After I depoly my application to Tibco ActiveMatrix Administrator, I go to properties and the property type is now changed to 'string' even though I made it as 'password' type. (Oh, but it is then encrypted like "#!jZ8MsfxWv2PCwTMAngz67w==") Stroing as string with encrypted value is fine, but if I change the value (For example, password 123 to 456), it is not encrypted anymore
Here are my questions..
1) Does Password type field not exist anymore in TIBCO ActiveMatrix Administrator version 3.2.0?
2) If you have any experience on automated build using TFS, what I meant by 'changing property' was property file in my script folder. My archive, ear, daa file stores that as password type, but it is changed to 'string' type automatically if I depoly to TIBCOM AMX Administrator.
Administrator supports changing passwords. You will see like this.
If you want to change/update the password via scripts - you will have to encrypt the password. You can use the obfuscate.exe in the /bin folder. Read up on this in the TRA documentation.
Also of interest might be the "Working with Passwords" section in the TRA Scripting Deployment guide.
Related
I would like to restrict some functions in a user written server add-in for certain users or groups.
Question: Is it possible to get (via an API) the user name who is sending a "Tell" command from a remotely connected server console?
Example:
Tell AddinName Command (issued remotely by Hotline User)
Tell AddinName Command (issued remotely by Admin User)
The remote console (and therefore the "Tell" command) is available to both users, but a subset of commands should only be allowed to authorised users (e.g. Group in Server Document->Security).
Is the user name (entering the "Tell" command) available (e.g. in the MessageQueue)?
I know that internally in Domino there are already some restriction possible to commands issued at the console.
The session.getCommonUserName() always returns the server name (since the add-in runs in context of the server).
Thanks for any pointer or ideas.
Andy
I believe that the answer to this is no, and it would not be advisable to implement tell commands that you can't trust to all authorized administrators.
If you really do need to confirm a user identity for a command, you're going to need to use database to queue the commands. I.e., you could build an application that stores the commands in documents in a database with a restricted ACL. Your addin code can use an Extension Manager hook to monitor the database for changes and read new documents when they appear, or you could have your application use NotesSession.SendConsoleCommand to issue something like 'tell myAddIn process ' to wake up your addin and give it the noteid of the document it just created. If you need to protect against people with full access admin rights overriding the ACL, your application could digitally sign the documents and your addin could verify the signatures.
I am trying to get our build server (TFS2010) to sign the assemblies for one of our projects.
I have manually imported the pfx (and associated 'chain' certificate) from verisign on the build machine, under/within the context of the build user account. I am using ResovleKeySource as part of the before build where I should be getting the ResolvedThumbprint as an output parameter.
The project file has the SignAssembly property set to true.
When i run this locally (ie build within VS2012), if I add a property to the proj file (ie CertificateThumbprint) with the thumbprint, on my local machine it finds the certificate in the store and signs the assembly.
The same thumbprint value is passed as a parameter to the build process, I can see it's there (using message statements) however, as noted, it never resolves.
Build user is local admin on that machine.
Has anyone encountered anything similar, and have suggestions on how to resolve the issue?
I am not getting errors from the build process (ie such as can't find certificate in store) - I get nothing. No errors, but no resolved thumbprint either.
Ok, so it looks like there may have been a funky (unprinted) character in the thumbprint that was passed as a parameter from TFS to build. I had another developer look at the build definition, got them to modify the thumbprint parm value (yes, the ONLY change made) and, voila, the build starts signing like a champ....
We are in the process of completing SSIS packages. However as we move towards the deployment phase surprisingly we realized that deployment of SSIS package is not really straight forward as terms of security.
we need to run a SSIS package using either batch file or .NET program in production server. The caller (batch or .NET) should call the SSIS package by supplying parameters (such as source file, destination database, userid, password etc) and also read return code (Success/Error) from SSIS. The user id and password should not be in clear text format visible to anyone. We did some research and found that deployment can be done using many options such as XML config, SQL server Configuration, environment variables, Registry etc but did not mentioned any about password encryption. How can we achieve security and ensure flexibility deploying same package in multiple environment (DEV,UAT,PROD) and simple changing the environment specific variables at the time of deployment.
I am looking for somthing where MVC/Entity framework the connection strings are automatically encypted when the application is run first time using following code.
Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
ConfigurationSection section = config.GetSection("connectionStrings");
if (!section.SectionInformation.IsProtected)
{
section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
config.Save();
}
Your question confuses things.
By default, SSIS is going to encrypt anything that could be of a sensitive nature by using the author's Active Directory, AD, account. SSIS Packages Using Package Protection Level This Package Protection Level is EncryptSensitiveWithUserKey If you're using a SQL Server user and password in your connection string, the at-rest value in your SSIS package is going to be encrypted. Don't believe, me, open the file and find the Connection Manager's ConnectionString property.
Deployment is not done through XML, SQL Server, Registry etc. Those refer to methods of creating and storing configuration values that an SSIS package may access during run-time. Configuration has no concept of decrypting values. That isn't to say you can't encrypt values and have them decrypted for the caller, just that there is not built in mechanism for signifying "decrypt using this key."
An approach we are using is to use SQL Server for the holding of encrypted data. We create roles authorized to use the keys and then have computed columns that automatically decrypt the data based on role membership. A person not in that role querying the column will only ever get NULL back as the decrypted value. It's working well for use. EncryptionPOC
Deployment is done through
file copy
dtutil.exe
dtsinstall.exe
.NET api
I am trying to use the following code to get the email address from LDAP active directory? What should be the format of workerid? Should it be domainname\userid or just Environment.Username only?
I am thinking of using
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + workerID + ")";
The sAMAccountName attribute will usually reflect a combination of the first initial and last name of the user.
Being Greg Stachurski, my sAMAccountName in active directory is GStachurski.
Also, you should check out Softerra's LDAP Browser (the free version of LDAP Administrator). It's a fantastic piece of software that will be invaluable as you build applications around the LDAP protocol.
You can download it here - http://www.ldapbrowser.com/download.htm
There is no standard SAMAccountName format. It would be unique to your Directory Environment. If your on a windows machine, I would recommend using the LDP.exe utility. Select run from the start menu and enter ldp.exe (also works from the commandline). Most windows computers should have that utility installed. Select Connect from the Connection Menu and enter your AD server IP or FQDN and LDAP port. Then from the Connection Menu, select Bind, enter your username and password if required (or leave blank if not required). Then from the View Menu item, select Tree and enter the BaseDN value, you can also check the drop down for preloaded values. From here you can expand and navigate through your directory. Check a few user accounts to see how they have the SAMAccountName value formatted and you can base your code off that. Hope this helps.
I have one SSIS package i was deployed on server now i need to debug that SSIS package
so i have downloaded that on my local machine but
I'm not able to set breakpoints not on any step :(
nor able to compile or run why so getting error like
Error : Failed to decrypt protected XML node "DTS:Property" with
error 0x8009000B "Key
not valid for use in specified state.".
You may not be authorized to access this information. This error occurs when there
is a cryptographic error. Verify that the
correct key is available. C:\Users\Job1.dtsx 1 1
Package protection level sets to : EncryptSensitiveWithUserKey
You are getting this error because you are not the user who saved/deployed the package. If the package is encrypted by saving sesative with user key then only that user will be able to run or debug the package properly. You need to change the package protection level to do not save sensitive and then rebuild it. Next you will need to re-enter the sensitive data such as FTP credentials, etc and then change the package protection level to Encrypt sensitive with password. You will then be able to debug the package.
If you deploy to MSDB, then it is always a good idea to choose the Rely on server storage for encryption. If you do this, then when you pull the package down from the package store, it will automatically encrypt using your user key and you can set the appropriate protection level without the pain