Password Reset Plugin
PAM360 primarily provides out-of-the-box support to enforce automatic remote password reset for a wide range of commonly used resource types such as Windows local accounts, Windows domain accounts, Linux root accounts, etc. In addition to this, the Password Reset Plugin feature enables you to add your own implementation class and enforce automatic password resets for resources that are not supported by PAM360 out-of-the-box such as legacy resource types, in-house applications, etc.
With the plugin, you can also leverage access control for legacy accounts and enable automatic reset of passwords instantly upon usage. This way, the passwords of these accounts will serve as one-time passwords that are reset after every use via the associated plugin.
How does a Password Reset Plugin Work?
A Password Reset Plugin is primarily an implementation class that an administrator has to manually add in PAM360. The plugin can be invoked from the PAM360 server to connect to a remote resource and carry out a password reset. Password reset plugins can be configured individually for resources that are of user-defined resource types.
When you trigger a password reset for a resource belonging to a custom resource type with which a password reset plugin has been associated, PAM360 will invoke the interface methods of that plugin. Once invoked, the plugin will first connect to the remote resource and try to reset the password of the resource. If the remote password reset is successfully completed by the plugin, PAM360 will subsequently update the new password in its repository. In addition to this, the plugin helps you verify whether the password of a remote resource is in sync with the one saved locally in PAM360's repository.
Who can Add Password Reset Plugins?
Password Reset Plugins can be added only by users with either the default administrator roles or custom roles that are provisioned with the "Manage Password Reset Plugin" scope under the operation category, "Custom Settings." Besides, all plugins added should also be approved by a second administrator to guard against potential risks associated with invoking arbitrary plugins.
Approving a recently added password reset listener:
If you are an administrator, and another administrator requests you to approve the addition of a password reset plugin, you need to:
- Navigate to Admin >> Customization >> Password Reset Plugin.
- Click the link under Approval Status column, beside the plugin which has to be approved.
Plugin creation, editing, deletion, and approval events are all audited for future reference.
How to Add a Password Reset Plugin?
Summary of Steps
- Create your Implementation Class
- Compilation
- Implementation Tips
- Configurations in PAM360 Installation
1. Create your Implementation Class
Write a Java class by implementing the RemotePasswordReset interface:
    public interface RemotePasswordReset
    {
        public boolean changeRemotePassword(Properties resetProps) throws Exception;
        public String getErrorMessage() throws Exception;
        public boolean verifyRemotePassword(Properties verifyProps) throws Exception;
        public boolean isDeviceAvailable(Properties verifyProps) throws Exception;
    }
Implementation description:
    import java.util.Properties;

    // This interface provides the methods of a password reset plugin. Your class needs to implement it.
    public interface RemotePasswordReset
    {
        /**
         * Actual function that will be called whenever "change remote password" functionality is triggered.
         * @param resetProps will contain all the details regarding the account for which password reset is triggered.
         * @return Final output that will be sent to PAM360 server.
         * {@code true} Success case - Allows the operation to proceed.
         * {@code false} Failure case - Denies the operation to proceed.
         */
        public boolean changeRemotePassword(Properties resetProps) throws Exception;

        /**
         * Used to display the error message while doing the remote password reset and verification operations.
         * The output gets reflected in audit trails.
         * @return Error message. If password reset is successful, return null. Otherwise, return a proper error message.
         */
        public String getErrorMessage() throws Exception;

        /**
         * This function will be called whenever "verify remote password" functionality is triggered.
         * @param verifyProps will contain all the details regarding the account for which "verify remote password" was triggered.
         * @return Final output that will be sent to PAM360 server.
         * {@code true} Success case - Allows the operation to proceed.
         * {@code false} Failure case - Denies the operation to proceed.
         */
        public boolean verifyRemotePassword(Properties verifyProps) throws Exception;

        /**
         * This function will be called before the "verify remote password" function to check the accessibility
         * of the device for which verify password was triggered.
         * @param verifyProps will contain all the details regarding the account for which verify remote password was triggered.
         * @return Final output that will be sent to PAM360 server.
         * {@code true} Success case - Allows the operation to proceed.
         * {@code false} Failure case - Denies the operation to proceed.
         */
        public boolean isDeviceAvailable(Properties verifyProps) throws Exception;
    }
2. Compilation
<PAM360_HOME>\lib folder.
AdventNetPassTrix.jar;
json_simple-1.1.jar;
For example:
For Windows:
    javac -d . -cp AdventNetPassTrix.jar;json_simple-1.1.jar; JiraServerResetImplementation.java
For Linux (the classpath separator is a colon; a trailing semicolon would end the shell command before the source file name):
    javac -d . -cp AdventNetPassTrix.jar:json_simple-1.1.jar JiraServerResetImplementation.java
3. Implementation Tips
You can implement your class in such a way that properties of resources (resources and accounts in PAM360) are obtained as arguments. You may obtain the value of any property from the list of keys listed below.
| Property lookup | Returns |
|---|---|
| resetProps.get("RESOURCEID"); | Returns a Long object of the resource ID. |
| resetProps.get("ACCOUNTID"); | Returns a Long object of the account ID. |
| resetProps.get("OLDPASSWORD"); | Returns a String object of the account's old password. |
| resetProps.get("NEWPASSWORD"); | Returns a String object of the account's new password that has been set. |
| resetProps.get("RESOURCENAME"); | Returns a String object of the resource name. |
| resetProps.get("DNSNAME"); | Returns a String object of the resource's DNS name. |
| | Returns a String object of the account name. |
| resetProps.get("OSTYPE"); | Returns a String object of the resource's OS type. |
| resetProps.get("NOTES"); | Returns a String object of the notes present under the account details. |
| resetProps.get("LOGINNAME"); | Returns a String object of the login name of the user who initiated the password reset. |
| resetProps.get("IPADDRESS"); | Returns a String object of the IP address of the resource. |
| resetProps.get("RESOURCEDETAILS"); | Returns a ResourceDetails object that contains all other details of the resource. |
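A plugin built on the interface and property keys above, as an added example that is not ManageEngine's code or the sample class this page refers to. It resets a password over HTTPS on a hypothetical in-house application and keeps passwords out of the error message, because that message ends up in audit trails. Assumptions: the class name, port 8443, the /api/password and /api/session endpoints, the ACCOUNT_KEY placeholder (the account-name key is not shown above), OLDPASSWORD being present in verifyProps, and Java 11 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.net.*;
import java.net.http.*;
import java.time.Duration;
import java.util.*;
// Redeclared from the page so this file compiles alone; a deployed plugin implements the shipped interface.
interface RemotePasswordReset {
    boolean changeRemotePassword(Properties resetProps) throws Exception;
    String getErrorMessage() throws Exception;
    boolean verifyRemotePassword(Properties verifyProps) throws Exception;
    boolean isDeviceAvailable(Properties verifyProps) throws Exception;
}
public class InHouseAppResetPlugin implements RemotePasswordReset {
    static final String ACCOUNT_KEY = "<ACCOUNT-NAME-KEY>"; // placeholder: key not shown on the page
    static final int PORT = 8443;                           // assumed HTTPS port of the application
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private String error; // reflected in audit trails, so it must never contain a password
    public boolean changeRemotePassword(Properties p) { return call(p, "POST", "/api/password", "NEWPASSWORD"); }
    public boolean verifyRemotePassword(Properties p) { return call(p, "GET", "/api/session", null); }
    public String getErrorMessage() { return error; }
    public boolean isDeviceAvailable(Properties p) {
        try (Socket s = new Socket()) { s.connect(new InetSocketAddress(host(p), PORT), 3000); return true; }
        catch (Exception e) { return fail("Device unreachable: " + e.getClass().getSimpleName()); }
    }
    // Authenticates with the current password over TLS; certificate checks stay at the JDK default.
    private boolean call(Properties p, String method, String path, String sendKey) {
        error = null;
        try {
            byte[] cred = (str(p, ACCOUNT_KEY) + ":" + str(p, "OLDPASSWORD")).getBytes(UTF_8);
            HttpRequest.BodyPublisher body = sendKey == null ? HttpRequest.BodyPublishers.noBody()
                : HttpRequest.BodyPublishers.ofString("newPassword=" + URLEncoder.encode(str(p, sendKey), UTF_8));
            HttpRequest req = HttpRequest.newBuilder(new URI("https", null, host(p), PORT, path, null, null))
                .timeout(Duration.ofSeconds(10)).header("Content-Type", "application/x-www-form-urlencoded")
                .header("Authorization", "Basic " + Base64.getEncoder().encodeToString(cred))
                .method(method, body).build();
            int status = http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
            return status / 100 == 2 || fail("Remote system answered HTTP " + status);
        } catch (Exception e) { return fail("Request failed: " + e.getClass().getSimpleName()); } // never e.getMessage()
    }
    private static String host(Properties p) { // accept only a plain host name or IP, nothing URL-like
        String h = str(p, "DNSNAME");
        if (h.matches("[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")) return h;
        throw new IllegalArgumentException("bad DNSNAME");
    }
    private static String str(Properties p, String key) { // property must be a non-empty String
        if (p.get(key) instanceof String && !((String) p.get(key)).isEmpty()) return (String) p.get(key);
        throw new IllegalArgumentException("missing " + key);
    }
    private boolean fail(String msg) { error = msg; return false; }
}
```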
4. Configurations in PAM360 Installation
- The first step is adding the password reset plugin to PAM360. Navigate to Admin >> Customization >> Password Reset Plugin.
- Here, click on the Add Password Reset Plugin tab.
- In the dialog box that opens, give a suitable name to your plugin, and specify the name of the implementation class, for example, "com.manageengine.helpdesk.JIRASecretResetPlugin".
- After adding the plugin details, choose an administrator from the drop down list to send the approval request to, and click Save.
- Once the plugin is approved, you can add the resource type for which you want to use the plugin to reset such resources' passwords. To do so, navigate to the Resources tab and click on the Resource Types button at the top. Alternatively, you can also add a new resource type by navigating to Admin >> Customization >> Resource Types.
- In the Resource Types page, click on Add and switch to the Advanced tab in the dialog box that opens.
- Give a suitable name and set an icon (optional) for the custom resource type. Next, choose the Password Reset Plugin radio button.
- All the approved plugins will be available under the "Reset method similar to:" drop-down menu. Choose the required plugin, and click Save.
- This plugin will now be invoked whenever you create a resource of this custom type, configure remote password reset for the resource's privileged accounts, and trigger the reset action.
Note: When you click 'Save' in the above step, an email will be sent to the chosen administrator regarding the request. In addition to this, all the administrators apart from you will be notified of the request; any of them can approve it by either clicking on the notification or navigating to Admin >> Customization >> Password Reset Plugin, and approving it under the 'Approval Status' column beside the plugin.
For further information, refer to this sample implementation class created to reset the user account passwords of Jira Service Desk. You can implement this code in the password reset plugin and reset the passwords of Jira Service Desk.
Ensure the below SHA256 value upon downloading the file:
SHA256 Checksum: