Automic Workload Automation

  • 1.  AWI login with crypted password

    Posted Apr 19, 2024 01:43 AM
    Edited by Tony Beeston Apr 19, 2024 03:39 AM

    Hello Community,

    I just noticed that the AWI accepts encrypted passwords for login if given without the preceding '--'. Is this the intended behavior? Or is it a feature?

    If it's a feature, can anyone suggest how to disable it?

    If it's not, doesn't it defeat the purpose, because we store AE user passwords encrypted by ucybcryp.exe in plain-text files for use in Java/CallAPI integrations?

    NB: I am working with AE version 12.3.9 - Not sure if it has been fixed in a later version ;)



    ------------------------------
    Siva
    ------------------------------



  • 2.  RE: AWI login with crypted password

    Posted Apr 19, 2024 09:13 AM
    Hello Sivaprasad
     
    Oops, in our V21.0.4 I can log in with an encrypted password preceded by '--'!!
    Not a good idea with this feature.
    Thanks for the tip here in the forum.
     
    Broadcom should respond.



  • 3.  RE: AWI login with crypted password

    Posted Apr 19, 2024 09:51 AM

    Hi Ralf and Siva,

    It's also working in v24.

    Might it be supposed to work with the undocumented password parameter (https://community.broadcom.com/enterprisesoftware/viewdocument/awi-urls?CommunityKey=2e1b01c9-f310-4635-829f-aead2f6587c4&tab=librarydocuments)?

    regards,
    Peter



    ------------------------------
    Automic Certified Professional/Expert & Broadcom Knight

    For AUTOMIC trainings please check https://www.qskills.de/qs/workshops/automic/
    ------------------------------



  • 4.  RE: AWI login with crypted password

    Posted Apr 20, 2024 02:38 AM

    Hi Ralf, Peter,

    Apparently, this encryption is not considered secure. Found this old thread while looking through: UCYBCRYP.EXE | Automic Workload Automation (broadcom.com)

    The only way I can think of to disable AWI access is by adjusting the 'AWI Access Control' parameters in user privileges. This ensures the user won't be able to perform any action after logging into the AWI.




  • 5.  RE: AWI login with crypted password

    Posted Apr 23, 2024 01:36 AM
    Edited by Michael A. Lowry Apr 23, 2024 01:36 AM

    I would be interested to know if a user without the AWI Access Control privileges is able to perform equivalent actions via the Java APIs.



  • 6.  RE: AWI login with crypted password

    Posted May 01, 2024 09:53 AM

    Hi @Michael A. Lowry

    There were no such problems while performing actions via the Java API with a user without AWI access.

    The same stands for CallAPI as well.

    Need to understand if anyone else has faced such issues.




  • 7.  RE: AWI login with crypted password

    Broadcom Employee
    Posted Apr 23, 2024 04:09 AM

    Password obfuscation using UCYBCRYP.EXE was designed to be able to use passwords in configuration files, without exposing the password as plain text.
    What is important to understand is that this is obfuscation and not strong encryption, as indicated in the Automic documentation.
    The obfuscated string is merely a different representation of the same password and therefore is accepted as valid password when used for REST API, Java API and access to AWI.

    The 'AWI Access Control' does not prevent authentication (you can still log in to AWI), but does affect authorization by restricting what a particular user can or cannot access.



    ------------------------------
    Kaj Wierda
    Sr. Product Line Manager | Automation

    Broadcom Software
    ------------------------------
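Given the behaviour described above (the obfuscated string is accepted as a valid credential by AWI, REST and Java API), any config file holding such a string should be treated exactly like a file holding the plaintext password: the reader does not need to know the de-obfuscation algorithm, because the token logs in as-is. The following audit script is an added example, not code from this thread or from Broadcom. It takes from the thread only that obfuscated values are prefixed with '--'; the hex body after the prefix, the file name suffixes it scans, and the sample .ini content are assumptions constructed for the example.

```python
"""Audit Automic-style config files for obfuscated (UCYBCRYP) password values.

Added example, not Broadcom code. Assumption from the thread: obfuscated
values start with '--'. Further assumptions of this script: the rest of the
token is hex, and credentials live in .ini/.properties/.xml files.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: '--' followed by a run of hex digits (not stated by the thread).
OBFUSCATED = re.compile(r"--[0-9A-Fa-f]{8,}")
CONFIG_SUFFIXES = (".ini", ".properties", ".xml")  # assumption


def find_obfuscated_credentials(text):
    """Return (line_no, key, token) for each non-comment line holding a token.

    Comment lines (';' or '#') are skipped so examples in comments do not
    count as live credentials.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        match = OBFUSCATED.search(stripped)
        if not match:
            continue
        key = stripped.split("=", 1)[0].strip() if "=" in stripped else ""
        hits.append((lineno, key, match.group(0)))
    return hits


def readable_by_others(path):
    """True if group or world can read the file (POSIX mode bits)."""
    mode = Path(path).stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path):
    """Report tokens in one file; a hit means the file is as sensitive as plaintext."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = find_obfuscated_credentials(text)
    return {
        "path": str(path),
        "credentials": hits,
        # The obfuscated token authenticates directly, so exposure of the
        # file equals exposure of the password.
        "equivalent_to_plaintext": bool(hits),
        "readable_by_others": readable_by_others(path) if hits else False,
    }


def audit_tree(root, suffixes=CONFIG_SUFFIXES):
    """Walk a directory and return reports only for files that contain tokens."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                report = audit_file(Path(dirpath) / name)
                if report["credentials"]:
                    reports.append(report)
    return reports


# Constructed sample, not a real Automic configuration.
SAMPLE_CONFIG = """\
[GLOBAL]
name=CALLAPI01
; comment with --DEADBEEF12 must be ignored
[USER]
login=*,AUTOMIC,UC4,--10B3F5E2A7C4D9013F
[CONNECTION]
cp=localhost:2217
[SECOND]
password=--1037E0B2C4D6F8A1
"""


def demo():
    """Write the sample into a temp dir with a lax mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "ucxjcitx.ini"  # assumed file name
        cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
        cfg.chmod(0o644)  # group/world readable: the finding we want to see
        return audit_tree(tmp)


if __name__ == "__main__":
    for report in demo():
        print(report["path"], "readable_by_others:", report["readable_by_others"])
        for lineno, key, token in report["credentials"]:
            print(f"  line {lineno}: {key}={token[:6]}...")
```

Run it against the directories holding CallAPI, Java API and agent configuration files; every reported file should have its mode tightened to the service account only, or better, the credential moved out of the file into a secret store the integration reads at start-up.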



  • 8.  RE: AWI login with crypted password

    Posted May 02, 2024 05:34 AM
    Edited by Michael A. Lowry May 02, 2024 05:34 AM

    @Kaj Wierda wrote:

    The 'AWI Access Control' does not prevent authentication (you can still log in to AWI), but does affect authorization by restricting what a particular user can or cannot access.

    That was my understanding as well.

    @Sivaprasad PR: to the best of my knowledge, there is no way to grant or deny specific authorizations on the basis of whether the user is performing an action via an API or via the web interface. Anything a user can do via the Java APIs, the user also can do via the AWI, and vice versa.