Managing security information with mqsusertool command line tool
The mqsusertool command manages MainView Middleware Monitor security information. The tool runs in several modes selected by a sub-command verb given as the first command-line option. The syntax for each mode is described in the following sections.
mqsusertool options for account verb
The account verb allows for setting or resetting a user account or service user account password.
mqsusertool --account account_options -target target target_options [target target_options]*

account_options are the arguments and options for the --account command:
    -user user -password password  or
    -user user -unlock  or
    -sync -user user  or
    -syncall
mqsusertool 9.0.00 (build 480)
(C) Copyright 1996-2020 BMC Software, Inc.
Usage:
    mqsusertool --account account_options -target target target_options [target target_options]*
    mqsusertool --account --help

account_options - arguments and options for the --account command:
    -user user -password password or
    -user user -unlock or
    -sync -user user or
    -syncall or
    -ldap_admin_password password
where:
    -syncall - synchronize passwords for all services among targets
    -sync - synchronize passwords for specific service/user among targets
    -user user - user/service account to be modified (required)
    -password password - password to be set for the user/service (required)
    -unlock - unlock the user account for LDAP targets only. -logon_password is required to unlock, and the password must be for the directory administrator user uid=admin,ou=system.
    -ldap_admin_password password - set administrative password for LDAP targets only. -logon_password is required to set the administrative password, and must be the current password for the directory administrator user uid=admin,ou=system.
For example:
To synchronize (reset) all service account passwords in both FILE (services.cfg) and the internal LDAP directory:
Example
mqsusertool --account -syncall -target FILE -target LDAP -logon_user SA -logon_password YOUR_PASSWORD
To unlock a locked user account:
Example
mqsusertool --account -unlock -user locked_user_name -target LDAP -logon_password LDAP_ADMIN_PASSWORD
The output indicates whether the user account was locked. If the account is not locked, the command has no effect on it.
The ldapsearch command, provided in support_tools/bin, can be used to find all locked user accounts:
Example
ldapsearch -D "uid=admin,ou=system" -w YOUR_LDAP_ADMIN_PASSWORD -b "dc=mqsoftware,dc=com" -H ldaps://FULLY.QUALIFIED.LDAP.HOST.NAME:15011 -s sub "(pwdAccountLockedTime=*)"
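The ldapsearch query above returns one LDIF entry per locked account. The following POSIX shell script is an added example, not part of BMC's documentation or tooling: it parses that LDIF (unfolding LDIF continuation lines), lists each locked uid together with its pwdAccountLockedTime, and then either prints (DRY_RUN set) or runs the unlock command shown above for every locked account. The sample LDIF, the ou=users and ou=services containers and the LDAP_ADMIN_PASSWORD environment variable are constructed assumptions; only the base DN, the attribute name and the mqsusertool unlock syntax come from the page.

```shell
#!/bin/sh
# Added example (not BMC's code): audit locked MVMM LDAP accounts from the
# ldapsearch output above and plan the matching mqsusertool unlock commands.
# Assumes the locked state is exposed as pwdAccountLockedTime (the attribute
# used in the page's ldapsearch filter). All sample data is constructed.

# locked_accounts: read ldapsearch LDIF on stdin and print "<uid> <lockedTime>"
# for every entry carrying pwdAccountLockedTime. LDIF folds long values onto
# continuation lines that start with a single space; those are unfolded first.
locked_accounts() {
  awk '
    BEGIN { RS = ""; FS = "\n" }       # one LDIF entry per blank-line block
    {
      n = 0
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 1) == " " && n > 0) lines[n] = lines[n] substr($i, 2)
        else lines[++n] = $i
      }
      uid = ""; locked = ""
      for (i = 1; i <= n; i++) {
        if (index(lines[i], "uid: ") == 1) uid = substr(lines[i], 6)
        else if (index(lines[i], "pwdAccountLockedTime: ") == 1)
          locked = substr(lines[i], 23)
      }
      if (uid != "" && locked != "") print uid, locked
      split("", lines)                 # clear the array for the next entry
    }
  '
}

# unlock_plan: for each locked uid found in the LDIF on stdin, run the unlock
# command from the page, or only print it when DRY_RUN is set. The directory
# administrator password is taken from LDAP_ADMIN_PASSWORD (assumed variable)
# so it is not typed into the script; it still appears in the mqsusertool
# argument list, so run this from a session with history disabled.
unlock_plan() {
  locked_accounts | while read -r uid locked_time; do
    if [ -n "$DRY_RUN" ]; then
      printf 'mqsusertool --account -unlock -user %s -target LDAP -logon_password "$LDAP_ADMIN_PASSWORD"\n' "$uid"
    else
      mqsusertool --account -unlock -user "$uid" -target LDAP \
        -logon_password "$LDAP_ADMIN_PASSWORD" < /dev/null
    fi
  done
}

# sample_ldif: constructed stand-in for the ldapsearch output (two locked
# entries, one with a folded attribute value).
sample_ldif() {
  cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <dc=mqsoftware,dc=com> with scope subtree
# filter: (pwdAccountLockedTime=*)

dn: uid=jdoe,ou=users,dc=mqsoftware,dc=com
uid: jdoe
cn: John Doe
pwdAccountLockedTime: 2020041
 5103000Z

dn: uid=svc_monitor,ou=services,dc=mqsoftware,dc=com
uid: svc_monitor
pwdAccountLockedTime: 000001010000Z

# search result
search: 2
result: 0 Success
EOF
}

# Stand-alone demonstration: list the locked accounts and the planned commands.
DRY_RUN=1
sample_ldif | locked_accounts
sample_ldif | unlock_plan
```

In real use, pipe the ldapsearch command from the page into `unlock_plan` (with DRY_RUN set first to review the list) instead of `sample_ldif`; the parser does not depend on the order of attributes within an entry.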
To set the LDAP administrative password (for the MVMM internal LDAP server):
Example
mqsusertool --account -ldap_admin_password YOUR_NEW_PASSWORD -target LDAP -logon_password CURRENT_PASSWORD
mqsusertool options for database verb
The database verb enables you to set up the database information or credentials.
mqsusertool --database -h
(C) Copyright 1996-2019 BMC Software, Inc.
mqsusertool 9.0.00 (build number)
    mqsusertool --database database_options -target target target_options [target target_options]*
    mqsusertool --database --help
database_options - arguments and options for the --database command:
    -group group - group keeping database settings to be modified (optional, default: database_login)
    -db_name name - database name
    -db_type type - database type: DB2, Oracle or ORACLE, "Microsoft SQL Server" or MSSQL
    -db_user name - database user
    -db_password password - database password
target - target for the request (required):
    FILE - file (for --account only)
    LDAP - Apache LDAP
    ADS - Windows Active Directory Service
    STANDALONE - start a standalone LDAP server (to be used only when qpas will not start because an incorrect DB configuration was specified during installation or the DB credentials have been altered)
target_options - arguments and options if target FILE was selected:
    -file file - file keeping the settings to be modified (optional, default: services.cfg)
target_options - arguments and options if target LDAP or ADS was selected:
    -logon_user user - user for logging on to the directory service (required)
    -logon_password password - password for logging on to the directory service (required)
    -logon_host host - host of the directory service (optional, default: read from services.cfg)
    -logon_port port - port number of the directory service (optional, default: read from services.cfg)
    -certChain - CA certChain to be used for the secured connection (optional, default: read from services.cfg)
    -storepass - the password for the CA certChain (optional if the entry in services.cfg is readable, required otherwise; default: read from services.cfg)
    -configfile - the login configuration file (optional, default: jetty/apache-ds_jaas.config for LDAP, jetty/ADS_jaas.config for ADS)
Example:
mqsusertool --database -target STANDALONE -logon_user SA -logon_password BMCSOFTWARE -db_type <dbtype> -db_name <dbname> -db_user <dbusername> -db_password <dbpassword>
If you are still encountering database issues after implementing the above, contact BMC Support.
mqsusertool options for encode verb
The encode verb enables you to manually encode credential passwords for different security functions.
<encoding_options> - arguments and options for the --encode command:
    -t <transformation> - transformation algorithm (optional, default: Cryptor). Supported transformations:
        Cryptor, ApacheSHA, ActiveDirectory, password, OBF,
        SHA, SHA-256, SHA-384, SHA-512,
        SSHA, SSHA-256, SSHA-384, SSHA-512,
        MD5, SMD5,
        CRYPT, CRYPT-MD5, CRYPT-SHA-256, CRYPT-SHA-512, CRYPT-BCRYPT,
        PKCS5S2
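The SSHA transformation in the list above is the salted SHA-1 password scheme that LDAP directories store as {SSHA}base64(SHA1(password || salt) || salt). The following POSIX shell functions are an added example, not BMC's code, and do not call mqsusertool: they build and verify such a value with openssl so that an administrator can see what a salted hash looks like, and confirm that a stored value matches a known password without needing the salt separately. The salt file contents and the passwords are constructed; whether the tool's own SSHA output uses exactly this byte layout is not stated on the page and is an assumption.

```shell
#!/bin/sh
# Added example (not BMC's code): produce and check an {SSHA} salted SHA-1
# password hash, the scheme named SSHA in the -t transformation list.
# Layout assumed: base64( SHA1(password || salt) || salt ), prefixed "{SSHA}".
# Requires openssl, dd and cmp; temporary files keep the salt as raw bytes.

# ssha_encode PASSWORD SALTFILE -> prints the {SSHA} string
ssha_encode() {
  pw=$1; saltfile=$2
  b64=$({ { printf '%s' "$pw"; cat "$saltfile"; } | openssl dgst -sha1 -binary
          cat "$saltfile"; } | openssl base64 -A)
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD HASH -> returns 0 when the password matches, 1 otherwise.
# The salt is recovered from the hash itself: everything after the 20 digest bytes.
ssha_verify() {
  pw=$1; hash=$2
  case $hash in '{SSHA}'*) ;; *) return 1 ;; esac
  b64=${hash#??????}                         # strip the six-character "{SSHA}" prefix
  t=$(mktemp -d) || return 1
  printf '%s\n' "$b64" | openssl base64 -d -A > "$t/raw"
  dd if="$t/raw" of="$t/digest" bs=20 count=1 2>/dev/null
  dd if="$t/raw" of="$t/salt" bs=1 skip=20 2>/dev/null
  { printf '%s' "$pw"; cat "$t/salt"; } | openssl dgst -sha1 -binary > "$t/calc"
  if cmp -s "$t/digest" "$t/calc"; then rc=0; else rc=1; fi
  rm -rf "$t"
  return $rc
}

# Stand-alone demonstration with a constructed salt (in real use generate one
# with: openssl rand 8 > salt). Hashing the same password under two salts
# yields two different stored values, which is the point of the salt.
demo_ssha() {
  d=$(mktemp -d) || return 1
  printf 'salt' > "$d/salt1"
  printf 'pepper' > "$d/salt2"
  h1=$(ssha_encode 'correct horse' "$d/salt1")
  h2=$(ssha_encode 'correct horse' "$d/salt2")
  printf 'salt 1: %s\nsalt 2: %s\n' "$h1" "$h2"
  if ssha_verify 'correct horse' "$h1"; then echo "password matches"; fi
  if ssha_verify 'wrong password' "$h1"; then echo "unexpected match"; else echo "wrong password rejected"; fi
  rm -rf "$d"
}
demo_ssha
```

The verifier reads the salt back out of the stored value, so a hash produced by any tool that follows this layout can be checked the same way; a value from another transformation (for example CRYPT-SHA-512 or PKCS5S2) uses a different encoding and is not handled here.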