User Management Component 2.7
UMC UMCONF User Manual

Contents
1  UMCONF Overview
2  Concepts You Need to Know About
3  Commands for Listing a Summary of UMCONF Commands
4  Commands for Creating UM Entities
5  Commands for the Management of UM Services
6  Commands for Binding/Unbinding
7  Commands for Centralized Configuration Management
8  Commands for Upgrading Entities
9  Commands for Deleting a UM Configuration
10 Commands for Importing Packages
11 Commands for the Management of Whitelist Entries
12 Commands for the Management of Plugins
13 Commands for the Management of Logs
14 Commands for Renewing Certificates
15 Commands for Launching UMConf in Interactive Mode
16 Commands for Purging Roles
17 Commands for Displaying Lists
18 Commands for dSSO functionality
19 Error Codes

05/2019
A5E47537974-AA
Guidelines
This manual contains notes of varying importance that should be read with care; i.e.:
Important:
Highlights key information on handling the product, the product itself or to a particular part of the documentation.
Note: Provides supplementary information regarding handling the product, the product itself or a specific part of
the documentation.
Trademarks
The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes
could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of
plants, systems, machines and networks. In order to protect plants, systems, machines and networks against
cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions only form one element of such a concept.
The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks.
Systems, machines and components should only be connected to the enterprise network or the internet if and to
the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in
place. Additionally, Siemens' guidance on appropriate security measures should be taken into account. For more
information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens' products and solutions undergo continuous development to make them more secure. Siemens strongly
recommends applying product updates as soon as they are available and always using the latest product versions.
Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the
customer's exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under
http://www.siemens.com/industrialsecurity.
This utility, which is distributed with UMC, is installed in the \BIN subdirectory (for example C:\Program
Files\Siemens\UserManagement\BIN) and must be executed from a command prompt within this
directory or in the C:\Program Files\Siemens\UserManagement\WOW\BIN folder. umconf can be executed
by a Windows user with administrative rights (an elevated user if User Account Control (UAC) is enabled)
or by any user belonging to the um_config group.
CAUTION:
• The umconf utility must be used with care. Incorrect usage can cause system
unavailability.
• Stop all of the applications that use UMC before launching umconf and making
changes to the machine configuration.
After the first installation it is necessary to perform the configuration steps above to run UMC on a
machine that, once configured, will be promoted to UM ring server.
Important:
We strongly suggest using the command umconf -i to perform all the configuration steps.
Configuration Options
• fresh configuration: it is the first time that you are configuring UMC;
• overwrite an existing configuration: you have already configured UMC and you want to modify
the configuration;
• upgrade an existing configuration from a previous version: you have already configured UMC,
you have installed a newer version of UMC and you have to upgrade the configuration.
Important:
UM domains are different entities with respect to Windows domains that are defined at
operating system level.
• UM ring server: the owner of the UM configuration, which is responsible for managing the
domain, and provides full implementation of authentication and user management features. The
priority ring server is the one configured first by running the umconf utility. If more than one
ring server is available and you unjoin the priority ring server, the system dynamically elects a
new priority ring server.
• UM server: provides full implementation of authentication features, the UM server is in
degraded mode if it is not connected to any UM ring server.
• UM agent: works as a client of the UM server/UM ring server to which it is attached, which can
be used to run an application developed using the UMC API. See the User Management
Component API SDK Developer Manual for more details. In order to import Windows Local
Users, see Importing a Windows Local User on an Agent in the UMC Installation Manual.
Important:
Engineering operations are not allowed on the UM Agent except for encryption
enablement.
CAUTION:
If you want to manage Active Directory users, the UM ring server and the UM server
machines have to be joined to the AD Windows domain.
Custom attributes can be associated with UM users. Example of custom attributes are common user
properties such as phone number, department, and so on.
To apply Secure Application Data Support (SADS), access to encrypted application data can be
granted to authorized users to allow them to decrypt it using specific Subject Keys.
UM User Types
UM User Passwords
Users created within UMC also have an associated password. Empty passwords are not allowed.
Users imported from Windows authenticate against Windows and do not have a UMC password.
Imported Windows local users authenticate only locally against Windows on the machine where they
are present. They can be used only for configuration purposes, for instance to be associated with a
Windows service running on that machine.
Offline Users
When you create a UMC user you can flag the user as offline. UMC provisioning service checks if the
offline user exists in Active Directory:
• if the user is present, user data are synchronized and the user becomes online,
• otherwise the user remains offline.
Important:
Users created as offline are enabled by design: they can therefore perform the actions
allowed by their function rights.
The user name of offline users must follow the AD pattern <domainName>\<ADuserName>. They do
not have a UMC password, as they cannot authenticate until they become online. The User Security
Identifier (SID, see Microsoft Documentation on Security Identifiers for more details) property is set to a
default value (S-1-0-0) that is synchronized with the actual AD value by the UMC provisioning service.
Users are also flagged offline if they are deleted from AD. In this case users are permanently deleted
from the UMC database after a configurable amount of time (the default is 12 hours). See the
additional provisioning configuration in the User Management Component Installation Manual for more
details.
User Limits
Description Maximum
The following roles are automatically created by the system while configuring UMC:
• Administrator: built-in "root" role. A user that has this role is a root user that can perform any
operation. This role cannot be associated with any group. It can be associated with a user only if the
user performing the association has the Administrator role in turn. The Administrator role cannot be
deleted. Only users having the Administrator role can modify other users having this role.
• UMC Admin: can manage users, groups and all the other UMC entities.
• UMC Viewer: can access the user management configuration without making modifications.
Name            Description
UM_ADMIN        Allows you to display the UMC database data and to configure the UMC database, that is to create users, groups and so on, to import and export data via file, and to register UMC station clients. This function right allows you to execute all umx commands.
UM_VIEW         Allows you to display the UMC database data related to users, groups, roles and account policies.
UM_RESETPWD     The user can reset the password of another user. The user must also have the UM_VIEW function right.
UM_UNLOCKUSR    The user can unlock any other user. The user must also have the UM_VIEW function right.
UM_ATTACH       The user can attach a machine to a UM domain; the machine is promoted to the UM agent role.
UM_JOIN         The user can promote a machine to the UM server role. If the machine is not yet attached to the UM domain, it is attached. This function right incorporates the UM_ATTACH function right.
UM_RESETJOIN    The user can downgrade a machine from the UM ring server or UM server role to the UM agent role.
UM_IMPORT       The user can import the UM Configuration via package. The user must also have the UM_VIEW function right.
UM_EXPORT       The user can export the UM Configuration into a package. The user must also have the UM_VIEW function right.
UM_BACKUP       The user can back up the UM Configuration (full backup). This function right is not used, as the functionality controlled by it has not yet been implemented.
UM_EXPORTCK     The user can export the Claim Key. This function right is not used, as the functionality controlled by it has not yet been implemented.
UM_EXPORTDK     The user can export the Domain Key. This function right is not used, as the functionality controlled by it has not yet been implemented.
UM_RA           Login from Remote Authentication. This function right is not used, as the functionality controlled by it has not yet been implemented.
UM_RINGMNG      The user can promote a machine to the UM ring server role. If the machine is not yet attached to the UM domain, it is attached.
UM_VIEWELG      The user can display event logging data. The user must also have the UM_VIEW function right.
• Help
3.1 Help
This command displays a brief summary of the different commands with their parameters and
switches.
Syntax
umconf -h
• Create Domain
• Create UM Administrator User
• Create Claim Key
CAUTION:
Syntax
Parameters
• name is the string representing the UM Domain name, only alphanumeric characters are
allowed.
Switches
Switch Description
-f Forces the creation of a new UM Domain. If a domain with the same name is present it is
overwritten.
Example #1
umconf -c -d mydomain
CAUTION:
Using umconf you can create only one UM user with Administrator role and neither the
user nor the password can be changed. The password can be changed via umx
command or via Web UI.
General Recommendations
It is strongly recommended that you comply with the password policies of your organization in order to
ensure password strength for the UM Administrator user. For example, a password policy may impose
that your password meets the following requirements:
When creating the UM Administrator User via script, add a warning that suggests entering a password
that complies with the password policies of your organization.
Syntax
Parameters
• name is the string representing the user name, only alphanumeric characters are allowed.
• password is the password associated to the user. An empty password is not accepted.
Example #1
CAUTION:
In case of a distributed scenario, once you have created a new claim key on a UM master
ring server/UM server, to align the keys, the UMCService of the other UM ring server/UM
server machine has to be manually restarted.
Syntax
umconf -c -k
Important:
In order to disable the Active Directory provisioning, you have to set to "no" the value of the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Siemens\User Management\WebUI\Settings\domains_support
and stop the UM service UPService.exe.
Syntax
Parameters
• name is the string representing the user name preceded by the domain.
• password is the password associated with the user.
Switches
Switch Description
-f If the Provisioning Service is running and has been already configured, this switch allows
you to overwrite the existing configuration.
CAUTION:
Syntax
Parameters
• name is the string representing the user name preceded by the domain. If the user is local, the
name must be preceded by the string ".\" or machinename\. For Example: .\administrator,
mydomain\myuser.
• password is the password associated with the user. If the virtual account NT SERVICE\UMC
Service has been specified, the password will not be prompted.
Switches
Switch Description
-f If the services are running and have been already configured, this switch allows you to
overwrite the existing configuration.
• Attach Agent
• Join Server
• Unjoin Server
• Retrieve Fingerprint
The command installs the network and machine certificates on your machine. If a firewall is active,
inbound and outbound connections through port 4002 must be allowed. On an agent machine you can
run an application developed using the UMC API; see the User Management Component API SDK
Developer Manual for more details.
Syntax
Parameters
• computerName is the name of one of the UM ring servers or UM servers of the domain you
want to be attached to.
• userName is the name of a UM user having the UM_ATTACH function right or the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• serviceUserName is the name of a Windows Local/domain user (who is either a member of the
UM Service Accounts group or has Administrative rights) that you want to associate with the
User Manager services.
• servicePassword is the password of the Windows user associated with the parameter
serviceUserName.
• fingerprint is the fingerprint of the UMC domain.
Switches
Switch Description
-f If the machine has already been configured, the existing configuration is overwritten.
-v If this switch is present, the installation of the certificates is not interactive. The -v switch is
mandatory if the fingerprint is specified.
If a firewall is active, inbound and outbound connections through port 4002 must be allowed.
CAUTION:
Consider that if you have configured the AD provisioning on the priority ring server, you
must also configure it on the machine you are joining. See the -b switch below to exclude
the AD provisioning configuration. If you want to use this command via script, the use of
-b is mandatory, and to configure the provisioning you have to use the umconf command that
associates the Active Directory Windows user with the Provisioning Service.
Syntax
umconf -j [-f] [-m serverType] [-c computerName] [-u userName] [-p password]
[-s serviceUserName servicePassword] [-v][-b] [-fp fingerprint]
Parameters
• serverType determines the type of the server that will be joined to the ring:
– 0 the machine will be a UM server, in this case the provisioning is not configured;
– 1 the machine will be a UM ring server.
• computerName is the name of one of the UM ring servers of the domain you want to be joined
to.
• userName is the name of a UM user having the UM_RINGMNG function right (to create a UM
ring server) or UM_JOIN function right (to create a UM server) or having the Administrator
role. For more details see User Manager Function Rights.
• password is the password of the UM user associated with the parameter userName.
• serviceUserName is the name of a Windows Local/domain user (who is either a member of the
UM Service Accounts group or has Administrative rights) that you want to associate with the
User Manager services.
• servicePassword is the password of the Windows user associated with the parameter
serviceUserName.
• fingerprint is the fingerprint of the UMC domain.
Switches
Switch Description
-m This switch determines the type of server that will be joined to the ring:
• 0 the machine will be a UM server;
• 1 the machine will be a UM ring server.
-v If this switch is present, the installation of the certificates is not interactive. The -v switch is
mandatory if the fingerprint is specified.
-fp If the switches -v and -fp are both present, the specified fingerprint is used for validation.
-b The Active Directory provisioning configuration is not performed. This switch is relevant only
for UM ring server configuration. In case of UM server the provisioning is never configured.
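The following PowerShell script is an added example, not part of the manual, of running the join command from a script the way this chapter requires: -v and -fp so that certificate installation is non-interactive and validated against a known domain fingerprint, -b because AD provisioning cannot be configured by a scripted join, and a port 4002 check before the call. The ring server name and fingerprint are placeholders supplied by the caller.

```powershell
# Added example (not from the UMC manual): non-interactive join of this machine.
# Assumptions: umconf.exe lives in the default UMC BIN folder and the script is
# run by an elevated user; $RingServer and $DomainFingerprint are placeholders.
param(
    [Parameter(Mandatory)][string]$RingServer,        # an existing UM ring server
    [Parameter(Mandatory)][string]$DomainFingerprint, # obtained with Retrieve Fingerprint
    [ValidateSet(0, 1)][int]$ServerType = 1           # -m: 1 = UM ring server, 0 = UM server
)

$umconf = Join-Path $env:ProgramFiles 'Siemens\UserManagement\BIN\umconf.exe'
if (-not (Test-Path $umconf)) { throw "umconf not found at $umconf" }

# The manual requires inbound and outbound connections on port 4002; fail early if blocked.
$probe = Test-NetConnection -ComputerName $RingServer -Port 4002 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) { throw "TCP port 4002 to $RingServer is not reachable" }

# Credentials are prompted for at run time rather than stored in the script.
$umUser  = Get-Credential -Message 'UM user with UM_RINGMNG (UM_JOIN if -m 0) or Administrator role'
$svcUser = Get-Credential -Message 'Windows account for the UM services (UM Service Accounts member)'
$umPwd   = $umUser.GetNetworkCredential().Password
$svcPwd  = $svcUser.GetNetworkCredential().Password

# -v: certificate installation is not interactive (mandatory when -fp is given)
# -fp: validate the certificates against the expected domain fingerprint
# -b: skip AD provisioning, mandatory for scripted use per the manual
$cliArgs = @('-j', '-m', $ServerType, '-c', $RingServer,
             '-u', $umUser.UserName, '-p', $umPwd,
             '-s', $svcUser.UserName, $svcPwd,
             '-v', '-b', '-fp', $DomainFingerprint)

& $umconf @cliArgs

# Exit codes as listed in the Error Codes chapter of the manual.
switch ($LASTEXITCODE) {
    0       { Write-Host "$env:COMPUTERNAME joined the ring of $RingServer (type $ServerType)" }
    1       { throw 'umconf requires administrative rights (error code 1)' }
    default { throw "umconf -j failed with error code $LASTEXITCODE" }
}

if ($ServerType -eq 1) {
    Write-Host 'AD provisioning was skipped (-b): associate the provisioning service user with umconf if required.'
}
```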
If a firewall is active, inbound and outbound connections through port 4002 must be allowed.
CAUTION:
Syntax
Parameters
• userName is the name of a UM user having the UM_RESETJOIN function right or having the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• computerName is the name of the machine having the UM ring server/UM server role that you
are unjoining. This parameter must be used only if the UMC services of the machine on which you
are running the command cannot communicate with the UMC services of the machine you are
unjoining. This happens, for instance, when the machine being unjoined is no longer available.
Switches
Switch Description
Syntax
Parameters
• computerName is the name of the machine from which you want to obtain the fingerprint.
1. Execute get configuration in order to retrieve the current version of centralized configuration.
2. Modify the current configuration as required, see the User Manager Installation Manual.
3. Set the centralized configuration.
For information on the contents of the default, central and local configuration files see the Identity
provider configuration section in the User Manager Installation Manual.
Syntax
Parameters
• fullpath is the path and name of the file in which the default configuration is to be saved.
Syntax
Parameters
• userName is the name of a UM user who has the UM_ADMIN function right or the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• fullpath is the complete path of the .json file which contains the UMC configuration that is to be
set.
• labelName is the name that identifies the configuration.
Switch Description
-label (for future use only) Optional, allows you to specify a label in order to identify each specific
configuration.
Syntax
Parameters
Switch Description
-label (for future use only) Optional, allows you to specify a label in order to identify each specific
configuration.
• Upgrade Domain
CAUTION:
We strongly suggest using the command umconf -i to perform all the upgrade steps, which
include this domain upgrade operation.
Syntax
umconf -U [-f]
Switches
Switch Description
• Delete Configuration
If you want to remove a UM ring server/UM server from the UMC system, you also have to
perform the unjoin operation of the machine before executing this command.
CAUTION:
Performing the restart of a UMC service and/or the Recycle of the application pool can
cause service interruption.
Syntax
umconf -D [-f]
Switches
Switch Description
A UMC package is in a UMC proprietary format, zipped and encrypted. If the password is not given
on the command line, you will be prompted for the decryption password, which has to be the same as
the one used in the umx export package command. For more details see the UMX User Manual.
For more information on the import/export/update package usage see the Standalone Engineering
Station Scenario in the User Management Component Installation Manual.
Syntax
Parameters
• file is the path and name of the file to be imported, for instance C:\temp\myPackage;
• password is the archive password.
Switches
Switch Description
If the host is not present in the list, the call is rejected. In the case of service validation, a warning
message is logged in the UMC event log and, if enabled, a message is also logged in the Identity Provider log file.
After executing the command, for each machine where the Identity Provider is installed, it is necessary:
CAUTION:
Performing the restart of a UMC service and/or the Recycle of the application pool can
cause service interruption.
Syntax
umconf -c -w -d name
Parameters
• name is the string that represents the host according to URL standard format, and must specify
the exact path of the relying party. It can be:
– localhost;
– machine name (e.g. myMachine);
– internet domain name (e.g. www.myDomain.net);
– IP address (e.g. 172.23.1.48).
Remember to recycle the application pool of the Identity Provider to apply all pending modifications.
Syntax
umconf -l -w
Example
umconf -l -w
Example output:
localhost
myMachine
170.23.1.48
After executing the command, for each machine where the Identity Provider is installed, it is necessary:
CAUTION:
Performing the restart of a UMC service and/or the Recycle of the application pool can
cause service interruption.
Syntax
umconf -d -w -d name
Parameters
• name is the string representing the host according to URL standard format. It can be:
– localhost;
– machine name (e.g. myMachine);
– domain name (e.g. www.myDomain.net);
– IP address (e.g. 172.23.1.48).
Example
umconf -d -w -d 175.22.3.55
Output:
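The following PowerShell script is an added example, not part of the manual, that combines the three whitelist commands of this chapter: it reads the current entries with umconf -l -w, adds any desired host that is missing with umconf -c -w -d, reports entries that are present but not desired (leaving the umconf -d -w -d removal as a deliberate manual step), and recycles the Identity Provider application pool so the pending modifications take effect. The desired host list is a constructed placeholder.

```powershell
# Added example (not from the UMC manual): reconcile the Identity Provider whitelist.
# Assumptions: umconf.exe lives in the default UMC BIN folder, the script runs elevated,
# and $desired is a constructed placeholder list, not values from the manual.
$desired = @('localhost', 'myMachine', 'www.myDomain.net', '172.23.1.48')
$umconf  = Join-Path $env:ProgramFiles 'Siemens\UserManagement\BIN\umconf.exe'
if (-not (Test-Path $umconf)) { throw "umconf not found at $umconf" }

# Accept only the forms the manual allows for an entry: localhost, a machine name,
# an internet domain name, or an IPv4 address with each octet in 0..255.
function Test-WhitelistHost([string]$h) {
    if ($h -eq 'localhost') { return $true }
    if ($h -match '^\d{1,3}(\.\d{1,3}){3}$') {
        return -not ($h.Split('.') | Where-Object { [int]$_ -gt 255 })
    }
    # one or more DNS labels: alphanumerics and inner hyphens, separated by dots
    return $h -match '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# "umconf -l -w" prints one host per line (see the example output in this chapter).
$current = @(& $umconf -l -w | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($LASTEXITCODE -ne 0) { throw "umconf -l -w failed with error code $LASTEXITCODE" }

$changed = $false
foreach ($h in $desired) {
    if (-not (Test-WhitelistHost $h)) { Write-Warning "Skipping invalid whitelist host '$h'"; continue }
    if ($current -contains $h) { continue }          # already whitelisted, nothing to do
    & $umconf -c -w -d $h
    if ($LASTEXITCODE -ne 0) { throw "Adding '$h' failed with error code $LASTEXITCODE" }
    $changed = $true
}

# Entries not in the desired list are only reported: removing a whitelist entry rejects
# every call from that relying party, so the removal (umconf -d -w -d <host>) stays manual.
$extra = @($current | Where-Object { $desired -notcontains $_ })
if ($extra.Count -gt 0) { Write-Warning ('Whitelisted but not desired: ' + ($extra -join ', ')) }

# Pending whitelist changes apply only after the Identity Provider pool is recycled
# (pool name SimaticLogonPool as given in the plugin chapter). This interrupts service.
if ($changed) {
    Import-Module WebAdministration
    Restart-WebAppPool -Name 'SimaticLogonPool'
    Write-Host 'Whitelist updated and SimaticLogonPool recycled on this machine.'
}
```

Run the script on every machine where the Identity Provider is installed, since the recycle is per machine.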
• Register Plugin
• Register Cookie Adapter
• List Registered Plugins
• Deregister Plugin
After executing the command, for each machine where the Identity Provider is installed, it is necessary
to perform the Recycle of the application pool of the Identity Provider (SimaticLogonPool, for
configuration via script) in IIS Manager.
CAUTION:
Performing the Recycle of the application pool can cause service interruption.
Syntax
Parameters
• userName is the name of a UM user who has the UM_ADMIN function right or the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• plugin_path is the path and name of the plugin dll to be registered, for instance
C:\temp\myPlugin.dll;
• plugin_description is the string that will appear in the drop-down menu on the right of the IdP
login page on the client machine;
• plugin_name specifies the unique name of the plugin. Note that the following names are
reserved: iwa, pki, desktop, web, web_cors, hybrid, hybrid_cors and ":".
• response format is for future use.
• securitylevel defines the type of authentication. This information is passed in the IdP claim so
that the third party application can determine the authentication security level; the UMC Web UI
can only be used if the authentication is standard or strong. The security level can only be
specified for web and hybrid plugins. The possible values are:
– weak
– standard
– strong
Switch Description
-w For future use. Specifies that the plugin is a web plugin; if this switch is used you must
also use -pk, see below.
-pk For future use. Specifies a public key associated with the plugin.
-usealias Specifies that the alias of the user is to be used instead of the username.
After executing the command, for each machine where the Identity Provider is installed, it is necessary
to perform the Recycle of the application pool of the Identity Provider (SimaticLogonPool, for
configuration via script) in IIS Manager.
CAUTION:
Performing the Recycle of the application pool can cause service interruption.
Syntax
Parameters
• userName is the name of a UM user having the UM_ADMIN function right or having the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• url is the URL of the cookie adapter to be registered;
• plugin_description is the string that will appear in the drop-down menu on the right of the Idp
login page on the client machine;
Switches
Switch Description
• Plugin Uid: the unique id of the plugin which is necessary to activate plugins on clients.
• Path: the path of the plugin.
• Description: the description of the plugin.
• Class: Specifies the type of plugin: desktop, web or hybrid.
• Pub keyid: the public key id.
• Security Level: Weak, Standard and Strong, see register custom plugin for more information.
• Plugin Name: the unique name of the plugin; this field is empty for plugins which were
created prior to UMC 1.9.1.
Syntax
umconf -l -P
Example
After executing the command, for each machine where the Identity Provider is installed, it is necessary
to perform the Recycle of the application pool of the Identity Provider (SimaticLogonPool, for
configuration via script) in IIS Manager.
CAUTION:
Performing the Recycle of the application pool can cause service interruption.
Syntax
Parameters
• userName is the name of a UM user having the UM_ADMIN function right or having the
Administrator role.
• password is the password of the UM user associated with the parameter userName.
• pluginname is the name of the plugin; alternatively you can use pluginId.
• pluginId is the position of the plugin in the list of registered plugins. See the example below.
Example
If the command:
umconf -l -P
the command:
• Archive logs
• Extract logs
Syntax
Parameters
• file is the path and name of the package file, for instance C:\temp\myLogs;
• password is the package password. If not provided, the user will be prompted to insert the
password.
Syntax
Parameters
• file is the path and name of the package file, for instance C:\temp\myLogs;
• password is the package password.
• Renew Certificate
CAUTION:
When performing this operation from a machine which is not a ring server, if the operation
fails the machine will be detached and must be re-attached in order to attempt the
operation again.
Syntax
umconf -rc [-f(orce)] [-c computername] [-u username] [-p password] [-v] [-fp fingerprint]
Parameters
• computerName is the name of one of the UM servers on which the certificate is located.
• userName is the name of a UM user who has the UM_ATTACH function right or the
Administrator role. For more details see User Manager Function Rights.
• password is the password of the UM user associated with the parameter userName.
• fingerprint is the fingerprint of the UMC domain.
Switches
Switch Description
• the Windows user that is associated with the UMCService.exe service; if the virtual account NT
SERVICE\UMC Service has been specified, the password will not be prompted.
• the Windows user that is associated with the UPService.exe service - mandatory only if you
need to import Active Directory users via the umx tool or via the Web UI;
• the private claim key.
• fresh configuration: it is the first time that you are configuring UMC;
• overwrite an existing configuration: you have already configured UMC and you want to modify
the configuration;
• upgrade an existing configuration from a previous version: you have already configured UMC,
you have installed a newer version of UMC and you have to upgrade the configuration.
Syntax
umconf -i
Or alternatively:
umconf
CAUTION:
This command stops the UMCService and restarts it after the execution. The stop can
cause service interruption.
Syntax
Syntax
umconf -t
Example
umconf -t
Output
Syntax
Switches
Switch Description
Examples
Output
Output
0 Success.
1 The user launching the command does not have the proper administrative rights.