Cisco Employee

ISE API change password

Hi Experts,

 

The customer is programming a customized web page for changing an ISE internal user's password, but they cannot find an API that supports checking the internal user's password before the user tries to change it. Any suggestions on how to realize this in code? Thank you in advance!

 

 

DL

Accepted Solutions
Cisco Employee

Re: ISE API change password

You can use the Internal User API for this. You can do the following operations-

A sample output of the GET request is as below-

XML
<?xml version="1.0" encoding="UTF-8"?>
<ns0:internaluser xmlns:ns0="identity.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
   <changePassword>true</changePassword>
   <customAttributes>
      <entry>
         <key>key1</key>
         <value>value1</value>
      </entry>
      <entry>
         <key>key2</key>
         <value>value3</value>
      </entry>
   </customAttributes>
   <email>email@domain.com</email>
   <enablePassword>enablePassword</enablePassword>
   <enabled>true</enabled>
   <expiryDate>2016-12-11</expiryDate>
   <expiryDateEnabled>false</expiryDateEnabled>
   <firstName>firstName</firstName>
   <identityGroups>identityGroups</identityGroups>
   <lastName>lastName</lastName>
   <password>password</password>
   <passwordIDStore>Internal Users</passwordIDStore>
</ns0:internaluser>

JSON
{
  "InternalUser" : {
    "id" : "id",
    "name" : "name",
    "description" : "description",
    "enabled" : true,
    "email" : "email@domain.com",
    "password" : "password",
    "firstName" : "firstName",
    "lastName" : "lastName",
    "changePassword" : true,
    "identityGroups" : "identityGroups",
    "expiryDateEnabled" : false,
    "expiryDate" : "2016-12-11",
    "enablePassword" : "enablePassword",
    "customAttributes" : {
      "key1" : "value1",
      "key2" : "value3"
    },
    "passwordIDStore" : "Internal Users"
  }
}

 


Cisco Employee

Re: ISE API change password

The customer told us the password is shown like this, "*******", with GET, so it cannot be used for checking the password.

DL


Beginner

Re: ISE API change password

Hi,
I am trying to solve the same problem, but with a Java Servlet.

Any idea how to authorize an internal user without creating an ERSClient object, which requires the admin user name and password?

// Get an instance of the REST client
ERSClient ersClient = new ERSClient("admin", "adminpassword", host);
// then
/**
 * Use this method to change the password.
 *
 * @param ersClient REST client created with the admin credentials
 * @param userid    name of the internal user
 * @param password  new password to set
 * @return true if the user was found and the password was set, false otherwise
 */
public boolean changeUserPassword(ERSClient ersClient, String userid, String password) {
    InternalUser user = null;
    try {
        user = searchUserByName(ersClient, userid);
        if (user == null) {
            // User not found: nothing was changed, so do not report success
            return false;
        }
        user.setPassword(password);
        System.out.println("Password Changed Successfully");
        return true;
    } catch (Exception e) {
        System.out.println("Something went wrong changing the password " + e.getMessage());
        return false;
    }
}

Here I am missing something. I just need to verify the user's current password, to make sure the user who is changing the password is the authorized user.
Is there any API which can verify an internal user's password? Thanks

Cisco Employee

Re: ISE API change password

This is expected. ISE admin users should not be allowed to read the user password, due to privacy concerns, I think. See CSCvk59290.

On the other hand, the ISE ERS API for internal users would allow changing user passwords without knowing the existing ones. Please note CSCvm01627 with the doc bug CSCvn22448.
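
Added example, not part of the original thread and not Cisco code: because GET returns only a mask and the update does not ask for the old password, the custom web page is the only gate, so this sketch fails closed unless an independent check of the current password succeeds. `verify_current`, `MAX_FAILURES` and the minimal update body (only `id`, `name` and the new `password`) are assumptions made for illustration.

```python
import json

# Constructed GET response in the shape of the JSON sample in this thread,
# with the password masked the way the customer reported seeing it.
SAMPLE_GET = json.dumps({"InternalUser": {
    "id": "id", "name": "name", "enabled": True, "password": "*******",
    "changePassword": True, "passwordIDStore": "Internal Users"}})

MAX_FAILURES = 3   # assumed lockout threshold for the web page, not an ISE setting
_failures = {}     # username -> consecutive failed verifications (in memory only)


def is_masked(value):
    """True when the field holds only a mask (all asterisks), not a secret."""
    return bool(value) and set(value) == {"*"}


def plan_password_change(get_body, current_pw, new_pw, verify_current):
    """Return the update body to send, or raise if the change must not happen.

    verify_current(name, password) -> bool is a hypothetical callback that
    authenticates the user by some means other than the internal user GET,
    whose password field cannot be used for comparison.
    """
    user = json.loads(get_body)["InternalUser"]
    name = user["name"]
    if not user.get("enabled", False):
        raise PermissionError("account disabled")
    if _failures.get(name, 0) >= MAX_FAILURES:
        raise PermissionError("too many failed attempts")
    # The masked GET field is never consulted here: comparing against it would
    # reject every real password or accept anyone who types the mask.
    if not verify_current(name, current_pw):
        _failures[name] = _failures.get(name, 0) + 1
        raise PermissionError("current password not verified")
    # Refuse to write a mask back as the password (e.g. a round-tripped GET body).
    if is_masked(new_pw) or new_pw == current_pw:
        raise ValueError("new password rejected")
    _failures.pop(name, None)
    # Assumed minimal body: send only what changes, never the other GET fields.
    return {"InternalUser": {"id": user["id"], "name": name, "password": new_pw}}
```

The failure counter here lives in process memory; a real page would keep it in shared storage so it survives restarts and multiple workers.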

VIP Engager

Re: ISE API change password

CSCvk59290 is not public facing. 

While unrelated to the user accounts, I have noticed that LDAP connector credentials are plain text; you can inspect the element in Chrome and get the configured password for the username.

Cisco Employee

Re: ISE API change password

That bug is junked as it is expected behavior. The other issue is under investigation.