Manual key exchange
If an agent does not have a certificate and can only reach an authenticating relay on the network, connected through the internet, you can manually run the following command on the agent so it can perform the key exchange with an authenticating relay:
BESClient -register [<password>] http://<relay>:52311
The client includes the password in its key exchange with the authenticating relay, which verifies it before forwarding the key exchange to its parent. If you execute the command omitting the password, the password is requested interactively. On Windows systems, run the command using the cmd /c prefix.
Another way to perform a manual registration to an authenticating relay is by setting a value for the client setting _BESClient_SecureRegistration. The value specifies the password needed to perform a manual registration to the authenticating relay. This setting is read only at client startup time. You can specify the relay in the clientsettings.cfg configuration file. For more information about this configuration file, see Windows Clients.
- A single password in the client setting _BESRelay_Comm_KeyExchangePassword on the relay.
- A newline-delimited list of one-time passwords stored in a file named KeyExchangePasswords in the relay storage directory (value StoragePath of HKEY\SOFTWARE\WOW6432Node\BigFix\Enterprise Server\GlobalOptions).
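The following is an added example, not code from the product or its documentation: a way to produce the newline-delimited one-time password file described above with strong random values and owner-only permissions. The function names, the password alphabet and length, and the trailing newline are assumptions; the storage directory is passed in by the caller, and the demo writes to a temporary directory.

```python
import os
import secrets
import tempfile
from pathlib import Path

FILE_NAME = "KeyExchangePasswords"  # file name given in the text above


def generate_passwords(count, nbytes=24):
    """Return `count` distinct random passwords (URL-safe alphabet, assumed acceptable)."""
    passwords = set()
    while len(passwords) < count:
        passwords.add(secrets.token_urlsafe(nbytes))
    return sorted(passwords)


def write_password_file(storage_dir, passwords):
    """Write one password per line, replacing any existing file atomically."""
    for p in passwords:
        # A newline inside a password would split it into two list entries.
        if not p or "\n" in p or "\r" in p:
            raise ValueError("passwords must be non-empty single lines")
    target = Path(storage_dir) / FILE_NAME
    # mkstemp creates the file with owner-only permissions on POSIX.
    # On Windows, restrict access with an ACL on the storage directory instead.
    fd, tmp = tempfile.mkstemp(dir=storage_dir, prefix=FILE_NAME + ".")
    try:
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write("\n".join(passwords) + "\n")  # trailing newline is an assumption
        os.chmod(tmp, 0o600)
        os.replace(tmp, target)  # readers never see a half-written list
    except BaseException:
        os.unlink(tmp)
        raise
    return target


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the relay storage directory.
    with tempfile.TemporaryDirectory() as demo_dir:
        path = write_password_file(demo_dir, generate_passwords(3))
        print(path.name, "written with", len(path.read_text().splitlines()), "entries")
```

Hand each generated password to exactly one agent through a separate channel, since every entry in the list is a credential for registering with the relay.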