Active IQ Unified Manager Discussions

AIQUM v9.7 REST API add cluster encrypt password

matthias_beck
5,766 Views

Hey guys,

 

I'm working on an Ansible role to add clusters after they are configured to our AIQUM.

To add the cluster, I have to provide a username and a password into the rest call. This password is then plain in the communication and will be logged or could be sniffed. Even if I'm in our secure internal network area, I don't want to have plain passwords ;-).

 

My question is, is there a way to encrypt the password or tell AIQUM use this (on UM stored) credential, certificate or ssh key for the connection?

 

Thx

Matthias

1 ACCEPTED SOLUTION

AnoopShukla
5,646 Views

Hi Matthias,

 

Since the password being posted is part of POST payload and connection is https, it is highly unlikely someone can sniff it. The passwords do not get logged in OCUM logs. We only log the request URL being called. You can find the logs under /var/logs/ocum/*.log. Specifically you can take a look at access_log.log where we keep all request made to OCUM for auditing purposes.

 

There currently isn't a way to pass encrypted password for adding a datasource.

 

Regards

Anoop

View solution in original post

7 REPLIES 7

donny_lang
5,759 Views

Could you use Ansible Vault to store those credentials and retrieve them at runtime? 

 

https://docs.ansible.com/ansible/latest/user_guide/vault.html

matthias_beck
5,757 Views

I'm already using vaul to store the passwords.

 

But I have to put into the rest api call and the transmission to the UM server is then plain.

 

Here is the call:

 

 

- name: Add_cluster_to_AIQUM
  uri:
    url: "https://<fqdn>/api/admin/datasources/clusters"
    validate_certs: false
    user: ansible
    password: "{{ pwd_definition.aiqum_api }}"
    method: POST
    body: "{ \"address\": \"{{ aiqum_cluster }}\", \"password\": \"{{ pwd_definition.aiqum_pwd }}\", \"port\": 443, \"protocol\": \"https\", \"username\": \"<username>\"}"
    status_code: 201
    body_format: json
    headers:
      Accept: application/json
      authorization: Basic <auth token>
  when: add_cluster == true

 

donny_lang
5,748 Views

I'm definitely not the foremost authority on Ansible (and perhaps someone else will chime in) but if your password data is contained within the body of your POST request, and the URL you specified is HTTPS, is it really being passed to the AIQUM server in plaintext? 

 

 

matthias_beck
5,744 Views

You are right. The communication should be encrypted.

 

In this case, there is only the question:  is it logged on the OCUM server in any logfile?

 

If not, than its fine

donny_lang
5,720 Views

I'm not 100% sure if any Active IQ Unified Manager/OCUM log would contain a plaintext POST request like that; however, here is a KB article with a list of the log locations and their descriptions that might be worth a look: 

 

https://kb.netapp.com/app/answers/answer_view/a_id/1001436/~/faq%3A-oncommand-unified-manager-for-clustered-data-ontap-log-files-and-their

 

 

AnoopShukla
5,647 Views

Hi Matthias,

 

Since the password being posted is part of POST payload and connection is https, it is highly unlikely someone can sniff it. The passwords do not get logged in OCUM logs. We only log the request URL being called. You can find the logs under /var/logs/ocum/*.log. Specifically you can take a look at access_log.log where we keep all request made to OCUM for auditing purposes.

 

There currently isn't a way to pass encrypted password for adding a datasource.

 

Regards

Anoop

matthias_beck
5,618 Views

Thx @donny_lang  and @AnoopShukla  for your support

Public