Hello Team,
We are planning to secure passwords used in RA by restricting the visibility.
Currently it is visible as plain text in the RA deployment logs. Even though we used the input as a password parameter for our actions, we are still not able to secure the plain text in the deployment logs.
Issue Identification:
Cause: This is working as designed. A password-type parameter in RA carries certain properties, such as not being printed as plain text in log files. When you type-cast the password parameter to a string-type parameter, it loses all of those properties, which results in the clear-text password being printed in the logs.
Release : 6.6, 6.7 or higher
Component : CA RELEASE AUTOMATION RELEASE OPERATIONS CENTER
Recommendation
1: Don't cast a password-type parameter to any string-type parameter; otherwise the password will be printed as plain text.
2: For REST API calls we recommend using the RA built-in action "REST Operation", which supports various authentication modes out of the box and has a password-type parameter. It makes sure the proper encoding is done when making a call using a user name and password.
3: The other recommendation is not to generate the base64 encoding in RA; instead, pass the generated value from the calling system. Set the encoded value either in an environment parameter (for environment-level usage) or in a token of type password (for application-level usage). Use this parameter directly in the REST action. In this case the encoded value is printed in the logs if it is an environment parameter of type string, and an obfuscated value is printed if the parameter is of type password.
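Base64 is a reversible encoding, so an encoded user:password value printed from a string-type parameter exposes the password just as the plain text does. The following check over exported deployment logs is an added example, not part of the original article or of CA Release Automation; the log lines, parameter names and credential are constructed, and no real RA log layout is assumed.

```python
import base64
import binascii
import re

# A run of base64 characters, at least 8 long, not embedded in a longer run.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")

def decode_credential(token):
    """Return the decoded 'user:password' text, or None if token is not one."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = text.partition(":")
    return text if sep and user and secret and text.isprintable() else None

def scan_log(lines, known_secrets=()):
    """Return [(line_no, kinds, redacted_line)] for every line exposing a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        redacted, kinds = line, []
        for secret in known_secrets:          # password cast to a string parameter
            if secret and secret in line:
                redacted = redacted.replace(secret, "****")
                kinds.append("plaintext")
        for m in B64_RUN.finditer(line):      # encoded value held in a string parameter
            if decode_credential(m.group()):
                redacted = redacted.replace(m.group(), "<base64-credential>")
                kinds.append("base64")
        if kinds:
            findings.append((no, kinds, redacted))
    return findings

# Constructed sample data: not real RA log output, parameter names are made up.
DEMO_SECRET = "S3cr3t!Demo"
DEMO_TOKEN = base64.b64encode(f"deployer:{DEMO_SECRET}".encode()).decode()
SAMPLE_LOG = [
    "10:02:11 INFO  step=deploy target=app01 status=started",
    f"10:02:12 DEBUG param api_pass={DEMO_SECRET}",
    f"10:02:13 DEBUG header Authorization: Basic {DEMO_TOKEN}",
    "10:02:14 INFO  build 3f2a9c1e7b5d4a60 status=done",
]

if __name__ == "__main__":
    for no, kinds, redacted in scan_log(SAMPLE_LOG, [DEMO_SECRET]):
        print(f"line {no}: {','.join(kinds)}: {redacted}")
```

Run it against a test deployment that uses a throwaway credential, passing that credential in known_secrets; an empty result means neither the plain nor the encoded form reached the log.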