Automic Workload Automation

Expand all | Collapse all

Hiding a Variable value in Logs?

  • 1.  Hiding a Variable value in Logs?

    Posted 08-15-2019 10:53 AM
    Is there a way to encrypt a variable value so it does not show on the logs?    Our need is to hide our values that we need for encryption and decryption jobs we have built in Automic.


  • 2.  RE: Hiding a Variable value in Logs?

    Posted 08-15-2019 11:21 AM
    I suspect you are asking about how to encrypt and use passwords in a secure fashion.

    We store our passwords in LOGIN objects, retrieve the encrypted password via the GET_LOGIN() function, and pass it to the command line through the &UC_JOBMD feature which processes the decrypted value but only displays the encrypted value.


  • 3.  RE: Hiding a Variable value in Logs?

    Posted 08-17-2019 10:03 AM
    actually we have created jobs that encrypt and decrypt files we would like to hide some of the variables that contain pass phrase information.

  • 4.  RE: Hiding a Variable value in Logs?

    Posted 08-19-2019 05:30 AM

    I don't know of any supported way to encrypt or remove ​variable resolution statements from logs or report and would be surprised if there is one.

    You could certainly wipe the statements from the Automic logs as part of the job run e.g. using sed or perl, but that's just a dirty hack and also a major race condition, and altering the logs might or might not affect your support status if the logs are ever required for support cases. Altering the DB to wipe output from reports certainly would.

    In general though, I'm a bit wary of automating pass phrase entry through Automic. Without even considering past or future potential security issues or other exposure scenarios in Automic, passing a pass phrase over an Automation tool usually means it's passed as a command line parameter to some process (i.e. your encryption tool). This usually means it's in the OS environment for that process, and this usually means any other job running as the same user can probably get to your pass phrase as well. I'm not saying this is impossible to secure, there's ways to pipe stuff to programs without exposing it to the process environment, but this whole cascade will not be trivial to get right.

    After all, there's a reason tools will demand a pass phrase on stdin and not via command line, and the gpg man page for instance says: "Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it."

    If you ARE using gpg, maybe consider "--passphrase-file". You'd still have a file with a pass phrase that somehow needs to be secured for the purpose (not sure if fully possible), but you wouldn't need to put your pass phrase into Automic.

  • 5.  RE: Hiding a Variable value in Logs?

    Posted 08-19-2019 01:37 PM
    I seem to remember that when we set up our gpg solutions that passphrases were optional, so we decided to not use them.  We couldn't think of a compelling reason to use them in a silent batch solution.


  • 6.  RE: Hiding a Variable value in Logs?

    Posted 08-20-2019 08:59 AM

    every output from an OS command of a OS Job is automatically shown in the job report and there is no way to hide it

    Workaround: call a batch file or shellscript and pass parameter into it.

    KR Wolfgang

    I know I do really know it!