Use the secedit utility in DX UIM to recover or modify the hub security.cfg

Article ID: 43713

Products

  • DX Unified Infrastructure Management (Nimsoft / UIM)
  • Unified Infrastructure Management for Mainframe
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)

Issue/Introduction

  • The security.cfg file contains all security data: users, passwords, ACLs and probe permissions.
  • All hubs have a security.cfg file and all hubs sync to the highest version number.  You can see this version number at the top of your security.cfg.
  • It is sometimes necessary to recover a security.cfg file, for example after corruption, OR to add back sections that have been removed or have disappeared from the file for some unknown reason.
  • It is also a best practice to back this file up regularly. If you have a backup of your security.cfg file, you can use this procedure to recover a corrupt security.cfg for your hub.

Environment

CA UIM (NMS) version 7.x or higher

Resolution

BEFORE STARTING: Make sure the controller does not have the option set for strict IP binding (strict_ip_binding). Command-line tools such as secedit require the robot to respond on the 127.0.0.1 IP. If strict IP binding is enabled, the secedit tool cannot log in, you will get multiple prompts to log in, and this process will fail!

1.   Close any open clients such as Infrastructure Manager, and any nas, other probe or probe log windows. Kill any leftover Infrastructure Manager client application processes using Windows Task Manager.

2.   Copy secedit7.exe (attached to this KB Article) to the hub folder on the Primary hub (CA UIM/Nimsoft Server).

       a) Using Services.msc, Stop the Nimsoft Robot Watcher Service.

       b) Create a 'backup' folder within the hub folder.

NOTE: If you do not KNOW the administrator password or it is not working, use the Move option below; otherwise use the Copy option:

Move Option: MOVE the hub security.* files (security.bak, security.cfg, and security.dta) into the backup folder.

Copy Option: Copy the hub security.* files (security.bak, security.cfg, and security.dta) into the backup folder.

       c) In the hub folder, remove the hubs.sds and robot.sds files.

* Note: IF the hub security.* files are getting updated (overwritten) when you start up the Robot service again, you may first have to disable all Inbound firewall rules related to the DX UIM/Nimsoft application and/or disable broadcast and/or tunneling.

       d) Start the Nimsoft Robot watcher service.

NOTE: The next two sections ONLY apply if you used the MOVE option above.

       e) Log in to IM. It will prompt you to initialize security; select Yes.

Initialize Security is the same as: "Remove the security.cfg, then try to log in with IM and you will be prompted to set an administrator password."

       f) Enter a NEW password for the NimBUS (UIM) administrator and click Ok.

Do NOT log in IF the IM client 'prompts' you; just move on to the next step below.

3.   Next, open a command prompt using 'Run as administrator' and run secedit7.exe.

Enter 'administrator' for the Login and enter the administrator password. This is the same login and password you just used to log in to the Infrastructure Manager.

 

4.   This creates and opens a notepad.txt file containing the security information.

5.   Replace the password with a known encrypted password for the administrator account, OR replace the file contents with the full contents of your security.cfg backup,
      OR, if you know of any specific configuration adjustments that need to be made, make them (e.g., add missing sections, users, etc.). Be very careful not to add any additional spaces, tabs or other characters.

Note also that at the top of the file you will see the version, e.g.,

<setup>
    version = 0095
    expire = 21600
    ignore_ip = no
    auth_mode = 0
    signature = <signature>
    domain = <UIM_domain>
    trusted_ips =
</setup>


This version number MUST be the highest version number in your environment, otherwise, when the hub connects, the security.cfg may get overwritten by another hub’s security file.

You can check the security.cfg files on your remote/secondary hubs to be certain, or set the number much higher than the current hub's.

6.   Click File -> Save, to Save the notepad security.txt file and then close the window. The secedit window will also close automatically.

7.   Restart the Nimsoft Robot Watcher service.

8.   Log in to Infrastructure Manager and verify the configuration changes, ACLs, users, etc.

9.   If everything checks out, make sure you re-enable any hub or firewall settings, mentioned above or otherwise, that you disabled to prevent the security file from being overwritten.

Additional Information

Note that under normal circumstances, you do not have to change the version of the security file. This is automatically set when the security file is created and increases every time a change is made. That said, MAKE SURE that you are using the most current version of the security.cfg file. The new file MUST contain a version higher than the current version otherwise a remote/secondary hub, once connected to the primary, may overwrite it, hence you will lose any changes.
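A pre-save check for the two rules stated above (the edited file must carry a version higher than any other hub's, and an edit must not introduce stray spaces or tabs), given here as an added example that is not part of the original article or of the secedit tool. It assumes the text shown in Notepad and the backup text are available as strings; `parse`, `whitespace_only_changes` and `review` are hypothetical names, and the sample is the <setup> block shown in this article.

```python
import re

OPEN = re.compile(r"^<([^/<>][^<>]*)>$")          # <section>
CLOSE = re.compile(r"^</([^<>]+)>$")              # </section>
KEY_VALUE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")  # key = value

# Constructed sample: the <setup> block from this article, used as the backup copy.
BACKUP = """<setup>
    version = 0095
    expire = 21600
    ignore_ip = no
    auth_mode = 0
    signature = <signature>
    domain = <UIM_domain>
    trusted_ips =
</setup>
"""

def parse(text):
    """Return (version from <setup> or None, list of section-nesting problems)."""
    stack, version, problems = [], None, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if m := CLOSE.match(line):
            if stack and stack[-1] == m.group(1):
                stack.pop()
            else:
                problems.append(f"line {number}: unexpected </{m.group(1)}>")
        elif m := OPEN.match(line):
            stack.append(m.group(1))
        elif (m := KEY_VALUE.match(line)) and stack == ["setup"] and m.group(1) == "version":
            version = int(m.group(2)) if m.group(2).isdigit() else None
    return version, problems + [f"section <{name}> is never closed" for name in stack]

def whitespace_only_changes(backup, edited):
    """Line numbers in the edit that match a backup line except for spaces or tabs."""
    original = set(backup.splitlines())
    normalized = {" ".join(line.split()) for line in original}
    return [n for n, line in enumerate(edited.splitlines(), start=1)
            if line not in original and " ".join(line.split()) in normalized]

def review(backup, edited, other_hub_versions):
    """Problems to fix before saving; other_hub_versions are collected by hand."""
    version, problems = parse(edited)
    if version is None:
        problems.append("no numeric version key in <setup>")
    elif other_hub_versions and version <= max(other_hub_versions):
        problems.append(f"version {version} is not higher than {max(other_hub_versions)} on another hub")
    return problems + [f"line {n}: whitespace differs from backup"
                       for n in whitespace_only_changes(backup, edited)]
```

An empty list from `review` means the edited text has balanced sections, no whitespace-only drift from the backup, and a version above every value supplied for the other hubs.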

Please download the secedit7.zip file attached to this article.

Further troubleshooting information:
If you still cannot log in and you see a prompt like this when using secedit:

d:\Program Files\Nimsoft\hub>secedit7
This utility lets you change the security.cfg file in notepad.
Make sure that no one is modifying the configuration while you edit it.

Login as administrator.
Login....: administrator
Password.: **********
Login failed!

...and/or you see the following prompt in the Infrastructure Manager (IM), even for correct passwords and usernames (the same applies to LDAP access):

 "The user name or password is incorrect. Letters must be typed using the correct case. Make sure the Caps Locks is not accidentally on"

Then, on the primary or remote hub you're trying to log in to, check the hub.cfg <hub> section and make sure that the login parameter is NOT set to nobody, e.g.,

   login = nobody

Instead it should be set to normal.

   login = normal

If it is set to nobody, take the following steps:

- Log in to the hub
- Deactivate the hub robot (controller) service
- Edit the hub.cfg and set
     login = normal
- Activate the hub robot

You should then be able to log in with no problem/error.

When the notepad opens up containing the contents of the security.cfg file, you can change/edit the file safely, e.g., overwrite the encrypted password with a 'known' password, or restore the entire file from the copy of the security.bkp.

Start the Nimsoft Robot Watcher on the other hubs.

 

UIM - secedit tool for Linux
https://knowledge.broadcom.com/external/article?articleId=201384

Attachments

1560194550637__secedit70.zip
1558534599448TEC1201257.zip