
Issue with special characters when using CLI to export credentials


Article ID: 241325


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have been working to script password copies between servers during DR testing and have run into an issue with the credential export using the CLI. If the password has certain special characters, running the viewAccountPassword command substitutes "tags" for those characters. For example, "&" is replaced with "&amp;", a single quote or apostrophe is replaced with "&apos;" and lesser and greater than symbols are replaced with "&lt;" or "&gt;" respectively.

So the password Uw)Y&9F^>E*'Wgv?xB# is rendered as Uw)Y&amp;9F^&gt;E*&apos;Wgv?xB# when extracted.

I believe this may be caused by the xml format as even after correcting the password, running other commands that use xml reverts the special characters to the "tag".

There may be other characters affected that I have not encountered yet.

Cause

XML has five special characters (see e.g. Special Characters in XML), and they must be escaped in output strings in XML format.

Environment

Release : 4.0

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

This is not a problem, but working as it should. The viewAccountPassword command output is in XML format and the five XML special characters need to be escaped as required by the XML format.

Similarly, when remote CLI command batchSequence is used, it takes an XML file as input, and passwords inside the file need to have those characters escaped as well.

Sample command:

capam_command capam=<PAM server address> adminUserId=<PAM admin username> adminPassword=<PAM admin password> cmdName=batchSequence inputfile=<path to input file> outputfile=<path to output file>

Sample input file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CLI_REQUEST 
 xmlns="http://www.cloakware.com"  
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xsi:schemaLocation="http://www.cloakware.com/opt/cloakware/cspmserver/tools/cli/cspmcli.xsd">
 <COMMAND name="updateTargetAccountPassword">
  <COMMAND_PARAMETERS>
   <PARAMETER><NAME>TargetAccount.ID</NAME><VALUE>81001</VALUE></PARAMETER>
   <PARAMETER><NAME>password</NAME><VALUE>Uw)Y&amp;9F^&gt;E*&apos;Wgv?xB#</VALUE></PARAMETER>
   <PARAMETER><NAME>confirmPassword</NAME><VALUE>Uw)Y&amp;9F^&gt;E*&apos;Wgv?xB#</VALUE></PARAMETER>
   <PARAMETER><NAME>allowUnsynchronized</NAME><VALUE>true</VALUE></PARAMETER>
  </COMMAND_PARAMETERS>
 </COMMAND>
</CLI_REQUEST>

This input file will set the password of the (unsynchronized) account with ID 81001 to Uw)Y&9F^>E*'Wgv?xB#.
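
For a DR copy script, the escaping can be handled in both directions with a small helper. The following is an added example, not code from the vendor or from the original article. The function names are hypothetical, and it assumes the escaped value has already been taken out of the viewAccountPassword output, whose full layout is not shown on this page.

```python
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, unescape

# escape()/unescape() cover & < >; the two quote characters are passed explicitly.
_QUOTES = {"'": "&apos;", '"': "&quot;"}
_QUOTES_REV = {v: k for k, v in _QUOTES.items()}
NS = "http://www.cloakware.com"  # default namespace from the sample input file

def from_cli_output(value: str) -> str:
    """Decode an escaped value taken from XML-format CLI output."""
    return unescape(value, _QUOTES_REV)

def to_cli_input(password: str) -> str:
    """Escape a real password for a <VALUE> element of a batchSequence input file."""
    return escape(password, _QUOTES)

def build_update_request(account_id: str, password: str) -> str:
    """Build an updateTargetAccountPassword request shaped like the sample input file."""
    params = [("TargetAccount.ID", account_id), ("password", password),
              ("confirmPassword", password), ("allowUnsynchronized", "true")]
    rows = "\n".join(
        f"   <PARAMETER><NAME>{n}</NAME><VALUE>{to_cli_input(v)}</VALUE></PARAMETER>"
        for n, v in params)
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<CLI_REQUEST\n'
            f' xmlns="{NS}"\n'
            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
            ' xsi:schemaLocation="http://www.cloakware.com/opt/cloakware/cspmserver/tools/cli/cspmcli.xsd">\n'
            ' <COMMAND name="updateTargetAccountPassword">\n'
            '  <COMMAND_PARAMETERS>\n'
            f'{rows}\n'
            '  </COMMAND_PARAMETERS>\n'
            ' </COMMAND>\n'
            '</CLI_REQUEST>\n')

def passwords_in(request_xml: str) -> list:
    """Parse the request with an XML parser and return the decoded password values."""
    root = ET.fromstring(request_xml.encode("utf-8"))
    return [p.findtext(f"{{{NS}}}VALUE") for p in root.iter(f"{{{NS}}}PARAMETER")
            if p.findtext(f"{{{NS}}}NAME") in ("password", "confirmPassword")]

def write_private(path: str, text: str) -> None:
    """Create the input file with mode 0600: it holds a cleartext password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(text)
```

Reading CLI output through an XML parser, as passwords_in does for the request, decodes the entities automatically, so the explicit unescape is only needed when the value is cut out of the output as raw text.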