Running the BigFix Administration Tool
The installation script install.sh automatically installs the IBM BigFix Administration Tool bash shell script, BESAdmin.sh, in the /opt/BESServer/bin directory.
With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the user content in the database, rotate the server private key, configure the Console and Web Reports login, and synchronize the masthead with the updated license.
./BESAdmin.sh -service { arguments }

where service can be one of the following:

changeprivatekeypassword
editmasthead
findinvalidsignatures
importlicense
minimumSupportedClient
minimumSupportedRelay
repair
reportencryption
resignsecuritydata
rotateserversigningkey
securitysettings
setadvancedoptions
setproxy
syncmastheadandlicense
updatepassword

<path+license.pvk> used in the command syntax displayed across this topic stands for path_to_license_file/license.pvk.

Every service that accepts -sitePvkPassword=<password> takes the password on the command line, where it is visible in the process list and in the shell history. Unless the command runs unattended, omit the parameter and enter the password at the interactive prompt instead.

arguments:
- changeprivatekeypassword
- You can use this service to be prompted for a new password to associate with the license.pvk file. Use the following syntax to run the command:
./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- editmasthead
- You can edit the masthead file by specifying the following parameters:
advGatherSchedule (optional, integer) values: 0=Fifteen Minutes, 1=Half Hour, 2=Hour, 3=Eight Hours, 4=Half day, 5=Day, 6=Two Days, 7=Week, 8=Two Weeks, 9=Month, 10=Two Months
advController (optional, integer) values: 0=console, 1=client, 2=nobody
advInitialLockState (optional, integer) values: 0=Locked, 1=timed (specify duration), 2=Unlocked
advInitialLockDuration (optional, integer) values: duration in seconds
advActionLockExemptionURL (optional, string)
advRequireFIPScompliantCrypto (optional, boolean)
The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] [ -display ] [ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ] [ -advInitialLockState=<0|2> | -advInitialLockState=1 -advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ] [ -advRequireFIPScompliantCrypto=<true|false> ]
For additional information, see Editing the Masthead on Linux systems.
- findinvalidsignatures
- You can check the signatures of the objects in the database by specifying the following parameters:
- -list (optional)
- Lists all invalid signatures that BESAdmin finds.
- -resignInvalidSignatures (optional)
- Attempts to resign any invalid signatures that BESAdmin finds.
- -deleteInvalidlySignedContent (optional)
- Deletes content with invalid signatures.
./BESAdmin.sh -findinvalidsignatures [ -list | -resignInvalidSignatures | -deleteInvalidlySignedContent ]
Run the service with -list first and review the reported objects before choosing -resignInvalidSignatures or -deleteInvalidlySignedContent: resigning makes content that failed verification trusted again, and deleted content cannot be recovered without a database backup.
- importlicense
- You can use this service to import an updated license. This service allows you to update the license manually in isolated IBM Endpoint Manager environments.
./BESAdmin.sh -importlicense -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -licenselocation=<path+license.crt>
The license.crt file contains the updated license to import.
- minimumSupportedClient
- This service defines the minimum version of the BigFix Agents used in your BigFix environment. Note: Based on this setting, the BigFix components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations imposed by this setting.
The currently allowed values are:
- 0.0 which means that no activity issued by BigFix Agents earlier than V9.0, such as archive files and report uploads, is prevented from running or limited. This behavior applies also if the minimumSupportedClient service is not set.
- 9.0 which means that:
- Unsigned reports, such as the reports sent by BigFix Clients earlier than V9.0, are discarded by FillDB.
- The upload of an unsigned archive file generated on a BigFix Client earlier than V9.0, by an archive now command for example, fails.
By default the minimumSupportedClient service is not set, and so the BigFix Server can accept archive files and report uploads from all the Agents, regardless of their version.
The current value <VALUE> assigned in your environment to the minimumSupportedClient service is displayed in the line x-bes-minimum-supported-client-level: <VALUE> of the masthead file.
The syntax to run this service is:
./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -minimumSupportedClient=<version>.<release>
If you omit [ -sitePvkPassword=<password> ] you are prompted to enter the password when BESAdmin.sh runs. For example, if you want to state that Agents earlier than V9.0 are not supported in your BigFix environment, you can run the following command:
./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient=9.0
- minimumSupportedRelay
- You can use this service, added with BigFix V9.2.12, to enforce specific criteria affecting the BigFix Agent registration requests. If this service is enabled appropriately, V9.2.12 Agents can continue to register to the V9.2.12 BigFix environment if their registration requests are signed and sent across the Relay hierarchy using the HTTPS protocol. Note: Based on this service, the BigFix components can decide when it is safe to enable newer functions across all the components in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations imposed by this setting.
The currently allowed values are:
- 0.0.0 which means that the BigFix Server accepts and manages:
- Signed and unsigned registration requests coming from BigFix Agents.
- Registration requests delivered from BigFix Agents using the HTTP or the HTTPS protocol.
This is the value in effect after an upgrade, because the minimumSupportedRelay service is not added automatically to your configuration during the upgrade.
- 9.2.12 which means that:
- The BigFix Server enforces that registration requests coming from BigFix Agents V9.2.12 or later must be properly signed.
- The BigFix Server and the Relays V9.2.12 or later enforce the use of the HTTPS protocol when exchanging BigFix Agent registration data.
- BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
- Because BigFix Relays with versions earlier than V9.2.12 cannot correctly handle signed registration requests, any BigFix Client using those Relays could be prevented from continuing to register, or could fall back to a different parent Relay or directly to the Server.
If you ran a fresh installation of BigFix V9.2.12 or later using a License Authorization file, be aware that the side effects listed above apply to your BigFix deployment because, in this particular installation scenario, the minimumSupportedRelay service is automatically set to 9.2.12 by default. Before you set 9.2.12 yourself, upgrade every Relay in the hierarchy to V9.2.12 or later; otherwise the Clients behind older Relays are affected as described above.
The current value <VALUE> assigned in your environment to the minimumSupportedRelay service is displayed in the line x-bes-minimum-supported-relay-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-relay-level:") of masthead of site "actionsite"
This query displays a value only when <VALUE> is set to 9.2.12; if it is set to 0.0.0, it does not display a value.
The syntax to run this service is:
./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -minimumSupportedRelay=<version>.<release>.<modification>
If you omit [ -sitePvkPassword=<password> ] you are prompted to enter the password interactively when BESAdmin.sh runs. For example, if you want only the registration requests that are signed and carried through HTTPS to be managed by your BigFix Server, you can run the following command:
./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumSupportedRelay=9.2.12
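The two masthead header lines named above (x-bes-minimum-supported-client-level and x-bes-minimum-supported-relay-level) can be checked from a shell on the server as well as from the WebUI query. The following script is an added example, not part of the BigFix documentation or product. It assumes that the masthead stores these settings as plain "name: value" header lines at the top of the file, which is what the Relevance query above relies on; the sample masthead it reads is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the BigFix documentation or product: read the
# x-bes-minimum-supported-client-level and x-bes-minimum-supported-relay-level
# header lines from a masthead file and report them the way the
# minimumSupportedClient and minimumSupportedRelay services interpret them.
# Assumption: the masthead stores these settings as plain "name: value" header
# lines, which is what the Relevance query in the text relies on. The sample
# masthead below is constructed for the example.

# Print the value of header KEY in masthead FILE, or nothing if the line is absent.
masthead_level() {
    key=$1
    file=$2
    sed -n "s/^${key}: *//p" "$file" | head -n 1
}

# Report the effective setting: an absent line, 0.0 or 0.0.0 all mean "not set",
# i.e. the server accepts traffic from every Agent version.
effective_level() {
    value=$(masthead_level "$1" "$2")
    case "$value" in
        ""|0.0|0.0.0) echo "not set" ;;
        *) echo "$value" ;;
    esac
}

# Exit 0 only when both minimum levels are enforced, for use as a compliance check.
levels_enforced() {
    [ "$(effective_level x-bes-minimum-supported-client-level "$1")" != "not set" ] &&
    [ "$(effective_level x-bes-minimum-supported-relay-level "$1")" != "not set" ]
}

# Constructed sample: client level enforced at 9.0, relay level left at the
# upgrade default 0.0.0.
SAMPLE_MASTHEAD=$(mktemp)
trap 'rm -f "$SAMPLE_MASTHEAD"' EXIT
cat > "$SAMPLE_MASTHEAD" <<'EOF'
MIME-Version: 1.0
x-bes-minimum-supported-client-level: 9.0
x-bes-minimum-supported-relay-level: 0.0.0
EOF

# Pass the path of the real actionsite.afxm as the first argument on a BigFix
# server; without an argument the constructed sample is used.
MASTHEAD=${1:-$SAMPLE_MASTHEAD}
for key in x-bes-minimum-supported-client-level x-bes-minimum-supported-relay-level; do
    echo "$key: $(effective_level "$key" "$MASTHEAD")"
done
if levels_enforced "$MASTHEAD"; then
    echo "both minimum levels enforced"
else
    echo "at least one minimum level is not set"
fi
```

Unlike the WebUI query, which prints nothing when the relay level is 0.0.0, the script reports "not set" explicitly so that the output of a scheduled check is unambiguous.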
- repair
- You can use this command to handle an inconsistency between the keys stored in the database and those stored on the filesystem.
./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
If the ServerSigningKey and ClientCAKey keys do not exist, they are created under /var/opt/BESServer. This command also updates the licenses of sites.
- reportencryption
- You can generate, rotate, enable and disable encryption for report messaging by running:
BESAdmin.sh -reportencryption { -status | -generatekey [ -privateKeySize=<min|max> ] [ -deploynow=yes | -deploynow=no -outkeypath=<path> ] -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] | -rotatekey [ -privateKeySize=<min|max> ] [ -deploynow=yes | -deploynow=no -outkeypath=<path> ] -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] | -enablekey -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] | -disablekey -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] }
where:
- status
- Shows the status of the encryption and which arguments you can use for that status.
- generatekey
- Allows you to generate a new encryption key.
- rotatekey
- Allows you to change the encryption key.
- enablekey
- Allows you to enable the encryption key.
- disablekey
- Allows you to put the encryption key in PENDING state. If you issue the reportencryption command with the disablekey argument again, the encryption changes from PENDING state to DISABLED.
- deploynow=yes
- Deploys the report encryption key to the server for decryption.
- deploynow=no -outkeypath=<path>
- The encryption key is not deployed to the server but is saved in the outkeypath path. Because this key decrypts the encrypted client reports, restrict access to the saved file until it is deployed.
- resignsecuritydata
- You must resign all of the user content in the database by entering the following command if you get one of the following errors when trying to log in to the BigFix console:
class SignedDataVerificationFailure
HTTP Error 18: An unknown error occurred while transferring data from the server
./BESAdmin.sh -resignsecuritydata
This command resigns security data using the existing key file. You can also specify the following parameter:
-mastheadLocation=<path+actionsite.afxm>
The complete syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
- rotateserversigningkey
- You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key.
The syntax to run this service is:
./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- securitysettings
- You can configure enhanced security options to follow the NIST security standards by running the command:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] { -status | -enableEnhancedSecurity [ -requireSHA256Downloads ] | -disableEnhancedSecurity | -requireSHA256Downloads | -allowSHA1Downloads }
where:
- status
- Shows the status of the security settings set in your BigFix environment. Example:
BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=mypassw0rd -status
Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL
- enableEnhancedSecurity | disableEnhancedSecurity
- Enables or disables the enhanced security that adopts the SHA-256 cryptographic digest algorithm for all digital signatures as well as content verification, and the TLS 1.2 protocol for communications among the Endpoint Manager components. Warning: If you use the enableEnhancedSecurity setting you break backward compatibility, because BigFix version 9.0 or earlier components cannot communicate with the BigFix version 9.2 server or relays. When you disable the enhanced security mode, the BESRootServer service fails to restart automatically. To solve the problem, restart the service manually.
- requireSHA256Downloads
- Ensures that data has not changed after you download it, using the SHA-256 algorithm for the integrity check. Note: The Require SHA-256 Downloads option is available only if you selected Enable Enhanced Security.
- allowSHA1Downloads
- Allows the file download integrity check to be run using the SHA-1 algorithm (the state that -status reports as SHA-256 downloads OPTIONAL). Because SHA-1 is no longer collision resistant, keep this setting only while components that cannot verify SHA-256 remain in the deployment.
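The -status output shown above is what a periodic hardening check would parse. The following script is an added example, not part of the BigFix documentation or product: it evaluates that output, decides whether the deployment is in the enhanced-security, SHA-256-required state, and prints the securitysettings arguments that would get it there. It assumes the two status lines have the form shown in the example above; ENABLED and OPTIONAL are the state words the page shows, while DISABLED and REQUIRED in the constructed samples are assumed words for the other states (the check itself only tests for ENABLED and OPTIONAL).

```shell
#!/bin/sh
# Added example, not part of the BigFix documentation or product: a compliance
# check over the output of "BESAdmin.sh -securitysettings ... -status".
# Assumptions: the output carries the two lines shown in the documentation
# example ("Enhanced security is currently <STATE>" and "SHA-256 downloads are
# currently <STATE>"); ENABLED and OPTIONAL are state words the page shows,
# DISABLED and REQUIRED below are assumed. The status texts are constructed.

# Print the state word from the first line of TEXT that starts with PREFIX.
state_of() {
    prefix=$1
    printf '%s\n' "$2" | sed -n "s/^${prefix}.*currently //p" | head -n 1
}

enhanced_security_state() { state_of "Enhanced security is" "$1"; }
sha256_downloads_state()  { state_of "SHA-256 downloads are" "$1"; }

# Exit 0 only when enhanced security is ENABLED and SHA-256 downloads are not
# merely OPTIONAL. A missing line counts as non-compliant.
status_compliant() {
    es=$(enhanced_security_state "$1")
    sha=$(sha256_downloads_state "$1")
    [ "$es" = "ENABLED" ] && [ -n "$sha" ] && [ "$sha" != "OPTIONAL" ]
}

# Print the securitysettings arguments that would bring TEXT into compliance.
# requireSHA256Downloads needs enhanced security, so when that is off the two
# are combined in one call, as the documented syntax allows.
remediation() {
    es=$(enhanced_security_state "$1")
    sha=$(sha256_downloads_state "$1")
    if [ "$es" != "ENABLED" ]; then
        echo "-enableEnhancedSecurity -requireSHA256Downloads"
    elif [ -z "$sha" ] || [ "$sha" = "OPTIONAL" ]; then
        echo "-requireSHA256Downloads"
    fi
}

# Check a status text and print the remediation when needed.
report() {
    if status_compliant "$1"; then
        echo "compliant"
    else
        echo "NOT compliant; run: ./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> $(remediation "$1")"
    fi
}

# Constructed status outputs (the first matches the documentation example).
STATUS_WEAK='Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL'
STATUS_OFF='Enhanced security is currently DISABLED
SHA-256 downloads are currently OPTIONAL'
STATUS_STRONG='Enhanced security is currently ENABLED
SHA-256 downloads are currently REQUIRED'

for s in "$STATUS_WEAK" "$STATUS_OFF" "$STATUS_STRONG"; do report "$s"; done
```

On a live server, capture the output of ./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -status into a variable (omit -sitePvkPassword and answer the prompt) and pass it to report. The check deliberately treats a missing SHA-256 line as non-compliant rather than assuming a default, so a changed output format fails loudly instead of passing silently.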
- setadvancedoptions
- You can list or configure any global settings that apply to your particular installation. For example, you can set your Console or Web Reports login banner to be displayed by entering the following command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
The complete syntax to run this service is:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] { -list | -display | [ -f ] -delete option_name | [ -f ] -update option_name=option_value }
For a list of available options that you can set, see List of advanced options.
- setproxy
- If your enterprise uses a proxy to access the Internet, you must
set a proxy connection to enable the BigFix server
to gather content from sites as well as to do component-to-component
communication or to download files.
For information about how to run the command and about the values to use for each argument, see Setting a proxy connection on the server.
- syncmastheadandlicense
- When you upgrade the product you must use this option to synchronize the updated license with the masthead and resign all content in the database with SHA-256. The syntax to run this service is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- updatepassword
- You can modify the password used for authentication by product components in specific configurations.
The syntax to run this service is:
./BESAdmin.sh -updatepassword -type=<server_db|dsa_db> [ -password=<password> ] -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<pvk_password> ]
where:
- -type=server_db
- Specify this value to update the password used by the server to authenticate with the database.
- -type=dsa_db
- Specify this value to update the password used in a DSA configuration by a server to authenticate with the database.
-password and -sitePvkPassword are optional; if they are not specified in the command syntax, their values are requested interactively at runtime. The password set by this command is stored obfuscated, not encrypted: the server must recover it to authenticate with the database, so protect the configuration that holds it with filesystem permissions.