FMS Tools and Utilities: fmsconf
Command-line utility to administer and report on the FMS server. It permits an administrator to send commands to FMS servers remotely or locally, and can be used to script server administration tasks without user intervention or to build customised server management utilities with functionality similar to the FMC.
By default fmsconf connects with the user name admin and the password admin. These defaults are only for initial setup: create a dedicated administrator account and password, as described in the Section called Admin User Creation in the Chapter called Configuring FMS, before the administration listener is reachable from anywhere but the local machine, and supply the real credentials with -u/-p or with the ADMINUSER/ADMINPASS environment variables described below.
The following commands may be supplied with the fmsconf '-x admin_command' option:
__FMS_Admin_Version. Return the server version.
__FMS_Admin_ReloadConfigurations. Instruct the server to reload the configuration. This command is used when a new configuration must be reloaded without restarting the FMS server. All active messaging sessions are completed before any reload.
__FMS_Admin_GetConfiguration. Retrieve the configuration from the server. This command is used to retrieve an FMS server configuration.
__FMS_Admin_ReloadConnections. Instruct the server to reload any changes to the connection configuration. This command is used when a new configuration file with updated connection settings must be activated without restarting the FMS server. All active messaging sessions are completed before any reload.
__FMS_Admin_CheckLicense. Instruct the server to display the license details. Useful to determine the period for which the license is active.
__FMS_Admin_ReloadLicense. Instruct the server to reload the license activation file without restarting the server.
__FMS_Admin_ConnectionStatistics. Instruct the server to display connection statistics of a running server.
__FMS_Admin_ListCerts truststore truststoreType truststorePassword. Instruct the server to list the certificates in one of the truststores of a running server. The truststoreType must be one of JKS, PKCS12 or DATABASE.
__FMS_Admin_ServerLogLevel level. Change the server logging level. The level must be one of WARN, INFO, DEBUG or TRACE.
__FMS_Admin_GetServerLogLevel. Retrieve the current server logging level. This command takes no argument.
__FMS_Admin_AddCert truststore truststoreType truststorePassword alias certificateBase64. Instruct the server to add a new certificate specified by the certificateBase64 string and identified by the alias.
The updateCert.sh script listed in the Section called Script to dynamically update FMS public certificates provides a wrapper for fmsconf to dynamically update certificates on a running FMS server.
__FMS_Admin_GetCert truststore truststoreType truststorePassword alias [full]. Instruct the server to return the certificate in base64 encoded format identified by the alias.
The full certificate detail including fingerprint will be displayed if the optional full argument is included.
__FMS_Admin_DeleteCert truststore truststoreType truststorePassword alias [result]. Instruct the server to delete the certificate identified by the alias from the keystore identified by truststore.
The deleted certificate alias and fingerprint will be displayed after deletion if the optional result argument is included.
__FMS_Admin_RenameKey truststore truststoreType truststorePassword keyPassword currentKeyAlias newKeyAlias. Instruct the server to rename the certificate or key entry currentKeyAlias to newKeyAlias in the keystore identified by truststore; keyPassword is the password protecting that key entry.
The fmsconf utility uses the following freely available programs which are typically available on any Linux system.
python
openssl
getopt
An Administrator listener connection must be configured and enabled in the FMS configuration file. The Administrator configuration is automatically generated and may be adjusted to look similar to the following sample.
    <cc:listener>
      <cc:name>Administration</cc:name>
      <cc:className>com.flame.connection.impl.admin.Admin</cc:className>
      <cc:aliasRef cc:keystoreID="administrator">
        <cc:alias>fmsrns</cc:alias>
        <cc:password>fmsrns</cc:password>
      </cc:aliasRef>
      <prop:Properties>
        <prop:comment>Configuration options for com.flame.connection.impl.admin.Admin</prop:comment>
        <prop:entry prop:key="HOST">yourdomain.com</prop:entry>
        <prop:entry prop:key="MAXIMUM_CONCURRENT_CONNECTIONS">1</prop:entry>
        <prop:entry prop:key="READ_TIMEOUT">0</prop:entry>
        <prop:entry prop:key="USE_SSL">true</prop:entry>
        <prop:entry prop:key="MOTD"><html>Welcome to the FMS Management Console<br><br>
          Server listening: %2$s<br>Connection: %1$s@%3$s<br><br>
          Server Started: %4$tc<br>Uptime: %5$ts seconds</html></prop:entry>
        <prop:entry prop:key="SSL_NEED_CLIENT_AUTH">false</prop:entry>
        <prop:entry prop:key="PORT">29360</prop:entry>
        <prop:entry prop:key="LOG4J_PATTERN">%-5p [%t]: %m%n</prop:entry>
      </prop:Properties>
    </cc:listener>
    <cc:acl cc:order="allow_deny"/>
The keystore configuration is automatically generated at system initialisation and may be adjusted to conform to deployment requirements as follows:

    <cc:keystoreRef cc:ID="administrator">
      <cc:name>admin.jks</cc:name>
      <cc:type>JKS</cc:type>
      <cc:pass>mypassword</cc:pass>
    </cc:keystoreRef>
An Administrator user must also be configured on the server. This should be done as per the instructions in the Section called Admin User Creation in the Chapter called Configuring FMS.
If the Admin listener properties USE_SSL and SSL_NEED_CLIENT_AUTH are both set to 'true', the client key and certificate that fmsconf presents must be created before connecting to the FMS server, and the public certificate must be imported into the FMS Administrator listener truststore (admin.jks) defined above. With client authentication required, the administration port is protected by mutual TLS rather than by the admin password alone; since this listener can reload the server configuration and add or delete trust anchors, enabling it is advisable on any server that is not a purely local test instance.
Create the private key in file mcpriv.pem and a self-signed public certificate in file mcpub.pem as follows. Use a key of at least 2048 bits; 1024-bit RSA keys are no longer considered adequate:

    openssl genrsa -out mcpriv.pem 2048
    openssl req -new -x509 -key mcpriv.pem -out mcpub.pem -days 1095

The req command prompts for the certificate subject. mcpriv.pem is the private key and mcpub.pem the public certificate to use when connecting to FMS (passed with -k and -c, or via the KEY and CER environment variables).
Import mcpub.pem into the FMS administrator truststore. The -storepass value must be the keystore password configured in the keystoreRef cc:pass element (mypassword in the sample above); -noprompt suppresses the interactive "Trust this certificate?" question:

    keytool -import -noprompt -keystore server/admin.jks -storepass mypassword -file mcpub.pem -alias admin
Note: during the TLS handshake the server presents the key entry named by the listener's cc:aliasRef (alias fmsrns in the sample above). If admin.jks holds only imported certificates and no private key, the server has nothing to present, no cipher suite can be negotiated, and the fmsconf connection fails with:

    140735140426592:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
    140735140426592:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

Generate the server key pair into the same keystore as follows. The -alias and -keypass values must match the cc:alias and cc:password of the listener's aliasRef, and -storepass must match the keystoreRef cc:pass:

    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -keystore server/admin.jks -storepass mypassword -keypass fmsrns -alias fmsrns
Refer to the Section called Keystore Setup and Examples in the Chapter called Installation for further details on key and certificate generation for FMS.
Invoke fmsconf with -H, or as here with an option it does not recognise, to display the usage:

    fmsconf -?
    fmsconf: invalid option -- '?'
    Usage: fmsconf [-d] [-c public_certificate_file] [-h fms_host] [-k private_key_file] [-P fms_host_admin_port] [-p password] [-u admin_username] [-x admin_command] [-H]
     where
     -d optional - switch debug to s_client on
     -c /path/to/public_certificate_file - only required if the client authentication property 'SSL_NEED_CLIENT_AUTH' is set to 'true' for the admin listener in the server configuration
     -h host - optional - defaults to xenialmac
     -H : optional - displays help information
     -k /path/to/public_key_file - only required if the client authentication property 'SSL_NEED_CLIENT_AUTH' is set to 'true' for the admin listener in the server configuration
     -P port - optional - defaults to 29360
     -p password - optional - defaults to admin
     -u admin_username - optional - defaults to admin
     -x admin_command - optional - defaults to '__FMS_Admin_Version'. Can be any one of
      '__FMS_Admin_Version'
      '__FMS_Admin_ReloadConfigurations'
      '__FMS_Admin_GetConfiguration'
      '__FMS_Admin_ReloadConnections'
      '__FMS_Admin_ReloadLicence'
      '__FMS_Admin_CheckLicence'
      '__FMS_Admin_ConnectionStatistics'
      '__FMS_Admin_ServerLogLevel WARN|INFO|DEBUG|TRACE'
      '__FMS_Admin_GetServerLogLevel'
      '__FMS_Admin_ListCerts certs.flame JKS|PKCS12|DATABASE keystorepassword'
      '__FMS_Admin_GetCert certs.flame JKS|PKCS12|DATABASE keystorepassword mykeyalias [full (FMS 5.4.2+ only)]'
      '__FMS_Admin_DeleteCert certs.flame JKS|PKCS12|DATABASE keystorepassword mykeyalias [result (FMS 5.4.2+ only)]'
      '__FMS_Admin_AddCert certs.flame JKS|PKCS12|DATABASE keystorepassword mykeyalias certificateBase64'
      '__FMS_Admin_RenameKey certs.flame JKS|PKCS12|DATABASE keystorepassword keypassword currentkeyalias newkeyalias'

    Use this utility to dynamically update a running FMS configuration or report on the status of a running FMS instance.

Note that the usage text spells the licence commands __FMS_Admin_ReloadLicence and __FMS_Admin_CheckLicence, whereas the command list earlier in this section uses ReloadLicense and CheckLicense. Check the spelling reported by fmsconf -H on the installed version before scripting these two commands.
The behaviour of fmsconf may be customised through the following environment variables:

ERROR_FILE. Defaults to fmsconf.<pid>.
OPENSSL. The OpenSSL binary used to run s_client; defaults to openssl (set in the script as OPENSSL=${OPENSSL:=openssl}).
TLS_ARG. Protocol argument passed to openssl s_client. Defaults to an empty string, which lets s_client negotiate the highest mutually supported protocol version. May be set to '-tls1_3' to use only TLSv1.3, provided the server's java.security file permits it.
ADMINUSER. Defaults to admin and must match the administration user's user.cfg file on the FMS server, as described in the Section called Admin User Creation in the Chapter called Configuring FMS.
ADMINPASS. Defaults to admin and must match the same user.cfg file. Supplying the password here rather than with -p keeps it out of the process list visible to other local users.
KEY. The client private key file; defaults to mcpriv.pem and is only required if SSL_NEED_CLIENT_AUTH is set on the server administration listener.
CER. The client public certificate file; defaults to mcpub.pem and is only required if SSL_NEED_CLIENT_AUTH is set on the server administration listener.
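The following Python helper is an added example for this section, not code from fmsconf or the FMS distribution. It shows how a script would drive the admin commands listed above: it validates the enumerated arguments (truststoreType, log level) against the documented values before calling the tool, builds the certificateBase64 argument of __FMS_Admin_AddCert from a PEM file, passes the administrator credentials through the ADMINUSER/ADMINPASS environment variables instead of -u/-p, refuses the default admin password, and adds -k/-c only when both the client key and certificate are given (the SSL_NEED_CLIENT_AUTH case). It assumes that fmsconf honours the ADMINUSER/ADMINPASS variables as documented and that certificateBase64 is the base64 DER body of the PEM certificate with the BEGIN/END lines removed; the host name, passwords, alias and the SAMPLE_PEM placeholder are illustrative values, not settings from this page.

```python
"""Drive fmsconf from Python: argument validation, AddCert payload, credential handling.

Added example; not part of fmsconf or the FMS distribution. Assumes fmsconf honours the
documented ADMINUSER/ADMINPASS environment variables and that the certificateBase64
argument of __FMS_Admin_AddCert is the base64 DER body of a PEM certificate.
"""
import base64
import os
import shlex
import subprocess

TRUSTSTORE_TYPES = ("JKS", "PKCS12", "DATABASE")   # documented truststoreType values
LOG_LEVELS = ("WARN", "INFO", "DEBUG", "TRACE")    # documented __FMS_Admin_ServerLogLevel values
TRUSTSTORE_COMMANDS = ("__FMS_Admin_ListCerts", "__FMS_Admin_GetCert", "__FMS_Admin_DeleteCert",
                       "__FMS_Admin_AddCert", "__FMS_Admin_RenameKey")

# Constructed placeholder, NOT a real certificate: the DER encoding of SEQUENCE { INTEGER 1 }
# wrapped in PEM armor so the example runs offline. Use the real mcpub.pem in practice.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def pem_to_base64(pem_text):
    """Return the single-line base64 body of a PEM certificate for __FMS_Admin_AddCert.

    The armor must be labelled CERTIFICATE (a private key or CSR is rejected), the body must
    be valid base64, and the decoded bytes must start with the DER SEQUENCE tag 0x30 that
    opens every X.509 certificate, so a truncated or wrong file is never pushed to the server.
    """
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("expected a PEM block labelled CERTIFICATE")
    body = "".join(lines[1:-1])
    der = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError subclass
    if not der or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    return body


def admin_command(name, *args):
    """Assemble the value for -x, checking the enumerated parameters the server accepts."""
    if name in TRUSTSTORE_COMMANDS:
        if len(args) < 3:
            raise ValueError(f"{name} needs truststore truststoreType truststorePassword ...")
        if args[1] not in TRUSTSTORE_TYPES:
            raise ValueError(f"truststoreType {args[1]!r} not in {TRUSTSTORE_TYPES}")
    elif name == "__FMS_Admin_ServerLogLevel":
        if len(args) != 1 or args[0] not in LOG_LEVELS:
            raise ValueError(f"level must be one of {LOG_LEVELS}")
    return " ".join((name,) + tuple(args))


def fmsconf_invocation(command, host, password, user="admin", port=29360, key=None, cert=None):
    """Return (argv, env) for one fmsconf call.

    Credentials travel in ADMINUSER/ADMINPASS rather than -u/-p so they are not visible to
    other local users in the process list. -k/-c are emitted only when both the private key
    and the certificate are given, i.e. when the listener has SSL_NEED_CLIENT_AUTH=true.
    """
    if password == "admin":
        raise ValueError("refusing the default admin password; create a real admin user first")
    if (key is None) != (cert is None):
        raise ValueError("client authentication needs both the private key (-k) and certificate (-c)")
    argv = ["fmsconf", "-h", host, "-P", str(port), "-x", command]
    if key is not None:
        argv += ["-k", key, "-c", cert]
    env = dict(os.environ, ADMINUSER=user, ADMINPASS=password)
    return argv, env


def run_fmsconf(argv, env):
    """Execute a prepared invocation and return fmsconf's standard output (needs fmsconf on PATH)."""
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or f"fmsconf exited with status {proc.returncode}")
    return proc.stdout


if __name__ == "__main__":
    # Push the placeholder certificate into the server truststore over mutual TLS. Host,
    # truststore password, alias and admin password are illustrative values.
    cmd = admin_command("__FMS_Admin_AddCert", "certs.flame", "JKS", "truststorepw",
                        "mcadmin", pem_to_base64(SAMPLE_PEM))
    argv, env = fmsconf_invocation(cmd, host="fms.example.com", password="s3cret-not-admin",
                                   key="mcpriv.pem", cert="mcpub.pem")
    print(shlex.join(argv))          # the command that will run; ADMINPASS stays out of it
    # print(run_fmsconf(argv, env))  # uncomment on a host with fmsconf installed
```

Because subprocess is invoked without a shell, the multi-word -x value (for example '__FMS_Admin_ServerLogLevel WARN') is handed to fmsconf as a single argument, exactly as the quoted forms in the usage text require.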