How to update Enterprise Credential Vault every day
I have PAM 3.2 installed on a RHEL server. I need to configure a server that has a policy where the system updates operating system users' passwords every day. I have read the admin document, but there isn't any reference to how to update a credential using a script or API. Could you tell me whether it is possible to update a credential in the Enterprise Credential Vault every day?
> Hello everyone,
> I have PAM 3.2 installed in a RHEL Server, I need to configure a
> server, it has a policy where the system updates operating system users'
> password everyday. I have read admin document, but it doesn't exist any
> reference of how to update a credential using a script or API. could you
> tell me is it possible to update a credential in the Enterprise
> Credential Vault every day?
Have a look at this, which shows how to update a credential, incl.
changing the password:
You probably also would have to look at this to get a better
understanding of the JSONApi:
https://<manager>/pam doesn't work on our 3.2 servers (browser returns "The requested item was not found on this server"). The REST API guide uses pum_rest_auth in the curl calls but makes no mention of how to obtain one.
New User Console "/pam" has been added in PAM 3.5:
Enhancements to REST API have been made including Credential Vault Management in PAM 3.5:
I recommend upgrading to PAM 3.5 / 3.6 as there have been many great enhancements made to the product.
However, in PAM 3.2, the following REST API Guide is available detailing all available at that time ("Add or Modify Credential"):
Thanks. But, if you look at #11 (Add or Modify Vault), in the REST API Guide, the curl command example uses "pum_rest_auth" for authentication. Where does the value for this variable come from? This variable is used in other curl examples but no information is provided on how to generate the variable's value.
That is the token needed to authenticate the request. The documentation has improved here in more recent releases of PAM and has a built-in "Try it Out" dashboard for the REST API.
There are a couple of options in PAM 3.2 for authentication:
1) Basic Auth - provide on every curl command to set the "basic auth" username & password, which re-authenticates every time. From curl documentation, this can be done with -u, --user <user:password>. With this approach, you won't need to reference the "pum_rest_auth" part of the curl command examples.
2) Authenticate with PAM and retrieve the pum_rest_auth from the "Set-Cookie" HTTP response. To do so, you'll need to call the REST API "/rest/auth/Login" and then use the Cookie it returns in subsequent requests. Adding "-v, --verbose" to the curl will reveal this. There are other approaches to handle auth cookies built into curl. To obtain the cookie with verbose mode, something like the following:
curl -v --insecure -u <user:password> "https://localhost/rest/auth/Login"
Look for "< Set-Cookie: pum_rest_auth=..."
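The second option above (log in once, then reuse the pum_rest_auth cookie), as an added example that is not part of the original thread or the product documentation. PAM_HOST, PAM_USER, PAM_PASS and PAM_CA are assumed environment variable names, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: obtain the pum_rest_auth session cookie from /rest/auth/Login.
# PAM_HOST, PAM_USER, PAM_PASS, PAM_CA are assumed variable names.

# Read HTTP response headers on stdin and print the pum_rest_auth value.
# Returns non-zero when the cookie is absent (for example a failed login).
extract_pum_rest_auth() {
    awk '
        { sub(/\r$/, "") }                       # strip CR from CRLF endings
        !found && tolower($0) ~ /^set-cookie:[ \t]*pum_rest_auth=/ {
            sub(/^[^=]*=/, "")                   # drop "Set-Cookie: pum_rest_auth="
            sub(/;.*$/, "")                      # drop cookie attributes
            print; found = 1
        }
        END { exit !found }
    '
}

# Log in with basic auth and print the session token.
# The credentials reach curl through a config stream on stdin (-K -), so they
# do not show up in the process list as they would with -u on the command
# line. --cacert verifies the server certificate instead of using --insecure.
# Limitation: a password containing " or \ must be escaped for curl's config
# syntax before it is passed in.
pam_login() {
    printf 'user = "%s:%s"\n' "$PAM_USER" "$PAM_PASS" |
        curl -sS -K - --cacert "$PAM_CA" -o /dev/null -D - \
             "https://$PAM_HOST/rest/auth/Login" |
        extract_pum_rest_auth
}

# Constructed sample response headers (not captured from a real server).
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: application/json\r\n'
    printf 'Set-Cookie: pum_rest_auth=c2FtcGxlLXRva2Vu==; Path=/; Secure; HttpOnly\r\n'
    printf '\r\n'
}

# Typical use in a scheduled job:
#   token=$(pam_login) || { echo "PAM login failed" >&2; exit 1; }
# Later REST calls from the guide then send the token back as a cookie:
#   curl -sS --cacert "$PAM_CA" -b "pum_rest_auth=$token" ...
```

Keep the token out of logs and shell history, since it grants the same access as the account that logged in.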
We looked into upgrading to 3.5/3.6 but because the consoles are being upgraded to HTML5 in a piecemeal fashion, admins have to work with the older and newer consoles, rather than one seamless experience. We can currently do everything we need with 3.2 so we plan to hold off on upgrading until all of the consoles we normally use are upgraded. Of course, if support for 3.2 ends, then we'll be forced to upgrade.