Agent third-party deployment: Configure the Bootstrap File for UNIX

FlexNet Manager Suite 2021 R1 (On-Premises)

The initial configuration of the FlexNet inventory agent can be set for UNIX-like platforms, even though no template file is provided.

For UNIX and OS X, there is no sample bootstrap configuration file available through the central application server. Instead, you can prepare your customized bootstrap configuration file as follows:

To prepare a mgsft_rollout_response file:

  1. Copy the sample text from Agent third-party deployment: Sample UNIX Bootstrap Configuration File into your preferred flat-text editor on a UNIX-like platform.
    Tip: Do not edit the file on a Windows device, as this introduces line-ending character pairs that are invalid for UNIX, and is also likely to add an inappropriate file type.
  2. Locate and edit the following line to identify the inventory beacon from which the new managed device should download its initial policy:
    MGSFT_BOOTSTRAP_DOWNLOAD=http://beacon.mydomain.com:8080/ManageSoftDL/
    • For comparison, in the automated adoption process (the Adopted case, where the inventory beacon installs FlexNet inventory agent by remote execution), it is mandatory to use the HTTP protocol. Because you are independently managing your own deployment, it's also normal to use the HTTP protocol for bootstrapping, because it is simpler to set up and get operational. However, if you require the HTTPS protocol for your own deployment, insert it in this value.
    • Replace the placeholder beacon.mydomain.com with the fully qualified domain name of the inventory beacon. If required, and provided that you are using the HTTP protocol, you may instead use the server's IP address. (There are widely publicized issues around using an IP address with the HTTPS protocol.) Because you are specifying this address at the FlexNet inventory agent end of the communication link, this may use either the IPv4 or IPv6 address families. Keep in mind that, because the fail-over list of inventory beacons delivered through policy must use names (host or FQDN) to support legacy versions of FlexNet inventory agent, names are used rather than IP addresses as soon as policy is delivered.
    • If you are using the default port (80 for HTTP, and 443 for HTTPS), you can omit the port number. For any custom port numbers, include the port number in the URL as shown (:8080).
    • The string literal ManageSoftDL is the name of the web service that handles downloads to managed devices. This value is mandatory.
  3. Following those same guidelines, edit the following value for the upload location on the same inventory beacon.
    MGSFT_BOOTSTRAP_UPLOAD=http://beacon.mydomain.com:8080/ManageSoftRL/
    To bootstrap the UNIX agents, both the download and upload locations must be specified. (This is not the case for the agents on Windows, where only the download location is required.) Notice that ManageSoftRL is the name of a web service on the inventory beacon that receives the uploaded inventory and saves it by default to %CommonAppData%\Flexera Software\Incoming\Inventories.
    Tip: The section about proxies in the bootstrap file is only required in the unusual circumstances that you have a proxy between the managed device(s) and the inventory beacon(s) (in which case follow the guidance in the template). When this is not the case, leave these settings commented out.
  4. Optionally, configure the local web server on inventory beacons to use HTTPS protocol.
    The web server on the inventory beacon defaults to using the HTTP protocol for simplicity of communications between managed devices and the inventory beacon. However, if you need to use the HTTPS protocol over this leg of the upload/download chain, you may also need to configure how the managed devices should check the security certificates originating from the inventory beacon server. The choice of protocol, along with the configuration for certificate checking if HTTPS is used, are downloaded to managed devices as part of their policy (policy is generated automatically by the inventory beacons). From large to small granularity, the available certificate controls that can be configured in the mgsft_rollout_response file include:
    • Whether to check the security certificates at all.
    • If checking the supplied certificate, whether to also check that the certificate is still current (that is, that it has not been revoked by a certificate authority). The default is to validate that the certificate has not been revoked and is still current. This is particularly important when using certificates from public certificate authorities on the Internet. If you are providing your own internal certificate authority and long-term certificates, you may choose to turn off the check for revocation of certificates.
    • Choosing between, and prioritizing, the two methods for checking certificate revocation.
    • Creating caches where downloaded revocation responses can be saved for a limited time.
    • Setting cache time-out values for each method used.
    Tip: If you are checking server certificates, you must deploy a copy of the appropriate certificate to each managed device. This allows the managed device to check the supplied certificate that covers each download from the inventory beacon server. This is described in Agent third-party deployment: Installing FlexNet inventory agent on UNIX, and there is more information in Agent third-party deployment: Enabling the HTTPS Protocol on UNIX Agents and Agent third-party deployment: HTTPS CA Certificate File Format (UNIX).
    Settings declared in the mgsft_rollout_response affect all components of the FlexNet inventory agent equally. It is also possible to override behaviors for individual components. For details see the preference topics included in the following list. To modify the defaults for certificate checking, use the following settings (in the order corresponding to the above descriptions):
    1. Server certificates are checked by default. Uncomment and edit the following line to prevent any certificate checking:
      MGSFT_HTTPS_CHECKSERVERCERTIFICATE=false
      With this setting false, you get the standard encryption of network traffic between managed device and inventory beacon, but no further security: the managed device does not verify that it is communicating with the genuine inventory beacon. (After installation of the FlexNet inventory agent, this setting appears as CheckServerCertificate in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See CheckServerCertificate for more.)
    2. Optionally, when you are using internal certificate authorities, you may uncomment and edit the following line to prevent a check for revocation of certificates:
      MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION=false
      With this setting false, you get a check that the download is coming from the genuine inventory beacon; but there is no check whether the inventory beacon may have been compromised and its certificate subsequently revoked. (After installation of the FlexNet inventory agent, this setting appears as CheckCertificateRevocation in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See CheckCertificateRevocation for more.)
    3. Optionally, modify the method(s) that the FlexNet inventory agent uses to check whether a downloaded server certificate has been revoked by a certificate authority. Uncomment and edit this line:
      MGSFT_HTTPS_PRIORITIZEREVOCATIONCHECKS=OCSP,CRL
      With this default setting, the FlexNet inventory agent first tries for an efficient OCSP response about the single certificate. If this fails, it next tries to download a Certificate Revocation List (CRL) from the certificate authority; but as this file lists every revoked certificate, it can be a large file that is time-consuming to fetch. Reverse the order (CRL,OCSP) to change the priorities around; or omit one or the other (and the comma) to turn off that kind of revocation checking. (After installation of the FlexNet inventory agent, this setting appears as PrioritizeRevocationChecks in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. See PrioritizeRevocationChecks for more.)
    4. Optionally, change the settings for each cache you may use by uncommenting and editing the appropriate lines from the following pair:
      MGSFT_HTTPS_SSLCRLCACHELIFETIME=64800
      MGSFT_HTTPS_SSLOCSPCACHELIFETIME=64800
      After installation of the FlexNet inventory agent, these settings also appear in the /var/opt/managesoft/etc/config.ini file, in the [ManageSoft\Common] section. For more information about these settings, see:
  5. When deploying the FlexNet inventory agent into a subnet that uses IPv6 addresses in the network layer, uncomment the following line to cause these to be used in preference to any IPv4 addresses that may also be returned from a DNS:
    PREFERIPVERSION=ipv6
    This setting is used in common by multiple components of the FlexNet inventory agent (including the tracker, the launcher, and the upload component). Where this is specified but IPv6 addresses are not provided, operations fail over to the use of IPv4 addresses. Where the preference is not specified (or is specified with an unrecognized value), the default behavior is to use the IP version of the first address in the list returned from the Domain Name System (DNS) through the operating system (which, depending on local settings, may also affect the order of the list).
  6. If you are planning to deploy the FlexNet inventory agent to a custom location on the AIX operating system, and you want to use a custom folder for data exchange by the various components, append the following line to your file:
    COMMONAPPDATAFOLDER=/absolute/path/and/folder

    The path should not contain white space characters. Use an absolute path in its simplest canonical form, without relative path elements. For example, to use the folder /var/lib/flexera as the data directory accessed by all components of the FlexNet inventory agent, include this line in your mgsft_rollout_response file:

    COMMONAPPDATAFOLDER=/var/lib/flexera

    Unlike the installation path, the data path is created by the installer if it does not already exist. If you omit this option from the mgsft_rollout_response file for a new installation, the default (/var/opt/managesoft) is used for the data folder. This setting is required only on the AIX platform, and only when you require a custom data folder. The setting is ignored for all other platforms.

  7. If you prefer that UNIX-like devices report themselves as present in a Windows domain (which may help resolve inventories from multiple sources, as well as providing consistent data presentation in the web interface of FlexNet Manager Suite), you can set the domain name by adding lines like the following to your file:
    # Dummy domain name for reporting by UNIX-like devices
    MGSFT_DOMAIN_NAME=mydomain.com

    Replace the mydomain.com placeholder with the domain name to use for reporting. (After deployment, this value is stored in the ComputerDomain preference, saved for UNIX-like devices in the /var/opt/managesoft/etc/config.ini file. For details, see ComputerDomain.)

  8. Save the file as mgsft_rollout_response.
    Tip: Leave MGSFT_RUNPOLICY=1 unchanged, so that downloaded policy is applied after installation. For as long as policy is not available for any reason, on UNIX and OS X the agents run a daily check for policy at a random time between 8am and 11pm (local time on the managed device) until policy is successfully downloaded. (This catch-up behavior is different than the Windows agents, which rely on a machine reboot to check again for missing policy.) Once policy (with schedule) is initially downloaded, it is updated daily on the downloaded schedule, refreshing client settings, inventory-gathering schedule, and the like.
  9. Configure your preferred deployment technology to install a copy of this file as /var/tmp/mgsft_rollout_response on the target device(s).
    The path and file name are mandatory. This file must be present before FlexNet inventory agent is installed. Post installation scripts in the installation package for FlexNet inventory agent use properties from this file to create the initial configuration.
Tip: In preparing the Windows bootstrap file (mgssetup.ini), you could turn application usage tracking on for the managed devices using the bootstrap file. This is not possible in the bootstrap file for UNIX-like systems. To turn on usage tracking, the simplest path is to set usage tracking as part of defining targets (in the web interface of FlexNet Manager Suite), so that managed devices receive this setting as part of their downloaded policy. Manually editing config.ini for UNIX-like platforms is also possible (see Agent third-party deployment: Updating config.ini on a UNIX Device), but this approach is not as easy to scale.
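
A pre-deployment check for the file prepared in the steps above, as an added example that is not part of the Flexera documentation or tooling. It tests only settings named on this page: line endings, the two mandatory locations and their web service names, weakened certificate checking, and the COMMONAPPDATAFOLDER path rules. The helper names, the exit-status convention and the choice to treat HTTPS with an IP address as an error are assumptions of this example.

```shell
# Added example: pre-deployment lint for a mgsft_rollout_response file.
# get_val and lint_rollout_response are hypothetical helpers, not Flexera tools.
get_val() {  # print the value of the last uncommented KEY= line in file $2
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

lint_rollout_response() {
    f=$1; rc=0
    # A file edited on Windows carries CR characters that are invalid on UNIX.
    if grep -q "$(printf '\r')" "$f"; then
        echo "ERROR: CR line endings found"; rc=1
    fi
    # UNIX agents need both locations, each ending in its mandatory service name.
    for pair in MGSFT_BOOTSTRAP_DOWNLOAD:ManageSoftDL MGSFT_BOOTSTRAP_UPLOAD:ManageSoftRL; do
        key=${pair%%:*}; svc=${pair##*:}; url=$(get_val "$key" "$f")
        case $url in
            http://?*/"$svc"/|https://?*/"$svc"/) ;;
            *) echo "ERROR: $key must be set to http(s)://<beacon>/$svc/"; rc=1 ;;
        esac
        # The page allows an IP address only with the HTTP protocol.
        if printf '%s\n' "$url" | grep -Eq '^https://(\[|([0-9]{1,3}\.){3}[0-9]{1,3}[:/])'; then
            echo "ERROR: $key uses HTTPS with an IP address; use the beacon FQDN"; rc=1
        fi
    done
    # Weakened certificate checking is permitted, so report it without failing.
    for key in MGSFT_HTTPS_CHECKSERVERCERTIFICATE MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION; do
        case $(get_val "$key" "$f") in
            [Ff][Aa][Ll][Ss][Ee]) echo "WARN: $key=false weakens HTTPS checking" ;;
        esac
    done
    # COMMONAPPDATAFOLDER: absolute, no white space, no relative path elements.
    dir=$(get_val COMMONAPPDATAFOLDER "$f")
    case $dir in
        *[[:space:]]*|*/./*|*/../*|*/.|*/..|[!/]*)
            echo "ERROR: COMMONAPPDATAFOLDER must be absolute, canonical, no white space"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input, using only settings named on this page.
sample=$(mktemp)
printf '%s\n' 'MGSFT_BOOTSTRAP_DOWNLOAD=https://beacon.mydomain.com/ManageSoftDL/' \
    'MGSFT_BOOTSTRAP_UPLOAD=https://beacon.mydomain.com/ManageSoftRL/' \
    '#MGSFT_HTTPS_CHECKSERVERCERTIFICATE=false' > "$sample"
if lint_rollout_response "$sample"; then echo "OK to deploy"; fi
rm -f "$sample"
```

A non-zero status means the file should be corrected before it is installed as /var/tmp/mgsft_rollout_response; WARN lines are reported but do not change the status.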
