Dsjob command


neeraj
Participant
Posts: 107
Joined: Tue May 24, 2005 4:09 am

Dsjob command

Post by neeraj »

Hello,

I am using the below mentioned command to run the DataStage Job.

In the command, I am passing the username and password at runtime, which are not encrypted and are being written to the log files. The command is working fine and I am getting the expected results.

ds_command=`echo "$DSHOME/bin/dsjob -server $ds_server -user $userid1 -password $2 -run -wait -jobstatus -param Jp_Bus_DT=$BUS_DT -param Jp_batch_id=$PGM_BATCH_ID -param jp_Invc=$runid -param jp_src_system=$IPS_SRC_DB DEV Px_Jb_File.$runid"`


But in my previous project, I have executed the script without credentials (username and password).

Please let me know what setting I need to make so that I could run the command as below
ds_command=`echo "$DSHOME/bin/dsjob -server $ds_server -run -wait -jobstatus -param Jp_Bus_DT=$BUS_DT -param Jp_batch_id=$PGM_BATCH_ID -param jp_Invc=$runid -param jp_src_system=$SRC_DB Dev Px_Jb_File.$runid"`

Regards
Neeraj
roy
Participant
Posts: 2598
Joined: Wed Jul 30, 2003 2:05 am
Location: Israel

Post by roy »

Hi,
There are several ways:
1. use any variation of system authentication
like SEPS in oracle or OS authentication with SQL Server
2. use parameters and connection repository objects having them pre-configured at each project and use those as your DB connections.
3. use some kind of wrapper that uses encrypted files or files with restricted access and extract the passwords from them and run the desired job.

Each option may have its pros and cons depending on the security you want to enforce.

IHTH,
Roy R.
Time is money but when you don't have money time is all you can afford.

Search before posting:)

Join the DataStagers team effort at:
http://www.worldcommunitygrid.org
priyadarshikunal
Premium Member
Posts: 1735
Joined: Thu Mar 01, 2007 5:44 am
Location: Troy, MI

Post by priyadarshikunal »

By default the DataStage command line interface connects to the engine on the local system using the user name and password of the user running the command. So if that user is on the local system and can be used to run that command, you may not need to use the same. Alternatively, when running as a local Unix user, you can specify -domain=NONE to log in to the engine rather than logging in to the domain.
Priyadarshi Kunal

Genius may have its limitations, but stupidity is not thus handicapped. :wink:
roy
Participant
Posts: 2598
Joined: Wed Jul 30, 2003 2:05 am
Location: Israel

Post by roy »

I got confused due to the mention of password info in logs :oops:
What logs are you referring to?
Roy R.
priyadarshikunal
Premium Member
Posts: 1735
Joined: Thu Mar 01, 2007 5:44 am
Location: Troy, MI

Post by priyadarshikunal »

I think he mentioned that the password is getting printed to stdout or in a log file when the output of that command is redirected to a file using the ">>" operator.

The easiest way to avoid that is storing the connection information in a restricted area and using that file to authenticate connection to data stage server.
Priyadarshi Kunal
neeraj
Participant
Posts: 107
Joined: Tue May 24, 2005 4:09 am

Post by neeraj »

Hi,

Thanks a lot for the reply.

We have DataStage and Unix on the same box. In the previous project, we skipped the domain authentication and did not use the username and password, and the command looked something similar.

ds_command=`echo "$DSHOME/bin/dsjob -server $ds_server -run -wait -jobstatus -param Jp_Bus_DT=$BUS_DT -param Jp_batch_id=$PGM_BATCH_ID -param jp_Invc=$runid -param jp_src_system=$SRC_DB Dev Px_Jb_File.$runid"`

Not sure what setting was done to skip the authentication process. I was looking to do a similar setting for my current project so that I need not pass the username and password in the dsjob command.

Regards
Neeraj
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

Have you tried using the -authfile option?
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
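
An added sketch of the wrapper approach raised in this thread: a restricted-access credentials file passed with -authfile, plus masking of the -password value before a command line is written to a log. It is not code from any poster; the function names are hypothetical, and it assumes dsjob takes the file path directly after -authfile.

```shell
# Added example. Function names are hypothetical; dsjob, -authfile and
# -password are the only names taken from the thread.

# Succeeds only if $1 is a regular file (not a symlink), owned by the
# caller, with no group/other permission bits set (e.g. 0600 or 0400).
authfile_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case "$(ls -ld -- "$f")" in
        -???------*) return 0 ;;   # rwx bits for group and other are all '-'
        *)           return 1 ;;
    esac
}

# Mask the value following every -password flag, for use on any command
# line that is about to be echoed or appended to a log file.
redact_dsjob_cmd() {
    printf '%s\n' "$1" | sed 's/\(-password\) \{1,\}[^ ]\{1,\}/\1 ********/g'
}

# Run a job with credentials taken from the auth file. Refuses to run
# (exit status 2) when the file could be read by other accounts.
run_dsjob_authfile() {
    authfile=$1; shift
    if ! authfile_is_private "$authfile"; then
        echo "refusing: $authfile must be a regular file you own, mode 0600" >&2
        return 2
    fi
    # Safe to log: the command line carries a path, not a secret.
    echo "running: dsjob -authfile $authfile $*"
    "$DSHOME/bin/dsjob" -authfile "$authfile" "$@"
}
```

Besides keeping the password out of redirected output, this also keeps it out of the process argument list, where other local users could otherwise see it.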
neeraj
Participant
Posts: 107
Joined: Tue May 24, 2005 4:09 am

Post by neeraj »

Hi Ray,

I have tried with Auth file and it worked for me.

But here I am trying to identify what setting I need to make to run the DsJob command without passing credential either via -user or Authfile.

Regards
Neeraj
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

I suspect that not providing any authentication information would work only if the command were executed on the services tier (which would require the engine and services tier to be on the same computer), and authentication managed locally (either internal IIS user registry or operating system user registry).
chulett
Charter Member
Posts: 43085
Joined: Tue Nov 12, 2002 4:34 pm
Location: Denver, CO

Post by chulett »

In other words, there's no "setting" for this.
-craig

"You can never have too many knives" -- Logan Nine Fingers
PaulVL
Premium Member
Posts: 1315
Joined: Fri Dec 17, 2010 4:36 pm

Post by PaulVL »

If you run dsjob -run from the command line, as long as the user id has group permissions (dstage) to the engine tools, and the project (maybe dstage, maybe not), he/she can run the jobs. If it's a grid setup he/she will also need SSH (or rsh) access to the compute nodes. Doesn't need LDAP authentication via websphere to do that. DataStage/Websphere credential mapping lookup only happens if you add the -user and -password parms to dsjob -run.
neeraj
Participant
Posts: 107
Joined: Tue May 24, 2005 4:09 am

Post by neeraj »

Hi,

I executed the below mentioned command
id User1
The output is --->
uid=3842(User1) gid=1(staff) groups=209(dstage),213(cdcadmin)

It seems the user which I am using to execute the dsjob command is having the dstage permission as well.

Can you please suggest some guide which I can refer to, to make sure that all the settings are proper and the user has got all the correct permissions to execute dsjob without user and password and skip the authentication?

Regards
Neeraj
PaulVL
Premium Member
Posts: 1315
Joined: Fri Dec 17, 2010 4:36 pm

Post by PaulVL »

Why do you want to skip authentication?

If you are worried about passwords being visible, use the authentication file method.

Forcing authentication is a better security approach in PROD anyhow.

There are valid reasons why you would want the authentication and credential mapping to be engaged rather than letting the user who is logged in to the OS run the job.

If you set a standard of passing parms (auth file method), then you can benefit later on with a gold star from your security team to say:

Authorized users to the project. "Check".
Credential mapping to execute all jobs as a service ID for project X. "Check"

Have you thought about always running jobs in a project (in prod mostly) as a service ID and not by just any developer who has access to the project? That will save you support calls down the line when file ownership gets in the way.
Last edited by PaulVL on Thu Nov 06, 2014 2:12 pm, edited 1 time in total.
neeraj
Participant
Posts: 107
Joined: Tue May 24, 2005 4:09 am

Post by neeraj »

I have no issue in the authentication and sorry for bugging you all again.

Let me try to explain it once again

1. I have DataStage on the same Unix box where I have logged in
2. The username and password of Unix and DataStage is same.
3. I have logged in to the Unix using my credential and try to run the DsJob command after doing the due diligence i.e.

DSHOME=`cat /.dshome`
. $DSHOME/dsenv

Now when I run the dsjob command, I am trying to run it without username and password. My understanding is that it should run successfully, but it is not running and I am forced to pass the username and password in the syntax.

My question is how it was running fine in the previous project without passing the username and password.
What group does my user id need to be assigned to so that I can run dsjob without credentials?
PaulVL
Premium Member
Posts: 1315
Joined: Fri Dec 17, 2010 4:36 pm

Post by PaulVL »

Look at the user group that the project/job has as owner.

$DSHOME/bin/dsjob -projectinfo your_project

look at the install path.

cd to that path.

ls -la

Look at the GROUP ownership of those directories. Are you in that group?

type "groups" to find out.