Certain Unix, Linux and Mac (ULM) agent data that was in clear text in previous versions has been encrypted in 7.5. Among the data that is now encrypted are the package codebase and policy xml files, which are useful for troubleshooting purposes. This data can be made available in a decrypted format by applying what is known as a ‘troubleshooting password’ and running the ‘aex-dsecuredb’ command on a ULM client computer.
On ULM clients, the encrypted data directory is located at:
The complete contents of the files within the securedb directory are encrypted and appear as binary files.
Once the ‘aex-dsecuredb’ command runs, the following directory will contain decrypted copies of the files from the securedb directory:
Set the troubleshooting password in the SMP console.
Allow or force the client to get the troubleshooting password by refreshing policies on the client.
Run 'aex-dsecuredb' or 'aex-dsecuredb -high' depending on the data needed.
Browse decrypted data located at: /opt/altiris/notification/nsagent/var/securedb.decrypted.
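Because the steps above leave clear-text copies of otherwise encrypted data on disk, the following added example (not part of the original article or of the agent's own tooling) reports whether decrypted copies exist and which of them carry group or other permission bits. The function name, the return codes and the expectation that only the owner should be able to read these files are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the clear-text copies that aex-dsecuredb leaves behind.
# The default path is the one the article gives; the function name and the
# "owner-only" expectation are assumptions of this example.
DECRYPTED_DIR="/opt/altiris/notification/nsagent/var/securedb.decrypted"

# audit_decrypted_dir [DIR]
# Prints one line per finding and returns:
#   0  no decrypted copies present (directory missing or holds no files)
#   1  copies present, none with group/other read or write bits
#   2  copies present and at least one has group/other read or write bits
# The check looks at each file's own mode bits only, so it is conservative:
# a restrictive parent directory may still block access to a flagged file.
audit_decrypted_dir() {
    dir="${1:-$DECRYPTED_DIR}"
    [ -d "$dir" ] || { echo "OK: $dir does not exist"; return 0; }

    total=$(find "$dir" -type f | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || { echo "OK: $dir holds no files"; return 0; }

    # POSIX find: -perm -NNN matches when all listed bits are set, so each
    # group/other read or write bit is tested separately and OR-ed together.
    exposed=$(find "$dir" -type f \( -perm -040 -o -perm -020 \
                                    -o -perm -004 -o -perm -002 \) -print)
    echo "INFO: $total decrypted file(s) under $dir"
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^/EXPOSED: /'
        return 2
    fi
    echo "OK: files are accessible to the owner only"
    return 1
}
```

Call audit_decrypted_dir with sudo rights once troubleshooting is finished; a return code of 1 or 2 means clear-text copies are still on disk.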
Setting the troubleshooting password
The troubleshooting password field is available in the 7.5 SMP/NS console at Settings, All Settings, Agents/Plug-ins, Symantec Management Agent, Settings, Symantec Management Agent Settings – Global, ‘Authentication’ tab, in the ‘Remote troubleshooting password’ section.
After checking the ‘Allow remote troubleshooting’ checkbox and entering a secure password, the troubleshooting password will be encrypted and sent to the clients as part of the global policy. Note that this feature requires a password of at least eight characters that contains at least one upper case letter, one lower case letter, one number and one special character.
Following is a screen shot of the ‘troubleshooting password’ screen in the NS console:
Decrypting securedb data on the ULM clients
The ULM agent includes a command named ‘aex-dsecuredb’. This command creates decrypted copies of the securedb directory’s encrypted files.
Please note the following regarding the aex-dsecuredb command:
This command does not decrypt password, certificate or other highly sensitive data. This type of data stays encrypted.
The command can be run with or without command line parameters.
Running this command without a command line parameter does NOT require the troubleshooting password and only decrypts a limited set of securedb data.
Running this command with the “-high” command line parameter will prompt for the troubleshooting password. After successfully entering the troubleshooting password, the utility will decrypt a complete set of securedb data.
Sudo or root privileges are required for running the command with the “-high” option.
The troubleshooting password prompt, “Enter superuser password” (“-high” option only), is prompting for the troubleshooting password set in the NS console. It is NOT prompting for the local root or admin password of the computer. Any other references to the superuser password when using this utility refer to the troubleshooting password.
If the client has not yet been updated with the troubleshooting password and the “-high” parameter is entered, the command will return, “Unable to verify superuser password, call ‘aex-refreshpolicies’”.
A soft link to the command should be in the /usr/bin directory so it can be run from anywhere. The actual path to the utility is: /opt/altiris/notification/nsagent/bin/aex-dsecuredb.
This mode does not prompt for the troubleshooting password. Running this command without any command line parameters results in the decryption of a very limited set of directories and files.
$ sudo aex-dsecuredb
Decrypted files will be located in /opt/altiris/notification/nsagent/var/securedb.decrypted
Finished successfully
The resulting directory tree is something like:
|-ctagent
|---cache
|-nsagent
|---enrollment
This mode requires elevated privileges and prompts for the troubleshooting password. After successfully entering the troubleshooting password when prompted, this mode creates a complete set of decrypted files.
$ sudo aex-dsecuredb -high
Enter superuser password:
Decrypted files will be located in /opt/altiris/notification/nsagent/var/securedb.decrypted
Finished successfully
The resulting directory tree is something like the following. Note that all securedb directories have been decrypted.
Policy files contain information regarding each policy assigned to a given client, including (depending on the policy type), the policy name, execution priorities, applicable platforms and other criteria unique to each policy type.
After decrypting the securedb with the “-high” parameter, the decrypted policies are available in: