VMware Cloud Community
Flynch00
Enthusiast

Decrypt vRO Endpoint passwords

Good morning guys,

I'm currently trying to decrypt a vRO Active Directory endpoint password from vRO. The passwords come as an encrypted string like vcoencrypted:{riv}dX5Bw6UfnbG7bH83HtiJDmqMeSqFhzEv5YN+UPbaucE=

In the previous 7.x version there was a script, /usr/lib/vco/tools/configuration-cli/bin/vro-configure.sh decrypt --value vcoencrypted:{riv}dX5Bw6UfnbG7bH83HtiJDmqMeSqFhzEv5YN+UPbaucE=, that could do that.

 

Unfortunately this doesn't exist anymore in vRO 8.

Is there any other way to decrypt these encrypted strings?

 

Thanks for your help!


12 Replies
Errock07
Enthusiast

How about this: https://github.com/vmware/o11n-plugin-crypto

** If you found this reply useful, may I have kudos **
eoinbyrne
Expert

EncryptedString values can only be decoded by the Server IIRC (or Plugins - can't 100% recall)

One option you could look at might be the WorkflowToken for the "Add an Active Directory server" workflow run if it still exists. The input variable there is stored as a SecureString which a workflow/action can retrieve and print (or at least this used to work in 7.x)

-- EDIT -- Checked on a 7.x and, while that workflow has a variable on the token, it looks to be *always* empty after the workflow has ended. Script is the option then.

Code is here:

[screenshot attachment: eoinbyrne_0-1677588279768.png]

Failing that, if you're desperate and have access to a 7.x you might be able to re-create the vro-configure.sh script on the 8.x? Since the script calls a Java class in the background it's possible that the relevant JARs and classes still exist on 8.x - this would be logical since the 8.x server has to have the same capability available if the string is encrypted with a host-level key?

eoinbyrne
Expert

This KB is interesting - https://kb.vmware.com/s/article/83653 - due to the part on running an RPM installation for vco-cfg-cli, which looks rather like the old vro-configure.sh you were looking for?

Might be worth a shot to get that package installed and then explore the help docs to see what other services it provides?

eoinbyrne
Expert

I found a slightly wonky 8.x instance in our lab and tried out my own suggestion there & it looks like that has what you need

[screenshot attachment: eoinbyrne_0-1677598515853.png]

You need to run the "vro-configure-inner.sh" as the wrapper variant complained about "su" not being on the PATH for the Container bash session

-HTH

 

Flynch00
Enthusiast

Hi guys, and sorry for my late answer!

@eoinbyrne That is exactly what I needed! I just didn't realize that it's an optional RPM!

I decrypted the password correctly through the script! That's great!

Many thanks for your help.

Flynch00
Enthusiast

Thanks for sharing, but it seems impossible to decrypt this kind of vRO encryption with this plugin. Or at least I didn't succeed!

Thanks anyway 🙂

xian_
Expert

In vRO8 the script reports 'null' for SecureString inputs ☹️

Flynch00
Enthusiast

Hi Xian

 

That is weird. Here is what I did to accomplish this task:

I retrieve the encrypted Active Directory password with this method:

 

adHost.hostConfiguration.sharedUserPassword

 

 

 

And here is my action code to decrypt vRO encrypted passwords:

 

// Action input: stringToDecrypt (string), the vcoencrypted:{riv}... value read from the endpoint
var command = new Command("/usr/lib/vco-cli/bin/vro-configure-inner.sh decrypt --value " + stringToDecrypt);
command.execute(true);
var cmdResult = command.result;
var cmdOutput = command.output;
if (cmdResult != 0) {
    throw "Command output: " + cmdOutput;
}
// The decrypted value is printed on the third line from the end of the CLI output
var splittedResult = cmdOutput.split("\n");
var adPassword = splittedResult[splittedResult.length - 3];
return adPassword;

 

 

It returns the result successfully.

 

Obviously you have to configure the vRO instance as mentioned before in this thread.

Configure the vro-cfg-cli:

kubectl get pods -n prelude
kubectl -n prelude exec -it vco-app-7fbc9c65cc-2vm25 -c vco-server-app -- bash
rpm -hiv --nodeps /vco-cfg-cli.rpm

 

And allow vRO to execute system commands by adding this property in Control Center:

com.vmware.js.allow-local-process: true
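A hardened variant of the action above, added here as an example and not code from the thread: it checks that the input really has the vcoencrypted:{riv} shape before it is concatenated into the command line, and keeps the output parsing in its own function so it can be tested outside vRO. It assumes the same CLI path and the same output layout (value on the third line from the end) that the post reports; the function names are my own.

```javascript
// Added example (not from the thread): hardened decrypt action for vRO 8.x.
// Assumes the vco-cfg-cli RPM is installed in the vco-app pod and
// com.vmware.js.allow-local-process is enabled, as described in the thread.

// vRO endpoint secrets look like "vcoencrypted:{riv}<base64>". Only that
// shape is accepted, so a value that is not a genuine encrypted string can
// never reach the shell command line that the action builds by concatenation.
var ENCRYPTED_RE = /^vcoencrypted:\{riv\}[A-Za-z0-9+\/]+={0,2}$/;
var CLI_PATH = "/usr/lib/vco-cli/bin/vro-configure-inner.sh";

function isVcoEncrypted(value) {
    return typeof value === "string" && ENCRYPTED_RE.test(value);
}

// Build the command line only after the value passed validation.
function buildDecryptCommand(value) {
    if (!isVcoEncrypted(value)) {
        throw "Refusing to decrypt: value is not a vcoencrypted:{riv} string";
    }
    return CLI_PATH + " decrypt --value " + value;
}

// The CLI prints the clear-text value on the third line from the end of its
// output (assumption taken from the thread; adjust if the CLI format changes).
function extractDecryptedValue(cmdOutput) {
    var lines = cmdOutput.split("\n");
    if (lines.length < 3) {
        throw "Unexpected CLI output: " + cmdOutput;
    }
    return lines[lines.length - 3];
}

// Runs inside vRO, where the Command scripting class exists; the helpers
// above are plain ES5 so they also run under Node for testing.
function decryptEndpointPassword(stringToDecrypt) {
    var command = new Command(buildDecryptCommand(stringToDecrypt));
    command.execute(true);
    if (command.result !== 0) {
        throw "Command output: " + command.output;
    }
    return extractDecryptedValue(command.output);
}
```

In the vRO action body, replace the last lines of the original with `return decryptEndpointPassword(stringToDecrypt);`.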

 

eoinbyrne
Expert

Just to be clear / sure, in vRO terms it is important to remember that

SecureString != EncryptedString

A SecureString has a normal string value within it that the UI treats as a "secured" value. This means that the value is not encrypted, but the UI will NEVER display the value in any widget/control. If you have a SecureString you can ALWAYS just do System.log(secureStringInstance) and the log stream will print the real string value.

An EncryptedString, on the other hand, has a value which is the result of encrypting the input string with the Server key/certificate and then storing the result. An EncryptedString can only be decrypted using the Server key/certificate of the Server where the value was encrypted.

   

Flynch00
Enthusiast

Thanks for clarifying the situation.

In my case the AD endpoint returns an EncryptedString. But I never succeeded in decrypting it from the Crypto plugin, even with the vRO certificate and key.
There is maybe a better way to do this, but I haven't found it yet! 🙂

xian_
Expert

Thanks,

I was referring to @eoinbyrne's code on getting SecureString inputs from workflow runs, which did not work for me.

eoinbyrne
Expert

@xian_ Apologies, I got mixed up in the concurrent contexts there

Also, I'm seeing the same thing in vRO 8.x - SecureString attributes print as null from a WorkflowToken. That must have been changed, as it still works in 7.x.

To be fair, it *was* a bit of a security hole 🙂