Tech Tip – Read Password Blob


Read Password Blob – A utility to decrypt the encrypted CA Single Sign-on password data.

 

The “Password Data” user attribute value is commonly called the “Password Blob”. It is an enciphered collection of several virtual user attributes used by SiteMinder Basic Password Services.

These virtual attributes are:

  1. Current Login Failure Count
  2. Last Login Timestamp
  3. Previous Login Timestamp
  4. Disabled Timestamp
  5. Password History
  6. Last Password Change Timestamp (from the most recent entry in the Password History)

An authentication attempt against an active (not disabled) user’s account, or any forced setting of a user’s password (via the Admin API), causes at least one read-modify-write access of the Password Blob in the user directory. Note that the “modify” part includes deciphering and unpacking the blob, modifying some of the virtual attributes, then packing and enciphering the attributes into the new Password Blob.

The Password History is a FIFO record of a user’s current and most recent passwords. Each entry comprises a password string and the timestamp of when the password was entered into the history. The maximum number of entries maintained for a user depends on the password reuse restrictions in all of the Password Policies that apply to that user when the Password Blob is updated.

The purpose of this article is to provide a utility to read these attributes from the Password Blob.

Please note:

  • This utility will not be able to read the Password History attribute from the Password Blob.
  • This utility is developed using the SiteMinder Java SDK API and requires a JDK to be installed on the box it runs from.

Instructions

Follow the steps below to run the Read Password Blob Utility:

1. Download and extract the attached RPB.zip

2. Ensure you have the JAVA_HOME environment variable set to <Path to JDK Install Directory/bin>

3. Open a command prompt in the “RPB” folder and execute rpb-build.bat (rpb-build.sh on Unix). This will recompile the SDK code.

4. Edit rpb-run.bat (rpb-run.sh on Unix) and modify the parameters as per your setup, e.g.:

"%JAVA_HOME%\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar ReadPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,CN=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x" -agentsecret siteminder -debug true

Where,

psip = Policy Server IP / host name

agentip = Not relevant; you can leave it at the default value.

adminuser = CA SiteMinder Admin UserID

adminpass = CA SiteMinder Admin Password

orgroot = Search Root DN (for an ODBC user store, give any dummy value)

userdn = DN of the user whose Password Blob attributes you want to read

userdir = Name of the User Directory as defined in the Administrative UI

agentname = Name of the 4x Agent (please ensure that the “Supports 4x agents” check box is checked in the Admin UI)

agentsecret = Shared secret value specified for the 4x agent.

debug = true|false to enable or disable debug output. Note that with debug=true the utility also dumps the User Directory definition, including its connection credential (the Password= line), so treat that output as sensitive.

5. Save rpb-run.bat

6. Execute rpb-run.bat

TEST 1: LDAP Directory

Sample output: (with debug=false)

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar Rea
dPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,C
N=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x"  -agentsecret siteminder -debug false

Output :

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=siteminder
 
Get user directory list: STATUS_OK
Get user directory AD2k8-01: STATUS_OK
Get capabilities: STATUS_OK
 
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
C:\Users\Administrator\Desktop\RPB>

 

Sample output: (with debug=true)

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar Rea
dPasswordBlob -psip ps-01.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "CN=Users,DC=ad,DC=lab" -userdn "CN=wonsa03,C
N=Users,DC=ad,DC=lab" -userdir "AD2k8-01" -agentname "4x"  -agentsecret siteminder -debug true

Output :

PS_IP=ps-01.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=4x USER_DIR=AD2k8-01 ORG_ROOT=CN=Users,DC=ad,DC=lab USER_DN=CN=wonsa03,CN=Users,DC=ad,DC=lab ADMIN=si
teminder
 
Get user directory list: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
                                        CADir-01
                                        AdvAuthExternalLDAPDir
                                        SAML2FederationCustomUserStore
                                        AD2k8-01
                                        AD2k8_AD
                                        FedBCCertUserDirectory
                                        FedBCCustomUserStore
Get user directory AD2k8-01: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
                                        EmailAddrAttr=mail
                                        ODBCQueryOid=00-
                                        GuidAttr=
                                        Server=ad2k8-01:389
                                        Username=CN=Administrator,CN=Users,DC=ad,DC=lab
                                        SearchTimeout=30
                                        Name=AD2k8-01
                                        Password=Siteminder1
                                        BlobAttribute=audio
                                        RequireCredentials=true
                                        SearchScope=2
                                        UserLookupEnd=)
                                        ChallengeRespAttr=
                                        SearchRoot=DC=ad,DC=lab
                                        EnableSecurityContext=false
                                        UserLookupStart=(sAMAccountName=
                                        UniversalID=sAMAccountName
                                        Oid=0e-40c066e3-ff0e-4bd2-94ca-115fb3697d71
                                        Desc=
                                        SearchResults=0
                                        DisabledAttr=carLicense
                                        PasswordAttribute=unicodePwd
                                        Namespace=LDAP:
                                        ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
        Result Code..................   [facility=4 severity=0 reason=0 status=0 message=]133169663
 
Obtaining Password State:
LoginFailures: 0
LastLoginTime: February 24 2016 17:57:25
PrevLoginTime: January 10 2016 17:58:25
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: February 24 2016 17:57:05
LoginFailures=0,        LastLoginTime=Wed Feb 24 17:57:25 EST 2016,     PrevLoginTime=Sun Jan 10 17:58:25 EST 2016,     DisabledTime=Thu Jan 01 10:00:00 EST 1970,    LastPWChangeTime=Wed Feb 24 17:57:05 EST 2016

C:\Users\Administrator\Desktop\RPB

 

TEST 2: ODBC Directory

Please note: for an ODBC user directory you must provide a dummy DN for the organization root (-orgroot). This is due to a bug in the SDK code.

C:\Users\Administrator\Desktop\RPB>rpb-run.bat
C:\Users\Administrator\Desktop\RPB>"C:\Program Files (x86)\Java\jdk1.6.0_43\bin\java" -classpath .;.\smjavasdk2.jar;.\smagentapi.jar;.\cryptoj.jar Rea
dPasswordBlob -psip shruj01-i1849.ca.com -agentip 127.0.0.1 -adminuser siteminder -adminpass siteminder -orgroot "DUMMY_ROOT" -userdn "Lisac" -userdir "SMUSER" -agentname "agent_iis_01" -agentsecret siteminder -debug true

Output :

PS_IP=shruj01-i1849.ca.com AGENT_IP=127.0.0.1 AGENT_NAME=agent_iis_01 USER_DIR=SMUSER ORG_ROOT=DUMMY_ROOT USER_DN=Lisac ADMIN=siteminder
Get user directory list: STATUS_OK
 Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]FederationWSCustomUserStore
 CADir-shruj01-I2069
 SMUSER
 AdvAuthExternalLDAPDir
 SAML2FederationCustomUserStore
 CADir-shruj01-I2069(APS)
 FedBCCertUserDirectory
 jsdksample-userdir
 AD2K12-shruj01-i2077
 FedBCCustomUserStore
Get user directory SMUSER: STATUS_OK
 Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
 EmailAddrAttr=
 ODBCQueryOid=18-308a73ec-62c1-41a4-9b24-38db73d23a33
 GuidAttr=
 Server=SMUSER
 Username=sa
 SearchTimeout=30
 Name=SMUSER
 Password=interOP@1876
 BlobAttribute=PasswordData
 RequireCredentials=true
 SearchScope=2
 UserLookupEnd=
 ChallengeRespAttr=
 SearchRoot=
 EnableSecurityContext=false
 UserLookupStart=
 UniversalID=Name
 Oid=0e-1ae8b0f6-4751-486e-b1a8-e20ce89be8e1
 Desc=
 SearchResults=0
 DisabledAttr=Disabled
 PasswordAttribute=Password
 Namespace=ODBC:
 ObjectClassName=UserDirectory
Get capabilities: STATUS_OK
 Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]28311965
Obtaining Password State: 
LoginFailures: 0
LastLoginTime: March 26 2018 10:23:28
PrevLoginTime: March 26 2018 10:23:07
DisabledTime: January 01 1970 10:00:00
LastPWChangeTime: March 26 2018 10:23:07
LoginFailures=0, LastLoginTime=Mon Mar 26 10:23:28 AEDT 2018, PrevLoginTime=Mon Mar 26 10:23:07 AEDT 2018, DisabledTime=Thu Jan 01 10:00:00 AEST 1970, LastPWChangeTime=Mon Mar 26 10:23:07 AEDT 2018
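The utility only prints the five virtual attributes; it does not interpret them. The following Python script is an added example (not part of the RPB attachment or the SiteMinder SDK) that parses the "Obtaining Password State" block in the format shown above, turns the timestamps into datetime objects, decides whether the account is disabled, and masks the Password= line that the debug=true directory dump prints in clear text so the output can be shared with support. Assumptions, inferred from the two samples above: the timestamp format is "Month DD YYYY HH:MM:SS" in local time, and a DisabledTime at the Unix epoch (printed as 1 January 1970 in the local zone) means "not disabled". The sample text embedded in the script is constructed, with a made-up credential, and is not the article's real output.

```python
"""Parse Read Password Blob output, flag disabled accounts, redact the directory credential."""
import re
from datetime import datetime

# Constructed sample in the layout the utility prints (debug=true fragment + state block).
# The credential value is made up for the example.
SAMPLE_OUTPUT = """\
Get user directory SMUSER: STATUS_OK
 Result Code.................. [facility=4 severity=0 reason=0 status=0 message=]SecureConnection=false
 Username=sa
 Password=example-only-secret
 BlobAttribute=PasswordData
 PasswordAttribute=Password
Obtaining Password State:
LoginFailures: 3
LastLoginTime: March 26 2018 10:23:28
PrevLoginTime: March 26 2018 10:23:07
DisabledTime: March 27 2018 09:00:00
LastPWChangeTime: March 26 2018 10:23:07
"""

# The five virtual attributes the utility reads from the blob.
STATE_FIELDS = ("LoginFailures", "LastLoginTime", "PrevLoginTime",
                "DisabledTime", "LastPWChangeTime")
TIME_FORMAT = "%B %d %Y %H:%M:%S"          # e.g. "February 24 2016 17:57:25"
# Assumption: the epoch shown in local time is the "never" sentinel. Any local-time
# rendering of the epoch falls before 2 Jan 1970, whatever the timezone offset.
EPOCH_SENTINEL_LIMIT = datetime(1970, 1, 2)
STATE_LINE = re.compile(r"^(\w+):\s*(.*)$")


def parse_password_state(text):
    """Return {field: value} for the state block; count as int, timestamps as datetime.

    Lines before "Obtaining Password State" (directory dump, result codes) are ignored,
    as are the summary line with '=' separators and blank lines in the debug output.
    """
    state = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Obtaining Password State"):
            in_block = True
            continue
        if not in_block:
            continue
        m = STATE_LINE.match(line)
        if not m or m.group(1) not in STATE_FIELDS:
            continue
        key, value = m.groups()
        if key == "LoginFailures":
            state[key] = int(value)
        else:
            state[key] = datetime.strptime(value, TIME_FORMAT)
    missing = [f for f in STATE_FIELDS if f not in state]
    if missing:
        raise ValueError("password state block incomplete, missing: %s" % ", ".join(missing))
    return state


def is_disabled(state):
    """True when DisabledTime holds a real timestamp rather than the epoch sentinel."""
    return state["DisabledTime"] >= EPOCH_SENTINEL_LIMIT


def redact_directory_credential(text):
    """Mask the value of the 'Password=' line in the debug=true directory dump.

    Only a line consisting of 'Password=<value>' is touched; 'PasswordAttribute=' and
    'BlobAttribute=PasswordData' are left alone.
    """
    return re.sub(r"(?m)^([ \t]*Password=).*$", r"\1<redacted>", text)


def summarize(text):
    """Human-readable one-liner built from the parsed state."""
    state = parse_password_state(text)
    status = "DISABLED since %s" % state["DisabledTime"] if is_disabled(state) else "active"
    return "%s, %d login failure(s), last login %s, password changed %s" % (
        status, state["LoginFailures"], state["LastLoginTime"], state["LastPWChangeTime"])


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print(redact_directory_credential(SAMPLE_OUTPUT))
```

Run it against a saved copy of the utility's output (the script reads a string, so pipe the file in or swap SAMPLE_OUTPUT for the file contents); the redacted text is what you would attach to a support case, and the summary is what a help-desk check of an account's state needs from the blob.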
Attachment:

RPB
