cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3779
Views
0
Helpful
4
Replies

Hiding UCS Password in Power Shell Script

hetalsoni
Level 1
Level 1

Hi,

I would like to use power shell to perform UCS backup(full, All config etc), Is there anyway to Hide admin passowrd from Power shell script? Once script is ready, I would like to schedule task or have opertor(withoutu admin password) to run script as needed.

I can use UCS manager for schedule backup but since I am using windows FTP, it has some limitation.

Please advise, if anyone know, how to hide password in powershell script for UCS.

Thnaks

Hetal Soni

4 Replies 4

ericwill
Cisco Employee
Cisco Employee

There are a few things you could do.  You could use Export-UcsPsSession which will take all existing connections to UCS, and export them to a XML file.  It uses a key to encrypt the passwords.   You will need the key to decrypt the password and use it to connect to the domains

PS C:\ucs> Get-UcsPSSession

   

Proxy                 :

Cookie                : 1381416965/b05e5478-27fa-49ab-abaf-5059f71d1a66

Domains               :

LastUpdateTime        : 10/10/2013 10:07:08 AM

Name                  : 172.25.206.5

NoSsl                 : False

NumPendingConfigs     : 0

NumWatchers           : 0

Port                  : 443

Priv                  : {admin, read-only}

RefreshPeriod         : 600

SessionId             : web_37790_A

TransactionInProgress : False

Ucs                   : eric

Uri                   : https://172.25.206.5

UserName              : admin

VirtualIpv4Address    : 172.25.206.5

Version               : 2.2(0.272)

WatchThreadStatus     : None

     

PS C:\ucs> Export-UcsPSSession -LiteralPath c:\ucs\test.xml

 

cmdlet Export-UcsPSSession at command pipeline position 1

Supply values for the following parameters:

Key: ********

PS C:\ucs> Get-Content .\test.xml

<ucshandles>

  <ucs name="172.25.206.5" username="admin" password="ax3iHMPBxGK4MQQbysq+5DQ2oxQlZZqZVy1o4EUDEyM=" />

</ucshandles>

You can create a file you could use that takes the key and inputs in a varible to use with connect-ucs like below:

PS C:\ucs> ConvertTo-SecureString -String "asdf1234" -AsPlainText -Force | ConvertFrom-SecureString | Out-File test.txt

PS C:\ucs> Get-Content .\test.txt

01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053588c82caa2e74da33a6ccfb82d0b1f0000000002000000000010660000000100002000000007fbba041b164717f00f598cc0b92215f7921933db7c1c1e2c24bac25f1be5af000000000e8

000000002000020000000fa582ead3a09cc3b88ae1da2290fd7aea466efa655adb0a6addeec708e47dd7220000000affd0ad368673667a1b630c4675bc8a64117ac33e4b4ea8af5a7d2540f08aa04400000002fdcbe3f9812af3a56f2dbfe965e9b9b14

0564f1ca832c027faa44c517d0ab49a738fe96c49019b713b081e8147af392bd33a12a26dbf85f7a61f8f8a25f495c

PS C:\ucs> $key = Get-Content test.txt | ConvertTo-SecureString

PS C:\ucs> connect-ucs -Key $key -LiteralPath .\test.xml

Proxy                 :

Cookie                : 1381417271/f188a29d-445c-4aa2-b4c0-501a5e03232b

Domains               :

LastUpdateTime        : 10/10/2013 10:12:15 AM

Name                  : 172.25.206.5

NoSsl                 : False

NumPendingConfigs     : 0

NumWatchers           : 0

Port                  : 443

Priv                  : {admin, read-only}

RefreshPeriod         : 600

SessionId             : web_11114_A

TransactionInProgress : False

Ucs                   : eric

Uri                   : https://172.25.206.5

UserName              : admin

VirtualIpv4Address    : 172.25.206.5

Version               : 2.2(0.272)

WatchThreadStatus     : None

Eric,


Thnaks for your response.

It apprears that, it may lead me to same issue. If I share key to decrypt passowrd -it is similar to giving password.

Is it possible to setup something like "Run as Accounts" with necessary admin priveldge to run script to backup?  Is it possible to use "Run as Accounts" in Microsoft SCO to perform backup?

Thanks

Hetal Soni

Remember there's no "single sign on" capability between UCSM and Microsoft.  I don't think this is an option.  When you do use the key like I posted earlier though, it does store it in a Secure String in PoSh at least so the password isn't in clear text though.    

I typed up a reply but realized there was a problem with it. Here's what you should do and is similar to Eric's reply only I think this is secure:

connect to ucs using connect-usmgr and verify connection using get-ucssession.

$exportkey = read-host -AsSecureString -Prompt 'enter the key'

Export-UcsPSSession -LiteralPath $env:USERPROFILE"/Desktop/test.xml" -key $exportkey

ConvertFrom-SecureString $exportkey > $env:USERPROFILE"/Desktop/key.txt"

This will generate two files:

test.xml which is encoded using the key you typed into the prompt.

key.txt which is the encrypted string of the $exportkey securestring. You'll need that key.txt in order to decrypt the test.xml file. The thing is that the key will be stored using Powershell's securestring function which encrypts the file using the identity of the user and computer that generated it. So.. even if you share key.txt or copy to another machine it won't work. it can only be decrypted on the machine that generated it by the user account that generated it. for this reason, I recommend using a service account to run the scripts. You may also want to use a local UCSM user that you authenticate with using the connect-ucs commandlet but that's up to you.

Then in order to connect use the following:

$key = ConvertTo-SecureString (Get-Content $env:USERPROFILE"/Desktop/key.txt")

connect-ucs -Key $key -LiteralPath $env:USERPROFILE"/Desktop/test.xml"

Review Cisco Networking for a $25 gift card

Cisco UCS X-Series Energy Efficiency Offer