Changing the encryption key to secure PATROL Agent data


By default, the TrueSight Presentation Server installation generates unique keys that are used to encrypt:

  • Infrastructure Management policy data credentials, and the PATROL Agent query command credentials that are sent to the PATROL Agent.
  • Policy data credentials stored in the policy store of the TrueSight Presentation Server.

After the TrueSight Presentation Server is installed, you can change these unique keys by using the Presentation Server tssh command, according to your key rotation policy.

Best practice
BMC recommends that you export the policies before changing the encryption key. For step-by-step instructions about how to export monitoring policies, see Exporting and importing blackout and monitoring policies.


To change the encryption key

Perform the following sequence of steps to change the unique key:

  1. Log in to the computer on which the Presentation Server is installed, and navigate to the <Presentation Server Install Directory>\truesightpserver\bin directory.
  2. Run the following command to change the key:

    #Syntax
    tssh key set <module name> (PatrolAgent | PolicyStore) <tenant name>

    Important information

    • BMC recommends that you restart the Presentation Server after changing the key.
    • The default value for the <tenant name> is *.

Example: To change the encryption key for the PATROL Agent

Run the following command to change the unique key that is used to encrypt the policy data credentials and the PATROL Agent query command credentials that are sent to the PATROL Agent.

  1. Run the command as shown in the following code block:

    tssh key set PatrolAgent
  2. When you run the preceding command, you are prompted to provide a user name and password to complete the key change request, as shown in the following screenshot:

    pa_key_set.png

    Note

    To change the unique key, ensure that you have Administrator-level access.

Example: To change the encryption key for the policy store

Run the following command to change the unique key that is used to encrypt the PATROL Agent policy credentials stored in the policy store.

  1. Run the command as shown in the following code block:

    tssh key set PolicyStore
  2. When you run the preceding command, you are prompted to provide a user name, password, and a passphrase to complete the key change request, as shown in the following screenshot:

    policy_key_set.png

    Note

