IBM Security Privileged Identity Manager, Version 2.1.1

Providing managed credentials to a script

You can modify scripts to use the App ID Command Line Tool to retrieve managed credentials from the IBM® Security Privileged Identity Manager Server.

Procedure

  1. Copy the App ID Toolkit (ibmappid.jar) to a directory on the computer. For example: C:\IBM\ibmappid.jar
  2. Register the script. See Registering an Application Instance. Ensure that the application type is set to 2 (Script).

    The fingerprint of a script does not include information about the contents or the file location of the script.

    Any script that runs as the same user on the same computer is regarded by the fingerprinting function as the same instance.

    If you want to separate one script from another, specify a group name (-g) when you register the script. The same group name must be specified in Step 4 to retrieve credentials.

    For example: java -jar C:\IBM\ibmappid.jar register-first-instance -s pim.example.org -a SSHClient -n SSHClient@MaintServer -t 2 -g ssh-scripts

    Note: The implementation of fingerprinting and the definition of an application instance for licensing purposes are independent of each other. Entitlements must be purchased for any distinct script of an application that is managed by the program.
  3. Grant the script access to the credential that it needs. See Granting an application access to shared credentials on resources. For example, entitle the application SSH Client to the credential remote1 on the service unixsvr01.example.org.
  4. Run the App ID Command Line Tool in silent mode to verify that the script is able to get the credentials:

    java -jar C:\IBM\ibmappid.jar get-credential -s <PIM VA URL> -n <App Instance Name> -r <Resource Alias> -g <Group Name> -x

    For example: java -jar C:\IBM\ibmappid.jar get-credential -s pim.example.org -n SSHClient@MaintServer -r unixsvr01.example.org -g ssh-scripts -x

    If the command is successful, the tool exits with code 0 and prints the retrieved user name and password, separated by a new line. For example:

    remote1

    s3crEt

    If the tool encounters an error, the tool exits with a nonzero code and you see an error message. For example: CTGSAE018E There are no credential entitlements that can be used.

  5. Modify the script to get credentials from IBM Security Privileged Identity Manager.
    1. Identify the code in the script that contains hardcoded credentials.
       ...
       # Example Perl script with hardcoded credentials (the code to replace)
       my $username = "remote1";
       my $password = "s3crEt";

       $ssh->login($username, $password);
       ...
    2. Add a statement to run the App ID Command Line Tool from the script. Use the command that you validated in Step 4.
       ...
       # Build the command in a single-quoted string so that the backslashes in
       # the Windows path are kept as-is (in backticks, \I would be dropped), and
       # keep the whole command on one line when it is passed to the shell.
       my $cmd = 'java -jar C:\IBM\ibmappid.jar get-credential'
               . ' -s pim.example.org -n SSHClient@MaintServer'
               . ' -r unixsvr01.example.org -g ssh-scripts -x';
       my $output = `$cmd`;
       ...
    3. Add a statement to check the exit code of the command. If the command exits successfully, parse the output, and use the credentials.
       ...
       if ($? == 0) {
           # Silent mode prints the user name and the password on separate lines;
           # accept CRLF as well as LF line endings.
           my @credentials = split(/\r?\n/, $output);
           $ssh->login($credentials[0], $credentials[1]);
       } else {
           # On failure the output is the tool's error message, not a secret.
           # Use '.' for string concatenation; '+' would be numeric addition.
           print "Failed (exit code " . ($? >> 8) . "): $output\n";
       }
       ...
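The same flow for a script written in Python rather than Perl, as an added example that is not part of the IBM documentation: it builds the get-credential command validated in Step 4 as an argument list (so no shell parses the group or resource names), checks the exit code, and parses the two-line silent-mode output. The jar path and the `fake_runner` test double are assumptions made here so the parsing can be exercised without the real tool.

```python
import subprocess
from typing import Callable, Optional, Tuple

# Hypothetical path; use the directory chosen in Step 1.
APPID_JAR = r"C:\IBM\ibmappid.jar"

class CredentialError(Exception):
    """The tool exited nonzero or its output was not user name + password."""

def build_command(server: str, instance: str, resource: str,
                  group: Optional[str] = None, jar: str = APPID_JAR) -> list:
    # argv as a list: no shell parses it, so a group or resource name holding
    # spaces or metacharacters cannot change which command is run.
    cmd = ["java", "-jar", jar, "get-credential",
           "-s", server, "-n", instance, "-r", resource]
    if group:          # must match the -g used at registration (Step 2)
        cmd += ["-g", group]
    cmd.append("-x")   # silent mode: only user name and password on stdout
    return cmd

def parse_output(stdout: str) -> Tuple[str, str]:
    # Silent-mode output is the user name, a newline, then the password.
    # Accept CRLF as well, since the tool is often run from Windows scripts.
    lines = [l.rstrip("\r") for l in stdout.rstrip("\r\n").split("\n")]
    if len(lines) != 2 or not lines[0]:
        raise CredentialError("unexpected output: expected user name and password lines")
    return lines[0], lines[1]

def get_credential(server: str, instance: str, resource: str,
                   group: Optional[str] = None,
                   run: Optional[Callable] = None) -> Tuple[str, str]:
    if run is None:
        run = lambda argv: subprocess.run(argv, capture_output=True, text=True)
    result = run(build_command(server, instance, resource, group))
    if result.returncode != 0:
        # On failure the output is the tool's message (e.g. CTGSAE018E),
        # not a secret, so it can be reported; never log the success output.
        msg = (result.stdout + result.stderr).strip()
        raise CredentialError(f"exit code {result.returncode}: {msg}")
    return parse_output(result.stdout)

def fake_runner(returncode: int, stdout: str, stderr: str = "") -> Callable:
    # Test double (constructed here) standing in for the real tool offline.
    return lambda argv: subprocess.CompletedProcess(argv, returncode, stdout, stderr)
```

Call `get_credential(...)` with `run=None` in the real script; the returned tuple goes straight into the SSH login call in place of the hardcoded values.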