Password Reset Listener
Password reset is one of the most important functions performed by PAM360 to protect sensitive resources from unauthorized access. PAM360 also allows you to carry out related follow-up tasks by invoking scripts or executables, referred to as Password Reset Listeners. This document walks you through the following topics:
1. What are the Follow up Actions you can do using Password Reset Listeners?
2. How does a Password Reset Listener Work?
A Password Reset Listener is a script or executable that you can have invoked whenever the password of an account is changed or reset in the PAM360 repository. The listener can be invoked even for local password changes, and also for resources for which remote password reset is not supported out-of-the-box by PAM360. You can configure listener scripts individually for each resource type, including user-defined resource types.
The script runs with the same privilege as the user account running the PAM360 server. For security reasons, a dual control mechanism is implemented, which ensures that two administrators see and approve the script before PAM360 invokes it. PAM360 will not invoke the script unless it has been approved by both administrators. For example, when an administrator adds or edits a password reset listener, PAM360 will not invoke the script until the other administrator has approved it. Thus, the add, edit and delete operations related to password reset listeners can be executed only with the approval of two administrators in PAM360. These actions are also audited for future reference. The password reset listener is invoked from a separate thread, so it does not impact the password reset process of PAM360. The listener scripts you add are stored in the same database as the other PAM360 data, so they are protected in the same way and are included in the backup if backup is configured for the PAM360 database. To set up a password reset listener,
3. Who can Add Password Reset Listeners?
Listeners can be added only by PAM360 administrators. In addition, every listener added must also be approved by a second administrator, to guard against the risks of invoking arbitrary scripts. So, once a listener is created and saved by an admin, it is sent to another administrator for approval. A mail is sent to the second administrator notifying them of the approval request. To approve a recently added password reset listener,
If you are an administrator, and another administrator requests you to approve a listener, you need to:
The listener creation, editing, deletion, and approval events are all audited.
4. Custom Listener
In addition to reset listeners, PAM360 allows you to provide your own implementation through "custom listeners". A custom listener lets you supply your own listener implementation class, which gives you complete flexibility to execute any post-password-reset follow-up action, instead of just letting PAM360 execute the listener script you provide.
How to create a custom listener?
Summary of the steps involved in custom listener creation:
Step 1: Write your own implementation class. Implement PAM360ListenerInterface (more details in the reference implementation below).
Step 2: Configuration in the PAM360 GUI. Add entries for the implementation class in the PAM360 GUI.
Step 3: Archive your implementation class as a .jar and put it into PAM360.
5. Reference Implementation
To explain how you can have your own listener implementation in PAM360, we are providing a reference implementation below. This implementation executes PowerShell scripts from a reset listener.
Step 1 - To write your own implementation class:
You need to write your own class implementing PAM360ListenerInterface.java, as explained below.
You can implement your class such that the properties of resources (resources and accounts in PAM360) are obtained as arguments. For example, if you need 'Resource Name', you may have to do it as below:
You may obtain the value of any property from the list of keys listed below.
Resource Properties (resourceProps)
Account Properties (accountProps)
Other Arguments
Sample implementation to execute PowerShell script
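As an added example (not the page's own reference implementation and not PAM360 project code), the class below shows the logic such a listener would run: it invokes a PowerShell script through ProcessBuilder, passing each property as its own argument so that a resource name containing quotes or semicolons cannot change the command, and bounding the script's runtime so a hung script cannot pin the listener thread. The PAM360ListenerInterface method signature, the property key names (RESOURCE_NAME, ACCOUNT_NAME, PASSWORD) and the script path are assumptions, since this page does not list them.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.TimeUnit;

// Hypothetical class: a real listener would implement PAM360ListenerInterface, whose
// method signature this page does not show, so the entry point below is assumed.
public class PowerShellResetListener {
    // Assumed script location; keep it writable only by the PAM360 service account,
    // because the script runs with that account's privileges.
    private static final String SCRIPT = "C:\\PAM360\\scripts\\post-reset.ps1";

    // Returns the script's exit code, or -1 if it was killed for exceeding the timeout.
    public int afterReset(Properties resourceProps, Properties accountProps)
            throws IOException, InterruptedException {
        // Build the argument vector element by element: no shell, no string concatenation,
        // so property values stay data and are never interpreted as command syntax.
        List<String> cmd = new ArrayList<>();
        cmd.add("powershell.exe");
        cmd.add("-NoProfile"); cmd.add("-NonInteractive");
        cmd.add("-ExecutionPolicy"); cmd.add("AllSigned");   // only signed scripts run
        cmd.add("-File"); cmd.add(SCRIPT);
        cmd.add("-ResourceName"); cmd.add(resourceProps.getProperty("RESOURCE_NAME", ""));
        cmd.add("-AccountName"); cmd.add(accountProps.getProperty("ACCOUNT_NAME", ""));

        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);   // merge stderr so the caller can log one stream
        Process p = pb.start();
        // If the follow-up action needs the new password, hand it over on stdin (read with
        // [Console]::In.ReadLine() in the script) rather than as an argument: command lines
        // show up in process listings and audit logs, stdin does not.
        try (OutputStream stdin = p.getOutputStream()) {
            String secret = accountProps.getProperty("PASSWORD", "");
            stdin.write((secret + System.lineSeparator()).getBytes(StandardCharsets.UTF_8));
        }
        // Bound the runtime: the listener runs on its own thread, but a hung script would
        // still leak that thread and a process on every reset.
        if (!p.waitFor(60, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            return -1;
        }
        return p.exitValue();
    }
}
```

Drain p.getInputStream() into your log before waitFor if the script can write more than a few kilobytes, otherwise the full pipe buffer stalls the script. The exit code is what you would record in your own audit trail alongside PAM360's listener audit.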
Step 2: Configuration in the PAM360 GUI
Add entries for your implementation class in the PAM360 GUI. To do this, navigate to Admin >> Password Reset Listener >> Add Listener and, in the GUI that opens, click the Custom Listener tab and then click the Add New link. Enter the following details:
Step 3: Archive your implementation class as a .jar and put it into PAM360
You need to package your implementation class as a .jar and put it into the <PAM360-Installation Folder>/lib directory.
Step 4: Restart PAM360
After completing the above steps, you need to restart PAM360 for this implementation to take effect.
6. Frequently Asked Questions