5.3 Credential Checkout

The credential checkout feature retrieves credentials from the Credential Vault and manages shared account credentials. It provides the following capabilities:

  • Provides available shared account credentials and denies access if all the credentials are in use.

  • Provides users access to the application or database for a fixed period.

  • After every session, resets the account's password in the target application to maintain password security.

A Privileged Account Manager administrator can create a privileged account for an application or database and save the application or database administrator credential. These credentials are used only when resetting or checking in the password. When a user requests credentials to connect to an Oracle database or any other application, Privileged Account Manager checks for the login credentials available for that application and provides them to the user. An administrator can monitor the commands that a user runs on any application and audit the report based on the defined risk score.

The following sections provide details on configuring, accessing, and managing shared account credentials by using the credential checkout feature.

5.3.1 Configuring Credential Checkout for Application and Database Type Credentials

You can map credentials to permissions. For more information about permissions, see Permissions.

This section applies only to the Application and Database checkout feature. When you click an Application or Database type resource from Credential Vault > Resources, a fly-out is displayed if you are creating a resource and credential for the first time. The Credentials tab requires you to add the privileged type for the respective credential. If you have already created a credential, click the resource name to open the resource details in a fly-out; clicking the Credential Count then displays a Credential fly-out.

To create a permission:

In Access Control (enable the Access Control Policy engine from Settings > Policy Engine > Server Settings), follow this procedure:

  1. Create a Resource Pool for the Application/Database type. You can add resources to the Resource Pool. For more information, see Configuring a Resource Pool.

  2. Add a User Role. For more information, see Configuring a User Role.

  3. Create an Assignment and assign permissions for the Application/Database credential type. For more information, see Configuring Permissions.

  4. In the Access Control > Assignments > Permissions > Checkout Options page, select the options as required.

    • Allow Password Change During Check-in: Move the radio button to the right to enable this option. By default, this option is disabled and does not allow the user to change the password while checking in. Enabling it allows the password to be changed during check-in and provides the following options.

      NOTE: If you are upgrading from Privileged Account Manager 4.1 to 4.2 and want to keep the same check-in and check-out behavior for credentials, do not enable the Allow Password Change During Check in option.

      Enabling Allow Password Change During Check in is new behavior from Privileged Account Manager 4.2 onwards.

      • Credential Checkout Mode: The Selected by System option allows the system to select the user for checkout.

      • The Allow Selection by User option allows you to select the user for whom you want to perform the password check-in and check-out function.

      • Credentials Allowed for Checkout: This option allows you either to allow All credentials to perform the check-in and check-out function, or to restrict them to a privilege type.

        The Restrict Credentials to a Privilege Type option applies only if you have already defined a privilege type and want to select for which user the password is changed at check-out. For more information about privilege types, see Section 5.1.3, Defining Privileged Type for a Credential.

5.3.2 Configuring Credential Checkout for Applications

The privileged accounts that are set up on the following applications or databases can be managed through Privileged Account Manager. To manage those accounts, you must customize the sample script and add it to the Privileged Account Manager rule.

The following are the tested applications on which you can reset the passwords of existing accounts:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following applications:

  • SAP

  • VMware ESXi

eDirectory

NetIQ eDirectory is a list of objects that represent network resources, such as network users, servers, printers, print queues, and applications. You can enable the password check-out feature to access the eDirectory server.

To enable the credential checkout feature for eDirectory, add the rules by using the eDirectory policy template.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_LDAP. Click Next.

Connection Details:

In the Connection tab, specify the following details:

  • Application Type: Enter the application type as LDAP.

  • Host Name/IP Address: Enter either the host name or the IP address of the eDirectory server.

  • Port: Enter the port number. If you enable SSL, the port number is 636; otherwise, it is 389.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the eDirectory script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User DN

      • Password

      NOTE: Enter the user DN and password in the Credentials fly-out.

    • Reconcile Account: Select based on the account.

  • Script Arguments: Select any relevant script argument.

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list. Click Finish.

Active Directory

Active Directory is a directory service that authenticates and authorizes all users and computers in a Windows domain network. It assigns and enforces security policies for all computers and installs or updates software. You can enable the password check-out feature to access the Active Directory server.

To enable the credential checkout feature for Active Directory, add the rules by using the Active Directory policy template.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_Active-Directory_LDAP. Click Next.

Connection Details:

  • Application Type: Enter the application type as LDAP.

  • Host Name/IP Address: Enter either the host name or the IP address of the Active Directory server.

  • Port: Enter the port number. If you enable SSL, the port number is 636; otherwise, it is 389.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the Active Directory script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User DN

      • Password

      NOTE: Enter the user DN and password in the Credentials fly-out.

    • Reconcile Account: Select based on the account.

  • Script Arguments:

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list. Click Finish.

Systems, Applications, and Products (SAP)

Systems, Applications, and Products (SAP) is an Enterprise Resource Planning (ERP) system. You can enable the password check-out feature to access the SAP application.

To connect Privileged Account Manager with the SAP application, ensure that you download the following files to the Privileged Account Manager server:

  • SAP Java connector (JCO)

    You can download the JCO from the SAP Connectors site.

  • The following files must be downloaded from the SAP Service Marketplace Web site to /opt/netiq/npum/service/local/cmdctrl/lib/ (for Linux) or c:\Program Files\npum\opt\netiq\npum\service\local\cmdctrl\lib (for Windows):

    • sapjco3.jar

    • (For Linux) libsapjco3.so

    • (For Windows) sapjco3.dll

NOTE: The download is free to any SAP software customer or development partner, but you are required to log in to the mentioned website.

To enable the credential checkout feature for SAP, add the rules by using the SAP policy template.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_SAP. Click Next.

Connection Details:

  • Application Type: Enter the application type as SAP.

  • Host Name/IP Address: Enter either the host name or the IP address of the SAP machine.

  • Port: Enter the port number as 3309.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the SAP script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User Name

      • Password

    • Reconcile Account: Select based on the account.

  • Script Arguments: Specify the Language, clientNumber, and systemNumber of the SAP machine.

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

VMware ESXi

VMware ESXi is a type-1 hypervisor used for hardware virtualization. You can enable the password check-out feature to access the ESXi server.

Privileged Account Manager bundles the VMware Infrastructure Java API to communicate with the VMware ESXi server. The default location of the VMware Infrastructure Java API is /opt/netiq/npum/service/local/cmdctrl/lib/ (for Linux) and c:\Program Files\npum\opt\netiq\npum\service\local\cmdctrl\lib (for Windows).

To enable credential checkout on ESXi, add the rules by using the ESX policy template.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_ESXi. Click Next.

Connection Details:

  • Application Type: Enter the application type as ESXi.

  • Host Name/IP Address: Enter either the host name or the IP address of the ESXi machine.

  • Port: Enter the port number as 443.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the ESXi script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User Name

      • Password

    • Reconcile Account: Select based on the account.

  • Script Arguments:

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

Local Account on Linux

Privileged Account Manager supports the Credential Checkout feature for local user accounts on any Linux operating system running SSH.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_Linuxlocal. Click Next.

Connection Details:

  • Application Type: Enter the application type as linuxlocal.

  • Host Name/IP Address: Enter either the host name or the IP address.

  • Port: Enter the port number. If you enable SSL, the port number is 636; otherwise, it is 22.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the Linux script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User Name

      • Password

    • Reconcile Account: Select based on the account.

  • Script Arguments:

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

Local Accounts on Unix

Privileged Account Manager supports the Credential Checkout feature for local user accounts on the AIX operating system.

Prerequisite

On the AIX machine, configure the following:

  • Specify AcceptEnv LC_ALL in the sshd_config file.

  • Restart the sshd service.

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_Unixlocal. Click Next.

Connection Details:

  • Application Type: Enter the application type as Unixlocal.

  • Host Name/IP Address: Enter the host name and IP of the Unix machine.

  • Port: Enter the port number as 22.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the Unix script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User Name

      • Password

    • Reconcile Account: Select based on the account.

  • Script Arguments: Enter the relevant script argument.

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

Local Accounts on Windows

Prerequisites for adding local accounts on a Windows machine:

For RHEL 8 (64-bit) and RHEL 7 (64-bit), install the redhat-lsb-core package.

For RHEL 8 (64-bit) and SLES 15 (64-bit), install the lsb-release package.

  • On the Windows Manager:

    • Ensure that the Windows Remote Management (WinRM) service is running on Windows. To start the WinRM service, run the following command:

      Enable-PSRemoting -Force

    • Add the target machine, on which the password must be changed, to the WinRM trusted hosts. To add all servers as trusted hosts, run the following command (the wildcard makes the WinRM client trust every remote host; listing only the target machines is the more restrictive setting):

      winrm set winrm/config/client '@{TrustedHosts="*"}'

    • Set the PowerShell execution policy to RemoteSigned using the following command:

      Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

  • On the Linux Manager:

    Install the taskmanager package.

  • On the Target Machine:

    Ensure the following:

    • PowerShell 2.0 or later must be installed on all Windows target machines, as Privileged Account Manager uses PowerShell scripts to change passwords.

    • The Windows Remote Management (WinRM) service must be running on the Windows machine. To start the WinRM service, use the command:

      Enable-PSRemoting -Force

    • The IP address of the task manager must be added to the trusted hosts of the target machine. To add a trusted host, use the command:

      winrm set winrm/config/client '@{TrustedHosts="x.x.x.x"}'
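The checks a practitioner would want before relying on the prerequisites above, as an added PowerShell example that is not from the Privileged Account Manager documentation; it reuses the page's x.x.x.x placeholder, and the -Fix switch and the Add-Result helper are this example's own.

```powershell
# Added example (not PAM's own code). Run on the Windows manager (pass the target host names)
# or on a target machine (pass the task manager's IP) to verify the prerequisites listed above.
# "x.x.x.x" is a placeholder, as it is in the documentation.
param(
    [string[]]$RequiredTrustedHosts = @("x.x.x.x"),  # hosts that must appear in TrustedHosts
    [switch]$Fix                                      # apply the settings instead of only reporting
)

$results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# 1. PowerShell 2.0 or later: the password-change scripts run under PowerShell.
$psVersion = $PSVersionTable.PSVersion
Add-Result "PowerShell 2.0 or later" ($psVersion.Major -ge 2) "$psVersion"

# 2. WinRM service running. Enable-PSRemoting -Force starts it and registers the listener.
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$running = ($winrm -ne $null) -and ($winrm.Status -eq 'Running')
if ($Fix -and -not $running) {
    Enable-PSRemoting -Force
    $running = (Get-Service -Name WinRM).Status -eq 'Running'
}
Add-Result "WinRM service running" $running $(if ($winrm) { "$($winrm.Status)" } else { "service not found" })

# 3. TrustedHosts. The WSMan: drive is only available while WinRM runs, hence the try/catch.
#    A wildcard "*" makes the client trust every remote host; listing only the hosts PAM must
#    reach (the task manager on a target, the targets on the manager) is the safer setting.
$trusted = ""
try { $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value } catch { }
$entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($RequiredTrustedHosts | Where-Object { $entries -notcontains $_ })
if ($Fix -and $missing.Count -gt 0) {
    # -Concatenate appends to the existing list instead of overwriting it
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($missing -join ',') -Concatenate -Force
    $missing = @()
}
Add-Result "TrustedHosts has no wildcard" ($entries -notcontains '*') "TrustedHosts = '$trusted'"
Add-Result "TrustedHosts lists required hosts" ($missing.Count -eq 0) $(if ($missing) { "missing: $($missing -join ', ')" } else { "ok" })

# 4. Execution policy RemoteSigned, as the page requires (AllSigned is stricter and also passes).
$policy = Get-ExecutionPolicy
if ($Fix -and (@('RemoteSigned', 'AllSigned') -notcontains "$policy")) {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    $policy = Get-ExecutionPolicy
}
Add-Result "Execution policy RemoteSigned" (@('RemoteSigned', 'AllSigned') -contains "$policy") "$policy"

# Report, and exit non-zero if any prerequisite is not met so the script can gate a deployment step.
$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
exit 0
```

Run it from an elevated PowerShell session, since reading WSMan:\localhost and changing the execution policy require administrator rights.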

After importing the vault, follow this procedure:

General:

In the General tab, enter the name, for example: DOM-APP_WINDOWS. Click Next.

Connection Details:

  • Application Type: Enter the application type as WINDOWS.

  • Host Name/IP Address: Enter the host name and IP of the Windows machine.

  • Port: Enter the port number as 3389.

  • SSL: Enable or disable by moving the button to the left or to the right.

  • Password Change on Check in:

    Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

    • Never

      You can use this option if you do not want to change the password after every credential check-in.

    • Delegate to Identity Manager

      If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

      NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

    • By Script

      Enter the Windows script in the text box provided.

    • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

      • User Name

      • Password

    • Reconcile Account: Select based on the account.

  • Script Arguments: Enter the ClientID, Authority, and AuthenticationTokenURL.

  • In the Extended Attributes tab, click +Define and select the relevant attributes from the list. Click Finish.

Privileged Account Manager supports the Credential Checkout feature for local user accounts on the Windows operating system.

Enabling Credential Checkout for Applications

You can customize the credential checkout feature for applications such as Salesforce.

To enable credential checkout for LDAP, Active Directory, SAP, or ESXi, import the respective policy template. When you import the policy template, all the components required for configuring credential checkout, such as the resource and rule, are added with default values. You must customize these according to your requirements.

To enable credential checkout for an application whose policy template is not available, add the application server as a resource in the credential vault and add a credential checkout rule. For information about adding a resource, see the contextual help. For information about adding a rule, see Add a Permission in Access Control or Adding a Rule in Command Control.

5.3.3 Configuring Credential Checkout for Cloud Services

The privileged accounts that are set up on the following cloud services can be managed through Privileged Account Manager. To manage those accounts, you must customize the sample script and add it to the Privileged Account Manager rule.

The following are the tested cloud services on which you can reset the passwords of existing accounts:

IMPORTANT: The Privileged Account Manager server must have Java 1.6 or higher for password reset to work on the following:

  • OpenStack

  • Amazon Web Services

  • Microsoft Azure

  • OpenStack

    OpenStack is a set of software tools designed for building and managing cloud computing platforms. You can enable the password check-out feature to access the OpenStack server.

    To enable the credential checkout feature for OpenStack, add the rules by using the OpenStack policy template, or add an OpenStack resource and rule manually.

  • Amazon Web Services

    Amazon Web Services (AWS) is a bundled remote computing service that provides cloud computing infrastructure over the Internet with storage, bandwidth, and customized support for Application Programming Interfaces (APIs). You can enable the password check-out feature to access services in the AWS cloud.

    To enable the credential checkout feature for AWS, add the rules by using the AWS policy template, or add an AWS resource and rule manually.

  • Microsoft Azure

    Microsoft Azure is a bundled remote computing service that provides cloud computing infrastructure over the Internet with storage, bandwidth, and customized support for Application Programming Interfaces (APIs). You can enable the password check-out feature to access services in Microsoft Azure.

    To enable the credential checkout feature for Microsoft Azure, add the rules by using the Microsoft Azure policy template, or add a Microsoft Azure resource and rule manually.

Enabling Credential Checkout for OpenStack

To enable the credential checkout feature for the OpenStack server, perform the following:

  1. In the OpenStack server, create a user and assign the user to a project (tenant) with a role. For information about user creation and project and role assignment, see OpenStack Documentation.

  2. In the Privileged Account Manager Administration Console, do one of the following:

    Add the OpenStack policy template to add a resource and rule for OpenStack automatically. This OpenStack resource and rule can be customized as required.

    Or

    Add a resource in the credential vault and a rule manually for OpenStack. For information about adding a resource, see the contextual help. For information about adding a rule, see Adding a Rule.

    NOTE: To check out passwords of accounts belonging to different OpenStack projects (tenants), you must create a separate resource for each tenant.

    After importing the vault, follow this procedure:

    General:

    In the General tab, enter the OpenStack URL, for example: http://myOpenstack.com/dashboard/auth/login/_openstack. Click Next.

    Connection Details:

    • Application Type: Enter the application type as openstack.

    • Host Name/IP Address: Enter the host name and IP of the OpenStack machine.

    • Port: Enter the port number as 35357.

    • SSL: Enable or disable by moving the button to the left or to the right.

    • Password Change on Check in:

      Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

      • Never

        You can use this option if you do not want to change the password after every credential check-in.

      • Delegate to Identity Manager

        If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synced to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and check-out the password is rotated and handled by the Identity Manager driver. For more information, see the Identity Manager Driver Implementation guide on the PAM documentation page.

        NOTE: Although the latest IDM driver version is 4.8.x, ensure that you use the 4.5.x version of the IDM driver package, as 4.5.x is the version currently supported with Privileged Account Manager.

        NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

      • By Script

        Enter the OpenStack script in the text box provided.

      • Select the appropriate Password Policy to be used when Privileged Account Manager generates a new password. By default, the Default Password Policy is selected. You can either modify the default password policy or create a new one.

        • User Name

        • Password

      • Reconcile Account: Select based on the account.

    • Script Arguments:

    • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

Enabling Credential Checkout for Amazon Web Services

To enable the credential checkout feature for Amazon Web Services (AWS), perform the following:

  1. Create a user and assign permissions or policies to the user in Amazon Web Services. For information about AWS user creation, see the AWS Documentation.

  2. In the Privileged Account Manager Administration Console, add the AWS policy template to add a resource and rule for AWS automatically. This resource and rule can be customized as required.

    Or

    Add a resource in the credential vault and a rule manually for AWS. For information about adding a resource, see the contextual help. For information about adding a rule, see Adding a Rule.

    After importing the vault, follow this procedure:

    General:

    In the General tab, enter the name, for example: https://ACCOUNT-ID.signin.aws.amazon.com/console_AWS. Click Next.

    Connection Details:

    • Application Type: Enter the application type as AWS.

    • Host Name/IP Address: Enter the account ID and the URI. Example: https://ACCOUNT-ID.signin.aws.amazon.com/console

    • Port: Enter the port number as 443.

    • SSL: Enable or disable by moving the button to the left or to the right.

    • Password Change on Check in:

      Depending on the following selection, the password of the application is changed automatically every time a credential is checked in.

      • Never

        You can use this option if you do not want to change the password after every credential check-in.

      • Delegate to Identity Manager

        If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity manager. Once a resource is created in Identity Manager, it gets synced to Privileged Account Manager. Resource permission is created in Privileged Account Manager but during check in and checkout password is rotated and handled by Identity Manager Driver Implementation guide on the PAM documentation page.

        NOTE: Although the latest IDM driver version is 4.8.x, use the 4.5.x version of the IDM driver package, because 4.5.x is the version currently supported with Privileged Account Manager.

        NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

      • By Script

        Enter the AWS script in the text box provided.

      • Select the appropriate Password Policy that must be used when Privileged Account Manager generates a new password. By default, Default Password Policy is selected. You can either modify the default password policy or create a new password policy.

        • User Name: Enter the access key ID of the IAM user created in step 1. Example: AWS-ACCESS-KEY-ID. The sample AWS password reset script passes this value to the AWS API as AWS_ACCESS_KEY_ID.

        • Password: Enter the secret access key that belongs to that access key ID. The sample script passes it as AWS_SECRET_ACCESS_KEY.

      • Reconcile Account: Select based on the account.

    • Script Arguments: The sample AWS password reset script in Password Reset Scripts uses no additional script arguments; it relies on the standard host, port, secure, adminName, adminPasswd, userName, and userPasswd inputs only.

    • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

Enabling Credential Checkout for Microsoft Azure

Prerequisite: Ensure that Privileged Account Manager password policies adhere to the Microsoft Azure password policies.

To enable credential checkout feature for Microsoft Azure, follow the procedure:

  1. In the Microsoft Azure cloud, create a user and assign permissions or policies to the user. For information about Microsoft Azure user creation, see Microsoft Azure documentation.

  2. In the Privileged Account Manager Administration Console,

    Add the Microsoft Azure policy template to add a resource and rule for Microsoft Azure automatically. You can customize this resource and rule as required.

    or

    Add a resource in the Credential Vault and a rule manually for Microsoft Azure. Edit the resource in Privileged Account Manager and update the following fields:

    For information about adding a resource, see the contextual help. For information about adding a rule, see Adding a Rule.

    Follow the procedure, after importing the vault:

    General:

    In the General tab, enter the name, example: https://portal.azure.com/_MSAzure. Click Next.

    Connection Details:

    • Application Type: Enter the application type as MSAzure.

    • Host Name/IP Address: Enter the Azure AD tenant domain name. Example: ADAccountDomainName.onmicrosoft.com. The sample Microsoft Azure password reset script uses this value as the tenant segment of the Graph API URL.

    • Port: Enter the port number as 443.

    • SSL: Enable or disable by moving the button to the left or to the right.

    • Password Change on Check in:

      Based on the following selection the password of the application will be changed automatically every time a credential is checked in.

      • Never

        You can use this option if you do not want to change the password after every credential check-in.

      • Delegate to Identity Manager

        If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. Once a resource is created in Identity Manager, it is synchronized to Privileged Account Manager. The resource permission is created in Privileged Account Manager, but during check-in and checkout the password is rotated and handled by Identity Manager. For details, see the Identity Manager Driver Implementation Guide on the PAM documentation page.

        NOTE: Although the latest IDM driver version is 4.8.x, use the 4.5.x version of the IDM driver package, because 4.5.x is the version currently supported with Privileged Account Manager.

        NOTE: Before you delegate password check-in to Identity Manager, ensure that both the Privileged Account Manager IDM driver and the database driver are operational.

      • By Script

        Enter the Azure script in the text box provided.

      • Select the appropriate Password Policy that must be used when Privileged Account Manager generates a new password. By default Default Password Policy is selected. You can either modify the default password policy or create a new password policy.

        • User Name: Example, adminuser@dn.onmicrosoft.com

        • Password

      • Reconcile Account: Select based on the account.

    • Script Arguments: Enter the ClientID, Authority, and AuthenticationTokenURL.

    • In the Extended Attributes tab, click +Define and select the relevant attributes from the list.

5.3.4 Configuring Credential Checkout Settings

  1. On the home page of the Privileged Account Manager console, click Requests.

  2. Click the Configuration tab.

  3. In the Delete Request After field, select the number of days after which a request is deleted from the list under All. For example, if you select 15 Days, all requests that are 15 days old are deleted from the list of requests.

  4. In the Allow Grace Period of field, select the extra duration that a user can access the password, after the requested time period expires.

  5. In the Server Email Id field, enter the email id that is defined for the Privileged Account Manager server. This is the email id from which emails are sent to the users.

  6. In the Admin Email Id field, enter the email id of the administrator for Privileged Account Manager.

5.3.5 Checking Out Credentials

Privileged Account Manager allows users to check out credentials in the following ways:

  • Check out credentials from the user console.

  • Check out credentials using API tokens.

    For more information about AAPM, see Application to Application Password Management.

  • Check out credentials using the REST API.

    To view the REST API documentation:

    1. In the new administration or user console, click the logged in user on the top-right corner.

    2. Click REST API.

      The REST API document opens in a new tab.

5.3.6 Dynamic Credentials

Users and applications can request just-in-time credentials by using dynamic database credentials. Each request is audited and carries a defined TTL after which the credential expires automatically. To narrow a large number of records, use the select box in the left pane.

The list shows the following details for each ephemeral account:

  • Requester

  • Resource Name

  • User Name

  • Type

  • Status

  • Creation Time

  • Expiry Time

For an active account, you can revoke the credentials with the revoke icon against the credential if you see any malicious or unwanted activity. Revocation ends the account's validity immediately, before its Expiry Time.

5.3.7 View Policy

Clicking on the root path (/) allows you to View Policy.

You must click +Add Policy to create a policy for the specific resource group from the Policy and Path Details page. Specify the details in the Create Policy dialog box.

  • Name: Specify a name for the policy.

  • +Add: Add the groups by selecting from Local or LDAP Groups.

    The policy that you created will be applicable for the specific groups you have selected, ex: API users.

Create Path

Only a path administrator or an owner of a path can view that path; any other user gets an "access denied" error. A user must belong to a permission to view the path. To grant the appropriate permission, create a user group with the following mandatory permissions: go to Users, click Edit to modify Permissions, and under Credential Vault select the following:

  • View Credential Vault Console

  • View Resources and Credentials in Credential Vault

  • Add and Modify Resources and Credentials in Credential Vault

You can create path using the following procedure:

  1. Go to Credential Vault.

  2. From the left pane, click +.

  3. Add the Path name.

  4. Add the groups by selecting from Local or LDAP Groups.

    Enable Recursive if you want to populate the resources of the selected path recursively.

  5. Click Create.

Configuring Privilege Type

You can configure the privilege type by clicking Credential Vault > Resources. If you have defined credentials in the vault, you can use a credential as the privilege type. Edit any resource to define the privilege type. The privilege type attribute limits the user to the privileges attributed to that role.

Follow the procedure to add the privilege type.

  1. Go to Credential Vault.

  2. Click an Application or Database credential count from the second column. The Credentials page is displayed.

  3. Click the + icon against the Resource Count column.

  4. In the Add Credential page enter the User Name, Password and Privilege Type.

  5. Click Add.

    The credential is listed under the Privilege Type column. These credentials are populated when you check out a resource's credentials or when you change a specific user's password from the My Access page.

5.3.8 Password Reset Scripts

You can use the required policy templates to reset the password of the privileged accounts on the supported application server. The password check-in process generates a random password, stores it in the Privileged Account Manager database, and resets the password on the application. The reset on the application is performed either by a script, which returns the result to the Privileged Account Manager database, or by Identity Manager, which receives the new password from Privileged Account Manager and synchronizes it with the connected application.

This section contains the Perl scripts that you can customize to reset the passwords of accounts in applications. Each script receives its inputs through $args->arg(...) (host, port, secure, adminName, adminPasswd, userName, userPasswd, and any Script Arguments defined on the resource), writes to the Privileged Account Manager log through $ctx, and returns 1 on success or 0 on failure.

Active Directory Password Reset Script

Following is an example script for resetting the account’s password on Active Directory:

## PAM script to reset password of Microsoft ActiveDirectory LDAP user
use MIME::Base64;
use Encode qw(encode);

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $userPasswdEncoded = encode_base64(encode("UTF-16le", "\"$userPasswd\""));

$ctx->log_info("START PASSWD RESET");
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd.");
  return 0;
}
# set default ldap port numbers
if ($port eq "") {
  if ($secure eq "" || $secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url
# Active Directory rejects a unicodePwd modification over an unencrypted
# connection; with the simple bind used here only secure = 1 (ldaps) works.
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "unicodePwd", $userPasswdEncoded);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;
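The following Python script is an added example and is not part of the Privileged Account Manager documentation or product. It reproduces the encoding step of the Active Directory script above, encode_base64(encode("UTF-16le", "\"$userPasswd\"")), and wraps the result in an LDIF modify record, so an administrator can test the directory side of the reset with a standalone LDAP client over LDAPS before placing the script in PAM. The DN and passwords in it are constructed sample values.

```python
"""Build the unicodePwd value that the Active Directory reset script sends.

Added example, not part of the Privileged Account Manager documentation or
product. Reproduces, in Python, the Perl step
    encode_base64(encode("UTF-16le", "\"$userPasswd\""))
and emits the equivalent LDIF modify record. The DN and password used in
__main__ are constructed sample values.
"""
import base64


def unicode_pwd_value(password: str) -> str:
    """Return the base64 text that LDIF (and the Perl ldap_modify call) carry
    for unicodePwd.

    Active Directory requires the new password wrapped in double quotes and
    encoded as UTF-16LE without a byte-order mark; the attribute is binary on
    the wire, so the bytes are base64-encoded for transport in LDIF.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Inverse of unicode_pwd_value; useful when auditing what a script sent.

    Raises ValueError if the payload is not a double-quoted UTF-16LE string,
    which is the usual cause of an AD 'unwilling to perform' on a reset.
    """
    quoted = base64.b64decode(value).decode("utf-16-le")
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("unicodePwd payload is not a double-quoted UTF-16LE string")
    return quoted[1:-1]


def reset_ldif(user_dn: str, password: str) -> str:
    """LDIF modify record equivalent to ldap_modify($ctx, $userDN, "unicodePwd", ...).

    The '::' form marks a base64-encoded value (RFC 2849). Apply it with
    ldapmodify over ldaps://; AD refuses unicodePwd changes on a cleartext bind.
    """
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(password)}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample values; not taken from any real directory.
    sample_dn = "CN=svc-backup,OU=Service Accounts,DC=example,DC=com"
    print(reset_ldif(sample_dn, "Passw0rd!"))
```

Apply the record with ldapmodify -H ldaps://<dc> -D <adminDN> -W -f reset.ldif. The same quoted UTF-16LE rule applies whichever client sends the change, and Active Directory additionally enforces its own password policy (length, complexity, history) on the new value, so a policy failure surfaces as a constraint violation rather than an encoding error; this is why the PAM password policy chosen for the resource must satisfy the domain's policy.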

AWS Password Reset Script

Following is an example script for resetting the account’s password on AWS:

# Sample perl script for Password Reset of a user on AWS system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
$ctx->log_info("*** START AWS PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_info("AWS System input parameters : AWS Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user"); 
$ctx->log_info("Resetting the password of the AWS user $user ..."); 
 
## validate inputs 
if ($user eq "" or $admin eq "" or $adminPasswd eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - admin, adminPasswd, userName and userPasswd"); 
    return 0; 
} 
 
# Set passwords as environment variables 
$ENV{AWS_ACCESS_KEY_ID} = $admin; 
$ENV{AWS_SECRET_ACCESS_KEY} = $adminPasswd; 
$ENV{NEW_PASSWORD} = $userPasswd; 
 
# Execute the java command for password reset
if ($OS =~ "^MSWin") {
    # On Windows the secrets reach the jar only through the %ENV entries set above.
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
} else {
    # On Linux the secrets are repeated as inline environment assignments in
    # single quotes, so every embedded single quote is rewritten as '\''
    # (close quote, escaped quote, reopen quote) before the shell sees it.
    (my $adminPasswdQ = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdQ  = $userPasswd)  =~ s/'/'\\''/g;

    # $user is interpolated unquoted; IAM user names are limited to
    # alphanumerics and +=,.@_- so this is safe only while that holds.
    $cmd_output = `AWS_ACCESS_KEY_ID='$admin' AWS_SECRET_ACCESS_KEY='$adminPasswdQ' NEW_PASSWORD='$userPasswdQ' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AWS_api.jar $user`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the AWS user $user.");
}
 
$ctx->log_info("Command execution output as below : 
        $cmd_output "); 
 
$ctx->log_info("*** END AWS PASSWD RESET"); 
return $retVal; 
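The Python script below is an added example and is not part of the Privileged Account Manager product or its documentation. Every sample script on this page that shells out (AWS, ESXi, Linux, Microsoft Azure, Openstack, SAP) escapes single quotes in the two passwords before placing them in inline environment assignments, but interpolates the user name and host into the same command line unquoted. The script reproduces the quoting rule, runs the resulting command line through a real POSIX sh, and shows what the child process receives in both cases. The passwords and user names in it are constructed test data.

```python
"""Verify the shell quoting that the Perl reset scripts depend on.

Added example; not part of the Privileged Account Manager product or
documentation. The helpers reproduce the ' -> '\\'' rewrite of the Perl
escape loops, push the result through /bin/sh, and return what the child
process actually received. All secrets and user names are constructed data.
"""
import subprocess


def sq(value: str) -> str:
    """Single-quote a string for POSIX sh.

    This is the same rewrite as the Perl escape loops (each ' becomes '\\'',
    i.e. close quote, escaped quote, reopen quote) with the surrounding quotes
    added; shlex.quote does the equivalent job in the standard library.
    """
    return "'" + value.replace("'", "'\\''") + "'"


def _sh(cmdline: str) -> str:
    """Run one command line through sh -c and return its stdout."""
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"sh exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


def env_value_seen_by_child(secret: str) -> str:
    """Mirror of NEW_PASSWORD='...' java ... on Linux.

    Sets the variable by an inline, quoted assignment and returns what the
    child process reads from it; a correct quoting rule gives back `secret`.
    """
    return _sh(f"NEW_PASSWORD={sq(secret)} sh -c 'printf %s \"$NEW_PASSWORD\"'")


def argv_seen_by_child(user: str, quoted: bool) -> str:
    """Mirror of `java -jar tool.jar $user`.

    A shell function stands in for the jar and prints each argument it got in
    brackets, so extra arguments or injected commands become visible. With
    quoted=False the value is interpolated raw, as the scripts do.
    """
    arg = sq(user) if quoted else user
    return _sh(f"tool() {{ printf '[%s]' \"$@\"; }}; tool {arg}")


if __name__ == "__main__":
    nasty = "it's $HOME `id` \"x\" \\ *"          # constructed password
    print(repr(env_value_seen_by_child(nasty)))   # identical to nasty
    print(argv_seen_by_child("alice; echo INJECTED", True))   # [alice; echo INJECTED]
    print(argv_seen_by_child("alice; echo INJECTED", False))  # [alice]INJECTED
```

Two consequences for anyone adapting the scripts: first, the $ENV{...} assignments at the top of each script already export the secrets to the child process, so the inline copies on Linux are redundant, and because they form part of the string handed to sh -c they are visible in the process list for as long as that shell lives; second, any value that reaches the command line unquoted (user name, host, script arguments) is interpreted by the shell, so either quote it with the same rule or restrict it to the character set the target system permits for such names.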

ESXi User Password Reset Script

Following is an example script for resetting the account’s password on ESXi:

# Sample perl script for Password Reset of a user on ESXi system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START ESXi PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("ESXi System input parameters : ESXi Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user "); 
$ctx->log_info("Resetting the password of the ESXi user $user ..."); 
 
## validate inputs 
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - ESXi host, port number, secure(1/0), admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# Execute the java command for password reset
if ($OS =~ "^MSWin") {
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar $host $port $secure $admin $user`;
} else {
    # Rewrite every embedded single quote as '\'' so the inline ADMIN_PASSWD and
    # USER_NEW_PASSWD assignments survive the POSIX shell unchanged.
    (my $adminPasswdQ = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdQ  = $userPasswd)  =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWD='$adminPasswdQ' USER_NEW_PASSWD='$userPasswdQ' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_ESXi_api.jar $host $port $secure $admin $user`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the ESXi user $user.");
}
 
$ctx->log_debug("Command execution output as below : 
        $cmd_output "); 
 
$ctx->log_info("*** END ESXi PASSWD RESET"); 
return $retVal; 

LDAP Password Reset Script

Following is an example script for resetting an account's password on any LDAP directory other than Active Directory. To reset an Active Directory account password, use the Active Directory Password Reset Script instead: Active Directory stores the password in the unicodePwd attribute rather than userPassword.

## PAM script to reset password of an LDAP user

## global variables
my $ldapURL = "";
my $retVal = 1;
my $ldap = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $secure = $args->arg("secure");
my $adminDN = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $userDN = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");

$ctx->log_info("START PASSWD RESET");
$ctx->log_debug("Input LDAP parameters : host - $host :: port - $port :: secure - $secure :: adminDN - $adminDN :: userDN - $userDN ");
$ctx->log_info("Resetting the password of the LDAP user $userDN");

## validate inputs
if ($host eq "" or $adminDN eq "" or $adminPasswd eq "" or $userDN eq "" or $userPasswd eq "") {
  $ctx->log_error("Incomplete LDAP inputs - following parameters are mandatory - host, adminDN, adminPasswd, userDN and userPasswd.");
  return 0;
}

# set default ldap port numbers
if ($port eq "") {
  if ($secure eq "" || $secure != 0) {
    $port = 636;
  } else {
    $port = 389;
  }
}

# create ldap url
# The new password travels in clear text inside the modify request, so use
# ldaps (secure = 1) unless the directory is reached over a trusted channel.
if ($secure != 0) {
  $ldapURL = "ldaps://".$host.":".$port;
} else {
  $ldapURL = "ldap://".$host.":".$port;
}

# Login as LDAP admin
$ctx->log_debug("Authenticating to the LDAP server...");
$ldap = ldap_bind($ctx, $ldapURL, $adminDN, $adminPasswd, 100);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP authentication failed - $le");
  return 0;
} else {
  $ctx->log_debug("LDAP authentication to $ldapURL as $adminDN successful.");
}

# Reset the user password
# userPassword is replaced with the plain value; the directory stores or
# hashes it according to its own password configuration.
$ctx->log_debug("Modifying the password of the user $userDN ...");
$ldap = ldap_modify($ctx, $userDN, "userpassword", $userPasswd);
if ($ldap->arg('err') != 0) {
  my $le = $ldap->arg('err');
  $ctx->log_error("LDAP modify failed - $le ");
  $retVal = 0;
} else {
  $ctx->log_debug("LDAP modify successful in resetting the password of the user $userDN.");
}

# Logout LDAP admin (also after a failed modify, so the bind is not leaked)
$ctx->log_debug("Logging out $adminDN from $ldapURL");
ldap_unbind($ctx);

$ctx->log_info("END PASSWD RESET");
return $retVal;

Linux User Password Reset Script

Following is an example script for resetting the account’s password on Linux:

#Sample perl script for Password Reset of a user on Linux local Account
use Cwd qw(getcwd);   # getcwd is used below for $pam_home

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";

## arguments
my $host = $args->arg("host");
my $port = $args->arg("port");
my $admin = $args->arg("adminName");
my $adminPasswd = $args->arg("adminPasswd");
my $user = $args->arg("userName");
my $userPasswd = $args->arg("userPasswd");
my $pam_home = getcwd;

# Set passwords as environment variables - SSHPASS and LC_ALL
# SSHPASS supplies the admin password for the ssh login. The new password is
# carried to the remote host in LC_ALL because ssh forwards it with
# SendEnv=LC_ALL and the remote sshd accepts LC_* variables by default on most
# distributions (AcceptEnv); the remote command then feeds it to passwd twice.
$ENV{SSHPASS} = $adminPasswd;
$ENV{LC_ALL} = $userPasswd;

$ctx->log_info("*** START Linux Local Account PASSWD RESET");
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home");
$ctx->log_info("Linux System input parameters : Linux Host - $host :: Port Number - $port :: admin - $admin :: user - $user");
$ctx->log_info("Changing the password of the Linux user $user ...");

## validate inputs
if ($host eq "" or $port eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Linux host, port number, admin, adminPasswd, userName, userPasswd.");
    return 0;
}

# StrictHostKeyChecking=no makes ssh trust the key of a host it has not seen
# before, so a host impersonating the target on first contact would receive
# both the admin password and the new password. Pin the target's key
# (UserKnownHostsFile) when the network path is not trusted.
if ($OS =~ "^MSWin") {
    $cmd_output = `\"$pam_home\"/bin/ssh.exe -p $port -n -o SendEnv=LC_ALL -o StrictHostKeyChecking=no -Z -l $admin $host "echo -e \$LC_ALL\\\\n\$LC_ALL | passwd $user 2>&1"`;
} else {
    # Rewrite every embedded single quote as '\'' so the inline SSHPASS and
    # LC_ALL assignments survive the POSIX shell unchanged.
    (my $adminPasswdQ = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdQ  = $userPasswd)  =~ s/'/'\\''/g;

    $cmd_output = `SSHPASS='$adminPasswdQ' LC_ALL='$userPasswdQ' /opt/netiq/npum/service/local/sshrelay/bin/ssh -p $port -o SendEnv=LC_ALL -o StrictHostKeyChecking=no -Z -l $admin $host \"usr=$user;myrootuser=$admin;\" 'echo -e \$LC_ALL\\\\n\$LC_ALL | passwd $user 2>&1'`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully changed the password of the Linux local user $user.");
}

$ctx->log_info("Command execution output as below : $cmd_output ");

$ctx->log_info("*** End Linux Local Account PASSWD RESET");
return $retVal;

Microsoft Azure Password Reset Script

Following is an example script for resetting the account’s password on Microsoft Azure:

# Sample perl script for Password Reset of a user on Microsoft Azure Account
use Cwd qw(getcwd);   # getcwd is used below for $pam_home

## global variables
my $retVal = 1;
my $OS = $^O;
my $cmd_output = "";
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
my $Authority = $args->arg("Authority"); 
my $ClientID = $args->arg("ClientID"); 
my $AuthenticationTokenURL = $args->arg("AuthenticationTokenURL"); 
my $pam_home = getcwd;
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWORD} = $adminPasswd; 
$ENV{NEW_PASSWORD} = $userPasswd; 
 
$ctx->log_info("*** START Microsoft Azure PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home"); 
$ctx->log_info("Microsoft Azure System input parameters : Microsoft Azure Host - $host :: Port Number - $port :: Secure - $secure :: admin - $admin :: user - $user :: Authority - $Authority :: ClientID - $ClientID :: AuthenticationTokenURL - $AuthenticationTokenURL "); 
$ctx->log_info("Changing the password of the Microsoft Azure user $user ..."); 
 
## validate inputs
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $Authority eq ""  or $ClientID eq "" or $AuthenticationTokenURL eq "") {
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Microsoft Azure host (tenant), port number, secure(1/0), admin, adminPasswd, userName, userPasswd, Authority, ClientID and AuthenticationTokenURL.");
    return 0;
}

# Execute the java command for password reset
if ($OS =~ "^MSWin") {
    $cmd_output = `java -jar \"$pam_home\"/service/local/cmdctrl/lib/NPUM_AzureAD_api.jar $admin '$ClientID' '$AuthenticationTokenURL/$host/users/$user?api-version=1.6' $Authority $AuthenticationTokenURL`;
} else {
    # Rewrite every embedded single quote as '\'' so the inline ADMIN_PASSWORD
    # and NEW_PASSWORD assignments survive the POSIX shell unchanged.
    (my $adminPasswdQ = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdQ  = $userPasswd)  =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWORD='$adminPasswdQ' NEW_PASSWORD='$userPasswdQ' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_AzureAD_api.jar $admin '$ClientID' '$AuthenticationTokenURL/$host/users/$user?api-version=1.6' $Authority $AuthenticationTokenURL`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully changed the password of the Microsoft Azure user $user.");
}
 
$ctx->log_info("Command execution output as below : $cmd_output "); 
 
$ctx->log_info("*** END Microsoft Azure PASSWD RESET"); 
return $retVal; 

Openstack Password Reset Script

Following is an example script for resetting the account’s password on Openstack:

# Sample perl script for Password Reset of a user on Openstack system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $port = $args->arg("port"); 
my $secure = $args->arg("secure"); 
my $keystone_version = $args->arg("keystone_version"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
my $tenant = $args->arg("tenant"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWORD} = $adminPasswd; 
$ENV{NEW_PASSWORD} = $userPasswd; 
 
$ctx->log_info("*** START Openstack PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_info("Openstack System input parameters : Openstack Host - $host :: Port Number - $port :: Secure - $secure :: keystone_version - $keystone_version :: admin - $admin :: user - $user :: tenant - $tenant"); 
$ctx->log_info("Resetting the password of the Openstack user $user ..."); 
 
## validate inputs 
if ($host eq "" or $port eq "" or $secure eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "" or $keystone_version eq "" or $tenant eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - Openstack host, port number, secure(1/0), keystone version, admin, adminPasswd, userName, userPasswd and tenant name."); 
    return 0; 
} 
 
# Execute the java command for password reset
if ($OS =~ "^MSWin") {
    $cmd_output = `java -jar C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
} else {
    # Rewrite every embedded single quote as '\'' so the inline ADMIN_PASSWORD
    # and NEW_PASSWORD assignments survive the POSIX shell unchanged.
    (my $adminPasswdQ = $adminPasswd) =~ s/'/'\\''/g;
    (my $userPasswdQ  = $userPasswd)  =~ s/'/'\\''/g;

    $cmd_output = `ADMIN_PASSWORD='$adminPasswdQ' NEW_PASSWORD='$userPasswdQ' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_Openstack_api.jar $host $port $secure $keystone_version $admin $user $tenant`;
}

if ($? != 0) {
    $ctx->log_error("Password reset for the user $user failed.");
    $retVal = 0;
} else {
    $ctx->log_info("Successfully reset the password of the Openstack user $user.");
}
 
$ctx->log_info("Command execution output as below : $cmd_output "); 
 
$ctx->log_info("*** END Openstack PASSWD RESET"); 
return $retVal; 

SAP User Password Reset Script

Following is an example script for resetting the account’s password on SAP:

# Sample perl script for Password Reset of a user on SAP system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
 
my $cmd_output = ""; 
 
## arguments 
my $host = $args->arg("host"); 
my $systemNumber = $args->arg("systemNumber"); 
my $clientNumber = $args->arg("clientNumber"); 
my $lang = $args->arg("lang"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 
 
# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START SAP PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS"); 
$ctx->log_debug("SAP System input parameters : SAP Host - $host :: System Number - $systemNumber :: Client Number - $clientNumber :: Language :: $lang :: admin - $admin :: user - $user "); 
$ctx->log_info("Resetting the password of the SAP user $user ..."); 
 
## validate inputs 
if ($host eq "" or $systemNumber eq "" or $clientNumber eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - SAP host, systemNumber, clientNumber, admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
 
# set default language 
if ($lang eq "") { 
    $lang = "EN"; 
} 
 
# Execute the java command for password reset 
if ($OS =~ "^MSWin") { 
    $cmd_output = `java -jar "C:/\"Program Files\"/NetIQ/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar" $host $systemNumber $clientNumber $lang $admin $user`; 
} else { 
    my $point; 
    my @new_pwd = (); 
    my @pwd; 
 
    # escape single quote (') in user password: each ' becomes '\'' so the 
    # value survives inside the single-quoted shell argument built below 
    @pwd = (); 
    @pwd = split(//, $userPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point] = "'";   # the trailing $point++ below advances past it 
        } 
        else{ 
            $new_pwd[$point] = $_; 
        } 
        $point++; 
    } 
    $userPasswd = join("", @new_pwd); 
 
    # escape single quote (') in admin password the same way 
    @pwd = (); 
    @new_pwd = (); 
    @pwd = split(//, $adminPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point] = "'"; 
        } 
        else{ 
            $new_pwd[$point] = $_; 
        } 
        $point++; 
    } 
    $adminPasswd = join("", @new_pwd); 
    # the passwords reach the Java helper only through its environment 
    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' java -jar /opt/netiq/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar $host $systemNumber $clientNumber $lang $admin $user`; 
} 
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully reset the password of the SAP user $user ."); 
} 
 
$ctx->log_debug("Command execution output as below : $cmd_output "); 
 
$ctx->log_info("*** END SAP PASSWD RESET"); 
return $retVal; 

Windows User Password Reset Script

Following is an example script for resetting the account’s password on Windows:

# Sample perl script for Password Reset of a user on Windows system 
 
## global variables 
my $retVal = 1; 
my $OS = $^O; 
 
my $cmd_output = ""; 
use Cwd qw(getcwd);      # getcwd() is provided by the Cwd module 
my $pam_home = getcwd;   # Privileged Account Manager installation directory 

## arguments 
my $host = $args->arg("host"); 
my $admin = $args->arg("adminName"); 
my $adminPasswd = $args->arg("adminPasswd"); 
my $user = $args->arg("userName"); 
my $userPasswd = $args->arg("userPasswd"); 

# Set passwords as environment variables 
$ENV{ADMIN_PASSWD} = $adminPasswd; 
$ENV{USER_NEW_PASSWD} = $userPasswd; 
 
$ctx->log_info("*** START WINDOWS PASSWD RESET"); 
$ctx->log_info("*** Privileged Account Manager running on the OS $OS at location $pam_home"); 
$ctx->log_info("WINDOWS System input parameters : WINDOWS Host - $host :: admin - $admin :: user - $user :: pam_home - $pam_home"); 
$ctx->log_info("Changing the password of the Windows user $user ..."); 


## validate inputs 
if ($host eq "" or $admin eq "" or $adminPasswd eq "" or $user eq "" or $userPasswd eq "") { 
    $ctx->log_error("Incomplete inputs - following parameters are mandatory - WINDOWS host, admin, adminPasswd, userName and userPasswd."); 
    return 0; 
} 
  
# Execute powershell script for password reset 
if ($OS =~ "^MSWin") { 
    # never write the passwords to the log; the script reads them from %ENV 
    $ctx->log_info("*** running powershell password reset for user $user"); 
    $cmd_output = `powershell.exe -file "$pam_home/service/local/cmdctrl/template/exports/winPwdChangeLocal.ps1" $host $admin $user`;
    $ctx->log_info("$cmd_output"); 
} else { 
    my $point; 
    my @new_pwd = (); 
    my @pwd; 
 
    # escape single quote (') in user password: each ' becomes '\'' so the 
    # value survives inside the single-quoted shell argument built below 
    @pwd = (); 
    @pwd = split(//, $userPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point] = "'";   # the trailing $point++ below advances past it 
        } 
        else{ 
            $new_pwd[$point] = $_; 
        } 
        $point++; 
    } 
    $userPasswd = join("", @new_pwd); 
 
    # escape single quote (') in admin password the same way 
    @pwd = (); 
    @new_pwd = (); 
    @pwd = split(//, $adminPasswd); 
    $point = 0; 
    foreach (@pwd){ 
        if($_ eq "'"){ 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point++] = '\\'; 
            $new_pwd[$point++] = "'"; 
            $new_pwd[$point] = "'"; 
        } 
        else{ 
            $new_pwd[$point] = $_; 
        } 
        $point++; 
    } 
    $adminPasswd = join("", @new_pwd); 
    # the passwords reach the PowerShell script only through its environment 
    $cmd_output = `ADMIN_PASSWD='$adminPasswd' USER_NEW_PASSWD='$userPasswd' /usr/bin/pwsh -file "/opt/netiq/npum/service/local/cmdctrl/template/exports/winPwdChangeLocal.ps1" $host $admin $user`; 
} 
 
if ($? != 0) { 
    $ctx->log_error("Password reset for the user $user failed."); 
    $retVal = 0; 
} else { 
    $ctx->log_info("Successfully changed the password of the Windows user $user ."); 
} 

$ctx->log_debug("Command execution output as below : $cmd_output "); 
 
$ctx->log_info("*** END WINDOWS PASSWD RESET"); 
return $retVal;
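The single-quote escaping that both the SAP and Windows scripts repeat in their foreach loops, and the environment-variable hand-off both rely on, as one added stand-alone Perl example that is not part of the product's sample scripts: a helper that produces the same '\'' transformation, and a shell-free way to run the reset tool so the passwords never appear on a command line at all. The sample password and the child command are constructed for illustration; the Java command in the comment only mirrors the SAP script above.

```perl
#!/usr/bin/perl
# Stand-alone helper (added example, not product code): the same quoting
# the per-character loops above perform, plus a shell-free hand-off of the
# two passwords to the reset tool.
use strict;
use warnings;

# Quote a value for a POSIX single-quoted shell argument. Each ' becomes
# '\'' (close the quote, emit a literal quote, reopen the quote), which is
# exactly what the SAP and Windows scripts build one character at a time.
sub shell_single_quote {
    my ($value) = @_;
    (my $escaped = $value) =~ s/'/'\\''/g;
    return "'$escaped'";
}

# Run a command with the secrets placed only in its environment. The list
# form of system() never starts /bin/sh, so no escaping is needed and the
# passwords do not show up in the child's argument list (ps, audit trails).
sub run_with_secrets_in_env {
    my ($admin_passwd, $user_passwd, @command) = @_;
    local $ENV{ADMIN_PASSWD}    = $admin_passwd;
    local $ENV{USER_NEW_PASSWD} = $user_passwd;
    my $rc = system(@command);
    return $rc == 0;
}

# Constructed sample password containing every character the shell would
# interpret if the value were interpolated straight into backticks.
my $sample = q{p'a$s`w"d};

print "quoted for a single-quoted shell argument: ",
      shell_single_quote($sample), "\n";

# Child process is perl itself ($^X) and only checks that both variables
# arrived unchanged. A real call would run the reset tool instead, e.g.
#   run_with_secrets_in_env($adminPasswd, $userPasswd, 'java', '-jar',
#       '/opt/netiq/npum/service/local/cmdctrl/lib/NPUM_SAP_api.jar',
#       $host, $systemNumber, $clientNumber, $lang, $admin, $user);
my $ok = run_with_secrets_in_env($sample, $sample, $^X, '-e',
    'exit(($ENV{ADMIN_PASSWD} eq $ENV{USER_NEW_PASSWD} && length $ENV{ADMIN_PASSWD}) ? 0 : 1)');
print $ok ? "secrets reached the child intact\n" : "hand-off failed\n";
```

Because the helper is called through a list and the values travel in %ENV, the escaping loops become unnecessary on every platform, and the log lines can stay free of credential material as the scripts above intend.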