Symantec Privileged Access Management

  • 1.  PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Posted Mar 19, 2020 07:17 PM
    $newAcct = @{
    accountName = 'db2xxxxx'
    #aliasNames = ''
    #attributes = ''
    cacheBehavior = 'noCache'
    #cacheDuration = ''
    description1 = 'API'
    #description2 = ''
    password = '_generate_pass_'
    passwordViewPolicyId = '3001'
    privileged = 't'
    synchronize = 't'
    useAliasNameParameter = 'f'
    }

    Using password = '_generate_pass_' and synchronize = 't' always generates an error:

    Invoke-RestMethod : {"error":{"code":400,"message":"Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request.
    Message: PAM-CM-1341: Failed to establish a communications channel to the remote host. AddTargetAccountCmd.invoke: Failed to verify password with  target. Check log for details."}}


  • 2.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Broadcom Employee
    Posted Mar 19, 2020 07:56 PM
    Hello Chris, this cannot possibly work for an account that manages its own password. For that you have to start by providing the current password. A newly generated password can work only when you use an existing account to update the new account's password.


  • 3.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Posted Mar 19, 2020 09:45 PM
    Ralph,

    It took some persistence, but I got it to work using a separate account to set the password.

    $newAcct = @{
        accountName = 'db2xxxxx'
        #aliasNames = ''
        attributes = @{
            verifyThroughOtherAccount = 'false'
            otherAccount = '3001'                      # target account ID of the master account that changes the password
            useOtherAccountToChangePassword = 'true'
            passwordChangeMethod = 'USE_SUDO'
        }
        #cacheBehavior = 'noCache'
        #cacheDuration = ''
        description1 = 'API'
        #description2 = ''
        password = '_generate_pass_'                   # PAM generates the value; the master account sets it on the host
        passwordViewPolicyId = '3001'
        privileged = 't'
        synchronize = 't'
        useAliasNameParameter = 'f'
    }

    $newAcct = ConvertTo-Json -InputObject $newAcct
    $acctId = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/devices.json/$deviceId/targetApplications/$appId/targetAccounts" -Method Post -Body $newAcct -Credential $apikey -ContentType 'application/json'
    write-host "Target Account id $acctId added"


  • 4.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Broadcom Employee
    Posted Mar 19, 2020 11:03 PM
    Great, thanks for sharing, Ralf


  • 5.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Broadcom Employee
    Posted Mar 20, 2020 10:39 AM
    Glad you're figuring this stuff out, Chris.

    Just to expand on what Ralf was saying.  You can use the API to generate a password for a stand-alone account, but it's a two-step process:

    1. Create the target account first with a known password.
    2. Update the target account with password = '_generate_pass_'
    The two steps are necessary because the first one lets PAM know what the current password is, then the second says to use that password to change the password to the new randomized value.

    This is exactly how you would do it in the UI as well.


  • 6.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together
    Best Answer

    Posted Mar 20, 2020 11:31 AM
    Edited by Christopher Hackett Mar 20, 2020 05:48 PM
    Joseph,

    Interesting as I was able to make it a one step process.
    Steps:
    Master Account
    1. Create a master unix account - call it db2prov
    2. Assign the ability for db2prov to "sudo passwd" and "sudo pwdadm" as NOPASS
    3. Test elevated privs in CLI
    4. Create pam credential object for db2prov in pam - assign it to use elevated privs

    Subordinate accounts
    SAMPLE / EXAMPLE PowerShell Script (obfuscated and comments removed) to
    1. Read in a list of credentials from a flat file C:\creds.txt
    2. API: create a unix credential with a generated password
    3. API: Assign a master account to manage the credential
    4. API: Synchronize with the authentication server

    ** NO WARRANTIES - USE AT OWN RISK ** LOL

    $deviceId = '000' # ID of device (obtained via API)
    $appId = '0000'   # ID of dedicated application for subordinate accounts (obtained via API)
    $PAM_viewPolicy = '0000' # ID of view policy (obtained via API)
    $PAM_otheraccount = '0000' # ID of db2prov (obtained via API)
    $pamServer = "foo.bar.com"  # either FQDN or IP address (e.g. "0.0.0.0")
    
    #
    # Register a certificate validation callback that accepts any server certificate.
    # TLS certificate validation is effectively off for every web call in this
    # PowerShell session until [TrustEverything]::UnsetCallback() is called.
    #
    if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
        Add-Type -TypeDefinition @"
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;
        public static class TrustEverything
        {
            private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
                SslPolicyErrors sslPolicyErrors) { return true; }
            public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
            public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
        }
"@
    }
    [TrustEverything]::SetCallback()
    
    #
    # prompt for an API key (sent as HTTP basic credentials by Invoke-RestMethod)
    #
    if (-not $apikey) {$apikey = Get-Credential -Message "Enter your API key"}
    #
    # Run an API call to add a target account for each name in the flat file
    #
    
    ForEach ($line in Get-Content "C:\creds.txt")
    {
        $acctId = ''
        write-host "Trying $line ...."
        $newAcct = @{
            accountName = "$line"
            #aliasNames = ''
            attributes = @{
                verifyThroughOtherAccount = 'false'
                otherAccount = $PAM_otheraccount          # master account (db2prov) that runs the password change
                useOtherAccountToChangePassword = 'true'
                passwordChangeMethod = 'USE_SUDO'
            }
            #cacheBehavior = 'noCache'
            #cacheDuration = ''
            #description1 = ''
            #description2 = ''
            password = '_generate_pass_'                  # PAM generates the password; db2prov sets it on the host
            passwordViewPolicyId = $PAM_viewPolicy
            privileged = 't'
            synchronize = 't'
            useAliasNameParameter = 'f'
        }
    
        $newAcct = ConvertTo-Json -InputObject $newAcct
        $acctId = Invoke-RestMethod -Uri "https://$pamServer/api.php/v1/devices.json/$deviceId/targetApplications/$appId/targetAccounts" -Method Post -Body $newAcct -Credential $apikey -ContentType 'application/json'
        If ($acctId -ne "") {write-host "Target Account id $acctId added"}
    }





  • 7.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Broadcom Employee
    Posted Mar 20, 2020 12:06 PM
    Using a master account, yes, it's a one-step process, same as in the UI.

    I was talking about stand-alone accounts... for example if you have a bunch of Linux servers and you need to vault one account on each of them... if you don't already have a master account to use in PAM you can use the two-step process to get the accounts vaulted.

    Essentially, I was clarifying what Ralf said... that it's impossible to sync an account with a randomized password unless you're using a master account.  You can do it, but first you have to sync it with a known password, then generate a new random one.


  • 8.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Posted Aug 16, 2021 03:00 AM
    Hi,
    I am facing a similar issue.

    On running the PowerShell script, we are able to onboard a device and create the target application successfully.

    But we are getting the following error when the script goes on to create the target account:

    Invoke-RestMethod : {"error":{"code":400,"message":"Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message:
    PAM-CM-1341: Failed to establish a communications channel to the remote host. AddTargetAccountCmd.invoke: Failed to verify password with target.

    Note: The above error is thrown while trying to create the account which has sudo privileges and is used to change the password of the second account. (According to the above example, this should be "$PAM_otheraccount".)

    Please help in figuring out the possible resolution of the error.



    $account1 = @{
        accountName = $targetAcc1Name
        password    = $targetAcc1Password        # current password of the account on the host
        privileged  = "t"
        attributes  = @{
            discoveryAllowed                = "true"
            protocol                        = "SSH2_PASSWORD_AUTH"
            useOtherAccountToChangePassword = "false"
            passwordChangeMethod            = "USE_SUDO"
        }
        synchronize = "t"                        # PAM verifies the password by logging into the host
    }
    $jsonAccount1 = $account1 | ConvertTo-Json
    
    $account1Id = Invoke-RestMethod -Uri "https://$pamserver/api.php/v1/devices.json/$deviceId/targetApplications/$targetAppId/targetAccounts" -Credential $ApiKey -Method Post -Body $jsonAccount1 -ContentType "application/json"
    if ( $account1Id -match "^\d+$" )
    {
        Write-Host "Created target account $targetAcc1Name with ID $account1Id"
    }
    else
    {
        Write-Host "Unexpected return from target account $targetAcc1Name creation, bailing out"
        $account1Id
        exit
    }
    



    Thanks,
    Aayushi Dubey




  • 9.  RE: PAM REST API - using synchronize = 't' and password ='_generate_pass_' together

    Broadcom Employee
    Posted Aug 16, 2021 10:20 AM
    Edited by Joseph Fry Aug 16, 2021 10:20 AM
    Aayushi,

    The most common cause for that error is exactly what it says... the host is unreachable. 

    PAM will fail when you use
    synchronize="t"

    unless it is able to verify the account, which requires it actually log into the host with the provided password.  In the case where you are using a master account, it will set the password then verify it by logging into the host.  But any time the verify fails, you will get an error.

    I recommend reproducing the steps your script is taking in the UI and confirming everything works.  Double check that the ip/fqdn are correct, the network ports are open, and that the credential being used to log into the endpoint is correct.

    If you are not using a master account that is already synchronized... then you will need to take two steps.  First create the target account with the synchronized flag set to false and set the correct password for the account.  Then update the target account to a new password with the synchronized flag set to true.  This two step process is necessary to inform PAM of the correct password to use to make the initial connection.

    I hope that helps?
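Joseph's two-step process for a stand-alone account (posts 5 and 9), written out against the same targetAccounts endpoint, as an added example that is not code from the thread. It assumes the thread's variables ($pamServer, $deviceId, $appId, $apikey) are already set, and it assumes the "update" is an HTTP PUT to the targetAccounts path with the account id appended; the thread does not show the verb or path for the update.

```powershell
# Added example: two-step onboarding of a stand-alone account (no master account).
# Assumes $pamServer, $deviceId, $appId and $apikey are set as in the scripts above.
# Assumption: the update call is an HTTP PUT to .../targetAccounts/<id>; the thread
# only says "update the target account", not the verb or path.

$acctName  = 'svc_example'   # constructed sample account name
$securePwd = Read-Host -Prompt "Current password of $acctName on the host" -AsSecureString
$knownPwd  = [System.Net.NetworkCredential]::new('', $securePwd).Password

$base = "https://$pamServer/api.php/v1/devices.json/$deviceId/targetApplications/$appId/targetAccounts"
$json = 'application/json'

# Step 1: store the password PAM will use for its first login to the host.
# synchronize = 'f' so PAM does not try to verify or change anything yet (post 9).
$create = @{
    accountName = $acctName
    password    = $knownPwd
    privileged  = 't'
    synchronize = 'f'
} | ConvertTo-Json

$acctId = Invoke-RestMethod -Uri $base -Method Post -Body $create -Credential $apikey -ContentType $json
if ("$acctId" -notmatch '^\d+$') { throw "Unexpected response creating ${acctName}: $acctId" }
Write-Host "Step 1: target account $acctId created with the known password"

# Step 2: ask PAM to rotate to a generated value and synchronize it. PAM logs in with
# the step-1 password, changes it on the host, then verifies the new one.
$rotate = @{
    accountName = $acctName
    password    = '_generate_pass_'
    synchronize = 't'
} | ConvertTo-Json

Invoke-RestMethod -Uri "$base/$acctId" -Method Put -Body $rotate -Credential $apikey -ContentType $json | Out-Null
Write-Host "Step 2: target account $acctId now has a generated, synchronized password"
```

If step 2 returns PAM-CM-1341 as in the posts above, PAM could not log in with the step-1 password; confirm the host, port and password in the UI first, as Joseph suggests.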