In the "early days" it was possible to extract passwords from LOGIN objects by simply echoing them with the Job Messenger.
Some time around 10.x, it appears they introduced a sort of "blacklist" preventing you from using that method with the pre-defined password types ("UNIX", "WINDOWS", "R3" and another I can't remember). You could go around this by temporarily changing the type of password from the pre-defined one to a custom type, which were not subject to the "blacklist" and could still be exported. Of course, fully at your own risk as this approach required writing a field in the database. I recently tried this method in 12.2, and couldn't get it to work, so it appears they are patching holes with the printing of passwords. Unfortunately I can't recall anymore why specificially I couldn't get it to work any more (it was late ... ;) but I remember thinking it looks like done on purpose, then gave up.
You specified "ORACLE" as a "type" parameter to get_login, which is a custom login type, right?
I have the strong feeling the inability to get passwords back is now "by design". But since this was not communicated, the ticket is the way to go regardless. I'd be very interrested in what the outcome is (since we occasionally also need a password back), so if you could keep us up to date here, much appreciated.
Best,
Carsten
Original Message:
Sent: 08-02-2019 01:57 PM
From: Reed Byers
Subject: UC_JOBMD returning only two chars?
At Oregon State University, we've just started migrating from Application Manager to AWA. We started on AWA version 12.2 (I think), and just upgraded to 12.3.0+build.1563349870418 when it was released.
We took some training courses, and our instructor gave us the following code so we could extract and decrypt a password from a login object, for use in a BASH script:
:PSET &db_pass# = get_login(&login#, &$INT_ACCOUNT#, "ORACLE", PASSWORD)
export DB_PASS=$(&UC_JOBMD CMD="echo &db_pass#")
This worked just fine prior to the upgrade. When we upgraded to 12.3, it broke.
The result from the above code now, is that the BASH variable simply contains two dashes ("--").
We recognized that this is just the first two characters of the encrypted password, so we tried this test:
&UC_JOBMD CMD="echo sharitest"
This resulted in "sh" being output.
&UC_JOBMD seems determined to only give us two characters from our echo commands. Can anyone explain this?
Did we break something? Is there a setting we need to fix? Is this a bug in 12.3?
Thanks for your help...
------------------------------
Reed Byers
Programmer/Analyst
Oregon State University
------------------------------