Use the Execute PowerShell Script action to integrate PowerShell scripts in your business workflow. For example, this can be used to update attributes or to check passwords within a compromised passwords database. This action is available in the Subroutine category.
Please note that this feature requires PowerShell 5.1.
Setting up your encryption key
Before using the Execute PowerShell Script workflow action, you must configure an encryption key, which is used to secure script execution. You can create an encryption key or add a previously generated key during the installation process or afterward.
The encryption key can be generated both during the installation process of the Transaction Engine and from the Management Portal, at Setup > Datastore.
- When installing the Transaction Engine component of Identity Director, you can generate a new encryption key or add a previously generated one. That key is used to encrypt some of your PowerShell data, in particular the credentials used for script execution.
- Only use encryption keys that were generated with the Transaction Engine installer or the Management Portal. Using a key that was not generated by Identity Director components is not supported.
- Make sure you save your encryption key and store it in a safe place.
Transaction Engine:
- In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\RES\ITStore\Transaction Engine\DBEncryptionKey. If DBEncryptionKey does not exist, create it manually as a REG_SZ value.
- Add the previously generated key. Example: cQLZvNLyaw2LAvSKMACKyJnVvO+cv7NCaWE2omNr3p8=
- Restart the Transaction Engine. The key is then encrypted and ready to use.
Management Portal:
Before applying the encryption key for the Management Portal, make sure that the Load User Profile option is set to True.
How to check the Load User Profile status for the Management Portal:
- Open the IIS Management Console.
- Navigate to Application Pools > IT Store Management.
- Open the Advanced Settings for IT Store Management.
- In the Process Model section, make sure that Load User Profile is set to True.
- If Load User Profile is set to False, set it to True and click Recycle.
- If you have to change this configuration, exit the Management Portal first.
Option 1: Set the encryption key from the Management Portal
- Open the Management Portal, go to Setup > Datastore and add the existing encryption key, or generate a new one.
- Press the Test Connection button. If the test passes, press Save.
Option 2: Set the encryption key in WebConsole.config
- Browse to C:\Program Files (x86)\RES Software\IT Store\Web Console\Config.
- Within this folder, locate the WebConsole.config file, open it and go to webConsoleConfiguration > managementService > database > encryptionKey.
- Add the generated key. Example: cQLZvNLyaw2LAvSKMACKyJnVvO+cv7NCaWE2omNr3p8=
- Restart the Application Pool or perform an IIS reset. The key is then encrypted and ready to use.
- The encryption key is not visible in the Management Portal, at Setup > Datastore for security reasons.
- Applying a new encryption key when a key has already been configured in the Transaction Engine will cause existing scripts to fail.
- To see if an encryption key has been configured, look in your WebConsole.config file, in the section webConsoleConfiguration > managementService > database > encryptionKey.
- Remember to use the same encryption key for all Identity Director components.
- Seeing different values among the stored keys of the Transaction Engine and the Management Portal from the above locations does not necessarily mean that the encryption keys are different, only that they are encrypted differently.
If the encryption key is configured during upgrades, it does not automatically update on all the machines/components.
In some situations, you will have to re-enter the Password information for your workflow actions, in order to re-encrypt your data:
- Changing the encryption key;
- Changing the user under which the Management Portal Application Pool runs;
- Changing the user under which the Transaction Engine service runs.
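The following readiness check verifies the three prerequisites described above (the Transaction Engine registry value, the Management Portal encryptionKey in WebConsole.config, and Load User Profile on the IIS application pool) before you configure the action. It is an added example, not code shipped with Identity Director; it assumes the default paths and names given on this page, and it assumes that encryptionKey may be either an attribute or a child element because the page does not say which.

```powershell
<# Readiness check for the Execute PowerShell Script action. Added example, not part of
   Identity Director. It assumes the default paths and names given on this page; adjust
   them if your installation differs. Run in an elevated PowerShell 5.1 session. #>

$teRegPath   = 'HKLM:\SOFTWARE\RES\ITStore\Transaction Engine'
$configPath  = 'C:\Program Files (x86)\RES Software\IT Store\Web Console\Config\WebConsole.config'
$appPoolName = 'IT Store Management'
$issues      = @()

<# 1. Transaction Engine: DBEncryptionKey must exist as a non-empty REG_SZ value. #>
$te = Get-ItemProperty -Path $teRegPath -Name 'DBEncryptionKey' -ErrorAction SilentlyContinue
if (-not $te -or [string]::IsNullOrWhiteSpace($te.DBEncryptionKey)) {
    $issues += "Transaction Engine: DBEncryptionKey is missing or empty under $teRegPath"
} elseif ((Get-Item -Path $teRegPath).GetValueKind('DBEncryptionKey') -ne 'String') {
    $issues += 'Transaction Engine: DBEncryptionKey exists but is not of type REG_SZ'
}

<# 2. Management Portal: encryptionKey must be set in WebConsole.config. The page does
   not say whether encryptionKey is an attribute or a child element, so both forms are
   accepted here (assumption). #>
if (Test-Path -Path $configPath) {
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $db    = $cfg.webConsoleConfiguration.managementService.database
    $mpKey = if ($db.encryptionKey -is [string]) { $db.encryptionKey } else { $db.encryptionKey.InnerText }
    if ([string]::IsNullOrWhiteSpace($mpKey)) {
        $issues += 'Management Portal: encryptionKey is empty or missing in WebConsole.config'
    }
} else {
    $issues += "Management Portal: $configPath not found"
}

<# 3. IIS: Load User Profile must be True on the Management Portal application pool. #>
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-ItemProperty -Path "IIS:\AppPools\$appPoolName" -ErrorAction SilentlyContinue
if (-not $pool) {
    $issues += "IIS: application pool '$appPoolName' not found"
} elseif (-not $pool.processModel.loadUserProfile) {
    $issues += "IIS: Load User Profile is False on '$appPoolName'; set it to True and recycle"
}

<# The stored key values are encrypted differently per component, so they cannot be
   compared for equality; only their presence is verified. #>
if ($issues.Count -eq 0) {
    Write-Output 'OK: encryption key and Load User Profile are configured on the checked components'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Because a key that is already configured will be silently overwritten (and existing scripts will then fail), run this check before pasting a new key into either location.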
Workflow Action Fields and Configuration
Field | Explanation and Tips
---|---
Action Name | Optionally specify a friendly name for the action. If no name is specified, the workflow action type is displayed instead.
User Name | Specify the user name of the account that will execute the script (run as). For local accounts, the machine name is not required; for domain accounts, you must specify the domain name (e.g. domain\user). This is a required field.
Password | Specify the password of the account stated at User Name, above. This is a required field.
Script | Specify the actual script that will be executed. Execution is handled by the Transaction Engine.
Notes | Specify a description of this action.
Input Parameters | Used for mapping attributes from Identity Director to PowerShell variables.
Output Parameters | Used for mapping variables from PowerShell to Identity Director attributes.
Logging and Error Handling | This action can handle both compile-time and runtime errors.
PowerShell Script Comments | Only multiline comments are supported, so single-line comments must use the same pattern, for example: <# this is a comment #>.