Using the UAA Config Tool
About this task
- Add a local UAA user.
Here a local UAA user means a user defined by UAA, not by an external identity provider such as LDAP.
- Remove a local UAA user.
- Reset the password for a local UAA user.
- Add a local UAA user to an existing UAA group.
Since OAuth2 scopes are implemented as UAA groups, this means the same as adding a scope to a user.
- Remove a local UAA user from an existing UAA group.
A user who performs these functions is acting as the admin client and needs to know the secret of the admin client. The tool provides a way for the user to cache the secret safely so that it can be used later.
By default, this tool is available in the following folder: C:\Program Files\GE Digital\Historian Config. Run the tool from a Windows command prompt window.
Syntax
The tool's syntax follows this format:
uaa_config_tool verb [options]
add_user
remove_user
set_user_password
add_user_to_group
remove_user_from_group
clear_secret
Run the tool without a verb or any other options to view the help screen.
The uaa_config_tool utility prompts for a port number. This is the port number that you specified in the Public HTTPS Port field on the TCP PORT ASSIGNMENTS page. By default, it is 443. If you changed the public HTTPS port number, enter that number; otherwise, enter 443.
Options can be specified in the form of a single dash followed by a short name, or a double dash followed by a long name, followed by the value of the option, if any. For example, you can specify the user name Alice
by either
-u Alice
or
--UserName Alice
Options
Short name | Long name | Remark
-t | --Target | URL of the UAA instance that the command should be performed on. Typically, the URL is https://localhost:8443/uaa, which is the default value. This option is optional and is only needed when the user wants to run the command against a remote UAA instance (which is not recommended due to security concerns).
-n | --ClientId | ID of the client that the user is acting as. By default, it is admin. This option is optional and is only needed when the admin has set up the UAA to delegate certain operations to others.
-s | --ClientSecret | The secret used to authenticate the user for acting as the admin client (or an alternative client given in a --ClientId option). If the user has previously elected to cache the secret, this option can be omitted. Otherwise, it has to be provided.
-c | --CacheSecret | This option is not followed by a value and is optional. If specified, the tool caches the client secret so that the next time the tool is invoked the secret does not have to be specified. Note that the secret is encrypted and only the current Windows logon user can access and decrypt it.
-u | --UserName | Name of the user that the tool is being invoked for, for example, the user that is being added or removed.
-p | --UserPassword | The password for the user being added or whose password is being reset. This option is only needed for the add_user and set_user_password commands.
-g | --Group | Name of the UAA group (scope) that the user is being added to or removed from. This option is only needed for the add_user_to_group and remove_user_from_group commands.
Examples
- To add a new user named bob with the password bobcat2 (with the admin client secret MyNotSoSecret specified on the command line, to be cached and used later):
uaa_config_tool add_user -u bob -p bobcat2 -s MyNotSoSecret -c
- To add user bob to the group historian_visualization.user, using the previously cached admin secret:
uaa_config_tool add_user_to_group -u bob -g historian_visualization.user
- To remove user alice from a remote instance of UAA as an alternative client (that is, other than admin) named useradmin:
uaa_config_tool remove_user -u alice -t https://webhost.lab:8443/uaa -n useradmin -s MyOtherNonSecret
- To clear any cached client secret:
uaa_config_tool clear_secret
Note: If the Windows logon account is not shared, it is not necessary to clear the cached secret, since the cache is encrypted and only the same Windows user account can decrypt it.
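The following PowerShell script is an added example, not part of this documentation or of the tool itself. It provisions several local UAA users from a CSV file with uaa_config_tool, supplying the admin client secret only on the first call (with -c) and relying on the cache for the rest. It assumes the CSV has the columns UserName, Password and Group, that the tool reads its port prompt from standard input, and that it returns a non-zero exit code on failure.

```powershell
# Added example (not GE Digital's code): bulk-add local UAA users and group
# memberships with uaa_config_tool, entering the admin client secret once.
# Assumptions: CSV columns UserName,Password,Group; the tool reads the port
# prompt from standard input; a non-zero exit code signals failure.
param(
    [Parameter(Mandatory)] [string]$CsvPath,
    [string]$Tool = 'C:\Program Files\GE Digital\Historian Config\uaa_config_tool.exe',
    [string]$Port = '443'   # value for the Public HTTPS Port prompt
)

$users = @(Import-Csv -Path $CsvPath)
if ($users.Count -eq 0) { throw "No rows found in $CsvPath" }

# Prompt for the secret instead of hard-coding it in the script.
$secure = Read-Host -Prompt 'Admin client secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-UaaTool {
    param([string[]]$ToolArgs)
    # The tool prompts for the public HTTPS port; feed it via standard input.
    $Port | & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "uaa_config_tool $($ToolArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

for ($i = 0; $i -lt $users.Count; $i++) {
    $row = $users[$i]
    $addArgs = @('add_user', '-u', $row.UserName, '-p', $row.Password)
    if ($i -eq 0) {
        # First call only: pass the secret and ask the tool to cache it
        # (encrypted for the current Windows logon user, as documented).
        $addArgs += @('-s', $secret, '-c')
    }
    Invoke-UaaTool $addArgs
    if ($i -eq 0) { $secret = $null }   # drop the plaintext copy once cached

    if ($row.Group) {
        # Later calls omit -s and use the cached admin secret.
        Invoke-UaaTool @('add_user_to_group', '-u', $row.UserName, '-g', $row.Group)
    }
}

# If the Windows logon account is shared, remove the cached secret afterwards:
# Invoke-UaaTool @('clear_secret')
```

Because the secret still appears on the command line of the first call, run the script from an interactive session rather than embedding the secret in scheduled jobs or logs.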