Automic Workload Automation

  • 1.  Authorization levels for the Service Manager

    Posted May 06, 2020 11:11 AM
    Hello!

    We have recently installed the AE Version 12.3.2 HF2. While configuring the Service Manager ini-file we have encountered some problems.
    The ini file of this new version includes the parameters password_l1, password_l2 and password_l3 for realizing authorization levels for the Service Manager. Testing in our dev environment, we set the same password for each level. This resulted in not being able to start the service manager!

    As a quick test, we tried to disable the 3 parameters by commenting them and instead set the parameter "password" as in the inis of previous versions.

    This worked out fine - but - after starting the service manager, we looked in the ucybsmgr.ini again. The "password" parameter we had just set had disappeared. Instead, however, the parameters password_l2 and password_l3 were set by themselves again and they worked.

    Although this method works, we would like to know why the intended way of setting the authorization levels does not work.

    We have tested that actively setting the level 3 password is only possible by setting a new password in the service manager dialog! This leads to the level2 password still being the "old" password and the level3 password being the "new" one. We did not manage to change or set the level1 password at all.

    Does anybody have the same issues with their Service Manager?

    Kind regards

    Christoph Sassenroth

    ------------------------------
    Application Manager/Admin
    Debeka
    ------------------------------


  • 2.  RE: Authorization levels for the Service Manager
    Best Answer

    Posted May 07, 2020 02:39 AM
    Hi @Christoph Sassenroth,

    I had some problems myself getting this to work, but using the following approach solved my issue, perhaps it helps you as well...


    The information for the passwords does not appear to work if directly entered into the ucybsmgr.ini. The way to do this would be as such:
    From a service manager dialog connecting to a service manager that has no passwords set:
    1.) In the upper left corner of the ucybsmgr click on the icon and select change password
    2.) select '3' and then enter and confirm a password. Do NOT enter any value for administrator password
    3.) select ok
    4.) select change password again
    5.) select '2' and then enter and confirm a password. Enter the value from step 2 as the administrator password
    6.) select ok
    7.) select change password a third time
    8.) select '1' and then enter and confirm a password. Enter the value from step 2 as the administrator password
    9.) select ok
    Now all three values should be set - you'll see in the ucybsmgr.ini that all three now have encrypted values present.
    Once you refresh the service (and it shows the access denied) you can then go back to the upper left and select 'enter password' - once you've done so and refresh via f5 the access denied message should disappear.
    If you've already entered values, delete all values from the ucybsmgr.ini and restart the service.

    /Keld.



  • 3.  RE: Authorization levels for the Service Manager

    Posted May 07, 2020 08:12 AM
    Hi Keld,

    thanks for your reply! We are surely going to try this method and keep you updated whether it worked or not!

    Regards 

    Chris

    ------------------------------
    Application Manager/Admin
    Debeka
    ------------------------------



  • 4.  RE: Authorization levels for the Service Manager

    Posted Aug 09, 2020 07:34 AM
    Edited by Michael A. Lowry Aug 10, 2020 04:53 AM
    Here's a screenshot of the new password change dialog in SMgr 12.3:

    As @Keld Mollnitz pointed out, one must set the passwords in the order 3, 2, 1. The administrative password one sets for level 3 must be used when setting the passwords for levels 2 and 1.

    I made some additional findings during testing:
    • The passwords written to the ucybsmgr.ini file are different from the encrypted passwords generated by UCYBCRYP.EXE.  The documentation page on the Service Manager GUI states:
      Unlike previous versions of the ServiceManager, the passwords are not encrypted but stored as hashes in the INI file of the Service Manager...
      (Emphasis mine)
      A quick analysis revealed the hashing algorithm to be SHA2-512. Unlike DES, a one-way hash function cannot be reversed; and with a large salt, it provides good protection against rainbow table attacks. For this use case, switching from a symmetric & deterministic encryption algorithm to a one-way hash function makes sense.

      Because we now know that SHA2-512 is the hash function used, it's also now possible to generate password hashes outside of the program and insert them into the ucybsmgr.ini file. This is convenient if you generate INI files programmatically.
    • In the section describing the -p (password) option, the documentation page for the Service Manager Command Line program ucybsmcl still refers to the Encoding Passwords page:

      -p Password

      This parameter is optional for START_PROCESS and STOP_PROCESS. For information on encrypting passwords, see Encoding Passwords.

      This gives the misleading impression that encrypted passwords generated by UCYBCRYP.EXE work with the SMgr command line program. They do not. Plaintext passwords must be used with both the GUI and CLI.

    • Moreover, the documentation for ucybsmcl is out-of-date. It does not reflect the fact that whether a password is required to perform a particular command now depends on the lowest authorization level defined in the ucybsmgr.ini file. For instance, if a password is set for Authorization Level 1 (password_l1), a password will be required even to run the GET_PROCESS_LIST command.
    Ping @Elina McCafferty ​​​
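
Added example, not part of the posts above and not Automic code: a small audit for ucybsmgr.ini files that are generated or deployed programmatically, reporting which of the password parameters named in this thread are set and what the thread says follows from that. The section name, the `<hash-...>` values and the treatment of `;` and `#` as comment markers are assumptions.

```python
import re

LEVEL_KEYS = {"password_l1": 1, "password_l2": 2, "password_l3": 3}
KEY_VALUE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

# Constructed sample; the section name and the <hash-...> values are placeholders.
SAMPLE_INI = """\
[GLOBAL]
;password_l1=<hash-1>
password_l2=<hash-2>
password_l3=<hash-3>
"""

def audit_smgr_ini(text):
    """Report which Service Manager password parameters an INI text sets."""
    levels, legacy = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":   # blank, commented out, or section header
            continue
        match = KEY_VALUE.match(line)
        if not match or not match.group(2).strip():
            continue                        # not key=value, or the value is empty
        key = match.group(1).lower()
        if key == "password":
            legacy = True
        elif key in LEVEL_KEYS:
            levels.add(LEVEL_KEYS[key])

    findings = []
    if legacy:
        findings.append("legacy 'password' set: the thread saw it replaced by "
                        "password_l2/password_l3 after a start")
    if levels and 3 not in levels:
        findings.append("level 3 missing: it is the administrator password "
                        "needed to set levels 2 and 1")
    if 1 in levels:
        findings.append("password_l1 set: even GET_PROCESS_LIST needs a password")
    if not levels and not legacy:
        findings.append("no password parameter set")
    return {"levels": sorted(levels),
            "lowest": min(levels) if levels else None,
            "findings": findings}

if __name__ == "__main__":
    print(audit_smgr_ini(SAMPLE_INI))
```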




  • 5.  RE: Authorization levels for the Service Manager

    Broadcom Employee
    Posted Aug 10, 2020 01:58 AM
    Thank you, @Michael A. Lowry! I've passed this on, and the writer will review the content.​


  • 6.  RE: Authorization levels for the Service Manager

    Broadcom Employee
    Posted Aug 27, 2020 07:07 AM
    The reviewed version of the documentation is online.
    Best,
    Nicole Schwarz

    ------------------------------
    Documentation Engineer
    Broadcom
    ------------------------------



  • 7.  RE: Authorization levels for the Service Manager

    Posted Aug 18, 2020 07:20 AM
    Hi @Michael A. Lowry, @Elina McCafferty, @Keld Mollnitz

    Thanks for checking the password topic!
    I tried to use the SHA2-512-encrypted password from the ucybsmgr.ini when calling the ucybsmcl.exe. That didn't work.
    But the password - encrypted with UCYBCRYP.EXE - works fine.

    ​Maybe you just stumbled over the 2 dashes...

    All my components are on V12.3.2

    Cheers
    Christoph 





    ------------------------------
    ----------------------------------------------------------------
    Automic AE Consultant and Trainer since 2000
    ----------------------------------------------------------------
    ------------------------------