NAME
mxnodesecurity - add, modify, list, remove default/global and
node/system credentials in HP Systems Insight Manager
SYNOPSIS
mxnodesecurity -a -p protocol -c username:password [-t on or off ] -n
nodename
Add or modify node/system credential.
mxnodesecurity -a -p wbem -c username:password [-t on or off ] -n
nodename[:Port#]
Add or modify wbem node/system credential.
mxnodesecurity -a -p snmp -c readname:writename [-t on or off ] -n
nodename
Add or modify snmp node/system credential.
mxnodesecurity -a -p signin -c username:password [-t on or off ] [ -n
nodename ]
Add or modify a signin or sign-in default/global or node/system
credential. A signin credential is a protocol independent credential
used to sign into the managed system.
mxnodesecurity -a -p protocol -c username:password
Add a default/global credential.
mxnodesecurity -a -p protocol -c username:password -n @defaultN
Modify a default/global credential.
mxnodesecurity -a -f filename
Add or modify credentials as specified in XML file.
mxnodesecurity -r -p protocol -n nodename
Remove a node/system credential.
mxnodesecurity -r -p wbem -n nodename[:Port#]
Remove a wbem node/system credential.
mxnodesecurity -r -p protocol -n @defaultN [-x fd or fcd ]
Remove a default/global credential.
mxnodesecurity -r -p protocol [-x fd or fcd ]
Remove all default/global credentials of specified protocol.
mxnodesecurity -r -f filename
Remove credentials as specified in XML file.
mxnodesecurity [ -l ]
List all default/global and node/system credentials.
mxnodesecurity -l [-p protocol ] [-n nodename ]
List default/global and node/system credentials by protocol and/or
nodename.
DESCRIPTION
The mxnodesecurity command allows an HP Systems Insight Manager Central
Management Server (CMS) user to add, modify, list, or remove
default/global and node/system credentials in the CMS. Note the
difference between default and node type credentials.
Default (or Global) credentials are those credentials that apply to
all managed systems.
Node (or System) credentials are those credentials that apply to
specific managed systems.
Credentials of all types are stored in the HP Systems Insight Manager
database.
The mxnodesecurity add option allows a user to add default or node
type credentials. The add option may be used in one of two ways. The
user may specify an input XML file that describes the credentials for
one or more target nodes, or the user may declare credentials and
optionally a node name on the command line.
If the user specifies a file name on the command line, the file must
be an XML formatted file. The file format is documented in "XML
format" below. The user may also specify the credential
characteristics on the command line along with the node name. If the
node name is omitted, the default credentials are changed to the new
credential characteristics.
If the node name is included on the command line, mxnodesecurity first
attempts to get the fully qualified name for the node. If the fully
qualified name is not available, the IP address is requested. If an
IP address is not available, the name supplied on the command line is
used. The mxnodesecurity application then searches for the node in
the HP Systems Insight Manager credentials database. If the
credential exists, the credential is updated. If the specified
credential does not exist, a new credential is added for the node with
the specified credential characteristics.
The mxnodesecurity remove option allows a user to delete a default or
node type credential. Like the add option, the remove option allows
the user to supply a file name with the credentials and node name for
deletion. The remove option also allows the user to remove one
credential at a time based on the node name or to remove all
credentials of a specified protocol type.
When removing default/global credentials, it may be necessary to use
the '-x' (extended) option to force the removal of the specified
default/global credential. The reason is that there may be instances
when the global credential being specified for removal is currently
being used by some node/system as its 'working' credential - that is,
the global credential is currently 'in-use'.
When attempting to remove an 'in-use' credential, the CLI displays
the following error/alert message, which (1) indicates that the
credential was not removed and (2) describes the two methods (via the
-x option) that may be used to forcefully remove the credential, if
desired. The error/alert message looks as follows on the screen:
    ERROR - Could not remove one or more global credentials
    One or more systems are currently using one of the credentials(s)
    targeted for removal.
    Try removing the credential(s) again and include either of the
    following two options.
    [-x {forceDelete | fd}]
    Deletes credential(s) and any associated working system credential
    references.
    Warning: This option may cause loss of communications with some
    systems.
    You must run identification or discovery to attempt to re-establish
    working system credentials.
    [-x {forceCopyDelete | fcd}]
    Copies the global credential(s) to all systems using that credential
    as a system and working credential.
    Deletes the global credential(s).
    This option will preserve communications with all systems.
At this point, the user must decide whether he/she really wants to
remove the global credential. Forcefully removing (-x fd) a global
credential that is being used by one or more nodes/systems as their
'working' credential may cause loss of communications by SIM with
that node/system. However, an alternate method is provided via the
'-x fcd' option, which first copies the global credential, as a
node/system credential, to each node/system that was using it, thus
preserving SIM communications with the node/system.
To forcefully remove (delete) a global credential, use the '-x' option
with the following argument. Note that this method may result in the
loss of communications by SIM with the node/system.
>mxnodesecurity -r -p protoName [-x {forceDelete | fd}]
>mxnodesecurity -r -p protoName -n @default1 [-x {forceDelete | fd}]
To first copy the credential, then forcefully remove (delete) the
global credential, use the '-x' option with the following argument.
Note that this method preserves the communications for the node/system
using the credential.
>mxnodesecurity -r -p protoName [-x {forceCopyDelete | fcd}]
>mxnodesecurity -r -p protoName -n @default1 [-x {forceCopyDelete | fcd}]
If the user types a protocol and a node name on the command line, the
remove option will attempt to resolve the node name to its fully
qualified name. If the fully qualified name is unavailable, an
attempt is made to find the IP address. If the IP address can not be
found, the name supplied on the command line is used. Once the node
name has been determined, the remove option scans for a matching
credential in HP Systems Insight Manager credentials database. If the
credential exists in the database, the credential is deleted.
If the user omits the node name during a remove operation, all
default/global credentials for the supplied protocol are removed from
the HP Systems Insight Manager credentials database.
The mxnodesecurity list option allows a user to list both
default/global and node/system type credentials stored in the HP
Systems Insight Manager credentials database. There are two options
that the user may use to filter the output list. The user may supply
a protocol and/or a node name.
If the list option is used in conjunction with the protocol option,
all nodes which have credentials of the specified protocol are listed.
If the list option is used in conjunction with the node option, the
node will be located and all of the credentials for that node,
regardless of protocol, will be listed. If both the node and protocol
options are used together, the node will only be displayed if
credentials for the specified protocol exist.
Options
mxnodesecurity recognizes the following options:
-a            Indicates that credentials should be added or modified
              in the HP Systems Insight Manager credentials database.
              Must be used with the -f option or the -p and -c
              options.
-r            Indicates that credentials should be removed from the
              HP Systems Insight Manager credentials database. Must
              be used with the -f option or the -p and -c options.
-l            Indicates that node security credentials should be
              listed to the screen. Can be used with the -p option or
              the -n option.
-f filename   Indicates that credentials to be added or removed are
              specified in filename. The contents of this file are
              described in "XML format", below.
-p protocol   Used to specify a protocol such as WBEM or SNMP.
              Credentials of the specified type will be displayed to
              the screen. This option is used in conjunction with -a,
              -r and -l. Standard Systems Insight Manager protocols
              are "snmp", "wbem", "ws-man", "ssh" and "sign-in". Note
              that mxnodesecurity will interpret "wsman" or "ws-man"
              on the command line as the same protocol. Note that
              mxnodesecurity will interpret "signin" or "sign-in" on
              the command line as the same protocol. A "sign-in"
              credential is a protocol independent credential used to
              sign into the managed system. Note that mxnodesecurity
              will also accept any name for a protocol name.
-c username:password
              Used to specify a username and *password for
              credentials. This option is used in conjunction with
              "-a -p wbem".
-c readname:writename
              Used to specify a community read name and community
              write name for an SNMP protocol credential. This option
              is used in conjunction with "-a -p snmp".
-t on|off     Used to turn on and off the Try Others option. When
              this option is turned on HP Systems Insight Manager
              will try other credentials for the system if this one
              fails. If this option is not specified it defaults to
              off. This option is used in conjunction with -a.
-x fd|fcd     Used to force the removal of specified default/global
              credential(s) that may be currently in use by one or
              more nodes/systems. The 'fd' option will completely
              remove the default/global credential and may result in
              the loss of communications with the associated
              system(s). The 'fcd' option will first copy the
              credential to any system(s) that may be referencing it,
              and thus preserve communications with the system(s).
-n nodename   Used to specify a node name. This option is used in
              conjunction with -a, -r and -l. If the "@defaultN" type
              format is used for the nodename value, then
              mxnodesecurity will assume that a default/global type
              credential is being specified, whereby the N value
              indicates a specific default/global credential as may
              be viewed/referenced in a credentials listing -l
              output.
XML FORMAT
The format used for an XML input file is defined by the following
example.
    <?xml version="1.0" encoding="UTF-8" ?>
    <nodelist>
      <node name="nodeName">
        <credential protocol="wbem" username="userName" password="userPassword" encoded="" />
      </node>
    </nodelist>
RETURN VALUE
mxnodesecurity returns one of the following values:
0 Successful completion.
1 Command line syntax error.
2 Error in a file operation or parsing a file.
21 Invalid name.
250 Remote exception.
EXAMPLES
The command below adds a WBEM node/system type credential to the HP
Systems Insight Manager credentials database for the specified node
named "mycomputer.ak.hp.com". The username and *password are defined
uniquely for the specified node. Note that since no port number is
specified, the credential will use a default port assigned by the CMS.
Although the "Try Others" option is not explicitly specified, it will
be turned on by default for this particular credential. Note that if
this credential does already exist in the HP Systems Insight Manager
credentials database (based off protocol and nodename), then a modify
operation will automatically be performed on the credential and the
username and password will be updated.
mxnodesecurity -a -p wbem -c username:password -n mycomputer.ak.hp.com
The command below adds a WBEM node/system type credential to the HP
Systems Insight Manager credentials database for the specified node
named "mycomputer.ak.hp.com" and for a specified port number of 5990.
Note that only WBEM type node credentials allow for a port number to
be specified along with the nodename in the form of "nodename:port#".
The username and *password are defined uniquely for the specified
node. Although the "Try Others" option is not explicitly specified,
it will be turned on by default for this particular credential. Note
that if this credential does already exist in the HP Systems Insight
Manager credentials database (based off protocol and nodename), then a
modify operation will automatically be performed on the credential and
the username and password will be updated.
mxnodesecurity -a -p wbem -c username:password -n mycomputer.ak.hp.com:5990
The command below adds a default/global type credential to the Systems
Insight Manager database of specified protocol. Note that when adding
default/global credentials, any protocol name may be specified, except
for WBEM. Note that a node name is not specified when adding
default/global type credentials. Also note that the Try Others option
is explicitly set to the "on" state. When listing default/global
credentials, the node names will be in the form of "@defaultN", where
N is an auto-assigned numerical value indicating usage precedence.
mxnodesecurity -a -p protocol -c username:password
The command below adds a default/global type credential to the Systems
Insight Manager database of specified SIGN-IN protocol. Note that a
SIGN-IN type credential is a special protocol independent credential
which is used to sign into the managed system. Note that a node name
is not specified when adding default/global type credentials. Also
note that the Try Others option is explicitly set to the "on" state.
When listing default/global credentials, the node names will be in the
form of "@defaultN", where N is an auto-assigned numerical value
indicating usage precedence.
mxnodesecurity -a -p sign-in|signin -c username:password
The command below adds a node/system type credential to the Systems
Insight Manager database of specified SIGN-IN protocol for the
specified node named "mycomputer.ak.hp.com". Note that a SIGN-IN type
credential is a special protocol independent credential which is used
to sign into the managed system. Also note that the Try Others option
is explicitly set to the "on" state. Note that if this credential
does already exist in the HP Systems Insight Manager credentials
database (based off protocol and nodename), then a modify operation
will automatically be performed on the credential and the username and
password will be updated.
mxnodesecurity -a -p sign-in|signin -c username:password -n mycomputer.ak.hp.com
The command below adds a default/global type SNMP protocol credential
to the Systems Insight Manager database with the Try Others option
explicitly set to the off state. The read and write community strings
are required for the SNMP type protocol. Note that a node name is not
specified when adding default/global type credentials. When listing
default/global credentials, the node names will be in the form of
"@defaultN", where N is an auto-assigned numerical value indicating
usage precedence.
mxnodesecurity -a -p snmp -c readname:writename
The command below would modify the username and password of an
existing default/global credential with a specified protocol type of
SSH and a specified nodename of "@default3". The nodename reference
used in the command below would be acquired from an mxnodesecurity
list (-l) command. Note that when listing default/global credentials,
the node names will be in the form of "@defaultN", where N is an
auto-assigned numerical value indicating usage precedence.
mxnodesecurity -a -p ssh -c username:password -n @default3
The command below adds or modifies credentials in the HP Systems
Insight Manager database based on the contents of the XML file named
/home/user1/defs/newcredentials.xml.
mxnodesecurity -a -f /home/user1/defs/newcredentials.xml
The command below removes all WBEM credentials for the node named
"mycomputer.ak.hp.com".
mxnodesecurity -r -p wbem -n mycomputer.ak.hp.com
The command below removes all default/global (and only default/global)
type credentials in the HP Systems Insight Manager of the specified
protocol type/name.
mxnodesecurity -r -p protocol
The command below removes the specified default/global type credential
(as specified by the numeric N value) in the HP Systems Insight
Manager of the specified protocol type/name. The nodename reference
used in the command below would be acquired from an mxnodesecurity
list (-l) command. Note that when listing default/global credentials,
the node names will be in the form of "@defaultN", where N is an
auto-assigned numerical value indicating usage precedence.
mxnodesecurity -r -p protocol -n @defaultN
The command below removes credentials in the HP Systems Insight
Manager database based on the contents of the XML file named
/home/user1/defs/oldcredentials.xml.
mxnodesecurity -r -f /home/user1/defs/oldcredentials.xml
The command below displays the list of all default/global and
node/system credentials contained in the HP Systems Insight Manager
database.
mxnodesecurity -l
The command below displays a list of all credentials (default and
node) of type WBEM protocol.
mxnodesecurity -l -p wbem
The command below displays all node/system credential(s) for the
specified node "mycomputer.ak.hp.com".
mxnodesecurity -l -n mycomputer.ak.hp.com
The command below displays the WBEM node/system credential(s) for
the specified node "mycomputer.ak.hp.com".
mxnodesecurity -l -p wbem -n mycomputer.ak.hp.com
EXAMPLE LISTING OUTPUT
The example output below shows the format for the -l command that will
list all Default/Global and Node/System credentials. Note that the
Default/Global and Node/System credentials are divided into two
separate listings. Also note the "@defaultN" node naming convention
and the specific numeric N value used in the Default/Global
credentials list. To modify an existing Default credential, you
*must* use this listing output as a reference for the specific
credential that you wish to modify, because you will be required to
provide a "@defaultN" value string as a node name either (1) as a
command-line nodename -n value or (2) as a name attribute value in an
XML file.
Listing all global credentials...
NODENAME                PROTOCOL   USERNAME   PASSWORD
@default1               snmp       public     private
@default1               ssh        user1      ********
@default1               sign-in    user1      ********
@default2               sign-in    user2      ********
@default2               ws-man     user1      ********
@default2               snmp       public2    private2
@default3               abc        user1      ********
@default3               sign-in    user3      ********
Listing all system credentials...
NODENAME                PROTOCOL   USERNAME   PASSWORD   TRYOTHERS
11.11.111.111           snmp       public     private    Yes
mycomputer.ak.hp.com    snmp       public     private    Yes
nodeName1               sign-in    user1      ********   Yes
nodeName2               ssh        user1      ********   Yes
nodeName3               ws-man     user2      ********   No
testNode4               abc        user4      ********   Yes
mycomputer2.ak.hp.com   wbem       user1      ********   No
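A check that can be run over this listing format, as an added example that is not part of the original man page: it parses both listings and reports SNMP rows that use the well-known community names public/private, protocol names outside the standard set given under -p (mxnodesecurity accepts any name, so a mistyped one is accepted too), and system rows with Try Others on. The function names are hypothetical, the sample rows are constructed from the listing above, and whitespace-separated columns are an assumption.

```shell
#!/bin/sh
# Constructed sample in the shape of the `mxnodesecurity -l` output above.
sample_listing() {
cat <<'EOF'
Listing all global credentials...
NODENAME PROTOCOL USERNAME PASSWORD
@default1 snmp public private
@default1 ssh user1 ********
@default2 snmp public2 private2
@default3 abc user1 ********
Listing all system credentials...
NODENAME PROTOCOL USERNAME PASSWORD TRYOTHERS
11.11.111.111 snmp public private Yes
nodeName3 ws-man user2 ******** No
testNode4 abc user4 ******** Yes
EOF
}

# audit_listing: read a listing on stdin and print one finding per line
# as "<scope> <nodename> <protocol> <reason>".
# Assumption: columns are separated by whitespace and contain no spaces.
audit_listing() {
    awk '
    BEGIN {
        # Standard protocol names from the -p option text, plus the two
        # aliases (wsman, signin) that the command also accepts.
        n = split("snmp wbem ws-man wsman ssh sign-in signin", s, " ")
        for (i = 1; i <= n; i++) std[s[i]] = 1
    }
    /^Listing all global credentials/ { scope = "global"; next }
    /^Listing all system credentials/ { scope = "system"; next }
    scope == "" || NF < 4 || $1 == "NODENAME" { next }
    {
        proto = tolower($2)
        if (!(proto in std))
            print scope, $1, proto, "nonstandard-protocol"
        # For snmp rows the USERNAME/PASSWORD columns hold the read and
        # write community names, which the listing shows unmasked.
        if (proto == "snmp" && $3 == "public")
            print scope, $1, proto, "default-read-community"
        if (proto == "snmp" && $4 == "private")
            print scope, $1, proto, "default-write-community"
        # TRYOTHERS exists only in the system listing.
        if (scope == "system" && $5 == "Yes")
            print scope, $1, proto, "try-others-on"
    }'
}

# Stand-alone run on the constructed sample.
sample_listing | audit_listing
```

On a CMS the same function can read the real listing: mxnodesecurity -l | audit_listing.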
LIMITATIONS
This command may only be run on the CMS, and HP Systems Insight Manager
itself must be running in order for the mxnodesecurity CLI to run.
Note that for an HP-UX or Linux CMS, this command can only be run by
the root user.
FILE PROCESSING
If the CMS detects a formatting error while processing an XML input
file, the CMS will not make any changes to the HP Systems Insight
Manager credentials database based on the contents of the input file.
The CMS will interrupt processing and issue an error message
describing the formatting error.
AUTHOR
mxnodesecurity was developed by the Hewlett-Packard Company.
SEE ALSO for HP-UX
mxnodesecurity(4), mxngroup(1M), mxauth(1M), mxuser(1M),
mxinitconfig(1M), mxnode(1M).
SEE ALSO for Linux
mxnodesecurity(4), mxngroup(8), mxauth(8), mxuser(8), mxinitconfig(8),
mxnode(8).
* Note: Care must be taken when specifying passwords on the command
line. This makes them available in the command history, in the process
list while executing, and in the audit log if executed as part of a
task. Be sure to clear your command history, or use alternate methods
for specifying passwords, e.g. prompt, input file.
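One way to follow this note and keep the password off the command line, as an added example that is not part of the original man page: prompt for the password, write it into a file in the XML format shown under "XML FORMAT", and pass that file with -a -f. The function names are hypothetical, the encoded attribute is left empty as in the page's example, and mktemp and stty are assumed to be available on the CMS.

```shell
#!/bin/sh
# xml_escape VALUE: escape the five XML special characters so that any
# password remains a well-formed attribute value. printf is a shell
# builtin in sh/bash/ksh, so VALUE never appears in the process list.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_cred_xml FILE NODE PROTOCOL USER PASSWORD
# Writes one credential in the page's XML format. umask 077 keeps a newly
# created file readable by its owner only.
write_cred_xml() {
    ( umask 077; cat > "$1" ) <<EOF
<?xml version="1.0" encoding="UTF-8" ?>
<nodelist>
  <node name="$(xml_escape "$2")">
    <credential protocol="$(xml_escape "$3")" username="$(xml_escape "$4")" password="$(xml_escape "$5")" encoded="" />
  </node>
</nodelist>
EOF
}

# add_credential NODE PROTOCOL USER
# Prompts without echo, loads the credential from a private temporary
# file, and removes the file whether or not the command succeeds.
add_credential() {
    tmp=$(mktemp) || return 2          # mktemp creates the file mode 0600
    trap 'rm -f "$tmp"' EXIT
    printf 'Password for %s on %s: ' "$3" "$1" >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    write_cred_xml "$tmp" "$1" "$2" "$3" "$pw"
    unset pw
    mxnodesecurity -a -f "$tmp"; rc=$?
    rm -f "$tmp"; trap - EXIT
    return "$rc"
}

# Run only when called as: script NODE PROTOCOL USER
if [ "$#" -eq 3 ]; then
    add_credential "$@"
fi
```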