Creating technical user credential files

SSX provides a tool that you can use to create technical user credential files:

  • createTechUserCreds.exe on Windows
  • createTechUserCreds on UNIX

At a later stage, you can use the technical user credential files to search for and discover LDAP users securely on LDAP servers that do not support anonymous requests. With a default installation, this tool is available in the following directory:

  • Windows:

    C:\SoftwareAG\common\security\ssx\bin\

    Note:

    The tool may also be available in the ssx_32 directory (instead of ssx). This is only for backwards compatibility.

  • UNIX:

    /opt/softwareag/common/security/ssx/bin/

To start the createTechUserCreds tool, use a command prompt. When you start the tool, you enter a user name and a password, which are then encrypted and written to the result text file.

Although the key file is optional, you should always specify one to encrypt the technical user's password in the result. See Additional information about key files. If you do not use a key file, the result is still encrypted, but with a hardcoded standard key. In production environments, relying on the hardcoded key is a security risk.

To create a technical user credential file

  1. Set up the environment as described in Preparing the environment.
  2. Start the tool using the following command:
    createTechUserCreds -f result_file_name -k key_file_name -p password user_ID -o

    When you execute the tool without specifying an argument for the result file name, it still creates a text file with the corresponding technical user credentials. The file is created in the same directory in which you started the tool and has a predefined default name (techuser).

    To customize the parameters for invoking this tool, you can use a set of predefined optional arguments. The available arguments and their descriptions are as follows:

    Argument   Description
    -f         Provide a name for the result text file which contains the technical user credentials. If you do not use this argument, the tool creates a default result file.
    -k         Provide an alternative key file to encrypt the result text file that contains the technical user credentials. If you do not use this argument, the tool uses a default key. Relying on the default key is considered insecure.
    -p         Provide the password for the user_ID on the command line. If you do not use this argument, the tool interactively asks for the password. Using this argument is considered insecure, because the password is exposed in the command line.
    user_ID    Provide the full DN of the technical user on UNIX or the usual domain\user name tuple on Windows. Which form is required depends on the kind of LDAP server the connection is made to.
    -o         Overwrite existing technical user credentials without asking.
  3. Press ENTER.
    If -p is not provided, the tool asks you to provide the password. If -o is not provided, the tool asks for confirmation before overwriting an existing file.

Examples

The following examples show typical invocations of the tool, on Windows and on UNIX respectively:

createTechUserCreds.exe -f techUser.txt -k techuser.key DOM\admin

createTechUserCreds -f techUser.txt -k techuser.key cn=admin,dc=domain,dc=com

The tool creates a text file which contains the encrypted technical user credentials and stores it in the same directory in which you started it.

As a next step, you can provide the file to the configuration option techLdapUserCredFile (see the corresponding product documentation for more information). Do not forget to also provide the techLdapUserKeyFile option. See also Additional information about key files.
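The following wrapper script is an added example and is not part of SSX. It invokes createTechUserCreds on UNIX the way this page recommends: always with a key file (-k), never with the password on the command line (-p), and with the result file restricted to its owner. The SSX_BIN variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of SSX: invoke createTechUserCreds with a key file,
# without -p, and keep the resulting credential file owner-readable only.
# SSX_BIN and the function names are assumptions; the default path is the
# documented UNIX installation directory.
SSX_BIN="${SSX_BIN:-/opt/softwareag/common/security/ssx/bin}"

# Validate the inputs and print the argument list, one argument per line.
# Fails when the call would fall back to the hardcoded default key.
techuser_args() {
    result_file=$1; key_file=$2; user_id=$3
    if [ -z "$key_file" ] || [ ! -r "$key_file" ]; then
        echo "refusing: key file '$key_file' not readable; the default key is insecure" >&2
        return 1
    fi
    if [ -z "$result_file" ] || [ -z "$user_id" ]; then
        echo "refusing: result file name and user_ID (full DN on UNIX) are required" >&2
        return 1
    fi
    # No -p here: the tool prompts for the password, so it never lands in
    # the shell history or in process listings.
    printf '%s\n' -f "$result_file" -k "$key_file" "$user_id"
}

# Run the tool under a restrictive umask, then confirm the result file
# exists and tighten its mode to owner read/write only.
create_techuser_creds() {
    result_file=$1; key_file=$2; user_id=$3
    techuser_args "$result_file" "$key_file" "$user_id" >/dev/null || return 1
    (umask 077; "$SSX_BIN/createTechUserCreds" \
        -f "$result_file" -k "$key_file" "$user_id") || return 1
    if [ ! -f "$result_file" ]; then
        echo "result file '$result_file' was not created" >&2
        return 1
    fi
    chmod 600 "$result_file"
}

# Usage (interactive; the tool prompts for the password):
#   create_techuser_creds techUser.txt techuser.key 'cn=admin,dc=domain,dc=com'
```

Because -o is not passed, the tool still asks for confirmation before overwriting an existing credential file.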