IBM BigFix
Version 9.5
WebUI
Administrators Guide
Note
Before using this information and the product it supports, read the information in “Notices” on page 63.
This edition applies to version 9, release 5, modification level 0 of IBM BigFix and to all subsequent releases and
modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2016.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Introduction . . . 1
WebUI Audience . . . 1
Chapter 2. Deployment Requirements . . . 3
Requirements Overview . . . 3
Hardware Requirements . . . 4
Disk Space . . . 4
Network Port Conflicts . . . 4
Microsoft Hotfix KB2577795 . . . 5
Chapter 3. WebUI Installation . . . 7
Install the WebUI Service (Platform V9.5.3 or later) . . . 7
Requirements . . . 7
Installation Checklist . . . 7
Remove the WebUI Service . . . 9
Change Ports . . . 9
Renew WebUI Certificates . . . 9
Enable the WebUI (Platform V9.2.6 – V9.5.2) . . . 9
Change Communication Ports . . . 12
SSL Certificates . . . 13
Send Notifications . . . 14
Access the WebUI . . . 14
Chapter 4. Provisioning Users . . . 17
Master Operator Permissions . . . 17
Non-Master Operator Permissions . . . 17
Operators and Roles in IBM BigFix . . . 18
Permission Effects in the WebUI . . . 18
Apply WebUI Permissions . . . 20
Explicit and Effective Permissions . . . 21
Setting WebUI Permissions . . . 22
Interface Login Privileges . . . 23
Create Actions Privileges . . . 24
Working With Custom Tiles . . . 36
Create a Key Numbers Tile . . . 41
Create a Summary Tile . . . 42
Create a List Tile . . . 43
Create a Checks Tile . . . 44
Create a Chart Tile . . . 45
Chapter 7. Performance . . . 47
Operator Performance . . . 47
Slow Filters . . . 47
Concurrence . . . 47
Administrator Performance . . . 48
Operator Shaping . . . 48
Environment Upgrades . . . 48
ETL Performance . . . 48
Chapter 8. Log Locations . . . 49
Chapter 9. WebUI Server Settings . . . 51
Access WebUI Server Settings . . . 51
Server Settings Definitions . . . 52
Chapter 10. SAML 2.0 . . . 57
Chapter 11. Supported Patch Sites . . . 59
Appendix. Support . . . 61
Notices . . . 63
Trademarks . . . 65
Terms and conditions for product documentation . . . 66
The web-based BigFix WebUI harnesses the flexibility and power of IBM BigFix.
Using a browser, operators can log in to the WebUI and manage endpoints. The
WebUI augments the IBM BigFix Console but does not replace it. BigFix WebUI
components include Custom Content, Patch, Query, and Software Distribution. Use
of the WebUI might not be suitable for all deployments. Some customers use both
the WebUI and the Console to complete different BigFix tasks.
WebUI Audience
The WebUI is not intended for all IBM BigFix deployments, and is not currently as
scalable as a traditional IBM BigFix deployment. Currently, the WebUI has the
following upper use limits:
• 30 concurrent users.
• 60,000 managed endpoints.
While nothing prevents the use of the WebUI in larger deployments, there might
be significant impact to performance. For more information, see Chapter 7,
“Performance,” on page 47.
Requirements Overview
The BigFix WebUI is a component of a standard IBM BigFix installation from
version 9.2.6 onward. Environments that run version 9.2.6 or later contain the
software components that are required to enable the WebUI. The required
hardware, software, and environment settings are summarized here; more detailed
descriptions follow:
• IBM BigFix 9.2.6 or later. For detailed production environment requirements and
installation procedures, see the IBM BigFix Installation Guide. If you are already
running a previous version of IBM BigFix, upgrading to 9.2.6 is sufficient.
• The WebUI is accessed through a number of supported internet browsers:
– Internet Explorer 10 or later.
– Microsoft Edge.
– Firefox, updated to the latest version.
– Safari, updated to the latest version.
– Chrome, updated to the latest version.
• Minimum screen resolution of 1024x768.
• Minimum disk space of 50 GB.
• A network port must be open for WebUI communication; the default ports are 80
for HTTP and 443 for HTTPS. For more information, see “Network Port
Conflicts” on page 4.
• Microsoft Hotfix KB2577795 applied to Windows Server 2008 R2, if applicable.
• Signed SSL Certificates (optional) ensure secure communication with your
WebUI deployment. For more information, see “SSL Certificates” on page 13.
System requirements for using the Executive Dashboard and dashboard editing
tools:
• BigFix version 9.2.6 and later.
• The WebUI enabled in your environment.
Hardware Requirements
The WebUI operates as part of a standard IBM BigFix deployment. However,
additional hardware resources are required to power the WebUI.
Baseline hardware requirements for an IBM BigFix deployment are described in the
IBM BigFix Installation Guide. The WebUI requires more CPU and memory, and
the amount varies depending on the number of concurrent users:
Table 1. Additional Resources for WebUI
Function                            Additional CPUs   Additional Memory in GB
WebUI Baseline                      +1                +4
Per 10 Concurrent Users (Linux)     +3                +2
Per 10 Concurrent Users (Windows)   +6                +4
Disk Space
The amount of disk space that is required on your server is highly dependent on
your deployment size. For deployments up to 60,000 managed endpoints, the
recommended free disk space is 50 GB. Solid state drives are highly recommended.
Traditional magnetic drives can be used, but performance is greatly degraded due
to the heavy reliance on ETL procedures.
Network Port Conflicts
A possible conflict can arise between WebUI and the Web Reports component of
IBM BigFix. Web Reports defaults to port 80 in IBM BigFix version 9.2.4.X and
earlier. As of release 9.2.5 Web Reports defaults to port 8080 to avoid conflict with
WebUI. When upgrading an existing deployment to 9.2.5 or later, the port used for
Web Reports is not changed. Therefore, it is possible to run a fully updated
deployment while still encountering a port conflict.
During WebUI installation any port conflict with Web Reports is detected and the
option to change the Web Reports port is provided. For more information, see
“Enable the WebUI (Platform V9.2.6 – V9.5.2)” on page 9 and “Change
Communication Ports” on page 12.
Microsoft Hotfix KB2577795
If you have enabled WebUI on an IBM BigFix server running Windows Server 2008
R2, you must patch that computer with Microsoft Hotfix KB2577795. If KB2577795
is not applied you might see socket errors after some time has passed.
After the WebUI has been enabled, you can quickly check your server's
compliance:
1. From the IBM BigFix Console, navigate to BigFix Management > BES
Component Management > WebUI, or locate Fixlet 2251 by your preferred
means.
2. If Fixlet 2251 is relevant, you have a computer that matches all of these criteria:
• WebUI is enabled,
• The operating system is Windows Server 2008 R2, and
• KB2577795 is NOT applied.
3. If Fixlet 2251 is relevant, the issue is not resolved. If Fixlet 2251 is not relevant,
your WebUI deployment is properly patched.
Note: Because the WebUI enablement Fixlet requires the hotfix to be applied to
relevant servers, it is unlikely that the hotfix Fixlet will be relevant. This can occur,
however, if the WebUI was manually enabled, which is not recommended.
Note: WebUI services installed by earlier versions of the BigFix Platform do not
work on V9.5.3. Customers upgrading to V9.5.3 from an earlier version must
reinstall the WebUI with the V9.5.3-specific installation Fixlet. Following
installation, your pre-V9.5.3 data will be available when the first ETL process
completes.
Requirements
To install the WebUI service:
• Customers upgrading to V9.5.3 from an earlier version of the Platform must run
the V9.5.3-specific WebUI installation Fixlet.
• If you are installing the WebUI service on a remote server, the operating system
on the BigFix server and the remote server must be the same. Either:
– Windows Server 2008 (64 bit) or later, or
– Red Hat Linux 6 or 7 (64 bit).
• If you are installing the WebUI service on a remote machine, that machine must
be running the V9.5.3 BigFix Agent before you deploy the installation Fixlet.
Installation Checklist
Before you run the V9.5.3 installation Fixlet, Install IBM BigFix WebUI Service
(Version 9.5.3):
• Have the host name or IP address of the target WebUI server ready.
• The default installation directories are:
– On Windows machines:
When you are ready, deploy the Fixlet Install IBM BigFix WebUI Service (Version
9.5.3).
Notes:
• If the Fixlet fails, revoke the certificates that it generates and sends to the target
machine.
• The installation Fixlet does not remove anything from the BigFix server. Node
executable files, log files, and site directories will remain, though node processes
will no longer be running. If you are installing on the BigFix Server, it will move
the webui.db and the WebUI sites directory.
• Start, stop, and restart the WebUI process on a remote machine using
services.msc on Windows, or through the terminal in Red Hat Linux. If stopped,
the Fixlet 2562 - BES WebUI Service not Started can also be used to start the
WebUI.
Change Ports
On BigFix Platform V9.5.3 and above, use the Fixlet Change Ports for WebUI
Service and Web Reports to change the communication ports on either the BigFix
server or a remote machine. Use the Fixlet description to enter the port numbers
you want to use.
Use the enablement Fixlets to turn on the WebUI. The Fixlets check for potential
WebUI and Web Report port conflicts and provide an easy way to change them if
necessary. Extra security can be implemented in the form of SSL certificates.
Fixlet 2252 checks for a port conflict with Web Reports, if Web Reports is present.
If a conflict is found an error message displays, and the Fixlet stops.
Note: You cannot determine the target of Fixlet 2252 until you select it. Therefore,
if you have multiple IBM BigFix Servers in your environment, Fixlet 2252 may not
report a port conflict when one does exist with one of your individual IBM BigFix
Servers. If so, Fixlet 2250 will fail, and you will need to select a different port, as
described in the following step. This situation can be resolved later, as described in
Note: The WebUI enablement Fixlet checks for the presence of Microsoft Hotfix
KB2577795 if your server runs Windows Server 2008 R2. For more information, see
“Microsoft Hotfix KB2577795” on page 5. If your WebUI deployment is properly
patched the Fixlet will not be relevant.
1. If a port conflict with Web Reports is detected, run Fixlet 2252 again and
choose a different port for WebUI. Even if you plan to change either the Web
Reports or WebUI ports, you must choose a non-conflicting port to enable the
WebUI. For more information, see “Change Communication Ports.”
2. After the Fixlet has completed by restarting the BesRootServer, WebUI is
enabled. To confirm, navigate to All Content > WebUI Apps. If the WebUI
Apps menu item is not present, enablement has failed and Fixlet 2252 should
be run again. There may be a small delay between enablement and the menu
item displaying depending on your deployment.
If either WebUI or Web Reports is enabled in your environment, you might want
to change their communication port. As of IBM BigFix release 9.2.5, Web Reports
defaults to port 8080 while the default port for WebUI is 80 for HTTP and 443 for
HTTPS. However, in previous versions of IBM BigFix, Web Reports defaulted to
port 80. If left unchanged, this might create a conflict during WebUI enablement.
This issue is resolved during WebUI enablement as described in “Enable the
WebUI (Platform V9.2.6 – V9.5.2)” on page 9.
After the WebUI is enabled, the ports that are defined for WebUI and Web Reports
can be changed using Fixlet 2250.
SSL Certificates
Secure Sockets Layer certificates enable secure communication with your IBM
BigFix WebUI deployment.
For instructions on enabling the email notification service in your deployment, see
the IBM BigFix Configuration Guide. To read about setting operator permissions,
see “Apply WebUI Permissions” on page 20, and “Create Actions Privileges” on
page 24.
<http_or_https>://<IP_or_FQDN>:<port_if_not_80/443>
If the WebUI has initialized and is ready for use you are presented with the login
prompt:
Operators can have access to elements in the IBM BigFix Console without having
access to those elements in the WebUI. For example, an Operator might be given
access to Patch content in the BigFix console and denied access to patch content in
the WebUI.
For detailed information about the concepts of Operator and Role, see the BigFix
Console Operator's Guide. However, it is important to note that Operator and Role
permissions are additive. That is, IBM BigFix will always favor increased
permissions. For example, if an Operator is denied a particular permission but that
same Operator is part of a Role that is granted that permission, the Operator will
gain the permission. The reverse is also true: if an Operator is granted a permission
but is denied it as part of a Role they are a member of, they will still retain the
permission.
This concept is discussed within the context of the UI in “Explicit and Effective
Permissions” on page 21.
For the most part, the effects of permissions are clear: an Operator who is not
granted Patch permissions will not have access to the Patch workflow in the
WebUI. However, there are a few nuances that should be discussed.
It is important to note that all Operators see deployment related data regardless of
content type. It is limiting if an Operator views an endpoint but cannot see that a
patch was deployed to that endpoint, even if that Operator does not have Patch
permissions. However, that Operator will not have the ability to take Patch actions
or alter that deployment.
Operators see all deployments regardless of source. The WebUI offers a window
into your deployment and it is not self-contained. Actions initiated from the
traditional IBM BigFix Console, external sites, or the REST API will be reflected in
the WebUI.
The WebUI allows email messages, associated with performed actions, to be sent.
The ability to send these notifications requires this feature be enabled within the
IBM BigFix console, as described in “Send Notifications” on page 14. Because these
notifications are enacted through custom content, Operators must have Custom
Content and Can Create Actions permissions to see the associated workflow within
the WebUI, allowing them to use this functionality.
Master operators see all dashboard elements and data. Users who do not have
permission to use a WebUI component do not see data that is related to that
component on their dashboard. For example, a non-master operator who does not
have access to the Software component does not see information that is related to
software packages. Operators that are limited to a specific set of devices see device
totals that reflect their device assignments. For example, their dashboard totals will
be different than totals for master operators, and might include zeros.
Operators who do not have access do not see Query in the Content menu, and
cannot access the Query landing page through the URL. Operators with access see
the Query button on the Overview and Device document pages.
An operator’s Can Submit Queries setting does not control access to the WebUI
Query component; the All Content > WebUI Apps permissions do. An operator’s
Can Submit Queries permission controls whether their requests can be submitted
to the REST API that supports queries. Since processes other than the Query app
also submit such requests, a REST-specific setting for operators is used.
• When Can Submit Queries is set to “Yes”, an operator who submits a query
receives results.
• When Can Submit Queries is set to “No”, an operator who submits a query
does not receive results, but instead receives the error message, “The logged in
user is not allowed to submit queries”.
For more information about configuring BigFix Query’s optional settings and using
its REST APIs, see “Getting client information using BigFix Query” in the BigFix
Platform Configuration Guide. Administrators might be interested in learning how
to set query time-out limits for Master Operators and Non-Master Operators.
You are free to edit permissions in any location you desire; however, to avoid
redundancy, we will primarily consider the All Content > WebUI Apps location in
the Console.
In the Operator Permissions tab there are two sets of permissions listed: Explicit
Permissions and Effective Permissions. Explicit permissions are those permissions
that are granted directly to that Operator. Prior to WebUI, these are the
permissions set per Operator in All Content > Operators. Explicit permissions are
the base permissions for any given Operator. They do not exist for Roles and are
therefore not listed as a column in the Role Permissions tab.
To set permissions by Operator, Role, or apply a global permission set, perform the
following steps:
1. From All Content > WebUI Apps, select the WebUI component whose
permissions you wish to alter:
• Custom
• Patch
• SWD
2. In the Operator Permissions tab, check the Enable for All Operators checkbox
to toggle permissions for all Operators. This affects all Operators’ effective
permissions and leaves their explicit permissions as is.
3. Use the Role Permissions tab to change effective permissions for any Roles.
Selecting a defined Role and using the Allow and None buttons sets the Role’s
permissions in an identical manner as using the All Content > Roles site.
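The additive model of explicit and effective permissions described above lends itself to a least-privilege audit: list every Operator whose access to a component comes only from a Role or from Enable for All Operators. The following is an added example, not IBM code; the data model, the class and function names, and the sample operators and roles are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    allow: bool                                 # Allow / None in the Role Permissions tab
    members: set = field(default_factory=set)   # operator names (constructed)


@dataclass
class ComponentPermissions:
    """Permission state for one WebUI component (for example Patch), as modelled here."""
    explicit: dict                              # operator name -> explicit grant (True/False)
    roles: list = field(default_factory=list)
    enable_for_all: bool = False                # the "Enable for All Operators" checkbox

    def operators(self):
        names = set(self.explicit)
        for role in self.roles:
            names |= role.members
        return sorted(names)

    def sources(self, operator):
        """Every reason the operator has effective access; an empty list means no access."""
        found = []
        if self.explicit.get(operator, False):
            found.append("explicit")
        found += [f"role:{r.name}" for r in self.roles
                  if r.allow and operator in r.members]
        if self.enable_for_all:
            found.append("enable-for-all")
        return found

    def effective(self, operator):
        # Additive: any single grant is enough, and a denial elsewhere never removes it.
        return bool(self.sources(operator))

    def inherited_only(self):
        """Operators with effective access but no explicit grant, with the reasons."""
        report = {}
        for op in self.operators():
            src = self.sources(op)
            if src and "explicit" not in src:
                report[op] = src
        return report


# Constructed sample: bob is denied explicitly but belongs to a Role that allows Patch.
PATCH = ComponentPermissions(
    explicit={"alice": True, "bob": False, "carol": False},
    roles=[Role("PatchAdmins", True, {"bob"}),
           Role("Helpdesk", False, {"bob", "carol"})],
)

if __name__ == "__main__":
    for name in PATCH.operators():
        print(name, PATCH.effective(name), PATCH.sources(name))
    print("inherited only:", PATCH.inherited_only())
```

Reviewing the `inherited_only()` report before and after ticking Enable for All Operators shows exactly which Operators gain access that their explicit settings do not grant.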
Setting this value for an Operator sets the explicit value. The effective value is also
displayed, which is only altered by the same setting in a Role that the Operator is
a member of. As in all permissions, this permission is additive between Operators
and Roles they are members of.
If setting this value within a Role, you are setting the effective value for any
associated Operators.
Note: The WebUI Interface Login Privileges affect the ability to log in to the WebUI
only. They do not affect an Operator’s ability to log in to the traditional Console. Separate
settings allow control over Console and REST API usage.
Setting this value for an Operator sets the explicit value. The effective value is also
displayed, which is only altered by the same setting in a Role that the Operator is
a member of. As in all permissions, this permission is additive between Operators
and Roles they are members of.
If setting this value within a Role, you are setting the effective value for any
associated Operators.
Use the Update Manager to view and apply available updates, and to see which
versions are currently running. Click the Settings icon on the navigation bar to
open the Update Manager. Only Master Operators see this icon.
To install an update:
1. Click Select to display a confirmation dialog that shows the version you will be
running following the update.
2. Click Update Now to complete the operation, or Cancel to return to the
Update Manager.
When you run an update, the release you selected and all the updates preceding it
are applied. In other words, selecting an update installs all the updates up to, but
not beyond, the indicated point in time. The number following the release date
shows the number of updates included in that release.
The application version number is shown for each update, and reflects the
application site. For example, the Patch application resides in the WebUI Patch site,
the Custom Content application resides in the WebUI Custom site, and so on. The
WebUI application itself, which includes the Common application, the ETL
application, and the Login application, resides in the Common site. The Update
Manager application resides in the Application Administration site.
Notes
• If AutoUpdate is On and the delay period is set to zero, the number of available
updates in the Update Manager will also be zero, because new updates are
automatically applied.
• If AutoUpdate is On and the delay period is set to 30 days, the number of
available updates will extend back 30 days, because updates older than 30 days
have been applied.
• If AutoUpdate is Off, the number of available updates will extend back in time
for an indefinite period.
Use the BigFix Console to adjust the AutoUpdate and AutoUpdateDelay settings
on the computer where the WebUI service is installed.
Note: The first time that you change the AutoUpdate and AutoUpdateDelay
defaults following installation of the WebUI, you will be adding the client settings
specified below, not updating them. To add a setting for the first time, in Step 3 of
Drag tiles to arrange them, and preview dashboard designs as you build. Draw
from a library of pre-defined tiles, or design your own.
While the WebUI’s default overview tiles are useful to many users, the custom tiles
enable you to place critical information specific to your own deployment on the
WebUI and Executive overviews. Use the five custom tile types to design and
build your own tiles: Key Numbers, Summaries, Lists, Checks, and Charts.
To add a tile:
1. Click the Add Tile button. Place up to six tiles on a dashboard. To add a tile to
a dashboard that already has six, delete one first.
2. Select a tile from one of the tile libraries.
• To add a custom tile, click the Add Custom Tiles bar. For instructions on
building custom tiles, see “Working With Custom Tiles” on page 36.
• To add a predefined tile, click the Add From Tile Library bar. Select a tile
and drag it to the required location. For a description of each tile and its
elements, see “Working with Predefined Tiles.”
Select a custom tile from the Edit Dashboard page to display the Build Tile page.
1. Enter a title for the tile. The Preview area on the right side of the page
shows the tile-in-progress.
2. Select a BigFix object from the Build Tile drop-down list:
• Devices
• Deployments
• Packages (Software)
• Patches
• Tasks (Custom Content)
The next example illustrates the use of multiple filters. On the left: critical patches
with 10 or more vulnerable devices on Windows machines. On the right: the same
operation in a tile filter.
On a tile, you can display data based on more than one high-level object by using
a complex filter. (List filters don't perform this type of operation.) Complex filters
appear at the end of an object's Condition list.
In a complex filter the condition box is nested inside the top-level object.
A basic understanding of how complex filters are processed will help you use
them effectively.
1. A query is performed on each top-level object: some combination of Devices,
Patches, Software Packages, Tasks, and Deployments. Every instance of each
condition specified is found.
2. A set intersection on the results of both queries is created using an identifier
common to both, and the results are returned to you. For example, a complex
filter that involves devices creates a list of Device IDs that meet the conditions
specified for each object. The set of Device IDs common to both lists is
returned.
• On the Build Tile page, drag a line item to change its order in the Items list.
Click the X to delete it.
• Click the pencil icon to edit a line item. Continue refining a tile and its filters
until you click Done. At that point, they can no longer be edited.
• The Define Filters page prevents you from accidentally selecting the same
condition twice (they are inactive in subsequent drop-down lists).
• Tile results that are derived from complex filters are not clickable (hyper-linked
to related data).
• Filters that are concise and limited in scope run more efficiently. Broad, general
filters that return large data sets take longer and use more resources.
Performance is not static, and various factors can influence it, including
hardware changes, changes in the number of endpoints, and the amount of data
an operator has access to.
• If a complex filter returns unexpected results, check for:
– An empty set. If one of the filters returns 0 (for example, because you did not
specify a condition), any intersection with that set will also return 0.
– A very large set. If one of the filters returns every instance in the set, for
example, all devices that have an applicable patch, the results will contain all
instances. While accurate, they might be so broad as to be meaningless.
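The two-step processing of complex filters and the two troubleshooting cases above can be reproduced on a small data set. This is an added example, not WebUI code; the inventory, the function names and the way conditions are expressed are constructed for illustration, and a missing condition is modelled as an empty result, following the troubleshooting note.

```python
# Constructed sample inventory: device ID -> attributes, patch name -> attributes.
DEVICES = {
    101: {"os": "Windows"},
    102: {"os": "Windows"},
    103: {"os": "Linux"},
    104: {"os": "Linux"},
}
PATCHES = {
    "Fixlet A": {"severity": "Critical", "applicable": {101, 103}},
    "Fixlet B": {"severity": "Low", "applicable": {102, 104}},
    "Fixlet C": {"severity": "Critical", "applicable": {103, 104}},
}


def query_devices(condition):
    """Step 1 for the Devices object: IDs of every device that meets the condition."""
    if condition is None:            # no condition specified: empty result (assumption)
        return set()
    return {dev_id for dev_id, attrs in DEVICES.items() if condition(attrs)}


def query_patches(condition):
    """Step 1 for the Patches object: IDs of devices with any matching applicable patch."""
    if condition is None:
        return set()
    ids = set()
    for attrs in PATCHES.values():
        if condition(attrs):
            ids |= attrs["applicable"]
    return ids


def complex_filter(device_cond, patch_cond):
    """Step 2: intersect the per-object results on the identifier they share (Device ID)."""
    per_object = {
        "Devices": query_devices(device_cond),
        "Patches": query_patches(patch_cond),
    }
    result = per_object["Devices"] & per_object["Patches"]
    warnings = []
    for name, ids in per_object.items():
        if not ids:
            warnings.append(f"{name} filter returned an empty set")
        elif ids == set(DEVICES):
            warnings.append(f"{name} filter matched every device")
    return result, warnings


if __name__ == "__main__":
    linux = lambda d: d["os"] == "Linux"
    critical = lambda p: p["severity"] == "Critical"
    print(complex_filter(linux, critical))           # narrowed by both objects
    print(complex_filter(linux, None))               # empty-set case
    print(complex_filter(lambda d: True, critical))  # very-large-set case
```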
Use this tile to track device compliance for specific patches and custom content
(tasks and baselines). Percentages for each bar are calculated by dividing the
number of unique non-relevant devices by the total number of devices. The tile
total is calculated by dividing the number of unique non-relevant devices by the
total number of devices for all line items on the tile. For example, in the sample
tile pictured, 20% of all devices are compliant with Fixlets A, B, and C.
When you work with bar charts on the Define Filters page, start by gathering the
data for your chart by using the Add Condition and Add Value buttons. Then, use
the fields in the Set Bars pane to visually represent the components of that data.
The Create chart bars based on field prevents you from inadvertently duplicating
the conditions used in the filter by disabling them in the drop-down list.
Operator Performance
Operators functioning within the WebUI may encounter performance issues. Due
to the inherent design of the WebUI, Operators’ ability to affect performance is
limited.
Slow Filters
Filtering options can cause query delays. The following filters currently create the
most overhead and avoiding them might help alleviate the issue:
• Deployments List > Failure Rate
• Patch > Sort by Name
• Patch > Sort by Release Date
Concurrence
A source of slow WebUI performance can be concurrence, or the number of
Operators accessing the WebUI at the same time.
Operator Shaping
One way to limit the load on the WebUI at any given moment is to shape your
Operators’ ability to interact with endpoints.
Limiting Operators and Roles to specific content and/or subsets of endpoints can
greatly reduce query overhead. If a given Operator is only concerned with a subset
of endpoints, such as Windows endpoints, best practice is to define their role
accordingly. Removing unnecessary content can greatly reduce the load on the
server.
Environment Upgrades
Several key environment considerations can greatly increase WebUI performance.
Increasing the CPU cores of your server machine to support WebUI is both a
requirement and an option to help alleviate performance issues. However, the
nature of the WebUI favors faster cores over more cores. If your CPUs are clock
limited, increasing the clock speed will have an enormous performance impact.
Upgrading your deployment to faster clocked cores will have a significantly bigger
impact than increasing the number of cores.
ETL Performance
The single biggest performance factor is the ETL process between the IBM BigFix
server and the WebUI server.
Currently the ETL is not multithreaded and is performed on a single CPU core. It
is expected behavior to see CPU usage spikes when the ETL is running. Upgrading
your CPU clock speed can help alleviate this performance bottleneck.
Windows Deployment
Linux Deployment
//var/opt/BESServer/WebUI/Logs/
It is possible to change the location where logs are written as well as alter the
verbosity of the log files. These options can be performed by creating or editing
several server settings as described in Chapter 9, “WebUI Server Settings,” on page
51. Note that these settings should not be altered under most circumstances and
should be reserved for very specific situations.
These settings are for advanced users only and chiefly exist to help troubleshoot
issues or tweak behaviors to optimize performance for your specific deployment.
As a rule, these settings should not be changed unless specifically required; some
of these settings can drastically affect the behavior and performance of your
deployment.
Locate your WebUI Server by navigating to All Content > Computers. Select your
server computer and right click. Select Edit Computer Settings to display the Edit
Settings dialogue box.
For detailed instructions on adding or editing server settings, see the IBM BigFix
Console Operator's Guide. Server settings are written in the following format:
<server_setting_name>=<value>
Click Add or Edit to create or edit a new server setting. Note that all server
settings begin with an underscore.
Note: The BesRootServer service must be restarted to apply these server settings.
_WebUI_AppServer_IsEnabled
Enables and disables the WebUI. The default is 0. Value 1 enables the WebUI. This
parameter is set by Fixlet 2252 as part of WebUI enablement as described in
“Enable the WebUI (Platform V9.2.6 – V9.5.2)” on page 9.
_WebUI_Logging_Filter
The value of this parameter is a regular expression that filters events to be logged.
The default is:
bf*error,bf:bfetl:debug,bf:bfapp:debug,bf:appmonitor:debug
bf*
To log all debug events including third party applications use simply:
_WebUI_Logging_LogPath
<server_dir>/WebUI/logs/service-app.log
Note that it is not possible to define the names of any logs except the service app
log.
_WebUI_Logging_LogMaxSize
This defines the maximum size of each log file in bytes. The default is 5,242,880 or
5 MB (5*1024*1024). When a log file exceeds the limit set here, a second log file is
created. This continues until 10 log files have been created, at which point, the first
log file is overwritten. Therefore the maximum log file size for each log is ten times
the value defined here.
Note that depending on usage, log files for each WebUI Application may be
written at very different rates. This parameter defines the size of all log files.
_WebUI_HTTPS_Port
This parameter defines the port used for HTTPS. The default is 443. This
parameter is written by Fixlet 2252 during WebUI Enablement. Fixlet 2250 can be
used to change this value at any time. For more information, see “Enable the
WebUI (Platform V9.2.6 – V9.5.2)” on page 9 and “Change Communication Ports”
on page 12.
_WebUI_Redirect_Port
This parameter defines the HTTP port used by WebUI if port 80 is not used. This
setting does not exist by default.
When Fixlets 2252 and 2250 define a port other than 80, this parameter is defined
and enabled. For more information, see “Enable the WebUI (Platform V9.2.6 –
V9.5.2)” on page 9 and “Change Communication Ports” on page 12.
_WebUI_Redirect_Enable
This setting allows the WebUI to use an HTTP port other than 80. This setting does
not exist by default.
If a port other than 80 is required, the value must be set to 1. This parameter
works in conjunction with _WebUI_Redirect_Port.
When Fixlets 2252 and 2250 define a port other than 80, this parameter is defined
and enabled. For more information, see “Enable the WebUI (Platform V9.2.6 –
V9.5.2)” on page 9 and “Change Communication Ports” on page 12.
_WebUI_ETL_DelaySeconds
Lowering this value increases WebUI feedback times but may significantly impact
server performance.
_BESRelay_WebUISiteGather_IntervalMinutes
This setting defines how often the WebUI Server gathers sites published by IBM.
As the title suggests, this variable is an integer representing minutes between site
updates. The default is 5.
_BESRelay_WebUISiteGather_Schedule
This setting defines recurring times at which the WebUI Server gathers sites
published by IBM. This setting overrides the following setting:
_BESRelay_WebUISiteGather_IntervalMinutes. However, when enabling this
setting, it is best practice to change the interval minutes back to the default of 5,
if you have changed it previously.
<Day>:<hh:mm> where <Day> = Mon, Tue, Wed, Thu, Fri, Sat, or Sun
For example, the following value schedules site updates every Sunday at 9:00 AM,
Saturday at noon, and Friday at 10:30 PM.
_BESRelay_WebUISiteGather_Schedule=Sun09:00,Sat12:00,Fri22:30
_WebUI_HTTPS_StrictTransportSecurity
This setting prevents browsers from connecting to the WebUI using HTTP in favor
of HTTPS. The default value is 0. Set this to 1 to enable this security feature.
_WebUIAppEnv_ETL_DIR
Use this setting to change the default location of the WebUI database file,
webui.db. Enter a full file path. The default locations for webui.db are:
Windows Deployment
Linux Deployment
//var/opt/BESServer/WebUI/ETL/
_WebUIAppEnv_ENABLE_WEBUI_METRICS
This setting can be enabled with a value of 1. It turns on more robust ETL logging.
This setting is of value to WebUI developers and has very little value for
administrators under most circumstances.
_WebUIAppEnv_ETL_STATISTICS_THRESHOLD
_WebUIAppEnv_ETL_STATISTICS_THRESHOLD_TIME
This setting defines the times at which the ETL analyzes any tables that meet the
threshold set in _WebUIAppEnv_ETL_STATISTICS_THRESHOLD. The default
value is 03:00, indicating that the analysis runs each day at 3 AM.
Enter comma-separated values in the following case-sensitive format using 24-hour
time:
hh:mm
For example, the following value schedules analysis of relevant tables at
4:00 AM and 2:00 PM every day:
04:00,14:00
_WebUIAppEnv_APP_RESTART_DELAY_SECONDS
This setting defines the number of seconds the App Monitor will wait before
attempting to restart any applications that have stopped for any reason.
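The following Python sketch is an added example, not part of the IBM guide or the product. It audits a set of the settings described above for the HSTS default, the _WebUI_Redirect_Port and _WebUI_Redirect_Enable pairing, and the two schedule formats. The name=value input format and the sample values are assumptions; because the schedule format line and the guide's own example differ on the colon after the day, both forms are accepted.

```python
import re

# Entry formats taken from the guide. The format line shows "<Day>:<hh:mm>" but the
# guide's example omits the first colon ("Sun09:00"), so both are accepted (assumption).
SCHEDULE_RE = re.compile(r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun):?([01]\d|2[0-3]):[0-5]\d")
TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d")


def parse_settings(text):
    """Parse name=value lines (assumed export format) into a dict."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings for the settings documented above."""
    findings = []
    # HSTS defaults to 0 (off) when the setting is absent.
    if settings.get("_WebUI_HTTPS_StrictTransportSecurity", "0") != "1":
        findings.append("HSTS disabled: set _WebUI_HTTPS_StrictTransportSecurity=1")
    # The redirect port works in conjunction with _WebUI_Redirect_Enable=1.
    port = settings.get("_WebUI_Redirect_Port")
    enabled = settings.get("_WebUI_Redirect_Enable") == "1"
    if (port is not None) != enabled:
        findings.append("_WebUI_Redirect_Port and _WebUI_Redirect_Enable=1 must be set together")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("invalid _WebUI_Redirect_Port: " + port)
    for name, pattern in (
        ("_BESRelay_WebUISiteGather_Schedule", SCHEDULE_RE),
        ("_WebUIAppEnv_ETL_STATISTICS_THRESHOLD_TIME", TIME_RE),
    ):
        for entry in filter(None, settings.get(name, "").split(",")):
            if not pattern.fullmatch(entry):
                findings.append("bad entry in %s: %r" % (name, entry))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
_WebUI_Redirect_Port=8080
_BESRelay_WebUISiteGather_Schedule=Sun09:00,Sat12:00,Fri22:30
_WebUIAppEnv_ETL_STATISTICS_THRESHOLD_TIME=04:00,2:00PM
"""

print("\n".join(audit(parse_settings(SAMPLE))))
```

On the constructed sample this reports three findings: HSTS left at its default of 0, a redirect port defined without _WebUI_Redirect_Enable, and a 12-hour time in the statistics schedule.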
Note: If you want to use SAML with the full complement of WebUI applications
and functions, do not use SAML-Only mode. Instead, use the standard enablement
procedures: WebUI Enablement in this guide, and Enabling SAML V2.0
Authentication for LDAP Operators in the Platform Configuration Guide.
Note: To enable SAML authentication for Web Reports, Web Reports must be
enabled for SSL. (This is required whether WebUI is in standard or SAML-Only
mode.) For instructions, see How to Configure BigFix to Integrate With SAML
2.0 in the Platform Configuration Guide.
7. Restart the BES Root Server and the Web Reports services to complete the
process. SAML authentication is now enabled for Web Reports, BigFix Console
and WebUI, running in SAML-Only mode.
Notes
- In SAML-Only mode, appending /login to your WebUI URL displays the
  standard WebUI login form.
- Logging in to the WebUI (using either SAML or the /login page) redirects users
  to the SAML Administration page. On this page Master Operators can configure
  SAML settings. Non Master Operators will see the “403 (Forbidden)” message,
  and will not be able to view or edit the SAML configuration.
- If a user attempts to manually access the / URL after logging in, they will see a
  blank WebUI dashboard. Only the Home and Log Out controls will be active.
  Logging out redirects the user to the Reauthenticate page, regardless of the
  method they used to log in. All other navigable WebUI URLs (except / and the
  SAML Administration page) return an “Access Forbidden” message.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
All IBM prices shown are IBM's suggested retail prices, are current and are subject
to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to
change before the products described become available.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to actual people or business enterprises is entirely
coincidental.
COPYRIGHT LICENSE:
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the web at www.ibm.com/legal/
copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Java™ and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are
trademarks of HP, IBM® Corp. and Quantum in the U.S. and other countries.
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following
terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the IBM
website.
Personal use
You may reproduce these publications for your personal, noncommercial use
provided that all proprietary notices are preserved. You may not distribute, display
or make derivative work of these publications, or any portion thereof, without the
express consent of IBM.
Commercial use
You may reproduce, distribute and display these publications solely within your
enterprise provided that all proprietary notices are preserved. You may not make
derivative works of these publications, or reproduce, distribute or display these
publications or any portion thereof outside your enterprise, without the express
consent of IBM.
Rights
IBM reserves the right to withdraw the permissions granted herein whenever, in its
discretion, the use of the publications is detrimental to its interest or, as
determined by IBM, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full
compliance with all applicable laws and regulations, including all United States
export laws and regulations.
Printed in USA