pwextractor Utility—Extract Privileged Account Passwords

Reference Guide › Utilities › pwextractor Utility—Extract Privileged Account Passwords

pwextractor Utility—Extract Privileged Account Passwords

The pwextractor utility extracts privileged account passwords from the database. You can use pwextractor if you want to back up privileged account passwords, or if SAM is unavailable and you cannot check out privileged accounts.

To use pwextractor, you must:

Have access to the database tables
Know the user name and password for the account that SAM uses to access the database
Note: Provide these credentials while installing the Enterprise Management Server.

When you use pwextractor to extract passwords from a Microsoft SQL Server database with Windows authentication, you must:

Verify that the sqljdbc_auth.dll file is located in the JAVA_HOME\bin directory
Use the pwextractor -url format
Specify integratedSecurity=true; in the JDBC URL string

Note: You can use the pwextractor -url format only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database. For more information about the sqljdbc_auth.dll file, see the Microsoft SQL Server documentation.

pwextractor is located in the following directory:

ACServerInstallDir/IAM Suite/Access Control/tools/pwextractor

This command has the following format:

pwextractor {-backup | -restore} -h hostname [-r port] 
            -d {database | schema} -t {mssql | oracle} 
            -l login -p password -f filename {[-k key_file][-cleartext]}
            [-current]

This command has the following format for JDBC databases. This format is valid only when you install the Enterprise Management Server on a Windows computer and use a Microsoft SQL Server database:

pwextractor {-backup | -restore} -url url -f filename [-k key_file]

{-backup | -restore}

Specifying either –backup or –restore is required to run the tool.

-backup: Specifies that the tool is used to backup SAM passwords from the database.
-restore: Specifies that the tool is used to restore SAM passwords from the source database to the destination server.

-h hostname

Defines the name of the database host.

-r port

Defines the port number on which the database communicates.

-d {database | schema}

Defines one of the following:

(MS SQL) Defines the database name.
(Oracle) Defines the schema name.

-t {mssql | oracle}

Specifies the database type.

Values: mssql, oracle

-current

Extracts only active passwords of accounts that are in use.

Default: If omitted, it extracts all passwords stored in the database from the beginning.

-l login

Defines the user name for the account that SAM uses to access the database.

-p password

Defines the password for the account that SAM uses to access the database.

-f filename

Defines the directory path and file name for the output file. If you specify an existing file, pwextractor replaces the existing file with the new output.

-account_pwd

Extracts or restores passwords of all <pump> accounts.

Note: This option is mandatory.

-cleartext

Defines that extracted passwords are stored in plain text. If this option is skipped, passwords are stored in an encrypted format as available in the database column.

Note: This option is not required when using the restore option.

-k key_file

Defines the full path and name of the encryption file that is used to encrypt the passwords.

-url url

Defines the JDBC URL string to access the database.

Format: jdbc:sqlserver://servername:port[;property=value]

Example: jdbc:sqlserver://localhost:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;

Example: Extract SAM Passwords from a Microsoft SQL Server Database

The following example extracts a SAM password from a Microsoft SQL Server database named mydb on host myhost.example.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts.txt file.

This example extracts a password when the database authentication mode is SQL Server Authentication:

pwextractor.bat -backup -account_pwd -h hostname -r 1433 -d databasename -t mssql -l sp1 -p capassword -f C:\accounts1.txt -k "E:\FIPSkey.dat"

This example extracts a password when the database authentication mode is Windows Authentication:

pwextractor.bat -backup -url jdbc:sqlserver://myhost.example.com:1433;selectMethod=cursor;DatabaseName=mydb;user=sa;password=mypwd;integratedSecurity=true; -f C:\accounts.txt -k "C:\FIPSkey.dat"

Note: The final text file contains the delimiter value @!~.

Example: Extract SAM Passwords from an Oracle Database

The following example extracts a SAM password from an Oracle database named ORCL on host.com. The Enterprise Management Server is on a Windows computer and the encryption file is placed at C:\FIPSkey.dat. The pwextractor utility writes the output to the C:\accounts1.txt file.

pwextractor.bat -backup -account_pwd -h host -r 1521 -d ORCL -t oracle -l ACDB -p mypwd -url jdbc:oracle:thin:@host.com:1521:orcl -f "C:\accounts1.txt" -k "C:\FIPSkey.dat"

Note: The final text file contains the delimiter value @!~.

More information:

Manual Password Extraction