Using credentials on task definitions

If you enter the username of a credentials definition in the related section of a task definition, the password field can be resolved at runtime with the password value retrieved from the database.

For example, when defining a task using the UI, you can enter the username of a credentials definition and then select User from the Password section as shown below:

Figure 1. Credentials definition
This picture displays the credentials option field selected.
There are four available options to define a password. You can find descriptions below and the related examples:
Password
You can define a password by typing it.
For example:
$job

/WS_AGT_0#/TASK_WITH_PASSWORD
  TASK
    {
      "executable" : {
        "interactive" : false,
        "path" : "netstat",
        "credential" : {
          "userName" : "User1",
          "password" : "{aes}/VemdckN397hwTTRFi22ero1lyVg/C5keemnrNafguf5nLE\\=",
          "arguments" : {
            "arguments" : [ {
              "value" : "-an"
            } ]
          }
        }
      }
    }
  RECOVERY STOP
User
Password is resolved at run time using the password value retrieved from the database defined for Username, using either the Credentials definition panel or the ocli model user command.

You can also code this option in the JSDL section of the task template definition in ocli model. You can find more information in the related sections.

To use this option when defining a task template, you need the authorization with use access keyword for item type userobj in the security file as follows:
userobj    access=use
Attention: Credentials definitions lack referential integrity, so if a credentials definition that is referenced in the related section of a task template definition is changed or deleted, no warning or error messages are return until the task template runs.
For example:
$job

/WS_AGT_0#/TASK_WITH_USER_PASSWORD
  TASK
    {
      "executable" : {
        "interactive" : false,
        "path" : "netstat",
        "credential" : {
          "userName" : "User1",
          "password" : "${password:User1}",
          "arguments" : {
            "arguments" : [ {
              "value" : "-an"
            } ]
          }
        }
      }
    }
  RECOVERY STOP
Agent user
Using the param command, password is resolved at run time using the password value defined locally for User Name on the HCL Workload Automation dynamic agent that runs the task template.
For example:
$job

/WS_AGT_0#/TASK_WITH_AGENT_USER_PASSWORD
  TASK
    {
      "executable" : {
        "interactive" : false,
        "path" : "netstat",
        "credential" : {
          "userName" : "User1",
          "password" : "${agent:password.User1}",
          "arguments" : {
            "arguments" : [ {
              "value" : "-an"
            } ]
          }
        }
      }
    }
  RECOVERY STOP
Variable
Password is resolved at run time using the value defined for the variable you enter in the field (using the ${variable_name} notation).
The variable must have been defined in one of the following ways:
  • Locally on the agent, using the param command, for example:
    $job

/WS_AGT_0#/TASK_WITH_AGENT_VARIABLE
  TASK
    {
      "executable" : {
        "interactive" : false,
        "path" : "netstat",
        "credential" : {
          "userName" : "User1",
          "password" : "${agent:variableSection.User1}",
          "arguments" : {
            "arguments" : [ {
              "value" : "-an"
            } ]
          }
        }
      }
    }
  RECOVERY STOP
  • In the HCL Universal Orchestrator database, using a variable table definition. For example:
    $job

/WS_AGT_0#/TASK_WITH_VARIABLE
  TASK
    {
      "executable" : {
        "interactive" : false,
        "path" : "echo '${J:$}'",
        "credential" : {
          "userName" : "User1",
          "password" : "${var.PASSWORD_USER1}"
        }
      }
    }
  RECOVERY STOP
You can use the Variable option to specify the password of the remote user of a different workstation by entering the following string in the related field:
${password:workstation_name#value_of_user_name_field}
Note: The remote user of a different workstation must be defined in the database.
When HCL Universal Orchestrator has to resolve username and password at runtime, it follows the sequence below:
  • If the workstation is not specified (for example, ${password:myuser}):
    1. Searches myuser on the workstation running the task applying a case sensitive policy.
    2. Searches myuser on the workstation running the task applying a case insensitive policy.
    3. Searches myuser without an associated workstation applying a case sensitive policy.
    4. Searches myuser without an associated workstation applying a case insensitive policy.
  • If the workstation is specified (for example, ${password:agent#myuser}):
    1. Searches myuser on workstation agent applying a case sensitive policy.
    2. Searches myuser on workstation agent applying a case insensitive policy.
    3. Searches myuser without an associated workstation applying a case sensitive policy.
    4. Searches myuser without an associated workstation applying a case insensitive policy.
  • If the workstation is specified but is empty (for example, ${password:#myuser}):
    1. Searches myuser without an associated workstation applying a case sensitive policy.
    2. Searches myuser without an associated workstation applying a case insensitive policy.