

How CLI Password Consumers Work

You can use CLI password consumers to replace hard-coded passwords in scripts with privileged account passwords. A CLI password consumer is a representation of a script that uses the acpwd utility to get, check out, or check in privileged account passwords. You also use CLI password consumers to let users run the acpwd utility from the command line on an endpoint. Understanding how CLI password consumers work helps you use the acpwd utility.

Note: To use the acpwd utility in a script or from the command line, you must first define the script or utility as a Software Development Kit (SDK/CLI) password consumer in CA ControlMinder Enterprise Management. The password consumer defines a list of users that are permitted to obtain the privileged account password.

The following process describes how CLI password consumers work:

  1. The acpwd utility on the endpoint is called in one of the following ways:
  2. The acpwd utility requests a privileged account password. The SAM Agent forwards the request to CA ControlMinder Enterprise Management for authorization.
  3. CA ControlMinder Enterprise Management sends the privileged account password to the endpoint. The SAM Agent displays the password or forwards the password to the originating program, and logs a confirmation message.
  4. You, a script or application server, or CA ControlMinder Enterprise Management checks the account password back in, and the SAM Agent logs a confirmation message.
  5. The SAM Agent logs a confirmation message that the check-in was successful.

    Note: A confirmation message with the number zero (0) indicates that the SAM Agent successfully retrieved, checked out, or checked in the password. For more information about the acpwd utility syntax, see the Reference Guide.