uberAgent

Username and Configuration Setting Encryption

uberAgent optionally encrypts user and domain names in the agent and has support to encrypt sensitive settings in its configuration.

User and Domain Names

Encryption

User and domain names can be encrypted in the agent before being sent off to the backend. This can be useful for compliance with privacy regulations.

User and domain name encryption is disabled by default. If required, enable it via the configuration setting EncryptUserNames.

With encryption enabled, user and domain names show up in the backend and in dashboards like this:

[Screenshot: uberAgent encrypted user name]

Decryption

uberAgent’s download package comes with the command-line tool uAEncrypt.exe, which can be used to decrypt usernames as shown in the following example:

uAEncrypt.exe -decrypt -keyId 101 -data

Configuration Settings

Configuration settings can optionally be obfuscated or retrieved from the OS-specific credential store. Obfuscation is the older and less secure option. The OS credential store was added in uberAgent 7.2 and is the recommended way to store passwords and other sensitive information that uberAgent requires.

Encryption

Some configuration settings may optionally be retrieved from the OS-specific credential store. To indicate to uberAgent that a setting should be read from the OS credential store, specify its value in the following format: ###UA_CREDENTIAL_SOMENAME###. When uberAgent encounters this format in its configuration, it reads the actual value from the setting SOMENAME in the OS credential store.

Example:

To secure a backend receiver’s REST token, specify it in uberAgent’s configuration as follows:

RESTToken = ###UA_CREDENTIAL_SplunkRESTToken###

Distribute the actual REST token value to the OS credential store (see below) of all endpoints where uberAgent’s configuration references it.

Supported Settings

Encryption is supported for the following configuration settings:

[AzureEventHubsConfiguration]
AzureClientSecret

[CitrixADC_Config]
Password

[CitrixCloud_Config]
ClientSecret

[Receiver]
RESTToken
TLSClientCertificate
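
An added example, not part of uberAgent or its documentation: a Python check that scans a configuration for the settings listed above and reports which still hold an inline value and which credential names must exist in the OS credential store. The comment syntax, the character set allowed in names, and the sample values (including the credential name AdcPassword) are assumptions.

```python
import re

# Settings the page lists as supported for credential-store lookup.
SUPPORTED = {
    "AzureEventHubsConfiguration": {"AzureClientSecret"},
    "CitrixADC_Config": {"Password"},
    "CitrixCloud_Config": {"ClientSecret"},
    "Receiver": {"RESTToken", "TLSClientCertificate"},
}
# Page format: ###UA_CREDENTIAL_SOMENAME###; the \w+ name charset is an assumption.
CRED_REF = re.compile(r"^###UA_CREDENTIAL_(\w+)###$")

def audit(config_text):
    """Return (inline, required): supported settings holding an inline value,
    and the credential names endpoints need in their OS credential store."""
    inline, required, stanza = [], set(), None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        # Assumption: lines starting with '#' are comments (placeholders follow '=').
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in SUPPORTED.get(stanza, ()):
            continue
        match = CRED_REF.match(value)
        if match:
            required.add(match.group(1))
        elif value:  # plaintext or obfuscated, but not read from the credential store
            inline.append((lineno, stanza, key))
    return inline, sorted(required)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[Receiver]
RESTToken = ###UA_CREDENTIAL_SplunkRESTToken###
[Receiver]
RESTToken = 00000000-constructed-token
[CitrixADC_Config]
Password = ###UA_CREDENTIAL_AdcPassword###
"""

if __name__ == "__main__":
    inline, required = audit(SAMPLE)
    for lineno, stanza, key in inline:
        print(f"line {lineno}: [{stanza}] {key} is set inline, not via the credential store")
    print("credential names to deploy:", ", ".join(required))
```

The check cannot tell an obfuscated value from a plaintext one, so it reports both as inline.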

Deployment to the OS Credential Store

uberAgent doesn’t handle the deployment of secrets to the endpoint’s OS credential store.

Windows Implementation

The credentials are read from the SYSTEM user’s credential store.

macOS Implementation

Under macOS, the credentials are read from the keychain. The keychain items must be stored in the system keychain, and uberAgent must be exempt from the option Confirm before allowing access under the tab Access Control.

Example:

To create a keychain item securing the REST token for Splunk, you can run the following command line:

sudo security add-generic-password -a "Splunk" -s "uberAgent" -w "TOKEN_TO_BE_USED" -T "/Library/uberAgent/uberAgent.app" -U /Library/Keychains/System.keychain

where Splunk is the keychain item’s account name, uberAgent is the service name, and TOKEN_TO_BE_USED is the REST token. The account name can be chosen freely. To change the default service name uberAgent, add the configuration option CredentialStoreServiceName in the stanza Miscellaneous and pass the same name with option -s, as seen in the example above.

Example:

[Miscellaneous]
ConfigFlags = CredentialStoreServiceName:MY_CUSTOM_SERVICE_NAME

Obfuscation

Sensitive settings like passwords can be obfuscated with the command-line tool uAEncrypt.exe, which is available in the uberAgent download package. The syntax is viewable by running uAEncrypt.exe -?.

To obfuscate a value such as MySecretPassword, pass it as the -data argument in place of PlaintextData:

uAEncrypt.exe -encrypt -keyId 1 -data PlaintextData

De-Obfuscation

De-obfuscation is possible with:

uAEncrypt.exe -decrypt -keyId 1 -data ObfuscatedData

Supported Settings

Obfuscation is supported for all configuration settings.
