Tech Tip - CA Single Sign-On:Policy Server: Read Password Blob Utility

By Ujwol posted 02-28-2016 08:12 PM

  

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Feb 29, 2016

 

Problem Summary

 

The “Password Data” user attribute value is commonly called the “Password Blob”. It is an enciphered collection of several virtual user attributes used by SiteMinder Basic Password Services.

These virtual attributes are:

 

  1. Current Login Failure Count
  2. Last Login Timestamp
  3. Previous Login Timestamp
  4. Disabled Timestamp
  5. Password History
  6. Last Password Change Timestamp (from the most recent entry in the Password History)

 

An authentication attempt against an active (not disabled) user's account, or any forced setting of a user's password (via the Admin API), causes at least one read-modify-write access of the Password Blob in the user directory. Note that the "modify" part includes deciphering and unpacking the blob, modifying some of the virtual attributes, then packing and enciphering the attributes into the new Password Blob.

 

The Password History is a FIFO record of a user's current and most recent passwords. Each entry comprises a password string and the timestamp of when the password was entered into the history. The maximum number of entries maintained for a user depends on the password reuse restrictions in all of the Password Policies that apply to that user at the time the Password Blob is updated.

 

The purpose of this article is to provide a utility that reads these attributes from the Password Blob.

Please note:

  • This utility will not be able to read the Password History attribute from the Password Blob.
  • This utility is developed using the SiteMinder Java SDK (DMS API) and requires a JDK to be installed on the box it is run from.
  • The utility takes the SiteMinder administrator password and the 4x agent shared secret as command-line arguments, so they are stored in clear text in rpb-run.bat / rpb-run.sh and are visible to anyone who can list processes on that host while it runs. Protect the script accordingly and run it from an administrative workstation.
  • With debug=true the utility also prints the user directory's connection settings, including the directory bind password, in clear text (see the debug sample output below). Treat that output as sensitive and redact it before attaching it to a support case.
  • A timestamp of January 01 1970 (or December 31 1969, depending on the time zone of the box running the utility) is the Unix epoch rendered in local time and means the attribute has never been set, for example a user who has never been disabled or has never changed password through SiteMinder Password Services.

 

Instructions

 

Follow the steps below to run the Read Password Blob Utility:

1. Download and extract the attached RPB.zip

2. Ensure the JAVA_HOME environment variable is set to <Path to JDK Install Directory>/bin; the run script invokes %JAVA_HOME%\java directly.

3. Open a command prompt in the "RPB" folder and execute rpb-build.bat (rpb-build.sh on Unix). This compiles the utility's Java source (written against the SDK) with your installed JDK.

4. Edit rpb-run.bat (rpb-run.sh for unix), and modify the parameters as per your setup :

    e.g.

"%JAVA_HOME%\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true

 

Where,

psip = Policy Server IP address or host name

agentip = Not used by the utility; leave the default value.

adminuser = CA SiteMinder administrator user ID

adminpass = CA SiteMinder administrator password

orgroot = Search root DN (for an ODBC user store, give any dummy value; the parameter is required but not used)

userdn = DN of the user whose Password Blob attributes you want to read (for an ODBC user store, the user name, as in TEST 2 below)

userdir = Name of the User Directory as defined in the Administrative UI

agentname = Name of the 4x agent (ensure the "Supports 4x agents" check box is checked for it in the Administrative UI)

agentsecret = Shared secret configured for that 4x agent

debug = true|false to enable or disable debug output. Debug output includes the user directory's connection settings, including its bind password in clear text.

 

5. Save rpb-run.bat

6. Execute rpb-run.bat

 

TEST 1 : LDAP Directory 

Sample output: (with debug=false)

 

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug false

 

Output :

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
 
Get user directory list: STATUS_OK
Get user directory AD2k8-01: STATUS_OK
Get capabilities: STATUS_OK
 
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
C:\Users\Administrator\Desktop\RPB>
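The utility reads one user per run and leaves the epoch sentinel for the reader to recognise. The following Python wrapper is an added example, not part of RPB.zip or of CA's SDK samples: it builds the same java command line that rpb-run uses, runs it once per user DN listed in a file, parses the "Obtaining Password State:" block shown above, blanks timestamps that are the rendered Unix epoch (unset), and writes one CSV row per user with an "Attention" flag for disabled accounts or accumulated login failures. The jar names, class name and -option names are taken from the rpb-run command line above; the JAVA_HOME / RPB_<OPTION> environment variables, the DN-file input, the CSV layout and the epoch detection rule are this script's own assumptions. Run it with no arguments and it parses the TEST 1 output above instead of invoking the tool, so it can be exercised without a Policy Server.

```python
"""Batch wrapper for the Read Password Blob utility (added example, not part of RPB.zip):
runs ReadPasswordBlob once per user DN, parses the "Obtaining Password State:" block
of its output and writes one CSV row per user, with unset (epoch) timestamps blanked."""
import csv
import os
import re
import subprocess
import sys
from datetime import datetime

FIELDS = ["LoginFailures", "LastLoginTime", "PrevLoginTime", "DisabledTime", "LastPWChangeTime"]
OPTIONS = ("psip", "agentip", "adminuser", "adminpass", "orgroot", "userdir", "agentname", "agentsecret")
STATE_MARKER = "Obtaining Password State:"
LINE_RE = re.compile(r"^(\w+):\s+(.+)$")
TIME_FMT = "%B %d %Y %H:%M:%S"          # e.g. "February 24 2016 17:57:25"

# TEST 1 output (debug=false) copied from the page; parsed when no DN file is given.
SAMPLE_OUTPUT = """\
Get user directory AD2k8-01: STATUS_OK
Get capabilities: STATUS_OK

Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
"""

def parse_timestamp(text):
    """Return a datetime, or None for the Unix epoch.
    Assumption (from the sample outputs and comments): a zero timestamp in the blob is
    printed as epoch 0 in local time, i.e. 01 Jan 1970 east of UTC, 31 Dec 1969 west of it."""
    ts = datetime.strptime(text.strip(), TIME_FMT)
    return None if (ts.year, ts.month, ts.day) in ((1970, 1, 1), (1969, 12, 31)) else ts

def parse_password_state(output):
    """Parse the password-state block into a dict keyed by FIELDS. Raises ValueError if the
    block or a field is missing, so a failed lookup is never reported as a clean user."""
    _, marker, tail = output.partition(STATE_MARKER)
    if not marker:
        raise ValueError("no '%s' block in output" % STATE_MARKER)
    state = {}
    for line in tail.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) in FIELDS:
            key, value = m.groups()
            state[key] = int(value) if key == "LoginFailures" else parse_timestamp(value)
    missing = [f for f in FIELDS if f not in state]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return state

def needs_attention(state):
    """True when the account is disabled or has accumulated login failures."""
    return state["DisabledTime"] is not None or state["LoginFailures"] > 0

def build_command(cfg, user_dn):
    """Assemble the java invocation rpb-run.bat / rpb-run.sh uses (JAVA_HOME = JDK bin dir)."""
    classpath = os.pathsep.join([".", "smjavasdk2.jar", "smagentapi.jar", "cryptoj.jar"])
    cmd = [os.path.join(cfg["JAVA_HOME"], "java"), "-classpath", classpath, "ReadPasswordBlob"]
    for opt in OPTIONS:
        cmd += ["-" + opt, cfg[opt]]
    return cmd + ["-userdn", user_dn, "-debug", "false"]

def read_blob(cfg, user_dn, rpb_dir="."):
    """Run the utility for one user and return its parsed password state."""
    # The admin password and agent secret travel on the command line and are visible in
    # the process list; never echo the command, only the parsed result.
    proc = subprocess.run(build_command(cfg, user_dn), cwd=rpb_dir, capture_output=True, text=True)
    return parse_password_state(proc.stdout)

def to_row(user_dn, state):
    """Flatten one parsed state into a CSV row; unset timestamps become empty fields."""
    times = ["" if state[f] is None else state[f].isoformat(" ") for f in FIELDS[1:]]
    return [user_dn, state["LoginFailures"]] + times + [needs_attention(state)]

def main(argv):
    writer = csv.writer(sys.stdout)
    writer.writerow(["UserDN"] + FIELDS + ["Attention"])
    if len(argv) < 2:                    # demo mode: parse the sample output above
        writer.writerow(to_row("CN=wonsa03,CN=Users,DC=ad,DC=lab", parse_password_state(SAMPLE_OUTPUT)))
        return 0
    # Connection settings come from JAVA_HOME and RPB_<OPTION> environment variables (this
    # script's convention); argv[1] names a file with one user DN per line.
    cfg = {"JAVA_HOME": os.environ["JAVA_HOME"]}
    cfg.update((opt, os.environ["RPB_" + opt.upper()]) for opt in OPTIONS)
    with open(argv[1]) as fh:
        for user_dn in (line.strip() for line in fh if line.strip()):
            try:
                writer.writerow(to_row(user_dn, read_blob(cfg, user_dn)))
            except ValueError as exc:
                writer.writerow([user_dn, "ERROR: %s" % exc])
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python rpb_batch.py users.txt > state.csv` from the RPB folder, with JAVA_HOME and the RPB_PSIP, RPB_AGENTIP, RPB_ADMINUSER, RPB_ADMINPASS, RPB_ORGROOT, RPB_USERDIR, RPB_AGENTNAME and RPB_AGENTSECRET variables exported. The wrapper always passes -debug false so the directory bind password in the debug output never reaches the CSV, and a run whose output lacks the state block is written as an ERROR row rather than as a user with zero failures.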

 

Sample output: (with debug=true)

 

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true

 

Output :

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
 
Get user directory list: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
                                        CADir-01
                                        AdvAuthExternalLDAPDir
                                        SAML2FederationCustomUserStore
                                        AD2k8-01
                                        AD2k8_AD
                                        FedBCCertUserDirectory
                                        FedBCCustomUserStore
Get user directory AD2k8-01: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
                                        EmailAddrAttr=mail
                                        ODBCQueryOid=00-
                                        GuidAttr=
                                        Server=ad2k8-01:389
                                        Username=CN=Administrator,CN=Users,DC=ad,DC=lab
                                        SearchTimeout=30
                                        Name=AD2k8-01
                                        Password=Siteminder1
                                        BlobAttribute=audio
                                        RequireCredentials=true
                                        SearchScope=2
                                        UserLookupEnd=)
                                        ChallengeRespAttr=
                                        SearchRoot=DC=ad,DC=lab
                                        EnableSecurityContext=false
                                        UserLookupStart=(sAMAccountName=
                                        UniversalID=sAMAccountName
                                        Oid=0e-40c066e3-ff0e-4bd2-94ca-115fb3697d71
                                        Desc=
                                        SearchResults=0
                                        DisabledAttr=carLicense
                                        PasswordAttribute=unicodePwd
                                        Namespace=LDAP:
                                        ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]133169663
 
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
LoginFailures=0,        LastLoginTime=Wed Feb 24 17:57:25 EST 2016,     PrevLoginTime=Sun Jan 10 17:58:25 EST 2016,     DisabledTime=Thu Jan 01 10:00:00 EST 1970,    LastPWChangeTime=Wed Feb 24 17:57:05 EST 2016

C:\Users\Administrator\Desktop\RPB>


 

TEST 2 : ODBC Directory 

 

Please note: for an ODBC user directory you must still provide a dummy value for -orgroot. The SDK code requires the parameter even though ODBC lookups do not use it; this is due to a bug in the SDK code.

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip shruj01-i1849.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "DUMMY_ROOT" -userdn "Lisac" -userdir "SMUSER" -agentname "agent_iis_01" -agentsecret siteminder -debug true

 

 

Output :

PS_IP=shruj01-i1849.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=agent_iis_01 USER_DIR=SMUSER ORG_ROOT=DUMMY_ROOT USER_DN=Lisac ADMIN=siteminder
Get user directory list: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
CADir-shruj01-I2069
SMUSER
AdvAuthExternalLDAPDir
SAML2FederationCustomUserStore
CADir-shruj01-I2069(APS)
FedBCCertUserDirectory
jsdksample-userdir
AD2K12-shruj01-i2077
FedBCCustomUserStore
Get user directory SMUSER: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
EmailAddrAttr=
ODBCQueryOid=18-308a73ec-62c1-41a4-9b24-38db73d23a33
GuidAttr=
Server=SMUSER
Username=sa
SearchTimeout=30
Name=SMUSER
Password=interOP@1876
BlobAttribute=PasswordData
RequireCredentials=true
SearchScope=2
UserLookupEnd=
ChallengeRespAttr=
SearchRoot=
EnableSecurityContext=false
UserLookupStart=
UniversalID=Name
Oid=0e-1ae8b0f6-4751-486e-b1a8-e20ce89be8e1
Desc=
SearchResults=0
DisabledAttr=Disabled
PasswordAttribute=Password
Namespace=ODBC:
ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]28311965
Obtaining Password State:
LoginFailures: 0
LastLoginTime: March 26 2018 10:23:28
PrevLoginTime: March 26 2018 10:23:07
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: March 26 2018 10:23:07
LoginFailures=0, LastLoginTime=Mon Mar 26 10:23:28 AEDT 2018, PrevLoginTime=Mon Mar 26 10:23:07 AEDT 2018, DisabledTime=Thu Jan 01 10:00:00 AEST 1970, LastPWChangeTime=Mon Mar 26 10:23:07 AEDT 2018

Comments

04-29-2019 01:40 PM

Hey guys, is it possible to execute an LDAP query to return an account status from a CA Directory?

I received a message from diag on the console. Can anyone help me?

04-18-2019 07:24 AM

Hi Ujwol,

 

In addition to the above query, can we use a load balancer IP in place of single policy server IP address to achieve this functionality or if you can suggest any other better way to achieve it, it would be helpful.

 

Thanks

Ankur

04-15-2019 03:29 AM

Hi Ujwol,

 

If we want to achieve the above functionality by having more than one policy server, can you suggest a way to do so.

 

Regards

Ankur Arora

04-11-2019 02:37 PM

Hi Ankur,

 

No, currently it works with single PS.

 

Cheers,

Ujwol

https://iamtechtips.com

04-01-2019 06:52 AM

Hi Ujwol,

 

I have a query, can we provide more than one policy server in psip. So that if one policy server is down, request will go to next policy server.

 

Thanks

Ankur

11-26-2018 12:57 PM

I think at one point I had a way to modify the blob. Are you saying that it’s not possible to modify any of the attributes or that the LastPWChangeTime can’t be modified but other attributes can? I can’t change the policy server time it would be better to change an attribute in the blob to force the account to be near to the expiration date. I am assuming that LastPWChangeTime is part of that equation.

11-26-2018 12:42 PM

You cannot change LastPWChangeTime directly. The best way to test PW expirations is by modifying the system time of the Policy Server OS.


11-26-2018 11:20 AM

How can I modify the LastPWChangeTime so we can test expiration behavior? 

03-25-2018 07:32 PM

Correction. I have now confirmed that the DMSAPI does work for ODBC user store also. Updated the blog with the sample output and test case.

01-10-2018 05:59 PM

Uploaded new zip. This now contains the script for unix as well.

11-02-2016 07:34 PM

Thank you VVK.

 

Thanks and Regards,

Paresh Panchal

11-02-2016 01:12 PM

Hi Paresh,

 

Can you disable the password policy after removing the password blob attribute? Your authentication and authorization should work.

11-02-2016 01:09 PM

That is correct. Password policy evaluation relies on reading the data stored in blob. 

11-02-2016 09:11 AM

Yes, we do have password policy. So you mean, if we have password policy, we have to have blob and if we don’t want to keep blob, then we can’t have password policy. This is interesting.

 

Thanks and Regards,

Paresh Panchal

11-02-2016 03:16 AM

Have you removed password policy as well? If you do not have blob you need to remove password policy as well.


11-02-2016 02:43 AM

Hello Ujwol,

 

I have a basic question about password blob.

We have mentioned password blob related custom LDAP attribute in our user store configured in Admin UI.

When I remove that attribute from configured directory configuration, our login stops working. It comes back to login page (just like what happens when we are unauthorized). Do you know the significance of this blob attribute in user authentication in SiteMinder? We use version R12.52 SP1.

 

Thank you in advance.

 

Regards,

Paresh

03-08-2016 09:36 PM

Hi there,

 

It seems that DMSAPI itself doesn't work with ODBC user directory.

This seems to be a limitation.

 

However, I am researching on this a bit more and will confirm you shortly.

 

Cheers,

Ujwol

03-07-2016 05:32 AM

That looks like the default value. 


These could happen if:

1) the PS encryption key was reset, or

2) they have not used SiteMinder Password Services to change password (for LastPWChangeTime), or login tracking is not enabled in the password services (for the login attributes).

03-04-2016 01:29 PM

One more question: a whole bunch of users have date attributes set to 12/31/1969. Is this an indication of an issue?

 

Obtaining Password State:

LoginFailures: 0

LastLoginTime: December 31 1969 19:00:00

PrevLoginTime: December 31 1969 19:00:00

DisabledTime: December 31 1969 19:00:00

LastPWChangeTime: December 31 1969 19:00:00

03-04-2016 01:26 PM

Here is debug output.  The user directory cssroseland is not even on this list.

 

Get user directory list: STATUS_OK

  Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore

  SAML2FederationCustomUserStore

  FedBCCertUserDirectory

  ADDev

  CORPLDAPDEV

  CORPLDAPQA

  FedBCCustomUserStore

ERROR: Failed to locate user directory cssroseland in policy store user directories list.

03-04-2016 12:16 PM

No this should work for ODBC as well.


Can you share debug output?

03-04-2016 11:27 AM

Can this utility run against LDAP user directory only?  I am having issue running it against SQL user dir.

03-03-2016 05:43 PM

Hi,

 

Not in its present form.

 

But with a few customizations it can easily be achieved.

 

You can create a wrapper batch file which calls this batch repeatedly every time passing new user id.

Or directly modify the underlying java class.

03-03-2016 04:26 PM

Is there a way to run this utility against a group of user names or a whole user directory?

03-03-2016 02:06 PM

Hi Julia Vernoff,

 

Thanks for opening a case with CA Support for this question. Below is the answer we discussed in the case. You mentioned that you got the program to work successfully after this.

 

1. You would have to go to your AdminUI and create an agent by going to Infrastructure-->Agent-->Agents.

2. Make sure you check the "Supports 4x agent" check box.

3. Checking this box will open up 2 more lines - IP address and Shared Secret. Specify IP address of the server on which the Agent resides (in this case, the IP address of the server where you are running rpb-build.bat). The shared secret specifies the secret shared by the Agent and the Policy Server.

 

Thanks,

Akshata

03-03-2016 11:04 AM

Ujwol, - what agent needs to be used here? 

agentname = Name of the 4x Agent (please ensure that the Supports 4x agent check box is checked in the Admin UI)

agentsecret = Shared secret value specified for the 4x agent.