ticalotta
Level 4

Programmatically updating the password manager

Jump to solution

Hello everyone. Is it possible to update an existing credential in the password manager via command line? My goal is to programmatically update the password manager to accommodate credential vaulting solutions beyond CyberArk. Thanks in advance.

0 Kudos
1 Solution
ChrisG
Community Manager Community Manager
Community Manager

I expect you would also need to use the "--add" option to specify the logical name of the entry to be updated. In other words - I would try using the same command line to update an existing record as you would use to add a new record.

As per the documentation linked to in my previous comment:

If you repeat the command line with the --add parameter and a logical-name that already exists in Password Manager, the existing record is updated.
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

4 Replies
ChrisG
Community Manager Community Manager
Community Manager

The mgspswd.exe command line tool (typically found in C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecutioncan be used on beacons to make updates to the Password Manager.

Here is the output from running mgspswd.exe --help:

Usage: mgspswd.exe [--help] [--list] [--matches] [--reset] [--recrypt]
[--list <logical name>]
[--delete <logical name>]
[--add <logical name>]
[--account <account name>]
[--password <password>]
[--privilege-prefix <prefix>]
[--privilege-password <privilege password >]
[--privilege-password-prompt <privilege password prompt>]
[--type <account type>]
[--privatekeyfile <path>]
[--vault <vault>]
[--cyberark-query <query>]
[--privilege-cyberark-query <query>]
[--filter-names <list>]
[--filter-dnsnames <list>]
[--filter-dnsdomains <list>]
[--filter-netbiosdomains <list>]
[--filter-ipaddresses <list>]
[--filter-macaddresses <list>]
[--filter-oracleservicenames <list>]

Manages passwords in the FlexNet Manager Platform password store.

--help Show this help message.

--list List all passwords within the password store.

--list <logical name>
Prints the password with the specified logical name.

--matches List all passwords within the password store matching a device.

--reset Clear the password store and reset the internal security key.

--recrypt Re-encrypt all passwords using the strongest available algorithm.

--delete <logical name>
Removes the password with the specified logical name from the password store.

--add <logical name>
Add a new password with the specified logical name and account name.

--account <account name>
Specify the account to use. This is only used with the --add option.

--password <password>
Specify the password to use. This is only used with the --add option.

--privilege-prefix <prefix>
Specify a prefix used to execute privileged commands on the device.
UNIX/Linux only. This is only used with the --add option.
Example: sudo

--privilege-password <privilege password>
Specify a password that will be used to elevate privileges on the
device.
UNIX/Linux only. This is only used with the --add option.

--privilege-password-prompt <privilege password prompt>
Specify a prompt to match before issuing password for privilege
escalation.
UNIX/Linux only. This is only used with the --add option.

--type <account type>
Specify the account type. This is only used with the --add and --matches
options. Valid values are:

WindowsLocal - Local account on windows managed device
WindowsDomain - Windows domain account
SSHPassword - SSH account (password)
SSHKeyPair - SSH account (key pair)
VMwareESX - Account on VMware ESX server
VMwareVirtualCenter - Account on VMware VirtualCenter
OracleListener - Password for Oracle listener
OracleDatabase - Account on Oracle database
OracleVMManagerApiAccess - Oracle VM Manager API account

--privatekeyfile <path>
Specify the path to the file that contains your private key.
The key will be imported and a public/private key pair generated.
This is only used with the --add option.

--vault <vault>
Specify "CyberArk" to use the CyberArk vault for credentials, or
"FlexNetBeacon" to use the local vault on the inventory beacon.

CyberArk options:
If specified the password store will retrieve credentials from the
CyberArk safe.
The vault type should be specified as CyberArk to use CyberArk options.

--cyberark-query <query>
The query string must uniquely identify a single credential
saved in CyberArk

--privilege-cyberark-query <query>
The query identifies the password for elevating privilege on a
UNIX-like device.

Filtering options:
If specified, filters restrict devices to which the password applies.
If not specified, the password applies to all devices and will be
attempted after passwords that define filters.
To specify filters on the command-line, use the options below.
Filters are only used with the --add and --matches options.
For more information about filters, refer to FlexNet Manager Platform documentation.

--filter-names <list>
Specify a comma-separated list of device names the password applies to.
Example: bob-laptop,bob-desktop

--filter-dnsnames <list>
Specify a comma-separated list of DNS names the password applies to.
Example: bob-laptop.aloha.com,bob-desktop.aloha.com

--filter-dnsdomains <list>
Specify a comma-separated list of DNS domains the password applies to.
Example: aloha.com,hawaii.aloha.com

--filter-netbiosdomains <list>
Specify a comma-separated list of NetBIOS domains the password applies
to.
Example: ALOHA-COM,HAWAII-ALOHA-COM

--filter-ipaddresses <list>
Specify a comma-separated list of IP addresses the password applies to.
Example: 10.10.10.1,10.10.10.2

--filter-macaddresses <list>
Specify a comma-separated list of MAC addresses the password applies
to. Both Windows and UNIX formats are valid.
Example: 00:01:b0:c4:e6:10,00-AF-F7-CD-F9-10

--filter-oracleservicenames <list>
Specify a comma-separated list of service names the password applies
to. Oracle credentials only (Oracle database, Oracle listener).
Example: Service01A,production-listener-service

See the following page for some more information about this tool: Command-Line Updates to Password Manager

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Thanks @ChrisG  and @mfranz  for the input. One thing I didn't see in the docs is an "update" function within mgspswd.exe. Is the proper way to overwrite an existing account's password with a new one something like?

mgspswd.exe --account <my account> --password <my new password>

 

0 Kudos
ChrisG
Community Manager Community Manager
Community Manager

I expect you would also need to use the "--add" option to specify the logical name of the entry to be updated. In other words - I would try using the same command line to update an existing record as you would use to add a new record.

As per the documentation linked to in my previous comment:

If you repeat the command line with the --add parameter and a logical-name that already exists in Password Manager, the existing record is updated.
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
mfranz
Level 15

Hi,

C:\Program Files (x86)\Flexera Software\Inventory Beacon\RemoteExecution>mgspswdw.exe -?

will open a list of parameters:

2020-11-13_09h13_01.png

Best regards,

Markward

Softline Group is Europe's leading independent expert in Software Asset Management.