In our environment all machines are linked to an LDAP server for authentication (AD in this case). You need to log on to machines with your personal credentials and use sudo to log on to a system account. This is a common practice and easily implemented in EM Cloud Control through ‘named credentials’. In my case I have several system accounts I need to be able to ‘sudo’ to, to perform actions like patching. So for every system account I created a named credential with the appropriate sudo properties.
When I change my AD password, my stored host credentials will not work and could even lock my global account. You can of course change the password in Cloud Control itself.
For one or two credentials, this is OK. But when you need to maintain more credentials it becomes tedious.
Luckily, EM Cloud Control comes with a powerful command-line utility called ‘emcli’. With ‘emcli’ you can script all your Cloud Control automation needs. It is built on Jython and is easy to use. So I created a script to modify all my named credentials of credential type HostCreds.
```python
# modifyPWHostCreds.py
#
# Who:  Tony van Esch
# What: script to change all your Named HostCred passwords
# Why:  When using personal host account linked to AD, there is always a pw policy.

from emcli import *
import sys

# Expect exactly two arguments: the EM admin account and the new host password.
if len(sys.argv) != 2:
    print "ERROR. Invalid Arguments (%i): %s " %(len(sys.argv),str(sys.argv))
    print "Usage: emcli @modifyPWHostCreds.py <your admin account> <new password for host credentials>"
    exit()

# sys.argv holds only the two script arguments here, as the length check above assumes.
emuser=sys.argv[0]
new_password=sys.argv[1]

# Point emcli at the OMS. EMCLI_TRUSTALL makes the client accept the OMS
# certificate without validating it.
set_client_property('EMCLI_OMS_URL','https://em.wh.nl:7802/em')
set_client_property('EMCLI_TRUSTALL','true')

login(username='%s' %(emuser))

# Only list the named credentials owned by this EM user.
nc=list_named_credentials(cred_owner=emuser.upper())

print "Modifying passwords for all your personal named hostCred credentials"
for cred in nc.out()['data']:
    # Skip everything that is not a host credential.
    if cred['Cred Type Name'] == 'HostCreds':
        print "Credential Name: %s" %(cred['Credential Name'])
        modify_named_credential(cred_name=cred['Credential Name'],attributes="HostPassword:%s" %(new_password) )
print "Done"
```
Update (2014-02-07): Added a filter on the credential list. Now only your personal credentials (the ones you created yourself) are updated. Of course your EM account should match your global (AD) account. But that speaks for itself.
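A variant of the password handling, added here as an example and not part of the author's script: it prompts for the new password instead of taking it from the command line, where it would end up in shell history and the process list, and it refuses a value that would split the `HostPassword:...` attributes string. The helper names, the sample rows, the `;` and `:` delimiter check and the availability of `getpass` in the emcli Jython session are assumptions.

```python
import getpass

HOST_CRED_TYPE = 'HostCreds'   # type name the script above filters on
DELIMS = (';', ':')            # assumed separators of the attributes string


def read_new_password(ask=getpass.getpass):
    """Prompt twice without echo so the password never appears in argv."""
    first = ask('New host password: ')
    if not first:
        raise ValueError('empty password')
    if first != ask('Repeat new host password: '):
        raise ValueError('passwords do not match')
    for ch in DELIMS:
        if ch in first:
            raise ValueError('password contains %r, which would split '
                             'the attributes string' % ch)
    return first


def select_host_creds(rows):
    """Names of the HostCreds rows in list_named_credentials output."""
    return [r['Credential Name'] for r in rows
            if r['Cred Type Name'] == HOST_CRED_TYPE]


def update_host_creds(rows, new_password, modify):
    """Call modify() once per host credential; return the names changed.

    Under emcli, pass modify_named_credential as `modify`.
    """
    updated = []
    for name in select_host_creds(rows):
        modify(cred_name=name, attributes='HostPassword:%s' % new_password)
        updated.append(name)
    return updated


# Constructed rows shaped like nc.out()['data'] in the script above.
SAMPLE_ROWS = [
    {'Credential Name': 'NC_ORACLE_SUDO', 'Cred Type Name': 'HostCreds'},
    {'Credential Name': 'NC_DB_SYS', 'Cred Type Name': 'DBCreds'},
    {'Credential Name': 'NC_GRID_SUDO', 'Cred Type Name': 'HostCreds'},
]

if __name__ == '__main__':
    calls = []
    update_host_creds(SAMPLE_ROWS, 'constructed-pw', lambda **kw: calls.append(kw))
    print([c['cred_name'] for c in calls])
```

Inside an emcli session the call would be `update_host_creds(nc.out()['data'], read_new_password(), modify_named_credential)` after `login(...)`.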