Decrypting Passwords in vCAC ConnectionCredentials

Suppose you provision a virtual machine to a vCenter and then want to change the socket/core ratio of that machine as described in vCloud Automation Center – vCAC – Workflow and Script to Change CPU’s to Cores. For this to actually work you not only need the vCenter address but also some valid credentials you can use to connect to that vCenter.

Luckily a simple solution exists for this task. You just have to look up the host that our virtual machine resides on and from there get the endpoint and its credentials (which are not really encrypted):

# $m is the management context (repository)
PS > $m.GetType().FullName;
# $vm is the virtual machine we want to access
PS > $vm.GetType().FullName;

# Load associated host object from this VM
PS > $null = $m.LoadProperty($vm, 'Host');

# Get host from VM
PS > $h = $vm.Host
# Load associated endpoint object from host
PS > $null = $m.LoadProperty($h, 'ManagementEndpoint');
# Get endpoint
PS > $ep = $m.ManagementEndpoints |? 
  ManagementEndpointName -eq $h.ManagementEndpoint.ManagementEndpointName;

# Load associated credentials object from endpoint and display scrambled password
PS > $null = $m.LoadProperty($ep, 'Credential');
PS > $ep.Credential.Password

# Unscramble password
PS > $password = [DynamicOps.Common.Utils.ScramblerHelpers]::Unscramble(
PS > $password
# Now you can connect via PowerCli to vCenter $ep.ManagementUri

This certainly works for any “encrypted” property in vCAC:

PS > $null = $m.LoadProperty($vm, 'VirtualMachineProperties');
PS > $p = $vm.VirtualMachineProperties |? PropertyName -eq 'encryptedPropertyString';
PS > $p.PropertyValue;
PS > [DynamicOps.Common.Utils.ScramblerHelpers]::Unscramble($p.PropertyValue);

… and if you really feel like decrypting something you can go ahead like this:

PS > $cfg = [System.Configuration.ConfigurationManager]::OpenExeConfiguration(
  '{0}\VMware\vCAC\Server\ManagerService.exe' -f ${ENV:ProgramFiles(x86)});
PS > $key = [DynamicOps.Common.Utils.EncryptionHelpers]::ReadKeyFromConfiguration($cfg);
PS > [DynamicOps.Common.Utils.EncryptionHelpers]::Decrypt($cryptedString, $Key);


  1. […] that will be passed to the ‘Set-DomainMembership.ps1′ in an unencrypted form (check this post to get more information about encrypted properties in vCAC). The ‘Domain’ parameter is hard-coded set to […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: