cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
985
Views
5
Helpful
7
Replies
Chris Swinney
Contributor

Is it possible to Script a password change in TMS for the VCS Provisioning Extensions account?

Hi All,

We have a password policy that deems we need to change password on a regular occurrence and when people leave etc - no bad thing. However, we operate MANY VCS Controls (50+) managed by a single TMS system, and each one connects back to TMSPE. So, each VCS uses the same generic user name and password to connect to TMSPE.

Is there any way to script TMS in order to update the passwords that the VCS's use to connect to TMSPE?

I had thought that maybe the user/password used by TMSPE to connect with TMS itself (TMS --> Administrative Tools --> Configuration --> Provisioning Extension Settings) might have replicated the change to all connected VCS's, but I don't think it does.

For Ref:

TMS - 14.1.1

VCS - x7.1

Chris

7 REPLIES 7
mahkrish
Participant

Hi Chris, IMO, password change scripts may not work in TMS app in the current software version of TMS. If this critical for your business needs you can submit a new feature request with Cisco sales/account team of your region.

Sent from Cisco Technical Support iPad App

daleritc
Cisco Employee

If you look at the TMSPE Deployment Guide, page 8 under the "For Operation" section, we recommend the following for this username and account that makes the connection with the VCS or VCSs:

Member of the Site Administrator group in Cisco TMS. We recommend creating a service account for this purpose either locally or in Active Directory.

When creating this account, ensure it doesn't expire or get disabled. In my experience, most IT depts have these types of accounts and they do change the passwords periodically but its probably less occurrence than their regular user accounts, and they also are aware of where they are used so that when they do change the password, they know where to update the appropriate applications. However, I see your point on having to change that...in your case 50+ times...if indeed your seperately connecting to each VCS using TMSPE.

Now as far as the username and password being used where you are referring to, this should also be a service type account but what this account does is handle the internal communications between TMS and TMSPE on the TMS server. While the username and password you configure on the provisioning tab on the VCS in TMS when making the TMSPE connection with the VCS is used strictly for that connection. However, the service accounts can be one in the same.

Hope this clarifies.

rgds,

Dale

Hey Dale,

I did certainly did read the Admin guide prior to setting up, installing and configuring TMSPE and indeed I read the part about creating a service account (maybe one of the few that does read the admin guides you produce!), so this is exactly what we have done via AD. Of course, whilst the password does NOT expire, we still make a note of it due its complexity in our password vault. Potentially, when people leave, they may still have access to old vault files, so we try to change all passwords ASAP, as it essentially is a route into TMS. Belt and braces.

Whilst the AD password can be simply updated, reconfiguring all the VCS's to use this password is no easy task. Indeed, we have each VCS separately connecting as they located in different organisations

We do indeed use the same service account for the VCS connect and TMSPE --> TMS connectivity - but wouldn't it be great if TMS would replicate this across all configured VCSs.....

mahkrish  - Looks like a feature request is exactly what we will be doing.

Hi swinster70,

Always happy to hear that folks refer to our documentation And assumed this is what you were doing but just wanted to clarify, i.e. good info for others to know as well

And yes, and as discussed, I see your point wrt having to update 50+ seperate VCSs in the TMS UI (Provisioning tab > TMS Connections Settings pane) after you've changed the password in AD. So yes, open an FR appropriately

Dale

thobonho
Beginner

Hi swinster70,

Yes, everything is possible... It only depends on your developer skills!

I did some research, and you can actually retrieve the current VCS configuration used by the Provisioning Extension and update it at your convenience, just like TMS does.

To retrieve the configuration, do a GET request to the following URI:

http://YOUR_VCS_IP/api/management/configuration/provisioningservice?format=xml

Then, update the returned XML data structure with your new password in clear text and POST it back to the same URI.

Obviously, this is totally unsupported and you'll have to deal with the consequences if something wrong happens, but at least, it gives you another option than to open a feature request and wait for it!

Hi swinster70,

Yes, everything is possible... It only depends on your developer skills!

I did some research, and you can actually retrieve the current VCS configuration used by the Provisioning Extension and update it at your convenience, just like TMS does.

To retrieve the configuration, do a GET request to the following URI:

http://YOUR_VCS_IP/api/management/configuration/provisioningservice?format=xml

Then, update the returned XML data structure with your new password in clear text and POST it back to the same URI.

Obviously, this is totally unsupported and you'll have to deal with the consequences if something wrong happens, but at least, it gives you another option than to open a feature request and wait for it!

--

Thomas

Cheers Thomas for this. I wrote a little app back last year that used the API for some endpoints (via SSH)  to control camera movement via a GUI and to test the camera motors  running a in a loop, so I don't think this would be to far out of the  real of possibility, however, I would still like to see some full  scripting support within TMS, or simple ways to do things like this or  other bulk changes added to the interface. We have put in a feature  request, but I think we have a "Bob Hope" chance of anything coming of  it!

We also requested other password operations. For instance, you can apply a Configuration Template to multiple MXP or VCSs to change the "SystemUnit Password" (can't see any such thing for the 'C' series, although I think this is where provisioning will eventually come in), however, the connection password within TMS  will not update - you would have to manually update these for each  system. You could also update the passwords manually via the system  settings, but again you can only do this on a system by system basis (we  don't currently employ remote admin accounts on infrastructure or  endpoint such as through LDAP, but you would still be left with the connection password in TMS that would need to be changed).

Maybe some of these can also be scripted in some fashion. I'm sure I saw a TMS developers guide knocking around somewhere, but like everything, its time and an am at best, only an enthusiastic  coder. Maybe, some light can be shed there. However, I amazed that  things like this are not common tasks and as such already built into an  enterprise management tool in it 14th generation!

OK, discussion is going away from original topic, but you can actually change the admin password on C-Series with a configuration template. Don't ask why, but you have to choose "Password - Other type" and the password will be updated in TMS database as well. One feature request down at least!

Create
Recognize Your Peers
Content for Community-Ad