Release Automation

  • 1.  encrypt password to connect to ldap

    Posted Oct 20, 2016 05:40 PM

Hi, is there any way to encrypt the password for the user used to connect to LDAP?

Thanks.



  • 2.  Re: encrypt password to connect to ldap
    Best Answer

    Broadcom Employee
    Posted Oct 20, 2016 06:00 PM

    Hi Julio,

I believe you can use the scripts/encrypt_password.sh (or scripts\encrypt_password.bat if you're on Windows) to encrypt the password. To use this tool you will need to open a command prompt and specifically cd to the <nac install dir>. Then run: scripts\encrypt_password.bat <your pass in clear text>

It will return the encrypted version of your password. If you cd to <nac install dir>\scripts and run: encrypt_password.bat <your pass in clear text> then this will generate an error. It must be run from <nac install dir> (last that I remember).

     

    --

    EDIT

    --

I hadn't noticed the screenshot you included. This screenshot is used temporarily to import either a user or a group. It is not stored anywhere and will not accept the encrypted password I mentioned. The encrypted password I mentioned can be used in your distributed.properties file for the integration between RA and LDAP/ActiveDirectory. The distributed.properties setup for LDAP/ActiveDirectory is only needed when importing and using ActiveDirectory or LDAP Groups. It is not needed when importing and using ActiveDirectory or LDAP users.

Regards,
Gregg



  • 3.  Re: encrypt password to connect to ldap

    Posted Oct 21, 2016 04:21 PM

Thanks Gregg, I think it would be useful for a future release to use the distributed.properties file to import users. I have this restriction in my company: the security group needs this password encrypted for importing LDAP users.

Thanks for your help.



  • 4.  Re: encrypt password to connect to ldap

    Posted Oct 27, 2016 06:06 AM

    Hi Gregg

    This is very interesting. Can this password encryption also be used for other passwords that are still in clear-text? I'm thinking about

    • the DB runtime password in conf/context.xml
    • the keystore password in conf/server.xml
    • jmx.web.console.password in webapps/datamanagement/WEB-INF/distributed.properties
    • use.general.ldap.user.password in webapps/datamanagement/WEB-INF/distributed.properties

These are the ones that are not yet encrypted on my NAC, whereas the most critical one is the DB runtime password.

    Cheers

    Bernard



  • 5.  Re: encrypt password to connect to ldap

    Broadcom Employee
    Posted Oct 27, 2016 09:27 AM

Hi Bernard,

Some, yes. Let me go one by one and share with you my understanding.

• the DB runtime password in conf/context.xml

Note: this is an interesting one. I say that because I, like you, thought that this conf/context.xml file was required, but I have seen environments without it and heard other people say that it isn't used. I honestly haven't tried encrypting this password, so I can't give you an answer as to whether or not it would work, but its necessity is questionable. The DB password used in the distributed.properties file can be encrypted using this tool.

• the keystore password in conf/server.xml

Note: later versions (I think after 5.5.2) support using a variable. The product documentation describes where the password would go (in a different file). It is still in clear text, but I think the idea is that it would be in a file less frequently accessed.

• jmx.web.console.password in webapps/datamanagement/WEB-INF/distributed.properties

Note: I haven't tried or heard, but chances might be good since many of the other password fields in this file seem to accept it.

• use.general.ldap.user.password in webapps/datamanagement/WEB-INF/distributed.properties

Note: I believe you can use the encryption tool to encrypt this password.

Sorry I don't have solid yes/no answers for you. I will try and get solid answers for you, but not at the expense of getting caught in other things and possibly not responding at all.

Cheers,
Gregg
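The list of password-bearing settings discussed in posts 4 and 5 (and the two distributed.properties keys raised again in post 8) lends itself to a small audit script. The following is an added example, not code from this thread or from the product: it inventories those settings in distributed.properties, conf/context.xml and conf/server.xml and reports which still hold a clear-text value. The thread does not show what encrypt_password.sh outputs, so "looks encrypted" is a caller-supplied predicate and the ENC: prefix used in the demo is a constructed placeholder; the sample file contents, the JNDI resource name jdbc/radb and the connector port are constructed too. A value of the form ${...} is reported as externalized rather than clear text, which matches the variable approach Gregg mentions for the keystore password.

```python
"""Inventory of password-bearing settings in the CA Release Automation config
files discussed in this thread. Added example, not code from the thread or
the product; assumptions are marked in comments."""
import re
import xml.etree.ElementTree as ET

# distributed.properties keys named in the thread
PROPERTY_KEYS = (
    "data.management.database.pwd",
    "jmx.web.console.password",
    "use.general.ldap.user.password",
)

# "${name}" style reference resolved from another file (the variable approach
# mentioned for the server.xml keystore password)
VARIABLE_REF = re.compile(r"^\$\{[^}]+\}$")


def parse_properties(text):
    """Minimal Java .properties parser: '#' / '!' comment lines, 'key=value',
    'key = value' or 'key: value', and trailing-backslash line continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def classify(value, looks_encrypted):
    """Return 'empty', 'externalized', 'encrypted' or 'cleartext' for one setting."""
    if not value:
        return "empty"
    if VARIABLE_REF.match(value):
        return "externalized"
    if looks_encrypted(value):
        return "encrypted"
    return "cleartext"


def audit(props_text, context_xml, server_xml, looks_encrypted):
    """Return (location, setting, status) for every password-bearing setting."""
    report = []
    props = parse_properties(props_text)
    for key in PROPERTY_KEYS:
        report.append(("distributed.properties", key,
                       classify(props.get(key, ""), looks_encrypted)))
    # conf/context.xml: Tomcat JNDI <Resource password="..."> (DB runtime password)
    for res in ET.fromstring(context_xml).iter("Resource"):
        report.append(("conf/context.xml", f"Resource[{res.get('name')}]/@password",
                       classify(res.get("password", ""), looks_encrypted)))
    # conf/server.xml: Tomcat <Connector keystorePass="..."> (keystore password)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("keystorePass") is None:
            continue
        report.append(("conf/server.xml", f"Connector[{conn.get('port')}]/@keystorePass",
                       classify(conn.get("keystorePass"), looks_encrypted)))
    return report


def cleartext_findings(report):
    """Only the settings that still need the encrypt_password tool (or relocation)."""
    return [(loc, name) for loc, name, status in report if status == "cleartext"]


def placeholder_looks_encrypted(value):
    # Placeholder: the thread does not show what encrypt_password.sh outputs,
    # so substitute the real format here. "ENC:" is a constructed marker.
    return value.startswith("ENC:")


# Constructed sample files (not real RA configuration)
SAMPLE_PROPERTIES = """\
# The DB password shall be encrypted. Please use the encrypt_password.bat/sh utility to encrypt the password.
data.management.database.pwd =
data.management.database.host = dbserver-a
jmx.web.console.password = changeit
use.general.ldap.user.password = ENC:9f8e7d6c
"""
SAMPLE_CONTEXT_XML = """<Context>
  <Resource name="jdbc/radb" auth="Container" type="javax.sql.DataSource"
            username="ra" password="Secret123" url="jdbc:oracle:thin:@dbserver-a:1521/ORCL"/>
</Context>"""
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystoreFile="conf/keystore.jks"
             keystorePass="${keystore.password}"/>
</Service></Server>"""

if __name__ == "__main__":
    for loc, name, status in audit(SAMPLE_PROPERTIES, SAMPLE_CONTEXT_XML,
                                   SAMPLE_SERVER_XML, placeholder_looks_encrypted):
        print(f"{status:12} {loc}: {name}")
```

Run against the constructed samples, the report marks the empty DB password as "empty", the JMX console password as "cleartext", the LDAP user password as "encrypted", the context.xml resource password as "cleartext" and the externalized keystore password as "externalized"; only the two clear-text entries come back from cleartext_findings. Point it at the real files (and replace the placeholder predicate) to get the same inventory for an installation.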



  • 6.  Re: encrypt password to connect to ldap

    Posted Oct 28, 2016 06:21 AM

    Hi Gregg,

Thanks for your answers. If time allows for it, I will give it a go on my sandbox environment. I agree with you regarding the distributed.properties file. If it's good for one password, then it _should_ be ok for other passwords as well.

Regarding context.xml, yes, your comment is really interesting! Simply trash the file and it should be ok. On the other hand, it is not _that_ surprising. We have Oracle Data Guard on the DB side. In the context.xml file, I have painstakingly put together an elaborate Data Guard aware connectionURL, which is apparently not used. The DB usually runs on server A. Sometimes after patching the underlying servers (OS patch, or DB maintenance), they forget to switch the DB back to server A. From a DB perspective, the DB is fully available, running ok on server B. But CARA can't connect to it, so I assume it uses the parameter values fetched from webapps/datamanagement/WEB-INF/distributed.properties. More or less the same parameters, simply using another form. In this file, however, you have the parameter data.management.database.host, which is a hostname, not a Data Guard aware connection string. And you MUST provide this with a single hostname; I have tried quite a number of things that failed one after the other. At this place, there is a single point of failure, even if all other RA components are laid out in HA architecture. A while ago I opened an idea for this but without much response so far. See "Make DB configuration Oracle Dataguard aware".

Anyway, always good to hear from you.

Cheers

Bernard



  • 7.  Re: encrypt password to connect to ldap

    Broadcom Employee
    Posted Oct 31, 2016 12:57 PM

    Hi Bernard,

    Good to hear from you too.

Regarding the use of context.xml, maybe tamme01 can clarify whether it is still used or not (since it is still documented in the "Set Up the Database" section of our Installation guide).

As for using an Oracle Data Guard aware setup, was the idea created after verifying that we do not support this? Or was it created after not being able to get it to work? And does this mean that you still have this single point of failure? If so then maybe you can somehow trigger DNS updates to point to a virtual hostname that gets redirected when a switch occurs. Or maybe use a load balancer device as a way to use active/passive routing to the appropriate database server.

Regarding the keystore and jmx passwords... JulioTelecom and I worked together on a different issue where he just shared with me that we do actually document how to encrypt the keystore and jmx passwords. Please find it here: Security Configuration - CA Release Automation - 6.2 - CA Technologies Documentation (Thanks Julio!)

Cheers,
Gregg



  • 8.  Re: encrypt password to connect to ldap

    Posted Oct 31, 2016 04:43 PM

You mention that I should use encrypt_password.sh; is it OK if I use it twice?

One for:

# The DB password shall be encrypted. Please use the encrypt_password.bat/sh utility to encrypt the password.

data.management.database.pwd = 

and then for:

use.general.ldap.user.password

Thanks.



  • 9.  Re: encrypt password to connect to ldap

    Broadcom Employee
    Posted Nov 03, 2016 09:12 PM

Sorry for the delay. Yes, use it as many times as you need to for different passwords.

Regards,

    Gregg