IBM Endpoint Manager, Version 9.0

Step 2 - Requesting a license certificate and creating the masthead

Before you perform the steps below, you must have purchased a license and obtained an IBM Endpoint Manager license authorization file (*.BESLicenseAuthorization) using your License Key Center account or, in the case of a Proof-of-Concept evaluation, that was provided to you by your IBM Technical Sales Representative.

When you have your license authorization file, you are ready to request a license certificate and then create a personalized site masthead that, in turn, allows you to install and use IBM Endpoint Manager. The masthead includes URLs for the Server CGI programs and other site information in a signed MIME file. The masthead is central to accessing and authenticating your action site. To create the masthead and activate your site, follow these steps:

  1. Run the IBM Endpoint Manager installer BigFix-BES-n.n.nnnn.n.exe, where n.n.nnnn.n is the version of the installer. When prompted, choose Production installation and accept the Software License Agreement. On the welcome screen, click Next.
  2. After reading and accepting the License Agreement, select I want to install with an IBM Endpoint Manager license authorization file, to create your Private Key and Masthead.
  3. Enter the location of your license authorization file, which has a name like CompanyName.BESLicenseAuthorization.
  4. Specify a DNS name or IP address for your Endpoint Manager server and click Next.
    Note: Enter a DNS name, such as bes.companyname.com, because of its flexibility when changing server computers and doing advanced network configurations. This name is recorded into your license certificate and is used by clients to identify the Endpoint Manager server. After your license certificate is created, the DNS name cannot be changed. To change the DNS name, you must request a new license certificate, which requires a completely new installation.
  5. Type a site credential password to allow you to create a site admin key for your deployment. Type your password twice (for verification), and specify a key size (from 2K to 4K bits) for encrypting the private key file. Click Create.
    In this way you generate a private/public key pair used to create and authorize all Endpoint Manager users.
  6. Save your private key (license.pvk) file from the Browse for Folder dialog in a folder with secure permissions or on a removable drive, such as a PGPDisk or a USB drive. Click OK.
    Important: If you lose the private key file, a new license certificate needs to be created, which requires a completely new installation. In addition, anyone with the private key file and password has full control over all computers with IBM Endpoint Manager clients installed, so ensure that you keep the private key file and password secured.
  7. If you have internet connectivity, choose the option to submit your request over the internet to IBM.
    You are prompted for a location to save the resulting license certificate file (license.crt), and a request file is sent to IBM Endpoint Manager for license verification. Typically, you select the first choice, submit request, to post the request via the internet. This request consists of your original authorization file, your server DNS name and your public key, all packaged into a single file.
  8. Click Request. The Wizard retrieves your license certificate (license.crt) from the IBM Endpoint Manager License server.

    Alternatively, if you are on an air-gapped computer without internet connectivity, choose the option to save the request as a file named request.BESLicenseRequest. Copy the file to a machine with internet connectivity and submit your request to the URL of the Endpoint Manager website shown in the installer. The page provides you with a license.crt file. Copy the file back to the installation computer and import it into the installer.

  9. From the Request License dialog, click Create to create the masthead file.
  10. Enter the parameters of the masthead file that contains configuration and license information together with a public key that is used to verify digital signatures. This file is saved in your credential folder.
    You can set the following options:
    Server Port Number:
    In general, you do not need to change this number. 52311 is the recommended port number, but you can choose a different port if that is more convenient for your particular network. Typically, you choose a port from the IANA range of private ports (49152 through 65535). You can use a reserved port number (ports 1-1024), but this might reduce the ability to monitor or restrict traffic correctly and it prevents you from using port numbers for specific applications. If you do decide to change this number after deploying the clients, IBM Endpoint Manager will not work correctly. For additional information, see Modifying port numbers.
    Note: Do not use port number 52314 for the network communication between the Endpoint Manager components because it is reserved for proxy agents.
    Cryptography:
    Check this box to implement the Federal Information Processing Standard 140-2 in your network. This changes the masthead so that every IBM Endpoint Manager component attempts to go into FIPS mode. By default, the client continues in non-FIPS mode if it fails to correctly enter FIPS, which might be a problem with certain legacy operating systems. Be aware that checking this box can add a few seconds to the client startup time.
    Gathering Interval:
    This option determines how long the clients wait without hearing from the server before they check whether new content is available. In general, whenever the server gathers new content, it attempts to notify the clients that the new content is available through a UDP connection, circumventing this delay. However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the client from the server's perspective, a smaller interval becomes necessary to get a timely response from the clients. Higher gathering rates only slightly affect the performance of the server, because only the differences are gathered; a client does not gather information that it already has.
    Initial Action Lock:
    You can specify the initial lock state of all clients, if you want to lock a client automatically after installation. Locked clients report which Fixlet messages are relevant for them, but do not apply any actions. The default is to leave them unlocked and to lock specific clients later on. However, you might want to start with the clients locked and then unlock them on an individual basis to give you more control over newly-installed clients. Alternatively, you can set clients to be locked for a certain period of time (in minutes).
    Action Lock Controller:
    This parameter determines who can change the action lock state. The default is Console, which allows any Console operator with management rights to change the lock state of any client in the network. If you want to delegate control over locking to the end user, you can select Client, but this is not recommended.
    Exempt the following site URL from action locking:
    In rare cases, you might need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL.
    Note: You can specify only one site URL and it must begin with http://.
    Click OK when you are finished.
  11. Choose the folder in which to install the IBM Endpoint Manager component installers. The IBM Endpoint Manager Installation Guide wizard is launched to lead you through the installation of the IBM Endpoint Manager components.
    Note: This step creates the installers for the IBM Endpoint Manager client, IBM Endpoint Manager console, and IBM Endpoint Manager server, but does not install the components.
Note: The private key (license.pvk) authorizes the creation and rotation of server signing keys, which are trusted by all agents. This key is not sent to IBM during the license certificate creation process, and must be carefully protected. To reinstall the server on your workstation, you must reuse the stored IBM Endpoint Manager credentials. If you did not save them, when you reinstall the server you must regenerate them.
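The following pre-flight check is an added example, not part of the IBM Endpoint Manager installer: it encodes the constraints the steps above place on the step 4 server name and the step 10 masthead options (port, FIPS, action lock, exempt URL), so a planned configuration can be reviewed before the masthead is created. The MastheadChoices structure and its field names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constants taken from the masthead option descriptions above.
RECOMMENDED_PORT = 52311
PROXY_AGENT_PORT = 52314              # reserved for proxy agents, never usable
IANA_PRIVATE_PORTS = range(49152, 65536)
RESERVED_PORTS = range(1, 1025)       # allowed, but discouraged by the guide


@dataclass
class MastheadChoices:                # hypothetical structure for this example
    server_name: str
    port: int = RECOMMENDED_PORT
    fips_mode: bool = False
    initial_lock: str = "unlocked"    # "unlocked", "locked" or "locked_for_minutes"
    lock_minutes: int = 0
    lock_controller: str = "Console"  # "Console" or "Client"
    exempt_url: Optional[str] = None


def check_masthead(c: MastheadChoices) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); errors should block masthead creation."""
    errors, warnings = [], []
    try:                              # step 4: the name is frozen into license.crt
        ipaddress.ip_address(c.server_name)
        warnings.append("server name is an IP address; a DNS name is recommended "
                        "because it cannot be changed without a new certificate")
    except ValueError:
        pass                          # not an IP literal, so treat it as a DNS name
    if c.port == PROXY_AGENT_PORT:
        errors.append("port 52314 is reserved for proxy agents")
    elif c.port not in range(1, 65536):
        errors.append("port must be between 1 and 65535")
    elif c.port in RESERVED_PORTS:
        warnings.append("reserved port (1-1024) may hinder traffic monitoring")
    elif c.port not in IANA_PRIVATE_PORTS:
        warnings.append("port outside the IANA private range 49152-65535")
    if c.lock_controller not in ("Console", "Client"):
        errors.append("lock controller must be Console or Client")
    elif c.lock_controller == "Client":
        warnings.append("delegating action lock control to end users is not recommended")
    if c.initial_lock == "locked_for_minutes" and c.lock_minutes <= 0:
        errors.append("timed lock needs a positive number of minutes")
    if c.exempt_url is not None and not c.exempt_url.startswith("http://"):
        errors.append("exempt site URL must begin with http://")
    if c.fips_mode:
        warnings.append("FIPS mode adds a few seconds to client startup")
    return errors, warnings
```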
