Step 2 - Requesting a license certificate and creating the masthead

Before you perform the steps below, you must have purchased a license and obtained a BigFix license authorization file (*.BESLicenseAuthorization) using your License Key Center account or, in the case of a Proof-of-Concept evaluation, that was provided to you by your HCL Technical Sales Representative.

When you have your license authorization file, you are ready to request a license certificate and then create a personalized site masthead that, in turn, allows you to install and use BigFix. The masthead includes URLs for the Server CGI programs and other site information in a signed MIME file. The masthead is central to accessing and authenticating your action site. To create the masthead and activate your site, follow these steps:

  1. Run the BigFix installer BigFix-BES-9.5.xxxx.exe, where 9.5.xxxx is the version of the installer). When prompted, choose Production installation and accept the Software License Agreement. On the welcome screen, click Next.
    Note: If you choose the Evaluation installation, consider that this type of installation does not support the enhanced security option. For more information about this feature, see Security Configuration Scenarios.
  2. After reading and accepting the License Agreement, select I want to install with an BigFix license authorization file, to create your Private Key and Masthead.
    Select the first option: I want to install with a BigFix license authorization file
  3. Enter the location of your license authorization file, which has a name like CompanyName.BESLicenseAuthorization
    Enter the location of the license authorization file
  4. Specify a DNS name or IP address for your BigFix server and click Next. The name that you enter in this field is recorded in the license and used by clients to identify the BigFix server.
    Note: Enter a DNS name, such as, because of its flexibility when changing server computers and doing advanced network configurations. This name is recorded into your license certificate and is used by clients to identify the BigFix server. After your license certificate is created, the DNS name cannot be changed. To change the DNS name, you must request a new license certificate, which requires a completely new installation.
  5. Type a site credential password to allow you to create a site admin key for your deployment. Type your password twice (for verification), and specify a key size (from 2K to 4K bits) for encrypting the private key file. Make a backup copy of this password and store it in a secure location. Click Create.
    Enter the password to create a site admin key
    In this way you generate a private/public key pair used to create and authorize all the BigFix users.
  6. Save your private key (license.pvk) file from the Browse for Folder dialog in a folder with secure permissions or on a removable drive, such as a PGPDisk or a USB drive. Click OK.
    Important: If you lose the private key file or the site credential password, a new license certificate needs to be created which requires a completely new installation. In addition, anyone with the private key file and password have full control over all computers with the BigFix clients installed, so ensure that you keep the private key file and password secured.
  7. You are requested to send the request file to HCL for license verification. If you have internet connectivity, choose the option to submit your request over the internet. In this case, a request file is sent to HCL for license verification. This request consists of your original authorization file, your server DNS name and your public key, all packaged into a single file.
    Displays the two options to submit the request to HCL
  8. If you select to submit the request over the Internet and your enterprise uses a proxy to access the Internet, click Set Proxy. The Proxy Settings panel opens. In this panel you can configure the proxy connection.
    Displays the settings to configure the proxy connection
  9. Specify:
    • The hostname or IP Address and, optionally, the port number to communicate with the proxy machine.
    • The credentials of the user defined on the proxy machine that must be used when establishing the connection.
    • The comma-separated list of hostnames, subdomains, IP addresses that identify systems in the BigFix topology that must not be reached thru the proxy. By default, BigFix V9.5 prevents diverting internal communications towards the proxy. If you set a value in this field, you overwrite the default behavior. To ensure that internal communications are not directed to the proxy, add localhost,,, IP_Address to the list of exceptions specified in this field.
    • Whether or not the proxy is enforced to attempt tunneling. By default the proxy does not attempt tunneling.
    • The authentication method to use when establishing the communication. You can either let the proxy choose the authentication method or you can impose to use specific authentication methods.
      Note: If you want to enable FIPS mode, select an authentication method other than digest.
    You can click Test Connection to verify if the connection with the proxy that you configured can be successfully established. For more information about the values and the syntax to use in these input fields, see Setting a proxy connection on the server.

    Click OK save the settings and return to the Request License panel.

  10. Click Request. The Wizard retrieves your license certificate (license.crt) from the BigFix License server.

    Alternatively, if you are on an airgap without internet connectivity, choose the option to save the request as a file named request.BESLicenseRequest. Copy the file to a machine with internet connectivity and submit your request to the URL of the BigFix website shown in the installer. The page provides you with a license.crt file. Copy the file back to the installation computer and import it into the installer.

  11. From the Request License dialog, click Create to create the masthead file.
  12. Enter the parameters of the masthead file that contains configuration and license information together with a public key that is used to verify digital signatures. This file is saved in your credential folder.
    This window displays parameters of the masthead file that contains configuration and license information together with a public key that is used to verify digital signatures.
    You can set the following options:
    Server Port Number:
    In general, you do not need to change this number. 52311 is the recommended port number, but you can choose a different port if that is more convenient for your particular network. Typically, you choose a port from the IANA range of private ports (49152 through 65535). You can use a reserved port number (ports 1-1024), but this might reduce the ability to monitor or restrict traffic correctly and it prevents you from using port numbers for specific applications. If you do decide to change this number after deploying the clients, BigFix will not work correctly. For additional information, see Modifying port numbers.
    Note: Do not use port number 52314 for the network communication between the BigFix components because it is reserved for proxy agents.
    Gathering Interval:
    This option determines how long the clients wait without hearing from the server before they check whether new content is available. In general, whenever the server gathers new content, it attempts to notify the clients that the new content is available through a UDP connection, circumventing this delay. However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the client from the servers perspective, a smaller interval becomes necessary to get a timely response from the clients. Higher gathering rates only slightly affect the performance of the server, because only the differences are gathered; a client does not gather information that it already has.
    Initial Action Lock:
    You can specify the initial lock state of all clients, if you want to lock a client automatically after installation. Locked clients report which Fixlet messages are relevant for them, but do not apply any actions. The default is to leave them unlocked and to lock specific clients later on. However, you might want to start with the clients locked and then unlock them on an individual basis to give you more control over newly-installed clients. Alternatively, you can set clients to be locked for a certain period of time (in minutes).
    Action Lock Controller:
    This parameter determines who can change the action lock state. The default is Console, which allows any console operator with management rights to change the lock state of any client in the network. If you want to delegate control over locking to the end user, you can select Client, but this is not recommended.
    Exempt the following site URL from action locking:
    In rare cases, you might need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL.
    Note: You can specify only one site URL and it must begin with http://.
    Last fallback Relay for all clients (replacing Root Server):
    You might need to define a fallback relay for your clients when they do not connect to any relay specified in their settings. Select this check box and specify the fallback relay of your environment in one of the following formats:
    • Hostname. For example, myhostname.
    • Fully qualified domain name (FQDN). For example,
    • IP address. For example,

    If you do not select this check box and define a fallback relay, the root server of your environment is used.

    Note: Before specifying a fallback relay, ensure that any client or relay reporting directly to the root server has the root server defined as a relay. This setting will not prevent endpoints from selecting the root server. Also set _BESRelay_Register_Affiliation_AdvertisementList on the BES Root Server to a group name that will not be set on any clients, such as DoNotSelectMe.
    Require use of FIPS 140-2 compliant cryptography
    Check this box to be compliant with the Federal Information Processing Standard in your network. This changes the masthead so that every BigFix component attempts to go into FIPS mode. By default, the client continues in non-FIPS mode if it fails to correctly enter FIPS, which might be a problem with certain legacy operating systems. Be aware that checking this box can add a few seconds to the client startup time.

    For more information see FIPS 140-2 cryptography in the BigFix environment.

    Note: Enabling FIPS mode might prevent the use of some authentication methods when connecting to a proxy. If you selected to use a proxy to access the Internet or to communicate with BigFix subcomponents, ensure that the proxy configuration is set up to use an authentication method other than digest.
    Allow use of Unicode filenames in archives:
    This setting specifies the codepage used to write filenames in the BigFix archives. Check this box to write filenames UTF-8 codepage.
    Do not check this box to write filenames using the local deployment codepage, for example Windows-1252 or Shift JIS. If you run a fresh install of BigFix V9.5, by default, the filenames are written in UTF-8.
    Note: If you upgraded your BigFix environment to V9.5, by default, the filenames are written in the local deployment code page.
    Click OK when you are finished.
  13. Choose the folder in which to install the BigFix component installers. The BigFix Installation Guide wizard is launched to lead you through the installation of the BigFix components.
    Note: This step creates the installers for the BigFix client, BigFix console, and BigFix server, but does not install the components.
Note: The private key (license.pvk) authorizes the creation and rotation of server signing keys, which are trusted by all agents. This key is not sent to HCL during the license certificate creation process, and must be carefully protected. Create also a backup copy of the credential password that you used to encrypt the private key file, and store it in a secure location. To reinstall the server on your workstation, you must reuse the stored BigFix credentials. If you lose the private key file or the site credential password, a new license certificate needs to be created which requires a completely new installation.