CClient Commands
The CClient Agent includes a number of commands that can be used to administer features such as Vault Functionality.
This page provides the documentation for common commands included in CClient:
cdebug
NAME
cdebug - start or stop detailed logging of cclient activity on the
local computer.
SYNOPSIS
cdebug [option]
DESCRIPTION
The cdebug command is used to start or stop detailed logging activity
for the Centrify cloud client (cclient) process on a local computer.
If you do not specify an option, cdebug displays its current status,
indicating whether logging is active or disabled. When you run this
command with the on option, all of the Centrify cclient activity is
written to the system log directory in the centrifycc.log file or jour-
nal file.
The system log directory is /var/log. Some distributions of Linux,
such as Fedora, write system messages to the journal file instead of
the traditional syslog location.
For performance and security reasons, you should only enable Centrify
logging only when necessary, for example, when requested to do so by
Centrify Support, and for short periods of time to diagnose a problem.
Keep in mind that sensitive information may be written to the log file
and you should evaluate the contents of the file before giving others
access to it.
To run the cdebug command, you must be logged in as root.
OPTIONS
You can use the following options with this command:
[on] The on option starts logging all Centrify cclient activity in
the centrifycc.log file or the journal file as described above.
[off] The off option stops logging all Centrify cclient activity.
[clear]
The clear option clears the existing log file, then continues
logging activity to the cleared log file if the local computer
uses the traditional syslog location to log data. If the local
computer uses systemd journal to log system messages, however,
this option is not supported.
[syslog|journal]
The syslog or journal option forces the traditional syslog dae-
mon or systemd journal daemon to reload its configuration file.
If the local computer uses the traditional syslog to log mes-
sages, use the syslog option. If the local computer uses systemd
journal to log messages, use the journal option. If the local
computer writes system messages to the journal, log files are
located in the /var/log/journal and /run/log/journal directo-
ries. You can use journalctl to view and manage journal log
files.
[status]
The status option prints the current logging level for all mod-
ules. The supported levels are TRACE, DEBUG, INFO, WARN, ERROR,
FATAL and DISABLED.
[set [level]]
The set option allows you to set a logging level. The level
must be specified by using one of the following key words, from
the most detailed logging of messages (TRACE) to the least level
of detail (DISABLED). You must use all capital letters when
specifying the level keyword: TRACE, DEBUG, INFO, WARN, ERROR,
FATAL and DISABLED.
EXAMPLES
You use the cdebug command to start and stop detailed Centrify-specific
logging to help you trace and resolve problems. To display the current
status of logging, type:
/usr/share/centrifycc/bin/cdebug
Note You must type the full path to the command because cdebug is not
included in the path by default.
To turn on logging, type:
/usr/share/centrifycc/bin/cdebug on
This command records information in the centrifycc.log file or the
journal file until you run the cdebug off command. To discontinue log-
ging, type:
/usr/share/centrifycc/bin/cdebug off
cdelaccount
NAME
cdelaccount - delete an account from Centrify Privileged Access Service
for the local computer.
SYNOPSIS
cdelaccount [-s, --silent] [-v, --version] [-V, --verbose] [-h, --help]
accountname
DESCRIPTION
When you execute the cdelaccount command on a computer that is regis-
tered as a resource in Centrify Privileged Access Service, the local
account that you specify is deleted from Centrify Privileged Access
Service.
If you execute cdelacccount without specifying the -s option, the pass-
word for the account that you are deleting is printed to standard out-
put.
To run the cdelaccount command you must be logged in as root, and the
computer where you run cdelaccount must be registered as a resource in
Centrify Privileged Access Service.
OPTIONS
You can use the following options with this command:
-s, --silent
Deletes the account from Centrify Privileged Access Service with-
out asking for confirmation. The password for the deleted account
is not printed to stdout.
-V, --verbose
Displays information about each step in the delete operation as it
occurs. This option can be useful in diagnosing deletion problems.
-v, --version
Displays version information about the installed software.
-h, --help
Displays help information for this command.
EXAMPLES
To delete the local computer’s root account from Centrify Privileged
Access Service, and have the deletion include a confirmation step and
display the root password to stdout, you would type the following com-
mand:
cdelaccount root
To delete the local computer’s root account from Centrify Privileged
Access Service without prompting for confirmation, and without printing
the root password to stdout, you would type the following command:
cdelaccount -s root
cenroll
NAME
cenroll - add a computer as a resource to the Centrify Privileged
Access Service.
SYNOPSIS
cenroll [--tenant customer-specific-url ] [--user username ] [--code
code ] [--name resource_name ] [--address ip_address_dns ] [--owner
role ] [--features feature ] [--agentauth role ] [--resource-name name
] [--resource-setting key:value ] [--resource-setting-file file ]
[--resource-policy key:value ] [--resource-policy-file policy_file_name
] [--resource-permission key:value ] [--http-proxy proxy-url ]
[--resource-set set-name ] [--force] [--verbose] [--version]
DESCRIPTION
The cenroll command adds the local computer running the Centrify agent
as a new system resource in the Centrify Privileged Access Service. By
adding the computer or network device to the service, you can store and
manage account passwords securely in the Centrify cloud, on your inter-
nal network, in a private cloud, or in a key management appliance.
To run the cenroll command, you must be logged in as root or configured
to have root-level permissions in the sudoers file.
OPTIONS
You can use the following options with this command:
-t, --tenant
url Specifies the customer-specific URL for accessing Centrify
services.
-u, --user
username Specifies the user account to use to enroll this computer
in the Centrify Privileged Access Service. This option is mutually
exclusive with the --code option.
-c, --code
code Specifies the enrollment code to use to enroll this computer
in the Centrify Privileged Access Service. This option is mutually
exclusive with the --user option.
-n, --name
name Specifies the login name to use for this computer or network
device in the Centrify Privileged Access Service. The value
returned by hostname is used if this argument is not supplied.
-a, --address
ip_address_dns Specifies the fully-qualified DNS name or IP
address for the Centrify Privileged Access Service to use. If you
don’t specify this option, the local host name is used by default.
-w, --owner
role Specifies the role used to manage this computer in the Cen-
trify Privileged Access Service.
-F, --features
feature1, featureN, ... Specifies the features to enable for this
computer. The valid values are:
agentauth
Enables authentication of users who are allowed to log on to the
computer.
aapm Enables application-to-application password management for Windows
services and scheduled tasks.
all Enables all features.
-l, --agentauth
role1,role2,... Specifies the roles that are allowed to authenti-
cate and log on to this computer if you enable the agentauth fea-
ture.
-N, --resource-name
name Specifies the name of the computer to be added to the Cen-
trify Privileged Access Service. The value specified for the
--name argument or hostname is used if this argument is not sup-
plied.
-S, --resource-setting
key:value Specifies the computer-specific settings in key-value
pairs. This option can be used multiple times). If the same set-
ting is configured by this parameter and in the --resource-set-
ting-file , the value in this parameter is applied. You can define
the following settings on the command line or in the --resource-
settings-file file:
"Connectors:<string>[,<string>,...,<string>]" Specifies the list
of connectors for the computer. The value should be a comma sepa-
rated list of connector names. Each name must refer to a unique
connector. This setting should be used instead of the "ProxyCol-
lectionList" setting.
For other settings, please refer to
https://developer.centrify.com/reference#post_servermanage-
updateresource and https://developer.centrify.com/refer-
ence#post_servermanage-addresource
A key-value pair should be wrapped in double quotes if the value con-
tains comma.
On the command line, the double quotes need to be escaped, for
example, \"key:<string>[,<string>,...,<string>]\"
-s, --resource-setting-file
file Specifies the location of a plain-text file which contains
computer-specific settings in key-value pairs.
-O, --resource-policy
key:value Specifies the computer-specific policies in key-value
pairs. This option can be used multiple times). If the same policy
is configured by this parameter and in the --resource-policy-file
, the value in this parameter is applied. You can define the fol-
lowing policies on the command line or in the --resource-policy-
file file:
Please refer to
https://developer.centrify.com/reference#post_servermanage-
updateresource and https://developer.centrify.com/refer-
ence#post_servermanage-addresource
for valid policies and values.
A key-value pair should be wrapped in double quotes if the value con-
tains comma.
On the command line, the double quotes need to be escaped, for
example, \"key:<string>[,<string>,...,<string>]\"
-o, --resource-policy-file
file Specifies the location of a plain-text file that contains
computer-specific policies in key-value pairs.
-P, --resource-permission
identity:permission Specifies permissions for the computer that
you are enrolling. The identity you specify can be a Centrify
directory service user or a role followed by a colon (:) and the
specific permissions you want to assign. For example:
[email protected]:Grant,Edit
A key-value pair should be wrapped in double quotes. On the command
line, the double quotes must be escaped. For example,
\"user:<name>:<right>[,<right>,...,<right>]\".
You can specify the following permissions: Grant, View, ManageSession,
Edit, Delete, AgentAuth, RequestZoneRole.
If you specify a permission that is not recognized, a warning message
is displayed and the permission is not applied. The command will con-
tinue to set the remaining permissions.
If the user or role already has a permission, it will be overwritten.
-Z --resource-set
set1,set2,... Specifies the names of one or more sets, to
which the computer you are enrolling will be added to.
If an enrollment code is being used for enrollment, the owner of the
code must have the edit permission granted on each set.
-p, --http-proxy
proxy-url Specifies the HTTP proxy to connect to Centrify iden-
tity services platform. Specifying this option will also update
the following settings in centrifycc.conf:
agent.web.proxy.global: <HTTP proxy>
agent.web.proxy.order: global
-f, --force
Forces the enroll operation.
-V, --verbose
Displays information about each step in the enroll operation as
it occurs. This option can be useful in diagnosing enroll prob-
lems. This option also writes log messages to the syslog file
for troubleshooting purposes.
-v, --version
Displays version information for the installed software.
EXAMPLES
To add a local computer to the Centrify Privileged Access Service using
a specified user account, you could type a command similar to the fol-
lowing:
cenroll --tenant axi0407.mycorp.centrify.com --user luxi@demo --fea-
tures aapm,agentauth --agentauth "Authorized Agent Login"
To add the computer using a specific IP address and computer name, you
could type a command similar to the following:
cenroll -t axi0407.mycorp.centrify.com -u luxi@demo -n rhel9.mydo-
main.com -a 172.27.99.148
If you want to allow the public network access for this computer and to
perform periodic password rotation on the accounts associated with this
computer every 30 days, you could specify these policies on the command
line with a command similar to this:
cenroll -O "AllowRemote:true" -O "AllowPasswordRotation:true" -O "Pass-
wordRotateDuration:30"
Alternatively, you could use a text editor to create a "policy.conf"
file with settings similar to the following:
AllowRemote:true
AllowPasswordRotation:true
PasswordRotateDuration:30
After defining the policies in the "policy.conf" file, you could type a command
similar to the following:
cenroll --resource-policy-file /tmp/policy.conf
cflush
NAME
cflush - clear the Centrify agent for Linux cache on a local computer.
SYNOPSIS
cflush [--expire] [--verbose] [--version] [--help]
DESCRIPTION
You can use the cflush command to expire cached information for a Cen-
trify agent from a local computer.
Executing cflush with no options expires objects stored for agent-based
authentication information from the local cclient cache.
Cached information allows previously-authenticated users to log on when
the Centrify agent for Linux is disconnected from the Centrify identity
platform.
OPTIONS
You can use the following options with this command:
-e, --expire
The --expire option expires authentication information stored in
the local cclient cache.
-V, --verbose
The --verbose option displays detailed information about the oper-
ation performed.
-v, --version
The --version option displays version information for the
installed software.
-h, --help
The --help option displays the usage message.
EXAMPLES
To expire objects in the local agent for Linux cache, run the following
command:
cflush --expire
cgetaccount
NAME
cgetaccount - get the stored password for an account from Centrify
Privileged Access Service.
SYNOPSIS
cgetaccount [-t, --lifetime minutes ] [-T, --type type ] [-s, --silent]
[-v, --version] [-V, --verbose] targetname / accountname
DESCRIPTION
The cgetaccount command retrieves the password for the specified
account from Centrify Privileged Access Service. The account can be a
system, domain or database account.
If you execute cgetaccount without specifying the -s option, the pass-
word for the account is printed to standard output.
To run the cgetaccount command you must be logged in as root, and the
computer where you run cgetaccount must be registered in Centrify Priv-
ileged Access Service.
OPTIONS
You can use the following options with this command:
-t, --lifetime
minutes specifies the password checkout interval (duration), in
minutes. The value that you specify must be less than or equal to
the account checkout lifetime defined in the target policy. If you
specify a value greater than the account checkout lifetime, and
error is returned. If you do not specify a password checkout
interval (that is, if you do not use this option), a default pass-
word checkout interval of one minute is used.
-T, --type
type specifies type of the target in which the account belongs to.
Valid values are system, domain and database.
-s, --silent
Retrieves the account password from Centrify Privileged Access
Service without asking for confirmation. The password is not
printed to stdout.
-v, --version
Displays version information about the installed software.
-V, --verbose
Displays information about each step in the password retrieval
operation as it occurs. This option can be useful in diagnosing
password retrieval problems.
-h, --help
Displays usage information for this command.
EXAMPLES
The following command retrieves the password for the oracle account on
the MACHINE1 system, keeps the password checked out for 10 minutes,
includes a confirmation step, and displays the password to stdout:
cgetaccount -t 10 MACHINE1/oracle
The following example shows a shell script that retrieves the password
for the local account oracle on the system MACHINE1 to perform a
backup. The password is checked out for 10 minutes and is returned to
stdout.
PASSWORD=$(cgetaccount -s -t 10 MACHINE1/oracle)
if [un_backup.sh;MACHINE1/oracle $PASSWORD
.
else
echo "Failed to run cgetaccount to get password for oracle account."
fi
cinfo
NAME
cinfo - display detailed information about the cloud configuration for
the local computer.
SYNOPSIS
cinfo [--address] [--tenant] [--connect url ] [--http-proxy url ]
[--owner] [--resource-name] [--tenant-id] [--platform-version] [--sup-
port] [--verbose] [--version]
DESCRIPTION
The cinfo command displays detailed and diagnostic information about
the cloud configuration for the local computer. If you do not specify
an option, cinfo returns the basic set of configuration details for the
local computer.
Note To run the cinfo command with the --connect , --platform-version
or --support option, you must be logged in as root. You are not
required to log in as root for any of the other cinfo options.
OPTIONS
You can use the following options with this command:
-a, --address
Displays the IP address or DNS name for a computer enrolled in the
Centrify identity platform.
-T, --tenant
Displays the customer-specific URL for a computer enrolled in the
Centrify identity platform.
-P, --platform-version
Displays the version of the Centrify identity platform that a com-
puter is enrolled in.
-C, --connect
url Connects to the Centrify identity platform to verify avail-
ability.
-p, --http-proxy
url HTTP proxy to use for the --connect option. Unlike the cenroll
command, specifying this option does not cause /etc/centri-
fycc/centrifycc.conf to be updated.
-o, --owner
Displays the owner of a computer enrolled in the Centrify identity
platform.
-N, --resource-name
Displays the system name for a computer enrolled in the Centrify
identity platform.
-D, --tenant-id
Displays the customer-specific identifier (tenant ID) registered.
-t, --support
Generates a support file with diagnostic information in the
default file location (/var/centrify/tmp/cinfo_support.tar.gz).
The generated file includes details about the cclient process
operations, the contents of the /etc/centrifycc/centrifycc.conf
file, and the /var/log/centrifycc.log log file.
This option is typically used to send complete diagnostic informa-
tion to a file, which can then be sent to Centrify Support for
analysis..
-V, --verbose
Sends detailed diagnostic information to standard error (stderr)
output. You can use this option in combination with other
options.
-v, --version
Displays version information for the installed software.
EXAMPLES
To display cloud configuration information for the local computer,
type:
cinfo
If the computer has enrolled in the identity platform, the command dis-
plays information similar to the following:
Enrolled in: https://aah0155.my-qa.centrify.com/
Enrolled as:
Service account: [email protected]
Resource name: rhel68x64
IP/DNS name: rhel68x64
Owner: [email protected] (Type: User)
Customer ID: AAH0155
creload
NAME
creload - force the Centrify agent for Linux (cclient) to reload con-
figuration properties
SYNOPSIS
creload [--verbose] [--version] [--help]
DESCRIPTION
The creload command enables you to force the Centrify agent for Linux
(cclient) to reload the configuration properties from the /etc/centri-
fycc/centrifycc.conf file. Running this command enables changes made
to the configuration properties to take effect without restarting the
agent cclient process.
Note that you must have root privileges to run this command.
OPTIONS
You can use the following options with this command:
-V, --verbose
The --verbose option displays detailed information about the oper-
ation performed.
-v, --version
The --version option displays version information for the
installed software.
-h, --help
The --help option displays the usage message.
EXAMPLES
To reload the configuration properties on a local computer after making
changes, run the following command:
creload
csetaccount
NAME
csetaccount - creates or updates a privilege account in Centrify Privi-
leged Access Service for the specified local account.
SYNOPSIS
csetaccount [--stdin] [-m, --managed <true|false>] [-x, --useproxy
<true|false>] [-w, --workflow <enable|disable|default>] [-a, --approver
name <user: user |role: role >] [-p, --permission [<user|role>:] name :
right [, right2 ,..., rightN ]] [-P, --nopassword] [-v, --version] [-V,
--verbose] accountname
DESCRIPTION
The csetaccount command creates or updates a privilege account in Cen-
trify Privileged Access Service for the specified local account. The
privilege account is stored under the current registered computer.
To run the csetaccount command you must be logged in as root, and the
computer where you run csetaccount must be registered as a resource in
Centrify Privileged Access Service.
OPTIONS
You can use the following options with this command:
--stdin
Specifies that no password confirmation be displayed when csetac-
count runs. If you do not specify this option, an interactive
prompt is displayed asking for the account password.
-m, --managed
Set this option to true or false to specify whether or not the
password for the account is managed by Centrify Privileged Access
Service. A value of true means that the account is managed.
-x, --useproxy
Set this option to true or false to specify whether Centrify Priv-
ileged Access Service uses the proxy account to manage the pass-
word for the account. A value of true means that the proxy account
is used.
-w, --workflow
Set this option to enable, disable, or default to specify whether
a workflow is used to process the account. A value of enable means
that a workflow is used. A value of disable means that a workflow
is not used. A value of default means that.
-a, --approver
Specifies an approver for the account that you are creating or
updating. When you specify name, provide the user name of the
approver. The approver can be a Centrify directory service user or
a role; specify a value for either user: or role: to provide this
setting.
-p, --permission
Specifies permissions for the account that you are creating or
updating. When you specify name, provide the identity of the per-
mission to grant to. The identity can be a Centrify directory ser-
vice user or a role; specify a value for either user: or role: to
provide this setting. A key-value pair should be wrapped in double
quotes. On the command line, the double quotes need to be escaped,
for example, \"user:<name>:<right>[,<right>,...,<right>]\"
The rights include: Grant, View, Checkout, Login, Edit, Delete,
UpdatePassword, PortalLogin, Rotate.
When one of the supplied rights of the permission is not recognized, a
warning message will be shown and the permission will not be applied.
The command will continue to set the remaining permissions.
If the user or role already has a permission, it will be overwritten.
-d, --description
description Specifies the account description.
-P, --nopassword
Specifies that no password input is required to update the
account settings. Use this option to update account settings
without updating the stored password.
-v, --version
Displays version information about the installed software.
-V, --verbose
Displays information about each step in the password retrieval
operation as it occurs. This option can be useful in diagnosing
password retrieval problems.
-h, --help
Displays usage information for this command.
EXAMPLES
The following command stores the root password in Centrify Privileged
Access Service interactively (that is, it prompts for confirmation
before storing the password):
csetaccount root
The following example shows the commands that you would execute to
store the root password in Centrify Privileged Access Service non-
interactively. The password is managed, and is automatically rotated
every day at the same time. In this example, policy.conf contains the
setting "password rotation=true, password rotation interval=1":
cenroll -o policy.conf
csetaccount --stdin root < "/root/secure_file"
cunenroll
NAME
cunenroll - remove a resource from the Centrify identity platform.
SYNOPSIS
cunenroll [--machine [--delete]] [--user] [--noconf] [--restore]
[--force] [--verbose] [--version] [--help]
DESCRIPTION
The cunenroll command removes the local host computer from the Centrify
identity platform.
To run the cunenroll command, you must be logged in as root.
OPTIONS
You can use the following options with this command:
-m, --machine
Removes the computer from the Centrify identity platform using the
computer account credentials.
-d, --delete
Deletes the computer as a resource and all associated accounts
stored in the Centrify identity platform. The computer must have
been added as a resource using the cenroll command. You can spec-
ify the --machine option or --user option with this option to con-
trol the credentials used to remove the computer.
-u, --user
username Specifies the administrative user account used to unen-
roll the computer from the Centrify identity platform.
-C, --noconf
Specifies that you do not want to update the computer configura-
tion when unenrolling from the Centrify identity platform.
-R, --restore
Restores the computer configuration without unenrolling in the
Centrify identity platform.
-f, --force
Forces the local computer settings to be restored to their pre-
enroll state. This option only affects information stored
locally. Running cunenroll with the --force option does not affect
information stored in the identity platform.
-V, --verbose
Displays detailed information for each operation.
-v, --version
Displays version information for the installed software.
-h, --help
Displays usage information for this command.
EXAMPLES
To remove a computer from the Centrify identity platform, you could
type a command line similar to the following: cunenroll --machine
To revert all local computer settings to their pre-enroll state, you
could type a command line similar to the following:
cunenroll --force
Updated about 5 years ago