The pwextractor utility extracts privileged account passwords from the database. You can use pwextractor if you want to back up privileged account passwords, or if SAM is unavailable and you cannot check out privileged accounts.
To use pwextractor, you must:
Note: Provide these credentials while installing the Enterprise Management Server.
When you use pwextractor to extract passwords from a Microsoft SQL Server database with Windows authentication, you must:
Note: You can use the pwextractor -url format only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database. For more information about the sqljdbc_auth.dll file, see the Microsoft SQL Server documentation.
pwextractor is located in the following directory:
ACServerInstallDir/IAM Suite/Access Control/tools/pwextractor
This command has the following format:
pwextractor {-backup | -restore} -h hostname [-r port] -d {database | schema} -t {mssql | oracle} -l login -p password -f filename {[-k key_file][-cleartext]} [-current]
This command has the following format for JDBC databases. This format is valid only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database:
pwextractor {-backup | -restore} -url url -f filename [-k key_file]
Specifying either -backup or -restore is required to run the tool.
-backup
Specifies that the tool is used to back up SAM passwords from the database.
-restore
Specifies that the tool is used to restore SAM passwords from the source database to the destination server.
-h hostname
Defines the name of the database host.
-r port
Defines the port number on which the database communicates.
-d {database | schema}
Defines one of the following:
-t {mssql | oracle}
Specifies the database type.
Values: mssql, oracle
-current
Extracts only active passwords of accounts that are in use.
Default: If omitted, it extracts all passwords stored in the database from the beginning.
-l login
Defines the user name for the account that SAM uses to access the database.
-p password
Defines the password for the account that SAM uses to access the database.
-f filename
Defines the directory path and file name for the output file. If you specify an existing file, pwextractor replaces the existing file with the new output.
-account_pwd
Extracts or restores passwords of all <pump> accounts.
Note: This option is mandatory.
-cleartext
Defines that extracted passwords are stored in plain text. If this option is skipped, passwords are stored in an encrypted format as available in the database column.
Note: This option is not required when using the restore option.
-k key_file
Defines the full path and name of the encryption file that is used to encrypt the passwords.
-url url
Defines the JDBC URL string to access the database.
Format: jdbc:sqlserver://servername:port[;property=value]
Example: jdbc:sqlserver://localhost:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;
Example: Extract SAM Passwords from a Microsoft SQL Server Database
The following example extracts a SAM password from a Microsoft SQL Server database named mydb on host myhost.example.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts.txt file.
pwextractor.bat -backup -account_pwd -h hostname -r 1433 -d databasename -t mssql -l sp1 -p capassword -f C:\accounts1.txt -k "E:\FIPSkey.dat"
pwextractor.bat -backup -url jdbc:sqlserver://myhost.example.com:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;integratedSecurity=true; -f C:\accounts.txt -k "C:\FIPSkey.dat"
Note: The final text file contains the delimiter value @!~.
Example: Extract SAM Passwords from an Oracle Database
The following example extracts a SAM password from an Oracle database named ORCL on host.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts1.txt file.
pwextractor.bat -backup -account_pwd -h host -r 1521 -d ORCL -t oracle -l ACDB -p mypwd -url jdbc:oracle:thin:@host.com:1521:orcl -f "C:\accounts1.txt" -k "C:\FIPSkey.dat"
Note: The final text file contains the delimiter value @!~.
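Both command formats above put the database password on the command line (after -p, or as password= in the JDBC URL), and -cleartext writes the extracted passwords unencrypted. The following Python code is an added example, not part of the CA documentation or product: it audits pwextractor command lines found in scripts or process logs and masks the secrets before the line is stored. The function names and the third sample line are assumptions made for illustration.

```python
import re
import shlex

# Options from the syntax lines above that are followed by a value.
VALUE_OPTS = {"-h", "-r", "-d", "-t", "-l", "-p", "-f", "-k", "-url"}

def parse_args(cmdline):
    """Split a pwextractor command line into {option: value or True}."""
    tokens = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    opts, i = {}, 1                             # tokens[0] is the program itself
    while i < len(tokens):
        if tokens[i] in VALUE_OPTS and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[tokens[i]] = True
            i += 1
    return opts

def jdbc_properties(url):
    """Return the ;property=value pairs of a JDBC URL, keys lower-cased."""
    pairs = (p.split("=", 1) for p in url.split(";")[1:] if "=" in p)
    return {key.lower(): value for key, value in pairs}

def audit(cmdline):
    """Describe how this invocation exposes credentials or extracted passwords."""
    opts, findings = parse_args(cmdline), []
    if "-p" in opts:
        findings.append("database password passed with -p")
    if "password" in jdbc_properties(str(opts.get("-url", ""))):
        findings.append("database password embedded in -url")
    if "-backup" in opts and "-cleartext" in opts:
        findings.append("output file %s holds plain-text passwords" % opts.get("-f"))
    return findings

def redact(cmdline):
    """Mask secret values so the line can be stored or forwarded."""
    masked = re.sub(r'(\s-p\s+)("[^"]*"|\S+)', r'\1****', cmdline)
    return re.sub(r'(?i)(password=)[^;\s"]*', r'\1****', masked)

# Constructed sample: the page's two SQL Server examples plus a made-up -cleartext run.
SAMPLES = [
    r'pwextractor.bat -backup -account_pwd -h hostname -r 1433 -d databasename -t mssql -l sp1 -p capassword -f C:\accounts1.txt -k "E:\FIPSkey.dat"',
    r'pwextractor.bat -backup -url jdbc:sqlserver://myhost.example.com:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;integratedSecurity=true; -f C:\accounts.txt -k "C:\FIPSkey.dat"',
    r'pwextractor.bat -backup -account_pwd -h dbhost -d samdb -t mssql -l svc_sam -p "Pl4ce holder" -f D:\out.txt -cleartext',
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(redact(line), audit(line))
```

Any output file the audit reports as plain text, and the key file named by -k, need the same access restrictions as the password database itself.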
Copyright © 2013 CA Technologies.
All rights reserved.