Command-Line Updates to Password Manager
The mgspswd command-line utility allows rapid updating of the Password Manager on an individual inventory beacon. It is installed on each inventory beacon in InstallDir\RemoteExecution (by default C:\Program Files\Flexera Software\Inventory Beacon\RemoteExecution\mgspswd.exe). It is an alternative to the GUI presentation of the Password Manager, and supports two ways of holding a credential:
- Storing credentials in a local vault (encrypted within the Windows registry), and recalling them on demand from there
- Storing a query string that uniquely identifies one existing credential saved in a CyberArk Vault, where integration with CyberArk has been detected (by the presence of the CyberArk Credential Provider installed on the inventory beacon). In this case, you may choose the storage type for each individual credential: for example, you can reference CyberArk for production passwords, but use the FlexNet Beacon vault for credentials for test environments that have lower administrative overheads.
mgspswd.exe --add logical-name [options...]
mgspswd.exe --delete logical-name
mgspswd.exe --help
mgspswd.exe --list [logical-name]
mgspswd.exe --matches [options...]
mgspswd.exe --recrypt
mgspswd.exe --reset
where logical-name is the friendly name given to the credential (account name/password pair).
Notes on the parameters:
- Domain: the Windows domain within which the specified credential applies. This is not available as a separate parameter in the command line. Insert the domain into the account name parameter instead, using the normal format domainName\sampleUser.
- Password: while this value can be provided on the command line, it is visible there in plain text (and may be retained in shell history). If omitted as a command-line parameter, it can be entered interactively, in which case the password characters are masked.
- Other mandatory parameters (such as the account and the logical name, when saving to the FlexNet Beacon vault) also prompt interactively for values if they are omitted from the command line.
The parameters and options available in the command line include the following (in alphabetical order):
Options | Notes |
---|---|
--account account-name | Specify the account name (often called the user name) to use. This parameter is only used with the --add parameter, and only when --vault is not CyberArk (for a CyberArk reference, the account name is a property of the credential returned from CyberArk). In its simplest form, this parameter specifies only the account name (or user name). Compound formats that carry the domain are also supported, such as domainName\sampleUser (see the note on Domain above). |
--add logical-name [options...] | Add a new credential (account/password pair) with the specified logical name, account name, and password; if the logical name already exists, that entry is updated instead. Tip: If the logical name includes spaces, enclose it in double quotation marks. Worked examples follow this table. Where the --password option is omitted, the utility prompts for the password value, masking the characters as they are entered. A credential with no filters is attempted against every target device, which presumes the unusual situation of using a common administrator password across a range of devices; a more common configuration specifies an exact match for a particular device name with --filter-names. Note: When --vault CyberArk is included in the command line, the command adds to Password Manager a reference to an existing credential saved in an appropriate CyberArk vault and safe. Commands from the inventory beacon cannot change the content of CyberArk. The saved reference allows Password Manager to request the credential from CyberArk when it is needed. |
--cyberark-query ["]query-string["] | Specify the exact query string expected by CyberArk for it to return the credential (account name and password pair) that this logical name refers to, for example Safe=PasswordSafe;Folder=Root\Applications;Object=WinDomain07-DLPW. If the query string contains any white space, it must be enclosed in double quotation marks (otherwise, these are optional). This parameter is only used with the --add parameter when --vault CyberArk is specified. (See also --privilege-cyberark-query, which names the separate escalation credential.) |
--delete logical-name | Removes the credential (account and password record) with the specified logical name from Password Manager. Notice that when the vault setting is the default (omitted, or set to FlexNetBeacon), the credentials themselves are removed from the FlexNet Beacon vault; but when the parameter --vault CyberArk is included in the command line, only the reference to the CyberArk record (including the query string) is removed, and the credential itself (account name and password pair) remains in CyberArk. Removal of credentials from CyberArk must be performed by a CyberArk administrator. |
--filter-dnsdomains list | If this credential should only be used for a limited set of target devices, you can specify the DNS domains of the affected managed devices here as a comma-separated list of domain names. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-dnsnames list | If this credential should only be used for a limited set of target devices, you can specify the DNS names of target devices as a comma-separated list of names. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-ipaddresses list | If this credential should only be used for a limited set of target devices, you can specify the IPv4 addresses of target devices as a comma-separated list of addresses. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-macaddresses list | If this credential should only be used for a limited set of target devices, you can specify the MAC addresses of target devices as a comma-separated list of addresses. Both the Windows (hyphen-separated) and UNIX (colon-separated) formats are valid. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-names list | If this credential should only be used for a limited set of target devices, you can specify the device names of target devices here as a comma-separated list (for example, --filter-names myDevice). If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-netbiosdomains list | If this credential should only be used for a limited set of target devices, you can specify the NetBIOS domain names of target devices as a comma-separated list of domain names. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. |
--filter-oracleservicenames list | This parameter applies only to the OracleDatabase and OracleListener account types. If this credential should only be used for a limited set of Oracle services, specify a comma-separated list of the Oracle service names to which the credential applies. If multiple filters are specified, target devices that match any of the specified criteria will use the credentials. Credentials matched through a filter are tried before unfiltered credentials. This option is only used with the --add or --matches parameters. Tip: Oracle names may match on individual parts of the service name, so specify the fully qualified service name in this filter to avoid unintentional matches. To match service names with multiple suffixes, list each fully qualified service name in the filter, separated by commas. |
--help | Displays a list of parameters. |
--list [logical-name] | Lists all credentials within the password store. All elements are shown (logical name, account name, and password), with the password displayed as masking characters. If the optional logical-name is supplied, the utility displays only the credential with that logical name. |
--matches [options...] | Identifies all the credentials in the Password Manager that match (and therefore may be applied to) a device. To narrow the specification, add the --type option with one valid value, and any of the --filter-* options described in this table; used with --matches, these options describe the target device you are testing rather than restricting a credential (for example, --matches --type WindowsLocal --filter-names myDevice). Use this to confirm which credentials, and in what order, the beacon would try against a device. |
--password password | Specify the password to use. Only permitted for the default FlexNet Beacon vault (that is, omit it when --vault CyberArk is specified). If you do not wish the password to appear in plain text on the command line (where it is visible in process listings and may be retained in shell history), omit this parameter and the utility prompts for it, masking the characters as they are entered. Passwords are required for the OracleListener account type, and are optional for all other account types. This option is only used with the --add parameter. |
--privatekeyfile path | The name and location of a source file containing the private key for SSH, for use with the default FlexNet Beacon vault. (This parameter is not relevant when --vault CyberArk is specified.) The private key file is read from the specified path and added to the Password Manager. The private key can be in the OpenSSH project's format. The corresponding public key must be in place on the target device before SSH login using a private-public key pair; if you are using OpenSSH on target devices, the public key is expected in ~/.ssh/authorized_keys. This option is only used with the --add parameter, for the default FlexNet Beacon vault, for credentials that log in over SSH. |
--privilege-cyberark-query ["]query-string["] | Specify the exact query string expected by CyberArk for it to return the credential required to escalate privileges on the target device. The escalation credential itself (account name and password pair) must already exist as a separate credential in the appropriate CyberArk vault and safe. If the query string contains any white space, it must be enclosed in double quotation marks (otherwise, these are optional). (See also --privilege-password-prompt and --privilege-prefix, which are used in conjunction with this.) This option is only used with the --add parameter when --vault CyberArk is specified. |
--privilege-password password | You can specify that login should be attempted with elevated privileges on target devices running UNIX-like operating systems. This is the password used to gain those elevated (root) privileges. (See also --privilege-password-prompt and --privilege-prefix, which are used in conjunction with this.) Tip: If sudo on the target device(s) is configured to allow escalation of privileges without requiring an interactive password, just omit this parameter. This option is only used with the --add parameter for the default FlexNet Beacon vault. |
--privilege-password-prompt text | For UNIX-like devices on which login should be attempted using elevated privileges, specify the exact prompt for which FlexNet Beacon should wait before issuing the value of --privilege-password (or of the escalation credential returned through --privilege-cyberark-query). Tip: The sudo tool typically issues a prompt similar to [sudo] password for username: You could enter this entire value (since you know the user name for this login) in the --privilege-password-prompt parameter; but, assuming that this credential is reused across multiple servers, this approach is at risk because the prompt wording varies across different versions of UNIX-like operating systems. A risk-free alternative is to have the elevation command itself set a fixed prompt of your choosing (sudo's -p option sets the prompt text, so this can be done in the --privilege-prefix value) and to give exactly that text here. sudo then issues a known prompt, which in turn is recognized by the FlexNet Beacon engine, and inventory collection can proceed. This option is only used with the --add parameter. |
--privilege-prefix prefix | For UNIX-like devices on which login should be attempted using elevated privileges, specify the valid privilege elevation command (such as sudo) with which the inventory commands are prefixed. This option is only used with the --add parameter. |
--recrypt | Decrypts all passwords in the Password Manager vault using the current primary password (security key), replaces the primary password with a new one, and re-encrypts all the passwords in the Password Manager vault with the new security key, using the strongest available algorithm. For more information, see Password Manager Security Overview. |
--reset | Clears the Password Manager vault on this inventory beacon, and resets the internal security key. |
--type type | The credential type. This must be one of the supported types; the types referenced elsewhere on this page are WindowsDomain, WindowsLocal, OracleDatabase and OracleListener. This option is only used with the --add or --matches parameters. |
--vault vault-type | The kind of vault used for storing the credentials. May be omitted when CyberArk integration has not been detected on this inventory beacon (in which case the FlexNet Beacon vault is used). When CyberArk is available, the vault-type must be one of FlexNetBeacon (the default) or CyberArk. Tip: Values are case insensitive. This option is only used with the --add or --matches parameters (see also its effect on --delete, above). |
Examples

Referencing a Windows domain credential held in CyberArk:

mgspswd --add WDomain07 --vault CyberArk --type WindowsDomain --cyberark-query Safe=PasswordSafe;Folder=Root\Applications;Object=WinDomain07-DLPW

Because the domain name is a property of the credential returned from CyberArk, no specification of the domain is needed in this command line, and you rely on naming conventions in the logical name to track the purpose of this credential. (If you run this from PowerShell rather than cmd.exe, enclose the query string in quotation marks: an unquoted semicolon ends the statement there and the query would be truncated at Safe=PasswordSafe.)

Storing the same kind of credential in the FlexNet Beacon vault:

mgspswd --add WDomain07 --type WindowsDomain --account ourDomain\winSvcAcct --password qwerty1

Notice that you cannot specify the domain name as a distinct command-line parameter, but you can specify it as part of the account data as shown. You may choose to enter the password interactively (with character masking) by omitting it from the command line, which also keeps it out of process listings and shell history.

Storing a local account credential that is only attempted on the device named myDevice:

mgspswd --add myDevicePW --type WindowsLocal --account svcUser --password qwerty! --filter-names myDevice

mgspswd with the --add parameter (and using the default vault) stores on the inventory beacon:
- A logical name for the account/password pair (when this is a new logical name, a new entry is created; and when it is an existing logical name, the current entry is updated)
- Optional filters to restrict the use of this credential to specific target devices (in this example, the --filter-names parameter ensures that this credential is attempted only on the device with the matching device name)
- An account name (or user name) on the target device
- The account password on the target device, encrypted using a private key unique to each inventory beacon, with the private key stored as a private data object on the inventory beacon. The private key is automatically initialized with the first save to the Password Manager on each inventory beacon.

Referencing the same local credential from CyberArk, with the same filter:

mgspswd --add myDevicePW --type WindowsLocal --filter-names myDevice --vault CyberArk --cyberark-query Safe=PasswordSafe;Folder=Root\Applications;Object=LocPW-myDevice

In this case, the account name (user name) and password are already saved within CyberArk, and we supply the query string that returns this credential for use. Notice that the same filter now means that the inventory beacon only attempts to retrieve this credential from CyberArk when it is targeting the matching device.
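The following PowerShell script is an added example, not code from the Flexera documentation or the product. It combines the net use \\machineName\ipc$ check from the Notes on this page with the --add, --matches and --list parameters documented above, keeping the password off the command line in both steps (net use prompts when the password is given as *, and mgspswd prompts and masks when --password is omitted). It assumes the default installation path, that mgspswd.exe returns a nonzero exit code on failure (not stated on this page), and that the device name, account name and CyberArk safe/object names are placeholders.

```powershell
# Added example (not Flexera's code): verify a local-account credential
# against a target with IPC$, then store it in Password Manager with a
# device-name filter and confirm with --matches. Run from an interactive
# console: both net use and mgspswd prompt for the password, so it never
# appears in the process command line or in PSReadLine history.

$Mgspswd = 'C:\Program Files\Flexera Software\Inventory Beacon\RemoteExecution\mgspswd.exe'

function Test-TargetLogon {
    param(
        [Parameter(Mandatory)][string]$Device,
        [Parameter(Mandatory)][string]$Account   # 'svcUser' or 'domain\user'
    )
    $share = "\\$Device\ipc`$"
    # '*' makes net use prompt for the password instead of taking it as an argument.
    net use $share * "/user:$Account" | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    if ($ok) { net use $share /delete | Out-Null }   # drop the test session again
    return $ok
}

function Add-BeaconLocalCredential {
    param(
        [Parameter(Mandatory)][string]$LogicalName,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Device
    )
    if (-not (Test-TargetLogon -Device $Device -Account $Account)) {
        throw "Logon to $Device as $Account failed; nothing was stored."
    }
    # --password is omitted on purpose: mgspswd prompts and masks the input.
    # Passing the values as separate arguments also handles logical names with spaces.
    & $Mgspswd --add $LogicalName --type WindowsLocal --account $Account --filter-names $Device
    if ($LASTEXITCODE -ne 0) {          # assumption: nonzero exit code means failure
        throw "mgspswd --add failed with exit code $LASTEXITCODE"
    }
    # Show what the beacon would try against this device, and the stored entry
    # (the password is shown as masking characters by --list).
    & $Mgspswd --matches --type WindowsLocal --filter-names $Device
    & $Mgspswd --list $LogicalName
}

function Add-BeaconCyberArkReference {
    param(
        [Parameter(Mandatory)][string]$LogicalName,
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)][string]$Query,    # Safe=...;Folder=...;Object=...
        [string]$Device
    )
    # Build the argument list as an array so the query string reaches mgspswd
    # as ONE argument. Typed unquoted at a PowerShell prompt, the ';' in the
    # query would end the statement and the command would be truncated.
    $argList = @('--add', $LogicalName, '--vault', 'CyberArk', '--type', $Type,
                 '--cyberark-query', $Query)
    if ($Device) { $argList += @('--filter-names', $Device) }
    & $Mgspswd @argList
    if ($LASTEXITCODE -ne 0) {          # assumption: nonzero exit code means failure
        throw "mgspswd --add failed with exit code $LASTEXITCODE"
    }
}

# Usage (placeholder names; the CyberArk credential must already exist in that safe):
# Add-BeaconLocalCredential -LogicalName 'myDevicePW' -Account 'svcUser' -Device 'myDevice'
# Add-BeaconCyberArkReference -LogicalName 'myDevicePW' -Type WindowsLocal -Device 'myDevice' `
#     -Query 'Safe=PasswordSafe;Folder=Root\Applications;Object=LocPW-myDevice'
```

The IPC$ test proves only that the account can authenticate to the target; whether it has the rights the inventory needs is a separate question, which is why the script finishes with --matches so you can see the credential actually selected for the device.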
Notes
Use net use \\machineName\ipc$ (with the /user: option naming the account under test) to check that login credentials work before adding them to Password Manager.
FlexNet Manager Suite (On-Premises) 2023 R1