Template Inputs of type string with encrypted true are passed by vRealize Automation 8.8 to vRealize Orchestrator as plain text.

Article ID: 314823


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Template Inputs of type string with encrypted true are passed by vRealize Automation 8.8 to vRealize Orchestrator as plain text. See password example below:
    inputs:
      password:
        type: string
        title: Password
        description: Password
        encrypted: true
        pattern: ^$|^(?:(?=.*[a-z])(?:(?=.*[A-Z])(?=.*[\d\W])|(?=.*\W)(?=.*\d))|(?=.*\W)(?=.*[A-Z])(?=.*\d)).{8,}$
        default: ''
 
  • In vRealize Automation, under extensibility and workflow runs, the inputProperties are visible and the password value is shown as encrypted.
  • Checking the inputProperties variable of the same workflow run in vRealize Orchestrator, you see that the password is shown in plain text.


Environment

VMware vRealize Automation 8.8.x

Cause

For backward compatibility, vRealize Automation decrypts these inputs when it sends the request to vRealize Orchestrator, so Orchestrator receives them decrypted.

Resolution

The behaviour is configurable via a feature toggle that, when enabled, instructs vRealize Automation to pass encrypted values to vRealize Orchestrator.

Note: Before proceeding, best practice dictates that you first snapshot the vRealize Automation appliances.

1. Open https://$VRA_HOSTNAME:443/automation-ui/#/provisioning-ui;ash=%2FconfigurationProperties.
2. Create a new Configuration property with the key "vro.encryption.enabled" and a value of "true".

Now when you run a workflow/action these inputs will appear encrypted in Orchestrator. However, this can be a destructive change!

3. If these variables are used in scripting, you will no longer be able to use them directly, because they will be encrypted. Each object will still be a JavaScript string, but it will hold an encrypted value. To fix this, you need to decrypt the values before they can be used in the code.

For example, if the password code looked like this before the toggle was enabled:
inputProperties.get("customProperties").get("password")

You would need to change it to something like this in order to decrypt the password value:

EncryptionService.decrypt(inputProperties.get("customProperties").get("password"), System.getContext().getOneTimeKey())
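
Because enabling the toggle breaks any script that still reads an encrypted input directly, it helps to find those reads first. The following is an added example, not VMware code: it lists the inputs marked `encrypted: true` in a template and flags script lines that read them outside an `EncryptionService.decrypt(` call. The function names, the sample template and the sample scripts are constructed for illustration, and the check is a line-based heuristic run over script text you have exported yourself.

```javascript
// Added example (not VMware code): audit script text before setting vro.encryption.enabled.

// Collect input names marked `encrypted: true` in a template's `inputs:` block.
// Minimal indentation scan assuming two-space YAML indentation; not a full YAML parser.
function encryptedInputs(templateYaml) {
  const names = [];
  let inInputs = false, current = null;
  for (const line of templateYaml.split("\n")) {
    if (/^\S/.test(line)) { inInputs = /^inputs:\s*$/.test(line); current = null; continue; }
    if (!inInputs) continue;
    const key = /^  ([A-Za-z_][\w-]*):\s*$/.exec(line); // an input name
    if (key) { current = key[1]; continue; }
    if (current && /^ {4}encrypted:\s*true\s*$/.test(line)) names.push(current);
  }
  return names;
}

// Flag lines that read an encrypted input with .get("<name>") when the read is not
// an argument of EncryptionService.decrypt( earlier in the same statement on that line.
function findPlainReads(script, names) {
  const findings = [];
  script.split("\n").forEach((line, i) => {
    for (const name of names) {
      const read = new RegExp(`\\.get\\(\\s*["']${name}["']\\s*\\)`).exec(line);
      if (!read) continue;
      const before = line.slice(0, read.index);
      if (!/EncryptionService\.decrypt\([^;]*$/.test(before)) {
        findings.push({ line: i + 1, name });
      }
    }
  });
  return findings;
}

// Constructed sample data.
const SAMPLE_TEMPLATE = [
  "inputs:", "  hostname:", "    type: string",
  "  password:", "    type: string", "    encrypted: true",
  "resources: {}",
].join("\n");
const LEGACY_SCRIPT = [
  'var props = inputProperties.get("customProperties");',
  'var pw = inputProperties.get("customProperties").get("password");',
  'var host = props.get("hostname");',
].join("\n");
const MIGRATED_SCRIPT =
  'var pw = EncryptionService.decrypt(inputProperties.get("customProperties").get("password"), System.getContext().getOneTimeKey());';

console.log(findPlainReads(LEGACY_SCRIPT, encryptedInputs(SAMPLE_TEMPLATE)));
```

Every flagged line needs the decrypt wrapper before the toggle is enabled; the heuristic does not follow values assigned to an intermediate variable, so reads through aliases still need manual review.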