Typical scenarios for using blcred
The following sections describe some typical scenarios for using the blcred
command.
Testing for valid session credentials
If you are using a command line (BLCLI or Network Shell in proxy mode) and you want to determine whether you have a valid session credential, run the following command:
blcred cred -test -profile MyProfile
where MyProfile
is the name of the authentication profile for which a session credential has been issued. If this command is successful, it generates a return code of 0, which means a valid session credential does exist for MyProfile.
To determine whether a credential's remaining lifetime exceeds a specified number of minutes, enter a command similar to the following:
blcred cred -test -profile MyProfile -time 500
where 500
is a remaining lifetime in minutes. If this command is successful, it generates a return code of 0, which means the MyProfile session credential is valid for at least 500 minutes.
Interactively obtaining a session credential
If you are interactively running Network Shell (in proxy mode) or the BLCLI and you must obtain a session credential but cannot use the console, run the following command:
blcred cred -acquire
The blcred
utility prompts for an authentication profile name, user name and password if the named profile specifies SRP authentication. The example below shows an authentication session that prompts the user for credential information. Alternatively, you can specify the profile name, user name and password as command line options.
$ blcred cred -acquire
profile name: srpProfile
username: BLAdmin
password \*****\*
Authentication succeeded: acquired session credential
If you are using AD/Kerberos authentication, you can enter the same command, but when prompted for an authentication profile name, you must enter a profile name that calls for AD/Kerberos authentication. (Alternatively, you can specify the profile name as a command line option.) When employing AD/Kerberos authentication, blcred
does not prompt the user for a name or password. Instead, it retrieves the user's Kerberos credential from the host operating system's AD/Kerberos credential cache. Note that UNIX users must first manually run a kinit before attempting to authenticate, as described in Obtaining a TGT for a BMC Server Automation client (UNIX only).
$ blcred cred -acquire
profile name: adkProfile
Authentication succeeded: acquired session credential
Obtaining a session credential by referencing a keytab file
If you are running Network Shell or the BLCLI in batch mode and you must obtain a session credential non-interactively, you can direct blcred
to retrieve an SRP user name and password from an SRP keytab file, using a command like the following
blcred cred -acquire -profile srpProfile -i /home/<user>/user_info.dat
Obtaining a session credential using an SRP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using SRP authentication, you can direct blcred
to obtain a session credential.
blcred cred -acquire -profile srpProfile -username BLAdmin -password ******
Obtaining a session credential using an LDAP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using LDAP authentication, you can direct blcred
to obtain a session credential. If you are using a distinguished name template, you only have to provide a partial distinguished name (in this case admin ) and an LDAP password.
blcred cred -acquire -profile ldapProfile -username admin -password ******
If you are not using distinguished name templates, you must provide a full distinguished name and a password.
Displaying the contents of a session credential
Using a blcred
command similar to the following
blcred cred -list
you can display the contents of your current session credential.
Username: RBACAdmin
Authentication: SRP
Issuing Service: service:authsvc.bladelogic:blauth://localhost:9840
Expiration Time: Fri Aug 17 20:57:29 EDT 2007
Maximum Lifetime: Sat Aug 18 06:57:29 EDT 2007
Client address: 127.0.0.1
Authorized Roles:
RBACAdmins
Destination URLs:
service:appsvc.bladelogic:blsess://localhost:9841
service:proxysvc.bladelogic:blsess://localhost:9842
Comments
Log in or register to comment.