Change AMagent and SDagent passwords when CAF Load Creds is in use

Document ID : KB000050672
Last Modified Date : 14/02/2018

Description:

In IT Client Manager the caf loadcreds command can be stored in the cafcreds.txt file.

This text file includes the user account and password of the Active Directory domain account for the AMAGENT and SDAGENT, so these agents can be accessed by network resources.

The process below will explain the caf loadcreds and caf setcreds commands and how to change passwords that are included in the cafcreds.txt when required.

The caf setcreds command sets the credentials for a CA ITCM service.

Currently only the Asset Management and Software Delivery Agents are supported. This command can be used directly on a console or by sending an asset or software delivery job to many machines.

Important Note: Be aware that sending this command through an asset or software delivery job embeds the password in plain text in that job.

Here are some examples of using the caf setcreds command to set the SDAGENT and AMAGENT Passwords.

  • Open a command prompt window.

  • Set the credentials for SDAGENT using the command line:

    caf setcreds sdagent user administrator password xxx

    Test that it works by issuing the following command:

    caf start sdagent

  • The sdagent program (sd_jexec.exe) should appear in the Task Manager running as administrator.

  • To set the password for amagent, use the following command:

    caf setcreds amagent user administrator password xxx

  • This can also be tested with the caf start amagent command; the agent will again appear in Task Manager running as administrator.

Solution:

Maintain two accounts and alternate between the two. If, say, the rule is the password must be changed every 3 months, do the following EVERY month:

  • Change the password on the user NOT currently in use (user2).

  • Immediately send a job to modify the credentials on all targets to user2. This job should be set to timeout after 30 days instead of the default 7 days. This will allow time for people on vacation, etc. to get the job.

  • Next month, change the password for user1 and send a job to switch back to user1.

  • Effectively the user password would be changed every 2 months, and every target's credentials would be changed monthly.

With a little work, the above process could be automated.

Using this method, the password can be changed prior to sending the job without fear of users being locked out since the targets will still be using the other user until they get the new credentials. Each user account will be used for a month at a time plus whatever time it takes for the job to run at every target, and sufficient time is allowed for the job to run on targets which may not be active for a week or two due to vacation or whatever.
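
One way the monthly alternation described above could be scripted, as an added example that is not CA's code. The account names, the month-parity rule for picking the account, and the availability of the ActiveDirectory PowerShell module are assumptions; the script only prints the caf setcreds lines for the job and does not send it.

```powershell
# Added example, not CA's code. Account names and the month-parity rule are assumptions.
param(
    [datetime]$Today = (Get-Date),
    [string[]]$Accounts = @('itcm-svc1', 'itcm-svc2'),  # user1, user2 (hypothetical names)
    [switch]$Apply   # without -Apply the AD password is not touched (dry run)
)

function Get-AccountToRotate {
    param([datetime]$Date, [string[]]$Accounts)
    # Count months continuously so the alternation survives December -> January.
    $monthIndex = $Date.Year * 12 + $Date.Month
    $Accounts[$monthIndex % 2]
}

function New-ServicePassword {
    param([int]$Length = 24)
    # 64 symbols: 256 % 64 = 0, so mapping random bytes with modulo is unbiased.
    # No spaces, quotes or cmd.exe metacharacters, since the value goes on a command line.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    $rng.Dispose()
    $pw
}

$account  = Get-AccountToRotate -Date $Today -Accounts $Accounts
$password = New-ServicePassword

if ($Apply) {
    # Step 1: change the password of the account NOT currently in use.
    Import-Module ActiveDirectory
    $secure = ConvertTo-SecureString $password -AsPlainText -Force
    Set-ADAccountPassword -Identity $account -Reset -NewPassword $secure
}

# Step 2: command lines for the job sent to all targets, with its 30-day timeout.
# The password is in clear text here, as the page warns: keep this output off disk and out of logs.
[pscustomobject]@{
    Account        = $account
    JobTimeoutDays = 30
    JobCommands    = @(
        "caf setcreds sdagent user $account password $password"
        "caf setcreds amagent user $account password $password"
    )
}
```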