

pwextractor Utility—Extract Privileged Account Passwords

The pwextractor utility extracts privileged account passwords from the database. You can use pwextractor if you want to back up privileged account passwords, or if SAM is unavailable and you cannot check out privileged accounts.

To use pwextractor, you must:

If you use a Microsoft SQL Server database and the database authentication mode is Windows Authentication, when you use pwextractor you must:

Note: You can use the pwextractor -url format only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database. For more information about the sqljdbc_auth.dll file, see the Microsoft SQL Server documentation.

pwextractor is located in the following directory:

ACServerInstallDir/IAM Suite/Access Control/tools/pwextractor

This command has the following format:

pwextractor {-backup | -restore} -h hostname [-r port] 
            -d {database | schema} -t {mssql | oracle} 
            -l login -p password -f filename [-k key_file]
            [-current] [-cleartext]

This command has the following format for JDBC databases. This format is valid only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database:

pwextractor {-backup | -restore} -url url -f filename [-k key_file]

{-backup | -restore}

Specifying either -backup or -restore is required to run the tool.

-backup

Specifies that the tool is used to back up PUPM account passwords from the database.

-current

Extracts only active passwords of accounts that are in use.

Default: If omitted, pwextractor extracts all passwords stored in the database, including passwords that are no longer current.

-restore

Specifies that the tool is used to restore SAM account passwords, taken from the source database, to the destination server.

-h hostname

Defines the name of the database host.

-r port

Defines the port number on which the database communicates.

-d {database | schema}

Defines one of the following:

-t {mssql | oracle}

Specifies the database type.

Values: mssql, oracle

-l login

Defines the user name for the account that SAM uses to access the database.

-p password

Defines the password for the account that SAM uses to access the database.

-f filename

Defines the directory path and file name for the output file. If you specify an existing file, pwextractor replaces the existing file with the new output.

-account_pwd

Specifies that the tool extracts or restores the passwords of all SAM accounts.

Note: This option is mandatory.

-cleartext

Specifies that extracted passwords are written in plain text. If this option is omitted, passwords are written in the encrypted form in which they are stored in the database column.

Note: This option is not required when using the restore option.

-k key_file

Defines the full path and name for the encryption file that was used to encrypt the passwords.

-url url

Defines the JDBC URL string that you use to access the database.

Format: jdbc:sqlserver://servername:port[;property=value]

Example: jdbc:sqlserver://localhost:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;
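The following Python wrapper is an added example, not part of this page or of the pwextractor tool: it assembles the argument list for either command format above, refuses an unknown database type and -cleartext with -restore (a stricter reading of the note that the option is not needed there), and redacts the -p value and the password= property of a JDBC URL before an invocation is written to a log, since both formats place the database password on the command line. Function names are assumptions and the sample values in the comments are constructed.

```python
import re

def build_args(mode, host, database, dbtype, login, password, filename,
               port=None, key_file=None, current=False, cleartext=False):
    """Argument list for the host/port format (-h/-d/-t/-l/-p/-f)."""
    if mode not in ("backup", "restore"):
        raise ValueError("mode must be 'backup' or 'restore'")
    if dbtype not in ("mssql", "oracle"):
        raise ValueError("dbtype must be 'mssql' or 'oracle'")
    if cleartext and mode == "restore":
        raise ValueError("-cleartext is only meaningful with -backup")
    args = [f"-{mode}", "-h", host]
    if port is not None:
        args += ["-r", str(port)]
    args += ["-d", database, "-t", dbtype, "-l", login, "-p", password, "-f", filename]
    if key_file:
        args += ["-k", key_file]
    if current:
        args.append("-current")
    if cleartext:
        args.append("-cleartext")
    return args

def build_url_args(mode, url, filename, key_file=None):
    """Argument list for the JDBC -url format (SQL Server on Windows only)."""
    if mode not in ("backup", "restore"):
        raise ValueError("mode must be 'backup' or 'restore'")
    args = [f"-{mode}", "-url", url, "-f", filename]
    if key_file:
        args += ["-k", key_file]
    return args

# Matches the password=value property inside a jdbc:sqlserver URL
# (constructed sample: ...;user=sa;password=mypwd; -> ...;user=sa;password=***;).
_JDBC_PASSWORD = re.compile(r"(;password=)[^;]*", re.IGNORECASE)

def redact(args):
    """Copy of args safe to log: the value after -p and any password=
    property in a JDBC URL are replaced with ***."""
    out, mask_next = [], False
    for arg in args:
        if mask_next:
            out.append("***")
            mask_next = False
        elif arg == "-p":
            out.append(arg)
            mask_next = True
        else:
            out.append(_JDBC_PASSWORD.sub(r"\1***", arg))
    return out
```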

Example: Extract SAM Passwords from a Microsoft SQL Server Database

The following examples extract the SAM passwords from a Microsoft SQL Server database named mydb and located on host myhost.example.com. The Enterprise Management Server is located on a Windows computer and the encryption file is located at C:\FIPSkey.dat. pwextractor writes the output to the C:\accounts.txt file.

Note: The output text file uses @!~ as the delimiter value.

More information:

Manual Password Extraction