How to Pass Encrypted Custom Properties to vRealize Automation Guest Agent


Please note that passing encrypted custom properties to the Guest Agent in vRA 7.0.1 and higher is included as an out-of-the-box feature. It still uses square brackets as in the article below, but it no longer requires you to modify any files as was the case with previous versions. You only need to add the following custom property to your blueprint to activate it: VirtualMachine.ScriptPath.Decrypt=true. In vRA 7.0.1, for Linux machines you might want to check out the following KB as well: https://ikb.vmware.com/kb/2146540

Have you ever needed to pass an encrypted custom property to your vRealize Automation (previously known as vCloud Automation Center) gugent? I have been asked for this frequently by customers, and below are two of the most common use cases.

1- The customer wanted the Gugent to run a script that maps a shared drive on the deployed VM using the Net Use command, where a different user credential is needed to log in to the mapped drive.

This is easy to do by letting the Gugent run a command similar to: “net use s: \\tower\movies /user HTG Pa$$word”. The challenge is that nobody wants to pass a password in clear text, or store it in clear text in a script. Yep, I have deployed vRA for banks and government customers and none of them can accept that.

2- The customer wants to be able to join the VM to one of many domains. They want to achieve this without having to create tons of Custom Specifications in each vCenter they have, as that would be a management nightmare in the long run.

This as well can be easily achieved with a script like the following:

==================================

REM JoinDomain.bat script start here
REM Usage: JoinDomain.bat <domainname> <user1> <pass1> <user2> <pass2> <user3> <pass3>
REM Inside a batch file %computername% (single percent signs) expands to the local machine name;
REM the arguments are quoted so an empty or missing %1 does not break the comparison.

If /I "%1"=="firstdomain" netdom join %computername% /domain:firstdomain.COM /userd:%2 /passwordd:%3
If /I "%1"=="2nddomain" netdom join %computername% /domain:2nddomain.COM /userd:%4 /passwordd:%5
If /I "%1"=="3rddomain" netdom join %computername% /domain:3rddomain.COM /userd:%6 /passwordd:%7

REM JoinDomain.bat script End here

==================================

You will then run the above script from vRA using a command like: JoinDomain.bat {domainname} {firstdomainUser} {firstdomainPassword} {2nddomainUser} {2nddomainPassword} {3rddomainUser} {3rddomainPassword}

Again, the above resolves the problem, but you will need to pass the password in clear text. Ooops, your security team does not allow that? Then you will have to find a way to encrypt that script and put it on the template, which many hate to do as it is a painful process.

Alright, some of you might say: I can use encrypted custom properties in vRA just as in the screenshot below, so what are you talking about?

[Screenshot: vRA encrypted Custom Property]

Alright, as you can see in the above screenshot, vRA allows you to create an encrypted custom property, so what am I squawking about here? The problem is if you try to pass a command as follows using the VirtualMachine.Software0.ScriptPath custom property:

net use s: \\tower\movies /user HTG {MyPassword}

What vRA will actually try to execute is: “net use s: \\tower\movies /user HTG -1uHzfr#2$4”, where -1uHzfr#2$4 is the encrypted value of my password, not my actual password. This means the command will fail, because the command expects the Gugent to decrypt the value at execution time. Unfortunately, the current version of the Gugent does not decrypt encrypted custom properties at execution time.

Now that I have explained the issue, and if you have read this far, you are probably already aware of it and have your own use case for it. The good news: I have worked with one of our brilliant BU Technical Staff, John Clarks, who gave me a hint on how to do this and guidance on how to code it, but left it to me to write the actual code and implement it. Before I share how you can do this, I have to put a clear disclaimer in here:

– This code might not be supported by GSS and did not go through any proper QA by our engineering team. It was implemented solely by me in my own free time to help a couple of my customers who were able to accept the above-mentioned risks and wanted it badly. I am currently working with engineering to see if they can take the code, improve it and maybe include it in a future release, but there is no guarantee that will ever happen.

Now that my disclaimer is out of the way, the nice news is that to get around this issue, all you have to do is replace one JavaScript file in your Gugent directory. You can always keep a copy of the old one in the same directory, renamed with a .backup extension; if you have an issue with it, or support asks you to prove it is not the cause of a problem you called them about, it is easy to revert by putting the original file back.

Below are the steps you need to follow to allow your Gugent to decrypt the custom properties in commands passed to it using the ScriptPath custom property.

1- Start by downloading the needed JavaScript file here.

2- Extract the downloaded file; it should contain one file, installsoftware.js.

3- Rename the old installsoftware.js to installsoftware.js.backup. This file is found in your Gugent folder in your template at: C:\VRMGuestAgent\site\InstallSoftware. Please make sure to do this and don’t overwrite the original file, as you might need it in case a support issue arises or if the new one does not work for you.

4- Place the new installsoftware.js in C:\VRMGuestAgent\site\InstallSoftware.

5- In the VirtualMachine.Software0.ScriptPath custom property, start using square brackets ‘[‘ instead of curly brackets ‘{‘ for encrypted values, as in the example below:

net use s: \\tower\movies /user {MyUserName} [MyPassword]
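As an added example (not the installsoftware.js from the download above, and written for Node.js rather than the WSH JScript the agent runs), here is the substitution step the modified Gugent performs: scan the ScriptPath command for [name] tokens and replace each with the resolved property value. The property table and the resolve callback are constructed stand-ins for the agent's encrypted-property lookup and decryption. It goes beyond the original hack by also handling a token wrapped in double quotes, a token glued to a switch such as /PasswordD:[password], and a secret that itself contains square brackets.

```javascript
// Added example, not the gugent's own installsoftware.js. Runs under Node.js.
// Constructed sample properties: in vRA these would be stored encrypted; the
// plaintext is shown here only so the example can run offline.
var SAMPLE_PROPERTIES = {
  MyUserName: "HTG",
  MyPassword: "Pa$$word",
  password: "open[sesame]"      // a secret that itself contains square brackets
};

// Hypothetical resolver standing in for the agent's decrypt-and-lookup step.
// Returns undefined for an unknown property name.
function resolveSample(name) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_PROPERTIES, name)
    ? SAMPLE_PROPERTIES[name]
    : undefined;
}

// Replace every [name] token in a ScriptPath command with resolve(name).
// The token is matched anywhere in the line, so "[MyPassword]" inside quotes
// and /PasswordD:[password] without a leading space both work (the original
// hack only recognised a token that started its own space-separated word).
// String.replace does not rescan substituted text, so a value containing
// brackets (open[sesame]) is never treated as a second token.
// Unknown names are left as-is so a typo shows up in the output instead of
// silently becoming an empty argument.
function substituteBracketTokens(command, resolve) {
  var TOKEN = /\[([A-Za-z0-9_.\-]+)\]/g;
  return command.replace(TOKEN, function (whole, name) {
    var value = resolve(name);
    return value === undefined ? whole : value;
  });
}

// Sample commands taken from the post and its comments (constructed input).
// {MyUserName} is left alone here: vRA expands curly-bracket properties
// itself before the command reaches the agent.
var demoCommands = [
  "net use s: \\\\tower\\movies /user {MyUserName} [MyPassword]",
  "powershell.exe -file \"myscript.ps1\" -password \"[MyPassword]\"",
  "netdom join %computername% /domain:mydomain.com /UserD:toto /PasswordD:[password] /reboot"
];
demoCommands.forEach(function (c) {
  console.log(substituteBracketTokens(c, resolveSample));
});
```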

Well this should have you set for now!

If you need any help with running scripts using the Gugent or installing the Gugent in your environment, please check out the two blog posts of mine below:

1- vRA 6.x using gugent to run scripts

2- How to install vRA Guest Agent

At last, please enjoy at your own risk! I will try to help by responding to questions about this, but again this comes with no implied support at all.


15 responses to “How to Pass Encrypted Custom Properties to vRealize Automation Guest Agent”

  1. hey,

    Good Post it helped me a lot to understand the complexity for the encrypted properties. I am wondering if there is anyway to execute gugent scripts as part of the Post Provisioning activities i.e. Day-2 activities?

    Thanks,
    Mohit Goyal

  2. Hi Mohit, as the Gugent removes itself after the initial deployment, it does not work for day-2 actions. Your option, though, would be to use vRO to send your commands to the VMware Tools VIX.

  3. Hi, thanks for the article, but when I try this it seems to just pass the name of my variable as output instead of the actual password I set?

    i.e.
    VirtualMachine.Software0.ScriptPath = powershell.exe -file “myscript.ps1” -password [myPassword]

    In the output of myscript.ps1, the value passed into the script is “[myPassword]” instead of the actual value that I set in the custom properties

    I am using vRA version 7. Any tips on how to fix this?

  4. Update: I have resolved the issue. As a best practice I normally encase my variables in double quotes (to handle for any spaces that might be getting passed in the variables, etc).

    After testing, it appears that the quote was causing the custom code to not evaluate my square braced variables (the code looks for the first character to be a [ ).

    Thanks again for the code!

  5. Hi, thanks for the article, but it does not work, why?

    Custom properties:
    password = xxxxx (encrypted)
    VirtualMachine.Software3.Name = Join Domain
    VirtualMachine.Software3.ScriptPath = netdom join %computername% /domain:mydomain.com /UserD:toto /PasswordD:[password] /reboot

  6. hey question… I need to do this exact thing; however, all your examples use a Windows-based agent. When I go and try to add it to my Linux agent file structure, it does not have a JavaScript file. I am using agent version 6.2.2, and in the site folder I only see the file 10_InstallSoftware.sh. Is that the file I replace, or do I just drop the JavaScript file into that folder without modifying anything?

  7. Hi, Question… I am trying to pass an encrypted password into a Linux guest and am running into the same issues you have described above. I looked into your solution but it appears to be only for Windows guest agents. When I look at the /usr/share/gugent/site/InstallSoftware directory on my Linux guest I only see “10_InstallSoftware.sh” and “getprop.py”. Do I just add the JavaScript file into the directory or rename one of the files?

  8. Hi Thierry,

    Unfortunately the parsing of the script assumes there is a space before the property. You might have to change the code a bit to parse without a space. As it was not an issue for my use case, I did not bother to come back and do that, as my challenge was what if someone’s password included [].

    Hope this helps,
    Eiad

  9. Hi Alan, please note I have only updated the script for Windows in the past, as that was what my customer needed at that time. If you are to use the same trick for Linux, you will need to update the 10_InstallSoftware.sh script. While the logic will be the same, the code will be different, as the Windows one uses JavaScript where the Linux one uses bash. Unfortunately, I did not have time to work on the Linux one. I will provide more info to you by e-mail. Hope this helps.

  10. Hello,

    I am trying to get a solution for passing an encrypted value; could you please share your thoughts on this.

  11. Hi Hari,

    I would suggest you upgrade to vRA 6.2.3 or vRA 7.0, as both include the new Gugent that supports it out of the box.

    Cheers,
    Eiad

  12. Hi Eiad, you mentioned to Alan in a comment above that you would provide info via email on enabling the passing of encrypted properties for the Linux guest agent. Could I kindly request the same? I’m interested in this functionality, and sadly it seems this isn’t built into the Linux agent even in vRA 7.

  13. Hi Chip,

    I believe that was addressed for Linux in vRA 7.1. Unfortunately I don’t have code for it for Linux, as I only fixed the Windows one as a hack previously.

    Thanks,
    Eiad
