Switch the BES Client's action site masthead to network with new relay

Thanks. This is helpful. Being newer to BigFix, that part wasn’t evident that it is unexpected behavior.
I may try the v10patch1 agent (instead of the initial v10 release) on a test client as well…

I’ll look at a ticket as well then. Thanks!

Hi guys,
Sorry to warm this up again, but with all the lessons learned from above, we tried to puzzle together a decent action and migrate clients behind a relay to a newly installed relay in the new BF environment.

Switch Masthead with Relay.bes

setting "__RelayServer1"="" on "{parameter "action issue date" of action}"  for client
setting "__RelayServer2"="" on "{parameter "action issue date" of action}"  for client
setting "_BESClient_RelaySelect_FailoverRelay"="" on "{parameter "action issue date" of action}"  for client
setting "_BESClient_Register_Affiliation_SeekList"="" on "{parameter "action issue date" of action}"  for client
setting "_BESClient_RelaySelect_TertiaryRelayList"="" on "{parameter "action issue date" of action}"  for client
setting "_BESClient_RelaySelect_Automatic"="1" on "{parameter "action issue date" of action}"  for client


download http://localhost:52311/masthead/masthead.afxm
continue if {exists file "masthead.afxm" of folder "__Download" of client folder of current site}

//Windows
if {windows of operating system}
	
	//Create new Clientsettings.cfg file
	delete __createfile
	createfile until __EOF__
IP:http://NewRelay:52311/bfmirror/downloads/
__RelaySelect_Automatic=1
__Relay_Control_RootServer=http://NewRootServer:52311/cgi-bin/bfgather.exe/actionsite
__RelayServer1=NewRelay:52311/bfmirror/downloads/
__RelayServer2=NewRelay:52311/bfmirror/downloads/
__Relay_Control_Server1=NewRelay:52311
__Relay_Control_Server2=NewRelay:52311
_BESClient_RelaySelect_TertiaryRelayList=http://NewRelay:52311
_BESClient_RelaySelect_FailoverRelay=http://NewRelay:52311
_BESClient_RelaySelect_ResistFailureIntervalSeconds=0
__EOF__
	delete "{pathname of parent folder of regapp "besclient.exe"}\Clientsettings.cfg.new"
	move __createfile "{pathname of parent folder of regapp "besclient.exe"}\Clientsettings.cfg.new"

	//Overwrite actionsite file
	delete "{pathname of parent folder of regapp "besclient.exe"}\ActionSite.afxm"
	copy "__Download\masthead.afxm" "{pathname of parent folder of regapp "besclient.exe"}\ActionSite.afxm"

	//Restart client and replace clientsettings
	delete __appendfile
	appendfile @echo off
	appendfile echo Your administrator is restarting the BES Client... Please Wait...
	appendfile net stop BESClient
	appendfile move /Y "{pathname of parent folder of regapp "besclient.exe"}\Clientsettings.cfg.new" "{pathname of parent folder of regapp "besclient.exe"}\Clientsettings.cfg"
	appendfile net start BESClient
	delete clientRestart.bat
	copy __appendfile clientRestart.bat
	runhidden clientRestart.bat

//UNIX
else
	//Create new Client Settings.cfg file
	delete __createfile
	createfile until __EOF__
[Software\BigFix\EnterpriseClient]
EnterpriseClientFolder = /opt/BESClient

[Software\BigFix\EnterpriseClient\GlobalOptions]
StoragePath = /var/opt/BESClient
LibPath = /opt/BESClient/BESLib

[Software\BigFix\EnterpriseClient\Settings\Client\__RelaySelect_Automatic]
value = 0

[Software\BigFix\EnterpriseClient\Settings\Client\__Relay_Control_RootServer]
value = http://NewRootServer:52311/cgi-bin/bfgather.exe/actionsite

[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer1]
value = http://NewRelay:52311/bfmirror/downloads/

[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer2]
value = http://NewRelay:52311/bfmirror/downloads/

[Software\BigFix\EnterpriseClient\Settings\Client\__Relay_Control_Server1]
value = http://NewRelay:52311

[Software\BigFix\EnterpriseClient\Settings\Client\__Relay_Control_Server2]
value = http://NewRelay:52311

[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_RelaySelect_TertiaryRelayList]
value = http://NewRelay:52311

[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_RelaySelect_ResistFailureIntervalSeconds]
value = 0

[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_RelaySelect_FailoverRelay]
value = http://NewRelay:52311
__EOF__
		delete "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.old"
		copy "{pathname of parent folder of parent folder of client folder of current site}/besclient.config" "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.old"
		delete "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.new"
		move __createfile "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.new"


	//AIX
	if {name of operating system starts with "AIX"}
		delete /etc/opt/BESClient/actionsite.afxm
		move __Download/masthead.afxm /etc/opt/BESClient/actionsite.afxm
		delete "{(client folder of current site as string) & "/__appendfile"}"
		appendfile #!/bin/sh
		appendfile sleep 30
		appendfile /etc/rc.d/rc2.d/KBESClientd stop
		appendfile sleep 30
		appendfile mv -f "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.new" "{pathname of parent folder of parent folder of client folder of current site}/besclient.config"
		appendfile /etc/rc.d/rc2.d/SBESClientd start
		wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"
		run {"/bin/sh -c %22trap '' 15;'" & (client folder of current site as string) & "/__appendfile'%22"}

	//Linux/SunOS
	elseif {name of operating system starts with "Linux" or name of operating system starts with "SunOS"}
		delete /etc/opt/BESClient/actionsite.afxm_old
		delete /etc/opt/BESClient/ActionSite.afxm_old
		if {exists file ("/etc/opt/BESClient/actionsite.afxm")}
			move /etc/opt/BESClient/actionsite.afxm /etc/opt/BESClient/actionsite.afxm_old
			move __Download/masthead.afxm /etc/opt/BESClient/actionsite.afxm
		else
			move /etc/opt/BESClient/ActionSite.afxm /etc/opt/BESClient/ActionSite.afxm_old
			move __Download/masthead.afxm /etc/opt/BESClient/ActionSite.afxm
		endif
		delete "{(client folder of current site as string) & "/__appendfile"}"
		appendfile #!/bin/sh
		appendfile sleep 5
		appendfile /etc/init.d/besclient stop
		appendfile mv -f "{pathname of parent folder of parent folder of client folder of current site}/besclient.config.new" "{pathname of parent folder of parent folder of client folder of current site}/besclient.config"
		appendfile sleep 5
		appendfile /etc/init.d/besclient start
		wait chmod 555 "{(client folder of current site as string) & "/__appendfile"}"
		run "{(client folder of current site as string) & "/__appendfile"}"
	
	else
		//Fail if no OS was selected
		continue if {false}
	endif
endif
client restart

When this is executed against an agent in the old environment, it tries to download the new data and restart the agent. In the logfile I can find:

 Beginning Relay Select
At 13:53:34 +0200 -
   Client shutdown (Service manager stop request)
 
********************************************
Current Date: August 16, 2021
   Client version 10.0.2.52 built for RedHat 6 x86_64 running on sysname:Linux release:3.10.0-1160.31.1.el7.x86_64 arch:x86_64
   Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
   Locale: LC_ALL="" LC_CTYPE="" LC_MESSAGES="" LANG="en_US.UTF-8"
   IP Address 0: x.x.x.x
   Host name: ClientHostName
   Process ID: 95077
   Executable Location: /opt/BESClient/bin/BESClient
   File Log Location: /var/opt/BESClient/__BESData/__Global/Logs
   ICU 54.1 init status: SUCCESS
   Agent internal character set: UTF-8
   ICU report character set: UTF-8 - Transcoding Disabled
   ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
   ICU local character set: UTF-8 - Transcoding Disabled
********************************************
At 13:53:40 +0200 -
   Setting _BESClient_Download_FastHashVerify enabled: Off
   Starting client version 10.0.2.52
   FIPS mode enabled by masthead.
   Cryptographic module initialized successfully in FIPS mode.
   Using crypto library libBEScryptoFIPS - OpenSSL 1.0.2u-fips  20 Dec 2019
   Initializing Site: actionsite
   Restricted mode
   Initializing Site: BES Support
   Initializing Site: IBM License Reporting
   Initializing Site: mailboxsite
   Existing mailbox site (mailboxsite1610819529) does not match computer ID (0), starting client reset
   Processing Download plugins
   Removing client mailbox site since we have no keys.
   Beginning Relay Select
At 13:53:41 +0200 -
   RegisterOnce: Attempting secure registration with 'https://NewRelay:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe&ClientVersion=10.0.2.52&Body=0&SequenceNumber=0&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://OldRelay%3a52311&AdapterInfo=00-50-56-b8-8d-6a_x.x.x.0%2f24_x.xx.x_0'
   Response: RelayRejectClient  Error: Different Deployment.
   RegisterOnce: Response indicates relay is part of a different deployment.
At 13:55:42 +0200 -
   RegisterOnce: Attempting secure registration with 'https://NewRelay:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe&ClientVersion=10.0.2.52&Body=0&SequenceNumber=1&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://OldRelay%3a52311&AdapterInfo=00-50-56-b8-8d-6a_x.x.x.0%2f24_x.xx.x_0'
   Response: RelayRejectClient  Error: Different Deployment.
   RegisterOnce: Response indicates relay is part of a different deployment.

Everything runs fine, but at the end, when the client restarts and is supposed to register itself via the new relay to the new server, it somehow pulls out the old relay name of the previous BF install and fails, as it belongs to a different install. Any ideas how to persuade the BF client to use the new relay?
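
An added example, not part of the original post: a small Python parser for client log excerpts like the one above. It pairs each RegisterOnce attempt with its response and lists the rejected attempts whose Root= value names a different host than the relay contacted. The function names are illustrative, and the sample log is constructed from the excerpt using the post's placeholder host names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modeled on the excerpt above; host names are the post's placeholders.
SAMPLE_LOG = """\
At 13:53:41 +0200 -
   RegisterOnce: Attempting secure registration with 'https://NewRelay:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe&ClientVersion=10.0.2.52&Body=0&SequenceNumber=0&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://OldRelay%3a52311&AdapterInfo=00-50-56-b8-8d-6a_x.x.x.0%2f24_x.xx.x_0'
   Response: RelayRejectClient  Error: Different Deployment.
   RegisterOnce: Response indicates relay is part of a different deployment.
At 13:55:42 +0200 -
   RegisterOnce: Attempting secure registration with 'https://NewRelay:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe&ClientVersion=10.0.2.52&Body=0&SequenceNumber=1&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://OldRelay%3a52311&AdapterInfo=00-50-56-b8-8d-6a_x.x.x.0%2f24_x.xx.x_0'
   Response: RelayRejectClient  Error: Different Deployment.
"""

STAMP = re.compile(r"^At (\d\d:\d\d:\d\d [+-]\d{4}) -")
ATTEMPT = re.compile(r"RegisterOnce: Attempting secure registration with '([^']+)'")
RESPONSE = re.compile(r"^\s*Response:\s*(.+?)\s*$")

def registration_attempts(log_text):
    """Pair every registration attempt with the Response line that follows it."""
    attempts, stamp, pending = [], None, None
    for line in log_text.splitlines():
        if m := STAMP.match(line):
            stamp = m.group(1)
        elif m := ATTEMPT.search(line):
            url = urlsplit(m.group(1))
            query = parse_qs(url.query)  # parse_qs percent-decodes, so %3a becomes ':'
            pending = {"time": stamp, "relay": url.netloc,
                       "root": query.get("Root", [""])[0],
                       "sequence": int(query.get("SequenceNumber", ["-1"])[0]),
                       "response": None}
            attempts.append(pending)
        elif pending is not None and (m := RESPONSE.match(line)):
            pending["response"] = m.group(1)
            pending = None
    return attempts

def stale_root_rejections(attempts):
    """Attempts rejected as 'Different Deployment' whose Root= host is not the relay contacted."""
    flagged = []
    for a in attempts:
        root_host = urlsplit(a["root"]).hostname or ""
        relay_host = urlsplit("//" + a["relay"]).hostname or ""
        if "Different Deployment" in (a["response"] or "") and root_host != relay_host:
            flagged.append(a)
    return flagged

if __name__ == "__main__":
    for a in stale_root_rejections(registration_attempts(SAMPLE_LOG)):
        print(a["time"], "seq", a["sequence"], "relay", a["relay"], "sent Root =", a["root"])
```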

I think the problem you have is that you are attempting the new registration to a relay that requires authentication - which should be the case for a DMZ relay - but the client has a certificate from the old infrastructure.

See Authenticating relay - manual key exchange

2 Likes

Hi trn,
Thanks for the quick reply! I wasn’t checking this forum that fast.

Yes, we are switching from one authenticating relay to a new authenticating relay. Both relays use the same password (for simplicity).
I followed your suggested link, but this is already something we try to do. We hit the client sharply on the head, place a new client config file at the right spot and restart it.
During the re-register part, it somewhere drags the old hostname from some location. Hmm, maybe I should try to find some files where the BF client stores the name/certificate of the old relay after the authentication, to figure out where we have to patch.

Cheers
Roland

Hi all,

Just as a final note to this thread. The above procedure finally worked to move a client behind an authenticating relay to do a masthead change and register with a new authenticating relay in the new BF Server - Relay tree.

In the previous posts in this thread a certain outline is described. This might vary in your environment, so I won’t post my final .bes script here. In the latest version we turned off automatic relay select (as we are already trying to pin down a certain relay):
setting "_BESClient_RelaySelect_Automatic"="0" on "{parameter "action issue date" of action}" for client
We also made sure the old content of certificates for the authenticating relay was gone by adding the line
delete "{pathname of parent folder of parent folder of client folder of current site}/KeyStorage/__*"
for the Unix clients.
Another issue we had: our masthead from the new install was not transferred as a binary file to the old BF server. Somewhere in between, some DOS/Linux CR/LF conversion corrupted the file, giving us some more headaches on the way.
And finally, the above script contains a Windows and a Unix part. We just migrated a Linux client. We tried to keep the Win part in sync, but it isn’t. Just in case you try to use all scripts from the internet without sanity checking first. :wink:
I’m happy if this post helps some more people to do a migration to a new environment!

Cheers and good luck with your move!
Roland

1 Like
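
An added example, not part of the original posts: one way to catch the masthead corruption described in the final note before the action overwrites actionsite.afxm. It compares the copied file against a SHA-256 recorded on the new server and tells a line-ending conversion apart from other damage; the function names and sample bytes are illustrative.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_transfer(expected_sha256: str, received: bytes) -> str:
    """Return 'intact', 'lf-to-crlf', 'crlf-to-lf' or 'corrupt' for a transferred file."""
    expected = expected_sha256.lower()
    if sha256_hex(received) == expected:
        return "intact"
    # Undo an LF -> CRLF rewrite (a text-mode copy towards DOS line endings).
    if sha256_hex(received.replace(b"\r\n", b"\n")) == expected:
        return "lf-to-crlf"
    # Undo a CRLF -> LF rewrite: put a CR back in front of every LF.
    restored = received.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if sha256_hex(restored) == expected:
        return "crlf-to-lf"
    return "corrupt"

def check_file(path: str, expected_sha256: str) -> str:
    # Binary mode: reading in text mode could itself translate line endings.
    with open(path, "rb") as fh:
        return classify_transfer(expected_sha256, fh.read())

# Constructed stand-in bytes, not a real masthead.
SOURCE_LF = b"placeholder line 1\nplaceholder line 2\n"
SOURCE_CRLF = b"placeholder line 1\r\nplaceholder line 2\r\n"

if __name__ == "__main__":
    digest = sha256_hex(SOURCE_LF)  # recorded on the new server before the copy
    print(classify_transfer(digest, SOURCE_LF))
    print(classify_transfer(digest, SOURCE_LF.replace(b"\n", b"\r\n")))
```

Any result other than `intact` means the copy should be redone as a binary transfer before the action is issued.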