nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Securely storing credentials for use within a script (not for executing the script itself)

SilentMuse

I have a SAM component in a template that runs a powershell script locally to make an API call to a firewall and query some data. The issue is how to safely pass credentials to the script for the API query. This isn't for running the actual script, as it's run locally from Orion, but as variables to pass to the API call to hit the firewall box.

In testing I have the creds stored in the component and passed to the script as variables, but of course that's not idea as it's visible. I can't use the Orion credentials store as this is used for context for running the script, as opposed to something I can pass in to the script.

I did find a reference to storing the creds encrypted on a flatfile on the orion server and then have the script pull from that, however I have multiple poller engines in the instance, so maintenance of that flatfile would be non-ideal.

Anyone found a way to do this reasonably?

Find more posts tagged with

Accepted answers

All comments

chad.every

Are you passing the credentials via the component monitor script argument line? Or are you referencing the credential variable directly in the script?

What I've always done is:

Set the credentials in the Credentials for Monitoring dropdown
Reference the credentials with with ${creds} variable and Get-Credentials so it stores it as a secure string.

oversimplified example:

morr_rva

One way to do it is via the Powershell cmdlets "Export-CliXML" and "Import-CliXML." Assuming the script is running from the poller, log in as the userid running the script, then use Get-Credentials/Export-CliXML to create the file. Once it is created, you can use Import-CliXML in the script to read the credentials. The credentials are stored encrypted in the file and are only readable by that user on that machine. In your case, you'd have to repeat the export several times, once on each poller, but you could use the same file name on each poller, which should accomplish what you want.

SilentMuse

I was passing them directly from the arguments line. I had assumed (perhaps wrongly) that the Credentials for Monitoring line was about the credentials needed to run the script (ie. since it's a local powershell script, the user needed to execute the script on the Orion poller). But if I can give it the credentials that i need to pass into the script as you show, then I'd be set. In your example you show passing the creds to a single variable $MyCreds - how does it work for passing userID and pasword? OR, is it just passing the password portion of the cred? I'm ok with that if it is, since I don't need the userid to be secure, only the password, so I could pass the userid portion via the arguments line.

SilentMuse

I did consider this sort of approach, but my main concern is that since I have around 30 servers across 5 instances to deal with, the maintenance would be a problem. Ideally I'd like to find a solution that I can maintain from a single place.

chad.every

Once it is in Get-Credentials then you can extract only the username or password. I've had to do that before for similar things where I only needed the password to call into some other system. I don't have an example for that currently but I know there are examples out on the googles for that with Get-Credentials. 😀

muhammad.osama

SilentMuse

For the benefit of those searching this later, I solved it using a variation on what @chad.every offered me. Using what he supplied I was able to track down that after adding the Credentials in the Credential for Monitoring line, then in the powershell script I could use:

$c = Get-Credential -credential ${CREDENTIAL}
[string]$UserID = $c.Username
[string]$UserPass = $c.GetNetworkCredential().password

This populated UserID and UserPass with the creds supplied in Credential for Monitoring and populated UserID and UserPass, which I could then apply as needed further down the script with my API call.

Many thanks all, especially Chad.

regards,

Paul