14 Replies Latest reply on Nov 3, 2014 6:56 AM by Santosh Kothuru

    Using encrypted properties

      We are storing properties in the property dictionary that we use in some nsh scripts.  We can get them through blcli without problem.  Some of them are sensitive information like passwords and we store them as encrypted strings.  Is there a way to decrypt them in an nsh script so we can do something useful with them?  Our base need is an nsh script that calls Subversion and has to pass credentials.  For now, we are hardcoding them in the script, but we would like to define them in a custom property instance as an encrypted string.

       

      Thanks

        • 1. Using encrypted properties
          Bill Robinson

          Put the below into an XML file like NSH/br/PropertyInstance-PS-Additional.xml on your appserver(s)

           

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE command_inventory SYSTEM "file://bladelogic.com/dtds/Command-Inventory.dtd">
          <command_inventory>
              <name_space name="Property">
                  <complex_command command_id="decryptPropertyValue-PS-0001" published="yes" release="yes">
                      <name>decryptPropertyValue</name>
                      <description>
                          <author>Anonymous</author>
                          <paragraph>
                              <string_literal>This command prints the clear text value of a given encrypted property</string_literal>
                          </paragraph>
                      </description>
                      <argument_list>
                          <argument desc="Name of the property whose value you want to print." name="propertyValue">java.lang.String</argument>
                      </argument_list>
                      <commands_to_execute>
                          <command_invocation>
                              <namespace_ref>BlValue</namespace_ref>
                              <name>createEncryptedStringBlValueBean</name>
                              <input></input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                              <name>parseFromString</name>
                              <input>$propertyValue$</input>
                          </command_invocation>
                          <command_invocation>
                              <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                              <name>getValue</name>
                              <input></input>
                          </command_invocation>
                      </commands_to_execute>
                  </complex_command>
              </name_space>
          </command_inventory>

           

          call it like:

           

              blcli_execute PropertyInstance getFullyResolvedPropertyValue Class://SystemObject/Test/test password
              blcli_storeenv ENC_VALUE
              blcli_execute Property decryptPropertyValue ${ENC_VALUE}
              blcli_storeenv PASS
              echo $PASS

          • 2. Using encrypted properties

            Thanks Bill for the answer,

             

            Technically it is a correct answer, but I have to warn that doing this will show the passwords in clear text in the logs.  I had to do some magic to be able to hide the value, but I fear it will be error prone.

             

            I tried doing

                 PASS=`blcli_execute Property decryptPropertyValue ${ENC_VALUE}`

            but variables don't seem to be expanding and PASS would always be empty, so I did this:

                 blcli_execute Property decryptPropertyValue ${ENC_VALUE} > tmp.txt

                 password=`cat tmp.txt`

                 rm tmp.txt

            I know it is ugly, but this is the only way I found.  Would you suggest something else?

            In our other use case, we use Jython, so we don't have that problem.

             

            Frederic

            • 3. Using encrypted properties
              Gerardo Bartoccini

              You can't use blcli_execute as you're doing.

              See Bill's example above. In your case it would be:

               

              blcli_execute Property decryptPropertyValue ${ENC_VALUE} > /dev/null

              blcli_storeenv PASS

               

              Then you can use $PASS.

              Be aware that if you use it in commands you may see the password in agent logs.

               

              As Bill was recommending somewhere else, here's what you should do:

               

              blcli_execute Property decryptPropertyValue ${ENC_VALUE} > /dev/null

              blcli_storeenv PASS

              echo "your command $PASS" > tmpcommand.sh

              sh ./tmpcommand.sh

              rm ./tmpcommand.sh
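
A more defensive form of the tmp.txt / tmpcommand.sh workaround from the replies above, as an added example that is not part of the original thread: the one-off script is created owner-only under a random name and is removed even when the command fails. `run_private_script` is a hypothetical helper and `PASS` is a constructed sample value; the block assumes a POSIX shell with `mktemp` available and has not been checked under NSH itself.

```shell
#!/bin/sh
# Added example. PASS is a constructed sample standing in for the value that
# `blcli_storeenv PASS` leaves in the environment in the thread above.
PASS='s3cr3t-constructed-sample'

# run_private_script (hypothetical helper): write the command text in $1 to a
# one-off script readable only by the current user, run it, always remove it.
run_private_script() {
    old_umask=$(umask)
    umask 077                       # anything created below is owner-only
    script=$(mktemp "${TMPDIR:-/tmp}/tmpcommand.XXXXXX") || {
        umask "$old_umask"
        return 1
    }
    umask "$old_umask"
    # Clean up on exit and on signals, so an aborted run leaves nothing behind.
    trap 'rm -f "$script"' EXIT
    trap 'rm -f "$script"; exit 1' HUP INT TERM
    # printf is a shell builtin: the secret goes into the file, not into the
    # argument list of a separate process.
    printf '%s\n' "$1" > "$script"
    sh "$script"
    rc=$?
    rm -f "$script"
    trap - EXIT HUP INT TERM
    return "$rc"
}

# `test -n` stands in for "your command"; the secret is embedded in the script
# body exactly as in the tmpcommand.sh approach.
run_private_script "test -n '$PASS'"
```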

              • 4. Using encrypted properties
                Siddu angadi

                Hi Bill,

                 

                I followed your steps; however, I did not succeed.  Please see the below error message and help me:

                 

                Untitled.png

                • 5. Using encrypted properties
                  Bill Robinson

                  Did you put the XML file in the NSH/br/xml/cli directory on all the appservers?

                  • 6. Using encrypted properties
                    Siddu angadi

                    Hi Bill,

                     

                    I did that. I am getting below error when I run commands:

                     

                    Command execution failed. com.bladelogic.om.infra.cli.factory.CommandNotFoundException: Name space : EncryptedStringBlValueBean has no commands by name : getValue

                     

                     

                    Thanks

                    Siddu

                    • 7. Using encrypted properties
                      Bill Robinson

                      Someone else noted in another thread that instead of 'getValue' you should use 'getClearTextString' because the commands have changed in a newer version of BSA.

                      • 8. Re: Using encrypted properties

                        I had the same issue and it took me a few minutes to catch on here.

                         

                        The xml file that contains the definition for the custom command "decryptPropertyValue" needs to be updated.  Change the "getValue" method to "getClearTextString".

                         

                        In my case the file was located in /opt/bmc/BladeLogic/8.1/NSH/br/xml/cli/PropertyInstance-Additional.xml.

                         

                        Don't forget to update all app servers.

                         

                        Thanks again Bill!

                        • 9. Re: Using encrypted properties
                          Santosh Kothuru

                          Bill,

                           

                          I'm receiving this error while running decryptPropertyValue command. Can you please suggest the correct command in 8.3 ?

                           

                          blcli_execute PropertyInstance getPropertyValue Class://SystemObject/BL_SUPPORT/Unix USER_NAME >/dev/null

                          blcli_storeenv ENC_USER

                          blcli_execute Property decryptPropertyValue "$ENC_USER" >/dev/null

                          Command execution failed. com.bladelogic.om.infra.cli.factory.CommandNotFoundException: Name space : EncryptedStringBlValueBean has no commands by name : getValue

                           

                          Thanks,

                          Santosh.

                          • 10. Re: Using encrypted properties
                            Edwin Lindeman

                            did you happen to create the PropertyInstance-PS-Additional.xml ?

                            • 11. Re: Using encrypted properties
                              Santosh Kothuru

                              yes, I did. but still error.

                               

                              blcli_execute Property decryptPropertyValue "$ENC_USER" >/dev/null

                              Command execution failed. com.bladelogic.om.infra.cli.factory.CommandNotFoundException: Name space : EncryptedStringBlValueBean has no commands by name : getValue

                              • 12. Re: Using encrypted properties
                                Edwin Lindeman

                                you try this?

                                Per Previous Thread from Bill

                                 

                                "someone else noted in another thread that instead of 'getValue' you should use 'getClearTextString' because the commands have changed in a newer version of BSA."

                                • 13. Re: Using encrypted properties
                                  Bill Robinson

                                  blenc -d BLencrypt:<hash>

                                  • 14. Re: Using encrypted properties
                                    Santosh Kothuru

                                    Thanks Bill. It's working now.