Nuance Document Imaging Security Configuration Tool

Usage: NDISecTool.exe [-verbose] [-logging] [command] [options] ...

Available commands:

Global Options
  -verbose                  Optional. Turns detailed logging on the console.
  -logging                  Optional. Enables detailed logging into a log file.
  -securityprogramdatapath  Optional. Disk path relative to which NDI.Security component data is stored.
                            Defaults to the Windows %programdata% path.
------------------------------------------------------------------------------------------------------------------------
-addbootstrapuser
  Adds (or recovers) the very first user to AA prior to full configuration.
  -username  Required. The username of the security administrative user.
  -password  Required. The password associated with the security administrative user.
  -domain    Required. The domain the security administrative user belongs to.
  -aasurl    Optional. URL to an existing local AA instance.
------------------------------------------------------------------------------------------------------------------------
-adduser [options]
  Adds a user into AA.
  -u            Required. The username of the security administrator to authorize the add.
  -p            Required. The password of the security administrator to authorize the add.
  -domain       Required. The domain of the user to add.
  -username     Required. The username of the user to add.
  -password     Required. The password of the user to add.
  -groups       The groups associated with the user.
  -permspersrv  Optional. JSON dictionary of the permissions per service to be granted to the user.
  -locked       Specify this parameter to create a locked user account.
------------------------------------------------------------------------------------------------------------------------
-changepassword [options]
  Updates the password for the given user.
  -u            Required. The name of the user.
  -oldpassword  Required. Old password.
  -newpassword  Required. New password.
------------------------------------------------------------------------------------------------------------------------
-clientinstalltoken [options]
  Requests a token from AA to install an Equitrac Print Client (only).
  -u        Required. Administrator username.
  -p        Required. Administrator password.
  -expires  Optional. Number of seconds the token is valid.
  -sfsurl   Optional. The base URL of the Security Framework service (default: local node).
------------------------------------------------------------------------------------------------------------------------
-clienttoken [options]
  Generates a client token request to the AA Service with the specified permissions.
  -n            Required. The name of the client component.
  -servicename  Optional. Name of the service to allocate a token with the permissions allowed by the service for the
                client. If not provided, a basic token is allocated.
------------------------------------------------------------------------------------------------------------------------
-configurefirstnode [options]
  Configures the first SecurityFramework node.
  -sfsurl       Required. The base URL of the Security Framework service.
  -domain       Required. The domain of the security administrator to create.
  -username     Required. The username of the security administrator to create.
  -password     Required. The password of the security administrator to create.
  -sfscertpath  Optional. Certificate for the service.
------------------------------------------------------------------------------------------------------------------------
-deletedatacenter [options]
  Deletes the specified datacenter if possible.
  -datacenterid  Required. The id of the datacenter to delete.
  -u             Required. The username of the security administrative user.
  -p             Required. The password associated with the security administrative user.
------------------------------------------------------------------------------------------------------------------------
-enrollclient [options]
  Enrolls a client into the AA Service.
  -u             Required. The username of the security administrative user.
  -p             Required. The password associated with the security administrative user.
  -n             Required. The client component name.
  -datacenterid  Required. Datacenter GUID to associate the client with.
  -groups        Optional. Space delimited list of groups that the client is a member of.
  -permspersrv   Optional. JSON dictionary of the permissions per service to be granted to the client.
  -acl           Optional. Comma delimited list of accounts with readonly permission to client credentials.
------------------------------------------------------------------------------------------------------------------------
-enrollservice [options]
  Enrolls a service into SSDS.
  -n                   Required. The name of the client component. The client component must be previously registered
                       with a call to -enrollclient.
  -u                   Required. The username of the security administrator.
  -p                   Required. The password of the security administrator.
  -servicename         Required. The name of the service to register.
  -serviceendpointurl  Required. The URL associated with the service. If the service is behind a load balancer, then
                       this is the URL associated with the VIP of the load balancer.
  -servicedirecturl    Optional. The URL associated with the service. This must refer to the actual host. If not
                       specified, it is set to the serviceendpointurl value.
  -endpointcertpath    Required for TLS enabled services. The certificate filename associated with the TLS connection
                       to serviceendpointurl. PEM or DER formats are accepted.
  -directcertpath      Required for TLS enabled services. The certificate filename associated with the TLS connection
                       to servicedirecturl. PEM or DER formats are accepted. This is optional, and if not specified it
                       is set to the value of endpointcertpath.
  -servicenamespace    Required. The service namespace (product), such as Equitrac, AutoStore, etc., used for lookups.
  -datacenterid        Required. Datacenter GUID to associate the service with, for lookups by datacenter location.
  -servicehostname     Service hostname. If not specified, it may be taken from the specified service direct
                       certificate.
  -roles               JSON string with the set of service roles, like: ['NBC_####1', 'NBC_####2']
  -dependenciesfile    JSON file path for optional service dependencies, like:
                       {"v1-document": {"namespace": "Equitrac", "sameHostnameAsParent": true}}
  -properties          Service properties to add / update. A comma delimited list of key/value pairs, for example:
                       key0=value0,key1=value1,key2=value2...
  -ttlseconds          Optional. Specifies how frequently the service will update SSDS with health checks. Defaults to
                       zero, which implies that the service will never update for health checks. If the passed value is
                       strictly positive (>0) then the service state is initialized to Unknown instead of Passing.
  -nopassing           If set, initializes the service state to Unknown instead of Passing.
  -acl                 Optional. Comma delimited list of accounts with readonly permission to read the service config
                       file that contains the service id.
------------------------------------------------------------------------------------------------------------------------
-exportclient [options]
  Exports a client and, optionally, specified associated services.
  -n         Required. The name of the client to export.
  -f         Required. The name of the file to export to.
  -p         Required. The password to use for encrypting the contents of the exported file.
  -services  Optional. Comma delimited list of services associated with the client to include in the export.
------------------------------------------------------------------------------------------------------------------------
-findservices [options]
  Searches SSDS for a matching service name.
  -n              Mostly required. Specify the client component name. This option can be omitted if you are searching
                  for JUST the SSDS or AA services; otherwise this option is required.
  -servicename    Specify a regular expression that filters on the service name.
  -propertykey    Specify a regular expression that filters on the propertykey.
  -propertyvalue  Specify a regular expression that filters on the propertyvalue.
  -endpointurl    Specify a regular expression that filters on the endpointurl.
  -status         Specify a regular expression that filters on the status value. Valid status values are 'critical',
                  'warning', 'unknown', 'passing'.
  Examples
    NDISecTool.exe -findservices -servicename v1-auth
      Finds all instances of the AA service, without credentials.
    NDISecTool.exe -findservices -n mycomponent
      Finds all services using the credentials of 'mycomponent'.
------------------------------------------------------------------------------------------------------------------------
-getdatacenters [options]
  Retrieves the list of available datacenters.
  -u        Required. The username of the security administrative user.
  -p        Required. The password associated with the security administrative user.
  -ssdsurl  Required. SSDS URL from which to retrieve the list.
------------------------------------------------------------------------------------------------------------------------
-getsfsnodes [options]
  Retrieves the list of Security Framework Service nodes.
  -u       Required. The username of the security administrative user.
  -p       Required. The password associated with the security administrative user.
  -sfsurl  Required. The base URL of the Security Framework service.
------------------------------------------------------------------------------------------------------------------------
-importclient [options]
  Imports a client that was exported via the exportclient command.
  -f        Required. The name of the file to import from.
  -p        Required. The encryption password that was supplied to exportclient.
  -acl      Optional. Comma delimited list of accounts with readonly permission to client credentials.
  -replace  Optional. Specify this to allow the import to replace an existing client of the same name.
------------------------------------------------------------------------------------------------------------------------
-renamedatacenter [options]
  Renames the specified datacenter.
  -datacenterid  Required. The id of the datacenter to rename.
  -name          Required. The new name of the datacenter.
  -u             Required. The username of the security administrative user.
  -p             Required. The password associated with the security administrative user.
------------------------------------------------------------------------------------------------------------------------
-serviceenrolled [options]
  Checks to see if a given service is enrolled in SSDS.
  -u            Required. Any valid username in the system.
  -p            Required. The password associated with the username.
  -servicename  Specify a regular expression that matches on the service name.
  Examples
    NDISecTool.exe -serviceenrolled -u SercurityAdmin -p mypassword -servicename exampleservice
------------------------------------------------------------------------------------------------------------------------
-ssdscert [options]
  Sets the local machine SSDS Bootstrap certificate. ** Note: you must run this command as an Administrator **
  -ssdsurl       Required. The URL to an existing SSDS instance.
  -o             Override the existing certificate and URL.
  -tofu          Trust on first use. NDISecTool will connect to -ssdsurl and extract the certificate from the TLS
                 connection. The certificate will be saved for future use. This option is mutually exclusive with
                 -ssdscertpath.
  -ssdscertpath  The filename of a PEM encoded certificate of the TLS endpoint specified by -ssdsurl. This option is
                 mutually exclusive with -tofu.
  Examples (running as an Administrator)
    NDISecTool.exe -ssdscert -ssdsurl https://www.example.com:8181/SSDService -o -tofu
      Connects to www.example.com, extracts the X.509 certificate and overrides any existing saved SSDS Bootstrap
      certificate.
    NDISecTool.exe -ssdscert -ssdsurl https://www.example.com:8181/SSDService -ssdscertpath C:\tmp\myssdscert.cer
------------------------------------------------------------------------------------------------------------------------
-unenrollclient [options]
  Removes a previously registered client from the AA Service.
  -clientname  Required. The name of the client component to remove.
------------------------------------------------------------------------------------------------------------------------
-unenrollservice [options]
  Removes a previously registered service from the SSDS service.
  -n            Required. The name of the client component to remove.
  -servicename  The service name associated with the client.
  -serviceid    The service id to be removed.
  servicename and serviceid are mutually exclusive.
------------------------------------------------------------------------------------------------------------------------
-unenrollserviceadmin [options]
  Explicitly deletes a service by id using the SFS admin account.
  -serviceid  Required. The service id to be removed.
  -u          Required. The username of the security administrative user.
  -p          Required. The password associated with the security administrative user.
------------------------------------------------------------------------------------------------------------------------
-updateserviceprops [options]
  Updates properties of enrolled service(s). To find the service to update, provide serviceid, servicename,
  serviceendpointurl, propertykey/propertyvalue, status, or all of them.
  -n                    Required. The name of the client component. The client component must be previously
                        registered with a call to -enrollclient.
  -serviceid            Optional. GUID of the service to update.
  -servicename          Optional. Find the service to update by Name.
  -serviceendpointurl   Optional. Find the service to update by EndPointUrl.
  -propertykey          Optional. Find the service to update by propertykey/propertyvalue.
  -propertyvalue        Optional. Find the service to update by propertykey/propertyvalue.
  -status               Optional. Find the service to update by status.
  -allowmultipleupdate  Optional. true or false, default false. Whether the update is allowed when more than one
                        service is found to update.
  -properties           Required. Service properties to add / update. A comma delimited list of key/value pairs, for
                        example: key0=value0,key1=value1,key2=value2...
------------------------------------------------------------------------------------------------------------------------
-usertoken [options]
  Generates a user token request to the AA Service with the specified permissions.
  -u            Required. The name of the user.
  -p            Required. The password of the given user.
  -servicename  Optional. Name of the service to allocate a token with the permissions allowed by the service for the
                user. If not provided, a basic token is allocated.
  -aaurl        Optional. The URL of a given AAService.
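The -ssdscert command's -tofu option saves whatever certificate the -ssdsurl endpoint presents on the first connection, while -ssdscertpath lets the operator supply a certificate that was checked beforehand. The following added example (not part of NDISecTool or its documentation) performs that check: it fetches the served certificate, compares its SHA-256 fingerprint with a value obtained out of band, and only then runs -ssdscert with -ssdscertpath. EXPECTED_FINGERPRINT is a constructed placeholder, and the final step assumes NDISecTool.exe is on PATH and the script is run as an Administrator.

```python
"""Pin the SSDS bootstrap certificate instead of trusting it on first use."""
import base64
import hashlib
import ssl
import subprocess
from urllib.parse import urlparse

# Constructed placeholder: replace with the SHA-256 fingerprint the SSDS operator
# gave you out of band (e.g. from: openssl x509 -noout -fingerprint -sha256).
EXPECTED_FINGERPRINT = "00" * 32

def parse_ssds_url(url):
    """Return (host, port) for an -ssdsurl value; https defaults to port 443."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("-ssdsurl must be an https URL with a host")
    return parts.hostname, parts.port or 443

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    start = pem.find("-----BEGIN CERTIFICATE-----")
    end = pem.find("-----END CERTIFICATE-----")
    if start < 0 or end < 0:
        raise ValueError("no CERTIFICATE block found")
    body = pem[start + len("-----BEGIN CERTIFICATE-----"):end]
    return base64.b64decode("".join(body.split()), validate=True)

def sha256_fingerprint(pem):
    """Lowercase hex SHA-256 of the DER certificate (openssl's -sha256 fingerprint without colons)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def fingerprint_matches(pem, expected):
    """Compare with the out-of-band value, tolerating colons and upper case."""
    return sha256_fingerprint(pem) == expected.replace(":", "").lower()

def ssdscert_command(url, cert_path, tool="NDISecTool.exe"):
    """argv that sets the bootstrap certificate from a file rather than with -tofu."""
    return [tool, "-ssdscert", "-ssdsurl", url, "-ssdscertpath", cert_path]

def pin_and_set_bootstrap_cert(url, cert_path, expected=EXPECTED_FINGERPRINT):
    """Fetch the served leaf certificate, refuse on mismatch, save it, then hand it to NDISecTool."""
    pem = ssl.get_server_certificate(parse_ssds_url(url))  # no trust decision made yet
    if not fingerprint_matches(pem, expected):
        raise RuntimeError("SSDS certificate fingerprint mismatch: %s" % sha256_fingerprint(pem))
    with open(cert_path, "w") as fh:
        fh.write(pem)
    return subprocess.run(ssdscert_command(url, cert_path), check=True).returncode
```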