Using the blcred utility

The blcred utility manages authentication profiles, session credentials, and trusted certificates. To use blcred, you must install the TrueSight Server Automation Console.

This topic includes the following sections:

About session credentials

To log on to a TrueSight Server Automation system, a user must provide an authentication profile, user name, and password. The authentication profile specifies a TrueSight Server Automation Authentication Service and the mechanism that should be employed to authenticate the user. After the Authentication Service validates a user, the Authentication Service issues a session credential. This session credential can be stored in a credential cache file.

TrueSight Server Automation client applications use session credentials to establish secure sessions with a middle tier service-either the Application Service or the Network Shell Proxy Service. TrueSight Server Automation client applications can use a cached session credential when the owner of the credential cache file invokes the client application.

Session credentials have a finite lifetime. After a session credential has expired, it cannot be used to establish a client/server session. However, an established client/server session can continue even though the session credential used to establish that session has expired.

About the blcred command line utility

TrueSight Server Automation users can log on and acquire session credentials using the TrueSight Server Automation Console or blcred command line utility. When operating in a command line environment, the blcred utility lets you:

  • Create an authentication profile
  • Acquire a session credential by providing an authentication profile and the appropriate user credentials for each authentication protocol, as described below:
    • SRP — User name and password.
    • LDAP — Distinguished name and password.
    • SecurID — User name and passcode (PIN plus token code).
    • AD/Kerberos — The blcred utility retrieves the AD/Kerberos user credential from the host system's AD/Kerberos credential store; users do not explicitly use the command line interface to provide AD/Kerberos credentials.
    • Domain Authentication — User name (in the form user@KRBDOMAIN.COMPANY.COM) and password.
    • PKI — Insert a smart card into a smart card reader and provide the appropriate PIN for that smart card. You must insert the smart card before you can use blcred to run the acquire command to obtain a session credential.
  • Test whether a valid session credential already exists and determine the lifetime remaining for that credential.
  • Review, add, and delete authentication profiles.
  • Review, add, import, and delete trusted X.509 certificates.
    • On clients, X.509 certificates are used when establishing a TLS connection to an Authentication Service, Application Server, or Network Shell proxy server.
    • On Application Servers, X.509 certificates are used when establishing a TLS connection to an LDAP server.

Available command line options

For a complete description of all available command line options, refer to the man page for the blcred command.

Typical scenarios for using blcred

The following sections describe some typical scenarios for using the blcred command.

Testing for valid session credentials

If you are using a command line (BLCLI or Network Shell in proxy mode) and you want to determine whether you have a valid session credential, run the following command:

blcred cred -test -profile MyProfile

where MyProfile is the name of the authentication profile for which a session credential has been issued. If this command is successful, it generates a return code of 0, which means a valid session credential does exist for MyProfile.

To determine whether a credential's remaining lifetime exceeds a specified number of minutes, enter a command similar to the following:

blcred cred -test -profile MyProfile -time 500

where 500 is a remaining lifetime in minutes. If this command is successful, it generates a return code of 0, which means the MyProfile session credential is valid for at least 500 minutes.

Interactively obtaining a session credential

If you are interactively running Network Shell (in proxy mode) or the BLCLI and you must obtain a session credential but cannot use the console, run the following command:

blcred cred -acquire

The blcred utility prompts for an authentication profile name, user name and password if the named profile specifies SRP authentication. The example below shows an authentication session that prompts the user for credential information. Alternatively, you can specify the profile name, user name and password as command line options.

$ blcred cred -acquire
profile name: srpProfile
username: BLAdmin
password \*****\*
Authentication succeeded: acquired session credential

If you are using AD/Kerberos authentication, you can enter the same command, but when prompted for an authentication profile name, you must enter a profile name that calls for AD/Kerberos authentication. (Alternatively, you can specify the profile name as a command line option.) When employing AD/Kerberos authentication, blcred does not prompt the user for a name or password. Instead, it retrieves the user's Kerberos credential from the host operating system's AD/Kerberos credential cache. Note that UNIX users must first manually run a kinit before attempting to authenticate, as described in Obtaining-a-TGT-for-a-TrueSight-Server-Automation-client-UNIX-only.

$ blcred cred -acquire
profile name: adkProfile
Authentication succeeded: acquired session credential

Obtaining a session credential by referencing a keytab file

If you are running Network Shell or the BLCLI in batch mode and you must obtain a session credential non-interactively, you can direct blcred to retrieve an SRP user name and password from an SRP keytab file, using a command like the following

blcred cred -acquire -profile srpProfile -i /home/<user>/user_info.dat

Obtaining a session credential using an SRP authentication profile

If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using SRP authentication, you can direct blcred to obtain a session credential.

blcred cred -acquire -profile srpProfile -username BLAdmin -password ******

Obtaining a session credential using an LDAP authentication profile

If you are running Network Shell or the BLCLI in batch mode, you must obtain a session credential non-interactively, and you are using LDAP authentication, you can direct blcred to obtain a session credential. If you are using a distinguished name template, you only have to provide a partial distinguished name (in this case admin ) and an LDAP password.

blcred cred -acquire -profile ldapProfile -username admin -password ******

If you are not using distinguished name templates, you must provide a full distinguished name and a password.

Displaying the contents of a session credential

Using a blcred command similar to the following

blcred cred -list

you can display the contents of your current session credential.

Username:         RBACAdmin
Authentication:   SRP
Issuing Service:  service:authsvc.bladelogic:blauth://localhost:9840
Expiration Time:  Fri Aug 17 20:57:29 EDT 2007
Maximum Lifetime: Sat Aug 18 06:57:29 EDT 2007
Client address:   127.0.0.1
Authorized Roles:
    RBACAdmins
Destination URLs:
    service:appsvc.bladelogic:blsess://localhost:9841
    service:proxysvc.bladelogic:blsess://localhost:9842

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*