Connection and Script Details By Asset Type
Introduction
This document describes the different types of accounts, the methods they use to connect, and the tasks associated with the rotation of their credentials.
For all credential rotation scripts described below, the server first generates a new password or public-private key pair based on the Password Requirements configured for the asset (inherited from the hierarchy of the asset containers and the sites).
After successful script execution, confirmed by either the script exit code or a credentials verification script configured in the same batch, the server writes the newly generated credentials back to the main asset in the asset database.
While a credential rotation script or batch is executing, and also for failed tasks, the generated credentials can be unlocked from the job record. This option is useful to recover the credentials from failed jobs in cases where the credentials have already been reset on the destination host but not yet updated in the asset database.
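The generate, set, verify and commit sequence described above, including the recovery path for a job that fails after the host has already accepted the new secret, as an added Python illustration (not the product's own code; the vault dictionary, the script callables, the job record and the helper names are assumptions):

```python
import secrets
import string
from dataclasses import dataclass

SYMBOLS = "!@#$%^&*"

@dataclass
class PasswordRequirements:
    """Constructed sample of the Password Requirements an asset inherits from its containers/site."""
    length: int = 20
    require_digit: bool = True
    require_symbol: bool = True

def generate_password(req):
    """Generate a random password satisfying the requirements (hypothetical helper)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(req.length))
        has_digit = any(c.isdigit() for c in pw)
        has_symbol = any(c in SYMBOLS for c in pw)
        if (has_digit or not req.require_digit) and (has_symbol or not req.require_symbol):
            return pw

@dataclass
class JobRecord:
    asset: str
    generated_secret: str  # kept on the job so a failed rotation can still be recovered
    status: str = "running"

def run_rotation_batch(asset, vault, req, set_script, verify_script):
    """Run the set script, then the verify script; update the vault only when both succeed."""
    job = JobRecord(asset, generate_password(req))
    rc = set_script(asset, vault[asset], job.generated_secret)  # script exit code, 0 = success
    if rc != 0:
        job.status = "failed"
        return job
    if not verify_script(asset, job.generated_secret):
        job.status = "failed"  # the host may already hold the new secret: recover it via unlock
        return job
    vault[asset] = job.generated_secret
    job.status = "succeeded"
    return job

def unlock_generated_credential(job):
    """Expose the generated secret only for running or failed jobs, as the page describes."""
    if job.status not in ("running", "failed"):
        raise PermissionError("secret of a succeeded job is read from the asset, not the job")
    return job.generated_secret
```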
Asset types
Windows Host
Connection
Interactive connections are performed using the RDP protocol with user and password as credentials and NTLM authentication.
Script connections are performed using the WinRM or WinRMs protocol with user and password as credentials and Basic, NTLM or Kerberos authentication.
Account management scripts
- Windows Password Reset by Account Itself - the server connects to the destination host using the main asset credentials and executes the script to reset the main asset account password, providing the old password to re-authenticate for the password reset.
- Windows Password Set by Shadow Account - the server connects to the destination host using the shadow asset credentials and executes the script to set the main account password. It is assumed that the shadow account privileges on the destination host allow it to set the main account credentials. The script sets the main account password without using the old password and bypasses configured password limitations such as destination password requirements and time limits. The script is useful to reset the credentials of accounts after they were unlocked for use by operators on the host.
- Windows Password Set by Shadow Account Updating Dependencies - the script sets the main asset account password by the shadow account in the way described in the Windows Password Set by Shadow Account section. After the password is successfully set, the script finds all services, tasks and application pools on the same destination host that run as the main asset account and updates the password in their run-as property to reflect the new password.
Unix Host
Connection
Both interactive and script connections are performed using the SSH protocol with user and password as credentials.
Account management scripts
- Unix Password Reset Typing by Account Itself - the server connects to the destination host using the main asset credentials and executes the script to reset the main asset account password, providing the old password to re-authenticate for the password reset.
- Unix Password Set by Shadow with no sudo Password - the server connects to the destination host using the shadow asset credentials and executes the script to set the main account password. It is assumed that the shadow account privileges on the destination host allow it to set the main account credentials using a passwordless sudo command. The script sets the main account password without using the old password. The script is useful to reset the credentials of accounts after they were unlocked for use by operators on the host.
- Unix Password Reset Typing by Account Itself - the server connects to the destination host using the main asset credentials and executes the script to reset the main asset account password, providing the old password to re-authenticate for the password reset. The script itself guides the interactive session: it types commands instead of executing shell scripts, reads and analyses the text responses, and types new commands back to the interactive terminal. Unlike shell scripts, this script uses a Groovy driver to control the type, read, analyse flow. The script is useful for destination endpoints that do not allow password modification commands to receive passwords from standard input. In this case the script opens an interactive SSH terminal to type commands to the host.
- Unix Password Set by Shadow with sudo Password - the server connects to the destination host using the shadow asset credentials and executes the script to set the main account password. It is assumed that the shadow account privileges on the destination host allow it to set the main account credentials using a password-based sudo command. In this case the script uses an interactive terminal to type the necessary commands, read back their responses and analyse their output. The script sets the main account password without using the old password. The script is useful to reset the credentials of accounts after they were unlocked for use by operators on hosts where the sudo command is protected by a password.
- Unix Password Verify by Shadow - the server connects to the destination host using the shadow asset credentials and executes the script to verify the main account password, usually just reset by the set or reset script. The script uses an interactive terminal to type the necessary commands, read back their responses and analyse their output. The script is useful as the last step in the password reset batch, before updating the asset with the new password, when the password set script does not produce a definitive error code to rely on.
- Unix Status Check - the server connects to the destination host using the main asset credentials and executes a simple script to check successful connectivity to the destination server using the asset credentials. The script is useful as the last step in the password reset batch, before updating the asset with the new password, when the password set script does not produce a definitive error code to rely on.
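The type, read, analyse flow used by the typing scripts above (the Unix Password Reset Typing by Account Itself script and the sudo-password variants), as an added Python illustration rather than the product's Groovy driver; the FakeTerminal, its prompt texts and the pattern table are constructed assumptions that stand in for a real interactive SSH session on a host whose passwd refuses input from standard input:

```python
import re

class FakeTerminal:
    """Constructed stand-in for an interactive SSH session on a host whose passwd
    command only accepts input typed at the terminal, not from standard input."""
    def __init__(self, user, current_password):
        self.user, self.current, self.state, self.pending = user, current_password, "shell", None

    def send(self, line):
        """Type one line and return the text the host prints in response."""
        if self.state == "shell":
            if line != "passwd":
                return "$ "
            self.state = "current"
            return f"Changing password for {self.user}.\n(current) UNIX password: "
        if self.state == "current":
            if line != self.current:
                self.state = "shell"
                return "passwd: Authentication token manipulation error\n$ "
            self.state = "new"
            return "New password: "
        if self.state == "new":
            self.pending, self.state = line, "retype"
            return "Retype new password: "
        self.state = "shell"  # retype prompt answered: back to the shell either way
        if line != self.pending:
            return "Sorry, passwords do not match.\n$ "
        self.current = self.pending
        return "passwd: password updated successfully\n$ "

# Response patterns and the action the driver takes for each (order matters: first match wins).
PROMPTS = [
    (re.compile(r"\(current\) UNIX password: $"), "type_old"),
    (re.compile(r"(New|Retype new) password: $"), "type_new"),
    (re.compile(r"updated successfully"), "done"),
    (re.compile(r"error|Sorry|BAD PASSWORD", re.I), "fail"),
]

def reset_password_by_typing(term, old_password, new_password, max_turns=6):
    """Type, read, analyse loop: type a command, analyse the response, type the matching reply."""
    response = term.send("passwd")
    for _ in range(max_turns):
        action = next((a for pat, a in PROMPTS if pat.search(response)), "fail")
        if action == "done":
            return True
        if action == "fail":
            return False
        response = term.send(old_password if action == "type_old" else new_password)
    return False  # unexpected output or too many prompts: treat as failure, do not update the asset
```

A verify step (the Unix Password Verify by Shadow or Unix Status Check script) should still confirm the result before the asset is updated, since a driver that misreads a prompt returns False even when the host accepted the new password.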
Unix Host with Private Key
Connection
Both interactive and script connections are performed using the SSH protocol with the user and a passwordless private key stored in the asset Private Key text field.
Account management scripts
- Unix Public Key Replacement by Account Itself - the server connects to the destination host using the main asset credentials and updates the account public key to allow connectivity with the newly generated key pair.
- Unix Status Check - read the script description in the Unix Host section.
Unix Host with Protected Private Key
Connection
Both interactive and script connections are performed using the SSH protocol with the user and a private key protected by the password stored in the asset Private Key Password secret string field.
Account management scripts
- Unix Public Key Replacement by Account Itself - read the script description in the Unix Host with Private Key section.
- Unix Status Check - read the script description in the Unix Host section.
Unix Host with Switch User
Connection
Both interactive and script connections are performed using the SSH protocol with user and password as credentials, followed by an immediate switch user command (sudo su - switch-user) to the user stored in the asset Switch User string field. This asset type is useful to access privileged accounts on destination hosts that are usually blocked from direct login from remote locations. The asset type assumes that the privileged account password is not known to the server, but that the main asset account has the privileges to sudo-switch to the privileged account using its own password.
Account management scripts
- Unix Password Reset Typing by Account Itself - read the script description in the Unix Host section.
- Unix Password Set by Shadow with sudo Password - read the script description in the Unix Host section.
- Unix Password Verify by Shadow - read the script description in the Unix Host section.
- Unix Status Check - read the script description in the Unix Host section.
Unix Host with Switch User Password
Connection
Both interactive and script connections are performed using the SSH protocol with user and password as credentials, followed by an immediate switch user command (su - switch-user) to the user stored in the asset Switch User string field, using the user password stored in the Switch User Password secret string field. This asset type is useful to access privileged accounts on destination hosts that are usually blocked from direct login from remote locations. The asset type assumes that the privileged account password is known to the server.
Account management scripts
- Unix Password Reset Typing by Account Itself - read the script description in the Unix Host section.
- Unix Password Set by Shadow with sudo Password - read the script description in the Unix Host section.
- Unix Password Verify by Shadow - read the script description in the Unix Host section.
- Unix Status Check - read the script description in the Unix Host section.
Oracle Solaris Host and IBM AIX Host
Connection
Oracle Solaris Host and IBM AIX Host are special cases of the Unix Host asset type that do not allow password reset commands to accept credentials from standard input. As a result, the out-of-the-box configuration includes interactive type, read, analyse scripts for account management.
Account management scripts
- Unix Password Reset Typing by Account Itself - read the script description in the Unix Host section.
- Unix Password Set by Shadow with sudo Password - read the script description in the Unix Host section.
- Unix Password Verify by Shadow - read the script description in the Unix Host section.
- Unix Status Check - read the script description in the Unix Host section.
LDAP Administrator
Connection
Interactive sessions are not supported. Scripts are executed using the LDAP protocol, connecting to the specified ldap or ldaps URL using the specified User and Password. For the ldaps (SSL or TLS based) protocol, the asset owner should establish trust with the destination URL using the asset URL field control to import the LDAPS server certificate into the server store.
The asset describes a connection to MS Active Directory or another LDAP-compatible server. The asset is designed to manage the accounts in that LDAP server that are described by LDAP User assets. At the same time, the account management scripts defined for the LDAP Administrator asset can manage its own password as well.
Account management scripts
- Active Directory LDAP Set Password by Shadow - the script resets the password of the main asset user. For the LDAP Administrator asset the script should run as the main asset user. The script itself does not need the old password; however, the server needs the old password to connect to the LDAP server.
- LDAP Verify Password by Shadow - the script verifies the newly reset password of the main asset user. For the LDAP Administrator asset the script should run as the main asset user.
LDAP User
Connection
Interactive sessions are not supported. Scripts are executed using the LDAP protocol over the connection established by the shadow LDAP Administrator account. The main asset relies on the URL, with established trust, provided by the shadow account; the main asset does not include a URL field itself.
The asset describes an individual account in MS Active Directory or another LDAP-compatible server, managed by the shadow member LDAP Administrator asset.
Account management scripts
- Active Directory LDAP Set Password by Shadow - the script sets the password of the main asset user using the shadow member LDAP Administrator asset. The script does not need the old password to set the new one.
- LDAP Verify Password by Shadow - the script verifies the newly reset password of the main asset user by directly connecting to the LDAP server using the URL and established trust from the shadow member LDAP Administrator account, and the user and password from the main account. The script is useful as the last step in the password reset batch, before updating the asset with the new password, when the password set script does not produce a definitive error code to rely on.
IBM i Host
Connection
Both interactive and script connections are supported using the Telnet protocol with the host, user and password from the asset. Interactive sessions enforce a specific screen size, color and keyboard mapping.
Account management scripts
- IBM i Password Reset - the server connects to the destination host using the main asset credentials and executes the script to reset the main asset account password, providing the old password to re-authenticate for the password reset.
- IBM i Set Password by Shadow - the server connects to the destination host using the shadow asset credentials and executes the script to set the main account password. It is assumed that the shadow account privileges on the destination host allow it to set the main account credentials. The script sets the main account password without using the old password. The script is useful to reset the credentials of accounts after they were unlocked for use by operators on the host.
- IBM i Verify Password - the script verifies the newly reset password of the main asset user by directly connecting to the destination endpoint. The script is useful as the last step in the password reset batch, before updating the asset with the new password, when the password set script does not produce a definitive error code to rely on.
Entra ID User
Connection
Interactive sessions are not supported. Scripts are executed using the HTTPS protocol with the configuration established by the shadow Entra ID Application asset. The main asset relies on the privileges granted to the Entra ID application described by the Entra ID Application asset to set Entra ID user credentials.
The Entra ID User asset describes an individual account in the Entra ID service.
Account management scripts
- Entra ID Set Password by Shadow - the server connects to the destination Entra ID application described in the shadow member asset and executes the script to set the main asset account password. It is assumed that the shadow member asset describes an Entra ID application with the privileges to set the main account credentials. The script sets the main account password without using the old password.
- Entra ID Verify Password by Shadow - the server connects to the destination Entra ID application described in the shadow member asset and authenticates the main asset user and password using the application from the shadow member asset. The script is useful as the last step in the password reset batch, before updating the asset with the new password, when the password set script does not produce a definitive error code to rely on.