A defaults file can be used to specify default values for the following global parameters:
If these parameters are specified in the defaults file, they can be omitted from epadmin invocations that would otherwise require them.
The default location for the defaults file is
$HOME/.epadmin/defaults. This location can be overridden per command
execution using the
defaultsfile global parameter. In
addition, the defaults file can be ignored per command execution using the
ignoredefaultsfile global parameter. Finally, for the
parameters, if they are specified both in the defaults file and on the command line,
the command line value takes precedence. The associated password precedence is
summarized in the following table.
|Key or Trust Store Value is Specified...||Password Precedence|
|On command line||Password must be specified on command line. Value in defaults file is ignored.|
|In defaults file||
If there is a password in the defaults file, it is always used and a
specified command line password is ignored.
If there is no password in the defaults file, a command line password value is required.
The defaults file consists of the following sections:
Optional section used to specify the keystore to use when decrypting any encrypted passwords specified in the defaults file. There can only be one
Securitysection in a defaults file and it is required, if there are encrypted passwords in the defaults file.
Optional section specifying one or more service names, with multiple service names separated by a space. The service names can be fully-qualified, partially-qualified, or a cluster name. There can be multiple
Servicesections in a defaults file.
Optional section specifying one or more network addresses in the form
hostname:adminport. Multiple network addresses must be separated by a space. There can be multiple
Addresssections in a defaults file.
Section names are case insensitive.
The beginning of a section is marked by a line that begins with a left square bracket and ends with a right square bracket (after any leading and trailing white space is removed). The end of a section is marked by the start of a new section or an end of file.
# Security section # [Security] # Service section # [Service A.X B.X] # Address section # [Address myhost.example.com:12345 myotherhost.example.com:12345]
Within the defaults file:
Blank lines are ignored.
Lines starting with the
#character are comment lines (with leading white space removed) and are ignored.
Within a section:
Property values are specified using
Each property must be on a separate line.
Property values that are relative file paths are relative to
Property values that are passwords can be encrypted using the encrypt secret command .
The supported property values are shown in the following table:
|Property Name||Supported Sections||Description|
Path to an epadmin secret key
store file. When this property is in the
||Path to a plain text password file for the epadmin secret key. Use file permissions to protect the contents of this file. If this property does not exist, and a password must be decrypted, a password prompt is displayed.|
||Path to a client authentication key store file.|
||Key store password for the client authentication key file. This value can be encrypted.|
||Path to a client authentication trust store file.|
||Trust store password. This value can be encrypted.|
See Clarifying keystore Parameters below for
more on the difference between the two uses of
epadmin command is executed, it uses the most
specific service or address match in the defaults file. If there are multiple
equivalent matches, the first one found is used.
sections are used when the
servicename parameter is
specified to execute a command.
Address sections are
adminport are specified to execute a command. For example, consider
this defaults file:
# Cluster X # [Service X] keystore = /path/to/keystore1.pem # Node A.X # [Service A.X] keystore = /path/to/some/other/keystore2.pem
With those defaults, an epadmin command
Here is a full example of a defaults file.
[Security] # # Keystore to use when decrypting encrypted entries in this file. # keystore = /path/to/keystore.ks # # Plain text keystore password. Protect the contents of this file # with appropriate file permissions. Or, omit this property from # the defaults file, in which case, epadmin prompts for the # keystore's password if not specified. # keystorepasswordfile = /path/to/password/file # # Fully-qualified service name. # # Multiple entries separated by spaces. # [Service A.Y.X B.Y.X C.Y.X] keystore = /path/to/client/auth/keystore.pem keystorepassword = notsecret truststore = /path/to/client/auth/truststore.pem truststorepassword = #!!MoupLc8mgVhE5wNVpgCNiQgs96opSn7kkGB1qpKW70bL # Partially-qualified service name [Service .Y.X] # ... # Cluster name [Service X] # ... # Host/port pair [Address myhost.tibco.com:12345] # ...
There are two sets of
A pair of global parameters related to client authentication for nodes.
A pair of target parameters related to epadmin encryption.
- Features of keystore Global Parameters
The global parameters
--keystorepasswordhave these features:
keystorepoints to a PKCS#12 or PEM key file containing certificate and keys necessary for any epadmin command to connect to a node that requires client authentication.
The key file pointed to must have the
keystorepasswordparameters can be stored in one or more [Service] sections of an epadmin defaults file:
The [Service] section of a defaults file defines parameters for an exact node, or set of nodes, or a cluster.
In the [Service] section,
keystorepasswordpoint to the TLS keys that allow client communication with the TLS-enabled nodes defined in that [Service] section.
You can have more than one [Service] section, each with different sets of key files.
- Features of keystore Target Parameters
The target parameters
--keystorepasswordhave these features:
The epadmin install node command and all epadmin secret commands take
The key file pointed to must be created with epadmin create secret.
This key file is used to encrypt and decrypt passwords and other strings in configuration files as described in Encrypting Sensitive Configuration Data.
This file does not have a required extension (although this Guide suggests using
keystorepasswordfileparameters can be stored in the [Security] section of an epadmin defaults file. There, they are ONLY used to decrypt encrypted strings in the same defaults file.
Notice that the defaults file parameter is
keystorepassword. This points to a local plain text file that you protect with operating system access control, such as