Step 2 - Requesting a license certificate and creating the masthead

Before you perform the steps below, you must have purchased a license and obtained a BigFix license authorization file (*.BESLicenseAuthorization), either through your License Key Center account or, in the case of a Proof-of-Concept evaluation, from your IBM Technical Sales Representative.

When you have your license authorization file, you are ready to request a license certificate and then create a personalized site masthead that, in turn, allows you to install and use BigFix. The masthead includes URLs for the Server CGI programs and other site information in a signed MIME file. The masthead is central to accessing and authenticating your action site. To create the masthead and activate your site, follow these steps:

  1. Run the BigFix installer BigFix-BES-9.2.6.xxxx.exe (where 9.2.6.xxxx is the version of the installer). When prompted, choose Production installation and accept the Software License Agreement. On the welcome screen, click Next.
    Note: If you choose the Evaluation installation, consider that this type of installation does not support the enhanced security option. For more information about this feature, see Security Configuration Scenarios.
  2. After reading and accepting the License Agreement, select I want to install with an IBM Endpoint Manager license authorization file, to create your Private Key and Masthead.
    Select the first option: I want to install with a BigFix license authorization file
  3. Enter the location of your license authorization file, which has a name like CompanyName.BESLicenseAuthorization
  4. Specify a DNS name or IP address for your BigFix server and click Next. The name that you enter in this field is recorded in the license and used by clients to identify the BigFix server.
    Note: Enter a DNS name, such as bes.companyname.com, because of its flexibility when changing server computers and doing advanced network configurations. This name is recorded into your license certificate and is used by clients to identify the BigFix server. After your license certificate is created, the DNS name cannot be changed. To change the DNS name, you must request a new license certificate, which requires a completely new installation.
  5. Type a site credential password to allow you to create a site admin key for your deployment. Type your password twice (for verification), and specify a key size (from 2K to 4K bits) for encrypting the private key file. Click Create.
    In this way you generate a private/public key pair used to create and authorize all the BigFix users.
  6. Save your private key (license.pvk) file from the Browse for Folder dialog in a folder with secure permissions or on a removable drive, such as a PGPDisk or a USB drive. Click OK.
    Important: If you lose the private key file, a new license certificate needs to be created, which requires a completely new installation. In addition, anyone with the private key file and password has full control over all computers with the BigFix clients installed, so ensure that you keep the private key file and password secured.
  7. You are requested to send the request file to IBM for license verification. If you have internet connectivity, choose the option to submit your request over the internet. In this case, a request file is sent to IBM for license verification. This request consists of your original authorization file, your server DNS name and your public key, all packaged into a single file.
  8. If you select to submit the request over the Internet and your enterprise uses a proxy to access the Internet, click Set Proxy. The Proxy Settings panel opens. In this panel you can configure the proxy connection.
  9. Specify:
    • The hostname or IP Address and, optionally, the port number to communicate with the proxy machine.
    • The credentials of the user defined on the proxy machine that must be used when establishing the connection.
    • The comma-separated list of hostnames, subdomains, and IP addresses that identify systems in the BigFix topology that must not be reached through the proxy. By default, BigFix V9.2 prevents diverting internal communications towards the proxy. If you set a value in this field, you overwrite the default behavior. To ensure that internal communications are not directed to the proxy, add localhost, 127.0.0.1, yourdomain.com, IP_Address to the list of exceptions specified in this field.
    • Whether or not the proxy is enforced to attempt tunneling. By default the proxy does not attempt tunneling.
    • The authentication method to use when establishing the communication. You can either let the proxy choose the authentication method or require specific authentication methods.
      Note: If you want to enable FIPS mode, select an authentication method other than digest.
    You can click Test Connection to verify if the connection with the proxy that you configured can be successfully established. For more information about the values and the syntax to use in these input fields, see Setting a proxy connection on the server.

    Click OK to save the settings and return to the Request License panel.

  10. Click Request. The Wizard retrieves your license certificate (license.crt) from the BigFix License server.

    Alternatively, if you are on an airgap without internet connectivity, choose the option to save the request as a file named request.BESLicenseRequest. Copy the file to a machine with internet connectivity and submit your request to the URL of the BigFix website shown in the installer. The page provides you with a license.crt file. Copy the file back to the installation computer and import it into the installer.

  11. From the Request License dialog, click Create to create the masthead file.
  12. Enter the parameters of the masthead file that contains configuration and license information together with a public key that is used to verify digital signatures. This file is saved in your credential folder.
    You can set the following options:
    Server Port Number:
    In general, you do not need to change this number. 52311 is the recommended port number, but you can choose a different port if that is more convenient for your particular network. Typically, you choose a port from the IANA range of private ports (49152 through 65535). You can use a reserved port number (ports 1-1024), but this might reduce the ability to monitor or restrict traffic correctly and it prevents you from using port numbers for specific applications. If you do decide to change this number after deploying the clients, BigFix will not work correctly. For additional information, see Modifying port numbers.
    Note: Do not use port number 52314 for the network communication between the BigFix components because it is reserved for proxy agents.
    Gathering Interval:
    This option determines how long the clients wait without hearing from the server before they check whether new content is available. In general, whenever the server gathers new content, it attempts to notify the clients that the new content is available through a UDP connection, circumventing this delay. However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the client from the server's perspective, a smaller interval becomes necessary to get a timely response from the clients. Higher gathering rates only slightly affect the performance of the server, because only the differences are gathered; a client does not gather information that it already has.
    Initial Action Lock:
    You can specify the initial lock state of all clients, if you want to lock a client automatically after installation. Locked clients report which Fixlet messages are relevant for them, but do not apply any actions. The default is to leave them unlocked and to lock specific clients later on. However, you might want to start with the clients locked and then unlock them on an individual basis to give you more control over newly-installed clients. Alternatively, you can set clients to be locked for a certain period of time (in minutes).
    Exempt the following site URL from action locking:
    In rare cases, you might need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL.
    Note: You can specify only one site URL and it must begin with http://.
    Require use of FIPS 140-2 compliant cryptography
    Check this box to be compliant with the Federal Information Processing Standard in your network. This changes the masthead so that every BigFix component attempts to go into FIPS mode. By default, the client continues in non-FIPS mode if it fails to correctly enter FIPS, which might be a problem with certain legacy operating systems. Be aware that checking this box can add a few seconds to the client startup time.

    For more information see FIPS 140-2 cryptography in the BigFix environment.

    Note: Enabling FIPS mode might prevent the use of some authentication methods when connecting to a proxy. If you selected to use a proxy to access the Internet or to communicate with BigFix subcomponents, ensure that the proxy configuration is set up to use an authentication method other than digest.
    Allow use of Unicode filenames in archives:
    This setting specifies the codepage used to write filenames in the BigFix archives. Check this box to write filenames using the UTF-8 codepage.
    Do not check this box to write filenames using the local deployment codepage, for example Windows-1252 or Shift JIS. If you run a fresh install of BigFix V9.2, by default, the filenames are written in UTF-8.
    Note: If you upgraded your BigFix environment to V9.2, by default, the filenames are written in the local deployment codepage.
    Click OK when you are finished.
  13. Choose the folder in which to install the BigFix component installers. The BigFix Installation Guide wizard is launched to lead you through the installation of the BigFix components.
    Note: This step creates the installers for the BigFix client, BigFix console, and BigFix server, but does not install the components.
Note: The private key (license.pvk) authorizes the creation and rotation of server signing keys, which are trusted by all agents. This key is not sent to IBM during the license certificate creation process, and must be carefully protected. To reinstall the server on your workstation, you must reuse the stored BigFix credentials. If you did not save them, when you reinstall the server you must regenerate them.
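The following PowerShell script is an added example, not part of the original BigFix documentation. It shows one way to give the folder from step 6 "secure permissions": it removes inherited access from the folder that holds license.pvk, grants access only to the current operator, local Administrators and SYSTEM, and then checks the key file for any other identity. The folder path C:\BigFixCredentials is an assumption; substitute the folder you selected in the Browse for Folder dialog.

```powershell
# Added example: restrict access to the folder that holds license.pvk.
# $CredentialDir is an assumed path; use the folder you chose in step 6.
param(
    [string]$CredentialDir = 'C:\BigFixCredentials'   # hypothetical location
)

$keyFile = Join-Path $CredentialDir 'license.pvk'
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "license.pvk not found in $CredentialDir"
}

# Identities that keep access: the operator running this script,
# local Administrators and SYSTEM (well-known SIDs, locale independent).
$sidType = [System.Security.Principal.SecurityIdentifier]
$allowed = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    New-Object $sidType.FullName 'S-1-5-32-544'   # BUILTIN\Administrators
    New-Object $sidType.FullName 'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

# Rebuild the folder ACL: stop inheriting from the parent, drop what was there,
# and add one inheritable FullControl entry per allowed identity.
$acl = Get-Acl -LiteralPath $CredentialDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($sid in $allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $CredentialDir -AclObject $acl

# Verify the key file itself: report any entry for an identity outside the list.
# Explicit entries set directly on the file would show up here.
$allowedValues = $allowed | ForEach-Object { $_.Value }
$unexpected = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
    $allowedValues -notcontains $_.IdentityReference.Translate($sidType).Value
}

if ($unexpected) {
    Write-Warning "license.pvk is still accessible to identities outside the allowed list:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "license.pvk is accessible only to the allowed identities."
}
```

Run the script from an elevated session as the operator who will hold the site credentials. It does not protect copies of license.pvk stored elsewhere, and the file's password remains a separate control.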