Password Reset Listener


Procedure applies to builds 8310 and below

Password reset is one of the critical functions performed by PAM360 to secure the sensitive data within an organization from unauthorized access. When passwords of critical systems are reset, they should be updated in the dependent services and systems that utilize this password to prevent service disruptions.

The Password Reset Listener in PAM360 is a post-reset mechanism that automatically synchronizes updated credentials with external applications and services. It helps administrators securely inject the new passwords across their environment, ensuring consistency across systems, applications, and databases. By doing so, it minimizes downtime caused by password mismatches and simplifies credential management.

This help document covers the following topics in detail:

  1. Roles and Permissions
  2. Workflow
  3. Follow-Up Actions Supported by PAM360
  4. Adding a Password Reset Listener
  5. Approving a Password Reset Listener
  6. Implementing a Custom Password Reset Listener
  7. Frequently Asked Questions

1. Roles and Permissions

By default, users with the Privileged Administrator and Administrator roles can add, manage, and configure password reset listeners in PAM360. Additionally, PAM360 allows administrators to configure custom user roles with the Manage Password Reset Listener privilege within Admin >> Customization >> Roles >> Custom Settings to add, manage, and approve password reset listeners.

2. Workflow

Whenever the password of an account stored in the PAM360 repository is rotated, the configured Password Reset Listener in PAM360 invokes a script or executable to update the passwords on dependent services and systems. The listener scripts can be invoked when the local account passwords are rotated and when the passwords of resource types for which remote password reset is not natively supported by PAM360 are rotated. Administrators can configure password reset listener scripts individually for each resource type, including the custom (i.e., user-defined) resource types.

  1. The listener scripts are executed in the same way as they would be executed from the operating system’s command prompt.
  2. If the scripts require another program to run (for example, cscript c:\scripts\changepassword.vbs old_password new_password), it can be specified as a Pre-Command.
  3. By default, PAM360 passes parameters such as the resource name, DNS name, account name, old password, and new password as arguments to the script.
  4. Additional arguments can also be configured through the Additional Parameters field.

For security reasons, the password reset listener scripts run with the same privilege as the user account running the PAM360 server, and a dual control mechanism ensures that any add, edit, or delete operation on password reset listeners is approved by another administrator. PAM360 will not invoke the script until it has been reviewed and approved.

The password reset listeners are invoked from a separate thread, so they do not affect the password reset process itself. Listener scripts are stored securely in the PAM360 database, ensuring that they benefit from existing database security and backup configurations.

3. Follow-Up Actions Supported by PAM360

PAM360 allows administrators to execute a range of follow-up actions via listener scripts immediately after a password reset. These actions help ensure that dependent services and processes remain synchronized with the updated credentials, minimizing disruptions. The supported follow-up actions include:

  1. Restarting dependent services immediately after password reset to ensure continuity without any service disruptions.
  2. Updating the credentials of Windows scheduled tasks and other associated processes to prevent authentication failures.
  3. For services that use accounts whose passwords are reset in PAM360, listener scripts can automatically update the stored credentials in the service’s Logon property.
  4. If accounts of network devices are added as resources in PAM360, their passwords can first be reset locally in PAM360, and then a custom listener script can be triggered to connect to the devices and apply the updated passwords directly on them.
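As an added example (not a script shipped with PAM360 or taken from this documentation), here is a listener script of the kind described in the Workflow section and in follow-up actions 1 and 3 above: it reads the positional arguments PAM360 passes (resource name, DNS name, account name, old password, new password), takes the Windows service name from the Additional Parameters field, updates that service's Logon credential, and restarts it. The argument order, the log file location and the use of CIM over the network are assumptions about your build and environment.

```powershell
# Added example, not a script shipped with PAM360. Argument order assumed to match the
# documented defaults (resource name, DNS name, account name, old password, new password),
# followed by one value from the Additional Parameters field: the Windows service name.
param(
    [Parameter(Mandatory)][string]$ResourceName,
    [Parameter(Mandatory)][string]$DnsName,
    [Parameter(Mandatory)][string]$AccountName,
    [Parameter(Mandatory)][string]$OldPassword,   # passed by PAM360; not needed for a Logon update
    [Parameter(Mandatory)][string]$NewPassword,
    [Parameter(Mandatory)][string]$ServiceName    # from Additional Parameters (assumption)
)
$ErrorActionPreference = 'Stop'
# Keep an audit trail for troubleshooting, but never write either password to disk.
$logFile = Join-Path $env:ProgramData 'pam360-listener.log'   # assumed log location
function Write-Log([string]$Message) {
    "$(Get-Date -Format o) [$ResourceName/$AccountName/$ServiceName] $Message" | Add-Content -Path $logFile
}

try {
    # Look the service up on the target host (needs admin rights there, held by the PAM360 or agent account).
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $DnsName | Where-Object Name -eq $ServiceName
    if (-not $svc) { throw "Service '$ServiceName' not found on $DnsName" }

    # Guard: only change the Logon credential if the service really runs as the rotated account
    # (StartName is usually '.\user' or 'DOMAIN\user'; UPN-style names would need a different check).
    if ($svc.StartName -notlike "*\$AccountName") {
        throw "Service runs as '$($svc.StartName)', not '$AccountName'; leaving it untouched"
    }

    # Update the service's Logon password (Win32_Service.Change) to the newly reset value.
    $change = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $NewPassword }
    if ($change.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($change.ReturnValue)" }

    # Restart so the running process picks up the new credential rather than failing on its next start.
    if ($svc.State -eq 'Running') {
        $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
        Start-Sleep -Seconds 5
    }
    $start = Invoke-CimMethod -InputObject $svc -MethodName StartService
    if ($start.ReturnValue -ne 0) { throw "StartService failed with return code $($start.ReturnValue)" }

    Write-Log 'Logon credential updated and service restarted'
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit code signals failure back to PAM360
}
```

Because PAM360 passes the passwords as command-line arguments, keep the script's output and log free of them; the exit code is what PAM360 needs to record success or failure.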

4. Adding a Password Reset Listener

Caution

The Execution Order and Execution Mode fields shown while adding a Password Reset Listener are available only in build 5710 and later.

Follow these steps to set up a new password reset listener:

  1. Navigate to Admin >> Password Management >> Password Reset Listener.
  2. In the Password Reset Listener window that appears, click the Add Listener button in the top pane.
  3. In the pop-up window that appears, enter the following details:
    1. Pre Command - If the script you are adding requires another program to run (for example, cscript c:\scripts\changepassword.vbs old_password new_password), specify it in this field.
    2. Listener Name - Enter a name for the password reset listener you are creating.
    3. Listener Script - Click the Browse button and upload the listener script from your machine. The allowed maximum file size is 5 MB.
    4. Additional Parameters - If you want to pass additional parameters to the script, specify them in this field. These parameters will be passed as arguments to the script during execution in the specified order.
    5. Execution Order - Select the execution order of the script. This allows administrators to execute the script before or after the password reset operation.
    6. Resource Types - Click on the desired resource type in the left column and click the right arrow button to select that resource type. Repeat this step for all the required resource types for which you are configuring this password reset listener.
    7. Execution Mode - Click on the drop-down menu and select the desired execution mode from the given options: Agentless, Agent, or Agentless & Agent.
      • If you choose the Agentless mode, the script will be executed in the PAM360 server.
      • If you choose the Agent mode, the script will be executed on the agent machine.
      • If you choose the Agentless & Agent mode, the script will be executed first in the PAM360 server, and if it fails, it will then be executed in the agent machine.
  4. After adding the necessary details, select an administrator from the drop-down option beside the Send Approval Request to field and click Save. An email will be sent to the selected administrator notifying them of the approval request.
  5. The listener script will be added successfully once it is approved by the selected administrator.

5. Approving a Password Reset Listener

By default, users with an administrator type user role can add password reset listeners in PAM360. Additionally, every password reset listener added by an administrator must be approved by another administrator to ensure that only authorized and necessary scripts or programs are invoked. Follow these steps to approve the addition of a password reset listener:

  1. Navigate to Admin >> Password Management >> Password Reset Listener.
  2. On the Password Reset Listener page, you will see the list of all the listeners added in your environment.
  3. Click the Approve button located under the Approval Status column beside the desired listener you want to approve.

All the events related to password reset listeners are audited in PAM360.

6. Implementing a Custom Password Reset Listener

In addition to the default password reset listeners, PAM360 allows you to implement your own custom listeners. A custom listener provides the flexibility to define and execute any post-password-reset follow-up action beyond the standard listener scripts. This can be achieved by writing your own implementation class that integrates with PAM360 through the provided interface.

The following steps walk through a sample custom listener that executes PowerShell scripts:

  1. Write your own implementation class that implements the PAM360ListenerInterface.java interface to define your custom listener as shown below:
      import java.util.Properties;
      // The Logger class comes from the logging library bundled with PAM360; its import is not shown here.

      public interface PAM360ListenerInterface {
          static final Logger LOG = Logger.getLogger(PAM360ListenerInterface.class.getName());

          // Called by PAM360 after (or, depending on the Execution Order, before) the password reset.
          // The returned String is recorded in the audit trail.
          public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception;
      }
  2. Implement your class so that it reads the resource and account properties passed to it as arguments. PAM360 passes the various resource and account properties to your implementation class; for example, resourceProps.get("RESOURCENAME") returns the Resource Name.
  3. Add your implementation class as a custom listener in PAM360. To do so, navigate to Admin >> Password Management >> Password Reset Listener >> Add Listener.
  4. In the window that appears, switch to the Custom Listener tab and enter the following details:
    1. Class Name - Select the desired implementation class from the available options. Click the Add New button to add a new implementation class.
      • New Class Name - Enter the name for your implementation class in this field.
      • Implementation Class - Enter your implementation class in this field.
    2. Description - Enter a brief description for the custom listener you are adding in this field.
    3. Listener Name - Enter a name for the password reset listener you are creating.
    4. Listener Script - Click the Browse button and upload the listener script from your machine. The allowed maximum file size is 5 MB.
    5. Resource Types - Click on the desired resource type in the left column and click the right arrow button to select that resource type. Repeat this step for all the required resource types for which you are configuring this custom reset listener.
    6. After adding the necessary details, select an administrator from the drop-down option beside the Send Approval Request to field and click Save. An email will be sent to the selected administrator notifying them of the approval request.
  5. Convert your implementation class into a .jar file and move the .jar file to the <PAM360-Installation-Directory>/bin folder.
  6. Restart the PAM360 service for the changes to take effect.

You can retrieve the value of any property using the keys listed below.

Resource Properties (resourceProps)

  RESOURCENAME - Name of the resource added in PAM360.
  IPADDRESS - DNS name or IP address of the resource.
  RESOURCEURL - Resource URL configured for the resource.
  DOMAINNAME - Domain name for Windows Domain resources.
  SSHPORT - SSH port number if the device supports SSH connections.
  RESOURCEDESC - Description of the resource.
  LOCATION - Location of the resource.
  DEPARTMENT - Department to which the resource belongs.
  Custom Resource Columns - The label name of each custom column serves as the key and returns the value of that resource column.

Account Properties (accountProps)

  DESCRIPTION - Description of the account.
  LOGINNAME - Login name of the user account added in PAM360.
  PASSWORD - Password of the user account.
  DOMAINNAME - Domain name for Windows Domain resources.
  COMPLIANTSTATUS - Whether the password complies with the password policy configured in PAM360.
  COMPLIANTREASON - Provides the reason if the password does not comply with the policy.
  EXPIRYSTATUS - Status of password expiry for the account.
  PASSWRDSYNCSTATUS - Whether the password is in sync with the password set on the remote resource.
  Custom Account Columns - The label name of each custom column serves as the key and returns the value of that account column.

Other Arguments

  listenerFilePath - Path to the script or file to be invoked as the listener. You can also specify this file while configuring the listener in PAM360.
  oldPassword - Old password passed to the implementation class to facilitate the password reset operation.



Below is an example of a custom implementation class designed to execute a PowerShell script using the listener mechanism:

import java.util.Properties;
public class PowerShellListener implements PAM360ListenerInterface {
    public String executeListener(Properties resourceProps, Properties accountProps, String listenerFilePath, String oldPassword) throws Exception {
        String message = "Executed Successfully"; // returned to PAM360 and recorded in the audit trail
        // Read the properties passed in by PAM360 (keys listed above); never log the password values
        String resourceName = resourceProps.getProperty("RESOURCENAME"), loginName = accountProps.getProperty("LOGINNAME"), newPassword = accountProps.getProperty("PASSWORD");
        // Call the PowerShell script with the properties as positional arguments; inheritIO() stops a full output pipe from blocking the script
        Process proc = new ProcessBuilder("powershell.exe", "-NonInteractive", "-File", listenerFilePath, resourceName, loginName, oldPassword, newPassword).inheritIO().start();
        if (proc.waitFor() != 0) message = "Listener script failed with exit code " + proc.exitValue();
        return message;
    }
}

7. Frequently Asked Questions


1. What Execution Order options are available in the Password Reset Listener?

Two options are available: Pre (executes the script before the password reset) and Post (executes the script after the reset).

2. Are there any reports for resources configured with the Password Reset Listener?

Yes. Navigate to Reports >> Query Reports >> Resources and search for Password Reset Listener. The report lists resources configured with the listener.

3. After upgrading to PAM360 build 5710, what mode will be applied to the existing listeners?

By default, all existing listeners will be set to Agentless mode with Post as the execution order.





