Document toolboxDocument toolbox

(12.04.120-en_orig) IGEL UMS Administrator Command-Line Interface

The Universal Management Suite (UMS) Administrator command-line interface (CLI) allows you to control the IGEL UMS Administrator via a terminal and to automate UMS Administrator actions via scripting. Among these actions are creating and editing database connections for the UMS Server, backing up and restoring the embedded database, configuring communication ports and security, managing the UMS ID, configuring the superuser, and restarting the UMS Server.

As this feature allows complete control without any graphical desktop environment, it is possible to run the CLI application on headless Linux systems.


Basic Usage

Like the graphical UMS Administrator application, the CLI requires elevated privileges.

Windows: Open a command prompt (cmd.exe) as Administrator.

Linux: Become root or use sudo

You can run the main command umsadmin-cli from any directory, as the command is made available on the PATH.

To see the global options and the primary subcommands, enter umsadmin-cli

To get all possible options for a specific subcommand, enter umsadmin-cli followed by the subcommand, e.g. umsadmin-cli db create

Certain subcommands have no options and run immediately. Please refer to the Command Reference.

To get the complete online help with all commands, enter umsadmin-cli fullhelp 

To get the list of available commands, enter umsadmin-cli help 



To display help information about any command, use help as a subcommand. For example, enter umsadmin-cli web-certs help  

Global Options

If you intend to use the UMS Administrator CLI in a script, you may want to configure its output to stdout/stderr according to your needs. This makes it easy to further process the output of umsadmin-cli and extract any relevant data.

Please see the available options below. 

--machine-readable

Prints output machine-readable with a semi-colon (;) as default separator.

Example:

root@machine:/home/locadmin# umsadmin-cli --machine-readable db list
ACTIVE;DATABASE;HOST;USER;DB-TYPE;ID
true;rmdb;localhost;root;Embedded DB;1

--no-header

No header line is printed. (Not all commands print a header.)

Example:

root@machine:/home/locadmin# umsadmin-cli --machine-readable --no-header db list
true;rmdb;localhost;root;Embedded DB;1

--quiet

All output to stdout/stderr is suppressed for some commands which might take a long time to execute. These are, for instance, db backup, db restore, db copy, and server-restart.

Example:

root@machine:/home/locadmin# umsadmin-cli --quiet db backup -o /tmp/mybackup02.pbak --full
root@machine:/home/locadmin#

It is still possible to redirect all output to a null device using operating system functions. For example, to redirect standard output and error output to the null device on Linux, use:

command … >/dev/null 2>&1

--separator

Defines a custom column separator for output to stdout/stderr.

Example:

root@machine:/home/locadmin# umsadmin-cli --machine-readable --no-header --separator "||" db list
true||rmdb||localhost||root||Embedded DB||1

Some separator characters, such as the pipe symbol (|), require quotes because they have special functions in terminals.


Exit Codes

Exit CodeMeaning
0Successful execution
1Internal error. An error number is outputted to stderr; for details, see Error Numbers
2Wrong usage of the CLI or invalid arguments

Command Reference

General Usage of Password Options

Some commands require a password. Entering the password in plain text on the command line is not secure and therefore not possible. Therefore, one of the following password options must be used:

--password:in for interactively entering the password (possibly with confirmation)

--password:file <FILE> for providing a file containing the password

A password file must have the password as the first line and the passwords must not be pure whitespace. Additional lines with content are allowed but will not be evaluated.

UMS Server Restart Required

Most of the commands in the sections "Ports", "Cipher", "Reset Certificates", and "Superuser" change the UMS configuration and a restart of the UMS server is required to make the new settings take effect. This can be done in two ways:

  • Use the appropriate function of the OS (e.g. systemctl on Linux)
  • Use the command umsadmin-cli server restart

Database

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Value TypeOption Description Remarks

List all configured data sources

dblist



Shows the ID of the data source, which is required by other commands.

The lowest ID is 1.

IDs may change upon the creation and deletion of data sources.

It is strongly recommended to always extract the ID before using it in other commands with --id

The ID is calculated like this: highest existing ID + 1

Show all details of a databasedbshow-i--idintegerThe ID of the database to show

Run umsadmin-cli db list to get a list of current data sources and select the ID of a data source.

Run umsadmin-cli db show --id <ID>  with that ID.

Create a new database connection






db






create






-t--typestringThe database type.
For a list of the possible values, type umsadmin-cli db create

Type, user, and port are required.

Other options may or may not be required depending on the DB type

db create will activate the database by default; this can be prevented by using -A or --no-activate. A password option cannot be used then.

If activation fails, the data source entry will still be present and is not active (same behavior as in the graphical UMS Administrator).

'rmdb' is a reserved name for the embedded database type and cannot be used for other types.

-H--hoststringThe database host
-d--domainstringThe database domain
-p--portintegerThe database port
-u--userstringThe database username
-S--schemastringThe database schema
-n--namestring

The database name.

Free text, except 'rmdb'; this name is reserved for the embedded database.


-I--instancestringThe name of the database instance
-A--no-activate
The database will not be activated.

--password:filestringThe password is read from a file (plain text) whose path is provided after this option.
--password:instringThe password is read from stdin; an interactive prompt is shown.
Edit a data sourcedbedit-t--typestringThe database type.
For a list of the possible values, type umsadmin-cli db create

Embedded databases cannot be edited (as in the graphical UMS Administrator).

All options are optional, except --id

-H--hoststringThe database host
-d--domainstringThe database domain
-i--idintegerThe identifier of the database to be edited
-I--instancestringThe name of the database instance

--jdbc-paramsstringAdditional JDBC parameter. 

For details on the JDBC parameters, see (12.04.120-en_orig) How to Set Up a Data Source in the IGEL UMS Administrator.

Examples:

  • rmadmin\umsadmin-cli.exe db create --type=mssql --name=rmdb12_00 --host=122.30.229.1 --port=1433 --user=rmdb --password:in --jdbc-params sendStringParametersAsUnicode=false;
  • rmadmin/umsadmin-cli.bin db edit -i 1 --jdbc-params sendStringParametersAsUnicode=false;


-n--namestring

The database name.

Free text, except 'rmdb'; this name is reserved for the embedded database.


-p--portintegerThe database port
-S--schemastringThe database schema
-u--userstringThe database username
Activate a database connectiondbactivate

--password:filestring

The password is read from a file (plain text) whose path is provided after this option. 

Example: umsadmin-cli db activate --password:file /home/ike/password.txt


--password:instringThe password is read from stdin; an interactive prompt is shown.
-i--idintegerThe identifier of the database to be activated
Deactivate the active database connectiondbdeactivate-i--idintegerThe identifier of the database to be deactivated
Test the active database connectiondbtest
--password:filestring

The password is read from a file (plain text) whose path is provided after this option. 

Example: umsadmin-cli db test --password:file /home/ike/password.txt


--password:instringThe password is read from stdin; an interactive prompt is shown.
Optimize the active databasedb optimize



This command can only be applied to an embedded database or a Derby database.

Create a copy of the current databasedbcopy-t--targetinteger

The ID of the target database

To get the database ID, enter umsadmin-cli db list


--password:filestringThe password is read from a file (plain text) whose path is provided after this option. 
--password:instringThe password is read from stdin; an interactive prompt is shown.
Delete a database connectiondbdelete-i--idintegerThe ID of the database connection that is to be deleted
Create a backup of the current embedded database

db

backup

-o--outfile

Path to the target file. The file suffix .pbak is automatically added. 

Existing backup files are not overwritten.


-f--full
Full backup. Database, server configurations, and transfer files are included.
-p--parent
All directories for the specified path will be created if they are not already existing.
Restore a backup into the embedded databasedbrestore-f--file
Path to the backup file

Ports

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Value Option Description 
List all ports and SSL flagportslist



Set new port numbers or SSL-only flag



ports



set



-d--dev-commintegerDevice communication port. For details, see (12.04.120-en_orig) Devices Contacting UMS.
-j--java-webstartintegerJava Web Start port
-w--web-serverintegerUMS server port. For details, see (12.04.120-en_orig) UMS with Internal Database and (12.04.120-en_orig) UMS with External Database.
-e--embeddedintegerEmbedded database port

--ssl-onlybooleanAllow SSL connections only

Cipher

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Option Description 
List all ciphers, optionally filteredcipherlist

List all ciphers
-e--enabledList only enabled ciphers
-d--disabledList only disabled ciphers
Enable cipherscipherenable


Enable ciphers. The ciphers are separated by whitespaces.

Example: umsadmin-cli cipher enable CIPHER1 CIPHER 2 CIPHER3 

--all

Apply for all; individual cipher names are ignored.

Disable cipherscipherdisable


Disable ciphers. The ciphers are separated by whitespaces.

Example: umsadmin-cli cipher disable CIPHER1 CIPHER 2 CIPHER3

--all

Apply for all; individual cipher names are ignored.

Manage Web Certificates

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Option Description Remarks
Reset web certificatesreset-certs
-y--yes

The reset is only executed after confirmation


Assign certificate to current or all serversweb-certsassign-cert-f--fingerprint-sha1SHA1 fingerprint of certificate
-s--server

Server to which the certificate is assigned. Possible values:

  • ALL_SERVER
  • CURRENT_SERVER (default)

Create a root certificateweb-certscreate-root-cert-a--algorithm

Key pair algorithm; rsa or ec (default: rsa)


-c--countryCountry code (two letters)
-d--expiration-date

Expiration date (YYYY-MM-DD)

(Current date plus 20 years if not specified.)



--key-size

Key size (4096, 8192, ... bits). Valid values :

  • 4k (default)
  • 8k
  • 12k
  • 16k 

-l--locality

Locality

(If not specified, the hash code of a random uuid is used.)


-n--nameCertificate name
(default: Root certificate)


--named-curve

Named curve.
Valid values:

  • nist-p-384 (default)
  • nist-p-256
  • nist-p-521 

-o--organization

Organization

(Mandatory option)


Create signed certificateweb-certscreate-signed-cert-f--fingerprint-sha1SHA1 fingerprint of parent CA certificateThe parent CA certificate is specified by the SHA1 fingerprint. It doesn’t matter whether you use no delimiter, ‘-’ or ‘:’ as the delimiter for the fingerprint.
-n--nameCertificate name
(default: Certificate)


--cnCommon name
-c--countryCountry code (two letters)
-o--organizationOrganization
-l--locality

Locality

(If not specified, the hash code of a random uuid is used.)


-d--expiration-date

Expiration date (YYYY-MM-DD)

(Current date plus 1 year if not specified.)



--ca

Certificate type:

  • true = CA certificate
  • false = End entity (default)


-h--hostnameHostname (hostname or one of these values:
  • ALL_SERVER
  • CURRENT_SERVER (default)
You can specify a list of hostnames for the subject alternative names (SAN) or you can specify, whether the current server (CURRENT_SERVER) or all servers (ALL_SERVER) should be listed in the SAN list.
Delete a certificateweb-certsdelete-f--fingerprint-sha1SHA1 fingerprint of certificate
Export certificateweb-certsexport-cert-c--cert-filePath to which the certificate should be exported
(Name cert.cert is used when only a directory is specified.)

-f--fingerprint-sha1SHA1 fingerprint of certificate
Export certificate chain to keystore (JKS)web-certsexport-cert-chain-f--fingerprint-sha1SHA1 fingerprint of certificate
-k--keystore-filePath to keystore to which certificate chain should be exported

--password:filePath to a file containing the password

--password:inShows an interactive prompt to enter the password
Import certificate chain from keystoreweb-certsimport-cert-chain-k--keystore-fileThe keystore file

--password:filePath to a file containing the password

--password:inShows an interactive prompt to enter the password
Import decrypted private keyweb-certsimport-private-key-f--fingerprint-sha1SHA1 fingerprint of parent CA certificate
-p--private-key-fileThe file containing the private key
Import root certificateweb-certsimport-root-cert-c--cert-fileThe root certificate (CERT, CER, CRT, PEM)
Import signed certificateweb-certsimport-signed-cert-c--cert-fileThe root certificate (CERT, CER, CRT, PEM)A certificate can only be imported when no other certificate with the same fingerprint already exists; otherwise, you will get an error message.
-f--fingerprint-sha1SHA1 fingerprint of parent CA certificate
List the assigned server of a certificateweb-certslist-assigned-server-f--fingerprint-sha1SHA1 fingerprint of certificate
List all web certificates or details of a certificateweb-certslist-f--fingerprint-sha1SHA1 fingerprint of certificateWhen you specify a fingerprint, the details of the certificate with that fingerprint are shown.
Renew certificateweb-certsrenew-cert-f--fingerprint-sha1SHA1 fingerprint of certificateYou only have to specify the fingerprint of the certificate that should be renewed. If the other parameters are not specified, the values from the old certificate are used (with a new expiration date).
-n--nameCertificate name 

--cnCommon name
-c--countryCountry code (two letters)
-o--organizationOrganization
-l--localityLocality
-d--expiration-dateExpiration date (YYYY-MM-DD)
(Current date plus 1 year if not specified)

-h--hostname

Hostname (hostname or one of these values:

  • ALL_SERVER
  • CURRENT_SERVER

Superuser

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Value Option Description 
Show UMS superusersulist



Change UMS superuser

su

change

-u--userstringNew superuser
-p--password:filestringThe password is read from a file (plain text) whose path is provided after this option.

--password:instringThe password is read from stdin; an interactive prompt is shown.

UMS ID

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Value Option Description 
Show the current UMS IDslicensinglist



Create a new UMS IDlicensingcreate



Backup the UMS IDlicensing

backup

-o--outfilestringPath to the target file (file suffix: .ksbak)
-p--parent
All directories for the specified path will be created if they are not already existing.

--password:filestringThe password is read from a file (plain text) whose path is provided after this option.

--password:instringThe password is read from stdin; an interactive prompt is shown.
Restore a UMS ID from a backup

licensing

restore

-f--filestringPath to the backup file

--password:filestringThe password is read from a file (plain text) whose path is provided after this option.

--password:instringThe password is read from stdin; an interactive prompt is shown.

Network Token

ActionPrimary SubcommandShort Option Long Option Value Option Description Remarks
Install a network token for the UMS Server or a broker (UMS HA)

token

-f--token-filestringPath to token file

This command is also available as a standalone command named umstokeninstall-cli in broker-only installations. It is equivalent to umsadmin-cli token.



--serverbooleanInstall token for UMS Server
--brokerbooleanInstall token for broker

UMS Cluster

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Option Description 
Show the current UMS cluster FQDNums-clusterlist


Set a new UMS cluster FQDNums-clustercreate-n--nameName for the new UMS cluster FQDN
Delete the current UMS cluster FQDNums-clusterremove


Server

ActionPrimary SubcommandSecondary SubcommandShort Option Long Option Option Description 
Start the local UMS Serverserverstart


Stop the local UMS Serverserverstop


Restart the local UMS Serverserverrestart


End the update mode of the local UMS Serverserverend-update-mode


Set the distributed mode of the UMS installationserverdistributed-e--enableEnable Distributed UMS

-d--disableDisable Distributed UMS

Error Numbers

The error numbers are printed in the following format:

<E-NNNN>: <HUMAN READABLE MESSAGE>

Some error descriptions in the following table contain the phrase „[param]“. These will be replaced during runtime with details for the relevant error, e.g. the problematic path for E-1030.

Error numberError description
1000Unable to connect to database. UMS server may be down.
1001Cannot get database configurations.
1002Cannot create database.
1003Cannot activate database. [param]
1004Internal error while activating database.
1005Database already exists in this configuration.
1006Database type is unknown.
1007Database is already activated.
1008Cannot edit database configurations.
1009Internal error while optimizing database.
1010The active data source type is not Embedded or Derby and does not support optimization.
1011Test of the active data source failed.
1012No database is activated.
1013Cannot deactivate database.
1014No database is active or the active database is not of type 'Embedded' or 'Derby'.
1020Database could not be deleted.
1030The specified directory for the backup does not exist: [param]
1031Internal error while attempting database backup.
1040The specified backup file was not found.
1041The specified backup file has an invalid file type.
1042Unable to read the specified backup file.
1043Internal error while activating data source after restore.
1044Internal error while attempting to restore database.
1045The active data source is not embedded or there is no active data source.
1051Authentication error or internal error when an attempt was made to copy the database
1052Error Accessing credentials of source database
1090A name is required for non-embedded database types.
1091Activation failed, incorrect password provided.
1092Backup failed, the specified file already exists.
1093Port number is required for non-Embedded database.
1094A data source of the Embedded type cannot be edited.
1095No such data source with this ID.
1100The name 'rmdb' is reserved for the Embedded database.
2000Internal error while reading port configuration.
2001Internal error while setting port configuration.
2002Internal error while restarting UMS server.
2003Invalid port number provided.
2004Port number [param] already configured.
3000Internal error while reading cipher data.
3001Internal error while changing cipher configuration.
3002Invalid ciphers provided: [param]
4000Resetting web certificates requires '--yes' option for confirmation.
4001Internal error while resetting web certificates.
5000Internal error while reading superuser credentials.
5001Internal error while writing superuser credentials.
5002No username was provided for new credentials.
5003Unable to set superuser credentials. There is no active data source.
6000Unable to create a new UMS ID.
6001The specified file for the license key backup already exists.
6002No internal license keystore found.
6003Internal error while creating license key backup.
6004Internal error while restoring license key backup.
6005The specified file for the license key backup does not exist.
6006The specified password for the license key backup is incorrect.
6007The specified path for the license key backup does not exist: [param]
7000Token file was not found.
7001Setup type not defined, token not installed.
7501Unable to set UMS cluster FQDN.
7502Unable to show UMS cluster FQDN.
7503Unable to delete the cluster FQDN.
8000Internal error while restarting the UMS server.
8001Internal error while starting the UMS server.
8002Internal error while stopping the UMS server.
8003Internal error while ending the update mode of the UMS Server.
8004Internal error while setting the distributed mode of the UMS installation.
8005Either --enable or --disable must be provided in the options.
8006Distributed UMS not recommended for Derby Embedded Database.
9000An error with the password file occurred: [param]
9001The provided passwords did not match. Aborted.
9002The provided password exceeds the maximum character limit ([param]) or contains only whitespace.
9700File [param] doesn't exist!
9701Keystore contains no certificate entries!
9702Keystore password is invalid!
9703Keystore couldn't be read!
9704Could not import certificate chain!
9705Internal error while importing certificate chain!
9706No SHA1 fingerprint specified!
9707Could not delete certificate(s) with SHA1 fingerprint [param]!
9708Certificate must not be deleted because it is currently in use!
9709Root certificate creation failed!
9710Certificate could not be created! Private key of CA certificate is not known.
9711Certificate could not be created! CA certificate is not valid.
9712Could not find CA certificate with specified fingerprint.
9713Certificate could not be created! CA certificate does not meet the requirements.
9714Certificate could not be created! Requirements for CA certificate creation are not met.
9715Creation of signed certificate failed!
9716Certificate could not be created! Certificate name too long (only 200 characters are allowed)!
9717Could not find certificate with specified fingerprint!
9718Certificate could not be renewed! Certificate has no CA parent.
9719Certificate file [param] doesn't exist!
9720Certificate is invalid!
9721Import of certificate failed! No CA certificate.
9722Import of certificate failed!
9723Import of certificate failed! Certificate is not valid.
9724Import failed! Certificate doesn't contain any subject alternative names.
9725Import of private key failed! File [param] doesn't exist.
9726Import of private key failed! Private key is encrypted. Decrypt it before importing it.
9727Import of private key failed!
9728Certificate already has private key!
9729Import of private key failed! Private key does not match the specified certificate.
9730Export of certificate failed! Directory [param] doesn't exist.
9731Export of certificate failed!
9732Export of certificate chain failed! Directory [param] doesn't exist.
9733Certificate must not be a root or CA certificate!
9734Export of certificate chain failed!
9735Password must be at least 6 characters long!
9736Assignment of certificate failed!
9737Private key is not known!
9738Could not read certificate info!
9739Import failed! Certificate with same fingerprint already exists.
9740Import failed! No valid root certificate.
9741Import failed! Verification of signature failed.
9742Import failed! No valid CA certificate available.
9743Could not read assigned server info!
9744Could not find certificate with specified fingerprint or no server is assigned to certificate!
9745Common name is invalid! Only A-Z, a-z, 0-9, - and . are allowed.