AIQUM v9.7 REST API add cluster encrypt password

Hey guys,

I'm working on an Ansible role to add clusters after they are configured to our AIQUM.

To add the cluster, I have to provide a username and a password into the REST call. This password is then plain in the communication and will be logged or could be sniffed. Even if I'm in our secure internal network area, I don't want to have plain passwords ;-).

My question is, is there a way to encrypt the password or tell AIQUM to use this (on UM stored) credential, certificate or SSH key for the connection?

Thx

Matthias


Re: AIQUM v9.7 REST API add cluster encrypt password

Could you use Ansible Vault to store those credentials and retrieve them at runtime?

https://docs.ansible.com/ansible/latest/user_guide/vault.html


Re: AIQUM v9.7 REST API add cluster encrypt password

I'm already using Vault to store the passwords.

But I have to put it into the REST API call, and the transmission to the UM server is then plain.

Here is the call:

- name: Add_cluster_to_AIQUM
  uri:
    url: "https://<fqdn>/api/admin/datasources/clusters"
    validate_certs: false
    user: ansible
    password: "{{ pwd_definition.aiqum_api }}"
    method: POST
    body: "{ \"address\": \"{{ aiqum_cluster }}\", \"password\": \"{{ pwd_definition.aiqum_pwd }}\", \"port\": 443, \"protocol\": \"https\", \"username\": \"<username>\"}"
    status_code: 201
    body_format: json
    headers:
      Accept: application/json
      authorization: Basic <auth token>
  when: add_cluster == true


Re: AIQUM v9.7 REST API add cluster encrypt password

I'm definitely not the foremost authority on Ansible (and perhaps someone else will chime in) but if your password data is contained within the body of your POST request, and the URL you specified is HTTPS, is it really being passed to the AIQUM server in plaintext?


Re: AIQUM v9.7 REST API add cluster encrypt password

You are right. The communication should be encrypted.

In this case, there is only the question: is it logged on the OCUM server in any logfile?

If not, then it's fine.


Re: AIQUM v9.7 REST API add cluster encrypt password

I'm not 100% sure if any Active IQ Unified Manager/OCUM log would contain a plaintext POST request like that; however, here is a KB article with a list of the log locations and their descriptions that might be worth a look:

https://kb.netapp.com/app/answers/answer_view/a_id/1001436/~/faq%3A-oncommand-unified-manager-for-clustered-data-ontap-log-files-and-their


Re: AIQUM v9.7 REST API add cluster encrypt password

Hi Matthias,

Since the password being posted is part of the POST payload and the connection is HTTPS, it is highly unlikely someone can sniff it. The passwords do not get logged in OCUM logs. We only log the request URL being called. You can find the logs under /var/logs/ocum/*.log. Specifically, you can take a look at access_log.log, where we keep all requests made to OCUM for auditing purposes.

There currently isn't a way to pass an encrypted password for adding a datasource.


Regards

Anoop
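
An added example (not part of the original thread and not NetApp's own code): the task from the earlier post, rewritten so that the protections discussed above hold on the Ansible side as well, with certificate validation enabled and `no_log: true` set. Variable names and the `<fqdn>` and `<username>` placeholders are taken from the post; using `force_basic_auth` in place of the hand-written `authorization` header is an assumption about what the poster intended.

```yaml
- name: Add_cluster_to_AIQUM
  ansible.builtin.uri:
    url: "https://<fqdn>/api/admin/datasources/clusters"
    # Verify the UM server certificate. With validation off, HTTPS does
    # not protect the POST body against an on-path interceptor.
    validate_certs: true
    method: POST
    # Basic auth for the API user, sent with the first request instead
    # of a separately maintained Authorization header.
    url_username: ansible
    url_password: "{{ pwd_definition.aiqum_api }}"
    force_basic_auth: true
    body_format: json
    # A YAML mapping is serialized to JSON by the module, so a password
    # containing quotes or backslashes cannot break the payload.
    body:
      address: "{{ aiqum_cluster }}"
      username: "<username>"
      password: "{{ pwd_definition.aiqum_pwd }}"
      port: 443
      protocol: https
    status_code: 201
    headers:
      Accept: application/json
  # Keep the rendered arguments and the result out of Ansible's task
  # output, verbose (-v) logs and callback plugins.
  no_log: true
  when: add_cluster | bool
```

`no_log: true` also hides the module's error output when the call fails.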


Re: AIQUM v9.7 REST API add cluster encrypt password

Thx @donny_lang and @AnoopShukla for your support
