POWERSHELL-FMS

This is a collection of assorted powershell scripts to make FIleMaker Server DevOps automation and administration a little less painful at Proof. This collection of scripts is intended to help with the following tasks:

• encrypting/decrypting FileMaker Server admin console username and password so that we can use various powershell scripts to run as admin without storing sensitive info in cleartext
• running a number of fmsadmin commands without retyping username and password for each
• gracefully shutting down fms processes
• installing LetsEncrypt SSL certificates via Win-Acme https://www.win-acme.com or some other LetsEncrypt tool
• dynamically register new IP address with AWS Route53 when the server restarts/reboots
• running various aws commands such as S3 sync/backups and Route53 dynamic DNS updates [TODO]

WARNING

Use at your own risk.

Please be mindful of security best practices when using these powershell-fms scripts. The scripts use Windows PSCredentials object and Window's Data Protection API to save sensitive fmsadmin admin credentials to a file that is stored on the filesystem. Assuming the user account used to create these encrypted files are not compromised, this provides a reasonable but not ideal means to store and retrieve credentials so that we can automate various common FileMaker Server admin operations.

However, the best way to protect your admin password is not to not save it on the filesystem in the first place.

USAGE

1. Download the latest release from from our the public mirror on github, https://github.com/ernestkoe/powershell-fms

   Proof devs/affiliates who need the latest greatest stuff can find this on the proof bitbucket main respository: https://bitbucket.org/proofgroup/powershell-fms/downloads/

   Note: unsigned and untrusted powershell scripts list these won't out-of-the-box without changing PS's execution policy. Read about it here, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7. I will get around to signing these one day.

2. Unpack these files into a directory such as C:\Program Files\proof-powershell-fms\

3. Configure config.json before you use the scripts in the fms folder; the simplest way is to make copy of the template json file, fms\config.json-template and rename it to fms\config.json. Make sure your Hostname value is set correctly.

4. After configuring fms\config.json, you should first create an encrypted username and password file so that the other scripts can perform fmsadmin commands on your behalf.

fms scripts

EncryptCreds.ps1

EncryptCreds.ps1 saves your FileMaker Server admin console credentials to an encrypted PSCredentials object for secure storage on the server file system so that robots, scheduled events or other scripts can decrypt and perform fmsadmin commands on your behalf more securely.

cd to the fms scripts folder, e.g. C:\Program Files\proof-powershell-fms\fms, then run from your powershell prompt:

  > .\EncryptCreds.ps1

Advanced: You can also pass it parameters to override stuff in the config file like so:

 > EncryptCreds.ps1 -filename "{filename}" -path "{somepath}" -u "{fmsadminUsername}" -p "{fmsadminPassword}"

Note: Quotes are optional and are used to escape arguments that contain spaces.

Example:

 .\EncryptCreds.ps1 -filename fmsSecrets.xml -path C:\mysecrets -u theadminuser -p thepassword

DecryptCreds.ps1

Decrypts the encrypted credentials file. Useful to check if everything is properly encrypted.

InstallSSLCerts.ps1

InstallSSLCerts.ps1 is a powershell script that imports LetsEncrypt certificates generated by WACS (win-acme) or similar tools into FileMaker Server 16 and later. It uses the credentials file generated by the EncryptFMSCredentials.ps1 script above to tell perform fmsadmin CERTIFICATE commands on your behalf.

sudofmsadmin.ps1

sudofmsadmin.ps1 runs fmsadmin commands on your behalf using the encrypted credentials. Run your normal fmsadmin command but leave out the fmsadmin, -u, and -p bits. Example:

 > sudofmsadmin.ps1 list clients

StartFMS.ps1

StartFMS.ps1 starts all the processes in the order specified by the StartupSequence element in the fms\config.json. Out of the box, it does the following, but you can change the order and remove/add items as needed:

 "StartupSequence": [
    "SERVER",
    "ADMINSERVER",
    "FMSE",
    "XDBC",
    "WPE",
    "FMDAPI",
    "FMSTB"

ShutdownFMS.ps1

ShutdownFMS.ps1 stops all the processes in the order specified by the ShutdownSequence element in the fms\config.json. Out of the box, it does the following, but you can change the order and remove/add items as needed:

 "ShutdownSequence": [
    "FMSTB",
    "FMSE",
    "XDBC",
    "WPE",
    "FMDAPI",
    "ADMINSERVER",
    "SERVER"

__init__.ps1

Private script used by other scripts in fms module to load up config.json settings and to initialize common vars

Route53

UpdateR53.fp1

UpdateR53 updates AWS route53's DNS record using powershell's AWSPowershell module which is the PS implementation of the native AWS CLI program. Before you run this script, make sure you configure have a properly configured r53_config.json file. You can duplicate or rename r53_config.json-template in the Route53 folder to make one.

Known Issues

Not tested on MacOS X. May work with tweaks to paths but ymmv.