The way I do it is create a script with rwx------ attributes. This way only root and myself can execute it or read it. This is the Windows example:

@echo off
rem Wrapper around dsmadmc: %1 is the command, %2 an optional file parameter
set key=%1
set parmin=%~f2
set rc=99
pushd \"program files"\tivoli\tsm\baclient\
dsmadmc -id=userid -password=password -displaymode=table %1 %parmin%
set rc=%errorlevel%
popd
echo Return Code from dsmadmc %rc%
rem Hand the dsmadmc return code back to the caller
exit %rc%

This is the UNIX ksh example:

#!/usr/bin/ksh
# Wrapper around dsmadmc: $1 is the command, $2 an optional parameter
key="$1"
parmin="$2"
rtc=99
dsmadmc -id=userid -password=password -displaymode=table $key $parmin
rtc=$?
echo Return Code from dsmadmc $rtc
exit $rtc

I also have a template version and a perl script that will randomly generate a new password and issue a change password for itself and update the script on a regular basis. The userid is a special userid not the one that I use on a daily basis.

This is the template:

#!/usr/bin/ksh
# This is the TSM Perl Macros Interface Script
key="$1"
parmin="$2"
rtc=99
dsmadmc -id=controlm -password=$$temppass -displaymode=table $key $parmin
rtc=$?
echo Return Code from dsmadmc $rtc
exit $rtc

This is the perl script to change the password:

#!/usr/bin/perl
#
# Random Password Generator and Change Facility for TSM Control-M Userid
#
# The purpose of this script is to allow the automation of password changes
# to a dsmadmc batch invocation script and the TSM Server. The process
# uses a template file exactly like the current file to build the temporary
# file. A random password is generated with the NGNN format.
#
# As the template is copied to the temporary file the string "$$temppass"
# is changed to the new 8 character password.
#
# Once everything is staged, an update of the TSM server administrator
# password is issued and the files are cascade renamed. The current
# production file is renamed to a ".old" file and the temporary
# file is renamed to be the new production file.
#
# The file can be any type of ascii text file. However, execution rights
# are not set by this script and must be done externally in the production
# job that executes this script.
#
# Invocation: tsmadminpw.pl [input template file]
#                           [current production file]
#                           [userid of TSM administrator]
#
# Input Arguments:
#
#   [input template file]
#       This is a template file used to build the new production
#       file. Typically, it is an identical copy of the current
#       production file except for a specification of $$temppass
#       where password substitutions are to be made.
#
#   [current production file]
#       This is the current production file to be replaced by the
#       updated template file. The previous version of this file
#       is renamed to ".old". The current production file must
#       exist and must be a script file to be executed to issue
#       the "UPDATE ADMIN" command. Typically, this is the
#       dsmadmc.bat script.
#
#   [userid TSM administrator]
#       This is the userid of the TSM administrator in the current
#       production file. It is used to issue the "UPDATE ADMIN"
#       command.
#
use strict;
use warnings;
#
# Fetch the arguments into a list
#
my @argin = @ARGV;
my $numargs = scalar(@argin);
my ($infile, $outfile, $userid);
if ($numargs != 3)
   {print ("Input File, Output File, and Userid are Required\n");
    exit 99;
   }
else
   {$infile  = $argin[0];
    $outfile = $argin[1];
    $userid  = $argin[2];
    print ("Template: ", $infile, "\n");
    print ("Output: ", $outfile, "\n");
   }
if (!-e $infile)
   {print ("Template does not exist.\n");
    exit 99;
   }
if (!-e $outfile)
   {print ("Output File does not exist.\n");
    exit 99;
   }
#
# Setup the pattern arrays
#
my @lista = ('B'..'D','F'..'H','J'..'N','P'..'T','V'..'Z');
#
# Build an all consonants 8 character password
#
my @pw;
my $x = 0;
do
   {$pw[$x] = $lista[int(rand (21))];
   } until $x++ == 7;
# Join once, outside the copy loop, so it is set even for an empty template
my $pws = join('',@pw[0..7]);
#
# Read the template script and write the run script
#
# 1) Make sure the template script can be read and updated
# 2) Make sure the output script can be opened in/out
# 3) Execute the current script with a password update
# 4) Write the new updated template to the output area
#
# Open the template file
#
my ($in, $out);
if (!open ($in, '<', $infile))
   {print ("Template could not be opened\n");
    exit 99;
   }
#
# Open the temporary output file
#
if (!open ($out, '>', $outfile.'.tmp'))
   {print ("Temporary output file could not be opened: ", $outfile.".tmp", "\n");
    close $in;
    exit 99;
   }
#
# Copy the records of the Template to the temporary output file
# Change the $$temppass to the new password
#
while (<$in>)
   {my $infile_rec = $_;
    my $outfile_rec = $infile_rec;
    $outfile_rec =~ s/\$\$temppass/$pws/;
    print $out $outfile_rec;
   }
close $in;
close $out;
#
# Build an UPDATE ADMIN command to change the password
#
my $command = $outfile.' "update admin '.$userid.' password='.$pws.'"';
system($command);               # call the dsmadmc interface
my $exit_value = $? >> 8;       # shift to get the return code
if ($exit_value == 0)
   {print ("Update Successful for Admin Userid: ", $userid, "\n");
   }
else
   {print ("Update Unsuccessful for Admin Userid: ", $userid, "\n");
    exit $exit_value;
   }
#
# Cascade rename. rename returns false on failure and sets $!
# ($? only reflects the earlier system call)
#
if (rename ($outfile, $outfile.'.old'))
   {if (!rename ($outfile.'.tmp', $outfile))
       {print ("Rename .tmp to Current Failed: ", $!, "\n");
        exit 99;
       }
   }
else
   {print ("Rename Current to .old Failed: ", $!, "\n");
    exit 99;
   }
print ("File Renames Completed Successfully\n");
exit 0;

I changed the script to not reveal some security stuff at our site and have not tested it, but it should work. The reason I do things this way is we run both Windows and UNIX servers on multiple platforms. I write the OS piece in the little dsmadmc.bat and interface to it from all my perl scripts which are written platform independent.

Paul D. Seay, Jr.
Technical Specialist
Naptheon, INC
757-688-8180

-----Original Message-----
From: Chuck Lam [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 2:44 PM
To: [EMAIL PROTECTED]
Subject: creating scripts running outside of TSM - password issue

Hi,

I have TSM 4.1.4 running on AIX 4.3.3. Whenever I created scripts running outside of TSM, I needed to hardcode my admin account and its password within the TSM command to get it to run.
Although it is not a problem, because no one else has access to this TSM server at this point, it will be a security issue eventually. How do you folks get around this problem? Are there any other ways that I do not know of to get it to run without my hardcoded admin account's password?

TIA
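
An added example, not part of the original thread or of the poster's scripts: a Python sketch of the same template-and-rename rotation that creates the staged file owner-only (rwx------) at creation time, draws the password from the OS CSPRNG, and discards the staged file if the server update fails. The update_admin callback is a hypothetical stand-in for running the current wrapper with UPDATE ADMIN, and the file names in the demo are constructed.

```python
import os
import secrets
import tempfile

# Same 21-consonant alphabet as the Perl script; 21**8 is about 3.8e10
# combinations, so raise `length` where the server's password rules allow.
ALPHABET = "BCDFGHJKLMNPQRSTVWXYZ"
PLACEHOLDER = "$$temppass"

def new_password(length=8):
    """Draw each character from the OS CSPRNG rather than rand()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_wrapper(template, production, update_admin, length=8):
    """Stage, apply and swap in a new wrapper script; True on success.

    update_admin is a hypothetical callable(password) -> bool standing in
    for running the current wrapper with an UPDATE ADMIN command.
    """
    with open(template, encoding="ascii") as fh:
        text = fh.read()
    if PLACEHOLDER not in text:
        raise ValueError("template has no %s placeholder" % PLACEHOLDER)
    password = new_password(length)
    tmp = production + ".tmp"
    # O_EXCL refuses a pre-existing or symlinked .tmp; mode 0o700 is the
    # rwx------ from the post, set at creation so it is never wider.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    ok = False
    try:
        with os.fdopen(fd, "w", encoding="ascii") as out:
            out.write(text.replace(PLACEHOLDER, password))
        ok = update_admin(password)
    finally:
        if not ok:
            os.unlink(tmp)  # server unchanged: discard the staged secret
    if not ok:
        return False
    os.replace(production, production + ".old")  # cascade rename
    os.replace(tmp, production)
    return True

if __name__ == "__main__":
    d = tempfile.mkdtemp()  # constructed sample files
    tpl, prod = os.path.join(d, "tpl"), os.path.join(d, "dsmadmc.sh")
    for path, pw in ((tpl, PLACEHOLDER), (prod, "OLDPASSW")):
        with open(path, "w") as fh:
            fh.write("dsmadmc -id=controlm -password=%s\n" % pw)
    print(rotate_wrapper(tpl, prod, lambda pw: True))
```

On Windows the mode argument to os.open does not restrict access, so the file's ACL has to be set separately there.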