Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Impact of secure module configuration on existing processes


In BMC Atrium Orchestrator 7.6, a new module configuration type, Secure, was introduced. When secure data types are used where they are not expected, problems can occur.

In BMC Atrium Orchestrator 7.5.xx and earlier, all module configuration items had the type Static (text) or XML. The configuration items are often used for user IDs and passwords, adapter names, commands, and other constant strings and XML. A common way to use configuration items in transforms is to put them in a context and then use that context as a token in the transform. This practice was acceptable as long as the values in the configuration items, and thus context and token, did not make the transform style sheets invalid. This practice was a common coding technique in run books and modules supplied by BMC. However, it created the issue of storing sensitive data as plain text.

To address this issue, in BMC Atrium Orchestrator 7.6, secure configuration items are implemented as XML, similar to the following sample:

<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"  
Type="http://www.w3.org/2001/04/xmlenc#Content">
 <CipherData>
  <CipherValue>cGFzc3dvcmQK</CipherValue>
 </CipherData>
</EncryptedData>

When a module configuration item type is changed from Static to Secure, processes and transforms using that configuration item, even indirectly, might need to be modified to avoid process failures.

The following problems have occurred when secure data types are used where they are not expected:

  • An XSLT style sheet of a transform might become invalid, causing a process to compensate.
     In general, inserting a secure configuration item in a token into an XSLT transform, either in select attributes of copy (CP), copy-of (CPO), or similar elements, or in test attributes of xsl:if elements (IF), invalidates the XSLT style sheet. An invalid XSLT style sheet usually results in processes compensating with XSLT errors.
  • A secure configuration item might be escaped so that it is not recognized as needing decryption before use.
     Inserting a secure configuration item in a token into an XSLT transform in xsl:text elements (TXT) can cause the secure configuration item XML to be converted into a string in which all of the XML characters are escaped. When this situation occurs, BMC Atrium Orchestrator will not recognize it as XML, and will not decrypt it. This is a subtle error because most BMC Atrium Orchestrator logging unescapes the string for logging, which hides the fact that the error happened. This error usually causes connections to fail because of authentication errors, regardless of the authentication credentials provided.
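Both failure modes can be checked offline while testing a workflow. The following Python sketch is an added example, not BMC code: the function names, the `[password]` token placeholder, and the style sheet are hypothetical, and the check inspects the raw value before any unescaping, because unescaped log output hides the problem.

```python
import html
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample with the same shape as the secure item shown on this page.
SECURE_ITEM = (
    '<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" '
    'Type="http://www.w3.org/2001/04/xmlenc#Content">'
    "<CipherData><CipherValue>cGFzc3dvcmQK</CipherValue></CipherData>"
    "</EncryptedData>"
)
# Constructed: the same item after every XML character has been escaped.
ESCAPED_ITEM = html.escape(SECURE_ITEM)

def _is_encrypted_data(text):
    """True if text parses as an xmlenc EncryptedData element."""
    try:
        root = ET.fromstring(text.strip())
    except ET.ParseError:
        return False
    return root.tag == "{%s}EncryptedData" % XMLENC_NS

def classify_value(raw):
    """Classify a raw (not yet unescaped) value produced by a transform."""
    if _is_encrypted_data(raw):
        return "secure-xml"          # intact XML, recognizable as a secure item
    if _is_encrypted_data(html.unescape(raw)):
        return "escaped-secure-xml"  # only looks like a secure item once unescaped
    return "plain"

def stylesheet_is_well_formed(template, token, value):
    """Substitute a token textually, then check that the style sheet still parses."""
    try:
        ET.fromstring(template.replace(token, value))
        return True
    except ET.ParseError:
        return False

# Hypothetical style sheet with a token inside a select attribute.
TEMPLATE = (
    '<xsl:stylesheet version="1.0" '
    'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<xsl:template match="/"><xsl:copy-of select="\'[password]\'"/>'
    "</xsl:template></xsl:stylesheet>"
)

if __name__ == "__main__":
    print(classify_value(SECURE_ITEM), classify_value(ESCAPED_ITEM))
    print(stylesheet_is_well_formed(TEMPLATE, "[password]", SECURE_ITEM))
```

A value classified as `escaped-secure-xml` matches the second problem above, and a `False` result from `stylesheet_is_well_formed` matches the first.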

Before you use secure configuration items, BMC recommends that you thoroughly test workflows, and if necessary, modify them for the use of secure configuration items.

 


(archive) BMC Atrium Orchestrator Platform 7.7