VMware Cloud Community
rkuechler
Enthusiast

Saving a Private Key to a local TMP file leads to problems?

Hi

We have several vRealize Orchestrator (vRO) servers in use (development, acceptance testing and production).
We now have a workflow with which the vRO server connects to a Linux target machine via public key authentication. Of course, the source vRO server needs a private key for this.
To be able to move (to stage) this workflow from one environment to the next (Dev -> Test -> Prod), this private key is stored in a vRO configuration as a secure string and then is copied to the respective environment as a TMP file on the vRO server during the workflow run.

The problem: The copied Private Key on the vRO source machine is claimed to be "invalid". We see that when we copy a private key as a TMP file to a vRO machine, this key no longer has the permissions "600". However, as far as we know, a private key must have this permission setting to be considered valid and usable, right?

Question: If that is the reason for our problems, how can we set the permission to 600 when creating the TMP Private Key (or afterwards) on the source vRO machine?

Or is there a better way to handle Private Keys on several vRO machines during the run of the workflow which needs them?

Kind regards
Roman

Accepted Solutions
eoinbyrne
Expert

There are two possible ways (assuming here that you are doing the following to create & write the temp key file)

System.createTempFile() to get a local file then writing the key content into the returned file handle?

You can get the file path from the File handle, at which point you *should* have the full local path on the FS (be careful though in case of container re-directs here! The container may reflect a path it understands, so worth testing carefully...)

Anyway, once you have the FS path to the actual temp file you could try the following

1. Use the Command object to run a shell command on the local node. You'd have to check if this is still supported on 8.x versions and also (IIRC) you need to modify a server configuration / whitelist to permit local command execution

2. (Slightly crazy but should be doable) - Add the vRO node as an SSH target, then use a workflow to connect and execute the chmod command in the active session. Close the session before proceeding.

YMMV in a production scenario 🙂

-HTH
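
The chmod step from option 1, as an added example that is not part of the original post: shell functions a local command could run against the temp file path, tightening the mode before the key is written and verifying the result. The function names, the scratch file and the placeholder key text are assumptions made for illustration.

```shell
#!/bin/sh
# key_mode_ok FILE: succeed only when FILE grants nothing to group or other,
# which is what OpenSSH requires of a private key file before using it.
key_mode_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null) || return 2
    perms=${perms%% *}              # first field, e.g. "-rw-r--r--"
    case "$perms" in
        -???------*) return 0 ;;    # regular file, group/other bits all unset
        *)           return 1 ;;
    esac
}

# lock_key_file FILE: the chmod from option 1, followed by a check of the
# resulting mode instead of assuming the command worked.
lock_key_file() {
    chmod 600 -- "$1" && key_mode_ok "$1"
}

# stage_key FILE KEYTEXT: tighten the mode while the file is still empty and
# only then write the key, so it is never readable by other local users.
stage_key() {
    lock_key_file "$1" || return 1
    printf '%s\n' "$2" > "$1"
}

# demo: replay the thread's situation on a scratch file (constructed input,
# the key text is a placeholder and not real key material).
demo() {
    f=$(mktemp) || return 1
    chmod 644 "$f"                  # loose mode, like the vRO temp file
    if key_mode_ok "$f"; then before=ok; else before=rejected; fi
    stage_key "$f" "PLACEHOLDER-NOT-A-REAL-KEY" || { rm -f "$f"; return 1; }
    if key_mode_ok "$f"; then after=ok; else after=rejected; fi
    rm -f "$f"                      # delete the key once the SSH step is done
    echo "$before $after"
}

demo    # prints: rejected ok
```

In a workflow the same order applies: create the temp file, restrict it to 600, write the key, and delete the file when the SSH connection is finished.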

rkuechler
Enthusiast

Maybe I could simply work around this issue with this alternative Question:

How can I generally change the permissions of a specific file on the vRealize Orchestrator file system itself within a Workflow?

Regards
Roman

rkuechler
Enthusiast

@eoinbyrne 

Thank you very much. We tried solution 1 and it works very well! 🙂

Kind regards
Roman