search

controlm / automation-api-community-solutions

Control-M Automation API community solutions
Other
49 stars 89 forks source link

lcps_to_ccps.py doesn't handle AI passwords correctly #103

Open rwestbrock-24hf opened 3 years ago

rwestbrock-24hf commented 3 years ago

The lcps_to_ccps.py script converts local connection profiles to centralized connection profiles which includes changing the value of the Password field in the exported JSON to a secret. I found that when trying to convert Application Integrator profiles the script does not account for the fact that the password field name for AI jobs is named AI-Password instead.

To illustrate this below is a profile I exported using CTM CLI:

  "LOCKBOX": {
    "Type": "ConnectionProfile:ApplicationIntegrator:ZCONNECTWF",
    "AI-Timeout (minutes)": "60",
    "AI-Status Interval (seconds)": "600",
    "AI-Password": "*****",
    "AI-Zuora Workflow ID": "82290",
    "AI-Host": "workflow.apps.zuora.com",
    "TargetAgent": "agentname",
    "TargetCTM": "servername"
  }

When I use the script to generate the temporary JSON file for that same profile you can see that it has added the Password element:

    "LOCKBOX": {
        "Type": "ConnectionProfile:ApplicationIntegrator:ZCONNECTWF",
        "AI-Timeout (minutes)": "60",
        "AI-Status Interval (seconds)": "600",
        "AI-Password": "*****",
        "AI-Zuora Workflow ID": "82290",
        "AI-Host": "workflow.apps.zuora.com",
        "Centralized": true,
        "Password": {
            "Secret": "lockbox_secret"
        }

For the moment I am going to use the workaround of modifying the JSON file before telling the script to deploy it but I am sure the script could be refactored to handle AI passwords properly. When I have time I will likely create my own fork and work on that.

rbeker-BMC commented 8 months ago

Hi @rwestbrock-24hf, Thank you for bringing this matter to our attention.

In the process of retrieving connection profiles from Control-M, it's important to note that all password definitions are concealed for security purposes. Therefore, if you require the usage of passwords, it is advisable to replace the hidden passwords with actual ones or utilize the "Secrets" functionality, where the values are securely stored within Control-M/Enterprise Manager.

For further guidance on managing secrets and ensuring secure handling of sensitive information within your automation workflows, please refer to the following resources:

  1. REST API Secrets - https://community.bmc.com/s/article/rest-api-secrets
  2. Secrets in Code Documentation - https://docs.bmc.com/docs/automation-api/9021/secrets-in-code-1123726054.html

Thank you for your cooperation and understanding.

rwestbrock-24hf commented 8 months ago

We are using secrets as I showed in the manually adjusted JSON. My intention was to refactor the script to have it set the Password element to use a secret with the same name as the connection profile. Unfortunately I had to back burner that and haven't worked on migrating connection profiles in three years now since my initial post; even with the refactor I have to use a script I wrote to read a flat file of the secrets (which I composed from our password vault) to use AAPI to create the secrets.