pwextractor Utility—Extract Privileged Account Passwords

Reference Guide › Utilities › pwextractor Utility—Extract Privileged Account Passwords

pwextractor Utility—Extract Privileged Account Passwords

The pwextractor utility extracts privileged account passwords from the database. You can use pwextractor if you want to back up privileged account passwords, or if SAM is unavailable and you cannot check out privileged accounts.

To use pwextractor, you must:

Have access to the database tables
Know the user name and password for the account that SAM uses to access the database
Note: You provide these credentials when you install the Enterprise Management Server.

If you use a Microsoft SQL Server database and the database authentication mode is Windows Authentication, when you use pwextractor you must:

Verify that the sqljdbc_auth.dll file is located in the JAVA_HOME\bin directory
Use the pwextractor -url format
Specify integratedSecurity=true; in the JDBC URL string

Note: You can use the pwextractor -url format only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database. For more information about the sqljdbc_auth.dll file, see the Microsoft SQL Server documentation.

pwextractor is located in the following directory:

ACServerInstallDir/IAM Suite/Access Control/tools/pwextractor

This command has the following format:

pwextractor -h hostname [-r port] -d {database | schema} -t {mssql | oracle} -l login -p password -f filename [-k key_file]

This command has the following format for JDBC databases. This format is valid only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database:

pwextractor -url url -f filename [-k key_file]

-h hostname

Defines the name of the database host.

-r port

Defines the port number on which the database communicates.

-d {database | schema}

Defines the following:

(MS SQL) Defines the database name.
(Oracle) Defines the schema name.

-t {mssql | oracle}

Specifies the database type.

Values: mssql, oracle

-l login

Defines the user name for the account that SAM uses to access the database.

-p password

Defines the password for the account that SAM uses to access the database.

-f filename

Defines the directory path and file name for the output file. If you specify an existing file, pwextractor replaces the existing file with the new output.

-k key_file

Defines the full path and name for the encryption file that was used to encrypt the passwords.

-url url

Defines the JDBC URL string that you use to access the database.

Format: jdbc:sqlserver://servername:port[;property=value]

Example: jdbc:sqlserver://localhost:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;

Example: Extract SAM Passwords from a Microsoft SQL Server Database

The following examples extract the SAM passwords from a Microsoft SQL Server database named mydb and located on host myhost.example.com. The Enterprise Management Server is located on a Windows computer and the encryption file is located at C:\FIPSkey.dat. pwextractor writes the output to the C:\accounts.txt file.

This example extracts the passwords when the database authentication mode is SQL Server Authentication:

pwextractor.bat -h myhost.example.com -r 1433 -d mydb -t mssql -l sa -p mypwd -f C:\accounts.txt -k "C:\FIPSkey.dat"

This example extracts the passwords when the database authentication mode is Windows Authentication:

pwextractor.bat -url jdbc:sqlserver://myhost.example.com:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;integratedSecurity=true; -f C:\accounts.txt -k "C:\FIPSkey.dat"

More information:

Manual Password Extraction