Original Message:
Sent: Sep 24, 2023 08:28 AM
From: MTrucillo
Subject: About Reading the Siteminder PasswordBlob (%PASSWORD DATA%) from an IMS Task
I did it!
Basically I implemented the first solution I proposed as a Java class and it works perfectly!
The second one, however, I realized wouldn't work: it would only work without the SiteMinder integration. When there is integration with SiteMinder it is normal to get that null from PasswordBlobImpl.createBlobFromText or user.getPasswordBlob() (which internally use the same code I used).
I still don't understand how IMS checks (and writes) the password history when new passwords are written via its services...
And it bothers me to have to use not so much the agent secret (which I was able to read in the same ra.xml used for the SiteMinder integration) but the credentials with administrative powers on the Policy Server.
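The reply above says the first approach was rewritten as a Java class but does not show it. The following is an added example, not Marco's class and not SiteMinder SDK sample code: it walks the same DMS API call sequence as the BLTH in the original post (AgentAPI, SmApiConnection, SmApiSession, SmPolicyApiImpl, SmDmsApiImpl, SmDmsSearch, SmDmsUserPWState) using only the classes and calls that appear there. Three things are assumptions of this example rather than facts from the thread: that SmApiResult has an isSuccess() method, that SmApiSession has a logout() method, and the JVM system property names (sm.agent.secret, sm.admin.name, sm.admin.password) used to keep the agent secret and administrator credentials out of the source. It also escapes the uid before building the LDAP filter, which the BLTH did not do.

```java
import java.net.InetAddress;
import java.util.Date;
import java.util.Vector;

import netegrity.siteminder.javaagent.AgentAPI;
import netegrity.siteminder.javaagent.InitDef;
import netegrity.siteminder.javaagent.ServerDef;
import com.netegrity.sdk.apiutil.SmApiConnection;
import com.netegrity.sdk.apiutil.SmApiResult;
import com.netegrity.sdk.apiutil.SmApiSession;
import com.netegrity.sdk.policyapi.SmPolicyApiImpl;
import com.netegrity.sdk.policyapi.SmUserDirectory;
import com.netegrity.sdk.dmsapi.SmDmsApiImpl;
import com.netegrity.sdk.dmsapi.SmDmsConfig;
import com.netegrity.sdk.dmsapi.SmDmsDirectory;
import com.netegrity.sdk.dmsapi.SmDmsDirectoryContext;
import com.netegrity.sdk.dmsapi.SmDmsOrganization;
import com.netegrity.sdk.dmsapi.SmDmsSearch;
import com.netegrity.sdk.dmsapi.SmDmsUser;
import com.netegrity.sdk.dmsapi.SmDmsUserPWState;

/** Example code (not the poster's class): reads LastLoginTime / LastPWChangeTime for one uid via the DMS API. */
public class PwStateReader {
    private static final String ORG_ROOT = "dc=store,dc=it";
    private static final String USER_DIR = "MyUserStore";
    private static final String PS_IP = "10.199.46.5";
    private static final String AGENT_NAME = "LAST_ACCESS_CHECK";
    // Assumption of this example: secrets arrive as JVM system properties (-Dsm.agent.secret=...),
    // never as string literals. The property names are invented for this example.
    private static final String AGENT_SECRET = System.getProperty("sm.agent.secret");
    private static final String ADMIN = System.getProperty("sm.admin.name");
    private static final String ADMIN_PWD = System.getProperty("sm.admin.password");

    /** Escapes the RFC 4515 special characters so a caller-supplied uid cannot change the filter. */
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    /** Fail closed on every Policy Server call. Assumption: SmApiResult.isSuccess() reports the call status. */
    private static void check(SmApiResult r, String step) {
        if (r == null || !r.isSuccess()) {
            throw new IllegalStateException(step + " failed: " + r);
        }
    }

    /** Returns {lastLoginTime, lastPWChangeTime} for the uid, or null when no user matches. */
    static Date[] readPwState(String uid) throws Exception {
        if (AGENT_SECRET == null || ADMIN == null || ADMIN_PWD == null) {
            throw new IllegalStateException("sm.agent.secret, sm.admin.name and sm.admin.password must be set");
        }
        ServerDef serverdef = new ServerDef();      // same Policy Server settings as the BLTH in the thread
        serverdef.serverIpAddress = PS_IP;
        serverdef.connectionMin = 1;
        serverdef.connectionMax = 3;
        serverdef.connectionStep = 1;
        serverdef.timeout = 75;
        serverdef.authenticationPort = 44442;
        serverdef.authorizationPort = 44443;
        serverdef.accountingPort = 44441;

        AgentAPI agentapi = new AgentAPI();
        int ret = agentapi.init(new InitDef(AGENT_NAME, AGENT_SECRET, false, serverdef));
        if (ret != AgentAPI.SUCCESS) {
            throw new IllegalStateException("AgentAPI.init returned " + ret);
        }

        SmApiSession apiSession = new SmApiSession(new SmApiConnection(agentapi));
        check(apiSession.login(ADMIN, ADMIN_PWD, InetAddress.getLocalHost(), 0), "login");
        try {
            SmUserDirectory userDir = new SmUserDirectory(USER_DIR);
            check(new SmPolicyApiImpl(apiSession).getUserDirectory(USER_DIR, userDir), "getUserDirectory");

            SmDmsDirectoryContext ctx = new SmDmsDirectoryContext();
            check(new SmDmsApiImpl(apiSession).getDirectoryContext(userDir, new SmDmsConfig(), ctx),
                  "getDirectoryContext");
            SmDmsDirectory dmsDir = ctx.getDmsDirectory();
            SmDmsOrganization org = dmsDir.newOrganization("");
            org.getObject();

            SmDmsSearch search = new SmDmsSearch("(uid=" + escapeFilterValue(uid) + ")", ORG_ROOT);
            search.setScope(2);        // 2 = subtree
            search.setMaxResults(-1);
            search.setNextItem(0);
            check(org.search(search, 1), "search");

            Vector results = search.getResults();   // index 0 is the search base; matches start at index 1
            if (results.size() < 2) {
                return null;
            }
            SmDmsUser user = (SmDmsUser) results.elementAt(1);
            SmDmsUserPWState pwstate = new SmDmsUserPWState();
            check(user.getUserPWState(pwstate), "getUserPWState");
            return new Date[] { pwstate.getLastLoginTime(), pwstate.getLastPWChangeTime() };
        } finally {
            apiSession.logout();   // assumption: SmApiSession.logout() releases the administrative session
        }
    }

    public static void main(String[] args) throws Exception {
        Date[] t = readPwState(args[0]);
        System.out.println(t == null ? "no such user"
                : "LastLoginTime=" + t[0] + " LastPWChangeTime=" + t[1]);
    }
}
```

Run it as `java -Dsm.agent.secret=... -Dsm.admin.name=... -Dsm.admin.password=... PwStateReader <uid>`. The differences from the BLTH that matter operationally are that every SmApiResult is checked instead of ignored, the administrative session is logged out even when a step throws, and the uid is escaped before it is concatenated into the search filter.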
Original Message:
Sent: Sep 23, 2023 03:30 PM
From: MTrucillo
Subject: About Reading the Siteminder PasswordBlob (%PASSWORD DATA%) from an IMS Task
Hi to all,
I need to get some information (LastPWChangeTime and especially LastLoginTime) for a user in an IMS task.
I know that this value is stored in the SiteMinder Password Blob Data, which is encrypted with a key in the SiteMinder key store.
Some time ago I already wrote a standalone Java class that decrypts this value. It uses the Java DMS API and works well from the command line.
So I tried to reimplement my code in a BLTH (but in JavaScript, just for a fast proof of concept). My function writes LastPWChangeTime and LastLoginTime into two logical attributes. Don't blame me for the plaintext credentials in the code; it was just meant to be a proof of concept.
function handleSetSubject(BlthContext, errorMsg) {
    importPackage(Packages.java.util);
    importPackage(com.netegrity.llsdk6.imsapi.type);
    importPackage(com.netegrity.sdk.dmsapi);
    importClass(java.net.InetAddress);
    importPackage(com.netegrity.sdk.apiutil);
    importPackage(com.netegrity.sdk.policyapi);
    importPackage(netegrity.siteminder.javaagent);

    var ORG_ROOT = "dc=store,dc=it";
    var USER_DIR = "MyUserStore";
    var PS_IP = "10.199.46.5";
    var ADMIN = "***";          // Policy Server administrator (hardcoded only for this proof of concept)
    var ADMIN_PWD = "****";
    var AGENT_NAME = "LAST_ACCESS_CHECK";
    var AGENT_SECRET = "***";

    var subj = BlthContext.getUser();
    var uid = subj.getAttribute("uid");
    var filtro = "(uid=" + uid + ")";

    var agentapi = new AgentAPI();          // needed to create an SmApiConnection
    var serverdef = new ServerDef();        // needed to initialise the AgentAPI
    serverdef.serverIpAddress = PS_IP;
    serverdef.connectionMin = 1;
    serverdef.connectionMax = 3;
    serverdef.connectionStep = 1;
    serverdef.timeout = 75;
    serverdef.authenticationPort = 44442;
    serverdef.authorizationPort = 44443;
    serverdef.accountingPort = 44441;
    var initdef = new InitDef(              // needed to initialise the AgentAPI
        AGENT_NAME,
        AGENT_SECRET,
        false,
        serverdef);
    var ret = agentapi.init(initdef);       // needed to create an SmApiConnection
    if (ret != AgentAPI.SUCCESS) {          // ret must be AgentAPI.SUCCESS; stop here otherwise
        return;
    }
    var apiConnection = new SmApiConnection(agentapi);  // needed to create an SmApiSession
    var apiSession = new SmApiSession(apiConnection);   // needed to create the policyApi
    var address = InetAddress.getLocalHost();
    apiSession.login(
        ADMIN,
        ADMIN_PWD,
        address,
        0
    );
    var policyApi = new SmPolicyApiImpl(apiSession);    // needed to initialise an SmUserDirectory
    var dmsApi = new SmDmsApiImpl(apiSession);          // needed for the directory context
    var userDir = new SmUserDirectory(USER_DIR);
    policyApi.getUserDirectory(USER_DIR, userDir);
    var directoryContext = new SmDmsDirectoryContext();
    dmsApi.getDirectoryContext(userDir, new SmDmsConfig(), directoryContext); // needed for the dmsDir
    var dmsDir = directoryContext.getDmsDirectory();    // needed for an org object
    var org = dmsDir.newOrganization("");
    org.getObject();
    var ricerca = new SmDmsSearch(filtro, ORG_ROOT);
    ricerca.setScope(2);                    // 2 = subtree
    ricerca.setMaxResults(-1);
    ricerca.setNextItem(0);
    org.search(ricerca, 1);
    var vsearch = ricerca.getResults();
    // +--com.netegrity.sdk.dmsapi.SmDmsUser
    // index 0 is the search base; the first match is at index 1 (the user could also have been created directly)
    var user = vsearch.elementAt(1);
    //var user = org.newUser("uid=developer0,ou=people,o=security.com");
    var pwstate = new SmDmsUserPWState();
    user.getUserPWState(pwstate);
    var LastLoginTime = pwstate.getLastLoginTime();
    var LastPWChangeTime = pwstate.getLastPWChangeTime();
    subj.setAttribute("|LastLoginTime|", LastLoginTime);
    subj.setAttribute("|LastPWChangeTime|", LastPWChangeTime);
}
Basically it doesn't work because it can't import netegrity.siteminder.javaagent, although this package exists and is in the right path.
I tried to replace the package with the one from the SiteMinder SDK: the jar has a different name, but the classes are the same. Apparently the SiteMinder one has more methods. In any case, the IMS works correctly (even the integration with SiteMinder), but it is not possible to import the package.
So I followed a completely different strategy, starting from the fact that the Identity still has to manage the password blob (because of the password history, the verification of the requirements, the password change, etc.). After a bit of research I found an interesting class, PasswordBlobImpl, so
I wrote my BLTH this way:
function getSecretAttribute(user, attributeName) {
    importPackage(com.netegrity.llsdk6.imsapi.collections);
    importPackage(com.netegrity.llsdk6.imsapi.type);    // PermissionType lives here
    importClass(com.netegrity.llsdk6.imsapi.collections.AttributeRightsCollection);
    importClass(com.netegrity.llsdk6.imsapi.metadata.AttributeRight);
    // grant read-only access to the attribute on this user object, then read it
    var attrC = new AttributeRightsCollection();
    attrC.addEntry(new AttributeRight(attributeName, PermissionType.READONLY));
    user.addAttributes(attrC);
    var attrVal = user.getAttribute(attributeName);
    return attrVal;
}

function handleSetSubject(BlthContext, errorMsg) {
    importClass(com.netegrity.llsdk6.imsimpl.passwordservices.PasswordBlob);
    importClass(com.netegrity.llsdk6.imsimpl.passwordservices.PasswordBlobImpl); // no ".class" suffix with importClass
    importPackage(Packages.java.util);
    var user = BlthContext.getUser();
    var blobText;
    try {
        blobText = user.getAttribute("%PASSWORD_DATA%");
    } catch (e) {
        // the attribute is not readable by default: grant read-only access first
        blobText = getSecretAttribute(user, "%PASSWORD_DATA%");
    }
    var blob = PasswordBlobImpl.createBlobFromText(blobText);
    if (blob == null) {
        // createBlobFromText returns null when it cannot build a PasswordBlob; nothing to copy
        return;
    }
    var lastPWChangeTime = blob.getLastPWChangeTime();
    var lastLoginTime = blob.getLastLoginTime();
    user.setAttribute("|LastLoginTime|", lastLoginTime);
    user.setAttribute("|LastPWChangeTime|", lastPWChangeTime);
}
but it seems that I can't get access to the PasswordBlob. I even tried to use the createBlobFromText method of PasswordBlobImpl, passing the %PASSWORD DATA% value read from an LDAP browser as the parameter, but it gives me null and not a PasswordBlob object.
I also tried to use
var user = BlthContext.getUser();
var blob = user.getPasswordBlob();
but it gives me a null object...
Has anyone managed to do this somehow?
Thanks in advance
Marco