Managing credential records for applications on remote systems

You can define a credential record for each application on a remote system for which you want a specific user to run actions. Use the iadmin command with the following options to update credential records in the credential_repository.xml file and to initialize any changes to the action task definitions in the .xml files in the installationDirectory\pw\server\data\admin\actions directory (Microsoft Windows) or user/pw/server/data/admin/actions directory (UNIX or Linux).

 


The iadmin options for the credential record are:

| Command | Description |
| --- | --- |
| -acr | Adds a credential record to the credential_repository.xml file. |
| -mcr | Modifies an existing credential record. |
| -dcr | Deletes a credential record. |
| -lcr | Lists the credential records. |
| -reinit actions | Loads the action files after any additions or changes to the action tasks defined in the .xml files in the installationDirectory\pw\server\data\admin\actions directory (Microsoft Windows) or /usr/pw/pronto/data/admin/actions directory (UNIX or Linux). |

Guidelines for using the iadmin command to manage credential records

  • The asterisk (*) functions as a wildcard. It is a valid entry only for the applicationname and applicationinstancename fields, where it indicates that any value of the applicationname or applicationinstancename field is acceptable.
  • The search algorithm does not support pattern matching. Your entry must exactly match the underlying value.
  • Any alphanumeric value is valid for the applicationname and applicationinstancename fields.
  • Enclose any password values in double quotation marks to ensure proper processing. On UNIX or Linux systems, run the iadmin command without the bash shell to reinforce the proper processing of the password value.

To add a credential record

From the installationDirectory\pw\server\bin directory (Microsoft Windows) or the /usr/pw/server/bin directory (UNIX or Linux), run the iadmin command with the -acr option, using the following syntax:

iadmin -acr userorgroup=<user/group>:credentialId=<string>:
applicationname=<string>:applicationinstance=<string>:
hostname_or_domain=<Hostname or Domain>:loginuser=<string>:
loginpassword=<string>:executeuser=<string>:executepassword=<string>:
login_user_domain=<string>

The following table lists the required fields for the -acr option. You must include values for the required fields; otherwise, the credential record is not created.

Required fields: adding a credential record

| -acr field name | Description |
| --- | --- |
| credentialId | The user account (default) or the group Id value. |
| hostname_or_domain | The host name of the remote system, as in myremotecomputer123, or the domain name in which it resides. |
| applicationname | Name of the application. You can enter an asterisk "*" to bypass a specific application value. |
| applicationinstance | Name of the application instance. You can enter an asterisk "*" to bypass a specific instance value. |
| login_user_domain | This option is required when the log-on account belongs to a Microsoft Windows system. |

The userorgroup field is optional. If you leave the userorgroup field blank, the -acr option assumes that user is the selection, and the value you enter in the credentialId field (required) is the user account. To specify a group Id value, set the userorgroup field equal to group, and then specify the group value in the credentialId field. 

Using the iadmin command syntax, you enter password values in clear text. However, the passwords are encrypted when they are added to the credential_repository.xml file.

To modify a credential record

From the installationDirectory\pw\server\bin directory (Microsoft Windows) or /usr/pw/server/bin directory (UNIX or Linux), run the iadmin command with the -mcr option, using the following syntax:

iadmin -mcr userorgroup=<user/group>:
credentialId=<string>:hostname_or_domain=<string>:
applicationname=<string>:applicationinstance=<string>:
login_user_domain=<string>:loginuser=<string>:
loginpassword=<string>:executeuser=<string>:
executepassword=<string>


You can modify any of the fields, but you must enter the required fields listed in the following table to create a record.

Required fields: modifying a credential record

| -mcr field name | Description |
| --- | --- |
| credentialId | The user account (default) or the group Id value. If you specify a group Id value, you must set userorgroup equal to group. |
| hostname_or_domain | The host name of the remote system, such as myremotecomputer123, or the domain name where the remote system resides (domain). |
| applicationname | Name of the application. You can enter an asterisk "*" to bypass a specific application value. |
| applicationinstance | Name of the application instance. You can enter an asterisk "*" to bypass a specific instance value. |

To delete a credential record

  1. From the installationDirectory\pw\server\bin directory (Microsoft Windows) or /usr/pw/server/bin directory (UNIX or Linux), run the iadmin command with the -dcr option, using the following syntax:

    iadmin -dcr userorgroup=<user/group>:credentialId=<string>:
    hostname_or_domain=<string>:applicationname=<string>:
    applicationinstance=<string>
  2. To delete a record, you must specify values for the required fields listed in the following table:
    Required fields: deleting a credential record

    | -dcr field name | Description |
    | --- | --- |
    | credentialId | The user account (default) or the group Id value. |
    | hostname_or_domain | The host name of the remote system, such as myremotecomputer123, or the domain name where the remote system resides. |
    | applicationname | Name of the application. You can enter an asterisk "*" to include all values. |
    | applicationinstance | Name of the application instance. You can enter an asterisk "*" to include all values. |

To list credential records

From the installationDirectory\pw\server\bin directory (Microsoft Windows) or /usr/pw/server/bin directory (UNIX or Linux), run the iadmin command using the -lcr option, as in the following example. You do not have to specify any credential record parameters.

 

iadmin -lcr

How JServer searches for credentials

After the action rule invokes the action task, the JServer searches the credential records for the corresponding remote log-on credentials in the following sequence:

  1. JServer_USER + ApplicationName + ApplicationInstanceName + Host
  2. JServer_USER_GROUP + ApplicationName + ApplicationInstanceName + Host
  3. JServer_USER + ApplicationName + ApplicationInstanceName + Domain
  4. JServer_USER_GROUP + ApplicationName + ApplicationInstanceName + Domain
  5. JServer_USER + ApplicationName + * + Host
  6. JServer_USER_GROUP + ApplicationName + * + Host
  7. JServer_USER + ApplicationName + * + Domain
  8. JServer_USER_GROUP + ApplicationName + * + Domain
  9. JServer_USER + * + * + Host
  10. JServer_USER_GROUP + * + * + Host
  11. JServer_USER + * + * + Domain
  12. JServer_USER_GROUP + * + * + Domain
  13. JServer_USER + * + ApplicationInstanceName + Host
  14. JServer_USER_GROUP + * + ApplicationInstanceName + Host
  15. JServer_USER + * + ApplicationInstanceName + Domain
  16. JServer_USER_GROUP + * + ApplicationInstanceName + Domain

    The wildcard * in the ApplicationName and ApplicationInstanceName fields indicates any value.

    If you are implementing automatic remote execution, the JServer searches the credential records for a JServer_USER with the same value as the JServer user name defined under the Encryption Key parameter of the Admin record. Therefore, to use the default Admin record, you must modify the default Encryption Key value of 0 by changing it to a specific JServer user name and password. Then, in the credential record, define the JServer user with the credential ID set equal to the value you specified in the Encryption Key value of the Admin record.
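
The 16-step search sequence above, written out as an added example (not the product's own code): resolve walks the lookups in the documented order and reports which step matched, and catch_all flags records that carry "*" in both fields and therefore answer for any application on their host or domain. The Record type, the function names and the sample values are constructed for illustration; the page does not say how JServer determines a user's group or a host's domain, so both are passed in as inputs, and case-sensitive matching is an assumption.

```python
from typing import Iterator, NamedTuple, Optional

class Record(NamedTuple):
    kind: str      # userorgroup: "user" or "group"
    cred_id: str   # credentialId
    app: str       # applicationname, or "*"
    inst: str      # applicationinstance, or "*"
    target: str    # hostname_or_domain

# (use ApplicationName?, use ApplicationInstanceName?) in the documented
# order; False means the lookup key carries "*" in that field.
PATTERNS = [(True, True), (True, False), (False, False), (False, True)]

def search_order(user, group, app, inst, host, domain) -> Iterator[tuple]:
    """Yield (step, key) for the 16 documented lookups, in sequence."""
    step = 0
    for use_app, use_inst in PATTERNS:
        for target in (host, domain):
            for kind, cred_id in (("user", user), ("group", group)):
                step += 1
                yield step, Record(kind, cred_id, app if use_app else "*",
                                   inst if use_inst else "*", target)

def resolve(records, user, group, app, inst, host, domain) -> Optional[tuple]:
    """Return (step, record) for the first exact match, else None."""
    stored = set(records)  # exact comparison only, no pattern matching
    for step, key in search_order(user, group, app, inst, host, domain):
        if key in stored:
            return step, key
    return None

def catch_all(records) -> list:
    """Records with '*' in both fields: they answer for any application."""
    return [r for r in records if r.app == "*" and r.inst == "*"]

# Constructed sample repository (not taken from a real installation).
SAMPLE = [
    Record("user", "alice", "payroll", "*", "host01"),
    Record("group", "ops", "*", "*", "corp.example"),
]

if __name__ == "__main__":
    print(resolve(SAMPLE, "alice", "ops", "payroll", "prod1", "host01", "corp.example"))
    print(resolve(SAMPLE, "bob", "ops", "crm", "main", "host02", "corp.example"))
    print(catch_all(SAMPLE))
```

In the sample, the request for bob falls through to step 12 and is served by the group-wide "*" + "*" domain record, which is the kind of broad fallback worth reviewing when auditing the output of iadmin -lcr.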