9 Replies Latest reply on Apr 28, 2015 8:28 AM by Yanick Girouard

    check automation principal

    Robert Dołęga

      I would like to check an automation principal. That means checking whether I can log in to a group of servers using my automation principals.

      Are there any blcli commands to use them in an nsh script?


      I would like to perform this check before the rscd installation to ensure that I have the right credentials.




        • 1. Re: check automation principal
          Bill Robinson

          Chicken and egg. How are you going to talk to the server via bsa unless the rscd is on it?

          • 2. Re: check automation principal
            Robert Dołęga

            Let me answer your question with a question:

            How does the Agent Installer Job do this job?



            ssh using automation principals

            ssh + sudo using automation principals

            ssh + su using automation principals



            psexec using automation principals


            And I would like the same. Of course I can use the above mechanisms and pass the password as a parameter (blenc, but that's not a good idea, since it's possible to decrypt this hash).

            But I want to do it using automation principals, or even Remote Host Authentications (and Routing Rules), because I don't want to repeat tasks.





            • 3. Re: check automation principal
              Bill Robinson

              I’m not sure if you can get the AP passwd out as it shouldn’t be stored w/ blenc. Why not just let the uai try to do the install? If it fails because of the passwd then it fails and you scrape the job log and try something else.


              I would dig around in the unreleased commands – Impersonation, RemoteHostAuthentication.  Maybe there is something there you can use.

              • 4. Re: check automation principal
                Robert Dołęga

                The rscd installation is a change in ITIL terms in my env, so I need to deploy the agent in change windows.

                I just need to be well prepared for such deployment.


                I have to check (before change window):

                - connectivity: status - done

                - credentials: status - under consideration, how to achieve it most simply

                • 5. Re: check automation principal
                  Yanick Girouard

                  As Bill mentioned, you can't really test an automation principal per se using BSA while the remote target doesn't yet have an RSCD agent installed and running. So the only way to test the user account/password it would use is to do it the native way, from a server that can reach all your targets, using ssh for Unix, and psexec for Windows. You could however automate that test using NSH (basically calling the local psexec and ssh scripts to test those accounts using NSH).


                  - or -


                  If you don't mind possibly doing half the work in one pass and the remaining part after fixing accounts that didn't work, you can do like Bill suggested and use the Unified Agent Installer and install the agent on as many servers as you can, and then tackle the ones that failed on a case by case basis (or in batches as you wish).

                  • 6. Re: check automation principal
                    Bill Robinson

                    Well – I think if he could pull out the ap passwd he could pass it through to a psexec call, but I’m not sure if we allow that via the blcli.

                    • 7. Re: check automation principal
                      Yanick Girouard

                      Yeah I know you can set the automation principal password via blcli, but I don't think you can read and decrypt it.

                      • 8. Re: check automation principal
                        Robert Dołęga

                        And I am looking for such a possibility.

                        • 9. Re: check automation principal
                          Yanick Girouard

                          Sorry, I looked in both the released and unreleased commands and there is only a way to set the passphrase of an AP using blcli, but nothing available to get it and even less so decrypt it. I checked in the db and the passphrase field is a binary one, it's not using blenc (thank God for that), so using a SQL query wouldn't work either. I'm afraid what you are looking for does not exist and doesn't seem feasible.


                          Therefore, Bill's second option (using the Unified Agent Installer and try, then catch and fix remaining ones) is probably your only option.