Running the BigFix Administration Tool

The installation script install.sh automatically downloads the IBM BigFix Administration Tool bash shell script, BESAdmin.sh, into the /opt/BESServer/bin directory. With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the user content in the database, rotate the server private key, configure the Console and Web Reports login, resign the database content, and synchronize the masthead with the updated license.

Run this script as the superuser from the command prompt using the following syntax:
./BESAdmin.sh -service {arguments}
where service is one of the following:
changeprivatekeypassword
editmasthead
findinvalidsignatures
importlicense
minimumSupportedClient
minimumSupportedRelay
repair
reportencryption
resignsecuritydata
rotateserversigningkey
securitysettings
setadvancedoptions
setproxy
syncmastheadandlicense
updatepassword
Note: The notation <path+license.pvk> used in the command syntax displayed across this topic stands for path_to_license_file/license.pvk.
Each service has the following arguments:
changeprivatekeypassword
You can use this service to be prompted for a new password to associate with the license.pvk file. Use the following syntax to run the command:
./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
editmasthead
You can edit the masthead file by specifying the following parameters:
advGatherSchedule (optional, integer)
 values:
    0=Fifteen Minutes,
    1=Half Hour,
    2=Hour,
    3=Eight Hours,
    4=Half day,
    5=Day,
    6=Two Days,
    7=Week,
    8=Two Weeks,
    9=Month,
    10=Two Months
advController (optional, integer)
 values:
    0=console,
    1=client,
    2=nobody
advInitialLockState (optional, integer)
 values:
    0=Locked,
    1=timed (specify duration),
    2=Unlocked
advInitialLockDuration (optional, integer)
 values:
    (duration in seconds)
advActionLockExemptionURL (optional, string)

advRequireFIPScompliantCrypto (optional, boolean)
The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ][ -display ] 
[ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ]
[ -advInitialLockState=<0|2> | -advInitialLockState=1 
-advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ]
[ -advRequireFIPScompliantCrypto=<true|false> ]
For additional information, see Editing the Masthead on Linux systems.
findinvalidsignatures
You can check the signatures of the objects in the database by specifying the following parameters:
-list (optional)
Lists all invalid signatures that BESAdmin finds.
-resignInvalidSignatures (optional)
Attempts to resign any invalid signatures that BESAdmin finds.
-deleteInvalidlySignedContent (optional)
Deletes contents with invalid signatures.
For additional information about invalid signatures see http://www-01.ibm.com/support/docview.wss?uid=swg21587965. The syntax to run this service is:
./BESAdmin.sh -findinvalidsignatures 
[ -list | -resignInvalidSignatures | -deleteInvalidlySignedContent ]
importlicense
You can use this service to import an updated license. This service allows you to update the license manually in isolated IBM Endpoint Manager environments.
./BESAdmin.sh -importlicense -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ] -licenselocation=<path+license.crt>
The license.crt file contains the updated license to import.
minimumSupportedClient
This service defines the minimum version of the BigFix Agents used in your BigFix environment.
Note: Based on this setting, the BigFix components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations imposed by this setting.
The currently allowed values are:
  • 0.0 which means that no activity issued by BigFix Agents earlier than V9.0, such as archive file and report uploads, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
  • 9.0 which means that:
    • Unsigned reports, such as the reports sent by BigFix Clients earlier than V9.0, are discarded by FillDB.
    • The upload of an unsigned archive file generated on a BigFix Client earlier than V9.0, by an archive now command for example, fails.
If you ran a fresh installation of BigFix V9.2.11 or later, the minimumSupportedClient service is not set, so the BigFix Server can accept archive files and report uploads from all the Agents, regardless of their version.

The current value <VALUE> assigned in your environment to the minimumSupportedClient service is displayed in the line x-bes-minimum-supported-client-level: <VALUE> of the masthead file.

The syntax to run this service is:
./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
    -minimumSupportedClient=<version>.<release>

If you omit [-sitePvkPassword=<password>], you are prompted to enter the password when BESAdmin.sh runs.

For example, if you want to state that Agents earlier than V9.0 are not supported in your BigFix environment, you can run the following command:
 ./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient=9.0
minimumSupportedRelay
You can use this service, added with BigFix V9.2.12, to enforce specific criteria on BigFix Agent registration requests. When this service is enabled, V9.2.12 Agents can continue to register with the V9.2.12 BigFix environment only if their registration requests are signed and sent across the Relay hierarchy using the HTTPS protocol.
Note: Based on this service, the BigFix components can decide when it is safe to enable newer functions across all the components in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations imposed by this setting.
The currently allowed values are:
  • 0.0.0 which means that the BigFix Server accepts and manages:
    • Signed and unsigned registration requests coming from BigFix Agents.
    • Registration requests delivered from BigFix Agents using the HTTP or the HTTPS protocols.
    This behavior applies by default when you upgrade from previous versions to BigFix V9.2.12 or later. In this case the minimumSupportedRelay service is not added automatically to your configuration during the upgrade.
  • 9.2.12 which means that:
    • The BigFix Server enforces that registration requests coming from BigFix Agents V9.2.12 or later must be properly signed.
    • The BigFix Server and the Relays V9.2.12 or later enforce the use of the HTTPS protocol when exchanging BigFix Agent registration data.
    These are side effects of enforcing this behavior:
    • BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
    • Because BigFix Relays with versions earlier than V9.2.12 cannot handle correctly signed registration requests, any BigFix Client using those Relays could be prevented from continuing to register, or could fall back to a different parent Relay or directly to the Server.

If you ran a fresh installation of BigFix V9.2.12 or later using a License Authorization file, be aware that the side effects listed above apply to your BigFix deployment because, in this particular installation scenario, the minimumSupportedRelay service is automatically set to 9.2.12 by default.

The current value <VALUE> assigned in your environment to the minimumSupportedRelay service is displayed in the line x-bes-minimum-supported-relay-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with 
"x-bes-minimum-supported-relay-level:" ) of masthead of site "actionsite"
This query displays a value only when <VALUE> is set to 9.2.12; if it is set to 0.0.0, it does not display a value.
The syntax to run this service is:
./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
    -minimumSupportedRelay=<version>.<release>.<modification>

If you omit [-sitePvkPassword=<password>], you are prompted to enter the password interactively when BESAdmin.sh runs.

For example, if you want your BigFix Server to manage only the registration requests that are signed and carried over HTTPS, you can run the following command:
./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumSupportedRelay=9.2.12
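The masthead lines named above for minimumSupportedClient and minimumSupportedRelay can be read directly from the actionsite masthead file when you have shell access to the server instead of the WebUI Query Application. The following script is an added example and is not part of the BigFix documentation or product: it is the shell counterpart of the relevance query shown above ("following text of last ': ' of line whose ..."), applied to both header lines, and it treats an absent line, or the 0.0 / 0.0.0 default, as "no enforcement", which is what the preceding paragraphs describe. The two masthead files it reads are constructed samples containing only the two header lines this page documents; a real actionsite.afxm carries many more headers.

```shell
#!/bin/sh
# Added example, not from the BigFix documentation: read the minimum supported
# client and relay levels from a masthead file and report what an unset value means.

# Constructed sample files in the style of an actionsite masthead (only the two
# header lines documented on this page are modelled).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
MASTHEAD_STRICT="$SAMPLE_DIR/actionsite.afxm"
MASTHEAD_DEFAULT="$SAMPLE_DIR/actionsite-upgraded.afxm"

cat > "$MASTHEAD_STRICT" <<'EOF'
MIME-Version: 1.0
x-bes-minimum-supported-client-level: 9.0
x-bes-minimum-supported-relay-level: 9.2.12
EOF

# Upgraded deployment where neither service was ever set: the lines are absent.
cat > "$MASTHEAD_DEFAULT" <<'EOF'
MIME-Version: 1.0
EOF

# masthead_level HEADER FILE
# Prints the text following the last ": " on the first line that starts with
# "HEADER:", or nothing when the header is absent (BigFix treats that as "not set").
masthead_level() {
    awk -v h="$1:" '$1 == h { sub(/^.*: /, ""); print; exit }' "$2"
}

# audit_masthead FILE
# Prints both levels with the operational meaning of an unset or default value;
# returns 0 when both services enforce something, 1 otherwise.
audit_masthead() {
    client=$(masthead_level x-bes-minimum-supported-client-level "$1")
    relay=$(masthead_level x-bes-minimum-supported-relay-level "$1")
    rc=0
    case "$client" in
        ""|0.0)
            echo "minimumSupportedClient: ${client:-not set} (unsigned uploads from pre-9.0 Agents accepted)"
            rc=1 ;;
        *)  echo "minimumSupportedClient: $client" ;;
    esac
    case "$relay" in
        ""|0.0.0)
            echo "minimumSupportedRelay: ${relay:-not set} (unsigned and HTTP registration requests accepted)"
            rc=1 ;;
        *)  echo "minimumSupportedRelay: $relay" ;;
    esac
    return $rc
}

audit_masthead "$MASTHEAD_STRICT"
audit_masthead "$MASTHEAD_DEFAULT" || true
```

On a real server, point audit_masthead at the actionsite masthead under /var/opt/BESServer (its exact location is not given on this page); the non-zero return value makes the check usable from a configuration-drift job.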
repair
You can use this command to handle an inconsistency between the keys stored in the database and those stored on the filesystem.
./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
If the ServerSigningKey and ClientCAKey keys do not exist, they are created under /var/opt/BESServer. This command also updates the site licenses.
reportencryption
You can generate, rotate, enable and disable encryption for report messaging by running:
BESAdmin.sh -reportencryption { -status |
  -generatekey [-privateKeySize=<min|max>] 
               [-deploynow=yes | -deploynow=no -outkeypath=<path>] 
               -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -rotatekey [-privateKeySize=<min|max> ] 
             [-deploynow=yes | -deploynow=no -outkeypath=<path> ] 
             -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -enablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -disablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] }
where:
status
Shows the status of the encryption and which arguments you can use in that status.
generatekey
Allows you to generate a new encryption key.
rotatekey
Allows you to change the encryption key.
enablekey
Allows you to enable the encryption key.
disablekey
Allows you to put the encryption key in the PENDING state. If you issue the reportencryption command with the disablekey argument again, the encryption changes from the PENDING state to DISABLED.
deploynow=yes
Deploys the report encryption key to the server for decryption.
deploynow=no -outkeypath=<path>
The encryption key is not deployed to the server but is saved in the path given by outkeypath.
For more information about this command and its behavior, see Managing Client Encryption.
resignsecuritydata
If you get one of the following errors when trying to log in to the BigFix console:
class SignedDataVerificationFailure
HTTP Error 18: An unknown error occurred while transferring data from the server
you must resign all of the user content in the database by entering the following command:
./BESAdmin.sh -resignsecuritydata
This command resigns the security data using the existing key file. You can also specify the following parameter:
-mastheadLocation=<path+actionsite.afxm>
The complete syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
rotateserversigningkey

You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key.

The syntax to run this service is:

./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ]
securitysettings
You can configure enhanced security options to follow the NIST security standards by running the command:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
{ -status | -enableEnhancedSecurity [-requireSHA256Downloads]
| -disableEnhancedSecurity | -requireSHA256Downloads
| -allowSHA1Downloads }
where:
status
Shows the status of the security settings set in your BigFix environment.
Example:
BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk
-sitePvkPassword=mypassw0rd -status

Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL
enableEnhancedSecurity | disableEnhancedSecurity
Enables or disables enhanced security, which adopts the SHA-256 cryptographic digest algorithm for all digital signatures and content verification, and the TLS 1.2 protocol for communications among the Endpoint Manager components.
Warning: If you use the enableEnhancedSecurity setting, you break backward compatibility because BigFix version 9.0 or earlier components cannot communicate with BigFix version 9.2 servers or relays. When you disable the enhanced security mode, the BESRootServer service fails to restart automatically. To solve the problem, restart the service manually.
requireSHA256Downloads
Ensures, using the SHA-256 algorithm, that data has not changed after you download it.
Note: The Require SHA-256 Downloads option is available only if you selected to Enable Enhanced Security.
allowSHA1Downloads
Ensures that the file download integrity check is run using the SHA-1 algorithm.
For more information about the BigFix Enhanced Security feature and the supported security configuration, see Security Configuration Scenarios.
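The -status output shown above is the quickest way to confirm that a server is actually running in the hardened configuration, and it is easy to turn into a scripted check. The following script is an added example, not code from the BigFix documentation or product: it parses status text in the two-line form printed on this page and reports a finding when enhanced security is anything other than ENABLED or when SHA-256 downloads are still OPTIONAL (meaning SHA-1 download integrity checks are still accepted). The sample status text is constructed from the output shown on this page; the run_security_status wrapper and the BESADMIN override variable are assumptions, and the wrapper deliberately omits -sitePvkPassword so that BESAdmin.sh prompts for it, as this page says it does, rather than placing the password in shell history and process listings.

```shell
#!/bin/sh
# Added example, not from the BigFix documentation: audit the output of
# "BESAdmin.sh -securitysettings ... -status".

# Constructed sample, copied from the status output shown on this page.
SAMPLE_STATUS='Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL'

# audit_security_status  (reads the status text on stdin)
# Prints one line per finding and returns the number of findings (0 = clean).
# Assumption: the two lines keep the wording shown on this page; the last word
# of each line is taken as its state.
audit_security_status() {
    text=$(cat)
    findings=0
    enhanced=$(printf '%s\n' "$text" | awk '/^Enhanced security is currently/ { print $NF }')
    sha256=$(printf '%s\n' "$text" | awk '/^SHA-256 downloads are currently/ { print $NF }')
    if [ "$enhanced" != "ENABLED" ]; then
        echo "FINDING: enhanced security is ${enhanced:-unknown}; SHA-256 signatures and TLS 1.2 are not enforced"
        findings=$((findings + 1))
    fi
    if [ -z "$sha256" ] || [ "$sha256" = "OPTIONAL" ]; then
        echo "FINDING: SHA-256 downloads are ${sha256:-unknown}; SHA-1 download integrity checks are still accepted"
        findings=$((findings + 1))
    fi
    return $findings
}

# run_security_status PVK_PATH
# Runs the real tool on a BigFix server. -sitePvkPassword is omitted on purpose so
# the tool prompts for it. BESADMIN is an assumed override; the documented default
# location of the script is /opt/BESServer/bin.
run_security_status() {
    "${BESADMIN:-/opt/BESServer/bin/BESAdmin.sh}" -securitysettings \
        -sitePvkLocation="$1" -status
}

if printf '%s\n' "$SAMPLE_STATUS" | audit_security_status; then
    echo "status: compliant"
else
    echo "status: $? finding(s)"
fi
```

On a server the two functions chain as `run_security_status /path/to/license.pvk | audit_security_status`; the sample status on this page yields one finding, because SHA-256 downloads are OPTIONAL rather than required.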
setadvancedoptions
You can list or configure any global settings that apply to your particular installation. For example, you can set the login banner displayed by the Console or Web Reports by entering the following command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk 
-sitePvkPassword=pippo000 -update loginWarningBanner='new message'
The complete syntax to run this service is:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]  
{ -list | -display 
| [ -f ] -delete option_name 
| [ -f ] -update option_name=option_value }

For a list of available options that you can set, see List of advanced options.

setproxy
If your enterprise uses a proxy to access the Internet, you must set a proxy connection so that the BigFix server can gather content from sites, carry out component-to-component communication, and download files.

For information about how to run the command and about the values to use for each argument, see Setting a proxy connection on the server.

syncmastheadandlicense
When you upgrade the product, you must use this option to synchronize the updated license with the masthead and resign all content in the database with SHA-256. The syntax to run this service is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> 
[-sitePvkPassword=<password>]
updatepassword

You can modify the password used for authentication by product components in specific configurations.

The syntax to run this service is:

./BESAdmin.sh -updatepassword -type=<server_db|dsa_db>
[-password=<password>] -sitePvkLocation=<path+license.pvk> 
[-sitePvkPassword=<pvk_password>]
where:
-type=server_db
Specify this value to update the password used by the server to authenticate with the database.
-type=dsa_db
Specify this value to update the password used in a DSA configuration by a server to authenticate with the database.
The -password and -sitePvkPassword arguments are optional; if they are not specified on the command line, their values are requested interactively at runtime. The password set by this command is obfuscated.