Vaughan Harper's blog

Symbol set problems with Secret Server custom batch file launchers

IBM Security Privilege Vault, IBM Security Secret Server, Thycotic Secret Server

I have come across an interesting problem when using custom batch file launchers: if any of the command line arguments, such as a password, contains any of the characters | < > " or &, the argument is not passed into the batch file correctly and the launcher breaks. These are all characters that cmd.exe treats specially (piping, redirection, quoting and command separation), which is why they are mangled while other symbols pass through. (Other symbols such as @ ! ( ) ^ ' % # $ £ * are all fine.)

The first four problem characters will not generally cause difficulties, as they are in the SAP character/symbol sets but not in the defaults. Mainframe passwords are generated from a more restricted character set and so are not affected either. However, the & character is in the default Secret Server character set and symbol set, so randomly generated passwords can contain this character – and hence cause a custom batch file launcher to fail.

There are two possible solutions:

(a) You can ‘escape’ the & character as follows: on the custom batch file launcher configuration page, click Advanced and set ‘Characters to Escape’ to & and ‘Escape Character’ to ^. A password of ABC&DEF is then presented to the batch file launcher as ABC^&DEF, so you need to include logic in your batch file to turn every ^& in a supplied argument back into & in order to reverse the process.
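As an added illustration (not code from the original post), here is a minimal batch file that reverses that escaping. It assumes the launcher passes the escaped password as the first argument and a user name as the second; mytool.exe and its switches are placeholders for whatever the launcher actually runs.

```batch
@echo off
setlocal
rem Added example, not from the original post. Assumes the launcher passes the
rem escaped password as the first argument and a user name as the second;
rem mytool.exe is a placeholder for the real program.
rem Do not add "enabledelayedexpansion" to the setlocal above: with delayed
rem expansion on, any exclamation mark in the password would be lost.

rem The tilde strips surrounding quotes from the argument. Assigning the value
rem inside double quotes stops cmd.exe from interpreting the caret and the
rem ampersand that are still present in the escaped string.
set "pw=%~1"

rem Reverse the launcher's escaping: every caret-ampersand pair becomes a plain
rem ampersand. The result is again assigned inside quotes, so the restored
rem ampersand is not treated as a command separator.
set "pw=%pw:^&=&%"

rem Always pass the value on inside quotes; an unquoted ampersand would start
rem a new command and truncate the password.
"C:\Tools\mytool.exe" /user:"%~2" /password:"%pw%"

endlocal
```

The two points that matter are that the password is only ever handled inside double quotes, and that delayed expansion stays off; either mistake reintroduces a special character problem of its own.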

(b) Update the default Password Requirements within Secret Server, so that it will not include the & character within a password that it generates.

This second approach can be done as follows:

1. Go to Admin > Secret Templates > Password Requirements.

2. Assuming that you have not created your own password requirement templates, click Default. You will be taken to the ‘Password Requirement Edit’ page.

3. Click Character Set. A new tab will open.

4. Create your own character sets with names such as Default2 and Symbol2. These should be the same as the Default and Symbol character sets but with the & character removed. It should look similar to this:

[Screenshot: Secret Server - Custom Character Set]

5. Click Back.

6. On the ‘Password Requirement Edit’ page change any references to Default to Default2 and change any references to Symbol to Symbol2. The result should look similar to this:

[Screenshot: Secret Server - Custom Password Rules]

(Obviously the required numbers of the different sorts of characters can differ – this screenshot shows the defaults.)

7. Click Save.

8. Click Default. You will be taken back to the ‘Password Requirement Edit’ page, which includes an example password at the top of the page:

[Screenshot: Secret Server - ‘Password Requirements Edit’ page showing the example password generated]

Obviously the example password generated will be different from the one shown here, but the important thing is that it should not contain any & characters. It is probably worth repeating this a few times to make sure that it is working correctly.

After this, any automatically generated passwords should not include an & character, and so will not cause problems with a custom batch file.

This may be of use to someone out there!

Vaughan

Written by Vaughan
