The IBM CMOD arsstash command stores user credentials (User ID & Password) in an encrypted format, which meets many organizations' requirements for storing authentication information securely (i.e., not in plain-text files like shell scripts, or in files protected only by operating system permissions). Stash files replace the arsload.cfg configuration file used in versions of IBM Content Manager OnDemand prior to V9.0.
arsstash can be used to store credentials for the arsload utility, OnDemand Distribution Facility, LDAP, or database passwords. This allows automated scripts (like scheduled jobs) to access Content Manager OnDemand without having to store passwords in clear-text inside shell scripts or files.
The cryptographic method(s) used to protect the stash file aren't clearly documented in the IBM CMOD V9.0 documentation. It's unknown whether an attacker who was able to obtain a copy of the stash file (either by obtaining access through a user account, or by a side-channel such as stolen backup tapes) could decrypt the stash file and use the credentials to access the CMOD server. Most production installs simply assign IBM CMOD System Administrator privileges to an 'ARSLOAD' user, or store the admin password in the stash file, so any compromise of the IBM CMOD stash file would give an attacker total and complete control of the Content Manager OnDemand server.
Upgrading from arsload.cfg to ars.stash
In IBM CMOD V9.0 and higher, using the arsload.cfg file is deprecated, and will produce warnings on the system console, and in the OnDemand System Log. Simply delete the existing arsload.cfg file, and follow the instructions for creating a new stash file.
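The exposure described above (a stash file readable through another user account, stray copies of it, or a leftover arsload.cfg) can be checked with a short audit script. This is an added example, not IBM's or this page's own code; the file name ars.stash, the single configuration directory passed as the first argument, and the function name audit_cmod_stash are assumptions.

```shell
#!/bin/sh
# Added example: audit a CMOD configuration directory for stash-file exposure.
# Assumption: the stash file is named ars.stash and sits in the directory
# passed as $1 next to any leftover arsload.cfg (adjust to your install).

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_cmod_stash() {
    dir=$1
    stash="$dir/ars.stash"
    findings=0

    if [ -L "$stash" ]; then
        # A symlink hides where the real credentials live; review the target.
        echo "SYMLINK $stash"
        findings=1
    elif [ ! -f "$stash" ]; then
        echo "MISSING $stash"
        findings=1
    else
        # Characters 5-10 of `ls -ld` output are the group and other mode bits.
        go_bits=$(ls -ld "$stash" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "PERMS $stash group/other=$go_bits"
            findings=1
        fi
    fi

    # Deprecated in V9.0 and higher; the page says to delete it after migrating.
    if [ -e "$dir/arsload.cfg" ]; then
        echo "LEGACY $dir/arsload.cfg"
        findings=1
    fi

    # Extra copies (ars.stash.bak, ars.stash.old, ...) widen the exposure.
    for copy in "$dir"/ars.stash?*; do
        [ -e "$copy" ] || continue
        echo "COPY $copy"
        findings=1
    done

    return "$findings"
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_cmod_stash "$1"
fi
```

Because the strength of the stash file's encryption is undocumented, treat file permissions and the number of copies (including backups) as the primary control, and run the check from a scheduled job so drift is caught.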
Here is the online help for arsstash:
ARS1600I Usage: arsstash [-a <action>] [-c] -s <stash_file> -u <userid>
    Version: 184.108.40.206
    -a <action>       Action to perform
                        1 - Store the OnDemand userid and password (default)
                        2 - Delete the OnDemand userid and password
                        3 - Store the OnDemand userid and password for ARSLOAD
                        4 - Store the OnDemand userid and password for ODF
                        5 - Store the OnDemand userid and password for RDF
                        6 - Store the OnDemand userid and password for PDD
                        7 - Store the LDAP userid and password
                        8 - Store the DB2 userid and password
                        9 - Store the Oracle userid and password
                      If no userid (-u) is given for actions 3 thru 9, then the currently assigned userid for the corresponding OnDemand command or database will be displayed
    -c                Create stash file
    -s <stash_file>   Stash file name
    -u <userid>       Userid
    -1 <trace_file>   Trace file
    -2 <trace_level>  Trace level
arsstash -a parameter
The -a parameter defines the action to be taken.
1. Stores an IBM CMOD User ID and password for use with arsdoc, arsadmin, and other Content Manager OnDemand commands.
2. Deletes a previously stored User ID and password combination from the arsstash file.
3. Stores an IBM CMOD User ID and password pair for use with the arsload command.
   - It is STRONGLY RECOMMENDED that you do not use the IBM CMOD Admin password with this option. Instead, create a new user, and assign it permission to add documents to specific Application Groups.
4. Stores a User ID & password for use with the IBM OnDemand Distribution Facility ("ODF").
5. Stores a User ID & password for use with the IBM CMOD Report Distribution Facility ("RDF").
   - The functionality of RDF has been integrated into ODF starting in Content Manager OnDemand v9.0.
6. Stores a User ID & password for use with PDD.
7. Stores a User ID & password for use with Lightweight Directory Access Protocol ("LDAP").
   - LDAP integration with CMOD allows you to authenticate passwords from a central repository.
8. On systems with remote databases or forced password authentication, stores the DB2 database User ID & password.
9. On systems with remote databases or forced password authentication, stores the Oracle database User ID & password.
If you don't specify the -u option with an action, OnDemand will display the currently assigned User ID stored in the stash file, and update the password.
Configuring ars.ini for ars.stash
After the stash file is created and contains the required credentials, you must configure IBM CMOD to use it by modifying the ars.ini configuration file to specify which stash file to use.
For more information about configuring stash files for multiple CMOD servers, see the ars.ini page.
arsstash environment variables
All of the parameters defined in the OnDemand ars.ini and ars.cfg files are used as 'Environment Variables'. You can replace these environment variables at any time by 'exporting' them from your UNIX/Linux shell:
This way, you can use an alternate User ID and password for any commands issued by the CMOD Administrator account on the interactive command line. This is useful for complying with regulatory and audit requirements for specific industries.