IBM Endpoint Manager, Version 9.0

Running the IBM Endpoint Manager Administration Tool

The installation script install.sh automatically downloads the IBM Endpoint Manager Administration Tool bash shell script, BESAdmin.sh, to the /opt/BESServer/bin directory. With this tool you can edit the masthead file, check the signatures of the objects in the database, reset the epoch of the database to the current date, re-sign all of the user content in the database, and rotate the server private key.

To run this script from the command prompt, you must specify the private key file (license.pvk) and your private key password, as follows:
./BESAdmin.sh -service -sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> [arguments] 
where:
service can be one of the following:
editmasthead
findinvalidsignatures
reissuemanagementrights
reportencryption
resetdatabaseepoch
resignsecuritydata
rotateserversigningkey
-sitePvkLocation=<path+license.pvk>
Specifies a private key file (filename.pvk). The private key file and its password are required to run the Administration Tool. Only users with access to this file and its password are able to create new Endpoint Manager operators.
Note: The notation <path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.
-sitePvkPassword=<password>
Specifies the password associated with the private key file (filename.pvk).
Each service has the following arguments:
editmasthead
You can edit the masthead file by specifying the following parameters:
advRequireFIPScompliantCrypto (optional, boolean)
advGatherSchedule (optional, integer)
 values: 
    0=Fifteen Minutes, 
    1=Half Hour, 
    2=Hour, 
    3=Eight Hours, 
    4=Half day, 
    5=Day, 
    6=Two Days, 
    7=Week, 
    8=Two Weeks, 
    9=Month, 
    10=Two Months
advController (optional, integer)
 values: 
    0=console, 
    1=client, 
    2=nobody 
advInitialLockState (optional, integer)
 values: 
    0=Locked, 
    1=timed (specify duration), 
    2=Unlocked 
advInitialLockDuration (optional, integer)
 values: 
   ( duration in seconds ) 
advActionLockExemptionURL (optional, string)
The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<password> [ -advRequireFIPScompliantCrypto=<true|false> ] 
[ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ] 
[ -advInitialLockState=<0|2> | -advInitialLockState=1 
  -advInitialLockDuration=<num> ] 
[ -advActionLockExemptionURL=<url> ]
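
The following is an added example, not part of the IBM documentation or of BESAdmin.sh: a POSIX shell helper that checks editmasthead parameters against the value ranges and the lock-state/duration pairing listed above before any command is assembled. The function names are hypothetical, and refusing a license.pvk that is readable by group or other is an assumption of this example, not a documented requirement.

```shell
# Added example, not IBM code. Helper names are hypothetical.
# Validates -editmasthead parameters against the syntax documented above
# and prints the resulting BESAdmin.sh arguments, one per line.

# Succeeds only if the key file exists and grants nothing to group or other.
pvk_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only for a non-empty string of decimal digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Usage: build_editmasthead_args <path/license.pvk> [name=value ...]
# Returns 2 for an unsafe key file, 3 for a bad value, 4 for a lock mismatch.
# The caller appends -sitePvkPassword=<password> when invoking BESAdmin.sh.
build_editmasthead_args() (
  pvk=$1; shift
  state=; duration=
  pvk_is_private "$pvk" || { echo "key file missing or too permissive" >&2; return 2; }
  out="-editmasthead
-sitePvkLocation=$pvk"
  for kv in "$@"; do
    name=${kv%%=*}; value=${kv#*=}
    case $name in
      advRequireFIPScompliantCrypto)
        case $value in true|false) ;; *) return 3 ;; esac ;;
      advGatherSchedule)
        case $value in [0-9]|10) ;; *) return 3 ;; esac ;;
      advController)
        case $value in [0-2]) ;; *) return 3 ;; esac ;;
      advInitialLockState)
        case $value in [0-2]) state=$value ;; *) return 3 ;; esac ;;
      advInitialLockDuration)
        is_uint "$value" || return 3; duration=$value ;;
      advActionLockExemptionURL)
        [ -n "$value" ] || return 3 ;;
      *) echo "unknown parameter: $name" >&2; return 3 ;;
    esac
    out="$out
-$name=$value"
  done
  # The timed state (1) requires a duration; any other state forbids one.
  if [ "$state" = 1 ] && [ -z "$duration" ]; then return 4; fi
  if [ "$state" != 1 ] && [ -n "$duration" ]; then return 4; fi
  printf '%s\n' "$out"
)
```
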
findinvalidsignatures
You can check the signatures of the objects in the database by specifying the following parameters:
-resignInvalidSignatures (optional)
Removes invalid signatures.
-deleteInvalidlySignedContent (optional)
Deletes content with invalid signatures.
For additional information about invalid signatures, see http://www-01.ibm.com/support/docview.wss?uid=swg21587965.
The syntax to run this service is:
./BESAdmin.sh -findinvalidsignatures -sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<password> 
{ -resignInvalidSignatures | -deleteInvalidlySignedContent }
reissuemanagementrights
reportencryption
You can enable Message Level Encryption by running:
./BESAdmin.sh -reportencryption -sitePvkLocation=<path+license.pvk> 
-sitePvkPassword=<password> 
resetdatabaseepoch

You can reset the epoch of the database to the current date. The action site epoch is a timestamp from when the database is created that is used to synchronize your deployment with a particular instance of the database.

The syntax to run this service is:

./BESAdmin.sh -resetdatabaseepoch
resignsecuritydata
You can re-sign all of the user content in the database to enable user login to the Console. You can specify the following parameter:
-mastheadLocation=<path+/actionsite.afxm>
The syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password> -mastheadLocation=<path+/actionsite.afxm>
rotateserversigningkey

You can rotate the server private key to have the key in the file system match the key in the database.

The syntax to run this service is:

./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk>
-sitePvkPassword=<password>