BigFix Action Regenerator
When you take an action from a Fixlet message in TEM, the TEM Clients receive a copy of the action that is authorized by the TEM Console user. If the underlying Fixlet message changes, the copy of the action you took earlier will not change. This behavior is designed specifically into TEM as a security precaution -- the TEM user knows that actions will not "change from underneath them" in a way that is potentially dangerous.
However, the downloads for some Fixlet messages change quite often. For example, the "BigFix AntiPest Update Definitions" Fixlet message will change weekly when new definitions are released. You will need to send out a new action every week to ensure that your AntiPest definitions are up to date. Some BigFix users wish to automate the process of reapplying actions when they change. The BigFix Action Regenerator was built for this purpose.
- The BigFix Action Regenerator can be run on Windows 2000, Windows XP, Windows 2003 Enterprise, Windows Server 2012, or Windows 2008 Enterprise. Note: The Action Regenerator is not suitable for Linux servers.
- The BigFix Action Regenerator must be able to connect to the TEM Server database and TEM Root server (the network requirements are the same as the TEM Console).
- The BigFix Action Regenerator must be given a valid username, passphrase, and private key file that will be used to connect to the database and then digitally sign and propagate actions.
- The current BigFix Action Regenerator will work with BES 5.1, BES 6.0, BES 7.0, BES 7.1, BES 7.2, BES 8.0, TEM 8.1, TEM 8.2, and IEM 9.0.
- The TEM Client, TEM Console and TEM Server API must be installed on the computer that will run the BigFix Action Regenerator. The TEM Client must be functioning normally and also in communication with the TEM Root Server.
Download the BigFix Action Regenerator to a computer that will run the BigFix Action Regenerator on a periodic basis. You can use the TEM Server, but BigFix recommends that you not use the BigFix Action Regenerator on your TEM Server for security reasons and that you use a separate secure computer on which the key and passphrase can be better secured. The server hosting the BigFix Action Regenerator should have the TEM Client and TEM Console installed on it.
- Extract the contents to a permanent location.
- You will need to install the BigFix API before the script will work. To do this, run the "setup.exe" file located in "BES API Installer" folder that you just unzipped. Follow the instructions to install the BigFix API.
- Next, you will need to set the configuration parameters of the BigFix Action Regenerator. To do this, use a text editor to open the "ActionRegenerator.config" file in the "ActionRegenerator" folder.
- You will need to specify the ODBC DSN value so that the BigFix Action Regenerator knows which TEM Server database to use. Fill in the "databasedsn" value in the config file. If the TEM Console is installed on the same computer, the DSN will be "bes_EnterpriseServer". If the TEM Console is not installed on the computer, use the instructions here to set up a DSN.
- You will also need to supply a TEM private key file, a username, and a passphrase in the config file. The username and passphrase will be used to both connect to the database and to unlock the private key file. It is recommended that you generate a separate user and key file to be used explicitly for the BigFix Action Regenerator (by making a new user and key file, it will be easier to manage and to revoke the user if necessary).
Double check that you have filled in the databasedsn, username, passphrase, and signing keys with the appropriate values. The BigFix Action Regenerator is configured by default to update the "BigFix AntiPest - Update Definitions" Fixlet message (Fixlet ID 4 on the BigFix AntiPest site) if it changes. You can change the other configuration values if you would like. When it is complete, the config file should look something like this:
# Action Regenerator Config File
## You need to change these config options:
## You probably don't want to change these (although you can if you want)
sitename=BigFix AntiPest (powered by PestPatrol);
- The BigFix Action Regenerator should now be configured.
When you run the BigFix Action Regenerator, it will create an action that will be targeted at all relevant computers for the "BigFix AntiPest - Update Definitions" Fixlet message (or whichever Fixlet message you specify). The action that will be created will look the same as if you opened the TEM Console, clicked on the Fixlet action, targeted to all computers, and then sent the action out (the only difference will be that the action name will start with "AUTOGENERATED:").
- When you run the BigFix Action Regenerator again, it will look to see if the download has changed from the last time it ran. If the download has changed, it will send out another action that will include the new download.
- You can use the Windows task scheduler to run this BigFix Action Regenerator periodically.
The file ActionRegenerator.log in the same folder as BESActionRegenerator.exe will contain a log of the activities. Here is an example log entry:
Wed Nov 30 17:20:25 2005: Running Script...
Wed Nov 30 17:20:25 2005: LastRunSHA1 doesn't exist (probably the first time the script has been run). Propagating action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)"...
Wed Nov 30 17:20:25 2005: Starting action propagation...
Wed Nov 30 17:20:32 2005: Action propagtion finished -- Generated Action ID: 938 in 7 seconds.
Wed Nov 30 17:20:32 2005: Script Finished...
Wed Dec 30 17:18:36 2005: Running Script...
Wed Dec 30 17:18:38 2005: SHA1 in action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)" is the same. The download is the same as the last time the script ran. No need to propagate new action...
Wed Dec 30 17:18:38 2005: Script Finished...
Fri Dec 1 17:46:16 2005: Running Script...
Fri Dec 1 17:46:20 2005: SHA1 in action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)" has changed! There is a new download available. Beginning action propagation...
Fri Dec 1 17:46:20 2005: Starting action propagation...
Fri Dec 1 17:46:30 2005: Action propagtion finished -- Generated Action ID: 956 in 10 seconds.
Fri Dec 1 17:46:31 2005: Script Finished...
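Because the Action Regenerator sends actions without a person reviewing each one, its log is the record of what was pushed and why. The Python below is an added example, not part of the original article or of the BigFix product: it groups log lines into script runs and lists the runs that generated an action or never reached "Script Finished". The names audit and needs_review are this example's own, and the sample input is the log excerpt above with its last two lines removed.

```python
import re

# ActionRegenerator.log excerpt from this page with its last two lines removed,
# so the final run starts a propagation that never reports an Action ID.
SAMPLE_LOG = '''\
Wed Nov 30 17:20:25 2005: Running Script...
Wed Nov 30 17:20:25 2005: LastRunSHA1 doesn't exist (probably the first time the script has been run). Propagating action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)"...
Wed Nov 30 17:20:25 2005: Starting action propagation...
Wed Nov 30 17:20:32 2005: Action propagtion finished -- Generated Action ID: 938 in 7 seconds.
Wed Nov 30 17:20:32 2005: Script Finished...
Wed Dec 30 17:18:36 2005: Running Script...
Wed Dec 30 17:18:38 2005: SHA1 in action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)" is the same. The download is the same as the last time the script ran. No need to propagate new action...
Wed Dec 30 17:18:38 2005: Script Finished...
Fri Dec 1 17:46:16 2005: Running Script...
Fri Dec 1 17:46:20 2005: SHA1 in action 1 of Fixlet 4 of site "BigFix AntiPest (powered by PestPatrol)" has changed! There is a new download available. Beginning action propagation...
Fri Dec 1 17:46:20 2005: Starting action propagation...
'''

LINE = re.compile(r'^(\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}): (.*)$')
TARGET = re.compile(r'action (\d+) of Fixlet (\d+) of site "([^"]+)"')
DONE = re.compile(r'Generated Action ID: (\d+) in (\d+) seconds')
REASONS = {"LastRunSHA1 doesn't exist": "first-run",
           "has changed": "download-changed", "is the same": "unchanged"}

def audit(log_text):
    """Group log lines into script runs; one dict per run, in log order."""
    runs, run = [], None
    for ts, msg in (m.groups() for m in map(LINE.match, log_text.splitlines()) if m):
        if msg.startswith("Running Script"):
            run = {"start": ts, "reason": None, "target": None,
                   "action_id": None, "seconds": None, "complete": False}
            runs.append(run)  # recorded at once, so a run cut short still shows up
        elif run is not None:
            for marker, reason in REASONS.items():
                if marker in msg:
                    run["reason"] = reason
            if (t := TARGET.search(msg)):  # (action number, Fixlet ID, site name)
                run["target"] = (int(t[1]), int(t[2]), t[3])
            if (d := DONE.search(msg)):    # propagation reported a new action
                run["action_id"], run["seconds"] = int(d[1]), int(d[2])
            if msg.startswith("Script Finished"):
                run["complete"] = True
                run = None
    return runs

def needs_review(runs):
    """Runs that pushed an action to clients, or that never finished."""
    return [r for r in runs if r["action_id"] is not None or not r["complete"]]
```

The Action IDs returned by needs_review can be compared with the "AUTOGENERATED:" actions visible in the TEM Console.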
- Using the BigFix Action Regenerator will cause actions to automatically go out to the agents whenever it is run. Normally, a BigFix user must specifically review and authorize each action. Using the BigFix Action Regenerator removes this manual process, which is convenient but potentially dangerous for security and accountability reasons. Please be sure you understand the implications and dangers of automatically pushing new Fixlet messages. Contact your support technician if you have any questions.
- Your private key file and password are very powerful. Make sure you secure the private key file and config file that contains the passphrase to prevent unauthorized access. It is recommended that you change the file permissions on the BigFix Action Regenerator folder to allow only authorized access. Note that you can revoke the private key at any time using TEM Admin.
- Currently, the action that is generated will target all computers that need the update with an expiration of midnight in 7 days and a temporal distribution of 60 minutes (both options are configurable in the config file). There is currently no way to customize the rest of the action parameters (i.e., retry time, user message, restart behavior, etc.).
- The BigFix Action Regenerator is set up by default to be used with the "BigFix AntiPest Update Definitions" Fixlet message. You can change the config file to use the BigFix Action Regenerator with other Fixlet messages.
- If the BigFix Action Regenerator fails after upgrading the TEM Server API to version 7.1, try creating a new TEM Console user and setting the BigFix Action Regenerator to use the new username/password/keyfiles. The BigFix Server API may fail to validate keys created before upgrading to BES 7.1.