A.1 Key File Utility for Windows Agents

The NetIQ Corporation key file generation program, NQKeyGenWindows.exe, is a command-line program used to set the security level for an AppManager management site and to generate and manage public/private encryption keys for secure communication between the management server and Windows managed computers. This utility is installed in the NetIQ\AppManager\bin folder.

The basic syntax for the NQKeyGenWindows.exe program is:

NQKeyGenWindows -option value

NOTE: Type NQKeyGenWindows without specifying any options to see usage information.

The program supports the following command-line options:

-db

Specifies the login information for connecting to the repository using the following format:

NQKeyGenWindows -db database_name:user_name:sql_server

For example:

NQKeyGenWindows -db qdb:smithj:nyc2003

If you are using Windows authentication to connect to the repository, leave the user name field blank but keep both separators, for example qdb::nyc2003. If you are using SQL Server authentication, type a SQL Server user name for connecting to the repository. The program prompts for the password to use for the SQL Server account.

NOTE: Most of the other options require you to specify the connection information. If you use this option without specifying any additional options, the command displays the current security level setting.

-new

Creates a new record in the repository for the key information used to encrypt communication and authenticate the management server to the agents. For example:

NQKeyGenWindows -db db:user:sqlsvr -new

To create a new key file to share across multiple repositories on a computer other than the repository, use the command:

NQKeyGenWindows -new filelocation

This option creates a new key with password protection in the specified file location without checking it into the repository.

NOTE: When you use the -new option, you’ll be prompted to provide a password for the key stored in the repository. You must specify a password to create the key.

-change

Changes the key information stored in the repository to use the new key file you specify. You must specify the key file password you used to create the key and the location of the key file to use.

For example:

NQKeyGenWindows -db db:user:sqlsvr -change filelocation

This option enables you to check an existing key from a key file into a new repository when you want to share a key file across multiple repositories and management servers.

NOTE: When you use this option, you’ll be prompted to provide the password you specified when you created the key.

-ckey

Extracts only the agent portion of the key stored in the repository. You must specify a location for the agent key file.

For example:

NQKeyGenWindows -db db:user:sqlsvr -ckey filelocation

To extract the agent portion of the key, you must run NQKeyGenWindows on a management server.

NOTE: When you use this option, you’ll be prompted to provide the password you specified when you created the key in the repository.

Once you extract the agent portion of the key, you can copy the file and distribute it to the agents for encryption or authentication and encryption.

-info

Displays the current security level setting stored in the repository. You are then prompted for the repository key password to display the checksum for verifying the encryption key and authentication key for an agent. For example:

NQKeyGenWindows -db db:user:sqlsvr -info

You can compare the checksum from the repository with the checksum returned by the -agentinfo option to verify whether an agent is using the correct key file for a specific repository.

You can only use this option if you run NQKeyGenWindows on a management server computer.

-skey

Extracts the key information stored in the repository. You must specify a location for the key file.

For example:

NQKeyGenWindows -db db:user:sqlsvr -skey filelocation

NOTE: When you use this option, you’ll be prompted to provide the password you specified when you created the key in the repository.

This option checks out the current key into a password-protected file format. This file then can be checked into a different repository using the -change option.

You can only use this option if you run NQKeyGenWindows on a management server computer.

-seclev

Sets the security level in the repository for communication between the management server and agents. Valid security levels are:

  • 0 for no security

  • 1 for encryption only security

  • 2 for authentication of the management server and encryption

NOTE: If you change the security level, the change takes effect when the management server is restarted.

For example, to set the security level to use authentication of the management server:

NQKeyGenWindows -db db:user:sqlsvr -seclev 2

-agentchange

Changes the agent key file for a managed computer to a key file you specify. The file location must be a local path.

For example:

NQKeyGenWindows -agentchange filelocation

This option enables you to update the agent key file for a managed computer.

-agentinfo

Displays the checksum for verifying the encryption key and authentication key for an agent. For example:

NQKeyGenWindows -agentinfo

This option is useful for comparing the key information stored in the repository with the agent key information recorded for a managed computer to verify whether the correct key is being used.

-agentseclev

Sets the security level in the managed computer registry for communication between the management server and the agent. The valid security levels are:

  • 0 for no security

  • 1 for encryption only security

  • 2 for authentication of the management server and encryption

For example, to set the security level to use authentication of the management server:

NQKeyGenWindows -agentseclev 2

-remoteseclev

Sets the security level in the registry of a remote managed computer. You must specify the hostname of the remote computer for which you want to set a security level. For example, to set the security level to authentication and encryption for the remote computer AJAX:

NQKeyGenWindows -remoteseclev ajax 2

The valid security levels are:

  • 0 for no security

  • 1 for encryption only security

  • 2 for authentication of the management server and encryption

Requires a user account with permission to access the remote computer’s registry.
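The agent-side options above (-ckey, -agentchange, -agentinfo, -agentseclev, -remoteseclev) together form one rollout procedure: extract the agent portion of the key on a management server, install it on each managed computer, confirm the agent's checksum matches the repository's, and only then raise the agent's security level. The PowerShell script below is an added example of that procedure, not code from NetIQ or from this documentation. It assumes the default install path C:\Program Files\NetIQ\AppManager\bin on both sides, that NQKeyGenWindows.exe returns a non-zero exit code on failure, that the agents' C$ share and PowerShell remoting are reachable with an account that can also access their remote registry, and that the checksum printed by -info and -agentinfo appears as a run of hexadecimal digits. The host names, file names and the repository connection string are placeholders; the repository key password prompts remain interactive, so run it from a console on the management server.

```powershell
# Added example (not NetIQ's code): roll an agent key file out to Windows agents,
# verify the checksum on each agent against the repository, then set the level.
$ErrorActionPreference = 'Stop'
$Bin      = 'C:\Program Files\NetIQ\AppManager\bin'   # assumed install path
$KeyGen   = Join-Path $Bin 'NQKeyGenWindows.exe'
$DbConn   = 'qdb::nyc2003'                            # Windows authentication: user name blank
$AgentKey = Join-Path $env:TEMP 'agentkey.dat'        # hypothetical file name
$Agents   = @('ajax', 'hermes')                       # constructed host list
$SecLevel = 2                                         # authentication + encryption

function Invoke-KeyGen {
    # Run NQKeyGenWindows.exe and return its output lines; the utility prompts for the
    # repository key password itself. Non-zero exit code on failure is an assumption.
    param([string[]]$Arguments)
    $out = & $KeyGen @Arguments
    if ($LASTEXITCODE -ne 0) { throw "NQKeyGenWindows $($Arguments -join ' ') failed" }
    return $out
}

function Get-HexTokens {
    # Pull hex-looking tokens (8+ hex digits) out of tool output. The checksum format
    # is not documented on this page, so this regex is an assumption to adjust.
    param([string[]]$Lines)
    $text  = ($Lines | ForEach-Object { "$_" }) -join "`n"
    $found = [regex]::Matches($text, '\b[0-9A-Fa-f]{8,}\b')
    return @($found | ForEach-Object { $_.Value } | Sort-Object -Unique)
}

# 1. On the management server: extract only the agent portion of the repository key.
Invoke-KeyGen @('-db', $DbConn, '-ckey', $AgentKey) | Out-Null
if (-not (Test-Path $AgentKey)) { throw "agent key file was not written to $AgentKey" }

# 2. Record the repository-side checksum (-info prompts for the key password).
$repoChecksums = Get-HexTokens (Invoke-KeyGen @('-db', $DbConn, '-info'))
if ($repoChecksums.Count -eq 0) { throw 'no checksum recognised in -info output; adjust Get-HexTokens' }

foreach ($agent in $Agents) {
    # 3. Copy the agent key file to the managed computer; -agentchange needs a local path there.
    Copy-Item -Path $AgentKey -Destination "\\$agent\C$\Windows\Temp\agentkey.dat" -Force

    # 4. On the agent: install the key (-agentchange), delete the copy, report its checksum.
    $agentOut = Invoke-Command -ComputerName $agent -ArgumentList $Bin -ScriptBlock {
        param($Bin)
        $kg  = Join-Path $Bin 'NQKeyGenWindows.exe'
        $key = 'C:\Windows\Temp\agentkey.dat'
        & $kg -agentchange $key
        if ($LASTEXITCODE -ne 0) { throw "-agentchange failed on $env:COMPUTERNAME" }
        Remove-Item $key -Force          # do not leave the key file on disk
        & $kg -agentinfo
    }

    # 5. Compare the agent's checksum with the repository's before raising the level.
    $agentChecksums = Get-HexTokens $agentOut
    $matched = @($repoChecksums | Where-Object { $agentChecksums -contains $_ })
    if ($matched.Count -eq 0) {
        Write-Warning "$agent : checksum does not match the repository key; security level left unchanged"
        continue
    }

    # 6. Set the agent's level through its remote registry (-remoteseclev). Running
    #    '-agentseclev 2' locally on the agent is the equivalent alternative.
    Invoke-KeyGen @('-remoteseclev', $agent, "$SecLevel") | Out-Null
    Write-Host "$agent : key verified ($($matched -join ', ')), security level set to $SecLevel"
}

Remove-Item $AgentKey -Force   # the extracted agent key is sensitive; remove it when done
```

The agent level is only raised after the checksum comparison succeeds, because an agent at level 2 with the wrong key cannot authenticate the management server. The repository-side level is set separately with -seclev and takes effect after the management server restarts.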

-convert

Converts an old key file from a previous release to the new key file format. For example:

NQKeyGenWindows -convert oldkeylocation newkeylocation

Enables you to check an older key file generated using the NetIQ Encryption Utility (rpckey.exe) in AppManager 5.0.1 and earlier into the repository and continue using it for all of your agents.

After converting an old key file, use the -change option to check the key information into the repository, set the security level to 1 with the -seclev option, and restart your management servers.

For more information about updating an older key file after upgrading to AppManager, see the Upgrade and Migration Guide for AppManager, available on the AppManager Documentation page.

-verify

Verifies the password and encrypted key file location are correct and can be imported into the repository. To use this option, you must specify the password used to create the public/private key and the location of the key file extracted from the repository.

For example:

NQKeyGenWindows -verify filelocation

NOTE: You are prompted to provide the password you specified when you created the key.
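The -skey, -verify, -change and -seclev options above are the pieces of the procedure for sharing one key across repositories: check the key out of the first repository, confirm the file and password are importable, check it into the second repository, set that repository's security level, and restart its management server. The PowerShell script below is an added example of that sequence, not code from NetIQ or from this documentation. It assumes the default install path, that NQKeyGenWindows.exe returns a non-zero exit code on failure, that it is run on a management server (which -skey requires), and that the management server runs as the Windows service NetIQms; the repository connection strings and file path are placeholders, and the password prompts remain interactive.

```powershell
# Added example (not NetIQ's code): move the key held in repository A into repository B
# so a single key file serves both, then set the level and restart the management server.
$ErrorActionPreference = 'Stop'
$KeyGen    = 'C:\Program Files\NetIQ\AppManager\bin\NQKeyGenWindows.exe'  # assumed path
$SrcDb     = 'qdb_a:smithj:nyc2003'    # SQL Server authentication: password is prompted
$DstDb     = 'qdb_b::nyc2003'          # Windows authentication: user name left blank
$KeyFile   = Join-Path $env:TEMP 'shared-key.dat'   # hypothetical path for the checked-out key
$MsService = 'NetIQms'                 # assumed management server service name

function Invoke-KeyGen {
    # Run NQKeyGenWindows.exe and return its output; the utility prompts for the key
    # password itself. Non-zero exit code on failure is an assumption.
    param([string[]]$Arguments)
    $out = & $KeyGen @Arguments
    if ($LASTEXITCODE -ne 0) { throw "NQKeyGenWindows $($Arguments -join ' ') failed" }
    return $out
}

try {
    # 1. Check the current key out of the source repository into a password-protected file.
    Invoke-KeyGen @('-db', $SrcDb, '-skey', $KeyFile) | Out-Null
    if (-not (Test-Path $KeyFile)) { throw "key file was not written to $KeyFile" }

    # 2. Confirm the file and its password can be imported before touching the target.
    Invoke-KeyGen @('-verify', $KeyFile) | Out-Null

    # 3. Check the key into the target repository and require authentication + encryption.
    Invoke-KeyGen @('-db', $DstDb, '-change', $KeyFile) | Out-Null
    Invoke-KeyGen @('-db', $DstDb, '-seclev', '2')      | Out-Null

    # 4. The new level only takes effect once the management server restarts.
    Restart-Service -Name $MsService

    # 5. -db with no other option prints the stored level; show it as a final check.
    Invoke-KeyGen @('-db', $DstDb)
}
finally {
    # The checked-out key file is as sensitive as the repository key: remove it either way.
    # On failure, re-run -skey from the source repository rather than keeping a copy around.
    if (Test-Path $KeyFile) { Remove-Item $KeyFile -Force }
}
```

Running -verify before -change costs one extra password prompt but means a wrong password or a corrupted file is caught before anything in the target repository is modified. Agents of the second repository still need the agent portion of the same key, extracted with -ckey and installed with -agentchange.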