Using the blcred utility
The blcred
utility manages authentication profiles, session credentials, and trusted certificates. To use blcred
, you must install the TrueSight Server Automation Console.
This topic includes the following sections:
About session credentials
To log on to a TrueSight Server Automation system, a user must provide an authentication profile, user name, and password. The authentication profile specifies a TrueSight Server Automation Authentication Service and the mechanism that should be employed to authenticate the user. After the Authentication Service validates a user, the Authentication Service issues a session credential. This session credential can be stored in a credential cache file.
TrueSight Server Automation client applications use session credentials to establish secure sessions with a middle tier service-either the Application Service or the Network Shell Proxy Service. TrueSight Server Automation client applications can use a cached session credential when the owner of the credential cache file invokes the client application.
Session credentials have a finite lifetime. After a session credential has expired, it cannot be used to establish a client/server session. However, an established client/server session can continue even though the session credential used to establish that session has expired.
About the blcred
command line utility
TrueSight Server Automation users can log on and acquire session credentials using the TrueSight Server Automation Console or blcred
command line utility. When operating in a command line environment, the blcred
utility lets you:
- Create an authentication profile
- Acquire a session credential by providing an authentication profile and the appropriate user credentials for each authentication protocol, as described below:
- SRP — User name and password.
- LDAP — Distinguished name and password.
- SecurID — User name and passcode (PIN plus token code).
- AD/Kerberos — The
blcred
utility retrieves the AD/Kerberos user credential from the host system's AD/Kerberos credential store; users do not explicitly use the command line interface to provide AD/Kerberos credentials. - Domain Authentication — User name (in the form user@KRBDOMAIN.COMPANY.COM) and password.
- PKI — Insert a smart card into a smart card reader and provide the appropriate PIN for that smart card. You must insert the smart card before you can use
blcred
to run theacquire
command to obtain a session credential.
- Test whether a valid session credential already exists and determine the lifetime remaining for that credential.
- Review, add, and delete authentication profiles.
- Review, add, import, and delete trusted X.509 certificates.
- On clients, X.509 certificates are used when establishing a TLS connection to an Authentication Service, Application Server, or Network Shell proxy server.
- On Application Servers, X.509 certificates are used when establishing a TLS connection to an LDAP server.
Available command line options
For a complete description of all available command line options, refer to the man page for the blcred
command.
Typical scenarios for using blcred
The following sections describe some typical scenarios for using the blcred
command.
Testing for valid session credentials
If you are using a command line (BLCLI or Network Shell in proxy mode) and you want to determine whether you have a valid session credential, run the following command:
blcred cred -test -profile MyProfile
where MyProfile
is the name of the authentication profile for which a session credential has been issued. If this command is successful, it generates a return code of 0, which means a valid session credential does exist for MyProfile.
To determine whether a credential's remaining lifetime exceeds a specified number of minutes, enter a command similar to the following:
blcred cred -test -profile MyProfile -time 500
where 500
is a remaining lifetime in minutes. If this command is successful, it generates a return code of 0, which means the MyProfile session credential is valid for at least 500 minutes.
Interactively obtaining a session credential
If you are interactively running Network Shell (in proxy mode) or the BLCLI and you must obtain a session credential but cannot use the console, run the following command:
blcred cred -acquire
The blcred
utility prompts for an authentication profile name, user name and password if the named profile specifies SRP authentication. The example below shows an authentication session that prompts the user for credential information. Alternatively, you can specify the profile name, user name and password as command line options.
$ blcred cred -acquire
profile name: srpProfile
username: BLAdmin
password \*****\*
Authentication succeeded: acquired session credential
If you are using AD/Kerberos authentication, you can enter the same command, but when prompted for an authentication profile name, you must enter a profile name that calls for AD/Kerberos authentication. (Alternatively, you can specify the profile name as a command line option.) When employing AD/Kerberos authentication, blcred
does not prompt the user for a name or password. Instead, it retrieves the user's Kerberos credential from the host operating system's AD/Kerberos credential cache. Note that UNIX users must first manually run a kinit before attempting to authenticate, as described in Obtaining a TGT for a TrueSight Server Automation client (UNIX only).
$ blcred cred -acquire
profile name: adkProfile
Authentication succeeded: acquired session credential
Obtaining a session credential by referencing a keytab file
If you are running Network Shell or the BLCLI in batch mode and you must obtain a session credential non-interactively, you can direct blcred
to retrieve an SRP user name and password from an SRP keytab file, using a command like the following
blcred cred -acquire -profile srpProfile -i /home/<user>/user_info.dat
Obtaining a session credential using an SRP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using SRP authentication, you can direct blcred
to obtain a session credential.
blcred cred -acquire -profile srpProfile -username BLAdmin -password ******
Obtaining a session credential using an LDAP authentication profile
If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using LDAP authentication, you can direct blcred
to obtain a session credential. If you are using a distinguished name template, you only have to provide a partial distinguished name (in this case admin ) and an LDAP password.
blcred cred -acquire -profile ldapProfile -username admin -password ******
If you are not using distinguished name templates, you must provide a full distinguished name and a password.
Displaying the contents of a session credential
Using a blcred
command similar to the following
blcred cred -list
you can display the contents of your current session credential.
Username: RBACAdmin
Authentication: SRP
Issuing Service: service:authsvc.bladelogic:blauth://localhost:9840
Expiration Time: Fri Aug 17 20:57:29 EDT 2007
Maximum Lifetime: Sat Aug 18 06:57:29 EDT 2007
Client address: 127.0.0.1
Authorized Roles:
RBACAdmins
Destination URLs:
service:appsvc.bladelogic:blsess://localhost:9841
service:proxysvc.bladelogic:blsess://localhost:9842
Comments
What is the right command to acquire SSO authentication from Prompt NSH ?
Hi Maximilien,
This is the command to acquire from NSH: blcred cred -acquire -profile srpProfile -username BLAdmin -password <password>