Sudip,
Break-Glass scenarios can be dealt with in several ways. We really recommend that you have a secondary PAM cluster in a remote location so that you can always access your passwords via PAM. However, there will often be one or two passwords that need to be kept outside of PAM.
In this case you can do it manually... having someone view the password on the first of the month (or whenever it changes), write down the password and store it in a safe. This wouldn't be ideal for 200 servers, but you shouldn't need to store 200 server root accounts.
If you really MUST store a lot of passwords in a break-glass situation, then I recommend that you use the PAM APIs to retrieve those passwords and print them out. Such a script would have several steps... 1. Query PAM for the device IDs of those devices. 2. Query PAM for the target application IDs associated with those devices. 3. Query PAM for the target account IDs associated with those devices. Finally 4. Query PAM for the password associated with those target account IDs.
Attached is a sample PowerShell script that will do this... you will need to enable the API and create an API key to use it. Please do not use this script for production use; it's a demo with no error checking and minimal testing. Have someone in your organization develop a proper solution in a language of their choice. Also, keep in mind that the resulting output is very sensitive information and you will want to take precautions in handling it.
# Demo only: walks one PAM device group and dumps the password of every target account in it.
# Enable the API and create an API key before running. There is no error checking.
$apiURL = "https://demoPamServer.mydomain.com/api.php"
$deviceGroupName = "demoDeviceGroup"

# Disables TLS certificate validation so the demo works against a self-signed server.
# This leaves every call open to interception; do not carry it into a real solution.
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type) {
    Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
    private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors) { return true; }
    public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
    public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()

# The API key is sent as the HTTP basic-auth credential on every call; prompt once and reuse it.
if (-not $apikey) { $apikey = Get-Credential -Message "Enter your API key" }

# Step 1: resolve the device group name to its ID, then list the devices in the group.
$results = Invoke-RestMethod -Uri "$apiURL/v1/deviceGroups.json?fields=groupId&groupName=$deviceGroupName" -Method Get -Credential $apikey
$groupId = $results.groupId
$devices = Invoke-RestMethod -Uri "$apiURL/v1/deviceGroups.json/$groupId/devices" -Method Get -Credential $apikey
$devices = $devices.PsObject.Properties   # devices come back as deviceName => deviceId properties

ForEach ($device in $devices) {
    $deviceId = $device.Value
    $deviceName = $device.Name
    # Step 2: target applications on this device.
    $targetApps = Invoke-RestMethod -Uri "$apiURL/v1/devices.json/$deviceId/targetApplications?fields=id" -Method Get -Credential $apikey
    ForEach ($targetAppId in $targetApps.id) {
        # Step 3: target accounts under this application.
        $targetAccts = Invoke-RestMethod -Uri "$apiURL/v1/devices.json/$deviceId/targetApplications/$targetAppId/TargetAccounts" -Method Get -Credential $apikey
        ForEach ($targetAcct in $targetAccts) {
            # Step 4: the password itself; reason and reasonDetails are sent with the request.
            $pw = Invoke-RestMethod -Uri "$apiURL/v1/passwords.json/$($targetAcct.accountId)?reason=Other&reasonDetails=Break%20Glass%20Storage" -Method Get -Credential $apikey
            if ($pw.publickey) {
                $password = "Public Key"   # key-based accounts have no password to print
            } else {
                $password = $pw.password
            }
            Write-Host "$deviceName\$($targetAcct.accountName): $password"
            # Plaintext, tab-separated output file; treat it as a secret from the moment it exists.
            "$deviceName`t$($targetAcct.accountName)`t$password" | Out-File "$PSScriptRoot\output.csv" -Append
        }
    }
}
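A hardened variant of the same four-step walk, as an added example that is not part of the original post or the vendor's own code: TLS certificate validation stays on (no TrustEverything callback), every API call is wrapped so a failure stops the run with a clear message, and the result is encrypted with Protect-CmsMessage to a recipient certificate instead of being appended to a plaintext file. The endpoint paths are copied from the demo script above and are assumed to be correct; the recipient certificate is assumed to carry the Document Encryption EKU that Protect-CmsMessage requires, and the parameter names are hypothetical.

```powershell
<#
Added example, not from the original post. Same device-group walk as the demo script,
with TLS validation enabled, per-call error handling, and CMS-encrypted output.
Endpoint paths are taken from the demo script and assumed to be correct.
#>
param(
    [Parameter(Mandatory)] [string] $ApiUrl,               # e.g. https://pam.example.com/api.php (hypothetical)
    [Parameter(Mandatory)] [string] $DeviceGroupName,
    [Parameter(Mandatory)] [string] $RecipientThumbprint,  # encryption cert in Cert:\CurrentUser\My (assumed to have the Document Encryption EKU)
    [string] $OutFile = (Join-Path $PWD 'breakglass.cms')
)

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Fail before touching PAM if the recipient certificate is missing: every password
# retrieval is audited on the PAM side, so do not fetch what cannot be protected.
$recipient = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $RecipientThumbprint
if (-not $recipient) { throw "No certificate with thumbprint $RecipientThumbprint in Cert:\CurrentUser\My" }

$apiKey = Get-Credential -Message 'Enter your PAM API key'

function Invoke-PamApi {
    # One place for every GET against the API: basic auth with the API key, certificate
    # validation left at the .NET default, and a failure that names the request that failed.
    param([Parameter(Mandatory)] [string] $Path)
    try {
        return Invoke-RestMethod -Uri "$ApiUrl/v1/$Path" -Method Get -Credential $apiKey
    } catch {
        throw "PAM API call failed for '$Path': $($_.Exception.Message)"
    }
}

function ConvertTo-CsvField([string] $Value) {
    # Quote every field and double embedded quotes, so a name or password containing
    # a comma, quote or newline cannot break the CSV structure.
    return '"' + $Value.Replace('"', '""') + '"'
}

# Step 1: device group name -> group ID -> devices (returned as deviceName => deviceId properties)
$groupName = [uri]::EscapeDataString($DeviceGroupName)
$groupId = (Invoke-PamApi "deviceGroups.json?fields=groupId&groupName=$groupName").groupId
if (-not $groupId) { throw "Device group '$DeviceGroupName' not found" }
$devices = (Invoke-PamApi "deviceGroups.json/$groupId/devices").PSObject.Properties

$rows = [System.Collections.Generic.List[string]]::new()
$rows.Add('device,account,secret')

foreach ($device in $devices) {
    $deviceId = $device.Value
    $deviceName = $device.Name
    # Step 2: target applications on the device
    $targetApps = Invoke-PamApi "devices.json/$deviceId/targetApplications?fields=id"
    foreach ($targetAppId in $targetApps.id) {
        # Step 3: target accounts under the application
        $targetAccts = Invoke-PamApi "devices.json/$deviceId/targetApplications/$targetAppId/TargetAccounts"
        foreach ($targetAcct in $targetAccts) {
            # Step 4: the password; reason/reasonDetails are sent with the request as in the demo
            $pw = Invoke-PamApi "passwords.json/$($targetAcct.accountId)?reason=Other&reasonDetails=Break%20Glass%20Storage"
            $secret = if ($pw.publicKey) { 'Public Key' } else { [string] $pw.password }
            $fields = @($deviceName, $targetAcct.accountName, $secret) | ForEach-Object { ConvertTo-CsvField $_ }
            $rows.Add(($fields -join ','))
        }
    }
}

# Encrypt the whole CSV to the recipient certificate. Only the holder of its private key
# can read the file, with Unprotect-CmsMessage -Path <file>. No plaintext touches disk.
$csv = $rows -join "`r`n"
Protect-CmsMessage -To $recipient -Content $csv -OutFile $OutFile
$count = $rows.Count - 1

# .NET strings cannot be zeroed, so this only shortens how long the plaintext lingers in memory.
$rows.Clear(); $csv = $null; [GC]::Collect()
Write-Host "Wrote $count account(s) from group '$DeviceGroupName' to $OutFile (CMS-encrypted)"
```

A certificate suitable for the recipient can be created with New-SelfSignedCertificate -Type DocumentEncryptionCert; keep its private key on the machine (or smart card) that will open the file in an emergency, and export only the public certificate to the host that runs the script. The run still leaves a retrieval record per account in PAM, and the API key used here is itself a privileged credential that needs the same care as the output.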