...

Credentials are the user ID and password under which an Agent runs tasks on the machine where the Agent resides.

...

Standard

Runtime user name and runtime password of a user.

Resolvable

Runtime user name and runtime password of a user that you can embed into a task or script without exposing the password in clear text.

Web Service

Runtime user name and runtime password of a user running a Web Service task.

Email

Runtime user name and runtime password of a user connecting to an incoming mail server (IMAP).

...

Note

Unless Credentials must be embedded, we recommend defining Standard Credentials. If required, you can always convert a Standard Credential to a Resolvable Credential at a future time.

...

You can convert a Credential from any type to any type.

To convert a Credential type from Standard to Resolvable, Web Service, or Email, the Resolvable Credentials Permitted, Web Service Credentials Permitted, or Email Credentials Permitted Universal Controller system property, respectively, must be set to true.

...

When you convert a Credential, you must provide a new password. The Controller will not convert an encrypted password of one Credential type to an encrypted password of a different Credential type.

...

Note

Converting a Credential type does not create a new version of the Credential. Also, you cannot restore a Credential to an older version if the Credential type of the current version is not the same Credential type as the older version.

...

As of Universal Controller 6.4.x, the Credential Runtime Passwords, along with the LDAP Settings Bind Password, Email Connection Passwords, Promotion Target Passwords, and Promotion Schedule Promotion Passwords, are encrypted using AES with 128-bit keys.

...

Please note the following backwards compatibility constraints with respect to List Import, Bulk Import, and the Universal Controller Start-up Properties (opswise.properties).

  • Any attempt to List Import or Bulk Import XML (containing a password encrypted by a 7.2.x release) into a pre-6.4.0.0 release will result in an encrypted value that cannot be decrypted by the pre-6.4.0.0 release.
  • Any encrypted passwords within the Universal Controller Start-up Properties will be re-encrypted using the new algorithm when the 7.2.x Controller initializes at start-up. Once converted, the Universal Controller Start-up Properties will no longer be compatible with a pre-6.4.0.0 release.

...

Resolvable Credentials are meant to be used with scripts and commands specified in tasks, and are resolved when the script or command is executed. They provide the script or command with access to Credentials (user name and password) without having to hard-code the Credentials in the script, command, or parameters themselves.

In order to enable the use of Resolvable Credentials, the Resolvable Credentials Permitted Universal Controller system property must be set to true (default is false).

If the Resolvable Credentials Permitted property is set to false, the following restrictions on Resolvable Credentials apply:

...

To use Resolvable Credentials with a script, embed the Resolvable Credentials in any of the following:

Using Resolvable Credentials in a Task

To use Resolvable Credentials with a task, embed the Resolvable Credentials in any of the following:

Task / Fields

Linux/Unix
  • Command
  • Parameters
Windows
  • Command
  • Parameters
Web Service
  • URL Query Parameter Values (Not Name)
  • Form Data Values (Not Name)
  • Form Payload
  • HTTP Headers Values (Not Name)

Embedding Resolvable Credentials

Five Controller Credentials Functions are available for embedding Resolvable Credentials:

Name

Description

Syntax

Return Key Location of a Credential

Used for embedding the Key Location in a script.

${_credentialKeyLoc('<credential_name>')}

Return Passphrase of a Credential

Used for embedding the Passphrase in a script.

${_credentialPassphrase('<credential_name>')}

Return Token of a Credential

Used for embedding the Token in a script.

${_credentialToken('<credential_name>')}

Return User Name of a Credential

Used for embedding the Runtime User in a script.

${_credentialUser('<credential_name>')}

Return User Password of a Credential

Used for embedding the Runtime Password in a script.

${_credentialPwd('<credential_name>')}

...

  • $(ops_unv_cred_key_loc_08236da16c3944899aae5a874da077bb)
  • $(ops_unv_cred_passphrase_08236da16c3944899aae5a874da077bb)
  • $(ops_unv_cred_token_08236da16c3944899aae5a874da077bb)
  • $(ops_unv_cred_user_08236da16c3944899aae5a874da077bb)
  • $(ops_unv_cred_pwd_08236da16c3944899aae5a874da077bb)

Additionally, for a Universal Template, you can create a Field of Type = Credential, which lets you select or create Resolvable Credentials. The Controller will create a variable for the Resolvable Credential Field, which you can embed in the Universal Template script using the Credentials Functions. This also lets you change Credentials when you run a Universal Task based on the Universal Template.

...

Note

By default, occurrences of Resolvable Credential passwords and passphrases are scrubbed from Web Service task output, reducing (but not eliminating) the risk of passwords and passphrases being returned to the task instance output or output metadata, which can be retrieved and viewed within Universal Controller. Note, however, that the functions can still be used against an API that stores the password and passphrase somewhere that you have access to.

...

If the Execution User for a task instance does not have Execute permission for an embedded Resolvable Credential, the task instance will transition to the Start Failure status with one of the following status descriptions:

  • Execution with credentials "credential-name", contained within the Universal Template Script, prohibited due to security constraints.
  • Execution with credentials "credential-name", contained within the command field or parameters field, prohibited due to security constraints.
  • Execution with credentials "credential-name", contained within the script "script-name", prohibited due to security constraints.
  • Execution with credentials "credential-name", contained within a script, prohibited due to security constraints.
  • For Web Service tasks:
    Execution with credentials "credential-name", contained within the "<URL Query Parameter/Form Data/Payload/Payload Script/HTTP Headers>" field, prohibited due to security constraints.
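
A pre-flight audit for the Execute permission check described above, as an added example (not Universal Controller code): it extracts calls to the five Credentials Functions listed on this page from task fields and separates references the Execution User may run from those that need review. The sample task, the credential names and the set of executable credentials are constructed; the Controller's own permission lookup is not modelled.

```python
import re

# The five Credentials Functions listed on this page and the value each returns.
FUNCTIONS = {
    "_credentialKeyLoc": "key location",
    "_credentialPassphrase": "passphrase",
    "_credentialToken": "token",
    "_credentialUser": "user name",
    "_credentialPwd": "password",
}
NAMES = "|".join(FUNCTIONS)
# A call whose argument is a literal, single-quoted credential name (the page's syntax).
CALL = re.compile(r"\$\{\s*(" + NAMES + r")\(\s*'([^']*)'\s*\)\s*\}")
# Any call to one of the functions, whatever its argument looks like.
ANY_CALL = re.compile(r"\$\{\s*(" + NAMES + r")\(")


def find_references(fields):
    """Return sorted (field, function, credential_name) tuples; name is None if not a literal."""
    refs = set()
    for field, text in fields.items():
        literal_starts = {m.start() for m in CALL.finditer(text)}
        refs.update((field, m.group(1), m.group(2)) for m in CALL.finditer(text))
        for m in ANY_CALL.finditer(text):
            if m.start() not in literal_starts:  # argument cannot be checked statically
                refs.add((field, m.group(1), None))
    return sorted(refs, key=lambda r: (r[0], r[1], r[2] or ""))


def preflight(fields, executable_credentials):
    """Split references into those the Execution User may run and those needing review."""
    allowed, review = [], []
    for ref in find_references(fields):
        (allowed if ref[2] in executable_credentials else review).append(ref)
    return allowed, review


# Constructed sample task; field names follow the Linux/Unix row of the task table.
SAMPLE_TASK = {
    "Command": "/opt/app/load.sh ${_credentialUser('db_prod')} ${_credentialPwd('db_prod')}",
    "Parameters": "--token ${_credentialToken('api_gw')} --key ${_credentialKeyLoc(${env_cred})}",
}

if __name__ == "__main__":
    ok, review = preflight(SAMPLE_TASK, {"db_prod"})
    for field, func, name in review:
        print(f"REVIEW {field}: {FUNCTIONS[func]} of {name or '<non-literal name>'}")
```
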

If the Resolvable Credentials Permitted Universal Controller system property is set to false, any task instance with an embedded Resolvable Credential will result in a Start Failure status with the following status description:

...

You can embed source and destination Credentials in a UDM script using File Transfer Task Instance built-in variables.

For File Transfer tasks, the Agent may need additional credentials for logging on to the FTP server.

Defining a Credential

Step 1

From the Automation Center navigation pane, select Other > Credentials. The Credentials list displays a list of all currently defined Credentials.
 
Below the list, Credential Details for a new Credential displays.
 

Step 2

Enter/select Details for a new Credential, using the field descriptions below as a guide. As a best practice, use an alias in the Name field, as you may have several identical user names for different systems all having different passwords.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

To display more of the Details fields on the screen, you can either:

  • Use the scroll bar.
  • Temporarily hide the list above the Details.
  • Click the New button above the list to display a pop-up version of the Details.

Step 3

Click a Save button. The Credential is added to the database, and all buttons and tabs in the Credential Details are enabled.


Note

To open an existing record on the list, either:

  • Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
  • Click the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
  • Right-click a record in the list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).

Credential Details

The following Credential Details is for an existing credential. See the field descriptions, below, for a description of all fields that display in the Credential Details.

...

For information on how to access additional details - such as Metadata and complete database Details - for Credentials (or any type of record), see Records.

Credential Details Field Descriptions

...

Field Name

Description

Details

This section contains detailed information about the credential.

Name


Version

System-supplied; version number of the current record, which is incremented by Universal Controller every time a user updates a record. Click on the Versions tab to view previous versions. For details, see Record Versioning.

Description


Member of Business Services


Type

Type of Credential.
 
Options:

  • Standard (default)
  • Resolvable
  • Web Service
  • Email
Note

Only Resolvable Credentials can be embedded in a Universal Template script.


Provider

Specifies Provider. 

Options:

Default is Universal Controller. 

Provider Parameters 

When switching the Provider option, the default Provider Parameters for each provider will be populated.

When switching to the Universal Controller provider, the Provider Parameters will not be displayed.

Runtime User


Runtime Password


Key Location
(SFTP only)


Passphrase
(SFTP only)


Token


Metadata

This section contains Metadata information about this record.

UUID

Universally Unique Identifier of this record.

Updated By

Name of the user that last updated this record.

Updated

Date and time that this record was last updated.

Created By

Name of the user that created this record.

Created

Date and time that this record was created.

Buttons

This section identifies the buttons displayed above and below the Credential Details that let you perform various actions.

Save

Saves a new Credential record in the Controller database.

Save & New

Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.

Save & View

Saves a new record in the Controller database and continues to display that record.

New

Displays empty (except for default values) Details for creating a new record.

Update


Test Provider

For providers other than Universal Controller.

The Test Provider button is available for validating the configured Provider Parameters.

Convert...

Allows you to convert the current Credential Type to a new type and define a new password for the Credential (see Converting Credential Types).

Delete


Refresh

Refreshes any dynamic data displayed in the Details.

Close

For pop-up view only; closes the pop-up view of this credential.

Tabs

This section identifies the tabs across the top of the Credential Details that provide access to additional information about the credential.

Versions


...

Provider Parameter

Required

Description

APPLICATION_ID

true

The unique ID of the application issuing the password request.

SAFE

true

The name of the Safe where the password is stored.

FOLDER

true

The name of the folder where the password is stored.

OBJECT

true

The name of the password object to retrieve.

REASON

false

The reason for retrieving the password.

CACHE_TTL

false

The TTL (Time To Live), in seconds, for the cached secret before a new request to the provider is made. (default 5 seconds)

CyberArk Central Credential Provider

...