

Utilities

APS includes a number of command line utilities and other tools to help in the configuration, maintenance and testing of APS. This section describes those utilities. Other useful testing utilities are provided with the APS prerequisites (for example, SmPortalVfy). See the documentation for each subsystem for details of their use.

Every APS utility or tool that takes the LDAP administrator password (the -w option) now allows this password to be supplied in encrypted format. Use APSEncrypt to encrypt these passwords.

Each utility accepts, minimally, a command line switch of -? that can be used to display the utility's command line syntax. Those utilities that require command line options will display their syntax if run without them.

This section contains the following topics:

APSComplexity - Calculate Password Complexity

APSTestSettings - Check APS Configuration

APSEncrypt - Encrypt an Administrator Password

APSMailTest - Test Email Settings

APSPing - Test connectivity

APSVersion - Display Module Version Numbers

APSXlateTest - Test Translation Settings

SmCPW - Load Test Password Changes

APSForcePWChg - Set Force Password Change Flag

SmPortalVfy - Verify SmPortal Configuration

APSComplexity - Calculate Password Complexity

The password complexity algorithm used by APS may seem a little arcane. APS allows the user to fine-tune the scoring system that it uses.

Administrators can set the threshold, using the Complexity setting, that is required of all new passwords. Determining a value for this setting can be difficult, if not arbitrary.

APSComplexity is provided so that administrators can "get a feel" for the scoring mechanism, fine-tune it, and determine a proper setting for the required complexity.

APSComplexity is run with a single command line argument, the password to be analyzed. The utility will display the total complexity score and will also display how the score was determined.

APSComplexity is installed onto the SiteMinder BIN directory on a Policy Server and must be run from there (it requires access to the APS.cfg file).

APSTestSettings - Check APS Configuration

Modifying the APS Configuration File can be a daunting configuration task. When setting overrides are involved, the complexity is further increased. Add to that the fact that APS will use the most restrictive setting applicable, even if it is different from the most specific setting for the user. It can be very difficult to determine the exact setting that APS will use for a particular user.

APS is very consistent in how it handles configuration. It is very predictable. But it is easy for APS to wade through potentially hundreds of settings, determining limits, applicability and restrictiveness based on internal rules. It is not so easy for a human administrator.

APSTestSettings is provided to report the current configuration settings. Without a command line argument, APSTestSettings will report the default settings in effect. Output is grouped functionally. Each setting is flagged as to whether that setting supports overrides.

Command line arguments can be used to specify a particular user, in which case APSTestSettings will show the settings that are currently in effect for that user.

APSTestSettings calls into the APS libraries to obtain the settings. It does not use code separate from APS. Thus, barring output differences, APSTestSettings will always report what APS will actually see for a given user.

Command Line Options

-?

Show Help

-m[sel]

Mode selection: s = Settings Mode (default), e = Evaluator Mode, l = Lexer Mode

-q

Quiet (all modes)

-d

Show license detail (Settings Mode Only)

-#

Show line numbers (Settings Mode Only)

-r

Show attribute mappings (Settings Mode Only)

-c

Show complexity settings (Settings Mode Only)

-t

Show timings (All Modes)

-S<sections>

Explicitly control which sections are displayed (Settings Mode Only)

-u userpath

User path, such as LDAP://127.0.0.1/uid=erict,o=nds.com (Settings & Eval Modes Only)

macro=val

Context macro definitions (Settings & Eval Modes Only)

APSEncrypt - Encrypt an Administrator Password

To use certain features of APS, specifically the LDAP Rebind and Write back features, the APS Configuration File must contain an LDAP administrator's password. Putting this in the file in clear text may be considered a security problem at some sites.

APS will read the password setting from the file. If the value of the setting is encrypted, APS will decrypt it before use. If the setting is not encrypted, it will be used as the administrator password verbatim.

The APSEncrypt utility takes a password on the command line, encrypts it and outputs it to the screen. The result can then be copied and pasted into the APS Configuration File. Thus, LDAP administrator passwords will not appear in the configuration file in clear text.

Note that such encryption is only supported within the APS Configuration File. It is not supported by command line utilities.

There is no command line utility to decrypt resulting values.

APSMailTest - Test Email Settings

The APSMail library supports a utility called APSMailTest that can be used to test the CA Mail Service's capabilities when talking to your SMTP Mail server.

This utility can also be used to test the formats of your mail files.

APSPing - Test connectivity

APSPing, new with SmPortal 5.0, tests the connectivity between a client and a SiteMinder Policy Server. It is similar to the standard ping utility.

APSPing communicates using standard SiteMinder libraries to a library called APSTransponder, located on a SiteMinder Policy Server.

APSVersion - Display Module Version Numbers

Starting with APS Version 2.2 (and all of its supporting systems), every library and executable has a product and component version number embedded within it.

The APSVersion utility will display the version information for each module name provided on its command line. Wild cards are supported.

APSXlateTest - Test Translation Settings

This utility interactively allows you to test language translation. It is part of the APSXLate package and is documented there.

SmCPW - Load Test Password Changes

Prior to Version 3.0, a utility called SmCPWTest was provided for testing password changes from the command line. Starting in Version 3.0, this functionality has been merged with SmCPW itself.

SmCPW is the CGI interface for user password changes. If run from the command line, it can also do password changes and is useful for testing APS.

SmCPW can detect whether it is running under a Web Server.

If run with no arguments or just language arguments (-L and/or -C), SmCPW will act as it does under a Web Server satisfying a GET action: it will produce the HTML required for the default form (using the language identifiers, if specified).

If invoked with a User Path, old password and new password, it will post the password change through the APS API and display the result (without any HTML wrapped around the resulting message).

The format of the command (when run from the command line) is:

SmCPW <options> <userpath> <oldpassword> <newpassword>

<options> include:

-L <language>

Indicates the desired language code (as the ISO abbreviation). "EN" is the default.

-C <country>

Indicates the desired country code (as the ISO abbreviation).

-Q <qualifier>

Indicates the qualifier to use for the API calls (useful for testing to multiple Policy Servers from a single client without changing SmPortal.cfg).

The <userpath> must be in the format LDAP://<server>/User DN for LDAP users, WinNT://<server>/<userid> for Windows NT users and ODBC://<server>/<userid> for ODBC users.

SmCPW uses SmPortal to communicate with the Policy Server. It can be run on any machine where SmPortal is installed and properly configured. Neither it nor SmPortal require a Web Server or SiteMinder Web Agent.
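The following is an added example, not code from the APS or SmCPW product, showing how a command-line load test of password changes can be prepared from the syntax above: it validates each userpath against the three documented forms (LDAP://, WinNT://, ODBC://), builds the `SmCPW <options> <userpath> <oldpassword> <newpassword>` command line, and rejects malformed batch lines before anything is run. The tab-separated batch format, the user names and the "PS2" qualifier are this example's own assumptions; SmCPW itself is never invoked here.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Added example: builds SmCPW command lines for command-line password-change
# testing. Not part of APS or SmCPW; the tab-separated batch format used below
# is this example's own convention, and SmCPW itself is never executed here.

class UserPath(NamedTuple):
    provider: str  # "LDAP", "WinNT" or "ODBC"
    server: str    # the <server> part between "//" and the next "/"
    subject: str   # User DN for LDAP, <userid> for WinNT and ODBC

# The three userpath forms documented for SmCPW; the scheme is matched exactly as written.
_USERPATH_RE = re.compile(r"^(LDAP|WinNT|ODBC)://([^/]+)/(.+)$")

def parse_userpath(userpath: str) -> UserPath:
    """Split a userpath into its parts, rejecting anything not in one of the three forms."""
    m = _USERPATH_RE.match(userpath)
    if not m:
        raise ValueError(f"unrecognised userpath: {userpath!r}")
    provider, server, subject = m.groups()
    # An LDAP userpath carries a DN, so at least one attribute=value pair is expected.
    if provider == "LDAP" and "=" not in subject:
        raise ValueError(f"LDAP userpath must end in a DN: {userpath!r}")
    return UserPath(provider, server, subject)

def build_smcpw_argv(userpath: str, old_password: str, new_password: str,
                     language: Optional[str] = None, country: Optional[str] = None,
                     qualifier: Optional[str] = None) -> List[str]:
    """argv for one change: SmCPW <options> <userpath> <oldpassword> <newpassword>."""
    parse_userpath(userpath)  # fail early on a malformed path
    argv = ["SmCPW"]
    if language:
        argv += ["-L", language]
    if country:
        argv += ["-C", country]
    if qualifier:
        argv += ["-Q", qualifier]  # target another Policy Server without editing SmPortal.cfg
    return argv + [userpath, old_password, new_password]

def plan_batch(lines: List[str], qualifier: Optional[str] = None
               ) -> Tuple[List[List[str]], List[Tuple[int, str]]]:
    """Turn lines of 'userpath<TAB>oldpassword<TAB>newpassword' into argv lists.
    Returns (argv_lists, rejects); rejects are (line_number, reason) pairs."""
    plans: List[List[str]] = []
    rejects: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            rejects.append((lineno, "expected 3 tab-separated fields"))
            continue
        try:
            plans.append(build_smcpw_argv(fields[0], fields[1], fields[2], qualifier=qualifier))
        except ValueError as exc:
            rejects.append((lineno, str(exc)))
    return plans, rejects

# Constructed batch input (hypothetical users and servers, not from the documentation).
SAMPLE_BATCH = [
    "# userpath<TAB>oldpassword<TAB>newpassword",
    "LDAP://127.0.0.1/uid=erict,o=nds.com\tOldPass1\tNewPass2",
    "WinNT://pdc01/erict\tOldPass1\tNewPass2",
    "ODBC://sqlusers/erict\tOldPass1\tNewPass2",
    "LDAP://127.0.0.1/erict\tOldPass1\tNewPass2",                # no DN after the server
    "HTTP://127.0.0.1/uid=erict,o=nds.com\tOldPass1\tNewPass2",  # unsupported scheme
]

if __name__ == "__main__":
    plans, rejects = plan_batch(SAMPLE_BATCH, qualifier="PS2")
    for argv in plans:
        print(" ".join(argv))
    for lineno, reason in rejects:
        print(f"line {lineno} rejected: {reason}")
```

Running the script prints the three valid command lines and reports lines 5 and 6 as rejected. The rejected lines are worth catching up front: a malformed userpath sent to SmCPW would otherwise show up only as a failed change in the load test results.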

APSForcePWChg - Set Force Password Change Flag

The APSForcePWChg utility allows the setting of the smapsImmediateChange attribute in an LDAP directory for specified users.

This program accepts one or more LDAP Distinguished Names (DNs) and sets the flag for each supplied DN. The program was designed to accept either one DN per line or a standard LDIF file.

Technically, this utility is no longer needed, since the APS Blob no longer exists. However, it is useful for bulk loaders and many sites have tied in user maintenance utilities to set the flag. It is, then, provided for backwards compatibility.

The command line arguments for this utility are as follows. Command line switches are case-sensitive. The space between the command line switch and its argument is optional.

-v

Verbose mode. Additional messages will be output to the console (and can be captured using output redirection).

-n

Produce the report, but don't actually perform any updates.

-a <attr>

Blob attribute for APS ("audio" assumed). No longer used.

-h <host>

The LDAP server name or IP address. The default is 127.0.0.1, which indicates the current machine.

-p <port>

The LDAP server TCP port number. The default is 389, the default LDAP port.

-D <binddn>

The Administrator DN to use to log into the LDAP directory. It defaults to cn=Directory Manager.

-w <password>

The password associated with the binddn. There is no default. This value can be supplied in encrypted form, as supplied by APSEncrypt.

-H

Display usage information (help text)

-c

Continuous mode (do not stop on errors)

-f <file>

Read modifications from the specified file instead of standard input

-e <rejectfile>

Save rejected entries in rejectfile
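The following is an added example, not part of APS or the APSForcePWChg utility. It prepares the utility's input: it reads either of the two accepted forms (one DN per line, or a standard LDIF file, including base64 `dn::` values and continuation lines), removes duplicate DNs, and assembles the command line with `-n` switched on by default so the report can be checked before any update is made. The sample DNs, file names and the `<output of APSEncrypt>` placeholder for the `-w` value are this example's own assumptions.

```python
import base64
from typing import List, Optional

# Added example: prepares input for APSForcePWChg. It is not part of APS; it
# only normalises the two input forms the utility accepts (one DN per line, or a
# standard LDIF file) into a plain DN list and assembles a dry-run command line.

def extract_dns(text: str) -> List[str]:
    """Return the DNs from either a DN-per-line file or an LDIF file.

    LDIF handling covers 'dn:' lines, base64 'dn::' lines and continuation lines
    (a leading space). Other LDIF attribute lines are ignored."""
    lines = text.splitlines()
    if not any(line.startswith("dn:") for line in lines):
        # Plain form: every non-blank, non-comment line is a DN.
        return [line.strip() for line in lines
                if line.strip() and not line.lstrip().startswith("#")]

    dns: List[str] = []
    pending: Optional[List] = None  # [is_base64, accumulated_value]
    for line in lines + [""]:  # the trailing "" flushes the last pending dn
        if line.startswith(" ") and pending is not None:
            pending[1] += line[1:]  # LDIF continuation line
            continue
        if pending is not None:
            is_b64, value = pending
            dns.append(base64.b64decode(value).decode("utf-8") if is_b64 else value.strip())
            pending = None
        if line.startswith("dn::"):
            pending = [True, line[4:].strip()]
        elif line.startswith("dn:"):
            pending = [False, line[3:].strip()]
    return dns

def dedupe(dns: List[str]) -> List[str]:
    """Drop repeated DNs (case-insensitive compare) while keeping first-seen order."""
    seen = set()
    out: List[str] = []
    for dn in dns:
        key = dn.lower()
        if key not in seen:
            seen.add(key)
            out.append(dn)
    return out

def build_forcepwchg_argv(dn_file: str, encrypted_password: str, host: str = "127.0.0.1",
                          port: int = 389, binddn: str = "cn=Directory Manager",
                          dry_run: bool = True, reject_file: Optional[str] = None) -> List[str]:
    """Assemble the APSForcePWChg command line. -n (report only) is on by default so
    the DN list can be reviewed before any directory update is performed."""
    argv = ["APSForcePWChg"]
    if dry_run:
        argv.append("-n")
    argv += ["-h", host, "-p", str(port), "-D", binddn, "-w", encrypted_password, "-f", dn_file]
    if reject_file:
        argv += ["-e", reject_file]
    return argv

# Constructed samples (hypothetical DNs; not taken from the documentation).
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "dn: uid=erict,o=nds.com",
    "objectClass: person",
    "",
    "dn:: " + base64.b64encode(b"uid=test,o=nds.com").decode("ascii"),
    "objectClass: person",
    "",
    "dn: uid=longname,ou=a very long organisational unit",
    " ,o=nds.com",
    "objectClass: person",
])
SAMPLE_PLAIN = "# one DN per line\nuid=erict,o=nds.com\n\nUID=ERICT,o=nds.com\nuid=test,o=nds.com\n"

if __name__ == "__main__":
    for dn in dedupe(extract_dns(SAMPLE_LDIF) + extract_dns(SAMPLE_PLAIN)):
        print(dn)
    print(" ".join(build_forcepwchg_argv("dns.txt", "<output of APSEncrypt>",
                                         reject_file="rejects.txt")))
```

Writing the deduplicated list to a file and running the printed `-n` command line first gives a report of exactly which entries would be flagged; dropping `-n` (dry_run=False) then performs the update, with `-e` keeping any rejected entries for review.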

Note the following:

SmPortalVfy - Verify SmPortal Configuration

SmPortalVfy is a new utility supplied with SmPortal/SmTransact Version 5.0. It tests the validity of the entire SmPortal.cfg file.

It requires no command line arguments.

It can be run either from the command line or under a web server (it does not require a SiteMinder Web Agent, nor does it need to be protected, though we recommend that it be protected if it will be exposed).