17.1 Credential Checkout

The credential checkout feature retrieves credentials from the Credential Vault and manages shared account credentials. It provides the following capabilities:

  • Provide available shared account credentials, and deny access if all the credentials are in use.

  • Provide users access to an application or database for a fixed time period.

  • After every session, reset the password of the account in the target application to maintain password security.

A Privileged Account Manager administrator can create a privileged account for an application or database and save the application or database administrator credential. This credential is used only when resetting or checking in the password. When a user requests credentials to connect to an Oracle database or any other application, Privileged Account Manager checks which login credentials are available for that application and provides them to the user. An administrator can monitor the commands that a user runs on any application and audit the report based on the defined risk score.

The following sections describe how to configure, access, and manage shared account credentials by using the credential checkout feature.

17.1.1 Configuring Credential Checkout for Applications

The privileged accounts that are set up on the following applications and databases can be managed through PAM. To manage those accounts, you must customize the sample script and add it to the PAM rule. For more information about customizing the script, see Password Reset Scripts.

Following are the tested applications on which you can reset the password of existing accounts:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following applications:

  • SAP

  • VMWare ESXi

  • eDirectory

    NetIQ eDirectory is a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. You can enable the password check-out feature to access the eDirectory server.

    To enable the credential checkout feature for eDirectory, you can add the rules by using the eDirectory policy template. For more information about using the policy template, see Adding a Policy Template.

  • Active Directory

    Active Directory is a directory service that authenticates and authorizes all users and computers in a Windows domain network. It assigns and enforces security policies for all computers and installs or updates software. You can enable the password check-out feature to access the Active Directory server.

    To enable the credential checkout feature for Active Directory, you can add the rules by using the Active Directory policy template. For more information about using the policy template, see Adding a Policy Template.

  • System Applications Products

    System Applications Products (SAP) is an Enterprise Resource Planning (ERP) system. You can enable the password check-out feature to access the SAP application.

    To connect PAM with the Systems, Applications, and Products (SAP) application, ensure that you download the following files on the PAM manager server:

    • SAP Java connector (JCO)

      You can download the JCO from the SAP Connectors site.

    • The following files must be downloaded from the SAP Service Marketplace website to the location /opt/netiq/npum/service/local/cmdctrl/lib/ (for Linux) or c:\Program Files\npum\opt\netiq\npum\service\local\cmdctrl\lib (for Windows):

      • sapjco3.jar

      • (For Linux) libsapjco3.so

      • (For Windows) sapjco3.dll

    NOTE: The download is free to any SAP software customer or development partner, but you are required to log in to the mentioned website.

    To enable the credential checkout feature for SAP, you can add the rules by using the SAP policy template. For more information about using the policy template, see Adding a Policy Template.

  • VMware ESXi

    VMware ESXi is a type-1 hypervisor that is used for hardware virtualization. You can enable the password check-out feature to access the ESXi server.

    PAM bundles the VMware Infrastructure Java API to communicate with the VMware ESXi server. The default location of the VMware Infrastructure Java API is /opt/netiq/npum/service/local/cmdctrl/lib/ (for Linux) and c:\Program Files\npum\opt\netiq\npum\service\local\cmdctrl\lib (for Windows).

    To enable credential checkout on ESXi, you can add the rules by using the ESX policy template. For more information about using the policy template, see Adding a Policy Template.

  • Local Accounts on Linux

    PAM supports the Credential Checkout feature for local user accounts on any Linux operating system running SSH.

  • Local Accounts on Unix

    PAM supports the Credential Checkout feature for local user accounts on the AIX operating system.

    Prerequisite

    On the AIX machine, configure the following:

    • Specify AcceptEnv LC_ALL in the sshd_config file.

    • Restart the sshd service.

  • Local Accounts on Windows

    Prerequisite

    For RHEL 8 (64-bit) and RHEL 7 (64-bit), install the redhat-lsb-core package.

    For RHEL 8 (64-bit) and SLES 15 (64-bit), install the lsb-release package.

    • On Windows Manager:

      • Ensure that the Windows Remote Management (WinRM) service is running on Windows. To start the WinRM service, run the following command:

        Enable-PSRemoting -Force

      • Add the target machine, where the password must be changed, to the WinRM trusted hosts. To add all servers as trusted hosts, run the following command:

        winrm set winrm/config/client '@{TrustedHosts="*"}'

      • Set the PowerShell execution policy to RemoteSigned using the following command:

        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

    • On Linux Manager:

      Install the taskmanager package.

    • On Target Machine:

      Ensure the following is done:

      • PowerShell 2.0 or later must be installed on all the Windows target machines, because PAM uses PowerShell scripts to change the password.

      • The Windows Remote Management (WinRM) service must be running on the Windows machine. To start the WinRM service, use the command:

        Enable-PSRemoting -Force

      • The IP address of the task manager must be added to the trusted hosts of the target machine. To add a trusted host, use the command:

        winrm set winrm/config/client '@{TrustedHosts="x.x.x.x"}'

    PAM supports the Credential Checkout feature for local user accounts on the Windows operating system.

Enabling Credential Checkout for Applications

The credential checkout feature can also be customized for other applications, such as Salesforce.

To enable credential checkout for applications such as LDAP, Active Directory, SAP, and ESXi, you can import the respective policy template. When you import the policy template, all the components required for configuring a credential checkout, such as the resource and the rule, are added with default values. You must customize these according to your requirements. For more information about adding a policy template, see Adding a Policy Template.

To enable credential checkout for an application whose policy template is not available, you need to add the application server as a resource in the credential vault and add a rule for credential checkout. For information about adding a resource, see the contextual help. For information about adding a rule, see Adding a Rule.

17.1.2 Configuring Credential Checkout for Cloud Services

The privileged accounts that are set up on the following cloud services can be managed through PAM. To manage those accounts, you must customize the sample script and add it to the PAM rule. For more information about customizing the script, see Password Reset Scripts.

Following are the tested cloud services on which you can reset the password of existing accounts:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following:

  • OpenStack

  • Amazon Web Services

  • Microsoft Azure

  • OpenStack

    OpenStack is a set of software tools designed for building and managing cloud computing platforms. You can enable the password check-out feature to access the OpenStack server.

    To enable the credential checkout feature for OpenStack, you can add the rules by using the OpenStack policy template or add an OpenStack resource and rule manually. For more information about enabling credential checkout for OpenStack, see Enabling Credential Checkout for OpenStack.

  • Amazon Web Services

    Amazon Web Services (AWS) is a bundled remote computing service that provides cloud computing infrastructure over the Internet with storage, bandwidth, and customized support for Application Programming Interfaces (API). You can enable the password check-out feature to access services in AWS cloud.

    To enable the credential checkout feature for AWS, you can add the rules by using the AWS policy template or add an AWS resource and rule manually. For more information about enabling credential checkout for AWS, see Enabling Credential Checkout for Amazon Web Services.

  • Microsoft Azure

    Microsoft Azure is a bundled remote computing service that provides cloud computing infrastructure over the Internet with storage, bandwidth, and customized support for Application Programming Interfaces (API). You can enable the password check-out feature to access services in Microsoft Azure.

    To enable the credential checkout feature for Microsoft Azure, you can add the rules by using the Microsoft Azure policy template or add a Microsoft Azure resource and rule manually. For more information about enabling credential checkout for Microsoft Azure, see Enabling Credential Checkout for Microsoft Azure.

Enabling Credential Checkout for OpenStack

To enable the credential checkout feature for the OpenStack server, perform the following:

  1. In the OpenStack server, create a user and assign the user to a project (tenant) with a role. For information about user creation and project and role assignment, see OpenStack Documentation.

  2. In the PAM Administration Console,

    Add the OpenStack policy template to automatically add a resource and rule for OpenStack. This OpenStack resource and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template.

    Or

    Add a resource in the credential vault and a rule manually for OpenStack. For information about adding a resource, see contextual help. For information about adding a rule, see Adding a Rule.

    NOTE: For password check-out of accounts belonging to different OpenStack projects (tenants), you must create a separate resource for each tenant.

Enabling Credential Checkout for Amazon Web Services

To enable the credential checkout feature for Amazon Web Services (AWS), perform the following:

  1. In the Amazon Web Services cloud, create a user and assign permissions or policies to the user. For information about AWS user creation, see AWS Documentation.

  2. In the Privileged Account Manager Administration Console,

    Add the AWS policy template to automatically add a resource and rule for AWS. This resource and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template.

    Or

    Add a resource in the credential vault and a rule manually for AWS. For information about adding a resource, see contextual help. For information about adding a rule, see Adding a Rule.

Enabling Credential Checkout for Microsoft Azure

Prerequisite: Ensure that PAM password policies adhere to the Microsoft Azure password policies.

To enable the credential checkout feature for Microsoft Azure:

  1. In the Microsoft Azure cloud, create a user and assign permissions or policies to the user. For information about Microsoft Azure user creation, see Microsoft Azure documentation.

  2. In the Privileged Account Manager Administration Console,

    Add the Microsoft Azure policy template to automatically add a resource and rule for Microsoft Azure. You can customize this resource and rule as required. For more information about adding the policy template, see Adding a Policy Template.

    or

    Add a resource in the Credential Vault and a rule manually for Microsoft Azure. Edit the resource in PAM and update the following fields:

    For information about adding a resource, see the contextual help. For information about adding a rule, see Adding a Rule.

17.1.3 Configuring Credential Checkout Settings

  1. On the home page of the Privileged Account Manager console, click Access Dashboard.

  2. Click the Configuration tab.

  3. In the Delete Request After field, select the number of days after which a request is deleted from the list under All. For example, if you select 15 Days, all requests that are 15 days old are deleted from the list of requests.

  4. In the Allow Grace Period of field, select the extra duration for which a user can still access the password after the requested time period expires.

  5. In the Server Email Id field, enter the email ID that is defined for the Privileged Account Manager server. This is the email ID from which emails are sent to the users.

  6. In the Admin Email Id field, enter the email ID of the Privileged Account Manager administrator.
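The following model, added here as an illustration and not Privileged Account Manager code, ties together the behaviour described in the 17.1 overview and in the settings above: a pool of shared account credentials, an exclusive checkout that is refused once every credential is in use, a fixed access period extended by a grace period, and a password reset on every check-in. The account names, passwords and timestamps are constructed sample data; the generated password alphabet and length are assumptions, since the page does not state PAM's password policy.

```python
"""Shared-account credential checkout model (added illustration, not PAM code).

Behaviour modelled: exclusive checkout with denial when the pool is exhausted,
fixed access period plus grace period, and password reset on check-in.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SharedAccount:
    name: str
    password: str
    checked_out_by: Optional[str] = None
    expires_at: Optional[float] = None      # end of the requested access period
    history: List[tuple] = field(default_factory=list)


class CheckoutVault:
    def __init__(self, accounts, grace_period=0.0, password_length=24):
        # grace_period and password_length are assumed parameters, not PAM settings
        self.accounts = {a.name: a for a in accounts}
        self.grace_period = grace_period
        self.password_length = password_length

    @staticmethod
    def new_password(length: int) -> str:
        """Random password from a CSPRNG; the alphabet is an assumption."""
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def checkout(self, user: str, now: float, duration: float) -> Optional[Tuple[str, str]]:
        """Hand out the first free credential, or None when all are in use."""
        for acct in self.accounts.values():
            if acct.checked_out_by is None:
                acct.checked_out_by = user
                acct.expires_at = now + duration
                acct.history.append(("checkout", user, now))
                return acct.name, acct.password
        return None

    def may_use(self, name: str, user: str, now: float) -> bool:
        """True while the holder is inside the requested period or its grace period."""
        acct = self.accounts[name]
        if acct.checked_out_by != user or acct.expires_at is None:
            return False
        return now <= acct.expires_at + self.grace_period

    def checkin(self, name: str, now: float) -> Optional[bool]:
        """Release the credential and rotate its password; True if the password changed."""
        acct = self.accounts[name]
        if acct.checked_out_by is None:
            return None                      # nothing was checked out
        old = acct.password
        acct.password = self.new_password(self.password_length)
        acct.checked_out_by = None
        acct.expires_at = None
        acct.history.append(("checkin", now))
        return acct.password != old


if __name__ == "__main__":
    # Constructed sample data: two shared DBA accounts, 5-minute grace period.
    vault = CheckoutVault([SharedAccount("dba1", "p1"), SharedAccount("dba2", "p2")],
                          grace_period=300)
    print(vault.checkout("alice", 1000, 3600))   # ('dba1', 'p1')
    print(vault.checkout("bob", 1000, 3600))     # ('dba2', 'p2')
    print(vault.checkout("carol", 1000, 3600))   # None: pool exhausted
    print(vault.may_use("dba1", "alice", 4900))  # True: inside the grace period
    print(vault.checkin("dba1", 5000))           # True: password rotated
```

The check-in path rotates the password before the account returns to the pool, so a user who copied the password during the session cannot reuse it later; the `history` list is the audit trail a real vault would write to its log.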

17.1.4 Checking Out Credentials

Privileged Account Manager (PAM) allows users to check out credentials in the following ways:

  • Checkout credentials from the user console

  • Checkout credentials using API tokens.

    For more information about AAPM, see Application to Application Password Management.

  • Checkout credentials using REST API.

    To view the REST API documentation:

    1. In the new administration or user console, click the logged-in user on the top-right corner.

    2. Click REST API.

      The REST API document opens in a new tab.

17.1.5 Password Reset Scripts

You can use the required policy templates to reset the password of the privileged accounts that are set up on the supported application server. The password check-in process includes generating a random password, resetting the password in the PAM database, and resetting the password on the application. The password check-in process can either use a script to reset the password on the application and return the value to the PAM database, or use Identity Manager to write the reset password to the PAM database and synchronize the password with an active Identity Manager application.

This section contains Perl scripts for customizing the password reset of accounts in applications.

LDAP Password Reset Script

Following is an example script for resetting the password of accounts on any LDAP directory except Active Directory. To reset an Active Directory account password, use the Active Directory Password Reset Script.

## PAM script to reset password of an LDAP user

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

$ctx->log_info("START PASSWD RESET");
# Passwords are deliberately left out of the debug line.
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd are passed.");
  return 0;
}

# An empty "secure" argument means LDAPS; normalise it once so that the
# default port and the URL scheme below agree.
$secure = 1 if ($secure eq "");

# set default ldap port numbers
if ($port eq "") {
  if ($secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "userpassword", $userPasswd);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;    # fall through so that the admin bind is still released
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;

Active Directory Password Reset Script

Following is an example script for resetting the password of the accounts on Active Directory:

## PAM script to reset password of Microsoft ActiveDirectory LDAP user
use MIME::Base64;
use Encode qw(encode);

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $userPasswdEncoded = encode_base64(encode("UTF-16le", "\"$userPasswd\""));

$ctx->log_info("START PASSWD RESET");
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd are passed.");
  return 0;
}
# An empty "secure" argument means LDAPS; normalise it once so that the
# default port and the URL scheme below agree.
$secure = 1 if ($secure eq "");

# set default ldap port numbers
if ($port eq "") {
  if ($secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "unicodePwd", $userPasswdEncoded);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;
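The one line that distinguishes the Active Directory script from the generic LDAP script is the encoding of the new password for the unicodePwd attribute: the password is wrapped in double quotes, encoded as UTF-16LE, and then base64-encoded for the ldap_modify call. The following Python, added here as an illustration rather than code from the page or the product, reproduces that encoding and its inverse so that a script's output can be checked; the sample password is constructed.

```python
"""Encoding a password for Active Directory's unicodePwd attribute
(added illustration, not PAM code)."""
import base64


def ad_unicode_pwd(password: str) -> bytes:
    """Raw octets AD expects in unicodePwd: the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def ad_unicode_pwd_b64(password: str) -> str:
    """Same value base64-encoded, as the Perl script's encode_base64(encode(...)) does."""
    return base64.b64encode(ad_unicode_pwd(password)).decode("ascii")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of ad_unicode_pwd; rejects values that lack the surrounding quotes,
    which AD would refuse with a constraint violation."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not enclosed in double quotes")
    return text[1:-1]


def decode_unicode_pwd_b64(value: str) -> str:
    return decode_unicode_pwd(base64.b64decode(value))


if __name__ == "__main__":
    sample = "Pa$$w0rd!"                       # constructed sample password
    print(ad_unicode_pwd(sample))
    print(ad_unicode_pwd_b64(sample))
    print(decode_unicode_pwd_b64(ad_unicode_pwd_b64(sample)))
```

Active Directory accepts a unicodePwd modification only over an encrypted connection (LDAPS or a sealed bind), which is why the script should be run with secure set and port 636; a plain ldap:// URL fails at the modify step even when the encoding is correct.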

Openstack Password Reset Script

Following is an example script for resetting the password of the accounts on Openstack:

# Sample perl script for Password Reset of a user on Openstack system

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $keystone_version = $args->arg("keystone_version");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $tenant = $args->arg("tenant");

# Set passwords as environment variables so that the child process reads them
# from its environment rather than from the command line
$ENV{ADMIN_PASSWORD} = $adminPasswd;
$ENV{NEW_PASSWORD} = $userPasswd;

$ctx->log_info("*** START Openstack PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
$ctx->log_info("Openstack System input parameters : Openstack Host - $host :: Port Number - $port :: Secure - $secure :: keystone_version - $keystone_version :: admin - $admin :: user - $user :: tenant - $tenant");
$ctx->log_info("Resetting the password of the Openstack user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $keystone_version eq "" or $tenant eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Openstack host, port number, secure(1/0), keystone version, admin, adminPasswd, userName, userPasswd and tenant name.");
    return 0;
}

# Execute the java command for password reset
if ($OS =~ /^MSWin/) {
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
} else {
    # Escape single quotes (' becomes '\'') so that the passwords survive the
    # single-quoted environment assignments on the command line below.
    (my $adminPasswdSh = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdSh = $userPasswd) =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWORD='$adminPasswdSh' NEW_PASSWORD='$userPasswdSh' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the Openstack user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** END Openstack PASSWD RESET");
return $retVal;

AWS Password Reset Script

Following is an example script for resetting the password of the accounts on AWS:

# Sample perl script for Password Reset of a user on AWS system

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

$ctx->log_info("*** START AWS PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS");
$ctx->log_info("AWS System input parameters : AWS Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user");
$ctx->log_info("Resetting the password of the AWS user $user ...");

## validate inputs
if ($user eq "" or $admin eq "" or $adminPasswd eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - admin, adminPasswd, userName and userPasswd");
    return 0;
}

# Set the access key, secret key and new password as environment variables so
# that the child process reads them from its environment
$ENV{AWS_ACCESS_KEY_ID} = $admin;
$ENV{AWS_SECRET_ACCESS_KEY} = $adminPasswd;
$ENV{NEW_PASSWORD} = $userPasswd;

# Execute the java command for password reset
if ($OS =~ /^MSWin/) {
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
} else {
    # Escape single quotes (' becomes '\'') so that the secrets survive the
    # single-quoted environment assignments on the command line below.
    (my $adminPasswdSh = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdSh = $userPasswd) =~ s/'/'\\''/g;

    $cmd_output = `AWS_ACCESS_KEY_ID='$admin' AWS_SECRET_ACCESS_KEY='$adminPasswdSh' NEW_PASSWORD='$userPasswdSh' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the AWS user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** END AWS PASSWD RESET");
return $retVal;

Microsoft Azure Password Reset Script

Following is an example script for resetting the password of the accounts on Microsoft Azure:

# Sample perl script for Password Reset of a user on Microsoft Azure Account
use Cwd qw(getcwd);

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $Authority = $args->arg("Authority");
my $ClientID = $args->arg("ClientID");
my $AuthenticationTokenURL = $args->arg("AuthenticationTokenURL");
my $pam_home = getcwd;

# Set passwords as environment variables so that the child process reads them
# from its environment rather than from the command line
$ENV{ADMIN_PASSWORD} = $adminPasswd;
$ENV{NEW_PASSWORD} = $userPasswd;

$ctx->log_info("*** START Microsoft Azure PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home");
$ctx->log_info("Microsoft Azure System input parameters : Microsoft Azure Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user :: Authority - $Authority :: ClientID - $ClientID :: AuthenticationTokenURL - $AuthenticationTokenURL ");
$ctx->log_info("Changing the password of the Microsoft Azure user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $Authority eq "" or $ClientID eq "" or $AuthenticationTokenURL eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Microsoft Azure host, port number, secure(1/0), admin, adminPasswd, userName, userPasswd, Authority, ClientID and AuthenticationTokenURL.");
    return 0;
}

# Execute the java command for password reset
if ($OS =~ /^MSWin/) {
    $cmd_output = `java -jar \"$pam_home\"/service/local/cmdctrl/lib/NPUM_AzureAD_api.jar $admin '$ClientID' '$AuthenticationTokenURL/$host/users/$user?api-version=1.6' $Authority $AuthenticationTokenURL`;
} else {
    # Escape single quotes (' becomes '\'') so that the passwords survive the
    # single-quoted environment assignments on the command line below.
    (my $adminPasswdSh = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdSh = $userPasswd) =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWORD='$adminPasswdSh' NEW_PASSWORD='$userPasswdSh' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AzureAD_api.jar $admin '$ClientID' '$AuthenticationTokenURL/$host/users/$user?api-version=1.6' $Authority $AuthenticationTokenURL`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully changed the password of the Microsoft Azure user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** END Microsoft Azure PASSWD RESET");
return $retVal;

ESXi User Password Reset Script

Following is an example script for resetting the password of the accounts on ESXi:

# Sample perl script for Password Reset of a user on ESXi system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START ESXi PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("ESXi System input parameters : ESXi Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user "); 
$ctx->log_info("Resetting the password of the ESXi user $user ..."); 
 
## validate inputs 
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - ESXi host, port number, secure(1/0), admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# Execute the java command for password reset 
if ($OS =~ "^MSWin") { 
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar  $host $port $secure $admin $user`; 
} else { 
    my $point; 
    my @new_pwd = (); 
    my @pwd = (); 
 
    # escape single quote (') in user password: every ' becomes '\'' (close the
    # quoted word, emit a backslash-escaped quote, reopen the word) so the value
    # can be passed inside a single-quoted shell word below
    @pwd = split(//, $userPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $userPasswd = join("", @new_pwd); 
 
    # escape single quote (') in admin password the same way
    @pwd = (); 
    @new_pwd = (); 
    @pwd = split(//, $adminPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $adminPasswd = join("", @new_pwd); 
 
    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar $host $port $secure $admin $user`; 
} 
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully reset the password of the ESXi user $user."); 
} 
 
$ctx->log_debug("Command execution output as below : 
        $cmd_output "); 
 
$ctx->log_info("*** END ESXi PASSWD RESET"); 
return $retVal; 

SAP User Password Reset Script

Following is an example script for resetting the password of the accounts on SAP:

# Sample perl script for Password Reset of a user on SAP system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $systemNumber = $args->arg("systemNumber"); 
my $clientNumber = $args->arg("clientNumber"); 
my $lang = $args->arg("lang"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START SAP PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("SAP System input parameters : SAP Host - $host :: System Number - $systemNumber :: Client Number - $clientNumber :: Language - $lang :: admin - $admin :: user - $user "); 
$ctx->log_info("Resetting the password of the SAP user $user ..."); 
 
## validate inputs 
if ($host eq "" or $systemNumber eq "" or $clientNumber eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - SAP host, systemNumber, clientNumber, admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# set default language 
if ($lang eq "") { 
    $lang = "EN"; 
} 
 
# Execute the java command for password reset 
if ($OS =~ "^MSWin") { 
    $cmd_output = `java -jar "C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar" $host $systemNumber $clientNumber $lang $admin $user`; 
} else { 
    my $point; 
    my @new_pwd = (); 
    my @pwd = (); 
 
    # escape single quote (') in user password: every ' becomes '\'' (close the
    # quoted word, emit a backslash-escaped quote, reopen the word) so the value
    # can be passed inside a single-quoted shell word below
    @pwd = split(//, $userPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $userPasswd = join("", @new_pwd); 
 
    # escape single quote (') in admin password the same way
    @pwd = (); 
    @new_pwd = (); 
    @pwd = split(//, $adminPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $adminPasswd = join("", @new_pwd); 
    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar $host $systemNumber $clientNumber $lang $admin $user`; 
} 
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully reset the password of the SAP user $user."); 
} 
 
$ctx->log_debug("Command execution output as below : 
        $cmd_output "); 
 
$ctx->log_info("*** END SAP PASSWD RESET"); 
return $retVal; 

Linux User Password Reset Script

Following is an example script for resetting the password of the accounts on Linux:

#Sample perl script for Password Reset of a user on Linux local Account
use Cwd qw(getcwd);   # getcwd is used below to locate the PAM home directory

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $pam_home = getcwd;

# Set passwords as environment variables - SSHPASS and LC_ALL
$ENV{SSHPASS} = $adminPasswd;
$ENV{LC_ALL} = $userPasswd;

$ctx->log_info("*** START Linux Local Account PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home");
$ctx->log_info("Linux System input parameters : Linux Host - $host :: Port Number - $port :: admin - $admin :: user - $user");
$ctx->log_info("Changing the password of the Linux user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Linux host, port number, admin, adminPasswd, userName, userPasswd.");
    return 0;
}

if ($OS =~ "^MSWin") {
    $cmd_output = `\"$pam_home\"/bin/ssh.exe -p $port -n -o SendEnv=LC_ALL -o StrictHostKeyChecking=no -Z -l $admin $host "echo -e \$LC_ALL\\\\n\$LC_ALL | passwd $user 2>&1"`;
} else {
    my $point;
    my @new_pwd = ();
    my @pwd = ();

    # escape single quote (') in user password: every ' becomes '\'' (close the
    # quoted word, emit a backslash-escaped quote, reopen the word) so the value
    # can be passed inside a single-quoted shell word below
    @pwd = split(//, $userPasswd);
    $point = 0;
    foreach (@pwd){
        if($_ eq "'"){
            $new_pwd[$point++] = "'";
            $new_pwd[$point++] = '\\';
            $new_pwd[$point++] = "'";
            $new_pwd[$point++] = "'";
        }
        else{
            $new_pwd[$point++] = $_;
        }
    }
    $userPasswd = join("", @new_pwd);

    # escape single quote (') in admin password the same way
    @pwd = ();
    @new_pwd = ();
    @pwd = split(//, $adminPasswd);
    $point = 0;
    foreach (@pwd){
        if($_ eq "'"){
            $new_pwd[$point++] = "'";
            $new_pwd[$point++] = '\\';
            $new_pwd[$point++] = "'";
            $new_pwd[$point++] = "'";
        }
        else{
            $new_pwd[$point++] = $_;
        }
    }
    $adminPasswd = join("", @new_pwd);
    $cmd_output = `SSHPASS='$adminPasswd' LC_ALL='$userPasswd' /opt/netiq/npum/service/local/sshrelay/bin/ssh -p $port -o SendEnv=LC_ALL -o StrictHostKeyChecking=no -Z -l $admin $host \"usr=$user;myrootuser=$admin;\" 'echo -e \$LC_ALL\\\\n\$LC_ALL | passwd $user 2>&1'`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully changed the password of the Linux user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** End Linux Local Account PASSWD RESET");
return $retVal;

Windows User Password Reset Script

Following is an example script for resetting the password of the accounts on Windows:

# Sample perl script for Password Reset of a user on Windows system 
use Cwd qw(getcwd);   # getcwd is used below to locate the PAM home directory
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
 
my $cmd_output = "";
my $pam_home = getcwd;

## arguments 
my $host = $args->arg("host"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 

# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START WINDOWS PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home"); 
$ctx->log_info("WINDOWS System input parameters : WINDOWS Host - $host :: admin - $admin :: user - $user :: pam_home - $pam_home"); 
$ctx->log_info("Changing the password of the Windows user $user ..."); 


## validate inputs 
if ($host eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - WINDOWS host, admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
  
# Execute powershell script for password reset 
if ($OS =~ "^MSWin") { 
    # do not log $adminPasswd or $userPasswd here: they would be written in clear text to the PAM log
    $ctx->log_info("*** running powershell password reset for $user on $host"); 
    $cmd_output = `powershell.exe -file "$pam_home/service/local/cmdctrl/template/exports/winPwdChangeLocal.ps1" $host $admin $user`;
    $ctx->log_info("$cmd_output"); 
} else { 
    my $point; 
    my @new_pwd = (); 
    my @pwd = (); 
 
    # escape single quote (') in user password: every ' becomes '\'' (close the
    # quoted word, emit a backslash-escaped quote, reopen the word) so the value
    # can be passed inside a single-quoted shell word below
    @pwd = split(//, $userPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $userPasswd = join("", @new_pwd); 
 
    # escape single quote (') in admin password the same way
    @pwd = (); 
    @new_pwd = (); 
    @pwd = split(//, $adminPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = "'"; 
        } 
        else{ 
            $new_pwd[$point++] = $_; 
        } 
    } 
    $adminPasswd = join("", @new_pwd); 
    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' /usr/bin/pwsh -file "/opt/netiq/npum/service/local/cmdctrl/template/exports/winPwdChangeLocal.ps1" $host $admin $user`; 
} 
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully changed the password of the Windows user $user ."); 
} 

$ctx->log_debug("Command execution output as below : 
        $cmd_output "); 
 
$ctx->log_info("*** END WINDOWS PASSWD RESET"); 
return $retVal;
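All four sample scripts escape the passwords before interpolating them into a single-quoted shell word, hand them to the reset tool through environment variables, and write a command line and its output to the PAM log. The following added Python example (not NetIQ code; function names are mine) re-implements that escaping so it can be checked against a real /bin/sh, shows the environment-only hand-over that needs no quoting at all, and masks secrets before a line is logged:

```python
import os
import subprocess

# Added example (not NetIQ's code). Re-implements the single-quote escaping
# that the sample Perl scripts apply to $userPasswd/$adminPasswd, verifies it
# against a real /bin/sh, and shows two defensive habits the scripts rely on:
# passing secrets in the environment rather than on a command line, and
# keeping them out of log lines.

def escape_single_quotes(secret: str) -> str:
    """Same transformation as the scripts' loop: ' -> '\\'' (close the quoted
    word, emit a backslash-escaped quote, reopen the word)."""
    out = []
    for ch in secret:
        if ch == "'":
            out.extend(["'", "\\", "'", "'"])
        else:
            out.append(ch)
    return "".join(out)

def shell_roundtrip(secret: str) -> str:
    """Run VAR='<escaped>' sh -c 'printf %s "$VAR"' and return what the inner
    shell actually received; equals `secret` exactly when the escaping is right."""
    cmd = "VAR='" + escape_single_quotes(secret) + "' sh -c 'printf %s \"$VAR\"'"
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout

def run_with_secrets_in_env(argv: list, admin_pw: str, user_pw: str) -> str:
    """The hand-over the scripts use via $ENV{ADMIN_PASSWD}/$ENV{USER_NEW_PASSWD}:
    no shell, no quoting, and the passwords never appear in argv or `ps`."""
    env = dict(os.environ, ADMIN_PASSWD=admin_pw, USER_NEW_PASSWD=user_pw)
    return subprocess.run(argv, env=env, capture_output=True,
                          text=True, check=True).stdout

def redact(line: str, secrets) -> str:
    """Mask secret values before a command line or its output is logged."""
    for s in secrets:
        if s:
            line = line.replace(s, "***")
    return line

if __name__ == "__main__":
    pw = "it's $a `w'eird` pass\"word"   # constructed sample value
    print(escape_single_quotes(pw))
    assert shell_roundtrip(pw) == pw
    print(redact("running reset with " + pw, (pw,)))
```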