VMware Aria Automation Orchestrator


Decrypt vRO Endpoint passwords

  • 1.  Decrypt vRO Endpoint passwords

    Posted Feb 28, 2023 08:38 AM

    Good morning guys,

    I'm currently trying to decrypt a vRO Active Directory endpoint password from vRO. The passwords come under a crypted string like vcoencrypted:{riv}dX5Bw6UfnbG7bH83HtiJDmqMeSqFhzEv5YN+UPbaucE=

    In the previous 7.x version there was a script /usr/lib/vco/tools/configuration-cli/bin/vro-configure.sh decrypt --value vcoencrypted:{riv}dX5Bw6UfnbG7bH83HtiJDmqMeSqFhzEv5YN+UPbaucE= that could achieve that.

    Unfortunately this doesn't exist anymore in vRO 8.

    Is there any other way to decrypt these crypted strings?

    Thanks for your help!



  • 2.  RE: Decrypt vRO Endpoint passwords

    Posted Feb 28, 2023 12:19 PM
    How about this: https://github.com/vmware/o11n-plugin-crypto

    ** If you found this reply useful, may I have kudos **


  • 3.  RE: Decrypt vRO Endpoint passwords

    Posted Feb 28, 2023 04:13 PM

    Thanks for sharing, but it seems impossible to decrypt this kind of vRO crypting from this plugin. Or at least I didn't succeed!

    Thanks anyway



  • 4.  RE: Decrypt vRO Endpoint passwords

    Posted Feb 28, 2023 12:47 PM

    EncryptedString values can only be decoded by the Server IIRC (or Plugins - can't 100% recall)

    One option you could look at might be the WorkflowToken for the "Add an Active Directory server" workflow run if it still exists. The input variable there is stored as a SecureString which a workflow/action can retrieve and print (or at least this used to work in 7.x)

    -- EDIT -- Checked on a 7.x and while that workflow has a variable on the token, it looks to be *always* empty after the workflow has ended... Script is the option then

    Code is here

    eoinbyrne_0-1677588279768.png

    Failing that, if you're desperate and have access to a 7.x you might be able to re-create the vro-configure.sh script on the 8.x? Since the script calls a Java class in the background it's possible that the relevant JARs and classes still exist on 8.x - this would be logical since the 8.x server has to have the same capability available if the string is encrypted with a host-level key?



  • 5.  RE: Decrypt vRO Endpoint passwords
    Best Answer

    Posted Feb 28, 2023 03:30 PM

    This KB is interesting - https://kb.vmware.com/s/article/83653 - due to the part on running an RPM installation for vco-cfg-cli which looks rather like the old vro-configure.sh you were looking for?

    Might be worth a shot to get that package installed and then explore the help docs to see what other services it provides?



  • 6.  RE: Decrypt vRO Endpoint passwords
    Best Answer

    Posted Feb 28, 2023 03:36 PM

    I found a slightly wonky 8.x instance in our lab and tried out my own suggestion there & it looks like that has what you need

    eoinbyrne_0-1677598515853.png

    You need to run the "vro-configure-inner.sh" as the wrapper variant complained about "su" not being on the PATH for the Container bash session

    -HTH

     



  • 7.  RE: Decrypt vRO Endpoint passwords

    Posted Feb 28, 2023 04:11 PM

    Hi guys and sorry for my late answer!

    That is exactly what I needed! Just didn't realize that it's an optional RPM!

    I decrypted the password correctly through the script! That's great!

    Many thanks for your help.



  • 8.  RE: Decrypt vRO Endpoint passwords

    Posted Mar 08, 2023 03:35 PM

    in vRO8 the script reports 'null' for SecureString inputs 



  • 9.  RE: Decrypt vRO Endpoint passwords
    Best Answer

    Posted Mar 22, 2023 10:08 AM

    Hi Xian

     

    That is weird. Here is what I did to accomplish this task :

    I retrieve the encrypted Active Directory password with this method :

     

    adHost.hostConfiguration.sharedUserPassword

     

     

     

    And here is my action code to decrypt vRO encrypted passwords:

     

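    // Run the vco-cfg-cli decrypt command against the encrypted value
    var command = new Command("/usr/lib/vco-cli/bin/vro-configure-inner.sh decrypt --value " + stringToDecrypt);
    command.execute(true); // true = wait for the command to finish
    var cmdResult = command.result;
    var cmdOutput = command.output;
    if (cmdResult != 0) {
        throw "Command output: " + cmdOutput;
    }
    // The decrypted value is on the third line from the end of the CLI output
    var splittedResult = cmdOutput.split("\n");
    var adPassword = splittedResult[splittedResult.length - 3];
    return adPassword;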

     

     

    It returns the result successfully.

     

    Obviously you have to configure the vRO instance as mentioned before in this thread.

    Configure the vro-cfg-cli :

    kubectl get pods -n prelude
    kubectl -n prelude exec -it vco-app-7fbc9c65cc-2vm25 -c vco-server-app -- bash
    rpm -hiv --nodeps /vco-cfg-cli.rpm

     

    And allow vRO to execute system commands by adding this property in Control Center :

    com.vmware.js.allow-local-process: true
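
Added example (not part of the post above, and not VMware code): the action in that post concatenates its input straight into a command line while local process execution is enabled, so this variant refuses anything that is not shaped like the thread's sample value and keeps CLI output out of error messages. The format regex, the helper names and the `run` callback are assumptions made for illustration; the CLI path and the "third line from the end" rule come from the post.

```javascript
// Plain ES5, so the same code can run in a vRO action and in Node.
var VRO_CLI = "/usr/lib/vco-cli/bin/vro-configure-inner.sh"; // path from the post

// Assumed shape, inferred only from the sample value in this thread:
// "vcoencrypted:" + "{tag}" + Base64 body. No whitespace, no other characters.
var VCO_ENCRYPTED = /^vcoencrypted:\{[a-z0-9]+\}[A-Za-z0-9+\/]+={0,2}$/;

// Build the command line only for values that match the expected shape.
function buildDecryptCommand(value) {
    if (typeof value !== "string" || !VCO_ENCRYPTED.test(value)) {
        throw new Error("Refusing to run CLI: input is not a vcoencrypted string");
    }
    return VRO_CLI + " decrypt --value " + value;
}

// Same rule as the post: the value sits on the third line from the end.
function extractDecrypted(output) {
    var lines = String(output).split(/\r?\n/);
    var secret = lines.length >= 3 ? lines[lines.length - 3] : "";
    if (secret === "") {
        throw new Error("Unexpected CLI output layout");
    }
    return secret;
}

// run(commandLine) must return { result: <exit code>, output: <stdout text> }.
function decryptEndpointPassword(value, run) {
    var res = run(buildDecryptCommand(value));
    if (res.result !== 0) {
        // Report the exit code only: the output may contain secret material.
        throw new Error("decrypt exited with code " + res.result);
    }
    return extractDecrypted(res.output);
}

// Runner for use inside vRO; wraps the Command scripting class used in the post.
function vroRunner(commandLine) {
    var c = new Command(commandLine);
    c.execute(true);
    return { result: c.result, output: c.output };
}
```

Inside a vRO action the call is `decryptEndpointPassword(stringToDecrypt, vroRunner)`; avoid passing the returned value to System.log.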

     



  • 10.  RE: Decrypt vRO Endpoint passwords

    Posted Mar 22, 2023 10:46 AM

    Thanks,

    I was referring to  's code on getting SecureString inputs from workflow runs, which did not work for me.



  • 11.  RE: Decrypt vRO Endpoint passwords

    Posted Mar 22, 2023 02:22 PM

     Apologies, I got mixed up in the concurrent contexts there

    Also, I'm seeing the same thing in vRO 8.x - SecureString attributes print as null from a WorkflowToken. That must have been changed as it still works in 7.x

    To be fair, it *was* a bit of a security hole

     



  • 12.  RE: Decrypt vRO Endpoint passwords

    Posted Mar 22, 2023 10:32 AM

    Just to be clear / sure in vRO terms it is important to remember that

    SecureString != EncryptedString

    A SecureString has a normal string value within it that the UI treats as a "secured" value. This means that the value is not encrypted but the UI will NEVER display the value in any widget/control. If you have a SecureString you can ALWAYS just do System.log(secureStringInstance) and the log stream will print the real string value.

    An EncryptedString, on the other hand, has a value which is the result of encrypting the input string with the Server key/certificate and then storing the result. An EncryptedString can only be decrypted using the Server key/certificate of the Server where the value was encrypted.

       



  • 13.  RE: Decrypt vRO Endpoint passwords

    Posted Mar 22, 2023 10:37 AM

    Thanks for clarifying the situation.

    In my case the AD endpoint returns an EncryptedString. But I never succeeded in decrypting it from the Crypto plugin, even with the vRO certificate and key.
    There is maybe a better way to do this, but I haven't found it yet!