Skyhigh Cloud Connector (CC) commands (CLI commands) allow you to update passwords, configuration names, and user details, as well as configuration checks and registry updates. The stored information is secured in the database.
Credentials and Auth Check
When you enter your credentials, Skyhigh Cloud Connector uses the Bouncy Castle hashing function to store user passwords in the database. Storing the password locally allows CC to communicate with Skyhigh CASB to periodically upload items such as processed events, logs, and health reports.
- Because the passwords are stored locally, it is possible to access the CC web UI when internet access is not available.
- If a user’s password is updated via User Settings through the Skyhigh CASB dashboard, it must be updated explicitly on CC via the CLI command.
NOTE: Starting with Skyhigh CASB 5.4.0, Skyhigh Cloud Connector is Federal Information Processing Standards (FIPS) compliant by default.
Update Cloud Connector Properties using CLI Commands
Follow these steps to update the Cloud Connector properties using CLI commands:
- Stop the CC service.
- The table below lists some of the frequently used Cloud Connector property names that can be updated using the corresponding CLI commands:

|Property Name|CLI command|Usage|Example|
|---|---|---|---|
|u|./shnlpcli sp --name u --val <Newuser> --encrypt|Replace <Newuser> with a new user name.|If the new user name is User1: ./shnlpcli sp --name u --val User1 --encrypt|
|p|./shnlpcli sp --name p --val <password> --encrypt|Replace <password> with a new password.|If the new password is Welcome@123: ./shnlpcli sp --name p --val Welcome@123 --encrypt|
|configName|./shnlpcli sp --name configName --val <NewConfig>|Replace <NewConfig> with a new config name.|If the new config name is Config1: ./shnlpcli sp --name configName --val Config1|
|proxyHost|./shnlpcli sp --name proxyHost --val <IP Address> --encrypt|Replace <IP Address> with a new IP address.|If the new IP address is 172.18.15.27: ./shnlpcli sp --name proxyHost --val 172.18.15.27 --encrypt|
|proxyPort|./shnlpcli sp --name proxyPort --val <Port> --encrypt|Replace <Port> with a new port.|If the new port is 8763: ./shnlpcli sp --name proxyPort --val 8763 --encrypt|
IMPORTANT: The following command lists all CLI commands available in CC:
root@ecqa-automation00-new:/shn/balu-perf# ./shnlpcli --help
- Start the CC service after executing the CLI commands.
For more assistance on CLI commands, contact Skyhigh Support.
Tokenization and Secrets
SHA-1 or SHA-256 is used to tokenize user names, source IPs, and Active Directory custom attributes (if configured). The hash combines the secret salt, or password, with the value.
To dynamically detokenize when dashboard pages are rendered, the browser calls the CC detokenization server over port 443. It then fetches the information and displays the corresponding clear text values.
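The salted-hash tokenization and local detokenization described above, as an added example that is not Skyhigh's code. It assumes the token is the hex digest of the salt followed by the value and that detokenization is a lookup in a map kept beside the tokenizer; the class, field names and sample events are constructed.

```python
import hashlib

# Constructed sample events; field names are assumptions, not the product's schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "src_ip": "10.0.0.5", "action": "upload"},
    {"user": "bob@example.com", "src_ip": "10.0.0.9", "action": "login"},
    {"user": "alice@example.com", "src_ip": "10.0.0.7", "action": "download"},
]
SENSITIVE_FIELDS = ("user", "src_ip")


class Tokenizer:
    """Salted-hash tokenizer that keeps its reverse map on the local side."""

    def __init__(self, salt: bytes, algorithm: str = "sha256"):
        if algorithm not in ("sha1", "sha256"):
            raise ValueError("the page names only SHA-1 and SHA-256")
        if not salt:
            raise ValueError("a non-empty secret salt is required")
        self._salt = salt
        self._algorithm = algorithm
        self._reverse = {}  # token -> clear text; never leaves this process

    def tokenize(self, value: str) -> str:
        # Assumed construction: hash(salt || value), hex encoded.
        data = self._salt + value.encode("utf-8")
        token = hashlib.new(self._algorithm, data).hexdigest()
        self._reverse[token] = value
        return token

    def detokenize(self, token: str):
        # A hash cannot be inverted; only a stored mapping can answer this.
        return self._reverse.get(token)


def tokenize_events(events, tokenizer):
    """Return copies of events with sensitive fields replaced by tokens."""
    return [
        {k: tokenizer.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in e.items()}
        for e in events
    ]


if __name__ == "__main__":
    local = Tokenizer(b"constructed-secret-salt")
    for event in tokenize_events(SAMPLE_EVENTS, local):
        print(event, "->", local.detokenize(event["user"]))
```

The same user yields the same token in every event, so tokenized records can still be correlated, while a tokenizer holding a different salt or no mapping cannot return the clear text.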
Config Check and Registry Update
CC periodically checks for configuration and Skyhigh CASB Registry updates, and syncs the following changes to the local instance:
- If Tokenization is enabled, SHA-1 or SHA-256 is used.
- CC configuration is updated every five minutes.
- The Registry is updated every three hours.