Using the blcred utility
blcred utility manages authentication profiles, session credentials, and trusted certificates. To use
blcred, you must install the BMC Server Automation Console.
This topic includes the following sections:
About session credentials
To log on to a BMC Server Automation system, a user must provide an authentication profile, user name, and password. The authentication profile specifies a BMC Server Automation Authentication Service and the mechanism that should be employed to authenticate the user. After the Authentication Service validates a user, the Authentication Service issues a session credential. This session credential can be stored in a credential cache file.
BMC Server Automation client applications use session credentials to establish secure sessions with a middle tier service-either the Application Service or the Network Shell Proxy Service. BMC Server Automation client applications can use a cached session credential when the owner of the credential cache file invokes the client application.
Session credentials have a finite lifetime. After a session credential has expired, it cannot be used to establish a client/server session. However, an established client/server session can continue even though the session credential used to establish that session has expired.
blcred command line utility
BMC Server Automation users can log on and acquire session credentials using the BMC Server Automation Console or
blcred command line utility. When operating in a command line environment, the
blcred utility lets you:
- Create an authentication profile
- Acquire a session credential by providing an authentication profile and the appropriate user credentials for each authentication protocol, as described below:
- SRP — User name and password.
- LDAP — Distinguished name and password.
- SecurID — User name and passcode (PIN plus token code).
- AD/Kerberos — The
blcredutility retrieves the AD/Kerberos user credential from the host system's AD/Kerberos credential store; users do not explicitly use the command line interface to provide AD/Kerberos credentials.
- Domain Authentication — User name (in the form user@KRBDOMAIN.COMPANY.COM) and password.
- PKI — Insert a smart card into a smart card reader and provide the appropriate PIN for that smart card. You must insert the smart card before you can use
blcredto run the
acquirecommand to obtain a session credential.
- Test whether a valid session credential already exists and determine the lifetime remaining for that credential.
- Review, add, and delete authentication profiles.
- Review, add, import, and delete trusted X.509 certificates.
- On clients, X.509 certificates are used when establishing a TLS connection to an Authentication Service, Application Server, or Network Shell proxy server.
- On Application Servers, X.509 certificates are used when establishing a TLS connection to an LDAP server.
Available command line options
For a complete description of all available command line options, refer to the man page for the
Typical scenarios for using blcred
The following sections describe some typical scenarios for using the
Testing for valid session credentials
If you are using a command line (BLCLI or Network Shell in proxy mode) and you want to determine whether you have a valid session credential, run the following command:
blcred cred -test -profile MyProfile
MyProfile is the name of the authentication profile for which a session credential has been issued. If this command is successful, it generates a return code of 0, which means a valid session credential does exist for MyProfile.
To determine whether a credential's remaining lifetime exceeds a specified number of minutes, enter a command similar to the following:
blcred cred -test -profile MyProfile -time 500
500 is a remaining lifetime in minutes. If this command is successful, it generates a return code of 0, which means the MyProfile session credential is valid for at least 500 minutes.
Interactively obtaining a session credential
If you are interactively running Network Shell (in proxy mode) or the BLCLI and you must obtain a session credential but cannot use the console, run the following command:
blcred cred -acquire
blcred utility prompts for an authentication profile name, user name and password if the named profile specifies SRP authentication. The example below shows an authentication session that prompts the user for credential information. Alternatively, you can specify the profile name, user name and password as command line options.
$ blcred cred -acquire profile name: srpProfile username: BLAdmin password \*****\* Authentication succeeded: acquired session credential
If you are using AD/Kerberos authentication, you can enter the same command, but when prompted for an authentication profile name, you must enter a profile name that calls for AD/Kerberos authentication. (Alternatively, you can specify the profile name as a command line option.) When employing AD/Kerberos authentication,
blcred does not prompt the user for a name or password. Instead, it retrieves the user's Kerberos credential from the host operating system's AD/Kerberos credential cache. Note that UNIX users must first manually run a kinit before attempting to authenticate, as described in Obtaining a TGT for a BMC Server Automation client (UNIX only).
$ blcred cred -acquire profile name: adkProfile Authentication succeeded: acquired session credential
Obtaining a session credential by referencing a keytab file
If you are running Network Shell or the BLCLI in batch mode and you must obtain a session credential non-interactively, you can direct
blcred to retrieve an SRP user name and password from an SRP keytab file, using a command like the following
blcred cred -acquire -profile srpProfile -i /home/<user>/user_info.dat
Obtaining a session credential using an SRP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using SRP authentication, you can direct
blcred to obtain a session credential.
blcred cred -acquire -profile srpProfile -username BLAdmin -password ******
Obtaining a session credential using an LDAP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using LDAP authentication, you can direct
blcred to obtain a session credential. If you are using a distinguished name template, you only have to provide a partial distinguished name (in this case admin ) and an LDAP password.
blcred cred -acquire -profile ldapProfile -username admin -password ******
If you are not using distinguished name templates, you must provide a full distinguished name and a password.
Displaying the contents of a session credential
blcred command similar to the following
blcred cred -list
you can display the contents of your current session credential.
Username: RBACAdmin Authentication: SRP Issuing Service: service:authsvc.bladelogic:blauth://localhost:9840 Expiration Time: Fri Aug 17 20:57:29 EDT 2007 Maximum Lifetime: Sat Aug 18 06:57:29 EDT 2007 Client address: 127.0.0.1 Authorized Roles: RBACAdmins Destination URLs: service:appsvc.bladelogic:blsess://localhost:9841 service:proxysvc.bladelogic:blsess://localhost:9842