arsstash

From CMOD.wiki

The IBM CMOD arsstash command stores user credentials (User ID and password) in an encrypted format, which meets many organizations' requirements for storing authentication information securely (i.e., not in plain-text files like shell scripts, and not in files protected only by operating system permissions). Stash files replace the arsload.cfg configuration file used in versions of IBM Content Manager OnDemand prior to V9.0.

arsstash can be used to store credentials for the arsload utility, OnDemand Distribution Facility, LDAP, or database passwords. This allows automated scripts (like scheduled jobs) to access Content Manager OnDemand without having to store passwords in clear-text inside shell scripts or files.

Related Articles

IBM Knowledge Center - arsstash

ODUG Forums - OnDemand User Group - ars.stash usage

What is the stash file used for in IBM CMOD?

Parameters related to CMOD stash files in ars.cfg

Criticism

The cryptographic methods used to protect the stash file aren't clearly documented in the IBM CMOD V9.0 documentation. It's unknown whether an attacker who obtained a copy of the stash file (either through access to a user account, or by a side channel such as stolen backup tapes) could decrypt it and use the credentials to access the CMOD server. Most production installs simply assign IBM CMOD System Administrator privileges to an 'ARSLOAD' user, or store the admin password in the stash file, so any compromise of the IBM CMOD stash file would give an attacker total and complete control of the Content Manager OnDemand server.

Upgrading from arsload.cfg to ars.stash

In IBM CMOD V9.0 and higher, the arsload.cfg file is deprecated, and using it produces warnings on the system console and in the OnDemand System Log. Simply delete the existing arsload.cfg file, and follow the instructions for creating a new stash file.

arsstash parameters

Here is the online help for arsstash:

ARS1600I Usage: arsstash [-a <action>] [-c] -s <stash_file> -u <userid>
        Version:  9.5.0.6
        -a <action> Action to perform
           1 - Store the OnDemand userid and password (default)
           2 - Delete the OnDemand userid and password
           3 - Store the OnDemand userid and password for ARSLOAD
           4 - Store the OnDemand userid and password for ODF
           5 - Store the OnDemand userid and password for RDF
           6 - Store the OnDemand userid and password for PDD
           7 - Store the LDAP userid and password
           8 - Store the DB2 userid and password
           9 - Store the Oracle userid and password
               If no userid (-u) is given for actions 3 thru 9, then
               the currently assigned userid for the corresponding
               OnDemand command or database will be displayed
        -c Create stash file
        -s <stash_file> Stash file name
        -u <userid> Userid
        -1 <trace_file>  Trace file
        -2 <trace_level> Trace level

arsstash -a parameter

The -a parameter defines the action to be taken.

1
Stores an IBM CMOD User ID and password for usage with arsdoc, arsadmin, and other Content Manager OnDemand commands.
2
Deletes a previously stored User ID and password combination from the arsstash file.
3
Stores an IBM CMOD User ID and password pair for usage with the arsload command.
It is STRONGLY RECOMMENDED that you do not use the IBM CMOD Admin password with this option. Instead, create a new user, and assign it permission to add documents to specific Application Groups.
4
Stores a User ID & password for use with the IBM OnDemand Distribution Facility ("ODF").
5
Stores a User ID & password for use with the IBM CMOD Report Distribution Facility.
The functionality of RDF has been integrated into ODF starting in Content Manager OnDemand v9.0.
6
Stores a User ID & password for use with PDD.
7
Stores a User ID & password for use with Lightweight Directory Access Protocol (LDAP).
LDAP integration with CMOD allows you to authenticate passwords from a central repository.
8
On systems with remote databases or forced password authentication, store the DB2 database User ID & password.
9
On systems with remote databases or forced password authentication, store the Oracle database User ID & password.

If you don't specify the -u option with an action, OnDemand will display the currently assigned User ID stored in the stash file, and update the password.

Configuring ars.ini for ars.stash

After the stash file is created and contains the required credentials, you must configure IBM CMOD to use it by setting the stash file path in the ars.ini configuration file:

 SRVR_OD_STASH=/opt/IBM/ondemand/V9.5/config/ars.stash

For more information about configuring stash files for multiple CMOD servers, see the ars.ini page.

arsstash environment variables

All of the parameters defined in the OnDemand ars.ini and ars.cfg files are used as 'Environment Variables'. You can replace these environment variables at any time by 'exporting' them from your UNIX/Linux shell:

 export SRVR_OD_STASH=/home/odadmin/config/ars.stash

This way, you can use an alternate User ID and password for any commands issued by the CMOD Administrator account on the interactive command line. This is useful for complying with regulatory and audit requirements for specific industries.
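Because the stash file's encryption is undocumented (see Criticism), file-level exposure is worth checking on every server. The script below is an added example, not part of the original page or of IBM's tooling: it audits each SRVR_OD_STASH path in an ars.ini file, plus any exported override, for owner-only permissions and flags a leftover arsload.cfg. The function names, the FINDING output format, and the assumption that arsload.cfg sits beside ars.ini are illustrative.

```shell
#!/bin/sh
# Added example: audit stash files referenced by ars.ini. Stash files are
# created beforehand per the usage text above, e.g.
#   arsstash -a 3 -c -s <stash_file> -u <userid>

# Print a FINDING line if one stash file is missing or not owner-only.
check_stash_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "FINDING: $f: stash file missing"
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FINDING: $f: accessible beyond owner (group/other: $go_bits)"
    fi
}

# audit_stash_config INI_FILE: prints findings, returns 1 if there are any.
# Checks each SRVR_OD_STASH= path in INI_FILE, an exported SRVR_OD_STASH
# override, and a leftover arsload.cfg beside INI_FILE (assumed location).
# Paths containing whitespace are not handled.
audit_stash_config() (
    ini=$1
    out=$(
        paths=$(sed -n 's/^[[:space:]]*SRVR_OD_STASH=//p' "$ini")
        [ -n "$paths" ] || echo "FINDING: $ini: no SRVR_OD_STASH entry"
        for p in $paths ${SRVR_OD_STASH:-}; do
            check_stash_file "$p"
        done
        cfg=$(dirname "$ini")/arsload.cfg
        [ ! -e "$cfg" ] || echo "FINDING: $cfg: deprecated arsload.cfg present"
    )
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# Constructed demo: a throwaway config directory with a world-readable stash.
demo_dir=$(mktemp -d)
printf 'SRVR_OD_STASH=%s/ars.stash\n' "$demo_dir" > "$demo_dir/ars.ini"
: > "$demo_dir/ars.stash"; chmod 644 "$demo_dir/ars.stash"
audit_stash_config "$demo_dir/ars.ini" || echo "audit failed before hardening"
chmod 600 "$demo_dir/ars.stash"
audit_stash_config "$demo_dir/ars.ini" && echo "audit clean after chmod 600"
rm -rf "$demo_dir"
```

On a real server, point audit_stash_config at the installed ars.ini and run it as the account that owns the stash file; backups that capture the stash file need the same access restrictions.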