
Obtaining credentials

After initialization, Blue Prism developers can obtain credentials by calling runwithpass from the "Start Process Read Stderr and Stdout" Action of the "Utility - Environment" business object, as shown below:

(screenshot: blueprism-pamutil-action-1)

This retrieves the password for the "dbapp1" account on the "VM031PROD" resource and places it in the data item "password".

Additional calling considerations:

  • Multiple names or locations for the config.ini configuration file can be specified. Each configuration specifies the location of its credential storage file creds.ini.

  • Avoid obtaining the credentials as a data item unless it is absolutely necessary. The runwithpass program can also execute commands directly, without the credentials ever being retrieved into a data item.

  • Obtain credentials only immediately before they are used (as late as possible). If they are not used again, then re-assign (or clear) the variable values after use as a precaution.

  • In cases where it is necessary to obtain sensitive information from pamutil then the Blue Prism Password data type should be used.

  • In production, you may want to ensure that logging is turned off for this stage. This will help contain the inadvertent release of sensitive information through diagnostic channels.

Use case

The following steps demonstrate how to obtain credentials using Blue Prism:

  1. Set up an OTP IDAPI caller.

    You can use either the Manage the system (PSA) module or a request workflow.

  2. Configure pamutil with the following command:

    runwithpass.exe -initial

  3. Make sure runwithpass can retrieve a managed account password correctly.

  4. To use pamutil in Blue Prism, grab the environment-utility from

    https://github.com/blue-prism/environment-utility

    or use a business object that can read standard-out / standard-error.

  5. Create an Action to use the business object to run runwithpass.

  6. Configure the business object to run runwithpass as shown in the example below:

    (screenshot: blueprism-pamutil-action-2)

    For the Business Object "Utility - Environment", use the Action "Start Process Read Stderr and Stdout" with the inputs:

    Arguments "-conf ""C:\pamutil\config.ini"" -res " & [target] & " -acct " & [username]

    Process name """C:\pamutil\runwithpass.exe"""

    We need to specify the path to runwithpass and the config.ini file, where:

    • target is the managed system ID

    • username is the managed account

    • target and username are in this format because they are Blue Prism Data Items and the & is used to concatenate the data item into the Arguments input.

    (screenshot: blueprism-inputs-arguments)

  7. For the Outputs, store Standard Output and Standard Error into Data Items:

    (screenshot: blueprism-outputs)

  8. Once the action is configured with the business object to run runwithpass, we can set the Data Items for the inputs and run the process to verify that the password can be retrieved without errors.

    (screenshot: blueprism-data-items)

    We can use the pamutil / runwithpass action from other business objects, or publish this business object so it can be reused as a whole.

    In the following example, we show how pamutil can be used to either log in to a Bravura Security Fabric instance or RDP into a workstation using the managed account and its password:

    (screenshot: blueprism-data-items-2)
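The same invocation outside Blue Prism, as an added example (not code from this page or from the pamutil project): it builds the runwithpass command line that the Arguments expression above produces, reads standard output and standard error separately, treats any error output or non-zero exit as failure, and hands the credential to the caller as late as possible before dropping it. It assumes runwithpass writes the password to standard output and diagnostics to standard error, and the executable and config.ini paths are the ones used in the example above; `stub_runner` is a constructed stand-in so the code runs without pamutil installed.

```python
import subprocess
from typing import Callable, List, Optional

# Paths taken from the Blue Prism example on this page (assumed defaults).
RUNWITHPASS_EXE = r"C:\pamutil\runwithpass.exe"
CONFIG_INI = r"C:\pamutil\config.ini"

Runner = Callable[[List[str]], subprocess.CompletedProcess]


def build_runwithpass_argv(target: str, username: str,
                           exe: str = RUNWITHPASS_EXE,
                           conf: str = CONFIG_INI) -> List[str]:
    """The Blue Prism 'Arguments' expression as an argv list.
    Passing a list (not one string) means a config path with spaces or a
    data item containing quotes needs no manual "" quoting."""
    return [exe, "-conf", conf, "-res", target, "-acct", username]


def fetch_password(target: str, username: str,
                   runner: Optional[Runner] = None) -> str:
    """Run runwithpass and return the password from standard output.
    Any standard-error text or non-zero exit is a failure, so an error
    message is never mistaken for a credential (assumption about pamutil)."""
    if runner is None:
        runner = lambda argv: subprocess.run(argv, capture_output=True, text=True)
    completed = runner(build_runwithpass_argv(target, username))
    if completed.returncode != 0 or completed.stderr.strip():
        raise RuntimeError(
            f"runwithpass exit {completed.returncode}: {completed.stderr.strip()}")
    return completed.stdout.rstrip("\r\n")


def with_password(target: str, username: str, use: Callable[[str], object],
                  runner: Optional[Runner] = None):
    """Obtain the credential immediately before use, pass it to 'use', and
    drop the reference afterwards (mirrors the 'as late as possible' advice)."""
    password = fetch_password(target, username, runner)
    try:
        return use(password)
    finally:
        del password  # do not keep the value alive in this frame


def stub_runner(stdout: str, stderr: str = "", returncode: int = 0) -> Runner:
    """Constructed stand-in for runwithpass.exe, for offline demonstration."""
    return lambda argv: subprocess.CompletedProcess(argv, returncode, stdout, stderr)


if __name__ == "__main__":
    ok = stub_runner("s3cret\r\n")
    print(with_password("VM031PROD", "dbapp1", lambda p: f"got {len(p)} chars", ok))
```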