Editing the Masthead on Linux systems

To modify the masthead, run the following command as super user.

./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
[ -display ] [ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ]
[ -advInitialLockState=<0|2> | -advInitialLockState=1 -advInitialLockDuration=<num> ]
[ -advActionLockExemptionURL=<url> ] [ -advRequireFIPScompliantCrypto=<true|false> ]
[ -advEnableFallbackRelay=0 | -advEnableFallbackRelay=1 
-advFallbackRelay=<host> ]

where:

-sitePvkLocation=<path+license.pvk>

Specifies the private key file (filename.pvk). This private key file and its password are required to run the Administration Tool. Only users with access to the site level signing key and password are able to create new BigFix operators.

Note: The notation <path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.

-sitePvkPassword=<password>

Specifies the password associated to the private key file (filename.pvk). This setting is optional, if you omit it you will be asked to specify the password interactively when the command runs.

-display

Displays the current settings for the masthead.

-advGatherSchedule (optional, integer)

Determines how long the clients wait without hearing from the server before they check whether new content is available. In general, whenever the server gathers new content, it attempts to notify the clients that the new content is available through a UDP connection, circumventing this delay. However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the client from the servers perspective, a smaller interval becomes necessary to get a timely response from the clients. Higher gathering rates only slightly affect the performance of the Server, because only the differences are gathered; a client does not gather information that it already has. Valid values are:

    0=Fifteen Minutes, 
    1=Half Hour, 2=Hour, 
    3=Eight Hours, 
    4=Half day, 
    5=Day, 
    6=Two Days, 
    7=Week, 
    8=Two Weeks, 
    9=Month, 
    10=Two Months

-advController (optional, integer)

Determines who can change the action lock state. The default is Console, which allows any Console operator with management rights to change the lock state of any client in the network. If you want to delegate control over locking to the user, you can select Client, but this is not recommended. Valid values are:

0=console, 
1=client, 
2=nobody

-advInitialLockState (optional, integer)

Specifies the initial lock state of all clients. Locked clients report which Fixlet messages are relevant for them, but do not apply any actions. The default is to leave them unlocked and to lock specific clients later on. However, you might want to start with the clients locked and then unlock them on an individual basis to give you more control over newly-installed clients. Alternatively, you can set them to be locked for a certain period of time. Valid values are:

0=Locked, 
1=timed (specify duration), 
2=Unlocked

-advInitialLockDuration (optional, integer)

Defines the period of time in seconds the clients must be locked.

-advActionLockExemptionURL (optional, string)

In rare cases, you might need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL.

Note: You can specify only one site URL and it must begin with http://.

-advRequireFIPScompliantCrypto (optional, boolean)

Implements the Federal Information Processing Standard on your network. This changes the masthead so that every BigFix component attempts to go into FIPS mode. By default, the client continues in non-FIPS mode if it fails to correctly enter FIPS, which might be a problem with certain legacy operating systems. Be aware that checking this box can add a few seconds to the client startup time.

Note: Enabling FIPS mode prevents the use of some authentication methods when connecting to a proxy. If you selected to use a proxy to access the Internet or to communicate with BigFix subcomponents, ensure that the proxy configuration is set up to use an authentication method other than digest, negotiate or ntlm.

-advEnableFallbackRelay (optional,boolean)

Enables or disables a fallback relay for your clients when they do not connect to any relay specified in their settings. If you do not define a fallback relay, the root server of your environment is used.

-advFallbackRelay (optional, string)

Defines the host name of the fallback relay of your environment in one of the following formats:

Hostname. For example, myhostname.
Fully qualified domain name (FQDN). For example, myhostname.mydomain.com.
IP address. For example, 10.10.10.10.

Note: Before specifying a fallback relay, ensure that any client or relay reporting directly to the root server has the root server defined as a relay. This setting will not prevent endpoints from selecting the root server. Set _BESRelay_Register_Affiliation_AdvertisementList on the BES Root Server to a group name that will not be set on any clients, such as DoNotSelectMe.