Name
credmgr — manipulate credentials used with the securecreds module
Synopsis
/opt/msys/ecelerity/bin/credmgr { create_db }
/opt/msys/ecelerity/bin/credmgr { create_key }
/opt/msys/ecelerity/bin/credmgr { del_cred }
/opt/msys/ecelerity/bin/credmgr { get_cred }
/opt/msys/ecelerity/bin/credmgr { set_cred }
Description
credmgr is used in conjunction with the securecreds module. Use it to create the credentials database and the credentials key and to set, get, and delete credentials. If you are not using the securecreds module, you do not need to be concerned with this command.
Note
If you are using this tool in a cluster configuration, you must use this tool to set up credentials on each node.
The credentials database is implemented as a SQLite 3 database. Note the following points:
- If during installation you choose to enable encrypted passwords, the credentials database and key are created at the default location. Root has read/write access to this database and ecuser has read access. This is enforced by having credmgr explicitly set the ownership and permissions appropriately on the credentials files.
- In a cluster configuration, the credential database and key are local to each node.
- The credentials database stores usernames and passwords for facilities (or services) running on specified hosts.
- The username, hostname, and facility name serve as the primary key into the credentials database.
- The password is stored in an encrypted form and can be decrypted using the credentials key. The key file should only be available to the root and ecuser system accounts. This is enforced by credmgr, which explicitly sets the ownership and permissions.
The actions that you can perform using this command are:
- create_db – create the SQLite database where the credentials will be stored. If you wish to use the securecreds module, perform this action immediately after installation.
- create_key – create the encryption key. If you change an existing key, all encrypted passwords will be re-encrypted.
- del_cred – delete the credentials for the specified user or hostname.
- get_cred – when used with no other options, gets all credentials. Otherwise, this action retrieves the credentials of the specified user or hostname. If the user does not exist, no credentials are displayed.
- set_cred – set the credentials for the specified user or hostname. Create credentials if the user does not exist.
The options available with credmgr are listed below. Not all options are applicable to all actions.
- -d *`db_file`*
  Set the location of the credentials database file. Use this option with the create_db action. The default value for this option is /opt/msys/ecelerity/etc/credentials.db.
  Warning
  We strongly recommend that you not change the default location of the credentials database. If you absolutely must change the location of this file, create a symlink to the default location.
- -k *`key_file`*
  Set the location of the encryption key file. Use this option with the create_key action. The default value for this option is /opt/msys/ecelerity/etc/credentials.key.
  Warning
  We strongly recommend that you not change the default location of the encryption key. If you absolutely must change the location of this file, create a symlink to the default location.
- -h *`hostname`*, --hostname=*`hostname`*
  Set, get, or delete the credentials associated with the specified hostname. Use this option along with the username and facility options.
- -u *`username`*, --username=*`username`*
  Set, get, or delete the credentials associated with the specified username. Use this option along with the facility and hostname options.
- -f *`facility`*, --facility=*`facility`*
  Set, get, or delete the credentials associated with the specified facility. The facility name identifies the type of service associated with a set of credentials. For example, “ldap” indicates that the credentials apply to an LDAP service. Use this option along with the username and hostname options. Facility names are as follows:
  - pgsql – the built-in PostgreSQL database
  - odbc – any ODBC databases
  - mysql – any MySQL databases
  - ldap – any LDAP services
  - proxy – any proxy server service
- -p *`password`*, --password=*`password`*
  Set, get, or delete a password in plain text. Use this option along with the username, hostname, and facility options.
- -P
  When specified in list credential mode (get_cred with no other options), this option shows clear text passwords.
- --cipher=[aes | des_ede3_cbc | ...]
  The cipher type used to encrypt or decrypt. This option defaults to aes. Use man enc for all supported ciphers on your system.
- --key_size=[16 | 24 | 32]
  The key length, in octets. This option defaults to 32.
- --block_mode=[cbc | ecb | ofb | ...]
  The block mode used to encrypt or decrypt. This option defaults to cbc.
Examples of usage follow:
/opt/msys/ecelerity/bin/credmgr create_db -d /opt/msys/ecelerity/etc/credentials.db
    : create the database at the given location
/opt/msys/ecelerity/bin/credmgr create_key -k /opt/msys/ecelerity/etc/credentials.key
    : create the key file at the given location, with the default encryption/decryption algorithm (aes_256_cbc on Linux)
/opt/msys/ecelerity/bin/credmgr get_cred
    : list all the user entries in the database, without the credential/password
/opt/msys/ecelerity/bin/credmgr get_cred -P
    : list all the entries in the database, with the credential/password shown as clear text
/opt/msys/ecelerity/bin/credmgr get_cred --hostname=host1 --username=user1 --facility=facy1
    : retrieve the password for the user defined by hostname (host1), username (user1), and facility (facy1)
/opt/msys/ecelerity/bin/credmgr set_cred --hostname=host1 --username=user1 --facility=facy1 \
    -p password1
    : set the password for the user with hostname (host1), username (user1), and facility (facy1) to "password1"; the password is updated if the user already exists
/opt/msys/ecelerity/bin/credmgr del_cred --hostname=host1 --username=user1 --facility=facy1
    : delete the credential entry for the user with hostname (host1), username (user1), and facility (facy1)
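The page states that credmgr enforces root read/write and ecuser read access on the credentials database and key. The script below is an added example, not part of the credmgr man page or the Momentum product, that audits those files on a node so drift (a world-readable key, a group-writable database) is caught; the group name ecuser, the exact mode bits it requires (no group write, no "other" bits), and the function names check_cred_file and audit_securecreds are assumptions, while the two paths are the defaults the man page documents.

```shell
#!/bin/sh
# Added example (not from the credmgr man page): audit ownership and mode of
# the securecreds credential files. Group "ecuser" and the required mode bits
# are assumptions; the default paths are the ones the man page lists.

# Print "owner group octal-mode" for a file (GNU stat, with BSD stat fallback).
file_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1"
}

# check_cred_file PATH OWNER GROUP
# Returns 0 when PATH exists, is owned by OWNER:GROUP, is not group-writable
# and has no permission bits for "other"; prints each reason and returns 1
# otherwise.
check_cred_file() {
    path=$1; want_owner=$2; want_group=$3
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    set -- $(file_meta "$path")
    owner=$1; group=$2; mode=000$3
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    grp_bits=${mode%?}; grp_bits=${grp_bits#?}
    oth_bits=${mode#??}
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "$path: owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group is $group, want $want_group"; rc=1; }
    case $grp_bits in 2|3|6|7) echo "$path: group-writable (mode $mode)"; rc=1 ;; esac
    [ "$oth_bits" = 0 ] || { echo "$path: world-accessible (mode $mode)"; rc=1; }
    return $rc
}

# Audit the default database and key locations from the man page.
audit_securecreds() {
    bad=0
    check_cred_file /opt/msys/ecelerity/etc/credentials.db  root ecuser || bad=1
    check_cred_file /opt/msys/ecelerity/etc/credentials.key root ecuser || bad=1
    return $bad
}

# Entry point: run the audit when the script is invoked with "audit".
case ${1:-} in audit) audit_securecreds ;; esac
```

Run it as `sh audit.sh audit` on the node; a non-zero exit means at least one file deviates from the ownership or mode credmgr is expected to set.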