
Recovery of DLP Administrator account in V15.7 and above


Article ID: 160705


Updated On:

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

In the old design, a lost Administrator password could be recovered at any time by using the internal-only password recovery tool. This was possible because the password was encrypted using the DLP embedded key and saved to the ProtectPassword.properties file.

In V11.1, the process changed, and there is now a new utility called AdminPasswordReset.exe.

NOTES:

*As there is no method to recover a lost password, you can use this utility to assign a new password.

 

Environment

DLP 15.7 and above

Resolution

*Important Note - This tool resolves the following issues:

1. Lost Administrator password
2. Misconfigured Single Sign On (everyone configured for SSO and no one can log in)

Tool prerequisites & results:

• Requires access to the Symantec DLP software on the Enforce Server and the Oracle DB password for the PROTECT user.
• Must be run from a command line in the /opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/bin (Linux) or C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Protect\bin (Windows) directory.

• Sets the Administrator user password to the given password.
• Also sets the flag that allows password login by the Administrator user in single sign-on situations.
• Creates an audit log record and a system event to note the password reset.

This can be done with a command-line tool as follows:

AdminPasswordReset.exe -dbpass <oracle "protect" password> -newpass <new admin password> (Windows)

./AdminPasswordReset.exe -dbpass <oracle "protect" password> -newpass <new admin password> (Linux)
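
An added example (not part of the original article and not vendor tooling): a POSIX shell wrapper for the Linux invocation above that prompts for both passwords with echo disabled, so they are not typed on the command line and saved in shell history. The DLP_BIN variable and the function names are assumptions of this example; the default path is the Linux directory given in this article.

```shell
# Added example. DLP_BIN defaults to the Linux bin directory named in the
# article; override it for a different install location.
DLP_BIN="${DLP_BIN:-/opt/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/bin}"

# read_secret VAR PROMPT: read one line into VAR, with echo off on a terminal.
read_secret() {
    printf '%s' "$2" >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r "$1"
    _rs_rc=$?
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    return "$_rs_rc"
}

reset_admin_password() {
    if [ ! -x "$DLP_BIN/AdminPasswordReset.exe" ]; then
        echo "AdminPasswordReset.exe not found in $DLP_BIN" >&2
        return 2
    fi
    read_secret dbpass 'Oracle "protect" password: ' || return 3
    read_secret newpass 'New Administrator password: ' || return 3
    read_secret confirm 'Repeat new Administrator password: ' || return 3
    if [ -z "$dbpass" ] || [ -z "$newpass" ]; then
        echo "Empty password refused" >&2
        return 3
    fi
    if [ "$newpass" != "$confirm" ]; then
        echo "New passwords do not match" >&2
        return 4
    fi
    # Run from the bin directory, as the article requires. The passwords are
    # still passed as arguments (the form the article shows), so they remain
    # visible in the process list while the tool runs; the wrapper only keeps
    # them out of shell history.
    if ( cd "$DLP_BIN" && ./AdminPasswordReset.exe -dbpass "$dbpass" -newpass "$newpass" ); then
        _rp_rc=0
    else
        _rp_rc=$?
    fi
    unset dbpass newpass confirm
    return "$_rp_rc"
}
```

After a successful run, confirm that the audit log record and system event described above are present, since they are the trace of the reset.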

Additional Information