Remote Password Reset
(Feature available only in Premium and Enterprise editions)

  1. Overview
  2. Remote Password Reset via Agent-less Mode

    2.1 Configuring Remote Password Reset for individual resource types

    1. Windows / Windows Domain

    2. Linux/IBM AIX/HP UX/Solaris/Mac OS/VMWare ESXi

    3. IBM AS400/Sun Oracle ALOM/ILOM/XSCF

    4. MySQL/PostgreSQL

    5. Oracle WebLogic server

    6. MS SQL Server

    7. Oracle DB Server

    8. Sybase ASE

    9. LDAP Server

    10. HP ProCurve

    11. HP iLO

    12. Cisco Devices (IOS, CatOS, PIX)

    13. Juniper Netscreen

    14. AWS IAM

    15. Google Apps

    16. Microsoft Azure

    17. Rackspace

    18. Salesforce

    2.2 Configuring Remote Password Reset for Resource Types in Bulk

  3. Remote Password Reset via Agent Mode

1. Overview

Password Manager Pro (PMP) provides the option to remotely change the passwords of certain resource types. In general, you can configure remote password reset in Password Manager Pro for any device that can be reached via command-line interface (CLI) and accept commands for managing passwords.

PMP allows you to change the password of a remote resource through two modes: agent-less mode and agent mode.

2. Remote Password Reset via Agent-less Mode

If you're configuring remote password reset via agent-less mode, specify the account which will be used to log in remotely to the target resource and reset the password.

2.1 Configuring Remote Password Reset for Individual Resource Types

2.1.1 Windows

  1. Password Manager Pro is designed to perform password reset for all Windows local accounts using the service account with which it is running.

    Note: The aforementioned service account should have either domain admin rights or local admin rights in the PMP server and in the target systems that you would like to manage.

  2. Log in to the PMP server and open the Services console (services.msc) to update the service account of the Password Manager Pro service.
  3. However, if you'd like to override this and use a local account for the password reset, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and choose an admin account.
  4. If the PMP service is running with a privileged service account (Domain admin or Local admin on all member servers), it can forcefully reset Windows passwords without needing the old password to be present in PMP.


2.1.2 Windows Domain

If you are using the Privileged Accounts Discovery feature to import Windows resources from Active Directory, then PMP will automatically add your domain controller as a resource with Resource Type as Windows Domain.

To reset domain account passwords that are present in your Windows Domain resource, specify an admin account to be used for remote login as well as password reset. Follow the below steps to configure remote password reset.

  1. Navigate to the Resources tab and click Resource Actions >> Configure Remote Password Reset.
  2. Select the domain account as the administrator account and save.
  3. It is recommended to use the same Password Manager Pro Service Account here so that it will be helpful for AD Audit purposes.

Note: If PMP has the domain administrator credentials, it can reset domain account passwords regardless of the trust between the domain in which PMP server is installed and the target domain. Any user with 'modify password' permission for the domain account password in PMP will be able to modify the password.




2.1.3 Linux/IBM AIX/HP UX/Solaris/Mac OS/VMWare ESXi

For remote password reset of Unix resources, Password Manager Pro first uses the remote login account to log in to the target system. Privilege elevation is then needed to carry out the password reset. Password Manager Pro can use either of the two options available here: 'su' as root or, if the target system supports execution of password reset commands through sudo, 'sudo' to execute the remote password reset commands.

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and then do the following:

i. Selecting the Protocol

  1. Select the protocol for remote login method - SSH or Telnet. Next, specify your remote login account. For remote login, Password Manager Pro allows you to either choose an account of the resource type for which you're setting up the password reset or specify an account of any Windows Domain resource stored in Password Manager Pro. To use a Windows Domain account as the remote login account, select the option 'other resource' while setting up the remote login account. Then, specify the Resource Name as well as the Remote Login Account of the desired account.
  2. Specify the authentication method. If you have chosen Telnet, or SSH with a Windows Domain account, for remote login, you can skip this step and go to setting the privilege escalation method.

ii. If you opt for SSH, specify the authentication method

  1. If you choose SSH as the Remote Login Method and the remote Unix resource's account as the remote login account, there are two authentication methods you can choose from: "Password Authentication" or "Public Key Infrastructure"(PKI) Authentication.
  2. For PKI authentication, the public key must be present in the remote system under a specific remote login account. Typically, it is available under the $HOME/.ssh folder. Select the remote login account for which the public key is present; browse and supply the corresponding Private Key.

Note: Password Manager Pro supports SSH2 and above only.

iii. Specifying the root account/selecting 'sudo'

  1. As mentioned above, for executing remote password reset commands, PMP can use either 'su' as root or 'sudo', which allows the user to run the command with root privileges without having to switch to the root account.
  2. If you use the option, 'su' as root, select the root account.
  3. If the target system allows execution of password reset commands through 'sudo', then select that option.
  4. Click "Save".

    Note: You can also use SSH Command sets to configure remote password reset for the types Linux, IBM AIX, HP UX, Solaris, Mac OS, VMWare ESXi and any other Linux or Unix-based resource types. Click here to learn more.



2.1.4 IBM AS400/Sun Oracle ALOM/ILOM/XSCF

No specific password reset configuration is required for these resources, as PMP will use the accounts added to the resources to perform the password reset.


2.1.5 MySQL/PostgreSQL Server

As password reset for a MySQL/PostgreSQL server is done over JDBC, the MySQL/PostgreSQL administrator credentials are required. Follow the below steps to enable remote reset of the password of MySQL/PostgreSQL server:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Specify the port where the MySQL/PostgreSQL server is running. By default, MySQL/PostgreSQL occupies the port 3306.
  3. Specify the connection mode: the connection between the MySQL/PostgreSQL server and Password Manager Pro can be configured to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:

SSL Mode:

  1. To enable the SSL mode, the MySQL/PostgreSQL server should be serving over SSL and you have to import the MySQL/PostgreSQL server's root certificate into the PMP server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
  2. To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux
importCert.sh    <Absolute Path of certificate>

  1. Restart PMP server. Then, continue with the below steps.
  2. To enable access to the MySQL server for PMP, provide MySQL Root Account Name.
  3. Click Save.


2.1.6 Oracle WebLogic Server

As password reset for a WebLogic server is done over JMX, the administrator credentials must be specified before proceeding with the below steps.

Prerequisites

  1. The following JAR files wljmxclient.jar, wlclient.jar, rmic.jar, weblogic.jar will be available under the path <weblogic_install_directory>\wlserver\server\lib in the WebLogic server.
  2. Copy the JAR files and save them in the \lib folder in the machine running the PMP server.

Steps to Configure Remote Password Reset for Oracle WebLogic Server

Follow the below steps to enable remote reset of the password of the WebLogic server:

  1. Navigate to Resources >> Resource Actions >> Configure Remote Password Reset.
  2. Specify the port where the WebLogic server is running. By default, WebLogic server occupies the port 7001. Specify the connection mode - connection between WebLogic Server and PMP can be configured to be over an encrypted channel such as SSL or Non-SSL. If you choose SSL mode, do the following.

SSL Mode:

  1. To enable the SSL mode, the WebLogic server should be serving over SSL and you have to import the WebLogic server's root certificate into the PMP server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
  2. To import root certificate, open a command prompt, navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux
importCert.sh    <Absolute Path of certificate>

 

  1. Restart the PMP server. Then, continue with the following steps.
  2. To enable Password Manager Pro to access the WebLogic server, provide the WebLogic Root Account Name.
  3. Click Save.


2.1.7 MS SQL Server

As password reset for MS SQL server is done over JDBC, you must provide either the MS SQL Administrator credentials or the credentials of a domain account with enough privileges to modify SQL server passwords. Follow the below steps to enable remote reset of the password of MS SQL server:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Specify the instance name of MS SQL server. If the instance name is specified, PMP will try to establish connection with specified instance. If not, PMP will try to establish connection with the specified port.
  3. Specify the port where the MS SQL server is running. By default, MS SQL occupies the port 1433.
  4. Specify the connection mode - you can configure the connection between MS SQL Server and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:

SSL Mode:

  1. To enable the SSL mode, the MS SQL server should be serving over SSL and you have to import the MS SQL server's root certificate into the PMP server machine's certificate store. Import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
  2. To import root certificate, open a command prompt and navigate to <pmp_server_home>\bin directory and execute the following command:

For Windows
importCert.bat    <Absolute Path of certificate>

For Linux

importCert.sh    <Absolute Path of certificate>

  1. Restart PMP server. Then, continue with the following steps.
  2. To enable Password Manager Pro to access the MS SQL server, provide any one of the following details: Windows Authentication (OR) MS SQL Administrator Account. Select the domain name the MS SQL server is a part of and select any account present in the domain.
  3. Click Save.

2.1.8 Oracle DB Server

To carry out password reset for Oracle DB server, administrative privileges are required, so specify an administrator account. Follow the below steps to enable remote reset of the password of Oracle DB server:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Specify the Oracle DB Listener Port. By default, the Oracle DB server listens to the port 1521.
  3. Specify the connection mode - you can configure the connection between Oracle DB Server and Password Manager Pro to be over an encrypted channel (AES 256). If you choose the option 'YES' (encrypted mode), do the following:
    1. Start Oracle Net Manager.
    2. In the Navigator window, select "Oracle Net Configuration".
    3. Expand the option Local > Profile.
    4. From the list in the right side pane, select the option "Oracle Advanced Security".
    5. In the tabbed window that appears thereafter, click the tab "Encryption".
    6. In the drop-down list for Encryption, select the option "Server".
    7. For "Encryption Type" list, select the option "Accepted".
    8. The text field for 'Encryption Seed' can be left blank, or you can enter between 10 and 70 random characters.
    9. Select the algorithm "AES 256".
    10. Specify an Oracle administrator account.
  4. Specify the Oracle Service Name. By default, the service name is taken as ORCL.
  5. Click Save.


2.1.9 Sybase ASE

Prerequisites

  1. To perform remote password reset in Sybase ASE, jConnect 6.0 JDBC driver is required. The JDBC driver is a file named "jconn3.jar" which will be available under the path <sybase_install_directory>\jConnect_6_0\classes in Sybase ASE 15.0.
  2. Copy the "jconn3.jar" file and save it under <pmp_install_directory>\lib folder in the machine running the PMP server.

Steps to Configure Remote Password Reset for Sybase ASE

As administrative privileges are required to carry out password reset for Sybase ASE, specify an administrator account. Follow the below steps to enable remote password reset for Sybase ASE:

  1. Specify the Sybase ASE Port. By default, it occupies the port 5000 (in SSL mode, default port is 2748).
  2. Specify the connection mode - you can configure the connection between Sybase ASE and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode, do the following:

SSL Mode:

  1. Copy and save the trust root certificate of the Sybase server present under <sybase_home>\ASE-15_0\certificates (in Sybase ASE 15.0) to <pmp_install_directory>\conf\ folder.
  2. Run this command to import the certificate in PMP: '<pmp_home>\jre\bin\keytool.exe -import -v -alias sybase -file <rootcert.txt> -keystore server.keystore -keypass passtrix -storepass passtrix -noprompt'.
  3. <rootcert.txt> is the root certificate of the Sybase ASE and usually named as <hostname>.txt.
  1. Restart PMP server.
  2. Specify an administrator account of Sybase ASE.
  3. Click Save.


2.1.10 LDAP Server

Prerequisite

At the time of adding a new LDAP resource to Password Manager Pro, you must specify a Distinguished Name for the LDAP server account.

Example: c=administrator, cn=people, dc=test, dc=com.

Steps to Configure Remote Password Reset for LDAP Server

As administrative privileges are required to carry out password reset for LDAP server, an administrator account has to be specified.

For remote reset, Password Manager Pro supports the following types of LDAP servers:

  • Microsoft Active Directory
  • OpenLDAP
  • Oracle Internet Directory
  • Novell eDirectory.

Follow the below steps to enable remote password reset for the aforementioned types of LDAP servers:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Specify the type of the LDAP Server being added.
  3. Specify the LDAP server Port. By default, it occupies the port 389 (in SSL mode, default port is 636).
  4. Specify the connection mode - you can configure the connection between the LDAP server and Password Manager Pro to be over an encrypted channel (SSL) or Non-SSL. Except Microsoft Active Directory, for other LDAP servers, choose SSL or Non-SSL. If you choose SSL mode, do the following.

    Note: If the selected LDAP server is Microsoft Active Directory, the connection has to be through SSL only.

    SSL Mode:

    1. To enable the SSL mode, the LDAP server should be serving over SSL and you will have to import the LDAP server's root certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
    2. To import root certificate, open a command prompt and navigate to <PMP_SERVER_HOME>\bin directory and execute the following command:

      For Windows
      importCert.bat    <Absolute Path of certificate>

      For Linux
      importCert.sh    <Absolute Path of certificate>

  5. Restart PMP server. Then continue with the following steps.
  6. Specify an administrator account of LDAP server.
  7. Click Save.
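
Added example (not part of the PMP documentation or product): a pre-import check for the certificate file you pass to importCert.sh in the SSL Mode steps for MySQL/PostgreSQL, WebLogic, MS SQL and LDAP above. It assumes a PEM-encoded file and the OpenSSL 1.1.0 or later command-line tool; the helper name check_root_cert and the 30-day validity threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: sanity-check a CA certificate before adding it to a trust store.
# check_root_cert is a hypothetical helper name; it is not shipped with PMP.
#
# Usage: check_root_cert <root-cert.pem> [server-cert.pem]
# Return codes:
#   0  certificate looks suitable for import
#   2  file is not a PEM X.509 certificate
#   3  certificate is not a CA certificate
#   4  certificate expires within MIN_VALID_DAYS
#   5  the server certificate does not chain to this root

MIN_VALID_DAYS="${MIN_VALID_DAYS:-30}"

check_root_cert() {
    root="$1"
    leaf="${2:-}"

    # 1. The file must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$root" -noout >/dev/null 2>&1; then
        echo "FAIL: $root is not a PEM X.509 certificate" >&2
        return 2
    fi

    # 2. Only CA certificates belong in a trust store. A server (leaf)
    #    certificate carries no "CA:TRUE" basic constraint.
    if ! openssl x509 -in "$root" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $root is not a CA certificate" >&2
        return 3
    fi

    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    #    An expired root silently breaks every later SSL-mode password reset.
    if ! openssl x509 -in "$root" -noout \
            -checkend $((MIN_VALID_DAYS * 86400)) >/dev/null; then
        echo "FAIL: $root expires within $MIN_VALID_DAYS days" >&2
        return 4
    fi

    # 4. If the server's own certificate is available, confirm it chains to
    #    this root. -no-CApath keeps the system trust directory out of the
    #    decision, so only the file being imported can satisfy the check.
    if [ -n "$leaf" ] && \
       ! openssl verify -no-CApath -CAfile "$root" "$leaf" >/dev/null 2>&1; then
        echo "FAIL: $leaf does not chain to $root" >&2
        return 5
    fi

    # Print subject and SHA-256 fingerprint for out-of-band comparison.
    openssl x509 -in "$root" -noout -subject -fingerprint -sha256
}

# Run directly: ./check_root_cert.sh /path/to/root.pem [/path/to/server.pem]
if [ "$#" -gt 0 ]; then
    check_root_cert "$@"
fi
```

Compare the printed SHA-256 fingerprint with the value supplied by the server's administrator before running importCert.sh.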


2.1.11 HP ProCurve Devices

For HP ProCurve Devices, Password Manager Pro requires Telnet or SSH service to be running in the resource. Specify the Manager Account, Manager Mode Prompt and Configuration Mode Prompt details for PMP to log in to the resource. PMP will use the configuration mode to reset the passwords.

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Provide the following details:

i. Remote Login Method: Password Manager Pro supports SSH and TELNET protocols through which connection could be established with the device for password reset. Select the required protocol.

ii. Manager Account: Login account for establishing connection with the device. If the device is configured to prompt for the user name, then select the option Account name required for login. The account name associated will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

iii. Manager Mode Prompt: The prompt that appears after successful login.

iv. Configuration Mode Prompt: This is for entering into privileged mode to perform password reset.

v. Copy Password Changes to the Startup Configuration: Select this option to apply the password changes made to the running configuration in Password Manager Pro to the startup configuration.

Note: Enabling the option to copy the running configuration to the startup configuration will cause the current configuration content, including those made outside of Password Manager Pro, to be copied immediately.

 



2.1.12 HP iLO

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and enter the following details.

i. Remote Login Method: Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. For this to work, Telnet or SSH service must be running in the resource.

ii. Enter the port: By default, SSH occupies the port 22.

iii. Specify the prompt: Enter the prompt that appears upon successful user login and also the user account with administrator privileges.



2.1.13 Cisco Devices (IOS/CatOS/PIX)

Password Manager Pro requires Telnet or SSH service to be running in the resource. Passwords of the enable mode and a user account are required for PMP to log into the resource. Password Manager Pro will use the configuration terminal mode to reset the passwords. Follow the below steps to enable remote password reset for Cisco devices:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and specify the following details.

i. Remote Login Method: Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.

ii. Remote Login Account: Login account for establishing connection with the device.

iii. Account name required for login: For the user and enable modes, if the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The account name associated will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

iv. User Mode Prompt: The prompt that appears after successful login.

v. Enable Secret: This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify Enable Secret.

vi. Enable Password: This is for entering into privileged mode to perform password reset. If the remote login account has enough privileges to modify passwords, it is not necessary to specify Enable Password.

vii. Enable Mode Prompt: This is the prompt that will appear after going into enable mode. For example, #.

viii. Configuration Mode Prompt: To carry out any change to any feature/configuration of the device, you need to enter configuration mode. The prompt that will appear while going into configuration mode has to be entered here. For example, # "Primary Credentials".

ix. Copy Password Changes to the Startup Configuration: Select this option to apply the password changes made to the running configuration in Password Manager Pro to the startup configuration.

Note: Enabling the option to copy the running configuration to the startup configuration will cause the current configuration content, including those made outside of PMP, to be copied immediately.



2.1.14 Juniper Netscreen Firewall Devices

Password Manager Pro requires Telnet or SSH service to be running in the resource. Admin Account and Prompt of Admin Account are required for PMP to log in to the resource. Follow the below steps to enable remote reset of passwords for Netscreen devices:

  1. Navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset and specify the following details.

i. Remote Login Method: Password Manager Pro supports SSH and TELNET protocols by which connection could be established with the device for password reset. Select the required protocol.

ii. Manager Account: Login account for establishing connection with the device. If the device is configured to prompt for the user name, then check on the option 'Account name required for login'. The corresponding account name will then be used with the user name prompt. If this option is unchecked, Password Manager Pro will expect only the password prompt.

iii. Manager Mode Prompt: The prompt that appears after successful login.



2.1.15 AWS IAM

  1. Password reset for AWS IAM user accounts is done using AWS SDK.
  2. Navigate to the Resources tab >> Resource Actions >> Configure Remote Password Reset. The administrator account's access key and secret key are required.
  3. The access key and secret key should have been added as passwords in Password Manager Pro. These passwords can be associated with an account of any resource type, which can be used for the remote synchronization.


2.1.16 Google Apps

  1. Password reset for Google Apps is done using Google Data APIs.
  2. To enable the password reset option for GApps, select an administrator account so that it can be used to reset the passwords of other admin/user accounts.


2.1.17 Microsoft Azure

Prerequisites

Password reset for Microsoft Azure accounts is done using PowerShell, so it works only with PowerShell 2.0 and above. Also, the MSOnline module of PowerShell needs to be installed.

Steps to Download and Install Windows Azure AD Module for Powershell

Before you can configure Microsoft Azure with Password Manager Pro, install the appropriate version of the Windows Azure AD Module for Windows PowerShell for your OS.

For 32-bit Systems

  1. Download and install the Microsoft Online Services Sign-In Assistant from here.
  2. Download and install the Windows Azure AD Module for Windows PowerShell from here.

For 64-bit Systems

  1. Download and install the Microsoft Online Services Sign-In Assistant from here.
  2. Download and install the Windows Azure AD Module for Windows PowerShell from here.
  3. After installing the module, move the MSOnline and MSOnlineExtended folders from the path C:\Windows\System32\WindowsPowerShell\v1.0\Modules to C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules.

Steps to Configure Remote Password Reset for Microsoft Azure

For resetting the passwords of user accounts, select an administrator account to enable remote login.

  1. Navigate to the Resources tab >> Resource Actions >> Configure Remote Password Reset.
  2. Select an Administrator Account and click Save.


2.1.18 Rackspace

  1. Password Reset for Rackspace user accounts is done using Rackspace REST APIs.
  2. To carry out password resets, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset. Here, a Rackspace administrative credential is required which has to be selected as the admin account.

Note: The following are the location-based Authentication End Points available for connection to the server.

US-based end point: https://identity.api.rackspacecloud.com/v2.0

UK-based end point: https://lon.identity.api.rackspacecloud.com/v2.0



2.1.19 Salesforce

  1. Password reset for Salesforce user accounts is done using Force.com REST API.
  2. In order to proceed with the configuration, navigate to Resources tab >> Resource Actions >> Configure Remote Password Reset. The administrator account's Client ID and Client Secret are required.
  3. The Client ID and Client Secret should have been added as passwords in PMP. These passwords can be associated with an account of any resource type, which can be used for remote synchronization.


2.2 Configuring Remote Password Reset for Resource Types in Bulk

To configure remote password reset in bulk for the supported resource types, follow the below steps:

  1. Navigate to Resources tab and select the required resources.
  2. Go to Resource Actions >> Configure >> Remote Password Reset.

  1. In the Configure Remote Password Reset window that opens, all the available resources will be listed. Enter configuration settings individually and save changes. Click here for more details on how to configure password reset for each resource type.



3. Remote Password Reset via Agent Mode

If you have devices residing in a demilitarized zone (DMZ) or if you have multiple sites/networks protected by firewalls, then PMP will not have direct connectivity to those target systems. In such cases, use the PMP Agents to manage the passwords of those target systems. PMP Agents operate using a one-way communication from the target system to the PMP application server. Therefore, the ports do not have to be opened for inbound traffic in the target network. Only outbound access is required for the PMP Agent to reach the PMP login page (Default port: 7272).

To download the PMP Agent, navigate to the Admin tab >> PMP Agents. There are 64-bit and 32-bit agents for Windows, Windows Domain, and Linux. Among these, the Windows Domain Agent needs to be deployed in a DMZ domain controller.

Click here for more on PMP Agents.

©2014, ZOHO Corp. All Rights Reserved.
