Hello,

 

We have one environment of BeyondTrust Insight with scanned accounts and managed accounts. We are planning to set up a backup environment at a different location with a different domain. We want to export the accounts from environment 1 to this new one. Is there any way we can export those and re-import them into the other environment?

Thanks,

Prasad

This technically can be done via an API connection and a script to do the work for you. A few years back the company I worked for did a major upgrade where this exact process had to be done. Our implementor who performed the task is an amazing individual; however, Chris no longer works for that company and moved onwards with his career. I would highly recommend engaging BeyondTrust Professional Services for this task just because of the risk associated with the commands being used. I am not certain if the process has been improved, but when we did it, there was a risk of critical failure with unrecoverable consequences unless you leveraged backups/images. (We at the time did not have the ability to do those, as we were moving from physical appliances to UVM.)

But I have seen it done, so I know it's possible :)


Thank you, Mike, for the reply. I was trying an API example given for the OAuth2 setup script to invoke the REST API, but I was getting the error below. Not sure if you are aware of it or have encountered it in the past.

"Failed to authenticate due to one or more authentication rules."

The reference API that I used was from this article - 

BeyondInsight / Password Safe - How to setup OAuth application user to make API calls


Without knowing how you have your environment set up, I would recommend stepping through this KB, BeyondInsight / Password Safe - Configuring, testing, and troubleshooting Password Safe API - Sample API scripts, and its subsequent articles. I know it helped me to troubleshoot the Password Safe cache server we were recently setting up.


Hello MikeK,

 

Thanks for your response. I was able to get started with the REST API, but when I try to log in with a script using the username, password and apiKey for authorization, I get a 401 Unauthorized error. If you know anything about this, please suggest.

Thanks,

Prasad


@prasadp87 This usually means the IP the request is coming from is not authorized. Go to the user audits and you will find an entry with “PMM API Authentication Rule Failure”; you will find the actual error there, but most times it's an IP missing on the API registration.

Hi Pulitros,

 

Thank you for your response. I am getting an error message like this in the audit:

User not associated to key
 

What does it mean? I have an API registration user and a key associated with it. I have the following Authentication Rule options enabled: “User Password Required”.

The authorization header in my script looks like this:

$headers = @{ Authorization="PS-Auth key=${apiKey}; runas=${runAsUser}; pwd=[${runAsPassword}]"; };

apiKey, runAsUser, runAsPassword are variables.

 

Thanks,

Prasad

@prasadp87 You have to go to the group in User Management where the user is and add the API registration, otherwise it will not work.

Hi Paulo144,

 

Thanks, I was able to resolve it and can now sign in and sign out with the API script. However, when I try to fetch a password using an account given as input, I get a 400 Bad Request error. I debugged it and found that the error appears at this line of the attached PowerShell script.

$rURL= Invoke-RestMethod -Uri "${baseUrl}Requests" -Method POST -ContentType "application/json"  -Body $json -WebSession $session;

Can you help with this?

Thanks,

Prasad
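
An added example, not part of the original posts or of any script shared in this thread: a sign-in, request and sign-out sequence that uses the PS-Auth header discussed above and reports the HTTP status and server message when a call such as POST Requests is rejected. The endpoint paths and body fields follow the public Password Safe API; the host, system and account names, environment variable names and the Invoke-PsApi helper are placeholders chosen for illustration.

```powershell
# Added example. Host, account names, env var names and Invoke-PsApi are placeholders.
$baseUrl       = "https://pws.example.test/BeyondTrust/api/public/v3/"
$apiKey        = $env:PS_API_KEY         # key from the API registration
$runAsUser     = $env:PS_RUNAS_USER      # user in a group that has this API registration
$runAsPassword = $env:PS_RUNAS_PASSWORD  # needed only when "User Password Required" is on

# The square brackets around the password are part of the header syntax.
$headers = @{ Authorization = "PS-Auth key=${apiKey}; runas=${runAsUser}; pwd=[${runAsPassword}];" }
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession  # holds the session cookie

function Invoke-PsApi {
    param([string]$Method, [string]$Path, $Body, $Headers)
    $p = @{ Uri = "${baseUrl}${Path}"; Method = $Method; WebSession = $session }
    if ($Headers) { $p.Headers = $Headers }
    if ($Body) { $p.ContentType = "application/json"; $p.Body = ($Body | ConvertTo-Json) }
    try { Invoke-RestMethod @p }
    catch {
        # 401: check the user audit entry for the failed authentication rule.
        # 400: the response body usually carries the server's reason.
        $status = [int]$_.Exception.Response.StatusCode
        throw "$Method $Path failed: HTTP $status $($_.ErrorDetails.Message)"
    }
}

Invoke-PsApi POST "Auth/SignAppin" -Headers $headers | Out-Null
try {
    # Look up the IDs that the request body needs.
    $acct = Invoke-PsApi GET "ManagedAccounts?systemName=SRV01&accountName=svc_app"
    $requestId = Invoke-PsApi POST "Requests" -Body @{
        SystemId        = $acct.SystemId
        AccountId       = $acct.AccountId
        DurationMinutes = 5
        Reason          = "API connectivity test"
    }
    Write-Output "Created request $requestId"
    # Release the request straight away; no credential is retrieved here.
    Invoke-PsApi PUT "Requests/$requestId/Checkin" -Body @{ Reason = "Test complete" } | Out-Null
}
finally {
    Invoke-PsApi POST "Auth/Signout" | Out-Null   # always end the API session
}
```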


@prasadp87 I am not very good with API scripts. What I can help you with is this: I have a PowerShell script that collects all passwords of any managed account in Password Safe that has the “Api Enabled” flag and creates a CSV file with the name of the asset, the managed account name and the password.

You just need to replace the API key, user and server in the script and it will work.

If you want, you can send the CSV file to another directory; the default is “C:/Temp/accounts.csv”.


Hi Paulo144,

 

Thank you so much for sharing the script; it's working absolutely fine.

Another favor: do you happen to have a script which will upload the passwords to the BT environment by reading from a file or from some location?

If so, can you share that? It will be helpful for me.

Thanks again!!

 

-Prasad


@prasadp87 As a matter of fact, I do have a brother of this script.

You can set the file location where the CSV with the information is (C:\Temp\Acccounts.csv), but the rest is the same. It might have something in Brazilian Portuguese, because that's my language, but I tried my best to translate the script to English.

This basically uses the data created by the first script to look for the same asset names and creates the account or, if the account is already there, updates the password using the data from the CSV.


Hi ​@Paulo144,

 

Thank you again for sharing the script. It is indeed helpful for me.

 

Regards,

Prasad

