VMware Cloud Community
ElecHires
Contributor

How does vCO store and use the Active Directory password?

Hello everybody,
I have a question about the way vCO encrypts, stores and uses the "Active Directory password".

I found this on the subject: http://www.vmware.com/pdf/vco_40_install_config_guide.pdf

At page 31:

[screenshot of page 31 of the vCenter Orchestrator Installation and Configuration Guide]

But I need more information on it.

How does it work?

jacksonecac
Enthusiast

There is a workflow under

Microsoft -> AD -> Configurations -> Add domain server (I think, or similarly named)

You then provide the domain server's information as well as an account to access the server with. You type in the password in a secure string box so it is not visible to the user or anyone else.

Once that is done it saves the connection string data with the object in the vRO database, and in doing this it encrypts the password into a hash to store with the domain server connection information (using the hashing algorithm you provided in the docs). Any time vRO needs to interact with the domain server after that, it uses the hashed password that it saved to connect to the domain server.

Also there is a SecureString object which does the same thing. You can save any password (in, say, a local variable in a vRO workflow) and it will be hashed and saved in the vRO database, so any user could use that particular workflow with the credentials but not know what the password was. (You then could limit the access to that workflow to only qualified users.)

https://en.wikipedia.org/wiki/Password-based_cryptography

vRO utilizes the multi-party method. (I believe)

iiliev
VMware Employee

Hi,

This document is a bit outdated.

The recent versions of vRealize Orchestrator use a FIPS-compliant Advanced Encryption Standard (AES) with a 256-bit cipher key for encryption of strings. The cipher key is randomly generated and is unique across appliances that are not part of a cluster. All nodes in a cluster share the same cipher key.

Every plug-in that has configuration workflow(s) collects the config information provided by the user and stores it server-side, so that each node in a vRO cluster shares the same plug-in configuration. Password fields are automatically encrypted when the configuration is persisted. Plug-ins have access to the configuration persister service at the Java code level.

ElecHires
Contributor

jacksonecac

If I understood right, every time vRO needs to interact with the server it uses the hashed password, but does it use a reverse method or a correspondence table?

iiliev
VMware Employee

AES is a symmetric-key algorithm, meaning the same crypto keys used to encrypt the passwords before persisting them at the vRO server side are also used to decrypt the persisted data back to plain text when needed (e.g. when trying to establish a connection to the AD server).
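
As an added illustration of the symmetric-key point (example code written for this page, not vRO's own implementation and not from any poster in this thread): a small Java model of a per-appliance AES-256-GCM string encryptor, with a SHA-256 digest beside it to show why a one-way hash could not serve the same purpose. The class and method names are assumed, and the password is a constructed sample value.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
public class PluginSecretStore {              // illustrative model, not vRO's own code
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKey applianceKey;     // random 256-bit key; cluster nodes would share it
    private final SecureRandom rng = new SecureRandom();
    public PluginSecretStore() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                         // AES-256, as described in the reply above
        applianceKey = kg.generateKey();
    }
    /** Called when a plug-in configuration is persisted: password -> base64(iv || ciphertext+tag). */
    public String persist(String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);                    // fresh nonce per record; never reuse a nonce with GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, applianceKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }
    /** Called when the plug-in needs the clear-text password again (e.g. to bind to AD). */
    public String recover(String stored) throws GeneralSecurityException {
        byte[] record = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, applianceKey, new GCMParameterSpec(TAG_BITS, record, 0, IV_BYTES));
        byte[] pt = c.doFinal(record, IV_BYTES, record.length - IV_BYTES);   // tag is verified here
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String adPassword = "Example-AD-Pa55word";               // constructed sample value
        PluginSecretStore nodeA = new PluginSecretStore();
        String stored = nodeA.persist(adPassword);
        System.out.println("recovered : " + nodeA.recover(stored));   // the same clear text comes back
        // A hash, by contrast, is one-way: it can verify a password but never yield it back.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(adPassword.getBytes(StandardCharsets.UTF_8));
        System.out.println("sha-256   : " + Base64.getEncoder().encodeToString(digest) + " (useless for binding to AD)");
        // A non-clustered appliance has its own random key, so it cannot read this record at all.
        try { new PluginSecretStore().recover(stored); }
        catch (GeneralSecurityException e) { System.out.println("other key : " + e.getClass().getSimpleName()); }
    }
}
```

The last case is the practical caveat: a persisted configuration copied to an appliance that does not share the cipher key is unreadable, which matters for backups and migrations between non-clustered nodes.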

jacksonecac
Enthusiast

What he said ^
