Password Reset Listener

Password Reset is one of the important operations performed by the PMP. After resetting the password of resources/accounts in PMP, there might be requirements to carry out some follow-up action automatically. This could be done using the Password Reset Listeners.

For Example:

  • restarting the dependent services immediately after password reset
  • if there is a windows service that makes use of the account whose password is being changed in PMP. You can use the listener mechanism to change the 'stored credentials' (i.e the credentials specified in the 'Logon' property) of the windows service
  • if you have added the accounts of network devices as resources/accounts in PMP, you can first reset the passwords of such accounts locally and then invoke a custom script to connect to the device and carry out the change in the device too
  • reset the passwords of windows scheduled tasks and other associated processes

How does Password Reset Listener work?

Whenever the password of an account is modified in the PMP repository, you can configure PMP to invoke a script or executable supplied by you. The script or the executable is called the Password Reset Listener. The listener will be invoked even for local password changes and for resources for which remote password reset is not supported. It can be configured for each resource type, including the user defined resource types. Thus, the password reset listener mechanism is very helpful for resource types for which PMP does not support remote password reset by default.

  • The password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked
  • In case, the script needs another program to invoke it from the command prompt, it could be provided as the 'Pre-Command' for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password)
  • PMP will pass these arguments, in this order, when the script is invoked: resource name, dns name, account name, old password, new password.
  • You can add additional arguments that will also be supplied at the time of invoking the script, in the order specified

The script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP. When an administrator adds a password reset listener, PMP does not invoke it unless it has been approved by another administrator. The same process if followed when the password reset listener details are edited by an administrator. These operations can be performed by any two administrators and are audited.

The password reset listener is invoked from a separate thread so that it does not impact the password reset process of PMP. The password reset listener script supplied will be stored in the same database as the other information, which provides security as well as backup, if it is configured for the PMP database.

How to setup Password Reset Listener?

Prerequisite

Before setting up the password, keep your custom script/executable ready. PMP has no control over the script other than invoking it and also does not process the result of the script. So, take care of all your requirements while creating the script.

To set up Password Reset Listener,

  • Go to "Admin" >> "Customize" >> and click "Password Reset Listener"
  • In the UI that opens, click the button "Add Listener"
  • As mentioned above, the password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked. In case, the script needs another program to invoke it from the command prompt, it could be provided as the 'Pre-Command' for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password)
  • Provide a name for the listener to be created. This would uniquely identify the listener
  • Browse and locate the listener script
  • By default, the parameters resource name, dns name, account name, old password, new password are passed as arguments to the script. In case, you require to pass additional arguments, specify them against the text field "Additional Parameters". The additional parameters supplied here will be passed to the script as they are
  • Specify the Resource Types for which the changes are to be applied

Approval for Listeners

    As explained above, the listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.

    The listeners can be added only by PMP administrators. The listeners thus added have to be approved by some other administrator. So, the listener created will remain pending for approval. Select an administrator from the drop-down to send approval request. A mail will be sent to that administrator intimating the approval request.

    If you are an administrator and requested by another admin to approve a listener, you need to navigate to "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.

  • Click "Save". The required listener has been created

The listener creation and approval events are all audited in PMP.

Custom Listener

Password Manager Pro allows you to provide your own implementation for Password Reset Listener through "custom listener". The custom listener basically lets you provide your own listener implementation class, instead of just letting PMP execute the listener script provided by you. It offers you complete flexibility to execute any post password reset follow-up action.

How to Create Custom Listener?

Summary of steps involved in custom Listener creation:

Step 1: Write your own implementation class

Implement PMPListenerInterface (more details in the reference implementation below)

Step 2: Configuration in PMP GUI

Add entries for the implementation class in PMP GUI

Step 3: Archive your implementation class as .jar and put it into PMP

Step 4: Restart PMP

Reference Implementation

To explain how you can have your own implementation for listener in PMP, we are providing a reference implementation below. This implementation is for executing PowerShell scripts with reset listener.

Step 1: Write your own implementation class

You need to write your own class implementing PMPListenerInterface.java as explained below.

    public interface PMPListenerInterface {
    static final Logger LOG = Logger.getLogger(PMPListenerInterface.class.getName());
    public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception;
    }

You can implement your class in such a way that properties of resources (resources and accounts in PMP) are obtained as arguments. For example, if you need 'Resource Name', you may have to do it as below:

resourceProps.get("RESOURCENAME")

You may obtain the value of any propery from the list of keys listed below.

Resource Properties (resourceProps)

RESOURCENAME - Name of the Resource added in Password Manager Pro
IPADDRESS - DNSName or IPAddress of the Resource
RESOURCEURL - Resource URL configured for the resource
DOMAINNAME - Domain Name if the Resource is of type WindowsDomain
SSHPORT - SSH Port if the device can be connected over SSH
RESOURCEDESC - Description of the resource
LOCATION - Location of the Resource
DEPARTMENT - Department to which the resource belongs to
ALL RESOURCE CUSTOM COLUMN NAMES (Label name will be the key)

Resource Properties (resourceProps)

DESCRIPTION - Account's description
LOGINNAME - Login Name of the userAccount added into PMP
PASSWORD - Password for this user account
DOMAINNAME - Domain Name if the account added is a domain account
COMPLIANTSTATUS - Provides a status whether the password is in compliant with the Password Policy configured in PMP
COMPLIANTREASON - Reason, if the password is not compliant with the Password Policy
EXPIRYSTATUS - Status of expiry of the account's password
PASSWRDSYNCSTATUS - Provides information if the password is in sync with the password that is set on the remote resource
ALL ACCOUNT CUSTOM COLUMN NAMES (Label name will be the key)

Other Arguments

  • listenerFilePath - The path of the script/file that you want to invoke as listener. You also have the option to provide the script/file while configuring the listener in PMP in Step 5.
  • oldPassword - Passing the old password to the implementation class to carry out password reset

Sample implementation to execute PowerShell script

public class PowerShellListener implements PMPListenerInterface {
public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception {
String message = "Executed Successfully";// used for audit reason
// got the properties
// call the powershell script
}
}

Step 2: Configuration in PMP GUI

Add entries for your implementation class in PMP GUI. To do this, navigate to Admin >> Password Reset Listener >> Add Listener and in the GUI that opens, click the tab "Custom Listener" and then click the link "Add New". Enter the following details:

  • Class Name - This lists down the already existing listener implementation classes
  • New Class Name - The name of the new implementation class that provides the workflow for the custom listener
  • Implementation Class - Full name of the implementation class with package details. For example: com.adventnet.passtrix.listener.PowerShellListener
  • Description - Information about the implementation class
  • Listener Name - Specify the name of the custom listener script with the appropriate extension. The label provided here will be invoked from the command line.
  • Listener Script - Browse and locate the listener script. If you have provided the file/script path of the listener in your implementation class OR if you are making use of APIs to do password reset, you may skip this step. When you browse and submit the script in this step, it will be persisted in PMP database in fully encrypted form. The script will be invoked at runtime.
  • Resource Types - Select the resource types to which the custom listener script will have to be applied
  • Send Approval Request to - The listener script runs with the same privileges as the user account running the PMP server. To guard against potential risks associated with invoking arbitrary scripts, a dual control mechanism is implemented, which will ensure two administrators see and approve the script before it is invoked by PMP.The listeners can be added only by PMP administrators. The listeners thus added have to be approved by some other administrator. So, the listener created will remain pending for approval. Select an administrator from the drop-down to send approval request. A mail will be sent to that administrator intimating the approval request.If you are an administrator and requested by another admin to approve a listener, you need to navigate to "Admin" >> "Customize" >> and click "Password Reset Listener" and click the link present under "Approval Status". Once it is approved, the listener will take effect.
  • Click "Save"
  • The listener creation and approval events are all audited in PMP.

Step 3: Archive your implementation class as .jar and put it into PMP

You need to convert your implementation class as .jar and put it into <PMP-Installation Folder>/lib directory.

Step 4: Restart PMP

After completing the above steps, you need to restart PMP to give effect to this implementation.

©2014, ZOHO Corp. All Rights Reserved.

Top