Use Case
Provisioning AD user mailboxes in Microsoft Exchange Server using the OOTB REST connector, and securely storing the password used in the PowerShell script with a custom attribute.
If the system integrators (SI) choose to go with the OOTB WinConnector, that connector has an attribute called 'PSSCRIPT_PASSWORD' which securely encrypts the password the PowerShell script needs; the value can then be referenced within the PowerShell script as '${PSSCRIPT_PASSWORD}' in createAccountJSON, updateAccountJSON, or wherever the PowerShell script is passed in the JSON.
This article explains how to achieve the same with the REST connector, instead of passing the password the PowerShell script requires in plaintext.
Custom attributes can also be defined in the REST connector outside this use case, where no Windows Server is required.
Applicable Version(s)
All
Solution
The REST connector does not have an attribute called 'PSSCRIPT_PASSWORD' as the WinConnector does. Instead, it lets you define a custom attribute in the connection params section and assign the password to it. That attribute can then be referenced from the PowerShell script in createAccountJSON, updateAccountJSON, etc. instead of providing the password in plaintext. Since values in the connection params are always masked, the password used by the PowerShell script is masked as well. A sample follows.
Defining the custom attribute (PS_Password) in the connection JSON:
{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "<URL>",
      "httpMethod": "POST",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "<<USERNAME>>/token",
        "password": "<<PASSWORD>>"
      },
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken",
        "AuthenticationFailed"
      ],
      "timeOutError": "Read timed out",
      "PS_Password": "<password>",
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "Basic <<TOKEN>>",
      "apiRateLimitConfig": {
        "retryAfterCalls": 100,
        "retryWaitSeconds": 60
      }
    }
  }
}
In the above JSON, a custom attribute named 'PS_Password' has been defined to hold the credential. This custom attribute from the connection JSON can now be referenced in any of the provisioning JSONs through the connection object as ${connection.PS_Password}. The "connection" value of the call that uses it must be the name of the authentication block in the connection JSON that defines the attribute.
Example (createAccountJSON):
{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {},
  "call": [{
    "name": "call1",
    "connection": "acctAuth",
    "url": "https://hostname.com/SaviyntApp/PS/ExecutePSScript",
    "httpMethod": "POST",
    "httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String '${connection.PS_Password}';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'dev\\\\\\\\svc_sampletext_dev',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.xxxxx.xxxx.xx/powershell' -Credential \\$mycred -Authentication Basic -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'testDB'}\"}",
    "httpHeaders": {
      "Authorization": "${access_token}"
    },
    "httpContentType": "application/json",
    "SuccessResponses": {
      "": [
        "Success"
      ]
    },
    "unsuccessResponses": {
      "responseMessage": [
        "\"Failed\"",
        "\"Powershell script taking too long Sample input: Invoke-Command -ComputerName \\\"COMPNAME\\\" -ScriptBlock {command to execute} -Credential $Cred\""
      ]
    }
  }]
}
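As an added example that is not part of this article or of Saviynt's own tooling, the following Python builds a createAccountJSON in the shape shown above (letting json.dumps produce the nested httpParams escaping) and then lints it: it unwraps each call's script and confirms that every ConvertTo-SecureString is fed from a ${connection.*} reference rather than a literal password. The script text, hostnames, account name and the acctAuth connection name are constructed placeholders.

```python
import json
import re

# Constructed sample script in the shape of the article's createAccountJSON. The '\$'
# prefix mirrors the article's escaping so the connector's ${...} substitution leaves
# PowerShell variables alone (assumed, not verified). Hostnames are placeholders.
PS_SCRIPT = (
    r"\$sAMAccName = '${user.username}';"
    r"\$pass = ConvertTo-SecureString -AsPlainText -Force -String '${connection.PS_Password}';"
    r"\$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 'dev\svc_sampletext_dev',\$pass;"
    r"Invoke-Command -ConfigurationName Microsoft.Exchange -Credential \$mycred -Authentication Basic "
    r"-ConnectionUri 'https://exchange.example.invalid/powershell' "
    r"-ScriptBlock {Enable-Mailbox -Identity \$Using:sAMAccName -Database 'testDB'}"
)

# The -String argument of each ConvertTo-SecureString call (PowerShell is case-insensitive).
SECURE_STRING_ARG = re.compile(r"ConvertTo-SecureString[^;]*?-String\s+'([^']*)'", re.IGNORECASE)
CONNECTION_REF = re.compile(r"\$\{connection\.[A-Za-z0-9_]+\}")


def build_create_account_json(script: str, connection_name: str = "acctAuth") -> str:
    """Serialise a createAccountJSON. httpParams is a JSON document stored as a string,
    so {"Script": ...} is dumped first and embedded; json.dumps does the double escaping."""
    doc = {
        "accountIdPath": "accountName",
        "call": [{
            "name": "call1",
            "connection": connection_name,  # must match the block in the connection JSON
            "url": "https://hostname.com/SaviyntApp/PS/ExecutePSScript",
            "httpMethod": "POST",
            "httpParams": json.dumps({"Script": script}),
            "httpHeaders": {"Authorization": "${access_token}"},
            "httpContentType": "application/json",
            "successResponses": {"responseMessage": ["Success"]},
        }],
    }
    return json.dumps(doc, indent=2)

def extract_scripts(create_account_json: str) -> list:
    """Unwrap the nested httpParams and return each call's PowerShell script."""
    doc = json.loads(create_account_json)
    return [json.loads(call["httpParams"])["Script"] for call in doc["call"]]

def secrets_come_from_connection(create_account_json: str) -> bool:
    """True only if every SecureString in every script is fed from a ${connection.*}
    reference; a literal there means the password sits in plaintext in the JSON."""
    for script in extract_scripts(create_account_json):
        if any(not CONNECTION_REF.fullmatch(v) for v in SECURE_STRING_ARG.findall(script)):
            return False
    return True
```

Running the lint over an existing createAccountJSON exported from the connector catches scripts where a password was pasted in directly instead of via the masked connection attribute.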
References
https://docs.saviyntcloud.com/bundle/MSExchange-v2020x/page/Content/Understanding-the-Integration-to...
https://docs.saviyntcloud.com/bundle/WinPS-v2020x/page/Content/Understanding_the_Integration-between...