Managing security information with mqsusertool command line tool

The mqsusertool command can be used to manage MainView Middleware Monitor security information. The tool runs in one of several modes, selected by a sub-command verb given as the first command line option. The syntax for each mode is described in the following sections:

mqsusertool options for account verb

The account verb allows for setting or resetting a user account or service user account password.

mqsusertool --account account_options -target target target_options [target target_options]*

account_options are the arguments and options for the --account command:

-user user -password password or -user user -unlock or -sync -user user or -syncall


mqsusertool 9.0.00 (build 480)
(C) Copyright 1996-2020 BMC Software, Inc.
 
Usage:
  mqsusertool --account account_options -target target target_options
                        [target target_options]*
  mqsusertool --account --help
 
account_options - arguments and options for the --account command:
  -user user -password password    or
  -user user -unlock               or
  -user user -unlock               or
  -sync -user user                 or
  -syncall                         or
  -ldap_admin_password password
 where:
  -syncall     -  synchronize passwords for all services among targets
  -sync        -  synchronize passwords for specific service/user among targets
  -user user         - user/service account to be modified (required)
  -password password - password to be set for the user/service (required)
  -unlock            - unlock the user account for LDAP targets only.
                       -logon_password is required to unlock, and
                        the password must be for the directory administrator user uid=admin,ou=system.
  -ldap_admin_password password - set administrative password for LDAP targets only.
                       -logon_password is required to set the administrative password,
                        and must be the current password for the directory administrator user uid=admin,ou=system.

where:

-syncall - synchronize passwords for all services among targets
-sync - synchronize passwords for specific service/user among targets
-user user - user/service account to be modified (required)
-password password - password to be set for the user/service (required)
-unlock - unlock the user account for LDAP targets only.
(-logon_password is required to unlock. The password must be for the directory administrator user uid=admin,ou=system)

For example:

To synchronize (reset) all service account passwords in both FILE (services.cfg) and the internal LDAP directory:

Example

mqsusertool --account -syncall -target FILE -target LDAP -logon_user SA -logon_password YOUR_PASSWORD


To unlock a locked user account:

Example

mqsusertool --account -unlock -user locked_user_name -target LDAP -logon_password LDAP_ADMIN_PASSWORD

The output indicates whether the user account was locked. If the user account is not locked, this command has no effect on it.

The "ldapsearch" command, provided in support_tools/bin, can be used to find all locked user accounts:

Example

ldapsearch -D "uid=admin,ou=system" -w YOUR_LDAP_ADMIN_PASSWORD -b "dc=mqsoftware,dc=com" -H ldaps://FULLY.QUALIFIED.LDAP.HOST.NAME:15011 -s sub "(pwdAccountLockedTime=*)"
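Added example (not part of the BMC documentation): a shell filter that turns the LDIF returned by the search above into one line per locked account, unfolding wrapped LDIF lines. The sample entries, the ou=users branch and the account names are constructed; the script names pwdAccountLockedTime after the filter because LDAP servers return operational attributes only when they are requested, and the 000001010000Z marker is taken from the LDAP password policy draft.

```shell
#!/bin/sh
# Added example: list locked accounts from ldapsearch LDIF output.
# Intended use (same command as above, with the attribute requested by name):
#   ldapsearch ... -s sub "(pwdAccountLockedTime=*)" pwdAccountLockedTime | locked_accounts

# Reads LDIF on stdin; prints "<dn><TAB><lock time><TAB><kind>" per locked entry.
locked_accounts() {
  awk '
    # LDIF folds long lines: a line starting with one space continues the previous one.
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf); flush() }

    function handle(line) {
      if (line ~ /^dn: /)        { flush(); dn = substr(line, 5) }
      else if (line ~ /^dn:: /)  { flush(); dn = "(base64) " substr(line, 6) }
      else if (tolower(line) ~ /^pwdaccountlockedtime: /) { locked = substr(line, 23) }
    }
    function flush() {
      if (dn != "" && locked != "") {
        # Password policy draft: this fixed value marks a permanent lock.
        kind = (locked == "000001010000Z") ? "permanent" : "timestamp"
        printf "%s\t%s\t%s\n", dn, locked, kind
      }
      dn = ""; locked = ""
    }
  '
}

# Constructed sample LDIF (hypothetical users); the second dn is folded.
sample_ldif() {
  cat <<'EOF'
# extended LDIF
dn: uid=jdoe,ou=users,dc=mqsoftware,dc=com
pwdAccountLockedTime: 20240102030405Z

dn: uid=a-very-long-service-account-name,ou=users,dc=mqsof
 tware,dc=com
pwdAccountLockedTime: 000001010000Z

dn: uid=ok,ou=users,dc=mqsoftware,dc=com
EOF
}

sample_ldif | locked_accounts
```

Entries without pwdAccountLockedTime are skipped, so the filter can also be run over a broader search result.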


To set the LDAP administrative password (for the MVMM internal LDAP server):

Example

mqsusertool --account -ldap_admin_password YOUR_NEW_PASSWORD -target LDAP -logon_password CURRENT_PASSWORD

mqsusertool options for database verb

The database verb enables you to set up the database information or credentials.

mqsusertool --database -h
(C) Copyright 1996-2019 BMC Software, Inc.
mqsusertool 9.0.00 (build number)
mqsusertool --database database_options -target target target_options
      [target target_options]*
mqsusertool --database --help
database_options - arguments and options for the --database command:
      -group group - group keeping database settings to be modified (optional, default: database_login)
      -db_name name - database name
      -db_type type - database type:
        DB2
        Oracle or ORACLE
        "Microsoft SQL Server" or MSSQL

-db_user name - database user

-db_password password - database password

target - target for the request (required)

FILE - file (for --account only)

LDAP - Apache LDAP

ADS - Windows Active Directory Service

STANDALONE - Start a standalone LDAP server (to be used only when qpas will not start due to an incorrect DB configuration specified during installation or the DB credentials have been altered)

target_options - arguments and options if target FILE was selected

-file file - file keeping the settings to be modified (optional, default: services.cfg)

target_options - arguments and options if target LDAP or ADS was selected

-logon_user user - user for logging on to the directory service (required)

-logon_password password - password for logging on to the directory service (required)

-logon_host host - host of the directory service (optional, default: Read from services.cfg)

-logon_port port - port number of the directory service (optional, default: Read from services.cfg)

-certChain - CA certChain to be used for secured connection (optional, default: Read from services.cfg)

-storepass - the password for the CA certChain (optional if entry in services.cfg is readable, required otherwise. default: Read from services.cfg)

-configfile - the login configuration file (optional, default: jetty/apache-ds_jaas.config for LDAP, jetty/ADS_jaas.config for ADS)

Example:

mqsusertool --database -target STANDALONE -logon_user SA -logon_password BMCSOFTWARE -db_type <dbtype> -db_name <dbname> -db_user <dbusername> -db_password <dbpassword>

If you are still encountering database issues after implementing the above, contact BMC Support.

mqsusertool options for encode verb

The encode verb enables you to manually encode credential passwords for different security functions.

<encoding_options> arguments and options for the --encode command:

-t <transformation> transformation algorithm (optional, default: Cryptor)
Cryptor
ApacheSHA
ActiveDirectory
password
OBF
SHA-384
CRYPT-SHA-256
SHA
SMD5
CRYPT-SHA-512
PKCS5S2
SSHA-512
CRYPT-MD5
SSHA-256
SSHA-384
CRYPT-BCRYPT
CRYPT
SHA-256
SHA-512
SSHA
MD5 

