Running the Endpoint Manager Administration Tool
The installation script install.sh automatically downloads the IBM Endpoint Manager Administration Tool bash shell script, BESAdmin.sh, into the /opt/BESServer/bin directory. With this tool you can edit the masthead file, check the signatures of the objects in the database, enable and disable enhanced security, resign all of the user content in the database, rotate the server private key, configure the Console and Web Reports login, resign the database content, and synchronize the masthead with the updated license.
./BESAdmin.sh -service { arguments }
where service can be one of the following:
- changeprivatekeypassword
- editmasthead
- findinvalidsignatures
- minimumSupportedClient
- repair
- reportencryption
- resignsecuritydata
- rotateserversigningkey
- securitysettings
- setadvancedoptions
- syncmastheadandlicense
- changeprivatekeypassword
- You can use this service to be prompted for a new password to associate with the license.pvk file. Use the following syntax to run the command:
./BESAdmin.sh -changeprivatekeypassword -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- editmasthead
- You can edit the masthead file by specifying the following parameters:
- advGatherSchedule (optional, integer) values: 0=Fifteen Minutes, 1=Half Hour, 2=Hour, 3=Eight Hours, 4=Half day, 5=Day, 6=Two Days, 7=Week, 8=Two Weeks, 9=Month, 10=Two Months
- advController (optional, integer) values: 0=console, 1=client, 2=nobody
- advInitialLockState (optional, integer) values: 0=Locked, 1=timed (specify duration), 2=Unlocked
- advInitialLockDuration (optional, integer) values: duration in seconds
- advActionLockExemptionURL (optional, string)
- advRequireFIPScompliantCrypto (optional, boolean)
The syntax to run this service is:
./BESAdmin.sh -editmasthead -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] [ -display ] [ -advGatherSchedule=<0-10> ] [ -advController=<0-2> ] [ -advInitialLockState=<0|2> | -advInitialLockState=1 -advInitialLockDuration=<num> ] [ -advActionLockExemptionURL=<url> ] [ -advRequireFIPScompliantCrypto=<true|false> ]
For additional information, see Editing the Masthead on Linux systems.
- findinvalidsignatures
- You can check the signatures of the objects in the database by specifying the following parameters:
- -resignInvalidSignatures (optional)
- Attempts to resign any invalid signatures that BESAdmin finds.
- -deleteInvalidlySignedContent (optional)
- Deletes contents with invalid signatures.
./BESAdmin.sh -findinvalidsignatures [ -resignInvalidSignatures | -deleteInvalidlySignedContent ]
- minimumSupportedClient
- This service defines the minimum version of the Endpoint Manager Agents used in your Endpoint Manager environment. Note: Based on this setting, the Endpoint Manager components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations imposed by this setting. If you ran a fresh installation of Endpoint Manager V9.1.11, the minimumSupportedClient is not set, so all the agents, regardless of their version, can join your Endpoint Manager environment. The currently available values are:
- 8.2, which means that no activity issued by Endpoint Manager Agents V8.2, such as registration to the server, archive file uploads and report uploads, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
- 9.0, which means that:
- Initial or regular registrations of V8.2 Endpoint Manager Clients to a Relay or to the Server succeed.
- Reports sent by V8.2 Endpoint Manager Clients are discarded by FillDB.
- The upload of an archive file generated on a V8.2 Endpoint Manager Client, by an archive now command for example, fails.
The syntax to run this service is:
./BESAdmin.sh -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] -minimumSupportedClient:<version>.<release>
If you omit [-sitePvkPassword=<password>], you are prompted to enter the password when BESAdmin.sh runs.
For example, to state that agents V8.2 are not supported in your Endpoint Manager environment, run the following command:
./BESAdmin.sh -sitePvkLocation=/license/license.pvk -minimumsupportedclient:9.0
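The following pre-flight wrapper is an added example, not part of the IBM documentation or of the product. It validates the inputs to the minimumSupportedClient service before BESAdmin.sh is called: the version argument must have the <version>.<release> form, and license.pvk must be a regular file readable only by its owner. The only value taken from the page is the /opt/BESServer/bin/BESAdmin.sh path; the function names, the permission policy and the GNU stat call are assumptions of this example. The password argument is left out on purpose so that BESAdmin.sh prompts for it, as the page states it does, rather than exposing it in process listings and shell history.

```shell
# Added example, not part of the IBM documentation or product: a pre-flight
# wrapper for the minimumSupportedClient service. The only value taken from the
# documentation is the BESAdmin.sh path; the function names, the permission
# policy and the version check are hypothetical conventions of this example.
BESADMIN="${BESADMIN:-/opt/BESServer/bin/BESAdmin.sh}"

# Accept only the <version>.<release> form the documentation describes
# (for example 8.2 or 9.0); reject empty strings, letters and extra dots.
valid_client_version() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *.*.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# The site private key signs all content in the deployment, so refuse to run
# unless license.pvk is a regular file readable by its owner only (mode 600 or
# 400). GNU stat is assumed, as on the Linux server the page describes.
pvk_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the BESAdmin.sh command line for the given key path and version.
# -sitePvkPassword is deliberately omitted: the documentation says BESAdmin.sh
# prompts for the password in that case, which keeps it out of process
# listings and shell history.
build_min_client_cmd() {
    pvk="$1"
    ver="$2"
    valid_client_version "$ver" || { echo "invalid version '$ver'" >&2; return 2; }
    pvk_perms_ok "$pvk" || { echo "refusing: '$pvk' is missing or not mode 600/400" >&2; return 3; }
    printf '%s -sitePvkLocation=%s -minimumSupportedClient:%s\n' "$BESADMIN" "$pvk" "$ver"
}

# Stand-alone use: sh wrapper.sh /license/license.pvk 9.0
# Prints the validated command line; execute it with: sh -c "$(sh wrapper.sh ...)"
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    build_min_client_cmd "$1" "$2"
fi
```

The wrapper prints the command rather than executing it, so the exact argument string can be reviewed or logged by a change-control job before the key password is typed at the prompt.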
- repair
- You can use a repair utility to handle an inconsistency between the keys stored in the database and those stored on the filesystem. When the following command is run, the keys on the file system are recreated from the keys stored in the database:
./BESAdmin.sh -repair -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- reportencryption
- You can generate, rotate, enable and disable encryption for report messaging by running:
BESAdmin.sh -reportencryption { -status | -generatekey [-privateKeySize=<min|max>] [-deploynow=yes | -deploynow=no -outkeypath=<path>] -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -rotatekey [-privateKeySize=<min|max> ] [-deploynow=yes | -deploynow=no -outkeypath=<path> ] -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -enablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] | -disablekey -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] }
where:
- status
- Shows the status of the encryption and which arguments you can use for that status
- generatekey
- Allows you to generate a new encryption key.
- rotatekey
- Allows you to change the encryption key.
- enablekey
- Allows you to enable the encryption key.
- disablekey
- Allows you to put the encryption key in the PENDING state. If you issue the reportencryption command with the disablekey argument again, the encryption changes from the PENDING state to DISABLED.
- resignsecuritydata
- You can resign all of the user content in the database to enable user login to the Console. The command resigns security data using the existing key file. You can specify the following parameter:
- -mastheadLocation=<path+actionsite.afxm>
The complete syntax to run this service is:
./BESAdmin.sh -resignsecuritydata -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] -mastheadLocation=<path+actionsite.afxm>
- rotateserversigningkey
- You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key.
The syntax to run this service is:
./BESAdmin.sh -rotateserversigningkey -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ]
- securitysettings
- You can configure enhanced security options to follow the NIST security standards by running the command:
./BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> [ -sitePvkPassword=<password> ] { -status | -enableEnhancedSecurity [-requireSHA256Downloads] | -disableEnhancedSecurity | -requireSHA256Downloads | -allowSHA1Downloads }
where:
- status
- Shows the status of the security settings set in your IBM Endpoint Manager environment. Example:
BESAdmin.sh -securitysettings -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=mypassw0rd -status
Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL
- enableEnhancedSecurity | disableEnhancedSecurity
- Enables or disables the enhanced security that adopts the SHA-256 cryptographic digest algorithm for all digital signatures and content verification, and the TLS 1.2 protocol for communications among the Endpoint Manager components. Warning: If you use the enableEnhancedSecurity setting you break backward compatibility, because IBM Endpoint Manager version 9.0 or earlier components cannot communicate with the IBM Endpoint Manager version 9.1 server or relays.
- requireSHA256Downloads
- Ensures, using the SHA-256 algorithm, that data has not changed after you download it. Note: The Require SHA-256 Downloads option is available only if you selected Enable Enhanced Security.
- allowSHA1Downloads
- Ensures that the file download integrity check is run using the SHA-1 algorithm.
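The check below is an added example, not IBM's code: it evaluates the text that the -status argument prints and fails unless enhanced security is ENABLED and SHA-256 downloads are REQUIRED, which is the state a deployment reaches after enableEnhancedSecurity with requireSHA256Downloads. The two status lines it matches are the ones shown in the example above; the words REQUIRED and DISABLED for the other states, and the sample output it runs against, are assumptions constructed for this example.

```shell
# Added example, not IBM's code: a compliance check over the text printed by
# "BESAdmin.sh -securitysettings ... -status". The two status lines are the
# ones shown in the documentation ("Enhanced security is currently ENABLED",
# "SHA-256 downloads are currently OPTIONAL"); the words REQUIRED and DISABLED
# for the other states are assumptions of this example.

# Takes the status text as its argument. Returns 0 when enhanced security is
# ENABLED and SHA-256 downloads are REQUIRED; otherwise prints one line per
# finding to stderr and returns the number of findings (1 or 2), so the exit
# status can drive a cron job or a configuration-audit report.
check_security_status() {
    status="$1"
    findings=0
    case "$status" in
        *"Enhanced security is currently ENABLED"*) ;;
        *)
            echo "FINDING: enhanced security is not enabled; SHA-256 signatures and TLS 1.2 are not enforced" >&2
            findings=$((findings + 1)) ;;
    esac
    case "$status" in
        *"SHA-256 downloads are currently REQUIRED"*) ;;
        *)
            echo "FINDING: SHA-256 download verification is not required" >&2
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample output (not captured from a real server), matching the
# example in the documentation: enhanced security on, SHA-256 downloads optional.
SAMPLE_STATUS='Enhanced security is currently ENABLED
SHA-256 downloads are currently OPTIONAL'

# Stand-alone run against the sample. On a server you would instead pass
#   "$(/opt/BESServer/bin/BESAdmin.sh -securitysettings \
#        -sitePvkLocation=/root/backup/license.pvk -status)"
# and let BESAdmin.sh prompt for the key password.
rc=0
check_security_status "$SAMPLE_STATUS" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "security settings compliant"
else
    echo "non-compliant: $rc finding(s)"
fi
```

Against the sample the check reports one finding (SHA-256 downloads optional) and exits 1; a deployment that has not enabled enhanced security at all gets two findings and exit status 2.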
- setadvancedoptions
- You can list or configure any global settings that apply to your particular installation. For example, you can set the login banner displayed by your Console or Web Reports by entering the following command:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
The complete syntax to run this service is:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>] { -list | -display | [ -f ] -delete option_name | [ -f ] -update option_name=option_value }
These are some of the advanced options that you can specify:
Table 1. Advanced Settings Names
- loginWarningBanner
- If set with text, any user who logs into the Console or Web Reports is shown the text after they log in. The user has to click OK to continue.
- timeoutLockMinutes
- The amount of idle time in minutes before the Console requires the user to authenticate again. This differs from loginTimeoutSeconds in that the timeout lock hides the entire Console to prevent any other user from seeing or using it. Idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.
Note: The non efficient mime advanced option is no longer supported by the 9.1 server. Existing actions continue to run on clients, but the server can no longer generate non efficient mime actions.
- syncmastheadandlicense
- When you upgrade the product, you must use this option to synchronize the updated license with the masthead and resign all content in the database with SHA-256. The syntax to run this service is:
./BESAdmin.sh -syncmastheadandlicense -sitePvkLocation=<path+license.pvk> [-sitePvkPassword=<password>]