BESAdmin Linux Command Line
The BigFix Server
installer places the script to run the BigFix Administration Tool,
BESAdmin.sh
, in the /opt/BESServer/bin
directory.
With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the users content in the database, rotate the server private key, configure the Console and Web Reports login, resign the database content, and synchronize the masthead with the updated license.
./BESAdmin.sh -service {arguments}
where
service can be one of the following:audittrailcleaner
changeprivatekeypassword
createexplorercredentials
createwebuicredentials
editmasthead
findinvalidactions
findinvalidsignatures
getcertificatebundle
importlicense
minimumsupportedclient
minimumsupportedrelay
propagateoperatorsites
propertyidmapper
removecomputers
repair
reportencryption
resetdatabaseepoch
resignsecuritydata
revokeexplorercredentials
revokewebuicredentials
rotateexplorercredentials
rotateserversigningkey
securitysettings
setadvancedoptions
setproxy
syncmastheadandlicense
testproxyconnection
updatepassword
<path+license.pvk>
used in the command syntax stands for
path_to_license_file/license.pvk
.arguments
:- audittrailcleaner
You can run this service to remove historical data from the bfenterprise database that is stored to serve as an audit trail. This audit trail slowly increases in size over the lifetime of a BigFix deployment. The audit trail contains deleted and earlier versions of Fixlets, tasks, baselines, properties, mailbox files, actions, and analyses. The audit trail is not used by BigFix in any way and can be deleted to reduce the database size. BigFix recommends that you create a historic archive of the current database and save it to a secure location before running this tool to preserve the audit trail, thus removing it from the product database, but not completely deleting the history.
The service can count and delete the following sets of data:
- Older Versions of Custom Authored Content
(
-oldcontent
): Every edit to Fixlets, Tasks, Baselines, and Analyses, creates a new version, the earlier versions can be deleted. - Older Versions of Actions (
-oldactions
): Any time you stop or start an Action, a new version is created; the earlier versions can be deleted. - Older Versions of relay.dat
(
-oldrelaydatfile
): Any time you install or uninstall a new relay, a new version is created; the earlier versions can be deleted. - Older uploaded files
(
-deleteolduploadedfiles
): Removes the old files uploaded by the Archive Manager on the BigFix server. This option deletes the old files after an expiration period (default 180 days) from when they were uploaded. - Deleted Custom Authored Content (all versions)
(
-deletedcontent
): When you delete a Fixlet, Task, Baseline, and Analysis using the console, the data is marked as deleted in the database and preserved. The deleted content, including all of the earlier versions, and the corresponding client reports can be deleted. - Deleted Actions(all versions)
(
-deletedactions
): When you delete an action using the console, the data is marked as deleted in the database and preserved. The deleted actions, including all of the earlier versions, and the corresponding client reports can be deleted. - Useless Action Results
(
-uselessactionresults
): Earlier versions of BigFix might cause clients to report ActionResults that were not used in any way but would use up space in the database. These useless ActionResults can be deleted. - Orphaned sub-actions (
-orphanedsubactions
): From multiple action groups that were deleted. - Hidden Manual Computer Group Actions
(
-hiddenactions
): Manual Computer Groups create hidden actions that add and remove computers to and from groups and the actions can build up over time. This option deletes actions after an expiration period (default 180 days) from when they were created. - Older Version of Mailbox Files
(
-deletedmailbox
): Deleted Mailbox Files are stored in a table in the database and can be removed. - Synchronizing BES Consoles (
-syncconsoles
): The BigFix Console maintains a local cache of the database that becomes not synchronized when data is removed with this tool. To prevent this situation from happening, the tool sets a flag in the database to force all BigFix Consoles to reload the cache when the Console is started up. - Removing data older than (
-olderthan
): Removes data earlier than a specified date. The default value is 99 days. - Batched deletion (
-batchsize
): Deleting large sets of data causes the SQL transaction log to quickly increase in size, the log becomes temporarily larger than the data being removed until the database is shrunk. Batched deletion removes results in sets.
./BESAdmin.sh -audittrailcleaner { -displaysettings | -run [delete_data_options] | -schedule [delete_data_options] [scheduling options] | -preview [delete_data_options] [preview options] }
./BESAdmin.sh -audittrailcleaner -displaysettings
./BESAdmin.sh -audittrailcleaner -run [ -oldcontent ] [ -oldactions ] [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ] [ -uselessactionresults ] [ -orphanedsubactions ] [ -hiddenactions=<days> ] [ -deletedmailbox ] [ -syncconsoles ] [ -olderthan=<days> ] [ -batchsize=<size> ]
./BESAdmin.sh -audittrailcleaner -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -schedule [ [ -oldcontent ] [ -oldactions ] [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ] [ -uselessactionresults ] [ -orphanedsubactions ] [ -hiddenactions=<days> ] [ -deletedmailbox ] [ -syncconsoles ] [ -olderthan=<days> ] [ -batchsize=<size> ] [ -cleanstarttime=<yyyymmdd:hhmm> [ -cleanperiodicinterval=<hours> ] ] | -disable ]
where:./BESAdmin.sh -audittrailcleaner -preview [ [ -oldcontent ] [ -oldactions ] [ -oldrelaydatfile ] [ -deleteolduploadedfiles ] [ -deletedcontent ] [ -deletedactions ] [ -uselessactionresults ] [ -orphanedsubactions ] [ -hiddenactions=<days> ] [ -deletedmailbox ] [ -olderthan=<days> ] | [ -scheduled ] ]
-
displaysettings
shows the settings that are previously defined with theschedule
action. -
run
runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using thepreview
action. schedule
schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the-disable
option.preview
shows the number of database rows that are affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the-scheduled
option to preview the scheduled settings.
For information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
- Older Versions of Custom Authored Content
(
- changeprivatekeypassword
- You can use this service to be prompted for a new password to associate to
the
license.pvk
file. Use the following syntax to run the command:./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- createexplorercredentials
- Use this service to to create a BigFix Explorer certificate for the input
hostname, in a similar way as the one for the WebUI certificate. The
following files will be created in the output folder:
- The certificate file of the ExplorerCertificate "authentication": auth_cert.crt
- The key file of the ExplorerCertificate "authentication": auth_key.key
- The certificate file of the ExplorerCACertificate "authentication": ca.crt
- The certificate file of the WebUICACertificate "authentication": apica.crt.
This service generates a folder named cert_explorerHostname in the path specified by the explorerCertDir option../BESAdmin.sh -createexplorercredentials -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -explorerCertDir=<path> -explorerHostname=<BigFixExplorerHostnameOrIP> [ -f ]
- explorerCertDir
- Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
- explorerHostname
- Specifies the hostname or IP address of the computer that will host your BigFix Explorer.
- createwebuicredentials
- Use this service to generate the certificates used as WebUI credentials. Use
the following syntax to run the
command:
This service generates a folder named cert_WebUIHostnameOrIP in the path specified by the webUICertDir option../BESAdmin.sh -createwebuicredentials -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -webUICertDir=<path> -webUIHostname=<WebUIHostnameOrIP>
- webUICertDir
- Specifies the path to the parent folder of the new folder containing the certificates. This folder must exist.
- webUIHostname
- Specifies the hostname or IP address of the computer that will host your WebUI.
Note: If you need to generate WebUI credentials certificates, but you have no WebUI in your deployment, then set:- webUICertDir
- To the BigFix server folder (/var/opt/BESServer).
- webUIHostname
- To the BigFix server IP address or hostname.
- editmasthead
- You can edit the masthead file by specifying the following
parameters:
advGatherSchedule (optional, integer) values: 0=Fifteen Minutes, 1=Half Hour, 2=Hour, 3=Eight Hours, 4=Half day, 5=Day, 6=Two Days, 7=Week, 8=Two Weeks, 9=Month, 10=Two Months advController (optional, integer) values: 0=console, 1=client, 2=nobody advInitialLockState (optional, integer) values: 0=Locked, 1=timed (specify duration), 2=Unlocked advInitialLockDuration (optional, integer) values: ( duration in seconds ) advActionLockExemptionURL (optional, string) advRequireFIPScompliantCrypto (optional, boolean) advEnableFallbackRelay (optional,boolean) advFallbackRelay (optional, string)
The syntax to run this service is:
For additional information, see Editing the Masthead on Linux systems in the BigFix Configuration Guide../BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ][ -display ] [ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ] [ -advInitialLockState=<0|2> | -advInitialLockState=1 -advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ] [ -advRequireFIPScompliantCrypto=<true|false> ] [ -advEnableFallbackRelay=0 | -advEnableFallbackRelay=1 -advFallbackRelay=<host> ]
- findinvalidactions
- You can check for invalid actions in the database by specifying the
following parameter:
- (Optional) -deleteInvalidActions: Deletes invalid actions.
./BESAdmin.sh -findinvalidactions [ -deleteInvalidActions ] -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- findinvalidsignatures
-
You can check the signatures of the objects in the database by specifying the following parameters:
- -list (optional)
- Lists all invalid signatures that
BESAdmin
finds. - -resignInvalidSignatures (optional)
- Attempts to resign any invalid signatures that
BESAdmin
finds. - -deleteInvalidlySignedContent (optional)
- Deletes contents with invalid signatures.
./BESAdmin.sh -findinvalidsignatures [ -list | -resignInvalidSignatures | -deleteInvalidlySignedContent ]
- getcertificatebundle
- You can export the certificate bundle (PEM) used by the current version of
BES Admin. In the bundle, there are all the certificates of all the
authorized chains in the masthead. So, for example, with SHA384 forced, in
the bundle there is only the SHA384 chain. The generated file, named
bundle.pem, is located in the folder specified by the
bundleCertDir=<path> option.The syntax to run this service is:
./BESAdmin.sh -getcertificatebundle -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -bundleCertDir=<path>
- importlicense
- You can use this service to import an updated license. This service allows
you to update the license manually in isolated BigFix environments.
The./BESAdmin.sh -importlicense -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -licenselocation=<path+license.crt>
license.crt
file contains the updated license to import. - minimumsupportedclient
- This service defines the minimum version of the BigFix Agents that
are used in your BigFix environment.
Note: Based on this setting, the BigFix components can decide when it is safe to assume the existence of newer functions across all the component in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations that are imposed by this setting.The currently allowed values are:
- 0.0, which means that no activity that is issued by
BigFix
Agents earlier than V9.0, such as archive files and reports
uploads, is prevented from running or limited. This behavior
applies also if the
minimumsupportedclient
service is not set. - 9.0, which means that:
- Unsigned reports, such as the reports sent by BigFix Clients earlier than V9.0, are discarded by FillDB.
- The upload of an unsigned archive file that is generated on a BigFix Client earlier than V9.0, by an archive now command, for example, fails.
If you ran a fresh installation of BigFix V9.5.6 or later using a BES Authorization file, by default all the BigFix Clients earlier than V9.0 are prevented from joining your environment because the
minimumsupportedclient
service is automatically set to 9.0.The value that is assigned to this service, if set, remains unchanged:- If you upgraded to V9.5.6 or later.
- If you installed BigFix V9.5.6 or later using an existing masthead.
The current value<VALUE>
assigned in your environment to theminimumsupportedclient
service is displayed in the linex-bes-minimum-supported-client-level: <VALUE>
of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-client-level:" ) of masthead of site "actionsite"
The syntax to run this service is:./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] -minimumsupportedclient=<version>.<release>
If you omit to specify
[sitePvkPassword=<password>]
, you are prompted to enter the password interactively when the BESAdmin.sh runs.For example, if you want to state that Agents earlier than V9.0 are not supported in your BigFix environment, you can run the following command:./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient=9.0
- 0.0, which means that no activity that is issued by
BigFix
Agents earlier than V9.0, such as archive files and reports
uploads, is prevented from running or limited. This behavior
applies also if the
- minimumsupportedrelay
- You can use this service, added with BigFix V9.5.6, to
enforce specific criteria that affect the BigFix Agent
registration requests. If this service is enabled, V9.5.6 Agents can
continue to register to the V9.5.6 BigFix environment if
their registration requests are signed and sent across the Relays hierarchy
using the HTTPS protocol. Note: Based on this service, the BigFix components can decide when it is safe to enable newer functions across all the component in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations that are imposed by this setting.The currently allowed values are:
- 0.0.0, which means that the BigFix
Server accepts and manages:
- Signed and unsigned registration requests coming from BigFix Agents.
- Registration requests delivered from BigFix Agents using the HTTP or the HTTPS protocols.
minimumsupportedrelay
service is not added automatically to your configuration during the upgrade. - 9.5.6 or later, which means that:
- The BigFix Server enforces that registration requests coming from BigFix Agents V9.5.6 or later must be properly signed.
- The BigFix Server and the Relays V9.5.6 or later enforce the use of the HTTPS protocol when BigFix Agent registration data is exchanged.
- BigFix Agents earlier than V9.0 cannot send registration requests to the BigFix Server because they cannot communicate using the HTTPS protocol.
- Because BigFix Relays with versions earlier than V9.5.6 cannot handle correctly signed registration requests, any BigFix Client that uses those Relays might be prevented from continuing to register, or might fall back to a different parent Relay or directly to the Server.
If you ran a fresh installation of BigFix V9.5.6 or later using a License Authorization file, be aware that the side effects that were just listed apply to your BigFix deployment because, in this particular installation scenario, the
minimumsupportedrelay
service is automatically set to 9.5.6 by default.The current valueThis query displays a value only when<VALUE>
assigned in your environment to theminimumsupportedrelay
service is displayed in the linex-bes-minimum-supported-relay-level: <VALUE>
of the masthead file. You can see the current value by running the following query on the BigFix Server from the BigFix Query Application available on the BigFix WebUI:Q: following text of last ": " of line whose (it starts with "x-bes-minimum-supported-relay-level:" ) of masthead of site "actionsite"
<VALUE>
is set to 9.5.6; if it is set to 0.0.0, it does not display a value.The syntax to run this service is:./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] -minimumsupportedrelay=<version>.<release>.<modification>
If you omit to specify
[sitePvkPassword=<password>]
, you are prompted to enter the password interactively when the BESAdmin.sh runs.For example, if you want that only the registration requests that are signed and carried through HTTPS are managed by your BigFix Server, you can run the following command:./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedrelay=9.5.6
- 0.0.0, which means that the BigFix
Server accepts and manages:
- propagateoperatorsites
- This service forces the server to propagate a new version of the operator
sites. This command is useful after a server migration because you can be
sure that data is available for clients to gather and it prevents from
failures. This is the command
syntax:
./BESAdmin.sh -propagateoperatorsites { -propagateAllOperatorSites | -propagateOperatorSite=<MastheadUsername> }
- propertyidmapper
- This service creates, updates, and deletes a table (PropertyIDMap) in the
BFEnterprise database that maps retrieved property names for the SiteID,
AnalysisID, PropertyID used to reference properties in the QUESTIONRESULTS
and LONGQUESTIONRESULTS tables. It creates the PropertyIDMap table if it
does not exist (requires table creation permissions). This service must be
run to update the PropertyIDMap table after creating or deleting a
property.
The general syntax of this service is the following:
./BESAdmin.sh -propertyidmapper { -displaysettings | -run [property_idmapper_options] | -schedule [property_idmapper_options] [scheduling options] }
The syntax of this service changes depending on the action you specify:
./BESAdmin.sh -propertyidmapper -displaysettings
./BESAdmin.sh -propertyidmapper -run [ -createtable ] [ -removetable ] [ -lookupproperty=<propertyname> ]
where:./BESAdmin.sh -propertyidmapper -schedule [ -createtable -starttime=<yyyymmdd:hhmm> [ -interval=<hours> ] | -disable ]
-
displaysettings
shows the settings that are previously set with theschedule
action. -
run
runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using thepreview
action. schedule
schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the-disable
option.
For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
-
- removecomputers
- The service runs database operations for the following sets of data:
- Expired Computers (
-deleteExpiredComputers
) Marks computers as deleted if they did not report in recently. - Deleted Computers (
-purgeDeletedComputers
): Physically deletes the computer related data from the database for computers that are already marked as deleted and have not reported in for a long time. It deletes the data related to an agent (such as the action results or the properties, and so on), not the agent itself that remains logically deleted (IsDeleted = 1) on the database. Therefore, as a consequence, if the same agent becomes active again, it is recognized and will reuse its previous computer ID. - Duplicate Computers
(
-deleteDuplicatedComputers
): Marks older computers as deleted if a computer exists with the same computer name. - Removal of deleted Computers
(
-removeDeletedComputers
): Physically deletes the computer information from the database for computers that are marked as deleted (IsDeleted = 1) since at least the indicated number of days (minimum 7) or the indicated number of hours (minimum 24). It deletes the information of the agent itself ( such as the computer ID, and so on). Therefore, as a consequence, if the same agent becomes active again, a totally new computer ID will be assigned to the agent. - Removal of uploaded Files
(
-removeDeletedUploads
): Physically removes from the database the definition of uploaded files that are marked as deleted. It does not apply to non-native agents. - Removal of uploaded files of removed computers
(
-eraseUploadFilesForRemovedComputers
): Physically removes from the BigFix server filesystem all files uploaded by clients whose definition has been removed from the database. It does not apply to non-native agents. - Removal of Computers by name
(
-removeComputersFile
): Accepts a text file with a list of computer names that are separated by new lines and removes them from the deployment.
Depending on the action that is specified, the syntax changes as follows:./BESAdmin.sh -removecomputers { -displaySettings [display_settings options] | -run [remove_computers_options] | -schedule [remove_computers_options] [scheduling options] | -preview [remove_computers_options] [preview options] }
./BESAdmin.sh -removecomputers -displaySettings [ -name=<TaskName> ]
./BESAdmin.sh -removecomputers -run [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ] [ -purgeDeletedComputers=<days> ] [ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] [ -removeComputersFile=<path> ] [ -batchSize=<batch size> ]
./BESAdmin.sh -removecomputers -schedule [ [ -name=<TaskName> ] [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] [ -purgeDeletedComputers=<days> ] [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ] [ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] [ -batchSize=<batch size> ] [ -removeStartTime=<YYYYMMDD:HHMM> [ -removePeriodicInterval=<Hours> ] ] | [ -disable -name=<TaskName> ] | [ -delete -name=<TaskName> ] | [ -list ] | [ -update [ -name=<TaskName> ] [ -deleteExpiredComputers=<days> ] [ -purgeDeletedComputers=<days> ] [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ] [ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] [ -batchSize=<batch size> ] [ -removeStartTime=<YYYYMMDD:HHMM> [ -removePeriodicInterval=<Hours> ] ] ] ]
where:./BESAdmin.sh -removecomputers -preview [ [ -agentType=<AgentType> ] [ -deleteExpiredComputers=<days> ] [ -removeDeletedComputers=<days> ] [ -removeDeletedUploads ] [ -eraseUploadFilesForRemovedComputers ] [ -purgeDeletedComputers=<days> ][ -deleteDuplicatedComputers [ -duplicatedPropertyName=<PropertyName> ] ] | [ -scheduled ] [ -name=<TaskName> ] ]
-
displaySettings
shows the settings that are previously set with theschedule
action. -
run
runs the tool with the specified settings. Before you use this option, check the settings that affect the database by using thepreview
action. schedule
schedules the tool to run at the specified time at each specified interval. To disable the schedule action, use the-disable
option.preview
shows the number of database rows that are affected by the specified settings. If no setting is passed to the preview option, the preview performs the count by setting all options to true and using the default values for dates. Use the-scheduled
option to preview the scheduled settings.
Note: When using option-removeDeletedComputers
, the number of days must be not less than 7 or the number of hours must be not less than 24.For more information about the cleanup tasks log files, see Logging Cleanup Tasks Activities.
- Expired Computers (
- repair
- You can use this command to handle an inconsistency between the keys that
are stored in the database and the keys stored on the
filesystem.
If the keywords./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
ServerSigningKey
andClientCAKey
do not exist, they are created under/var/opt/BESServer
: This command also updates the licenses of sites. - reportencryption
- You can generate, rotate, enable, and disable encryption for report
messaging by running:
where:./BESAdmin.sh -reportencryption { -status | -generatekey [-privateKeySize=<min|max>] [-deploynow=yes | -deploynow=no -outkeypath=<path>] -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -rotatekey [-privateKeySize=<min|max> ] [-deploynow=yes | -deploynow=no -outkeypath=<path> ] -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -enablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -disable -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] }
- status
- Shows the status of the encryption and which arguments you can use for that status.
- generatekey
- Allows you to generate a new encryption key.
- rotatekey
- Allows you to change the encryption key.
- enablekey
- Allows you to enable the encryption key.
- disable
- Allows you to put the encryption key in PENDING state. If you
run again the
reportencryption
command with thedisable
argument, the encryption changes from PENDING state to DISABLED. - deploynow=yes
- Deploys the report encryption key to the server for decryption.
- deploynow=no -outkeypath=<path>
- The encryption key is not deployed to the server but it is saved
in the
outkeypath
path.
- resetdatabaseepoch
- To clear all console cache information in BigFix Enterprise
Service V7.0 or later versions. After running this
command:
subsequent console logins reload their cache files../BESAdmin.sh -resetdatabaseepoch
- resignsecuritydata
-
If you get one of the following errors:
when you try to log in to the BigFix console, you must resign all the user content in the database by entering the following command:class SignedDataVerificationFailure HTTP Error 18: An unknown error occurred while transferring data from the server
This command resigns security data that uses the existing key file. You can also specify the following parameter:./BESAdmin.sh -resignSecurityData
The complete syntax to run this service is:-mastheadLocation=<path+actionsite.afxm>
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
- revokeexplorercredentials
- Use this service to revoke the BigFix Explorer certificate associated to the
given hostname. Use the following syntax to run the
command:
If an authentication certificate is issued for the specified./BESAdmin.sh -revokeexplorercredentials -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -explorerHostname=<BigFixExplorerHostnameOrIP>
hostname
, this certificate is revoked and the BigFix Explorer instance running on thatexplorerHostname
can no longer connect to the root server.After revoking the credentials for a BigFix Explorer host, it will no longer connect to the root server. You can either remove the BES Explorer installation, or generate new credentials for that host, and replace the old certificate files on that host.
- revokewebuicredentials
- You can revoke the authentication certificate of a specified WebUI
instance.The syntax to run this service is:
If an authentication certificate is issued for the specified./BESAdmin.sh -revokewebuicredentials -hostname=<host> -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<pvk_password>
hostname
, this certificate is revoked and the WebUI instance running on thathostname
can no longer connect to the root server.After revoking the credentials for a WebUI host, it will no longer connect to the root server. You can either remove the WebUI installation, or generate new credentials for that host, and replace the old certificate files on that host.
- rotateexplorercredentials
- Use this service to rotate one BigFix Explorer certificate associated to the
given hostname, or the whole BigFix Explorer CA. Use the following syntax to
run the command:
You can either rotate one BigFix Explorer certificate, by hostname, if the certificate associated to that given hostname was compromised. The files of the new certificate will be copied in the <explorerCertDir> path../BESAdmin.sh -rotateexplorercredentials -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -explorerCertDir=<path> -explorerHostname=<BigFixExplorerHostnameOrIP> | -rotateCA
Or you can rotate the BigFix Explorer Certificate Authority and all BigFix Explorer certificates. The files of the new certificates will be copied in a new dedicated folder, in the <explorerCertDir> path, for each BigFix Explorer instance that had a not yet revoked certificate before the command was run. The command
will:./BESAdmin.sh -rotateexplorercredentials -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -explorerCertDir=<path> -rotateCA
- Stop the Root Server
- Revoke each BigFix Explorer certificate created until that moment.
- Delete the ExplorerCACertificate and ExplorerCAKey files on the Root Server and in the Admin Fields database table.
- Start the Root Server that will recreate the files and entries of the previous point.
- Recreate all the certificates for the previous BigFix Explorer instances.
- rotateserversigningkey
-
You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content that uses the new key, and revokes the old key.
The syntax to run this service is:
./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- securitysettings
- You can configure security options to follow the NIST security standards by
running the command:
where:./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] { -status | -requireSHA384Signatures [-requireSHA256Downloads] | -allowSHA256Signatures | -requireSHA256Downloads | -allowSHA1Downloads} [ -testTLSCipherList | -setTLSCipherList | -listTLSCiphers | -removeTLSCipherList ] [ -hideFromFieldFromMasthead | -showFromFieldFromMasthead ] [ -enableLocalOperators | -disableLocalOperators] [ -requireTLS13 | -allowTLS12 ]
- status
- Shows the status of the security settings set in your BigFix
environment.
Example:
./BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=mypassw0rd -status Enhanced security is currently ENABLED SHA-256 downloads are currently OPTIONAL
- requireSHA384Signatures | allowSHA256Signatures
- Enables or disables the security option that adopts the SHA-384
cryptographic digest algorithm for all digital signatures.Warning: If you use the requireSHA384Signatures setting you break the compatibility with BigFix version 10.0 or earlier version components.
For more information about the BigFix SHA-384 enforcement and the supported security configuration, see Security Configuration Scenarios.
- requireSHA256Downloads
- Ensures that the file download integrity check is run using the SHA-256 algorithm.
- allowSHA1Downloads
- Ensures that the file download integrity check is run using the SHA-1 algorithm.
- testTLSCipherList | setTLSCipherList | listTLSCiphers | removeTLSCipherList
-
To test if a TLS cipher list is compatible with the BigFix components, run the following command:
/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -testTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>
After identifying a suitable TLS cipher list, you can set it by running the following command:
/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -setTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>
To list all the TLS ciphers that are currently enabled, run the following command:
/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -listTLSCiphers
To remove a TLS cipher list from the deployment masthead and return to the default cipher list, run the following command:
/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -removeTLSCipherList
- hideFromFieldFromMasthead | showFromFieldFromMasthead
- You can specify if you want to show or hide the value displayed
by the From field in the masthead which contains the email
address of the license assignee. During a fresh installation the
value is hidden and the option "hideFromFieldFromMasthead" is
set to 1. During an upgrade the value remains unchanged.For example, if you want to hide the value, run the command as follows:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -hideFromFieldFromMasthead
- enableLocalOperators | disableLocalOperators
- You can specify if you want to enable or disable the login to
the BigFix environment (BigFix Console, Web Reports, Rest API
and Web UI) of the local operators. The enabled/disabled choice
will be stored in the BFEnterprise database. After disabling the
login of the local operators, access will be granted only to
LDAP users.For example, if you want to disable the login of the local operators, run the command as follows:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -disableLocalOperators
Note: The local operators are enabled by default.Note: When trying to disable the local operators, if the "REST API credentials for BES Server Plugin Service" are set and if the configured user is a local operator, an error message is displayed and the option is not set.Note: When trying to disable the local operators, if the "SOAP API credentials for BES Server Plugin Service" are set, a non-blocking warning message is displayed and the option is set.
- requireTLS13
- Requires the use of TLS 1.3 for HTTPS communications among
BigFix components.Warning: If you use the requireTLS13 setting you break the compatibility with BigFix version 10.0 or earlier version components.Note: If you use this setting the Console SAML authentication works only on a Windows version that supports the TLS 1.3. For more details, see Assumptions and requirements.
- allowTLS12
- Allows the use of TLS 1.2 for HTTPS communications among BigFix components.
- setadvancedoptions
- You can list or configure any global settings that apply to your particular
installation. The complete syntax to run this service
is:
For example:./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] { -list | -display | [ -f ] -delete option_name | [ -f ] -update option_name=option_value }
- To customize the Console or Web Report login banner, enter following
command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
- If your BigFix Server
is V9.5.7 or later, to avoid having duplicate computer entries when
the endpoints are detected as possible clones by the Server, run the
following command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update clientIdentityMatch=100
For a list of available options that you can set, see List of advanced options.
- To customize the Console or Web Report login banner, enter following
command:
- setproxy
- If your enterprise uses a proxy to access the Internet, you must set a proxy
connection to enable the BigFix server to
gather content from sites and to do component-to-component communication or
to download files.
For more information about how to run the command and about the values to use for each argument, see Setting a proxy connection on the server.
- syncmastheadandlicense
- When you upgrade the product, you must use this option to synchronize the
update license with the masthead and resign all content in the database with
SHA-256. The syntax to run this service
is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
- testproxyconnection
- You can test the proxy connection. The syntax to run this service
is:
BESAdmin.sh -testproxyconnection -proxyHost=<host> [ -proxyPort=<port> ] [ -proxyUser=<user> -proxyPassword=<pass> ] [ -proxyExcList=<list> ] [ -proxyAuthMeth=<method> ] [ -proxySecTunnel=<true|false> ] [ -fips ]
- updatepassword
You can modify the password that is used for authentication by product components in specific configurations.
The syntax to run this service is:
where:./BESAdmin.sh -updatepassword -type=<server_db|dsa_db> [-password=<password>] -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<pvk_password>]
- -type=server_db
- Specify this value to update the password that is used by the
server to authenticate with the database.
If you modify this value, the command restarts all the BigFix server services.
- -type=dsa_db
- Specify this value to update the password that is used in a DSA configuration by a server to authenticate with the database.
-password
and-sitePvkPassword
are optional, if they are not specified in the command syntax their value is requested interactively at run time. The password set by this command is obfuscated.