Active IQ Unified Manager Discussions

Using the Get-WfaCredentials in a WFA command script (PowerShell)

RickStratton
6,926 Views

I have created some PowerShell-based WFA commands that allow me to do storage provisioning on IBM Storwize-based storage systems, but I don't like that I have a username/password for logging into the storage systems embedded in my script.

 

Right now, the script has the username/password hard-coded as variables:

 

$storageUser   = "TESTDOMAIN\WFA_USERACCT"
$storagePasswd = '***********'

 

I was hoping I could create a UserName/Password entry in the WFA Execution/Credentials section, and then reference those settings within my script... and I was hoping that the WFA "Get-WfaCredentials" cmdlet would do the trick...

 

For testing, I am using the C:\Program Files\NetApp\WFA\bin\ps.cmd shell (for testing), which loads the WFA cmdlets, and I pass the cmdlet the name of an entry that I put in the WFA Execution/Credentials section. This is what I get when I try it:

 

 

PS C:\Program Files\NetApp\WFA\bin> Get-WfaCredentials -HostName RC_IBM_Storwize
Get-WfaCredentials : Execution URI input line was not set.

 

I think I'm probably missing something simple here... just don't know what it is Smiley Happy

1 ACCEPTED SOLUTION

mbeattie
6,720 Views

Hi Rick,

 

Ah sorry i misunderstood your requirement, if you just want to extract the password from the credentials for use in your SSH command line to the IBM storage system within a WFA command using PowerShell you can just use the "GetNetworkCredential" method of the PSAutomation credential object returned from the "Get-WfaCredentials" CmdLet. EG

 

$credentials = Get-WfaCredentials -HostName RC_IBM_Storwize
$password = $credentials.GetNetworkCredential().Password

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

8 REPLIES 8

mbeattie
6,898 Views

Hi Rick,

 

I think the Get-WFACredential CmdLet can't be used externally to WFA, have you considered either passing a Credential Object into your script or using the CmdLets in the DataONTAP toolkit to cache\retrieve them (See get-help for "Add-NcCredential" and "Get-NcCredential". Once credentials are cached you can use them with the "Connect-NcController" cmdlet)

 

/Matt

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

RickStratton
6,849 Views

Hi Matt, thanks for the reply. I am not creating WFA commands/scripts to connect to NetApp storage devices, rather, I am connecting to IBM Storwize storage devices, so I am not sure that the "Nc" NetApp cmdlets will be able to be used...

 

To get to the IBM storage system CLI, I have to SSH into the system... so, to script out communicating with an IBM Storwize storage device, I use a combination of Microsoft PowerShell talking to the IBM storage system via SSH via Putty PLINK... kinda kludgy, but it is IBM after all!... and it works...

 

As an example, here is an excerpt from one of my PowerShell-based WFA Command scripts ... with a lot of the variable data changed for obvious reasons...:

 

# Set some variables

$plinkPath           =  "C:\Program Files\plink\plink.exe"

$storageUser         = "TESTDOMAIN\WFA_USERACCT"
$storagePasswd       = '***********'

$sourceStorageSystem = "ibmstorage.dns.name"

$sourceStorwizeCmd   = "mkvdisk " + " -iogrp " + $sourceIOGrp + " -mdiskgrp " + $sourceMdiskGrp + " -name " + $sourceVdiskUName + " -size " + $sizeInMB + " -nofmtdisk -unit mb"

 

#Call Putty Plink, to SSH into the IBM Storage System, and then run the command to create a vdisk:

& "$plinkPath" $sourceStorageSystem -ssh -l $storageUser -pw $storagePasswd -batch "$sourceStorwizeCmd" > $exportPath\$uniqueVar-$sourceVdiskName-logfile.txt

 

 

As you can see, I need to pass a username (-l) and a password (-pwd) to Putty PLINK in order to SSH into the IBM storage system... so I was hoping I could store these values somewhere other than in my script, such as storing them in another PowerShell object (hopefully in encryped format) ... and then within my PowerShell-based WFA Command scripts, just set my $storageUser and $storagePasswd variables via the appropriate item of that other object, ie. $credential.Username and $credential.Password

 

Hope that makes sense... I've only had one cup of coffee this morning! Smiley Very Happy

 

 

sinhaa
6,827 Views

@RickStratton @mbeattie

 

The below should get you how to do what you are looking for:

 

 

 http://community.netapp.com/t5/OnCommand-Storage-Management-Software-Discussions/Connect-to-WFA-vi-web-services-using-machine-domain-account/m-p/73654...

 

Its my very old post, but I think its still relavent. 

 

sinhaa

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

RickStratton
6,738 Views

Sinhaa,

 

That is a pretty cool solution... very creative!... Unforunately, my WFA environment doesn't have a valid certificate, so I get this error:

 

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Location: Row '1' step 'rstratton - test2'.

 

 

I ended up being able to get it to work this way:

 

$Credentials    = Get-WfaCredentials -HostName RC_IBM_Storwize
$securepassword = $Credentials.Password
$BSTR           = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securepassword)
$clearpassword  = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

mbeattie
6,812 Views

Hi Rick,

 

You could have your script prompt for credentials. You can use the "GetNetworkCredentials" Method of the PSCredential object to enumerate the username and password. This will save you from having to hard code username and passwords or stop prying eyes of entering passwords in clear text (EG $password = Read-Host "Enter the password").

 

Param(
   [Parameter(Mandatory=$False, HelpMessage="The credentials to authenticate as")]   
   [System.Management.Automation.PSCredential]$Credentials 
)
#'------------------------------------------------------------------------------
#'Prompt for credentials if not provided.
#'------------------------------------------------------------------------------
If(-Not($Credentials)){
   $username    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
   $Credentials = Get-Credential -Credential $username
}
#'------------------------------------------------------------------------------
#'Enumerate variables from credential object
#'------------------------------------------------------------------------------
$domain   = $Credentials.GetNetworkCredential().Domain
$username = $Credentials.GetNetworkCredential().Username
$password = $Credentials.GetNetworkCredential().Password
If(-Not([String]::IsNullOrEmpty($domain))){
   $user = "$domain\$username"
}Else{
   $user = $username
}
If(([String]::IsNullOrEmpty($user)) -Or ([String]::IsNullOrEmpty($password))){
   Write-Warning -Message "Credentials must be provided"
   Break;
}
#'------------------------------------------------------------------------------
#'Set variables.
#'------------------------------------------------------------------------------
$plinkPath =  "C:\Program Files\plink\plink.exe"
$fqdn      = "ibmstorage.dns.name"
$command   = "mkvdisk " + " -iogrp " + $sourceIOGrp + " -mdiskgrp " + $sourceMdiskGrp + " -name " + $sourceVdiskUName + " -size " + $sizeInMB + " -nofmtdisk -unit mb"
#'------------------------------------------------------------------------------
#'Call Putty Plink, to SSH into the IBM Storage System, and then run the command to create a vdisk:
#'------------------------------------------------------------------------------
& "$plinkPath" $fqdn -ssh -l $user -pw $password -batch "$command" > $exportPath\$uniqueVar-$sourceVdiskName-logfile.txt
#'------------------------------------------------------------------------------

 

You might also consider passing the other variables as input parameters so they aren't hard coded either. EG

 

 

Param(
   [Parameter(Mandatory=$True, HelpMessage="The FQDN of the storage system")]   
   [String]$Fqdn,
   [Parameter(Mandatory=$True, HelpMessage="The Source IO Group")]   
   [String]$SourceIOGrp,
   [Parameter(Mandatory=$True, HelpMessage="The Source Mdisk Group")]   
   [String]$SourceMdiskGrp,
   [Parameter(Mandatory=$True, HelpMessage="The Source Vdisk UName")]   
   [String]$SourceVdiskUName,
   [Parameter(Mandatory=$True, HelpMessage="The disk size in MB")]   
   [Int]$SizeInMB,
   [Parameter(Mandatory=$False, HelpMessage="The credentials to authenticate as")]   
   [System.Management.Automation.PSCredential]$Credentials 
)

 

 

Then call your script from a powershell prompt, EG assuming you saved it as "ibm.ps1" in "C:\scripts\ibm" (The -Credentials paramater is optional, IE if you don't provide it it will be prompted for credentials)

 

 

PS C:\Scripts\IBM>ibm.ps1 -Fqdn $Fqdn -SourceIOGrp $SourceIOGrp -SourceMdiskGrp $SourceMdiskGrp -SourceVdiskUName $SourceVdiskUName -SizeInMB $sizeInMB

That should work fine if you don't mind being prompted to enter a username or password when you run the script. If you want to run the script multiple times, first create a credential object in your powershell session then pass it as a paramater so you are not prompted to enter credentials every time. EG

 

PS C:\Scripts\IBM>$Credentials = Get-Credential
PS C:\Scripts\IBM>ibm.ps1 -Fqdn $Fqdn -SourceIOGrp $SourceIOGrp -SourceMdiskGrp $SourceMdiskGrp -SourceVdiskUName $SourceVdiskUName -SizeInMB $sizeInMB -Credentials $Credentials

Hope that gives you some ideas.

 

/Matt

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

RickStratton
6,737 Views

Matt,

 

Thanks for the feedback. I may not have been doing a good job of explaining what I was trying to do... I am trying to do all this within a WFA Command script (PowerShell based), not in an external PowerShell script.

 

I ended up being able to get it to work this way:

 

$Credentials    = Get-WfaCredentials -HostName RC_IBM_Storwize
$securepassword = $Credentials.Password
$BSTR           = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securepassword)
$clearpassword  = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

 

As for the other variables - I agree - most, if not all of them, will be populated either with user input or via other WFA Commands that pass parameters to this WFA Command ... my script right now is just a rough POC script, to make sure I can communicate/configure IBM storage systems via NetApp WFA ... unfortunately, we are a 2-vendor storage environment Smiley Frustrated  

 

I've actually already created an IBM Storwize Data Source collector that then populates an IBM Storwize Scheme and associated Dictionaries

mbeattie
6,721 Views

Hi Rick,

 

Ah sorry i misunderstood your requirement, if you just want to extract the password from the credentials for use in your SSH command line to the IBM storage system within a WFA command using PowerShell you can just use the "GetNetworkCredential" method of the PSAutomation credential object returned from the "Get-WfaCredentials" CmdLet. EG

 

$credentials = Get-WfaCredentials -HostName RC_IBM_Storwize
$password = $credentials.GetNetworkCredential().Password

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

RickStratton
6,660 Views

Matt,

 

That's exactly what I was looking for, sorry for not explaining myself well enough!

 

I appreciate the quick/detailed feedback from both you and Sinhaa.

 

I am a rookie at MS PowerShell scripting... doing some Internet searches, I was seeing references to the "GetNetworkCredential" method, but it wasn't clicking, and wasn't sure I could use it with WFA's Get-WfaCredentials

Public