Setting the Troubleshooting Password & Decrypting Agent Files on Unix, Linux and Mac Clients

Article ID: 181702

Products

Notification Server Agent for Macintosh (Altiris)
Notification Server Agent for Unix/Linux (Altiris)

Issue/Introduction

 

Resolution

 Certain Unix, Linux and Mac (ULM) agent data that was stored in clear text in previous versions is encrypted in 7.5. The encrypted data includes the package codebase and policy XML files, which are useful for troubleshooting. This data can be made available in decrypted form by applying what is known as a ‘troubleshooting password’ and running the ‘aex-dsecuredb’ command on a ULM client computer.

 On ULM clients, the encrypted data directory is located at:

             /opt/altiris/notification/nsagent/var/securedb

 The complete contents of the files within the securedb directory are encrypted and appear as binary files.

 Once the ‘aex-dsecuredb’ command runs, the following directory will contain decrypted copies of the files from the securedb directory:

             /opt/altiris/notification/nsagent/var/securedb.decrypted

  

High-level Overview

  1. Set the troubleshooting password in the SMP console.
  2. Allow or force the client to get the troubleshooting password by refreshing policies on the client.
  3. Run 'aex-dsecuredb' or 'aex-dsecuredb -high' depending on the data needed.
  4. Browse decrypted data located at: /opt/altiris/notification/nsagent/var/securedb.decrypted

 

Setting the troubleshooting password

The troubleshooting password field is available in the 7.5 SMP/NS console at Settings, All Settings, Agents/Plug-ins, Symantec Management Agent, Settings, Symantec Management Agent Settings – Global, ‘Authentication’ tab, in the ‘Remote troubleshooting password’ section.   

After checking the ‘Allow remote troubleshooting’ checkbox and entering a secure password, the troubleshooting password will be encrypted and sent to the clients as part of the global policy. Note that the password must be at least eight characters long and must contain at least one upper case letter, one lower case letter, one number and one special character.

Following is a screen shot of the ‘troubleshooting password’ screen in the NS console:

 

 

 

Decrypting securedb data on the ULM clients

The ULM agent includes a command named ‘aex-dsecuredb’. This command creates decrypted copies of the securedb directory’s encrypted files.

Please note the following regarding the aex-dsecuredb command:

  • This command does not decrypt password, certificate or other highly sensitive data.  This type of data stays encrypted. 
  • The command can be run with or without command line parameters.
  • Running this command without a command line parameter does NOT require the troubleshooting password and only decrypts a limited set of securedb data.
  • Running this command with the “-high” command line parameter will prompt for the troubleshooting password. After successfully entering the troubleshooting password, the utility will decrypt a complete set of securedb data.  
  • Sudo or root privileges are required for running the command with the “-high” option.
  • The troubleshooting password prompt, “Enter superuser password” (“-high” option only), is prompting for the troubleshooting password set in the NS console. It is NOT prompting for the local root or admin password of the computer.  Any other references to the superuser password when using this utility refer to the troubleshooting password. 
  • If the client has not yet been updated with the troubleshooting password and the “-high” parameter is entered, the command will return, “Unable to verify superuser password, call ‘aex-refreshpolicies’”.
  • A soft link to the command should be in the /usr/bin directory so it can be run from anywhere. The actual path to the utility is: /opt/altiris/notification/nsagent/bin/aex-dsecuredb

  

Limited mode:

This mode does not prompt for the troubleshooting password. Running this command without any command line parameters results in the decryption of a very limited set of directories and files.

Example:

$ sudo aex-dsecuredb
Decrypted files will be located in /opt/altiris/notification/nsagent/var/securedb.decrypted
Finished successfully

The resulting directory tree is something like:

   |-ctagent
   |---cache
   |-nsagent
   |---enrollment

  

High Mode:  

This mode requires elevated privileges and prompts for the troubleshooting password. After successfully entering the troubleshooting password when prompted, this mode creates a complete set of decrypted files.

$ sudo aex-dsecuredb -high

Enter superuser password:
Decrypted files will be located in /opt/altiris/notification/nsagent/var/securedb.decrypted
Finished successfully 

The resulting directory tree is something like the following. Note that all securedb directories have been decrypted.

   |-ctagent
   |---cache
   |-nsagent
   |---credentials
   |---enrollment
   |---keys
   |---packages
   |-----17872B48-9792-4C23-9783-D9BFDE505FC3
   |-----7B64672D-FD64-466A-8E0A-4C3423E8802A
   |-----9A75B4D8-1357-43E1-9949-B870047CB1C4
   |---policies
   |-----data
   |-------225067FA-37B3-4B3A-AF01-A9C37BB553D6
   |-------24C34958-27A3-4D74-8822-C0964EB47115
   |-------8918C4B8-F6D0-45C3-BCB9-4628D264DA20

 

 

Codebase files:

Codebase files contain the package download locations for each package available to a given client. Knowing the download location is helpful for troubleshooting software installation and other issues.

In previous versions, the codebase file was available in the /opt/altiris/notification/nsagent/var/packages/<package guid>/.aex-pkg-codebase-<package guid> file.

In 7.5, the codebase files are available in the following directory after decrypting them with the troubleshooting password:

/opt/altiris/notification/nsagent/var/securedb.decrypted/nsagent/packages/<package guid>/package.xml

 

Policy XML files:

Policy files contain information regarding each policy assigned to a given client, including (depending on the policy type) the policy name, execution priorities, applicable platforms and other criteria unique to each policy type.

After decrypting the securedb with the “-high” parameter, the decrypted policies are available in:

            /opt/altiris/notification/nsagent/var/securedb.decrypted/nsagent/policies/data/<policy guid>/<identifier>
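
The following is an added example, not part of the original article or the vendor's tooling. It inspects a securedb.decrypted tree, reports whether it looks like limited or “-high” output based on the directories shown above, and prints the codebase and policy locations. The function names are hypothetical; only the paths and directory names come from this article.

```shell
#!/bin/sh
# Added example, not vendor code: summarise an aex-dsecuredb output tree.
ROOT_DEFAULT=/opt/altiris/notification/nsagent/var/securedb.decrypted

# Print "none", "limited" or "high" for the tree at $1.
# Limited mode yields only ctagent/cache and nsagent/enrollment; -high adds
# credentials, keys, packages and policies under nsagent (per the article).
decrypt_mode() {
    root=${1:-$ROOT_DEFAULT}
    [ -d "$root" ] || { echo none; return 0; }
    for d in credentials keys packages policies; do
        if [ -d "$root/nsagent/$d" ]; then echo high; return 0; fi
    done
    echo limited
}

# Print the decrypted codebase file of every package GUID directory.
list_codebase_files() {
    root=${1:-$ROOT_DEFAULT}
    for f in "$root"/nsagent/packages/*/package.xml; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Print every policy GUID directory under policies/data.
list_policy_dirs() {
    root=${1:-$ROOT_DEFAULT}
    for p in "$root"/nsagent/policies/data/*/; do
        if [ -d "$p" ]; then echo "${p%/}"; fi
    done
}

# Summary for the root in $1 (default: the path from the article).
report() {
    echo "mode: $(decrypt_mode "$1")"
    echo "codebase files:"; list_codebase_files "$1"
    echo "policy directories:"; list_policy_dirs "$1"
}

report "$@"
```

Run it with sudo if the decrypted directory is not readable by your account; pass an alternate root as the first argument to inspect a copy of the tree.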
