OnDemand User Group

Support Forums => iSeries => Topic started by: brice on July 07, 2020, 11:47:07 AM

Title: Question regarding stash files
Post by: brice on July 07, 2020, 11:47:07 AM
Hi,

I'm new to this stash file setup. I've created my first stash file and have set up the path in the ARS.INI file to point to that file. My question is regarding user IDs. I've added a user ID in there for the ARSDOC DELETE, but when the user job executes, it will come back and say that the password for the profile and the password in the file are not the same. Does the ARSSTASH command not take the password based on the profile? Does the -p still have to be specified in the command, or just -u?

Also, when I use the ARSSTASH command, it asks me for an OnDemand password. Does that establish a password for that stash file? Not sure how that works.

Thanks
Brian
Title: Re: Question regarding stash files
Post by: jsquizz on July 07, 2020, 12:49:32 PM
Stash file holds encrypted passwords. So, you'd add the username/password that's defined in the admin client to the stash file. Then when you do your commands, you use the -p flag and point it to the stash file. That's how I always do it.

I pulled this from my sandbox CMOD, only one I have up right now.

arsstash -a 1 -u admin -s /path/to/ars.stash

It will then prompt you for the password.
Title: Re: Question regarding stash files
Post by: Justin Derrick on July 07, 2020, 01:13:25 PM
So...  a few things.

You need to know that a stash file is associated with a USER, and a ROLE.

You specify the name of the user on the command line when you run the Content Manager OnDemand arsstash command, and enter that user's password when prompted.  But, the secret sauce is the -a parameter, which defines what role that user/password combination is for.

Code:
           1 - Store the OnDemand userid and password (default)
           2 - Delete the OnDemand userid and password
           3 - Store the OnDemand userid and password for ARSLOAD
           4 - Store the OnDemand userid and password for ODF
           5 - Store the OnDemand userid and password for RDF
           6 - Store the OnDemand userid and password for PDD
           7 - Store the LDAP userid and password
           8 - Store the DB2 userid and password
           9 - Store the Oracle userid and password

So you need to get all three items correct - the User, the user's password, and the role you're assigning.

Also, it's not a good idea to create a CMOD stash file for the admin account.  Someone who can read the stash file can use it to do anything they want (reset another user's passwords, delete data, etc.)  It's better to create a user for a specific role, and assign the minimum access required (say, to work with a specific Application Group) to accomplish the task.

There's also a whole discussion to be had about arsdoc delete -- it's NOT wise to use that tool, since it calls into question the accuracy and completeness of your archive, and doesn't delete the underlying documents.  If there are problems with your data, ask the team that supplied the data to correct their data quality issues, and then unload/reload. 

Brice, can you give us more information on what you're trying to accomplish?  Also, can you show us the command you used to create the OnDemand stash file, and how you're trying to use it?

-JD.
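
The warning above, that anyone who can read the stash file can act as the stored user, can be turned into a routine permission check. This is an added example, not code from the thread or from IBM: it assumes a POSIX shell with file authority visible as mode bits, and that ARS.INI names the stash file with a SRVR_OD_STASH=<path> line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: flag stash files that anyone other than
# the owner can access. Assumption: ARS.INI names the stash file with a
# SRVR_OD_STASH=<path> line; adjust KEY if your instance differs.
KEY=SRVR_OD_STASH

# Print each stash path configured in the given ARS.INI-style file.
stash_paths() {
    sed -n "s/^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# Print one finding for a stash file: OK, MISSING or EXPOSED.
check_stash() {
    if [ ! -f "$1" ]; then
        echo "MISSING $1"
        return 0
    fi
    # ls mode string, e.g. -rw-------; characters 5-10 are group and other.
    mode=$(ls -ldL -- "$1" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) echo "OK $1 ($mode)" ;;
        *)      echo "EXPOSED $1 ($mode)" ;;
    esac
}

# Check every stash file the ARS.INI refers to; return 1 if any is not OK.
audit_stash() {
    paths=$(stash_paths "$1")
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        finding=$(check_stash "$p")
        echo "$finding"
        case $finding in OK*) ;; *) rc=1 ;; esac
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed demo: an ARS.INI naming an owner-only and a world-readable stash.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/a.stash"; chmod 600 "$d/a.stash"
    : > "$d/b.stash"; chmod 644 "$d/b.stash"
    printf '%s=%s\n' "$KEY" "$d/a.stash" "$KEY" "$d/b.stash" > "$d/ars.ini"
    audit_stash "$d/ars.ini" && st=0 || st=1
    rm -rf "$d"; return $st
}
demo || true
```

A non-zero return from audit_stash makes it usable as a gate in a scheduled job; it checks file mode only, not what the stored user ID is allowed to do inside OnDemand.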
Title: Re: Question regarding stash files
Post by: jsquizz on July 07, 2020, 02:20:23 PM

Also, it's not a good idea to create a stash file for the admin account.  Someone who can read the stash file can use it to do anything they want (reset another user's passwords, delete data, etc.)  It's better to create a user for a specific role, and assign the minimum access required (say, to work with a specific Application Group) to accomplish the task.



thanks for this.

Shame on installs I've worked on, using "admin" to run arsload/arsdoc, and do the admin work..:D