chicken and egg. how are you going to talk to the server via bsa unless the rscd is on it ?
Let me answer your question by questions:
How Agent Installer Job do this job?
ssh using automation principals
ssh + sudo using automation principals
ssh + su using automation principals
psexec using automation principals
And I wold like the same, of course I can use above mechanisms and pass password by parameter (blenc - but it's no good idea, it's able to de-crypt this hash).
But I want to do it using automation principals - or even Remote Host Authentications (and Routing Rules) because I wan't repeat tasks.
I’m not sure if you can get the AP passwd out as it shouldn’t be stored w/ blenc. Why not just let the uai try to do the install, if it fails because of the passwd then it fails and you scrape the job log and try something else ?
I would dig around in the unreleased commands – Impersonation, RemoteHostAuthentication. Maybe there is something there you can use.
rscd installation it's change in ITIL terms in my env. So i need to deploy agent in change windows.
I just need to be well prepared for such deployment.
I have to check (before change window):
- connectivity: status - done
- credentials: status - under consideration how to archive simplest
As Bill mentioned, you can't really test an automation principal per say using BSA while the remote target doesn't yet have a RSCD agent installed and running. So the only way to test the user account/password it would use is to do it the native way, from a server than can reach all your targets, using ssh for Unix, and psexec for Windows. You could however automate that test using NSH (basically calling the local psexec and ssh scripts to test those accounts using NSH).
- or -
If you don't mind possibly doing half the work in one pass and the remaining part after fixing accounts that didn't work, you can do like Bill suggested and use the Unified Agent Installer and install the agent on as many servers as you can, and then tackle the ones that failed on a case by case basis (or in batches as you wish).
Well – i think if he could pull out the ap passwd he could pass through to a psexec call, but i’m not sure if we allow that via the blcli.
Yeah I know you can set the automation principal password via blcli, but I don't think you can read and decrypt it.
And I looking for such possibility.
Sorry, I looked in both the released and unreleased commands and there is only a way to set the passphrase of an AP using blcli, but nothing available to get it and even less so decrypt it. I checked in the db and the passphrase field is a binary one, it's not using blenc (thank God for that), so using a SQL query wouldn't work either. I'm afraid what you are looking for does not exist and doesn't seem feasible.
Therefore, Bill's second option (using the Unified Agent Installer and try, then catch and fix remaining ones) is probably your only option.