Exporting used credentials per host

Hello,

We would like to export a list of credentials used per host, but we can't find any way to do this directly in the client.

Each used credential is directly "configured" on an Agent CI (not through a relation), so it doesn't seem to be usable in a report.

Does anyone know if it's possible to achieve this? Maybe querying the database directly or through the JMX Console?

Version 2019.02.

Thanks,
Best regards,
Yann Pingot

Accepted Solutions

Re: Exporting used credentials per host

After some research, it is possible to extract the credentials_id list (e.g. "89_1_CMS") from the database with this query (I'm also taking the application_ip because we don't always have a root_container_name, for matching purposes, and I also take only SSH credentials for our needs):

select a_root_container_name, a_application_ip, a_credentials_id from "cdm_ssh_1";

Real usernames, however, cannot be found in tables (like cdm_sshprotocol_1, for example, which is empty); I suspect them to be in the blob found in the cm_storage table.
As a workaround I've extracted the credentials list with the exportCredentialsAndRangesInformation JMX method and we're matching all this stuff with some PowerShell.

Hope this helps if someone wants to do the same thing.

Best regards,
Yann Pingot

Re: Exporting used credentials per host

Hello Yann,

Interesting approach. You retrieved some attributes from the SSH shell CIs. This can also be done in a report.

The usernames and passwords are stored in the Confidential Manager (CM) and they are encrypted in a special flow. Because it's a security-related flow we can't provide details.

With exportCredentialsAndRangesInformation you can export only the list of credentials in XML format without the actual password. The output will be something like:

<object id="45ba9730421c0bae85609b4ccc88e83e" id_type="CmdbObjectID" class="sshprotocol" isReference="false" anchor_id="null" is_anchor="false">
<attribute name="sshprotocol_sudo_su_policy" type="String">su</attribute>
<attribute name="protocol_pe_su_username" type="Unknown"/>
<attribute name="protocol_username" type="String">root</attribute>
<attribute name="sshprotocol_su_username" type="Unknown"/>
<attribute name="sshprotocol_prompts" type="Unknown"/>
<attribute name="protocol_port" type="String">22</attribute>
<attribute name="protocol_timeout" type="String">25000</attribute>
<attribute name="user_label" type="String">lab-esx</attribute>
<attribute name="protocol_pe_mode" type="String">su</attribute>
<attribute name="protocol_netaddress" type="String">DEFAULT</attribute>
<attribute name="protocol_pce_command_list" type="Unknown"/>
<attribute name="sshprotocol_authmode" type="String">password</attribute>
<attribute name="sshprotocol_sudo_commands" type="Unknown"/>
<attribute name="sshprotocol_version" type="String">SSH2/SSH1</attribute>
<attribute name="protocol_in_use" type="Boolean">true</attribute>
<attribute name="sshprotocol_shell_env_sep_char" type="String">;</attribute>
<attribute name="cm_credential_id" type="String">68_1_CMS</attribute>
<attribute name="sshprotocol_keypath" type="Unknown"/>
<attribute name="protocol_type" type="String">sshprotocol</attribute>
<attribute name="protocol_pce_policy" type="String">privileged_execution</attribute>
<attribute name="protocol_index" type="Integer">1</attribute>
<attribute name="sshprotocol_hello_timeout" type="String">10000</attribute>
</object>

I don't know how this information is useful.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success

Re: Exporting used credentials per host

Hi Bogdan,

I didn't find a way to do this in a report, as the credentials used on an agent are not stored in an attribute. Any clue on this?

The goal is pretty simple: extract all credentials (I mean usernames, I don't need passwords for this) used by hosts (through agents); that's why I did a mix between a database query and the XML export to match the whole thing.

Best regards,
Yann Pingot
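
The matching step described in the posts above, as an added example that is not part of the original thread: it joins the cdm_ssh_1 query output with the exportCredentialsAndRangesInformation XML on the credential ID, written in Python rather than the PowerShell the poster used. The CSV layout, the credentials wrapper element, the second object, and the host names and IP addresses are constructed assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed export sample; the <credentials> wrapper element is an assumption.
EXPORT_XML = """<credentials>
<object id="45ba9730421c0bae85609b4ccc88e83e" class="sshprotocol">
<attribute name="protocol_username" type="String">root</attribute>
<attribute name="user_label" type="String">lab-esx</attribute>
<attribute name="cm_credential_id" type="String">68_1_CMS</attribute>
</object>
<object id="constructed-0002" class="sshprotocol">
<attribute name="protocol_username" type="String">svc_discovery</attribute>
<attribute name="cm_credential_id" type="String">89_1_CMS</attribute>
</object>
</credentials>"""

# Constructed cdm_ssh_1 query result, assumed saved as CSV with a header row.
QUERY_CSV = """a_root_container_name,a_application_ip,a_credentials_id
esx01,192.0.2.10,68_1_CMS
,192.0.2.11,89_1_CMS
web01,192.0.2.12,77_1_CMS
"""

def load_credentials(xml_text):
    """Map cm_credential_id -> (username, label); the export holds no passwords."""
    creds = {}
    for obj in ET.fromstring(xml_text).iter("object"):
        attrs = {a.get("name"): (a.text or "").strip() for a in obj.iter("attribute")}
        if attrs.get("cm_credential_id"):
            creds[attrs["cm_credential_id"]] = (
                attrs.get("protocol_username", ""), attrs.get("user_label", ""))
    return creds

def credentials_per_host(xml_text, csv_text):
    """Join query rows to the export on the credential ID; host falls back to the IP."""
    creds = load_credentials(xml_text)
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        host = rec["a_root_container_name"].strip() or rec["a_application_ip"].strip()
        cred_id = rec["a_credentials_id"].strip()
        username, label = creds.get(cred_id, (None, None))  # None = ID absent from export
        rows.append({"host": host, "credential_id": cred_id,
                     "username": username, "label": label})
    return rows

def hosts_using(rows, username="root"):
    """Hosts whose discovery credential logs in as the given account."""
    return sorted(r["host"] for r in rows if r["username"] == username)
```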

Re: Exporting used credentials per host

There could be another way.

Clone the Host Application by shell adapter to your custom adapter. It has the needed input and trigger TQLs with the node, IP and shell CIs. It will dispatch to the probe the node details, the IP and the needed credentials. It has everything you need.
Take this data from the dispatch mechanism and model it in Jython to be saved as output in the Communication log of the job as a CSV. I don't see a reason why it shouldn't work.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success

Re: Exporting used credentials per host

Hi Bogdan,

Indeed there is also the possibility to duplicate and enhance an adapter.

In this case it's almost a one-shot extraction so it's a little heavy 🙂

We used the method I mentioned and got our results as expected with little effort and time.

Anyway, it would be useful to do that natively in one of the clients, maybe an enhancement in a next version? 🙂

Best regards,
Yann Pingot

Re: Exporting used credentials per host

Hello Yann,

At one point we will have to migrate some of the current applet-based OOTB reports to the new HTML5 UI.
My suggestion is to submit on Idea Exchange to have such a report in the new UI. If it gets traction then it might be implemented.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success