Encrypted vRA custom properties with vRO – Part I
Recently I came across an interesting customer request:
to be able to automate application installation in vRO, with database connection details provided by the end user.
This being a production system, the requirement was to encrypt the details end to end.
While vRA does encrypt the connection to vRO and vice versa, values provided by the end user to an IaaS blueprint are saved as is, in plain text. So to pass an encrypted value to a blueprint, we need to encrypt the custom property. While the vRA guest agent does offer a solution (here), vRO does not.
You can certainly use an external tool to encrypt and decrypt passwords, passing the encrypted value as a plain-text password property and then decrypting it in vRO (more on that in Part II).
A simpler solution is to use the built-in encryption method in vRA.
Information found in VMware KB #2092330 (here) helped me automate the task of encrypting and decrypting vRA custom properties with vRO.
My solution uses a Windows PowerShell host running .NET Framework 4.5.2 and a small PowerShell script. The IaaS host would be a perfect match.
(Optional) We need to copy two DLLs from the first IaaS Web node (Repository role),
found in C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data:
- DynamicOps.Core.Common.dll
- DynamicOps.Repository.dll
Put them in the same folder, since #1 references #2.
In my implementation, I have put them in the c:\dlls folder.
The following scripts provide the magic code.
Encrypting (using the Scramble method):
#dll to load
$dllPath = "c:\\dlls\\DynamicOps.Repository.dll";
#plaintext to encrypt
$plainText = "ExampleTextHere";
#load the dll
[System.Reflection.Assembly]::LoadFrom($dllPath) | Out-Null;
#encrypt plain text
$encText = [DynamicOps.Repository.ScramblerHelpersClient]::Scramble($plainText);
return $encText;
Decrypting (using the Unscramble method):
#dll to load
$dllPath = "c:\\dlls\\DynamicOps.Repository.dll";
#encrypted value
$encText = "tB4PnHtI8h5qNFz006wBnQ==";
#load the dll
[System.Reflection.Assembly]::LoadFrom($dllPath) | Out-Null;
#decrypt text
$plainText = [DynamicOps.Repository.ScramblerHelpersClient]::Unscramble($encText);
return $plainText;
Now connecting the dots:
- In my example I am running the commands on my PowerShell host, so there was no need to provide the credentials again (CredSSP).
Workflow name: vRA Scramble (/Yaniv/vRA Scramble)
Inputs: PowerShell host, DLL folder path, plain text to encrypt
Output: Encrypted text
Workflow name: vRA Unscramble (/Yaniv/vRA Unscramble)
Inputs: PowerShell host, DLL folder path, Base64 encrypted text
Output: Plain text
Similar to vRA Scramble, we use the same workflow pattern.
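One way to write the script behind both workflows with their inputs as parameters instead of hardcoded values (an added example, not the code from the downloadable package). The function name, the parameter names and the sample round trip are assumptions; only the DLL names, the c:\dlls folder and the Scramble/Unscramble methods come from the scripts above.

```powershell
# Added example: parameterized form of the Scramble/Unscramble scripts above.
# Invoke-VraScrambler and its parameter names are hypothetical; the DLL names
# and the ScramblerHelpersClient methods are the ones used in the article.
function Invoke-VraScrambler {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Scramble', 'Unscramble')] [string] $Mode,
        [Parameter(Mandatory)] [string] $DllFolder,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $Value
    )

    # Both DLLs have to be present in the same folder, as the article notes.
    foreach ($name in 'DynamicOps.Core.Common.dll', 'DynamicOps.Repository.dll') {
        $path = Join-Path -Path $DllFolder -ChildPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Required DLL not found: $path"
        }
    }

    # Load the assembly only if the type is not already available in this session.
    if (-not ('DynamicOps.Repository.ScramblerHelpersClient' -as [type])) {
        $repo = Join-Path -Path $DllFolder -ChildPath 'DynamicOps.Repository.dll'
        [System.Reflection.Assembly]::LoadFrom($repo) | Out-Null
    }

    if ($Mode -eq 'Scramble') {
        return [DynamicOps.Repository.ScramblerHelpersClient]::Scramble($Value)
    }

    # Reject input that is not valid Base64 before handing it to Unscramble.
    try {
        [System.Convert]::FromBase64String($Value) | Out-Null
    }
    catch [System.FormatException] {
        throw 'Input to Unscramble is not valid Base64.'
    }
    return [DynamicOps.Repository.ScramblerHelpersClient]::Unscramble($Value)
}

# Round trip with a constructed sample value; prints only whether it matched,
# so the plain text does not end up in the workflow output or logs.
$enc = Invoke-VraScrambler -Mode Scramble -DllFolder 'C:\dlls' -Value 'ExampleTextHere'
$dec = Invoke-VraScrambler -Mode Unscramble -DllFolder 'C:\dlls' -Value $enc
$dec -ceq 'ExampleTextHere'
```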
You can download the package here: com.parsingwings.vra.encrypt.package
Yaniv.