Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Feb 29, 2016
Problem Summary
The “Password Data” user attribute value is commonly called the “Password Blob”. It is an enciphered collection of several virtual user attributes used by SiteMinder Basic Password Services.
These virtual attributes are:
- Current Login Failure Count
- Last Login Timestamp
- Previous Login Timestamp
- Disabled Timestamp
- Password History
- Last Password Change Timestamp (from the most recent entry in the Password History)
An authentication attempt against an active (not disabled) user’s account, or any forced setting of a user’s password (via the Admin API), causes at least one read-modify-write access of the Password Blob in the user directory. Note that the “modify” part includes deciphering and unpacking the blob, modifying some of the virtual attributes, then packing and enciphering the attributes into the new Password Blob.
The Password History is a FIFO record of a user’s current and most recent passwords. Each entry comprises a password string and the timestamp of when the password was entered into the history. The maximum number of entries maintained for a user depends on the password reuse restrictions in all of the Password Policies that apply to that user when the Password Blob is updated.
The purpose of this article is to provide a utility to read these attributes from the Password Blob.
Please note:
- This utility will not be able to read the Password History attribute from the Password Blob.
- This utility is developed using the SiteMinder Java SDK API and requires a JDK to be installed on the machine it is run from.
Instructions
Please follow the steps below to run the Read Password Blob utility:
1. Download and extract the attached RPB.zip
2. Ensure the JAVA_HOME environment variable is set to <Path to JDK Install Directory>\bin. Note that this is the JDK's bin directory, not the JDK root that JAVA_HOME conventionally points to: rpb-run invokes "%JAVA_HOME%\java" directly, so a JAVA_HOME pointing at the JDK root will not find the java executable.
3. Open a command prompt in the "RPB" folder and execute rpb-build.bat (rpb-build.sh on Unix). This compiles the utility's Java source (ReadPasswordBlob) against the SDK jars on the classpath.
4. Edit rpb-run.bat (rpb-run.sh on Unix) and modify the parameters to match your setup, e.g.:
"%JAVA_HOME%\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true
Where:
psip = Policy Server IP address or host name
agentip = Not used by the utility; leave it at the default value.
adminuser = CA SiteMinder administrator user ID
adminpass = CA SiteMinder administrator password
orgroot = Search root DN (for an ODBC user store, give any dummy value)
userdn = DN of the user whose Password Blob attributes you want to read
userdir = Name of the User Directory as defined in the Administrative UI
agentname = Name of the 4.x agent (ensure the "Supports 4.x agents" check box is selected for that agent in the Administrative UI)
agentsecret = Shared secret configured for the 4.x agent
debug = true|false to enable or disable debug output. With debug=true the utility dumps the full User Directory definition returned by the Policy Server, including the directory's bind credential (the Username and Password lines in the sample output below) in cleartext, so run it in a trusted session and redact the output before pasting it into tickets or logs. Also note that adminpass and agentsecret are passed on the command line, where they are visible in the echoed command and in process listings.
5. Save rpb-run.bat
6. Execute rpb-run.bat
TEST 1 : LDAP Directory
Sample output (with debug=false):
C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug false
Output:
PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
Get user directory list: STATUS_OK
Get user directory AD2k8-01: STATUS_OK
Get capabilities: STATUS_OK
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
C:\Users\Administrator\Desktop\RPB>

A DisabledTime of January 01 1970 10:00:00 is not a real disable event: it is a zero (unset) timestamp, i.e. the Unix epoch, rendered in the local time zone of the machine running the utility (UTC+10 here). The account in this run is therefore not disabled.
Sample output (with debug=true):
C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true
Output:
PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
Get user directory list: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
CADir-01
AdvAuthExternalLDAPDir
SAML2FederationCustomUserStore
AD2k8-01
AD2k8_AD
FedBCCertUserDirectory
FedBCCustomUserStore
Get user directory AD2k8-01: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
EmailAddrAttr=mail
ODBCQueryOid=00-
GuidAttr=
Server=ad2k8-01:389
Username=CN=Administrator,CN=Users,DC=ad,DC=lab
SearchTimeout=30
Name=AD2k8-01
Password=Siteminder1
BlobAttribute=audio
RequireCredentials=true
SearchScope=2
UserLookupEnd=)
ChallengeRespAttr=
SearchRoot=DC=ad,DC=lab
EnableSecurityContext=false
UserLookupStart=(sAMAccountName=
UniversalID=sAMAccountName
Oid=0e-40c066e3-ff0e-4bd2-94ca-115fb3697d71
Desc=
SearchResults=0
DisabledAttr=carLicense
PasswordAttribute=unicodePwd
Namespace=LDAP:
ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]133169663
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
LoginFailures=0, LastLoginTime=Wed Feb 24 17:57:25 EST 2016, PrevLoginTime=Sun Jan 10 17:58:25 EST 2016, DisabledTime=Thu Jan 01 10:00:00 EST 1970, LastPWChangeTime=Wed Feb 24 17:57:05 EST 2016
C:\Users\Administrator\Desktop\RPB>
TEST 2 : ODBC Directory
Please note: for an ODBC user directory you must still provide a dummy DN for the organization root (-orgroot), because of a bug in the SDK code.
C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip shruj01-i1849.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "DUMMY_ROOT" -userdn "Lisac" -userdir "SMUSER" -agentname "agent_iis_01" -agentsecret siteminder -debug true
Output:
PS_IP=shruj01-i1849.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=agent_iis_01 USER_DIR=SMUSER ORG_ROOT=DUMMY_ROOT USER_DN=Lisac ADMIN=siteminder
Get user directory list: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
CADir-shruj01-I2069
SMUSER
AdvAuthExternalLDAPDir
SAML2FederationCustomUserStore
CADir-shruj01-I2069(APS)
FedBCCertUserDirectory
jsdksample-userdir
AD2K12-shruj01-i2077
FedBCCustomUserStore
Get user directory SMUSER: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
EmailAddrAttr=
ODBCQueryOid=18-308a73ec-62c1-41a4-9b24-38db73d23a33
GuidAttr=
Server=SMUSER
Username=sa
SearchTimeout=30
Name=SMUSER
Password=interOP@1876
BlobAttribute=PasswordData
RequireCredentials=true
SearchScope=2
UserLookupEnd=
ChallengeRespAttr=
SearchRoot=
EnableSecurityContext=false
UserLookupStart=
UniversalID=Name
Oid=0e-1ae8b0f6-4751-486e-b1a8-e20ce89be8e1
Desc=
SearchResults=0
DisabledAttr=Disabled
PasswordAttribute=Password
Namespace=ODBC:
ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]28311965
Obtaining Password State:
LoginFailures: 0
LastLoginTime: March 26 2018 10:23:28
PrevLoginTime: March 26 2018 10:23:07
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: March 26 2018 10:23:07
LoginFailures=0, LastLoginTime=Mon Mar 26 10:23:28 AEDT 2018, PrevLoginTime=Mon Mar 26 10:23:07 AEDT 2018, DisabledTime=Thu Jan 01 10:00:00 AEST 1970, LastPWChangeTime=Mon Mar 26 10:23:07 AEDT 2018
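The password-state and directory dumps in the two test runs above are worth interpreting rather than just reading off: the epoch-dated DisabledTime is a zero (unset) value, and a debug=true run prints the user directory's bind credential and its connection settings in cleartext. The following Python script is added here as an example and is not part of the RPB utility or of the SiteMinder SDK. It parses the utility's console output (an abridged copy of the TEST 1 debug output is embedded as constructed sample input), converts the timestamps, recognises the unset-timestamp sentinel, and reports findings. The 90-day password-age threshold, the finding texts and the function names are this example's own choices, not SiteMinder settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: an abridged copy of the article's TEST 1 run with -debug true.
SAMPLE_OUTPUT = """\
PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
Get user directory list: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]CADir-01
AD2k8-01
Get user directory AD2k8-01: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
Server=ad2k8-01:389
Username=CN=Administrator,CN=Users,DC=ad,DC=lab
Name=AD2k8-01
Password=Siteminder1
BlobAttribute=audio
Namespace=LDAP:
Get capabilities: STATUS_OK
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
"""

TIME_FMT = "%B %d %Y %H:%M:%S"  # the utility prints e.g. "February 24 2016 17:57:25"
TIMESTAMP_KEYS = ("LastLoginTime", "PrevLoginTime", "DisabledTime", "LastPWChangeTime")
STATE_LINE = re.compile(r"^(LoginFailures|%s):\s*(.+)$" % "|".join(TIMESTAMP_KEYS))

def is_epoch_sentinel(dt):
    """Epoch zero printed in local time lands on 31 Dec 1969 or 1 Jan 1970 (10:00:00 at UTC+10)."""
    return (dt.year, dt.month, dt.day) in ((1970, 1, 1), (1969, 12, 31))

def parse_password_state(text):
    """Return {"LoginFailures": int, <timestamp key>: datetime, or None when unset}."""
    state, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Obtaining Password State:":
            in_block = True
            continue
        m = STATE_LINE.match(line) if in_block else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "LoginFailures":
            state[key] = int(value)
        else:
            dt = datetime.strptime(value, TIME_FMT)
            state[key] = None if is_epoch_sentinel(dt) else dt
    missing = {"LoginFailures", *TIMESTAMP_KEYS} - set(state)
    if missing:
        raise ValueError("password state block incomplete, missing %s" % sorted(missing))
    return state

def parse_directory_config(text):
    """Return the User Directory dump of a -debug true run (empty dict for -debug false)."""
    config, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Get user directory ") and not line.startswith("Get user directory list"):
            in_block = True
            continue
        if line.startswith("Get capabilities:"):
            in_block = False
        if not in_block:
            continue
        if line.startswith("Result Code") and "]" in line:
            line = line.split("]", 1)[1]  # the first key=value is glued to the result-code line
        if "=" in line:
            key, value = line.split("=", 1)
            config[key] = value
    return config

def assess(text, now=None, max_password_age_days=90):
    """Interpret one run -> (state, config, findings); the age limit is this example's own choice."""
    now = now or datetime.now()
    state, config, findings = parse_password_state(text), parse_directory_config(text), []
    if state["DisabledTime"] is not None:
        findings.append("account disabled since %s" % state["DisabledTime"])
    if state["LoginFailures"] > 0:
        findings.append("%d login failures recorded in the blob" % state["LoginFailures"])
    changed = state["LastPWChangeTime"]
    if changed is not None and now - changed > timedelta(days=max_password_age_days):
        findings.append("password is %d days old" % (now - changed).days)
    if config.get("Password"):
        findings.append("debug output exposes the cleartext bind credential for %s; "
                        "treat the console log as sensitive" % config.get("Username", "?"))
    if config.get("Namespace", "").startswith("LDAP") and config.get("SecureConnection") == "false":
        findings.append("directory %s is reached over non-TLS LDAP (%s)"
                        % (config.get("Name", "?"), config.get("Server", "?")))
    return state, config, findings

if __name__ == "__main__":
    state, config, findings = assess(SAMPLE_OUTPUT)
    print({k: str(v) for k, v in state.items()}, *("FINDING: " + f for f in findings), sep="\n")
```

Run it against a saved rpb-run transcript by passing the file contents to assess(); for a debug=false run parse_directory_config() returns an empty dict and only the password-state findings are produced.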