CLI/SSH Integration


MyPass Cloud provides multiple options for command-line integration with applications and systems, namely CLI and SSH integrations. For an integration to succeed, some basic elements must be in place, starting with a method for setting the remote system user’s password. To determine whether an integration is possible, answer the questions below:

  • Is it possible to reset any user’s password using command-line execution, a web service request, an API, or direct access to the data storage? (There might be multiple possibilities; list all of them.)
  • If so, can the operation be executed locally from the MyPass Cloud, the Gateway, or does it require execution on a remote server?
  • Is the password on the remote system encrypted? If so, is the encryption method or DLL accessible? Or will the provided integration method take care of the encryption?
  • Is there a password policy on the remote system or any special requirements?
  • (Optional) Can the user be locked? What are the rules for this? Should MyPass Cloud unlock the user when resetting the password?
  • (Optional) Is there a “User Must Change Password at next logon” flag in the system, and should this be set?
  • Does the system require any upper/lower-case manipulation with the username or password?

The Generic CLI (Command Line, API, Web Service and SSH) Connector is used by MyPass Cloud to reset passwords on a custom remote system that offers some kind of application or command-line integration option (e.g. a script). The CLI connector lets customers build their own integrations into MyPass Cloud.

The connector is installed along with the Gateway server installation and provides many options for configuration. The following section explores these options in greater detail.

When the Generic CLI Connector is executed, it calls a specific program or application logic to perform specific operations on target systems. To transfer the data to the program, MyPass Cloud either passes it in clear text, Base64-encodes it, or uses a customer-supplied encryption assembly (see the Method parameter below).

From that point, it is up to the executable to set the password on the target system. MyPass Cloud will use state management to determine when and if the application/executable/logic was successfully executed.

On a success code, the transaction is marked accordingly. On a failure code, the automatic retry feature goes into action. Finally, a “user not present” code aborts the transaction, as it indicates that the user ID in question has no account on the target system. The message text is saved together with the code in the Gateway server log for the connector (Gateway-CLIconnector.log), so the script should never include the new password in that text.

Parameters

When defining a generic call, the following parameters are available:

  • Check Connection: This value provides the path to the Check Connection script/logic on the remote server.
  • Reset Password: This value defines the path to the Reset Password script/logic on the remote server.
  • InstanceID: (Optional) This value is sent as a parameter to the scripts and can be used to determine which user repository is invoking the connector. Use this when multiple endpoints are serviced from the same script/logic.
  • Working directory: The working directory for the executable/script.
  • Admin Account: If specified, this value is sent to the executable as a parameter.
  • Admin Password: The password for the above account. It is also passed to the executable as a command-line parameter.
  • Method: This value determines how MyPass transfers the password to the remote script. Whichever method is chosen, the value is delivered as a command-line argument, which any local account able to list processes on the Gateway server can read, so limit who can log on to the Gateway. The following options are available:
    • None – the password is passed in clear text (not recommended)
    • Base64 – the password is Base64-encoded. Base64 is a reversible encoding, not encryption; it only keeps shell metacharacters and accidental display from mangling or revealing the value at a glance.
    • Custom – MyPass offers the ability to supply your own encryption algorithm in a DLL.
  • Assembly path: Path to the encryption DLL – used when Custom encryption is chosen.
  • Class Name: Name of the class in that DLL – used when Custom encryption is chosen.
  • Username Manipulation: (Optional) Tells whether MyPass should upper- or lowercase the username before sending it to the connector.
  • Password Manipulation: (Optional) Tells whether MyPass should upper- or lowercase the password before sending it to the connector.
  • Unlock After Reset: (Optional) Not used in the current version.
  • Mode: These impersonation settings control which Windows account the executable is started as. This can be used to limit access to a client certificate when certificates are used. Possible values are:
    • None
    • Impersonate as FPIIS user
    • Impersonate as a specific user
  • Account: The account to be used for impersonation if “Impersonate as a specific user” is chosen.
  • Password: The password for the above account.
Execution of Application/Executable

When the script is called, the parameters look like this:

    <Reset Password script> <Operation> <Encoding> <AdminUser> <AdminPass> <Instance name> <username> <Password>

Where:

  • Reset Password script is the script path configured in the Reset Password parameter above
  • Operation is ResetPassword
  • Encoding is None, Base64 or Custom (the Method chosen above)
  • AdminUser is the Admin Account given above
  • AdminPass is the password for the above account
  • Instance name is the value entered in the InstanceID field
  • Username is the username of the user whose password is being set
  • Password is the new password, transferred according to the chosen Method
Return Codes

The script must print one of the following codes, followed by a semicolon and a message text. The output is shown in the log for the connector. Code 0 marks the transaction as successful, code 2 aborts it because the user has no account on the target system, and code 3 makes MyPass Cloud retry the operation.

    0; <TEXT>   e.g.: 0; Password for user johnd successfully set

    2; <TEXT>   e.g.: 2; The user johnd is not present in this system

    3; <TEXT>   e.g.: 3; Failed to set password for johnd - system is unavailable
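As an added example (not code from this page or from FastPass), the following is a minimal Reset Password script written in Python rather than a batch file. It follows the argument order and the "<code>; <text>" output convention described above, accepts the None and Base64 methods, and returns 2 for an unknown user and 3 for anything that should be retried. The TargetSystem class and SAMPLE_USERS are constructed stand-ins for the remote system; the assumptions that only the <Password> argument carries the Base64 encoding and that the Custom method is rejected (its DLL interface is not shown on this page) are mine.

```python
#!/usr/bin/env python3
"""Illustrative Reset Password script for the Generic CLI Connector.

Added example, not FastPass code. The Gateway invokes it as:
  script <Operation> <Encoding> <AdminUser> <AdminPass> <Instance name> <username> <Password>
and reads one output line of the form "<code>; <text>" with code 0, 2 or 3.
Assumptions not stated on the page: only <Password> carries the Base64 encoding,
and "Custom" is rejected here because the custom DLL interface is not documented.
"""
import base64
import binascii
import sys

OK, USER_NOT_PRESENT, FAILED = 0, 2, 3

# Constructed sample accounts standing in for the target system's user store.
SAMPLE_USERS = {"johnd": "OldPassw0rd!", "alice": "Sp4rkl3s"}


class TargetSystem:
    """Stand-in for the real target (the shipped sample uses osql.exe against MSSQL)."""

    def __init__(self, users, available=True):
        self.users = dict(users)
        self.available = available

    def reset_password(self, username, new_password):
        if not self.available:
            raise OSError("system is unavailable")
        if username not in self.users:
            raise KeyError(username)
        self.users[username] = new_password


def decode_secret(value, encoding):
    """Undo the transfer encoding selected by the connector's Method setting."""
    method = encoding.lower()
    if method == "none":
        return value
    if method == "base64":
        return base64.b64decode(value, validate=True).decode("utf-8")
    raise ValueError(f"unsupported encoding {encoding!r}")


def run_connector(argv, target):
    """Map the Gateway's arguments to a (code, text) pair; never raises."""
    if len(argv) != 8:
        return FAILED, f"expected 7 arguments, got {len(argv) - 1}"
    _, operation, encoding, _admin_user, _admin_pass, instance, username, password = argv
    if operation != "ResetPassword":
        return FAILED, f"unsupported operation {operation}"
    try:
        new_password = decode_secret(password, encoding)
    except (ValueError, binascii.Error, UnicodeDecodeError) as exc:
        # Report only the failure class: this text ends up in Gateway-CLIconnector.log.
        return FAILED, f"could not decode password ({encoding}): {type(exc).__name__}"
    try:
        target.reset_password(username, new_password)
    except KeyError:
        return USER_NOT_PRESENT, f"The user {username} is not present in this system"
    except OSError as exc:
        return FAILED, f"Failed to set password for {username}: {exc}"
    return OK, f"Password for user {username} successfully set on instance {instance}"


def format_result(code, text):
    """Render the single output line the Gateway parses."""
    return f"{code}; {text}"


if __name__ == "__main__":
    result_code, message = run_connector(sys.argv, TargetSystem(SAMPLE_USERS))
    print(format_result(result_code, message))
    sys.exit(result_code)
```

Running `python reset.py ResetPassword Base64 sa secret MSSQL01 johnd UGFzc3cwcmQ=` prints `0; Password for user johnd successfully set on instance MSSQL01`. Note that every message text deliberately omits the decoded password, because the connector writes that text to the Gateway log, and that the same value is in any case visible on the command line to anyone who can list processes on the Gateway server.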
				
			
Connector Sample

A sample connector is included in the Gateway server installation under the following path: \FastPassCorp\FastPassGateway\bin\ConnectorCLI

A readme file explains how to get the connector working. The sample connector implements a simple connector that sets passwords for local MSSQL users using the osql.exe program.