Using the blcred utility
blcred utility manages authentication profiles, session credentials, and trusted certificates. To use
blcred, you must install the BMC Server Automation Console.
To log into a BMC Server Automation system, a user must provide an authentication profile, user name, and password. The authentication profile specifies a BMC Server Automation Authentication Service and the mechanism that should be employed to authenticate the user. After the Authentication Service validates a user, the Authentication Service issues a session credential. This session credential can be stored in a credential cache file.
BMC Server Automation client applications use session credentials to establish secure sessions with a middle tier service-either the Application Service or the Network Shell Proxy Service. BMC Server Automation client applications can use a cached session credential when the owner of the credential cache file invokes the client application.
Session credentials have a finite lifetime. After a session credential has expired, it cannot be used to establish a client/server session. However, an established client/server session can continue even though the session credential used to establish that session has expired.
BMC Server Automation users can log on and acquire session credentials using the BMC Server Automation Console or
blcred command line utility. When operating in a command line environment, the
blcred utility lets you:
- Create an authentication profile
- Acquire a session credential by providing an authentication profile and the appropriate user credentials for each authentication protocol, as described below:
- SRP — User name and password.
- LDAP — Distinguished name and password.
- SecurID — User name and passcode (PIN plus token code).
- AD/Kerberos — The
blcredutility retrieves the AD/Kerberos user credential from the host system's AD/Kerberos credential store; users do not explicitly use the command line interface to provide AD/Kerberos credentials.
- Domain Authentication — User name (in the form user@KRBDOMAIN.COMPANY.COM) and password.
- PKI — Insert a smart card into a smart card reader and provide the appropriate PIN for that smart card. You must insert the smart card before you can use
blcredto run the
acquirecommand to obtain a session credential.
- Test whether a valid session credential already exists and determine the lifetime remaining for that credential.
- Review, add, and delete authentication profiles.
- Review, add, import, and delete trusted X.509 certificates.
- On clients, X.509 certificates are used when establishing a TLS connection to an Authentication Service, Application Server, or Network Shell proxy server.
- On Application Servers, X.509 certificates are used when establishing a TLS connection to an LDAP server.
Available command line options
For a complete description of all available command line options, refer to the man page for the