How do I send a password securly to remote loader?

liasson · ‎2019-12-11

Hi!

I want to send a password from the startup policy to the remote loader.

How do I do this in a secure manner? Do I have to encrypt it myself, and decrypt on the other side?

BR

/Thomas

liasson · ‎2019-12-11

To clarify, the communication is not the problem.
I don't want passwords to be logged in the log-files.
Do I have to encrypt myself to hide the clear-text password in the log? Or is there another way to do it?

BR

/Thomas

cpedersen · ‎2019-12-11

You could try by setting is-sensitive on the attribute.

https://www.netiq.com/documentation/identity-manager-47/driver_admin/?page=/documentation/identity-manager-47/driver_admin/data/t45clgjllttj.html

Cheers,

Casper

geoffc · ‎2019-12-11

In fact, what you do first:

Append XML element, build where the attr will go in the process. Then set the XML Attribute is-sensitive=true, and then finally add in the password.

al_b · ‎2019-12-11

+ you can also disable trace for specific commands

geoffc · ‎2019-12-12

True. But what is interesting (David G told me he found this a week or three ago) is if you try to Set local variable to that attribute it STILL won't trace out, because the is-sensitive tag persists in some extra cirumstances. You would have to Strip by xpath, @IS-sensitive to be able to get at it.

dgersic · ‎2019-12-18

You used to be able to set-local-variable to get the value of a is-sensitive attribute, then trace-message out the variable to see the result. They've blocked that. You have to be more creative now.

cpedersen · ‎2019-12-18

As of what version, did they stop that you can trace a password?

dgersic · ‎2019-12-18

Unknown. I noticed it with 4.7.3.

cpedersen · ‎2019-12-18

Intersting. I've always stuffed it into an LV and then traced that. Which has worked for me.

dgersic · ‎2019-12-18

Yeah. Me too. I hadn't needed to do that for quite a while, so when I did and the trace spit out "<--- content supressed --->" for the value of the local variable, I was somewhat surprised.

liasson · ‎2019-12-18

I already tried this, but added attributes will still be visible in the log since the complete XML is logged at some trace levels.

Engine-Drivers