
TPAM Script query

Can someone please advise if we have any script or batch file to telnet to ports 135 and 445 from TPAM devices to bulk Windows servers?

We would like to know if TPAM is able to telnet to the group of Windows servers, as these ports are essential for password rotation. Thank you.

  • I do not really understand what you are trying to achieve here. TPAM will already make use of port 445 when checking or changing a Windows password when the account is enabled for auto management, and assuming that all systems are reachable in a timely fashion, TPAM is able to change and check 20K accounts in a 4 hour window.

    Why would you therefore want to telnet to a Windows system to rotate a password and, much more importantly, why would you wish to use an insecure protocol like telnet anywhere in the password check and change process, where data could be seen in the clear?

    TPAM does have the Custom Platform feature available. Here you can create your own custom script or use a jump server that you can configure TPAM to pass variables to, and then have the jump server launch the script and pass the results back to TPAM.

    Also, have you looked at the TPAM Windows client? This allows an SSH connection to a Windows server for password management. A much more secure way than using telnet, and a supported platform.

    If you can explain your requirements then perhaps more help can be given on achieving the solution you require.

    All the best

    Tim


  • Hi Tim,

    We add a few systems to TPAM every month for changing the password.

    While adding them, we would like to know if TPAM is able to reach the systems through port 445 for checking and changing the password.

    If there is any port connectivity issue, we can resolve it before changing the password.

    Please advise. 

  • Ok, you do not say how you are adding "a few systems" every month.

    If via the GUI, then use the test system button as you add the system to TPAM. This will check that 446 and 135 are open. As I said, TPAM uses 445 for check/change operations. TPAM will try to use 135 to resolve the server name.

    If you have automated your adding of the systems/accounts, then in that case I would suggest a simple batch file or script that uses the CLI "TestSystem" command to carry this out. I would then use either plink.exe if running my script from a Windows platform, or native ssh if from Linux, to make a key based connection to TPAM.

    This is the same as using the test button when you add a system.

    I would start by either listing all the Windows systems configured on TPAM to a CSV file, or creating a CSV file with the new systems you have added. This CSV file could then be used to seed a loop for the "TestSystem" CLI command.

    You can add error checking to your batch file/script to report results just by trapping the message that comes back from TPAM.

    I have a batch file somewhere that I wrote to carry out this task.

    One thing to remember. With the CLI you CANNOT make a persistent connection to TPAM CLI. TPAM will not allow this and cannot be configured to allow this.

    The process your script has to follow is: establish an SSH connection and send the CLI command. TPAM will run the CLI command and return results. TPAM will then drop the SSH connection.

    So your script has to run round this loop each time you test another system.

    Hope this helps.

    All the best

    Tim

  • We add systems using a batch import file via the GUI from a Windows desktop.

    Please guide us through the process to test the connectivity for bulk systems.

  • Send me your email address and I will let you have a sample batch file that will show how the testsystem CLI command can be run against a list of systems.

    tim.Westcott@quest.com

    This batch file will create a list of all TPAM systems, or of a user selected platform type, place them in a CSV file and then test them.

    For it to run you will need a CLI user on TPAM and you will need to download the user key. This account will need to be a TPAM cli administrator.

    Download the TPAM CLI user key and then use puttygen.exe to convert the TPAM format key into a format plink.exe can use. Just open puttygen, select the user key, then save it as a private key.

    Edit the batch file so that the key name and paths match where you place them. The easiest way is to put everything in the same sub directory. You will also need to change the network address of the TPAM appliance.

    Run it from the command line.

    Now the disclaimer bit I must add.

    This is something I wrote to help with work and is not supported by Quest/One Identity.

    I provide it as is with no guarantee and as a sample to help with your requirement and you use it at your own risk.

    All the best

    Tim
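As an added example (not code from this thread, from Tim, or from Quest), a POSIX shell version of the loop described above, using native ssh rather than plink.exe: it reads system names from a CSV, opens one key-based SSH session per TestSystem call because TPAM drops the connection after each CLI command, and classifies each reply. The appliance address, CLI user, key path, the "--SystemName" parameter spelling and the success text are assumptions to check against your TPAM CLI reference.

```shell
#!/bin/sh
# Added example: run the TPAM CLI "TestSystem" command once per system
# listed in a CSV, with a fresh SSH session for every call (TPAM does not
# allow a persistent CLI session). Host, user, key path, the parameter
# name and the success text below are assumed placeholders.

TPAM_HOST="${TPAM_HOST:-tpam.example.invalid}"
TPAM_CLI_USER="${TPAM_CLI_USER:-cliadmin}"
TPAM_KEY="${TPAM_KEY:-./tpam_cli_key}"
TPAM_OK_PATTERN="${TPAM_OK_PATTERN:-*[Ss]uccess*}"   # assumed reply text

# One non-interactive, key-based SSH session per CLI command.
# TPAM runs the command, returns its output and closes the session.
tpam_cli() {
    ssh -i "$TPAM_KEY" -o BatchMode=yes -o ConnectTimeout=15 \
        "$TPAM_CLI_USER@$TPAM_HOST" "$@" 2>&1
}

# Map the appliance's reply text (or ssh's own error) to OK or FAIL.
classify_result() {
    case "$1" in
        $TPAM_OK_PATTERN) echo OK ;;
        *) echo FAIL ;;
    esac
}

# Read system names from the first CSV column (header row skipped),
# test each one and print "name,status,first line of reply".
# Returns 0 when every system passed, 1 when any system failed.
test_systems() {
    csv="$1"; failures=0; line_no=0
    while IFS=, read -r name _rest || [ -n "$name" ]; do
        line_no=$((line_no + 1))
        [ "$line_no" -eq 1 ] && continue          # skip header row
        name=$(printf '%s' "$name" | tr -d '\r')  # tolerate CRLF files
        [ -z "$name" ] && continue
        reply=$(tpam_cli TestSystem --SystemName "$name") || true
        status=$(classify_result "$reply")
        [ "$status" = OK ] || failures=$((failures + 1))
        printf '%s,%s,%s\n' "$name" "$status" \
            "$(printf '%s\n' "$reply" | head -n 1)"
    done < "$csv"
    [ "$failures" -eq 0 ]
}

# Usage: test_systems systems.csv > results.csv
```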

  • cthathineni@vmware.com is my mail id.

    Thank you very much Tim for your guidance on this.