Symantec IGA

 View Only
  • 1.  About Read Siteminder PasswordBlob (%PASSWORD DASTA%) from a IMS Task

    Posted Sep 23, 2023 03:30 PM

    Hi to all,

    I need to get some information ( LastPWChangeTime and specially LastLoginTime) for  a user in a IMS TASK.

    I now that this value is stored in Siteminder Password Blob Data that is encrypted with a key on siteminder key store.

    I alredy write some time ago a java standone class that decrypt this value. It use java DMS Api and work from command line well. 

    So I tried to reimplement my code in a BLTH (but in javascript just for a fast proof of concept). My function write LastPWChangeTime and LastLoginTime in two logical attributes. don't blame me for there being plaintext credentials in the code. It was just meant to be a proof of concept.

    function handleSetSubject(BlthContext, errorMsg){



        var ORG_ROOT= "dc=store,dc=it";
        var USER_DIR="MyUserStore";
        var PS_IP="";
        var ADMIN="***";
        var ADMIN_PWD="****";

        var  AGENT_SECRET = "***";

        var subj = BlthContext.getUser();
        var uid=subj.getAttribute("uid");
        var filtro="(uid="+uid+")";

        var agentapi= new AgentAPI();//Mi serve per generare un'apiConnection

        serverdef = new ServerDef();//mi serve per inizializzare AgentAPI
        serverdef.serverIpAddress = PS_IP;
        serverdef.connectionMin = 1;
        serverdef.connectionMax = 3;
        serverdef.connectionStep = 1;
        serverdef.timeout = 75;
        serverdef.authenticationPort = 44442;
        serverdef.authorizationPort = 44443;
        serverdef.accountingPort = 44441;
        initdef = new InitDef(  //mi serve per inizializzare AgentAPI

        var ret=agentapi.init(initdef);//Mi serve per generare un'apiConnection
        //RET deve essere AgentAPI.SUCCESS        
        var apiConnection= new SmApiConnection(agentapi);//Mi serve per generare un'apiSession
        var apiSession= new SmApiSession(apiConnection); //Mi serve per generasre policyApi

        var address = InetAddress.getLocalHost();    

        var policyApi=new SmPolicyApiImpl(apiSession); //mi serve per inziializzare una SmUserDirectory
        var dmsApi = new SmDmsApiImpl(apiSession); //mi servira' per il directory context

        var userDir=new SmUserDirectory(USER_DIR);
        policyApi.getUserDirectory(USER_DIR, userDir);  //

        var directoryContext=new SmDmsDirectoryContext();

        dmsApi.getDirectoryContext(userDir, new SmDmsConfig(), directoryContext); //mi serve per il dmsDir
        var dmsDir=directoryContext.getDmsDirectory(); //mi serve per un oggetto org

        var org= dmsDir.newOrganization("");  

        var ricerca=new SmDmsSearch( filtro ,ORG_ROOT);
        var vsearch=ricerca.getResults();
        //        +--com.netegrity.sdk.dmsapi.SmDmsUser
        var user=vsearch.elementAt(1);//utente ma porevo crearlo direttamente
        //var user = org.newUser("uid=developer0,ou=people,");
        var pwstate = new SmDmsUserPWState();
        var LastLoginTime = pwstate.getLastLoginTime();
        var LastPWChangeTime = pwstate.getLastPWChangeTime();

        subj.setAttribute("|LastLoginTime|", LastLoginTime);
        subj.setAttribute("|LastPWChangeTime|", LastPWChangeTime);


    Basically it doesn't work because it can't import netegrity.siteminder.javaagent although this package exists and is in the right path.
    I tried to replace the package with the one from the siteminder SDK: the jar has a different name, but the classes are the same. Apparently the siteminder one has more methods. In any case, the IMS works correctly (even the integration with siteminder) but it is not possible to import the package.

    So I followed a completely different strategy starting from the fact that the Identity still has to manage the password blob: due to the password history, the verification of the requirements, the password change etc.. so after a bit of research I found an interesting class  PasswordBlobImpl so
    I wrote my BHLT in this wasy

    function getSecretAttribute(user,attributeName) {
        attrC = new AttributeRightsCollection();
        attrC.addEntry(new AttributeRight(attributeName, PermissionType.READONLY));
        attrVal = user.getAttribute(attributeName);
        return attrVal; 
    function handleSetSubject(BlthContext, errorMsg){
        var user = BlthContext.getUser();
        var blobText;
        try {
            blobText = this.getAttribute("%PASSWORD_DATA%");
        } catch(e) {
            blobText = getSecretAttribute("%PASSWORD_DATA%",user);
        blob = PasswordBlobImpl.createBlobFromText(blobText);
        lastPWChangeTime = blob.getLastPWChangeTime();
        lastLoginTime = blob.getLastLoginTime();    
        user.setAttribute("|LastLoginTime|", LastLoginTime);
        user.setAttribute("|LastPWChangeTime|", LastPWChangeTime);

    but it seems that I can't have access to PasswordBlob. I tried even to use 

    createBlobFromTextmethod from PasswordBlobImpl.createBlobFromText passing the %PASSWORD DATA% value read from ldap browser as parameter but it give me null and not a PasswordBlob object.
    I tried to use even 

        var user = BlthContext.getUser();
        var blob = user.getPasswordBlob();

    but it give me a null object...

    Has anyone managed to do this somehow?
    Thanks in advance

  • 2.  RE: About Read Siteminder PasswordBlob (%PASSWORD DASTA%) from a IMS Task

    Posted Sep 24, 2023 08:28 AM

    I did it!

    Basically I implemented the first solution I proposed as Java class and it works perfectly!
    The second one, however, I realized that it wouldn't work: it would only work without the integration with siteminder: when there is integration with siteminder it is normal to get that null using PasswordBlobImpl.createBlobFromText or user.getPasswordBlob(); (that internally use same code I used)

    I still don't understand how IMS checks (and writes) password history when new passwords are written via its services...
    And it bothers me to have to use not so much the agent secret (which I was able to read in the same ra.xml used for siteminder integration) but the credentials with administrative powers on the policy server.

  • 3.  RE: About Read Siteminder PasswordBlob (%PASSWORD DASTA%) from a IMS Task

    Broadcom Employee
    Posted Oct 06, 2023 04:14 AM

    Well done Marco.