Saviynt Forums

N598231 · ‎05/09/2024

Hi,

We have created a lambda function for changing the password for Zscaler accounts. We tested it successfully using postman. However, when we try to use it within the change password JSON configuration, when we try to enable PAM for credential method for the account - change password task is getting triggered and completed successfully and account also getting PAM enabled.

the issue is that when user check out the credentials and once the priv. session ends, the credentials are not being rotated. We noticed that the emergency revoke access task has the error mentioned bottom of this post.

Connection type: Rest

{
"call": [
{
"name": "call1",
"connection": "ASM",
"url": "LambdafunctionURLremoved/?password=${password}",
"httpMethod": "POST",
"httpParams": {
"password": "${password}"
},
"httpContentType": "application/json",
"httpHeaders": {},
"successResponses": {
"statusCode": [
201,
200,
204,
205
]
}
}
]
}

error from emergency access ID revoke task:

{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}

Saathvik · ‎05/10/2024

@N598231 : Can you explain your integration/use case in detail? Like what type of connection you are using? How are you triggering change password?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

N598231 · ‎05/13/2024

Hi @Saathvik the use case is to vault the Zscaler local account for BG usage and password needs to be rotated after each and every credentials checkout or check-in. we used rest connection type with change password JSON. The account is getting PAM enable successfully and also, we noticed the change password task is triggered and completed successfully when we enable PAM for the account. The problem is the password change is not happening after checkout and check-in the credentials.

Getting below error in emergency access ID revoke task provisioning commants:

{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}

Saathvik · ‎05/13/2024

@N598231 : Can you please share the logs during the issue timeframe.

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

N598231 · ‎05/15/2024

HI @Saathvik

Below is the error we are getting

2024-05-15T10:43:01.093270176Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestProvisioningService - Got Webservice API Response: [error:Error Illegal character in fragment at index 84: <removedLambdaURL>/?password=******&&#B&Y&@#5#2x3&##A&#]
2024-05-15T10:43:01.093272959Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - pullObjectsByRest - responseStatusCode ::null
2024-05-15T10:43:01.093275308Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - Got showLogs = true
2024-05-15T10:43:01.093278803Z stdout F 2024-05-15 10:43:01,092 [quartzScheduler_Worker-10] DEBUG rest.RestUtilService - Got null response statusCode with erroMsg - [error:Error Illegal character in fragment at index 84: <removedLambdaURL>/?password=******&&#B&Y&@#5#2x3&##A&#]

Saathvik · ‎05/15/2024

@N598231 : Looks like a special character is breaking the process. Try to do trial and error to figure out which one is breaking the logic, I assume it could be "@".

Also is there any restrictions on special chars on target side?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

N598231 · ‎05/22/2024

HI @Saathvik we tried by changing the regex and most of the time it works and some time it is generating the password without special characters and change password is not happening - target needs to have special characters for successful password reset. Can you pls share the regex which use atleast one special character. And in target '"\\| these chars are not supported and end and start should not have special character at same password.

^(?=.{20,22}$)(?:([\w~!@#$?])(?!\1))+$

^(?=.*[@#&-])[^\s'"\\|%;~=:`{*}]{22,24}$

Saathvik · ‎05/23/2024

@N598231 : Try below policy, It uses atleast one of each like number, lower char, upper char and special char listed in square brackets

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[~!#$%^&?]).{22,24}$

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Saviynt Forums

Change password is not working for Zscaler