Password Reset Listener

Password Reset is one of the important operations performed by the PMP. After resetting the password of resources/accounts in PMP, there might be requirements to carry out some follow-up action automatically. This could be done using the Password Reset Listeners.

 

For Example:

 

How does Password Reset Listener work?

Whenever the password of an account is modified in the PMP repository, you can configure PMP to invoke a script or executable supplied by you. The script or the executable is called the Password Reset Listener. The listener will be invoked even for local password changes and for resources for which remote password reset is not supported. It can be configured for each resource type, including the user defined resource types. Thus, the password reset listener mechanism is very helpful for resource types for which PMP does not support remote password reset by default.

 

 

The script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP. When an administrator adds a password reset listener, PMP does not invoke it unless it has been approved by another administrator. The same process if followed when the password reset listener details are edited by an administrator. These operations can be performed by any two administrators and are audited.

 

The password reset listener is invoked from a separate thread so that it does not impact the password reset process of PMP. The password reset listener script supplied will be stored in the same database as the other information, which provides security as well as backup, if it is configured for the PMP database.

How to setup Password Reset Listener?

Prerequisite

 

Before setting up the password, keep your custom script/executable ready. PMP has no control over the script other than invoking it and also does not process the result of the script. So, take care of all your requirements while creating the script.

 

To set up Password Reset Listener,

Approval for Listeners

As explained above, the listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.

 

The listeners can be added only by PMP administrators. The listeners thus added have to be approved by some other administrator. So, the listener created will remain pending for approval. Select an administrator from the drop-down to send approval request. A mail will be sent to that administrator intimating the approval request.

 

If you are an administrator and requested by another admin to approve a listener, you need to navigate to  "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.

 

 

The listener creation and approval events are all audited in PMP.

 

Custom Listener

Password Manager Pro allows you to provide your own implementation for Password Reset Listener through "custom listener". The custom listener basically lets you provide your own listener implementation class, instead of just letting PMP execute the listener script provided by you. It offers you complete flexibility to execute any post password reset follow-up action.

How to Create Custom Listener?

Summary of steps involved in custom Listener creation:

 

Step 1: Write your own implementation class

 

Implement PMPListenerInterface (more details in the reference implementation below)

 

Step 2: Configuration in PMP GUI

 

Add entries for the implementation class in PMP GUI

 

Step 3: Archive your implementation class as .jar and put it into PMP

 

Step 4: Restart PMP

 

Reference Implementation

To explain how you can have your own implementation for listener in PMP, we are providing a reference implementation below. This implementation is for executing PowerShell scripts with reset listener.

Step 1: Write your own implementation class

You need to write your own class implementing PMPListenerInterface.java as explained below.

public interface PMPListenerInterface {
static final Logger LOG = Logger.getLogger(PMPListenerInterface.class.getName());
public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception;
}

You can implement your class in such a way that properties of resources (resources and accounts in PMP) are obtained as arguments. For example, if you need 'Resource Name', you may have to do it as below:

 

resourceProps.get("RESOURCENAME")

 

You may obtain the value of any propery from the list of keys listed below.

 

Resource Properties (resourceProps)

 

RESOURCENAME - Name of the Resource added in Password Manager Pro
IPADDRESS - DNSName or IPAddress of the Resource
RESOURCEURL - Resource URL configured for the resource
DOMAINNAME - Domain Name if the Resource is of type WindowsDomain
SSHPORT - SSH Port if the device can be connected over SSH
RESOURCEDESC - Description of the resource
LOCATION - Location of the Resource
DEPARTMENT - Department to which the resource belongs to
ALL RESOURCE CUSTOM COLUMN NAMES (Label name will be the key)

 

Account Properties (accountProps):

DESCRIPTION - Account's description
LOGINNAME - Login Name of the userAccount added into PMP
PASSWORD - Password for this user account
DOMAINNAME - Domain Name if the account added is a domain account
COMPLIANTSTATUS - Provides a status whether the password is in compliant with the Password Policy configured in PMP
COMPLIANTREASON - Reason, if the password is not compliant with the Password Policy
EXPIRYSTATUS - Status of expiry of the account's password
PASSWRDSYNCSTATUS - Provides information if the password is in sync with the password that is set on the remote resource

ALL ACCOUNT CUSTOM COLUMN NAMES (Label name will be the key)

Other Arguments

 

Sample implementation to execute PowerShell script

public class PowerShellListener implements PMPListenerInterface {

public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception {
String message = "Executed Successfully";// used for audit reason
// got the properties
// call the powershell script
}
}

Step 2: Configuration in PMP GUI

Add entries for your implementation class in PMP GUI. To do this, navigate to Admin >> Password Reset Listener >> Add Listener and in the GUI that opens, click the tab "Custom Listener" and then click the link "Add New". Enter the following details:

 

 

Reset Listener

 

 

Step 3: Archive your implementation class as .jar and put it into PMP

You need to convert your implementation class as .jar and put it into <PMP-Installation Folder>/lib directory.

Step 4: Restart PMP

After completing the above steps, you need to restart PMP to give effect to this implementation.


© 2014, ZOHO Corp. All Rights Reserved.