ADSM-L

Re: creating scripts running outside of TSM - password issue AN ANSWER

2002-06-16 08:17:04
Subject: Re: creating scripts running outside of TSM - password issue AN ANSWER
From: Zlatko Krastev/ACIT <acit AT ATTGLOBAL DOT NET>
Date: Sun, 16 Jun 2002 15:14:43 +0300
Paul,

as discussed many times on the list if you are paranoid enough this is
still not an answer - 'password=xxx' option is visible in `ps -ef` output
:-)

Zlatko Krastev
IT Consultant




Please respond to "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
Sent by:        "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
To:     ADSM-L AT VM.MARIST DOT EDU
cc:

Subject:        Re: creating scripts running outside of TSM - password issue AN ANSWER

The way I do it is create a script with rwx------ attributes.  This way only
root and myself can execute it or read it.  This is the Windows example:

@echo off
set key=%1
set parmin=%~f2
set rc=99
pushd \"program files"\tivoli\tsm\baclient\
dsmadmc -id=userid -password=password -displaymode=table %1 %parmin%
set rc=%errorlevel%
popd
echo Return Code from dsmadmc %rc%
rem Return the dsmadmc code as the exit code instead of overwriting the
rem built-in ERRORLEVEL variable
exit %rc%

This is the UNIX ksh example:

#!/usr/bin/ksh
key="$1"
parmin="$2"
rtc=99
dsmadmc -id=userid -password=password -displaymode=table $key $parmin
rtc=$?
echo Return Code from dsmadmc $rtc
exit $rtc

I also have a template version and a perl script that will randomly generate
a new password and issue a change password for itself and update the script
on a regular basis.  The userid is a special userid not the one that I use
on a daily basis.

This is the template:

#!/usr/bin/ksh
# This is the TSM Perl Macros Interface Script
key="$1"
parmin="$2"
rtc=99
dsmadmc -id=controlm -password=$$temppass -displaymode=table $key $parmin
rtc=$?
echo Return Code from dsmadmc $rtc
exit $rtc

This is the perl script to change the password:

#!/usr/bin/perl
#
# Random Password Generator and Change Facility for TSM Control-M Userid
#
# The purpose of this script is to allow the automation of password changes
# to a dsmadmc batch invocation script and the TSM Server.  The process
# uses a template file exactly like the current file to build the temporary
# file.  A random password is generated with the NGNN format.
#
# As the template is copied to the temporary file the string "$$temppass"
# is changed to the new 8 character password.
#
# Once everything is staged, an update of the TSM server administrator
# password is issued and the files are cascade renamed.  The current
# production file is renamed to a ".old" file and the temporary
# file is renamed to be the new production file.
#
# The file can be any type of ascii text file.  However, execution rights
# are not set by this script and must be done externally in the production
# job that executes this script.
#
# Invocation:      tsmadminpw.pl [input template file]
#                                [current production file]
#                                [userid of TSM administrator]
#
# Input Arguments:
#
#                  [input template file]
#                   This is a template file used to build the new production
#                   file.  Typically, it is an identical copy of the current
#                   production file except for a specification of $$temppass
#                   where password substitutions are to be made.
#
#                  [current production file]
#                   This is the current production file to be replaced by the
#                   updated template file.  The previous version of this file
#                   is renamed to ".old".  The current production file must
#                   exist and must be a script file to be executed to issue
#                   the "UPDATE ADMIN" command.  Typically, this is the
#                   dsmadmc.bat script.
#
#                  [userid TSM administrator]
#                   This is the userid of the TSM administrator in the current
#                   production file.  It is used to issue the "UPDATE ADMIN"
#                   command.
#
# Fetch the arguments into a list
#
@argin = @ARGV;
$numargs = scalar(@argin);
if ($numargs != 3)
   {print ("Input File, Output File, and Userid are Required\n");
    exit 99;
    }
else
   {$infile = $argin[0];       # scalar element access, not a one-element slice
    $outfile = $argin[1];
    $userid = $argin[2];
    print ("Template: ", $infile, "\n");
    print ("Output:   ", $outfile, "\n");
    }
if (!-e$infile)
   {print ("Template does not exist.\n");
    exit 99;
    }
if (!-e$outfile)
   {print ("Output File does not exist.\n");
    exit 99;
    }
#
# Setup the pattern arrays
#
@lista = ('B'..'D','F'..'H','J'..'N','P'..'T','V'..'Z');
#
# Build an all consonants 8 character password
#
# Note: rand() is not a cryptographically strong random number generator
$x=0;
do {$pw[$x] = $lista[int(rand (21))];
    } until $x++ == 7;
#
# Read the template script and write the run script
#
#  1)  Make sure the template script can be read and updated
#  2)  Make sure the output script can be opened in/out
#  3)  Execute the current script with a password update
#  4)  Write the new updated template to the output area
#
# Open the template file
#
if (!open (infile, '<'.$infile))
   {print ("Template could not be opened");
    exit 99;
    }
#
# Open the temporary output file
#
if (!open (outfile, '>'.$outfile.'.tmp'))
   {print ("Temporary output file could not be opened: ", $outfile.".tmp");
    close infile;
    exit 99;
    }
#
# Copy the records of the Template to the temporary output file
# Change the $$temppass to the new password
#
$pws = join('',@pw[0..7]);        # build the password string once, before the loop
while (<infile>)
   {$infile_rec = $_;
    $outfile_rec = $infile_rec;
    $outfile_rec =~ s/\$\$temppass/$pws/;
    print outfile ($outfile_rec);
    }
close infile;
close outfile;
#
# Build an UPDATE ADMIN command to change the password
#
$command = $outfile.' "update admin '.$userid.' password='.$pws.'"';
system($command);                                 # call the dsmadmc interface
$exit_value = $? >> 8;                            # shift to get the return code
if ($exit_value == 0)
   {print ("Update Successful for Admin Userid: ", $userid, "\n");
    }
else
   {print ("Update Unsuccessful for Admin Userid: ", $userid, "\n");
    exit $exit_value;
    }
# rename returns true on success and sets $! on failure; it does not set $?
if (rename($outfile, $outfile.'.old'))
   {if (!rename($outfile.'.tmp', $outfile))
       {print ("Rename .tmp to Current Failed: ", $!, "\n");
        exit 99;
        }
    }
else
   {print ("Rename Current to .old Failed: ", $!, "\n");
    exit 99;
    }
print ("File Renames Completed Successfully\n");
exit 0;

I changed the script to not reveal some security stuff at our site and have
not tested it, but it should work.

The reason I do things this way is we run both Windows and unix servers on
multiple platforms.  I write the OS piece in the little dsmadmc.bat and
interface to it from all my perl scripts which are written platform
independent.


Paul D. Seay, Jr.
Technical Specialist
Naptheon, INC
757-688-8180

