When executed within a script or a program, 'tacmd login' fails authenticating the users if the password is passed redirecting the standard input and the script is also redirecting the standard output (stdout) to a file.
'tacmd login' is always required before running CLI commands on TEMS.
This is true even when those operations are performed within a shell script, or a program.
Into the script, 'tacmd login' is invoked passing the userid and related password.
Anyway, when the 'tacmd login' is issued, the process list shows the password in clear text and this is a possible security exposure.
To avoid showing the password, it can be passed redirecting the standard input, from a file, e.g.:
opt/IBM/ITM/bin/tacmd login -s <servername> -u itmuser -p < opt/IBM/ITM/tmp/tmpfile
where tmpfile is a file containing the password in a single line.
This will avoid having the password showed in the process command text.
Anyway, the script containing this 'tacmd login' works fine only if it does not redirect the standard output.
If you invoke the script redirecting the standard output, e.g.:
./ITMscript.sh > output.log
then the 'tacmd login' fails authenticating the user and returns this error message:
KUIC00006E: The specified user name or password is incorrect.
The unexpected behavior is caused by a wrong parsing of the 'tacmd login' parameters when there is multiple input and output redirection.
Beside the error while invoking scripts outside ITM, this behavior will prevent the script to be used with 'Take Action', because in that case the standard output of the invoked scripts is automatically redirected to a file.
There is anyway an alternative method to run tacmd login within a script and get the needed parameters from a file.
Within the script or the program, instead of:
tacmd login -s <server> -u <user> -p < /file/containing/the/psw
that does not work if the script is invoked redirecting the output, you can use
cat <file_containing_all_the_parameters> | tacmd login -stdin
where <file_containing_all_the_parameters> contains a row like:
-s <servername> -u <itmuser> -p <password>
and any additional parameter you want to pass to 'tacmd login'.
In this way, the process command text will not show the invoked parameters, fixing the security exposure previously highlighted, but the 'tacmd login' will be able to authenticate the userid even if the script is invoked redirecting the output.
The parameter -stdin for 'tacmd login' is available from ITM V6.2.3.
Hope it helps
Subscribe and follow us for all the latest information directly on your social feeds: