Impact of secure module configuration on existing processes


While configuring modules, if secure data types are used where they are not expected, problems can occur.

In the earlier versions of TrueSight Orchestration Platform, all module configuration items were either of the type Static (text) or XML. The configuration items are often used for user IDs and passwords, adapter names, commands, and other constant strings and XML. A common way to use configuration items in transforms is to put them in a context and then use that context as a token in the transform. This practice was acceptable as long as the values in the configuration items, and thus context and token, did not make the transform style sheets invalid. This practice was a common coding technique in run books and modules supplied by BMC. However, it created the issue of storing sensitive data as plain text.

To address this issue, secure configuration items are implemented as XML, similar to the following sample:

<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
               Type="http://www.w3.org/2001/04/xmlenc#Content">
  <CipherData>
    <CipherValue>cGFzc3dvcmQK</CipherValue>
  </CipherData>
</EncryptedData>

When a module configuration item type is changed from Static to Secure, processes and transforms using that configuration item, even indirectly, might need to be modified to avoid process failures.

The following problems have occurred when secure data types are used where they are not expected:

  • An XSLT style sheet of a transform might become invalid, causing a process to compensate.
     In general, inserting a token that holds a secure configuration item into an XSLT transform in the select attribute of a copy (CP), copy-of (CPO), or similar element, or into the test attribute of an xsl:if element (IF), invalidates the XSLT style sheet. An invalid XSLT style sheet usually results in processes compensating with XSLT errors.
  • A secure configuration item might be escaped so that it is not recognized as needing decryption before use.

Inserting a token that holds a secure configuration item into an XSLT transform in an xsl:text element (TXT) can convert the secure configuration item XML into a string in which all of the XML characters are escaped. When this happens, TrueSight Orchestration does not recognize the value as XML and does not decrypt it. This is a subtle error because most TrueSight Orchestration logging unescapes the string before writing it, which hides the fact that the error occurred. The usual symptom is that connections fail with authentication errors regardless of the credentials provided.

The following scenarios explain the cases in which secure context items cannot be used as is and require modification.

  • Because secure context items are treated as XML, they must be used as XML in XSLT transforms. For example, if a secure configuration item is represented by a token, using that token directly in the select attribute of a Copy Of (xsl:copy-of) element fails, whether or not you escape the token. In this scenario, create a variable from the token and then use that variable as the value of the Copy Of element.
  • In adapter requests, only secure data that appears as an XML element beneath another XML element is decrypted; no other scenario is supported. For example, in the following XML, the EncryptedData element beneath cp-element is decrypted, but the escaped EncryptedData text beneath text-element is not.

    <cp-element>
      <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
        <CipherData>
          <CipherValue>Nuc2XnnfSQRB4+NPuYJX8w==</CipherValue>
        </CipherData>
      </EncryptedData>
      <text-element>&lt;EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"&gt; &lt;CipherData&gt;&lt;CipherValue&gt;Nuc2XnnfSQRB4+NPuYJX8w==&lt;/CipherValue&gt;&lt;/CipherData&gt;&lt;/EncryptedData&gt;</text-element>
    </cp-element>
  • To test for the presence of encrypted data in XML, use the following XPath/XSLT expression. Matching on name() is required because the EncryptedData element carries an XML namespace declaration, so a plain element-name path does not match it:

    boolean(//*[name()='EncryptedData'])
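The following Python script is an added example, not BMC code, that checks an adapter request for the two cases in the bullets above: an intact EncryptedData element, which the platform decrypts, and an escaped copy sitting in a text node, which it does not. The sample request is constructed to mirror the cp-element XML above, and the presence check mirrors the namespace-aware XPath expression.

```python
"""Audit an adapter request for secure configuration items that were
escaped into text (never decrypted) versus intact EncryptedData elements.
Added example; not part of TrueSight Orchestration."""
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"
# ElementTree uses Clark notation; the namespace matters for the same
# reason the page's XPath must match on name() rather than a bare path.
ENCRYPTED_TAG = "{%s}EncryptedData" % XMLENC_NS

# Constructed sample modelled on the cp-element / text-element case above.
SAMPLE_REQUEST = """<cp-element>
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <CipherData><CipherValue>Nuc2XnnfSQRB4+NPuYJX8w==</CipherValue></CipherData>
  </EncryptedData>
  <text-element>&lt;EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content"&gt;&lt;CipherData&gt;&lt;CipherValue&gt;Nuc2XnnfSQRB4+NPuYJX8w==&lt;/CipherValue&gt;&lt;/CipherData&gt;&lt;/EncryptedData&gt;</text-element>
</cp-element>"""


def has_encrypted_data(xml_text):
    """Equivalent of boolean(//*[name()='EncryptedData']): True when at
    least one real (namespaced) EncryptedData element is present."""
    root = ET.fromstring(xml_text)
    return any(elem.tag == ENCRYPTED_TAG for elem in root.iter())


def audit_secure_items(xml_text):
    """Return (decryptable, escaped): paths of intact EncryptedData elements
    and paths of elements whose text contains an escaped EncryptedData
    string, i.e. a secure item that will silently fail to decrypt."""
    root = ET.fromstring(xml_text)
    decryptable, escaped = [], []

    def walk(elem, path):
        here = path + "/" + elem.tag.split("}")[-1]
        if elem.tag == ENCRYPTED_TAG:
            decryptable.append(here)
        # After parsing, &lt;EncryptedData becomes a literal '<EncryptedData'
        # inside a text node instead of a child element.
        text = (elem.text or "") + "".join(child.tail or "" for child in elem)
        if "<EncryptedData" in text:
            escaped.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return decryptable, escaped
```

Run audit_secure_items over a request captured from a failing workflow: any path in the escaped list is a token that was inserted through xsl:text and explains authentication failures that the unescaped log output hides.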

Before you use secure configuration items, BMC recommends that you thoroughly test your workflows and, if necessary, modify them for the use of secure configuration items.


TrueSight Orchestration Platform 8.1