Keep it secure: Automate Skyline Collector admin password changes

Too frequently I log in to my Skyline Collector and am immediately required to change the password. Follow along with me as I explain how I figured out how to use automation to reduce the frustration of this process.

The Skyline Collector admin password will expire every 90 days. Because it’s not necessary to log in to the collector frequently, it is common that when I do log in, I’m forced to immediately change the password. I began looking for an option to change this password programmatically, thus enabling the ability to schedule a task that would update the password before it expired, preferably every 30 days or so. That way when I go to log in the password doesn’t need to be immediately changed and I can move along with my task.

Finding the API method

To find the API method being used, I opened the developer tools in my browser, switched to the Network tab, then began watching the monitor while I changed the admin password for my Skyline Collector. When I clicked the button to change password, the ‘request URL’ on the Headers tab shows that the method called is /api/v1/auth/update?auto=false (picture below):

On the ‘Payload’ tab I can see the JSON body that was posted to the /api/v1/auth/update method in the request URL (from the above screenshot). The request body looks like this:

Write a Script to Automate the Password Change

Knowing the API method called as well as the details of the payload gives us the details that we need to write some code. We could use any tool/language, but having a preference towards PowerShell I chose that path. The below example does just that — and the results showed Password updated successfully!

$serverName = 'h027-skyline-01.lab.enterpriseadmins.org' # variable for Skyline Collector name/IP.
$changePassBody = @{'username'='admin'; 'oldPassword'='VMware1!'; 'newPassword'='VMware2!'} # JSON payload
# Following line will use variables above to POST the request
Invoke-RestMethod -method POST -Uri "https://$serverName/api/v1/auth/update?auto=false" -Body ($changePassBody | ConvertTo-Json) -ContentType "application/json"

# Output of Invoke-RestMethod from above
message
-------
Password updated successfully.

With this test successful, I tested the code against a collector appliance with an expired password and it worked there also. 

It’s outside of the intent of this brief article but to have this be a complete solution, the remaining tasks to fully automate this process would include: 

  • Reading in a complete list of Skyline Collectors (either from a list in the script or CMDB solution)
  • Retrieving the current password for each collector (from a privileged access management tool like CyberArk / Thycotic)
  • Auto-generating a new password for each collector 
  • Storing the new password in the privileged access management vault for each collector 
  • Scheduling this as a recurring task
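
One way to put those remaining steps together, as an added sketch that is not part of the original post: it uses the Microsoft.PowerShell.SecretManagement cmdlets as a stand-in for a PAM vault and records the new password as a pending entry before calling the API, so a failure halfway through cannot leave a collector with a password nobody knows. The vault name, the secret naming scheme and the password character classes are assumptions.

```powershell
#Requires -Version 7.0
#Requires -Modules Microsoft.PowerShell.SecretManagement
$ErrorActionPreference = 'Stop'

# Assumptions (not from the original post): vault name, one secret per collector named after its FQDN.
$vault      = 'CollectorVault'                                 # hypothetical registered vault
$collectors = @('h027-skyline-01.lab.enterpriseadmins.org')    # or read from a file / CMDB export

function New-RandomPassword {
    param([ValidateRange(8, 64)][int]$Length = 20)
    # One character from each class (assumed policy), the rest from the full set, all from the CSPRNG.
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#%^*-_+='
    $all     = -join $classes
    $pick    = { param($set) $set[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($set.Length)] }
    $chars   = @($classes | ForEach-Object { & $pick $_ })
    $chars  += 1..($Length - $chars.Count) | ForEach-Object { & $pick $all }
    # Shuffle so the guaranteed characters are not always in the first four positions.
    -join ($chars | Sort-Object { [System.Security.Cryptography.RandomNumberGenerator]::GetInt32([int]::MaxValue) })
}

foreach ($server in $collectors) {
    try {
        $old = Get-Secret -Name $server -Vault $vault -AsPlainText
        $new = New-RandomPassword
        # Record the candidate first: if the vault write after the POST fails,
        # the password that is now live on the collector is still recoverable.
        Set-Secret -Name "$server-pending" -Secret $new -Vault $vault
        $body = @{ username = 'admin'; oldPassword = $old; newPassword = $new } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Uri "https://$server/api/v1/auth/update?auto=false" `
            -Body $body -ContentType 'application/json' | Out-Null
        Set-Secret -Name $server -Secret $new -Vault $vault
        Remove-Secret -Name "$server-pending" -Vault $vault
        Write-Output "$server : password rotated"
    } catch {
        # Leave any pending entry in place for manual reconciliation; never log the passwords.
        Write-Warning "$server : rotation failed: $($_.Exception.Message)"
    }
}
```

Run it from a scheduler every 30 days or so under a service account that is allowed to read and write the vault, and alert on the warning output so a failed rotation is reconciled before the 90-day expiry.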

Hopefully this has given you a helpful example of using your browser's Developer Tools to investigate APIs as well as writing a sample script to use what you find.
