Question & Answer
Question
How do you use ActiveMQ to store the intercepted Windows passwords in clear text or encrypted in a JMS provider Queue from where any JMS client (for example SDI) can read them?
Cause
JMS Password Store Connector in SDI version 7.2, known as the MQe Password Store Connector in previous releases, is now able to make use of SDI's JMS Driver pluggable architecture. IBM MQ Everyplace is deprecated and will be removed in a future SDI version, therefore ActiveMQ can be used as an alternative.
Answer
To synchronize passwords from Windows to a CSV file using ActiveMQ, you have to install and configure the SDI Password Plugin and create an Assembly Line that picks up the changes and writes them to the CSV file. This is just an example; instead of a CSV file you can write the changes to any SDI-supported target.
Example step-by-step instructions:
1. Install Plugin
- Run SDI Installer
- If SDI is already installed, choose Add features to a current version
- Select Password Synchronization Plugins to Add
- Install, Done and Exit
2. Configure Plugin
- Copy the file <SDI_HOME>\pwd_plugins\windows\tdipwflt.dll to the System32 folder of the Windows installation folder.
Note: On 64-bit Windows operating systems, the 64-bit DLL (tdipwflt_64.dll) of the Password Synchronizer must be put in the System32 folder.
- List the name of the Windows Password Synchronizer DLL (without the ".dll" file extension) in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages" Windows registry key.
Note: Make sure you put in the name of the 64-bit DLL on a 64-bit Windows platform.
- Execute the <TDI_HOME>\pwd_plugins\windows\registerpwsync.reg file, which is shipped with the Password Synchronizer.
This will create a key for the Windows Password Synchronizer in the Windows registry: "HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Security Directory Integrator\Windows Password Synchronizer".
It will also set a string value "ConfigFile" that contains the absolute file name of the configuration file of the Windows Password Synchronizer.
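The registry and DLL placement steps above are easy to get subtly wrong on 64-bit hosts, and the "Notification Packages" value is also worth auditing on its own, because LSA hands every password change to each DLL it lists. The following Python script is an added example written for this technote, not a tool shipped with SDI: audit_notification_packages() checks a Notification Packages list and a System32 directory listing against the DLL names the technote gives, and collect_from_registry() reads the live values on Windows through the standard winreg module. The BASELINE_PACKAGES set and the function names are assumptions; adjust the baseline to the packages your own Windows build ships with.

```python
import os
import platform
import sys

# DLL names the SDI Windows Password Synchronizer registers (from the technote),
# listed in "Notification Packages" without the ".dll" extension.
SDI_FILTER_32 = "tdipwflt"
SDI_FILTER_64 = "tdipwflt_64"

# Assumption: packages a stock Windows build lists here. "scecli" is present on
# every Windows installation; extend this set for your own baseline. Anything
# not in this set and not the SDI filter is reported for review.
BASELINE_PACKAGES = {"scecli"}


def audit_notification_packages(entries, is_64bit, system32_files):
    """Check the LSA "Notification Packages" value for the SDI filter.

    entries        -- strings from the REG_MULTI_SZ value
    is_64bit       -- True on 64-bit Windows, where the 64-bit DLL must be used
    system32_files -- set of lowercase file names present in %SystemRoot%\\System32
    Returns a list of human-readable findings; an empty list means all is well.
    """
    findings = []
    expected = SDI_FILTER_64 if is_64bit else SDI_FILTER_32
    wrong = SDI_FILTER_32 if is_64bit else SDI_FILTER_64
    names = [e.strip() for e in entries if e.strip()]
    lower = [n.lower() for n in names]

    if expected not in lower:
        findings.append(f"missing: '{expected}' is not listed in Notification Packages")
    if wrong in lower:
        findings.append(f"wrong build: '{wrong}' is listed; use '{expected}' on this platform")
    # The technote requires the name without ".dll"; LSA appends the extension itself.
    for n in names:
        if n.lower().endswith(".dll"):
            findings.append(f"bad entry: '{n}' must be listed without the .dll extension")
    # LSA loads the package from System32, so the copy step must have happened.
    if expected in lower and f"{expected}.dll" not in system32_files:
        findings.append(f"missing file: {expected}.dll is not present in System32")
    # Every listed package receives each password change, so unknown ones need review.
    known = BASELINE_PACKAGES | {SDI_FILTER_32, SDI_FILTER_64}
    for n in names:
        if n.lower() not in known:
            findings.append(f"review: unexpected package '{n}'")
    seen = set()
    for n in lower:
        if n in seen:
            findings.append(f"duplicate entry: '{n}' appears more than once")
        seen.add(n)
    return findings


def collect_from_registry():
    """Read the live values on Windows. Run under 64-bit Python on 64-bit Windows
    so that System32 is not redirected to SysWOW64 for the file check."""
    if sys.platform != "win32":
        raise RuntimeError("live registry audit only runs on Windows")
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        entries, _ = winreg.QueryValueEx(key, "Notification Packages")
    is_64bit = platform.machine().endswith("64")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = {f.lower() for f in os.listdir(system32)}
    return entries, is_64bit, files


if __name__ == "__main__":
    problems = audit_notification_packages(*collect_from_registry())
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it after the reboot in step 4 (and again periodically): a non-zero exit means either the SDI filter is not registered the way the technote requires or a package outside your baseline has appeared in the list.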
3. Configure ActiveMQ as the Password Store
- Edit <SDI_HOME>\pwd_plugins\windows\pwsync.props as follows:
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ
jms.broker=tcp://localhost:61616
jms.clientId=tdiplugin
Note: Even though the jms.clientId does not appear under the ActiveMQ section in pwsync.props, it is required for the use of ActiveMQ JMS Store. See technote "Using ActiveMQ as JMS Store for Password Plugin" for more info.
4. Reboot
5. Test Plugin
Verify <SDI_HOME>\pwd_plugins\windows\plugin.log & <SDI_HOME>\pwd_plugins\windows\proxy.log
Create Assembly line (AL)
- Create new project, for example testActiveMQ
- Create new AL, for example testActiveMQ
- Add JMSPasswordStoreConnector to AL Feed, with the following settings:
Connection tab
> Broker > localhost:61616
> Queue manager > INITIAL_CONTEXT_FACTORY
> Client ID > tdiconnector (most brokers do not allow clients to have the same Id)
> Decrypt messages > unchecked (disabled for clear text)
Input map tab
> Work Attribute > * (Map all Attributes)
- Add FileSystemConnector (with CSV Parser) to AL Data Flow, with the following settings:
Connection tab
> File Path > for example C:\TEMP\testActiveMQ.csv
Output map tab
> Component Attribute > * (Map all Attributes)
Export files
- Right click the project and export files, for example to C:\Temp folder
Run
- Run testActiveMQ.bat from command line in C:\TEMP folder
- Change Windows password, for example Ctrl+Alt+Del
- Verify C:\TEMP\testActiveMQ.csv file for new password
6. In addition, if you want to encrypt/decrypt passwords
- to encrypt, modify the general configuration file 'pwsync.props' located in the <SDI_HOME>\pwd_plugins\windows folder and reboot (optionally verify proxy.log and plugin.log in the same folder after the reboot)
- the password for 'pkcs7KeyStoreFilePassword' must be encrypted; use the 'encryptPasswd.bat' tool provided in the <SDI_HOME>\pwd_plugins\bin folder
- to create the keystore, use the 'ikeyman.exe' tool provided in the <SDI_HOME>\jvm\jre\bin folder
- you can create a single self-signed certificate used for both encryption and decryption and use its alias for both 'pkcs7MqeStoreCertificateAlias' and 'pkcs7MqeConnectorCertificateAlias'
- sample 'pwsync.props' excerpt:
pkcs7=true
pkcs7KeyStoreFilePath=c:\\temp\\testActiveMQ.jks
pkcs7KeyStoreFilePassword=2f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=testActiveMQ
pkcs7MqeConnectorCertificateAlias=testActiveMQ
- to decrypt you need to modify some Advanced fields of JMSPasswordStoreConnector:
Connection tab
> PKCS7 = checked (enabled)
> PKCS7 Key Store File = c:\\temp\\testActiveMQ.jks
> PKCS7 Key Store File Password = Passw0rd (entered in clear text)
> JMSPasswordStoreConnector's Certificate Alias = testActiveMQ
Sample files: testActiveMQ.bat, testActiveMQ.xml and testActiveMQ.jks are attached.
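Because pwsync.props is edited by hand in steps 3 and 6, and a missing jms.clientId or a clear-text keystore password only shows up in plugin.log after the reboot, it helps to check the file before rebooting. The script below is an added example written for this technote, not part of SDI: parse_properties() is a small Java .properties reader, and validate_pwsync() checks the settings the technote lists (syncClass, jmsDriverClass, jms.broker, jms.clientId, and the pkcs7* keys when pkcs7=true). SAMPLE_PROPS reproduces the technote's own excerpts, BAD_PROPS is constructed for the demonstration, and two checks are assumptions: that encryptPasswd.bat output is a hex string of at least 16 characters like the sample value shown above, and the connector_client_id comparison, which follows the remark that most brokers reject two clients with the same Id.

```python
import re

# Values the technote gives for the ActiveMQ password store.
ACTIVEMQ_STORE = "com.ibm.di.plugin.pwstore.jms.JMSPasswordStore"
ACTIVEMQ_DRIVER = "com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ"
PKCS7_KEYS = ("pkcs7KeyStoreFilePath", "pkcs7MqeStoreCertificateAlias",
              "pkcs7MqeConnectorCertificateAlias")


def _unescape(s):
    """Resolve Java .properties backslash escapes (doubled backslash, tab,
    newline, unicode escapes, and escaped separators such as '=' or ':')."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(n, n))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    backslash escapes and trailing-backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: continued line
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2).rstrip())
    return props


def validate_pwsync(props, connector_client_id=None):
    """Return findings for an ActiveMQ pwsync.props; an empty list means it looks right.
    connector_client_id is the Client ID given to the JMSPasswordStoreConnector,
    which must differ from the plugin's own jms.clientId."""
    findings = []
    if props.get("syncClass") != ACTIVEMQ_STORE:
        findings.append(f"syncClass must be {ACTIVEMQ_STORE}")
    if props.get("jmsDriverClass") != ACTIVEMQ_DRIVER:
        findings.append(f"jmsDriverClass must be {ACTIVEMQ_DRIVER}")
    broker = props.get("jms.broker", "")
    if not re.fullmatch(r"tcp://[^\s:/]+:\d{1,5}", broker):
        findings.append(f"jms.broker should look like tcp://host:port, got {broker!r}")
    client_id = props.get("jms.clientId", "")
    if not client_id:
        findings.append("jms.clientId is required when using the ActiveMQ JMS store")
    elif connector_client_id is not None and client_id == connector_client_id:
        findings.append("jms.clientId equals the connector's Client ID; most brokers reject that")
    if props.get("pkcs7", "false").lower() == "true":
        for key in PKCS7_KEYS:
            if not props.get(key):
                findings.append(f"{key} is required when pkcs7=true")
        pw = props.get("pkcs7KeyStoreFilePassword", "")
        if not pw:
            findings.append("pkcs7KeyStoreFilePassword is required when pkcs7=true")
        # Assumption: encryptPasswd.bat output is a hex string like the technote's
        # sample (2f0fe0e2062f0d66); anything else is most likely clear text.
        elif not re.fullmatch(r"[0-9a-fA-F]{16,}", pw):
            findings.append("pkcs7KeyStoreFilePassword looks like clear text; encrypt it with encryptPasswd.bat")
    return findings


# Merged pwsync.props excerpts exactly as shown in the technote (steps 3 and 6).
SAMPLE_PROPS = r"""
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ
jms.broker=tcp://localhost:61616
jms.clientId=tdiplugin
pkcs7=true
pkcs7KeyStoreFilePath=c:\\temp\\testActiveMQ.jks
pkcs7KeyStoreFilePassword=2f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=testActiveMQ
pkcs7MqeConnectorCertificateAlias=testActiveMQ
"""

# Constructed for this example: jms.clientId omitted and the keystore password
# left in clear text, two mistakes that otherwise surface only after the reboot.
BAD_PROPS = r"""
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ
jms.broker=tcp://localhost:61616
pkcs7=true
pkcs7KeyStoreFilePath=c:\\temp\\testActiveMQ.jks
pkcs7KeyStoreFilePassword=Passw0rd
pkcs7MqeStoreCertificateAlias=testActiveMQ
pkcs7MqeConnectorCertificateAlias=testActiveMQ
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PROPS), ("bad", BAD_PROPS)):
        result = validate_pwsync(parse_properties(text), connector_client_id="tdiconnector")
        print(name, result or "OK")
```

To check a real file, read <SDI_HOME>\pwd_plugins\windows\pwsync.props into a string and pass it to parse_properties(); the doubled backslashes in the key store path are unescaped to a plain Windows path, which is what the plugin sees.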
Document Information
More support for: Tivoli Directory Integrator
Software version: 7.2
Operating system(s): Windows
Document number: 294707
Modified date: 16 June 2018
UID: swg22000629