CClient Commands

The CClient Agent includes a number of commands that can be used to administer features such as Vault Functionality.

This page provides the documentation for common commands included in CClient:

cdebug

NAME
    cdebug - start or stop detailed logging of cclient activity on the local computer.

SYNOPSIS
    cdebug [option]

DESCRIPTION
    The cdebug command starts or stops detailed logging for the Centrify cloud client (cclient) process on the local computer. If you do not specify an option, cdebug displays its current status, indicating whether logging is active or disabled.

    When you run this command with the on option, all Centrify cclient activity is written to the centrifycc.log file in the system log directory (/var/log), or to the systemd journal. Some Linux distributions, such as Fedora, write system messages to the journal instead of the traditional syslog location.

    For performance and security reasons, enable Centrify logging only when necessary, for example when requested by Centrify Support, and only for the short period needed to diagnose a problem. Sensitive information may be written to the log file; review its contents before giving others access to it.

    To run the cdebug command, you must be logged in as root.

OPTIONS
    You can use the following options with this command:

    on
        Starts logging all Centrify cclient activity to the centrifycc.log file or the journal, as described above.

    off
        Stops logging Centrify cclient activity.

    clear
        Clears the existing log file, then continues logging to the cleared file. This option is supported only when the local computer logs to the traditional syslog location; it is not supported when system messages go to the systemd journal.

    syslog | journal
        Forces the traditional syslog daemon (syslog) or the systemd journal daemon (journal) to reload its configuration file. Use the option that matches how the local computer logs messages. When messages go to the journal, the log files are located in the /var/log/journal and /run/log/journal directories; use journalctl to view and manage them.

    status
        Prints the current logging level for all modules. The supported levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL and DISABLED.

    set level
        Sets the logging level. Specify one of the following keywords, listed from the most detailed (TRACE) to the least detailed (DISABLED); the keyword must be in capital letters: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, DISABLED.

EXAMPLES
    Use cdebug to start and stop detailed Centrify-specific logging to trace and resolve problems. You must type the full path to the command because cdebug is not in the path by default.

    To display the current status of logging, type:

        /usr/share/centrifycc/bin/cdebug

    To turn on logging, type:

        /usr/share/centrifycc/bin/cdebug on

    This records information in the centrifycc.log file or the journal until you run cdebug off. To stop logging, type:

        /usr/share/centrifycc/bin/cdebug off
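The man page asks for debug logging to be enabled only briefly because the log can hold sensitive data. The wrapper below is an added example, not part of the Centrify documentation or tooling: it raises the cclient log level, starts logging, runs a reproducer command, and always runs cdebug off afterwards, even when the reproducer fails. The CDEBUG variable is an assumption of this script (it lets the wrapper be exercised with a stub); its default is the full path the man page gives for cdebug.

```shell
#!/bin/sh
# Added example: run a command under a bounded cdebug session.
# CDEBUG is this script's own override hook (not a cdebug feature); the
# default is the full path from the man page, since cdebug is not in PATH.
CDEBUG="${CDEBUG:-/usr/share/centrifycc/bin/cdebug}"

# with_cdebug LEVEL CMD [ARGS...]
# Sets the cclient log level, starts logging, runs CMD, then stops logging
# regardless of CMD's outcome. Returns CMD's exit status; returns 2 for an
# unknown level and 1 if cdebug could not be configured (logging is never
# left on in either case).
with_cdebug() {
    level=$1; shift
    case $level in
        TRACE|DEBUG|INFO|WARN|ERROR|FATAL|DISABLED) ;;
        *) echo "with_cdebug: unknown level '$level'" >&2; return 2 ;;
    esac
    "$CDEBUG" set "$level" || return 1
    "$CDEBUG" on || return 1
    "$@"; rc=$?
    "$CDEBUG" off
    return $rc
}

# Typical use (as root): reproduce a login problem under TRACE logging, then
# review /var/log/centrifycc.log before handing it to support, e.g.
#   with_cdebug TRACE su - someuser -c true
if [ $# -ge 2 ]; then
    with_cdebug "$@"
fi
```

Logging is stopped with cdebug off; the wrapper does not restore the previous level, because the man page does not document a way to read back the level as a single value.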

cdelaccount

NAME
    cdelaccount - delete an account from Centrify Privileged Access Service for the local computer.

SYNOPSIS
    cdelaccount [-s, --silent] [-v, --version] [-V, --verbose] [-h, --help] accountname

DESCRIPTION
    When you execute the cdelaccount command on a computer that is registered as a resource in Centrify Privileged Access Service, the local account that you specify is deleted from Centrify Privileged Access Service.

    If you execute cdelaccount without the -s option, the password for the account that you are deleting is printed to standard output. Because the password is printed, run the command from a terminal whose output is not being recorded, or use -s.

    To run the cdelaccount command you must be logged in as root, and the computer where you run cdelaccount must be registered as a resource in Centrify Privileged Access Service.

OPTIONS
    You can use the following options with this command:

    -s, --silent
        Deletes the account from Centrify Privileged Access Service without asking for confirmation. The password for the deleted account is not printed to stdout.

    -V, --verbose
        Displays information about each step in the delete operation as it occurs. This option can be useful in diagnosing deletion problems.

    -v, --version
        Displays version information about the installed software.

    -h, --help
        Displays help information for this command.

EXAMPLES
    To delete the local computer's root account from Centrify Privileged Access Service, with a confirmation step and the root password displayed to stdout, type:

        cdelaccount root

    To delete the local computer's root account from Centrify Privileged Access Service without prompting for confirmation and without printing the root password to stdout, type:

        cdelaccount -s root

cenroll

NAME
    cenroll - add a computer as a resource to the Centrify Privileged Access Service.

SYNOPSIS
    cenroll [--tenant customer-specific-url] [--user username] [--code code] [--name resource_name] [--address ip_address_dns] [--owner role] [--features feature] [--agentauth role] [--resource-name name] [--resource-setting key:value] [--resource-setting-file file] [--resource-policy key:value] [--resource-policy-file policy_file_name] [--resource-permission key:value] [--http-proxy proxy-url] [--resource-set set-name] [--force] [--verbose] [--version]

DESCRIPTION
    The cenroll command adds the local computer running the Centrify agent as a new system resource in the Centrify Privileged Access Service. By adding the computer or network device to the service, you can store and manage account passwords securely in the Centrify cloud, on your internal network, in a private cloud, or in a key management appliance.

    To run the cenroll command, you must be logged in as root or configured to have root-level permissions in the sudoers file.

OPTIONS
    You can use the following options with this command:

    -t, --tenant url
        Specifies the customer-specific URL for accessing Centrify services.

    -u, --user username
        Specifies the user account to use to enroll this computer in the Centrify Privileged Access Service. This option is mutually exclusive with the --code option.

    -c, --code code
        Specifies the enrollment code to use to enroll this computer in the Centrify Privileged Access Service. This option is mutually exclusive with the --user option. A code supplied on the command line is recorded in the shell history and is visible in process listings while cenroll runs, so treat it as a secret.

    -n, --name name
        Specifies the login name to use for this computer or network device in the Centrify Privileged Access Service. The value returned by hostname is used if this argument is not supplied.

    -a, --address ip_address_dns
        Specifies the fully-qualified DNS name or IP address that the Centrify Privileged Access Service uses for this computer. If you do not specify this option, the local host name is used by default.

    -w, --owner role
        Specifies the role used to manage this computer in the Centrify Privileged Access Service.

    -F, --features feature1,feature2,...
        Specifies the features to enable for this computer. The valid values are:

        agentauth   Enables authentication of users who are allowed to log on to the computer.
        aapm        Enables application-to-application password management for Windows services and scheduled tasks.
        all         Enables all features.

    -l, --agentauth role1,role2,...
        Specifies the roles that are allowed to authenticate and log on to this computer if you enable the agentauth feature.

    -N, --resource-name name
        Specifies the name of the computer to be added to the Centrify Privileged Access Service. The value specified for the --name argument, or the hostname, is used if this argument is not supplied.

    -S, --resource-setting key:value
        Specifies computer-specific settings as key:value pairs. This option can be used multiple times. If the same setting is configured both by this option and in the --resource-setting-file, the value given by this option is applied. You can define the following setting on the command line or in the --resource-setting-file:

        Connectors:<string>[,<string>,...,<string>]
            Specifies the list of connectors for the computer as a comma-separated list of connector names. Each name must refer to a unique connector. Use this setting instead of the "ProxyCollectionList" setting.

        For other settings, refer to https://developer.centrify.com/reference#post_servermanage-updateresource and https://developer.centrify.com/reference#post_servermanage-addresource.

        A key:value pair must be wrapped in double quotes if the value contains a comma. On the command line, the double quotes must be escaped, for example \"key:<string>[,<string>,...,<string>]\".

    -s, --resource-setting-file file
        Specifies the location of a plain-text file that contains computer-specific settings as key:value pairs, one per line.

    -O, --resource-policy key:value
        Specifies computer-specific policies as key:value pairs. This option can be used multiple times. If the same policy is configured both by this option and in the --resource-policy-file, the value given by this option is applied. Refer to https://developer.centrify.com/reference#post_servermanage-updateresource and https://developer.centrify.com/reference#post_servermanage-addresource for valid policies and values. A key:value pair must be wrapped in double quotes if the value contains a comma; on the command line, the double quotes must be escaped, for example \"key:<string>[,<string>,...,<string>]\".

    -o, --resource-policy-file file
        Specifies the location of a plain-text file that contains computer-specific policies as key:value pairs, one per line.

    -P, --resource-permission identity:permission[,permission,...]
        Specifies permissions for the computer that you are enrolling. The identity can be a Centrify directory service user or a role, followed by a colon (:) and the permissions to assign, for example luxi.chan@ajax.demo:Grant,Edit. The pair should be wrapped in double quotes, and on the command line the quotes must be escaped, for example \"user:<name>:<right>[,<right>,...,<right>]\". The valid permissions are Grant, View, ManageSession, Edit, Delete, AgentAuth and RequestZoneRole. If you specify a permission that is not recognized, a warning is displayed, that permission is not applied, and the command continues to set the remaining permissions. If the user or role already has a permission, it is overwritten.

    -Z, --resource-set set1,set2,...
        Specifies the names of one or more sets to which the computer you are enrolling will be added. If an enrollment code is used for enrollment, the owner of the code must have the Edit permission on each set.

    -p, --http-proxy proxy-url
        Specifies the HTTP proxy to use to connect to the Centrify identity services platform. Specifying this option also updates the following settings in centrifycc.conf:

            agent.web.proxy.global: <HTTP proxy>
            agent.web.proxy.order: global

    -f, --force
        Forces the enroll operation.

    -V, --verbose
        Displays information about each step in the enroll operation as it occurs. This option can be useful in diagnosing enrollment problems. It also writes log messages to the syslog file for troubleshooting purposes.

    -v, --version
        Displays version information for the installed software.

EXAMPLES
    To add the local computer to the Centrify Privileged Access Service using a specified user account, you could type a command similar to the following:

        cenroll --tenant axi0407.mycorp.centrify.com --user luxi@demo --features aapm,agentauth --agentauth "Authorized Agent Login"

    To add the computer using a specific IP address and computer name, you could type a command similar to the following:

        cenroll -t axi0407.mycorp.centrify.com -u luxi@demo -n rhel9.mydomain.com -a 172.27.99.148

    To allow public network access for this computer and rotate the passwords of the accounts associated with it every 30 days, you could specify these policies on the command line:

        cenroll -O "AllowRemote:true" -O "AllowPasswordRotation:true" -O "PasswordRotateDuration:30"

    Alternatively, you could use a text editor to create a policy.conf file with the following contents:

        AllowRemote:true
        AllowPasswordRotation:true
        PasswordRotateDuration:30

    After defining the policies in policy.conf, you could type a command similar to the following:

        cenroll --resource-policy-file /tmp/policy.conf
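The settings and policy files share one format (key:value per line, double quotes around a pair whose value contains a comma), and the quoting is easy to get wrong by hand. The script below is an added example and not part of the Centrify documentation or tooling: it writes both files with that quoting, creates them readable only by the owner, and then runs cenroll with an enrollment code taken from the environment rather than typed into the terminal. The tenant, connector names and set names are placeholders; CENROLL and CENROLL_CODE are variables this script defines (CENROLL only so the script can be exercised with a stub).

```shell
#!/bin/sh
# Added example: build cenroll policy/setting files and run the enrollment.
# Tenant, connector and policy values are placeholders taken from the
# cenroll man page examples.

# kv KEY VALUE: emit one line in the format --resource-policy-file and
# --resource-setting-file expect. A value containing a comma is wrapped in
# double quotes, as the cenroll man page requires.
kv() {
    case $2 in
        *,*) printf '"%s:%s"\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# write_enroll_files DIR CONNECTORS
# Writes DIR/policy.conf and DIR/settings.conf. The subshell scopes the
# umask so both files are created mode 0600 without changing the caller's.
write_enroll_files() {
    (
        umask 077
        {
            kv AllowRemote true
            kv AllowPasswordRotation true
            kv PasswordRotateDuration 30
        } > "$1/policy.conf"
        kv Connectors "$2" > "$1/settings.conf"
    )
}

# run_enroll DIR TENANT
# Enrolls with the files from DIR. The enrollment code comes from the
# CENROLL_CODE environment variable so it is not typed into shell history;
# it is still visible in the process arguments while cenroll runs.
# CENROLL is this script's own override hook (defaults to cenroll in PATH).
run_enroll() {
    dir=$1; tenant=$2
    if [ -z "${CENROLL_CODE:-}" ]; then
        echo "run_enroll: set CENROLL_CODE to the enrollment code" >&2
        return 2
    fi
    "${CENROLL:-cenroll}" --tenant "$tenant" --code "$CENROLL_CODE" \
        --features aapm,agentauth \
        --resource-policy-file "$dir/policy.conf" \
        --resource-setting-file "$dir/settings.conf"
}

# Typical use (as root):
#   CENROLL_CODE=... ./enroll.sh /etc/centrifycc/enroll axi0407.mycorp.centrify.com
if [ $# -eq 2 ]; then
    mkdir -p "$1"
    write_enroll_files "$1" "connector-a,connector-b"
    run_enroll "$1" "$2"
fi
```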

cflush

NAME
    cflush - clear the Centrify agent for Linux cache on a local computer.

SYNOPSIS
    cflush [--expire] [--verbose] [--version] [--help]

DESCRIPTION
    You can use the cflush command to expire cached information for a Centrify agent from a local computer. Executing cflush with no options expires the objects stored for agent-based authentication in the local cclient cache.

    Cached information allows previously-authenticated users to log on when the Centrify agent for Linux is disconnected from the Centrify identity platform. Because of this, expiring the cache on a computer that is currently disconnected prevents those users from logging on until connectivity is restored.

OPTIONS
    You can use the following options with this command:

    -e, --expire
        Expires authentication information stored in the local cclient cache.

    -V, --verbose
        Displays detailed information about the operation performed.

    -v, --version
        Displays version information for the installed software.

    -h, --help
        Displays the usage message.

EXAMPLES
    To expire objects in the local agent for Linux cache, run the following command:

        cflush --expire

cgetaccount

NAME
    cgetaccount - get the stored password for an account from Centrify Privileged Access Service.

SYNOPSIS
    cgetaccount [-t, --lifetime minutes] [-T, --type type] [-s, --silent] [-v, --version] [-V, --verbose] [-h, --help] targetname/accountname

DESCRIPTION
    The cgetaccount command retrieves the password for the specified account from Centrify Privileged Access Service. The account can be a system, domain or database account.

    If you execute cgetaccount without the -s option, the password for the account is printed to standard output.

    To run the cgetaccount command you must be logged in as root, and the computer where you run cgetaccount must be registered in Centrify Privileged Access Service.

OPTIONS
    You can use the following options with this command:

    -t, --lifetime minutes
        Specifies the password checkout interval (duration), in minutes. The value must be less than or equal to the account checkout lifetime defined in the target policy; if you specify a larger value, an error is returned. If you do not specify a checkout interval, a default of one minute is used.

    -T, --type type
        Specifies the type of target to which the account belongs. Valid values are system, domain and database.

    -s, --silent
        Retrieves the account password from Centrify Privileged Access Service without asking for confirmation. The password is not printed to stdout.

    -v, --version
        Displays version information about the installed software.

    -V, --verbose
        Displays information about each step in the password retrieval operation as it occurs. This option can be useful in diagnosing password retrieval problems.

    -h, --help
        Displays usage information for this command.

EXAMPLES
    The following command retrieves the password for the oracle account on the MACHINE1 system, keeps the password checked out for 10 minutes, includes a confirmation step, and displays the password to stdout:

        cgetaccount -t 10 MACHINE1/oracle

    The following example shows a shell script that retrieves the password for the local account oracle on the system MACHINE1 to perform a backup. The password is checked out for 10 minutes and captured from stdout; run_backup.sh stands for the site's own backup script.

        PASSWORD=$(cgetaccount -s -t 10 MACHINE1/oracle)
        if [ $? -eq 0 ]; then
            run_backup.sh MACHINE1/oracle "$PASSWORD"
        else
            echo "Failed to run cgetaccount to get password for oracle account."
        fi

    Note that a password passed to a program as a command-line argument, as in this script, is visible to every local user in the process list for as long as that program runs.
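The backup script above hands the checked-out password to run_backup.sh in its argument list, where any local user can read it from the process table. The variant below is an added example, not part of the Centrify documentation or tooling: it captures the output of cgetaccount -s as the page's script does, but delivers the password to the consumer on standard input, so it never appears in argv. CGETACCOUNT is this script's own override variable (used to exercise it with a stub), and run_backup.sh is assumed to be a hypothetical consumer that reads one line from stdin.

```shell
#!/bin/sh
# Added example: check out a password with cgetaccount and hand it to a
# consumer on stdin instead of in its argument list. CGETACCOUNT is this
# script's override hook, not a cgetaccount feature.
CGETACCOUNT="${CGETACCOUNT:-cgetaccount}"

# checkout_and_run TARGET/ACCOUNT MINUTES CMD [ARGS...]
# Checks the password out silently (-s) for MINUTES and pipes it, followed
# by a newline, into CMD's standard input. The password never appears in
# argv, so it is not visible in ps or /proc/*/cmdline; printf is a shell
# builtin, so no extra process receives it as an argument either.
# Returns CMD's exit status, 1 if no password could be obtained, and 2 for
# a malformed lifetime.
checkout_and_run() {
    target=$1; minutes=$2; shift 2
    case $minutes in
        ''|*[!0-9]*)
            echo "checkout_and_run: lifetime must be a number of minutes" >&2
            return 2 ;;
    esac
    password=$("$CGETACCOUNT" -s -t "$minutes" "$target") || {
        echo "checkout_and_run: cgetaccount failed for $target" >&2
        return 1
    }
    if [ -z "$password" ]; then
        echo "checkout_and_run: cgetaccount returned no password for $target" >&2
        return 1
    fi
    printf '%s\n' "$password" | "$@"
    rc=$?
    unset password
    return $rc
}

# Typical use (as root): run_backup.sh is a hypothetical backup job that
# reads the password from its first line of stdin.
#   checkout_and_run MACHINE1/oracle 10 /usr/local/bin/run_backup.sh MACHINE1/oracle
if [ $# -ge 3 ]; then
    checkout_and_run "$@"
fi
```

The lifetime check matters because -t is passed straight through to cgetaccount; rejecting anything that is not a number keeps an unexpected value from turning into a longer checkout than intended.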

cinfo

NAME
    cinfo - display detailed information about the cloud configuration for the local computer.

SYNOPSIS
    cinfo [--address] [--tenant] [--connect url] [--http-proxy url] [--owner] [--resource-name] [--tenant-id] [--platform-version] [--support] [--verbose] [--version]

DESCRIPTION
    The cinfo command displays detailed and diagnostic information about the cloud configuration for the local computer. If you do not specify an option, cinfo returns the basic set of configuration details for the local computer.

    Note: To run the cinfo command with the --connect, --platform-version or --support option, you must be logged in as root. You are not required to be root for any of the other cinfo options.

OPTIONS
    You can use the following options with this command:

    -a, --address
        Displays the IP address or DNS name for a computer enrolled in the Centrify identity platform.

    -T, --tenant
        Displays the customer-specific URL for a computer enrolled in the Centrify identity platform.

    -P, --platform-version
        Displays the version of the Centrify identity platform that the computer is enrolled in.

    -C, --connect url
        Connects to the Centrify identity platform to verify availability.

    -p, --http-proxy url
        Specifies the HTTP proxy to use for the --connect option. Unlike the cenroll command, specifying this option does not update /etc/centrifycc/centrifycc.conf.

    -o, --owner
        Displays the owner of a computer enrolled in the Centrify identity platform.

    -N, --resource-name
        Displays the system name for a computer enrolled in the Centrify identity platform.

    -D, --tenant-id
        Displays the registered customer-specific identifier (tenant ID).

    -t, --support
        Generates a support file with diagnostic information in the default location (/var/centrify/tmp/cinfo_support.tar.gz). The generated file includes details about the cclient process operations, the contents of /etc/centrifycc/centrifycc.conf, and the /var/log/centrifycc.log log file. This option is typically used to collect complete diagnostic information in one file that can be sent to Centrify Support for analysis. Because the archive includes the log file, which may contain sensitive information (see cdebug), review its contents before sending it.

    -V, --verbose
        Sends detailed diagnostic information to standard error (stderr). You can use this option in combination with other options.

    -v, --version
        Displays version information for the installed software.

EXAMPLES
    To display cloud configuration information for the local computer, type:

        cinfo

    If the computer is enrolled in the identity platform, the command displays information similar to the following:

        Enrolled in: https://aah0155.my-qa.centrify.com/
        Enrolled as:
        Service account: rhel68x64$@red.test2
        Resource name: rhel68x64
        IP/DNS name: rhel68x64
        Owner: shellm@red.test2 (Type: User)
        Customer ID: AAH0155
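The "Label: value" lines that cinfo prints are easy to check from a fleet script, for instance to confirm that every host is enrolled in the tenant you expect and not in a stale test tenant or one you do not control. The script below is an added example, not part of the Centrify documentation or tooling: it extracts individual fields from cinfo's output and compares the "Enrolled in" value with an expected tenant URL. The CINFO variable is this script's own override (used to exercise it with a stub); the sample output used in its test is constructed from the example above.

```shell
#!/bin/sh
# Added example: read the enrollment details cinfo prints and verify them
# against the tenant this host is expected to belong to. CINFO is this
# script's override hook, not a cinfo feature.
CINFO="${CINFO:-cinfo}"

# cinfo_field LABEL
# Prints the value of the first "LABEL: value" line in cinfo's output
# (e.g. "Enrolled in", "Resource name", "Owner"); prints nothing if absent.
# Leading whitespace is ignored so indented lines are matched too. The sed
# delimiter is | so labels containing a slash ("IP/DNS name") work.
cinfo_field() {
    "$CINFO" | sed -n "s|^[[:space:]]*$1:[[:space:]]*||p" | head -n 1
}

# verify_enrollment EXPECTED_TENANT_URL
# Returns 0 when the host reports being enrolled in exactly
# EXPECTED_TENANT_URL, 1 when it is enrolled somewhere else, and 2 when
# cinfo reports no enrollment at all.
verify_enrollment() {
    tenant=$(cinfo_field "Enrolled in")
    if [ -z "$tenant" ]; then
        echo "not enrolled" >&2
        return 2
    fi
    if [ "$tenant" != "$1" ]; then
        echo "enrolled in $tenant, expected $1" >&2
        return 1
    fi
    echo "enrolled in $tenant as $(cinfo_field 'Resource name') (owner: $(cinfo_field Owner))"
    return 0
}

# Typical use: exit non-zero on a host that is not enrolled where expected.
#   verify_enrollment https://aah0155.my-qa.centrify.com/
if [ $# -eq 1 ]; then
    verify_enrollment "$1"
fi
```

The comparison is exact, including the trailing slash, so pass the URL in the same form cinfo prints it.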

creload

NAME
    creload - force the Centrify agent for Linux (cclient) to reload configuration properties.

SYNOPSIS
    creload [--verbose] [--version] [--help]

DESCRIPTION
    The creload command forces the Centrify agent for Linux (cclient) to reload the configuration properties from the /etc/centrifycc/centrifycc.conf file. Running this command allows changes made to the configuration properties to take effect without restarting the cclient process.

    You must have root privileges to run this command.

OPTIONS
    You can use the following options with this command:

    -V, --verbose
        Displays detailed information about the operation performed.

    -v, --version
        Displays version information for the installed software.

    -h, --help
        Displays the usage message.

EXAMPLES
    To reload the configuration properties on a local computer after making changes, run the following command:

        creload

csetaccount

NAME
    csetaccount - create or update a privileged account in Centrify Privileged Access Service for the specified local account.

SYNOPSIS
    csetaccount [--stdin] [-m, --managed <true|false>] [-x, --useproxy <true|false>] [-w, --workflow <enable|disable|default>] [-a, --approver <user:user|role:role>] [-p, --permission [<user|role>:]name:right[,right2,...,rightN]] [-d, --description description] [-P, --nopassword] [-v, --version] [-V, --verbose] [-h, --help] accountname

DESCRIPTION
    The csetaccount command creates or updates a privileged account in Centrify Privileged Access Service for the specified local account. The privileged account is stored under the currently registered computer.

    To run the csetaccount command you must be logged in as root, and the computer where you run csetaccount must be registered as a resource in Centrify Privileged Access Service.

OPTIONS
    You can use the following options with this command:

    --stdin
        Reads the account password from standard input and displays no password confirmation. If you do not specify this option, an interactive prompt asks for the account password.

    -m, --managed <true|false>
        Specifies whether the password for the account is managed by Centrify Privileged Access Service. A value of true means that the account is managed.

    -x, --useproxy <true|false>
        Specifies whether Centrify Privileged Access Service uses the proxy account to manage the password for the account. A value of true means that the proxy account is used.

    -w, --workflow <enable|disable|default>
        Specifies whether a workflow is used to process the account. A value of enable means that a workflow is used. A value of disable means that a workflow is not used. A value of default means that.

    -a, --approver <user:user|role:role>
        Specifies an approver for the account that you are creating or updating. The approver can be a Centrify directory service user or a role; prefix the name with user: or role: accordingly.

    -p, --permission [<user|role>:]name:right[,right2,...,rightN]
        Specifies permissions for the account that you are creating or updating. The name is the identity to grant the permission to; it can be a Centrify directory service user or a role, prefixed with user: or role:. The pair should be wrapped in double quotes, and on the command line the quotes must be escaped, for example \"user:<name>:<right>[,<right>,...,<right>]\". The rights are Grant, View, Checkout, Login, Edit, Delete, UpdatePassword, PortalLogin and Rotate. When one of the supplied rights is not recognized, a warning is shown, that permission is not applied, and the command continues to set the remaining permissions. If the user or role already has a permission, it is overwritten.

    -d, --description description
        Specifies the account description.

    -P, --nopassword
        Specifies that no password input is required to update the account settings. Use this option to update account settings without updating the stored password.

    -v, --version
        Displays version information about the installed software.

    -V, --verbose
        Displays information about each step in the operation as it occurs. This option can be useful in diagnosing problems.

    -h, --help
        Displays usage information for this command.

EXAMPLES
    The following command stores the root password in Centrify Privileged Access Service interactively (it prompts for the password and for confirmation before storing it):

        csetaccount root

    The following example shows the commands you would execute to store the root password in Centrify Privileged Access Service non-interactively. The password is managed and is automatically rotated every day at the same time. In this example, policy.conf contains the setting "password rotation=true, password rotation interval=1":

        cenroll -o policy.conf
        csetaccount --stdin root < "/root/secure_file"

    The file that supplies the password should be owned by root and readable by nobody else (mode 0600), and should be removed once the password has been stored.

cunenroll

NAME
    cunenroll - remove a resource from the Centrify identity platform.

SYNOPSIS
    cunenroll [--machine [--delete]] [--user username] [--noconf] [--restore] [--force] [--verbose] [--version] [--help]

DESCRIPTION
    The cunenroll command removes the local host computer from the Centrify identity platform. To run the cunenroll command, you must be logged in as root.

OPTIONS
    You can use the following options with this command:

    -m, --machine
        Removes the computer from the Centrify identity platform using the computer account credentials.

    -d, --delete
        Deletes the computer as a resource, together with all associated accounts stored in the Centrify identity platform. The computer must have been added as a resource using the cenroll command. You can specify the --machine or --user option with this option to control the credentials used to remove the computer. Because the stored accounts are deleted with the resource, retrieve any password you still need (for example with cgetaccount) before running this option.

    -u, --user username
        Specifies the administrative user account used to unenroll the computer from the Centrify identity platform.

    -C, --noconf
        Specifies that you do not want to update the computer configuration when unenrolling from the Centrify identity platform.

    -R, --restore
        Restores the computer configuration without unenrolling from the Centrify identity platform.

    -f, --force
        Forces the local computer settings to be restored to their pre-enroll state. This option only affects information stored locally; running cunenroll with --force does not affect information stored in the identity platform, so the resource and its stored accounts remain there.

    -V, --verbose
        Displays detailed information for each operation.

    -v, --version
        Displays version information for the installed software.

    -h, --help
        Displays usage information for this command.

EXAMPLES
    To remove a computer from the Centrify identity platform, you could type a command similar to the following:

        cunenroll --machine

    To revert all local computer settings to their pre-enroll state, you could type a command similar to the following:

        cunenroll --force