05/09/2024 11:30 AM - edited 05/13/2024 05:12 AM
Hi,
We have created a Lambda function for changing the password for Zscaler accounts. We tested it successfully using Postman. However, when we use it within the change password JSON configuration and enable PAM as the credential method for the account, the change password task is triggered and completes successfully, and the account is PAM-enabled as well.
The issue is that when a user checks out the credentials and the privileged session ends, the credentials are not rotated. We noticed that the emergency revoke access task has the error mentioned at the bottom of this post.
Connection type: Rest
{
"call": [
{
"name": "call1",
"connection": "ASM",
"url": "LambdafunctionURLremoved/?password=${password}",
"httpMethod": "POST",
"httpParams": {
"password": "${password}"
},
"httpContentType": "application/json",
"httpHeaders": {},
"successResponses": {
"statusCode": [
201,
200,
204,
205
]
}
}
]
}
Error from the emergency access ID revoke task:
{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}
05/10/2024 10:18 AM
05/13/2024 05:17 AM
Hi @Saathvik, the use case is to vault the Zscaler local account for BG usage; the password needs to be rotated after each and every credential checkout or check-in. We used the REST connection type with the change password JSON. The account is PAM-enabled successfully, and we also noticed that the change password task is triggered and completes successfully when we enable PAM for the account. The problem is that the password change is not happening after checkout and check-in of the credentials.
Getting the error below in the emergency access ID revoke task provisioning comments:
{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}
05/13/2024 05:47 AM
05/15/2024 03:47 AM
Hi @Saathvik,
Below is the error we are getting:
2024-05-15T10:43:01.093270176Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestProvisioningService - Got Webservice API Response: [error:Error Illegal character in fragment at index 84: <removedLambdaURL>/?password=******&&#B&Y&@#5#2x3&##A&#]
2024-05-15T10:43:01.093272959Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - pullObjectsByRest - responseStatusCode ::null
2024-05-15T10:43:01.093275308Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - Got showLogs = true
2024-05-15T10:43:01.093278803Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - Got null response statusCode with erroMsg - [error:Error Illegal character in fragment at index 84: <removedLambdaURL>/?password=******&&#B&Y&@#5#2x3&##A&#]
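As an added example, not from the original post or from Saviynt: the logged message says the URL parser failed inside the fragment. In a URL, `#` begins the fragment, `&` separates query parameters and `%` begins a percent-escape, so a password interpolated raw into `/?password=${password}` is cut off at the first `#`, and once a second `#` follows, a strict parser (Java's `java.net.URI` reports exactly "Illegal character in fragment") rejects the whole URL. The Python below, with a hypothetical base URL and a constructed password modelled on the masked value in the log, shows what a receiver would actually get from the raw URL versus a percent-encoded one. The safer fix is to send the password only in the request body (the `httpParams` block the config already has) and drop it from the URL entirely, since query strings also tend to land in access logs.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Hypothetical endpoint standing in for the removed Lambda function URL.
BASE_URL = "https://lambda.example.invalid"

# Constructed password modelled on the masked value in the log: it contains
# '#' (starts the URL fragment), '&' (separates query parameters) and '@'.
SAMPLE_PASSWORD = "x3&&#B&Y&@#5#2x3&##A&#"

# Characters that carry meaning inside a URL query string and must be encoded.
URL_SYNTAX_CHARS = set("#&%?+/= ")


def naive_url(base: str, password: str) -> str:
    """What the posted JSON does: interpolate the raw password into the query."""
    return f"{base}/?password={password}"


def encoded_url(base: str, password: str) -> str:
    """Percent-encode the value so no character is read as URL syntax."""
    return f"{base}/?password={quote(password, safe='')}"


def password_seen_by_server(url: str):
    """Parse the URL the way a receiver would; return (password, fragment).

    The fragment is never sent to the server at all, so anything after the
    first '#' is lost before the request even leaves the client.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return qs.get("password", [None])[0], parts.fragment


def needs_encoding(password: str) -> bool:
    """True if the password contains characters that break a raw query string."""
    return any(c in URL_SYNTAX_CHARS for c in password)


if __name__ == "__main__":
    raw = naive_url(BASE_URL, SAMPLE_PASSWORD)
    enc = encoded_url(BASE_URL, SAMPLE_PASSWORD)
    print("raw URL     :", raw)
    print("server gets :", password_seen_by_server(raw))
    print("encoded URL :", enc)
    print("server gets :", password_seen_by_server(enc))
```

With the raw URL the server receives only `x3` as the password and the rest of the secret becomes a fragment that is dropped client-side; with the encoded URL the full value survives the round trip. Either way, moving the secret out of the URL and into the body removes the problem class rather than patching one character at a time.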
05/15/2024 06:00 AM
@N598231: Looks like a special character is breaking the process. Try trial and error to figure out which one is breaking the logic; I assume it could be "@".
Also, are there any restrictions on special characters on the target side?
05/22/2024 01:18 PM - edited 05/23/2024 01:59 AM
Hi @Saathvik, we tried changing the regex, and most of the time it works, but sometimes it generates the password without special characters and the change password does not happen; the target needs special characters for a successful password reset. Can you please share a regex that requires at least one special character? Also, on the target the characters '"\\| are not supported, and the start and end of the same password should not both have a special character.
^(?=.{20,22}$)(?:([\w~!@#$?])(?!\1))+$
^(?=.*[@#&-])[^\s'"\\|%;~=:`{*}]{22,24}$
05/23/2024 08:04 AM
@N598231: Try the policy below. It requires at least one of each: a number, a lowercase character, an uppercase character, and a special character from those listed in square brackets.
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[~!#$%^&?]).{22,24}$
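As an added example, not from the thread or from Saviynt: a generator and checker for the policy posted above, taken verbatim as `POLICY`, alongside the target-side rules stated earlier in the thread (no `'"\|`, and, as the stricter reading of that rule, no special character in either the first or the last position). The special-character set in the policy contains `#`, `%` and `&`, all of which are URL syntax characters, so a password that satisfies it will break a raw `?password=` query string unless it is percent-encoded or, better, sent in the request body. The generator forces one character from each class the lookaheads demand and then rejection-samples against both checks, which is what rules out the "sometimes no special character" case mentioned above. Function and constant names are my own.

```python
import random
import re
import string

# The policy from the reply above, used verbatim.
POLICY = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[~!#$%^&?]).{22,24}$")
SPECIALS = "~!#$%^&?"          # the special characters the policy accepts
TARGET_FORBIDDEN = "'\"\\|"     # characters the thread says the target rejects

_rng = random.SystemRandom()    # CSPRNG-backed; the secrets module has no shuffle()


def matches_policy(pw: str) -> bool:
    """True if the candidate satisfies the posted regex policy."""
    return POLICY.fullmatch(pw) is not None


def target_rule_failures(pw: str) -> list:
    """Return the target-side rules a candidate violates (empty list means ok)."""
    failures = []
    if any(c in TARGET_FORBIDDEN for c in pw):
        failures.append("contains a character the target rejects")
    # Stricter reading of the thread's rule: no special character at either end.
    if pw and (pw[0] in string.punctuation or pw[-1] in string.punctuation):
        failures.append("starts or ends with a special character")
    return failures


def generate_password(length: int = 22, max_attempts: int = 1000) -> str:
    """Generate a password that passes both the policy and the target rules."""
    if not 22 <= length <= 24:
        raise ValueError("policy requires 22-24 characters")
    pool = string.ascii_letters + string.digits + SPECIALS
    for _ in range(max_attempts):
        # One character from each class the lookaheads demand, then filler.
        chars = [
            _rng.choice(string.digits),
            _rng.choice(string.ascii_lowercase),
            _rng.choice(string.ascii_uppercase),
            _rng.choice(SPECIALS),
        ]
        chars += [_rng.choice(pool) for _ in range(length - 4)]
        _rng.shuffle(chars)
        pw = "".join(chars)
        # Rejection sampling: retry when the shuffle put a special at an end.
        if matches_policy(pw) and not target_rule_failures(pw):
            return pw
    raise RuntimeError("could not generate a compliant password")


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(24))
```

`target_rule_failures` is worth running on any password the platform produces before the REST call goes out: it turns a silent "change password did not happen" into a named reason.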