7 Replies Latest reply on Apr 11, 2013 5:42 PM by Bill Robinson

    Preventing passwords used in NSH script from appearing in the logs

      I have a NSH script that includes a Windows command run via nexec.

       

      cmd /c "netdom join /domain:mydomain.com myserver /ou "OU=Test,DC=mydomain,DC=com" /userd:mydomain\domain.admin /passwordd:somepassword"

       

I would like to avoid having the password appear in clear text in the RSCD logs, but because it is run via nexec there doesn't seem to be any way around this except to generate an external file and then have the NSH script job run that. The problem is that I can only do this via an NSH script, and anything executed via nexec in the NSH script seems to be logged in rscd.log.

       

      Suggestions?

        • 1. Preventing passwords used in NSH script from appearing in the logs
          Bill Robinson

          iirc this should

          1 - copy the below into a file named 'Property-PS-Additional.xml' in the br/xml/cli directory on the system(s) running the nsh script (appservers?)

           

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE command_inventory SYSTEM "file://bladelogic.com/dtds/Command-Inventory.dtd">
<command_inventory>
    <name_space name="Property">
        <complex_command command_id="decryptPropertyValue-PS-0001" published="yes" release="yes">
            <name>decryptPropertyValue</name>
            <description>
                <author>Anonymous</author>
                <paragraph>
                    <string_literal>This command prints the clear text value of a given encrypted property</string_literal>
                </paragraph>
            </description>
            <argument_list>
                <argument desc="Name of the property whose value you want to print." name="propertyValue">java.lang.String</argument>
            </argument_list>
            <commands_to_execute>
                <command_invocation>
                    <namespace_ref>BlValue</namespace_ref>
                    <name>createEncryptedStringBlValueBean</name>
                    <input></input>
                </command_invocation>
                <command_invocation>
                    <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                    <name>parseFromString</name>
                    <input>$propertyValue$</input>
                </command_invocation>
                <command_invocation>
                    <namespace_ref>EncryptedStringBlValueBean</namespace_ref>
                    <name>getValue</name>
                    <input></input>
                </command_invocation>
            </commands_to_execute>
        </complex_command>
    </name_space>
</command_inventory>

           

2 - create an encrypted property and put the passwd in there.

           

          run a command like this in your nsh script:

           

blcli_execute PropertyInstance getFullyResolvedPropertyValue Class://SystemObject/Test/test password
blcli_storeenv ENC_VALUE
blcli_execute Property decryptPropertyValue ${ENC_VALUE} > /dev/null
blcli_storeenv PASS > /dev/null
# write the batch file on the target (not on the app server) and close the quote opened after "cmd /c"
echo "cmd /c \"netdom join /domain:mydomain.com myserver /ou \"OU=Test,DC=mydomain,DC=com\" /userd:mydomain\\domain.admin /passwordd:${PASS}\"" > //<server>/tmp/foo.bat
nexec -i -l <server> cmd /c "c:\tmp\foo.bat"
rm //<server>/tmp/foo.bat

           

          i think that keeps it out of the rscd log.

          • 2. Preventing passwords used in NSH script from appearing in the logs

            I had to make a few changes as the systems I am running this against are Windows servers, not Linux:

             

            Below is my NSH script that works. May not be great but I'm just starting to learn about NSH scripting:

             

HOST=$NSH_RUNCMD_HOST
DEBUG="TRUE"

# Set DEBUG to TRUE to print out all debug statements
sub print_debug()
{
      if [ "$DEBUG" = "TRUE" -o "$DEBUG" = "True" -o "$DEBUG" = "true" ]
      then
            echo $@
      fi
}

# netdom requires at least domain and domain user and password
# We include the OU as well, otherwise server is placed in the default OU, Computers
# Password passed into this script should be encrypted by BladeLogic and it is
# eventually decrypted.
DOMAIN=$1
OU=$2
DOMAINUSER=$3
ENCRYPTED_PASSWORD=$4

# Get the hostname of the server. This may be different than what is listed in BladeLogic
#   as the server can be added any number of ways in BladeLogic (hostname, FQDN, IP address)
#   so long as it resolves on the BladeLogic application server.
LOCALHOSTNAME=`nexec -ncq $HOST cmd /c hostname`

# Decrypt the password and store it in DOMAINPASSWORD which will be used
# by the netdom command.
blcli_execute Property decryptPropertyValue ${ENCRYPTED_PASSWORD} > NUL
blcli_storeenv DOMAINPASSWORD > NUL

# We can't execute the netdom command directly via BladeLogic (through nexec, for example) because
# the password is cleartext in the rscd.log or Transactions/bldeploy log.
#
echo "netdom join /domain:$DOMAIN $LOCALHOSTNAME /ou \"$OU\" /userd:$DOMAINUSER /passwordd:\"$DOMAINPASSWORD\"" > //$HOST/temp/foo.bat
echo "Running command: netdom join /domain:$DOMAIN $LOCALHOSTNAME /ou \"$OU\" /userd:$DOMAINUSER"

# Windows command should be in foo.bat now, so tell BladeLogic to execute batch file.
nexec -ncq $HOST cmd /c "c:\temp\foo.bat"
# Capture the netdom exit status now, before rm overwrites $?
RESULT=$?
# Need to delete foo.bat
rm //$HOST/temp/foo.bat

if test "$RESULT" = "0"
then
      echo "SUCCESS"
else
      echo "ERROR: netdom join failed with exit status $RESULT"
fi
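Bill's step 2 commands and the NSH script in reply 2 share one shape: decrypt the secret, write the command that needs it into a file on the target, run the file, delete the file. The block below is an added example, not code from this thread or from BladeLogic, that shows the same pattern in plain POSIX sh so it runs without an RSCD agent: `sh` stands in for nexec on the target, a printf command stands in for netdom, and the helper names replace_all and run_with_secret_file, the @SECRET@ marker and every sample value are this example's own. It goes a little beyond the thread's scripts: the file is created mode 0600, the audit line is built from the template so the secret never reaches echo or any other process as an argument, the secret is single-quote escaped so a quote or $ inside it cannot break the rendered line (that escaping is sh-specific; a Windows batch file follows cmd.exe quoting instead), and the command's own exit status is returned rather than rm's.

```shell
#!/bin/sh
# Added example (not code from the thread or from BladeLogic): the "write the
# command to a file, run the file, delete the file" pattern in plain POSIX sh.
# `sh` stands in for nexec on the target; all values below are constructed.

# replace_all STRING NEEDLE REPLACEMENT
# Prints STRING with every literal occurrence of NEEDLE replaced by
# REPLACEMENT, using parameter expansion only (no external process is given
# the string as an argument).
replace_all() {
    ra_str=$1; ra_needle=$2; ra_repl=$3; ra_out=
    while [ -n "$ra_needle" ] && [ "${ra_str#*"$ra_needle"}" != "$ra_str" ]; do
        ra_out="$ra_out${ra_str%%"$ra_needle"*}$ra_repl"
        ra_str=${ra_str#*"$ra_needle"}
    done
    printf '%s\n' "$ra_out$ra_str"
}

# run_with_secret_file DIR AUDITLOG SECRET TEMPLATE
# TEMPLATE is the command line with '@SECRET@' (single quotes included) where
# the secret belongs, e.g. "netdom join ... /passwordd:'@SECRET@'".
# Returns the status of the command in the file, not the status of rm.
run_with_secret_file() {
    rw_dir=$1; rw_audit=$2; rw_secret=$3; rw_tpl=$4
    rw_script="$rw_dir/cmd.$$.sh"

    # Escape embedded single quotes ( ' -> '\'' ) so the rendered line stays
    # one quoted word for sh no matter what the secret contains.
    rw_quoted=$(replace_all "$rw_secret" "'" "'\\''")
    rw_cmd=$(replace_all "$rw_tpl" '@SECRET@' "$rw_quoted")

    # umask in a subshell: file is created 0600, caller's umask is untouched.
    ( umask 077; printf '%s\n' "$rw_cmd" > "$rw_script" ) || return 1

    # Audit from the template, not the rendered command: the secret is never
    # on this code path at all (cf. the "Running command:" echo in the thread).
    replace_all "Running: $rw_tpl" '@SECRET@' '***' >> "$rw_audit"

    # Run, keep the status, then clean up; cleanup must not clobber $rw_rc.
    rw_rc=0
    sh "$rw_script" || rw_rc=$?
    rm -f "$rw_script"
    return "$rw_rc"
}

# Stand-alone demo with a deliberately awkward constructed secret. The stand-in
# "command" records what it received so the caller can check delivery.
demo_dir=$(mktemp -d)
demo_secret="it's \$5 & a\\b"
run_with_secret_file "$demo_dir" "$demo_dir/audit.log" "$demo_secret" \
    "printf '%s' '@SECRET@' > $demo_dir/received" \
    && [ "$(cat "$demo_dir/received")" = "$demo_secret" ] \
    && echo "secret delivered intact; audit log says:" && cat "$demo_dir/audit.log"
rm -rf "$demo_dir"
```

Two things the thread's scripts leave open and this keeps in view: while the file exists on the target the secret is readable to anyone who can read that file, so the mode and the prompt removal matter; and if the calling script can itself be killed mid-run, a `trap 'rm -f "$rw_script"' EXIT` set before the run is what guarantees the file does not outlive it.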

            • 3. Preventing passwords used in NSH script from appearing in the logs

              I was using this information to automate things in 8.0 and it was working great.

              Then I upgraded to 8.2 and the EncryptedStringBlValueBean getValue call fails now.

               

              It looks like the way to go is to use EncryptedStringBlValueBean getClearTextString instead.

              • 4. Re: Preventing passwords used in NSH script from appearing in the logs

                Hi All

                 

                What is the correct method for 8.x to get the value of an encrypted string?

EncryptedStringBlValueBean getClearTextString has no input arguments, so how do you specify which property to decrypt?

                Also it is unreleased.

                • 5. Re: Preventing passwords used in NSH script from appearing in the logs
                  Bill Robinson

what is wrong w/ the above? i believe you need to take clarke's post and combine it w/ my original. so swap out one of the commands in the xml.

                  • 6. Re: Preventing passwords used in NSH script from appearing in the logs
                    R V

                    Maybe another - although unreleased - function worth looking at is:

                     

                    Util decryptWithPrefix <encrypted_string_from_property_instance_for_example>

                     

The thing about this function is the "prefix", which is just "BLencrypt:" (you could find out this one with "Util encryptWithPrefix", which will create an encrypted string with the above named prefix).

                    • 7. Re: Preventing passwords used in NSH script from appearing in the logs
                      Bill Robinson

                      or you can use 'blenc -d BLencrypt:<hash>' to decode the value.