IBM Endpoint Manager, Version 9.1

Running the Endpoint Manager Administration Tool

The installation script install.sh automatically downloads the IBM Endpoint Manager Administration Tool bash shell script, BESAdmin.sh, into the /opt/BESServer/bin directory. With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the users' content in the database, rotate the server private key, configure the Console and Web Reports login, resign the database content, and synchronize the masthead with the updated license.

Run this script as super user from the command prompt using the following syntax:
./BESAdmin.sh -service { arguments }
where service can be one of the following:
changeprivatekeypassword
editmasthead
findinvalidsignatures
minimumSupportedClient
repair
reportencryption
resignsecuritydata
rotateserversigningkey
securitysettings
setadvancedoptions
syncmastheadandlicense
Note: The notation <path+license.pvk> used in the command syntax displayed across this topic stands for path_to_license_file/license.pvk.
Each service has the following arguments:
changeprivatekeypassword
This service prompts you for a new password to associate with the license.pvk file. Use the following syntax to run the command:
./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
editmasthead
You can edit the masthead file by specifying the following parameters:
advGatherSchedule (optional, integer)
 values: 0=Fifteen Minutes, 1=Half Hour, 2=Hour, 3=Eight Hours, 4=Half Day, 5=Day, 6=Two Days, 7=Week, 8=Two Weeks, 9=Month, 10=Two Months
advController (optional, integer)
 values: 0=console, 1=client, 2=nobody
advInitialLockState (optional, integer)
 values: 0=Locked, 1=Timed (specify duration), 2=Unlocked
advInitialLockDuration (optional, integer)
 values: duration in seconds
advActionLockExemptionURL (optional, string)
advRequireFIPScompliantCrypto (optional, boolean)
The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ][ -display ] 
[ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ]
[ -advInitialLockState=<0|2> | -advInitialLockState=1 
-advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ]
[ -advRequireFIPScompliantCrypto=<true|false> ]
For additional information, see Editing the Masthead on Linux systems.
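The following is an added example, not part of the IBM documentation: a small shell helper that validates the editmasthead values listed above and prints the resulting BESAdmin.sh command line, so that a wrong value, or a timed lock state without a duration, is rejected before the masthead is rewritten. It never runs BESAdmin.sh itself, and the license path it uses is a placeholder.

```shell
# Added example (not from the IBM documentation): validates the
# editmasthead values listed above and prints the BESAdmin.sh command
# line, so a wrong value is rejected before the masthead is rewritten.
# It never runs BESAdmin.sh itself; the paths used are placeholders.

# is_uint VALUE -> 0 when VALUE is a non-negative integer
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# in_range VALUE MIN MAX -> 0 when VALUE is an integer in [MIN, MAX]
in_range() {
    is_uint "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# build_editmasthead PVK GATHER CONTROLLER LOCKSTATE [LOCKDURATION]
# Prints the command to run; returns 1 on an invalid combination.
build_editmasthead() {
    pvk=$1; gather=$2; controller=$3; lockstate=$4; duration=$5
    in_range "$gather" 0 10 ||
        { echo "advGatherSchedule must be 0-10, got '$gather'" >&2; return 1; }
    in_range "$controller" 0 2 ||
        { echo "advController must be 0-2, got '$controller'" >&2; return 1; }
    in_range "$lockstate" 0 2 ||
        { echo "advInitialLockState must be 0-2, got '$lockstate'" >&2; return 1; }
    cmd="./BESAdmin.sh -editmasthead -sitePvkLocation=$pvk"
    cmd="$cmd -advGatherSchedule=$gather -advController=$controller"
    if [ "$lockstate" -eq 1 ]; then
        # a timed initial lock (state 1) is only meaningful together with
        # a duration in seconds, which the syntax above pairs with it
        if ! is_uint "$duration" || [ "$duration" -eq 0 ]; then
            echo "advInitialLockState=1 requires advInitialLockDuration in seconds" >&2
            return 1
        fi
        cmd="$cmd -advInitialLockState=1 -advInitialLockDuration=$duration"
    else
        cmd="$cmd -advInitialLockState=$lockstate"
    fi
    printf '%s\n' "$cmd"
}

# Usage with placeholder values: new clients start locked for one hour.
build_editmasthead /license/license.pvk 2 0 1 3600
```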
findinvalidsignatures
You can check the signatures of the objects in the database by specifying the following parameters:
-resignInvalidSignatures (optional)
Attempts to resign any invalid signatures that BESAdmin finds.
-deleteInvalidlySignedContent (optional)
Deletes contents with invalid signatures.
For additional information about invalid signatures, see http://www-01.ibm.com/support/docview.wss?uid=swg21587965. The syntax to run this service is:
./BESAdmin.sh -findinvalidsignatures 
[ -resignInvalidSignatures | -deleteInvalidlySignedContent ]
minimumSupportedClient
This service defines the minimum version of the Endpoint Manager Agents used in your Endpoint Manager environment.
Note: Based on this setting, the Endpoint Manager components can decide when it is safe to assume that newer functions exist across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations imposed by this setting.
The currently available values are:
  • 8.2, which means that no activity issued by V8.2 Endpoint Manager Agents, such as registration to the server, archive file uploads and report uploads, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
  • 9.0, which means that:
    • Initial or regular registrations of V8.2 Endpoint Manager Clients to a Relay or to the Server succeed.
    • Reports sent by V8.2 Endpoint Manager Clients are discarded by FillDB.
    • The upload of an archive file generated on a V8.2 Endpoint Manager Client, by an archive now command for example, fails.
If you ran a fresh installation of Endpoint Manager V9.1.11, the minimumSupportedClient is not set, so all the agents, regardless of their version, can join your Endpoint Manager environment.
The syntax to run this service is:
 ./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]
    -minimumSupportedClient:<version>.<release>

If you omit -sitePvkPassword=<password>, you are prompted to enter the password when BESAdmin.sh runs.

For example, if you want to state that agents V8.2 are not supported in your Endpoint Manager environment, you can run the following command:
 ./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient:9.0
repair
You can use the repair utility to handle an inconsistency between the keys stored in the database and those stored on the file system. When the following command is run, the keys on the file system are recreated from the keys stored in the database:
./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
reportencryption
You can generate, rotate, enable and disable encryption for report messaging by running:
BESAdmin.sh -reportencryption { -status |
  -generatekey [-privateKeySize=<min|max>] 
               [-deploynow=yes | -deploynow=no -outkeypath=<path>] 
               -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -rotatekey [-privateKeySize=<min|max> ] 
             [-deploynow=yes | -deploynow=no -outkeypath=<path> ] 
             -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -enablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] |
  -disablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] }
where:
status
Shows the status of the encryption and which arguments you can use for that status.
generatekey
Allows you to generate a new encryption key.
rotatekey
Allows you to change the encryption key.
enablekey
Allows you to enable the encryption key.
disablekey
Allows you to put the encryption key in PENDING state. If you issue the reportencryption command with the disablekey argument again, the encryption changes from PENDING state to DISABLED.
For more information about this command and its behavior, see Managing Client Encryption.
resignsecuritydata
You can resign all of the users' content in the database to enable user login to the Console. The command resigns security data using the existing key file. You can specify the following parameter:
-mastheadLocation=<path+actionsite.afxm>
The complete syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
rotateserversigningkey

You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key.

The syntax to run this service is:

./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk>
[ -sitePvkPassword=<password> ]
securitysettings
You can configure enhanced security options to follow the NIST security standards by running the command:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> 
[ -sitePvkPassword=<password> ]
{ -status | -enableEnhancedSecurity [-requireSHA256Downloads] 
| -disableEnhancedSecurity | -requireSHA256Downloads 
| -allowSHA1Downloads }
where:
status
Shows the status of the security settings set in your IBM Endpoint Manager environment.
Example:
BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk
-sitePvkPassword=mypassw0rd -status

Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL
enableEnhancedSecurity | disableEnhancedSecurity
Enables or disables the enhanced security that adopts the SHA-256 cryptographic digest algorithm for all digital signatures as well as content verification and the TLS 1.2 protocol for communications among the Endpoint Manager components.
Warning: If you use the enableEnhancedSecurity setting, you break backward compatibility, because IBM Endpoint Manager version 9.0 or earlier components cannot communicate with the IBM Endpoint Manager version 9.1 server or relays.
requireSHA256Downloads
Verifies, using the SHA-256 algorithm, that downloaded data has not changed after you download it.
Note: The Require SHA-256 Downloads option is available only if you selected to Enable Enhanced Security.
allowSHA1Downloads
Ensures that the file download integrity check is run using the SHA-1 algorithm.
For more information about the IBM Endpoint Manager Enhanced Security feature and the supported security configuration, see Security Configuration Scenarios.
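The following is an added example, not part of the IBM documentation: a shell function that parses the two lines printed by the -securitysettings -status command, in the format shown above, and reports which hardening step is still missing. It assumes that a deployment requiring SHA-256 downloads prints a word other than OPTIONAL on the second line; the sample status text is constructed.

```shell
# Added example (not from the IBM documentation): parses the two status
# lines that "BESAdmin.sh -securitysettings ... -status" prints, in the
# format shown above, and reports which hardening step is still missing.
# Assumption: a deployment that requires SHA-256 downloads prints a word
# other than OPTIONAL on the second line; the sample text is constructed.

# check_security_status  (reads the status text from stdin)
# Prints one line per finding; returns 0 only when enhanced security is
# ENABLED and SHA-256 downloads are no longer OPTIONAL.
check_security_status() {
    status=$(cat)
    enhanced=$(printf '%s\n' "$status" |
        sed -n 's/^Enhanced security is currently \([A-Z0-9]*\).*/\1/p')
    sha256=$(printf '%s\n' "$status" |
        sed -n 's/^SHA-256 downloads are currently \([A-Z0-9]*\).*/\1/p')
    rc=0
    if [ "$enhanced" != "ENABLED" ]; then
        echo "FINDING: enhanced security is '${enhanced:-unknown}';" \
             "signatures and content verification are not forced to SHA-256" \
             "and TLS 1.2: run -securitysettings -enableEnhancedSecurity"
        rc=1
    fi
    if [ -z "$sha256" ] || [ "$sha256" = "OPTIONAL" ]; then
        echo "FINDING: SHA-256 downloads are '${sha256:-unknown}', so SHA-1" \
             "download integrity checks are still accepted:" \
             "run -securitysettings -requireSHA256Downloads" \
             "(available only once enhanced security is enabled)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: enhanced security enabled and SHA-256 downloads required"
    fi
    return "$rc"
}

# Constructed sample, matching the status output shown above: enhanced
# security is on, but SHA-1 download checks are still tolerated.
SAMPLE_STATUS='Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL'

if ! printf '%s\n' "$SAMPLE_STATUS" | check_security_status; then
    echo "the findings above need attention"
fi
```

In practice, pipe the real command output into check_security_status instead of the constructed sample.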
setadvancedoptions
You can list or configure any global settings that apply to your particular installation. For example, you can set the login banner displayed by the Console or Web Reports by entering the following command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk 
-sitePvkPassword=pippo000 -update loginWarningBanner='new message'
The complete syntax to run this service is:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]  
{ -list | -display 
| [ -f ] -delete option_name 
| [ -f ] -update option_name=option_value }
These are some of the advanced options that you can specify:
Table 1. Advanced Settings Names
Name: loginWarningBanner
Value: If set with text, any user who logs into the Console or Web Reports is shown the text after logging in. The user must click OK to continue.
Name: timeoutLockMinutes
Value: The amount of idle time, in minutes, before the console requires the user to authenticate again. This differs from loginTimeoutSeconds in that the timeout lock hides the entire console, so that no other user can see or use it. Idle time means the absence of any input to the session, including key presses, mouse clicks, and mouse movements.
Note: The non-efficient MIME advanced option is no longer supported by the 9.1 server. Existing actions continue to run on clients, but the server can no longer generate non-efficient MIME actions.
syncmastheadandlicense
When you upgrade the product, you must use this option to synchronize the updated license with the masthead and resign all content in the database with SHA-256. The syntax to run this service is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> 
[-sitePvkPassword=<password>]