Altiris Software Dev Kit (ASDK)

Environment: ITMS 7.5 SP1 HF5, HTTPS/SSL required.

Goal: A task that runs a script to add a computer to a filter (collection) which I can then add to the end of our imaging job.

Literally the exact use case outlined in the Connect posting below.

https://www-secure.symantec.com/connect/forums/ds71-it-possible-have-taskscript-add-computer-filter

I spliced together the vbscript below which is a combination of the script in the posting above and the built-in examples. Setup as a task on Task Server because it uses token %COMPNAME% so you run it against the target computer.

Problem: It only works if I specify username/password for authenticating to the web services in the script. This is a problem because the password is stored in clear text inside the task.

Running it directly from the NS or from a task server (site server) as an account that has rights to the NS/cmdb it works without specifying the credentials in the script. Running it via SMC task it runs as SYSTEM because it's a task on Task Server and there is no RunAs option like with normal tasks. Again specifying the credentials in the script does work but is problematic.

Specifying to use local assembly does not seem to work from either the NS nor the task server.
The NS has all of the ASDK components. NS error: "Failed to construct DatabaseContext object. Connection to database failed."
Task server should have all of the required ASDK componentes. I ran symantec_asdkcombine_7_5_sp1_64.msi and symantec_asdkservercombine_7_5_sp1_x64.msi. TS error: "Exception has been thrown by the target of an invocation."

I don't really care if using local assembly doesn't work if web service works. Just wondering if anyone can think of something I may be overlooking or perhaps another way of accomplishing this same process. Any advice would be greatly appreciated. I did try changing service "Altiris Object Host Service" to RunAs a service account on TS/NS and it didn't work so I changed it back. That was suggested by another customer in a different post.
 

' Setup management objects
'---------------------------------------

set collectionManagement = CreateObject("Altiris.ASDK.NS.CollectionManagement")
set itemManagement = CreateObject("Altiris.ASDK.NS.ItemManagement")
Const strFilterName = "<filter name>"

'---------------------------------------
' Determine whether to use the web
' or use the local instance.
'---------------------------------------
if wscript.Arguments.Count = 0 then
    'wscript.Echo "No argument passed, using web service"
    args = "-w"
else
    args = wscript.Arguments.Item(0)
end if

if args ="-a" then
    'wscript.Echo "Using the local assembly"
    itemManagement.CreateLocalInstance()
    collectionManagement.CreateLocalInstance()
elseif args = "-w" then
    'wscript.Echo "Using the web service"

ItemManagement.TargetServer  = "<NS name>"
itemManagement.UserName = "<username>"
itemManagement.Password = "<password>"
itemManagement.DomainName = "<domain>"
itemManagement.Protocol = "HTTPS"
itemManagement.Port = "443"
itemManagement.Authenticate()

collectionManagement.TargetServer = "<NS name>"
collectionManagement.UserName = "<username>"
collectionManagement.Password = "<password>"
collectionManagement.DomainName = "<domain>"
collectionManagement.Protocol = "HTTPS"
collectionManagement.Port = "443"
collectionManagement.Authenticate()

elseif args = "-?" then
    wscript.Echo "<script file> [-a, -w, -?] " & vbcrlf _
        & "-w to use the web service. " & vbcrlf _
        & "-a to bypass the web and use the local COM object." & vbcrlf _
        & "-? to display the use information."
        wscript.Quit(-1)
else
    wscript.Echo "Unrecognized option, ending the program." & vbcrlf _
        & " " & vbcrlf _
        & "-w to use the web service." & vbcrlf _
        & "-a to bypass the web and use the local COM object." & vbcrlf _
        & "-? to display the use information."
    wscript.Quit(-1)
end if

strItemName = "%COMPNAME%"
colItems = ItemManagement.GetItemsByName(strItemName)
For Each itemComputer In colItems
itemComputerToAdd = itemComputer.Guid
Next

strItemName = strFilterName
colItems = ItemManagement.GetItemsByName(strItemName)
For Each itemFilter In colItems
itemFilterForAdding = itemFilter.Guid
Next

Call CollectionManagement.AddInclusions(itemFilterForAdding, itemComputerToAdd)
Call CollectionManagement.UpdateCollections(itemFilterForAdding)

Hi,

I see two possible options.

-Either you create a webservice in workflow where you provide computer guid and collection guid and let workflow do the job. The authentication is then done within the workflow and no password is required when you call the webservice for example from a script.

-Or you convert you script to csharp code which you can compile to an EXE file where the password is not seen in cleartext. There are csharp samples in the ASDK folder (...Altiris ASDK\Samples\....). I did this and have added an extra account just for this purpose. The account lets call it ASDKUser still needs to be in the Symantec Administrator group to be able to call the ASDK. But having an extra account and not using your "Altiris" service account gives you a little bit more security and lets you easily disable it if necessary.

Stefan

I opted to go with workflow to create the webservice. This solution is actualy not as difficult as I thought it would be - arguably easier than doing the scripting. I have the authentication and process working now, all that is left is to figure out how to feed the workflow variables/tokens on the fly or have them read from a .csv file or something.

Thanks a lot for the advice Stefan, much appreciated.

Here is an article with a good example.

http://www.symantec.com/connect/articles/access-workflow-web-service-vbscript