19.1 Credential Checkout

The credential checkout feature retrieves credentials from the Enterprise Credential Vault and manages shared account credentials. It provides the following capabilities:

  • Provides an available shared account credential, and denies access if all the credentials are in use.

  • Provides users access to an application or database for a fixed time period.

  • Resets the password of the account in the target application after every session, to maintain password security.

A Privileged Account Manager administrator can create a privileged account for an application or database and save the application or database administrator credential. These credentials are used only when resetting or checking in the password. When a user requests credentials to connect to an Oracle database or any other application, Privileged Account Manager checks for the login credentials that are available for that application and then provides the credentials to the user. An administrator can monitor the commands that a user runs on any application and audit the report based on the defined risk score.

The following sections describe how to configure, access, and manage shared account credentials by using the credential checkout feature.

19.1.1 Configuring Credential Checkout for Applications

The privileged accounts that are set up on the following applications or databases can be managed through PAM. To manage those accounts, you must customize the sample script and add it to the PAM rule. For more information about customizing the script, see Password Reset Scripts.

The following applications have been tested for resetting the passwords of accounts that exist on them:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following applications:

  • SAP

  • VMware ESXi

  • eDirectory

    NetIQ eDirectory is a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. You can enable the password check-out feature to access the eDirectory server.

    To enable the credential checkout feature for eDirectory, add the rules by using the eDirectory policy template. For more information about using the policy template, see Adding a Policy Template.

  • Active Directory

    Active Directory is a directory service that authenticates and authorizes all users and computers in a Windows domain network. It assigns and enforces security policies for all computers and installs or updates software. You can enable the password check-out feature to access the Active Directory server.

    To enable the credential checkout feature for Active Directory, add the rules by using the Active Directory policy template. For more information about using the policy template, see Adding a Policy Template.

  • Systems, Applications, and Products

    Systems, Applications, and Products (SAP) is an Enterprise Resource Planning (ERP) system. You can enable the password check-out feature to access the SAP application.

    To connect PAM with the Systems, Applications, and Products (SAP) application, ensure that you download the following files on the PAM manager server:

    • SAP Java Connector (JCo)

      You can download the JCo from the SAP Connectors site.

    • The following files must be downloaded from the SAP Service Marketplace Web site:

      • sapjco3.jar: SAP java client library.

      • libsapjco3.so: SAP Linux 64-bit client library.

      • sapjco3.dll: SAP Windows 64-bit client library.

      • SAPUserPwdCheckIn.jar: Java SAP client to reset an SAP user's password.

    NOTE: The download is free to any SAP software customer or development partner, but you are required to log in to the mentioned website.

    To enable the credential checkout feature for SAP, add the rules by using the SAP policy template. For more information about using the policy template, see Adding a Policy Template.

  • VMware ESXi

    VMware ESXi is a type-1 hypervisor used for hardware virtualization. You can enable the password check-out feature to access the ESXi server.

    PAM bundles the VMware Infrastructure Java API to communicate with the VMware ESXi server. The default location of the VMware Infrastructure Java API is /opt/netiq/npum/service/local/cmdctrl/lib/ (for Linux) and c:\Program Files\npum\opt\netiq\npum\service\local\cmdctrl\lib (for Windows). To connect PAM with the ESXi server, ensure that you download the following files:

    • sapjco3.jar

    • (For Linux) libsapjco3.so

    • (For Windows) sapjco3.dll

    To enable credential checkout on ESXi, you can add the rules by using the ESX policy template. For more information about using the policy template, see Adding a Policy Template.

Enabling Credential Checkout for Applications

The credential checkout feature can be customized for applications such as Salesforce. You can use the policy templates for the supported applications, such as LDAP Password Checkin-Checkout and Active Directory Password Checkin-Checkout, and then customize them as required. For more information about adding a policy template, see Adding a Policy Template. To enable credential checkout for any other application, you need to add the account credentials of the application server to the Enterprise Credential Vault. Perform the following steps to enable the credential checkout feature for applications:

  1. Create a privileged account for the application server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for credential checkout, a sample account domain gets created with the name DOM-APP_<application name>. You need to modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain. The name of the domain must be followed by an underscore (_) and the application name.

      For example, if an SAP server is on the 172.16.0.1 domain, you need to specify the Account Name as 172.16.0.1_SAP. If you do not provide the correct domain name, user authentication fails.

      Type: Select Application.

      Sub-Type: This field is auto-populated with the application name that you specified in the Account Name field. For example, if you specified the Account Name as abc_pqr_Salesforce, the Sub-Type field is auto-populated as Salesforce.

      Host: Specify the IP address of the host server. Also provide the port number.

      Password Reset: Select the option to be used for password check-in. You can specify one of the following:

      • Script: Specify a Perl script to reset the account password for the application. For the password reset scripts, see Password Reset Scripts. The Perl script must return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. When you select this option, the Identity Manager (IDM) driver for PAM generates a random password and synchronizes the password to IDM. The PAM driver checks in the new password to PAM. IDM synchronizes the password on the applications through the respective application driver. For more information, see the Driver Implementation Guide on the PAM documentation page.

        NOTE: Before delegating password check-in to Identity Manager, ensure that the PAM driver and the application driver are operational.

      • Never: Use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default, Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying a password policy, see Specifying Password Policies.

      Create Command for subtype: Select this check box to create the command for the application. For example, if the application is ABC_PQR, the command APP PQR is created for the application; you use this command in the application rule.

      If you have imported a policy template for application credential checkout, the command is created automatically.

      To add additional fields, use Add Custom Fields.

    5. Click Add to save the account domain details.

    6. Add the application server account credentials. For more information, see Adding Shared Account Credentials in the Account Domain.

      These credentials are provided to the user when they check out the password for the application. The available credentials are provided to users; if all credentials are in use, a user who checks out the password later receives a message that all credentials are in use. The user can try to connect again after some time.

  2. Create a rule. For information about creating a rule, see Adding a Rule.

    If you have added the policy template, this rule gets created automatically.

19.1.2 Configuring Credential Checkout for Cloud Services

The privileged accounts that are set up on the following cloud services can be managed through PAM. To manage those accounts, you must customize the sample script and add it to the PAM rule. For more information about customizing the script, see Password Reset Scripts.

The following cloud services have been tested for resetting the passwords of accounts that exist on them:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following:

  • OpenStack

  • Amazon Web Services

  • OpenStack

    OpenStack is a set of software tools designed for building and managing cloud computing platforms. You can enable the password check-out feature to access the OpenStack server.

    To enable the credential checkout feature for OpenStack, you can add the rules by using the OpenStack policy template or create an account domain and rule manually. For more information about enabling credential checkout for OpenStack, see Enabling Credential Checkout for OpenStack.

  • Amazon Web Services

    Amazon Web Services (AWS) is a bundled remote computing service that provides cloud computing infrastructure over the Internet with storage, bandwidth, and customized support for Application Programming Interfaces (API). You can enable the password check-out feature to access services in AWS cloud.

    To enable the credential checkout feature for AWS, you can add the rules by using the AWS policy template or create an account domain and rule manually. For more information about enabling credential checkout for AWS, see Enabling Credential Checkout for Amazon Web Services.

Enabling Credential Checkout for OpenStack

To enable the credential checkout feature for the OpenStack server, perform the following:

  1. In the OpenStack server, create a user and assign the user to a project (tenant) with a role. For information about user creation and project and role assignment, see OpenStack Documentation.

  2. In the Privileged Account Manager Admin Console,

    Add the OpenStack policy template to automatically create an account domain and rule for OpenStack. This OpenStack account domain and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template.

    Or

    Create an account domain and rule manually for OpenStack. For information about creating an account domain for OpenStack, see Creating an Account Domain for OpenStack. For information about creating a rule, see Adding a Rule.

    NOTE: For password check-out of accounts belonging to different OpenStack projects (tenants), you must create a separate account domain for each tenant.

  3. After creating the appropriate account domain and rule for the OpenStack server, you can check out the password for the OpenStack server from the User console.

Creating an Account Domain for OpenStack

  1. Create a privileged account for the OpenStack server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for credential checkout, a sample account domain gets created with the name http://myOpenstack/dashboard/auth/login/_openstack. You must modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain. The name of the domain should be the OpenStack server IP followed by an underscore (_) and the application name.

      For example, if the OpenStack server IP is 172.16.0.1, you need to specify the Account Name as http://172.16.0.1/dashboard/auth/login/_openstack.

      Type: Select Application.

      Sub-Type: This field is auto-populated with the application name that you specified in Account Name. For example, if you specified the Account Name as http://172.16.0.1/dashboard/auth/login/_openstack, the Sub-Type is auto-populated as openstack.

      Host: Specify the IP address of the OpenStack server. Also provide the appropriate port number.

      Password Reset: Select the option to be used for password check-in. You can specify one of the following:

      • Script: Specify a Perl script to reset the account password for the application. For the OpenStack password reset script, see Openstack Password Reset Script. The Perl script must return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. When you select this option, the Identity Manager driver for Privileged Account Manager generates a random password and synchronizes the password to Identity Manager. The Privileged Account Manager driver checks in the new password to Privileged Account Manager. Identity Manager synchronizes the password on the applications through the respective application driver. For more information, see the Driver Implementation Guide on the PAM documentation page.

        NOTE: Before delegating password check-in to Identity Manager, ensure that the Privileged Account Manager driver and the application driver are functional.

      • Never: Use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default, Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying a password policy, see Specifying Password Policies.

      Create Command for subtype: Select this option to create a command for the application. For example, if the application is ABC_PQR, the command APP PQR is created for the application; you can use this command in the application rule.

      If you have imported a policy template for application credential checkout, the command is created automatically.

      Custom Fields: To add additional fields, use Add Custom Fields.

      For OpenStack, you must create two custom fields keystone_version and tenant. Specify the OpenStack keystone version in keystone_version field and specify the tenant or the project in OpenStack to which the user belongs in the tenant field.

      If you have imported a policy template for application credential checkout, the keystone_version and tenant custom fields are created automatically with the default value. You can modify the value of these fields as required.

      NOTE: You must add only one tenant in the account domain. If you have multiple tenants, you must create a separate account domain for each tenant.

    5. Click Add to save the account domain details.

  2. Add the appropriate OpenStack user and its account credentials. For more information, see Adding Shared Account Credentials in the Account Domain.

    These credentials are provided to the user when they check out the password for the application. The available credentials are provided to users; if all credentials are in use, a user who checks out the password later receives a message that all credentials are in use. The user can try to connect again after some time.

Enabling Credential Checkout for Amazon Web Services

To enable the credential checkout feature for Amazon Web Services (AWS), perform the following:

  1. In the Amazon Web Services cloud, create a user and assign permissions or policies to the user. For information about AWS user creation, see AWS Documentation.

  2. In the Privileged Account Manager Administration Console,

    Add the AWS policy template to automatically create an account domain and rule for AWS. This account domain and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template.

    Or

    Create an account domain and rule manually for AWS. For information about creating an account domain for AWS, see Creating an Account Domain for AWS. For information about creating a rule, see Adding a Rule.

  3. After creating the appropriate account domain and rule for AWS, PAM users can check out the password for the AWS services from the User console.

Creating an Account Domain for AWS

  1. Create a privileged account for the AWS service:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. In the left pane, click Credential Vault.

    3. In the middle pane, click Add Account Domain.

      If you have imported a policy template for credential checkout, a sample account domain gets created with the name https://ACCOUNT-ID.signin.aws.amazon.com/console_aws. You need to modify the sample account domain by clicking Modify in the details pane.

    4. In the right pane, specify the following information:

      Name: Specify the name of the application domain.

      The name of the domain should be the AWS user sign-in link followed by an underscore (_) and the application name.

      For example, if your AWS user sign-in URL is https://<ACCOUNT-ID>.signin.aws.amazon.com/console, you must specify the Account Name as https://<ACCOUNT-ID>.signin.aws.amazon.com/console_aws.

      Type: Select Application.

      Sub-Type: This field is auto-populated with the application name that you specified in Account Name. For example, if you specified the Account Name as https://<ACCOUNT-ID>.signin.aws.amazon.com/console_aws, the Sub-Type is auto-populated as aws.

      Host: Specify the AWS user sign-in URL. Also provide the appropriate port number.

      Password Reset: Select the option to be used for password check-in. You can specify one of the following:

      • Script: Specify a Perl script to reset the account password for the application. For the AWS password reset script, see AWS Password Reset Script. The Perl script must return 0 when the reset is unsuccessful or 1 when the reset is successful. You can add more attributes to the script. To add a custom attribute to the script, use the custom fields that you define in Add Custom Fields.

      • Delegate to Identity Manager: You can delegate the password check-in process to Identity Manager. When you select this option, the Identity Manager driver for Privileged Account Manager generates a random password and synchronizes the password to Identity Manager. The Privileged Account Manager driver checks in the new password to Privileged Account Manager. Identity Manager synchronizes the password on the applications through the respective application driver. For more information, see the Driver Implementation Guide on the PAM documentation page.

        NOTE: Before delegating password check-in to Identity Manager, ensure that the Privileged Account Manager driver and the application driver are functional.

      • Never: Use this option if you do not want to reset the password.

      Password Policy: Select the appropriate password policy. By default, Default Password Policy is selected. You can either modify the default password policy or create a new password policy. For more information about specifying a password policy, see Specifying Password Policies.

      Create Command for subtype: Select this option to create the command for the application. For example, if the application is ABC_PQR, the command APP PQR is created for the application; you use this command in the application rule.

      If you have imported a policy template for application credential checkout, the command is created automatically.

      Custom Fields: To add additional fields, use Add Custom Fields.

    5. Click Add to save the account domain details.

  2. Add the account domain credentials.

    To add the AWS account credentials, you must download the access key pair from the AWS cloud. Then add the AWS Access Key ID as the Privileged Account Manager account domain Username and the AWS Secret Access Key as the Privileged Account Manager account domain Password. For more information about the AWS access key pair, see the AWS IAM User Guide.

    For more information about adding the account credentials, see Adding Shared Account Credentials in the Account Domain.

    These credentials are provided to the user when they check out the password for the application. The available credentials are provided to users; if all credentials are in use, a user who checks out the password later receives a message that all credentials are in use. The user can try to connect again after some time.

19.1.3 Adding Shared Account Credentials in the Account Domain

To add multiple shared account credentials to an existing account domain, perform the following:

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click the Privileged Accounts icon and click Privileged Accounts.

  3. Select an Account Domain.

    If the account domain is not created, create it by using the Add Account Domain option.

  4. In the details pane, click Add.

  5. Specify the following details:

    Username: Specify the complete name for the domain user.

    Password: Specify the password for the domain user account.

  6. Click Add to save the account domain and credential details.

19.1.4 Configuring Credential Checkout Settings

  1. On the home page of the Privileged Account Manager console, click Access Dashboard.

  2. Click the Configuration tab.

  3. In the Delete Request After field, select the number of days after which requests are deleted from the list under All. For example, if you select 15 Days, all requests that are 15 days old are deleted from the list of requests.

  4. In the Allow Grace Period of field, select the extra duration for which a user can access the password after the requested time period expires.

  5. In the Server Email Id field, enter the email ID that is defined for the Privileged Account Manager server. This is the email ID from which emails are sent to users.

  6. In the Admin Email Id field, enter the email ID of the Privileged Account Manager administrator.
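
The behaviour described in the capabilities list in Section 19.1 (hand out an available shared credential, deny the request when all are in use, grant access for a fixed period, reset the password on check-in) together with the Allow Grace Period and Delete Request After settings above can be modelled in a few dozen lines. The following is an added example written for this page in Python; it is not Privileged Account Manager code. The class and method names, the in-memory store, the constructed account names and the rule that a credential stays unavailable when the reset fails are assumptions; the only convention taken from the page is the reset callback's contract of returning 1 on success and 0 on failure, as the Perl reset scripts do.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Contract taken from the page's password reset scripts: 1 = reset succeeded, 0 = failed.
ResetFn = Callable[[str, str], int]


@dataclass
class Lease:
    username: str        # shared account that was handed out
    user: str            # PAM user holding it
    expires: datetime    # end of the requested access period
    hard_stop: datetime  # expires plus the configured grace period


@dataclass
class CheckoutPool:
    """Assumed in-memory model of one account domain's shared credentials."""
    reset_password: ResetFn
    grace_period: timedelta = timedelta(0)
    delete_request_after: timedelta = timedelta(days=15)
    credentials: Dict[str, str] = field(default_factory=dict)  # username -> password
    leases: Dict[str, Lease] = field(default_factory=dict)     # username -> active lease
    requests: List[dict] = field(default_factory=list)         # the request list shown under All

    def add_credential(self, username: str, password: str) -> None:
        self.credentials[username] = password

    def checkout(self, user: str, now: datetime, duration: timedelta) -> Optional[dict]:
        """Hand out a free credential for a fixed period; None means all are in use."""
        free = [u for u in self.credentials if u not in self.leases]
        if not free:
            self.requests.append({"user": user, "at": now, "status": "denied"})
            return None
        username = free[0]
        expires = now + duration
        self.leases[username] = Lease(username, user, expires, expires + self.grace_period)
        self.requests.append({"user": user, "at": now, "status": "granted", "account": username})
        return {"username": username, "password": self.credentials[username], "expires": expires}

    def can_use(self, username: str, now: datetime) -> bool:
        """A checked-out credential stays usable until the grace period has also elapsed."""
        lease = self.leases.get(username)
        return lease is not None and now < lease.hard_stop

    def checkin(self, username: str) -> bool:
        """Rotate the password on the target, then make the credential available again.
        If the reset reports failure the credential stays leased (assumption), so a
        password one user has already seen is never handed to the next user."""
        if username not in self.leases:
            return False
        new_password = secrets.token_urlsafe(18)  # stand-in for the password policy
        if self.reset_password(username, new_password) != 1:
            return False
        self.credentials[username] = new_password
        del self.leases[username]
        return True

    def expire_leases(self, now: datetime) -> List[str]:
        """Check in every lease whose grace period has run out; returns the freed accounts."""
        due = [u for u, lease in self.leases.items() if now >= lease.hard_stop]
        return [u for u in due if self.checkin(u)]

    def purge_requests(self, now: datetime) -> int:
        """Apply Delete Request After: drop requests older than the configured age."""
        before = len(self.requests)
        self.requests = [r for r in self.requests if now - r["at"] < self.delete_request_after]
        return before - len(self.requests)


def demo() -> dict:
    """Walk one constructed shared SAP credential through the whole lifecycle."""
    resets: List[str] = []

    def fake_reset(username: str, new_password: str) -> int:
        resets.append(username)  # a real script would change it on the target system
        return 1

    t0 = datetime(2024, 1, 1, 9, 0)
    pool = CheckoutPool(fake_reset, grace_period=timedelta(minutes=15))
    pool.add_credential("sapadmin1", "initial-secret")
    first = pool.checkout("alice", t0, timedelta(hours=1))
    second = pool.checkout("bob", t0 + timedelta(minutes=5), timedelta(hours=1))  # denied
    still_ok = pool.can_use("sapadmin1", t0 + timedelta(minutes=70))  # inside grace period
    freed = pool.expire_leases(t0 + timedelta(minutes=76))             # grace period over
    purged = pool.purge_requests(t0 + timedelta(days=16))

    strict = CheckoutPool(lambda username, new_password: 0)  # reset tool always fails
    strict.add_credential("dbadmin", "initial-secret")
    strict.checkout("carol", t0, timedelta(hours=1))
    return {
        "first": first["username"], "second": second, "still_ok": still_ok,
        "freed": freed, "resets": resets,
        "rotated": pool.credentials["sapadmin1"] != "initial-secret",
        "purged": purged, "remaining": len(pool.requests),
        "failed_checkin": strict.checkin("dbadmin"), "kept": "dbadmin" in strict.leases,
    }
```

Running demo() shows the second request denied while the single credential is out, the credential still usable during the grace period, the forced check-in (and password rotation) once the grace period has passed, and both old requests dropped after the retention period; the strict pool shows the failed-reset case.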

19.1.5 Checking Out Credentials

Privileged Account Manager (PAM) allows users to check out credentials in the following ways:

  • Check out credentials from the user console.

  • Check out credentials using API tokens.

    For more information about Application to Application Password Management (AAPM), see Application to Application Password Management.

  • Check out credentials using the REST API.

    To view the REST API documentation:

    1. In the new administration or user console, click the logged in user on the top-right corner.

    2. Click REST API.

      The REST API document opens in a new tab.

19.1.6 Password Reset Scripts

You can use the appropriate policy templates to reset the passwords of the privileged accounts that are set up on the supported application servers. The password check-in process includes generating a random password, resetting the password in the PAM database, and resetting the password on the application. The password check-in process can either use a script to reset the password on the application and return the result to the PAM database, or use Identity Manager to send the reset password to the PAM database and synchronize the password with an active Identity Manager application.

This section contains the Perl scripts for customizing the password reset of accounts in applications.

LDAP Password Reset Script

The following is an example script for resetting the passwords of accounts on any LDAP directory other than Active Directory. To reset an Active Directory account password, use the script in Active Directory Password Reset Script.

## PAM script to reset the password of an LDAP user

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments supplied by PAM
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

$ctx->log_info("START PASSWD RESET");
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - the following parameters are mandatory: host, adminDN, adminPasswd, userDN and userPasswd.");
  return 0;
}

# default to a secure (LDAPS) connection when 'secure' is not specified
if ($secure eq "") {
  $secure = 1;
}

# set default ldap port numbers
if ($port eq "") {
  if ($secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url; the scheme must agree with the port chosen above
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password (generic LDAP directories take the plain value in userPassword)
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "userpassword", $userPasswd);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin (also on modify failure, so the admin bind is not left open)
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;

Active Directory Password Reset Script

The following is an example script for resetting the passwords of accounts on Active Directory:

## PAM script to reset the password of a Microsoft Active Directory LDAP user
use MIME::Base64;
use Encode qw(encode);

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments supplied by PAM
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
# Active Directory expects unicodePwd as the new password wrapped in double
# quotes and encoded in UTF-16LE; the value is then base64-encoded for ldap_modify
my $userPasswdEncoded = encode_base64(encode("UTF-16le", "\"$userPasswd\""));

$ctx->log_info("START PASSWD RESET");
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - the following parameters are mandatory: host, adminDN, adminPasswd, userDN and userPasswd.");
  return 0;
}

# default to a secure (LDAPS) connection when 'secure' is not specified;
# Active Directory does not accept unicodePwd changes over an unencrypted connection
if ($secure eq "") {
  $secure = 1;
}

# set default ldap port numbers
if ($port eq "") {
  if ($secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url; the scheme must agree with the port chosen above
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "unicodePwd", $userPasswdEncoded);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;
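
The two scripts above differ only in the attribute they write. A generic LDAP directory accepts the new value in userPassword as-is, while Active Directory requires unicodePwd to carry the password wrapped in double quotes and encoded as UTF-16LE, which is what the encode call in the Active Directory script produces (the script additionally base64-encodes those bytes before passing them to ldap_modify). The following is an added example written for this page in Python; it is not part of Privileged Account Manager. It builds both attribute values, decodes the Active Directory form back to show it round-trips, mirrors the scripts' URL construction, and shows the check a reset script should make before the modify: Active Directory refuses unicodePwd changes over an unencrypted connection, so the URL must be ldaps. The function names and the constructed host name and passwords are assumptions, and no directory is contacted.

```python
import base64
from typing import Tuple

AD_ATTRIBUTE = "unicodePwd"
LDAP_ATTRIBUTE = "userPassword"


def encode_unicode_pwd(password: str) -> bytes:
    """Active Directory form: the password in double quotes, UTF-16LE, without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; raises ValueError if the quoting is not what AD expects."""
    text = value.decode("utf-16-le")  # an odd byte count raises UnicodeDecodeError (a ValueError)
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def is_valid_unicode_pwd(value: bytes) -> bool:
    try:
        decode_unicode_pwd(value)
        return True
    except ValueError:
        return False


def encode_unicode_pwd_base64(password: str) -> str:
    """Same text the AD script builds with encode_base64(encode('UTF-16le', '"pw"'))."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def password_modify_value(directory: str, password: str) -> Tuple[str, bytes]:
    """Return (attribute, value) for the modify operation on the given directory type."""
    if directory == "active_directory":
        return AD_ATTRIBUTE, encode_unicode_pwd(password)
    return LDAP_ATTRIBUTE, password.encode("utf-8")


def ldap_url(host: str, port: str, secure: str) -> str:
    """Mirror the scripts' defaults: LDAPS unless secure is 0; 636 for ldaps, 389 for ldap."""
    use_tls = secure != "0"
    if port == "":
        port = "636" if use_tls else "389"
    return f"{'ldaps' if use_tls else 'ldap'}://{host}:{port}"


def can_set_unicode_pwd(url: str) -> bool:
    """AD rejects unicodePwd writes over plain ldap://; a reset script should stop early."""
    return url.startswith("ldaps://")


if __name__ == "__main__":
    url = ldap_url("dc1.example.test", "", "")  # constructed host name
    attribute, value = password_modify_value("active_directory", "pässw0rd!")
    print(url, can_set_unicode_pwd(url), attribute, value, encode_unicode_pwd_base64("ab"))
```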

AWS Password Reset Script

Following is an example script for resetting the password of the accounts on AWS:

# Sample perl script for Password Reset of a user on AWS system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
$ctx->log_info("*** START AWS PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_info("AWS System input parameters : AWS Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user"); 
$ctx->log_info("Resetting the password of the AWS user $user ..."); 
 
## validate inputs 
if ($user eq "" or $admin eq "" or $adminPasswd eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - admin, adminPasswd, userName and userPasswd"); 
    return 0; 
} 
 
# Set passwords as environment variables 
$ENV{AWS_ACCESS_KEY_ID} = $admin; 
$ENV{AWS_SECRET_ACCESS_KEY} = $adminPasswd; 
$ENV{NEW_PASSWORD} = $userPasswd; 
 
# Execute the java command for password reset 
if ($OS =~ /^MSWin/) {
    # On Windows the passwords reach the jar only through %ENV (set above)
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
} else {
    # On Unix the passwords are passed as inline environment assignments inside
    # single quotes, so every single quote in them must become '\'' (close the
    # quoted string, add a backslash-escaped quote, reopen the string).
    $userPasswd  =~ s/'/'\\''/g;
    $adminPasswd =~ s/'/'\\''/g;

    $cmd_output = `AWS_ACCESS_KEY_ID='$admin' AWS_SECRET_ACCESS_KEY='$adminPasswd' NEW_PASSWORD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
}
 
if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the AWS user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output");
 
$ctx->log_info("*** END AWS PASSWD RESET"); 
return $retVal; 

Openstack Password Reset Script

Following is an example script for resetting the password of the accounts on Openstack:

# Sample perl script for Password Reset of a user on Openstack system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $keystone_version = $args->arg("keystone_version"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
my $tenant = $args->arg("tenant"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWORD} = $adminPasswd; 
$ENV{NEW_PASSWORD} = $userPasswd; 
 
$ctx->log_info("*** START Openstack PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_info("Openstack System input parameters : Openstack Host - $host :: Port Number - $port :: Secure - $secure :: keystone_version - $keystone_version :: admin - $admin :: user - $user :: tenant - $tenant"); 
$ctx->log_info("Resetting the password of the Openstack user $user ..."); 
 
## validate inputs 
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $keystone_version eq "" or $tenant eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Openstack host, port number, secure(1/0), keystone version, admin, adminPasswd, userName, userPasswd and tenant name."); 
    return 0; 
} 
 
# Execute the java command for password reset 
if ($OS =~ /^MSWin/) {
    # On Windows the passwords reach the jar only through %ENV (set above)
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
} else {
    # On Unix the passwords are passed as inline environment assignments inside
    # single quotes, so every single quote in them must become '\'' (close the
    # quoted string, add a backslash-escaped quote, reopen the string).
    $userPasswd  =~ s/'/'\\''/g;
    $adminPasswd =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWORD='$adminPasswd' NEW_PASSWORD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
}
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully reset the password of the Openstack user $user.");
} 
 
$ctx->log_info("Command execution output as below : $cmd_output "); 
 
$ctx->log_info("*** END Openstack PASSWD RESET"); 
return $retVal; 

ESXi User Password Reset Script

Following is an example script for resetting the password of the accounts on ESXi:

# Sample perl script for Password Reset of a user on ESXi system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START ESXi PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("ESXi System input parameters : ESXi Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user "); 
$ctx->log_info("Resetting the password of the ESXi user $user ..."); 
 
## validate inputs 
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - ESXi host, port number, secure(1/0), admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# Execute the java command for password reset 
if ($OS =~ /^MSWin/) {
    # On Windows the passwords reach the jar only through %ENV (set above)
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar $host $port $secure $admin $user`;
} else {
    # On Unix the passwords are passed as inline environment assignments inside
    # single quotes, so every single quote in them must become '\'' (close the
    # quoted string, add a backslash-escaped quote, reopen the string).
    $userPasswd  =~ s/'/'\\''/g;
    $adminPasswd =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar $host $port $secure $admin $user`;
}
 
if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the ESXi user $user.");
}

$ctx->log_debug("Command execution output as below : $cmd_output");
 
$ctx->log_info("*** END ESXi PASSWD RESET"); 
return $retVal; 

SAP User Password Reset Script

Following is an example script for resetting the password of the accounts on SAP:

# Sample perl script for Password Reset of a user on SAP system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $systemNumber = $args->arg("systemNumber"); 
my $clientNumber = $args->arg("clientNumber"); 
my $lang = $args->arg("lang"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START SAP PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("SAP System input parameters : SAP Host - $host :: System Number - $systemNumber :: Client Number - $clientNumber :: Language - $lang :: admin - $admin :: user - $user ");
$ctx->log_info("Resetting the password of the SAP user $user ..."); 
 
## validate inputs 
if ($host eq "" or $systemNumber eq "" or $clientNumber eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - SAP host, systemNumber, clientNumber, admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# set default language 
if ($lang eq "") { 
    $lang = "EN"; 
} 
 
# Execute the java command for password reset 
if ($OS =~ /^MSWin/) {
    # On Windows the passwords reach the jar only through %ENV (set above);
    # the jar path is quoted the same way as in the other sample scripts
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar $host $systemNumber $clientNumber $lang $admin $user`;
} else {
    # On Unix the passwords are passed as inline environment assignments inside
    # single quotes, so every single quote in them must become '\'' (close the
    # quoted string, add a backslash-escaped quote, reopen the string).
    $userPasswd  =~ s/'/'\\''/g;
    $adminPasswd =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar $host $systemNumber $clientNumber $lang $admin $user`;
}
 
if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the SAP user $user.");
}

$ctx->log_debug("Command execution output as below : $cmd_output");
 
$ctx->log_info("*** END SAP PASSWD RESET"); 
return $retVal;
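Added check, not one of the PAM sample scripts: a POSIX shell script that reproduces the single-quote escaping which each of the four scripts above applies to the two passwords before splicing them into the Unix command line, and confirms that the child process receives the original password. It assumes the password contains no newline; the function names and the sample password are constructed for this example.

```shell
#!/bin/sh
# Added example, not one of the PAM sample scripts: reproduce the single-quote
# escaping the Perl scripts apply to the passwords before splicing them into
# NEW_PASSWORD='...' on the Unix command line, and check the value survives.
# Assumption: the password contains no newline (sed works line by line).

# escape_sq: turn every ' into '\'' (close the quoted string, add a
# backslash-escaped quote, reopen the string), which is exactly what the
# character-by-character loops in the Perl scripts build.
escape_sq() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# roundtrip: splice the escaped value into a command string that /bin/sh
# parses, as Perl backticks do, passing the password to the child process as
# an inline environment assignment; prints what the child actually received.
roundtrip() {
    escaped=$(escape_sq "$1")
    sh -c "NEW_PASSWORD='$escaped' sh -c 'printf %s \"\$NEW_PASSWORD\"'"
}

# roundtrip_unescaped: the same command line without the escaping step. A
# password containing ' ends the quoted argument early and the shell rejects
# the command (non-zero exit), which is the failure the scripts guard against.
roundtrip_unescaped() {
    sh -c "NEW_PASSWORD='$1' sh -c 'printf %s \"\$NEW_PASSWORD\"'"
}

# Constructed sample password with a quote, spaces, a dollar sign and
# backticks; the shell interprets none of them once escaped.
sample="it's a \$tr0ng \`pass\` word"
echo "escaped : $(escape_sq "$sample")"
echo "received: $(roundtrip "$sample")"
```

Note that the sample scripts escape only the two passwords; the other arguments ($user, $host and so on) are interpolated into the command line unquoted, so the PAM rule that supplies them should restrict them to the characters the target application expects.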