Tech Monger

Programming, Web Development and Computer Science.


Secure infacmd connection using encrypted password

Informatica provides the infacmd command-line utility for performing various tasks from the command line. Using infacmd, you can write scripts to automate your regular tasks. To use any infacmd command you need to provide user credentials for the domain and repository. However, providing credentials in plain text can be a security risk; to avoid this, you can use an encrypted password and environment variables to make a secure connection. In this article we will briefly touch upon the following points.



Location

In Unix-like operating systems, the infacmd binaries can be found inside the Informatica installation directory $INFA_HOME. Depending on the Informatica version, infacmd is located at one of the paths below.

$INFA_HOME/isp/bin/infacmd.sh
$INFA_HOME/server/bin/infacmd.sh

Execution

If the above directories are added to the user's operating system PATH variable, you can invoke infacmd from any location of your choice; otherwise you will have to invoke infacmd by its full path, as below.

$INFA_HOME/server/bin/infacmd.sh {command-name} {option} {value} ...

Insecure Execution

infacmd connects to the Informatica domain, repository service and integration service in order to execute a command and perform the desired operations. Hence it may verify the username and password for both the domain and the repository.

For example, to get an Informatica workflow log, infacmd runs the GetWorkflowLog command, which requires both repository and domain credentials and can be executed as shown below.

Note how the command below accepts the domain password (-Password) and the repository password (-RepositoryPassword) in plain text. Using this command exposes the credentials and compromises security.

infacmd GetWorkflowLog -Gateway example.com:8888 -DomainName MY_DOMAIN \
  -UserName DOMAIN_USERNAME -Password MyStr0ngP#d \
  -IntegrationService MY_INT_SERVICE -RepositoryService MY_REP_SERVICE \
  -RepositoryUser REP_USERNAME -RepositoryPassword MyStr0ngP#d \
  -Format TEXT -OutputFile workflow_name.log -FolderName FOLDER_NAME \
  -Workflow WORKFLOW_NAME

Secure Execution

To overcome the insecure connection issue above, you can provide an encrypted password as input to the infacmd command using environment variables.

  1. Encrypt the domain and repository passwords using pmpasswd.
    $ cd $INFA_HOME/server/bin/
    $ pmpasswd MyStr0ngP#d
    
    Encrypted string -->KBACAF604ekJHoTuzISGOjo==<--
    Will decrypt to -->MyStr0ngP#d<--
    

    You should run pmpasswd on the same server that runs the domain you are trying to connect to.

  2. Set the encrypted domain password as an environment variable named INFA_DEFAULT_DOMAIN_PASSWORD.
    INFA_DEFAULT_DOMAIN_PASSWORD="KBACAF604ekJHoTuzISGOjo==";
    export INFA_DEFAULT_DOMAIN_PASSWORD
    
  3. Set the encrypted repository password as an environment variable named INFA_REPOSITORY_PASSWORD.
    INFA_REPOSITORY_PASSWORD="KBACAF604ekJHoTuzISGOjo==";
    export INFA_REPOSITORY_PASSWORD
    

INFACMD Example - Secure Command

INFA_DEFAULT_DOMAIN_PASSWORD="KBACAF604ekJHoTuzISGOjo==";
export INFA_DEFAULT_DOMAIN_PASSWORD

INFA_REPOSITORY_PASSWORD="KBACAF604ekJHoTuzISGOjo==";
export INFA_REPOSITORY_PASSWORD

infacmd GetWorkflowLog -Gateway example.com:8888 -DomainName MY_DOMAIN \
  -UserName DOMAIN_USERNAME \
  -IntegrationService MY_INT_SERVICE -RepositoryService MY_REP_SERVICE \
  -RepositoryUser REP_USERNAME \
  -Format TEXT -OutputFile workflow_name.log -FolderName FOLDER_NAME \
  -Workflow WORKFLOW_NAME
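
Hard-coding the encrypted strings in every script still leaves a reusable credential in the script file, because infacmd accepts the encrypted value in place of the password. The wrapper below is an added example, not code from the original article: it reads the two variables from an owner-only file and rejects calls that still pass -Password or -RepositoryPassword. The file path, the INFA_CRED_FILE and INFACMD variables and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed credentials file:
# one NAME=value line per encrypted string produced by pmpasswd.

# Return 0 if any argument is one of the plain-text password flags.
has_plaintext_flag() {
    for arg in "$@"; do
        case "$arg" in
            -Password|-RepositoryPassword) return 0 ;;
        esac
    done
    return 1
}

# Export both variables from a file that only its owner can access.
load_infa_passwords() {
    file=$1
    [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $file: group/other access ($perms)" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        name=${line%%=*}
        value=${line#*=}    # split on the first "=" only; keeps trailing "=="
        case "$name" in
            INFA_DEFAULT_DOMAIN_PASSWORD|INFA_REPOSITORY_PASSWORD)
                export "$name=$value" ;;
        esac
    done < "$file"
    if [ -z "${INFA_DEFAULT_DOMAIN_PASSWORD:-}" ] || [ -z "${INFA_REPOSITORY_PASSWORD:-}" ]; then
        echo "credentials file must define both variables" >&2
        return 1
    fi
}

# Wrapper around infacmd. INFA_CRED_FILE and INFACMD are hypothetical overrides.
safe_infacmd() {
    if has_plaintext_flag "$@"; then
        echo "plain-text password flag rejected; use the credentials file" >&2
        return 2
    fi
    load_infa_passwords "${INFA_CRED_FILE:-$HOME/.infa_credentials}" || return 1
    "${INFACMD:-infacmd}" "$@"
}

# Usage: safe_infacmd GetWorkflowLog -Gateway example.com:8888 -DomainName MY_DOMAIN ...
```

Create the credentials file once with `chmod 600` and keep it out of version control; scripts then call safe_infacmd with the same arguments as the secure command above.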

Conclusion

We have set the encrypted passwords in environment variables before executing the command. This eliminates the password flags -Password and -RepositoryPassword from the command. Informatica automatically checks for the encrypted passwords and decrypts them internally to execute the command. This makes the script or command secure by hiding the password.
