Endpoint Manager - Need to create new masthead file

Manoj1 2015-05-12 16:13:57 UTC #1

During Endpoint Manager installation , the Server DNS name was provided with the “HOSTNAME” of the server .
And when we installed the clients , We found “HOSTNAME” is not defined on the client and we need to contact “IP ADDRESS” to reach the IEM Server. and we cannot use the “HOSTNAME” addition to the client as there are too many clients to update .
So we need to modify the masthead file to update the Server DNS name to “IP Address” .
We need to create the new masthead file to do this ?
The only way we can do is , to use new license key and install the IEM server to generate the new masthead file .

Is there anyway we can do the reinstall of IEM Server retaining the database and configuration ?

Is any configuration required after change Bigfix Server/Client IP

jgstew 2015-05-12 17:12:35 UTC #2

So why can’t you use the hostname as is? It would be best to use a hostname you control and can have in the public DNS, but short of that, you don’t need to add the hostname to all clients, only to the DNS of all clients, which might be feasible.

Migrating a BigFix Server To Another Location on the Network

AlanM 2015-05-12 17:24:07 UTC #3

The hostname/port once picked is forever for the installation. Only a complete re-install of the server will get you out of this situation.

JasonWalker 2015-05-13 12:12:40 UTC #4

Agree with @jgstew, updating DNS is the best way; especially as this gives flexibility in the future to move to a new server host without reinstalling all of the clients.

If thats not possible, there are several ways to get around it. You could build a script for installing the client, to additionally add an entry to the local hosts file so you can resolve the DSA server.

Or you could add a relay that is resolvable by the clients, and let the clients use the relay rather than the BES server directly (which is a best practoce anyway).

In my environment almost none of my clients can reach the BES server, and that’s not a problem.

jgstew 2015-05-13 14:36:00 UTC #5

@JasonWalker makes some very good points. If you don’t use a proper DNS name, then you could be in trouble if your IP addresses ever change in the future.

Similarly putting it in the DNS that the clients use could be fragile, and wouldn’t work well with mobile devices / laptops that roam.

Is there a reason you can’t use a fully qualified hostname?

Manoj1 2015-06-18 12:59:18 UTC #6

Thanks all . We created a DNS for the server and reinstalled the IEM server.
This solves the purpose .
But it would have been better if it allowed to change the server details without reinstall.

jgstew 2015-06-18 14:11:48 UTC #7

You can’t change it after install because that info gets baked into the masthead forever, which is why it is very important to use a DNS name that you can point to different IPs or HostNames at will.

JasonWalker 2015-06-19 02:51:55 UTC #8

At the heart of this limitation is the security that comes from the PKI architecture that’s built-in. It’s set up well enough that most times you don’t even notice it exists - but consider that the client trusts certificates issued by IBM’s certificate authority, and IBM’s certificate authority has issued a CA Certificate to your BES server. Just as if you had acquired an SSL certificate from Verisign or another issuer, that Certificate is bound to the hostname of your web server.

Your BES Server uses its Certicate Authority certificate (issued by IBM and assigned to the hostname of your server) to digitally sign all of the content that originates on the server - Actions, Fixlets, etc. are all signed (transparently to you) using the server’s Private Key (where the Public Key is your masthead file, for practical purposes). This allows the clients to validate that your Actions, Fixlets, etc. actually came from your server and have not been tampered with en-route.

Your masthead file can, in fact, be changed; you just have to work with IBM Support to do that, because they have to issue a new certificate to your BES server. You’d also need to replace the actionsite.axfm on all of your clients (the actionsite.axfm is signed using the original masthead). If you will have your old and new servers online at the same time, there is a masthead switch fixlet that you can run from the old BES Server to point clients to your new BES infrastructure.

Of course, none of this changes the fact that you really, really should have the masthead issued to a hostname rather than an IP address for better flexibility. A masthead swap is useful for changing from one named server to another named server; usually you’d just update your server’s DNS entry to point to the address of the new server, but in cases of domain renames, mergers & acquisitions, etc. masthead swaps may be needed.