Ujwol Shrestha

Tech Tip - CA Single Sign-On: Policy Server: Read Password Blob Utility

Blog post created by Ujwol Shrestha, Principal Support Engineer in CA Security, on Feb 29, 2016

Problem Summary

The “Password Data” user attribute value is commonly called the “Password Blob”. It is an enciphered collection of several virtual user attributes used by SiteMinder Basic Password Services.

These virtual attributes are:

  1. Current Login Failure Count
  2. Last Login Timestamp
  3. Previous Login Timestamp
  4. Disabled Timestamp
  5. Password History
  6. Last Password Change Timestamp (from the most recent entry in the Password History)

An authentication attempt against an active (not disabled) user’s account, or any forced setting of a user’s password (via the Admin API), causes at least one read-modify-write access of the Password Blob in the user directory. Note that the “modify” part includes deciphering and unpacking the blob, modifying some of the virtual attributes, then packing and enciphering the attributes into the new Password Blob.

The Password History is a FIFO record of a user’s current and most recent passwords. Each entry comprises a password string and the timestamp of when the password was entered into the history. The maximum number of entries maintained for a user depends on the password reuse restrictions in all of the Password Policies that apply to that user when the Password Blob is updated.

The purpose of this article is to provide a utility to read these attributes from the Password Blob.

Please note:

  • This utility cannot read the Password History attribute from the Password Blob.
  • This utility is built with the SiteMinder Java SDK API and requires a JDK to be installed on the machine it runs on.

Instructions

Follow the steps below to run the Read Password Blob Utility:

1. Download and extract the attached RPB.zip

2. Ensure the JAVA_HOME environment variable is set to <Path to JDK Install Directory/bin>

3. Open a command prompt in the "RPB" folder and execute rpb-build.bat (rpb-build.sh for Unix). This recompiles the utility's SDK code.

4. Edit rpb-run.bat (rpb-run.sh for Unix) and modify the parameters to match your setup, e.g.:

"%JAVA_HOME%\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true

Where:

psip = Policy Server IP address or host name

agentip = Not relevant for this utility; you can leave it at the default value.

adminuser = CA SiteMinder administrator user ID

adminpass = CA SiteMinder administrator password

orgroot = Search root DN (for an ODBC user store, give any dummy value)

userdn = DN of the user whose Password Blob attributes you want to read

userdir = Name of the user directory as defined in the Administrative UI

agentname = Name of the 4x agent (ensure the "Supports 4x agents" check box is checked in the Administrative UI)

agentsecret = Shared secret configured for the 4x agent.

debug = true|false to enable or disable debug output. Note that with debug=true the utility also prints the full user directory definition returned by the Policy Server, including the directory bind credential (the Password= line in the sample output below) in clear text, so treat captured debug output as sensitive.

5. Save rpb-run.bat (rpb-run.sh for Unix).

6. Execute rpb-run.bat (rpb-run.sh for Unix).

TEST 1: LDAP Directory

Sample output (with debug=false):

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x"  -agentsecret siteminder -debug false

Output:

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder

Get user directory list: STATUS_OK
Get user directory AD2k8-01: STATUS_OK
Get capabilities: STATUS_OK

Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
C:\Users\Administrator\Desktop\RPB>

Sample output (with debug=true):

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x"  -agentsecret siteminder -debug true

Output:

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder

Get user directory list: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
                                        CADir-01
                                        AdvAuthExternalLDAPDir
                                        SAML2FederationCustomUserStore
                                        AD2k8-01
                                        AD2k8_AD
                                        FedBCCertUserDirectory
                                        FedBCCustomUserStore
Get user directory AD2k8-01: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
                                        EmailAddrAttr=mail
                                        ODBCQueryOid=00-
                                        GuidAttr=
                                        Server=ad2k8-01:389
                                        Username=CN=Administrator,CN=Users,DC=ad,DC=lab
                                        SearchTimeout=30
                                        Name=AD2k8-01
                                        Password=Siteminder1
                                        BlobAttribute=audio
                                        RequireCredentials=true
                                        SearchScope=2
                                        UserLookupEnd=)
                                        ChallengeRespAttr=
                                        SearchRoot=DC=ad,DC=lab
                                        EnableSecurityContext=false
                                        UserLookupStart=(sAMAccountName=
                                        UniversalID=sAMAccountName
                                        Oid=0e-40c066e3-ff0e-4bd2-94ca-115fb3697d71
                                        Desc=
                                        SearchResults=0
                                        DisabledAttr=carLicense
                                        PasswordAttribute=unicodePwd
                                        Namespace=LDAP:
                                        ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]133169663

Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
LoginFailures=0,        LastLoginTime=Wed Feb 24 17:57:25 EST 2016,     PrevLoginTime=Sun Jan 10 17:58:25 EST 2016,     DisabledTime=Thu Jan 01 10:00:00 EST 1970,    LastPWChangeTime=Wed Feb 24 17:57:05 EST 2016
C:\Users\Administrator\Desktop\RPB>

TEST 2: ODBC Directory

Please note: for an ODBC user directory you must provide a dummy value for the organization root DN (-orgroot). This is due to a bug in the SDK code.

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip shruj01-i1849.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "DUMMY_ROOT" -userdn "Lisac" -userdir "SMUSER" -agentname "agent_iis_01" -agentsecret siteminder -debug true

Output:

PS_IP=shruj01-i1849.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=agent_iis_01 USER_DIR=SMUSER ORG_ROOT=DUMMY_ROOT USER_DN=Lisac ADMIN=siteminder
Get user directory list: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
CADir-shruj01-I2069
SMUSER
AdvAuthExternalLDAPDir
SAML2FederationCustomUserStore
CADir-shruj01-I2069(APS)
FedBCCertUserDirectory
jsdksample-userdir
AD2K12-shruj01-i2077
FedBCCustomUserStore
Get user directory SMUSER: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
EmailAddrAttr=
ODBCQueryOid=18-308a73ec-62c1-41a4-9b24-38db73d23a33
GuidAttr=
Server=SMUSER
Username=sa
SearchTimeout=30
Name=SMUSER
Password=interOP@1876
BlobAttribute=PasswordData
RequireCredentials=true
SearchScope=2
UserLookupEnd=
ChallengeRespAttr=
SearchRoot=
EnableSecurityContext=false
UserLookupStart=
UniversalID=Name
Oid=0e-1ae8b0f6-4751-486e-b1a8-e20ce89be8e1
Desc=
SearchResults=0
DisabledAttr=Disabled
PasswordAttribute=Password
Namespace=ODBC:
ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]28311965
Obtaining Password State:
LoginFailures: 0
LastLoginTime: March 26 2018 10:23:28
PrevLoginTime: March 26 2018 10:23:07
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: March 26 2018 10:23:07
LoginFailures=0, LastLoginTime=Mon Mar 26 10:23:28 AEDT 2018, PrevLoginTime=Mon Mar 26 10:23:07 AEDT 2018, DisabledTime=Thu Jan 01 10:00:00 AEST 1970, LastPWChangeTime=Mon Mar 26 10:23:07 AEDT 2018
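The output above is what a reviewer actually has to work with, so here is an added Python example (not part of the RPB utility or the SiteMinder SDK) that parses the "Obtaining Password State:" block into typed values, treats the epoch timestamp the utility prints for an unset DisabledTime as "not disabled", flags conditions worth acting on, and masks the bind password and command-line secrets that the debug=true output echoes before it is shared. SAMPLE_OUTPUT is a constructed, abbreviated copy of the TEST 1 output; the max_age_days and failure_threshold values in assess() are assumptions, not taken from any Password Policy.

```python
"""Interpret the Read Password Blob utility's output.

Added example, not part of the RPB utility or the SiteMinder SDK. It parses
the "Obtaining Password State:" block the utility prints, maps each virtual
attribute to a Python value, flags conditions worth a reviewer's attention,
and masks the secrets that debug=true echoes. SAMPLE_OUTPUT is a constructed
copy of the page's TEST 1 output; the thresholds in assess() are assumed
values, not taken from any Password Policy.
"""
import re
from datetime import datetime, timedelta

# Timestamp layout the utility prints, e.g. "February 24 2016 17:57:25".
TS_FORMAT = "%B %d %Y %H:%M:%S"

# Virtual attributes the utility exposes (Password History is not exposed).
FIELDS = ("LoginFailures", "LastLoginTime", "PrevLoginTime",
          "DisabledTime", "LastPWChangeTime")

# Constructed sample: abbreviated TEST 1 debug=true output from the page.
SAMPLE_OUTPUT = r"""C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar ReadPasswordBlob -psip ps-01.ca.com -adminuser siteminder -adminpass siteminder -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true
Get user directory AD2k8-01: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
                                        Username=CN=Administrator,CN=Users,DC=ad,DC=lab
                                        Password=Siteminder1
                                        BlobAttribute=audio
                                        PasswordAttribute=unicodePwd
Get capabilities: STATUS_OK

Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
LoginFailures=0,        LastLoginTime=Wed Feb 24 17:57:25 EST 2016,     PrevLoginTime=Sun Jan 10 17:58:25 EST 2016,     DisabledTime=Thu Jan 01 10:00:00 EST 1970,    LastPWChangeTime=Wed Feb 24 17:57:05 EST 2016
C:\Users\Administrator\Desktop\RPB>
"""


def parse_password_state(output):
    """Return the five virtual attributes as a dict.

    LoginFailures becomes an int; timestamps become datetime objects. The
    blob stores 0 for "never", which the utility prints as the Unix epoch in
    local time, so any timestamp in 1970 or earlier is mapped to None.
    """
    state = {}
    in_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Obtaining Password State"):
            in_block = True
            continue
        if not in_block:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key not in FIELDS:
            continue  # summary line, prompt, or unrelated text
        if key == "LoginFailures":
            state[key] = int(value)
        else:
            stamp = datetime.strptime(value, TS_FORMAT)
            state[key] = None if stamp.year <= 1970 else stamp
    missing = [f for f in FIELDS if f not in state]
    if missing:
        raise ValueError("password state block incomplete; missing %s" % missing)
    return state


def assess(state, now, max_age_days=90, failure_threshold=5):
    """List conditions a reviewer would want to act on.

    max_age_days and failure_threshold are assumed values; substitute the
    limits from the Password Policies that apply to the user.
    """
    findings = []
    if state["DisabledTime"] is not None:
        findings.append("account disabled since %s" % state["DisabledTime"].isoformat())
    if state["LoginFailures"] >= failure_threshold:
        findings.append("%d consecutive login failures" % state["LoginFailures"])
    if state["LastPWChangeTime"] is None:
        findings.append("no password change recorded in the blob")
    elif now - state["LastPWChangeTime"] > timedelta(days=max_age_days):
        findings.append("password is %d days old" % (now - state["LastPWChangeTime"]).days)
    return findings


def redact_debug_output(output):
    """Mask secrets before the output is shared or attached to a ticket.

    debug=true prints the user directory definition, including its bind
    password on a "Password=" line, and the echoed command line carries
    -adminpass and -agentsecret in clear text.
    """
    out = re.sub(r"^(\s*Password=).*$", r"\1<redacted>", output, flags=re.MULTILINE)
    out = re.sub(r"(-(?:adminpass|agentsecret)\s+)\S+", r"\1<redacted>", out)
    return out


if __name__ == "__main__":
    parsed = parse_password_state(SAMPLE_OUTPUT)
    for name in FIELDS:
        print("%-17s %s" % (name, parsed[name]))
    print("findings:", assess(parsed, now=datetime(2018, 3, 26)))
    print(redact_debug_output(SAMPLE_OUTPUT))
```

The parser keys off the "Obtaining Password State:" header and ignores the trailing one-line summary and the shell prompt, so it works on both the debug=false and debug=true forms shown above. The 1970 check is deliberately on the year rather than on an exact string, because the utility prints the epoch in the Policy Server's local time zone and the date can render as 31 December 1969 west of UTC.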
