Password Reset Listener

Password reset is one of the most important functions performed by PAM360 in order to protect the sensitive resources from unauthorized access. PAM360 allows you to carry out similar tasks by invoking scripts or executables, referred to as Password Reset Listeners.

This document walks you through the following topics:

  1. What are the Follow up Actions you can do using Password Reset Listeners?
  2. How does a Password Reset Listener Work?
  3. Who can Add Password Reset Listeners?
  4. Custom Listener
  5. Reference Implementation

1. What are the Follow up Actions you can do using Password Reset Listeners?

  1. Restart the dependent services immediately after password reset.
  2. In case of a Windows service that makes use of an account whose password is reset locally in PAM360 database, the reset listener helps change the respective stored credentials (i.e the credentials specified in the Logon property) of the windows service.
  3. Reset the passwords of Windows scheduled tasks and other associated processes.
  4. Carry out password resets for network devices. For instance, if you have added the accounts of network devices as resources, you can first reset the passwords of such accounts locally and then invoke a custom script to connect to the devices and execute the changes in the device as well.

2. How does a Password Reset Listener Work?

Password Reset Listener is a script or executable that can be invoked by you whenever the password of an account is being changed or reset in the PAM360 repository. This password reset listener can be invoked even for local password changes and also for resources for which remote password reset is not supported out-of-the-box by PAM360. You can configure listener scripts individually for each resource type including the user defined resource types.

  • The password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked.
  • In case, the script needs another program to invoke it from the command prompt, it could be provided as the 'Pre-Command' for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password).
  • By default, the parameters resource name, dns name, account name, old password, new password are passed as arguments to the script.
  • You can also add additional arguments by specifying them against the text field "Additional Parameters" at the time of invoking the script, in the order specified.

The script runs with the same privilege as the user account running the PAM360 server. For Security reasons, dual control mechanism is implemented, which will ensure that two administrators will see and approve the script before it is invoked by PAM360. PAM360 will not invoke the script unless it has been approved by both the administrators. For example, when an administrator adds or edits the password reset listener, PAM360 will not invoke the scripts unless it has been approved by the other administrator. Thus, the add / edit / delete operations related to password reset listeners can be successfully executed only with the approval of two administrators in PAM360. The actions are also audited for future references.

The password reset listener is invoked from a separate thread, so it does not impact the password reset process of PAM360. The listener scripts added will be stored in the same database as the other information. This provides security and also backup, if it is configured for PAM360 database.

To set up password reset listener,

  1. Navigate to Admin >> Customization >> Password Reset Listener.
  2. The Password Reset Listener window will open. Click Add Listener.
  3. As mentioned above, the password reset listener script will be invoked in a similar fashion as it will be from the command prompt of the operating system from which it is invoked. In case, the script needs another program to invoke it from the command prompt, it could be provided as the Pre-Command for that script (for example 'cscript c:\scripts\changepassword.vbs old_password new_password).
  4. Enter a name for the listener. Next, browse and add the listener script.
  5. By default, parameters such as resource name, dns name, account name, old password, and new password are passed as arguments to the script. In case you require to pass additional arguments, add additional arguments by specifying them against the text field Additional Parameters. The additional parameters supplied will be passed to the script in the order given, at the time of invoking the script.
  6. You can also specify the resource types for which the changes to be applied and send approval request to the other administrator.
  7. After adding necessary details, select an administrator from the drop down for sending an approval request. A mail will be sent to the selected administrator intimating the approval request.
  8. Click Save.

3. Who can Add Password Reset Listeners?

The listeners can be aded only by PAM360 administrators. In addition, all listeners added should also be approved by a second administrator to guard against potential risks associated with invoking arbitrary scripts. So, once a listener is created and saved by an admin, the same will be sent to another administrator for their approval. A mail will be sent to the second administrator intimating the approval request.

To approve a recently added password reset listener,

If you are an administrator, and another administrator requests you to approve a listener, then you need to;

  1. Navigate to Admin >> Customization >> Password Reset Listener.
  2. Click the link under Approval Status column, beside the listener which has to be approved.
  3. Once you approve, the listener will take effect.

The listener creation, edition, deletion, and approval events are all audited.

4. Custom Listener

In addition to reset listeners, PAM360 allows you to provide your own implementation through "custom listeners". The custom listener basically lets you provide your own listener implementation class, which offers you complete flexibility to execute any post password reset follow-up action, instead of just letting PAM360 execute the listener script provided by you. It offers you complete flexibility to execute any post password reset follow-up action.

How to create a custom listener?

Summary of steps involved in custom Listener creation:

Step 1: Write your own implementation class

Implement PAM360ListenerInterface (more details in the reference implementation below).

Step 2: Configuration in PAM360 GUI

Add entries for the implementation class in PAM360 GUI.

Step 3: Archive your implementation class as .jar and put it into PAM360

Step 4: Restart PAM360

5. Reference Implementation

To explain how you can have your own implementation for listener in PAM360, we are providing a reference implementation below. This implementation is for executing PowerShell scripts with reset listener.

Step 1 - To write your own implementation class:

You need to write your own class implementing PAM360ListenerInterface.java as explained below.

public interface PAM360ListenerInterface {
static final Logger LOG = Logger.getLogger(PAM360ListenerInterface.class.getName());
public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception;}

You can implement your class in such a way that properties of resources (resources and accounts in PAM360) are obtained as arguments. For example, if you need 'Resource Name', you may have to do it as below:

resourceProps.get("RESOURCENAME")

You may obtain the value of any propery from the list of keys listed below.

Resource Properties (resourceProps)

  • RESOURCENAME - Name of the Resource added in PAM360
  • IPADDRESS - DNSName or IPAddress of the Resource
  • RESOURCEURL - Resource URL configured for the resource
  • DOMAINNAME - Domain Name if the Resource is of type WindowsDomain
  • SSHPORT - SSH Port if the device can be connected over SSH
  • RESOURCEDESC - Description of the resource
  • LOCATION - Location of the Resource
  • DEPARTMENT - Department to which the resource belongs to
  • ALL RESOURCE CUSTOM COLUMN NAMES (Label name will be the key)

Account Properties (accountProps)

  • DESCRIPTION - Account's description
  • LOGINNAME - Login Name of the userAccount added into PAM360
  • PASSWORD - Password for this user account
  • DOMAINNAME - Domain Name if the account added is a domain account
  • COMPLIANTSTATUS - Provides a status whether the password is in compliant with the Password Policy configured in PAM360
  • COMPLIANTREASON - Reason, if the password is not compliant with the Password Policy
  • EXPIRYSTATUS - Status of expiry of the account's password
  • PASSWRDSYNCSTATUS - Provides information if the password is in sync with the password that is set on the remote resource
  • ALL ACCOUNT CUSTOM COLUMN NAMES (Label name will be the key)

Other Arguments

  • listenerFilePath - The path of the script/file that you want to invoke as listener. You also have the option to provide the script/file while configuring the listener in PAM360 in Step 5.
  • oldPassword - Passing the old password to the implementation class to carry out password reset

Sample implementation to execute PowerShell script

public class PowerShellListener implements PAM360ListenerInterface {
public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception {
String message = "Executed Successfully";// used for audit reason
// got the properties
// call the powershell script}}

Step 2: Configuration in PAM360 GUI

Add entries for your implementation class in PAM360 GUI. To do this, navigate to Admin >> Password Reset Listener >> Add Listener and in the GUI that opens, click the tab Custom Listener and then click the link Add New. Enter the following details:

  1. Navigate to Admin >> Customization >> Password Reset Listener.
  2. Click Add Listener.
  3. In the pop-up form that opens, click on Add new under Custom Listener tab and enter the details.
  4. Enter the name of the new implementation class and add your own implementation class.
  5. Add entries for your implementation class and also give information about your implementation class in description.
  6. Enter a name for the listener script with appropriate extension and then browse and locate the listener script.
  7. You can also specify the resource types for which the changes to be applied and send approval request to the other administrator.
  8. Select an administrator from the drop down for sending approval request. A mail will be sent to the administrator intimating approval request.
  9. Click Save.

Step 3: Archive your implementation class as .jar and put it into PAM360

You need to convert your implementation class as .jar and put it into <PAM360-Installation Folder>/lib directory.

Step 4: Restart PAM360

After completing the above steps, you need to restart PAM360 to give effect to this implementation.

Top