IBM Support

Windows Password Synchronization to CSV - example with TDI using MQe

Question & Answer


Question

How do you use MQe Messaging to transfer and store captured Windows passwords, in clear text or encrypted, via TDI?

Cause

MQe Messaging is an alternative for customers who do not have LDAP, or do not want to use it, for transferring and storing captured Windows passwords (in clear text or encrypted) via TDI. MQe Messaging ships with TDI and its Password Synchronization plugin.

Answer

To synchronize passwords from Windows to a CSV file using MQe Messaging, you have to install and configure the TDI Password Plugin and the MQe Queue Managers, and create an AssemblyLine that picks up the changes and writes them to the CSV file. This is just an example; instead of a CSV file you can write the changes to any TDI-supported target.

Example step-by-step instructions:


1. Install Plugin


- Run TDI Installer

- If TDI is already installed, choose Add features to a current version

- Select Password Synchronization Plugins to Add

- Install, Done and Exit


2. Configure Plugin


- Copy the file <TDI_HOME>\pwd_plugins\windows\tdipwflt.dll to the System32 folder of the Windows installation folder.
Note: On 64-bit Windows operating systems, the 64-bit DLL (tdipwflt_64.dll) of the Password Synchronizer must be put in the System32 folder.


- List the name of the Windows Password Synchronizer DLL (without the ".dll" file extension) in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages" Windows registry key.
Note: Make sure you put in the name of the 64-bit DLL on a 64-bit Windows platform.


- Execute the <TDI_HOME>\pwd_plugins\windows\registerpwsync.reg file, which is shipped with the Password Synchronizer.
This will create a key for the Windows Password Synchronizer in the Windows registry: "HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Tivoli Directory Integrator\Windows Password Synchronizer".
It will also set a string value "ConfigFile" that contains the absolute file name of the configuration file of the Windows Password Synchronizer.


3. Create MQe Queue Manager client


- Edit <TDI_HOME>\pwd_plugins\etc\mqeconfig.props as follows:


# Properties used for setting up MQe Queue Manager as client
clientRootFolder=MQePWStore
serverIP=127.0.0.1
communicationPort=41001
debug=true


- Execute from command line '<TDI_HOME>\pwd_plugins\bin\mqeconfig.bat ..\etc\mqeconfig.props create client'


4. Create MQe Queue Manager server


- Edit <TDI_HOME>\jars\plugins\mqeconfig.props as follows:


# Properties used for setting up MQe Queue Manager as server
serverRootFolder=MQePWStore
communicationPort=41001
debug=true


- Execute from command line '<TDI_HOME>\jars\plugins\mqeconfig.bat mqeconfig.props create server'


5. Configure MQe as the Password Store


- Edit <TDI_HOME>\pwd_plugins\windows\pwsync.props as follows:


syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQe
mqe.file.ini=<TDI_HOME>\\pwd_plugins\\bin\\MQePWStore\\pwstore_client.ini
mqe.notify.port=41002

6. Verify system store

- Edit global.properties/solution.properties as follows:


systemqueue.jmsdriver.name=com.ibm.di.systemqueue.driver.IBMMQe
systemqueue.jmsdriver.param.mqe.file.ini=MQePWStore/pwstore_server.ini

7. Test MQe Queue Managers (optional)

- Execute 'mqeconfig.bat mqeconfig.props test server' from command line in <TDI_HOME>\jars\plugins folder

- Execute 'mqeconfig.bat ..\etc\mqeconfig.props test client' from command line (new command window) in <TDI_HOME>\pwd_plugins\bin folder

- Press 'Enter' in the test client window to create test message

- Press 'Enter' once again to terminate the client

- Press 'Enter' in the test server window to receive test message
Note: a message “Success: test MQe message successfully received.” indicates test success.


8. Reboot


9. Test Plugin


Verify <TDI_HOME>\pwd_plugins\windows\plugin.log and <TDI_HOME>\pwd_plugins\windows\proxy.log


Create AL


- Create new project, for example testMQeProject

- Create new AL, for example testMQeAL


- Add JMSPasswordStoreConnector to AL Feed, with the following settings:
Connection tab > Broker > localhost:41002
Input map > Work Attribute > * (Map all Attributes)


- Add FileSystemConnector (with CSV Parser) to AL Data Flow, with the following settings:
Output map > Component Attribute > * (Map all Attributes)
Connection > File Path > for example C:\TEMP\testMQe.csv


Export files


- Right click the project and export files, for example to C:\Temp folder

Run

- Run testMQeProject.bat from command line in C:\TEMP folder
- Change Windows password
- Verify C:\TEMP\testMQe.csv file for new password

10. In addition, if you want to encrypt/decrypt passwords


- To encrypt, modify the general configuration file 'pwsync.props' located in the <TDI_HOME>\pwd_plugins\windows folder and reboot (optionally verify proxy.log and plugin.log in the same folder after the reboot).

- The password for 'pkcs7KeyStoreFilePassword' must be encrypted; you can use the 'encryptPasswd.bat' tool provided in the <TDI_HOME>\pwd_plugins\bin folder.

- To create the keystore, you can use the 'ikeyman.exe' tool provided in the <TDI_HOME>\jvm\jre\bin folder.

- You can create a single self-signed certificate used for encryption/decryption and use its alias for both 'pkcs7MqeStoreCertificateAlias' and 'pkcs7MqeConnectorCertificateAlias'.

- Excerpt of a 'pwsync.props' sample from my test lab:
pkcs7=true
pkcs7KeyStoreFilePath=c:\\temp\\testmqe.jks
pkcs7KeyStoreFilePassword=2f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=testMQe
pkcs7MqeConnectorCertificateAlias=testMQe

- To decrypt, modify some Advanced fields under the Connection tab of the JMSPasswordStoreConnector. Excerpt from a test lab:
PKCS7 = enabled (checked)
PKCS7 Key Store File = c:\\temp\\testmqe.jks
PKCS7 Key Store File Password = Passw0rd (entered in clear text and shown as asterisks; this is the original password before it was encrypted with the 'encryptPasswd.bat' tool above)
JMSPasswordStoreConnector's Certificate Alias = testMQe.
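As an added example (not code from this technote or from TDI itself), the following Python script reads the properties files from steps 3 to 6 and 10 the way a Java .properties reader does (comments, `=`/`:` separators, backslash escapes) and cross-checks them: the client and server queue-manager ports must match, mqe.notify.port must not reuse that port, debug left on is flagged, pkcs7 disabled is flagged because captured passwords then travel in clear text, and a keystore path whose backslashes were not doubled is caught because it silently loses its separators. The sample file contents are constructed from the values on the page; the C:\TDI value for <TDI_HOME> and the assumption that encryptPasswd.bat output is a hex string are mine, not documented behaviour.

```python
"""Cross-checks for the MQe password-store configuration files from the steps above.

Added example, not part of the IBM technote or of TDI. Sample file contents are
constructed from the values shown on the page; the <TDI_HOME> path C:\\TDI and the
hex-looking form of the encrypted keystore password are assumptions.
"""
import re
from typing import Dict, List

# Constructed samples mirroring steps 3, 4, 5, 6 and 10 above.
MQECONFIG_CLIENT = r"""# Properties used for setting up MQe Queue Manager as client
clientRootFolder=MQePWStore
serverIP=127.0.0.1
communicationPort=41001
debug=true
"""
MQECONFIG_SERVER = r"""# Properties used for setting up MQe Queue Manager as server
serverRootFolder=MQePWStore
communicationPort=41001
debug=true
"""
GLOBAL_PROPERTIES = r"""systemqueue.jmsdriver.name=com.ibm.di.systemqueue.driver.IBMMQe
systemqueue.jmsdriver.param.mqe.file.ini=MQePWStore/pwstore_server.ini
"""
# Step 5 as shown on the page: no pkcs7 settings, so passwords are queued in clear text.
PWSYNC_CLEARTEXT = r"""syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQe
mqe.file.ini=C:\\TDI\\pwd_plugins\\bin\\MQePWStore\\pwstore_client.ini
mqe.notify.port=41002
"""
# Step 10 appended: encryption enabled with the test-lab keystore values.
PWSYNC_PKCS7 = PWSYNC_CLEARTEXT + r"""pkcs7=true
pkcs7KeyStoreFilePath=c:\\temp\\testmqe.jks
pkcs7KeyStoreFilePassword=2f0fe0e2062f0d66
pkcs7MqeStoreCertificateAlias=testMQe
pkcs7MqeConnectorCertificateAlias=testMQe
"""

PKCS7_KEYS = ("pkcs7KeyStoreFilePath", "pkcs7KeyStoreFilePassword",
              "pkcs7MqeStoreCertificateAlias", "pkcs7MqeConnectorCertificateAlias")


def _unescape(value: str) -> str:
    """Apply .properties backslash escapes: \\\\ -> \\, \\t -> tab, \\x -> x for anything else."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value, escapes."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = _unescape(match.group(2))
    return props


def check_configuration(client: Dict[str, str], server: Dict[str, str],
                        system: Dict[str, str], pwsync: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the four files agree."""
    findings: List[str] = []
    if client.get("communicationPort") != server.get("communicationPort"):
        findings.append("communicationPort differs between client and server mqeconfig.props")
    if pwsync.get("mqe.notify.port") == server.get("communicationPort"):
        findings.append("mqe.notify.port must not reuse the queue-manager communicationPort")
    for name, props in (("client", client), ("server", server)):
        if props.get("debug", "false").lower() == "true":
            findings.append(f"{name} mqeconfig.props still has debug=true; turn it off after testing")
    if not pwsync.get("mqe.file.ini", "").lower().endswith("pwstore_client.ini"):
        findings.append("pwsync.props mqe.file.ini should point at pwstore_client.ini")
    if not system.get("systemqueue.jmsdriver.param.mqe.file.ini", "").endswith("pwstore_server.ini"):
        findings.append("global/solution.properties should point at pwstore_server.ini")
    if pwsync.get("pkcs7", "false").lower() != "true":
        findings.append("pkcs7 is not enabled: captured passwords are queued in clear text")
        return findings
    for key in PKCS7_KEYS:
        if not pwsync.get(key):
            findings.append(f"pkcs7=true but {key} is not set")
    path = pwsync.get("pkcs7KeyStoreFilePath", "")
    if path and not re.search(r"[\\/]", path):
        findings.append("pkcs7KeyStoreFilePath lost its separators: double every backslash in .properties")
    secret = pwsync.get("pkcs7KeyStoreFilePassword", "")
    # Assumption: encryptPasswd.bat output is hex like the sample above; anything else is
    # probably the clear-text keystore password pasted in by mistake.
    if secret and not re.fullmatch(r"[0-9a-fA-F]{16,}", secret):
        findings.append("pkcs7KeyStoreFilePassword does not look like encryptPasswd.bat output")
    return findings


def run_checks(pwsync_text: str = PWSYNC_PKCS7) -> List[str]:
    """Parse the constructed samples and return findings for the given pwsync.props text."""
    return check_configuration(parse_properties(MQECONFIG_CLIENT),
                               parse_properties(MQECONFIG_SERVER),
                               parse_properties(GLOBAL_PROPERTIES),
                               parse_properties(pwsync_text))


if __name__ == "__main__":
    for finding in run_checks() or ["no findings"]:
        print(finding)
```

Run it as-is to see the two debug=true reminders for the lab configuration, or call `run_checks(PWSYNC_CLEARTEXT)` to see the clear-text finding that step 5 alone produces; to check a real installation, replace the constructed strings with the contents of the actual files.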


Sample batch (testMQeProject.bat), config (testMQeProject.xml) and key (testMQe.jks) files (where <TDI_HOME> = C:\TDI and <TDI_SOL> = C:\TDISOL) are attached


Document Information

Modified date:
16 June 2018

UID

swg21680647