About Secure Credentials Access

You can develop system extensions that have access to user credentials: user ID (username) and password. Only extensions that are components, plug-ins, or data handlers can use the secure credentials feature. These extensions must be executed in the SIMULIA Execution Engine environment—secure credentials access is not supported when Isight is run without the SIMULIA Execution Engine.

It is common for system extensions to access external resources that require user credentials for authentication. For example, a component may access a remote database, FTP server, or other enterprise information system when executed as part of a job. The SIMULIA Execution Engine infrastructure itself does some level of credential management to run processes on stations with the security context of the user that submits the job. However, this infrastructure does not make such credentials available to user-supplied component code (extensions) as it could constitute a security breach; for example, allowing untrusted user code access to the job submitter’s cleartext password. This would violate many common IT environment security requirements.

To support system extension access to user credentials, the SIMULIA Execution Engine supports the concept of ‘privileged’ extensions. Specific system extension types (component, data handler, plug-in) can be designated as ‘privileged’ by the SIMULIA Execution Engine system administrator. There may be different types or levels of privilege. To have different privilege levels, an extension must have the ‘credential’ type privilege. A credential-privileged extension will be given access to the user credentials in so much as they are available to the SIMULIA Execution Engine infrastructure itself. (There are scenarios in which the SIMULIA Execution Engine does not itself have access to user credentials, in which case it cannot make them available to any extensions.) System extensions that have not been designated as privileged by the administrator will continue to have no access to user credentials. The majority of extensions will not be privileged because they have no need for user credentials.

Only components, data handlers, and plug-ins can be designated as having credential privileges. Other extensions (datatype, unit, limit, visual) cannot have this designation. The credentials made available to the extension will be the same as those used during SIMULIA Execution Engine job submission, including any extended grid credentials.

By limiting access only to extensions identified by the system administrator, extensions written and published by arbitrary system users cannot be used to compromise passwords. Administrators take on the responsibility of only marking as privileged components whose code has been reviewed and determined (to the satisfaction of the administrator) to handle the credentials safely. For example, a component that uses credentials to open a JDBC connection might be considered safe, whereas a component that writes the user’s password to a file might not.

To use the logon credentials for an external application or resource, the credentials for logging onto the application or resource must match the SIMULIA Execution Engine credentials exactly. For example, if a domain is required for logging onto an ftp server but is not used for logging on to the SIMULIA Execution Engine, this feature cannot be used and you must supply the logon credentials separately. In other words, if the ftp server credentials include the domain prepended to the username (e.g., domain\username) but the SIMULIA Execution Engine logon is only the username, a mismatch occurs when the SIMULIA Execution Engine attempts to pass credentials to the ftp server.