotation:
- Disabled: No encryption certificate is included in your deployment masthead, which means that Clients cannot encrypt their reports even if they are told to do so. Click Generate Key to create an encryption certificate (and the corresponding private key, which is used to decrypt reports at the receiving end). The state is then set to Pending.
- Pending: An encryption certificate has been generated and is ready for deployment, but the private key has not yet been distributed to all the relays and servers that must decrypt reports. When you have manually distributed the private key, click the Enable Encryption button to embed the certificate in the masthead and send it out to all clients. The state is then set to Enabled. Click Cancel to return to the Disabled state.
- Enabled: An encryption certificate has been found in your deployment masthead, which means that you can turn on encryption (using the setting discussed previously) for any of the clients in your deployment. At any time, you can click Generate new key to create a new encryption certificate. This is useful if you have a key rotation policy or if your encryption key is ever compromised (see next section). Generating a new key returns the state to Pending (unless you choose to deploy immediately as described in the next section). You can also click Disable to move back to the Disabled state.
- Pending Rotation: An encryption certificate is included in your deployment masthead, and a new certificate has been generated and is ready to replace the existing certificate.
On a Linux server, you can enable client encryption as follows. Run this command as the super user:
/opt/BESServer/bin/BESAdmin.sh -reportencryption
To list all the available options, run:
./BESAdmin.sh -reportencryption -h