Active IQ Unified Manager Discussions
Hey guys,
I'm working on an Ansible role to add clusters after they are configured to our AIQUM.
To add the cluster, I have to provide a username and a password into the rest call. This password is then plain in the communication and will be logged or could be sniffed. Even if I'm in our secure internal network area, I don't want to have plain passwords ;-).
My question is, is there a way to encrypt the password or tell AIQUM use this (on UM stored) credential, certificate or ssh key for the connection?
Thx
Matthias
Hi Matthias,
Since the password being posted is part of the POST payload and the connection is https, it is highly unlikely someone can sniff it. The passwords do not get logged in OCUM logs. We only log the request URL being called. You can find the logs under /var/logs/ocum/*.log. Specifically you can take a look at access_log.log where we keep all requests made to OCUM for auditing purposes.
There currently isn't a way to pass encrypted password for adding a datasource.
Regards
Anoop
Could you use Ansible Vault to store those credentials and retrieve them at runtime?
https://docs.ansible.com/ansible/latest/user_guide/vault.html
I'm already using vault to store the passwords.
But I have to put it into the REST API call, and the transmission to the UM server is then plain.
Here is the call:
- name: Add_cluster_to_AIQUM
  uri:
    url: "https://<fqdn>/api/admin/datasources/clusters"
    validate_certs: false   # TLS certificate verification is disabled here
    user: ansible           # user/password already make the uri module send Basic auth
    password: "{{ pwd_definition.aiqum_api }}"
    method: POST
    # cluster credentials travel in the JSON body of the POST
    body: "{ \"address\": \"{{ aiqum_cluster }}\", \"password\": \"{{ pwd_definition.aiqum_pwd }}\", \"port\": 443, \"protocol\": \"https\", \"username\": \"<username>\"}"
    status_code: 201
    body_format: json
    headers:
      Accept: application/json
      authorization: Basic <auth token>   # redundant with user/password above
  when: add_cluster == true
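Added example, not Matthias's task or NetApp's code: the same POST with the Ansible-side controls that address the logging concern, since even when AIQUM does not log the body, Ansible itself prints task results unless told not to. Variable names such as aiqum_fqdn, aiqum_api_user and aiqum_cluster_password are assumptions and are expected to come from the vault-encrypted vars file already in use.

```yaml
# Added example (not from the original post). Assumed variables:
# aiqum_fqdn, aiqum_api_user, aiqum_api_password, aiqum_cluster,
# aiqum_cluster_user, aiqum_cluster_password (all from an Ansible Vault file).
- name: Refuse to run with missing or empty AIQUM credentials
  ansible.builtin.assert:
    that:
      - aiqum_api_password is defined and aiqum_api_password | length > 0
      - aiqum_cluster_password is defined and aiqum_cluster_password | length > 0
    fail_msg: "AIQUM credentials not loaded; check that the vault vars file is included"
    quiet: true
  no_log: true          # the assertion output must not echo the values being tested
  when: add_cluster | bool

- name: Add_cluster_to_AIQUM
  ansible.builtin.uri:
    url: "https://{{ aiqum_fqdn }}/api/admin/datasources/clusters"
    method: POST
    url_username: "{{ aiqum_api_user }}"
    url_password: "{{ aiqum_api_password }}"
    force_basic_auth: true   # send Basic auth on the first request; no hand-built authorization header needed
    validate_certs: true     # keep TLS verification on; trust the UM certificate/CA on the controller instead
    body_format: json
    body:                    # a dict is serialised by the module, so a password containing quotes cannot break the JSON
      address: "{{ aiqum_cluster }}"
      username: "{{ aiqum_cluster_user }}"
      password: "{{ aiqum_cluster_password }}"
      port: 443
      protocol: https
    headers:
      Accept: application/json
    status_code: 201
  register: add_result
  no_log: true          # keeps body and Basic credentials out of stdout, callback plugins and log_path
  when: add_cluster | bool
```

With no_log set, a failing POST also hides the server's error response, so drop it only temporarily when debugging a rejected request.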
I'm definitely not the foremost authority on Ansible (and perhaps someone else will chime in) but if your password data is contained within the body of your POST request, and the URL you specified is HTTPS, is it really being passed to the AIQUM server in plaintext?
You are right. The communication should be encrypted.
In this case, there is only the question: is it logged on the OCUM server in any logfile?
If not, then it's fine.
I'm not 100% sure if any Active IQ Unified Manager/OCUM log would contain a plaintext POST request like that; however, here is a KB article with a list of the log locations and their descriptions that might be worth a look:
Thx @donny_lang and @AnoopShukla for your support