Author Topic: ars.stash usage

PBastien

  • Jr. Member
  • Posts: 10
ars.stash usage
« on: September 12, 2013, 12:54:18 PM »
Good day :)

We are upgrading to v9 and we have been experimenting with the ars.stash options. We plan to use it to store our service accounts (users defined specifically for certain tasks and used only in our daily batch scripts). Here are the questions:

1- Is there a way to list the users already defined in the ars.stash file (without their passwords, of course)? 

2- From what I understood by reading the documentation, I was expecting to be able to omit the -p parameter in all commands when the user specified was defined in the ars.stash file.  However, this seems to work only for the ARSLOAD command.  When using other users in other commands (such as ARSDOC UPDATE) the full path to the ars.stash file must be entered with the -p parameter even if the user was previously defined in the stash file... Is there something I missed ???

3- Doesn't the use of the ars.stash file generate other security issues? Ok, the use of the ars.stash file eliminates the need to include passwords in our scripts... That is why we restricted access to the scripts,  but now, will it not allow anyone to submit line commands without knowing the passwords?

Have a great day  ;D

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • Posts: 1002
Re: ars.stash usage
« Reply #1 on: September 12, 2013, 10:42:55 PM »
Good day  :D

I have a little experience with arsstash, so I will try to answer with the best of my knowledge:

1- Not that I know of! Maybe that would be a great new feature for that command line tool :-) or maybe this is security related... and it will never happen :-(

2- If I'm not wrong, when you define the stash in ars.ini with the parameter SRVR_OD_STASH and then store all your id/pwd there, you should not need the -p at all. If that works, then it is a "Global" stash, and you can override it by creating a new stash and referencing it with the -p parameter.

3- Well, for that you need to ensure that the stash has the correct permissions. For example, user "arsload" might only do the arsload command with the arsload.stash, which is only accessible to him, but user "businessuser" cannot use the stash of the user "arsload" because he cannot read it, but he has his own stash "busu.stash" so he can do his own query, and it is also protected by permissions, so nobody except him can read the stash file.
I think we must play with file security and different stash for different purpose here to add more "security"...

Sincerely yours,
Alessandro
Alessandro Perucchi

#Install #Migrations #Conversion #Educate #Repair #Upgrade #Migrate #Enhance #Optimize #AIX #Linux #Multiplatforms #DB2 #Windows #Oracle #TSM #Tivoli #Performance #Audits #Customizing #Availability #HA #DR #JavaApi #ContentNavigator #ICN #WEBi #ODWEK #Services #PDF #AFP #XML

PBastien

  • Jr. Member
  • Posts: 10
Re: ars.stash usage
« Reply #2 on: September 13, 2013, 08:29:15 AM »
Hi Alessandro!

   Thanks for the reply :)
   
1. Thanks for the confirmation... it might be a "nice to have" functionality...

2. What you describe matches my understanding of the documentation... but not how CMOD behaves :(   We have defined the ars.stash file location in the ars.ini with the parameter SRVR_OD_STASH, and we have all our userId/passwords stored in that stash file. However, according to my tests, CMOD still requests the -p parameter, except for ARSLOAD... bug?

3. Thanks for your insights on this.  I took good note of your ideas, however we plan to stick to using only one generic ars.stash file. We'll simply restrict the read access to it.

Have a great weekend  :D

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • Posts: 1002
Re: ars.stash usage
« Reply #3 on: September 16, 2013, 08:42:06 AM »
2. What you describe matches my understanding of the documentation... but not how CMOD behaves :(   We have defined the ars.stash file location in the ars.ini with the parameter SRVR_OD_STASH, and we have all our userId/passwords stored in that stash file. However, according to my tests, CMOD still requests the -p parameter, except for ARSLOAD... bug?

Hmmmmmmmmm I didn't really check, but I had this feeling when I tried quickly, and then never had the time to test it really deeply.
Maybe it would be nice to open a PMR, and see what the Labs are saying about this feature/bug.
Alessandro Perucchi


PBastien

  • Jr. Member
  • Posts: 10
Re: ars.stash usage
« Reply #4 on: September 24, 2013, 01:38:44 PM »
Hi, 
  here is an update... According to the article I found in the OnDemand Newsletter (2nd Quarter 2013), the arsstash password usage seems to behave as they describe. Seems like we'll have to include the path and filename of the ars.stash file in the -p parameter after all...

Here is an excerpt:

The stash file to be used by an instance is specified in the ars.ini file (or in the Registry on
Windows) with the SRVR_OD_STASH parameter. For example,
SRVR_OD_STASH=/opt/IBM/ondemand/V9.0/config/ars.stash

The stash file can be used by these commands: arsadmin, arsdoc, arsload, arsmaint, arsrd, and
arsxml. In our example we will use arsload. The supported values for the -a parameter are
available in the arsstash help text.

1) The preferred method is to set a userid and password for the each command in the stash
file. After doing so, the arsload command can be invoked without specifying either the -u
userid or the -p password parameters. This method is always recommended when
running the arsload command as a daemon. To use this method, first run the arsstash
command to store the userid and password for the arsload command: arsstash -a 3 -s
ars.stash -u <userid> and then enter and verify the password when prompted. Then,
when running the arsload command, omit the -u and -p parameters. The arsload
command will obtain the arsload userid and password from the stash file.

2) A second method is to specify the -u parameter for another OnDemand userid that exists
in the stash file. To use this method, first run the arsstash command to store the userid and
password in the stash file: arsstash -a 1 -s ars.stash -u <userid> and then enter and verify
the password when prompted. Then, when running the arsload command, specify the -u
<userid> and -p <stash file> parameters. The arsload command will obtain the password
for the specified userid from the stash file.


cheers,
Patrick
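
A check for the file-permission approach discussed in this thread, as an added example that is not from the posters or from IBM: it reads the SRVR_OD_STASH entries from an ars.ini and fails if a referenced stash file is missing, is a symlink, or is accessible to group or others. The function names and the sample files built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the permissions of stash files referenced in ars.ini.
# Assumes entries look like SRVR_OD_STASH=/path/to/ars.stash (as in the excerpt).

# Print each stash path configured with SRVR_OD_STASH in the ars.ini given as $1.
stash_paths() {
    sed -n 's/^[[:space:]]*SRVR_OD_STASH[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# Succeed only for a regular, non-symlink file with no group or other access.
stash_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Report every configured stash; return 1 if any is missing or too permissive.
audit_stash() {
    rc=0
    paths=$(stash_paths "$1")
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if stash_is_private "$p"; then
            echo "OK    $p"
        else
            echo "FAIL  $p (missing, symlink, or accessible beyond its owner)"
            rc=1
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Constructed sample: one private stash (600) and one world-readable stash (644).
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/good.stash"; chmod 600 "$d/good.stash"
    : > "$d/bad.stash";  chmod 644 "$d/bad.stash"
    printf 'SRVR_OD_STASH=%s\n' "$d/good.stash" > "$d/good.ini"
    printf 'SRVR_OD_STASH=%s\n' "$d/bad.stash" > "$d/bad.ini"
    audit_stash "$d/good.ini" && good=0 || good=$?
    audit_stash "$d/bad.ini" && bad=0 || bad=$?
    rm -rf "$d"
    echo "private stash rc=$good, world-readable stash rc=$bad"
}

demo
```

Run `audit_stash /path/to/ars.ini` as the account that owns the batch scripts; a non-zero return code can gate the job before any command reads the stash.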

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • Posts: 1002
Re: ars.stash usage
« Reply #5 on: October 01, 2013, 05:31:19 AM »

Thank you very much for finding this gem :-) I should read this newsletter more often !!  ;)

Alessandro Perucchi
