Skip to main content

Hi

 

Last month we upgraded to version 11.22.17 and we implemented a lot of hardening settings. The setting “Enable User Authentication for Agent installs” is also implemented.

 

Now we can’t register clients after they were installed in decoupled mode.

 

Here is the script:

# Register CommVault client

write-host "CommVault client registration starting"

$exe = "D:\Program Files\Commvault\ContentStore\Base\SIMCallWrapper.exe"

&$exe -OpType 1000 -CSHost wi-commserve.saxion.nl  -ClientName $servername -ClientHostName "$servername.domain.local" -output D:\temp\commvault.xml

 

We also use these parameters:

o-user user_name] l-password password] o-passwordEncrypted]

 

 The parameter-passwordEncrypted doesn’t work. Only -password. But then the password is not encrypted.

 

Chris van Oorspronk

 

Is er wellicht een andere manier om clients te registreren. Handmatig installeren is eigenlijk geen optie.

Hi Chris,

 

Thanks for reaching out to us!  I just tested the -passwordEncrypted parameter here in a lab setting and it does appear to work.  However, you need to make sure you’re passing the encrypted value of your password as the value for that parameter rather than a plain text password.

 

There’s a few different ways to obtain the encrypted value.  One simple method of obtaining the AES encrypted password would be to leverage the simcallwrapper tool to encrypt it for you.  You can then take the encrypted version of your password and pass it to the -passwordEncrypted parameter.

 

For example, let’s say your password is ‘password123’ (let’s hope that’s not actually the case, but this is just an example).

 

You can run the following command to output the encrypted version of ‘password’ into a text file :

 

simcallwrapper -optype 100 -enc password123 -output c:\temp\encpassword.txt

 

That command generates a file named encpassword.txt in the c:\temp directory which will include the encrypted string for ‘password123’ :

 

320f183bffa007aa109b3b47620b665979122a7835045f0c6

 

This is the value that should be passed to that -passwordEncrypted parameter rather than your plain text password. 

 

If you’ve done this already and it did not work for you, perhaps you can share the log files so we can review more closely to see why it failed.  Otherwise, please confirm the results.

 

Thank you!

 

-Brian Bruno


Brian

 

I entered this command:

 

# Register CommVault client
write-host "CommVault client registration starting"
$exe = "D:\Program Files\Commvault\ContentStore\Base\SIMCallWrapper.exe"
&$exe -OpType 1000 -CSHost wi-commserve.saxion.nl -user backup\sa-cvlt-clientreg -passwordEncrypted 311a407780dc5820044bf122225638cbe58ccf875e5f95d40217d2198f97ecf6d -ClientName $servername -ClientHostName "$servername.domain.local" -output D:\temp\commvault.x

 

This is the output

<?xml version="1.0" encoding="UTF-8" standalone="no" ?><CVInstallManager_ClientSetup><SimError ErrorCode="67109512" ErrorString="Password is missing for external user ebackup\sa-cvlt-clientreg]" errorLevel="2"/></CVInstallManager_ClientSetup>


Just out of curiosity but why aren't you using the -authcode option? It removes the need to parse username and password to add client computers to the CommCell. You were mentioning the hardening well using -authcode is safer than using username/password.

https://documentation.commvault.com/11.23/expert/2121_registering_client_using_command_line.html

 

 


Onne,

I have used the parameter -authcode and it is working.

But in the output file I see a domain user who is logged in.

This it the powershell script:

$exe = "D:\Program Files\Commvault\ContentStore\Base\SIMCallWrapper.exe"
&$exe -OpType 1000 -CSHost wi-commserve.saxion.nl -ClientName $servername -ClientHostName "$servername.domain.local" -authcode AEFD76C62 -output D:\temp\commvault.xml

 

 

<?xml version="1.0" encoding="UTF-8"?>

-<CVInstallManager_ClientSetup Focus="Instance001">

-<CommServeInfo>

<CommserveHostInfo clientName="wi381-sdp" _type_="3" GUID="A2F1DFC1-9232-4522-9BED-02349C255CF3"/>

</CommServeInfo>

-<ClientAuthentication SSOEnabled="0" ProviderID="0" PrincipalName="" DomainConfigured="0" AuthenticationEnabled="1">

<userAccountToLogin userName="bmzu01" domainName="DOMAIN"/>

</ClientAuthentication>

-<clientComposition packageDeliveryOption="0" activateClient="1">

-<clientInfo>

-<client evmgrcPort="0" cvdPort="8400" clientPassword="33fb7d1e468c1526a3c21da2b61c84fb5d87555b0c1da54205233ec460aa79741e912f4da0ced6a1a3b3aea19f612573f">

<clientEntity clientName="SQL2019-TEST01" _type_="3" GUID="F663DBE7-76FB-4A79-BBB1-B2D70C2DA460" hostName="SQL2019-TEST01.domain.local" clientId="2504"/>

</client>

</clientInfo>

<clientError ErrorCode="0"/>

</clientComposition>

<SimError ErrorCode="0"/>

</CVInstallManager_ClientSetup>


Funny! Is this username known to you? Have you performed a lookup in Commvault itself to see if this user actually exists in the CommCell? I suspect this username to be present in the install.xml that is part of the installation package. 


Onno

 

the user domain\bmzu01 exist in the CommCell. This user has installed the server and I think also the decoupled installation.

We make use of VMware templates to roll out Windows servers without and with SQL server on it.

 

I can’t find a install.xml on the server


Please examine the contents of the installation package that was used or create a fresh new installation package based on authorization code. Anyhow the username mentioned cannot be filled in automatically by Commvault so there has to be a logical explanation where it comes from.


Onno,

 

the username is from the user who installed the decoupled installation. During installing the decoupled installation you can give up the authorization code. Thats new for me, yesterday I enabled this in the admin console. And yesterday I did a new decoupled installation.

 

When I now use the powershell script for registration I left the parameter -authcode and it works.

 

$exe = "D:\Program Files\Commvault\ContentStore\Base\SIMCallWrapper.exe"
&$exe -OpType 1000 -CSHost wi-commserve.saxion.nl -ClientName $servername -ClientHostName "$servername.domain.local" -output D:\temp\commvault.xml

 

In the output xml file exist my username (domain\bcoo02). But in the Commcell this domain is not added. We have a dedicated domain for backup with another name. So I guess the user doesn’t matter.


Correct! Good to hear that you managed to use the authorization code. It is a really handy! We deploy our agents using Chef and to be able to make client side changes so for example add exclusion we use the ability to authenticate locally. In this way you can make small client configuration in the context of the client computer alone. Commands are executed locally on the client and in the context of the client. Other option would be to create an API user and talk to the API and store credentials in a key vault. But to add clients to the CommCell the use of the authorization code is simple and safe ;-)


Onno

 

you can close the case. I upgraded the SQL templates with a decoupled installation with the authentication code in it. After that I created out a new server from this template and the registration works.


Thanks for the update!!  Let me know if you want me to change your user name @SIMCallWrapper.exe .


Hi

 

My name is Chris van Oorspronk 


Hi

 

My name is Chris van Oorspronk 

and now you have a new name here!

Thanks!


Reply