
Custom Remote Password Changer with ISVPV
05 February, 2025, by Scott McKenzie
IBM Security Verify Privilege Vault (ISVPV) can (obviously) vault secrets, but the beauty of the tool is its ability to automate the process of rotating secrets, whether that is on a fixed schedule or after each use of the secret.
For secrets stored in Active Directory, or local credentials on a Windows or Linux server, password rotation is an out-of-the-box capability. But the ability to update or rotate a password for a web application might not be quite as straightforward. In fact, it can be downright challenging!
The good news is that ISVPV comes with a pretty neat (and very powerful) way of developing such an integration. And you don't need to be a coding genius to do it.
In fact, any downstream system that supports password management via an API can be easily integrated with ISVPV.
Anatomy of a password changer
To create a remote password changer, you will need to build two PowerShell scripts:
- one that can confirm the validity of an existing password - a "Heartbeat" in Secret Server terms
- one that performs the password change
Once created, the heartbeat and password changer scripts are attached to a Password Changer definition, which is in turn selected by a Secret Template; every secret created from that template then uses those scripts for its heartbeat and rotation. The chain of entities is: Secret -> Secret Template -> Password Changer -> heartbeat script and password-change script, as visualised below:

Step 1 - Create the password changer
As an administrator, select Create Password Changer (Settings > Remote password changing > Password changers > Create password changer)
Ensure PowerShell Script is selected as the Base password changer:

Step 2 - Create the secret template
Select Create Secret Template (Settings > Secret Templates > Create/import template).
- Select the Fields Tab
- Be sure to add all necessary fields to the Secret Template, e.g., URL, Username, Password
- Select the Mapping Tab
- Enable Remote Password Changing
- Select the newly created Password Changer as "Password type to use"
- Map the appropriate fields
Step 3 - Create a secret
Create a secret using the newly created Secret Template (Secrets > Create secret).
- Select the Remote Password Changing (RPC) Tab
- Set RPC to change password using a privileged account
- Assign a secret with permissions to run PowerShell scripts on the PAM server
- If needed, assign a Secret with permission to change password for users on the target system to Associated Secrets
Step 4 - Create PowerShell scripts
As an administrator, navigate to Settings > Scripts: PowerShell, SQL, SSH.
Select Create Script, providing a name, description, script type, category and the script body.
Both scripts receive their inputs as positional arguments ($args[0], $args[1], ...) in the order defined in Step 5, and they signal failure by throwing. A heartbeat that completes without a terminating error is recorded as a successful verification, and a password changer that completes without one causes ISVPV to store the new password, so every error path, including a 2xx response that did not actually do what was asked, must end in a throw. Keep the scripts free of debug output that echoes the request body: it contains the passwords.
Sample heartbeat script
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ErrorActionPreference = 'Stop'   # every failure below must throw, so ISVPV records a failed heartbeat
# Positional arguments in the order mapped in Step 5: URL, username and current password of the secret
$url      = $args[0]
$username = $args[1]
$password = $args[2]
$endpoint = "/auth"
$body = @{
    userName = $username
    password = $password
}
$parameters = @{
    Method      = 'POST'
    Uri         = "$url$endpoint"
    ContentType = 'application/json'
    Body        = ($body | ConvertTo-Json)
}
# Invoke-RestMethod throws on a non-2xx response; a 2xx that carries no token is treated as a failure too
$response = Invoke-RestMethod @parameters
if ($null -eq $response.accessToken) {
    throw "Authentication failed - please verify your username and password."
}
Sample password changer script
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ErrorActionPreference = 'Stop'   # a failed call must throw, so ISVPV does not record a password the target never accepted
# Positional arguments in the order mapped in Step 5: URL, privileged (Associated Secret) credentials,
# then the username being rotated and the new password ISVPV generated for it
$url            = $args[0]
$adminusername  = $args[1]
$adminpassword  = $args[2]
$targetusername = $args[3]
$targetpassword = $args[4]

function Get-Token {
    $endpoint = "/auth"
    $body = @{
        userName = $adminusername
        password = $adminpassword
    }
    # Never write $body or $parameters to output: they contain the privileged password
    $parameters = @{
        Method      = 'POST'
        Uri         = "$url$endpoint"
        ContentType = 'application/json'
        Body        = ($body | ConvertTo-Json)
    }
    $response = Invoke-RestMethod @parameters
    if ($null -eq $response.accessToken) {
        throw "Privileged account could not authenticate to $url"
    }
    return @{ Authorization = "Bearer $($response.accessToken)" }
}

function Change-Password([hashtable]$headers) {
    $endpoint = "/user/changepassword/"
    $body = @{
        newPassword = $targetpassword
    }
    # Escape the username so it cannot alter the request path
    $parameters = @{
        Method      = 'PUT'
        Uri         = "$url$endpoint$([uri]::EscapeDataString($targetusername))"
        ContentType = 'application/json'
        Body        = ($body | ConvertTo-Json)
        Headers     = $headers   # use the cmdlet's full parameter name, -Headers
    }
    $response = Invoke-RestMethod @parameters
    return $response
}

$headers = Get-Token
$response = Change-Password $headers
Step 5 - Assign PowerShell scripts to password changer
As an administrator, navigate to the Password Changer you created in Step 1 (Settings > Remote password changing > Password changers > [PasswordChanger]) then click on Edit scripts.
Add the PowerShell scripts for both the heartbeat and the password changer, ensuring that the script arguments are defined in exactly the order the scripts read them from $args.
NOTE: Arguments are separated by a single space (no other delimiter) and can include the following variables:
- $DOMAIN
- $PASSWORD
- $USERNAME
- $NEWPASSWORD
Any field on the Secret Template can be passed the same way by its field name, so the URL field added in Step 2 is passed as $URL.
NOTE: Prefixing a variable with $[1] targets the first Associated Secret of the primary secret being processed, e.g., $[1]$USERNAME and $[1]$PASSWORD refer to the credentials of the secret that is able to change passwords on the target system.
For the sample scripts above, that gives $URL $USERNAME $PASSWORD for the heartbeat and $URL $[1]$USERNAME $[1]$PASSWORD $USERNAME $NEWPASSWORD for the password changer.
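Before wiring the scripts into ISVPV it pays to exercise them locally against a fake of the target API, checking that every failure path throws and that the change really takes effect. The harness below is an added example, not part of the original post or of the product. It assumes the two Step 4 scripts are saved as Heartbeat.ps1 and ChangePassword.ps1 next to it; the base URL https://app.example.test, the user table and all passwords are constructed test data. It defines a function named Invoke-RestMethod, which takes precedence over the cmdlet for this script and every script it calls, and emulates the /auth and /user/changepassword/{user} endpoints the sample scripts use. Each check then runs a script exactly as ISVPV does: positional arguments in, a thrown exception means failure.

```powershell
# Added local harness (not from the original post): run the Step 4 scripts against a fake API.
# Assumed file names; save the heartbeat and changer scripts under them first.
param(
    [string]$HeartbeatScript = '.\Heartbeat.ps1',
    [string]$ChangerScript   = '.\ChangePassword.ps1'
)
$ErrorActionPreference = 'Stop'

# Constructed sample data: the target app's user store and an assumed base URL.
# 'svc-pam-admin' plays the Associated Secret that is allowed to change passwords.
$Users = @{
    'svc-pam-admin' = 'Adm1n-Initial!'
    'app.user'      = 'Old-Secret-1'
}
$BaseUrl    = 'https://app.example.test'
$AdminToken = 'Bearer token-for-svc-pam-admin'

# A function with the cmdlet's name shadows it for this script and for every script it calls,
# so the Step 4 scripts talk to this fake instead of the network. Like the real cmdlet,
# it throws on 4xx/5xx responses; the scripts are expected to let that exception propagate.
function Invoke-RestMethod {
    [CmdletBinding()]
    param($Method, $Uri, $ContentType, $Body, [hashtable]$Headers)
    $path = ([uri]$Uri).AbsolutePath
    $json = if ($Body) { $Body | ConvertFrom-Json } else { $null }

    if ($Method -eq 'POST' -and $path -eq '/auth') {
        if ($json -and $json.userName -and $Users.ContainsKey($json.userName) -and
            $Users[$json.userName] -ceq $json.password) {
            return [pscustomobject]@{ accessToken = "token-for-$($json.userName)" }
        }
        throw "401 Unauthorized: bad credentials for /auth"
    }
    if ($Method -eq 'PUT' -and $path -match '^/user/changepassword/(.+)$') {
        $user = [uri]::UnescapeDataString($Matches[1])
        if ($Headers.Authorization -ne $AdminToken) {
            throw "401 Unauthorized: changepassword requires the privileged token"
        }
        if (-not $Users.ContainsKey($user)) {
            throw "404 Not Found: no such user '$user'"
        }
        if ([string]::IsNullOrEmpty($json.newPassword)) {
            throw "400 Bad Request: newPassword is required"
        }
        $Users[$user] = $json.newPassword   # in-place update of the shared table
        return [pscustomobject]@{ status = 'ok' }
    }
    throw "404 Not Found: $Method $path"
}

# Run one script the way ISVPV does: positional arguments in, exception = failure.
function Test-Step([string]$Name, [scriptblock]$Action, [bool]$ExpectFailure) {
    $failed = $false; $err = ''
    try { & $Action | Out-Null } catch { $failed = $true; $err = $_.Exception.Message }
    $status = if ($failed -eq $ExpectFailure) { 'PASS' } else { 'FAIL' }
    $detail = if ($failed) { "  (threw: $err)" } else { '' }
    "$status  $Name$detail"
}

# Stands in for the $NEWPASSWORD that ISVPV generates from the template's password policy.
$newPassword = 'N3w-Secret-' + (Get-Random -Minimum 100000 -Maximum 999999)

Test-Step 'heartbeat: current password accepted'  { & $HeartbeatScript $BaseUrl 'app.user' 'Old-Secret-1' } $false
Test-Step 'heartbeat: wrong password rejected'    { & $HeartbeatScript $BaseUrl 'app.user' 'nope' } $true
Test-Step 'changer: bad privileged creds fail'    { & $ChangerScript $BaseUrl 'svc-pam-admin' 'wrong' 'app.user' $newPassword } $true
Test-Step 'heartbeat: failed change left old pw'  { & $HeartbeatScript $BaseUrl 'app.user' 'Old-Secret-1' } $false
Test-Step 'changer: unknown user fails'           { & $ChangerScript $BaseUrl 'svc-pam-admin' 'Adm1n-Initial!' 'ghost' $newPassword } $true
Test-Step 'changer: rotates app.user'             { & $ChangerScript $BaseUrl 'svc-pam-admin' 'Adm1n-Initial!' 'app.user' $newPassword } $false
Test-Step 'heartbeat: new password accepted'      { & $HeartbeatScript $BaseUrl 'app.user' $newPassword } $false
Test-Step 'heartbeat: old password now rejected'  { & $HeartbeatScript $BaseUrl 'app.user' 'Old-Secret-1' } $true
```

Every line should print PASS. A FAIL on "bad privileged creds" or "unknown user" means the changer swallowed an error instead of throwing, which in production would leave the vault holding a password the target never received; a FAIL on "old password now rejected" means the change request returned success without actually rotating the account.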
There you have it. A few simple steps to get up-and-running with a custom remote password changer. If you do happen to run into bother, of course, feel free to contact us and we will get you back on track.