03-11-2016 07:33 AM - edited 03-11-2016 07:36 AM
We are not allowed to run FTP servers (even internal ones) with anonymous login access, and all of our passwords are controlled by corporate policy for expiry, complexity, etc. We also don't store credentials insecurely in scripts. I have a NetMRI CCS script that connects to devices, does some file operations and checks and, if everything is cool, will copy firmware or whatever to the device. Since the device initiates the connection to download the file, we need to feed the script credentials, which is easy enough using Script-Variables. It all works just fine, but the ID and password are recorded in the job details under the Process Log tab and the session log.
I looked in the CCS scripting guide and an few other places but I didn't find any knob or lever that would allow you to signal to NetMRI to not log a variable's values or to put little stars in their place.
Is there a knob or a flag you can use on a variable to tell the CCS processor to not log a particular variable value? The alternative of doing key-based auth via SCP is pretty painful.
03-11-2016 08:03 AM
I'm not sure if you are aware of this, but NetMRI has a TFTP server running on it for such use cases. The TFTP server is typically blocked by an ACL list, however, for a given script run against a given device, it is opened for the device for the duration of the script run.
Simply scp the files into the admin shell “tftp” directory and then run the “tftpsync” command from inside the admin shell. The “tftpsync” command copies the files from the “tftp” directory into the TFTP server’s staging area. After that, jobs should be able to access the files via tftp://NetMRI_IP_Address/Name_of_File .
03-11-2016 08:16 AM
Could you place the files on an HTTP(S) server instead? Restrict access based on source address via the server OS firewall and/or webserver rules (Linux iptables + Apache).
03-11-2016 08:42 AM
Actually, yes. The files in the TFTP server's staging area should also be available via http and https, depending on how your system is configured. Just replace tftp:// with http:// or https://, the rest should be the same.
03-11-2016 02:45 PM
Chris, I don't follow you on the last part. If one attempts an HTTP(S) access to the NetMRI without some special URL to point to the staging area, it would result in a UI login redirect. And NetMRI wouldn't allow an unauthenticated access for HTTP(S), right? Hopefully.
03-14-2016 07:48 AM
No, that is not the case. NetMRI dynamically manipulates its own ACL list such that, for the duration of the job, the target device is allowed access to *only* the tftp/http/https staging areas. Once the job has completed against the target device, the ACL change is reverted.
03-14-2016 09:15 AM
Never would have guessed that. So where exactly is this documented?
The admin guide discusses TFTP as part of ACM bare metal deployments. As part of that, it says "A NIOS appliance can also operate as a TFTP server."
03-14-2016 10:16 AM
Yeah, bits and pieces are documented here and there, but, I agree, it isn't all in one place and obvious. This support was added for Cisco rollbacks, and bulk config template pushes (Juniper needed http support as it did not support tftp).
03-22-2016 05:00 PM
To answer the original question... Yes, there is a way to make NetMRI obscure the value that is entered at runtime for a script variable.
If you specify "password" as the data type, like this:
Script-Variables: $SomeString password
...the value you enter for that variable will be obscured on-screen (to foil the bad guys looking over your shoulder), and in the Status and Process logs as well:
+++ [Script-Variables] +++ $somestring = '******'
...but if the string also appears in the session log (e.g. if the target device echoes the characters), then I don't think there is anything you can do on NetMRI to prevent that.
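The last post leaves two gaps: a variable the author forgot to declare as `password` is logged in the clear, and a value echoed by the device ends up in the session log regardless. An added example (not NetMRI's own feature, and not code from this thread) that a practitioner could run over exported job logs before archiving them or pasting them into a ticket: it reads the Process Log variable lines, treats any variable whose name looks like a credential as a secret, and masks that value everywhere in both logs. The `+++ [Script-Variables] +++ $name = 'value'` line format is inferred from the single line quoted above and is an assumption, as are the sample logs, which are constructed.

```python
import re
from typing import Dict, Tuple

# ASSUMPTION: variable lines in the Process Log look like the one quoted in the thread:
#   +++ [Script-Variables] +++ $somestring = '******'
# This regex is inferred from that single line, not from NetMRI documentation.
VAR_LINE = re.compile(r"^\+\+\+ \[Script-Variables\] \+\+\+ \$(\w+) = '(.*)'$")

# Name fragments that mark a variable as a secret even if the script author
# did not declare it with the "password" data type.
SECRET_NAME_HINTS = ("pass", "pwd", "secret", "token", "key")

MASK = "******"  # same placeholder NetMRI uses for password-type variables

# Constructed sample logs (not real NetMRI output): $ftppass was declared as a
# plain string, so its value is logged, and the device echoes the full URL.
PROCESS_LOG = """\
+++ [Script-Variables] +++ $ftpuser = 'svc_netmri'
+++ [Script-Variables] +++ $ftppass = 'Corr3ct-Horse'
+++ [Script-Variables] +++ $image = 'firmware-PLACEHOLDER.bin'
"""

SESSION_LOG = """\
switch01#copy ftp://svc_netmri:Corr3ct-Horse@10.0.0.5/firmware-PLACEHOLDER.bin flash:
Destination filename [firmware-PLACEHOLDER.bin]?
Accessing ftp://svc_netmri:Corr3ct-Horse@10.0.0.5/firmware-PLACEHOLDER.bin...
"""


def collect_secrets(process_log: str) -> Dict[str, str]:
    """Return {variable_name: value} for secret-looking variables logged in the clear."""
    secrets: Dict[str, str] = {}
    for line in process_log.splitlines():
        m = VAR_LINE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not value or value == MASK:
            continue  # empty or already masked by NetMRI; nothing to protect
        if any(hint in name.lower() for hint in SECRET_NAME_HINTS):
            secrets[name] = value
    return secrets


def redact(text: str, secrets: Dict[str, str]) -> Tuple[str, int]:
    """Replace every occurrence of each secret value with MASK; return (text, hit count)."""
    hits_total = 0
    # Longest values first, so a short secret that is a substring of a longer
    # one cannot break the longer match by being replaced first.
    for value in sorted(set(secrets.values()), key=len, reverse=True):
        hits = text.count(value)
        if hits:
            text = text.replace(value, MASK)
            hits_total += hits
    return text, hits_total


def scrub_job_logs(process_log: str, session_log: str) -> Tuple[str, str, int]:
    """Scrub both logs of a job using the secrets discovered in the Process Log."""
    secrets = collect_secrets(process_log)
    clean_process, n1 = redact(process_log, secrets)
    clean_session, n2 = redact(session_log, secrets)
    return clean_process, clean_session, n1 + n2


if __name__ == "__main__":
    proc, sess, count = scrub_job_logs(PROCESS_LOG, SESSION_LOG)
    print(f"masked {count} occurrence(s)")
    print(proc)
    print(sess)
```

The username is deliberately left in the clear here; add `"user"` to `SECRET_NAME_HINTS` if your policy treats service account names as sensitive too. Because the scrubber keys off the values, it also catches the echoed `ftp://user:password@host/...` form that NetMRI's on-screen masking does not reach.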