arsstash

Revision as of 15:58, 4 March 2017 by Jderrick (talk | contribs) (Initial draft of IBM CMOD arsstash article.)

The IBM CMOD arsstash command stores user credentials (User ID & Password) in an encrypted format, which meets many organizations' requirements for storing authentication information securely (i.e., not in plain-text files such as shell scripts, or in files protected only by operating system permissions). Stash files replace the arsload.cfg configuration file used in versions of IBM Content Manager OnDemand prior to V9.0.

arsstash can be used to store credentials for the arsload utility, OnDemand Report Distribution, LDAP, or database passwords. This allows automated scripts to access Content Manager OnDemand without having to store passwords in clear-text inside shell scripts or files.

Related Articles

IBM Knowledge Center - arsstash

ODUG Forums - OnDemand User Group - ars.stash usage

What is the stash file used for in IBM CMOD?

Criticism

The cryptographic methods used to protect the stash file aren't clearly documented in the IBM CMOD V9.0 documentation. It's unknown whether an attacker who obtained a copy of the stash file (either through access to a user account, or through a side channel such as stolen backup tapes) could decrypt it and use the credentials to access the CMOD server. Most production installs simply assign IBM CMOD System Administrator privileges to an 'ARSLOAD' user, or store the admin password in the stash file, so any compromise of the stash file would give an attacker total and complete control of the Content Manager OnDemand server.

Upgrading from arsload.cfg to ars.stash

In IBM CMOD V9.0 and higher, the arsload.cfg file is deprecated, and using it produces warnings on the system console and in the OnDemand System Log. Simply delete the existing arsload.cfg file, and follow the instructions for creating a new stash file.
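
An added example, not from IBM or the original article: a shell function that checks a directory tree for the two conditions raised in the Criticism and upgrade sections, a leftover arsload.cfg and a stash file reachable by accounts other than its owner. The *.stash name pattern and the directory argument are assumptions; arsstash -s accepts any stash file name.

```shell
#!/bin/sh
# Added example (not IBM or wiki code): audit a directory tree for CMOD
# credential files that are exposed or should no longer exist.
# Assumption: stash files are named *.stash (e.g. ars.stash); adjust the
# pattern to the name passed to "arsstash -s" at your site.
# Usage: audit_cmod_creds <dir>   returns 0 clean, 1 findings, 2 bad argument

audit_cmod_creds() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "ERROR not a directory: $dir" >&2
        return 2
    fi

    report=$(
        # arsload.cfg is deprecated in V9.0 and higher and should have been
        # deleted once the stash file was created.
        find "$dir" -type f -name 'arsload.cfg' -print | sed 's/^/LEGACY-CFG /'

        # Stash files with any group/other permission bit set. The OR list
        # is the portable spelling of GNU find's "-perm /077".
        find "$dir" -type f -name '*.stash' \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/EXPOSED-STASH /'

        # Stash files not owned by the account running the audit. Run it as
        # the account that owns the CMOD instance (site-specific).
        find "$dir" -type f -name '*.stash' ! -user "$(id -u)" -print |
            sed 's/^/FOREIGN-OWNER /'
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Because the stash file's encryption is undocumented, owner-only permissions limit who can copy it from the live system; the same restriction has to be applied separately to backups that contain it.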

arsstash parameters

Here is the online help for arsstash:

ARS1600I Usage: arsstash [-a <action>] [-c] -s <stash_file> -u <userid>
        Version:  9.5.0.6
        -a <action> Action to perform
           1 - Store the OnDemand userid and password (default)
           2 - Delete the OnDemand userid and password
           3 - Store the OnDemand userid and password for ARSLOAD
           4 - Store the OnDemand userid and password for ODF
           5 - Store the OnDemand userid and password for RDF
           6 - Store the OnDemand userid and password for PDD
           7 - Store the LDAP userid and password
           8 - Store the DB2 userid and password
           9 - Store the Oracle userid and password
               If no userid (-u) is given for actions 3 thru 9, then
               the currently assigned userid for the corresponding
               OnDemand command or database will be displayed
        -c Create stash file
        -s <stash_file> Stash file name
        -u <userid> Userid
        -1 <trace_file>  Trace file
        -2 <trace_level> Trace level

arsstash -a parameter

The -a parameter defines the action to be taken.