Rotating stored passwords

When you run cgetaccount, you check out the account password for a specified period of time (for example, one hour). The account password automatically rotates after that time expires. With crotatepasswd, you can force the password to rotate immediately, without waiting for the checkout period to expire, so that no one else can use that password.

The crotatepasswd command rotates the password for the specified account in Privileged Access Service. The account can be a system, domain, or database account.

  • If you run crotatepasswd with the -f option, it ignores any password checkouts and forces a password rotation.

  • To run the crotatepasswd command, you must be logged in as root, the computer where you run crotatepasswd must be registered in Privileged Access Service, and the Application-to-Application Password Management feature must be enabled.

  • As a suggestion, have a script run crotatepasswd during downtime. If crotatepasswd succeeds, have the script then call cgetaccount to get the freshly rotated password.

  • You can force a password rotation for the account "user" on "DOMAIN1" and ignore any password checkouts by running a command such as: crotatepasswd -T domain -f DOMAIN1/user.
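
A sketch of the downtime script suggested above, added here as an example (it is not part of the product documentation or tooling). It uses only the crotatepasswd options shown on this page; the cgetaccount options are not shown on this page, so CGETACCOUNT_OPTS is a placeholder, and the script assumes cgetaccount takes the account name as its argument and writes the password to standard output.

```shell
#!/bin/sh
# Added example: force-rotate a vaulted account password, then check out the new one.
# Assumptions: ACCOUNT_TYPE defaults to the page's sample value ("domain");
# CGETACCOUNT_OPTS is a placeholder, because this page does not list cgetaccount's options.

ACCOUNT_TYPE="${ACCOUNT_TYPE:-domain}"
CGETACCOUNT_OPTS="${CGETACCOUNT_OPTS:-}"

# crotatepasswd must be run as root (stated on this page).
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
}

# Rotate first; check out only if the rotation succeeded.
# Prints the new password on stdout and nothing else.
# Returns 2 if rotation fails, 3 if the checkout fails or comes back empty.
rotate_and_fetch() {
    account="$1"
    # -T gives the account type, -f ignores outstanding checkouts (both from the page).
    if ! crotatepasswd -T "$ACCOUNT_TYPE" -f "$account" >/dev/null; then
        echo "rotation failed for $account; skipping checkout" >&2
        return 2
    fi
    # Assumption: cgetaccount writes the password to stdout.
    # CGETACCOUNT_OPTS is intentionally unquoted so it can carry several options.
    new_pw="$(cgetaccount $CGETACCOUNT_OPTS "$account")" || return 3
    [ -n "$new_pw" ] || return 3
    printf '%s\n' "$new_pw"
}

main() {
    require_root || return 1
    rotate_and_fetch "$1"
}

# Run only when an account is given, e.g.: ./rotate.sh DOMAIN1/user
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Capture the output in a variable or pipe it directly to the consumer rather than letting it reach a terminal or log file, and treat any nonzero exit status as "the old credential state is unknown".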