Remote Password Reset

(Feature available only in Premium and Enterprise Editions)

Introduction

Password Manager Pro provides the option to remotely change the passwords of certain resources. In general, Password Manager Pro can support any device that can be reached via a command-line interface (CLI) and accepts commands for managing passwords. Password Manager Pro allows you to change the password of a remote resource through two modes: Agent Mode and Agent-less Mode. This document describes how to remotely reset the passwords of various endpoints using agent-less mode; the agent-based option for networks without direct connectivity is covered at the end.

List of Resource Types Supported for Remote Password Reset:

  • Windows
  • Windows Domain
  • Linux
  • IBM AIX
  • HP UNIX
  • Solaris
  • Mac OS
  • VMware ESXi
  • IBM AS400
  • Sun Oracle ALOM / ILOM / XSCF
  • MS SQL server
  • MySQL server
  • PostgreSQL server
  • Oracle WebLogic server
  • Oracle DB Server
  • Sybase ASE
  • LDAP Server
  • HP ProCurve
  • HP iLO
  • Cisco Devices (IOS, CatOS, PIX)
  • Juniper Netscreen
  • Google Apps
  • AWS IAM
  • Microsoft Azure
  • Rackspace
  • Salesforce

Steps to Configure Remote Password Reset for Different Resource Types via Agent-less Mode

Prerequisite

If you are configuring remote password reset via agent-less mode, you must first specify the account that Password Manager Pro will use to log in to the target resource and perform the reset. This account is, by design, able to change other accounts' passwords on the target, so treat its credential with the same care as the passwords it manages.

Windows

Password Manager Pro resets the passwords of Windows local accounts using the service account under which the Password Manager Pro service itself runs. Log in to the Password Manager Pro server and open the Services console (services.msc) to change the service account of the Password Manager Pro service.

    Note: This service account must have either domain administrator rights or local administrator rights on the PMP server and on every target system you want to manage. It is therefore a high-value credential: grant the narrower of the two (local administrator on the targets) wherever that is sufficient, and protect the PMP server accordingly.


  • If you would rather not use the service account for a particular resource, you can override it: navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and choose an administrator account of that resource.
  • If the Password Manager Pro service runs with a privileged service account (domain administrator, or local administrator on all member servers), it can force-reset Windows local account passwords without knowing the current password, so the old password does not need to be stored in Password Manager Pro.

Windows Domain

If you are using the Privileged Accounts Discovery feature to import Windows resources from Active Directory, then Password Manager Pro will automatically add your domain controller as a Resource with Resource Type as Windows Domain.

To reset domain account passwords that are present in your Windows Domain resource, you need to specify an admin account to be used for remote login as well as password reset.

Steps Required:

  • Navigate to the Resources tab and choose Resource Actions >> Configure Remote Password Reset.
  • Select the domain account to use as the administrator account and save.
  • Using the same account as the Password Manager Pro service account is recommended, so that every reset appears in the Active Directory audit logs under one known identity.

Note: If PMP holds the domain's administrator credentials, it can reset domain account passwords regardless of any trust between the domain in which the PMP server is installed and the target domain. Any PMP user with 'modify password' permission on that domain account's password in PMP can therefore change passwords throughout the domain; share that account as sparingly as you would the domain administrator password itself.


Linux, IBM AIX, HP UNIX, Solaris, Mac OS, VMware ESXi

For remote password reset of Unix resources, Password Manager Pro first logs in to the target system with the remote login account. The reset itself requires root privileges, so a privilege elevation method must be chosen. Two options are available: 'su' to root, which requires the root account's password to be stored in Password Manager Pro, or 'sudo', which requires the target's sudoers policy to allow the remote login account to run the password reset commands as root.

Steps Required:

To choose from one of the following actions, first navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

The following are the steps involved:

  • Selecting the Protocol.
  • Selecting the authentication method for remote login based on the protocol chosen and specifying the remote login account.
  • Specifying the root account if Password Manager Pro has to use 'su' / selecting 'sudo'.

Step 1 - Selecting the Protocol

  • Select the protocol for remote login - SSH or Telnet. Telnet sends the login credentials and the new password across the network in cleartext, so prefer SSH wherever the target supports it. Next, specify your remote login account. For remote login, Password Manager Pro allows you to either choose an account of the resource for which you are setting up the password reset, or specify an account of any Windows Domain resource stored in Password Manager Pro. To use a Windows Domain account as the remote login account, select the option 'other resource' while setting up the remote login account, then specify the Resource Name and the Remote Login Account.
  • The next step is specifying the authentication method. If you have chosen Telnet, or SSH with a Windows Domain account for remote login, skip step 2 and go directly to step 3, setting the privilege elevation method.

Step 2 - If you opt for SSH, specify the authentication method

  • If you choose SSH as the Remote Login Method and an account of the remote Unix resource as the remote login account, there are two authentication methods to choose from: "Password Authentication" or "Public Key Infrastructure" (PKI) Authentication.

For PKI authentication, select the remote login account as explained below:

The public key must already be installed on the remote system for the remote login account, in that account's authorized_keys file (typically $HOME/.ssh/authorized_keys). Select the remote login account for which the public key is installed, then browse and supply the corresponding private key. The private key is itself a credential equivalent to that account's password, so it should be generated for this purpose and not shared with interactive users.

Note: Password Manager Pro supports SSH protocol version 2 (SSH2) only.

Step 3 - Specifying the root account/selecting 'sudo'

  • As mentioned above, for executing remote password reset commands, Password Manager Pro can use either 'su' as root or 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.
  • If you use the option, 'su' as root, you need to select the root account.
  • If the target system allows execution of password reset commands through 'sudo', you can select that option.
  • Click "Save".
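When selecting the 'sudo' option, the question a practitioner has to answer on each target is what the remote login account is actually allowed to run as root, and whether that grant is narrower than full root. The following is an added example, not Password Manager Pro code: it parses the output of `sudo -l -U <account>` (run as root on the target) and classifies the grant. The reset command path /usr/bin/passwd and the account name pmpreset are assumptions for illustration, and the four sample outputs are constructed.

```python
"""Audit the sudo grant of the Unix remote-login account before selecting the
'sudo' elevation option.

Added example, not Password Manager Pro code. It assumes the target's reset
command is /usr/bin/passwd and that the remote login account is 'pmpreset';
both are illustrative, and the `sudo -l` outputs below are constructed.
"""
import re

RESET_CMD = "/usr/bin/passwd"  # assumed path of the password reset command

# One command entry as printed by `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/passwd"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return one dict per entry: run-as user, NOPASSWD flag, command list."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines such as "User pmpreset may run ..."
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(ALL : ALL)"
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        entries.append({"runas": runas,
                        "nopasswd": "NOPASSWD:" in m.group("tags"),
                        "cmds": cmds})
    return entries


def assess(entries):
    """Classify what the account may do as root:
    'missing'   - cannot run the reset command as root at all
    'full-root' - may run ALL commands as root (works, but far more than needed)
    'negation'  - grant relies on a '!' exclusion such as "!/usr/bin/passwd root";
                  sudoers(5) warns that subtracting commands from a grant is
                  bypassable, so the exclusion is not a real boundary
    'ok'        - narrow grant limited to the reset command
    """
    usable = [e for e in entries if e["runas"] in ("root", "ALL")
              and any(c == "ALL" or c.split()[:1] == [RESET_CMD] for c in e["cmds"])]
    if not usable:
        return "missing"
    if any(c == "ALL" for e in usable for c in e["cmds"]):
        return "full-root"
    if any(c.startswith("!") for e in usable for c in e["cmds"]):
        return "negation"
    return "ok"


# Constructed sample outputs of `sudo -l -U pmpreset` on four hosts.
SAMPLE_NARROW = """User pmpreset may run the following commands on db01:
    (root) NOPASSWD: /usr/bin/passwd
"""
SAMPLE_FULL_ROOT = """User pmpreset may run the following commands on db02:
    (ALL : ALL) ALL
"""
SAMPLE_NEGATION = """User pmpreset may run the following commands on db03:
    (root) /usr/bin/passwd, !/usr/bin/passwd root
"""
SAMPLE_NONE = "User pmpreset is not allowed to run sudo on db04.\n"

if __name__ == "__main__":
    for host, sample in [("db01", SAMPLE_NARROW), ("db02", SAMPLE_FULL_ROOT),
                         ("db03", SAMPLE_NEGATION), ("db04", SAMPLE_NONE)]:
        print(host, assess(parse_sudo_l(sample)))
```

The 'nopasswd' flag is reported so you can see whether sudo will prompt for the account's own password before running the reset command; whether that prompt is acceptable depends on how the target's sudo session is driven. A 'negation' result means the rule looks narrower than it is: restrict the grant to the reset command itself rather than trying to subtract the root user from it.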

IBM AS400, Sun Oracle ALOM / ILOM / XSCF

No specific configuration is required for remote password reset for these resources, as Password Manager Pro will use the account of each resource itself to perform password reset.

MySQL/PostgreSQL Server

Password reset for a MySQL/PostgreSQL server is done over JDBC, so the MySQL/PostgreSQL administrator credentials are required. You can enable remote reset of the password of a MySQL/PostgreSQL server as follows:

Steps Required:

Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

  • Specify the port on which the MySQL/PostgreSQL server is listening. By default, MySQL listens on port 3306 and PostgreSQL on port 5432.
  • Specify the connection mode - the connection between the MySQL/PostgreSQL server and Password Manager Pro can be configured to be over an encrypted channel (SSL) or Non-SSL. Without SSL, the administrator credential and the new password cross the network in cleartext. If you choose SSL mode, do the following:

For SSL Mode:

To enable the SSL mode, the MySQL/PostgreSQL server must be serving over SSL, and you have to import the CA certificate that issued the database server's certificate into the Password Manager Pro server's certificate store. Import every certificate in that chain: the root CA certificate and any intermediate certificates.

To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux
importCert.sh    <Absolute Path of certificate>

Restart Password Manager Pro server. Then, continue with the following steps:

  • To enable Password Manager Pro to access the MySQL/PostgreSQL server, provide the administrator account name (for example, the MySQL root account).
  • Click "Save".

Oracle WebLogic Server

As Password reset for a WebLogic server is done over JMX, the administrator credentials must be specified before proceeding with the below steps.

Prerequisites:

  • The JAR files wljmxclient.jar, wlclient.jar, rmic.jar and weblogic.jar are available under <weblogic_install_directory>\wlserver\server\lib on the WebLogic server.
  • Copy these JAR files into the <PMP_SERVER_HOME>\lib folder on the machine running the PMP server.

Steps Required:

You can enable remote reset of the password of the WebLogic server as below: Navigate to Resources >> Resource Actions >> Configure Remote Password Reset.

    Specify the port where the WebLogic server is running. By default, WebLogic server occupies the port 7001. Specify the connection mode - connection between WebLogic Server and Password Manager Pro can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following.

For SSL Mode:

To enable the SSL mode, the WebLogic server must be serving over SSL, and you have to import the CA certificate that issued the WebLogic server's certificate into the Password Manager Pro server's certificate store. Import every certificate in that chain: the root CA certificate and any intermediate certificates.

To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux
importCert.sh    <Absolute Path of certificate>

Restart the Password Manager Pro server. Then, continue with the following steps:

  • To enable Password Manager Pro to access the WebLogic server, provide the WebLogic administrator account name.
  • Click Save.

MS SQL Server

As Password reset for MS SQL server is done over JDBC, it is required to provide either the MS SQL Administrator credentials or a domain account credential having enough privileges to modify SQL server passwords. You can enable remote reset of the password of MS SQL server as below:

Steps Required:

Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

  • Specify the instance name of the MS SQL server. If an instance name is specified, Password Manager Pro will try to connect to that instance; if it is not, Password Manager Pro will try to connect on the specified port.
  • Specify the port where the MS SQL server is running. By default, MS SQL occupies the port 1433.
  • Specify the connection mode - you can configure the connection between MS SQL Server and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:

To enable the SSL mode, the MS SQL server must be serving over SSL, and you have to import the CA certificate that issued the MS SQL server's certificate into the Password Manager Pro server's certificate store. Import every certificate in that chain: the root CA certificate and any intermediate certificates.

To import root certificate, open a command prompt and navigate to <pmp_server_home>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux
importCert.sh    <Absolute Path of certificate>

Restart Password Manager Pro server. Then, continue with the following steps.

  • To enable Password Manager Pro to access the MS SQL server, provide one of the following: an MS SQL Administrator account, or Windows Authentication details, that is, the domain of which the MS SQL server is a member and a user name from that domain with sufficient privileges to modify SQL Server logins.
  • Click "Save".

Oracle DB Server

To carry out password reset for Oracle DB server, administrative privileges are required. So, an administrator account has to be specified. You can enable remote reset of the password of Oracle DB server as below:

Steps Required:

Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

  • Specify the Oracle DB Listener Port. By default, the Oracle DB server listens on port 1521.
  • Specify the connection mode - you can configure the connection between the Oracle DB Server and Password Manager Pro to use Oracle's native network encryption (AES 256). If you choose the option 'YES' (encrypted mode), configure the server side as follows:
    • Start Oracle Net Manager.
    • In the Navigator window, select "Oracle Net Configuration".
    • Expand Local > Profile.
    • From the list in the right-hand pane, select "Oracle Advanced Security".
    • In the tabbed window that appears, click the "Encryption" tab.
    • In the Encryption drop-down list, select "Server".
    • For "Encryption Type", select "Accepted". Note that Accepted only encrypts a session when the client asks for it; if no cleartext session may reach this database at all, select "Required" instead, provided every other client of the database also negotiates encryption.
    • The 'Encryption Seed' field can be left blank or filled with 10 to 70 random characters.
    • Select the algorithm "AES 256".
    These settings correspond to the SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_TYPES_SERVER and SQLNET.CRYPTO_SEED parameters in the server's sqlnet.ora.
  • Specify an Oracle administrator account.
  • Specify the Oracle Service Name. By default, the service name is taken as ORCL.
  • Click "Save".

Sybase ASE

Prerequisites:

  • To perform remote password reset in Sybase ASE, jConnect 6.0 / jConnect 7.0 JDBC driver is required. The JDBC driver is a file named "jconn3.jar / jconn4.jar", which will be available under the path <sybase_install_directory>\jConnect_6_0\classes in Sybase ASE 15.0 or above.
  • Copy the "jconn3.jar / jconn4.jar" file and save it under the <pmp_install_directory>\lib folder in the machine, where the PMP server is running.

Steps Required:

As administrative privileges are required to carry out password reset for Sybase ASE, an administrator account has to be specified. Steps for enabling remote password reset for Sybase ASE are explained below:

  • Specify the Sybase ASE Port. By default, it listens on port 5000 (in SSL mode, the default port is 2748).
  • Specify the connection mode - you can configure the connection between Sybase ASE and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:
    • To enable SSL communication from Password Manager Pro to Sybase ASE:
      1. Copy the trusted root certificate of the Sybase server, found under <sybase_home>\ASE-15_0\certificates (in Sybase ASE 15.0), to the <pmp_install_directory>\conf\ folder.
      2. Import the certificate into PMP's keystore with the following command: '<pmp_home>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'.
      3. <rootcert.txt> is the root certificate of the Sybase ASE server, usually named <hostname>.txt.
    • Restart the Password Manager Pro server.
  • Specify an administrator account of Sybase ASE.
  • Click "Finish".

LDAP Server

Prerequisites:

When adding a new LDAP resource to Password Manager Pro, you must have specified the Distinguished Name (DN) of the LDAP server account being added. The exact DN depends on your directory's structure.

Example: cn=administrator,ou=people,dc=test,dc=com

Steps Required:

As administrative privileges are required to carry out password reset for LDAP server, an administrator account has to be specified.

For remote reset, Password Manager Pro supports the following types of LDAP servers:

Microsoft Active Directory, OpenLDAP, Oracle Internet Directory, and Novell eDirectory.

You can enable remote password reset for the above types of LDAP servers by following the instructions below:

Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

  • Specify the type of the LDAP Server being added.
  • Specify the LDAP server port. By default, it listens on port 389 (in SSL mode, the default port is 636).
  • Specify the connection mode - you can configure the connection between the LDAP server and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL.

    Note: If your LDAP server is Microsoft Active Directory, the connection must be over SSL: Active Directory refuses to set a password (the unicodePwd attribute) over an unencrypted LDAP connection. For the other types, you may choose SSL or Non-SSL, but a Non-SSL connection sends the administrator credential and the new password in cleartext, so use SSL unless the network path is otherwise protected. If you choose SSL mode, do the following.

    1. To enable the SSL mode, the LDAP server must be serving over SSL, and you have to import the CA certificate that issued the LDAP server's certificate into the Password Manager Pro server's certificate store. Import every certificate in that chain: the root CA certificate and any intermediate certificates.
    2. To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

      For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

    3. Restart Password Manager Pro server. Then continue with the following steps.
  • Specify an administrator account of LDAP server.
  • Click "Save".
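The reason Active Directory is SSL-only while the other directory types are not becomes clear from what each directory expects in the password-modify operation. The following is an added example, not Password Manager Pro code: it builds the attribute/value pair a client would send for each supported server type, using only the Python standard library. The DN, passwords and salt values are constructed; the OpenLDAP {SSHA} scheme is one common storage format, and the example assumes the directory is configured to accept it.

```python
"""Password value encoding for the LDAP server types listed above.

Added example, not Password Manager Pro code: it shows what each directory
expects in the modify operation, and why Active Directory only works over
SSL. The DN, passwords and salt below are constructed.
"""
import base64
import hashlib
import os


def ad_unicode_pwd(new_password):
    """Active Directory: unicodePwd is the password wrapped in double quotes
    and encoded as UTF-16LE. AD refuses to set this attribute over an
    unencrypted connection, which is why the SSL-only rule exists."""
    return f'"{new_password}"'.encode("utf-16-le")


def openldap_ssha(new_password, salt=None):
    """OpenLDAP: userPassword stored as {SSHA}base64(sha1(pw + salt) + salt).
    Sending a pre-hashed value keeps the plaintext out of the write; the
    server may alternatively be configured to hash a cleartext value itself."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(new_password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def password_modify(dn, server_type, new_password):
    """Attribute and value to replace for one of the supported server types.
    'ssl_required' is what the directory itself enforces; SSL is still the
    right choice for the others because the value travels in cleartext
    otherwise."""
    if server_type == "Microsoft Active Directory":
        return {"dn": dn, "attr": "unicodePwd",
                "value": ad_unicode_pwd(new_password), "ssl_required": True}
    if server_type == "OpenLDAP":
        return {"dn": dn, "attr": "userPassword",
                "value": openldap_ssha(new_password).encode("ascii"),
                "ssl_required": False}
    if server_type in ("Oracle Internet Directory", "Novell eDirectory"):
        # these directories accept a cleartext userPassword value and store it
        # in their own protected form
        return {"dn": dn, "attr": "userPassword",
                "value": new_password.encode("utf-8"), "ssl_required": False}
    raise ValueError(f"unsupported LDAP server type: {server_type}")


if __name__ == "__main__":
    dn = "cn=administrator,ou=people,dc=test,dc=com"   # constructed DN
    for kind in ("Microsoft Active Directory", "OpenLDAP", "Novell eDirectory"):
        m = password_modify(dn, kind, "Pa55")
        print(kind, m["attr"], m["value"], "ssl_required" if m["ssl_required"] else "")
```

Note that the AD value is a bare UTF-16LE byte string with the quotes included; a client that sends the UTF-8 password, or forgets the quotes, gets a constraint violation even over LDAPS. The SSHA helper is included so the OpenLDAP value can be checked locally, not because Password Manager Pro exposes it.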

HP ProCurve Devices

Password Manager Pro requires the Telnet or SSH service to be running on the resource. A Manager Account, the Manager Mode Prompt and the Configuration Mode Prompt are required for Password Manager Pro to log in to the resource; it uses configuration mode to reset the passwords. You can enable remote reset of passwords on your HP ProCurve devices by providing the following details:

Steps Required:

First, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

Remote Login Method

Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.

Manager Account

Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

Manager Mode Prompt

The prompt that appears after successful login.

Configuration Mode Prompt

This is for entering into privileged mode to perform password reset.

Copy Password Changes to Startup

If you want the password changes made to the running configuration from Password Manager Pro to be applied to the startup configuration, select this checkbox.

Note: Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including those made outside of Password Manager Pro, to be copied immediately.

HP iLO

Steps Required:

Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

Select the Remote Login Method.

  • Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset.
  • Select the required protocol. Telnet or SSH service must be running in the resource.
  • Then, specify the prompt that appears upon successful user login and also the user account with administrator privileges.

Cisco Devices (IOS/CatOS/PIX)

Password Manager Pro requires Telnet or SSH service to be running in the resource. Passwords of the enable mode and a user account are required for Password Manager Pro to log into the resource. Password Manager Pro will use the configuration terminal mode to reset the passwords. You can enable remote reset of passwords of your cisco devices by providing the following details:

Steps Required:

First, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

Remote Login Method

Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.

Remote Login Account

Login account for establishing connection with the device.

Account name required for login

For the user and enable modes, if the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

User Mode Prompt

The prompt that appears after successful login.

Enable Secret

The enable secret used to enter privileged (enable) mode so that the password reset can be performed. If the device has both an enable secret and an enable password configured, IOS uses the enable secret. If the remote login account already has enough privileges to modify passwords, it is not necessary to specify an Enable Secret.

Enable Password

The enable password used to enter privileged mode on devices that have no enable secret configured. If the remote login account already has enough privileges to modify passwords, it is not necessary to specify an Enable Password.

Enable Mode Prompt

This is the prompt that will appear after going into enable mode. For example, #.

Configuration Mode Prompt

To carry out any change to any feature/configuration of the device, you need to enter configuration mode. Enter here the prompt that appears after entering configuration mode. For example, (config)#.

Copy Password Changes to Startup

If you want the password changes made to the running configuration from Password Manager Pro to be applied to the startup configuration, select this checkbox.

Note: Exercise caution while enabling the option to copy the running configuration to the startup configuration, as it will cause the current configuration content, including those made outside of PMP, to be copied immediately.
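The fields above describe an expect-style session: each command is sent only after the previous output ended in the configured prompt. The following is an added example, not Password Manager Pro code, that walks through that session against a constructed in-memory stand-in for an IOS device, so the role of the User Mode Prompt, Enable Secret, Enable Mode Prompt, Configuration Mode Prompt and the copy-to-startup option can be seen end to end. Hostname, prompts, account names and secrets are illustrative.

```python
"""Prompt-driven reset on a Cisco IOS device, as the fields above describe:
match the User Mode Prompt, enter enable mode with the Enable Secret, match
the Enable Mode Prompt, enter configuration mode, set the new secret, return
to enable mode and, if requested, copy the running configuration to startup.

Added example, not Password Manager Pro code. FakeIosDevice is a constructed
in-memory stand-in that answers like an IOS CLI; hostname, prompts and
credentials are illustrative.
"""


class FakeIosDevice:
    """Tracks the CLI mode and returns what a real device would print."""

    def __init__(self, hostname="edge1", enable_secret="En4bleMe!"):
        self.hostname, self.enable_secret = hostname, enable_secret
        self.mode = "user"                    # user -> enable -> config
        self.running, self.startup = {}, {}   # username -> secret
        self.awaiting_enable_pw = False

    def prompt(self):
        return {"user": f"{self.hostname}>", "enable": f"{self.hostname}#",
                "config": f"{self.hostname}(config)#"}[self.mode]

    def send(self, line):
        """Process one input line; return the output ending in the next prompt."""
        if self.awaiting_enable_pw:
            self.awaiting_enable_pw = False
            if line == self.enable_secret:
                self.mode = "enable"
                return self.prompt()
            return "% Bad secrets\n" + self.prompt()
        if line == "enable" and self.mode == "user":
            self.awaiting_enable_pw = True
            return "Password: "
        if line == "configure terminal" and self.mode == "enable":
            self.mode = "config"
        elif line.startswith("username ") and self.mode == "config":
            _, user, _, secret = line.split(maxsplit=3)   # username U secret S
            self.running[user] = secret
        elif line == "end" and self.mode == "config":
            self.mode = "enable"
        elif line == "write memory" and self.mode == "enable":
            self.startup = dict(self.running)   # the whole running-config is saved
            return "Building configuration...\n[OK]\n" + self.prompt()
        else:
            return "% Invalid input\n" + self.prompt()
        return self.prompt()


def reset_password(dev, *, user_prompt, enable_secret, enable_prompt,
                   config_prompt, account, new_secret, copy_to_startup):
    """Drive the device expect-style: every step checks that the output ends
    with the configured prompt and aborts on mismatch rather than sending
    more. Returns the transcript with secrets redacted so it is safe to log."""
    transcript = []

    def step(cmd, expect):
        out = dev.send(cmd)
        shown = cmd
        for s in (enable_secret, new_secret):
            if s:
                shown = shown.replace(s, "***")
        transcript.append((shown, out))
        if not out.endswith(expect):
            raise RuntimeError(f"after {shown!r} expected {expect!r}, got {out!r}")

    if not dev.prompt().endswith(user_prompt):
        raise RuntimeError("device is not at the user mode prompt")
    step("enable", "Password: ")
    step(enable_secret, enable_prompt)
    step("configure terminal", config_prompt)
    step(f"username {account} secret {new_secret}", config_prompt)
    step("end", enable_prompt)
    if copy_to_startup:
        step("write memory", enable_prompt)
    return transcript


if __name__ == "__main__":
    dev = FakeIosDevice()
    for cmd, out in reset_password(dev, user_prompt="edge1>", enable_secret="En4bleMe!",
                                   enable_prompt="edge1#", config_prompt="edge1(config)#",
                                   account="pmpadmin", new_secret="N3w!Secret",
                                   copy_to_startup=True):
        print(f"> {cmd}\n{out}")
```

Two points the walk-through makes concrete. First, the prompts are matched as suffixes, so a bare "#" as the Enable Mode Prompt would also match "(config)#"; including the hostname in the prompt values avoids a false match that sends a command in the wrong mode. Second, "write memory" saves the entire running configuration, not just the password change, which is the reason for the caution in the note above.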

Juniper Netscreen Firewall Devices

Password Manager Pro requires the Telnet or SSH service to be running on the resource. A manager (admin) account and the prompt that follows its login are required for PMP to log in to the resource. You can enable remote reset of passwords on your Netscreen devices by providing the following details:

Steps Required:

First, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.

Remote Login Method

Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.

Manager Account

Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The corresponding account name will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

Manager Mode Prompt

The prompt that appears after successful login.

AWS IAM

Password reset for AWS IAM user accounts is done using AWS SDK.

Steps Required:

  • Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset. The administrator account's Access Key and Secret Key are required.

Note: The Access Key and Secret Key must already have been added as passwords in Password Manager Pro. They can be associated with accounts of any resource type; those accounts are then used for remote synchronization. The IAM principal that owns the key pair needs permission to change the target users' console passwords (the iam:UpdateLoginProfile action); scope that permission to the users PMP manages rather than granting full IAM administration, since anyone who can read the key pair in PMP inherits it.

 

Google Apps

Password reset for Google Apps is done using Google Data APIs. To enable the Password reset option for GApps, an administrator account has to be selected so that it can be used to reset the passwords of other admin/user accounts.

Microsoft Azure

Password reset for Microsoft Azure accounts is done using PowerShell. Note that password resets for Microsoft Azure resources work only with PowerShell 2.0 and above, and the MSOnline PowerShell module must be installed.

For resetting the passwords of user accounts, an administrator account has to be selected to enable login from remote.

Steps Required:

This can be done by navigating to the Resources tab >> Resource Actions >> Configure Remote Password Reset.

Steps to download and install Windows Azure AD Module for Powershell

Before you can configure Microsoft Azure with Password Manager Pro for Password Synchronization, you have to install the appropriate version of the Windows Azure AD Module for Windows PowerShell for your operating system.

For 32-bit systems:

  • Download and install the Microsoft Online Services Sign-In Assistant from here.
  • Download and install the Windows Azure AD Module for Windows PowerShell from here.

For 64-bit systems:

  • Download and install the Microsoft Online Services Sign-In Assistant from here.
  • Download and install the Windows Azure AD Module for Windows PowerShell from here.
  • After installing the module, move MSOnline and MSOnlineExtended folders from C:\Windows\System32\WindowsPowerShell\v1.0\Modules to  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules.

Rackspace

Password Reset for Rackspace user accounts is done using Rackspace REST APIs.

Steps Required:

  • To carry out password resets, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset. Here, a Rackspace administrative credential is required which has to be selected as the admin account.

Note: The following are the location-based Authentication End Points available for connection to the server.

US Based end point - https://identity.api.rackspacecloud.com/v2.0

UK Based end point - https://lon.identity.api.rackspacecloud.com/v2.0

Salesforce

Password reset for Salesforce user accounts is done using Force.com REST API.

Steps Required:

  • In order to proceed with the configuration, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset. The administrator account's Client ID and Client Secret are required.
  • The Client ID and Client Secret should have been added as a password in Password Manager Pro. This password can be associated with an account of any resource type, which will eventually be used for remote synchronization.

Configuring Remote Password Reset using PMP Agents

If you have devices in a demilitarized zone (DMZ), or multiple sites/networks separated by firewalls, Password Manager Pro will not have direct connectivity to those target systems. In such cases, you can use PMP agents to manage the passwords of those target systems. Password Manager Pro agents use one-way communication from the target system to the PMP application server, so no ports need to be opened for inbound traffic in the target network; only outbound access from the agent to the PMP web interface (default port 7272) is required.

To download the Password Manager Pro agent, navigate to the Admin tab and select the appropriate agent under the PMP Agents.

There are individual agents for Windows, Windows Domain and Linux. Of these, the domain agent must be deployed on a domain controller in the DMZ.

For detailed information on PMP Agents, follow the below link:

https://www.manageengine.com/products/passwordmanagerpro/help/password-reset-oneway-agents.html.

©2014, ZOHO Corp. All Rights Reserved.
