4 Replies. Latest reply: Apr 9, 2013 9:44 PM by TIMHOIBERG

Using the Credentials cache to store account passwords?

TIMHOIBERG

Hi,

 

I'm currently in the middle of creating an array builder workflow (thanks to bdave for the excellent Day0 example) and I have to add a local user on every NetApp controller that we use for 3rd party support tools. I don't want to have the user's password in plain text in either the workflow or the execution history table as that would be a breach of our security code of conduct. I was wondering if it's possible to add the user's password as an other credential and then call it as part of the workflow. Does anyone know if it's possible and if so how I can reference it as part of a command?

 

Regards,

Tim

  • Re: Using the Credentials cache to store account passwords?
    chaitu

    Hi Tim,

     

    Yes, you could use the Credentials page in WFA to do that. Please add a new credential for your local user against any valid format IP address. Ex: 1.1.1.1.

    You could create a command with the below code to read the credentials.

     

        param(
            # Named $HostName because $Host is a read-only automatic variable in PowerShell.
            [Parameter(Mandatory=$true, HelpMessage="Host for which credentials should be read.")]
            [string] $HostName,

            [Parameter(Mandatory=$true, HelpMessage="User name for which credentials should be read.")]
            [string] $UserName
        )

        # Look up the credential stored in WFA against the given host entry.
        $UserCreds = Get-NaCredentials -Host $HostName

        if (!$UserCreds) {
            throw "Could not find credentials of host " + $HostName
        }

        # Confirm the stored entry belongs to the expected user; only the user name is logged.
        if ($UserCreds.Username -eq $UserName) {
            Get-WFALogger -Info -message $("Found credentials of " + $UserName)
        } else {
            throw "Could not find credentials of user " + $UserName
        }

    • Re: Using the Credentials cache to store account passwords?
      chaitu

      Hi Tim,

       

      In my previous reply, when I said "Please add a new credential for your local user against any valid format IP address. Ex: 1.1.1.1.", I meant you can add the credential for your local user against any junk IP address (this IP address need not be reachable). You can literally add the credential against the 1.1.1.1 IP address, and reference it in your command to retrieve these credentials.

  • Re: Using the Credentials cache to store account passwords?
    bdave

    Hi Tim,

     

    I think Chaitu has the right idea here.  There's a variant of the New-NaUser cmdlet where you can use the credentials as saved by WFA without requiring decryption.  Note this version of calling the cmdlet:

     

    New-NaUser -Credential <PSCredential> [-FullName <String>] [-Comment <String>] [-Groups <String[]>] [-PasswordMinAge <Int64>] [-PasswordMaxAge <Int64>] [-Controller <NaController>] [-WhatIf] [-Confirm] [<CommonParameters>]

     

    where

     

        -Credential <PSCredential>

            A PSCredential object containing the Username for the new user to be created along with the Password to be used for the new user.

     

    So, changing the Day-0 example command for creating a new user to something a little more secure would start, as Chaitu stated, by creating a dummy entry in the WFA cache to hold the user and password encrypted.  Then load the credentials into a variable as Chaitu stated: $NewUserCreds = Get-NaCredentials -Host $DummyHost

     

    After that, assuming you're modifying the example command I posted, you could do something like this:

     

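           # -gt is the PowerShell comparison operator; ">" would redirect output to a file named 0.
           if ( $options.Length -gt 0 )
           {
                  # Parameter name is -Credential, matching the cmdlet syntax shown above.
                  New-NaUser -Credential $NewUserCreds $options -Groups $Groups
           }
           else
           {
                  New-NaUser -Credential $NewUserCreds -Groups $Groups
           }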

     

    And, you're right.  This would be a more secure form of the command.

     

    Thanks,

    Dave
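
The two replies combined into one WFA command body, as an added example that is not code from chaitu, bdave or NetApp. Assumptions: the parameter names `$Array`, `$DummyHost` and `$Groups` are illustrative, the controller's own admin credential is stored in WFA under the controller's address, and `Get-NaCredentials` returns a PSCredential as the thread describes.

```powershell
# Added example: the password is never a command parameter, only a PSCredential read from the WFA cache.
param(
    [Parameter(Mandatory=$true, HelpMessage="Controller on which the local user is created.")]
    [string] $Array,

    [Parameter(Mandatory=$true, HelpMessage="Placeholder address the new user's credential is stored against, e.g. 1.1.1.1.")]
    [string] $DummyHost,

    [Parameter(Mandatory=$true, HelpMessage="User name expected in the stored credential.")]
    [string] $UserName,

    [Parameter(Mandatory=$true, HelpMessage="Groups the new user is added to.")]
    [string[]] $Groups
)

# Read the new user's credential from the placeholder entry.
$NewUserCreds = Get-NaCredentials -Host $DummyHost
if (!$NewUserCreds) {
    throw "Could not find credentials of host " + $DummyHost
}

# Fail closed if the placeholder entry holds a different account than the workflow expects.
if ($NewUserCreds.UserName -ne $UserName) {
    throw "Could not find credentials of user " + $UserName
}

# Assumption: the controller's admin credential is stored in WFA under the controller's own address.
$AdminCreds = Get-NaCredentials -Host $Array
if (!$AdminCreds) {
    throw "Could not find credentials of host " + $Array
}

# -Transient returns the connection object instead of setting the session-wide current controller.
$Controller = Connect-NaController -Name $Array -Credential $AdminCreds -Transient

# Log the user name and target only. Do not call GetNetworkCredential().Password,
# which would turn the SecureString back into plain text.
Get-WFALogger -Info -message $("Creating user " + $UserName + " on " + $Array)

# The PSCredential carries both the new user's name and password to the cmdlet.
New-NaUser -Credential $NewUserCreds -Groups $Groups -Controller $Controller
```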