Hello Team,

We are planning to secure passwords used in RA by restricting the visibility.

Currently we have it visible as a plain text in RA deployment logs even though we used the input as a password parameter for our actions we still not able to secure the plain text in deployment logs.

Issue Identification:

• As identified in review password type parameter are being used inside an action Execute Javascript Code which accept parameter of type string. When you use password parameter inside them they are getting implicit case to string and hence getting printed in the logs.

Cause: This is working as per design. The password type parameter in RA bear some properties like not getting printed as plain text in log files. When you type cast the password parameter to string type of parameter it does lost all those properties and hence resulting in printing of clear text password in logs.

Release : 6.6, 6.7 or higher

Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER

Recommendation

1: Don't cast password type to any string type of parameter else it will result in getting password printed as plain text.

2: For REST API call we recommend using RA built in action "REST Operation" which out of the box support various authentication mode and have password type of parameter. It will be making sure the proper encoding is done when making a call using user/name and password.

3: The other recommendation is not to generate base64 encoding in the RA instead either pass generated value from calling system. Set encoded value either in environment parameter (for environment level usage) or create a token (for application level usage) of type password and set it's value. Use this parameter directly in the REST action in this case the encoded value is printed in case of environment parameter if it's of type string and obfuscated value in case of parameter type password.

Some important links for your reference

• How to use $ characters within token values to prevent failures?
• Application environment variables are not shown in environments
• Documentation: Release Automation Tokens (6.7)
• Documentation: Release Automation Tokens Best Practices(6.7)