10-09-2013 04:54 PM
Hi,
I would like to use PowerShell to perform UCS backups (full, all config, etc.). Is there any way to hide the admin password from the PowerShell script? Once the script is ready, I would like to schedule a task or have an operator (without the admin password) run the script as needed.
I can use UCS Manager for scheduled backups, but since I am using Windows FTP, it has some limitations.
Please advise, if anyone knows, how to hide the password in a PowerShell script for UCS.
Thanks
Hetal Soni
10-10-2013 08:13 AM
There are a few things you could do. You could use Export-UcsPsSession, which will take all existing connections to UCS and export them to an XML file. It uses a key to encrypt the passwords. You will need the key to decrypt the password and use it to connect to the domains.
PS C:\ucs> Get-UcsPSSession
Proxy :
Cookie : 1381416965/b05e5478-27fa-49ab-abaf-5059f71d1a66
Domains :
LastUpdateTime : 10/10/2013 10:07:08 AM
Name : 172.25.206.5
NoSsl : False
NumPendingConfigs : 0
NumWatchers : 0
Port : 443
Priv : {admin, read-only}
RefreshPeriod : 600
SessionId : web_37790_A
TransactionInProgress : False
Ucs : eric
Uri : https://172.25.206.5
UserName : admin
VirtualIpv4Address : 172.25.206.5
Version : 2.2(0.272)
WatchThreadStatus : None
PS C:\ucs> Export-UcsPSSession -LiteralPath c:\ucs\test.xml
cmdlet Export-UcsPSSession at command pipeline position 1
Supply values for the following parameters:
Key: ********
PS C:\ucs> Get-Content .\test.xml
<ucshandles>
<ucs name="172.25.206.5" username="admin" password="ax3iHMPBxGK4MQQbysq+5DQ2oxQlZZqZVy1o4EUDEyM=" />
</ucshandles>
You can create a file that takes the key and puts it in a variable to use with connect-ucs, like below:
PS C:\ucs> ConvertTo-SecureString -String "asdf1234" -AsPlainText -Force | ConvertFrom-SecureString | Out-File test.txt
PS C:\ucs> Get-Content .\test.txt
01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053588c82caa2e74da33a6ccfb82d0b1f0000000002000000000010660000000100002000000007fbba041b164717f00f598cc0b92215f7921933db7c1c1e2c24bac25f1be5af000000000e8
000000002000020000000fa582ead3a09cc3b88ae1da2290fd7aea466efa655adb0a6addeec708e47dd7220000000affd0ad368673667a1b630c4675bc8a64117ac33e4b4ea8af5a7d2540f08aa04400000002fdcbe3f9812af3a56f2dbfe965e9b9b14
0564f1ca832c027faa44c517d0ab49a738fe96c49019b713b081e8147af392bd33a12a26dbf85f7a61f8f8a25f495c
PS C:\ucs> $key = Get-Content test.txt | ConvertTo-SecureString
PS C:\ucs> connect-ucs -Key $key -LiteralPath .\test.xml
Proxy :
Cookie : 1381417271/f188a29d-445c-4aa2-b4c0-501a5e03232b
Domains :
LastUpdateTime : 10/10/2013 10:12:15 AM
Name : 172.25.206.5
NoSsl : False
NumPendingConfigs : 0
NumWatchers : 0
Port : 443
Priv : {admin, read-only}
RefreshPeriod : 600
SessionId : web_11114_A
TransactionInProgress : False
Ucs : eric
Uri : https://172.25.206.5
UserName : admin
VirtualIpv4Address : 172.25.206.5
Version : 2.2(0.272)
WatchThreadStatus : None
10-10-2013 04:54 PM
Eric,
Thanks for your response.
It appears that it may lead me to the same issue. If I share the key to decrypt the password, it is similar to giving out the password.
Is it possible to set up something like "Run as Accounts" with the necessary admin privilege to run a script to back up? Is it possible to use "Run as Accounts" in Microsoft SCO to perform the backup?
Thanks
Hetal Soni
10-17-2013 12:07 PM
Remember there's no "single sign on" capability between UCSM and Microsoft. I don't think this is an option. When you do use the key like I posted earlier though, it does store it in a Secure String in PoSh at least so the password isn't in clear text though.
11-12-2013 02:05 PM
I typed up a reply but realized there was a problem with it. Here's what you should do and is similar to Eric's reply only I think this is secure:
Connect to UCS using connect-usmgr and verify the connection using get-ucssession.
$exportkey = Read-Host -AsSecureString -Prompt 'enter the key'
Export-UcsPSSession -LiteralPath "$env:USERPROFILE\Desktop\test.xml" -Key $exportkey
ConvertFrom-SecureString $exportkey > "$env:USERPROFILE\Desktop\key.txt"
This will generate two files:
test.xml which is encoded using the key you typed into the prompt.
key.txt which is the encrypted string of the $exportkey securestring. You'll need that key.txt in order to decrypt the test.xml file. The thing is that the key will be stored using PowerShell's securestring function, which encrypts the file using the identity of the user and computer that generated it. So even if you share key.txt or copy it to another machine, it won't work. It can only be decrypted on the machine that generated it by the user account that generated it. For this reason, I recommend using a service account to run the scripts. You may also want to use a local UCSM user that you authenticate with using the connect-ucs commandlet, but that's up to you.
Then in order to connect use the following:
$key = ConvertTo-SecureString (Get-Content "$env:USERPROFILE\Desktop\key.txt")
Connect-Ucs -Key $key -LiteralPath "$env:USERPROFILE\Desktop\test.xml"
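
The service-account approach from this thread, put together as a backup script a scheduled task could run. This is an added example, not code from any poster. The D:\UcsBackup paths and the file name pattern are assumptions, as is the UCS PowerTool module being installed where PowerShell can auto-load it. key.txt and test.xml must have been generated while logged on as the same service account on the same machine.

```powershell
# Added example: UCS config backup run by a scheduled task under a service account.
# Assumed layout (hypothetical paths, not from the thread):
#   D:\UcsBackup\secrets  - key.txt and test.xml, readable only by the service account
#   D:\UcsBackup\archive  - backup output
$ErrorActionPreference = 'Stop'
$secretDir = 'D:\UcsBackup\secrets'
$backupDir = 'D:\UcsBackup\archive'

# key.txt was written by ConvertFrom-SecureString without -Key, so it can only
# be decrypted by the account and machine that created it.
try {
    $key = Get-Content (Join-Path $secretDir 'key.txt') | ConvertTo-SecureString
}
catch {
    # Typical cause: the task runs as a different account, or the file was copied
    # from another machine. Regenerate key.txt while logged on as this account.
    Write-Warning ("Cannot decrypt key.txt as {0}\{1} on {2}: {3}" -f `
        $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, $_.Exception.Message)
    exit 1
}

# Reconnect using the exported session file and the decrypted export key.
Connect-Ucs -Key $key -LiteralPath (Join-Path $secretDir 'test.xml') | Out-Null

try {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $backupDir "ucs-$stamp-config-all.xml"
    Backup-Ucs -Type config-all -PathPattern $target
    Write-Output "Backup written to $target"
}
finally {
    # Always release the UCSM session, even if the backup failed.
    Disconnect-Ucs
}
```

An operator who is allowed to start the scheduled task, but has no read access to the secrets folder, can trigger the backup without ever holding the export key or the UCS password.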