BES Admin Tools command line options

(imported topic written by arnaud91)

Hi,

I wrote a VBScript that uses BES Admin Tools command line options to “silently” create new BES users. The script looks like this:

    BESAdmin.exe /createUser:<userLogin> /userPassword:<userPassword> /userKeysOutputFolder:<keysPath> /userEmail:<userEmail> /masterOp:no /customContent:yes /sitePassword:<sitePassword> /sitePvkFile:<sitePvkFilePath>

If I run this script on the machine on which all BES components are installed (Server, Database, Console, Admin Tools), it works great, silently, not showing any User Interface.

But we need it to run on another machine, on which only BES Console and BES Admin Tools are installed. If I run it on this machine, a popup appears asking for database “sa” password.

Is there an option (something like /databasePassword…) that allows running BES Admin through the command line without getting this popup? If yes, same question when using the /deleteUser option.

More widely (not sure this is the good way to say it in English :wink: ), is there any documentation about the BES Admin Tools command line options?

Thanks for your support,

Arnaud

(imported comment written by BenKus)

Hi Arnaud,

We added the BES Admin command line options for a specific customer in BES 6.0, but we never released the public documentation. We will put it on the documentation todo list if it is interesting for people to use.

You should use the “/dsn” option and specify an ODBC source that uses NT Authentication so that you don’t need to bother with the username/password.

Ben

(imported comment written by arnaud91)

Hi Ben,

I created an ODBC source named “provisioning” that uses NT Authentication, but I have an error when I try the following syntax:

    BESAdmin.exe /createUser:<userLogin> /userPassword:<userPassword> /userKeysOutputFolder:<keysPath> /userEmail:<userEmail> /masterOp:no /customContent:yes /dsn:provisioning /sitePvkFile:<sitePvkFilePath>

The error message popup says: class ReadPrivateKeyFailed

There is certainly an error in the command line I use, but I don’t know where.

Any idea about that?

Arnaud

(imported comment written by arnaud91)

Oops, I found my error: I forgot to specify the /sitePassword, which is the password of the PrivateKey.

So the good syntax is:

    BESAdmin.exe /createUser:<userLogin> /userPassword:<userPassword> /userKeysOutputFolder:<keysPath> /userEmail:<userEmail> /masterOp:no /customContent:yes /dsn:provisioning /sitePassword:<PvkPassword> /sitePvkFile:<sitePvkFilePath>

Ben, thanks again for your support.

Arnaud.

(imported comment written by arnaud91)

Hi,

I am coming back to this topic with a few more questions:

As we are an MSSP, we created a customer production script that runs BESAdmin.exe with command-line options. This works well if only one guy runs it at a time.

But if two guys run the script at the same time, we experience two types of errors due to BESAdmin.exe:

  1. a popup saying:

    Site propagation aborted by BES Server
    for the following reason: ERROR: Unable to acquire lock; lockfile corrupt. Please manually remove
    "lockfile" from propagation server.

The operator is created, but the certificate is not available and the BES Console is not available for this user.

I solved this problem by adding a routine in the script that tests whether BESAdmin.exe is already running and waits until it is no longer running.

  2. a popup saying:

    Site propagation aborted by BES Server
    for the following reason: Unable to proceed because another user is currently propagating
    this site. Please try again in a few minuts.

The operator is created, and he can use the BES Console. So I don’t really know what the consequences of this error are.

My questions:

  1. What is the meaning of each popup?

  2. Does the BESAdmin.exe command line return error codes that we can manage?

  3. Is there a way to catch these errors before the popups appear?

  4. What tests could we implement in our script to avoid these errors?

Regards,

Arnaud.

(imported comment written by BenKus)

Hi Arnaud,

Answers:

You are correct that you can only have one instance of BES Admin propagating changes at once.

  1. If you have a lock collision, it is possible you strand a lock for 30 minutes and you will receive the errors you posted. Here is more info: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=176

  2. BES Admin doesn’t return error codes that will help you.

  3. Avoid simultaneous propagations of BES Admin.

  4. You might implement a system (like the one you mentioned) that only allows running one instance of BESAdmin at a time.

Ben

(imported comment written by arnaud91)

Hi Ben,

Thanks for your explanations.

The system I implemented works, i.e. only one instance of BESAdmin.exe can run at the same time. So the message:

    Site propagation aborted by BES Server
    for the following reason: ERROR: Unable to acquire lock; lockfile corrupt. Please manually remove
    "lockfile" from propagation server.

doesn’t appear any more.

But it seems that even after BESAdmin is closed, the propagation continues for a few seconds, so I always get this message if an operator is created just after the first one:

    Site propagation aborted by BES Server
    for the following reason: Unable to proceed because another user is currently propagating
    this site. Please try again in a few minuts.

How can I know if a propagation is running? Is there any table in the database, or a file like the “lockfile”?

I would like to add a test to know if a propagation is running, to avoid this message.

By the way, even if this message appears, I can log in to the BES Console with the second operator's credentials, so I don’t really understand what this “propagation” does. Can you explain the goal of it to me?

Regards,

Arnaud.

(imported comment written by BenKus)

Hi Arnaud,

Sending actions to agents is a process we call “propagation” (including digitally signing the actions, updating the database, sending the data to the server, etc.) This happens every time you make a change that needs to go to the agents and when a new user is created, there is a propagation step that occurs so that the agents know about the new user (including some digital signature information).

Multiple propagations can simultaneously occur for different users because they use different “operator sites”, but all the master operators and BES Admin share a single “actionsite” and only one propagation of the actionsite is allowed at any one time.

I don’t believe there isn’t any good way to check to see if a propagation is active in the database and we will be changing the way this works in future versions as we streamline the propagation process to make it faster. Perhaps the best thing to do in your current situation is to add a delay after a user is created so that you avoid the lock situation?

Ben

(imported comment written by arnaud91)

Hi Ben,

I will modify my script (it’s a .hta with vbscript) this way :

    Try to create a file C:\running.txt
    If error (i.e. the file already exists) Then
        stop script execution and show a message to the user like
        "Another user is actually creating an operator. Please try again in a few minutes"
    Else
        execute production actions (Citrix user creation, BES Operator creation, etc...)
        remove file C:\running.txt
    End If

As the script executes other actions after the BESAdmin.exe call, it should add a sufficient delay to avoid problems.

I have a training session next week with 7 provisioning team guys, who will use this script simultaneously, so it will be a good way to see if this is a good solution :wink:

Thanks for your support,

Arnaud.
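
The lock-file approach from the post above, as an added PowerShell example (not Arnaud's script and not part of BES): the existence test and the file creation become one atomic step, Windows removes the lock if the script dies, and the lock is held for a settle period because propagation can outlast BESAdmin.exe. The function name `Invoke-Serialized`, the lock path and the timing defaults are assumptions.

```powershell
# Added example, not from the thread. Invoke-Serialized, the lock path and the
# timing defaults are assumptions; adjust them to your environment.
function Invoke-Serialized {
    param(
        [Parameter(Mandatory = $true)] [scriptblock] $Action,
        [string] $LockPath      = 'C:\running.txt',
        [int]    $StaleMinutes  = 30,   # assumed upper bound for one provisioning run
        [int]    $SettleSeconds = 60    # assumed time for propagation to finish
    )

    # With DeleteOnClose (below) a lock file survives only a machine crash.
    # Clear such a leftover once it is older than any plausible run.
    $old = Get-Item -LiteralPath $LockPath -ErrorAction SilentlyContinue
    if ($old -and $old.LastWriteTime -lt (Get-Date).AddMinutes(-$StaleMinutes)) {
        # Fails harmlessly when a live run still holds the file open.
        Remove-Item -LiteralPath $LockPath -Force -ErrorAction SilentlyContinue
    }

    try {
        # CreateNew: "does it exist?" and "create it" are one atomic step.
        # FileShare.None: nobody else can open or delete the file while we hold it.
        # DeleteOnClose: Windows removes the file even if this script is killed.
        $lock = New-Object System.IO.FileStream($LockPath,
            [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write,
            [System.IO.FileShare]::None, 4096, [System.IO.FileOptions]::DeleteOnClose)
    } catch {
        if (Test-Path -LiteralPath $LockPath) {
            Write-Warning 'Another user is currently creating an operator. Please try again in a few minutes.'
            return $false
        }
        throw   # bad path, access denied, etc. are real errors, not lock contention
    }

    try {
        & $Action | Out-Host
        # Propagation can continue for a while after BESAdmin.exe exits,
        # so keep the lock until it has had time to finish.
        Start-Sleep -Seconds $SettleSeconds
        return $true
    } finally {
        $lock.Dispose()   # closes the handle, which also deletes the lock file
    }
}

# BESAdmin.exe is a GUI program: without -Wait PowerShell would not wait for it.
# Placeholders are the ones used in the thread; add the remaining options likewise.
# Invoke-Serialized -Action {
#     Start-Process -FilePath 'BESAdmin.exe' -Wait -ArgumentList '/createUser:<userLogin>', '/dsn:provisioning'
# }
```

A lock file on a local drive only serializes users of that one machine; if the provisioning team works from several machines, the lock path has to be a location all of them share.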

(imported comment written by arnaud91)

UP

I have some new questions about the BESAdmin.exe command line options:

  1. Is there a syntax to modify the BES Console password for an existing operator?

  2. Is there a syntax to modify the Private key password for an existing operator?

Regards,

Arnaud.

(imported comment written by jessewk)

Hi Arnaud,

Console passwords are either SQL or Active Directory accounts. You can use any available command line tool that modifies those types of accounts.

Private key passwords are done through openssl. You can use a command like this to change the password:

    openssl.exe pkcs8 -topk8 -in <currentPvkFile> -out <newPvkFile> -v1 PBE-SHA1-3DES

Jesse

(imported comment written by MrFixit)

When using BESAdmin via the command line to create a user, what is the argument for Key Size?

Also, if creating users via the command line, do I also have to propagate the newly created operator or all operators? Or is that already part of using the /createuser:…?

thanks,

-Gary

(imported comment written by BenKus)

Key sizes are 1024, 2048, 4096.

I believe it will propagate the changes for you (which is why it takes a while to run)…

Ben

(imported comment written by drbyars91)

Can anyone confirm/reject this command-line option is still available with BigFix 7.2??

I’ve tried all of the examples to create users using BESAdmin.exe /createUser:abc <etc.>, but every time I run it I get the GUI instead :frowning:

(imported comment written by MrFixit)

The command line for BESAdmin.exe must be complete and the arguments correct or it will just fall through to the GUI. Check your arguments for correct syntax, and you will need them all… I think the only optional argument is the one for the key size, which is not in the earlier examples.

-Gary