Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text (219 Views)
Valued Contributor
Dimiter Todorov
Posts: 104
Registered: ‎03-02-2010
Message 1 of 6 (450 Views)

Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

Hi,

Since the OO flows for some things (like reading Datastore information) are pretty slow, I decided to try using PowerCLI.

It works pretty fast, and there are a lot of things you can do with PowerShell and PowerCLI.

The down-sides:
- PowerCLI needs to be installed on the RAS servers and Studios where you are developing. (Not hard, we made a SW Policy for this in SA and pushed it this way.)
- Any sensitive information (passwords etc.) has to be stored on the RAS end in encrypted format. This is because if you pass a password (even obfuscated) to the PowerShell script operation, it resolves it to the clear-text and stores it in the Event log, meaning anyone running the flow could read the password.

Does anyone have any ideas how we can prevent passwords or the script source from being recorded?

For example, the following runs just fine. However, the password is stored in the event log on Central.

# ${host}, ${username} and ${password} are OO inputs substituted into the script text before it runs,
# so the resolved password is written to the event log together with the rest of the script
Connect-VIServer -Server ${host} -Protocol https -User ${username} -Password ${password}
$ddt=Get-Datastore
# Build one object per datastore and serialize the list as JSON
$fark=$(Foreach ($row in $ddt){
    (New-Object PSObject | Add-Member -PassThru NoteProperty name $row.name |
    Add-Member -PassThru NoteProperty freeSpaceGB $row.FreeSpaceGB |
    Add-Member -PassThru NoteProperty capacitySpaceGB $row.CapacityGB)
}) | ConvertTo-Json
# Begin/end markers so the flow can cut the JSON out of the raw script output
$echo_begin="BEGINDSJSON445566"
$echo_begin
$fark
$echo_begin="ENDDSJSON445566"
$echo_begin
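One way to do what the second down-side above asks for (password kept encrypted on the RAS end and never passed as a script input), as an added example rather than code from the original post: the PSCredential is written with Export-Clixml, which on Windows protects the SecureString with DPAPI for the exporting account on that machine, and the OO operation only imports it at run time. The file path, the function names and the use of ${host} as the only OO input are assumptions; the datastore report itself mirrors the original script.

```powershell
# Added example, not from the original post. Keeps the vCenter password out of the script text
# that Central logs: the password lives in a DPAPI-protected file on the RAS host, and only the
# account that wrote it (the RAS service account, on that machine) can read it back.
# Assumed: the $credFile path, the function names, and ${host} as the OO input placeholder.

# Snap-in load for the PowerCLI versions discussed in this thread; harmless on module-based PowerCLI.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

$credFile = 'C:\ProgramData\OO\vcenter-cred.xml'   # placeholder; restrict the NTFS ACL to the RAS account

# One-time setup: run interactively AS THE RAS SERVICE ACCOUNT on each RAS host.
# Export-Clixml serialises the SecureString with DPAPI (user + machine scope), so the file is
# useless if copied elsewhere or read by another account.
function Save-VCenterCredential {
    param([Parameter(Mandatory)][string]$Path)
    $cred = Get-Credential -Message 'vCenter service account for OO'
    $cred | Export-Clixml -Path $Path
}

# Run-time: called from the OO PowerShell operation. Only the server name is an OO input,
# so nothing secret is substituted into the script text that ends up in the event log.
function Get-DatastoreReport {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$CredentialPath
    )
    if (-not (Test-Path -Path $CredentialPath)) {
        throw "Credential file '$CredentialPath' not found; run Save-VCenterCredential as the RAS account first."
    }
    $cred = Import-Clixml -Path $CredentialPath          # PSCredential; the password stays a SecureString

    $vi = Connect-VIServer -Server $Server -Protocol https -Credential $cred -ErrorAction Stop
    try {
        # @() keeps a single datastore as a one-element array so the JSON shape is stable
        $rows = @(Get-Datastore -Server $vi | ForEach-Object {
            [PSCustomObject]@{
                name            = $_.Name
                freeSpaceGB     = [math]::Round($_.FreeSpaceGB, 2)
                capacitySpaceGB = [math]::Round($_.CapacityGB, 2)
            }
        })
        ConvertTo-Json -InputObject $rows
    }
    finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}

# Usage inside the operation, with the same markers the original script uses so the flow can
# cut the JSON out of the raw output. The setup call stays commented out because it is run once by hand:
# Save-VCenterCredential -Path $credFile
'BEGINDSJSON445566'
Get-DatastoreReport -Server ${host} -CredentialPath $credFile
'ENDDSJSON445566'
```

Because DPAPI binds the file to the account that wrote it, the setup function has to run under the same identity the RAS service uses (for Local System, for example from a scheduled task running as SYSTEM); a file exported under an administrator's interactive logon will fail to import when the flow runs as the service.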
Valued Contributor
RiverRat_1
Posts: 50
Registered: ‎03-30-2010
Message 2 of 6 (404 Views)

Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

I found a way that you never have to use the password but once. Not saying it's the best way, but it does work.

This works in HPOO 9. Not sure how this would work (yet) with the HPOO 10 Worker architecture.

You set up a very basic OO flow that runs this PowerShell script (I may have some typos here as I'm typing this in by hand):

Add-PSSnapin VMware.VimAutomation.Core

New-VICredentialStoreItem -Host [vCenter Server IP/hostname] -User [vCenter Login] -Password [vCenter Password]

You run this ONCE for that specific IP/Login/password combo. This stores a credential locally somewhere on your RAS instance for the Local System Account (assuming RAS is running as the Local System Account, which it does by default). The stored cred is specific to the vCenter/Login/Password triple combo. Pretty sure you could run this multiple times for multiple vCenter logins, creating multiple vCenterIP/Login/Password cached combos. However, a scale issue immediately comes to mind if you're attempting an OO that is using AD for authentication into vCenter that is also AD auth'ed. In this case, you're out of luck. For one to several static logins that OO always uses, this could work.

Each time your RAS hits that vCenter Server, it will always use that same vCenter Login/Password when using the right switches on the commands.

Later, say you update the password for the <vCenter Login> and need OO to get the same information. You run this:

Add-PSSnapin VMware.VimAutomation.Core

Remove-VICredentialStoreItem -Host [vCenter Server IP/hostname] -Confirm:$false

The -Confirm:$false is very important!! as PowerShell by default wants to prompt you to confirm you're deleting this stored credential information. The $false stops that confirmation and just does it. Then you run the flow setting up a new login/password combo for that vCenter Host/IP again.

Now your PowerShell scripts simply reference the VMware vCenter Server hostname credential you cached without needing a password:

# Load PowerCLI (snap-in name as in the setup script above; "Add-PSSnap" was a typo)
Add-PSSnapin VMware.VimAutomation.Core

# No -Password: PowerCLI resolves the cached credential store entry for this server/user
Connect-VIServer -Server ${server} -User ${user} -Protocol ${protocol} -NotDefault:$false

Get-VM -Server ${server} -Name "${vmName}" | Set-VM -Server ${server} -Name "${vmNewName}" -Confirm:$false

Disconnect-VIServer -Server ${server} -Confirm:$false
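The credential-store steps above gathered into one script, as an added example and not RiverRat_1's code: the setup is made idempotent so re-running it rotates the entry instead of creating a duplicate, the password is prompted for rather than passed as an OO input, and the run-time part checks that the cached entry exists before it tries to connect (an OO worker cannot answer the interactive prompt PowerCLI would otherwise raise). Function names and the placeholder host/user values are assumptions; the cmdlets are the ones used in the post plus Get-VICredentialStoreItem.

```powershell
# Added example, not the original poster's script. Bundles one-time setup, rotation and
# run-time use of the PowerCLI credential store. Assumed: the function names, and that the
# setup flow and the run-time flow execute under the same Windows account (Local System for
# RAS), because the credential store is kept per account.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

# Setup/rotation flow: run once per vCenter/login under the RAS account. Prompts for the
# password interactively so it is never an OO input and never appears in the logged script text.
function Set-VCenterStoredCredential {
    param(
        [Parameter(Mandatory)][string]$VCHost,
        [Parameter(Mandatory)][string]$User
    )
    $cred = Get-Credential -UserName $User -Message "Password for $User on $VCHost"

    # Replace rather than duplicate: remove any existing entry for this host/user first.
    # -Confirm:$false is required because Remove-VICredentialStoreItem prompts by default.
    $existing = Get-VICredentialStoreItem -Host $VCHost -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-VICredentialStoreItem -Host $VCHost -User $User -Confirm:$false
    }
    # New-VICredentialStoreItem takes a plain string; it is unwrapped only here, in memory.
    New-VICredentialStoreItem -Host $VCHost -User $User `
        -Password $cred.GetNetworkCredential().Password | Out-Null
}

# Run-time flow: no password anywhere. With -User but no -Password, Connect-VIServer resolves
# the cached entry for this host/user, which is the behaviour the post relies on.
function Rename-VMWithStoredCredential {
    param(
        [Parameter(Mandatory)][string]$VCHost,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$NewName
    )
    if (-not (Get-VICredentialStoreItem -Host $VCHost -User $User -ErrorAction SilentlyContinue)) {
        # Fail fast with a useful message instead of hanging on a credential prompt
        throw "No credential store entry for $User@$VCHost under account $env:USERNAME; run the setup flow first."
    }
    $vi = Connect-VIServer -Server $VCHost -User $User -Protocol https -ErrorAction Stop
    try {
        Get-VM -Server $vi -Name $VMName | Set-VM -Server $vi -Name $NewName -Confirm:$false
    }
    finally {
        Disconnect-VIServer -Server $vi -Confirm:$false
    }
}

# Usage: setup once by hand (placeholder values), then the OO operation calls only the second function.
# Set-VCenterStoredCredential -VCHost 'vcenter.example.internal' -User 'oo-svc'
# Rename-VMWithStoredCredential -VCHost ${server} -User ${user} -VMName ${vmName} -NewName ${vmNewName}
```

The existence check also makes the failure mode visible: if a RAS is rebuilt or the service account changes, the flow fails with a clear message naming the account the store was looked up for, instead of a silent hang on the worker.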
Trusted Contributor
Steve_Drummond
Posts: 88
Registered: ‎10-01-2012
Message 3 of 6 (396 Views)

Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

We had the same issue, so I ended up writing our own Remote Command Execution object which takes the username/password as tokens and converts them in memory while running the command.

So instead of using the PowerShell object we use the RCE object and point it at "powershell <load vim> <script> <arguments>". The arguments might look like "-esxUsername %%u0", and on the OO object the input "username0" inherits from the System Account you want to use. You can put as many %%ux tokens as you want.

Let me know if you want a copy of the object (tested on HPOO 7.51, 9.x); .NET version only.
Valued Contributor
Dimiter Todorov
Posts: 104
Registered: ‎03-02-2010
Message 4 of 6 (386 Views)

Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

If you can share the code, that would be great. I would have to re-write it to jive with the OO 10 Action Model (or import the Legacy Action).

I have been working on some Java Actions to get by. But PowerCLI is too powerful to pass up.

If you don't feel like posting online, post it over.

dimiter dot todorov at ontario dot ca
Occasional Contributor
JTorchia
Posts: 8
Registered: ‎08-02-2011
Message 5 of 6 (222 Views)

Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

I too am interested in this and would appreciate any additional details that can be provided.

Thanks

Jeff Torchia
Trusted Contributor
Steve_Drummond
Posts: 88
Registered: ‎10-01-2012
Message 6 of 6 (219 Views)

Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text

Hey Dimiter, sorry, got absolutely slammed at the end of last year and completely forgot about this.

Jeff/Dimiter: I have linked the source for the object; you're interested in Custom OO WMI.WMI_TokenCommand.

The Custom OO Common Methods is a referenced DLL I wrote to help me with the API.

https://dl.dropboxusercontent.com/u/18281704/solutions/Custom%20OO%20WMI.7z

https://dl.dropboxusercontent.com/u/18281704/solutions/Custom%20OO%20Common%20Methods.7z