Tivoli Management Framework 'W' Commands

This page details General problems and issues relating to Tivoli Management Framework 'W' Commands.

Can I run CLI from a Remote Machine? [20/7/02]
"Bad file number" Error when Running winstlcf [19/3/03]
"EXCEPTION decrypt_data: HMAC does not match encrypted data!" Error when running wadminep [8/4/03]
"ipc_create_new_remote_client failed" Error when trying to run "wep <epname> status" [14/4/03]
wchkdb Command to Check the TMR Database Only [1/1/03]
What are 'w' Commands? [19/9/02]
WIDMAP Confusion [20/9/02]
WINSTLCF Installation on NT Endpoint Fails [21/9/02]

Can I run CLI from a Remote Machine?

Contributed By: Cliff Hobbs [MVP SMS], Gareth Smith
Wouldn't it be handy if you could run the Tivoli Command Line Interface (CLI) from a remote desktop machine rather than just the TMR itself? Well you can - check out the Running the CLI From a Remote Machine article on the Hot Tips page.

“Bad file number” Error when Running winstlcf

Contributed By: Gary Hamilton
If you’re running "winstlcf -g <ip gw> <ep_label>" and you get back “connect: Bad file number” then here could be the reason… [Go to the article]

“EXCEPTION decrypt_data: HMAC does not match encrypted data!” Error when running wadminep

Contributed By: Cliff Hobbs [MVP SMS]
If you’re seeing the above error when you run the ‘wadminep <ep_name> view_version’ command then read on… [Go to the article]

"ipc_create_new_remote_client failed" Error when trying to run "wep <epname> status"

Contributed By: Gary Hamilton
If you’re seeing this error when trying to run a 'wep <epname> status' then read on… [Go to the article]

wchkdb Command to Check the TMR Database Only

I believe I had heard that there was a wchkdb command switch that would allow you to check the TMR database only, however I can not seem to find any documentation. We have close to 350 remote gateways(MN's) and this process, as you can imagine takes a while. We are currently running FW3.7.1 + patches.

Contributed By: Cooper Begis, JT Edwards
#wchkdb -u $TMR.1.<ID of TMR server>

you get the ID of TMR server by:

#wlookup -ar ManagedNode

I also found out that you can run 'wchkdb -ut'. The 't' option will default to the TMR only.

What are 'w' Commands?

Am I right in assuming that all a 'w' command is is a Perl script that then runs an associated or embedded EXE?

Contributed By: Paul Claridge
Generally Tivoli supply compiled binaries. On UNIX they don't usually have a file extension. However, on NT they do. Just to complicate things Tivoli also supply Perl scripts which look like binaries but are not. winstlcf is a classic example. This can be very frustrating when you try and run one of these scripts on NT because is simply says something useless like "cannot find the file". Naturally if you call Perl with the script (possibly with prepended correct path) as a parameter everything bursts into life - well, you at least get a usage statement!

This can cause all sorts of fun and games in scripting because shell commands demand the full name of the file. So if you miss off the .EXE things tend to fail. However if you run the file in a Windows context the OS might properly say that's an EXE so I'll load the file anyway. Wouldn't it be nice if things were consistent!

WIDMAP Confusion

I've got a question regarding widmap. My TMR server is running NT. I want to setup a single Tivoli account that multiple NT users can use for Software Distribution and I'm a bit confused over the best way of doing this with widmap (assuming widmap is the way to go).

Does anyone have any information they'd be willing to share as I'm struggling with the Framework Reference Guide?

Contributed By: Paul Claridge, Pete Haswell, Cliff Hobbs [MVP SMS], Ken Wood
When things run on the Framework they need to have an "effective user" to use a UNIX expression. Tivoli refers to it as a Principal. The Principal is a userid that must exist on the platform you want to run the method on, otherwise the method cannot be run by the operating system.

Each Tivoli Administrator is created with two distinct sets of userids.

The first is the effective user (or principal) and group and this determines what that Administrator will behave as when doing anything on any platform (interp).
The second is a list of logins which the Framework uses to authenticate users through their Tivoli desktops, when they login to that Administrator desktop. The rule here is that the userid (sometimes qualified by domain name or hostname) must be able to be authenticated by the TMR Managed Node that is going to launch the Tivoli desktop server process.

So what is an ID map? It is simply a look up table that enables an alias to be used (by prefixing the table name with a "$" sign) as the principal. The one most people are familiar with because it designates the "superuser" on each platform is the "$root_user" idmap (use the "widmap list_entries root_user" command to list the entries).

This is an important idmap because a lot of the methods run with a principal of $root_user. When the method is invoked on NT the Framework does a lookup on the TMR and resolves the idmap to "Administrator" (by default on older versions) or "BuiltinNTAdministrator" on the current 3.7.1 Framework.

So idmaps are for individuals who may have different userids on different interps. Hence for an idmap "$bill", aix4-r1 might map to "bill_jones", whilst w32-ix86 might map to "jonesb3", etc. See Setting up Single Tivoli Account Access across Platforms for more details on using the widmap command.

I don't think your problem will be solved by considering idmaps, which might be causing the problem.

One solution would be to create a privileged swdist user (in the NT domain or local SAM(s)); make this the principal of the Tivoli Administrator, and then add logins for all the users you want to do swdist. An idmap might be appropriate if you then want to define different privileged users on different platforms for the swdist function. In this case a "$swdist" idmap will give you the required flexibility. The subtlety is that you will need to change the Administrators principal from swdist to the idmap reference "$swdist".

You used to be able to forget NT groups but I think later versions require a valid group definition as well.

It's probably better to think of widmap as an ability to set the user you want something to run as.

Remember Tivoli is case sensitive and NT is not. Be sure the entry in the Logins dialog box matches exactly the way the user logs in to NT.

WINSTLCF Installation on NT Endpoint Fails

I'm trying to install the Endpoint on one of my NT Endpoints but the installation fails.

Contributed By: Cliff Hobbs [MVP SMS]
Make sure that the first NT Endpoint you install is installed via the InstallShield wizard. You need to do this as NT doesn't have any remote execution service. Once you have installed the first NT Endpoint using the InstallShield installation program you can then run the winstlcf command with the "-N <source_Endpoint> <target_Endpoint>" command line. So if I've installed the Endpoint on an Endpoint named "first" using InstallShield, if I now want to install the Endpoint on a machine named "second", I could use the following command by using "first" as a proxy:

winstlcf -N first second

The assumption is that the Endpoints you wish to install are in the same domain or trust as the source Endpoint. By using this method you don't need to install TRIP.