Manual key exchange

If an agent has no certificate and the only relay it can reach is an authenticating relay (for example, an internet-facing relay), run the following command on the agent so that it performs the key exchange with that relay:

BESClient -register [<password>] http://<relay>:52311

The client sends the password as part of its key exchange; the authenticating relay verifies it before forwarding the key exchange to its parent.

If you omit the password, the client prompts for it interactively, which also keeps it out of the shell history and the process list. On Windows systems, run the command with the cmd /c prefix.

Alternatively, set the client setting _BESClient_SecureRegistration to the password required for manual registration to the authenticating relay. The client reads this setting only at startup, so it must be in place before the client starts. You can specify the relay in the clientsettings.cfg configuration file. For more information about this configuration file, see Windows Clients.

You can configure the password on the relay as:
  • A single password in the client setting _BESRelay_Comm_KeyExchangePassword on the relay.
  • A newline-delimited list of one-time passwords stored in a file named KeyExchangePasswords in the relay storage directory (value StoragePath of HKEY\SOFTWARE\WOW6432Node\BigFix\Enterprise Server\GlobalOptions).
Note: Passwords must contain only ASCII characters; a password containing non-ASCII characters is not accepted.
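The following POSIX shell helpers are an added example, not part of the BigFix documentation or product: they generate a KeyExchangePasswords file of random one-time passwords for the relay, check that a password file or a single password is ASCII-only (the check the relay enforces), and write a clientsettings.cfg that points a client at the relay and supplies _BESClient_SecureRegistration. Assumptions not stated on this page: the storage directory and the clientsettings.cfg path are passed in by the caller, the 24-character alphanumeric password format is a choice made here, and the __RelayServer1 URL form follows BigFix's usual relay setting.

```shell
#!/bin/sh
# Added example (not BigFix code). Requires a POSIX sh with tr, head, wc and
# /dev/urandom. Paths are supplied by the caller; nothing here guesses the
# relay's StoragePath.

# non_ascii_bytes: read stdin and print how many bytes fall outside 7-bit
# ASCII. The relay accepts ASCII passwords only, so this must print 0.
non_ascii_bytes() {
  LC_ALL=C tr -d '\000-\177' | wc -c | tr -d ' '
}

# gen_otp_file FILE COUNT: write COUNT random 24-character one-time passwords
# (A-Z, a-z, 0-9 only, hence always ASCII), one per line, owner-readable only.
# Point FILE at <StoragePath>/KeyExchangePasswords on the relay.
gen_otp_file() {
  file="$1"; count="$2"
  : > "$file"
  chmod 600 "$file"
  i=0
  while [ "$i" -lt "$count" ]; do
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24 >> "$file"
    printf '\n' >> "$file"
    i=$((i + 1))
  done
}

# otp_count FILE: number of one-time passwords (lines) in FILE.
otp_count() {
  wc -l < "$1" | tr -d ' '
}

# write_clientsettings FILE RELAY PASSWORD: write a clientsettings.cfg that
# names the relay and sets _BESClient_SecureRegistration to PASSWORD.
# Refuses a non-ASCII password and leaves no file behind in that case.
# The __RelayServer1 line is an assumption about the usual relay setting.
write_clientsettings() {
  file="$1"; relay="$2"; pw="$3"
  if [ "$(printf '%s' "$pw" | non_ascii_bytes)" != 0 ]; then
    echo "registration password must be ASCII only" >&2
    return 1
  fi
  {
    printf '__RelayServer1=http://%s:52311/bfmirror/downloads/\n' "$relay"
    printf '_BESClient_SecureRegistration=%s\n' "$pw"
  } > "$file"
  chmod 600 "$file"
}

# Usage (relay side):
#   gen_otp_file /path/to/StoragePath/KeyExchangePasswords 20
#   [ "$(non_ascii_bytes < /path/to/StoragePath/KeyExchangePasswords)" = 0 ]
# Usage (client side, before the client's first start):
#   write_clientsettings /path/to/clientsettings.cfg relay.example.com 'one-time-password'
```

Because the client reads _BESClient_SecureRegistration only at startup, write the clientsettings.cfg before the client starts for the first time; hand out one password per agent from the generated file rather than sharing a single _BESRelay_Comm_KeyExchangePassword across many agents.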