Automic Workload Automation

  • 1.  AWI login with crypted password

    Posted 13 days ago
    Edited by Antony Beeston 12 days ago

    Hello Community,

    I just noticed that the AWI accepts encrypted passwords for login if given without the preceding '--'. Is this the intended behavior? Or is it a feature?

    If it's a feature, can anyone suggest how to disable it?

    If it's not, doesn't it defeat the purpose, because we store AE user passwords crypted by ucybcryp.exe in plain text files for use with Java/CallAPI integrations?

    NB: I am working with AE version 12.3.9 - Not sure if it has been fixed in a later version ;)



    ------------------------------
    Siva
    ------------------------------



  • 2.  RE: AWI login with crypted password

    Posted 12 days ago
    Hello Sivaprasad
     
    Oops, in our V21.0.4 I can log in with an encrypted password preceded by '--'!!
    Not a good idea with this feature.
    Thanks for the tip here in the forum.
     
    Broadcom should respond.



  • 3.  RE: AWI login with crypted password

    Posted 12 days ago

    Hi Ralf and Siva,

    It's also working in v24.

    It might be supposed to work with the undocumented password parameter (https://community.broadcom.com/enterprisesoftware/viewdocument/awi-urls?CommunityKey=2e1b01c9-f310-4635-829f-aead2f6587c4&tab=librarydocuments)?

    Regards,
    Peter



    ------------------------------
    Automic Certified Professional/Expert & Broadcom Knight

    For AUTOMIC trainings please check https://www.qskills.de/qs/workshops/automic/
    ------------------------------



  • 4.  RE: AWI login with crypted password

    Posted 12 days ago

    Hi Ralf, Peter,

    Apparently, this encryption is not considered secure. I found this old thread while looking through: UCYBCRYP.EXE | Automic Workload Automation (broadcom.com)

    The only way I can think of to disable AWI access is by adjusting the 'AWI Access Control' parameters in user privileges. This ensures the user won't be able to perform any action after logging into the AWI.




  • 5.  RE: AWI login with crypted password

    Posted 9 days ago
    Edited by Michael A. Lowry 9 days ago

    I would be interested to know if a user without the AWI Access Control privileges is able to perform equivalent actions via the Java APIs.



  • 6.  RE: AWI login with crypted password

    Posted 17 hours ago

    Hi @Michael A. Lowry

    There were no such problems while performing actions via Java API with a user without AWI access.

    The same stands for CallAPI as well.

    I need to understand if anyone else has faced such issues.




  • 7.  RE: AWI login with crypted password

    Broadcom Employee
    Posted 8 days ago

    Password obfuscation using UCYBCRYP.EXE was designed to be able to use passwords in configuration files without exposing the password as plain text.
    What is important to understand is that this is obfuscation and not strong encryption, as indicated in the Automic documentation.
    The obfuscated string is merely a different representation of the same password and therefore is accepted as a valid password when used for REST API, Java API and access to AWI.

    The 'AWI Access Control' does not prevent authentication (you can still log in to AWI), but does affect authorization by restricting what a particular user can or cannot access.



    ------------------------------
    Kaj Wierda
    Sr. Product Line Manager | Automation

    Broadcom Software
    ------------------------------
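
Since the obfuscated string is accepted wherever the password is, a file holding it needs the same protection as a file holding the clear-text password. The audit script below is an added example, not part of the thread and not Broadcom code; it assumes POSIX file permissions and a token shape of `--` followed by hex digits, which the thread does not specify, and the sample config files are constructed.

```python
import os
import re
import stat
import tempfile

# Assumed token shape (not stated in the thread): "--" followed by a run of hex digits.
TOKEN_RE = re.compile(rb"--[0-9A-Fa-f]{8,}")

def audit_tree(root):
    """Return findings for files under root that hold password-equivalent tokens."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1024 * 1024)  # config files are small; cap the read
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except OSError:
                continue  # unreadable file: nothing to report from this account
            hits = len(TOKEN_RE.findall(data))
            if hits:
                findings.append({
                    "path": path,
                    "tokens": hits,  # report a count only, never echo the token
                    "mode": oct(mode),
                    # readable by group or others means other local accounts can log in
                    "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
    return findings

def demo():
    """Build constructed sample files (not a real CallAPI layout) and audit them."""
    cfg = b"[LOGIN]\nuser=BATCH\npassword=--10A1B2C3D4E5F6\n"  # constructed value
    samples = {
        "callapi_open.ini": (cfg, 0o644),
        "callapi_tight.ini": (cfg, 0o600),
        "readme.txt": (b"usage: tool --help\n", 0o644),  # no token, must not match
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return {os.path.basename(f["path"]): f["exposed"] for f in audit_tree(root)}

if __name__ == "__main__":
    print(demo())
```

Files reported with `exposed` set should be restricted to the integration's service account, and the affected password rotated if the file was readable more widely than intended.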