Password Reset is one of the important operations performed by the PMP. After resetting the password of resources/accounts in PMP, there might be requirements to carry out some follow-up action automatically. This could be done using the Password Reset Listeners.
For example:
restarting dependent services immediately after a password reset
if a Windows service runs under the account whose password is being changed in PMP, you can use the listener mechanism to update the 'stored credentials' of that service (i.e. the credentials specified in its 'Logon' property)
if you have added the accounts of network devices as resources/accounts in PMP, you can first reset the passwords of such accounts locally and then invoke a custom script that connects to the device and carries out the change on the device too
resetting the passwords of Windows scheduled tasks and other associated processes
Whenever the password of an account is modified in the PMP repository, you can configure PMP to invoke a script or executable supplied by you. The script or the executable is called the Password Reset Listener. The listener will be invoked even for local password changes and for resources for which remote password reset is not supported. It can be configured for each resource type, including the user defined resource types. Thus, the password reset listener mechanism is very helpful for resource types for which PMP does not support remote password reset by default.
The password reset listener script is invoked in the same way it would be from the command prompt of the operating system on which PMP runs.
If the script needs another program to invoke it from the command prompt, that program can be provided as the 'Pre-Command' for the script (for example, 'cscript c:\scripts\changepassword.vbs old_password new_password').
PMP will pass these arguments, in this order, when the script is invoked: resource name, dns name, account name, old password, new password.
You can add additional arguments, which will also be supplied when the script is invoked, in the order specified.
The script runs with the same privileges as the user account running the PMP server. To guard against the risks of invoking arbitrary scripts, a dual control mechanism is implemented: two administrators must see and approve the script before PMP invokes it. When an administrator adds a password reset listener, PMP does not invoke it until it has been approved by another administrator. The same process is followed when an administrator edits the password reset listener details. These operations can be performed by any two administrators and are audited.
The password reset listener is invoked from a separate thread so that it does not impact the password reset process of PMP. The listener script you supply is stored in the same database as all other PMP data, which provides both protection and backup, if backup is configured for the PMP database.
Prerequisite
Before setting up the password reset listener, keep your custom script/executable ready. PMP has no control over the script other than invoking it, and it does not process the result of the script. So, take care of all your requirements while creating the script.
Go to "Admin" >> "Customize" >> and click "Password Reset Listener"
In the UI that opens, click the button "Add Listener"
As mentioned above, the password reset listener script is invoked in the same way it would be from the command prompt of the operating system on which PMP runs. If the script needs another program to invoke it from the command prompt, that program can be provided as the 'Pre-Command' for the script (for example, 'cscript c:\scripts\changepassword.vbs old_password new_password').
Provide a name for the listener to be created. This would uniquely identify the listener
Browse and locate the listener script
By default, the parameters resource name, dns name, account name, old password, new password are passed as arguments to the script. In case, you require to pass additional arguments, specify them against the text field "Additional Parameters". The additional parameters supplied here will be passed to the script as they are
Specify the Resource Types for which the changes are to be applied
As explained above, the listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.
The listeners can be added only by PMP administrators. A listener thus added has to be approved by another administrator, so the listener you create will remain pending for approval. Select an administrator from the drop-down to send the approval request. A mail will be sent to that administrator notifying them of the approval request.
If you are an administrator and requested by another admin to approve a listener, you need to navigate to "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.
Click "Save". The required listener has been created.
The listener creation and approval events are all audited in PMP.
Password Manager Pro allows you to provide your own implementation for Password Reset Listener through "custom listener". The custom listener basically lets you provide your own listener implementation class, instead of just letting PMP execute the listener script provided by you. It offers you complete flexibility to execute any post password reset follow-up action.
Summary of steps involved in custom Listener creation:
Step 1: Write your own implementation class
Implement PMPListenerInterface (more details in the reference implementation below)
Step 2: Modify CustomListener.xml File in PMP
Add entries for the implementation class in CustomListener.XML
Step 3: Archive your implementation class as .jar and put it into PMP
Step 4: Restart PMP
Step 5: Carry out Listener Configuration in PMP
To explain how you can have your own listener implementation in PMP, we provide a reference implementation below. This implementation executes PowerShell scripts as the reset listener.
You need to write your own class implementing PMPListenerInterface.java as explained below.
import java.util.Properties;
// plus the import for the Logger class that PMP uses (not shown on this page)

public interface PMPListenerInterface {
    static final Logger LOG = Logger.getLogger(PMPListenerInterface.class.getName());
    public String executeListener(Properties resourceProps, Properties accountProps,
                                  String listenerFilePath, String oldPassword) throws Exception;
}
You can implement your class in such a way that properties of resources (resources and accounts in PMP) are obtained as arguments. For example, if you need 'Resource Name', you may have to do it as below:
resourceProps.get("RESOURCENAME")
You may obtain the value of any property using the keys listed below.
Resource Properties (resourceProps)
RESOURCENAME - Name of the Resource added in Password Manager Pro
IPADDRESS - DNSName or IPAddress of the Resource
RESOURCEURL - Resource URL configured for the resource
DOMAINNAME - Domain Name if the Resource is of type WindowsDomain
SSHPORT - SSH Port if the device can be connected over SSH
RESOURCEDESC - Description of the resource
LOCATION - Location of the Resource
DEPARTMENT - Department to which the resource belongs
ALL RESOURCE CUSTOM COLUMN NAMES (Label name will be the key)
Account Properties (accountProps):
DESCRIPTION - Account's description
LOGINNAME - Login Name of the userAccount added into PMP
PASSWORD - Password for this user account
DOMAINNAME - Domain Name if the account added is a domain account
COMPLIANTSTATUS - Status indicating whether the password is compliant with the Password Policy configured in PMP
COMPLIANTREASON - Reason, if the password is not compliant with the Password Policy
EXPIRYSTATUS - Status of expiry of the account's password
PASSWRDSYNCSTATUS - Provides information if the password is in sync with the password that is set on the remote resource
ALL ACCOUNT CUSTOM COLUMN NAMES (Label name will be the key)
Other Arguments
listenerFilePath - The path of the script/file that you want to invoke as listener. You also have the option to provide the script/file while configuring the listener in PMP in Step 5.
oldPassword - The old password, passed to the implementation class so that it can carry out the password reset
Sample implementation to execute a PowerShell script

import java.util.Properties;

public class PowerShellListener implements PMPListenerInterface {
    public String executeListener(Properties resourceProps, Properties accountProps,
                                  String listenerFilePath, String oldPassword) throws Exception {
        String message = "Executed Successfully"; // returned to PMP and recorded in the audit trail
        // read the properties you need here, e.g. resourceProps.get("RESOURCENAME")
        // call the PowerShell script at listenerFilePath here
        return message;
    }
}
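The skeleton above leaves the actual invocation open. What follows is an added example written for this page, not PMP's own code, showing one way to fill it in while respecting two points made earlier: the listener runs with the privileges of the PMP server account, and the script-listener contract passes resource name, dns name, account name and the passwords to the script. The example keeps the same positional order for the non-secret values, but hands the old and new passwords to the script through environment variables instead of the command line, so they do not appear in the process list; it also enforces a timeout and masks both passwords in any error text that PMP will audit. Assumptions: the interface copy at the top only mirrors the shape shown on this page (compile against PMP's own class and delete it), `powershell.exe` is on the PATH, the environment variable names `PMP_OLD_PASSWORD`/`PMP_NEW_PASSWORD`, the 120 second limit and the sample properties and script path are all invented for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import java.util.logging.Logger;

// Local copy of the interface shape shown on this page so the example compiles on its own.
// In a real build, compile against the PMPListenerInterface class that PMP ships instead.
interface PMPListenerInterface {
    static final Logger LOG = Logger.getLogger(PMPListenerInterface.class.getName());
    public String executeListener(Properties resourceProps, Properties accountProps,
                                  String listenerFilePath, String oldPassword) throws Exception;
}

public class PowerShellListener implements PMPListenerInterface {

    // Assumption: a hypothetical upper bound so a hung script cannot hold the listener thread forever.
    static final long TIMEOUT_SECONDS = 120;

    /**
     * Builds the argument vector. ProcessBuilder passes each element as one argument with no
     * shell in between, so a value containing quotes or spaces cannot be split or injected into
     * the command line. The order mirrors the script-listener contract (resource name, dns name,
     * account name); passwords are left out because argv is visible to every local user.
     */
    static List<String> buildCommand(String scriptPath, String resourceName,
                                     String dnsName, String loginName) {
        List<String> cmd = new ArrayList<>();
        cmd.add("powershell.exe");
        cmd.add("-NoProfile");
        cmd.add("-NonInteractive");
        cmd.add("-File");
        cmd.add(scriptPath);
        cmd.add(resourceName);
        cmd.add(dnsName);
        cmd.add(loginName);
        return cmd;
    }

    @Override
    public String executeListener(Properties resourceProps, Properties accountProps,
                                  String listenerFilePath, String oldPassword) throws Exception {
        if (listenerFilePath == null || listenerFilePath.isEmpty()) {
            throw new IllegalArgumentException("No listener script configured (see Step 5)");
        }
        String resourceName = resourceProps.getProperty("RESOURCENAME", "");
        String dnsName      = resourceProps.getProperty("IPADDRESS", "");
        String loginName    = accountProps.getProperty("LOGINNAME", "");
        String newPassword  = accountProps.getProperty("PASSWORD", "");

        ProcessBuilder pb = new ProcessBuilder(
                buildCommand(listenerFilePath, resourceName, dnsName, loginName));
        pb.redirectErrorStream(true);
        // Secrets travel in the child's environment (hypothetical names; the script reads
        // $env:PMP_OLD_PASSWORD and $env:PMP_NEW_PASSWORD), never on the command line.
        Map<String, String> env = pb.environment();
        env.put("PMP_OLD_PASSWORD", oldPassword == null ? "" : oldPassword);
        env.put("PMP_NEW_PASSWORD", newPassword);

        LOG.info("Invoking listener " + listenerFilePath + " for " + loginName + "@" + resourceName);
        Process proc = pb.start();
        proc.getOutputStream().close();               // the script gets no stdin

        // Drain stdout/stderr on a helper thread so a chatty script cannot block on a full pipe.
        StringBuilder output = new StringBuilder();
        Thread drain = new Thread(() -> {
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = r.readLine()) != null) output.append(line).append('\n');
            } catch (IOException ignored) { /* pipe closes when the process ends */ }
        });
        drain.start();

        if (!proc.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            proc.destroyForcibly();
            throw new IOException("Listener script timed out after " + TIMEOUT_SECONDS + " s");
        }
        drain.join();                                 // join makes the buffer safely visible here
        int rc = proc.exitValue();
        if (rc != 0) {
            // Script output may echo a secret; mask it before PMP records the failure.
            throw new IOException("Listener script exited with code " + rc + ": "
                    + redact(output.toString(), oldPassword, newPassword));
        }
        return "Executed Successfully (exit code 0)";  // recorded by PMP in the audit trail
    }

    /** Masks the given secrets in text before it reaches a log or audit message. */
    static String redact(String text, String... secrets) {
        for (String s : secrets) {
            if (s != null && !s.isEmpty()) text = text.replace(s, "********");
        }
        return text;
    }

    // Stand-alone demonstration with constructed properties: prints the command line that would
    // be run and, only when "--run" is passed, actually invokes the (hypothetical) script.
    public static void main(String[] args) throws Exception {
        Properties res = new Properties();
        res.setProperty("RESOURCENAME", "fileserver01");             // constructed
        res.setProperty("IPADDRESS", "fileserver01.example.test");   // constructed
        Properties acc = new Properties();
        acc.setProperty("LOGINNAME", "svc-backup");                  // constructed
        acc.setProperty("PASSWORD", "NewP4ss-constructed");          // constructed
        String script = "C:\\scripts\\update-service-logon.ps1";    // hypothetical path
        System.out.println(String.join(" ",
                buildCommand(script, "fileserver01", "fileserver01.example.test", "svc-backup")));
        if (args.length > 0 && args[0].equals("--run")) {
            System.out.println(new PowerShellListener()
                    .executeListener(res, acc, script, "OldP4ss-constructed"));
        }
    }
}
```

Package the class as a .jar for Step 3 after compiling it against PMP's own PMPListenerInterface and removing the local copy. The PowerShell script you point the listener at then receives the resource name, dns name and account name as `$args[0..2]` and reads the two passwords from `$env:PMP_OLD_PASSWORD` and `$env:PMP_NEW_PASSWORD`; it should exit non-zero on any failure so that the error is surfaced in the PMP audit trail rather than silently swallowed.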
Add entries for your implementation class in CustomListener.xml present under <PMP-Home>/conf/PassTrix directory.
<listener-data>
<Ptrx_CustomListenerDetails CUSTOMLISTENERID="2" CLASSNAME="PowerShell" IMPLEMENTATION_CLASS="com.adventnet.passtrix.listener.PowerShellListener" DESCRIPTION="Listener to invoke powershell commands" USERID="admin"/>
</listener-data>
CUSTOMLISTENERID - Unique Identifier for Custom Listener Implementation. 2 denotes that this is a custom listener. So, you may leave it unchanged.
CLASSNAME - Unique name to identify this custom listener in PMP GUI
IMPLEMENTATION_CLASS - Implementation class that provides the workflow for the custom listener
DESCRIPTION - Description about the listener
USERID - You need to provide the 'username' of a PMP administrator here. Only if the username is valid, PMP will allow the listener to be executed.
After filling in the above details, add this entry to CustomListener.xml present under <PMP-Installation Folder>/conf/PassTrix directory.
You need to package your implementation class as a .jar and put it into <PMP-Installation Folder>/lib directory.
After completing the above steps, you need to restart PMP to give effect to this implementation.
Go to "Admin" >> "Customize" >> and click "Password Reset Listener"
In the UI that opens, click the button "Add Listener" >> "Custom Listener"
Provide a name for the listener to be created. This would uniquely identify the listener
Browse and locate the listener script (if required). If you have provided the file/script path of the listener in your implementation class OR if you are making use of APIs to do password reset, you may skip this step. When you browse and submit the script in this step, it will be persisted in PMP database in fully encrypted form. The script will be invoked at runtime.
By default, the parameters resource name, dns name, account name, old password, new password are passed as arguments to the script. In addition, depending on the implementation class, additional parameters may have to be passed.
Specify the Resource Types for which the changes are to be applied.
The listener script runs with the same privileges as the user account running the PMP server. To guard against the risks of invoking arbitrary scripts, a dual control mechanism is implemented: two administrators must see and approve the script before PMP invokes it. The listeners can be added only by PMP administrators. A listener thus added has to be approved by another administrator, so the listener you create will remain pending for approval. Select an administrator from the drop-down to send the approval request. A mail will be sent to that administrator notifying them of the approval request.
If you are an administrator and requested by another admin to approve a listener, you need to navigate to "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.
Click "Save". The required listener has been created.
The listener creation and approval events are all audited in PMP.
© 2009, ZOHO Corp. All Rights Reserved.