Automic Workload Automation

  • 1.  Secure storage of sensitive data

    Posted Aug 11, 2016 08:29 AM
    Recently, I have encountered a few scenarios in which it is necessary to retrieve, store, and use a piece of sensitive information — information that should not be accessible to everyone, and really should be accessible only to the job or workflow that needs it. The most recent example involves the RA Web Services agent. The use case looks something like this:
    1. Submit a LOGIN request to the remote application via a REST API, using a user name and the user’s base64-encoded password.
    2. Extract an authentication token from the response from the remote application.
    3. Use this authentication token in the header of subsequent REST requests submitted to the remote application.
    In this scenario, there are two pieces of sensitive information:
    • the base64-encoded password
    • the authentication token
    Either one of these could be used to obtain access to the remote application. Thus, we would like to find a way to store these pieces of information securely. In order to protect these data, task details, activation logs, and other job logs would have to be protected from public view.

    We currently allow all users read-only access to all objects in the Automation Engine system. (Write access is limited based on project, and this is enforced using user group membership and a strict object naming convention.) I suppose we could add a specific exception to the global read-only access, for objects with a certain keyword in the name. Any other ideas?
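
Added example, not part of the original thread: a Python check that scans job report text for the two secrets named in the post above (the base64-encoded password and the authentication token), notes which values are merely base64-encoded text, and redacts them. The report lines, the field shapes (`password=`, `"token"`, `Authorization:`) and all values are constructed assumptions, not real Automation Engine output.

```python
import base64
import binascii
import re

# Constructed sample values and report lines (not real Automation Engine output).
PW_B64 = base64.b64encode(b"s3cr3tPass!").decode()
TOKEN = "9f1c2ab47d3e4c55a0b1"
SAMPLE_REPORT = "\n".join([
    f"08:29:01 POST /api/login user=svc_batch password={PW_B64}",
    f'08:29:02 HTTP 200 {{"token": "{TOKEN}"}}',
    f"08:29:03 GET /api/jobs Authorization: Bearer {TOKEN}",
    "08:29:04 HTTP 200 jobs=12",
])

# Assumed field shapes; each pattern captures (prefix, secret value).
PATTERNS = [
    ("password", re.compile(r"(password=)(\S+)", re.I)),
    ("token", re.compile(r'("token"\s*:\s*")([^"]+)')),
    ("auth_header", re.compile(r"(Authorization:\s*\w+\s+)(\S+)", re.I)),
]

def decodes_as_text(value):
    """True if value is valid base64 of printable ASCII: encoded, not encrypted."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)

def scan(report):
    """Return (line number, kind, recoverable-as-cleartext) for each secret found."""
    findings = []
    for lineno, line in enumerate(report.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append((lineno, kind, decodes_as_text(m.group(2))))
    return findings

def redact(report):
    """Replace every captured secret value, keeping the field name for context."""
    for _, rx in PATTERNS:
        report = rx.sub(lambda m: m.group(1) + "[REDACTED]", report)
    return report

if __name__ == "__main__":
    for finding in scan(SAMPLE_REPORT):
        print(finding)
    print(redact(SAMPLE_REPORT))
```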


  • 2.  Secure storage of sensitive data

    Posted Aug 17, 2016 01:58 PM
    Just wondering if you have found a good way to do this? I am working on something similar.


  • 3.  Secure storage of sensitive data

    Posted Aug 22, 2016 09:34 AM

    I'm currently having the *exact* same issue (Webservice Object, GET-String contains cleartext password) and I also came to the same conclusion with read-restrictions to a VARA-name pattern.

    There are "rumors" about an X-function that can decode the encoded-string that is inputted by a promptset password-textfield / get_login, but we'll go for the read-restrictions.



  • 4.  Secure storage of sensitive data

    Posted Aug 23, 2016 01:29 AM
    Our "global read-only" security group has exceptions in it for similar reasons.


  • 5.  Secure storage of sensitive data

    Posted May 10, 2017 06:00 AM
    Joel Wiesmann wrote:

    There are "rumors" about an X-function that can decode the encoded-string that is inputted by a promptset password-textfield / get_login, but we'll go for the read-restrictions.


    I guess that the x-function to which you allude is DECRYPT_PASSWORD. Isn’t something similar possible just using the job messenger? We use this approach in a few PowerShell scripts:
    :SET &LOGIN_OBJ# = "TEST.LOGIN"
    :SET &LOGIN#     = GET_LOGIN(&LOGIN_OBJ#,"*",TEST,LOGIN_INFO)
    :SET &PW#        = GET_LOGIN(&LOGIN_OBJ#,"*",TEST,PASSWORD)
    $userName        = "&LOGIN#"
    $jobMessenger = "C:\Program Files\uc4\agent\bin\ucxjwx6m.exe"
    $password = & $jobMessenger "CMD=echo &PW#" 2>&1