

Manual Password Extraction

If the application server is not running and SAM is unavailable, you cannot use SAM to check out privileged accounts. Instead, you can use pwextractor, the SAM password extraction utility, to export privileged account passwords from the database. You can then use the passwords to log in to privileged accounts as usual, or keep them as a backup of the privileged account passwords.

If you extract privileged account passwords from the database because SAM is unavailable, you do not need to complete any post-recovery steps when SAM is restored.

You install pwextractor when you install the Enterprise Management Server. By default, CA ControlMinder rules do not protect pwextractor, but you can write rules to protect it.

To use pwextractor, you must:

You can use pwextractor whether CA ControlMinder Enterprise Management is running or stopped, and whether the application server is running or stopped. You can also run pwextractor remotely.

Note: For more information about pwextractor, see the Reference Guide.

Example: Extract Privileged Account Passwords from an Oracle Database

The following example extracts the privileged account passwords from an Oracle database and writes the output to the file C:\tmp\pwd.txt. The schema name is orcl and the database is located on host myhost.example.com. The Enterprise Management Server is installed on a Windows computer:

pwextractor.bat -h myhost.example.com -d orcl -t oracle -l joesmith -p P@ssw0rd -f C:\tmp\pwd.txt -k C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FipsKey.dat
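
The same extraction wrapped in PowerShell so that the exported passwords are written to a folder only the operator running the script can read. This is an added example, not part of the product documentation. The output folder, the location of pwextractor.bat and the use of Get-Credential are assumptions; the pwextractor options and sample values are the ones shown above.

```powershell
# Added example (not from the product documentation).
$ErrorActionPreference = 'Stop'

# Assumptions: the script runs from the folder that contains
# pwextractor.bat; the output folder name is constructed for this example.
$pwextractor = '.\pwextractor.bat'
$outDir      = 'C:\tmp\pwextract'
$outFile     = Join-Path $outDir 'pwd.txt'
$keyFile     = 'C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FipsKey.dat'

# Create the output folder, remove inherited permissions and grant full
# control to the current operator only. Files created inside inherit this.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $outDir /inheritance:r /grant:r "${me}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict access to $outDir" }

# Prompt for the database login instead of storing it in the script.
# The password is still passed to pwextractor with -p, as on this page.
$cred   = Get-Credential -Message 'Database login (for example joesmith)'
$dbUser = $cred.UserName
$dbPass = $cred.GetNetworkCredential().Password

& $pwextractor -h myhost.example.com -d orcl -t oracle -l $dbUser -p $dbPass -f $outFile -k $keyFile

# Confirm the file was written and show who can read it.
if (-not (Test-Path $outFile)) { throw "pwextractor did not create $outFile" }
icacls $outFile
```

Delete the output file once the passwords have been used or moved to their backup location.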