How to use Symantec's camouflage tool

book

Article ID: 172708

calendar_today

Updated On:

Products

VIP Authentication Service

Issue/Introduction

Using the Symantec VIP camouflage tool

Resolution

The VIP camouflage tool is used to mask sensitive shared secrets for RADIUS communication. Various VIP 3rd-party integration guides contain instructions on using this tool to generate a protected password for use within that integration.

The camouflage tool can be downloaded from VIP Manager > Account > Download files... > Third_Party_Integrations > Pugins > Tools.zip

The following architectures are supported:

Windows
Linux
Solaris
HP-UX
AIX

 

Windows

There are four versions of the "camouflage" tool for Windows. It is important that the correct version of camouflage.exe is used. Refer to the table below: 

64-bit
Windows Server 2016
Windows Server 2012
Windows 8, 8.1
Tools\windows8_64\camouflage.exe
Windows Server 2008
Windows 7
Tools\windows_64\camouflage.exe
32-bit
Windows Server 2008
Windows 7, XP
Tools\windows\camouflage.exe
Windows 8, 8.1 Tools\windows8\camouflage.exe

 

Generating a camouflaged shared secret

  • Open an elevated command prompt and navigate to the appropriate folder (see table above).
  • Type camouflage sharedsecret where "sharedsecret" is the value of the shared secret to be camouflaged. Store both the shared secret and the camouflaged value in a secure location. Alternatively, the shared secret can be piped directly to a file camouflage sharedsecret > secret.txt
  • Exit the command prompt and purge the command history. 
  • The camouflaged password can now be used. 

 

In most instances, the shared secret is entered directly in both the VIP Enterprise Gateway configuration console and the configuration file or settings for the integration. 

 

Linux

Two versions of camouflage are available for Linux: 32-bit and 64-bit.

32-bit Linux: Tools/linux/camouflage
64-bit Linux: Tools/linux_x86-64/camouflage

Sample syntax:

$ cd Tools/linux/camouflage
$ touch secret; chmod 600 secret;
$ cat > secret
sharedsecret
$ cat secret | ./camouflage - > sharedsecret.txt

Example:

 

Tips

  • To test connectivity to the validation server, run the vsradiusclient_test utility included with the tools.zip file. (see: How to test a VIP Enterprise Gateway validation server using vsradiusclient_test.exe)
  • Run the camouflage tool on the server where the masked password will be used.
  • Test with a simple camouflaged password with no special characters. One successful, proceed with using a more complex password. 
  • If possible, temporarily stop or pause command line history caching. Or, purge the command history on the server once complete. This will prevent retrieval of the shared secret by others with access to the system. 
  • If there is any risk of other users potentially accessing the camouflaged password, use the tool on a system where that risk is diminished.
  • VIP EG 9.8.4 and later supports 32-character passwords. Earlier versions support 30-characters. 
  • The RADIUS shared secret cannot contain spaces or any of the following special characters: " & =

Attachments