Active IQ Unified Manager Discussions

Using the Credentials cache to store account passwords?

TIMHOIBERG
4,658 Views

Hi,

I'm currently in the middle of creating an array builder workflow (Thanks to bdave for the excellent Day0 example) and I have to add a local user on every Netapp controller that we use for 3rd party support tools. I don't want to have the user's password in plain text in either the workflow or the execution history table as that would be a breach of our security code of conduct. I was wondering if it's possible to add the user's password as an other credential and then call it as part of the workflow. Does anyone know if it's possible and if so how I can reference it as part of a command?

Regards,

Tim

1 ACCEPTED SOLUTION

bdave
4,658 Views

Hi Tim,

I think Chaitu has the right idea here.  There's a variant of the New-NaUser cmdlet where you can use the credentials as saved by WFA without requiring decryption.  Note this version of calling the cmdlet:

New-NaUser -Credential <PSCredential> [-FullName <String>] [-Comment <String>] [-Groups <String[]>] [-PasswordMinAge <Int64>] [-PasswordMaxAge <Int64>] [-Controller <NaController>] [-WhatIf] [-Confirm] [<CommonParameters>]

where

    -Credential <PSCredential>

        A PSCredential object containing the Username for the new user to be created along with the Password to be used for the new user.

So, changing the Day-0 example command for creating a new user to something a little more secure would start as Chaitu stated by creating a dummy entry in the WFA cache to hold the user and password encrypted.  Then load the credentials into a variable as Chaitu stated, $NewUserCreds = Get-NaCredentials -Host $DummyHost

After that, assuming you're modifying the example command I posted, you could do something like this:

       if ( $options.Length > 0 )

       {

              New-NaUser -Credentials $NewUserCreds $options -Groups $Groups

       }

       else

       {

              New-NaUser -Credentials $NewUserCreds -Groups $Groups

       }

And, you're right.  This would be a more secure form of the command.

Thanks,

Dave

View solution in original post

4 REPLIES 4

chaitu
4,658 Views

Hi Tim,

Yes, you could use Credentials page in WFA to do that. Please add a new credential for your local user against any valid format IP address. Ex: 1.1.1.1.

You could create a command with the below code to read the credentials.

param(

        [Parameter(Mandatory=$true,  HelpMessage="Host for which credentials should be read.")]

        [string] $Host,

        [Parameter(Mandatory=$true,  HelpMessage="User name for which credentials should be read.")]

        [string] $UserName

    )

   $UserCreds = Get-NaCredentials -Host $Host

    if (!$UserCreds) {

       throw "Could not find credentials of host " + $Host

    }

    if ($UserCreds.Username -eq $UserName) {

           Get-WFALogger -Info -message $("Found credentials of " + $UserName)   

    } else {

           throw "Could not find credentials of user " + $UserName

   }

chaitu
4,658 Views

Hi Tim,

In my previous reply, when I said "Please add a new credential for your local user against any valid format IP address. Ex: 1.1.1.1.", I meant you can add the credential for your local user against any junk IP address (this IP address need not be reachable). You can literally add the credential against 1.1.1.1 IP address, and reference it in your command to retrieve these credentials.

bdave
4,659 Views

Hi Tim,

I think Chaitu has the right idea here.  There's a variant of the New-NaUser cmdlet where you can use the credentials as saved by WFA without requiring decryption.  Note this version of calling the cmdlet:

New-NaUser -Credential <PSCredential> [-FullName <String>] [-Comment <String>] [-Groups <String[]>] [-PasswordMinAge <Int64>] [-PasswordMaxAge <Int64>] [-Controller <NaController>] [-WhatIf] [-Confirm] [<CommonParameters>]

where

    -Credential <PSCredential>

        A PSCredential object containing the Username for the new user to be created along with the Password to be used for the new user.

So, changing the Day-0 example command for creating a new user to something a little more secure would start as Chaitu stated by creating a dummy entry in the WFA cache to hold the user and password encrypted.  Then load the credentials into a variable as Chaitu stated, $NewUserCreds = Get-NaCredentials -Host $DummyHost

After that, assuming you're modifying the example command I posted, you could do something like this:

       if ( $options.Length > 0 )

       {

              New-NaUser -Credentials $NewUserCreds $options -Groups $Groups

       }

       else

       {

              New-NaUser -Credentials $NewUserCreds -Groups $Groups

       }

And, you're right.  This would be a more secure form of the command.

Thanks,

Dave

TIMHOIBERG
4,658 Views

Thanks guys, you've been very helpful. I managed to add the credentials using the dummy IP as suggested (1.1.1.1) and it was able to create a test account with the correct password.

Public