Focal Point
[CLOSED] CMRUN Command

This topic can be found at:
http://forums.informationbuilders.com/eve/forums/a/tpc/f/1381057331/m/7367053086

January 19, 2016, 09:29 AM
TheDarkKnight
[CLOSED] CMRUN Command
The CMRUN is exposing the actual user id and password arguments in a ps -ef listing even if the calling script is using variables that are being read from a protected file. Has anyone been able to properly secure the password from being viewed in a process listing when CMRUN is run on Linux/UNIX systems?

January 19, 2016, 04:07 PM
Waz
You can use -SET &ECHO=OFF, and set MSG=OFF and SET EMGSRV=OFF, to lock down the WebFOCUS part.


Waz...

Prod: WebFOCUS 7.6.10/8.1.04
Upgrade: WebFOCUS 8.2.05
OS: Linux
Outputs: HTML, PDF, Excel, PPT
In Focus since 1984
Know The Code

January 19, 2016, 04:52 PM
TheDarkKnight
Thanks for the quick response, Waz! Your suggestion was attempted by placing them in the profile for the account running the command and it didn't work on our end. Where specifically do you place the suggested options? BTW - running SUSE Linux 11 and using version 8.0.08 Data Migrator server.
January 19, 2016, 04:59 PM
Waz
I would put it in the fex with the CMRUN command.

If you have a generic fex that is included everywhere, then put it in there.

All depends on what you want to lock down.



January 20, 2016, 02:01 PM
Clif
Note that CMRUN is a program compiled for each platform and can be run from the command line, or from a shell script or bat file. There's no need to call it from a focexec. So I don't quite follow Waz's comments.

It would be helpful to include an example of your script. It took me a bit to figure out what you are doing. If you don't wait for the flow to complete you won't see cmrun in the process listing. So I'm guessing you did something like this:
  
$ export EDAHOME=/ibi/srv77/home
$ export LD_LIBRARY_PATH=$EDAHOME/bin
$ $EDAHOME/bin/cmrun.out s=lnxx64r5, u=edachk, p=password, r=flow01, w=1 & ps -ef | grep cmrun

 Run (    1) Connecting to 'lnxx64r5' as 'edachk'
edachk    6927 13181  0 13:19 pts/57   00:00:00 /ibi/srv77/home/bin/cmrun.out s=lnxx64r5, u=edachk, p=password, r=flow01, w=1
edachk    6929 13181  0 13:19 pts/57   00:00:00 grep cmrun
/prog/edachk$  Run (    2) DM Manager Server: Version 7, Release 7
(ICM18016) Request  /flow01  submitted. Please, wait for request to complete.
(ICM18762) Job ID: 20160120131921_fbc75b8e
(ICM18763) Request  /flow01 complete

It does indeed show the command line with the password. However, in the current production Release 7.7.07 (aka 8.1) you store the password in an external file, which can be protected, and refer to the file containing the password instead of the password. For example, using a file in the current directory called "credentials" that contains the password:

 $ $EDAHOME/bin/cmrun.out  u=edachk, s=lnxx64r5, x=credentials, r=flow01, w=1 & ps -ef | grep cmrun
[1]     9131
edachk    9131 13181  0 13:55 pts/57   00:00:00 /ibi/srv77/home/bin/cmrun.out u=edachk, s=lnxx64r5, x=credentials, r=flow01, w=1
edachk    9133 13181  0 13:55 pts/57   00:00:00 grep cmrun

 Run (    1) Connecting to 'lnxx64r5' as 'edachk'
/prog/edachk$  Run (    2) DM Manager Server: Version 7, Release 7
 (ICM18016) Request  /flow01  submitted. Please, wait for request to complete.
 (ICM18762) Job ID: 20160120135528_97b5fce0
 (ICM18763) Request  /flow01 complete

I see that you are using WF Release 8.0, which is equivalent to DataMigrator Release 7.7.05, first available in January 2013. So that you can use this new functionality, please upgrade to the current production Release 7.7.06 or 8.1.

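As an added example (not code posted by anyone in this thread, and not part of CMRUN): a shell check that flags process-listing lines where cmrun was started with an inline p= argument, and verifies that a file passed via x= has no group or other access. The function names are hypothetical, the owner-only permission policy is an assumption, and the sample lines are the ps output shown in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of CMRUN.

# True if a process-listing line shows cmrun started with an inline p= argument.
cmrun_exposes_password() {
    printf '%s\n' "$1" | grep -Eq 'cmrun.*[[:space:],]p=[^,[:space:]]'
}

# Read a process listing on stdin and print how many lines expose a password.
count_exposed() {
    n=0
    while IFS= read -r line; do
        if cmrun_exposes_password "$line"; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# True if the file named by x= is a regular file with no group/other access.
# Assumption: owner-only permissions are the intended protection for the file.
cred_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld -- "$1" | awk '{print $1}')
    case "$perms" in
        -???------+*) return 1 ;;  # extra ACL entries may grant access
        -???------*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# Sample listing: the cmrun-related ps lines shown in the thread.
SAMPLE_PS='edachk    6927 13181  0 13:19 pts/57   00:00:00 /ibi/srv77/home/bin/cmrun.out s=lnxx64r5, u=edachk, p=password, r=flow01, w=1
edachk    6929 13181  0 13:19 pts/57   00:00:00 grep cmrun
edachk    9131 13181  0 13:55 pts/57   00:00:00 /ibi/srv77/home/bin/cmrun.out u=edachk, s=lnxx64r5, x=credentials, r=flow01, w=1'

printf 'exposed cmrun invocations: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PS" | count_exposed)"
```

On a live host, pipe the output of ps -ef into count_exposed and run cred_file_is_private against the file named in x= before the job is scheduled.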