dssagentuserconfig - DSS 6 | Data Source Solutions Documentation


dssagentuserconfig

Usage

  • <b>dssagentuserconfig</b> [<b>-</b><em>connectopts</em>] List all the agent users in the repository database.
  • <b>dssagentuserconfig</b> [<b>-</b><em>connectopts</em>] <b>-c</b> [<b>-A</b><em>auth</em>] <em>user</em> Create an agent user with the specified authentication method.
  • <b>dssagentuserconfig</b> [<b>-</b><em>connectopts</em>] <b>-d</b> <em>user</em> Delete the agent user.
  • <b>dssagentuserconfig</b> [<b>-</b><em>connectopts</em>] <b>-p</b> <em>user</em> Reset the password of the agent user.

Description

Command dssagentuserconfig allows you to manage agent users. The command includes general options -A, -c, -d, and -p that allow you to create or delete a user and reset a user password, and connection options (connectopts) -C, -h, -K, -k, -L, -l, -R, -r, -S, -s that allow you to access the agent service using different connection modes. For more information, see section Agent Connection Modes.

Options

This section describes the options available for command dssagentuserconfig.

Parameter Description
-Aauth

Set an authentication method for the agent user.

Valid values for auth are:

  • kerberos: The user is authenticated using the Kerberos authentication method. To use this authentication method, Kerberos must be already configured in the user machine/network.

    This authentication method is applicable only for authenticating the agent user on Linux and Solaris systems. Moreover, this authentication is supported only when the hub server is running on Linux.

  • local: The user is authenticated using the username and password of a local user. In this authentication method, the user account is created locally in the DSS Hub System and stored in the repository database of the hub server.
  • pam: The user is authenticated using the username and password of a user available in the Pluggable Authentication Module (PAM). To use this authentication method, PAM must be already configured in the user machine/network. In this authentication method, the DSS uses the PAM authentication service to authenticate a user on Linux and Unix systems. PAM is a login/password authentication service used to validate user credentials on Linux and Unix systems as an alternative to regular username/password authentication, e.g. checking the /etc/passwd file.
    The default PAM authentication service used is login. To use a different PAM service, you must set the agent property PAM_Service using the command dssagentconfig.

    This authentication method is applicable only for authenticating the agent user on Linux and Unix systems.

  • plugin: The user is authenticated using a custom authentication plugin.
    You can supply your own plugin for authenticating the users. The custom plugin file must be named dssauth and saved in the DSS_CONFIG/plugin/authentication/ directory. An example of the custom authentication plugin can be found in the DSS_HOME/plugin_examples/authentication/ directory.

    The plugin must follow these simple calling conventions:

    • It should read a two-line input that contains a username and password.
    • It should exit with code 0 if the username and password are valid. Otherwise, it should exit with code 1.

This option must be used in combination with option -c.

In the User Interface, this option corresponds to the Set Agent Authentication Mode option.
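The calling convention for the plugin authentication method described above (two-line input, exit code 0 or 1), shown as an added example that is neither the sample shipped in DSS_HOME/plugin_examples/authentication/ nor vendor code. It assumes the two lines arrive on standard input; the store path /etc/dssauth.users and its user:iterations:salt_hex:hash_hex record format are hypothetical.

```python
#!/usr/bin/env python3
# Added example of a dssauth plugin (not the vendor's sample). Assumptions: the
# two lines arrive on stdin; the store path and record format are hypothetical.
import hashlib
import hmac
import sys

STORE_PATH = "/etc/dssauth.users"  # hypothetical; keep it readable only by the service account
MAX_LINE = 1024                    # reject oversized input lines
DUMMY_ITERATIONS = 600_000         # KDF cost spent on unknown user names

def derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def parse_store(text):
    """Parse 'user:iterations:salt_hex:hash_hex' lines; '#' starts a comment."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, iterations, salt_hex, hash_hex = line.split(":")
            store[user] = (int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return store

def read_credentials(stream):
    """Return (user, password) from the two-line input, or None if malformed."""
    lines = [stream.readline(MAX_LINE + 1) for _ in range(2)]
    user, password = (line.rstrip("\r\n") for line in lines)
    too_long = any(len(line) > MAX_LINE for line in lines)
    return (user, password) if user and password and not too_long else None

def verify(store, user, password):
    record = store.get(user)
    # Unknown user: still run the KDF so response time does not reveal valid names.
    iterations, salt, expected = record or (DUMMY_ITERATIONS, b"\0" * 16, b"\0" * 32)
    candidate = derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected) and record is not None

def main():
    creds = read_credentials(sys.stdin)
    try:
        with open(STORE_PATH, encoding="utf-8") as fh:
            store = parse_store(fh.read())
    except (OSError, ValueError):
        return 1  # fail closed: an unreadable or malformed store rejects everyone
    return 0 if creds and verify(store, *creds) else 1

if __name__ == "__main__":
    sys.exit(main())
```

Saved as dssauth in DSS_CONFIG/plugin/authentication/, as the plugin description requires, it applies to users created with -A plugin.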
-Cagent_pub_cert_fname

The directory path where a PEM file containing the agent public certificate is located. This is required to verify the identity of the DSS Agent by verifying its public certificate. For more information, see the agent property Agent_Server_Public_Certificate.

-c

Create an agent user.

To set the authentication method, this option must be used in combination with option -A. If option -A is not supplied, the agent user will be created with the local authentication.

The user will be prompted for a password if the authentication method is local.

In the User Interface, this option corresponds to the Delete option from the More Options menu.
-d

Delete the agent user.

In the User Interface, this option corresponds to the Delete option from the More Options menu.
-hhub

Hub that connects to the agent.

-Kclient_pub_cert_fname

The directory path where a PEM file containing the client public certificate is located. This is required to verify the public certificate and private key (option -k) of the hub that connects to the agent. For more information, see the repository property Agent_Client_Public_Certificate.

-kclient_priv_key_fname

The directory path where a PEM file containing the client private key is located. A password will be prompted for the client private key. For more information, see the repository properties Agent_Client_Private_Key and Agent_Client_Private_Key_Password.

-Luser/pwd

Authenticate with the user name (user) or user name and password (user/pwd) on the agent machine for connecting the hub to the agent. If you do not specify a password pwd, it will be prompted for.

This option cannot be combined with options -S and -s.

For more information, see the location properties Agent_User and Agent_Password.

-lloc

Location that connects to the agent.

-p

Reset the password of an agent user.

-Rurl

Remote hub server. Access the hub server running on a remote machine, via the REST interface.

This option is required for remote CLI access. When using this option, command dsslogin should be run first, for authentication.

-rhost:port

Agent host and port. For more information, see the location properties Agent_Host and Agent_Port.

-S

Authenticate using the time-based setup mode. This option cannot be combined with options -L and -s.

For more information, see the agent property Setup_Mode_Timed_Until.

-stoken

Authenticate using the token-based setup mode. This option cannot be combined with options -L and -S.

For more information, see the agent properties Setup_Mode_Token_Name and Setup_Mode_Token_Value.

Agent Connection Modes

DSS supports connection to a remote agent via the DSS hub (either from a hub machine or any client machine) or through direct network access (not via the DSS hub), which depends on your system configuration.

You can also connect to the agent directly from the machine where the agent is installed. In this case, no connection options are required.

Options -k and -K are required when the agent is accessed directly over the network and the anonymous authentication mode is configured. The agent verifies the public certificate and private key pair of the incoming client (via the agent property Only_From_Client_Public_Certificates). When the anonymous authentication mode is configured, the client (hub server) must present a trusted public certificate and private key pair to the agent to be allowed to establish a connection. The hub server's public certificate and private key are automatically generated and stored in the hub server's repository (repository properties Agent_Client_Public_Certificate and Agent_Client_Private_Key) the first time the hub server repository is created.

Option <b>-C</b> is required to verify the connection is made to the correct agent.

Options <b>-L</b>, <b>-S</b>, and <b>-s</b> are used to authenticate to the agent; only one of them can be used at a time.

If the anonymous authentication mode is configured for the agent, a better practice would be to connect to it via the hub server system using options <b>-R</b> and <b>-r</b> that give access to the client public certificate and private key stored on the hub server (see section Access Via Hub Server System). In this case, options <b>-k</b> and <b>-K</b> are not required.

Direct Network Access

To access an agent via the direct network connection, the following set of connection options can be used.

dssagentuserconfig -r<em>host</em>:<em>port</em> [-C<em>agent_pub_cert_fname</em>] [-k<em>client_priv_key_fname</em> -K<em>client_pub_cert_fname</em>] [-L<em>user</em>[/<em>pwd</em>]] [-S] [-s<em>token</em>]

Access Via Hub Server System

Omit option <b>-R</b><em>url</em> when connecting to the agent from the hub server machine.

To access an agent configured on an existing location via a hub server system, the following set of connection options can be applied.

dssagentuserconfig [-R<em>url</em>] -h<em>hub</em> -l<em>loc</em> [-L<em>user</em>[/<em>pwd</em>]] [-S] [-s<em>token</em>]

To access an agent via a hub server system when creating a new location, the following set of connection options can be applied.

dssagentuserconfig [-R<em>url</em>] -h<em>hub</em> -r<em>host</em>:<em>port</em> [-C<em>agent_pub_cert_fname</em>] [-L<em>user</em>/<em>pwd</em>] [-S] [-s<em>token</em>]

Examples

This section provides examples of using the dssagentuserconfig command.

Example 1. Create agent user with 'local' authentication

dssagentuserconfig -c -A local agent_user_name

Example 2. Create agent user from remote machine

The following command creates an agent user named admin with local authentication. In this case, a remote connection via the hub server system (<b>-R</b>) is made to the agent service that runs in the setup mode (<b>-S</b>).

dssagentuserconfig -R http://hubserverhost:4343/ -h myhub -r agenthost:4340 -S -c admin