How could we use CA PUPM Password Extractor tool?


Article ID: 40286


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM)


Is there a way to extract privileged user passwords from the PIM database?


Privileged Identity Manager 12.8, 12.9, or 14.0


Yes, there is a tool called pwextractor located on the Enterprise Management server which can be used to extract PUPM/SAM users and passwords from the backend database.

The tool is located in the following directory by default.
C:\Program Files\CA\AccessControlServer\IAM Suite\Access Control\tools\pwextractor


In order to use the tool, the following information is required.
- Database server hostname
- Database username
- Database password
- Database name/schema
- Database type (mssql/oracle)
- Location of FIPSkey.dat

The tool will connect directly to the database and perform a query to retrieve all privileged user accounts. The tool will then write the output to a specified filename. The tool can output the passwords to the text file as either encrypted or decrypted passwords.

Here is an example from a test system:
>pwextractor -backup -account_pwd -cleartext -h localhost -r 1433 -d entm -l ac -p memco123 -t mssql -f C:\backup3.txt -k jboss
CA PUPM Password extractor.
Successfully parsed the following options:
Hostname :       localhost
DB/Schema :       entm
DB Type :       mssql
Login name      : ac

Password :       memco123
Output file     : C:\backup3.txt
FIPS key file   : C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPS
Successfully connected to database

Starting passwords extraction for ACCOUNT_PASSWORD......

Completed exporting current user passwords to file: C:\backup3.txt
Starting passwords extraction of ACCOUNT_PASSWORD_HISTORY......
Successfully completed password extraction to file is: C:\backup3.txt
Signed file successfully to C:\backup3.txt.sig
Press any key to continue . . .

The content in C:\backup3.txt looks like the following:

[email protected][email protected][email protected]!~eTDYNAccountName=root,eTDYNAccountContainerName=SSH Accounts,,eTNamespaceName=SSH Device,dc=im,[email protected][email protected]!~CN=Administrator,CN=Users,DC=entmlab,[email protected]!~26/09/2013 07:02:40

For the above account, the password is "memco123".  Each field is preceeded by: @!~

Additional Information

For more information, please refer to the documentation link below.