Previous Topic: policydeploy -upgrade Function—Upgrade or Downgrade a Policy VersionNext Topic: ReportAgent Utility—Send Report Snapshots and Audit Events


pwextractor Utility—Extract Privileged Account Passwords

The pwextractor utility extracts privileged account passwords from the database. You can use pwextractor if you want to back up privileged account passwords, or if SAM is unavailable and you cannot check out privileged accounts.

To use pwextractor, you must:

When you use pwextractor to extract passwords from a Microsoft SQL Server database with Windows authentication, you must:

Note: You can use the pwextractor -url format only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database. For more information about the sqljdbc_auth.dll file, see the Microsoft SQL Server documentation.

pwextractor is located in the following directory:

ACServerInstallDir/IAM Suite/Access Control/tools/pwextractor

This command has the following format:

pwextractor {-backup | -restore} -h hostname [-r port] 
            -d {database | schema} -t {mssql | oracle} 
            -l login -p password -f filename {[-k key_file][-cleartext]}
            [-current]

This command has the following format for JDBC databases. This format is valid only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database:

pwextractor {-backup | -restore} -url url -f filename [-k key_file]
{-backup | -restore}

Specifying either –backup or –restore is required to run the tool.

-backup

Specifies that the tool is used to backup SAM passwords from the database.

-restore

Specifies that the tool is used to restore SAM passwords from the source database to the destination server.

-h hostname

Defines the name of the database host.

-r port

Defines the port number on which the database communicates.

-d {database | schema}

Defines one of the following:

-t {mssql | oracle}

Specifies the database type.

Values: mssql, oracle

-current

Extracts only active passwords of accounts that are in use.

Default: If omitted, it extracts all passwords stored in the database from the beginning.

-l login

Defines the user name for the account that SAM uses to access the database.

-p password

Defines the password for the account that SAM uses to access the database.

-f filename

Defines the directory path and file name for the output file. If you specify an existing file, pwextractor replaces the existing file with the new output.

-account_pwd

Extracts or restores passwords of all <pump> accounts.

Note: This option is mandatory.

-cleartext

Defines that extracted passwords are stored in plain text. If this option is skipped, passwords are stored in an encrypted format as available in the database column.

Note: This option is not required when using the restore option.

-k key_file

Defines the full path and name of the encryption file that is used to encrypt the passwords.

-url url

Defines the JDBC URL string to access the database.

Format: jdbc:sqlserver://servername:port[;property=value]

Example: jdbc:sqlserver://localhost:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;

Example: Extract SAM Passwords from a Microsoft SQL Server Database

The following example extracts a SAM password from a Microsoft SQL Server database named mydb on host myhost.example.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts.txt file.

Note: The final text file contains the delimiter value @!~.

Example: Extract SAM Passwords from an Oracle Database

The following example extracts a SAM password from an Oracle database named ORCL on host.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts1.txt file.

pwextractor.bat -backup -account_pwd -h host -r 1521 -d ORCL -t oracle -l ACDB -p mypwd -url jdbc:oracle:thin:@host.com:1521:orcl -f "C:\accounts1.txt" -k "C:\FIPSkey.dat"

Note: The final text file contains the delimiter value @!~.

More information:

Manual Password Extraction