CONFIG mode command details
The following commands are available from the CONFIG mode.
activemq
Apache ActiveMQ service is an open source message broker with a full Java Message Service (JMS) client. When enabled, the service fosters communication from more than one client or server.
Example
/config#activemq
Warning:Maintenance mode command.
Portal service will be stopped during this operation. Proceed? (y/n)
banner
Defines the text to appear in the CLI login banner. The text also appears on the Admin Portal, Ivanti EPMM System Manager, and self-service user portal login screens.
Specify the following parameters:
Parameter | Description
bannername | Multi-word string enclosed in quotes.
Example
/config#banner "Welcome MyCompany"
certificate client
Generates a self-signed certificate for the client for use with Transport Layer Security (TLS). You can also use the Ivanti EPMM System Manager Security > Certificate Mgmt page for this command. For more information, see “Certificate Mgmt” in the Ivanti EPMM System Manager Guide.
Example
/config#certificate client
Tlsproxy service will be disrupted.
Would you like to proceed? [y/n]:
/config#
The CLI does not provide a confirmation that the certificate was generated.
certificate portal
Generates a self-signed certificate for Sentry configurations. For more information, see “Certificate Mgmt” in the Ivanti EPMM System Manager Guide.
Example
/config#certificate portal
Services will be disrupted.
Would you like to proceed? [y/n]: y
/config#
The CLI does not provide a confirmation that the certificate was generated.
clock set
Sets the date and time on Ivanti EPMM.
Specify the following parameters:
Parameter | Description
time | Current time using the format HH:MM:SS. Specify the hours as a value between 00 and 23.
day | Day of the month as a value between 1 and 31.
month | Month of the year. Specify one of the following: January, February, March, April, May, June, July, August, September, October, November, December.
year | Specify as a 4 digit string. For example: 2021
Example
/config#clock set 10:34:59 23 February 2021
/config#
common_criteria_mode
Sets Common Criteria mode on Ivanti EPMM. After the command completes, do a reload for it to take effect on Ivanti EPMM.
Common Criteria mode refers to a set of features in Ivanti EPMM that meet requirements associated with Common Criteria. Also referred to as Common Criteria for Information Technology Security Evaluation, Common Criteria is an international set of guidelines and specifications for evaluating information security products to ensure they meet the established security standard for government deployments.
Example
/config#common_criteria_mode
....
/config#do reload
Enter yes to save.
Enter yes to reboot.
The system will not be reachable until the reboot is complete.
db-admin-account
This command locks and unlocks MySQL miadmin accounts.
Parameter | Description
lock | Lock the MySQL database miadmin account.
unlock | Unlock the MySQL database miadmin account.
Example
/config#db-admin-account lock
do
Runs EXEC or EXEC PRIVILEGED commands from CONFIGURE mode.
Use the do command when you are in CONFIGURE mode and want to run a command from EXEC PRIVILEGED mode, but don’t want to have to exit and reenter CONFIGURE mode. After the keyword do, enter the command. For example:
config#do ping someWebSite.com
The following table lists the commands you can run using do:
Command |
Description |
Clears the ARP cache on Ivanti EPMM. |
|
Sets the date and time on Ivanti EPMM. |
|
Returns to EXEC mode. |
|
Describes the interactive help system. |
|
Performs a DNS lookup for a specified IP address or host name. |
|
Closes the terminal window. |
|
Sends echo messages. |
|
Turns off Ivanti EPMM. |
|
Halts Ivanti EPMM and performs a code restart. |
|
show |
Executes show commands specified in EXEC mode commands and EXEC PRIVILEGED mode commands. |
Opens a telnet connection. |
|
Sets the idle timeout for the CLI. |
|
Traces route to destination. |
|
Saves configuration changes. |
Example
/config#do show banner
enable secret
Changes the enable-secret password. This password allows you to change from EXEC mode to EXEC PRIVILEGED mode in the CLI.
You can also use the Ivanti EPMM System Manager Settings > CLI page for this command. For more information, see “CLI” in the Ivanti EPMM System Manager Guide.
Example
/config#enable secret NewPwd123
end
Returns to EXEC PRIVILEGED mode.
Example
/config#end
eula
Sets the End User License Agreement (EULA) information.
Specify the following parameters:
Parameter | Description
companyname | The name of the company accepting the EULA. Enclose the name in double quotes if it contains spaces.
contactname | The name of the contact at the company. Enclose the name in double quotes if it contains spaces.
contactemail | Email address for the contact.
Example
/config#eula "My Company" "Joe Doe" [email protected]
fips
Enables FIPS mode on Ivanti EPMM.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application. Ivanti EPMM products are FIPS 140-2 Level 1 Compliant.
Enabling FIPS mode results in Ivanti EPMM changing the selected TLS protocol version for incoming connections to TLS 1.2 and the disabled TLS versions to TLS 1.0 and TLS 1.1. For outgoing connections, the selected and disabled lists remain unchanged. See "Advanced: Incoming SSL Configuration" and "Advanced: Outgoing SSL Configuration" in the Ivanti EPMM System Manager Guide.
Example
/config#fips
1/3 Generating initramfs-2.6.32-696.6.3.el6.x86_64.fips.img ... This will take a while
1/3 Generating initramfs-2.6.32-696.6.3.el6.x86_64.fips.img ...Done
2/3 Updating grub.conf ...
2/3 Updating grub.conf ...Done
3/3 Updating prelink configuration
3/3 Updating prelink configuration...Done
Must reload system before FIPS 140 enabled.
/config#do reload
- Enter yes.
- Enter yes.
The system will not be reachable until the reboot is complete.
hostname
Configures Ivanti EPMM’s fully-qualified host name.
Specify the following parameter:
Parameter | Description
hostname | The fully-qualified host name for Ivanti EPMM.
You can also use the Ivanti EPMM System Manager Settings > DNS and Hostname page for this command. For more information, see “DNS and Hostname” in the Ivanti EPMM System Manager Guide.
Example
/config#hostname myhost123
Please reload the system for the changes to be effective.
/config#
hsts-disable
Disables HSTS.
You can also use the Ivanti EPMM System Manager Security > Advanced > HSTS page for this command. For more information, see “Advanced: HSTS” in the Ivanti EPMM System Manager Guide.
Example
/config#hsts-disable
HSTS disabled adn httpd service to be restarted in 1 minute.
/config#
httpd-reset-default-ssl-ciphers
Resets the cipher suites to their default values.
Example
/config#httpd-reset-default-ssl-ciphers
/config#
interface GigabitEthernet
Switches to INTERFACE mode to configure a physical interface. Specify 1, 2, 3, 4, 5, or 6 to select the interface.
You can also configure the physical interfaces in the Ivanti EPMM System Manager Settings > Network > Interfaces page for this command. For more information, see “Managing network interfaces” in the Ivanti EPMM System Manager Guide.
Example
/config#interface GigabitEthernet 2
/config-if#
See INTERFACE mode commands for available commands.
interface VLAN
Switches to INTERFACE mode to configure virtual Local Area Network (VLAN) interfaces. Specify a number between 1 and 4094 for the VLAN ID.
You can also configure the VLAN interfaces in the Ivanti EPMM System Manager Settings > Network > Interfaces page for this command. For more information, see “Managing network interfaces” in the Ivanti EPMM System Manager Guide.
Example
/config#interface vlan 2
/config-vlan#
ip arp
Updates the ARP cache on Ivanti EPMM. The ARP cache stores a mapping of IP addresses with link layer addresses, which are also known as Ethernet addresses and MAC addresses.
Typically, the ARP cache is updated automatically, making this command unnecessary.
Specify the following parameters:
Parameter | Description
IP address | IP address of Ivanti EPMM.
Mac address | Corresponding Mac address, using format:
Interface type | Specify GigabitEthernet or VLAN.
Interface ID | Specify 1 to 6 for GigabitEthernet. Specify 1 - 4094 for VLAN.
Example
/config#ip arp 10.10.15.41 00:50:56:91:71:1B GigabitEthernet 1
ip domain-name
Sets the default domain name for Ivanti EPMM.
You can also configure the default domain name in the Ivanti EPMM System Manager Settings > DNS and Hostname page, described in “DNS and Hostname” in the Ivanti EPMM System Manager Guide.
Example
/config# ip domain-name mycompany.com
/config#
ip name-server
Sets the preferred DNS server, which is the IP address of the primary DNS server to use.
You can also configure the preferred DNS server in the Ivanti EPMM System Manager Settings > DNS and Hostname page, described in “DNS and Hostname” in the Ivanti EPMM System Manager Guide.
Example
/config# ip name-server 10.10.15.6
/config#
ip route
Configures a static network route. This command specifies the subnet mask and gateway to use for routing from a network IP address.
Specify the following parameters:
Parameter | Description
IP address | Network IP address.
mask | Subnet mask.
gateway | IP address for the gateway.
You can also configure a static network route in the Ivanti EPMM System Manager Settings > Network > Routes page, described in “Routes” in the Ivanti EPMM System Manager Guide.
Example
/config#ip route 192.168.57.0 255.255.255.0 10.10.1.1
kparam
This command configures kernel parameters. Specify the following parameters:
Parameter | Description
name | The name of the kernel parameter. Enter rp_filter, log_martians, or tcp_mtu_probing.
value | The value for rp_filter or log_martians. Enter 0, 1, or 2 as follows:
Example
/config#kparam rp_filter 2
/config#kparam log_martians 1
mod-security-disable
Mod_security is an Apache module that helps to protect your website from various attacks. It is used to block commonly-known exploits by use of regular expressions and rule sets. This command disables the Apache ModSecurity module. Requires a restart of the HTTPD service.
Example
/config#mod-security-disable
<cr>
no
Deletes, resets, and disables various system configurations, as described in the following table.
Command | Description
no appanalytics | Disables app analytics.
no banner | Reverts to the original login banner.
no hostname | Reverts the system's fully qualified domain name to localhost.localdomain. Requires a system reload for the change to take effect.
no interface vlan <vlan number 1 - 4094> | Deletes the specified VLAN interface.
no ip arp <IP address> | Deletes the specified IP address from the ARP cache.
no ip domain-name | Deletes the domain-name of Ivanti EPMM.
no ip name-server <IP address> | Deletes the specified Internet name server from the list of Internet name servers that Ivanti EPMM uses for DNS lookup.
no ip route <IP address> <mask> | Deletes the specified static network route from Ivanti EPMM’s routing table.
no ntp <IP address or hostname> | Deletes the specified NTP server from Ivanti EPMM’s list of NTP servers.
no portalacls | Deletes portal ACLs.
no service <service name> | Disables the specified service (ssh or ntp).
no sshd_authorized_key | Disables SSH public key authentication. The public key for the logged in administrator is removed.
no statichost <IP address> | Deletes the static host entry.
no syslog <IP address or hostname> | Deletes the syslog server specified by the parameter.
no system user <username> | Deletes the system user specified by the parameter.
no system aspm | Sets a kernel boot parameter to turn on the PCIe Active State Power Management (ASPM) subsystem on Ivanti EPMM physical appliances.
ntp
Configures the time sources. The time sources are Network Time Protocol (NTP) servers. An NTP server figures out how much the system clock drifts and smoothly corrects it.
You can also configure the NTP servers in the Ivanti EPMM System Manager Settings > Date and Time (NTP) page, described in “Date and Time (NTP)” in the Ivanti EPMM System Manager Guide.
Specify the following parameters:
Parameter | Description
server | Hostname or IP address of the NTP server.
index | The order this NTP server appears in the configuration (0-2).
Example
/config# ntp 172.16.0.1 0
portalacl
Configures the portal Access Control Lists (ACLs), which restrict access to various portals of Ivanti EPMM. Access is restricted to servers or networks by specifying their IP addresses, network and mask pairs, or hostname.
Parameter | Description
module | Enter one of the following options:
host | The IP address, network, or hostname from which access is allowed. Only one host configuration is supported from CLI. Use the Ivanti EPMM System Manager portal to configure multiple hosts or networks.
You can also configure the ACLs in the Ivanti EPMM System Manager Security > Access Control Lists page, described in “Access Control Lists” in the Ivanti EPMM System Manager Guide.
Example
/config#portalacl MyPhoneAtWork 10.101.1.119
randomizer
This command configures a random source. Requires a system reload.
Parameter | Description
random | Using /dev/random may require waiting for the result, as it uses a so-called entropy pool, where random data may not be available at the moment. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.
urandom | /dev/urandom returns as many bytes as user requested and thus it is less random than /dev/random. A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current unclassified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.
Example
/config#randomizer urandom
reset-devshell-password
This command resets the devshell password.
Example
/config#reset-devshell-password
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.000208748 s, 4.9 MB/s
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 0.00016912 s, 6.1 MB/s
devshell password reset successfully.
resize_boot_partition
Increases the boot partition size to 1 GB. Executing this command stops all Ivanti EPMM services, and must be followed by an Ivanti EPMM reload. See reload.
Example
/config#resize_boot_partition
service
Enables the service ssh or ntp. For ssh, this command also sets the number of instances allowed for the service.
Parameter | Description
name | The name of the service. Enter either ssh or ntp.
instances | Maximum sessions allowed for ssh.
You can also configure this information in the Ivanti EPMM System Manager Settings > CLI page. See "CLI" in the Ivanti EPMM System Manager Guide.
Example
/config#service ssh 4
software repository
Configures the software repository URL. This URL specifies the location of software updates for Ivanti EPMM.
You can also configure the software repository in the Ivanti EPMM System Manager, in Maintenance > Software Updates, described in “Ivanti EPMM server software updates” in the Ivanti EPMM System Manager Guide.
Specify the following parameters:
Parameter | Description
urlstring | URL for the software repository.
username | The username portion of the credentials for accessing the repository.
password | The password portion of the credentials for accessing the repository.
sshd_authorized_key
Use this command to enable SSH public key authorization for a CLI user. With this command, you provide Ivanti EPMM with the public key of an SSH public/private key pair. Providing the public key allows a CLI user to use SSH to connect to Ivanti EPMM using the matching private key rather than with a password.
You can enable public key authorization only for the administrator user that you use to log into the CLI session. Each administrator user can have only one public key. If you enable public key authorization with a second public key, the first public key is overwritten.
Procedure
To enable SSH public key authorization, do the following in CONFIG mode:
- Enter sshd_authorized_key.
- When prompted, paste the public key.
- Press Enter.
- When prompted to save the configuration, enter yes.
Example
asdfasd/config#sshd_authorized_key
Please provide the public key and press enter: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnFsywrE7Q6kGU+uVFKCLaY4/XlgXtxB1pUQAOPJjKRZukn5zfdbGmLqGaJWjWc7TRMTkbPegV4skPW1ddIcUXNuV79Mfbco4sFJkLFr4Qg7xKQUyo/kk47otSE2HRq4EUoTxfN5UeEuD81WEeU3aqdH6RcrIx0gkdvteFbUuSacWorRw4xoskySYplWeLTva4IgERPXI5jkydBF/uH14B3R1V/TzIxo914xW08o6C0dC/A/bnbPzAnvlngOdskGikUDOQ29jXqvHhrw9jnAWPYcq7vsJfNi2b/6AIAeKVcEZkLOuul1i9WtkePXX1k4lXR8e8lBI2MPhXOfiSIDGx admin
Entered key is: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnFsywrE7Q6kGU+uVFKCLaY4/XlgXtxB1pUQAOPJjKRZukn5zfdbGmLqGaJWjWc7TRMTkbPegV4skPW1ddIcUXNuV79Mfbco4sFJkLFr4Qg7xKQUyo/kk47otSE2HRq4EUoTxfN5UeEuD81WEeU3aqdH6RcrIx0gkdvteFbUuSacWorRw4xoskySYplWeLTva4IgERPXI5jkydBF/uH14B3R1V/TzIxo914xW08o6C0dC/A/bnbPzAnvlngOdskGikUDOQ29jXqvHhrw9jnAWPYcq7vsJfNi2b/6AIAeKVcEZkLOuul1i9WtkePXX1k4lXR8e8lBI2MPhXOfiSIDGx admin
Confirm to add to the authorized keys (y/n): y
Done adding to the authorized keys.
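Because a second key silently overwrites the first, it helps to check the pasted line before answering y at the confirmation prompt. The following is an added example, not part of the Ivanti documentation or the EPMM CLI: it parses an OpenSSH public key line, rejects a cut-off or mislabelled paste, and derives the RSA size and SHA256 fingerprint to compare with ssh-keygen -lf output on the workstation that holds the private key. The function names are hypothetical and the sample key is constructed, not a usable key.

```python
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one SSH wire 'string': 4-byte big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Validate one OpenSSH public key line and describe the key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # binascii.Error is a ValueError; it fires on a cut-off or corrupted paste.
    blob = base64.b64decode(body, validate=True)
    embedded, offset = read_string(blob, 0)
    if embedded != declared.encode("ascii", "replace"):
        raise ValueError("declared key type does not match the encoded type")
    bits = None
    if declared == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, offset = read_string(blob, offset)
        if offset != len(blob):
            raise ValueError("unexpected trailing data in RSA key blob")
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "bits": bits,
            "fingerprint": fingerprint, "comment": comment}


def wire_string(data):
    return struct.pack(">I", len(data)) + data


def mpint(value):
    # Positive mpint: big-endian, with a leading 0x00 when the top bit is set.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


# Constructed sample: a 2048-bit number in the ssh-rsa layout, not a usable key.
SAMPLE_BLOB = (wire_string(b"ssh-rsa") + wire_string(mpint(65537))
               + wire_string(mpint((1 << 2047) | 1)))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " admin"

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_LINE))
    try:
        inspect_public_key(SAMPLE_LINE.rsplit(" ", 1)[0][:-10])  # cut-off paste
    except ValueError as exc:
        print("rejected:", exc)
```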
statichost
A static host configuration maps a fully-qualified domain name to an IP address. This static mapping is useful in the following cases:
- A DNS server is not available.
- The DNS server entry for a fully-qualified domain name points to an external IP address, outside of your firewall, although the ultimate destination is inside your firewall. You can use this static mapping if you want to associate the fully-qualified domain name with an internal IP address, inside your firewall.
You can also configure static hosts using the Ivanti EPMM System Manager Settings > Static Hosts page, described in “Static Hosts” in the Ivanti EPMM System Manager Guide.
Specify the following parameters:
Parameter | Description
ip | IP address of the fully-qualified domain name.
fqdn | The fully-qualified domain name.
Example
/config#statichost 172.16.80.2 mysentry.mycompany.com
syslog
Configures syslog server information.
Parameter | Description
server | Hostname or IP address of the syslog server
loglevel | Specify the log level to be enabled (0-7)
The log level value you specify in this command corresponds to the following log levels:
Log level value | Log level description
0 | Emergency
1 | Alert
2 | Critical
3 | Error
4 | Warning
5 | Notice
6 | Info
7 | Debug
You can also configure the syslog servers in the Ivanti EPMM System Manager Settings > Data Export > Syslog Servers page, described in “Syslog” in the Ivanti EPMM System Manager Guide.
system user
Creates an Ivanti EPMM System Manager user account. Specify the following parameters:
Parameter | Description
username | User name
password | The unencrypted (cleartext) user password
You can also configure Ivanti EPMM System Manager users in the Ivanti EPMM System Manager, in Security > Identity Source > Local Users, described in “Identity Source > Local Users” in the Ivanti EPMM System Manager Guide.
system aspm
Sets a kernel boot parameter (pcie_aspm) to turn off the PCIe Active State Power Management (ASPM) subsystem on Ivanti EPMM physical appliances.
Turning off the PCIe ASPM subsystem is necessary if Ivanti EPMM physical appliances lose connectivity because of issues in some e1000e interface drivers. These faulty drivers erroneously go off-line and stay off-line when the PCIe ASPM subsystem puts the driver into low power mode. When the driver is off-line, Ivanti EPMM physical appliances that use the driver, such as the M2100 Gen 3 or M2200, lose connectivity. Because the PCIe ASPM subsystem’s capability to save power is not applicable to Ivanti EPMM appliances, turning off the subsystem solves the interface driver issue with no impact to Ivanti EPMM behavior.
The setting persists across reboots. However, it does not persist after an Ivanti EPMM upgrade if the upgrade includes an upgrade to the kernel. Re-execute the command after such an upgrade.
x-frame
This command sets the XFrame configuration for Hypertext Transfer Protocol daemon (HTTPd), that is, your web server. The X-Frame options can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
Parameter | Description
SameOrigin | The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.
Deny | The page cannot be displayed in a frame, regardless of the site attempting to do so.
Allow-From | This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin URI.
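To confirm on the wire what x-frame (and hsts-disable, earlier on this page) changed, the response headers can be checked once the HTTPD service has restarted. The following is an added example, not Ivanti code: it classifies the X-Frame-Options and Strict-Transport-Security headers in a raw response head such as the one printed by curl -sI. It assumes the two commands act through those standard headers; the function names are hypothetical and the sample responses are constructed.

```python
import re

FRAME_VERDICTS = {
    "DENY": "protected: no site may frame the page",
    "SAMEORIGIN": "protected: only same-origin pages may frame the page",
    "ALLOW-FROM": "unprotected: Allow-From is obsolete in modern browsers",
}


def parse_header_block(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_finding(headers):
    values = headers.get("x-frame-options", [])
    if not values:
        return "unprotected: X-Frame-Options is absent"
    if len({v.upper() for v in values}) > 1:
        return "misconfigured: conflicting X-Frame-Options headers"
    token = values[0].split()[0].upper() if values[0] else ""
    return FRAME_VERDICTS.get(token, "misconfigured: unrecognised value")


def hsts_finding(headers):
    values = headers.get("strict-transport-security", [])
    if not values:
        return "disabled: Strict-Transport-Security is absent"
    match = re.search(r"max-age\s*=\s*\"?(\d+)", values[0], re.IGNORECASE)
    if not match:
        return "misconfigured: no max-age directive"
    age = int(match.group(1))
    if age == 0:
        return "disabled: max-age=0 tells browsers to drop the policy"
    return "enabled: max-age=%d seconds" % age


def audit(raw):
    """Return (framing finding, HSTS finding) for one response head."""
    headers = parse_header_block(raw)
    return frame_finding(headers), hsts_finding(headers)


# Constructed responses (not captured from a real Ivanti EPMM server).
AFTER_X_FRAME_DENY = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n\r\n")
AFTER_HSTS_DISABLE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM https://portal.example.com\r\n\r\n")

if __name__ == "__main__":
    for sample in (AFTER_X_FRAME_DENY, AFTER_HSTS_DISABLE):
        print(audit(sample))
```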