BESAdmin Linux Command Line

The BigFix Server installer places the script to run the BigFix Administration Tool, BESAdmin.sh, in the /opt/BESServer/bin directory.

With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the users' content in the database, rotate the server private key, configure the Console and Web Reports login, and synchronize the masthead with the updated license.

Run this script as superuser from the command prompt, using the following syntax:
./BESAdmin.sh -service {arguments}
where service can be one of the following:
audittrailcleaner
changeprivatekeypassword
createexplorercredentials
createwebuicredentials
editmasthead
findinvalidactions
findinvalidsignatures
getcertificatebundle
importlicense
minimumsupportedclient
minimumsupportedrelay
propagateoperatorsites
propertyidmapper
removecomputers
repair
reportencryption
resetdatabaseepoch
resignsecuritydata
revokeexplorercredentials
revokewebuicredentials
rotateexplorercredentials
rotateserversigningkey
securitysettings
setadvancedoptions
setproxy
syncmastheadandlicense
testproxyconnection
updatepassword
Note: The notation <path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.
Each service has the following arguments:
audittrailcleaner

You can run this service to remove historical data from the bfenterprise database that is stored to serve as an audit trail. This audit trail slowly increases in size over the lifetime of a BigFix deployment. The audit trail contains deleted and earlier versions of Fixlets, tasks, baselines, properties, mailbox files, actions, and analyses. The audit trail is not used by BigFix in any way and can be deleted to reduce the database size. BigFix recommends that you create a historical archive of the current database and save it to a secure location before running this tool: the audit trail is then removed from the product database, but its history is preserved in the archive rather than deleted completely.

The service can count and delete the following sets of data:

  • Older Versions of Custom Authored Content (-oldcontent): Every edit to Fixlets, Tasks, Baselines, and Analyses creates a new version; the earlier versions can be deleted.
  • Older Versions of Actions (-oldactions): Any time you stop or start an Action, a new version is created; the earlier versions can be deleted.
  • Older Versions of relay.dat (-oldrelaydatfile): Any time you install or uninstall a new relay, a new version is created; the earlier versions can be deleted.
  • Older uploaded files (-deleteolduploadedfiles): Removes the old files uploaded by the Archive Manager on the BigFix server. This option deletes the old files after an expiration period (default 180 days) from when they were uploaded.
  • Deleted Custom Authored Content (all versions) (-deletedcontent): When you delete a Fixlet, Task, Baseline, and Analysis using the console, the data is marked as deleted in the database and preserved. The deleted content, including all of the earlier versions, and the corresponding client reports can be deleted.
  • Deleted Actions (all versions) (-deletedactions): When you delete an action using the console, the data is marked as deleted in the database and preserved. The deleted actions, including all of the earlier versions, and the corresponding client reports can be deleted.
  • Useless Action Results (-uselessactionresults): Earlier versions of BigFix might cause clients to report ActionResults that were not used in any way but would use up space in the database. These useless ActionResults can be deleted.
  • Orphaned sub-actions (-orphanedsubactions): Sub-actions left behind by multiple action groups that were deleted.
  • Hidden Manual Computer Group Actions (-hiddenactions): Manual Computer Groups create hidden actions that add and remove computers to and from groups and the actions can build up over time. This option deletes actions after an expiration period (default 180 days) from when they were created.
  • Older Version of Mailbox Files (-deletedmailbox): Deleted Mailbox Files are stored in a table in the database and can be removed.
  • Synchronizing BES Consoles (-syncconsoles): The BigFix Console maintains a local cache of the database that goes out of sync when data is removed with this tool. To prevent this situation, the tool sets a flag in the database that forces every BigFix Console to reload its cache at the next start.
  • Removing data older than (-olderthan): Removes data earlier than a specified date. The default value is 99 days.
  • Batched deletion (-batchsize): Deleting large sets of data causes the SQL transaction log to grow quickly; the log becomes temporarily larger than the data being removed until the database is shrunk. Batched deletion removes results in sets.
The syntax of this service changes depending on the action you specify:
./BESAdmin.sh -audittrailcleaner { -displaysettings | -run [delete_data_options] |  
          -schedule [delete_data_options] [scheduling options] | -preview [delete_data_options] 
           [preview options] }
./BESAdmin.sh -audittrailcleaner -displaysettings 
./BESAdmin.sh -audittrailcleaner -run [ -oldcontent ] [ -oldactions ]
          [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ] 
          [ -uselessactionresults ] [ -orphanedsubactions ] [ -hiddenactions=<days> ] 
          [ -deletedmailbox ] [ -syncconsoles ] [ -olderthan=<days> ] [ -batchsize=<size> ]  
./BESAdmin.sh -audittrailcleaner -sitePvkLocation=<path+license.pvk> 
      [ -sitePvkPassword=<password> ] -schedule [ [ -oldcontent ] [ -oldactions ] 
      [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ] [ -uselessactionresults ]
      [ -orphanedsubactions ] [ -hiddenactions=<days> ] [ -deletedmailbox ] [ -syncconsoles ]
      [ -olderthan=<days> ] [ -batchsize=<size> ] [ -cleanstarttime=<yyyymmdd:hhmm> 
      [ -cleanperiodicinterval=<hours> ] ] | -disable ]  
./BESAdmin.sh -audittrailcleaner -preview [ [ -oldcontent ] [ -oldactions ]
      [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ]
      [ -uselessactionresults ] [ -orphanedsubactions ] [ -hiddenactions=<days> ] [ -deletedmailbox ]
      [ -olderthan=<days> ] | [ -scheduled ] ]
where:
  • displaysettings shows the settings that are previously defined with the schedule action.
  • run runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using the preview action.
  • schedule schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the -disable option.
  • preview shows the number of database rows that are affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the -scheduled option to preview the scheduled settings.

For information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
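The preview-before-run discipline described above can be enforced by a small wrapper. The script below is an added example, not code from the BigFix documentation or product: it accepts only the delete_data_options listed in this section, runs -preview with those options (minus -batchsize, which the -preview syntax does not take), captures the counts in a log, and only then runs -run with -syncconsoles appended. The BESAdmin.sh location is an assumption that can be overridden through the BESADMIN environment variable.

```shell
#!/bin/sh
# Added example, not part of the BigFix documentation. Assumed install path;
# override with BESADMIN=/some/other/BESAdmin.sh when needed.
BESADMIN="${BESADMIN:-/opt/BESServer/bin/BESAdmin.sh}"

# Accept only the audittrailcleaner delete_data_options documented above.
# The =<days> / =<size> options must carry a positive integer.
# Returns 1 (and reports on stderr) at the first option that is not allowed.
atc_validate() {
  for opt in "$@"; do
    case "$opt" in
      -oldcontent|-oldactions|-oldrelaydatfile|-deleteolduploadedfiles|\
      -deletedcontent|-deletedactions|-uselessactionresults|\
      -orphanedsubactions|-deletedmailbox) ;;
      -hiddenactions=*|-olderthan=*|-batchsize=*)
        case "${opt#*=}" in
          ''|*[!0-9]*|0) echo "bad value in $opt" >&2; return 1 ;;
        esac ;;
      *) echo "unsupported audittrailcleaner option: $opt" >&2; return 1 ;;
    esac
  done
  return 0
}

# The -preview syntax has neither -batchsize nor -syncconsoles, so the preview
# argument list is the run list without -batchsize. Options never contain
# whitespace (enforced by atc_validate), so the list is safe to expand unquoted.
atc_preview_args() {
  args=""
  for opt in "$@"; do
    case "$opt" in
      -batchsize=*) ;;
      *) args="$args $opt" ;;
    esac
  done
  echo "${args# }"
}

# Preview into the log first; if the preview fails, nothing is deleted.
# Then run the same options with -syncconsoles appended so every console
# reloads its cache instead of serving stale rows.
atc_preview_then_run() {  # $1 = log file, remaining args = delete_data_options
  log=$1; shift
  atc_validate "$@" || return 1
  preview=$(atc_preview_args "$@")
  # shellcheck disable=SC2086
  "$BESADMIN" -audittrailcleaner -preview $preview >"$log" 2>&1 || return 1
  "$BESADMIN" -audittrailcleaner -run "$@" -syncconsoles >>"$log" 2>&1
}

# Typical use (real deployment, real BESAdmin.sh):
#   atc_preview_then_run /var/tmp/atc.log -oldcontent -oldactions -olderthan=120 -batchsize=5000
```

Review the -preview row counts written at the top of the log before trusting a scheduled version of the same options.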

changeprivatekeypassword
This service prompts you for a new password to associate with the license.pvk file. Use the following syntax to run the command:
./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
createexplorercredentials
Use this service to create a BigFix Explorer certificate for the input hostname, in the same way as the WebUI certificate. The following files will be created in the output folder:
  • The certificate file of the ExplorerCertificate "authentication": auth_cert.crt
  • The key file of the ExplorerCertificate "authentication": auth_key.key
  • The certificate file of the ExplorerCACertificate "authentication": ca.crt
  • The certificate file of the WebUICACertificate "authentication": apica.crt.
Use the following syntax to run the command:
./BESAdmin.sh -createexplorercredentials
-sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> 
-explorerCertDir=<path> 
-explorerHostname=<BigFixExplorerHostnameOrIP>
[ -f ]
This service generates a folder named cert_explorerHostname in the path specified by the explorerCertDir option.
explorerCertDir
Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
explorerHostname
Specifies the hostname or IP address of the computer that will host your BigFix Explorer.
createwebuicredentials
Use this service to generate the certificates used as WebUI credentials. Use the following syntax to run the command:
./BESAdmin.sh -createwebuicredentials 
-sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> -webUICertDir=<path> 
-webUIHostname=<WebUIHostnameOrIP>
This service generates a folder named cert_WebUIHostnameOrIP in the path specified by the webUICertDir option.
webUICertDir
Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
webUIHostname
Specifies the hostname or IP address of the computer that will host your WebUI.
Note: If you need to generate WebUI credentials certificates, but you have no WebUI in your deployment, then set:
webUICertDir
To the BigFix server folder (/var/opt/BESServer).
webUIHostname
To the BigFix server IP address or hostname.
editmasthead
You can edit the masthead file by specifying the following parameters:
advGatherSchedule (optional, integer)
 values:
    0=Fifteen Minutes,
    1=Half Hour,
    2=Hour,
    3=Eight Hours,
    4=Half day,
    5=Day,
    6=Two Days,
    7=Week,
    8=Two Weeks,
    9=Month,
    10=Two Months
advController (optional, integer)
 values:
    0=console,
    1=client,
    2=nobody
advInitialLockState (optional, integer)
 values:
    0=Locked,
    1=timed (specify duration),
    2=Unlocked
advInitialLockDuration (optional, integer)
 values:
    (duration in seconds)
advActionLockExemptionURL (optional, string)
advRequireFIPScompliantCrypto (optional, boolean)
advEnableFallbackRelay (optional, boolean)
advFallbackRelay (optional, string)

The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ][ -display ] 
[ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ]
[ -advInitialLockState=<0|2> | -advInitialLockState=1 
-advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ]
[ -advRequireFIPScompliantCrypto=<true|false> ] [ -advEnableFallbackRelay=0 |
-advEnableFallbackRelay=1 -advFallbackRelay=<host> ]
For additional information, see Editing the Masthead on Linux systems in the BigFix Configuration Guide.
findinvalidactions
You can check for invalid actions in the database by specifying the following parameter:
  • (Optional) -deleteInvalidActions: Deletes invalid actions.
The syntax to run this service is:
./BESAdmin.sh -findinvalidactions [ -deleteInvalidActions ] 
-sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
findinvalidsignatures
You can check the signatures of the objects in the database by specifying the following parameters:
-list (optional)
Lists all invalid signatures that BESAdmin finds.
-resignInvalidSignatures (optional)
Attempts to resign any invalid signatures that BESAdmin finds.
-deleteInvalidlySignedContent (optional)
Deletes contents with invalid signatures.
For additional information about invalid signatures, see Resolving invalidly signed content problems in the console. The syntax to run this service is:
./BESAdmin.sh -findinvalidsignatures 
[ -list | -resignInvalidSignatures | -deleteInvalidlySignedContent ]
getcertificatebundle
You can export the certificate bundle (PEM) used by the current version of BES Admin. The bundle contains the certificates of every chain authorized in the masthead; for example, when SHA384 is enforced, the bundle contains only the SHA384 chain. The generated file, named bundle.pem, is located in the folder specified by the bundleCertDir=<path> option.
The syntax to run this service is:
./BESAdmin.sh -getcertificatebundle -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ] -bundleCertDir=<path>
importlicense
You can use this service to import an updated license. This service allows you to update the license manually in isolated BigFix environments.
./BESAdmin.sh -importlicense -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ] -licenselocation=<path+license.crt>
The license.crt file contains the updated license to import.
minimumsupportedclient
This service defines the minimum version of the BigFix Agents that are used in your BigFix environment.
Note: Based on this setting, the BigFix components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations that are imposed by this setting.
The currently allowed values are:
  • 0.0, which means that no activity that is issued by BigFix Agents earlier than V9.0, such as archive files and reports uploads, is prevented from running or limited. This behavior applies also if the minimumsupportedclient service is not set.
  • 9.0, which means that:
    • Unsigned reports, such as the reports sent by BigFix Clients earlier than V9.0, are discarded by FillDB.
    • The upload of an unsigned archive file that is generated on a BigFix Client earlier than V9.0, by an archive now command, for example, fails.

If you ran a fresh installation of BigFix V9.5.6 or later using a BES Authorization file, by default all the BigFix Clients earlier than V9.0 are prevented from joining your environment because the minimumsupportedclient service is automatically set to 9.0.

The value that is assigned to this service, if set, remains unchanged:
  • If you upgraded to V9.5.6 or later.
  • If you installed BigFix V9.5.6 or later using an existing masthead.
In both cases, if the service did not exist before, it does not exist afterward either.
The current value <VALUE> assigned in your environment to the minimumsupportedclient service is displayed in the line x-bes-minimum-supported-client-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-client-level:" ) of masthead of site "actionsite"
The syntax to run this service is:
 ./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
    -minimumsupportedclient=<version>.<release>

If you do not specify [sitePvkPassword=<password>], you are prompted to enter the password interactively when BESAdmin.sh runs.

For example, if you want to state that Agents earlier than V9.0 are not supported in your BigFix environment, you can run the following command:
 ./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient=9.0
minimumsupportedrelay
You can use this service, added with BigFix V9.5.6, to enforce specific criteria that affect the BigFix Agent registration requests. If this service is enabled, V9.5.6 Agents can continue to register to the V9.5.6 BigFix environment if their registration requests are signed and sent across the Relays hierarchy using the HTTPS protocol.
Note: Based on this service, the BigFix components can decide when it is safe to enable newer functions across all the components in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations that are imposed by this setting.
The currently allowed values are:
  • 0.0.0, which means that the BigFix Server accepts and manages:
    • Signed and unsigned registration requests coming from BigFix Agents.
    • Registration requests delivered from BigFix Agents using the HTTP or the HTTPS protocols.
    This behavior applies by default when you upgrade from previous versions to BigFix V9.5.6 or later. In this case, the minimumsupportedrelay service is not added automatically to your configuration during the upgrade.
  • 9.5.6 or later, which means that:
    • The BigFix Server enforces that registration requests coming from BigFix Agents V9.5.6 or later must be properly signed.
    • The BigFix Server and the Relays V9.5.6 or later enforce the use of the HTTPS protocol when BigFix Agent registration data is exchanged.
    Enforcing this behavior has the following side effects:
    • BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
    • Because BigFix Relays with versions earlier than V9.5.6 cannot handle correctly signed registration requests, any BigFix Client that uses those Relays might be prevented from continuing to register, or might fall back to a different parent Relay or directly to the Server.

If you ran a fresh installation of BigFix V9.5.6 or later using a License Authorization file, be aware that the side effects that were just listed apply to your BigFix deployment because, in this particular installation scenario, the minimumsupportedrelay service is automatically set to 9.5.6 by default.

The current value <VALUE> assigned in your environment to the minimumsupportedrelay service is displayed in the line x-bes-minimum-supported-relay-level: <VALUE> of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:
Q: following text of last ": " of line whose (it starts with 
"x-bes-minimum-supported-relay-level:" ) of masthead of site "actionsite"
This query displays a value only when <VALUE> is set to 9.5.6; if it is set to 0.0.0, it does not display a value.
The syntax to run this service is:
 ./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
    -minimumsupportedrelay=<version>.<release>.<modification>

If you do not specify [sitePvkPassword=<password>], you are prompted to enter the password interactively when BESAdmin.sh runs.

For example, if you want your BigFix Server to manage only registration requests that are signed and carried over HTTPS, you can run the following command:
 ./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedrelay=9.5.6
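The two masthead header lines named in this section and in the minimumsupportedclient section can be audited without the WebUI Query Application. The script below is an added example, not code from the BigFix documentation or product: it extracts both levels from a masthead file the way the Relevance queries above do and reports what the server enforces as a result, treating an absent line as 0.0 / 0.0.0 as the text describes. The masthead path /var/opt/BESServer/actionsite.afxm is an assumption, and the masthead that sample_masthead() writes is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the BigFix documentation. The masthead location
# below is an assumption; pass another path as the first argument instead.
MASTHEAD="${MASTHEAD:-/var/opt/BESServer/actionsite.afxm}"

# Print the text after "key: " on the first header line starting with the key
# (shell equivalent of the Relevance query shown above). Prints nothing when the
# line is absent, which is what the tool reports as "not set".
masthead_level() {  # $1 = header key, $2 = masthead file
  sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Compare dot-separated numeric versions: exit 0 when $1 >= $2, else 1.
# Missing trailing fields count as 0, so "9.0" and "9.0.0" compare equal.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Effective levels: an absent client line behaves like 0.0 and an absent relay
# line like 0.0.0, as the two sections above describe.
client_level() {
  v=$(masthead_level x-bes-minimum-supported-client-level "$1"); echo "${v:-0.0}"
}
relay_level() {
  v=$(masthead_level x-bes-minimum-supported-relay-level "$1"); echo "${v:-0.0.0}"
}

# One-word verdicts a monitoring check can assert on.
unsigned_reports() {  # FillDB discards unsigned reports once the level is 9.0 or later
  if version_ge "$(client_level "$1")" 9.0; then echo DISCARDED; else echo ACCEPTED; fi
}
registration_policy() {  # signed-over-HTTPS only once the level is 9.5.6 or later
  if version_ge "$(relay_level "$1")" 9.5.6; then echo SIGNED_HTTPS_ONLY; else echo ANY; fi
}

# Human-readable summary of what the masthead enforces.
enforcement_report() {
  f=${1:-$MASTHEAD}
  echo "masthead: $f"
  echo "x-bes-minimum-supported-client-level: $(client_level "$f")" \
       "-> unsigned client reports: $(unsigned_reports "$f")"
  echo "x-bes-minimum-supported-relay-level: $(relay_level "$f")" \
       "-> agent registration: $(registration_policy "$f")"
}

# Constructed sample: only the header lines this example reads, plus unrelated
# headers to show that matching is on the exact key. An empty level omits the line.
sample_masthead() {  # $1 = output path, $2 = client level or "", $3 = relay level or ""
  {
    echo "x-example-unrelated-header: constructed"
    if [ -n "$2" ]; then echo "x-bes-minimum-supported-client-level: $2"; fi
    if [ -n "$3" ]; then echo "x-bes-minimum-supported-relay-level: $3"; fi
    echo "x-example-other-header: constructed"
  } > "$1"
}

# Report on the real masthead when it is readable; otherwise stay silent.
if [ -r "${1:-$MASTHEAD}" ]; then enforcement_report "${1:-$MASTHEAD}"; fi
```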
propagateoperatorsites
This service forces the server to propagate a new version of the operator sites. This command is useful after a server migration because it makes sure that the data is available for clients to gather, which prevents failures. This is the command syntax:
./BESAdmin.sh -propagateoperatorsites { -propagateAllOperatorSites | 
-propagateOperatorSite=<MastheadUsername> }
propertyidmapper
This service creates, updates, and deletes a table (PropertyIDMap) in the BFEnterprise database that maps retrieved property names to the SiteID, AnalysisID, and PropertyID used to reference properties in the QUESTIONRESULTS and LONGQUESTIONRESULTS tables. It creates the PropertyIDMap table if it does not exist (requires table creation permissions). This service must be run to update the PropertyIDMap table after creating or deleting a property.

The general syntax of this service is the following:

./BESAdmin.sh -propertyidmapper  { -displaysettings | -run [property_idmapper_options] 
       |  -schedule [property_idmapper_options] [scheduling options] }

The syntax of this service changes depending on the action you specify:

./BESAdmin.sh -propertyidmapper -displaysettings 
./BESAdmin.sh -propertyidmapper -run [ -createtable ] [ -removetable ] 
      [ -lookupproperty=<propertyname> ] 
./BESAdmin.sh -propertyidmapper -schedule [ -createtable -starttime=<yyyymmdd:hhmm> 
     [ -interval=<hours> ] | -disable ] 
where:
  • displaysettings shows the settings that are previously set with the schedule action.
  • run runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using the preview action.
  • schedule schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the -disable option.

For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.

removecomputers
The service runs database operations for the following sets of data:
  • Expired Computers (-deleteExpiredComputers): Marks computers as deleted if they did not report in recently.
  • Deleted Computers (-purgeDeletedComputers): Physically deletes the computer related data from the database for computers that are already marked as deleted and have not reported in for a long time. It deletes the data related to an agent (such as the action results, the properties, and so on), not the agent itself, which remains logically deleted (IsDeleted = 1) in the database. Therefore, if the same agent becomes active again, it is recognized and reuses its previous computer ID.
  • Duplicate Computers (-deleteDuplicatedComputers): Marks older computers as deleted if a computer exists with the same computer name.
  • Removal of deleted Computers (-removeDeletedComputers): Physically deletes the computer information from the database for computers that have been marked as deleted (IsDeleted = 1) for at least the indicated number of days (minimum 7) or the indicated number of hours (minimum 24). It deletes the information of the agent itself (such as the computer ID, and so on). Therefore, if the same agent becomes active again, a totally new computer ID is assigned to the agent.
  • Removal of uploaded Files (-removeDeletedUploads): Physically removes from the database the definition of uploaded files that are marked as deleted. It does not apply to non-native agents.
  • Removal of uploaded files of removed computers (-eraseUploadFilesForRemovedComputers): Physically removes from the BigFix server filesystem all files uploaded by clients whose definition has been removed from the database. It does not apply to non-native agents.
  • Removal of Computers by name (-removeComputersFile): Accepts a text file with a list of computer names that are separated by new lines and removes them from the deployment.
The general syntax of this service is:
./BESAdmin.sh -removecomputers  { -displaySettings [display_settings options]  | -run [remove_computers_options] 
       | -schedule [remove_computers_options] [scheduling options] 
       | -preview [remove_computers_options] [preview options] }
Depending on the action that is specified, the syntax changes as follows:
./BESAdmin.sh -removecomputers -displaySettings [ -name=<TaskName> ]
./BESAdmin.sh -removecomputers -run [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] 
    [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ]
    [ -eraseUploadFilesForRemovedComputers ] 
    [ -purgeDeletedComputers=<days> ] 
    [ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] 
    [ -removeComputersFile=<path> ] [ -batchSize=<batch size> ]
./BESAdmin.sh -removecomputers -schedule [ [ -name=<TaskName> ] [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] [ -purgeDeletedComputers=<days> ]
[ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ]
[ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] [ -batchSize=<batch size> ]
[ -removeStartTime=<YYYYMMDD:HHMM> [ -removePeriodicInterval=<Hours> ] ] | [ -disable -name=<TaskName> ] | [ -delete -name=<TaskName> ] | [ -list ] |
[ -update [ -name=<TaskName> ] [ -deleteExpiredComputers=<days> ] [ -purgeDeletedComputers=<days> ]
[ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ]
[ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] [ -batchSize=<batch size> ]
[ -removeStartTime=<YYYYMMDD:HHMM> [ -removePeriodicInterval=<Hours> ] ] ] ] 
./BESAdmin.sh -removecomputers -preview [ [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] 
    [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ]
    [ -eraseUploadFilesForRemovedComputers ] 
    [ -purgeDeletedComputers=<days> ][ -deleteDuplicatedComputers 
    [ -duplicatedPropertyName=<PropertyName> ] ] | [ -scheduled ] [ -name=<TaskName> ] ] 
where:
  • displaySettings shows the settings that are previously set with the schedule action.
  • run runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using the preview action.
  • schedule schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the -disable option.
  • preview shows the number of database rows that are affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the -scheduled option to preview the scheduled settings.
Note: When using option -removeDeletedComputers, the number of days must be not less than 7 or the number of hours must be not less than 24.

For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.

repair
You can use this command to handle an inconsistency between the keys that are stored in the database and the keys stored on the filesystem.
./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
If the keywords ServerSigningKey and ClientCAKey do not exist, they are created under /var/opt/BESServer. This command also updates the site licenses.
reportencryption
You can generate, rotate, enable, and disable encryption for report messaging by running:
./BESAdmin.sh -reportencryption { -status |
  -generatekey [-privateKeySize=<min|max>] 
               [-deploynow=yes | -deploynow=no -outkeypath=<path>] 
               -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -rotatekey [-privateKeySize=<min|max> ] 
             [-deploynow=yes | -deploynow=no -outkeypath=<path> ] 
             -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -enablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -disable -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] }
where:
status
Shows the status of the encryption and which arguments you can use for that status.
generatekey
Allows you to generate a new encryption key.
rotatekey
Allows you to change the encryption key.
enablekey
Allows you to enable the encryption key.
disable
Allows you to put the encryption key in PENDING state. If you run the reportencryption command with the disable argument again, the encryption state changes from PENDING to DISABLED.
deploynow=yes
Deploys the report encryption key to the server for decryption.
deploynow=no -outkeypath=<path>
The encryption key is not deployed to the server but it is saved in the outkeypath path.
For more information about this command and its behavior, see Managing Client Encryption.
resetdatabaseepoch
Clears all console cache information in BigFix Enterprise Service V7.0 or later versions. After you run this command:
./BESAdmin.sh -resetdatabaseepoch
subsequent console logins reload their cache files.
resignsecuritydata
If you get one of the following errors:
class SignedDataVerificationFailure 
HTTP Error 18: An unknown error occurred while transferring data from the server
when you try to log in to the BigFix console, you must resign all the user content in the database by entering the following command:
./BESAdmin.sh -resignSecurityData 
This command resigns the security data using the existing key file. You can also specify the following parameter:
-mastheadLocation=<path+actionsite.afxm>
The complete syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
revokeexplorercredentials
Use this service to revoke the BigFix Explorer certificate associated with the given hostname. Use the following syntax to run the command:
./BESAdmin.sh -revokeexplorercredentials
-sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password>
-explorerHostname=<BigFixExplorerHostnameOrIP>
If an authentication certificate is issued for the specified hostname, this certificate is revoked and the BigFix Explorer instance running on that explorerHostname can no longer connect to the root server.

After revoking the credentials for a BigFix Explorer host, it will no longer connect to the root server. You can either remove the BES Explorer installation, or generate new credentials for that host, and replace the old certificate files on that host.

revokewebuicredentials
You can revoke the authentication certificate of a specified WebUI instance.
The syntax to run this service is:
./BESAdmin.sh -revokewebuicredentials
-hostname=<host> 
-sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<pvk_password>
If an authentication certificate is issued for the specified hostname, this certificate is revoked and the WebUI instance running on that hostname can no longer connect to the root server.

After revoking the credentials for a WebUI host, it will no longer connect to the root server. You can either remove the WebUI installation, or generate new credentials for that host, and replace the old certificate files on that host.

rotateexplorercredentials
Use this service to rotate the BigFix Explorer certificate associated with the given hostname, or the whole BigFix Explorer CA. Use the following syntax to run the command:
./BESAdmin.sh -rotateexplorercredentials
-sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> 
-explorerCertDir=<path> 
-explorerHostname=<BigFixExplorerHostnameOrIP>
| -rotateCA
You can rotate a single BigFix Explorer certificate, by hostname, if the certificate associated with that hostname was compromised; the files of the new certificate are copied into the <explorerCertDir> path.
Alternatively, you can rotate the BigFix Explorer Certificate Authority together with all BigFix Explorer certificates. The files of the new certificates are copied into a new dedicated folder under the <explorerCertDir> path, one for each BigFix Explorer instance whose certificate had not yet been revoked when the command was run. The command
./BESAdmin.sh -rotateexplorercredentials
-sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> 
-explorerCertDir=<path> 
-rotateCA
will:
  • Stop the Root Server.
  • Revoke each BigFix Explorer certificate created up to that moment.
  • Delete the ExplorerCACertificate and ExplorerCAKey files on the Root Server and in the Admin Fields database table.
  • Start the Root Server, which recreates the files and entries of the previous point.
  • Recreate all the certificates for the previous BigFix Explorer instances.
rotateserversigningkey

You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content that uses the new key, and revokes the old key.

The syntax to run this service is:

./BESAdmin.sh -rotateserversigningkey 
-sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ]
securitysettings
You can configure security options to follow the NIST security standards by running the command:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
{ -status | -requireSHA384Signatures [-requireSHA256Downloads]
| -allowSHA256Signatures | -requireSHA256Downloads | -allowSHA1Downloads} 
[ -testTLSCipherList | -setTLSCipherList | -listTLSCiphers | -removeTLSCipherList ]
[ -hideFromFieldFromMasthead | -showFromFieldFromMasthead ]
[ -enableLocalOperators | -disableLocalOperators]
[ -requireTLS13 | -allowTLS12 ]
where:
status
Shows the status of the security settings set in your BigFix environment.
Example:
./BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk
-sitePvkPassword=mypassw0rd -status

Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL
requireSHA384Signatures | allowSHA256Signatures
Enables or disables the security option that adopts the SHA-384 cryptographic digest algorithm for all digital signatures.
Warning: If you set requireSHA384Signatures you break compatibility with BigFix components at version 10.0 or earlier.

For more information about the BigFix SHA-384 enforcement and the supported security configuration, see Security Configuration Scenarios.

requireSHA256Downloads
Requires that the file download integrity check use the SHA-256 algorithm.
allowSHA1Downloads
Allows the file download integrity check to use the SHA-1 algorithm, so SHA-256 verification of downloads becomes optional (the state that -status reports as OPTIONAL).
testTLSCipherList | setTLSCipherList | listTLSCiphers | removeTLSCipherList

To test whether a TLS cipher list is compatible with the BigFix components, run the following command:

./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> 
-testTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>

After identifying a suitable TLS cipher list, set it by running the following command:

./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> 
-setTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>

To list all the TLS ciphers that are currently enabled, run the following command:

./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> 
-listTLSCiphers

To remove the TLS cipher list from the deployment masthead and return to the default cipher list, run the following command:

./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> 
-removeTLSCipherList
hideFromFieldFromMasthead | showFromFieldFromMasthead
You can specify if you want to show or hide the value displayed by the From field in the masthead which contains the email address of the license assignee. During a fresh installation the value is hidden and the option "hideFromFieldFromMasthead" is set to 1. During an upgrade the value remains unchanged.
For example, if you want to hide the value, run the command as follows:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<password> -hideFromFieldFromMasthead

enableLocalOperators | disableLocalOperators
You can enable or disable login to the BigFix environment (BigFix Console, Web Reports, REST API and WebUI) for local operators. The choice is stored in the BFEnterprise database. After you disable local operator login, access is granted only to LDAP users.
For example, if you want to disable the login of the local operators, run the command as follows:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<password> -disableLocalOperators

Note: The local operators are enabled by default.
Note: When you try to disable local operators, if the "REST API credentials for BES Server Plugin Service" are set and the configured user is a local operator, an error message is displayed and the option is not set.
Note: When you try to disable local operators, if the "SOAP API credentials for BES Server Plugin Service" are set, a non-blocking warning message is displayed and the option is set.
requireTLS13
Requires the use of TLS 1.3 for HTTPS communications among BigFix components.
Warning: If you set requireTLS13 you break compatibility with BigFix components at version 10.0 or earlier.
Note: With this setting, Console SAML authentication works only on a Windows version that supports TLS 1.3. For more details, see Assumptions and requirements.
allowTLS12
Allows the use of TLS 1.2 for HTTPS communications among BigFix components.
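As an added example (not BigFix's own code, and not part of the original page), the script below wraps the cipher-list and status commands above in a small hardening check: it rejects a cipher list that is malformed or contains suites a hardened deployment should never offer before the list ever reaches -testTLSCipherList, runs test before set, and then parses the -status output so the run fails if SHA-256 downloads are still OPTIONAL. It assumes BESAdmin.sh lives in /opt/BESServer/bin as stated at the top of the page, that cipher lists use the colon-separated format shown in the syntax, and that BESAdmin.sh exits non-zero when a command fails (the page does not say so). It deliberately omits -sitePvkPassword so the tool prompts for it instead of the password landing in shell history and process listings. The validate_cipher_list and check_security_status functions, the weak-suite deny list, the --apply driver and the BESADMIN_PVK variable are all constructed here.

```shell
#!/bin/sh
# Added example, not BigFix code: gate TLS cipher and download-hardening
# changes on BESAdmin.sh output. Assumes the Linux install path from the
# top of the page; the functions and deny list below are constructed here.
set -e

BESADMIN="${BESADMIN:-/opt/BESServer/bin/BESAdmin.sh}"

# Reject a candidate list before it reaches -testTLSCipherList: empty or
# doubled entries, characters outside the OpenSSL-style token set, and
# suites a hardened deployment must not offer (NULL, export, RC4,
# DES/3DES, MD5, anonymous DH). Extend the deny list to taste.
validate_cipher_list() {
    list="$1"
    case "$list" in
        ''|:*|*:|*::*) echo "FAIL: empty or malformed cipher list" >&2; return 1 ;;
    esac
    old_ifs="$IFS"; IFS=:
    set -- $list
    IFS="$old_ifs"
    for c in "$@"; do
        case "$c" in
            *[!A-Za-z0-9_-]*) echo "FAIL: bad token '$c'" >&2; return 1 ;;
        esac
        upper="$(printf '%s' "$c" | tr 'a-z' 'A-Z')"
        case "$upper" in
            *NULL*|*EXPORT*|EXP-*|*RC4*|*DES*|*MD5*|ADH-*|AECDH-*|*ANON*)
                echo "FAIL: weak suite '$c'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Read "-securitysettings ... -status" output on stdin and fail unless
# enhanced security is ENABLED and SHA-256 downloads are no longer
# OPTIONAL (the two lines the page's example output shows).
check_security_status() {
    status="$(cat)"
    rc=0
    if ! printf '%s\n' "$status" | grep -q '^Enhanced security is currently ENABLED'; then
        echo "FAIL: enhanced security is not enabled" >&2
        rc=1
    fi
    if printf '%s\n' "$status" | grep -q '^SHA-256 downloads are currently OPTIONAL'; then
        echo "FAIL: SHA-1 download verification still allowed; run -requireSHA256Downloads" >&2
        rc=1
    fi
    return "$rc"
}

# Driver: runs only with --apply, so the functions can be sourced and
# exercised without a BigFix server. -sitePvkPassword is omitted on
# purpose so BESAdmin.sh prompts for it (once per call). Hypothetical use:
#   BESADMIN_PVK=/root/backup/license.pvk sh harden.sh --apply \
#       'TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384'
apply_hardening() {
    pvk="${BESADMIN_PVK:?set BESADMIN_PVK to the path of license.pvk}"
    ciphers="$1"
    validate_cipher_list "$ciphers"
    # test is non-destructive; set writes the masthead. Never skip the test.
    "$BESADMIN" -securitysettings -sitePvkLocation="$pvk" -testTLSCipherList="$ciphers"
    "$BESADMIN" -securitysettings -sitePvkLocation="$pvk" -setTLSCipherList="$ciphers"
    "$BESADMIN" -securitysettings -sitePvkLocation="$pvk" -requireSHA256Downloads
    "$BESADMIN" -securitysettings -sitePvkLocation="$pvk" -status | check_security_status
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_hardening "$1"
fi
```

The deny list matches on substrings, so it also rejects 3DES and any DES-CBC3 suite (SWEET32); if your deployment still needs one of those for an old component, that is the line to relax, knowingly.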
setadvancedoptions
You can list or configure any global settings that apply to your particular installation. The complete syntax to run this service is:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]  
{ -list | -display 
| [ -f ] -delete option_name 
| [ -f ] -update option_name=option_value }
For example:
  • To customize the Console or Web Reports login banner, enter the following command:
    ./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk 
    -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
  • If your BigFix Server is V9.5.7 or later, to avoid having duplicate computer entries when the endpoints are detected as possible clones by the Server, run the following command:
    ./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk 
    -sitePvkPassword=pippo000 -update clientIdentityMatch=100

For a list of available options that you can set, see List of advanced options.

setproxy
If your enterprise uses a proxy to access the Internet, you must configure a proxy connection so that the BigFix server can gather content from sites, communicate with other components, and download files.

For more information about how to run the command and about the values to use for each argument, see Setting a proxy connection on the server.

syncmastheadandlicense
When you upgrade the product, you must use this option to synchronize the updated license with the masthead and resign all content in the database with SHA-256. The syntax to run this service is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> 
[-sitePvkPassword=<password>]
testproxyconnection
You can test the proxy connection. The syntax to run this service is:
./BESAdmin.sh -testproxyconnection -proxyHost=<host> [ -proxyPort=<port> ] 
[ -proxyUser=<user> -proxyPassword=<pass> ] [ -proxyExcList=<list> ] [ -proxyAuthMeth=<method> ] 
[ -proxySecTunnel=<true|false> ] [ -fips ]
updatepassword

You can modify the password that is used for authentication by product components in specific configurations.

The syntax to run this service is:

./BESAdmin.sh -updatepassword -type=<server_db|dsa_db>
[-password=<password>] -sitePvkLocation=<path+license.pvk> 
[-sitePvkPassword=<pvk_password>]
where:
-type=server_db
Specify this value to update the password that is used by the server to authenticate with the database.

If you modify this value, the command restarts all the BigFix server services.

-type=dsa_db
Specify this value to update the password that is used in a DSA configuration by a server to authenticate with the database.
The -password and -sitePvkPassword arguments are optional; if they are not specified on the command line, their values are requested interactively at run time. The password set by this command is stored obfuscated.